
How to Install OPNsense on AWS?

Amazon Web Services (AWS) is the world's most comprehensive and widely adopted cloud platform, offering over 200 fully featured services from data centers worldwide. Millions of customers, including startups, enterprises, and government agencies, use AWS to reduce costs, become more agile, and innovate faster. Gartner Research placed Amazon Web Services in the Leaders quadrant of the 2021 Magic Quadrant for Cloud Infrastructure & Platform Services (CIPS).

OPNsense is the fastest-growing open-source firewall and routing platform, released under the OSI-approved 2-clause (simplified) BSD license. Its feature set covers everything from routing and stateful firewalling to integrated intrusion detection and prevention.

Modularization, multi-language support, hardened security, simple and reliable firmware upgrades, rapid adoption of upstream software updates, and a large and welcoming community are all hallmarks of the project. Although it is commonly described as a traditional packet-filtering firewall, OPNsense combined with the Zenarmor plugin provides next-generation firewall capabilities and is increasingly deployed in enterprise networks. There is an officially supported OPNsense image for AWS. Google Cloud Platform has no publicly available OPNsense image, but you can still build and launch your own OPNsense instance from the Google Cloud console.

OPNsense instance on AWS provides the following features:

  • Stateful inspection firewall with extensive routing functions, including the OSPF and BGP dynamic routing protocols
  • OpenVPN, IPsec, and WireGuard, well-known VPN technologies that help secure your cloud architecture
  • Inline intrusion detection and prevention with Proofpoint's high-quality rulesets (ET Open, or ET Pro with telemetry, depending on the license)

In this article, we explain the 9 steps for installing an OPNsense firewall on AWS. This gives you a capable firewall in AWS that can also serve as a VPN server: after installing the OPNsense instance you can enable either the WireGuard or the OpenVPN service on it.

Best Practice

You can quickly install Zenarmor NGFW Plug-in on your OPNsense VPN server running on AWS to protect remote employees from cyber threats.

Zenarmor NGFW Plug-in for OPNsense is one of the most popular OPNsense plug-ins and allows you to easily upgrade your firewall to a Next Generation Firewall in seconds. NG Firewalls empower you to combat modern-day cyber attacks that are becoming more sophisticated every day.

Some of the capabilities are layer-7 application/user aware blocking, granular filtering policies, commercial-grade web filtering utilizing cloud-delivered AI-based Threat Intelligence, parental controls, and the industry's best network analytics and reporting.

Zenarmor Free Edition is available at no cost for all OPNsense users.

Cost of OPNsense on AWS

In the AWS Cloud, an instance is a virtual server. An instance is launched from an Amazon Machine Image (AMI), which supplies the instance's operating system, application server, and applications.

The AWS Free Tier allows you to get started with Amazon EC2 for free when you sign up for AWS. You can launch and utilize a t2.micro instance for free for 12 months if you select the free tier (in Regions where t2.micro is unavailable, you can use a t3.micro instance under the free tier). If you launch an instance that isn't in the free tier, you'll have to pay the usual Amazon EC2 use fees.

The OPNsense EC2 image is available in AWS Marketplace from Deciso Sales B.V. with a 30-day free trial. During the trial there are no software fees, but AWS infrastructure fees still apply and depend on your configuration choices. When the trial ends, it automatically converts to a paid subscription, and you are charged for any usage above the free units you were given.

OPNsense instances on AWS can optionally be upgraded to the Business Edition by purchasing a separate license from shop.opnsense.com. Volume discounts are also available.

Deploying OPNsense on AWS

The launch instance wizard can be used to start an OPNsense instance on AWS. The instance launch wizard specifies all of the launch parameters required to launch the instance. When the launch instance wizard offers a default value, you can accept it or enter your own. To launch an instance, you must first choose an AMI and a key pair.

To install an OPNsense instance on AWS, you may follow the steps explained below.

Step 1 - Select OPNsense AMI

To select OPNsense AMI you can follow the steps below:

  1. Go to the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. Click Launch instance in your EC2 view to start a new instance. This will redirect you to the Choose an Amazon Machine Image (AMI) page.


Figure 1. Launch new instance on AWS

  3. Type opnsense in the search bar.
  4. Click AWS Marketplace in the left sidebar.
  5. Select the OPNsense® Firewall/Router/VPN/IDPS image sold by Deciso Sales B.V.


Figure 2. Selecting OPNsense AMI

  6. A dialog box with the Product Details and Pricing Details appears; click Continue at its bottom right. This takes you to the Choose an Instance Type page.


Figure 3. Product and Pricing Details of OPNsense AWS Instance

Step 2: Choose an Instance Type

Amazon EC2 offers a diverse set of instance types that are tailored to specific use cases. Instances are virtual servers on which applications can be run. They have varying combinations of CPU, memory, storage, and networking capacity, giving you the freedom to select the best resource mix for your applications.

On the Choose an Instance Type page you select the hardware configuration and size of the OPNsense instance. Deciso recommends an m4.large instance (or larger) for the best experience with OPNsense. For a trial you can select t2.micro (1 vCPU, 1 GiB memory, EBS only) to remain eligible for the free tier; 1 GiB of memory is adequate for trying the firewall and VPN features but tight once intrusion detection rulesets are loaded, so use m4.large or larger for anything beyond a trial.

To choose the instance type, you may follow the next steps:

  1. Select t2.micro or m4.large, depending on your requirements, by clicking the check box in the first column.
  2. Click Next: Configure Instance Details to configure your instance further.


Figure 4. Selecting Instance Type

Step 3: Configure Instance Details

On the Configure Instance Details page, you can configure the OPNsense instance to meet your needs: launch multiple instances from the same AMI, request Spot Instances to benefit from lower pricing, assign an IAM role to the instance, and so on.

By default, the instance is placed in a subnet of your default VPC and receives an auto-assigned public IPv4 address, so it is reachable from the Internet. If the OPNsense instance will route or NAT traffic for other instances in the VPC, you must also disable its source/destination check after launch (select the instance, then Actions > Networking > Change source/destination check); with the check enabled, EC2 drops packets that are not addressed to or from the instance's own addresses, which breaks routing through the firewall.

You can change the instance settings by following the next steps.

  1. Leave all options as default or change the setting depending on your requirements.
  2. Click Next: Add Storage.


Figure 5. Configure Instance Details

Step 4 - Add Storage

Your instance will be launched with the storage device settings listed on this page. You can add more EBS volumes and instance store volumes to your instance, as well as change the root volume's settings. After launching an instance, you can also attach additional EBS volumes, but not instance store volumes.

To configure the OPNsense instance storage, you may follow the next steps:

  1. Set the Size (GiB), for example 30.
  2. Select the Volume Type. Free tier eligible customers can get up to 30 GB of EBS General Purpose (SSD) or Magnetic storage.
  3. You may select Delete on Termination to delete the volume when the instance is terminated.
  4. Click Next: Add Tags.


Figure 6. Add Storage

Step 5 - Add Tags

On the Add Tags page, optionally you may enter key and value combinations to specify tags. You have the option of tagging the instance, the volumes, or both. To add a tag you may follow the steps below:

  1. Click Add Tag button.
  2. Specify Key, such as Name.
  3. Specify Value, such as OPNsense.
  4. To add more than one tag to your resources, you can select Add another tag.
  5. When you're finished, click Next: Configure Security Group.


Figure 7. Add Tags

Step 6 - Configure security group

A security group is a collection of firewall rules that govern the traffic to and from your instance. You can add rules to this page to allow specific traffic to reach your instance. To configure the security group, you may follow the steps listed below:

  1. Review the rules proposed for the image. For a short trial you can leave them as they are; otherwise set the Source of the SSH and HTTP(S) rules to your administrator's IP address (for example a /32 CIDR) and remove any rule you do not need. Then click Review and Launch.
danger

Rules that allow all IP addresses (0.0.0.0/0) to connect to your instance via SSH and HTTP(S) are fine for this short exercise but are dangerous in production environments, where they expose the firewall's management interfaces to password guessing from the whole Internet. Only a specific IP address or range of IP addresses should be allowed to reach the instance. Note that the security group is enforced by AWS on the instance's network interface before any packet reaches OPNsense, so both the security group and the OPNsense WAN rules (Step 9) must permit your administrator's address.


Figure 8. Configure Security Group for OPNsense instance on AWS
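The check behind this warning can be automated. The following Python script is an added example (it is not part of the original article, nor OPNsense or AWS tooling): it audits an EC2 security group's ingress rules, in the data shape boto3's `describe_security_groups` returns under `IpPermissions`, and reports every management port (SSH 22, HTTP 80, HTTPS 443) reachable from a source outside the administrator's CIDRs, handling the all-traffic protocol `-1`, port ranges and IPv6 sources; it also builds the minimal hardened rule set for a given admin CIDR. The security-group contents and the administrator address 203.0.113.10/32 are constructed for the example; on a real account you would feed in the `IpPermissions` list fetched with boto3 or `aws ec2 describe-security-groups`.

```python
"""Audit EC2 security-group ingress for management ports open too widely.

Added example: the rule dictionaries follow the shape boto3's
ec2.describe_security_groups() returns under SecurityGroups[*].IpPermissions.
All sample data below is constructed, not captured from a real account.
"""
import ipaddress

# Ports an OPNsense administrator reaches: SSH, web UI (HTTP redirect, HTTPS)
MGMT_PORTS = {22: "ssh", 80: "http", 443: "https"}


def _tcp_port_range(perm):
    """Return (low, high) TCP ports a permission covers, or None if it is not TCP."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # "all traffic": every protocol and port
        return 0, 65535
    if proto not in ("tcp", "6"):          # udp/icmp/esp... cannot carry SSH or HTTPS
        return None
    return perm["FromPort"], perm["ToPort"]


def _sources(perm):
    """Yield every IPv4 and IPv6 network a permission admits."""
    for entry in perm.get("IpRanges", []):
        yield ipaddress.ip_network(entry["CidrIp"])
    for entry in perm.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(entry["CidrIpv6"])


def audit_ingress(permissions, admin_cidrs):
    """List (port, service, source) for management ports reachable from outside admin_cidrs.

    A source is acceptable only if it lies entirely inside one of the admin networks;
    0.0.0.0/0, ::/0 and any range broader than the admin networks is reported.
    """
    allowed = [ipaddress.ip_network(c) for c in admin_cidrs]
    findings = []
    for perm in permissions:
        port_range = _tcp_port_range(perm)
        if port_range is None:
            continue
        low, high = port_range
        for port, service in MGMT_PORTS.items():
            if not low <= port <= high:
                continue
            for src in _sources(perm):
                # subnet_of() only compares same-version networks, hence the version check
                if any(src.version == a.version and src.subnet_of(a) for a in allowed):
                    continue
                findings.append((port, service, str(src)))
    return findings


def hardened_permissions(admin_cidr, ports=(22, 443)):
    """Build the minimal IpPermissions list: only the admin network, only SSH and HTTPS."""
    net = ipaddress.ip_network(admin_cidr)
    if net.prefixlen == 0:
        raise ValueError("admin CIDR must not be the whole address space")
    range_key, cidr_key = ("IpRanges", "CidrIp") if net.version == 4 else ("Ipv6Ranges", "CidrIpv6")
    return [
        {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
         range_key: [{cidr_key: str(net), "Description": "OPNsense admin access"}]}
        for port in ports
    ]


# Constructed sample: the "leave everything default" state the warning above describes,
# plus an OpenVPN rule (clients legitimately connect from anywhere) and a VPC-internal rule.
OPEN_GROUP = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]
ADMIN_CIDRS = ["203.0.113.10/32"]   # assumed administrator address (TEST-NET-3, constructed)

if __name__ == "__main__":
    for port, service, src in audit_ingress(OPEN_GROUP, ADMIN_CIDRS):
        print(f"management port {port}/{service} reachable from {src}")
    print("hardened:", hardened_permissions(ADMIN_CIDRS[0]))
```

Run it as-is to see the findings for the constructed group, or swap `OPEN_GROUP` for the live `IpPermissions` list of your instance's security group. The VPC-internal all-traffic rule is reported as well, which is intended: any compromised host in 10.0.0.0/16 would reach the firewall's management interfaces, and the OpenVPN rule is left alone because UDP 1194 is not a management port.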

Step 7 - Review Instance Launch and Select Key Pair

To review instance launch and select SSH key pair, you may follow the next steps:

  1. Check the details of your instance on the Review Instance Launch page and make any necessary changes via the corresponding Edit link.
  2. When you're ready, click Launch.


Figure 9. Review Instance Launch

  1. In the Select an existing key pair or create a new key pair dialog box, either choose an existing key pair or create a new one. If you create one, download the private key file and store it safely; AWS keeps only the public half.
  2. Select the acknowledgment check box, then click Launch Instances.


Figure 10. Select an existing key pair or create a new key pair

Step 8. Obtain Initial Password

To obtain the initial ec2-user and root password for your OPNsense instance, you may follow the steps below:

  1. Go to the EC2 instances page on your AWS console.
  2. Select the OPNsense instance.
  3. Navigate to the Actions > Monitor and troubleshoot > Get system log.


Figure 11. Getting System Log for OPNsense instance on AWS

  4. Scroll through the log window to the lines that print the initial passwords. You can view both the ec2-user and root initial passwords. Treat them as temporary: the console output is readable by anyone holding the ec2:GetConsoleOutput permission on the instance, so change them at first login (Step 9).


Figure 12. Viewing System Log to obtain initial OPNsense instance passwords on AWS

Step 9. Initial Configuration

You can connect to the OPNsense web UI at https://public_ip_of_opnsense_instance and complete the web UI wizard by following the steps below.

  1. Open https://public_ip_of_opnsense_instance in your browser. The instance ships with a self-signed certificate, so the browser shows a certificate warning on first connection.
  2. Log in as root with the initial root password you retrieved from the system log in Step 8. (A fresh OPNsense installation image uses the default password opnsense; the AWS image sets its own initial root password at launch, which is why Step 8 is needed.)
  3. Complete the Initial Configuration wizard of the OPNsense firewall, accepting the default settings.


Figure 13. Initial Configuration Wizard for OPNsense instance on AWS

  4. Change the root password to a new one. After completing the wizard, enable SSH and add the firewall rules described below.
  5. Navigate to System > Settings > Administration in the OPNsense web UI.
  6. Scroll down to Secure Shell Server.
  7. Check the Enable Secure Shell option.
  8. Check the Permit root user login option.
  9. Check the Permit password login option. This and the previous option lower the bar for brute forcing; permit them only while the security group and the WAN rule (below) restrict SSH to your administrator's address, and switch to key-based authentication (add your SSH public key to the account under System > Access > Users) once you have a working login.
  10. Click Save at the bottom of the page.


Figure 14. Enable Secure Shell for OPNsense

  11. To define a firewall rule on the OPNsense instance that allows SSH and HTTP(S) from the firewall administrator's IP address, navigate to Firewall > Rules > WAN and add a new rule.
  12. Set Action to Pass.
  13. Set Interface to WAN.
  14. Set Protocol to TCP.
  15. Set Source to Single host or Network and type your administrator's IP address.
  16. Set Destination to WAN address.
  17. Set Destination port range to any. This admits the administrator to every TCP port on the firewall, which is what Figure 15 shows; restricting it to the SSH port (22) and the HTTPS port (443) is tighter and is what you should do for a production instance.
  18. Check the Log packets that are handled by this rule option.
  19. Set Description to Allow admin access to OPNsense.
  20. Click Save.


Figure 15. WAN Firewall Rules for unlimited administrator access on OPNsense

  21. Click Apply Changes to activate the changes.
  22. Confirm from the administrator's IP address that the new rule works (for example, by opening a second browser session to the web UI) before continuing. The anti-lockout rule is what has admitted you to the web UI so far; once it is disabled, only your own WAN rule lets you in, and a mistake here locks you out of the instance.
  23. Navigate to Firewall > Settings > Advanced to disable the anti-lockout rule.
  24. Check the Disable administration anti-lockout rule option.


Figure 16. Disabling administrator anti-lockout rule on OPNsense

  25. Click Save at the bottom of the page.
  26. Lastly, update the OPNsense firewall (System > Firmware) and keep it up to date, since the Marketplace image may be behind the current release and security fixes ship through firmware updates.

Your OPNsense firewall instance is ready to use on AWS Cloud now.

Here is the hands-on video for installing an OPNsense instance on Amazon Web Services (AWS):