24.1 “Savvy Shark” Series

For more than 9 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

24.1, nicknamed “Savvy Shark”, features ports-based OpenSSL 3, Suricata 7, several MVC/API conversions, a new neighbor configuration feature for ARP/NDP, core inclusion of the os-firewall and os-wireguard plugins, CARP VHID tracking for OpenVPN and WireGuard, functional Kea DHCPv4 server with HA support plus much more.

Download links, an installation guide [1] and the checksums for the images can be found below as well.

24.1.10 (July 11, 2024)

Today a number of security advisories in third party software are being addressed. Also, a bad dhcp6c patch has been reverted which requires a manual reboot to take full effect.

CAUTION: The OpenSSH update prevents SSH sessions from being established. You need to restart OpenSSH from the GUI or run the console command “pluginctl -s openssh restart” or reboot the system in order to unbreak it.

Here are the full patch notes:

  • interfaces: improve DHCPv6 requirement rules on WAN interface

  • interfaces: support reading more attributes in ifconfig output parser

  • interfaces: correct logic of resolve flag in ARP table (contributed by Kevin Pelzel)

  • reporting: add NetFlow IPv6 support for destinations

  • kea-dhcp: add description field to subnets

  • kea-dhcp: add next-server option to subnets (contributed by Harm Kroon)

  • wireguard: fix IP protocol detection for manual gateway

  • ui: remove aria-hidden from dialogs (contributed by Jason Fayre)

  • ui: properly break out selectpicker options in modals

  • plugins: os-bind 1.32 [1]

  • plugins: os-caddy 1.6.0 [2]

  • plugins: os-ddclient 1.22 [3]

  • plugins: os-nginx 1.33 [4]

  • plugins: os-theme-cicada 1.36 (contributed by Team Rebellion)

  • plugins: os-theme-vicuna 1.46 (contributed by Team Rebellion)

  • plugins: os-zabbix-agent 1.14 [5]

  • plugins: os-zabbix-proxy 1.11 [6]

  • ports: dhcp6c 20240710 reverts faulty Debian patch

  • ports: krb5 1.21.3 [7]

  • ports: nss 3.101 [8]

  • ports: openssh 9.8p1 [9]

  • ports: openvpn 2.6.11 [10]

  • ports: suricata 7.0.6 [11]

A hotfix release was issued as 24.1.10_1:

  • interfaces: allow DHCPv6 server answer from a GUA

A hotfix release was issued as 24.1.10_2:

  • interfaces: allow DHCPv6 multicast as well

A hotfix release was issued as 24.1.10_3:

  • firewall: fix regression in GeoIP aliases selector

A hotfix release was issued as 24.1.10_8:

  • firewall: fix one-to-one NAT migration with external address without a subnet set

  • firmware: add fingerprint and upgrade hint for 24.7

  • firmware: prefer ZFS over UFS in upgrade message

  • firmware: remove unneeded Unbound DNS database upgrade script

  • firmware: remove stale Squid plugin upgrade script

24.1.9 (June 18, 2024)

This is the last bit of preparation for the upcoming 24.7 series reimplementing one-to-one NAT using MVC/API and a number of plumbing changes. IPv6 has also been improved with the dhcp6c client having received a number of new fixes and features.

Here are the full patch notes:

  • system: do not create an interface route without an address

  • system: add pluginctl -x/-X modes for digesting XMLRPC options

  • system: replace rand() with random_int() in remote backup script

  • firewall: migrate one-to-one NAT to MVC/API

  • interfaces: make SLAAC flush a feature of ifctl for incoming reuse

  • interfaces: in SLAAC tracking prevent accepting our own radvd configuration

  • interfaces: move SLAAC tunables to system requirements

  • interfaces: disable IPv6 interface modes when IPv6 is disabled globally

  • interfaces: avoid pluginctl giving out IPv4 info for non-interfaces

  • dhcrelay: add logging into its own space

  • firmware: change default fetch of changelog to 30 seconds

  • firmware: dump TLS information for firmware server(s) in use

  • isc-dhcp: allow root domain input as “.” (contributed by Skyler Mantysaari)

  • kea-dhcp: support static DNS mappings (contributed by Markus Reiter)

  • mvc: refactored and improved checkAndThrowSafeDelete() as checkAndThrowValueInUse()

  • ui: prevent word break for top level menu items

  • plugins: os-caddy 1.5.7 [1]

  • ports: curl 8.8.0 [2]

  • ports: dhcp6c 20240607 additions for WAN tracking, interface ID specification, etc.

  • ports: nss 3.100 [3]

  • ports: openldap 2.6.8 [4]

  • ports: openssl 3.0.14 [5]

  • ports: php 8.2.20 [6]

  • ports: py-duckdb 1.0.0 [7]

  • ports: py-netaddr 1.3.0 [8]

  • ports: sqlite 3.46.0 [9]

A hotfix release was issued as 24.1.9_1:

  • firewall: “natreflection” rule attribute missed in MVC/API migration

A hotfix release was issued as 24.1.9_3:

  • firewall: typo in “destination” migration for one-to-one NAT

  • firewall: one-to-one NAT default reflection setting was ignored

A hotfix release was issued as 24.1.9_4:

  • system: proper HA sync for new one-to-one NAT section

24.1.8 (May 29, 2024)

The endless loop packet read in the new dhcrelay daemon has been fixed. A new kernel is included in this release bringing the latest stable/13 state in the relevant networking areas. A number of small changes have also been made. Thanks for all the reports and support!

