1. Planning Deployment
Categories:
Before you begin,let’s cover some pre-reqs you’ll need to cover:
1. OPNsense Router
Mandatory, I’m afraid!
2. Appropriate VPN
Any VPN you can configure on OPNsense should work, testing has only been performed with Wireguard VPNs though.
There is one additional caveat -
Your VPN provider must be able to support the type of IP setup that you have (IPv4/IPv6/Dual Stack IPv4+6)
Most providers support both these days
Using an IPv4 only VPN on a dual stack IPv4/6 network will result in traffic missing the VPN.
A guide for configuring a VPN can be found Here
3. An appropriate User Account on OPNsense
A guide to creating a user and API keys with the minimal needed permissions can be found Here
4. Where to run Synclias
Synclias can run anywhere you can run x86 containers.
However, you may consider deploying it on a server where you can forward all of it’s external traffic through a VPN, e.g. a VM/LXC. This will make scanning easier, avoiding problems where it can’t scan until after a Sync, but it’s not required.
Docker/Docker Compose
Before you get started, you’ll need a machine running Docker. The best place for guidance on this that I’ve seen is:
And also Docker Compose, a plugin for Docker
This is included in Docker Desktop for Windows/Mac.
For Linux - normally “docker-compose-plugin” from your package manager
If you want to use another container orchestrator, it should work fine.
5. Optional - Technitium API Token
Synclias provides optional support to clear cache entries from a Technitium server. It is not required for Synclias to function
This feature ensures the cache is refreshed with the largest possible expiration time for each site on each scan, and can provide benefits for some sites, but not all.
If you wish to use the cache clearing feature of Technitium, a guide for setup with minimal required permissions can be found here.
5. Understaning the Impact of Flush States
Flush States (an option in settings) is a very powerful tool for testing sites. It’s off by default, and generally should stay that way
- Normally, when Synclias syncs, it adjusts the ruleset, and that ruleset applies to new connections.
- If you’ve just been to a site and realised you need a VPN, you most likely have an “established connection” to that site.
- Flush States signals the router to drop any established connections
- This greatly increases the chance that when you revisit the page it works fine
- However, running this more than a couple of times in 10 minutes can cause visibile hiccups to internet connectivity.
6. Make sure you know the Emergency Exit
Synclias has been running fine for months in some environments.
However, it’s always good to know how to reverse anything when making a change.
- Log into OPNsense
- Find the Alias(es) in Firewall -> Alias
- Edit the alias
- Remove and listed IPs/Networks from the Alias
- Save
- Repeat for an IPv6 Alias, if you’re using one
- Apply Changes
- That’s it, completely backed out (and make sure you disable auto-sync if on)
7. An Understanding of Limitations
Before proceeding, it’s important to understand the limitations of Synclias.:
- Nothing it does should break any sites at all, but I’m not able to guarantee it, some site may do something truly bizarre with their code.
- You may end up at the site for your country once in a while - if a site moves IP before the next Sync
- This completely depends on the site, but in testing for over 50 sites, it was around once a month on average across all sites.
- Safety Keywords (dealt with in the setup guide) will save you a lot of issues with sites such as Youtube etc getting dragged into the VPN by accident
- Scans happen before sites are put into the VPN alias - this means the scanner cannot work on the first sync for some sites.
- Any VPN client will still function as a backup just fine
Finally, when first setting up a site:
- Browsers and cache can cause real headaches.
- You will often see advice to close/re-open another browser during setup. It’s strongly suggested to follow this guidance.
All done? Proceed to Installing Synclias