Netgate announced that pfSense Plus software version 21.02 and pfSense Community Edition software version 2.5.0 are now available for upgrades and new installations. This is the first release of pfSense Plus software, formerly known as Factory Edition. Users running the Factory Edition of pfSense software version 2.4.5-p1 and older will be able to upgrade in place to the latest pfSense Plus version, as with any previous upgrade. pfSense software Community Edition version 2.5.0-RELEASE is also available for download now.
Notably, pfSense Plus adds:
- Support for Intel QuickAssist Technology, also known as QAT
  - QAT accelerates cryptographic and hashing operations on supported hardware and can be used to accelerate IPsec, OpenVPN, and other OpenCrypto Framework-aware software.
  - Supported hardware includes many C3000 and C2000 systems sold by Netgate, as well as other hardware with built-in QAT support and QAT add-on cards.
- Improved SafeXcel cryptographic accelerator support for the Netgate SG-2100 and Netgate SG-1100, which can improve IPsec performance.
- Updated IPsec profile export
  - Exports Apple profiles compatible with current iOS and OS X versions
  - New export function for Windows clients to configure tunnels using PowerShell
Both pfSense Plus and pfSense CE include:
- Base OS upgraded to FreeBSD 12.2-STABLE
- OpenSSL upgraded to 1.1.1
- Performance improvements
- Kernel WireGuard implementation, as mentioned in a previous WireGuard blog post
  - WireGuard is a new Layer 3 VPN protocol designed for speed and simplicity
  - The pfSense documentation site includes information on how to configure WireGuard as well as example configuration recipes
- IPsec enhancements
  - Configuration for the strongSwan IPsec backend was changed from the deprecated ipsec.conf/stroke format to the new swanctl/VICI format
  - Various improvements to tunnel configuration, including better options for lifetime and rekey to avoid duplicate security associations
- OpenVPN upgraded to 2.5.0
  - OpenVPN 2.5.0 now mandates data cipher negotiation, but also tries to accommodate older clients
  - ChaCha20-Poly1305 is now supported; this is the same cipher used by WireGuard and may offer speed improvements on some platforms
  - OpenVPN now disables compression by default because it is insecure; it can still decompress traffic received from clients while never transmitting compressed packets itself
- Certificate Manager updates
  - The GUI now supports renewing certificate manager entries (certificate authorities and certificates)
  - Notifications are generated for expiring certificate entries
  - Certificate keys and PKCS #12 archives can now be exported with password protection
  - Support was added for elliptic curve (ECDSA) certificates
  - Internal and imported CA entries can be added to the system-wide trust store
- Significant changes to the Captive Portal backend and HA (high availability) behavior
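To illustrate the OpenVPN 2.5.0 behavior listed above (mandatory data cipher negotiation, ChaCha20-Poly1305, and compression that is decompressed but never sent), here is an added example contrasting a legacy server configuration with a 2.5.0-style one. It is not pfSense's generated configuration or Netgate's text; the cipher list order and the migration sequence in the comments are assumptions.

```conf
# Added example, not pfSense's generated config. Two OpenVPN *server*
# fragments; the cipher list and migration order are assumed values.

# --- Legacy 2.4-style settings (what 2.5.0 moves away from) ---
# One fixed data cipher and negotiation switched off: every client must
# be configured with exactly this cipher.
cipher AES-256-CBC
ncp-disable
# Symmetric compression: the server both compresses and decompresses,
# which is the insecure behavior 2.5.0 turns off by default.
comp-lzo yes

# --- OpenVPN 2.5.0-style settings ---
# Data cipher negotiation is mandatory in 2.5: the server offers this
# list and each client uses the first entry it also supports.
# CHACHA20-POLY1305 (the cipher WireGuard uses) is new here.
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
# Only for old clients that cannot negotiate at all; drop this line once
# no such clients remain, so AES-256-CBC is no longer accepted.
data-ciphers-fallback AES-256-CBC
# "asym" is the transition mode the release notes describe: the server
# still decompresses packets from clients that have compression enabled,
# but never transmits compressed packets itself.
allow-compression asym
# Assumption: the framing option stays in place during the transition
# so packets from not-yet-updated clients are still understood.
comp-lzo yes
# Final state, once every client is updated: refuse compression entirely
# and remove the comp-lzo line above.
# allow-compression no
```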