How to Install Plugins on OPNsense?
OPNsense is a new FreeBSD-based firewall and routing system. It started out as a fork of pfSense® CE. Its story officially began in January 2015 with the publication of the release announcement for the first OPNsense release, the 15.1, on the official website.
OPNsense has a web-based interface and is compatible with the x86-64 platform. It has load balancing, virtual private network, and traffic shaping capabilities, and more can be added via plugins.
More information about OPNsense can be found in the Best Open-Source Firewalls article written by Sunny Valley Networks.
In this guide, we'll cover the available plugins for OPNsense and how you can install them on your firewall to enhance its capabilities. Also, we'll outline the best OPNsense plugins for securing your network. Finally, there will be a list of items to keep in mind while utilizing plugins for secure management.
What are OPNsense Plugins?
OPNsense® includes many features in the base system. However, in some cases, additional software may be required, which is either provided only as a binary package (without user interface) or as a plugin. Plugins are software packages that can be installed directly through the user interface and frequently include setup options accessible to the end-user.
The OPNsense community is welcoming and helpful. One appealing aspect of the OPNSense community is the large number of community plugins that have been created in a relatively short time. At the time of writing, OPNsense had over 70 different community-contributed plugins. These plugins help you to extend the functionality of your OPNsense firewall.
While some of the plugins are maintained and supported by the OPNsense team, many are supported by the community. Due to the fact that OPNsense® is a community-driven project, the amount of support available on these plugins may vary. There are also some third-party plugins that are available under a paid license. Sunny Valley Networks and Deciso are two vendors of these third-party plugins. OPNsense plugins are always available to everyone via web GUI as soon as they are upstreamed. The project maintains the plugin repository. If plugins are not kept up to date by their maintainer, they are removed at some point.
The following advantages come with OPNsense plugin support:
- Allow both community and third-party developers to extend the firewall capabilities.
- The application's size can be reduced by not loading unused features.
- New features can be easily added
- Because of incompatible software licenses, such as commercial packages, separate the source code from the OPNsense itself which is open-source.
OPNsense plugins can perform the following functions:
- Add more server software and their corresponding graphical user interfaces (GUIs).
- Develop new authentication methods for use in other subsystems.
- Change the menu, access control lists, and overall look and feel (themes)
- Increase the number of work tasks assigned to the backend services.
- Customize the start, stop, and early scripts.
- Other types of devices and interfaces can be added to the firewall.
- Bring in additional packages that will be automatically updated.
- Additional themes for the web interface
- Persistent /boot/loader.conf changes
A list of plugins that are currently available is given below:
| Plugin Category/ Plugin Name | Description |
|---|---|
| benchmarks/iperf | Connection speed tester |
| databases/redis | Redis DB |
| devel/debug | Debugging Tools |
| devel/grid_example | A sample framework application |
| devel/helloworld | A sample framework application |
| dns/bind | BIND domain name service |
| dns/dnscrypt-proxy | Flexible DNS proxy supporting DNSCrypt and DoH |
| dns/dyndns | Dynamic DNS Support |
| dns/rfc2136 | RFC-2136 Support |
| emulators/qemu-guest-agent | QEMU Guest Agent for OPNsense |
| ftp/tftp | TFTP server |
| mail/fetchmail | Remote-mail retrieval utility |
| mail/postfix | SMTP mail relay |
| mail/rspamd | Protect your network from spam |
| misc/theme-cicada | The cicada theme - dark grey |
| misc/theme-rebellion | A suitably dark theme |
| misc/theme-tukan | The tukan theme - blue/white |
| misc/theme-vicuna | The vicuna theme - dark anthrazit |
| net/chrony | Chrony time synchronisation |
| net/firewall | Firewall API supplemental package |
