Idea(s) for the road map

[fabian]

• migrate to PHP 7 and Phalcon 3

[Andreas]

OTP
Make it configable when OTP is used (e.g. Login via WAN you need OTP, LAN you need no OTP)
OTP
Offer to enter the OTP in a extra field instead of before the "normal" password

GUI - Reporting
Use the given Interface name instead of the "technical" (e.g. opt7 is named as WAN 100Mbit but displayed in Reporting as opt7) (Reporting- Settings)

GUI- Debugging while vpn
make it more live in viewing logs while trying to make vpn connections for better understanding why its not working - or filtering logs for each connection to make it easier identify

VPN - SSL VPN (WEB-VPN)
take a look at https://service.tu-dortmund.de/ssl-vpn-web-vpn or https://www.barracuda.com/products/sslvpn?L=de for example

GUI - Console
a console in the GUI

GUI - Rework of the Interface Overview
The overview is better, but I think it can be better. For Example Status Color, direct links to edit
for example is the dashboard view for me really better than the special site for the overview

GUI - Reference to my Point GUI- Debugging while vpn
While working on the interface or the settings of things a popup with the live view of what happening to debug

GUI - OPENVPN
Adminstrable Settings to customize the Site for the normal clients to download when they log in to export their profiles

GUI - OPENVPN/Firewall
Customizable Profiles with specialed firewall settings. Make it possible to define for groups or user special firewall settings for user/groups.

SQUID Settings
for multiwan situation more customizing options in the squid config site

GUI - Firewall log
make it work that a click on the block button shows why the connection was blocked
perhaps make buttons to make a rule to allow the connection

GUI - Diagnostic
Make a new menu point with diagnostic tools

Apinger / Gateway Status
make it customizable (time between ping etc.)

THANKS FOR YOUR WORK

[franco]

Uh, Phalcon 3 is out? Shiny....

Here are some of my items:

o FreeBSD 11
o Suricata and Squid as a plugin
o Single-slice nano with growfs
o Screen reader optimisations

[lattera]

PIE base is already done and PIE ports is nearing completion. Dogfooding PIE ports in HardenedBSD first. But wait! There's more! Also included will be RELRO + BIND_NOW.

[fabian]

@Andreas: The german forum has already a topic for SSL VPN: https://forum.opnsense.org/index.php?topic=1279.0

[Andreas]

right @fabian
its a try to get it on the roadmap

[tillsense]

• more customizing options on the squid.conf
• sarg or lightsquid features fully integrated

 

[tillsense]

• gui option for bandwidth throttling one or more domain

[tillsense]

• own cron jobs

[wurmloch]

Change behaviour of opnsense so that answer packages on the WAN interface will be send to the originator in the same WAN subnet and not always to the (upstream) gateway,

[Strykar]

fail2ban plugin - especially useful for those of use using it in a hosted VM and have to enable HTTPS WAN access. Currently I've moved the HTTPS port from 443 to keep script kiddies out, a configurable fail2ban would be useful to those testing to deploy on Linode/DO.

And it's a great plugin that's useful for almost every public facing network service.

[AdSchellevis]

@Strykar fail2ban like functionality for the webgui and ssh is enabled by default in OPNsense (https://github.com/opnsense/sshlockout_pf).
After 15 retries it locks the ip address using two aliases (sshlockout, webConfiguratorlockout).

[srijan]

Can you please take Captive Portal with Multi-WAN in this release?

[Strykar]

@Strykar fail2ban like functionality for the webgui and ssh is enabled by default in OPNsense (https://github.com/opnsense/sshlockout_pf).
After 15 retries it locks the ip address using two aliases (sshlockout, webConfiguratorlockout).

Nice! Any chance this could be made port/application agnostic and configurable via the web interface? It could then be used for slowing down brute force attempts of any network facing services.

[Strykar]

Add RADIUS support for IPsec authentication and accounting.

Currently IPsec supports just PSK and RSA, since we currently already support adding external RADIUS servers, let strongSwan forward authentication and accounting traffic to the same RADIUS server if selected.
FreeRADIUS and Microsoft NPS are tested as working by strongSwan and shouldn't be too much effort to integrate.

This would require strongswan be compiled with '--enable-eap-radius'. Specify the RADIUS server IP + auth and accounting port in '/usr/local/etc/strongswan.d/eap-radius.conf' and set 'rightauth=eap-radius'.

strongSwan also supports DAE with RADIUS.
'The Dynamic Authorization Extension allows a RADIUS backend to actively terminate a session using a Disconnect-Request, or change the timeout of a session using a Session-Timeout attribute in a CoA-Request. The extension is enabled using a dae section in the eap-radius configuration.'

See https://wiki.strongswan.org/projects/strongswan/wiki/EAPRAdius