How to deploy OPNsense on Glesys

OPNsense is a firewall service that can be deployed on a Glesys server. It is primarily used to secure and manage network traffic between public and private networks.

OPNsense is a powerful, open-source firewall and routing platform based on FreeBSD. It is designed to deliver enterprise-grade network security while remaining accessible and easy to use for businesses, organizations, and advanced home networks.

Originally forked from pfSense in 2015, OPNsense has since evolved into a modern, flexible solution with a strong focus on security, stability, and usability. Its intuitive web-based interface, combined with a wide range of features, makes it a popular choice for administrators who need both simplicity and advanced functionality.

Overview

To demonstrate how to configure OPNsense between a private network and the internet, we'll create the following environment. Adapt the steps to match your specific needs.

An OPNsense firewall using the ready-made KVM template.
The firewall will sit between a private network and the public internet.
The firewall will have two network interfaces: one connected to the internet, the other to the private network.
- The WAN interface (internet) will have two publicly accessible IP addresses, one for IPv4 and one for IPv6.
- The LAN interface (private network) will have two internal addresses, one for IPv4 and one for IPv6.
NAT will be set up for both IPv4 and IPv6.
For demonstrative purposes, a web server will be set up on an internal Debian virtual machine.
Internally, computers will be assigned static IPv4 and IPv6 addresses (manual configuration on each VM).
For remote access, a WireGuard tunnel will be set up.

Creating a private network (if you don’t already have one)

In the control panel, navigate to Networking → Private networks. Click Create.

Give the network a name, such as OPNsense lab. Click Create.

Next, click Create segment.

Give the segment a name, for example, Private LAN. Leave the platform at KVM. Select a data center for the segment. Set the internal IPv4 to match your desired network. Here, we'll leave it at the default since it doesn't really matter in this case. Click Create.

Creating a virtual machine for OPNsense

In the control panel, navigate to Computer → Virtual machines and click Create server.

Select KVM as the platform. Adjust the resources as needed. Under Template & Data center, select the latest OPNsense template, and the same data center you used for the private network. Give the virtual machine a hostname, such as opnsense-lab. The IP addresses can be left as-is (one IPv4 and one IPv6 address assigned). Click Create server.

Once the VM is ready, go to the Network adapters tab and create a new adapter. This network adapter will be used for the LAN.

Give the adapter a name, select the LAN segment created earlier, and click Create.

Initial configuration of OPNsense

When the VM is online, and the new adapter is connected, click Actions → Console.

The console will now open. You'll need to do some initial configuration before you can reach the OPNsense WebUI. Log in with the default username. If there's no login prompt, hit Enter a couple of times until it appears.

Username: root
Password: opnsense

From the console, you'll need to perform the following steps:

Select option 3 to set a new root password.
- Type y to proceed and press Enter.
- Enter your new password.
Select option 6 to reboot the firewall (only required after the first install).
- Type y to proceed and press Enter.
Log in again with root and your new password.
Select option 1 to assign the interfaces:
- Do you want to configure LAGGs now? → press Enter (No)
- Do you want to configure VLANs now? → press Enter (No)
- Enter the WAN interface name → enter the first interface: vtnet0
- Enter the LAN interface name → enter the second interface: vtnet1
- Enter the Optional interface 1 name → press Enter (skip)
- Do you want to proceed? → type y and press Enter

The WAN IPv4 address should now be assigned by DHCP. If not, select option 2 to manually configure the address.

Next, you'll need to disable the firewall temporarily so you can access the WebUI:
- Select option 8 (Shell).
- Enter pfctl -d to temporarily disable the firewall.
- Type exit and press Enter to exit the shell.
Select option 0 to log out.

Accessing the WebUI using the public address

Access the WebUI in a browser using the IPv4 address assigned to the WAN interface. You'll see a warning about the certificate being self-signed. Accept the certificate and continue.

Next, you'll need to add a rule so that you can continue accessing the WebUI from your home or office with the firewall enabled in OPNsense.

Navigate to Firewall → Rules → WAN. Click the red + icon on the right side.

Set Protocol to TCP.
Change Source to Single host or Network and enter your public IP (the IP of your home or office).
Set the Destination to WAN address.
Set Destination port range to:
- From: HTTPS
- To: HTTPS
Click Save.

Next, you'll need to click Apply changes for the new rule to have an effect. As soon as the rule is applied, the firewall will be enabled (which we previously disabled). If the web page keeps reloading or you only see a blank page, try clicking the URL in the browser and pressing Enter.

