dmauser / opnazure

This template allows you to deploy an OPNsense Firewall Azure VM using the opnsense-bootstrap installation method
MIT License
156 stars 68 forks
azure opnsense-firewall

OPNsense Firewall on FreeBSD VM

CI Name | Actions Workflow | CI Status
BicepBuild | bicepBuild.yml | bicepBuildCI
Deployment Checker - Active Active | deploymentChecker-active-active.yml | deploymentCheckeractiveactiveactiveCI
Deployment Checker - two nics | deploymentChecker-two-nics.yml | deploymentCheckertwonicsCI
Deployment Checker - new vnet Active Active | deploymentChecker-newvnet-active-active.yml | deploymentCheckeractivenewvnetactiveactiveCI
Deployment Checker - new vnet two nics | deploymentChecker-newvnet-two-nics.yml | deploymentCheckernewvnettwonicsCI

Deployment Wizard

Deploy To Azure

The template allows you to deploy an OPNsense Firewall VM using the opnsense-bootstrap installation method. It creates a FreeBSD VM and does a silent install of OPNsense using a modified version of opnsense-bootstrap.sh with the settings provided.

OPNsense is based on FreeBSD, which has an official OS image publisher in Azure. This template deploys a FreeBSD 14.1 VM and installs OPNsense using the opnsense-bootstrap installation method. For the first deployment in an Azure Subscription, you must accept the legal terms of the Offer with PublisherId: 'thefreebsdfoundation', OfferId: 'freebsd-14_1'.

You can accept them using either Azure CLI or Azure PowerShell as follows:

az vm image terms accept --urn thefreebsdfoundation:freebsd-14_1:14_1-release-amd64-gen2-zfs:14.1.0 -o none
Get-AzMarketplaceTerms -Publisher 'thefreebsdfoundation' -Product 'freebsd-14_1' -Name '14_1-release-amd64-gen2-zfs' -OfferType 'latest' | Set-AzMarketplaceTerms -Accept
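
An idempotent pre-flight for the terms step above, as an added example that is not part of this repository: it queries the current state with `az vm image terms show` and only calls `accept` when needed, then re-reads the state. The function names `terms_accepted` and `ensure_terms` and the `--run` switch are hypothetical; the URN is the one from the command above.

```shell
#!/bin/sh
# Added example: idempotent pre-flight for the FreeBSD marketplace terms.
# URN copied from the README's `az vm image terms accept` command.
URN='thefreebsdfoundation:freebsd-14_1:14_1-release-amd64-gen2-zfs:14.1.0'

# Prints the "accepted" field of the terms for the current subscription.
terms_accepted() {
    az vm image terms show --urn "$1" --query accepted -o tsv
}

# Accepts the terms only when they are not accepted yet.
# Returns 0 when the terms are accepted afterwards, 1 otherwise.
ensure_terms() {
    urn=$1
    state=$(terms_accepted "$urn") || {
        echo "cannot query terms for $urn" >&2
        return 1
    }
    case $state in
        # Tolerate either casing of the boolean in tsv output.
        true|True) echo "already accepted: $urn"; return 0 ;;
    esac
    echo "accepting terms: $urn"
    az vm image terms accept --urn "$urn" -o none || return 1
    # Re-read the state instead of trusting the exit code of accept.
    state=$(terms_accepted "$urn") || return 1
    case $state in
        true|True) return 0 ;;
        *) echo "terms still not accepted: $urn" >&2; return 1 ;;
    esac
}

# Hypothetical switch: run the check only when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    ensure_terms "$URN"
fi
```

Run it in the subscription that will hold the deployment, since terms acceptance is recorded per subscription.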

The login credentials are set during the installation process to:

Please change the default password!!! (When using the Active-Active scenario, the password must be changed on both firewalls and under the High availability settings.)

After deployment, go to https://PublicIP and enter the user and password to configure the OPNsense firewall. For Active-Active, the URL should be https://PublicIP:50443 for the Primary server and https://PublicIP:50444 for the Secondary server.

Updates

Aug-2024

July-2024

May-2024

Nov-2023

Feb-2023

October-2022

April-2022

Nov-2021

Overview

This OPNsense solution is installed in FreeBSD 12.0 (Azure Image). Here is what you will see when you deploy this Template:

There are 2 different deployment scenarios:

Design

[Figures: design of the two NIC deployment; design of the Active-Active deployment]

Deployment

Here are a few considerations to deploy this solution correctly:

Note: The whole process takes about 10 min to complete: once the VM is created, a new VM CustomScript is started to install OPNsense.

Usage

Roadmap

Build custom deployment form

Feedback

Please use the GitHub issues tab to provide feedback.

Credits

Thanks for direct feedback and contributions from: Adam Torkar, Brian Wurzbacher, Victor Santana and Brady Sondreal, and many others shown on this repository as contributors.