To spread the news… 24.7 will be based on FreeBSD 14.1. Stay tuned.

Here are the full patch notes:

  • system: fix regression in gateways migration causing far gateway option to be set incorrectly

  • system: work around fatal password_hash() change in PHP 8.2.18

  • system: move net.inet.icmp.drop_redirect sysctl to automatic mode

  • system: add Google Drive configuration as an XMLRPC sync target

  • interfaces: detect and ignore “detached” state for IPv6

  • interfaces: remove unused imports from sockstat list

  • firewall: use the new $.replaceInputWithSelector() for source/destination networks in MVC filter pages

  • firewall: fix empty rule label rendered as “null” on sessions page

  • ipsec: fix faulty “-” usage in URIs

  • isc-dhcp: take into account that multiple ia-pd can be delegated

  • kea-dhcp: simplified the controller code

  • unbound: change blocklist processing in _blocklist_reader()

  • unbound: allow RFC 2181 compatible names in query forwarding

  • mvc: silence spurious validation message when explicitly asked to ignore them

  • ui: prevent vertical modal overflows and instead present a scrollbar

  • ui: add $.replaceInputWithSelector() action

  • ui: handle static page CSRF without Phalcon

  • plugins: os-caddy 1.5.6 [1]

  • src: pfsync: fix use of invalidated stack variable

  • src: pfsync: cope with multiple pending plus messages

  • src: ipfw: skip to the start of the loop when following a keep-state rule

  • src: bridge: use IF_MINMTU

  • src: bridge: change MTU for new members

  • src: ethernet: support ARP for 802 networks

  • src: ethernet: fix logging of frame length

  • src: debugnet: fix logging of frame length

  • src: wg: use ENETUNREACH when transmitting to a non-existent peer

  • src: fib_algo: lower level of algorithm switching messages to LOG_INFO

  • src: libpfctl: fix incorrect pcounters array size

  • src: pf: always mark states as unlinked before detaching them

  • src: vxlan: add checking for loops and nesting of tunnels

  • src: igc: increase default per-queue interrupt rate to 20000

  • ports: dhcrelay 0.5 fixes endless loop on packet read

  • ports: hyperscan 5.4.2 [2]

  • ports: libxml 2.11.8 [3]

  • ports: ntp 4.2.8p18 [4]

  • ports: openssl fix for CVE-2024-4603

  • ports: phalcon 5.7.0 [5]

  • ports: py-duckdb 0.10.3 [6]

24.1.7 (May 16, 2024)

Python was updated to version 3.11 along with the usual reliability patches in the core, plugins and third party software.

At the moment we are working on removing most of the Phalcon framework dependencies which have the side effect of speeding up the MVC/API bits. The new dashboard is also taking shape. Try it on the development version if you can and let us know what you think.

Here are the full patch notes:

  • system: fix maximum log file size being ignored when there is only one file

  • system: make log rotate action available to Cron

  • system: remove get_current_theme() and improve static page templating

  • system: move radvd and rtsold to system log where they belong

  • system: deny access to .core files from web GUI and disable core dumps by default

  • system: adjust log levels in Google Drive backup

  • system: prevent out of memory on gateways migrations

  • interfaces: give DAD another second of delay to finish for the IPv6 renew

  • interfaces: reword the gateway selector default and help text to describe its function more accurately

  • ipsec: allow the equal sign for identity parsing in connections

  • isc-dhcp: make private consumers actually private where it matters

  • kea-dhcp: generate JSON payload from model

  • kea-dhcp: fix field separator for subnet domain search (contributed by KitKat31337)

  • openvpn: fix “attempt to read property…” in status page

  • openvpn: safeguard config access in updown_event.py

  • wireguard: pass endpoint to validator to avoid invalid QR code errors on mobile app

  • wireguard: add MTU when set on the instance

  • backend: allow to query multiple sysctl queries at once

  • mvc: pass isFieldChanged() to children in ContainerField

  • mvc: replace PhalconFilterValidationException with OPNsenseBaseValidationException wrapper

  • mvc: extend model implementation to ease legacy migrations

  • mvc: change exception handling in runMigrations() to avoid mismatches in attributes being silently ignored

  • mvc: refactor grid search to fetch descriptive values from the model instead of trying to reconstruct them

  • mvc: replace array_map+strval for loop with cast to preserve execution time in BaseListField

  • ui: fix bootgrid parsing of timestamp

  • ui: improve tokenizer paste behaviour

  • plugins: os-acme-client 4.3 [1]

  • plugins: os-caddy 1.5.5 [2]

  • plugins: os-crowdsec 1.0.8 [3]

  • plugins: os-freeradius 1.9.23 [4]

  • plugins: os-frr 1.40 [5]

  • plugins: os-relayd 2.9 moves validation to model where it belongs

  • plugins: os-shadowsocks 1.1 adds transport mode option (contributed by xabbok255)

  • plugins: os-squid workaround for broken OpenSSL legacy provider handling

  • plugins: os-telegraf 1.12.11 [6]

