OPNsense Roadmap

Planned enhancements and innovations

This is the OPNsense Roadmap, an open source, free software project supported by volunteers and businesses. We release two major versions each year, this roadmap aims to provide an insight of the direction of the project. By no means is this meant to be a detailed list. Development information, bugs and outstanding issues are available at the OPNsense page on GitHub.

Version naming

The OPNsense Roadmap version naming system consists of year.month, so the first release took place in January 2015 -> release 15.1
In the event of minor releases within the same month an extra number will be added, like 24.1.2
We plan to use a 6 months major release cycle with firm release dates. Major release versions will have code names of animals, mountains or whatever we can think of that sounds good.

Each release has a number, a code name and a release date.

NEXT RELEASE 24.7 - July 2024

= planned | = Completed



July 2024

Base system
FreeBSD 14.1 *
PHP 8.3 *
Python 3.11 *
Replace Phalcon framework components to increase performance and lower complexity *
Settings: Logging: merge into Logging / Targets page *
System Trust migration to MVC offering API support. *
Interfaces: GIF: migrate to MVC *
Interfaces: GRE: migrate to MVC *
Interfaces: Virtual IPs: Add CARP unicast support *
Firewall: Rules: add state-policy property to allow specific states to bind only to the originating interface for increased security *
NAT 1-to-1: migrate to MVC *
Wireguard usability improvements **
Wireguard QR code generation for mobile clients *
IPsec Connections - add dynamic VTI tunnel support *
VPN: OpenVPN: Instances - add (experimental) DCO support *
Unbound merge domain overrides into query forwarding *
dhcrelay migrate to MVC and deprecate isc-dhcrelay *

LATEST RELEASE 24.1 - 30th January 2024

= planned | = Completed


Savvy Shark

30th January 2024

Base system
OpenSSL 3 ports migration *
Suricata 7 *
System: limit /conf/config.xml access to administrators *
System: Configuration: History: migrate to MVC *
System: Configuration: Backups: Improve restore area selection offering fine grained import control for advanced users *
System: Gateways: Single: migrate to MVC *
System: Trust: Revocation: Restrict CRL's to one per CA to ease future migration *
Overview: migrate to MVC to allow API support and increase usability *
[new] Interfaces: Neighbors to administer static ARP and NDP entries *
Interfaces: Other Types: VXLAN: add support for non standard port numbers *
NPTv6: migrate to MVC *
os-firewall plugin inclusion to ease API usage *
os-firewall - Add API support for port definitions in automation *
OpenVPN: Instances - add carp vhid tracking for clients. *
OpenVPN: Instances - add optional OCSP support *
Improve WireGuard kernel plugin and implement it in core *
Wireguard CARP vhid tracking support *
IPsec: Virtual Tunnel Interfaces dual stack support *
KEA DHCPv4 server as alternative for isc-dhcp[4] *
Squid Web Proxy: move to plugins *

Previous Releases & Accomplishments

Some history as we are proud of the rapid development and great innovation already delivered upon.


Restless Roadrunner

31 th July 2023

Base system
FreeBSD 13.2
PHP 8.2 update *
Support for Importing Encrypted Configuration Files During OPNsense Installation *
Core system
Firmware: add tier level to plugins table *
System: Configuration: Backups - persist console settings and signal users of interface mismatches *
MVC/Core - properly support multi clause search phrases *
RADIUS Authentication - Add MSCHAPv2 support *
Native gateway watcher as dpinger alarm replacement *
Interfaces: Diagnostics: Ping: migrate to MVC *
Interfaces: Diagnostics: Trace Route: migrate to MVC *
Interfaces: Diagnostics: Port Probe: migrate to MVC *
Interfaces: LAGG: migrate to MVC *
System: Diagnostics: Services: migrate to MVC *
Services: DHCP: Leases (4+6): migrate to MVC *
Services: Unbound DNS (finalize MVC conversion) * *
Services: Intrusion Detection: Suricata Netmap API version 14 enabled
New alias type to support firewall policies for OpenVPN users *
Improve visibility in rule overview * *
Firewall: Groups: migrate to MVC * *
VPN: OpenVPN Server - Support deferred authentication using OpenVPN 2.6.x *
VPN: OpenVPN: Connection Status: migrate to MVC *
VPN: OpenVPN Instances MVC module *
VPN: IPsec: Security Policy Database - Manual assignments linking to connection children *


Quintessential Quail

January 13th 2023

Base system
PHP 8.1 update *
New system status notification system *
Phpseclib 3 support for missing EC CA revocation *
SLAAC WAN improvements *
Firewall alias BGP ASN type support *
Traffic graph polling interval selection and UX *
DNS insights dashboard *
Packet capture MVC/API conversion *
Virtual IP MVC/API conversion *
IPsec legacy ipsec.conf to swanctl.conf migration *
IPsec MVC module using swanctl.conf layout *
Unbound: DNSBL to python implementation to fluently support larger lists *
Introduce tier system for plugin support levels *


