How to Update OPNsense?

OPNsense update is critical for cyber security. The sooner you update, the sooner you'll be able to rest assured that your network is more secure. Keeping your systems up-to-date by regular updates has the following benefits:

  • Updates may provide new or improved features, as well as improved compatibility with various devices or applications. They may also improve the stability of the system and remove outdated features.
  • They frequently include critical security patches, so you can keep hackers out and protect your network infrastructure against cyber attacks.
  • They generally fix or remove software bugs.

The update schedule for OPNsense consists of two major releases per year, which are updated every two weeks. In addition to scheduled major updates, OPNsense is updated weekly to act quickly on known security threats. The version number of major releases consists of the year and month of release (e.g., 21.7 for the July 2021 release), with fortnightly updates adding a third number (e.g. 21.7.2 for the second update to 21.7).

Version    Release Date
21.7.2     September 8th 2021
21.7.1     August 4th 2021
21.7       July 28th 2021
21.1.9     July 27, 2021
21.1.8     July 7, 2021
21.1.7     June 17, 2021
21.1.6     May 27, 2021
21.1.5     April 21, 2021
21.1.4     March 30, 2021
21.1.3     March 10, 2021
21.1.2     February 23, 2021
21.1.1     February 09, 2021
21.1       January 28, 2021
21.1.r1    January 13, 2021

Table 1. OPNsense 21.x Community Edition release dates

You may follow the announcements on the OPNsense forum (https://forum.opnsense.org/index.php?board=11.0) for all OPNsense releases. Also, major releases are announced on the OPNsense blog (https://opnsense.org/blog/). Full patch notes, fix notes, known issues, and limitations are shared in these announcements. Some updates may require a system reboot. Also, there may be issues or limitations that cause service interruptions on your system. Therefore, it is strongly recommended to read the release notes before upgrading the OPNsense system.

When there is an OPNsense release update available, you may see the update reminder on the OPNsense web UI dashboard.

A manual OPNsense update is a straightforward process that can be accomplished via either the OPNsense web UI or the console/CLI. In this OPNsense update guide, we will cover both methods briefly.

warning

OPNsense automatic updates, especially for major releases, are not recommended.

How to Update OPNsense Settings?

You may change the OPNsense update settings according to your requirements by doing the following or leave them as default:

  • Navigate to System -> Firmware -> Settings.
  • Set the options listed below as you need and then click Save to apply the changes.

1. Firmware Mirror

You can specify the mirror site from which OPNsense attempts to obtain updates. If you're having trouble updating or searching for updates, or if your current mirror is running slowly, you can switch to another one here.

Figure 1. Selecting OPNsense Mirror

2. Firmware Flavour

OPNsense comes in a variety of firmware cryptography flavours. Currently, these flavours determine whether to use OpenSSL or LibreSSL. The default setting is OpenSSL.

Figure 2. Selecting OPNsense Flavour.

3. Release Type

There are three options available for the OPNsense release type.

  • Business: OPNsense Business Edition is intended for businesses, enterprises, and professionals seeking a more selective upgrade path, additional commercial features, and a more commercial way to support the project than donating.
  • Community: This release is tested on a fortnightly basis and is suitable for production environments.
  • Development: This release is the most recent release but untested.

warning

Please keep this setting set to Community unless you fully understand the implications of changing it.

Figure 3. Selecting OPNsense Release Type

4. Subscription

If you have a Business license, you should provide your subscription key in this field.

Figure 4. Firmware Status

How to Upgrade OPNsense?

You may update the OPNsense firewall via either the OPNsense web GUI or the OPNsense console/command line (CLI). However, major release upgrades should be performed via the console, which is also known as an offline upgrade. You may find more information about the offline upgrade of OPNsense below.
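The version numbering scheme and the console rule for major upgrades can be combined into a pre-flight check that tells you which path an upgrade needs. The script below is an added example, not part of the original guide or of OPNsense itself; the function names vkey and classify and the numeric sort key are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original page). Assumes version strings shaped
# like Table 1: YY.M (major), YY.M.N (update N) or YY.M.rN (release candidate).

# vkey VERSION -> prints "SERIES SORTKEY", e.g. "21.7 4215002"; fails if malformed.
vkey() {
    printf '%s\n' "$1" | awk -F. '
        NF < 2 || NF > 3 || $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ { exit 1 }
        NF == 3 && $3 !~ /^r?[0-9]+$/ { exit 1 }
        {
            stage = 1; n = 0                      # stage 0 = release candidate
            if (NF == 3) { n = $3; if (sub(/^r/, "", n)) stage = 0 }
            printf "%d.%d %d\n", $1, $2, (($1 * 100 + $2) * 2 + stage) * 1000 + n
        }'
}

# classify INSTALLED TARGET -> current | older | update | major | invalid
#   update: same YY.M series, can be applied from the web GUI or the console
#   major : different YY.M series, plan it as an offline upgrade on the console
classify() {
    from=$(vkey "$1") || { echo invalid; return 2; }
    to=$(vkey "$2")   || { echo invalid; return 2; }
    if   [ "${to#* }" -eq "${from#* }" ]; then echo current
    elif [ "${to#* }" -lt "${from#* }" ]; then echo older
    elif [ "${to% *}" = "${from% *}" ];   then echo update
    else                                       echo major
    fi
}

# Constructed pairs using versions from Table 1.
for pair in "21.1.9 21.7" "21.7 21.7.2" "21.1.r1 21.1" "21.7.1 21.7.1"; do
    set -- $pair
    printf '%s -> %s: %s\n' "$1" "$2" "$(classify "$1" "$2")"
done
```

A result of major means the change crosses a YY.M series, so schedule it with VGA or serial console access available.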

Updating OPNsense on Web GUI

To update the OPNsense node on the web GUI, follow the steps given below.

  1. Log in to the OPNsense web GUI as root.

Figure 5. OPNsense web login

  2. Navigate to System -> Firmware -> Updates -> Status.
  3. Click the Check for updates button under the Status tab.

Figure 6. Checking for OPNsense updates on Web GUI

info

You may also click on the Click to check for updates. link in the System Information pane on the Dashboard and then click on the Update button.

Figure 7. Checking for updates on OPNsense Dashboard

  4. When there is an update available, the Update button is displayed at the bottom of the update packages list.

Figure 8. OPNsense available update packages list

Also, when there is a new release available, release notes will be displayed. After reading the notes, you may click the Close button to close the notification window.

Figure 9. OPNsense 21.1.9 Release notes

  5. Click the Update button. This will fetch and update the packages on the OPNsense system.

Figure 10. Fetching and updating the OPNsense packages

  6. When the OPNsense update is completed successfully, a DONE message is displayed under the Updates pane.

Figure 11. Updating the OPNsense is completed

  7. You may view the installed OPNsense version in the System Information pane on Dashboard.

Figure 12. Viewing the OPNsense version on Dashboard

  8. After updating your OPNsense firewall, you may run the audit by clicking on the Run Audit dropdown menu on the Status pane of the Systems: Firmware page.

Figure 13. Running Audit on OPNsense

The following options are available for OPNsense audit:

  1. Connectivity: Checks the mirror connection and updates the repositories

Figure 14. Connectivity Audit

  2. Health: The health audit checks for missing dependencies, missing kernel files, and core package consistency.

Figure 15. Health Audit

  3. Security: Vulnerabilities on the OPNsense system are listed in the audit security report.

Figure 16. Audit security report

Updating OPNsense on Console/CLI

  1. Connect to OPNsense via VGA display or serial port.
  2. Log in as root. Then, the console menu will be displayed.
  3. Select 12) Update from console. Beware that a reboot may be necessary. You are asked whether to proceed. Type y and press Enter. This will automatically fetch all available updates and apply them.

Figure 17. Update OPNsense from console

  4. If necessary, OPNsense may reboot. Then, it will be on the desired release.

What is the Offline Upgrade of OPNsense?

Major updates of OPNsense are installed offline. That means no web interface or SSH is available to monitor the upgrade. If something goes wrong, you'll need a second connection or direct access to revert or repair the VM. Major upgrades of OPNsense should be performed using a VGA display or serial port so that you can see what is going on.

If there is a major upgrade available for the OPNsense firewall, upgrade instructions similar to Figure 18 below are displayed when you check for updates on the OPNsense web GUI.

Figure 18. OPNsense 21.7 major upgrade instructions

How to connect to OPNsense from the serial console?

OPNsense can be controlled via serial in addition to the web user interface, monitor and SSH. Accessing OPNsense via serial is similar to SSH. You can access your OPNsense node at any time via serial, even when it is not accessible via the network. This makes it particularly useful for installing OPNsense, performing major system upgrades and performing emergency troubleshooting when there is a network outage.

Prerequisites

Requirements for the OPNsense serial access are as follows:

  • A serial interface must be provided as part of the OPNsense installation (hardware or virtual).
  • Software that can be used to connect to the serial interface (such as PuTTY, minicom, screen, etc.).

For a bare metal installation, you will also require the following:

  • A null modem cable.
  • If your computer does not have an RS232 port, you will require a USB to RS232 converter.

Connecting to the serial console

If you previously installed OPNsense using a non-serial installer, serial access must be enabled. To enable serial access on OPNsense:

  1. Log in as root via the web interface.
  2. Navigate to System -> Settings -> Administration.
  3. Scroll down to Console and select Serial console as the primary or secondary console.
  4. Click the Save button at the bottom of the page.

Figure 19. Console settings on OPNsense

warning

Please keep in mind that this is only required if you have already installed OPNsense and did not use the serial installer. Serial access is already available in all other cases (accessing BIOS, running the serial installer, connecting to a serial installation).

On Unix-like systems, use minicom to connect to the serial console at 115200 baud. The device name can differ depending on the system and serial device. Here are some example names:

  • /dev/cuau0 (serial port, FreeBSD or HardenedBSD)
  • /dev/cuaU0 (usb-to-serial, FreeBSD or HardenedBSD)
  • /dev/ttyS0 (serial port, Linux)
  • /dev/ttyUSB0 (usb-to-serial, Linux)
  • COM1, COM2, etc. (Windows)
  • /dev/tty.usbmodem1112421 (usb-to-serial, macOS)

minicom -b 115200 -D /dev/ttyS0

info

If you have a number of devices of the same type, as shown here:

ls /dev/ttyUSB*
/dev/ttyUSB0 /dev/ttyUSB1

You may disconnect one of the serial devices to see which one is still active, or you may investigate the dmesg log to find out the vendor of the device node. To determine which device it is, look for a message that contains the phrase now attached to ttyUSB1. Following that, you may compare the previous output to the output of a tool such as lsusb.
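The dmesg lookup described above can be scripted so that each ttyUSB node is listed with the converter that currently owns it. This is an added example, not part of the original guide; it assumes the Linux usbserial message format shown in the comments, and the function names serial_map and serial_desc and the sample log are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page). Assumes the Linux usbserial
# kernel messages "... converter now attached to ttyUSBn" and
# "... converter now disconnected from ttyUSBn".

# Constructed sample log, not captured from a real system.
SAMPLE_DMESG='[  812.101] usb 1-1.2: FTDI USB Serial Device converter now attached to ttyUSB0
[  815.440] usb 1-1.3: pl2303 converter now attached to ttyUSB1
[  901.002] ftdi_sio ttyUSB0: FTDI USB Serial Device converter now disconnected from ttyUSB0
[  930.777] usb 1-1.4: cp210x converter now attached to ttyUSB0'

# serial_map: kernel log on stdin -> "node<TAB>usb-port<TAB>converter" for each
# ttyUSB node that is still attached. A node number can be reused after an
# unplug, so the latest attach message wins and a disconnect clears the entry.
serial_map() {
    awk '
        / now attached to ttyUSB[0-9]+$/ {
            line = $0
            sub(/^\[[ 0-9.]*\] */, "", line)               # drop the timestamp
            sub(/ converter now attached to .*$/, "", line)
            port = line; sub(/:.*$/, "", port); sub(/^usb /, "", port)
            desc = line; sub(/^[^:]*: */, "", desc)
            live[$NF] = port "\t" desc
        }
        / now disconnected from ttyUSB[0-9]+$/ { delete live[$NF] }
        END { for (n in live) print n "\t" live[n] }
    ' | sort
}

# serial_desc NODE: converter description for one node, empty if not attached.
serial_desc() {
    serial_map | awk -F '\t' -v n="$1" '$1 == n { print $3 }'
}

# On a live Linux host, run as root: dmesg | serial_map
printf '%s\n' "$SAMPLE_DMESG" | serial_map
```

In the sample, ttyUSB0 was unplugged and later reassigned to a different converter, which is why reading only the first attach message for a node can point you at the wrong device.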

note

Since accessing the serial device is restricted, you should run the command as root on Linux / BSD.

If authentication is enabled and OPNsense is running, you will now be prompted for your username and password. Otherwise, the menu appears (at least after pressing enter). The credentials are identical to those required for SSH.

note

The screen does not always update automatically. If you connect but receive no output, try pressing Enter first before looking into other (more complex) possible causes.

Another issue is that when connecting via screen, you may be unable to scroll but you can still pipe the output using more or less.

Major Upgrade of OPNsense from Console/CLI

To deploy a major upgrade on an OPNsense firewall, follow the instructions given below:

  1. Connect to OPNsense via VGA display or serial port.
  2. Log in as root. Then, the console menu will be displayed.
  3. Select 12) Update from console. You are asked whether you want to upgrade to the most recent version or the next major release.

Figure 20. Update OPNsense from console

  4. Type in the major release number (for example 21.7) and press Enter. All release files will be downloaded for an offline upgrade (kernel, packages etc.). Then, OPNsense will reboot.

Figure 21. Installing major updates for OPNsense 21.7 on console

  5. After a reboot, it will install all updates. Once the installation is completed, it will reboot again, at which point it should be on the preferred release.