OpenVPN 3 Linux v17 (beta)
This release consists mostly of several enhancements of various sizes.
* Behavior change: Only AEAD ciphers available for data channel by default
As part of the OpenSSL 3 support, non-AEAD ciphers are no longer enabled
by default for the data channel. In practice that leaves only
AES-GCM and, if the TLS library supports it, ChaCha20-Poly1305.
To restore the previous behaviour, import the configuration profile
via 'openvpn3 config-import' and then set an override on it:
$ openvpn3 config-manage --enable-legacy-algorithms true --config $CONFIG_NAME
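As an added check that is not part of OpenVPN 3 Linux, the following script scans the cipher directives of an .ovpn file for algorithms that are not AEAD, so a profile that will need the override above can be spotted before it is imported; the sample profile it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of OpenVPN 3 Linux: report the data-channel ciphers
# in an .ovpn profile that are not AEAD and would therefore need the
# --enable-legacy-algorithms override under the new default.
# Only *-GCM and CHACHA20-POLY1305 are treated as AEAD here.

# Print each non-AEAD cipher named by cipher / data-ciphers / ncp-ciphers /
# data-ciphers-fallback directives, one per line, sorted and de-duplicated.
non_aead_ciphers() {
    awk '
        # Match the directive name case-insensitively; values are ":"-separated.
        tolower($1) ~ /^(cipher|data-ciphers|ncp-ciphers|data-ciphers-fallback)$/ {
            n = split($2, list, ":")
            for (i = 1; i <= n; i++) {
                c = toupper(list[i])
                if (c != "" && c !~ /-GCM$/ && c != "CHACHA20-POLY1305") print c
            }
        }' "$1" | sort -u
}

# Succeed (exit 0) when the profile would need the legacy override.
needs_legacy_override() {
    [ -n "$(non_aead_ciphers "$1")" ]
}

# Constructed sample profile, written to a temporary file whose path is printed.
write_sample_profile() {
    sample_path=$(mktemp)
    printf '%s\n' 'client' 'remote vpn.example.com 1194' \
        'cipher AES-256-CBC' \
        'data-ciphers AES-256-GCM:AES-128-CBC:AES-256-CBC' > "$sample_path"
    echo "$sample_path"
}

sample=$(write_sample_profile)
if needs_legacy_override "$sample"; then
    echo "Non-AEAD ciphers found: $(non_aead_ciphers "$sample" | tr '\n' ' ')"
    echo "Run: openvpn3 config-manage --enable-legacy-algorithms true --config \$CONFIG_NAME"
fi
```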
* Command line: openvpn3 config-dump
The openvpn3 config-show command has been deprecated in favour of
openvpn3 config-dump. This avoids ambiguity in behaviour with
commands supporting --show and makes it clearer that it is the
configuration _file_, not the configuration profile, which is being displayed.
* Feature: openvpn3 session-auth command
This is a new command which can be used to interact with VPN sessions
that require user interaction related to authentication. This is
useful if the initial connection did not complete properly or if
the server requires the user to re-authenticate.
* Enhancement: Log level improvements on client log data
In prior releases, the default log level in the backend process
was set to 6, which is a debug level. With this release, the
default log level is 3, and it is now more easily configurable.
- The OpenVPN 3 VPN Client process now parses and respects the
--verb option.
- The configuration profile can set a log-level override.
- Running VPN sessions can be adjusted on-the-fly using the
new --log-level option in openvpn3 session-manage.
Changes made this way take effect instantly.
- The default log level can also be changed by editing
/usr/share/dbus-1/system-services/net.openvpn.v3.backends.service.
Add '--client-log-level 6' to the program in the Exec= line to
restore the previous default log level.
* Enhancement: Full support for --static-challenge
Both the OpenVPN 3 client implementation and the Python interface
have gained full support for the --static-challenge option.
* Enhancement: systemd user credential passing
When starting a VPN session via the openvpn3-session@.service unit
file, the systemd-ask-password mechanism will be used to retrieve the
requested user credentials.
* Enhancement: VPN session ownership transfer
For configuration profiles shared with more users, the session
owner has so far been the user who started the VPN session.
With this release, the configuration owner can set the
--transfer-owner-session flag via openvpn3 config-acl. This
makes the configuration profile owner the session owner
as well, regardless of which user starts the session. The
user starting the session is automatically granted ACL
entries to manage the session and access the VPN log events.
This is useful for VPN profiles started automatically during
boot via the systemd openvpn3-session@.service unit file. These
sessions are typically started as root, but the session owner
can end up being a different user on the system. For this to
work, the profile owner needs to grant the root user access
to the profile.
* Extend openvpn3-as with an --insecure-certs option
In v16_beta, the openvpn3-as utility was extended to validate the
HTTPS server certificate of the OpenVPN Access Server. For servers
using self-signed certificates or certificates signed by an unknown
CA, this tool would no longer work. With this option, the user
instructs the tool to ignore such certificate validation issues.
* Bugfix: Persistent configuration profiles with multiple --remote
Configuration files containing multiple --remote lines would not
be preserved correctly in the saved configuration profile; only the
last entry would be stored. This has been improved and all entries
will now be preserved at import time.
Beware: Configuration profiles will need to be re-imported to
restore all the --remote entries.
* Bugfix: Fix --tls-crypt-v2 in the Python parser
In prior releases, configurations started via the Python interface
would fail with an error if --tls-crypt-v2 was used. This is now
fixed.
* Bugfix: Fix Python file loading of files with spaces in file names
In prior releases, the configuration parser incorrectly parsed
file names containing spaces. This has been improved.
* Bugfix: Non-functional shell completion for config files
The prior release regressed on shell completion for OpenVPN
configuration files via the openvpn3 config-import and session-start
commands. This has been resolved in this release.
* Distro: Builds on distributions using musl instead of glibc
Building OpenVPN 3 Linux on Alpine did not work well, as several
aspects were not compatible with the development stack on this
distribution. Both the OpenVPN 3 Core library and the Linux
client have been modified so that they build successfully.
* Distro: Python 3.6 or newer is now required
As of this release, any Linux distribution with Python older
than version 3.6 is no longer supported. This removes the
support for Debian 9.
The complete list of changes:
David Sommerseth (61):
cli/session-start: Add --background support
log: Improve LogEvent formatting
log: Use the LogEvent GVariant generator in LogSender
log: Extend the LogSender::Log() with duplicate check
client: Simplify BackendSignals::Log()
client: Remove some not needed log duplication
client: Don't switch to Reconnecting state on initial connect
python: Remove aenum workaround for Python 3.5 or older
python: Remove spurious import line from openvpn2
python: Ignore --mute-replay-warnings option
python: Add --insecure-certs option to openvpn3-as
git: Switch to https for submodules
python: Extend ConfigParser to understand --tls-crypt-v2
python: Fix a few errors in ConfigParser
sessionmgr: Fix incorrect LogEvent proxy format
core-ext: Properly parse options which may be used more times
common: Extend MachineID to support systemd API for machine-id
python: Fix incorrect parsing of filenames with spaces
client: Add support for static-challenge configurations
common: Extend command line parser with alias command support
ovpn3cli: Deprecate config-show in favour of config-dump
core: Update to latest OpenVPN 3 Core library
build: Avoid GNUism in Makefile.am
configmgr/client: Remove support for forcing AES-CBC cipher
configmgr: Extend with session ownership transfer flag
ovpn3cli: Extend config-acl to support --transfer-owner-session
sessionmgr: Respect the configuration profile transfer-ownership flag
client: Parse the --verb option to set log-level
client: Add support for 'log-level' override
sessionmgr: Retrieve the client log-level for the session log-level
sessionmgr: Proxy log-level settings in session to backend
tests: Extend config-export-json-test to process files too
core-ext: Fix incorrect handling of --static-challenge in JSON export
systemd: Fix incorrect access to mainloop object in status handler
systemd: Fix incorrect sd_notify() behaviour
systemd: Add support for profiles needing user credentials
common/shell: Fix bash-completion for options with optional arguments
common: Don't throw an exception in ParsedArgs::GetValueLen()
ovn3cli/session: Extend session-manage to set session log-level
core: Update to latest OpenVPN 3 Core library
dbus: Change the proxy call timeout to 5 seconds
log: Don't throw exception on invalid LogGroup/LogCategory
client: Use the proper index value to retrieve the --verb value
client: Change default log-level to 3
systemd: Do not change the log level at startup by default
client: Extend StatusEvent with stringstream formatting control
cli/session: Extend the session module with session-auth
cli/session: Extend session-auth to also list URL based auth
cli/session: Implement completing on-going auth in session-auth
cli/session: Add shell-completion support for session-auth
cli/session: Remove "Auth URL" from sessions-list
man: Add missing --log-level entry in openvpn3-config-manage
client: Set proper status when needing user credentials
ovpn-dco: Update to latest git master
client: Configuration file --verb must not override profile log-level
sessionmgr: Always change the SessionObject log level
dbus/creds: Use creds specific exception for user lookup issues
sessionmgr: Add more debug details of credentials check fails
core: Update to latest OpenVPN 3 Core library
client/cli: Add --enable-legacy-algorithms override
shell: Fix bash completion for file/directory names
Samuli Seppänen (2):
docs: Remove redundant package from Fedora build deps command-line
docs: Fix setup instructions for CentOS 8