OpenVPN 2.5.0 has been released and comes with a lot of changes

Almost four years after the 2.4 branch was published, a period during which only minor releases (bug fixes and a few additional features) appeared, OpenVPN 2.5.0 is now out.

This new version comes with many major changes; the most interesting concern encryption (a new data-channel cipher and a reworked cipher negotiation), IPv6-only tunnels, and new authentication and key-protection mechanisms.

About OpenVPN

For those unfamiliar with OpenVPN: it is a free-software VPN (Virtual Private Network) tool whose control channel is built on SSL/TLS.

OpenVPN provides point-to-point connectivity with certificate-based (PKI) authentication of remote users and hosts. It is a good option on Wi-Fi (IEEE 802.11 wireless networks) and supports a wide range of configurations, including load balancing.

OpenVPN is a cross-platform tool that makes VPN setup much simpler than older and harder-to-configure alternatives such as IPsec, which makes it more accessible to people with little experience in this kind of technology.

Main new features of OpenVPN 2.5.0

Among the most important changes, OpenVPN 2.5.0 can now encrypt the data channel with the ChaCha20 stream cipher combined with the Poly1305 message authentication code (the CHACHA20-POLY1305 AEAD cipher), positioned as a faster and more secure counterpart of AES-256-CTR plus HMAC. Its software implementation runs in constant time without special hardware support (such as AES-NI), which matters on routers and other low-end devices. The cipher has to be provided by the crypto library (OpenSSL 1.1.0 or later); "openvpn --show-ciphers" lists what a given build actually supports.

The ability to provide each client with a unique tls-crypt key (the new "--tls-crypt-v2" option), which lets large organizations and VPN providers use the same TLS control-channel protection and DoS prevention techniques that were previously only practical in small setups with a single shared tls-auth or tls-crypt key. The server keeps one server key and hands each client a per-client key wrapped with it, so a leaked client key no longer exposes the secret shared by the whole deployment.

Another important change is the improved mechanism for negotiating the cipher used to protect the data channel. The ncp-ciphers option has been renamed to data-ciphers to avoid confusion with the tls-cipher option and to make clear that data-ciphers is the preferred way to configure data-channel ciphers (the old name is retained as an alias for compatibility).

Clients now send the full list of data ciphers they support to the server in the IV_CIPHERS peer-info variable, and the server selects the first cipher from its own data-ciphers list that the client also supports, so the order of the server's list expresses the preference.

BF-CBC has been removed from the defaults: OpenVPN 2.5 only enables AES-256-GCM and AES-128-GCM unless "--data-ciphers" says otherwise. When upgrading, a "cipher BF-CBC" line in an old configuration file is converted automatically: BF-CBC is appended to the data-ciphers list and enabled as the "--data-ciphers-fallback" cipher for peers that cannot negotiate, with a deprecation warning in the log. Treat this as a migration aid only; Blowfish has a 64-bit block size (the SWEET32 attack), so the goal should be to retire it rather than to keep the fallback.
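To make the negotiation rules concrete, here is a small Python model (an added example, not OpenVPN's own code) of how a 2.5 server chooses the data-channel cipher and how a legacy "cipher BF-CBC" line is converted. The class and function names (ServerOptions, server_options_from_config, peer_cipher_list, negotiate) and the warning text are this example's own, and it simplifies the real implementation: it only looks at the cipher-related options, and when no common cipher exists it returns the fallback cipher as the server's choice, whereas a real client that cannot use that cipher then fails when the data channel is set up.

```python
"""Simplified model of OpenVPN 2.5 data-channel cipher negotiation (NCP).

Added example, not OpenVPN's own code. It mirrors the documented behaviour:
the server walks its own --data-ciphers list in order and picks the first
entry the client also supports (from IV_CIPHERS, from the implied list of a
2.4 client that only sends IV_NCP=2, or the cipher a pre-NCP client announces
via OCC); if nothing matches, the connection only proceeds when
--data-ciphers-fallback is configured. All names below are this example's own.
"""
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_DATA_CIPHERS = ("AES-256-GCM", "AES-128-GCM")
# What a 2.4 client that announces IV_NCP=2 (but no IV_CIPHERS) is assumed to accept.
NCP_V2_IMPLIED = ("AES-256-GCM", "AES-128-GCM")


@dataclass
class ServerOptions:
    data_ciphers: List[str] = field(default_factory=lambda: list(DEFAULT_DATA_CIPHERS))
    fallback: Optional[str] = None          # --data-ciphers-fallback
    warnings: List[str] = field(default_factory=list)


def server_options_from_config(config_text: str) -> ServerOptions:
    """Parse the cipher-related lines of a server config the way 2.5 treats them,
    including the compatibility conversion of a legacy 'cipher' line."""
    opts = ServerOptions()
    data_ciphers = None
    legacy_cipher = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        key, *args = line.split()
        if key in ("data-ciphers", "ncp-ciphers") and args:   # ncp-ciphers is the old alias
            data_ciphers = args[0].split(":")
        elif key == "data-ciphers-fallback" and args:
            opts.fallback = args[0]
        elif key == "cipher" and args:
            legacy_cipher = args[0]
    if data_ciphers is not None:
        opts.data_ciphers = data_ciphers
    # 2.5 compatibility: a --cipher that is missing from --data-ciphers is appended
    # to the list and becomes the fallback cipher, with a deprecation warning.
    if legacy_cipher and legacy_cipher not in opts.data_ciphers:
        opts.data_ciphers.append(legacy_cipher)
        if opts.fallback is None:
            opts.fallback = legacy_cipher
        opts.warnings.append(
            f"DEPRECATED OPTION: --cipher set to '{legacy_cipher}' "
            f"but missing in --data-ciphers")
    return opts


def peer_cipher_list(peer_info: dict) -> List[str]:
    """Ciphers a client is known to accept, derived from its peer-info."""
    if "IV_CIPHERS" in peer_info:            # 2.5 client: explicit list
        return peer_info["IV_CIPHERS"].split(":")
    if peer_info.get("IV_NCP") == "2":       # 2.4 client: implied GCM pair
        return list(NCP_V2_IMPLIED)
    return []                                # 2.3 or older: no NCP at all


def negotiate(server: ServerOptions, peer_info: dict,
              occ_cipher: Optional[str]) -> Optional[str]:
    """Return the data-channel cipher the server will use, or None if it rejects the client.

    occ_cipher is the --cipher the client announced via OCC. It is only trusted for
    clients that do not send IV_CIPHERS: a 2.5 client lists everything it accepts,
    so its OCC cipher is not assumed to be acceptable.
    """
    accepted = peer_cipher_list(peer_info)
    remote = occ_cipher if "IV_CIPHERS" not in peer_info else None
    for cipher in server.data_ciphers:       # the server's order wins
        if cipher in accepted or cipher == remote:
            return cipher
    # No common NCP cipher: only a configured fallback keeps the client connected.
    return server.fallback


if __name__ == "__main__":
    # Constructed sample: a server preferring AES-GCM, a 2.5 client that also offers ChaCha20.
    srv = server_options_from_config("data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305\n")
    print(negotiate(srv, {"IV_CIPHERS": "CHACHA20-POLY1305:AES-128-GCM"}, "AES-256-CBC"))
    # A 2.3 client with the old default BF-CBC is rejected unless a fallback is configured.
    print(negotiate(srv, {}, "BF-CBC"))
```

Two things the model makes visible: an old client that only announces "cipher BF-CBC" is rejected by a default 2.5 server (no common cipher, no fallback), and it is only accepted because the automatic conversion of a legacy "cipher" line both appends BF-CBC to data-ciphers and turns on the fallback. Writing "data-ciphers-fallback" explicitly, or better, upgrading the clients, removes the deprecation warning.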

Support for asynchronous (deferred) authentication was added to the auth-pam plugin. Likewise, the "--client-connect" option and the plugin client-connect API can now defer returning the client configuration.

On Linux, support for virtual routing and forwarding (VRF) network interfaces was added. The "--bind-dev" option binds the outer (transport) socket to a VRF device.

Support for configuring IP addresses and routes through the Netlink interface provided by the Linux kernel. Netlink is used when OpenVPN is built without the "--enable-iproute2" configure option and lets OpenVPN run without the additional privileges needed to execute the external "ip" utility.

The protocol gained the ability to perform two-factor or additional web-based authentication (for example SAML) without tearing down the session after the first check: after the first verification the session stays in a "pending authentication" state until the second stage completes.

Other notable changes:

  • It is now possible to work with IPv6 addresses only inside the VPN tunnel (previously this was impossible without also assigning IPv4 addresses).
  • The "--data-ciphers" and "--data-ciphers-fallback" settings can be assigned per client from the client-connect script.
  • The MTU of the tun/tap interface can be set on Windows.
  • Support for selecting an OpenSSL engine to access the private key (e.g. a TPM).
  • The "--auth-gen-token" option now supports HMAC-based token generation (stateless tokens keyed with "--auth-gen-token-secret").
  • /31 netmasks can be used in IPv4 settings (OpenVPN no longer tries to set a broadcast address).
  • Added the "--block-ipv6" option, which answers any IPv6 packet with an ICMPv6 "no route to host" instead of letting it leak outside the tunnel.
  • The "--ifconfig-ipv6" and "--ifconfig-ipv6-push" options accept a host name instead of an IP address (the address is resolved via DNS).
  • TLS 1.3 support, which requires at least OpenSSL 1.1.1. The new "--tls-ciphersuites" option configures TLS 1.3 cipher suites ("--tls-cipher" keeps covering TLS 1.2 and earlier), and "--tls-groups" restricts the elliptic-curve and Diffie-Hellman groups offered.
