It was announced earlier that there would be a post about deploying the OPNsense VPN, load-balancer and firewall appliance on the Telia Cloud Platform (TCP), so here it is 🙂
There are two ways to deploy it:
1) manually (create the networks and subnets, then spin up the VM attached to them);
2) via orchestration, using a Heat template.
In this post I’ll focus on the second option for the deployment itself; the post-deployment configuration is the same for both. So let’s start!
1) Log in to your TCP tenant, head over to the Orchestration menu and choose Stacks.
Leave the “Environment Source” and “Environment File” fields unchanged and click “Next”.
3) The next window is the important one: the values entered there define the networking details, such as IP addresses. The template provides defaults, but feel free to change them as you see fit; in this tutorial we’ll use values other than the defaults. You also need to give the stack a name (e.g. opnsense) and enter the password of the TCP user you are logged in as (the Launch Stack dialog requires it).
Do not change anything below the “opnsense_flavor_name” field.
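The post does not reproduce the Telia template itself, so the following is an added example, not the post’s or Telia’s own code: a small Python script that builds a Heat (HOT) template for a two-NIC OPNsense VM and sanity-checks the networking parameters before you submit them. Heat accepts JSON templates as well as YAML, so the output can be passed straight to `openstack stack create -t`. All parameter names and defaults except `opnsense_flavor_name` (which the post mentions), the external network name, and the assumption that tenants may attach a port directly to the external network (as the post’s direct WAN addressing implies) are assumptions of this example.

```python
"""Illustrative HOT template generator for a two-NIC OPNsense VM (added example)."""
import ipaddress
import json

# Constructed defaults standing in for the template's own defaults (assumed names).
DEFAULTS = {
    "stack_name": "opnsense",
    "external_network": "public",      # assumed name of the TCP external network
    "lan_cidr": "10.10.10.0/24",
    "lan_ip": "10.10.10.1",            # OPNsense LAN address = LAN hosts' default gateway
    "opnsense_image": "opnsense",
    "opnsense_flavor_name": "m1.small",
}


def check_params(p):
    """Return a list of problems with the networking parameters (empty list = OK)."""
    problems = []
    lan = ipaddress.ip_network(p["lan_cidr"], strict=False)
    lan_ip = ipaddress.ip_address(p["lan_ip"])
    if lan.version != 4 or lan.prefixlen > 30:
        problems.append(f"LAN CIDR {lan} must be an IPv4 network with room for hosts")
    if lan_ip not in lan:
        problems.append(f"LAN IP {lan_ip} is not inside {lan}")
    elif lan_ip in (lan.network_address, lan.broadcast_address):
        problems.append(f"LAN IP {lan_ip} is the network or broadcast address")
    if not lan.is_private:
        problems.append(f"LAN CIDR {lan} should be a private range")
    return problems


def build_template(p):
    """Build the HOT template as a dict; raises ValueError on bad parameters."""
    problems = check_params(p)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "heat_template_version": "2016-10-14",
        "description": "OPNsense with a WAN port on the external network and a LAN port",
        "parameters": {
            "opnsense_flavor_name": {"type": "string", "default": p["opnsense_flavor_name"]},
            "opnsense_image": {"type": "string", "default": p["opnsense_image"]},
        },
        "resources": {
            "lan_net": {"type": "OS::Neutron::Net"},
            "lan_subnet": {
                "type": "OS::Neutron::Subnet",
                "properties": {
                    "network": {"get_resource": "lan_net"},
                    "cidr": p["lan_cidr"],
                    "gateway_ip": p["lan_ip"],  # OPNsense, not a Neutron router, routes the LAN
                    "enable_dhcp": False,       # OPNsense hands out the LAN leases
                },
            },
            "wan_port": {
                "type": "OS::Neutron::Port",
                "properties": {"network": p["external_network"]},
            },
            "lan_port": {
                "type": "OS::Neutron::Port",
                "properties": {
                    "network": {"get_resource": "lan_net"},
                    "fixed_ips": [{"ip_address": p["lan_ip"]}],
                    # A firewall forwards packets carrying other hosts' addresses;
                    # Neutron's anti-spoofing filter on the port would drop them.
                    "port_security_enabled": False,
                },
            },
            "opnsense": {
                "type": "OS::Nova::Server",
                "properties": {
                    "name": p["stack_name"],
                    "image": {"get_param": "opnsense_image"},
                    "flavor": {"get_param": "opnsense_flavor_name"},
                    # Interface order matters: first NIC = WAN, second NIC = LAN.
                    "networks": [{"port": {"get_resource": "wan_port"}},
                                 {"port": {"get_resource": "lan_port"}}],
                },
            },
        },
        "outputs": {  # what you read off the stack's Overview tab for the console setup
            "wan_ip": {"value": {"get_attr": ["wan_port", "fixed_ips", 0, "ip_address"]}},
            "lan_ip": {"value": p["lan_ip"]},
        },
    }


def render(p):
    """JSON text ready for `openstack stack create -t opnsense.json <name>`."""
    return json.dumps(build_template(p), indent=2)


if __name__ == "__main__":
    print(render(DEFAULTS))
```

The one non-obvious line is `port_security_enabled: False` on the LAN port: without it Neutron drops any packet leaving the port whose source address is not the port’s own, which is exactly what a routing firewall produces, and the result looks like a mysterious one-way connectivity problem rather than an error.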
5) Once the deployment completes, open the appliance console and perform the initial configuration. The default credentials are shown in the stack’s “Overview” tab, together with the LAN and WAN IP addresses you will need for the initial setup. Treat these credentials as temporary: the web setup wizard later in this post includes a step to set a new root password. Now click the console URL of the OPNsense appliance VM to proceed.
7) Next, set the interface IP addresses by selecting option 2 (Set interface IP address). Select interface 1 (LAN) and go through the prompts. In this example I’ll use the following answers (in order of appearance):
One important detail is the WAN gateway address. Telia Cloud has several external IP pools, but the general rule is that the gateway is the address of the WAN subnet whose last octet is 1: if your WAN address is 126.96.36.199, the gateway is 126.96.36.1, and if it is 184.108.40.206, the gateway is 184.108.40.1.
9) Once the interface addresses are set you’ll see the following screen:
10) Now temporarily disable the packet filter so that the web GUI can be reached from your browser over WAN, and check that a ping from your workstation reaches the appliance’s WAN address. Keep this window short: while the filter is off, the GUI is reachable from the whole Internet, not just from you. Select option 8 (Shell) and type:
Browse to the WAN address and log in; on first login the setup wizard starts, so complete it. I suggest 18.104.22.168 as the time server and Europe/Vilnius as the timezone. Don’t forget to fill in the “Upstream Gateway” field with the WAN gateway address discussed above. Finishing the wizard reloads the firewall with the packet filter enabled again, so go back to the appliance VM console and disable it once more.
12) The final step is a floating firewall rule that allows administrator access to the OPNsense GUI from the Internet. The rule should admit only your own public address rather than the whole Internet, so you need to know what that address is: check it at https://whatismyipaddress.com/ and then add the rule (source = your address, destination = the WAN address, protocol TCP, destination port = the GUI port).
Important! Whenever you add, remove or modify a firewall rule it does not take effect until you perform a second, explicit action: click “Apply changes”.
After applying the changes the ruleset is reloaded and the packet filter is enabled again. Don’t forget to leave the appliance VM console by typing exit in the shell and then selecting 0 (Logout) from the menu.
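To make the consequences of steps 10 to 12 checkable offline, here is an added example (not OPNsense code, and not from the original post): a small Python model of the WAN-gateway rule, the temporary packet-filter disable, the admin-only floating rule and the “Apply changes” step. It is a deliberately simplified first-match model of pf with floating “quick” rules and OPNsense’s default deny on WAN; the /24 WAN prefix, the port number 443 for the GUI, and the addresses 11.22.33.44 (administrator) and 45.67.89.10 (anyone else) are constructed assumptions, and 126.96.36.199 is the WAN address from the post’s own example.

```python
"""Model of the post-deployment firewall steps (added example, simplified)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wan_gateway(wan_ip: str, prefixlen: int = 24) -> str:
    """Telia Cloud rule from the post: the gateway is the .1 address of the WAN subnet.
    The /24 default is an assumption; pass the real prefix length if it differs."""
    net = ipaddress.ip_network(f"{wan_ip}/{prefixlen}", strict=False)
    return str(net.network_address + 1)


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # source network in CIDR notation, or "any"
    dst: str                     # destination network in CIDR notation, or "any"
    dport: Optional[int] = None  # destination port; None matches any port
    description: str = ""

    def matches(self, src, dst, proto, dport):
        def in_net(ip, net):
            return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
        return (self.proto in ("any", proto)
                and in_net(src, self.src) and in_net(dst, self.dst)
                and (self.dport is None or self.dport == dport))


class Firewall:
    """Floating ruleset with the GUI's 'saved' copy kept apart from what pf enforces."""

    def __init__(self):
        self.active: List[Rule] = []   # what the packet filter is actually enforcing
        self.pending: List[Rule] = []  # what the GUI shows after Save, before Apply
        self.enabled = True            # pf enabled (pfctl -e) or disabled (pfctl -d)

    def add_rule(self, rule):
        self.pending.append(rule)      # Save alone changes nothing on the wire

    def apply_changes(self):           # GUI: "Apply changes"
        self.active = list(self.pending)
        self.enabled = True            # loading a ruleset re-enables the filter

    def reload(self):                  # e.g. the wizard finishing: same rules, pf back on
        self.enabled = True

    def disable(self):                 # console step 10: pfctl -d
        self.enabled = False

    def decide(self, src, dst, proto="tcp", dport=None):
        if not self.enabled:
            return "pass"              # filter disabled: everything passes
        for rule in self.active:       # floating 'quick' rules: first match wins
            if rule.matches(src, dst, proto, dport):
                return rule.action
        return "block"                 # OPNsense default deny for unsolicited WAN traffic


def admin_rule(admin_ip, wan_ip, port=443):
    """The step-12 floating rule: only the administrator's public address may reach the GUI."""
    ip = ipaddress.ip_address(admin_ip)
    if not ip.is_global:  # catches pasting a LAN/RFC 1918 address instead of the public one
        raise ValueError(f"{admin_ip} is not a public address; re-check whatismyipaddress.com")
    return Rule("pass", "tcp", f"{ip}/32", f"{wan_ip}/32", port, "admin GUI access")


def walkthrough(wan_ip="126.96.36.199", admin_ip="11.22.33.44", stranger="45.67.89.10"):
    """Replay steps 10-12 and record the filter's decision at each stage."""
    fw = Firewall()
    out = {"default_deny": fw.decide(admin_ip, wan_ip, "tcp", 443)}
    fw.disable()                                   # step 10: pfctl -d
    out["pf_disabled_anyone"] = fw.decide(stranger, wan_ip, "tcp", 443)
    fw.reload()                                    # wizard finished: filter back on
    fw.add_rule(admin_rule(admin_ip, wan_ip))      # step 12: rule saved in the GUI...
    out["saved_not_applied"] = fw.decide(admin_ip, wan_ip, "tcp", 443)
    fw.apply_changes()                             # ...and only now enforced
    out["admin_after_apply"] = fw.decide(admin_ip, wan_ip, "tcp", 443)
    out["stranger_after_apply"] = fw.decide(stranger, wan_ip, "tcp", 443)
    out["admin_ssh"] = fw.decide(admin_ip, wan_ip, "tcp", 22)
    return out


if __name__ == "__main__":
    print("gateway:", wan_gateway("126.96.36.199"))
    for stage, verdict in walkthrough().items():
        print(f"{stage:22s} {verdict}")
```

The `saved_not_applied` stage is the caveat from the “Important!” note: a rule that is saved but not applied is invisible to the packet filter. The `pf_disabled_anyone` stage is why the disabled window should be short, and the `admin_ssh` stage shows that a rule scoped to the GUI port does not silently open anything else.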