23.7 “Restless Roadrunner” Series¶
For more than 8 and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
23.7, nicknamed “Restless Roadrunner”, features numerous MVC/API conversions including the new OpenVPN “instances” configuration option, OpenVPN group alias support, deferred authentication for OpenVPN, FreeBSD 13.2, PHP 8.2 plus much more.
Download links, an installation guide [1] and the checksums for the images can be found below as well.
US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.7/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.7/
South America: http://mirror.ueb.edu.ec/opnsense/releases/23.7/
East Asia: https://mirror.ntct.edu.tw/opnsense/releases/23.7/
Full mirror list: https://opnsense.org/download/
23.7.12 (January 16, 2024)¶
One more release it was indeed. We have added considerable backend work for improving security and adding a streaming function to avoid memory exhaustion for data-intense data exchanges. Note this is in preparation for 24.1 where these will be used, but direct use in 23.7 is avoided to lower the possibility for regressions.
The release date for 24.1 is January 30 and we approaching this differently this time with release candidates only being available from the development version meaning there will be no installation media before the final release.
While RC1 is mostly ready the publication is currently on hold due to chasing down a kernel panic. Watch out for the release notes of the RC1. It should be available this week with a follow-up RC2 in the following week.
Here are the full patch notes:
system: change ZFS transaction group defaults to avoid excessive disk wear [1]
firewall: validate if GeoIP and BGP ASN targets contain at least 1 kb of data before assuming timestamp is correct
firmware: automatically install os-squid plugin install when web proxy is enabled before major upgrade
firmware: refactor export and scrub Unbound DNS database before major upgrade
firmware: disallow TLS lower than 1.3 on business mirror
openvpn: add validation for netmask greater than 29 exactly as specified in the OpenVPN source code
backend: support streaming output using the “stream_output” handler
backend: implement optional trust model and add extended logging
backend: support optional configd configuration files
mvc: add an IPPortField type
mvc: split configdRun() in order to return a resource which the controller can stream with minimal memory consumption
ui: fix the missing dialog padding in some modals
ui: set a default data-size for increased readability in selectpickers
ui: show tooltip when grid td content does not fit
plugins: os-bind 1.29 [2]
plugins: os-ddclient 1.20 [3]
plugins: os-frr 1.38 [4]
plugins: os-node_exporter 1.2 [5]
plugins: os-sunnyvalley 1.4 switches to new repository layout
ports: py-netaddr 0.10.1 [6]
ports: sudo 1.9.15p5 [7]
A hotfix release was issued as 23.7.12_5:
reporting: print status message when Unbound DNS database was not found during firmware upgrade
firmware: enable upgrade path to 24.1
backend: only parse stream results when configd socket could be opened
23.7.11 (January 04, 2024)¶
The final test phase for 24.1 is starting just as 23.7 strechtes towards its inevitable end of life. At the moment it is unlcear if this release will be the last one or not so we shall refrain from stating something that may not be true in the coming weeks. ;)
Of special note is the Python rewrite of the relevant FreeBSD certctl tool bits that are needed to register certificates in the system. It should be about 30 times faster now than it was before.
Here are the full patch notes:
system: implement relevant certctl tool functionality in Python to increase performance
system: fix log severity selector (contributed by kulikov-a)
system: include IPv6 link-local interface addresses for web GUI and OpenSSH (contributed by Maurice Walker)
system: update cron and gateways model
interfaces: obey menu group sequence when specified
firewall: fix traceback in OpenVPN group alias due to wrong return type
firewall: fix missing physical_interface() in shaper template
dhcp: cache backend action “interface list macdb” to increase responsiveness
dhcp: allow saving with invalid range when IPv4 server is disabled
dhcp: do not clobber $range_to / $range_from with the legacy test for lower 64 bit only input
firmware: opnsense-update: avoid rewriting .cshrc and .profile files on base set updates
firmware: add audit messages for relevant API actions
firmware: implement “always reboot” option
firmware: add unlocked mode to launcher script
firmware: use pluggable package repository scripts
lang: assorted language updates
network time: prevent the service from listening on a wildcard when selecting specific interfaces (contributed by doktornotor)
openvpn: add virtual IPv6 address to widget and status page (contributed by cs-1)
openvpn: consider clients missing CARP VHID as disabled
unbound: replace JustDomains with Firebog blocklists (contributed by Amy Nagle)
unbound: update root hints
plugins: os-acme-client 3.20 [1]
plugins: os-ddclient 1.19 [2]
plugins: os-wireguard 2.6 [3]
ports: curl 8.5.0 [4]
ports: nss 3.95 [5]
ports: php 8.2.14 [6]
ports: py-netaddr 0.10.0 [7]
ports: squid 6.6 [8]
ports: sudo 1.9.15p4 [9]
23.7.10 (December 12, 2023)¶
A number of FreeBSD source code changes accumulated so it is better to have them delivered to your doorstep before the holidays are in full swing.
Here are the full patch notes:
system: improve config revision audit ability
system: cleanse system_get_language_code() output
system: safeguard /tmp/PHP_errors.log file before usage
system: add an optional random delay before executing remote backups
system: fix regression in log viewer level selector
reporting: OpenVPN server instances were missing from respective health graph
interfaces: move interface list widget link to assignments page
interfaces: add new backend jobs and extend with optional parameter
interfaces: add validation for proxy ARP strict subnet use
firewall: improve alias write behaviour by checking for changes beforehand
firewall: fix preg_replace() to avoid truncated network display in rules listing
firewall: add an ifconfig.debug file
firmware: switch bogons/changelog set base URL to portable “opnsense-update -X” call
ipsec: move save button on mobile page into its own container
ipsec: add support for RADIUS class groups in instances
unbound: use tls-system-cert instead of tls-cert-bundle
web proxy: fix setting unknown language directory
ui: upgrade jqTree to version 1.7.5
plugins: os-ddclient 1.18 [1]
plugins: os-dec-hw 1.0 is a Deciso hardware specific dashboard widget
plugins: os-net-snmp fix for directory setup (contributed by doktornotor)
plugins: os-telegraf 1.12.10 [2]
plugins: os-upnp now reloads on newwanip event
plugins: os-wireguard fix for missing firewall reload
plugins: os-wireguard-go fix for device registration
src: clang: sanitizer failure with ASLR enabled [3]
src: dhclient: do not add 0.0.0.0 interface alias
src: ice: match irdma interface changes
src: ixv: separate VFTA table for each interface
src: libnetmap: better fix for port parsing failure
src: pf: expose more syncookie state information to userspace
src: pf: fix mem leaks upon vnet destroy
src: pf: remove incorrect fragmentation check [4]
src: rc: fix restart _precmd issue with _setup
src: re: add support for 8168FP HW rev
src: zfs: check dnode and its data for dirtiness in dnode_is_dirty() [5]
ports: perl 5.36.3 [6]
ports: php 8.2.13 [7]
ports: phpseclib 3.0.34 [8]
ports: squid update fixes parent proxy crash [9]
ports: strongswan 5.9.13 [10]
A hotfix release was issued as 23.7.10_1:
mvc: provide iterateRecursiveItems() in BaseModel required by IPsec RADIUS support
ports: openssh 9.6p1 [11]
23.7.9 (November 23, 2023)¶
As the end of the year inches closer the changes published today are naturally smaller additions and cleanups, notably changes for IPsec VTI connection for IPv6 and dual-stack operation, a possible OpenVPN CSO mismatch bug and optional support for SHA-512 password hashing.
