diff --git a/website/docs/integrations/services/opnsense/index.md b/website/docs/integrations/services/opnsense/index.md new file mode 100644 index 000000000..937b4a357 --- /dev/null +++ b/website/docs/integrations/services/opnsense/index.md @@ -0,0 +1,96 @@ +--- +title: OPNsense +--- + +## What is OPNsense + +From https://opnsense.org/ + +:::note +OPNsense is a free and Open-Source FreeBSD-based firewall and routing software. It is licensed under an Open Source Initiative approved license. +::: + +:::note +This is based on authentik 2021.10.3 and OPNsense 21.7.4-amd64 installed using https://docs.opnsense.org/manual/install.html. Instructions may differ between versions. +::: + +## Preparation + +The following placeholders will be used: + +- `authentik.company` is the FQDN of authentik. +- `opnsense-user` is the name of the authentik Service account we'll create. +- `DC=ldap,DC=goauthentik,DC=io` is the Base DN of the LDAP Provider (default) + +### Step 1 + +In authentik, create a service account (under _Identity & Cryptography/Users_) for OPNsense to use as the LDAP Binder. + +In this example, we'll use `opnsense-user` as the Service account's username + +:::note +Take note of the password for this user as you'll need to give it to OPNsense in _Step 4_. +::: + +### Step 2 + +In authentik, create an _LDAP Provider_ (under _Resources/Providers_) with these settings: + +:::note +Only settings that have been modified from default have been listed. +::: + +**Protocol Settings** +- Name: LDAP +- Certificate: authentik Self-signed certificate + +### Step 3 + +In authentik, create an application (under _Resources/Applications_) which uses this provider. Optionally apply access restrictions to the application using policy bindings. + +:::note +Only settings that have been modified from default have been listed. +::: + +- Name: LDAP +- Slug: ldap +- Provider: LDAP + +### Step 4 + +In authentik, create an outpost (under _Outposts/Outposts_) of type `LDAP` that uses the LDAP Application you created in _Step 2_. + +:::note +Only settings that have been modified from default have been listed. +::: + +- Name: LDAP +- Type: LDAP +### Step 5 + +Add your authentik LDAP server to OPNsense by going to your OPNsense Web UI and clicking the `+` under _System/Access/Servers_. + +Change the following fields + +- Descriptive name: authentik +- Hostname or IP address: authentik.company +- Transport: SSL - Encrypted +- Bind credentials + - User DN: CN=CN=opnsense-user,OU=users,DC=ldap,DC=goauthentik,DC=io + - Password: whatever-you-set + - Base DN: DC=ldap,DC=goauthentik,DC=io +- Authentication containers: OU=users,DC=ldap,DC=goauthentik,DC=io;OU=groups,DC=ldap,DC=goauthentik,DC=io +- Extended Query: &(objectClass=user) + +![](./opnsense1.png) +### Step 6 + +In OPNsense, go to _System/Settings/Administration_ and under _Authentication_ at the bottom of that page, add `authentik` to the Server list + +![](./opnsense2.png) + +## Notes + +:::note +Secure LDAP more by creating a group for your `DN Bind` users and restricting the `Search group` of the LDAP Provider to them. +::: diff --git a/website/docs/integrations/services/opnsense/opnsense1.png b/website/docs/integrations/services/opnsense/opnsense1.png new file mode 100644 index 000000000..69d85e031 Binary files /dev/null and b/website/docs/integrations/services/opnsense/opnsense1.png differ diff --git a/website/docs/integrations/services/opnsense/opnsense2.png b/website/docs/integrations/services/opnsense/opnsense2.png new file mode 100644 index 000000000..46e6b59ee Binary files /dev/null and b/website/docs/integrations/services/opnsense/opnsense2.png differ diff --git a/website/sidebars.js b/website/sidebars.js index bcf0a9f0b..5256c068b 100644 --- a/website/sidebars.js +++ b/website/sidebars.js @@ -101,6 +101,7 @@ module.exports = { "integrations/services/matrix-synapse/index", "integrations/services/minio/index", "integrations/services/nextcloud/index", + "integrations/services/opnsense/index", "integrations/services/portainer/index", "integrations/services/proxmox-ve/index", "integrations/services/rancher/index",