25.10 Series

The OPNsense business edition transitions to this 25.10 release including revamped frontend grid UI, experimental privilege separation for the GUI, a new and improved firewall automation GUI, performance enhancements especially for numerous aliases being used at once, OpenID Connect integration, captive portal backend rewrite, Greek as a new language, FreeBSD 14.3 plus much more.

Please make sure to read the migration notes before upgrading.

Download link is as follows. An installation guide [1] and the checksums for the images can be found below as well.

https://downloads.opnsense.com/

25.10.1 (December 10, 2025)

This business release is based on the OPNsense 25.7.8 community version with additional reliability improvements, but without revamped Unbound blocklists for the time being.

Please be aware that during the update check the new package manager will be installed, but it will fail to report the update status the way it always did before, so you will end up with an error that requires checking for updates again. The fix is in this update, but it cannot be installed without upgrading the package manager first. We hope this will only be a minor inconvenience during the process.

Also, Python has reported security issues, one of which is a DoS in http.client that could affect existing installations if an HTTP server sends a malicious response which “can consume a large amount of memory and CPU time and cause swapping”. Python has not released an update for version 3.11 at this point in time.

Here are the full patch notes:

  • system: use new file_safe() in two instances

  • system: improve the HA VIP sync code

  • system: simplify RRD backup code and remove exec() usage [1] (reported by Alex Williams from Pellera Technologies working with Trend Zero Day Initiative)

  • system: move valid_from search criteria to log_matcher for faster end of search

  • system: use file_safe() in gateway monitor watcher

  • system: refactor factory reset page to MVC and add a reset per component operating on models

  • system: fix a HA sync regression introduced in 25.7.6 that prevented a sync from succeeding in an edge case

  • system: defaults: properly delete empty model containers in the configuration

  • system: switch int/bool to string in gateway properties

  • system: ignore TypeErrors when parsing log lines in the backend

  • system: replace various raw exec(), system(), passthru() and shell_exec() calls with safer variants

  • system: add host route deletion support to system_host_route()

  • system: move the general page host route removal to system_host_route()

  • system: add CA chain to PKCS12 export

  • system: fix hidden syslog HA XMLRPC sync option

  • interfaces: fix permission of packet capture file in strict security mode

  • interfaces: ifctl: always allow reads to internal state files

  • interfaces: fix overview details button not working

  • interfaces: support link-local IPv6 mode

  • interfaces: also stop PPPoE connections when CARP is temporarily disabled (contributed by René Mayrhofer)

  • interfaces: fix packet capture and ping buttons not working since 25.7.7

  • interfaces: limit execution of sysctl scope in PPP device edit code

  • interfaces: safer interfaces_pfsync_configure() handling

  • firewall: refactor live log using a ring buffer

  • firewall: add toggles to disable selected automatic rules

  • firewall: enable “safe delete” for categories

  • firewall: improved stats rendering on automation rules

  • firewall: allow searching aliases in automation rules inspect mode by IP address

  • firewall: automation: fix alias IP address search

  • firewall: automation: allow interface parameter to contain a list of interfaces for API users

  • firewall: aliases: replace invalid unicode chars (contributed by Marius Halden)

  • firewall: live log: only execute redraw on visibility state transition

  • firewall: live log: optimize viewbuffer rendering

  • firewall: live log: prevent re-resolving in-flight requests and move host lookup to current filtered view

  • firewall: live log: fix data ordering and add table/history limit options

  • firewall: live log: use “badge” class like before

  • firewall: live log: make this grid static and slightly adjust info column width

  • firewall: live log: backwards compatibility for old “interface_name” field type

  • firewall: live log: fix wrong variable scope

  • firewall: live log: restructure DOM layout to reduce wasted header space

  • firewall: live log: revert static property, persistence is disabled for this grid

  • firewall: states: fix delete_selected firewall states (contributed by Alexander Sulfrian)

  • firewall: do not allow nesting in GeoIP aliases

  • firewall: automation: split search logic and normalize legacy output

  • firewall: aliases: add a few GeoIP related logging messages

  • firewall: mute pfctl-based table entry expire to avoid cron noise due to stderr use

