Can I install OPNsense on my Dell T30 server running Ubuntu?

Started by freeflyer, December 21, 2023, 07:23:20 PM

I have been looking at setting up a remote VPN connection between my house and my parents house as shown in the following diagram...

https://www.dropbox.com/scl/fi/08jbpas4gja418fwgc5w5/VPN.jpg?rlkey=ycpmjfcp1umh9vfbmcnua5r91&dl=0

People have recommended I look at OPNsense and use its VPN, but I am not sure how to install it.

I was hoping I could install it on my Dell T30 server which is running Ubuntu 20.04.

I followed the guide below to install Virtualbox and OPNsense, but I got confused when it came to setting up the network adapters in Virtualbox.

https://www.zenarmor.com/docs/network-security-tutorials/how-to-install-opnsense-on-vbox

The guide says:

Quote
We will create 2 network adapters, the first one will be Bridge Adapter.

For Adapter 1:

Select the 'Bridge Adapter' option from the "Attach to: "drop-down menu.

Select the network adapter on the host system that traffic to/from this network card will go through. We chose the wireless adapter. In this case wlo1.

For Adapter 2:

The second Network adapter will be Host-only-Adapter.

You should choose the created vboxnet interfaces. In this case vboxnet2


My Dell T30 only has one LAN port which uses an embedded Intel I219-LM GbE LAN 10/100/1000 NIC.

Its name appears as 'enp0s31f6' which I can set as the 'Bridge Adapter' for Adapter 1 as shown in the following diagram...

https://www.dropbox.com/scl/fi/z8qqo8sx2t6jwysm90m3o/Adapter1.png?rlkey=dgkkis7c0k0050in4oysnnnmk&dl=0

However, I cannot set Adapter 2 as 'Host only Adapter' because the drop down box for name only has the option 'Not selected' and there is an error that says 'Invalid settings detected - no host-only adapter is currently selected' as shown in the following diagram...

https://www.dropbox.com/scl/fi/tmb83wdnc1i4iu2udnn2s/Adapter2.png?rlkey=m2y6pmxaomo37xziwqluiujbn&dl=0

Is it even possible to set up OPNsense on my Dell T30 Ubuntu server and if so, how do I configure the network adapters in Virtualbox?
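The 'Not selected' drop-down and the 'no host-only adapter is currently selected' error in the post above appear on a Linux host when no vboxnet interface exists yet; VirtualBox on Linux only lists host-only interfaces that have already been created. The script below is an added example, not from the thread or the linked guide: it reads `VBoxManage list hostonlyifs`, creates a vboxnet interface when none exists, and prints the `VBoxManage modifyvm` calls that attach the two adapters. The VM name `OPNsense` is a placeholder; `enp0s31f6` is the NIC name from the post. It assumes VirtualBox on Linux with the `vboxnetN` host-only interface model.

```shell
#!/bin/sh
# Added example (not from the thread): make the Host-only adapter selectable by
# ensuring a vboxnet interface exists, then attach the two adapters by CLI.
set -eu

VM_NAME="OPNsense"          # placeholder VM name (assumption)
BRIDGE_NIC="enp0s31f6"      # the T30's Intel I219-LM, as named in the post

# first_hostonly_if: reads `VBoxManage list hostonlyifs` output on stdin and
# prints the first interface name (e.g. vboxnet0), or nothing when none exists.
first_hostonly_if() {
    awk '/^Name:/ { print $2; exit }'
}

# hostonly_commands IFNAME -> the VBoxManage calls that set up Adapter 1 as
# bridged to the physical NIC and Adapter 2 as host-only on IFNAME.
hostonly_commands() {
    cat <<EOF
VBoxManage modifyvm "${VM_NAME}" --nic1 bridged --bridgeadapter1 "${BRIDGE_NIC}"
VBoxManage modifyvm "${VM_NAME}" --nic2 hostonly --hostonlyadapter2 "$1"
EOF
}

# Only touch VirtualBox when it is actually installed on this host.
if command -v VBoxManage >/dev/null 2>&1; then
    ifname=$(VBoxManage list hostonlyifs | first_hostonly_if)
    if [ -z "$ifname" ]; then
        # Nothing to select in the GUI yet: create vboxnetN and read its name back.
        VBoxManage hostonlyif create
        ifname=$(VBoxManage list hostonlyifs | first_hostonly_if)
    fi
    # Print the attach commands; run them once the VM is powered off.
    hostonly_commands "$ifname"
fi
```

After the interface exists, the GUI drop-down for Adapter 2 lists it as well, so the commands printed above are equivalent to the selections the guide describes. Note that this only clears the VirtualBox error; it does not change the fact that both adapters still sit behind the single physical NIC of the T30.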




You can technically install a Virtual Machine in a software hypervisor like Virtualbox but it won't do what you need because there is only one physical NIC on the host that is already in use.
VPN tunnels are created between two endpoints, and they need to be able to do routing of networks, which naturally puts them as software on firewalls. So VPNs normally go from firewall to firewall. Here is your first problem. You have a Fritzbox router/firewall so OPN on the T30 would make it a second router/firewall in your house. With the fact of having only one NIC, that's an almost impossible task unless you do very funky setups and it won't be easy to direct you. Lots of tries and failures. Stuff for pros.
Then on the other end, your parents' house, similar with the Virgin router. Here you could set up a VPN client that connects to your house, i.e. initiate the connections. Similarly needs some setup on the Virgin router that might not be available on their firmware.
So what can you do? You don't need another router/firewall on your side. Your Fritzbox already can establish VPN connections https://en.avm.de/service/knowledge-base/dok/FRITZ-Box-7530/3448_VPN-with-FRITZ/
So your side is just configuring your Fritz. On your parents' side you have to figure out what the Virgin router can do or not, and if it can't do VPN connections like the Fritz, then set up a VPN on their Mac OS and see how to get the relevant ports allowed on the Virgin router.

Thanks cookiemonster,

I had a feeling that having only one physical NIC might be an issue so thanks for confirming this.

I guess one solution would be to purchase a NIC card with multiple ports that fits into one of the PCIe slots in the Dell T30 ?

One thing I don't understand about firewalls, is that if the router has a firewall then why do OS's like Windows, Mac OS, Ubuntu etc come with firewalls as they would be a second firewall too ?

I have been advised never to put a VPN on a router.  I was told...

Quote
Never, ever, run the VPN on your primary edge router that protects your entire network. When that device fails, there are some terrible failure modes which may leave you with no VPN, but access still provided. I don't want anything on my edge router besides a firewall and routing. No DHCP, no DNS, no fancy addons, no VPN. They should do routing and firewalling, nothing else. Sure, there are 500 packages that can be installed on our edge routers now, but just because something is possible, that doesn't make it a good idea. I use OPNSense on my router. No way would I run a VPN on it and I won't use openVPN at all due to the complexity. OPNSense is just a router distro that runs on x86-64 systems using BSD as the base OS. I stopped using OpenVPN a few years ago and switched to Wireguard. It is 100x easier to setup and faster for transfers.

As it seems I can't use OPNsense (unless fitting a PCIe NIC card will work?), I'm wondering if it's possible to run Wireguard VPN in Virtualbox on my Dell T30 Ubuntu server? Then my parents could use a VPN client to connect to my server and I can then perform offsite backups.

I initially was looking at setting up a VPN connection and OPNsense was recommended by several people as a way to do this, but it sounded like OPNsense also provides extra protection which is why I started looking at it.

These people run OPNsense on their router, would it be possible to run it on my Fritzbox router if I decided to in the future ?

If required I can replace the router at my house and my parents' house, although I wouldn't know which router to replace them with. I also get the impression Virgin ISP is more restrictive when trying to set up things like this?

Quote
I guess one solution would be to purchase a NIC card with multiple ports that fits into one of the PCIe slots in the Dell T30 ?
Yes you can but you still would be putting a firewall (OPN) on Virtualbox on the "inside" when it is needed on the "outside". Complicated and pointless.

Quote
One thing I don't understand about firewalls, is that if the router has a firewall then why do OS's like Windows, Mac OS, Ubuntu etc come with firewalls as they would be a second firewall too ?
They are but they police traffic only for that "host", i.e. itself ONLY. For this reason it does not interfere nor protect other hosts. That software firewall is completely unaware of what is happening on the rest of the infrastructure.

Quote
I have been advised never to put a VPN on a router.  I was told...
You can install a VPN client on a PC and make a connection to another endpoint and the traffic goes in that tunnel. When it is put on the router/firewall like OPN, it allows all the traffic to go through that tunnel, or selectively only some clients, aka "policy routing".

Quote
Never, ever, run the VPN on your primary edge router that protects your entire network. When that device fails, there are some terrible failure modes which may leave you with no VPN, but access still provided. I don't want anything on my edge router besides a firewall and routing. No DHCP, no DNS, no fancy addons, no VPN. They should do routing and firewalling, nothing else. Sure, there are 500 packages that can be installed on our edge routers now, but just because something is possible, that doesn't make it a good idea. I use OPNSense on my router. No way would I run a VPN on it and I won't use openVPN at all due to the complexity. OPNSense is just a router distro that runs on x86-64 systems using BSD as the base OS. I stopped using OpenVPN a few years ago and switched to Wireguard. It is 100x easier to setup and faster for transfers.
Fine. It is best practice to separate concerns. Firewall just routing and firewalling, sure. Indeed enterprises do it that way, and purchase, manage and administer separate devices.
The ability to put a VPN connector on it is there but depending on budget, preferences, etc. many people accept the compromises. Some people prefer not to.

Quote
As it seems I can't use OPNsense (unless fitting a PCIe NIC card will work?), I'm wondering if its possible to run Wireguard VPN in Virtualbox on my Dell T30 Ubuntu server ?  Then my parents could use a VPN client to connect to my server and I can then perform offsite backups.
Well, you CAN use OPN but not with your current hardware and software setup. Ideally: a separate device with at least two NICs for OPN. Remember in this case you still are putting a router inside your already routed network. If all you want is to connect your parents to the Ubuntu server, you can simply install wireguard on Ubuntu and (you need to research this) a wireguard client on your parents' machine. Point to point connection, not network to network.

Quote
I initially was looking at setting up a VPN connection and OPNsense was recommended by several people as a way to do this, but it sounded like OPNsense also provides extra protection which is why I started looking at it.

These people run OPNsense on their router, would it be possible to run it on my Fritzbox router if I decided to in the future ?
Don't know if the firmware on these routers can be changed.

Quote
If required I can replace the router at my house and my parents house, although I wouldn't know which router to replace them with.  I also get the impression Virgin ISP is more restrictive when trying to setup things like this ?
I haven't been with Virgin media (UK) in many years, I don't know what they allow or don't, sorry.

Again, the ideal scenario is a new device on each end replacing the current ISP routers. OPN on them, make a VPN connection (there are various flavours) between them.
Second thought, Fritz on each end and VPN between them as per the link. No OPN required.
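The point-to-point option from the reply above (wireguard on the Ubuntu server, a wireguard client on the parents' machine, host to host rather than network to network) looks like the following. This is an added example, not configuration from the thread or from the WireGuard project: the tunnel addresses 10.200.0.1/10.200.0.2, UDP port 51820, the interface name wg0, the hostname `home.example.invalid` and the `ufw` rules are all constructed placeholders, and when the `wg` tool is not installed the script substitutes labelled placeholder keys so it still runs. Because the parents' side initiates the connection, only the home side needs an inbound UDP port forward on its router; `AllowedIPs` is kept to a single /32 on both sides so neither host gains a route into the other LAN.

```shell
#!/bin/sh
# Added example (not from the thread): generate a point-to-point WireGuard pair
# for "parents' machine -> Ubuntu server" backups. Addresses, port, hostname and
# interface name are constructed placeholders; real keys come from `wg genkey`
# when it is available, otherwise labelled placeholder strings are used.
set -eu

WG_PORT=51820                         # UDP port forwarded on the home router (assumption)
SERVER_TUN_IP=10.200.0.1              # tunnel address of the Ubuntu server (constructed)
CLIENT_TUN_IP=10.200.0.2              # tunnel address of the parents' machine (constructed)
SERVER_ENDPOINT=home.example.invalid  # placeholder: the home side's public hostname / IP

# gen_keypair NAME -> prints "<private> <public>"
gen_keypair() {
    if command -v wg >/dev/null 2>&1; then
        priv=$(wg genkey)
        pub=$(printf '%s\n' "$priv" | wg pubkey)
    else
        priv="PLACEHOLDER_PRIVATE_KEY_$1"   # placeholder, not a usable key
        pub="PLACEHOLDER_PUBLIC_KEY_$1"
    fi
    printf '%s %s\n' "$priv" "$pub"
}

# server_conf SERVER_PRIV CLIENT_PUB -> wg0.conf for the Ubuntu server (the responder).
# AllowedIPs is the single /32 of the peer: host-to-host, no route to the parents' LAN.
server_conf() {
    cat <<EOF
[Interface]
Address = ${SERVER_TUN_IP}/32
ListenPort = ${WG_PORT}
PrivateKey = $1

[Peer]
# parents' machine
PublicKey = $2
AllowedIPs = ${CLIENT_TUN_IP}/32
EOF
}

# client_conf CLIENT_PRIV SERVER_PUB -> config for the parents' machine (the initiator).
# PersistentKeepalive keeps the NAT mapping on the Virgin side alive from the inside.
client_conf() {
    cat <<EOF
[Interface]
Address = ${CLIENT_TUN_IP}/32
PrivateKey = $1

[Peer]
# Ubuntu server at home
PublicKey = $2
Endpoint = ${SERVER_ENDPOINT}:${WG_PORT}
AllowedIPs = ${SERVER_TUN_IP}/32
PersistentKeepalive = 25
EOF
}

# only_host_routes CONF -> succeeds only if every AllowedIPs entry is a /32,
# i.e. the config cannot accidentally become a network-to-network tunnel.
only_host_routes() {
    ! printf '%s\n' "$1" | grep '^AllowedIPs' | grep -vq '/32$'
}

# Host firewall on the server: the tunnel port from anywhere, and on wg0 only
# SSH (for rsync/scp backups) from the single peer address. Printed, not run.
server_firewall_rules() {
    cat <<EOF
ufw allow ${WG_PORT}/udp
ufw allow in on wg0 from ${CLIENT_TUN_IP} to any port 22 proto tcp
EOF
}

if [ "${1:-}" = "generate" ]; then
    set -- $(gen_keypair server) $(gen_keypair client)
    # $1 server private, $2 server public, $3 client private, $4 client public
    echo "# --- /etc/wireguard/wg0.conf on the Ubuntu server ---"
    server_conf "$1" "$4"
    echo "# --- tunnel config imported into the WireGuard client on the parents' machine ---"
    client_conf "$3" "$2"
    echo "# --- ufw rules on the server ---"
    server_firewall_rules
fi
```

Run it as `sh wg-pair.sh generate` on the server, copy the second block to the parents' machine and the printed `ufw` lines into the server's firewall, then `wg-quick up wg0` on the server. Each private key stays on the host it was generated for; only the public keys cross between the two configs.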