20.1 “Keen Kingfisher” Series

For over 5 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

20.1, nicknamed “Keen Kingfisher”, is a subtle improvement on sustainable firewall experience. This release adds VXLAN and additional loopback device support, IPsec public key authentication and elliptic curve TLS certificate creation amongst others. Third party software has been updated to their latest versions. The logging frontend was rewritten for MVC with seamless API support. On the far side the documentation increased in quality as well as quantity and now presents itself in a familiar menu layout.

Download links, an installation guide [1] and the checksums for the images can be found below as well.

• Europe: https://opnsense.c0urier.net/releases/20.1/

• US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.1/

• US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.1/

• South America: http://mirror.upb.edu.co/opnsense/releases/20.1/

• South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/20.1/

• Full mirror list: https://opnsense.org/download/

20.1.9 (July 23, 2020)

20.7-RC1 is already available and the final release of 20.7 is scheduled for July 30. A hotfix release for 20.1.9 will enable the upgrade path some hours after the initial 20.7 announcement is out, but please note that updated 32-bit builds (also known as i386) will no longer be available from this day forward.

Here are the full patch notes:

• system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by Alphakilo)

• firewall: validate if NAT destination contains a port

• firewall: prevent config_read_array() from adding an empty lo0

• network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by mikahe)

• network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by mikahe)

• mvc: LegacyLinkField not allowed to return null in __toString()

• plugins: os-collectd 1.3 [1]

• plugins: os-dyndns 1.22 [2]

• plugins: os-telegraf 1.8.1 [3]

• plugins: os-theme-rebellion 1.8.6 (contributed by Team Rebellion)

• plugins: os-tinc fixes switch mode [4]

• plugins: os-wireguard 1.2 [5]

• ports: ca_root_nss 3.54

• ports: curl 7.71.1 [6]

• ports: dnsmasq 2.82 [7]

• ports: monit 5.27.0 [8]

• ports: php 7.3.20 [9]

• ports: python 3.7.8 [10]

• ports: sqlite 3.32.3 [11]

• ports: syslog-ng 3.27.1 [12]

A hotfix release was issued as 20.1.9_1:

• firmware: enable upgrade path to 20.7 (amd64 only)

20.1.8 (July 02, 2020)

Sorry about the delay while we chased a race condition in the updates back to an issue with the latest FreeBSD package manager updates. For now we reverted to our current version but all relevant third party packages have been updated as updates became available over the last weeks, e.g. cURL and Python, and hostapd / wpa_supplicant amongst others.

Here are the full patch notes:

• system: simpler get_interface_ip() usage in IPv4 renewal

• system: allow HA sync of network time settings

• system: download all filtered items in log export

• system: add support for upstream LDAP accounts in Nextcloud backup (contributed by Fabian Franz)

• interfaces: fix stateless DHCPv6 for track6 interfaces (contributed by Maurice Walker)

• firewall: fix missing address filter error by moving NAT targets to runtime resolve

• firewall: prevent gateway protocol mismatch from breaking the ruleset

• firewall: work around categories typeahead issue with recent jQuery libraries

• firewall: improve alias help text (contributed by Team Rebellion)

• firewall: switch from single log filter to one per attribute

• intrusion detection: when enabling rules prefixed with “# ” consume the extra space (contributed by Tra5is)

• intrusion detection: less sensitive rule parsing

• intrusion detection: compress stats.log backups

• ipsec: valid IPSec Phase 2 hash config warning raises GUI alert (contributed by Brett Merrick)

• unbound: add DNS64 support (contributed by Maurice Walker)

• web proxy: fix wrong button label for Download ACLs (contributed by 90er)

• mvc: add sort_flags optional parameter support (contributed by NOYB)

• rc: add full PATH to rc.syshook invoke

• plugins: os-acme-client [1] [2]

• plugins: os-dnscrypt-proxy 1.8 [3]

• plugins: os-dyndns 1.21 improves Cloudflare support (contributed by Andreas Rupper)

• plugins: os-freeradius 1.9.7 [4]

• plugins: os-haproxy 2.23 [5]

• plugins: os-intrusion-detection-content-snort-vrt 1.1

• plugins: os-stunnel 1.0 [6] (sponsored by Incenter Technology)

