OPNsense, NethServer and Certificates

@michelandre

Hi Michel-André

In my diagrams, most are from clients, in their offices. My NethServers at clients all only run with one NIC (GREEN). There’s still a basic firewall running on NethServer, even if you do not install firewall or two NICs. And my clients also have workstations, printers and other stuff. The doctors have an X-Ray, not something any freak has at home!
These all need network and Internet, that’s the main reason a switch is there. The switch, in some cases, is as virtual as NethServer and OPNsense, everything in Proxmox.
I’ve done that kind of setup, even helping people here at the forum setting this up!

If both NethServer and OPNsense act as firewall, you’d end up with double NAT, not the best background for VoIP. I have been forced to use double NAT before; it does work, but can cause unexpected issues.

My suggestion would be as in this description:

https://wiki.nethserver.org/doku.php?id=userguide:nethserver_and_proxmox

I’d use IP 1 for the OPNsense, my firewalls always use 1 as IP. My NethServers almost always use 20 as their IP (GREEN). NethServer’s AD uses IP 11.

I use an XL table like this for all networks, the dark grey (below) are “standards” for devices.

The rest looks like this (no MAC addresses shown…)

If you want, I can provide a sample in XL on my nextcloud at home…

If you’re in doubt as to why two networks and two firewalls to configure - you most likely don’t need a second firewall, which can make life difficult.
If you’re happy with OPNsense features and stability (like I am), then remove the second NIC from your NethServer (or deconfigure it) and only use a single GREEN Network.

I’ve set up 30+ NethServers for clients, and only twice set up a NethServer for a friend, and only because the firewall he had fried between Xmas and New Year, when getting spares is difficult. And no internet during Xmas just isn’t an option!

All the rest were all configured with only one NIC. Together, OPNsense and NethServer make it happen! And even if you have a problem with something you set up on NethServer and it doesn’t work as expected - you still have internet to check the NethServer Forum or Google for help!

There are legit reasons for going the extra mile and using more than one firewall:

20 years ago, I had to secure a bank’s internet connection.
At the time, I used three different firewalls, cascaded.
All three using different OS and Systems.
Checkpoint, Cisco and a m0n0wall, behind each other.
All three had out of band and internal monitoring.
A break-in would have entailed hacking the Checkpoint, using whatever was working after the hack to attack the Cisco. And after the Cisco, you’d still have had to attack the m0n0wall.
Even if you cut their telephone / cable connection, an SMS would have been sent from the monitoring system.
And all in all, you would have had exactly 2x 5 minutes to do the break-in, else the alarm would have been triggered!

But at home or in the office, you don’t really need this kind of over-security - and they had the budget for that!

My 2 cents
Andy

3 Likes

Wouldn’t the most elegant solution be simply that every device handles its own certs? This is simple to arrange with DNS validation–and if your DNS provider doesn’t have a supported API, use acme-dns instead:
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_acme-dns

Once you set up acme-dns on your Neth server, point the OPNSense box to it for its own DNS validation.

@danb35

And how does NethServer’s AD get its certs then? :slight_smile:
I wasn’t aware of an option to use LetsEncrypt also in AD of NethServer…

AFAIK it still needs to be set up by hand or by a script triggered by renewal of LetsEncrypt (hook).

Another reason: The premise was to be able to use AD users for OPNsense VPNs, and also allow OPNsense to use NethServer’s Nextcloud for backup of configs regularly…

Andy

I haven’t used AD, but I assumed it used the default system certificate, which is updated with the certificate-update event. Is this not the case? If not, it really seems like it should be.

Even if not, DNS validation means you don’t need public DNS records pointing to your AD server, and the OPNSense box can still maintain its own certs.

Unfortunately not, AD uses self-created SSL certs, which aren’t accepted by OPNsense.
The default on NethServer doesn’t affect the AD.

I agree this should be the case, but we’re doing the alpha/beta work behind this for now.

Elleni, Markus and I tweaked the whole thing till it worked, fluffed and whistled!

And it only really works if all use the same cert.
We didn’t have enough public IPs to test other variants.

Even though the AD’s name is in public DNS - the AD is not accessible from outside!
The internal DNS does point to the correct internal IP of the AD (Split Brain DNS).

1 Like

Hi Andy,

That easily convinced me to place the switch between OPNsense and the LOCAL LAN.
The capture image for the redirection is from NS but it will be almost the same except OPNsense can make a redirection in one rule for both TCP & UDP.

Webmail/Roundcube & hiding server name

With a custom template, I am able to hide the server name.

# cat /etc/e-smith/templates-custom/etc/roundcubemail/config.inc.php/91CacherNomDuServeur

$config['default_host'] = '127.0.0.1';


Let’s Encrypt & hiding other domain names:

There are 4 other domains hosted on NS 192.168.1.1.

When accessing any particular domain, I would like to see only the certificate and CNAME related to that domain.

- With acme.sh, it is quite easy to have a Let’s Encrypt certificate for any LOCAL domain.
- I can write a script to transfer the certs or the complete cert-directory-domain-name into any folder of OPNsense through an SSH key connection.
- Maybe also add a custom template to add a line to /sbin/e-smith/signal-event certificate-update to run that script?

Question:
● How to activate them in OPNsense?
● Will that be enough?

Many thanks in advance,

Michel-André

1 Like

Trivial. Create the desired certs one at a time (using certbot, acme.sh, or any other ACME client you prefer), then assign the appropriate cert to each virtual host–assuming Neth is handling the TLS termination for each of these. If it isn’t (i.e., if you’re using a reverse proxy on OPNSense to handle TLS termination), then get the certs on that box, and there’s no real need to have a cert (much less a trusted cert) on the Neth box for those domains. There really shouldn’t be any reason to be copying certs from one machine to another.

Hi Dan,

I will investigate this option.

Thank you for your reply.

Michel-André

I don’t know if this is of any help, but here I tried to explain what I did to get letsencrypt certificates from nethserver automatically copied to the nsdc AD container (a separate machine from the one acquiring the certs in my case) every time they get renewed, and also to add them to the opnsense router, so opnsense can query AD for user authentication in order to be able to restrict VPN access to AD users with additional 2FA in opnsense:

1 Like

Hi all,

This is the network I want to use to test Let’s Encrypt certificates & response to HTTPS:

● I will use 1.2.3.4 as the IP for the opnsense.toto-101.com server WAN interface and 192.168.1.75 for the LAN.
● On Poste de travail, for the IP address of WordPress and MediaWiki, I will use the hosts file so I can use the FQDN to access the Web pages.

When accessing the WordPress or MediaWiki web page from the Poste de travail: 1.2.3.5, I would like to receive the appropriate certificate.

LET’S ENCRYPT:
● I can ask Let’s Encrypt certificates from the 3 servers or I can use only OPNsense server to ask the 3 certificates: one for itself, one for wordpress and one for mediawiki.
● There is no problem with this as I will use the registrar API for the challenges.
● Then automate the copy of the certificate to the appropriate server with SFTP.

■ Automation
Services > Let’s Encrypt > Automation, then “+” to add a new automation.

■ Certificate
Services > Let’s Encrypt > Certificates, then the pencil to Edit Certificate.

WEB PROXY:
Before being able to test this scenario, I have to set the proxy parameters (standard or transparent, etc.).
I think I have to use a transparent proxy, but for this, I need more googling or someone’s help…

All comments appreciated,

Michel-André

1 Like

@michelandre

Hi Michel-André

On which box (IP) is the proxy intended to run?

I use mostly “standard”, but I do set WPAD and Proxy as DNS entries (e.g. pointing to my NethServer). Windows (all versions up to 10) will use WPAD by default. And it’s quite easy to set it on Mac so that WPAD is used.

Andy

1 Like

No doubt an orthogonal question, but why install mediawiki and Wordpress on separate Neth servers? They’re entirely capable of running side-by-side on the same server.

Hi Andy,

The one on the left: opnsense.toto-101.com.

I think that I need to restart the HTTP server on WordPress after the copy with SFTP?

Michel-André

Not restart, just reload.

1 Like

Hi Dan,

In reality, they are on the same NS server, but I want to test the SFTP copy for 2 LOCAL servers to make sure everything is working properly.

Michel-André

Why do you want to do the SFTP copy in the first place? If you’re using DNS validation anyway, get the cert on the machine that’s going to use it. If you’re going to use it on both machines (e.g., HAProxy on OPNsense and for the web server itself on Neth), obtain separate certs on each machine.

Sure, you can copy certs using SFTP–there’s nothing magical about these files, and it’s plenty secure, especially on your own LAN–but why?

Hi Andy,

Can you explain the steps a little?

Michel-André

Hi Dan,

Because I am looking at how OPNsense is working.

Michel-André

@michelandre

Well, you need a few DNS entries.

On OPNsense, you can use Unbound, which is quite capable.
On NethServer, use the internal DNS.

Create an entry with FQDN for the host where the proxy is running (NethServer or OPNsense).
Create an alias for proxy.yourdomain.com and wpad.yourdomain.com (replace as needed…).

WPAD must be accessible via web under the URL wpad.yourdomain.com/proxy.pac
On your NethServer this also works using just the IP/proxy.pac.

NethServer has a built-in WPAD file (proxy.pac), you can use this as a starter.
WPAD is quite powerful, see Google for a few examples. It’s also quite old and can have security issues, but as long as you’re using it on your own network, it’s OK. A lot of large companies use this.

proxy.pac is a simple text file with some JS. You can use your preferred editor.

Note:
For security reasons, it’s actually a good idea to use WPAD in any network. If WPAD is set in DNS, that takes higher priority than e.g. a hacker with a Linux notebook (called wpad) running Apache and Squid… Classic Man-in-the-Middle attack.

However if it’s set in DNS, that takes priority over anything the notebook may propagate…
-> Better security!

Andy

1 Like
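The proxy.pac Andy mentions, as an added example that is not NethServer’s built-in file: short names, the local domain and the LAN go direct, everything else goes through the proxy. proxy.yourdomain.com, port 3128 and 192.168.1.0/24 are assumed placeholders.

```javascript
// Added example, not NethServer's own proxy.pac: a minimal WPAD file for the
// setup described above. Assumed values: proxy.yourdomain.com listening on 3128
// (squid's default) and a LAN of 192.168.1.0/24; adjust to your network.
// Plain ES5 on purpose: PAC engines (browsers, WinHTTP) reject modern syntax.

// ---- Offline stand-ins for the PAC helper functions ------------------------
// Browsers provide isPlainHostName/dnsDomainIs/isInNet themselves; these
// minimal versions exist only so the file can be checked with Node.
// Delete this block before serving the file as wpad.yourdomain.com/proxy.pac.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function ipToInt(ip) {
  var p = ip.split(".");
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | (+p[3])) >>> 0;
}
function isInNet(ip, pattern, mask) {
  // Real engines resolve a hostname first; the stand-in only accepts literal IPs.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
  return ((ipToInt(ip) & ipToInt(mask)) >>> 0) ===
         ((ipToInt(pattern) & ipToInt(mask)) >>> 0);
}
// ---------------------------------------------------------------------------

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Short names and the local domain stay inside the LAN (NethServer, AD, printers).
  if (isPlainHostName(host) || dnsDomainIs(host, ".yourdomain.com")) {
    return "DIRECT";
  }
  // Loopback and the LAN range never go through the proxy.
  if (host === "localhost" || isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "192.168.1.0", "255.255.255.0")) {
    return "DIRECT";
  }
  // Everything else goes through squid. No "; DIRECT" fallback is appended:
  // it would let clients bypass the proxy whenever it is unreachable.
  return "PROXY proxy.yourdomain.com:3128";
}
```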

Hi all,

After trying many different scenarios, it is finally working and giving the right Let’s Encrypt certificate using: https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html.

I just issued a certificate using acme.sh for wordpress.toto-101.com and another cert for opnsense.toto-101.com. No need to transfer any cert to the OPNsense server.

But it is kind of slow to answer and display the page.
Also, it is not answering https://wordpress.toto-101.com. I have to use www.



I had no luck with Unbound, but I would like to use it if I can find a detailed tutorial.

Michel-André