OPNsense Forum

English Forums => General Discussion => Topic started by: bogartusmaximus on August 04, 2017, 04:58:38 pm

Title: Captive Portal on the WAN interface
Post by: bogartusmaximus on August 04, 2017, 04:58:38 pm
Is it possible to select the WAN interface when setting up the Captive Portal?  Right now (OPNsense 17.7-amd64) it's only showing LAN and VPN as possible interface choices.

The reason I want to put the Captive Portal on the WAN interface is because I have internal websites that I would like to access securely from the internet.  In this specific case I want to offer friends and family access to my Sonarr and Radarr services, and expecting them to be able to VPN is a hassle.  You know, because they are family and are computer illiterate.

HAProxy only does basic auth with a userlist maintained in a text file, easy for small numbers of users but a pain to maintain in the long run with any kind of scale.  NGINX requires compilation of addon modules for LDAP or RADIUS auth.  The Captive Portal option would be pretty neat and would follow a kind of https://beyondcorp.com philosophy.

I already have LDAP auth for OPNsense configured and working through a FreeIPA server and the Captive Portal already supports users and groups through LDAP.  It would be perfect to leverage FreeIPA LDAP instead of relying on HAProxy basic auth or setting up an internal NGINX vm to reverse proxy everything through.  I could see this being a really neat feature for OPNsense especially with adding 2FA/MFA to the mix, especially duo auth proxy.

Any help would be appreciated, even if it's just pointing me at some rules that redirects WAN:80,443 to LAN:9000, if that would work.

Title: Re: Captive Portal on the WAN interface
Post by: bogartusmaximus on August 08, 2017, 08:18:48 am
Update:

I've been using nginx as a reverse proxy with LDAP since posting.  Seems pretty basic and undeveloped, e.g. using example code.

I am investigating setting up a Shibboleth instance to add SAML support to web authentication and SSO (Single Sign On) for services I am hosting:

https://github.com/nginx-shib/nginx-http-shibboleth
https://shibboleth.net/about/

Two things to note: backend services are unencrypted until I get Let's Encrypt set up for each service instead of just on the nginx frontend, and backend services will be unauthenticated since authentication will happen at the webauth proxy.  All services are on a private VLAN so users typically would not be able to access them directly on the LAN.

Anyone else doing anything similar?
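The setup both posts describe, an nginx reverse proxy that terminates TLS on the WAN side and requires an LDAP login before anything reaches the otherwise unauthenticated Sonarr/Radarr backends, can be expressed with nginx's stock auth_request module rather than a compiled-in LDAP module. The following is an added example written for this thread, not the poster's own configuration. It assumes: the hostname media.example.net with Let's Encrypt certificate paths, an LDAP auth helper on 127.0.0.1:8888 that answers 2xx for valid Basic-auth credentials and 401 otherwise (the nginxinc/nginx-ldap-auth reference daemon behaves this way, but any helper with that contract works), Sonarr at 10.0.20.10:8989 and Radarr at 10.0.20.11:7878 on the private VLAN with their URL Base set to /sonarr and /radarr. On OPNsense, the WAN:80,443 port forward from the first post would point at the host running this proxy.

```nginx
# Added example, not from the original thread. Hostnames, addresses, cert
# paths and the auth helper on :8888 are assumptions, see lead-in.

# Cache positive auth decisions briefly so every asset request does not
# turn into an LDAP bind. Only 200 responses are cached (see below).
proxy_cache_path /var/cache/nginx/auth levels=1 keys_zone=auth_cache:1m
                 max_size=10m inactive=10m;

server {
    listen 80;
    server_name media.example.net;
    # Never serve the apps over plain HTTP; only redirect.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name media.example.net;

    ssl_certificate     /etc/letsencrypt/live/media.example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/media.example.net/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Every location in this server block is gated by the same subrequest.
    # 2xx from the helper allows the request, 401/403 denies it.
    auth_request /auth-proxy;
    error_page 401 = @unauthorized;

    # Turn a denial into a Basic-auth prompt for the browser. auth_request is
    # switched off here, otherwise the named location would be gated too.
    location @unauthorized {
        auth_request off;
        add_header WWW-Authenticate 'Basic realm="media"' always;
        return 401;
    }

    # The auth helper. "internal" means clients cannot request it directly.
    location = /auth-proxy {
        internal;
        proxy_pass http://127.0.0.1:8888;
        proxy_pass_request_body off;          # helper only needs the headers
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        proxy_cache auth_cache;
        proxy_cache_valid 200 10m;            # cache successes only
        proxy_cache_key "$http_authorization";
    }

    # Backends on the private VLAN. proxy_pass without a URI keeps the
    # /sonarr or /radarr prefix, which must match each app's URL Base.
    location /sonarr/ {
        proxy_pass http://10.0.20.10:8989;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /radarr/ {
        proxy_pass http://10.0.20.11:7878;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two points follow from the second post's caveat. Because the backends themselves accept requests without authentication, the proxy is the only enforcement point, so the firewall on the private VLAN should allow connections to 8989 and 7878 only from the proxy's address; otherwise a foothold anywhere on the LAN bypasses the login entirely. And the 10-minute auth cache means a user disabled in FreeIPA can keep working until the cached decision expires; shorten proxy_cache_valid or drop the cache if that window matters more than LDAP load.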