Messages - Stonehenge

#1
23.7 Legacy Series / Where to download 23.7.7_3
October 27, 2023, 06:38:22 PM
In the announcement post "OPNsense 23.7.7 released", it is mentioned:

Quote: A hotfix release was issued as 23.7.7_3:

The download mirror https://mirrors.ocf.berkeley.edu/opnsense/
only has OPNsense-23.7-dvd-amd64.iso.bz2 which is from July 2023.

What is the correct way to download the latest OPNSense binaries?
#2
Quote from: franco on June 20, 2023, 09:07:46 AM
Because a new key is generated for each release for security reasons.

Many apt repos in Debian and Ubuntu use the same GPG public key. That key has a comfortable validity period (a few years), so we don't need to re-import often. Same principle for TLS certificates. As long as the authors of the GPG public keys keep their GPG private key safe, there should be no security issue. If anyone attempts to modify/hack that GPG public key, then `gpg --verify` will fail.

How can generating a new pubkey at each OPNsense release be considered safer?


#3
Ouch, it was written in the OPNsense doc: verification must use openssl (not GPG).

openssl base64 -d -in ./OPNsense-23.1-OpenSSL-dvd-amd64.iso.bz2.sig -out ./OPN_image.sig

openssl dgst -sha256 -verify OPNsense-23.1.pub -signature ./OPN_image.sig ./OPNsense-23.1-OpenSSL-dvd-amd64.iso.bz2

# Console output
Verified OK

Quite complicated syntax compared to GPG, but it's OK. I wonder why the OPNsense public key is named after the release, like OPNsense-23.1.pub. Would it make more sense to give it an immutable name like OPNsense.pub?
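As an added example (not code from the forum post or from the OPNsense project), here are the two openssl steps above wrapped in a small POSIX shell function, run against a constructed key pair and a constructed stand-in for the image so it works offline. The file names OPNsense-example.pub, image.bz2 and image.bz2.sig are assumptions for the demonstration, not real release artifacts. The base64 decode step exists because the mirror's .sig is base64 text; the .pub is a PEM public key for openssl, not an OpenPGP key, which is why gpg --import rejects it. A tampered image makes the function return non-zero.

```shell
#!/bin/sh
# Added example, not from the OPNsense project or the forum post.
# Reproduces the two-step OpenSSL verification against constructed fixtures.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for the real OPNsense-<release>.pub and .sig files
# (a throwaway RSA key generated here, not the project's signing key).
make_fixtures() {
    openssl genrsa -out "$WORK/signer.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/signer.key" -pubout -out "$WORK/OPNsense-example.pub" 2>/dev/null
    printf 'constructed image contents\n' > "$WORK/image.bz2"
    # The mirror publishes the signature as base64 text; mimic that layout.
    openssl dgst -sha256 -sign "$WORK/signer.key" -out "$WORK/image.sig.raw" "$WORK/image.bz2"
    openssl base64 -in "$WORK/image.sig.raw" -out "$WORK/image.bz2.sig"
}

# verify_image PUBKEY B64SIG IMAGE
# Prints "Verified OK" and returns 0 when the signature matches the image;
# prints openssl's "Verification Failure" and returns 1 otherwise.
verify_image() {
    pub="$1"; b64sig="$2"; image="$3"
    raw="$(mktemp)"
    # Step 1: turn the base64 .sig from the mirror back into raw signature bytes.
    openssl base64 -d -in "$b64sig" -out "$raw"
    # Step 2: check the SHA-256 signature with the release public key (PEM, not OpenPGP).
    if openssl dgst -sha256 -verify "$pub" -signature "$raw" "$image" 2>/dev/null; then
        rm -f "$raw"
        return 0
    fi
    rm -f "$raw"
    return 1
}

make_fixtures
# Usage: verify_image "$WORK/OPNsense-example.pub" "$WORK/image.bz2.sig" "$WORK/image.bz2"
```

The same function works unchanged on a real download by substituting the release's .pub, .sig and .iso.bz2 paths; the only extra step a downloader needs is to confirm the .pub file is identical across several mirrors before trusting it.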

#4
Hi,

Following instructions from OPNsense documentation Download and Verification

I checked that the OPNsense-23.1.pub file in 3 mirrors (US, FR, https://pkg.opnsense.org/releases/mirror/README) match the same value.

I then proceeded to import the pub key into my GPG keyring, using GPG v2.2.27 on Ubuntu 22.04.2.

gpg --version
gpg (GnuPG) 2.2.27
libgcrypt 1.9.4

gpg --import ./OPNsense-23.1.pub

# Console output:
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0


Not sure what is going on; this is the first time I have failed to import a GPG key. Can you please help me fix this?

#5
Quote from: pmhausen on June 11, 2023, 10:30:06 PM
AdGuard Home works great and has a nice UI. It's in the community plugins collection.

In the OPNsense documentation, section Community Plugins, I don't see any mention of AdGuard Home. Doesn't that mean this is an unsupported plugin?

Wandering around some reddit posts, someone also suggested Zenarmor (Sensei) as an ad-blocker plugin.

For now I am just discovering the OPNsense ecosystem and haven't read any of the documentation yet. Can you please help me to fast track a bit? AdGuard Home vs Zenarmor, which one is more popular?
#6
Hi,

Imitating a co-worker with his Raspberry Pi + PiHole, I have reproduced the same using PiHole on Debian. I would like to go further than a DNS sinkhole, I read that pfBlockerNG + pfSense would even be better.

Then I learnt about the controversies around pfSense vs OPNsense. Can you please suggest a solution for ad blocking with OPNsense? The goal is to repurpose the computer I am using at the moment for the PiHole server to install OPNsense + something to do ad blocking.

I am sure there is a world of cool things once I have a firewall to play around with. But for now ad blocking is the feature I am looking for.