[Openvpn-users] OpenVPN 3 Linux v23 released

[David S. <daz...@eu...>]

OpenVPN 3 Linux v23 (Stable release)

The v23 release is stable release which expands the distribution target
since v22_dev was released.  The goal for this step was to stabilize the
codebase which was migrated to GDBus++ and the new Meson building
system.  The next release (v24) will also be a stable release, with focus
on further stabilisation and less intrusive changes.

The v23 release brings back the OpenVPN 3 AWS-VPC Add-on which was not
ready for the v22_dev release.  This service has also been migrated to
use GDBus++.  The behaviour of this add-on should otherwise be identical
to the service shipped in v21 and older releases.

In addition, a new add-on is included in this release.  The Cloud
Connexa service is being extended with a new functionality, referred to
as Device Posture Checks (DPC).  This feature will enable the VPN server
to request certain checks to be performed on the client side and
reported back to the server.  These checks are restricted to what the
new OpenVPN 3 Device Posture Service (openvpn3-service-devposture)
provides.

This new feature is NOT installed nor enabled by default.  To enable the
client-side functionality, the openvpn3-addon-devposture package must
be installed, the VPN client configuration must be pre-imported and
an Enterprise ID must be assigned to the configuration profile.  That
will allow the server to request Device Posture Checks to be performed.

The currently implemented DPC tests only provides platform information,
like Linux distribution name and version, kernel versions, CPU
architecture and the client's local time.  In future releases, more
tests may be implemented.  More information on available tests and
the declaration of test profiles can be found here:

 
<https://codeberg.org/OpenVPN/openvpn3-linux/src/branch/master/addons/devposture/profiles/profile-format.md>


Known issues:

     - openvpn3-service-client may not exit cleanly unless stopped
       via 'openvpn3 session-manage --disconnect' first.  This may
       delay the shutdown process if a VPN session is running when
       the host is being shut down.  A fix is in progress and will
       be prepared for v24.

     - Shell completion may list duplicated options in some cases

     - openvpn3-admin journal --since has a time zone related issue
       and may not list all log events within the closest hours.


Other changes:

* Improvement: Upgrade to OpenVPN 3 Core Library v3.10.1

     This library update provides the functionality to provide the
     Device Posture Check functionality in the OpenVPN wire
     protocol.  A fix to resolve compilation errors when the
     -Wnon-virtual-dtor compiler flag is enabled is included too.


* Bugfix: Report client and version correctly in IV_GUI_VER

     The v22_dev release unfortunately changed the format of the
     IV_GUI_VER.  It would report: 'openvpn3-linux/v22:dev' when
     it should have been 'OpenVPN3/Linux/v22_dev'.  This has
     been fixed.


* Bugfix: --tag option not working with config-import or config-manage

     A regression bug was introduced in v22_dev which handled the
     available tracking of Configuration Manager features incorrectly
     and ended up disabling this feature in the openvpn3 config-import
     and openvpn3 config-manage commands.  This has been fixed.


* Bugfix: systemd-resolved support rejected IPv6 DNS resolver address

     An oversight in the systemd-resolved implementation refused to accept
     pushed DNS resolver addresses when it was an IPv6 address.  This has
     been fixed and both IPv4 and IPv6 addresses are now fully supported.


* Improvement: Python configuration parser support for 
--connect-retry{,-max}

     The Python configuration parser in the openvpn3 module did
     not provide a pass-through for --connect-retry and --connect-retry-max
     options.  This would result in configuration profiles containing
     these options would not function when using the Python based tools
     while it would work using the 'openvpn3' command.


Credits
-------

Thanks goes to those continuing testing and reporting issues.
A special thanks to Grzegorz Gutowski who provided the fix to
the Python module.  He is also the project lead behind the
openvpn3-indicator project, which provides a tray-icon for
OpenVPN 3 Linux.  If you use a graphical desktop, that's a
project worth checking out!

Many thanks also goes to Razvan Cojocaru who has stepped in providing
many great improvements and done all the work for the Device Posture
support in OpenVPN 3 Linux.  And Lev Stipakov who migrated the
OpenVPN 3 AWS-VPC add-on service to GDBus++


Supported Linux distributions
-----------------------------

     - Debian: 12
     - Fedora: 39, 40, Rawhide
     - Red Hat Enterprise Linux 8, 9
     - Ubuntu: 20.04, 22.04, 24.04

Installation and getting started instructions can be found here:

     <https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux>

Debian 11, Red Hat Enterprise Linux 7 and Ubuntu 23.10 are EOL and
is no longer supported.


