In this chapter, we will learn more about system configuration and administration, adding users and groups, authenticating on LDAP servers, managing certificates, changing some advanced operating system settings, and how to back up all system configurations.
As we already learned, OPNsense is a complete security platform with a great framework to manage the operating system it runs on – FreeBSD. We will continue exploring WebGUI and learn how to perform some system administration tasks on it. We are going to create users, groups, and certificates, see the steps to add an external authentication server, change some system settings for testing, and perform backup and restore tests. In this chapter, we will look at the following topics:
To follow this chapter, you will need to have a basic knowledge of digital certificates and how they work, an understanding of user and group privileges, LDAP and SSH usage and configuration, and logging concepts, and a running OPNsense to practice the proposed exercises.
Before we can start managing users and groups, it's important to understand the least privilege principle. It states that a user should have only the privileges necessary to complete a task, so it isn't a good idea to make every firewall user an admin with full privileges, or to share the root password with many users. Both break the least privilege principle.
A better approach is to define profiles and apply these profiles to users so that unnecessary privileges for some users can be avoided. A good way to do this is by creating groups and assigning the required privileges to each one. After that, you can add new users or assign existing ones to each group based on the least privilege principle.
Let's see how to create users and groups, and assign privileges to them.
Users created in WebGUI can be used for authentication in services such as Captive Portal, the proxy, IPsec, and OpenVPN, and can also be used to log into OPNsense through the Command-Line Interface (CLI) or WebGUI.
The users can be managed using the System | Access | Users menu:
Some important properties are shown in the screenshot:
The following properties are depicted in the preceding screenshot:
Let's look at the user privileges.
User privileges apply to WebGUI and define what a specific user can do or see while using it.
After clicking on the pencil icon, a new page will show, as in the following screenshot:
Now that we have learned how to create and manage users, it's time to see how to group users.
To practice how to create a new user and assign WebGUI privileges, follow these steps:
Note that the new user only has access to the Dashboard screen. Now you can practice selecting other privileges.
Important Note
If you don't select any privileges, the user won't be able to log into WebGUI.
Groups, as the name suggests, help us to group users and apply privileges to them, instead of defining each one individually. As with user privileges, the privileges assigned to a group define which WebGUI pages its members can access.
To add a new group, go to System | Access | Groups as shown in the following screenshot and click on the + Add button:
The following are the options depicted in the preceding screenshot:
As usual, when you finish creating the group, just click on the Save button. As you can see in the following screenshot, the new group is listed as Normal group:
This means that it doesn't have privileges to all WebGUI pages, as the admins group does. We need to give some privileges to this new group, since it was created with no privileges assigned.
To assign privileges to a group, click on the pencil icon on the Groups page. On the group editor page, the Assigned Privileges option is now visible. Click on its pencil icon to assign group privileges:
In the system privileges, try selecting only All pages and click on the Save button; this will take you back to the group editor page. Click on Save again. As you can see in the following screenshot, the new group is now shown as Superuser group, because we selected the All pages option:
We just did this as an example to show the difference between a normal group and a superuser group. Now you can go back and edit your new group with the privileges you want.
We have learned how to manage users from the local database. Now, let's see how to use external authentication services.
Besides local database authentication, OPNsense also supports an external authentication backend, such as Microsoft Active Directory or OpenLDAP, for example. The currently supported protocols are RADIUS and LDAP. There is a special authentication backend that is only used for the Captive Portal service: Voucher Server, which we will explore in detail in Chapter 14, Captive Portal. You can combine these backends with a Time-Based One-Time Password (TOTP) using Google Authenticator, for example, to enable 2FA.
If you aren't familiar with any of these protocols, you might be asking, When do I need to use an external authentication backend? Let's start with one common example.
Try to imagine the following scenario: You need to set up a new VPN tunnel that will be used by one of your customers. The IT team told you that they need to provide secure access to employees – a few hundred. Most of them will work from home, but they already access all network resources using their Microsoft Active Directory credentials and this must work in the same way with the new VPN access. Is there another option other than using the authentication backend? If you thought to suggest importing all the users from the Microsoft Active Directory server, this may appear to help at first glance, but the credentials would not be synced with the privilege groups and the password changes will be forgotten about! So, think twice and don't say a single word. Just nod and say to the customer, Consider it done! How can you meet the client's needs? By using OPNsense with external authentication, of course!
So, for client-to-site tunnels, it helps a lot to use an external authentication service. In this way, IT support and administration teams without access to OPNsense can manage the users just by accessing the authentication server. Cool, huh? That means peace for you, and you'll save time because you don't have to deal with support tickets such as please change the password of so-and-so user.
Currently, the VPN services that can use external authentication on OPNsense are OpenVPN and IPsec. Other services that can use the external authentication backend are Captive Portal, the proxy, and some plugins such as NGINX as well.
You can also use external authentication to manage users that will be allowed to log into WebGUI and SSH with limited access.
To enable an external authentication server, go to System | Access | Servers and click on the + Add button.
The following fields will be available:
The following are the available LDAP options:
The extra options when using LDAP and time-based OTP are as follows:
The following are the available options for the RADIUS protocol:
Now we have explored how to manage users, groups, and authentication, it's time to look at digital certificates and how to use them in OPNsense.
OPNsense uses certificates to ensure secure communication between nodes in services such as OpenVPN and IPsec, and HTTP services such as Captive Portal, web proxies, and WebGUI.
The available types of certificates in OPNsense are the following:
We will dive into the entire process of creating and using certificates in Chapter 8, Virtual Private Networking.
Meanwhile, let's move on to learn how to configure the OPNsense general settings.
In the System | Settings menu, you will find several submenus that will allow you to configure some settings in OPNsense. Let's go through them one by one. To access each one, access System | Settings | <Submenu's name> as follows.
On this page, we will find options related to accessing OPNsense and administration such as WebGUI and SSH configuration and authentication options.
The following options are available in WebGUI:
Note
To learn more about HSTS, please refer to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security.
Note
In older OPNsense versions (up to 21.7), the default log format was the circular log (clog), which changes how the logs are read from the CLI:
Ex.: clog -f /var/log/lighttpd.log
Nowadays, it is common to read in cybersecurity news about flaws in web-based management interfaces that allow attackers to gain privileged access to them, so I would advise you – even with the excellent security history of the OPNsense project – to avoid allowing WebGUI to be accessed from the internet (WAN interfaces). This could expose your firewall unnecessarily. Always prefer to use a VPN or limit the source IP in a firewall rule.
Another relevant topic is the default ports used by WebGUI: TCP/80 for HTTP and TCP/443 for HTTPS (HTTP/3 uses UDP instead). These are also the usual ports of web servers that might be protected by OPNsense, so, to avoid port conflicts, change the WebGUI default port and disable the HTTP redirect. Let's now learn how to enable CLI remote access using the Secure Shell protocol.
The SSH protocol is very popular, useful, and secure and it is the way to access the OPNsense CLI remotely. The available options to configure are the following:
The following are the available options on the Console access page:
Important Note
If you select an option that isn't supported by the hardware on which OPNsense is installed, you could lose console access.
The authentication options are as follows:
On the System | Settings | Administration page, we can define how to connect to OPNsense to manage it, whether via the CLI, console, or WebGUI. Next, we will explore the General page options.
To access it, go to System | Settings | General. On this page, we can configure some basic system and network settings. Let's explore each of these.
The system options are the following:
The following are the networking options:
Important Note
If you have multiple WANs configured and use the ISPs' DNS servers, select the respective ISP gateway for each DNS server. This avoids resolution requests leaving through another ISP and being blocked by the destination DNS server.
Let's now discuss the logging process in OPNsense.
OPNsense inherits the circular logging format from pfSense. This means that the logs have a predefined size and never exceed it. This can be good when you need to keep small logs but isn't suitable when you want a longer event history in each log file. This applies only to the core log files; log files from plugins don't use the circular logging approach. Later in this chapter, we will see how to read circular logs in the CLI. In WebGUI, the visualization doesn't differ from regular log files.
Since version 20.7 of OPNsense, it is possible to disable the circular logs. By doing that, the one-file-per-day approach will be used for log file rotation. Let's see how to configure this and other logging options in OPNsense.
Go to System | Settings | Logging to open the log settings page:
The options in the log settings page are as follows:
Note – Disabling the Circular Log
If you disable the circular log, pay attention to the size of your log files. They can become very large and then occupy the entire OPNsense disk. The size of log files can vary depending on the volume of traffic OPNsense is processing.
Let's now look at the remote logging options.
Remote logging is very useful when we want to preserve log entries, whether from losing them in a disk crash or from a system compromise due to a cyberattack. It is a good practice to enable remote logging on all managed hosts and send the log entries to a system that will process each log entry. For example, at Cloudfence, our SOC analyzes all log entries using a Security Information and Event Management (SIEM) system that helps us to detect and respond to threats. We can do that thanks to the remote logging feature present in OPNsense, protecting dozens of networks. If you are curious which system we are using to do that, look at the Wazuh project: https://www.wazuh.com. Another good option is to send logs to the ELK Stack, with which you can create nice dashboards. You can learn more about it by visiting https://www.elastic.co. If you need help sending logs from OPNsense to the ELK Stack, look at Fabian Franz's repository on GitHub: https://github.com/fabianfrz/opnsense-logstash-config.
Now that I think you are convinced that enabling remote logging is a good idea, let's move on and see how to do that. Go to System | Settings | Logging / targets and click on the + icon to add a new syslog server, also called a target here:
A new page will appear with details that must be filled in to configure the remote logging target as shown in the following screenshot:
Before detailing each field, it is important to say that we will not cover here how to set up and configure a remote logging server, but you can do that using a syslog server such as syslog-ng, Graylog, or any other syslog-compatible server; a quick web search for syslog servers will turn up many options. OPNsense uses the syslog-ng server to send remote events using the syslog standard. At https://en.wikipedia.org/wiki/Syslog-ng, you will find explanations of the terms used in syslog message logging, such as facility, severity, or level. If you don't know anything about syslog messages, then I recommend you spend some time reading about this before continuing.
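The facility and severity terms mentioned above are encoded together in the PRI value at the start of every syslog message (PRI = facility * 8 + severity). The following parser, added here as an example and not part of the original chapter or of OPNsense, decodes that value for both RFC 5424 and BSD-style (RFC 3164) lines and filters the records a receiving system would want to escalate; the sample lines are constructed, not real OPNsense output.

```python
import re
from typing import Optional, Tuple

# Standard syslog facility and severity names; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$")
# RFC 3164 (BSD): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^\[:]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a PRI value into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog(line: str) -> Optional[dict]:
    """Parse one syslog line (RFC 5424 or RFC 3164); return None if malformed."""
    m = RFC5424_RE.match(line) or RFC3164_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    return {"facility": facility, "severity": severity, "host": m.group("host"),
            "app": m.group("app").strip(), "msg": m.group("msg")}


def at_or_above(records, threshold: str):
    """Records whose severity is at least `threshold` (lower index = more severe)."""
    limit = SEVERITIES.index(threshold)
    return [r for r in records if SEVERITIES.index(r["severity"]) <= limit]


# Constructed sample lines (not real OPNsense output) in both formats.
SAMPLE = [
    "<37>1 2021-06-05T10:15:01+00:00 fw01 sshd 1234 - - Failed password for root from 203.0.113.9",
    "<38>1 2021-06-05T10:15:02+00:00 fw01 sshd 1234 - - Accepted publickey for admin from 192.0.2.7",
    "<29>Jun  5 10:15:03 fw01 lighttpd[5678]: server started",
    "<10>Jun  5 10:15:04 fw01 kernel: swap_pager: out of swap space",
    "not a syslog line",
]


def sample_report():
    """Parse the sample, dropping malformed lines, and pick out 'err' or worse."""
    records = [r for r in (parse_syslog(line) for line in SAMPLE) if r]
    return records, at_or_above(records, "err")
```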
The following are the fields present in the preceding screenshot:
Lastly, before we move on from the logging topic, let's look at the log visualization options available in the System | Log Files menu:
You can always read the log files presented in this chapter from the CLI with the clog command while circular logs are enabled; if they're disabled, use tail instead.
An example of reading system.log from the CLI is shown here.
With circular logs disabled, the system log for a given day (here, June 5, 2021) can be followed using the following command:
tail -f /var/log/system/system_20210605.log
Likewise, the current day's OpenVPN log can be followed by building the file name from today's date:
tail -f /var/log/openvpn/openvpn_$(date +%Y%m%d).log
With circular logs enabled, replace tail -f with clog -f, as in the lighttpd example shown earlier in this chapter.
Now that we have explored the OPNsense general settings and logging, we are ready to learn about advanced settings available in WebGUI.
OPNsense's WebGUI is a powerful management interface that allows us to configure even the most advanced features available in the FreeBSD operating system. Let's explore them and learn how to optimize and customize our firewall with available advanced options.
In this topic, we will explore two menu options: System | Settings | Miscellaneous and System | Settings | Tunables. Let's start with the first one.
On the Miscellaneous page, we will find options related to hardware, system file backups, disk and memory settings, and the hardware buzzer control when it is present on the hardware.
There are the following cryptography options:
Hardware requirements: this option loads the driver used to read the CPU's temperature. For Intel CPUs, select Intel Core CPU on-die thermal sensor (coretemp). If the CPU is an AMD, select AMD K8, K10 and K11 CPU on-die thermal sensor (amdtemp). Otherwise, leave the default None/ACPI option, and the operating system will try to read the temperature from the motherboard sensor if it has Advanced Configuration and Power Interface (ACPI) support.
In the following options, you can select how often you want OPNsense to back up the data to be restored at the next boot. These options are especially useful when OPNsense is running from a nano image that keeps volatile data only in RAM, or when the power is cut off and data not yet saved to disk would be lost:
The power saving options are related to power control. There are three options, each one representing a power source: on AC, on Battery, and on Normal. The last one is used when the power control can't determine whether the power source is connected.
The power modes are as follows:
The following are the options available in the disk/memory settings:
Startup/Shutdown Sound - Disable the startup/shutdown beep: Check this if you no longer want to hear the sound played when OPNsense finishes the boot or when it starts the shutdown process.
Let's move on to the System | Settings | Tunables page to have a brief introduction to what we can set for the FreeBSD low-level settings.
When FreeBSD boots into multi-user mode, which is the default mode for OPNsense, it reads a configuration file, /etc/sysctl.conf, and there we can set a lot of low-level settings that allow us to tweak the entire system behavior.
The OPNsense default configuration brings a lot of sysctl settings, or tunables as we will call them here. These tunables can configure settings such as network card driver options, TCP/IP protocol stack behavior, and so on. To get a complete list, you can run the sysctl -a command in the CLI.
Tunables Important Note
Only change settings on the Tunables page if you really know what you are doing. Common examples of changing tunable settings are recommended settings for specific hardware drivers, such as network interfaces or a network performance tweak. It is recommended that an experienced FreeBSD professional handles these settings.
If you want to learn more about FreeBSD sysctl and other advanced configurations, I recommend you look at Packt's available FreeBSD books.
OPNsense saves all the configuration settings in an XML file, /conf/config.xml, and it is extremely important to save it in a safe place that will allow you to restore this configuration if it is necessary.
OPNsense offers some embedded options to save this configuration to external cloud drives such as Google Drive and Nextcloud (using an additional plugin). This book will not cover how to configure cloud backups, but you can find information at https://docs.opnsense.org/manual/how-tos/cloud_backup.html. Some plugins can help with this task as well; check out the OPNsense plugins list at System | Firmware | Plugins.
To back up your system configuration files, you can go to System | Configuration | Backups.
Click on the Download configuration button to download the configuration file to your computer's local disk. Check Encrypt this configuration file. if you want to encrypt it. Doing that requires you to type a password twice: fill in the Password and Confirmation textboxes.
Restoring the file is quite simple. On the same page, you will find the Restore options. Click on the Choose File button, choose the backup config.xml file on your computer, and then click on the Restore configuration button. A system reboot is recommended, so you can leave the Reboot after a successful restore. option checked. If you saved this configuration file using encryption, then you need to check the Configuration file is encrypted. option and type the password used while backing up this configuration.
In the Restore area option, you can select which parts of the configuration you want to restore. If you need a full restore, just leave it at the default option: ALL.
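A downloaded config.xml is also a convenient place to audit the least privilege principle from the users and groups section, since it records each user's direct privileges and group memberships. The script below is an added example, not part of the chapter or of OPNsense; the XML layout (users and groups under <system>, privileges in <priv> elements, group members referenced by uid, and page-all as the "All pages" privilege) and the sample file are assumptions constructed for this illustration, so adjust the tags if your file differs.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml excerpt (assumed layout, not copied from a real backup).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <system>
    <user><name>root</name><uid>0</uid><scope>system</scope>
      <priv>page-all</priv><groupname>admins</groupname></user>
    <user><name>netops</name><uid>2001</uid><scope>user</scope>
      <priv>page-dashboard-widgets</priv><groupname>operators</groupname></user>
    <user><name>helpdesk</name><uid>2002</uid><scope>user</scope>
      <groupname>admins</groupname></user>
    <user><name>svc-vpn</name><uid>2003</uid><scope>user</scope></user>
    <group><name>admins</name><gid>1999</gid><scope>system</scope>
      <priv>page-all</priv><member>0</member><member>2002</member></group>
    <group><name>operators</name><gid>2000</gid><scope>user</scope>
      <priv>page-dashboard-widgets</priv><priv>page-diagnostics-logs</priv>
      <member>2001</member></group>
  </system>
</opnsense>"""

# Assumed identifier of the "All pages" (superuser) privilege.
SUPERUSER_PRIV = "page-all"


def effective_privileges(xml_text: str) -> dict:
    """Map each user name to the privileges it holds directly or via its groups."""
    system = ET.fromstring(xml_text).find("system")
    inherited = {}  # uid -> privileges granted through group membership
    for group in system.findall("group"):
        privs = {p.text for p in group.findall("priv")}
        for member in group.findall("member"):
            inherited.setdefault(member.text, set()).update(privs)
    result = {}
    for user in system.findall("user"):
        privs = {p.text for p in user.findall("priv")}
        privs |= inherited.get(user.findtext("uid"), set())
        result[user.findtext("name")] = privs
    return result


def audit(xml_text: str) -> dict:
    """Report superusers (review them) and users with no WebGUI privilege at all."""
    eff = effective_privileges(xml_text)
    return {
        "superusers": sorted(n for n, p in eff.items() if SUPERUSER_PRIV in p),
        "no_webgui_access": sorted(n for n, p in eff.items() if not p),
    }
```

Note that helpdesk is reported as a superuser even though it has no direct privilege: membership in a superuser group is enough, which is why group privileges deserve the same review as user privileges.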
Another very useful backup and restore feature is the configuration history. To use it, go to System | Configuration | History:
This page contains the last 100 configuration file versions. It can save you when you have made a change by mistake and need to restore the configuration quickly. To restore, just go to the line before your modification and click on the restore icon button (the first icon). It restores the configuration without a reboot. Very nice, huh? I'm sure that this feature has saved a lot of jobs!
The other two icons are to delete the configuration version (the trashcan, the second icon) or to download it (the third icon).
You can also view the differences between two configuration versions on this page. To do that, just select the two versions you want to compare and then click on the View differences button.
In this chapter, we've learned how to configure the OPNsense system settings, create users and groups, and back up the system configuration. You are now able to change OPNsense settings, add users and groups with different levels of privileges, enable external authentication for remote users, and change low-level settings using tunables. And you can make all these system modifications with confidence by taking a system backup before applying changes.
In the next chapter, we will dive into firewalling concepts and features available on OPNsense. We will learn how to manage rules, change firewall settings when necessary, and troubleshoot common issues using diagnostic tools and logs.