What is it?

OpenVPN 2.6 is the current major release of OpenVPN, the TLS-based VPN technology. In the past couple of releases, a lot of changes have been introduced into OpenVPN that we have not rolled out in IPFire because of backwards-compatibility issues.

Who is working on it?

Current Status

Description

We want to achieve the following things:

  • Roll out NCP for all clients by default
    • Existing clients will be supported using the "fallback cipher" option. This is required for old clients as well as for clients that have a previously generated configuration file in which NCP was explicitly disabled.
    • New clients will only receive the NCP configuration file with no cryptographic settings (if possible), so that the cryptographic policy can later be changed on the server side
  • Completely remove compression for all clients
  • Migrate to the subnet topology (commit)
  • Potentially remove the ZIP container
  • Strip the configuration file as much as possible
  • Tidy up as much code as possible
  • Rewrite the helper binary in shell
  • Make the service reloadable (no more stopping before editing)

Benefits to IPFire

IPFire users will benefit from the latest improvements and features brought into OpenVPN. Currently some of those are disabled for backwards-compatibility.

We expect that users will have better flexibility to roll out a custom cryptographic policy and therefore experience more secure and faster VPNs.

We also expect that we will be more compatible with modern clients and leverage new features there.

Impact

A big challenge will be to roll out any changes like this without breaking any existing environments. Often, users have hundreds of OpenVPN connections that cannot be replaced at once and therefore we need to make sure that no immediate action is needed.

We expect to deprecate a couple of configurations, so that, over time, people will have to update their clients and import a new configuration.

Due to the migration to the subnet topology there are a couple of changes:

  • Users will receive a different gateway address (the first IP address of the pool)
  • The client IP address remains the same
  • The IP addresses that were previously used by the per-client /30 networks are free to allocate now
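To make the address changes above concrete, here is a small added example (not IPFire's own code) that works out, for one client, what it gets under the old net30 topology and what it will get after the migration to the subnet topology. The pool 10.8.0.0/24 and the client block 10.8.0.4/30 are constructed sample values.

```python
import ipaddress


def net30_assignment(client_block: str) -> dict:
    """Addresses a client gets under OpenVPN's net30 topology.

    Every client owns a /30: the second host address is the client itself,
    the first host address is its point-to-point peer, i.e. its gateway.
    """
    blk = ipaddress.ip_network(client_block, strict=True)
    if blk.prefixlen != 30:
        raise ValueError("net30 assigns exactly one /30 per client")
    peer, client = list(blk.hosts())  # /30 has two usable hosts
    return {"client": str(client), "gateway": str(peer)}


def subnet_assignment(pool: str, client_ip: str) -> dict:
    """Same client under topology subnet: the address is kept, the gateway
    becomes the first address of the pool and the netmask is the pool's."""
    net = ipaddress.ip_network(pool, strict=True)
    ip = ipaddress.ip_address(client_ip)
    if ip not in net:
        raise ValueError(f"{ip} is outside the pool {net}")
    return {
        "client": str(ip),
        "gateway": str(next(net.hosts())),
        "netmask": str(net.netmask),
    }


def migrate_client(pool: str, client_block: str) -> dict:
    """Compare both topologies for one client and list the /30 addresses
    that become free once the client no longer needs a whole /30."""
    old = net30_assignment(client_block)
    new = subnet_assignment(pool, old["client"])
    blk = ipaddress.ip_network(client_block)
    freed = [str(a) for a in sorted(blk, key=int) if str(a) != old["client"]]
    return {
        # net30: "ifconfig-push <client> <peer>"; subnet: "ifconfig-push <client> <netmask>"
        "old_push": f"ifconfig-push {old['client']} {old['gateway']}",
        "new_push": f"ifconfig-push {new['client']} {new['netmask']}",
        "old_gateway": old["gateway"],
        "new_gateway": new["gateway"],
        "freed": freed,
    }


if __name__ == "__main__":
    for key, value in migrate_client("10.8.0.0/24", "10.8.0.4/30").items():
        print(f"{key}: {value}")
```

The client keeps 10.8.0.6, its gateway moves from 10.8.0.5 to 10.8.0.1, and 10.8.0.4, 10.8.0.5 and 10.8.0.7 are returned to the pool.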

Documentation

Feedback

This is a matrix to check which clients [1] work/don't work after all those changes:

                 Windows   Linux (CLI)   Linux (NetworkManager)   Mac OS X (Tunnelblick)   iOS   Android

  Without OTP
  OpenVPN 2.6    N/A       N/A           N/A                      N/A                      N/A   N/A
  OpenVPN 2.5    N/A       N/A           N/A                      N/A                      N/A   N/A
  OpenVPN 2.4    N/A       N/A           N/A                      N/A                      N/A   N/A
  OpenVPN 2.3?   N/A       N/A           N/A                      N/A                      N/A   N/A

  With OTP
  OpenVPN 2.6    N/A       N/A           N/A                      N/A                      N/A   N/A
  OpenVPN 2.5    N/A       N/A           N/A                      N/A                      N/A   N/A
  OpenVPN 2.4    N/A       N/A           N/A                      N/A                      N/A   N/A
  OpenVPN 2.3?   N/A       N/A           N/A                      N/A                      N/A   N/A

Dependencies

None.

Release Notes

TODO

  [1] Should OpenVPN 2.7 be added to this list to be future-proof?