Hello everyone, OpenVPN 2.7 is out! Finally.
However, I am not entirely sure when we should make the switch. We would gain a couple of features like DCO, but so far not many people have actually asked for them. Although it would improve bandwidth, I don’t think many people have a lot of OpenVPN traffic on weak hardware so that this is an issue. On the other hand, Adolf is right. Every OpenVPN upgrade is a huge job. A lot of things are being changed and we only find out in the middle of the testing phase. So what should we do? I suppose at some point we have to make the switch. But until then I would not mind to have at least a few of the teething issues resolved in a .1, or even .2 release. Regarding the redirect-gateway problem, I cannot see anything in the change log that touched this. This therefore proves my point from above that there are a lot of hidden “features” to find. Erik, what needs to be changed to make the message go away; what change of behaviour would we see? -Michael > On 19 Feb 2026, at 17:38, Adolf Belka <[email protected]> wrote: > > Hi Erik, > > On 19/02/2026 18:25, ummeegge wrote: >> Hello Adolf, >> great so you know about :-) . >> Have you recognized the redirect-gateway message too ? > > No. I tested the build with my existing client connections by installing 2.7 > and restoring my backup and testing out the connections for roadwarrior and > n2n. None of my connections had the redirect-gateway option selected. > > >> Also, did you check the new script in libexec `dns-updown` ? It seems >> that this is a kind of new feature from 2.7.0 (haven´t digged deeper) ? > > No. I was just checking that existing connections would still work with 2.7 > on my thought that we would first move from 2.6 to 2.7 and then look at > additional options like DCO etc as follow-up modifications. Of course we > could also jump right in to them but then there would need to be more testing > for both the major version change and the additional options, especially if > those are globally applied and implemented ones. I am not familiar enough > with those options to come to any conclusion on that. > > I was just thinking of making any changes in smaller steps that are easier to > confirm as working. > I don't fancy another change like we had to do from 2.5 running without > negotiation to 2.6 with all its changes. > > Regards, > > Adolf. > > >> Best, >> Erik >> Am Donnerstag, dem 19.02.2026 um 17:04 +0100 schrieb Adolf Belka: >>> Hi Erik, >>> >>> >>> On 19/02/2026 16:03, ummeegge wrote: >>>> Hi all, >>>> >>>> since OpenVPN 2.7.0 was released last week, I’ve done some more >>>> testing >>>> with the new DCO flag. >>>> >>>> ``` >>>> @@ -73,10 +73,10 @@ $(TARGET) : $(patsubst >>>> %,$(DIR_DL)/%,$(objects)) >>>> cd $(DIR_APP) && ./configure \ >>>> --prefix=/usr \ >>>> --sysconfdir=/var/ipfire/ovpn \ >>>> - --enable-iproute2 \ >>>> --enable-plugins \ >>>> --enable-plugin-auth-pam \ >>>> - --enable-plugin-down-root >>>> + --enable-plugin-down-root \ >>>> + --enable-dco >>>> ``` >>>> >>>> I’ve found a couple of other issues: >>>> >>>> There have been some changes in the management interface, and a >>>> protocol prefix is now included (e.g. udp4:). >>>> As a result, the old regex patterns for >>>> a) OpenVPN Connection Statistics and >>>> b) Connection Status >>>> no longer update or show data. This shouldn’t be hard to fix. >>> >>> I already have patch fixes for this from my testing of the alpha3, >>> beta1 and rc1. If you go to my IPFire git repo (link at end of this >>> mail) the patch is in that rc1 branch. There is also the removal of >>> the deprecated persist-key which is now always enabled by default. >>> >>> Regards, >>> >>> Adolf. >>> >>>> >>>> With OpenVPN 2.7.0, a MULTI ERROR appears when creating a client >>>> with >>>> “redirect-gateway”. Example message: >>>> >>>> ``` >>>> Feb 19 13:34:36 ipfire-prime openvpnserver[7329]: >>>> PeterForden/udp4:192.168.110.10:38103 MULTI ERROR: primary virtual >>>> IP >>>> for PeterForden/udp4:192.168.110.10:38103 (10.12.52.2) violates >>>> tunnel >>>> network/netmask constraint (10.73.104.0/255.255.255.0) >>>> ``` >>>> >>>> The connection still works fine, but the log entries don’t look >>>> good. >>>> This happens because older setups used `redirect-gateway def1` in >>>> the >>>> advanced options, and remnants of this are still present in >>>> server.conf >>>> (push "redirect-gateway def1"), even though the checkbox for this >>>> option has disappeared. >>>> >>>> When creating a new client, enabling redirect-gateway (here without >>>> def1) now triggers this MULTI ERROR (“violates tunnel >>>> network/netmask >>>> constraint”). >>>> >>>> Using redirect-gateway def1 might actually be the better and more >>>> modern approach, since it adds two more specific routes (0.0.0.0/1 >>>> and >>>> 128.0.0.0/1) instead of replacing the original default route — >>>> keeping >>>> it available as a fallback. >>>> >>>> → Should `redirect-gateway def1` therefore be pushed globally for >>>> all >>>> clients? If not explicitly configured otherwise, it would still >>>> apply. >>>> >>>> So far, DCO seems to makes his job. >>>> >>>> Some smaller issues have been noticed, but I think these are the >>>> key >>>> points so far. >>>> >>>> Hope this mail isn’t **too long**, but I thought it might be useful >>>> to >>>> share. >>>> >>>> Best, >>>> >>>> Erik >>>> >>>> Am Donnerstag, dem 06.11.2025 um 22:19 +0100 schrieb Adolf Belka: >>>>> Hi All, >>>>> >>>>> Follow-on from my previous mails about testing openvpn- >>>>> 2.7_alpha3. >>>>> >>>>> Since then I have tested out openvpn-2.7_beta1 and today I tested >>>>> out >>>>> openvpn-2.7_rc1 >>>>> >>>>> It built without any problems and I also tested it on my vm >>>>> system >>>>> and confirmed that my android phone and linux laptop road >>>>> warriors >>>>> worked without any problems. >>>>> I also tested out the n2 connection with openvpn-2.7_rc1 at one >>>>> end >>>>> and openvpn-2.6.15 at the other end and it connected without any >>>>> issues. >>>>> >>>>> So the rc1 version has performed as the previous alpha3 and beta1 >>>>> versions. >>>>> >>>>> I have merged the build branch into my ipfire repo >>>>> >>>>> https://git.ipfire.org/?p=people/bonnietwin/ipfire-2.x.git;a=shortlog;h=refs/heads/openvpn-2.7_rc1 >>>>> >>>>> Regards, >>>>> >>>>> Adolf. >>>> >>> > >
