OPNsense 25.1 released

[franco]

Hi there,

For an entire decade now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, fast adoption
of upstream software updates as well as clear and stable 2-Clause BSD
licensing.

25.1, nicknamed "Ultimate Unicorn", features numerous MVC/API conversions,
improved security zones support and documentation, ZFS snapshot support,
a new UI look with a light and dark theme, PHP 8.3, FreeBSD 14.2 plus much
more.

Download links, an installation guide[1] and the checksums for the images
can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/25.1/
o US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/25.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/25.1/
o South America: http://mirror.ueb.edu.ec/opnsense/releases/25.1/
o East Asia: https://mirror.ntct.edu.tw/opnsense/releases/25.1/
o Full mirror list: https://opnsense.org/download/

Here are the full patch notes against version 24.7.12:

o system: migrate user, group and privilege management to MVC/API
o system: remove the "disable integrated authentication" feature
o system: add "Default groups" option to add standard groups when a LDAP/RADIUS user logs in
o system: remove the old manual LDAP importer
o system: migrate HA status page to MVC/API
o system: allow custom additions to sshd_config (contributed by Neil Greatorex)
o system: increase max-request-field-size for web GUI
o system: set tunable default for checksum offloading of the vtnet(4) driver to disabled (contributed by Patrick M. Hausen)
o system: add support for RFC 5549 routes and refactor static route creation code
o system: improve notification support to also allow persistent notifications and static banners
o system: add notifications for low disk space and OpenSSH file override use
o system: migrate tunables page to MVC/API
o system: switch to temperature sensor caching
o system: add certificate widget to track expiration dates and allow quick renewal
o system: remove deprecated "page-getserviceprovider", "page-dashboard-all" and "page-system-groupmanager-addprivs" privileges
o system: replace file_get_contents() with curl implementation in XMLRPC sync and add verifypeer option
o system: add item edit links to several dashboard widgets
o system: prioritize index page and prevent redirection to a /api page on login
o system: mute disk space status in case of live install media
o system: optimize system status collection
o interfaces: adhere to DAD during VIP recreation in rc.newwanipv6
o interfaces: remove non-functional features from bridges
o interfaces: remove PPP edit in interfaces settings
o interfaces: batched device type creation under "devices" submenu
o interfaces: move PPP and wireless logs to system log
o interfaces: remove "Use IPv4 connectivity" setting as it will be set by default
o firewall: use "skip lo0" instead of policing lo0 explicitly following OpenBSD best practice
o firewall: remove duplicate table definition and make sure bogonsv6 table always exists
o firewall: cleanup of CARP and IPv6 rules behaviour
o firewall: filter feature parity in automation rules
o firewall: offer multi-select on source and destination addresses
o firewall: add experimental inline shaper support to filter rules
o firewall: add missing columns on one-to-one NAT page
o firewall: fix unassociated rule creation
o firewall: fix anti-lockout and "allow access to DHCP failover" automatic rules
o firewall: add optional authorization for URL type aliases
o firewall: add "URL Table in JSON format (IPs)" alias type
o dnsmasq: update ICANN Trust Anchor (contributed by Loganaden Velvindron)
o firmware: fix "r" abbreviation vs. version_compare();
o installer: fixed missing prompt and help text in ZFS disk selection
o installer: warn on low RAM for ZFS as well
o installer: added a power off option
o intrusion detection: policy content dropdown missing data-container
o intrusion detection: cleanse metadata for brackets
o ipsec: add log search button in sessions
o ipsec: add banner message when using custom configuration files
o kea-dhcp: add "match-client-id" in subnet definitions
o lang: update available translations
o monit: wrap exec in double quotes to allow arguments (contributed by Nikita Uvarov)
o monit: flag file overwrites when they exist
o network time: take IPv6 addresses into account
o network time: remove support for explicit VIP selection
o openvpn: add validation pertaining to auth-gen-token and reneg-sec combinations
o unbound: cleanup available blocklists and add hagezi blocklists
o unbound: fix root.hits permission on copy
o unbound: flag file overwrites when they exist
o backend: -m option is unused so remove its complication
o mvc: implement reusable grid template using form definitions
o mvc: add Default() method to reset a model to its factory defaults
o mvc: fix LegacyMapper when the mount point is not the XML root
o mvc: move explicit cast in BaseModel when calling field->setValue()
o mvc: fields should implement getCurrentValue() rather than __toString()
o mvc: fix value lookup in LinkAddressField
o mvc: memory preservation fix in BaseListField
o mvc: support lazy loading on alias models and use it in NetworkAliasField
o mvc: fix NetworkValidator for IPv4-mapped addresses with netmask (contributed by John Fieber)
o ui: upgrade Font Awesome icons to version 6
o ui: push search/edit logic towards bootgrid implementation
o ui: improved links with automatic edit and/or search
o ui: rewritten default theme for a light look and new logo
o ui: added default theme variant with a dark look
o plugins: turning binary data into JSON may fail globally
o plugins: os-acme-client 4.8[2]
o plugins: os-caddy 1.8.1[3]
o plugins: os-cpu-microcode 1.1 removes unneeded late loading code
o plugins: os-haproxy 4.5[4]
o pluginsL os-tailscale 1.2[5]
o src: FreeBSD 14.2-RELEASE[6]
o src: p9fs: add an implementation of the 9P filesystem
o ports: lighttpd 1.4.77[7]
o ports: openvpn 2.6.13[8]
o ports: php 8.3.15[9]
o ports: radvd 2.20[10]

