The OpenVPN community project team is proud to release OpenVPN 2.5.0 which is a new major release with many new features.
Overview of changes since OpenVPN 2.4
Faster connections
Crypto specific changes
-
ChaCha20-Poly1305 cipher in the OpenVPN data channel (Requires OpenSSL 1.1.0 or newer)
-
I
mproved
TLS 1.3 support when using OpenSSL 1.1.1 or newer
-
Client-specific tls-crypt keys (–tls-crypt-v2)
-
Improved Data channel cipher negotiation
-
Removal of BF-CBC support in default configuration (see below for possible incompatibilities)
Server-side improvements
Network-related changes
-
Support IPv4 configs with /31 netmasks now
-
802.1q VLAN support on TAP servers
-
IPv6-only tunnels
-
New option –block-ipv6 to reject all IPv6 packets (ICMPv6)
Linux-specific features
Windows-specific features
-
Wintun driver support, a faster alternative to tap-windows6
-
Setting tun/tap interface MTU
-
Setting DHCP search domain
-
Allow unicode search string in –cryptoapicert option
EasyRSA3 , a modern take on OpenVPN CA management
-
MSI installer
Important notices
BF-CBC cipher is no longer the default
Cipher handling for the data channel cipher has been significantly changed between
OpenVPN
2.3/2.4 and
v
2.5, most notably
t
here
are
no “default cipher BF-CBC” anymore because it is no longer considered a reasonable default.
BF-CBC is still available, but it needs to be explicitly configured now.
For connections between OpenVPN
2.4 and
v
2.5 clients and servers, both ends will be able to negotiate a better cipher than BF-CBC. By default they will select one of the AES-GCM ciphers, but this can be influenced using the –data-ciphers setting.
Connections between OpenVPN
2.3 and
v
2.5 that have no –cipher setting in the config (= defaulting to BF-CBC and not being negotiation-capable) must be updated.
U
nless
BF-CBC
is
included in –data-ciphers
or there is a “–cipher BF-CBC”
in the
OpenVPN
2.5 config, a
v
2.5 client or server will refuse to talk to a
v
2.3 server or client, because it has no common data channel cipher and negotiating a cipher is not possible.
Generally, we recommend upgrading such setups to OpenVPN
2.4 or
v
2.5.
If upgrading is not possible we recommend adding data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC (for v
2.5+) or cipher AES-128-CBC (
v
2.4.x and older) to the configuration of all clients and servers.
I
f you
really
need to
use
a
n unsupported
OpenVPN
2.3 (or even older)
release
and need to stay on BF-CBC
(not recommended)
, the
OpenVPN 2.5 based client will need
a config file change to re-enable BF-CBC
. But be warned that BF-CBC and other related weak ciphers will be removed in coming OpenVPN major releases.
For full details see the” Data channel cipher negotiation ” section on the man page
.
Connectivity to some VPN service provider may break
Connecting with an OpenVPN 2.5 client to at least one commercial VPN service that
implemented their own cipher negotiation method that always reports back that it is using BF-CBC to the client is broken in v2.5. This has always caused warning about mismatch ciphers. We have been in contact with some
service
providers and they are looking into it. This is not something the OpenVPN community can fix.
If your commercial VPN does not work with a
v
2.5 client, complain to the VPN service provider.
More details on these new features as well as a list of deprecated features and user-visible changes are available in Changes.rst