--
kind regards,

David Sommerseth
OpenVPN Inc


---- Source tarballs ---------------------------------------------------
* OpenVPN 3 Linux v23

 
<https://swupdate.openvpn.net/community/releases/openvpn3-linux-23.tar.xz>
 
<https://swupdate.openvpn.net/community/releases/openvpn3-linux-23.tar.xz.asc>

* GDBus++ v2

     <https://swupdate.openvpn.net/community/releases/gdbuspp-2.tar.xz>
     <https://swupdate.openvpn.net/community/releases/gdbuspp-2.tar.xz.asc>

---- SHA256 Checksums --------------------------------------------------

3c5a4e27e0618f395c1688b50b62b887543ff203d4c99af7f7bfe1d61d0e753b 
openvpn3-linux-23.tar.xz
cc801911df93072101e6218ac62c45e8f524cb42c0536e692d8da5fe8b1253d8 
openvpn3-linux-23.tar.xz.asc
0a3eab5c7f1f5ba803bec0902bb008b8c7a7040fdaf0e0e94b4ac77ffebf0bfd 
gdbuspp-2.tar.xz
361fe7f8ced70d49a2899ad4e790d6e9e1832f419ef3d7875226d44d997b7397 
gdbuspp-2.tar.xz.asc

---- git references ----------------------------------------------------

git repositories:

    - OpenVPN 3 Linux
      <https://codeberg.org/OpenVPN/openvpn3-linux> (PRIMARY)
      <https://gitlab.com/openvpn/openvpn3-linux>   (code-only mirror)
      <https://github.com/OpenVPN/openvpn3-linux>   (code-only mirror)

      git tag: v23
      git commit: d8239ede97fc91919f35a59a14a116769defcc49

    - GDBus++
      <https://codeberg.org/OpenVPN/gdbuspp/>       (PRIMARY)
      <https://gitlab.com/openvpn/gdbuspp/>         (code-only mirror)
      <https://github.com/openvpn/gdbuspp/>         (code-only mirror)

      git tag: v2
      git commit: 94f29d20accb755a08a9890efe5242d89d5b51bc

---- Changes from v22_dev to v23 ---------------------------------------

David Sommerseth (24):
         configmgr: Load configuration profiles before starting the 
D-Bus service
         netcfg: Make NetCfgNotifSubscriptions use uint32_t as filter 
bit mask
         codestyle: Fix minor code style deviations
         build: Enable overriding OpenVPN 3 Core Library version string
         scripts: Modify the output of the --gui-version
         addons/devposture: Fix compilation error with older JsonCpp 
libraries
         addons/devposture: Make devposture-proxy test program more generic
         addons/devposture: Document the Enterprise Profile file format
         build: Install some additional documentation by default
         docs: Clarify a GDBus++ and mbed TLS build dependencies better
         build: Set PACKAGE_NAME to 'OpenVPN3/Linux'
         Some minor #include clean-ups
         configmgr: Cleaning up #include files
         configmgr: Use CoreLog for logging events from the Core library.
         client: Don't stop if devposture service is unavailable
         devposture/test: Improve argument parsing in devposture-proxy
         addon/devposture/proxy: Properly re-throw 
DevPosture::Proxy::Handler exceptions
         netcfg/resolved: Factor out resolved::Exception to a separate file
         tests/resolved: Extend systemd-resolved proxy test client with 
IPv6 support
         netcfg/resolved: Add new D-Bus IP Address parser class
         netcfg/resolved: Use GDBus++ glib2 helpers extracting data in 
SearchDomains::GetGVariant
         netcfg/resolved: Plug-in resolved::IPAddress into ResolverRecord
         netcfg/resolved: Refactor out resolved::ResolverRecord
         core: Update to OpenVPN 3 Core Library v3.10.1

Grzegorz Gutowski (1):
         python: Pass through --connect-retry and --connect-retry-max

Lev Stipakov (5):
         netcfg: use proper C++ base type for NetCfgChangeType
         netcfg/proxy: Check non-response call for nullptr before freeing
         configmgr: remove unused class members
         addons/aws: Switch to GDBus++
         addons/aws: adapt to core RandomAPI changes

Razvan Cojocaru (10):
         core: Update to OpenVPN 3 Core Library releaseprep/3.10
         addons/devposture: Add openvpn3-linux-devposture
         configmgr: Add the enterprise-profile override
         ovpn3cli/config: Add openvpn3 config-manage --enterprise-profile
         client: Plug in Device Posture support
         configmgr: Use a regular expression to determine version number
         configmgr: Accumulate proxy feature flags instead of overwriting
         netcfg: Check stub-resolv.conf before giving up on systemd-resolved
         common: give SingleCommand a virtual destructor
         addons/devposture: Add core_ver and extra_ver to client_info

------------------------------------------------------------------------



-- 
kind regards,

David Sommerseth
OpenVPN Inc