IPFire 2.29 - Core Update 197 is available for testing

by Michael Tremer, August 11


IPFire 2.29 – Core Update 197 is now available for testing. This release introduces a significant overhaul of OpenVPN, upgrading to version 2.6 with improved security, broader client compatibility, and a modernised codebase — all without requiring changes to existing configurations. System performance has also been optimised to allow the CPU to remain in power-saving states more often, reducing energy consumption. As with every release, this update includes a large number of package updates to ensure your system remains secure and reliable.

A great deal of work from many contributors has gone into making this update possible. Unfortunately, donations have been lower than usual recently. If IPFire helps you protect your network, now is an excellent time to show your appreciation and help us continue improving it. Every contribution directly supports the development team and enables us to keep delivering a faster, more secure, and more capable firewall for everyone. Donate Now!

OpenVPN 2.6

After recently releasing full-fledged support for WireGuard in IPFire, this update brings a substantial overhaul for OpenVPN. We are upgrading to OpenVPN 2.6, which adds some new features but also deprecates a lot. The IPFire team has worked very hard to bring you these changes without requiring any configuration changes on the client side, and we are still able to support older and newer OpenVPN clients at the same time. Here is the list of notable changes:

  • Simpler Client Configuration Export: The client configuration has now been unified and the ZIP container has been dropped. All certificate and key material is now embedded into a single configuration file which can be easily imported into all available clients.
  • Cryptography
    • OpenVPN will now perform cipher negotiation between the server and client if they support it
    • Formerly, the cipher and hash algorithm were statically chosen and configured on both the client and the server side. This is still supported as "Fallback Cipher" for clients which don't support cipher negotiation. New installations will no longer offer a fallback and require cipher negotiation.
    • SHA512 is chosen as the default hash method if no AEAD cipher is being used
    • The cryptographic settings have been moved to the "Advanced Settings" section
  • Compression
    • OpenVPN has entirely removed support for compression as it can be used as an attack vector
    • Clients that still try to use compression will be able to connect without any changes, but the server will try to disable compression wherever possible. It is no longer possible to forcibly enable it.
  • Subnet Topology: OpenVPN has removed support for the previously default way of IP address allocation, where each client received a small subnet of four IP addresses. Instead, a single IP address is now used for each client. This frees all previously unusable IP addresses in the pools and quadruples their size.
  • OpenVPN settings can now be changed without stopping the road warrior service first. When the server is being restarted, clients will be notified so that they will reconnect immediately.
  • Descriptions, labels and headlines in the web UI have been clarified for a much easier configuration experience
  • The code has been substantially cleaned up and largely refactored for better maintainability
    • Where the web UI formerly accepted only the older subnet mask notation, CIDR notation is now supported, too
  • The permanent certificate warning has been removed
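The following is an added example and not part of IPFire's code: it parses a unified OpenVPN client profile of the kind described above (all certificate and key material embedded inline, no ZIP container) and checks it against the OpenVPN 2.6 changes from the list: cipher negotiation with an optional fallback cipher, the removal of compression, and the move away from net30 address allocation. The sample profile is constructed, the host name uses the reserved .invalid domain, and the PEM blocks are placeholders rather than real key material.

```python
"""Parse a unified OpenVPN client profile and audit it for OpenVPN 2.6.

Added example, not IPFire code. The sample profile and all values in it
are constructed; the PEM bodies are placeholders, not real certificates.
"""
import re

# Constructed sample of a unified profile: everything inline, no ZIP.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
topology subnet
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-CBC
auth SHA512
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
"""

# Matches the <tag> / </tag> lines that delimit inline material.
INLINE_TAG = re.compile(r"^<(/?)([a-z-]+)>$")


def parse_profile(text):
    """Return (directives, inline).

    directives maps an option name to the list of argument lists it was
    given with (an option may appear more than once); inline maps a tag
    name such as ca, cert, key or tls-crypt to the text between its tags.
    """
    directives, inline = {}, {}
    current, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = INLINE_TAG.match(line)
        if m:
            closing, tag = m.group(1) == "/", m.group(2)
            if not closing:
                current, body = tag, []
            elif tag == current:
                inline[tag] = "\n".join(body)
                current = None
            continue
        if current is not None:
            body.append(raw)  # inside an inline block: keep verbatim
            continue
        if not line or line.startswith(("#", ";")):
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives, inline


def audit_2_6(directives, inline):
    """Findings a 2.6 server would complain about, as plain strings."""
    findings = []
    # Compression has been removed; requesting it is at best ignored.
    if "comp-lzo" in directives or "compress" in directives:
        findings.append("compression requested: no longer supported in 2.6")
    # Without data-ciphers (or its old name ncp-ciphers) a static 'cipher'
    # line only serves as the fallback cipher and no negotiation happens.
    if "data-ciphers" not in directives and "ncp-ciphers" not in directives:
        if "cipher" in directives:
            findings.append("static 'cipher' only: fallback, no negotiation")
    if any(args[:1] == ["net30"] for args in directives.get("topology", [])):
        findings.append("topology net30 is gone: use 'topology subnet'")
    # A unified profile should carry its material inline.
    for tag in ("ca", "cert", "key"):
        if tag not in inline:
            findings.append(f"missing inline <{tag}> block")
    return findings


def audit_text(text):
    """Convenience wrapper: parse then audit a profile given as text."""
    return audit_2_6(*parse_profile(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_PROFILE):
        print("-", finding)
```

Run against the sample, the only finding is the leftover comp-lzo line; removing that line from an exported profile yields a clean result, while a profile carrying only a static cipher line would be reported as negotiation-less.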

Power Saving Or Keeping Cool In The Summer

IPFire will now clock down its CPUs by default. Previously, all CPU cores ran at full clock speed by default, which kept latency to a minimum because they were always ready to process packets. As modern processors have massively improved how quickly they can clock up and down, and CPUs with many cores are widely available, we have decided to change this based on our benchmark results.

Where supported, we use Intel P-State and otherwise fall back to the new schedutil governor, which was recently introduced into the Linux kernel and has proven in our benchmarks not to increase packet forwarding latency.

When clocked down, systems reduce their power consumption and therefore emit less heat. The "cpufrequtil" package which used to implement this feature has been dropped as it is no longer needed.
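To verify after the update which scaling driver and governor each core is actually using, the kernel's cpufreq sysfs interface can be read directly. The script below is an added example, not IPFire code: it reports the driver and governor per CPU and lists cores whose governor does not clock down. The paths follow the Linux cpufreq sysfs ABI; the fake-tree builder is a constructed stand-in so the check can also be exercised without a real sysfs.

```python
"""Report cpufreq driver and governor per CPU from sysfs.

Added example, not IPFire code. Reads the standard cpufreq sysfs files;
build_fake_tree() only constructs a look-alike directory for testing.
"""
import tempfile
from pathlib import Path

CPU_ROOT = Path("/sys/devices/system/cpu")

# Governors that let a core clock down. intel_pstate in active mode
# exposes "powersave" (its scaling algorithm) and "performance";
# schedutil, ondemand and conservative are the kernel's scaling governors.
POWER_SAVING = {"schedutil", "powersave", "ondemand", "conservative"}


def read_cpufreq(root=CPU_ROOT):
    """Return {"cpuN": {"driver": ..., "governor": ...}} for every core
    that exposes a cpufreq directory, ordered by core number."""
    result = {}
    cores = sorted(root.glob("cpu[0-9]*"), key=lambda p: int(p.name[3:]))
    for entry in cores:
        cf = entry / "cpufreq"
        if not cf.is_dir():
            continue
        result[entry.name] = {
            "driver": (cf / "scaling_driver").read_text().strip(),
            "governor": (cf / "scaling_governor").read_text().strip(),
        }
    return result


def cpus_pinned_at_full_speed(info):
    """Names of cores whose governor keeps them at full clock speed."""
    return sorted(
        (cpu for cpu, v in info.items() if v["governor"] not in POWER_SAVING),
        key=lambda name: int(name[3:]),
    )


def build_fake_tree(base, driver, governors):
    """Constructed sysfs look-alike: one cpuN/cpufreq per governor given.
    With base=None a fresh temporary directory is used."""
    base = Path(tempfile.mkdtemp()) if base is None else Path(base)
    for n, gov in enumerate(governors):
        cf = base / f"cpu{n}" / "cpufreq"
        cf.mkdir(parents=True, exist_ok=True)
        (cf / "scaling_driver").write_text(driver + "\n")
        (cf / "scaling_governor").write_text(gov + "\n")
    return base


if __name__ == "__main__":
    info = read_cpufreq()
    for cpu, v in info.items():
        print(f"{cpu}: driver={v['driver']} governor={v['governor']}")
    pinned = cpus_pinned_at_full_speed(info)
    print("pinned at full speed:", ", ".join(pinned) if pinned else "none")
```

On a box where IPFire has switched to Intel P-State, every core should report driver intel_pstate with governor powersave; on other hardware the expected pair is the platform's cpufreq driver with schedutil.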

Misc.

  • WireGuard
    • Configuration files using Windows line breaks can now be imported without manual conversion
    • Any IPv6 routes in imported configurations are being ignored
  • Intrusion Prevention System: The SSL fingerprint list from abuse.ch has been removed as it was discontinued
  • Backup: It is now possible to restore backups that are larger than 2 GiB through the web UI
  • A race condition which could cause some network interfaces not to be brought up properly at boot time has been fixed
  • The IPFire kernel has been rebased on Linux 6.12.41
    • New mitigations against Transient Scheduler Attacks have been added and the status is shown on the hardware vulnerabilities page
  • Updated packages: Apache 2.4.65, automake 1.18.1, bash 5.3.3, bind 9.20.11, btrfs-progs 6.15, cURL 8.15.0, e2fsprogs 1.47.3, fontconfig 2.17.1, gettext 0.26, GnuTLS 3.8.10, jq 1.8.1, libhtp 0.5.51, libjpeg 3.1.1, libpng 1.6.50, libssh 0.11.2, libtalloc 2.4.3, libtasn1 4.20.0, libunistring: New package, lm_sensors 3.6.2, LVM2 2.03.33, nettle 3.10.2, OpenSSL 3.5.1, OpenVPN 2.6.14, pango 1.56.4, pciutils 3.14.0, readline 8.3.1, shadow 4.18.0, SQLite 3.50.2, strongSwan 6.0.2, Suricata 7.0.11, unbound 1.23.1, util-linux 2.41.1
  • A Chinese translation has been added
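The two WireGuard items above describe how imported configuration files are treated: Windows line breaks are accepted, and IPv6 routes are ignored. The following is an added example, not IPFire's importer, showing that normalisation on a constructed configuration with CRLF line endings and mixed IPv4/IPv6 AllowedIPs entries; the key strings are placeholders and the endpoint uses the reserved .invalid domain.

```python
"""Normalise a WireGuard configuration for import: accept CRLF line
endings and drop IPv6 entries from AllowedIPs.

Added example, not IPFire code. SAMPLE_WG is constructed; the keys are
placeholders, not real WireGuard keys.
"""
import ipaddress

# Constructed sample with CRLF line endings, as a file saved on Windows
# would have them.
SAMPLE_WG = (
    "[Interface]\r\n"
    "PrivateKey = PLACEHOLDER_PRIVATE_KEY\r\n"
    "Address = 10.200.0.2/32\r\n"
    "\r\n"
    "[Peer]\r\n"
    "PublicKey = PLACEHOLDER_PEER_KEY\r\n"
    "Endpoint = vpn.example.invalid:51820\r\n"
    "AllowedIPs = 10.200.0.0/24, 192.168.50.0/24, fd00:200::/64, ::/0\r\n"
    "PersistentKeepalive = 25\r\n"
)


def normalise_line_endings(text):
    """Turn CRLF (and bare CR) line endings into LF."""
    return text.replace("\r\n", "\n").replace("\r", "\n")


def strip_ipv6(value):
    """Keep only the IPv4 entries of a comma-separated prefix list."""
    kept = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        # strict=False accepts host bits set, e.g. 10.200.0.2/24
        if ipaddress.ip_network(item, strict=False).version == 4:
            kept.append(item)
    return ", ".join(kept)


def import_wireguard(text):
    """Return [(section, [(key, value), ...]), ...] in file order.

    Keys are kept as a list rather than a dict because WireGuard allows
    AllowedIPs to be given on several lines within one [Peer] section.
    """
    sections = []
    current = None
    for line in normalise_line_endings(text).split("\n"):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], [])
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {line!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "AllowedIPs":
            value = strip_ipv6(value)  # IPv6 routes are ignored on import
        current[1].append((key, value))
    return sections


if __name__ == "__main__":
    for name, entries in import_wireguard(SAMPLE_WG):
        print(f"[{name}]")
        for key, value in entries:
            print(f"{key} = {value}")
```

The sample's peer ends up with AllowedIPs of 10.200.0.0/24 and 192.168.50.0/24 only; a peer whose routes were exclusively IPv6 would be imported with an empty AllowedIPs value, which is the case a caller should check for before creating the connection.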

Add-Ons

  • New Packages:
    • Daniel Weismüller has added tools that allow emulating a TPM 2.0 device, which is required to run virtual machines using Microsoft Windows 11 or later
    • arpwatch has been added. This tool is able to send an email whenever a host is being detected on a local network interface for the first time.
  • Robin Roevens has updated the Zabbix add-on to version 7.0.16 LTS
    • Additionally, he has added monitoring for WireGuard connections, ARP ping support for the internet gateway and IPFire Location functionality
  • Borg Backup: The libxxhash package which is required as a dependency is now automatically installed (#13868)
  • Updated packages: cifs-utils 7.4, dnsdist 2.0.0, FreeRADIUS 3.2.7, Git 2.50.1, HAProxy 3.2.2, ncdu 1.22, taglib 2.1.1, tshark 4.4.8, Samba 4.22.3