Skip to main content

OPNsense - Installation, Certificate Authority Setup

646 words·
OPNsense Certificate Authority Router
Table of Contents

I initially wanted to use OPNsense as a virtual router on my Windows PC, but later found out that VMware Workstation does not support VLANs. I would definitely like to come back to this at a later date, but so far this is a mini tutorial for the installation of OPNsense and the setup of a certificate authority - latter is actually quite easy and useful.

OPNsense
#

Installation
#

To start the actual installation wizard, wait till the WAN & LAN interface assignment is complete and then login with the following credentials:

Username: installer Password: opnsense

Default Login
#

After the installation is complete, use the following default credentials for the shell and the webinterface:

Username: root Password: opnsense


Basic Setup
#

General DNS Servers
#

Define one or more DNS servers for the DNS resolution:

Go to System > Settings > General

  • DNS servers: 1.1.1.1

Interface
#

Go to Interfaces and select the OPT1 interfaces

  • Enable: Select Enable Interface
  • IPv4 Configuration Type: Static IPv4
  • IPv4 address: Define the gateway IP for the interface

DHCP Service
#

Enable the DNS service for the “OPT1” interface:

Go to Services > ISC DHCPv4 > OPT1

  • Select Enable DHCP server for the OPT1 interface

  • Range: Define the DHCP range


Let’s Encrypt Certificate
#

I have tested using an already existing Let’s Encrypt wildcard certificate for the OPNsense webinterface, which I think is a fast and easy solution.

Host Name
#

Define a FQDNf for OPNsense:

Go to System > Settings > General

  • Hostname: opensense
  • Domain: jklug.work

Upload Certificate
#

Go to System > Trust > Certificates

Paste the fullchain.pem file into the Certificate data field and the privkey.pem file into the Private key data field.


Apply Certificate
#

Go to System > Settings > Administration

  • Protocol HTTPS

  • Select the uploaded certificate in the SSL Certificate field


Build internal CA
#

Host Name
#

Define the domain name for OPNsense:

Go to System > Settings > General

  • Hostname: opensense
  • Domain: jklug.local

Create Root CA
#

Create the internal certificate authority:

Go to System > Trust > Authorities

  • Descriptive Name: Enter a name for the root CA
  • Method: Choose Create an internal Certificate Authority
  • Lifetime: Define the validity period for the root CA (e.g., 3650 days for 10 years).
  • Distinguished Name: Define the common name

Click Save to create the root CA


Create Intermediate CA
#

Create the intermediate certificate authority:

  • Descriptive Name: Enter a name for the root CA
  • Method: Chose Create an intermediate Certificate Authority
  • Signing Certificate Authority: Select the root CA
  • Lifetime: Define the validity period for the intermediate CA
  • Distinguished Name: Define the common name

Click Save to create the intermediate CA


Export Root CA certificate
#

Export the root CA certificate, and later add it as Trusted Root Certification Authorities certificate in Windows:

  • Click export CA cert

Note: As best practice export the root CA private key and store it somewhere save. After that the root CA can be deleted and only restored when necessary, using the private key and certificate to recreate it.


Create Internal Certificate
#

Go to System > Trust > Certificates

  • Method: Select Create an internal certificate
  • Descriptive name: Define a name for the certificate
  • Certificate authority: Select your intermediate CA to sign this certificate
  • Type: Select Server Certificate
  • Common Name: Define the domain name for the server

Click Save to create the internal certificate


Apply Internal Certificate
#

Go to System > Settings > Administration

  • Protocol HTTPS

  • SSL Certificate: Select the internal certificate

Click Save to apply the settings. After that the connection is secure. If another certificate was used before, it may be necessary to reboot the OPNsense server.


Windows Certificate Manager
#

Open the MMC Certificate Manager for local computer:

# Run 
certlm.msc

Import the the root CA certificate: opnsense-root-CA.crt

After the certificate is imported the connection uses TLS encryption.


Links #

# Download
https://opnsense.org/download/

# Installation
https://docs.opnsense.org/manual/install.html