OPNsense, NethServer and Certificates

Hi Andy,

I am looking at OPNsense. I installed it in a VM just to see how it’s working. So far quite nice…

Question #1:
I installed a Let’s Encrypt certificate on that server, but since I am on a LOCAL VM, I was wondering which certificate will be used if I use HTTPS from the Internet to a LOCAL WordPress NS physical server domain?

I think it will be the one from OPNsense and not the one from the LOCAL server.

The solution would be to add the domains to the OPNsense server and also to the Let’s Encrypt certificate, then redirect the queries to the LOCAL server?

Question #2:
Will it pass the SIP packets to the internal IP phone, or do I have to redirect them from the OPNsense server? Right now, it is the NS LOCAL server that redirects SIP to the phone.

Thank you for your advice,

Michel-André

@michelandre

Hi Michel-André!

If I recall right, you’re a native French speaker!

SSL Certs:

As the old saying goes, there are more ways than one…

  1. The OPNsense handles all Certs
  2. The OPNsense has no LetsEncrypt SSL, the NethServer handles it all.
  3. The NethServer copies (triggered by a software hook) its SSL certs (also with the OPNsense FQDN and AD FQDN) to OPNsense and to the NethServer’s AD.

I’m using Nr 2: ports 80 and 443 are passed to the NethServer, which handles all SSL certs, also for VMs and virtual hosts.

With Elleni (real name Ilias) I helped him with Nr 3, IMHO the most elegant of all three.
Elleni can help here!

Nr 1 is basically Nr 3 in reverse…

All three variants can easily handle name-based virtual hosts, on different hosts or on your NethServer (with SSL!).

SIP / VoIP

SIP works very well on OPNsense.
You need to set this to advanced. (Can’t get the screen in English or French, but you should be able to find it: Firewall -> Settings -> Advanced.)

My rules for SIP. This client has 4 SIP numbers from Deutsche Telekom and has a hardware SIP PBX (Starface). Telephony is extremely stable!

Note: Deutsche Telekom needs more than the usual SIP port and the SIP-RTP (the actual voice port range), but they have it well documented for end users and for those end users with more know-how and hardware!

If you want the nice Dark Mode theme, load the rebellion theme here:
(Set it under System -> Settings -> General -> Theme)

The red box represents what I’ve loaded in this client’s OPNsense…

And here’s what my dashboard looks like:

If you’re using Proxmox as hypervisor, OPNsense should have VirtIO NICs, meaning you’ve got a couple of 10 GbE NICs on your virtual firewall!

If you’ve noticed, OPNsense also supports WireGuard (discussed often on the NethServer forum) and even stuff like nginx, if you want to, e.g., do a reverse proxy directly on your firewall…

Another cool option is backups, encrypted or not (backups in house I do not encrypt; if I were to use Google, I’d encrypt them!). Nextcloud as automated backup target is also very nice (needs the SSL cert tweak in Nr 3). A backup is a simple XML file (a simply formatted .txt file!), easy to copy/paste to other configs.

The option to partially restore backups, like just DHCP or VPN, is also very cool: you can restore bits and pieces to make your own ultimate OPNsense master image! Would be a cool feature in NethServer too!
However, OPNsense just restores the config; you still have to install any plug-ins needed, something NethServer does better by installing the needed software!!!

Hope this helps!
Andy

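Michel-André’s Question #1 comes down to which box terminates TLS for the name the browser asks for: whoever answers the handshake presents its certificate, and with name-based virtual hosts (variants 1 to 3 above) the name sent in SNI decides which one. The script below is an added example, not code from this thread or from OPNsense/NethServer. It handshakes with an address while sending a server name in SNI the way a browser would, verifies the chain against the system trust store, and then reports the names on the leaf certificate actually served and whether they cover the requested name. The address and domain names in it (1.2.3.4, opnsense.toto-101.com, wordpress.toto-101.com) are constructed placeholders.

```python
"""Which certificate does the client actually get for a given name?

Added example, not code from this thread or from OPNsense/NethServer.
The endpoint and names used in main() (1.2.3.4, opnsense.toto-101.com,
wordpress.toto-101.com) are constructed placeholders.
"""
import socket
import ssl


def names_from_cert(cert):
    """Names a certificate is valid for: subject CN first, then DNS SANs.

    `cert` is the dict returned by SSLSocket.getpeercert() after a verified
    handshake; duplicates are dropped and case is folded.
    """
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value.lower() not in names:
                names.append(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value.lower() not in names:
            names.append(value.lower())
    return names


def hostname_matches(hostname, names):
    """True if `hostname` is covered by one of `names`.

    A wildcard is honoured only as the whole leftmost label and covers exactly
    one label, which is the rule public CAs (Let's Encrypt included) issue under.
    """
    hostname = hostname.lower().rstrip(".")
    for name in names:
        if name == hostname:
            return True
        if name.startswith("*."):
            suffix = name[1:]                      # e.g. ".toto-101.com"
            prefix = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


def fetch_presented_cert(host, port, server_name, timeout=5.0):
    """Handshake with host:port sending `server_name` in SNI, like a browser.

    The chain is verified against the system trust store (so a Let's Encrypt
    cert comes back as a populated dict), but the hostname check is done by
    us, because the point is to see a mismatch rather than abort on it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert()


def check_endpoint(host, port, server_name):
    """Return (names_on_cert, covers_requested_name).

    (None, False) means the chain did not verify at all, which is what a
    self-signed default certificate on the firewall looks like.
    """
    try:
        cert = fetch_presented_cert(host, port, server_name)
    except ssl.SSLCertVerificationError as exc:
        print(f"{server_name}: chain not trusted ({exc.verify_message})")
        return None, False
    names = names_from_cert(cert)
    return names, hostname_matches(server_name, names)


if __name__ == "__main__":
    # Placeholders: WAN address 1.2.3.4, port 443, two names behind it.
    for name in ("opnsense.toto-101.com", "wordpress.toto-101.com"):
        names, ok = check_endpoint("1.2.3.4", 443, name)
        print(f"{name}: served cert names={names} matches={ok}")
```

Run it once per name you expect to be reachable from the Internet. If the firewall’s own certificate comes back for the WordPress name, the port forward is not reaching the NethServer for that name (or a reverse proxy on OPNsense is terminating TLS with its own cert), which is exactly the situation variants 1 to 3 are meant to resolve.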

(Sorry, I didn’t see the new topic)

Hi Andy,

I greatly appreciate the detail, the sequence and the precision of the explanations.

Question: about speed!
Does placing the switch between the OPNsense server and NS add a delay (nsec step) to the packets?

Compared to the bottleneck of the Internet, 2-3 nsec is nothing, so I am thinking of plugging the NS server directly into the OPNsense server. In other words, leave everything as it is and place the OPNsense server as a big switch between the VDSL and the NS server.
In your diagrams there is a switch between OPNsense and everything else.

The question is what to use as IP addresses for both ends of the connection between the 2 servers. The VDSL management IP is on 192 (the LAN network of NS), as is everything else.
The problem is the WAN network of NS. The colour: external RED (presently to the Internet), which is an untrusted network. Is it important to have a RED network somewhere for differentiation?

Michel-André

@michelandre

Hi Michel-André

In my diagrams, most are from clients, in their offices. My NethServers at clients all only run with one NIC (GREEN). There’s still a basic firewall running on NethServer, even if you do not install firewall or two NICs. And my clients also have workstations, printers and other stuff. The doctors have an X-Ray, not something any freak has at home!
These all need network and Internet; that’s the main reason a switch is there. The switch in some cases is as virtual as NethServer and OPNsense, everything in Proxmox.
I’ve done that kind of setup, even helping people here at the forum setting this up!

If both NethServer and OPNsense act as firewall, you’d end up with double NAT, not the best background for VoIP. I have been forced to use double NAT before; it does work, but can cause unexpected issues.

My suggestion would be as in this description:

https://wiki.nethserver.org/doku.php?id=userguide:nethserver_and_proxmox

I’d use IP 1 for the OPNsense; my firewalls always use 1 as IP. My NethServers almost always use 20 as their IP (GREEN). NethServer’s AD uses IP 11.

I use an XL table like this for all networks; the dark grey (below) are “standards” for devices.

The rest looks like this (no MAC addresses shown…)

If you want, I can provide a sample in XL on my Nextcloud at home…

If you’re in doubt as to why there would be two networks and two firewalls to configure, you most likely don’t need a second firewall, which can make life difficult.
If you’re happy with OPNsense features and stability (like I am), then remove the second NIC from your NethServer (or deconfigure it) and only use a single GREEN network.

I’ve set up 30+ NethServers for clients, and only twice set up a NethServer as firewall for a friend, and only because the firewall he had fried between Xmas and New Year, when getting spares is difficult. And no internet over Xmas just isn’t an option!

All the rest were configured with only one NIC. Together, OPNsense and NethServer make it happen! And even if you have a problem with something you set up on NethServer and it doesn’t work as expected, you still have internet to check the NethServer forum or Google for help!

There are legit reasons for going the extra mile and using more than one firewall:

20 years ago, I had to secure a bank’s internet connection.
At the time, I used three different firewalls, cascaded.
All three using different OS and Systems.
Check Point, Cisco and a m0n0wall, behind each other.
All three had out of band and internal monitoring.
A break-in would have entailed hacking the Check Point, using whatever was working after the hack to attack the Cisco. And after the Cisco, you’d still have had to attack the m0n0wall.
Even if you cut their telephone / cable connection, an SMS would have been sent from the monitoring system.
And all in all, you would have had exactly 2x 5 minutes to do the break-in, else the alarm would have been triggered!

But at home or in the office, you don’t really need this kind of over-security - and they had the budget for that!

My 2 cents
Andy


Wouldn’t the most elegant solution be simply that every device handles its own certs? This is simple to arrange with DNS validation–and if your DNS provider doesn’t have a supported API, use acme-dns instead:
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_acme-dns

Once you set up acme-dns on your Neth server, point the OPNSense box to it for its own DNS validation.

@danb35

And how does NethServer’s AD get its certs then? :slight_smile:
I wasn’t aware of an option to use Let’s Encrypt also in the AD of NethServer…

AFAIK it still needs to be set up by hand or by a script triggered by the renewal of Let’s Encrypt (hook).

Another reason: the premise was to be able to use AD users for OPNsense VPNs, and also to allow OPNsense to use NethServer’s Nextcloud for regular backups of configs…

Andy

I haven’t used AD, but I assumed it used the default system certificate, which is updated with the certificate-update event. Is this not the case? If not, it really seems like it should be.

Even if not, DNS validation means you don’t need public DNS records pointing to your AD server, and the OPNSense box can still maintain its own certs.

Unfortunately not, AD uses self-created SSL certs, which aren’t accepted by OPNsense.
The default on NethServer doesn’t affect the AD.

I agree this should be the case, but we’re doing the alpha/beta work behind this for now.

Elleni, Markus and me, we tweaked the whole thing till it worked, fluffed and whistled!

And it only really works if all use the same cert.
We didn’t have enough public IPs to test other variants.

Even though the AD’s name is in public DNS - the AD is not accessible from outside!
The internal DNS does point to the correct internal IP of the AD (split-brain DNS).


Hi Andy,

That easily convinced me to place the switch between OPNsense and the LOCAL LAN.
The capture image for the redirection is from NS, but it will be almost the same, except OPNsense can make a redirection in one rule for both TCP & UDP.

Webmail/Roundcube & hiding the server name

With a custom template, I am able to hide the server name.

# cat /etc/e-smith/templates-custom/etc/roundcubemail/config.inc.php/91CacherNomDuServeur

$config['default_host'] = '127.0.0.1';


Let’s Encrypt & hiding other domain names:

There are 4 other domains hosted on NS 192.168.1.1.

When accessing any particular domain, I would like to see only the certificate and CNAME related to that domain.

- With acme.sh, it is quite easy to get a Let’s Encrypt certificate for any LOCAL domain.
- I can write a script to transfer the certs, or the complete cert directory for the domain name, into any folder of OPNsense through an SSH key connection.
- Maybe also add a custom template to add a line to /sbin/e-smith/signal-event certificate-update to run that script?

Question:
● How to activate them in OPNsense?
● Will that be enough ?

Many thanks in advance,

Michel-André


Trivial. Create the desired certs one at a time (using certbot, acme.sh, or any other ACME client you prefer), then assign the appropriate cert to each virtual host–assuming Neth is handling the TLS termination for each of these. If it isn’t (i.e., if you’re using a reverse proxy on OPNSense to handle TLS termination), then get the certs on that box, and there’s no real need to have a cert (much less a trusted cert) on the Neth box for those domains. There really shouldn’t be any reason to be copying certs from one machine to another.

Hi Dan,

I will investigate this option.

Thank you for your reply.

Michel-André

I don’t know if this is of any help, but here I tried to explain what I did to get Let’s Encrypt certificates from NethServer automatically copied to the nsdc AD container (a separate machine from the one acquiring the certs in my case) every time they get renewed, and also to add them to the OPNsense router, so OPNsense can query AD for user authentication in order to be able to restrict VPN access to AD users with additional 2FA in OPNsense:

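For anyone going the “copy on renewal” route (Andy’s Nr 3, the three steps Michel-André lists above, and what Elleni describes in the post above), here is an added Python deploy hook. It is not NethServer’s, OPNsense’s or Elleni’s code. Everything site-specific in it is a labelled assumption: the paths of the renewed PEM files, the target host, remote paths and reload command, that the script is installed as an action of the NethServer certificate-update event (an assumption about the event layout), and that each target’s SSH host key is already in root’s known_hosts so strict host-key checking stays on. Before anything is pushed it checks that the private key really belongs to the certificate, which catches the classic failure of shipping a fresh cert together with a stale key, and it tightens the mode of the remote key before the service re-reads it.

```python
#!/usr/bin/env python3
"""Renewal hook: push a renewed Let's Encrypt cert and key to other boxes.

Added example for the "copy on renewal" variant discussed in this thread; it
is not NethServer's, OPNsense's or Elleni's code. Assumptions, all labelled:
  - CERT/KEY are placeholder paths for the freshly renewed PEM files;
  - TARGETS lists placeholder hosts, remote paths and reload commands;
  - the script is installed as an action of the NethServer
    certificate-update event (assumed layout: /etc/e-smith/events/
    certificate-update/S90push-certs -> this file);
  - each target's SSH host key is already in root's known_hosts, so strict
    host-key checking can stay on and BatchMode never prompts.
"""
import ssl
import subprocess
import sys

CERT = "/etc/pki/tls/certs/renewed-fullchain.pem"   # placeholder
KEY = "/etc/pki/tls/private/renewed-privkey.pem"    # placeholder
TARGETS = [
    # (ssh target, remote cert path, remote key path, reload command); placeholders
    ("root@192.168.1.1", "/usr/local/etc/ssl/pushed.pem",
     "/usr/local/etc/ssl/pushed.key", "service nginx reload"),
]


def cert_matches_key(cert_path, key_path):
    """True only if key_path is the private key for cert_path.

    load_cert_chain() refuses a mismatched pair with ssl.SSLError, so a stale
    key (or another domain's key) is caught before anything leaves the box.
    Missing or unreadable files count as a mismatch too.
    """
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(cert_path, key_path)
    except (OSError, ssl.SSLError):
        return False
    return True


def scp_command(local_path, target, remote_path):
    """argv for a copy that fails rather than accepts an unknown host key."""
    return ["scp", "-q", "-o", "StrictHostKeyChecking=yes", "-o", "BatchMode=yes",
            local_path, f"{target}:{remote_path}"]


def ssh_command(target, command):
    """argv for a non-interactive remote command with the same pinning."""
    return ["ssh", "-o", "StrictHostKeyChecking=yes", "-o", "BatchMode=yes",
            target, command]


def deploy(cert_path=CERT, key_path=KEY, targets=TARGETS, run=subprocess.run):
    """Push cert and key to every target, then lock down the key and reload.

    Returns [(target, ok), ...]; an empty list means the pair was rejected and
    nothing was pushed. `run` is injectable so a dry run can log argv instead.
    """
    if not cert_matches_key(cert_path, key_path):
        print("refusing to deploy: certificate and private key do not match",
              file=sys.stderr)
        return []
    results = []
    for target, remote_cert, remote_key, reload_cmd in targets:
        steps = (
            scp_command(cert_path, target, remote_cert),
            scp_command(key_path, target, remote_key),
            # scp does not carry the file mode over; make the remote key
            # private before the service re-reads it. all() stops at the
            # first failed step, so nothing is reloaded after a failed copy.
            ssh_command(target, f"chmod 600 {remote_key} && {reload_cmd}"),
        )
        ok = all(run(argv).returncode == 0 for argv in steps)
        results.append((target, ok))
    return results


if __name__ == "__main__":
    outcome = deploy()
    sys.exit(0 if outcome and all(ok for _, ok in outcome) else 1)
```

A non-zero exit from the hook makes the renewal event visibly fail instead of silently leaving an expired certificate on the far side, which is the failure mode to watch for with any copy scheme. As Dan notes further up, a certificate obtained directly on each box with DNS validation avoids the copy (and the key leaving the machine) altogether; the hook is for the cases, like the AD container, where that is not yet an option.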

Hi all,

This is the network I want to use to test Let’s Encrypt certificates & response to HTTPS:

● I will use 1.2.3.4 as the IP for the opnsense.toto-101.com server WAN interface and 192.168.1.75 for the LAN.
● On Poste de travail, for the IP addresses of WordPress and MediaWiki, I will use the hosts file so I can use the FQDN to access the web pages.

When accessing the WordPress or MediaWiki web page from the Poste de travail (1.2.3.5), I would like to receive the appropriate certificate.

LET’S ENCRYPT:
● I can ask Let’s Encrypt for certificates from the 3 servers, or I can use only the OPNsense server to ask for the 3 certificates: one for itself, one for WordPress and one for MediaWiki.
● There is no problem with this as I will use the registrar API for the challenges.
● Then automate the copy of the certificate to the appropriate server with SFTP.

■ Automation
Services -> Let’s Encrypt -> Automation, “+” to add a new automation

■ Certificate
Services -> Let’s Encrypt -> Certificates, “pencil” to edit the certificate.

WEB PROXY:
Before being able to test this scenario, I have to set the proxy parameters (standard or transparent, etc.).
I think I have to use a transparent proxy, but for this I need more googling or someone’s help…

All comments appreciated,

Michel-André


@michelandre

Hi Michel-André

On which box (IP) is the proxy intended to run?

I use mostly “standard”, but I do set WPAD and Proxy as DNS entries (e.g. pointing to my NethServer). Windows (all versions up to 10) will use WPAD by default. And it’s quite easy to set it on Mac that WPAD is used.

Andy


No doubt an orthogonal question, but why install mediawiki and Wordpress on separate Neth servers? They’re entirely capable of running side-by-side on the same server.

Hi Andy,

The one on the left: opnsense.toto-101.com.

I think that I need to restart the HTTP server on WordPress after the copy with SFTP?

Michel-André

Not restart, just reload.


Hi Dan,

In reality, they are on the same NS server, but I want to test the SFTP copy for 2 LOCAL servers to make sure everything is working properly.

Michel-André

Why do you want to do the SFTP copy in the first place? If you’re using DNS validation anyway, get the cert on the machine that’s going to use it. If you’re going to use it on both machines (e.g., HAProxy on OPNsense and for the web server itself on Neth), obtain separate certs on each machine.

Sure, you can copy certs using SFTP–there’s nothing magical about these files, and it’s plenty secure, especially on your own LAN–but why?

Hi Andy,

Can you explain the steps a little?

Michel-André