Hi,

The OpenVPN 3 Linux v17 (beta) is now available.  This release consists
mostly of several enhancements of various sizes.

* Behaviour change: Only AEAD ciphers available for data channel by default

  As part of the OpenSSL 3 support, non-AEAD ciphers are no longer enabled
  by default for the data channel.  That essentially means only AES-GCM
  and, if the TLS library supports it, ChaCha20-Poly1305 are available.

  To restore the previous behaviour, the configuration profile must be
  imported via 'openvpn3 config-import' and then use an override setting:

    $ openvpn3 config-manage --enable-legacy-algorithms true \
                             --config $CONFIG_NAME

* Command line: openvpn3 config-dump

  The openvpn3 config-show command has been deprecated in favour of
  openvpn3 config-dump.  This is to avoid ambiguity in behaviour with
  commands supporting --show and to more clearly indicate it is the
  configuration _file_ and not the configuration profile being displayed.

* Feature: openvpn3 session-auth command

  This is a new command which can be used to interact with VPN sessions
  requiring interaction related to user authentication.  This is
  useful if the initial connection had not completed properly or if
  the server requires the user to re-authenticate.

* Enhancement: Log level improvements on client log data

  In prior releases, the default log level in the backend process
  was set to 6, which is a debug level.  With this release, the
  default log level is 3.  But this is now more easily configurable.

  - The OpenVPN 3 VPN Client process now parses and respects the
    --verb option.
  - The configuration profile can set a log-level override.

  - Running VPN sessions can be adjusted on-the-fly using the
    new --log-level option in openvpn3 session-manage.
    Changes using this approach are instant.

  - The default log level can also be changed by editing
    /usr/share/dbus-1/system-services/net.openvpn.v3.backends.service.
    Add the '--client-log-level 6' to the program in the Exec= line to
    restore the previous default log level.

* Enhancement: Full support for --static-challenge

  Both the OpenVPN 3 client implementation and Python interface
  have gained full support for the --static-challenge option.

* Enhancement: systemd user credential passing

  When starting a VPN session via the openvpn3-session@.service unit
  file, the systemd-ask-password mechanism will be used to retrieve the
  requested user credentials.

* Enhancement: VPN session ownership transfer

  For configuration profiles shared with more users, the session
  owner is the user who started the VPN session.

  With this release, the configuration owner can set the
  --transfer-owner-session flag via openvpn3 config-acl.  This
  will make the configuration profile owner the session owner
  as well, regardless of which user starts the session.  The
  user starting the session will automatically be granted ACL
  entries to manage the session and access the VPN log events.

  This is useful for VPN profiles being started automatically during
  boot via the systemd openvpn3-session@.service unit file.  These
  sessions are typically started as root, but the session owner
  can end up being a different user on the system.  But the user
  needs to grant access to the profile for the root user for this
  to work.

* Extend openvpn3-as with an --insecure-certs option

  In v16_beta, the openvpn3-as utility was extended to validate the
  https server certificate of the OpenVPN Access Server.  For servers
  using self-signed certificates or signed by an unknown CA, this tool
  would no longer work.  By using this option, the user instructs this
  tool to ignore such issues.

* Bugfix: Persistent configuration profiles with multiple --remote

  Configuration files containing multiple --remote lines would not
  be preserved correctly in the saved configuration profile; only the
  last entry would be stored.  This has been improved and all entries
  will now be preserved at import time.

  Beware: Configuration profiles will need to be re-imported to
  restore all the --remote entries.

* Bugfix: Fix --tls-crypt-v2 in the Python parser

  In prior releases, configurations started via the Python interface
  would fail with an error if --tls-crypt-v2 was used.  This is now
  fixed.

* Bugfix: Fix Python file loading with spaces in file names

  In prior releases, the configuration parser parsed file names
  containing spaces incorrectly.  This has been improved.

* Bugfix: Non-functional shell completion for config files

  The prior release regressed on shell completion for OpenVPN
  configuration files via the openvpn3 config-import and session-start
  commands.  This has been resolved in this release.

* Distro: Builds on distributions using musl instead of glibc

  Building OpenVPN 3 Linux on Alpine did not work too well as there
  were several aspects not compatible with the development stack on
  this distribution.  Both the OpenVPN 3 Core library and the Linux
  client have been modified to be able to build successfully.

* Distro: Python 3.6 or newer is now required

  As of this release, any Linux distribution with Python older
  than version 3.6 is no longer supported.  This removes the
  support for Debian 9.


Supported Linux distributions
-----------------------------

  - Debian 10 (amd64, arm64)
  - Debian 11 (amd64, arm64)
  - CentOS 7 (x86_64)
  - CentOS 8 (x86_64, aarch64)
  - Fedora 34, 35 and Rawhide (x86_64, aarch64, s390x)
  - Red Hat Enterprise Linux 7 (x86_64)
  - Red Hat Enterprise Linux 8 (x86_64, aarch64)
  - Ubuntu 18.04, 20.04 and 21.04 (amd64, arm64)
  - Ubuntu 21.10 (amd64, arm64) is available for testing

The arm64 support on selected Debian and Ubuntu releases is
currently considered a tech-preview.


--
kind regards,

David Sommerseth
OpenVPN Inc


---- Source tarballs ---------------------------------------------------
* OpenVPN 3 Linux v17 beta

  <https://swupdate.openvpn.net/community/releases/openvpn3-linux-17_beta.tar.xz>
  <https://swupdate.openvpn.net/community/releases/openvpn3-linux-17_beta.tar.xz.asc>

---- SHA256 Checksums --------------------------------------------------

9eba02c67d3e5606ee8d02e0d60032009d3f97a0564d42c91ff154fb06b47e61  openvpn3-linux-17_beta.tar.xz
b1a3928074eed09ebde6ad03b51551883abd357fa2dd5f61bdb07285bf5b50d1  openvpn3-linux-17_beta.tar.xz.asc

---- git references ----------------------------------------------------

git repositories:
    <https://gitlab.com/openvpn/openvpn3-linux>
    <https://github.com/OpenVPN/openvpn3-linux>

git tag: v17_beta
git commit: 079e9da7f66f5cca59cf80ba8c548f0dedd433db

---- Changes from v16 to v17 -------------------------------------------

David Sommerseth (61):
      cli/session-start: Add --background support
      log: Improve LogEvent formatting
      log: Use the LogEvent GVariant generator in LogSender
      log: Extend the LogSender::Log() with duplicate check
      client: Simplify BackendSignals::Log()
      client: Remove some not needed log duplication
      client: Don't switch to Reconnecting state on initial connect
      python: Remove aenum workaround for Python 3.5 or older
      python: Remove spurious import line from openvpn2
      python: Ignore --mute-replay-warnings option
      python: Add --insecure-certs option to openvpn3-as
      git: Switch to https for submodules
      python: Extend ConfigParser to understand --tls-crypt-v2
      python: Fix a few errors in ConfigParser
      sessionmgr: Fix incorrect LogEvent proxy format
      core-ext: Properly parse options which may be used more times
      common: Extend MachineID to support systemd API for machine-id
      python: Fix incorrect parsing of filenames with spaces
      client: Add support for static-challenge configurations
      common: Extend command line parser with alias command support
      ovpn3cli: Depreacte config-show in favour of config-dump
      core: Update to latest OpenVPN 3 Core library
      build: Avoid GNUism in Makefile.am
      configmgr/client: Remove support for forcing AES-CBC cipher
      configmgr: Extend with session ownership transfer flag
      ovpn3cli: Extend config-acl to support --transfer-owner-session
      sessionmgr: Respect the configuration profile transfer-ownership flag
      client: Parse the --verb option to set log-level
      client: Add support for 'log-level' override
      sessionmgr: Retrieve the client log-level for the session log-level
      sessionmgr: Proxy log-level settings in session to backend
      tests: Extend config-export-json-test to process files too
      core-ext: Fix incorrect handling of --static-challenge in JSON export
      systemd: Fix incorrect access to mainloop object in status handler
      systemd: Fix incorrect sd_notify() behaviour
      systemd: Add support for profiles needing user credentials
      common/shell: Fix bash-completion for options with optional arguments
      common: Don't throw an exception in ParsedArgs::GetValueLen()
      ovn3cli/session: Extend session-manage to set session log-level
      core: Update to latest OpenVPN 3 Core library
      dbus: Change the proxy call timeout to 5 seconds
      log: Don't throw exception on invalid LogGroup/LogCategory
      client: Use the proper index value to retrieve the --verb value
      client: Change default log-level to 3
      systemd: Do not change the log level at startup by default
      client: Extend StatusEvent with stringstream formatting control
      cli/session: Extend the session module with session-auth
      cli/session: Extend session-auth to also list URL based auth
      cli/session: Implement completing on-going auth in session-auth
      cli/session: Add shell-completion support for session-auth
      cli/session: Remove "Auth URL" from sessions-list
      man: Add missing --log-level entry in openvpn3-config-manage
      client: Set proper status when needing user credentials
      ovpn-dco: Update to latest git master
      client: Configuration file --verb must not override profile log-level
      sessionmgr: Always change the SessionObject log level
      dbus/creds: Use creds specific exception for user lookup issues
      sessionmgr: Add more debug details of credentials check fails
      core: Update to latest OpenVPN 3 Core library
      client/cli: Add --enable-legacy-algorithms override
      shell: Fix bash completion for file/directory names

Samuli Seppänen (2):
      docs: Remove redundant package from Fedora build deps command-line
      docs: Fix setup instructions for CentOS 8

-------------------------------------------------------------------------
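
The AEAD-only default described in the announcement above can be checked against existing profiles before upgrading. This is an added example, not part of the original message or the OpenVPN 3 Linux code: it scans a profile for data channel cipher directives and separates AEAD from non-AEAD names. The directive list (cipher, data-ciphers, ncp-ciphers, data-ciphers-fallback), the function names and the sample profile are assumptions made for the illustration.

```python
import re

# Assumption: the profile directives that name data channel ciphers.
CIPHER_DIRECTIVES = {"cipher", "data-ciphers", "ncp-ciphers", "data-ciphers-fallback"}
# AEAD ciphers named in the announcement: AES-GCM and ChaCha20-Poly1305.
AEAD_PATTERN = re.compile(r"^(AES-(128|192|256)-GCM|CHACHA20-POLY1305)$", re.IGNORECASE)

# Constructed sample profile, not taken from a real deployment.
SAMPLE = """\
client
remote vpn.example.net 1194 udp
cipher AES-256-CBC  # constructed legacy setting
data-ciphers AES-256-GCM:CHACHA20-POLY1305:AES-128-CBC
; cipher BF-CBC
"""


def audit_profile(text):
    """Return (aead, legacy) lists of (line_no, directive, cipher) tuples."""
    aead, legacy = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # Drop '#' and ';' comments, then surrounding whitespace.
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        directive = parts[0].lstrip("-").lower()
        if directive not in CIPHER_DIRECTIVES:
            continue
        # List-style directives carry colon-separated cipher names.
        for name in parts[1].split(":"):
            entry = (line_no, directive, name.upper())
            (aead if AEAD_PATTERN.match(name) else legacy).append(entry)
    return aead, legacy


def names_legacy_cipher(text):
    """True if the profile names at least one non-AEAD data channel cipher."""
    return bool(audit_profile(text)[1])


if __name__ == "__main__":
    aead, legacy = audit_profile(SAMPLE)
    for line_no, directive, name in legacy:
        print(f"line {line_no}: {directive} names non-AEAD cipher {name}")
    if legacy:
        print("Profile may need: openvpn3 config-manage "
              "--enable-legacy-algorithms true --config $CONFIG_NAME")
```

A flagged profile only needs the override if the server cannot negotiate one of the AEAD ciphers; a profile that lists both kinds may connect without it.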
