A new version of OpenVPN-NL (2.4.4-nl1) is available on the OpenVPN-NL website [1]. This version is based on OpenVPN 2.4.4 [2], and mbed TLS 2.6.0 [3].
This release does not fix any imminent security issues, but does further tighten overall security. Users are advised to upgrade to OpenVPN-NL 2.4.4-nl1 at any convenient time.
OpenVPN-NL 2.4 comes with a number of new features. Most of these are the same as the new features in upstream OpenVPN 2.4; see [4] for details. For OpenVPN-NL specifically, we'd like to highlight a few:
New ciphers:
The control channel now supports the following cipher suites by default:
  TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
  TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
  TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
The --tls-cipher option can be used to additionally include the backwards-compatible cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.
The data channel now supports both --cipher AES-256-CBC + --auth SHA256 (like 2.3 did), and --cipher AES-256-GCM (which doesn't need --auth).
Data channel cipher negotiation: Negotiable Cipher Parameters (NCP) allows users to upgrade from the previous OpenVPN-NL data channel cipher (AES-256-CBC + HMAC-SHA256) to the new data channel cipher (AES-256-GCM) without running multiple server instances. The new cipher has better performance and a lower per-packet overhead. If NCP is enabled at both ends, AES-256-GCM is automatically negotiated. In OpenVPN-NL 2.4, NCP is enabled by default on client instances, but disabled by default on server instances to allow server administrators to have full control over the cipher upgrade. NCP can be enabled using the --ncp-enable option.
Control channel encryption: The new --tls-crypt option can be used instead of --tls-auth, to both encrypt and authenticate control channel packets. This hides the TLS certificate contents from attackers without the --tls-crypt key.
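The following server and client configuration fragments are an added example, not part of this announcement or of the OpenVPN-NL project, showing how the options above fit together when upgrading from a 2.3-style setup; the key file name ta.key is an assumption.

```text
# ---- Server, OpenVPN-NL 2.4.4-nl1 (added example; file names are assumptions) ----
# Fallback data channel cipher, identical to the 2.3-era configuration, so that
# clients which do not negotiate a cipher keep working:
cipher AES-256-CBC
auth SHA256
# NCP is disabled by default on servers in OpenVPN-NL; enabling it lets 2.4 clients
# (NCP on by default) negotiate AES-256-GCM instead of AES-256-CBC + HMAC-SHA256.
ncp-enable
# Encrypt and authenticate the control channel. This replaces tls-auth (the two are not
# used together) and the same key must be present on every client, so roll it out to all
# clients before switching the server over. Key generated with: openvpn --genkey --secret ta.key
tls-crypt ta.key
# Default control channel suites plus the backwards-compatible CBC-SHA suite:
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA

# ---- Client, OpenVPN-NL 2.4.4-nl1 ----
# Same fallback cipher as the server; with both ends NCP-capable the connection
# upgrades to AES-256-GCM automatically (--auth is then not used for the data channel).
cipher AES-256-CBC
auth SHA256
# Same tls-crypt key as the server:
tls-crypt ta.key
```

Note that with the stricter config file checking in 2.4, a stray parameter on an option that takes none (for example "ncp-enable yes") is rejected at startup rather than silently ignored.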
Better support for roaming clients: UDP mode now supports client IP/port changes without requiring a reconnect. This reduces the need for clients to reconnect often, improving connection stability and reducing server load.
Stricter CRL checking: The CRL verification implementation now verifies that the CRL is correctly signed by the CA, and interprets the CRL 'nextUpdate' field as an expiration date. If the CRL is expired, connections will be rejected.
Stricter config file checking: Unused parameters to config options are no longer silently ignored. Instead, such configs are now rejected on startup.
For more details, please refer to the upstream Changes document in [4].
References
----------
[1] https://openvpn.fox-it.com/
[2] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
[3] https://tls.mbed.org/tech-updates/releases/mbedtls-2.6.0-2.1.9-and-1.3.21-re...
[4] https://github.com/OpenVPN/openvpn/blob/v2.4.4/Changes.rst