Note that the HTTPS bump for the firmware mirrors updates the published URLs in the firmware selection, but if you already use LeaseWeb or NYC BUG you need to reselect them in order to move from HTTP to HTTPS connectivity.
Of further note is that the Squid web proxy will be moved to a plugin in version 24.1 but for everyone using it the upgrade procedure will make sure to install it automatically when enabled. A meta package was added to the plugins already in order for this to work just in case there are questions about what it is supposed to be doing… apart from providing dependencies it does not do anything at the moment. ;)
Last but not least, we have been successfully testing and ironing out OpenSSL 3 ports builds in the past week and inclusion in 24.1 seems very likely at this point. The effort continues and we will also be looking into backport material from FreeBSD 13 stable branches for further preparation.
Here are the full patch notes:
system: add SHA-512 password hash compliance option
system: allow special selector for plugins_configure()
system: handle broken menu XML files more gracefully
system: fix PHP warnings and SSH fail on empty “ssh” XML node
system: fix a couple of PHP warnings in auth server pages
system: add support for Google Shared drives backup (contributed by Jeremy Huylebroeck)
system: change wait time to 1 second per round, total of 7 in console prompts
system: update syslog model
interfaces: mark WireGuard devices as virtual
interfaces: update LAGG and loopback models
interfaces: improve VIP validation, fix broadcast generation
firewall: make sure firewall log reading always emits a label
firewall: fix business bogons set fetch
firewall: add section for automatic rules being added at the end of the ruleset
firewall: allow multiple networks given to wrap in the GUI
captive portal: fix log target
firmware: stop manually adjusting firmware config structure during factory reset
firmware: clear stray “pkgsave” and “pkgtemp” pkg-upgrade leftovers
firmware: changed LeaseWeb and NYC BUG mirrors to use HTTPS (contributed by jeremiah-rs)
firmware: opnsense-update: new “-X” mode for canonical bogons/changelog set fetch URL
firmware: opnsense-version: support base/kernel hash info
ipsec: mute ipsec.conf related load errors
ipsec: fix typo in VTI protocol family parsing
ipsec: add secondary tunnel address pair for VTI dual-stack purposes
ipsec: add “aes256-sha256” proposal option (no PFS)
openvpn: obey username_as_common_name setting
backend: add physical_interface and physical_interfaces as template helper function
backend: add file_exists as template helper function
mvc: instead of failing invalidate a non-match in CSVListField
mvc: split tree-view template and javascript and hook via controllers
ui: upgrade bootstrap-select to v1.13.18
ui: improve saveFormToEndpoint() UX
plugins: os-ddclient 1.17 [1]
plugins: os-frr 1.37 [2]
plugins: os-squid adds a meta package for web proxy core removal in 24.1
ports: openvpn 2.6.8 [3]
ports: sqlite 3.44.0 [4]
ports: sudo 1.9.15p2 [5]
ports: unbound 1.19.0 [6]
23.7.8 (November 09, 2023)¶
The configuration restore GUI has been improved in a number of ways due to recent demand and Squid was updated to the new major release version 6.
A number of reliability improvements were also added to the WireGuard kernel plugin which from our perspective is now ready for core inclusion. The documentation is being updated accordingly, but will take a bit more time to ensure consistency following up on the GUI changes it received.
This update also includes FreeBSD security advisories and assorted fixes. We are aware of OpenSSL 1.1.1 CVE-2023-5678 and we are already testing builds based on OpenSSL 3 which can be available in 24.1 when it does not negatively impact overall operation. We also expect fixes for version 1 to be available sooner, but without OpenSSL providing such fixes directly the roundtrip time is likely going to increase for them.
Here are the full patch notes:
system: minor changes related to recent Gateway class refactoring
system: use unified style for “return preg_match” idiom so the caller receives a boolean
system: provide mismatching interface logic without reboot on configuration restore
system: allow new backup API to download latest configuration directly via /api/core/backup/download/this
system: extend restore to be able to migrate older configurations cleanly
system: make trust store reload conditional
interfaces: assorted bridge handling improvements
interfaces: ignore ULAs for primary IPv6 detection
interfaces: improve wireless channel parsing
firewall: keep filtered items available longer in live log
firewall: when migrating aliases make sure that nesting does not fail
firewall: port can be zero in automatic rule so render it accordingly
firewall: minor update to shaper model
firmware: invalidate GUI caches earlier since certctl blocks this longer now
firmware: add root file system to health audit
monit: minor update to model
lang: update Chinese, Czech, Italian, Korean, Polish and Spanish
openvpn: host bits must not be set for IPv4 server directive in instances
unbound: minor update to model
unbound: remove localhost from automatically created ACL
web proxy: handle the major update to version 6 and update model
mvc: enforce uniqueness and remove validation message in UnqiueIdField
mvc: config should be locked before calling checkAndThrowSafeDelete()
ui: prevent form submit for MVC pages
ui: improve default modal padding
plugins: os-bind 1.28 [1]
plugins: os-openconnect 1.4.5 [2]
plugins: os-wireguard 2.5 [3]
src: pfctl: fix incorrect mask on dynamic address
src: libpfctl: assorted improvements
src: msdosfs: zero partially valid extended cluster [4]
src: copy_file_range: require CAP_SEEK capability [5]
src: fflush: correct buffer handling in __sflush [6]
src: cap_net: correct capability name from addr2name to name2addr [7]
src: regcomp: use unsigned char when testing for escapes [8]
ports: lighttpd 1.4.73 [9]
ports: php 8.2.12 [10]
ports: squid 6.5 [11]
ports: sudo 1.9.15 [12]
A hotfix release was issued as 23.7.8_1:
interfaces: prefer GUAs over ULAs when returning addresses
plugins: os-c-icap fix for upstream update syntax error (contributed by Andy Binder)
23.7.7 (October 25, 2023)¶
The user experience of several pages has been improved. And this update is also shipping several FreeBSD-based changes for further reliability as well as core fixes and improvements as they came up on GitHub or the forum in the last weeks.
