25.1 “Ultimate Unicorn” Series

For an entire decade now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

25.1, nicknamed “Ultimate Unicorn”, features numerous MVC/API conversions, improved security zones support and documentation, ZFS snapshot support, a new UI look with a light and dark theme, PHP 8.3, FreeBSD 14.2 plus much more.

Download links, an installation guide [1] and the checksums for the images can be found below as well.

• Europe: https://opnsense.c0urier.net/releases/25.1/

• US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/25.1/

• US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/25.1/

• South America: http://mirror.ueb.edu.ec/opnsense/releases/25.1/

• East Asia: https://mirror.ntct.edu.tw/opnsense/releases/25.1/

• Full mirror list: https://opnsense.org/download/

25.1.3 (March 11, 2025)

This time around a patch from OpenBSD has been added that fixes the state tracking for ICMPv6 neighbour discovery packets through pf. The user management gained a CSV import/export. Also, the bug of the missing PPP logs has been fixed in the upstream MPD package.

Please note that the FRR plugin now uses the new configuration file layout mandated by upstream and also gained reload support.

Since Google Drive is being phased out by Google, a new plugin now covers backups via SFTP. The old Google Drive backup functionality will move to plugins in 25.7 since it will only be useful for existing installs.

Here are the full patch notes:

• system: implement user CSV import/export functionality (sponsored by: m.a.x. it)

• system: switch boot logo and MOTD to the new-style logo (contributed by Gavin Chappell)

• system: migrate ‘default’ tunable value to empty one and improve UX

• system: bring back user/group audit messages lost in MVC conversion

• system: replace legacy service widget hook with a proper configd call

• interface: use shared base_bootgrid_table and base_apply_button where possible

• interfaces: remove obsolete code in get_real_interfaces() to match getRealInterface()

• interfaces: improve validation for CARP/proxy ARP VIP

• interfaces: remove defunct “other” VIP type

• interfaces: skip “nosync” processing on VIPs

• firewall: support partial alias exports

• kea-dhcp: use shared base_bootgrid_table and base_apply_button

• network time: move XMLRPC definition to correct file

• openvpn: add DCO validation for fragment size

• unbound: use shared base_bootgrid_table and base_apply_button

• unbound: fix model migration pertaining to “dots” model changes

• wireguard: use shared base_bootgrid_table and base_apply_button

• backend: allow pluginctl to filter on -x/-X option

• mvc: decode HTML tags in menu items

• mvc: fix unit tests for model relation fields

• plugins: os-caddy 1.8.3 [1]

• plugins: os-dmidecode 1.2 adds new dashboard widget (contributed by Neil Merchant)

• plugins: os-frr 1.43 [2]

• plugins: os-intrusion-detection-content-pt-open 1.0 (contributed by kulikov-a)

• plugins: os-sftp-backup 1.0 allows configuration backups over SFTP

• plugins: os-zabbix-agent 1.15 [3]

• plugins: os-zabbix-proxy 1.12 [4]

• src: carp: fix checking IPv4 multicast address

• src: icmp: use per rate limit randomized jitter

• src: ixgbe: Fix a logic error in ixgbe_read_mailbox_vf()

• src: netinet6: do not forward to the unspecified address

• src: netinet: do not forward or ICMP response to INADDR_ANY

• src: netinet: ipsec and ktls cannot coexists

• src: pf: align sanity checks for pfrw_free

• src: pf: allow all forms of neighbor advertisements in either direction

• src: pf: cleanup leftover PF_ICMP_MULTI_* code that is not needed anymore

• src: pf: do not keep state when dropping overlapping IPv6 fragments

• src: pf: drop IPv6 packets built from overlapping fragments in pf reassembly

• src: pf: fix fragment hole count

• src: sysctl: enable vnet sysctl variables to be loader tunable

• ports: mpd default logging level increased to LOG_NOTICE

• ports: nss 3.109 [5]

• ports: pftop 0.12

• ports: py-jinja 3.1.6 [6]

25.1.2 (February 28, 2025)

This was supposed to hit earlier this week, but some weeks are like this one now where QA takes more time than usual. Of note is the move of Dnsmasq to MVC and the ChartJS update to version 4 which is bundled with nice updates for widgets and the system health graphs.