  • firewall: aliases: missing placeholder for username in basic auth type selection

  • firewall: support “0” as valid rule ID in rule lookup redirect

  • firewall: automation: add per-rule state timeouts for “udp.first”, “udp.multiple” and “udp.single”

  • captive portal: fix selectpicker #voucher-groups not being re-rendered after change event

  • captive portal: move grid init to tab show event

  • dnsmasq: strict hostname and domain validation plus improved ipset validations

  • dnsmasq: add optgroup support to DHCP option fields and expose all DHCPv4 options

  • dnsmasq: switch to file_safe() use in backend

  • dnsmasq: minor safe execution changes in backend

  • firmware: package manager upgrade changes for pkg 2.x

  • intrusion detection: remove obsolete “ac-bs” pattern matcher algorithm

  • ipsec: sessions: add datakey property for row mapping

  • ipsec: status: search phase 2 triggered twice on click and cleanup tooltip event as well

  • ipsec: disable model caching on SPD page

  • ipsec: add AES256GCM16 to the child ESP proposals list

  • ipsec: hide phase 2 output based on phase 1 status instead of the row count for phase 2

  • ipsec: add “reqid_base” setting to advanced settings

  • ipsec: sessions: fix missing commands translation

  • ipsec: connections: prevent model caching when referring items within the same model

  • isc-dhcp: adjust backend for safe execution

  • kea-dhcp: automatic route support for PD leases

  • kea-dhcp: case insensitive MAC address comparison

  • openssh: minor safe execution change in backend

  • openvpn: add support for pushing excluded routes via net_gateway (contributed by Patrice Damezin)

  • openvpn: allow multiple domains settings for client connection (contributed by Krisztian Ivancso)

  • openvpn: use file_safe() to write CRL files

  • openvpn: swap description and mode in “tls_key” and require a description for static keys

  • openvpn: one safe execution change

  • openvpn: add fast-io option (contributed by mdten)

  • radvd: safe execution changes

  • unbound: use file_safe() for root hint creation

  • unbound: deprecate unmaintained AdAway blocklist (contributed by Maurice Walker)

  • unbound: duplicate pointer records due to not casting the field types

  • unbound: missing lock in del_host_override action

  • wireguard: add debug option to instances

  • wireguard: fix wrong maximum value for “PersistentKeepalive”

  • backend: add file_safe() helper for atomic file creation

  • backend: rename “realif” variables to “device” in a number of spots

  • backend: avoid the use of get_real_interface() when it does not matter and remove dead code associated with that

  • backend: extend shell_safe() to emulate exec() $output argument magic

  • backend: reimplement existing command execution functions with Shell class implementation

  • backend: replace mwexecf_bg() with mwexecfb() for clarity

  • mvc: add RegexField to properly validate PCRE2 syntax

  • mvc: support arrays in search clauses

  • mvc: OptionField: properly translate optgroup

  • mvc: JsonKeyValueStoreField: fix race condition when using SourceField in the model

  • mvc: persist models description in root attribute of its respective configuration

  • mvc: move translation to menu system and add “FixedName” property

  • mvc: extend ModelRelationField so it can optionally disable caching

  • mvc: rewrite the old Shell class according to our current standards for safe command execution (exec_safe() wrapper)

  • mvc: fix default sort order being ignored in fetchBindRequest()

  • mvc: make “data_change_message_content” configurable

  • rc: do not clear /tmp on a diskless install

  • rc: secure an exec() in the recovery script

  • shell: assorted cleanups in console menu related scripts

  • ui: assorted adjustments for dark theme

  • ui: always show bootgrid reset button

  • ui: improve grid responsiveness via minWidth()

  • ui: remove this.dataIdentifier as datakey defines the key to be used when asking “row-id” or getSelectedRows

  • ui: SimpleActionButton: add support for icons in action buttons

  • ui: recompile default themes using dart sass (1.93.2) which changes color rendering

  • ui: keyboard shortcuts for “a”dvanced and “h”elp in MVC pages (contributed by Konstantinos Spartalis)