A word of caution for third party repository users. FreeBSD currently changes a number of things in their ecosystem. The first change is the move of the “openssl” package to “openssl111” since the former is now based on version 3. This can and likely will disrupt updates of third party packages not having followed this change. While we want to use OpenSSL 3 eventually being in the middle of a stable run is not the time and place to do it. Secondly, FreeBSD makes its port stop relying on ca_root_nss package trust store provided by Mozilla which introduces technical barriers for integration of our own trust store. This update changes curl to not use the old bundle files, but then also ensures that the base system will register all CA certificates brought in by our trust store as well. The biggest caveat at the moment is that this process is slower than before and may end up untrusting user CAs if they happen to be on the FreeBSD-provided untrusted list. During upgrades you will see when it writes the trust files and bundles and if any errors occur.
In both instances we feel nothing can be gained in postponing these changes so we are carrying them out swiftly after ensuring they do the right thing for our user base and voicing our reservations where it matters.
You can also find and follow us on Bluesky now:
https://bsky.app/profile/opnsense.org
Here are the full patch notes:
system: rewrite trust integration for certctl use
system: improve UX on new configuration history page
system: update recovery pattern for /etc/ttys
system: improve service sync UX on high availability settings page
system: migrate gateways to model representation
system: detect a on/off password shift when syncing user accounts
system: improve backup restore area selection
system: keep polling if watcher cannot load a class to fetch status
system: add “Constraint groups” option to LDAP authentication
reporting: refactor RRD data retrieval and simplify health page UX
interfaces: make link-local VIPs unique per interface
interfaces: make VIPs sortable and searchable
interfaces: improve assignments page UX and simplify its bridge validation
interfaces: allow multiple IP addresses in DHCP reject clause (contributed by Csaba Kos)
interfaces: enable IPv6 early on trackers
interfaces: do not reload filter in rc.linkup
interfaces: add input validations to VXLAN model (contributed by Monviech)
interfaces: add NO_DAD flag to static IPv6 configurations
interfaces: fix config locking when deleting a VIP node
firewall: sort auto-generated rules by priority set
firewall: fix regression in BaseContentParser throwing an error
firmware: stop using the “pkg+http(s)” scheme which breaks using newer pkg 1.20
ipsec: count user in “Overview” tab and improve “Mobile Users” tab (contributed by Monviech)
ipsec: make description in connections required (contributed by Michael Muenz)
ipsec: connection proposal sorting and additions
lang: assorted updates and completed French translation
openvpn: change verify-client-cert to a server only setting and fix validation
openvpn: do not flush state table on linkdown
unbound: avoid dynamic reloads when possible
unbound: add support for wildcard domain lists
unbound: improved UX of the overrides page
backend: pluginctl: improve listing plugins of selected type
mvc: add hasChanged() to detect changes to the config file
mvc: allow empty value in UniqueConstraint if not required by field
mvc: improve field validation message handling
mvc: fix regression in PortField with setEnableAlias() that would lowercase alias names
mvc: style update in diagnostics, firewall, intrusion detection and ipsec models
ui: fix the styling of the base form button when overriding the label
ui: trigger change message on toggle and delete
plugins: os-nginx 1.32.2 [1]
plugins: os-radsecproxy fixes for stale rc script / pidfile issues
plugins: os-rspamd 1.13 [2]
plugins: os-theme-ciada fix for previous regression
plugins: os-wireguard 2.4 [3]
src: pf: enable the syncookie feature for IPv6
src: pflog: log packet dropped by default rule with drop
src: re: add Realtek Killer Ethernet E2600 IDs
src: libnetmap: fix interface name parsing restriction
src: tun/tap: correct ref count on cloned cdevs
src: bpf: fix writing of buffer bigger than PAGESIZE
src: net: check per-flow priority code point for untagged traffic
src: libpfctl: implement status counter accessor functions
src: pf: expose syncookie active/inactive status
src: iavf: add explicit ifdi_needs_reset for VLAN changes
src: vmxnet3: do restart on VLAN changes
src: iflib: invert default restart on VLAN changes
src: pf: fix state leak
ports: curl 8.4.0 [4]
ports: lighttpd 1.4.72 [5]
ports: nss 3.94 [6]
ports: openssl111 supersedes openssl package
ports: perl 5.36.1 [7]
ports: suricata 6.0.15 [8]
A hotfix release was issued as 23.7.7_1:
firmware: speed up saving the firmware settings by avoiding the newly extended trust store rewrite
firmware: opnsense-update: fix mirror replacement broken by pkg 1.20 compatibility effort
A hotfix release was issued as 23.7.7_3:
reporting: fix regression in single measurement RRD data reads
ipsec: re-add previously missing PRF hashing options to GCM cipher selection
23.7.6 (October 11, 2023)¶
This update is a maintenance release improving the DS-Lite use via separate GIF tunnels on top of IPv6-only connectivity. We are still continuing the efforts to provide better MVC integration for the gateways abstraction as well as working towards better MVC model consistency.
We would like to thank GitHub user Monviech for his special contributions in the documentation on the subject of reflection and hairpin NAT [1] .
Here are the full patch notes:
system: do not mark “defunct” gateway as “disabled” as well
system: skip all unusable gateways for monitoring
system: simplify the code in dpinger_status()
system: rewrite configuration history using MVC/API
interfaces: drop obsolete PPP default route handling
interfaces: change GRE/GIF to split reload per address family on dynamic connectivity
interfaces: prevent reading stale configuration data in interfaces_has_prefix_only()
interfaces: for consistency bootstrap the implicit ‘none’ value of the IP address modes
interfaces: prevent extended array data from being passed in interface_bring_down()
interfaces: fix warning due to use of an unassigned variable
firewall: quote “a/n” protocol in pf.conf to avoid a syntax error
firewall: fix wrong link to virtual IP page
firewall: add “Interface / Invert” rule toggle
firewall: fix help button in dialog for categories
firewall: update alias and shaper models
captive portal: update model
dhcp: fix “ends never” parsing in DHCPv6 lease page
dhcp: add scope to link-local DHCPv6 static mapping when creating route for delegated prefix (contributed by Maurice Walker)
dhcp: merge_ipv6_address() was too intrusive
intrusion detection: update model and persist values for transparency
intrusion detection: improve locking during sqlite database creation
ipsec: add IP4_DNS and IP6_DNS configuration payloads to connection pools (contributed by Monviech)
ipsec: require setting a connection pool name
ipsec: update models
monit: update model
openvpn: allow instances authentication without certificates when verify_client_cert is set to none
openvpn: add role to “proto” for TCP sessions as required for TAP type tunnels
openvpn: missing “selectpicker” class on VHID selector
openvpn: update model
backend: template reload wildcard was returning “OK” on partial failures
mvc: emit correct message on required validation in BaseField
mvc: throw on template reload issues in mutable service controller
mvc: inline one time use of $parentKey
mvc: set Required=Y for GroupNameField
mvc: remove special validation messages likely never seen
mvc: introduce isVolatile() for BaseModel
mvc: propagate isFieldChanged() from connected children in ArrayField
ui: remove the bootstrap-select version from the provided file in the default theme
plugins: remove the bootstrap-select version from the provided file in all themes
plugins: os-crowdsec 1.0.7 [2]
plugins: os-smart reverts the use of smartctl to gather disks
plugins: os-telegraf 1.12.9 [3]
plugins: os-theme-rebellion 1.8.9 fixes Unbound DNS reporting page
plugins: os-wireguard 2.3 [4]
ports: php 8.2.11 [5]
ports: syslog-ng 4.4.0 [6]
23.7.5 (September 26, 2023)¶
Today introduces a change in MTU handling for parent interfaces mostly noticed by PPPoE use where the respective MTU values need to fit the parent plus the additional header of the VLAN or PPPoE. Should the MTU already be misconfigured to a smaller value it will be used as configured so check your configuration and clear the MTU value if you want the system to decide about the effective parent MTU size.
