Notice: OpenVPN 2.3 with integrated IPv6 released
-
Hi
OpenVPN 2.3 with integrated IPv6 support has been released today!
As of now pfSense includes OpenVPN 2.2.0 + a IPv6 patch.
Seems by incorporating 2.3 we could get rid of the extra patch, but I don't know if
2.3 causes too much churn.As of writing FreeBSD's port is at 2.2.2 and recently change to OptionsNG, so maybe
their port will be updated soon. -
Does OpenVPN 2.3 also require a recent version of openssl ?
A couple of days ago, there was a new release of ipsec-tools 0.8.1, which requires a new openssl 0.9.8s (latest version of that branch is 0.9.8x, whereas pfsense 2.1-BETA is currently using 0.9.8q)
http://sourceforge.net/projects/ipsec-tools/files/ipsec-tools/0.8.1/
http://redmine.pfsense.org/issues/2616Edit: Apparently new OpenVPN needs openssl >0.9.7
-
We will probably update shortly. I think 2.3 does all we need, but we may want to put it in as a separate pfPort so that 2.0.x doesn't get the 2.3 version.
I'll also have to update the exe files for windows installers in the export package.
-
Updated the export packageโฆ the actual pfSense binary will come another day (may need databeestje to look it over since he's more familiar with the patches)
-
OpenVPN also offers building with PolarSSL support.
For IPSec tools we may have to update the base system's OpenSSL either from ports or by updating what's inside the 8-STABLE branch since
RELENG 8.3 remained at 0.9.8q (including security fixes).We already have a couple of backports from 8-STABLE (caused partly by mself), but OpenSSL, don't know of we should or could risk it
(which in turn requires us to maintain OpenSSL secure on our side RELENG 8.3 will only fix security bugs)
The diff stat between the 2 branches show quite some difference:git diff --shortstat origin/releng/8.3 origin/stable/8 crypto/openssl/ 85 files changed, 1646 insertions(+), 968 deletions(-)
-
Better option may just be to install openssl from ports and use both, the older stable one for the base OS bits and the ports one for things like racoon, php, etc.
There used to be an openssl port that overwrote the base version but it seems to have disappeared over the years.
We would need to make sure that things like certificate generation and other operations the require openssl don't break in the process.
At the very least I know we need to change/fix the code that generates certificates so that it puts the openssl config files in the right/expected place.
-
Just in case, the patch in 8-STABLE bumping OpenSSL applies cleanly on RELENG_8_3:
https://github.com/matsimon/pfsense-freebsd-patched/commit/ec497cbed721f4c6ccad30eccca599749fdfe438Extracting a patch for pfsense-tools is easy - but would you be willing to try?
-
might be worth trying.
If you can turn that into a pull request and reference ticket https://redmine.pfsense.org/issues/2616 (It's in the pfSense-tools project area) we can look it over deeper, maybe do a test run.
-
Done so, if you can pipe it through some builders.
This also the version realease version of 9.1 ships with - at least in terms of testing it has gone through the 9.1 release engineering process.I'm definitely not an expert on OpenSSL, the only thing I did was to extract this one huge patch and add the patch to the tools. ;-)
-
Not sure this alone is going to be sufficient the more I think about it, since the port would still fail unless this patch was applied to the builder itself and compiled before building the pfPort. Not really a bad thing per se, but it adds another manual step to an otherwise automated process, unless we add more code to account for that as wellโฆ
Using the ports version of OpenSSL may end up being easier.
-
Yes, as of now the pfPorts are built prior to 'make world' with the patches.
Didn't think of this first, hmm.Well, adding the port could then be a better option, anyway maintaing OpenSSL
then on our own is definitely something I'm very forward looking as well, OpenSSL still os considered being somehow a bit of a mess ;-) -
yeah, I think the time would be better spent making sure the openssl port works for us.
I believe it does, since we did run that way for a time earlier in the 2.x cycle accidentally, the only negative I recall was that we had to relocate the ssl configs otherwise cert generation failed.
