24.4 Series
The OPNsense business edition transitions to this 24.4 release including ports-based OpenSSL 3, Suricata 7, several MVC/API conversions, a new neighbor configuration feature for ARP/NDP, core inclusion of the os-firewall and os-wireguard plugins, CARP VHID tracking for OpenVPN and WireGuard, functional Kea DHCPv4 server with HA support plus much more.
Please make sure to read the migration notes before upgrading.
Download link is as follows. An installation guide [1] and the checksums for the images can be found below as well.
https://downloads.opnsense.com/
24.4.3 (September 17, 2024)
This business release is based on the OPNsense 24.4.2 business version with additional reliability improvements.
Here are the full patch notes:
system: add snapshots (boot environments) support via MVC/API (contributed by Sheridan Computers)
system: recover stuck monitors and offer a cron job
isc-dhcp: allow to disable a DHCPv6 server with faulty settings
openvpn: add close-on-exec flag to service lock file
openvpn: add username field to the status page
wireguard: add close-on-exec flag to service lock file
mvc: improve container field cloning
ui: allow style tag on headers
ports: openssl 3.0.15 [1]
A hotfix release was issued as 24.4.3_1:
firmware: add fingerprint, migration notes and upgrade hint for 24.10
24.4.2 (August 16, 2024)
This business release is based on the OPNsense 24.1.10 community version with additional reliability improvements.
Here are the full patch notes:
system: add pluginctl -x/-X modes for digesting XMLRPC options
system: replace rand() with random_int() in remote backup script
system: skip tentative IPv6 addresses for binding in the web GUI (contributed by tionu)
firewall: migrate one-to-one NAT to MVC/API
firewall: show inspect button on “xs” size screen
interfaces: make SLAAC flush a feature of ifctl for incoming reuse
interfaces: move SLAAC tunables to system requirements
interfaces: disable IPv6 interface modes when IPv6 is disabled globally
interfaces: avoid pluginctl giving out IPv4 info for non-interfaces
interfaces: improve DHCPv6 requirement rules on WAN interface
interfaces: support reading more attributes in ifconfig output parser
interfaces: correct logic of resolve flag in ARP table (contributed by Kevin Pelzel)
reporting: add NetFlow IPv6 support for destinations
dhcrelay: add logging into its own space
firmware: prefer ZFS over UFS in upgrade message
firmware: remove unneeded Unbound DNS database upgrade script
firmware: remove stale Squid plugin upgrade script
isc-dhcp: allow root domain input as “.” (contributed by Skyler Mantysaari)
kea-dhcp: support static DNS mappings (contributed by Markus Reiter)
kea-dhcp: add description field to subnets
kea-dhcp: add next-server option to subnets (contributed by Harm Kroon)
kea-dhcp: fix privileges for page ACL
openvpn: add “float” option to instances (contributed by Christian Kohlstedde)
mvc: refactored and improved checkAndThrowSafeDelete() as checkAndThrowValueInUse()
ui: remove aria-hidden from dialogs (contributed by Jason Fayre)
plugins: os-OPNcentral 1.10
plugins: os-OPNWAF 1.5
plugins: os-bind 1.32 [1]
plugins: os-caddy 1.6.0 [2]
plugins: os-ddclient 1.22 [3]
plugins: os-nginx 1.33 [4]
plugins: os-theme-cicada 1.36 (contributed by Team Rebellion)
plugins: os-theme-vicuna 1.46 (contributed by Team Rebellion)
plugins: os-zabbix-agent 1.14 [5]
plugins: os-zabbix-proxy 1.11 [6]
ports: curl 8.8.0 [7]
ports: dhcp6c 20240710 additions for WAN tracking, interface ID specification, etc.
ports: openldap 2.6.8 [8]
ports: php 8.2.20 [9]
ports: py-duckdb 1.0.0 [10]
ports: py-netaddr 1.3.0 [11]
ports: sqlite 3.46.0 [12]
24.4.1 (June 20, 2024)
This business release is based on the OPNsense 24.1.8 community version with additional reliability improvements.
