{"id":50215076,"url":"https://github.com/murosorg/muros","last_synced_at":"2026-06-14T22:02:38.011Z","repository":{"id":360267965,"uuid":"1248169370","full_name":"murosorg/muros","owner":"murosorg","description":"MurOS turn Linux into a firewall. Web-managed Debian 13 base.","archived":false,"fork":false,"pushed_at":"2026-06-14T17:57:07.000Z","size":1122,"stargazers_count":2,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-14T18:04:37.455Z","etag":null,"topics":["agpl","debian","fastapi","firewall","ha-firewall","homelab","ipsec","keepalived","network-security","nftables","nginx","opensource","opnsense-alternative","pfsense-alternative","self-hosted","stateful-firewall","sysadmin","vpn","web-ui","wireguard"],"latest_commit_sha":null,"homepage":"https://muros.org","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/murosorg.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-24T09:25:07.000Z","updated_at":"2026-06-14T17:57:09.000Z","dependencies_parsed_at":null,"dependency_job_id":"c2e3cd51-cb31-420c-82d8-c6189e1cfe06","html_url":"https://github.com/murosorg/muros","commit_stats":null,"previous_names":["murosorg/muros"],"tags_count":247,"template":false,"template_full_name":null,"purl":"pkg:github/murosorg/muros","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/murosorg%2Fmuros","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/murosorg%2Fmuros/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/murosorg%2Fmuros/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/murosorg%2Fmuros/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/murosorg","download_url":"https://codeload.github.com/murosorg/muros/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/murosorg%2Fmuros/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34339195,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-14T02:00:07.365Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agpl","debian","fastapi","firewall","ha-firewall","homelab","ipsec","keepalived","network-security","nftables","nginx","opensource","opnsense-alternative","pfsense-alternative","self-hosted","stateful-firewall","sysadmin","vpn","web-ui","wireguard"],"created_at":"2026-05-26T08:08:08.141Z","updated_at":"2026-06-14T22:02:38.003Z","avatar_url":"https://github.com/murosorg.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# MurOS\n\n[![Release](https://img.shields.io/github/v/release/murosorg/muros?include_prereleases\u0026label=release)](https://github.com/murosorg/muros/releases)\n[![CI](https://img.shields.io/github/actions/workflow/status/murosorg/muros/ci.yml?branch=main\u0026label=CI)](https://github.com/murosorg/muros/actions)\n[![Integration](https://img.shields.io/github/actions/workflow/status/murosorg/muros/integration.yml?branch=main\u0026label=integration)](https://github.com/murosorg/muros/actions)\n[![License: GPL v3](https://img.shields.io/badge/license-GPL%20v3-blue.svg)](LICENSE)\n[![Debian 13](https://img.shields.io/badge/Debian-13%20Trixie-A81D33?logo=debian\u0026logoColor=white)](https://www.debian.org/)\n[![Website](https://img.shields.io/badge/website-muros.org-f59e0b)](https://muros.org)\n\nMurOS is an open source firewall appliance built on Debian 13, with every\nnetwork service built natively on top and managed from a single web UI. It\nis a free, self-hosted alternative to OPNsense and FortiGate:\nweb-managed, Debian-native, zero subscription, runs on any hardware Linux\nruns on. It covers the 90% of small and mid-size business needs: stateful\nfiltering, NAT, routing, multi-WAN failover, VPN (WireGuard + IPsec), high\navailability, DHCP, recursive DNS, SNMP and monitoring.\n\nWebsite: [muros.org](https://muros.org)\n\n![MurOS dashboard](docs/screenshots/dashboard.png)\n\n## Why MurOS\n\n- **Pure Debian, no fork.** Boots and debugs like a regular Debian 13 box.