OpenVPN 2.5 released - Overview of changes

jimp

After we have time to properly evaluate and test it. Looking at the changelog I didn't see much that looked like it would affect many people running pfSense (positive or negative).

JKnott

@johnpoz said in OpenVPN 2.5 released - Overview of changes:

It just dropped today for gosh sake..

Well, what's taking so long?

Hopefully, it will fix the issues we're seeing.

johnpoz

@jknott said in OpenVPN 2.5 released - Overview of changes:

it will fix the issues we're seeing.

Not seeing any issues, have both outbound to open access server. And inbound from different clients.. ZERO issues.. Both outbound and inbound working with zero need to do anything after upgrade.

If you had some odd config that was causing you problems with the new version of openvpn, not sure how upgrade to 2.5.1 openvpn is going to correct whatever current configuration issue you have.

JKnott

@johnpoz

Initially, I used the config from the previous pfsense version, which worked there, but failed with 2.5.0. I then started a new config from scratch, which also didn't work. I can connect if my notebook is connected to my local LAN (yeah, real useful), but not if I connect from outside my network. This tells me the config for OpenVPN is correct, otherwise I couldn't connect at all, but something is preventing it from working from elsewhere. What that something is, I haven't a clue, as I have never seen anything like this before.

As I mentioned in another thread, I have been setting up VPNs for almost 20 years, going back to CIPE on Redhat Linux, but also IPSec in my work and OpenVPN on my home network, so I'm not exactly a newbie at this.

jimp

Probably best to keep discussions of issues on their own threads. A lot changed in OpenVPN 2.5.0, and we tried to make the upgrade smooth, but there is only so much we can do for one side or the other to cope with the changes as well as to ensure we're not using deprecated features. There are some OS-level issues that can contribute to problems (like some reported issues with reply-to) but also some things are out of our control (like servers with unexpected data cipher lists that weren't used before, but are now).

Most of the individual threads I've seen have had a variety of misunderstandings but eventually got solved one way or another before I could chime in.

Bob.Dig

OpenVPN 2.5.2 released

It fixes two related security vulnerabilities (CVE-2020-15078) which under very specific circumstances allow tricking a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with “–auth-gen-token” or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account. OpenVPN 2.5.2 also includes other bug fixes and improvements. Updated OpenSSL and OpenVPN GUI are included in Windows installers.

Gertjan

@bob-dig

Yeah, thanks. That will be good.
It's time for some new issues ;)

Bob.Dig

@gertjan pfSense 2.5.2 is due anyways.

Bob.Dig

OpenVPN 2.5.3 released, working fine so far.

Bugfixes

CVE-2121-3606 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements

OpenVPN windows builds could possibly load OpenSSL Config files from world writeable locations, thus posing a security risk to OpenVPN.

As a fix, disable OpenSSL config loading completely on Windows.

disable connect-retry backoff for p2p (--secret) instances (Trac #1010, #1384)

fix build with mbedtls w/o SSL renegotiation support

Fix SIGSEGV (NULL deref) receiving push "echo" (Trac #1409)

MSI installers: properly schedule reboot in the end of installation

fix small memory leak in free_key_ctx for auth_token

User-visible Changes

update copyright messages in files and --version output

New features

add --auth-token-user option (for --auth-token deployments without --auth-user-pass in client config)
improve MSVC building for Windows
official MSI installers will now contain arm64 drivers and binaries (x86, amd64, arm64)

bcruze

@bob-dig said in OpenVPN 2.5 released - Overview of changes:

OpenVPN 2.5.3 released, working fine so far.

Bugfixes

CVE-2121-3606 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements

OpenVPN windows builds could possibly load OpenSSL Config files from world writeable locations, thus posing a security risk to OpenVPN.

As a fix, disable OpenSSL config loading completely on Windows.

disable connect-retry backoff for p2p (--secret) instances (Trac #1010, #1384)

fix build with mbedtls w/o SSL renegotiation support

Fix SIGSEGV (NULL deref) receiving push "echo" (Trac #1409)

MSI installers: properly schedule reboot in the end of installation

fix small memory leak in free_key_ctx for auth_token

User-visible Changes

update copyright messages in files and --version output

New features

add --auth-token-user option (for --auth-token deployments without --auth-user-pass in client config)
improve MSVC building for Windows
official MSI installers will now contain arm64 drivers and binaries (x86, amd64, arm64)

Did you update Pfsense somehow?
I would expect to see this in three months on the next version of plus?
but I could be wrong

Bob.Dig

@bcruze said in OpenVPN 2.5 released - Overview of changes:

Did you update Pfsense somehow?

No, I just used the new Windows-Client with the Server on pfSense.