OPNsense Roadmap

Planned enhancements and innovations

This is the OPNsense Roadmap, an open source, free software project supported by volunteers and businesses. We release two major versions each year, this roadmap aims to provide an insight of the direction of the project. By no means is this meant to be a detailed list. Development information, bugs and outstanding issues are available at the OPNsense page on GitHub.

Version naming

The OPNsense Roadmap version naming system consists of year.month, so the first release took place in January 2015 -> release 15.1
In the event of minor releases within the same month an extra number will be added, like 24.1.2
We plan to use a 6 months major release cycle with firm release dates. Major release versions will have code names of animals, mountains or whatever we can think of that sounds good.

Each release has a number, a code name and a release date.

NEXT RELEASE 25.1 - January 2025

= planned | = Completed

25.1

** th January 2025


Base system
PHP 8.3 *
PPP MVC conversion with all implications *
Notification improvements: banner persistent notifications *
Dashboard widget for certificates: expiration hints and delete and renew possibilities *
System: High Availability: Status MVC conversion *
Snapshot functionality for easy recovery *
API enable User and Group administration *
Reporting
RRD statistics refactoring, increases performance and maintainability *
Trust
OpenSSL legacy mode toggle, defaults to off *
Add trust settings module *
Services
Unbound: merge domain overrides into query forwarding *
VPN
VPN: IPsec: Advanced Settings - move to MVC and add some options *

LATEST RELEASE 24.7 - 25 th July 2024

= planned | = Completed

24.7

25 th July 2024


Base system
FreeBSD 14.1 *
Python 3.11 *
Replace Phalcon framework components to increase performance and lower complexity *
Settings: Logging: merge into Logging / Targets page *
System Trust migration to MVC offering API support. *
Lobby: modern dashboard replacement *
Assorted screen reader improvements *
Interfaces
Interfaces: GIF: migrate to MVC *
Interfaces: GRE: migrate to MVC *
Interfaces: Virtual IPs: Add CARP unicast support *
Interfaces: allow tracking the WAN itself in DHCPv6 mode *
Firewall
Firewall: Rules: add state-policy property to allow specific states to bind only to the originating interface for increased security *
NAT 1-to-1: migrate to MVC *
Firewall alias GUI performance improvements *
VPN
Wireguard usability improvements **
Wireguard QR code generation for mobile clients *
IPsec Connections - add dynamic VTI tunnel support *
VPN: OpenVPN: Instances - add (experimental) DCO support *
Services
dhcrelay migrate to MVC and deprecate isc-dhcrelay *
Captive Portal: add "Allow inbound" option *

Previous Releases & Accomplishments

Some history as we are proud of the rapid development and great innovation already delivered upon.

24.1

Savvy Shark

30th January 2024


Base system
OpenSSL 3 ports migration *
Suricata 7 *
System: limit /conf/config.xml access to administrators *
System: Configuration: History: migrate to MVC *
System: Configuration: Backups: Improve restore area selection offering fine grained import control for advanced users *
System: Gateways: Single: migrate to MVC *
System: Trust: Revocation: Restrict CRL's to one per CA to ease future migration *
Interfaces
Overview: migrate to MVC to allow API support and increase usability *
[new] Interfaces: Neighbors to administer static ARP and NDP entries *
Interfaces: Other Types: VXLAN: add support for non standard port numbers *
Firewall
NPTv6: migrate to MVC *
os-firewall plugin inclusion to ease API usage *
os-firewall - Add API support for port definitions in automation *
VPN
OpenVPN: Instances - add carp vhid tracking for clients. *
OpenVPN: Instances - add optional OCSP support *
Improve WireGuard kernel plugin and implement it in core *
Wireguard CARP vhid tracking support *
IPsec: Virtual Tunnel Interfaces dual stack support *
Services
KEA DHCPv4 server as alternative for isc-dhcp[4] *
Squid Web Proxy: move to plugins *

