From 3877d1748fb4927005df1a1ed3eecec04fbe03c8 Mon Sep 17 00:00:00 2001 From: Christian <43847817+codiflow@users.noreply.github.com> Date: Wed, 22 Feb 2023 09:39:43 +0100 Subject: [PATCH 01/11] Added section "Advanced Configurations" for Monit (#455) --- source/manual/monit.rst | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/source/manual/monit.rst b/source/manual/monit.rst index f4b161a0..cef26bb0 100644 --- a/source/manual/monit.rst +++ b/source/manual/monit.rst 
@@ -321,3 +321,42 @@ Status The Monit status panel can be accessed via :menuselection:`Services --> Monit --> Status`. For every active service, it will show the status, along with extra information if the service provides it. + +------------------------- +Advanced Configurations +------------------------- + +Some installations require configuration settings that are not accessible in the UI. +To support these, individual configuration files with a ``.conf`` extension can be put into the +``/usr/local/etc/monit.opnsense.d`` directory. These files will be automatically included by +the UI generated configuration. Multiple configuration files can be placed there. But note that + +* The wildcard include processing in Monit is based on ``glob(7)``. So the order in which the files are included is in ascending ASCII order. +* Monit supports up to 1024 include files. If this limit is exceeded, Monit will report an error. +* It makes sense to check if the configuration file is valid. You can do so by using the following command:: + + # Run syntax check for the control file + configctl monit check + +This is a sample configuration file to customize the limits of the Monit daemon: + +:: + + ## Set limits for various tests. The following example shows the default values: + ## + set limits { + programOutput: 5120 B, # check program's output truncate limit + # sendExpectBuffer: 256 B, # limit for send/expect protocol test + fileContentBuffer: 5120 B, # limit for file content test + # httpContentBuffer: 1 MB, # limit for HTTP content test + # networkTimeout: 5 seconds # timeout for network I/O + # programTimeout: 300 seconds # timeout for check program + # stopTimeout: 30 seconds # timeout for service stop + # startTimeout: 120 seconds # timeout for service start + # restartTimeout: 30 seconds # timeout for service restart + } + + +.. 
Warning:: + It is the sole responsibility of the administrator which places a file in the extension directory to ensure that the configuration is + valid. From 872bd4598aca853a081289e753f387313eefb523 Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Wed, 1 Mar 2023 18:16:35 +0100 Subject: [PATCH 02/11] Firewall/Aliases - Add "OpenVPN group" type, closes https://github.com/opnsense/core/issues/6312 --- source/manual/aliases.rst | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/source/manual/aliases.rst b/source/manual/aliases.rst index 91af8e29..5550ca24 100644 --- a/source/manual/aliases.rst +++ b/source/manual/aliases.rst @@ -59,6 +59,8 @@ OPNsense offers the following alias types: | BGP ASN | Maps autonomous system (AS) numbers to networks | | | where they are responsible for. | +------------------+------------------------------------------------------+ +| OpenVPN group | Map user groups to logged in OpenVPN users | ++------------------+------------------------------------------------------+ | Internal | Internal aliases which are managed by the product | | (automatic) | | +------------------+------------------------------------------------------+ 
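Review bot: the include mechanism in this hunk should state who may write to ``/usr/local/etc/monit.opnsense.d``, because every ``.conf`` file placed there is merged into the generated Monit control file without any further review, while the ``.. Warning::`` block only says the administrator is responsible for validity; suggest adding the expected ownership and permissions of that directory next to the warning. Two smaller points in the same hunk: "Multiple configuration files can be placed there. But note that" is a fragment leading into the bullet list, suggest "Multiple configuration files can be placed there, but note that:"; and since an invalid include file becomes part of the generated configuration, "It makes sense to check if the configuration file is valid" reads too casually for a required step, suggest "Always validate the configuration before applying it:" ahead of ``configctl monit check``. Finally, the sample is introduced as a way to "customize the limits" but its own comment says it "shows the default values"; pick one so the reader knows whether pasting it changes anything.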
@@ -322,6 +324,24 @@ alias and add or remove entries immediately. Since external alias types won't be touched by OPNsense, you can use :code:`pfctl` directly in scripts to manage its contents. (e.g. :code:`pfctl -t MyAlias -T add 10.0.0.3` to add **10.0.0.3** to **MyAlias**) + +.................................... +OpenVPN group +.................................... + +This alias type offers the possibility to build firewall policies for logged in OpenVPN users by the group they belong to +as configured in :menuselection:`System --> Access --> Groups`. + +The current users that are logged into OpenVPN can be inspected via :menuselection:`VPN --> OpenVPN --> Connection Status`, the alias +just follows this information and flushes the attached addresses to the item in question. + +For example, when a user named **fred** which is a member of group **remote_users** logs into OpenVPN and received a tunnel address +of :code:`10.10.10.2`, the alias containing "remote_users" would include this address as well. + +.. Tip:: + + When using LDAP (Active directory), you can synchronise group membership to avoid double administration in OPNsense. + .................................... Internal (automatic) .................................... From c4bb885a2120135d6e523818347c54ec42eb5d3f Mon Sep 17 00:00:00 2001 From: Michael Sims Date: Thu, 2 Mar 2023 07:42:28 -0800 Subject: [PATCH 03/11] Update git-backup document to include detailed SSH instructions. (#448) --- source/manual/git-backup.rst | 34 ++++++++++++++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/source/manual/git-backup.rst b/source/manual/git-backup.rst index 62760b0a..b627c79f 100644 --- a/source/manual/git-backup.rst +++ b/source/manual/git-backup.rst 
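Review bot: the new table row in the first hunk, "Map user groups to logged in OpenVPN users", breaks the third-person style of the neighbouring rows (compare "Maps autonomous system (AS) numbers to networks"); suggest "Maps user groups to logged-in OpenVPN users".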
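Review bot: "flushes the attached addresses to the item in question" in the second hunk is ambiguous, since "flush" also means clearing a table, and the paragraph is exactly where a reader decides how much to trust a rule built on this alias; suggest stating plainly that the alias contents are replaced with the tunnel addresses of the currently connected members of the group each time the connection status changes, so the policy is only as current as that refresh. Grammar in the example paragraph: "a user named **fred** which is a member of group **remote_users** logs into OpenVPN and received a tunnel address" should read "who is a member of group **remote_users** logs into OpenVPN and receives a tunnel address". In the tip, "Active directory" should be "Active Directory".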
@@ -87,9 +87,39 @@ password When using https authentication, choose a Make sure to push to a "bare" upstream repository, when pressing "Setup/Test Git" the initial commits should be send to your git server. -.. Tip:: +-------------------------- +SSH Setup +-------------------------- + +If you use GitHub, then your only option for git-backup, is to configure it for SSH access since GitHub has removed the ability for external applications to log into your account via your username and password. + +The fields in OPNSense under :code:`System / Configuration / Backups / Git` should contain the following: + +* URL absolutely MUST follow this format when using GitHub and GitLab: :code:`ssh://github.com/user_name/repo_name.git`. Any URL string that does not follow this pattern will not work. + + +* Branch should contain the word: :code:`master` + + +* SSH Private key (discussed below) + + +* User Name should ONLY contain the word :code:`git` + + +* password: leave this field empty + +You need to create your repository BEFORE enabling git-backup. Do not add any files or READMEs to the repository. In other words, create a BLANK repository. + +Next, `create a new SSH key `__ specifically for git-backup (only generate the private / public keys per that document and skip the rest). **It is imperative that you do not add a password to your key**, or your backups will fail with authentication errors. + +You should set up SSH access to just your repository by assigning your SSH public key to the repository instead of assigning it to your GitHub / GitLab account. Doing this ensures that you don't arbitrarily expose more of your git resources to OPNSense than is absolutely necessary for git-backup to work properly. + +If you use GitHub, you can add your SSH public key by going to your repository, then click on :code:`settings`, then :code:`Deploy keys`. Or you can go straight to the URL using this format: :code:`https://github.com/USER_NAME/REPOSITORY_NAME/settings/keys/new`. 
+ +* Check the box :code:`Allow write Access`. - For GitHub and GitLab repositories, please make sure your URL follows this structure: :code:`ssh://github.com/user_name/repo_name.git`. +Make sure the fields are populated as stated above and that the Enable box is checked, then click on :code:`Setup / Test Git` and you should see a message come back at the top of the page indicating that the first backup was successful. -------------------------- Conflict resolution From 23ce3a341b7bf2500fa284946098c35fd7883736 Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Thu, 2 Mar 2023 16:54:17 +0100 Subject: [PATCH 04/11] Firewall: Settings: Advanced - update documentation, remove non existing options and add Anti DDOS section --- source/manual/firewall_settings.rst | 33 ++++++++++++++--------------- 1 file changed, 16 insertions(+), 17 deletions(-) diff --git a/source/manual/firewall_settings.rst b/source/manual/firewall_settings.rst index 3a0f09f7..827b010d 100644 --- a/source/manual/firewall_settings.rst +++ b/source/manual/firewall_settings.rst @@ -72,11 +72,6 @@ Configure the frequency of updating the lists of IP addresses that are reserved Gateway Monitoring ------------------------------------ -Kill states ..................................... - -When unchecked (enabled) all states will be reset when a gateway is removed (see monitoring in the :doc:`gateways ` section) - Skip rules ..................................... 
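Review bot: the SSH Setup hunk tells the reader in bold to generate the key without a passphrase but never says why that matters: the unencrypted private key is pasted into the firewall's git-backup settings, so anyone who obtains the OPNsense configuration obtains the key. The hunk already has the right mitigation (a repository-scoped deploy key rather than an account-level key), so suggest putting the two together in one sentence, stating that the key must be used for nothing but this repository, and noting that "Allow write Access" is needed because backups are pushed. Three accuracy points: the URL rule "absolutely MUST follow this format when using GitHub and GitLab: ssh://github.com/user_name/repo_name.git" only shows the GitHub host, add the GitLab form as a second example; "Branch should contain the word: master" sits next to "create a BLANK repository", but a blank repository has no branch yet and GitHub's default name for new repositories is ``main``, so say that the branch named here is the one the first push creates; and "OPNSense" should be spelled "OPNsense" as in the rest of the docs.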
@@ -135,16 +130,6 @@ Firewall state table optimization to use, influences the number of active states * [aggressive] Expires idle connections quicker. More efficient use of CPU and memory but can drop legitimate idle connections * [conservative] Tries to avoid dropping any legitimate idle connections at the expense of increased memory usage and CPU utilization. - -Firewall Rules Optimization -..................................... - -Influence how the firewall optimizes the generated ruleset. - -* [none] Disable the ruleset optimizer. -* [basic] (default) Basic ruleset optimization does four things to improve the performance of ruleset evaluations: remove duplicate rules; remove rules that are a subset of another rule; combine multiple rules into a table when advantageous; re-order the rules to improve evaluation performance -* [profile] Uses the currently loaded ruleset as a feedback profile to tailor the ordering of quick rules to actual network traffic. - Bind states to interface ..................................... @@ -229,7 +214,21 @@ Check certificate of aliases URLs Make sure the certificate is valid for all HTTPS addresses on aliases. If it's not valid or is revoked, do not download it. -Dynamic state reset + +Anti DDOS +------------------------------------ + +Enable syncookies ..................................... -This option flushes the entire state table on IPv4 address changes in dynamic setups to e.g. allow VoIP servers to re-register. + +This option is quite similar to the `syncookies `__ kernel setting, +preventing memory allocation for local services before a proper handshake is made. + +In this case pf will be protected agains state table exhaustion. + +The following modes are available: + +* never (default) +* always +* adaptive - in which case a lower and upper percentage should be specified referring to the usage of the state table. From e5c00692028d7e78ce7b15fd06976d0562042954 Mon Sep 17 00:00:00 2001 
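Review bot: the Anti DDOS hunk leaves the adaptive mode underspecified: "a lower and upper percentage should be specified referring to the usage of the state table" does not say which threshold switches syncookies on and which switches them off. In pf's adaptive mode syncookies are enabled once state table usage rises above the start (upper) percentage and disabled again when it drops below the end (lower) percentage, so suggest writing the bullet as "adaptive - syncookies are switched on when state table usage exceeds the upper percentage and off again when it falls below the lower one". Spelling: "agains state table exhaustion" should be "against"; "Anti DDOS" is conventionally written "Anti-DDoS". The removed "Dynamic state reset" heading is not mentioned in the replacement text, so a reader of the old docs has no pointer to where that behaviour went; a one-line remark would help.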
From: Ad Schellevis Date: Thu, 2 Mar 2023 17:09:00 +0100 Subject: [PATCH 05/11] ditch Libre --- source/intro.rst | 3 +-- source/manual/firmware.rst | 7 ------- source/manual/install.rst | 11 ----------- source/manual/updates.rst | 1 - 4 files changed, 1 insertion(+), 21 deletions(-) diff --git a/source/intro.rst b/source/intro.rst index 83a2a083..15d8b8b7 100644 --- a/source/intro.rst +++ b/source/intro.rst @@ -95,8 +95,7 @@ The feature set of OPNsense includes high-end features such as forward caching proxy, traffic shaping, intrusion detection and easy OpenVPN client setup. The latest release is based on a recent FreeBSD for long-term support and uses a newly developed MVC-framework based on Phalcon. OPNsense’s focus on security -brings unique features such as the option to use LibreSSL instead of OpenSSL -(selectable in the GUI). +brings unique features such as easy to use one time password authentication for various components. The robust and reliable update mechanism gives OPNsense the ability to provide important security updates in a timely fashion. diff --git a/source/manual/firmware.rst b/source/manual/firmware.rst index 4c731d79..9564dab6 100644 --- a/source/manual/firmware.rst +++ b/source/manual/firmware.rst @@ -59,13 +59,6 @@ Settings The settings menu contains all available mirrors and options which you can choose for your installation. Usually the default options are good enough here, but if you want to choose a mirror more close to home you can do so here. -OPNsense supports two flavours for its TLS crypto stack, OpenSSL and LibreSSL. Our standard is `OpenSSL `__, but some more -security minded people favor OpenBSD's `LibreSSL `__ - -.. Note:: - - Since OpenSSL is more widely used, some software packages are not compatible with LibreSSL. - .. Tip:: diff --git a/source/manual/install.rst b/source/manual/install.rst index 0be05e47..5e52b70c 100644 --- a/source/manual/install.rst +++ b/source/manual/install.rst 
@@ -217,17 +217,6 @@ Media Filename Composition repository, see `README `__ --------------------- -OpenSSL and LibreSSL --------------------- - -OPNsense images are provided based upon `OpenSSL `__. -The `LibreSSL `__ flavor can be selected from within -the GUI (:menuselection:`System --> Firmware --> Settings`). In order to apply your choice an update -must be performed after save, which can include a reboot of the system. - -.. image:: ./images/firmware_flavour.png - ------------------------- Boot preparation diff --git a/source/manual/updates.rst b/source/manual/updates.rst index 35a3ade0..0566bdef 100644 --- a/source/manual/updates.rst +++ b/source/manual/updates.rst @@ -20,7 +20,6 @@ Update settings By navigating to :menuselection:`System --> Firmware --> Settings`, you can influence the firmware update settings: * **Fimware Mirror:** this influences where OPNsense tries to get its updates from. If you have troubles updating or searching for updates, or if your current mirror is running slowly, you can change it here. -* **Firmware Flavour:** OPNsense is available in different flavours. Currently, these flavours influence which cryptographic library to use: OpenSSL (the default) or its drop-in replacement LibreSSL. * **Release Type:** With this setting, you can switch between the regular fortnightly schedule of tested releases (Production) or the newest, not fully tested code (Development). **Please leave this setting on "Production", unless you fully understand the implications of switching.** -------------- From 045c1ebb7d14ec6eff86d69e336fda9c5942296c Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Thu, 2 Mar 2023 17:25:05 +0100 Subject: [PATCH 06/11] Firmware/Settings - Add "Activate the Business Edition" section --- source/manual/firmware.rst | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/source/manual/firmware.rst b/source/manual/firmware.rst index 9564dab6..39357032 100644 --- a/source/manual/firmware.rst 
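Review bot: the replacement sentence in the intro.rst hunk, "easy to use one time password authentication", needs hyphens to parse on first reading: "easy-to-use one-time password authentication".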
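Review bot: the updates.rst hunk removes the Firmware Flavour bullet but leaves the adjacent context line "**Fimware Mirror:**" misspelled; since this list is being touched anyway, fix it to "**Firmware Mirror:**" in the same commit.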
+++ b/source/manual/firmware.rst @@ -64,3 +64,34 @@ Usually the default options are good enough here, but if you want to choose a mi The settings menu also provides the option to test development versions, which can be practical when testing features that are planned for release. Just change the release type to **Development**. + + +Activate the Business Edition +........................................... + +When you have purchased a license for the Business Edition or received it pre-installed on an appliance, you will +have to enable the license first. + +In order to do so, please choose the following settings: + +============== ================================================================================== +Mirror: Deciso (HTTPS,NL,Commercial) +Flavour: OpenSSL +Type: Business +Subscription: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (the activation key for the product) +============== ================================================================================== + + +.. image:: ../hardware/images/quickstart_be.png + :width: 500px + + +After save, go back to the status tab and click **Check for updates** + + +.. Note:: + + Upgrading to OPNsense BE is only possible when the installed community version number is lower than the + last available business edition. E.g. you can upgrade **22.7.x** to **22.10.x**, but you can not upgrade + **23.1** to **22.10**. You can always re-install using the installer found on the `business mirror `__ + From ced7ffee37bbcbfe6a2b18adf7a870c0d6b1dfb0 Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Sat, 4 Mar 2023 10:08:59 +0100 Subject: [PATCH 07/11] ditch Libre, undo install.rst to prevent merge conflicts in https://github.com/opnsense/docs/pull/456 --- source/manual/install.rst | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/source/manual/install.rst b/source/manual/install.rst index 5e52b70c..0be05e47 100644 --- a/source/manual/install.rst +++ b/source/manual/install.rst 
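Review bot: the settings table in this hunk still has a "Flavour: OpenSSL" row, which contradicts the previous commit in this series ("ditch Libre") that removes the flavour setting from the firmware documentation; either drop the row or state that it only applies to releases that still offer a flavour choice. Smaller points: "After save, go back to the status tab and click **Check for updates**" is missing its full stop, and the Subscription placeholder should say that the activation key is a credential tied to the purchase and should be kept out of screenshots and shared configurations.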
@@ -217,6 +217,17 @@ Media Filename Composition repository, see `README `__ +-------------------- +OpenSSL and LibreSSL +-------------------- + +OPNsense images are provided based upon `OpenSSL `__. +The `LibreSSL `__ flavor can be selected from within +the GUI (:menuselection:`System --> Firmware --> Settings`). In order to apply your choice an update +must be performed after save, which can include a reboot of the system. + +.. image:: ./images/firmware_flavour.png + ------------------------- Boot preparation From 28ca1324d10f6ef42edfde5f812c49335692057f Mon Sep 17 00:00:00 2001 From: Nick H Date: Sat, 4 Mar 2023 04:26:30 -0500 Subject: [PATCH 08/11] Update install.rst (#456) --- source/manual/images/opnsense_console.png | Bin 0 -> 9644 bytes source/manual/images/opnsense_liveenv.png | Bin 0 -> 12088 bytes source/manual/install.rst | 508 ++++++++++++---------- 3 files changed, 289 insertions(+), 219 deletions(-) create mode 100644 source/manual/images/opnsense_console.png create mode 100644 source/manual/images/opnsense_liveenv.png 
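Review bot: this hunk re-adds the "OpenSSL and LibreSSL" section that the earlier "ditch Libre" commit removed, solely to avoid a merge conflict with https://github.com/opnsense/docs/pull/456 according to the commit message; that leaves the docs advertising a GUI flavour switch the series is retiring. Suggest a follow-up commit that removes the section again once #456 lands, and a note in this commit message that the re-addition is temporary.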
diff --git a/source/manual/images/opnsense_console.png b/source/manual/images/opnsense_console.png new file mode 100644 index 0000000000000000000000000000000000000000..a9c086845ea05c2eb254afdf95e1d8636bcee3c8 GIT binary patch literal 9644
[base85-encoded PNG payload omitted]
literal 0 HcmV?d00001
diff --git a/source/manual/images/opnsense_liveenv.png b/source/manual/images/opnsense_liveenv.png new file mode 100644 index 0000000000000000000000000000000000000000..a68ba827af3ba0fac7724b404e968e8e793927a1 GIT binary patch literal 12088 zcmcI~byQSe`|lw{8l|KW5$T4ZTR<2Fq+@8LhYo3wRFO~`BuBbC1S#nmkZxv11W7@< zxqN^3-gV#iuJ!(N*YEB>&e{8%v-e(SJ)fuc^Lh7DQa1c1kY+H(axzlGgwXzFSiseE?D2f+vg$DZo)>Kf>Az*en$%d>q3ODGHOUWHz|o#5Mra$R}Q{T&QVm7R|D2vE-b`zg|~BK6upUy9sjYOYs|{6_egNQYC_ON^o5@x5@kdW0QI;GlPdJZn)cg| z>}kU0m0}zhYtGpiGOE8i;Q;81Fq?zgINjp<HCG~4eSvx$~>VE$uk{L4p2F7}fP)4ax?jL8>uMMi^Z z!~HiXb{_T(qlW*$YaQWS?L|{}0;}5DhD#DY1kiZx+E}}j!eB3(8Z5x_F~8oA1@&tM zXk!)jJJ3Ip{a;Nd)jY7f=OF;J+|Na}El$qIyOL!+=U>J*S@`TYvo%QG?!gj`LOX%? zPXh45e(%fX6a>#sQt`i@nda73e9D}G3~UZHWb8Q+k-_Pz$BqXxEDgq1YZ{iwwddYJ z$eo}pNoCUgm-pf2U&rHxKTPb>l7XM6iT)tTi)u&1>P4fRx1pkLKk`+zRbwaKvdmc} z9F*l~Ld!_syvGKN#L*o0u!d*E0#BL}<7GJ>jy^g)vsi4FCLb0$6-P+Xdu_xvmewZd z=pDl@i+E1Ct0B^y7H>~}!7oxSZ~>#_u~M-a$>`hD0nAFx>2dwQXRgk|(CvdJ1!1GL zseYI@mwF*-py7QW>=Kv3Shd2t&gLzZ&DiFQ-(<&m{{n3TJMlrxZ!kyoM{0eN`lf!) 
zFZ)r`ut2=9Vq6COT;~>|8=A)FqBhxh+9vmX5K0Q*4-atHoj*OyE2Bw!#Ma9K>_4F6 zbDLyV^zmNHIwriFXuh(yV$>D)F-njt(%mU+&Wy};-&e}u552%BJ5s<)IePo{XRG5V zFo30kc~+oc=(foV|I*NH_=8T1g~o?12}Sz!IT{3D*5;+Mep=sBSW(KSx|5y}uz8+S z2`L@Harw(TVGC}^{-gBccaQ}hxcqNP|JNNc@YKsnV+adKJ~RE9e0qDjI9uF`1N+nw zg}JW<@#M&WbZGa8nPJ}tfDV7R8F&UFyR`#rBiL$~%j|H7!c>vo(Zj+Tz!d`koh}xJ zCWpWVLeyRw^-rd)Z2On@W3hq314$pgs8|&!v%XZ_d=kavNB8q|<-?(rd6w4-A0V&K z0~=?}B~f17%u$@+mUqo{wEa{^sz|%On$lUGAlSFeIt|#}KM;tk^fUAbjyVRsjMG%l zSKA!BvTjhJA4ZpQiZ6zfc2GZ^Dlz=wo)jSSxBQv&a1bZ2)2h1%5T>%?X#dB~i+dJC zyt(Fnp?%*!1z{n1<4DvIIj^d14FFvo=cYnEe>raOfXs%c2wKP!3`rutYo99?5OD7w zB@Xm*pdXg)2-y`MXow~JomQip3T4Iu!s1SUjjJp$(0%j6d>QjFc}~4rc3lf0C!NF$ z_H5Oj-WdVS_I_3R>FY;X)*V)*w!?gmOWzCA0t6!~NiLe|9e1} z^FMA8*(O_jsMCWqI!NJIToT?sWG)fai921qbZRNsdqqAhGk0)|T}uF3Yg7H!bfEHD zA#95kXo);Er#jshP&~1oBd=xLl<5@9a1R7`%6q*!c^#ovDR%WSksrg`8ZuPe#Yr($ zvhX>tZfmG`)#3Y(ryLB*x@~JQ4mg$tVK$nz>Zg$ysd&D*r9?8>0bS#7tGvUk8p))h znPY`6@QQo0OKkVkhxc(Sd zka%HEBc_*&EN+=k@@IWnYDiMT<~{ksRa5XPLoEU6py3JJTL8!r>an8tmzAt|_M2)u zAhW;!vV+Y5eo>j!gmbyZCaBn;?UJ&VbdWvCFz=DK8S7F1;UqpktIo@~8(j(VSMh68dXj-nqqbCP+>Dz!OViil|eOx+%coqgujbmmCcC*#ucG1YD4bQ*9rP=E|E^A-W4ik(-qK>y)z!1>mCETq;WuThMZdCEo{!|t0l zyjdC&6O|VS_ASLXUb%$R;Rq1faa5}@(ISeRnsb7+=BpGf!VuQRg|4 zds|njkdExCARHi!4=d&dRI2%R;Orr#DNiAYJNYn1Is6UGcpT;9@>U(Pz3-0 z`Zw#+Gd7Dv3`6zJ*V!(2@6rQk?ITqmr`g`9sdjRyCacTB^RaX`EWk(B1ancV$M+wH%F z_Br&A$iEyTePY7PLcuJ}HMWw$T-$#)5dYny^t4&@-gQXl zY65Cc?DBFFetmms!4xVi7x)M7EpMoE`_m4&Bl%b^TjLNBHGixw8~=pY$*9}GrqE3| zY_*n}HM`}iGE0=5tbv1Nqz69p7!R=A4P&h_ybq2vjy_vIy^Q1B_Ter2qMy}MY6=KM zkDctj+;TLUJ}I#v`WVt9(B2Nt%C^`LF|YJE!V^3a!jDte*LFN@YE2 z+ET8Z;w&WW!X8%yIrucR2Tdh0+pLoap*cL_Q19^?60pkxof8%1Fs%_HH>ggx`Kz`!m5yo0H`&R;yie z=kUzbuE+UT8{+f%w+0ufUTNBh2O%O3bDC1U1JbGjosr zVlAAs7p|nV?RpdN;_3J?G_zS#Iqw}PT@5RY9*?0n^H7%}-NjV2{`fmXrDPhk`eR%G zEaE~cvCQ@Mx-qVqr+1U{F3>U^E!LI(dmW+*`aSPrfDNRx zp=o~jB^%H%6pxXZ`SbSWjb*L0n#X;_C5_lpyKTbx*DdDX!dE{ zqS7FM?Yd*1{yc&C4oU2~!`cDG{gK)wI{x};m4i)FN4)j(gK+1jW)p5$!reCivC(J* 
zLn~^c_ye8JHgS8qTxu~Jrzpi2{`z9@VY$?mVc9Liyv#uVD?B&wkM>X_WAiLO#)NJ> zyyQoKM)>ss2xCMvrVWmO$MKwg%?jD}#Z7&N6cKQdjNA1KTioP@gx9u?7Cn0*F4VmR zE$&rG!FS`N&>$;kG%yEhg1S5;*Ce^t(^(c;oDt)!s*v&iC^)~if{~xOI>AZH_=-X0 z6#EV}eJ3XB%Q&|Z}@QZN^Di;oZ zcdKXj&?`Z0MY2Vmo^A3$uU&eUe-ZWX#-!Y=o8qd$Qz9HE5nBQ~i*L9DM?D8swIM2AAc~dhU zJ%G6fV5w&9l~lc9rto5@b^^11$X#9N*Aii942CWCZ=1T#=@3-&hL6A}R(k2z9c4faB;2HR0JRfxqXMg%xx=@orq+`Ig;g$bvypb>~M>bv3DkUWXE01BOMk*y zDd3RJpq4gJoPGR>;_1Qd*=4DOTX+<7IJ#cwFLi&fOE?%jP7F7sCexynjkh#M7@Z7x0Z znB8bNlf^1ZGh`ZjBUAM5 z6w6X{^Y69gmpZXSvXVCkuYLrQs4@E&kSK*0wv=U}Pc5#_CE4^R@^$GI^XJGLY$Z$; z6|_MF<(XrtX%Y&MpiWaxL!UX5?drzfXNDP)_n}qg=T6fYpm(N4{W1EbamoXubey?Q z!a}MnknS54bFqG(h1d}l&&gQN*M}W4%6=D^iHo>)$tLZ(UMoq4m%}-!I@IFN{a8M7 zAZdQ$U?y24U!7sC6N;<9skti2w6xq_;p`Tq>4E!4<~}gij!xZ7wwyXb74*Gw{x!kF zKZT0ps^0f}y(O?zgB2en=}!UGpC1r_X@hmcbAoIqDZ}ZtmMHi_^AchiZ#F+#lHsIM zh?IyKC>qC%`mkvGit~(sVhP7QK?+(B1`A!g6MFaDFeUT7RgspR{bh^f2i9*D!xg`o zaGP(fYUWCXaC12eAC=UdOZNM-5Xc5uJ~N1k=6d$DC2O+ARjoYoZmoviGB5nG1BCYk zUPaF(SADr=JYHK(;&i4A9ZW08GSMo1U$+u}yCa~t+RDGm-t#q#!fg}u%;3z%TUKq! 
`__ bit microprocessor +for the `x86-64 `__ microprocessor architecture only. ---------------- Embedded vs Full ---------------- -Full installs can run on `SD memory -cards `__, `solid-state -disks (SSD) `__ or -`hard disk drives +OPNsense offers two Image types with all major releases: embedded and full images. +The Embedded Image is intended for environments where preinstalling +the storage media is required due to a lack of local resources on the firewall +like storage, and/or console access (VGA/Serial). The image is tailored to reduce +write cycles as well, but the image can be used anywhere. Another reason for the +Embedded Image is to eliminate the need for local console access for installing OPNsense. +Installation is managed by prewriting the image to a storage device, installing the +storage device, and booting the system. + +Full Images provide installation tools like OPNsense Importer, Live Environment, +and Installer. Full Images are released to support different console/hardware installation +requirements. + +Both image types can be installed and run from virtual disks (VM), `SD memory +cards `__, +USB disks, `solid-state +disks (SSD) `__, or `hard disk drives (HDD) `__. -Since version 15.1.10 (04 May 2015) the option to install an -`embedded `__ -OPNsense image is also supported. - -The main differences between an embedded image and a full image are: +The main differences between embedded and full images are: +-----------------------+-----------------------+ | Embedded | Full | 
@@ -50,117 +59,55 @@ The main differences between an embedded image and a full image are: +-----------------------+-----------------------+ -Embedded images (nano) store logging and cache data in memory only, while full versions +Embedded image store logging and cache data in memory only, while full versions will keep the data stored on the local drive. A full version can mimic the behavior of an embedded version by enabling RAM disks, this is especially useful for SD memory card installations. .. Warning:: - See the chapter :doc:`Hardware Setup ` for - further information on hardware requirements prior to an install. - -------------------------- -Download and verification -------------------------- - -The OPNsense distribution can be `downloaded `__ -from one of our `mirrors `__. - -The OpenSSL tool is used for file verification. -4 files are needed for verification: - -* The bzip compressed ISO file (.iso.bz2) -* The SHA-256 checksum file (.sha256) -* The signature file (.sig) -* The openssl public key (.pub) - -These files can be downloaded from one of the download mirrors. To download them: - -1. Go to the OPNSense `download `__ page. -2. After selecting a mirror, right click the download button and click "open in new tab". -3. A popup will appear asking if you want to download the image. Say "no" for now. -4. Remove the file name after the last slash in the URL bar, and press enter. This will take you to the directory listing for that mirror. - -I.e. If you wanted to download from the US East Coast mirror: - -Opening the link in a new tab would take you to this link: - -``mirror.wdc1.us.leaseweb.net/opnsense/releases/22.7/OPNsense-22.7-OpenSSL-dvd-amd64.iso.bz2`` - -You should take off the file name at the end, like this: - -``mirror.wdc1.us.leaseweb.net/opnsense/releases/22.1/`` - -The OpenSSL public key is required to verify against. This file is also on -the mirror directory listing page, however you should not trust the copy -there. 
Download it, open it up, and verify that the public key matches the -one from other sources. If it does not, the mirror may have been hacked, -or you may be the victim of a man-in-the-middle attack. Some other sources -to get the public key from include: - -* https://pkg.opnsense.org/releases/mirror/README -* https://forum.opnsense.org/index.php?board=11.0 -* https://opnsense.org/blog/ -* https://github.com/opnsense/changelog/tree/master/community -* https://pkg.opnsense.org (///sets/changelog.txz) (lands signed and verified in the GUI of the running software) - -Note that only release announcements with images (typically all major -releases) contain the public key. I.e. 22.1 would have a copy of the public -key in the release announcement, but 22.1.9 would not. - -Once you have downloaded all the required files and a copy of the public key, -and verified that the public key matches the public key from the alternate -sources listed above, you can be relatively certain that the key has not -been tampered with. To verify the downloaded image, run the following -commands (substituting the names in brackets for the files you downloaded): - -``openssl base64 -d -in .sig -out /tmp/image.sig`` - -``openssl dgst -sha256 -verify .pub -signature /tmp/image.sig .img.bz2`` - -Make sure to change the "img" to "iso" in the second line if you downloaded -a different installer type. - -If the output of the second command is "Verified OK", your image was verified -successfully, and you can install it. If it has any other output, you may have -made an error using the commands, or the image may have been compromised. + See the chapter :doc:`Hardware Sizing & Setup ` for further information + on hardware requirements prior to an install. 
------------------ -Installation Media +Installation Images ------------------ -Depending on you hardware and use case different installation media are provided: - -+--------+---------------------------------------------------+ -|Type | Description | -+========+===================================================+ -| dvd | ISO installer image with live system capabilities | -| | running in VGA-only mode with UEFI support | -+--------+---------------------------------------------------+ -| vga | USB installer image with live system capabilities | -| | running in VGA-only mode with UEFI support | -+--------+---------------------------------------------------+ -| serial | USB installer image with live system capabilities | -| | running in serial console (115200) mode only | -| | with UEFI support | -+--------+---------------------------------------------------+ -| nano | A preinstalled image for >=4 GB USB sticks, | -| | SD or CF cards for use with embedded devices | -| | running in serial console (115200) mode with | -| | secondary VGA support (no kernel messages though) | -+--------+---------------------------------------------------+ +Depending on your hardware and use case, different installation options are available: + ++--------+---------------------------------------------------+------------+ +| Type | Description | Image Type | ++========+===================================================+============+ +| dvd | ISO image boots into a live environment in | Full | +| | VGA-only mode with UEFI support | | ++--------+---------------------------------------------------+------------+ +| vga | USB image boots into a live environment | Full | +| | in VGA-only mode with UEFI support | | ++--------+---------------------------------------------------+------------+ +| serial | USB image boots into live environment running in | Full | +| | serial console (115200) mode only with | | +| | UEFI support | | 
++--------+---------------------------------------------------+------------+ +| nano | Image for preinstalling onto >=4 GB USB drives, | Embedded | +| | SD, or CF cards for use with embedded devices | | +| | running in serial console (115200) mode with | | +| | secondary VGA support (no kernel messages though) | | ++--------+---------------------------------------------------+------------+ -.. Warning:: - - Flash memory cards will only tolerate a limited number of writes - and re-writes. For embedded (nano) versions memory disks for /var and /tmp are - applied by default to prolong CF (flash) card lifetimes. +.. Note:: + All Full Image types can run both **`OPNsense Importer `** + before booting into the Live environment and also run + **`Installer `** once booted into the Live environment. - To enable for non embedded versions: Go to :menuselection:`System --> Settings --> Miscellaneous --> Disk / Memory Settings`, - change the setting, then reboot. Consider to enable an external syslog server as well. +.. Warning:: + Flash memory cards will only tolerate a limited number of writes and re-writes. For + Nano image memory disks for **/var/log** and **/tmp** are applied by + default to prolong CF (flash) card lifetimes. + + To enable non-embedded versions: Go to :menuselection:`System --> Settings --> Miscellaneous --> Disk / Memory Settings`, + change the setting, then reboot. Consider enabling an external syslog server as well. ------------------------------ -Media Filename Composition +Image Filename Composition ------------------------------ .. blockdiag:: 
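Review bot: in the Installation Images note of the @@ -50,117 +59,55 hunk, ``**`OPNsense Importer `**`` and ``**`Installer `**`` wrap a hyperlink reference in bold, and reStructuredText does not nest inline markup, so the rendered page will show literal asterisks and backticks; drop the ``**`` and use plain anonymous links (`Installer <...>`__). Two smaller points in the same hunk: "Embedded image store logging and cache data" should read "Embedded images store ...", and "To enable non-embedded versions:" lost the "for" of the original wording ("To enable for non-embedded versions").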
@@ -209,77 +156,100 @@ Media Filename Composition } .. Note:: + **Please** be aware that the latest installation media does not always correspond + with the latest released version available. OPNsense installation images are provided + on a scheduled basis with major release versions in January and July. More information + on our release schedule is available from our package repository, see + `README `. We are encouraged to update + OPNsense after installation to be on the latest release available, see + `Update Page `. - **Please** be aware that the latest installation media does not always - correspond with the latest released version. OPNsense installation images are - provided on a regular basis together with major versions in January and July. - More information on our release schedule is available from our package - repository, see `README `__ +------------------------- +Download and Verification +------------------------- --------------------- -OpenSSL and LibreSSL --------------------- +The OPNsense distribution can be `downloaded `__ +from one of our `mirrors `__. -OPNsense images are provided based upon `OpenSSL `__. -The `LibreSSL `__ flavor can be selected from within -the GUI (:menuselection:`System --> Firmware --> Settings`). In order to apply your choice an update -must be performed after save, which can include a reboot of the system. +OpenSSL is used for image file verification. 4 files are needed for verification process: -.. image:: ./images/firmware_flavour.png +* The SHA-256 checksum file (.sha256) +* The bzip compressed Image file (..bz2) +* The signature file (..bz2.sig) +* The openssl public key (.pub) +Use one of the OPNsense mirrors to download these files: -------------------------- -Boot preparation -------------------------- +1. Go to the bottom of OPNSense `download `__ page. +2. Click one of the available mirrors closest to your location. +3. Download one of each file mentioned above for your Image type. 
-After preparing the installation media, we need to make sure we can access the console -(either via keyboard and [virtual]monitor or :doc:`serial connectivity`) and know how to -access the boot selection via the system bios. Often there's a (function) key one should press during initial boot. +The OpenSSL public key (.pub) is required to verify against. Although the file is +available on the mirror's repository, you should not trust the copy there. Download +it, open it up, and verify the public key matches the one from other sources. If it +does not, the mirror may have been hacked, or you may be the victim of a man-in-the-middle +attack. Some other sources to get the public key from include: -.. Tip:: +* https://pkg.opnsense.org/releases/mirror/README +* https://forum.opnsense.org/index.php?board=11.0 +* https://opnsense.org/blog/ +* https://github.com/opnsense/changelog/tree/master/community +* https://pkg.opnsense.org (/://sets/changelog.txz) - OPNsense devices from the `OPNsense shop `__ use :code:`` to enter the bios and boot selection - options. +.. Note:: + Only major release announcements for images contain the public key, and update + release announcements will not. i.e. 22.1 will have a copy of the public key in the release + announcement, but 22.1.9 will not. -.. Note:: +Once you download all the required files and verify that the public key matches +the public key found in one of the alternate sources listed above, you can be relatively +confident that the key has not been tampered with. To verify the downloaded image, run +the following commands (substituting the filenames in brackets for the files you downloaded): + +``openssl sha256 OPNsense-.bz2`` + +Match the checksum command output with the checksum vaules in file ``OPNsense--OpenSSL-checksums-amd64.sha256``. +If the checksums don't match, redownload your image file. If checksums match continue with the verification commands. 
+ +``openssl base64 -d -in OPNsense-.sig -out /tmp/image.sig`` + +``openssl dgst -sha256 -verify OPNsense-.pub -signature /tmp/image.sig OPNsense-.bz2`` + + +If the output of the second command is “**Verified OK**”, your image file was verified +successfully, and its safe to install from it. Any other outputs, and you may need +to check your commands for errors, or the image file may have been compromised. - Serial connectivity settings for DECXXXX devices can be found :doc:`here ` ------------------- -Installation Method +Installation Media ------------------- -Download the installation image from one of the mirrors listed on the `OPNsense -`__ website. +Now that you have downloaded and verified the installation image from above. You must unpack the +image file before you can write the image to disk. For Unix-like OSes use ``bzip2 -d OPNsense-.bz2`` +command. For Windows use an application like `7zip `_. The ``.bz2`` will +be removed from the end of the filename after command/applcation completes. -The easiest method of installation is the USB-memstick installer. If -your target platform has a serial interface choose the "serial" image. -If you need to know more about using the serial interface, -consult the :doc:`serial access how-to`. +After unpacking the image you can create the installation media. The easiest method to install +OPNsense is to use USB "`vga `_" +Image. If your target platform has a serial console interface choose the +“`serial `_” image. If you +need to know more about using the serial console interface, consult the :doc:`serial access how-to`. -Write the image to a USB flash drive (>=1 GB) or an IDE hard disk, -either with dd under FreeBSD or under Windows with physdiskwrite +Write the image to a USB flash drive (>=1 GB) or hard disk, using either dd for Unix-like +OSes and for Windows use physdiskwrite, `Etcher `_, +or `Rufus `_. -Before writing an (iso) image you need to unpack it first (use bunzip2). 
**FreeBSD** :: - dd if=OPNsense-##.#.##-[Type]-[Architecture].img of=/dev/daX bs=16k + dd if=OPNsense-##.#.##-[Type]-[Architecture].img of=/dev/daX bs=16k Where X = the device number of your USB flash drive (check ``dmesg``) -**Linux** -:: - - dd if=OPNsense-##.#.##-[Type]-[Architecture].img of=/dev/sdX bs=16k - -where X = the IDE device name of your USB flash drive (check with hdparm -i /dev/sdX) -(ignore the warning about trailing garbage - it's because of the digital signature) - **OpenBSD** - :: dd if=OPNsense-##.#.##-[Type]-[Architecture].img of=/dev/rsd6c bs=16k 
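Review bot: the new checksum step in the Download and Verification part of the @@ -209,77 +156,100 hunk compares the image against a .sha256 file fetched from the same mirror, so a match only shows the download was not corrupted in transit; it says nothing about tampering, because whoever can alter the image on a mirror can alter the checksum file next to it. The ``openssl dgst -sha256 -verify`` step against the independently confirmed public key is what establishes authenticity, and the text should say so instead of presenting the checksum match as the gate before "the verification commands". Related: the public-key source list drops the original parenthetical for https://pkg.opnsense.org ("lands signed and verified in the GUI of the running software"), which is exactly why that copy can be trusted; keep it, and the leftover "(/://sets/changelog.txz)" reads as a mangled path. Wording and typos in the hunk: "4 files are needed for verification process" → "for the verification process", "vaules" → "values", "its safe" → "it's safe", "applcation" → "application", and the Installation Media paragraph opens with a fragment ("Now that you have downloaded and verified the installation image from above. You must ...") that should be one sentence.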
@@ -288,113 +258,213 @@ The device must be the ENTIRE device (in Windows/DOS language: the 'C' partition), and a raw I/O device (the 'r' in front of the device "sd6"), not a block mode device. -**macOS** +**Linux** +:: + + sudo dd if=OPNsense-##.#.##-[Type]-[Architecture].img of=/dev/sdX bs=16k + +where X = the IDE device name of your USB flash drive (check with hdparm -i /dev/sdX) +(ignore the warning about trailing garbage - it's because of the digital signature) +**macOS** :: - sudo dd if=OPNsense-##.#.##-[Type]-[Architecture].img of=/dev/rdiskX bs=64k + sudo dd if=OPNsense-##.#.##-[Type]-[Architecture].img of=/dev/rdiskX bs=64k where r = raw device, and where X = the disk device number of your CF card (check Disk Utility) (ignore the warning about trailing garbage - it's because of the digital signature) **Windows** - :: - physdiskwrite -u OPNsense-##.#.##-[Type]-[Architecture].img + physdiskwrite -u OPNsense-##.#.##-[Type]-[Architecture].img (use v0.3 or later!) +------------------------- +System Boot Preparation +------------------------- + +After preparing the installation media, we need to make sure we can access the console +(either via keyboard and [virtual]monitor or :doc:`serial connectivity`). Next we need to know +how to access the boot menu or the system bios (UEFI) to boot from the installation media. Most times will be a function +(F#), Del, or ESC key that needs to pressed immediately after powering on (or rebooting) the system. Usually within the +first 2 to 3 seconds from powering up. + + +.. Tip:: + + OPNsense devices from the `OPNsense shop `__ use :code:`` to enter the bios and boot selection + options. + +.. Note:: + + Serial connectivity settings for DECXXXX devices can be found :doc:`here ` + + +------------------------- +Installation Instructions +------------------------- + +.. + Comment: Not sure how rubric:: are used. I would like to replace Installation Instructions rubric with + section above. I also don't know how :name: work + .. 
rubric:: Install Instructions :name: install-to-system -The boot process gives you the opportunity to run several optional configuration -steps. It has been designed to always boot into a live environment in order to -be able to access the GUI or even SSH directly. If a timeout was missed simply -restart the boot procedure. +OPNsense installation boot process allows us to run several optional configuration steps. The +boot process was designed to always boot into the live environment, allowing us to access the +GUI or even SSH directly. If a timeout was missed, restart the boot procedure. OPNsense Importer ----------------- -All images feature the new "opnsense-importer" utility, which is now invoked -instead of the early installer. You can stop the automatic timeout by pressing -any key. Afterwards you will have the opportunity to select a disk to import -from. If the option times out or the importer is exited without a disk selection, -the factory defaults will be used for the boot. +All Full Images have the OPNsense Importer feature that offers flexibility in +recovering failed firewalls, testing new releases without overwriting the current +installation by running the new version in memory with the existing configuration +or migrating configurations to new hardware installations. Using Importer is slightly +different between previous installs with existing configurations on disk vs new +installations/migrations. + +For systems that have OPNsense installed, and the configuration intact. Here is the process: + +#. Boot the system with installation media +#. Press any key when you see **“Press any key to start the configuration importer”**. + + #. If you see OPNsense logo you have past the Importer and will need to reboot. + +#. Type the device name of the existing drive that contains the configuration and press enter. + + #. If Importer is successful, the boot process will continue into the Live environment using + the stored configuration on disk. + #. 
If Importer was unsuccessful, we will returned to the device selection prompt. Confirm the + device name is correct and try again. Otherwise, there maybe possible disk corruption and + restoring from backup. -The next prompt will be for manual interface selection. -This step is well-established since OPNsense 15.7 . +At this point the system will boot up with a fully functional firewall in Live enironment using existing configuration +but will not overwrite the previous installation. Use this feature for safely previewing or testing upgrades. -Live environment +For New installations/migrations follow this process: + +#. We must have a 2nd USB drive formatted with FAT or FAT32 File system. + + #. Preferable non-bootable USB drive. + +#. Create a **conf** directory on the root of the USB drive +#. Place an *unencrypted* .xml into /conf and rename the file to **config.xml** + +``/conf/config.xml`` + +#. Put both the Installation media and the 2nd USB drive into the system and power up / reboot. +#. Boot the system from the OPNsense Installation media via Boot Menu or BIOS (UEFI). +#. Press aany key when you see: **“Press any key to start the configuration importer”** +#. Type the device name of the 2nd USB Drive, e.g. `da0`, and press Enter. + + #. If Importer is successful, the boot process will continue into the Live environment using + the configuration stored on the USB drive. + #. If unsuccessful, importer will error and return us to the device selection prompt. Suggest + repeating steps 1-3 again. + +Live Environment ---------------- -The system will then continue into a live environment. If the config importer -was used previously on an existing installation, the system will boot up with a -fully functional setup, but will not overwrite the previous installation. Use -this feature for safely previewing upgrades. 
- -If you have used a DVD, VGA, Serial image you are by default able to log into -the root shell using the user "root" with password "opnsense" to operate the -live environment. - -The GUI will listen on https://192.168.1.1/ for user "root" with password -"opnsense" by default unless a previous configuration was imported. Using SSH, -the "root" and "installer" users are available as well on IP 192.168.1.1. Note -that these install medias are read-only, which means your current live -configuration will be lost after reboot. - -Nano image ----------- -If you have used a Nano image, your system is already up and running as it is -designed as such. It is set to read-write attempting to minimise write cycles by -mounting relevant partitions as memory file systems and reporting features -disabled by default. +.. + Should we state the ability to manually identify network adapters before entering the live environment? -Create a bootable USB flash drive with the downloaded and unpacked image -file. Configure your system to boot from USB. +.. image:: ./images/opnsense_liveenv.png -Install to target system ------------------------- -If you have used a DVD, VGA, Serial image you are by default able to start the -installer using the user "installer" with password "opnsense". On a previously -imported configuration the password will be the same as root's password. +After booting with an OPNsense Full Image (DVD, VGA, Serial), the firewall will +be in the Live environment with and without the use of OPNsense Importer. We +can interact with the Live environment via Local Console, GUI (HTTPS), or SSH. -Should the installer user not work for any reason, log in as user "root", select -option 8 from the menu and type "opnsense-installer". The "opnsense-importer" can -be run this way as well should you require to run the import again. +By default, we can log into the shell using the user `root` with the password +`opnsense` to operate the live environment via the local console. 
-The installer can always be run to clone an existing system, even for Nano -images. This can be useful for creating live backups for later recovery. +The GUI is accessible at `https://192.168.1.1/ ` using Username: +`root` Password: `opnsense` by default (unless a previous configuration was imported). + +Using SSH we can access the firewall at IP `192.168.1.1`. Both the `root` and `installer` +users are available, using password `opnsense`. + +.. Note:: + That the installation media is read-only, which means your current live configuration will + be lost after reboot. -The installation process involves a few simple steps. +Continue to :doc:`OPNsense Installer `` to install OPNsense to the local storage device. +OPNsense Installer +--------------------- .. Note:: To invoke the installer login with user **installer** and password **opnsense** +After successfully booting up with the OPNsense Full Image (DVD, VGA, Serial), +the firewall will be at the Live Environment's login: prompt. To start the +installation process, login with the user ``installer`` and password ``opnsense``. +If Importer was used to import an existing configuration, the installer and root +user password would be the root password from the imported configuration. + +If the installer user does not work, log in as user root and select: ``8) Shell`` +from the menu and type ``opnsense-installer``. The ``opnsense-importer`` can also +be run this way should you require to rerun the import. +.. + Is this process documented anywhere? I'm having hard time understanding how a live + backup is created. + +The installer can always be run to clone an existing system, even for Nano +images. This can be useful for creating live backups for later recovery. + .. Tip:: - The installer can also be started from the network using ssh, default ip - address is 192.168.1.1 - -#. Keymap selection - The default configuration should be fine for most - occasions. -#. Install (UFS|ZFS) - Choose either a UFS or ZFS filesystem. 
ZFS is in most - cases the best option as it is the most reliable option, but does require - enough memory (a couple of gigabytes at least). -#. Partitioning (ZFS) - Choose a device type. When using a single disk the - default option (stripe) is usually fine. -#. Continue with recommended swap (UFS) - Yes is usually fine here unless - the install target is very small (< 16GB) -#. Root Password - Choose a new root password -#. Complete Install - Exits the installer and reboots the machine -#. Reboot - The system is now installed and needs to be rebooted to - continue with configuration. + The installer can also be started from an inside host using ssh. Default ip + address is ``192.168.1.1`` + +The installation process involves the following steps: + +#. Keymap selection - The default configuration should be fine for most Occasions. +#. Install (UFS|ZFS) - Choose UFS or ZFS filesystem. ZFS is in most cases the best option + as it is the most reliable option, but it does require enough capacity (a couple of gigabytes at least). +#. Partitioning (ZFS) - Choose a device type. The default option (stripe) is usually acceptable + when using a single disk. +#. Disk Selection (ZFS) - Select the Storage device e.g. ``da0`` or ``nvd0`` +#. Last Chance! - Select Yes to continue with partitioning and to format the disk. However, doing + so will **destroy** the contents of the disk. +.. + The installer on 23.1 does not mention or ask about swap anymore. Suggest we remove? + +#. Continue with recommended swap (UFS) - Yes is usually fine here unless the install target + is very small (< 16GB) +#. Select Root Password - Change and confirm the new root password +#. Select Complete Install - Exits the installer and reboots the machine. The system is now installed + and ready for initial configuration. +.. + Suggest we remove the warning as the install steps above covers this. If we keep it, then we should move + it to the top of the installation process. 
Also, there isn't Quick/Easy Install option. Is there? .. Warning:: You will lose all files on the installation disk. If another disk is to be used then choose a Custom installation instead of the Quick/Easy Install. +Nano Image +---------- +.. + Commect: Moving Nano Image section after "Install to target system". We could move it + before "System Boot Preparation". Should we detail other default settings like interfaces, DHCP, etc? + Or are you prompted for interface assignment like Full Images? + +To use the nano image follow this process: + +#. Create the system disk with using the nano image. See :doc:`Installation Media` + how to write the nano image to disk. +#. Install the system disk drive into the system. +#. Configure the system (BIOS) to boot from this disk. +#. After the system boots, the firewall is ready to be configured. + +Using the Nano image for embedded systems, your firewall is already up and running. The configuration +settings to enable Memory Disks (RAM disks) that minimize write cycles to relevant partitions by +mounting these partitions in system memory and reporting features are disabled by default. + --------------------- -Initial configuration +Initial Configuration --------------------- After installation the system will prompt you for the interface assignment, if you ignore this then default settings are applied. From 349fed697443d82177f29cdf57e75644ea9debad Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Sat, 4 Mar 2023 10:35:06 +0100 Subject: [PATCH 09/11] install.rst fix some links and start with an index due to the length of the page (https://github.com/opnsense/docs/pull/456) --- source/manual/install.rst | 198 +++++++++++++++++++------------------- 1 file changed, 98 insertions(+), 100 deletions(-) diff --git a/source/manual/install.rst b/source/manual/install.rst index e0fb5ebc..19da1fd3 100644 --- a/source/manual/install.rst +++ b/source/manual/install.rst 
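Review bot: in the installer steps of the @@ -288,113 +258,213 hunk, rewriting "does require enough memory (a couple of gigabytes at least)" as "enough capacity" turns a RAM requirement into what reads as a disk-size requirement; ZFS's constraint is memory, so restore the original word. Structural problem in the same hunk: the ``#.`` auto-enumerated lists for the Importer migration procedure and for the installer steps are interrupted by the stand-alone ``/conf/config.xml`` literal and by ``..`` comment blocks, and an auto-enumerated list restarts at 1 after an intervening block, so the rendered numbers will not match references such as "repeating steps 1-3"; fold the literal into its list item and move the comments outside the lists. Content check: the Nano Image paragraph says the settings that enable memory disks "are disabled by default", while the Warning in Installation Images (and the original Nano text) say memory disks are applied by default for the Nano image; one of the two is wrong. Since the migration steps call for an *unencrypted* config.xml on a FAT USB drive, add a sentence telling readers to remove that drive after the import and erase it. The ``..`` comments holding open questions ("Not sure how rubric:: are used", "Suggest we remove?", "Is this process documented anywhere?") need answers before merge rather than shipping as comments. Markup: the GUI URL is wrapped in single backticks with no target, "Continue to :doc:`OPNsense Installer ``" has a stray extra backtick, and ".. Note:: That the installation media is read-only" should read "Note that ...". Spelling and grammar: "you have past the Importer" → "passed", "we will returned" → "we will be returned", "enironment", "aany key", "Commect", "Occasions", "with using the nano image", "needs to pressed" → "needs to be pressed", "Most times will be a function" → "Most times it will be a function", and "See :doc:`Installation Media` how to write" → "for how to write".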
@@ -2,14 +2,12 @@ Initial Installation & Configuration ===================================== -.. rubric:: Software setup - :name: firstHeading - :class: firstHeading page-header - .. Note:: Just looking on how to invoke the installer? When the live environment has been started just login with user **installer** and password **opnsense**. +.. contents:: Index + ------------ Architecture ------------ 
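Review bot: ``.. contents:: Index`` without ``:local:`` or ``:depth:`` lists the page title itself and every subsection level, which on a page this long becomes a large table; suggest adding ``:local:`` and ``:depth: 2`` (adjust to taste). Also, the removed rubric carried ``:class: firstHeading page-header``; check that no theme stylesheet targets that class before dropping it.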
@@ -23,20 +21,20 @@ Embedded vs Full ---------------- OPNsense offers two Image types with all major releases: embedded and full images. -The Embedded Image is intended for environments where preinstalling -the storage media is required due to a lack of local resources on the firewall -like storage, and/or console access (VGA/Serial). The image is tailored to reduce -write cycles as well, but the image can be used anywhere. Another reason for the -Embedded Image is to eliminate the need for local console access for installing OPNsense. -Installation is managed by prewriting the image to a storage device, installing the +The Embedded Image is intended for environments where preinstalling +the storage media is required due to a lack of local resources on the firewall +like storage, and/or console access (VGA/Serial). The image is tailored to reduce +write cycles as well, but the image can be used anywhere. Another reason for the +Embedded Image is to eliminate the need for local console access for installing OPNsense. +Installation is managed by prewriting the image to a storage device, installing the storage device, and booting the system. -Full Images provide installation tools like OPNsense Importer, Live Environment, -and Installer. Full Images are released to support different console/hardware installation -requirements. +Full Images provide installation tools like OPNsense Importer, Live Environment, +and Installer. Full Images are released to support different console/hardware installation +requirements. Both image types can be installed and run from virtual disks (VM), `SD memory -cards `__, +cards `__, USB disks, `solid-state disks (SSD) `__, or `hard disk drives (HDD) `__. 
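Review bot: apart from the fixed ``cards`` link line, this hunk is a trailing-whitespace cleanup; fine to keep, but the one real change is hidden among otherwise identical lines, so mention the whitespace cleanup in the commit message or split it into its own commit.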
@@ -65,7 +63,7 @@ behavior of an embedded version by enabling RAM disks, this is especially useful for SD memory card installations. .. Warning:: - See the chapter :doc:`Hardware Sizing & Setup ` for further information + See the chapter :doc:`Hardware Sizing & Setup ` for further information on hardware requirements prior to an install. ------------------ @@ -94,16 +92,16 @@ Depending on your hardware and use case, different installation options are avai +--------+---------------------------------------------------+------------+ .. Note:: - All Full Image types can run both **`OPNsense Importer `** - before booting into the Live environment and also run - **`Installer `** once booted into the Live environment. + All Full Image types can run both `OPNsense Importer `__ + before booting into the Live environment and also run + `Installer `__ once booted into the Live environment. .. Warning:: - Flash memory cards will only tolerate a limited number of writes and re-writes. For - Nano image memory disks for **/var/log** and **/tmp** are applied by + Flash memory cards will only tolerate a limited number of writes and re-writes. For + Nano image memory disks for **/var/log** and **/tmp** are applied by default to prolong CF (flash) card lifetimes. - - To enable non-embedded versions: Go to :menuselection:`System --> Settings --> Miscellaneous --> Disk / Memory Settings`, + + To enable non-embedded versions: Go to :menuselection:`System --> Settings --> Miscellaneous --> Disk / Memory Settings`, change the setting, then reboot. Consider enabling an external syslog server as well. ------------------------------ 
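Review bot: the link fix in the second hunk is correct (`**`OPNsense Importer `**` wraps a hyperlink in strong markup, which reStructuredText does not permit, and the anonymous `__` target is the right form), but the Warning line being rewritten still reads awkwardly: "For Nano image memory disks for **/var/log** and **/tmp** are applied by default" would be clearer as "For Nano images, memory disks for **/var/log** and **/tmp** are enabled by default". While touching it, say why "Consider enabling an external syslog server" matters: with /var/log on a memory disk, logs are lost on every reboot, so remote syslog is what preserves the audit trail.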
@@ -156,13 +154,13 @@ Image Filename Composition } .. Note:: - **Please** be aware that the latest installation media does not always correspond - with the latest released version available. OPNsense installation images are provided - on a scheduled basis with major release versions in January and July. More information - on our release schedule is available from our package repository, see - `README `. We are encouraged to update - OPNsense after installation to be on the latest release available, see - `Update Page `. + **Please** be aware that the latest installation media does not always correspond + with the latest released version available. OPNsense installation images are provided + on a scheduled basis with major release versions in January and July. More information + on our release schedule is available from our package repository, see + `README `__. We are encouraged to update + OPNsense after installation to be on the latest release available, see + `Update Page `__. ------------------------- 
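Review bot: "We are encouraged to update OPNsense after installation" has the wrong subject; since the line is rewritten anyway, make it "You are encouraged to update OPNsense after installation" (or "We recommend updating ..."). The `__` anonymous-target fix for the README and Update Page links is correct.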
@@ -185,10 +183,10 @@ Use one of the OPNsense mirrors to download these files: 2. Click one of the available mirrors closest to your location. 3. Download one of each file mentioned above for your Image type. -The OpenSSL public key (.pub) is required to verify against. Although the file is -available on the mirror's repository, you should not trust the copy there. Download -it, open it up, and verify the public key matches the one from other sources. If it -does not, the mirror may have been hacked, or you may be the victim of a man-in-the-middle +The OpenSSL public key (.pub) is required to verify against. Although the file is +available on the mirror's repository, you should not trust the copy there. Download +it, open it up, and verify the public key matches the one from other sources. If it +does not, the mirror may have been hacked, or you may be the victim of a man-in-the-middle attack. Some other sources to get the public key from include: * https://pkg.opnsense.org/releases/mirror/README 
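Review bot: this hunk only rewrites whitespace in the key-verification paragraph, so nothing here is wrong, but since it is the security-critical paragraph of the page, consider spelling out what "verify the public key matches the one from other sources" means in practice: compare the complete contents of the downloaded .pub with the copy obtained from one of the independent sources listed below it, not merely the file name or size.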
@@ -197,19 +195,19 @@ attack. Some other sources to get the public key from include: * https://github.com/opnsense/changelog/tree/master/community * https://pkg.opnsense.org (/://sets/changelog.txz) -.. Note:: - Only major release announcements for images contain the public key, and update - release announcements will not. i.e. 22.1 will have a copy of the public key in the release +.. Note:: + Only major release announcements for images contain the public key, and update + release announcements will not. i.e. 22.1 will have a copy of the public key in the release announcement, but 22.1.9 will not. -Once you download all the required files and verify that the public key matches -the public key found in one of the alternate sources listed above, you can be relatively -confident that the key has not been tampered with. To verify the downloaded image, run +Once you download all the required files and verify that the public key matches +the public key found in one of the alternate sources listed above, you can be relatively +confident that the key has not been tampered with. To verify the downloaded image, run the following commands (substituting the filenames in brackets for the files you downloaded): ``openssl sha256 OPNsense-.bz2`` -Match the checksum command output with the checksum vaules in file ``OPNsense--OpenSSL-checksums-amd64.sha256``. +Match the checksum command output with the checksum vaules in file ``OPNsense--OpenSSL-checksums-amd64.sha256``. If the checksums don't match, redownload your image file. If checksums match continue with the verification commands. ``openssl base64 -d -in OPNsense-.sig -out /tmp/image.sig`` 
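Review bot: the rewritten line still carries the typo "vaules" ("checksum vaules in file"), which should be "values". Also, the text presents a matching SHA256 checksum as a step toward trust, but the checksums file is fetched from the same mirror as the image, so a match only shows the download is intact; the `openssl dgst -sha256 -verify` step with the independently verified .pub is what establishes authenticity. Saying so explicitly (e.g. "a matching checksum only means the download is not corrupted; the signature verification below is what proves the image is genuine") would help readers understand why both steps exist.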
@@ -217,8 +215,8 @@ If the checksums don't match, redownload your image file. If checksums match co ``openssl dgst -sha256 -verify OPNsense-.pub -signature /tmp/image.sig OPNsense-.bz2`` -If the output of the second command is “**Verified OK**”, your image file was verified -successfully, and its safe to install from it. Any other outputs, and you may need +If the output of the second command is “**Verified OK**”, your image file was verified +successfully, and its safe to install from it. Any other outputs, and you may need to check your commands for errors, or the image file may have been compromised. 
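Review bot: "its safe to install from it" on the rewritten line should be "it's safe" (or "it is safe"), and "Any other outputs, and you may need to ..." reads better as "Any other output means you should check your commands for errors, or the image file may have been compromised."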
@@ -226,19 +224,19 @@ to check your commands for errors, or the image file may have been compromised. Installation Media ------------------- -Now that you have downloaded and verified the installation image from above. You must unpack the -image file before you can write the image to disk. For Unix-like OSes use ``bzip2 -d OPNsense-.bz2`` -command. For Windows use an application like `7zip `_. The ``.bz2`` will +Now that you have downloaded and verified the installation image from above. You must unpack the +image file before you can write the image to disk. For Unix-like OSes use ``bzip2 -d OPNsense-.bz2`` +command. For Windows use an application like `7zip `_. The ``.bz2`` will be removed from the end of the filename after command/applcation completes. -After unpacking the image you can create the installation media. The easiest method to install -OPNsense is to use USB "`vga `_" -Image. If your target platform has a serial console interface choose the -“`serial `_” image. If you +After unpacking the image you can create the installation media. The easiest method to install +OPNsense is to use USB "`vga `_" +Image. If your target platform has a serial console interface choose the +“`serial `_” image. If you need to know more about using the serial console interface, consult the :doc:`serial access how-to`. -Write the image to a USB flash drive (>=1 GB) or hard disk, using either dd for Unix-like -OSes and for Windows use physdiskwrite, `Etcher `_, +Write the image to a USB flash drive (>=1 GB) or hard disk, using either dd for Unix-like +OSes and for Windows use physdiskwrite, `Etcher `_, or `Rufus `_. 
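Review bot: the first rewritten sentence is a fragment: "Now that you have downloaded and verified the installation image from above. You must unpack the image file ..." should be joined into one sentence ("Now that you have downloaded and verified the installation image, you must unpack it before writing it to disk."). Quoting on the touched lines is also inconsistent: the vga image uses straight quotes ("`vga `_") while serial uses curly quotes (“`serial `_”); pick one. The unchanged context line below still has "applcation", which could be fixed in the same pass.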
@@ -287,9 +285,9 @@ System Boot Preparation ------------------------- After preparing the installation media, we need to make sure we can access the console -(either via keyboard and [virtual]monitor or :doc:`serial connectivity`). Next we need to know -how to access the boot menu or the system bios (UEFI) to boot from the installation media. Most times will be a function -(F#), Del, or ESC key that needs to pressed immediately after powering on (or rebooting) the system. Usually within the +(either via keyboard and [virtual]monitor or :doc:`serial connectivity`). Next we need to know +how to access the boot menu or the system bios (UEFI) to boot from the installation media. Most times will be a function +(F#), Del, or ESC key that needs to pressed immediately after powering on (or rebooting) the system. Usually within the first 2 to 3 seconds from powering up. 
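Review bot: the rewritten sentence is missing words: "Most times will be a function (F#), Del, or ESC key that needs to pressed" should read "Most times it will be a function (F#), Del, or ESC key that needs to be pressed". "system bios (UEFI)" should be "system BIOS (UEFI)", and "... the system. Usually within the first 2 to 3 seconds from powering up." leaves a fragment; merge it into the preceding sentence ("..., usually within the first 2 to 3 seconds after powering up").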
@@ -308,41 +306,41 @@ Installation Instructions ------------------------- .. - Comment: Not sure how rubric:: are used. I would like to replace Installation Instructions rubric with + Comment: Not sure how rubric:: are used. I would like to replace Installation Instructions rubric with section above. I also don't know how :name: work .. rubric:: Install Instructions :name: install-to-system -OPNsense installation boot process allows us to run several optional configuration steps. The -boot process was designed to always boot into the live environment, allowing us to access the +OPNsense installation boot process allows us to run several optional configuration steps. The +boot process was designed to always boot into the live environment, allowing us to access the GUI or even SSH directly. If a timeout was missed, restart the boot procedure. OPNsense Importer ----------------- -All Full Images have the OPNsense Importer feature that offers flexibility in -recovering failed firewalls, testing new releases without overwriting the current -installation by running the new version in memory with the existing configuration -or migrating configurations to new hardware installations. Using Importer is slightly -different between previous installs with existing configurations on disk vs new +All Full Images have the OPNsense Importer feature that offers flexibility in +recovering failed firewalls, testing new releases without overwriting the current +installation by running the new version in memory with the existing configuration +or migrating configurations to new hardware installations. Using Importer is slightly +different between previous installs with existing configurations on disk vs new installations/migrations. For systems that have OPNsense installed, and the configuration intact. Here is the process: #. Boot the system with installation media -#. Press any key when you see **“Press any key to start the configuration importer”**. +#. 
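Review bot: this hunk rewrites, and therefore keeps, an author-to-reviewer question inside an RST comment ("Comment: Not sure how rubric:: are used. I would like to replace Installation Instructions rubric with section above. I also don't know how :name: work"). That discussion belongs in the pull request, not in the shipped source; settle it here (either replace the rubric with a section heading as the comment proposes, or keep the rubric) and drop the comment. On the rewritten prose, "OPNsense installation boot process allows us" needs an article ("The OPNsense installation boot process ..."), and "vs new" should be "versus new".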
Press any key when you see **“Press any key to start the configuration importer”**. #. If you see OPNsense logo you have past the Importer and will need to reboot. - + #. Type the device name of the existing drive that contains the configuration and press enter. - #. If Importer is successful, the boot process will continue into the Live environment using - the stored configuration on disk. - #. If Importer was unsuccessful, we will returned to the device selection prompt. Confirm the - device name is correct and try again. Otherwise, there maybe possible disk corruption and + #. If Importer is successful, the boot process will continue into the Live environment using + the stored configuration on disk. + #. If Importer was unsuccessful, we will returned to the device selection prompt. Confirm the + device name is correct and try again. Otherwise, there maybe possible disk corruption and restoring from backup. -At this point the system will boot up with a fully functional firewall in Live enironment using existing configuration +At this point the system will boot up with a fully functional firewall in Live enironment using existing configuration but will not overwrite the previous installation. Use this feature for safely previewing or testing upgrades. For New installations/migrations follow this process: 
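Review bot: grammar on the rewritten list items: "we will returned to the device selection prompt" should be "we will be returned ...", and "Otherwise, there maybe possible disk corruption and restoring from backup." is not a sentence; something like "Otherwise the disk may be corrupted and a restore from backup may be needed." works. "Live enironment" in the rewritten paragraph should be "Live environment", and "you have past the Importer" on the context line should be "passed".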
@@ -350,20 +348,20 @@ For New installations/migrations follow this process: #. We must have a 2nd USB drive formatted with FAT or FAT32 File system. #. Preferable non-bootable USB drive. - + #. Create a **conf** directory on the root of the USB drive #. Place an *unencrypted* .xml into /conf and rename the file to **config.xml** ``/conf/config.xml`` -#. Put both the Installation media and the 2nd USB drive into the system and power up / reboot. +#. Put both the Installation media and the 2nd USB drive into the system and power up / reboot. #. Boot the system from the OPNsense Installation media via Boot Menu or BIOS (UEFI). #. Press aany key when you see: **“Press any key to start the configuration importer”** #. Type the device name of the 2nd USB Drive, e.g. `da0`, and press Enter. - #. If Importer is successful, the boot process will continue into the Live environment using + #. If Importer is successful, the boot process will continue into the Live environment using the configuration stored on the USB drive. - #. If unsuccessful, importer will error and return us to the device selection prompt. Suggest + #. If unsuccessful, importer will error and return us to the device selection prompt. Suggest repeating steps 1-3 again. Live Environment 
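Review bot: the procedure places an *unencrypted* config.xml on a FAT-formatted USB drive, and the rewritten steps end with "Suggest repeating steps 1-3 again" without ever saying what to do with that drive afterwards. Since the page itself stresses that the file is unencrypted, add a closing step to remove the drive and delete (or securely wipe) the config.xml once the import has succeeded, so an exported firewall configuration is not left lying on removable media. Minor: "Suggest repeating steps 1-3 again" reads better as "repeat steps 1-3", and the context line "Press aany key" has a typo that could be fixed in the same pass.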
@@ -373,21 +371,21 @@ Live Environment .. image:: ./images/opnsense_liveenv.png -After booting with an OPNsense Full Image (DVD, VGA, Serial), the firewall will -be in the Live environment with and without the use of OPNsense Importer. We +After booting with an OPNsense Full Image (DVD, VGA, Serial), the firewall will +be in the Live environment with and without the use of OPNsense Importer. We can interact with the Live environment via Local Console, GUI (HTTPS), or SSH. -By default, we can log into the shell using the user `root` with the password +By default, we can log into the shell using the user `root` with the password `opnsense` to operate the live environment via the local console. -The GUI is accessible at `https://192.168.1.1/ ` using Username: -`root` Password: `opnsense` by default (unless a previous configuration was imported). +The GUI is accessible at `https://192.168.1.1/ ` using Username: +`root` Password: `opnsense` by default (unless a previous configuration was imported). -Using SSH we can access the firewall at IP `192.168.1.1`. Both the `root` and `installer` -users are available, using password `opnsense`. +Using SSH we can access the firewall at IP `192.168.1.1`. Both the `root` and `installer` +users are available, using password `opnsense`. .. Note:: - That the installation media is read-only, which means your current live configuration will + That the installation media is read-only, which means your current live configuration will be lost after reboot. Continue to :doc:`OPNsense Installer `` to install OPNsense to the local storage device. 
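Review bot: the rewritten note begins "That the installation media is read-only", which renders as "Note: That the ..."; drop "That". These lines state that in the live environment the GUI at https://192.168.1.1/ and SSH are reachable with the default `root`/`opnsense` (and `installer`/`opnsense`) credentials; it is worth adding that these defaults remain in force until the installer's "Select Root Password" step, so the live system should not be attached to an untrusted network before installation completes. The context line "Continue to :doc:`OPNsense Installer `` to install ..." also appears to have an unbalanced backtick; please confirm it renders.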
@@ -398,18 +396,18 @@ OPNsense Installer To invoke the installer login with user **installer** and password **opnsense** -After successfully booting up with the OPNsense Full Image (DVD, VGA, Serial), -the firewall will be at the Live Environment's login: prompt. To start the -installation process, login with the user ``installer`` and password ``opnsense``. -If Importer was used to import an existing configuration, the installer and root -user password would be the root password from the imported configuration. +After successfully booting up with the OPNsense Full Image (DVD, VGA, Serial), +the firewall will be at the Live Environment's login: prompt. To start the +installation process, login with the user ``installer`` and password ``opnsense``. +If Importer was used to import an existing configuration, the installer and root +user password would be the root password from the imported configuration. -If the installer user does not work, log in as user root and select: ``8) Shell`` -from the menu and type ``opnsense-installer``. The ``opnsense-importer`` can also +If the installer user does not work, log in as user root and select: ``8) Shell`` +from the menu and type ``opnsense-installer``. The ``opnsense-importer`` can also be run this way should you require to rerun the import. .. - Is this process documented anywhere? I'm having hard time understanding how a live - backup is created. + Is this process documented anywhere? I'm having hard time understanding how a live + backup is created. The installer can always be run to clone an existing system, even for Nano images. This can be useful for creating live backups for later recovery. 
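Review bot: another draft question ("Is this process documented anywhere? I'm having hard time understanding how a live backup is created.") is being rewritten into the source instead of resolved; either document how the installer clones an existing system (the sentence right after the comment asserts it "can always be run to clone an existing system") or leave that claim out, and remove the comment. Grammar on the touched lines: "the installer and root user password would be the root password" should be "will be", and "should you require to rerun the import" should be "should you need to rerun the import".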
@@ -421,23 +419,23 @@ images. This can be useful for creating live backups for later recovery. The installation process involves the following steps: #. Keymap selection - The default configuration should be fine for most Occasions. -#. Install (UFS|ZFS) - Choose UFS or ZFS filesystem. ZFS is in most cases the best option +#. Install (UFS|ZFS) - Choose UFS or ZFS filesystem. ZFS is in most cases the best option as it is the most reliable option, but it does require enough capacity (a couple of gigabytes at least). -#. Partitioning (ZFS) - Choose a device type. The default option (stripe) is usually acceptable +#. Partitioning (ZFS) - Choose a device type. The default option (stripe) is usually acceptable when using a single disk. #. Disk Selection (ZFS) - Select the Storage device e.g. ``da0`` or ``nvd0`` -#. Last Chance! - Select Yes to continue with partitioning and to format the disk. However, doing +#. Last Chance! - Select Yes to continue with partitioning and to format the disk. However, doing so will **destroy** the contents of the disk. .. The installer on 23.1 does not mention or ask about swap anymore. Suggest we remove? -#. Continue with recommended swap (UFS) - Yes is usually fine here unless the install target +#. Continue with recommended swap (UFS) - Yes is usually fine here unless the install target is very small (< 16GB) #. Select Root Password - Change and confirm the new root password -#. Select Complete Install - Exits the installer and reboots the machine. The system is now installed +#. Select Complete Install - Exits the installer and reboots the machine. The system is now installed and ready for initial configuration. .. - Suggest we remove the warning as the install steps above covers this. If we keep it, then we should move + Suggest we remove the warning as the install steps above covers this. If we keep it, then we should move it to the top of the installation process. Also, there isn't Quick/Easy Install option. Is there? .. Warning:: 
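Review bot: the rewritten comment "The installer on 23.1 does not mention or ask about swap anymore. Suggest we remove?" and the one after the list ("Suggest we remove the warning ... Also, there isn't Quick/Easy Install option. Is there?") are open questions that should be settled in this PR rather than committed; if 23.1 no longer prompts for swap, drop the "Continue with recommended swap (UFS)" step (or mark it as applying to earlier releases) and delete the comment. Style on the touched lines: "ZFS is in most cases the best option as it is the most reliable option" repeats "option", and "most Occasions" should be lower-case.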
@@ -446,21 +444,21 @@ The installation process involves the following steps: Nano Image ---------- -.. +.. Commect: Moving Nano Image section after "Install to target system". We could move it before "System Boot Preparation". Should we detail other default settings like interfaces, DHCP, etc? Or are you prompted for interface assignment like Full Images? To use the nano image follow this process: -#. Create the system disk with using the nano image. See :doc:`Installation Media` +#. Create the system disk with using the nano image. See :doc:`Installation Media` how to write the nano image to disk. #. Install the system disk drive into the system. #. Configure the system (BIOS) to boot from this disk. #. After the system boots, the firewall is ready to be configured. -Using the Nano image for embedded systems, your firewall is already up and running. The configuration -settings to enable Memory Disks (RAM disks) that minimize write cycles to relevant partitions by +Using the Nano image for embedded systems, your firewall is already up and running. The configuration +settings to enable Memory Disks (RAM disks) that minimize write cycles to relevant partitions by mounting these partitions in system memory and reporting features are disabled by default. --------------------- From b93ca29af362a4d9dc5ac4a67ab9e4d791c5c3e6 Mon Sep 17 00:00:00 2001 From: Joseph Shanak Date: Sat, 4 Mar 2023 14:10:54 -0600 Subject: [PATCH 10/11] Fix typo (#458) --- source/manual/how-tos/self-signed-chain.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/manual/how-tos/self-signed-chain.rst b/source/manual/how-tos/self-signed-chain.rst index d64dce7f..e5f0b410 100644 --- a/source/manual/how-tos/self-signed-chain.rst +++ b/source/manual/how-tos/self-signed-chain.rst 
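Review bot: the touched list item "Create the system disk with using the nano image" should be "Create the system disk using the nano image", and the closing paragraph runs several ideas into one sentence ("The configuration settings to enable Memory Disks (RAM disks) that minimize write cycles ... and reporting features are disabled by default"); split it so it is clear that memory disks and reporting are off by default and where each is enabled. The context line "Commect:" is a typo for "Comment:", and like the other in-source notes in this patch, the question about moving the Nano Image section should be decided here rather than shipped.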
@@ -108,7 +108,7 @@ Have a look at the form, create an intermediate CA and save it. The Certificate --------------- -The thirth certificate will be a **server certificate** signed by the intermediate CA we just created. +The third certificate will be a **server certificate** signed by the intermediate CA we just created. This will also be the last one we create for this chain. Go to **Trust/Certificates** From d5f3033ae9778167c696151be27579757c3b873f Mon Sep 17 00:00:00 2001 From: Justin Horton <18197817+justinhorton@users.noreply.github.com> Date: Sun, 5 Mar 2023 01:51:26 -0800 Subject: [PATCH 11/11] Update "first" WireGuard instance number (#459) --- source/manual/how-tos/wireguard-client.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/manual/how-tos/wireguard-client.rst b/source/manual/how-tos/wireguard-client.rst index 9d83a334..93a9c536 100644 --- a/source/manual/how-tos/wireguard-client.rst +++ b/source/manual/how-tos/wireguard-client.rst @@ -102,7 +102,7 @@ Step 5(a) - Assign an interface to WireGuard (recommended) Finally, it allows separation of the firewall rules of each WireGuard instance (each :code:`wgX` device). Otherwise they all need to be configured on the default WireGuard group that OPNsense creates. This is more an organisational aesthetic, rather than an issue of substance - Go to :menuselection:`Interfaces --> Assignments` -- In the dropdown next to “New interface:”, select the WireGuard device (:code:`wg0` if this is your first one) +- In the dropdown next to “New interface:”, select the WireGuard device (:code:`wg1` if this is your first one) - Add a description (eg :code:`HomeWireGuard`) - Click **+** to add it, then click **Save** - Then select your new interface under the Interfaces menu
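Review bot: flipping `wg0` to `wg1` for "your first one" changes a factual claim that evidently depends on the OPNsense release; the hunk's own context already refers to "each :code:`wgX` device", so it would be safer to tell the reader to pick the device that appears in the "New interface:" dropdown for the instance they just created rather than hardcode either number, or to state from which release numbering starts at `wg1`. The "thirth" to "third" fix in the preceding patch is correct.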