The roadmap for 25.7 was also published [1] . The IPsec and OpenVPN legacy parts will move to the plugins so that the functionality can live there in community support tier. Since Kea remains a bit of an odd choice we will be offering DHCP support via Dnsmasq as a new standard feature which also offers seamless DHCP lease registration some people keep looking for.

Here are the full patch notes:

• system: adjust gateway widget to use the intended caching mechanism

• system: thermal sensors widget can now select individual sensors to display plus UX changes

• system: handle dev.pchtherm temperatures in the thermal dashboard widget (contributed by Joe Roback)

• system: use new apply button partial in tunables page

• system: move high availability option “disable preempt” to advanced mode

• system: straighten out syslog-ng rc.d scripting

• reporting: switch health graphs to ChartJS

• interfaces: add “nosync” option to VIPs and fix sync conditional

• interfaces: exclude automatic radvd like we do for manual

• firewall: properly unpack multiple source/destination items in the rules page

• firewall: hide internal aliases to align with previous legacy_list_aliases() function

• firewall: add missing “persist” on bogonsv6

• captive portal: urlencode() selector items in voucher group list

• dhcrelay: integrate layout_partials bootgrid/apply

• dnsmasq: migrate existing frontend to MVC/API

• ipsec: add deprecation notices for legacy components (will move to plugins)

• kea-dhcp: add “v6-only-preferred” option (contributed by darses)

• openvpn: add deprecation notices for legacy components (will move to plugins)

• openvpn: support “password first” for static-challenges

• unbound: add support for forward-first when configuring forwarders (contributed by Nigel Jones)

• wireguard: change tracking of peer status, improve widget and diagnostic

• backend: add an “import” rc.syshook facility

• backend: change the “monitor” rc.syshook facility and de-deprecate its use

• backend: remove unused functions and move once-used functions to their call script

• mvc: wrap locks around updates and perform some minor cleanups in ApiMutableModelControllerBase

• mvc: move “lazy loading” option to base model implementation and force usage on run_migrations.php

• mvc: safeguard checkToken() to prevent fetching an non existing POST item

• ui: upgrade ChartJS to v4

• ui: change backdrop background color to black in dark theme

• ui: create a unified layout partial for the apply button

• plugins: adjust all themes for ChartJS 4 use

• plugins: treat empty string like null on argument map

• plugins: os-acme-client 4.9 [2]

• src: ipfw: make ‘ipfw show’ output compatible with ‘ipfw add’ command

• src: pf: stop using net_epoch to synchronize access to eth rules

• src: e1000: fix vlan PCP/DEI on lem(4)

• src: igc: remove unused register IGC_RXD_SPC_VLAN_MASK

• src: ifnet: detach BPF descriptors on interface vmove event

• src: libkern: add ilog2 macro et al

• src: ipfw: add missing initializer for ‘limit’ table value

• src: pf: add extra SCTP multihoming probe points

• src: pf: verify SCTP v_tag before updating connection state

• src: pf: verify that ABORT chunks are not mixed with DATA chunks

• src: pf: allow ICMP messages related to an SCTP state to pass

• src: pf: add ‘allow-related’ to always allow SCTP multihome extra connections

• src: bpf: fix potential race conditions

• src: net: if_media for 100BASE-BX

• src: rtw89: update Realtek rtw88/rtw89 driver et al

• src: net80211: 11ac: add options to manage VHT STBC

• src: ifconfig: make -vht work

• src: iwlwifi: update Intel iwlwifi/mvm driver et al

• src: ixgbe: Add ixgbe_dev_from_hw() back

• ports: ca_root_nss / nss 3.108 [3]

• ports: curl 8.12.1 [4]

• ports: openssh 9.9p2 [5]

• ports: php83 8.3.17 [6]

• ports: py-duckdb 1.2.0 [7]

25.1.1 (February 12, 2025)

Here we are with further refinements to 25.1 and it is looking pretty well so far. Included are the recent FreeBSD security advisories and the OpenSSL 3.0.16 which came out just yesterday.