Setting up the interfaces

It's now time to continue configuring the interfaces. This will entail setting up IPv6 on the WAN interface and IPv4 and IPv6 on the LAN interface. IPv6 is optional, but its adoption is growing, however slowly.

IPv6 on WAN

Let's start by adding the IPv6 address to the WAN interface. Currently, there are some problems retrieving the IPv6 address in OPNsense over DHCPv6. To get around this, it's better to configure the IPv6 address manually.

First, look up the IPv6 address in Glesys Cloud. Navigate to your virtual machine for OPNsense and scroll down to IP Addresses. Here, you'll find the assigned IPv6 address.

Next, you'll need to look up the gateway and netmask for the address. You'll do this under Networking → IP addresses. Click the info icon next to the IPv6 address. Note down the gateway and netmask.

Back in OPNsense, navigate to System → Gateways → Configuration. Here, click the red + icon.

In the dialog box that opens, fill in a name for the gateway, such as WAN_static_ipv6. Leave the Interface at WAN. Select IPv6 as the Address Family. In the IP Address field, fill in the gateway address from the previous step (don't copy the address from the screenshot below, it won't work). Click Save.

Next, navigate to Interfaces → WAN. Leave most of it as it is, but change the following:

Set IPv6 Configuration Type to Static IPv6.
At the bottom of the page, fill in your virtual machine's IPv6 address in the IPv6 address field, and select the netmask from the previous step.
Select the newly created gateway, WAN_static_ipv6, in the IPv6 gateway rules field.
Click Save.

Next, click Apply changes at the top.

IPv4 and IPv6 on the LAN (private network)

Navigate to Interfaces → LAN. For IPv4 configuration type and IPv6 configuration type, select Static IPv4 and Static IPv6, respectively.

Then, fill in the IPv4 and IPv6 addresses that this OPNsense machine shall be reachable on in the private network. Choose networks that won't collide with your home or office network (we'll create a WireGuard tunnel to the OPNsense firewall later, and hence connect the private network to your home/office). Here, we choose 192.168.73.1/24 for the IPv4 address and fd10:a:b:c::1/64 for the IPv6 address.

Click Save when the IPv4 and IPv6 addresses are set.

Then, click Apply changes.

Setting up IPv6 NAT

Navigate to Firewall → NAT → Outbound. Select Hybrid outbound NAT rule generation. Click Save.

Next, under Manual rules, click the red + icon.

Here, fill in the following values and leave the rest as it is:

Interface, select WAN.
TCP/IP Version, select IPv6.
Source address, select LAN net.
Translation/target, select WAN address.

When you're done, click Save at the bottom of the page.

Once the page is saved, click Apply changes.

Setting up WireGuard for remote access

WireGuard is a fast and modern VPN tunnel that's included in OPNsense. It's an excellent choice for remote access to both the firewall itself and the private network.

Navigate to VPN → WireGuard → Instances. Click the red + icon.

In the instance dialog, give the instance a name, such as RemoteAccess.

Then, generate a new key by clicking the cog icon. The values for the Public key and Private key will then be filled out automatically.

For the Listen port, set it to a static value, such as 51820.

Tunnel address is the IP address and network that will be used inside the tunnel. Choose a unique address that won't collide with any of your existing networks. In this example, we'll choose 10.0.55.1/24.

Click Save.

Then, make sure to check Enable WireGuard and click Apply.

Generating a peer/client configuration

OPNsense has built-in support for generating configuration files for peers/clients. Click the tab Peer generator to generate the first peer configuration.

The first peer is generated automatically when you click the generator tab. However, you need to fill in some additional values before copying the configuration.

Instance: Select the RemoteAccess WireGuard instances created earlier.
Endpoint: Fill in the public IPv4 WAN address to this firewall and the port of the WireGuard instance (51820). Separate the IPv4 address and the port with a colon.
Name: Choose a name for this peer, such as MyHome or MyOffice.
Address: Leave this as it is; OPNsense automatically chooses the next available address.
Allowed IPs: Change this to the private network, such as 192.168.73.0/24. If you skip this part, the WireGuard peer will try to route all traffic through the tunnel.

Once these fields are filled in, copy the text in the Config field and save it on the computer you will use to connect to the tunnel. For example, save it in /etc/wireguard/wg1.conf if you're running Linux.

Next—after you have copied the text—click the red checkmark icon. This will save the current peer configuration and create a new configuration for the next peer.

Allowing WireGuard traffic to the OPNsense firewall

You also need to allow the WireGuard port you chose for the instance, for example, 51820. By default, OPNsense blocks all incoming connections.

Navigate to Firewall → Rules → WAN. Click the red + icon to create a new rule.

