GitHub: murosorg/muros
# MurOS
MurOS is an open source firewall appliance built on Debian 13, with every
network service built natively on top and managed from a single web UI. It
is a free, self-hosted alternative to pfSense, OPNsense and FortiGate:
web-managed, Debian-native, zero subscription, runs on any hardware Linux
runs on. It covers the 90% of small and mid-size business needs: stateful
filtering, NAT, routing, multi-WAN failover, VPN (WireGuard + IPsec), high
availability, DHCP, recursive DNS, SNMP and monitoring.

Website: [muros.org](https://muros.org)

## Why MurOS
- **Pure Debian, no fork.** Boots and debugs like a regular Debian 13 box.
`journalctl`, `nft`, `ip`, `systemctl` work as you expect, no custom CLI
on top of FreeBSD.
- **Single source of truth in SQLite.** The UI, the API and the boot-time
applier all read the same DB. No drift between running config and files.
- **Dry-run by default.** Every change is staged in DB first. The kernel
push only happens when you click Apply, and bad rulesets auto-rollback.
- **Drop-ins over file rewrites.** When a daemon supports drop-ins MurOS
uses them, so your native Debian config stays untouched and visible.
- **Two ways in.** Boot the installer ISO for a ready-to-run firewall, or
just `apt install muros` on an existing Debian 13. No custom kernel, no
fork either way.
## How it compares
How MurOS lines up against the common firewall appliances. Where MurOS says
planned, the feature is on the roadmap as a native core capability, not a
third-party plugin.
| Capability | FortiGate | pfSense | OPNsense | MurOS |
| --- | :---: | :---: | :---: | :---: |
| Stateful firewall | yes | yes | yes | yes |
| NAT (SNAT / DNAT) | yes | yes | yes | yes |
| IPsec site-to-site | yes | yes | yes | yes |
| WireGuard | recent | yes | yes | yes |
| HA (VRRP active/passive) | yes | yes | yes | yes |
| Multi-WAN failover | yes | yes | yes | yes |
| DHCP + recursive DNS | yes | yes | yes | yes |
| Web UI, no CLI required | yes | yes | yes | yes |
| Base OS | FortiOS | FreeBSD | FreeBSD | Debian 13 Linux |
| License | proprietary | Apache 2.0 | BSD 2-Clause | GPL v3 |
| IDS / IPS (Suricata) | yes | package | yes | planned |
| External auth (LDAP / RADIUS) | yes | yes | yes | planned |

MurOS runs on stock Debian, so it drives the full Linux hardware and driver
set: mini-PCs, rack servers, VMs on Proxmox or VMware, and recent or cheap
NICs that the BSD-based pfSense and OPNsense often will not. Side-by-side
detail at [muros.org](https://muros.org).
## Quick start
### Installer ISO (recommended)
Download the ISO from the [latest release](https://github.com/murosorg/muros/releases/latest),
write it to a USB key (`dd`, Rufus, balenaEtcher) or attach it to a VM,
and boot it. Pick **Install MurOS**, choose your keyboard layout, then the
LAN interface and its static IP (a firewall LAN is never DHCP). The rest
installs automatically and fully offline. After reboot, open
`https://` and log in:
- Login: `root`
- Password: `root` (change it right away)

Building the ISO yourself: see [`packaging/iso`](packaging/iso).
### On an existing Debian 13
Prerequisites: a freshly installed Debian 13 machine with root access and
one reachable interface.

```bash
curl -fsSL https://download.muros.org/install.sh | sudo bash
```

The installer registers the signed apt repository and installs the
package, so upgrades are just `apt update && apt install --only-upgrade
muros`. Then open `https://` in a browser:
- Login: `root`
- Password: the existing system root password (MurOS does not change it)

To remove cleanly: `curl -fsSL https://download.muros.org/uninstall.sh | sudo bash`.
## Modules
| Domain | Features |
| --- | --- |
| Filtering | Zones, interfaces (IP, VLAN, MTU), nft rules, rate-limit, log, live per-rule counters |
| NAT | SNAT, DNAT, masquerade, redirects, drag-and-drop reorder |
| Routing | Static routes, multi-WAN failover with ICMP probes |
| DHCP | Kea backend, per-interface pools, static leases, live lease view |
| DNS | Unbound recursive resolver, DNSSEC, forwarders, local records |
| NTP | chrony, custom server list, live sync status |
| VPN | WireGuard (config + peers) and IPsec (PSK/cert, integrated PKI) |
| HA | VRRP, conntrackd, VIPs, inter-node DB sync, automatic takeover |
| Monitoring | CPU/RAM/conntrack/traffic, SNMP, firewall logs, UI audit log |
| Notifications | Direct SMTP mail to an external smarthost, event watcher |
| Backups | Local DB snapshot/restore, remote (rclone, ftp, ssh) |
| Diagnostic | ping, traceroute, dig, tcpdump, conntrack from the UI |
| System | Hostname, timezone/locale, DNS, apt updates, reboot/shutdown |
| Access | TLS UI cert, SSH, nginx HTTP access, PAM accounts (UI + SSH share Linux users) |
| Hardening | sysctl, sshd, fail2ban, journald (clean drop-ins) |

Everything that ships is built natively into the core, with no plugins to
add. On the roadmap: OSPF/BGP, IDS/IPS (Suricata), external auth (LDAP/AD).
## Source of truth in SQLite
The DB is the source of truth and the only thing you need to back up. MurOS
uses drop-ins when a service supports them, and regenerates the full file
otherwise. It **never writes** to `/etc/network/interfaces`,
`/etc/systemd/network/` or `/etc/netplan/`: interfaces, VLANs and routes
are replayed from the DB at boot by `muros-boot.service`.
## API
The UI consumes a complete REST API under `/api/*` with JWT Bearer auth.
Auto-generated OpenAPI doc at `https:///docs`.
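
```bash
# Log in and keep the JWT from the response (-k skips TLS certificate verification).
TOKEN=$(curl -sk -X POST https://firewall/api/auth/login \
  -H 'Content-Type: application/json' \
  -d '{"username":"root","password":"mypass"}' | jq -r .access_token)

# List the firewall rules, sending the token as a Bearer credential.
curl -sk https://firewall/api/firewall/rules -H "Authorization: Bearer $TOKEN"
```
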
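
The same login and rule listing with certificate verification left on and the password read from a prompt, as an added example (not code from the MurOS project). The `muros-ui.pem` file name and the helper names are assumptions; the `firewall` host, the two endpoints and the `access_token` field are the ones used in the curl commands above.

```python
import getpass
import json
import ssl
import urllib.request

# Assumption: the UI certificate (or its CA) was exported to this PEM file.
CA_FILE = "muros-ui.pem"


def tls_context(cafile=None):
    """Verify chain and hostname, the checks that curl -k switches off."""
    return ssl.create_default_context(cafile=cafile)


def require_https(base_url):
    """Refuse to send the password or token over plain HTTP."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("credentials must only be sent over https://")
    return base_url.rstrip("/")


def login_request(base_url, username, password):
    """POST /api/auth/login; json.dumps escapes quotes in the password."""
    body = json.dumps({"username": username, "password": password}).encode()
    return urllib.request.Request(
        require_https(base_url) + "/api/auth/login", data=body,
        headers={"Content-Type": "application/json"}, method="POST")


def rules_request(base_url, token):
    """GET /api/firewall/rules with the JWT as a Bearer token."""
    return urllib.request.Request(
        require_https(base_url) + "/api/firewall/rules",
        headers={"Authorization": f"Bearer {token}"})


def fetch_rules(base_url, username, password, cafile=CA_FILE):
    """Log in, then list the rules; both calls validate the certificate."""
    ctx = tls_context(cafile)
    with urllib.request.urlopen(login_request(base_url, username, password),
                                context=ctx, timeout=10) as resp:
        token = json.load(resp)["access_token"]
    with urllib.request.urlopen(rules_request(base_url, token),
                                context=ctx, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Prompt for the password so it never lands in shell history or `ps`.
    secret = getpass.getpass("MurOS password: ")
    print(json.dumps(fetch_rules("https://firewall", "root", secret), indent=2))
```

Hostname checking only passes when the certificate's subject alternative name matches the host in the URL.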
## Documentation
See the [`docs/`](docs/) folder: [concepts](docs/concepts.md),
[first filter](docs/first-filter.md), [FAQ](docs/faq.md). Delivered
features are tracked in [`CHANGELOG.md`](CHANGELOG.md).
## FAQ
**Is MurOS a fork of pfSense or OPNsense?**
No. MurOS is a fresh codebase built on stock Debian 13. It drives nftables,
iproute2, WireGuard, strongSwan, keepalived, Kea and Unbound directly, with
a FastAPI backend and a React web UI. It shares no code with the BSD-based
pfSense or OPNsense.
**Is it free?**
Yes. MurOS is free and open source under the GPL v3, with no paid tier, no
subscription and no per-feature licensing.
**What hardware does it run on?**
Anything Debian 13 supports: mini-PCs, rack servers, and virtual machines on
Proxmox, VMware, KVM or Hyper-V. Because it uses the Linux driver set rather
than FreeBSD, it covers a far wider range of NICs and platforms than pfSense
or OPNsense.
**Can I manage everything from the web UI?**
Yes. Filtering, NAT, routing, multi-WAN, VPN, HA, DHCP, DNS, monitoring and
system settings are all managed from the web UI, with no command line
required. The underlying box is still plain Debian, so `nft`, `ip`,
`systemctl` and `journalctl` work as usual when you want them.
**How do I install it?**
Either boot the installer ISO for a ready-to-run firewall, or run
`apt install muros` on an existing Debian 13 host from the signed apt
repository. See [Quick start](#quick-start).
## License
MurOS is distributed under the **GNU GPL v3.0 or later**. See
[`LICENSE`](LICENSE) for the full text.

The canonical spelling is **MurOS**. It is unrelated to *Murus*, the
commercial macOS PF front-end at ; both
names derive from Latin *murus* (wall) and the proximity is coincidental.
Issues: