After migrating to OPNsense from pfSense, I have been discovering numerous features that I never knew existed in OPNsense. These little features are what make me have zero regrets for switching to OPNsense. Today we will look at the various options for backing up configuration changes. After all, backups should be high on the priority list after first setting up OPNsense.
Nextcloud Backup
This is one of my favorite features of Nextcloud that was missing from pfSense. The ability to back up one open-source software to another just makes my day! It’s as easy as entering my Nextcloud credentials and specifying the backup location.
Manual Backup
Manual backups are a quick and easy way to take a configuration backup. I generally use this if/when I need to rebuild my entire network/homelab from scratch (if/when my Nextcloud is not available to be backed up to).
Google Drive Backup
I won’t discuss much about this here since I’m not a fan of Google Drive for privacy reasons, but if you are, you can feel somewhat confident that your configuration that is saved on Google Drive is safe because it can be encrypted.
OPNsense is designed with security in mind, but there are some security settings which are not enabled by default – one of them being Two-Factor Authentication (2FA). I am a big fan of 2FA since it is a simple step that significantly enhances the ‘security at the front door’ (Don’t forget security at the back door though! – access via SSH does not have 2FA enabled, so enforcing an SSH certificate is recommended – more on this in a later post).
Why 2FA
In my opinion, 2FA is probably the best bang for the buck when it comes to adding security to an application/service. It is usually easy to implement, requires minimal effort to use, and arguably enhances security by a factor of 100%. Just do it and don’t look back, you won’t regret enabling/using it.
Setup 2FA
Enabling 2FA is pretty simple in OPNSense. Simply:
In OPNsense, navigate to System > Access > Servers, or simply search for servers in the search bar.
Click the Add button
Give the Authentication server a name, in my case I’ll call it ‘Password + TOTP’
Change the type to Local + Timebased One Time Password
All the other defaults should be fine.
Save the changes.
Navigate to System > Access > Users and click the pencil icon to modify your user
Look for OTP seed and click Generate new secret (160 bit)
Click Save
Now under the OTP seed setting there should be a button that says Click to unhide. Clicking this button will display a QR Code that can be used to set up your favorite TOTP (Time based One Time Password) app. My favorite is OTP Auth. Simply scan the QR Code using the app and you should immediately see the 2FA code displayed for 30 seconds at a time.
Test 2FA
Before enabling 2FA you will want to test it to make sure your code is working. To do so:
Navigate to System > Access > Tester
Select your new Authentication Server from the dropdown, enter your username and password.
Add your TOTP code to the FRONT of your password (You may be used to entering the TOTP code in a separate input box, but OPNsense combines the password with the TOTP code).
If set up correctly, OPNsense should display a success message.
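The combined-field login from the steps above, as an added example that is not part of the original post and is not OPNsense's own code: a standard RFC 6238 TOTP generator plus a hypothetical verifier that splits the leading token from the password. The 6-digit token length, HMAC-SHA1, the one-step drift window, and the sample seed and password are assumptions.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid, as described above
DIGITS = 6   # assumed token length


def totp(secret_b32: str, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def build_login(token: str, password: str) -> str:
    """What the user types into the single password field: token first."""
    return token + password


def verify_login(submitted: str, secret_b32: str, password: str,
                 unix_time: int, window: int = 1) -> bool:
    """Hypothetical verifier: split the leading token off, check both parts."""
    token, candidate = submitted[:DIGITS], submitted[DIGITS:]
    if len(token) != DIGITS or not token.isdigit():
        return False
    # A real system compares against a stored password hash, not plaintext.
    password_ok = hmac.compare_digest(candidate.encode(), password.encode())
    # Accept adjacent time steps to tolerate small clock drift.
    token_ok = any(
        hmac.compare_digest(token, totp(secret_b32, unix_time + d * STEP))
        for d in range(-window, window + 1)
    )
    return password_ok and token_ok


# Constructed sample data: the 160-bit RFC 6238 test seed, a made-up password.
SEED_B32 = base64.b32encode(b"12345678901234567890").decode()
PASSWORD = "correct horse"

if __name__ == "__main__":
    now = 59
    login = build_login(totp(SEED_B32, now), PASSWORD)
    print(login, verify_login(login, SEED_B32, PASSWORD, now))
```

Entering the password first and the token last fails the split, which is the usual reason a first test in the Tester page is rejected.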
Enable 2FA
Now that you have set up and tested 2FA, you should be able to enable it:
Navigate to System > Settings > Administration
Scroll to the bottom and change the Authentication Server to your new server (in my case: Password + TOTP)
Note: You should disable/unselect the other Local Database server to prevent logins without using 2FA.
Test your code by trying to log out of and log back into OPNsense
Note: this would be a good time to take a snapshot or a backup of OPNsense if you have a means of doing so – just in case you can’t get back in! (In my case I can take a simple Proxmox snapshot)
Bask in your vastly improved security!
Optionally make sure a certificate is required via ssh login (or disable ssh login completely) since ssh login does not support 2FA.
After migrating to OPNsense I’ve really been impressed with its improvements over pfSense in various areas. I will repeat that I have nothing against pfSense, but OPNsense continues to surprise me the more I poke around and discover some of its unique features. Today we will take a quick look at one of my favorite features of OPNsense: the Search Bar!
There’s not much to talk about other than the fact that it is super useful for finding some of those hidden menu items.
No more spending minutes trying to browse the menus for that one page you remember seeing but cannot seem to find anymore.
No more having to search the pfSense documentation or forum for finding the location of a specific setting.
Fuzzy Searching Works:
Limitations
One limitation is that individual settings are not displayed (only settings ‘pages’ are)
For example, searching for Hardware acceleration does not reveal the System > Settings > Miscellaneous page.
I’ve been happily using pfSense for a few years now and have generally been quite happy with its performance and feature set, however I learned recently that the installation files that can be downloaded from the pfSense website are not the same code that is open sourced on GitHub. I try to stay away from the arguments about which software is ‘more’ open source friendly, but I do like to support the projects that are committed to a FOSS (Free and Open Source) model without up-selling additional features. I don’t have anything against up-selling additional features, but IMO up-selling additional features can lead to a neglected core product.
pfSense – Thank You
I am not leaving pfSense because I didn’t like the project, but because I wanted to try something new that is more committed to an Open Source future. pfSense is a great solution for any networking enthusiast, and I would not hesitate to recommend it. However, as you will see below, I would first recommend OPNsense for a few main reasons…
Full-featured email notifications (pfSense had some email notifications but they were severely limited)
I’ve always wondered about OPNsense and if it could offer some of the things I often wanted in pfSense but could not easily achieve, and so far I have been very pleasantly pleased with the installation & configuration.
Installation
Installation was straightforward (although I installed it in a Proxmox VM):
Download ISO from OPNsense website & upload ISO to Proxmox server
Finish the rest of the configuration in the OPNsense web GUI (Default user/password: root/opnsense)
Migrating from pfSense
The most daunting task that I was dreading was figuring out how to migrate to OPNsense from pfSense with minimal downtime. I had heard of a slight possibility that certain sections of pfSense configuration backups could be imported into OPNsense, but I decided to avoid that route in order to start with as clean of an OPNsense installation as possible. My migration path was:
Step through each menu in pfSense and update the corresponding setting in OPNsense
Some configuration items didn’t exist like the awesome pfBlocker (I will miss this)
When I came to the ‘Interfaces’ section, I set up each interface with a different (temporary) static IP
After all configuration items were finished, I began to shut down services on pfSense and enable them on OPNsense one at a time (i.e., disable DHCP on LAN, and enable LAN DHCP on OPNsense with the same lease range)
Finally I disabled the interfaces on pfSense and re-configured the static IP addresses on the OPNsense interfaces to match how they were configured in pfSense.
The Features I’ve Always Wanted!
Full-featured Email Notifications, Reporting, Settings Search, Home Assistant Integration…