Thanks! I’m working on it! Sometimes I focus on a slightly different topic than what I’ve written about, so they’re not always exactly the same as the written guides. For new guides, I try to do both a written and a video version around the same time to keep them more consistent, and it saves some time as well.
You're welcome! I'm glad it has helped! I'm just getting started with the video content, but I'm trying to get more of it produced for those who prefer videos over written content.
Glad it helped you make the move! I do this same basic process for my reverse proxy on my DMZ network so I can have legitimate certificates for all my apps/services.
@@homenetworkguy That's awesome you've done legitimate certificates for all your services! Your "Deploy Nginx Proxy Manager in a DMZ with OPNsense" is great! I've dreaded properly deploying and hardening a CA for my homelab. Finishing off my remaining cert needs with a reverse proxy, Let's Encrypt and ACME is a much better phased approach. PS: Your blog posts have really helped me over the years and I've recommended them to many people who've made the switch over to OPNsense!
This is a super easy and fun way to explain certs in OPNsense. Thank you. Even though I'm not using the same provider for DNS, it works like a charm. Just one request: I hope you can slow down a bit while explaining the topic. You don't have to, but it makes it a bit easier to follow. :)
Thanks! Glad you found it easy. I’ll try to slow down a bit but I know I’m still slower than some other videos I’ve watched from other content creators. There’s a fine line between slow and boring. Haha.
@@homenetworkguy Hehe! Yes, there is a fine line. Since you are slower and your choice of words and delivery is easier to understand, the experience of watching your content is edifying. And a reason to be watching your channel rather than going to some other channel!
You can use DNS challenges so internal apps/services do not need to be exposed directly to the Internet to obtain certificates. What I like to do is use a reverse proxy for my internal services. The reverse proxy uses DNS challenges to obtain certificates. It’s pretty nice when internal services have legitimate certificates because there are no browser warnings!
@@homenetworkguy Oh ok. I would love to see you post a video about how to do that. I've only been doing this stuff for a couple of weeks now and your videos have helped me more than any of the other hundred or more I've watched so far. Great work!
Yes, I was going to mention that! There is also a Caddy plugin on OPNsense which would be easier to set up. I made this video literally a week or 2 before the plugin came out! Haha. But I prefer to run a reverse proxy on the DMZ or other internal network rather than running it on OPNsense, since I feel like it might be less of an impact if my reverse proxy got compromised (at least it would be confined to the DMZ or other network instead of on the OPNsense box where more damage could occur!)
Great and useful video. It works like a charm. One question. I have a website running on a pc behind OPNsense, in its LAN, and I'd like to enable https for it. Do I need to create another token? Thanks
No, you can use the same token. If you're using Nginx Proxy Manager for instance, you can use the same token for Cloudflare to generate and renew certificates for apps/services behind your proxy. I use a wildcard certificate for all my apps/services behind my proxy.
@@homenetworkguy Both OPNsense and the webserver run in a virtual environment. No Nginx PM. A video on wildcard certificates would be great as well; I have never used one. I don't know how to set it up actually. Thanks
Could there be additional configuration when using AdGuard and using Unbound as upstream? I’m able to get a cert and everything else up, but it otherwise times out when using the domain name. I’m still able to access the router via IP or the name I gave it as a DNS rewrite in AdGuard.
What IP address does your router's domain name point to? I typically like to only have my web UI in OPNsense listen on the management interface, but I have one PC on a different network, so I encounter an issue where it wants to use the gateway IP address for that PC's network rather than 192.168.1.1. I created an entry in the hosts file to point to 192.168.1.1 on my PC to resolve the issue, but there are other ways to handle that. Someone emailed me and tried to explain a complicated way to resolve the issue, but I didn't fully understand all the details. I took the simplest approach and added the hosts entry since there's only one machine on a different network that needs access.
