Welcome to OPNsense’s documentation!

OPNsense® is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform.

OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources.

Mission Statement

Give users, developers and businesses a friendly, stable and transparent environment. Make OPNsense the most widely used open source security platform. The project’s name is derived from open and sense and stands for: “Open (source) makes sense.”

Reading guide

While reading the documentation, it’s good to know how the various topics are structured, what their purpose is and how to find what you’re looking for. Maybe even more important is what this documentation doesn’t offer.

If you’re looking for deeper insights about networking and best practices in designing them, this might not be the best place to look. Most of our documents and how-to’s focus on how to use functionality included in our software and/or one of it’s plugins. Quite some books are written about networking, there are (online) courses available and wikipedia contains a lot of relevant articles as well. Some interesting reads include the fundamentals about the OSI model, IP addressing, routing and network address translation. Likely these resources are more suitable for learning about general network concepts. Although we do try to include some context in our documents, there are often assumptions made about the readers knowledge on (basic) networking.

Like many products and projects, ours grows over time, functionality extends and changes, which sometimes makes it difficult to find what you need for the version you’re using. Although we try to keep our documentation up to date, sometimes text doesn’t reflect reality anymore. If that’s the case and you think you found an omission, don’t hestitate to open a report using one of our templates on GitHub or a pull request of course if you’re able to.

Always assume the text is intended for the latest version of our product, in time we might add a version selector in the documentation, but given OPNsense is a security product, we advise to keep it up to date anyway to protect yourself against the latest threats.

The releases section contains the changelogs for all versions we published over the years, if there are remarks for an upgrade, this is a useful resource to collect the details.

Installation and setup is all about getting you started using one of the target options available.

The next sections should be quite familiair when working with OPNsense, as they reflect the options in the menu of the product. In case you’re not yet used to OPNsense, you can always use the search input in the left corner of the screen to find your topic.

Both community and third-party plugins have their own area available, although they eventually register into the same menu structure, it’s good to know about possible differences between add-ons and standard functionality. The level of support may differ between core functionality, as also explained in the “Support options” section, feature requests and bugs maybe treated different as well (a lot of questions for a plugin which is being developed by a single person, maybe less active than a group of people improving a plugin together for example).

When it comes to building software on top of OPNsense or extending existing functionality, the development chapter is the one to read. It explains all about our architecture, coding style, how to hook into available facilities and much more.

Some pointers when it comes to troubleshooting can be found in the section with the same name, it explains a bit about our issue workflow and some tips we collected over the years.

Last but not least our documentation includes some pages around project relations, legal guidelines and ways to contribute to the project.

Feature set

The feature set of OPNsense includes high-end features such as forward caching proxy, traffic shaping, intrusion detection and easy OpenVPN client setup. The latest release is based on a recent FreeBSD for long-term support and uses a newly developed MVC-framework based on Phalcon. OPNsense’s focus on security brings unique features such as the option to use LibreSSL instead of OpenSSL (selectable in the GUI).

The robust and reliable update mechanism gives OPNsense the ability to provide important security updates in a timely fashion.

OPNsense Core Features

• Traffic Shaper
• Captive portal
  • Voucher support
  • Template manager
  • Multi zone support
• Forward Caching Proxy
  • Transparent mode supported
  • Blacklist support
• Virtual Private Network
  • Site to site
  • Road warrior
  • IPsec
  • OpenVPN
• High Availability & Hardware Failover
  • Includes configuration synchronization & synchronized state tables
  • Moving virtual IPs
• Intrusion Detection and Inline Prevention
  • Built-in support for Emerging Threats rules
  • Simple setup by use of rule categories
  • Scheduler for period automatic updates
• Built-in reporting and monitoring tools
  • System Health, the modern take on RRD Graphs
  • Packet Capture
  • Netflow
• Support for plugins
• DNS Server & DNS Forwarder
• DHCP Server and Relay
• Dynamic DNS
• Backup & Restore
  • Encrypted cloud backup to Google Drive and Nextcloud
  • Configuration history with colored diff support
  • Local drive backup & restore
• Stateful inspection firewall
• Granular control over state table
• 802.1Q VLAN support
• Staying ahead

  Even though we always encourage people to update regularly, sometimes it’s not possible to do so for various reasons.

