Why I am not using OPNSense

LTS_Tom · June 2, 2024, 4:00am

This question comes up a lot on YouTube, forums, and many other sites. I wanted to have a reply with links and details for the people who keep asking, or sometimes insisting, that I do OPNSense videos.

Despite OPNsense having a more frequent update cycle, they are slower to get out security fixes. Here are some examples with links to posts from OPNSense & pfsense:

OpenSSL 1.1.1 is no long supported & Systems must be upgraded to supported version to 3
Fixed in pfsense Plus November 06, 2023
Netgate Releases pfSense Plus Software Version 23.09
Fixed in pfsense CE November 16, 2023
Netgate Releases pfSense CE Software Version 2.7.1
Fixed in OPNSense 24.1.1 released Feb 6 2024
OPNsense 24.1.1 released
SSH Terrapin
Fixed in pfsense on December 18th, 2023
Terrapin SSH Attack | Netgate Forum
Fixed in OPNSense on December 28th 2023
[SOLVED] Mitigations for Terrapin ssh attack?
TCP spoofing vulnerability
Fixed in pfsense December 7th 2023
Netgate Releases pfSense Plus Software Version 23.09.1 and pfSense CE Software Version 2.7.2
Fixed in OPNSense December 12th 2023
OPNsense 23.7.10 released
Fixed in OPNSense business December 19th 2023
Netgate sponsored the fix for that issue pf: remove incorrect fragmentation check · freebsd/freebsd-src@6284d5f · GitHub

While I recognize from an interface standpoint the their code base has drifted apart since the fork, for clarification when I say “OPNSense relies on Netgate for features and fixes” that is because Netgate contributes a lot back to upstream FreeBSD.

Netgate is funded by selling their hardware that comes with pfsense+ or selling licences for pfsense+. This is similar to OPNSense that sells hardware and business licences.

From that income Netgate staffs numerous developers who’s job at Negate is to contribute to code for FreeBSD and continue creating builds for pfsnese CE which is free. And more important than just the percentage of the code that is committed, is what code they commit. Which of course is lots of enchantments benefit firewall related features and performance.

Source

Source at the 1:13:20 mark

And you can use the GitHub search for “Rubicon Communications, LLC (Netgate)” to see all that code pulled downstream into OPNSense.

This is also why pfsense out performs OPNSense when it comes to WireGuard VPN performance. While the code is open source, how that code is integrated is very important.

OpenVPN DCO work was upstreamed to FreeBSD sponsored by (paid for) by Netgate back in 2022

Almost 2 years later it’s getting coming to OPNSense.
https://www.reddit.com/r/opnsense/comments/1czpnuy/247_community_release_freebsd_141_et_al/

Probably not an issue with the home user market but pfsense supports GW Group which allows you to select the GW Group as the interface in the Phase1 setup, whereas OpnSense does not.

Also worth noting that pfsnese moved to FreeBSD Main but OPNsense has not. Here is a post from Franco at OPNSense pointing out that they are lagging behind on features because they are using FreeBSD 13 and new features are not being backported.

Jiibus · June 3, 2024, 1:51pm

After watching the video, I think all your technical reasons are plenty valid and won’t argue against them.

I stopped using pfSense because of the actions of the company behind it. The combination of that really weird opnsense website they created and how they handled getting wireguard in the kernel initially put me off using any of their products.

LTS_Tom · June 4, 2024, 1:41pm

Typo squatting is immature and so is the OPNSense people defacing the pfsense wikipedia page. As for the article about the Wiregaurd issue, that was overblown. Yes, there was a miscommunication but since this is all open source and public mailing lists you can read the conversations and see how it got sorted out, it’s not nearly as dramatic as the article, but people sorting out a misunderstanding would not get the clicks.

No need to take my word for it, read it for yourself. Jason even thanked them for their work.

Jason Donefield: “I should point out, again to you, how grateful I am that Netgate got the initial work on this started”

https://lists.zx2c4.com/pipermail/wireguard/2021-March/006499.html

Paul · June 4, 2024, 1:48pm

Cyber Security is becoming a requirement more in the UK (being requested by insurance companies)

We have to update system when CVC are identified and patches are released - Netgate does this in a timely manner , where it would appear Opensense does not

mrfai · July 29, 2024, 2:11pm

Thank you for sharing. However, for the security fix, does that only apply to pfSense Plus?

CE latest is still 2.7.2, which was released on December 17, 2023.

Personally, I have used pfSense more than 10 years and recently switched to OPNsense because pfSense doesn’t update as frequently.

I am also experiencing some stability issues with Squid proxy on OPNsense.

So I agree for enterprise, maybe pfSense plus is a better option.

OhioYJ · July 29, 2024, 10:11pm

This. It was shortly after the licensing mess that made me jump ship to OPNSense. Then I find out about their history of all the other stuff, and it just made me even more glad I switched.

hs6666 · July 30, 2024, 11:01am

hey Tom, can’t understand why rehash all this as just going over already discussed stuff

i understand the techical reasons, but surely you gotta realise this is a contentious issue with peoples that goes beyond purely “technical reasons” … me included

Are you still getting trolled over it, soz but this won’t help that situ dude, going to make it worse.

sex/religion/pfsenes-or-opnsense topics best avoided by a content creator

LTS_Tom · July 30, 2024, 11:37am

For both pfsense CE and pfsense Plus the patches are done via the patching plugin.

I don’t tell people what to use, I just give the reasons I use it. Use what makes you happy.

hs6666 · July 30, 2024, 11:55am

true in most cases Tom, but certain topics just come with baggage you can’t avoid