23.7

Restless Roadrunner

31 th July 2023


Base system
FreeBSD 13.2
PHP 8.2 update *
Support for Importing Encrypted Configuration Files During OPNsense Installation *
Core system
Firmware: add tier level to plugins table *
System: Configuration: Backups - persist console settings and signal users of interface mismatches *
MVC/Core - properly support multi clause search phrases *
RADIUS Authentication - Add MSCHAPv2 support *
Native gateway watcher as dpinger alarm replacement *
Interfaces
Interfaces: Diagnostics: Ping: migrate to MVC *
Interfaces: Diagnostics: Trace Route: migrate to MVC *
Interfaces: Diagnostics: Port Probe: migrate to MVC *
Interfaces: LAGG: migrate to MVC *
Services
System: Diagnostics: Services: migrate to MVC *
Services: DHCP: Leases (4+6): migrate to MVC *
Services: Unbound DNS (finalize MVC conversion) * *
Services: Intrusion Detection: Suricata Netmap API version 14 enabled
Firewall
New alias type to support firewall policies for OpenVPN users *
Improve visibility in rule overview * *
Firewall: Groups: migrate to MVC * *
VPN
VPN: OpenVPN Server - Support deferred authentication using OpenVPN 2.6.x *
VPN: OpenVPN: Connection Status: migrate to MVC *
VPN: OpenVPN Instances MVC module *
VPN: IPsec: Security Policy Database - Manual assignments linking to connection children *
 

23.1

Quintessential Quail

January 13th 2023


Base system
PHP 8.1 update *
New system status notification system *
Phpseclib 3 support for missing EC CA revocation *
Interfaces
SLAAC WAN improvements *
Firewall
Firewall alias BGP ASN type support *
Reporting
Traffic graph polling interval selection and UX *
DNS insights dashboard *
Interfaces
Packet capture MVC/API conversion *
Virtual IP MVC/API conversion *
VPN
IPsec legacy ipsec.conf to swanctl.conf migration *
IPsec MVC module using swanctl.conf layout *
Services
Unbound: DNSBL to python implementation to fluently support larger lists *
Project
Introduce tier system for plugin support levels *

22.7

Powerful Panther

Juli 28th 2022


Base system
PHP 8.x upgrade *
Phalcon upgrade *
FreeBSD 13.1
Intel QuickAssist (QAT) support *
Interfaces
Add stacked VLAN support (IEEE 802.1ad / QinQ) *
Firewall
Advanced DDos protection using syncookies *
Configurable per rule adaptive timeouts *
Services
Unbound - migrate overrides to mvc enabling API support. *

22.1

Observant Owl

January 27th 2022


Base system
FreeBSD 13
Tunables - improve visibility
Configure LAGG interface from console menu
Authentication / LDAP automatic user creation on login
Logging - switch to rfc5424 format and remove circular logging
Interfaces
VIPs now support the “no bind” option to exclude them from automatic service use when configured
Firewall
Improve alias hostname resolve performance
Improved firewall statistics
Support overload table on max new connections
VPN
Add "auto" option to peer identifier options
Change overview page to support large deployments
Remove insecure ciphers and hash methods in IPsec phase 2 entries

21.7

Noble Nightingale

July 28th 2021


Base system
Migrate bsdinstaller to bsdinstall
AXGBE 10Gbps network card driver inclusion
New audit logging to support enterprise compliance requirements
Syslog-ng TLS transport options
Translation updates
GRE/GIF consolidation
Dhclient VLAN 0 support
Overridable interface checksum settings
NTPD client mode
Encryption standard updates for config.xml export
GUI consolidation for add buttons / table layouts
Upgrade PHP to 7.4
Upgrade Python to 3.8
OpenVPN 2.5
LibreSSL 3.3
Upgrade core MVC component Phalcon to version 4
Optional automatic scheduled HA-synchronisation
Firmware Update Revamp
Firewall
Extend category filter functionality with tooltips
Support large source/destination address lists in the Traffic Shaper.
Sticky rule label support in firewall live log
Wildcard netmasks in aliases
Firewall states diagnostic API/GUI
Reporting
Improve traffic graph top-talker section
Services
Unbound custom option removal
IPv6 prefix DHCP lease registration in Unbound/Dnsmasq

