Setting Up An OPNSense Network Firewall — SecureDrop stable documentation (2024)

Before You Begin

First, consider how the firewall will be connected to the Internet. You will need to provision several unique subnets, which should not conflict with the network configuration on the WAN interface. If you are unsure, consult your local system administrator.

Many firewalls, including the recommended OPNSense device, automatically set up the LAN interface on 192.168.1.1/24. This particular private network is also a very common choice for home and office routers. If you are connecting the firewall to a router with the same subnet (common in a small office, home, or testing environment), you will probably be unable to connect to the network at first. However, you will be able to connect from the LAN to the firewall’s Web GUI, and from there you will be able to configure the network so it is working correctly.

The recommended TekLager APU4D4 has 4 NICs: WAN, LAN, OPT1, and OPT2. This allows for a dedicated port on the network firewall for each component of SecureDrop (Application Server, Monitor Server, and Admin Workstation).

Depending on your network configuration, you should define the following values before continuing.

  • Admin Subnet: 10.20.1.0/24

  • Admin Gateway: 10.20.1.1

  • Admin Workstation: 10.20.1.2

  • Application Subnet: 10.20.2.0/24

  • Application Gateway: 10.20.2.1

  • Application Server (OPT1): 10.20.2.2

  • Monitor Subnet: 10.20.3.0/24

  • Monitor Gateway: 10.20.3.1

  • Monitor Server (OPT2): 10.20.3.2
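A way to check these values before touching the firewall, as an added example (not part of the SecureDrop documentation): it verifies that the three subnets do not overlap each other or the WAN-side network, that each gateway and host address lies inside its subnet, and whether the upstream network collides with the factory LAN on 192.168.1.1/24. The function names and the WAN networks passed in are assumptions made for illustration.

```python
import ipaddress

# Recommended values from this page.
PLAN = {
    "admin": {"subnet": "10.20.1.0/24", "gateway": "10.20.1.1", "host": "10.20.1.2"},
    "application": {"subnet": "10.20.2.0/24", "gateway": "10.20.2.1", "host": "10.20.2.2"},
    "monitor": {"subnet": "10.20.3.0/24", "gateway": "10.20.3.1", "host": "10.20.3.2"},
}
# Network that contains the factory LAN address 192.168.1.1/24.
DEFAULT_LAN = ipaddress.ip_network("192.168.1.0/24")


def default_lan_conflicts(wan_cidr):
    """True if the upstream (WAN-side) network overlaps the firewall's factory LAN."""
    return ipaddress.ip_network(wan_cidr, strict=False).overlaps(DEFAULT_LAN)


def check_plan(plan, wan_cidr):
    """Return a list of problems with the plan; an empty list means it is usable."""
    problems = []
    wan = ipaddress.ip_network(wan_cidr, strict=False)
    nets = {}
    for name, entry in plan.items():
        try:
            net = ipaddress.ip_network(entry["subnet"])  # strict: host bits must be zero
        except ValueError as exc:
            problems.append(f"{name}: bad subnet {entry['subnet']!r}: {exc}")
            continue
        nets[name] = net
        if net.overlaps(wan):
            problems.append(f"{name} subnet {net} overlaps WAN network {wan}")
        reserved = (net.network_address, net.broadcast_address)
        for role in ("gateway", "host"):
            addr = ipaddress.ip_address(entry[role])
            if addr not in net:
                problems.append(f"{name} {role} {addr} is outside {net}")
            elif addr in reserved:
                problems.append(f"{name} {role} {addr} is the network or broadcast address")
        if entry["gateway"] == entry["host"]:
            problems.append(f"{name} gateway and host share {entry['gateway']}")
    # The subnets must also be distinct from each other.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} subnet {nets[a]} overlaps {b} subnet {nets[b]}")
    return problems


if __name__ == "__main__":
    wan = "192.168.1.0/24"  # constructed example of an office router's network
    print("plan problems:", check_plan(PLAN, wan) or "none")
    print("factory LAN collides with WAN:", default_lan_conflicts(wan))
```

If the factory LAN collides with the WAN-side network, keep the WAN port unplugged until the LAN interface has been moved to the Admin Subnet.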

Initial Configuration

Unpack the firewall, connect the power, and power on the device.

We will use the OPNSense Web GUI to do the initial configuration of the network firewall.

Connect to the OPNSense Web GUI

  1. If you have not already done so, boot the Admin Workstation into Tails using its designated USB drive. Make sure to enable the unsafe browser on the “Welcome to Tails” screen under “Additional settings” if you are using a version of Tails prior to 5.8. Tails 5.8 and newer enables the unsafe browser automatically.

  2. Connect the Admin Workstation to the LAN interface. You should see a popup notification in Tails that says “Connection Established”. If you click on the network icon in the upper right of the Tails Desktop, you should see “Wired Connected”.

    Warning

    Make sure your only active connection is the one you just established with the network firewall. If you are connected to another network at the same time (e.g. a wireless network), you may encounter problems trying to connect to the firewall’s Web GUI.

  3. Launch the Unsafe Browser from the menu bar: Applications ▸ Internet ▸ Unsafe Browser.

    Note

    The Unsafe Browser is, as the name suggests, unsafe (its traffic is not routed through Tor). However, it is the only option because Tails intentionally disables LAN access in the Tor Browser.

  4. A dialog will ask “Do you really want to launch the Unsafe Browser?”. Click Launch.

  5. You will see a pop-up notification that says “Starting the Unsafe Browser…”

  6. After a few seconds, the Unsafe Browser should launch. The window has a bright red border to remind you to be careful when using it. You should close it once you’re done configuring the firewall and use Tor Browser for any other web browsing you might do on the Admin Workstation.

  7. Navigate to the OPNSense Web GUI in the Unsafe Browser: https://192.168.1.1

    Note

    If you have trouble connecting, go to your network settings and make sure that you have an IPv4 address in the 192.168.1.1/24 range. You may need to turn on DHCP, else you can manually configure a static IPv4 address of 192.168.1.x with a subnet mask of 255.255.255.0. However, make sure not to configure your Tails device to have the same IP as the firewall (192.168.1.1).

  8. The firewall uses a self-signed certificate, so you will see a “This Connection Is Untrusted” warning when you connect. This is expected. You can safely continue by clicking Advanced and Accept the Risk and Continue.

  9. You should see the login page for the OPNSense GUI. Log in with the default username and passphrase (root / opnsense).

If this is your first time logging in to the firewall, the setup wizard will be displayed. You should not step through it at this point, however, as there are other tasks to complete. To exit, click the OPNSense logo in the top left corner of the screen.

Set a Strong Password

Navigate to System > Access > Users and click the edit button for the root user. On the subsequent page, set a strong admin password. We recommend generating a strong passphrase with KeePassXC and saving it in the Tails Persistent folder using the provided KeePassXC database template. Two-factor authentication will be enabled in a later step.

Set Alternate Hostnames

Before you can set up the hardware firewall, you will need to set the Alternate Hostnames setting.

First, navigate to System > Settings > Administration. In the Web GUI section, update the Alternate Hostnames field with the values 192.168.1.1 and the IP address of the Admin Gateway (10.20.1.1 if you are using the recommended default values), separated by a space.

Finally, scroll to the bottom of the page and click Save.

Configure Interfaces Via The Setup Wizard

To start the OPNSense Setup Wizard, navigate to System > Wizard and click Next.

  1. General Information: Leave your hostname as the default, OPNsense. There is no relevant domain for SecureDrop, so we recommend setting this to securedrop.local or something similar. Use your preferred DNS servers. If you don’t know what DNS servers to use, we recommend using Google’s DNS servers: 8.8.8.8 and 8.8.4.4. Uncheck the Override DNS checkbox.

    In the Unbound DNS section, uncheck Enable Resolver.

    Click Next.

  2. Time Server Information: Leave the default settings unchanged and click Next.

  3. Configure WAN Interface: Enter the appropriate configuration for your network. Consult your local sysadmin if you are unsure what to enter here. For many environments, the default of DHCP will work and the rest of the fields can be left at their default values.

    Click Next to proceed.

  4. Configure LAN Interface: Use the IP address of the Admin Gateway (10.20.1.1) and the subnet mask (/24) of the Admin Subnet. Click Next.

  5. Set Root Password: If the password was already reset during the 2FA setup, you don’t need to set it again. If it was not, then set a strong password now and store it in the Admin Workstation’s KeePassXC database. Click Next to continue.

  6. Reload Configuration: Click Reload to apply the changes you made in the Setup Wizard.

At this point, since the LAN subnet settings were changed from their defaults, you will no longer be able to connect after reloading the firewall and the reload will time out. This is not an error - the firewall has reloaded and is working correctly.

To connect to the new LAN interface, unplug and reconnect your network cable to get a new network address assigned via DHCP. Note that if you used a subnet with fewer addresses than /24, the default DHCP configuration in OPNSense may not work. In this case, you should assign the Admin Workstation a static IP address that is known to be in the subnet to continue.

The Web GUI will now be available on the Admin Gateway IP address. Navigate to https://<Admin Gateway IP> in the Unsafe Browser and log in to the root account using an OTP token and the passphrase you just set.

Once you’ve logged in to the Web GUI, you are ready to continue configuring the firewall.

Connect Interfaces and Test

Now that the initial configuration is completed, you can connect the WAN port without potentially conflicting with the default LAN settings (as explained earlier). Connect the WAN port to the external network. You can watch the WAN entry in the Interfaces table on the OPNSense Dashboard homepage to see it change from down (red arrow pointing down) to up (green arrow pointing up). This usually takes several seconds. The WAN’s IP address will be shown once it comes up.

Finally, test connectivity to make sure you are able to connect to the Internet through the WAN. The easiest way to do this is to open another tab in the Unsafe Browser and visit a host that you expect to be up (e.g. google.com).

Update OPNSense to the latest version

You should update OPNSense to the latest version available before proceeding with the rest of the configuration. Navigate to Lobby > Dashboard and click Click to check for updates to start the process, and follow any on-screen instructions to complete the update. Note that a reboot may be required, and you may also need to apply several updates in a row to get to the latest version.

Enable Two-Factor Authentication

OPNSense supports two-factor authentication (2FA) via mobile apps such as Google Authenticator or FreeOTP. To set it up, first make sure you have a mobile device available with your choice of 2FA app.

Next, in the OPNSense Web GUI, navigate to System > Access > Servers and click + to add a new server.

Note

The time on your firewall must be set correctly for 2FA to work properly. This should happen automatically once the WAN connection is established.

On the next page, enter TOTP Local in the Descriptive name field and choose Local + Timebased One Time Password from the Type dropdown. Leave the other fields at their default values and click Save.

Next, navigate to System > Access > Users and click the edit button for the root user. Scroll down the page to the OTP seed section and check the Generate new secret (160bit) checkbox. Finally, click Save.

Once the page has reloaded, scroll down to the OTP QR code section and click Click to unhide, then scan the generated QR code with your mobile auth application of choice.

If you wish, you may also save the OTP seed value displayed above the QR code in your Tails KeePassXC database - this isn’t required, but will allow you to set up TOTP on another mobile device if you need to in the future.

Test your new login credentials

To verify that your new password and OTP secret are working, navigate to System > Access > Tester. Select TOTP Local from the Authentication Server dropdown, enter the root username in the Username field, and enter your OTP token and password concatenated like 123456PASSWORD in the Password field. Then click Test.

If the test fails, make sure you have used the correct OTP code and password, and edit the root user record as necessary.

Note

You must enter the OTP token and passphrase concatenated as a single string like 123456PASSWORD in the Password field.

Warning

Do not skip this test, or proceed further until it passes, as you will be locked out of the firewall Web GUI and console if the account is not set up correctly!

Finally, navigate to System > Settings > Administration and scroll down to the Authentication section at the bottom of the page. In the Server dropdown, select TOTP Local and deselect Local Database. Click Save.

Disable DHCP on the Firewall

OPNSense runs a DHCP server on the LAN interface by default. At this stage in the documentation, the Admin Workstation likely has an IP address assigned via that DHCP server.

In order to tighten the firewall rules as much as possible, we recommend disabling the DHCP server and assigning a static IP address to the Admin Workstation instead.

Disable DHCP Server on the LAN Interface

To disable DHCP, navigate to Services > DHCPv4 > [LAN] in the Web GUI. Uncheck the Enable DHCP server on the LAN interface checkbox, scroll down, and click Save.

Assign a Static IP Address to the Admin Workstation

Now you will need to assign a static IP to the Admin Workstation.

You can easily check your current IP address by clicking the top right of the menu bar, clicking on the Wired Connection and then clicking Wired Settings.

From here you can click on the cog beside the wired network connection:

This will take you to the network settings. Change to the IPv4 tab. Ensure that IPv4 Method is set to Manual, and that the Automatic switch for DNS is in the “off” position, as highlighted in the screenshot below:

Note

The Unsafe Browser will not launch when using a manual network configuration if it does not have DNS servers configured. This is technically unnecessary for our use case because we are only using it to access IP addresses on the LAN, and do not need to resolve anything with DNS. Nonetheless, you should configure some DNS servers here so you can continue to use the Unsafe Browser to access the WebGUI in future sessions.

We recommend keeping it simple and using the same DNS servers that you used for the network firewall in the setup wizard.

Fill in the static networking information for the Admin Workstation:

  • Address: 10.20.1.2

  • Netmask: 255.255.255.0

  • Gateway: 10.20.1.1

Click Apply. If the network does not come up within 15 seconds or so, try disconnecting and reconnecting your network cable to trigger the change. You will know you have succeeded in connecting with your new static IP when you are able to connect using the Tor Connection assistant, and you see the message “Connected to Tor successfully”.

Troubleshooting: DNS Servers and the Unsafe Browser

After saving the new network configuration, you may still encounter the “No DNS servers configured” error when trying to launch the Unsafe Browser. If you encounter this issue, you can resolve it by disconnecting from the network and then reconnecting, which causes the network configuration to be reloaded.

To do this, click the network icon in the system toolbar, and click Disconnect under the name of the currently active network connection, which is displayed in bold. After it disconnects, click the network icon again and click the name of the connection to reconnect. You should see a popup notification that says “Connection Established”, and the Tor Connection assistant should show the message “Connected to Tor successfully”.

For the next step, SecureDrop Configuration, you will manually configure the firewall for SecureDrop, using screenshots as a reference.

SecureDrop Configuration

SecureDrop uses the firewall to achieve two primary goals:

  1. Isolating SecureDrop from the existing network, which may be compromised (especially if it is a venerable network in a large organization like a newsroom).

  2. Isolating the Application Server and the Monitor Server from each other as much as possible, to reduce attack surface.

In order to use the firewall to isolate the Application Server and the Monitor Server from each other, we need to connect them to separate interfaces, and then set up firewall rules that allow them to communicate.

Enable The OPT1 And OPT2 Interfaces

The OPT1 and OPT2 interfaces will be used for the Application Server and Monitor Server respectively. To enable them, first connect the Application Server to the physical OPT1 port and the Monitor Server to the OPT2 port.

Next, navigate to Interfaces > Assignments. LAN and WAN will already be enabled. Click the + button in the New Interface section to enable the OPT1 interface on the next available NIC (igb2 in the screenshot below). Once OPT1 has been added, click + again to add OPT2 (on igb3 in the screenshot below).

Finally, click Save.

Configure the LAN, WAN, OPT1, and OPT2 interfaces

OPT1 and OPT2 need to be configured to use the subnets defined for the Application and Monitor Servers, and some additional configuration is required for the LAN and WAN interfaces that is not covered by the Setup Wizard.

Configure the WAN interface

First, navigate to Interfaces > [WAN]. In the Basic configuration section, check the checkbox labeled Prevent interface removal.

In the Generic configuration section, make sure that the Block private networks and Block bogon networks checkboxes are checked.

Scroll down and click Save, then click Apply changes when prompted.

Configure the LAN interface

Next, navigate to Interfaces > [LAN]. In the Basic configuration section, check the checkbox labeled Prevent interface removal.

In the Generic configuration section, select Static IPv4 in the IPv4 Configuration Type dropdown, and None in the IPv6 Configuration Type dropdown.

Scroll down and click Save, then click Apply changes when prompted.

Configure the OPT1 interface

Next, navigate to Interfaces > [OPT1]. In the Basic configuration section, check the checkboxes labeled Enable interface and Prevent interface removal.

In the Generic configuration section, select Static IPv4 in the IPv4 Configuration Type dropdown, and None in the IPv6 Configuration Type dropdown.

Scroll down. In the Static IPv4 Configuration section, enter the Application Gateway IP address and routing prefix (10.20.2.1 and 24 if you are using the recommended values).

Click Save, then click Apply changes when prompted.

Configure the OPT2 interface

Finally, navigate to Interfaces > [OPT2]. In the Basic configuration section, check the checkboxes labeled Enable interface and Prevent interface removal.

In the Generic configuration section, select Static IPv4 in the IPv4 Configuration Type dropdown, and None in the IPv6 Configuration Type dropdown.

Scroll down. In the Static IPv4 Configuration section, enter the Monitor Gateway IP address and routing prefix (10.20.3.1 and 24 if you are using the recommended values).

Click Save, then click Apply changes when prompted.

Configure Firewall Aliases

In order to simplify firewall rule setup, the next step is to configure aliases for hosts and ports referred to in the rules.

To start, first navigate to Firewall > Aliases. You should see some system-defined aliases as shown below:

Click the + button to add new aliases. You should add the aliases defined in the table below (assuming recommended values for IP addresses):

Firewall Aliases

Name                 | Type    | Content
---------------------|---------|---------------------------
admin_workstation    | Host(s) | 10.20.1.2
app_server           | Host(s) | 10.20.2.2
external_dns_servers | Host(s) | 8.8.8.8, 8.8.4.4
monitor_server       | Host(s) | 10.20.3.2
local_servers        | Host(s) | app_server, monitor_server
OSSEC                | Port(s) | 1514
ossec_agent_auth     | Port(s) | 1515
antilockout_ports    | Port(s) | 80, 443

When complete, the Aliases page should look like this:

Scroll down and click Apply to save and apply your new aliases.

Configure Firewall Rules

Next, configure firewall rules for each interface.

Configure Firewall Rules on LAN

First, navigate to Firewall > Rules > LAN. The LAN interface should have one automatically-generated anti-lockout rule in place, in addition to two default-allow rules. The default-allow rules should be removed once the SecureDrop-specific rules below have been added. The anti-lockout feature should be disabled as a last step.

The rules needed are described in this table:

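Firewall Rules - LAN

Action | TCP/IP Version | Protocol | Src               | Src port | Dest          | Dest port | Description
-------|----------------|----------|-------------------|----------|---------------|-----------|-------------------------------
Pass   | IPv4           | TCP      | admin_workstation |          | local_servers | 22 (SSH)  | SSH access for initial install
Pass   | IPv4           | TCP      | admin_workstation |          |               |           | Tor from Tails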

Add or remove rules until they match the following screenshot including ordering. Click the + button to add a rule.

Once the rules match, click Apply Changes.

Finally, remove the default anti-lockout rule. First, navigate to Firewall > Settings > Advanced. Scroll down to the Miscellaneous section and check the Disable anti-lockout checkbox. Then, click Save.

Configure Firewall Rules On OPT1

Next, navigate to Firewall > Rules > OPT1. There should be no rules defined on this interface. Add the rules below:

Firewall Rules - OPT1

Action | TCP/IP Version | Protocol | Src        | Src port | Dest                 | Dest port        | Description
-------|----------------|----------|------------|----------|----------------------|------------------|---------------------------------------
Pass   | IPv4           | UDP      | app_server |          | monitor_server       | OSSEC            | OSSEC Agent
Pass   | IPv4           | TCP      | app_server |          | monitor_server       | ossec_agent_auth | OSSEC initial auth
Block  | IPv4           | any      | OPT1 net   |          | LAN net              |                  | Block between OPT1 and LAN by default
Block  | IPv4           | any      | OPT1 net   |          | OPT2 net             |                  | Block between OPT1 and OPT2 by default
Pass   | IPv4           | TCP      | app_server |          |                      |                  | Tor from App Server
Pass   | IPv4           | TCP/UDP  | app_server |          | external_dns_servers | 53 (DNS)         | Allow DNS
Pass   | IPv4           | UDP      | app_server |          |                      | 123 (NTP)        | Allow NTP

Once they match the screenshot below, click Apply Changes.

Configure Firewall Rules On OPT2

Next, navigate to Firewall > Rules > OPT2. Similarly to OPT1, there should be no rules defined on this interface. Add the rules below until the rules in the Web GUI match those in the screenshot:

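Firewall Rules - OPT2

Action | TCP/IP Version | Protocol | Src            | Src port | Dest                 | Dest port | Description
-------|----------------|----------|----------------|----------|----------------------|-----------|---------------------------------------
Block  | IPv4           | any      | OPT2 net       |          | LAN net              |           | Block between OPT2 and LAN by default
Block  | IPv4           | any      | OPT2 net       |          | OPT1 net             |           | Block between OPT2 and OPT1 by default
Pass   | IPv4           | TCP      | monitor_server |          |                      |           | Tor, SMTP from Monitor Server
Pass   | IPv4           | TCP/UDP  | monitor_server |          | external_dns_servers | 53 (DNS)  | Allow DNS
Pass   | IPv4           | UDP      | monitor_server |          |                      | 123 (NTP) | Allow NTP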

Finally, click Apply Changes.
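Why the rule ordering on OPT1 and OPT2 matters, as an added example (a simplified model written for this page, not OPNSense code and not part of the SecureDrop documentation): it evaluates the rule tables above top to bottom and shows that moving the broad "Tor from App Server" pass rule above the block rules would let the Application Server reach the Admin Workstation. It assumes first-match evaluation with an implicit default deny, that an empty table cell means "any", and the recommended addresses; the function names are hypothetical.

```python
import ipaddress

# Aliases and interface networks, using this page's recommended values.
HOSTS = {
    "app_server": ["10.20.2.2"],
    "monitor_server": ["10.20.3.2"],
    "external_dns_servers": ["8.8.8.8", "8.8.4.4"],
    "LAN net": ["10.20.1.0/24"],
    "OPT1 net": ["10.20.2.0/24"],
    "OPT2 net": ["10.20.3.0/24"],
}
PORTS = {"OSSEC": 1514, "ossec_agent_auth": 1515, "DNS": 53, "NTP": 123}
ANY = None  # assumption: an empty cell in the rule tables means "any"

# (action, protocol, source, destination, destination port), in table order.
RULES = {
    "OPT1": [
        ("pass", "udp", "app_server", "monitor_server", "OSSEC"),
        ("pass", "tcp", "app_server", "monitor_server", "ossec_agent_auth"),
        ("block", "any", "OPT1 net", "LAN net", ANY),
        ("block", "any", "OPT1 net", "OPT2 net", ANY),
        ("pass", "tcp", "app_server", ANY, ANY),  # Tor from App Server
        ("pass", "tcp/udp", "app_server", "external_dns_servers", "DNS"),
        ("pass", "udp", "app_server", ANY, "NTP"),
    ],
    "OPT2": [
        ("block", "any", "OPT2 net", "LAN net", ANY),
        ("block", "any", "OPT2 net", "OPT1 net", ANY),
        ("pass", "tcp", "monitor_server", ANY, ANY),  # Tor, SMTP from Monitor Server
        ("pass", "tcp/udp", "monitor_server", "external_dns_servers", "DNS"),
        ("pass", "udp", "monitor_server", ANY, "NTP"),
    ],
}


def _host_matches(spec, ip):
    if spec is ANY:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in HOSTS[spec])


def _proto_matches(rule_proto, proto):
    return rule_proto == "any" or proto in rule_proto.split("/")


def evaluate(rules, proto, src, dst, dport):
    """Return (action, rule_index) of the first matching rule.

    ('block', None) means no rule matched and the implicit default deny applied.
    """
    for index, (action, r_proto, r_src, r_dst, r_port) in enumerate(rules):
        if (_proto_matches(r_proto, proto) and _host_matches(r_src, src)
                and _host_matches(r_dst, dst)
                and (r_port is ANY or PORTS[r_port] == dport)):
            return action, index
    return "block", None


def tor_rule_first(rules):
    """Misordered variant: the broad 'pass TCP to any' rule moved above the block rules."""
    broad = [r for r in rules if r[0] == "pass" and r[3] is ANY and r[4] is ANY]
    return broad + [r for r in rules if r not in broad]


if __name__ == "__main__":
    probe = ("tcp", "10.20.2.2", "10.20.1.2", 22)  # App Server -> Admin Workstation SSH
    print("as documented:", evaluate(RULES["OPT1"], *probe))
    print("misordered:   ", evaluate(tor_rule_first(RULES["OPT1"]), *probe))
```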

The Network Firewall configuration is now complete, allowing you to move to the next step: setting up the servers.

Troubleshooting Tips

Here are some general tips for setting up OPNSense firewall rules:

  1. Create aliases for the repeated values (IPs and ports).

  2. OPNSense is a stateful firewall, which means that you don’t need corresponding rules to allow incoming traffic in response to outgoing traffic (like you would in, e.g. iptables with --state ESTABLISHED,RELATED).

  3. You should create the rules on the interface where the traffic originates.

  4. Make sure you delete the default “allow all” rule on the LAN interface.

  5. If you are troubleshooting connectivity, the firewall logs can be very helpful. You can find them in the Web GUI in Firewall > Log Files.

Keeping OPNSense up to Date

Periodically, the OPNSense project maintainers release an update to the OPNSense software running on your firewall. You can check for updates using the link on the OPNSense dashboard.

If you see that an update is available, we recommend installing it. Most of these updates are for minor bugfixes, but occasionally they can contain important security fixes. You should keep apprised of updates yourself by checking the OPNSense Blog or subscribing to the OPNSense Blog RSS feed.
