For those who read my writings: I had set up a virtual router based on Debian. That beginning of a router between two networks has been working very well up to today, without hiccups. The firewall was something else; it was... empty.
That said, it was a more... secondary issue, I would say: this router's sole purpose was to split the network in two. Six months later, I have a few projects in mind and I think it's time to remedy this situation.
The choice of the router / firewall
I first thought of setting up a pfSense firewall. From what I had seen in a few videos on the internets, it didn't look too bad to configure. But. Because there's always a but. It must support Wireguard. Not negotiable.
So I roamed the internet looking for hypothetical Wireguard support on pfSense. From what I saw, it wasn't there, and I didn't fancy hacking and patching together something that would half work, nor did I want to set up a new virtual machine for the VPN. So I kept on roaming.
And I found OPNsense.
From what I understand, OPNsense is a fork of pfSense (code available on GitHub) and the interface should look like pfSense's.
So, why this firewall with lots of basic features plus bells and whistles? I won't lie: I don't need this herd of features, but they are nice to have nonetheless. What I cared about was Wireguard; we'll see later how it is configured.
The installation went without much trouble via the integrated installer, which does its job like a grown-up. It's only a few screens that come one after the other. I took the guided installation: I don't mind that the root file system takes the whole virtual disk assigned to the virtual machine; that's what it's there for.
Since I still want to be able to reach the firewall's administration interface, I haven't configured a LAN yet. Indeed, if I activate the LAN, the web interface will only be reachable from the other side, and me... I'm technically on the WAN interface's side. You have probably guessed by now: this router / firewall will sit between my containers / virtual machines and me.
From the console, I assigned a suitable IP and added the static route on the internet box. The initial setup is done.
The network interfaces on both networks
It's here that things start to get entertaining, if I may say so. I started by adding one small rule to the WAN interface's firewall so I can still access the web interface once everything is good to go. Then I assigned the interface that will have a foot in the virtualized network.
Finally, to finish off the "external" interface, all traffic coming from outside, whether TCP or UDP, can pass to the other side.
On the virtualized side, I took my time writing the rules. In the end, I have a set that satisfies me and that shouldn't cause much trouble once I put this router in place of the other.
Of course, I created a very temporary container that lets me test whether everything works the way I want.
Ahhh... we now arrive at the most interesting part, besides the countless features of OPNsense: the VPN clients. If you have read more or less carefully up to here, you have certainly guessed that I will start with Wireguard. So I installed the matching plugin.
For the installation, nothing simpler: System -> Firmware -> Plugins, then install Wireguard. For the configuration, at first sight, one can be a little confused, but it's simple enough; even the documentation says so. The configuration lives under VPN -> Wireguard.
I first create a "Local" configuration with the needed information, then an "Endpoint" with the server, then come back to "Local" to add the server to our client's peers. Of course, the needed rules should be added under the "Wireguard" firewall rules. If everything goes well and the configuration is just right, we should be able to send an ICMP echo-request packet and get back an ICMP echo-reply packet, i.e. a ping. In both directions, for good measure. While we're at it, why not try opening a TCP connection in one direction, then in the other?
Configuring an OpenVPN client was a little harder but not impossible. The bulk of the issues I ran into comes from configuration differences between the OpenVPN server and the client.
I quickly set myself up a server with Angristan's OpenVPN installation script. After a few tweaks to the configuration file and the firewall of the remote server, I was able to connect with my client to validate.
What was a little special, in the case of OPNsense, is the certificate configuration to do before creating the client, with the client file in front of you. Something else: the installation script configured OpenVPN to use tls-crypt to authenticate the data passing through the tunnel. If you check the "Authenticate data" box and paste the preshared key given by the server, the handshake succeeds but nothing makes it through the tunnel. You have to uncheck the box and paste the tls-crypt block directly into the multiline textarea at the bottom of the page.
Yes, it's a bit of a mess. Client and server must have matching configurations.
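A small added helper, not from the post or from OPNsense, that reads the .ovpn file the server hands out, pulls out its inline blocks and reports whether the control channel is keyed with tls-crypt or tls-auth, so you know before clicking which of the two client settings above applies. The sample file is constructed with placeholder key material, and the mapping of the "Authenticate data" box to tls-auth is an assumption taken from the post's description.

```python
import re

# Constructed sample .ovpn (not from the post); the key material is a placeholder.
SAMPLE_OVPN = """client
dev tun
proto udp
remote vpn.example.invalid 1194
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-STATIC-KEY
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

def parse_ovpn(text):
    """Split an .ovpn file into plain directives and inline <tag>...</tag> blocks."""
    directives, blocks, current, body = [], {}, None, []
    for line in text.splitlines():
        s = line.strip()
        if current is None and (not s or s[0] in "#;"):
            continue                                             # blank line or comment
        tag = re.fullmatch(r"<(/?)([a-z-]+)>", s)
        if tag and not tag.group(1) and current is None:
            current, body = tag.group(2), []                     # opening tag
        elif tag and tag.group(1) and tag.group(2) == current:
            blocks[current], current = "\n".join(body), None     # closing tag
        elif current is not None:
            body.append(line)                                    # payload, kept verbatim
        else:
            name, *args = s.split()
            directives.append((name, args))
    if current is not None:
        raise ValueError(f"unterminated <{current}> block")      # truncated paste
    return directives, blocks

def control_channel_mode(text):
    """Return 'tls-crypt', 'tls-auth' or None, whether given inline or as a directive."""
    directives, blocks = parse_ovpn(text)
    names = {d for d, _ in directives} | set(blocks)
    return next((m for m in ("tls-crypt", "tls-auth") if m in names), None)

def opnsense_hint(text):
    """Map the mode to the client settings the post discusses (UI labels as named there)."""
    mode = control_channel_mode(text)
    if mode == "tls-crypt":
        return 'leave "Authenticate data" unchecked; paste the tls-crypt block in the multiline textarea'
    if mode == "tls-auth":
        return 'check "Authenticate data" and paste the tls-auth key (assumed mapping)'
    return "no control-channel key in the file; neither option applies"
```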
Routes. I followed the part of the documentation that fit to add a route across the tunnel.
Once everything was working and the firewall well configured, it's satisfying to have something functional.
Do we switch?
So I switch the routers. The handmade router goes into the background and the new router takes the front of the stage. Concretely, this translates to changing the virtual interfaces on both routers, then changing the IP address where necessary, then changing the static route on the internet box to point to the right place.
Putting the VPNs back together wasn't too complicated. OpenVPN put up a little resistance because I hadn't reread the .ovpn file to transcribe it into OPNsense's web interface. In the end, a reboot and there you have it, everything worked again.
In the end, OPNsense is a firewall that satisfies my use case and is simple to use. Yes, as mentioned before, I don't use all the bells and whistles on offer. That doesn't stop it from satisfying my use case.
We'll see what the future has to offer.