I've published a new build of OPNSense 16.1.1 with HardenedBSD 11-CURRENT! You can grab the build from here: download.
Future things to work on:
For item #1, I've started work on getting wireless working with this commit. I need to ping Adrian Chadd to figure out how to get the MAC address and the other bits from ifconfig that are now hidden that the network interface code expects without having to do a temporary clone of the device.
For item #2, OPNSense recently revamped how they provide binary updates for base. HardenedBSD now has an official binary updating mechanism as well (thanks G2, Inc for sponsoring the work!). Instead of using OPNSense's updating mechanism, I'd rather eat my own dogfood and use hbsd-update. More info about hbsd-update can be found here.
For item #3, I'll need help with this one. If I were to tackle this, I'd first redo the build, but with FreeBSD 11-CURRENT instead of HardenedBSD 11-CURRENT and see if the behavior matches. If it does, then it's not a problem with HardenedBSD. If it doesn't, then the behavior is specific to HardenedBSD. I currently don't have the time it would take to do these steps, but I'd certainly love to help someone debug this if they have the time.
If anyone wants to dig into the pfsync issue, here's the crash I got: