TorGuard
Showing results for tags 'pfsense'.
Found 8 results

  1. Look A Here - Look A Here - Well, I am back once again - spinning those hits that get you thumping and pumping for the task(s) ahead. You all know " The Time Honored Intro " - https://www.youtube.com/watch?v=xg5IRsPs5E8 and https://www.youtube.com/watch?v=2u-n__lHhWU - sing along - https://genius.com/Led-zeppelin-good-times-bad-times-lyrics - https://www.youtube.com/watch?v=h1vKOchATXs - dig the vibe https://genius.com/Boogie-down-productions-my-philosophy-lyrics - and the original heart throb as a Surprise Bonus - https://www.youtube.com/watch?v=pc_F3PaYgl0

Now that I have satisfied the full spectrum in time and space of " The Beats ", here we go with pfSense AdGuardHome.

See here for basic guide : pfSense AdGuardHome - Now this guide is designed for AdGuardHome on pfSense; however, I am going to modify it so that it is much simpler for you to master. I prefer this method as it gives me more control over updates / upgrades and configuration. In addition, this aforementioned guide sets up AdGuardHome on the LAN for DNS. I am going to set up AdGuardHome DNS on both the IPv4 and IPv6 local hosts - which are the default interfaces for pfSense Unbound. However, if you prefer to use your LAN for AdGuardHome DNS as described in the tutorial, by all means just follow the original guide. AdGuardHome works flawlessly with both OpenVPN and WireGuard protocols. No need for firewall rules or port forwarding with this set up. It works " as is " right " OUT THE BOX ".

Step 1: Do Not Change the Port of your pfSense DNS Resolver. To enable rDNS lookups and hostname lookups for devices on your LAN, enable " DHCP Registration " and " Static DHCP " in DNS Resolver settings.

Step 2: Install the packages below, so that you can install AdGuardHome.

    # pkg install ca_root_nss
    # pkg install screen
    # pkg install nano
    # pkg install sudo     ## AdGuardHome will not install as a service without sudo

Step 3: Go to this page for the auto installation script - the script will download the proper package for your architecture. https://github.com/AdguardTeam/AdGuardHome#test-unstable-versions Using the AGH install script is easier and simpler for most users. Just use their Edge builds as they are the most up to date. It will also warn if there are missing dependencies.

    curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -c edge

ATTENTION : I strongly suggest that you watch this video before you begin. Although lengthy - it is very informative and worthwhile. https://www.youtube.com/watch?v=yMcM40ipDlQ Van Tech Corner OpenWRT AdGuard Home. You also will be able to follow this guide much better - as a ( moving ) picture is worth a thousand words. Follow directions carefully - you will have AdGuard Home up and running on pfSense by the end of this guide / tutorial.

Step 4 - After the installation script runs, you should be seeing something like below. Naturally you may see a different IP Address depending on your network interfaces - but you must use the LAN for initial AdGuardHome Configuration. Here it is - http://192.168.5.10:3000 Pick out your LAN interface so that you can perform initial configuration of AdGuardHome. Now, I am going to show you how to use AdGuard Home with Unbound. Once again I implore you to look at the Van Tech Corner OpenWRT AdGuard Home Video https://www.youtube.com/watch?v=yMcM40ipDlQ

A - Choose LAN Address For Web Interface - Port 8088 / Choose Localhost ( 127.0.0.1 ) For DNS - Change to Port 5353

Step 5 - Now we need to configure Unbound for AdGuardHome. Go to Services > DNS Resolver > General Settings > Display Custom Options > Custom options. In the box for " Custom options " enter the following below :

    server:
      do-not-query-localhost: no
    forward-zone:
      name: "."
      # Allow all DNS queries
      forward-addr: 127.0.0.1@5353
      forward-addr: ::1@5353

Then go to System > General Setup > DNS Server Settings > DNS Servers and enter the following below for DNS Servers :

A - 127.0.0.1
B - ::1 ( both without any gateway )
C - Remove ( Do Not ) Check the " DNS Server Override " option " Allow DNS server list to be overridden by DHCP/PPP on WAN "
D - Leave Option " DNS Resolution Behavior " at Default Setting

Step 6 - Making AdGuard Home start on boot : Special thanks to eoghan2t9 for a start up script for AdGuardHome which works flawlessly. The script is found here : https://github.com/AdguardTeam/AdGuardHome/issues/1352 Some modifications are required for pfSense AdGuardHome. Follow these steps below :

A - # mv /usr/local/etc/rc.d/AdGuardHome /usr/local/etc/rc.d/adguardhome.sh
B - # nano /usr/local/etc/rc.d/adguardhome.sh
C - Delete the contents of the file and fill it with these contents below :

    #!/bin/sh
    # rc.d script for AdGuardHome: runs the binary under daemon(8), which
    # restarts it if it exits (-r) and writes the pid file (-P) that
    # "status" and "stop" use.
    . /etc/rc.subr

    name="adguardhome"
    rcvar="adguardhome_enable"

    adguardhome_user="root"
    adguardhome_command="/opt/AdGuardHome/AdGuardHome"
    pidfile="/var/run/${name}.pid"

    command="/usr/sbin/daemon"
    command_args="-P ${pidfile} -r -f ${adguardhome_command}"

    load_rc_config $name
    : ${adguardhome_enable:=yes}
    run_rc_command "$1"

D - Make it executable - I run this command - it works for me:

    # chmod 755 /usr/local/etc/rc.d/adguardhome.sh

E - In order to have pfSense use the default start up script ( /usr/local/etc/rc.d/adguardhome.sh ) at boot time you will have to create a boot time start up script for it in /etc/rc.conf.d/. Not to prolong this - do the following :

    # touch /etc/rc.conf.d/adguardhome     - create the needed new file
    # nano /etc/rc.conf.d/adguardhome      - in the new file enter the following two lines:

    adguardhome_enable="YES"
    adguardhome_bootup_run="/usr/local/etc/rc.d/adguardhome.sh"

Save and exit / then make the file executable - once again - works for me :

    # chmod 755 /etc/rc.conf.d/adguardhome

Step 7 - Configure AdGuardHome via AdGuardHome.yaml for Unbound. We will edit the sections listed below : ( a ) dns: ( bind_hosts: ) ( b ) upstream_dns: ( c ) bootstrap_dns: ( d ) all_servers: ( e ) filters:

    # nano /opt/AdGuardHome/AdGuardHome.yaml

    web_session_ttl: 720
    dns:
      # Listen on both loopback addresses, on the port Unbound forwards to.
      bind_hosts:
        - 127.0.0.1
        - ::1
      port: 5353

Next we edit ( a ) upstream_dns: ( b ) bootstrap_dns: ( c ) all_servers: (these sit under dns: as well) :

      upstream_dns:
        - quic://dns.adguard.com:784
        - quic://dot-jp.blahdns.com:784
        - quic://dot-fi.blahdns.com:784
        - quic://dot-sg.blahdns.com:784
        - quic://dot-de.blahdns.com:784
        - quic://doh.tiar.app:784
        - quic://dns.emeraldonion.org:8853
        - quic://uk.adhole.org:784
        - quic://de.adhole.org:784
        - quic://sg.adhole.org:784
        - quic://dandelionsprout.asuscomm.com:48582
        - quic://dns.arapurayil.com:784
        - quic://dns.comss.one:784
        - quic://dns.east.comss.one:784
        - tls://getdnsapi.net
        - tls://dns-nyc.aaflalo.me
        - tls://dns.cmrg.net
        - tls://dot.ny.ahadns.net
        - tls://dot.la.ahadns.net
        - tls://dot.chi.ahadns.net
        - tls://ordns.he.net
        - tls://us-east.adhole.org
        - tls://dns.neutopia.org
        - tls://dns.digitale-gesellschaft.ch
        - tls://dot.sb
        - tls://draco.plan9-ns2.com
      upstream_dns_file: ""
      # Plain-DNS resolvers used only to look up the upstream hostnames above.
      bootstrap_dns:
        - 1.1.1.2
        - 1.0.0.2
        - 2606:4700:4700::1112
        - 2606:4700:4700::1002
      all_servers: true

Enter the following below for filters :

    filters:
      - enabled: true
        url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
        name: AdGuard DNS filter
        id: 1
      - enabled: true
        url: https://badmojr.github.io/1Hosts/Lite/adblock.txt
        name: 1Hosts (Lite)
        id: 1635566025
      - enabled: true
        url: https://raw.githubusercontent.com/durablenapkin/scamblocklist/master/adguard.txt
        name: Scam Blocklist by DurableNapkin
        id: 1625359388
      - enabled: true
        url: https://block.energized.pro/basic/formats/hosts.txt
        name: Energized Basic Protection
        id: 1625359389
      - enabled: true
        url: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
        name: https://github.com/StevenBlack/hosts
        id: 1625359390
      - enabled: true
        url: https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
        name: https://firebog.net/ - OSINT.digitalside.it
        id: 1625359391
      - enabled: true
        url: https://v.firebog.net/hosts/Easyprivacy.txt
        name: https://firebog.net/ - EasyPrivacy
        id: 1625359393
    whitelist_filters:
      - enabled: true
        url: https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt
        name: https://github.com/anudeepND/whitelist
        id: 1625359392
    user_rules: []

After configuring AdGuardHome via AdGuardHome.yaml, run both of the commands below :

    a - # /usr/local/etc/rc.d/adguardhome.sh restart
    b - # /usr/local/etc/rc.d/unbound onestart

Note : The best practice is to reboot your pfSense after configuring AdGuardHome via AdGuardHome.yaml.

Step 8 - I strongly recommend enabling Encryption. With Encryption the AdGuard Home admin interface will work over HTTPS, and the DNS server will listen for requests over DNS-over-HTTPS and DNS-over-TLS. For Encryption - go to the top of the AdGuardHome WEB GUI - Settings > Encryption settings - then follow the instructions :

( a ) - enable Encryption - check the Box
( b ) - Fill in the full server name, such as this example - freedom.babybaby.mywire.org : https://www.wolffhaven45.com/2017/11/07/intranet-ssl-certificate-for-pfsense-using-lets-encrypt--cloudflare/ - I recommend Dynu ACME LET'S ENCRYPT
( c ) Certificates : In order to use encryption, you need to provide a valid SSL certificate chain for your domain. You can get a free certificate on LetsEncrypt.org or you can buy it from one of the trusted Certificate Authorities.

If you follow the tutorial above you can issue yourself a LetsEncrypt Certificate cost free. This is a fictional domain. See here for how to get a Dynu Account and Credentials : https://forum.openwrt.org/t/dynu-openwrt-acme-lets-encrypt/110758

The target directory for ACME certificates is actually under /cf/config/acme/. Just browse to the directory through Diagnostics > Edit File > Browse > then open /cf - then open /conf - open up /acme - just open the two files below and copy and paste them into the appropriate boxes in the AdGuardHome WEB GUI. These are the files you will need to copy and paste :

    freedom.babybaby.mywire.org/fullchain.cer
    freedom.babybaby.mywire.org/freedom.babybaby.mywire.org.key

In order to log into the AdGuardHome WEB GUI when it is encrypted you must move the pfSense WEBGUI to a different port than 443. You may now log into the Encrypted AdGuardHome WEB GUI - this option is available by entering the following ( from the example above ) : https://freedom.babybaby.mywire.org:443 - with Encryption Enabled you will see the " green padlock " when logging in / your certificate pulls double duty. Say you moved Firewall Admin to Port 1443 - you may still log into your pfSense Encrypted WEBGUI at : https://freedom.babybaby.mywire.org:1443

PS - I started this journey in order to learn how to use DNS-over-QUIC, or DoQ. In full disclosure I exclusively use DNS-over-QUIC upstream servers with AdGuardHome. Also, I used Encryption for DNS OVER TLS bootstrap servers. So - the whole damn thing ( my DNS ) is encrypted. BTW, I certainly will not at all miss having to update the SPKI PIN Keys for DOT SERVERS in the Stubby yaml configuration file.

Bonus Feature: For Those Who Care To PIMP Their AdGuardHome WEBGUI. You must install the Stylish Addon To Use the AdGuardHome Dark Theme. Firefox addon : https://addons.mozilla.org/en-US/firefox/addon/stylish/ Chrome extension : https://tinyurl.com/yntw4wyw Go here - For Stylish Dark Themes : https://userstyles.org/styles/browse?search_terms=adguard&type=false I use XENORCHISM - https://userstyles.org/styles/178841/adguard-home-dark-theme You must enter your LAN IP ADDRESS IN the " Customize Settings " Box prior to installation. If you enabled Encryption with a valid SSL certificate chain for your domain - then enter your Full Domain Name in the " Customize Settings " Box prior to installation instead of the LAN IP. As per this example, the Full Domain Name in the " Customize Settings " Box is : freedom.babybaby.mywire.org You may then access the AdGuardHome WEBGUI on port 443 - here is the example from above : https://freedom.babybaby.mywire.org:443 - with Encryption Enabled you will see the " green padlock " when logging in / your certificate pulls double duty. Here Is What You Get After Install : See AdGuardHome Dark Screenshot. When a new AdGuardHome version becomes available on The Edge Channel it will show up in the WEBGUI. All you need to do in order to stay up to date is press the " update to the latest version " button on the AdGuardHome WEBGUI page. Easy Peasy.
  2. Dear Community, First you all know the drill by now - " The Intro " - a true legend, Jackie, to all - https://www.youtube.com/watch?v=sBa81YSyshk and the lyrics as always - https://genius.com/Jackie-wilson-baby-workout-lyrics - just for fun - https://www.youtube.com/watch?v=iNLXxDMxe18 - https://genius.com/Chris-montez-lets-dance-lyrics / Surprise Bonus : https://www.youtube.com/watch?v=sIH6s1thcWQ Now with that out of the way, let's get down to business.

I am one of the many who have tried to get WireGuard up and running on pfSense 2.5.2. Well, I am very pleased to announce that you have come to the right place if you want rock solid WireGuard on pfSense ( finally ). Forget about anything else you may have heard about how to achieve this goal - this is the most simple, direct and effective method you will find. I know - pfSense has WireGuard built in as a package - and there is pfSense-pkg-WireGuard maintained by theonemcdonald. Personally I do not find any of these solutions to be as efficient as the one I will detail here. So - here we go. OK - here we go - let's get down to the business at hand.

The first thing we must do is install all the necessary packages for this to work properly. Now you need to know that when you try to view the packages on the FreeBSD servers by way of their url - for example, https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/ - you will get the 403 Forbidden message. There is a remedy / workaround that will allow you to check out exactly what are the most recent package versions for you to install. Go to https://pkgs.org/ - once there - you will see a search box in the upper right hand corner. Just enter the package you wish to find there - then go down to FreeBSD 12 ( the distributions are listed alphabetically ) - next click on FreeBSD amd64 ( the distro pfSense 2.5.2 is based on ) - finally, go down to the Download section and copy your download url found next to the Binary Package section.

1 - All of the packages that you will need to install are found in the FreeBSD repository. Just install these packages in the order as listed below:

    A - # pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/wireguard-kmod-0.0.20210606_1.txz
    B - # pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/bash-5.1.8.txz
    C - # pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/bash-completion-2.11,2.txz
    D - # pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/wireguard-tools-1.0.20210914.txz
    E - # pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/wireguard-go-0.0.20210424,1.txz
    F - # pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/wireguard-2,1.txz

2 - To begin you need to get your WireGuard configuration files from the TorGuard website. To do so, log in to your TorGuard account then go to Tools ( along the top of the Login Page ). Then select " Config Generator " from the drop down menu. From the top line " VPN Tunnel type: " select WireGuard. Go to the next line - " VPN Server Hostname/IP: " choose your desired location. Enter your TorGuard Username and Password. You also have the option to enter your own Local Private-Key and Local Public-Key if you elect to do so. When all of the fields are complete - click on the " Generate Config " box. Download the file to your desired location. Open the numbered config file with a text editor. Your Config file will be like this - see below :

## all the information below is invalid and fictitious for obvious reasons - use your actual file and valid entries to ensure connection.

    # TorGuard WireGuard Config
    [Interface]
    PrivateKey = 0LyqOOa31kblp0mViH+TfwmBT8PIfWXuT9OUa7cvVmo=
    ListenPort = 51820
    DNS = 1.1.1.1
    Address = 100.96.0.141/24

    [Peer]
    PublicKey = fmmIzVG3JL1tjDjTIBpE+C5WQbLGCHsdIqQVodQ7yPM=
    AllowedIPs = 0.0.0.0/0
    Endpoint = 23.10.187.115:1443
    PersistentKeepalive = 25

3 - Now I used this guide as the template for my manual installation of WireGuard on pfSense, see here : https://genneko.github.io/playing-with-bsd/networking/freebsd-wireguard-quicklook/ I will make this simple for you step by step. You may sing and / or hum along as we proceed.

A - First - configure the WireGuard Client. TorGuard, AzireVPN, VPN.ac, Mullvad, IVPN, are commercial VPN providers which offer LIVE ! WireGuard Services now. I use TorGuard; here is a sample file. Keys are dummies - only used for illustrative purposes in this tutorial - use your real WireGuard configuration file here. Create the file by SSH and issue the commands below :

    A - # touch /usr/local/etc/wireguard/tunwg0.conf
    B - # nano /usr/local/etc/wireguard/tunwg0.conf

- then enter the contents of your previously downloaded TorGuard WireGuard Config as detailed above. Save and Close. Done with this file.

4 - B - Run command via SSH :

    A - # wg-quick up tunwg0

( wireguard-go is in the package and this action creates the wireguard interface ) " tunwg0 " ( tunwgZero ) must be the name of the WireGuard interface otherwise you will have issues. You may also run # wireguard-go tunwg0 to create tunwg0 but I prefer the first method mentioned here.

5 - Configure the WireGuard Service with rc.d - for automatic startup/shutdown of the tunnel. In order to achieve this there's already an rc.d script /usr/local/etc/rc.d/wireguard which came with the wireguard package. You need to issue this command :

    A - # mv /usr/local/etc/rc.d/wireguard /usr/local/etc/rc.d/wireguard.sh

/ then enter the file -

    B - # nano /usr/local/etc/rc.d/wireguard.sh

Then go to the bottom of the file - lines 46 and 47 - change :

    : ${wireguard_enable="NO"}

to :

    : ${wireguard_enable="YES"}

and then add tunwg0 on line 47 :

    : ${wireguard_interfaces=""}

to :

    : ${wireguard_interfaces="tunwg0"}

( tunwgZero ) - Save and Close - Make it executable, I run this command - it works for me:

    C - # chmod 755 /usr/local/etc/rc.d/wireguard.sh

- Done with this file.

6 - In order to have OPNsense use the default start up script ( /usr/local/etc/rc.d/wireguard.sh ) at boot time it helps to create a boot time start up script for it in /etc/rc.conf.d/. Not to prolong this - do the following :

    A - # nano /etc/rc.conf.d/wireguard

- in the new file enter the following two lines:

    wireguard_enable="YES"
    wireguard_bootup_run="/usr/local/etc/rc.d/wireguard.sh"

Save and Close - Make it executable (tunwg0)

    B - # chmod 755 /etc/rc.conf.d/wireguard

/ Done with this file.

7 - A - Now head to the pfSense WEBGUI in order to configure the WireGuard Interface ( created earlier ) and Firewall Rule. First, go along the top menu - go to Interfaces > Assignments - choose the tunwg0 interface from the drop down menu. Click on the + Add Button. The selection will be listed as opt1, opt2 or some similar name depending on the number of your pre-configured LAN interfaces. Click underneath opt2 ( in my case ) - then when the page opens up - Enable the new interface. Name the new interface - in my case " WIRE ". DO NOTHING ELSE HERE ! Save and Apply - Done with this phase.

B - Second - Firewall Rule - go to Firewall > NAT > Outbound > Once on this Landing Page put a Dot in the radio button Hybrid outbound NAT rule generation - Click on Save - Do Not - Repeat Do Not Click Save and Apply At This Time - Instead Click on the Add Square with Up Arrow ( underneath Mappings ). On the page which opens change Interface from WAN in the drop down menu to your WireGuard ( tunwg0 ) Interface which you created and labeled previously - in this example " WIRE ". Next - Change " Address Family " to IPV4 - " Protocol " to " Any " - " Source " to " Any " - " Destination " to " Any " - " Translation Address " to " Interface Address " - Lastly enter " Description " in my case " Made For Wire " now Click " Save " at the bottom of the page. Finally click " Save and Apply " at the top of the page.

Your WireGuard Client is now installed and ready - you must enter the command below in order to start it up :

    # /usr/local/etc/rc.d/wireguard.sh restart

Lastly, issue the command # wg show which prints out your WireGuard Connection statistics and configuration. Sample output for wg show below:

    interface: tunwg0
      public key: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
      private key: (hidden)
      listening port: 51820

    peer: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
      endpoint: 159.x.xxx.xxx:xxx
      allowed ips: 0.0.0.0/0
      latest handshake: 1 minute, 46 seconds ago
      transfer: 3.35 MiB received, 859.23 KiB sent
      persistent keepalive: every 25 seconds

This solution is guaranteed to ensure that the WireGuard interface ( tunwg0 ) has the ability to survive a reboot. When you reboot or reestablish the connection - go to Status > Filter Reload - then press the Reload Filter Radio Button to get yourself up and running once again.
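An added monitoring example, not part of the post above: it parses `wg show` output of the shape quoted there and reports when the full-route peer ( AllowedIPs 0.0.0.0/0 ) has no recent handshake, i.e. when the tunnel is stalled rather than carrying traffic. The sample output is constructed from the post's dummy values and the 180-second staleness threshold is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of the `wg show` output quoted above; the
# keys and endpoint are the post's dummy values, not a live tunnel.
SAMPLE_WG_SHOW = """\
interface: tunwg0
  public key: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
  private key: (hidden)
  listening port: 51820

peer: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
  endpoint: 159.x.xxx.xxx:xxx
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 46 seconds ago
  transfer: 3.35 MiB received, 859.23 KiB sent
  persistent keepalive: every 25 seconds
"""

_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_age(text: str) -> Optional[int]:
    """'1 minute, 46 seconds ago' -> 106 seconds; None if nothing parseable."""
    parts = re.findall(r"(\d+)\s+(second|minute|hour|day)s?", text)
    if not parts:
        return None
    return sum(int(n) * _UNITS[unit] for n, unit in parts)


@dataclass
class Peer:
    public_key: str
    endpoint: str = ""
    allowed_ips: str = ""
    handshake_age: Optional[int] = None   # seconds since the last handshake
    keepalive: Optional[int] = None       # seconds, None when off/absent


def parse_wg_show(output: str) -> Tuple[Optional[str], List[Peer]]:
    """Split `wg show` text into the interface name and its peers."""
    iface, peers, cur = None, [], None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "interface":
            iface, cur = value, None
        elif key == "peer":
            cur = Peer(public_key=value)
            peers.append(cur)
        elif cur is not None:
            if key == "endpoint":
                cur.endpoint = value
            elif key == "allowed ips":
                cur.allowed_ips = value
            elif key == "latest handshake":
                cur.handshake_age = parse_age(value)
            elif key == "persistent keepalive":
                m = re.search(r"\d+", value)
                cur.keepalive = int(m.group()) if m else None
    return iface, peers


def tunnel_health(output: str, max_age: int = 180) -> Tuple[bool, List[str]]:
    """Judge the tunnel from `wg show` output.

    With AllowedIPs = 0.0.0.0/0 every route points into the tunnel, so a peer
    whose handshake has gone stale means traffic is stalled, not leaking, and
    that is what to alert on. max_age is an assumed threshold: WireGuard
    re-handshakes roughly every two minutes while traffic flows.
    """
    iface, peers = parse_wg_show(output)
    findings = []
    if iface is None:
        return False, ["no interface block: tunnel interface is not up"]
    if not peers:
        findings.append(f"{iface}: no peers configured")
    for p in peers:
        tag = f"{iface} peer {p.public_key[:8]}..."
        if p.handshake_age is None:
            findings.append(f"{tag}: no handshake yet")
        elif p.handshake_age > max_age:
            findings.append(f"{tag}: last handshake {p.handshake_age}s ago")
        if p.allowed_ips == "0.0.0.0/0" and p.keepalive is None:
            findings.append(f"{tag}: full-tunnel peer without persistent keepalive")
    return not findings, findings
```

Feed it the real output with `tunnel_health(subprocess.run(["wg", "show"], capture_output=True, text=True).stdout)` from a cron job and act on the findings list.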
  3. Dear Community, First you all know the drill by now - " The Intro " - as a peace loving man and in light of the turbulent times we all must endure - here we go without no further ado - Kool and The Gang / https://www.youtube.com/watch?v=JgxWC3iZh7A and the lyrics if you care to sing along - https://genius.com/Kool-and-the-gang-love-and-understanding-lyrics and one of my favorites - The Chambers Brothers - https://www.youtube.com/watch?v=BvCH-6kOAGs - lyrics here : https://genius.com/The-chambers-brothers-love-peace-and-happiness-lyrics This is a new updated guide designed to assist you in installing DNS Privacy DNS OVER TLS on pfSense 2.5.2 . Please disregard and do not use any guides and / or tutorials which predate this one. The setup features getdns and Stubby forwarded to and integrated with Unbound. You may refer to my earlier guide / tutorial here for additional information regarding the benefits of DNS Privacy DNS OVER TLS - see link here - https://bit.ly/3p0AGwX OK - Here go - let's get down to the business at hand. The first thing we must do is install all the necessary packages for this to work properly. Now you need to know that when you try to view the packages on the FreeBSD servers by way of their url - for example , https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/ - you will get the 403 Forbidden message. There is a remedy / workaround that will allow you to check out exactly what are the most recent package versions for you to install. Go to https://pkgs.org/ - once there - you will see a search box in the upper right hand corner. Just enter the package you wish to find there - then go down to FreeBSD 12 ( the distributions are listed alphabetically - next click on FreeBSD amd64 ( the distro pfSense 2.5.2 is based on ) - finally, go down to the Download section and copy your download url found next to the Binary Package section. 1 - There are four dependency packages required before actually installing the getdns package. 
Two are available in the pfSense package repositories and two from the FreeBSD repository. Lastly the getdns package itself is also in the FreeBSD repository. So to begin enter these commands below in the order : A # pkg install libuv B # pkg install libyaml ( both of these will install from native pfSense 2.5.2 box ) . The following packages must be installed from FreeBSD. C # pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/libev-4.33,1.txz D # pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/libidn-1.35.txz Now - here is where this guide diverges from its' predecessors. There is a new specific iteration of Unbound which pfSense 2.5.2 has installed. The package is called - unbound112-1.12.0_1 . Now if you attempt to add getdns-1.5.2_4.txz package via pkg add url method - see below : ( # pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/getdns-1.5.2_4.txz ) ### this will not work ! the installation will fail and complain that " missing dependency Unbound " is the reason. so here is the solution to that dilemma below : enter the following command E # fetch https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/getdns-1.5.2_4.txz From there you can enter command # ls -a / and you will see that getdns-1.5.2_4.txz package is now in your root directory. Next just enter the command F # pkg install getdns-1.5.2_4.txz follow the prompts answering " yes " to any all. By the way, once this package is successfully installed it must remain in your root directory otherwise DNS OVER TLS will stop working if you remove it for any reason. Now you may proceed as in the usual fashion. 2 - Now to put all of this together, The stubby.in file is located here - /usr/local/etc/rc.d/stubby by default. 
First though Stubby needs Unbound root.key - run this command before getting started: # su -m unbound -c /usr/local/sbin/unbound-anchor Then - A - Issue this command : # mv /usr/local/etc/rc.d/stubby /usr/local/etc/rc.d/stubby.sh Make it executable - I run two commands - it works for me: # chmod 755 /usr/local/etc/rc.d/stubby.sh B - Yes must enable Stubby Daemon in the file - open file by : nano /usr/local/etc/rc.d/stubby.sh go to line 27 - : ${stubby_enable="NO"} change the setting to : ${stubby_enable="YES"} - that is all you have to do to this file. It comes pre-configured. Save and exit. 3 - Now you must configure Stubby to resolve DNS OVER TLS - A -# nano /usr/local/etc/stubby/stubby.yml ################################################################################ ######################## STUBBY YAML CONFIG FILE ############################### ################################################################################ # This is a yaml version of the stubby configuration file (it replaces the # json based stubby.conf file used in earlier versions of getdns/stubby). 
# # For more information see # https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby # resolution_type: GETDNS_RESOLUTION_STUB dns_transport_list: - GETDNS_TRANSPORT_TLS tls_authentication: GETDNS_AUTHENTICATION_REQUIRED tls_query_padding_blocksize: 128 edns_client_subnet_private : 1 idle_timeout: 9000 listen_addresses: - [email protected] - 0::[email protected] tls_connection_retries: 5 tls_backoff_time: 900 timeout: 2000 round_robin_upstreams: 1 tls_ca_file: "/usr/local/share/certs/ca-root-nss.crt" dnssec_trust_anchors: "/usr/local/etc/unbound/root.key" # add the right path upstream_recursive_servers: ### IPV4 Servers ### ### DNS Privacy DOT Test Servers ### ## 1 - The getdnsapi.net DNS TLS Server A+ ( NLD ) - address_data: 185.49.141.37 - address_data: 2a04:b900:0:100::38 tls_auth_name: "getdnsapi.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q= ## 2 - The Surfnet/Sinodun DNS TLS Servers #3 A+ ( NLD ) - address_data: 145.100.185.18 - address_data: 2001:610:1:40ba:145:100:185:18 tls_port: 853 tls_auth_name: "dnsovertls3.sinodun.com" tls_pubkey_pinset: - digest: "sha256" value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8= ## xx - The The Surfnet/Sinodun DNS TLS Server A ( NLD ) - address_data: 145.100.185.15 - address_data: 2001:610:1:40ba:145:100:185:15 tls_auth_name: "dnsovertls.sinodun.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4= ## xx - The The Surfnet/Sinodun DNS TLS Server #1 A ( NLD ) - address_data: 145.100.185.16 - address_data: 2001:610:1:40ba:145:100:185:16 tls_auth_name: "dnsovertls1.sinodun.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA= ## 3 - The dns.cmrg.net DNS TLS Server A+ ( CAN ) - address_data: 199.58.81.218 - address_data: 2001:470:1c:76d::53 tls_auth_name: "dns.cmrg.net" tls_port: 853 tls_pubkey_pinset: - digest: "sha256" value: 
3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo= ## 4 - The BlahDNS Japan DNS TLS Server A+ ( JPN ) - address_data: 139.162.112.47 - address_data: 2400:8902::f03c:92ff:fe27:344b tls_auth_name: "dot-jp.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: /llFOsnvj7GcXasKrojhZl6nRnnn4D8sRuDUKEdiZzM= ## xx - The BlahDNS German DNS TLS Server A+ ( USA Hosted In DEU ) - address_data: 78.46.244.143 - address_data: 2a01:4f8:c17:ec67::1 tls_auth_name: "dot-de.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: c6xmf1GsYo1IFyxc+CWfjYo+xpSV9i98H7InJTDylsU= ## xx - The BlahDNS Finland DNS TLS Server A+ ( FIN ) - address_data: 95.216.212.177 - address_data: 2a01:4f9:c010:43ce::1 tls_auth_name: "dot-fi.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: EVL610kmcSvN01nzJkkzl94IHiIVvW0PovbB5En2QfU= ## xx - The BlahDNS Singapore DNS TLS Server A+ ( SGP ) - address_data: 192.53.175.149 - address_data: 2400:8901::f03c:92ff:fe27:870a tls_auth_name: "dot-sg.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: B+aX4NBLfDsKlOWf8RM6rjL8yOCF9sZlHQnarDNrrWM= ## xx - The BlahDNS Switzerland DNS TLS Server A+ ( CHE ) - address_data: 45.91.92.121 - address_data: 2a05:9406::175 tls_auth_name: "dot-ch.blahdns.com" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: cxti1XR6uW483xAioP3d1ZaoGSy+obY6WaE4fW1A6Nk= ## 5 - The dns.neutopia.org DNS TLS Server A+ ( FRA ) - address_data: 89.234.186.112 tls_auth_name: "dns.neutopia.org" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI= ## 6 - The Foundation for Applied Privacy DNS TLS Server #1 A+ ( AUT ) - address_data: 146.255.56.98 - address_data: 2a02:1b8:10:234::2 tls_auth_name: "dot1.applied-privacy.net" tls_port: 443 tls_pubkey_pinset: - digest: "sha256" value: xhQVPE+X85b9LkORuEhxfsxE1X2EbOm8v5ytxCqg5BI= ## 7 - The Secure DNS Project by PumpleX DNS TLS Server #1 A+ ( GBR ) - address_data: 51.38.83.141 
    tls_auth_name: "dns.oszx.co"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: Am37BK5eBKSafYNJupWsoh5pokR3wwJ5zs7xvniF6XE=
## 8 - The dismail.de DNS TLS Server #1 A+ ( DEU )
  - address_data: 80.241.218.68
    tls_port: 853
    tls_auth_name: "fdns1.dismail.de"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: MMi3E2HZr5A5GL+badqe3tzEPCB00+OmApZqJakbqUU=
## xx - The dismail.de DNS TLS Server #2 A+ ( USA )
  - address_data: 159.69.114.157
    tls_port: 853
    tls_auth_name: "fdns2.dismail.de"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: yJYDim2Wb6tbxUB3yA5ElU/FsRZZhyMXye8sXhKEd1w=
## 9 - The Lorraine Data Network DNS TLS Server A+ ( FRA )
  - address_data: 80.67.188.188
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
## This certificate is currently expired which
## does not pose any concerns in SPKI mode
## (in practice with Stubby)
## Source : https://ldn-fai.net/serveur-dns-recursif-ouvert/
## 10 - The ibksturm.synology.me DNS TLS Server A+ ( CHE )
  - address_data: 213.196.191.96
    tls_auth_name: "ibksturm.synology.me"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: yrMslOFXpWeLoNw0YgQk/pA5vl2mqXfBOASYLLeqDxc=
## 11 - The dns.flatuslifir.is DNS TLS Server A+ ( ISL )
  - address_data: 46.239.223.80
    tls_auth_name: "dns.flatuslifir.is"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: b9sJFKc+wycfm4FHB9ddNopdeKceru+sZk0w5nz4xfQ=
### Publicly Available DOT Test Servers ###
## 12 - The FEROZ SALAM DNS TLS Server A+ ( GBR )
  - address_data: 46.101.66.244
    tls_auth_name: "doh.li"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: ugm6mY2NNKi0I/Q+pofAgx0c31tbcW6xYAImZXr5Oqo=
## 13 - The Andrews & Arnold DNS TLS Server #1 A+ ( GBR )
  - address_data: 217.169.20.23
    tls_auth_name: "dns.aa.net.uk"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: sS2Atff8wMigRVTxmS36FbMaXiCWsxLgD3AOtTA9eeU=
## xx - The Andrews & Arnold DNS TLS Server #2 A+ ( GBR )
  - address_data: 217.169.20.22
    tls_auth_name: "dns.aa.net.uk"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /jchI7afFvSaVm4DCTksJcPHyK7uvbcwNUtTNNV4Bek=
## 14 - The dns.seby.io - Vultr DNS TLS Server A+ ( AUS )
  - address_data: 45.76.113.31
    tls_auth_name: "dot.seby.io"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: H13Su1659zEn0ZIblEShwjZO+M5gxKK2wXpVKQHgibM=
## xx - The dns.seby.io - OVH DNS TLS Server A+ ( AUS )
  - address_data: 139.99.222.72
    tls_auth_name: "dot.seby.io"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /3AxvvuWCQmYQ4/mqHJzPL1rPC7KxaahVPmUkoSVR5A=
## 15 - The Digitale Gesellschaft DNS TLS Server #1 A+ ( CHE )
  - address_data: 185.95.218.43
  - address_data: 2a05:fc84::43
    tls_auth_name: "dns.digitale-gesellschaft.ch"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: sAH7JR5A8WA+hs1ZGXPS/uq3Y1wufBi2wQ8Crk+oR2Q=
## xx - The Digitale Gesellschaft DNS TLS Server #2 A+ ( CHE )
  - address_data: 185.95.218.42
  - address_data: 2a05:fc84::42
    tls_auth_name: "dns.digitale-gesellschaft.ch"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: Fpgt86sGjlL4sbgNmd1WX0BYEIEJ7yQk9rp+uQKxI+w=
## 16 - The Antoine Aflalo DNS TLS Server #1 A+ ( USA )
  - address_data: 168.235.81.167
    tls_auth_name: "dns-nyc.aaflalo.me"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: Dn58VD18MLkmmG9wvzvSs30Tu1Rd65igDLpp1odYaAc=

# Set the acceptable ciphers for DNS over TLS. With OpenSSL 1.1.1 this list is
# for TLS1.2 and older only. Ciphers for TLS1.3 should be set with the
# tls_ciphersuites option. This option can also be given per upstream.
tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"

# Set the acceptable cipher for DNS over TLS1.3. OpenSSL >= 1.1.1 is required
# for this option. This option can also be given per upstream.
tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"

# Set the minimum acceptable TLS version. Works with OpenSSL >= 1.1.1 only.
# This option can also be given per upstream.
tls_min_version: GETDNS_TLS1_2

# Set the maximum acceptable TLS version. Works with OpenSSL >= 1.1.1 only.
# This option can also be given per upstream.
tls_max_version: GETDNS_TLS1_3

When I get some time - next day or two - I will post a separate Forum entry which lists many more DNS OVER TLS servers that are publicly available for all. However, these are more than enough to get you started.

4 - In order to have pfSense 2.5.2 use the default start up script ( /usr/local/etc/rc.d/stubby.sh ) at boot time it helps to create a boot time start up script for it in /etc/rc.conf.d/. Not to prolong this - do the following :

# touch /etc/rc.conf.d/stubby - create the needed new file
# nano /etc/rc.conf.d/stubby - in the new file enter the following two lines:

stubby_enable="YES"
stubby_bootup_run="/usr/local/etc/rc.d/stubby.sh"

Save and exit / then make the file executable - once again - works for me :

# chmod 755 /etc/rc.conf.d/stubby

5 - Now you must configure your Unbound DNS Server to use Stubby for DNS Over TLS. Go to Services > DNS RESOLVER > General Settings > Display Custom Options. In the Custom options Box - enter the following below :

server:
do-not-query-localhost: no
forward-zone:
name: "." # Allow all DNS queries
forward-addr: [email protected]
forward-addr: 0::[email protected]

Save and Apply

6 - Next - Under System > General Setup > DNS Server Settings

A - Set the first DNS Server to 127.0.0.1 - add no other DNS Servers here
B - DNS Server Override - make sure this is unchecked
C - DNS Resolution Behavior - Use local DNS (127.0.0.1), fall back to remote DNS SERVERS (Default)

Save and Apply

Reboot your router or run the command # /usr/local/etc/rc.d/stubby.sh restart

You are all set up now. You are now running DNS OVER TLS with GETDNS plus STUBBY ( a fully featured TLS forwarder ) along with an Unbound DNS Caching Server.
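Added example, not part of the post above: a small audit of a Stubby upstream list in the layout shown above. Stubby authenticates an upstream either by tls_auth_name (hostname check against the certificate) or by tls_pubkey_pinset (SPKI pin); with tls_authentication set to GETDNS_AUTHENTICATION_REQUIRED an upstream with neither is rejected, in opportunistic mode it is still used without any authentication. The LDN entry above (port 443, pin only, expired certificate) is exactly the PIN-ONLY case the audit reports. The awk parsing assumes Stubby's own indentation and takes 853 (Stubby's default) when tls_port is absent; the sample list and its pins are constructed for the demo, not real servers.

```shell
#!/bin/sh
# Added example (not from the forum post): report what authenticates each
# upstream in a Stubby upstream_recursive_servers list.
# Assumes the indented YAML layout of stubby.yml:
#   - address_data: <ip>
#     tls_auth_name: "<host>"
#     tls_port: <n>
#     tls_pubkey_pinset:
#       - digest: "sha256"
#         value: <base64>

# audit_stubby_upstreams FILE
# One line per upstream:
#   <address> port=<n> auth=<name|none> pins=<count> <OK|NAME-ONLY|PIN-ONLY|UNAUTHENTICATED>
audit_stubby_upstreams() {
    awk '
    function flush() {
        if (addr == "") return
        if (name != "" && pins > 0) verdict = "OK"
        else if (name != "")        verdict = "NAME-ONLY"
        else if (pins > 0)          verdict = "PIN-ONLY"
        else                        verdict = "UNAUTHENTICATED"
        printf "%s port=%s auth=%s pins=%d %s\n",
               addr, port, (name == "" ? "none" : name), pins, verdict
    }
    /^[[:space:]]*#/ { next }                       # YAML comments
    /^[[:space:]]*-[[:space:]]*address_data:/ {     # a new upstream starts
        flush()
        addr = $NF; port = 853; name = ""; pins = 0 # 853 is the Stubby default
        next
    }
    /^[[:space:]]*tls_auth_name:/ { name = $NF; gsub(/"/, "", name); next }
    /^[[:space:]]*tls_port:/      { port = $NF; next }
    /^[[:space:]]*value:/         { pins++; next }  # one pin per value: line
    END { flush() }
    ' "$1"
}

# count_weak_upstreams FILE -> number of upstreams that are not OK
count_weak_upstreams() {
    audit_stubby_upstreams "$1" | grep -vc ' OK$' || true
}

# write_sample_upstreams -> path of a constructed sample list (documentation
# addresses, fake pins); three shapes: name+pin, pin only, nothing at all.
write_sample_upstreams() {
    f=$(mktemp "${TMPDIR:-/tmp}/stubby.XXXXXX") || return 1
    cat > "$f" <<'EOF'
upstream_recursive_servers:
## constructed: name and pin (what you want)
  - address_data: 192.0.2.10
    tls_auth_name: "dot.example.test"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
## constructed: pin only on port 443 (the LDN shape)
  - address_data: 192.0.2.11
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
## constructed: nothing to authenticate the server with
  - address_data: 192.0.2.12
EOF
    echo "$f"
}

# Stand-alone: audit the file given as $1, or the constructed sample.
if [ -n "${1:-}" ]; then
    audit_stubby_upstreams "$1"
else
    sample=$(write_sample_upstreams)
    audit_stubby_upstreams "$sample"
    echo "weak upstreams: $(count_weak_upstreams "$sample")"
    rm -f "$sample"
fi
```

Run it against /usr/local/etc/stubby/stubby.yml on the router; any UNAUTHENTICATED line is an upstream that a misconfigured tls_authentication would let Stubby talk to with no check at all, and a PIN-ONLY line is one whose security rests entirely on keeping that pin current when the operator rotates keys.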
4. Originally I was going to use WireGuard on 1 VM but found I had to start routing more than I originally planned. So I've now switched to setting up WireGuard in pfSense. I got WireGuard in pfSense and all is fine with WireGuard itself ( at least I think it's not the issue ). Now I want to direct some traffic out WireGuard and other traffic out WAN.

Once I connect the WireGuard, all NON-VPN devices lose access to the Internet - they can still communicate with each other inside the network but lose the ability to do anything internet based. However my VPN devices are working as they should; I haven't confirmed they are doing DNS properly yet as I want to get my other devices working first.

To get WireGuard working I used steps from:

Basically I only have a few hosts to send out WireGuard; the majority will use WAN ( including DHCP clients ). I'd like to take a group of IPs and make those go out the VPN, and anything else not.

WAN interface has public internet IP - 68.x.x.x
LAN gateway, this is the gateway on all devices - 192.168.1.1
DHCP Range - 192.168.1.130 - 192.168.1.254

Created an alias:

NAT/Outbound - Hybrid Outbound

I THINK this is allowing the wanted "protected" devices out via the VPN - this is good and what I'm wanting.

In Firewall/Rules/LAN I have the following:

Most examples for building this type of routing rules have involved OpenVPN and are from 2015. While this should be getting me close I still am not getting it to work. The things I've read indicate that the VPN connection should become a second gateway, and I'd just set that as the gateway on the VPN devices. However when I bring the WireGuard connection up there is no second gateway getting auto-magically created. Do I have to create one? Shouldn't the rules I've put in place allow the flow of traffic over VPN, and if not meeting VPN then it flows over regular?
5. Hello Community - First of all I hope that all is well with all. These are troubling times that we currently are in. May Peace and Love Prevail.

As Always The Intro - Lyrics by Jimi here - https://genius.com/Jimi-hendrix-power-of-love-lyrics and video : Power of Love - https://www.youtube.com/watch?v=-k-9Hb7RdgY Bonus - We Gotta Live Together (Live At Filmore East, 1970 / 50th Anniversary) - Lyrics - https://genius.com/Jimi-hendrix-we-gotta-live-together-live-at-filmore-east-1970-50th-anniversary-lyrics and video - https://www.youtube.com/watch?v=OOIuSsA72nM

Now - let's get down to business. I recently bought a new mini-pc ( Qotom-Q375G4 Intel Core I7-5500U ) and I installed pfSense on it alongside OPNsense. This little beast has 1 x Minipcie port (for mSATA SSD) and a regular 1 x SATA Port on which I installed a Samsung SSD 860 EVO 250GB 2.5 Inch SATA III Internal SSD.

So, OPNsense offers plugins and it is very easy to add the modules. Netdata is one of these plugins and I love it. Unfortunately, pfSense does not offer this as a native package. So, I set out to be able to install Netdata on pfSense. I looked around and found that this was not that difficult to achieve. So, I am putting this together for those who may wish to monitor their pfSense router with Netdata. Netdata boasts - Monitor everything in real time for free with Netdata. See here : https://github.com/netdata/netdata

OK - here is what you need to do in order to get Netdata up and running on pfSense. I followed this guide here : https://learn.netdata.cloud/docs/agent/packaging/installer/methods/pfsense - Honestly this is a great guide - one of the best I have read.

First - you need to install these four packages from the pfSense package repo with the following command below via SSH -

1 - # pkg install -y pkgconf bash e2fsprogs-libuuid libuv nano

Next ( just follow the aforementioned guide ) - however you must always check the FreeBSD repo to see that you have the latest packages listed below; otherwise you will get an error message that " the package was not found ". Also, I have found as of late that if you try to access the main FreeBSD repo by entering the " https://pkg.freebsd.org/FreeBSD:12:amd64/latest/All/ " url - you will get the " 403 Forbidden - nginx error ". This precludes you from viewing the current FreeBSD package list. I searched around and found a FreeBSD package repo that seems to be up and stable - it is " http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/ " located in South Africa. Virtually all of the FreeBSD package repos are inaccessible as well. Oddly enough, you are still able to download the FreeBSD packages from the main repo - it is just that you can not see the repo packages ( to check package latest versions by entering the url ). With that being said - let's proceed.

So here we begin the process of installing the necessary packages from the FreeBSD repo. Some of these packages have been updated since the time that the referenced tutorial ( https://learn.netdata.cloud/docs/agent/packaging/installer/methods/pfsense ) was written / Last updated on 5/19/2020. Also - remember to install the packages for your architecture. pfSense 2.4.5_1 is based on FreeBSD 11.3-STABLE - so you would go to : http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/ for your packages. If you are like me and you run pfSense 2.5.0 ( Development Snapshots which are based on FreeBSD 12.0 ) you will need packages from : http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/ - With that all out of the way - no more delays.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Install these packages from the FreeBSD repo ( for pfSense 2.5.0 ) in the exact order as listed via SSH as shown below :

2 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/Judy-1.0.5_2.txz
3 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/py37-certifi-2020.6.20.txz
4 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/py37-asn1crypto-1.3.0.txz
5 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/py37-pycparser-2.20.txz
6 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/py37-cffi-1.14.0_1.txz
7 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/py37-six-1.14.0.txz
8 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/py37-cryptography-2.6.1.txz
9 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/py37-idna-2.8.txz
10 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/py37-openssl-19.0.0.txz
11 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/py37-pysocks-1.7.1.txz
12 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/py37-urllib3-1.25.7,1.txz
13 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/py37-yaml-5.3.1.txz
14 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/netdata-1.23.1.txz

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Install these packages from the FreeBSD repo ( for pfSense 2.4.5_1 ) in the exact order as listed via SSH as shown below :

2 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/Judy-1.0.5_2.txz
3 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/py37-certifi-2020.6.20.txz
4 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/py37-asn1crypto-1.3.0.txz
5 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/py37-pycparser-2.20.txz
6 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/py37-cffi-1.14.0_1.txz
7 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/py37-six-1.14.0.txz
8 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/py37-cryptography-2.6.1.txz
9 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/py37-idna-2.8.txz
10 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/py37-openssl-19.0.0.txz
11 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/py37-pysocks-1.7.1.txz
12 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/py37-urllib3-1.25.7,1.txz
13 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/py37-yaml-5.3.1.txz
14 - # pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/netdata-1.23.1.txz

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

After installing all these packages above Netdata is installed on your pfSense Box. We must now configure Netdata. As the guide says you must edit the following file " /usr/local/etc/netdata/netdata.conf ". You may accomplish this through the WEBGUI or by using Nano.

For WEBGUI - from the top line Menu go to Diagnostics > from the drop down menu go to > Edit File. Paste " /usr/local/etc/netdata/netdata.conf " in the " Path to file to be edited " Box - then click on " Load ". The file will appear and you can edit it easily from here.

Third line from the bottom - you must change ( designate ) the " bind to = " address from the default " 127.0.0.1 " to something else. The guide suggests the address " 0.0.0.0 " - I change the address to that of my LAN IP Address. For example if your LAN IP is 192.168.7.23 - enter that address as follows : " bind to = 192.168.7.23 " then click on Save. I do this to restrict access to Netdata on my pfSense instance.

Now we need to set up Netdata to start on boot up. The author notes that " To start Netdata manually, run service netdata onestart. " - this is only good for a one time start. You now can enter Netdata by going to http://192.168.7.23:19999 after manual start in this example. The guide suggests using the Shellcmd utility in order to start Netdata at boot. I disagree and will show you how to start Netdata at boot the standard pfSense way. See below -

Start Netdata At Boot:

1 - In pfSense, the Netdata configuration files are located under /usr/local/etc/netdata. See the very bottom of the page for this information. So in order to start Netdata at boot do the following :

A - Issue the following command via SSH -

# mv /usr/local/etc/rc.d/netdata /usr/local/etc/rc.d/netdata.sh

B - Make the new file executable - I run two commands - works for me :

# chmod 744 /usr/local/etc/rc.d/netdata.sh
and
# chmod a+x /usr/local/etc/rc.d/netdata.sh

C - Edit the new file - go to line 37 : ${netdata_enable="NO"} and change from : ${netdata_enable="NO"} to : ${netdata_enable="YES"}

You may edit the file " /usr/local/etc/rc.d/netdata.sh " as before either through WEBGUI or Nano.

Reboot your pfSense router and you will see that Netdata starts on boot.

Enjoy and Peace Always Unto You and The Entire World.
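Added example, not part of the post above: a shell helper that makes the "bind to" change from the post scriptable and refuses the two settings that undo the point of it, the all-interfaces address 0.0.0.0 (which would also answer on WAN) and anything that is not a dotted IPv4 address. It assumes the "bind to" line lives in the [web] section, as it does in the default netdata.conf; the sample conf written by write_sample_netdata_conf is constructed for the demo, and 192.0.2.23 stands in for your LAN address.

```shell
#!/bin/sh
# Added example (not from the forum post): set the Netdata listener address
# in netdata.conf to one LAN address, refusing 0.0.0.0 and non-IPv4 input.
# Assumes "bind to = ..." sits in the [web] section (default netdata.conf).

# valid_ipv4 ADDR -> 0 if ADDR is four octets in 0-255
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# get_netdata_bind CONF -> prints the current "bind to" value in [web]
get_netdata_bind() {
    awk '
        /^\[/ { inweb = ($0 ~ /^\[web\][[:space:]]*$/) }
        inweb && /^[[:space:]]*bind to[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }' "$1"
}

# set_netdata_bind CONF ADDR -> rewrites "bind to" in [web]; non-zero on refusal
set_netdata_bind() {
    conf=$1; addr=$2
    if ! valid_ipv4 "$addr"; then
        echo "refusing '$addr': not a dotted IPv4 address" >&2; return 1
    fi
    if [ "$addr" = "0.0.0.0" ]; then
        echo "refusing 0.0.0.0: that exposes Netdata on every interface, WAN included" >&2
        return 2
    fi
    tmp=$(mktemp "${TMPDIR:-/tmp}/netdata.XXXXXX") || return 3
    # Replace the (possibly commented-out) bind line, fail if [web] has none.
    if ! awk -v addr="$addr" '
        /^\[/ { inweb = ($0 ~ /^\[web\][[:space:]]*$/) }
        inweb && /^[[:space:]]*#?[[:space:]]*bind to[[:space:]]*=/ {
            print "\tbind to = " addr; done = 1; next
        }
        { print }
        END { if (!done) exit 1 }' "$conf" > "$tmp"; then
        rm -f "$tmp"
        echo "no 'bind to' line found in the [web] section of $conf" >&2
        return 4
    fi
    cat "$tmp" > "$conf" && rm -f "$tmp"   # cat keeps the original file mode
}

# write_sample_netdata_conf -> path of a constructed minimal netdata.conf
write_sample_netdata_conf() {
    f=$(mktemp "${TMPDIR:-/tmp}/netdata.XXXXXX") || return 1
    cat > "$f" <<'EOF'
# constructed sample, not a real netdata.conf
[global]
    run as user = netdata
[web]
    bind to = 127.0.0.1
EOF
    echo "$f"
}

# Stand-alone: CONF ADDR given as arguments, or a demo on the sample file.
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    set_netdata_bind "$1" "$2" && echo "bind to = $(get_netdata_bind "$1")"
else
    c=$(write_sample_netdata_conf)
    set_netdata_bind "$c" 192.0.2.23 && echo "bind to = $(get_netdata_bind "$c")"
    rm -f "$c"
fi
```

Binding to the LAN address only narrows which interface answers; Netdata itself has no authentication, so a LAN firewall rule that limits TCP 19999 to the hosts that should see the dashboard is the matching second half.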
6. Dear TorGuard pfSense WireGuard Users,

Please Read The Entire Guide / Tutorial Before You Begin - It Will Save You Potential Setup Issues and Detail All Setup Options

First you all know the drill by now - " The Intro " to pay homage to an all time oft forgotten Stax Great who speaks my mind right about now / lyrics - https://genius.com/Otis-redding-respect-lyrics and video : https://www.youtube.com/watch?v=7BDw-H_hUzw - and Nina Simone to boot : lyrics : https://genius.com/Nina-simone-mississippi-goddam-lyrics and video : https://www.youtube.com/watch?v=LJ25-U3jNWM

Hello and I hope all are safe and well. Ascrod has been kind enough to make available a package for WireGuard on pfSense. I have tested the package and would like to recommend this to all of those who might be interested. The package thread and discussion are found here : https://forum.netgate.com/topic/150943/i-made-a-wireguard-package-for-pfsense and here on Github : https://github.com/Ascrod/pfSense-pkg-wireguard

Here are Ascrod's assets in releases on github : https://github.com/Ascrod/pfSense-pkg-wireguard/releases

There is a webgui for WireGuard and it works well. The package works very well on pfSense 2.4.5. I was finally able to build my own Lucasnz pfSense 2.5.0 package successfully - and it worked as intended. Read the update for pfSense 2.5.0 pfSense-pkg-wireguard below.

There also is a fork of this pfSense package developed by Ashus / pfSense-pkg-wireguard found here : https://github.com/Ashus/pfSense-pkg-wireguard

Lucasnz - see here for homepage : https://github.com/lucasnz/pfSense-pkg-wireguard ( lucasnz/pfSense-pkg-wireguard forked from Ascrod/pfSense-pkg-wireguard )

Here are Lucasnz's assets in releases on github : https://github.com/lucasnz/pfSense-pkg-wireguard/releases/tag/v1.0.1 - Please Note He Has Only One Package Which Is For pfSense 2.4.5 .

If you want Lucasnz for pfSense 2.5.0 then you may either use the pre-compiled package I offer up here or build your own by following the tutorial provided below. For those interested - I have one link to a tutorial and another which points you to an already compiled Lucasnz package for pfSense 2.5.0 - which is based on FreeBSD 12. The tutorial illustrates and instructs you how to build your own Lucasnz pfSense-pkg-wireguard-1.0.1.txz package. The reason that I chose Lucasnz is because " it just works ". Lucasnz WireGuard for pfSense survives reboots, upgrades - and has no issues with DNS or any such other related problems. The links are here below for all those interested :

https://drive.google.com/file/d/1b8coPZvqmhisHpoFBfOBV9BYaH917yaC/view?usp=sharing / tutorial link
https://drive.google.com/file/d/1SaggDk6-1BOwcSa4-498jQfGZICqqvsb/view?usp=sharing / package download

These really work well IMHO - so I hope this helps and a word to the wise should be sufficient. I am going to try to get Ashus / pfSense-pkg-wireguard to work on pfSense 2.5.0 and I will report my findings.

UPDATE BELOW :

Well, I got in touch with Ashus - and he was kind enough to build and compile a " proper and official " pfSense-pkg-wireguard-1.0.1-freebsd12-amd64.txz ( this is the package needed for pfSense 2.5.0 ). Here are Ashus' assets in releases on github : https://github.com/Ashus/pfSense-pkg-wireguard/releases - by using Ashus' packages you can either install pfSense-pkg-wireguard-1.0.1-freebsd11-amd64.txz ( for pfSense 2.4.5 / based on FreeBSD 11 ) or use his new pfSense-pkg-wireguard-1.0.1-freebsd12-amd64.txz ( for pfSense 2.5.0 -devel - based on FreeBSD 12 ).

Always check https://pkg.freebsd.org/FreeBSD:12:amd64/latest/All/ or https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/ for the latest packages in the FreeBSD Repo depending on your architecture - especially as bash, wireguard-go, and wireguard packages are updated periodically.

I have found as of late that if you try to access the main FreeBSD repo by entering the " https://pkg.freebsd.org/FreeBSD:12:amd64/latest/All/ " url - you will get the " 403 Forbidden - nginx error ". This precludes you from viewing the current FreeBSD package list. I searched around and found a FreeBSD package repo that seems to be up and stable - it is " http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/ " or http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/ which is located in South Africa. Virtually all of the FreeBSD package repos are inaccessible as well. Oddly enough, you are still able to download the FreeBSD packages from the main repo - it is just that you can not see the repo packages ( to check package latest versions by entering the url ). With that being said - let's proceed.

The complete needed software installation is outlined like this here - see below :

Use Putty or Kitty to enter an SSH session on your pfSense router in order to proceed. Or use the FreeBSD Mirror - http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/

These packages indicated below are correct and updated as of 10/19/2020 / always remember to check the FreeBSD package repo for the latest dependency packages.

The procedure detailed below is for pfSense 2.5.0 / FreeBSD 12 :
Best To Use FreeBSD Mirror - http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/

1. pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/bash-5.0.18_3.txz
2. (opt.) pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/bash-completion-2.11,2.txz
3. pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/wireguard-go-0.0.20200320.txz
4. pkg add http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/wireguard-1.0.20200827.txz
5. pkg add https://github.com/Ashus/pfSense-pkg-wireguard/releases/download/v1.0.1b/pfSense-pkg-wireguard-1.0.1-freebsd12-amd64.txz

Best To Use FreeBSD Mirror - http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/
This procedure detailed below is for pfSense 2.4.5 / FreeBSD 11 :

1. pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/bash-5.0.18_3.txz
2. (opt.) pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/bash-completion-2.11,2.txz
3. pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/wireguard-go-0.0.20200320.txz
4. pkg add http://pkg0.jinx.freebsd.org/FreeBSD:11:amd64/latest/All/wireguard-1.0.20200827.txz
5. pkg add https://github.com/Ashus/pfSense-pkg-wireguard/releases/download/v1.0.1b/pfSense-pkg-wireguard-1.0.1-freebsd11-amd64.txz

Please Note and Understand : I strongly recommend using the Lucasnz pfSense-pkg-wireguard-1.0.1.txz package for the reasons detailed above.

For pfSense 2.4.5 ( Based on FreeBSD 11 ) in step # 5 substitute the line below :

5. pkg add https://github.com/lucasnz/pfSense-pkg-wireguard/releases/download/v1.0.1/pfSense-pkg-wireguard-1.0.1-freebsd11-amd64.txz

For Lucasnz for pfSense 2.5.0 ( Based on FreeBSD 12 ) -

1 - Download the already compiled Lucasnz pfSense-pkg-wireguard-1.0.1.txz package above ( or build your own from the tutorial above ) to a usb drive or desktop folder where you can find this later.

2 - Next fire up your pfSense 2.5.0 router. WinSCP ( scp protocol ) into your 2.5.0 router and transfer ( drag and drop ) the Lucasnz pfSense-pkg-wireguard-1.0.1.txz from the local directory you exported it to earlier ( in this case on my Windows 10 machine ) into the /root directory of your pfSense 2.5.0 router.

3 - Finally, for pfSense 2.5.0 in step # 5 substitute the line below :

5. pkg add pfSense-pkg-wireguard-1.0.1.txz ( Use / substitute your WinSCP transferred package here )

You can also try Ascrod's WireGuard package but this is described in detail in the first link above.

Ashus has more features - you can read the documentation for each and make your decision. These are Ashus' WireGuard setup directions below :

Configuration

Configure an interface and any number of peers. Then go to the Assign Interfaces screen and create a new interface for tunwg0. Name it, enable it, and don't touch any other settings. Once the interface is up, you can create firewall rules for it, forward ports to it, and generally treat it the same as a physical interface. It should also persist across reboots.

If there is a need for more interfaces, add the tunwg1.conf or more files with incremental interface number to /usr/local/etc/wireguard/. Unfortunately those cannot currently be edited via GUI, and every time you add more, you need to reinstall this package or the wireguard service. Each time the service is reinstalled, all tunnels are detected from files again, so they could persist across reboots and could be reloaded from GUI all at once.

For help with configuring WireGuard, please read the official documentation. The unofficial documentation and examples may also be helpful.

1 - You must fill in your TorGuard WireGuard information in the WireGuard webgui - under VPN > WireGuard > Interface and VPN > WireGuard > Peers - and Save Both entries. See this tutorial here for directions as to how to generate your TorGuard WireGuard Configuration Files : https://forums.torguard.net/index.php?/topic/1698-pfsense-wireguard-client-working-with-catch-22/ - Read Step 2 on that page for a detailed explanation.

2 - Create the WireGuard Interface with this command :

# wg-quick up tunwg0

Then go to Interfaces > Assign Interfaces. Add tunwg0 ( opt 1 , 2 etc depending on your setup ). Name it, enable it, and don't touch any other settings.

3 - Then set up firewall rules for tunwg0 - there are many firewall setup options to be found here : https://forum.netgate.com/topic/150943/i-made-a-wireguard-package-for-pfsense - Just read through the thread.

If you want a simple firewall rule setup see below :

4 - Now head to the pfSense WEBGUI in order to configure the WireGuard Interface ( created earlier ) and FireWall Rule. First, go to Interfaces > Assignments - you will see the tunwg0 interface - click the (+) add button / symbol. Once the tunwg0 interface is listed as ( OPT 1 - 2 depending on your setup ) - Click underneath it - enter a check in " Enable interface " - and enter a description - I call mine " WIRE " - DO NOTHING ELSE HERE ! Save and Apply - Done with this phase.

5 - Next - Firewall Rule - go to Firewall > NAT > Outbound. Once on this Landing Page put a Dot in the radio button Hybrid outbound NAT rule generation - Click on Save - Do Not - Repeat Do Not Click Save and Apply At This Time - Instead Click on the Add Square with Up Arrow ( underneath Mappings ). On the page which opens change Interface from WAN in the drop down menu to your WireGuard ( tunwg0 ) Interface which you created and labeled previously - in this example " WIRE ". Next - Change Source Address to " ANY " from the drop down menu. Leave / Set Translation / target to Interface address. Enter " Description " - e.g. " Made For Wire " - now Click " Save " at the bottom of the page. You will be taken back to the Firewall : NAT : Outbound Landing Page - Click on " Apply Changes " in the right upper hand corner - Done with Firewall Rule. This rule is the only one you need.

Now that your TorGuard WireGuard Client is installed and ready - you may enter the command # /usr/local/etc/rc.d/wireguard.sh restart in order to start it up. You may also reboot your pfSense Router.

Hope this helps someone - See screenshots below for illustrative purposes - enjoy !!! Naturally substitute your own TorGuard WireGuard connection information.

Peace, directnupe
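Added example, not part of the post above nor of any of the packages it links: the ordered pkg add lists in this post and in the Netdata post above both pull .txz files from a mirror, a GitHub release or a Google Drive share, and "pkg add <file.txz>" installs a local package without consulting any repository signature, so the only integrity check is the one you do yourself. The helper below downloads each file, compares it against a SHA-256 you obtained out of band (the repository's packagesite manifest, or the release page for the Ashus / Lucasnz packages), and only then calls pkg add, stopping at the first failure so the install order the post insists on is preserved. The manifest format is my own, the placeholder digests in the usage text are constructed, and fetch (pfSense) or curl is assumed for the download.

```shell
#!/bin/sh
# Added example (not from the forum post or either package project): verify
# a SHA-256 before every "pkg add" of a downloaded .txz, in manifest order.
# Manifest line format (constructed for this example): "<sha256> <url>".

# sha256_of FILE -> hex digest, using whichever tool the host has
# (FreeBSD/pfSense ship sha256, Linux sha256sum, both usually have openssl)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 -r "$1" | awk '{ print $1 }'
    fi
}

# verify_sha256 FILE EXPECTED -> 0 only if the digests match (case-insensitive)
verify_sha256() {
    actual=$(sha256_of "$1") || return 1
    [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# fetch_to URL DEST -> download with fetch (pfSense) or curl
fetch_to() {
    if command -v fetch >/dev/null 2>&1; then
        fetch -q -o "$2" "$1"
    else
        curl -fsSL -o "$2" "$1"
    fi
}

# pkg_add_verified URL EXPECTED_SHA256 -> download, verify, then "pkg add"
pkg_add_verified() {
    url=$1; expected=$2
    dir=$(mktemp -d "${TMPDIR:-/tmp}/pkgv.XXXXXX") || return 1
    file="$dir/${url##*/}"
    if ! fetch_to "$url" "$file"; then
        echo "download failed: $url" >&2; rm -rf "$dir"; return 1
    fi
    if ! verify_sha256 "$file" "$expected"; then
        echo "SHA-256 MISMATCH for ${url##*/} - not installing" >&2
        echo "  expected $expected" >&2
        echo "  got      $(sha256_of "$file")" >&2
        rm -rf "$dir"; return 2
    fi
    pkg add "$file"; rc=$?
    rm -rf "$dir"
    return $rc
}

# install_manifest MANIFEST -> installs in file order, stops at first failure
install_manifest() {
    while read -r sum url; do
        case $sum in ''|'#'*) continue ;; esac   # skip blank and comment lines
        echo "==> ${url##*/}"
        pkg_add_verified "$url" "$sum" || return $?
    done < "$1"
}

# Stand-alone: pass a manifest path; without one, show the expected format.
if [ -n "${1:-}" ]; then
    install_manifest "$1"
else
    cat <<'EOF'
usage: sh pkg_add_verified.sh MANIFEST
manifest lines are "<sha256> <url>", installed top to bottom, for example
(digests below are placeholders, replace them with the ones you verified):
0000000000000000000000000000000000000000000000000000000000000000 http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/bash-5.0.18_3.txz
0000000000000000000000000000000000000000000000000000000000000000 http://pkg0.jinx.freebsd.org/FreeBSD:12:amd64/latest/All/wireguard-go-0.0.20200320.txz
EOF
fi
```

With placeholder digests left in, the script refuses every package, which is the intended failure mode: an unverified .txz pulled from a mirror you found by searching around never reaches pkg add.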
7. Is it possible to get TorGuard working in pfSense with Stunnel? Or some other way to stop the constant Authenticate/Decrypt packet errors I get, which reduce the connection to a crawl when I use UDP on a Virgin Media connection? I've found using TCP stops the errors but the speed is then abysmal. If I use the TorGuard client with stunnel enabled however the speeds improve. The only problem is I need stunnel working on pfSense, not the client. Any help appreciated.
8. If you are lucky enough to have a pfSense box, then use this hack to create a foolproof kill switch:

Firewall > Rules, Floating tab

Action: Pass
Disabled: unchecked
Quick: checked
Interface: WAN
Direction: out
TCP/IP Version: IPv4
Protocol: UDP
Source: any
Destination: TorGuard's IP ADDRESS
Destination port range: VPN X port of TorGuard's VPN server

Then below that rule:

Action: Reject
Disabled: unchecked
Quick: checked
Interface: WAN
Direction: out
TCP/IP Version: IPv4
Protocol: any
Source: any
Destination: any
Destination port range: any

That will allow outbound connections to only 1 IP on UDP X and block everything else. x = port
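Added example, not part of the post above: the two floating rules rendered as pf syntax, so the result can be syntax-checked with "pfctl -nf FILE" and compared with what pfSense actually loaded ("pfctl -sr"); pfSense renders Action: Reject as "block return". It goes one step beyond the post by also emitting an inet6 block, since a kill switch that only covers IPv4 leaves IPv6 open on a WAN that has it. Interface name, server address and port are parameters; em0, 192.0.2.50 and 1443 in the demo are constructed placeholders, and check_killswitch_order is my own sanity check on a saved rule file.

```shell
#!/bin/sh
# Added example (not from the forum post): pf rendering of the floating
# kill-switch rules, plus a check that the pass rule precedes the block.

# killswitch_rules WAN_IF VPN_IP VPN_PORT -> pf rules on stdout, pass first
killswitch_rules() {
    wan=$1; ip=$2; port=$3
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }
    # Floating, quick, out on WAN: only the tunnel endpoint may be reached.
    echo "pass out quick on $wan inet proto udp from any to $ip port $port"
    # Reject (block return) everything else leaving WAN, v4 and v6.
    echo "block return out quick on $wan inet all"
    echo "block return out quick on $wan inet6 all"
}

# check_killswitch_order RULES_FILE -> 0 if a quick pass rule precedes the
# quick catch-all block. Both must be quick: pf is last-match-wins otherwise,
# and a later block-all would then win over the pass and kill the tunnel too.
check_killswitch_order() {
    awk '
        /^pass out quick/ && !seen_block { seen_pass = 1 }
        /^block return out quick .* inet all/ { seen_block = 1 }
        END { if (seen_pass && seen_block) exit 0; exit 1 }' "$1"
}

# Stand-alone: WAN_IF VPN_IP VPN_PORT as arguments, or the constructed demo values.
killswitch_rules "${1:-em0}" "${2:-192.0.2.50}" "${3:-1443}"
```

Save the output to a file and run "pfctl -nf" on it to confirm the syntax; the rules pfSense generates from the GUI carry extra labels, but the action, direction, quick flag and match fields should line up with these three lines.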