[Openvpn-announce] OpenVPN client released for iOS

2013-01-17 Thread James Yonan
Just wanted to let everyone know that the OpenVPN Connect client for iOS 
has just been released and is now available in the app store.


This is an official Apple-sanctioned OpenVPN client developed by OpenVPN 
Technologies in collaboration with Apple.


Enjoy,

James



[Openvpn-announce] OpenVPN 2.1.0 released

2009-12-11 Thread James Yonan
I'm happy to announce the release of OpenVPN 2.1.0.  This release is 
basically 2.1_rc22 + some last-minute trivial fixes to documentation and 
plugin sample code.  Enjoy!


James




[Openvpn-announce] ANNOUNCEMENT: OpenVPN Access Server beta available

2009-05-16 Thread James Yonan
 8, 9, 10
  * 64-bit Ubuntu 8, 9


--
   OpenVPN Access Server v1.1.0b2 (beta 2)
   RELEASE NOTES

Feedback and Support:

We appreciate your feedback on this release. Register and login
at the Support Center to use the support ticketing system:

  http://beta.openvpn.net/index.php/access-server/support-center.html


New in Access Server v1.1.0:
----------------------------

Below are the main enhancements added since the Access Server v1.0.0
release:

-- Admin Web UI for configuration and management, including improved
   configuration options

-- Simplified CLI utility (ovpn-init) for initial configuration

-- Multi-profile support on Windows Client GUI

-- New method of authenticating via LDAP with enhanced configurability


Changes Since Access Server v1.1.0b:
------------------------------------

The Access Server v1.1.0b2 contains these improvements since the
v1.1.0b release:

-- Better interoperation with installed OpenVPN open-source clients
   (installer no longer removes all TAP interfaces)

-- Corrected version numbering of the Windows Client, so that it
   properly detects an installed OpenVPN-AS v1.0.0 client.

-- Fix for an issue occasionally seen on Windows Client GUI where
   the TAP adapter cannot get an IP address due to a problem in DHCP
   handshaking between the TAP adapter and the Windows DHCP client.

-- Fix for an iptables issue that caused NAT forwarding to fail.


Installation:
-------------

After installing the OpenVPN-AS package (e.g., using 'yum' on Fedora
platforms), run the initialization script:

/usr/local/openvpn_as/bin/ovpn-init

You will be prompted for initial settings for the Admin Web UI networking
and for authenticating the administrator. When ovpn-init completes, it
displays the URL to use for logging into the Admin Web UI to continue
configuring OpenVPN-AS.


License Keys:
-------------

You can use the Admin UI after ovpn-init completes. However, to turn on
the VPN Server component of OpenVPN-AS, you must have an activated
license key. To get started, you can obtain a free, 5-concurrent-user
license by registering and logging in at the License Key page:

  http://beta.openvpn.net/index.php/access-server/license-key.html

Enter the license key into the "New License Key" box of the "License"
page in the Admin Web UI.


Known Issues:
-------------

-- Accessing the Client Web Server without an activated license key
   yields an error message "error communicating with server agent".

-- Windows Client status display may remain at "Connecting TCP..."
   or "Connecting UDP..." when communication with VPN server fails.

-- Occasionally, when the Windows Client GUI attempts to connect to
   the VPN Server for the first time, the connection may stall at
   the "Connecting" stage and not complete.

-- Administrators should ensure that the VPN Server is not configured
   to run on the same (IP Address:port) combination as the Client Web
   Server or Admin UI.  Currently, the Admin UI does not flag this
   condition with an error, though it is an invalid configuration.

-- The PAM authentication module uses the 'sshd' PAM service, so the
   /etc/pam.d/sshd file must exist and be properly configured for
   user authentication.

-- The Ubuntu package does not configure the system so that the
   openvpnas service starts during system startup.


Best Regards,
James Yonan & the OpenVPN Technologies Team



[Openvpn-announce] 1.4.0 Released

2003-05-07 Thread James Yonan
Download:

http://sourceforge.net/projects/openvpn/

Release Notes:

This release adds options for persistence of replay protection information
across sessions, pass through of IPv4 TOS bits from the TUN/TAP device to the
UDP link, some advanced MTU control options, moderate revamping of the build
system to improve portability, and misc bug fixes and web site additions.

Also new is a major restructuring of MTU and fragmentation handling. Much of
this code is experimental and must be explicitly enabled by defining
FRAGMENT_ENABLE and rebuilding.

Change Log:

* Added --replay-persist feature to allow replay
  protection across sessions.
* Fixed bug where --ifconfig could not be used
  with --tun-mtu.
* Added --tun-mtu-extra parameter to deal with
  the situation where a read on a TUN/TAP device
  returns more data than the device's MTU size.
* Fixed bug where some IPv6 support code for
  Linux was not being properly ifdefed out for
  Linux 2.2, causing compile errors.
* Added OPENVPN_EXIT_STATUS_x codes to
  openvpn.h to control which status value
  openvpn returns to its caller (such as
  a shell or inetd/xinetd) for various conditions.
* Added OPENVPN_DEBUG_COMMAND_LINE flag to
  openvpn.h to allow debugging in situations
  where stdout, stderr, and syslog cannot be used
  for message output, such as when OpenVPN is
  instantiated by inetd/xinetd.
* Removed owner-execute permission from file
  created by static key generator (Herbert Xu
  and Alberto Gonzalez Iniesta).
* Added --passtos option to allow IPv4 TOS bits
  to be passed from TUN/TAP input packets to
  the outgoing UDP socket (Craig Knox).
* Added code to prevent open socket file descriptors
  from being accessible to called scripts.
* Added --dev-name option (Christian Lademann).
* Added --mtu-disc option for manual control
  over MTU options.
* Show OS MTU value on UDP socket write failures
  (linux only).
* Numerous build system and portability
  fixes (Matthias Andree).
* Added better sensing of compiler support for
  variable argument macros, including (a) gcc
  style, (b) ISO C 1999 style, and (c) no support.
* Removed generated files from CVS.  Note INSTALL
  file for new CVS build commands.
* Changed all internal _* symbols to x_*
  for C standards compliance.
* Added TUN/TAP open code to cycle dynamically
  through unit numbers until it finds a free
  unit (based on code from Thomas Gielfeldt
  and VTun).
* Added dynamic MTU and fragmenting infrastructure
  (Experimental).  Rebuild with FRAGMENT_ENABLE
  defined to enable.
* Minor changes to SSL/TLS negotiation, use
  exponential backoff on retransmits, and use
  a smaller MTU size (note that no protocol
  changes have been made which would break
  compatibility with 1.3.x).
* Added --enable-strict-options flag
  to ./configure.  This option will cause
  a more strict check for options compatibility
  between peers when SSL/TLS negotiation is used,
  but should only be used when both OpenVPN peers
  are of the same version.
* Reorganization of debugging levels.
* Added a workaround in configure.ac for
  default SSL header location on Linux
  to fix RH9 build problem.
* Fixed potential deadlock when pthread support
  is used on OSes that allocate a small socketpair()
  message buffer.
* Fixed openvpn.init to be sh compliant
  (Bishop Clark).
* Changed --daemon to wait until all
  initialization is finished before becoming a
  daemon, for the benefit of initialization
  scripts that want a useful return status from
  the openvpn command.
* Made openvpn.init script more robust, including
  positive indication of initialization errors
  in the openvpn daemon and better sanity checks.
* Changed --chroot to wait until initialization
  is finished before calling chroot(), and allow
  the use of --user and --group with --chroot.
* When syslog logging is enabled (--daemon or
  --inetd), set stdin/stdout/stderr to point
  to /dev/null.
* For inetd instantiations, dup socket descriptor
  to a >2 value.
* Fixed bug in verify-cn script, where test would
  incorrectly fail if CN=x was the last component
  of the X509 composite string (Anonymous).
* Added Markus F.X.J. Oberhumer's special
  license exception to COPYING.

James
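
The --replay-persist entry in the change log above is the one place this page touches replay protection. Below is an added example, not OpenVPN's code, of the mechanism such an option persists: a sliding window keyed on a per-packet sequence number, whose state is written to disk so that a daemon restart does not reopen the window to packets captured before it. The 32-bit packet id, the 64-packet window and the JSON state file are assumptions made for the illustration; OpenVPN's real packet format (which also carries a timestamp) and its state file layout are not reproduced here.

```python
"""Sliding-window replay protection that survives a restart.

Added example, not OpenVPN code. Each packet is assumed to carry a
monotonically increasing packet id starting at 1; id 0 is never valid.
The window state is saved to a file so that after a restart, packets
recorded before the restart are still rejected as replays.
"""
import json
import os
import tempfile
from typing import Optional

WINDOW_SIZE = 64  # how far behind the highest accepted id we still track (assumption)


class ReplayWindow:
    def __init__(self, window_size: int = WINDOW_SIZE) -> None:
        self.window_size = window_size
        self.mask = (1 << window_size) - 1
        self.highest = 0   # highest packet id accepted so far
        self.bitmap = 0    # bit i set => id (highest - i) has already been seen

    def check_and_record(self, pkt_id: int) -> bool:
        """Return True and record pkt_id if it is fresh; False if replayed or too old."""
        if pkt_id <= 0:
            return False
        if pkt_id > self.highest:
            shift = pkt_id - self.highest
            if shift >= self.window_size:
                self.bitmap = 1  # everything seen before is now outside the window
            else:
                # slide the window forward; ids that fall off the far end are forgotten
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.highest = pkt_id
            return True
        offset = self.highest - pkt_id
        if offset >= self.window_size:
            return False  # too old to distinguish from a replay: reject
        if self.bitmap & (1 << offset):
            return False  # already accepted once: this is a replay
        self.bitmap |= 1 << offset  # late but fresh (reordered in flight)
        return True

    def save(self, path: str) -> None:
        """Persist the window; write-then-rename so a crash never leaves a truncated file."""
        tmp = path + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"window_size": self.window_size,
                       "highest": self.highest, "bitmap": self.bitmap}, f)
        os.replace(tmp, path)

    @classmethod
    def load(cls, path: str) -> "ReplayWindow":
        with open(path) as f:
            state = json.load(f)
        w = cls(state["window_size"])
        w.highest = state["highest"]
        w.bitmap = state["bitmap"]
        return w


def demo(state_path: Optional[str] = None) -> dict:
    """Accept a burst, 'restart', then replay an old packet with and without persistence."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = state_path or os.path.join(tmpdir, "replay.state")
        w = ReplayWindow()
        first_run = [w.check_and_record(i) for i in (1, 2, 3, 5, 4)]  # 4 arrives late but is fresh
        replay_same_session = w.check_and_record(3)                    # duplicate within the session
        w.save(path)

        restored = ReplayWindow.load(path)                             # daemon restarted, state restored
        replay_after_restart = restored.check_and_record(2)            # rejected only because state persisted
        fresh_after_restart = restored.check_and_record(6)

        naive = ReplayWindow()                                         # restart without persistence
        replay_without_persist = naive.check_and_record(2)             # the same old packet is accepted

    return {
        "first_run": first_run,
        "replay_same_session": replay_same_session,
        "replay_after_restart": replay_after_restart,
        "fresh_after_restart": fresh_after_restart,
        "replay_without_persist": replay_without_persist,
    }


if __name__ == "__main__":
    print(demo())
```

demo() shows the point of persisting the window: a freshly started, unpersisted window has no memory and accepts a packet captured before the restart, while the restored window rejects it. Saving through a temporary file and os.replace() matters because a truncated state file on a crash would be as bad as having none.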






[Openvpn-announce] OpenVPN Project Update

2002-09-14 Thread James Yonan
CURRENT STATUS
--------------

Here's an update on OpenVPN progress for the last two months...

1.3.1 appears to be very stable and there haven't been a lot of new patches 
recently, though having said that there are certainly a few, most notably a 
minor patch to enable NetBSD support, and better support for intermediate CAs.

WISH LIST
---------

The current wish list stands as follows:

(1) Forking server support
(2) Automatic Secure MTU discovery
(3) IPv6 endpoints or IPv6 over tun device
(4) Windows port

While none of these (with perhaps the exception of the last :) is rocket 
science, all require some work, and given that OpenVPN has reached a nice 
stability plateau, I'd like to hear your opinions on future directions in the 
development effort.

DONATIONS
---------

I'd also like to bring to your attention the fact that the OpenVPN project is 
now accepting donations.  Please consider a small donation (such as $20) if you 
are actively using OpenVPN and possibly more if you are deriving significant 
utility from the software.  Right now I am "between jobs" and therefore don't 
have as much time as I'd like to spend on open source, but with enough support 
from the user community I hope to forge ahead on more of the wish list.  Having 
said that, I'd like to emphasize that OpenVPN has been a team effort with many 
individuals now cited in the change log or offering support on the lists.  
Still, there's a lot of less glamorous work required to keep an open source 
project alive, such as merging contributions, testing on multiple platforms, 
documentation, releases, web site and mailing list admin, tech support, 
answering questions, keeping up to date with libraries, staying on top of 
security issues, trying to figure out whether problem reports are bugs or 
operator error, etc. etc.  Those all add up to a significant time 
commitment, and bear in mind that even a small donation can go a long way 
towards funding this kind of work.

If you would like to donate, you can do so via pay-pal:

https://www.paypal.com/xclick/business=paypal%40yonan.net

If you have deeper pockets and want to make a more dramatic gesture, you might 
even consider hiring me :)  My resume is here:

http://openvpn.sourceforge.net/resume2002/

PRE-1.3.2 BETA AVAILABLE
------------------------

While there hasn't been a great deal of development activity over the past two 
months, there are a small number of low-impact patches waiting in the queue 
that I'd like to release.

Here's the change log:

* Added SSL_CTX_set_client_CA_list call
  to follow the canonical form for TLS initialization
  recommended by the OpenSSL docs.  This change allows
  better support for intermediate CAs and has no impact
  on security.
* Added build-inter script to easy-rsa package, to
  ease the generation of intermediate CAs.
* Ported to NetBSD (Dimitri Goldin).
* Fixed minor bug in easy-rsa/sign-req.  It refers to
  openssl.cnf file, instead of $KEY_CONFIG, like all
  other scripts (Ernesto Baschny).
* Added --days 3650 to the root CA generation command
  in the howto to override the woefully small 30 day
  default (Dominik 'Aeneas' Schnitzer).
* Added paypal links to website for project donations.
* Configured sourceforge mailing lists to require
  admin approval for non-member posts to reduce spam.

If you have time, are using TLS, and especially if you are using an 
intermediate CA, I would encourage you to test this beta and verify that the 
first point in the change log does not cause problems.

Download beta:

http://openvpn.sourceforge.net/beta/openvpn-1.3.1.4.tar.gz

SPAM
----

In other news, openvpn-users got its first spam the other day.  While spam 
certainly has not been a big problem here, I want to be as proactive as 
possible in keeping these lists from becoming spam vectors, so I've 
reconfigured the lists to require admin approval for non-member posts.  I'm 
willing to be the admin on this as long as it doesn't become a big time sink, 
and you can make life easier for me by subscribing before you post.

Thanks,
James Yonan
OpenVPN Project Leader






[Openvpn-announce] Ramifications on OpenVPN of OpenSSL security announcement

2002-07-30 Thread James Yonan
As many of you have probably noticed, the OpenSSL project released a
security update today which fixes potential remote buffer overflows.

What you may not have known is that the ASN1 parser bug was independently
discovered in the process of stress testing OpenVPN, earning yours truly the
dubious distinction of being acknowledged in the security advisory.

So here's the scoop for OpenVPN users:

(1) If you are using preshared static key mode, you are not vulnerable.

(2) If you are using TLS mode with --tls-auth, you are not vulnerable.

(3) If you are using TLS mode without --tls-auth, you may be vulnerable if
you are also using --float.

If you think you are vulnerable, the quickest fix is to start
using --tls-auth, which was explicitly designed to protect against buffer
overflows in OpenSSL by creating a two-tier authentication hierarchy that
forces ALL incoming packets to authenticate via HMAC before they are passed
on to the TLS code in OpenSSL.  Think of it as a kind of MAC firewall.

In general you should also consider downgrading privileges with --user
and/or --group, to limit the damage that would be caused by a remote buffer
overflow attack.  If for whatever reason you must run as root, then consider
using the --chroot option to lock the OpenVPN daemon into a restricted
filesystem, so that a remote attack would not be able to modify sensitive
files.

Of course most systems have a lot of other apps and daemons that depend on
OpenSSL so upgrading ASAP is probably the best course.

James
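
The "MAC firewall" the message describes, as an added example rather than OpenVPN's code: a shared-key HMAC check is applied to every incoming datagram before any of its bytes reach the fragile parser (OpenSSL's ASN.1 code, in the advisory's case), so an attacker who does not hold the key can exercise nothing but the HMAC verification itself. The packet layout, the HMAC-SHA1 tag length, the toy TLV parser standing in for the TLS code, and the constructed packets are all assumptions for this demonstration and are not OpenVPN's wire format.

```python
"""Pre-authenticate every packet with an HMAC before the fragile parser sees it.

Added example, not OpenVPN code. Tier 1 (mac_firewall) verifies a shared-key
HMAC over the payload; only packets that pass reach tier 2 (fragile_parse),
which stands in for the TLS/ASN.1 code the advisory concerns.
"""
import hashlib
import hmac
from typing import Optional

TAG_LEN = 20  # HMAC-SHA1 output length (assumption for the example)


class ParserError(Exception):
    pass


def fragile_parse(payload: bytes) -> dict:
    """Constructed TLV parser standing in for the code we want to shield.

    It trusts its own length field, the bug class the advisory describes;
    here the mismatch is caught, where a C parser might read past the buffer.
    """
    if len(payload) < 2:
        raise ParserError("short packet")
    tag, length = payload[0], payload[1]
    value = payload[2:2 + length]
    if len(value) != length:
        raise ParserError("length field exceeds data")
    return {"tag": tag, "value": value}


def seal(key: bytes, payload: bytes) -> bytes:
    """Sender side: prepend HMAC-SHA1(key, payload) to the payload."""
    return hmac.new(key, payload, hashlib.sha1).digest() + payload


def mac_firewall(key: bytes, packet: bytes) -> Optional[bytes]:
    """Tier 1: return the payload only if its tag verifies; None means drop silently."""
    if len(packet) < TAG_LEN:
        return None
    tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        return None
    return payload


class Receiver:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.parsed = []
        self.dropped = 0
        self.parser_errors = 0

    def receive(self, packet: bytes) -> str:
        payload = mac_firewall(self.key, packet)
        if payload is None:
            self.dropped += 1          # never reaches the parser
            return "dropped"
        try:
            self.parsed.append(fragile_parse(payload))
            return "parsed"
        except ParserError:
            self.parser_errors += 1    # parser reached, but only by a key holder
            return "parser_error"


def demo() -> dict:
    key = b"\x01" * 32  # constructed shared key; a real deployment uses a generated key file
    rx = Receiver(key)
    good = seal(key, b"\x30\x03abc")
    # attacker without the key: bogus tag, length field claims 255 bytes but carries 3
    hostile_unsigned = b"\x00" * TAG_LEN + b"\x30\xffabc"
    # attacker flips one payload byte of a captured valid packet: tag no longer matches
    tampered = good[:TAG_LEN] + good[TAG_LEN:TAG_LEN + 1] + b"\xff" + good[TAG_LEN + 2:]
    # the same hostile payload sealed with the right key: only now does the parser see it
    hostile_signed = seal(key, b"\x30\xffabc")
    results = [rx.receive(p) for p in (good, hostile_unsigned, tampered, hostile_signed)]
    return {"results": results, "dropped": rx.dropped,
            "parser_errors": rx.parser_errors, "parsed": len(rx.parsed)}


if __name__ == "__main__":
    print(demo())
```

In demo(), the two unauthenticated packets are discarded before fragile_parse runs, and the malformed payload only reaches the parser when it is sealed with the shared key. The first tier does not repair the parser bug, which is why the message still recommends upgrading OpenSSL; it narrows who can reach the bug to holders of the key.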