Here are the full patch notes:
system: fix maximum log file size being ignored when there is only one file
system: make log rotate action available to Cron
system: remove get_current_theme() and improve static page templating
system: move radvd and rtsold to system log where they belong
system: deny access to .core files from web GUI and disable core dumps by default
system: move net.inet.icmp.drop_redirect sysctl to automatic mode
system: add Google Drive configuration as an XMLRPC sync target
system: do not create an interface route without an address
firewall: use the new $.replaceInputWithSelector() for source/destination networks in MVC filter pages
firewall: fix empty rule label rendered as “null” on sessions page
interfaces: give DAD another second of delay to finish for the IPv6 renew
interfaces: reword the gateway selector default and help text to describe its function more accurately
interfaces: detect and ignore “detached” state for IPv6
interfaces: remove unused imports from sockstat list
interfaces: in SLAAC tracking prevent accepting our own radvd configuration
firmware: change default fetch of changelog to 30 seconds
firmware: dump TLS information for firmware server(s) in use
ipsec: fix faulty “-” usage in URIs
kea-dhcp: simplified the controller code
kea-dhcp: generate JSON payload from model
kea-dhcp: fix field separator for subnet domain search (contributed by KitKat31337)
isc-dhcp: make private consumers actually private where it matters
isc-dhcp: take into account that multiple ia-pd can be delegated
openvpn: fix “attempt to read property…” in status page
openvpn: safeguard config access in updown_event.py
wireguard: pass endpoint to validator to avoid invalid QR code errors on mobile app
wireguard: add MTU when set on the instance
wireguard: move validation to correct spot when no instance address and peer address was provided
wireguard: also validate hostnames correctly in peer generator endpoint
unbound: change blocklist processing in _blocklist_reader()
unbound: allow RFC 2181 compatible names in query forwarding
backend: allow to query multiple sysctl queries at once
backend: resolve deprecation warnings for sre_constants (contributed by MaxXor)
mvc: pass isFieldChanged() to children in ContainerField
mvc: replace PhalconFilterValidationException with OPNsenseBaseValidationException wrapper
mvc: extend model implementation to ease legacy migrations
mvc: change exception handling in runMigrations() to avoid mismatches in attributes being silently ignored
mvc: refactor grid search to fetch descriptive values from the model instead of trying to reconstruct them
mvc: replace array_map+strval for loop with cast to preserve execution time in BaseListField
mvc: silence spurious validation message when explicitly asked to ignore them
ui: fix bootgrid parsing of timestamp
ui: improve tokenizer paste behaviour
ui: prevent vertical modal overflows and instead present a scrollbar
ui: add $.replaceInputWithSelector() action
ui: handle static page CSRF without Phalcon
ui: prevent word break for top level menu items
plugins: os-OPNWAF 1.4
plugins: os-acme-client 4.3 [1]
plugins: os-caddy 1.5.6 [2]
plugins: os-crowdsec 1.0.8 [3]
plugins: os-freeradius 1.9.23 [4]
plugins: os-frr 1.40 [5]
plugins: os-relayd 2.9 moves validation to model where it belongs
plugins: os-shadowsocks 1.1 adds transport mode option (contributed by xabbok255)
plugins: os-squid workaround for broken OpenSSL legacy provider handling
plugins: os-telegraf 1.12.11 [6]
src: pfsync: fix use of invalidated stack variable
src: pfsync: cope with multiple pending plus messages
src: ipfw: skip to the start of the loop when following a keep-state rule
src: bridge: use IF_MINMTU
src: bridge: change MTU for new members
src: ethernet: support ARP for 802 networks
src: ethernet: fix logging of frame length
src: debugnet: fix logging of frame length
src: wg: use ENETUNREACH when transmitting to a non-existent peer
src: fib_algo: lower level of algorithm switching messages to LOG_INFO
src: libpfctl: fix incorrect pcounters array size
src: pf: always mark states as unlinked before detaching them
src: vxlan: add checking for loops and nesting of tunnels
src: igc: increase default per-queue interrupt rate to 20000
ports: hyperscan 5.4.2 [7]
ports: libpfctl 0.11
ports: libucl 0.9.2
ports: libxml 2.11.8 [8]
ports: lighttpd 1.4.76 [9]
ports: ntp 4.2.8p18 [10]
ports: openssl 3.0.14 [11]
ports: pecl-mcrypt 1.0.7
ports: phalcon 5.7.0 [12]
ports: php 8.2.19 [13]
ports: py-duckdb 0.10.3 [14]
ports: python 3.11.9 [15]
ports: strongswan 5.9.14 [16]
ports: suricata 7.0.5 [17]
ports: syslog-ng 4.7.1 [18]
ports: unbound 1.20.0 [19]
A hotfix release was issued as 24.4.1_2:
wireguard: fix IP protocol detection for manual gateway
ui: properly break out selectpicker options in modals
ports: krb5 1.21.3 [20]
ports: nss 3.101 [21]
ports: openssh 9.8p1 [22]
ports: openvpn 2.6.11 [23]
ports: suricata 7.0.6 [24]
A hotfix release was issued as 24.4.1_3:
firewall: fix regression in GeoIP aliases selector
24.4 (April 30, 2024)
The OPNsense business edition transitions to this 24.4 release including ports-based OpenSSL 3, Suricata 7, several MVC/API conversions, a new neighbor configuration feature for ARP/NDP, core inclusion of the os-firewall and os-wireguard plugins, CARP VHID tracking for OpenVPN and WireGuard, functional Kea DHCPv4 server with HA support plus much more.