• plugins: os-tayga 1.1 [7]

• plugins: os-theme-rebellion 1.8.4 [8]

• ports: ca_root_nss 3.53

• ports: curl 7.71.0 [9]

• ports: hostapd / wpa_supplicant UPnP SUBSCRIBE advisory [10]

• ports: krb5 1.18.2 [11]

• ports: ntp 4.2.8p15 [12]

• ports: pcre 8.44 [13]

• ports: perl 5.30.3 [14]

• ports: php 7.3.19 [15]

• ports: python CVE-2019-18348 and CVE-2020-8492

• ports: sqlite 3.32.2 [16]

• ports: sudo 1.9.1 [17]

• ports: unbound 1.10.1 [18]

A hotfix release was issued as 20.1.8_1:

• ipsec: fix status page display after third party library update

• plugins: os-dyndns fix for TTL validation (contributed by Andreas Rupper)

20.1.7 (May 20, 2020)

Today we move to PHP 7.3 in order to be able to complete testing for the 20.7-BETA online upgrades. Also included is a patch for the packet filter kernel code which could crash with shared forwarding when interfaces disappeared due to use after free in the default network stack path.

Here are the full patch notes:

• system: default net.inet.icmp.reply_from_interface to 1

• system: fix static gateway wizard handing

• firewall: allow outbound NAT source and destination port ranges

• interfaces: use interfaces_primary_address6() inside get_interface_ipv6()

• dhcp: add AdvLinkMTU to router advertisements settings (contributed by Ilteris Eroglu)

• unbound: prevent wildcard domains for the local system domain

• backend: suppress inconsequential IDNA warnings for aliases

• backend: add option to return a key value list for TLS ciphers

• mvc: reference constraint pointing validation results to the wrong field

• plugins: os-acme-client 1.32 adds Acmeproxy DNS support (contributed by Maarten den Braber)

• src: added Novatel Wireless MiFi 8800/8000 support (contributed by rootless4real)

• src: fix pf shared forwarding on non-existing interfaces

• src: patch in tty 3wire autologin support

• src: fix insufficient packet length validation in libalias [1]

• src: fix memory disclosure vulnerability in libalias [2]

• src: fix improper checking in SCTP-AUTH shared key update [3]

• src: fix use after free in cryptodev module [4]

• src: update to tzdata 2020a [5]

• ports: ca_root_nss 3.52

• ports: curl 7.70.0 [6]

• ports: dhcp6c 20200512

• ports: hyperscan 5.2.1 [7]

• ports: openldap 2.4.50 [8]

• ports: pcre2 10.35 [9]

• ports: php 7.3.18 [10]

20.1.6 (April 30, 2020)

Quick update as planned. Here are the full patch notes:

• system: add data length option to gateway monitor settings

• firewall: avoid greedy matching with live log parsing regression from 20.1.5

• firmware: detect runtime defaults when using “make upgrade” with core.git

• firmware: clean up packaging code and support “.link” file extension

• firmware: use CORE_FLAVOUR instead of FLAVOUR when using opnsense-bootstrap

• firmware: enable to optionally reach master branch when using opnsense-boostrap

• firmware: allow overriding CORE_ABI when using opnsense-bootstrap

• firmware: copy make.conf instead of linking when using opnsense-code

• firmware: always fetch tools.git when using opnsense-code

• rc: use “onifexists” for VGA TTY instead of “on”

• rc: missing ntpd user on 20.7 / 12.1

• plugins: os-unbound-plus DoT validation fix (contributed by Michael Muenz)

• src: fix ipfw invalid mbuf handling [1]

• ports: libyaml 0.2.4 [2]

• ports: openssl 1.1.1g [3]

• ports: py-yaml 5.3.1 [4]

• ports: radvd 2.18 [5]

• ports: sqlite 3.31.1 [6]

• ports: squid 4.11 [7]

• ports: suricata 4.1.8 [8]

20.1.5 (April 23, 2020)

Today ships the first release version of the supplemental firewall rule API via plugin, a new firewall shaper statistics GUI and API and the usual number of improvements and third party updates.

Note that this version does not ship OpenSSL 1.1.1g as at this point our release decision would have been to push 20.1.5 to next week or do a smaller 20.1.6 next week on top.

