OpenVPN 2.5 released - Overview of changes
-
My 2.5 was short for pfSense 2.5.0, as this version would use OpenVPN 2.5.
2.4.5-p1 is using ..... well, you know.Sorry for the confusion.
-
@jimp said in OpenVPN 2.5-beta 1 released - Overview of changes in 2.5:
It's backward compatible as always
So it is good practice to use OVPN 2.5 in conjunction with pfSenses OVPN 2.4.*.
-
@Bob-Dig said in OpenVPN 2.5-beta 1 released - Overview of changes in 2.5:
So it is good practice to use 2.5 in conjunction with pfSenses 2.4.*.
As a client VPN in front of pfSense ?
Or in-place upgrading of the pfSense - OpenVPN - core files ?? From 2.4.9 to 2.5.
I which you good luck - tell us how you did it ;) -
@jimp isn't the
data-ciphers
parameter another problem? Current export packages export configs for 2.5.0clients with data-ciphers instead of ncp-ciphers. But even the config files for the 2.4.9 buttons contain that config statement that result in aOptions error: Unrecognized option or missing or extra parameter(s) in fwl01-UDP4-1194-<username>.ovpn:5: data-ciphers (2.4.9)
Isn't that something that needs to still be fixed?
-
There is probably a flaw in my logic in there, I made it so that if you checked the Legacy box it changed over to
ncp-
rather thandata-
but I must have missed making it assume legacy mode when exporting 2.4.x. -
@jimp said in OpenVPN 2.5 released - Overview of changes in 2.5:
There is probably a flaw in my logic in there, I made it so that if you checked the Legacy box it changed over to
ncp-
rather thandata-
but I must have missed making it assume legacy mode when exporting 2.4.x.Ah thought so :)
That exploded at a customers location today as the exported the config to a system that is still on 2.4.9 that threw errors. Then exported the 2.4.9 exe again - still errors. Fixed it after calling us by installing 2.5.0 over it but it's a weak point ATM. Perhaps the legacy section needs a config only point to export 2.4.x compat config. Not all admins have access to all clients' PCs or laptops. Mostly they already have ovpn installed so only send new configs that now don't work anymore but users may not be able to install new software themselves. -
I found a few problems with how I was building the cipher list for pfSense 2.5.0/2.4.5 and OpenVPN 2.5.0/2.4.x. I just pushed a fix, it'll be up shortly and should hopefully work for everyone.
-
And just when I thought I found them all, I came up with a couple more edge cases/incompatible cases that I addressed. New package is building and will be up shortly.
Hopefully now it's impossible to create a config with an empty cipher set or incompatible ciphers. For example now you can't set
CHACHA20-POLY1305
on legacy clients (OpenVPN 2.4.x and older) -
OpenVPN 2.5.1 โ Released 24 February, 2021
The OpenVPN community project team is proud to release OpenVPN 2.5.1. It includes several bug fixes and improvements as well as updated OpenSSL and OpenVPN GUI for Windows.
-
When will it be available for pfsense?
-
@jknott said in OpenVPN 2.5 released - Overview of changes:
When will it be available for pfsense?
When its ready ;) heheh
It just dropped today for gosh sake..
-
After we have time to properly evaluate and test it. Looking at the changelog I didn't see much that looked like it would affect many people running pfSense (positive or negative).
-
@johnpoz said in OpenVPN 2.5 released - Overview of changes:
It just dropped today for gosh sake..
Well, what's taking so long?
Hopefully, it will fix the issues we're seeing.
-
@jknott said in OpenVPN 2.5 released - Overview of changes:
it will fix the issues we're seeing.
Not seeing any issues, have both outbound to open access server. And inbound from different clients.. ZERO issues.. Both outbound and inbound working with zero need to do anything after upgrade.
If you had some odd config that was causing you problems with the new version of openvpn, not sure how upgrade to 2.5.1 openvpn is going to correct whatever current configuration issue you have.
-
Initially, I used the config from the previous pfsense version, which worked there, but failed with 2.5.0. I then started a new config from scratch, which also didn't work. I can connect if my notebook is connected to my local LAN (yeah, real useful), but not if I connect from outside my network. This tells me the config for OpenVPN is correct, otherwise I couldn't connect at all, but something is preventing it from working from elsewhere. What that something is, I haven't a clue, as I have never seen anything like this before.
As I mentioned in another thread, I have been setting up VPNs for almost 20 years, going back to CIPE on Redhat Linux, but also IPSec in my work and OpenVPN on my home network, so I'm not exactly a newbie at this.
-
Probably best to keep discussions of issues on their own threads. A lot changed in OpenVPN 2.5.0, and we tried to make the upgrade smooth, but there is only so much we can do for one side or the other to cope with the changes as well as to ensure we're not using deprecated features. There are some OS-level issues that can contribute to problems (like some reported issues with
reply-to
) but also some things are out of our control (like servers with unexpected data cipher lists that weren't used before, but are now).Most of the individual threads I've seen have had a variety of misunderstandings but eventually got solved one way or another before I could chime in.
-
OpenVPN 2.5.2 released
It fixes two related security vulnerabilities (CVE-2020-15078) which under very specific circumstances allow tricking a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with โโauth-gen-tokenโ or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account. OpenVPN 2.5.2 also includes other bug fixes and improvements. Updated OpenSSL and OpenVPN GUI are included in Windows installers.
-
Yeah, thanks. That will be good.
It's time for some new issues ;) -
@gertjan pfSense 2.5.2 is due anyways.
-
OpenVPN 2.5.3 released, working fine so far.
Bugfixes
CVE-2121-3606 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements OpenVPN windows builds could possibly load OpenSSL Config files from world writeable locations, thus posing a security risk to OpenVPN. As a fix, disable OpenSSL config loading completely on Windows. disable connect-retry backoff for p2p (--secret) instances (Trac #1010, #1384) fix build with mbedtls w/o SSL renegotiation support Fix SIGSEGV (NULL deref) receiving push "echo" (Trac #1409) MSI installers: properly schedule reboot in the end of installation fix small memory leak in free_key_ctx for auth_token
User-visible Changes
update copyright messages in files and --version output
New features
add --auth-token-user option (for --auth-token deployments without --auth-user-pass in client config) improve MSVC building for Windows official MSI installers will now contain arm64 drivers and binaries (x86, amd64, arm64)