  • ui: bail out on dynamic grid resize if data is loading

  • ui: bootgrid: prevent full table redraw without onDataProcessed trigger

  • ui: bootgrid: add missing datakeys to two pages

  • ui: fix tokenizer event trigger loop

  • plugins: os-OPNWAF 2.1

  • plugins: os-ddclient 1.28 [2]

  • plugins: os-freeradius 1.9.28 [3]

  • plugins: os-frr 1.49 [4]

  • plugins: os-git-backup 1.1 [5]

  • plugins: os-ndp-proxy-go 1.0 is a hot-off-the-press userspace IPv6 Neighbor Discovery Proxy [6]

  • plugins: os-q-feeds-connector 1.3 [7]

  • plugins: os-tailscale 1.3 [8]

  • plugins: os-tayga 1.3 [9]

  • plugins: os-theme-flexcolor 1.0 is a new 3-in-1 theme [10] (contributed by Schnuffel2008)

  • plugins: os-zabbix-proxy 1.15 [11]

  • src: dhclient: improve UDP checksum handling

  • src: dummynet: move excessive logging messages under debug output

  • src: ice: add PCI IDs for E835 devices

  • src: ice: add support for E835-XXV-4 adapter

  • src: if_vxlan: fix byteorder of source port

  • src: ifconfig: assorted stable branch improvements

  • src: igb: fix out-of-bounds register access on VFs

  • src: ipfw: check for errors from sooptcopyin() and sooptcopyout()

  • src: ipfw: pmod: avoid further rule processing after tcp-mod failures

  • src: ix/ixv: add support for new Intel Ethernet E610 family devices

  • src: ixl: fix multicast promiscuous mode state tracking and filter management

  • src: net: validate interface group names in ioctl handlers

  • src: netlink: in snl_init_writer() do not overwrite error in case of failure

  • src: pf: improve add state validation

  • src: pf: improve DIOCRCLRTABLES validation

  • src: pf: SCTP abort messages fully close the connection

  • src: sctp, tcp, udp: improve deferred computation of checksums

  • src: SO_REUSEPORT_LB breaks connect(2) for UDP sockets [12]

  • src: vtnet: assorted stable branch improvements

  • ports: curl 8.17.0 [13]

  • ports: kea 3.0.2 [14]

  • ports: libxml 2.14.6 [15]

  • ports: nss 3.118.1 [16]

  • ports: openssh 10.2p1 [17]

  • ports: openvpn 2.6.17 [18]

  • ports: pcre2 10.47 [19]

  • ports: php 8.3.28 [20]

  • ports: pkg 2.3.1

  • ports: python 3.11.14 [21]

  • ports: sqlite 3.50.4 [22]

  • ports: strongswan 6.0.3 [23]

  • ports: suricata 8.0.2 [24]

  • ports: syslog-ng 4.10.2 [25]

  • ports: unbound 1.24.2 [26]

A hotfix release was issued as 25.10.1_2:

  • firewall: clean up rules edit cancel button

  • firmware: opnsense-update: remove architecture pinning for -X option

  • mvc: FilterBaseController: move shared automation rule logic here

  • src: e1000: do not enable ASPM L1 without L0s

  • src: e1000: bump 82574/82583 PBA to 32K

  • src: if_ovpn: use IFT_TUNNEL

  • src: ifconfig: bring back -L for netlink

  • src: igb: fix VLAN support on VFs

  • src: irdma: fix potential memory leak on qhash cqp operation

  • src: ix: add support for debug dump for E610 adapters

  • src: netmap: fix error handling in nm_os_extmem_create()

  • src: pf: reading rules with a read lock on ioctl

  • src: pf: relax sctp v_tag verification

  • src: pf: handle divert packets

  • src: pfsync: fix incorrect unlock during destroy

  • src: rtsold: remote code execution via ND6 router advertisements [27]

25.10 (October 15, 2025)

This business release is based on the OPNsense 25.7.5 community version with additional reliability improvements.

