This is the build for OPNsense 25.7.5. It successfully creates an isolated test lab behind a firewall where traffic can only egress via Tor.
Setup:
1. Simple firewall with WAN and LAN interfaces; configure/test from a PC on the LAN. All in Proxmox 9.
2. Proxmox vbr0 (DHCP) for the WAN, which connects to a lab network for access to the Internet
3. Proxmox vbr1 (192.168.101.254/24) for the LAN, which is the secured network
4. Put a VM with a web browser on vbr1
Configuration:
0. WAN interface is vtnet0, LAN is vtnet1
1. Initial setup wizard https://192.168.101.254
- Hostname: isolationfw
- Domain: proxmox.lab
- DNS: 8.8.8.8 and 8.8.4.4 (unfiltered DNS)
- _Uncheck_ override DNS
- WAN: DHCP; _uncheck_ block RFC1918 private networks, since the lab is also in private address space
- LAN review and click next
- Update the root password or leave it the same and click next
2. Update: System > Firmware > Status > Check for Updates, apply and reboot (optionally install the os-qemu-guest-agent plugin and enable the QEMU guest agent for the VM in Proxmox)
3. Test normal Internet access from the VM behind the firewall (web pages, nslookup, etc.)
4. Disable Internet and DNS
- Firewall > Rules > LAN
- Change the IPv4 rule to be a Block action
- Change the IPv6 rule to be a Block action
- Click Apply changes
5. Confirm that Internet browsing fails and that nslookup from the command line also fails (i.e., 'nslookup google.com' times out)
6. Configure Tor
This provides some anonymity, if done correctly.
- Configure the firewall to transparently proxy Internet traffic over Tor
- Be careful to configure DNS correctly so it is forwarded over Tor and your DNS traffic is not leaked
- You may choose to configure the firewall to use a VPN service instead; be mindful of the terms and conditions, and that in some cases providers will surrender details of your activity under court order
- System > Firmware > Plugins
- Check Show community plugins, install os-tor
- Refresh the page
- Services > Tor > Configuration
- General tab: Enable: yes, listen on LAN (only)
- Enable advanced mode, check Enable Transparent Proxy
- Click Save
- SOCKS Proxy ACL tab: add an ACL, IPv4, network 192.168.101.0/24, accept; save and reload the service
7. Configure firewall
- Firewall > NAT > Port Forward
- Add rule: Allow, interface LAN, IPv4 TCP/IP, source LAN Net, destination any, port DNS, redirect target IP 127.0.0.1, redirect target port (other) 9053, description "Tor for DNS"
- Add rule below it (at the end): Allow, interface LAN, IPv4 TCP, source LAN Net, destination any, port any, redirect target IP 127.0.0.1, redirect target port (other) 9040, description "Tor for tcp traffic"
- Firewall > Rules > LAN
- Move the rules auto-generated by the port forwards to the TOP, in this order:
- First port 9053 rule
- Next port 9040 rule
- Followed by the block rules
- Click Save
- Click Apply changes
- Reboot the firewall
8. Test from the test VM
- Internet browser works
- nslookup works
- Using your browser connect to https://check.torproject.org
- You should see "Congratulations. This browser is configured to use Tor."
Checking for leaks. Log in to the OPNsense firewall.
WAN interface is vtnet0, LAN is vtnet1
DNS leak test
- tcpdump -nni vtnet0 port 53
Test nslookup and web browsing from the test VM: both succeed, and nothing should appear in the packet capture. The traffic is on vtnet1 and never leaks onto vtnet0.
ICMP leak test
- tcpdump -nni vtnet0 icmp
Test ping to the Internet: it fails, and nothing should appear in the capture.
UDP leak (Tor carries only TCP, plus UDP 53 for DNS; remember to use a VPN if you need UDP)
- tcpdump -nni vtnet0 proto 17 and port 443
Install the Chrome browser, use chrome://flags to enable Experimental QUIC protocol, relaunch Chrome and visit google.com. The firewall will log drops, but nothing will show in the packet capture.
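As an added example (not part of the original write-up), the three tcpdump checks above folded into one script for the OPNsense shell: it captures on vtnet0 for a fixed window while you browse, nslookup and ping from the test VM, then classifies anything that should never have reached the WAN. The WAN_IF and CAPTURE_SECONDS variables, the live/demo modes and the sample capture are my assumptions; the sample is constructed to look like tcpdump -nn output, not a real trace.

```shell
# Added leak check for the Tor lab above (not from the original post). Flags any
# WAN-side packet that the redirect design says must never appear there:
#   dns  - anything on port 53 (LAN DNS must be redirected to 127.0.0.1:9053)
#   icmp - Tor carries no ICMP, so an escaping ping means the block rule failed
#   quic - UDP/443 cannot ride Tor; the firewall should drop it, not forward it
# Tor's own TCP sessions to guard relays are expected on vtnet0 and are ignored.
WAN_IF="${WAN_IF:-vtnet0}"              # WAN name from the write-up; override if needed
CAPTURE_SECONDS="${CAPTURE_SECONDS:-60}"  # assumed test window
# classify_lines: tcpdump -nn text on stdin -> "<kind> <original line>" per leak.
classify_lines() {
    awk '
        /ICMP/ { print "icmp " $0; next }
        /^[0-9:.]+ IP6? / {
            dst = $5; sub(/:$/, "", dst)            # "8.8.8.8.53:" -> "8.8.8.8.53"
            n = split(dst, p, "."); port = p[n]     # last dotted field is the port
            if (port == "53") { print "dns " $0; next }
            if ($6 == "UDP," && port == "443") { print "quic " $0; next }
        }'
}
# capture_wan_leaks FILE: record only the three leak classes for CAPTURE_SECONDS.
capture_wan_leaks() {
    tcpdump -nni "$WAN_IF" -l 'port 53 or icmp or icmp6 or (udp and port 443)' \
        >"$1" 2>/dev/null &
    pid=$!
    sleep "$CAPTURE_SECONDS"
    kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null
}
# report_leaks FILE: per-class counts; returns 0 when clean, 1 when anything leaked.
report_leaks() {
    leaks=$(classify_lines <"$1")
    if [ -z "$leaks" ]; then
        echo "clean: no DNS, ICMP or QUIC seen on $WAN_IF"
        return 0
    fi
    printf '%s\n' "$leaks" | awk '{ c[$1]++ } END { for (k in c) printf "LEAK %s: %d packet(s)\n", k, c[k] }'
    return 1
}
# Constructed sample of what a misconfigured firewall would leak (not a real capture).
SAMPLE_CAPTURE='10:00:01.000001 IP 198.51.100.5.51515 > 8.8.8.8.53: 4660+ A? example.com. (29)
10:00:01.000002 IP 198.51.100.5.51516 > 8.8.4.4.53: Flags [S], seq 1, win 65535, length 0
10:00:02.000003 IP 198.51.100.5 > 203.0.113.1: ICMP echo request, id 1, seq 1, length 64
10:00:03.000004 IP 198.51.100.5.60000 > 203.0.113.200.443: UDP, length 1250
10:00:04.000005 IP 198.51.100.5.40000 > 203.0.113.9.9001: Flags [P.], seq 1:2, ack 1, length 1'
case "${1:-demo}" in
    live) f=$(mktemp); capture_wan_leaks "$f"; report_leaks "$f"; rm -f "$f" ;;
    demo) printf '%s\n' "$SAMPLE_CAPTURE" | classify_lines ;;
esac
```

Run it as `sh leakcheck.sh live` on the firewall while exercising the test VM; with no argument it only classifies the constructed sample so you can see the output format.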