\n  `journalctl`, `nft`, `ip`, `systemctl` work as you expect, no custom CLI\n  on top of FreeBSD.\n- **Single source of truth in SQLite.** The UI, the API and the boot-time\n  applier all read the same DB. No drift between running config and files.\n- **Dry-run by default.** Every change is staged in DB first. The kernel\n  push only happens when you click Apply, and bad rulesets auto-rollback.\n- **Drop-ins over file rewrites.** When a daemon supports drop-ins MurOS\n  uses them, so your native Debian config stays untouched and visible.\n- **Two ways in.** Boot the installer ISO for a ready-to-run firewall, or\n  just `apt install muros` on an existing Debian 13. No custom kernel, no\n  fork either way.\n\n## How it compares\n\nHow MurOS lines up against the common firewall appliances. Where MurOS says\nplanned, the feature is on the roadmap as a native core capability, not a\nthird-party plugin.\n\n| Capability | FortiGate | OPNsense | MurOS |\n| --- | :---: | :---: | :---: |\n| Stateful firewall | yes | yes | yes |\n| NAT (SNAT / DNAT) | yes | yes | yes |\n| IPsec site-to-site | yes | yes | yes |\n| WireGuard | recent | yes | yes |\n| HA (VRRP active/passive) | yes | yes | yes |\n| Multi-WAN failover | yes | yes | yes |\n| DHCP + recursive DNS | yes | yes | yes |\n| Web UI, no CLI required | yes | yes | yes |\n| Base OS | FortiOS | FreeBSD | Debian 13 Linux |\n| License | proprietary | BSD 2-Clause | GPL v3 |\n| IDS / IPS (Suricata) | yes | yes | planned |\n| External auth (LDAP / RADIUS) | yes | yes | planned |\n\nMurOS runs on stock Debian, so it drives the full Linux hardware and driver\nset: mini-PCs, rack servers, VMs on Proxmox or VMware, and recent or cheap\nNICs that the BSD-based OPNsense often will not. Side-by-side\ndetail at [muros.org](https://muros.org).\n\n## Quick start\n\n### Installer ISO (recommended)\n\nDownload the ISO from the [latest release](https://github.com/murosorg/muros/releases/latest),\nwrite it to a USB key (`dd`, Rufus, balenaEtcher) or attach it to a VM,\nand boot it. Pick **Install MurOS**, choose your keyboard layout, then the\nLAN interface and its static IP (a firewall LAN is never DHCP). The rest\ninstalls automatically and fully offline. After reboot, open\n`https://\u003cthe-LAN-IP\u003e` and log in:\n\n- Login: `root`\n- Password: `root` (change it right away)\n\nBuilding the ISO yourself: see [`packaging/iso`](packaging/iso).\n\n### On an existing Debian 13\n\nPrerequisites: a freshly installed Debian 13 machine with root access and\none reachable interface.\n\n```bash\ncurl -fsSL https://download.muros.org/install.sh | sudo bash\n```\n\nThe installer registers the signed apt repository and installs the\npackage, so upgrades are just `apt update \u0026\u0026 apt install --only-upgrade\nmuros`. Then open `https://\u003cfirewall-ip\u003e` in a browser:\n\n- Login: `root`\n- Password: the existing system root password (MurOS does not change it)\n\nTo remove cleanly: `curl -fsSL https://download.muros.org/uninstall.sh | sudo bash`.\n\nIf `apt update` later fails with `Missing key ... / repository is not\nsigned`, the repository signing key was rotated. Refresh the local\nkeyring (or just re-run the installer, which re-imports it):\n\n```bash\ncurl -fsSL https://download.muros.org/muros.asc \\\n  | sudo gpg --dearmor --batch --yes -o /usr/share/keyrings/muros-archive-keyring.gpg\nsudo apt update\n```\n\n## Modules\n\n| Domain | Features |\n| --- | --- |\n| Filtering | Zones, interfaces (IP, VLAN, MTU), nft rules, rate-limit, log, live per-rule counters |\n| NAT | SNAT, DNAT, masquerade, redirects, drag-and-drop reorder |\n| Routing | Static routes, multi-WAN failover with ICMP probes |\n| DHCP | Kea backend, per-interface pools, static leases, live lease view |\n| DNS | Unbound recursive resolver, DNSSEC, forwarders, local