OPNsense 21.1, codenamed “Marvelous Meerkat”, has been released and brings extensive changes to the open-source firewall platform.
Key New Features
HardenedBSD 12.1
OPNsense 21.1 is based on HardenedBSD 12.1, a security-hardened FreeBSD variant:
- Updated kernel with security improvements
- ASLR (Address Space Layout Randomization)
- Improved exploit mitigation
- Updated drivers and hardware support
Firmware Health Check
A new firmware health check system has been introduced:
- Automatic firmware integrity verification
- Detection of damaged packages
- Proactive warnings for issues
- Simplified troubleshooting
WireGuard Improvements
The WireGuard integration has been significantly improved:
- Kernel-based WireGuard for better performance
- Simplified configuration
- Improved status display
- Multi-peer support
- Extended routing options
Firewall Updates
- Redesigned alias management
- Improved GeoIP filtering with automatic updates
- Extended logging functionality
- Optimized rule processing
- Improved NAT configuration
DNS Improvements
- Updated Unbound DNS with DNSSEC improvements
- Improved DNS-over-TLS support
- Optimized DNS resolution
- Extended blocklist management
Intrusion Detection and Prevention
- Updated Suricata engine
- Improved rulesets
- Optimized performance
- Extended alert categorization
Web Interface
The web interface received extensive updates:
- Modernized design
- Improved dashboard widgets
- Faster navigation
- Extended search functionality
- Improved mobile view
Plugins
Numerous plugins have been updated:
- HAProxy with new features
- Nginx plugin improvements
- Updated Zabbix agent plugin
- New Crowdsec plugin
Migration from 20.7
The upgrade from OPNsense 20.7 to 21.1 can be performed via the web interface. As always, back up the configuration before upgrading.
Important: Some plugin APIs have changed. Please review the release notes for possible breaking changes before upgrading.
Conclusion
OPNsense 21.1 is a solid major release with a focus on security and performance. The migration to HardenedBSD and the improved WireGuard integration make the platform even more attractive for security-conscious enterprises. We are happy to support you with the migration and operation of your OPNsense firewall.