selfhosted-apps-docker/opnsense/readme.md

# OPNsense

###### guide-by-example

![logo](https://i.imgur.com/3ROLmaz.png)

# Purpose

Firewall, router, dhcp server, recursive DNS, VPN, traffic monitoring.

* [Official site](https://opnsense.org/)
* [GitHub](https://github.com/opnsense)
* [Subreddits](https://www.reddit.com/r/opNsenseFirewall+opnsense/)

Opensource.<br>
Backend is FreeBSD with its packet filter `pf` and `configd`
for managing daemons, services and templates.<br>
For web gui frontend it uses lighttpd web server, PHP/Phalcon framework
and custom services built in Python.

Can be installed on a physical server or in a virtual machine.

<details>
<summary><h1>VMware ESXi</h1></summary>

This setup is running on the free version of ESXi 7.0 U3<br>

#### Network setup

Two physical network cards - NICs

* the default `vSwitch0` will be used for LAN side
* create new virtual switch - `vSwitch1-WAN`
* create new port group - `WAN Network`, assign to it `vSwitch1-WAN`

#### Virtual machine creation

* Guest OS family - Other
* Guest OS version - FreeBSD 13 or later versions (64-bit)
* CPU - 2 cores
* RAM - 2GB, for basic functionality, later can assign more 
* SCSI Controller 0 - LSI Logic SAS
* VM Options > Boot Options > Firmware - EFI

Afterwards, edit the VM, add network adapter connected to `WAN Network`

[Download](https://opnsense.org/download/) the latest opnsense - amd64, dvd,
extract iso, upload to ESXi datastore,
mount it in to the VMs dvd, check connect on boot


#### OPNsense installation in VM

Disconnect your current router and plug stuff in to the ESXi host.

* let it boot up
* login `root/opnsense`
* set interfaces, in ESXi VM overview you can see networks and MAC addresses 
* set IPs, wan is usually left alone with dhcp,<br>
  static ip for LAN and enable dhcp server running and give it range
* afterwards you should be able to access web gui
* log out
* log in as `installer/opnsense`
* click through installation leaving stuff at default except for password
* done

Afte the initial setup, install plugin `os-vmware`<br>
System > Firmware > Plugins

</details>

<details>
<summary><h1>First login and basic setup</h1></summary>

* at the LAN ip login
* click through wizzard, use 8.8.8.8 and 1.1.1.1 for DNS
* 

</details>


<details>
<summary><h1>Switch to https</h1></summary>

Not really needed. More like an exercise.
But hey, its extra protection from someone snooping
who is already on the LAN side I guess.

### on cloudflare

* create dns record `fw.example.com`
* get user ID - its in the url when you are on cloudflare dashboard, looks like 0122db3h3824893914169c9c4f919747f
* in My Profile >  Api Tokens > get Global API Key
* in My Profile >  Api Tokens > create token that looks [like this](https://i.imgur.com/pRelkUu.png)
    * zone/zone/read
    * zone/dns/edit
    * include all zones

### in opnsense acme plugin

* download acme plugin
* Services: ACME Client: Accounts - create account with your email
  where notifications about certs can go
* Services: ACME Client: Challenge Types - create new dns challange with info
  you gathered from cloudflare,
  looks something [like this](https://i.imgur.com/bYZ6pTj.png)
* Services: ACME Client: Certificates - create new certificate,
  stuff is just picked from the drop down menus,
  [looks like this](https://i.imgur.com/MC1kBCV.png)
* now check logs if request went through on its own, or just click small icon
  to force renew the certificate, in logs in matter of a minute
  there should be some either success or fail

### in opnsense Services: Unbound DNS: General

* add an override - so that the fw.example.com points to your local ip
  instead of going out, [looks like this](https://i.imgur.com/vqT9t3Y.png)

### in opnsense System: Settings: Administration

* Alternate Hostnames - add your fw.example.com
* SSL Certificate -  pick from dropdown menu your certificate
* apply changes
* switch radio buttons at the top from http to https if its not already.
  The previous steps should be done as opnsense will want to reload gui

now from local LAN side one can access web gui with https://fw.example.com
and its an encrypted communication between the browser and the firewall

</details>

<details>
<summary><h1>Geoblock</h1></summary>


</details>
update 2 years ago			`# OPNsense`

			`###### guide-by-example`

			`![logo](https://i.imgur.com/3ROLmaz.png)`

			`# Purpose`

			`Firewall, router, dhcp server, recursive DNS, VPN, traffic monitoring.`

			`* [Official site](https://opnsense.org/)`
			`* [GitHub](https://github.com/opnsense)`
			`* [Subreddits](https://www.reddit.com/r/opNsenseFirewall+opnsense/)`

			`Opensource.<br>`
			Backend is FreeBSD with its packet filter `pf` and `configd`
			`for managing daemons, services and templates.<br>`
			`For web gui frontend it uses lighttpd web server, PHP/Phalcon framework`
			`and custom services built in Python.`

