@nsoui
Last active December 29, 2023 07:00
Run OPNSense under XEN

Network Topology

I really like the Qubes philosophy of routing all traffic through a dedicated network VM (sys-net in Qubes). For this reason, I chose to install OPNsense as my network domain and to route all traffic, including that of dom0, through it. The Open vSwitch setup below does this: dom0 and every other guest sit on the inner bridge, and only the OPNsense guest is also attached to the bridge that holds the physical NIC.

Open vSwitch

Install Open vSwitch if it is not already installed (on Debian and Ubuntu the package is openvswitch-switch):

sudo apt-get install openvswitch-switch

Create the two bridges:

sudo ovs-vsctl add-br ovsbr0
sudo ovs-vsctl add-br ovssec

The two bridges are the two sides of the router: ovssec is the trusted (LAN) side, to which all my virtual machines, and dom0 itself, will be attached; ovsbr0 is the untrusted (WAN) side and is connected to the physical network interface (replace eth0 with the name ip link shows for your NIC):

sudo ovs-vsctl add-port ovsbr0 eth0

Once eth0 is a port of ovsbr0, dom0 must not keep an IP address on eth0 or on ovsbr0 itself: remove any configuration for eth0 from /etc/network/interfaces and release its DHCP lease. An address there is a path to the outside that never passes the firewall. Dom0 gets its address on the LAN side later, via ovssec.

XL CFG file

# This configures an HVM rather than PV guest
# (on Xen 4.10 and later the equivalent key is type = "hvm")
builder = "hvm"

# Guest name
name = "router"

# Initial memory allocation (MB)
memory = 2048

# Number of VCPUS
vcpus = 2

# Two network devices. Inside the guest they show up in this order
# (first entry = xn0), which is how you tell WAN from LAN when the
# OPNsense installer asks you to assign interfaces:
# ovsbr0: WAN
# ovssec: LAN
# Add mac=00:16:3e:xx:xx:xx to an entry if you need a MAC address that is
# stable across reboots (e.g. because the ISP ties the WAN lease to it).
vif = [ 'script=vif-openvswitch,bridge=ovsbr0'
        , 'script=vif-openvswitch,bridge=ovssec'
]

# Disk Devices
disk = [ '/mnt/xen/disks/opnsense.qcow2,qcow2,xvda,rw'
# the following line can be commented out after the installation is finished
       , '/opt/iso/OPNsense-17.7.5-OpenSSL-dvd-amd64.iso,raw,xvdc,devtype=cdrom,r'
        ]

# PCI passthrough of a physical NIC to the guest, as an alternative to
# bridging the WAN NIC through dom0 as above (the BDF is an example)
#pci = [ '0000:02:00.0' ]

# Guest VGA console configuration, either SDL or VNC
#sdl = 1
#vnc = 1

spice=1
# 0.0.0.0 binds the console on every dom0 address. Together with
# spicedisable_ticketing=1 below this is an unauthenticated console of the
# firewall VM, reachable from any network dom0 is attached to. Prefer
# spicehost='127.0.0.1' (and an SSH tunnel for remote access), or at the
# very least set spicepasswd.
spicehost='0.0.0.0'
spiceport=6001
## spicedisable_ticketing enabled is for no spice password, instead use spicepasswd
spicedisable_ticketing=1
# #spicepasswd="test"
# The agent, clipboard sharing and USB redirection are conveniences for a
# desktop guest; on a firewall VM they only add attack surface and can be
# left disabled.
spicevdagent=1
spice_clipboard_sharing=1
## this will automatically redirect up to 4 usb devices from spice client to domUs
spiceusbredirection=4

Installation

Start the image using

sudo xl create /etc/xen/opnsense.cfg

and go through the installer. When it asks you to assign interfaces, remember the order of the vif list: the first device (xn0) is on ovsbr0 and becomes WAN, the second (xn1) is on ovssec and becomes LAN. Enable the DHCP server on the LAN interface so that OPNsense hands out addresses to everything attached to ovssec, dom0 included.

To check connectivity through the new router, switch to dom0, bring up the internal port of the LAN bridge and request a lease on it:

sudo ip link set ovssec up
sudo dhclient ovssec

If you get an IP address, the DHCP server on the router is working. Then verify that the default route actually leaves via ovssec and that the outside is reachable through it:

ip -4 route show default
ping -c 3 google.com
wget -O /dev/null http://google.com

If the default route still points at eth0 or ovsbr0, dom0 has kept a direct path to the outside and is not protected by the firewall.

Auto-Start

As I am using OPNsense for networking, I need it to be auto-started. For this, move the opnsense.cfg file into the folder /etc/xen/auto (a symlink to the real file works as well) and make sure the xendomains service is enabled, since that is what starts the domains found in that folder at boot. You might need to create the folder. Until the router domU has booted, dom0 has no network at all, so a DHCP request for ovssec issued early in the boot sequence can time out; either start the DHCP client for ovssec after xendomains, or simply re-run dhclient ovssec once the domain is up.
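The following script ties the previous steps together. It is an added example, not part of the original gist: a few checks run in dom0 that report whether dom0 still holds an address on the WAN side (a path around the firewall), whether its default route really leaves via the LAN bridge, and whether the SPICE console in the config above is left unauthenticated on every address. The interface and bridge names (eth0, ovsbr0, ovssec) and the config path /etc/xen/opnsense.cfg are taken from this page; the function names and the --run switch are my own.

```shell
#!/bin/sh
# Added example, not part of the original gist: sanity checks for the
# "all traffic through the router domU" setup described on this page.
# Assumed names (taken from the page, override via the environment):
#   WAN_IF  physical NIC attached to the WAN bridge
#   WAN_BR  WAN-side Open vSwitch bridge
#   LAN_BR  LAN-side bridge that dom0 and the guests hang off
#   CFG     xl config of the OPNsense guest
WAN_IF="${WAN_IF:-eth0}"
WAN_BR="${WAN_BR:-ovsbr0}"
LAN_BR="${LAN_BR:-ovssec}"
CFG="${CFG:-/etc/xen/opnsense.cfg}"

# Reads `ip -o -4 addr show` output on stdin (one address per line:
# "<idx>: <ifname> inet <addr>/<len> ...") and fails if dom0 holds an
# IPv4 address on the WAN NIC or the WAN bridge: such an address is a
# path to the outside that never passes the OPNsense firewall.
check_no_bypass_addrs() {
    awk -v wan="$WAN_IF" -v br="$WAN_BR" '
        $2 == wan || $2 == br { bad = 1; print "dom0 address on " $2 ": " $4 }
        END { if (bad) exit 1 }'
}

# Reads `ip -4 route show default` output on stdin and fails unless the
# default route leaves through the LAN bridge, i.e. via the router domU.
# No default route at all also counts as a failure.
check_default_route() {
    grep -Eq "^default .*dev $LAN_BR( |\$)"
}

# Reads an xl config on stdin and fails if SPICE listens on every address
# (spicehost='0.0.0.0') while ticketing is disabled, which leaves an
# unauthenticated console of the firewall VM open to any network dom0 is on.
# Commented-out lines are ignored, so "# spicedisable_ticketing=1" is fine.
check_spice_exposure() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*spicehost[[:space:]]*=/ { host = $0 }
        /^[[:space:]]*spicedisable_ticketing[[:space:]]*=[[:space:]]*1/ { noticket = 1 }
        END {
            if (noticket && host ~ /0\.0\.0\.0/) {
                print "SPICE console bound to all addresses with ticketing disabled"
                exit 1
            }
        }'
}

# Live run against this dom0 (needs iproute2 and read access to the config).
run_all() {
    rc=0
    ip -o -4 addr show | check_no_bypass_addrs || rc=1
    ip -4 route show default | check_default_route \
        || { echo "default route does not leave via $LAN_BR"; rc=1; }
    check_spice_exposure < "$CFG" || rc=1
    return "$rc"
}

# Only touch the live system when asked; sourcing the file just defines the checks.
if [ "${1:-}" = "--run" ]; then
    run_all
fi
```

Run it as `sh sanity-check.sh --run` in dom0 after the router domU is up; a non-zero exit means at least one of the three checks printed a finding. The checks read their input from stdin on purpose, so they can be exercised against captured `ip` output or a config file without touching the live system.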
