Early access · v0.5.0 · runs on OpenBSD 7.x

Firewall management, engineered like a security product.

OgmaProtect is a secure web management plane for OpenBSD routers and firewalls. Every domain runs in its own sandboxed daemon, every change is validated and reversible, and every action leaves an audit trail. Free for qualifying small businesses.

Source-available · no phone-home · your configuration never leaves your router

16 daemons. One responsibility each. That is the whole design.

  • netd
  • rtd
  • pfd
  • dnsd
  • dhcpd
  • routed
  • diagd
  • healthd
  • arpd
  • logd
  • timed
  • ipsecd
  • sysd
  • alertd
  • gwmond
  • authd
Why OgmaProtect

Built for the box you cannot afford to lose

A firewall is the one machine where a bad change locks you out and a quiet failure exposes everything behind it. OgmaProtect is designed around that reality.

Privilege separation everywhere

The web tier can never touch your configuration directly. Each domain — firewall, routing, DNS, DHCP, VPN — is its own OpenBSD-sandboxed daemon (pledge and unveil), reachable only through authenticated, role-checked control sockets.

Changes that cannot strand you

Every apply is validated first, written atomically, and recorded as a revision you can roll back. Risky changes run in commit-confirmed windows that revert automatically if you lose access — and drift detection tells you when live state stops matching intent.

Audited before it is sold

Before commercial launch, the entire codebase went through an eight-lens structural audit — architecture, security, state and recovery, tests, supportability and more. The findings drive the hardening programme we are shipping right now, in the open with our early-access users.

Platform

One coherent interface across the whole router

Everything below is configured through the same model: validate, apply live, write atomically, record a revision — with per-domain drift detection watching the result.

Firewall (PF)

Structured rules with inline NAT, tables, macros and traffic policing; a live state browser with surgical state kill; brute-force auto-ban; anti-lockout and default-deny baselines built in.

Dynamic routing

OSPF and BGP with depth few GUIs expose: a full BGP policy engine, peer groups and templates, per-neighbor tuning, TCP-MD5, zero-downtime OSPF key rotation — with a route-leak safety gate.

VPN & tunnels

WireGuard with a complete key lifecycle, IPsec (IKEv2 and manual keying), and GRE, VXLAN, EtherIP and gif tunnels — all with drift detection and reversible applies.

Resilient edge

Multi-WAN failover driven by real gateway health probes, PPPoE WAN, IPv6 WAN and LAN (SLAAC, DHCPv6-PD, router advertisements), VLANs and bridges.

Network services

DHCP server with live leases and one-click static reservations; DNS with DNS-over-TLS upstreams, DNSSEC, local zones and block-lists; managed NTP.

High availability

CARP virtual IPs with safe preemption windows, pfsync state synchronisation, and authenticated cross-peer configuration sync for active/backup pairs.

Day-2 operations

Users, roles and TOTP MFA with hard anti-lockout; configuration revisions with rollback; alerting to TLS syslog and webhooks; capture, sweep and reachability diagnostics.

Backup & recovery

Full-configuration export with validated dry-run import and revision history. Backup signing and encryption are landing in the current hardening programme.

The full feature breakdown, with evidence badges →

Security & assurance

Trust is an engineering artifact, not a claim

  • OpenBSD foundations. Built on the operating system with the strongest default-security reputation in the industry — and on its native tools: PF, CARP, pfsync, Unbound, WireGuard.
  • Least privilege by construction. 16 daemons, each pledged and unveiled to the minimum it needs; root-only control sockets; capability tokens between services; immutable stored SQL statements.
  • Fail-closed safety gates. Anti-lockout rules, management-interface guards, route-leak prevention and confirm-gates on dangerous operations — the system refuses configurations that would cut you off.
  • A real audit, honestly reported. An eight-lens pre-commercial structural audit produced 107 findings, distilled to 23 root causes — now being remediated durability-first, before commercial support, not after.
16privilege-separated daemons
8audit lenses, pre-commercial
107 → 23findings distilled to root causes, in remediation
0phone-home connections in the base product

The source is available to auditors and licensees on request. Security reports: hello@ogmaprotect.com. The full security story →

Coming

Ready-built OgmaProtect appliances

A range of hardware appliances — multiple sizes and throughput classes, shipped with OgmaProtect pre-installed, configured and tested. Unbox, connect, and manage from the same interface. The lineup will be announced here.

Editions & licensing

Free for small businesses. Licensed for everyone else.

Available

Small business — free

The full platform, free to use for the benefit of a company with fewer than 100 people and under USD 1M (2019, inflation-adjusted) revenue in the prior tax year — both conditions must hold.

Request early access

Available

Commercial

The same product for organisations beyond the small-business threshold, licensed directly by Wireless Connect Ltd. — with the commercial terms, support expectations and distribution rights agreed to fit.

Contact us

Planned

Premium subscriptions

In design, shown here for roadmap transparency: curated IP and DNS threat-feed subscriptions with block reporting, and external-vantage exposure scanning that verifies your firewall from the outside. Not yet available.

See the roadmap

Coming

Appliances

Pre-installed, pre-tested OgmaProtect hardware in a range of sizes and throughput classes. Register interest.

OgmaProtect is licensed under the PolyForm Small Business License 1.0.0 — source-available, not open source; redistribution requires a separate agreement. Details on the pricing & licensing page.

Early access

Run it on your own OpenBSD box

OgmaProtect is in early access (v0.5.0) while the pre-1.0 hardening programme completes. Access is granted per request — you get the real package, the quickstart, and a direct line to the people building it.

  1. Tell us about your setup. Email hello@ogmaprotect.com — who you are, roughly what your network looks like, and whether the small-business terms apply to you. Prefer to talk? Call +353 1 620 5585.
  2. Receive the package. We reply with the pkg_add-able package and quickstart under the license terms — installs on a stock OpenBSD 7.x system. Full walkthrough on the Get started page.
  3. Bring it up in minutes. Enable the daemons in the documented order, create your admin user, and manage the router over HTTPS from your browser.

Requirements: OpenBSD 7.x on the router, a browser on your side. No cloud account, no telemetry, no external dependencies.