
Cloudflare Integration: SSL & DNS

What Was Established

Methodology for securing the OPNsense and Proxmox web interfaces with Cloudflare Origin CA certificates, and for protecting the WAN with firewall rules that admit HTTPS only from Cloudflare's published IP ranges.

Key Decisions

  • SSL Mode: Set the zone's SSL/TLS encryption mode to Full (Strict). Origin CA certificates are made for this mode: Cloudflare validates the origin's certificate against its own Origin CA, so the edge-to-origin hop is both encrypted and authenticated. Flexible would send that hop in plaintext, and plain Full would accept any certificate without checking it.
  • Security Pattern: Use a Cloudflare IP alias on OPNsense to restrict WAN HTTPS (port 443) access exclusively to Cloudflare's published IP ranges, so the origin cannot be reached directly and the proxy cannot be bypassed. Caveat: the allowlist proves only that a request came through Cloudflare, not through this account's zone; any Cloudflare customer could point a proxied record at the same origin IP. Cloudflare's Authenticated Origin Pulls (a client certificate presented by the edge) closes that gap where the origin can require it.
  • DNS Strategy: Use A records (and AAAA records if the WAN has IPv6) with Proxy (Orange Cloud) enabled for web services, so the origin IP is not published and traffic gets Cloudflare's DDoS protection. A DNS-only (grey cloud) record reveals the origin address and bypasses the proxy.

Current Configuration

Cloudflare Origin SSL (OPNsense)

  1. Generate Cert: In Cloudflare, go to SSL/TLS → Origin Server and create a certificate for the domain (choose the hostnames to cover, the key type and the validity period). Copy both the certificate and the private key at this point: Cloudflare shows the private key only once, at creation time. The certificate is signed by Cloudflare's Origin CA, which browsers do not trust; it secures the Cloudflare-to-origin hop, not direct client access.
  2. Import to OPNsense:
    • System → Trust → Certificates → add a certificate with the method Import an existing Certificate.
    • Paste the PEM certificate and the private key.
  3. Assign to WebUI:
    • System → Settings → Administration → set SSL Certificate to the imported Cloudflare cert.
    • Restart the WebGUI from a shell: configctl webgui restart.

WAN Hardening (OPNsense)

  1. Create Alias: Firewall → Aliases → add an alias of type URL Table (IPs).
    • Name: Cloudflare_IPs.
    • Content: https://www.cloudflare.com/ips-v4.
    • Set a Refresh Frequency so the table is re-downloaded on a schedule; Cloudflare's ranges change occasionally, and a stale table silently blocks traffic from new edge addresses.
    • If the WAN has an IPv6 address and the zone has a proxied AAAA record, add a second alias (for example Cloudflare_IPs_v6) from https://www.cloudflare.com/ips-v6; otherwise IPv6 edge traffic never matches the pass rule.
  2. Firewall Rule: Firewall → Rules → WAN, placed above any block rule.
    • Action: Pass.
    • Protocol: TCP.
    • Source: Cloudflare_IPs.
    • Destination: WAN address (the firewall itself, where the WebGUI listens).
    • Destination Port: 443.
  3. Block Rule: Add a block rule for port 443 from any source at the bottom of the WAN list, with logging enabled. OPNsense already denies everything no WAN rule passes, so this rule does not change what gets through; it makes the intent explicit and produces a log entry for every rejected direct-to-origin attempt.
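The following is an added example, not code from the original page or from OPNsense. It models the two WAN rules above as a first-match decision so the allowlist can be checked against sample source addresses before the rules go live, and it shows the failure mode of a v4-only alias: a Cloudflare IPv6 edge address is blocked even though it is legitimate. The CIDR lists are a short constructed snapshot of a few Cloudflare ranges, not the full published lists; the sample connection attempts are constructed too. Function names (build_alias, in_alias, wan_decision, evaluate, audit_v6_gap) are this example's own.

```python
"""Offline model of the OPNsense WAN rule set described on this page.

Added example, not part of the original page or of OPNsense. The CIDR
lists below are a constructed snapshot of a few entries; the production
alias is filled by OPNsense from https://www.cloudflare.com/ips-v4 and
https://www.cloudflare.com/ips-v6 on its refresh schedule.
"""
import ipaddress

# Constructed snapshot of Cloudflare ranges, a few per address family.
CLOUDFLARE_IPS_V4 = [
    "173.245.48.0/20",
    "103.21.244.0/22",
    "104.16.0.0/13",
    "104.24.0.0/14",
]
CLOUDFLARE_IPS_V6 = [
    "2400:cb00::/32",
    "2606:4700::/32",
]

# Constructed sample of connection attempts: (source address, destination port).
SAMPLE_ATTEMPTS = [
    ("104.16.1.1", 443),        # Cloudflare edge, IPv4
    ("2606:4700:10::1", 443),   # Cloudflare edge, IPv6
    ("198.51.100.7", 443),      # arbitrary internet host (TEST-NET-2)
    ("198.51.100.7", 22),       # a port neither rule mentions
]


def build_alias(lines):
    """Parse alias content the way a URL Table alias would: one network per
    line, blank lines and comments skipped, malformed lines dropped."""
    networks = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # a bad line must not take the whole table down
    return networks


def in_alias(src, alias):
    """True when src falls inside any network of the alias.
    Address families must match: an IPv6 source never matches a /20 IPv4 entry."""
    ip = ipaddress.ip_address(src)
    return any(ip.version == net.version and ip in net for net in alias)


def wan_decision(src, dst_port, alias):
    """First-match evaluation of the two WAN rules from the page.

    Rule 1: pass  tcp from Cloudflare_IPs to WAN address port 443
    Rule 2: block tcp from any            to WAN address port 443
    Anything else falls through to OPNsense's implicit default deny on WAN.
    """
    if dst_port == 443 and in_alias(src, alias):
        return "pass"
    if dst_port == 443:
        return "block"
    return "default-deny"


def evaluate(attempts, alias):
    """Return {(src, port): decision} for every sample attempt."""
    return {(src, port): wan_decision(src, port, alias) for src, port in attempts}


def audit_v6_gap(alias):
    """True when the alias holds no IPv6 network at all, i.e. every IPv6
    edge connection will hit the block rule."""
    return not any(net.version == 6 for net in alias)


if __name__ == "__main__":
    v4_only = build_alias(CLOUDFLARE_IPS_V4)
    both = build_alias(CLOUDFLARE_IPS_V4 + CLOUDFLARE_IPS_V6)
    for name, alias in (("v4-only alias", v4_only), ("v4+v6 alias", both)):
        print(f"{name}: IPv6 gap = {audit_v6_gap(alias)}")
        for (src, port), decision in evaluate(SAMPLE_ATTEMPTS, alias).items():
            print(f"  {src:>18} :{port:<4} -> {decision}")
```

Run it as a script to see the two alias variants side by side: with the v4-only alias the IPv6 edge address is blocked, with both families it passes, and the non-Cloudflare host is blocked either way. To check the real allowlist rather than the snapshot, feed the downloaded contents of the two Cloudflare URLs to build_alias and add the source address from a logged block entry to SAMPLE_ATTEMPTS.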

Historical Notes

Note: A browser shows "Not Secure" when it connects to the OPNsense WebGUI directly (by LAN IP or an unproxied hostname) because the certificate is signed by Cloudflare's Origin CA, which is not in any browser trust store. Importing the Origin CA root into OPNsense System → Trust → Authorities only changes what OPNsense itself trusts and does not change what the browser sees. Either reach the WebGUI through the proxied hostname, where Cloudflare presents its own publicly trusted edge certificate, or add the Cloudflare Origin CA root to the client's trust store for direct access.

Related pages: VLAN Configuration: OPNsense & Netgear MS308E; OPNsense DHCP Configuration; Proxy Management & Cloudflare Tunnels.

Sources

Adjust IP Assignment Range in OPNsense · ingested/chats/adjust_ip_assignment_range_in_opnsense.md