Amazon Web Services (AWS) is the world's most comprehensive and widely adopted cloud platform, offering over 200 fully featured services from data centers worldwide. Millions of customers, including startups, enterprises, and government agencies, use AWS to reduce costs, become more agile, and innovate more quickly. Gartner Research has placed Amazon Web Services in the Leaders quadrant of the 2021 Magic Quadrant for Cloud Infrastructure & Platform Services (CIPS).
OPNsense is the fastest-growing open-source firewall and routing platform with an Open Source Initiative (OSI) certified 2-clause or simplified BSD license. It has a comprehensive feature set that includes everything from a router/firewall to integrated intrusion detection and prevention.
Modularization, multi-language support, hardened security, simple and reliable firmware upgrades, rapid adoption of upstream software updates, and a large and welcoming community are all hallmarks of the project. Although it is commonly referred to as a traditional packet filtering firewall, OPNsense powered by the Zenarmor plugin provides next-generation firewall capabilities and is being widely deployed in enterprise networks. There is an officially supported OPNsense image for Amazon Cloud. There is no publicly available OPNsense image on the Google Cloud Platform, but you can still create and launch an OPNsense instance from your Google Cloud console.
An OPNsense instance on AWS provides the following features:
- Stateful inspection firewall with extensive routing functions, including OSPF, BGP, and many other dynamic protocols.
- OpenVPN, IPsec, and WireGuard, well-known VPN technologies that help secure your cloud architecture.
- Inline intrusion detection and prevention with Proofpoint's high-quality rulesets (ET Open, ET Pro [Telemetry], depending on license).
In this article, we walk through the 9 steps for installing an OPNsense firewall on AWS Cloud. This allows you to establish a powerful firewall on AWS Cloud that can also serve as a VPN server. After installing your OPNsense instance, you can install either the WireGuard or the OpenVPN service on it as you wish.
Best Practice
You can quickly install Zenarmor NGFW Plug-in on your OPNsense VPN server running on AWS to protect remote employees from cyber threats.
Zenarmor NGFW Plug-in for OPNsense is one of the most popular OPNsense plug-ins and allows you to easily upgrade your firewall to a Next Generation Firewall in seconds. NG Firewalls empower you to combat modern-day cyber attacks that are becoming more sophisticated every day.
Some of the capabilities are layer-7 application/user aware blocking, granular filtering policies, commercial-grade web filtering utilizing cloud-delivered AI-based Threat Intelligence, parental controls, and the industry's best network analytics and reporting.
Zenarmor Free Edition is available at no cost for all OPNsense users.
Cost of OPNsense on AWS
In the AWS Cloud, an instance is a virtual server. An Amazon Machine Image (AMI) is used to start an instance. Your instance's operating system, application server, and applications are all provided by the AMI.
The AWS Free Tier allows you to get started with Amazon EC2 for free when you sign up for AWS. You can launch and use a t2.micro instance for free for 12 months if you select the free tier (in Regions where t2.micro is unavailable, you can use a t3.micro instance under the free tier). If you launch an instance that isn't in the free tier, you'll have to pay the usual Amazon EC2 usage fees.
OPNsense EC2 image is available in AWS Marketplace for a free trial from Deciso Sales B.V. This product is available for a 30-day trial period. There will be no software fees for that unit, but there will be AWS infrastructure fees. Depending on your setup selections, infrastructure fees will be incurred. When your free trial period ends, it will automatically convert to a paid subscription, and you will be charged for any subsequent usage above the free units you were given.
OPNsense instances on AWS can optionally be upgraded to the Business Edition by purchasing a separate license from shop.opnsense.com. Volume discounts are also available.
Deploying OPNsense on AWS
The launch instance wizard can be used to start an OPNsense instance on AWS. The instance launch wizard specifies all of the launch parameters required to launch the instance. When the launch instance wizard offers a default value, you can accept it or enter your own. To launch an instance, you must first choose an AMI and a key pair.
To install an OPNsense instance on AWS, you may follow the steps explained below.
Step 1 - Select OPNsense AMI
To select the OPNsense AMI, follow the steps below:
1. Go to the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. Click Launch instance in your EC2 view to start a new instance. This redirects you to the Choose an Amazon Machine Image (AMI) page.
Figure 1. Launch new instance on AWS
3. Type opnsense in the search bar.
4. Click AWS Marketplace on the left sidebar.
5. Select the OPNsense® Firewall/Router/VPN/IDPS image sold by Deciso Sales B.V.
Figure 2. Selecting OPNsense AMI
6. A dialog box showing Product Details and Pricing Details appears. Click Continue at its bottom right. This takes you to the Choose an Instance Type page.
Figure 3. Product and Pricing Details of OPNsense AWS Instance
Step 2: Choose an Instance Type
Amazon EC2 offers a diverse set of instance types that are tailored to specific use cases. Instances are virtual servers on which applications can be run. They have varying combinations of CPU, memory, storage, and networking capacity, giving you the freedom to select the best resource mix for your applications.
You can select the hardware configuration and size of the OPNsense instance to launch on the Choose an Instance Type page. Though Deciso recommends using an m4.large instance (or larger) for the best experience with OPNsense, you can select t2.micro (- ECUs, 1 vCPUs, 2.5 GHz, -, 1 GiB memory, EBS only) to remain eligible for the free tier for your trial.
To choose the instance type, follow the next steps:
1. Select t2.micro or m4.large, depending on your requirements, by clicking the check box in the first column.
2. Click Next: Configure Instance Details to configure your instance further.
Figure 4. Selecting Instance Type
Step 3: Configure Instance Details
On the Configure Instance Details page, you can configure the OPNsense instance to meet your needs. You can launch multiple instances from the same AMI, request Spot instances to benefit from lower pricing, assign an access management role to the instance, and more.
By default, a network is assigned which is accessible from an external IPv4 address.
You can change the instance settings by following the next steps:
1. Leave all options at their defaults or change the settings depending on your requirements.
2. Click Next: Add Storage.
Figure 5. Configure Instance Details
Step 4 - Add Storage
Your instance will be launched with the storage device settings listed on this page. You can add more EBS volumes and instance store volumes to your instance, as well as change the root volume's settings. After launching an instance, you can also attach additional EBS volumes, but not instance store volumes.
To configure the OPNsense instance storage, follow the next steps:
1. Set the Size, such as 30.
2. Select the Volume Type. Free tier eligible customers can get up to 30 GB of EBS General Purpose (SSD) or Magnetic storage.
3. You may select Delete on Termination to delete the volume when the instance is terminated.
4. Click Next: Add Tags.
Figure 6. Add Storage
Step 5 - Add Tags
On the Add Tags page, you may optionally enter key and value combinations to specify tags. You have the option of tagging the instance, the volumes, or both. To add a tag, follow the steps below:
1. Click the Add Tag button.
2. Specify Key, such as Name.
3. Specify Value, such as OPNsense.
4. To add more than one tag to your resources, select Add another tag.
5. When you're finished, click Next: Configure Security Group.
Figure 7. Add Tags
Step 6 - Configure security group
A security group is a collection of firewall rules that govern the traffic to and from your instance. You can add rules on this page to allow specific traffic to reach your instance. To configure the security group, follow the step listed below:
1. Leave all settings at their defaults and then click Review and Launch.
Warning
Rules that allow all IP addresses (0.0.0.0/0) to connect to your instance via SSH and HTTP(S) are fine for this short exercise but are dangerous in production environments. Only a specific IP address or range of IP addresses should be allowed to access your instance.
Figure 8. Configure Security Group for OPNsense instance on AWS
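As an added example (not part of the original article or of any AWS or OPNsense tooling), the following Python script audits the inbound rules of a security group for the exact weakness the warning above describes: SSH or HTTP(S) admitted from 0.0.0.0/0 or ::/0. It works on a constructed JSON document shaped like `aws ec2 describe-security-groups` output (the group id `sg-EXAMPLE` and the CIDRs are placeholders), reports the offending rules, and produces a tightened copy in which only an administrator CIDR may reach the admin ports. Rules that must stay world-open, such as the WireGuard listener that remote employees connect to, are left untouched.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups`
# output: the wizard defaults the warning is about, with SSH and HTTP(S)
# open to every address. The group id is a placeholder, not a real one.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-EXAMPLE",
        "GroupName": "opnsense-wizard-default",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            # WireGuard listener: remote users connect from anywhere, so a
            # world-open UDP rule here is expected and must be kept.
            {"IpProtocol": "udp", "FromPort": 51820, "ToPort": 51820,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    }]
})

# Ports used to administer the instance: SSH and the OPNsense web UI.
ADMIN_PORTS = (22, 80, 443)


def _is_world(cidr):
    """True for 0.0.0.0/0 and ::/0, i.e. any prefix of length zero."""
    return ipaddress.ip_network(cidr).prefixlen == 0


def _covers_port(perm, port):
    """Does this inbound permission admit TCP traffic to `port`?"""
    proto = perm["IpProtocol"]
    if proto == "-1":        # "All traffic" rule: every port, every protocol
        return True
    if proto != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def find_world_open_admin_rules(permissions):
    """Return (port, cidr) pairs for every admin port reachable from the world."""
    findings = []
    for perm in permissions:
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in ranges:
            if not _is_world(cidr):
                continue
            for port in ADMIN_PORTS:
                if _covers_port(perm, port):
                    findings.append((port, cidr))
    return findings


def audit(describe_json):
    """Audit every group in describe-security-groups output.
    Returns {GroupId: [(port, cidr), ...]} for groups with findings."""
    report = {}
    for sg in json.loads(describe_json)["SecurityGroups"]:
        findings = find_world_open_admin_rules(sg["IpPermissions"])
        if findings:
            report[sg["GroupId"]] = findings
    return report


def tightened_permissions(permissions, admin_cidr):
    """Copy of `permissions` in which every rule that exposes an admin port
    to the world is re-scoped to `admin_cidr`; all other rules are unchanged."""
    admin_net = ipaddress.ip_network(admin_cidr)   # rejects malformed input
    result = []
    for perm in permissions:
        perm = json.loads(json.dumps(perm))        # deep copy; leave input alone
        if find_world_open_admin_rules([perm]):
            perm["IpRanges"] = [r for r in perm.get("IpRanges", [])
                                if not _is_world(r["CidrIp"])]
            perm["Ipv6Ranges"] = [r for r in perm.get("Ipv6Ranges", [])
                                  if not _is_world(r["CidrIpv6"])]
            entry = {"Description": "OPNsense admin access"}
            if admin_net.version == 4:
                entry["CidrIp"] = str(admin_net)
                perm["IpRanges"].append(entry)
            else:
                entry["CidrIpv6"] = str(admin_net)
                perm["Ipv6Ranges"].append(entry)
        result.append(perm)
    return result


if __name__ == "__main__":
    print("findings:", audit(SAMPLE_DESCRIBE_OUTPUT))
    perms = json.loads(SAMPLE_DESCRIBE_OUTPUT)["SecurityGroups"][0]["IpPermissions"]
    print(json.dumps(tightened_permissions(perms, "203.0.113.10/32"), indent=2))
```

The tightened permission list is in the same shape the EC2 API uses for inbound rules, so it can be reviewed and then applied with the console or CLI; an "All traffic" (`-1`) rule open to the world is deliberately re-scoped as a whole, since it also exposes the admin ports.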
Step 7 - Review Instance Launch and Select Key Pair
To review the instance launch and select an SSH key pair, follow the next steps:
1. Check the details of your instance on the Review Instance Launch page and make any necessary changes by selecting the appropriate Edit link.
2. When you're ready, click Launch.
Figure 9. Review Instance Launch
3. In the Select an existing key pair or create a new key pair dialog box, choose an existing key pair and select it, or create a new one.
4. Select the acknowledgment check box, then click Launch Instances.
Figure 10. Select an existing key pair or create a new key pair
Step 8. Obtain Initial Password
To obtain the initial ec2-user and root passwords for your OPNsense instance, follow the steps below:
1. Go to the EC2 instances page in your AWS console.
2. Select the OPNsense instance.
3. Navigate to Actions > Monitor and troubleshoot > Get system log.
Figure 11. Getting System Log for OPNsense instance on AWS
4. Scroll up to the initial password in the log window. You can view both the ec2-user and root initial passwords.
Figure 12. Viewing System Log to obtain initial OPNsense instance passwords on AWS
Step 9. Initial Configuration
You can connect to your OPNsense web UI via https://public_ip_of_opnsense_instance and complete the web UI wizard by following the steps below.
1. Connect to https://public_ip_of_opnsense_instance using your favorite browser.
2. Log in as root using the default OPNsense password, which is opnsense.
3. Complete the Initial Configuration of the OPNsense firewall by accepting the default settings.
Figure 13. Initial Configuration Wizard for OPNsense instance on AWS
4. Change the root password to a new one. After completing the wizard, you should enable SSH and add firewall rules.
5. Navigate to System > Settings > Administration in the OPNsense web UI.
6. Scroll down to Secure Shell Server.
7. Check the Enable Secure Shell option.
8. Check the Permit root user login option.
9. Check the Permit password login option.
10. Click Save at the bottom of the page.
Figure 14. Enable Secure Shell for OPNsense
To define a firewall rule on the OPNsense firewall instance that allows SSH and HTTP(S) from the firewall administrator's IP addresses, navigate to Firewall > Rules > WAN and add a rule with the following settings:
1. Set Action to Pass.
2. Set Interface to WAN.
3. Set Protocol to TCP.
4. Set Source to Single Host or Network and type the IP address of your administrator.
5. Set Destination to WAN address.
6. Set Destination Port Range to any.
7. Check the Log packets that are handled by this rule option.
8. Set Description to Allow admin access to OPNsense.
9. Click Save.
Figure 15. WAN Firewall Rules for unlimited administrator access on OPNsense
10. Click Apply Changes to activate the changes.
11. Navigate to Firewall > Settings > Advanced to disable the anti-lockout rule.
12. Check the Disable administration anti-lockout rule option.
Figure 16. Disabling administrator anti-lockout rule on OPNsense
13. Click Save at the bottom of the page.
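The order of the last steps matters: the anti-lockout rule is what keeps the web UI and SSH reachable until your own pass rule is active, so disabling it before that rule matches your administrator address locks you out. The following is an added example (not the article's or OPNsense's own code) that models that check in Python. It assumes a simplified first-match ruleset with a default deny, and models the anti-lockout rule as a pass for TCP ports 22, 80 and 443 to the WAN address from any source, evaluated before user rules; the WAN address `198.51.100.20` and the administrator address `203.0.113.10` are constructed values.

```python
import ipaddress
from dataclasses import dataclass

# Ports the anti-lockout rule protects in this simplified model (SSH, web UI).
ADMIN_PORTS = (22, 80, 443)
# Constructed public address of the OPNsense instance.
WAN_ADDRESS = "198.51.100.20"


@dataclass
class Rule:
    """One WAN rule, mirroring the fields set in the web UI above."""
    action: str          # "pass" or "block"
    interface: str       # "WAN"
    protocol: str        # "tcp", "udp" or "any"
    source: str          # CIDR or "any"
    destination: str     # CIDR, "any" or "WAN address"
    dport: str           # "22", "443" or "any"
    description: str = ""


def _addr_match(spec, ip):
    if spec == "any":
        return True
    if spec == "WAN address":
        return ip == WAN_ADDRESS
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    return spec == "any" or int(spec) == port


def first_match(rules, interface, protocol, src, dst, dport):
    """First rule that matches the packet, or None (default deny)."""
    for rule in rules:
        if (rule.interface == interface
                and rule.protocol in ("any", protocol)
                and _addr_match(rule.source, src)
                and _addr_match(rule.destination, dst)
                and _port_match(rule.dport, dport)):
            return rule
    return None


def is_admin_allowed(rules, admin_ip, anti_lockout=True, port=443):
    """Would a TCP connection from admin_ip to the WAN address on `port` pass?"""
    ruleset = list(rules)
    if anti_lockout:
        # Simplified anti-lockout rule: pass admin ports from any source,
        # placed ahead of the user-defined rules.
        ruleset = [Rule("pass", "WAN", "tcp", "any", "WAN address", str(p),
                        "anti-lockout") for p in ADMIN_PORTS] + ruleset
    hit = first_match(ruleset, "WAN", "tcp", admin_ip, WAN_ADDRESS, port)
    return hit is not None and hit.action == "pass"


def safe_to_disable_anti_lockout(rules, admin_ip):
    """True only if the explicit rules alone keep every admin port reachable
    from admin_ip, i.e. disabling anti-lockout cannot lock the admin out."""
    return all(is_admin_allowed(rules, admin_ip, anti_lockout=False, port=p)
               for p in ADMIN_PORTS)


# The rule created in the steps above, with a constructed administrator address.
ADMIN_RULE = Rule("pass", "WAN", "tcp", "203.0.113.10/32", "WAN address", "any",
                  "Allow admin access to OPNsense")

if __name__ == "__main__":
    print("no admin rule yet:", safe_to_disable_anti_lockout([], "203.0.113.10"))
    print("admin rule applied:", safe_to_disable_anti_lockout([ADMIN_RULE], "203.0.113.10"))
```

Run the check against the rules you have actually applied (not merely saved) before ticking Disable administration anti-lockout rule; a typo in the source address shows up as `False` here rather than as a lost session on a cloud instance with no console access.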
Lastly, update the OPNsense firewall and always keep your firewall up-to-date for better network security.
Your OPNsense firewall instance is ready to use on AWS Cloud now.
Here is the hands-on video for installing an OPNsense instance on Amazon Web Services (AWS):