The securityrouter.org project is a network operating system and software distribution based on OpenBSD which is developed and maintained by Halon Security. New systems are deployed by downloading a software image. The easiest way to update existing systems is to perform an automatic update from within the product's administration.
New major versions can contain configuration syntax changes which might render a previously working configuration invalid, and thus affect the operation of the system after an update. We therefore urge all users to perform such updates with caution; take a snapshot if running it as a virtual machine, or at least back up the plain-text configuration and monitor the update on the screen/console, so that you can perform recovery or roll back to an older software version, if necessary.
If you need to roll back, you can choose a version for your serial number.
There is an RSS feed available.
Unreleased
- Bug: Fix regression since 6.6 with multiple VLAN interfaces
Released on 2019-12-16
- New: Based on OpenBSD 6.6
  - New bpe IEEE 802.1Q (PBB) interface
  - Support for Intel Ethernet 700 series via ixl
  - Support for Mellanox ConnectX-4/5/6 via mcx
  - The relayd load balancer supports SNI and binary checks
  - Multiprocessor (SMP) improvements
- Imp: Compiled with Clang 8.0.1
- Imp: Web administration now uses PHP 7.3
- Dep: OpenBSD 6.6 has disabled mobileip in the generic kernel
Released on 2019-01-07
- New: Based on OpenBSD 6.4
- Imp: Support for new LACP options mode passive and timeout fast
- Imp: Compiled with Clang 6.0.0
- Imp: Added new Diffie–Hellman (DH) to IKE IPsec page
- Dep: The default BGP filter action was changed from allow to deny
Released on 2018-08-23
- Bug: Applied 6.3 errata up to #018
Released on 2018-07-04
- New: Based on OpenBSD 6.3
  - Improved network performance thanks to less locking
  - New syncookies option in firewall
  - Support for Intel Cannon Lake and Ice Lake integrated Ethernet
  - New efi driver for EFI runtime services
  - Mitigation for Meltdown vulnerability for Intel CPUs
- Imp: Compiled with Clang 5.0.1
- Imp: Support for syspatch and fw_update
- Imp: Reordering firewall rules in web administration
- Bug: Fix bug where dhcp6-* didn't log properly
- Bug: Fix bug in web administration with DHCP reserved hosts
- Bug: Fix regression since 6.2 where some driver firmware wasn't loaded
Released on 2018-03-28
- New: Based on OpenBSD 6.2
  - OpenBSD is compiled with Clang 4.0.0
  - Support for Hyper-V StorVSC
  - Improved network performance thanks to less locking
  - Uses new slaacd daemon for IPv6 autoconfiguration
- Imp: Ability to run multiple bgp in different routing domains
- Imp: Support running dhcp-server on multiple interfaces in different routing domains
- Imp: Support dhcp6-client on pppoe interfaces
- Imp: Support routing domains on dhcp6-client and dhcp6-server
- Imp: Support pppoe interfaces on vlan interfaces
- Bug: Fix bug where pppoe interface's 0.0.0.2 route would always be in routing table 0
- Bug: Fix regression since 3.6 where router solicitation always enabled IA-NA
- Bug: Fix regression since 6.1 where dhcpd would log to stderr instead of syslog
Released on 2017-09-30
- Bug: Fixed regressions with vlan and trunk interface configuration
- Bug: Applied 6.1 errata up to #029
Released on 2017-06-22
- New: Based on OpenBSD 6.1
- Bug: Applied 6.1 errata up to #012
Released on 2017-04-15
- Imp: More options in software update
- Bug: Fixed subscription license issue with VPN reload
- Bug: Don't start NTP in cluster domain unless it exists
- Bug: Fixed regressions in the new Bootstrap interface (IPsec, DHCP, and more)
- Bug: Applied 6.0 errata up to #014
Released on 2016-10-13
- Imp: Simplified provisioning, such as initialising a storage disk non-interactively
- Bug: Applied 6.0 errata up to #011
Released on 2016-09-20
- New: Based on OpenBSD 6.0
  - SMP improvements in AES-NI and network stack
  - MSI-X on VirtIO
  - W^X is strictly enforced
  - Support for new hardware, including NVMe and GPIO controllers
- New: Mobile-friendly web administration based on Bootstrap
Released on 2016-05-31
