OPNsense 25.1.11: Last maintenance release before version 25.7

The router and firewall distribution OPNsense brings final bug fixes for the 25.1 branch. Version 25.7 marks the switch to FreeBSD 14.3.

By Michael Plura

The FreeBSD-based router and firewall distribution OPNsense delivers the latest update for the 25.1 branch. At the same time, there is an RC2 for version 25.7. OPNsense, originally a fork of pfSense, now has an almost completely independent code base and recently celebrated its tenth anniversary. OPNsense 25.1 “Ultimate Unicorn” receives its eleventh and final update with patch level 11.

According to the developers, OPNsense 25.1.11 contains a number of the “latest FreeBSD SA/EN patches”. This refers to the FreeBSD Security Advisories (SA, security vulnerabilities) and the FreeBSD Errata Notices (EN, software errors). This means that OPNsense is up to date with the FreeBSD 14.2 base in terms of security and bugs. The change to the current FreeBSD 14.3 will only take place with the upcoming OPNsense 25.7.x.

Other fixes include the passing of parameters to cron(8) jobs, various dnsmasq(8) bugs and a problem with openvpn(8). The plug-ins for the universal TLS/SSL tunnel service (os-stunnel) and Zabbix (monitoring) have been improved. OpenZFS, whose development has been much faster since the merger with GNU/Linux, also requires frequent bug fixes – in this case to prevent corruption in ZFS replication streams of encrypted datasets.

Outside the FreeBSD base system, i.e., in the ports, many fixes have also been incorporated: for libxml, nss, PHP and sqlite, as well as for a local privilege escalation vulnerability in sudo(8) and a vulnerability in OpenSSL. OPNsense initially (version 15.7) offered the option of choosing between OpenSSL and the security-optimized LibreSSL from the OpenBSD project. With OPNsense 23.1, the developers removed LibreSSL from their product.

OPNsense 25.1.11 appears to have a problem, not yet completely solved, with slightly outdated versions of libuuid(3), which is part of the e2fsprogs package. OPNsense does not need this package to manage ext2/3/4 file systems, but to generate UUIDs, for example for HTTP cookies. The widely used, cloud-based Netdata in turn requires this library.

Netdata collects all telemetry data from the OPNsense firewall with per-second precision and sends it to the cloud, where it can be displayed quite nicely. If Netdata cannot be installed, the OPNsense developers recommend deactivating any additional repositories and restarting the update.

The upcoming OPNsense 25.7 will be released in July. It brings an upgrade of the FreeBSD base from version 14.2 to the current 14.3, including all improvements and bug fixes, many of which have already been incorporated into the previous version. If you would like to try out the recently published Release Candidate 2 (OPNsense 25.7-RC2), you must first install RC1, as RC2 is only available as an online update. The announcement at the bottom contains important information about a possible upcoming migration from 25.1 to 25.7, for example regarding backups to Google Drive, OpenVPN or IPsec.

The OPNsense version numbers follow a clear pattern. The free OPNsense “Basic Edition” is usually released twice a year in January and July. The version number is derived from the year and month as well as a patch level. OPNsense 25.1.11 was therefore released for the first time in January and has received 11 maintenance updates to date. Version 25.7.1 will therefore be released this month. The commercial “Business Edition” with additional plug-ins for enterprise customers will be released three months later and will not receive an update label: the upcoming free OPNsense 25.7.x will become the commercial version 25.10 in October with the same software basis.

OPNsense is an open-source firewall distribution based on the FreeBSD operating system and its packet filter pf(8), which was borrowed from OpenBSD, and is released under the truly free “2-clause BSD License”. In addition to the basic functions of a router and a firewall, OPNsense also offers a range of plug-ins that can be easily installed via the WebUI. Most of the plug-ins are free community plug-ins; the commercial version also offers plug-ins such as central management (OPNCentral), a web application firewall (OPNWAF), or a GeoIP database. A 3-year license is available from 399 euros in the web store, where hardware appliances are also offered.

(dahe)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.