Recently, I replaced my consumer router with a custom OPNsense build to handle routing for my home network. It's been quite an adventure in learning about DNS, routing, aggressive firewall rules, and other details of networking. As a software engineer, this hasn't been one of my stronger skill sets. But I'm always up for learning.
In general, OPNsense and a custom setup gave me much greater control over how I set up my local network, and much better performance than I could get from a $200 consumer router/switch/access point combination. I love it.
This isn't a review of OPNsense (that may come later). Instead, this article lists a few things you should do, and consider, immediately after installing OPNsense and getting it working:
1. Set up a DNS Server
This lets you block DNS queries to abusive services (e.g., Firefox and Instagram telemetry, ad servers, etc.). The change is network-wide: any device that routes through your router is protected, and it is transparent to your phone or any computer inside your local network. You can set up caching, which speeds up queries. It also lets you define custom domain names within your private network. I used Unbound DNS for this and found it helpful.
2. Create Custom DNS Names for Devices
This lets anyone on your network reach your devices by name rather than by IP address. It's a lot easier to set up a NAS connection with nas.local than with its IP address.
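Items 1 and 2 can be expressed as a single Unbound fragment. The script below is an added example, not from the post and not OPNsense's own tooling: it renders a drop-in that answers NXDOMAIN for a constructed list of telemetry and ad names, and publishes forward and reverse records for a constructed list of devices. The OPNsense GUI (Services > Unbound DNS > Overrides and Blocklist) does the same thing through forms; the raw config is shown because it makes the mechanism visible. It uses the home.arpa suffix (RFC 8375) rather than .local, because .local is reserved for mDNS and many clients bypass the router's resolver for it. The drop-in directory, subnet, host names and blocked names are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: render an Unbound drop-in that answers
# NXDOMAIN for telemetry/ad names and publishes local device names, so every
# client that resolves through the router gets both. Assumptions: OPNsense's
# Unbound picks up extra *.conf files from /usr/local/etc/unbound.opnsense.d/;
# the suffix home.arpa, the host list and the block list are constructed.

LOCAL_DOMAIN="home.arpa"

# Constructed block list, one name per line. Sub-domains are covered too,
# because a local-zone applies to the whole subtree beneath the name.
BLOCKED='telemetry.example
ads.example
tracking.example'

# Constructed device list: "name ip", one per line.
HOSTS='nas 192.168.1.10
printer 192.168.1.20'

# local-zone ... always_nxdomain: Unbound answers NXDOMAIN itself and never
# forwards the query upstream, so the client sees the name as nonexistent.
block_zone_line() {
    printf 'local-zone: "%s." always_nxdomain\n' "$1"
}

# Forward (A) and reverse (PTR) records for one device. local-data-ptr lands
# in Unbound's built-in private reverse zones, so a lookup of 192.168.1.10
# also resolves back to the name.
host_override_lines() {
    fqdn="$1.$LOCAL_DOMAIN"
    printf 'local-data: "%s. IN A %s"\n' "$fqdn" "$2"
    printf 'local-data-ptr: "%s %s."\n' "$2" "$fqdn"
}

# Render the whole fragment. The local zone is "static": names under it that
# have no local-data get NXDOMAIN instead of leaking to the upstream resolver.
render_config() {
    echo "server:"
    printf '  local-zone: "%s." static\n' "$LOCAL_DOMAIN"
    printf '%s\n' "$HOSTS" | while read -r name ip; do
        [ -n "$name" ] && host_override_lines "$name" "$ip" | sed 's/^/  /'
    done
    printf '%s\n' "$BLOCKED" | while read -r zone; do
        [ -n "$zone" ] && block_zone_line "$zone" | sed 's/^/  /'
    done
}

# Number of blocked zones in the rendered output (quick sanity check).
blocked_count() {
    render_config | grep -c 'always_nxdomain'
}

# Usage on the firewall (paths are the assumed OPNsense locations):
#   sh render-unbound.sh > /usr/local/etc/unbound.opnsense.d/home.conf
#   unbound-checkconf /var/unbound/unbound.conf   # syntax check first
#   drill nas.home.arpa @127.0.0.1                # expect 192.168.1.10
#   drill ads.example @127.0.0.1                  # expect NXDOMAIN
render_config
```

After restarting Unbound, the two drill commands in the usage comment are the check worth running from a LAN client as well as on the firewall: a device that still resolves a blocked name is using a different resolver (hard-coded DNS, DNS over HTTPS in the browser), which the router cannot see.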
3. Set up your CrowdSec settings
CrowdSec is a collaboratively maintained list of network rules for blocking abusive hosts. For even deeper inspection, look into ZenArmor, which uses deep packet inspection to block threats. (I'm still exploring ZenArmor, so I won't make a strong recommendation just yet.)
4. Set up and install vnStat
If your ISP enforces data caps (and has a terrible portal for checking usage... ahem, Comcast), this plugin is essential. It reports your bandwidth usage daily, monthly, and yearly.
5. WireGuard
After years of on-and-off use with OpenVPN, I find WireGuard incredible. It’s lightweight, high-performance, and surprisingly easy to set up. WireGuard gives you access to your entire network from anywhere.
6. Create your own Certificate Authority
Okay, this is admittedly a fairly extreme thing to do. But it makes more sense when you're focused on local services and can't afford to reveal how your network is structured to a public CA. Creating your own CA for your private network requires loading its certificate onto every client that accesses your network. However, it lets you enable secure communication, and the features that depend on it, within your network. A tutorial on this will be written later. This is also how I got my Open WebUI instance to work with voice mode on mobile (speech-to-text requires an encrypted connection before the browser will allow it).
A heads-up on public certificates: when you set up certificates for sub-domains, those certificates are publicly discoverable (they are recorded in Certificate Transparency logs). That can lead to attacks if you're using known names.
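For item 6, here is an added example of the minimal shape such a CA takes with openssl. It is my own illustration, not the tutorial the author promises above and not OPNsense's built-in Trust > Authorities feature (which can do the same through the GUI). It also bears on the heads-up just given: a certificate issued this way never passes through a public CA, so the host name is not published in any Certificate Transparency log. The service name openwebui.home.arpa, its address 192.168.1.50 and the output directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the post: a minimal private CA for LAN-only
# services, and a server certificate issued from it. Nothing here touches a
# public CA, so no host name ends up in a Certificate Transparency log.
# Assumptions: openssl 1.1.1 or newer; the service name openwebui.home.arpa,
# its address 192.168.1.50 and the output directory are constructed.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

HOST="openwebui.home.arpa"
IP="192.168.1.50"
WORK="${CA_DIR:-./home-ca}"
mkdir -p "$WORK" && cd "$WORK"

# 1. Root CA: P-256 key and a self-signed certificate. pathlen:0 means this
#    root may only sign leaf certificates, never intermediate CAs, which
#    limits the damage if a signed cert is ever misused. Keep ca.key off the
#    network: anyone holding it can mint certs every client will trust.
make_ca() {
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Home Private Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ca.key
    openssl req -x509 -new -key ca.key -sha256 -days 3650 -config ca.cnf -out ca.crt
}

# 2. Leaf certificate for one service. Browsers ignore the CN and match on
#    subjectAltName, so the DNS name and the IP both go there. serverAuth EKU
#    and CA:FALSE keep the leaf from being usable as anything else. 825 days
#    is the longest validity Apple clients accept for a TLS server cert.
make_server_cert() {
    cat > server.cnf <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $1
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$1, IP:$2
EOF
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out server.key
    openssl req -new -key server.key -config server.cnf -out server.csr
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 825 -sha256 -extfile server.cnf -extensions v3_server -out server.crt
}

# 3. The checks a client effectively performs: the chain validates to our
#    root, and the SAN carries the exact name the browser will connect to.
verify_chain() {
    openssl verify -CAfile ca.crt server.crt >/dev/null
}
has_san() {
    openssl x509 -in server.crt -noout -ext subjectAltName | grep -q "DNS:$1"
}

make_ca
make_server_cert "$HOST" "$IP"
verify_chain && has_san "$HOST" && echo "issued server.crt for $HOST in $WORK"
# Install ca.crt (never ca.key) as a trusted root on each client; hand
# server.key and server.crt to the service or the reverse proxy in front of it.
```

The SAN check is the one that usually bites: a certificate that validates but is missing the name (or the IP, if that is what the mobile browser is pointed at) still produces a browser warning, and the voice-mode case above needs a clean HTTPS origin, not a clicked-through one.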
What are your favorite features of OPNsense? Please leave them in the comments below.