Recent posts

#81
Development and Code Review / Re: Automating configuration o...
Last post by bimbar - December 09, 2025, 10:53:12 AM
I dream of a direct CLI interface to the configuration like for example juniper or fortinet.
#82
General Discussion / Zoraxy Reverse Proxy does not ...
Last post by crazywolf13 - December 09, 2025, 10:45:10 AM
Hi

So the issue is between Zoraxy (a reverse proxy written in Go) and the OPNsense WebUI. Currently Zoraxy seems to work with most if not all sites except OPNsense.

When trying to add an HTTP Proxy for OPNsense there are a couple of options available:

- [] Allow plain HTTP access # Allow inbound connections without TLS/SSL
- [] Disable Requests Logging # Disable logging for all incoming requests for this hostname
- [] Disable Statistic Collection # Disable collecting statistics for this hostname but keep request logging
- [] Monitor Uptime # Enable active uptime monitor and auto disable upstreams that are offline
- [] Use Sticky Session # Enable stick session on load balancing
- [] Disable Chunked Transfer Encoding # Enable this option if your upstream uses a legacy HTTP server implementation (e.g. Proxmox / opencloud)
- [] Require TLS # Proxy target require HTTPS connection
- [] Skip Verification # Check this if proxy target is using self signed certificates
- [] Skip WebSocket Origin Check # Check this to allow cross-origin websocket requests
It's also possible to set/remove headers on zoraxy>client or zoraxy>origin

I've tried about every possible way and could not get it to work, and I seem not to be the only one: https://github.com/tobychui/zoraxy/discussions/228

I've tried this suggestion: https://github.com/opnsense/plugins/issues/4471#issuecomment-2742109624 which did not work, and also this one: https://github.com/opnsense/plugins/issues/4471#issuecomment-2599639355 by adding the line server.http-parseopts = ( "method-get-body" => "enable" ) to the file /usr/local/etc/lighttpd/lighttpd.conf (I hope that's the correct one?). Both of these suggested fixes did not work for Zoraxy; I'm still getting the Bad request error.

Here is a curl output of the site:
❯❯ curl -v https://opnsense.XXX.dev
* Host opnsense.XXX.dev:443 was resolved.
* IPv6: (none)
* IPv4: 10.10.20.9
*   Trying 10.10.20.9:443...
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* Established connection to opnsense.XXX.dev (10.10.20.9 port 443) from XXX port 57877
* using HTTP/1.x
> GET / HTTP/1.1
> Host: opnsense.XXX.dev
> User-Agent: curl/8.16.0
> Accept: */*
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* Request completely sent off
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: no-store, no-cache, must-revalidate
< Content-Length: 2789
< Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval';
< Content-Type: text/html; charset=UTF-8
< Date: Tue, 09 Dec 2025 09:10:56 GMT
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Pragma: no-cache
< Referrer-Policy: same-origin
< Server: OPNsense
< Set-Cookie: PHPSESSID=XXX; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: PHPSESSID=XXX; path=/; secure; HttpOnly
< Set-Cookie: cookie_test=XXX; expires=Tue, 09 Dec 2025 10:10:56 GMT; Max-Age=3600; path=/; secure; HttpOnly
< Strict-Transport-Security: max-age=31536000
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Xss-Protection: 1; mode=block
<
<!doctype html>
<html lang="en-US" class="no-js">
  <head>
    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge">

    <meta name="robots" content="noindex, nofollow" />
    <meta name="keywords" content="" />
    <meta name="description" content="" />
    <meta name="copyright" content="" />
    <meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1" />
    <meta name="mobile-web-app-capable" content="yes">
    <meta name="apple-mobile-web-app-capable" content="yes">

    <title>Login | OPNsense</title>

    <link href="/ui/themes/rebellion/build/css/main.css?v=190a5ea47ddfe74a" rel="stylesheet">
    <link href="/ui/themes/rebellion/build/images/favicon.png?v=190a5ea47ddfe74a" rel="shortcut icon">

    <script src="/ui/js/jquery-3.5.1.min.js"></script>

        <script src="/ui/js/theme.js?v=190a5ea47ddfe74a"></script>


            <script>
              $( document ).ready(function() {
                  $.ajaxSetup({
                  'beforeSend': function(xhr) {
                      xhr.setRequestHeader("X-CSRFToken", "lsIHDJMZv7fNwZEWS_S0Pw" );
                  }
                });
              });
            </script>
            </head>
  <body class="page-login">

  <div class="container">
    <main class="login-modal-container">
      <header class="login-modal-head" style="height:50px;">
        <div class="navbar-brand">
              <img src="/ui/themes/rebellion/build/images/default-logo.png?v=190a5ea47ddfe74a" height="30" alt="logo" />
            </div>
      </header>