			`Can be installed on a physical server or in a virtual machine.`

update 2 years ago			`<details>`
update 2 years ago			`<summary><h1>VMware ESXi</h1></summary>`
update 2 years ago
			`This setup is running on the free version of ESXi 7.0 U3<br>`

			`#### Network setup`

			`Two physical network cards - NICs`

			* the default `vSwitch0` will be used for LAN side
			* create new virtual switch - `vSwitch1-WAN`
			* create new port group - `WAN Network`, assign to it `vSwitch1-WAN`

			`#### Virtual machine creation`

			`* Guest OS family - Other`
			`* Guest OS version - FreeBSD 13 or later versions (64-bit)`
			`* CPU - 2 cores`
			`* RAM - 2GB, for basic functionality, later can assign more`
			`* SCSI Controller 0 - LSI Logic SAS`
			`* VM Options > Boot Options > Firmware - EFI`

			Afterwards, edit the VM, add network adapter connected to `WAN Network`

			`[Download](https://opnsense.org/download/) the latest opnsense - amd64, dvd,`
			`extract iso, upload to ESXi datastore,`
			`mount it in to the VMs dvd, check connect on boot`


			`#### OPNsense installation in VM`

			`Disconnect your current router and plug stuff in to the ESXi host.`

			`* let it boot up`
			* login `root/opnsense`
			`* set interfaces, in ESXi VM overview you can see networks and MAC addresses`
			`* set IPs, wan is usually left alone with dhcp,<br>`
			`static ip for LAN and enable dhcp server running and give it range`
			`* afterwards you should be able to access web gui`
			`* log out`
			* log in as `installer/opnsense`
			`* click through installation leaving stuff at default except for password`
			`* done`

update 2 years ago			Afte the initial setup, install plugin `os-vmware`<br>
			`System > Firmware > Plugins`
update 2 years ago
update 2 years ago			`</details>`
update 2 years ago
			`<details>`
update 2 years ago			`<summary><h1>First login and basic setup</h1></summary>`
update 2 years ago
			`* at the LAN ip login`
			`* click through wizzard, use 8.8.8.8 and 1.1.1.1 for DNS`
			`*`

update 2 years ago			`</details>`


update 2 years ago			`<details>`
update 2 years ago			`<summary><h1>Switch to https</h1></summary>`

			`Not really needed. More like an exercise.`
			`But hey, its extra protection from someone snooping`
update 2 years ago			`who is already on the LAN side I guess.`
update 2 years ago
			`### on cloudflare`

update 2 years ago			* create dns record `fw.example.com`
			`* get user ID - its in the url when you are on cloudflare dashboard, looks like 0122db3h3824893914169c9c4f919747f`
update 2 years ago			`* in My Profile > Api Tokens > get Global API Key`
update 2 years ago			`* in My Profile > Api Tokens > create token that looks [like this](https://i.imgur.com/pRelkUu.png)`
update 2 years ago			`* zone/zone/read`
			`* zone/dns/edit`
			`* include all zones`
update 2 years ago
			`### in opnsense acme plugin`

			`* download acme plugin`
update 2 years ago			`* Services: ACME Client: Accounts - create account with your email`
			`where notifications about certs can go`
			`* Services: ACME Client: Challenge Types - create new dns challange with info`
			`you gathered from cloudflare,`
			`looks something [like this](https://i.imgur.com/bYZ6pTj.png)`
			`* Services: ACME Client: Certificates - create new certificate,`
			`stuff is just picked from the drop down menus,`
			`[looks like this](https://i.imgur.com/MC1kBCV.png)`
			`* now check logs if request went through on its own, or just click small icon`
			`to force renew the certificate, in logs in matter of a minute`
			`there should be some either success or fail`
update 2 years ago
			`### in opnsense Services: Unbound DNS: General`

update 2 years ago			`* add an override - so that the fw.example.com points to your local ip`
			`instead of going out, [looks like this](https://i.imgur.com/vqT9t3Y.png)`
update 2 years ago
			`### in opnsense System: Settings: Administration`

update 2 years ago			`* Alternate Hostnames - add your fw.example.com`
update 2 years ago			`* SSL Certificate - pick from dropdown menu your certificate`
			`* apply changes`
update 2 years ago			`* switch radio buttons at the top from http to https if its not already.`
			`The previous steps should be done as opnsense will want to reload gui`
update 2 years ago
update 2 years ago			`now from local LAN side one can access web gui with https://fw.example.com`
			`and its an encrypted communication between the browser and the firewall`
update 2 years ago
			`</details>`
update 2 years ago
update 2 years ago			`<details>`
			`<summary><h1>Geoblock</h1></summary>`
update 2 years ago


update 2 years ago			`</details>`