When the rule page appears, set the following values and leave the rest as it is.

TCP/IP version: IPv4
Protocol: UDP
Destination: WAN address
Destination port range:
- From: (other) 51820
- To: (other) 51820

When everything is filled out, click Save.

Then, when you return to the rules overview, click Apply changes.

Allowing traffic from the tunnel to the private network

Next, you also have to allow traffic from the WireGuard tunnel to connect to the private network behind the OPNsense firewall. This allows you to connect to the OPNsense WebUI and all the virtual machines in the private network.

Navigate to Firewall → Rules → WireGuard (Group). Click the red + icon.

For the new rule, set the TCP/IP Version to IPv4 if it isn't already the default. Set the Destination to LAN net. Click Save at the bottom of the page to save the settings. When you return to the rules overview, click Apply changes.

Connecting to the tunnel

Assuming you have saved the configuration file on your Linux system in /etc/wireguard/wg1.conf and installed WireGuard, connect to it using the following command as root (on your local home or office computer).

Command

wg-quick up wg1

You can then try to ping the firewall's IP address in the private network, in our case, 192.168.73.1.

Command (command is highlighted, output is not)

ping -c 3 192.168.73.1
PING 192.168.73.1 (192.168.73.1) 56(84) bytes of data.
64 bytes from 192.168.73.1: icmp_seq=1 ttl=64 time=11.6 ms
64 bytes from 192.168.73.1: icmp_seq=2 ttl=64 time=5.31 ms
64 bytes from 192.168.73.1: icmp_seq=3 ttl=64 time=5.22 ms

--- 192.168.73.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 5.220/7.361/11.552/2.963 ms

Removing the rule that allows your home or office IP

If pinging the firewall on the LAN address works, you can instead connect to the OPNsense WebUI on the LAN address (192.168.73.1). After that, you can proceed to remove the rule you created at the very beginning, the one that allows your home or office IP.

Navigate to Firewall → Rules → WAN. Then click the trashcan icon next to the rule with your home or office IP and port 443. Click yes when asked to confirm the deletion. And finally, click Apply changes.

Setting up a Debian VM inside the private network

To demonstrate how to configure a virtual machine inside the private network, we'll set up a Debian server. We'll also set up port-forwarding of port 80 to it, both via IPv4 and IPv6.

Create a new KVM virtual machine as you usually would (see the guide Create virtual machines).

While creating the VM, choose the Debian 13 template. For IPv4 and IPv6 addresses, select No IPv4 and No IPv6 (since the VM should sit inside the private network, it shouldn't be reachable via a public IP). Set a password for your user; you'll need to log in with that user through the console later on to set the IP addresses.

Once the VM is created, switch to the Network adapter tab. Click Create network adapter.

Next, give the adapter a name and select the private network created earlier. Click Create when done.

Now you'll need to open the console and configure the network (since it doesn't have any IP addresses). Click Actions → Console.

Once the console is open, log in with the username and password you chose when creating the virtual machine. If you can't see any login prompt, try hitting Enter a couple of times.

When you are logged in, execute the command ip addr. This should give you a list of all the network adapters in the virtual machine. Most likely, there are three adapters: lo, ens1, and enp9s0. The network adapter for the private network is the last one, in this case, enp9s0.

In Glesys's Debian 13 template, the network is configured using NetPlan. In this case, we will give this virtual machine the IPv4 address 192.168.73.2 and the IPv6 address fd10:a:b:c::2.

To configure the network, run the command sudo nano /etc/netplan/50-cloud-init.yaml and enter your password when sudo asks for it.

Command

sudo nano /etc/netplan/50-cloud-init.yaml

This will open an editor. Edit the file so that it looks like this (adjust the IP addresses to match your private network and the interface to match your VM):

/etc/netplan/50-cloud-init.yaml

network:
  version: 2
  ethernets:
    ens1: {}
    enp9s0:
      addresses: [192.168.73.2/24, "fd10:a:b:c::2/64"]
      nameservers:
        addresses: [192.168.73.1, "fd10:a:b:c::1"]
      routes:
        - to: default
          via: 192.168.73.1
        - to: "::/0"
          via: "fd10:a:b:c::1"

When you are finished editing the file, press Ctrl+X to quit the editor. Answer y (yes) to the question if you want to save the file and press Enter.

Next, run sudo netplan apply to activate the new IP addresses. Confirm it's working by pinging the OPNsense firewall using both the IPv4 and IPv6 addresses.

