Hi there,

For over 5 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

20.1, nicknamed "Keen Kingfisher", is a subtle improvement on sustainable firewall experience. This release adds VXLAN and additional loopback device support, IPsec public key authentication and elliptic curve TLS certificate creation amongst others. Third party software has been updated to their latest versions. The logging frontend was rewritten for MVC with seamless API support. On the far side the documentation increased in quality as well as quantity and now presents itself in a familiar menu layout.

Download links, an installation guide[1] and the checksums for the images can be found below as well.

Europe: https://opnsense.c0urier.net/releases/20.1/
US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.1/
US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.1/
South America: http://mirror.upb.edu.co/opnsense/releases/20.1/
South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/20.1/
Full mirror list: https://opnsense.org/download/

These are the most prominent changes since version 19.7:

Captive portal performance improvements
IPsec public key authentication support
Elliptic curve TLS certificate creation
CARP service demotion hook
VXLAN device support
Loopback device support
Extended firmware health audit checks
Support direction and non-quick on interface rules
Logging frontend migrated to MVC / API
PSR 12 coding style
Documentation for all core components
Python 3.7 is now the default Python version
LibreSSL 3.0 and OpenSSL 1.1.1
Google Backup API 2.4
jQuery 3.4.1

And here are the full patch notes against version 20.1-RC1:

installer: welcome users as genuine 20.1 installer
rc: revert growfs change since Nano does not grow anymore
plugins: os-mail-backup 1.1[2]
plugins: os-nrpe 1.0 (contributed by Michael Muenz)
plugins: os-theme-rebellion 1.8.3 (contributed by Team Rebellion)
plugins: os-vnstat 1.2[3]
plugins: zabbix4-proxy 1.2[4]
ports: ca_root_nss 3.49.2
ports: curl 7.68.0[5]
ports: isc-dhcp 4.4.2[6]
ports: php 7.2.27[7]
ports: urllib3 1.27.7[8]

Known issues and limitations:

HardenedBSD 12.1 has been postponed to the next major release
Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp have been deprecated and will no longer receive updates
To prevent stale configuration files for remote syslog we advise to setup the new targets first[9] and disable the old ones under System: Settings: Logging
i386 has not been deprecated for the time being ;)

The public key for the 20.1 series is:

Stay safe,
Your OPNsense team

SHA256 (OPNsense-20.1-OpenSSL-dvd-amd64.iso.bz2) = 4b15e9b3d72732d325c5eaf46ba34575d4de8cdc3e3ac1b10666c7372563be6d
SHA256 (OPNsense-20.1-OpenSSL-nano-amd64.img.bz2) = 27544a78ae03d480a483cfd2e7cfa703b60e50938a1ed188ec3ccde6c426fefe
SHA256 (OPNsense-20.1-OpenSSL-serial-amd64.img.bz2) = f93bbcbe92059c5de49f22d485da292952b48658a28d1cdaf83191e8c95c03c2
SHA256 (OPNsense-20.1-OpenSSL-vga-amd64.img.bz2) = 019a877c4b4cb96cfda62d041774a91c030c5a8ecd58f8c3fd0067c7ac392982

SHA256 (OPNsense-20.1-OpenSSL-dvd-i386.iso.bz2) = 36146d0a066d9d696433599487e2a538ee5575a6b3d631293ad9e14e5fbbc6e0
SHA256 (OPNsense-20.1-OpenSSL-nano-i386.img.bz2) = 0980f49d1b3445505fd1db27ab070886a706388d3aa16d7c8d953f279b7e3b11
SHA256 (OPNsense-20.1-OpenSSL-serial-i386.img.bz2) = 322adbafe331ef7232c08d839a6f355ee633f5a662009b1801ebad0edab03d73
SHA256 (OPNsense-20.1-OpenSSL-vga-i386.img.bz2) = 8bdd109015d7d54d382c7293bdf8fac6397a6c2e37662b73647c276e98c19d64