4 unofficial OPNsense plugins that are surprisingly useful

2 weeks ago 2

OPNsense isn't just one of the best options for your home network, with the ability to handle routing and firewall duties to secure your network from the wider internet. It's also easily extendable for new functionality, as it offers a wide selection of plugins to utilize. These add new security features, valuable tools, monitoring software, and other handy things, and they're all easily installed with a few clicks.

But because it's FreeBSD-based, there are plenty of other plugins and useful packages that you can install from other sources. I've been using some on my OPNsense installation, and they add numerous utilities and features that I've utilized on other networking installations to make things easier overall.

Now, all of these plugins are from a community repository for OPNsense, and not the official ones. Some aren't even plugins, per se, but the packages are easily installed from the CLI and are just as usable afterwards. It's also worth noting that these come with no expectation of technical support if things go wrong, so it's recommended to back up your OPNsense install before you begin.


4 Cloudflared

Manage Cloudflare Tunnels right from your router


Being able to use Cloudflare Tunnels to connect securely to your home network is awesome, no doubt about it. OPNsense doesn't have a plugin to manage them easily, but that doesn't matter because all you need is the Cloudflared service. This can be installed from the unofficial repository we mentioned earlier, which you'll need to do since there isn't a native BSD app from Cloudflare. Then, it's a simple matter of running some CLI commands while SSH'd into the router.

Head to your Cloudflare Zero Trust dashboard, as you would to set up any other Tunnel, and create one for OPNsense. Bringing the details for that Tunnel token into the CLI for OPNsense lets you start the Cloudflared service to connect to the Tunnel, and set it up to automatically connect every time the OPNsense box reboots. No more worrying about getting locked out of the router when away from home, and you'll be able to use the Tunnel to reach any local network resources as if you were at home.


3 AdGuard Home

Block annoyances before they get to your devices


There are plenty of ways to keep ads, malware, and insalubrious domains from touching your network devices, but isn't it better to cut it off at the source and run the blocking programs on your router? Yes, Pi-holes still work, and yes, you could run them on your NAS, server, or anywhere else on your home network as long as you point your device DNS records to the blocking DNS server, but I like having it on my router.

The best part is that on OPNsense, AdGuard Home is a plugin, so it integrates seamlessly with the GUI, and you can manage it by connecting to your LAN side on port 3000. I've been using AdGuard DNS servers on my iPad Pro and a few other devices that can't run ad-blocking software natively, and it works well. I don't care that much about intrusive advertising for my own sake, but I have a small child, and I don't like the barrage of consumerism that shows up while browsing on a tablet.

Bonus points to AdGuard for providing IPv6 DNS servers to add, as well as a local loopback address, so that every facet of your network can be protected. If you weren't using OPNsense, you could even set it up as a DHCP server, so it's a very versatile blocking tool. Plus, you can leverage the custom DNS filtering to use local domain names for your self-hosted services. Yes, OPNsense has Unbound, where you can do the same thing, but it's nice to have options, and sometimes AdGuard is easier to use.


2 Home Assistant

Add some deep integrations for your home automation needs


We love adding things to our Home Assistant dashboards, so why shouldn't we control OPNsense there as well? The plugin for OPNsense is only part of the equation; you'll also need to add a new repository to HACS and connect it to OPNsense via an API key pair generated in the OPNsense user dashboard. If you don't want the API linked to the main admin role, you'll need to create a secondary user account, but it must have the admin role; otherwise, the integration will have trouble controlling things.

You'll gain a new dashboard card, with a ton of information about your router. Things like CARP status, system notices, and notifications about firmware updates, a scanner to add new devices from the OPNsense ARP table, sensors for boot time, temperatures, CPU details, and more.


1 OPNarp

Guard against ARP poisoning attacks and other nasties

OPN-Arp is a simple yet handy plugin that polls the ARP cache and writes a log entry every time it detects a new IP address and MAC address pairing. This will display network changes, whether planned, automated, or unauthorized, providing you with another tool for debugging and incident response. It logs new station/activity, flip-flops, changed and reused old addresses,

Perhaps one of your network devices is misconfigured, which may manifest in various ways, including dropping off the network, then reconnecting repeatedly, or changing IP addresses as it does so. It can spot hackers who are MAC spoofing to gain access to your Wi-Fi network, or provide a list of all your network appliances and devices for administrative purposes. And by linking it to Monit, you can get email notifications of those logged entries, which is handier than poring through logs.
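The bookkeeping behind those log entries can be sketched in a few lines of Python. This is an added example, not OPN-Arp's own code: it parses FreeBSD `arp -an` output and classifies each pairing change using arpwatch's definitions of the event names, which is an assumption about how the plugin uses them. The snapshots are constructed.

```python
import re

# FreeBSD `arp -an` line, e.g. "? (192.168.1.20) at aa:bb:cc:dd:ee:ff on igb1 ..."
ARP_LINE = re.compile(
    r"\((?P<ip>[0-9.]+)\) at (?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}) ", re.I)

def parse_arp(text):
    """Return {ip: mac} from `arp -an` output, skipping (incomplete) entries."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table

class ArpTracker:
    def __init__(self):
        self.history = {}  # ip -> MACs seen for it, most recently seen first

    def observe(self, table):
        """Compare one snapshot with the history; return [(event, ip, mac)]."""
        events = []
        for ip, mac in sorted(table.items()):
            seen = self.history.setdefault(ip, [])
            if not seen:
                events.append(("new station", ip, mac))
            elif seen[0] == mac:
                continue  # pairing unchanged, nothing to log
            elif mac not in seen:
                events.append(("changed", ip, mac))     # MAC never seen for this IP
            elif seen.index(mac) == 1:
                events.append(("flip flop", ip, mac))   # back to the previous MAC
            else:
                events.append(("reused old", ip, mac))  # back to an older MAC
            if mac in seen:
                seen.remove(mac)
            seen.insert(0, mac)
        return events

# Constructed sample: five successive snapshots of one LAN (not real data)
GW = "? (192.168.1.1) at 00:11:22:33:44:55 on igb1 permanent [ethernet]\n"
HOST = "? (192.168.1.20) at aa:aa:aa:00:00:0{} on igb1 expires in 1170 seconds [ethernet]\n"
SNAPSHOTS = [GW + HOST.format(n) for n in (1, 2, 1, 3, 2)]
SNAPSHOTS[0] += "? (192.168.1.30) at (incomplete) on igb1 expired [ethernet]\n"

def replay(snapshots):
    tracker = ArpTracker()
    return [tracker.observe(parse_arp(s)) for s in snapshots]

if __name__ == "__main__":
    for n, events in enumerate(replay(SNAPSHOTS)):
        for event, ip, mac in events:
            print(f"snapshot {n}: {event} {ip} {mac}")
```

A single "changed" entry is usually a replaced device or a new DHCP lease; repeated "flip flop" entries for the same IP are the pattern to look at first, since two stations are then answering for one address.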


OPNsense has plenty of handy plugins, or you could even write your own


The open-source nature of OPNsense means that anyone can write plugins for it, and tools from other *nix-based operating systems can be converted into FreeBSD packages for installation. That makes it an even more powerful platform, as your router can run your intrusion detection, remote access solutions, and other relevant tools. It's up to you to decide how many of these tools you want running on the same box, because some might make more sense on your server, or not at all, depending on your particular network needs.
