Best OPNsense Plugins to Enhance Your Firewall

Learn about the top OPNsense plugins for extending the free and open-source firewall solution with better networking, management, and security.

If you are looking for a free and open-source firewall for your home lab environment, OPNsense is a great choice. It is a feature-rich open-source firewall solution that can do just about anything you want it to do. One of the great aspects of the solution is that you can extend it with plugins that add features and functionality to the platform, which makes it very modular. Let’s look at the best OPNsense plugins that will turn a good firewall into a great firewall.

What Are OPNsense Plugins?

First of all, what are OPNsense plugins? If you are familiar with pfSense and the packages you can install in that solution, OPNsense calls its equivalent plugins, and they serve basically the same purpose for its open-source security platform. They extend what OPNsense can do.

One of the great characteristics of OPNsense plugins is they are not just for one specific type of capability. These cover a wide range of areas and needs. You can extend security features, add tools for network management, and also make monitoring better than what the system can do out-of-the-box.

One of the great aspects of the solution’s open-source nature is that the community-driven project allows developers to create plugins and add them to the catalog of software plugins available for OPNsense.

Plugins can be found in the plugin repository. You can find this under the OPNsense web GUI. The plugins available contain both free plugins and ones that need a valid subscription to use.

Navigate to System > Firmware > Plugins. You will see setup options accessible from the plugins page.

Adding plugins to opnsense

There are plugins that cover a wide range of use cases, including:

  • web proxy daemon for managing web traffic
  • dynamic DNS for consistent IP address management
  • reverse proxy for distributing incoming traffic efficiently

Each plugin integrates with the OPNsense firewall and adds features and improvements to the solution.

What is the difference between OPNsense plugins and packages?

Let’s look at the following differences between OPNsense plugins and packages.

Plugins

  1. Integration with GUI: Plugins in OPNsense are integrated with the graphical user interface (GUI). This means that they are designed to work with OPNsense.
  2. Management through the GUI: Plugins can be managed (installed, configured, and removed) from the OPNsense GUI.
  3. Official Support: Plugins are developed by the OPNsense team or trusted third-party developers for the most part. It means they will get thorough testing and quality control to make sure they are compatible and reliable.
  4. Security and Updates: Since plugins are controlled, they will usually get more regular updates and security patches from the official OPNsense repositories. This gives you more confidence that they are secure and updated often.

Packages

  1. Broader: Packages have a broader range of software that can be installed on the underlying FreeBSD operating system. This is the OS that OPNsense is built on top of.
  2. CLI Management: Packages are normally managed through the command line interface (CLI). Like other packages you would install in FreeBSD, you can use package management tools like pkg or ports.
  3. Flexibility: Packages offer more flexibility in what can be installed. Users can install almost any software available for FreeBSD. This is a double-edged sword, though, as you can install a package even if it is not officially supported or integrated into OPNsense, which could lead to instability or unexpected behaviors.
  4. Potential Risks: Following closely with what we mentioned above, there can be compatibility issues or a lack of integration with the OPNsense interface.

Summary

  • Plugins: Designed specifically for OPNsense, managed through the web GUI, offer better integration and support, and are regularly updated and tested.
  • Packages: Offer a wider range of software options, managed through the CLI, provide more flexibility, but may require more technical knowledge and carry higher risks of compatibility issues.
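
To see which side of that line the software on a firewall falls on, the following added example (not from OPNsense or the original article) sorts a package inventory into plugins, other packages from the trusted repository, and packages from anywhere else, which are the ones to review. It assumes plugins carry the `os-` name prefix seen in the plugin names later in this article, that the trusted repository is named `OPNsense`, and that the inventory has one `name version repository` line per package.

```shell
#!/bin/sh
# Added example: split installed software into OPNsense plugins, packages from
# the trusted repository, and packages from anywhere else.
# Input: one "<name> <version> <repository>" line per package (assumed format;
# on the firewall, `pkg query -a '%n %v %R'` prints it).
TRUSTED_REPO="${TRUSTED_REPO:-OPNsense}"   # assumed repository name

classify_packages() {
    awk -v repo="$TRUSTED_REPO" '
        NF < 2 { next }                      # skip blank or malformed lines
        {
            src = (NF >= 3 ? $3 : "unknown")
            if (src != repo)        kind = "foreign-package"
            else if ($1 ~ /^os-/)   kind = "plugin"
            else                    kind = "repo-package"
            printf "%s\t%s\t%s\t%s\n", kind, $1, $2, src
        }'
}

# Count the rows of classify_packages output that have kind $1.
count_kind() {
    awk -F '\t' -v k="$1" '$1 == k { n++ } END { print n + 0 }'
}

# Constructed sample inventory (versions and repository labels are made up).
SAMPLE='os-freeradius 1.9.22 OPNsense
os-radsecproxy 1.0 OPNsense
os-git-backup 1.0 OPNsense
opnsense 24.1 OPNsense
htop 3.3.0 FreeBSD
os-example-addon 0.1 local'

printf '%s\n' "$SAMPLE" | classify_packages
```

A package named like a plugin but installed from another source, such as the last sample line, is still reported as foreign because the repository is checked before the name.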

Why Do You Need to Install OPNsense Plugins?

Installing OPNsense plugins adds functionality beyond what your OPNsense firewall can do by default out-of-the-box, going past the basic firewall features.

Some may not need to add plugins to their firewall. However, others may need features or capabilities that require adding a plugin to the solution.

Best OPNsense plugins to know about

Let’s look at the best OPNsense plugins across various categories, including:

  • Security
  • Network
  • Monitoring
  • User enhancements
  • Community and support

Security plugins

One area where plugins are valuable is in the area of security. You can add next generation firewall extensions such as the Proofpoint ET Open Ruleset or Sunny Valley Networks extension to have advanced threat detection and mitigation. These help protect your network from malicious threats more effectively and help identify and block unwanted traffic.

Sunny valley networks add on for opnsense

Open ruleset complementary subset

There is an open ruleset complementary subset that you can pull down that works with the ET Pro Telemetry edition.

Open ruleset complementary subset for opnsense

Reverse Proxy

One of the core functions you may want to add to OPNsense is reverse proxy functionality. This feature helps provide efficient traffic distribution and improves security. You can protect servers and their details from clients.

Reverse proxy opnsense plugin

Web Proxy

The web proxy plugins are essential for monitoring and controlling web access. You can do things like caching content. Caching helps speed up web requests. You can also configure proxies for filtering and access control.

Web proxy plugins for opnsense

Network plugins

There are plugins that allow for better network management. Some, such as the accounting server, allow for the collection of metrics. Metrics provide insight into network use and performance.

These tools help track and report network traffic, which helps in resource allocation and troubleshooting.

The QEMU guest agent is useful for those managing virtualized environments. It offers better integration and performance for virtual machines.

Qemu guest agent for opnsense

Dynamic DNS

Dynamic DNS is a must-have for users needing consistent access to their network. This plugin automatically updates DNS records when your IP address changes, ensuring seamless connectivity.

Opnsense plugins for dns

RADIUS

There are a couple of RADIUS UDP plugins you can pull from the plugins repository:

  • os-freeradius
  • os-radsecproxy

Radius plugins for opnsense

User enhancement plugins

Some plugins help with the user interface. There are various themes you can use with the web GUI that improve the overall user experience. These plugins make configuring the firewall settings easier. You can add themes like the cicada, rebellion, tukan, and vicuna themes.

User themes you can install in opnsense plugins

Community, support, and automation

Many plugins come from both community-driven projects and vendor repositories. The plugin repository also has plugins for specific needs and tasks. For example, it includes the Puppet agent for automated configuration management.

Puppet opnsense plugin for configuration management

There is also an onion router for Tor network privacy.

Onion router opnsense plugin

Track config changes with git

Another cool OPNsense plugin found in the plugins repository is the os-git-backup plugin. It allows you to track changes using git. How cool is that?

Os git backup for opnsense

Monitoring and metrics

Monitoring and metrics-type plugins allow you to extend the capabilities to monitor and pull telemetry data from your OPNsense firewall and other backend services.

Munin Monitoring Agent

Monitoring is an important part of any security solution, and you can just use agents to pull data. The Munin monitoring agent is a plugin that helps with getting details of network traffic, system performance, and resource usage. This will help with troubleshooting issues.

Munin monitoring agent for opnsense

Telegraf monitoring

Telegraf is an agent for collecting metrics and data and reporting them to a time-series database like InfluxDB. You can also use it to visualize data using Grafana.

Telegraf plugin for opnsense

Troubleshooting

If you attempt to install OPNsense plugins and you receive errors, note what the errors are. A common reason you might not be able to install plugins is that your OPNsense installation is out of date:

Installation is out of date for opnsense

Note any other errors you might receive so you can troubleshoot them accordingly.

Wrapping up

OPNsense is a great open-source firewall solution that many know and trust in the home lab and even in the enterprise. It has a lot of great features out-of-the-box, but you can also extend what it can do in a modular way. Using plugins allows adding features to OPNsense that it does not come with by default. These cover a wide range of features and capabilities as we have discussed, from network, user-related features, monitoring, management, security, and many others. Let me know in the comments if you have a favorite OPNsense plugin or set of plugins you use.

Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com, and a 7-time VMware vExpert, with over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, he has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family. Also, he goes through the effort of testing and troubleshooting issues, so you don't have to.

2 Comments

  1. Great article – I would like to see more articles covering OPNsense plugins. Things that would be useful to cover are the hardware impacts of using the plugin, the pros and cons of putting that functionality on the firewall as opposed to elsewhere on the network. Also a community rating and/or popularity of the plugin.

    Cheers

    1. Stephen,

      Thank you for the comment! I really like OPNsense and will look to create more content in the future on the platform. Thanks again!

      Brandon