| net/freeradius | RADIUS Authentication, Authorization and Accounting Server |
| net/frr | The FRRouting Protocol Suite |
| net/ftp-proxy | Control ftp-proxy processes |
| net/google-cloud-sdk | Google Cloud SDK |
| net/haproxy | Reliable, high performance TCP/HTTP load balancer |
| net/igmp-proxy | IGMP-Proxy Service |
| net/mdns-repeater | Proxy multicast DNS between networks |
| net/ntopng | Traffic Analysis and Flow Collection |
| net/radsecproxy | RADIUS proxy provides both RADIUS UDP and TCP/TLS (RadSec) transport |
| net/realtek-re | Realtek re(4) vendor driver |
| net/relayd | Relayd Load Balancer |
| net/shadowsocks | Secure socks5 proxy |
| net/siproxd | Siproxd is a proxy daemon for the SIP protocol |
| net/tayga | Tayga NAT64 |
| net/udpbroadcastrelay | Control ubpbroadcastrelay processes |
| net/upnp | Universal Plug and Play Service |
| net/vnstat | vnStat is a console-based network traffic monitor |
| net/wireguard | WireGuard VPN service |
| net/wol | Wake on LAN Service |
| net/zerotier | Virtual Networks That Just Work |
| net-mgmt/collectd | Collect system and application performance metrics periodically |
| net-mgmt/lldpd | LLDP allows you to know exactly on which port is a server |
| net-mgmt/net-snmp | Net-SNMP is a daemon for the SNMP protocol |
| net-mgmt/netdata | Real-time performance monitoring |
| net-mgmt/nrpe | Execute nagios plugins |
| net-mgmt/telegraf | Agent for collecting metrics and data |
| net-mgmt/zabbix-agent | Zabbix monitoring agent |
| net-mgmt/zabbix-proxy | Zabbix monitoring proxy |
| security/acme-client | ACME Client |
| security/clamav | Antivirus engine for detecting malicious threats |
| security/etpro-telemetry | ET Pro Telemetry Edition |
| security/intrusion-detection-content-et-open | IDS Proofpoint ET open ruleset complementary subset for ET Pro Telemetry edition |
| security/intrusion-detection-content-et-pro | IDS Proofpoint ET Pro ruleset (needs a valid subscription) |
| security/intrusion-detection-content-pt-open | IDS PT Research ruleset (only for non-commercial use) |
| security/intrusion-detection-content-snort-vrt | IDS Snort VRT ruleset (needs registration or subscription) |
| security/maltrail | Malicious traffic detection system |
| security/openconnect | OpenConnect Client |
| security/softether | Cross-platform Multi-protocol VPN Program (development only) |
| security/stunnel | Stunnel TLS proxy |
| security/tinc | Tinc VPN |
| security/tor | The Onion Router |
| sysutils/api-backup | Provide the functionality to download the config.xml |
| sysutils/apuled | PC Engine APU LED control (development only) |
| sysutils/boot-delay | Apply a persistent 10 second boot delay |
| sysutils/dmidecode | Display hardware information on the dashboard |
| sysutils/git-backup | Track config changes using git |
| sysutils/hw-probe | Collect hardware diagnostics |
| sysutils/lcdproc-sdeclcd | LCDProc for SDEC LCD devices |
| sysutils/mail-backup | Send configuration file backup by e-mail |
| sysutils/munin-node | Munin monitoring agent |
| sysutils/nextcloud-backup | Track config changes using NextCloud |
| sysutils/node_exporter | Prometheus exporter for machine metrics |
| sysutils/nut | Network UPS Tools |
| sysutils/puppet-agent | Manage Puppet Agent |
| sysutils/smart | SMART tools |
| sysutils/virtualbox | VirtualBox guest additions |
| sysutils/vmware | VMware tools |
| sysutils/xen | Xen guest utilities |
| vendor/sunnyvalley | Vendor repository for Sensei (Next Generation Firewall Extensions) |
| www/c-icap | c-icap connects the web proxy with a virus scanner |
| www/cache | Webserver cache |
| www/nginx | Nginx HTTP server and reverse proxy |
| www/web-proxy-sso | Kerberos authentication module |
| www/web-proxy-useracl | Group and user ACL for the web proxy |
Table 1. Currently available plugins on OPNsense
Management of the Plugins on OPNsense
On OPNsense Plugins page you may perform the following tasks which will be explained below:
- Viewing available plugins
- Search for a plugin
- Viewing details of a plugin
- Install/Remove a plugin
Viewing Available Plugins
To view the available plugins on your OPNsense firewall, you may follow the steps below:
- Click on the
Systemdropdown menu on the OPNsense web UI. - Click on the
Firmware. - Click on the
Plugins. - You may scroll down to view all plugins.