  • ports: libpfctl 0.11

  • ports: libucl 0.9.2

  • ports: lighttpd 1.4.76 [7]

  • ports: php 8.2.19 [8]

  • ports: pecl-mcrypt 1.0.7

  • ports: python 3.11.9 [9]

  • ports: strongswan 5.9.14 [10]

  • ports: suricata 7.0.5 [11]

  • ports: syslog-ng 4.7.1 [12]

  • ports: unbound 1.20.0 [13]

A hotfix release was issued as 24.1.7_4:

  • monit: fix referential constraint issue when dependency is removed

  • wireguard: move validation to correct spot when no instance address and peer address was provided

  • wireguard: also validate hostnames correctly in peer generator endpoint

  • backend: resolve deprecation warnings for sre_constants (contributed by MaxXor)

  • plugins: os-caddy fix for setup.sh not executing on a reload

  • plugins: os-crowdsec fix for LAPI mode startup problem

  • plugins: os-squid fix for another netaddr/ipaddr related migration issue

24.1.6 (April 18, 2024)

Today we are happy to announce another milestone regarding ISC DHCP removal: the arrival of a DHCRelay replacement based on code forked and maintained by OpenBSD. While here the whole DHCP relay section was moved to MVC/API for the usual reasons and now offers a combined GUI for both DHCPv4 and DHCPv6 relay. As a special treat this also includes being able to run ISC DHCP as well as any desired relay at the same time.

The feedback for the WireGuard peer generator was quite extensive so a few more tweaks and fixes have been done in that area. Thank you for all the responses regarding that feature addition!

Otherwise this update simply moves ahead with security-related third party updates in OpenSSL and PHP.

Last but not least we are releasing the OPNProxy (formerly business) plugin to the community version for fine-grained access control using Squid with Redis as a database backend. For more details please consult the available documentation linked below.

Here are the full patch notes:

  • firewall: show automation rules in their own section

  • firewall: keep permissions to standard for filter.lock file

  • firewall: replace searchNoCategoryItemAction() with new searchBase() extension

  • firewall: add gateway to the states diagnostics output

  • firewall: fix visible rows quantity off-by-one (contributed by NYOB)

  • intrusion detection: query all fields for searchBase() actions

  • dhcrelay: functional MVC/API replacement using the OpenBSD dhcrelay(6) fork

  • isc-dhcp: fix log file location

  • wireguard: add DNS field to peer generator and store previous used values in instance

  • wireguard: add address field to peer generator which auto-calculates the next available address in the pool

  • wireguard: add restart action to available cron tasks (contributed by Michael Muenz)

  • wireguard: unlink instance on peer delete

  • mvc: extend searchBase() to return all fields when no list is provided

  • mvc: fix config locking issue when already owning the lock

  • plugins: add globbing for plugin run tasks as well

  • plugins: os-OPNProxy 1.0.5 business plugin released to community version [1]

  • plugins: os-acme-client 4.2 [2]

  • plugins: os-caddy 1.5.4 [3]

  • plugins: os-zabbix-proxy 1.10 [4]

  • ports: dhcrelay 0.4 [5]

  • ports: openssl fix for CVE-2024-2511 [6]

  • ports: php 8.2.18 [7]

24.1.5 (April 04, 2024)

Today the kernel receives a number of minor updates that have accumulated since 24.1.2 was released. The primary focus for the time being is adding fixes and MVC improvements for upcoming feature backports into the next 24.1.x versions.

The update presents itself as a hotfix release 24.1.5_1 but that is only due to catching an issue during the last QA stage with an update of the gettext library.

Here are the full patch notes:

  • system: fix PHP warnings and spurious validation in route model

  • system: fix translation of static PHP pages with newer gettext

  • interfaces: support a primary interface in LAGG failover mode

  • interfaces: stop caching IPv6 address to decide if reload is required

  • firmware: opnsense-revert: fix issue with downloaded package install

  • ipsec: fix typo in config generation for AH proposals

  • unbound: duckduckgo.com blocklist fix

  • wireguard: add a peer configuration generator with QR code capability

  • wireguard: improve overall configuration UX

  • mvc: add “safe” filter in Phalcon volt templates

  • mvc: feed current language into view to replace hardcoded “en-US”

  • mvc: fix minor regression with “allownew” not having a default

  • mvc: extend model implementation to support volatile fields

  • mvc: add setBaseHook() to ApiMutableModelControllerBase

  • rc: fix wrong order in service startup (contributed by Frank Wall)

  • ui: move cache_safe() functions to appropriate include

  • ui: add a “statusled” formatter to bootgrid

  • ui: add a “grid-reload” helper to SimpleActionButton

  • plugins: os-bind 1.21 [1]

  • plugins: os-caddy 1.5.3 [2]

  • src: wg: fix handling of errors in wg_transmit()

  • src: wg: use proper barriers around pkt->p_state

  • src: kern: fix panic with disabled ttys

  • src: opencrypto: advance the correct pointer in crypto_cursor_copydata()

  • src: opencrypto: handle end-of-cursor conditions in crypto_cursor_segment()

  • src: opencrypto: respect alignment constraints in xor_and_encrypt()

