IPFire 2.29 Core Update 197 Firewall Adds OpenVPN 2.6

IPFire 2.29 Core Update 197 open-source firewall introduces OpenVPN 2.6, Linux kernel 6.12.41, CPU power saving, and more.

IPFire, a free, open-source Linux-based hardened firewall designed to be deployed as a dedicated firewall/router system for protecting network environments, has issued IPFire 2.29 – Core Update 197.

The main highlight in this release is a complete OpenVPN overhaul, now upgraded to version 2.6. Key improvements include:

  • Simplified client configuration: Exported configs now come as a single file with embedded keys and certificates, eliminating the older ZIP format.
  • Cipher negotiation: OpenVPN now negotiates supported ciphers between client and server, moving away from static settings. SHA512 becomes the default hash method where AEAD is not used.
  • Compression removed: Following upstream changes, OpenVPN no longer supports compression due to security risks.
  • Subnet topology dropped: Each client now uses a single IP address, significantly improving address pool efficiency.
  • Runtime changes: VPN settings can now be adjusted without stopping the road warrior service, with clients automatically reconnecting when needed.
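
As an added illustration (not code from IPFire or from this article), the following Python script checks a previously exported client profile for the settings the changes above affect: compression, a static cipher, and keys kept in separate files. The directive names are standard OpenVPN options; the function name, the wording of the findings, and both sample profiles are constructed for this example.

```python
import re

# Standard OpenVPN directive names; treating them as findings is this example's assumption.
COMPRESSION = ("comp-lzo", "compress")
FILE_REFS = ("ca", "cert", "key", "pkcs12")

def audit_client_profile(text):
    """Return (directive, finding) pairs for settings the release changes affect."""
    seen, in_block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                      # skip embedded <ca>/<cert>/<key> material
            if line == f"</{in_block}>":
                in_block = None
            continue
        tag = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if tag:
            in_block = tag.group(1)
            continue
        if line and line[0] not in "#;":  # '#' and ';' start comment lines
            name, *args = line.split()
            seen[name] = args
    findings = [(n, "compression is no longer supported; remove") for n in COMPRESSION if n in seen]
    if "cipher" in seen and "data-ciphers" not in seen:
        findings.append(("cipher", "static cipher only; ciphers are now negotiated"))
    findings += [(n, "external file; new exports embed keys and certificates") for n in FILE_REFS if n in seen]
    return findings

# Constructed sample profiles (hypothetical host and file names).
LEGACY = """client
dev tun
remote vpn.example.org 1194
pkcs12 roadwarrior.p12
cipher AES-256-CBC
comp-lzo
"""
SINGLE_FILE = """client
dev tun
remote vpn.example.org 1194
data-ciphers AES-256-GCM:CHACHA20-POLY1305
<ca>
(constructed placeholder, not a real certificate)
</ca>
"""

if __name__ == "__main__":
    for name, finding in audit_client_profile(LEGACY):
        print(f"{name}: {finding}")
```
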

Another significant change is the introduction of CPU frequency scaling by default. Previous versions kept all cores at maximum frequency to minimize latency. However, IPFire now relies on Intel P-State or the schedutil governor to reduce power consumption and system heat, with the older cpufrequtil package removed.

On the security side, the distribution has been rebased to Linux kernel 6.12.41, which includes mitigations for transient scheduler attacks. The update also resolves a race condition that occasionally prevented some network interfaces from being initialized during boot.

IPFire Core Update 197 updates a wide range of system components, including Apache 2.4.65, Bash 5.3.3, OpenSSL 3.5.1, Suricata 7.0.11, SQLite 3.50.2, and Btrfs-progs 6.15, among others. Plus, a new Chinese translation has been added, extending the distribution’s language coverage.

Add-on updates are included as well. Tools for emulating a TPM 2.0 device have been introduced, supporting environments that require Windows 11 virtual machines.

A new package, arpwatch, provides host detection alerts on local networks. The Zabbix add-on has been updated to version 7.0.16 LTS with new functionality for WireGuard monitoring, ARP ping, and IPFire Location. Other add-ons, such as Git, Samba, and HAProxy, have also received version upgrades.

Lastly, additional refinements include improved handling of WireGuard configuration imports, support for restoring backups larger than 2 GiB through the web interface, and the removal of SSL fingerprint lists from abuse.ch, which has been discontinued.

For more information, see the announcement.

Core Update 197 is already available for download on IPFire’s website. For fresh installs, two build flavours cover the most common hardware: x86_64 and aarch64. Existing systems can be upgraded via IPFire’s web UI or the pakfire update command.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.