selfhosted-apps-docker/opnsense
2022-10-22 18:34:26 +02:00
..
readme.md update 2022-10-22 18:34:26 +02:00

OPNsense

guide-by-example

logo

Purpose

Firewall, router, dhcp server, recursive DNS, VPN, traffic monitoring.

Opensource.
Backend is FreeBSD with its packet filter pf and configd for managing daemons, services and templates.
For web gui frontend it uses lighttpd web server, PHP/Phalcon framework and custom services built in Python.

Can be installed on a physical server or in a virtual machine.

VMware ESXi

This setup is running on the free version of ESXi 7.0 U3

Network setup

Two physical network cards - NICs

esxi-network

  • the default vSwitch0 will be used for LAN side
  • create new virtual switch - vSwitch1-WAN
  • create new port group - WAN Network, assign to it vSwitch1-WAN

Virtual machine creation

  • Guest OS family - Other
  • Guest OS version - FreeBSD 13 or later versions (64-bit)
  • CPU - 2 cores
  • RAM - 2GB, for basic functionality, later can assign more
  • SCSI Controller 0 - LSI Logic SAS
  • VM Options > Boot Options > Firmware - EFI

Afterwards, edit the VM, add network adapter connected to WAN Network

Download the latest opnsense - amd64, dvd, extract iso, upload to ESXi datastore, mount it in to the VMs dvd, check connect on boot

OPNsense installation in VM

Disconnect your current router and plug stuff in to the ESXi host.

  • let it boot up
  • login root/opnsense
  • set interfaces, in ESXi VM overview you can see networks and MAC addresses
  • set IPs, wan is usually left alone with dhcp,
    static ip for LAN and enable dhcp server running and give it range
  • afterwards you should be able to access web gui
  • log out
  • log in as installer/opnsense
  • click through installation leaving stuff at default except for password
  • done

Afte the initial setup, install plugin os-vmware
System > Firmware > Plugins

First login and basic setup

  • at the LAN ip login
  • click through wizzard, use 8.8.8.8 and 1.1.1.1 for DNS

Switch to https

Not really needed. More like an exercise. But hey, its extra protection from someone snooping who is already on the LAN side I guess.

on cloudflare

  • create dns record fw.example.com
  • get user ID - its in the url when you are on cloudflare dashboard, looks like 0122db3h3824893914169c9c4f919747f
  • in My Profile > Api Tokens > get Global API Key
  • in My Profile > Api Tokens > create token that looks like this
    • zone/zone/read
    • zone/dns/edit
    • include all zones

in opnsense acme plugin

  • download acme plugin
  • Services: ACME Client: Accounts - create account with your email where notifications about certs can go
  • Services: ACME Client: Challenge Types - create new dns challange with info you gathered from cloudflare, looks something like this
  • Services: ACME Client: Certificates - create new certificate, stuff is just picked from the drop down menus, looks like this
  • now check logs if request went through on its own, or just click small icon to force renew the certificate, in logs in matter of a minute there should be some either success or fail

in opnsense Services: Unbound DNS: General

  • add an override - so that the fw.example.com points to your local ip instead of going out, looks like this

in opnsense System: Settings: Administration

  • Alternate Hostnames - add your fw.example.com
  • SSL Certificate - pick from dropdown menu your certificate
  • apply changes
  • switch radio buttons at the top from http to https if its not already.
    The previous steps should be done as opnsense will want to reload gui

now from local LAN side one can access web gui with https://fw.example.com and its an encrypted communication between the browser and the firewall

Geoblock

Lock out the entire world from your network, except for your own country. Great security benefits, but if you dont use dns challange you might have issues with https certificates renewal and other stuff thats initiated connection from the outside.

Following the official documentation

on maxmind.com

  • register account on maxmind.com, this will give access to info which IP ranges belong to which country
  • in the freshly created maxmind account generate new license
  • in this url replace My_License_key with your actual license key
    https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=My_License_key&suffix=zip
  • paste it in browser, if its working it should download zip file with the IP info

in opnsense

  • Firewall: Aliases: GeoIP tab - paste the url, click apply
  • switch to Aliases tab, create new geoip alias and select your own country
    something like this
  • Firewall: Rules: WAN - create new rule
    block; source invert; source geoip alias we created; enable log packets that are handled by this rule; add description
    something like this

Observe it in action in Firewall: Log Files: Live View

If you host anything with a website you can test if its working by using opera build in vpn, or by using some online web site testers. Assuming you are not in the country from which these run their test.