24.1 “Savvy Shark” Series

For more than 9 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

24.1, nicknamed “Savvy Shark”, features ports-based OpenSSL 3, Suricata 7, several MVC/API conversions, a new neighbor configuration feature for ARP/NDP, core inclusion of the os-firewall and os-wireguard plugins, CARP VHID tracking for OpenVPN and WireGuard, functional Kea DHCPv4 server with HA support plus much more.

Download links, an installation guide [1] and the checksums for the images can be found below as well.

24.1.2 (February 20, 2024)

It is time to move back to Suricata version 7 after identifying the relevant default option changes in order to keep IPS/Netmap happy when running it. Kea also received a number of tweaks and updates as well as our VPN service integrations.

Last but not least this includes FreeBSD 13.2-p10 and the recent DNS denial of service attack mitigation.

Here are the full patch notes:

  • system: accept colon character in log queries

  • system: add issuer and logo to OTP link

  • system: fix gateway migration issue causing individual items to be skipped

  • reporting: update traffic graph colors to be contrast and consistent (contributed by brotherla)

  • interfaces: fix strpos() deprecation null haystack

  • interfaces: add missing ACL entries for ARP/NDP tables

  • interfaces: fix VXLAN validation

  • firewall: change default traffic normalization behavior and choose “in” as standard direction for manual rules

  • firewall: make select width more consistent on alias diagnostics table selection

  • dhcp: set RemoveAdvOnExit to off in CARP mode for router advertisements

  • dhcp: make sure the register DNS leases options reflect that this is only supported for ISC DHCP

  • dhcp: make option_data_autocollect option more explicit in Kea

  • dhcp: gather missing Kea leases another way since the logs are unreliable

  • dhcp: add address constraint to Kea reservations

  • dhcp: add unique constraint for MAC address + subnet in Kea

  • dhcp: add domain-name to client configuration in Kea

  • dhcp: loosen constraints for TFTP boot in Kea

  • intrusion detection: adjust for default behaviour changes in Suricata 7

  • ipsec: improve enable button placement on connections page

  • ipsec: show EAP-RADIUS settings only when legacy tunnels are being used

  • ipsec: allow % to support %any in ID for connections

  • openvpn: when “cert_depth” is left empty it should ignore the value

  • openvpn: data-ciphers-fallback should be a single option

  • openvpn: fix support for /30 p2p/net30 instances

  • openvpn: add “various_push_flags” field for simple boolean server push options in connections

  • unbound: prevent os.write() on None when another thread closed the pipe in Python module

  • wireguard: key constraints should only apply on peers and not instances

  • wireguard: peer uniqueness should depend on pubkey + endpoint

  • wireguard: skip attached instance address routes

  • wireguard: remove duplicate ID columns

  • mvc: fix Phalcon 5.4 and up

  • src: jail: fix information leak [1]

  • src: bhyveload: use a dirfd to support -h [2]

  • src: EVFILT_SIGNAL: do not use target process pointer on detach [3]

  • src: setusercontext(): apply personal settings only on matching effective UID [4]

  • src: re: generate an address if there is none in the EEPROM

  • src: wg: detect loops in netmap mode

  • src: wg: detach bpf upon destroy as well

  • src: wg: fix access to noise_local->l_has_identity and l_private

  • src: wg: fix erroneous calculation in calculate_padding() for p_mtu == 0

  • plugins: os-acme-client 4.1 [5]

  • plugins: os-ddclient 1.21 [6]

  • plugins: os-dnscrypt-proxy 1.15 [7]

  • ports: dnsmasq 2.90 [8]

  • ports: openvpn 2.6.9 [9]

  • ports: phalcon 5.6.1 [10]

  • ports: radvd adds upstream patch for RemoveAdvOnExit option

  • ports: suricata 7.0.3 [11]

  • ports: unbound 1.19.1 [12]

A hotfix release was issued as 24.1.2_1:

  • system: fix dynamic gateway persisting its address

24.1.1 (February 06, 2024)

Apart from rolling back Suricata 7 to 6 the new major version is looking good. The two intertwined Suricata default config changes in version 7 have been identified and fixed in the development version so that we can move back to version 7 in 24.1.2.

This minor release is intended as a small round of fixes and third party updates to ensure reliability and security.