The roadmap for 25.7 is being worked on at the moment and should be ready for publication next week / release.

Here are the full patch notes:

• system: exclude pchtherm thresholds temperature thresholds

• system: regression in groupAllowed() as values are now comma-separated

• system: update button wording on new HA status page

• reporting: fix missing typecast in epoch range for DNS statistics

• interfaces: fix undefined array key warnings in DHCP client setup (contributed by Ben Smithurst)

• interfaces: remove “hellotime” configuration leftover of recent bridge cleanup

• firmware: opnsense-update: fix failure to clean up the working directory

• firmware: opnsense-update: support -B and -K with -c option check

• firmware: opnsense-update: let -u skip already installed packages set

• firmware: kernel may not be pending so be sure to check on upgrade attempt

• firmware: add an upgrade test for wrong pkg repository

• firmware: revoke 24.7 fingerprint

• captive portal: fix missing class import

• captive portal: partially revert new lighttpd TLS defaults

• ipsec: fix glob pattern for advanced configuration banner

• monit: revert “wrap exec in double quotes to allow arguments”

• ui: reverted style changes only relevant for the development version

• ui: header image scaling fixes in default light theme

• ui: remove right border from “aside” element in default dark theme

• plugins: os-caddy 1.8.2 [1]

• plugins: os-crowdsec 1.0.9 [2]

• plugins: os-ddclient 1.27 [3]

• src: pf: send ICMP destination unreachable fragmentation needed when appropriate

• src: pfil: set PFIL_FWD for IPv4 forwarding

• src: if_vxlan: use static initializers

• src: if_vxlan: prefer SYSCTL_INT over TUNABLE_INT

• src: if_vxlan: Invoke vxlan_stop event handler only when the interface is configured

• src: pf: force logging if pf_create_state() fails

• src: tarfs: fix the size of struct tarfs_fid and add a static assert

• src: ext2fs: fix the size of struct ufid and add a static assert

• src: cd9660: make sure that struct ifid fits in generic filehandle structure

• src: tzdata: import tzdata 2025a

• src: audit: fix short-circuiting in syscallenter()

• src: ktrace: fix uninitialized memory disclosure]

• src: netinet: enter epoch in garp_rexmit()

• ports: curl 8.12.0 [4]

• ports: monit 5.34.4 [5]

• ports: openssl 3.0.16 [6]

• ports: pcre2 10.45 [7]

• ports: php 8.3.16 [8]

25.1 (January 29, 2025)

For an entire decade now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

25.1, nicknamed “Ultimate Unicorn”, features numerous MVC/API conversions, improved security zones support and documentation, ZFS snapshot support, a new UI look with a light and dark theme, PHP 8.3, FreeBSD 14.2 plus much more.

Download links, an installation guide [1] and the checksums for the images can be found below as well.

• Europe: https://opnsense.c0urier.net/releases/25.1/

• US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/25.1/

• US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/25.1/

• South America: http://mirror.ueb.edu.ec/opnsense/releases/25.1/

• East Asia: https://mirror.ntct.edu.tw/opnsense/releases/25.1/

• Full mirror list: https://opnsense.org/download/

Here are the full patch notes against version 24.7.12:

• system: migrate user, group and privilege management to MVC/API

• system: remove the “disable integrated authentication” feature

• system: add “Default groups” option to add standard groups when a LDAP/RADIUS user logs in

• system: remove the old manual LDAP importer

• system: migrate HA status page to MVC/API

• system: allow custom additions to sshd_config (contributed by Neil Greatorex)

• system: increase max-request-field-size for web GUI

• system: set tunable default for checksum offloading of the vtnet(4) driver to disabled (contributed by Patrick M. Hausen)

• system: add support for RFC 5549 routes and refactor static route creation code

• system: improve notification support to also allow persistent notifications and static banners

