OPNsense template

This tutorial will show you how to create and configure an OPNsense appliance with a network interface on the internet and a second one on a private LAN where will reside your private VMs. We will also configure an OpenVPN server allowing you to reach your private VMs or simply route your traffic through the OPNsense appliance while surfing the web.

Prerequisite

Make sure you have the Heat client installed.

Create the stack

The command below will create an OPNSense appliance VM with 2 network interfaces, one connected to the internet (WAN) and the second one connected to a newly created network (LAN).

openstack stack create -t https://docs.infomaniak.cloud/tutorials/04.firewall/opnsense.yaml demo --wait
2022-04-26 08:21:04Z [demo]: CREATE_IN_PROGRESS  Stack CREATE started
2022-04-26 08:21:04Z [demo.lan_net]: CREATE_IN_PROGRESS  state changed
2022-04-26 08:21:04Z [demo.lan_net]: CREATE_COMPLETE  state changed
2022-04-26 08:21:04Z [demo.lan_subnet]: CREATE_IN_PROGRESS  state changed
2022-04-26 08:21:05Z [demo.opnsense_wan_port_secgroup]: CREATE_IN_PROGRESS  state changed
2022-04-26 08:21:05Z [demo.lan_subnet]: CREATE_COMPLETE  state changed
2022-04-26 08:21:05Z [demo.opnsense_server_lan_port]: CREATE_IN_PROGRESS  state changed
2022-04-26 08:21:06Z [demo.opnsense_wan_port_secgroup]: CREATE_COMPLETE  state changed
2022-04-26 08:21:06Z [demo.opnsense_server_wan_port]: CREATE_IN_PROGRESS  state changed
2022-04-26 08:21:06Z [demo.opnsense_server_lan_port]: CREATE_COMPLETE  state changed
2022-04-26 08:21:07Z [demo.opnsense_server_wan_port]: CREATE_COMPLETE  state changed
2022-04-26 08:21:07Z [demo.opnsense_server]: CREATE_IN_PROGRESS  state changed
2022-04-26 08:21:25Z [demo.opnsense_server]: CREATE_COMPLETE  state changed
2022-04-26 08:21:25Z [demo]: CREATE_COMPLETE  Stack CREATE completed successfully
+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field               | Value                                                                                                                                                                              |
+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id                  | 60cc13b1-3ffc-4d22-9bf2-a544fc474552                                                                                                                                               |
| stack_name          | demo                                                                                                                                                                               |
| description         | OPNSense template. Creates an OPNSense appliance VM with 2 network interfaces, one connected to the internet (WAN) and  the second one connected to a newly created network (LAN). |
|                     |                                                                                                                                                                                    |
| creation_time       | 2022-04-26T08:21:03Z                                                                                                                                                               |
| updated_time        | None                                                                                                                                                                               |
| stack_status        | CREATE_COMPLETE                                                                                                                                                                    |
| stack_status_reason | Stack CREATE completed successfully                                                                                                                                                |
+---------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  • Retrieve details such as the WAN IP and passwords using the command openstack stack show <stack name>:
openstack stack show demo
+-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field                 | Value                                                                                                                                                                              |
+-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id                    | 78814d75-1bde-4ead-ac79-84a9f7b18cef                                                                                                                                               |
| stack_name            | demo                                                                                                                                                                               |
| description           | OPNSense template. Creates an OPNSense appliance VM with 2 network interfaces, one connected to the internet (WAN) and  the second one connected to a newly created network (LAN). |
|                       |                                                                                                                                                                                    |
| creation_time         | 2022-04-26T08:37:20Z                                                                                                                                                               |
| updated_time          | None                                                                                                                                                                               |
| stack_status          | CREATE_COMPLETE                                                                                                                                                                    |
| stack_status_reason   | Stack CREATE completed successfully                                                                                                                                                |
| parameters            | OS::project_id: f8e2d506252c4961ad0fa321abf1f1b5                                                                                                                                   |
|                       | OS::stack_id: 78814d75-1bde-4ead-ac79-84a9f7b18cef                                                                                                                                 |
|                       | OS::stack_name: demo                                                                                                                                                               |
|                       | lan_net_name: lan                                                                                                                                                                  |
|                       | opnsense_flavor_name: a1-ram2-disk20-perf1                                                                                                                                         |
|                       | opnsense_image_name: opnsense                                                                                                                                                      |
|                       | opnsense_server_name: OPNSense                                                                                                                                                     |
|                       | wan_net_name: ext-net1                                                                                                                                                             |
|                       |                                                                                                                                                                                    |
| outputs               | - description: LAN IP address for the OPNSense appliance VM (vtnet1)                                                                                                               |
|                       |   output_key: WAN IP                                                                                                                                                               |
|                       |   output_value: 195.15.240.200                                                                                                                                                     |
|                       | - description: Change this password once the appliance is deployed.                                                                                                                |
|                       |   output_key: Default Credentials                                                                                                                                                  |
|                       |   output_value: root / clm2ppOPNSENSE!                                                                                                                                             |
|                       | - description: Tips                                                                                                                                                                |
|                       |   output_key: Usage Notes                                                                                                                                                          |
|                       |   output_value: Configure the OPNSense via the VM console below and temporary disable                                                                                              |
|                       |     the firewall to access the OPNsense web portal using pfctl -d.                                                                                                                 |
|                       | - description: LAN IP address for the OPNSense appliance VM (vtnet0)                                                                                                               |
|                       |   output_key: LAN IP                                                                                                                                                               |
|                       |   output_value: 192.168.1.1                                                                                                                                                        |
|                       | - description: Console URL for the OPNSense appliance VM                                                                                                                           |
|                       |   output_key: VM Console                                                                                                                                                           |
|                       |   output_value: https://api.pub1.infomaniak.cloud:443/novnc/vnc_auto.html?path=%3Ftoken%3Ddb16e671-f3dc-4fbe-bc7b-698d692fb14e                                                     |
|                       |                                                                                                                                                                                    |
| links                 | - href: https://api.pub1.infomaniak.cloud/orchestration-api/v1/f8e2d506252c4961ad0fa321abf1f1b5/stacks/demo/78814d75-1bde-4ead-ac79-84a9f7b18cef                                   |
|                       |   rel: self                                                                                                                                                                        |
|                       |                                                                                                                                                                                    |
| deletion_time         | None                                                                                                                                                                               |
| notification_topics   | []                                                                                                                                                                                 |
| capabilities          | []                                                                                                                                                                                 |
| disable_rollback      | True                                                                                                                                                                               |
| timeout_mins          | None                                                                                                                                                                               |
| stack_owner           | PCU-XDS7FSZ                                                                                                                                                                        |
| parent                | None                                                                                                                                                                               |
| stack_user_project_id | f393e8f19e554434a702aa28b1e0c61a                                                                                                                                                   |
| tags                  | []                                                                                                                                                                                 |
|                       |                                                                                                                                                                                    |
+-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

OPNsense public WAN IP is 195.15.240.200

OPNsense LAN IP is 192.168.1.1

OPNsense credentials are root / clm2ppOPNSENSE!

Warning

Change the credentials before opening the OPNsense web panel to the internet, as explained below.

Allow access to the OPNSense appliance web panel using the VM console

Once the stack is created, the OPNsense appliance VM is up and running but no connection is possible yet for security reasons.

You have to make the first configuration steps using the VM console: openstack console url show OPNSense. The link is also in the output above.

  • Log in using the default credentials listed above.

  • Change the root password by selecting option 3.

  • Temporarily disable the firewall in order to connect to the web panel: select option 8 (shell) and run the command pfctl -d.

OPNsense initial configuration

  • Now that the firewall is disabled, you can access the OPNsense web panel using the WAN IP and the new root password you chose, here https://195.15.240.200.

  • Wait a few seconds for the wizard to load and follow the steps.

  • Clicking Reload re-enables the firewall, so after clicking it go back to the VM console and run pfctl -d again.

To get the console URL: openstack console url show OPNSense

  • You should then see the last wizard message.

OPNsense final configuration

Now the OPNsense appliance is configured but the firewall is stopped. We will create a new firewall rule allowing our IP to access the OPNsense appliance (your home router IP or your company's public IP/range).

  • Go to Firewall -> Rules -> WAN and add a rule by clicking the orange plus button at the top right corner.

Be sure to fill in the right IP or range, otherwise you'll lose access to the web panel. In case you make a mistake, go back to the OPNsense VM console, disable the firewall again using the command pfctl -d and review your rule. To get the console URL: openstack console url show OPNSense

  • Apply the new rule by clicking the "apply changes" button at the top right corner. It will reload and enable the firewall.

Tips

If you have difficulties creating a pass rule, check the firewall logs to get hints on what you're doing wrong: Firewall -> Log File -> Live View

OPNsense and OpenVPN

To create an OpenVPN server follow these steps.

Info

In this demo we created certificates with a 10-year (3652 days) lifetime, but some devices or software might refuse a lifetime longer than 397 days.

Create a Certificate Authority (CA)

  • Go to System -> Trust -> Authorities and add an authority by clicking the orange plus button at the top right corner.

Create a Certificate for OpenVPN

  • Go to System -> Trust -> Certificates and add a certificate by clicking the orange plus button at the top right corner.

Create a VPN user

  • Go to System -> Access -> User and add a user by clicking the orange plus button at the top right corner.

Don't forget to check the box "click to create a user certificate".

  • After clicking "Save" you will be asked to create the user certificate.

Create the OpenVPN Server

  • Go to VPN -> OpenVPN -> Servers and add a server by clicking the orange plus button at the top right corner.

  • Fill in the three sections of the form: General information, Cryptographic Settings, and Tunnel and Client settings.

Add a firewall rule to allow OpenVPN port

  • Go to Firewall -> Rules -> WAN and add a rule by clicking the orange plus button at the top right corner.

Don't forget to click on "Apply Changes" at the top right corner.

Export the OpenVPN User's profile

  • Go to VPN -> OpenVPN -> Client Export

  • Download the profile using the download button next to the user Taylor. The file name should be similar to OpenVPN_taylor.ovpn.

You can now import your OpenVPN profile and initiate the connection. You will be prompted for the login password, the one set for the user taylor created earlier in this example.

Congratulations, your traffic now goes through the OpenVPN server.

Access LAN Virtual Machines through the VPN

Now that you have OpenVPN access, the virtual machines on the LAN subnet are reachable by their LAN IPs (192.168.1.x).

You might want to use the OpenVPN only for reaching the LAN virtual machines. To achieve this, add a firewall rule in your OpenVPN chain:

  • Go to Firewall -> Rules -> OpenVPN and add a rule by clicking the orange plus button at the top right corner.

Change the OpenVPN server configuration to route only the LAN

  • Go to VPN -> OpenVPN -> Servers

  • Untick Redirect Gateway

  • Fill in IPv4 Local Network; in our example our VMs are on the LAN 192.168.1.0/24

Let's try to create and reach a virtual machine.

  • Create a Linux server:
openstack server create --flavor  a1-ram2-disk20-perf1 --key-name yubikey-taylor --network demo-lan --image "Debian 11 bullseye" VM_Linux_1
  • Allow SSH (or RDP if you created a Windows VM):
openstack security group rule create --protocol tcp --dst-port 22 --ethertype IPv4  default
openstack security group rule create --protocol tcp --dst-port 3389 --ethertype IPv4  default
  • Get the VM IP:
openstack server list
+--------------------------------------+--------------+--------+--------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+----------------------+
| ID                                   | Name         | Status | Networks                                                                 | Image                                                                                   | Flavor               |
+--------------------------------------+--------------+--------+--------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+----------------------+
| 6a1f1e57-51fc-4e8c-9c13-8b729805e12f | VM_Linux_1   | ACTIVE | OPNSense-lan=192.168.1.102                                               | Debian 11.3 bullseye                                                                    | a1-ram2-disk20-perf1 |
| 75d203ee-a0cd-46c9-acb4-27493152f077 | OPNSense     | ACTIVE | OPNSense-lan=192.168.1.1; ext-net1=195.15.240.200, 2001:1600:10:100::52e | OPNsense 22.1.2_2-amd64                                                                 | a1-ram2-disk20-perf1 |
+--------------------------------------+--------------+--------+--------------------------------------------------------------------------+-----------------------------------------------------------------------------------------+----------------------+
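The two security group rules above open SSH and RDP to 0.0.0.0/0 on the project's default group, which every instance using that group inherits, although the LAN VMs are only ever reached from the LAN or through the OpenVPN tunnel. The following Python script is an added example, not part of this tutorial: it audits a constructed sample of `openstack security group rule list default -f json` output for such rules and builds replacement commands scoped to the trusted prefixes. The 10.9.0.0/24 tunnel range is an assumption based on the 10.9.0.2 address shown in the ssh banner below, and the JSON field names are assumed to match the CLI's output.

```python
import ipaddress
import json

# Constructed sample shaped like `openstack security group rule list default -f json`
# after the two `openstack security group rule create` commands above
# (placeholder IDs; field names assumed to match the CLI's JSON output).
SAMPLE_RULES_JSON = """
[
 {"ID": "00000000-0000-0000-0000-000000000001", "IP Protocol": "tcp", "Ethertype": "IPv4",
  "IP Range": "0.0.0.0/0", "Port Range": "22:22", "Direction": "ingress",
  "Remote Security Group": null, "Remote Address Group": null},
 {"ID": "00000000-0000-0000-0000-000000000002", "IP Protocol": "tcp", "Ethertype": "IPv4",
  "IP Range": "0.0.0.0/0", "Port Range": "3389:3389", "Direction": "ingress",
  "Remote Security Group": null, "Remote Address Group": null},
 {"ID": "00000000-0000-0000-0000-000000000003", "IP Protocol": null, "Ethertype": "IPv4",
  "IP Range": "", "Port Range": "", "Direction": "egress",
  "Remote Security Group": null, "Remote Address Group": null},
 {"ID": "00000000-0000-0000-0000-000000000004", "IP Protocol": null, "Ethertype": "IPv4",
  "IP Range": "", "Port Range": "", "Direction": "ingress",
  "Remote Security Group": "default", "Remote Address Group": null}
]
"""

# Sources that legitimately reach the LAN VMs in this setup: the LAN itself and the OpenVPN
# tunnel network (10.9.0.0/24 is assumed from the 10.9.0.2 client address in the ssh banner).
TRUSTED_PREFIXES = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.9.0.0/24")]


def parse_port_range(port_range):
    """'22:22' -> (22, 22); an empty range means every port."""
    if not port_range:
        return 1, 65535
    lo, hi = port_range.split(":")
    return int(lo), int(hi)


def is_untrusted_ingress(rule):
    """True for an ingress rule whose remote CIDR is not inside any trusted prefix."""
    if rule.get("Direction") != "ingress":
        return False
    if rule.get("Remote Security Group") or rule.get("Remote Address Group"):
        return False  # remote is another group, not a CIDR
    default = "0.0.0.0/0" if rule.get("Ethertype", "IPv4") == "IPv4" else "::/0"
    net = ipaddress.ip_network(rule.get("IP Range") or default, strict=False)
    return not any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_PREFIXES)


def audit_rules(rules_json, watched_ports=(22, 3389)):
    """(rule_id, port, cidr) for each ingress rule exposing a watched TCP port to an untrusted range."""
    findings = []
    for rule in json.loads(rules_json):
        if not is_untrusted_ingress(rule):
            continue
        if rule.get("IP Protocol") not in (None, "", "tcp"):
            continue
        lo, hi = parse_port_range(rule.get("Port Range"))
        for port in watched_ports:
            if lo <= port <= hi:
                findings.append((rule["ID"], port, rule.get("IP Range") or "any"))
    return findings


def remediation_commands(findings, group="default"):
    """Replace each offending rule with one rule per trusted prefix (--remote-ip)."""
    cmds = []
    for rule_id, port, _ in findings:
        cmds.append(f"openstack security group rule delete {rule_id}")
        for prefix in TRUSTED_PREFIXES:
            cmds.append(f"openstack security group rule create --protocol tcp "
                        f"--dst-port {port} --remote-ip {prefix} {group}")
    return cmds
```

Feed it the real output of `openstack security group rule list default -f json` and review the generated commands before running them.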

Once the VM is ACTIVE you can ssh into it using its LAN IP:

ssh debian@192.168.1.102
Linux vm-linux-1 5.10.0-13-cloud-amd64 #1 SMP Debian 5.10.106-1 (2022-03-17) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Apr 27 09:36:23 2022 from 10.9.0.2
debian@vm-linux-1:~$

And voilà!