Audience: IT administrators, network engineers, and virtualization enthusiasts
Environment: Proxmox VE + OPNsense (FreeBSD-based firewall)
1. Why Choose OPNsense?
OPNsense is a FreeBSD-based open-source firewall maintained by Deciso.
It offers enterprise-grade features (IDS/IPS, traffic shaping, VPN, proxy, and QoS) in a modern web interface with active updates.
When running Proxmox VE, OPNsense is one of the best virtual firewall solutions for isolating, routing, and protecting your virtual networks.
2. Installing OPNsense on Proxmox VE
System Requirements
| Component | Minimum | Recommended |
|---|---|---|
| CPU | 2 Cores | 2-4 Cores (VT-x / AMD-V enabled) |
| RAM | 2 GB | 4-8 GB (more for IDS/IPS) |
| Disk | 10 GB | 20 GB+ |
| NICs | 2 | One for WAN, one for LAN (add DMZ if needed) |
Network Bridge Layout
| Purpose | Bridge | Description |
|---|---|---|
| WAN | vmbr0 | External Internet connection |
| LAN | vmbr1 | Internal virtual network |
Upload the OPNsense ISO
Download the latest ISO from https://opnsense.org/download/
Then upload it to your Proxmox node:
```bash
scp OPNsense-*.iso root@<pve_ip>:/var/lib/vz/template/iso/
```
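Create the VM via CLI
```bash
# --ostype other: OPNsense is FreeBSD-based, not a Linux guest.
# The boot order is quoted so the shell does not treat ';' as a command separator.
qm create 101 \
  --name opnsense \
  --memory 4096 \
  --cores 2 \
  --cpu host \
  --machine q35 \
  --bios ovmf \
  --ostype other \
  --scsihw virtio-scsi-pci \
  --bootdisk scsi0 \
  --boot 'order=scsi0;ide2;net0' \
  --agent 1 \
  --rng0 source=/dev/urandom
```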
Add disk and network interfaces:
```bash
qm set 101 --scsi0 local-lvm:20
qm set 101 --ide2 local:iso/OPNsense-25.1.iso,media=cdrom   # use the filename you uploaded
qm set 101 --net0 virtio,bridge=vmbr0   # WAN
qm set 101 --net1 virtio,bridge=vmbr1   # LAN
qm set 101 --vga serial0 --serial0 socket
```
Start the VM:
```bash
qm start 101
```
Install OPNsense
At the console:
Login: installer
Password: opnsense
Select Install, choose Auto (UFS) for partitioning, and set a root password.
After reboot:
LAN IP: 192.168.1.1/24
User: root
Pass: opnsense
3. Accessing the Web GUI
Open your browser and go to:
https://192.168.1.1
Log in with default credentials.
Follow the setup wizard:
- Hostname, DNS, NTP
- WAN configuration (DHCP / PPPoE / Static)
- LAN IP setup
4. Configure WAN Gateway (Static IP)
If your WAN uses a static IP:
System → Routing → Gateways → +Add
Example:
Interface: WAN
Gateway IP: 203.66.123.1
Default Gateway: ✓
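5. If the Web GUI Fails to Start
At the console:
```sh
# OPNsense serves the web GUI with lighttpd (nginx is not part of the base install),
# so restart it through configd rather than an nginx service.
service configd start
configctl webgui restart
```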
Or from the text menu:
12) Restore the web GUI configuration
6. Setting Up OpenVPN
Step 1: Create a Certificate Authority (CA)
System → Trust → Authorities → +Add
Choose "Create an internal Certificate Authority"
Step 2: Create a Server Certificate
System → Trust → Certificates → +Add
- Certificate authority: VPN_CA
- Type: Server Certificate
Step 3: Create an OpenVPN Server
VPN → OpenVPN → Servers → +Add
Recommended settings:
Server Mode: Remote Access (SSL/TLS + User Auth)
Protocol: UDP
Device Mode: tun
Interface: WAN
Tunnel Network: 10.8.0.0/24
Local Network: 192.168.1.0/24
Redirect Gateway: โ
Step 4: Create VPN Users
System → Access → Users → +Add
Enable "Create Certificate" for each user.
Step 5: Export the Client Configuration
VPN → OpenVPN → Client Export → Select user → Download the .ovpn file
7. Allow VPN Clients to Access Multiple Internal Networks
If you have multiple LANs:
LAN1: 192.168.1.0/24
LAN2: 192.168.2.0/24
Add both in OpenVPN → Server → Routing → Local Network:
192.168.1.0/24,192.168.2.0/24
Then open Firewall → Rules → OpenVPN:
Action: Pass
Source: 10.8.0.0/24
Destination: any
Clients will automatically get routes to both LANs.
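The pass rule above allows more than the two networks the server pushes. As an added example (not part of the original guide and not OPNsense code), the following Python compares OpenVPN pass rules with the pushed Local Network list and derives one rule per LAN. The rule table is a constructed, simplified stand-in for the GUI rows, and the function names are hypothetical.

```python
"""Audit OpenVPN pass rules against the networks the server pushes (added example)."""
from ipaddress import ip_network

# Values taken from the walkthrough above.
TUNNEL = ip_network("10.8.0.0/24")
LOCAL_NETWORKS = [ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")]

# Constructed rule table: a simplified, hypothetical stand-in for the rows
# under Firewall > Rules > OpenVPN (this is not OPNsense's storage format).
RULES = [
    {"action": "pass", "source": "10.8.0.0/24", "destination": "any"},
]

def _net(value):
    """Map the GUI keyword 'any' to 0.0.0.0/0, otherwise parse the CIDR."""
    return ip_network("0.0.0.0/0" if value == "any" else value)

def audit(rules, tunnel=TUNNEL, local_networks=LOCAL_NETWORKS):
    """Return (rule_index, problem) pairs for pass rules wider than intended."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["action"] != "pass":
            continue
        src, dst = _net(rule["source"]), _net(rule["destination"])
        if not src.subnet_of(tunnel):
            findings.append((i, f"source {src} is not limited to tunnel {tunnel}"))
        if not any(dst.subnet_of(lan) for lan in local_networks):
            findings.append((i, f"destination {dst} exceeds pushed networks"))
    return findings

def least_privilege_rules(tunnel=TUNNEL, local_networks=LOCAL_NETWORKS):
    """One pass rule per pushed network, replacing a single 'any' rule."""
    return [{"action": "pass", "source": str(tunnel), "destination": str(lan)}
            for lan in local_networks]

def unreachable(rules, local_networks=LOCAL_NETWORKS):
    """Pushed networks no pass rule covers (client gets a route but no access)."""
    dsts = [_net(r["destination"]) for r in rules if r["action"] == "pass"]
    return [str(lan) for lan in local_networks
            if not any(lan.subnet_of(d) for d in dsts)]

if __name__ == "__main__":
    for idx, problem in audit(RULES):
        print(f"rule {idx}: {problem}")
    tightened = least_privilege_rules()
    print("tightened:", tightened, "remaining findings:", audit(tightened))
```

Entering the two derived rules in place of the single "any" rule keeps both LANs reachable while dropping everything else that arrives over the tunnel.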
8. Layer-7 (L7) Application Control
By default, pf (the firewall engine) supports Layer-3/4 filtering only.
To implement L7 (application-level) control, OPNsense uses add-ons:
| Module | Purpose | L7 Capabilities |
|---|---|---|
| Zenarmor (Sensei) | Deep packet inspection, app blocking | ✓ App-based filtering (YouTube, VPNs, etc.) |
| Suricata | IDS/IPS with signature-based DPI | ✓ Protocol recognition, threat detection |
| Squid Proxy | Web filtering & caching | ⚠️ HTTP/HTTPS only |
Recommended combo: Zenarmor + Suricata (visibility + protection).
9. Troubleshooting Quick Reference
| Problem | Solution |
|---|---|
| Web GUI not loading | configctl webgui restart |
| VPN connection fails | Ensure UDP/1194 is allowed on WAN |
| Certificate error | Recreate CA and re-issue server cert |
| VPN client can't reach LAN | Add routes in Local Network and firewall rules |
| Gateway shows "Offline" | Change monitor IP or check upstream connectivity |
10. Conclusion
Deploying OPNsense on Proxmox VE gives you a flexible, secure, and cost-effective virtual firewall solution.
It can handle multi-WAN routing, VLAN segmentation, VPN connectivity, Layer-7 controls, and IDS/IPS, all without license fees.
For small and mid-sized enterprises, it's a robust, open-source platform that brings security, visibility, and control directly into your virtual infrastructure.