Instead of exposing my home IP Address to the world for some of the services I host I decided it was best to use a cloud provider to reverse proxy the requests back from the cloud provider to my home lab over VPN.
In this post I’ll detail setting up the site to site vpn connection from my home to the cloud and back with Wireguard, as well as share the HA Proxy configuration I have with OPNSense.
##Deployment of OPNSense on DigitalOcean Droplet
OPNSense Firewall is not one of Digital Oceans supported images, so I was required to upload my own .img file to Digital Ocean for OPNSense to work/install.
The installer ended up being an .img file because when I attempted to load the .iso file the boot failed and there appeared to be a corrupt ISO or lack of support from DO on the ISO.
Either way FreeBSD was not having it with the Droplet upon install.
Below is an issue I encountered with the installer uploading and attempting to install the .img file on the Droplet (note the console needed to be used).
Basically what was happening is that OPNSense was running in RAM, and wasn’t able to be installed on any of the hdd’s.
I had to go through a couple installs to confirm the configuration was working properly and firewall changes were written to disk and persistent after reboot.
Essentially what needs to happen is all the disks need to be deleted and root needs to be remounted.
Below is the process:
Go back to the DigitalOcean interface, select the droplet and open the console window to complete the deployment process.
- Press ENTER to accept the copyright notice after the installer starts.
- Now select ‘Install’.
- Then choose ‘»> Continue with default keymap’.
- Also, choose ‘Manual’.
- Delete all listed EXCEPT for vtbd0, vtbd0s2 and vtbd0s2a.
- Select “vtbd0” and hit “C,” then click “OK.”
- Choose vtbd0s1 and then hit “C”.
- Now change the mount point to “/” and select ‘OK’.
- Select ‘Finish’
- Then select ‘Commit’
- Finally, select “No” and “Reboot after the installation is finished.”
Interface/Wireguard Configuration
As a note everything is blocked in the firewall by default and on first boot interfaces must be configured.
(Firewall rules must be added for access to work.)
To access the web gui I ended up just running pfctl -d from the Digital Ocean console and then just used the webgui on port 80 with the WAN IP Address.
(pfctl -d just disables the firewall all together, definitely not safe in production)
After logging in to the webgui, I changed the root pw and configured my interfaces.
- WAN
- LAN (some Digital Ocean LAN network which I disabled)
After these were configured I updated and added the wireguard package.
From there I followed the OPNSense Guide on Site-to-Site VPN.
For this specific config I used port 51820.
This meant I had to open the ports (allow traffic) on the WAN interface of both WAN Interfaces.
Step 1 - Installation
Install the plugin as usual, refresh and page and the you will find the client via VPN ‣ WireGuard.
Step 2 - Setup WireGuard
Go to tab Local and create a new instance. Give it a Name and set a desired Listen Port. If you have more than one service instance be aware that you can use the Listen Port only once. For Tunnel Address choose a new virtual network to run communication over it, just like with OpenVPN or GRE (e.g. 192.168.0.1/24). Peers can not be chosen yet since we have not created them yet. After hitting Save changes you can reopen the newly created instance, write down your new public key and give it to the other side.
When this VPN is set up on OPNsense only do the same on the second machine and exchange the public keys. Now go to tab Endpoints and add the remote site, give it a Name, insert the Public Key and the Allowed IPs e.g. 192.168.0.2/32, 10.10.10.0/24. This will set the remote tunnel IP address (/32 is important when using multiple endpoints) and route 10.10.10.0/24 via the tunnel. Endpoint Address is the public IP of the remote site and you can also set optionally the Endpoint Port, now hit Save changes.
Go back to tab Local, open the instance and choose the newly created endpoint in Peers.
Now we can Enable the VPN in tab General and go on with the setup.
Step 3 - Setup Firewall
On Firewall ‣ Rules add a new rule on your WAN interface allowing the port you set in your instance (Protocol UDP). You also have a new interface Wireguard in rules, where you can set granular rules on connections inside your tunnel.
Your tunnel is now up and running.
Step 4 - Routing networks
If you want to route your internal networks via this VPN just add the network in the field Allowed IPs in Endpoints tab (e.g. 10.0.1.0/24).
###After following the guide I was pretty well setup with my site to site vpn. Below I have a “table” of the configuration
Configuration on Digital Ocean OPNSense Firewall:
Local Tab:
Name:
- SiteVPN
Interface:
- wg1
Tunnel Address:
- 192.168.1.2/24
Port:
- 51820
Endpoints:
- Homelab
Endpoints Tab:
Name
- Homelab
Endpoint Address
- my.ip.addr.here
Endpoint Port:
- 51820
Allowed IPs
- 192.168.1.1/24,10.0.0.0/8,172.16.0.0/12
Then on the local I configured basically the same with the Tunnel Address changed to: “192.168.1.1/24” and I only allowed “192.168.1.2/24” through the firewall.
After this configuraion was complete I was able to connect back and forth from my Digital Ocean droplet to the rest of my environment meaning I could point DNS on the Digital Ocean Droplet to the DNS Server in my homelab environment.
Configuring HAProxy
After Site-to-Site VPN was configured, setting UP HAProxy was relatively easy.
I created the real servers on the DO OPNSense to point back to servers on the 10.0.0.0/8 network in my homelab, the conditions and rules to match hostnames, and I created the frontend server to serve the requests.
The most annoying part was repointing DNS via Route53, and then pulling down another certificate with the ACME Client Plugin and even this was a short step.
Looking Back:
I probably could have done this with IPTables and an Ubuntu Image with HAProxy and Wireguard Installed, but that’s a post for a different time.