Here are the full patch notes against version 25.4.3:

  • system: the setup wizard was rewritten using MVC/API

  • system: change default DHCP use from ISC to Dnsmasq for factory reset and console port and address assignments

  • system: numerous permission, ownership and directory alignments for web GUI privilege separation

  • system: allow experimental feature to run web GUI privilege separated as “wwwonly” user

  • system: add a banner when trying to revert the privilege separated GUI back to root at run time

  • system: consistently use empty() checks on “blockbogons”, “blockpriv”, “dnsallowoverride” and “dnsallowoverride_exclude”

  • system: change default system domain to “internal” (contributed by Self-Hosting-Group)

  • system: remove the “optional” notion of tunables known to the system

  • system: enable kernel timestamps by default

  • system: allow CSR to be downloaded from System/Trust/Certificates (contributed by Gavin Chappell)

  • system: HTML decode entities when generating new QR code for user

  • system: add missing timestamp formatter in snapshots

  • system: prevent misconfigurations with the automatic user creation option

  • system: add pluginctl hook for cache_flush

  • system: rewrite wwwonly bootstrap procedure

  • system: allow authentication events from wwwonly user

  • system: fix two regressions due to stream output path safety addition

  • system: fix reconfigure control on HA status page for small viewports

  • system: add pluginctl -m and -v options for model migrations and validations calls

  • system: add “power off” backend action to GUI cron options

  • system: add the pfsync “defer” option to high availability

  • system: return both interfaces in a single call for get_nameservers()

  • system: safeguard legacy local_sync_accounts() against malformed user entries

  • system: change atrun interval to every minute

  • reporting: removed the unused second argument in getSystemHealthAction()

  • reporting: renamed getRRDlistAction() to getRrdListAction()

  • reporting: fixed internal parameter names in insight graphs

  • interfaces: fix media settings write issue since 24.7 as it would not apply when “autoselect” result already matched

  • interfaces: removed defunct SLAAC tracking functionality (SLAAC on WAN still works fine)

  • interfaces: no longer fix improper WLAN clone naming at run time as it should be ensured by code for a long time now

  • interfaces: remove the functions get_configured_carp_interface_list() and get_configured_ip_aliases_list()

  • interfaces: add VIP grid formatter to hide row field content based on the set mode

  • interfaces: drop redundant updates in rtsold_resolvconf.sh (contributed by Andrew Baumann)

  • interfaces: moved get_real_interface() to util.inc

  • interfaces: replace MAC vendor database from py-netaddr with a simple local implementation

  • interfaces: refactor getting both devices from interface in settings page

  • interfaces: get both devices of interface in one call

  • interfaces: fix flags display in interface overview detail

  • firewall: add expire option to external aliases to automatically cleanup tables via cron

  • firewall: removed the expiretable binary use in favour of the builtin pfctl

  • firewall: speed up alias functionality by using the new model caching

  • firewall: consolidated ipfw/dnctl scripting and fix edge case reloads

  • firewall: code cleanup and performance improvements for alias diagnostics page

  • firewall: assorted UI updates for automation pages

  • firewall: a few minor improvements in automation GUI

  • firewall: remove unused “set loginterface” clause

  • firewall: additional statistics for alias grid

  • firewall: fix shaper reset button

  • firewall: add “quick” mode in alias update to skip table size comparison during schedules

  • firewall: adjust firewall_rule_lookup to open correct interface and rule from firewall live log

  • firewall: add port alias selection to source_port and destination_port

  • firewall: implement alias description tooltip and other UX tweaks

  • firewall: add optional Tabulator tree view to show categories as rule folders in automation

  • firewall: put sequence and sort_order in advanced mode of automation rules

  • firewall: front-end table rendering performance improvement for alias diagnostics

  • firewall: also set groups for special IPv6 interfaces

  • firewall: ignore empty lines for pf table counting

  • firewall: support tags in source NAT automation rules

  • firewall: allow alias nesting for URL tables

  • firewall: fix interface_net aliases not being populated

  • firewall: fix return value when failing to resolve host entries for aliases and no previous content is known

  • firewall: treat “skip” protocol as a string to avoid syntax error

  • firewall: improve alias parsing performance in diagnostics page

  • firewall: support IPinfo format for GeoIP [2]

  • firewall: adapt default table size calculation

  • captive portal: migrate backend from IPFW to PF

  • captive portal: fix regression when NAT reflection is enabled

  • captive portal: fix command line argument parsing in backend

  • captive portal: remove obsolete interfaces_inbound option that works by default now

