Notice: OpenVPN 2.3 with integrated IPv6 released

  • Hi

    OpenVPN 2.3 with integrated IPv6 support has been released today!

    As of now pfSense includes OpenVPN 2.2.0 + a IPv6 patch.
    Seems by incorporating 2.3 we could get rid of the extra patch, but I don't know if
    2.3 causes too much churn.

    As of writing FreeBSD's port is at 2.2.2 and recently change to OptionsNG, so maybe
    their port will be updated soon.

  • Does OpenVPN 2.3 also require a recent version of openssl ?

    A couple of days ago, there was a new release of ipsec-tools 0.8.1, which requires a new openssl 0.9.8s (latest version of that branch is 0.9.8x, whereas pfsense 2.1-BETA is currently using 0.9.8q)

    Edit: Apparently new OpenVPN needs openssl >0.9.7

  • Rebel Alliance Developer Netgate

    We will probably update shortly. I think 2.3 does all we need, but we may want to put it in as a separate pfPort so that 2.0.x doesn't get the 2.3 version.

    I'll also have to update the exe files for windows installers in the export package.

  • Rebel Alliance Developer Netgate

    Updated the export package… the actual pfSense binary will come another day (may need databeestje to look it over since he's more familiar with the patches)

  • OpenVPN also offers building with PolarSSL support.

    For IPSec tools we may have to update the base system's OpenSSL either from ports or by updating what's inside the 8-STABLE branch since
    RELENG 8.3 remained at 0.9.8q (including security fixes).

    We already have a couple of backports from 8-STABLE (caused partly by mself), but OpenSSL, don't know of we should or could risk it
    (which in turn requires us to maintain OpenSSL secure on our side RELENG 8.3 will only fix security bugs)
    The diff stat between the 2 branches show quite some difference:

    git diff --shortstat origin/releng/8.3 origin/stable/8 crypto/openssl/
     85 files changed, 1646 insertions(+), 968 deletions(-)

  • Rebel Alliance Developer Netgate

    Better option may just be to install openssl from ports and use both, the older stable one for the base OS bits and the ports one for things like racoon, php, etc.

    There used to be an openssl port that overwrote the base version but it seems to have disappeared over the years.

    We would need to make sure that things like certificate generation and other operations the require openssl don't break in the process.

    At the very least I know we need to change/fix the code that generates certificates so that it puts the openssl config files in the right/expected place.

  • Just in case, the patch in 8-STABLE bumping OpenSSL applies cleanly on RELENG_8_3:

    Extracting a patch for pfsense-tools is easy - but would you be willing to try?

  • Rebel Alliance Developer Netgate

    might be worth trying.

    If you can turn that into a pull request and reference ticket (It's in the pfSense-tools project area) we can look it over deeper, maybe do a test run.

  • Done so, if you can pipe it through some builders.
    This also the version realease version of 9.1 ships with - at least in terms of testing it has gone through the 9.1 release engineering process.

    I'm definitely not an expert on OpenSSL, the only thing I did was to extract this one huge patch and add the patch to the tools. ;-)

  • Rebel Alliance Developer Netgate

    Not sure this alone is going to be sufficient the more I think about it, since the port would still fail unless this patch was applied to the builder itself and compiled before building the pfPort. Not really a bad thing per se, but it adds another manual step to an otherwise automated process, unless we add more code to account for that as well…

    Using the ports version of OpenSSL may end up being easier.

  • Yes, as of now the pfPorts are built prior to 'make world' with the patches.
    Didn't think of this first, hmm.

    Well, adding the port could then be a better option, anyway maintaing OpenSSL
    then on our own is definitely something I'm very forward looking as well, OpenSSL still os considered being somehow a bit of a mess ;-)

  • Rebel Alliance Developer Netgate

    yeah, I think the time would be better spent making sure the openssl port works for us.

    I believe it does, since we did run that way for a time earlier in the 2.x cycle accidentally, the only negative I recall was that we had to relocate the ssl configs otherwise cert generation failed.

    PolarSSL looks interesting, not sure if that's another long-term option.