- Bug: Fixed regression since 3.7 (pledge-related) where some programs aborted because of TZ path
- Bug: Applied 5.9 errata up to #009, including CVE-2016-2105 to 9
Released on 2016-04-25
- New: Based on OpenBSD 5.9
  - SMP network stack improvements
  - Xen paravirtualization support
  - Initial IEEE 802.11n wireless support
  - New etherip Ethernet tunneling (RFC 3378) interface
  - New pair Ethernet encapsulation interface
  - New EIGRP routing daemon
  - IPv6 support for pflow (NetFlow) transport
  - IKEv2 interoperability with OS X El Capitan
  - Support for new hardware, including network adapters from Intel and Realtek
- Imp: Ability to enable/disable clustering (sasyncd) without restarting IKE daemons
- Bug: Prevent SIGPIPE when doing cleartext IKE packet capture in isakmpd
- Dep: Moved ikev2 to separate ike { context for more accurate validation
Released on 2015-11-20
- New: Based on OpenBSD 5.8
  - New MPLS pseudowire driver mpw
  - Many improvements to BGP, OSPF and LDP (MPLS)
  - The same network range can now be assigned to multiple interfaces
  - MTU of VLAN devices can now be set independently from the parent interface's MTU
  - Jumbo frames on PC Engines' APU and Halon's HSR-603
  - Support for the NX bit on i386 for better W^X enforcement
  - Support for new hardware, and improved network drivers
- New: VPLS (layer 2) MPLS support
- New: Interface route priority
- Imp: Uses AUTOCONF6 for router solicitation instead of rtsold
- Dep: The default Diffie-Hellman group from IKEv1 has been changed to modp3072 (15)
Released on 2015-07-30
- New: Firewall (pf.conf) editor got support for new syntax such as prio, queue, etc
- New: New "basic" (non-JavaScript) firewall editor which is much faster when working with large rulesets
- Bug: Regressions (since 3.5) in the first-run config disk population and pkg_* settings resolved
Released on 2015-05-27
- New: Based on OpenBSD 5.7 with many improvements, such as
- Imp: The firewall page loads faster with many rules
- Imp: Automatic firewall rule sorting has been replaced by a "Sort" button
- Bug: Make clusterd and configure UTF-8 aware, to prevent corruption of non-ASCII
- Bug: Empty persistent tables were overwritten by the firewall page
- Bug: Fix issue on web admin's IPsec page with quoted strings containing syntax tokens
- Dep: The load balancer has renamed the "ssl" keyword to "tls"
- Dep: The load balancer is TLSv1.2 only by default, you need to manually enable other protocols
Released on 2015-03-19
- New: Added support for LLDP
- New: Added support for vether interfaces
- Sec: Patched OpenSSL in regards to security advisory as of 19 Mar 2015
- Bug: Bug on load balancing page with "pftag"
- Bug: Regression in the HTTPS SOAP API (since 3.4)
- Dep: gmt0 was renamed to utc in SOAP API
Released on 2015-01-12
- Imp: Backup (cluster) nodes can use NTP (ntpd) even without working egress IP, via cluster port
- Bug: Web admin server regression; now uses nginx
Released on 2014-12-11
- New: Based on OpenBSD 5.6
  - Includes the Unbound DNS cache
  - Reverse proxy (match ... forward to) support in the load balancer
  - Support for new hardware, including network adapters from Broadcom and Realtek
- Imp: Add SIP proxy to interface page
- Imp: Support searching logs larger than 2 GB
- Bug: Fixes regression on load balancer status page
- Bug: Fixes issue when loading/reloading isakmpd
- Bug: Fixes issue with dhinfod
- Bug: Fixes issue with router advertisement and DHCPv6 with some clients
Released on 2014-08-11
- Bug: Re-configure IKE daemon (isakmpd) if it crashes and is restarted by the watchdog
- Bug: Mitigate a threading issue, to prevent rare dead-locks during startup and reconfiguring
Released on 2014-06-09
- Sec: Fix OpenSSL CVE-2014-0195, 2014-0221, 2014-0224 and 2014-3470
- Imp: Removed deprecated browser-specific CSS3 options (Mozilla, Opera)
- Imp: Enable auto-scroll on keypress in web terminal
- Bug: Allow more than 1000 items to be saved (PHP introduced input data limit)
- Bug: Update firmware boot data on OpenBSD 5.0 systems to prevent boot issue
Released on 2014-05-13
- New: Based on OpenBSD 5.5
- New: Added VXLAN to grammar and web admin
