A DMZ (demilitarized zone) is a segmented part of a network that is used to host all publicly accessible websites and services. The intention is to protect the internal network from external threats. It is an effective strategy to minimize public exposure of your critical assets as well as limit the damage caused when an intruder is able to penetrate your network. A great definition of a DMZ can be found here.
WireGuard is a modern designed VPN that uses the latest cryptography for stronger security, is very lightweight, and is relatively easy to set up (mostly). I say ‘mostly’ because I found setting up WireGuard in OPNsense to be more difficult than I anticipated. The basic setup of the WireGuard VPN itself was as easy as the authors claim on their website, but I came across a few gotcha’s. The gotcha’s occur with functionality that is beyond the scope of the WireGuard protocol so I cannot fault them for that.
If you have software/services running on your local network that you want to remotely access, you may have encountered a situation in which your IP address changes periodically. Many ISPs do not assign static IP addresses to non-business accounts especially for IPv4 addresses because they are extremely limited and have technically been exhausted for some time now. When your modem stays connected for a long period of time with an ISP, it is possible your IP address will not change often.
When you are new to creating VLANs on your network, you may wonder about the necessary steps in order to create a properly functioning VLAN. If you set up OPNsense with one WAN and one LAN interface, it is kind enough to set up a basic configuration for the LAN interface with DHCP enabled and a single firewall rule that allows access to the Internet. You can consider this configuration to be a “flat” network, which means that every device is on the same network and can communicate.
After installing OPNsense, the default login is the root user. Logging in as the root user is generally not advised because the root user has full access to files and processes. Linux users, for instance, are asked to create a separate user account upon installation. The user can then use the sudo command to elevate privileges to perform administrative tasks. If the user’s account is compromised, in theory the root account is still protected (assuming there is no privilege escalation vulnerability being exploited or the password has been discovered).