Deploying OPNsense on Oracle Cloud Infrastructure (OCI) Always Free Tier: A Technical Guide

Networking
, ,
1

Deploying OPNsense on Oracle Cloud Infrastructure (OCI) Always Free Tier: A Comprehensive Technical Guide

In this post, I am documenting a implementation of OPNsense on an OCI Always Free compute instance.

OCI Always Free Instance Deployment Procedure

The following outlines the step-by-step process for deploying OPNsense on an OCI Always Free AMD instance (e.g., VM.Standard.E2.1.Micro: 1 core at 2.55 GHz based on AMD EPYC processor).

Step 1: Prepare Configuration File Locally

On a local workstation, generate or modify an OPNsense config.xml file tailored for the OCI environment. Key modifications from a default configuration include:

  • Configuring a single network interface card (NIC) for WAN, assigned via DHCP to acquire an IP address dynamically.
  • Disabling HTTP_REFERER enforcement to accommodate OCI’s networking constraints.

This file will be uploaded later for initial setup.

Step 2: Configure Virtual Cloud Network (VCN) and Subnet

  • Create a VCN within OCI.
  • Establish a public subnet within the VCN.
  • Configure the OCI security list (firewall rules) to permit ingress traffic for SSH (TCP port 22), HTTP (TCP port 80), and HTTPS (TCP port 443).

Step 3: Provision Initial Oracle Linux Instance

  • Launch an Oracle Linux instance on the AMD shape (e.g., VM.Standard.E2.1.Micro).
  • During instance creation, upload an SSH public key for secure remote access.

Step 4: Convert to FreeBSD

Access the instance via SSH and execute the following commands to overwrite the boot disk with a FreeBSD image:

wget https://download.freebsd.org/ftp/releases/VM-IMAGES/14-RELEASE/amd64/Latest/FreeBSD-14-RELEASE-amd64.raw.xz
xz -dc FreeBSD-14-RELEASE-amd64.raw.xz | sudo dd of=/dev/sda bs=1M conv=fdatasync

(Note: /dev/sda refers to the boot disk; verify the device identifier as needed. This operation overwrites the running Oracle Linux system, which carries a risk of data corruption. To mitigate, detach the boot volume and attach it to a secondary instance for imaging.)

Reboot the instance to boot into FreeBSD.

Step 5: Upload Configuration File

Using SCP or SFTP, transfer the prepared config.xml to the FreeBSD instance.

Step 6: Bootstrap OPNsense

Via SSH, install prerequisites and run the OPNsense bootstrap script:

pkg install ca_root_nss
fetch https://raw.githubusercontent.com/opnsense/update/master/src/bootstrap/opnsense-bootstrap.sh.in
sh ./opnsense-bootstrap.sh.in -r 25.7

This converts the FreeBSD base into a fully functional OPNsense installation (version 25.7 in this example).

Step 7: Initial Configuration via Cloud Console

Utilize OCI’s web-based serial console to interact with the OPNsense boot process:

  • Import the uploaded config.xml during the first boot wizard.
    Alternatively, if no custom config is used, perform initial interface assignment via the console, as OPNsense defaults to allowing WAN-side web GUI access on single-interface setups.

The OPNsense instance is now accessible via its web GUI for advanced configuration. Leveraging the Always Free tier ensures this cloud-hosted edge router incurs no operational costs.

Use Cases and Enhancements

This deployment serves multiple purposes:

  • DNS-over-TLS Server with Ad Blocking: Configured for integration with Android devices to provide secure, privacy-enhanced DNS resolution.
  • WireGuard Tunnel Endpoint: Acts as a resilient remote access point.

Addressing IPv6 and Access Challenges

OCI employs IPv4 Source Network Address Translation (SNAT), which can complicate direct inbound connections. To resolve:

  • Assign an IPv6 address during instance creation or via network settings post-deployment.
  • Access the web GUI initially using the IPv6 literal address (e.g., https://[2001:db8:1:2::a]).
  • In System > Settings > General, specify a hostname and domain.
  • Create corresponding AAAA (IPv6) and A (IPv4) DNS records.
  • Access via the hostname (e.g., https://opnsense.example.com).
  • Install a valid SSL certificate using the ACME plugin for enhanced security.

Alternative Approach: Uploading Custom OPNsense Image to Object Storage

For a more streamlined deployment, particularly on AMD shapes:

  1. Decompress the OPNsense image file locally.
  2. Create an Object Storage bucket (refer to OCI documentation: Object Storage and Creating an Object Storage Bucket ).
  3. Upload the decompressed image to the bucket.

Import Custom Image

  • Navigate to Compute > Custom Images.
  • Import the uploaded image, enabling compatibility with preferred shapes (e.g., E4.Flex, E5.Flex; note ARM/A1 shapes are unsupported natively).
  • Edit image details to confirm shape compatibility.

Create Compute Instance from Custom Image

  • Select the imported image and provision the instance.
  • Attach to a public subnet for public IP assignment.
  • No SSH key is required initially, as OPNsense is an appliance; configure later via internal settings.
  • For optimal cost-performance, prioritize AMD shapes.

Configure OPNsense via Console

  • Launch the serial console connection.
  • Log in as root with the default password.
  • Assign interfaces (typically vtnet0 as WAN; no LAN needed for basic setups).
  • Reset the root password via menu option 3.
  • Access the shell (option 8) to edit /conf/config.xml:

    • Backup: cp config.xml config.bkp

    • Edit with vi to add:

      <webgui>
  <protocol>https</protocol>
  <ssl-certref>64b1234567</ssl-certref>
  <nohttpreferercheck>1</nohttpreferercheck>
  <nodnsrebindcheck>1</nodnsrebindcheck>
  <port/>
  <ssl-ciphers/>
  <interfaces/>
  <compression/>
  <httpaccesslog>1</httpaccesslog>
  <authmode>Local Database</authmode>
</webgui>

Enable Public Access

  • Attach a Network Security Group (NSG) with rules allowing HTTPS (443) and SSH (22).
  • Assign public IPv4/IPv6 addresses to the VNIC.
  • Access the web GUI via the public IP.

Appendix: Firewall Management and Future Challenges

Disabling/Enabling Firewall via CLI

In case of lockout due to misconfiguration:

  • Connect via OCI serial console.
  • Log in as root.
  • Disable: pfctl -d
  • Re-enable: pfctl -e

Future Exploration: OPNsense on OCI Ampere (AArch64) Instances

Ampere instances offer superior performance at no cost. An official FreeBSD 13.1 image exists for Ampere, bypassing the dd step.

This guide aims to provide a thorough, technically precise walkthrough. Feedback or questions are welcome.