KeeneticOS 4.3

KeeneticOS release notes for Keenetic Peak (KN-2710) in the Main Channel

KeeneticOS releases in this channel have passed our full rigorous testing and are recommended to all users, to avoid issues and maximize capabilities. This channel is updated roughly every two-three weeks with minor releases, and every two months with major releases.

Keenetic Peak (KN-2710) is currently in the Standard Updates support period and receives regular software updates, including security enhancements, new features, operating system updates, and bug fixes.

What’s new?

Welcome to KeeneticOS version 4.3! We’re delighted to announce this latest release, featuring exciting new updates, improvements, and fixes. Special attention has been given to enhancing the Web Interface, ensuring a smoother experience, improved functionality, and easier navigation.

Web Interface improvements:
- Assign network segments to Ethernet ports for extenders.
  Easily manage your wired network segmentation with the new Port Assignment option on the Extender Settings page, directly from the Mesh Wi-Fi System nodes list. Now you can easily assign a specific network segment to your Extender's Ethernet port or disable it when not in use.
- Enhanced password management.
  The updated Password field on the User Accounts page now includes a built-in password strength indicator, automatic generation of secure passwords, and a handy button to quickly copy passwords to your clipboard.
- Improved dashboard information.
  The redesigned My Networks and Wi-Fi card on the System Dashboard provides clearer visibility and detailed statistics, helping you stay informed about your network status.
Security upgrade with advanced DDoS protection.
- Improved network security with automatic defence against connection table overflow attacks.
IPv6 enhancements (CLI).
- Configure dedicated DNS servers specifically for IPv6 subnets.
- IPv6 support for OpenConnect VPN client, including routing and addressing.
- Ability to bind IPv6 static routes to specific connection policies.
- Automatic NAT66 activation for global interface prefixes (/128).
Enhanced file transfer.
- Software-based FTP acceleration for faster transfers.
- Improved security and performance for SFTP through OpenSSL AES-GCM implementation.
Storage optimisation.
- TRIM support is now enabled by default for compatible external USB drives, ensuring optimal performance and drive longevity.
Expanded 4G modem support.
- Added compatibility for popular USB modem models including Telit FN990, ZTE MF833N, and Sierra MC7304.

KeeneticOS 4.3.2

29/05/2025

New

Introduced the session-logout CLI command to terminate active VPN sessions across various servers (L2TP/IPsec, IKEv1/IPsec, IKEv2/IPsec, SSTP, PPTP, OpenConnect VPN ). [NDM-3788]
- crypto map l2tp-server session-logout {session} — Terminate {session} for L2TP/IPsec VPN server.
- crypto map virtual-ip session-logout {session} — Terminate {session} for IKEv1/IPsec VPN server and IKEv2/IPsec server.
- sstp-server session-logout {session} — Terminate {session} for SSTP VPN server.
- vpn-server session-logout {session} — Terminate {session} for PPTP VPN server.
- oc-server session-logout {session} — Terminate {session} for OpenConnect VPN server.

Added a Port assignment option to the Wi-Fi System page to assign a network segment to the Extender's Ethernet port or to turn the port off. [NWI-3571]
Added support for Object Groups with automatic Fully Qualified Domain Name (FQDN) name resolution. [NDM-3692]
- object-group fqdn {name} — Creates an FQDN object group.
- object-group fqdn {name} include {address} — Adds an address to the group.
A new CLI command to view the internal system name of the network interface is now available with the OPKG component. [NDM-3694]
- show interface {name} system-name — Displays the system name for the specified interface.

The new accept-routes option allows the OpenConnect VPN client to obtain route and IPv6 address configuration from the remote OpenConnect VPN server. [NDM-3539]
- interface {name} openconnect accept-routes — enable obtaining IP routes for OpenConnect interface {name}
The new OpenConnect VPN server option enables static route forwarding to be sent to the connected VPN clients. [NDM-3540]
- oc-server route {address} {mask} — set a static route with {address} {mask} for OpenConnect VPN server
The new OpenConnect VPN client option allows turning off the DTLS (Datagram Transport Layer Security) feature via the command line interface. [NDM-3541]
- interface {name} openconnect no dtls — disable DTLS for OpenConnect interface {name}

