OPNsense certificate problem when accessing server locally

Hi, I just replaced my old DD-WRT router with a new OPNsense router. I configured HTTPS port forwarding to my server, and when accessing from outside the network everything works as it should. But when accessing the server locally, I get a certificate warning about a self-signed certificate or a certificate name that doesn’t match. When viewing the certificate I can see that it’s the OPNsense self-signed certificate, OPNSense.localdomain. The server runs Let's Encrypt, and when accessing from outside I get the proper certificate.

What is happening here and how can I fix this?

I have some rudimentary experience with this. When you access from outside your network, do you access via a fully qualified domain name or via your public IP address? When you connect from within your network, do you access by IP address?

I haven’t used OPNsense, but look for a way of adding DNS host overrides to direct the FQDN of the servers to their local IP address.

No matter what firewall you’re using, you never want to expose your management interface to the internet. As a best practice it should only be accessible from your local LAN segment, through a VPN or SSH, or via IP whitelists in rare use cases. I’d encourage you to make securing your admin interface your first priority.

To fix your problem you need to use your FQDN rather than OPNSense.localdomain as the URL in your web browser. And to get your FQDN working you need to point it to your OPNsense’s local LAN IP address. Assuming you’re using Unbound DNS, here is how to configure an override.


If it is just a warning, and it lets you select an option to carry on, then I would not worry. It’s just the browser looking after you.

If it stops it working altogether… then maybe certificates and stuff are needed.

(As in, if you don’t trust the local website you set up and run, then perhaps you might have a different aversion to risk than I. But you trust the software to run, so it would behoove you to trust it?)

Thanks. This was very helpful. I got it working a little better now that I configured the domain in OPNsense to match my external domain name like it was described here.

Now the problem seems to be with the subdomains. For example if I locally ping server.mydomain.net I get:
64 bytes from server.mydomain.net (servers local ip-address)…

but if I ping service.server.mydomain.net I get:
64 bytes from router.mydomain.net (my external ip-address)…

I haven’t yet done the split DNS. Maybe it’s the answer. I need to study that blog post more and carefully try it out.

I’m pretty sure the process for configuring a subdomain override is exactly the same. Try adding “service” to the host field and “server.mydomain.net” to the domain field.

That doesn’t work. I need multiple subdomains (services) to work.

Maybe it’s because the dynamic DNS name that is mapped to my external IP address is also server.mydomain.net. So, I need to set mydomain.net as the domain in OPNsense for the local server.mydomain.net to work.

Maybe it’s wrong to use the server name as a part of the dynamic DNS hostname, since it is not actually pointing directly to the server but to the router? Or is it because there’s the HTTPS port forwarding in place? It has always been this way, and with the DD-WRT setup it worked fine.

While this makes it simpler, you don’t need to do this. You only need to create entries in your local DNS server for the addresses you’re trying to connect to so that they resolve to their local IP addresses. Otherwise, when you try to connect from your network, they’re resolving to your WAN address.

Your old router probably had some kind of NAT reflection which made it work, and you may be able to enable that to work in the same way with OPNsense, but just creating the DNS host entries will work too.

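To make the split-DNS mechanics from the replies above concrete, here is an added Python example (not OPNsense or Unbound code, and not posted by anyone in the thread). It renders an Unbound host override with aliases as `local-zone`/`local-data` lines, models how a transparent local zone answers LAN clients (local data first, public DNS otherwise), and flags the names that would still resolve to the WAN address, which is the ping symptom described earlier and the reason the browser ends up talking to the firewall's own certificate instead of the forwarded server. The LAN subnet, WAN address, hostnames and "public DNS" answers are constructed for illustration.

```python
"""Model of the split-horizon (split DNS) fix discussed in this thread.

Added example, not OPNsense or Unbound code. All addresses, names and the
"public DNS" answers below are constructed for illustration.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed layout (assumptions): RFC 1918 LAN, documentation-range WAN address.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WAN_IP = "203.0.113.10"          # the router's public address (what DynDNS publishes)
SERVER_LAN_IP = "192.168.1.20"   # the web server behind the HTTPS port forward

# Constructed: what public DNS answers for every name, from anywhere.
PUBLIC_DNS = {
    "server.mydomain.net": WAN_IP,
    "service.server.mydomain.net": WAN_IP,
    "other.server.mydomain.net": WAN_IP,
}


def unbound_local_data(host: str, domain: str, ip: str,
                       aliases: Iterable[Tuple[str, str]]) -> List[str]:
    """Render one Unbound host override plus aliases as local-zone/local-data lines.

    Roughly the shape of what OPNsense writes for Services > Unbound DNS > Overrides:
    a *transparent* local zone (names without local data still resolve upstream) and
    one A record per name, each pointing at the LAN address. Aliases are given as
    (host, domain) pairs, matching the alias form's two fields.
    """
    lines = [f'local-zone: "{domain}." transparent',
             f'local-data: "{host}.{domain}. IN A {ip}"']
    for alias_host, alias_domain in aliases:
        lines.append(f'local-data: "{alias_host}.{alias_domain}. IN A {ip}"')
    return lines


def resolve(name: str, local_data: Iterable[str], public_dns: Dict[str, str]) -> str:
    """Answer `name` the way a transparent local zone does: local data first, else public."""
    table = {}
    for line in local_data:
        if not line.startswith("local-data:"):
            continue                       # skip local-zone and other directives
        fqdn, _rrclass, _rrtype, ip = line.split('"')[1].split()
        table[fqdn.rstrip(".").lower()] = ip
    key = name.rstrip(".").lower()
    if key in table:
        return table[key]
    if key not in public_dns:
        raise LookupError(f"no answer for {name}")
    return public_dns[key]


def hairpin_names(answers: Dict[str, str]) -> List[str]:
    """Names a LAN client would reach via the WAN address instead of directly.

    This is the ping symptom from the thread: the answer is the router's external
    address, so the connection lands on the firewall itself (and its own certificate)
    unless NAT reflection is enabled.
    """
    return sorted(n for n, ip in answers.items()
                  if ipaddress.ip_address(ip) not in LAN_NET)


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Before/after: no overrides, then one host override with two aliases."""
    before = {n: resolve(n, [], PUBLIC_DNS) for n in PUBLIC_DNS}
    overrides = unbound_local_data(
        "server", "mydomain.net", SERVER_LAN_IP,
        aliases=[("service", "server.mydomain.net"), ("other", "server.mydomain.net")])
    after = {n: resolve(n, overrides, PUBLIC_DNS) for n in PUBLIC_DNS}
    return hairpin_names(before), hairpin_names(after), overrides


if __name__ == "__main__":
    still_broken, fixed, cfg = demo()
    print("\n".join(cfg))
    print("hairpinned before:", still_broken)   # all three names
    print("hairpinned after: ", fixed)          # []
```

The transparent zone type matters: a `static` zone would make Unbound answer NXDOMAIN for any name under mydomain.net that has no override, so other public hosts in the domain would stop resolving from the LAN.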

Thanks again. I think I got it working now! I created a host override for the server and additional aliases for the subdomains. Now I get the correct certificate and everything works. :partying_face:
