OPNsense 25.7 released

[franco]

Hi there,

For over a decade now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, fast adoption
of upstream software updates as well as clear and stable 2-Clause BSD
licensing.

25.7, nicknamed "Visionary Viper", features reusable and thoroughly
revamped frontend code, an SFTP backup plugin, experimental privilege
separation for the GUI, JSON container support for aliases, a new and
improved firewall automation GUI, performance enhancements especially
for numerous aliases being used at once, Dnsmasq DHCP support, Kea DHCPv6
support, Greek as a new language, FreeBSD 14.3 plus much more.

Download links, an installation guide[1] and the checksums for the images
can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/25.7/
o US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/25.7/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/25.7/
o South America: http://mirror.ueb.edu.ec/opnsense/releases/25.7/
o East Asia: https://mirror.ntct.edu.tw/opnsense/releases/25.7/
o Full mirror list: https://opnsense.org/download/

Here are the full patch notes:

o system: the setup wizard was rewritten using MVC/API
o system: change default DHCP use from ISC to Dnsmasq for factory reset and console port and address assignments
o system: numerous permission, ownership and directory alignments for web GUI privilege separation
o system: allow experimental feature to run web GUI privilege separated as "wwwonly" user
o system: add a banner when trying to revert the privilege separated GUI back to root at run time
o system: consistently use empty() checks on "blockbogons", "blockpriv", "dnsallowoverride" and "dnsallowoverride_exclude"
o system: change default system domain to "internal" (contributed by Self-Hosting-Group)
o system: add missing "kernel" application for remote logging
o system: remove the "optional" notion of tunables known to the system
o system: enable kernel timestamps by default
o system: allow CSR to be downloaded from System/Trust/Certificates (contributed by Gavin Chappell)
o reporting: removed the unused second argument in getSystemHealthAction()
o reporting: renamed getRRDlistAction() to getRrdListAction()
o interfaces: fix media settings write issue since 24.7 as it would not apply when "autoselect" result already matched
o interfaces: removed defunct SLAAC tracking functionality (SLAAC on WAN still works fine)
o interfaces: no longer fix improper WLAN clone naming at run time as it should be ensured by code for a long time now
o interfaces: remove the functions get_configured_carp_interface_list() and get_configured_ip_aliases_list()
o interfaces: add VIP grid formatter to hide row field content based on the set mode
o interfaces: drop redundant updates in rtsold_resolvconf.sh (contributed by Andrew Baumann)
o firewall: add expire option to external aliases to automatically cleanup tables via cron
o firewall: removed the expiretable binary use in favour of the builtin pfctl
o firewall: speed up alias functionality by using the new model caching
o firewall: consolidated ipfw/dnctl scripting and fix edge case reloads
o firewall: code cleanup and performance improvements for alias diagnostics page
o firewall: fix AttributeError: DNAME object has no attribute address on DNS fetch for aliases
o firewall: assorted UI updates for automation pages
o captive portal: make room for additional authentication profiles
o captive portal: API dispatcher is now privilege separated via "wwwonly" user and group
o dnsmasq: add optional subnet mask to "dhcp-range" to satisfy DHCP relay requirements
o dnsmasq: sync CSV export with ISC and Kea structure
o dnsmasq: add CNAME configuration option to host overrides
o dnsmasq: add ipset support
o firmware: opnsense-version: build time package variable replacements can now be read at run time
o firmware: hide community plugins by default and add a checkbox to unhide them on the same page
o firmware: introduce a new support tier 4 for development and otherwise unknown plugins
o firmware: disable the FreeBSD-kmods repository by default
o firmware: sunset mirror dns-root.de (many thanks to Alexander Lauster for maintaining it for almost a decade!)
o intrusion detection: add an override banner for custom.yaml use
o intrusion detection: add JA4 support (contributed by Maxime Thiebaut)
o isc-dhcp: show tracking IPv6 interfaces when automatically enabled and offer an explicit disable
o isc-dhcp: hide IPv4 menu items when Dnsmasq DHCP is enabled to improve out of the box experience
o isc-dhcp: add static mapping CSV export
o kea-dhcp: add DNS field to Kea DHCP4 reservations (contributed by Gtt1229)
o lang: add Greek as a new language (contributed by sopex)
o lang: make more strings translate-able (contributed by Tobias Degen)
o openvpn: the server wizard functionality has been permanently removed as it required the old wizard implementation
o openvpn: "keepalive_timeout" must be at least twice the interval value validation
o wireguard: add diagnostics and log file ACL
o backend: trigger boot template reload without using configd
o mvc: introduce generic model caching to improve operational performance
o mvc: field types quality of life improvements with new getValues() and isEqual() functions
o mvc: filed types deprecated getCurrentValue() in favour of getValue() and removed isEmptyString()
o mvc: new BaseSetField() as a parent class for several other field types and numerous new and improved unit tests
o mvc: support chown/chgrp in File and FileObject classes
o mvc: use getNodeContent() to gather grid data
o mvc: allow PortOptional=Y for IPPortField
o mvc: remove SelectOptions support for CSVListField
o ui: switch from Bootgrid to Tabulator for MVC grid rendering
o ui: numerous switches to shared base_bootgrid_table and base_apply_button use
o ui: flatten nested containers for grid inclusion
o ui: use snake_case for all API URLs and adjust ACLs accordingly
o ui: add standard HTML color input support
o ui: move tooltip load event to single-fire mode
o ui: add checkmark to SimpleActionButton as additional indicator
o ui: improve menu icons/text spacing (contributed by sopex)
o plugins: replace variables in package scripts by default
o plugins: os-acme-client 4.10[2]
o plugins: os-bind 1.34[3]
o plugins: os-crowdsec 1.0.11[4]
o plugins: os-frr 1.45[5]
o plugins: os-gdrive-backup 1.0 for Google Drive backup support
o plugins: os-grid_example 1.1 updates best practice on grid development
o plugins: os-openvpn-legacy 1.0 for legacy OpenVPN components support
o plugins: os-puppet-agent 1.2[6]
o plugins: os-strongswan-legacy 1.0 for legacy IPsec components support
o src: FreeBSD 14.3-RELEASE-p1 plus assorted stable/14 networking commits[7]

Migration notes, known issues and limitations:

o Deprecated Google Drive backups due to upstream policy changes and moved to plugins for existing users.
o API URLs registered in the default ACLs have been switched from "camelCase" to "snake_case".
o API grid return values now offer "%field" for a value description when available.  "field" will now always be the literal value from the configuration. The API previously returned a display value for some field types, but not all.
o Reverted tunables "hw.ibrs_disable" and "vm.pmap.pti" to FreeBSD defaults.  If you want these set differently, then add them with an explicit value.
o While the mirror dns-root.de has been removed it will not be stripped from a running configuration and may keep working for a while longer.  To ensure updates, however, please choose a different mirror at your own convenience.
o Moved OpenVPN legacy to plugins as a first step to deprecation.
o Moved IPsec legacy to plugins as a first step to deprecation.

The public key for the 25.7 series is:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAn9lXekbm5KcktbiWpmQf
drRC8LmAOTV9Cbdd3em6iDFFcw8vmRS7Rbo2/exxYiPCqEPxxPtUsW+g/a6fqPJp
pof5D1EHWqzPfkjRQV6ipQjm+ocJGkfbeHsp5I77L+w7om5TbPYBkOjg+iMd442d
VYxgqXmMZy+6v78ofVM+wyba0GkRymFt0qf5k5uk3Auztcfanc2Ymsc+PDdjGHQd
c9H8T0T6To8Z0xrbEXzY00IqSRkLto9Cl+xEmEAz/AiEu2WtEadOqSpDy9dsJfQg
HpBQVlGQdphj5zmkqG6JSL1Uw+02OeIXOfFWRtqgW7vMyU0IbER3hLpvh6BlsqNJ
LCPfD7F/dzDPU5LniDRRb4MrTlVpJk2h8pk7GbmJCqAyWJJZ6n3a+InPtUfl9gP5
T0d15N7myh8RLssP+TIy8hiBHtc/yK89dUahGei1xDuh0HdytRLLLWVXqgWwgXhd
9it8l8AJ/D2BtuyExpJOWx3sYvmhJiPN8phCaR2G2E+QRA2X5nHGyUw5jYpKI8Om
Q2khz1PBYcA/T5lKhM3HRFCu2HZsPKT5CEevZfUuPDXIqwx+LMFs6qqbzbGrdn1F
H6ZSlG0BWuokeyjhN2mB0Fr6kdLobmfVgZHUS7KOwcI9BdftSDbEk8kMxrQlwugh
4I1hTrAycMERbjeUKg1plx8CAwEAAQ==
-----END PUBLIC KEY-----


Stay safe and keep believing,
Your OPNsense team

--
SHA256 (OPNsense-25.7-dvd-amd64.iso.bz2) = fa4b30df3f5fd7a2b1a1b2bdfaecfe02337ee42f77e2d0ae8a60753ea7eb153e
SHA256 (OPNsense-25.7-nano-amd64.img.bz2) = f58f57da42a2a6d445b6e04780572d6e2d6d9ceaff8a9e5f7bbefd0fedeaa3c0
SHA256 (OPNsense-25.7-serial-amd64.img.bz2) = 889d81fa738d472b996008c35718278e2076d19b7bbc108f2dc04353e01766fd
SHA256 (OPNsense-25.7-vga-amd64.img.bz2) = 705e112e3c0566e6e568605173a8353a51d48074d48facf5c5831d2a0f7fb175

[1] https://docs.opnsense.org/manual/install.html
[2] https://github.com/opnsense/plugins/blob/stable/25.7/security/acme-client/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/25.7/dns/bind/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/25.7/security/crowdsec/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/25.7/net/frr/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/25.7/sysutils/puppet-agent/pkg-descr
[7] https://www.freebsd.org/releases/14.3R/relnotes/