OPNsense 19.1 released

jan 31, 2019

OPNsense 19.1 released

Hi there,

For more than four years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

The 19.1 release, nicknamed "Inspiring Iguana", consists of a total of 620 individual changes since 18.7 came out 6 months ago, spread out over12 intermediate releases including the recent release candidates.  That is the average of 2 stable releases per month, security updates and important bug fixes included!  If we had to pick a few highlights it would be: The firewall alias API is finally in place.  The migration to HardenedBSD 11.2 has been completed.  2FA now works with a remote LDAP / local TOTP
combination.  And the OpenVPN client export was rewritten for full API support as well.

Download links, an installation guide[1] and the checksums for the images can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/19.1/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/
o South America: http://mirror.upb.edu.co/opnsense/releases/19.1/
o South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.1/
o Full mirror list: https://opnsense.org/download/

These are the most prominent changes since version 18.7:

o fully functional firewall alias API
o PIE firewall shaper support
o firewall NAT rule logging support
o 2FA via LDAP-TOTP combination
o WPAD / PAC and parent proxy support in the web proxy
o P12 certificate export with custom passwords
o Dpinger is now the default gateway monitor
o ET Pro Telemetry edition plugin[2]
o extended IPv6 DUID support
o Dnsmasq DNSSEC support
o OpenVPN client export API
o Realtek NIC driver version 1.95
o HardenedBSD 11.2, LibreSSL 2.7
o Unbound 1.8, Suricata 4.1
o Phalcon 3.4, Perl 5.28
o firmware health check extended to cover all OS files, HTTPS mirror default
o updates are browser cache-safe regarding CSS and JavaScript assets
o collapsible side bar menu in the default theme
o language updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian
o new plugins for API backup export, Bind, Hardware widget, Nginx, Ntopng, VnStat, Dnscrypt-proxy

Here are the full changes against version 19.1-RC2:

o ipsec: add firewall interface as soon as phase 1 is enabled
o ipsec: phase 1 selection GUI JavaScript compatibility fix
o monit: widget improvements and bug fix (contributed by Frank Brendel)
o ui: fix regression in single host or network subnet select in static pages
o plugins: os-frr 1.7 updates OSPF outbound rules (contributed by Fabian Franz)
o plugins: os-telegraf 1.7.4 fixes packet filter input
o plugins: os-theme-rebellion 1.8.2 adds image colour invert
o plugins: os-vnstat 1.1[3]
o plugins: os-zabbix-agent now uses Zabbix version 4.0
o src: revert mmc_calculate_clock() as HS200/HS400 support breaks legacy support
o src: update sqlite3-3.20.0 to sqlite3-3.26.0[4]
o src: import tzdata 2018h, 2018i[5]
o src: avoid unsynchronized updates to kn_status[6]
o ports: ca_root_nss 3.42
o ports: dhcp6c 20190128 prevent rawops double-free (contributed by Team Rebellion)
o ports: sudo patch to fix listpw=never[7]

Migration notes and minor incompatibilities to look out for:

o Gateway health graphs may need a manual reset due to the Apinger to Dpinger migration.  Apinger is no longer available.
o Intrusion detection GeoIP rules are automatically deactivated and need to be manually migrated to firewall alias GeoIP.
o Quagga plugin has been superseded by FRR plugin.  A binary quagga package has been conserved for the time being.
o Please read the FRR documentation with regard to the required system tunables[8].
o Bhyve UEFI boot may fail as a guest.  The problem is being investigated.
o SNMP plugin has been superseded by Net-SNMP plugin.

The public key for the 19.1 series is:

-----END PUBLIC KEY-----

Stay safe,
Your OPNsense team

[1] https://docs.opnsense.org/manual/install.html
[2] https://docs.opnsense.org/manual/etpro_telemetry.html
[3] https://github.com/opnsense/plugins/blob/master/net/vnstat/pkg-descr
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:03.sqlite.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:04.tzdata.asc
[6] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:05.kqueue.asc
[7] https://bugzilla.sudo.ws/show_bug.cgi?id=869
[8] https://docs.opnsense.org/manual/dynamic_routing.html

SHA256 (OPNsense-19.1-OpenSSL-dvd-amd64.iso.bz2) = a9e02954da1ddd1f0b7673394bbf81cfa74a1d5378600a87d3a9e6a26d3104d
SHA256 (OPNsense-19.1-OpenSSL-nano-amd64.img.bz2) = 2c4b0056ca26053c8d5e4efe196e512af618bad4fa136ba0e2528083a6263528
SHA256 (OPNsense-19.1-OpenSSL-serial-amd64.img.bz2) = c71274cea2b910cd4b3454b4ad29f7f70503fcb52ffa5b7f65ea96a27ac9e10d
SHA256 (OPNsense-19.1-OpenSSL-vga-amd64.img.bz2) = 37164481a413716d8786676d30bb709f8b967e53a47a36d10118214304d14bb9

SHA256 (OPNsense-19.1-OpenSSL-dvd-i386.iso.bz2) = 17d0aadf671bc2d99b57f0371e4fadfca0e2e9c8d27d6545674a610fc1f59c7a
SHA256 (OPNsense-19.1-OpenSSL-nano-i386.img.bz2) = 0c4e7616c93f14f5988df84b9b620543cb23a89c1f91505527b6c999d2dc7889
SHA256 (OPNsense-19.1-OpenSSL-serial-i386.img.bz2) = 93306e5349c7448ad3fdc03d9349ebf98e4d7c677201dcbec111f917c72dca24
SHA256 (OPNsense-19.1-OpenSSL-vga-i386.img.bz2) = 03d21319a784f93a7940d35168a35d15005e6f4579ac5b1c7a6ff606beb062a6