Filter forge 6 94fbr
11/8/2023

- Improved Data channel cipher negotiation.
- Removal of BF-CBC support in default configuration (see below for possible incompatibilities).
- HMAC based auth-token support for seamless reconnects to standalone servers or a group of servers.
- Asynchronous (deferred) authentication support for auth-pam plugin.
- Asynchronous (deferred) support for client-connect scripts and plugins.
- Support IPv4 configs with /31 netmasks now.
- New option --block-ipv6 to reject all IPv6 packets (ICMPv6).
- Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip commands).
- Wintun driver support, a faster alternative to tap-windows6.
- Allow unicode search string in --cryptoapicert option.
- EasyRSA3, a modern take on OpenVPN CA management

Cipher handling for the data channel cipher has been significantly changed between OpenVPN 2.3/2.4 and v2.5. Most notably, there is no "default cipher BF-CBC" anymore because it is no longer considered a reasonable default. BF-CBC is still available, but it needs to be explicitly configured now.

For connections between OpenVPN 2.4 and v2.5 clients and servers, both ends will be able to negotiate a better cipher than BF-CBC. By default they will select one of the AES-GCM ciphers, but this can be influenced using the --data-ciphers setting.

Connections between OpenVPN 2.3 and v2.5 that have no --cipher setting in the config (= defaulting to BF-CBC and not being negotiation-capable) must be updated. Unless BF-CBC is included in --data-ciphers or there is a "--cipher BF-CBC" in the OpenVPN 2.5 config, a v2.5 client or server will refuse to talk to a v2.3 server or client, because it has no common data channel cipher and negotiating a cipher is not possible.
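
The 2.3/2.5 rule above can be checked against config files before an upgrade. This Python sketch is an added example, not code from OpenVPN or from this post; it models only the rule as stated here (a 2.3 peer uses its `cipher` line or BF-CBC, a 2.5 endpoint accepts what is in `data-ciphers` or its own `cipher` line), and the function names and sample configs are constructed for illustration.

```python
# Added example: simplified model of the 2.3 <-> 2.5 rule described in the text.
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]  # OpenVPN 2.5 default list
LEGACY_DEFAULT = "BF-CBC"  # used by a 2.3 peer whose config has no cipher line

def parse_options(config_text):
    """Return {option: [args]}; skips blank lines and '#' / ';' comment lines."""
    opts = {}
    for raw in config_text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0][0] in "#;":
            continue
        opts[parts[0].lstrip("-")] = parts[1:]
    return opts

def accepted_ciphers(v25_config):
    """Ciphers a 2.5 endpoint accepts: data-ciphers plus its own cipher line."""
    opts = parse_options(v25_config)
    if opts.get("data-ciphers"):
        ciphers = opts["data-ciphers"][0].upper().split(":")
    else:
        ciphers = list(DEFAULT_DATA_CIPHERS)
    if opts.get("cipher") and opts["cipher"][0].upper() not in ciphers:
        ciphers.append(opts["cipher"][0].upper())
    return ciphers

def check_v23_peer(v25_config, v23_config=""):
    """Predict whether a 2.5 endpoint and a non-negotiating 2.3 peer connect."""
    peer_args = parse_options(v23_config).get("cipher") or [LEGACY_DEFAULT]
    peer_cipher = peer_args[0].upper()
    if peer_cipher in accepted_ciphers(v25_config):
        return {"connects": True, "cipher": peer_cipher,
                "legacy_bf_cbc": peer_cipher == LEGACY_DEFAULT}
    return {"connects": False, "cipher": None, "legacy_bf_cbc": False}

# Constructed sample configs (hypothetical host name).
V25_DEFAULT = "dev tun\nremote vpn.example.test 1194\n"
V25_DATA_CIPHERS = "dev tun\ndata-ciphers AES-256-GCM:AES-128-GCM:BF-CBC\n"
V25_CIPHER = "dev tun\n# legacy peers\ncipher BF-CBC\n"
V23_NO_CIPHER = "dev tun\nproto udp\n"

if __name__ == "__main__":
    for name, cfg in [("default", V25_DEFAULT), ("data-ciphers", V25_DATA_CIPHERS),
                      ("cipher", V25_CIPHER)]:
        print(name, check_v23_peer(cfg, V23_NO_CIPHER))
```

A result with `legacy_bf_cbc` set marks a pairing that still works only because BF-CBC was explicitly re-enabled, which is the peer to schedule for an upgrade.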