  • captive portal: missing fix for command line argument parsing in backend

  • captive portal: fix display issue for pass rule when client not in zone

  • captive portal: allow disabling automatic firewall rules

  • captive portal: exclude portal table in destination

  • captive portal: restore the logging of drop reasons

  • captive portal: fix last_accessed being cached from previous entries if N/A

  • captive portal: mark alias as type external for use in rules

  • captive portal: align accounting session timeout with API

  • captive portal: balance fastcgi servers a bit better

  • captive portal: do not share a fastcgi socket with web GUI

  • firewall: fix flags not showing on GeoIP selection

  • captive portal: make room for additional authentication profiles

  • captive portal: API dispatcher is now privilege separated via “wwwonly” user and group

  • captive portal: preparations for SSO identification support

  • captive portal: move backend scripts directory

  • captive portal: various style cleanups

  • captive portal: restyle default login template

  • captive portal: case insensitive MAC parsing

  • captive portal: remove stale dir-listing.activate from web server

  • captive portal: support OpenID Connect authentication through custom template

  • dnsmasq: add optional subnet mask to “dhcp-range” to satisfy DHCP relay requirements

  • dnsmasq: sync CSV export with ISC and Kea structure

  • dnsmasq: add CNAME configuration option to host overrides

  • dnsmasq: add ipset support

  • dnsmasq: swap hosts and domains tab for consistency reasons

  • dnsmasq: allow disabling local for DHCP domains

  • dnsmasq: add Tabulator “groupBy” functionality to group by interfaces

  • dnsmasq: add leases widget that shows latest leases

  • dnsmasq: refine the selection of automatic DHCP rules for eligible interfaces

  • firmware: opnsense-version: build time package variable replacements can now be read at run time

  • firmware: hide community plugins by default and add a checkbox to unhide them on the same page

  • firmware: introduce a new support tier 4 for development and otherwise unknown plugins

  • firmware: disable the FreeBSD-kmods repository by default

  • firmware: opnsense-version: support more elaborate -R replacement

  • firmware: store update and upgrade logs in edge cases

  • firmware: opnsense-version: support file based -R option

  • firmware: opnsense-update: support -g for update log view

  • firmware: remove tier 2 workaround for Zenarmor plugins

  • firmware: add date to modal header

  • firmware: opnsense-patch: fix cache flush using new hook

  • firmware: add vuxml.freebsd.org to CRL handling hostnames

  • firmware: switch business mirror layout

  • intrusion detection: add JA4 support (contributed by Maxime Thiebaut)

  • intrusion detection: fix interface name conversion

  • intrusion detection: fix ja4 option templating

  • intrusion detection: fix and simplify grid search in download tab

  • intrusion detection: fix downloads tab not loading with Tabulator

  • intrusion detection: revert “fix downloads tab not loading with Tabulator”

  • intrusion detection: make grids virtual to fix performance issues

  • ipsec: fix regression in configuration write with introduced volatile fields

  • ipsec: add firewall rules skip option for VTIs

  • ipsec: deprecate legacy stroke and implement swanctl for overview

  • ipsec: add default value to “make_before_break” that retains disabled default

  • ipsec: fix bulk operations in SPD page

  • ipsec: dots are not allowed in pool names

  • ipsec: allow underscores in PSK identifiers

  • isc-dhcp: show tracking IPv6 interfaces when automatically enabled and offer an explicit disable

  • isc-dhcp: hide IPv4 menu items when Dnsmasq DHCP is enabled to improve out of the box experience

  • isc-dhcp: add static mapping CSV export

  • isc-dhcp: allow static mapping export for disabled entries

  • kea-dhcp: honour IPv4 client specific reservation domain name option (contributed by NOYB)

  • kea-dhcp: expose lease expiration settings to the GUI (contributed by Konstantinos Spartalis)

  • kea-dhcp: support DHCP option 121 (classless static routes)

  • lang: add Greek as a new language (contributed by sopex)

  • lang: make more strings translate-able (contributed by Tobias Degen)

