Configuring ZenArmor, AdGuard Home, and NordVPN in OPNsense v24 on Hyper-V
Sections:
1 Download OPNsense
2 Configure Hyper-V
3 Create Virtual Switches
4 Create the VM
5 Install OPNsense
6 Initial OPNsense Configuration
7 Configure Additional Software
8 Configure Unbound DNS
9 Install and Configure ZenArmor
10 Test ZenArmor
11 Install and Configure AdGuard
12 Configure NordVPN
13 Troubleshooting
1 Download OPNsense
Navigate to https://opnsense.org/download/ in your browser.
Choose the AMD64 architecture and the DVD image type to install in Hyper-V on Windows. Also, select a mirror near you. These instructions are written for v24.1 and will hopefully work for newer versions, with only minor changes, when they are released.
Extract the .iso file from the .bz2 file using WinZip or another program.
2 Configure Hyper-V
This assumes that you already have two network cards installed.
If you have not already configured Hyper-V and possibly created other virtual machines, Hyper-V will need to be set up. If this is already done, you can skip this section.
2.1 Enable Virtualization in Your Computer's BIOS
Virtualization options may be under security, or virtualization, or another group of settings in your BIOS. Be sure they are enabled.
2.2 Enable the Windows Hyper-V feature
Use the search bar to find and start "Turn Windows features on or off".
Click on Hyper-V to install Hyper-V Manager and other required components.
You will need to restart after installing Hyper-V Manager.
You can start the Hyper-V Manager by searching in the Windows menu, or you can choose "Open file location", and then copy the shortcut from C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools to the desktop for easy access.
2.3 Change the Default Location for Hyper-V Files
If desired, change the location for virtual hard disks, and other files from C:\ProgramData\Microsoft\Windows\Virtual Hard Disks to another location.
Click Hyper-V Settings under Actions.
If needed, create a folder using Windows Explorer. Choose Browse to find and select the desired folder.
Click Apply, and click OK.
3 Create Virtual Switches
We will need WAN and LAN virtual switches bound to the physical network adapters.
In the Hyper-V Manager, under Actions, select Virtual Switch Manager.
Click New virtual network switch .
Select External for the type of switch, and click OK.
In this example, we select the motherboard NIC for the LAN switch.
For the LAN interface, allow the management operating system to share the adapter.
Click OK.
Click New virtual network switch again.
Select External for the type of switch, and click OK.
In this example, we select a PCIe NIC card for the WAN switch.
For the WAN interface, DO NOT allow the management operating system to share the adapter. We do not want Windows accessing the internet other than through the firewall.
Click OK.
4 Create the VM
Click New under Actions, and select Virtual Machine.
Read the Before You Begin section if you have not already opted out of that screen.
Specify the name and location of the VM. If you don't want all of your virtual machine files in the same directory, select a new subdirectory for this VM. Click Next.
Generation 2 is supported for OPNsense, so select that when specifying the generation. Click Next.
In theory, OPNsense can run with 4gb of RAM for a nano install. I've often seen it using 5-6gb. Allocate 8gb or more if you have the RAM available. Leave Use Dynamic Memory selected. Click Next.
(In this example, I am using a machine with 8gb of RAM, and actually selecting 4608mb or 4.5gb.)
For connection, we will select the WAN switch. (Later, we will add the LAN switch.) Click Next.
If you added the VM name to the directory, it will appear twice when connecting the virtual hard disk. Edit the path as needed.
Select 16gb for the size. A full install takes less than 2gb, and you won't likely need more than 14gb for log files. Click Next.
For Installation Options, select the option to install from a bootable image file. Browse to the .iso file we downloaded and extracted from the .bz2 file earlier. Click Next.
Verify that the options are correct, and click Finish.
After a few seconds, you should see the new Virtual Machine.
Disable Secure boot. Right-click on the VM name, and choose settings. Under Security, uncheck the Enable Secure Boot option.
While under Settings, choose Add Hardware, and select Network Adapter. Click Add.
Select the LAN switch. Click Apply. Click OK.
You will now see both network adapters under Hardware.
5 Install OPNsense
Connect to the VM by:
double-clicking it
right-clicking, and choosing connect
or choosing connect under the VM name under Actions.
Click Start.
When booting for the install, we do not need to click to perform manual interface assignment in the live environment from the ISO. We will assign the proper interfaces after installing and booting the VM from its virtual disk.
Whenever starting a VM in Hyper-V, choose Continue instead of Revert Changes unless the recent reboot was after some kind of error. If this is the first boot of the VM, this option will not be displayed. If you forgot to disable secure boot or select both WAN and LAN network adapters and need to restart the VM, you will see this option.
Log in as installer/opnsense.
You may also notice how the LAN and WAN interfaces were assigned. In this case, our WAN interface did get a DHCP address from our gateway/modem's 192.168.0.1 subnet, which is good.
Select the proper keymap and press Enter.
Instead of UFS, we will choose the more advanced ZFS filesystem and then select OK.
Select the desired virtual device type. For this install, we will select stripe.
Select the virtual disk by pressing the space bar, and then press ENTER to select OK.
Tab over to YES and press ENTER to confirm destroying the contents of the new virtual disk.
Wait a few minutes depending on the speed of your system for it to clone, verify, and prepare the new system. It may appear to freeze at 80% while verifying. That is normal. Similarly, it will pause at 90% while preparing.
Do not change the root password yet. We will do that in the GUI where it is somewhat safer and we can avoid errors with mis-typing.
Before rebooting, from the Media menu in Hyper-V, select the DVD Drive, and eject the OPNsense ISO so we will be sure to boot the VM after the restart.
Down-arrow to complete the install, and press ENTER for OK.
6 Initial OPNsense Configuration
When it initially boots the VM, we can let it do automatic interface assignment again. It is normal to see the red bar at the top of the window since Secure Boot will be off. It may pause on this window for a minute before the boot process starts.
Log in as root/opnsense.
6.1 Change Interfaces If Needed
If you follow the steps as outlined above, you will likely see that the WAN interface got a DHCP IP address from a router on your LAN, or that it doesn't have an IP address. The LAN address will be 192.168.1.1 by default. If that is the case, you will need to switch the WAN to hn0, and the LAN to hn1.
The LAN interface must be on your PC's subnet to continue with the GUI/web portion of the configuration.
To change interfaces, select option 1.
Select the name of the interface you wish to assign to the WAN. In this case, it is either hn0 or hn1.
Then, select the interface for the LAN.
To skip optional interface configuration, press ENTER.
Type y to confirm options.
6.2 Set Interface IP Addresses If Needed
If you wish to change an interface address or switch between DHCP and manual configuration, select option 2 to set the interface IP address.
In the example below, we choose manual IP address assignment. We then enter the desired IP address, and subnet bit count. We press ENTER since this is a LAN interface.
To skip IPv6 configuration, do not accept the default option of assigning it via WAN tracking. Then choose N for the IP address, and press ENTER to skip assigning an address.
If you wish to have your OPNsense firewall router assign DHCP IP addresses, configure the IP address range.
Do not switch to HTTP for the GUI protocol. Go ahead and generate a new certificate, and leave access defaults by pressing ENTER.
It will restart several IP-related services, and bring you back to the menu.
6.3 Install Updates
Choose 12 to update from console before we start the GUI.
Press the space bar to scroll through any notes, and q to exit from reading the release notes.
If you downloaded 24.1, it may upgrade to 24.1_1.
6.4 A Note About Subnets
If all of your PCs were connected to your ISP's router at 192.168.0.1, you will need to change your subnet to 192.168.1.1/24.
You will probably not want to have routers use a 16-bit (255.255.0.0) subnet so a browser on 192.168.0.* can log in to the OPNsense interface at 192.168.1.1. We will want everything off of the 192.168.0.* subnet so traffic will go through our new firewall at 192.168.1.1.
6.5 Log In to the GUI
In your browser, navigate to the LAN address, and log in as root/opnsense.
You will get a prompt to run updates, or continue with configuration. You can also repeat the initial configure at any time by choosing System:Wizard:General Setup.
Under General Information, you can change the hostname from OPNsense to something more applicable to your environment. You can also assign primary and secondary DNS servers. For now, we will use Quad9 DNS servers, and click Next.
Quad9 DNS servers:
9.9.9.9
149.112.112.112
Choose a city in your timezone and click next.
For the WAN Interface, accept the defaults and click Next.
If it is not already how you would like it, set the LAN Interface IP address and subnet mask.
Now, you can set the root password using copy-paste from Notepad so you can be certain of what you are entering.
Click Reload to apply changes.
Wait a few seconds for the reload.
Now, you can continue to the dashboard, or check for updates.
Before we continue, let's verify the root password is set as expected. We don't want to find out there is a problem and have to reinstall later.
Navigate to Lobby:Logout.
When you select Logout, you will be logged out and presented with a login prompt. Log in as the user root, with the password you just set. If that doesn't work, try opnsense for the password. If that doesn't work either, there is a complex way to reset the password, but at this point, a reinstall may be simpler.
You can click "continue to dashboard", select Lobby:Dashboard, or click on the OPNsense logo in the top-left of the screen to see the dashboard. You will see your gateway or modem WAN address under WAN. If you did not assign an IPv6 address, the DHCPv6 server will not be running.
Thus far, this example has used a WAN connection at 192.168.0.1. From now on, we will use a WAN connection on a 172.23.173.1/24 subnet. Your WAN IP address may be different.
7 Configure Additional Software
Any combination of additional security features can be used with OPNsense. The only requirement is not installing ZenArmor after AdGuard.
Also, as part of the AdGuard install, we will change the port for Unbound so AdGuard can run on the primary port 53 and pass requests to Unbound on port 5353.
8 Configure Unbound DNS
1. Navigate to Services -> Unbound DNS -> General, and set the following options:
Enable: check;
Listen port: 53;
Network Interfaces: All;
DNSSEC: uncheck;
Register DHCP Leases: check;
DHCP Domain Override: leave blank;
Register DHCP Static Mappings: check;
Do not register IPv6 Link-Local addresses: check;
TXT Comment Support: leave unchecked;
DNS Query Forwarding: check; (option does not exist)
Local Zone Type: Transparent;
Custom options: leave blank;
2. Navigate to Services -> Unbound DNS -> Advanced, and check the following options:
Near the top:
Hide Identity: check
Hide Version: check
Prefetch DNS Key Support: check
Under Cache Settings:
Prefetch Support: check
Optional for speed:
Serve expired responses: check
Message Cache Size: 50m
Number of hosts to cache: 20000
Leave anything else at its default, and click Apply.
8.1 Optional DNS blocking for Unbound DNS
Navigate to Services -> Unbound DNS -> Blocklist. Check Enable, and click Force SafeSearch.
For Type of DNSBL (block list):
Choose options to block domains that you would never intentionally want to access.
You will NOT want to select any of the WindowsSpyBlocker options. They are known to block MS sites that we will need to install updates on our Windows host OS.
Click Apply when done configuring blocklist details.
In order to update the lists automatically at timed intervals, you need to add a cron task. Go to System -> Settings -> Cron and click the + sign at the right of the window to create a new task for the command called Update Unbound DNSBLs.
Enter the time, command, and description. Be sure that enabled is checked. Then, click Save.
When you are done, you will see the new Update Unbound job and any others that may be scheduled. In this case, ZenArmor is already installed.
You may wish to add other cron jobs also.
Click Apply.
9 Install and Configure ZenArmor
Before we can install plugins, we must check for updates to refresh the list of available plugins. Navigate to System:Firmware:Status, and click Check for updates.
After checking for updates, it will open the Updates tab with results.
Navigate to the Plugins tab, and where it says Name at the top, type in os-su to search for the os-sunnyvalley repository. Click the + at the end of the row to add the repository.
You will then be switched to the Updates tab and see the install log concluding with ***DONE***.
Click on the Plugins tab again, and search for os-sensei. Then, click + at the right of the row to install os-sensei. That will automatically install the updater. The agent is only needed if you want to do web-based monitoring of ZenArmor using their website. You can use OPNsense to monitor it, though.
There will be a warning that ZenArmor is not provided by the authors of OPNsense. Click Install. It will take several seconds to install.
To verify, we can search for all os-s plugins. The ones in bold are installed, and will have a trash can on the far right for deleting them. Others will not be bold, and have a + on the far right for adding them.
9.1 Configure ZenArmor
Press F5 to refresh your browser if you don't see Zenarmor near the bottom of the list on the left of the OPNsense window.
Click on the dashboard, and you will be prompted to go through initial configuration.
Check to agree with the terms and policy and click I Agree.
It will perform a check to see if your system can run ZenArmor successfully and then present you with a list of database options.
Choose to install a local Elasticsearch database if your system has enough memory and that option is displayed. Otherwise, choose the smaller SQLite database. The Elasticsearch database is much more robust, but SQLite will work if you are limited on memory and are retaining only 1-2 days of activity history.
Once the chosen database is installed, click Next.
Choose the default routed mode unless you are very familiar with the product, and need another setting.
Check: Allow ZenArmor to pin processors to cores.
Select the LAN interface, and assign it to the LAN security zone.
Unless you have a license for ZenArmor, click on the option for the free edition.
Enter your e-mail address to get updates, and click Next.
Click Complete to finalize the configuration.
9.2 Configure ZenArmor Policies
Navigate to Zenarmor:Policies.
Click on the name of the Default policy to edit it.
Click on the security tab, and then click on the three dots to the right of Essential Security.
Choose High Control to block all of the questionable categories, or choose another option if you wish.
Once you have made your choice, you will see what categories will be blocked.
Click Apply Changes.
9.3 Configure ZenArmor Update Job
Configure a job to check for ZenArmor updates. There will already be a Zenarmor periodicals job created during the install.
Navigate to System:Settings:Cron and click + to create a new job.
Add a Check zenarmor updates job. Be sure that enabled is checked.
Enter the time you wish the job to run during a time of low system activity.
Select the Check zenarmor updates command.
Give it a description, and click Save.
When you are done, the new job to check for ZenArmor updates will be in the list.
Click Apply.
10 Test ZenArmor
It will be good to test ZenArmor before setting up DNS blockers.
The following site is designed specifically to test firewalls and next generation firewalls like ZenArmor. The 17 tests all contain benign links that should be stopped by a properly configured firewall. The page has details about the tests and risks.
https://www.wicar.org/test-malware.html
If you have configured the Microsoft Defender Application Guard Extension, that may also block the threats.
11 Install and Configure AdGuard
If you wish to use ZenArmor, install it before installing AdGuard to avoid conflicts with the Elasticsearch database software.
11.1 Fetch the package repository, and update
If it is not open, open a console window in Hyper-V. Right-click on the VM name, and choose Connect.
Choose option 8 for a Shell.
Log in as root if not already logged in.
Fetch the mimugmail repository using the fetch command shown below.
Run pkg update to install the repository so it shows up in the list of available packages in OPNsense.
root@OPNsense:~ # fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf
/usr/local/etc/pkg/repos/mimugmail.conf 107 B 1024 kBps 00s
root@OPNsense:~ # pkg update
...
Updating mimugmail repository catalogue...
...
All repositories are up to date.
11.2 Install the Plugin
Navigate to System:Firmware:Status, and check for updates.
Click on the Plugins tab.
Search for the os-adguardhome-maxit package.
Click the + at the end of the line to install it.
Press F5 to refresh the browser.
11.3 Switch Unbound DNS Port and Enable AdGuard
Since Unbound DNS and AdGuard both filter DNS requests, we will enable AdGuard on the standard DNS port (53), but BEFORE WE DO THAT, we will configure Unbound DNS to use port 5353.
Navigate to Services:Unbound DNS:General
Change the Listen Port to 5353, and click Apply.
AFTER changing the Unbound DNS listen port, navigate to Services:Adguardhome:General.
Select Enable, and Primary DNS.
Click Save.
In your browser, navigate to port 3000 of the IP address of your OPNsense install. For this example, it is 192.168.1.1:3000.
Click Get Started.
We will expect a conflict on port 80 for the Admin Web Interface Listen interface. There should not be a conflict on port 53 for the DNS server Listen interface.
Change the Admin Web Interface to port 3000.
Click Next.
Enter a username and password for AdGuard Home.
When you are done, click Next.
If OPNsense is to be your primary router, it will be the only router with DHCP active, so all clients will automatically connect to 192.168.1.1, or the OPNsense IP you are using. Otherwise, configure devices to use 192.168.1.1 as the DNS server, and gateway.
Click Open Dashboard.
You will be prompted for the AdGuard username and password.
If you can't log in, the easiest way to reset the password is to use a shell in Hyper-V and delete /usr/local/AdGuardHome/AdGuardHome.yaml. Then, you will be able to restart the initial configuration process.
Click Update Now.
11.4 Configuring AdGuard DNS
Under the Settings menu, choose DNS settings.
Under Upstream DNS servers, replace the http address there with 0.0.0.0:5353. This will allow AdGuard to work with Unbound DNS.
Also, put 0.0.0.0:5353 under Private reverse DNS servers.
Click Test upstreams to verify that it is working.
Click apply.
11.5 Configuring Blocking of DNS requests in AdGuard
If one of your network devices is having problems, you can select Query Log in AdGuard. Then, on the top-right, select Blocked to filter it to just the blocked requests.
You can then choose to unblock the DNS name for all clients, or just the selected client.
Similarly, choose Processed, or All Queries to see DNS queries that have been processed if you want to find a recently-accessed site to block.
Below, we can see play.google.com blocked for one client under the Filters:Custom filtering rules.
We can delete or modify the rule from here if desired. We can also copy it to other firewalls if we have more than one AdGuard Home installation.
12 Configure NordVPN
When using NordVPN on OPNsense, we will use one certificate to access any NordVPN server. We will start by configuring the NordVPN Certificate Authority.
12.1 Before You Start
We will need a few pieces of information to configure NordVPN so we will get those now.
1. We will need to configure OpenVPN to connect to NordVPN servers near us for the fastest performance.
2. Navigate to https://nordvpn.com/servers/tools/ to find a server near you. Refresh the page a few times and note down the server numbers if you want to configure more than one server. For this example, we will use servers 9837 and 6540.
Alternately, use the app on your phone to connect to a server near you, and that will give you a server number. You can disconnect and reconnect several times on your phone to find multiple servers if you want to configure multiple servers to select at random.
3. Find your NordVPN username and password.
Log into your Nord Account dashboard at https://my.nordaccount.com/dashboard.
Click on Set up NordVPN manually.
You may be prompted for a PIN sent to the e-mail address you used when you registered.
You will then see a window with your username and password. Both will be complex strings. Save those in Notepad, or somewhere handy.
12.2 Configure the CA
In OPNsense, navigate to System:Trust:Authorities. Click + to add a CA.
We will name it NordVPN_CA and use the certificate from NordVPN's instructions on setting up NordVPN on OPNsense version 21, though we are using version 24.
It will look like this when we have filled in the name, and certificate data.
12.3 Configure the OpenVPN Client
4. Navigate to VPN: OpenVPN: Clients [legacy] and press the + Add button.
5. Fill in the fields:
GENERAL INFORMATION
Disabled: leave unchecked.
Description: Any name you like. We will use NordVPN_Client.
Server mode: Peer to Peer (SSL/TLS);
Protocol: UDP4 (you can also use TCP4);
Device mode: tun;
Interface: any;
Either a single remote server:
Host or address: us####.nordvpn.com, where #### is the server number you found from the NordVPN website or app;
Port: 1194 (use 443 if you use TCP);
Leave Select remote server at random unchecked.
Or multiple remote servers:
Configure multiple hosts on port 1194;
Check Select remote server at random.
Retry DNS resolution: check;
Proxy host or address: leave blank;
Proxy port: leave blank;
Proxy Authentication: None;
Enter the NordVPN username and password you recorded earlier.
Renegotiate time: leave blank;
12.4 Cryptographic Settings
Automatically generate a shared TLS authentication key: uncheck.
TLS Authentication: Enabled - Authentication only.
TLS Shared Key: paste the NordVPN OpenVPN static key (the block from -----BEGIN OpenVPN Static key V1----- to -----END OpenVPN Static key V1-----).
Encryption algorithm: AES-256-GCM (NordVPN recommends it even though the option is marked deprecated).
Auth Digest Algorithm: SHA-512 (512-bit).
IPv4 tunnel network: leave blank;
IPv6 tunnel network: leave blank;
IPv4 remote network: leave blank;
IPv6 remote network: leave blank;
Limit outgoing bandwidth: leave blank;
Compression: Legacy - Disabled LZO algorithm (--comp-lzo no)
Type-of-service: leave unchecked;
Don't pull routes: leave unchecked;
Don't add/remove routes: check.
ADVANCED CONFIGURATION:
Advanced: paste the contents below
(You can expand the window by grabbing the lower-right corner if desired.)
remote-random;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;
Verbosity level: 3 (recommended);
Click Save.
Since we chose two servers, the client line will look like this:
12.5 Configure Interface Assignments
Navigate to Interfaces:Assignments.
Type in a description of the ovpnc1 interface using the NordVPN client and click Add. This one will be named NordVPN_IF.
Click on the interface name we just created.
Enable it, and click Save.
Click Apply changes.
12.6 Configure Unbound DNS
Some of these steps may have already been done during initial configuration of Unbound DNS.
Navigate to Services:Unbound DNS:General.
Enable: check;
Listen port: 5353; (Changed from 53 if using AdGuard. If not using AdGuard, leave it at 53.)
Network Interfaces: All;
DNSSEC: uncheck;
*Register DHCP Leases: check;
DHCP Domain Override: leave blank;
*Register DHCP Static Mappings: check;
*Do not register IPv6 Link-Local addresses: check
TXT Comment Support: leave unchecked;
Local Zone Type: Transparent;
Custom options: leave blank;
Click advanced mode in the top-left.
*Outgoing Network Interfaces: NordVPN_IF
WPAD Records: leave unchecked;
Click Apply.
Navigate to Services:Unbound DNS:Advanced.
Near the top:
Hide Identity: check
Hide Version: check
Prefetch DNS Key Support: check
Optional for speed:
Serve expired responses: check
Leave default selections under Logging Settings.
Under Cache Settings:
Prefetch Support: check
Optional for speed under Cache Settings:
Message Cache Size: 50m
Number of hosts to cache: 20000
Click Apply.
12.7 Configure Firewall NAT Outbound
Navigate to Firewall:NAT:Outbound
Click the Hybrid option.
Click Save.
Click Apply Changes.
In the Manual Rules section, click +.
For the interface, select NordVPN_IF.
Click Save.
Click Apply Changes
You will see the new Manual rule.
12.8 LAN Firewall Rules
Navigate to Firewall:Rules:LAN
Delete the IPv6 rule.
After that, click on the edit button next to the IPv4 rule. Scroll down and select NORDVPN_IF_VPNV4 as the Gateway. Click Save.
Click the + button.
Set Source to LAN net, and destination to LAN address. Leave other settings with default values.
Click Save.
Click Apply changes.
You will see the NORDVPN_IF_VPNV4 rule first, and the LAN address rule second.
Check the box next to the LAN address rule. Then, click the arrow next to the NORDVPN_IF_VPNV4 rule to move the selected rule before it. You should now see the LAN address rule first.
Click Apply changes.
12.9 General System Settings
Navigate to System:Settings:General
Set the hostname: OPNsense10
Under Networking, check Prefer IPv4 over IPv6.
DNS servers:
If you wish to utilize the Threat Protection Lite feature on your router, ask NordVPN support for those IP addresses.
To use NordVPN's regular DNS:
103.86.96.100, Use Gateway: none;
103.86.99.100, Use Gateway: none.
12.10 System Gateway Configuration
Navigate to System:Gateways:Configuration
Edit the NORDVPN_IF_VPNV6.
Check Disabled, and click Save.
The NORDVPN_IF_VPNV6 icons will now be gray instead of green.
Click Apply.
Navigate to Lobby:Dashboard
The bottom-right Interfaces section should show NordVPN_IF is up.
12.11 Check and Verify
Navigate to VPN:OpenVPN:Connection Status
The status should be connected.
We can also look at the console on the Hyper-V Manager and note that we now have a new NordVPN_IF interface.
If all steps above are performed, we should have some advanced filtering. Also, ZenArmor provides some next generation firewall (NGFW) capabilities like packet filtering.
Check DNS from the command line.
These two should return multiple IP addresses.
nslookup abc.com
nslookup cnn.com
These three should return 0.0.0.0 for the IP address.
nslookup adblock-one-protection.com
nslookup uvsvlisbartwq.com
nslookup wooden-comfort.com
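A script to automate these lookups, added here as an example and not taken from the guide; it assumes the OPNsense LAN address 192.168.1.1 used earlier and BIND-style nslookup output (Linux, FreeBSD or macOS; Windows nslookup prints a different layout), and it also queries Unbound directly on port 5353 to confirm the AdGuard-to-Unbound chain from section 11:

```shell
#!/bin/sh
# Added example for this guide (not part of the original document): automate the
# nslookup checks from "Check and Verify" and confirm the AdGuard (port 53) ->
# Unbound (port 5353) chain from sections 11.3/11.4. Assumes the OPNsense LAN
# address 192.168.1.1 used throughout the guide and BIND-style nslookup output
# (Linux, FreeBSD, macOS); Windows nslookup prints a different layout.
DNS_SERVER="${DNS_SERVER:-192.168.1.1}"

# classify_lookup: read nslookup output on stdin and print one word:
#   blocked  - every answer address is 0.0.0.0 (the AdGuard/Unbound sinkhole)
#   resolved - at least one real address came back
#   failed   - no answer at all (NXDOMAIN, SERVFAIL, timeout, ...)
classify_lookup() {
    awk '
        BEGIN { in_header = 1; real = 0; sink = 0 }
        # The resolver header (Server/Address lines) ends at the first blank
        # line; its Address line names the resolver, not an answer, so skip it.
        /^$/      { in_header = 0; next }
        in_header { next }
        /^Address:/ { if ($2 == "0.0.0.0") sink++; else real++ }
        END {
            if (real > 0)      print "resolved"
            else if (sink > 0) print "blocked"
            else               print "failed"
        }'
}

# expect_lookup NAME PORT EXPECTED: query $DNS_SERVER on PORT and compare the
# classification with EXPECTED. Returns 0 on match, 1 otherwise.
expect_lookup() {
    name=$1; port=$2; want=$3
    got=$(nslookup -port="$port" "$name" "$DNS_SERVER" 2>&1 | classify_lookup)
    if [ "$got" = "$want" ]; then
        printf 'OK   %-28s :%-5s %s\n' "$name" "$port" "$got"
        return 0
    fi
    printf 'FAIL %-28s :%-5s expected %s, got %s\n' "$name" "$port" "$want" "$got"
    return 1
}

# run_checks: the five lookups from the guide against AdGuard on port 53, plus
# one direct query to Unbound on 5353 to prove the upstream still answers.
# Returns the number of failed checks.
run_checks() {
    fails=0
    for n in abc.com cnn.com; do
        expect_lookup "$n" 53 resolved || fails=$((fails + 1))
    done
    for n in adblock-one-protection.com uvsvlisbartwq.com wooden-comfort.com; do
        expect_lookup "$n" 53 blocked || fails=$((fails + 1))
    done
    expect_lookup abc.com 5353 resolved || fails=$((fails + 1))
    return "$fails"
}

# Run the live checks only when asked, so the functions can be sourced or tested
# without touching the network:  sh dnscheck.sh --run
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```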
If NordVPN is configured, your IP address and DNS server should be hidden. You should not see the IP address of your internet service provider (ISP). For example, if you use AT&T, you should not see att.net in results from the sites below.
Please note, dnsleaktest.com will start with a hello message including your ISP and IP details. The test should not reveal those though.
We can test if our queries are going in encrypted format by visiting sites:
https://www.dnsleaktest.com/
https://dnsleak.com/
https://browserleaks.com/dns
https://tenta.com/test/
https://www.iplocation.net/find-ip-address (has lots of detail on your IP)
https://whatismyipaddress.com/
https://www.whatismyip.com/
https://ipleak.net/
Since I chose NordVPN's Chicago, IL servers, my output for ipleak.net looks like this:
Please note, I am not in Illinois, and Nexeon is not my ISP. That means it is working.
13 Backups, Checkpoints, and Disk Space
If you haven't already, now is a GREAT time to look at disk space and back up the OPNsense server.
13.1 Disk Space
1. In the OPNsense Web GUI, choose Power:Power Off. Or, from the console in Hyper-V, choose option 5 to power off the system.
2. Wait until the state in the Hyper-V manager is Off.
3. At this point, the D:\Hyper-V\FW1 folder on my system is 5.56gb. The size of your VM may vary. While running, it can be up to double that size due to checkpoints. A quick restart without reverting to the previous checkpoint shrunk it down to under 5gb.
4. In the Hyper-V Manager, we can right-click on the VM, and choose settings to see the settings for the VM. We can then click on checkpoints and see that we have the default standard checkpoints configured.
5. If we select no checkpoints and delete the existing automatic checkpoint, that won't prevent it from using nearly double the disk space when the VM is running, so it is not recommended.
13.2 Backups or Exports
With the VM shut down, we can right-click on the VM and select Export to make a backup of the system. While the export is running, we will see an option to Cancel Exporting under the VM name in the bottom-right of Hyper-V Manager. That, and other options will be missing while the export is running.
The backup is about 5gb, and most of that is the .vhdx file.
D:\Hyper-V\Backups>dir /s
Volume in drive D is Images
Volume Serial Number is 84E1-D8CE
Directory of D:\Hyper-V\Backups
02/05/2024 05:15 PM <DIR> .
02/05/2024 05:15 PM <DIR> ..
02/05/2024 05:16 PM <DIR> 2024-02-05 Fully configured 192.168
0 File(s) 0 bytes
Directory of D:\Hyper-V\Backups\2024-02-05 Fully configured 192.168
02/05/2024 05:16 PM <DIR> .
02/05/2024 05:15 PM <DIR> ..
02/05/2024 05:16 PM <DIR> FW1
0 File(s) 0 bytes
Directory of D:\Hyper-V\Backups\2024-02-05 Fully configured 192.168\FW1
02/05/2024 05:16 PM <DIR> .
02/05/2024 05:16 PM <DIR> ..
02/05/2024 05:16 PM <DIR> Snapshots
02/05/2024 05:16 PM <DIR> Virtual Hard Disks
02/05/2024 05:17 PM <DIR> Virtual Machines
0 File(s) 0 bytes
Directory of D:\Hyper-V\Backups\2024-02-05 Fully configured 192.168\FW1\Snapshots
02/05/2024 05:16 PM <DIR> .
02/05/2024 05:16 PM <DIR> ..
0 File(s) 0 bytes
Directory of D:\Hyper-V\Backups\2024-02-05 Fully configured 192.168\FW1\Virtual Hard Disks
02/05/2024 05:16 PM <DIR> .
02/05/2024 05:16 PM <DIR> ..
02/05/2024 05:15 PM 5,171,576,832 FW1.vhdx
1 File(s) 5,171,576,832 bytes
Directory of D:\Hyper-V\Backups\2024-02-05 Fully configured 192.168\FW1\Virtual Machines
02/05/2024 05:17 PM <DIR> .
02/05/2024 05:16 PM <DIR> ..
02/05/2024 05:17 PM 45,090 E15A5EB9-1C86-4637-97F5-A13556CF717C.vmcx
02/05/2024 05:17 PM 4,194,816 E15A5EB9-1C86-4637-97F5-A13556CF717C.vmgs
02/05/2024 05:15 PM 49,152 E15A5EB9-1C86-4637-97F5-A13556CF717C.VMRS
3 File(s) 4,289,058 bytes
Total Files Listed:
4 File(s) 5,175,865,890 bytes
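The shutdown, disk-space check, and export from sections 13.1 and 13.2 can also be scripted with the Hyper-V PowerShell module. The following is an added example, not part of the original guide; it assumes the VM is named FW1 under D:\Hyper-V\FW1, that backups go to D:\Hyper-V\Backups, that OPNsense's Hyper-V integration services honour a clean shutdown request, and that it runs in an elevated PowerShell prompt on the host.

```powershell
# Added example (not from the original guide): automate section 13 with the Hyper-V cmdlets.
# Assumed names and paths; adjust them to your host.
$VmName    = 'FW1'
$VmFolder  = 'D:\Hyper-V\FW1'
$BackupDir = 'D:\Hyper-V\Backups'

function Get-FolderSizeGB([string]$Path) {
    # Sum every file under the folder, including the .vhdx and any checkpoint .avhdx files.
    $bytes = (Get-ChildItem -Path $Path -Recurse -File | Measure-Object -Property Length -Sum).Sum
    return [math]::Round($bytes / 1GB, 2)
}

# Steps 1-2: shut the VM down cleanly and wait until Hyper-V reports it as Off.
$vm = Get-VM -Name $VmName
if ($vm.State -ne 'Off') {
    Stop-VM -Name $VmName   # clean guest shutdown via integration services (assumed available)
    while ((Get-VM -Name $VmName).State -ne 'Off') { Start-Sleep -Seconds 2 }
}

# Steps 3-4: report the folder size and whether checkpoints are still holding extra disk space.
"Folder size of ${VmFolder}: $(Get-FolderSizeGB $VmFolder) GB"
$checkpoints = @(Get-VMSnapshot -VMName $VmName)
"Checkpoints present: $($checkpoints.Count)"

# Section 13.2: export into a dated folder; Export-VM creates a <VMName> subfolder with
# Snapshots, Virtual Hard Disks and Virtual Machines underneath, matching the dir listing above.
$target = Join-Path $BackupDir ("{0} Fully configured 192.168" -f (Get-Date -Format 'yyyy-MM-dd'))
Export-VM -Name $VmName -Path $target
"Export size: $(Get-FolderSizeGB $target) GB (most of it is FW1.vhdx)"
```

Get-VMSnapshot lists the checkpoints that Hyper-V Manager shows; if the count is nonzero while the VM is off, the .avhdx files are what keeps the folder larger than the .vhdx alone.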
14 Importing or Cloning
After exporting a VM, we can import it as a way to restore the VM to a previous state. We can also create a new VM based off of the export. Below, we will import the VM, and move it from 192.168.1.1 to 192.168.1.2. (Normally, a firewall would end with a .1. For this test, we will use .1 to avoid subnet issues.) We could use this to move it to any other IP address. This will be handy if we want two firewalls running in parallel on the same network. We would probably want to use a subnet mask of 255.255.0.0 to allow access to either firewall.
1. Under the Actions tab, and our Windows PC name, select Import Virtual Machine.
2. Browse to the folder we used for the export.
3. Click Next.
4. Select the virtual machine to import. In this case, FW1.
5. Because we want to create a separate VM, choose Copy for the import type.
6. Since we don't want to overwrite FW1, we will put FW2 in a different directory.
7. We will put the virtual hard disks in the same folder.
(Please note, I am not sure if putting everything in the same folder is a best practice. I may change that later.)
8. Verify the settings, and choose Finish to perform the import.
9. It will take a little while to copy FW1.vhdx. Once that is done, the import will finish.
10. We will now have two machines with the same name. Note the creation time on the top one will be a while ago. The creation time on the bottom will be very recent. That is the imported one.
11. Right-click on the VM we just imported, and choose settings.
12. Click Name under Management, and change the name to FW2.
13. Make sure the original VM is not running to avoid an IP address conflict.
14. Now start the VM and change the LAN interface IP address as desired. Since AdGuard is configured to use 0.0.0.0:5353, that should be the only IP change required.
Choose option 2 to change an IP address.
Choose 1 to change the LAN address.
We do not want to configure it by DHCP.
Type in the desired IP address.
Then, type in the desired subnet bit count.
Press enter to skip configuring an upstream gateway.
If we configure DHCP on the same subnet, we need to use a different IP range.
Accept defaults for the remaining options. Services will then restart, and we will see the new LAN IP address and bit count: 192.168.1.2/24.
We can log in to the new web interface at 192.168.1.2 from a PC on that subnet. (That, or we could make sure that everything uses a /16 bit count.)
We will notice that all three interfaces are up when we look at the bottom-right of the dashboard.
15. We can also change the host name for the new machine under Settings:General.
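Steps 1 through 13 of the import can be done from PowerShell with Import-VM and Rename-VM; step 14 (changing the LAN address) still happens at the OPNsense console. This is an added example, not part of the original guide; it assumes the export folder from section 13.2, a clone named FW2 stored under D:\Hyper-V\FW2, and an elevated PowerShell prompt on the host.

```powershell
# Added example (not from the original guide): automate section 14 with the Hyper-V cmdlets.
# Assumed paths and names; adjust them to your host.
$ExportDir = 'D:\Hyper-V\Backups\2024-02-05 Fully configured 192.168\FW1'
$NewName   = 'FW2'
$NewFolder = 'D:\Hyper-V\FW2'

# Step 4: the .vmcx file under Virtual Machines identifies the VM to import.
$vmcx = Get-ChildItem -Path (Join-Path $ExportDir 'Virtual Machines') -Filter '*.vmcx' |
        Select-Object -First 1
if (-not $vmcx) { throw "No .vmcx found under $ExportDir" }

# Steps 5-9: -Copy creates a separate VM from the export, -GenerateNewId gives it its own
# VM ID so it can coexist with FW1, and the path parameters keep the configuration,
# the copied FW1.vhdx and any checkpoints together under the FW2 folder (steps 6 and 7).
$vm = Import-VM -Path $vmcx.FullName -Copy -GenerateNewId `
        -VirtualMachinePath $NewFolder `
        -VhdDestinationPath $NewFolder `
        -SnapshotFilePath   $NewFolder

# Steps 10-12: the copy keeps the old name, so rename it straight away instead of
# telling the two apart by creation time in Hyper-V Manager.
Rename-VM -VM $vm -NewName $NewName

# Step 13: the clone still has 192.168.1.1 on its LAN interface. Refuse to start it while the
# original is running so both firewalls never answer on the same address.
$original = Get-VM -Name 'FW1' -ErrorAction SilentlyContinue
if ($original -and $original.State -ne 'Off') {
    throw "Stop FW1 before starting $NewName, or both will claim 192.168.1.1."
}
Start-VM -Name $NewName

# Step 14 is done at the OPNsense console (option 2, LAN, 192.168.1.2/24) as described above.
```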
15 Troubleshooting
If your DNS blocking is overly aggressive, you may be getting obvious connection errors.
Also, simply opening a website that used to be quick, may take several seconds while it waits for several ad queries to time out.
1. The first place to start is with AdGuard filtering as described above. See if it is showing blocked sites that you may need to access. You can also filter on the IP address of the device having problems.
2. Next, you can disable Unbound DNS blocking under Services:Unbound DNS:Blocklist. Uncheck Enable. Then click the circle-arrow in the top-right to restart Unbound DNS.