- New: Supports new hardware such as
  - VMware's VMXNET3 network interfaces and paravirtual SCSI
  - VirtIO's paravirtual SCSI and random number devices
  - Many new Intel platforms and NICs, such as the AES-NI capable Atom C2000
  - PC Engine's APU
- Imp: Support copy-pasting directly into web admin's HTML5 terminal
- Imp: Accurately choose a local IPsec endpoint address to send probe pings from
- Imp: Ed25519 SSH signatures
- Imp: Allow omitting pflow (NetFlow/IPFIX) sender address
- Bug: Fixes an issue where the IKE daemon isakmpd wouldn't run with many addresses configured
- Bug: Do not use cluster rdomain for updating on active cluster nodes without default route
- Bug: Fixes an issue where the VPN server npppd could fail to start
Released on 2014-04-08
- Bug: Patched OpenSSL "heartbleed" vulnerability (CVE-2014-0160)
Released on 2014-04-03
- New: Route priorities
- New: Add reserved host from DHCP lease page
- Imp: Load balancers on front page in web admin
- Imp: Show cancel URL when testing a commit
- Imp: Ping with LAN addresses if a tunnel's local endpoint is 0.0.0.0/0
- Imp: Warn about pflow protocol 9 soon being deprecated
- Bug: Web admin failed to set IKE phase 2 mode to none
- Bug: Basic setup erased aliases if having multiple IPs
- Bug: isakmpctl capture could fail to show decrypted packets
- Bug: Cluster push configuration button was broken
- Bug: System could run out of bpf interfaces
Released on 2014-01-08
- New: Added x-superuser login class
- Imp: Added skeleton file for the DHCP server
- Imp: Support running router solicitation, syslog and NTP in routing domains
- Imp: Allowed web terminal to poll backend even when browser tab is in background
- Imp: Added more IPv6 auto-configuration settings to web administration
- Imp: Strip last dot from DHCPv6 search domain
- Imp: Various minor improvements
- Bug: Don't announce SLAAC prefixes when running a DHCPv6 server
- Bug: Resolved issue when filtering logs based on firewall label on amd64
- Bug: Resolved ping-from-self through NAT issue
- Bug: Resolved issue when moving VLANs from an unconfigured interface
Released on 2013-11-08
- New: Based on OpenBSD 5.4
- New: Router advertisement (v6) can announce DNS
- Imp: Router advertisement doesn't announce prefix if DHCP managed
- Imp: Sandboxed SSH server
- Imp: Disabled private SNMP community by default
- Imp: Various minor improvements
- Bug: Issue with load balancer's host page when using IPs in relays
Released on 2013-11-01
- New: Buy feature licenses from within product's interface
- New: Support for new HSR-603 model
- New: Support for reset button on HSR-1204 and ALIX
- Imp: Real-time decrypted IKE packets (isakmpctl capture)
- Imp: Simplified and unified DHCP page
- Imp: Support temperature sensors in ALIX
- Imp: Firewall supports interface addressing and DNS in DHCP/BGP setups
- Imp: Use bidirectional IPsec flows by default
- Imp: Better validation of FQDNs as DHCP hosts
- Imp: Make HTTP/SSH servers and pflow support routing domains
- Imp: Require both sender and server for pflow interfaces
- Imp: Various minor improvements
- Bug: HTTP server didn't respect rsa-key and x509-certificate
- Bug: Scrolling didn't always freeze
- Bug: SSL was checked when adding new load balancer listeners
- Bug: Couldn't type @ in web terminal
- Bug: Do not create sessions for unauthorized web admin clients
Released on 2013-09-02
- Bug: Management interfaces couldn't be disabled on administration page
- Bug: IKE lifetime wasn't maintained on IPsec page
- Bug: Tables were printed with an extra semi-colon on firewall page
- Bug: NTP client didn't use updated name servers (for example DHCP)
Released on 2013-08-09
- Imp: Gracefully discard invalid host names in vApp deployment
- Bug: Warning on front page if no graphs are available
- Bug: XML warning on non-VMware system's interface page
Released on 2013-08-07
- Imp: Support new HSR-1200 series hardware
- Bug: Support non-standard gateway IP in update firmware
- Bug: No longer consume VMware channels without vApp
- Bug: Handle configuration without groups on firewall page
- Bug: Various minor bugs fixed
Released on 2013-07-29
