
Lab 1 - Setting Up Your Environment

In this lab, you will focus on setting up your environment, which includes two virtual machines (VMs) that you will use throughout the rest of the semester. Be sure to follow the instructions carefully, and use the internet to clarify or look up information you do not know. Please don't hesitate to ask me questions as well! Each stage represents one part of the lab. Please be sure to show me your completion of each stage in order to get checked off for that part of the lab.

Expected Outcomes

  • Ubuntu server and OPNsense are installed and running
  • Ubuntu is layered behind OPNsense from the "external" network
  • SSH is configured on your Ubuntu machine and accessible from outside OPNsense

Stage 1 - Accessing Proxmox

You will be hosting your virtual machines (VMs) on the School of Computing servers using a virtualization management software called Proxmox. Logging into Proxmox requires a CS account, which you should have verified access to back in Lab 1. If you do not yet have a CS account, please let me know.

Proxmox is accessible at the following URL: https://10.10.129.101:8006

In order to access the above URL, you must either use one of the computers in the lab, or have your personal device be connected to the School of Computing VPN.

proxmox_login.png

Once you visit the Proxmox URL, you should be presented with the above screen. Your username will be your Southern.edu username without the @southern.edu portion at the end, and the password will be the password you set when first logging into the CS account. Please make sure that the realm is set to cs, and not one of the other options.

Once you log in, press ok if you're presented with a "no valid subscription" message, or alternatively refresh the page if clicking ok does not appear to get rid of the message.

Stage 2 - Creating your OPNsense VM

In this stage, you'll create the OPNsense VM. This machine will act as the "router" for the private network you'll be setting up later on in the lab. To do so, follow these steps:

1. Click Create VM on the top right of the page in Proxmox

2. Next, you should see the following box appear:

createvm_general.png

  • Set the Name field to cptr254-opnsense-cs_account_username
    • For example, if you're logged into Proxmox with the username bobbyb, the server name would be cptr254-opnsense-bobbyb
  • Set the Resource Pool to the pool matching your Southern username. Let me know if you do not appear to have one.
  • Leave the rest of the fields as they are, and click next

3. On the next page, you should be presented with the following options:

createvm_os.png

  • Set the Storage field to CIFS-DB
  • Set ISO Image to OPNsense-23.7-dvd-amd64.iso
  • Leave the rest of the settings as is

4. Leave all settings on the System tab at default

5. On the Disks tab, set Storage to SSD and leave the rest as is

6. Under the CPU tab, set Cores to 2

7. Leave all settings on the Memory tab at default

8. On the Network tab, please refer to the VLAN assignments, and do the following:

  • Set the Bridge to vmbr1
  • Set the VLAN Tag to 14
  • Leave the rest as is

9. Click next, verify all the settings match the specifications provided here, and click finish

  • In the event that you get an error referencing that your VM ID is already in use, navigate back to the General tab, and increment the VM ID field up until the box no longer has a red outline around it.

  • Next, navigate back to the Confirm tab and click finish

  • Your OPNsense VM should now successfully be provisioned

  • If it is not successfully created, let me know

Stage 2 - Creating your Ubuntu VM

In this section, you will go through the same steps as Stage 1, but with the settings for an Ubuntu VM.

1. Click Create VM once again

2. On the General tab, do the following:

  • Set the Name field to cptr254-ubuntu-cs_account_username

  • Set the Resource Pool field to the one with your CS account username

  • Leave the rest as is and click next

3. On the Storage tab, do the following:

  • Set the Storage field to CIFS-DB

  • Set ISO Image to ubuntu-24.04-live-server-amd64.iso

  • Leave the rest of the settings as is

4. Leave everything on the System tab default

5. On the Disks tab, set the Storage field to SSD

6. On the CPU tab, set the number of Cores to 2

7. On the Memory tab, set the Memory (MiB) field to 3072

8. On the Network tab, set the VLAN Tag field to the VLAN assigned to you here.

The VLAN tag for your Ubuntu machine should not be 14, but rather your own personal VLAN assigned to you

9. Click confirm. Your Ubuntu VM should now be created and ready to run

Stage 3 - Installing OPNsense

In this section, you will boot your OPNsense machine and complete the necessary configuration for this lab.

1. First, locate your newly created OPNsense VM, right click on it and click start

2. Next, navigate to the Console tab on the right in Proxmox. You should be presented with the following:

opnsense_initial.png

3. Next, login as the installer user

  • It will prompt you for a password. OPNsense has a default password that is set initially. Where might you go to find it?

WARNING: Failing to log in as the installer user means you skip the installation process, and OPNsense will be reset upon every boot. Please ensure you log in as the installer user.

4. Once you successfully login as installer, you should be presented with the following display:

opnsense_installer_1.png

  • Go ahead and press the Enter key to accept defaults

If you do not see the above display after logging in as the installer user, let me know

5. Next, you will be presented with several options, the top of which is Install (UFS). Simply accept the default setting by pressing Enter

6. On the next screen, you will be prompted to "select a disk to continue"

  • You should be presented with two options: cd0 and da0. Read the descriptions and decide which of the two options would be better suited to act as the target installation disk. Use the up/down arrow keys to change your selection, and press Enter to confirm.

7. On the next page, select Yes when prompted to "Continue with a recommended swap partition of size 8GB"

8. At this last stage, you will be prompted with a message warning you that you are about to destroy the contents of a disk. Select Yes and continue

9. Wait for the installer to finish. You will be prompted with the option to either change your root password or complete install. If you choose to change your root password, try not to forget it. Otherwise you will have to restart your OPNsense installation. Finally, click Complete Install

I would advise changing the root password soon, if not now. It's good security practice to always change default passwords

10. After clicking Complete Install, your OPNsense server should reboot on its own, and you should once again be prompted with the login screen from Step 2

This new login display should look nearly identical to the screenshot from Step 2, except for one critical difference. If it still says "Welcome! OPNsense is currently running from live installation media", let me know. This message means OPNsense is currently running off of read-only installation media, and any changes you make will disappear upon reboot in this mode.

Stage 4 - Initial OPNsense Configuration

1. Log in to your OPNsense as the root user, with either the root password you set, or the default, depending on what you did in Stage 3.9

2. Upon successfully logging in, you should be presented with the following:

opnsense_initiallogin.png

Take a moment to look at the available options presented before you. We will be using several of these in the next few steps

3. Before we continue configuring OPNsense, a new network device must be added to it. To do so, please navigate to the Hardware tab, located right below the Console tab in Proxmox. You should be presented with the following:

opnsense_hardware.png

4. Click the Add button at the top, and select Network device from the dropdown

opnsense_vlanconfig.png

5. You will be presented with a small window where you can configure the network device

  • Set the Bridge field to vmbr1

  • Set the VLAN Tag field to the VLAN next to your name on the VLAN Assignments page

  • Click Add

  • Select the CD/DVD Drive, and click Remove

6. Your current hardware should look like the following:

opnsense_hardware2.png

You should now have two network devices. The one with net0 in the name should have tag=14 at the end, while the one ending in net1 should have tag=<YOUR_VLAN_TAG_HERE>

If a hardware device is crossed out and yellow on this screen, it means it will be removed upon next reboot

If your VLAN tags are not configured properly, later portions of the lab will not function. Please check these carefully!

7. Next, navigate back to the Console tab. You should see a new message that indicates a new network device has been detected and added. Press Enter to move past this message and resume configuration.

opnsense_deviceadded.png

8. After pressing enter, you should once again be prompted to Enter an Option. Type 1 to assign interfaces and submit

9. Next, you will be asked whether you want to configure LAGGs, then VLANs; say no to both

10. When prompted to enter the WAN interface name, type vtnet0 and submit

11. Next, type vtnet1 when prompted for the LAN interface name

12. Finally, you should be prompted with something similar to the following screenshot. Proceed if it matches

opnsense_assignint.png

13. After a short delay you should be returned back to the options menu. Please select option 2 (Set interface IP address)

14. When prompted to Enter the number of the interface to configure, type 2 and select

opnsense_wanipassign.png

At this point in the lab, we are configuring your WAN interface, with the goal of acquiring an IP address that will allow you to access OPNsense's Web GUI and start to make advanced configuration changes.

Please ensure you are selecting the WAN interface to configure. Failure to do this will cause the next few steps to not work

15. When prompted to Configure IPv4 address WAN interface via DHCP, say yes

16. Say no to configuring the IPv6 address, and press Enter to specify no IPv6 address when prompted to add one manually

17. Say yes to changing the web GUI protocol from HTTPS to HTTP, and yes to restoring web GUI access defaults

18. After a short delay, you should be returned back to the options screen. Additionally, you should see the following displays above the options:

  • LAN (vtnet1)    -> v4: 192.168.1.1/24
  • WAN (vtnet0)   -> v4/DHCP4: 10.10.6.XX/22

While the LAN address should be exact, the "XX" in the WAN address will be unique to each person. Anytime you see XX in an IP address, replace it with the numbers relevant to you

Stage 5 - Ensuring OPNsense WebGUI Access

At this point, we are nearly done interacting with OPNsense via the console. Only a few more changes are required before we can do so.

1. First, navigate to your OPNsense Web GUI by opening a new tab in a browser and typing https://10.10.6.XX

You may notice that in the OPNsense console, IP addresses have a /22 or a /24 at the end. This is not part of the IP, but is a separate number known as the subnet mask. We will cover these later, but for now do not add them to the end of an IP address in URL bars; it will not work

2. You will notice that nothing happens. That is because we first must disable the firewall in OPNsense to allow requests through the WAN interface (The one assigned the 10.10.6.XX IP address)

  • Take a minute to consider why this might be. What is a WAN interface? Why might a firewall be set up to block requests through it by default?

3. Open the OPNsense console back up, and select option 8 (Shell). This will open up OPNsense's command line. You should notice that you see a prompt at the bottom of your screen: root@OPNsense:~ # _

  • This is a common "prompt" used in command lines, and can be broken into several parts
  • The first part (In this case, root), indicates you are running as the user root
  • The next part, OPNsense, is the machine name of the computer you're currently on
  • The third part after the colon displays your current active path. A ~ indicates you are in the user's home directory
  • The last part is #, and in this CLI is used to denote the end of the prompt, and the beginning of where user input is expected

4. In order to disable the firewall from the CLI, run the following command: pfctl -d. You should see the message pf disabled.

5. Next, navigate to http://10.10.6.XX (Notice that the beginning must now be HTTP instead of HTTPS)

6. If all goes well, you should be prompted with your OPNsense login

opnsense_login.png

7. Login with the username root, and the accompanying root password. Upon successful login, you will be presented with the OPNsense dashboard.

opnsense_dashboard.png

If you are presented with the OPNsense installation wizard, ignore it. Instead, navigate to Lobby > Dashboard to see the screen above.

8. In order to ensure Web GUI access even with the firewall enabled, we must first create a firewall rule to allow access through the WAN interface. Navigate to Firewall > Rules > WAN

opnsense_rulespre.png

9. Next, click the orange plus button, and do the following:

opnsense_wanrule.png

  • Set the Protocol field to TCP
  • Set the Destination field to WAN Address
  • Set the Destination Port Range to HTTP for both the from and to options
  • Finally, click save

10. You should be returned to the Firewall Rules page with a button to Apply Changes at the top. Do not do so yet

11. Next, navigate to Interfaces > WAN, and disable Block Private Networks if it is showing as enabled

12. Click Apply Changes when prompted (This may take a minute)

13. Finally, navigate back to Firewall > Rules, and click Apply Changes if prompted

14. If all goes well, the page should refresh shortly, and OPNsense's Web GUI should still be accessible

Stage 6 - Installing Ubuntu

1. Boot your Ubuntu VM in Proxmox if you have not yet, and navigate to the Console tab in Proxmox for it

2. You will be presented with a display offering to Try or Install Ubuntu or Perform a Memory Test. Select the option to install Ubuntu

3. Ubuntu will go through a short boot procedure, then present you with a language selection option. Choose English, and press Enter

4. On the next screen, select Continue without updating, then select Done

5. Leave the defaults on the next display (Ubuntu Server, not the minimized edition), and continue

6. On the next screen, Ubuntu will attempt to obtain an IP address from OPNsense.

  • At first, it may say Continue Without Network
  • Wait a few moments, and see if it changes to simply saying Done
  • If it does not, let me know
  • Otherwise, continue

7. On the Proxy configuration screen, leave it blank and select Done. Do the same for the Mirror Address

8. On the Guided Storage Configuration, leave all defaults and use the down arrow to navigate to the Done button and continue

9. Finally, you will be presented a File System Summary. Continue past this and press Continue when asked to Confirm destructive action

10. On the Profile configuration page, enter whatever values you like, but do not forget the Ubuntu password you set

11. Skip past Ubuntu Pro

12. When prompted to Install OpenSSH Server, enable it and continue

13. On the Featured Server Snaps page, continue with the defaults (None selected)

14. At this point, Ubuntu should begin installation. Once it's complete, instruct Ubuntu to Reboot Now

15. You will likely get an error message asking you to Please remove the installation medium, then press Enter

  • To do so, navigate to the Hardware tab for Ubuntu, select the CD/DVD drive, and select REMOVE
  • Next, continue in the Console and press Enter. Ubuntu should move forward and reboot

Stage 7 - Enabling SSH into Ubuntu through OPNsense

1. Login to the Ubuntu terminal using the username and password you created during the installation process

2. Next, run the following command: sudo systemctl status ssh

ubuntu_sshstatus.png

3. You will notice that the SSH Service is showing as both disabled and inactive

  • This means that the service will not start at boot (disabled), and is not running (inactive)
  • To set SSH to run at boot, do sudo systemctl enable ssh
  • To start the SSH service, run sudo systemctl start ssh
  • If you run the status option again, you should see the following output:

ubuntu_sshstarted.png

4. Next, we must disable the firewall on Ubuntu so that it does not block incoming requests (Such as SSH)

  • To do so, run sudo ufw disable

In a real environment, all machines have their firewalls turned on. However, we turn off Ubuntu's firewall to simplify our network administration tasks

5. Before we can make a firewall rule in OPNsense, we must get the Ubuntu IP address, which can be done through either of the following:

  • From inside the Ubuntu terminal, type ip addr - this command will output a big blob of text that looks like so:
    • ubuntu_ip.png
    • The Ubuntu IP address will be in the 2 (ens18) interface, and will come after the inet keyword
    • In this case, this Ubuntu server's IP address is 192.168.1.101, but yours will likely be different
  • Alternatively, you can navigate to Services > DHCPv4 > Leases, where your Ubuntu should appear with an IP address provided
  • Make sure to remember this IP address, you'll need it in the next step!

6. Next, we must Port Forward the SSH port in OPNsense to allow SSH requests to reach Ubuntu

  • Navigate to Firewall > NAT > Port Forward
  • Click the orange plus on the far right
  • Next, set the following parameters:
    • Change Destination from Single host or Network to This Firewall
    • Set Destination Port Range to SSH for both the from and to fields
    • In the empty text box for Redirect Target IP, set it to the IP Address of the Ubuntu machine (In this case, 192.168.1.101)
    • Set Redirect Target Port to SSH as well
  • Click Save and Apply Changes in the next page

7. Finally, we must test whether we can SSH into the Ubuntu server. To do so, open up a native terminal on a device that can also access Proxmox (Either one of the lab computers, or your own device if you have the SoC VPN set up)

8. In this terminal, run the following command: ssh your_ubuntu_username@your_opnsense_wan_ip

  • It should look something like ssh miro@10.10.6.64
  • Assuming this works, you will likely be asked whether to continue connecting despite the fingerprint being unknown. Type yes and continue
  • When prompted for a password, type your Ubuntu password in

9. If all goes well, you should see something similar to the screenshot below. At this point you have completed Lab 1. Please see me to get checked off.

ubuntu_sshin.png
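
The SSH test in Stage 7 asks you to accept an unknown host-key fingerprint. The script below is an added example, not part of the original lab handout: it compares the fingerprint offered through the OPNsense port forward with the one read directly on the Ubuntu console. The file names console_fp.txt and check_hostkey.sh are assumptions, and the sample fingerprints are constructed.

```shell
#!/bin/sh
# Added example (not part of the lab handout): check that the SSH host key
# reached through the OPNsense port forward is the Ubuntu VM's own key.
#
# 1. On the Ubuntu console in Proxmox (trusted path), list the real fingerprints:
#      for f in /etc/ssh/ssh_host_*_key.pub; do ssh-keygen -lf "$f"; done
#    and copy that output into a file on your client (assumed name: console_fp.txt).
# 2. On the client, run: sh check_hostkey.sh console_fp.txt 10.10.6.XX

# Print the SHA256 fingerprint of one key type from `ssh-keygen -l` output on stdin.
# Lines look like: "256 SHA256:<base64> <comment> (ED25519)"
fingerprint_for() {
    awk -v want="($1)" '$NF == want && $2 ~ /^SHA256:/ { print $2; exit }'
}

# Succeed only if both fingerprints are non-empty and identical.
same_fingerprint() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Constructed sample of the step 1 output (these fingerprints are made up).
sample_console_output() {
    cat <<'EOF'
256 SHA256:CONSTRUCTEDecdsaFingerprintForTheLabExample0000 root@ubuntu (ECDSA)
256 SHA256:CONSTRUCTEDed25519FingerprintForTheLabExample00 root@ubuntu (ED25519)
3072 SHA256:CONSTRUCTEDrsaFingerprintForTheLabExample000000 root@ubuntu (RSA)
EOF
}

# $1 = file holding the console output, $2 = OPNsense WAN address
main() {
    expected=$(fingerprint_for ED25519 < "$1")
    # Fetch the key offered on the WAN address and fingerprint it locally.
    seen=$(ssh-keyscan -t ed25519 "$2" 2>/dev/null | ssh-keygen -lf - | fingerprint_for ED25519)
    if same_fingerprint "$expected" "$seen"; then
        echo "OK: $2 forwards to the expected host key ($seen)"
    else
        echo "MISMATCH: console=$expected network=$seen" >&2
        return 1
    fi
}

# Run the live check only when both arguments are supplied.
if [ "$#" -eq 2 ]; then main "$@"; fi
```

An empty network-side fingerprint counts as a mismatch, so the check also fails when the port forward is not passing SSH traffic at all.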