OPNsense

Updated 2023-05-16. Since the project is security-critical, a detailed writeup on how to verify images is provided. A quick summary of the chain of trust is replicated below:

          .img.bz2 --(SHA2)--> .sha256 -----+
                                   ^        |
                                   |        +-- [OPNsense private key]
                          .pub ----+        |
                                   |        |
  .img.bz2.sig <--(base64)-- [signature] <--+

The only critical files are the (bzip-compressed) image, the (base64) signature, and the public key associated with the major release.

• bzip-compressed image + signature from Download page
  • Typically either VGA/full (via HDMI/VGA) or serial/full (console) images are preferred
  • Verify integrity of file via the SHA256 checksums provided
• Release public key
  • Multiple sources, e.g. GitHub changelog (e.g. 23.1), download page, mirror host, etc.
  • Cross-validate across multiple sources

# Generate SHA2 checksum
openssl dgst -sha256 OPNsense-<filename>.img.bz2

# Decode base64-encoded signature
openssl base64 -d -in OPNsense-<filename>.img.bz2.sig -out tmp.sig

# Verify SHA2 checksum using signature signed by public key
openssl dgst -sha256 \
    -verify OPNsense-<filename>.pub \
    -signature tmp.sig \
    OPNsense-<filename>.img.bz2

Be careful not to overlap DHCP pool with static addresses. The ISC DHCP router does not check if a static IP address has been assigned.

OPNsense by default deploys an NTP service:

• NTP synchronization should use OPNsense's time server, may need to open interface for listening as well.
• The default rate limits are very severe, roughly 32s average with minimum separation of 4s (src). This makes it incompatible with NTP server configurations using iburst (which is a burst of 8), triggering kiss of death. Either disable this rate limit, or disable iburst from downstream (then restart "chrony").
• Default settings of 64s poll, with around 16 polls needed to choose candidates, so about 17 mins.