Here are the full patch notes:

  • system: enable OpenSSL legacy provider by default to allow Google Drive backup to continue working with OpenSSL 3

  • system: bring back the interface statistics dashboard widget update interval

  • system: fix all items in the OPNsense container being synced in XMLRCP when NAT option is selected

  • interfaces: overview page UX improvements

  • firewall: align GeoIP file check with documentation

  • firewall: fix virtual IP API use with subnet/subnet_bits usage

  • wireguard: allow instances to start their ID at 0 like they used to a long time ago

  • dhcp: omit faulty comma in Kea config when control agent is disabled

  • dhcp: add opt-out automatic firewall rules for Kea server access

  • ipsec: remove AEAD algorithms without a PRF for IKE proposals in connections

  • openvpn: fix cso_login_matching being ignored during authentication

  • backend: optimise stream_handler to exit and kill running process when no listener is attached

  • plugins: os-frr 1.39 [1]

  • plugins: os-haproxy 4.3 [2]

  • plugins: os-ntopng 1.3 [3]

  • plugins: os-tor 1.10 adds MyFamily support (contributed by Mike Bishop)

  • ports: nss 3.97 [4]

  • ports: openldap 2.6.7 [5]

  • ports: openssl 3.0.13 [6]

  • ports: syslog-ng 4.6.0 [7]

24.1 (January 30, 2024)

For more than 9 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

24.1, nicknamed “Savvy Shark”, features ports-based OpenSSL 3, Suricata 7, several MVC/API conversions, a new neighbor configuration feature for ARP/NDP, core inclusion of the os-firewall and os-wireguard plugins, CARP VHID tracking for OpenVPN and WireGuard, functional Kea DHCPv4 server with HA support plus much more.

Download links, an installation guide [1] and the checksums for the images can be found below as well.

Here are the full patch notes against 23.7.12:

  • system: prevent activating shell for non-admins

  • system: add OCSP trust extensions and improved authorities implementation

  • system: migrate single gateway configuration to MVC/API

  • system: use new backend streaming functionality in the log viewer

  • system: limit file system /conf/config.xml and backups access to administrators

  • system: migrate gateways model to match new class introduced in 23.7.x

  • system: refactor get_single_sysctl()

  • system: update cron model

  • system: fix migration issue in new gateways model

  • system: handle case insensitivity while reading groups

  • system: shuffle authentication templates to the end of login configuration

  • system: add “maxfilesize” option to enforce a log rotate when files exceed their limit

  • reporting: print status message when Unbound DNS database was not found during firmware upgrade

  • reporting: update NetFlow model

  • interfaces: implement new neighbor configuration for ARP and NDP entries using MVC/API

  • interfaces: refactor interface_bring_down() into interface_reset() and interface_suspend()

  • interfaces: migrate the overview page to MVC/API

  • interfaces: add optional local/remote port to VXLAN

  • interfaces: remove unused code from native dhclient-script

  • interfaces: do not flush states on clear event

  • firewall: add automation category for filter rules and source NAT using MVC/API, formerly known as os-firewall plugin

  • firewall: migrate NPTv6 page to MVC/API

  • firewall: add a track interface selection to NPTv6 as an alternative to the automatic rule interface fallback when dealing with dynamic prefixes

  • captive portal: fix integer validation in vouchers

  • captive portal: update model

  • dhcp: clean up duplicated domain-name-servers option

  • dhcp: cleanup get_lease6 script and fix parsing issue

  • dhcp: add Kea DHCPv4 server option with HA capabilities as an alternative to the end of life ISC DHCP

  • dhcp: deduplicate records in Kea leases

  • intrusion detection: show rule origin in rule adjustments grid

  • ipsec: extend connection proposals tooltip to children and fix tooltip style issue

  • lang: added traditional Chinese translation (contributed by Jason Cheng)

  • monit: update model

  • openvpn: allow optional OCSP checking per instance

  • openvpn: emit device name upon creation

  • openvpn: add workaround for net30/p2p smaller than /29 networks

  • openvpn: add optional “route-metric” push option for server instances

  • web proxy: integration moved to os-squid plugin

  • wireguard: installed by default using the bundled FreeBSD 13.2 kernel module

  • backend: constrain execution of user add/change/list actions to members of the wheel group

