RemoteOne wrote: ↑Thu Dec 15, 2022 4:22 pm
Centos 8 epel has an openssl3 package available. It installs side-by-side with the default openssl 1.1.1k package.
Is there any way to have the new OpenVPN 2.6 beta1 utilise the openssl3 library?
Hi,
I'm the Fedora and Fedora Copr package maintainer for the OpenVPN packages and have looked into the openssl3 package on EL8.
I have decided to not use the openssl3 package for a few reasons. First the packages themselves:
- The ordinary openssl package is maintained by Red Hat people, via the official RHEL repositories
- The openssl3 is maintained by a single Fedora community member, provided via the Fedora EPEL repositories.
I do see that openssl3 pulls in changes regularly and seems to be up-to-date. But it is a community effort. The official openssl package is maintained by Red Hat people, who I know work closely with the Red Hat security teams to ensure the critical packages are up-to-date and carry the important backported security and bug fixes.
Since the OpenSSL library is a highly security-sensitive package, I am very reluctant to build OpenVPN with a dependency on a non-official distribution package.
This is not because I don't trust the openssl3 package maintainer; he may very well do a superb job. But it is an external package maintained by a single person, plus being security sensitive. In that context, I don't think the Fedora Copr builds of OpenVPN are a good target for this package.
Further, when the final OpenVPN 2.6.0 release happens, there will be Fedora Copr repositories for this release as well. Based on the arguments above, putting OpenVPN 2.6.0 into production servers with a third-party openssl3 package feels even more risky. And since I want to release the EL-8 builds using the distro-provided openssl, we need that to be well tested with the distro-provided openssl.
If you want the OpenSSL 3 features, I would rather encourage you to upgrade/migrate to EL-9. That ships OpenSSL 3, and the Fedora Copr builds of OpenVPN (all versions) are built against OpenSSL 3.