  • src: ccr,ccp: fix argument order to sglist_append_vmpages

  • src: ossl: add missing labels to bsaes-armv7.S

  • src: ipsec esp: avoid dereferencing freed secasindex

  • src: irdma: upgrade to 1.2.36-k

  • src: irdma: remove artificial completion generator

  • src: tcp: cubic - restart epoch after RTO

  • src: tcp: prevent div by zero in cc_htcp

  • src: net80211: adjust more VHT structures/fields

  • ports: curl 8.7.1 [3]

  • ports: expat 2.6.2 [4]

  • ports: libucl 0.9.1

  • ports: lighttpd 1.4.75 [5]

  • ports: nss 3.99 [6]

  • ports: openssh-portable 9.7p1 [7]

  • ports: openvpn 2.6.10 [8]

  • ports: php 8.2.17 [9]

  • ports: py-duckdb 0.10.1 [10]

  • ports: py-netaddr 1.2.1 [11]

A hotfix release was issued as 24.1.5_2:

  • wireguard: store attached instance during peer generation

A hotfix release was issued as 24.1.5_3:

  • reporting: top talkers fix for backend required by new py-netaddr

24.1.4 (March 20, 2024)

Suricata and Unbound have been updated to their latest versions. Support for dynamic DNS VTI connections has also been added amongst other things.

We would like to thank Cedrik Pischem (Monviech) for upstreaming his Caddy plugin to the official packages. If you already have this plugin installed no further action has to be taken and updates should proceed through the standard firmware channel from now on. Documentation for it was added to the manual as well.

For 24.7, we are currently working on a DHCP-Relay replacement, a rewrite of the trust section in MVC as well as a new dashboard implementation. It has been busy and we will keep it that way. :)

Here are the full patch notes:

  • system: allow 0 length voucher passwords in authentication server

  • system: merge static logging settings into existing MVC page

  • system: fix handling of empty “serialusb” node set during import

  • system: prevent empty “user” node to crash during boot

  • interfaces: prevent modal x-axis overflow on packet capture page

  • firewall: refactor schedule matching and fix an end-of-the-month bug

  • firewall: fix incorrect packet counters statistics collection

  • intrusion detection: align performValidation()->count() to use count() instead

  • ipsec: optionally hook VTI tunnel configuration to connection up event to support dynamic DNS

  • isc-dhcp: do not add interfaces for non-Ethernet types to relaying

  • kea-dhcp: add domain-search, time-servers and static-routes client options to subnet configuration

  • openvpn: various improvements for TAP servers

  • wireguard: migrate non-netmask allowed IP entries and enforce them in validation

  • wireguard: show proper names when public keys overlap between instances

  • mvc: fix PHP_FLOAT_MIN being unreliable

  • mvc: add simple Message class and remove the previous Phalcon dependency

  • mvc: refactor HostnameField, remove HostValidator dependency and add unit test

  • mvc: add new static Autoconf class to access information collected by ifctl

  • mvc: fix rewind() stream not supporting seeking error

  • mvc: add copy of our html_safe() and use it in the translator

  • ui: adjust margin of hr elements to match __mX helpers

  • ui: add a button to allow textarea style edits of free-form tokenizers

  • ui: when an error is raised make sure it is always visible

  • ui: fix copy/paste buttons not showing for tokenizers in some situations

  • plugins: os-bind 1.30 [1]

  • plugins: os-caddy 1.5.2 [2] (contributed by Monviech)

  • ports: expat 2.6.1 [3]

  • ports: libpfctl 0.10

  • ports: nss 3.98 [4]

  • ports: phalcon 5.6.2 [5]

  • ports: sqlite 3.45.1 [6]

  • ports: suricata 7.0.4 [7]

  • ports: unbound 1.19.3 [8]

24.1.3 (March 06, 2024)

This update fixes minor issues in the software and adds a CSV import/export to the Kea DHCP reservations to make bulk edits much easier. It also fixes defaults in Suricata 7 that would negatively impact the IPS mode usage and updates the curl package to its current latest version.

Here are the full patch notes:

  • system: prevent gateway removal when it is currently bound to an interface

  • system: fix assorted PHP deprecation warnings

  • firewall: add optional advanced property “State policy” to influence state creation on a per rule base

  • firewall: fix floating rule display (contributed by lin-xianming)

  • firewall: fix display of ICMP tooltip (contributed by lin-xianming)

  • firmware: fix missing space in audit message

  • kea-dhcp: add import/export as CSV on reservations

  • intrusion detection: set exception-policy and app-layer.error-policy to their advertised defaults

  • unbound: make atomic copies of root.hints file to hopefully appease Unbound startup problems

  • unbound: fix missing /lib nullfs mount in chroot

  • unbound: add aggressive-nsec option toggle (contributed by kulikov-a)

  • wireguard: remove duplicate “pubkey” field, remove required tag and validate on Base64 in model

  • wireguard: address assorted interface configuration inconsistencies during configuration

  • mvc: fix model cloning when array items contain nested containers

  • ui: fix epoch support as number in bootgrid

  • ui: replace all > and < occurrences in treeview (contributed by lin-xianming)

  • wizard: reorder storage sequence to fix hostname/domain change bug

  • plugins: os-theme-cicada 1.35 (contributed by Team Rebellion)

  • plugins: os-theme-rebellion 1.8.10 (contributed by Team Rebellion)

  • ports: curl 8.6.0 [1]

  • ports: dnspython 2.6.1

  • ports: expat 2.6.0 [2]

  • ports: libpfctl 0.9

  • ports: libxml 2.11.7 [3]

  • ports: lighttpd 1.4.74 [4]

  • ports: pcre2 10.43 [5]

  • ports: php 8.2.16 [6]

A hotfix release was issued as 24.1.3_1:

  • intrusion detection: fix whitespace issue in yaml configuration file

24.1.2 (February 20, 2024)

It is time to move back to Suricata version 7 after identifying the relevant default option changes in order to keep IPS/Netmap happy when running it. Kea also received a number of tweaks and updates as well as our VPN service integrations.

