How to Install OPNsense: Complete Installation Guide

Introduction

OPNsense is a FreeBSD-based open source firewall and routing platform that provides enterprise-grade security features for networks of all sizes. This comprehensive guide walks you through the complete installation process, from downloading the installation media to completing your initial configuration.

What is OPNsense?

OPNsense is a powerful, open-source firewall distribution that emerged as a fork of pfSense in 2015. Built on FreeBSD and utilizing the packet filter (pf), it offers robust security features including firewall capabilities, VPN support, intrusion detection, and routing services. The platform is suitable for both home users and enterprise environments, providing a web-based interface for easy management.

System Requirements

Before beginning the installation, ensure your system meets these minimum specifications:

Minimum Requirements

• Processor: 1 or more virtual/physical cores
• RAM: Minimum 4 GB (required for standard features)
• Storage: Minimum 8 GB for installation target
• Architecture: x86-64 microprocessor only

Recommended Specifications

For optimal performance and to run all OPNsense standard features, including disk-intensive operations like caching proxy and intrusion detection, higher specifications are recommended. The system should have adequate processing power and memory based on your network throughput requirements and feature usage.

Understanding Image Types

OPNsense provides two primary image types:

Full Images

Full images include installation tools such as the OPNsense Importer, Live Environment, and Installer. These are designed for systems with adequate local resources and console access. Full images write log data and cache to the local disk, making them suitable for standard installations.

Embedded Images (Nano)

Embedded images are tailored for environments with limited storage resources or where reducing write cycles is important, such as SD card or CF card installations. These images store logging and cache data in memory by default, with /var/log and /tmp mounted as RAM disks to extend the lifespan of flash storage.

Installation Image Options

Different installation files are available depending on your hardware and use case:

Image Type	Description	Use Case
DVD	ISO image with VGA support and UEFI compatibility	Virtual machines and systems with DVD drives
VGA	USB image with VGA console and UEFI support	Standard installations with monitor access
Serial	USB image for serial console (115200 baud) with UEFI	Headless servers and embedded devices
Nano	Pre-installed image for embedded devices	USB drives, SD cards, CF cards (≥4 GB)

Downloading OPNsense

Step 1: Access the Download Page

Visit the official OPNsense download page and select a mirror closest to your geographic location for optimal download speeds.

Step 2: Choose Your Image Type

Select the appropriate image based on your installation method:

• Use VGA image if installing with a monitor and keyboard
• Use Serial image for installations via serial console connection
• Use DVD ISO for virtual machine installations
• Use Nano image for pre-installing to embedded storage

Step 3: Download Required Files

For verification purposes, download these four files:

1. The bzip-compressed image file (.bz2)
2. The SHA-256 checksum file (.sha256)
3. The signature file (.sig)
4. The OpenSSL public key (.pub)

Verifying the Installation Image

Security is paramount when installing firewall software. Always verify your downloaded image before installation.

Obtain the Public Key

Download the public key file, but don’t rely solely on the mirror’s copy. Verify it matches the key published in these trusted sources:

• OPNsense forum announcements
• Official OPNsense blog posts
• GitHub changelog repository
• Package repository README files

Only major release announcements contain the public key – update releases will not include it.

Verification Process

After downloading all required files, unpack the compressed image:

On Unix-like systems:

bzip2 -d OPNsense-<filename>.bz2

On Windows: Use an application like 7-Zip to extract the .bz2 file.

Verify the checksum:

openssl sha256 OPNsense-<filename>.bz2

Compare the output with the values in the checksum file. If they don’t match, re-download the image.

Verify the signature:

openssl base64 -d -in OPNsense-<filename>.sig -out /tmp/image.sig
openssl dgst -sha256 -verify OPNsense-<filename>.pub -signature /tmp/image.sig OPNsense-<filename>.img

A successful verification will display “Verified OK”. Any other output indicates potential issues with the image file.

OPNsense 26.1 Open-Source Firewall Released With Threat Intelligence Feeds

Creating Installation Media

For USB Installation

The easiest installation method uses a USB flash drive (minimum 1 GB capacity).

FreeBSD:

dd if=OPNsense-##.#.##-[Type]-[Architecture].img of=/dev/daX bs=16k

Linux:

sudo dd if=OPNsense-##.#.##-[Type]-[Architecture].img of=/dev/sdX bs=16k

macOS:

sudo dd if=OPNsense-##.#.##-[Type]-[Architecture].img of=/dev/rdiskX bs=64k

Windows:

Use physdiskwrite (version 0.3 or later):

physdiskwrite -u OPNsense-##.#.##-[Type]-[Architecture].img

Alternatively, use graphical tools like Rufus or balenaEtcher for a simpler process. These applications provide intuitive interfaces for creating bootable USB drives.

For Nano Image Installation

For embedded installations:

1. Write the nano image directly to your target storage device (SD card, USB drive, or CF card)
2. Install the storage device into your system
3. Configure the BIOS to boot from this device
4. The firewall will be operational upon first boot

Preparing Your System

BIOS/UEFI Configuration

Before installation, you need to:

1. Access your system’s boot menu or BIOS (typically by pressing F2, F12, DEL, or ESC during startup)
2. Configure boot order to prioritize the installation media
3. Enable UEFI boot mode if using modern hardware
4. Save settings and restart

For serial console access, configure the appropriate baud rate (115200) in your BIOS settings.

Installation Process

Booting the Installation Media

1. Insert the USB installation media into your system
2. Power on and boot from the USB drive
3. The system will load the OPNsense boot screen

Using the OPNsense Importer (Optional)

The Importer feature allows you to restore previous configurations or test new versions without overwriting existing installations.