Commands and output (commands are highlighted)

sudo netplan apply

ping -c 3 192.168.73.1
PING 192.168.73.1 (192.168.73.1) 56(84) bytes of data.
64 bytes from 192.168.73.1: icmp_seq=1 ttl=64 time=0.472 ms
64 bytes from 192.168.73.1: icmp_seq=2 ttl=64 time=0.215 ms
64 bytes from 192.168.73.1: icmp_seq=3 ttl=64 time=0.276 ms

--- 192.168.73.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2050ms
rtt min/avg/max/mdev = 0.215/0.321/0.472/0.109 ms

ping -c 3 fd10:a:b:c::1
PING fd10:a:b:c::1 (fd10:a:b:c::1) 56 data bytes
64 bytes from fd10:a:b:c::1: icmp_seq=1 ttl=64 time=1.07 ms
64 bytes from fd10:a:b:c::1: icmp_seq=2 ttl=64 time=0.339 ms
64 bytes from fd10:a:b:c::1: icmp_seq=3 ttl=64 time=0.650 ms

--- fd10:a:b:c::1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2026ms
rtt min/avg/max/mdev = 0.339/0.686/1.069/0.299 ms

Also, verify that the VM can reach the internet over both IPv4 and IPv6 by pinging, for example, google.com.

Commands and output (commands are highlighted)

ping -4 -c 3 google.com
PING google.com (192.178.25.14) 56(84) bytes of data.
64 bytes from lcarna-ae-in-f14.1e100.net (192.178.25.14): icmp_seq=1 ttl=116 time=9.77 ms
64 bytes from lcarna-ae-in-f14.1e100.net (192.178.25.14): icmp_seq=2 ttl=116 time=9.85 ms
64 bytes from lcarna-ae-in-f14.1e100.net (192.178.25.14): icmp_seq=3 ttl=116 time=9.90 ms

--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 9.767/9.838/9.897/0.053 ms

ping -6 -c 3 google.com
PING google.com (2a00:1450:400f:808::200e) 56 data bytes
64 bytes from lcarna-ad-in-x0e.1e100.net (2a00:1450:400f:808::200e): icmp_seq=1 ttl=116 time=10.6 ms
64 bytes from lcarna-ad-in-x0e.1e100.net (2a00:1450:400f:808::200e): icmp_seq=2 ttl=116 time=9.75 ms
64 bytes from lcarna-ad-in-x0e.1e100.net (2a00:1450:400f:808::200e): icmp_seq=3 ttl=116 time=9.47 ms

--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 9.466/9.942/10.617/0.490 ms

Connecting to the Debian VM over the WireGuard tunnel

From now on, while connected to WireGuard, you can SSH into the Debian VM from your home or office computer using the IP address 192.168.73.2.

Expose a web server on the Debian VM (optional)

To demonstrate how to port-forward from OPNsense to a VM over both IPv4 and IPv6, we'll set up a web server on the Debian VM. This will make the web server accessible over both of the public addresses (IPv4 and IPv6).

Start by installing Apache on the Debian VM.

Command

sudo apt install apache2

Let's change the default web page to something simple so you can see if it's the correct page being served:

Command

echo "Debian private network web server" | sudo tee /var/www/html/index.html

If you do a local test, the above text should display:

Command and output (command is highlighted)

curl http://127.0.0.1
Debian private network web server

Now that you know the web server is working and serving the test page, it's time to port-forward traffic from the public IP addresses to it.

Navigate to Firewall → NAT → Destination NAT. Click the red + icon.

Start by adding the IPv4 port-forward. Fill in the following values:

Interface: WAN
Version: IPv4
Protocol: TCP
Destination address: This Firewall
Destination port: Single port or range
- 80
Redirect target IP: Single host or network
- 192.168.73.2
Redirect target port: Single port
- 80
Firewall rule: Register rule

Click Save.

Repeat the process by clicking the red + icon again to configure IPv6 port-forwarding. This time, fill in the following values:

Interface: WAN
Version: IPv6
Protocol: TCP
Destination address: This Firewall
Destination port: Single port or range
- 80
Redirect target IP: Single host or network
- fd10:a:b:c::2
Redirect target port: Single port
- 80
Firewall rule: Register rule

Click Save.

Finally, when the rules are saved, click Apply.

Connecting to the web server from the outside

At last, you can try connecting to the web server from the public internet. From another computer—at home or at the office—that has both IPv4 and IPv6, use curl to connect to the public addresses of the firewall.

Commands and output (commands are highlighted)

curl 203.0.113.51
Debian private network web server
curl [2001:db8:aa::2b2]
Debian private network web server

PreviousBuild your own gateway for your private network NextRestore virtual machines

Last updated 1 month ago

Was this helpful?