Last but not least this includes FreeBSD 13.2-p10 and the recent DNS denial of service attack mitigation.

Here are the full patch notes:

  • system: accept colon character in log queries

  • system: add issuer and logo to OTP link

  • system: fix gateway migration issue causing individual items to be skipped

  • reporting: update traffic graph colors to be contrast and consistent (contributed by brotherla)

  • interfaces: fix strpos() deprecation null haystack

  • interfaces: add missing ACL entries for ARP/NDP tables

  • interfaces: fix VXLAN validation

  • firewall: change default traffic normalization behavior and choose “in” as standard direction for manual rules

  • firewall: make select width more consistent on alias diagnostics table selection

  • dhcp: set RemoveAdvOnExit to off in CARP mode for router advertisements

  • dhcp: make sure the register DNS leases options reflect that this is only supported for ISC DHCP

  • dhcp: make option_data_autocollect option more explicit in Kea

  • dhcp: gather missing Kea leases another way since the logs are unreliable

  • dhcp: add address constraint to Kea reservations

  • dhcp: add unique constraint for MAC address + subnet in Kea

  • dhcp: add domain-name to client configuration in Kea

  • dhcp: loosen constraints for TFTP boot in Kea

  • intrusion detection: adjust for default behaviour changes in Suricata 7

  • ipsec: improve enable button placement on connections page

  • ipsec: show EAP-RADIUS settings only when legacy tunnels are being used

  • ipsec: allow % to support %any in ID for connections

  • openvpn: when “cert_depth” is left empty it should ignore the value

  • openvpn: data-ciphers-fallback should be a single option

  • openvpn: fix support for /30 p2p/net30 instances

  • openvpn: add “various_push_flags” field for simple boolean server push options in connections

  • unbound: prevent os.write() on None when another thread closed the pipe in Python module

  • wireguard: key constraints should only apply on peers and not instances

  • wireguard: peer uniqueness should depend on pubkey + endpoint

  • wireguard: skip attached instance address routes

  • wireguard: remove duplicate ID columns

  • mvc: fix Phalcon 5.4 and up

  • src: jail: fix information leak [1]

  • src: bhyveload: use a dirfd to support -h [2]

  • src: EVFILT_SIGNAL: do not use target process pointer on detach [3]

  • src: setusercontext(): apply personal settings only on matching effective UID [4]

  • src: re: generate an address if there is none in the EEPROM

  • src: wg: detect loops in netmap mode

  • src: wg: detach bpf upon destroy as well

  • src: wg: fix access to noise_local->l_has_identity and l_private

  • src: wg: fix erroneous calculation in calculate_padding() for p_mtu == 0

  • plugins: os-acme-client 4.1 [5]

  • plugins: os-ddclient 1.21 [6]

  • plugins: os-dnscrypt-proxy 1.15 [7]

  • ports: dnsmasq 2.90 [8]

  • ports: openvpn 2.6.9 [9]

  • ports: phalcon 5.6.1 [10]

  • ports: radvd adds upstream patch for RemoveAdvOnExit option

  • ports: suricata 7.0.3 [11]

  • ports: unbound 1.19.1 [12]

A hotfix release was issued as 24.1.2_1:

  • system: fix dynamic gateway persisting its address

24.1.1 (February 06, 2024)

Apart from rolling back Suricata 7 to 6 the new major version is looking good. The two intertwined Suricata default config changes in version 7 have been identified and fixed in the development version so that we can move back to version 7 in 24.1.2.

This minor release is intended as a small round of fixes and third party updates to ensure reliability and security.

Here are the full patch notes:

  • system: enable OpenSSL legacy provider by default to allow Google Drive backup to continue working with OpenSSL 3

  • system: bring back the interface statistics dashboard widget update interval

  • system: fix all items in the OPNsense container being synced in XMLRCP when NAT option is selected

  • interfaces: overview page UX improvements

  • firewall: align GeoIP file check with documentation

  • firewall: fix virtual IP API use with subnet/subnet_bits usage

  • wireguard: allow instances to start their ID at 0 like they used to a long time ago

  • dhcp: omit faulty comma in Kea config when control agent is disabled

  • dhcp: add opt-out automatic firewall rules for Kea server access

  • ipsec: remove AEAD algorithms without a PRF for IKE proposals in connections

  • openvpn: fix cso_login_matching being ignored during authentication

  • backend: optimise stream_handler to exit and kill running process when no listener is attached

  • plugins: os-frr 1.39 [1]

  • plugins: os-haproxy 4.3 [2]

  • plugins: os-ntopng 1.3 [3]

  • plugins: os-tor 1.10 adds MyFamily support (contributed by Mike Bishop)

  • ports: nss 3.97 [4]

  • ports: openldap 2.6.7 [5]

  • ports: openssl 3.0.13 [6]

  • ports: syslog-ng 4.6.0 [7]

24.1 (January 30, 2024)

For more than 9 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

24.1, nicknamed “Savvy Shark”, features ports-based OpenSSL 3, Suricata 7, several MVC/API conversions, a new neighbor configuration feature for ARP/NDP, core inclusion of the os-firewall and os-wireguard plugins, CARP VHID tracking for OpenVPN and WireGuard, functional Kea DHCPv4 server with HA support plus much more.