• system: add notifications for low disk space and OpenSSH file override use

• system: migrate tunables page to MVC/API

• system: switch to temperature sensor caching

• system: add certificate widget to track expiration dates and allow quick renewal

• system: remove deprecated “page-getserviceprovider”, “page-dashboard-all” and “page-system-groupmanager-addprivs” privileges

• system: replace file_get_contents() with curl implementation in XMLRPC sync and add verifypeer option

• system: add item edit links to several dashboard widgets

• system: prioritize index page and prevent redirection to a /api page on login

• system: mute disk space status in case of live install media

• system: optimize system status collection

• interfaces: adhere to DAD during VIP recreation in rc.newwanipv6

• interfaces: remove non-functional features from bridges

• interfaces: remove PPP edit in interfaces settings

• interfaces: batched device type creation under “devices” submenu

• interfaces: move PPP and wireless logs to system log

• interfaces: remove “Use IPv4 connectivity” setting as it will be set by default

• firewall: use “skip lo0” instead of policing lo0 explicitly following OpenBSD best practice

• firewall: remove duplicate table definition and make sure bogonsv6 table always exists

• firewall: cleanup of CARP and IPv6 rules behaviour

• firewall: filter feature parity in automation rules

• firewall: offer multi-select on source and destination addresses

• firewall: add experimental inline shaper support to filter rules

• firewall: add missing columns on one-to-one NAT page

• firewall: fix unassociated rule creation

• firewall: fix anti-lockout and “allow access to DHCP failover” automatic rules

• firewall: add optional authorization for URL type aliases

• firewall: add “URL Table in JSON format (IPs)” alias type

• dnsmasq: update ICANN Trust Anchor (contributed by Loganaden Velvindron)

• firmware: fix “r” abbreviation vs. version_compare();

• installer: fixed missing prompt and help text in ZFS disk selection

• installer: warn on low RAM for ZFS as well

• installer: added a power off option

• intrusion detection: policy content dropdown missing data-container

• intrusion detection: cleanse metadata for brackets

• ipsec: add log search button in sessions

• ipsec: add banner message when using custom configuration files

• kea-dhcp: add “match-client-id” in subnet definitions

• lang: update available translations

• monit: wrap exec in double quotes to allow arguments (contributed by Nikita Uvarov)

• monit: flag file overwrites when they exist

• network time: take IPv6 addresses into account

• network time: remove support for explicit VIP selection

• openvpn: add validation pertaining to auth-gen-token and reneg-sec combinations

• unbound: cleanup available blocklists and add hagezi blocklists

• unbound: fix root.hits permission on copy

• unbound: flag file overwrites when they exist

• backend: -m option is unused so remove its complication

• mvc: implement reusable grid template using form definitions

• mvc: add Default() method to reset a model to its factory defaults

• mvc: fix LegacyMapper when the mount point is not the XML root

• mvc: move explicit cast in BaseModel when calling field->setValue()

• mvc: fields should implement getCurrentValue() rather than __toString()

• mvc: fix value lookup in LinkAddressField

• mvc: memory preservation fix in BaseListField

• mvc: support lazy loading on alias models and use it in NetworkAliasField

• mvc: fix NetworkValidator for IPv4-mapped addresses with netmask (contributed by John Fieber)

• ui: upgrade Font Awesome icons to version 6

• ui: push search/edit logic towards bootgrid implementation

• ui: improved links with automatic edit and/or search

• ui: rewritten default theme for a light look and new logo

• ui: added default theme variant with a dark look

• plugins: turning binary data into JSON may fail globally

• plugins: os-acme-client 4.8 [2]

• plugins: os-caddy 1.8.1 [3]

• plugins: os-cpu-microcode 1.1 removes unneeded late loading code

• plugins: os-haproxy 4.5 [4]

• pluginsL os-tailscale 1.2 [5]

• src: FreeBSD 14.2-RELEASE [6]

• src: p9fs: add an implementation of the 9P filesystem

• ports: lighttpd 1.4.77 [7]