PolarSSL looks interesting, not sure if that's another long-term option.
-
Just as another update: While ipsec-tools require bumping OpenSSL somehow, OpenVPN 2.3 does not (yet) require us to do so.
I just used portmaster on a vanilla 8.3 to build from the now updated ports. Currently looking at how to mangle our port - and possibly
detect issues with the GUI - I hope databeestje will also be able to have a look. -
Yes, OpenVPN 2.3 should be an easy swap. I see the FreeBSD ports tree has openvpn at 2.3_1 already, too.
-
Current snapshot build run will contain openvpn 2.3 when it finishes baking.
snapshots-8_3-amd64# pkg_info -Ix openvpn openvpn-2.3.0_1ย ย Secure IP/Ethernet tunnel daemon
-
OK, good, I saw you catched the password file modification.
awaiting crashes ;-)
-
Yeah and I also disabled easyrsa since we do not want that to be installed by default.
-
as usual, the upgrade was a snoozefest.
I cheated and downloaded the update tgz directly from the builder so I wouldn't have to wait for the whole snapshot run to upload.
tablet connected right up to the vpn and it's like nothing really changed. Pulled an IPv4 and IPv6 IP over the VPN tunnel and things look happy. I'll wait for others to report success or failure but to me it looks like an all-around win. So far.
-
Hehe - the positive effect of having had those large IPv6 patches allows now to quickly switch to 2.3 and its IPv6 capability.
My ISP doesn't do v6 but I'll at least v4 since that's what I can test more readily.
If things go right, any worries about dumping openvpn-ipv6 used in pfSense 2.0 and also switch to 2.3?P.S. Thanks for you testings jimp!
-
No reservations from me, but I'll ask around.
-
@MatSim:
If things go right, any worries about dumping openvpn-ipv6 used in pfSense 2.0 and also switch to 2.3?
IMHO it'd be best to focus onto finally shipping out 2.1, which is based on a supported FreeBSD release (whereas 2.0.x's FreeBSD 8.1 is EoL since Jul-2012) โฆ
-
@dhatz - 2.0.3 is already happening. Too many issues in 2.0.2 to leave it until 2.1 ships.
2.1 is getting closer, but the type of issues we can fix here take different people/resources than the things still broken on 2.1. It's not holding up anything on 2.1 to do this. The main question is if it could break something on 2.0.x in the process. If there's really any doubt, we tend to leave things alone, but openvpn tends to have really good releases that don't break much if anything at all.
-
2.1-BETA1 (i386)
built on Mon Jan 14 11:26:01 EST 2013
FreeBSD 8.3-RELEASE-p5
OpenVPN 2.3.0 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Jan 14 2013
Alix 2D13 nanoBSD
Test system running a simple OpenVPN config fine - 2 IPV4-only site-to-site clients connecting out to 2 remote offices. (No IPv6 on this one) -
(whereas 2.0.x's FreeBSD 8.1 is EoL since Jul-2012) โฆ
We're continuing to support 8.1, as we have since July. Most vendors use much older versions than 8.1 including a number of commercial firewall vendors.
-
@dhatz: If you look at pfsense-tools, it's more about getting rid of different openvpn ports laying around there.
Actually 2.0.2 ships wih OpenVPN 2.2.0 with an IPv6 patch, so did 2.1 snapshots until today.While 8.1 is EoL deemed by FreeBSD, last time a vulnerability was discovered against in 8.3/9.x and found present in pfSense has backported it to 2.0, so no worries in terms of security.
(https://github.com/bsdperimeter/pfsense-tools/blob/master/patches/RELENG_8_1/hostapd-8.diff) -
while ur at it, can u add a config for openvpn client connection to disable ipv6 if not required at all
-
while ur at it, can u add a config for openvpn client connection to disable ipv6 if not required at all
Not relevant to this thread at all, please don't hijack threads.
-
sorry