OpenVPN 2.5.1 released

Announcements from OpenVPN involving bugs, updates, and new features.
samuli
OpenVPN Inc.
Posts: 130
Joined: Fri Aug 13, 2010 9:05 pm

OpenVPN 2.5.1 released

Post by samuli » Wed Feb 24, 2021 1:39 pm

The OpenVPN community project team is proud to release OpenVPN 2.5.1. It includes several bug fixes and improvements as well as updated OpenSSL and OpenVPN GUI for Windows.

Source code and Windows installers can be downloaded from our download page. Debian and Ubuntu packages are available in the official apt repositories. On Red Hat derivatives we recommend using the Fedora Copr repository.

Overview of changes since OpenVPN 2.4

Faster connections
  • Connection setup is now much faster
Crypto specific changes
  • ChaCha20-Poly1305 cipher in the OpenVPN data channel (Requires OpenSSL 1.1.0 or newer)
  • Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
  • Client-specific tls-crypt keys (--tls-crypt-v2)
  • Improved Data channel cipher negotiation
  • Removal of BF-CBC support in default configuration (see below for possible incompatibilities)
Server-side improvements
  • HMAC based auth-token support for seamless reconnects to standalone servers or a group of servers.
  • Asynchronous (deferred) authentication support for auth-pam plugin
  • Asynchronous (deferred) support for client-connect scripts and plugins
Network-related changes
  • Support IPv4 configs with /31 netmasks now
  • 802.1q VLAN support on TAP servers
  • IPv6-only tunnels
  • New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
Linux-specific features
  • VRF support
  • Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip commands)
Windows-specific features
  • Wintun driver support, a faster alternative to tap-windows6
  • Setting tun/tap interface MTU
  • Setting DHCP search domain
  • Allow unicode search string in --cryptoapicert option
  • EasyRSA3, a modern take on OpenVPN CA management
  • MSI installer
Important notices

BF-CBC cipher is no longer the default

Cipher handling for the data channel cipher has been significantly changed between OpenVPN 2.3/2.4 and v2.5, most notably there is no "default cipher BF-CBC" anymore because it is no longer considered a reasonable default. BF-CBC is still available, but it needs to be explicitly configured now.

For connections between OpenVPN 2.4 and v2.5 clients and servers, both ends will be able to negotiate a better cipher than BF-CBC. By default they will select one of the AES-GCM ciphers, but this can be influenced using the --data-ciphers setting.

Connections between OpenVPN 2.3 and v2.5 that have no --cipher setting in the config (= defaulting to BF-CBC and not being negotiation-capable) must be updated. Unless BF-CBC is included in --data-ciphers or there is a "--cipher BF-CBC" in the OpenVPN 2.5 config, a v2.5 client or server will refuse to talk to a v2.3 server or client, because it has no common data channel cipher and negotiating a cipher is not possible. Generally, we recommend upgrading such setups to OpenVPN 2.4 or v2.5. If upgrading is not possible we recommend adding data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher AES-128-CBC (v2.4.x and older) to the configuration of all clients and servers.

If you really need to use an unsupported OpenVPN 2.3 (or even older) release and need to stay on BF-CBC (not recommended), the OpenVPN 2.5 based client will need a config file change to re-enable BF-CBC. But be warned that BF-CBC and other related weak ciphers will be removed in coming OpenVPN major releases.

For full details see the Data channel cipher negotiation section on the man page.

Connectivity to some VPN service provider may break

Connecting with an OpenVPN 2.5 client to at least one commercial VPN service that implemented their own cipher negotiation method that always reports back that it is using BF-CBC to the client is broken in v2.5. This has always caused warnings about mismatched ciphers. We have been in contact with some service providers and they are looking into it. This is not something the OpenVPN community can fix. If your commercial VPN does not work with a v2.5 client, complain to the VPN service provider.

More details on these new features as well as a list of deprecated features and user-visible changes are available in Changes.rst.

Linux packages are available from
Useful resources
--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

TechNosticKomms
OpenVpn Newbie
Posts: 0
Joined: Sat Mar 06, 2021 8:02 am

Re: OpenVPN 2.5.1 released

Post by TechNosticKomms » Sat Mar 06, 2021 8:10 am

Today, when attempting to verify the GnuPG Signature for the latest 2.5.1-I601-amd64 Windows MSI Installer, I keep getting the following error using Kleopatra on Windows 10:
------------------------------------------------------------------------------------------------------
Signature created on Wednesday, February 24, 2021 02:39:46 AM
With certificate:
OpenVPN - Security Mailing List <security@openvpn.net> (12F5 F7B4 2F2B 01E7)
The signature is INVALID: Signing certificate is expired.
------------------------------------------------------------------------------------------------------
The Audit Log is shown below.
NOTE: The key "96AEC408005D6BB4" has just expired on "03/05/2021" and
it seems that's the reason for the signature to be now considered "INVALID"
------------------------------------------------------------------------------------------------------
[code]gpg: armor: BEGIN PGP SIGNATURE
gpg: Signature made 02/24/2021 02:39:46 AM Pacific Standard Time
gpg: using RSA key 333D46306CF9D9F1F630DB8D96AEC408005D6BB4
gpg: Note: signature key 5DC351805ACFEAC6 expired 03/09/2020 01:25:26 PM Pacific Daylight Time
gpg: Note: signature key D72AF3448CC2B034 expired 03/06/2018 04:17:50 AM Pacific Standard Time
gpg: Note: signature key D72AF3448CC2B034 has been revoked
gpg: Note: signature key F132B1CBAF131CAE expired 03/07/2019 11:43:20 AM Pacific Standard Time
gpg: Note: signature key 96AEC408005D6BB4 expired 03/05/2021 04:29:54 AM Pacific Standard Time
gpg: using subkey 96AEC408005D6BB4 instead of primary key 12F5F7B42F2B01E7
gpg: Note: signature key 96AEC408005D6BB4 expired 03/05/2021 04:29:54 AM Pacific Standard Time
gpg: Note: signature key 5DC351805ACFEAC6 expired 03/09/2020 01:25:26 PM Pacific Daylight Time
gpg: Note: signature key D72AF3448CC2B034 expired 03/06/2018 04:17:50 AM Pacific Standard Time
gpg: Note: signature key D72AF3448CC2B034 has been revoked
gpg: Note: signature key F132B1CBAF131CAE expired 03/07/2019 11:43:20 AM Pacific Standard Time
gpg: Note: signature key 96AEC408005D6BB4 expired 03/05/2021 04:29:54 AM Pacific Standard Time
gpg: using subkey 96AEC408005D6BB4 instead of primary key 12F5F7B42F2B01E7
gpg: key 62692ED3DFA4B995: accepted as trusted key
gpg: Good signature from "OpenVPN - Security Mailing List <security@openvpn.net>" [full]
gpg: Note: signature key 5DC351805ACFEAC6 expired 03/09/2020 01:25:26 PM Pacific Daylight Time
gpg: Note: signature key D72AF3448CC2B034 expired 03/06/2018 04:17:50 AM Pacific Standard Time
gpg: Note: signature key D72AF3448CC2B034 has been revoked
gpg: Note: signature key F132B1CBAF131CAE expired 03/07/2019 11:43:20 AM Pacific Standard Time
gpg: Note: signature key 96AEC408005D6BB4 expired 03/05/2021 04:29:54 AM Pacific Standard Time
gpg: using subkey 96AEC408005D6BB4 instead of primary key 12F5F7B42F2B01E7
gpg: Note: signature key 5DC351805ACFEAC6 expired 03/09/2020 01:25:26 PM Pacific Daylight Time
gpg: Note: signature key D72AF3448CC2B034 expired 03/06/2018 04:17:50 AM Pacific Standard Time
gpg: Note: signature key D72AF3448CC2B034 has been revoked
gpg: Note: signature key F132B1CBAF131CAE expired 03/07/2019 11:43:20 AM Pacific Standard Time
gpg: Note: signature key 96AEC408005D6BB4 expired 03/05/2021 04:29:54 AM Pacific Standard Time
gpg: Note: signature key 5DC351805ACFEAC6 expired 03/09/2020 01:25:26 PM Pacific Daylight Time
gpg: Note: signature key D72AF3448CC2B034 expired 03/06/2018 04:17:50 AM Pacific Standard Time
gpg: Note: signature key D72AF3448CC2B034 has been revoked
gpg: Note: signature key F132B1CBAF131CAE expired 03/07/2019 11:43:20 AM Pacific Standard Time
gpg: Note: signature key 96AEC408005D6BB4 expired 03/05/2021 04:29:54 AM Pacific Standard Time
gpg: security@openvpn.net: Verified 4 signatures in the past 10 months.
Encrypted 0 messages. (policy: good)
gpg: Note: This key has expired!
Primary key fingerprint: F554 A368 7412 CFFE BDEF E0A3 12F5 F7B4 2F2B 01E7
Subkey fingerprint: 333D 4630 6CF9 D9F1 F630 DB8D 96AE C408 005D 6BB4
gpg: binary signature, digest algorithm SHA256, key algorithm rsa4096
------------------------------------------------------------------------------------------------------[/code]

TechNosticKomms
OpenVpn Newbie
Posts: 0
Joined: Sat Mar 06, 2021 8:02 am

Re: OpenVPN 2.5.1 released

Post by TechNosticKomms » Thu Mar 11, 2021 12:15 am

As described in my previous post from 4 days ago (dated Mar-06-2021), I cannot verify the OpenVPN 2.5.1 Windows 64-bit MSI installer with the GnuPG Signature file provided on the Community Downloads page. Since I have not seen a reply to my post from an official OpenVPN source, there are a few assumptions I can make regarding this "INVALID Signature" issue:

1) The issue is currently being looked at or worked on.
2) The issue is not important enough to issue a reply.
3) The issue is being ignored and no one is looking at it.
4) The issue has "fallen between the cracks" since there are other more important topics/issues.
5) No one cares whether the given GnuPG Signatures are valid or not.
6) It takes time to look into this kind of "INVALID Signature" issue.
7) To fix this signature issue a new release must be made which takes time, so patience is required.
8) Very few people really use the GnuPG Signatures to verify the installers so this issue has a very low priority.

I'm sure there are others that escape me at this moment.

In any case, I'd appreciate a short reply about whether the "INVALID Signature" issue is considered a problem worth fixing, and if so when we could expect a resolution.

Thank you.

becm
OpenVpn Newbie
Posts: 8
Joined: Tue Sep 01, 2020 1:27 pm

Re: OpenVPN 2.5.1 released

Post by becm » Fri Mar 12, 2021 4:29 pm

Not being an "official source", I can point to the developer meeting on 2021-03-10:
- Key renewal has been completed
- OpenVPN 2.5.2 is planned for 2021-03-17 (installer will get signed with new key)

New signature/encryption keys already in keyring (created 2021-03-08).

Kleopatra is overly picky here: It was able to get a "Good signature", which should have been the essential message.
A key being expired at the time of check would (at most) warrant an additional "Note" (see how the GPG command line application handles this condition).
A missing signature key on the other hand is a genuine hard failure, so ensure the OpenVPN keyring is up to date.
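
One way to make the distinction becm draws machine-checkable, as an added example that is not from the OpenVPN project or from anyone in this thread: a POSIX sh function that reads gpg's `--status-fd` lines and reports "good signature, signing key expired" (EXPKEYSIG) separately from a bad signature (BADSIG) or a missing key (NO_PUBKEY/ERRSIG), while pinning the primary key fingerprint quoted in TechNosticKomms's log. It assumes a GnuPG version that emits the primary key fingerprint as the last field of VALIDSIG (current releases do), and that the installer and its `.asc` file have already been downloaded.

```shell
#!/bin/sh
# Added example, not OpenVPN project code. Classifies a GnuPG detached-signature
# check by its machine-readable --status-fd lines instead of by the human text,
# so an expired signing subkey is not confused with a tampered installer.

# Primary key fingerprint of "OpenVPN - Security Mailing List", as shown in the
# gpg output quoted earlier in this thread.
OPENVPN_PRIMARY_FPR="F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7"

# Reads gpg --status-fd output on stdin and prints exactly one verdict word:
#   good          GOODSIG, and VALIDSIG names the pinned primary key
#   good-expired  EXPKEYSIG: the signature checks out but the key had expired
#   bad           BADSIG: the file or the signature was altered
#   wrong-key     signature verifies but was made under another primary key
#   error         no public key, unknown key, or no signature status at all
classify_gpg_status() {
    sig=""
    pinned_ok=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)   sig=${sig:-good} ;;
            "[GNUPG:] EXPKEYSIG "*) sig=good-expired ;;
            "[GNUPG:] BADSIG "*)    sig=bad ;;
            "[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*) sig=error ;;
            "[GNUPG:] VALIDSIG "*)
                # Last field of VALIDSIG is the primary key fingerprint
                # (assumption: GnuPG version that emits it).
                primary=${line##* }
                if [ "$primary" = "$OPENVPN_PRIMARY_FPR" ]; then
                    pinned_ok=1
                fi ;;
        esac
    done
    case "$sig" in
        good|good-expired)
            if [ -n "$pinned_ok" ]; then echo "$sig"; else echo wrong-key; fi ;;
        bad|error) echo "$sig" ;;
        *)         echo error ;;
    esac
}

# Usage: verify_installer openvpn-install.msi openvpn-install.msi.asc
# (file names are placeholders; gpg exit status is deliberately ignored in
# favour of the status lines, which carry the actual reason).
verify_installer() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | classify_gpg_status
}
```

A verdict of good-expired means the artifact is intact and was signed by the pinned key before that key's expiry, which is the condition in the thread; wrong-key and bad are the outcomes that should block installation.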

TechNosticKomms
OpenVpn Newbie
Posts: 0
Joined: Sat Mar 06, 2021 8:02 am

Re: OpenVPN 2.5.1 released

Post by TechNosticKomms » Wed Mar 17, 2021 12:12 am

@becm,

Thank you for taking the time to respond and provide some useful info even if it's not from an "official source." I'll inform our IT folks that a new OpenVPN Client installer with new signature/encryption keys is going to be released soon.

RE: Kleopatra is overly picky here...
Our IT folks are picky as well (which is not necessarily a bad thing) WRT all the 3rd-party software & applications which must be vetted before getting installed on our work laptops, so I can understand their concern about the "Invalid Signature" issue due to an expired signing certificate, and thus their hesitancy to approve it for general installation.

Thanks again for your reply.