  • backend: only parse stream results when configd socket could be opened

  • backend: wait for all configd results and add it to the log message when detached

  • mvc: remove legacy Phalcon migration glue

  • mvc: add configdStream action to ApiControllerBase

  • mvc: support array structures for better search functionality in ApiControllerBase

  • mvc: scope xxxBase validations to the item in question in ApiMutableModelControllerBase

  • mvc: remove Phalcon syslog implementation with a simple wrapper

  • mvc: add a DescriptionField type

  • mvc: add a MacAddressField type

  • mvc: add IsDNSName to support DNS names as specified by RFC2181 in HostnameField

  • ui: include meta tags for standalone/full-screen on Android and iOS (contributed by Shane Lord)

  • ui: add double click event with grid dialog in tree view to show a row layout instead

  • ui: auto-trim MVC input fields when being pasted

  • ui: increase standard search delay from 250 ms to 1000 ms

  • ui: make modal dialogs draggable

  • ui: support key/value combinations for error messages in do_input_validation()

  • plugins: os-acme-client 4.0 [2]

  • plugins: os-api-backup was discontinued due to overlapping functionality in core

  • plugins: os-firewall moved to core

  • plugins: os-haproxy 4.2 [3]

  • plugins: os-nrpe updated to NRPE 4.1.x

  • plugins: os-postfix updated to Postfix 3.8.x

  • plugins: os-squid 1.0 offers the removed web proxy core functionality

  • plugins: os-wireguard moved to core

  • plugins: os-wireguard-go was discontinued

  • src: NFS client data corruption and kernel memory disclosure [4]

  • src: pf: merge extended support for SCTP and related stable changes

  • src: e1000: merge assorted driver improvements for hardware capabilities

  • src: bsdinstall: merge assorted stable changes

  • src: tuntap: merge assorted stable changes

  • src: wireguard: add experimental netmap support

  • src: sys: Use mbufq_empty instead of comparing mbufq_len against 0

  • src: e1000/igc: remove disconnected sysctl

  • ports: libxml 2.11.6 [5]

  • ports: openssl 3.0.12 [6]

  • ports: php 8.2.15 [7]

  • ports: py-duckdb 0.9.2

  • ports: sqlite 3.45.0 [8]

  • ports: suricata 7.0.2 [9]

A hotfix release was issued as 24.1_1:

  • ports: revert back to suricata 6.0.15 for the time being

Migration notes, known issues and limitations:

  • Audits and certifications are requiring us to restrict system accounts for non-administrators (without wheel group in particular). It will no longer be able to use non-adminstrator accounts with shell access and permissions for sensitive files have been tightened to not be world-readable. This may cause custom tooling to stop working, but can easily be fixed by giving these required accounts the full administration rights.

  • ISC DHCP functionality is slowly being deprecated with the introduction of Kea as an alternative. The work to replace the tooling of ISC DHCP is ongoing, but feature sets will likely differ for a long time therefore.

  • The move to the FreeBSD ports version of OpenSSL 3.0 is included and may disrupt third party repository use until those have been fixed and rebuilt accordingly. Please note that we do not vet third party repositories and do not have control over them so their response time may vary.

  • The Squid web proxy functionality moves to a plugin and will no longer be installed by default for new installations. However, if you have Squid enabled the plugin will automatically be installed during the upgrade. There is no code difference in the implementation and integration of the plugin compared to the core version.