• ports: openvpn 2.6.13 [8]

• ports: php 8.3.15 [9]

• ports: radvd 2.20 [10]

Migration notes, known issues and limitations:

• The access management was rewritten in MVC and contains behavioural changes including not rendering UNIX accounts for non-shell users. The integrated authentication via PAM has been the default for a long time so the option to disable it has been removed. The manual LDAP importer is no longer available since LDAP/RADIUS authenticators support on-demand creation and default group setup option. The “page-system-groupmanager-addprivs” privilege was removed since the page does not exist anymore. A multi-purpose privilege editor has been added under the existing “page-system-usermanager-addprivs” instead.

• PPP devices can no longer be configured on the interface settings page. To edit the device settings use the native PPP device edit page instead.

• FreeBSD 14.2 comes with the stock pf(4) behaviour regarding ICMPv6 neighbour discovery state tracking which was avoided so far in 24.7.x.

• Let’s Encrypt ends support for the OCSP Must Staple extension on 30.01.2025. Issuance requests will fail if this option is still enabled past this date.

The public key for the 25.1 series is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsnbyFjWXvUcUC4BqnQ9w
# uH3yiaG7AY8UzwepXf2TqqOYt5Y0USbse3OBjxYnRs0iW5EHtdKSRcmelup374Hp
# XDDeQ/mjmhhnvXryfQL57gyVpYeL5gRVhf/2DwEZELLCFUFhMNh52QPaJ5zTvdws
# m1Q+OwI1WfTDR7ytm+0Too2tVerG3mM3XataZ+XOKwHp2xP0Mr8E4F+PZdR4hWbb
# yC2elIzICXDWWpcEEg4JT48TIYZJPGnE2IJAzWRntrqVU2eLcEn5MffwTawXNoCZ
# mvLYqguYskmeR/dAL7ZmZcPeMeibXMtld8xIZp49g7DPq7PqxCY1wxcgeuZPFOHv
# kbYzL3BHbyni3K/qdLXKzy8oZeUUvlbUgaj8Xx14DSiNzJDknNf0Xg/eby7MkzgP
# eUXgtB0MRQMih85BfaiH5r+uQMgPKnjutVWR8qUWglxDKIc4s69b8PXylfu2FwiP
# iKMBdO8xnVvNFKOkuaUtI31cqxauw2hBAlILFvltM+adUz2rfB3Ch0bjfjDE5Hxq
# En4fEUVHgQCu+Ojyyy3/8RwUpsRZq05fObypyeL3E/MvlwpaOVjwvw2ozVPGi2zi
# xmXemn5CbgjD3vPR9XERXrFkHTwPnIiqz53znqn34P+NGEgD1veMhZPE6OGZRu/h
# IfceSaxJ/An5SUh0zr7YgOsCAwEAAQ==
# -----END PUBLIC KEY-----

# SHA256 (OPNsense-25.1-dvd-amd64.iso.bz2) = 68efe0e5c20bd5fbe42918f000685ec10a1756126e37ca28f187b2ad7e5889ca
# SHA256 (OPNsense-25.1-nano-amd64.img.bz2) = a51e4499df6394042ad804daa8e376c291e8475860343a0a44d93d8c8cf4636e
# SHA256 (OPNsense-25.1-serial-amd64.img.bz2) = 57c05e935790f9b2b800a19374948284889988741cfbaf6fae7600f7a4451022
# SHA256 (OPNsense-25.1-vga-amd64.img.bz2) = 89fcf5bdb1d2ea2ea6ba4cdc1268ea0a1e22b944330d7bee0711c8630cc905af

25.1.r2 (January 24, 2025)

Just a small update to ship the latest changes and fixes. The anti-lockout not working was finally addressed. Thanks for all the valuable feedback on the forum!

