Recent posts

#21

Virtual private networks / OPNsense as OpenVPN Server beh...

Last post by ita.tc - Today at 01:46:01 PM

Hi all,

I would like to setup an OPNsense behind another firewall to provide OpenVPN Road warrior connections into a network. I thought "how hard could it be?", set up a new OPNsense, disabled the WAN interface, configured LAN with a static IPv4 and added the existing firewall as gateway. Added port forwarding for management interfaces (temporarily for deployment) and 1194 UDP in that firewall and configured an OpenVPN instance on the OPNsense. Remote Access worked instantly, but I can't get OpenVPN to work. It seems like am missing an important step here. I read some posts and found this one, which seemed promising. Sadly I must have messed up since disabling the Anti-lockout rule locked me out of the admin interface. I did create my own rules allowing access beforehand but I might have forgotten to hit "apply" like a total noob.
So now I'm looking to understand this issue before making another attempt. I had something similar running on a Synology NAS with their VPN Server and really didn't expect to run into so many issues. We have quite a few OPNsenses deployed successfully, but not with only one interface. If I could I would replace the existing firewall but that is currently not possible.
Any help in this matter will be greatly appreciated.

#22

Tutorials and FAQs / Re: OPNsense aarch64 firmware ...

Last post by franco - Today at 12:54:08 PM

Great, thanks for doing this.


Cheers,
Franco

#23

German - Deutsch / Re: Squid Web Proxy - Access-C...

Last post by Herr_Zlpp - Today at 12:28:27 PM

Hi, hast Du hierzu seinerzeit eine Lösung gefunden?
Ich hänge gerade an dem selben Thema.

Gruß, Zlpp

#24

25.7, 25.10 Series / Re: Using Adguard Home and DNS...

Last post by OPNenthu - Today at 11:53:00 AM

I just assume that intelligence sharing takes place with them, but at least I may not be monetized and profiled by domestic companies that I might have relationships or business with.

#25

25.7, 25.10 Series / Re: Using Adguard Home and DNS...

Last post by Patrick M. Hausen - Today at 11:44:07 AM

Quad9 are located in Switzerland and seem to be ok:

https://quad9.net/about/foundation-council/

#26

General Discussion / Re: use traffic shaper in fire...

Last post by Seimus - Today at 11:42:58 AM

do we need to configure the interface, source, destination, and direction as well

I am not sure what you mean by this.

PFs Traffic Shaping just replaces the RULEs section under FW > Shaper > Rules. This gives you a possibility to use all the features of PF rules, but as well to reduce the number of needed rules. As you can use just one RULE to classify UPLOAD and DOWNLOAD, instead of two needed rules in the old ipfw rules (FW > Shaper > Rules).

For Pipe and Queue configuration you follow the docs and best practices, e.g at minimum separate PIPEs and QUEUEs for Upload and download.

Regards,
S.

#27

25.7, 25.10 Series / Re: Using Adguard Home and DNS...

Last post by OPNenthu - Today at 11:36:54 AM

What do you recommend for those of us outside the GDPR protections?

The only thing I've come up with to date (as a thought exercise) is to potentially proxy through a foreign hosted VPS, but it would need to be both under the user's strict control and paid for anonymously.  I don't think it exists.

#28

25.7, 25.10 Series / Re: Using Adguard Home and DNS...

Last post by Patrick M. Hausen - Today at 11:16:51 AM

Huh. OK. So If I dont't define any forwarders in Unbound, it'll perform a look up as you describe?

Yes. That's the point of running a recursive name server for your clients.

What settings do I need to set for this to happen? I thought I HAD TO define forward DNS servers

Simply do not configure any upstream servers (aka "forwarders"). DNS was from the start designed as a distributed database that does not need any central service.

Does Unbound use DOH/DOT to send the request to the resolvers?

Terminology is important: Unbound in that configuration is a resolver or recursive name server. The servers it queries are the authoritative servers for the particular zone in question.

If you followed my argument and the example I gave for looking up forum.opnsense.org you might wonder how any recursive server gets the list of servers for the root zone. Simple: they "never" change and are compiled in. A major change in the root name servers requires a new release of Unbound.

Actually the first thing Unbound does on start up is fetch an updated list of root name servers, but should the compiled in one diverge too much from reality, that will of course fail. But that way a change of a single one out of the dozen or so can be tolerated. Should that one be picked for the first query, the request will fail and Unbound will try another one.

If your threat model involves preventing your ISP collecting your DNS queries then I think that's a good reason not to use any kind of plain DNS, such as Unbound in recursive mode.  However it's not as simple as that.  You have to trust that your DoT provider isn't colluding with other entities to share or sell your data. 

Exactly. My ISP is Deutsche Telekom. They are bound by GDPR and a whole lot of EU customer protection laws. Should anybody ever discover they spy on customers' traffic, all hell will break loose.

So I trust them quite a bit more than any DNS provider, possibly located in the US.

#29

25.7, 25.10 Series / Re: 25.7.8 Reporting -> Unboun...

Last post by Patrick M. Hausen - Today at 11:06:05 AM

But the OPNsense build server afaik does not use poudriere for building packages.

It should 😛

#30

German - Deutsch / Re: UnboundDNS und lokaler Hos...

Last post by knebb - Today at 11:04:19 AM

Määäääääh!

Ja, ok, das hat geklappt. Wenn man im Kopf hat, dass ALLE Registrierungen aus sein müssen. Außer natürlich der Einstellung wo "KEINE" davorsteht...

Vielen Dank!

/KNEBB