The public key for the 24.1 series is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArjthZplSNhbgab8VYDYl
# jn3rNni+Fson28prwolUac0EHlu1e9ckM03BjYfRYUcpHRdNTglPr+likmgQ3K7j
# 01oq0/H2krvXUbxUq8CQDYgHUM9QDBubdC06/oQ/S20YGHlHJ+odexUbLF0YvW04
# RfzlEozBW0eUjc3LLYAvr1RwXoiZyB/Qit5bBC7No6fKIlCD9uZ3+7b1pO+Gjfq0
# mPF01kE7P55Y9WqaEU9odS4xE+viGlj+k1+YZBsEWWzX+J3z5zGDhWcsWWskd92z
# eMOUkJyVeiIWkW4draQ7CC0tJ4e+f/1PUkkLRfMMO55pGeunu3xwEgD4ALyD1A+y
# 029sKMXF6OSWgDQDrxDOe4bA7RW4yUba3EhSz8UyAvL3HIKQ0OuOJaGYkRee9DBQ
# DmCjIvPs6yCdAiuDbwO7V6RsH4k3yIONotST3qwf3sJXU3vvwsHi1n3ssccZBzw4
# sKwQ1xQN1eIc5+At+OJ6bzkdb/vg+UrFUfuCknqxuxvwg99+3Wx6vvemW7yqIUY4
# Vkhqs7WUZ0ucwo1zjLM12K4yS7kEQbOzHykYQzXXYxhzJIai+BZAJFytSER+Wl7Z
# AyIioWGKwTD/WTEzyfK5svnSmosWlikagMhl3+XyF2cma1rPqOOyuFpcFhmV6nlR
# vWhn568tDgJAyWqOCCHZqOMCAwEAAQ==
# -----END PUBLIC KEY-----
# SHA256 (OPNsense-24.1-dvd-amd64.iso.bz2) = 6d1e22713bf031d0a36a73b3820cd1564f426cae9c67a6ade4b7fa6518afa2d5
# SHA256 (OPNsense-24.1-nano-amd64.img.bz2) = 6bc86a13bda81702382383b1e9b31550177bafe88fa599e0c2ed8064040461b1
# SHA256 (OPNsense-24.1-serial-amd64.img.bz2) = c4c53e5dd80660cc67b349fa588b3ca11efd9f45d09f6cb391d8e19b48dd7fcc
# SHA256 (OPNsense-24.1-vga-amd64.img.bz2) = ec08755245017cd449a8d174b6ea7c4e2038c454a8abecfad0d0378729d8b331

24.1.r1 (January 19, 2024)

For more than 9 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you. <3

24.1-RC1 is an online uppgrade only. We will be publishing images with the final 24.1 release of course.

Here are the full patch notes against 23.7.12:

  • system: prevent activating shell for non-admins

  • system: add OCSP trust extensions and improved authorities implementation

  • system: migrate single gateway configuration to MVC/API

  • system: use new backend streaming functionality in the log viewer

  • system: limit file system /conf/config.xml and backups access to administrators

  • system: migrate gateways model to match new class introduced in 23.7.x

  • system: refactor get_single_sysctl()

  • system: update cron model

  • reporting: update NetFlow model

  • interfaces: implement new neighbor configuration for ARP and NDP entries using MVC/API

  • interfaces: refactor interface_bring_down() into interface_reset() and interface_suspend()

  • interfaces: migrate the overview page to MVC/API

  • interfaces: add optional local/remote port to VXLAN

  • interfaces: remove unused code from native dhclient-script

  • interfaces: do not flush states on clear event

  • firewall: add automation category for filter rules and source NAT using MVC/API, formerly known as os-firewall plugin

  • firewall: migrate NPTv6 page to MVC/API

  • firewall: add a track interface selection to NPTv6 as an alternative to the automatic rule interface fallback when dealing with dynamic prefixes

  • captive portal: fix integer validation in vouchers

  • captive portal: update model

  • dhcp: clean up duplicated domain-name-servers option

  • dhcp: cleanup get_lease6 script and fix parsing issue

  • dhcp: add Kea DHCPv4 server option with HA capabilities as an alternative to the end of life ISC DHCP

  • intrusion detection: show rule origin in rule adjustments grid

  • ipsec: extend connection proposals tooltip to children and fix tooltip style issue

  • lang: added traditional Chinese translation (contributed by Jason Cheng)

  • monit: update model

  • openvpn: allow optional OCSP checking per instance

  • openvpn: emit device name upon creation

  • openvpn: add workaround for net30/p2p smaller than /29 networks

  • web proxy: integration moved to os-squid plugin

  • wireguard: installed by default using the bundled FreeBSD 13.2 kernel module

  • backend: constrain execution of user add/change/list actions to members of the wheel group

  • mvc: remove legacy Phalcon migration glue

  • mvc: add configdStream action to ApiControllerBase

  • mvc: support array structures for better search functionality in ApiControllerBase

  • mvc: scope xxxBase validations to the item in question in ApiMutableModelControllerBase