  • lang: updates for Chinese, Czech, German and Greek

  • lang: new Ukrainian language and assorted updates

  • monit: move backend scripts directory

  • monit: fix migration weirdness with run/post use

  • openvpn: the server wizard functionality has been permanently removed as it required the old wizard implementation

  • radvd: refine checks that ignored 6rd and 6to4

  • wireguard: move backend scripts to proper location

  • unbound: fix error in edge case of initial model migration

  • unbound: configurable top domain list length in reporting view (contributed by sopex)

  • unbound: remove unknown model reference and protect/simplify remaining one

  • unbound: add support for TXT records in host overrides

  • backend: trigger boot template reload without using configd

  • backend: added IPv6 bracket helper for templates (contributed by BPplays)

  • backend: add “!” operator to execute and flush cache when it exists

  • mvc: introduce generic model caching to improve operational performance

  • mvc: field types quality of life improvements with new getValues() and isEqual() functions

  • mvc: field types deprecated getCurrentValue() in favour of getValue() and removed isEmptyString()

  • mvc: new BaseSetField() as a parent class for several other field types and numerous new and improved unit tests

  • mvc: support chown/chgrp in File and FileObject classes

  • mvc: use getNodeContent() to gather grid data

  • mvc: allow PortOptional=Y for IPPortField

  • mvc: remove SelectOptions support for CSVListField

  • mvc: migrated use of setInternalIsVirtual() to volatile field types

  • mvc: fix getDescription() in NetworkAliasField

  • mvc: improve resilience of VPNIdField and LinkAddressField

  • mvc: repair side effect of getDescription() change causing performance regressions

  • mvc: modify existing and add missing descriptions in models

  • mvc: set default validation message for CertificateField

  • mvc: BaseModel: minor non-functional cleanups

  • mvc: ModelRelationField: keep array structure in memory to avoid reinitiating object construction

  • mvc: tweaked model definitions, especially descriptions and validation message style

  • mvc: slightly adjust two getOption() calls in constraints

  • mvc: BaseListField: always map values in getDescription()

  • mvc: BaseListField: account for option container and passthrough value

  • mvc: remove getCurrentValue() compatibility wrapper

  • mvc: Backend: always return strings in configdRun() and configdpRun()

  • mvc: improve replaceInputWithSelector() to support an empty placeholder

  • mvc: setDefault() not fired as setValue() was set with an empty string

  • mvc: allow empty responses to fix a regression due to stream output safety path addition

  • mvc: remove empty string fallbacks for backend invokes that are no longer needed

  • mvc: more style changes on existing core models

  • mvc: disable Dnsmasq/Unbound template generation

  • mvc: remove getDescription() overlay in ModelRelationField

  • mvc: protect JSON response against UTF-8 encoding failures

  • mvc: HTML-decode select element values

  • rc: make changes to php,var,tmp bootstrap

  • ui: switch from Bootgrid to Tabulator for MVC grid rendering

  • ui: numerous switches to shared base_bootgrid_table and base_apply_button use

  • ui: flatten nested containers for grid inclusion

  • ui: use snake_case for all API URLs and adjust ACLs accordingly

  • ui: move tooltip load event to single-fire mode

  • ui: add checkmark to SimpleActionButton as additional indicator

  • ui: improve menu icons/text spacing (contributed by sopex)

  • ui: bootgrid: clean up leftover compatibility bits

  • ui: bootgrid: add missing sortable option

  • ui: bootgrid: provide more styling possibilities from formatters

  • ui: fix language selection for low vertical resolution screens (contributed by sopex)

  • ui: hide header of the picture widget on the dashboard (contributed by sopex)

  • ui: bootgrid: add tabulatorOptions to translateCompatOptions()

  • ui: bootgrid: raise rowCount default to 50 and adjust selections accordingly for most pages

  • ui: bootgrid: simplify custom grid command additions

  • ui: do not add an empty option into an empty option group

  • ui: add datetime-local to field types

  • plugins: replace variables in package scripts by default

  • plugins: os-OPNBEcore 1.6 with OpenID Connect and scheduled jobs support

  • plugins: os-OPNWAF 2.0 with OpenID Connect support, customizable error documents and updated rule set

