How to Manage Users and Authentication on OPNsense? - zenarmor.com (2024)


OPNsense is a free and open-source firewall and router software that can secure and manage your network. Managing users and authentication is a critical component of running an OPNsense firewall. This encompasses both the creation and management of user accounts, as well as the configuration of authentication mechanisms.

OPNsense user management and authentication are critical for ensuring the integrity, confidentiality, and availability of network resources and firewall settings. It is a vital component of network security because it allows companies to manage access to important systems and ensures that only authorized individuals may modify network configurations. Organizations improve their overall network security posture and guard against possible attacks by employing strong identity and access management (IAM) procedures and effective authentication techniques.

In this article, we will provide you with information about user management and authentication types in OPNsense and present a comprehensive guide on how to implement them. The following topics are covered:

  • Access / User Management

  • Accessing the OPNsense Web Interface

  • Authentication

  • User Manager

  • Adding a New User

  • Setting User Permissions

  • Enabling Two-Factor Authentication (Optional)

  • Managing Existing Users

  • Creating User Groups

  • Authorization

  • LDAP/Active Directory Integration (Optional)

  • Setting Up Captive Portal (Optional)

  • Enabling Local Certificate Authority (Optional)

  • Configuring Authentication Servers (Radius)

  • Password Policy (Optional)

  • Authentication services

  • Testing User Authentication

Now, let's begin our article by addressing the topic of User Management, which is our first heading.

1. Access / User Management

OPNsense offers robust access and user management capabilities, allowing administrators to control and secure their network environment effectively. Through the intuitive web interface, administrators can create and manage user accounts, assign privileges, and control access to various network resources. User authentication methods, such as local databases, LDAP, and RADIUS, provide flexibility in integrating with existing authentication systems. Additionally, role-based access control (RBAC) enables fine-grained permission assignment, ensuring that users only have the necessary access privileges for their specific tasks while maintaining overall network security.

First, let's cover how to reach the web interface, since that is where user accounts are managed.

1.1 Accessing the OPNsense Web Interface

To access the OPNsense web interface and begin user management, you can follow these steps:

  1. Connect to the Network: Ensure that your computer or device is connected to the same network as the OPNsense firewall.

  2. Open a Web Browser: Launch your preferred web browser (e.g., Chrome, Firefox, Safari).

  3. Enter the IP Address: In the address bar of the web browser, enter the IP address of the OPNsense firewall. This is typically the LAN IP address of the OPNsense firewall.

  4. Access the Web Interface: Press Enter or Return to access the OPNsense web interface. You should now see the login page.

  5. Enter Login Credentials: Enter the username and password of an authorized user account. The default username is "root" and the default password is "opnsense", unless you set a different one during installation. The web GUI ships with a self-signed certificate, so the browser shows a warning on the first visit. Change the default password immediately after the first login; a firewall reachable with vendor defaults is fully exposed.

    Figure 1. OPNsense Dashboard

You can now proceed with the management of your users.

2. Authentication

Authentication is a crucial aspect of OPNsense, ensuring secure access to network resources. This involves verifying the identity of users trying to log in, thus preventing unauthorized access. Once we understand authentication, we can move on to exploring the topic of user management, which encompasses creating, configuring, and controlling user accounts and their permissions within the system.

2.1 User Manager

To navigate to the User Manager section in OPNsense and add, edit, or delete users, you can follow these steps:

  1. Open the Web Interface: Open the OPNsense web interface by entering the IP address of the firewall in the address bar of your web browser.

  2. Log in: Enter the username and password for an authorized user account to log in to the web interface.

  3. Navigate to User Management: Once logged in, navigate to the user management section of the web interface. This can usually be found under System → Access → Users

  4. Add Users: To add a new user, click on the "+" sign at the bottom right corner of the form

  5. Edit Users: To edit an existing user, click on the "Edit" icon (a pencil) next to the user's name

  6. Delete Users: To delete a user, click on the "Delete" icon (a trash can) next to the user's name

  7. Define User Privileges: In the user management section, you can define the privileges and access of each user to different parts of the GUI

    Figure 2. OPNsense System: Access: Users

Let’s continue by adding a new user to our firewall.

2.2 Adding a New User

Adding a new user to your OPNsense firewall allows you to grant individuals access to your network management interface with specific permissions. This guide outlines the steps to create a new user account.

Follow these steps to create a new user:

Step 1: Log in to the OPNsense Web Interface

Using your administrative credentials, log in to the OPNsense web interface. This is the starting point for managing users and other settings.

Step 2: Navigate to the "User Manager" Section

Find and access the "User Manager" section within the web interface. This is where you'll be able to manage user accounts and their settings.

Step 3: Click on "Add" to Create a New User

To create a new user, click on the "Add" button. This initiates the process of adding a user account.

Step 4: Enter User Details

Now, provide the following details for the new user:

  • Username: Choose a unique username for the user. In this case, let's use "alex."

  • Password: Enter a secure password for the user. Make sure it follows password best practices.

  • Full Name: Provide the user's full name. For example, "Aleksandros."

  • E-Mail: Enter the user's e-mail address.

  • Comment: Optionally, you can add a comment to provide additional information about the user.

  • Preferred Landing Page: This determines where the user will be directed after logging in. "Default" usually refers to the dashboard.

  • Language: Set the language preference for the user's interface.

  • Login Shell: The command interpreter the user gets on an SSH or console login. "/sbin/nologin" denies interactive shell access and is the right choice for every account that only needs the web interface, VPN or captive portal.

    In OPNsense, the login shell determines the command interpreter that is used when a user logs in to the system over SSH or the console. Common choices are:

    1. /bin/sh: The Bourne shell is a simple and basic command interpreter that provides a standard set of commands for interacting with the system. It is a lightweight shell with limited features compared to more modern shells.

    2. /bin/csh: The C shell is known for its C-like syntax and additional interactive features. It offers command-line editing, history, and other conveniences.

    3. /bin/tcsh: This is an enhanced version of the C shell, providing improvements like better command-line editing and more advanced scripting capabilities.

    4. /sbin/nologin: This is not a shell but a way to refuse interactive logins. A user set to "/sbin/nologin" can still authenticate to the web interface, but cannot open a shell on the firewall. Use it for system accounts and for every user who has no reason to run commands on the firewall.

  • Expiration Date: Leave this blank if you don't want the user account to expire.

  • Group Memberships: Specify if the user should be a member of additional groups. For now, select "Not a member of any additional groups."

  • Certificate: If not creating a user certificate, you can leave this blank.

  • OTP Seed: If using OTP (one-time password) authentication, a secret seed is generated. You can leave this blank if not using OTP.

  • Authorized Keys: Paste the user's SSH public keys here, one per line, if the account will log in over SSH. Keys are only useful together with a real login shell and SSH access; for GUI-only accounts leave this empty.

Step 5: Click "Save" to Create a New User

Figure 3. Adding users to OPNsense

The user "alex" with the specified details is now created in OPNsense.

Figure 4. New User is created

2.3 Setting User Permissions

Assigning appropriate user groups in OPNsense is crucial for defining access rights and privileges. User groups allow administrators to apply common access settings to multiple users simultaneously, streamlining the management process. Here's how to set user permissions:

Create User Groups (if not already done): Before setting user permissions, create user groups in OPNsense that represent different levels of access or roles within the network. For example, you can have groups like "Administrators," "Operators," and "Guests," each with distinct privileges. Privileges are attached to the group (on the group's edit page under "Assigned Privileges"), and every member inherits them, so a group is where the actual permission decision is made.

2.3.1 Creating User Groups

Figure 15. Creating User Groups on OPNsense

Here's the step-by-step process to create a new group in OPNsense along with numbered steps and relevant screenshots. We have created a new group named "Operators".

  1. Navigate to System → Access → Groups: Log in to the OPNsense web interface using your administrative credentials. From the main menu, go to "System," then select "Access," and finally choose "Groups."

    Figure 5. Adding a user to a group on OPNsense

  2. Click the + Button to Create a New Group: In the Groups section, look for the "+" button or "Add" option. This button allows you to initiate the process of creating a new group.

    Figure 6. Create a New Group on OPNsense

  3. Enter Group Details: A form will appear for you to enter details about the new group.

    1. Name: Provide a name for the group, such as "Operators."

    2. Description: Optionally, you can add a brief description of the group's purpose.

    Figure 7. Create a New Group on OPNsense

  4. Select Users: In the "Members" field, move the users that belong in this group from the "Not a member" list to the "Member" list. Add only the accounts that need this role; membership is what grants them the group's privileges.

    Figure 8. Select User for Group on OPNsense

  5. Save the Group: After selecting the users, locate the "Save" button or an equivalent option to finalize the group creation process.

    Figure 9. Save the created group

2.3.2 Assign Users to User Groups

You can assign users to user groups to control their access and permissions. User groups can be configured to have specific privileges and restrictions. Here's how you can assign users to user groups in OPNsense:

  1. Access User Manager: Log in to the OPNsense web interface using your administrative credentials. From the main menu, navigate to the "User Manager" section.

  2. Edit User Details: Find and select the user account you want to assign to user groups. In this case, select the user "alex" that you created earlier. Click on the "Edit" option associated with the user.

    Figure 10. Edit User Details

  3. Group Memberships: In the user's editing page, locate the "Group Memberships" section. This is where you'll manage the user's group affiliations.

    Figure 11. Group Membership

  4. Select User Groups: The "Group Memberships" field shows two lists, "Not a member" and "Member"; select a group and use the move buttons to transfer it. Hold down the CTRL key (PC) or COMMAND key (Mac) while clicking to select several groups at once. We have changed the group membership of the alex user from operators to admins. Note that the built-in admins group carries every privilege; move a user there only if they genuinely need full control of the firewall, and keep day-to-day accounts in a group with a narrower set of privileges.

    Figure 12. Select Group

Note that you can also use centralized authentication servers such as RADIUS or LDAP for user authentication on OPNsense. Privileges are still assigned locally through these groups, so the group setup above applies to directory users as well.

2.4 Enabling Two-Factor Authentication (Optional)

Two-factor authentication (2FA) adds a second proof of identity to the password, so a leaked or guessed password alone is no longer enough to reach the firewall. For an in-depth walkthrough of enabling 2FA, you can refer to our previously authored article on the topic.

OPNsense implements 2FA as time-based one-time passwords (TOTP, RFC 6238), so any TOTP app such as Google Authenticator or FreeOTP can generate the codes. It is enabled by creating an authentication server of type "Local + Timebased One Time Password" under System → Access → Servers, generating an OTP seed on each user (the "OTP Seed" field from section 2.2), and selecting that server for each service that must require the second factor. The following OPNsense services have 2FA support:

  • Virtual Private Networking (OpenVPN & IPsec)

  • Caching Proxy

  • OPNsense Graphical User Interface

  • Captive Portal

You may easily enable 2FA with Google Authenticator or FreeOTP for GUI and captive portal access in an OPNsense firewall. Test the new server with a second browser session before switching the GUI over to it, so that a mistyped seed does not lock you out, and keep NTP working on the firewall: TOTP codes only match while the firewall and the phone agree on the time.
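The code path behind the OTP seed, as an added example written for this article rather than taken from OPNsense: an RFC 6238 TOTP generator and verifier with a clock-skew window, plus the split of OPNsense's combined password field into token and password (token first by default; the "Reverse token order" option on the server swaps this). The seed below is the RFC 6238 test secret, not a real user's seed, and the function and variable names are this example's own.

```python
"""RFC 6238 time-based one-time passwords, the mechanism behind OPNsense's
"Local + Timebased One Time Password" server.  Added example, stdlib only;
RFC_SEED is the RFC 6238 test secret, not an OPNsense user's seed."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(key, counter) -> dynamic truncation -> zero-padded digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, at: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238: the HOTP counter is the number of `period`-second steps
    since the Unix epoch.  The seed is base32, as shown in the OTP Seed field."""
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    return hotp(key, at // period, digits)


def verify_totp(seed_b32: str, token: str, at: int, digits: int = 6,
                period: int = 30, window: int = 1):
    """Accept the current step and `window` steps either side to tolerate
    clock skew, comparing in constant time.  Returns the matching step
    offset (0 = current step) or None when nothing matches."""
    for offset in range(-window, window + 1):
        candidate = totp(seed_b32, at + offset * period, digits, period)
        if hmac.compare_digest(candidate, token):
            return offset
    return None


def split_login_field(field: str, token_length: int = 6, reverse: bool = False):
    """OPNsense reads token and password from the one password field:
    token first by default, password first when 'Reverse token order' is set."""
    if len(field) <= token_length:
        raise ValueError("password field too short to contain a token")
    if reverse:
        return field[-token_length:], field[:-token_length]
    return field[:token_length], field[token_length:]


# Constructed: the RFC 6238 Appendix B test secret, base32 encoded.
RFC_SEED = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print("TOTP at t=59 (8 digits):", totp(RFC_SEED, 59, digits=8))  # 94287082
    now = int(time.time())
    token = totp(RFC_SEED, now)
    print("verify offset:", verify_totp(RFC_SEED, token, now))       # 0
    print(split_login_field(token + "hunter2"))
```

The window argument is the part to think about: each extra step doubles the number of codes an attacker can replay within the validity window, so keep it at one step either side and fix the firewall's clock rather than widening it.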

2.5 Managing Existing Users

OPNsense provides an easy-to-use User Manager interface that allows administrators to edit or delete existing user accounts. Managing existing users involves editing user details, changing passwords, modifying group assignments and deleting users. Here's how:

  1. Go to System → Access → Users.

    Figure 13. Edit existing users on OPNsense

  2. Select the user that you want to edit or delete.

  3. If you want to edit the user, click the Edit button.

    Figure 14. Edit existing users on OPNsense

  4. In the Edit User dialog box, you can make changes to the user's name, password, email address, and privileges.

  5. Click the Save button to save your changes.

  6. If you want to delete the user, click the Delete button.

  7. In the confirmation dialog box, click the Delete button to confirm.

Here are some additional details about editing and deleting existing users on OPNsense:

  • When editing a user, you can change the user's name, password, e-mail address, group memberships and privileges. After changing groups, check "Effective Privileges" on the user's page: it shows what the user actually holds once group privileges are added in.
  • Deleting a user removes the account, so it can no longer log in to the GUI, SSH, VPN or captive portal. Firewall rules are not tied to user accounts and are not affected. Objects issued to the user that live elsewhere, such as a client certificate under System → Trust → Certificates, are not removed automatically: revoke any certificate the user used for VPN access so it cannot be reused. API keys are stored on the user record and disappear with it.
  • If you delete a user who is a member of a group, the user is removed from the group; the group itself remains.
  • While it is possible to add, edit, or delete users in the User Manager section of the web interface, the default user "root" cannot be deleted. Protect it with a strong password and 2FA instead.

3. Authorization

Authorization refers to the process of granting or denying access to specific resources or actions based on a user's privileges and permissions. In the context of OPNsense, authorization plays a crucial role in controlling and managing user access to various features, services, and configurations within the firewall.

The primary purpose of authorization on OPNsense is to enforce security and access control policies. It is implemented as privileges: each privilege corresponds to a page or function of the GUI (a single settings page, or "GUI: All pages" for full administrative access), and privileges are assigned to groups under System → Access → Groups → Edit → Assigned Privileges, or directly to a user. A user's effective privileges are the union of their own and those of their groups. Grant each group the smallest set of pages its role needs, so that an operator account cannot change rules, users or authentication settings, and reserve the built-in admins group for the few people who administer the firewall.

Robust authorization depends on sound user management, and this is where LDAP (Lightweight Directory Access Protocol) integration comes in. By connecting OPNsense to an LDAP directory or an Active Directory (AD) server, you can centralize user authentication while keeping privilege assignment on the firewall, where group membership decides what a directory user may do.

3.1 LDAP/Active Directory Integration (Optional)

LDAP/Active Directory Integration on OPNsense allows you to streamline user authentication and access control by integrating your firewall with an LDAP (Lightweight Directory Access Protocol) or Active Directory server. This integration simplifies user management and enhances security through centralized authentication and authorization mechanisms.

By connecting OPNsense to your LDAP/Active Directory server, you can achieve the following benefits:

  • Centralized User Management: Users authenticate with the credentials held in your LDAP/Active Directory server; OPNsense does not copy password hashes but binds to the directory with the supplied credentials at login time. With group synchronization enabled it can also create the local user and map directory groups to OPNsense groups automatically, so accounts do not have to be maintained twice.

  • One Set of Credentials: Users log in to OPNsense with their directory username and password, without a separate firewall password. This is centralized authentication rather than single sign-on: the login page is still presented.

  • Enhanced Security: Leverage the security measures implemented on your LDAP/Active Directory server, ensuring consistent and robust authentication practices.

  • Access Control and Permissions: Assign specific user groups and permissions based on your LDAP/Active Directory structure, enabling fine-grained control over who can access which resources on the firewall.

  • Reduced Administrative Overhead: Changes in user accounts or passwords are reflected automatically, reducing the manual effort required for user management.

To implement LDAP Integration on OPNsense, follow the steps outlined in the official documentation or refer to our comprehensive guide. By successfully integrating LDAP/Active Directory with OPNsense, you'll enhance security, streamline user management, and establish a more efficient network infrastructure.

3.2 Setting Up Captive Portal (Optional)

The captive portal is a network access control mechanism that intercepts a client's first web request and redirects it to a login page. Captive portals are commonly used for guest access management in open access networks, such as those found in hotels, hospitals, airports, restaurants, and corporate guest networks. When the captive portal is enabled, access to the Internet is blocked until the user completes the portal's web form: signing in with an account or voucher, or, on open guest networks, supplying details such as a name and e-mail address or accepting the terms of use.

A captive portal in OPNsense is a powerful feature that enables network administrators to manage guest access and control user authentication on their network. It serves as an authentication gateway, typically used in public Wi-Fi networks or other controlled environments. With a captive portal, users connecting to the network are redirected to a login page where they need to provide credentials or agree to terms of use before gaining access to the internet or specific network resources. This feature allows administrators to ensure network security, track user activity, and implement access controls effectively.

In addition to its captive portal functionality, OPNsense offers user-based filtering, which enhances network security and control. User-based filtering allows administrators to implement specific Internet access policies based on individual user accounts. This feature enables network administrators to tailor internet access rights, content filtering, and bandwidth allocation according to different users or user groups.

3.3 Enabling Local Certificate Authority (Optional)

Setting up a local Certificate Authority (CA) on OPNsense lets the firewall issue its own certificates for OpenVPN, the web interface, the captive portal or client authentication, so that those endpoints can be verified against a CA you control instead of against unrelated self-signed certificates. This section covers creating the CA and, because the same form fields appear there, issuing a first certificate under it.

Here are the step-by-step instructions to enable a Local Certificate Authority on OPNsense:

  1. Log in to the OPNsense Web UI: Use your credentials to access the OPNsense web interface.

  2. Navigate to Trust Authorities: From the left-hand menu, go to System → Trust → Authorities.

  3. Create a Root Certificate: Click the "+" (plus) sign to open the authority form.

  4. Fill Out the Form: For a new root CA, set Method to "Create an internal Certificate Authority". The other methods on this form are "Import an existing Certificate Authority" (bring a CA certificate, and optionally its private key, from elsewhere) and "Create an intermediate Certificate Authority" (signed by an internal CA that already exists on the firewall).

Certificates issued under the CA are created from System → Trust → Certificates, where the "+" button offers four methods:

  1. Create an Internal Certificate: Issue a certificate signed by one of your internal CAs.

  2. Import an Existing Certificate: Import a pre-existing certificate (and key) from an external source.

  3. Create a Certificate Signing Request: Generate a Certificate Signing Request (CSR) and keep its private key on the firewall, so that a trusted external Certificate Authority can sign it.

  4. Sign a Certificate Signing Request: Take on the role of a CA and sign a CSR from another device with your internal CA's private key.

Both forms share most of the remaining fields, described below; the fields that only make sense when issuing a certificate under a CA ("Certificate Authority", "Type" and "Alternative Names") belong to the certificate form.

Descriptive Name: Enter a name that will help you identify the object (e.g., "Local CA" for the authority, or the user or host name for a certificate).

Certificate Authority (certificate form):

  • Select the internal CA that will sign the certificate. If no internal Certificate Authorities have been defined, you need to add one before creating an internal certificate.

Type (certificate form): Client Certificate

  • Choose the type of certificate you want to generate. The type sets the key usage and extended key usage constraints, and peers enforce them: a client certificate presented by a server, or the reverse, is rejected.

In OPNsense, the following types of certificates can be generated:

  1. Client Certificate: A certificate used to authenticate a client to a server. It is used to verify the identity of the client and establish a secure connection.

  2. Server Certificate: A certificate used to authenticate a server to a client. It is used to verify the identity of the server and establish a secure connection.

  3. Combined Client/Server Certificate: A certificate that can be used for both client and server authentication. It is used to verify the identity of both the client and server and establish a secure connection.

  4. Certificate Authority: A certificate used to sign other certificates and establish a trust relationship between the certificate holder and the entities that rely on the certificate

Key Type: RSA

  • Select RSA as the key type; Elliptic Curve is the alternative.

  • RSA: RSA (Rivest-Shamir-Adleman) is a widely used asymmetric algorithm whose security rests on the difficulty of factoring large numbers. In the context of certificates, RSA is used for generating key pairs, where the private key is kept secret and the public key is used to verify digital signatures and, in some protocols, for encryption.

  • Elliptic Curve: Elliptic Curve Cryptography (ECC) is an asymmetric algorithm based on the mathematics of elliptic curves. ECC offers security comparable to RSA with much smaller keys (a P-256 key is roughly equivalent to RSA-3072), which makes it cheaper in computation and storage and is why it is common in modern protocols. Some older VPN clients and embedded devices only accept RSA, so check your client base before choosing ECC for a CA.

Key Length (bits): 2048

  • Choose the key length. 2048 bits is the minimum you should accept today; for the CA itself prefer 4096 bits (or an EC key), since the CA key is the hardest one to rotate later.

Digest Algorithm: SHA256

  • Select the digest algorithm. Use SHA256 or stronger; certificates signed with SHA1 are rejected by current browsers and operating systems.

Lifetime (days): 364

  • Specify the lifetime of the certificate in days. A certificate is never trusted beyond the validity of the CA that signed it, so give the CA a longer lifetime than the certificates it will issue. The 364 days shown here is the value from the example screenshot; it suits a user or server certificate but is short for a CA.

Private Key Location: Save on this firewall

  • Select "Save on this firewall" to keep the private key on the current firewall. It is stored in the configuration (config.xml), so treat configuration backups as secrets: anyone holding a backup holds your CA key.

  • If the certificate is for use on another device and you do not want the key to remain on the firewall, choose "Download and do not save"; the key is handed to you once and never stored.

Distinguished Name Fields

In the context of certificate creation, the "Distinguished Name" (DN) refers to a set of fields that provide information about the identity of the entity for which the certificate is issued. These fields are part of the X.509 standard for defining the format of public key certificates.

Here are the common Distinguished Name fields and their explanations:

  • Country Code: Enter the country code (e.g., AD for Andorra).

  • State or Province: Enter the state or province (e.g., Sachsen).

  • City: Enter the city (e.g., Leipzig).

  • Organization: Enter the organization name (e.g., My Company Inc).

  • Email Address: Enter the email address (e.g., [emailprotected]).

  • Common Name: Enter the common name (e.g., internal-ca).

Alternative Names:

The "Alternative Names" (Subject Alternative Name, SAN) extension lets a certificate carry additional identifiers besides the Common Name. Current browsers match a host name against the SAN list and no longer fall back to the Common Name, so a server certificate must list every name it is reached by. The identifier types are:

  1. DNS Names: These are domain names or fully qualified domain names (FQDNs) that the certificate should be valid for. For example, you can include multiple subdomains like "www.example.com," "mail.example.com," and so on.

  2. IP Addresses: You can specify one or more IP addresses (IPv4 or IPv6) for which the certificate is valid. This is useful when the certificate needs to cover a service that is reached by address rather than by name.

  3. Email Addresses: If the certificate is used for e-mail encryption or authentication, you can include e-mail addresses as alternative names.

  4. Uniform Resource Identifiers (URIs): URIs, such as web URLs, can be included as alternative names. This is relevant when the certificate is used for web services or applications that have specific URI requirements.

If needed, add alternative names (e.g., DNS entries) for the certificate here.

Including alternative names in a certificate is valuable because it allows a single certificate to be valid for multiple purposes or multiple domains. For example, a server certificate for a web server can include alternative names for different subdomains, ensuring that the same certificate can be used for various services hosted on different subdomains of a domain.

When configuring a certificate with alternative names, it's essential to ensure that all the specified names are accurate and relevant to the certificate's intended use. This flexibility simplifies certificate management for multi-domain environments and services that require multiple identifiers to function securely.

Once you've filled out all the necessary fields, review your selections and click "Save" to generate the certificate. This certificate can be used for various purposes, including client authentication and secure communications within your network environment.

Figure 16. Enabling Local Certificate Authority on OPNsense

Figure 17. Added Local Certificate Authority on OPNsense
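The same two objects the Trust pages create, built with the openssl command line so the result can be inspected and verified: an internal CA (what System → Trust → Authorities produces) and a client certificate signed by it with a subjectAltName (what System → Trust → Certificates produces). This is an added example written for this article, not OPNsense code; it needs the openssl binary, and the names internal-ca, alex and alex.example.internal are constructed. The final check evaluates the chain one day after the CA's expiry, which is the lifetime caveat from the form description made concrete.

```python
"""Local CA plus a client certificate, built with the openssl CLI and then
verified.  Added example; needs `openssl` on PATH.  All names are invented."""
import os
import shutil
import subprocess
import tempfile
import time

# Minimal req config: no prompts, no defaults; -subj supplies the DN.
MINIMAL_CNF = "[req]\ndistinguished_name = req_dn\n[req_dn]\n"
LEAF_EXT = ("basicConstraints=CA:FALSE\n"
            "keyUsage=digitalSignature,keyEncipherment\n"
            "extendedKeyUsage=clientAuth\n"                # "Client Certificate" type
            "subjectAltName=DNS:alex.example.internal,email:alex@example.internal\n")


def _openssl(*args, cwd, check=True):
    return subprocess.run(["openssl", *args], cwd=cwd, check=check,
                          capture_output=True, text=True)


def build_demo_pki(ca_days=30, leaf_days=364):
    """Returns a dict of verification results, or None when openssl is absent."""
    if shutil.which("openssl") is None:
        return None
    work = tempfile.mkdtemp(prefix="opnsense-ca-demo-")
    try:
        with open(os.path.join(work, "req.cnf"), "w") as fh:
            fh.write(MINIMAL_CNF)
        with open(os.path.join(work, "alex.ext"), "w") as fh:
            fh.write(LEAF_EXT)
        # 1. Internal CA: RSA-2048 key, SHA-256, self-signed, flagged as a CA.
        _openssl("req", "-x509", "-config", "req.cnf", "-newkey", "rsa:2048", "-nodes",
                 "-sha256", "-days", str(ca_days), "-keyout", "ca.key", "-out", "ca.crt",
                 "-subj", "/C=AD/ST=Sachsen/L=Leipzig/O=My Company Inc/CN=internal-ca",
                 "-addext", "basicConstraints=critical,CA:TRUE",
                 "-addext", "keyUsage=critical,keyCertSign,cRLSign", cwd=work)
        # 2. Key and signing request for the user certificate.
        _openssl("req", "-new", "-config", "req.cnf", "-newkey", "rsa:2048", "-nodes",
                 "-sha256", "-keyout", "alex.key", "-out", "alex.csr",
                 "-subj", "/CN=alex", cwd=work)
        # 3. Sign the request with the CA key, attaching the leaf extensions.
        _openssl("x509", "-req", "-in", "alex.csr", "-CA", "ca.crt", "-CAkey", "ca.key",
                 "-CAcreateserial", "-days", str(leaf_days), "-sha256",
                 "-extfile", "alex.ext", "-out", "alex.crt", cwd=work)
        dump = _openssl("x509", "-in", "alex.crt", "-noout", "-text", cwd=work).stdout
        now_ok = _openssl("verify", "-CAfile", "ca.crt", "alex.crt", cwd=work, check=False)
        # Same chain, evaluated one day after the CA's notAfter: the leaf is
        # still within its own 364 days, but the issuer is gone.
        after_ca = str(int(time.time()) + (ca_days + 1) * 86400)
        later_ok = _openssl("verify", "-attime", after_ca, "-CAfile", "ca.crt",
                            "alex.crt", cwd=work, check=False)
    finally:
        shutil.rmtree(work, ignore_errors=True)
    return {
        "san_present": "DNS:alex.example.internal" in dump,
        "client_auth_only": ("TLS Web Client Authentication" in dump
                             and "TLS Web Server Authentication" not in dump),
        "chain_ok_now": now_ok.returncode == 0,
        "chain_ok_after_ca_expiry": later_ok.returncode == 0,
    }


if __name__ == "__main__":
    print(build_demo_pki())
```

The three extension lines in LEAF_EXT are what the "Type" selector chooses for you; the `-attime` run is the point of the example: with a 30-day CA and a 364-day leaf, verification fails on day 31 even though the leaf itself looks valid for another eleven months.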

3.4 Configuring Authentication Servers (Radius)

Setting up authentication servers like RADIUS on OPNsense is an essential process to enhance security and manage user access efficiently. By configuring RADIUS authentication, administrators can centralize user authentication and provide an extra layer of protection. Let's walk through the step-by-step process of configuring RADIUS authentication to ensure a smooth and secure network environment.

Step 1: Install the FreeRADIUS Plugin (if not already installed)

The purpose of installing the FreeRADIUS plugin on OPNsense is to establish a robust framework for user authentication and access control. By centralizing authentication processes through FreeRADIUS, you can ensure that users' identities are verified before granting them access to network resources.

  1. Log in to your OPNsense web interface.

  2. Navigate to "System" → "Firmware" → "Plugins".

  3. Search for "os-freeradius" and click the "+" button next to it to install the plugin.

    Figure 18. Install the FreeRADIUS Plugin

Step 2: Configure RADIUS Server

By configuring the RADIUS server, you enable a centralized authentication mechanism that bolsters network protection and simplifies user management.

Now, let's delve into the steps to configure the RADIUS server on your OPNsense firewall.

  1. After installing the FreeRADIUS plugin, enable the RADIUS service under "Services" → "FreeRADIUS" → "General". The plugin's tabs hold its local users ("Users") and the devices allowed to query it ("Clients", see Step 3); the plugin itself has no "Servers" tab.

  2. The firewall is told where to send its authentication requests under "System" → "Access" → "Servers".

  3. Click the "+" button to add a new authentication server and set its type to "Radius":

    • Descriptive name: Give your server a descriptive name.

    • Hostname or IP address: The address of the RADIUS server. Use 127.0.0.1 when the server is the FreeRADIUS plugin running on this firewall.

    • Shared Secret: The secret OPNsense and the RADIUS server share. RADIUS does not encrypt packets: the secret only obfuscates the User-Password attribute (an MD5 construction from RFC 2865) and authenticates replies, so use a long random value of 16 or more characters, keep it out of tickets and screenshots, and keep RADIUS traffic on a trusted network.

    • Authentication Port: Typically 1812 (UDP).

    • Accounting Port: Typically 1813 (UDP).

    • Timeout: Set a reasonable timeout value.

    • Retries: Set the number of retries for requests.

    • Description: Provide a brief description of the server configuration.

    • Synchronize groups: Enable to import the group memberships the RADIUS server returns for a user. The groups must exist locally under the same names so that their privileges can be applied.

    • Limit groups: Restrict the sync to a selected list of groups, so that a RADIUS reply cannot place a user in an arbitrary local group such as admins.

    • Automatic user creation: When groups are synchronized, create the local user on first login if it does not exist. Without this, a RADIUS user must already exist locally: RADIUS supplies authentication only, while the user's privileges always come from the local user and its group memberships.

    Figure 19. Configure RADIUS Server

  4. Click "Save" to save the RADIUS server configuration.

    Figure 20. Setting up authentication servers ( RADIUS) in OPNsense

Step 3: Configure FreeRADIUS Client

By configuring the FreeRADIUS client on your OPNsense firewall, you establish the necessary connection between the firewall and the RADIUS server, paving the way for centralized authentication and enhanced network security.

Follow the steps below to configure the FreeRADIUS client:

  1. Still in the FreeRADIUS plugin section, click on the "Clients" tab.

  2. Click the "+" button to add a new client.

    • Client name: Give it a name (e.g., OPNsense).
    • IP Address: The address the requests arrive from. Use 127.0.0.1 when the server is the plugin on the firewall itself; otherwise enter the firewall's interface address facing the RADIUS server.
    • Shared Secret: Use the same secret you entered in the authentication server definition. A mismatch shows up as rejects or timeouts, not as a clear error.
  3. Click "Save" to save the client configuration.

    Figure 21. Configure FreeRADIUS Client

Step 4: Configure Authentication Sources

By defining authentication sources, you determine where the firewall should look to verify user credentials. This flexibility allows you to integrate various authentication methods and services, including local user databases, external LDAP or Active Directory servers, and more. Follow the steps below to configure authentication sources on OPNsense:

  1. Navigate to "System" → "Settings" → "Administration" and scroll to the "Authentication" section.

  2. In the "Server" list, select the RADIUS authentication server you configured. Keep "Local Database" selected as well: if the RADIUS server is down or misconfigured and it is the only entry, nobody can log in to the GUI until the setting is changed from the console.

  3. Click the Save button to activate the settings.

    Figure 22. Configure Authentication Sources

Step 5: Test RADIUS Authentication

Test the setup by logging in with a user that you've configured in the FreeRADIUS Users section. OPNsense sends the authentication request to the FreeRADIUS server running locally. Because privileges are local, the same username must also exist as a local user with the right group membership (or "Automatic user creation" with group synchronization must be enabled); otherwise RADIUS accepts the password and the GUI still has nothing to authorize.

Remember, always refer to the official documentation and guidelines for your specific OPNsense version to ensure accuracy in configuration.

Here are the steps to Test RADIUS Authentication

Figure 23. Create a Test User in FreeRADIUS

  • Create a Test User in FreeRADIUS (if not done already):

Creating a test user in FreeRADIUS on your OPNsense firewall allows you to verify the functionality of the RADIUS server and test user authentication. Follow these steps to create a test user:

In the FreeRADIUS plugin section of OPNsense, navigate to the "Users" tab and create a test user with a username and password.

  • Attempt to Log In:
    From a device on the network where OPNsense is used, open the OPNsense login page and:

  • Enter the username and password of the test user you created in the FreeRADIUS Users section.

  • Click the "Login" button.

  • Observe the Result:

  • If the authentication is successful, you will be logged in to the OPNsense interface.

  • If the authentication fails, you'll likely see an error message indicating that the login credentials are incorrect.

  • Check the RADIUS Logs (Optional):
    If you encounter any issues, check the FreeRADIUS log in the plugin section of OPNsense for the Access-Request and the reason given for a reject, and the firewall's own logs under System → Log Files for the GUI side of the attempt.

Troubleshooting:

If you're unable to log in successfully, double-check the following:

  • The RADIUS server IP, shared secret, and ports are correctly configured in both the RADIUS server settings and the OPNsense authentication server settings.

  • The test user's credentials are correctly entered.

  • The RADIUS server's firewall is not blocking incoming authentication requests from OPNsense.
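The wire-level exchange that the shared secret protects, as an added example written for this article (not OPNsense or FreeRADIUS code): the NAS side builds an Access-Request with the User-Password hidden as RFC 2865 specifies, the server side recovers the password and answers, and the NAS checks the Response Authenticator on the reply. The secret, the user, the password and the 192.0.2.1 address are constructed. Running it with different secrets on the two sides reproduces the first troubleshooting item above: the server decodes garbage instead of the password and the reply fails validation on the NAS.

```python
"""RADIUS Access-Request / Access-Accept between a NAS (OPNsense) and a
server (FreeRADIUS) per RFC 2865.  Added example, stdlib only; secrets,
user and addresses are constructed for the demonstration."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("RADIUS passwords are 1..128 octets")
    padded = password.ljust((len(password) + 15) // 16 * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        out += block
        prev = block                     # chaining uses the ciphertext block
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, ident, username, password, nas_ip, authenticator=None):
    """Returns (packet, request_authenticator); the NAS keeps the
    authenticator to validate the server's reply."""
    ra = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(secret, ra, password.encode()))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + ra + attrs, ra


def parse_attributes(packet: bytes) -> dict:
    length = struct.unpack("!H", packet[2:4])[0]
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return attrs


def build_response(secret, code, ident, request_authenticator, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret, response, request_authenticator) -> bool:
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def simulate_login(nas_secret, server_secret, username, password, user_db, ident=7):
    """NAS builds the request with nas_secret; the server checks it with
    server_secret.  Returns (response code, whether the NAS trusts the reply)."""
    packet, ra = build_access_request(nas_secret, ident, username, password, "192.0.2.1")
    # --- server side ---
    attrs = parse_attributes(packet)
    name = attrs[USER_NAME].decode()
    pw = reveal_password(server_secret, packet[4:20], attrs[USER_PASSWORD])
    ok = hmac.compare_digest(user_db.get(name, b"\x00"), pw)
    reply = build_response(server_secret, ACCESS_ACCEPT if ok else ACCESS_REJECT,
                           packet[1], packet[4:20])
    # --- back on the NAS ---
    return reply[0], verify_response(nas_secret, reply, ra)


if __name__ == "__main__":
    db = {"alex": b"hunter2"}                      # constructed server user database
    print(simulate_login(b"s3cret", b"s3cret", "alex", "hunter2", db))   # (2, True)
    print(simulate_login(b"s3cret", b"other", "alex", "hunter2", db))    # (3, False)
```

Only the password attribute is obfuscated, and only with MD5; the username, NAS address and accept/reject decision travel in the clear, and a request carries no integrity check unless a Message-Authenticator attribute (RFC 2869) is added. That is why the shared secret must be long and random, and why RADIUS belongs on a trusted management network or inside RadSec (RADIUS over TLS).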

3.5 Password Policy (Optional)

A well-defined password policy holds critical importance in maintaining the security and integrity of network resources. Strong password practices serve as the first line of defense against unauthorized access and potential breaches. By implementing a well-crafted password management policy, administrators can prevent unauthorized users from compromising the system and gain better control over user access.

Figure 24. Password Policy on OPNsense

To set a password policy on OPNsense, follow these steps:

  1. Access the OPNsense web interface and log in as an administrator.

  2. Go to System → Access → Servers.

  3. Click on the 'Edit' icon (a pencil) for 'Local Database' under the 'Servers' section.

  4. In the 'Local Database' settings, enable the password policy constraints.

  5. Set the desired options: minimum password length, complexity requirements and the number of days after which a password expires. The policy applies only to accounts in the Local Database; users authenticated through LDAP or RADIUS are governed by the policy of their own directory.

  6. Save the changes.

Article information

Author: Kelle Weber
