Software Update: OpenVPN 2.5.7

OpenVPN is a robust and easy to set up open source VPN daemon that allows several private networks to be linked together through an encrypted tunnel over the internet. For security, the OpenSSL library is used, which can handle all encryption, authentication and certification. The developers have released version 2.5.7 and the most important changes are listed below for you.

New features

• Limited OpenSSL 3.0 support

  OpenSSL 3.0 support has been added. OpenSSL 3.0 support in 2.5 relies on the compatibility layer and full OpenSSL 3.0 support is coming with OpenVPN 2.6. Only features that impact usage directly have been backported:

  –tls-cert-profile insecure has been added to allow selecting the lowest OpenSSL security level (not recommended, use only if you must).

  OpenSSL 3.0 no longer supports the Blowfish (and other deprecated) algorithm by default and the new option –providers allows loading the legacy provider to renable these algorithms. Most notably, reading of many PKCS#12 files encrypted with the RC2 algorithm fails unless –providers legacy default is configured.

  The OpenSSL engine feature –engine is not enabled by default anymore if OpenSSL 3.0 is detected.

• Print OpenSSL error stack if decoding PKCS12 file fails

User-visible Changes

• Windows vcpkg building includes pkcs11-helper 1.29 now
• Add MSVC build options to harden windows binaries (HW-enforced stack protection, SHA256 object hashes, SDL).

Bug fixes

• Fix omission of cipher-negotiation.rst in tarballs
• Fix errno handling on Windows (Windows has different classes of error codes, GetLastError() and C runtime errno, these should now be handled correctly)
• Fix PATH_MAX build failure in auth-pam.c
• Fix t_net.sh self-test leaving around stale “ovpn-dummy0” interface
• Fix overlong path names, leading to missing pkcs11-helper patch in tarball