Deploying OPNSense appliance on Telia Cloud Platform

It was announced earlier that there will be a post regarding the deployment of OPNSense VPN, LB and FW appliance on Telia Cloud Platform (TCP), so here it is 🙂

There are two ways to deploy it:

1) manually (create networks, subnets, spin up VM with proper networks);
2) via orchestration, using a Heat template.

In this post I’ll focus on the second option for the deployment process but the post-deployment configuration is the same for both options. So let’s start!

1) Log in to your TCP tenant and head over to the menu item Orchestration and choose the item Stacks.

2) Select the action “Launch Stack” and in the “Select Template” window choose “URL” as the value for the “Template Source” and then input the following URL as the value:

Don’t change anything for “Environment Source” and “Environment File” fields and click “Next”.

3) The next window is very important because the values there will define the networking details, such as IP addresses. The template provides default values but feel free to change them as you see fit. In this tutorial we’ll change the default values to some other ones. You will also need to provide a name for the orchestration stack name (e.g. opnsense) and the password for your user name.

Do not change anything below the “opnsense_flavor_name”.

4) Upon successful execution of the template the status of the stack will change to “Create complete”, click on the stack name with a hyperlink for more details and select the tab “Overview”.

5) The deployment is complete, now you need to open the appliance console and perform the initial configuration. The default credentials are provided in the stack “Overview” tab, along with the LAN and WAN IP addresses that will be needed for the initial setup. So now click on the console URL for the OPNSense appliance VM to proceed to initial setup.

Click on the blueish bar that says “Connected (encrypted)…” to gain keyboard focus for the console, enter login credentials and upon a successful login you’ll get the appliance menu.

6) Select option 3 to set the root password, answer y to the wizard question, and then type in and confirm your new permanent root password.

7) Now you need to set the interface IP address by selecting option 2. Then select interface 1 (LAN) and perform the configuration. In this particular example I’ll use the following answers for the configuration wizard (in the order of appearance):

8) The same procedure has to be repeated for the WAN interface by selecting option 2. Then select interface 2 (WAN) and perform the configuration.

One important aspect here – the WAN gateway IP address. In the Telia Cloud platform we have multiple external IP pools but the general rule is that the gateway IP address always starts with 1, e.g. if your external IP address for the WAN interface is – then the gateway will be, alternatively, if your external IP address is – then the gateway will be

9) Once all is set with the interface IP addresses you’ll see the following window:

10) Now you need to temporarily disable the firewall to allow further configuration to take place via browser and also test that the ping gets through to the appliance over WAN. To do that, select option 8 (Shell), and type in:

pfctl -d

11) Now open a browser and head to your WAN IP address via HTTPS. User name is root and you know the password 🙂

Upon the first login a configuration wizard will start to perform the initial setup, so complete it. I suggest as the time server and Europe/Vilnius as the timezone. Don’t forget to type in the value for the “Upstream Gateway” field. Once you finish the wizard, it will reload the firewall, so head to the appliance VM console and temporarily disable the firewall again.

12) The final step is to add a floating firewall rule to allow administrator access to the OPNsense appliance via the Internet. To do that, you’ll need to know your external IP address. Head over to to find out what it is, and then add the rule to the firewall.

Important! Once you add a rule (or remove, or modify) to the firewall, you need another action to take that rule into effect (a double action verification) by clicking “Apply changes”.

After applying the changes the firewall rules will be reapplied and the firewall enabled. Don’t forget to exit the appliance VM console by typing exit and selecting 0 from the menu.

That’s it with the deployment! Make sure you update the appliance to the latest version (menu item System -> Firmware -> Updates), enjoy OPNSense! 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

90 − = 85