How to Update OPNsense?
Updating OPNsense is critical for cyber security. The sooner you update, the sooner you can be confident that your network is more secure. Keeping your systems up to date through regular updates has the following benefits:
- Updates may provide new or improved features, as well as improved compatibility with various devices or applications. They may also improve the stability of the system and remove outdated features.
- They frequently include critical security patches, so you can keep hackers out and protect your network infrastructure against cyber attacks.
- They generally fix or remove software bugs.
The update schedule for OPNsense consists of two major releases per year, which are updated every two weeks. In addition to scheduled major updates, OPNsense is updated weekly to act quickly on known security threats. The version number of a major release consists of the year and month of release (e.g., `21.7` for the July 2021 release), with fortnightly updates adding a third number (e.g., `21.7.2` for the second update to 21.7).
Version | Release Date |
---|---|
21.7.2 | September 8, 2021 |
21.7.1 | August 4, 2021 |
21.7 | July 28, 2021 |
21.1.9 | July 27, 2021 |
21.1.8 | July 7, 2021 |
21.1.7 | June 17, 2021 |
21.1.6 | May 27, 2021 |
21.1.5 | April 21, 2021 |
21.1.4 | March 30, 2021 |
21.1.3 | March 10, 2021 |
21.1.2 | February 23, 2021 |
21.1.1 | February 09, 2021 |
21.1 | January 28, 2021 |
21.1.r1 | January 13, 2021 |
Table 1. OPNsense 21.x Community Edition release dates
You may follow the announcements on the OPNsense forum (https://forum.opnsense.org/index.php?board=11.0) for all OPNsense releases. Major releases are also announced on the OPNsense blog (https://opnsense.org/blog/). Full patch notes, fix notes, known issues, and limitations are shared in these announcements. Some updates may require a system reboot, and there may be issues or limitations that cause service interruptions on your system. Therefore, it is strongly recommended to read the release notes before upgrading the OPNsense system.
When there is an OPNsense release update available, you may see the update reminder on the OPNsense web UI dashboard.
Updating OPNsense manually is a straightforward process that can be done via either the OPNsense web UI or the console/CLI. In this OPNsense update guide, we will cover both methods briefly.
warning
OPNsense automatic updates, especially for major releases, are not recommended.
How to Update OPNsense Settings?
You may change the OPNsense update settings according to your requirements by doing the following, or leave them at their defaults:
- Navigate to `System` -> `Firmware` -> `Settings`.
- Set the options listed below as you need and then click `Save` to apply the changes.
1. Firmware Mirror
You can specify the mirror site from which OPNsense attempts to obtain updates. If you're having trouble updating or searching for updates, or if your current mirror is running slowly, you can switch to another one here.
Figure 1. Selecting OPNsense Mirror
2. Firmware Flavour
OPNsense comes in a variety of firmware cryptography flavours. Currently, these flavours determine whether to use OpenSSL or LibreSSL. The default setting is OpenSSL.
Figure 2. Selecting OPNsense Flavour.
3. Release Type
There are three options available for the OPNsense release type.
- Business: OPNsense Business Edition is intended for businesses, enterprises, and professionals seeking a more selective upgrade path, additional commercial features, and a more commercial way to support the project than donating.
- Community: This release is tested on a fortnightly basis and is suitable for production environments.
- Development: This is the most recent release, but it is untested.
warning
Please keep this setting set to `Community` unless you fully understand the implications of changing it.
Figure 3. Selecting OPNsense Release Type
4. Subscription
If you have a Business license, you should provide your subscription key in this field.
Figure 4. Firmware Status
How to Upgrade OPNsense?
You may update the OPNsense firewall via either the OPNsense web GUI or the OPNsense console/command line (CLI). However, major release upgrades should be performed via the console, which is also known as an offline upgrade. You may find more information about the offline upgrade of OPNsense below.
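A pre-flight check that applies the release numbering described earlier to the rule above, as an added example that is not part of the original guide or of OPNsense itself: it classifies a pending update as a minor update or a major upgrade, so that a major upgrade is only started with console access in place. It goes slightly beyond the text by also ordering release candidates such as `21.1.r1`; the function names and output labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: decide whether a pending OPNsense update is a minor update or
# a major upgrade. Function names and output labels are this example's own.

# Accepts 21.7, 21.7.2 and release candidates such as 21.1.r1.
valid_version() {
    printf '%s\n' "$1" | grep -Eq '^[1-9][0-9]\.([1-9]|1[0-2])(\.r?[1-9][0-9]*)?$'
}

# Series = year.month, e.g. 21.7.2 -> 21.7
series_of() { printf '%s\n' "$1" | cut -d. -f1,2; }

# Sortable integer; a release candidate (rN) sorts before its final release.
version_key() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    third=${3:-0}
    case $third in
        r*) patch=${third#r} ;;
        *)  patch=$((1000 + third)) ;;
    esac
    echo $(( $1 * 1000000 + $2 * 10000 + patch ))
}

# Prints one of: invalid, same, downgrade, minor, major
update_kind() {
    if ! valid_version "$1" || ! valid_version "$2"; then
        echo invalid; return 1
    fi
    from=$(version_key "$1"); to=$(version_key "$2")
    if [ "$from" -eq "$to" ]; then echo same
    elif [ "$from" -gt "$to" ]; then echo downgrade
    elif [ "$(series_of "$1")" = "$(series_of "$2")" ]; then echo minor
    else echo major   # new series: plan console access for the offline upgrade
    fi
}

# Constructed pairs using version numbers from Table 1.
for pair in "21.1.8 21.1.9" "21.1.9 21.7" "21.1.r1 21.1" "21.7.2 21.7.2" "21.7 21.1.9"; do
    set -- $pair
    printf '%-8s -> %-8s %s\n' "$1" "$2" "$(update_kind "$1" "$2")"
done
```
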
Updating OPNsense on Web GUI
To update the OPNsense node on the web GUI, follow the steps given below.
- Log in to the OPNsense web GUI as `root`.
Figure 5. OPNsense web login
- Navigate to `System` -> `Firmware` -> `Updates` -> `Status`.
- Click the `Check for updates` button under the `Status` tab.
Figure 6. Checking for OPNsense updates on Web GUI
info
You may also click on the `Click to check for updates.` link in the `System Information` pane on the `Dashboard` and then click on the `Update` button.
Figure 7. Checking for updates on OPNsense Dashboard
- When there is an update available, the `Update` button is displayed at the bottom of the update packages list.
Figure 8. OPNsense available update packages list
Also, when there is a new release available, release notes will be displayed. After reading the notes, you may click the `Close` button to close the notification window.
Figure 9. OPNsense 21.1.9 Release notes
- Click the `Update` button to start the update. This will fetch and update the packages on the OPNsense system.
Figure 10. Fetching and updating the OPNsense packages
- When the OPNsense update is completed successfully, a `DONE` message is displayed under the `Updates` pane.
Figure 11. Updating the OPNsense is completed
- You may view the installed OPNsense version in the `System Information` pane on the `Dashboard`.
Figure 12. Viewing the OPNsense version on Dashboard
- After updating your OPNsense firewall, you may run the audit by clicking on the `Run Audit` dropdown menu on the `Status` pane of the `System: Firmware` page.
Figure 13. Running Audit on OPNsense
The following options are available for OPNsense audit:
- Connectivity: Checks the mirror connection and updates the repositories
Figure 14. Connectivity Audit
- Health: The health audit checks for missing dependencies, missing kernel files, and core package consistency.
Figure 15. Health Audit
- Security: Vulnerabilities on the OPNsense system are listed in the audit security report.
Figure 16. Audit security report
Updating OPNsense on Console/CLI
- Connect to the OPNsense node via VGA display or serial port.
- Log in as `root`. The console menu will then be displayed.
- Select `12) Update from console`. Be aware that a reboot may be necessary. You are asked whether to proceed. Type `y` and press Enter. This will automatically fetch all available updates and apply them.
Figure 17. Update OPNsense from console
- If necessary, OPNsense may reboot. Then, it will be on the desired release.
What is the Offline Upgrade of OPNsense?
Major updates of OPNsense are installed offline. That means no web interface or SSH is available to monitor the upgrade. If something goes wrong, you'll need a second connection or direct access to revert or repair the VM. Major upgrades of OPNsense should be performed using a VGA display or serial port so that you can see what is going on.
If there is a major upgrade available for the OPNsense firewall, upgrade instructions similar to Figure 18 below are displayed when you check for updates on the OPNsense web GUI.
Figure 18. OPNsense 21.7 major upgrade instructions
How to connect to OPNsense from the serial console?
OPNsense can be controlled via serial in addition to the web user interface, monitor and SSH. Accessing OPNsense via serial is similar to SSH. You can access your OPNsense node at any time via serial, even when it is not accessible via the network. This makes it particularly useful for installing OPNsense, performing major system upgrades and performing emergency troubleshooting when there is a network outage.
Prerequisites
Requirements for the OPNsense serial access are as follows:
- A serial interface must be provided as part of the OPNsense installation (hardware or virtual).
- Software that can be used to connect to the serial interface, such as PuTTY, minicom, screen, etc.
For a bare metal installation, you will also require the following:
- A null modem cable
- If your computer does not have an RS232 port, you will require a USB to RS232 converter.
Connecting to the serial console
If you previously installed OPNsense using a non-serial installer, serial access must be enabled. To enable serial access on OPNsense:
- Log in as `root` via the web interface.
- Navigate to `System` -> `Settings` -> `Administration`.
- Scroll down to `Console` and select `Serial console` as the primary or secondary console.
- Click the `Save` button at the bottom of the page.
Figure 19. Console settings on OPNsense
warning
Please keep in mind that this is only required if you have already installed OPNsense and did not use the serial installer. Serial access is already available in all other cases (accessing BIOS, running the serial installer, connecting to a serial installation).
On Unix-like systems, use `minicom` to connect to the serial console at 115200 baud. The device name can differ depending on the system and serial device. Here are some examples of names:
- /dev/cuau0 (serial port, FreeBSD or HardenedBSD)
- /dev/cuaU0 (usb-to-serial, FreeBSD or HardenedBSD)
- /dev/ttyS0 (serial port, Linux)
- /dev/ttyUSB0 (usb-to-serial, Linux)
- COM1, COM2, etc. (Windows)
- /dev/tty.usbmodem1112421 (usb-to-serial, macOS)
```bash
minicom -b 115200 -D /dev/ttyS0
```
info
If you have a number of devices of the same type, as shown here:
```
ls /dev/ttyUSB*
/dev/ttyUSB0 /dev/ttyUSB1
```
You may disconnect one of the serial devices to see which one is still active, or you may investigate the `dmesg` log to find out the vendor of the device node. To determine which device it is, look for a message that contains the phrase `now attached to ttyUSB1`. Following that, you may compare the previous output to the output of a tool such as `lsusb`.
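The `dmesg` lookup described above, as an added example that is not part of the original guide: it reads kernel log text and reports which adapter currently owns each `ttyUSB` node, including the case where a node name is reused after an adapter is unplugged. The log lines in `SAMPLE_DMESG` are constructed for illustration and `tty_usb_map` is a name chosen for this example.

```shell
#!/bin/sh
# Added example: map each ttyUSB node to the adapter the kernel last bound to it.
# SAMPLE_DMESG is constructed for illustration; on a live Linux host pipe in `dmesg`.

SAMPLE_DMESG='[  812.104511] usb 1-1.2: FTDI USB Serial Device converter now attached to ttyUSB0
[  815.332870] usb 1-1.3: pl2303 converter now attached to ttyUSB1
[ 1290.447102] ftdi_sio ttyUSB0: FTDI USB Serial Device converter now disconnected from ttyUSB0
[ 1302.918455] usb 1-1.4: cp210x converter now attached to ttyUSB0'

# Reads kernel log text on stdin; prints "node<TAB>usb port<TAB>driver description"
# for every node that is still attached at the end of the log.
tty_usb_map() {
    awk '
    / now attached to ttyUSB[0-9]+$/ {
        node = $NF
        line = $0
        sub(/^\[[^]]*\] */, "", line)                    # drop "[timestamp] "
        sub(/ now attached to ttyUSB[0-9]+$/, "", line)  # drop the matched phrase
        port = line; sub(/:.*/, "", port)                # e.g. "usb 1-1.2"
        desc = line; sub(/^[^:]*: */, "", desc)          # e.g. "pl2303 converter"
        attached[node] = port "\t" desc
    }
    # An unplugged adapter frees its node; the next adapter plugged in may reuse it.
    / now disconnected from ttyUSB[0-9]+$/ { delete attached[$NF] }
    END { for (n in attached) print n "\t" attached[n] }
    ' | sort
}

printf '%s\n' "$SAMPLE_DMESG" | tty_usb_map
```

In the sample, `ttyUSB0` ends up belonging to the cp210x adapter on port 1-1.4 rather than the FTDI adapter that first claimed it, which is why the most recent attach message is the one to compare against `lsusb`.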
note
Since accessing the serial device is restricted, you should run the command as root on Linux / BSD.
If authentication is enabled and OPNsense is running, you will now be prompted for your username and password. Otherwise, the menu appears (at least after pressing enter). The credentials are identical to those required for SSH.
note
The screen does not always update automatically. If you connect but receive no output, try pressing `Enter` first before looking into the other (more complex) possible causes.
Another issue is that when connecting via `screen`, you may be unable to scroll, but you can still pipe the output using `more` or `less`.
Major Upgrade of OPNsense from Console/CLI
To deploy a major upgrade on an OPNsense firewall, follow the instructions given below:
- Connect to the OPNsense node via VGA display or serial port.
- Log in as `root`. The console menu will then be displayed.
- Select `12) Update from console`. You are asked whether you want to upgrade to the most recent version or the next major release.
Figure 20. Update OPNsense from console
- Type in the major release number (for example, `21.7`) and press Enter. All release files (kernel, packages, etc.) will be downloaded for an offline upgrade. Then, OPNsense will reboot.
Figure 21. Installing major updates for OPNsense 21.7 on console
- After a reboot, it will install all updates. Once the installation is completed, it will reboot again, at which point it should be on the preferred release.