Remote Support Start download

OPNsense 26.7 Release: What's Coming

OPNsenseReleaseNetwork
OPNsense 26.7 Release: What's Coming

OPNsense has followed a fixed release cadence for years: a major release appears in January and July (X.1 and X.7), with minor updates and security patches in between. The 2026 summer release therefore falls in July under this pattern — either version 26.7 has just shipped as this article is published, or it is days away.

We link to the official release notes at the end of this article; everything definitive lives there. Here we set expectations based on the established OPNsense roadmap and the preceding releases — and we cover what really matters when you upgrade.

The OPNsense Release Cadence

A short look back at the major releases shows the logic:

ReleaseDateCodenameFocus
24.1January 2024Savvy SharkUI modernization, MFA, API
24.7July 2024Thriving TigerFreeBSD jump, OpenVPN DCO
25.1January 2025Ultimate UnicornPlugin refactoring, MVC migration
25.7July 2025(see release notes)
26.1January 2026(see release notes)
26.7July 2026(t.b.a.)HardenedBSD/FreeBSD update, plugin refresh

Major releases typically include:

  • Major upstream update of the base (HardenedBSD / FreeBSD)
  • New kernel version with refreshed drivers
  • Updated plugins (Suricata, Zenarmor, HAProxy, ACME client)
  • GUI improvements and API extensions
  • Security patches for PHP, OpenSSL, Unbound, OpenVPN

What Deciso traditionally does not ship in a .7 release: experimental refactors that still need to settle in a January LTS line. The July releases are usually the “platform jump” releases with the fresher upstream base.

What to Realistically Expect from 26.7

We deliberately separate confirmed items from the public roadmap from likely updates:

Confirmed / publicly prepared

  • FreeBSD / HardenedBSD update. Historically the July major releases were the points where the upstream base was bumped. The exact version target for 26.7 will be in the release notes.
  • Plugin updates. Suricata, Zenarmor, HAProxy and the ACME client routinely receive functional updates in major releases.
  • Security updates for the core components (PHP, OpenSSL, Unbound, OpenVPN, IPsec/strongSwan, WireGuard).

Plausible based on the roadmap

  • Further MVC migrations in the UI — OPNsense has been moving older legacy pages into the modern MVC framework for several years.
  • API extensions covering more endpoints that today are only reachable through the UI.
  • Performance improvements in Suricata (multi-threading, DPDK paths depending on platform).
  • Better WireGuard integration — both in the UI and in the reporting layer.

What we don’t speculate on

What concrete features ship in 26.7 and what they are named — please read the official release notes. We deliberately avoid invented feature lists that would later be wrong.

Upgrade Path: How to Proceed

Regardless of the exact features 26.7 brings, the upgrade process follows the established pattern:

1. Preparation

  • Configuration backup via System → Configuration → Backups. Ideally encrypted and stored externally.
  • Document your plugin list. Which plugins are active? At which version?
  • Read the release notes. Especially the “Known Issues” and “Backward Incompatibility” sections.
  • Schedule a maintenance window. A reboot after a major release upgrade is mandatory.

2. Run the Update

Via the UI in System → Firmware → Updates:

1. Click "Check for updates"
2. The major release notice appears
3. Read the release notes linked in the UI
4. "Click to upgrade" starts the download
5. After completion: reboot

On the console via SSH:

opnsense-update
opnsense-update -k   # kernel
reboot

3. After the Update

  • Re-check plugins — some require a separate update.
  • Reload Suricata rules (usually automatic).
  • Test VPN connections (WireGuard, OpenVPN, IPsec).
  • DHCP, DNS, captive portal — verify the core services.
  • Check reporting data (some statistics tables are migrated during major updates).

Rollback Strategy

OPNsense supports boot environments (BE) on ZFS installations. Before the update a BE snapshot is created automatically — from the boot menu you can roll back to the previous version.

On UFS installations (older setups) rollback is more painful: reinstall from a recent backup. If you haven’t moved to ZFS, do so before a major release — the effort pays off on every subsequent update.

When Should You Wait?

Some administrators deliberately skip the day-one of a major release. Reasonable waiting windows:

  • Production firewalls in critical infrastructure: Wait 2–4 weeks for the first patch release (e.g. 26.7.1). Experience shows that minor fixes arrive in the first weeks after a major release.
  • Standby cluster with CARP: Upgrade the backup node first, run a load test, then the master. See also OPNsense High Availability with CARP.
  • Test environments: Right away. That’s the point of having them.

Don’t Forget Security Updates in Parallel

Major releases are not the only update path. OPNsense ships regular security updates between major versions. If you postpone a major upgrade for caution, still apply ongoing security patches on the older line — a 26.1 on the latest patch level is safer than an unmaintained 26.7.

Strategic Shifts at OPNsense

From an advisory perspective, what stands out: OPNsense has become noticeably more enterprise-ready over the past few years. Concrete observations from DATAZONE projects:

  • HA via CARP runs reliably in practice and without exotic hardware requirements.
  • WireGuard integration is no longer a bolt-on plugin but a first-class citizen in the UI.
  • API-first tendency makes automation (Ansible, Terraform) workable.
  • The Zenarmor NGFW plugin closes the gap to commercial NGFW vendors on the application layer.
  • Reporting is significantly better than two years ago — Grafana integration is now standard.

This maturity is why we at DATAZONE consider OPNsense a serious alternative to Sophos, Fortinet and WatchGuard in the professional mid-market — see Sophos / Fortinet — Switch to OPNsense.

Plugin Status at Release Time

An experience-based observation on major releases: not every plugin is ready on day one. Zenarmor and some community plugins typically need a few days to catch up. If you depend on a specific plugin, check the OPNsense forum briefly before upgrading whether the plugin is marked for the new major version.

For plugins not yet listed in the major-version compatibility matrix: wait or test in a non-production setup — don’t push to production without validation.

What Does 26.7 Mean for Ongoing Projects?

From DATAZONE’s view on current customer projects:

  • New OPNsense installs from today onward: start with 26.7 (or wait for the first patch release 26.7.1).
  • Existing 26.1 installs: schedule the move to 26.7 in the next 4–8 weeks — plan the maintenance window in advance.
  • Older installs (25.x or earlier): move to 26.1 first, then to 26.7. Don’t skip two major versions at once.

Conclusion

OPNsense 26.7 fits into the established release pattern — major upstream update, plugin refresh, GUI improvements. The exact feature highlights live in the official release notes; we don’t speculate.

What stays timeless: the upgrade process itself. Anyone who takes backup, maintenance window and rollback strategy seriously has little to fear from even a larger-than-expected jump.

Sources and Further Reading

More on these topics:

Need IT consulting?

Contact us for a no-obligation consultation on Proxmox, OPNsense, TrueNAS and more.

Get in touch