OPNsense® roadmap planned innovations

This roadmap offers an overview of the project's direction. It is not intended to be a detailed list. For development information, bugs, and outstanding issues, please visit the OPNsense® page on GitHub.

Version naming

OPNsense versions are named year.month, so the first release, which took place in January 2015, is release 15.1.

When minor releases occur within the same month, an extra number is added, like 24.1.2.

We use a 6-month major release cycle with firm release dates. Major release versions will have code names of animals, mountains, or whatever idea we can think of that sounds good.

Each release has a number, a code name and a release date.

Next release - **th July 2025

25.7

  • Planned

  • Completed

Base system

  • Replace general setup wizard *

  • Switch to reusable frontend code *

  • ChartJS 4 (upgrade) *

  • Usermanager csv export and import option *

  • Deprecate Google Drive backups due to upstream policy changes (move to plugins for existing users) *

  • Add SFTP backup option [plugin] *

Firewall

  • JSON container for alias imports *

Services

  • Dnsmasq DHCP support for small and medium sized setups *

  • Kea, support advanced (manual) configurations *

Interfaces

  • Bridges MVC migration *

Routing

  • Router advertisements MVC migration *

VPN

  • Move OpenVPN legacy to plugins as a first step to deprecation *

  • Move IPsec legacy to plugins as a first step to deprecation *

  • Migrate IPsec mobile page to MVC *

Latest release - 29th January 2025

25.1
Ultimate Unicorn

  • Completed

Base system

  • FreeBSD 14.2 *

  • PHP 8.3 *

  • Restructure PPP to allow complex IPv6-only deployments with all implications *

  • Notification improvements: banner persistent notifications *

  • Dashboard widget for certificates: expiration hints and delete and renew possibilities *

  • System: High Availability: Status MVC conversion *

  • Snapshot functionality for easy recovery *

  • API enable User and Group administration *

  • Theme update with new styling and add official dark theme. *

  • System: Settings: Tunables MVC conversion adding API support *

Firewall

  • Improved security zone support and documentation *

Reporting

  • RRD statistics refactoring, increases performance and maintainability *

Trust

  • OpenSSL legacy mode toggle, defaults to off *

  • Add trust settings module *

Services

  • Unbound: merge domain overrides into query forwarding *

VPN

  • VPN: IPsec: Advanced Settings - move to MVC and add some options *

Previous releases & accomplishments

24.7
Thriving Tiger

25th July 2024

  • Completed

Base system

  • FreeBSD 14.1 *

  • Python 3.11 *

  • Replace Phalcon framework components to increase performance and lower complexity *

  • Settings: Logging: merge into Logging / Targets page *

  • System Trust migration to MVC offering API support. *

  • Lobby: modern dashboard replacement *

  • Assorted screen reader improvements *

Interfaces

  • Interfaces: GIF: migrate to MVC *

  • Interfaces: GRE: migrate to MVC *

  • Interfaces: Virtual IPs: Add CARP unicast support *

  • Interfaces: allow tracking the WAN itself in DHCPv6 mode *

Firewall

  • Firewall: Rules: add state-policy property to allow specific states to bind only to the originating interface for increased security *

  • NAT 1-to-1: migrate to MVC *

  • Firewall alias GUI performance improvements *

VPN

  • WireGuard usability improvements * *

  • WireGuard QR code generation for mobile clients *

  • IPsec Connections - add dynamic VTI tunnel support *

  • VPN: OpenVPN: Instances - add (experimental) DCO support *

Services

  • dhcrelay migrate to MVC and deprecate isc-dhcrelay *

  • Captive Portal: add "Allow inbound" option *

24.1
Savvy Shark

30th January 2024

  • Completed

Base system

  • OpenSSL 3 ports migration *

  • Suricata 7 *

  • System: limit /conf/config.xml access to administrators *

  • System: Configuration: History: migrate to MVC *

  • System: Configuration: Backups: Improve restore area selection offering fine grained import control for advanced users *

  • System: Gateways: Single: migrate to MVC *

  • System: Trust: Revocation: Restrict CRLs to one per CA to ease future migration *

Interfaces

  • Overview: migrate to MVC to allow API support and increase usability *

  • [new] Interfaces: Neighbors to administer static ARP and NDP entries *

  • Interfaces: Other Types: VXLAN: add support for non standard port numbers *

Firewall

  • NPTv6: migrate to MVC *

  • os-firewall plugin inclusion to ease API usage *

  • os-firewall - Add API support for port definitions in automation *

VPN

  • OpenVPN: Instances - add carp vhid tracking for clients. *

  • OpenVPN: Instances - add optional OCSP support *

  • Improve WireGuard kernel plugin and implement it in core *

  • WireGuard CARP vhid tracking support *

  • IPsec: Virtual Tunnel Interfaces dual stack support *

Services

  • KEA DHCPv4 server as alternative for isc-dhcp[4] *

  • Squid Web Proxy: move to plugins *

23.7
Restless Roadrunner

31st July 2023

  • Completed

Base system

  • FreeBSD 13.2

  • PHP 8.2 update *

  • Support for Importing Encrypted Configuration Files During OPNsense Installation *

