Highlights
- One of the great aspects of the solution’s open-source nature is that the community-driven project allows developers to create plugins and add them to the catalog of software plugins available for OPNsense.
- However, one of the great aspects of the solution is that you can extend it with plugins that add features and functionality to the platform to extend the capabilities.
- If you are familiar with pfSense and the packages you can install in the solution, OPNsense calls these plugins and they serve basically the same purpose for its open source security platform.
If you are looking for a great free and open-source firewall for your home lab environment, OPNsense is a great choice. It is a feature-rich open-source firewall solution that can do just about anything you want it to do. However, one of the great aspects of the solution is that you can extend it with plugins that add features and functionality to the platform to extend the capabilities. It helps to make the solution very modular. Let’s look at the best OPNsense plugins that will turn a good firewall into a great firewall.
Table of contents
- What Are OPNsense Plugins?
- What is the difference between OPNsense plugins and packages?
- Plugins
- Packages
- Summary
- Why Do You Need to Install OPNsense Plugins?
- Best OPNsense plugins to know about
- Security plugins
- Open ruleset complementary subset
- Reverse Proxy
- Web Proxy
- Network plugins
- Dynamic DNS
- RADIUS
- User enhancement plugins
- Community, support, and automation
- Track config changes with git
- Monitoring and metrics
- Munin Monitoring Agent
- Telegraf monitoring
- Troubleshooting
- Wrapping up
What Are OPNsense Plugins?
First of all, what are OPNsense plugins? If you are familiar with pfSense and the packages you can install in the solution, OPNsense calls these plugins and they serve basically the same purpose for its open source security platform. They extend what OPNsense can do.
One of the great characteristics of OPNsense plugins is they are not just for one specific type of capability. These cover a wide range of areas and needs. You can extend security features, add tools for network management, and also make monitoring better than what the system can do out-of-the-box.
One of the great aspects of the solution’s open-source nature is that the community-driven project allows developers to create plugins and add them to the catalog of software plugins available for OPNsense.
Plugins can be found in the plugin repository. You can find this under the OPNsense web GUI. The plugins available contain both free plugins and ones that need a valid subscription to use.
Navigate to System > Firmware > Plugins. You will see setup options accessible from the plugins page.
There are plugins that cover a wide range of use cases, including:
- web proxy proxy daemon for managing web traffic
- dynamic DNS for consistent IP address management
- reverse proxy for distributing incoming traffic efficiently
Each plugin integrates with the OPNsense firewall and adds features and improvements to the solution.
What is the difference between OPNsense plugins and packages?
Let’s look at the following differences between OPNsense plugins and packages.
Plugins
- Integration with GUI: Plugins in OPNsense are integrated with the (GUI). This means that they are designed to work with OPNsense
- Management through the GUI: Plugins can be managed (installed, configured, and removed) from the OPNsense GUI.
- Official Support: Plugins are developed OPNsense team or trusted third-party developers for the most part. It means they will get thorough testing and quality control to make sure they are compatible and reliable.
- Security and Updates: Since plugins are controlled, they will usually get more regular updates and security patches from the official OPNsense repositories. This helps to know they are secure and updated often.
Packages
- Broader: Packages have a broader range of software that can be installed on the underlying FreeBSD operating system. This is the OS that OPNsense is built on top of.
- CLI Management: Packages are normally managed through the command line interface (CLI). Like other packages you would install in FreeBSD, you can use package management tools like pkg or ports.
- Flexibility: Packages offer more flexibility in what can be installed. Users can install almost any software available for FreeBSD. This is a double-edge sword though as you can install packages even if it is not officially supported or integrated into OPNsense, which could lead to instability or unexpected behaviors.
- Potential Risks: Following closely with what we mentioned above, there can be compatibility issues or a lack of integration with the OPNsense interface.
Summary
- Plugins: Designed specifically for OPNsense, managed through the web GUI, offer better integration and support, and are regularly updated and tested.
