# Cloudflare Integration: SSL & DNS

## What Was Established
Methodology for securing OPNsense and Proxmox web interfaces using Cloudflare’s Origin CA certificates and protecting the WAN via Cloudflare-specific firewall rules.
## Key Decisions
- SSL Mode: Cloudflare SSL/TLS setting must be set to Full (Strict).
- Security Pattern: Use Cloudflare IP Aliases on OPNsense to restrict WAN HTTPS (Port 443) access exclusively to Cloudflare’s IP ranges.
- DNS Strategy: Use A records with Proxy (Orange Cloud) enabled for web services to leverage DDoS protection.
## Current Configuration

### Cloudflare Origin SSL (OPNsense)
- Generate Cert: In Cloudflare, go to SSL/TLS → Origin Server and create a certificate for the domain.
- Import to OPNsense: System → Trust → Certificates → Import existing Certificate.
  - Paste the PEM (Cert) and Private Key.
- Assign to WebUI: System → Settings → Administration → set SSL Certificate to the imported Cloudflare cert.
- Restart WebGUI: `configctl webgui restart`.
### WAN Hardening (OPNsense)
- Create Alias: Firewall → Aliases → URL Table Alias.
  - Name: Cloudflare_IPs.
  - URL: https://www.cloudflare.com/ips-v4.
- Firewall Rule: Firewall → Rules → WAN.
  - Action: Pass.
  - Source: Cloudflare_IPs.
  - Destination Port: 443.
- Block Rule: Add a block rule for port 443 from all other sources at the bottom of the WAN list.
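As an added illustration (not OPNsense code or part of the original notes), the following Python models how this WAN rule set is evaluated: the URL Table alias is parsed from the one-CIDR-per-line format served at the ips-v4 URL, rules are matched first-match-wins, and anything not matched falls to the implicit default deny. The CIDRs embedded below are constructed placeholders, not Cloudflare's real ranges.

```python
"""Model of the WAN rule set above: pass 443 from Cloudflare_IPs, block 443 from everyone else."""
import ipaddress

# Constructed sample of the text served at https://www.cloudflare.com/ips-v4:
# one CIDR per line. These are documentation ranges, not Cloudflare's real list.
SAMPLE_IPS_V4 = """\
198.51.100.0/24
203.0.113.0/25
"""


def parse_url_table(text):
    """Parse a URL Table alias body: one network per line, blank lines ignored."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


ALIASES = {"Cloudflare_IPs": parse_url_table(SAMPLE_IPS_V4)}

# WAN rules in the order OPNsense evaluates them (top to bottom, first match wins).
WAN_RULES = [
    {"action": "pass", "source": "Cloudflare_IPs", "dport": 443},
    {"action": "block", "source": "any", "dport": 443},
]


def source_matches(src_ip, source):
    """True if src_ip is covered by the rule's source ('any' or an alias name)."""
    if source == "any":
        return True
    ip = ipaddress.ip_address(src_ip)
    # An IPv6 client can never match an IPv4-only alias, so it falls through.
    return any(ip.version == net.version and ip in net for net in ALIASES[source])


def evaluate(src_ip, dport, rules=WAN_RULES):
    """Return the action of the first matching rule; unmatched traffic is blocked by default."""
    for rule in rules:
        if rule["dport"] == dport and source_matches(src_ip, rule["source"]):
            return rule["action"]
    return "block"


if __name__ == "__main__":
    print(evaluate("198.51.100.7", 443))   # Cloudflare edge -> pass
    print(evaluate("192.0.2.1", 443))      # direct-to-origin client -> block
    print(evaluate("198.51.100.7", 443, rules=list(reversed(WAN_RULES))))  # block above pass -> block
```

Reversing the two rules shows why the block rule must sit below the pass rule: with the block first, even Cloudflare's edge is denied.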
## Historical Notes

Note: If the browser shows “Not Secure” after import, ensure the Cloudflare Origin CA Root Certificate is also imported into OPNsense under System → Trust → Authorities.