Please make sure to read the migration notes before upgrading.
Download link is as follows. An installation guide [1] and the checksums for the images can be found below as well.
https://downloads.opnsense.com/
This business release is based on the OPNsense 24.1.6 community version with additional reliability improvements.
Here are the full patch notes:
system: prevent activating shell for non-admins
system: add OCSP trust extensions and improved authorities implementation
system: migrate single gateway configuration to MVC/API
system: use new backend streaming functionality in the log viewer
system: limit file system /conf/config.xml and backups access to administrators
system: migrate gateways model to match new class introduced in 23.7.x
system: refactor get_single_sysctl()
system: update cron model
system: fix migration issue in new gateways model
system: enable OpenSSL legacy provider by default to allow Google Drive backup to continue working with OpenSSL 3
system: bring back the interface statistics dashboard widget update interval
system: fix all items in the OPNsense container being synced in XMLRCP when NAT option is selected
system: accept colon character in log queries
system: fix gateway migration issue causing individual items to be skipped
system: fix dynamic gateway persisting its address
system: prevent gateway removal when it is currently bound to an interface
system: merge static logging settings into existing MVC page
system: fix PHP warnings and spurious validation in route model
system: fix translation of static PHP pages with newer gettext
reporting: print status message when Unbound DNS database was not found during firmware upgrade
reporting: update NetFlow model
reporting: top talkers fix for backend required by new py-netaddr
interfaces: implement new neighbor configuration for ARP and NDP entries using MVC/API
interfaces: refactor interface_bring_down() into interface_reset() and interface_suspend()
interfaces: migrate the overview page to MVC/API
interfaces: add optional local/remote port to VXLAN
interfaces: remove unused code from native dhclient-script
interfaces: do not flush states on clear event
interfaces: overview page UX improvements
interfaces: fix strpos() deprecation null haystack
interfaces: fix VXLAN validation
interfaces: support a primary interface in LAGG failover mode
interfaces: stop caching IPv6 address to decide if reload is required
firewall: add automation category for filter rules and source NAT using MVC/API, formerly known as os-firewall plugin
firewall: migrate NPTv6 page to MVC/API
firewall: add a track interface selection to NPTv6 as an alternative to the automatic rule interface fallback when dealing with dynamic prefixes
firewall: show automation rules in their own section
firewall: keep permissions to standard for filter.lock file
firewall: replace searchNoCategoryItemAction() with new searchBase() extension
firewall: add gateway to the states diagnostics output
firewall: fix visible rows quantity off-by-one (contributed by NYOB)
dhcp: add Kea DHCPv4 server option with HA capabilities as an alternative to the end of life ISC DHCP
dhcp: omit faulty comma in Kea config when control agent is disabled
dhcp: add opt-out automatic firewall rules for Kea server access
dhcp: set RemoveAdvOnExit to off in CARP mode for router advertisements
dhcp: make sure the register DNS leases options reflect that this is only supported for ISC DHCP
dhcp: make option_data_autocollect option more explicit in Kea
dhcp: gather missing Kea leases another way since the logs are unreliable
dhcp: add address constraint to Kea reservations
dhcp: add unique constraint for MAC address + subnet in Kea
dhcp: add domain-name to client configuration in Kea
dhcp: loosen constraints for TFTP boot in Kea
dhcp: clean up duplicated domain-name-servers option
dhcp: cleanup get_lease6 script and fix parsing issue
dhcp: deduplicate records in Kea leases
dhcrelay: functional MVC/API replacement using the OpenBSD dhcrelay(6) fork
firmware: opnsense-revert: fix issue with downloaded package install
firmware: fix missing space in audit message
intrusion detection: adjust for default behaviour changes in Suricata 7
intrusion detection: set exception-policy and app-layer.error-policy to their advertised defaults
intrusion detection: fix whitespace issue in yaml configuration file
intrusion detection: align performValidation()->count() to use count() instead
intrusion detection: query all fields for searchBase() actions
ipsec: remove AEAD algorithms without a PRF for IKE proposals in connections
ipsec: improve enable button placement on connections page
