OpenVPN 2.5.4 released

Announcements from OpenVPN involving bugs, updates, and new features.
Post Reply
User avatar
OpenVPN Inc.
Posts: 137
Joined: Fri Aug 13, 2010 9:05 pm

OpenVPN 2.5.4 released

Post by samuli » Tue Oct 05, 2021 9:15 am

The OpenVPN community project team is proud to release OpenVPN 2.5.4. This release include a number of fixes and small improvements. One of the fixes is to password prompting on windows console when stderr redirection is in use - this breaks 2.5.x on Win11/ARM, and might also break on Win11/amd64. Windows executable and libraries are now built natively on Windows using MSVC, not cross-compiled on Linux as with earlier 2.5 releases. Windows installers include updated OpenSSL and new OpenVPN GUI. The latter includes several improvements, the most important of which is the ability to import profiles from URLs where available.

Source code and Windows installers can be downloaded from our download page. Debian and Ubuntu packages are available in the official apt repositories. On Red Hat derivatives we recommend using the Fedora Copr repository.

Overview of changes since OpenVPN 2.4

Faster connections
  • Connections setup is now much faster
Crypto specific changes
  • ChaCha20-Poly1305 cipher in the OpenVPN data channel (Requires OpenSSL 1.1.0 or newer)
  • Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
  • Client-specific tls-crypt keys (--tls-crypt-v2)
  • Improved Data channel cipher negotiation
  • Removal of BF-CBC support in default configuration (see below for possible incompatibilities)
Server-side improvements
  • HMAC based auth-token support for seamless reconnects to standalone servers or a group of servers.
  • Asynchronous (deferred) authentication support for auth-pam plugin
  • Asynchronous (deferred) support for client-connect scripts and plugins
Network-related changes
  • Support IPv4 configs with /31 netmasks now
  • 802.1q VLAN support on TAP servers
  • IPv6-only tunnels
  • New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
Linux-specific features
  • VRF support
  • Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip commands)
Windows-specific features
  • Wintun driver support, a faster alternative to tap-windows6
  • Setting tun/tap interface MTU
  • Setting DHCP search domain
  • Allow unicode search string in --cryptoapicert option
  • EasyRSA3, a modern take on OpenVPN CA management
  • MSI installer
Important notices

BF-CBC cipher is no longer the default

Cipher handling for the data channel cipher has been significantly changed between OpenVPN 2.3/2.4 and v2.5, most notably there are no "default cipher BF-CBC" anymore because it is no longer considered a reasonable default. BF-CBC is still available, but it needs to be explicitly configured now.

For connections between OpenVPN 2.4 and v2.5 clients and servers, both ends will be able to negotiate a better cipher than BF-CBC. By default they will select one of the AES-GCM ciphers, but this can be influenced using the --data-ciphers setting.

Connections between OpenVPN 2.3 and v2.5 that have no --cipher setting in the config (= defaulting to BF-CBC and not being negotiation-capable) must be updated. Unless BF-CBC is included in --data-ciphers or there is a "--cipher BF-CBC" in the OpenVPN 2.5 config, a v2.5 client or server will refuse to talk to a v2.3 server or client, because it has no common data channel cipher and negotiating a cipher is not possible. Generally, we recommend upgrading such setups to OpenVPN 2.4 or v2.5. If upgrading is not possible we recommend adding data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher AES-128-CBC (v2.4.x and older) to the configuration of all clients and servers.

If you really need to use an unsupported OpenVPN 2.3 (or even older) release and need to stay on BF-CBC (not recommended), the OpenVPN 2.5 based client will need a config file change to re-enable BF-CBC. But be warned that BF-CBC and other related weak ciphers will be removed in coming OpenVPN major releases.

For full details see the Data channel cipher negotiation section on the man page.

Connectivity to some VPN service provider may break

Connecting with an OpenVPN 2.5 client to at least one commercial VPN service that
implemented their own cipher negotiation method that always reports back that it is using BF-CBC to the client is broken in v2.5. This has always caused warning about mismatch ciphers. We have been in contact with some service providers and they are looking into it. This is not something the OpenVPN community can fix. If your commercial VPN does not work with a v2.5 client, complain to the VPN service provider.

More details on these new features as well as a list of deprecated features and user-visible changes are available in Changes.rst.

Linux packages are available from
Useful resources
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

OpenVpn Newbie
Posts: 4
Joined: Sun Oct 10, 2021 6:07 pm

Re: OpenVPN 2.5.4 released

Post by cs » Sun Oct 10, 2021 6:23 pm

On Thursday evening I have installed upgrade od OpenVPN to ver 2.5.4, downloaded here:, => Windows 64-bit MSI installer
Previously my ver was 2.5.3
Installation on PCs was fine. But on server side (Windows server) there is probably a bug: Openvpon service makes file openvpn-status.log, located in folder (…OpenVPN\config-auto) read-only (attribute), as shown on the screen below:
This feature makes OpenVPN not working
The solution, found over a couple of hours finding, was to make this attribute readable (uncheck this option)
Upgrade was performed on two servers, and this behavior took place twice
So we suspect it is a bug ?

Post Reply