OpenVPN 2.6.0 has already been released and comes with a lot of changes


OpenVPN is a free-software connectivity tool that builds an SSL-based VPN (Virtual Private Network).

Two and a half years after the release of the 2.5 branch, the launch of the new version OpenVPN 2.6.0 has been announced. OpenVPN is a package for creating virtual private networks that can set up an encrypted connection between two client machines or provide a centralized VPN server that many clients use simultaneously.

For those who are unfamiliar with OpenVPN, it is a free-software connectivity tool that implements an SSL (Secure Sockets Layer) VPN, a Virtual Private Network.

OpenVPN offers point-to-point connectivity with hierarchical validation of remotely connected users and hosts. It is a very good option on Wi-Fi (IEEE 802.11 wireless networks) and supports a wide range of configurations, including load balancing.

Main new features of OpenVPN 2.6.0

The headline change in the new version is that the ovpn-dco kernel module is now included in the package, which can significantly speed up VPN performance.

The acceleration comes from moving all encryption operations, packet processing and communication-channel management into the Linux kernel. This removes the overhead of context switches, lets the work be optimized through direct access to internal kernel APIs, and eliminates the slow data transfer between kernel and user space: the module performs encryption, decryption and routing without ever handing the traffic to a controller in user space.

In the tests carried out, compared with the configuration based on the tun interface, using the module on both the client and the server side with AES-256-GCM encryption achieved an 8x increase in performance (from 370 Mbit/s to 2950 Mbit/s). With the module only on the client side, performance tripled for outgoing traffic and did not change for incoming traffic. With the module only on the server side, performance increased 4x for incoming traffic and 35% for outgoing traffic.

Another change that stands out in the new version is that TLS mode can now be used with self-signed certificates: by using the "--peer-fingerprint" option, you can omit the "--ca" and "--capath" parameters and avoid setting up a PKI with Easy-RSA or similar software.

In addition, the UDP server implements a cookie-based connection negotiation mode that uses an HMAC-based cookie as the session identifier, which allows the server to verify new connections statelessly.

Support for building against the OpenSSL 3.0 library has also been added, along with the option "--tls-cert-profile insecure" to select the lowest OpenSSL security level.

New management commands, remote-entry-count and remote-entry-get, have been added to count and enumerate the configured remote (external connection) entries.

In the key negotiation process, the EKM mechanism (Exported Keying Material, RFC 5705) is now the preferred method for obtaining key-generation material, rather than the OpenVPN-specific PRF mechanism. EKM requires the OpenSSL library or mbed TLS 2.18+.

OpenSSL is supported in FIPS mode, allowing OpenVPN to be used on systems that must meet the security requirements of FIPS 140-2.

Of the other changes that stand out from the new version:

  • --mlock now checks that sufficient memory can be allocated. If less than 100 MB is available, setrlimit() is called to raise the limit.
  • Added the "--peer-fingerprint" option to validate or pin a certificate by its SHA256 fingerprint, without using tls-verify.
  • Deferred authentication is now available to scripts via the "--auth-user-pass-verify" option. Added support for informing the client that authentication is pending when deferred authentication is used in scripts and plugins.
  • Added a compatibility mode (--compat-mode) to allow connections to older servers running OpenVPN 2.3.x or earlier.
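The self-signed TLS mode described above (the "--peer-fingerprint" paragraph and the bullet on pinning by SHA256 fingerprint) as an added example; this script is not from the article or the OpenVPN project. It assumes openssl is installed, and the host name, port, subnet and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the article or the OpenVPN project: a self-signed setup that
# pins the peer by SHA256 fingerprint (--peer-fingerprint, OpenVPN 2.6) instead of a CA.
# Assumes openssl is installed; host name, port and file names are placeholders.
set -eu

# Self-signed EC certificate and key for one peer (constructed, demo only).
make_selfsigned() {  # $1 = common name; writes $1.key and $1.crt
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 3650 -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Normalise the "sha256 Fingerprint=..." (OpenSSL 3) or "SHA256 Fingerprint=..."
# (OpenSSL 1.1) line printed by openssl x509 into the upper-case, colon-separated
# form that --peer-fingerprint expects.
fingerprint_from_openssl_line() {
    sed -n 's/^[Ss][Hh][Aa]256 Fingerprint=//p' | tr 'a-f' 'A-F'
}

# SHA256 fingerprint of a certificate file.
fingerprint_of() {  # $1 = certificate file
    openssl x509 -in "$1" -noout -sha256 -fingerprint | fingerprint_from_openssl_line
}

# A usable fingerprint is 32 bytes: 32 hex pairs joined by 31 colons.
is_valid_fingerprint() {
    printf '%s' "$1" | grep -Eq '^([0-9A-F]{2}:){31}[0-9A-F]{2}$'
}

# The inline block that replaces "ca ca.crt" on one side: pin the other side's fingerprint.
peer_fingerprint_block() {  # $1 = fingerprint of the remote peer
    is_valid_fingerprint "$1" || { echo "bad fingerprint: $1" >&2; return 1; }
    printf '<peer-fingerprint>\n%s\n</peer-fingerprint>\n' "$1"
}

demo() {
    work=$(mktemp -d); cd "$work"
    make_selfsigned server; make_selfsigned client
    srv_fp=$(fingerprint_of server.crt); cli_fp=$(fingerprint_of client.crt)
    # Server: its own cert/key plus the client's fingerprint; no ca/capath needed.
    { printf 'dev tun\nproto udp\nport 1194\nserver 10.8.0.0 255.255.255.0\n'
      printf 'cert server.crt\nkey server.key\ndh none\n'
      peer_fingerprint_block "$cli_fp"; } > server.conf
    # Client: its own cert/key plus the server's fingerprint.
    { printf 'client\ndev tun\nremote vpn.example.test 1194 udp\ncert client.crt\nkey client.key\n'
      peer_fingerprint_block "$srv_fp"; } > client.conf
    cat server.conf client.conf
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

Each side pins exactly the peer certificate it expects, so replacing a certificate means updating the fingerprint on the other side; the pinning does not need a CA, a CRL or an expiry check.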

Finally, if you are interested in learning more, you can consult the details in the following link.