Another change in far gateway handling is also included which prevents a monitoring failure if that particular gateway was not being designated as default during boot which made the routing table miss the essential interface route and monitoring would always report it as down. Now the interface route is ensured but not only when applying the default gateway so that it works all the time.
Also fixed was the problematic migration of the Unbound interfaces settings which now clears the possibly unknown interfaces in order to proceed and have Unbound up and running post update which was not the case for some users previously.
Other reliability improvements and third party security updates are included as well. We also continue our effort to clean up the interface handling code and audit the MVC model files for consistency. A missing change for out of the box DS-Lite support is also being tested on the development version now and will likely hit in 23.7.6.
Here are the full patch notes:
system: pluginctl: allow -f mode to drop config properties
system: switch to /usr/sbin/nologin as authoritative command location
system: remove remaining spurious ifconfig data pass to Gateways class
system: fix data cleansing issue in “column_count” and “sequence” values on dashboard
system: start gateway monitors after firewall rules are in place (contributed by Daggolin)
system: refactor far gateway handling out of default route handling
interfaces: use interfaces_restart_by_device() where appropriate
interfaces: allow get_interface_ipv6() to return in all three IPv6 variants
interfaces: add GRE/GIF/bridge/wlan return values
interfaces: signal wlan device creation success/failure
interfaces: update link functions for GIF/GRE
interfaces: remove the ancient OpenVPN-tap-on-a-bridge magic on IPv4 reload
interfaces: update read-only bridge member code
interfaces: redirect after successful interface add
interfaces: add interface return feature for use on bridges/assignment page
interfaces: VIP model style update
interfaces: implement interface_configure_mtu()
interfaces: allow clean MVC access to primary IPv4 address (pluginctl -4 mode)
firewall: fix cleanup issue when renaming an alias
dhcp: make dhcrelay code use the Gateways class
ipsec: add local_port and remote_port to connections (contributed by Monviech)
openvpn: force instance interface down before handing it over to daemon
openvpn: add missing up and down scripts to instances (contributed by Daggolin)
unbound: properly set a default value for private address configuration
unbound: allow disabled interfaces in interface field
unbound: migrate active/outgoing interfaces discarding invalid values
unbound: UX improvements on several pages
unbound: update model
mvc: update diagnostics models
mvc: add isLinkLocal()
plugins: os-upnp replaces calls to obsolete get_interface_ip()
plugins: os-rfc2136 replaces calls to obsolete get_interface_ip[v6]()
plugins: os-sunnyvalley 1.3 changes repository URL (contributed by Sunny Valley Networks)
plugins: os-tinc adds missing subnet-down script (contributed by andrewhotlab)
ports: curl 8.3.0 [1]
ports: nss 3.93 [2]
ports: openssl 1.1.1w [3]
ports: phalcon 5.3.1 [4]
ports: phpseclib 3.0.23 [5]
ports: sqlite 3.43.1 [6]
ports: suricata 6.0.14 [7]
23.7.4 (September 14, 2023)¶
The usual amount of improvements go out today with FreeBSD security advisories on top. The new Python version was also picked up.
Note that the WireGuard plugin improvement effort is still going on and this time we refreshed the dashboard widget as that was being requested a number of times. The Polish language has been added to the GUI as well.
Here are the full patch notes:
system: correctly set RFC 5424 on remote TLS system logging
system: remove hasGateways() and write DHCP router option unconditionally
system: avoid plugin system for gateways monitor status fetch
system: remove passing unused ifconfig data to Gateways class on static pages
system: remove passing unused ifconfig data on gateway monitor status fetch
system: remove the unused “alert interval” option from the gateway configuration
interfaces: calculate_ipv6_delegation_length() should take advanced and custom dhcp6c into account
interfaces: teach ifctl to dump all files and its data for an interface
interfaces: remove dead link/hint in GIF table
interfaces: avoid duplicating $vfaces array
interfaces: introduce interfaces_restart_by_device()
firewall: remove old __empty__ options trick from shaper model
firewall: update models for clarity
firmware: update model for clarity
ipsec: omit conditional authentication properties when not applicable on connections
ipsec: fix key pair generator for secp256k1 EC and add properer naming to GUI (contributed by Manuel Faux)
ipsec: allow the use of eap_id = %any in instances
openvpn: fix certificate list for client export when optional CA specified (contributed by Manuel Faux)
openvpn: add CARP VHID tracking for client instances
openvpn: add tun-mtu/fragment/mssfix combo for instances
openvpn: add “route-gateway” advanced option to CSO
openvpn: use new File::file_put_contents() wrapper for instances
openvpn: updated model and clarified “auth” default option
mvc: remove “non-functional” hints from form input elements
mvc: uppercase default label in BaseListField is more likely
ui: add bytes format to standard formatters list
plugins: os-ddclient 1.16 [1]
plugins: os-frr 1.36 [2]
plugins: os-wireguard 2.1 [3]
plugins: os-tinc 1.7 adds support for “StrictSubnets” variable (contributed by andrewhotlab)
lang: update translations and add Polish
src: bring back netmap tun(4) ethernet header emulation (contributed by Sunny Valley Networks)
src: axgbe: gracefully handle i2c bus failures
src: bnxt: do not restart on VLAN changes
src: ice: do not restart on VLAN changes
src: net: do not overwrite VLAN PCP
src: net: remove VLAN metadata on PCP / VLAN encapsulation
src: if_vlan: always default to 802.1
src: iflib: fix panic during driver reload stress test
src: iflib: fix white space and reduce some line lengths
src: ixgbe: define IXGBE_LE32_TO_CPUS
src: ixgbe: check for fw_recovery
src: net80211: fail for unicast traffic without unicast key [4]
src: pcib: allocate the memory BAR with the MSI-X table [5]
ports: php 8.2.10 [6]
ports: python 3.9.18 [7]
ports: unbound 1.18.0 [8]
23.7.3 (August 30, 2023)¶
Recently we improved the workflow for bringing language updates to the release so here we are with an updated translation package including added support for Korean. Thanks a lot to all contributors for keeping this going strong!