ipsec: allow % to support %any in ID for connections
ipsec: optionally hook VTI tunnel configuration to connection up event to support dynamic DNS
ipsec: fix typo in config generation for AH proposals
isc-dhcp: do not add interfaces for non-Ethernet types to relaying
isc-dhcp: fix log file location
kea-dhcp: add import/export as CSV on reservations
kea-dhcp: add domain-search, time-servers and static-routes client options to subnet configuration
lang: added traditional Chinese translation (contributed by Jason Cheng)
openvpn: allow optional OCSP checking per instance
openvpn: emit device name upon creation
openvpn: add optional “route-metric” push option for server instances
openvpn: fix cso_login_matching being ignored during authentication
openvpn: when “cert_depth” is left empty it should ignore the value
openvpn: data-ciphers-fallback should be a single option
openvpn: fix support for /30 p2p/net30 instances
openvpn: add “various_push_flags” field for simple boolean server push options in connections
openvpn: various improvements for TAP servers
unbound: duckduckgo.com blocklist fix
web proxy: integration moved to os-squid plugin
wireguard: installed by default using the bundled FreeBSD 13.2 kernel module
wireguard: allow instances to start their ID at 0 like they used to a long time ago
wireguard: key constraints should only apply on peers and not instances
wireguard: peer uniqueness should depend on pubkey + endpoint
wireguard: skip attached instance address routes
wireguard: remove duplicate ID columns
wireguard: remove duplicate “pubkey” field, remove required tag and validate on Base64 in model
wireguard: address assorted interface configuration inconsistencies during configuration
wireguard: migrate non-netmask allowed IP entries and enforce them in validation
wireguard: show proper names when public keys overlap between instances
wireguard: add a peer configuration generator with QR code capability
wireguard: improve overall configuration UX
wireguard: store attached instance during peer generation
wireguard: add DNS field to peer generator and store previous used values in instance
wireguard: add address field to peer generator which auto-calculates the next available address in the pool
wireguard: add restart action to available cron tasks (contributed by Michael Muenz)
wireguard: unlink instance on peer delete
wizard: reorder storage sequence to fix hostname/domain change bug
backend: constrain execution of user add/change/list actions to members of the wheel group
backend: wait for all configd results and add it to the log message when detached
backend: optimise stream_handler to exit and kill running process when no listener is attached
mvc: remove legacy Phalcon migration glue
mvc: add configdStream action to ApiControllerBase
mvc: support array structures for better search functionality in ApiControllerBase
mvc: scope xxxBase validations to the item in question in ApiMutableModelControllerBase
mvc: remove Phalcon syslog implementation with a simple wrapper
mvc: add a DescriptionField type
mvc: add a MacAddressField type
mvc: add IsDNSName to support DNS names as specified by RFC2181 in HostnameField
mvc: fix Phalcon 5.4 and up
mvc: fix model cloning when array items contain nested containers
mvc: add simple Message class and remove the previous Phalcon dependency
mvc: refactor HostnameField, remove HostValidator dependency and add unit test
mvc: add new static Autoconf class to access information collected by ifctl
mvc: fix rewind() stream not supporting seeking error
mvc: add copy of our html_safe() and use it in the translator
mvc: add “safe” filter in Phalcon volt templates
mvc: feed current language into view to replace hardcoded “en-US”
mvc: fix minor regression with “allownew” not having a default
mvc: extend model implementation to support volatile fields
mvc: add setBaseHook() to ApiMutableModelControllerBase
mvc: extend searchBase() to return all fields when no list is provided
mvc: fix config locking issue when already owning the lock
rc: fix wrong order in service startup (contributed by Frank Wall)
ui: include meta tags for standalone/full-screen on Android and iOS (contributed by Shane Lord)
ui: add double click event with grid dialog in tree view to show a row layout instead
ui: auto-trim MVC input fields when being pasted
ui: increase standard search delay from 250 ms to 1000 ms
ui: make modal dialogs draggable
ui: support key/value combinations for error messages in do_input_validation()
ui: adjust margin of hr elements to match __mX helpers
ui: add a button to allow textarea style edits of free-form tokenizers
ui: when an error is raised make sure it is always visible