      <div class="login-modal-content">
        <div id="inputerrors" class="text-danger">&nbsp;</div><br />

            <form class="clearfix" id="iform" name="iform" method="post" autocomplete="off"><input type="hidden" name="NqqKPVoCWf2rymUXMqttXQ" value="lsIHDJMZv7fNwZEWS_S0Pw" autocomplete="new-password" />

        <div class="form-group">
          <label for="usernamefld">Username:</label>
          <input id="usernamefld" type="text" name="usernamefld" class="form-control user" tabindex="1" autofocus="autofocus" autocapitalize="off" autocorrect="off" />
        </div>

        <div class="form-group">
          <label for="passwordfld">Password:</label>
          <input id="passwordfld" type="password" name="passwordfld" class="form-control pwd" tabindex="2" />
        </div>

        <button type="submit" name="login" value="1" class="btn btn-primary pull-right">Login</button>

      </form>




          </div>

      </main>
      <div class="login-foot text-center">
        <a target="_blank" href="https://opnsense.org/">OPNsense</a> (c) 2014-2025        <a target="_blank" href="https://www.deciso.com/">Deciso B.V.</a>
      </div>

    </div>

    </body>
  </html>
* Connection #0 to host opnsense.XXX.dev:443 left intact

Zoraxy does not seem to have an option to force a specific HTTP version, and as this is not necessary for any other proxy setup in my homelab (50+ HTTP proxies), I think there should be another way?

It would be very nice if we could get to the bottom of this, thanks!


#83
25.7, 25.10 Series / Re: Local DNS overrides no lon...
Last post by meyergru - December 09, 2025, 09:51:02 AM
You do not have to set an upstream DNS server for Unbound at all, because it can resolve on its own.

Try leaving the DNS servers empty in System:Settings:General and uncheck both "DNS server options" on that page.

#84
25.7, 25.10 Series / Re: Could This Be The Reason?
Last post by Monviech (Cedrik) - December 09, 2025, 09:47:48 AM
The issue with a readme is that people do not read a readme in general. And if it's too long it's TL;DR, so even fewer people even attempt to give it a go.

Better keep it as short and concise as possible, like e.g. the rules of the internet. xD
#85
Q-Feeds (Threat intelligence) / Re: Looking for testers Q-Feed...
Last post by vpx - December 09, 2025, 09:45:27 AM
Hi Stefan,

Thanks, it has been fixed. 👍🏻
#86
Virtual private networks / Re: wireguard site 2 site not ...
Last post by meyergru - December 09, 2025, 09:42:32 AM
If both firewalls can ping one another (BTW: on which address? The tunnel IP or their LAN IP?), then it seems obvious that your firewall rules created in step 6 of the official instructions are wrong. You should not have to use NAT on the Wireguard interfaces. Just follow the docs.
 
#87
25.7, 25.10 Series / Re: Could This Be The Reason?
Last post by meyergru - December 09, 2025, 09:38:03 AM
No, Patrick, just no. That device is not at all transparent, which is a huge difference.

Should I add a new point "About Home Network Guy's and others' YouTube videos and why to avoid transparent bridges in general" to the READ ME FIRST article? Up to this point, I avoided changing the order because of the many references, but this one should probably be way up.
#88
Virtual private networks / Re: wireguard site 2 site not ...
Last post by austrian-firewaller - December 09, 2025, 09:16:18 AM
Quote from: Bob.Dig on December 01, 2025, 07:00:06 PM
Quote from: austrian-firewaller on December 01, 2025, 02:46:42 PM
without creating an interface for wireguard
Create one on both sides.

Why? It should not be necessary? And I think I did that as well, nothing changed. I found other sources telling not to do so.
#89
Virtual private networks / Re: wireguard site 2 site not ...
Last post by austrian-firewaller - December 09, 2025, 09:15:05 AM
Thank you for your reply.

The allowed IP in Site A:
172.16.0.10/32, 192.168.10.0/24

Site B:
172.16.0.1/32, 192.168.1.0/24

So in each instance it is the firewall's tunnel IP and the network from the opposite site.
That should be correct, right?
#90
Development and Code Review / Re: Automating configuration o...
Last post by Monviech (Cedrik) - December 09, 2025, 09:02:17 AM
So far not all components have an API yet, but that's the long-term goal; some features like Router Advertisements are migrated to MVC as we speak: https://opnsense.org/roadmap/

Maybe here you can find some inspiration on how to automate non-API components?
https://github.com/O-X-L/ansible-opnsense