Download links, an installation guide [1] and the checksums for the images can be found below as well.

Here are the full patch notes against 23.7.12:

  • system: prevent activating shell for non-admins

  • system: add OCSP trust extensions and improved authorities implementation

  • system: migrate single gateway configuration to MVC/API

  • system: use new backend streaming functionality in the log viewer

  • system: limit file system /conf/config.xml and backups access to administrators

  • system: migrate gateways model to match new class introduced in 23.7.x

  • system: refactor get_single_sysctl()

  • system: update cron model

  • system: fix migration issue in new gateways model

  • system: handle case insensitivity while reading groups

  • system: shuffle authentication templates to the end of login configuration

  • system: add “maxfilesize” option to enforce a log rotate when files exceed their limit

  • reporting: print status message when Unbound DNS database was not found during firmware upgrade

  • reporting: update NetFlow model

  • interfaces: implement new neighbor configuration for ARP and NDP entries using MVC/API

  • interfaces: refactor interface_bring_down() into interface_reset() and interface_suspend()

  • interfaces: migrate the overview page to MVC/API

  • interfaces: add optional local/remote port to VXLAN

  • interfaces: remove unused code from native dhclient-script

  • interfaces: do not flush states on clear event

  • firewall: add automation category for filter rules and source NAT using MVC/API, formerly known as os-firewall plugin

  • firewall: migrate NPTv6 page to MVC/API

  • firewall: add a track interface selection to NPTv6 as an alternative to the automatic rule interface fallback when dealing with dynamic prefixes

  • captive portal: fix integer validation in vouchers

  • captive portal: update model

  • dhcp: clean up duplicated domain-name-servers option

  • dhcp: cleanup get_lease6 script and fix parsing issue

  • dhcp: add Kea DHCPv4 server option with HA capabilities as an alternative to the end of life ISC DHCP

  • dhcp: deduplicate records in Kea leases

  • intrusion detection: show rule origin in rule adjustments grid

  • ipsec: extend connection proposals tooltip to children and fix tooltip style issue

  • lang: added traditional Chinese translation (contributed by Jason Cheng)

  • monit: update model

  • openvpn: allow optional OCSP checking per instance

  • openvpn: emit device name upon creation

  • openvpn: add workaround for net30/p2p smaller than /29 networks

  • openvpn: add optional “route-metric” push option for server instances

  • web proxy: integration moved to os-squid plugin

  • wireguard: installed by default using the bundled FreeBSD 13.2 kernel module

  • backend: constrain execution of user add/change/list actions to members of the wheel group

  • backend: only parse stream results when configd socket could be opened

  • backend: wait for all configd results and add it to the log message when detached

  • mvc: remove legacy Phalcon migration glue

  • mvc: add configdStream action to ApiControllerBase

  • mvc: support array structures for better search functionality in ApiControllerBase

  • mvc: scope xxxBase validations to the item in question in ApiMutableModelControllerBase

  • mvc: remove Phalcon syslog implementation with a simple wrapper

  • mvc: add a DescriptionField type

  • mvc: add a MacAddressField type

  • mvc: add IsDNSName to support DNS names as specified by RFC2181 in HostnameField

  • ui: include meta tags for standalone/full-screen on Android and iOS (contributed by Shane Lord)

  • ui: add double click event with grid dialog in tree view to show a row layout instead

  • ui: auto-trim MVC input fields when being pasted

  • ui: increase standard search delay from 250 ms to 1000 ms

  • ui: make modal dialogs draggable

  • ui: support key/value combinations for error messages in do_input_validation()

  • plugins: os-acme-client 4.0 [2]

  • plugins: os-api-backup was discontinued due to overlapping functionality in core

  • plugins: os-firewall moved to core

  • plugins: os-haproxy 4.2 [3]

  • plugins: os-nrpe updated to NRPE 4.1.x

  • plugins: os-postfix updated to Postfix 3.8.x

  • plugins: os-squid 1.0 offers the removed web proxy core functionality

  • plugins: os-wireguard moved to core

  • plugins: os-wireguard-go was discontinued

  • src: NFS client data corruption and kernel memory disclosure [4]

  • src: pf: merge extended support for SCTP and related stable changes

  • src: e1000: merge assorted driver improvements for hardware capabilities

  • src: bsdinstall: merge assorted stable changes

  • src: tuntap: merge assorted stable changes

  • src: wireguard: add experimental netmap support

  • src: sys: Use mbufq_empty instead of comparing mbufq_len against 0

  • src: e1000/igc: remove disconnected sysctl

  • ports: libxml 2.11.6 [5]

  • ports: openssl 3.0.12 [6]

  • ports: php 8.2.15 [7]

  • ports: py-duckdb 0.9.2

  • ports: sqlite 3.45.0 [8]

  • ports: suricata 7.0.2 [9]

A hotfix release was issued as 24.1_1:

  • ports: revert back to suricata 6.0.15 for the time being

Migration notes, known issues and limitations:

  • Audits and certifications are requiring us to restrict system accounts for non-administrators (without wheel group in particular). It will no longer be possible to use non-adminstrator accounts with shell access and permissions for sensitive files have been tightened to not be world-readable. This may cause custom tooling to stop working, but can easily be fixed by giving these required accounts the full administration rights.

