Community Downloads | OpenVPN

The OpenVPN community project team is proud to release OpenVPN 2.5.0 which is a new major release with many new features.

Overview of changes since OpenVPN 2.4

Faster connections

  • Connections setup is now much faster

Crypto specific changes

  • ChaCha20-Poly1305 cipher in the OpenVPN data channel (Requires OpenSSL 1.1.0 or newer)

  • I

    mproved

    TLS 1.3 support when using OpenSSL 1.1.1 or newer

  • Client-specific tls-crypt keys (–tls-crypt-v2)

  • Improved Data channel cipher negotiation

  • Removal of BF-CBC support in default configuration (see below for possible incompatibilities)

Server-side improvements

  • HMAC based auth-token support for seamless reconnects to standalone servers or a group of servers.

  • Asynchronous (deferred) authentication support for auth-pam plugin

  • Asynchronou

    s (d

    eferred

    ) support for

    client-connect

    scripts and plugins

Network-related changes

  • Support IPv4 configs with /31 netmasks now

  • 802.1q VLAN support on TAP servers

  • IPv6-only tunnels

  • New option –block-ipv6 to reject all IPv6 packets (ICMPv6)

Linux-specific features

  • VRF support

  • Netlink integration (OpenVPN no longer needs to execute ifconfig

    /route

    or ip commands)

Windows-specific features

  • Wintun driver support, a faster alternative to tap-windows6

  • Setting tun/tap interface MTU

  • Setting DHCP search domain

  • Allow unicode search string in –cryptoapicert option


  • EasyRSA3 , a modern take on OpenVPN CA management
  • MSI installer

Important notices

BF-CBC cipher is no longer the default

Cipher handling for the data channel cipher has been significantly changed between

OpenVPN

2.3/2.4 and

v

2.5, most notably

t

here

are

no “default cipher BF-CBC” anymore because it is no longer considered a reasonable default.

BF-CBC is still available, but it needs to be explicitly configured now.

For connections between OpenVPN

2.4 and

v

2.5 clients and servers, both ends will be able  to negotiate a better cipher than BF-CBC. By default they will select one of the AES-GCM ciphers, but this can be influenced using the –data-ciphers setting.

Connections between OpenVPN

2.3 and

v

2.5 that have no –cipher setting in the config (= defaulting to BF-CBC and not being negotiation-capable) must be updated.

U

nless

BF-CBC

is

included in –data-ciphers

or there is a “–cipher BF-CBC”

in the

OpenVPN

2.5 config, a

v

2.5 client or server will refuse to talk to a

v

2.3 server or client, because it has no common data channel cipher and negotiating a cipher is not possible.

Generally, we recommend upgrading such setups to OpenVPN

2.4 or

v

2.5.

If upgrading is not possible we recommend adding data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC (for v

2.5+) or cipher AES-128-CBC (

v

2.4.x and older) to the configuration of all clients and servers.

I

f you

really

need to

use

a

n unsupported

OpenVPN

2.3 (or even older)

release

and need to stay on BF-CBC

(not recommended)

, the

OpenVPN 2.5 based client will need

a config file change to re-enable BF-CBC

.  But be warned that BF-CBC and other related weak ciphers will be removed in coming OpenVPN major releases.

For full details see the” Data channel cipher negotiation ” section on the man page

.

Connectivity to some VPN service provider may break

Connecting with an OpenVPN 2.5 client to at least one commercial VPN service that

implemented their own cipher negotiation method that always reports back that it is using BF-CBC to the client is broken in v2.5. This has always caused warning about mismatch ciphers. We have been in contact with some

service

providers and they are looking into it.  This is not something the OpenVPN community can fix.

  If your commercial VPN does not work with a

v

2.5 client, complain to the VPN service provider.

More details on these new features as well as a list of deprecated features and user-visible changes are available in Changes.rst