OPNsense Roadmap
Planned enhancements and innovations
This is the OPNsense Roadmap. OPNsense is an open source, free software project supported by volunteers and businesses. We release two major versions each year, and this roadmap aims to provide insight into the direction of the project. By no means is this meant to be a detailed list. Development information, bugs and outstanding issues are available at the OPNsense page on GitHub.
Version naming
The OPNsense Roadmap version naming system consists of year.month: the first release took place in January 2015, so it is release 15.1.
In the event of minor releases within the same month, an extra number will be added, like 24.1.2.
We plan to use a 6-month major release cycle with firm release dates. Major release versions will have code names of animals, mountains or whatever we can think of that sounds good.
Each release has a number, a code name and a release date.
NEXT RELEASE 25.1 - January 2025
25.1 ** th January 2025
Base system PHP 8.3 * PPP MVC conversion with all implications * Notification improvements: banner persistent notifications * Dashboard widget for certificates: expiration hints and delete and renew possibilities * System: High Availability: Status MVC conversion * Snapshot functionality for easy recovery * API enable User and Group administration * Reporting RRD statistics refactoring, increases performance and maintainability * Trust OpenSSL legacy mode toggle, defaults to off * Add trust settings module * Services Unbound: merge domain overrides into query forwarding * VPN VPN: IPsec: Advanced Settings - move to MVC and add some options
LATEST RELEASE 24.7 - 25th July 2024
24.7 25th July 2024
Base system FreeBSD 14.1 * Python 3.11 * Replace Phalcon framework components to increase performance and lower complexity * Settings: Logging: merge into Logging / Targets page * System Trust migration to MVC offering API support. * Lobby: modern dashboard replacement * Assorted screen reader improvements * Interfaces Interfaces: GIF: migrate to MVC * Interfaces: GRE: migrate to MVC * Interfaces: Virtual IPs: Add CARP unicast support * Interfaces: allow tracking the WAN itself in DHCPv6 mode * Firewall Firewall: Rules: add state-policy property to allow specific states to bind only to the originating interface for increased security * NAT 1-to-1: migrate to MVC * Firewall alias GUI performance improvements * VPN Wireguard usability improvements * Wireguard QR code generation for mobile clients * IPsec Connections - add dynamic VTI tunnel support * VPN: OpenVPN: Instances - add (experimental) DCO support * Services dhcrelay migrate to MVC and deprecate isc-dhcrelay * Captive Portal: add "Allow inbound" option
Previous Releases & Accomplishments
Some history as we are proud of the rapid development and great innovation already delivered upon.
24.1 Savvy Shark 30th January 2024
Base system OpenSSL 3 ports migration * Suricata 7 * System: limit /conf/config.xml access to administrators * System: Configuration: History: migrate to MVC * System: Configuration: Backups: Improve restore area selection offering fine-grained import control for advanced users * System: Gateways: Single: migrate to MVC * System: Trust: Revocation: Restrict CRLs to one per CA to ease future migration * Interfaces Overview: migrate to MVC to allow API support and increase usability * [new] Interfaces: Neighbors to administer static ARP and NDP entries * Interfaces: Other Types: VXLAN: add support for non-standard port numbers * Firewall NPTv6: migrate to MVC * os-firewall plugin inclusion to ease API usage * os-firewall - Add API support for port definitions in automation * VPN OpenVPN: Instances - add CARP vhid tracking for clients. * OpenVPN: Instances - add optional OCSP support * Improve WireGuard kernel plugin and implement it in core * Wireguard CARP vhid tracking support * IPsec: Virtual Tunnel Interfaces dual stack support * Services KEA DHCPv4 server as alternative for isc-dhcp[4] * Squid Web Proxy: move to plugins
23.7 Restless Roadrunner 31st July 2023
Base system FreeBSD 13.2 * PHP 8.2 update * Support for Importing Encrypted Configuration Files During OPNsense Installation * Core system Firmware: add tier level to plugins table * System: Configuration: Backups - persist console settings and signal users of interface mismatches * MVC/Core - properly support multi clause search phrases * RADIUS Authentication - Add MSCHAPv2 support * Native gateway watcher as dpinger alarm replacement * Interfaces Interfaces: Diagnostics: Ping: migrate to MVC * Interfaces: Diagnostics: Trace Route: migrate to MVC * Interfaces: Diagnostics: Port Probe: migrate to MVC * Interfaces: LAGG: migrate to MVC * Services System: Diagnostics: Services: migrate to MVC * Services: DHCP: Leases (4+6): migrate to MVC * Services: Unbound DNS (finalize MVC conversion) * Services: Intrusion Detection: Suricata Netmap API version 14 enabled * Firewall New alias type to support firewall policies for OpenVPN users * Improve visibility in rule overview * Firewall: Groups: migrate to MVC * VPN VPN: OpenVPN Server - Support deferred authentication using OpenVPN 2.6.x * VPN: OpenVPN: Connection Status: migrate to MVC * VPN: OpenVPN Instances MVC module * VPN: IPsec: Security Policy Database - Manual assignments linking to connection children
23.1 Quintessential Quail January 13th 2023
Base system PHP 8.1 update * New system status notification system * Phpseclib 3 support for missing EC CA revocation * Interfaces SLAAC WAN improvements * Firewall Firewall alias BGP ASN type support * Reporting Traffic graph polling interval selection and UX * DNS insights dashboard * Interfaces Packet capture MVC/API conversion * Virtual IP MVC/API conversion * VPN IPsec legacy ipsec.conf to swanctl.conf migration * IPsec MVC module using swanctl.conf layout * Services Unbound: DNSBL to Python implementation to fluently support larger lists * Project Introduce tier system for plugin support levels
22.7 Powerful Panther July 28th 2022
Base system PHP 8.x upgrade * Phalcon upgrade * FreeBSD 13.1 Intel QuickAssist (QAT) support * Interfaces Add stacked VLAN support (IEEE 802.1ad / QinQ) * Firewall Advanced DDoS protection using syncookies * Configurable per rule adaptive timeouts * Services Unbound - migrate overrides to MVC enabling API support.