Core system

  • Firmware: add tier level to plugins table *

  • System: Configuration: Backups - persist console settings and signal users of interface mismatches *

  • MVC/Core - properly support multi clause search phrases *

  • RADIUS Authentication - Add MSCHAPv2 support *

  • Native gateway watcher as dpinger alarm replacement *

Interfaces

  • Interfaces: Diagnostics: Ping: migrate to MVC *

  • Interfaces: Diagnostics: Trace Route: migrate to MVC *

  • Interfaces: Diagnostics: Port Probe: migrate to MVC *

  • Interfaces: LAGG: migrate to MVC *

Services

  • System: Diagnostics: Services: migrate to MVC *

  • Services: DHCP: Leases (4+6): migrate to MVC *

  • Services: Unbound DNS (finalize MVC conversion) * *

  • Services: Intrusion Detection: Suricata Netmap API version 14 enabled

Firewall

  • New alias type to support firewall policies for OpenVPN users *

  • Improve visibility in rule overview * *

  • Firewall: Groups: migrate to MVC * *

VPN

  • VPN: OpenVPN Server - Support deferred authentication using OpenVPN 2.6.x *

  • VPN: OpenVPN: Connection Status: migrate to MVC *

  • VPN: OpenVPN Instances MVC module *

  • VPN: IPsec: Security Policy Database - Manual assignments linking to connection children *

23.1
Quintessential Quail

13th January 2023

  • Completed

Base system

  • PHP 8.1 update *

  • New system status notification system *

  • Phpseclib 3 support for missing EC CA revocation *

Interfaces

  • SLAAC WAN improvements *

Firewall

  • Firewall alias BGP ASN type support *

Reporting

  • Traffic graph polling interval selection and UX *

  • DNS insights dashboard *

Interfaces

  • Packet capture MVC/API conversion *

  • Virtual IP MVC/API conversion *

VPN

  • IPsec legacy ipsec.conf to swanctl.conf migration *

  • IPsec MVC module using swanctl.conf layout *

Services

  • Unbound: DNSBL to python implementation to fluently support larger lists *

Project

  • Introduce tier system for plugin support levels *

22.7
Powerful Panther

28th July 2022

  • Completed

Base system

  • PHP 8.x upgrade *

  • Phalcon upgrade *

  • FreeBSD 13.1

  • Intel QuickAssist (QAT) support *

Interfaces

  • Add stacked VLAN support (IEEE 802.1ad / QinQ) *

Firewall

  • Advanced DDoS protection using syncookies *

  • Configurable per rule adaptive timeouts *

Services

  • Unbound - migrate overrides to MVC enabling API support. *

22.1
Observant Owl

27th January 2022

  • Completed

Base system

  • FreeBSD 13

  • Tunables - improve visibility

  • Configure LAGG interface from console menu

  • Authentication / LDAP automatic user creation on login

  • Logging - switch to rfc5424 format and remove circular logging

Interfaces

  • VIPs now support the “no bind” option to exclude them from automatic service use when configured

Firewall

  • Improve alias hostname resolve performance

  • Improved firewall statistics

  • Support overload table on max new connections

VPN

  • Add "auto" option to peer identifier options

  • Change overview page to support large deployments

  • Remove insecure ciphers and hash methods in IPsec phase 2 entries

21.7
Noble Nightingale

28th July 2021

  • Completed

Base system

  • Migrate bsdinstaller to bsdinstall

  • AXGBE 10Gbps network card driver inclusion

  • New audit logging to support enterprise compliance requirements

  • Syslog-ng TLS transport options

  • Translation updates

  • GRE/GIF consolidation

  • Dhclient VLAN 0 support

  • Overridable interface checksum settings

  • NTPD client mode

  • Encryption standard updates for config.xml export

  • GUI consolidation for add buttons / table layouts

  • Upgrade PHP to 7.4

  • Upgrade Python to 3.8

  • OpenVPN 2.5

  • LibreSSL 3.3

  • Upgrade core MVC component Phalcon to version 4

  • Optional automatic scheduled HA-synchronisation

  • Firmware Update Revamp

Firewall

  • Extend category filter functionality with tooltips

  • Support large source/destination address lists in the Traffic Shaper.

