
Visual Guide to OPNsense multi-site with HAProxy, Unbound

Screenshot tutorial: using OPNsense as a reverse proxy for multiple domains across two sites, with split DNS so internal clients reach the proxy by name.


REMOTE LOCATION

What system are these screenshots from?

I am using two different desktops/browsers/systems but the same OPNsense between them.

Linux system screenshots

screenshots-system

OPNSense version screenshot

screenshots-opnsense-version

DNSCrypt-Proxy Install

This is a screenshot of the plugin installer page.

os-dnscrypt-proxy installed

dnscrypt-proxy-install

DNSCrypt-Proxy pick a server

This is the main configuration of DNSCrypt-Proxy.

Enable DNSCrypt-Proxy and set a listen address. Use a loopback address and a port other than 53 so it does not collide with Unbound, which keeps port 53; Unbound forwards to this address in the Query Forwarding step further down.

dnscrypt-proxy-enable

Click the ‘i’ icon to reveal the server list

dnscrypt-proxy-find-server-list

The known server list is in the help text for the Server List field.

dnscrypt-proxy-found-server-list

Open it in a new page to pick a server.

dnscrypt-proxy-open-server-list

This is the list of public resolvers available for DNSCrypt.

dnscrypt-server-list

Pick one that meets your needs; the list notes whether each resolver validates DNSSEC, keeps logs, or filters results.

dnscrypt-server-list-selection

Clear any previous DNS

To use the new resolver chain, remove or disable every DNS server configured elsewhere on OPNsense; otherwise queries can bypass Unbound and go out in the clear.

No DNS servers in the general settings

cleardns-general-settings

Don't allow the WAN (DHCP/PPP) to override the DNS server list

cleardns-general-settings-no-wan-dns

If you have DNS servers in Unbound’s DNS over TLS, be sure they are not Enabled.

cleardns-unbound-dns-over-tls

Make sure clients use OPNsense as their DNS server

You can hand out a Pi-hole or a Zentyal server to clients via DHCP instead.

But make sure their upstream DNS is OPNsense. Don't let them recurse to the root servers on their own: a resolver that never asks Unbound never sees the forwards and overrides configured below, and the split DNS silently breaks.

cleardns-dhcp-with-dns-to-opnsense

Setting up Unbound

Unbound stays the primary DNS provider on OPNsense; it just needs a few changes.

Enable Unbound on the standard DNS port (53)

unbound-enable-service

Don't include WAN in Unbound's Network Interfaces; remove it so the resolver is not reachable from the internet as an open resolver. If the other site forwards a domain to this Unbound over WireGuard, the WireGuard interface (or All) must stay selected.

unbound-disable-wan-interface

Query Forwarding with Unbound

Add a forward for each remote domain to that site's resolver, set the catch-all forward to the local DNSCrypt-Proxy listener, and note that the remote resolver's IP is on the other site's network: it is reached over the WireGuard tunnel, not through a local route.

This is the main page for Query Forwarding on Unbound

unbound-query-forwarding-setup

Add a new server for DNSCrypt: leave the domain empty so it becomes the catch-all, and use the DNSCrypt-Proxy listen address and port.

unbound-query-forwarding-dnscrypt-catch-all

Add an entry for each remote domain and the DNS server at that site

unbound-query-forwarding-remote-domain-override

The Query Forwarding server for that domain is a remote address, as intended

unbound-query-forwarding-told-you-it-was-a-remote-domain-override

Unbound local domain overrides

These are the domains hosted on your own network; no remote servers here. Point each override at the address HAProxy listens on: the virtual IP if you use one, or the OPNsense interface address on that subnet. An override that points anywhere else sends clients around the proxy.

This is the Unbound overrides page

unbound-local-domain-overrides

Set up a host override pointing a domain at a local address

unbound-local-domain-host-override
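The Query Forwarding and Overrides pages above map onto a handful of unbound.conf statements. The block below, an added example that is not code from the original post or from OPNsense, renders that fragment for one site and checks it for the two mistakes that break split DNS silently: an override that does not point at a locally routed address, and a name claimed both as a local override and by a remote forward. The DNSCrypt listen address, the networks and every domain name are constructed placeholders.

```python
"""Split-DNS layout for one site, rendered as the unbound.conf fragment that
the OPNsense Query Forwarding and Overrides pages generate, plus checks for
the mistakes that silently break it.

Added example, not code from the original post or from OPNsense. Every
address and domain below is a constructed placeholder (RFC 1918, RFC 2606).
"""
import ipaddress

# Constructed inputs (assumptions, not values taken from the post's screenshots).
DNSCRYPT_LISTEN = ("127.0.0.1", 5353)            # DNSCrypt-Proxy listen address:port
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.10.0/24"),   # this site's LAN
                  ipaddress.ip_network("10.200.0.0/24")]     # WireGuard transit net
REMOTE_FORWARDS = {"remote.example.net": "192.168.20.1"}    # domain -> other site's Unbound
LOCAL_OVERRIDES = {"app.example.org": "192.168.10.1",       # host -> HAProxy frontend IP
                   "git.example.org": "192.168.10.1"}


def render_unbound(dnscrypt, remote_forwards, local_overrides):
    """Return the unbound.conf fragment equivalent to the UI settings."""
    host, port = dnscrypt
    lines = ["server:"]
    if ipaddress.ip_address(host).is_loopback:
        # Unbound refuses to forward to 127.0.0.0/8 unless told otherwise.
        lines.append("    do-not-query-localhost: no")
    for name, ip in local_overrides.items():          # Overrides page
        lines.append(f'    local-data: "{name}. IN A {ip}"')
    for domain, server in remote_forwards.items():    # Query Forwarding, with a domain
        lines += ["forward-zone:", f'    name: "{domain}."', f"    forward-addr: {server}"]
    # Query Forwarding with an empty domain: the catch-all for everything else.
    lines += ["forward-zone:", '    name: "."', f"    forward-addr: {host}@{port}"]
    return "\n".join(lines) + "\n"


def check_split_dns(local_networks, remote_forwards, local_overrides):
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    for name, ip in local_overrides.items():
        addr = ipaddress.ip_address(ip)
        # An override must point at an address we route to locally (the HAProxy
        # frontend or virtual IP); anything else sends clients around the proxy.
        if not any(addr in net for net in local_networks):
            problems.append(f"{name}: override {ip} is not on a local network")
        # A name that is both a local override and inside a remote forward-zone
        # has two owners; decide which site is authoritative for it.
        for zone in remote_forwards:
            if name == zone or name.endswith("." + zone):
                problems.append(f"{name}: also covered by forward-zone {zone}")
    for zone, server in remote_forwards.items():
        srv = ipaddress.ip_address(server)
        # Site resolvers are reached over the tunnel on private space, never via
        # loopback (that is the DNSCrypt catch-all) or a public address.
        if srv.is_loopback or not srv.is_private:
            problems.append(f"{zone}: forward target {server} is not a site resolver")
    return problems


if __name__ == "__main__":
    for p in check_split_dns(LOCAL_NETWORKS, REMOTE_FORWARDS, LOCAL_OVERRIDES):
        print("PROBLEM:", p)
    print(render_unbound(DNSCRYPT_LISTEN, REMOTE_FORWARDS, LOCAL_OVERRIDES))
```

Run it as-is to see the rendered fragment; change an override to a public address or put a host under the remote zone to see the checks fire. The do-not-query-localhost line is the detail most often missed when DNSCrypt-Proxy listens on loopback.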

Wireguard

Quick example setup of my Wireguard:

  • Endpoint Addresses

  • Public Key

  • Allowed IPs

The wireguard instance page

wireguard-remote-instances-enabled-wireguard

Create a wireguard instance

wireguard-remote-create-instance

Showing which instance the peer is attached to

wireguard-remote-instance-being-used-by-peer

The wireguard peer page

wireguard-remote-peers

Create a wireguard peer

wireguard-remote-create-peer-to-connect-to

Looks like it works for me

wireguard-remote-it-works-for-me
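The three fields listed above (endpoint, public key, allowed IPs) are all there is to a site-to-site tunnel, but AllowedIPs does double duty: it is the ACL for source addresses a peer may send and the route table for what we send to it. The block below, an added example rather than code from the original post, renders the config for one end and checks the cryptokey routing, including that the remote site's resolver from the Query Forwarding step actually falls inside the tunnel. Keys are placeholders and all addresses are constructed.

```python
"""Both ends of the site-to-site WireGuard tunnel the guide builds (an
instance plus one peer on each OPNsense), rendered as wg-quick style config,
with checks on the cryptokey routing table: a peer's AllowedIPs is at once
the ACL for source addresses that peer may send and the route for what we
send to it, so it must cover exactly the far site's networks.

Added example, not code from the original post. Keys are placeholders and
all addresses are constructed (RFC 1918 for LANs, RFC 5737 for endpoints).
"""
import ipaddress

SITES = {
    "remote": {"endpoint": "203.0.113.10:51820", "tunnel_ip": "10.200.0.1/24",
               "lans": ["192.168.20.0/24"], "pubkey": "<remote-site-public-key>"},
    "local":  {"endpoint": "198.51.100.20:51820", "tunnel_ip": "10.200.0.2/24",
               "lans": ["192.168.10.0/24"], "pubkey": "<local-site-public-key>"},
}


def allowed_ips(site):
    """Networks the other side lists for this site: its tunnel address as /32 plus its LANs."""
    tun = ipaddress.ip_interface(site["tunnel_ip"]).ip
    return [ipaddress.ip_network(f"{tun}/32")] + [ipaddress.ip_network(n) for n in site["lans"]]


def render_peer_config(me, other):
    """Config for site `me` with site `other` as its single peer."""
    a, b = SITES[me], SITES[other]
    _host, port = a["endpoint"].rsplit(":", 1)
    return "\n".join([
        "[Interface]",
        f"Address = {a['tunnel_ip']}",
        f"ListenPort = {port}",
        "PrivateKey = <generated on this box; never copied across sites>",
        "",
        "[Peer]",
        f"PublicKey = {b['pubkey']}",
        f"Endpoint = {b['endpoint']}",
        "AllowedIPs = " + ", ".join(str(n) for n in allowed_ips(b)),
        "PersistentKeepalive = 25",   # keeps NAT mappings alive so either side can initiate
    ]) + "\n"


def check_routing(me, other, remote_resolver):
    """Problems with what `me` would accept from and route to `other`."""
    problems = []
    ours = [ipaddress.ip_network(n) for n in SITES[me]["lans"]]
    theirs = allowed_ips(SITES[other])
    for o in ours:
        for t in theirs:
            if o.overlaps(t):   # the peer could then claim our own addresses
                problems.append(f"AllowedIPs {t} overlaps our own network {o}")
    if any(t.prefixlen == 0 for t in theirs):
        problems.append("AllowedIPs 0.0.0.0/0 turns a site link into a default route")
    endpoint_ip = ipaddress.ip_address(SITES[other]["endpoint"].rsplit(":", 1)[0])
    if any(endpoint_ip in t for t in theirs):
        problems.append(f"endpoint {endpoint_ip} inside AllowedIPs would be routed into the tunnel")
    resolver = ipaddress.ip_address(remote_resolver)
    # The Unbound Query Forwarding target at the far site must be inside AllowedIPs,
    # otherwise queries are never routed into the tunnel and the forward times out.
    if not any(resolver in t for t in theirs):
        problems.append(f"remote resolver {resolver} is not reachable through the tunnel")
    return problems


if __name__ == "__main__":
    print(render_peer_config("local", "remote"))
    print(check_routing("local", "remote", "192.168.20.1") or "routing OK")
```

Swap the arguments to render the remote side. The checks deliberately reject 0.0.0.0/0: a site link should carry only the far site's prefixes, which is the least-privilege version of what the screenshots set by hand.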

HAProxy

This is the reverse proxy.

Install HAProxy

haproxy-install

HAProxy Real Servers Page

haproxy-real-servers

The address and port of the server running Traefik, plus the proxy protocol version.

haproxy-enable-real-server-add-ip-port

Be sure to enable send-proxy so the receiving end gets the client's real address via the PROXY protocol. The receiver (Traefik here) must be configured to expect it, or the connection fails before the TLS handshake starts.

haproxy-enable-real-server-add-option-send-proxy

HAProxy Backend Pools Page

haproxy-backend-pools

Backend pool creation

Backend pool specifies:

  • Protocol Mode: TCP

  • Proxy Protocol Version: 2

  • Real Servers to use: the real server created above

  • Options pass-through for config: option tcp-smart-connect

haproxy-backend-pool-creation-tcp-mode-proxy-protocol-version

Options pass-through for config: option tcp-smart-connect

haproxy-backend-pool-creation-option-tcp-smart-connect

HAProxy Conditions Page

haproxy-conditions

The condition sets the domain to look out for. Because the frontend runs in TCP mode, HAProxy never sees an HTTP Host header; the condition has to match the TLS SNI extension (req.ssl_sni), which the plugin exposes as SNI condition types. Prefer an exact or ends-with match over "contains": a contains match on the parent domain also catches every other subdomain and, depending on rule order, routes it to the wrong pool.

haproxy-create-condition-host-contains

HAProxy Rules Page

haproxy-rules

The rule specifies what to do when the condition matches: use the backend pool for that subdomain. Rules are evaluated top to bottom and the first match wins.

haproxy-if-rule-contains-condition-use-backend-pool

Here is the HAProxy frontend page, Public Services

haproxy-public-services

Frontend listen address and type

Frontend is what clients connect to.

You need to set the listen address and port; this can be a virtual IP.

You also need to be sure of the following:

  • Type: SSL/HTTPS (TCP mode)

  • Advanced settings / option pass-through:

There are many options you could put here. The essential ones are tcp-request inspect-delay 5s together with tcp-request content accept if { req_ssl_hello_type 1 }: they make HAProxy buffer the TLS ClientHello so the SNI is available when the rules run. Without the inspect-delay the rules evaluate before the hello has arrived and nothing matches.

  • Select Rules: choose the rule tied to the backend this frontend should send traffic to.

  • Save and Apply.

haproxy-create-public-service-type-tcp

Frontend option pass-through and rules

haproxy-create-public-service-options-and-rules

Apply all changes

haproxy-apply-haproxy-changes
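Everything from Real Servers through Public Services above ends up as a short haproxy.cfg. The block below, an added example and not code from the original post or the os-haproxy plugin, renders that config for the TCP-mode SNI setup and includes a small evaluator for the use_backend rules, so rule order and match type can be checked before Apply. Pool names, addresses and hostnames are constructed placeholders.

```python
"""The haproxy.cfg that the plugin settings above produce (TCP-mode frontend
routing on SNI, backends talking PROXY protocol v2 to Traefik), plus a tiny
evaluator for the use_backend rules so rule order and match type can be
checked before hitting Apply.

Added example, not code from the original post or the os-haproxy plugin.
Addresses, pool names and hostnames are constructed placeholders.
"""

FRONTEND_BIND = "192.168.10.1:443"        # virtual IP or interface address HAProxy binds

# (rule name, match kind, value, backend). Kinds mirror HAProxy's string matchers:
# "str" exact, "end" suffix (-m end), "sub" substring (-m sub, the UI's "contains").
RULES = [
    ("app", "str", "app.example.org", "pool_app"),
    ("git", "str", "git.example.org", "pool_git"),
]
BACKENDS = {                              # pool -> real server (host running Traefik)
    "pool_app": ("10.10.0.5", 443),
    "pool_git": ("10.10.0.6", 443),
}
MATCH_FLAG = {"str": "-m str", "end": "-m end", "sub": "-m sub"}


def sni_matches(kind, value, sni):
    """Case-insensitive comparison, as `req.ssl_sni -i` does."""
    sni, value = sni.lower(), value.lower()
    if kind == "str":
        return sni == value
    if kind == "end":
        return sni.endswith(value)
    if kind == "sub":
        return value in sni
    raise ValueError(f"unknown match kind {kind}")


def pick_backend(rules, sni):
    """First matching use_backend line wins, exactly as HAProxy evaluates them;
    None means no rule matched and, with no default_backend, the connection is closed."""
    for _name, kind, value, backend in rules:
        if sni_matches(kind, value, sni):
            return backend
    return None


def render_haproxy(bind, rules, backends):
    out = [
        "frontend public_tls",
        "    mode tcp",
        f"    bind {bind}",
        "    # Hold the connection until the TLS ClientHello is buffered; without",
        "    # this req.ssl_sni is empty when use_backend is evaluated.",
        "    tcp-request inspect-delay 5s",
        "    tcp-request content accept if { req_ssl_hello_type 1 }",
    ]
    for _name, kind, value, backend in rules:
        out.append(f"    use_backend {backend} if {{ req.ssl_sni -i {MATCH_FLAG[kind]} {value} }}")
    for pool, (ip, port) in backends.items():
        out += [
            "",
            f"backend {pool}",
            "    mode tcp",
            "    option tcp-smart-connect",
            "    # send-proxy-v2 is the UI's send-proxy with Proxy Protocol Version 2.",
            "    # The receiver must be configured to expect PROXY protocol, or the",
            "    # TLS handshake fails because the header arrives before the ClientHello.",
            f"    server srv1 {ip}:{port} send-proxy-v2",
        ]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_haproxy(FRONTEND_BIND, RULES, BACKENDS))
    # "contains" rules in the wrong order send app traffic to the parent domain's pool.
    loose = [("site", "sub", "example.org", "pool_site"),
             ("app", "sub", "app.example.org", "pool_app")]
    print(pick_backend(loose, "app.example.org"))   # pool_site, not pool_app
```

The evaluator is the useful part: with "contains" conditions, a parent-domain rule placed above a subdomain rule captures the subdomain's traffic, and an unmatched SNI with no default backend is simply dropped, which is the safe behaviour for a frontend exposed to the internet.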


LOCAL LOCATION

text

system

text

opnsense-version

text

dnscrypt-proxy-install

text

dnscrypt-proxy-enable

text

dnscrypt-proxy-find-server-list

text

dnscrypt-proxy-found-server-list

text

dnscrypt-proxy-open-server-list

text

dnscrypt-server-list

text

dnscrypt-server-list-selection

text

cleardns-general-settings

text

cleardns-general-settings-no-wan-dns

text

cleardns-unbound-dns-over-tls

text

cleardns-dhcp-with-dns-to-opnsense

text

unbound-query-forwarding-setup

text

unbound-query-forwarding-dnscrypt-catch-all

text

unbound-query-forwarding-remote-domain-override

text

unbound-query-forwarding-told-you-it-was-a-remote-domain-override

text

unbound-local-domain-overrides

text

unbound-local-domain-host-override

text

wireguard-local-instances-enabled-wireguard

text

wireguard-local-create-instance

text

wireguard-local-instance-being-used-by-peer

text

wireguard-local-peers

text

wireguard-local-create-peer-to-connect-to

text

wireguard-local-peer-and-remote-instance

text

wireguard-remote-it-works-for-me

text

haproxy-real-servers

text

haproxy-enable-real-server-add-ip-port

text

haproxy-enable-real-server-add-option-send-proxy

text

haproxy-backend-pools

text

haproxy-backend-pool-creation-tcp-mode-proxy-protocol-version

text

haproxy-backend-pool-creation-option-tcp-smart-connect

text

haproxy-conditions

text

haproxy-create-condition-host-contains

text

haproxy-rules

text

haproxy-if-rule-contains-condition-use-backend-pool

text

haproxy-public-services

text

haproxy-create-public-service-type-tcp

text

haproxy-create-public-service-options-and-rules

text

haproxy-apply-haproxy-changes

This post is licensed under CC BY 4.0 by the author.