OPNsense on ARM
OPNsense is a great firewall built on FreeBSD. However, FreeBSD doesn't currently support ARM devices. Fortunately, SleepWalker has ported it to some ARM devices. It took me a little trial and error to get it working so here are my steps:
1. Make sure you have a supported device. Currently: Helios64 (discontinued), NanoPi R2S, NanoPi R4S, Rock Pi 4 (models A, A+, B, B+), Rock Pi 4C (models C, C+), & Rock Pi E.
2. Load the image:
If you plan to boot from an SD card:
Download the OPNsense image for your device to another computer and use Etcher to write it to the SD card. Then insert the SD card into your device, connect an Ethernet cable, keyboard and monitor, and power it on.
If you plan to boot from the device eMMC:
Use your device manufacturer's instructions to load an SD card with Linux and boot the device from it. Then use curl or wget to download the OPNsense image for your device to the /tmp directory. Install pv and xz (sudo apt-get install -y pv xz-utils) and then run these commands (you may need to replace mmcblk1 with your eMMC device value):
sudo su -
cd /tmp
# Decompress the downloaded image
unxz OPNsense*.xz
# Write the first matching .img to the eMMC; pv shows progress
pv -ptera < "$(ls OPNsense*.img | head -n1)" | dd of=/dev/mmcblk1 obs=512
shutdown now
Unplug the device, remove the SD card, connect a keyboard and monitor, then power it back on.
3. Once the OPNsense device boots, log in at the terminal with the default credentials:
Username: root
Password: opnsense
4. Once logged in to the terminal, you'll be presented with a list of options to choose from. Select "3" to set a new strong password for root.
5. Then select "2" to configure your IP address:
- Configure IPv4 via DHCP? y
- Configure IPv6 via DHCP6? y
- Change web GUI protocol from HTTPS to HTTP? n
- Generate a new self-signed certificate? y
- Restore web GUI defaults? n
6. Once completed, select "0" to log out and then, in another machine's web browser, go to https://ip-address-of-the-OPNsense-device. You'll see a browser warning:
We'll fix this in a moment, but for now click "Advanced" and then the "Proceed to ..." link. You should now see an OPNsense login. Use your root credentials to log in.
7. OPNsense will load a first-launch wizard. Click "Next":
8. Once the wizard completes, the login page will display. Log in, click "Click to check for updates", and then click "Update".
9. Once the update completes and the device has rebooted, log in again.
10. In the left-hand column, select "System > Trust > Authorities", then click on the orange + button:
11. Set Method to "Create an internal Certificate Authority", then provide a descriptive name and country code, and fill in any blank field marked with an orange "i", which signifies a required field. For "Common Name" enter "opnsense.test". Then click "Save".
12. In the left-hand column, select "System > Trust > Certificates", then click on the orange + button:
13. Set Method to "Create an internal Certificate" and Type to "Server Certificate", provide a descriptive name, set "Common Name" to "opnsense.test", set "Alternative Names > DNS" to "opnsense.test", then click "Save".
14. In the resulting list, to the right of the newly created certificate, click the third download button (ca+user cert+user key in .p12 format) and save to your local machine (optionally password protect it when prompted):
16. Add "your-opnsense-ip-address opnsense.test" to your hosts file (replacing the prefix with the actual IP address).
17. Back in the OPNsense dashboard, in the left-hand column, select "System > Settings > Administration", set "SSL Certificate" to the newly created cert, set "Alternate Hostnames" to "opnsense.test", then click "Save".
18. Wait 30 seconds and if the page doesn't refresh, click the link provided in the popup message:
You should now have an OPNsense login with a valid TLS certificate.
Enjoy!
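For the eMMC write in step 2, the following added example (not part of the original post) refuses to overwrite a mounted device and reads the written bytes back to confirm they match the image. The helper names, the optional expected-hash argument and the file name OPNsense-example.img are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Helper names are hypothetical.

# SHA-256 of the first <bytes> bytes of a file or block device.
sha256_of() {  # sha256_of <path> <bytes>
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# Succeeds if <device> or one of its partitions is listed as a mount source.
# The optional second argument lets a constructed table replace /proc/mounts.
is_mounted() {  # is_mounted <device> [mounts-file]
    awk -v d="$1" 'index($1, d) == 1 { hit = 1 } END { exit !hit }' \
        "${2:-/proc/mounts}" 2>/dev/null
}

# Write <image> to <target>, then read the same number of bytes back and
# compare hashes. <expected-sha256> is optional: a value you obtained from
# the download source, if it publishes one (assumption, the post lists none).
flash_and_verify() {  # flash_and_verify <image.img> <target> [expected-sha256]
    local img="$1" target="$2" expected="${3:-}" size want got
    [ -f "$img" ] || { echo "no such image: $img" >&2; return 2; }
    if is_mounted "$target"; then
        echo "refusing: $target or a partition on it is mounted" >&2
        return 3
    fi
    size=$(wc -c < "$img")
    want=$(sha256_of "$img" "$size")
    if [ -n "$expected" ] && [ "$want" != "$expected" ]; then
        echo "image hash $want does not match expected value" >&2
        return 4
    fi
    # conv=fsync flushes to the device before dd exits; notrunc matters only
    # when the target is a regular file (as in a dry run).
    dd if="$img" of="$target" bs=4M conv=notrunc,fsync status=none || return 5
    # The read-back can be served from the page cache; repeat sha256_of after
    # a reboot for a check against the medium itself.
    got=$(sha256_of "$target" "$size")
    [ "$got" = "$want" ] || { echo "read-back mismatch on $target" >&2; return 6; }
    echo "ok: $size bytes verified on $target (sha256 $got)"
}

# Usage on the device, as root, after unxz (file name is a placeholder):
#   flash_and_verify OPNsense-example.img /dev/mmcblk1
```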