ui: fix copy/paste buttons not showing for tokenizers in some situations
ui: move cache_safe() functions to appropriate include
ui: add a “statusled” formatter to bootgrid
ui: add a “grid-reload” helper to SimpleActionButton
plugins: add globbing for plugin run tasks as well
plugins: os-OPNProxy 1.0.5 business plugin released to community version
plugins: os-acme-client 4.2 [2]
plugins: os-api-backup was discontinued due to overlapping functionality in core
plugins: os-bind 1.30 [3]
plugins: os-caddy 1.5.4 [4] (contributed by Monviech)
plugins: os-ddclient 1.21 [5]
plugins: os-dnscrypt-proxy 1.15 [6]
plugins: os-firewall moved to core
plugins: os-frr 1.39 [7]
plugins: os-haproxy 4.3 [8]
plugins: os-nrpe updated to NRPE 4.1.x
plugins: os-ntopng 1.3 [9]
plugins: os-postfix updated to Postfix 3.8.x
plugins: os-squid 1.0 offers the removed web proxy core functionality
plugins: os-theme-cicada 1.35 (contributed by Team Rebellion)
plugins: os-theme-rebellion 1.8.10 (contributed by Team Rebellion)
plugins: os-tor 1.10 adds MyFamily support (contributed by Mike Bishop)
plugins: os-wireguard moved to core
plugins: os-wireguard-go was discontinued
plugins: os-zabbix-proxy 1.10 [10]
src: NFS client data corruption and kernel memory disclosure [11]
src: pf: merge extended support for SCTP and related stable changes
src: e1000: merge assorted driver improvements for hardware capabilities
src: bsdinstall: merge assorted stable changes
src: tuntap: merge assorted stable changes
src: wireguard: add experimental netmap support
src: sys: Use mbufq_empty instead of comparing mbufq_len against 0
src: e1000/igc: remove disconnected sysctl
src: jail: fix information leak [12]
src: bhyveload: use a dirfd to support -h [13]
src: EVFILT_SIGNAL: do not use target process pointer on detach [14]
src: setusercontext(): apply personal settings only on matching effective UID [15]
src: re: generate an address if there is none in the EEPROM
src: wg: detect loops in netmap mode
src: wg: detach bpf upon destroy as well
src: wg: fix access to noise_local->l_has_identity and l_private
src: wg: fix erroneous calculation in calculate_padding() for p_mtu == 0
src: wg: fix handling of errors in wg_transmit()
src: wg: use proper barriers around pkt->p_state
src: kern: fix panic with disabled ttys
src: opencrypto: advance the correct pointer in crypto_cursor_copydata()
src: opencrypto: handle end-of-cursor conditions in crypto_cursor_segment()
src: opencrypto: respect alignment constraints in xor_and_encrypt()
src: ccr,ccp: fix argument order to sglist_append_vmpages
src: ossl: add missing labels to bsaes-armv7.S
src: ipsec esp: avoid dereferencing freed secasindex
src: irdma: upgrade to 1.2.36-k
src: irdma: remove artificial completion generator
src: tcp: cubic - restart epoch after RTO
src: tcp: prevent div by zero in cc_htcp
src: net80211: adjust more VHT structures/fields
ports: curl 8.7.1 [16]
ports: dhcrelay 0.4 [17]
ports: dnsmasq 2.90 [18]
ports: dnspython 2.6.1
ports: expat 2.6.2 [19]
ports: libpfctl 0.10
ports: libucl 0.9.1
ports: libxml 2.11.7 [20]
ports: lighttpd 1.4.75 [21]
ports: nss 3.99 [22]
ports: openldap 2.6.7 [23]
ports: openssh-portable 9.7p1 [24]
ports: openssl 3.0.13 [25]
ports: openssl fix for CVE-2024-2511 [26]
ports: openvpn 2.6.10 [27]
ports: pcre2 10.43 [28]
ports: phalcon 5.6.2 [29]
ports: php 8.2.18 [30]
ports: py-duckdb 0.10.1 [31]
ports: py-netaddr 1.2.1 [32]
ports: radvd adds upstream patch for RemoveAdvOnExit option
ports: sqlite 3.45.1 [33]
ports: suricata 7.0.4 [34]
ports: syslog-ng 4.6.0 [35]
A hotfix release was issued as 24.4_5:
system: prevent out of memory on gateways migrations
system: adjust log levels in Google Drive backup
ipsec: allow the equal sign for identity parsing in connections
plugins: os-OPNBEcore fix for rule sync behaviour
A hotfix release was issued as 24.4_7:
system: work around fatal password_hash() change in PHP 8.2.18
monit: fix referential constraint issue when dependency is removed
ports: openssl fix for CVE-2024-4603
A hotfix release was issued as 24.4_8:
system: fix regression in gateways migration causing far gateway option to be set incorrectly
ports: dhcrelay 0.5 fixes endless loop on packet read
Migration notes, known issues and limitations:
Audits and certifications are requiring us to restrict system accounts for non-administrators (without wheel group in particular). It will no longer be possible to use non-adminstrator accounts with shell access and permissions for sensitive files have been tightened to not be world-readable. This may cause custom tooling to stop working, but can easily be fixed by giving these required accounts the full administration rights.
