Web-based SSL VPN plugin for OPNsense

Cloudfence
7 min readOct 31, 2023

Introduction

This plugin has been developed based on Apache Guacamole, bringing a range of advantages, especially when it comes to integration with OPNsense.

One of its greatest advantages is that it runs Apache Guacamole directly on OPNsense without needing an external server or installation, all within a secure jail environment.

Some of the advantages of our plugin include:

Browser-Based Access: The Web VPN plugin allows remote access via a web browser, eliminating the need to install a VPN client on each device. This simplifies connections.

Support for Multiple Protocols: Supporting various protocols such as RDP, SSH, and VNC, this plugin provides access to a wide range of systems remotely.

Ease of Implementation and Maintenance: Compared to a conventional VPN, the plugin is easier to deploy and manage, saving time and effort.

Access from Anywhere: With the Web VPN plugin, you can access remote resources from anywhere with an internet connection, making it ideal for remote teams or remote connections.

Advanced Security Integration: The plugin offers advanced security, including multi-factor authentication (MFA), to protect your remote connections.

Integration with Active Directory: Additionally, the plugin seamlessly integrates with AD, simplifying identity and access management for organizations that use it.

Note: The plugin is currently in the beta development phase.

Prerequisites

To use the Cloudfence Web VPN, you will need to install three plugins on OPNsense:

  1. Activate our plugin repository (community): Learn how in this article — How to install Cloudfence plugins?
  2. Cloudfence Web VPN Portal plugin (os-cloudfence-vpnwebportal): the plugin itself. Download instructions here
  3. HA Proxy (os-haproxy): Required for reverse proxy access via HTTPS.

Configuration:

After installing the Cloudfence Web VPN plugin, go to Cloudfence > VPN Web Portal

VPN Web Portal menu

To enable the plugin with session recording, checking the “Enable” and “Session Recording” options.

In the “LDAP authentication” option, select the type of authentication to be used. If you have an AD server configured, you can select it here. Otherwise, leave the “none” option selected, and users will be managed directly in Guacamole.

Enabling plugin

Note: The “Local Database” option will have no effect if it remains selected.

Enable MFA: Choose one (or both if you want) of the two multi-factor authentication options, which are OTP and DUO (needs an extra subscription on Cisco DUO)

Note: To use OTP with users created directly in Guacamole, the key must be collected on your first access on the Guacamole login screen after completing the remaining configurations.

Click on Save to start the jail´s plugin.

Enabling External Access through HAProxy — Installation and Configuration

To ensure secure access to the Web VPN portal, it is imperative to publish it exclusively via HTTPS. This requires the use of a reverse proxy to establish the connection between the Internet and our VPN portal. In this article, we will use HAProxy.

Below are the essential steps to configure HAProxy to work seamlessly with the VPN portal:

Note: It is strongly discouraged to make the VPN portal available over the web without encryption (HTTP instead of HTTPS).

Once you’ve installed the HAProxy plugin, navigate to Services > HAProxy > Settings:

HAProxy menu

In the “Real Servers” tab, click the “+” button to create a new configuration and follow these instructions:

HAProxy — Real Servers
  • Name or Prefix — Set it as “WebVPN_Jail.”
  • Type — Choose “static”
  • FQDN or IP — Set it to “127.0.0.11
  • Port — Specify it as 8080
HAProxy — Edit Server

In the “Virtual Services — Backend Pools” tab, click the “+” button to establish a new configuration:

HAProxy — Backend Pools
  • Name — Label it as “WebVPN_Pool
  • Servers — Select the name you assigned earlier in the “Real Servers” section, which in this tutorial is “WebVPN_Jail
Edit Backend Pool

In the “Virtual Services — Public Servers” tab, click the “+” button to add a new configuration, and follow these steps:

Virtual Services
  • Name — Label it as “WebVPN_FrontEnd
  • Listen Addresses — Input the IP address to be used for accessing the Web VPN Portal, followed by “ : “ and port 443: XXX.XXX.XXX.XXX:443
Edit Public Service

Note: If your firewall lacks a public IP on its interfaces, you will need to configure the private IP in HAProxy. However, the device with the public IP (usually found in the modem or the internet service provider’s router) must forward all traffic to the firewall interfaces without restrictions for the Cloudfence Web VPN to function correctly.

Default Backend Pool — Choose the Backend Pool you established earlier, which in this tutorial is “WebVPN_Pool

Enable SSL offloading — Check this option.

Certificates — Select a self-signed certificate, which can be the Web GUI certificate itself, provided it has not expired. It is advisable to use a valid certificate rather than a self-signed one, which can be installed on your OPNsense or obtained for free using the Acme plugin (Let’s Encrypt).

Edit Backend Pool

In the “Settings — Service” tab:

  • Enable HAProxy — Check this option to activate HAProxy.
  • Click “Save & Test syntax” to apply all changes and perform validation tests.
Enabling HAProxy service

If you encounter a message like the one in the image below, it confirms that your settings have been successfully validated:

HAProxy configuration test result

Firewall Rules — WAN

Here, you need to create an inbound rule on the WAN interface to allow access to the Cloudfence Web VPN Portal. Below is an example of the rule to create:

  • Protocol: TCP
  • Source: any
  • Destination: WAN Address (or the IP you configured in HAProxy)
  • Destination Port: 443 (HTTPS)
  • Description (suggested): Web VPN Cloudfence

Firewall — NAT — Outbound

In order for the connections between the Web VPN Portal to work, there is still a need to add an Outbound NAT where the connections from the jail source should exit with the LAN IP (or the IP of the interface on the same network that is making the access).

First, check if the Outbound NAT is in HYBRID mode. If it is not, change it by selecting the “Hybrid outbound NAT rule generation” option. Save, and then click on the '+' sign to add a new NAT rule.

Below is an example of the Outbound NAT rule to be configured:

Interface: LAN (or the local network interface used)
Source: Loopback net
Source Port: any
Destination: LAN net (or the local network used)
Destination Port: any
NAT Address: Interface Address
NAT Port: any
Static Port: no
Description (suggestion): Web VPN Local Servers

NAT Outbound mode

Testing — Accessing the VPN Web Portal

Using HTTPS, access the VPN Web Portal by typing the public IP address into a web browser. This IP address should have been pre-configured in HAProxy or is the public IP provided by your internet distribution device (modem or router supplying the IP to your firewall).

For example: https://123.123.123.123

VPN Web Portal login page

Important:

1. Upon the first access to the portal, use the username “guacadmin” and the default password: “cloudfence”
2. You will be prompted to change the password after the initial login.
3. If you encounter issues with OTP code insertion during your first access, temporarily uncheck the “OTP authentication” option in the VPN Web Portal settings (Cloudfence > VPN Web Portal).

Note: If your firewall does not have a public IP directly on its WAN interface, you will need to configure the local WAN IP in HAProxy. However, when accessing the Web Portal, you must enter the current public IP that the firewall is using to connect to the internet. In other words, use the public IP used by the modem or router on your network (the one supplying internet to the firewall).

Conclusion

In this article, we have learned how to install and configure the Cloudfence Web VPN portal plugin. We discussed important steps such as enabling two-factor authentication and setting up HTTPS access using the HAProxy plugin. If you require assistance with the plugin, we provide community support on our Discord server.

--

--