Recent posts

#1
26.7 Series / Re: [Solved] Attempt to Upgrad...
Last post by BryanC1968 - Today at 07:00:24 PM
Quote from: Wintrob-IT on Today at 05:46:58 PMBryanC1968, you are the best!!!!!! i almost formatted the firewall for the upgrade :)


Your Welcome.  Glad I could help someone else...  I did quite a bit of googling to find a fix for the problem.  I found some old forum posts either on this forum or on reddit from someone else having this same issue with one of the previous version upgrades.  And they found out that the cpu-microcode plugin was what was causing the issue, so I gave it a try and it worked...
#2
26.7 Series / Re: Wireguard S2S broken
Last post by Patrick M. Hausen - Today at 06:55:50 PM
Try using an IP address instead of a DNS name. Name resolution is problematic with WG. It does it only once at startup.

I try to avoid depending on DNS for S2S VPN in general.
#3
26.7 Series / Wireguard S2S broken
Last post by QuisaZaderak - Today at 06:53:12 PM
Hi,

I upgraded today from 2026.1.11_10 to 26.7
Since the upgrade my WireGuard setup connecting my home OpnSense with my Azure OpnSense does not come up again.

In error log of WireGuard there is following new entry:

2026-07-16T18:31:17Errorwireguard/usr/local/opnsense/scripts/wireguard/wg-service-control.php: The command </usr/bin/wg syncconf 'wg0' '/usr/local/etc/wireguard/wg0.conf'> returned exit code 1 and the output was "Name does not resolve: `xxxxxxxx.spdns.org:51820' Configuration parsing error"

I tried to recreate the entry but still get this error.
#4
General Discussion / Re: Postfix/rspamd DKIM signin...
Last post by putt1ck - Today at 06:43:02 PM
As per previous poster, seems best to have an answer here as the most relevant result that turns up on <enter preferred search engine here>.

Following steps as above fails initially on rspamadm dkim_keygen with error "Too many options". While rspamdadm documentation (at time of writing) states the comamnd will produce two files, as indicated above, actually it produces only the the key file, outputting the txt (DNS entry) content to stdout. To get it to a shell add a redirect into the example command before the email.txt path. There are also typos in the previously posted instructions, and it doesn't cover the scenario of sending from subdomains, so will reproduce tested working version (OPNsense 26.1) below.

1. Install os-rspamd via web UI (if you already have it installed, disable it for now)

2. enable ssh and sudo as needed, access csh with root powers

3. Create folder for DKIM key
mkdir usr/local/etc/rspamd/dkim
4. Generate key

rspamadm dkim_keygen -d sub.yourdomain.tld -s email -k /usr/local/etc/rspamd/dkim/email.key -b 2048 > /usr/local/etc/rspamd/dkim/email.txt
5. Set proper owner and ACL for key file
chown rspamd:rspamd /usr/local/etc/rspamd/dkim/email.key
chmod 600 /usr/local/etc/rspamd/dkim/email.key

6. Disable clamav module (not sure this is required, but getting it working took so much trouble shooting that we made this change (and clamav should be called by postfix anyway?)
vi /usr/local/etc/rspamd/override.d/antivirus.confenabled = false;
7. Enable DKIM signing by creating the override file with the necessary settings
vi /usr/local/etc/rspamd/override.d/dkim_signing.conf
enabled = true;
sign_local = true; #send from known hosts and networks
auth_only = false; #send only from authenticated users
use_domain = envelope; #setting to from also worked for us but left at envelope in production
allow_hdrfrom_mismatch = false;
allow_username_mismatch = false;
use_esld = false; #needed if you are using a subdomain to send mail direct from a service e.g. nextcloud.example.com - esld will assume only the latter 2 parts are relevant and look for a domain that matches example.com and fail
use_redis = false; #in our case the keys were not loading to redis but rspamd dkim_signing module was treating it as the "source of truth" and failing to find the key

domain {
   sub.yourdomain.tld {
    selector = "email";
    path = "/usr/local/etc/rspamd/dkim/email.key";
     }
}

8. Test syntax and restart rspamd

rspamadm configtest
service rspamd restart
9. In web UI enable rspamd plugin and enable antispam in postfix

10. Test DKIM signing from CLI
Create a simple test email where the from address domain part has to match whatever you've used in the steps above
vi testmail.eml with content
From: john.doe@sub.yourdomain.tld
To: jim.doe@example.com
Subject: Test DKIM Signing

This is a test email for DKIM signing.

Then run
rspamc --pass-all -vvvv -i 10.0.3.10 -d jim.doe@example.com -F john.doe@sub.yourdomain.tld < testmail.emlIf signing is working properly then the response should include something like

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sub.yourdomain.tld;
        s=email; t=1784209642; h=from:from:reply-to:subject:subject:to:to:cc;
        bh=RYXvt0hMSt1DiETNsCX712grsTrzBedJQa3fPCnNtAO4=;
        b=bjKtJoFa31oH8afOzkrN+0Thoh84RyvokrSMdr+hcjtJ+aRdDlxR9ZoA

If at this stage you don't get DKIM signing, you can enable rspamd debug logs on a per module basis

vi /usr/local/etc/rspamd/logging.inc appending the line
debug_modules = ["dkim_signing"]; then restart rspamd and try the test again. Log is in /var/logs/rspamd/rspamd.log.