  • mvc: remove Phalcon syslog implementation with a simple wrapper

  • mvc: add a DescriptionField type

  • mvc: add a MacAddressField type

  • ui: include meta tags for standalone/full-screen on Android and iOS (contributed by Shane Lord)

  • ui: add double click event with grid dialog in tree view to show a row layout instead

  • ui: auto-trim MVC input fields when being pasted

  • ui: increase standard search delay from 250 ms to 1000 ms

  • ui: make modal dialogs draggable

  • ui: support key/value combinations for error messages in do_input_validation()

  • plugins: os-api-backup was discontinued due to overlapping functionality in core

  • plugins: os-firewall moved to core

  • plugins: os-nrpe updated to NRPE 4.1.x

  • plugins: os-postfix updated to Postfix 3.8.x

  • plugins: os-squid 1.0 offers the removed web proxy core functionality

  • plugins: os-wireguard moved to core

  • plugins: os-wireguard-go was discontinued

  • src: NFS client data corruption and kernel memory disclosure [1]

  • src: pf: merge extended support for SCTP and related stable changes

  • src: e1000: merge assorted driver improvements for hardware capabilities

  • src: bsdinstall: merge assorted stable changes

  • src: tuntap: merge assorted stable changes

  • src: wireguard: add netmap support

  • ports: libxml 2.11.6 [2]

  • ports: openssl 3.0.12 [3]

  • ports: py-duckdb 0.9.2

  • ports: suricata 7.0.2 [4]

Migration notes, known issues and limitations:

  • Audits and certifications are requiring us to restrict system accounts for non-administrators (without wheel group in particular). It will no longer be able to use non-adminstrator accounts with shell access and permissions for sensitive files have been tightened to not be world-readable. This may cause custom tooling to stop working, but can easily be fixed by giving these required accounts the full administration rights.

  • ISC DHCP functionality is slowly being deprecated with the introduction of Kea as an alternative. The work to replace the tooling of ISC DHCP is ongoing, but feature sets will likely differ for a long time therefore.

  • The move to the FreeBSD ports version of OpenSSL 3.0 is included and may disrupt third party repository use until those have been fixed and rebuilt accordingly. Please note that we do not vet third party repositories and do not have control over them so their response time may vary.

  • The Squid web proxy functionality moves to a plugin and will no longer be installed by default for new installations. However, if you have Squid enabled the plugin will automatically be installed during the upgrade. There is no code difference in the implementation and integration of the plugin compared to the core version.

The public key for the 24.1 series is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArjthZplSNhbgab8VYDYl
# jn3rNni+Fson28prwolUac0EHlu1e9ckM03BjYfRYUcpHRdNTglPr+likmgQ3K7j
# 01oq0/H2krvXUbxUq8CQDYgHUM9QDBubdC06/oQ/S20YGHlHJ+odexUbLF0YvW04
# RfzlEozBW0eUjc3LLYAvr1RwXoiZyB/Qit5bBC7No6fKIlCD9uZ3+7b1pO+Gjfq0
# mPF01kE7P55Y9WqaEU9odS4xE+viGlj+k1+YZBsEWWzX+J3z5zGDhWcsWWskd92z
# eMOUkJyVeiIWkW4draQ7CC0tJ4e+f/1PUkkLRfMMO55pGeunu3xwEgD4ALyD1A+y
# 029sKMXF6OSWgDQDrxDOe4bA7RW4yUba3EhSz8UyAvL3HIKQ0OuOJaGYkRee9DBQ
# DmCjIvPs6yCdAiuDbwO7V6RsH4k3yIONotST3qwf3sJXU3vvwsHi1n3ssccZBzw4
# sKwQ1xQN1eIc5+At+OJ6bzkdb/vg+UrFUfuCknqxuxvwg99+3Wx6vvemW7yqIUY4
# Vkhqs7WUZ0ucwo1zjLM12K4yS7kEQbOzHykYQzXXYxhzJIai+BZAJFytSER+Wl7Z
# AyIioWGKwTD/WTEzyfK5svnSmosWlikagMhl3+XyF2cma1rPqOOyuFpcFhmV6nlR
# vWhn568tDgJAyWqOCCHZqOMCAwEAAQ==
# -----END PUBLIC KEY-----

Please let us know about your experience!