  • plugins: os-acme-client 4.10 [3]

  • plugins: os-bind 1.34 [4]

  • plugins: os-c-icap 1.9 [5]

  • plugins: os-caddy 2.0.4 [6]

  • plugins: os-clamav 1.8.1 [7]

  • plugins: os-crowdsec 1.0.12 [8]

  • plugins: os-dnscrypt-proxy 1.16 [9]

  • plugins: os-etpro-telemetry 1.8 now shows more status responses in widget

  • plugins: os-frr 1.47 [10]

  • plugins: os-gdrive-backup 1.0 for Google Drive backup support

  • plugins: os-grid_example 1.1 updates best practice on grid development

  • plugins: os-netbird 1.0 (contributed by Gauss23 and Bethuel Mmbaga)

  • plugins: os-netbird 1.1 fixes service startup and switches to syslog (contributed by Bethuel Mmbaga)

  • plugins: os-nginx 1.35 [11]

  • plugins: os-openvpn-legacy 1.0 for legacy OpenVPN components support

  • plugins: os-puppet-agent 1.2 [12]

  • plugins: os-shadowsocks 1.3 [13]

  • plugins: os-smart 2.4 adds extended info option (contributed by poisonbl)

  • plugins: os-squid 1.3 [14]

  • plugins: os-strongswan-legacy 1.0 for legacy IPsec components support

  • plugins: os-telegraf 1.12.13 [15]

  • plugins: os-theme-advanced 1.1 (contributed by Jaka Prašnikar and Raushan Patel)

  • plugins: os-theme-cicada 1.40 (contributed by Team Rebellion)

  • plugins: os-theme-tukan 1.30 (contributed by Team Rebellion)

  • plugins: os-theme-vicuna 1.50 (contributed by Team Rebellion)

  • plugins: os-zabbix-agent 1.17 [16]

  • plugins: os-zabbix-proxy 1.14 [17]

  • src: FreeBSD 14.3-RELEASE-p4 plus assorted stable/14 networking commits [18]

  • src: add a new sysctl in order to differentiate UEFI architectures [19]

  • src: libarchive: merge version 3.8.1 [20]

  • src: lagg: fix if_hw_tsomax_update() not being called

  • src: wg: add support for removing allowed-ip entries and assorted cleanups

  • src: ovpn: support multihomed server configurations and assorted cleanups

  • src: netlink: fully clear parser state between messages

  • src: udp: fix an inpcb refcount leak in the tunnel receive path

  • src: p9fs: assorted fixes

  • src: assorted network stack fixes via stable/14

  • src: if_ovpn: support IPv6 link-local addresses

  • src: if_ovpn: support floating clients

  • src: if_ovpn: fill out sin_len/sin6_len

  • src: if_ovpn: destroy cloned interfaces via a prison removal callback

  • src: ifconfig: support VLAN ID in static/deladdr

  • src: bnxt: fix the request length in bnxt_hwrm_func_backing_store_cfg()

  • src: iflib: set the get counter routine prior to attaching the interface

  • src: ifnet: defer detaching address family dependent data

  • src: ixgbe: fix incomplete speed coverage in link status logging

  • src: ixl: fix queue MSI and legacy IRQ rearming

  • src: openssl: fix multiple vulnerabilities [21]

  • src: re: add PNP info for module

  • src: re: make sure re_rxeof() is called in net epoch context

  • src: vfs: fix copy_file_range() failing to set output parameters [22]

  • ports: curl 8.16.0 [23]

  • ports: dnspython 2.8.0 [24]

  • ports: expat 2.7.3 [25]

  • ports: kea 3.0.1 [26]

  • ports: krb5 1.22.1 [27]

  • ports: libpfctl 0.17

  • ports: lighttpd 1.4.82 [28]

  • ports: nss 3.117 [29]

  • ports: openssl 3.0.18 [30]

  • ports: openvpn 2.6.15 [31]

  • ports: pcre2 10.46 [32]

  • ports: perl 5.42.0 [33]

  • ports: php 8.3.26 [34]

  • ports: phpseclib 3.0.47 [35]

  • ports: py-duckdb 1.3.2 [36]

