OpenVPN 3 Linux v24 (Stable release)

The v24 release is another stable release.  This resolves issues
reported in several earlier releases and improves OpenVPN 3 Linux
in several areas.

* Improvement: Add --dns option support

  DNS resolver settings have been troublesome for many years, since
  the pushed DNS options are handled slightly differently between OS
  platforms and even across client implementations on a single
  platform.  The new --dns option attempts to resolve this; it can be
  used instead of the various DNS-related --dhcp-option settings.

  The --dns option has been available since OpenVPN 2.6, and the
  OpenVPN 3 Core Library has supported it since v3.7.  The processing
  needed in OpenVPN 3 Linux has been lacking until now.

  The --dns option makes it possible to configure more modern DNS
  features such as split-DNS, DNS-over-TLS and DNSSEC.  In most cases
  this works out of the box when systemd-resolved is the local DNS
  resolver, but it also depends on which of these features the
  systemd-resolved version shipped by the Linux distribution supports.

  Currently, systemd-resolved does not support DNS-over-HTTPS [1].
  If a DNS-over-HTTPS transport is requested, the session will be
  disconnected.

  For users relying only on /etc/resolv.conf, only the traditional
  DNS server and search domain settings will be configured.  All
  the additional DNS features will be ignored.

  [1] <https://github.com/systemd/systemd/issues/8639>
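  The following script is an added example, not code from OpenVPN 3
  Linux.  It parses the --dns directive syntax introduced with OpenVPN
  2.6 (server addresses, resolve-domains, dnssec, transport, sni and
  search-domains) and reports, for a chosen resolver backend, which
  settings will be dropped or would make the session disconnect, as
  described above.  The backend names "resolved" and "resolvconf", the
  capability rules encoded in preflight(), the default values for
  dnssec and transport, and the sample profile are all assumptions
  made for this script.

```python
"""Pre-flight check for --dns directives in an OpenVPN profile.

Added example, not part of OpenVPN 3 Linux.  It models the behaviour
described in the v24 release notes: systemd-resolved honours split-DNS,
DNS-over-TLS and DNSSEC but rejects DNS-over-HTTPS (session disconnects),
while a plain /etc/resolv.conf setup only receives server addresses and
search domains.  Backend names and defaults are this script's assumptions.
"""
from dataclasses import dataclass, field

# Constructed sample profile fragment: server 1 uses split-DNS, DoT and
# DNSSEC; server 2 asks for DoH, which systemd-resolved does not support.
SAMPLE_PROFILE = """\
client
remote vpn.example.invalid 1194 udp
dns search-domains corp.example.invalid lab.example.invalid
dns server 1 address 10.8.0.1 10.8.0.2:5353
dns server 1 resolve-domains corp.example.invalid
dns server 1 dnssec optional
dns server 1 transport DoT
dns server 1 sni dns.corp.example.invalid
dns server 2 address 10.9.0.1
dns server 2 transport DoH
"""


@dataclass
class DnsServer:
    addresses: list = field(default_factory=list)
    resolve_domains: list = field(default_factory=list)
    dnssec: str = "no"          # assumed default
    transport: str = "plain"    # assumed default
    sni: str = ""


@dataclass
class DnsConfig:
    search_domains: list = field(default_factory=list)
    servers: dict = field(default_factory=dict)   # priority -> DnsServer


def parse_dns_directives(profile: str) -> DnsConfig:
    """Collect every 'dns ...' line of an OpenVPN profile into a DnsConfig."""
    cfg = DnsConfig()
    for raw in profile.splitlines():
        words = raw.split("#", 1)[0].split()      # drop comments
        if len(words) < 2 or words[0] != "dns":
            continue
        if words[1] == "search-domains":
            cfg.search_domains.extend(words[2:])
        elif words[1] == "server" and len(words) >= 5:
            srv = cfg.servers.setdefault(int(words[2]), DnsServer())
            key, args = words[3], words[4:]
            if key == "address":
                srv.addresses.extend(args)
            elif key == "resolve-domains":
                srv.resolve_domains.extend(args)
            elif key == "dnssec":
                srv.dnssec = args[0]
            elif key == "transport":
                srv.transport = args[0]
            elif key == "sni":
                srv.sni = args[0]
            else:
                raise ValueError(f"unknown dns server setting: {key}")
        else:
            raise ValueError(f"unrecognised dns directive: {raw.strip()}")
    return cfg


def preflight(cfg: DnsConfig, backend: str) -> list:
    """Return warnings about --dns settings the backend will not apply.

    'resolved'   models systemd-resolved: split-DNS, DoT and DNSSEC are
                 applied; a DoH transport would disconnect the session.
    'resolvconf' models plain /etc/resolv.conf handling: only server
                 addresses and search domains are written.
    """
    if backend not in ("resolved", "resolvconf"):
        raise ValueError(f"unknown backend {backend!r}")
    warnings = []
    for prio, srv in sorted(cfg.servers.items()):
        if backend == "resolved":
            if srv.transport == "DoH":
                warnings.append(f"server {prio}: DoH is not supported by "
                                "systemd-resolved; the session would disconnect")
            continue
        if srv.resolve_domains:
            warnings.append(f"server {prio}: resolve-domains (split-DNS) "
                            "ignored with /etc/resolv.conf")
        if srv.dnssec != "no":
            warnings.append(f"server {prio}: dnssec {srv.dnssec} ignored "
                            "with /etc/resolv.conf")
        if srv.transport != "plain":
            warnings.append(f"server {prio}: transport {srv.transport} "
                            "ignored with /etc/resolv.conf")
    return warnings


if __name__ == "__main__":
    parsed = parse_dns_directives(SAMPLE_PROFILE)
    for name in ("resolved", "resolvconf"):
        print(f"== {name} ==")
        for w in preflight(parsed, name) or ["no warnings"]:
            print("  " + w)
```

  Run it against a real profile by reading the file into
  parse_dns_directives(); the point is to learn before connecting that a
  DoH transport will cost you the session, or that split-DNS and DNSSEC
  silently do nothing on a resolv.conf-only host.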

* Improvement: Provide better details about the remote server

  The openvpn3 sessions-list command would list a "Session name" once
  a client session had successfully connected to a remote server.
  This information was static and never changed after the initial
  connection.  If the VPN configuration profile contained several
  --remote lines pointing at different servers, only the first
  connection would be reflected in this "Session name".

  In v24 this has been changed by querying the VPN client
  process about the server it is currently connected to.  The
  "Session name" line has thus been replaced with a "Connected to"
  line which will also include details about connection protocol,
  DCO mode and port number in use.

  Note: Due to an issue in the OpenVPN 3 Core Library, the
  port number is currently not provided on DCO connections.

* Improvement: Provide better messages to end-user on session start issues

  Starting a VPN session can fail for various reasons.  The reason
  itself was never shown to the end-user starting the session; it was
  necessary to dig into the log files to figure out why it failed.

  With this release, the openvpn3 session-start command presents an
  end-user friendly reason whenever the client process provides one
  for the failure.  This reduces the need to search the logs just to
  get an initial understanding of why the session failed.

* Improvement: Better error message when modifying sealed configurations

  When attempting to modify a sealed VPN configuration profile
  (which are read-only), a fairly verbose, debug-like error
  message was provided to the user.  This has been improved
  to give a more end-user friendly error message instead.

* Improvement: Upgrade to OpenVPN 3 Core Library v3.10.4

  This resolves an issue where a configuration profile using
  --pull-filter with single quotes instead of double quotes would
  be parsed incorrectly.

  VPN sessions with DCO enabled could also fail if --inactive was
  used.  This has been fixed in this Core Library release.

* Bugfix: Starting VPN sessions could fail on slower systems

  In some cases, the openvpn3-service-backendstart service would not
  start quickly enough.  The Session Manager would then not receive
  confirmation in time that the VPN client process had been started,
  and it would fail the VPN session start.

  With the updated GDBus++ and further improvements in the Session
  Manager, slow-starting services are now tolerated and the session
  start does not fail as quickly.  This gives the supporting helper
  services time to start properly before they are interacted with.

* Bugfix: Add support for dhcp-option ADAPTER_DOMAIN_SUFFIX

  ADAPTER_DOMAIN_SUFFIX is one of the ambiguous --dhcp-option values
  that are treated differently across client implementations, and it
  was ignored by OpenVPN 3 Linux until this release.  The best user
  experience, and the one closest to common user expectations, seems
  to be achieved by treating it as an alias of DOMAIN-SEARCH.

* Bugfix: DNS search domains might not be removed from /etc/resolv.conf

  Under some unclear circumstances, the DNS search domains were not
  always removed from /etc/resolv.conf.  This has been an open issue
  for a long time, but it seems to have improved since the v22_dev
  release with GDBus++.  We still see it occasionally on a few Linux
  distributions with systemd-resolved.  Since we also see
  systemd-resolved accepting the DNS updates and removals, we believe
  this may at this point be an issue in systemd-resolved rather than
  in OpenVPN 3 Linux.  The issue now appears only with systemd-resolved
  and is not reproducible in all environments.

* Bugfix: Duplicated name servers or search domains to /etc/resolv.conf

  In prior releases, when the Network Configuration service was
  configured to use /etc/resolv.conf for DNS resolving, it could
  append duplicate DNS name servers and search domains if duplicates
  were pushed by the server, added by other VPN connections, or
  already present before the VPN session started.

  In v24, duplicate name servers and search domains are filtered out
  so that each appears only once in /etc/resolv.conf.
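  The script below is an added example, not code from OpenVPN 3 Linux,
  illustrating the two resolv.conf changes above: ADAPTER_DOMAIN_SUFFIX
  is folded into the search domain list like DOMAIN-SEARCH, and name
  servers or search domains that are already present (from the host, an
  earlier session, or repeated pushes) are written only once.  The
  sample pushed options and the existing resolv.conf contents are
  constructed; treating DOMAIN like DOMAIN-SEARCH and placing VPN name
  servers ahead of pre-existing ones are choices of this script, not
  behaviour the notes state.

```python
"""Merge pushed DNS settings into /etc/resolv.conf without duplicates.

Added example, not code from OpenVPN 3 Linux.  It models two points of
the v24 notes: ADAPTER_DOMAIN_SUFFIX is treated as an alias of
DOMAIN-SEARCH, and name servers or search domains already present are
written only once.  Treating DOMAIN like DOMAIN-SEARCH and prepending the
VPN name servers are simplifications made by this script.
"""

# Constructed sample: options as they might be pushed by a server, with a
# repeated name server and the ambiguous ADAPTER_DOMAIN_SUFFIX option.
PUSHED_OPTIONS = [
    "dhcp-option DNS 10.8.0.1",
    "dhcp-option DNS 10.8.0.2",
    "dhcp-option DNS 10.8.0.1",
    "dhcp-option DOMAIN-SEARCH corp.example.invalid",
    "dhcp-option ADAPTER_DOMAIN_SUFFIX corp.example.invalid",
    "dhcp-option ADAPTER_DOMAIN_SUFFIX lab.example.invalid",
    "dhcp-option NTP 10.8.0.3",      # not DNS related, ignored here
]

# Constructed sample of the resolver file before the session starts; one
# VPN name server and one search domain are already present.
EXISTING_RESOLV_CONF = """\
# Generated by a hypothetical network manager
nameserver 192.0.2.53
nameserver 10.8.0.1
search home.example.invalid corp.example.invalid
options timeout:2
"""

# dhcp-option kinds this script maps onto the resolv.conf search list.
SEARCH_ALIASES = {"DOMAIN", "DOMAIN-SEARCH", "ADAPTER_DOMAIN_SUFFIX"}


def parse_dhcp_options(options):
    """Return (nameservers, search_domains) from pushed dhcp-option lines."""
    nameservers, search = [], []
    for line in options:
        words = line.split()
        if len(words) != 3 or words[0] != "dhcp-option":
            continue
        kind, value = words[1].upper(), words[2]
        if kind == "DNS":
            nameservers.append(value)
        elif kind in SEARCH_ALIASES:
            search.append(value.rstrip(".").lower())
    return nameservers, search


def _unique(items):
    """Order-preserving de-duplication."""
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def merge_resolv_conf(existing, nameservers, search_domains):
    """Render resolv.conf with VPN entries first and nothing duplicated.

    Comment and 'options' lines from the existing file are preserved;
    'nameserver', 'search' and 'domain' lines are rebuilt.
    """
    old_ns, old_search, other = [], [], []
    for line in existing.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            other.append(line)
        elif words[0] == "nameserver":
            old_ns.append(words[1])
        elif words[0] in ("search", "domain"):
            old_search.extend(w.rstrip(".").lower() for w in words[1:])
        else:
            other.append(line)
    ns = _unique(nameservers + old_ns)
    search = _unique(search_domains + old_search)
    out = other + [f"nameserver {n}" for n in ns]
    if search:
        out.append("search " + " ".join(search))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    ns, sd = parse_dhcp_options(PUSHED_OPTIONS)
    print(merge_resolv_conf(EXISTING_RESOLV_CONF, ns, sd), end="")
```

  De-duplication matters more than it looks: the glibc resolver only
  uses the first three nameserver entries, so a repeated VPN server can
  push a legitimate fallback server out of reach entirely.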

* Bugfix: openvpn3 sessions-list does not reflect the correct DCO status

  When running the openvpn3 sessions-list and
  openvpn3-admin sessionmgr-service --list-sessions commands, the
  DCO status was not necessarily reflecting the reality.

  Typically, if the VPN client process failed to activate and use
  the DCO kernel module, it would still be listed as DCO enabled
  while in reality being a normal tun interface.

  This has been resolved in v24 where it will now query the VPN
  client process for the actual DCO status - not just the
  configured and requested DCO mode.

* Bugfix: Stray VPN sessions not cleaned up

  When a VPN session has had a log forwarder enabled (for example via
  the openvpn3 log command) and that log forwarder was later stopped,
  the VPN session could linger in the Session Manager as a stray
  session with no available session details.  This was also visible
  in openvpn3 sessions-list, and attempting to remove the session with
  openvpn3 session-manage would fail with an error.

  This has been resolved in v24, where the error situations which
  might appear if a previous log forwarder could not be identified
  are now properly handled and will not block the internal session
  clean-up in the Session Manager.

* Bugfix: Spurious CreateVirtualInterface() errors when re-starting failing sessions

  In some special situations, where a running VPN session had stopped
  and a restart was attempted after an openvpn3 session-manage
  --cleanup, the tunnel would fail with various CreateVirtualInterface()
  and TUN_SETUP_FAILED errors.

  The session management code has been gradually improved through
  v22_dev, v23 and now v24, so that stopped and failing sessions are
  handled better and removed correctly by the Session Manager.

* Bugfix: openvpn3 log with --session-path does not work

  In some scenarios, openvpn3 log --session-path did not work and
  reported no log events at all.  This had been under investigation
  for a long time, and the issue has not been seen since the v22_dev
  release with GDBus++.  We consider it resolved by the updated
  openvpn3-service-log service in the v22_dev release.

* Bugfix: openvpn3 session-start fails with only 2FA authentication

  openvpn3 session-start would fail to start a session if the
  configuration profile required only 2FA authentication.  This has
  also been fixed since the v22_dev release with GDBus++, which
  included a refactoring of how VPN sessions are established.

* Bugfix: Spurious GLib error messages

  The shell completion (with bash-completion installed) would often
  print disturbing and confusing GLib-GObject-CRITICAL errors in its
  output.  This has most likely been fixed since v22_dev and the
  migration to the GDBus++ library.  Since it did not happen every
  time and varied somewhat between Linux distributions, we have kept
  it on our radar for some time.  We now feel more confident that this
  type of error is handled properly and should no longer disturb the
  user.

Known issues:

  - openvpn3-admin journal --since has a time zone related issue
    and may not list all log events within the closest hours.

---- Changes from v23 to v24 ---------------------------------------

David Sommerseth (56):
      configmgr: Improve error message on sealed config profiles
      configmgr: Switch to std::set<> for target lists for ACL checks
      docs: Re-enable doxygen build target
      client: Add support for --dhcp-option ADAPTER_DOMAIN_SUFFIX
      client: Stop running VPN clients in client destructor
      client: Properly plug-in DBus::MainLoop handling in BackendClientObject
      client: Make BackendSignals::LogFATAL() thread safe
      client: Extend BackendSignals to have access to a DBus::MainLoop object
      client: Improve exception handling when starting client worker thread
      client: Handle COMPRESS_ERROR events
      ovpn3cli/session-start: Retrieve more status details when throwing SessionException
      client: Fix incorrect error message in NetCfgTunBuilder::socket_protect()
      client: Move DNS scope logging from LOG_DEBUG to LOG_VERB2
      cleanup: Remove pointless local scope ovpn3cli::session::start_session()
      configmgr: Add debug option --use-session-bus
      log: Rework the tear-down of ProxyLogEvents objects
      netcfg: Cleanup NetCfgException
      dbus/signals: Add Signals::StatusChange::LastEvent()
      client: Add BackendSignals::LastStatusEvent()
      client: Add new property: connection
      sessionmgr: Implement extraction of connection details from client
      client: Extract DCO status from ConnectionInfo when available
      ovpn3cli/sessions-list: Improve session information with connection details
      build: Minor tweaks to D-Bus/systemd/state-dir build options
      netcfg/proxy: Make all proxy methods const methods
      netcfg/proxy: Extend NetCfgProxy::Device with openvpn::DnsOptions parsing
      client: Enable --dns option parsing in the VPN client
      netcfg/resolved: Extend systemd-resolved proxy with DNSSEC support
      policy/netcfg: Grant privilege to set DNSSEC on systemd-resolved
      netcfg/systemd-resolved: Implement support for setting the DNSSEC mode
      netcfg: Extend NetCfgDevice with D-Bus APIs for DNSSEC
      netcfg/proxy: Extend NetCfgProxy::Device with DNSSEC support
      netcfg/proxy: Extend NetCfgProxy::Device::AddDnsOptions() with DNSSEC support
      netcfg/resolved: Extend systemd-resolved proxy with SetDNSOverTLS()
      policy/netcfg: Grant privilege to set DNS-over-TLS in systemd-resolved
      netcfg/systemd-resolved: Implement support for setting the DNS transport mode
      netcfg/systemd-resolved: Refactor and simplify the code
      netcfg: Extend NetCfgDevice with D-Bus APIs for setting DNS transport
      netcfg/proxy: Extend NetCfgProxy::Device with DNS transport support
      netcfg/proxy: Extend NetCfgProxy::Device::AddDnsOptions() with DNS transport support
      codestyle: Fix misc deviating code style to conform with .clang-format
      dbus/signals: Include iostream
      client: Improve debugging in openvpn3-service-backendstart
      client/backendstart: Move LogServiceProxy inside the service object
      sessionmgr: Add RegistrationRequest debug logging
      sessionmgr: Allow net.openvpn.v3.backends to settle before accessing it
      ovpn3cli: Start a glib2 MainLoop in the command line tools
      sessionmgr/proxy: Replace sleep with waiting for SESS_CREATED signal
      ovpn3cli/sessions-list: Don't show "Connected to" without any details
      netcfg/proxy: Disable support for DoH
      core: Update to latest OpenVPN 3 Core Library v3.10.4
      vendor: Update to ASIO 1.32.0
      client: Fix missing handling of the delayed shutdown thread in BackendSignals
      sessionmgr: Fix misbehaviour if GetUID() fails in Session::helper_stop_log_forwards()
      client: Add support for a couple more TLS error events
      ovpn3cli: Improve mainloop start synchronisation

Petr Portnov (2):
      build: reduce hardcoded 'asio_path'
      build: allow installation directories' customization

Razvan Cojocaru (7):
      cleanup: Remove stray semicolons
      configmgr/overrides: Remove OverrideType::invalid
      configmgr/overrides: Use glib2::DataType::Extract(value)
      configmgr/overrides: Remove struct OverrideValue
      configmgr/overrides: Rename ValidOverride -> Override
      sessionmgr: Remove unused Session::connection_started bool
      netcfg/resolvconf-file: Don't add nameservers that already exist

--------------------------------------------------------------------