Here are the full patch notes:

• system: support configuration for SSH HostKeyAlgorithms, KexAlgorithms, Ciphers and MACs

• system: simplify validations in gateway monitor settings

• interfaces: mark VXLAN and loopback devices as configurable

• interfaces: validation typo caused failure to communicate unassignable targets

• interfaces: netstat tree view GUI and API

• interfaces: use libxo to extract ARP data

• firewall: checkbox selection ignores visibility setting

• firewall: add network group type to combine aliases cleanly

• firewall: IPv6 essential icmpv6 allow for

• firewall: new shaper statistics GUI and API

• firewall: support filter log messages with PID

• reporting: when flow times are not returned stick to receive timestamp

• openvpn: use multihome when selecting “any” interface with UDP

• unbound: create shared startup script for background task

• mvc: also store “” field value as initial state to prevent empty fields as being marked as changed

• mvc: firewall source NAT ranges support in plugins

• mvc: keep options in static set for PortField

• mvc: support interface targets without addresses

• mvc. add “migration_prefix” attribute to model

• mvc: catch ArgumentCountError

• mvc: skip empty gateway artefact

• plugins: os-acme-client 1.31 [1]

• plugins: os-firewall 1.0 API supplemental package

• plugins: os-haproxy 2.22 [2]

• plugins: os-unbound-plus 1.1 [3]

• plugins: os-wol 2.3 adds case insensitive matching in widget (contributed by Gauss23)

• ports: ca_root_nss 3.51.1

• ports: dnsmasq 2.81 [4]

• ports: krb5 1.18.1 [5]

• ports: openvpn 2.4.9 [6]

• ports: php 7.2.30 [7]

• ports: py-certifi 2020.4.5.1

• ports: strongswan 5.8.4 [8]

20.1.4 (April 08, 2020)

It almost looks like business as usual. But we all know it is not. We will get through this together.

Here are the full patch notes:

• system: add missing strtolower() in LDAP sync response

• system: fix /var/run/legacy_log socket creation race with Syslog-ng

• system: add info button to display privilege / ACL endpoints

• system: make IPsec tap tunables overwriteable

• firewall: floating means either all interfaces or more than one selected

• firewall: simplify group maintenance by only applying them on filter reload

• interfaces: use primary IPv6 and support VIP tracking

• interfaces: multiple changes in radvd.conf setup (contributed by maurice-w)

• dhcp: fix DDNS support in DHCPv6 (contributed by Wagner Sartori Junior)

• firmware: mirror opnsense.ieji.de renamed to opn.sense.nz

• openvpn: improve openvpn_port_used() logic

• unbound: minor cleanup in /api/unbound/diagnostics/stats endpoint

• unbound: remove 192.0.0.0/24 from rebinding prevention list (contributed by maurice-w)

• mvc: simplify reload of captive portal, cron, IDS, alias, loopback, VXLAN, web proxy, routes, syslog and shaper

• mvc: limit dropdown size to 10 if not specified

• mvc: support inheritance of the ArrayField type

• mvc: synchronize backup timestamps with revisions

• mvc: fixed width for timestamp column in logging

• mvc: init errorMessage to prevent crash reports

• shell: use interfaces_primary_address6() for correct IPv6 display

• shell: append a newline in pluginctl -g mode

• plugins: os-acme-client 1.30 [1]

• plugins: os-bind 1.13 [2]

• plugins: os-freeradius 1.9.6 [3]

• plugins: os-haproxy 2.21 [4]

• plugins: os-maltrail 1.5 [5]

• plugins: os-nginx 1.19 [6]

• plugins: os-nut 1.7 [7]

• plugins: os-postfix 1.14 [8]

• plugins: os-tayga 1.0 (contributed by Michael Muenz)

• plugins: os-telegraf 1.7.7 [9]

• plugins: os-unbound-plus 1.0 (contributed by Michael Muenz and Petr Kejval)

• lang: multiple updates to supported languages

• lang: new Turkish translation (contributed by Aydin Yakar)

• src: work around PCI devices which return all zeros for reads of existing MSI-X table VCTRL registers

• src: fix incorrect checksum calculations with IPv6 extension headers [10]

• src: fix TCP IPv6 SYN cache kernel information disclosure [11]

• src: fix insufficient oce(4) ioctl(2) privilege checking [12]

