From: Yuriy D. <yur...@op...> - 2025-11-28 19:44:39
|
The OpenVPN community project team is proud to release OpenVPN 2.7_rc3.
This is the third release candidate for the feature release 2.7.0.
Security fixes:
* CVE-2025-13751: Windows/interactive service: fix bug where the interactive service would error-exit in
certain error conditions instead of just logging the fact and
continuing. After the error-exit, OpenVPN connections will no
longer work until the service is restarted (or the system rebooted).
This can be triggered by any authenticated local user, and has
thus been classified as a "local denial of service" attack.
Important bug fixes since 2.7_rc2:
* Windows/Interactive Service bugfixes:
many small bugfixes to registry-related DNS domain handling
* Windows/Interactive Service: harden service pipe handling
close a small race condition, and add restrictive ACLs
* more type conversion related warnings have been fixed
* --multihome behaviour regarding egress interface selection has been
changed. See Changes.rst and manpage for details.
* cleanup dead code in event handling code (leftover of the multisocket
patch set)
* add new feature, --tls-crypt-v2-max-age n. See Changes.rst and
manpage for details.
* improve documentation to point out the pitfalls of case-insensitive
filesystems and --client-config-dir
* split default gateway query logic in two:
* for --redirect-gateway functionality, query for the gateway towards
the actual IP address of the VPN server connecting to
* for the "net_gateway" special destination for --route, and the
corresponding environment variable, always query for 0.0.0.0 / ::
(this will only make a difference in certain scenarios using a local
proxy, or on a system with multiple interfaces, not using the "default
route" for the VPN connection * see github#890)
* upgrade embedded pkcs11-helper vcpkg + pkcs11-uri patch to 1.31
* CMake / autoconf cleanup wrt unused checks, outdated old-Linux checks,
Windows oddities
* DCO (primarily Linux): improve handling of bulk notifications from
kernel (do not lose notifications, do not crash) (github#900)
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/master/Changes.rst>
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community-downloads/>
Packages for Debian, Ubuntu, Fedora, RHEL, and openSUSE are available in the various
official Community repositories:
<https://community.openvpn.net/Pages/OpenVPN%20software%20repos>
Kind regards,
Yuriy Darnobyt |
|
From: Yuriy D. <yur...@op...> - 2025-11-28 19:41:55
|
The OpenVPN community project team is proud to release OpenVPN 2.6.17.
This is a bugfix release containing one security fix.
Security fixes:
* CVE-2025-13751: Windows/interactive service: fix erroneous exit on error that could be used by a local Windows user to achieve a local denial-of-service
Bug fixes:
* Windows/interactive service: improve service pipe robustness against file access races (uuid) and access by unauthorized processes (ACL).
* upgrade bundled build instruction (vcpkg and patch) for pkcs11-helper to 1.31, fixing a parser bug
Windows MSI changes since 2.6.16-I001:
* Built against OpenSSL 3.6.0
* Included openvpn-gui updated to 11.59.0.0
* Authorize config before opening the service pipe
* Remove dependence on pathcch.dll not in Windows 7
* Included win-dco driver updated to 2.8.0
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>
(The Changes document also contains a section with work-arounds for common problems encountered when using OpenVPN with OpenSSL 3)
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community/>
Debian and Ubuntu packages are available in the official apt repositories:
<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>
On Red Hat derivatives we recommend using the Fedora Copr repository.
<https://copr.fedorainfracloud.org/coprs/g/OpenVPN/openvpn-release-2.6/>
Kind regards,
Yuriy Darnobyt |
|
From: Yuriy D. <yur...@op...> - 2025-11-18 18:50:42
|
The OpenVPN community project team is proud to release OpenVPN 2.7_rc2.
This is the second release candidate for the feature release 2.7.0.
Security fixes:
* CVE-2025-12106: IPv6 address parsing: fix buffer overread on invalid input
* CVE-2025-13086: HMAC verification check: fix incorrect memcmp() call
Important bug fixes since 2.7_rc1:
* even more type conversion related warnings have been fixed
* DCO FreeBSD improvements:
* improving debug messages (verb 6)
* implement client-side counter handling
* repair --inactive (and document shortcomings)
* repair handling of DCO disconnection notifications in --client mode
* Windows/Service improvements, hardening, bugfixes
* fix DNS address list generation (if 3 or more --dns addresses in use)
* fix DNS server undo_list
* disallow "stdin" as config name unless user has OpenVPN admin privs
* fix compilation errors with MSVC v19
* iservice: improve validation of config path (pathcc lib)
* [NOTE: this breaks OpenVPN compatibility with Windows 7]
* tapctl: refactor, improve output, change driver default to ovpn-dco
* iservice: when restoring iface metrics, enforce correct ifindex
* improve cmocka unit test assert() handling
* PUSH_UPDATE server: fix reporting of client IPs in ``status`` output after pushing a new IPv4/IPv6 address to client
* AEAD cipher safety margins: fix calculation of AEAD blocks in use (old code would undercount blocks)
* fix invalid pointer creation / memory overread in tls_pre_decrypt
* deprecate ``--opt-verify`` (change into no-op + warning)
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/master/Changes.rst>
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community-downloads/>
Packages for Debian, Ubuntu, Fedora, RHEL, and openSUSE are available in the various
official Community repositories:
<https://community.openvpn.net/Pages/OpenVPN%20software%20repos>
Kind regards,
Yuriy Darnobyt |
|
From: Yuriy D. <yur...@op...> - 2025-11-18 18:47:16
|
The OpenVPN community project team is proud to release OpenVPN 2.6.16.
This is a bugfix release containing one security fix.
Security fixes:
* CVE-2025-13086: Fix memcmp check for the hmac verification in the 3way handshake. This bug renders the HMAC based protection against state exhaustion on receiving spoofed TLS handshake packets in the OpenVPN server inefficient.
Bug fixes:
* fix invalid pointer creation in tls_pre_decrypt() - technically this is a memory over-read issue, in practice, the compilers optimize it away so no negative effects could be observed.
* Windows: in the interactive service, fix the "undo DNS config" handling.
* Windows: in the interactive service, disallow using of "stdin" for the config file, unless the caller is authorized OpenVPN Administrator
* Windows: in the interactive service, change all netsh calls to use interface index and not interface name - sidesteps all possible attack avenues with special characters in interface names.
* Windows: in the interactive service, improve error handling in some "unlikely to happen" paths.
* auth plugin/script handling: properly check for errors in creation on $auth_failed_reason_file (arf).
* for incoming TCP connections, close-on-exec option was applied to the wrong socket fd, leaking socket FDs to child processes.
* sitnl: set close-on-exec flag on netlink socket
* ssl_mbedtls: fix missing perf_pop() call (optional performance profiling)
Windows MSI changes since 2.6.15-I001:
* Built against OpenSSL 3.6.0
* Included openvpn-gui updated to 11.58.0.0
* Check the return value of GetProp()
* Make config path check similar to that in interactive service
* Escape the type id of password message received from openvpn
* Add a message source for event logging
* Check correct management daemon path when OpenVPN3 is enabled
* Fix OpenVPN3 radio button label size when OVPN3 is enabled
* Use GetTempPath() for debug file in plap as well
* Migrate all saved plain usernames to encrypted format
* Included win-dco driver updated to 2.8.0
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>
(The Changes document also contains a section with work-arounds for common problems encountered when using OpenVPN with OpenSSL 3)
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community/>
Debian and Ubuntu packages are available in the official apt repositories:
<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>
On Red Hat derivatives we recommend using the Fedora Copr repository.
<https://copr.fedorainfracloud.org/coprs/g/OpenVPN/openvpn-release-2.6/>
Kind regards,
Yuriy Darnobyt |
|
From: Yuriy D. <yur...@op...> - 2025-11-01 07:03:15
|
The OpenVPN community project team is proud to release OpenVPN 2.7_rc1.
This is a first release candidate for the feature release 2.7.0 which includes improvements and bug fixes.
Feature changes since 2.7_beta3:
* add warning for unsupported combination of --push and --tls-server
* add warning for unsupported combination of --reneg-bytes or --reneg-pkts with DCO
* remove perf_push()/perf_pop() infrastructure (because it did not work anymore, and compiler profiling will give
better results today)
* ensure compatibility with OpenSSL 3.6.0 - specifically, do not crash in t_lpback.sh trying to use
new encrypt-then-mac (ETM) ciphers
* improved PUSH_UPDATE server side support, which now handles changes of pushed ifconfig/ifconfig-ipv6 addresses
correctly (send packets to new IP addresses to this client, stop sending packets to the old addresses).
* freshen URLs all over the tree, and change to HTTPS where possible
* on DCO Linux/FreeBSD, add support for clients receiving an IPv4/IPv6 address that is not part of
the --server/--server-ipv6 subnet (= install extra on-interface host routes).
* Windows programs use a new API for path name canonicalization now (PathCchCanonicalizeEx()) which will break building
with MinGW on Ubuntu 22.04 -> Upgrade to 24.04 to make builds work again.
* on Windows, when setting up WINS servers using netsh, use interface index instead of adapter name now
("as for all other netsh calls")
* remove undocumented and unused --memstats feature
Important bug fixes since 2.7_beta3:
* even more type conversion related warnings have been fixed
* more bugfixes related to BYTECOUNT display on the management interface and byte counters on DCO platforms in general
* numerous minibugs reported by ZeroPath AI have been fixed (small memleaks, possible file descriptor leaks,
improved sanity checks, add ASSERT() on function contracts, etc.)
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/master/Changes.rst>
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community-downloads/>
Packages for Debian, Ubuntu, Fedora, RHEL, and openSUSE are available in the various
official Community repositories:
<https://community.openvpn.net/Pages/OpenVPN%20software%20repos>
Kind regards,
Yuriy Darnobyt |
|
From: Yuriy D. <yur...@op...> - 2025-10-13 20:09:44
|
The OpenVPN community project team is proud to release OpenVPN 2.7_beta3.
This is a third beta which includes improvements and bug fixes.
Feature changes since 2.7_beta2:
* improvements on PUSH_UPDATE handling on the server side
* improve "recursive routing checks", prepare the way for a policy-based setup where "packets to VPN server" could end up in the tunnel without interfering with OpenVPN operations
* add support for "eoch" data format to DCO on Windows (needs dco-win driver 2.8.0+)
* clean up and remove outdated stuff from COPYING
Important bug fixes since 2.7_beta2:
* bugfixes reconnect and PUSH_UPDATE handling on the client side (notably handling of ifconfig/ifconfig-ipv6/redirect-gateway ipv6 if the server is not always pushing the same address families)
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/master/Changes.rst>
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community-downloads/>
Packages for Debian, Ubuntu, Fedora, RHEL, and openSUSE are available in the various official Community repositories:
<https://community.openvpn.net/Pages/OpenVPN%20software%20repos>
Kind regards,
Yuriy Darnobyt |
|
From: Yuriy D. <yur...@op...> - 2025-09-25 14:42:20
|
The OpenVPN community project team is proud to release OpenVPN 2.7_beta2.
This is a second beta which includes important bugfixes.
Feature changes since 2.7_beta1:
* greatly improved event log handling for the Windows interactive service - this brings build system changes and a new openvpnservmsg.dll
Important bug fixes since 2.7_beta1:
* add proper input sanitation to DNS strings to prevent an attack coming from a trusted-but-malicious OpenVPN server (CVE-2025-10680, affects unixoid systems with --dns-updown scripts and windows using the built-in powershell call)
* bugfixes when using multi-socket on windows (properly recognize that TCP server mode does not work with DCO, properly handle TCP multi-socket server setups without DCO)
* bring back configuring of IPv4 broadcast addresses on Linux
* repair "--dhcp-option DNS" setting in combination with DHCP (TAP) or "--up" scripts (Github: OpenVPN/openvpn#839, OpenVPN/openvpn#840)
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/master/Changes.rst>
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community-downloads/>
Packages for Debian, Ubuntu, Fedora, RHEL, and openSUSE are available in the various official Community repositories:
<https://community.openvpn.net/Pages/OpenVPN%20software%20repos>
Kind regards,
Yuriy Darnobyt |
|
From: Frank L. <fr...@li...> - 2025-09-24 14:52:14
|
The OpenVPN community project team is proud to release OpenVPN 2.6.15.
This is a bugfix release.
Bug fixes:
* On Windows, do not use "wmic.exe" any longer to set DNS search domain
(discontinued by Microsoft), use "powershell" fragment instead.
* On Windows, logging to the windows event log has been improved
(and logging of GetLastError() strings repaired).
To make this work, a new "openvpnmsgserv.dll" library is now installed and
registered.
* DNS domain names are now strictly validated with a positive-list of
allowed characters (including UTF-8 high-bit-set bytes) before being handed
to powershell.
* Apply more checks to incoming TLS handshake packets before creating new state
- namely, verify message ID / acked ID for "valid range for an initial packet".
This fixes a problem with clients that float very early but send control
channel packet from the pre-float IP (Github: OpenVPN/openvpn#704, backported
from 2.7_beta1).
* Backport handling of client float notifications on FreeBSD 14/STABLE DCO.
(FreeBSD: #289303)
* Update GPL license text to latest version from FSF.
* On Linux, on interfaces where applicable, OpenVPN explicitly configures the
broadcast address again. This was dropped for 2.6.0 "because computers are
smart and can do it themselves", but the kernel netlink interface isn't, and
will install "0.0.0.0". This does not normally matter, but for broadcast-based
applications that get the address to use from "ifconfig", this change repairs
functionality.
Windows MSI changes since 2.6.14-I004:
* Built against OpenSSL 3.5.3
* Included openvpn-gui updated to 11.56.0.0
* Fix "Cannot open the System Tray Menu with Keyboard"
(Github: OpenVPN/openvpn-gui#763)
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>
(The Changes document also contains a section with work-arounds for
common problems encountered when using OpenVPN with OpenSSL 3)
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community/>
Debian and Ubuntu packages are available in the official apt repositories:
<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>
On Red Hat derivatives we recommend using the Fedora Copr repository.
<https://copr.fedorainfracloud.org/coprs/g/OpenVPN/openvpn-release-2.6/>
Regards,
--
Frank Lichtenheld
|
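The positive-list check on DNS domain names described in the 2.6.15 announcement above, and the DNS string sanitation for CVE-2025-10680 in the 2.7_beta2 announcement, can be sketched in C as follows. This is an added example, not OpenVPN's code: the function names, the exact set of allowed bytes and the length limits are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed limits (RFC 1035 sizes); not taken from the OpenVPN sources. */
#define MAX_NAME_LEN  253
#define MAX_LABEL_LEN 63

/* Constructed sample of server-pushed search domains. */
static const char *const SAMPLE_DOMAINS[] = {
    "corp.example.com",
    "b\xc3\xbc" "cher.example",   /* UTF-8 u-umlaut: high-bit-set bytes */
    "example.com';x",             /* quote and separator: rejected */
    "a b.example",                /* whitespace: rejected */
    "..example",                  /* empty label: rejected */
};
#define SAMPLE_COUNT (sizeof(SAMPLE_DOMAINS) / sizeof(SAMPLE_DOMAINS[0]))

/* Positive list: a byte is accepted only if it is named here.
 * Everything else (quotes, separators, whitespace, control bytes)
 * is rejected without having to be enumerated. */
static bool
label_byte_allowed(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
           || (c >= '0' && c <= '9') || c == '-' || c == '_'
           || c >= 0x80;          /* UTF-8 lead/continuation bytes */
}

/* Validate one domain name before it is placed on a command line
 * or into a script environment. */
bool
dns_domain_is_valid(const char *name)
{
    size_t total = 0, label = 0;

    if (name == NULL || *name == '\0')
    {
        return false;
    }
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
    {
        if (++total > MAX_NAME_LEN)
        {
            return false;
        }
        if (*p == '.')
        {
            if (label == 0)       /* leading dot or ".." */
            {
                return false;
            }
            label = 0;
            continue;
        }
        if (!label_byte_allowed(*p) || ++label > MAX_LABEL_LEN)
        {
            return false;
        }
    }
    return label > 0;             /* this sketch also rejects a trailing dot */
}

/* Copy only validated names to out[]; the caller builds its command
 * from out[] and never from the raw pushed strings. */
size_t
filter_search_domains(const char *const *in, size_t n, const char **out)
{
    size_t kept = 0;

    for (size_t i = 0; i < n; i++)
    {
        if (dns_domain_is_valid(in[i]))
        {
            out[kept++] = in[i];
        }
        else
        {
            /* Log the index only; do not echo the rejected bytes. */
            fprintf(stderr, "rejecting DNS domain #%zu\n", i);
        }
    }
    return kept;
}

int
main(void)
{
    const char *accepted[SAMPLE_COUNT];
    size_t n = filter_search_domains(SAMPLE_DOMAINS, SAMPLE_COUNT, accepted);

    for (size_t i = 0; i < n; i++)
    {
        printf("accepted: %s\n", accepted[i]);
    }
    return n == 2 ? 0 : 1;
}
```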
|
From: David S. <daz...@eu...> - 2025-09-24 13:15:46
|
OpenVPN 3 Linux v26 (Stable release)
The v26 release is a small bugfix and enhancement release. Please notice the deprecation of openvpn3-autoload.
* Enhancement: Improve user feedback when a VPN profile is not valid
  Since the OpenVPN 3 Linux v22_dev release, the openvpn3-service-configmgr service has provided an API to validate VPN profiles it manages. This has been used in the rest of the available tools to check if everything is in order before attempting to start a VPN session. When a configuration profile was lacking certain required options, it would fail this validation. But the feedback to the user was not much helpful and the user would need to check the configuration profile manually. With the v26 release, the end user will be provided a list of required configuration options missing.
* Enhancement: Set route metric value when provided via VPN session
  Since the very beginning of OpenVPN 3 Linux, the route metric value has been ignored. This has been improved in the v26 release and the metric values provided in the configuration profile or pushed from the VPN server will now be respected.
* FEATURE DEPRECATION: openvpn3-autoload
  The openvpn3-autoload feature was deprecated already in the v20 release. This feature will be removed in a coming stable release. The replacement is the openvpn3-session@.service systemd unit. Please see the openvpn3-systemd man page [1] for more details. If you depend on openvpn3-autoload today, please migrate ASAP to the systemd approach.
  [1] <https://codeberg.org/OpenVPN/openvpn3-linux/src/branch/master/docs/man/openvpn3-systemd.8.rst>
* Bugfix: Proper parsing of <connection/> tags in OpenVPN configs
  The internal VPN profile configuration parser did not properly parse configuration files containing <connection>...</connection> tags to configure a remote server. This has been fixed and both the openvpn3-service-configmgr and the openvpn3 Python module has been updated to support this feature.
* Bugfix: Proper parsing of semicolon (;) as comment line
  The openvpn3 Python module did not properly parse configuration files which used semicolon (;) as a comment separator. This has been improved and both hash (#) and semicolon can now be used for comments in configuration profiles.
* Bugfix: openvpn3-service-netcfg may stop on route setup errors
  In some corner cases, when the openvpn3-service-client (VPN client) process called the Network Configuration service (openvpn3-service-netcfg) to establish the VPN network interface, the Network Configuration service could crash and not recover, resulting in the VPN session not being able to be established. This has been improved and this error situation is now handled and logged properly.
* Bugfix: Background D-Bus calls to systemd-resolved fails
  On some systems the D-Bus communication between the openvpn3-service-netcfg (NetCfg) process and systemd-resolved could be too slow, resulting in the NetCfg process retrying the D-Bus call. Due to an incorrect retry logic, the parameters systemd-resolved would need had been released from memory and was no longer accessible. This has been resolved and the retry logic now behaves as expected.
* Bugfix: VPN session restart triggers assertion warning in logs
  When an on-going VPN session is attempted restarted, for example via the openvpn3 session-manage command, the NetCfg service would log an assertion warning in the system logs. This has been resolved and VPN session restarts will now work as expected.
* Bugfix: OpenVPN 3 AWS-VPC fails changing IPv6 routes
  Due to a typo in the parameter name used for changing IPv6 routes in the AWS VPC service, setting IPv6 routes would result in an error. This has been resolved in the OpenVPN 3 Core version 3.11.5 release, which OpenVPN 3 Linux v26 has upgraded to.
* OpenVPN 3 Core Library update
  The OpenVPN 3 Core Library has been updated to version 3.11.5, which contains the fix for the AWS VPC route fix. It also enables building against Linux 6.16 kernel headers.
Known issues:
- The openvpn3-service-netcfg service does not differentiate between --dns server X resolve-domains and --dns search-domains when using the --resolv-conf mode, which is not as this feature is intended to work. This was discovered in the v24 release and is on the schedule to be fixed in the next releases. When this gets fixed, only --dns search-domains will be considered as search domains and --dns server X resolve-domains will enable split-DNS when using --systemd-resolved and otherwise ignored when using --resolv-conf with openvpn3-service-netcfg.
Supported Linux distributions
-----------------------------
- Debian: 12, 13[*]
- Fedora: 41, 42
- Red Hat Enterprise Linux 8, 9, 10[*]
- Ubuntu: 22.04, 24.04, 25.05
Installation and getting started instructions can be found here:
<https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux>
There are in addition other Linux distributions now providing OpenVPN 3 Linux packages. These distributions are primarily supported by their respective distribution communities. We will naturally review and apply fixes deemed needed for any distributions as they occur.
NOTE: Red Hat Enterprise Linux 10
The Fedora Copr repository definition for RHEL+EPEL-10 *may* use a wrong URL. After doing the 'dnf copr enable' step on RHEL-10, please ensure the URL contains 'rhel+epel' and not just 'epel'. This is expected to automatically improve with time. The stable repositories provided by OpenVPN Inc should not have this issue.
NOTE: Debian 13 (Trixie)
Debian 13 is added to the list of supported distribution versions. With Debian 13 there is now also an upstream distribution package as well, openvpn3-client, as well as the GDBus++ library. The version in the distribution repository is at OpenVPN 3 Linux v24.1. This cannot be upgraded to a newer base line, due to Debian packaging rules. The package maintainer will apply bug and security fixes as needed.
If you want to use a newer OpenVPN 3 Linux on Debian 13, you will need to install the third-party repository provided by OpenVPN Inc. This is the same procedure as in Debian 12 and earlier. With the v26 release, the package has been renamed to 'openvpn3-client' and an upgrade path from the openvpn3 package has been added. After upgrading to v26, the openvpn3 transitional package can be removed via 'apt autoremove'.
--
kind regards,
David Sommerseth
OpenVPN Inc
---- Source tarballs ---------------------------------------------------
* OpenVPN 3 Linux v26
  <https://swupdate.openvpn.net/community/releases/openvpn3-linux-26.tar.xz>
  <https://swupdate.openvpn.net/community/releases/openvpn3-linux-26.tar.xz.asc>
* GDBus++ v3
  <https://swupdate.openvpn.net/community/releases/gdbuspp-3.tar.xz>
  <https://swupdate.openvpn.net/community/releases/gdbuspp-3.tar.xz.asc>
---- SHA256 Checksums --------------------------------------------------
80e35615ae913fbdbdda53495b27934a3bbb21d8b15c49a624d4992c15e196e1 openvpn3-linux-26.tar.xz
474ba43ae9a6f4e8e5488750ed779bf57e7e2efe9bc05d196f65adb83f830eb4 openvpn3-linux-26.tar.xz.asc
c7a053a13c4eb5811a542b747d5fcdb3a8e58a4a42c7237cc5e2e2ca72e0c94e gdbuspp-3.tar.xz
b9cf732d7a347f324d6a5532dc48f80c2815dbf6704c169b4ee97a411506a99b gdbuspp-3.tar.xz.asc
---- git references ----------------------------------------------------
git repositories:
- OpenVPN 3 Linux
  <https://codeberg.org/OpenVPN/openvpn3-linux> (PRIMARY)
  <https://gitlab.com/openvpn/openvpn3-linux> (code-only mirror)
  <https://github.com/OpenVPN/openvpn3-linux> (code-only mirror)
  git tag: v26
  git commit: 42ecc42a782025f8774e907a8c1966524424bcee
- GDBus++
  <https://codeberg.org/OpenVPN/gdbuspp/> (PRIMARY)
  <https://gitlab.com/openvpn/gdbuspp/> (code-only mirror)
  <https://github.com/openvpn/gdbuspp/> (code-only mirror)
  git tag: v3
  git commit: 96f7fb688ed2dea3f192c63c5fe283dbe4900f16
---- Changes from v25 to v26 ---------------------------------------
David Sommerseth (30):
  build: Add fmt subproject
  configmgr: Add details when profile validation fails
  ovpn3cli/config-import: Show warning if imported profile is invalid
  netcfg/resolved: Ensure glib2 params are available on retries
  common: Refactor and clean-up core-extensions.hpp
  common/core-extensions: Move helper functions into OptionListJSON class
  tests: Parse Access Server meta options in config-export-json-test
  common: Properly parse <connection/> blocks
  netcfg: Catch Core library exceptions in method_establish()
  configmgr: Let <connection/> tags be equivalent to --remote when validating the profile
  python: Deprecate openvpn3.ConfigParser.SanityCheck()
  python/openvpn2: Make Configuration.Validate() errors more user friendly
  python/openvpn2: Add IMPORT_ONLY debug more
  python: Implement <connection/> tag support in ConfigParser
  netcfg: Clarify IP address 'prefix' usage
  netcfg: Split up the NetCfgProxy::Network object construction
  netcfg: Small clean-up/codestyle fixup for IPAddr, Network and VPNAddress classes
  netcfg: Add support for route metric when assing VPN routes
  netcfg/proxy: Add service version check for D-Bus API compatibility
  python: Semicolon is not accepted by openvpn3.ConfigParser
  common: Minor cleanups in cmdargparser code
  netcfg/resolved: Fix g_variant_ref assertion warning on session restarts
  core: Update to OpenVPN 3 Core Library v3.11.4
  docs: Minor updates to the coding style guide
  Code style cleanup
  git: Update .git-blame-ignore-revs ignoring last code-style changes
  Quick spellcheck fixes all over project
  configmgr: Fix auth-user-pass handling regression
  netcfg: Make logged metric details more user friendly
  core: Update to OpenVPN 3 Core Library v3.11.5
-------------------------------------------------------------------- |
|
From: Yuriy D. <yur...@op...> - 2025-09-04 19:07:30
|
The OpenVPN community project team is proud to release OpenVPN 2.7_beta1.
This is the first Beta release for the feature release 2.7.0.
As the Beta name implies this is an early release build, it is not intended for production use.
Feature changes since 2.7_alpha3:
- Introduction of route_redirect_gateway_ipv4 and _ipv6 env variables
- PUSH_UPDATE server support (via management interface)
- Rewrite of the management interface "bytecount" infrastructure to better interact with DCO
Important bug fixes since 2.7_alpha3:
- Bugfixes in --dns-updown script for linux systems using resolvconf
- A large number of signed/unsigned related warnings have been fixed
The biggest noticeable difference in beta1 is the reformatting using clang-format, leaving uncrustify as that wasn't stable across versions.
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/master/Changes.rst>
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community-downloads/>
Packages for Debian, Ubuntu, Fedora, RHEL, and openSUSE are available in the various official Community repositories:
<https://community.openvpn.net/Pages/OpenVPN%20software%20repos>
Kind regards,
Yuriy Darnobyt |
|
From: Frank L. <fr...@li...> - 2025-08-01 09:38:32
|
The OpenVPN community project team is proud to release OpenVPN 2.7_alpha3.
This is the third Alpha release for the feature release 2.7.0.
As the Alpha name implies this is an early release build, it is not intended
for production use.
Feature changes since 2.7_alpha2:
* --dns-updown script for macOS
* Client-side support for PUSH_UPDATE handling
* Support for floating TLS clients when DCO is active
(requires latest versions of DCO drivers)
* Use of user-defined routing tables on Linux
* PQE support for WolfSSL
Important bug fixes since 2.7_alpha2:
* Fix issue in handling DCO messages on Linux that could lead to
various problems due to unhandled messages
* Fix issues with DHCP on Windows with tap driver
Highlights of 2.7 include:
* Multi-socket support for servers -- Handle multiple addresses/ports/protocols
within one server
* Improved Client support for DNS options
* Client implementations for Linux/BSD, included with the default install
* New client implementation for Windows, adding support for features like split
DNS and DNSSEC
* Architectural improvements on Windows
* The block-local flag is now enforced with WFP filters
* Windows network adapters are now generated on demand
* Windows automatic service now runs as an unprivileged user
* Support for server mode in win-dco driver
Note: Support for the wintun driver has been removed. win-dco is now the
default, tap-windows6 is the fallback solution for use-cases not covered by win-dco.
* Improved data channel
* Enforcement of AES-GCM usage limit
* Epoch data keys and packet format
* Support for new upstream DCO Linux kernel module
This release supports the new ovpn DCO Linux kernel module which will be
available in future upstream Linux kernel releases. Backports of the new module
to current kernels are available via the ovpn-backports project.
* Client-side support for new PUSH_UPDATE control-channel message
This allows servers to send updates to options like routing and DNS config without
triggering a reconnect.
* TLS 1.3 support with bleeding-edge mbedTLS versions
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/master/Changes.rst>
Source code and Windows installers can be downloaded from our download page:
<https://community.openvpn.net/Downloads>
Packages for Debian, Ubuntu, Fedora, RHEL, and openSUSE are available in the various
official Community repositories:
<https://community.openvpn.net/Pages/OpenVPN%20software%20repos>
Regards,
--
Frank Lichtenheld
|
|
From: Yuriy D. <yur...@op...> - 2025-06-20 19:10:11
|
The OpenVPN community project team is proud to release OpenVPN 2.7_alpha2.
This is the second Alpha release for the feature release 2.7.0.
As the Alpha name implies this is an early release build, this is not intended
for production use.
This release includes a security fix for CVE-2025-50054.
Highlights of this release include:
* Multi-socket support for servers -- Handle multiple addresses/ports/protocols
within one server
* Improved Client support for DNS options
* Client implementations for Linux/BSD, included with the default install
* New client implementation for Windows, adding support for features like split
DNS and DNSSEC
* Architectural improvements on Windows
* The block-local flag is now enforced with WFP filters
* Windows network adapters are now generated on demand
* Windows automatic service now runs as an unprivileged user
* Support for server mode in win-dco driver
Note: Support for the wintun driver has been removed. win-dco is now the
default, tap-windows6 is the fallback solution for use-cases not covered by win-dco.
* Improved data channel
* Enforcement of AES-GCM usage limit
* Epoch data keys and packet format
* Support for new upstream DCO Linux kernel module
* This release supports the new ovpn DCO Linux kernel module which will be
available in future upstream Linux kernel releases. Backports of the new module
to current kernels are available via the ovpn-backports project.
* TLS 1.3 support with bleeding-edge mbedTLS versions
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/master/Changes.rst>
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community-downloads/>
Packages for Debian, Ubuntu, Fedora, RHEL, and openSUSE are available in the various
official Community repositories:
<https://community.openvpn.net/Pages/OpenVPN%20software%20repos>
Kind regards,
Yuriy Darnobyt
|
From: Frank L. <fr...@li...> - 2025-05-30 09:32:30
|
The OpenVPN community project team is proud to release OpenVPN 2.7_alpha1.
This is the first Alpha release for the feature release 2.7.0.
As the "Alpha" name implies this is an early release build, this is not intended
for production use.
Highlights of this release include:
* Multi-socket support for servers -- Handle multiple addresses/ports/protocols
within one server
* Improved Client support for DNS options
* Client implementations for Linux/BSD, included with the default install
* New client implementation for Windows, adding support for features like split
DNS and DNSSEC
* Architectural improvements on Windows
* The block-local flag is now enforced with WFP filters
* Windows network adapters are now generated on demand
* Windows automatic service now runs as an unprivileged user
* Support for server mode in win-dco driver
* Note: Support for the wintun driver has been removed.
win-dco is now the default, tap-windows6 is the fallback solution for
use-cases not covered by win-dco.
* Improved data channel
* Enforcement of AES-GCM usage limit
* Epoch data keys and packet format
* Support for new upstream DCO Linux kernel module
* This release supports the new ovpn DCO Linux kernel module which will be
available in future upstream Linux kernel releases. Backports of the new
module to current kernels are available via the ovpn-backports project.
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/master/Changes.rst>
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community-downloads/>
Packages for Debian, Ubuntu, Fedora, RHEL, and openSUSE are available in the various
official Community repositories:
<https://community.openvpn.net/Pages/OpenVPN%20software%20repos>
Regards,
--
Frank Lichtenheld
|
|
From: Yuriy D. <yur...@op...> - 2025-04-03 11:24:38
|
The OpenVPN community project team is proud to release OpenVPN 2.6.14.
This is a bugfix release containing one security fix.
Security fixes:
* CVE-2025-2704: fix possible ASSERT() on OpenVPN servers using --tls-crypt-v2
Security scope: OpenVPN servers between 2.6.1 and 2.6.13 using --tls-crypt-v2 can be made to abort with an ASSERT()
message by sending a particular combination of authenticated and malformed packets. To trigger the bug, a valid
tls-crypt-v2 client key is needed, or network observation of a handshake with a valid tls-crypt-v2 client key.
No crypto integrity is violated, no data is leaked, and no remote code execution is possible.
This bug does not affect OpenVPN clients. (Bug found by internal QA at OpenVPN Inc)
Bug fixes:
* Linux DCO: repair source IP selection for --multihome (Qingfang Deng)
Windows MSI changes since 2.6.13:
* Built against OpenSSL 3.4.1
* Included openvpn-gui updated to 11.52.0.0
* Use correct %TEMP% directory for debug log file.
* Disable config in menu listing if its ovpn file becomes inaccessible (github openvpn-gui#729)
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>
(The Changes document also contains a section with work-arounds for
common problems encountered when using OpenVPN with OpenSSL 3)
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community-downloads/>
Debian and Ubuntu packages are available in the official apt repositories:
<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>
On Red Hat derivatives we recommend using the Fedora Copr repository.
<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/>
Kind regards,
Yuriy Darnobyt
|
From: Frank L. <fr...@li...> - 2025-01-16 17:20:20
|
The OpenVPN community project team is proud to release OpenVPN 2.6.13.
This is a bugfix release.
Feature changes:
* on non-windows clients (MacOS, Linux, Unix) send "release" string from uname()
call as IV_PLAT_VER to server - while highly OS specific this is still helpful
to keep track of OS versions used on the client side (github #637)
* Windows: protect cached username, password and token in client memory (using
the CryptProtectMemory() windows API)
* Windows: use new API to get dco-win driver version from driver (newly introduced
non-exclusive control device) (github ovpn-dco-win#76)
* Linux: pass --timeout=0 argument to systemd-ask-password, to avoid default timeout
of 90 seconds ("console prompting also has no timeout") (github #649)
Security fixes:
* improve server-side handling of clients sending usernames or passwords longer than
USER_PASS_LEN - this would not result in a crash, buffer overflow or other security
issues, but the server would then misparse incoming IV variables and produce
misleading error messages.
Notable bug fixes:
* FreeBSD DCO: fix memory leaks in nvlist handling (github #636)
* purge proxy authentication credentials from memory after use
(if --auth-nocache is in use)
Windows MSI changes since 2.6.12:
* Built against OpenSSL 3.4.0
* Included openvpn-gui updated to 11.51.0.0
* Higher resolution eye icons (github openvpn-gui#697)
* Support for concatenating OTP with password
* Optionally always prompt for OTP
* Fix tooltip positioning when the taskbar is at top (github openvpn-gui#710)
Debian/Ubuntu community packages are now available for Ubuntu 24.10 (oracular).
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>
(The Changes document also contains a section with work-arounds for
common problems encountered when using OpenVPN with OpenSSL 3)
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community-downloads/>
Debian and Ubuntu packages are available in the official apt repositories:
<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>
On Red Hat derivatives we recommend using the Fedora Copr repository.
<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/>
Kind regards,
--
Frank Lichtenheld
|
|
From: Yuriy D. <yur...@op...> - 2024-07-18 18:10:40
|
The OpenVPN community project team is proud to release OpenVPN 2.6.12.
This is a bugfix release.
Bug fixes:
* the fix for CVE-2024-5594 (refuse control channel messages with nonprintable
characters) was too strict, breaking user configurations with AUTH_FAIL messages
having trailing CR/NL characters. This often happens if the AUTH_FAIL reason is
set by a script. Strip those before testing the command buffer (github #568).
Also, add unit test.
* Http-proxy: fix bug preventing proxy credentials caching (trac #1187)
Windows MSI changes since 2.6.11:
* Built against OpenSSL 3.3.1
* Included openvpn-gui updated to 11.50.0.0
* Update Italian language (github #696)
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>
(The Changes document also contains a section with work-arounds for
common problems encountered when using OpenVPN with OpenSSL 3)
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community-downloads/>
Debian and Ubuntu packages are available in the official apt repositories:
<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>
On Red Hat derivatives we recommend using the Fedora Copr repository.
<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/>
Kind regards,
Yuriy Darnobyt
|
From: Frank L. <fr...@li...> - 2024-06-21 09:28:15
|
The OpenVPN community project team is proud to release OpenVPN 2.6.11.
This is a bugfix release containing several security fixes.
Security fixes:
* CVE-2024-4877: Windows: harden interactive service pipe.
Security scope: a malicious process with "some" elevated privileges
(SeImpersonatePrivilege) could open the pipe a second time, tricking openvpn GUI
into providing user credentials (tokens), getting full access to the account
openvpn-gui.exe runs as. (Zeze with TeamT5)
* CVE-2024-5594: control channel: refuse control channel messages with
nonprintable characters in them.
Security scope: a malicious openvpn peer can send garbage to openvpn log, or
cause high CPU load. (Reynir Björnsson)
* CVE-2024-28882: only call schedule_exit() once (on a given peer).
Security scope: an authenticated client can make the server "keep the session"
even when the server has been told to disconnect this client (Reynir Björnsson)
New features:
* Windows Crypto-API: Implement Windows CA template match for searching
certificates in windows crypto store.
* Support pre-created DCO interface on FreeBSD (OpenVPN would fail to set ifmode
p2p/subnet otherwise)
Bug fixes:
* Fix connect timeout when using SOCKS proxies (trac #328, github #267)
* Work around LibreSSL crashing on OpenBSD 7.5 when enumerating ciphers
(LibreSSL bug, already fixed upstream, but not backported to OpenBSD 7.5,
see also https://github.com/libressl/openbsd/issues/150)
* Add bracket in fingerprint message and do not warn about missing verification
(github #516)
Documentation:
* Remove "experimental" denotation for --fast-io
* Correctly document ifconfig_* variables passed to scripts
* Documentation: make section levels consistent
* Samples: Update sample configurations (remove compression & old cipher settings,
add more informative comments)
Windows MSI changes since 2.6.10:
* For the Windows-specific security fix see above
* Built against OpenSSL 3.3.1
* Included openvpn-gui updated to 11.49.0.0
* Contains part of the fix for CVE-2024-4877
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community-downloads/>
Debian and Ubuntu packages are available in the official apt repositories:
<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>
On Red Hat derivatives we recommend using the Fedora Copr repository.
<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/>
Regards,
--
Frank Lichtenheld
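The control-channel check described in the 2.6.11 and 2.6.12 announcements above, as an added example that is not OpenVPN's own code: `msg_ok_strict` refuses any nonprintable byte, while `msg_ok_relaxed` first drops trailing CR/LF, which is the behaviour change the 2.6.12 note describes. The function names, the ASCII-only definition of "printable", the rejection of empty messages and the sample messages are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Helper to pass a string literal together with its real length, so that
 * embedded NUL bytes are counted instead of ending the string early. */
#define LIT(s) (s), (sizeof(s) - 1)

/* Assumption for this example: "printable" means ASCII 0x20..0x7e. */
static bool is_printable(unsigned char c)
{
    return c >= 0x20 && c <= 0x7e;
}

/* Length-based scan: every byte of the message is inspected, including
 * anything that follows an embedded NUL. */
static bool all_printable(const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
    {
        if (!is_printable((unsigned char)buf[i]))
        {
            return false;
        }
    }
    return true;
}

/* Returns the message length with any run of trailing CR/LF removed. */
static size_t len_without_trailing_crlf(const char *buf, size_t len)
{
    while (len > 0 && (buf[len - 1] == '\r' || buf[len - 1] == '\n'))
    {
        len--;
    }
    return len;
}

/* Strict policy: any nonprintable byte, including a trailing newline,
 * causes the message to be refused. Empty messages are refused too
 * (assumption of this example). */
bool msg_ok_strict(const char *buf, size_t len)
{
    return len > 0 && all_printable(buf, len);
}

/* Relaxed policy: strip trailing CR/LF first, then apply the same test.
 * CR/LF anywhere else in the message is still refused. */
bool msg_ok_relaxed(const char *buf, size_t len)
{
    len = len_without_trailing_crlf(buf, len);
    return len > 0 && all_printable(buf, len);
}

int main(void)
{
    /* Constructed sample messages, not captured traffic. */
    static const struct
    {
        const char *buf;
        size_t len;
        const char *label;
    } samples[] = {
        { LIT("AUTH_FAILED,bad password"),           "plain reason" },
        { LIT("AUTH_FAILED,bad password\r\n"),       "script reason with CRLF" },
        { LIT("AUTH_FAILED,line1\r\nline2"),         "CRLF in the middle" },
        { LIT("AUTH_FAILED," "\x07" "bell\n"),       "control byte inside" },
        { LIT("PUSH_REPLY\0hidden"),                 "embedded NUL" },
        { LIT("\r\n"),                               "only CRLF" },
    };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    {
        printf("%-26s strict=%-7s relaxed=%s\n", samples[i].label,
               msg_ok_strict(samples[i].buf, samples[i].len) ? "accept" : "refuse",
               msg_ok_relaxed(samples[i].buf, samples[i].len) ? "accept" : "refuse");
    }
    return 0;
}
```

Only the second sample changes verdict between the two policies; the relaxed check still refuses line breaks and control bytes inside the message, so log output cannot be split by a peer.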
|
From: Yuriy D. <yur...@op...> - 2024-03-20 19:45:21
|
The OpenVPN community project team is proud to release OpenVPN 2.6.10.
This is a bugfix release containing several security fixes for Windows and Windows TAP driver and documentation updates.
Security fixes:
* CVE-2024-27459: Windows: fix a possible stack overflow in the interactive service component which might lead to a local privilege escalation.
Reported-by: Vladimir Tokarev <vto...@mi...>
* CVE-2024-24974: Windows: disallow access to the interactive service pipe from remote computers.
Reported-by: Vladimir Tokarev <vto...@mi...>
* CVE-2024-27903: Windows: disallow loading of plugins from untrusted installation paths, which could be used to attack openvpn.exe
via a malicious plugin. Plugins can now only be loaded from the OpenVPN install directory, the Windows system directory, and possibly
from a directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir.
Reported-by: Vladimir Tokarev <vto...@mi...>
* CVE-2024-1305: Windows TAP driver: Fix potential integer overflow in !TapSharedSendPacket.
Reported-by: Vladimir Tokarev <vto...@mi...>
User visible changes:
* Update copyright notices to 2024
Bug fixes:
* Windows: if the win-dco driver is used (default) and the GUI requests use of a proxy server, the connection would fail.
Disable DCO in this case. (Github: #522)
* Compression: minor bugfix in checking option consistency vs. compiled-in algorithm support
* systemd unit files: remove obsolete syslog.target
Documentation:
* remove license warnings about mbedTLS linking (README.mbedtls)
* update documentation references in systemd unit files
* sample config files: remove obsolete tls-*.conf files
* document that auth-user-pass may be inlined
Windows MSI changes since 2.6.9:
* For the Windows-specific security fixes see above
* Built against OpenSSL 3.2.1
* Included tap6-windows driver updated to 9.27.0
* Security fix, see above
* Included ovpn-dco-win driver updated to 1.0.1
* Ensure we don't pass too large key size to CryptoNG. We do not consider this a security issue since the CryptoNG API handles
this gracefully either way.
* Included openvpn-gui updated to 11.48.0.0
* Position tray tooltip above the taskbar
* Combine title and message in tray icon tip text
* Use a custom tooltip window for the tray icon
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>
(The Changes document also contains a section with work-arounds for
common problems encountered when using OpenVPN with OpenSSL 3)
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community-downloads/>
Debian and Ubuntu packages are available in the official apt repositories:
<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>
On Red Hat derivatives we recommend using the Fedora Copr repository.
<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/>
Kind regards,
Yuriy Darnobyt
|
From: Frank L. <fr...@li...> - 2024-02-13 11:33:06
|
The OpenVPN community project team is proud to release OpenVPN 2.6.9.
This is a bugfix release containing one security fix for the Windows installer.
Security fixes:
* Windows Installer: fix CVE-2023-7235 where installing to a non-default directory
could lead to a local privilege escalation. Reported by Will Dormann.
New features:
* Add support for building with mbedTLS 3.x.x
* New option --force-tls-key-material-export to only accept clients that can do
TLS keying material export to generate session keys
(mostly an internal option to better deal with TLS 1.0 PRF failures).
* Windows: bump vcpkg-ports/pkcs11-helper to 1.30
* Log incoming SSL alerts in easier to understand form and move logging from --verb 8
to --verb 3.
* protocol_dump(): add support for printing --tls-crypt packets
User visible changes:
* License change is now complete, and all code has been re-licensed under the new license
(still GPLv2, but with new linking exception for Apache2 licensed code).
See COPYING for details.
Code that could not be re-licensed has been removed or rewritten.
* The original code for the --tls-export-cert feature has been removed (due to the
re-licensing effort) and rewritten without looking at the original code.
Feature-compatibility has been tested by other developers, looking at both old and
new code and documentation, so there *should* not be a user-visible change here.
* IPv6 route addition/deletion are now logged on the same level (3) as for IPv4.
Previously IPv6 was always logged at --verb 1.
* Better handling of TLS 1.0 PRF failures in the underlying SSL library (e.g. on some
FIPS builds) - this is now reported on startup, and clients before 2.6.0 that can not
use TLS EKM to generate key material are rejected by the server. Also, error messages
are improved to see what exactly failed.
Notable bug fixes:
* FreeBSD: for servers with multiple clients, reporting of peer traffic statistics would
fail due to insufficient buffer space (Github: #487)
Windows MSI changes since 2.6.8:
* Security fix, see above
* Built against OpenSSL 3.2.0
* Included openvpn-gui updated to 11.47.0.0
* Windows GUI: always update tray icon on state change (Github: #openvpn-gui/669)
(for persistent connection profiles, "connecting" state would not show)
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>
(The Changes document also contains a section with work-arounds for
common problems encountered when using OpenVPN with OpenSSL 3)
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community-downloads/>
Debian and Ubuntu packages are available in the official apt repositories:
<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>
On Red Hat derivatives we recommend using the Fedora Copr repository.
<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/>
Kind regards,
--
Frank Lichtenheld
|
|
From: Yuriy D. <yur...@op...> - 2023-11-17 17:23:33
|
The OpenVPN community project team is proud to release OpenVPN 2.6.8.
This is a small bugfix release fixing a few regressions in 2.6.7 release.
User visible changes:
* Windows: print warning if pushed options require DHCP (e.g. DOMAIN-SEARCH)
and driver in use does not use DHCP (wintun, dco).
Bug fixes:
* SIGSEGV crash: Do not check key_state buffers that are in S_UNDEF state
(Github #449) - the new sanity check function introduced in 2.6.7 sometimes
tried to use a NULL pointer after an unsuccessful TLS handshake
* Windows: --dns option did not work when tap-windows6 driver was used, because
internal flag for "apply DNS option to DHCP server" wasn't set (Github #447)
* Windows: fix status/log file permissions, caused by regression after changing
to CMake build system (Github: #454, Trac: #1430)
* Windows: fix --chdir failures, also caused by error in CMake build system
(Github #448)
Windows MSI changes since 2.6.7:
* Included openvpn-gui updated to 11.46.0.0
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>
(The Changes document also contains a section with work-arounds for
common problems encountered when using OpenVPN with OpenSSL 3)
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community-downloads/>
Debian and Ubuntu packages are available in the official apt repositories:
<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>
On Red Hat derivatives we recommend using the Fedora Copr repository.
<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/>
Kind regards,
Yuriy Darnobyt
|
From: Yuriy D. <yur...@op...> - 2023-11-09 20:56:32
|
The OpenVPN community project team is proud to release OpenVPN 2.6.7.
This is a bugfix release containing security fixes.
Security Fixes:
* CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after
it has been free()d in some circumstances, causing some free()d memory to be sent to the peer.
All configurations using TLS (e.g. not using --secret) are affected by this issue.
(found while tracking down CVE-2023-46849 / Github #400, #417)
* CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore --fragment configuration
in some circumstances, leading to a division by zero when --fragment is used. On platforms where
division by zero is fatal, this will cause an OpenVPN crash. (Github #400, #417).
User visible changes:
* DCO: warn if DATA_V1 packets are sent by the other side - this is a hard incompatibility between
a 2.6.x client connecting to a 2.4.0-2.4.4 server, and the only fix is to use --disable-dco.
* Remove OpenSSL Engine method for loading a key. This had to be removed because the original author
did not agree to relicensing the code with the new linking exception added. This was a somewhat
obsolete feature anyway as it only worked with OpenSSL 1.x, which is end-of-support.
* add warning if p2p NCP client connects to a p2mp server - this is a combination that used to work
without cipher negotiation (pre 2.6 on both ends), but would fail in non-obvious ways with 2.6 to 2.6.
* add warning to --show-groups that not all supported groups are listed (this is
due to the internal enumeration in OpenSSL being a bit weird, omitting X448 and X25519 curves).
* --dns: remove support for exclude-domains argument (this was a new 2.6 option,
with no backend support implemented yet on any platform, and it turns out that
no platform supported it at all - so remove option again)
* warn user if INFO control message too long, do not forward to management client
(safeguard against protocol-violating server implementations)
New features:
* DCO-WIN: get and log driver version (for easier debugging).
* print "peer temporary key details" in TLS handshake
* log OpenSSL errors on failure to set certificate, for example if the algorithms used
are unacceptable to OpenSSL (misleading message would be printed in cryptoapi / pkcs11 scenarios)
* add CMake build system for MinGW and MSVC builds
* remove old MSVC build system
* improve cmocka unit test building for Windows
Windows MSI changes since 2.6.6:
* Included openvpn-gui updated to 11.45.0.0
* Add clarity for error on missing management parameter. See GH #657
* Improve "OpenVPN GUI" tooltip handling See GH #649
* MSIs now use OpenSSL 3.1.4
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>
(The Changes document also contains a section with work-arounds for
common problems encountered when using OpenVPN with OpenSSL 3)
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community-downloads/>
Debian and Ubuntu packages are available in the official apt repositories:
<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>
On Red Hat derivatives we recommend using the Fedora Copr repository.
<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/>
Kind regards,
Yuriy Darnobyt
|
From: Yuriy D. <yur...@op...> - 2023-11-09 20:34:11
|
The OpenVPN community project team is proud to release OpenVPN 2.6.7.
This is a bugfix release containing security fixes.
Security Fixes:
* CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after
it has been free()d in some circumstances, causing some free()d memory to be sent to the peer.
All configurations using TLS (e.g. not using --secret) are affected by this issue.
(found while tracking down CVE-2023-46849 / Github #400, #417)
* CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore --fragment configuration
in some circumstances, leading to a division by zero when --fragment is used. On platforms where
division by zero is fatal, this will cause an OpenVPN crash. (Github #400, #417).
User visible changes:
* DCO: warn if DATA_V1 packets are sent by the other side - this is a hard incompatibility between
a 2.6.x client connecting to a 2.4.0-2.4.4 server, and the only fix is to use --disable-dco.
* Remove OpenSSL Engine method for loading a key. This had to be removed because the original author
did not agree to relicensing the code with the new linking exception added. This was a somewhat
obsolete feature anyway as it only worked with OpenSSL 1.x, which is end-of-support.
* add warning if p2p NCP client connects to a p2mp server - this is a combination that used to work
without cipher negotiation (pre 2.6 on both ends), but would fail in non-obvious ways with 2.6 to 2.6.
* add warning to --show-groups that not all supported groups are listed (this is
due to the internal enumeration in OpenSSL being a bit weird, omitting X448 and X25519 curves).
* --dns: remove support for exclude-domains argument (this was a new 2.6 option,
with no backend support implemented yet on any platform, and it turns out that
no platform supported it at all - so remove option again)
* warn user if INFO control message too long, do not forward to management client
(safeguard against protocol-violating server implementations)
New features:
* DCO-WIN: get and log driver version (for easier debugging).
* print "peer temporary key details" in TLS handshake
* log OpenSSL errors on failure to set certificate, for example if the algorithms used
are unacceptable to OpenSSL (misleading message would be printed in cryptoapi / pkcs11 scenarios)
* add CMake build system for MinGW and MSVC builds
* remove old MSVC build system
* improve cmocka unit test building for Windows
Windows MSI changes since 2.6.6:
* Included openvpn-gui updated to 11.45.0.0
* Add clarity for error on missing management parameter. See GH #657
* Improve "OpenVPN GUI" tooltip handling See GH #649
* MSIs now use OpenSSL 3.1.4
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>
(The Changes document also contains a section with work-arounds for
common problems encountered when using OpenVPN with OpenSSL 3)
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community-downloads/>
Debian and Ubuntu packages are available in the official apt repositories:
<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>
On Red Hat derivatives we recommend using the Fedora Copr repository.
<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/>
Kind regards,
Yuriy Darnobyt
|
|
From: Frank L. <fr...@li...> - 2023-08-23 09:19:42
|
The OpenVPN community project team is proud to release OpenVPN 2.6.6.
This is a small bugfix release.
User visible changes:
* OCC exit messages are now logged more visibly. See GH #391.
* OpenSSL error messages are now logged with more details (for example, when
loading a provider fails, which .so was tried, and why did it fail). See GH #361.
* print a more user-friendly message when tls-crypt-v2 client auth fails
* packaging now includes all documentation in the source tarball
New features:
* set WINS server via interactive service - this adds support for
"dhcp-option WINS 192.0.2.1" for DCO + wintun interfaces where no DHCP server
is used. See GH #373.
Windows MSI changes since 2.6.5:
* Included openvpn-gui updated to 11.44.0.0
* MSIs now use OpenSSL 3.1.2
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>
(The Changes document also contains a section with work-arounds for
common problems encountered when using OpenVPN with OpenSSL 3)
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community-downloads/>
Debian and Ubuntu packages are available in the official apt repositories:
<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>
On Red Hat derivatives we recommend using the Fedora Copr repository.
<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/>
Kind regards,
--
Frank Lichtenheld
|
From: Frank L. <fr...@li...> - 2023-06-16 16:03:32
|
The OpenVPN community project team is proud to release OpenVPN 2.6.5.
This is a small bugfix release.
User visible changes:
* tapctl (windows): generate driver-specific names (if using tapctl to create
additional tap/wintun/dco devices, and not using --name). See GH #337.
* interactive service (windows): do not force target desktop for openvpn.exe -
this has no impact for normal use, but enables running of OpenVPN in a scripted
way when no user is logged on (for example, via task scheduler).
See GH openvpn-gui#626
Windows MSI changes since 2.6.4:
* MSIs now use OpenSSL 3.1.1
Debian/Ubuntu packages in official apt repositories are now available for arm64.
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>
(The Changes document also contains a section with work-arounds for
common problems encountered when using OpenVPN with OpenSSL 3)
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community-downloads/>
Debian and Ubuntu packages are available in the official apt repositories:
<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>
On Red Hat derivatives we recommend using the Fedora Copr repository.
<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/>
Kind regards,
--
Frank Lichtenheld
|
From: Frank L. <fr...@li...> - 2023-05-16 12:40:28
|
The OpenVPN community project team is proud to release OpenVPN 2.6.4.
This is a small bugfix release.
Note:
* License amendment: all NEW commits fall under a modified license that
explicitly permits linking with Apache2 libraries (mbedTLS, OpenSSL).
See COPYING for details. Existing code will fall under the new license as soon
as all contributors have agreed to the change - work ongoing.
Feature changes:
* DCO: support kernel-triggered key rotation (avoid IV reuse after 2^32 packets).
This is the userland side, accepting a message from kernel, and initiating a
TLS renegotiation. As of 2.6.4 release, only implemented in FreeBSD kernel.
Windows MSI changes since 2.6.3:
* Rebuilt included tap-windows driver with the correct version of the old
Windows 7 driver, removing a warning about unsigned driver on Windows 7
installation. See GH openvpn-build#365.
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>
(The Changes document also contains a section with work-arounds for
common problems encountered when using OpenVPN with OpenSSL 3)
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community-downloads/>
Debian and Ubuntu packages are available in the official apt repositories:
<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>
On Red Hat derivatives we recommend using the Fedora Copr repository.
<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/>
Kind regards,
--
Frank Lichtenheld