- New: Network setup guide in OVF (VMware vCenter)
- Imp: Minor web administration improvements
- Bug: Disabled SMP due to threading regression in OpenBSD 5.3
Released on 2013-07-24
- Imp: Restructured CLI menu
- Imp: Subscription licenses are more tolerant to connectivity issues
- Imp: Faster boot by disabling floppy drives in kernel
- Imp: Minor web administration improvements
- Bug: Could generate invalid VPN server configuration, regression
Released on 2013-07-15
- New: New IKE debugging tool (isakmpctl)
- Imp: Support for VIA temperature sensors
- Imp: Perl modules needed by pkg_add included
- Bug: Cluster failed to detect successful synchronizations
Released on 2013-07-10
- New: Based on OpenBSD 5.3 (with patches from head)
- New: Support for KVM Virtio para-virtualized drivers
- New: Added load balancer methods; least states, source hash, random
- New: Support for NetFlow 9 and 10 (IPFIX) in pflow
- New: Temperature sensors on graph page
- Imp: Added IPsec lifetime to plain-text configuration and interface
- Imp: Added DHCP server options 66 and 67
- Imp: Allow DHCP relay on CARP interface
- Bug: Only allow valid advbase values
- Bug: NTP client reload fixes
Released on 2013-06-28
- Imp: Load balancer (relayd) performance improved
- Imp: Graphs page displays load balancer names
- Imp: IPsec IKE tunnels page displays DH group number
- Imp: Firewall page removes outer brackets on lists without space
- Bug: Load balancer page didn't display correctly if name ended with a digit
- Bug: Load balancer (relayd) didn't support more than 20 relays
- Bug: Cluster discovery (hdpd) don't exit when missing serial
Released on 2013-05-31
- Imp: PPTP proxy timeout increased
- Imp: Load balancer page lists available listen addresses
- Imp: Internet failover doesn't require load balancer license
- Imp: Terminal emulator page input improved
- Bug: Load balancer page didn't handle multiple listeners and SSL
- Bug: License page's link to renewals didn't work
Released on 2013-05-21
- Imp: System disks are grown to disk's size (CF, etc) into new data partition
- Imp: Buffered software update without storage disk on grown systems
- Imp: Support 1000base* on Intel's SFP+
- Imp: Interface descriptions on graphs page
- Imp: Ability to change CARP password from interface page
- Imp: Sort DHCP leases based on lease times
- Imp: Web terminal's input synchronised
- Imp: Support sis interfaces
- Imp: Improved Ethernet media handling
- Imp: Allow svlan (QinQ) on trunk (LAG) interfaces
- Imp: Reserved DHCP hosts excluded from ranges
- Bug: IPsec labels such as "to host" were interpreted as a resolvable hostname
- Bug: Graph daemon statd warned about full disk too many times
Released on 2013-04-11
- New: Mirror (SPAN ports) on bridges
- Imp: Keep logs and graphs when rebooting if using a storage disk
- Imp: Faster software updates (writes data to disk asynchronously)
- Imp: Flush all GRE states when enabling the PPTP proxy
- Imp: storageupdate has support for explicit (IPv) -4 and -6
- Bug: Max addresses on bridges wasn't configurable in web administration
- Bug: Load balancer's wizard was too strict on detecting potential conflicts
Released on 2013-03-11
- New: New model VSR-Lite available for purchase
- New: Support for PC Engine's ALIX system boards
- Imp: VPN servers support search domain and routes for Apple OSX and iOS clients
- Imp: Other minor improvements
- Bug: dhsyncd would fail to start if any carp interface was down
Released on 2013-02-25
- New: New CLI command replace-swap in configure
- Imp: Support for Dell R320
- Imp: Edit buttons in tables
- Imp: Support rdomain and proxy-arp in cluster activation
- Imp: Other minor improvements
Released on 2013-02-20
- Imp: Support for more Broadcom NICs
- Imp: Other minor improvements
- Bug: Could not enable free mode (VSR-Free) without serial
Released on 2013-02-05
- Imp: VLAN on trunk interfaces
- Imp: Suppress repeated cluster errors
- Imp: Other minor improvements
- Bug: When configuring partial date and time
Released on 2012-12-14
- New: Microsoft Hyper-V support
- New: Ability to use additional disk as storage for logs, etc
- New: Ability to update with verification using storage disk