• src: fix incorrect user-controlled pointer use in epair [13]

• src: fix kernel memory disclosure with nested jails [14]

• ports: curl 7.69.1 [15]

• ports: krb5 1.18 [16]

• ports: openssh 8.2p1 [17]

• ports: openssl 1.1.1f [18]

• ports: perl 5.30.2 [19]

• ports: php 7.2.29 [20]

• ports: python 3.7.7 [21]

• ports: strongswan 5.8.3 [22]

• ports: sudo 1.8.31p1 [23]

20.1.3 (March 18, 2020)

Quick reliability release for all of you out there doing the impossible providing VPN for road warriors and what not. Keep it up! :)

Here are the full patch notes:

• system: match group CN case-insensitive

• system: added pluggable log format parsing facility

• system: update nsComment in OpenSSL config (contributed by vnxme)

• interfaces: fix missing default gateway switch on linkup event

• firewall: properly lock alias_util API (contributed by Cedric Deconinck)

• firewall: flush priority sections to /tmp/rules.debug

• firewall: do not escape internal URLs

• firmware: revoke 19.7 fingerprint

• ipsec: add virtual IPv6 pool for mobile clients (contributed by vnxme)

• ipsec: add MVC service control API

• monit: simplify Monit reload

• openvpn: properly swapped help texts regarding routes

• unbound: multiple fixes in DHCP watcher

• mvc: fix CountryField for static options

• mvc: extend PortField to support multiple items

• mvc: BaseListField plus PortField now use getValidationMessage() to bootstrap defaults

• mvc: add NetworkAliasField, ProtocolField and LegacyLinkField types

• mvc: apply PSR12 style as found on master

• ui: add jQuery plugin to support a simple service reload/action button

• ui: hook bootgrid javascript texts

• plugins: os-munin-node 1.0 (contributed by Michael Muenz)

• plugins: os-sunnyvalley 1.2 (contributed by Sunny Valley Networks)

• plugins: os-wol: relax MAC address validation (contributed by Mikael Falkvidd)

• ports: ca_root_nss 3.51

• ports: ntp 4.2.8p14 [1]

20.1.2 (March 05, 2020)

Today we pick up the recent FreeBSD security advisories as well as the usual noise in bugfixes and third party updates. We are also at the brink of a first HardenedBSD 12.1 based image so stay tuned.

Here are the full patch notes:

• system: fix leap year issue in new log reader

• system: add valid from and to dates to user certs display

• system: drop unused services.inc and diag_logs_template.inc

• interfaces: make sure descriptions are properly cleansed

• interfaces: introduce interfaces_primary_address6()

• interfaces: validate interface input in packet capture

• firewall: immediately download GeoIP if not already found

• firewall: improve performance when working with large number of aliases

• firewall: fix visibility on internal CARP rules

• captive portal: fix expiry and validity for vouchers (contributed by xx4h)

• dhcp: fix DNS registration for DHCPv6 static mappings (contributed by maurice-w)

• dhcp: add icons next to online/offline lease status (contributed by Tyler Ham)

• ipsec: allow configuration of inactivity parameter (contributed by Marcel Menzel)

• unbound: minor changes while scanning ACL subnets

• web proxy: work around to skip passing additional auth properties

• backend: allow pluginctl to return config.xml values

• console: improve type checks in set address function

• rc: join CARP early startup scripts

• plugins: os-dnscrypt-proxy fix for setup.sh on reboot

• plugins: os-dyndns 1.20 fixes verify restrictions, GratisDNS and missing break for Linode (contributed by NOYB, Johan Pramming, Andrew Gunnerson)

• plugins: os-maltrail 1.4 [1]

• plugins: os-nrpe fix for setup.sh on reboot

• plugins: os-tinc 1.5 fixes bug in IPv6 support (contributed by vnxme)

• src: fix imprecise ordering of SSP canary initialization [2]

• src: fix nmount invalid pointer dereference [3]

• src: fix libfetch buffer overflow [4]

• src: fix kernel stack data disclosure [5]

• ports: ca_root_nss 3.50

• ports: php 7.2.28 [6]

• ports: squid 4.10 [7]

• ports: suricata 4.1.7 [8]

• ports: syslog-ng 3.25.1 [9]