  • ISC DHCP functionality is slowly being deprecated with the introduction of Kea as an alternative. The work to replace the tooling of ISC DHCP is ongoing, but feature sets will likely differ for a long time therefore.

  • The move to the FreeBSD ports version of OpenSSL 3.0 is included and may disrupt third party repository use until those have been fixed and rebuilt accordingly. Please note that we do not vet third party repositories and do not have control over them so their response time may vary.

  • The Squid web proxy functionality moves to a plugin and will no longer be installed by default for new installations. However, if you have Squid enabled the plugin will automatically be installed during the upgrade. There is no code difference in the implementation and integration of the plugin compared to the core version.

The public key for the 24.1 series is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArjthZplSNhbgab8VYDYl
# jn3rNni+Fson28prwolUac0EHlu1e9ckM03BjYfRYUcpHRdNTglPr+likmgQ3K7j
# 01oq0/H2krvXUbxUq8CQDYgHUM9QDBubdC06/oQ/S20YGHlHJ+odexUbLF0YvW04
# RfzlEozBW0eUjc3LLYAvr1RwXoiZyB/Qit5bBC7No6fKIlCD9uZ3+7b1pO+Gjfq0
# mPF01kE7P55Y9WqaEU9odS4xE+viGlj+k1+YZBsEWWzX+J3z5zGDhWcsWWskd92z
# eMOUkJyVeiIWkW4draQ7CC0tJ4e+f/1PUkkLRfMMO55pGeunu3xwEgD4ALyD1A+y
# 029sKMXF6OSWgDQDrxDOe4bA7RW4yUba3EhSz8UyAvL3HIKQ0OuOJaGYkRee9DBQ
# DmCjIvPs6yCdAiuDbwO7V6RsH4k3yIONotST3qwf3sJXU3vvwsHi1n3ssccZBzw4
# sKwQ1xQN1eIc5+At+OJ6bzkdb/vg+UrFUfuCknqxuxvwg99+3Wx6vvemW7yqIUY4
# Vkhqs7WUZ0ucwo1zjLM12K4yS7kEQbOzHykYQzXXYxhzJIai+BZAJFytSER+Wl7Z
# AyIioWGKwTD/WTEzyfK5svnSmosWlikagMhl3+XyF2cma1rPqOOyuFpcFhmV6nlR
# vWhn568tDgJAyWqOCCHZqOMCAwEAAQ==
# -----END PUBLIC KEY-----
# SHA256 (OPNsense-24.1-dvd-amd64.iso.bz2) = 6d1e22713bf031d0a36a73b3820cd1564f426cae9c67a6ade4b7fa6518afa2d5
# SHA256 (OPNsense-24.1-nano-amd64.img.bz2) = 6bc86a13bda81702382383b1e9b31550177bafe88fa599e0c2ed8064040461b1
# SHA256 (OPNsense-24.1-serial-amd64.img.bz2) = c4c53e5dd80660cc67b349fa588b3ca11efd9f45d09f6cb391d8e19b48dd7fcc
# SHA256 (OPNsense-24.1-vga-amd64.img.bz2) = ec08755245017cd449a8d174b6ea7c4e2038c454a8abecfad0d0378729d8b331

24.1.r1 (January 19, 2024)

For more than 9 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you. <3

24.1-RC1 is an online uppgrade only. We will be publishing images with the final 24.1 release of course.

Here are the full patch notes against 23.7.12:

  • system: prevent activating shell for non-admins

  • system: add OCSP trust extensions and improved authorities implementation

  • system: migrate single gateway configuration to MVC/API

  • system: use new backend streaming functionality in the log viewer

  • system: limit file system /conf/config.xml and backups access to administrators

  • system: migrate gateways model to match new class introduced in 23.7.x

  • system: refactor get_single_sysctl()

  • system: update cron model

  • reporting: update NetFlow model

  • interfaces: implement new neighbor configuration for ARP and NDP entries using MVC/API

  • interfaces: refactor interface_bring_down() into interface_reset() and interface_suspend()

  • interfaces: migrate the overview page to MVC/API

  • interfaces: add optional local/remote port to VXLAN

  • interfaces: remove unused code from native dhclient-script

  • interfaces: do not flush states on clear event

  • firewall: add automation category for filter rules and source NAT using MVC/API, formerly known as os-firewall plugin

  • firewall: migrate NPTv6 page to MVC/API

  • firewall: add a track interface selection to NPTv6 as an alternative to the automatic rule interface fallback when dealing with dynamic prefixes

  • captive portal: fix integer validation in vouchers

  • captive portal: update model

  • dhcp: clean up duplicated domain-name-servers option

  • dhcp: cleanup get_lease6 script and fix parsing issue

  • dhcp: add Kea DHCPv4 server option with HA capabilities as an alternative to the end of life ISC DHCP

