New OPNsense Release

OPNsense 17.1.4 released


Dear friends and followers,

The update finally addresses one of the larger issues with IPsec in 17.1, where traffic was not properly tracked by the packet filter, causing spurious connection drops in TCP sessions. Another cool addition is the merge of the HardenedBSD SafeStack work to further harden our operating system application binaries.

Last but not least, the switch to the new virtual terminal driver is now fully functional and we intend to release new images based on 17.1.4 on Monday next week. Note this does not affect running installations.

Upgrading from a physical console may abort the firmware update due to an incompatible switch in the TTY settings. Simply log in again and restart the update to continue. Note this does not affect upgrades via GUI or SSH.

Here are the full patch notes:

  • system: early installer switched for simpler config importer
  • system: no longer set shell privileges on password reset
  • system: avoid misinterpreting obsoleted options use_mfs_tmp_size and use_mfs_var_size
  • system: do not prompt for password on user edit
  • system: modernise console/tty settings
  • interfaces: always wait for dhclient exit
  • firewall: handle scheduled restarts via new plugin_cron() facility
  • traffic shaper: exclude IP address when using 3G/4G modems
  • dnsmasq: configure exclusively via plugin calls
  • ipsec: remove filtertunnel workaround in light of bundled kernel fix
  • ipsec: fix missing CA selection for mutual RSA
  • ipsec: require authentication header as first file
  • ipsec: include path consolidation
  • openvpn: allow tunnel network overrides to contain host addresses
  • openvpn: take client IP for topology subnet in CSC
  • openvpn: include patch consolidation
  • unbound: configure exclusively via plugin calls
  • web proxy: harden SSL ciphers (contributed by Fabian Franz)
  • mvc: fix multiple scoping issues in base volt templates
  • lang: updates for Chinese, Czech, French, German, Portuguese
  • plugins: Let’s Encrypt 1.4[1][2] (contributed by Felix Kling and Frank Wall)
  • plugins: HAproxy 1.13[3] (contributed by Frank Wall)
  • src: tzdata version 2017b[4]
  • src: HardenedBSD SafeStack for base applications[5]
  • src: fix IPsec skip parameter handling in IPv4
  • src: discard 3072 bytes in arc4_stir() (contributed by Codarren Velvindron)
  • ports: ca_root_nss 3.30
  • ports: php 7.0.17[6]
  • ports: libarchive 3.3.1
  • ports: ntp 4.2.8p10[7]

Stay safe,
Your OPNsense team


[1] https://github.com/opnsense/plugins/pull/91
[2] https://github.com/opnsense/plugins/pull/103
[3] https://github.com/opnsense/plugins/pull/94
[4] http://mm.icann.org/pipermail/tz-announce/2017-March/000046.html
[5] https://hardenedbsd.org/article/shawn-webb/2016-11-27/introducing-safestack
[6] http://php.net/ChangeLog-7.php#7.0.17
[7] https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ChangeLog-stable