You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Franco Fichtner dec6ce2c8b update: new kernel for 19.1.8 4 days ago
bootstrap bootstrap: kill this sentence as well 2 months ago
code bootstrap|code: remove "under development" lie 2 months ago
fetch fetch: -i is not --no-verify-peer 1 year ago
patch patch: assume that only src/ files are patchable 2 months ago
revert revert: remove unused reference #35 11 months ago
sign bootstrap|sign|update: fix these too 2 years ago
update update: new kernel for 19.1.8 4 days ago
verify verify: "merge" 11.2's pkg bootstrap code 6 months ago
.gitignore make: allow "upgrade" target for consistency with other repos 1 year ago
LICENSE update: introduce core.lock for all packages 4 months ago
Makefile make: allow "upgrade" target for consistency with other repos 1 year ago make: update is already in the subdirs... 1 year ago README: stuff 3 months ago

OPNsense update utilities

This is a collection of firmware upgrade tools specifically written for OPNsense based on FreeBSD ideas (kernel and base sets) and tools (pkg(8) and freebsd-update(8)).


opnsense-update(8) unifies the update process into a single tool usable from the command line. Since OPNsense uses FreeBSD’s package manager, but not the native upgrade mechanism, an alternative way of doing base and kernel updates needed to be introduced.

The process relies on signature verification for all moving parts (packages and sets) by plugging into pkg(8)’s native verification mechanisms.

The utility was first introduced in February 2015. In October 2016, major FreeBSD version upgrade support was added. In August 2017, debug kernel support was added.


opnsense-bootstrap(8) is a tool that can completely reinstall a running system in place for a thorough factory reset or to restore consistency of all the OPNsense files. It can also wipe the configuration directory, but won’t do that by default.

It will automatically pick up the latest available version and build a chain of trust by using current package fingerprints -> CA root certificates -> HTTPS -> OPNsense package fingerprints.

What it will also do is turn a supported stock FreeBSD release into an OPNsense installation, given that UFS was used to install the root file system.

The usage is simple, starting with a FreeBSD 11.2-RELEASE image:

# pkg install ca_root_nss
# fetch
# sh ./

After successful reboot, OPNsense should be up and running. :)

The utility was first introduced in November 2015.

opnsense-sign, opnsense-verify

opnsense-sign(8) and opnsense-verify(8) sign and verify arbitrary files using signature verification methods available by pkg(8), so that a single key store can be used for packages and sets.

opnsense-verify(8) is almost entirely based on the pkg bootstrap code present in the FreeBSD base code, but may be linked against either OpenSSL or LibreSSL from ports.

Both utilities were first introduced in December 2015.


opnsense-fetch(8) creates a watcher process for fetch(1) and passes all arguments to it. The watcher then prints progress output to the actual caller to indicate ongoing download progress.

The utility was first introduced in April 2016.


opnsense-patch(8) applies upstream git(1) patches in the order that they have been given. This helps to deploy fixes faster without the need to run manual edits or file downloads since patch(1) tries to keep the file integrity intact.

The utility was first introduced in May 2016. In February 2019, a local caching mechanism was added to provide offline patching capability.


Deriving from the utility of opnsense-patch(8), its younger sibling opnsense-code(8) can handle full code repositories using git(1) in order to fetch or update the full source code on an installed system.

The utility was first introduced in August 2016.


In the available scope of the package mirrors, this utility can revert any package to a previous state of a particular OPNsense release.

The utility was first introduced in January 2017.