Powerful Panther

Juli 28th 2022

Base system
PHP 8.x upgrade *
Phalcon upgrade *
FreeBSD 13.1
Intel QuickAssist (QAT) support *
Add stacked VLAN support (IEEE 802.1ad / QinQ) *
Advanced DDos protection using syncookies *
Configurable per rule adaptive timeouts *
Unbound - migrate overrides to mvc enabling API support. *


Observant Owl

January 27th 2022

Base system
FreeBSD 13
Tunables - improve visibility
Configure LAGG interface from console menu
Authentication / LDAP automatic user creation on login
Logging - switch to rfc5424 format and remove circular logging
VIPs now support the “no bind” option to exclude them from automatic service use when configured
Improve alias hostname resolve performance
Improved firewall statistics
Support overload table on max new connections
Add "auto" option to peer identifier options
Change overview page to support large deployments
Remove insecure ciphers and hash methods in IPsec phase 2 entries


Noble Nightingale

July 28th 2021

Base system
Migrate bsdinstaller to bsdinstall
AXGBE 10Gbps network card driver inclusion
New audit logging to support enterprise compliance requirements
Syslog-ng TLS transport options
Translation updates
GRE/GIF consolidation
Dhclient VLAN 0 support
Overridable interface checksum settings
NTPD client mode
Encryption standard updates for config.xml export
GUI consolidation for add buttons / table layouts
Upgrade PHP to 7.4
Upgrade Python to 3.8
OpenVPN 2.5
LibreSSL 3.3
Upgrade core MVC component Phalcon to version 4
Optional automatic scheduled HA-synchronisation
Firmware Update Revamp
Extend category filter functionality with tooltips
Support large source/destination address lists in the Traffic Shaper.
Sticky rule label support in firewall live log
Wildcard netmasks in aliases
Firewall states diagnostic API/GUI
Improve traffic graph top-talker section
Unbound custom option removal
IPv6 prefix DHCP lease registration in Unbound/Dnsmasq


Marvelous Meerkat

January 28th 2021

Base system
Fix stability and reliability issues with regard to vmx(4), vtnet(4), ixl(4), ix(4) and em(4) ethernet drivers.
Add chart.js to core components (deprecate nvd3 in the long run)
Support local trust store for various python based scripts
Extend user password page with optional OTP seed request option to ease provisioning
LibreSSL 3.2
Alias: Add mac address type
Alias: Allow host and network exclusions using new prefix [!]
Alias: Improve validation excluding unusable internal keywords
Improve live log view filter usage
New and improved live traffic report
IDPS: New policy definition using metadata tags (e.g. drop all critical events aimed at the perimeter)
Dnsmasq DNS: Deprecate custom options
Proxy: add JSON log output type following Elastic Common Schema
Development: add documentation for Javascript helpers
Add gateway status endpoint


Legendary Lion

30th July 2020

Base system
HardenedBSD 12.1
Firmware: reinstall missing plugins
OpenSSH, allow various customisable security settings
User manager: Show certificate validity
User manager: Optionally show ACL patterns
MVC Logging frontend support pluggable log file formats
MVC Logging remove row limitation on download
Replace old socket diagnostics with more advanced Netstat tree viewer
Basic firewall api support (via additional plugin)
Traffic shaper status page rewrite
Easy accessible filters in live log.
Suricata 5
Unbound + DHCPDv4: Properly support expired leases.
Unbound: Improve startup when root servers are unreachable
Unbound: Integrate Unbound plus functionality including DNS blacklisting
Add API documentation script (eases api doc maintenance)
Explain how to API enable standard services
Code quality
PHP expand code styling to PSR-12 (https://www.php-fig.org/psr/psr-12/)


Keen Kingfisher

30th January 2020

Base system
Deprecate Python 2.7
jQuery 3.4.1
Google backup API 2.4.0
OpenSSL 1.1.1
LibreSSL 3.0
Support elliptic curve TLS certificate creation
PSR 12 coding style
Logging frontend migrated to MVC / API
VXLAN support
Support for additional loopback interfaces
Support direction and non-quick on interface rules
High availability
CARP service demotion hook
HASync only on command (legacy cleanup)
Captive portal performance improvements for large setups
IPsec: add support for public key authentication
Add documentation for all core components
Deprecate PPPoe, L2TP, PPTP server plugins


Jazzy Jaguar

17th July 2019

Base system
LibreSSL 2.9
PHP upgrade to 7.2
Python add 3.7 to deprecate 2.7 in 2020
Tokenize2.js upgrade including sortable feature
Bootstrap 3.4.1 security upgrade
Squid 4
Spanish translation
Core system extend PAM support
Convert python 2.7 scripts to 3.7 for all core components
Gateways influence default switching order by weight
Support LDAP group synchronisation to enforce remote configured policies
Syslog-ng integration supporting both udp and tcp targets
High availability
More fluent switching into maintenance mode when using CARP
XML-RPC synchronise carp relevant ip aliases to backup node
Firewall rule statistics
Firewall insights in generated rules
Firewall aliases, export + import functions
IPsec Route based mode (VTI)
IPsec switch to PAM for authentication
OpenVPN export add Microsoft certificate store option
OpenVPN server improve input validation to prevent wrong certificate type selection
OpenVPN server support static-challenge formatted passwords
Suricata eve logging over syslog
Suricata improve rule toggle actions
Unbound add aliases in host overrides