For systems with existing OPNsense installations:

1. When prompted, press any key at “Press any key to start the configuration importer”
2. Enter the device name containing your existing configuration
3. The system will boot into the live environment using your stored configuration

For new installations with backed-up configurations:

1. Prepare a second USB drive formatted as FAT32
2. Create a “conf” directory at the root
3. Place your unencrypted configuration file as /conf/config.xml
4. Insert both USB drives and boot from the installation media
5. When prompted, specify the device name of the configuration USB drive

Live Environment

After booting, the system enters a fully functional live environment. Default access credentials are:

• Username: root
• Password: opnsense
• GUI Access: https://192.168.1.1/

The live environment is read-only, so configurations will be lost upon reboot until you complete the installation.

Running the Installer

To begin permanent installation:

1. At the login prompt, use:
   • Username: installer
   • Password: opnsense
2. Configure Console Settings
   • The default keymap configuration is suitable for most users
   • Select your preferred layout if needed (e.g., German, French)
   • Confirm your selection
3. Select Installation Type
   • Choose between UFS and ZFS filesystems
   • ZFS is recommended for most installations due to superior reliability
   • UFS is acceptable for smaller installations or single-disk setups
   • For ZFS, select the device type (stripe is default for single disks)
4. Disk Selection
   • Select your target storage device (e.g., da0, nvd0, mmcsd0)
   • For appliances with SD/MMC storage, ensure you select the correct device
   • Confirm your selection carefully – the installation will erase all data
5. Partitioning Confirmation
   • Review the “Last Chance!” warning
   • Selecting “Yes” will format the disk and destroy all existing data
   • Proceed only when certain
6. Swap Configuration (UFS installations)
   • Accept the recommended swap settings for most installations
   • For very small installations (<16GB), consider custom partitioning without swap
   • For embedded systems, skip swap creation
7. Set Root Password
   • Create a strong root password
   • Confirm the password entry
   • This password will be used for GUI and console access
8. Complete Installation
   • Select “Complete Install”
   • The system will finalize the installation
   • Remove the installation media when prompted
   • The system will reboot

Initial Configuration

Interface Assignment

Upon first boot, the system will prompt for interface assignment:

1. VLAN Configuration
   • Enter “N” if you don’t need VLANs initially
   • VLANs can be configured later through the web interface
2. Interface Selection
   • First interface: LAN (typically the first physical port)
   • Second interface: WAN (typically the second physical port)
   • Additional interfaces can be assigned as OPT1, OPT2, etc.
   • Press Enter when all interfaces are assigned
3. Automatic Detection
   • Some systems support automatic interface detection
   • Verify the assignments match your physical port layout

Default Network Configuration

After installation, OPNsense applies these default settings:

WAN Interface:

• DHCP client enabled
• Expects IP address assignment from your ISP or upstream router

LAN Interface:

• Static IP: 192.168.1.1/24
• DHCP server enabled
• DHCP range: 192.168.1.100 – 192.168.1.200

First Login

Access the web interface:

1. Connect a computer to the LAN port
2. Navigate to https://192.168.1.1
3. Accept the self-signed certificate warning
4. Log in with username “root” and your chosen password

Setup Wizard

The initial setup wizard guides you through:

1. General Settings
   • Hostname and domain configuration
   • Time zone selection
2. Time Server Configuration
   • NTP server settings
   • Recommended to keep default NTP servers
3. WAN Interface Setup
   • DHCP or static IP configuration
   • DNS server settings
   • RFC1918 network handling
4. LAN Interface Adjustment
   • Modify IP address if needed
   • Adjust DHCP range
5. Password Confirmation
   • Option to change root password again
   • Apply final configuration

Post-Installation Steps

Update OPNsense

Installation images may not contain the latest version. Always update after installation:

1. Navigate to System → Firmware → Updates in the GUI
2. Check for available updates
3. Install all pending updates
4. Reboot if required

Alternatively, use the console option “12) Upgrade from console” or the command-line tool opnsense-update from the shell.

Enable Additional Features

Consider these important post-installation configurations:

For SD Card/Flash Storage:

• Navigate to System → Settings → Miscellaneous → Disk/Memory Settings
• Enable RAM disks to reduce write cycles
• Set appropriate memory disk sizes (100-128 MB minimum)
• Reboot to apply changes

SSH Access:

• SSH is disabled by default for security
• Enable through System → Settings → Administration if needed
• Use key-based authentication when possible

External Logging:

• Configure external syslog server for embedded installations
• Found under System → Settings → Logging

Security Hardening

1. Change default LAN subnet if it conflicts with your network
2. Disable unused services
3. Configure firewall rules appropriately
4. Enable automatic updates for security patches
5. Review and customize default firewall rules

Virtual Machine Installation Considerations

When installing on virtual platforms:

1. Disk Type Selection
   • Select appropriate virtual disk (typically da0 or nvd0)
   • Avoid selecting the USB installation device
2. Network Adapters
   • Configure at least two network adapters
   • Ensure proper bridging or host-only networking setup
3. Guest Tools
   • Install vmware-tools or xen-tools plugins after installation
   • Access through System → Firmware → Plugins
   • Enhances performance and compatibility
4. Resource Allocation
   • Allocate adequate CPU cores based on throughput needs
   • Provide sufficient RAM for your feature set
   • Ensure adequate disk space for logging if not using RAM disks

Conclusion

Installing OPNsense provides a powerful, enterprise-grade firewall solution for your network. By following this comprehensive guide, you can successfully deploy OPNsense on various hardware platforms, from embedded devices to virtual machines. The flexibility of installation options, combined with robust security features, makes OPNsense suitable for environments ranging from home networks to large enterprise deployments.

Click here to read more about OPNsense vs PfSense