ISC DHCP functionality is slowly being deprecated with the introduction of Kea as an alternative. The work to replace the tooling of ISC DHCP is ongoing, but feature sets will likely differ for a long time therefore. ISC DHCP Relay has been replaced with an OpenBSD-based code alternative and is now found unter “DHCRelay”.
The move to the FreeBSD ports version of OpenSSL 3.0 is included and may disrupt third party repository use until those have been fixed and rebuilt accordingly. Please note that we do not vet third party repositories and do not have control over them so their response time may vary.
The Squid web proxy functionality moves to a plugin and will no longer be installed by default for new installations. However, if you have Squid enabled the plugin will automatically be installed during the upgrade. There is no code difference in the implementation and integration of the plugin compared to the core version. The OPNProxy plugin is still available, but also moved to the community plugins due to this.
The public key for the 24.4 series is:
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArjthZplSNhbgab8VYDYl
# jn3rNni+Fson28prwolUac0EHlu1e9ckM03BjYfRYUcpHRdNTglPr+likmgQ3K7j
# 01oq0/H2krvXUbxUq8CQDYgHUM9QDBubdC06/oQ/S20YGHlHJ+odexUbLF0YvW04
# RfzlEozBW0eUjc3LLYAvr1RwXoiZyB/Qit5bBC7No6fKIlCD9uZ3+7b1pO+Gjfq0
# mPF01kE7P55Y9WqaEU9odS4xE+viGlj+k1+YZBsEWWzX+J3z5zGDhWcsWWskd92z
# eMOUkJyVeiIWkW4draQ7CC0tJ4e+f/1PUkkLRfMMO55pGeunu3xwEgD4ALyD1A+y
# 029sKMXF6OSWgDQDrxDOe4bA7RW4yUba3EhSz8UyAvL3HIKQ0OuOJaGYkRee9DBQ
# DmCjIvPs6yCdAiuDbwO7V6RsH4k3yIONotST3qwf3sJXU3vvwsHi1n3ssccZBzw4
# sKwQ1xQN1eIc5+At+OJ6bzkdb/vg+UrFUfuCknqxuxvwg99+3Wx6vvemW7yqIUY4
# Vkhqs7WUZ0ucwo1zjLM12K4yS7kEQbOzHykYQzXXYxhzJIai+BZAJFytSER+Wl7Z
# AyIioWGKwTD/WTEzyfK5svnSmosWlikagMhl3+XyF2cma1rPqOOyuFpcFhmV6nlR
# vWhn568tDgJAyWqOCCHZqOMCAwEAAQ==
# -----END PUBLIC KEY-----
# SHA256 (OPNsense-business-24.4-dvd-amd64.iso.bz2) = a522510e89e52e209e4b241408ae9c3f49b78e42e17a6e2f96a06ac3f8f379b9
# SHA256 (OPNsense-business-24.4-nano-amd64.img.bz2) = 2237c9e1a87e0da82a1ccf42cd84c0ac8b1048ede480cd35430032bc64540739
# SHA256 (OPNsense-business-24.4-serial-amd64.img.bz2) = c1c7552a05dd12ae8ae17a980d8057bbd66506e8c9a98e66e22c51e74b139e2e
# SHA256 (OPNsense-business-24.4-vga-amd64.img.bz2) = b738634684354432d8a98a6bc8b720135c5d6940a0a82edacd36728d4ac2b854