Here are the full patch notes against version 25.1-RC1:

• system: prioritize index page and prevent redirection to a /api page on login

• system: mute disk space status in case of live install media

• system: optimize system status collection

• firewall: add experimental inline shaper support to filter rules

• firewall: add missing columns on one-to-one NAT page

• firewall: fix unassociated rule creation

• firewall: fix anti-lockout and “allow access to DHCP failover” automatic rules

• firewall: add optional authorization for URL type aliases

• installer: fixed missing prompt and help text in ZFS disk selection

• installer: warn on low RAM for ZFS as well

• installer: added a power off option

• intrusion detection: policy content dropdown missing data-container

• intrusion detection: cleanse metadata for brackets

• ipsec: add banner message when using custom configuration files

• monit: flag file overwrites when they exist

• openvpn: add validation pertaining to auth-gen-token and reneg-sec combinations

• unbound: cleanup available blocklists and add hagezi blocklists

• unbound: flag file overwrites when they exist

• mvc: fix NetworkValidator for IPv4-mapped addresses with netmask (contributed by John Fieber)

• plugins: turning binary data into JSON may fail globally

• plugins: os-caddy 1.8.1 [1]

25.1.r1 (January 22, 2025)

The 25.1 series is nigh! This offers images based on an RC1 state with stable packages and online upgrades for the development version of 24.7. We will likely release a small RC2 online update in the near future. The final release date for 25.1 is January 29.

https://pkg.opnsense.org/releases/25.1/

Here are the full patch notes against version 24.7.12:

• system: migrate user, group and privilege management to MVC/API

• system: remove the “disable integrated authentication” feature

• system: add “Default groups” option to add standard groups when a LDAP/RADIUS user logs in

• system: remove the old manual LDAP importer

• system: migrate HA status page to MVC/API

• system: allow custom additions to sshd_config (contributed by Neil Greatorex)

• system: increase max-request-field-size for web GUI

• system: set tunable default for checksum offloading of the vtnet(4) driver to disabled (contributed by Patrick M. Hausen)

• system: add support for RFC 5549 routes and refactor static route creation code

• system: improve notification support to also allow persistent notifications and static banners

• system: add notifications for low disk space and OpenSSH file override use

• system: migrate tunables page to MVC/API

• system: switch to temperature sensor caching

• system: add certificate widget to track expiration dates and allow quick renewal

• system: remove deprecated “page-getserviceprovider”, “page-dashboard-all” and “page-system-groupmanager-addprivs” privileges

• system: replace file_get_contents() with curl implementation in XMLRPC sync and add verifypeer option

• system: add item edit links to several dashboard widgets

• interfaces: adhere to DAD during VIP recreation in rc.newwanipv6

• interfaces: remove non-functional features from bridges

• interfaces: remove PPP edit in interfaces settings

• interfaces: batched device type creation under “devices” submenu

• interfaces: move PPP and wireless logs to system log

• interfaces: remove “Use IPv4 connectivity” setting as it will be set by default

• firewall: use “skip lo0” instead of policing lo0 explicitly following OpenBSD best practice

• firewall: remove duplicate table definition and make sure bogonsv6 table always exists

• firewall: cleanup of CARP and IPv6 rules behaviour

• firewall: filter feature parity in automation rules

• firewall: experimental dummynet support in rules

• firewall: offer multi-select on source and destination addresses

• dnsmasq: update ICANN Trust Anchor (contributed by Loganaden Velvindron)

• ipsec: add log search button in sessions

• kea-dhcp: add “match-client-id” in subnet definitions

• lang: update available translations

• monit: wrap exec in double quotes to allow arguments (contributed by Nikita Uvarov)

• network time: take IPv6 addresses into account

• network time: remove support for explicit VIP selection

• unbound: fix root.hits permission on copy

• backend: -m option is unused so remove its complication

• mvc: implement reusable grid template using form definitions

• mvc: add Default() method to reset a model to its factory defaults

• mvc: fix LegacyMapper when the mount point is not the XML root

• mvc: move explicit cast in BaseModel when calling field->setValue()

• mvc: fields should implement getCurrentValue() rather than __toString()