• ports: unbound 1.10.0 [10]

20.1.1 (February 13, 2020)

A tiny update to keep everyone happy. :)

Here are the full patch notes:

• system: increase size of user SSH key input box

• system: fix faulty PPP log link in the menu

• system: fix a PHP warning on the general settings page

• interfaces: update maximum MTU for 10Gb NICs (contributed by Len White)

• firewall: fix rule statistics display for rules using tagging

• reporting: fix missing separator in NetFlow configuration

• firmware: add Quantum mirror in Hungary

• openvpn: fix ifconfig-ipv6-push format

• plugins: os-dnscrypt-proxy 1.7 [1]

• plugins: os-net-snmp 1.4 [2]

• plugins: os-nginx 1.18 [3]

• plugins: os-theme-vicuna 1.0 (contributed by Team Rebellion)

• ports: lighttpd 1.4.55 [4]

• ports: openldap 2.4.49 [5]

• ports: pkg libfetch security fix [6]

• ports: sudo 1.8.31 [7]

20.1 (January 30, 2020)

For over 5 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

20.1, nicknamed “Keen Kingfisher”, is a subtle improvement on sustainable firewall experience. This release adds VXLAN and additional loopback device support, IPsec public key authentication and elliptic curve TLS certificate creation amongst others. Third party software has been updated to their latest versions. The logging frontend was rewritten for MVC with seamless API support. On the far side the documentation increased in quality as well as quantity and now presents itself in a familiar menu layout.

Download links, an installation guide [1] and the checksums for the images can be found below as well.

• Europe: https://opnsense.c0urier.net/releases/20.1/

• US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.1/

• US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.1/

• South America: http://mirror.upb.edu.co/opnsense/releases/20.1/

• South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/20.1/

• Full mirror list: https://opnsense.org/download/

These are the most prominent changes since version 19.7:

• Captive portal performance improvements

• IPsec public key authentication support

• Elliptic curve TLS certificate creation

• CARP service demotion hook

• VXLAN device support

• Loopback device support

• Extended firmware health audit checks

• Support direction and non-quick on interface rules

• Logging frontend migrated to MVC / API

• PSR 12 coding style

• Documentation for all core components

• Python 3.7 is now the default Python version

• LibreSSL 3.0 and OpenSSL 1.1.1

• Google Backup API 2.4

• jQuery 3.4.1

And here are the full patch notes against version 20.1-RC1:

• installer: welcome users as genuine 20.1 installer

• rc: revert growfs change since Nano does not grow anymore

• plugins: os-mail-backup 1.1 [2]

• plugins: os-nrpe 1.0 (contributed by Michael Muenz)

• plugins: os-theme-rebellion 1.8.3 (contributed by Team Rebellion)

• plugins: os-vnstat 1.2 [3]

• plugins: zabbix4-proxy 1.2 [4]

• ports: ca_root_nss 3.49.2

• ports: curl 7.68.0 [5]

• ports: isc-dhcp 4.4.2 [6]

• ports: php 7.2.27 [7]

• ports: urllib3 1.27.7 [8]

Known issues and limitations:

• HardenedBSD 12.1 has been postponed to the next major release

• Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp have been deprecated and will no longer receive updates

• To prevent stale configuration files for remote syslog we advise to setup the new targets first [9] and disable the old ones under System: Settings: Logging

• i386 has not been deprecated for the time being ;)

