The Midnight Sun

Category: Technology

  • How I replaced my home firewall with an x86 OPNsense setup

    I have been working remotely for the past 6+ years, and my wife has been working remotely for the past few years. So we have 2 internet connections at our home, with one configured as a primary and the other as a backup on the TP-Link ER605 load balancer. The load balancer is configured to fail over automatically to the backup connection when the primary connection goes down.

    In our home, we have run Ethernet cables through the walls and provided one port in each of the rooms and living rooms. All these cables terminate at a central hub in a switch, which connects through a firewall router to the load balancer and on to the internet. The high-level view of this setup looks like the following diagram.

    A high-level diagram of my home network and how it connects to the internet.

    As shown in the above diagram, I also have a Pi-hole instance that acts as the DHCP and DNS server for my home LAN. It works well to provide network-level ad-blocking for all devices in the LAN. However, some devices, Android devices in particular, often ignore the DNS server provided by DHCP and use the hard-coded Google DNS instead, bypassing ad-blocking. That is tolerable in most cases, but not all. We have a Sony X90H smart television that runs the Android TV operating system. Without network-level ad-blocking, it shows a lot of non-dismissible advertisements for content from apps that we haven’t installed or used. So I have always used a firewall device of some sort to force the use of Pi-hole as the DNS server in my LAN. I have done this in the past with a Netgear Nighthawk R7000 router running the FreshTomato firmware, a Seeed Studio reRouter, and, since last evening, a GL.iNet Beryl AX travel router.

    Speaking of that, the reRouter device, which I have used for 2+ years now, has been crashing and boot-looping frequently in the past few months and causing internet disconnections. I have been planning to replace that with a more reliable and powerful x86 mini-PC with OPNsense on it. I ordered the Skullsaints Onyx Intel 12th Gen N100 Mini PC last night for this new project. This was an easy choice since I have been hearing good things about N100 mini PCs on the Late Night Linux family of podcasts. While I waited for the delivery, I set up the GL.iNet Beryl AX travel router as a stop-gap replacement.

    Skullsaints Onyx Mini PC

    I bought this specific product because it has four 2.5G Ethernet ports, which would allow me to do internet load balancing too in the future and simplify my networking setup. It came with a no-name brand 256 GB M.2 NVMe SSD preloaded with Windows 11 Pro and 8 GB of RAM. As I had read reviews about this device heating up due to missing or dried thermal paste, I checked and confirmed that the thermal paste was intact.

    Then I downloaded the latest OPNsense image, dd'ed it to a USB flash drive and installed it on this device. Then I opened the OPNsense web interface and went through the setup wizard to configure the firewall. When I installed it in place of my previous firewall, nothing worked and I had no idea why. I took help from the friendly folks on the #OPNsense IRC channel on libera.chat to correct my mistakes and get the configuration working the way I wanted it to. Below are the details of how I did it.

    OPNsense wizard page showing the general system configuration options.

    In the above page, I configured the hostname, domain and the DNS servers used by OPNsense. I specified 192.168.2.3, the IP address of my Pi-hole instance, as the primary DNS server and added the Google DNS address as the secondary. Even though it wasn’t necessary, I left the built-in Unbound resolver enabled.

    OPNsense wizard page showing the Time Server configuration options.

    I configured my timezone in this page.

    OPNsense wizard page with configuration options for the WAN interface

    This page had a lot of options for configuring the WAN interface (I will need to revisit these when doing the multi-WAN load balancer setup in the future). I set a static IP for the WAN interface in the 192.168.0.0/24 subnet, since that is what I had used in the previous setup. I also disabled the blocking of RFC1918 and bogon networks on the WAN side (this was not necessary), since this device doesn’t connect directly to the internet.

    OPNsense wizard page with options for configuring the LAN interface

    In this page, I configured the LAN interface address to be the same as what I had in the previous setup. In the following page, I configured the root password and completed the wizard to apply the configured changes. With this setup, I had a working router between my LAN and the load balancer.

    Since the metal top of the mini PC’s case acts as a passive heat sink, I could feel it getting very hot even though the OPNsense thermal sensors showed a low, static temperature. I will monitor this in the coming days to make sure that there are no thermal issues.

    I still had to configure the firewall to force-redirect all outgoing DNS requests to the local Pi-hole server; the details are in the next blog post, Redirect all outgoing DNS requests to the local Pi-hole instance using OPNsense.

    Fediverse Reactions
    January 20, 2025
  • Ubuntu 22.04 desktop installation guide btrfs-luks full disk encryption including /boot

    I am a big fan of Willi Mutschler's btrfs-luks full disk encryption installation guides on his site, https://mutschler.dev, and have used them for installing Manjaro and Ubuntu 20.04 and newer. Recently, I set up Kubuntu 22.04 with full disk encryption by following the same guide and noticed a couple of changes that had to be made to get it working. So I am documenting those here until he writes a new guide for Ubuntu 22.04. 🙂

    In step 3 of his excellent guide, the optimized mount options for SSD and NVMe drives are listed. The space_cache option mentioned in that section no longer works on Ubuntu 22.04 because the option has been renamed in newer versions of the Linux kernel, so it has to be specified as space_cache=v2. Otherwise, the Ubiquity installer crashes and the installation fails.

    Also, in the Install the EFI bootloader section, it is a good idea to use the HWE Linux kernel package names corresponding to 22.04 instead of 20.04, since the packages with the old LTS version in their name are ‘dummy transitional packages’. So the corresponding command needs to be updated to

    apt install -y --reinstall grub-efi-amd64-signed linux-generic linux-headers-generic linux-generic-hwe-22.04 linux-headers-generic-hwe-22.04

    At the time of writing this post, the HWE package installs the same kernel version as the one that shipped with Ubuntu 22.04 since there isn’t a newer kernel released yet – these are usually backported from newer LTS versions.

    With these minor changes, it should be possible to follow the steps in that documentation to set up full disk encryption with btrfs and luks on Ubuntu 22.04.

    As a bonus, I have used the same guide for installing Kubuntu 20.04, 21.10 and 22.04, with appropriate substitutions, wherever needed.

    I have usually skipped the last section in this guide, Install Timeshift, timeshift-autosnap-apt and grub-btrfs, in favour of my tools of choice for the same job – Snapper and snapper-gui, both of which are available in the official Ubuntu repositories. I will write a blog post about it in the future. 🤞

    January 18, 2023
  • Updating a docker-based Wireguard server when connected to it remotely via the same VPN

    I have a WireGuard server running on a Raspberry Pi 4B at my home, exposed to the internet via a static IP address and port forwarding. I set it up using the Linuxserver.io WireGuard docker container, which is straightforward to use and manage.

    As I am in a different city now, I had been postponing the updates to the docker container since it is risky to do so remotely. Any issue in the upgrade process could lock me out of my home network till I am physically present in my home.

    As I hate deferring updates, I decided to apply the update remotely. To prepare for that, I logged into the Raspberry Pi via the WireGuard VPN and set up a remote forwarding SSH tunnel on a server of mine hosted in the cloud, using a command like,

    $ ssh -R 2222:127.0.0.1:22 username@remote.server.address -N

    This command forwards port 2222 on the remote server to 127.0.0.1:22 on the Raspberry Pi, thereby allowing access to the Pi from the remote server. The -N flag prevents the execution of any remote command (such as starting the user’s shell) and is useful when only forwarding ports.

    Then I logged in directly to that server and logged in to the Raspberry Pi using the forwarded port on that server. Now I could destroy and re-create the WireGuard container without the fear of being locked out since I was connected to the device using SSH and not the WireGuard VPN itself. So, I ran the following command.

    $ ssh -p2222 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no username@127.0.0.1

    The UserKnownHostsFile=/dev/null option prevents saving the remote host’s SSH key in the ~/.ssh/known_hosts file, the StrictHostKeyChecking=no option prevents checking of the remote host key, and the CheckHostIP=no option prevents checking of the remote host’s IP address. These options disable a lot of important security measures that SSH provides by default ⚠️. But since we are connecting to a known host through a forwarded port, and don’t want to save any local data about it, these options are fine to use.

    This command hung my remote SSH session, and I was worried that I had missed something important and was locked out. So I disconnected the SSH session using the escape sequence (<enter>~.), reconnected to my cloud server and then to the Raspberry Pi. It worked, and I heaved a sigh of relief, glad to have pulled this off without any issues. I verified that the updated WireGuard container was running without any issues and that I was able to connect to the VPN. 😌
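    The same two hops expressed as SSH client configuration, as an added example that is not part of the original post. It keeps host-key verification switched on instead of disabling it: HostKeyAlias makes ssh look up the Pi's key under a fixed name, so the known_hosts entry that already exists from connecting over WireGuard is reused (set the alias to whatever name or address that entry is stored under). The host names, user names and the alias below are assumptions. The first stanza belongs in ~/.ssh/config on the Raspberry Pi, the second in ~/.ssh/config on the laptop.

```sshconfig
# --- On the Raspberry Pi: open the reverse tunnel with "ssh -N cloud-tunnel" ---
# RemoteForward is the config-file form of -R 2222:127.0.0.1:22.
# ExitOnForwardFailure makes ssh quit (and a supervising loop retry) instead of
# sitting there with no tunnel if port 2222 is already taken on the cloud server.
Host cloud-tunnel
    HostName remote.server.address        # assumed cloud server name
    User username                         # assumed account on the cloud server
    RemoteForward 2222 127.0.0.1:22
    ExitOnForwardFailure yes
    ServerAliveInterval 30
    ServerAliveCountMax 3

# --- On the laptop: reach the Pi in one command with "ssh pi-via-cloud" ---
# ProxyJump makes the final connection from the cloud server, so 127.0.0.1:2222
# refers to the cloud server's loopback, where the tunnel listens.
Host pi-via-cloud
    HostName 127.0.0.1
    Port 2222
    User username                         # assumed account on the Pi
    ProxyJump username@remote.server.address
    # Look the host key up under the Pi's usual name instead of 127.0.0.1,
    # so the existing known_hosts entry matches and checking can stay strict.
    HostKeyAlias raspberrypi.home         # assumed: the name the Pi's key is already stored under
    StrictHostKeyChecking yes
    # The IP seen here is the tunnel's loopback address and identifies nothing,
    # so IP-based checking is the one check that is safely dropped.
    CheckHostIP no
```

    The forwarded port binds only to the cloud server’s loopback interface (the default for -R without GatewayPorts), so the Pi is reachable solely by logins on that server. With the host key still verified under its alias, a replaced or compromised jump host cannot quietly stand in for the Pi, which is exactly the property the -o StrictHostKeyChecking=no form gives up.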

    July 15, 2021
  • Fixing the rough edges of my Plasma setup

    I use KDE Plasma on my Arch desktop and I’ve had some issues with getting my dual-monitor, mixed DPI setup to work properly as mentioned in my previous post.

    I nuked and paved my existing installation a few weeks ago and set up Arch afresh on the same computer on a new SSD. On the previous install, I had set up the root filesystem on a hard drive with LVM and the system startup was very slow – ~45 seconds to reach SDDM, an additional ~30 seconds to drop to a usable desktop, and then ~5 seconds to run my xrandr script.

    The boot time and the time taken to reach a usable desktop were significantly shorter with the SSD – ~8 seconds to start SDDM, ~5 seconds to the desktop, ~3 seconds to run the xrandr script. So I was happy.

    As exciting as that was, I still had many rough edges and paper cuts, most of them persisting across multiple re-installations. Thanks to posts by fellow Plasma users, I was able to solve them 🙂

    SDDM

    Monitor layout

    When SDDM started, it always did so with my monitor layout and DPI configured wrong. My secondary 1080p monitor is placed to the left of my primary 4K monitor, and SDDM always placed the former to the right of the latter.

    Thanks to this useful post, I was able to create a custom Xsetup script by adding the xrandr command from my previous post and configuring SDDM to run it when starting the display server.

    # /etc/sddm.conf
    [XDisplay]
    DisplayCommand=/usr/share/sddm/scripts/Xsetup

    Theme

    I don’t like the default theme used by SDDM, maui. Since Arch is a DIY distro, it doesn’t automatically set up the default Plasma theme, breeze, like many other distros do when Plasma is installed.

    Previously, I was using the Chili login theme to make the SDDM greeter look nice. I was unsure why and how the Manjaro installation on my laptop had a nice Plasma theme for SDDM, but I didn’t spend any time investigating until now.

    I checked the Arch wiki page on SDDM theming to see if there were nice themes listed there that I could use, and found that it is possible to configure the SDDM theme from the Plasma System Settings application after installing the sddm-kcm package. I found the default Breeze theme, which I liked very much, and set it as the theme. But that didn’t work. So I went ahead and configured it manually in sddm.conf and voilà, it worked! 😀

    # /etc/sddm.conf
    [XDisplay]
    DisplayCommand=/usr/share/sddm/scripts/Xsetup
    
    [Theme]
    Current=breeze

    Desktop scaling

    I was pleasantly surprised to see that Plasma automatically scaled my 4K monitor without my having to configure scaling manually in the Display settings application. Everything on the secondary monitor looked large, as expected, and I had to run my xrandr command from the previous post (with some changes to restart Plasma Shell so that the wallpaper fits the scaled display) manually every time, because something in the Plasma startup process reset the screen configuration regardless of when my xrandr auto-start script ran.

    Thanks to this post on Reddit by a fellow Plasma user, I found that the kscreen2 service was the culprit. Disabling it ensured that the display configuration set up by the SDDM Xsetup script persisted, and as a result I no longer had to run my xrandr script manually 😀 😌

    There could be side-effects from disabling the kscreen2 service, but I haven’t run into any so far 🙂

    Emoji picker

    The built-in emoji picker, introduced in Plasma 5.18, is very convenient and something that Plasma was sorely missing before. However, in spite of installing an appropriate emoji font, the emoji picker had a lot of missing emoji with blank squares and the color/gender variants of some emoji looked broken with those showing up as two separate symbols (one for the emoji and the other for the color/gender variant) overlapping each other.

    Thanks to this Reddit post, I was able to solve the issue by creating a custom fontconfig configuration file, ~/.config/fontconfig/fonts.conf, with the configuration below and by forcefully rebuilding the font info cache files by running fc-cache -f.

    <?xml version='1.0'?>
    <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
    <fontconfig>
    	<match target="font">
    		<edit mode="assign" name="rgba">
    		<const>rgb</const>
    		</edit>
    	</match>
    	<match target="font">
    		<edit mode="assign" name="hinting">
    		<bool>true</bool>
    		</edit>
    	</match>
    	<match target="font">
    		<edit mode="assign" name="hintstyle">
    		<const>hintfull</const>
    		</edit>
    	</match>
    	<match target="font">
    		<edit mode="assign" name="antialias">
    		<bool>true</bool>
    		</edit>
    	</match>
    	<match target="font">
    		<edit mode="assign" name="lcdfilter">
    		<const>lcddefault</const>
    		</edit>
    	</match>
    	<match target="font">
    		<edit name="autohint" mode="assign">
    		<bool>false</bool>
    		</edit>
    	</match>
    	<match target="pattern"> 
    		<edit name="family" mode="prepend"> 
    		<string>Noto Color Emoji</string> 
    		</edit> 
    	</match> 
    </fontconfig>

    It looks nice after the fix 👌🏼

    July 19, 2020
  • How to get a dual monitor setup with mixed DPI working on Xorg

    Last year, I purchased a new 4K monitor to use as my primary display in addition to my existing 1080p monitor. Like with most 4K monitors, this one required scaling to display text and interface elements in a readable size. While the dual monitor setup worked okay out of the box on Windows 10, it didn’t on my Arch install running an up-to-date KDE Plasma.

    1.5x scaling in the Display settings on Plasma made everything look okay on the primary 4K monitor but look large and ugly on the 1080p monitor. I was aware that Wayland supports mixed DPI environments very well but I was stuck on Xorg due to having an Nvidia GPU and Plasma’s support for EGLStreams still being a work in progress.

    I read multiple recommendations on the internet to scale (mentioned correctly in a few places as “upscaling”) the 1080p display using xrandr to compensate for the scaling done by the desktop environment, so that everything looks okay on both displays. What confused me for a long time was that “scaling” meant different things for xrandr and for the desktop environment. Scaling in the desktop environment translated to zooming the desktop in by 1.5x (“downscaling”) to make everything look larger, while (up)scaling a display with xrandr meant zooming the Xorg display for that monitor out by 1.5x to make everything look smaller.

    A lot of different xrandr commands were given as examples. However, all of those were for setups different from mine and used a lot of parameters and flags without a general explanation of what they do and how to adapt them to other scenarios. This was very important for someone like me who isn’t familiar with the terminology. So for a while I had to resort to using just Konsole on the secondary 1080p monitor with the font size reduced to make it look okay, with the interface elements still looking large and ugly.

    Eventually, I found out the solution that I needed – scale the desktop environment 1.5x which reduced the effective resolution of the 4K (3840×2160) monitor to 1440p (2560×1440) and that of the 1080p (1920×1080) monitor by 1.5x to 720p (1280×720). That made everything on the 4K monitor look properly sized and large on the 1080p monitor. To fix that, I had to use xrandr to upscale the 1080p display by 1.5x (2880×1620) to compensate for the desktop environment’s 1.5x scaling. With that, everything looked good on both monitors. Below is the xrandr command that I used.

    xrandr --fbmm 6720x3780 --output DP-0 --pos 2880x0 --mode 3840x2160 --scale 1x1 --primary --output HDMI-0 --pos 0x0 --mode 1920x1080 --scale 1.5x1.5

    The --fbmm flag sets the reported physical size of the X screen as a whole. In this case it is (3840+2880)x(2160+1620), the sum of the resolutions of both monitors after running the xrandr command. The --pos flag positions each monitor within the 6720x3780 screen. Since the 1080p monitor sits to the left of the primary 4K monitor, its position is 0x0. The 4K monitor starts at 2880x0, where 2880 is the horizontal resolution of the upscaled 1080p monitor, so that it begins right where the latter ends.
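    The geometry above follows one rule that generalises to any row of monitors under a single desktop scale factor: each output is panned to its native mode multiplied by its xrandr upscale, outputs are placed left to right at the running sum of those panned widths, and the framebuffer has to be at least the sum of the panned widths by the tallest panned height. The POSIX sh function below is an added example, not code from the original post; it applies that rule and prints the xrandr arguments. The output names and modes are the ones from this post, while the OUTPUT:WIDTHxHEIGHT:PERCENT notation and the use of --fb (the framebuffer size in pixels) are this example's own choices; the post's command, with its larger framebuffer, is equally accepted by xrandr. Upscale factors that would not produce whole-pixel sizes are rejected rather than rounded silently.

```shell
#!/bin/sh
# Added example: compute xrandr arguments for a left-to-right row of monitors
# that share one desktop-environment scale factor.
#
# Each argument is OUTPUT:WIDTHxHEIGHT:PERCENT[:primary], where PERCENT is the
# per-output xrandr upscale in percent (150 -> --scale 1.5x1.5, 100 -> --scale 1x1).
# The output that the desktop environment is scaled for gets 100; every
# lower-DPI output gets the desktop scale factor so it ends up at native size.
# Integer percentages keep the arithmetic in plain POSIX sh.
mixed_dpi_args() {
    x=0        # running horizontal offset for --pos
    fbh=0      # tallest panned height seen so far
    args=""
    for spec in "$@"; do
        out=${spec%%:*};  rest=${spec#*:}
        mode=${rest%%:*}; rest=${rest#*:}
        pct=${rest%%:*}
        flag=""
        case "$rest" in *:primary) flag=" --primary" ;; esac
        w=${mode%x*}; h=${mode#*x}

        # Panned size after upscaling; refuse factors that do not give whole pixels.
        pw=$((w * pct / 100)); ph=$((h * pct / 100))
        if [ $((pw * 100)) -ne $((w * pct)) ] || [ $((ph * 100)) -ne $((h * pct)) ]; then
            echo "mixed_dpi_args: $out: $mode at $pct% is not a whole-pixel size" >&2
            return 1
        fi

        # 150 -> "1.5", 100 -> "1.0", 125 -> "1.25"
        scale=$(printf '%d.%02d' $((pct / 100)) $((pct % 100)))
        scale=${scale%0}

        args="$args --output $out --pos ${x}x0 --mode $mode --scale ${scale}x${scale}$flag"
        x=$((x + pw))
        if [ "$ph" -gt "$fbh" ]; then fbh=$ph; fi
    done
    # Framebuffer: total panned width by the tallest panned height.
    echo "--fb ${x}x${fbh}$args"
}

# This post's layout: 1080p on the left upscaled 1.5x, 4K primary on the right.
# mixed_dpi_args HDMI-0:1920x1080:150 DP-0:3840x2160:100:primary
```

    Apply it from the SDDM Xsetup script or an autostart script with xrandr $(mixed_dpi_args HDMI-0:1920x1080:150 DP-0:3840x2160:100:primary); the unquoted expansion splits into the individual flags. Running xrandr --listmonitors afterwards shows the panned sizes, which is the quickest way to confirm that the framebuffer and positions line up with no gap or overlap.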

    This still caused an issue on the 1080p monitor where the Plasma desktop screen was reduced in size by 1.5x and was not filling the whole display. This also meant that the wallpaper was not filling the whole display. The unfilled area in that display was black in color. (Update May 2020: this can be fixed by restarting the Plasma Shell) To work around this issue, I used black color as the wallpaper for that screen and removed all the elements on that desktop. Till very recently, I continued using black color as the wallpaper and when I found that this was fixed in a recent Plasma update (not sure when and which version), I was able to use a proper wallpaper on the 1080p monitor as well.

    While this solved the major problem with mixed DPIs, the GUI toolkits (Qt 5, GTK 3) and some applications like Firefox needed some additional scaling tweaks to get them looking okay. For this I used the excellent documentation on HiDPI in the Arch wiki which covered almost everything. Steam and VirtualBox were a couple of notable exceptions that didn’t work okay. The former didn’t support fractional scaling and only worked with 2x scaling which makes everything noticeably larger. The latter was broken and had a lot of issues with the menus appearing in the wrong places and the guest VMs unable to use a proper resolution. Fixing this issue required setting QT_SCREEN_SCALE_FACTORS to 1.0.

    January 13, 2020
