Hi there,
For more than 6 years, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.
We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you. <3
Download links, an installation guide[1] and the checksums for the images can be found below as well.
Here are the full patch notes against 20.7.7_1:
- system: use authentication factory for web GUI login
- system: allow case-insensitive matching for LDAP user authentication
- system: removed unused gateway API dashboard feed
- system: removed spurious comma from certificate subject print and unified underlying code
- system: harden web GUI defaults to TLS 1.2 minimum and strong ciphers
- system: generate a better self-signed certificate for web GUI default
- system: allow self-signed renew for web GUI default (using "configctl webgui restart renew")
- system: allow subdirectories in NextCloud backup (contributed by Lorenzo Milesi)
- system: optionally allow TOTP users to regenerate a token from the password page
- system: set default certificate lifetime to 397 days
- system: relax gateway name validation
- system: display destination port number in firewall log widget (contributed by Team Rebellion)
- system: allow to recover from bad TLS certificate and/or bad settings in console interface assign
- interfaces: defer IPv6 disable in interface code to ensure PPP interfaces do exist
- interfaces: no longer assume configuration-less interfaces can reach static setup code
- interfaces: fix PPP links not linking to linked advanced configuration
- firewall: add live log "host", "port" and "not" filters
- firewall: add manual refresh button to live log
- firewall: create an appropriate max-mss scrub rule for IPv6
- firewall: fix anti-spoof option for separate bridge interfaces
- firewall: relax schedule name validation
- firewall: fix typo in ICMPv6 validation
- firewall: add type 128 to outgoing IPv6 RFC4890 requirements
- firewall: fix minor regression in maintaining target alias file
- firewall: category selector missing caption
- firewall: fix all state value in pfTop (contributed by Lucas Held)
- firewall: remove duplicated destination field in live log
- firewall: add read-only actions to aliases permission (contributed by Manuel Faux)
- reporting: add top talkers to revamped traffic graphs page
- dhcp: hostname validation now includes domain
- dhcp: correct DHCPv6 custom options unsigned integer field (contributed by Team Rebellion)
- dhcp: removed the need for a static IPv4 being outside of the pool (contributed by Gauss23)
- dhcp: add min-secs option for each subnet (contributed by vnxme)
- dhcp: fix sorting of IPv6 static mappings (contributed by vnxme)
- dnsmasq: remove advanced configuration in favour of plugin directory
- dnsmasq: use domain override for static hosts
- firmware: opnsense-code now updates the current directory if nothing was specified
- firmware: opnsense-code now uses flexible make.conf target from tools.git
- firmware: opnsense-update now supports snapshot access via -z option
- firmware: opnsense-update now fixes missing dependencies on the fly
- firmware: repair display of removed packages during release type transition
- firmware: fix some issues with missing repository on server
- firmware: add version output and date to audit logs
- intrusion detection: replace file-based policy changes with detailed filters
- ipsec: NAT with multiple phase 2 (sponsored by m.a.x. it)
- ipsec: prevent VTI interface to hit spurious 32768 limit
- ipsec: allow mixed IPv4/IPv6 for VTI
- ipsec: display remote host in status overview (contributed by garlic17)
- openssh: honour MAX_LISTEN_SOCKS to prevent startup failure
- openvpn: added toggle for block-outside-dns (contributed by Julio Camargo)
- openvpn: hide "openvpn_add_dhcpopts" fields when not parsed via the backend
- openvpn: set default certificate lifetime to 397 days in wizard
- unbound: default to SO_REUSEPORT
- web proxy: add GSuite and YouTube filtering (contributed by Julio Camargo)
- web proxy: lock ACL download to prevent duplicate execution
- mvc: make sure isArraySequential() is only true on array input
- mvc: speed up processing time when over 2000 users are selected in a group
- mvc: allow underscore in filter string (contributed by kulikov-a)
- images: use UFS2 as the default for nano, serial and vga
- images: support UEFI boot in serial image
- ui: add tooltips for service control widget
- ui: move sidebar stage from session to local storage
- plugins: os-bind 1.15[2]
- plugins: os-frr 1.21[3]
- src: fix OpenSSL NULL pointer de-reference[4]
- src: fix AES-CCM requests with an AAD size smaller than a single block
- src: introduce HARDEN_KLD to ensure DTrace functionality
- src: fix partial scrub of multicast packages
- src: refine pf_route* behaviour in PF_DUPTO case for shared forwarding
- src: assorted upstream fixes for ipfw, iflib, multicast processing and pf
- ports: libressl 3.2.3[5][6]
- ports: nss 3.60.1
- ports: pkg fix for shell keyword by opening root file descriptor
- ports: radvd 2.19[7]
- ports: sudo 1.9.4p2[8]
Known issues and limitations:
- Installer currently advertises 20.7
The public key for the 21.1 series is:
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtiv4C8TPBnVAxUS+xW3W
uYhAOuLCZPA6F22Qatit4PVHI7AzfLbGjCQFZqjO+HRPVCmeiyggQWE4ZBOQrhbq
Em/NqmnDVos2rdGfEvp5miY4fstebtHI9CPv26QswgO7bsoJuCUoSmtGTbgNXyaF
ueNYTSXNEpWu35tQS830NCLW5Y6elfK99gxmNChlGdlz0wchaSA+myR6xH+TUw8L
D+87Tny/R2guC9Q0XnsKpKeOMxkNh0X3H0GsmcWmyV0rGAiMh6GuJXIN/yhNMkaD
wuHomqxd1OAyGLz9BjDNRKZ+b+y0iVpEx3qsDWlradtf8sUKZHJ96lf0jCRhEPvl
v1+QkAOzsauWBr3UtFbkKfHONpuwb5XVNgAJzFIRrnGhmWRXD7liiShOP4O+KBP1
Dzxs/X0plXgX2hOgzMbtgCMj4M1sV5HhKUrwiyqBpoe5nESJVrQ/DxETwEZIFoHy
hwQxd/DDp7uJmZlCkveuZeUAo7pfTUVchDpe2GB54bHEhIn3OES93PURMQtQxB12
mubV52vcfvzLnbv5FL5lMK/cgl64ip2bRu1jcB3wsKrKcGyUbtYJQDnHpowWrs5h
RdMHSfLyaC8ROMKhZmJTe141wr5p8d+NmgjlDblnNmUJ0jHVJeP0+RO/OcY/o3Zt
2MxL1Yp2cUu2l1HEmyrCsIcCAwEAAQ==
-----END PUBLIC KEY-----
Please let us know about your experience!
Stay safe,
Your OPNsense team
SHA256 (OPNsense-21.1.r1-OpenSSL-dvd-amd64.iso.bz2) = c6cfdd88227bb58c94634dca01e9108647a83278a4549291a4b772094342c81a
SHA256 (OPNsense-21.1.r1-OpenSSL-nano-amd64.img.bz2) = a60c3cb077b56202d3b02637054607f6180121b7da9faaf870f73a814dcfc2c7
SHA256 (OPNsense-21.1.r1-OpenSSL-serial-amd64.img.bz2) = cba8578d7acbb323fd1fa6fe93d648c5d227010e1169ccbdf1111980d73fa447
SHA256 (OPNsense-21.1.r1-OpenSSL-vga-amd64.img.bz2) = 1fce48c99e5c46d92fca7a00805873154832357c7de71f5035a01ca8047041dc