
How to Install Plugins on OPNsense?

OPNsense is a new FreeBSD-based firewall and routing system. It started out as a fork of pfSense® CE. Its story officially began in January 2015 with the publication of the release announcement for the first OPNsense release, the 15.1, on the official website.

OPNsense has a web-based interface and is compatible with the x86-64 platform. It has load balancing, virtual private network, and traffic shaping capabilities, and more can be added via plugins.

More information about OPNsense can be found in the Best Open-Source Firewalls article written by Sunny Valley Networks.

In this guide, we'll cover the available plugins for OPNsense and how you can install them on your firewall to enhance its capabilities. Also, we'll outline the best OPNsense plugins for securing your network. Finally, there will be a list of items to keep in mind while utilizing plugins for secure management.

What are OPNsense Plugins?

OPNsense® includes many features in the base system. However, in some cases, additional software may be required, which is either provided only as a binary package (without user interface) or as a plugin. Plugins are software packages that can be installed directly through the user interface and frequently include setup options accessible to the end-user.

The OPNsense community is welcoming and helpful. One appealing aspect of the OPNsense community is the large number of community plugins that have been created in a relatively short time. At the time of writing, OPNsense had over 70 different community-contributed plugins. These plugins help you to extend the functionality of your OPNsense firewall.

While some of the plugins are maintained and supported by the OPNsense team, many are supported by the community. Because OPNsense® is a community-driven project, the amount of support available for these plugins may vary. There are also some third-party plugins that are available under a paid license. Sunny Valley Networks and Deciso are two vendors of these third-party plugins. OPNsense plugins are always available to everyone via the web GUI as soon as they are upstreamed. The project maintains the plugin repository. If plugins are not kept up to date by their maintainer, they are removed at some point.

The following advantages come with OPNsense plugin support:

  • Allow both community and third-party developers to extend the firewall capabilities.
  • The application's size can be reduced by not loading unused features.
  • New features can be easily added.
  • Source code under incompatible software licenses, such as commercial packages, can be kept separate from OPNsense itself, which is open-source.

OPNsense plugins can perform the following functions:

  • Add more server software and their corresponding graphical user interfaces (GUIs).
  • Develop new authentication methods for use in other subsystems.
  • Change the menu, access control lists, and overall look and feel (themes)
  • Increase the number of work tasks assigned to the backend services.
  • Customize the start, stop, and early scripts.
  • Other types of devices and interfaces can be added to the firewall.
  • Bring in additional packages that will be automatically updated.
  • Additional themes for the web interface
  • Persistent /boot/loader.conf changes

A list of plugins that are currently available is given below:

| Plugin Category/Plugin Name | Description |
|---|---|
| benchmarks/iperf | Connection speed tester |
| databases/redis | Redis DB |
| devel/debug | Debugging Tools |
| devel/grid_example | A sample framework application |
| devel/helloworld | A sample framework application |
| dns/bind | BIND domain name service |
| dns/dnscrypt-proxy | Flexible DNS proxy supporting DNSCrypt and DoH |
| dns/dyndns | Dynamic DNS Support |
| dns/rfc2136 | RFC-2136 Support |
| emulators/qemu-guest-agent | QEMU Guest Agent for OPNsense |
| ftp/tftp | TFTP server |
| mail/fetchmail | Remote-mail retrieval utility |
| mail/postfix | SMTP mail relay |
| mail/rspamd | Protect your network from spam |
| misc/theme-cicada | The cicada theme - dark grey |
| misc/theme-rebellion | A suitably dark theme |
| misc/theme-tukan | The tukan theme - blue/white |
| misc/theme-vicuna | The vicuna theme - dark anthrazit |
| net/chrony | Chrony time synchronisation |
| net/firewall | Firewall API supplemental package |
| net/freeradius | RADIUS Authentication, Authorization and Accounting Server |
| net/frr | The FRRouting Protocol Suite |
| net/ftp-proxy | Control ftp-proxy processes |
| net/google-cloud-sdk | Google Cloud SDK |
| net/haproxy | Reliable, high performance TCP/HTTP load balancer |
| net/igmp-proxy | IGMP-Proxy Service |
| net/mdns-repeater | Proxy multicast DNS between networks |
| net/ntopng | Traffic Analysis and Flow Collection |
| net/radsecproxy | RADIUS proxy provides both RADIUS UDP and TCP/TLS (RadSec) transport |
| net/realtek-re | Realtek re(4) vendor driver |
| net/relayd | Relayd Load Balancer |
| net/shadowsocks | Secure socks5 proxy |
| net/siproxd | Siproxd is a proxy daemon for the SIP protocol |
| net/tayga | Tayga NAT64 |
| net/udpbroadcastrelay | Control ubpbroadcastrelay processes |
| net/upnp | Universal Plug and Play Service |
| net/vnstat | vnStat is a console-based network traffic monitor |
| net/wireguard | WireGuard VPN service |
| net/wol | Wake on LAN Service |
| net/zerotier | Virtual Networks That Just Work |
| net-mgmt/collectd | Collect system and application performance metrics periodically |
| net-mgmt/lldpd | LLDP allows you to know exactly on which port is a server |
| net-mgmt/net-snmp | Net-SNMP is a daemon for the SNMP protocol |
| net-mgmt/netdata | Real-time performance monitoring |
| net-mgmt/nrpe | Execute nagios plugins |
| net-mgmt/telegraf | Agent for collecting metrics and data |
| net-mgmt/zabbix-agent | Zabbix monitoring agent |
| net-mgmt/zabbix-proxy | Zabbix monitoring proxy |
| security/acme-client | ACME Client |
| security/clamav | Antivirus engine for detecting malicious threats |
| security/etpro-telemetry | ET Pro Telemetry Edition |
| security/intrusion-detection-content-et-open | IDS Proofpoint ET open ruleset complementary subset for ET Pro Telemetry edition |
| security/intrusion-detection-content-et-pro | IDS Proofpoint ET Pro ruleset (needs a valid subscription) |
| security/intrusion-detection-content-pt-open | IDS PT Research ruleset (only for non-commercial use) |
| security/intrusion-detection-content-snort-vrt | IDS Snort VRT ruleset (needs registration or subscription) |
| security/maltrail | Malicious traffic detection system |
| security/openconnect | OpenConnect Client |
| security/softether | Cross-platform Multi-protocol VPN Program (development only) |
| security/stunnel | Stunnel TLS proxy |
| security/tinc | Tinc VPN |
| security/tor | The Onion Router |
| sysutils/api-backup | Provide the functionality to download the config.xml |
| sysutils/apuled | PC Engine APU LED control (development only) |
| sysutils/boot-delay | Apply a persistent 10 second boot delay |
| sysutils/dmidecode | Display hardware information on the dashboard |
| sysutils/git-backup | Track config changes using git |
| sysutils/hw-probe | Collect hardware diagnostics |
| sysutils/lcdproc-sdeclcd | LCDProc for SDEC LCD devices |
| sysutils/mail-backup | Send configuration file backup by e-mail |
| sysutils/munin-node | Munin monitoring agent |
| sysutils/nextcloud-backup | Track config changes using NextCloud |
| sysutils/node_exporter | Prometheus exporter for machine metrics |
| sysutils/nut | Network UPS Tools |
| sysutils/puppet-agent | Manage Puppet Agent |
| sysutils/smart | SMART tools |
| sysutils/virtualbox | VirtualBox guest additions |
| sysutils/vmware | VMware tools |
| sysutils/xen | Xen guest utilities |
| vendor/sunnyvalley | Vendor repository for Sensei (Next Generation Firewall Extensions) |
| www/c-icap | c-icap connects the web proxy with a virus scanner |
| www/cache | Webserver cache |
| www/nginx | Nginx HTTP server and reverse proxy |
| www/web-proxy-sso | Kerberos authentication module |
| www/web-proxy-useracl | Group and user ACL for the web proxy |

Table 1. Currently available plugins on OPNsense

Management of the Plugins on OPNsense

On the OPNsense Plugins page, you can perform the following tasks, each of which is explained below:

  • Viewing available plugins
  • Search for a plugin
  • Viewing details of a plugin
  • Install/Remove a plugin

Viewing Available Plugins

To view the available plugins on your OPNsense firewall, you may follow the steps below:

  1. Click on the System dropdown menu on the OPNsense web UI.
  2. Click on Firmware.
  3. Click on Plugins.
  4. You may scroll down to view all plugins.

Figure 1. Viewing plugins by navigating to System > Firmware > Plugins on the OPNsense UI.

All available OPNsense plugins are displayed on the Plugins page with the following details:

  • Name: Name of the plugin, such as os-sunnyvalley. Installed plugins are captioned with (installed) at the end of the plugin name. They are also listed in bold font.
  • Version: Release number of the plugin, such as 1.2_1.
  • Size: Size of the package in Bytes, KBytes or MBytes, such as 652 B.
  • Repository: Repository of the plugin, such as OPNsense or SunnyValley. All community plugins are released from the OPNsense repository.
  • Comment: Description of the plugin, such as Vendor repository for Sensei (Next-Generation Firewall Extensions) in our example.

On the Plugins page, there are 3 types of action buttons for each plugin:

  1. Info: Black circle button with the i icon is used to view information details of the plugin.
  2. Install: Square button with the + icon is used to install a plugin.
  3. Remove: Square button with a trash box icon is used to uninstall a plugin.

Figure 2. Action buttons for plugins on OPNsense

You can view the details of a plugin for more information by clicking on the Info button at the end of the plugin row.

Figure 3. Viewing os-sunnyvalley plugin information details on OPNsense

How to Search for a Plugin

You can easily search for a plugin by typing in the search bar in the Name column on the Plugins page. You can follow the steps given below:

  1. Navigate to System > Firmware > Plugins on the OPNsense web UI.
  2. Type the plugin name in the search bar of the Name column, such as sunnyvalley. While you are typing, the plugins list will be updated automatically.

Figure 4. Searching for a plugin on OPNsense

How to Install a Plugin

It is very straightforward to install a plugin on the OPNsense firewall. You can easily and quickly install available plugins by following these instructions:

  1. Be sure that your OPNsense system is up-to-date. Please, refer to the How to Update OPNsense article written by Sunny Valley Networks for more information.
  2. Navigate to System > Firmware > Plugins on the OPNsense web UI.
  3. Search for the plugin you want to install, for example, os-rspamd.

Figure 5. Installing the plugin on OPNsense

  4. Click on the Install button. You will be redirected to the Updates page and the plugin will be installed.
  5. After the plugin is installed successfully, you should see the output similar to the figure below.

Figure 6. Plugin installation output on the Updates page of OPNsense

  6. Click on the Plugins tab to view the installed plugins. You should see the plugin that you already added as installed like in the figure below.

Figure 7. Viewing installed plugins on OPNsense

How to Remove a Plugin

You can easily uninstall a plugin from your OPNsense firewall by following the steps below:

  1. Navigate to System > Firmware > Plugins on the OPNsense web UI.
  2. Search for the plugin you want to uninstall, for example, os-dyndns.
  3. Click on the Remove button with a trash box icon next to the plugin. This will open a confirmation dialog box.

Figure 8. Confirming the plugin removal

  4. Click on OK to confirm the plugin uninstallation. This will redirect you to the Updates page and remove the package. After removing the plugin successfully, you should see an output similar to below.

Figure 9. os-dyndns plugin removed

Best OPNsense Plugins

In this section, we will outline the top OPNsense plugins which are the most widespread among the community. They are extremely beneficial and offer excellent network security solutions to protect your valuable assets from cyber threats. We choose plugins with distinct capabilities that do not overlap to protect you across multiple attack surfaces.

1. Zenarmor

Zenarmor is a stand-alone instant firewall that can be installed almost anywhere. It offers cutting-edge, next-generation firewall features for open-source firewalls that aren't currently available in products like OPNsense and pfSense® software. Zenarmor provides Application Control, Network Analytics, and TLS Inspection, among other features to enhance your OPNsense firewall.

Zenarmor, which is based on a cloud-based web categorization of 300+ million websites divided into 60+ categories, allows administrators to create custom online filtering profiles and rules.

SVN Cloud is a massive database that serves millions of searches per day and contains reputation and security information on over 300 million websites, with more being added regularly. Zenarmor can respond to malware threats and viral outbreaks in real-time thanks to SVN Cloud.

Since 2017, there have been thousands of Zenarmor deployments in homes, small businesses, and some enterprise-level networks around the world. Whether you are an IT manager of an enterprise network or a parent who needs cyber hygiene on the home network to keep kids safe, you can give Zenarmor a try for free by installing the os-sunnyvalley and os-sensei plugins, in that order.

Best Practice

Zenarmor NGFW Plug-in allows you to easily upgrade your firewall to a Next Generation Firewall in seconds. NG Firewalls empower you to combat modern-day cyber attacks that are becoming more sophisticated every day.

Some of the capabilities are layer-7 application/user aware blocking, granular filtering policies, commercial-grade web filtering utilizing cloud-delivered AI-based Threat Intelligence, parental controls, and the industry's best network analytics and reporting.

Zenarmor Free Edition is available at no cost for all OPNsense users.

2. WireGuard

WireGuard is a fast, simple, and modern VPN that employs cutting-edge cryptography. It intends to be faster, simpler, leaner, and more useful than other VPN protocols, such as IPsec or OpenVPN. WireGuard is planned to be a general-purpose VPN that can be used on embedded interfaces as well as supercomputers in a variety of situations.

It was originally designed for the Linux kernel, but it is now cross-platform and widely deployed. Although it is still in the early stages of development, it has the potential to be the most user-friendly, secure, and straightforward VPN solution in the cyber security world. If you need to provide remote connections for your users, you may find more information on the following articles written by Sunny Valley Networks:

3. NGINX

NGINX is a high-performance edge web server with the smallest memory footprint and the essential features for constructing efficient and modern web infrastructure.

An HTTP server, HTTP and mail reverse proxy, load balancing, caching, request throttling, SSL offloading, compression, connection multiplexing, and reuse, and HTTP media streaming are all features of NGINX. If you need a fast and secure web service or a WAF, you can easily install the os-nginx plugin on your OPNsense system.

4. Rspamd

For spam protection, OPNsense also includes the 'rspamd' plugin. Rspamd is a spam filter that is fast, modular, and lightweight. It is designed to handle large amounts of mail and can be easily extended with custom Lua filters.

It evaluates communications using a variety of rules including statistical analysis, regular expressions, and specialized services such as URL ban lists. Each message is examined and a spam score is assigned.

Based on the spam score and the user's settings, Rspamd suggests an action for the MTA to take with the message, such as passing, rejecting, or adding a header. It can process hundreds of messages per second and has a plethora of useful features.

5. FreeRADIUS

The most widely used RADIUS server in the world is FreeRADIUS. It includes a RADIUS server, a PAM library, a client library licensed under the BSD license, and an Apache module. The server is quick, loaded with features, modular, and scalable.

It serves as the foundation for a variety of commercial offerings. It meets the AAA requirements of many Fortune 500 companies and Tier 1 ISPs. It is also widely used for Enterprise Wi-Fi and IEEE 802.1X network security, particularly in academic settings such as eduroam.

By installing the os-freeradius plugin on your OPNsense firewall, you will have an Authentication, Authorization, and Accounting Server on your network.

Things To Consider When Using a Plugin

You should consider the following tips when choosing and using a plugin to keep your firewall secure and efficient.

  1. Do not install unnecessary plugins

Every service on your system comes with its own security risk. To narrow the attack surface, remove plugins entirely if you aren't using them. If you need one of them later, you can always reinstall the plugin easily.

  2. Keep your system up-to-date

Software updates not only provide new features but also patch security holes and fix bugs. Therefore, you should always keep your firewall up-to-date. If you don't update your firewall when new updates are released by OPNsense, you expose yourself to potential frustrations and security breaches.

  3. Avoid similar plugins

Plugins that overlap in services waste your system resources, such as disk, CPU, memory, and bandwidth while potentially posing additional security risks.

  4. Read the documentation

Before installing a plugin, you should understand what it can do and what effects it may have on your network. If you do not, you may end up in serious trouble by causing service interruptions in your company.
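A command-line check for tips 1 and 3, as an added example that is not part of the original article: it compares the installed plugins with an approved baseline and flags plugins that come from an unexpected repository. It assumes plugins are the packages named os-*, as on the Plugins page, listed from the firewall shell with `pkg query '%n %v %R'`; the baseline, the sample inventory and its version numbers are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit installed OPNsense plugins against an approved baseline.
# Input (stdin): one "name version repository" line per installed package,
# the layout printed by:  pkg query '%n %v %R'
# Assumption: plugins are the packages whose names start with "os-".

# Hypothetical baseline: the plugins this site has decided it needs.
APPROVED_PLUGINS="os-wireguard os-rspamd os-sunnyvalley os-sensei"
# Repositories this site trusts (names as shown in the Repository column).
APPROVED_REPOS="OPNsense SunnyValley"

# audit_plugins: prints one finding per line; returns 1 if anything is flagged.
audit_plugins() {
    awk -v plugins="$APPROVED_PLUGINS" -v repos="$APPROVED_REPOS" '
        BEGIN {
            bad = 0
            n = split(plugins, p, " "); for (i = 1; i <= n; i++) ok_plugin[p[i]] = 1
            n = split(repos, r, " ");   for (i = 1; i <= n; i++) ok_repo[r[i]] = 1
        }
        $1 !~ /^os-/ { next }                      # base packages are out of scope
        NF < 3 { print "MALFORMED " $0; bad = 1; next }
        !($1 in ok_plugin) { print "UNAPPROVED " $1 " " $2; bad = 1 }
        !($3 in ok_repo)   { print "UNKNOWN-REPO " $1 " " $3; bad = 1 }
        END { exit bad }
    '
}

# Constructed sample inventory (not taken from a real firewall).
sample_inventory() {
    cat <<'EOF'
opnsense 21.7.1 OPNsense
os-wireguard 1.8 OPNsense
os-dyndns 1.24 OPNsense
os-sunnyvalley 1.2_1 SunnyValley
os-helloworld 1.3 local-build
EOF
}

# Demo run on the sample; on a firewall, replace sample_inventory with the
# pkg query command shown at the top of this script.
sample_inventory | audit_plugins || echo "Review the findings above."
```

Each UNAPPROVED line is a candidate for removal through System > Firmware > Plugins; an UNKNOWN-REPO line means the plugin did not come from a repository on the trusted list.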