  • Sticky rule label support in firewall live log

  • Wildcard netmasks in aliases

  • Firewall states diagnostic API/GUI

Reporting

  • Improve traffic graph top-talker section

Services

  • Unbound custom option removal

  • IPv6 prefix DHCP lease registration in Unbound/Dnsmasq

21.1
Marvelous Meerkat

28th January 2021

  • Completed

Base system

  • Fix stability and reliability issues with regard to vmx(4), vtnet(4), ixl(4), ix(4) and em(4) ethernet drivers.

  • Add chart.js to core components (deprecate nvd3 in the long run)

  • Support local trust store for various python based scripts

  • Extend user password page with optional OTP seed request option to ease provisioning

  • LibreSSL 3.2

Firewall

  • Alias: Add mac address type

  • Alias: Allow host and network exclusions using new prefix [!]

  • Alias: Improve validation excluding unusable internal keywords

  • Improve live log view filter usage

Reporting

  • New and improved live traffic report

Services

  • IDPS: New policy definition using metadata tags (e.g. drop all critical events aimed at the perimeter)

  • Dnsmasq DNS: Deprecate custom options

  • Proxy: add JSON log output type following Elastic Common Schema

Documentation

  • Development: add documentation for Javascript helpers

API

  • Add gateway status endpoint

20.7
Legendary Lion

30th July 2020

  • Completed

Base system

  • HardenedBSD 12.1

  • Firmware: reinstall missing plugins

  • OpenSSH, allow various customisable security settings

  • User manager: Show certificate validity

  • User manager: Optionally show ACL patterns

General

  • MVC Logging frontend support pluggable log file formats

  • MVC Logging remove row limitation on download

Interfaces

  • Replace old socket diagnostics with more advanced Netstat tree viewer

Firewall

  • Basic firewall api support (via additional plugin)

  • Traffic shaper status page rewrite

  • Easily accessible filters in live log.

Services

  • Suricata 5

  • Unbound + DHCPDv4: Properly support expired leases.

  • Unbound: Improve startup when root servers are unreachable

  • Unbound: Integrate Unbound plus functionality including DNS blacklisting

Documentation

  • Add API documentation script (eases api doc maintenance)

  • Explain how to API enable standard services

Code quality

  • PHP expand code styling to PSR-12 (https://www.php-fig.org/psr/psr-12/)

20.1
Keen Kingfisher

30th January 2020

  • Completed

Base system

  • Deprecate Python 2.7

  • jQuery 3.4.1

  • Google backup API 2.4.0

  • OpenSSL 1.1.1

  • LibreSSL 3.0

  • Support elliptic curve TLS certificate creation

  • PSR 12 coding style

  • Logging frontend migrated to MVC / API

Interfaces

  • VXLAN support

  • Support for additional loopback interfaces

Firewall

  • Support direction and non-quick on interface rules

High availability

  • CARP service demotion hook

  • HASync only on command (legacy cleanup)

Services

  • Captive portal performance improvements for large setups

  • IPsec: add support for public key authentication

Documentation

  • Add documentation for all core components

Plugins

  • Deprecate PPPoE, L2TP, PPTP server plugins

19.7
Jazzy Jaguar

17th July 2019

  • Completed

Base system

  • LibreSSL 2.9

  • PHP upgrade to 7.2

  • Python add 3.7 to deprecate 2.7 in 2020

  • Tokenize2.js upgrade including sortable feature

  • Bootstrap 3.4.1 security upgrade

  • Squid 4

General

  • Spanish translation

  • Core system extend PAM support

  • Convert python 2.7 scripts to 3.7 for all core components

  • Gateways influence default switching order by weight

  • Support LDAP group synchronisation to enforce remote configured policies

  • Syslog-ng integration supporting both udp and tcp targets

High availability

  • More fluent switching into maintenance mode when using CARP

  • XML-RPC synchronise carp relevant ip aliases to backup node

Firewall

  • Firewall rule statistics

  • Firewall insights in generated rules

  • Firewall aliases, export + import functions

VPN

  • IPsec Route based mode (VTI)

  • IPsec switch to PAM for authentication

  • OpenVPN export add Microsoft certificate store option

  • OpenVPN server improve input validation to prevent wrong certificate type selection

  • OpenVPN server support static-challenge formatted passwords

Services

  • Suricata eve logging over syslog

  • Suricata improve rule toggle actions

  • Unbound add aliases in host overrides

19.1
Inspiring Iguana

31st January 2019

  • Completed

  • Fully functional firewall alias API

  • PIE firewall shaper support

  • firewall NAT rule logging support

  • WPAD / PAC and parent proxy support in the web proxy

  • API enabled OpenVPN client export utility

  • ET Pro Telemetry edition plugin

  • 2FA via LDAP-TOTP combination

  • P12 certificate export with custom passwords

  • Dnsmasq DNSSEC support

  • HardenedBSD 11.2

  • extended IPv6 DUID support

  • Influence default gateway switching order by weight

18.7
Happy Hippo

31st July 2018

  • Completed

  • Pluggable backup modules

  • Nextcloud backup support

  • Improve multiwan support

  • IDS / upgrade ET-open rules to suricata 4

  • Remove QinQ interface type

  • FreeBSD Meltdown and Spectre V2 mitigations

  • Gateway monitoring via dpinger utility

  • OpenVPN support for Radius Framed-IP-Address

  • GUI/API hardening

  • Intel NIC driver updates from FreeBSD 11.2

  • Revive IPv6 Rapid Deployment (6RD)

