How to Integrate an OPNsense Firewall on a Kamatera server

This guide provides a comprehensive walkthrough for deploying and configuring an OPNsense firewall on a Kamatera server. By integrating OPNsense, users can transition from basic cloud networking to a robust, enterprise-grade security posture, enabling advanced traffic filtering, VPN capabilities, and granular network monitoring for their cloud resources.

Prerequisites

To start, you will need:

    • A Kamatera account
    • Network requirements:
      • Dedicated Public IP (Static IP) for WAN.
      • Private subnet for LAN (e.g., 192.168.0.0/24)

Note: Each Kamatera server instance comes with one dedicated public IP address by default.

Create an OPNsense server

Create an OPNsense server by following these steps:

  1. From the sidebar select My Cloud > Create New Server.
  2. Choose the preferred Zone.
  3. Set the Data Center to host your server.
  4. Navigate to Service Images.
  5. Select OPNsense from the service list.
  6. Choose the OPNsense version.

The 25.7 64-bit version will be used for this tutorial. The requirements for an OPNsense server are:

Component       Recommended requirements
Processor       2 cores CPU
RAM             3GB
Install target  40GB SSD

Network configuration

Set a Static IP and a Prefix to turn OPNsense into a gateway in order to enable access to the Internet by following these steps:

  1. Select Advanced Mode.
  2. Click Add Network.

Note: It’s highly recommended to run a firewall server with a LAN network in addition to the WAN network to increase traffic security. New Lan provides the necessary options to set the OPNsense IP as a gateway automatically.

  3. Set up the OPNsense IP as a gateway:

Field         Network/Subnet address  IP/prefix
WAN           Auto                    Auto
New Lan       192.168.0.0             24
vlan-8181058  Choose a Name           192.168.0.254

Do not forget to switch the Set as a gateway button to ON.

  4. Set the Admin Password and server Name, and leave the Power On Servers button untouched unless you wish to deploy a powered-off server.
  5. Set the preferred Billing Cycle to monthly or hourly.
  6. Select the CREATE SERVER button to deploy.

After a couple of minutes, once the deployment process has finished, the newly created OPNsense server will be visible in the Servers tab.

Accessing the server console (optional)

It’s possible to connect directly to the server’s command-line interface to perform advanced troubleshooting or regain access if the OPNsense Web GUI ever becomes unreachable.

Note: This tutorial sticks to the Web GUI for convenience. You may refer to the OPNsense CLI Initial Configuration Instructions if necessary.

  1. Select Actions > Console to open the CLI tab/window.
  2. Log in with root and the Admin password created previously.
  3. The OPNsense console menu is displayed.

Initial steps at OPNsense Web GUI

Connect to the OPNsense panel to configure your server, firewall and VPN preferences:

  1. Access the Overview Tab.
  2. Copy the WAN Address and paste it into your browser URL field.

Your browser might show a security warning about the lack of an SSL certificate because you’re connecting to an IP instead of a domain name. You may ignore it and proceed past the warning.

  3. Log in as root and use your server password from Kamatera.
  4. Check for Pending Updates on the OPNsense dashboard to make sure your firewall version is up to date.
  5. The system will look for available updates and download them automatically.
  6. Select the Update button to install the updates, then hit OK to reboot the OPNsense firewall.

OPNsense general settings

Configure the General Settings to define your firewall’s identity (Hostname/Domain) and DNS servers, ensuring it can properly resolve internet names and validate security certificates.

  1. From the sidebar, select System > Settings > General and insert the following values:

Field       Value
Hostname    something simple
Domain      internal
Time Zone   your time zone
Language    preferred language
DNS server  8.8.8.8
DNS server  8.8.4.4

Use Gateway None for both DNS servers listed above.

  2. In the same section, UNCHECK the Allow DNS server list to be overridden by DHCP/PPP option in order to force the firewall to use a custom DNS, such as 8.8.8.8 and 8.8.4.4.
  3. Leave the DNS Gateway values set to None, since OPNsense will automatically route the DNS queries out through the default gateway (WAN).
  4. After unchecking the DNS Override checkbox, hit the Save button to apply the changes.

Add firewall rules (LAN)

To implement or update IP exceptions to allow traffic, navigate from the OPNsense sidebar:

  1. Access Firewall > Rules > LAN.
  2. Select the + Add Button in the LAN Rules card (top right).
  3. Set up the LAN Rule with the following parameters:

Field        Value
Action       Pass
Interface    LAN
Direction    In (Traffic coming in from LAN.)
Protocol     Any (Select TCP/UDP or just Any.)
Source       LAN net (This allows anything from the 10.0.0.x network.)
Destination  Any (anywhere on the internet.)
Description  Allow LAN to Internet.

  4. Select the Save button to apply the new Rule.
  5. Hit the Apply Changes button to apply the new rules you’ve just created.

Your OPNsense firewall is now fully operational.

Note: At this point, if you decide to run some tests, you may launch a new web server or database on your server. In this case, verify these two things when creating your item:

Network: Connect it only to the private LAN (192.168.0.0).

Gateway: It should automatically pick up 192.168.0.254 (your OPNsense box) as its gateway.

That server will now be safe behind your firewall, but still able to download updates and communicate with the Internet.

OPNsense web GUI NAT setup

The ports for HTTP and HTTPS at Kamatera have been opened. Now you must tell OPNsense exactly where to send that traffic.

Warning: Prevent a port conflict (lockout risk)! By default, OPNsense uses Port 443 for its admin panel. Your web server also needs this port for secure HTTPS traffic. You must change the OPNsense admin panel to a different port (e.g., 8443) before creating your NAT rules. If you skip this, forwarding port 443 to your web server will cut off your admin access immediately. Browsers do not automatically use SSL on custom ports. You must explicitly type https:// followed by the IP and the new port:

# URL format after migrating OPNSense Panel Port:
https://<WAN_IP>:<NEW_PORT>
# e.g.
https://199.19.75.12:8443

With that in mind, if you decide to change the OPNsense admin port for the Web GUI, follow these steps exactly in this order:

  1. Go back to the Firewall Rules section on the Kamatera console and add a new Rule with the following values:

Field        Value
Direction    IN
Interface    net0 (WAN)
Protocol     TCP
Source       Any
Destination  199.19.75.12 (Swap this for your server WAN IP)
Port         8443
Action       ACCEPT
Position     3

  2. Go to OPNsense System > Settings > Administration.
  3. Find the TCP port field and change the value to 8443.
  4. Scroll down and select the Save button to apply the changes.

Important: The page will load for a while and then time out. This is normal because the port just changed.

  5. Log in on the new port 8443 by typing your server IP with the new port in your browser (e.g., https://199.19.75.12:8443). After that, you should see your login screen again. Do not forget to manually include https:// before the IP.
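
The lockout condition from the warning above can be checked offline against a configuration backup before any port forward is applied. This is an added example, not code from Kamatera or the OPNsense project; it assumes the legacy config.xml layout (system/webgui/port and nat/rule elements), treats every enabled WAN TCP forward as aimed at the WAN address, and uses a constructed sample with hypothetical function names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample. Assumes the legacy config.xml layout
# (system/webgui/port and nat/rule); verify against your own backup.
SAMPLE_CONFIG = """<opnsense>
  <system><webgui><protocol>https</protocol><port>8443</port></webgui></system>
  <nat>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <destination><network>wanip</network><port>443</port></destination>
      <target>10.0.0.2</target><local-port>443</local-port></rule>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <destination><network>wanip</network><port>80</port></destination>
      <target>10.0.0.2</target><local-port>80</local-port></rule>
  </nat>
</opnsense>"""

def gui_port(root):
    """Web GUI listen port; an empty <port> means the protocol default."""
    proto = (root.findtext("system/webgui/protocol") or "https").strip()
    port = (root.findtext("system/webgui/port") or "").strip()
    return int(port) if port else (443 if proto == "https" else 80)

def port_range(text):
    """'443' or '8000-8100' -> (low, high); empty -> all ports; alias -> None."""
    if not text:
        return 1, 65535
    m = re.fullmatch(r"(\d+)(?:[-:](\d+))?", text)
    return (int(m.group(1)), int(m.group(2) or m.group(1))) if m else None

def lockout_conflicts(config_xml):
    """Return (gui_port, [(dest_port, target), ...]) for enabled WAN TCP
    port forwards whose destination port range swallows the GUI port."""
    root = ET.fromstring(config_xml)
    admin, hits = gui_port(root), []
    for rule in root.findall("nat/rule"):
        ifaces = (rule.findtext("interface") or "").split(",")
        proto = (rule.findtext("protocol") or "").lower()
        if rule.find("disabled") is not None or "wan" not in ifaces or "tcp" not in proto:
            continue
        dport = (rule.findtext("destination/port") or "").strip()
        rng = port_range(dport)  # alias names return None and need a manual look
        if rng and rng[0] <= admin <= rng[1]:
            hits.append((dport or "any", rule.findtext("target")))
    return admin, hits

if __name__ == "__main__":
    admin, hits = lockout_conflicts(SAMPLE_CONFIG)
    print(f"GUI port {admin}:", hits or "no WAN port forward captures it")
```

An empty result means no enabled WAN forward overlaps the admin port; any entry in the list names the forward that would take over GUI logins.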

OPNsense NAT rules

Now you need to create the OPNsense NAT rules (port forwarding) to direct incoming internet traffic to your internal web server, allowing the public to access your website. Note: This does not cover NAT 1:1.

  1. Head back to the OPNsense dashboard.
  2. Navigate to Firewall > NAT > Port Forward.
  3. Select the + Add Button in the NAT Rules card top-right.

Caution: Prevent a lockout. Before creating the HTTPS (Port 443) rule below, verify that you have successfully moved your OPNsense admin panel to port 8443 (as shown in the previous section). If your OPNsense admin panel is still on port 443 and you create this NAT rule, you will be locked out immediately because the firewall will forward your own login attempts to the (empty) web server instead of the admin panel.

  4. Fill in these specific fields for the HTTPS NAT Rule if you successfully moved your OPNsense Port from 443 to 8443 (leave the other fields as default):

Field                    Value
Interface                WAN
Protocol                 TCP
Destination              WAN address
Destination Port Range   HTTPS to HTTPS
Redirect Target IP       Single host or Network
Redirect Target IP (2)   10.0.0.2 (Or your Web Server IP)
Redirect Target Port     HTTPS
Filter Rule Association  Add associated filter rule

Note: The setting Add associated filter rule ensures OPNsense automatically creates the permission rule to let the traffic in.

  5. Select the Save button to apply the changes.
  6. Create a second rule for the HTTP NAT by selecting the + Add Button in the NAT rules card top right.

Note: Keep everything the same, except for Destination Port Range and Redirect Target Port (both fields must be set to HTTP).

Field                    Value
Interface                WAN
Protocol                 TCP
Destination              WAN address
Destination Port Range   HTTP to HTTP
Redirect Target IP       Single host or Network
Redirect Target IP (2)   10.0.0.2 (Or your Web Server IP)
Redirect Target Port     HTTP
Filter Rule Association  Add associated filter rule

  7. After saving this rule, hit the Apply Changes button to update the new NAT rules.

Tip: Once you create your web server (e.g., at 10.0.0.2), you can test this by typing your Public WAN IP into your phone’s browser (using 4G/5G, not your own wifi). If it loads your website, your NAT is working.

Create the Internal Certificate Authority

To make a VPN secure, your firewall needs to issue the certificates to prove who you are.

  1. Inside OPNsense, go to System > Trust > Authorities.
  2. Select the + Add Button in the Authorities card bottom-right.
  3. Fill in these fields:

Field              Value
Method             Create an internal certificate authority
Description        OpenVPN-CA (or any description you prefer)
Key type           RSA-2048
Digest algorithm   SHA256
Lifetime (days)    Set the lifetime in days, e.g., 3650 (10 years, so it doesn’t expire.)
Country code       Your country
City               Your city
State or province  Your state or province
Organization       Your organization or company name
Common name        OpenVPN-CA (This is important. If you leave this blank, it often fails.)

  4. Select the Save button to apply the changes.

Create the server certificate

This is the “ID Card” the VPN server will show to your phone/laptop to prove it’s legitimate.

  1. Go to System > Trust > Certificates.
  2. Select the Add + button in the Certificates card bottom-right.
  3. Fill in these fields:

Field              Value
Method             Create an internal certificate
Descriptive name   VPN_Server_Cert (or any name you prefer)
Type               Server Certificate
Key type           RSA-2048
Digest algorithm   SHA256
Issuer             OpenVPN-CA (Select the CA you created previously)
Lifetime (days)    Set the lifetime in days, e.g., 3650 (10 years, so it doesn’t expire.)
Country code       Your country
State or province  Your state or province
City               Your city
Organization       Your organization or company name
Common name        vpn.server (Mandatory: gives the server a specific identity name.)

  4. Hit the Save button to apply the changes.

Set the OpenVPN instance

Now you need to configure the OpenVPN instance by defining the protocol, port, and encryption settings for the VPN Server to establish a secure tunnel for remote access.

  1. Go to VPN > OpenVPN > Instances.
  2. Select the + Add Button in the Instances card bottom-right. A big form will open.
  3. Toggle the Advanced Mode switch on the top-left corner of the form to see all options.
  4. Fill in the following fields with these values:

Field                      Value
Role                       Server
Description                My VPN server
Enabled                    ☑ Checked
Protocol                   UDP
Port number                1194
Type                       TUN
Server (IPv4)              10.8.0.0/24
Certificate                VPN_Server_Cert
Certificate authority      OpenVPN-CA
Verify client certificate  None
Authentication             Local Database
Strict User/CN Matching    No
Local network              192.168.0.0/24

  5. Select the Save button to apply the changes.
  6. Hit the Apply button to update the changes, otherwise the OpenVPN instance will not show up in the firewall rules section.

Set the OpenVPN rules

Configure firewall rules to explicitly allow traffic from connected VPN users to access your internal network or reach the internet.

  1. Go to Firewall > Rules > OpenVPN.
  2. Select the Add + button in the OpenVPN Rules card (top-right).
  3. Fill in these exact fields (leave the others as default):

Field           Value
Action          Pass
Interface       OpenVPN
Direction       in
TCP/IP Version  IPv4
Protocol        any
Source          any
Destination     any
Description     Allow VPN users

  4. Select the Save button to apply the changes.
  5. Hit the Apply Changes button to validate the rule.

Create OpenVPN admin user

In order to create a VPN user, it’s necessary to create the account and issue a personal certificate for them at the same time.

  1. Go to System > Access > Users.
  2. Select the Add + button in the Users card bottom-right.
  3. Fill in these exact fields (leave the others as default):

Field      Value
Username   admin_vpn
Password   (Your strong password)
Full name  (Optional)

  4. Hit the Save button to apply the changes.

Create a certificate for the OpenVPN admin

Generate a unique User Certificate that acts as a digital key, allowing the administrator to prove their identity and connect to the VPN.

  1. Go to System > Trust > Certificates.
  2. Select the Add + button in the Certificates card bottom-right.
  3. Fill in these exact fields:

Field              Value
Method             Create an internal certificate
Description        admin_vpn
Type               Client certificate
Key type           RSA-2048
Digest algorithm   SHA256
Issuer             OpenVPN-CA
Lifetime (days)    3650 (Recommended: 10 years so it doesn’t expire)
Country code       Your country
State or province  Your state or province
City               Your city
Organization       Your organization or company name
Common name        admin_vpn (CRITICAL: Must match username exactly)

  4. Select the Save button to apply the changes.

OpenVPN client export

Generate and download a ready-to-use configuration file that automatically installs the correct OpenVPN keys and settings onto your phone or laptop.

  1. Go to VPN > OpenVPN > Client export.
  2. Find admin_vpn in the list at the bottom.
  3. Click the Cloud download icon to get your .ovpn file.
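
Before handing the exported profile to a device, it can be compared against the instance settings chosen in this guide (UDP, port 1194, TUN, Local Database authentication, trust anchored in OpenVPN-CA). This is an added example, not OPNsense's own export code; the sample profile is constructed with placeholder PEM bodies, the function names are hypothetical, and only standard OpenVPN client directives are checked.

```python
import re

# Constructed sample profile: the address is the tutorial's example WAN IP and
# the PEM bodies are placeholders, not real key material.
SAMPLE_OVPN = """client
dev tun
remote 199.19.75.12 1194 udp
auth-user-pass
remote-cert-tls server
<ca>
(placeholder PEM)
</ca>
<cert>
(placeholder PEM)
</cert>
<key>
(placeholder PEM)
</key>
"""

INLINE = re.compile(r"^<([\w-]+)>\s*\n(.*?)^</\1>\s*$", re.S | re.M)

def parse_ovpn(text):
    """Return ({directive: args of its first occurrence}, {inline block: body})."""
    blocks = dict(INLINE.findall(text))
    directives = {}
    for line in INLINE.sub("", text).splitlines():
        words = re.split(r"[#;]", line, maxsplit=1)[0].split()  # drop comments
        if words:
            directives.setdefault(words[0], words[1:])
    return directives, blocks

def audit_profile(text):
    """List mismatches between a profile and the instance settings in this guide."""
    d, blocks = parse_ovpn(text)
    remote = d.get("remote", [])
    proto = remote[2] if len(remote) > 2 else "".join(d.get("proto", [])[:1])
    dev = "".join(d.get("dev", [])[:1])
    checks = [
        (dev.startswith("tun"), "dev is not tun"),
        (remote[1:2] == ["1194"], "remote port is not 1194"),
        (proto.startswith("udp"), "protocol is not UDP"),
        ("auth-user-pass" in d, "no auth-user-pass (Local Database login)"),
        (d.get("remote-cert-tls") == ["server"], "server certificate type not enforced"),
        ("ca" in blocks, "no inline <ca> to anchor trust in OpenVPN-CA"),
    ]
    return [msg for ok, msg in checks if not ok]
```

When the profile carries an inline key block, that block is the client's private key, so store and transfer the .ovpn file as a secret.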


Congratulations! You now have a fully working OPNsense firewall service with NAT and VPN on your Kamatera server.