How to Install OPNsense on Google Cloud Platform

The Google Cloud Platform is a collection of Google's public cloud computing services. The platform contains a number of Google-hosted services for computation, app development, and storage. Cloud administrators, software developers, and enterprise IT professionals can access Google Cloud Platform services via the public internet or a dedicated network connection.

The Google Cloud Free Program offers the following components:

  • $300 Free Trial for 90 days: To explore and evaluate Google Cloud and Google Maps Platform products and services, new Google Cloud and Google Maps Platform users can take advantage of a 90-day trial period that includes $300 in free Cloud Billing credits. These credits can be applied to any product or a combination of products.
  • Free Tier: All Google Cloud users can use specific Google Cloud products for free, up to certain monthly consumption limits, such as Compute Engine and Cloud Storage. These resources are not debited against your Free Trial credits or to your Cloud Billing account's payment method after your trial finishes if you stay within the Free Tier limits.

One of the following operating system image types can be used to create boot disks for an instance on Google Cloud Portal:

  • Public Images: Google, open-source communities, and third-party companies supply and preserve public images. These images are available to all Google Cloud projects by default, and they can be used to generate instances.
  • Custom images: Only your Cloud project has access to custom images. Boot disks and other images can be combined to build a custom image. Then, create an instance with the custom image.

Most public images are free to use, but there are a few premium images that will cost you money.

Custom images imported into Compute Engine have no cost to your instances, but there is an image storage charge while your custom image is in your project.

OPNsense is one of the best open-source firewalls and is widely used as a firewall and routing platform, especially in home and small business networks. It is a fork of pfSense software, which was forked from m0n0wall, a FreeBSD-based firewall. Deciso, a Dutch company, not only develops software packages for OPNsense but also produces hardware firewalls. Although it is generally considered a traditional packet filtering firewall, OPNsense with the Zenarmor plugin provides next-generation firewall capabilities and is increasingly deployed in enterprise networks. However, there is no OPNsense image publicly available on the Google Cloud Platform. For Amazon Cloud, there is an officially supported OPNsense image, and you can easily install an OPNsense firewall on AWS.

In this article, we explain 11 steps for creating a custom OPNsense 22.1 image and installing an OPNsense firewall on Google Cloud Portal. This will allow you to establish a powerful firewall on Google Cloud Platform to deliver a VPN server. After installing your OPNsense instance, you can install either the WireGuard or the OpenVPN service on it, as you wish.

Tip: Installing Zenarmor on your VPN server is strongly recommended, as it will make your network more secure. By configuring Zenarmor and applying web filtering and application control, you can block security threats coming from your VPN tunnel interface. For more information, please refer to installing Zenarmor and managing policies.

Even if you don't have deep knowledge of or any experience with Google Cloud Portal, you can easily install an OPNsense instance on GCP by following the steps in this article. We'll also provide some tricks to ensure that you don't run into any issues throughout the installation.

1. Create GCP Compatible OPNsense Image File

First, the OPNsense distribution image must be converted to a Google Cloud Portal compatible format. You can easily create a GCP compatible OPNsense image by following the steps below:

1.1. Download the AMD64 USB serial console installer image from the official OPNsense site. You can download the OPNsense image via your favorite browser or the CLI. For example, you may run the following command in your CLI to download the OPNsense-22.1 serial image file.

wget https://mirror.dns-root.de/opnsense/releases/22.1/OPNsense-22.1-OpenSSL-serial-amd64.img.bz2

Figure 1. Downloading OPNsense serial image for GCP

1.2. Decompress the disk image by running the following command in your Linux terminal.

bunzip2 OPNsense-22.1-OpenSSL-serial-amd64.img.bz2

You should now have a file called OPNsense-22.1-OpenSSL-serial-amd64.img.

1.3. Run the following one-line command to create a new .raw disk image from this .img image file:

dd if=OPNsense-22.1-OpenSSL-serial-amd64.img of=disk.raw bs=4M conv=sparse

Danger: Make sure your output file name is disk.raw, as this is the file name Google Cloud searches for when creating your instance boot disk.

You should see the following files in your current directory:

ls -l

total 1216322
-rw-r--r-- 1 root wheel 1595881984 Mar 10 07:26 OPNsense-22.1-OpenSSL-serial-amd64.img
-rw-r--r-- 1 root wheel 1595881984 Mar 10 08:48 disk.raw

1.4. Re-compress this new .raw disk image into a .tar.gz file. This stage compresses the image file so that it may be uploaded to Cloud Storage more rapidly.

tar --format=oldgnu -Sczf OPNsense-22.1-OpenSSL-serial-amd64.img.tar.gz disk.raw

Danger: The compressed file must be a .tar.gz file with gzip compression and the tar utility's --format=oldgnu option.

You should see the following files in your current directory:

ls -l
total 1621227
-rw-r--r-- 1 root wheel 1595881984 Mar 10 07:26 OPNsense-22.1-OpenSSL-serial-amd64.img
-rw-r--r-- 1 root wheel 414548025 Mar 10 08:53 OPNsense-22.1-OpenSSL-serial-amd64.img.tar.gz
-rw-r--r-- 1 root wheel 1595881984 Mar 10 08:48 disk.raw

Now, your OPNsense image is Google Cloud compatible.
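
The steps above download the installer from a mirror and repackage it without checking what was downloaded. The script below is an added example, not part of the original article: it verifies the downloaded .bz2 against a published SHA-256 checksum list and confirms that the final archive is a gzip tarball whose only member is disk.raw. It assumes a BSD-style checksum list (SHA256 (name) = hash); CHECKSUM_LIST in the usage comment is a placeholder for the checksum file published next to the image.

```shell
#!/bin/sh
# Added example (not from the original article): integrity checks for section 1.
# Assumption: the mirror's checksum list uses BSD-style lines such as
#   SHA256 (OPNsense-22.1-OpenSSL-serial-amd64.img.bz2) = <64 hex digits>

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 -r "$1" | awk '{print $1}'
    fi
}

# verify_download FILE CHECKSUM_LIST
# 0 = hash matches, 1 = mismatch, 2 = FILE is not listed in CHECKSUM_LIST.
verify_download() {
    vd_name=$(basename "$1")
    vd_expected=$(awk -v n="($vd_name)" \
        '$1 == "SHA256" && $2 == n && $3 == "=" { print tolower($4) }' "$2")
    if [ -z "$vd_expected" ]; then
        echo "no SHA256 entry for $vd_name in $2" >&2
        return 2
    fi
    vd_actual=$(sha256_of "$1")
    if [ "$vd_actual" != "$vd_expected" ]; then
        echo "MISMATCH $vd_name: expected $vd_expected, got $vd_actual" >&2
        return 1
    fi
    echo "OK $vd_name"
}

# check_gcp_tarball TARBALL
# 0 only if TARBALL is gzip data whose single member is named disk.raw,
# the two properties the article says Google Cloud requires.
check_gcp_tarball() {
    ct_magic=$(head -c 2 "$1" | od -An -tx1 | tr -d ' \n')
    if [ "$ct_magic" != "1f8b" ]; then
        echo "$1 is not gzip-compressed" >&2
        return 1
    fi
    ct_members=$(tar -tzf "$1") || return 1
    if [ "$ct_members" != "disk.raw" ]; then
        echo "$1 must contain only disk.raw, found: $ct_members" >&2
        return 1
    fi
    echo "OK $1"
}

# Usage in the workflow above (CHECKSUM_LIST is a placeholder):
#   verify_download OPNsense-22.1-OpenSSL-serial-amd64.img.bz2 CHECKSUM_LIST \
#     && bunzip2 OPNsense-22.1-OpenSSL-serial-amd64.img.bz2
#   check_gcp_tarball OPNsense-22.1-OpenSSL-serial-amd64.img.tar.gz
```

Run verify_download before bunzip2, because bunzip2 replaces the .bz2 file that the published hash refers to.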

2. Upload OPNsense image to Google Cloud Storage Bucket

Now, you should upload your OPNsense image to Cloud Storage and add it to your custom images list by following the next steps.

2.1. Open your Google Cloud Console via your favorite browser.

2.2. Navigate to the Cloud Storage > Browser. You must either create a new bucket or use an existing bucket. If you will use an existing one, you can skip the related steps.

Figure 2. Navigating to Google Cloud Storage Browser

2.3. To create a new bucket, click Create bucket at the top of the page.

2.4. Specify a unique bucket name, such as svn-opnsense.

2.5. Select a location where you want to store your image files.

2.6. Select the Standard storage class.

2.7. You may set Public access prevention to on.

2.8. You may set Access Control to Fine-grained.

2.9. You may leave other settings as default.

2.10. Click Create to create the bucket. The browser page navigates to the new bucket.

Figure 3. Creating a new bucket on Google Cloud

2.11. Click Upload Files at the top of the Bucket Details page to upload the OPNsense-22.1-OpenSSL-serial-amd64.img.tar.gz image file.

Figure 4. Bucket details page on Google Cloud

2.12. Select the compressed image .tar.gz file from your computer in the file dialog. Depending on the speed of your network connection, this process could take half an hour. You may also upload the file via the Google command-line utility by running the next command:

gsutil cp OPNsense-22.1-OpenSSL-serial-amd64.img.tar.gz gs://svn-opnsense

3. Create an OPNsense Image on Google Cloud Platform

You may create an OPNsense image on the Google Cloud Platform by following the next steps.

3.1. Navigate to the Compute Engine > Images in Google Cloud Console.

Figure 5. Navigating to Images on Google Cloud Console

3.2. Click Create image at the top of the page.

3.3. Specify a unique name for the image in the Name field, such as opnsense-22-1-installer.

3.4. You may specify an image family for your new image, or configure specific encryption settings for the image.

3.5. Click the Source menu and select Cloud Storage file.

3.6. Browse and select the compressed OPNsense image .tar.gz file that you uploaded to Cloud Storage.

3.7. Click Create to import the image. The process can take several minutes. Your OPNsense image is now included on your Images page. You can create an OPNsense instance VM using this imported image.

Figure 6. Creating OPNsense image on Google Cloud Platform

Figure 7. Viewing newly created OPNsense image on Google Cloud Platform

4. Create a New Instance for OPNsense Installer

In this stage, a new instance will be established and OPNsense will be installed on a second disk using the installer image. To create an instance as an OPNsense installer, you may follow the next steps given below:

4.1. Navigate to the Compute Engine > VM Instance in the Cloud Console.

4.2. Click Create Instance at the top of the page.

4.3. In the Boot disk section, click Change.

4.4. Select the Custom images tab.

4.5. To select the image project, click Select a project.

4.6. Select the project that contains the image.

4.7. Click Open.

4.8. Click the image that you imported, in our case opnsense-22-1-installer, in the Image list.

4.9. Select the type and size of your boot disk.

4.10. Click Select to confirm your boot disk options.

Figure 8. Selecting Custom OPNsense Installer Image as Boot Disk

4.11. Click the advanced drop-down link to create an additional disk.

4.12. Specify Name, such as opnsense-22-1-clean-install. Default is disk-2.

4.13. Set Source Type to None (blank disk).

4.14. Specify the Disk Type, such as SSD persistent disk.

4.15. Specify the Size, such as 40GB.

4.16. Click Create. This will create and launch your new OPNsense installer instance.

5. Enable and Connect to OPNsense Installer Serial Console

Even if serial access is disabled for the project, you can enable access, explicitly or by default, for one or more instances on Google Cloud Portal. You can enable and connect to your OPNsense Installer Serial Console by following the next steps:

5.1. Navigate to the VM instances page, in the Google Cloud Console.

5.2. Click the newly created OPNsense installer instance you want to enable serial access for.

5.3. Click Edit.

5.4. Under the Remote access section, check the Enable connecting to serial ports checkbox.

5.5. Save your changes.

Figure 9. Enable serial console access for Google Cloud instance

Info: You can connect to a serial console using the Google Cloud Console, the Google Cloud CLI, or a third-party SSH client after allowing interactive access for an instance's serial console.

SSH keys are used to authenticate users on the serial console. You must save your private key on the local machine from which you want to log in and add your public SSH key to the project or instance information. SSH keys are automatically added to the project via the gcloud CLI and the Google Cloud Console.

5.6. Click Connect to serial console drop-down menu in the instance details page.

5.7. Click serial port.

Figure 10. Connecting to an instance via serial console on Google Cloud

6. Install OPNsense on Second Disk of OPNsense Installer Instance

After connecting to the OPNsense installer instance via the serial console, you may install OPNsense by following the next steps given below.

6.1. Log in as installer using the password opnsense.

Figure 11. Installer login to OPNsense instance via the serial port on Google Cloud

6.2. The defaults are acceptable for all settings except the disk partition. You must select the second disk partition of the instance for installation, in our example da1 or disk2.

Figure 12. Disk Selection for OPNsense Installation

6.3. Stop the instance on Cloud Console after completing the installation instead of rebooting.

Figure 13. Stopping OPNsense Instance

7. Create Snapshot of the OPNsense Installed Disk

You may create a snapshot of the OPNsense Installed Disk by following the instructions below:

7.1. Navigate to the Compute Engine > Disks page in the Google Cloud Console.

7.2. Click Create a Snapshot at the top of the page.

7.3. Enter a snapshot Name, such as opnsense-22-1-image.

7.4. Optionally, enter a Description of the snapshot.

7.5. Under Source disk, select the OPNsense installed disk from which you want to create a snapshot, in our example opnsense-22-1 or disk2.

7.6. Optionally, you can specify a custom storage location. Under Location, select the Multi-regional location or a Regional location.

7.7. Select the specific region or multi-region that you want to use. To use the region or multi-region that is closest to your source disk, select Based on disk's location.

7.8. Click Create to create the snapshot.

Figure 14. Creating a snapshot of OPNsense installed disk on Google Cloud

8. Create and Launch New OPNsense Instance Using Snapshot

You may create and launch a new OPNsense instance using the snapshot of OPNsense installed disk on Google Cloud by following the steps below:

8.1. Navigate to Compute Engine > VM Instance on Google Cloud Console.

8.2. Click Create an instance.

8.3. Specify Name, such as opnsense-22-1-fw.

8.4. Select a Region and Zone as you wish.

8.5. Set Machine type to something applicable to your workload or leave it as default.

8.6. Click the Change button under the Boot disk option.

8.7. Click Snapshots tab.

8.8. Select opnsense-22-1-image from the Snapshots drop-down menu.

8.9. You may select Boot disk type as SSD persistent disk.

8.10. You may set Size, such as 40GB.

8.11. Click Select for completing boot disk selection.

Figure 15. Selecting OPNsense installed snapshot as a boot disk on Google Cloud

8.12. You may click both Allow HTTP traffic and Allow HTTPS traffic options under the Firewall section.

8.13. Click Networking advanced drop-down menu.

8.14. Specify networking tags, such as opnsense-fw. This will be useful for firewall configuration.

Figure 16. Adding tags and firewall rules for OPNsense instance on Google Cloud

8.15. Click Create at the bottom of the page. This will launch your new OPNsense firewall instance.

9. Enable and Connect to Serial Console For Initial OPNsense Configuration

You should enable and connect to the new OPNsense instance, opnsense-22-1-fw, for initial OPNsense configuration as explained in section 5 above. After connecting to your instance via serial port, you may follow the steps below for the initial OPNsense configuration.

9.1. Log in as root using the password opnsense.

9.2. Select 1 to Assign Network Interfaces in the OPNsense menu.

9.3. Assign the WAN interface to vtnet0: no lagg, no vlan, vtnet0 as wan, no lan, no opt.

9.4. Select 2 to Set IP address in the OPNsense menu.

9.5. Select 8 for shell access.

9.6. Run the command given below. Due to administrative overhead in the Google network, Google Cloud requires an MTU of 1460 or less.

ifconfig vtnet0 mtu 1460

Danger: This is only a temporary fix; the MTU will be set permanently in the WebUI later (step 11.3).

9.7. Edit /conf/config.xml using a text editor, such as vi, and add the following line, which disables the web UI's HTTP referer check, inside the <webgui> section. If you skip this step, the OPNsense web UI will throw an error because of the way GCP internal IPs work.

<webgui>
<nohttpreferercheck>1</nohttpreferercheck>
</webgui>

9.8. Disable packet filtering temporarily by running the following command.

pfctl -d

10. Create a Cloud Firewall Rule to Allow Admin Access to the OPNsense Instance

You may create cloud firewall rules that allow admin access to the OPNsense instance and deny access from everyone else by following the steps below:

10.1. Navigate to VPC Network > Firewall in Cloud Console.

10.2. Click Create a firewall rule.

10.3. Specify Name, such as opnsense-fw-admin-access.

10.4. Set Priority to 100.

10.5. Type Description, such as opnsense-fw-admin-access from admin IP.

10.6. Set Target tags to networking tags of OPNsense instance, for our example opnsense-fw.

10.7. Set Source IP ranges to IP address of your firewall admins.

10.8. Set Specified protocols and ports to tcp:22, 80, 443.

10.9. Click Create to activate the firewall rule and give it some time to propagate to the cloud firewalls.

10.10. Click Create a firewall rule.

10.11. Specify Name, such as opnsense-fw-access-block.

10.12. Type Description, such as opnsense-fw-access from all.

10.13. Set Priority to 110.

10.14. Set Action on match to Deny.

10.15. Set Target tags to networking tags of OPNsense instance, for our example opnsense-fw.

10.16. Set Source IP ranges to 0.0.0.0/0.

10.17. Set protocols and ports to Deny all.

10.18. Click Create to activate the firewall rule.
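
Section 10's two rules, written as gcloud commands so they can be reviewed before they are applied; this is an added example, not part of the original article. The network name default and the local policy that an admin source range must be /24 or narrower are assumptions, and valid_admin_cidr and emit_admin_rules are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the original article): section 10's two rules as
# gcloud commands. Assumptions: VPC network "default", and a local policy
# (hypothetical) that an admin source range must be /24 or narrower.

# valid_admin_cidr CIDR -> 0 if CIDR is IPv4 a.b.c.d/len with 24 <= len <= 32
valid_admin_cidr() {
    va_ip=${1%/*}
    va_len=${1#*/}
    [ "$va_ip" != "$1" ] || return 1                  # no "/" present
    case $va_len in ''|*[!0-9]*) return 1 ;; esac
    case $va_ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    [ "$va_len" -ge 24 ] && [ "$va_len" -le 32 ] || return 1
    va_ifs=$IFS; IFS=.
    set -- $va_ip
    IFS=$va_ifs
    [ $# -eq 4 ] || return 1
    for va_octet in "$@"; do
        [ "$va_octet" -le 255 ] || return 1
    done
}

# emit_admin_rules ADMIN_CIDR [TAG] [NETWORK]
# Prints the two commands for review; pipe the output to sh to apply them.
# GCP evaluates lower priority numbers first, so the allow at 100 wins over
# the deny at 110, and the deny at 110 wins over the allow rules created by
# the Allow HTTP/HTTPS traffic checkboxes (step 8.12) at priority 1000.
emit_admin_rules() {
    er_admin=$1
    er_tag=${2:-opnsense-fw}
    er_net=${3:-default}
    case "$er_tag$er_net" in
        *[!a-z0-9-]*) echo "invalid tag or network name" >&2; return 1 ;;
    esac
    if ! valid_admin_cidr "$er_admin"; then
        echo "refusing admin source range '$er_admin'" >&2
        return 1
    fi
    cat <<EOF
gcloud compute firewall-rules create opnsense-fw-admin-access \\
  --network=$er_net --direction=INGRESS --priority=100 --action=ALLOW \\
  --rules=tcp:22,tcp:80,tcp:443 --source-ranges=$er_admin \\
  --target-tags=$er_tag --description="opnsense-fw-admin-access from admin IP"
gcloud compute firewall-rules create opnsense-fw-access-block \\
  --network=$er_net --direction=INGRESS --priority=110 --action=DENY \\
  --rules=all --source-ranges=0.0.0.0/0 \\
  --target-tags=$er_tag --description="opnsense-fw-access from all"
EOF
}

# Usage (203.0.113.10/32 is a documentation address, not a real admin IP):
#   emit_admin_rules 203.0.113.10/32          # review the commands
#   emit_admin_rules 203.0.113.10/32 | sh     # apply them
```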

11. Complete the WebUI Wizard and Initial Firewall Configuration

You can connect to your OPNsense web UI via https://public_ip_of_opnsense_instance and complete the WebUI wizard by following the steps below.

11.1. Connect to https://public_ip_of_opnsense_instance using your favorite browser.

11.2. Log in as root using the default OPNsense password, which is opnsense.

11.3. Complete the Initial Configuration of the OPNsense Firewall by accepting the default settings, except for the WAN MTU option, which should be set to 1460.

Danger: Do not forget to set WAN MTU to 1460.

Figure 17. Setting WAN MTU size to 1460 on Google Cloud

11.4. Change the root password to a strong one. After completing the wizard, you should enable SSH and add firewall rules.

11.5. Navigate to System > Settings > Administration in the OPNsense Web UI.

11.6. Scroll down to the Secure Shell Server.

11.7. Check Enable Secure Shell option.

11.8. Check Permit root user login option.

11.9. Check Permit password login option.

11.10. Click Save at the bottom of the page.

Figure 18. Enable Secure Shell for OPNsense

11.11. To define a firewall rule on the OPNsense firewall instance that allows SSH and HTTP(S) from firewall admin IP addresses, navigate to Firewall > Rules > WAN.

11.12. Set Action to Pass.

11.13. Set Interface to WAN.

11.14. Set Protocol to TCP.

11.15. Select Source as Single Host or Network and type the IP address of your administrator.

11.16. Set Destination: WAN Address.

11.17. Set Destination Port Range to any.

11.18. Check the Log packets that are handled by this rule option.

11.19. Set Description to Allow admin access to OPNsense.

11.20. Click Save.

Figure 19. WAN Firewall Rules for unlimited administrator access on OPNsense

11.21. Apply Changes to activate the changes.

11.22. Navigate to Firewall > Settings > Advanced to disable the anti-lockout rule.

11.23. Check the Disable administration anti-lockout rule option.

Figure 20. Disabling administrator anti-lockout rule on OPNsense

11.24. Click Save at the bottom of the page.

11.25. Lastly, and most importantly, update the OPNsense firewall and always keep it up to date for better network security.

Your OPNsense firewall instance is ready to use on Google Cloud Portal now.

Note: You can delete your OPNsense installer VM instance since it is no longer required after creating the install snapshot.

Hands on Video

Here is a video that will guide you through the steps of the OPNsense installation on Google Cloud Platform.