If you would like to help with translations you can sign up via:
https://poeditor.com/projects/view?id=179921
Of note is also the largely rewritten backend for the WireGuard kernel module plugin which offers separate services for each instance much like OpenVPN offers it. The requirement of the wireguard-tools and bash packages were removed. This also means the plugin will be moved to the core for 24.1 along with Wireguard go plugin being removed completely since on FreeBSD 13.2 no external package is needed to enjoy WireGuard and the permanent existence of a kernel module renders the Go fallback defunct through wireguard-tools/wg-quick implementation quirks.
Here are the full patch notes:
system: fix missing config save when RRD data is supplied during backup import
system: defer config reload to SIGHUP in gateway watcher
system: handle “force_down” state correctly in gateway watcher
system: make Gateways class argument optional
interfaces: tweak UX of interface settings page
interfaces: further improve PPP MTU handling
interfaces: remove workaround to re-reload the routing during bootup for edge case that no longer exist
firewall: fix group priority handling regression
firewall: improve filter functionality to combine multiple network clauses in states page
dhcp: map interfaces to interface names instead of devices
dhcp: fix iaid_duid parsing in IPv6 lease page
intrusion detection: support “bypass” keyword in user-defined rules (contributed by Monviech)
openvpn: fix mismatch issue when pinning a CSO to a specific instance
openvpn: add advanced option for optional CA selection
unbound: fix concurrent session closing the handle while still writing data in Python module
web proxy: remove long deprecated “dns_v4_first” setting from GUI
mvc: extend PortField to optionally allow port type aliases
lang: update all languages and add Korean
plugins: os-firewall 1.4 adds port alias support
plugins: os-frr 1.35 [1]
plugins: os-wireguard 2.0 [2]
ports: filterlog fix to prevent crash on default rule number -1
23.7.2 (August 23, 2023)¶
Assorted improvements are being shipped with this release. Of special note is the proper monitoring of down gateways which allows the new gateway watcher to see the gateway come back online when plugging a cable. A Wazuh agent plugin was added and the ddclient plugin received new protocol support including AWS Route53 amongst others.
Here are the full patch notes:
system: improve monitoring of down gateways
system: clear all /var/run directories on bootup
system: put lock()/unlock() back for legacy plugin compatibility
interfaces: fix special device name chars used in shell variables
interfaces: prevent IPv6 mismatches when using compressed format in VIP
interfaces: remove descriptive name from newwanip logging
interfaces: typo in MRU handling for PPP
interfaces: improve PPPoE MTU handling
interfaces: switch rtsold to -A mode
firewall: missing interface group registration on group creation
dhcp: improve UX of the new MVC lease pages
firmware: remove defunct mirror “Dept. of CSE, Yuan Ze University”
intrusion detection: fix events originating from “int^” due to IPS mode use
ipsec: add colon to supported character list for pre-shared key IDs
ipsec: reqid should not stick when copying a phase 1
monit: fix empty timeout value (contributed by Michael Muenz)
openvpn: properly map user groups for authentication
openvpn: bring instances into server field
openvpn: fix separator for redirect-gateway attribute in instances and CSO
unbound: fixed configuration when custom blocks are used (contributed by Evgeny Grin)
plugins: os-ddclient 1.15 [1]
plugins: os-iperf adds rubygem-rexml dependency (contributed by Hannah Kiekens)
plugins: os-relayd 2.7 now supports newer upstream release of relayd
plugins: os-wazuh-agent 1.0 [2]
src: remove if_wg from kernel modules to unbreak current wireguard-go use
src: axgbe: LED control for A30 platform
src: gif: revert in{,6}_gif_output() misalignment handling
src: igc: sync srrctl buffer sizing with e1000
src: ip_output: ensure that mbufs are mapped if ipsec is enabled
src: ixgbe: warn once for unsupported SFPs
src: ixgbe: add support for 82599 LS
src: ixl: add link state polling
src: ixl: port ice’s atomic API to ixl
src: rss: set pin_default_swi to 0 by default
src: rtsol: introduce an ‘always’ script
ports: dnspython 2.4.2
ports: krb5 1.21.2 [3]
ports: openldap 2.6.6 [4]
ports: openvpn 2.6.6 [5]
ports: php 8.2.9 [6]
ports: phalcon 5.3.0 [7]
ports: phpseclib 3.0.21 [8]
23.7.1 (August 08, 2023)¶
23.7 looks pretty good so far but no reason not to make it better. The MVC changes for DHCP, firewall groups, OpenVPN and Unbound receive several required fixes and the latest FreeBSD security advisories were added as well.
Here are the full patch notes:
system: close boot file after probing to avoid lock inheritance
system: fix lock() inheriting the lock state
system: give more context in process kill error case since we operate PID numbers only
firewall: groups were not correctly parsed for menu post-migration
firewall: hide row command buttons for internal groups
firewall: add “ipv6-icmp” to protocol list in shaper
firewall: fix PHP warnings on the rules pages
dhcp: check if manufacturer exists for IPv4 lease page to prevent error
dhcp: use base16 for iaid_duid decode for IPv6 lease page to prevent error
dhcp: fix validation for static entry requirement
firmware: revoke 23.1 fingerprint
network time: support pool directive and maxclock (contributed by Kevin Fason)
openvpn: fix static key delete
openvpn: fix “mode” typo and push auth “digest” into export config
openvpn: fix race condition when using CRLs in instances
openvpn: remove arbitrary upper bounds on some integer values in instances
unbound: migration of empty nodes failed from 23.1.11 to 23.7
unbound: fix regression when disabling first domain override
mvc: fix empty item selection issue in BaseListField
plugins: os-ddclient 1.14 [1]
plugins: os-acme-client 3.19 [2]
src: bhyve: fully reset the fwctl state machine if the guest requests a reset [3]
src: frag6: avoid a possible integer overflow in fragment handling [4]
src: amdtemp: Fix missing 49 degree offset on current EPYC CPUs
src: libpfctl: ensure the initial allocation is large enough
src: pf: handle multiple IPv6 fragment headers
ports: curl 8.2.1 [5]
ports: dnspython 2.4.1
ports: nss 3.92 [6]
ports: openssl 1.1.1v [7]
ports: perl 5.34.1 [8]
ports: strongswan 5.9.11 [9]
ports: syslog-ng 4.3.1 [10]
A hotfix release was issued as 23.7.1_3:
firewall: do not clone “associated-rule-id”
network time: fix “Soliciting pool server” regression (contributed by Allan Que)
dhcp: fix IPv4 lease removal
23.7 (July 31, 2023)¶
For more than 8 and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
23.7, nicknamed “Restless Roadrunner”, features numerous MVC/API conversions including the new OpenVPN “instances” configuration option, OpenVPN group alias support, deferred authentication for OpenVPN, FreeBSD 13.2, PHP 8.2 plus much more.
