Hi,

The OpenVPN 3 Linux v16 (beta) is now available.  This release is
mostly a bug-fix release with several known issues resolved
and a few minor feature additions.

Instructions how to install OpenVPN 3 Linux can be found here:
<https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux>

Noticeable changes:

* Bug: Incompatible OCC strings sent to server

  The v15_beta release updated the OpenVPN 3 Core library
  leading to an incompatibility for some users.  This issue
  has now been resolved in a later update of the Core library.

  - OCC strings sent over the wire to the server are now always
    prefixed with TCPv4 or UDPv4.
    <https://github.com/OpenVPN/openvpn3/commit/dee1b625c3>

* Bug: DNS caching issues for long-running VPN client sessions

  Before v16_beta, the client would do a DNS lookup before
  connecting and preserve those lookups if --persist-tun was
  used.  This works fine until the configured server changes
  IP address and is no longer reachable.  Then the client will
  go into a reconnect loop trying to connect, but no other DNS
  lookups would be done.  The Core library has implemented an
  improved approach which will trigger a new DNS lookup in cases
  where it can no longer get a connection established.

  Important related changes:
  <https://github.com/OpenVPN/openvpn3/commit/e365c44b08658>
  <https://github.com/OpenVPN/openvpn3/commit/2e3774c059705>

    NOTE: This is not a perfect solution.  Clients on networks
          utilizing NAT64 are expected to fail when connecting
          to a server on an IPv4 address where it changes during
          the runtime of the client.  The best way to resolve
          this is to make the server available via IPv6 as well.

* Bug: Pushed DNS search domains didn't work well

  Several reports indicated that pushing DOMAIN or
  DOMAIN-SEARCH didn't enable them as search domains properly
  when using systemd-resolved.  This has been fixed by not
  tagging each domain as a routing domain.  This may for some
  users change the lookup behaviour so all DNS queries are sent
  to multiple DNS servers instead of just the VPN provided DNS
  server.  We will investigate further how to reduce these
  side-effects when utilizing systemd-resolved.

* Improvement: Do not use connection timeout by default

  Both the 'openvpn3 session-start' and 'openvpn3-autoload'
  had a timeout behaviour where they would stop running if they
  didn't get a connection established within approx. 30 seconds.
  If the server is unavailable or the client is on a network
  with temporary connection issues, this is a drawback.

  The solution is to remove the current timeout behaviour.  The
  'openvpn3 session-start' command has been extended with a
  --timeout argument which can be used to restore the previous
  behaviour.

* Improvement: openvpn3-as now requires properly signed https server
  certificates.

  Prior versions of openvpn3-as didn't verify the https server
  certificate.  This has now been fixed.

* Improvement: Add better systemd integration for sessions

  This release introduces a Python based systemd integration,
  which will start a pre-imported (openvpn3 config-import)
  configuration profile using the openvpn3-sessions@.service
  unit file.  This can also be used to start connections
  automatically during boot.

  The advantage this has over openvpn3-autoload is that it
  manages VPN sessions one-by-one, while openvpn3-autoload just
  loaded and started everything configured without any real
  session management.  Using the openvpn3-sessions@.service,
  the session status is now also available via 'systemctl' and
  log events are easily found via 'journalctl'.  If a session
  is stopped via 'openvpn3 session-manage', this is also
  reflected in 'systemctl'.

  See the openvpn3-systemd(8) man page for details:
  <https://github.com/OpenVPN/openvpn3-linux/blob/master/docs/man/openvpn3-systemd.8.rst>

  This support is not complete yet, and will be extended
  in coming releases.

* Improvement: Support for the newer WEB_AUTH pending auth method

* Improvement: Extend openvpn3-admin with a sessionmgr-service command.

  This new command currently only supports listing
  all running VPN sessions on the host, along with the owner of
  each session as well as the tun/DCO interface in use.

  See the openvpn3-admin-sessionmgr-service(8) man page for
  details:
  <https://github.com/OpenVPN/openvpn3-linux/blob/master/docs/man/openvpn3-admin-sessionmgr-service.8.rst>

* Improvement: Python based configuration parser updates

  The configuration parser used by openvpn2, openvpn3-autoload
  and the new openvpn3-systemd integration now ignores
  --ncp-ciphers, --data-ciphers and --data-ciphers-fallback.

  These options were added in OpenVPN 2.4 and 2.5 to help
  migration from prior default ciphers to better ones.
  Connecting to some servers could need a more specific cipher
  to be set.  This is believed not to be needed in OpenVPN 3,
  so instead we just ignore these options if found.

* Build: Code has been made reproducible

  It should now be possible to rebuild the code using the
  same host or image and get the exact same binary output.  The
  only supported distribution whose builds are not reproducible
  at the moment is CentOS 7.


Supported Linux distributions:
  - Debian 9 (amd64) << !! Last update for this release !!
  - Debian 10 (amd64, arm64)
  - Debian 11 (amd64, arm64)
  - CentOS 7 (x86_64)
  - CentOS 8 (x86_64, aarch64)
  - Fedora 33, 34 and Rawhide (x86_64, aarch64, s390x)
  - Red Hat Enterprise Linux 7 (x86_64)
  - Red Hat Enterprise Linux 8 (x86_64, aarch64)
  - Ubuntu 18.04, 20.04 and 21.04 (amd64, arm64)

The next release will also add Ubuntu 21.10 support.

The arm64 support on selected Debian and Ubuntu releases is
currently considered a tech-preview.

This will also be the last release which includes support for Debian 9.
As of the next release Debian 10 and CentOS 7/RHEL 7 will be the oldest
supported releases.

The Data Channel Offload (DCO) tech-preview feature is supported
in these distributions:

  - CentOS 8
  - Fedora 33, 34 and Rawhide
  - Ubuntu 20.04 and 21.04
  - Red Hat Enterprise Linux 8

We have not yet had any chance to test DCO on Debian 11.
Ubuntu 21.10 will also get ovpn-dco packages.  This work will
be part of the next release.


--
kind regards,

David Sommerseth
OpenVPN Inc
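
The DNS caching bug described in the announcement, as an added example that is not part of the original post and is not OpenVPN 3 Core code: a toy reconnect loop that keeps its resolved addresses is compared with one that repeats the lookup once every cached address has failed. The class, the hostname and the documentation-range addresses are constructed for illustration.

```python
from typing import Callable, List, Optional


class ReconnectingClient:
    """Toy client that keeps resolved addresses across reconnects."""

    def __init__(self, host: str, resolve: Callable[[str], List[str]],
                 connect: Callable[[str], bool], refresh_on_failure: bool):
        self.host, self.resolve, self.connect = host, resolve, connect
        self.refresh_on_failure = refresh_on_failure
        self.cached: List[str] = []   # addresses kept between reconnects
        self.lookups = 0

    def lookup(self) -> None:
        self.cached = self.resolve(self.host)
        self.lookups += 1

    def reconnect(self, max_rounds: int = 3) -> Optional[str]:
        if not self.cached:
            self.lookup()                      # initial lookup only
        for _ in range(max_rounds):
            for ip in self.cached:
                if self.connect(ip):
                    return ip
            if self.refresh_on_failure:
                self.lookup()                  # every cached address failed
        return None                            # gave up on the cached data


def simulate(refresh_on_failure: bool):
    # Constructed data: documentation-range addresses and a made-up hostname.
    dns = {"vpn.example.net": ["192.0.2.10"]}
    reachable = {"192.0.2.10"}
    client = ReconnectingClient("vpn.example.net", lambda h: list(dns[h]),
                                lambda ip: ip in reachable, refresh_on_failure)
    first = client.reconnect()
    # The server moves to a new address while the client session is running.
    dns["vpn.example.net"] = ["198.51.100.20"]
    reachable.clear()
    reachable.add("198.51.100.20")
    second = client.reconnect()
    return first, second, client.lookups


if __name__ == "__main__":
    print("cached only:       ", simulate(False))
    print("refresh on failure:", simulate(True))
```
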


---- Source tarballs ---------------------------------------------------
* OpenVPN 3 Linux v16 beta

  <https://swupdate.openvpn.net/community/releases/openvpn3-linux-16_beta.tar.xz>
  <https://swupdate.openvpn.net/community/releases/openvpn3-linux-16_beta.tar.xz.asc>

---- SHA256 Checksums --------------------------------------------------

3c8a4e26feca72a7d8887426c496a148df4606b9656f720848853c1f17a030a4  openvpn3-linux-16_beta.tar.xz
7aa2ae44e8c7cfcf5b9129107ab7842b97ad6f026385c8e65c79045bb1500c9a  openvpn3-linux-16_beta.tar.xz.asc

---- git references ----------------------------------------------------

git repositories:
    <https://gitlab.com/openvpn/openvpn3-linux>
    <https://github.com/OpenVPN/openvpn3-linux>

git tag: v16_beta
git commit: 713b35e908489579bf5246b577373880923cf6fe

---- Changes from v15 to v16 -------------------------------------------

Arne Schwabe (1):
      Implement WEB_AUTH auth pending method

David Sommerseth (39):
      vendor: Upgrade to googletest 1.11
      python: Harden openvpn3-as HTTPS connect
      ovpn3cli: Add --timeout support to session connect operations
      python: Remove connection attempt counting in openvpn3-autoload
      python: Add SessionManagerEventType constants
      python: Add SessionManagerEvent callback
      systemd: Add support for VPN session management via systemd
      sessionmgr: Grammar fix in an error message
      sessionmgr: Split out pure manager functions from OpenVPN3SessionProxy
      python: Use std namespace explicitly
      dbus: Add DBusProxy::Introspect() method
      tests: Make netcfg-proxy-unit test aware of other devices
      dbus/creds: Add new DBusCredentials::CheckACL_allowRoot() method
      sessionmgr: Grant root user access to read all session properties
      ovpn3cli/admin: Add sessionmgr-service command
      common: Fix duplicated imports of config.h
      sessionmgr: Simplify the ACL check for properties
      cli/sessionmgr: Simplify property extraction
      core: Update OpenVPN 3 Core library (DNS cache fix)
      common: Improve the OptionValueType::Present implementation
      common: Extend Configuration::File with an UnsetOption() method
      common: Configuration::File - Add backwards compat parsing for present opts
      cli/admin: Call instead Config::File::UnsetOption() on --config-unset
      common: Add private ParsedArgs::remove_arg() method
      common: Simplify ParsedArgs::ImportConfigFile()
      common: Don't throw on missing key in ParsedArgs::GetAllValues()
      cli/openvpn3: Fix missing space in config-remove warning
      cli/config: Fix incorrect spelling
      python: Handle CTRL-C in openvpn3-as gracefully
      python/openvpn3-as: Improve profile download error handling
      python/openvpn3-as: Fix incorrect exception type
      ovpn3cli: Fix session-start with dynamic challenge auth
      python: Fix dyn-challenge auth in openvpn2
      cli/session: Not all connection failures are timeout related
      cli/session: Fix never ending session with failed 2FA
      lookup: Add error checking to sysconf() lookups
      common: Fix typo with MachineID::SourceType::NONE
      netcfg/resolved: Don't configure --dhcp-option DOMAIN as routing domains
      python: Add --data-ciphers and related options to the ignore list.

Frank Lichtenheld (3):
      build: make gen-openvpn2-completion.py output reproducible on old Python
      build: Use timestamp of the constant.py source file
      build: Avoid generating broken bash-completion file

Heiko Hund (1):
      netcfg: Move check for DCO availability to NetCfg
-------------------------------------------------------------------------
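
The openvpn3-as change to require properly signed https server certificates, as an added example that is not part of the original post and is not the openvpn3-as code: a Python TLS client context that skips verification is shown beside the default verifying one, with a check that refuses to open a connection on a context that does not verify. The function names and the host name are hypothetical.

```python
import http.client
import ssl
from typing import List


def weak_context() -> ssl.SSLContext:
    """Models a client that accepts any server certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_context() -> ssl.SSLContext:
    """Default client context: chain and hostname are both verified."""
    return ssl.create_default_context()


def audit(ctx: ssl.SSLContext) -> List[str]:
    """Return the verification gaps found in a client TLS context."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain is not verified")
    if not ctx.check_hostname:
        problems.append("hostname is not matched against the certificate")
    return problems


def https_connection(host: str, ctx: ssl.SSLContext,
                     port: int = 443) -> http.client.HTTPSConnection:
    """Build an HTTPS connection object, rejecting non-verifying contexts."""
    problems = audit(ctx)
    if problems:
        raise ValueError("refusing TLS context: " + "; ".join(problems))
    # No network traffic happens here; the handshake runs on first request.
    return http.client.HTTPSConnection(host, port, context=ctx, timeout=10)


if __name__ == "__main__":
    print("weak:  ", audit(weak_context()))
    print("strict:", audit(strict_context()))
```
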


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
