OPNSense

• HAProxy Simple Configuration for local webserver
• Adguard Home communications error to 127.0.0.1#53: connection refused
• Disable IPv6 in OPNSense
• How to enable the HAProxy statistics page in OPNsense
• HowTo Restore a Google Drive backup file in OPNsense
• Run frequent Speedtest in OPNsense
• Voorgestelde waarden voor Advanced tab in Unbound
• Setup os-ddclient for when external IP address changes

HAProxy Simple Configuration for local webserver

Parameters for this setup

Local webserver is on ip address 192.168.1.200 and uses port 80

Step 1: Define a Real server

• Name: anything you like to recognize the webserver
  
• IP address: The IP address of the internal webserver e.g. 192.168.1.200
• Port: 80
• SSL: disable

1. Define a Virtual service->Backend Pool
   • Name: anything you like
   • Servers: The server you defined in the step 1 (remember to press TAB after entering server name) 

Step 2: Define a condition:

• • Name: anything you like
    
  • Condition: Host contains or you can use any other condition to match like Host matches and use the full url.
    
  • Host string = Anything to recognize the URL or the full url in case of host matches.
    

Step 3: Define a rule

• Name: anything you like
• Select Conditions: Select the webserver from the dropdown menu
• Under HAProxy function > Execute function:  Use specified Backend Pool
• Use backend pool: Select the backend Pool from the drop down menu
  

Step 4: Define a Virtual Service

Under Public Service:

• Name: anything you like
• Listen addresses: 0.0.0.0:443 (TAB)
• Enable SSL offloading: Checked
• Default backend pool: Select from dropdown menu (TAB)
• Certificate: your Let's Encrypt certificate
• Under Advanced settings: 
  • Select rules: The rule you made earlier
    

Adguard Home communications error to 127.0.0.1#53: connection refused

When you cannot update OPNsense and you see an error in a SSH session when you try to run:

root@OPNsense:~ # dig @127.0.0.1 -p 53 google.com

dig @127.0.0.1 -p 53 google.com

You probably have a wrong binding in the Adguard config file.

To solve this issue:

nano AdGuardhome.yaml

cd /usr/local/AdGuardHome

Change the bind (from a local ip address) to:

dns:
  bind_hosts:
    - 0.0.0.0

Then restart Adguard Home

Disable IPv6 in OPNSense

Set IPv6 on all interfaces on ' None' and also remove the ' Allow IPv6' vinkje.

Remove also the ' Allow IPv6' rule in de firewall rules:

How to enable the HAProxy statistics page in OPNsense

Step 1: Edit Global Settings

In the left-hand menu, go to Services , select HAPproxy and then and then Settings.

• • Under the Settings tab, locate the Global Parameters
  • Enable ' Advanced Mode' on the top left of the page
  • Add or modify the following configuration line in the “Custom Options” field (on the bottom of the picture):

     

    stats socket /var/run/haproxy.socket group proxy mode 775 level admin 

    This enables a UNIX socket for administrative purposes.

Step 2: Configure Statistics in Frontend Settings

• • Go to Virtual Servers in the Top menu
  • Click the + sign and add a new Public Service: 'StatsFrontend'
  • In this frontend, configure it as follows:
    • Set Name: StatsFrontend
    • Set Listen Adressess: set to local IP address of OPNsense (e.g. 192.168.2.1) with the default port 8822
      
    • Set Type to default HTTP/HTTPS (SSL offloading) [default]
      
    • Scroll all the way down to “Advanced Settings”, add these lines in the “Option Pass-through” field:

1. • • stats enable
       stats uri /haproxy?stats
       stats realm Haproxy\ Statistics
       stats auth admin:password123

       Replace admin with your desired username and password with a strong password.
     • Click on “Save” and then apply changes by clicking on “Apply”.

---

Step 3: Configure Firewall Rules

1. Allow Access to the Statistics Port:

   • Navigate to Firewall > Rules > LAN
     
   • Create a new rule with these parameters:
     • Action: Pass
     • Protocol: TCP
     • Destination: This Firewall
       
     • Destination Port Range: Other and the 8822
     • Description: Access the Statistics page
     • Leave everything else to the default values
     • Save the rule and click on “Apply Changes”.