Sorry. It’s also probably how I had to cut the video in certain places and how I end sentences with an inflection when I’m not supposed to. I’m trying to improve this over time. It’s tough speaking to a camera. Some people make it look easy. Haha.
@@homenetworkguy No, man. You are fine. No need to apologize. Your video is fine and so is your accent. Being humble is a nice attitude to have, so 👍. Your video is great. I didn't notice anything about any cuts. You're fine. You took time to do something useful for the internet. Useful stuff. Thanks!
Hi, great tutorial, but my process stops at the part about Cloudflare ID and zone. Because I don't have any webpages, I can't find these in my profile.
If you registered your DNS through Cloudflare, you should have sites listed under "Websites". Otherwise, if you are registered elsewhere and have your nameservers pointed to Cloudflare's servers, you will need to add your domain on the "Websites" page so you can see your Zone/Account ID for that domain.
It is easy if you have a DNS provider with a supported API. Bought a silly domain this morning just for my internal network. Migration from a made-up domain was easy enough. Also used it for my Proxmox server. Any thoughts about: 1. What to still configure for a domain you only use for an internal network? I did set up Secure DNS, an abuse email and antispam protection. 2. Any thoughts about managing Let's Encrypt certificates from a central place? 3. Wildcard certificates for a TrueNAS Kubernetes environment?
1. You don’t really need to do anything for a domain name you own if you only want to use it internally. If you are using an external email provider with your custom domain name, you would want to set up the appropriate settings for that provider (DKIM, etc.) to prevent spoofing emails from your domain and other abuse. If you’re not using external email, you don’t really need to do anything for internal use. 2. You don’t really need to manage Let's Encrypt from a centralized location on your network, especially since they are autogenerated. I have my OPNsense box generate LE certs and I also have a reverse proxy that generates certs. The reverse proxy can be an automatic centralized location for certs for any apps/services running behind the proxy, so in a way it could be your centralized location (but you don’t need to manually copy/paste certs to servers that need new certs). 3. If you use a DNS challenge with LE, you can make use of wildcard certs on your reverse proxy and I imagine also with Kubernetes (I haven’t tried Kubernetes before to know how to set it up).
@@homenetworkguy One nasty thing I discovered is that OPNsense registers the same internal name for all (V)LANs it has the web interface enabled on, as well as for the external WAN interface. Since DNS round-robins randomly in my browser, the web interface is partially not usable by internal domain name. I solved this by disabling Unbound on the WAN side and having the web interface only listen on LAN. It can be accessed from some VLANs by setting firewall rules.
I'm getting ready to set up my Let's Encrypt certificate and had a question after rewatching your video. You mentioned that you didn't need a DNS entry for the router-test subdomain, but how does it get resolved to 192.168.1.1?
Sorry, didn’t see this earlier because it held the comment for review. I meant that you don’t need to create a subdomain with your registrar if you only are using the hostname internally on your network. Unbound DNS in OPNsense will be able to resolve your router’s hostname.
I’m happy to have saved you some effort! Hmm, I’m not quite sure why it would work for some and not the other networks without more info and digging in. I did notice that if I tried to use the hostname of the router but tried to access it on a different network (such as accessing 192.168.1.1 from the 182.168.20.1 network which is a VLAN), it would work because the router’s hostname represents all IP addresses of all the interfaces. So it was using the IP address of 192.168.20.1 instead of 192.168.1.1 but I only had the OPNsense interface listening on the 192.168.1.1 interface.
Yes, you can import other certificates, but those don’t auto-renew, so you would have to import new ones manually (but you can set a longer expiration date than the shorter-lived Let’s Encrypt certificates).
This is the Cloudflare dashboard so if you’re using Cloudflare as your DNS registrar, the account ID should be listed on the right hand side of the page after you click on your website domain name from the dashboard. I just checked and it looks the same.