Inspiring Iguana

January 31th 2019

Fully functional firewall alias API
PIE firewall shaper support
firewall NAT rule logging support
WPAD / PAC and parent proxy support in the web proxy
API enabled OpenVPN client export utility
ET Pro Telemetry edition plugin
2FA via LDAP-TOTP combination
P12 certificate export with custom passwords
Dnsmasq DNSSEC support
HardenedBSD 11.2
extended IPv6 DUID support
Influence default gateway switching order by weight


"Happy Hippo"

31st July 2018

 Pluggable backup modules
Nextcloud backup support
Improve multiwan support
IDS / upgrade ET-open rules to suricata 4
Remove QinQ interface type
FreeBSD Meltdown and Spectre V2 mitigations
Gateway monitoring via dpinger utility
OpenVPN support for Radius Framed-IP-Address
GUI/API hardening
Intel NIC driver updates from FreeBSD 11.2
Revive IPv6 Rapid Deployment (6RD)
IDS/IPS application detection rules
Easily accessible API docs
Monit core integration


Groovy Gecko

January 29th 2018

 Improved shared forwarding with IPv6 and tryforward support
Portable NAT before IPsec support
UTM plugins: antivirus, antispam, mail, web proxy extensions
Reverse DNS lookup API for Insight and Live Log
IDS alert log improvements
UI layout improvements and consolidation
Local group restriction feature in OpenVPN and IPsec
OpenVPN multi-remote support for clients
Debug kernel support
FreeBSD 11.1
LibreSSL 2.6
PHP 7.1
jQuery 3.2.1
pluggable NAT rules

Free Fox
31 Julyth 2017


 HardenedBSD SafeStack for base applications and selected ports
RFC 2136 and Dynamic DNS services as plugins
HardenedBSD procfs hardening
Interface code speedup
Completed translations for Chinese, Czech, Portuguese (Portugal), Portuguese (Brazil), German
CARP preempt

Eclectic Eagle
January 31th 2017

 CSRF replacement for static PHP pages
 Pluggable firewall rules
PHP 7.0
FreeBSD 11
PAM support for OPNsense authentication system
Incorporate HardenedBSD's SEGVGUARD
Position Independent Executables
 Pluggable authentication
 Extensions on the mvc model, like referential checks
 Phalcon 3.0
 installer per SSH
Unit tests for main mvc parts
Single-slice Nano with auto-resize after first boot
Lets Encrypt plugin
Tinc plugin -full mesh routing for virtual private networks
Load Balancer, UPnP, SNMP, IGMP, WOL as plugins

Dancing Dolphin
July 28th 2016

 Pluggable service infrastructure
Remove PPPoE, L2TP and PPTP servers from base installation
OpenVPN, add server specific client overrides
RFC 4638 support (MTU > 1492 in PPPoE)
HTTPS proxy support
Restyle services section
Add traffic analysis and netflow export
Active Queue Management (AQM): Controlled delay (CoDel) and FlowQueue-CoDel
PPTP, L2TP and PPPoE Servers ported to MPD5
Documentation for all major features
Dashboard feature revamp
Two factor authentication using RFC 6238
Virtual machine disk images build options
Pluggable interface infrastructure
Japanese and Russian translations completed
Firmware Improvements and development/stable versions
Cron GUI and API
FreeBSD 10.3
HardenedBSD's ASLR implementation
IDS reporting enhancements

Crafty Coyote
January 28th 2016

Plugin support
-- Replace ACL
-- Extensible menu system
-- Build framework and repository
-- GUI plugin management
OpenVPN/IPSec pages rework
Firewall pages rework
Firmware mirror location and crypto selection
Replace RRD frontend using a modern alternative
Crash reporter revamp for direct problem submissions
Rewrite the captive portal application using new framework components
Implement API session handling to make use of the already build (RESTful) services
Menu/navigation restructuring
Switch to FreeBSD 10.2
Quick navigation feature

Brave Badger
July 2nd 2015

Base proxy support
Base IDS support
OpenSSH/OpenSSL updates via ports
Support both OpenSSL and LibreSSL
pfSense config importer (for versions ≤ 2.1.5)
BSDinstaller support for embedded installations
Move to FreeBSD 10.1 for long term support
Support Base upgrade
Initial implementation of MVC framework
Code refactoring
Replace backend service (check_reload_status) with new configurable configd system
OpenVPN client exporter

Ascending Albatross
January 5th 2015

Feature enhancements
Limited additional features
Code cleanup