Download links, an installation guide [1] and the checksums for the images can be found below as well.
US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.7/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.7/
South America: http://mirror.ueb.edu.ec/opnsense/releases/23.7/
East Asia: https://mirror.ntct.edu.tw/opnsense/releases/23.7/
Full mirror list: https://opnsense.org/download/
Here are the full patch notes against 23.1.11:
system: use parse_url() to validate if the provided login redirect string is actually parseable to prevent redirect
system: fix assorted PHP 8.2 deprecation notes
system: fix assorted permission-after-write problems
system: introduce a gateway watcher service and fix issue with unhandled “loss” trigger when “delay” is also reported
system: enabled web GUI compression (contributed by kulikov-a)
system: disable PHP deprecation notes due to Phalcon emitting such messages breaking the API responses
system: allow “.” DNS search domain override
system: on boot let template generation wait for configd socket for up to 10 seconds
system: do not allow state modification on GET for power off and reboot actions
system: better validation and escaping for cron commands
system: better validation for logging user input
system: improve configuration import when interfaces or console settings do not match
system: name unknown tunables as “environment” as they could still be supported by e.g. the boot loader
system: sanitize $act parameter in trust pages
system: add severity filter in system log widget (contributed by kulikov-a)
system: mute openssl errors pushed to stderr
system: add opnsense-crypt utility to encrypt/decrypt a config.xml
system: call opnsense-crypt from opnsense-import to deal with encrypted imports
interfaces: extend/modify IPv6 primary address behaviour
interfaces: fix bug with reported number of flapping LAGG ports (contributed by Neil Greatorex)
interfaces: introduce a lock and DAD timer into newwanip for IPv6
interfaces: rewrite LAGG pages via MVC/API
interfaces: allow manual protocol selection for VLANs
interfaces: remove null_service toggle as empty service name in PPPoE works fine
interfaces: on forceful IPv6 reload do not lose the event handling
interfaces: allow primary address function to emit device used
firewall: move all automatic rules for interface connectivity to priority 1
firewall: rewrote group handling using MVC/API
firewall: clean up AliasField to use new getStaticChildren()
firewall: “kill states in selection” button was hidden when selecting only a rule for state search
firewall: cleanup port forward page and only show the associated filter rule for this entry
captive portal: safeguard template overlay distribution
dhcp: rewrote both IPv4 and IPv6 lease pages using MVC/API
dhcp: allow underscores in DNS names from DHCP leases in Dnsmasq and Unbound watchers (contributed by bugfixin)
dhcp: align router advertisements VIP code and exclude /128
dhcp: allow “.” for DNSSL in router advertisements
dhcp: print interface identifier and underlying device in “found no suitable address” warnings
firmware: opnsense-version: remove obsolete “-f” option stub
firmware: properly escape crash reports shown
firmware: fix a faulty JSON construction during partial upgrade check
firmware: fetch bogons/changelogs from amd64 ABI only
ipsec: add missing config section for HA sync
ipsec: add RADIUS server selection for “Connections” when RADIUS is not defined in legacy tunnel configuration
ipsec: only write /var/db/ipsecpinghosts if not empty
ipsec: check IPsec config exists before use (contributed by agh1467)
ipsec: fix RSA key pair generation with size other than 2048
ipsec: deprecating tunnel configuration in favour of new connections GUI
ipsec: clean up SPDField and VTIField types to use new getStaticChildren()
ipsec: add passthrough networks when specified to prevent overlapping “connections” missing them
monit: fix alert script includes
openvpn: rewrote OpenVPN configuration as “Instances” using MVC/API available as a separate configuration option [2]
openvpn: rewrote client specific overrides using MVC/API
unbound: rewrote general settings and ACL handling using MVC/API
unbound: add forward-tcp-upstream in advanced settings
unbound: move unbound-blocklists.conf to configuration location
unbound: add database import/export functions for when DuckDB version changes on upgrades
unbound: add cache-max-negative-ttl setting (contributed by hp197)
unbound: fix upgrade migration when database is not enabled
unbound: minor endpoint cleanups for DNS reporting page
wizard: restrict to validating only IPv4 addresses
backend: minor regression in deeper nested command structures in configd
mvc: fill missing keys when sorting in searchRecordsetBase()
mvc: properly support multi clause search phrases
mvc: allow legacy services to hook into ApiMutableServiceController
mvc: implement new Trust class usage in OpenVPN client export, captive portal and Syslog-ng
mvc: add generic static record definition for ArrayField
ui: introduce collapsible table headers for MVC forms
plugins: os-acme-client 3.18 [3]
plugins: os-bind 1.27 [4]
plugins: os-dnscrypt-proxy 1.14 [5]
plugins: os-dyndns removed due to unmaintained code base
plugins: os-frr 1.34 [6]
plugins: os-firewall 1.3 allows floating rules without interface set (contributed by Michael Muenz)
plugins: os-telegraf 1.12.8 [7]
plugins: os-zabbix62-agent removed due to Zabbix 6.2 EoL
plugins: os-zabbix62-proxy removed due to Zabbix 6.2 EoL
src: axgbe: enable RSF to prevent zero-length packets while in Netmap mode
src: axgbe: only set CSUM_DONE when IFCAP_RXCSUM enabled
src: ipsec: add PMTUD support
src: FreeBSD 13.2-RELEASE [8]
ports: krb5 1.21.1 [9]
ports: nss 3.91 [10]
ports: phalcon 5.2.3 [11]
ports: php 8.2.8 [12]
ports: py-duckdb 0.8.1
ports: py-vici 5.9.11
ports: sudo 1.9.14p3 [13]
ports: suricata now enables Netmap V14 API
Migration notes, known issues and limitations:
The Unbound ACL now defaults to accept all traffic and no longer generates automatic entries. This was done to avoid connectivity issues on dynamic address setups – especially with VPN interfaces. If this is undesirable you can set it to default to block instead and add your manual entries to pass.
