OPNsense – Transparent Caching Filtering Proxy with Virus Scanning
As many of you are aware, there are many firewalls out there that are highly secure Open Source systems. I have personally used a few, starting with pfSense years ago and trying out a few others such as Zentyal and ClearOS. As pfSense can be difficult to get modules working and configured, I was happy to hear about OPNsense a while back and their commitment to ease of usage and plugability, and have been using OPNsense ever since.
OPNsense has many built-in features that are easy to configure; that said they still have one highly desired (by me) feature lacking, but that can be delivered without too much added difficulty – Antivirus scanning. The remainder of the features for proxy are already in place and easy enough to configure, with a minor exception regarding firewall rules that are needed for the Transparent Proxy.
I am starting this with a OPNsense 17.1.2 deployment. Mine is running as a Virtual Machine and is a firewall/router between the various VLANS in my ESXi environment. That shouldn’t affect your deployment of the Proxy so long as you follow these steps.
There are several pieces to a Transparent, Caching, Filtering proxy with Virus Scanning. OPNsense can accomplish most of this on it’s own, however the Virus Scanning piece must be done on a separate server. To do this, we will spin up a CentOS 7 x64 virtual machine and configure it.
As this is the most time-consuming part, I will start with CentOS 7 x64 deployment and configuration with several sections, which I have included screenshots to help you along, but not everything is detailed with step-by-step pictures, as it’s expected you have some experience.
This is a pretty long guide, even before I added images, so it is broken it into sections. I hope it is easy to follow; if you find any errors, please Contact us! The steps are all below.
Introduction: Basics and an Overview (This Page)
Step 1 – Prerequisites: Install CentOS, secure the SSH server, temporarily disable SElinux and firewall, Install Apache and PHP, and Setup the Antivirus Error Page
Step 2 – Install and configure ClamAV and SquidClamAV
Step 3 – Configure OPNsense Caching Proxy
Step 4 – Adding Antivirus Scanning
Step 5 – Adding Filtering
Step 6 – Make it a Transparent Proxy
Step 7 – Adding HTTPS Filtering to the Transparent Proxy
Step 8 – OPTIONAL – SSL Content Scanning and Certificate Import
Step 9 – OPTIONAL – Deploy CA Certificate with GPO
Step 10 – Final steps