records |\n| NTP | chrony, custom server list, live sync status |\n| VPN | WireGuard (config + peers) and IPsec (PSK/cert, integrated PKI) |\n| HA | VRRP, conntrackd, VIPs, inter-node DB sync, automatic takeover |\n| Monitoring | CPU/RAM/conntrack/traffic, SNMP, firewall logs, UI audit log |\n| Notifications | Direct SMTP mail to an external smarthost, event watcher |\n| Backups | Local DB snapshot/restore, remote (rclone, ftp, ssh) |\n| Diagnostic | ping, traceroute, dig, tcpdump, conntrack from the UI |\n| System | Hostname, timezone/locale, DNS, apt updates, reboot/shutdown |\n| Access | TLS UI cert, SSH, nginx HTTP access, PAM accounts (UI + SSH share Linux users) |\n| Hardening | sysctl, sshd, fail2ban, journald (clean drop-ins) |\n\nEverything that ships is built natively into the core, with no plugins to\nadd. On the roadmap: OSPF/BGP, IDS/IPS (Suricata), external auth (LDAP/AD).\n\n## Source of truth in SQLite\n\nThe DB is the source of truth and the only thing you need to back up. MurOS\nuses drop-ins when a service supports them, and regenerates the full file\notherwise. It **never writes** to `/etc/network/interfaces`,\n`/etc/systemd/network/` nor `/etc/netplan/`: interfaces, VLANs and routes\nare replayed from the DB at boot by `muros-boot.service`.\n\n## API\n\nThe UI consumes a complete REST API under `/api/*` with JWT Bearer auth.\nAuto-generated OpenAPI doc at `https://\u003cfirewall\u003e/docs`.\n\n```bash\nTOKEN=$(curl -sk -X POST https://firewall/api/auth/login \\\\\n  -H 'Content-Type: application/json' \\\\\n  -d '{\"username\":\"root\",\"password\":\"mypass\"}' | jq -r .access_token)\n\ncurl -sk https://firewall/api/firewall/rules -H \"Authorization: Bearer $TOKEN\"\n```\n\n## Documentation\n\nSee the [`docs/`](docs/) folder: [concepts](docs/concepts.md),\n[first filter](docs/first-filter.md), [FAQ](docs/faq.md). Delivered\nfeatures are tracked in [`CHANGELOG.md`](CHANGELOG.md).\n\n## FAQ\n\n**Is MurOS a fork of OPNsense?**\nNo. MurOS is a fresh codebase built on stock Debian 13. It drives nftables,\niproute2, WireGuard, strongSwan, keepalived, Kea and Unbound directly, with\na FastAPI backend and a React web UI. It shares no code with the BSD-based\nOPNsense.\n\n**Is it free?**\nYes. MurOS is free and open source under the GPL v3, with no paid tier, no\nsubscription and no per-feature licensing.\n\n**What hardware does it run on?**\nAnything Debian 13 supports: mini-PCs, rack servers, and virtual machines on\nProxmox, VMware, KVM or Hyper-V. Because it uses the Linux driver set rather\nthan FreeBSD, it covers a far wider range of NICs and platforms than\nOPNsense.\n\n**Can I manage everything from the web UI?**\nYes. Filtering, NAT, routing, multi-WAN, VPN, HA, DHCP, DNS, monitoring and\nsystem settings are all managed from the web UI, with no command line\nrequired. The underlying box is still plain Debian, so `nft`, `ip`,\n`systemctl` and `journalctl` work as usual when you want them.\n\n**How do I install it?**\nEither boot the installer ISO for a ready-to-run firewall, or run\n`apt install muros` on an existing Debian 13 host from the signed apt\nrepository. See [Quick start](#quick-start).\n\n## License\n\nMurOS is distributed under the **GNU GPL v3.0 or later**. See\n[`LICENSE`](LICENSE) for the full text.\n\nThe canonical spelling is **MurOS**. It is unrelated to *Murus*, the\ncommercial macOS PF front-end at \u003chttps://www.murusfirewall.com/\u003e; both\nnames derive from Latin *murus* (wall) and the proximity is coincidental.\n\nIssues: \u003chttps://github.com/murosorg/muros/issues\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmurosorg%2Fmuros","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmurosorg%2Fmuros","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmurosorg%2Fmuros/lists"}