11. With a successful local test move to add the DNS TXT record for the appropriate (sub.) domain, using the content of the email.txt file you created earlier cat /usr/local/etc/rspamd/dkim/email.txt. Some DNS services will require you to remove some or all of the " "'s used to split the record before letting you add it.

12. Now send a real email using your OPNsense mail relay, the key will be added and the mail should be delivered (to even that big mail provider who tries not to accept emails from small mail providers).

NB this was done on a server going into production so we may have done some steps during troubleshooting that we've overlooked in this write-up. Should get to test it on another project soon and will amend as needed.

Hope it helps someone, be nice to get added to rspamd plugin...

#5
26.7 Series / Opnsense 26.7 Great - What Hav...
Last post by appasquatic - Today at 06:39:31 PM
Hi Guys,

I wonder if I might ask for some help?

I run a mail server behind a Caddy reverse proxy which is hosted on a DEC850 device running opnsense 26.1.8_5. Today, I upgraded firmware to opnsense 26.7, and the experience was great, and everything appeared to be working, except the 3rd party plugin for Caddy.

The Outbound NAT configuration carried over perfectly from the upgrade, and from what I could see, so did all of the firewall rules. I've attached the Caddy file for inspection (although it does appear that I'm bullying Caddy, it's the proxying of HTTP and HTTPS ports that stopped working, so my suspicions are aroused. I've watched Poirot, so I've some idea how to pursue a thread, but not the slightest idea how to fix it).

Is there anything easy that you think I might be missing? If so, though lacking professional expertise, I have the vigor of an enthusiast, so I'm ready to try anything I can understand or research.

(I've temporarily rolled back for now, but I'm learning about a work-around whereby I might proxy the HTTPS port via Caddy hosted on Kubernetes on the email server host).

Again, very pleased with the upgrade, but I've just this one sticking point where I think I may have tied myself in knots. Any help appreciated. I'll supply any relevant info. Not to worry if it's too much a pain, since I can always run with my Plan B and upgrade to the latest opnsense anyway.

Thanks again for your time, and great work on the firmware.
 
#6
26.7 Series / Re: [SOLVED] Performance issue...
Last post by meyergru - Today at 06:33:44 PM
That is why I answered: the title suggests a general problem, while it seems very specific (maybe you consider changing the title).

If you want to investigate, you can look at the command line that is called underneath (with Proxmox, that is possible). It will be derived from the options you choose and may show what causes it. I had to explicitely use the "args" line above to even enable it.

I do not use Hyper-V extensions because they are strictly needed only for Windows guests and when I tried, I even noticed a slightly higher CPU load with Hyper-V enabled for OpnSense.
#7
26.7 Series / Re: 26.7 continually reboots
Last post by Patrick M. Hausen - Today at 06:30:15 PM
Correct. We already have dozens of successful upgrade reports on this forum alone and probably hundreds if not thousands of upgrades in the field.

What leads you to the conclusion the problem you see is a general one and not particular to your configuration?

I'd start with: do you have any third party repositories enabled? Have you ever installed packages from the FreeBSD repo instead of the OPNsense one and potentially replaced the "pkg" binary?
#8
Das kann ein Client auf der Firewall nicht leisten. Die Idee von OTP ist, dass ein Mensch das Token mit einem Medienbruch (Token, Smartphone App) jedes Mal manuell eingibt. Sonst ist es sinnlos.
#9
Quote from: JediFonger on Today at 06:10:28 PMon gui when i click on nut, i get the bug report crash.

That's a new OPNsense frontend problem completely unrelated to the NUT crash we had on 26.1 and definitely not fixed by manually messing around with packages.

Rather, just do:

opnsense-patch https://github.com/opnsense/core/commit/14710e775

The crash report you get looks nowhere like the issue we had on 26.1 yet somehow you come to the conclusion that both issues are the same and require the same fix? The title of this thread is "NUT is Broken After Udating to 26.1.8_5". Not "NUT is Broken After Udating to 26.7".  🤷

If you installed the workaround on 26.1 then unlock the NUT package:

pkg unlock nut

Then check for pending updates from the UI and update the NUT package to the one matching 26.7. Then apply the patch above.
#10
German - Deutsch / OpenVPN Client Instance mit TO...
Last post by schulzan - Today at 06:17:30 PM
Hallo Zusammen,

ich möchte eine Verbindung zu einer OpenVPN Gegenstelle aufbauen, die neben User und Passwort auch noch einen 6 Stelligen Token (nach dem Passwort) erfordert. Ich habe es geschafft einen TOTP Server einzurichten und einen User mit Passwort so zu speichern, dass sie Synchron zur den Zugangsdaten der Gegenstelle funktionieren. Aber ich finde keine Möglichkeit auf diesen User und Passwort/Tokenkombination in die OpenVPN Client Instanz einzugeben. Hat es schon mal jemand hinbekommen? Seht ihr eine Möglichkeit?

Gruß
Andreas