ABOUT OPNsense®
OPNsense is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources.
OPNsense started as a fork of pfSense® and m0n0wall in 2014, with its first official release in January 2015. The project has evolved very quickly while still retaining familiar aspects of both m0n0wall and pfSense. A strong focus on security and code quality drives the development of the project.
OPNsense offers weekly security updates with small increments to react on new emerging threats within in a fashionable time. A fixed release cycle of 2 major releases each year offers businesses the opportunity to plan upgrades ahead. For each major release a roadmap is put in place to guide development and set out clear goals.
MISSION STATEMENT
Our mission is to make OPNsense the most widely used open source security platform. We give users, developers and business a friendly, stable and transparent environment.
The project’s name is derived from open and sense and stands for: “Open (source) makes sense.”
OPNsense Core Features
- Traffic Shaper
- Two-factor Authentication throughout the system
- Captive portal
- Forward Caching Proxy (transparent) with Blacklist support
- Virtual Private Network (site to site & road warrior, IPsec, OpenVPN & legacy PPTP support)
- High Availability & Hardware Failover (with configuration synchronization & synchronized state tables)
- Intrusion Detection and Prevention
- Built-in reporting and monitoring tools including RRD Graphs
- Netflow Exporter
- Network Flow Monitoring
- Support for plugins
- DNS Server & DNS Forwarder
- DHCP Server and Relay
- Dynamic DNS
- Encrypted configuration backup to Google Drive
- Stateful inspection firewall
- Granular control over state table
- 802.1Q VLAN support
- and more.. see features
FEATURES
The feature set of OPNsense includes high-end features such as forward caching proxy, traffic shaping, intrusion detection and easy OpenVPN client setup. The latest release is based upon FreeBSD for long-term support and uses a newly developed MVC-framework based on Phalcon.
OPNsense’s focus on security brings unique features such as the option to use LibreSSL instead of OpenSSL (selectable in the GUI) and a custom version based on FreeBSD.
The robust and reliable update mechanism gives OPNsense the ability to provide important security updates in a timely fashion.
MARKETS
Protect your business network and secure your connections using OpenVPN or IPsec. From the stateful inspection firewall to the inline intrusion detection & prevention system everything is included for free. Use the traffic shaper to enhance network performance and prioritise you voice over ip above other traffic. Backup your configuration to the cloud automatically, no need for manual backups anymore!
Limit and share available bandwidth evenly amongst students and utilise the category based web filtering to filter unwanted traffic such as adult content and malicious websites. Its easy to setup as no additional plugins nor packages are required. Teach about security or use our development documentation to show how an Model Viewer Controller works. You and your students are invited to join the effort and OPNsense community!
Remote Offices & SOHO
Utilise the integrated site to site VPN (IPsec or SSL VPN / OpenVPN) to create a secure network connection to and from your remote offices. Enjoy the easy configuration and online searchable documentation with simple how-to type of articles to get you started, quickly.
Hotels & Campings
Hotels and campings usually utilise a captive portal to allow guests (paid) access to internet for a limited duration. Guests need to login using a voucher they can either buy or obtain for free at the reception. OPNsense has a built-in captive portal with voucher support and can easily create them on the fly.
FEATURE HIGHLIGHTS
OPNsense Features a complete high-end security platform for free.
Take a look at some of our highlights, but remember OPNsense Features much more than we can showcase.
Dashboard
OPNsense offers a dashboard feature to quickly check the status of your OPNsense Firewall. Shown is the latest version with drag and drop multi collumn support.
Modern User Interface
The modern user interface offers a great user experience with multi language support, built-in help and quick navigation with the searchbox.
Shown is the fast search navigation option.
Stateful Firewall
A stateful firewall is a firewall that keeps track of the state of network connections (such as TCP streams, UDP communication) traveling across it. OPNsense offers grouping of Firewall Rules by Category, a great feature for more demanding network setups.
Stateful Firewall
A stateful firewall is a firewall that keeps track of the state of network connections (such as TCP streams, UDP communication) traveling across it. OPNsense offers grouping of Firewall Rules by Category, a great feature for more demanding network setups.
Traffic Shaper
Traffic shaping within OPNsense is very flexible and is organised around pipes, queues and corresponding rules. The pipes define the allowed bandwidth, the queues can be used to set a weight within the pipe and finally the rules are used to apply the shaping to a certain package flow. The shaping rules are handled independently from the firewall rules and other settings.
