
OPNsense - Installation, Certificate Authority Setup

OPNsense Certificate Authority Router

I initially wanted to use OPNsense as a virtual router on my Windows PC, but later found out that VMware Workstation does not support VLANs. I would definitely like to come back to this at a later date, but so far this is a mini tutorial for the installation of OPNsense and the setup of a certificate authority - the latter is actually quite easy and useful.

OPNsense

Installation

To start the actual installation wizard, wait until the WAN & LAN interface assignment is complete and then log in with the following credentials:

Username: installer
Password: opnsense

Default Login

After the installation is complete, use the following default credentials for the shell and the webinterface:

Username: root
Password: opnsense


Basic Setup

General DNS Servers

Define one or more DNS servers for the DNS resolution:

Go to System > Settings > General

  • DNS servers: 1.1.1.1

Interface

Go to Interfaces and select the OPT1 interface

  • Enable: Select Enable Interface
  • IPv4 Configuration Type: Static IPv4
  • IPv4 address: Define the gateway IP for the interface

DHCP Service

Enable the DHCP service for the “OPT1” interface:

Go to Services > ISC DHCPv4 > OPT1

  • Select Enable DHCP server for the OPT1 interface

  • Range: Define the DHCP range


Let’s Encrypt Certificate

I have tested using an already existing Let’s Encrypt wildcard certificate for the OPNsense webinterface, which I think is a fast and easy solution.

Host Name

Define a FQDN for OPNsense:

Go to System > Settings > General

  • Hostname: opensense
  • Domain: jklug.work

Upload Certificate

Go to System > Trust > Certificates

Paste the fullchain.pem file into the Certificate data field and the privkey.pem file into the Private key data field.


Apply Certificate

Go to System > Settings > Administration

  • Protocol: HTTPS

  • Select the uploaded certificate in the SSL Certificate field


Build internal CA

Host Name

Define the domain name for OPNsense:

Go to System > Settings > General

  • Hostname: opensense
  • Domain: jklug.local

Create Root CA

Create the internal certificate authority:

Go to System > Trust > Authorities

  • Descriptive Name: Enter a name for the root CA
  • Method: Choose Create an internal Certificate Authority
  • Lifetime: Define the validity period for the root CA (e.g., 3650 days for 10 years).
  • Distinguished Name: Define the common name

Click Save to create the root CA


Create Intermediate CA

Create the intermediate certificate authority:

  • Descriptive Name: Enter a name for the intermediate CA
  • Method: Choose Create an intermediate Certificate Authority
  • Signing Certificate Authority: Select the root CA
  • Lifetime: Define the validity period for the intermediate CA
  • Distinguished Name: Define the common name

Click Save to create the intermediate CA


Export Root CA certificate

Export the root CA certificate; it is later added to the Trusted Root Certification Authorities store in Windows:

  • Click export CA cert

Note: As best practice, export the root CA private key and store it somewhere safe. After that, the root CA can be deleted from OPNsense and restored only when necessary, by recreating it from the private key and certificate.


Create Internal Certificate

Go to System > Trust > Certificates

  • Method: Select Create an internal certificate
  • Descriptive name: Define a name for the certificate
  • Certificate authority: Select your intermediate CA to sign this certificate
  • Type: Select Server Certificate
  • Common Name: Define the domain name for the server

Click Save to create the internal certificate


Apply Internal Certificate

Go to System > Settings > Administration

  • Protocol: HTTPS

  • SSL Certificate: Select the internal certificate

Click Save to apply the settings. After that the connection is secure. If another certificate was used before, it may be necessary to reboot the OPNsense server.


Windows Certificate Manager

Open the MMC Certificate Manager for local computer:

# Run 
certlm.msc

Import the root CA certificate: opnsense-root-CA.crt

After the certificate is imported, Windows trusts the chain and the HTTPS connection to the webinterface is shown as secure.


Links

# Download
https://opnsense.org/download/

# Installation
https://docs.opnsense.org/manual/install.html