---

Step 4: Test Access to the Statistics Page

1. Open a web browser from a device allowed by your firewall rules.
2. Enter the URL for accessing statistics, such as:

http://192.168.2.1:8822/haproxy?stats

Enter the username and password you configured earlier when prompted.

If everything is configured correctly, you should see HAProxy’s statistics page displaying real-time data about connections, backends, frontends, etc.

HowTo Restore a Google Drive backup file in OPNsense

A description on how to use Google Drive backup feature in OPNsense can be found here:

https://docs.opnsense.org/manual/how-tos/cloud_backup.html

But this is a rather complicated process, so read carefully!

You probably already know that you need a P12 key to store the backup files on Google Drive. Why is that?

The P12 key you created for use with Google Drive backups in OPNsense plays an important role in the authentication process between OPNsense and Google’s API. Here's exactly what the P12 key does during the backup and restore process:

---

1. What does the P12 key do?

The P12 key (a so-called PKCS#12 file) contains a private key that OPNsense uses to cryptographically authenticate itself as a service account to Google. It is linked to a Google Cloud service account that has access to your Google Drive.

In short:

1. Authentication
   When creating a backup, OPNsense connects to the Google Drive API.

2. Signing a JWT (JSON Web Token)
   OPNsense generates a specially formatted token (JWT) and signs it with the private key from the P12 file.

3. Token exchange with Google
   The signed JWT is sent to Google’s OAuth 2.0 token endpoint, and in return, OPNsense receives an access token.

4. Access to Google Drive
   With that access token, OPNsense can upload or download files from Google Drive on behalf of the service account.

---

Why is this necessary?

Unlike user-based authentication (which uses a browser and interactive OAuth consent), this is a server-to-server authentication method. That’s ideal because OPNsense needs to perform automated backups without requiring manual login or user consent each time.

---

What happens during a restore?

During a restore:

1. OPNsense follows the same authentication process to access Google Drive.

2. It retrieves the list of XML backup files.

3. The user selects a file, and OPNsense downloads it via the API (authorized through the same token process).

---

Important security note

• Treat the P12 file as a secret.
  Anyone with access to this key — and who knows the associated service account — can access your backup files.

• Make sure only OPNsense (and you as the administrator) have access to this file.

2. How to restore a backup from Google Drive when using Linux?

With kio-Gdrive installed in Dolphin is not working because Google blocks this

That’s a known limitation of kio-gdrive in combination with Google’s stricter security policies. Google now blocks applications that are not verified or have not gone through OAuth validation, which applies to many open-source or locally installed apps like kio-gdrive.

Why does Google block kio-gdrive?

Google sees kio-gdrive as an "unverified app" requesting access to sensitive scopes (such as full access to your Drive). Because of that, Google refuses to complete the OAuth flow.

Solutions

1. Use rclone instead of kio-gdrive (recommended)

As mentioned earlier, rclone is the most robust and Google-compliant way to access Google Drive locally without running into OAuth issues. Rclone is recognized by Google, uses approved scopes, and just works.

➡️ Advantage: Stable and compatible with service accounts.

Installeren en instellen

Install rclone:

sudo apt install rclone

Configure rclone for Google Drive:

rclone config

Choose:

• n to create a new remote configuration.

• Enter a name, for example: gdrive.

• Choose option 13 for Google Drive.

• Leave Client ID and Client Secret blank (or enter the values from your Google Cloud Console if you have them).

• Select "service_account_file" when prompted and provide the path to your .p12 or .json file.

   

  ⚠️ Note: rclone works best with JSON service account keys rather than P12.
  If you only have a P12 key, you may first need to manually generate a JSON key via the Google Cloud Console.

  Because we use OPNsense, we have no choice but using a P12 key.

   

Verify your setup:

rclone ls gdrive:

Download a backup file:

rclone copy gdrive:opnsense-backups/config-2025-05-28.xml .

Upload the file via the OPNsense web interface:

Go to:
System → Configuration → Backups → Restore → Upload the .xml file.

2. Create your own Google API project (advanced)

If you really want to keep using kio-gdrive (not recommended), then you’ll need to:

➡️ Google will still show a warning ("unverified app") and you’ll need to bypass it by clicking “Advanced” → “Proceed to...”.