Two-factor authentication
Two-factor authentication also known as 2FA or 2-Step Verification is an authentication method that requires two components, such as a pin/password + a token. OPNsense offers full support for Two-factor authentication ( 2FA ) throughout the entire system utilising TOTP with for instance Google Authenticator.
Supported 2FA services include:
- OPNsense Graphical User Interface
- Captive Portal
- Virtual Private Networking – OpenVPN & IPsec
- Caching Proxy
Captive Portal
Captive Portal allows you to force authentication, or redirection to a click through page for network access. This is commonly used on hot spot networks, but is also widely used in corporate networks for an additional layer of security on wireless or Internet access.OPNsense offer most enterprise features including Radius and voucher support.
Virtual Private Network – IPsec & OpenVPN GUI
OPNsense offers a wide range of VPN technologies ranging from modern SSL VPN’s to well known IPsec as well as older (now considered insecure) legacy options such as L2TP and PPTP. Site-to-Site and road warrior setups are possible and with the integrated OpenVPN client exporter, the client can be configured within minutes. Looking for a IPsec or OpenVPN GUI, you just found something better!
High Availability / Hardware Failover (CARP)
OPNsense utilises the Common Address Redundancy Protocol or CARP for hardware failover. Two or more firewalls can be configured as a failover group. If one interface fails on the primary or the primary goes offline entirely, the secondary becomes active. Utilising this powerful feature of OPNsense creates a fully redundant firewall with automatic and seamless fail-over. While switching to the backup network connections will stay active with minimal interruption for the users.
Caching Proxy
The caching proxy offered by OPNsense is fully featured and includes category based webfiltering, extensive Access Control Lists and can run in transparent mode. The proxy can be combined with the traffic shaper to enhance user experience. Integration with most professional Anti-Virus solutions is possible trough the ICAP interface.
Intrusion Detection & Prevention
The inline IPS system of OPNsense is based on Suricata and utilises Netmap to enhance performance and minimize cpu utilisation. This deep packet inspection system is very powerful and can be used to mitigate security threats at wire speed.
Integrated support for ET Open rules.
The ETOpen Ruleset is an excellent anti-malware IDS/IPS ruleset that enables users with cost constraints to significantly enhance their existing network-based malware detection.
Integrated SSL Blacklist (SSLBL)
A project maintained by abuse.ch. The goal is to provide a list of “bad” SSL certificates identified by abuse.ch to be associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists.
Intergrated Feodo Tracker
Feodo (also known as Cridex or Bugat) is a Trojan used to commit embanking fraud and steal sensitive information from the victims computer, such as credit card details or credentials. At the moment, Feodo Tracker is tracking four versions of Feodo.
SSL Finger Printing
The IPS option to allow user defined rules include the option for SSL fingerprinting. With this option SSL communication can be blocked at the initial connection attempt by dropping the SSL key exchange.
Backup & Restore
Better safe than sorry, always keep an up to date backup of your configuration. It’s easy with OPNsense.
History
Automatic backups of configuration changes make it possible to review history and restore previous settings.
Backup
Easily download a backup from within the GUI and store on a safe place.
Encrypt the backup with a strong password and make plain text unreadable for unauthorised persons.
Restore
Upload your configuration backup file and restore it with ease.
Cloud Backup
OPNsense supports encrypted cloud backup of your configuration with the option to keep backups of older files (history). For this purpose Google drive support has been integrated into the user interface.
Reporting & Monitoring
OPNsense offers many options for reporting and monitoring the system, these include:
System Health
A modern take on RRD graphs with the option to zoom in and export data.
Netflow Exporter
Use your favorite netflow analyser to see most active users, interfaces, ports & applications.
Insight – Intergrated Netflow Analyser
OPNsense also offers an integrated Netflow analyser without the need for additional plugins or tools, similar to what you may find in high-end commercial products.
Firmware & Plugins
Offering a robust firmware upgrade path to react on emerging threats in a fashionable time; OPNsense is equipped with a reliable and secure update mechanism to provide weekly security updates. A plugin mechanism can be used to install additional packages and customisations.
Free Up-to-Date Online Manual
Our online documentation is completely searchable, up-to-date and offered for free. Features are explained in detail and examples are provided in the form of how-to’s , making configuring OPNsense as simple as possible. And if you are a developer then you’ll find all about our framework, coding guidelines and hello-world plugin well organized in the Developers section. See docs.opnsense.org.