Software update: OpenVPN 2.6.2

OpenVPN is a robust and easy-to-set-up open source VPN daemon that can connect several private networks together via an encrypted tunnel across the Internet. It relies on the OpenSSL library, which can handle all encryption, authentication and certification. The developers have released version 2.6.2 and the changelog for that release can be found below.

New features

  • implement byte counter statistics for DCO Linux (p2mp server and client)
  • implement byte counter statistics for DCO Windows (client only)
  • ‘--dns server address …’ now permits up to 8 v4 or v6 addresses
  • fix a few cases of possibly undefined behavior detected by ASAN
  • add more unit tests for Windows cryptoapi interface

Bug fixes

  • sending of AUTH_PENDING and INFO_PRE messages fixed (#256)
  • Windows: do not treat “setting IPv6 interface metric failed” as fatal error on “block-dns” install – this can happen if IPv6 is disabled on the interface and is not harmful in itself (GH #294)
  • fix ‘--inactive’ if DCO is in use. NOTE: on FreeBSD, this is not working yet (missing per-peer stats)
  • DCO-Linux: do not print errno on netlink errors (errno is not set by NL)
  • SOCKS client: improve error reporting on server disconnects
  • DCO-Linux: fix lockups due to netlink buffer overflows on high client connect/disconnect activity. See “User visible changes” for more details of this.
  • fix some uses of the OpenSSL3 API for non-default providers (enable use of quantum-crypto OpenSSL provider)
  • fix memory leak of approx. 1600 bytes per incoming initial TLS packet
  • fix bug when using ECDSA signatures with OpenSSL 3.0.x and pkcs11-helper (data format conversion was not done properly)
  • fix ‘make distcheck’ – unexpected side effect of ‘subdir-objects’
  • fix ASSERT() with dynamic tls-crypt and --tls-crypt-v2 (GH #272)

User visible changes

  • print (kernel) DCO version on startup – helpful for getting a more complete picture of the environment in use.
  • New control packets flow for data channel offloading on Linux. 2.6.2+ changes the way OpenVPN control packets are handled on Linux when DCO is active, fixing the lockups observed with 2.6.0/2.6.1 under high client connect/disconnect activity. This is an INCOMPATIBLE change and therefore an ovpn-dco kernel module older than v0.2.20230323 (commit ID 726fdfe0fa21) will not work anymore and must be upgraded. The kernel module was renamed to “ovpn-dco-v2.ko” in order to highlight this change and ensure that users and userspace software could easily understand which version is loaded. Attempting to use the old ovpn-dco with 2.6.2+ will lead to disabling DCO at runtime.
  • The client-pending-auth management command now also requires the key id. The management version has been changed to 5 to indicate this change.
  • A client will now refuse a connection if the pushed compression settings contradict the setting of allow-compression, as this almost always results in a non-working connection.
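
A check for the kernel module requirement described under "User visible changes", as an added example (not code from the OpenVPN project or the original page). It assumes the kernel lists ovpn-dco-v2.ko as `ovpn_dco_v2` in /proc/modules (hyphens become underscores) and that the first line of `openvpn --version` begins with `OpenVPN <version>`; the function names and status strings are hypothetical.

```shell
#!/bin/sh
# Added example (not OpenVPN project code). Function names are hypothetical.

# version_ge A B: succeed when dotted version A >= B (first three numeric fields).
version_ge() {
    a="$1.0.0"; b="$2.0.0"          # pad so "2.6" compares as 2.6.0
    for i in 1 2 3; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i"); x=${x%%[!0-9]*}
        y=$(printf '%s\n' "$b" | cut -d. -f"$i"); y=${y%%[!0-9]*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# banner_version TEXT: version field from the first line of `openvpn --version`.
banner_version() { printf '%s\n' "$1" | awk 'NR == 1 { print $2 }'; }

# dco_status VERSION MODULES: MODULES is the content of /proc/modules.
dco_status() {
    if ! version_ge "$1" 2.6.2; then
        echo "not-applicable"; return 0     # the change only affects 2.6.2+
    fi
    # Compare column 1 only: the dependency column can also mention ovpn_dco.
    names=$(printf '%s\n' "$2" | awk '{ print $1 }')
    if printf '%s\n' "$names" | grep -qx 'ovpn_dco_v2'; then
        echo "dco-v2-loaded"
    elif printf '%s\n' "$names" | grep -qx 'ovpn_dco'; then
        echo "old-module-dco-disabled"      # 2.6.2+ disables DCO at runtime
    else
        echo "no-dco-module"
    fi
}

# Constructed sample input (not captured from a real host).
SAMPLE_BANNER='OpenVPN 2.6.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [DCO]'
SAMPLE_MODULES='udp_tunnel 28672 1 ovpn_dco, Live 0x0000000000000000
ovpn_dco 81920 0 - Live 0x0000000000000000'

dco_status "$(banner_version "$SAMPLE_BANNER")" "$SAMPLE_MODULES"
# On a live host:
#   dco_status "$(banner_version "$(openvpn --version)")" "$(cat /proc/modules)"
```

A result of `old-module-dco-disabled` means the tunnel still works but falls back to the userspace data path, so it is worth checking after any upgrade from 2.6.0/2.6.1.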

Version number: 2.6.2
Release status: Final
Operating systems: Windows 7, Linux, BSD, macOS, Solaris, Windows Server 2008, Windows Server 2012, Windows 8, Windows 10, Windows Server 2016, Windows Server 2019, Windows 11
Website: OpenVPN
Download: https://openvpn.net/community-downloads
License type: Prerequisites (GNU/BSD/etc.)