  Luckily OPNsense comes with an integrated security check for know vulnerabilities, which can be found in our firmware module. In which case you do have the opportunity to validate for yourself what the risk is to keep using the current version for a bit longer.

  You can reach it via System -> Firmware in the status pane, the button “Run an Audit” will bring you right into the security report.

  Upstream vulnerabilities

  Since OPNsense is a collection of opensource software, when finding an issue, it is always a good idea to inspect where is should be fixed first. In case you don’t know or aren’t sure, you can still ask on our end, just know that we don’t have the manpower to act as an intermediate between various projects.

  Information handling policies

  As a general policy we do favor full disclosure of vulnerability information after a reasonable amount of time to permit safe analysis and correction as well as appropriate testing for the correction at hand.

  In order to coordinate with other affected parties, we might share parts of the information provided to us to them as well or ask the reporter to do so.

  When the submitter is interested in a coordinated disclosure process, this should be indicated in any submission to avoid discussions later on.

  Third party security verification

  Within the OPNsense team and community we spend a lot of time safeguarding our software and keeping up with the latest threats, like checking used software against CVE’s on every release, implementing best practices in our development methods and offering clear and transparent release engineering.

  To even improve this further, we decided to bring a third party on board and mold a process around our security verification by trained security professionals.

  Business Edition

  As our business edition is aimed at professional users, it does make sense to offer additional safeguards, like even more extensive testing on this product. Looking at the lifecycle of our software, this is also the most mature stage of what we do have to offer:

  • Development version
    • Available at every release, offers a glimpse of what to expect in the near future
  • Community version
    • When changes survive the development version, these are included in the community version, these are internally tested and feedback has been offered by community members.
  • Business Edition
    • Functional changes are being included in a more conservative manner, more feedback has been collected from development and community, leading to a mission critical version of your well known OPNsense firewall.

  As security testing is quite time-consuming, we aim to offer a full qualification cycle at every major release.

  Framework / Type of testing (LINCE)

  In our quest for a framework to use, we found the LINCE methodology.

  LINCE is a lightweight methodology for evaluating and certifying ICT products, created by Spain’s National Cryptologic Center (CCN), based on Common Criteria principles and oriented to vulnerability analysis and penetration tests.

  LINCE strengths over other methodologies mainly consist of reduced effort and duration. However, the way in which it is applied also makes it possible to pay more attention to the critical points of each product, giving more weight to concrete and practical tests that combat real threats than to dense documentation or exhaustive functionality tests.

  As most frameworks are not intended to be repeated very regularly, together with jtsec we came up with an approach which makes it possible to pass the test twice a year, which is needed to align with our Business Edition releases.

  During every cycle, there’s always a chance that (small) issues appear which should be fixed, in close accordance with jtsec, the OPNSense team prepares fixes for the findings and makes sure that these are included in a future (minor) release.

  Steps in the process

  To better understand where a version of OPNsense is at in terms of verification, we distinct the following stages in the process, which we will also note on the version at hand.

  1. In test – Software delivered to jtsec, in process (interaction between OPNsense and jtsec).
  2. Tested – Software verified / tested, documentation not yet published.
  3. LINCE Compliant – Test complete including summarised report (by jtsec)
  4. Certification pending – Offered for formal certification. (as of 2023)
  5. LINCE Certified – Certified by CCN (as of 2023)

  The certification steps are planned to be executed once a year starting in 2023, this process is quite time consuming, but adds another independent party to the mix.

  Timeline

  The first fully certified product has been a community version (21.7.1), which offered us insights into the process and helped us improve the process which we would like to use for the business edition. We started this cycle with version 22.4 including full testing by jtsec and made plans for the future.

  Sales Number : +91 95 8290 7788
  Support Number : +91 94 8585 7788
  Sales Email : sales@itmonteur.net
  Support Email : support@itmonteur.net

  Register & Request Quote
  Submit Support Ticket