⚠️ This is unstable and error-prone, especially if you use 2FA.

3. Download backups manually via your browser 

This is the easiest method for occasional use: just log in to Google Drive via your browser and download the XML backup file manually. Because I have no need for frequent accessing the backup files I use this method and select the downloaded file under Restore:

You don't need the P12 key to restore, because it is already known in OPNsense.

Run frequent Speedtest in OPNsense

To be able to use the Speedtest plugin, you need to install the Mimugmail repository:

https://github.com/mimugmail/opn-repo

Then go to System>Firmware>Plugins and install the 'os-speedtest-community' plugin in OPNsense.

Yes, there is a "misconfigured" notice, but everything will work fine :-)

In OPNsense "Reporting > Speedtest", locate desired server and make note of server ID, (the numbers between the brackets in "(#####) Server Name")

go to "System > Settings > Cron" create/edit the speedtest entry.
Set "Command" field to "Run speedtest [serverid]"
Set "Parameters" field to "#####" you dont need to append with "--server"... literally... just the numbers. 

Under Reporting>Speedtest you can find the results. Just click on the little "show log" switch.

 

Voorgestelde waarden voor Advanced tab in Unbound

Screenshots staan onderaan deze post.

Basisinstellingen voor privacy en veiligheid:

Prestatiesettings:

Cachinginstellingen:

Logginginstellingen:

Diverse instellingen:

Aanbevolen instellingen (samenvatting):

Door deze instellingen zorgvuldig af te stemmen, kun je de prestaties, privacy en veiligheid van je DNS-resolutie optimaliseren.

Setup os-ddclient for when external IP address changes

Here's a step-by-step guide in English on how to configure os-ddclient in OPNsense to automatically update your Cloudflare DNS records when your external IP address changes (e.g., from your ISP).

If you get the concept of this then you should be able to do this for DuckDNS or Dynu DNS or one of the other options in a similar way.

---

Prerequisites

Before you begin:

• You need a Cloudflare account.

• You need a domain managed by Cloudflare.

• You should have your Cloudflare API token or API key (Token is preferred for security).

• os-ddclient must be installed and enabled in OPNsense (System > Firmware > Plugins > install os-ddclient).

---

Step-by-step Configuration

1. Enable os-ddclient

Go to:

• Services > Dynamic DNS > Settings

• Check Enable

• Click Save

2. Add a Dynamic DNS Account

Go to:

• Services > Dynamic DNS > Accounts

• Click ➕ Add

Now fill in the required fields:

General Settings

• Enabled: ✅

• Description: e.g., Cloudflare mydomain.com

• Service: cloudflare

Cloudflare API Credentials

You have two options: API Token (preferred) or Global API Key.

If you're using an API Token:

• Username: leave blank  >>there are problem reported when this is filled in and you are using the API key method.

• Password: paste your API Token

• Make sure your API token has permission to:

  • Zone: DNS → Edit

  • Zone: Zone → Read

I have made a new API token. When logged in on Cloudflare, go to the top right and click on Profile . Then go to {} API Tokens and add a new token for "Edit zone DNS". Save the token on a safe place.

If you're using a Global API Key:

• Username / Email: your Cloudflare account email

• Password: your Global API Key

The use of the Global API key for this is not recommended!

Hostname Details

• Wildcard: usually unchecked unless you want *.home.example.com updated too
• Zone: your domain name (e.g., example.com)

• Hostname(s): the DNS record(s) you want to update (e.g., home.example.com) >>when the same API key is used then you can add multiple domain names here.

IP Settings

• Check IP Method: Interface (or use Web for online IP detection)

• Interface to monitor: WAN

• Check ip timeout: 10 >> default value in minutes. Leave it as it is.

• Force SSL: ✅ (recommended)

Click Save, then Apply.

---

Test the Setup

1. After saving, go to the Services > Dynamic DNS > Log File.

2. Click Run now next to your entry to test it.

3. Check the log to see if the IP update succeeded.

---

Done!

Your OPNsense box will now monitor your WAN IP and automatically update your Cloudflare DNS A or AAAA record whenever your public IP changes.