22.1 Observant Owl January 27th 2022
Base system FreeBSD 13 Tunables - improve visibility Configure LAGG interface from console menu Authentication / LDAP automatic user creation on login Logging - switch to RFC 5424 format and remove circular logging Interfaces VIPs now support the “no bind” option to exclude them from automatic service use when configured Firewall Improve alias hostname resolve performance Improved firewall statistics Support overload table on max new connections VPN Add "auto" option to peer identifier options Change overview page to support large deployments Remove insecure ciphers and hash methods in IPsec phase 2 entries
21.7 Noble Nightingale July 28th 2021
Base system Migrate bsdinstaller to bsdinstall AXGBE 10Gbps network card driver inclusion New audit logging to support enterprise compliance requirements Syslog-ng TLS transport options Translation updates GRE/GIF consolidation Dhclient VLAN 0 support Overridable interface checksum settings NTPD client mode Encryption standard updates for config.xml export GUI consolidation for add buttons / table layouts Upgrade PHP to 7.4 Upgrade Python to 3.8 OpenVPN 2.5 LibreSSL 3.3 Upgrade core MVC component Phalcon to version 4 Optional automatic scheduled HA-synchronisation Firmware Update Revamp Firewall Extend category filter functionality with tooltips Support large source/destination address lists in the Traffic Shaper. Sticky rule label support in firewall live log Wildcard netmasks in aliases Firewall states diagnostic API/GUI Reporting Improve traffic graph top-talker section Services Unbound custom option removal IPv6 prefix DHCP lease registration in Unbound/Dnsmasq
21.1 Marvelous Meerkat January 28th 2021
Base system Fix stability and reliability issues with regard to vmx(4), vtnet(4), ixl(4), ix(4) and em(4) ethernet drivers. Add chart.js to core components (deprecate nvd3 in the long run) Support local trust store for various Python based scripts Extend user password page with optional OTP seed request option to ease provisioning LibreSSL 3.2 Firewall Alias: Add MAC address type Alias: Allow host and network exclusions using new prefix [!] Alias: Improve validation excluding unusable internal keywords Improve live log view filter usage Reporting New and improved live traffic report Services IDPS: New policy definition using metadata tags (e.g. drop all critical events aimed at the perimeter) Dnsmasq DNS: Deprecate custom options Proxy: add JSON log output type following Elastic Common Schema Documentation Development: add documentation for JavaScript helpers API Add gateway status endpoint
20.7 Legendary Lion 30th July 2020
Base system HardenedBSD 12.1 Firmware: reinstall missing plugins OpenSSH, allow various customisable security settings User manager: Show certificate validity User manager: Optionally show ACL patterns General MVC Logging frontend support pluggable log file formats MVC Logging remove row limitation on download Interfaces Replace old socket diagnostics with more advanced Netstat tree viewer Firewall Basic firewall API support (via additional plugin) Traffic shaper status page rewrite Easy accessible filters in live log. Services Suricata 5 Unbound + DHCPDv4: Properly support expired leases. Unbound: Improve startup when root servers are unreachable Unbound: Integrate Unbound plus functionality including DNS blacklisting Documentation Add API documentation script (eases API doc maintenance) Explain how to API enable standard services Code quality PHP expand code styling to PSR-12 (https://www.php-fig.org/psr/psr-12/)
20.1 Keen Kingfisher 30th January 2020
Base system Deprecate Python 2.7 jQuery 3.4.1 Google backup API 2.4.0 OpenSSL 1.1.1 LibreSSL 3.0 Support elliptic curve TLS certificate creation PSR 12 coding style Logging frontend migrated to MVC / API Interfaces VXLAN support Support for additional loopback interfaces Firewall Support direction and non-quick on interface rules High availability CARP service demotion hook HASync only on command (legacy cleanup) Services Captive portal performance improvements for large setups IPsec: add support for public key authentication Documentation Add documentation for all core components Plugins Deprecate PPPoE, L2TP, PPTP server plugins
19.7 Jazzy Jaguar 17th July 2019