Dpinger no longer triggers alarms on its own as its mechanism is too simplistic for loss and delay detection as provided by apinger a long time ago. Delay and loss triggers have been fixed and logging was improved. The rc.syshook facility “monitor” still exists but is only provided for compatibility reasons with existing user scripts.
IPsec “tunnel settings” GUI is now deprecated and manual migration to the “connections” GUI is recommended. An appropriate EoL announcement will be made next year.
The new OpenVPN instances pages and API create an independent set of instances more closely following the upstream documentation of OpenVPN. Legacy client/server settings cannot be managed from the API and are not migrated, but will continue to work independently.
The old DynDNS plugin was removed in favor of the newer MVC/API plugin for ddclient. We are aware of the EoL state of ddclient which was unfortunately announced only one year after we started working on the new plugin. We will try to add upstream fixes that have not been released yet and already offer our own ddclient-less Python backend in the same plugin as an alternative.
The public key for the 23.7 series is:
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAu90d9OlhEEqfPTRC5tVp
# XK1KAtvzKPVf2jvmTtWgFRFCB3fuYQcO7oNefXJoK0LaHNQgiOsBTvepVMicl2aI
# zrehgdbljjNFmp6KzEM55x05zOfZV8Gi8AEaJzEbb3rkWLkiXHnANfhHGvtHOrGr
# Hct84NMCcfCZZerwaQMqi+SAjgUzA+asmhAvjN0fbdH2SLx/ZMNzDcyPRFGtGiC7
# RQCzgCGz39ppJP4qordzRSy5YiwCxNe/SL/4ZG04eMVti47BPTCtioBzuASHqALJ
# BVOFzZpr1WZ89PT/T5W6xYzoyWemOyv9Rh+rhaTAhnq+OO4yudaytpPCAtXBULr/
# VOlDOX//qaZR8qbQOC9y9kIETH8Iivis5tonBAQmYPIJiqcxfjM4/R7yP2Q7mEsr
# PLNyP6HNe77JGoW1axNZlB/OL1XUI3r+Kksc2woIqTQ5sq95tHbddNqGIDg4cEOX
# FM5Y7tdvVEwl/nutaAzP07sqEyF8uNScLGsQwpBxHwV/qGGc+PbGqmbmWg3+Kt+e
# UeNcMvrgayhRt+lpVCAorVVjUTp0Y2+1x+V/IpukOaS2oldPIF0iXLZsQ90KYP3X
# QtmuxbiC2Em+eGHB6nSg1UZgUEaAb3xP1fpuLbi9McoUPxMXxVdfihSfSfUFXJTH
# SmqdO1BdG7VSwiQq9Ekbu5UCAwEAAQ==
# -----END PUBLIC KEY-----
Please let us know about your experience!
# SHA256 (OPNsense-23.7-dvd-amd64.iso.bz2) = bf67374d04fb00a29d80f9870ac86491b0a87d5dd386c2bd97def0691547e263
# SHA256 (OPNsense-23.7-nano-amd64.img.bz2) = 4adbbd69d0ce1766395555475ea29713f9043735a0c9067206d9945cb626200a
# SHA256 (OPNsense-23.7-serial-amd64.img.bz2) = 03c774f53520414c73cdcaa4fe3b34c4165395963bef74c533c3878a07b80138
# SHA256 (OPNsense-23.7-vga-amd64.img.bz2) = 8a235d2cba717b9b2ea4d5588028c087adc6ff472ae8efd381a26a9640298c67
23.7.r3 (July 26, 2023)¶
Quick release candidate update. Last one. Promise.
Still on track for the final release on July 31.
Here are the full patch notes:
interfaces: on forceful IPv6 reload do not lose the event handling
interfaces: allow primary address function to emit device used
dhcp: print interface identifier and underlying device in “found no suitable address” warnings
wizard: restrict to validating only IPv4 addresses
Stay safe, Your OPNsense team
23.7.r2 (July 24, 2023)¶
Quick release candidate update. May or may not be the last one this week depending on the feedback we will receive. So far thanks to all the brave testers!
Still on track for the final release on July 31.
Here are the full patch notes:
system: mute openssl errors pushed to stderr
system: add opnsense-crypt utility to encrypt/decrypt a config.xml
system: call opnsense-crypt from opnsense-import to deal with encrypted imports
interfaces: rewrite LAGG pages via MVC/API
interfaces: allow manual protocol selection for VLANs
interfaces: remove null_service toggle as empty service name in PPPoE works fine
monit: fix alert script includes
ipsec: add passthrough networks when specified to prevent overlapping “connections” missing them
unbound: fix upgrade migration when database is not enabled
unbound: minor endpoint cleanups for DNS reporting page
firmware: fix a faulty JSON construction during partial upgrade check
ports: openssh 9.3p2 [1]
23.7.r1 (July 20, 2023)¶
For more than 8 and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you. <3
Download links, an installation guide [1] and the checksums for the images can be found below as well.