The public key for the 20.1 series is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0oYxXjva1d2TC/jQ/ygT
# GNB2QM2Flhq1CKwYKioT6kuKCelmG/vDRVYGs2VwBeshl53qnnob3rrCVtuS84VG
# C8n0i7bWsVWuOCaPzVCOua7MyxQNDItwA5D18SrmDbs07JE9XD30cX36Lvyq8GvZ
# bjk3AnHHqefR6F7fMGjDNPE3JofyLXEXN7TiH/Wk1MmBm3TXMJ4q63qa/clbY5zT
# jd2k1dtKWy23CcBKfxplu8HycqdQLCRl4o9+qdq7OQ8v9VT5dPIJcJodCvX9hAf7
# AUAMqsP3e6AyDM7iQcEkJiwAiytFAawyEIVOECxhEA+NpXHykd4G/00f5jGB259X
# /A8ARhjyT3zadjgXTIcEEBe5YTmxZrrKvWud4PguBTQOo9+XpI0H8A+IcoZ9AXQT
# J/IDBZJjsdSLspLPzLiwVQk9JrVylMLeyXCbtGCBZ8FOXyffceNQQl119ubkAZkx
# +NvioMIYQ+8rX0vn0njJfot+GQh0ezadlzuAmBBsGD8EtMCj92l/7zOyGucG+dCW
# kIv1yX0IOKeaNBZR3GDJJoyj5hFnoxkj2aNbuWjetg5MvpjBMl/h44brjL93m8PK
# GUhwcEPqcwu4ngu12O6vEeJW4vAbFlEznvgxmwJhMQf1/R8SUmKmAiprWKnY/w0E
# VHzlx7aRoGcRnnPs71DeloMCAwEAAQ==
# -----END PUBLIC KEY-----

# SHA256 (OPNsense-20.1-OpenSSL-dvd-amd64.iso.bz2) = 4b15e9b3d72732d325c5eaf46ba34575d4de8cdc3e3ac1b10666c7372563be6d
# SHA256 (OPNsense-20.1-OpenSSL-nano-amd64.img.bz2) = 27544a78ae03d480a483cfd2e7cfa703b60e50938a1ed188ec3ccde6c426fefe
# SHA256 (OPNsense-20.1-OpenSSL-serial-amd64.img.bz2) = f93bbcbe92059c5de49f22d485da292952b48658a28d1cdaf83191e8c95c03c2
# SHA256 (OPNsense-20.1-OpenSSL-vga-amd64.img.bz2) = 019a877c4b4cb96cfda62d041774a91c030c5a8ecd58f8c3fd0067c7ac392982

# SHA256 (OPNsense-20.1-OpenSSL-dvd-i386.iso.bz2) = 36146d0a066d9d696433599487e2a538ee5575a6b3d631293ad9e14e5fbbc6e0
# SHA256 (OPNsense-20.1-OpenSSL-nano-i386.img.bz2) = 0980f49d1b3445505fd1db27ab070886a706388d3aa16d7c8d953f279b7e3b11
# SHA256 (OPNsense-20.1-OpenSSL-serial-i386.img.bz2) = 322adbafe331ef7232c08d839a6f355ee633f5a662009b1801ebad0edab03d73
# SHA256 (OPNsense-20.1-OpenSSL-vga-i386.img.bz2) = 8bdd109015d7d54d382c7293bdf8fac6397a6c2e37662b73647c276e98c19d64

20.1.r1 (January 24, 2020)

For over 5 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you.

Download links, an installation guide [1] and the checksums for the images can be found below as well.

• Europe: https://opnsense.c0urier.net/releases/20.1/

• US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.1/

• US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.1/

• South America: http://mirror.upb.edu.co/opnsense/releases/20.1/

• South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/20.1/

• Full mirror list: https://opnsense.org/download/

Here are the full patch notes against 19.7.9_1:

• system: support for manually removing static route entries

• system: migrated logging to MVC

• system: regenerate default DH parameters

• system: randomize session ID in test cookie

• system: remove legacy XMLRPC push on changes

• system: deprecate the use of services.inc

• system: opt-out on “Allow DNS server list to be overridden by DHCP/PPP on WAN” for selected interfaces

• system: increase PHP memory limit to 512 MB

• system: opnsense-auth can now respond with extended properties in JSON on successful authentication

• interfaces: loopback device support

• interfaces: VXLAN device support

• interfaces: first steps toward fully pluggable device infrastructure

• interfaces: remove default load of netgraph framework on bootup

• interfaces: interfaces: move description into top block and rename titles

• interfaces: only trigger newwanip event for affected interfaces

• firmware: revoke 19.1, trust 20.1 fingerprint

• firmware: new mirror in Zurich, CH contributed by ServerBase AG

• firmware: add live search to mirror selection

• dhcp: add OMAPI configuration support (contributed by Yuri Moens)

• ipsec: add configurable dpdaction (contributed by Marcel Menzel)

• ipsec: refactor tunnel settings page

• unbound: add options for logging queries and extended statistics (contributed by Flightkick)

