Show Posts
1
General Discussion / Captive Portal on the WAN interface
« on: August 04, 2017, 04:58:38 pm »
Is it possible to select the WAN interface when setting up the Captive Portal? Right now (OPNsense 17.7-amd64) it's only showing LAN and VPN as possible interface choices.
The reason I want to put the Captive Portal on the WAN interface is because I have internal websites that I would like to access securely from the internet. In this specific case I want to offer friends and family access to my Sonarr and Radarr services, and expecting them to be able to VPN is a hassle. You know, because they are family and are computer illiterate.
HAProxy only does basic auth with a userlist maintained in a text file, easy for small amounts of users but a pain to maintain in the long run with any kind of scale. NGINX requires compilation of addon modules for LDAP or RADIUS auth. The Captive Portal option would pretty neat and would follow a kind of https://beyondcorp.com philosophy.
I already have LDAP auth for OPNsense configured and working through a FreeIPA server and the Captive Portal already supports users and groups through LDAP. It would be perfect to leverage FreeIPA LDAP instead of relying on HAProxy basic auth or setting up an internal NGINX vm to reverse proxy everything through. I could see this being a really neat feature for OPNsense especially with adding 2FA/MFA to the mix, especially duo auth proxy.
Any help would be appreciated, even if it's just pointing me at some rules that redirects WAN:80,443 to LAN:9000, if that would work.
The reason I want to put the Captive Portal on the WAN interface is because I have internal websites that I would like to access securely from the internet. In this specific case I want to offer friends and family access to my Sonarr and Radarr services, and expecting them to be able to VPN is a hassle. You know, because they are family and are computer illiterate.
HAProxy only does basic auth with a userlist maintained in a text file, easy for small amounts of users but a pain to maintain in the long run with any kind of scale. NGINX requires compilation of addon modules for LDAP or RADIUS auth. The Captive Portal option would pretty neat and would follow a kind of https://beyondcorp.com philosophy.
I already have LDAP auth for OPNsense configured and working through a FreeIPA server and the Captive Portal already supports users and groups through LDAP. It would be perfect to leverage FreeIPA LDAP instead of relying on HAProxy basic auth or setting up an internal NGINX vm to reverse proxy everything through. I could see this being a really neat feature for OPNsense especially with adding 2FA/MFA to the mix, especially duo auth proxy.
Any help would be appreciated, even if it's just pointing me at some rules that redirects WAN:80,443 to LAN:9000, if that would work.