- Update from version 2.5.8 to 2.5.9 which is the last version in the 2.5 series
- Update of rootfile not required
- Tested openvpn-2.5.9 in my vm testbed. OpenVPN RW connection worked fine. Also tested
OpenVPN N2N connection with CU179 & OpenVPN version 2.5.9 at one end and CU177 &
OpenVPN version 2.5.8 at the other end. N2N connection worked with no problems.
- Changelog
2.5.9
Implement optional cipher in --data-ciphers prefixed with ?
Fix handling an optional invalid cipher at the end of data-ciphers
Ensure that argument to parse_line has always space for final sentinel
Improve documentation on user/password requirement and unicodize function
Remove unused gc_arena
Fix corner case that might lead to leaked file descriptor
msvc: always call git-version.py
git-version.py: proper support for tags
Check if pkcs11_cert is NULL before freeing it
Do not add leading space to pushed options
pull-filter: ignore leading "spaces" in option names
Do not include auth-token in pulled option digest
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.5.7 to 2.5.8
- Update of rootfile not required
- Changelog
Version 2.5.8
tls-crypt-v2: bail out if the client key is too small
Remove useless empty line from CR_RESPONSE message
Allow running a default configuration with TLS libraries without BF-CBC
Change command help to match man page and implementation
Fix OpenVPN querying user/password if auth-token with user expires
t_client: Allow to force FAIL on prerequisite fails
t_client.sh: do not require fping6
Preparing release 2.5.8
msvc: add branch name and commit hash to version output
Update the replay-window backtrack log message
Do not skip ERROR:/SUCCESS: response from management interface
Fix auth-token usage with management-def-auth
Allow a few levels of recursion in virtual_output_callback()
Ensure --auth-nocache is handled during renegotiation
Purge auth-token as well while purging passwords
Do not copy auth_token username to itself
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 2.5.6 to 2.5.7
- Update of rootfile not required
- Changelog
2.5.7. This is mostly a bugfix release, but adds limited support for OpenSSL 3.0. Full
support will arrive in OpenVPN 2.6.
networking: use OPENVPN_ETH_ALEN instead of ETH_ALEN
networking_iproute2: don't pass M_WARN to openvpn_execve_check()
t_net.sh: delete dummy iface using iproute command
auth-pam.c: add missing include limits.h
Add insecure tls-cert-profile options
Refactor early initialisation and uninitialisation into methods
Allow loading of non default providers
Add ubuntu 22.04 to Github Actions
Add macos OpenSSL 3.0 and ASAN builds
Add --with-openssl-engine autoconf option (auto|yes|no)
Fix allowing/showing unsupported ciphers and digests
Remove dependency on BF-CBC existence from test_ncp
Add message when decoding PKCS12 file fails.
Translate OpenSSL 3.0 digest names to OpenSSL 1.1 digest names
Fix client-pending-auth error message to say ERROR instead of SUCCESS
cipher-negotiation.rst missing from doc/Makefile.am
vcpkg-ports\pkcs11-helper: shorten patch filename
msvc: adjust build options to harden binaries
vcpkg-ports: remove openssl port
vcpkg: switch to manifest
Fix M_ERRNO behavior on Windows
vcpkg-ports/pkcs11-helper: bump to release 1.29
tapctl: Resolve MSVC C4996 warnings
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
This script runs alongside OpenVPN and connects to the management socket.
On the socket, OpenVPN will post any new clients trying to authenticate
which will be handled by the authenticator.
If a client has 2FA enabled, it will be challenged for the current token
which will then be checked in a second pass.
Clients which do not have 2FA enabled will just be authenticated no
matter what and tls-verify will have handled the rest.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Add two-factor authentication (2FA) to OpenVPN host connections with
one-time passwords.
The 2FA can be enabled or disabled per host connection and requires the
client to download its configuration again after 2FA has been enabled
for it.
Additionally the client needs to configure a TOTP application, like
"Google Authenticator", which then provides the second factor.
To facilitate this, every connection with enabled 2FA
gets a "show qrcode" button after the "show file" button in the
host connection list to show the 2FA secret and a 2FA configuration QR code.
When 2FA is enabled, the client needs to provide the second factor plus
the private key password (if set) to successfully authorize.
This only supports time-based one-time passwords, TOTP with a 30s
window and 6 digits, for now, but we may update this in the future.
Signed-off-by: Timo Eissler <timo.eissler@ipfire.org>
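The two commits above describe the second factor (TOTP, 30 s step, 6 digits, provisioned via a QR code) and the authenticator that checks it in a second pass. The block below is an added example, not IPFire's authenticator or ovpnmain.cgi code: it implements the RFC 4226/6238 code generation and a server-side verifier that tolerates a little clock drift but refuses to accept a counter twice, plus the otpauth URI a TOTP app reads from the QR code. The secret is the RFC 6238 reference key and is constructed for the test; the issuer name and function names are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed test secret: the RFC 6238 reference key "12345678901234567890" in
# base32. A real deployment generates a random secret per host connection.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (30 s steps)."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at) // step, digits)


def verify_totp(secret_b32, code, at=None, step=30, digits=6, drift=1, last_counter=-1):
    """Server-side check. Returns the accepted counter, or None if rejected.

    drift: number of steps of clock skew tolerated on either side of 'now'.
    last_counter: highest counter already accepted for this client. Codes for
    that counter or earlier are refused, so a captured code cannot be replayed
    inside the drift window even though it is still "valid" by time alone.
    """
    if len(code) != digits or not code.isdigit():
        return None
    at = time.time() if at is None else at
    counter = int(at) // step
    for candidate in range(counter - drift, counter + drift + 1):
        if candidate <= last_counter:
            continue
        # Constant-time compare so a per-digit timing leak cannot narrow the search.
        if hmac.compare_digest(hotp(secret_b32, candidate, digits), code):
            return candidate
    return None


def provisioning_uri(label, secret_b32, issuer="IPFire"):
    """Key URI that the QR code carries (Google Authenticator key URI format)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(label)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")
```

After a successful check the caller must persist the returned counter as the client's new last_counter; without that, the replay protection does nothing.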
- Update from version 2.5.4 to 2.5.6
- Update of rootfile not required
- No changes related to ciphers or options
- Source tarball changed from .xz to .gz as for version 2.5.6 the xz option was not
available. Raised on Openvpn forum but response was that they also didn't know why xz
option was not available but they thought it was not a big deal as the gz version is
only slightly larger.
- Changelog
Overview of changes in 2.5.6
User-visible Changes
update copyright year to 2022
New features
new plugin (sample-plugin/defer/multi-auth.c) to help testing with multiple
parallel plugins that succeed/fail in direct/deferred mode
various build improvements (github actions etc)
upgrade pkcs11-helper to release 1.28.4
Bugfixes
CVE-2022-0547 see
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
If openvpn is configured with multiple authentication plugins and more than
one plugin tries to do deferred authentication, the result is not
well-defined - creating a possible authentication bypass.
In this situation the server process will now abort itself with a clear log
message. Only one plugin is allowed to do deferred authentication.
Fix "--mtu-disc maybe|yes" on Linux
Due to configure/syshead.h/#ifdef confusion, the code in question was not
compiled-in for a long time. Fixed. Trac: #1452
Fix $common_name variable passed to scripts when username-as-common-name is
in effect.
This was not consistently set - sometimes, OpenVPN exported the username,
sometimes the common name from the client cert. Fixed. Trac: #1434
Fix potential memory leaks in add_route() and add_route_ipv6().
Apply connect-retry backoff only to one side of the connection in p2p mode.
Without that fix/enhancement, two sides could end up only sending packets
when the other end is not ready. Trac: #1010, #1384
remove unused sitnl.h file
clean up msvc build files, remove unused MSVC build .bat files
repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes
due to integer overflow, this ended up being "0" on Linux, but on Windows
with MSVC it ends up being "always 2 Gbyte", both not doing what is
requested. Trac: #1448
repair handling of EC certificates on Windows with pkcs11-helper
(wrong compile-time defines for OpenSSL 1.1.1)
Documentation
documentation improvements related to DynDNS. Trac: #1417
clean up documentation for --proto and related options
rebuild rst docs if input files change (proper dependency handling)
Overview of changes in 2.5.5
User-visible Changes
SWEET32/64bit cipher deprecation change was postponed to 2.7
Windows: use network address for emulated DHCP server as default. This
enables use of a /30 subnet, which is needed when connecting to OpenVPN Cloud.
require EC support in windows builds (this means it's no longer possible to
build a Windows OpenVPN binary with an OpenSSL lib without EC support)
New features
Windows build: use CFG and Spectre mitigations on MSVC builds
bring back OpenSSL config loading to Windows builds. OpenSSL config is
loaded from %installdir%\ssl\openssl.cnf (typically:
c:\program files\openvpn\ssl\openssl.cnf) if it exists.
This is important for some hardware tokens which need special OpenSSL
config for correct operation. Trac #1296
Bugfixes
Windows build: enable EKM
Windows build: improve various vcpkg related build issues
Windows build: fix regression related to non-writeable status files
(Trac #1430)
Windows build: fix regression that broke OpenSSL EC support
Windows build: fix "product version" display (2.5..4 -> 2.5.4)
Windows build: fix regression preventing use of PKCS12 files
improve "make check" to notice if "openvpn --show-cipher" crashes
improve argv unit tests
ensure unit tests work with mbedTLS builds without BF-CBC ciphers
include "--push-remove" in the output of "openvpn --help"
fix error in iptables syntax in example firewall.sh script
fix "resolvconf -p" invocation in example "up" script
fix "common_name" environment for script calls when
"--username-as-common-name" is in effect (Trac #1434)
Documentation
move "push-peer-info" documentation from "server options" to "client"
(where it belongs)
correct "foreign_option_{n}" typo in manpage
update IRC information in CONTRIBUTING.rst (libera.chat)
README.down-root: fix plugin module name
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.
While the sources are nowadays downloaded via HTTPS, it makes sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.
Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.
In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 2.5.0 to 2.5.4
- Update rootfile
- Tested new version in vm testbed. Openvpn server successfully started.
Client connections working with 2.5.0 also successfully worked with 2.5.4
- Changelog
Overview of changes in 2.5.4
Bugfixes
- fix prompting for password on windows console if stderr redirection
is in use - this breaks 2.5.x on Win11/ARM, and might also break
on Win11/amd64 when released.
- fix setting MAC address on TAP adapters (--lladdr) to use sitnl
(was overlooked, and still used "ifconfig" calls)
- various improvements for man page building (rst2man/rst2html etc)
- minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on
at least one platform strictly checking this)
- fix minor memory leak under certain conditions in add_route() and
add_route_ipv6()
User-visible Changes
- documentation improvements
- copyright updates where needed
- better error reporting when win32 console access fails
New features
- also build man page on Windows builds
Overview of changes in 2.5.3
Bugfixes
- CVE-2121-3606
see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
OpenVPN windows builds could possibly load OpenSSL Config files from
world writeable locations, thus posing a security risk to OpenVPN.
As a fix, disable OpenSSL config loading completely on Windows.
- disable connect-retry backoff for p2p (--secret) instances
(Trac #1010, #1384)
- fix build with mbedtls w/o SSL renegotiation support
- Fix SIGSEGV (NULL deref) receiving push "echo" (Trac #1409)
- MSI installers: properly schedule reboot in the end of installation
- fix small memory leak in free_key_ctx for auth_token
User-visible Changes
- update copyright messages in files and --version output
New features
- add --auth-token-user option (for --auth-token deployments without
--auth-user-pass in client config)
- improve MSVC building for Windows
- official MSI installers will now contain arm64 drivers and binaries
(x86, amd64, arm64)
Overview of changes in 2.5.2
Bugfixes
- CVE-2020-15078
see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
This bug allows - under very specific circumstances - to trick a
server using delayed authentication (plugin or management) into
returning a PUSH_REPLY before the AUTH_FAILED message, which can
possibly be used to gather information about a VPN setup.
In combination with "--auth-gen-token" or a user-specific token auth
solution it can be possible to get access to a VPN with an
otherwise-invalid account.
- restore pushed "ping" settings correctly on a SIGUSR1 restart
- avoid generating unnecessary mbed debug messages - this is actually
a workaround for an mbedTLS 2.25 bug when using Curve25519 and Curve448
ED curves - mbedTLS crashes on preparing debug infos that we do not
actually need unless running with "--verb 8"
- do not print inlined (<dh>...</dh>) Diffie Hellman parameters to log file
- fix Linux/SITNL default route lookup in case of multiple routing tables
with more than one default route present (always use "main table" for now)
- Fix CRL file handling in combination with chroot
User-visible Changes
- OpenVPN will now refuse to start if CRL file is not present at startup
time. At "reload time" absence of the CRL file is still OK (and the
in memory copy is used) but at startup it is now considered an error.
New features
- printing of the TLS ciphers negotiated has been extended, especially
displaying TLS 1.3 and EC certificates more correctly.
Overview of changes in 2.5.1
New features
- "echo msg" support, to enable the server to push messages that are
then displayed by the client-side GUI. See doc/gui-notes.txt and
doc/management-notes.txt.
Supported by the Windows GUI shipped in 2.5.1, not yet supported by
Tunnelblick and the Android GUI.
User-visible Changes
- make OPENVPN_PLUGIN_ENABLE_PF plugin failures FATAL - if a plugin offers
to set the "openvpn packet filter", and returns a failure when requested
to, OpenVPN 2.5.0 would crash trying to clean up not-yet-initialized
structure members. Since PF is going away in 2.6.0, this is just turning
the crash into a well-defined program abort, and no further effort has
been spent in rewriting the PF plugin error handling (see trac #1377).
Documentation
- rework sample-plugins/defer/simple.c - this is an extensive rewrite
of the plugin to bring code quality to acceptable standards and add
documentation on the various plugin API aspects. Since it's just
example code, filed under "Documentation", not under "Bugfix".
- various man page improvements.
- clarify ``--block-ipv6`` intent and direction
Bugfixes
- fix installation of openvpn.8 manpage on systems without docutils.
- Windows: fix DNS search list setup for domains with "-" chars.
- Fix tls-auth mismatch OCC message when tls-cryptv2 is used.
- Windows: Skip DHCP renew with Wintun adapter (Wintun does not support
DHCP, so this was just causing an - harmless - error and needless delay).
- Windows: Remove 1 second delay before running netsh - speeds up
interface init for wintun setups not using the interactive service.
- Windows: Fix too early argv freeing when registering DNS - this would
cause a client side crash on Windows if ``register-dns`` is used,
and the interactive service is not used.
- Android: Zero initialise msghdr prior to calling sendmsg.
- Fix line number reporting on config file errors after <inline> segments
(see Trac #1325).
- Fix port-share option with TLS-Crypt v2.
- tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key), otherwise
dropping privs on the server would fail.
- tls-crypt-v2: fix server memory leak (about 600 bytes per connecting
client with tls-crypt-v2)
- rework handling of server-pushed ``--auth-token`` in combination with
``--auth-nocache`` on reconnection / TLS renegotiation events. This
used to "forget" to update new incoming token after a reconnection event
(leading to failure to reauth some time later) and now works in all
tested cases.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Most of these files still used old dates and/or domain names for contact
mail addresses. This is now replaced by an up-to-date copyright line.
Just some housekeeping... :-)
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Update script for OpenVPN's CRL, because OpenVPN has refactored the CRL handling since v2.4.0.
Script checks the next update field from the CRL and executes an update before it expires.
Script is placed under fcron.daily for daily checks.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
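The commit above describes a daily script that reads the CRL's nextUpdate field and renews the CRL before it expires (OpenSSL rejects certificate verification against a CRL whose nextUpdate has passed, which would lock every client out). The block below is an added example, not IPFire's fcron.daily script: it parses the output of `openssl crl -noout -nextupdate`, computes how long the CRL is still valid, and decides whether renewal is due within a lead time. The CRL path is a placeholder, the sample openssl output is constructed, and the function names are assumptions; the actual regeneration command depends on the CA layout and is left as a hook.

```python
import re
import subprocess
import time
from datetime import datetime, timezone

# Placeholder: the commit does not give IPFire's CRL location.
CRL_FILE = "/path/to/openvpn/crl.pem"
# Format of the date in "nextUpdate=Jan  5 12:00:00 2024 GMT" (openssl prints UTC).
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y"

# Constructed sample of what `openssl crl -in crl.pem -noout -nextupdate` prints.
SAMPLE_OUTPUT = "nextUpdate=Jan  5 12:00:00 2024 GMT\n"


def parse_next_update(openssl_output):
    """Extract nextUpdate as an aware UTC datetime; raise if the line is missing."""
    m = re.search(r"^nextUpdate=(.+?) GMT\s*$", openssl_output, re.MULTILINE)
    if not m:
        raise ValueError("no nextUpdate line in openssl output")
    # strptime treats the format's single space as "one or more", so the
    # double space before single-digit days ("Jan  5") parses fine.
    return datetime.strptime(m.group(1), OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)


def check_crl(openssl_output, now_ts, lead_days=7):
    """Decide whether the CRL must be regenerated.

    now_ts is a Unix timestamp. renew is True when fewer than lead_days remain,
    and also when the CRL has already expired (negative seconds_left).
    """
    nxt = parse_next_update(openssl_output)
    seconds_left = int(nxt.timestamp()) - int(now_ts)
    return {
        "next_update": nxt.isoformat(),
        "seconds_left": seconds_left,
        "renew": seconds_left <= lead_days * 86400,
    }


def read_crl_next_update(crl_file=CRL_FILE):
    """Run openssl against the real CRL file and return its raw output."""
    return subprocess.run(
        ["openssl", "crl", "-in", crl_file, "-noout", "-nextupdate"],
        check=True, capture_output=True, text=True,
    ).stdout


def main():
    result = check_crl(read_crl_next_update(), time.time())
    if result["renew"]:
        # Hook: regenerate the CRL here (e.g. with `openssl ca -gencrl` against
        # the OpenVPN CA) and restart/reload OpenVPN so it picks up the new file.
        print(f"CRL expires {result['next_update']}; regenerate it now")
    else:
        print(f"CRL valid until {result['next_update']}; nothing to do")


if __name__ == "__main__":
    main()
```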
The tls-remote directive is deprecated and will be removed with
OpenVPN version 2.4. Added --verify-x509-name HOST name
into ovpnmain.cgi instead.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Besides an error in the update.sh file, openvpn now uses a lease file,
to be able to "remember" dynamic IPs not just for runtime but beyond reboots
or restarts of openvpn.
Also modified rootfiles and cgi as well as lfs.