Figure 1. Viewing plugins navigating to Systems> Firmware > Plugins on OPNsense UI.
All available OPNsense plugins with the following details are displayed on Plugins page:
- Name: Name of the plugin, such as
os-sunnyvalley.
Installed plugins are captioned with (installed) at the end of the plugin name. They are also listed in bold font.
- Version: Release number of the plugin, such as
1.2_1. - Size: Size of the package in Bytes. KBytes or MBytes, such as
652 B. - Repository: Repository of the plugin, such as
OPNsenseorSunnyValley. All community plugins are released from theOPNsenserepository. - Comment: Description of the plugin, such as
Vendor repository for Sensei (Next-Generation Firewall Extensions)in our example.
On Plugins page, there are 3 types of action buttons for each plugin:
- Info: Black circle button with
iicon is used to view information details of the plugin - Install: Square button with the
+icon is used to install a plugin. - Remove: Square button with a trash box icon is used to uninstall a plugin.
Figure 2. Action buttons for plugins on OPNsense
You can view the details of a plugin for more information by clicking on the Info button at the end of the plugin row.
Figure 3. Viewing os-sunnyvalley plugin information details on OPNsense
How to Search for a Plugin
You can easily search for a plugin by typing on the search bar in the Name column on the Plugins page. You can follow the steps given below:
- Navigate to the
System→Firmware→Pluginson OPNsense web UI. - Type the plugin name on the search bar at the
Namecolumn, such assunnyvalley. While you are typing, the plugins list will be updated automatically.
Figure 4. Searching for a plugin on OPNsense
How to Install a Plugin
It is very straightforward to install a plugin on the OPNsense firewall. You can easily and quickly install available plugins by following these instructions:
- Be sure that your OPNsense system is up-to-date. Please, refer to the How to Update OPNsense article written by Sunny Valley Networks for more information.
- Navigate to the
System→Firmware→Pluginson OPNsense web UI. - Search for the plugin you want to install, for example,
os-rspamd.
Figure 5. Installing the plugin on OPNsense
- Click on the
Installbutton. You will be redirected to theUpdatespage and the plugin will be installed. - After the plugin is installed successfully, you should see the output similar to the figure below.
Figure 6. Plugin installation output on the Updates page of OPNsense
- Click on the
Pluginstab to view the installed plugins. You should see the plugin that you already added as installed like in the figure below.
Figure 7. Viewing installed plugins on OPNsense
How to Remove a Plugin
You can easily uninstall a plugin from your OPNsense firewall by following the steps below:
- Navigate to the
System→Firmware→Pluginson OPNsense web UI. - Search for the plugin you want to uninstall, for example,
os-dyndns. - Click on the
Removebutton with a trash box icon next to the plugin. This will open a confirmation dialog box.
Figure 8. Confirming the plugin removal
- Click on
OKto confirm the plugin uninstallation. This will redirect you to theUpdatepage and remove the package. After removing the plugin successfully, you should see an output similar to below.
Figure 9. *os-dyndns plugin removed*
Best OPNsense Plugins
In this section, we will outline the top OPNsense plugins which are the most widespread among the community. They are extremely beneficial and offer excellent network security solutions to protect your valuable assets from cyber threats. We choose plugins with distinct capabilities that do not overlap to protect you across multiple attack surfaces.
1. Zenarmor
Zenarmor is a stand-alone instant firewall that can be installed almost anywhere. It offers cutting-edge, next-generation firewall features for open-source firewalls that aren't currently available in products like OPNsense and pfSense® software. Zenarmor provides Application Control, Network Analytics, and TLS Inspection, among other features to enhance your OPNsense firewall.
Zenarmor, which is based on a cloud-based web categorization of 300+ million websites divided into 60+ categories, allows administrators to create custom online filtering profiles and rules.
