TL; DR: Is it possible (and if so, desirable) to configure my OPNsense router to handle non-standard traffic instead of needing to configure each client device manually? Examples of what I mean by ‘non-standard traffic’ include Handshake, I2P, ZeroNet, and Tor.
Not sure if you mean to run the service on the FW or what ‘handle’ means here. If you have a second box though it would be easy enough to run all those services on a distinct server and then route their relevant ports through there with a policy based route on the firewall. That way you would only have to set up one for node for example and just have the client machines use that.
Sorry, I should clarify. I’m hoping to possibly have a setup like this:
- Browser makes a request to an eepsite
- The router sees the request is to a domain ending in
.i2p
and forwards the request to a service running on the router - That service then performs the necessary encryption and establishes connection with the I2P network.
I’d imagine it’s a similar process for other protocols and networks. No idea if this is possible or desirable.
https://www.grepular.com/Transparent_Access_to_I2P_eepSites
Something like this makes logical sense, but can’t say I’ve ever tried such a feat. As a general rule though keeping the gateway/firewall free of extraneous software is a good practice just to limit the potential attack surface. If you try it I’d create a dedicated VM somewhere to host the i2p/Tor gateway from to keep it off the network edge directly.
You mean run those programs directly on opnsense? I don’t believe there is any way to do that.
No configuration is needed on opnsense to use them as normal on your devices though, so that’s your best option.
If your looking to allow that kind of traffic in and out of opensense, then yes if you use it. Just be mindful of what you need and only allow that in, outbound is normally everything.