Migration notes, known issues and limitations:

o The access management was rewritten in MVC and contains behavioural changes including not rendering UNIX accounts for non-shell users. The integrated authentication via PAM has been the default for a long time so the option to disable it has been removed. The manual LDAP importer is no longer available since LDAP/RADIUS authenticators support on-demand creation and default group setup option. The "page-system-groupmanager-addprivs" privilege was removed since the page does not exist anymore. A multi-purpose privilege editor has been added under the existing "page-system-usermanager-addprivs" instead.
o PPP devices can no longer be configured on the interface settings page. To edit the device settings use the native PPP device edit page instead.
o FreeBSD 14.2 comes with the stock pf(4) behaviour regarding ICMPv6 neighbour discovery state tracking which was avoided so far in 24.7.x.
o Let's Encrypt ends support for the OCSP Must Staple extension on 30.01.2025. Issuance requests will fail if this option is still enabled past this date.

The public key for the 25.1 series is:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsnbyFjWXvUcUC4BqnQ9w
uH3yiaG7AY8UzwepXf2TqqOYt5Y0USbse3OBjxYnRs0iW5EHtdKSRcmelup374Hp
XDDeQ/mjmhhnvXryfQL57gyVpYeL5gRVhf/2DwEZELLCFUFhMNh52QPaJ5zTvdws
m1Q+OwI1WfTDR7ytm+0Too2tVerG3mM3XataZ+XOKwHp2xP0Mr8E4F+PZdR4hWbb
yC2elIzICXDWWpcEEg4JT48TIYZJPGnE2IJAzWRntrqVU2eLcEn5MffwTawXNoCZ
mvLYqguYskmeR/dAL7ZmZcPeMeibXMtld8xIZp49g7DPq7PqxCY1wxcgeuZPFOHv
kbYzL3BHbyni3K/qdLXKzy8oZeUUvlbUgaj8Xx14DSiNzJDknNf0Xg/eby7MkzgP
eUXgtB0MRQMih85BfaiH5r+uQMgPKnjutVWR8qUWglxDKIc4s69b8PXylfu2FwiP
iKMBdO8xnVvNFKOkuaUtI31cqxauw2hBAlILFvltM+adUz2rfB3Ch0bjfjDE5Hxq
En4fEUVHgQCu+Ojyyy3/8RwUpsRZq05fObypyeL3E/MvlwpaOVjwvw2ozVPGi2zi
xmXemn5CbgjD3vPR9XERXrFkHTwPnIiqz53znqn34P+NGEgD1veMhZPE6OGZRu/h
IfceSaxJ/An5SUh0zr7YgOsCAwEAAQ==
-----END PUBLIC KEY-----


Stay safe,
Your OPNsense team

--
SHA256 (OPNsense-25.1-dvd-amd64.iso.bz2) = 68efe0e5c20bd5fbe42918f000685ec10a1756126e37ca28f187b2ad7e5889ca
SHA256 (OPNsense-25.1-nano-amd64.img.bz2) = a51e4499df6394042ad804daa8e376c291e8475860343a0a44d93d8c8cf4636e
SHA256 (OPNsense-25.1-serial-amd64.img.bz2) = 57c05e935790f9b2b800a19374948284889988741cfbaf6fae7600f7a4451022
SHA256 (OPNsense-25.1-vga-amd64.img.bz2) = 89fcf5bdb1d2ea2ea6ba4cdc1268ea0a1e22b944330d7bee0711c8630cc905af

[1] https://docs.opnsense.org/manual/install.html
[2] https://github.com/opnsense/plugins/blob/stable/25.1/security/acme-client/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/25.1/www/caddy/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/25.1/net/haproxy/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/25.1/security/tailscale/pkg-descr
[6] https://www.freebsd.org/releases/14.2R/relnotes/
[7] https://www.lighttpd.net/2025/1/10/1.4.77/
[8] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.13
[9] https://www.php.net/ChangeLog-8.php#8.3.15
[10] https://radvd.litech.org/