• mvc: BaseListField ignoring empty selected field

• ui: jQuery 3.4.1

• plugins: os-dyndns 1.19 adds dynv6 and Azure DNS support (contributed by Ralf Zerres and martgras)

• plugins: os-haproxy 2.20 [2]

• plugins: os-zabbix-agent 1.7 [3] [4]

• ports: ca_root_nss 3.49.1

• ports: curl 7.68.0 [5]

• ports: openssl 1.1.1d [6]

Known issues and limitations:

• HardenedBSD 12.1 has been postponed to the next major release

• Nano growfs does not work on this release candidate, but a fix for 20.1 already exists

• Installer still advertises 19.7, but a fix for 20.1 already exists

• Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp have been deprecated and will no longer receive updates

• i386 has not been deprecated for the time being ;)

The public key for the 20.1 series is:

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0oYxXjva1d2TC/jQ/ygT
# GNB2QM2Flhq1CKwYKioT6kuKCelmG/vDRVYGs2VwBeshl53qnnob3rrCVtuS84VG
# C8n0i7bWsVWuOCaPzVCOua7MyxQNDItwA5D18SrmDbs07JE9XD30cX36Lvyq8GvZ
# bjk3AnHHqefR6F7fMGjDNPE3JofyLXEXN7TiH/Wk1MmBm3TXMJ4q63qa/clbY5zT
# jd2k1dtKWy23CcBKfxplu8HycqdQLCRl4o9+qdq7OQ8v9VT5dPIJcJodCvX9hAf7
# AUAMqsP3e6AyDM7iQcEkJiwAiytFAawyEIVOECxhEA+NpXHykd4G/00f5jGB259X
# /A8ARhjyT3zadjgXTIcEEBe5YTmxZrrKvWud4PguBTQOo9+XpI0H8A+IcoZ9AXQT
# J/IDBZJjsdSLspLPzLiwVQk9JrVylMLeyXCbtGCBZ8FOXyffceNQQl119ubkAZkx
# +NvioMIYQ+8rX0vn0njJfot+GQh0ezadlzuAmBBsGD8EtMCj92l/7zOyGucG+dCW
# kIv1yX0IOKeaNBZR3GDJJoyj5hFnoxkj2aNbuWjetg5MvpjBMl/h44brjL93m8PK
# GUhwcEPqcwu4ngu12O6vEeJW4vAbFlEznvgxmwJhMQf1/R8SUmKmAiprWKnY/w0E
# VHzlx7aRoGcRnnPs71DeloMCAwEAAQ==
# -----END PUBLIC KEY-----

Please let us know about your experience!

# SHA256 (OPNsense-20.1.r1-OpenSSL-dvd-amd64.iso.bz2) = fed43e5cc5092da5adcfcb2ccdddf51a1cea6a69f06b764fcd9c3d36e0705d4a
# SHA256 (OPNsense-20.1.r1-OpenSSL-nano-amd64.img.bz2) = bf825455cc09e2a410cbe702a0c1c5b454546c476c7e90ae87ab64fc3eee6a78
# SHA256 (OPNsense-20.1.r1-OpenSSL-serial-amd64.img.bz2) = 906103fb4cc3e573a9e2d560a6365baa7162077b8933a253bb45fd23a154dd87
# SHA256 (OPNsense-20.1.r1-OpenSSL-vga-amd64.img.bz2) = 3308412597f5b95f9b9e854ddbeb5f49735109d846af553dbe2553dedf73cb9b

# SHA256 (OPNsense-20.1.r1-OpenSSL-dvd-i386.iso.bz2) = a110e2ed48228d918909daca5d93d8acafccdc4426e3e928d8561f7ad4180289
# SHA256 (OPNsense-20.1.r1-OpenSSL-nano-i386.img.bz2) = 201b757b0d719e8f3c4aa473b414005a5544a4b1553ca9d79c1743610d67b460
# SHA256 (OPNsense-20.1.r1-OpenSSL-serial-i386.img.bz2) = 74a8f6bc5cdf885f5ff906ad2dfd05584f8e217212f90cd2e3a3269a5a9b604a
# SHA256 (OPNsense-20.1.r1-OpenSSL-vga-i386.img.bz2) = 1779ca5aeb37d2d97bd7e053421d64206b27189db74711600b93e458d858caff