FAQ

Straight answers

If your question isn't here, email us — questions we hear twice get added.

Licensing & pricing

Is OgmaProtect open source?

No — it is source-available under the PolyForm Small Business License 1.0.0. That license makes it free for qualifying small businesses and lets you modify it for permitted use, but it does not allow general redistribution and does not meet the open-source definition. We say this plainly because the difference matters.

Do I qualify for the free tier?

You qualify if the company benefiting from OgmaProtect has fewer than 100 people (employees plus contractors) and under USD 1M (2019, inflation-adjusted) total revenue in the prior tax year. Both conditions must hold. If you outgrow the threshold later, congratulations — talk to us about a commercial license then.

I'm an MSP — can I deploy it for my clients?

Deploying for clients is distribution, which the free grant doesn't cover — you need a commercial/distribution agreement with Wireless Connect Ltd. Get in touch; this is exactly the conversation we want to have.

Can I mirror it, fork it publicly, or bundle it into my product?

No. The license grants no general redistribution — no public mirrors, no bundling, no publishing copies. You may modify it for your own permitted use, and the license text and Required Notice must travel with any copy you are permitted to make.

What does a commercial license cost?

There is no public price list yet — commercial terms are agreed per organisation. Email hello@ogmaprotect.com or call +353 1 620 5585 and we'll give you a straight answer quickly.

Product & installation

What do I need to run it?

A router running OpenBSD 7.x (base system) plus the sqlite3 package, and a browser on your side. Any hardware OpenBSD supports works — small fanless boards up to rack servers. Ready-built appliances are coming.

Does it phone home?

No. No telemetry, no license checks, no update pings. The only outbound connections are ones you configure — DNS upstreams, NTP, alert destinations, VPN peers, HA peers. It runs fully functional on an isolated network.

Can I import my config from pfSense / OPNsense / another firewall?

Not today, and we won't pretend otherwise. OgmaProtect manages its own canonical configuration model; migrating means configuring through the interface. For most networks that's an afternoon — and the result is a config with revision history and drift detection from day one.

How do updates work?

Releases are versioned OpenBSD packages built in CI. Upgrading is: stop the daemons, back up /var/db/ogmaprotect/, install the new package, start again — configuration is versioned and forward-migrated automatically. See Get started.

Can I still use the OpenBSD shell alongside it?

It's your machine and nothing is hidden — but OgmaProtect owns the configuration it manages, and its drift detection will flag hand-edits to managed domains as exactly that. Best practice: let it manage what it manages, and enjoy the shell for everything else.

Early access & support

What does “early access” actually mean?

The product is pre-1.0 (currently v0.5.0). The feature set on the features page is real and in use, and an audit-derived hardening programme is actively landing. Early-access users get every release and a direct channel to the engineers. Whether to run it in production within the license terms is your call to make with clear information — see the roadmap page.

What support do I get?

During early access: direct email support from the people building the product, best-effort. Formal support agreements come with commercial licensing — ask us.

How do I get access?

Request it — a short email about who you are and what your network looks like. We reply with the package and quickstart.

Security

How do I report a security issue?

Email hello@ogmaprotect.com. We practise coordinated disclosure, respond quickly, and credit researchers who want credit.

Can I audit the source before trusting it?

Yes — the source is available to auditors and licensees on request. The security page describes the architecture and the 8-lens structural audit the codebase went through before commercial launch.

Glossary

The jargon on this site, in plain English.

Canonical configuration
The single structured description of your router's intended state, from which OgmaProtect renders the native OpenBSD config files. It is versioned: every change becomes a revision.
Drift
When the router's live state stops matching the configured intent — a hand edit, a failed apply, a reboot surprise. OgmaProtect detects drift per domain and shows you exactly what differs.
Commit-confirmed apply
A change that arms a timer: if you don't confirm it worked (because it cut you off), the router automatically reverts to the previous state.
Revision
A recorded snapshot of configuration at each apply — who changed it, what, when — that you can browse and roll back to.
CARP / pfsync
OpenBSD's high-availability pair: CARP lets two routers share one IP address (one master, one backup); pfsync copies live connection state between them so a failover doesn't drop sessions.
PF
OpenBSD's packet filter — the firewall engine itself, widely considered the cleanest in the business.
pledge / unveil
OpenBSD security features a program applies to itself: pledge limits which system calls it may make, unveil limits which files it may see. The kernel terminates a process that breaks its promise.
RBAC
Role-based access control — operators get roles, roles carry precise permissions, and every privileged action is checked against them.
Source-available
You can obtain and read the source code, but the license is not an open-source license — use is granted on specific terms (here: free for qualifying small businesses) and redistribution is restricted.