- Packages: Offer a wider range of software options, managed through the CLI, provide more flexibility, but may require more technical knowledge and carry higher risks of compatibility issues.
Why Do You Need to Install OPNsense Plugins?
Installing OPNsense plugins can help to add additional functionality to what your OPNsense firewall can do by default out-of-the-box with setup options. It adds capabilities to your OPNsense firewall. These plugins add functionality that goes beyond the basic firewall features.
Some may not need to add plugins to their firewall. However, others may need features or capabilities that require adding a plugin to the solution.
Best OPNsense plugins to know about
Let’s look at the best OPNsense plugins across various categories, including:
- Security
- Network
- Monitoring
- User enhancements
- Community and support
Security plugins
One area where plugins are valuable is in the area of security. You can add next generation firewall extensions such as the Proofpoint ET Open Ruleset or Sunny Valley Networks extension to have advanced threat detection and mitigation. These help protect your network from malicious threats more effectively and help identify and block unwanted traffic.
Open ruleset complementary subset
There is an open ruleset complementary subset that you can pull down that works with the ET Pro Telemetry edition.
Reverse Proxy
One of the core functions you may want to add to OPNsense is reverse proxy functionality. This feature helps provide efficient traffic distribution and improves security. You can protect servers and their details from clients.
Web Proxy
The web proxy plugins are essential for monitoring and controlling web access. You can do things like caching content. Caching helps speed up web requests. You can also configure proxies for filtering and access control.
Network plugins
There are plugins that allow for better network management. There are plugins, such as the accounting server, that allow for the collection of metrics. Metrics provide insights for network use and performance metrics.
These tools help track and report network traffic, which helps in resource allocation and troubleshooting.
The QEMU guest agent is useful for those managing virtualized environments. It offers better integration and performance for virtual machines.
Dynamic DNS
Dynamic DNS is a must-have for users needing consistent access to their network. This plugin automatically updates DNS records when your IP address changes, ensuring seamless connectivity.
RADIUS
There are a couple of RADIUS UDP plugins you can pull from the plugins repository:
- os-freeradius
- os-radsecproxy
User enhancement plugins
Some plugins help with the user interface. There are various themes you can use with the web GUI that improve the overall user experience. These plugins make configuring the firewall settings easier. You can add themes like the cicada theme rebellion, tukan, and vicuna theme.
Community, support, and automation
Many plugins come from both community-driven projects and vendor repositories. The plugin repository also has plugins for specific needs and tasks. For example, it includes the puppet agent for automated configuration management
There is also an onion router for TOR network privacy.
Track config changes with git
Another cool OPNsense plugin that is found in the plugins repository is the os-git-backup plugin. it allows you to track changes using git. How cool is that?
Monitoring and metrics
Monitoring and metrics-type plugins allow you to extend the capabilities to monitor and pull telemetry data from your OPNsense firewall and other backend services.
Munin Monitoring Agent
Monitoring is an important part of any security solution, and you can just use agents to pull data. The Munin monitoring agent is a plugin that helps with getting details of network traffic, system performance, and resource usage. This will help with troubleshooting issues.
Telegraf monitoring
Telegraf is an agent for collecting and reporting metrics and data in a time-series DB like influxDB and you can also use it to visualize data using Grafana.
Troubleshooting
If you attempt to install OPNsense plugins and you receive errors, note what the errors are. A common reason that you might not be able to install plugins is your OPNsense installation may be out of date:
Note any other errors you might receive so you can troubleshoot them accordingly.
Wrapping up
OPNsense is a great open-source firewall solution that many know and trust in the home lab and even in the enterprise. It has a lot of great features out-of-the-box, but you can also extend what it can do in a modular way. Using plugins allows adding features to OPNsense that it does not come with by default. These cover a wide range of features and capabilities as we have discussed, from network, user-related features, monitoring, management, security, and many others. Let me know in the comments if you have a favorite OPNsense plugin or set of plugins you use.