US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/23.7/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/23.7/
South America: http://mirror.ueb.edu.ec/opnsense/releases/23.7/
East Asia: https://mirror.ntct.edu.tw/opnsense/releases/23.7/
Full mirror list: https://opnsense.org/download/
Here are the full patch notes against 23.1.11:
system: use parse_url() to validate if the provided login redirect string is actually parseable to prevent redirect
system: fix assorted PHP 8.2 deprecation notes
system: fix assorted permission-after-write problems
system: introduce a gateway watcher service and fix issue with unhandled “loss” trigger when “delay” is also reported
system: enabled web GUI compression (contributed by kulikov-a)
system: disable PHP deprecation notes due to Phalcon emitting such messages breaking the API responses
system: allow “.” DNS search domain override
system: on boot let template generation wait for configd socket for up to 10 seconds
system: do not allow state modification on GET for power off and reboot actions
system: better validation and escaping for cron commands
system: better validation for logging user input
system: improve configuration import when interfaces or console settings do not match
system: name unknown tunables as “environment” as they could still be supported by e.g. the boot loader
system: sanitize $act parameter in trust pages
system: add severity filter in system log widget (contributed by kulikov-a)
interfaces: extend/modify IPv6 primary address behaviour
interfaces: fix bug with reported number of flapping LAGG ports (contributed by Neil Greatorex)
interfaces: introduce a lock and DAD timer into newwanip for IPv6
firewall: move all automatic rules for interface connectivity to priority 1
firewall: rewrote group handling using MVC/API
firewall: clean up AliasField to use new getStaticChildren()
firewall: “kill states in selection” button was hidden when selecting only a rule for state search
firewall: cleanup port forward page and only show the associated filter rule for this entry
captive portal: safeguard template overlay distribution
dhcp: rewrote both IPv4 and IPv6 lease pages using MVC/API
dhcp: allow underscores in DNS names from DHCP leases in Dnsmasq and Unbound watchers (contributed by bugfixin)
dhcp: align router advertisements VIP code and exclude /128
dhcp: allow “.” for DNSSL in router advertisements
firmware: opnsense-version: remove obsolete “-f” option stub
firmware: properly escape crash reports shown
ipsec: add missing config section for HA sync
ipsec: add RADIUS server selection for “Connections” when RADIUS is not defined in legacy tunnel configuration
ipsec: only write /var/db/ipsecpinghosts if not empty
ipsec: check IPsec config exists before use (contributed by agh1467)
ipsec: fix RSA key pair generation with size other than 2048
ipsec: deprecating tunnel configuration in favour of new connections GUI
ipsec: clean up SPDField and VTIField types to use new getStaticChildren()
openvpn: rewrote OpenVPN configuration as “Instances” using MVC/API available as a separate configuration option [2]
openvpn: rewrote client specific overrides using MVC/API
unbound: rewrote general settings and ACL handling using MVC/API
unbound: add forward-tcp-upstream in advanced settings
unbound: move unbound-blocklists.conf to configuration location
unbound: add database import/export functions for when DuckDB version changes on upgrades
unbound: add cache-max-negative-ttl setting (contributed by hp197)
backend: minor regression in deeper nested command structures in configd
mvc: fill missing keys when sorting in searchRecordsetBase()
mvc: properly support multi clause search phrases
mvc: allow legacy services to hook into ApiMutableServiceController
mvc: implement new Trust class usage in OpenVPN client export, captive portal and Syslog-ng
mvc: add generic static record definition for ArrayField
ui: introduce collapsible table headers for MVC forms
plugins: os-acme-client 3.18 [3]
plugins: os-dnscrypt-proxy 1.14 [4]
plugins: os-dyndns removed due to unmaintained code base
plugins: os-frr 1.34 [5]
plugins: os-telegraf 1.12.8 [6]
plugins: os-zabbix62-agent removed due to Zabbix 6.2 EoL
plugins: os-zabbix62-proxy removed due to Zabbix 6.2 EoL
src: axgbe: enable RSF to prevent zero-length packets while in Netmap mode
src: axgbe: only set CSUM_DONE when IFCAP_RXCSUM enabled
src: ipsec: add PMTUD support
src: FreeBSD 13.2-RELEASE [7]
ports: krb5 1.21.1 [8]
ports: nss 3.91 [9]
ports: php 8.2.8 [10]
ports: py-duckdb 0.8.1
ports: py-vici 5.9.11
ports: sudo 1.9.14p2 [11]
ports: suricata now enables Netmap V14 API
Migration notes, known issues and limitations:
The Unbound ACL now defaults to accept all traffic and no longer generates automatic entries. This was done to avoid connectivity issues on dynamic address setups – especially with VPN interfaces. If this is undesirable you can set it to default to block instead and add your manual entries to pass.
Dpinger no longer triggers alarms on its own as its mechanism is too simplistic for loss and delay detection as provided by apinger a long time ago. Delay and loss triggers have been fixed and logging was improved. The rc.syshook facility “monitor” still exists but is only provided for compatibility reasons with existing user scripts.
IPsec “tunnel settings” GUI is now deprecated and manual migration to the “connections” GUI is recommended. An appropriate EoL announcement will be made next year.
The new OpenVPN instances pages and API create an independent set of instances more closely following the upstream documentation of OpenVPN. Legacy client/server settings cannot be managed from the API and are not migrated, but will continue to work independently.
The old DynDNS plugin was removed in favor of the newer MVC/API plugin for ddclient. We are aware of the EoL state of ddclient which was unfortunately announced only one year after we started working on the new plugin. We will try to add upstream fixes that have not been released yet and already offer our own ddclient-less Python backend in the same plugin as an alternative.
The public key for the 23.7 series is:
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAu90d9OlhEEqfPTRC5tVp
# XK1KAtvzKPVf2jvmTtWgFRFCB3fuYQcO7oNefXJoK0LaHNQgiOsBTvepVMicl2aI
# zrehgdbljjNFmp6KzEM55x05zOfZV8Gi8AEaJzEbb3rkWLkiXHnANfhHGvtHOrGr
# Hct84NMCcfCZZerwaQMqi+SAjgUzA+asmhAvjN0fbdH2SLx/ZMNzDcyPRFGtGiC7
# RQCzgCGz39ppJP4qordzRSy5YiwCxNe/SL/4ZG04eMVti47BPTCtioBzuASHqALJ
# BVOFzZpr1WZ89PT/T5W6xYzoyWemOyv9Rh+rhaTAhnq+OO4yudaytpPCAtXBULr/
# VOlDOX//qaZR8qbQOC9y9kIETH8Iivis5tonBAQmYPIJiqcxfjM4/R7yP2Q7mEsr
# PLNyP6HNe77JGoW1axNZlB/OL1XUI3r+Kksc2woIqTQ5sq95tHbddNqGIDg4cEOX
# FM5Y7tdvVEwl/nutaAzP07sqEyF8uNScLGsQwpBxHwV/qGGc+PbGqmbmWg3+Kt+e
# UeNcMvrgayhRt+lpVCAorVVjUTp0Y2+1x+V/IpukOaS2oldPIF0iXLZsQ90KYP3X
# QtmuxbiC2Em+eGHB6nSg1UZgUEaAb3xP1fpuLbi9McoUPxMXxVdfihSfSfUFXJTH
# SmqdO1BdG7VSwiQq9Ekbu5UCAwEAAQ==
# -----END PUBLIC KEY-----
Please let us know about your experience!
# SHA256 (OPNsense-23.7.r1-dvd-amd64.iso.bz2) = ffc2fe24b16bf45b84223ccf78780e94715e695d6ef50bbb041dc1697dcd7862
# SHA256 (OPNsense-23.7.r1-nano-amd64.img.bz2) = d2e3de7d7919b0aaafe80c92ec944b94ebb005220e46ed71d8f816236bf4feab
# SHA256 (OPNsense-23.7.r1-serial-amd64.img.bz2) = 61b594799c1ab9c2daab9adcff93793bf54f875067a7ddec070ade1d67db3689
# SHA256 (OPNsense-23.7.r1-vga-amd64.img.bz2) = 5e90b9fd076a206409474d3667ee11439ecb86f44dbcb1bc339e96b5a83c5a28