Create Subdomain > opnsense.yourdomain.com

Caution

You can only take this step if you have successfully installed and setup NGINX.

Create DNS Record (Domain-Provider)

First of all, we create a DNS record for our first subdomain with our website provider.
Since I run my domain via Cloudflare, I will also create my first DNS record there.

• Open your DNS-Record-Area
• Create the record with the following values
• Save and Apply

Type

A

Name

opnsense
(your subdomain for the proxy manager like opnsense.yourdomain.com)

IPv4-Address

TAILSCALE-ADRESS from OPNsense or your public IP

Proxy Status

False - If you use Tailscaleadress
True - If you use Public IP

TTL

Auto or 120 Seconds

Connecting to OPNsense-WebUI

We would like to create a temporary firewall rule to access the WebUI via port 81. To do this, first open opnsense via your SSH-Tunnel.

• Open Windows Terminal
• Use the command: ssh root@<yourIP4> -L 443:<WAN_IP4>:9443

This will open up a tunnel. After that you should be able to connect via https://localhost. To setup everything important I recommend running the setup wizard.
It will configure some important things needed for further configuration

Note

If you cannot reach the OPNSense make sure that the firewall is disabled in OPNSense.

You can do so from Proxmox in the OPNSense console by selecting option 8.
In the OPNSense console you can then type pfctl -d to disable the firewall.
It will reenable after each apply you do inside of the OPNSense WebUI or by running pfctl -e.
All Rules will be disabled when the firewall is disabled.
If every you can’t reach OPNSense on the tunnel or you need to trubbleshoot make sure to disable the firewall again.

THIS WILL HAPPEN A LOT DURING SETUP!

Create NAT-Rule

• Go to Firewall > NAT > Port Forward
• Add Rule by clicking the plus-button
• Enter the following values
• Hit ‘safe’ and then ‘apply’

NATrule-Settings

Edit Redirect entry

Interface - 102_proxy
Destination / Invert - false
Destination - 102_Proxy-Address
Destination port from - (other) 9443
Destination port to - (other) 9443
Redirect Target IP - 127.0.0.1 or localhost
Redirect Target Port - (other) 9443

Connecting to NGINX-WebUI

Now you can access the web interface of your proxy manager with your browser.

https://proxy.yourdomain.com

Create Proxy host

• Go to Hosts > Proxy Hosts
• Click green Add Proxy Host-Button
• Now enter the following values
• Click Safe-button

Proxysettings

Details-Tab

Domain Names - opnsense.yourdomain.com
Scheme - https
Forward Hostname / IP - 10.1.2.1
Forward port - 9443 (OPNsense-Port)
Cache Assets - false
Block Common Exploits - false
Websockets Support - true
Access List - “Publicly Accessible”

Custom locations-Tab

Change nothing

SSL-Tab

SSL Certificate - “Request a new SSL Certificate”
Force SSL - true
HTTP/2 Support - true
HSTS Enabled - false
HSTS Subdomains - false
Use a DNS Challenge - true (only if you use tailscale)

• DNS Provider > Cloudflare
• Credentials File Content > Change the token to your token
• Propagation Seconds > empty

Email Address - Your E-Mailadress
Terms of Service - true

Advanced-Tab

Change nothing

If the host you have just created has the status "Online", everything has worked and you can reach your proxy manager at opnsense.yourdomain.com.
You can now close the SSh tunnel via the Windows console.