• mvc: fix value lookup in LinkAddressField

• mvc: memory preservation fix in BaseListField

• mvc: support lazy loading on alias models and use it in NetworkAliasField

• ui: upgrade Font Awesome icons to version 6

• ui: push search/edit logic towards bootgrid implementation

• ui: improved links with automatic edit and/or search

• ui: rewritten default theme for a light look and new logo

• ui: added default theme variant with a dark look

• plugins: os-acme-client 4.8 [1]

• plugins: os-cpu-microcode 1.1 removes unneeded late loading code

• plugins: os-haproxy 4.5 [2]

• src: FreeBSD 14.2-RELEASE [3]

• src: p9fs: add an implementation of the 9P filesystem

• ports: lighttpd 1.4.77 [4]

• ports: openvpn 2.6.13 [5]

• ports: php 8.3.15 [6]

• ports: radvd 2.20 [7]

Migration notes, known issues and limitations:

• The access management was rewritten in MVC and contains behavioural changes including not rendering UNIX accounts for non-shell users. The integrated authentication via PAM has been the default for a long time so the option to disable it has been removed. The manual LDAP importer is no longer available since LDAP/RADIUS authenticators support on-demand creation and default group setup option. The “page-system-groupmanager-addprivs” privilege was removed since the page does not exist anymore. A multi-purpose privilege editor has been added under the existing “page-system-usermanager-addprivs” instead.

• PPP devices can no longer be configured on the interface settings page. To edit the device settings use the native PPP device edit page instead.

• FreeBSD 14.2 comes with the stock pf(4) behaviour regarding ICMPv6 neighbour discovery state tracking which was avoided so far in 24.7.x.

• Let’s Encrypt ends support for the OCSP Must Staple extension on 30.01.2025. Issuance requests will fail if this option is still enabled past this date.

The public key for the 25.1 series is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsnbyFjWXvUcUC4BqnQ9w
# uH3yiaG7AY8UzwepXf2TqqOYt5Y0USbse3OBjxYnRs0iW5EHtdKSRcmelup374Hp
# XDDeQ/mjmhhnvXryfQL57gyVpYeL5gRVhf/2DwEZELLCFUFhMNh52QPaJ5zTvdws
# m1Q+OwI1WfTDR7ytm+0Too2tVerG3mM3XataZ+XOKwHp2xP0Mr8E4F+PZdR4hWbb
# yC2elIzICXDWWpcEEg4JT48TIYZJPGnE2IJAzWRntrqVU2eLcEn5MffwTawXNoCZ
# mvLYqguYskmeR/dAL7ZmZcPeMeibXMtld8xIZp49g7DPq7PqxCY1wxcgeuZPFOHv
# kbYzL3BHbyni3K/qdLXKzy8oZeUUvlbUgaj8Xx14DSiNzJDknNf0Xg/eby7MkzgP
# eUXgtB0MRQMih85BfaiH5r+uQMgPKnjutVWR8qUWglxDKIc4s69b8PXylfu2FwiP
# iKMBdO8xnVvNFKOkuaUtI31cqxauw2hBAlILFvltM+adUz2rfB3Ch0bjfjDE5Hxq
# En4fEUVHgQCu+Ojyyy3/8RwUpsRZq05fObypyeL3E/MvlwpaOVjwvw2ozVPGi2zi
# xmXemn5CbgjD3vPR9XERXrFkHTwPnIiqz53znqn34P+NGEgD1veMhZPE6OGZRu/h
# IfceSaxJ/An5SUh0zr7YgOsCAwEAAQ==
# -----END PUBLIC KEY-----

Please let us know about your experience!