  • ports: py-jq 1.10.0 [37]

  • ports: py-requests 2.32.5

  • ports: strongswan 6.0.1 [38] [39]

  • ports: sudo 1.9.17p2 [40]

  • ports: suricata 7.0.12 [41]

  • ports: unbound 1.24.0 [42]

A hotfix release was issued as 25.10_2:

  • system: safeguard config history delete and revert by requiring HTTP POST method

  • rc: make sure /var/lib/php/tmp can be accessed by “other” users

  • plugins: os-OPNBEcore 1.7

  • plugins: os-OPNcentral 1.12

  • plugins: os-q-feeds-connector 1.2 [43] [44]

  • plugins: os-squid 1.4 works around CVE-2025-62168 (contributed by m.a.x. it)

Migration notes, known issues and limitations:

  • The captive portal implementation moves from IPFW to PF. Check the technical details first, especially regarding the new ruleset behaviours. [45]

  • Deprecated Google Drive backups due to upstream policy changes and moved to plugins for existing users.

  • API URLs registered in the default ACLs have been switched from “camelCase” to “snake_case”.

  • API grid return values now offer “%field” for a value description when available. “field” will now always be the literal value from the configuration. The API previously returned a display value for some field types, but not all.

  • Reverted tunables “hw.ibrs_disable” and “vm.pmap.pti” to FreeBSD defaults when no explicit values have been set in tunables.

  • Moved OpenVPN legacy to plugins as a first step to deprecation.

  • Moved IPsec legacy to plugins as a first step to deprecation.

The public key for the 25.10 series is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAn9lXekbm5KcktbiWpmQf
# drRC8LmAOTV9Cbdd3em6iDFFcw8vmRS7Rbo2/exxYiPCqEPxxPtUsW+g/a6fqPJp
# pof5D1EHWqzPfkjRQV6ipQjm+ocJGkfbeHsp5I77L+w7om5TbPYBkOjg+iMd442d
# VYxgqXmMZy+6v78ofVM+wyba0GkRymFt0qf5k5uk3Auztcfanc2Ymsc+PDdjGHQd
# c9H8T0T6To8Z0xrbEXzY00IqSRkLto9Cl+xEmEAz/AiEu2WtEadOqSpDy9dsJfQg
# HpBQVlGQdphj5zmkqG6JSL1Uw+02OeIXOfFWRtqgW7vMyU0IbER3hLpvh6BlsqNJ
# LCPfD7F/dzDPU5LniDRRb4MrTlVpJk2h8pk7GbmJCqAyWJJZ6n3a+InPtUfl9gP5
# T0d15N7myh8RLssP+TIy8hiBHtc/yK89dUahGei1xDuh0HdytRLLLWVXqgWwgXhd
# 9it8l8AJ/D2BtuyExpJOWx3sYvmhJiPN8phCaR2G2E+QRA2X5nHGyUw5jYpKI8Om
# Q2khz1PBYcA/T5lKhM3HRFCu2HZsPKT5CEevZfUuPDXIqwx+LMFs6qqbzbGrdn1F
# H6ZSlG0BWuokeyjhN2mB0Fr6kdLobmfVgZHUS7KOwcI9BdftSDbEk8kMxrQlwugh
# 4I1hTrAycMERbjeUKg1plx8CAwEAAQ==
# -----END PUBLIC KEY-----
# SHA256 (OPNsense-business-25.10-dvd-amd64.iso.bz2) = 6c45cd311960d42aa87933d2134c19825565d1ab74caa4129d08a938dbf621e8
# SHA256 (OPNsense-business-25.10-nano-amd64.img.bz2) = 2a706e56c45a1ecc8d4f14f85d3e07f1f3be85ac2d79459f62e9fed860edae19
# SHA256 (OPNsense-business-25.10-serial-amd64.img.bz2) = 8e8460dc8751cb0c7ab863d44ceb59a59a3eadbb9622ac707e43aeda002a3d7e
# SHA256 (OPNsense-business-25.10-vga-amd64.img.bz2) = fefac8e50c30c463072fbda508c675d176a0f0a7d910eacede3112e7a76dc365