Opening up your local area network (LAN) to the outside world is easy, but doing it securely is a different beast. When running a custom router with OPNsense, multiple routes are available, including reverse proxies and a virtual private network (VPN). You could forward some ports and call it a day, but I'll show you some ways to configure OPNsense with a domain, VPN, and reverse proxies with some firewall rules thrown in for good measure. Once configured, you'll be accessing your LAN from anywhere in the world with a secure connection.

Why open your LAN to the outside world?

I recommend keeping your network closed for maximum security, but if you have a service or two behind the firewall and need to access them from the outside, safely opening up the LAN is possible. When moving from paid services to self-hosting, you'll end up with web hosting and media streaming at home. Accessing these from within your network is easy since everything is open through the router, but OPNsense blocks most traffic from passing through for obvious reasons. Your ISP also likely provides a dynamic IP address, which only compounds the issue, as you'll need to update apps with the new IP.

Thankfully, OPNsense makes it easy to configure everything. We'll need to set up static IPs through OPNsense for the services we'll be allowing through the firewall, and dynamic domain name system (DDNS) to maintain connectivity even if your external IP changes. The goal is to provide limited access, placing restrictions on as much as possible without hampering service availability. For instance, to connect to a NAS through OPNsense, we'd only allow access to that one server and nothing else. And because we're opening up access, we'll need to make sure our hardware is all updated.
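
To check that "one server and nothing else" holds once rules start piling up, here is an added example (not from the original article or the OPNsense project) that audits WAN pass rules and flags any whose destination is not a single host and a single port. The XML is a constructed sample modeled on the filter/rule layout of an OPNsense configuration backup; the element names, IP addresses and the audit_wan_rules function are assumptions to verify against your own export.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modeled on the <filter><rule> layout of an OPNsense
# config.xml backup (assumed element names; verify against your own export).
SAMPLE_CONFIG = """
<opnsense><filter>
  <rule><type>pass</type><interface>wan</interface><source><any>1</any></source>
    <protocol>tcp</protocol><destination><address>192.168.1.20</address><port>443</port></destination>
    <descr>HTTPS to NAS</descr></rule>
  <rule><type>pass</type><interface>wan</interface><source><any>1</any></source>
    <protocol>tcp</protocol><destination><network>lan</network><port>22</port></destination>
    <descr>SSH to whole LAN</descr></rule>
  <rule><type>pass</type><interface>wan</interface><source><any>1</any></source>
    <destination><address>192.168.1.30</address></destination>
    <descr>All ports to media server</descr></rule>
  <rule><type>pass</type><interface>lan</interface><source><network>lan</network></source>
    <destination><any>1</any></destination>
    <descr>Default allow LAN to any</descr></rule>
</filter></opnsense>
"""

def audit_wan_rules(config_xml):
    """Return (description, problems) for each WAN pass rule that is too broad."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind("./filter/rule"):
        if rule.findtext("type") != "pass" or rule.findtext("interface") != "wan":
            continue  # only pass rules on the WAN interface widen exposure
        if rule.find("disabled") is not None:
            continue  # disabled rules are not enforced
        dest = rule.find("destination")
        address = dest.findtext("address") if dest is not None else None
        port = dest.findtext("port") if dest is not None else None
        problems = []
        try:
            if ipaddress.ip_network(address or "", strict=False).num_addresses != 1:
                problems.append("destination is a subnet, not one host")
        except ValueError:  # missing, 'any', an alias or a network name
            problems.append("destination is not a single host IP")
        if not port or not port.isdigit():  # absent, a range or a port alias
            problems.append("no single destination port")
        if problems:
            findings.append((rule.findtext("descr", default="(no description)"), problems))
    return findings

if __name__ == "__main__":
    for descr, problems in audit_wan_rules(SAMPLE_CONFIG):
        print(f"{descr}: {'; '.join(problems)}")
```

Rules that point at the firewall itself rather than a host IP, as a reverse proxy setup would, are flagged too and need a manual look.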

How to allow external access through OPNsense

The process of opening up your LAN to the outside world through OPNsense depends on how you plan to go about it. There are several routes one can take, but I recommend a virtual private network (VPN) or a combination of dynamic domain name system (DDNS) and reverse proxies. A VPN is more straightforward but limits how access can be granted. You can't simply load up a domain name or IP and enjoy accessing all your services behind OPNsense. You'd need to connect to the VPN using a client, which requires installing software (or setting up integration) on every device.

DDNS with reverse proxies is easier to work with once configured, but it's more advanced and requires tinkering with the firewall and installing a plugin (or two). For the VPN method, you'll need to use OpenVPN to configure a server within the LAN. Unlike using an OpenVPN client through OPNsense to protect your privacy on all devices connecting to the outside world, we need to run an internal server for clients outside the LAN to communicate with. This is secure as it means your LAN is still blocking all traffic except that from clients with the necessary credentials for accessing the VPN.

Using reverse proxies and DDNS is slightly more advanced, but there are some excellent guides available within the OPNsense community. If you've used pfSense before, it's a similar process with a few different steps here and there. I recommend following this comprehensive guide by (the aptly named) TheHellSite. This resource covers DDNS, HAProxy, and SSL certificate management for a fully secure deployment. And remember, we always want to be using SSL in some form or another to ensure all your traffic is encrypted. This is vital for running home-based services, such as password managers.