"Recent posts
#81
Virtual private networks / Re: WireGuard Exporter Tool
Last post by Monviech (Cedrik) - December 11, 2025, 09:56:54 AMYeah the slab is at the usecase. If you just need a tunnel its awesome, if you need roadwarrior setup for even 10+ users that is also not a security risk when the WG profile is extracted, OpenVPN or IPsec are the way. It's also a management nightmare at anything than a few users.
#82
Virtual private networks / Re: WireGuard Exporter Tool
Last post by Patrick M. Hausen - December 11, 2025, 09:50:02 AMQuote from: Monviech (Cedrik) on December 11, 2025, 09:39:16 AMWireguard - the simple alternative to IPsec and OpenVPN
Oh, it absolutely is for gateway to gateway setups. I love it.
Quote from: Monviech (Cedrik) on December 11, 2025, 09:39:16 AMuntil it isn't TM
It does not scale well for road warrior use. That's why we keep OpenVPN.
#83
25.7, 25.10 Series / Re: OPNCentral cannot provisio...
Last post by franco - December 11, 2025, 09:49:48 AMAre all nodes up to date?
We were discussing the same here:
https://www.reddit.com/r/opnsense/comments/1pj2uvz/comment/ntbofdo/
Cheers,
Franco
We were discussing the same here:
https://www.reddit.com/r/opnsense/comments/1pj2uvz/comment/ntbofdo/
Cheers,
Franco
#84
25.7, 25.10 Series / OPNCentral cannot provision so...
Last post by nono - December 11, 2025, 09:45:17 AMWe rely on OPNCentral to keep our both mains firewall (recently updated to 25.10.1) and it seems that OPNCentral isn't able to sync few services (like Firewall Rules, NAT, etc).
We're using wireguard connection between the two firewall which are UP but I do not find any related logs so I'm wondering is anyone else faced the same issue ?
We're using wireguard connection between the two firewall which are UP but I do not find any related logs so I'm wondering is anyone else faced the same issue ?
#85
Virtual private networks / Re: WireGuard Exporter Tool
Last post by Monviech (Cedrik) - December 11, 2025, 09:39:16 AMWireguard - the simple alternative to IPsec and OpenVPN, until it isn't TM
#86
25.7, 25.10 Series / Re: Help Troubleshooting OPNse...
Last post by Patrick M. Hausen - December 11, 2025, 09:38:46 AMThis is not how NTP works.
OPNsense runs an NTP server that synchronises itself with public servers on the Internet. Once a synchronised state is reached that server directly answers requests by all local clients.
The "pending" is normal for the pool entries. But there should be one server labeled as "Active Peer" and some more labeled as "Candidate". If that is the case all is well.
OPNsense runs an NTP server that synchronises itself with public servers on the Internet. Once a synchronised state is reached that server directly answers requests by all local clients.
The "pending" is normal for the pool entries. But there should be one server labeled as "Active Peer" and some more labeled as "Candidate". If that is the case all is well.
#87
Virtual private networks / Re: WireGuard Exporter Tool
Last post by Patrick M. Hausen - December 11, 2025, 09:35:59 AMQuote from: JMini on December 11, 2025, 05:12:46 AMYou can't even build the conf file from the information in the peer details. No access to the Private Key
The private key should be created on the peer and never leave the peer. That's why it's called "private". The instance on OPNsense only needs the public key of every peer so that's what is saved in the configuration.
There are no clients and servers in WireGuard. It's all peers.
#88
25.7, 25.10 Series / WAN load balancing behavior
Last post by OPNenthu - December 11, 2025, 09:34:17 AMI don't know exactly when it started, but I think in the last few updates (currently I'm on 25.7.9) I'm seeing that the load on two VPN gateways is not being equally distributed anymore.
I have two Wireguard devices (wg0, wg1) and respective interfaces (WAN_VPN0, WAN_VPN1). The interfaces are enabled but not configured. I have a corresponding IPv4 and IPv6 gateway for each interface.
I then created two LB groups: one has the IPv4 members on a common tier, and the other has the IPv6 members on a common tier. I have a VLAN interface with policy routing to send non-local traffic out the respective IPv4 or IPv6 gateway. Within the gateway settings, all of them have the default weight (1). Both gateways are monitored and healthy.
There is a client VM connected to this VLAN. I started a few streams and am seeing that there is a very strong preference for one WG interface. In the past I would see the traffic more evenly split and both interfaces would show activity.
My expectation is that the client will choose either IPv4 or IPv6 and within the respective gateway group it should balance fairly between the two upstream devices. Is that a fair assumption or have I misunderstood? Also, I am curious what the selection criteria is for load balancing- does it distribute by 5-tuple?
Edit: although the screenshot shows "Round Robin with Sticky Address", I wasn't using that previously. Just changed it for testing.
I have two Wireguard devices (wg0, wg1) and respective interfaces (WAN_VPN0, WAN_VPN1). The interfaces are enabled but not configured. I have a corresponding IPv4 and IPv6 gateway for each interface.
I then created two LB groups: one has the IPv4 members on a common tier, and the other has the IPv6 members on a common tier. I have a VLAN interface with policy routing to send non-local traffic out the respective IPv4 or IPv6 gateway. Within the gateway settings, all of them have the default weight (1). Both gateways are monitored and healthy.
There is a client VM connected to this VLAN. I started a few streams and am seeing that there is a very strong preference for one WG interface. In the past I would see the traffic more evenly split and both interfaces would show activity.
My expectation is that the client will choose either IPv4 or IPv6 and within the respective gateway group it should balance fairly between the two upstream devices. Is that a fair assumption or have I misunderstood? Also, I am curious what the selection criteria is for load balancing- does it distribute by 5-tuple?
Edit: although the screenshot shows "Round Robin with Sticky Address", I wasn't using that previously. Just changed it for testing.
#89
Web Proxy Filtering and Caching / Re: Squid Proxy | Allow only s...
Last post by Monviech (Cedrik) - December 11, 2025, 09:08:40 AMYou can do the same way simpler and lightweight with dnsmasq as alternative:
https://docs.opnsense.org/manual/dnsmasq.html#firewall-alias-ipset
https://docs.opnsense.org/manual/dnsmasq.html#firewall-alias-ipset
#90
Web Proxy Filtering and Caching / Re: Squid Proxy | Allow only s...
Last post by bpill - December 11, 2025, 08:34:12 AMNo one? :)