SVN Cloud is a massive database that serves millions of searches per day and contains reputation and security information on over 300 million websites, with more being added regularly. Zenarmor can respond to malware threats and viral outbreaks in real-time thanks to SVN Cloud.
Since 2017, there have been thousands of Zenarmor deployments in homes, small businesses, and some enterprise-level networks around the world. It doesn't matter who you are, whether an IT manager of an enterprise network or a parent who needs cyber hygiene at the home network to keep kids safe, let you give a chance to Zenarmor by installing os-sunnyvalley and os-sensei plugins respectively for free.
Zenarmor NGFW Plug-in allows you to easily upgrade your firewall to a Next Generation Firewall in seconds. NG Firewalls empower you to combat modern-day cyber attacks that are becoming more sophisticated every day.
Some of the capabilities are layer-7 application/user aware blocking, granular filtering policies, commercial-grade web filtering utilizing cloud-delivered AI-based Threat Intelligence, parental controls, and the industry's best network analytics and reporting.
Zenarmor Free Edition is available at no cost for all OPNsense users.
2. WireGuard
WireGuard is a fast, simple, and modern VPN that employs cutting-edge cryptography. It intends to be faster, simpler, leaner, and more useful than other VPN protocols, such as IPsec or OpenVPN. WireGuard is planned to be a general-purpose VPN that can be used on embedded interfaces as well as supercomputers in a variety of situations.
It was originally designed for the Linux kernel, but it is now cross-platform and widely deployed. Although it is still in the early stages of development, it has the potential to be the most user-friendly, secure, and straightforward VPN solution in the cyber security world. If you need to provide remote connections for your users, you may find more information on the following articles written by Sunny Valley Networks:
3. NGINX
NGINX is a high-performance edge web server with the smallest memory footprint and the essential features for constructing efficient and modern web infrastructure.
An HTTP server, HTTP and mail reverse proxy, load balancing, caching, request throttling, SSL offloading, compression, connection multiplexing, and reuse, and HTTP media streaming are all features of NGINX. If you need a fast and secure web service or a WAF, you can easily install the os-nginx plugin on your OPNsense system.
4. Rspamd
For spam protection, OPNsense also includes the 'rspamd' plugin. Rspamd is a spam filter that is fast, modular, and lightweight. It is designed to handle large amounts of mail and can be easily extended with custom lua filters.
It evaluates communications using a variety of rules including statistical analysis, regular expressions, and specialized services such as URL ban lists. Each message is examined and a spam score is assigned.
Based on the spam score and the user's settings, Rspamd suggests an action for the MTA to take with the message, such as passing, rejecting, or adding a header. It can process hundreds of messages per second and has a plethora of useful features.
5. Freeradius
The most widely used RADIUS server in the world is FreeRADIUS. It includes a RADIUS server, a PAM library, a client library licensed under the BSD license, and an Apache module. The server is quick, loaded with features, modular, and scalable.
It serves as the foundation for a variety of commercial offerings. It meets the AAA requirements of many Fortune 500 companies and Tier 1 ISPs. It is also widely used for Enterprise Wi-Fi and IEEE 802.1X network security, particularly in academic settings such as eduroam.
By installing the os-freeradius plugin on your OPNsense firewall, you will have an Authentication, Authorization, and Accounting Server on your network.
Things To Consider When Using a Plugin
You should consider the following tips when choosing and using a plugin to keep your firewall secure and efficient.
- Do not install unnecessary plugins
Every service on your system comes with its own security risk. To narrow the cyber attack surface remove the plugins entirely if you aren't using them. If you need one of them later, you can always reinstall the plugin easily.
- Keep your system up-to-date
Software updates not only provide new features but also patch security holes and fix the bugs. Therefore, you should always keep your firewall up-to-date. If you don't update your firewall when the new updates are released by OPNsense, you expose yourself to potential frustrations and security breaches.
- Avoid Similar Plugins
Plugins that overlap in services waste your system resources, such as disk, CPU, memory, and bandwidth while potentially posing additional security risks.
- Read the documentation
Before installing a plugin, you should understand what it can do and what effects it may have on your network. If you do not, you may find yourself in the middle of big trouble by causing service interruptions in your company.