- Imp: Improved performance during commit/test
- Imp: Question on drain/flush load balancer node pausing
- Imp: Changed Subversion format to FSFS
- Imp: Improved loading time on firewall page with many rules
- Imp: Overall improvements
- Bug: IP ranges in macros on firewall page
- Bug: Load balancer wizard didn't work with missing statement
- Note: Reserved routing domain 239-255
Released on 2012-11-21
- New: The proxy-arp makes it possible to use LAN network in VPN server
- Imp: Cluster (hdpd) keeps information about dead hosts
- Imp: Improved macro/table presentation on Network > Firewall
- Imp: Many load balancer improvements
  - Proper source-tracking per redirect
  - Summarise statistics for multiple "listen on"
  - Ability to enable/disable hosts in all relays/redirects
  - Creates automatic rules for relays (tagged relayd)
  - Wizard for adding relays and redirects
  - User interface for global settings
  - MIB for traps
- Imp: User interface for SNMP settings on System > SNMP
- Bug: Fixed problem when renaming duplicate macros/tables
- Bug: Exports on Configuration > Revision management named properly
- Bug: Fixed issue with statd removing graphs when redirects are down
Released on 2012-10-25
- Imp: Allow more than 4 VPN server groups by creating /dev/tunX dynamically
- Imp: Visual noise when displaying all rulesets on firewall page removed
- Imp: Permit hyphens in the host part in FQDNs (search-domain and host-name)
- Imp: Other minor improvements
Released on 2012-10-22
- New: Real-time graphs
- New: Graphs for firewall states
- New: Login banner in web administration
- New: Highlight text in CLI output with | mark
- Imp: Forwarding (firewall/routing) performance improved
- Imp: Ability to configure DNS, routes, etc per VPN group
- Imp: Always allow DHCP on VPN interfaces for dhinfod to work
- Imp: Shortcuts to rule and state statistics on Firewall page
- Imp: Better logging when using SOAP's commandRun
- Imp: Go directly to deploy/diff when saving on clear-text page
- Imp: Ability to restore the terminal using CLI's "reset"
- Imp: Display line numbers of configuration error page
- Imp: Firewall page now visually renders more protocols
- Imp: Less obstructive reloading of VPN server
- Imp: Other minor improvements
- Bug: Bug in PHP/CURL's DNS reloading remedied
- Bug: Memory leak in UUID generation
- Bug: Invalid netmask displayed as 0.0.0.0 on basic setup page
Released on 2012-09-25
- Imp: Web admin settings for VPN-server client routes
- Imp: Usability improvements
- Bug: Real-time firewall log issue resolved
Released on 2012-09-24
- New: VPN-server (L2TP/PPTP) supports client routes
- Bug: Issue with IPsec 3DES key generation button resolved
Released on 2012-09-10
- New: VPN-server (L2TP) NAT-T support
- New: VPN-server (L2TP/PPTP) DNS suffix support
- New: Replaced configure "diff" with new "compare" command
- Imp: Various graphical usability improvements
- Bug: Saving a firewall macro with multiple items resulted in duplicate brackets
- Bug: L2TP passphrase not saved when editing existing server
Released on 2012-09-02
- New: VSR-Free, a free license
- New: License subscription, option to automatically download license keys
- Imp: CLI can install and remove license keys
- Imp: Log failed password attempts via HTTPS
- Imp: Added support for option 82 in the dhcp-relay
- Bug: Multiple negations on firewall page didn't render properly
Released on 2012-08-22
- New: DHCPv6 server, client and prefix delegation
- New: IPv6 router solicitation client
- New: User classes, including read-only users (login.conf)
- New: Web graph layout is customisable and auto saved
- Imp: Ability to renew DHCP leases
- Imp: Web improvements for Apple iOS and Microsoft IE 9
- Imp: Web terminal has better scroll-back
- Imp: Web shows disk usage on System > Hardware
- Imp: Changed system paths according to BSD defaults
- Imp: CLI parsing improved with quoted strings
- Imp: Web settings stored in HTML5 local storage
- Imp: Updated jQuery
- Bug: Resolved cluster memory leak in backend
- Bug: Resolved issue with /tmp getting full
- Bug: Resolved web cluster page script error