# SHA256 (OPNsense-25.1.r1-dvd-amd64.iso.bz2) = dbd65194b02dfda2abe0542c8660c5a8d5311719448fbacf8e7e08b260c90e15
# SHA256 (OPNsense-25.1.r1-nano-amd64.img.bz2) = 1600a1b26114aec1e99653efed1dddf1869bddfa422d8e85ad34a1acf2e3e4fc
# SHA256 (OPNsense-25.1.r1-serial-amd64.img.bz2) = ff709c926bd097bb52726944cde2c3363386d5062765bd4a75cce9009353f853
# SHA256 (OPNsense-25.1.r1-vga-amd64.img.bz2) = 9cdb74c9f43f9ee6eb66fbe3ad8b4050938273e053872e063b1bc73cedcd6410

25.1.b (December 19, 2024)

The 25.1 series will include FreeBSD 14.2 so we are putting this BETA version out based on the latest development state. This is not meant for production use but all plugins are provided and future updates of installations based on these images will be possible.

https://pkg.opnsense.org/releases/25.1/

There is a bit more work to be done yet most of the milestones have already been reached. If you have a test deployment or would like to check out some of the new features these images are for you. Together we can make OPNsense better than it ever was.

The final release date for 25.1 is January 29. A release candidate will follow in early January.

Highlights over version 24.7 include:

• system: restructure PPP to accomodate IPv6-only deployments

• system: implement persistent notifications banner

• system: dashboard widget for certificate expiry and renew

• system: high availablilty status MVC/API conversion

• system: users and groups MVC/API conversion

• system: advanced trust settings page

• system: ZFS snapshot GUI

• reporting: RRD health graph refactoring

• firewall: improved security zones support and documentation

• ipsec: advanced settings MVC/API conversion

• unbound: merge domain overrides into query forwarding

• ui: theme update with new styling and add official dark theme

• src: FreeBSD 14.2

The public key for the 25.1 series is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsnbyFjWXvUcUC4BqnQ9w
# uH3yiaG7AY8UzwepXf2TqqOYt5Y0USbse3OBjxYnRs0iW5EHtdKSRcmelup374Hp
# XDDeQ/mjmhhnvXryfQL57gyVpYeL5gRVhf/2DwEZELLCFUFhMNh52QPaJ5zTvdws
# m1Q+OwI1WfTDR7ytm+0Too2tVerG3mM3XataZ+XOKwHp2xP0Mr8E4F+PZdR4hWbb
# yC2elIzICXDWWpcEEg4JT48TIYZJPGnE2IJAzWRntrqVU2eLcEn5MffwTawXNoCZ
# mvLYqguYskmeR/dAL7ZmZcPeMeibXMtld8xIZp49g7DPq7PqxCY1wxcgeuZPFOHv
# kbYzL3BHbyni3K/qdLXKzy8oZeUUvlbUgaj8Xx14DSiNzJDknNf0Xg/eby7MkzgP
# eUXgtB0MRQMih85BfaiH5r+uQMgPKnjutVWR8qUWglxDKIc4s69b8PXylfu2FwiP
# iKMBdO8xnVvNFKOkuaUtI31cqxauw2hBAlILFvltM+adUz2rfB3Ch0bjfjDE5Hxq
# En4fEUVHgQCu+Ojyyy3/8RwUpsRZq05fObypyeL3E/MvlwpaOVjwvw2ozVPGi2zi
# xmXemn5CbgjD3vPR9XERXrFkHTwPnIiqz53znqn34P+NGEgD1veMhZPE6OGZRu/h
# IfceSaxJ/An5SUh0zr7YgOsCAwEAAQ==
# -----END PUBLIC KEY-----

Please let us know about your experience!

# SHA256 (OPNsense-devel-25.1.b-dvd-amd64.iso.bz2) = 7a9a5eacc65f7128273558c7e5f4cf63e555004d4d938fb827280cf691fc1cfd
# SHA256 (OPNsense-devel-25.1.b-nano-amd64.img.bz2) = 83b3a9b599477773b8f4877bf8c4a38436895477fef91a0dbfabdbfdbb7be2c3
# SHA256 (OPNsense-devel-25.1.b-serial-amd64.img.bz2) = 57d087cf66d168338de4a611871c31813b3e42bb71d7b71be75aa20521c6d8a1
# SHA256 (OPNsense-devel-25.1.b-vga-amd64.img.bz2) = 5bc51cc93bc64cc15d6fa68611d3cee4cf45b70b85e713cbdd3c0c8d2ebd4137