- A system capable of running VirtualBox
- Vagrant
- VirtualBox
Create a host-only network in VirtualBox and give the host adapter an address in 192.168.1.0/24 other than 192.168.1.1, because 192.168.1.1 is the address OPNsense uses for its LAN interface by default. Make sure the VirtualBox DHCP server is disabled on that host-only network.
You can set the variable `$opnsense_release` in `Vagrantfile` to the desired OPNsense release, e.g. `22.1`, to select the matching major release version. Likewise you can set `$opnsense_box` to the base box to bootstrap from. For `22.1` that is `punktde/freebsd-130-ufs`.
```
git clone git@github.com:punktDe/vagrant-opnsense.git
cd vagrant-opnsense
vi Vagrantfile # adjust OPNsense version if desired
vagrant up
```
This will automatically:
- download a plain FreeBSD Vagrant box provided by punkt.de infrastructure.
- boot the VM.
- convert the VM into an OPNsense installation with the bootstrap method.
- adjust the configuration for this development environment. SSH will be enabled and permitted on all interfaces, including WAN, so never expose this VM to an untrusted network!
- reboot the resulting VM.
Should you need to repeat this step from the start you can always
```
vagrant destroy
vagrant up
```
If `vagrant up` cannot connect via SSH initially, you need to apply the SSH workaround described below.
Use the default user and password of `root`/`opnsense`.
Congratulations! You have a working OPNsense installation in Vagrant/VirtualBox. Now navigate through the initial setup wizard or skip it as instructed in the UI.
Use `vagrant ssh` to log in. `sudo` works without a password.
- You should install the `os-virtualbox` plugin so you can cleanly shut down and start up the system.
- Also disable OPNsense's own DHCP server on LAN, so it does not hand out leases on your host-only network.
Vagrant uses a bundled Ruby based SSH implementation (net-ssh) for the initial SSH connection it needs to set up IP addresses, NFS mounts, etc. `vagrant ssh`, on the contrary, uses the plain command line SSH client.
Unfortunately, when authenticating with an RSA key the Ruby library only offers the legacy `ssh-rsa` public key algorithm (RSA with SHA-1) instead of `rsa-sha2-256`/`rsa-sha2-512`, and the OpenSSH server in OPNsense refuses `ssh-rsa` in its default configuration (OpenSSH dropped it from the defaults in 8.8).
So you need to adjust the accepted public key algorithms in the UI for `vagrant up` to fully work. Keep in mind that this re-enables SHA-1 based RSA signatures for public key authentication; that is acceptable for a throwaway development VM, but not a setting to carry over to a production firewall.
Find out which algorithms the running server currently accepts (these are the ones OpenSSH considers secure by default):
```
vagrant ssh
sudo sshd -T | awk '/pubkeyacceptedalgorithms/ { print $2 }' | tr ',' '\n'
```
Then explicitly list exactly these algorithms in the advanced section of the SSH settings in the UI (System > Settings > Administration, Secure Shell) and add `ssh-rsa` to the list.
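The list the UI expects can be assembled from the `sshd -T` output instead of retyping it. The following shell script is an added example and not part of this repository: the `sshd -T` dump it parses is a constructed sample, and on the VM you would feed it the real output of `sudo sshd -T` as shown in the last comment. It appends `ssh-rsa` only if it is not already present, matching whole tokens so that `rsa-sha2-256` is never mistaken for `ssh-rsa`.

```shell
#!/bin/sh
# Build the "public key algorithms" value for the OPNsense UI from `sshd -T`
# output: keep what the running sshd already accepts and append ssh-rsa for
# Vagrant's Ruby SSH client. Added example, not code from vagrant-opnsense.

# Constructed sample of what `sudo sshd -T` prints on the VM (only the
# keyword we care about; a real dump has many more lines).
SAMPLE_SSHD_T='port 22
pubkeyacceptedalgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256
permitrootlogin yes'

# Extract the comma-separated list of accepted public key algorithms
# from a full `sshd -T` dump passed as $1.
current_pubkey_algos() {
  printf '%s\n' "$1" | awk '$1 == "pubkeyacceptedalgorithms" { print $2 }'
}

# Append ssh-rsa unless it is already listed. `grep -x` matches the whole
# line, so rsa-sha2-256 or ssh-rsa-cert-v01@openssh.com do not count.
with_ssh_rsa() {
  list="$1"
  if printf '%s\n' "$list" | tr ',' '\n' | grep -qx 'ssh-rsa'; then
    printf '%s\n' "$list"
  else
    printf '%s,ssh-rsa\n' "$list"
  fi
}

# Number of entries in a comma-separated list; handy to compare the UI
# field against what `sshd -T` reports after saving.
algo_count() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -c .
}

# Live use on the VM (via `vagrant ssh`):
#   with_ssh_rsa "$(current_pubkey_algos "$(sudo sshd -T)")"
# Paste the printed line into the UI field. Afterwards `sudo sshd -T`
# should list ssh-rsa as the last public key algorithm.
```

After saving in the UI, re-run `sudo sshd -T | awk '/pubkeyacceptedalgorithms/ { print $2 }'` to confirm the daemon really picked up the change before retrying `vagrant up`.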
The firewall you just created is fully functional, so you can route individual networks or addresses through it from your desktop system. E.g. to access our company's web page through OPNsense you can route our entire address range via the OPNsense LAN address.
On a Mac:
```
sudo route add -net 217.29.32.0/20 192.168.1.1
```
On Windows (in an elevated prompt):
```
route ADD 217.29.32.0 MASK 255.240.0.0 192.168.1.1
```
Now when you look up our website in your browser the traffic goes through the OPNsense running in VirtualBox/Vagrant; on a Mac, `route -n get 217.29.32.1` should report `192.168.1.1` as the gateway. Make sure to disable IPv6 on your Mac for these experiments if you have native IPv6 connectivity. If you don't, the browser will prefer IPv6 and bypass the VM.
If you want to change the LAN network after initial deployment, e.g. because you already use 192.168.1.0/24, use these steps:
- Change the IP address in the UI, save and apply. Use anything but the lowest address (.1) and keep a /24 netmask. You will lose connectivity, of course.
- Use `vagrant halt` to shut down the VM. Vagrant connects via WAN, so this still works.
- Edit `Vagrantfile` and change `$virtual_machine_ip` to your new value.
- Start the VM with `vagrant up`. Vagrant will automatically create a matching host-only network and use the lowest address (.1) for your development system.
- Use the new address to connect via browser once the VM is up and running.
To check out the OPNsense sources inside the VM for development:
```
vagrant ssh
sudo su -
opnsense-code -d /var/vagrant core # first time will clone tools repo
opnsense-code -d /var/vagrant core # this will clone the OPNsense core repo proper
opnsense-code -d /var/vagrant plugins # clone plugins repo for good measure
```
Enjoy!