The new option for interface-specific DHCP relay agents is now accessible from the command line interface (CLI). [NDM-3401]
- interface {name} ip dhcp relay enable — enable DHCP relay on an interface.
- interface {name} ip dhcp relay upstream server {address} — specify an upstream DHCP server.
- interface {name} ip dhcp relay upstream interface {interface} — bind DHCP upstream to a specific interface (optional).
Implemented a new connect method of the KeenDNS proxy service for web applications, allowing remote access to the OpenVPN server using a KeenDNS name. [NDM-3497]
- ip http proxy {name} upstream (http | https | connect) {upstream} [port] — set connect method for KeenDNS proxy {name}
The new IPv4 and IPv6 static route settings for binding to specified connection policies have been implemented. [NDM-3435]
- ip policy {name} route ( {network} {mask} | {host} ) ( {gateway} [interface] | {interface}) [auto] [metric] [reject]
- ip policy {name} ipv6 route {prefix} ( {interface} [gateway] | {gateway} ) [auto] [metric] [reject]
Enhanced security: Implementation of DDoS protection against connection table overflow. [NDM-3362]
- ip conntrack max-entries {max-entries} — set conntrack table size.
- ip conntrack lockout disable — disable conntrack table protection (enabled by default).
- ip conntrack lockout threshold public {public} — set maximum number of connections from public interfaces (percentage of the conntrack table size, from 50 to 99, default value: 80).
- ip conntrack lockout duration {duration} — set lockout duration in seconds (from 60 to 3600, default value: 600).
- ip conntrack sweep threshold {threshold} — set threshold to start cleaning up waiting sessions (percentage of the conntrack table size, from 50 to 99, default value: 70).
- show ip conntrack lockout — view lockout status.
The Download Station component now supports the setting of background priority for disk I/O operations via the command line interface (CLI). [NDM-3436]
- torrent io-priority low — enable low priority for disk I/O operations.

Improved

Fixed redundant exposure of device details in the Web Interface server, addressing vulnerabilities CVE-2024-4021 and CVE-2024-4022. [NDM-3783]
The improvements have been applied to the Web interface.
- Users without system accounts are now shown in the File Browser → Permissions for the selected folder popup. [NWI-3951]
- Alphabetically sorted the client list in Connection Policies → Policy Bindings for better navigation. [NWI-4092]
- Automatically adds an https:// prefix when copying URIs if the camouflage option is active in OpenConnect VPN server settings. [NWI-4146]
The SMB file and printer sharing component now supports extended attributes, ensuring accurate copying of files with extended metadata to network resources. [NDM-3645]
Added random padding to TLS packets for enhanced connection stability on OpenConnect and SSTP protocols. [NDM-3791]

The improvements have been applied to the Web interface.
- The Password field on the User Accounts page now includes additional security features: password strength assessment, automatic secure password generation, and a button to copy the password to the clipboard. [NWI-4030]
- The left-side navigation menu (hamburger button) has been redesigned for a more compact and organised submenu structure. [NWI-3839]
- The Show signal levels button is now disabled when no mobile connection is detected. [NWI-4015]
Proxy Connections now reset their traffic counters after a manual restart. [NDM-3724]
Updated the OpenSSL library to version 3.3.3, addressing the CVE-2024-12797 and CVE-2024-13176 vulnerabilities. [SYS-1306]

Fixed

Resolved incorrect assignment of the Segment default policy (conform) for automatically registered clients in the home network segment. [NDM-3810]
Fixed an issue with incorrect crypto map configuration in the L2TP/IPsec VPN server during upgrades from OS 4.2.x to 4.3.x. [NDM-3811]
Addressed an issue where duplicate static routes were incorrectly assigned across multiple Connection Policies. [NDM-3814]
Corrected CLI saving issue for the dyndns nobind configuration option. [NDM-3816]
Fixed issues for clients accessing the local network over the OpenConnect VPN server. [NDM-3820]

The following fixes have been applied to the Web interface.
- Resolved an issue where it was previously possible to create a user account for OPKG and Applications without setting a password. [NWI-3700]
- Fixed tooltip display issues affecting longer lists within the Mesh Wi-Fi System interface card. [NWI-4062]
Corrected multicast forwarding to IPTV ports when Internet and IPTV services have different VLAN configurations. [NDM-3767]
Resolved an issue affecting the application of static custom routes to remote VPN client networks on the L2TP/IPsec VPN server. [NDM-3758]

In this section:

KeeneticOS updates — Main Channel