OPNSense Security Configuration Guide

This comprehensive guide will help you securely configure your OPNSense firewall following industry best practices and security standards.

1. Initial Setup and Access Control

Change Default Admin Credentials

The default admin credentials should be changed immediately:

1. Navigate to System → Access → Users
2. Click on the root user
3. Change the password to a strong passphrase
4. Consider creating a separate admin account and disabling root web access

Enable HTTPS and Configure Certificate

Ensure the web interface uses HTTPS with a valid certificate:

1. Navigate to System → Settings → Administration
2. Ensure Protocol is set to HTTPS
3. Generate or import a valid SSL/TLS certificate at System → Trust → Certificates
4. Select the certificate in the administration settings

Restrict Management Access

Limit web interface access to specific networks:

1. Go to System → Settings → Administration
2. Set "Listen Interfaces" to only management interfaces
3. Configure allowed IP addresses or networks
4. Disable web GUI access from WAN
5. Consider using a dedicated management VLAN

2. Firewall Rules Best Practices

Principle of Least Privilege

Apply the principle of least privilege to all firewall rules:

• Only allow necessary traffic
• Deny by default, allow by exception
• Use specific source and destination addresses
• Avoid "any to any" rules

Enable Logging

Enable logging on important rules for security monitoring:

• Log all deny rules for security analysis
• Log critical allow rules
• Review logs regularly using Firewall → Log Files → Live View
• Configure remote syslog for centralized logging

Rule Organization

Organize rules for optimal performance and security:

1. Place more specific rules at the top
2. Group related rules together
3. Use aliases for IP addresses and ports
4. Review and clean up unused rules regularly

3. Network Security Configuration

Configure VLANs

Segment your network using VLANs:

• Create separate VLANs for different security zones (DMZ, Guest, Internal, Management)
• Configure inter-VLAN firewall rules at Firewall → Rules
• Isolate untrusted networks from sensitive systems
• Navigate to Interfaces → Other Types → VLAN

Enable IDS/IPS with Suricata

OPNSense includes Suricata for intrusion detection and prevention:

1. Navigate to Services → Intrusion Detection
2. Enable IDS mode or IPS mode (blocking)
3. Select interfaces to protect (WAN and critical interfaces)
4. Enable appropriate rule sets (ET Open, Abuse.ch)
5. Configure update frequency for rule sets
6. Review and tune alerts to minimize false positives

NAT and Port Forwarding

Secure NAT and port forwarding:

• Navigate to Firewall → NAT → Port Forward
• Limit port forwards to specific source IPs when possible
• Use non-standard ports where appropriate
• Enable logging on NAT rules
• Regularly audit port forwards for necessity

4. Service Hardening

SSH Access

If SSH is required, secure it properly:

1. Navigate to System → Settings → Administration
2. Enable "Secure Shell" only if necessary
3. Change the SSH port from default (22)
4. Enable "Login Group" to restrict access
5. Configure "Permit Root Login" to "No"
6. Use key-based authentication when possible
7. Restrict SSH access via firewall rules

DNS Configuration

Configure DNS securely with Unbound:

• Navigate to Services → Unbound DNS → General
• Enable Unbound DNS resolver
• Enable DNSSEC validation
• Configure DNS over TLS for upstream queries
• Use reputable DNS servers (Cloudflare 1.1.1.1, Quad9 9.9.9.9)
• Enable query logging for security monitoring

NTP Configuration

Ensure accurate time synchronization:

1. Go to System → Settings → General
2. Configure multiple reliable NTP time servers
3. Set correct timezone
4. Enable "Prefer IPv4"

5. VPN Security

OpenVPN Configuration

Secure OpenVPN setup:

• Use certificate-based authentication
• Enable TLS authentication
• Use strong encryption (AES-256-GCM)
• Set appropriate DH parameters (2048-bit minimum)
• Configure client-specific overrides when needed
• Disable LZO compression (security risk)
• Navigate to VPN → OpenVPN

IPsec Configuration

For IPsec VPN tunnels:

• Use IKEv2 instead of IKEv1
• Use strong encryption (AES-256-GCM)
• Enable Perfect Forward Secrecy (PFS)
• Use certificate-based authentication when possible
• Set appropriate key lifetimes
• Navigate to VPN → IPsec

WireGuard (Modern Alternative)

OPNSense supports WireGuard for modern VPN deployments:

1. Navigate to VPN → WireGuard
2. Create server instance with generated keys
3. Configure client instances
4. WireGuard uses modern cryptography by default
5. Lighter weight and faster than OpenVPN

6. Monitoring and Maintenance

Regular Updates

Keep your system updated:

• Check for updates at System → Firmware → Updates
• Enable automatic update checks
• Subscribe to OPNSense security announcements
• Test updates in a non-production environment first
• Maintain configuration backups before updates

Backup Configuration

Regular backups are essential:

1. Navigate to System → Configuration → Backups
2. Download configuration regularly
3. Store backups securely offline
4. Encrypt backup files
5. Test restore procedures periodically
6. Consider automated backups to remote storage

Log Monitoring

Monitor logs for security events:

• Review firewall logs daily at Firewall → Log Files → Live View
• Monitor system logs for errors
• Check authentication logs for failed attempts
• Configure remote syslog at System → Settings → Logging
• Use log analysis tools for pattern detection

7. Additional Security Measures

Install Security Plugins

Consider these additional security plugins:

• os-acme-client - Let's Encrypt certificate automation
• os-maltrail - Malicious traffic detection
• os-nginx - Reverse proxy with WAF capabilities
• os-crowdsec - Collaborative security intelligence
• Navigate to System → Firmware → Plugins

Disable Unused Services

Reduce attack surface by disabling unnecessary services:

• Disable unused network interfaces
• Remove unnecessary plugins
• Disable unused protocols (RIP, OSPF if not needed)
• Turn off UPnP unless absolutely required

Enable Two-Factor Authentication

Add an extra layer of security:

1. Navigate to System → Access → Servers
2. Configure TOTP authentication server
3. Assign OTP server to users
4. Use Google Authenticator or similar app

8. Security Checklist

9. Additional Resources

• Official OPNSense Documentation
• OPNSense Community Forum
• OPNSense Support

Back to Home