21.1

Marvelous Meerkat

January 28th 2021


Base system
Fix stability and reliability issues with regard to vmx(4), vtnet(4), ixl(4), ix(4) and em(4) ethernet drivers.
Add chart.js to core components (deprecate nvd3 in the long run)
Support local trust store for various python based scripts
Extend user password page with optional OTP seed request option to ease provisioning
LibreSSL 3.2
Firewall
Alias: Add mac address type
Alias: Allow host and network exclusions using new prefix [!]
Alias: Improve validation excluding unusable internal keywords
Improve live log view filter usage
Reporting
New and improved live traffic report
Services
IDPS: New policy definition using metadata tags (e.g. drop all critical events aimed at the perimeter)
Dnsmasq DNS: Deprecate custom options
Proxy: add JSON log output type following Elastic Common Schema
Documentation
Development: add documentation for Javascript helpers
API
Add gateway status endpoint

20.7

Legendary Lion

30th July 2020


Base system
HardenedBSD 12.1
Firmware: reinstall missing plugins
OpenSSH, allow various customisable security settings
User manager: Show certificate validity
User manager: Optionally show ACL patterns
General
MVC Logging frontend support pluggable log file formats
MVC Logging remove row limitation on download
Interfaces
Replace old socket diagnostics with more advanced Netstat tree viewer
Firewall
Basic firewall api support (via additional plugin)
Traffic shaper status page rewrite
Easy accessible filters in live log.
Services
Suricata 5
Unbound + DHCPDv4: Properly support expired leases.
Unbound: Improve startup when root servers are unreachable
Unbound: Integrate Unbound plus functionality including DNS blacklisting
Documentation
Add API documentation script (eases api doc maintenance)
Explain how to API enable standard services
Code quality
PHP expand code styling to PSR-12 (https://www.php-fig.org/psr/psr-12/)

20.1

Keen Kingfisher

30th January 2020


Base system
Deprecate Python 2.7
jQuery 3.4.1
Google backup API 2.4.0
OpenSSL 1.1.1
LibreSSL 3.0
Support elliptic curve TLS certificate creation
PSR 12 coding style
Logging frontend migrated to MVC / API
Interfaces
VXLAN support
Support for additional loopback interfaces
Firewall
Support direction and non-quick on interface rules
High availability
CARP service demotion hook
HASync only on command (legacy cleanup)
Services
Captive portal performance improvements for large setups
IPsec: add support for public key authentication
Documentation
Add documentation for all core components
Plugins
Deprecate PPPoe, L2TP, PPTP server plugins


19.7

Jazzy Jaguar

17th July 2019


Base system
LibreSSL 2.9
PHP upgrade to 7.2
Python add 3.7 to deprecate 2.7 in 2020
Tokenize2.js upgrade including sortable feature
Bootstrap 3.4.1 security upgrade
Squid 4
General
Spanish translation
Core system extend PAM support
Convert python 2.7 scripts to 3.7 for all core components
Gateways influence default switching order by weight
Support LDAP group synchronisation to enforce remote configured policies
Syslog-ng integration supporting both udp and tcp targets
High availability
More fluent switching into maintenance mode when using CARP
XML-RPC synchronise carp relevant ip aliases to backup node
Firewall
Firewall rule statistics
Firewall insights in generated rules
Firewall aliases, export + import functions
VPN
IPsec Route based mode (VTI)
IPsec switch to PAM for authentication
OpenVPN export add Microsoft certificate store option
OpenVPN server improve input validation to prevent wrong certificate type selection
OpenVPN server support static-challenge formatted passwords
Services
Suricata eve logging over syslog
Suricata improve rule toggle actions
Unbound add aliases in host overrides

19.1

Inspiring Iguana

January 31th 2019


Fully functional firewall alias API
PIE firewall shaper support
firewall NAT rule logging support
WPAD / PAC and parent proxy support in the web proxy
API enabled OpenVPN client export utility
ET Pro Telemetry edition plugin
2FA via LDAP-TOTP combination
P12 certificate export with custom passwords
Dnsmasq DNSSEC support
HardenedBSD 11.2
extended IPv6 DUID support
Influence default gateway switching order by weight

