OpenVPN 3 Linux v16 (beta)
This release is mostly a bug-fix release with several known issues resolved
and a few minor feature additions.
* Bug: Incompatible OCC strings sent to server
v15_beta updated the OpenVPN 3 Core library, which introduced an
incompatibility with servers. This issue has now been resolved in a
later update of the Core library.
- OCC strings sent over the wire to the server are now always
prefixed with TCPv4 or UDPv4.
<https://github.com/OpenVPN/openvpn3/commit/dee1b625c3>
* Bug: DNS caching issues for long-running VPN client sessions
Before v16_beta, the client would do a DNS lookup before
connecting and preserve the result if --persist-tun was
used. This works fine until the configured server changes
IP address and is no longer reachable at the cached one. The
client would then go into a reconnect loop, trying to connect
without performing any new DNS lookups. The Core library has
implemented an improved approach which triggers a new DNS
lookup when it can no longer get a connection established.
Important related changes:
<https://github.com/OpenVPN/openvpn3/commit/e365c44b08658>
<https://github.com/OpenVPN/openvpn3/commit/2e3774c059705>
NOTE: This is not a perfect solution. Clients on networks
utilizing NAT64 are expected to fail when connecting
to a server on an IPv4 address that changes during
the runtime of the client. The best way to resolve
this is to make the server available via IPv6 as well.
* Bug: Pushed DNS search domains didn't work well
Several reports indicated that pushing DOMAIN or
DOMAIN-SEARCH did not enable them properly as search domains
when using systemd-resolved. This has been fixed by no longer
tagging each domain as a routing domain. For some users this
may change the lookup behaviour so that DNS queries are sent
to multiple DNS servers instead of only the VPN-provided DNS
server. We will investigate further how to reduce these
side-effects when utilizing systemd-resolved.
* Improvement: Do not use connection timeout by default
Both 'openvpn3 session-start' and 'openvpn3-autoload'
had a timeout behaviour where they would stop running if a
connection was not established within approx. 30 seconds.
If the server is unavailable or the client is on a network
with temporary connection issues, this is a drawback.
The solution is to remove the current timeout behaviour. The
'openvpn3 session-start' command has been extended with a
--timeout argument which can be used to restore the previous
behaviour.
* Improvement: openvpn3-as now requires properly signed HTTPS server
certificates.
Prior versions of openvpn3-as did not verify the HTTPS server
certificate, so a downloaded profile could not be trusted to
originate from the intended server. This has now been fixed.
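The difference between the old and the new openvpn3-as behaviour, as an added
example (not openvpn3-as code itself; the function names and the audit rules
are this example's own choices): a TLS context with verification disabled
beside a hardened one, an audit that flags the weak settings, and a profile
download helper that refuses to run with a context that fails the audit.

```python
"""Added example: verified vs. unverified HTTPS profile download.
Not openvpn3-as code; names and audit rules are this example's own."""
import ssl
import urllib.request
from typing import List, Optional


def insecure_context() -> ssl.SSLContext:
    """The weak setting: any certificate for any host name is accepted.
    This mirrors 'no verification' and is shown only as what to avoid."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The hardened setting: chain to a trusted CA (system store, or the
    given PEM bundle), match the host name, and require TLS 1.2 or newer."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of weaknesses in an SSL context; empty means the
    context is acceptable for fetching a VPN profile."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        problems.append("check_hostname is off: a valid cert for another host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum_version is below TLS 1.2")
    return problems


def download_profile(url: str, ctx: ssl.SSLContext, timeout: float = 30.0) -> bytes:
    """Fetch a profile over HTTPS with the given context. The audit runs
    first so a misconfigured context cannot silently downgrade the download."""
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing insecure TLS context: " + "; ".join(problems))
    if not url.lower().startswith("https://"):
        raise ValueError("profile URL must use https://")
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("verified:", audit_context(verified_context()))
```

Passing a `cafile` to `verified_context()` is how a deployment with a private CA
keeps verification on instead of turning it off; disabling verification to make
a self-signed certificate work reintroduces the problem this release fixes.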
* Improvement: Add better systemd integration for sessions
This release introduces a Python based systemd integration,
which will start a pre-imported (openvpn3 config-import)
configuration profile using the openvpn3-sessions@.service
unit file. This can also be used to start connections
automatically during boot.
The advantage this has over openvpn3-autoload is that it
manages VPN sessions one-by-one, while openvpn3-autoload just
loaded and started everything configured without any real
session management. Using the openvpn3-sessions@.service,
the session status is now also available via 'systemctl' and
log events are easily found via 'journalctl'. If a session
is stopped via 'openvpn3 session-manage', this is also
reflected in 'systemctl'.
See the openvpn3-systemd(8) man page for details:
<https://github.com/OpenVPN/openvpn3-linux/blob/master/docs/man/openvpn3-systemd.8.rst>
This support is not complete yet, and will be extended
in coming releases.
* Improvement: Support for the newer WEB_AUTH pending authentication method
* Improvement: Extend openvpn3-admin with a sessionmgr-service command.
This new command currently only supports listing
all running VPN sessions on the host, showing the owner of
each session as well as the tun/DCO interface in use.
See the openvpn3-admin-sessionmgr-service(8) man page for
details.
<https://github.com/OpenVPN/openvpn3-linux/blob/master/docs/man/openvpn3-admin-sessionmgr-service.8.rst>
* Improvement: Python based configuration parser updates
The configuration parser used by openvpn2, openvpn3-autoload
and the new openvpn3-systemd integration now ignores
--ncp-ciphers, --data-ciphers and --data-ciphers-fallback.
These options were added in OpenVPN 2.4 and 2.5 to help
migrate from the prior default ciphers to better ones.
Connecting to some servers could require a more specific
cipher to be set. This is believed not to be needed in
OpenVPN 3, so these options are now simply ignored if found.
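To make the parser behaviour concrete, here is an added example of a minimal
OpenVPN configuration-file parser that drops the three options named above and
reports what it dropped. It is illustration code written for this page, not
the openvpn3-linux Python parser; the function names and the sample profile
are constructed here (the certificate body is a placeholder, not a real
certificate).

```python
"""Added example: minimal .ovpn parser that ignores the OpenVPN 2.x cipher
negotiation options. Not the openvpn3-linux parser; names are this example's."""
import shlex
from typing import Dict, List, Tuple

# Options the release notes say are now ignored for an OpenVPN 3 client.
IGNORED_OPTIONS = frozenset({"ncp-ciphers", "data-ciphers", "data-ciphers-fallback"})

# Constructed sample profile for this example (placeholder certificate body).
SAMPLE_CONFIG = """\
client
dev tun
remote vpn.example.com 1194 udp
# legacy cipher negotiation settings carried over from an OpenVPN 2.x profile
ncp-ciphers AES-256-GCM:AES-128-GCM
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-CBC
persist-tun
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
</ca>
"""

Option = Tuple[str, List[str]]


def parse_ovpn(text: str) -> Tuple[List[Option], Dict[str, str], List[Option]]:
    """Parse an OpenVPN config.

    Returns (options, inline_blocks, dropped):
      options       - (name, args) in file order, with ignored options removed
      inline_blocks - {"ca": "...PEM...", ...} for <tag> ... </tag> sections
      dropped       - (name, args) for options silently ignored
    """
    options: List[Option] = []
    blocks: Dict[str, str] = {}
    dropped: List[Option] = []
    current_block = None
    block_lines: List[str] = []

    for raw in text.splitlines():
        line = raw.strip()
        if current_block is not None:
            # Inside <tag> ... </tag>: collect verbatim until the closing tag.
            if line == f"</{current_block}>":
                blocks[current_block] = "\n".join(block_lines) + "\n"
                current_block = None
                block_lines = []
            else:
                block_lines.append(raw)
            continue
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            current_block = line[1:-1]
            continue
        tokens = shlex.split(line)           # honours quoted arguments
        name = tokens[0].lstrip("-")         # config files may use "opt" or "--opt"
        args = tokens[1:]
        if name in IGNORED_OPTIONS:
            dropped.append((name, args))
        else:
            options.append((name, args))

    if current_block is not None:
        raise ValueError(f"unterminated <{current_block}> block")
    return options, blocks, dropped


if __name__ == "__main__":
    opts, blocks, dropped = parse_ovpn(SAMPLE_CONFIG)
    for name, args in dropped:
        print(f"ignored: {name} {' '.join(args)}")
    print("kept:", [name for name, _ in opts], "blocks:", sorted(blocks))
```

Reporting the dropped options rather than discarding them silently is the
useful part for a deployment: a profile that relied on a forced fallback cipher
can be spotted before the first connection attempt.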
Complete list of changes:
Arne Schwabe (1):
Implement WEB_AUTH auth pending method
David Sommerseth (39):
vendor: Upgrade to googletest 1.11
python: Harden openvpn3-as HTTPS connect
ovpn3cli: Add --timeout support to session connect operations
python: Remove connection attempt counting in openvpn3-autoload
python: Add SessionManagerEventType constants
python: Add SessionManagerEvent callback
systemd: Add support for VPN session management via systemd
sessionmgr: Grammar fix in an error message
sessionmgr: Split out pure manager functions from OpenVPN3SessionProxy
python: Use std namespace explicitly
dbus: Add DBusProxy::Introspect() method
tests: Make netcfg-proxy-unit test aware of other devices
dbus/creds: Add new DBusCredentials::CheckACL_allowRoot() method
sessionmgr: Grant root user access to read all session properties
ovpn3cli/admin: Add sessionmgr-service command
common: Fix duplicated imports of config.h
sessionmgr: Simplify the ACL check for properties
cli/sessionmgr: Simplify property extraction
core: Update OpenVPN 3 Core library (DNS cache fix)
common: Improve the OptionValueType::Present implementation
common: Extend Configuration::File with an UnsetOption() method
common: Configuration::File - Add backwards compat parsing for present opts
cli/admin: Call instead Config::File::UnsetOption() on --config-unset
common: Add private ParsedArgs::remove_arg() method
common: Simplify ParsedArgs::ImportConfigFile()
common: Don't throw on missing key in ParsedArgs::GetAllValues()
cli/openvpn3: Fix missing space in config-remove warning
cli/config: Fix incorrect spelling
python: Handle CTRL-C in openvpn3-as gracefully
python/openvpn3-as: Improve profile download error handling
python/openvpn3-as: Fix incorrect exception type
ovpn3cli: Fix session-start with dynamic challenge auth
python: Fix dyn-challenge auth in openvpn2
cli/session: Not all connection failures are timeout related
cli/session: Fix never ending session with failed 2FA
lookup: Add error checking to sysconf() lookups
common: Fix typo with MachineID::SourceType::NONE
netcfg/resolved: Don't configure --dhcp-option DOMAIN as routing domains
python: Add --data-ciphers and related options to the ignore list.
Frank Lichtenheld (3):
build: make gen-openvpn2-completion.py output reproducible on old Python
build: Use timestamp of the constant.py source file
build: Avoid generating broken bash-completion file
Heiko Hund (1):
netcfg: Move check for DCO availability to NetCfg