I will put my modem into bridge mode - what to do to harden OPNsense?

Started by tkhobbes, August 10, 2025, 12:49:59 PM

Ok, I have a little home network setup with my OPNsense Protectli as the only device connected to my ISP's modem and managing the whole network (in tandem with UniFi devices).
So far, I have left my ISP's modem as-is, which obviously led to a double-NAT situation.

I am now playing with the thought of moving to the next step, which will include setting up Wireguard to remotely connect into my home network. I think this requires putting my ISP's modem into "bridge" mode.

However, I am scared to do that! I understand that all internet traffic will then hit my OPNsense box, and I do not consider myself a "pro" yet so... what should I do / check / ensure, to make everything as secure as possible?
(I assume OPNsense does a decent job out of the box but I am still nervous so... any guidance is highly appreciated :)

Quote from: tkhobbes on August 10, 2025, 12:49:59 PM
I am now playing with the thought of moving to the next step, which will include setting up Wireguard to remotely connect into my home network. I think this requires putting my ISP's modem into "bridge" mode.

First of all, this requires that you get a public WAN IP from your ISP. If this is assigned to the modem, you can just as well forward the used ports, or all of them, to OPNsense.
But make sure that you get one at all; otherwise your network is not accessible from the internet.

Quote from: tkhobbes on August 10, 2025, 12:49:59 PM
I assume OPNsense does a decent job out of the box but I am still nervous so...

Yes, OPNsense is hardened out of the box. There is no incoming traffic permitted on the WAN.
So it's no less secure than your ISP router.

All traffic you want to pass in requires a manually added rule on the WAN, e.g. to connect to the Wireguard server.

Best to start here: https://docs.opnsense.org/firewall.html

The fewer hops there are between you and your RDS, the easier it is to set things up, so yes, if you put the modem in bridge mode, your task will be easier. You may technically keep the modem in router mode, but then you will have two routers to maintain instead of one. OPNsense is as secure as it gets, so you do not have to be afraid of internet traffic hitting it.

For remoting in, you need to forward port 3389 to your RDS server. If you want to further secure its login/password authentication, you can create a firewall rule on your WAN interface so as to allow access only from your client's legitimate IP/subnet. There is no other technical possibility to further harden RDP, unless you are willing to set up VPN.

Quote from: Jyling on August 10, 2025, 08:53:44 PM
There is no other technical possibility to further harden RDP, unless you are willing to set up VPN.

You should not run RDP over the Internet but always use a VPN. Or some HTTPS based solution with 2FA enabled, like Apache Guacamole.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on August 10, 2025, 08:58:32 PM
Quote from: Jyling on August 10, 2025, 08:53:44 PM
There is no other technical possibility to further harden RDP, unless you are willing to set up VPN.

You should not run RDP over the Internet but always use a VPN. Or some HTTPS based solution with 2FA enabled, like Apache Guacamole.

Agree strongly.

When I travel, I never access Remote Desktop or any other internet protocol for getting back home without going through a VPN. Let the VPN be the only open port to your home. If the VPN is set up properly, accessing your network is no different from you being on the local LAN. Using OPNsense as a VPN server is where it shines.

I can't speak to Wireguard as I used OpenVPN and travel little now. But certificates tied to user IDs and the need for each device to host a unique certificate is pretty secure. Close the port when not needed.
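The two points the replies above keep coming back to are that every inbound path has to be an explicit WAN rule, and that the VPN listener should be the only one. A practical way to check that after the modem goes into bridge mode is to audit the exported backup (System > Configuration > Backups, config.xml) rather than clicking through the rule list. The script below is an added example written for this thread, not code from the OPNsense project or from any poster. The XML layout it parses (`<filter>/<rule>` for firewall rules, `<nat>/<rule>` for port forwards, `<source><any>1</any></source>`, `<destination><port>`) follows the structure of an OPNsense backup as I recall it and is an assumption; the sample config embedded in it is constructed for the example and mirrors the thread (a WireGuard pass rule, an RDP forward, and a Guacamole forward restricted to one source range).

```python
"""Audit WAN-facing rules in an exported OPNsense config.xml.

Added example for this thread, not OPNsense project code. Element names
follow the OPNsense backup layout as the example's author recalls it and
are an assumption: check them against your own export.
"""
import xml.etree.ElementTree as ET

# Constructed sample config: a home firewall after bridge mode, with the
# VPN listener plus two port forwards of the kind discussed in the thread.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <filter>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <protocol>udp</protocol>
      <source><any>1</any></source>
      <destination><network>wanip</network><port>51820</port></destination>
      <descr>Allow WireGuard</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <source><network>lan</network></source>
      <destination><any>1</any></destination>
      <descr>Default allow LAN to any</descr>
    </rule>
  </filter>
  <nat>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><any>1</any></source>
      <destination><network>wanip</network><port>3389</port></destination>
      <target>192.168.1.50</target>
      <local-port>3389</local-port>
      <descr>RDP to workstation</descr>
    </rule>
    <rule>
      <interface>wan</interface>
      <protocol>tcp</protocol>
      <source><address>203.0.113.0/24</address></source>
      <destination><network>wanip</network><port>443</port></destination>
      <target>192.168.1.20</target>
      <local-port>443</local-port>
      <descr>Guacamole from office range</descr>
    </rule>
  </nat>
</opnsense>
"""

# The only (protocol, port) pairs acceptable from the whole Internet: the VPN.
VPN_LISTENERS = {("udp", "51820")}
# Services that should never be published directly on WAN, whatever the source.
NEVER_EXPOSE = {"3389": "RDP", "22": "SSH", "445": "SMB"}


def _text(elem, path, default=""):
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else default


def _source_of(rule):
    """Return 'any' or the configured source address/network of a rule."""
    if rule.find("source/any") is not None:
        return "any"
    return _text(rule, "source/address") or _text(rule, "source/network") or "?"


def wan_rules(xml_text):
    """Yield (kind, rule) for every enabled WAN pass rule and port forward."""
    root = ET.fromstring(xml_text)
    for rule in root.iterfind("filter/rule"):
        if (_text(rule, "interface") == "wan" and _text(rule, "type") == "pass"
                and rule.find("disabled") is None):
            yield "filter", rule
    for rule in root.iterfind("nat/rule"):
        if _text(rule, "interface") == "wan" and rule.find("disabled") is None:
            yield "nat", rule


def audit_wan(xml_text, vpn_listeners=VPN_LISTENERS):
    """Return (severity, rule description, message) for each inbound WAN path."""
    findings = []
    for kind, rule in wan_rules(xml_text):
        proto = _text(rule, "protocol", "any").lower()
        port = _text(rule, "destination/port")
        descr = _text(rule, "descr") or f"(unnamed {kind} rule)"
        src = _source_of(rule)
        if port in NEVER_EXPOSE:
            findings.append(("high", descr,
                             f"{NEVER_EXPOSE[port]} ({proto}/{port}) published on WAN "
                             f"from {src}; reach it over the VPN instead"))
        elif src == "any" and (proto, port) not in vpn_listeners:
            findings.append(("medium", descr,
                             f"{proto}/{port or 'all ports'} open to the whole Internet"))
        elif src == "any":
            findings.append(("info", descr, f"VPN listener {proto}/{port} open (expected)"))
        else:
            findings.append(("low", descr, f"{proto}/{port} restricted to {src}"))
    return findings


if __name__ == "__main__":
    for sev, descr, msg in audit_wan(SAMPLE_CONFIG):
        print(f"[{sev:6}] {descr}: {msg}")
```

Run it against your own export instead of `SAMPLE_CONFIG` (read the file and pass the text to `audit_wan`). The goal is a report with exactly one `info` line for the VPN port and nothing `high` or `medium`; anything else is an inbound path you have to be able to justify. Note that `NEVER_EXPOSE` fires even when the source is restricted, which is the distinction the later replies draw: a source-address rule narrows who can reach RDP, but it does not change what RDP's own authentication is exposed to.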