Block VPN brute force attacks on your OPNsense firewall with ThreatListPro's automated IP blocklist. Configure a URL alias and firewall rule in under 5 minutes.
Start Blocking Attacks -- $9.99/mo
OPNsense is a powerful open-source firewall, but its VPN endpoints are still visible to the internet. Attackers don't care if you're running open source or commercial -- they scan and attack every exposed port.
Whether you run OpenVPN, WireGuard, or IPsec on OPNsense, your VPN endpoint is discoverable by mass-scanning services like Shodan and Censys. Once found, attackers launch automated credential-stuffing and brute-force campaigns. OPNsense's built-in rate limiting helps but doesn't stop distributed attacks from thousands of source IPs.
OPNsense supports URL Table aliases that fetch external IP lists on a schedule. ThreatListPro's feed plugs directly into this feature. A single firewall rule referencing the alias blocks all known VPN attackers at the packet filter level -- before any VPN handshake or authentication attempt occurs.
Add ThreatListPro as a URL Table alias and create a blocking firewall rule in OPNsense.
Sign up at threatlistpro.com and copy your unique feed URL from the dashboard: https://feed.threatlistpro.com/v1/edl/YOUR_API_KEY
In OPNsense, navigate to Firewall > Aliases and click Add. Set the name to ThreatListPro, type to URL Table (IPs), and paste your feed URL in the Content field. Set the refresh frequency (e.g., 1 day). Click Save and Apply.
Go to Firewall > Rules > WAN. Add a new rule at the top of the list. Set action to Block, direction to in, source to the ThreatListPro alias, and destination to This Firewall (or your VPN interface address). Save and apply changes.
For more frequent updates than the default 1-day cycle, navigate to System > Settings > Cron and add a job that runs configctl filter refresh_url_alias every hour or more frequently. This pulls the latest ThreatListPro data on your preferred schedule.
Navigate to Firewall > Diagnostics > Aliases and click on your ThreatListPro alias to verify it contains IPs. Check Firewall > Log Files > Live View to see blocked connections in real time.
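Before pointing a WAN block rule at an external list, it is worth checking a saved copy of the feed for entries that would cut off your own access or that are not addresses at all. The following is an added example, not ThreatListPro or OPNsense code; it assumes the feed is plain text with one IP or CIDR per line, and the names audit_feed, NEVER_BLOCK and the prefix thresholds are illustrative.

```python
import ipaddress

# Assumption: the feed is plain text, one IP or CIDR per line, '#' starts a comment.
MIN_PREFIX = {4: 8, 6: 16}  # illustrative threshold: broader prefixes are rejected

# Constructed sample feed (documentation address ranges only).
SAMPLE_FEED = """\
# sample blocklist
198.51.100.7
203.0.113.0/24
2001:db8:bad::/48
0.0.0.0/0
192.0.2.10
<html>502 Bad Gateway</html>
"""
# Constructed list of networks that must stay reachable (admin, monitoring, VPN peers).
NEVER_BLOCK = ["192.0.2.0/28", "2001:db8:1::/64"]


def audit_feed(text, never_block):
    """Return (networks, problems); problems are (line_no, entry, reason) tuples."""
    protected = [ipaddress.ip_network(n) for n in never_block]
    networks, problems = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # e.g. an error page served in place of the list
            problems.append((line_no, entry, "not an IP address or CIDR"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            problems.append((line_no, entry, "prefix too broad"))
            continue
        hit = next((p for p in protected
                    if p.version == net.version and p.overlaps(net)), None)
        if hit is not None:
            problems.append((line_no, entry, f"overlaps protected network {hit}"))
            continue
        networks.append(net)
    return networks, problems


if __name__ == "__main__":
    nets, issues = audit_feed(SAMPLE_FEED, NEVER_BLOCK)
    print(f"{len(nets)} usable entries")
    for line_no, entry, reason in issues:
        print(f"line {line_no}: {entry!r}: {reason}")
```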
Compare automated VPN-focused blocking against other approaches for protecting your OPNsense firewall.
| Feature | ThreatListPro | Manual Blocking | Enterprise Threat Feeds |
|---|---|---|---|
| VPN brute-force focused | ✓ | ✗ | ✗ |
| Real-time updates (60s) | ✓ | ✗ | ✓ |
| OPNsense URL alias compatible | ✓ | ✗ | ✓ |
| Automatic stale IP removal | ✓ | ✗ | ✓ |
| Setup in under 5 minutes | ✓ | ✗ | ✗ |
| Price | $9.99/mo | Staff time | $500+/mo |
In OPNsense, go to Firewall > Aliases and click Add. Set the type to URL Table (IPs), give it a name like ThreatListPro, and paste your feed URL. Set the refresh frequency to 1 day or use a cron job for more frequent updates. Then reference this alias in a firewall rule to block inbound traffic.
ThreatListPro works alongside OPNsense's Suricata-based IDS/IPS. While IDS catches attack patterns in traffic, ThreatListPro blocks known attacker IPs before they can even establish a connection. The two approaches are complementary: ThreatListPro provides proactive blocking, while IDS provides reactive detection.
Yes. ThreatListPro provides both IPv4 and IPv6 blocklist feeds. In OPNsense, create two URL Table aliases (one for each address family) or use a combined feed. Both formats are supported and updated at the same 60-second frequency.
Automated VPN brute force protection in a single URL alias. No plugins required.
Get ThreatListPro -- $9.99/mo
ThreatListPro provides a standard IP blocklist feed compatible with any firewall that supports external lists.
Learn more about IP blocklists, VPN security, and how ThreatListPro compares to alternatives.