I think for Let’s Encrypt certificates you need to use real domains so you need to have hostname + domain name. I saw someone mention on Reddit that one of the advantages of using a traditional certificate authority (that isn’t free) is that you can assign certificates to .local and other internal host names: www.reddit.com/r/opnsense/s/Fw70ffAs6H
Thank you for your video. I cannot seem to get it set up. Error: [Wed Nov 15 23:22:06 CET 2023] Not valid yet, let's wait 10 seconds and check next one. / failed to update txt record
That is very strange. I don’t know exactly what that means. You may have to consult the ddclient documentation or examples on how to set it up with your DNS provider of choice (unless you are also using Cloudflare). I know the other day when Cloudflare had some outages, I was getting some errors accessing their API to update the DNS records.
This was great. Thanks for this. I did notice, however, now I can access the web GUI from the internet (using my WAN IP address). Not sure why this happened.
It sounds like you have NAT reflection enabled. I doubt your web interface is exposed to the Internet unless you created firewall rules to open access. Look under Firewall > Settings > Advanced to see if you have any options checked under the “Network Address Translation” section. You could always test connecting to your web interface from your phone using the external IP (from your cellular connection) to verify whether your web interface is actually exposed to the Internet or not.
@@homenetworkguy Thanks for your quick reply. I don't have any options checked there. I tested from my phone and was indeed able to access the GUI. I found in one of your other videos to change the web GUI listen interface which I think fixed the issue. system > settings > administration > webgui > Listen interfaces
Ohh, if you had the web interface listening on the WAN that could explain the problem (although I would think you would still need firewall rules to allow access). You may want to review the firewall rules just to make sure you don't have more access allowed than necessary (like allowing port 443 on the WAN interface).
I haven't touched the WAN firewall rules. I don't see anything allowing port 443, but I'm still wrapping my head around firewall rules in general. I can see that there are 24 rules that are there by default.
Some of the other proxy plugins in OPNsense like HAProxy support using certificates generated from the ACME Let’s Encrypt plugin so you could put websites behind that. I personally prefer to put the reverse proxy in the DMZ network so if a compromise occurs, it’s not on the router/firewall system. Not sure how much security it buys you but makes me nervous to run the reverse proxy on the firewall box itself (unless perhaps they were virtualized on the same system and in separate VMs/CTs). There’s nothing preventing you from using ACME on multiple systems generating Let’s Encrypt certificates for the same domain name. I do it for various reasons and it works great.
Really? I haven't heard of that yet but I also haven't updated to the 23.7.3 yet because I like to wait a few days or a week before updating to the latest version to make sure all is good (mostly with Zenarmor since OPNsense doesn't test out all of the 3rd party plugins).
Hmm, really? At 10:52, I haven't even switched over to use the new certificate so nothing should have changed with the web interface. I have rarely encountered 503 issues but I think some could have been due to other services I had running and something was a bit wonky (so I restarted the services or rebooted the machine and all was well).
@@homenetworkguy sorry router froze at that point. I rebooted it and got back into router, then completed it. All up and running. Thank you for all your great videos
Yeah I guess that’s ok. Also the API key I used in the video is one I created just for demo purposes so I don’t use it for my main certificates. Even if that key was shown, it cannot be used. It’s hard to show a real world example of creating valid certificates without using a real account. Still, I need to be more diligent with blurring out sensitive information.
As you can see in the outtakes, that happened to me, but after copying pasting the API key, account ID, and zone ID again, it worked for me. I believe validation failed means there is something wrong with the credentials or the permissions assigned to the ones you are using (or you are using the wrong zone ID). Not sure if the logs can help explain the issue in more detail.
I don't have UPnP installed, so I haven't experimented with that yet since NAT-PMP works well enough for my purposes, but I know many who want to use UPnP for their game consoles.
@@homenetworkguy Exactly... I started the endeavor yesterday following a Reddit post on the OPNSense sub... Had to set Outbound NAT to Hybrid, etc... Let's see how it goes haha. Thanks again.