- Bug: Suppressed warning when confirming deployment
- Bug: Spelling corrections
Released on 2012-07-10
- New: Diagnostics > Terminal with full ANSI support
- New: Working copy allows for atomic apply of multiple changes
- Imp: Ability to tag configuration revisions with a message
- Imp: Ability to cancel a pending configuration test
- Imp: Network > Interface got statistics
- Imp: Network > Interface got PPPoE support
- Imp: Network > Firewall supports negation of addresses
- Imp: Network > Basic setup got PPPoE support
- Imp: Network > DHCP server lists connected clients (leases)
- Imp: PPPoE interface automatically adds routes and rules
- Imp: Welcome texts on first boot
- Imp: New layout on login screen
- Imp: Highlights save or warns about unsaved changes
- Imp: Validating function configCheck() in SOAP API
- Imp: Default arguments in SOAP API
- Imp: Command for showing licenses in CLI
- Bug: Now validates reserved DHCP host's name more strictly
- Bug: No longer kicked out of console when setting root password
- Bug: Resolved issue with dhsyncd causing sawtooth CPU usage
Released on 2012-06-11
- Imp: Support for ne (NE1000) interfaces (used by Parallels Desktop)
- Imp: Changed the fail-path when activating clustering
- Bug: Error on first page for un-configured interfaces resolved
- Bug: Issue when duplicating rules on the firewall page resolved
Released on 2012-06-08
- New: Introduced cluster support using SSL certificates
- New: Introduced PPPoE support
- New: Introduced RADIUS support for PPTP and L2TP server with groups
- New: Last ethernet interface automatically becomes cluster sync on installation
- New: Possibility to update a cluster node through other node via sync interface
- New: New replace command in CLI configure
- New: Load balancer shows statistics for layer 3 (redirects)
- New: Keyboard layout support for video consoles
- Imp: Internal IPC moved from TCP to Unix sockets for increased local security
- Imp: Firewall page supports "received-on" routing domains
- Imp: Friendly warning on password change in web administration
- Imp: DHCP server supports clustering
- Imp: DHCP server supports DHCP option 43
- Imp: Make DHCP server leases persistent across reboots
- Imp: Possibility to only change one of the DHCP range values
- Imp: Router advertisements support clustering
- Imp: Basic setup displays unplugged cable correctly
- Imp: Support Intel 10/100 network cards (fxp)
- Imp: HTTPS server supports certificates and keys in configuration
- Imp: Renamed "cd" to "edit" in CLI configure
- Imp: License page explains license keys in more detail
- Imp: Overview page consumes less CPU
- Imp: Load balancer inherits default SSL certificate unless overridden
- Imp: Load balancer page layout improved
- Imp: Web browser cache is automatically flushed after software updates
- Imp: Users "admin" and "root" can force reboots from CLI
- Imp: Users "admin" and "root" can perform a factory reset from CLI
- Imp: Allowed all users to view packets in tcpdump from CLI
- Imp: License, copyright and credit page added under Help page
- Imp: Prevents users from removing themselves by mistake
- Imp: IPsec tunnel ping test works on /0 networks
- Imp: Hide shutdown button on hardware page by default
- Bug: Bug in tcpbench resolved (patch sent upstream)
- Bug: Display error on DHCP page resolved
- Bug: The PPTP proxy has issues with clients sending GRE too early
- Bug: Monotonic time was not always used for wake-ups
- Bug: Change of order of some keys in configuration didn't trigger a commit
- Bug: Parsing error on load balancer page resolved
- Bug: Syslog didn't log with host name
- Bug: DHCP settings link on interface page didn't work for all interface types
Released on 2012-03-22
- Bug: DHCP relay regression issue resolved
Released on 2012-03-20
- New: Hardware detection for Halon HSR-1000
Released on 2012-03-16
- New: Load balancer user interface
- New: FTP proxy for NAT called interface X { ftp-proxy
- New: PPTP proxy for NAT called interface X { pptp-proxy
- Imp: Firewall user interface supports divert
- Bug: Load balancer stability issue patched
- Bug: Suppressed unnecessary interface-group events