New OPNsense Release

Hey everyone,

Now that we got the chance to ship not one, but two OpenSSL bumps at the same time, we barely missed the LibreSSL updates. That is life. But we still have a few great things to offer this week.

First and foremost, users noted that the captive portal did not work with the transparent proxy. This led to an internal investigation into the operating system kernel itself, where a number of issues with using several packet filters in a row can lead to shortcuts in packet paths through the networking stack.

This circled back to a simple fix for the captive portal: you can now edit each zone to enable the proxy for HTTP (port 3128) or HTTPS (port 3129) for captive portal use without requiring the firewall redirect. You only have to make sure you actually have your captive portal interface set up as an interface in the proxy.
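Since the zone-level proxy setting only works when the proxy actually listens on the captive portal interface, a quick check is to confirm that both proxy ports are bound to that interface's address. The script below is an added example and not part of the OPNsense release or its code; it assumes the proxy is Squid and parses FreeBSD sockstat(1)-style output (the listing embedded here is constructed sample data, with 192.168.100.1 standing in for a captive portal interface and 10.0.0.1 for an interface where only HTTP was enabled). On a live system you would feed it `sockstat -4l` output instead of the sample.

```shell
#!/bin/sh
# Added example (not OPNsense project code). Assumes Squid as the proxy and
# the column layout of FreeBSD's sockstat(1); the sample output is constructed.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
squid    squid      1234  12 tcp4   192.168.100.1:3128    *:*
squid    squid      1234  13 tcp4   192.168.100.1:3129    *:*
squid    squid      1234  14 tcp4   10.0.0.1:3128         *:*'

# proxy_bound <sockstat output> <ip> <port>
# Returns 0 when a listener exists on exactly ip:port (sixth column).
proxy_bound() {
  printf '%s\n' "$1" | awk -v want="$2:$3" '$6 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# check_zone_proxy <zone interface ip> <sockstat output>
# Verifies the HTTP (3128) and HTTPS (3129) proxy ports from the announcement
# are both bound on the captive portal interface; returns non-zero if any is missing.
check_zone_proxy() {
  ip=$1; out=$2; rc=0
  for port in 3128 3129; do
    if proxy_bound "$out" "$ip" "$port"; then
      echo "ok: proxy listening on $ip:$port"
    else
      echo "MISSING: no proxy listener on $ip:$port (add the interface in the proxy settings)"
      rc=1
    fi
  done
  return $rc
}

# Stand-alone demonstration against the constructed sample; on a real box use:
#   check_zone_proxy <portal-ip> "$(sockstat -4l)"
check_zone_proxy 192.168.100.1 "$SAMPLE_SOCKSTAT"
```

The awk match is on the full `address:port` string rather than a substring, so a listener on a different interface (or on `*:3128`) does not produce a false pass for the zone being checked.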

We will continue to look into the remaining kernel issues and give updates and calls for testing when we reach new milestones.

In other news, both OpenVPN and IPsec received several improvements for interoperability and the occasional bug with the missing firewall rules tab for their respective interfaces.

Here are the full patch notes:

  • captive portal: handle transparent proxy from within the zone configuration
  • openvpn: adapt to cipher output changes in OpenVPN 2.3.12
  • openvpn: improve plugin probing for virtual interface
  • openvpn: added missing IPv6 tunnel network to overrides
  • ipsec: human-readable format of authentication method in overview
  • ipsec: refine behaviour of enable/apply on main page
  • ipsec: deduplicate leftsubnet/rightsubnet for meshed IKEv2
  • ipsec: more elegant interface and service plugging
  • ipsec: added unmeshed “tunnel isolation” mode for IKEv2
  • ipsec: cleanup pass over backend code
  • ipsec: allow Camellia for IKEv2
  • ipsec: allow %any in phase 1
  • ipsec: allow EAP-MSCHAPV2
  • system: load if_bridge on boot to correctly set its sysctl values
  • system: do not explicitly call plugins_interfaces() anymore
  • services: DNS resolver translation fixes (contributed by Fabian Franz)
  • services: fix a race in the DynDNS widget display
  • ports: curl 7.50.3[1], sudo 1.8.18[2], php 5.6.26[3], openssl 1.0.2j[4][5]
  • src: Multiple OpenSSL vulnerabilities[6]
  • src: updated tzdata to 2016f[7]

Stay safe,
Your OPNsense team


[1] https://curl.haxx.se/mail/lib-2016-09/0040.html
[2] https://www.sudo.ws/stable.html#1.8.18
[3] http://php.net/ChangeLog-5.php#5.6.26
[4] https://www.openssl.org/news/secadv/20160922.txt
[5] https://www.openssl.org/news/secadv/20160926.txt
[6] https://www.freebsd.org/security/advisories/FreeBSD-SA-16:26.openssl.asc
[7] http://mm.icann.org/pipermail/tz-announce/2016-July/000040.html