  • IDS/IPS application detection rules

  • Easily accessible API docs

  • Monit core integration

18.1
Groovy Gecko

29th January 2018

  • Completed

  • Improved shared forwarding with IPv6 and tryforward support

  • Portable NAT before IPsec support

  • UTM plugins: antivirus, antispam, mail, web proxy extensions

  • Reverse DNS lookup API for Insight and Live Log

  • IDS alert log improvements

  • UI layout improvements and consolidation

  • Local group restriction feature in OpenVPN and IPsec

  • OpenVPN multi-remote support for clients

  • Debug kernel support

  • FreeBSD 11.1

  • LibreSSL 2.6

  • PHP 7.1

  • jQuery 3.2.1

  • pluggable NAT rules

17.7
Free Fox

31st July 2017

  • Completed

  • HardenedBSD SafeStack for base applications and selected ports

  • RFC 2136 and Dynamic DNS services as plugins

  • HardenedBSD procfs hardening

  • Interface code speedup

  • Completed translations for Chinese, Czech, Portuguese (Portugal), Portuguese (Brazil), German

  • CARP preempt

17.1
Eclectic Eagle

31st January 2017

  • Completed

  • CSRF replacement for static PHP pages

  • Pluggable firewall rules

  • PHP 7.0

  • FreeBSD 11

  • PAM support for OPNsense authentication system

  • Incorporate HardenedBSD's SEGVGUARD

  • Position Independent Executables

  • Pluggable authentication

  • Extensions on the mvc model, like referential checks

  • Phalcon 3.0

  • installer per SSH

  • Unit tests for main mvc parts

  • Single-slice Nano with auto-resize after first boot

  • Let's Encrypt plugin

  • Tinc plugin - full mesh routing for virtual private networks

  • Load Balancer, UPnP, SNMP, IGMP, WOL as plugins

16.7
Dancing Dolphin

28th July 2016

  • Completed

  • Pluggable service infrastructure

  • Remove PPPoE, L2TP and PPTP servers from base installation

  • OpenVPN, add server specific client overrides

  • RFC 4638 support (MTU > 1492 in PPPoE)

  • HTTPS proxy support

  • Restyle services section

  • Add traffic analysis and netflow export

  • Active Queue Management (AQM): Controlled delay (CoDel) and FlowQueue-CoDel

  • PPTP, L2TP and PPPoE Servers ported to MPD5

  • Documentation for all major features

  • Dashboard feature revamp

  • Two factor authentication using RFC 6238

  • Virtual machine disk images build options

  • Pluggable interface infrastructure

  • Japanese and Russian translations completed

  • Firmware Improvements and development/stable versions

  • Cron GUI and API

  • FreeBSD 10.3

  • HardenedBSD's ASLR implementation

  • UEFI/GPT boot

  • IDS reporting enhancements

16.1
Crafty Coyote

28th January 2016

  • Completed

  • Plugin support

  • -- Replace ACL

  • -- Extensible menu system

  • -- Build framework and repository

  • -- GUI plugin management

  • OpenVPN/IPSec pages rework

  • Firewall pages rework

  • Firmware mirror location and crypto selection

  • Replace RRD frontend using a modern alternative

  • Crash reporter revamp for direct problem submissions

  • Rewrite the captive portal application using new framework components

  • Implement API session handling to make use of the already built (RESTful) services

  • IPS

  • Menu/navigation restructuring

  • Switch to FreeBSD 10.2

  • Quick navigation feature

15.7
Brave Badger

2nd July 2015

  • Completed

  • Base proxy support

  • Base IDS support

  • OpenSSH/OpenSSL updates via ports

  • Support both OpenSSL and LibreSSL

  • pfSense config importer (for versions ≤ 2.1.5)

  • BSDinstaller support for embedded installations

  • Move to FreeBSD 10.1 for long term support

  • Support Base upgrade

  • Initial implementation of MVC framework

  • Code refactoring

  • Replace backend service (check_reload_status) with new configurable configd system

  • OpenVPN client exporter

15.1
Ascending Albatross

5th January 2015

  • Completed

  • Feature enhancements

  • Limited additional features

  • Code cleanup