18.7

"Happy Hippo"

31st July 2018


 Pluggable backup modules
Nextcloud backup support
Improve multiwan support
IDS / upgrade ET-open rules to suricata 4
Remove QinQ interface type
FreeBSD Meltdown and Spectre V2 mitigations
Gateway monitoring via dpinger utility
OpenVPN support for Radius Framed-IP-Address
GUI/API hardening
Intel NIC driver updates from FreeBSD 11.2
Revive IPv6 Rapid Deployment (6RD)
IDS/IPS application detection rules
Easily accessible API docs
Monit core integration

18.1

Groovy Gecko

January 29th 2018


 Improved shared forwarding with IPv6 and tryforward support
Portable NAT before IPsec support
UTM plugins: antivirus, antispam, mail, web proxy extensions
Reverse DNS lookup API for Insight and Live Log
IDS alert log improvements
UI layout improvements and consolidation
Local group restriction feature in OpenVPN and IPsec
OpenVPN multi-remote support for clients
Debug kernel support
FreeBSD 11.1
LibreSSL 2.6
PHP 7.1
jQuery 3.2.1
pluggable NAT rules

17.7
Free Fox
31 Julyth 2017

 

 HardenedBSD SafeStack for base applications and selected ports
RFC 2136 and Dynamic DNS services as plugins
HardenedBSD procfs hardening
Interface code speedup
Completed translations for Chinese, Czech, Portuguese (Portugal), Portuguese (Brazil), German
CARP preempt

17.1
Eclectic Eagle
January 31th 2017


 CSRF replacement for static PHP pages
 Pluggable firewall rules
PHP 7.0
FreeBSD 11
PAM support for OPNsense authentication system
Incorporate HardenedBSD's SEGVGUARD
Position Independent Executables
 Pluggable authentication
 Extensions on the mvc model, like referential checks
 Phalcon 3.0
 installer per SSH
Unit tests for main mvc parts
Single-slice Nano with auto-resize after first boot
Lets Encrypt plugin
Tinc plugin -full mesh routing for virtual private networks
Load Balancer, UPnP, SNMP, IGMP, WOL as plugins

16.7
Dancing Dolphin
July 28th 2016


 Pluggable service infrastructure
Remove PPPoE, L2TP and PPTP servers from base installation
OpenVPN, add server specific client overrides
RFC 4638 support (MTU > 1492 in PPPoE)
HTTPS proxy support
Restyle services section
Add traffic analysis and netflow export
Active Queue Management (AQM): Controlled delay (CoDel) and FlowQueue-CoDel
PPTP, L2TP and PPPoE Servers ported to MPD5
Documentation for all major features
Dashboard feature revamp
Two factor authentication using RFC 6238
Virtual machine disk images build options
Pluggable interface infrastructure
Japanese and Russian translations completed
Firmware Improvements and development/stable versions
Cron GUI and API
FreeBSD 10.3
HardenedBSD's ASLR implementation
UEFI/GPT boot
IDS reporting enhancements

16.1
Crafty Coyote
January 28th 2016

Plugin support
-- Replace ACL
-- Extensible menu system
-- Build framework and repository
-- GUI plugin management
OpenVPN/IPSec pages rework
Firewall pages rework
Firmware mirror location and crypto selection
Replace RRD frontend using a modern alternative
Crash reporter revamp for direct problem submissions
Rewrite the captive portal application using new framework components
Implement API session handling to make use of the already build (RESTful) services
IPS
Menu/navigation restructuring
Switch to FreeBSD 10.2
Quick navigation feature

15.7
Brave Badger
July 2nd 2015

Base proxy support
Base IDS support
OpenSSH/OpenSSL updates via ports
Support both OpenSSL and LibreSSL
pfSense config importer (for versions ≤ 2.1.5)
BSDinstaller support for embedded installations
Move to FreeBSD 10.1 for long term support
Support Base upgrade
Initial implementation of MVC framework
Code refactoring
Replace backend service (check_reload_status) with new configurable configd system
OpenVPN client exporter

15.1
Ascending Albatross
January 5th 2015

Feature enhancements
Limited additional features
Code cleanup