Base system LibreSSL 2.9 PHP upgrade to 7.2 Python add 3.7 to deprecate 2.7 in 2020 Tokenize2.js upgrade including sortable feature Bootstrap 3.4.1 security upgrade Squid 4 General Spanish translation Core system extend PAM support Convert Python 2.7 scripts to 3.7 for all core components Gateways influence default switching order by weight Support LDAP group synchronisation to enforce remote configured policies Syslog-ng integration supporting both UDP and TCP targets High availability More fluent switching into maintenance mode when using CARP XML-RPC synchronise CARP relevant IP aliases to backup node Firewall Firewall rule statistics Firewall insights in generated rules Firewall aliases, export + import functions VPN IPsec Route based mode (VTI) IPsec switch to PAM for authentication OpenVPN export add Microsoft certificate store option OpenVPN server improve input validation to prevent wrong certificate type selection OpenVPN server support static-challenge formatted passwords Services Suricata eve logging over syslog Suricata improve rule toggle actions Unbound add aliases in host overrides
19.1 Inspiring Iguana January 31st 2019
Fully functional firewall alias API PIE firewall shaper support firewall NAT rule logging support WPAD / PAC and parent proxy support in the web proxy API enabled OpenVPN client export utility ET Pro Telemetry edition plugin 2FA via LDAP-TOTP combination P12 certificate export with custom passwords Dnsmasq DNSSEC support HardenedBSD 11.2 extended IPv6 DUID support Influence default gateway switching order by weight
18.7 "Happy Hippo" 31st July 2018
Pluggable backup modules Nextcloud backup support Improve multiwan support IDS / upgrade ET-open rules to Suricata 4 Remove QinQ interface type FreeBSD Meltdown and Spectre V2 mitigations Gateway monitoring via dpinger utility OpenVPN support for Radius Framed-IP-Address GUI/API hardening Intel NIC driver updates from FreeBSD 11.2 Revive IPv6 Rapid Deployment (6RD) IDS/IPS application detection rules Easily accessible API docs Monit core integration
18.1 Groovy Gecko January 29th 2018
Improved shared forwarding with IPv6 and tryforward support Portable NAT before IPsec support UTM plugins: antivirus, antispam, mail, web proxy extensions Reverse DNS lookup API for Insight and Live Log IDS alert log improvements UI layout improvements and consolidation Local group restriction feature in OpenVPN and IPsec OpenVPN multi-remote support for clients Debug kernel support FreeBSD 11.1 LibreSSL 2.6 PHP 7.1 jQuery 3.2.1 pluggable NAT rules
17.7
HardenedBSD SafeStack for base applications and selected ports
17.1
CSRF replacement for static PHP pages Pluggable firewall rules PHP 7.0 FreeBSD 11 PAM support for OPNsense authentication system Incorporate HardenedBSD's SEGVGUARD Position Independent Executables Pluggable authentication Extensions on the MVC model, like referential checks Phalcon 3.0 installer per SSH Unit tests for main MVC parts Single-slice Nano with auto-resize after first boot Let's Encrypt plugin Tinc plugin - full mesh routing for virtual private networks Load Balancer, UPnP, SNMP, IGMP, WOL as plugins
16.7
Pluggable service infrastructure Remove PPPoE, L2TP and PPTP servers from base installation OpenVPN, add server specific client overrides RFC 4638 support (MTU > 1492 in PPPoE) HTTPS proxy support Restyle services section Add traffic analysis and netflow export Active Queue Management (AQM): Controlled delay (CoDel) and FlowQueue-CoDel PPTP, L2TP and PPPoE Servers ported to MPD5 Documentation for all major features Dashboard feature revamp Two factor authentication using RFC 6238 Virtual machine disk images build options Pluggable interface infrastructure Japanese and Russian translations completed Firmware Improvements and development/stable versions Cron GUI and API FreeBSD 10.3 HardenedBSD's ASLR implementation UEFI/GPT boot IDS reporting enhancements
16.1
Plugin support -- Replace ACL -- Extensible menu system -- Build framework and repository -- GUI plugin management OpenVPN/IPsec pages rework Firewall pages rework Firmware mirror location and crypto selection Replace RRD frontend using a modern alternative Crash reporter revamp for direct problem submissions Rewrite the captive portal application using new framework components Implement API session handling to make use of the already built (RESTful) services IPS Menu/navigation restructuring Switch to FreeBSD 10.2 Quick navigation feature
15.7
Base proxy support
15.1
Feature enhancements