  • intrusion detection: show rule origin in rule adjustments grid

  • ipsec: extend connection proposals tooltip to children and fix tooltip style issue

  • lang: added traditional Chinese translation (contributed by Jason Cheng)

  • monit: update model

  • openvpn: allow optional OCSP checking per instance

  • openvpn: emit device name upon creation

  • openvpn: add workaround for net30/p2p smaller than /29 networks

  • web proxy: integration moved to os-squid plugin

  • wireguard: installed by default using the bundled FreeBSD 13.2 kernel module

  • backend: constrain execution of user add/change/list actions to members of the wheel group

  • mvc: remove legacy Phalcon migration glue

  • mvc: add configdStream action to ApiControllerBase

  • mvc: support array structures for better search functionality in ApiControllerBase

  • mvc: scope xxxBase validations to the item in question in ApiMutableModelControllerBase

  • mvc: remove Phalcon syslog implementation with a simple wrapper

  • mvc: add a DescriptionField type

  • mvc: add a MacAddressField type

  • ui: include meta tags for standalone/full-screen on Android and iOS (contributed by Shane Lord)

  • ui: add double click event with grid dialog in tree view to show a row layout instead

  • ui: auto-trim MVC input fields when being pasted

  • ui: increase standard search delay from 250 ms to 1000 ms

  • ui: make modal dialogs draggable

  • ui: support key/value combinations for error messages in do_input_validation()

  • plugins: os-api-backup was discontinued due to overlapping functionality in core

  • plugins: os-firewall moved to core

  • plugins: os-nrpe updated to NRPE 4.1.x

  • plugins: os-postfix updated to Postfix 3.8.x

  • plugins: os-squid 1.0 offers the removed web proxy core functionality

  • plugins: os-wireguard moved to core

  • plugins: os-wireguard-go was discontinued

  • src: NFS client data corruption and kernel memory disclosure [1]

  • src: pf: merge extended support for SCTP and related stable changes

  • src: e1000: merge assorted driver improvements for hardware capabilities

  • src: bsdinstall: merge assorted stable changes

  • src: tuntap: merge assorted stable changes

  • src: wireguard: add netmap support

  • ports: libxml 2.11.6 [2]

  • ports: openssl 3.0.12 [3]

  • ports: py-duckdb 0.9.2

  • ports: suricata 7.0.2 [4]

Migration notes, known issues and limitations:

  • Audits and certifications are requiring us to restrict system accounts for non-administrators (without wheel group in particular). It will no longer be able to use non-adminstrator accounts with shell access and permissions for sensitive files have been tightened to not be world-readable. This may cause custom tooling to stop working, but can easily be fixed by giving these required accounts the full administration rights.

  • ISC DHCP functionality is slowly being deprecated with the introduction of Kea as an alternative. The work to replace the tooling of ISC DHCP is ongoing, but feature sets will likely differ for a long time therefore.

  • The move to the FreeBSD ports version of OpenSSL 3.0 is included and may disrupt third party repository use until those have been fixed and rebuilt accordingly. Please note that we do not vet third party repositories and do not have control over them so their response time may vary.

  • The Squid web proxy functionality moves to a plugin and will no longer be installed by default for new installations. However, if you have Squid enabled the plugin will automatically be installed during the upgrade. There is no code difference in the implementation and integration of the plugin compared to the core version.

The public key for the 24.1 series is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArjthZplSNhbgab8VYDYl
# jn3rNni+Fson28prwolUac0EHlu1e9ckM03BjYfRYUcpHRdNTglPr+likmgQ3K7j
# 01oq0/H2krvXUbxUq8CQDYgHUM9QDBubdC06/oQ/S20YGHlHJ+odexUbLF0YvW04
# RfzlEozBW0eUjc3LLYAvr1RwXoiZyB/Qit5bBC7No6fKIlCD9uZ3+7b1pO+Gjfq0
# mPF01kE7P55Y9WqaEU9odS4xE+viGlj+k1+YZBsEWWzX+J3z5zGDhWcsWWskd92z
# eMOUkJyVeiIWkW4draQ7CC0tJ4e+f/1PUkkLRfMMO55pGeunu3xwEgD4ALyD1A+y
# 029sKMXF6OSWgDQDrxDOe4bA7RW4yUba3EhSz8UyAvL3HIKQ0OuOJaGYkRee9DBQ
# DmCjIvPs6yCdAiuDbwO7V6RsH4k3yIONotST3qwf3sJXU3vvwsHi1n3ssccZBzw4
# sKwQ1xQN1eIc5+At+OJ6bzkdb/vg+UrFUfuCknqxuxvwg99+3Wx6vvemW7yqIUY4
# Vkhqs7WUZ0ucwo1zjLM12K4yS7kEQbOzHykYQzXXYxhzJIai+BZAJFytSER+Wl7Z
# AyIioWGKwTD/WTEzyfK5svnSmosWlikagMhl3+XyF2cma1rPqOOyuFpcFhmV6nlR
# vWhn568tDgJAyWqOCCHZqOMCAwEAAQ==
# -----END PUBLIC KEY-----

Please let us know about your experience!