  • Just as another update: While ipsec-tools require bumping OpenSSL somehow, OpenVPN 2.3 does not (yet) require us to do so.

    I just used portmaster on a vanilla 8.3 to build from the now updated ports. Currently looking at how to mangle our port - and possibly
    detect issues with the GUI - I hope databeestje will also be able to have a look.

  • Rebel Alliance Developer Netgate

    Yes, OpenVPN 2.3 should be an easy swap. I see the FreeBSD ports tree has openvpn at 2.3_1 already, too.

  • Rebel Alliance Developer Netgate

    Current snapshot build run will contain openvpn 2.3 when it finishes baking.

    snapshots-8_3-amd64# pkg_info -Ix openvpn
    openvpn-2.3.0_1     Secure IP/Ethernet tunnel daemon

  • OK, good, I saw you catched the password file modification.

    awaiting crashes ;-)

  • Rebel Alliance Developer Netgate

    Yeah and I also disabled easyrsa since we do not want that to be installed by default.

  • Rebel Alliance Developer Netgate

    as usual, the upgrade was a snoozefest.

    I cheated and downloaded the update tgz directly from the builder so I wouldn't have to wait for the whole snapshot run to upload.

    tablet connected right up to the vpn and it's like nothing really changed. Pulled an IPv4 and IPv6 IP over the VPN tunnel and things look happy. I'll wait for others to report success or failure but to me it looks like an all-around win. So far.

  • Hehe - the positive effect of having had those large IPv6 patches allows now to quickly switch to 2.3 and its IPv6 capability.

    My ISP doesn't do v6 but I'll at least v4 since that's what I can test more readily.
    If things go right, any worries about dumping openvpn-ipv6 used in pfSense 2.0 and also switch to 2.3?

    P.S. Thanks for you testings jimp!

  • Rebel Alliance Developer Netgate

    No reservations from me, but I'll ask around.

  • @MatSim:

    If things go right, any worries about dumping openvpn-ipv6 used in pfSense 2.0 and also switch to 2.3?

    IMHO it'd be best to focus onto finally shipping out 2.1, which is based on a supported FreeBSD release (whereas 2.0.x's FreeBSD 8.1 is EoL since Jul-2012) …

  • Rebel Alliance Developer Netgate

    @dhatz - 2.0.3 is already happening. Too many issues in 2.0.2 to leave it until 2.1 ships.

    2.1 is getting closer, but the type of issues we can fix here take different people/resources than the things still broken on 2.1. It's not holding up anything on 2.1 to do this. The main question is if it could break something on 2.0.x in the process. If there's really any doubt, we tend to leave things alone, but openvpn tends to have really good releases that don't break much if anything at all.

  • 2.1-BETA1 (i386)
    built on Mon Jan 14 11:26:01 EST 2013
    FreeBSD 8.3-RELEASE-p5
    OpenVPN 2.3.0 i386-portbld-freebsd8.3 [SSL (OpenSSL)] [LZO] [eurephia] [MH] [IPv6] built on Jan 14 2013
    Alix 2D13 nanoBSD
    Test system running a simple OpenVPN config fine - 2 IPV4-only site-to-site clients connecting out to 2 remote offices. (No IPv6 on this one)

  • @dhatz:

    (whereas 2.0.x's FreeBSD 8.1 is EoL since Jul-2012) …

    We're continuing to support 8.1, as we have since July. Most vendors use much older versions than 8.1 including a number of commercial firewall vendors.

  • @dhatz: If you look at pfsense-tools, it's more about getting rid of different openvpn ports laying around there.
    Actually 2.0.2 ships wih OpenVPN 2.2.0 with an IPv6 patch, so did 2.1 snapshots until today.

    While 8.1 is EoL deemed by FreeBSD, last time a vulnerability was discovered against in 8.3/9.x and found present in pfSense has backported it to 2.0, so no worries in terms of security.

  • while ur at it, can u add a config for openvpn client connection to disable ipv6 if not required at all

  • Rebel Alliance Developer Netgate


    while ur at it, can u add a config for openvpn client connection to disable ipv6 if not required at all

    Not relevant to this thread at all, please don't hijack threads.

  • sorry