Release Notes v1.8.3

OpenVPN Access Server v1.8.3

RELEASE NOTES

Changes since 1.8.0:

Client:

  • Mac tray will now remember last used username.
  • Improved responsiveness of Mac tray UI when openvpn-service is not running.
  • Mac client upgrade should now restart openvpn-service.
  • Mac tray fix -- improve detection of connection drops.
  • Mac client will now use the Mac system keychain as a trusted certificate store (previously, we used the Mozilla list of CAs). This certificate store will be used to trust SSL web servers and verify profile signatures.
  • Mac client will now call SCDynamicStoreNotifyValue on Setup:/Network/Global/IPv4 as a final step after VPN connection termination.
  • On Mac client startup, remove unix domain socket filename before attempting to open it.
  • Added KeepAlive to Mac client launchctl plist file, so that launchctl will always attempt to restart openvpn-service daemon if it crashes or otherwise exits. With this change, only "launchctl unload" can be used to stop service.
  • Tray client extensions: Added menu commands for profile import or remove. Profile import may be done from a server or local file.
  • Mac tray client will now properly generate UI notifications even if Growl isn't installed.
  • Improved tray client support for Access Servers that don't expose an XML-RPC API.
  • General stability fixes in tray client.
  • Tray client will now disconnect an active session on exit.
  • Client will now stop trying to connect/reconnect after 60 seconds for connections that follow an auth dialog. This value can be modified server-side using the vpn.client.connect_timeout key.
  • Added connection duration to Windows tray client (tooltip only).
  • Changed disconnected icon in tray client so that "X" graphic is gray rather than red.
  • Play better with Mac "Spaces" -- dialog windows and notifications from the tray now show up in all Spaces instead of just one.
  • "Basic mode" in tray client is now the default.
  • Mac client DMG post-install script will now scan all mounted DMGs when searching for the DMG from which to extract bound profile (previously, only mount points that begin with '/Volumes/OpenVPN Connect' were scanned).
  • Mac client now shows connection duration on the toolbar.
  • Revamped connecting/connected/disconnected icons.
  • Fixed issue where entering a blank password would cause UI hang in "Connecting" state.
  • Fixed Mac issue where if VPN was connected when system was put to sleep, and if system wakes up without network connectivity, that DNS settings from previous VPN session might not be properly reset.
  • Tray UI fix: fixed issue where server port number was being inserted into Server field in authentication dialog.
  • On Mac client, work around issue where system has just awoke from sleep and SystemConfiguration info on network adapters is not yet consistent, causing a potential exception in unsetdns and a subsequent client hang in the yellow state. Now we will retry unsetdns for up to 30 seconds (one try per second) before failing.
  • Mac client backend was installing SIGTERM handler too soon, causing Twisted initialization to overwrite it. Now we install it later, after the reactor has been started. This issue could potentially cause problems during client package update when a VPN session is active, since the SIGTERM sent to the client backend would cause the backend to exit without cleaning up the active VPN session.
  • In client backend, don't expire event sessions (they will now remain until the session object itself is reclaimed). Previously, event sessions expired after several minutes of non-use. This issue could cause a bug where client hangs in the yellow state after awakening from a long sleep.
  • Added profile update support to the client.
  • Fixed client issue where mid-session dynamic challenge might be dropped, causing a hang in the yellow state.
  • Better username memory in UI.
  • Fixed UI issues in handling session reauth with static challenge/response.
  • Fixed a bug in Mac Keychain CA cert enumerator that might have caused custom CA certs to be omitted. With this fix, CAs that are added with the following command will be visible:

security add-trusted-cert -d -p ssl -k /Library/Keychains/System.keychain /path/to/ca-cert.pem

  • Fixed issue where the wrong version of OpenVPN was bundled with the Mac client, causing prop_block_local to not work.
  • On client, added "capicli ShowTrustedCAList" command to show all trusted CAs.

Server:

  • Re-enabled LDAP fuzzy username matching (i.e. case-insensitive). After authentication, the username is converted to its canonical form before it is used for any other purpose within the Access Server. This retains the security properties of the LDAP fix in 1.8.0 while again allowing LDAP usernames to be entered without regard to case. Post-auth script developers: see the note in the post_auth.txt doc that starts with "Important note on username matching".
  • Fixed bug with Split CA feature, where ns-cert-type requirements were being wrongly placed in client and server config files, causing OpenVPN client to reject connections with a server having a certificate that omits a specific ns-cert-type client/server use designation (as Split CA certs would do).
  • Added config key to control whether or not AS-generated iptables rules are prepended or appended to pre-existing iptables rules in standard chains such as INPUT, OUTPUT, and FORWARD. Previously all AS-generated rules were prepended to standard chains, and this remains the default. However by using the following key, this behavior can be changed to append:

iptables.append (bool, default=false) -- if true, AS-generated iptables rules will be appended to pre-existing rules. If false, AS-generated rules will be prepended.

  • Added memory usage monitoring to both client and server (on the server, both the server backend and web server are monitored). Monitoring is on by default and will output a list of the top 20 Python types/classes that have the most instances outstanding, as well as any accumulation of uncollectable objects. By default, memory info will be logged once per 6 hours, but can be changed with the following settings.

Controlling parameters (as.conf):

MEMTRACK_SECONDS (int, default=21600) -- log report every n seconds.

MEMTRACK_TOP_SHOW (int, default=20) -- show top n types by number of outstanding object instances.

  • When running in UCARP failover mode, periodically push session token store to backup, so that in the event of a failover handoff to the backup node, it will be able to accept relogins from active clients without having to reprompt for creds (assuming the clients present a valid session token from the previous node).
  • Change group/permissions of AS unix domain socket so that only root or openvpn_as can access the socket.
  • Added AS capability to push OpenVPN "inactive" directive to client. The inactive directive can be used to compel clients to disconnect if their bandwidth is below a given threshold for a given length of time.
  • Control with the following user/group properties:

prop_isec (int) -- number of seconds over which to sample bytes in/out.

prop_ibytes (int) -- minimum number of in/out bytes over prop_isec seconds required for the connection to be allowed to continue.

  • Fixed memory leak that occurred when foreground fork() raised an exception in spawnProcess.
  • Fixed bug where changes made to the configuration DBs outside of the Admin UI, using the command line tools or API, would not be immediately visible in the Admin UI. With this change, refreshing a page in the Admin UI should show the current DB settings.
  • Significant updates to CLI (command line interface) document in /usr/local/openvpn_as/doc/cli.txt
  • Revamped the "Web Server" page in the Admin UI:
  1. Web certs/keys can now be uploaded via the browser.
  2. For security, raw cert/key data is no longer visible after upload.
  3. The page now shows human-readable cert info instead of raw cert/key data.
  4. A validation button is provided to validate certs/keys before they are committed to the server.
  • Added a new Static Challenge/Response protocol to augment the existing Dynamic Challenge/Response protocol. A Static Challenge is a constant challenge string which is placed at the end of the initial username/password auth dialog, along with a response input field. The user's response to the static challenge is delivered to a custom post_auth script in the same transaction as the initial username/password (by contrast, Dynamic Challenge/Response delivers the response in a second transaction). Please see the post_auth script documentation for more info:

/usr/local/openvpn_as/doc/post_auth/post_auth.txt

Also see a new post-auth scripting example that shows a challenge/response authentication extension with support for both the Static and Dynamic challenge/response protocols.

/usr/local/openvpn_as/doc/post_auth/pascrs.py

  • On the client side, the Static Challenge/Response protocol is supported by OpenVPN 2.1.3x or higher.
  • Added client-side functionality (that may be controlled from the server) to restrict client access to its local LAN while the VPN is active. This feature is described in more detail in the command line documentation in the section entitled "Block client access to local LAN":

/usr/local/openvpn_as/doc/cli.txt

  • Client-side support for this feature is implemented for Mac, Linux, and Windows clients as of OpenVPN 2.1.3y or higher.
  • Allow groups to define multiple non-contiguous IP address ranges for dynamic allocation to connecting clients. These ranges can be configured on the Group Permissions page in the Admin UI.
  • Changed client adaptive mode (where the client attempts a connection via UDP then falls back to TCP) to strongly favor UDP over TCP. This is intended to fix an issue where a client reconnecting after a network outage might connect by TCP (with the inferior performance semantics of TCP-over-TCP) instead of UDP even when both are available.

vpn.client.connect_timeout (int, default=60) -- set the client-side connect timeout in seconds, after which the client will stop trying to connect to an unresponsive server. Set to 0 to disable the timeout and retry indefinitely.

  • Fixed pyOpenSSL bug that was causing memory leakage in server on CRL reload.
  • Turn on /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal kernel parameter to better handle NATing client internet traffic through server.
  • Added server flag for disabling source-NAT of client traffic that is routed through the server:

vpn.server.nat (bool, default=true)

  • "sacli start" will now return a failure status code (1) to calling shell when errors are defined in the return dictionary.
  • Added new post_auth script pasvar.py in /usr/local/openvpn_as/doc/post_auth to demonstrate the following new post_auth capabilities:

using RETAIN_PASSWORD to allow post_auth script to access the auth password

using AUTH_NULL to disable primary auth -- this means that post_auth script must assume full responsibility for authentication

securely passing an arbitrary python dictionary to client-side connect script (clivar.py is the client-side receiver script)

  • Fixed issue with sshrpc_agent that could cause 100% CPU usage if socket is prematurely reset. This could cause issue where backup AS node shows sshrpc_agent process running at 100% CPU usage.
  • Added config keys for varying the frequency of internal timers.
  • Extended CRL capability to support multiple CRLs for different root/intermediate CAs in the client cert chain. The CRL file (vpn.server.crl) may now contain multiple PEM-format CRLs concatenated together. The CRL documentation in /usr/local/openvpn_as/doc/cli.txt has been updated.
  • Added server-side flags for controlling client tray UI functionality:

vpn.client.basic (bool, default=false) -- if true, UI assumes a basic layout with functionality that is limited to connect/disconnect without profile import or remove.

vpn.client.host_field (bool, default=false) -- if true, auth dialog will include a host field that allows the OpenVPN server domain name to be overridden for User-Locked or External PKI profiles.

vpn.client.no_web (bool, default=false) -- if true, UI will not assume that the AS for this profile is reachable via web or XML-RPC API. For example, if this flag is true, then the UI will not show a "Go To" menu item for the server.

profile.friendly_name (string) -- if defined, this string will designate the customer-visible name of the profile in the UI.

  • Allow decoupling of web cert from profile signing cert.
  • These keys allow the profile signing ca/cert/key info to be explicitly defined:

profile.sign.ca_bundle (defaults to cs.ca_bundle)
profile.sign.cert (defaults to cs.cert)
profile.sign.priv_key (defaults to cs.priv_key)

  • Fixed issue where client backend was wrongly caching static_response.
  • Revamped ca-bundle/cert/key validation to allow extraneous text to exist before or after certs/keys (the text will be removed before certs/keys are handled).
  • Fixed issue in post-auth scripts, where scripts that set conn_group were failing to influence the loading of user properties, since user properties were loaded before the post-auth script was called.
  • When setting conn_group in a post-auth script, you should now include:

GROUP_SELECT = True

in the top-level, global part of your script. This tells the AS to do late user properties lookup, so that the user properties will be taken from the group chosen by the post-auth script. Additionally, any user properties returned by the script in authret['proplist'] will override those read from user properties DB.

Since this option causes user properties to be read AFTER the post_auth/post_auth_cr method is called (rather than before), keep in mind that authret['proplist'] will be an empty dictionary on method entry.
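The late group selection described above, as an added example post_auth script written for these notes. It is not pascrs.py or pasvar.py from the distribution. The hook signature post_auth(authcred, attributes, authret, info) and the authret keys 'status', 'conn_group' and 'proplist' are assumed from the post_auth documentation; SUCCEED is assumed to be the success status value; the department-to-group table, the 'department' attribute and the group names are constructed for the example. The per-user overrides use prop_isec and prop_ibytes, the inactivity keys documented earlier in these notes.

```python
"""Added example post_auth script using late group selection (GROUP_SELECT).

Illustration only, not the Access Server's shipped post_auth scripts.
Assumed: the hook signature post_auth(authcred, attributes, authret, info),
the authret keys 'status', 'conn_group' and 'proplist', and SUCCEED == 1 as
the success status.  DEPARTMENT_GROUP, GROUP_PROPLIST and the 'department'
attribute are constructed sample data.
"""

GROUP_SELECT = True   # ask the AS to load user properties AFTER this hook runs

SUCCEED = 1           # assumed success value for authret['status']

DEPARTMENT_GROUP = {  # constructed: directory department -> AS connection group
    "engineering": "eng_vpn",
    "finance": "fin_vpn",
}

# Per-group overrides returned in authret['proplist'].  They take precedence
# over values read from the user properties DB.  prop_isec/prop_ibytes are
# the inactivity keys from the 1.8.3 server notes; the values are constructed.
GROUP_PROPLIST = {
    "fin_vpn": {"prop_isec": "300", "prop_ibytes": "1024"},
}


def choose_group(department):
    """Map a department string to a connection group; unknown -> default group."""
    return DEPARTMENT_GROUP.get((department or "").strip().lower(), "default_vpn")


def post_auth(authcred, attributes, authret, info):
    # Only act on a successful primary authentication.
    if authret.get("status") != SUCCEED:
        return authret

    # With GROUP_SELECT = True the AS has not loaded user properties yet, so
    # authret['proplist'] is empty on entry; build our own dictionary.
    proplist = {}

    group = choose_group((attributes or {}).get("department"))
    authret["conn_group"] = group            # late user properties lookup uses this group
    proplist.update(GROUP_PROPLIST.get(group, {}))

    authret["proplist"] = proplist           # overrides applied on top of the DB values
    return authret


if __name__ == "__main__":
    # Simulated call with constructed inputs.
    print(post_auth({"username": "bob"}, {"department": "Finance"},
                    {"status": SUCCEED, "proplist": {}}, {}))
```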

 

New changes since 1.7.1:

General changes:

* Security Fix -- Modified LDAP auth module to work around LDAP
"fuzzy equality" property where usernames with different character
case and/or leading/trailing space would count as the same user.
This fix has security implications -- if an LDAP server had an
account for "john.doe", and if this account was limited or
restricted in some way by the Access Server, the user could
potentially escape these restrictions by logging in as "John.Doe".
This fix addresses the issue by enforcing strict username comparison
rules even when the underlying LDAP server does not.  Access Servers
that (a) don't use LDAP for authentication, (b) are configured in
External PKI mode, or (c) use LDAP servers that enforce strict
username equality are not affected by this issue.
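The restriction bypass described above, and the canonicalization that 1.8.3 uses to re-allow fuzzy matching (see "Re-enabled LDAP fuzzy username matching" in the 1.8.3 server notes), as an added Python model that is not Access Server code. The directory, the passwords and the per-user restriction table are constructed; the three login functions model the pre-fix behaviour, the 1.8.0 strict comparison, and the 1.8.3 canonical-name approach.

```python
"""Model of the LDAP "fuzzy equality" username problem and the two fixes.

Added example, not Access Server code.  LDAP_DIRECTORY and USER_PROPS are
constructed sample data: the directory stores the canonical spelling of each
account, and USER_PROPS is the Access Server's per-user restriction table,
keyed by the exact username string.
"""

LDAP_DIRECTORY = {          # constructed: stored spelling -> credentials
    "john.doe": {"password": "hunter2"},
    "alice": {"password": "wonderland"},
}

USER_PROPS = {              # constructed: john.doe is restricted by the AS
    "john.doe": {"deny_access": True},
}


def ldap_bind(username, password):
    """Model an LDAP server whose equality rule ignores character case and
    leading/trailing space.  Returns the stored (canonical) spelling on a
    successful bind, or None."""
    wanted = username.strip().lower()
    for stored, entry in LDAP_DIRECTORY.items():
        if stored.strip().lower() == wanted:
            return stored if entry["password"] == password else None
    return None


def _apply_restrictions(lookup_name):
    props = USER_PROPS.get(lookup_name, {})
    return "denied" if props.get("deny_access") else "allowed"


def login_pre_1_8(username, password):
    """Vulnerable: the name the user typed is used for the restriction lookup,
    so "John.Doe " binds as john.doe but misses john.doe's restrictions."""
    if ldap_bind(username, password) is None:
        return "auth failed"
    return _apply_restrictions(username)


def login_1_8_0(username, password):
    """1.8.0 fix: enforce strict equality between the typed name and the
    stored name, even though the LDAP server does not."""
    stored = ldap_bind(username, password)
    if stored is None or stored != username:
        return "auth failed"
    return _apply_restrictions(stored)


def login_1_8_3(username, password):
    """1.8.3: accept the fuzzy bind, then convert the username to its
    canonical (stored) form before it is used for anything else."""
    stored = ldap_bind(username, password)
    if stored is None:
        return "auth failed"
    return _apply_restrictions(stored)


if __name__ == "__main__":
    for fn in (login_pre_1_8, login_1_8_0, login_1_8_3):
        print(fn.__name__, fn("John.Doe ", "hunter2"))
```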

* Further developed the Tray Icon UI with sufficient functionality
that it can act as a standalone client.

* Fixed issue with Mac DNS settings on client, where server-pushed
settings would not take effect on the client if its primary network
interface used a fixed IP address.

* Fixed client bug that could cause packet replay errors and
reconnections in UDP mode.

* Fixed server bug that could cause server port-share proxy
to become unresponsive after error message like this:
EVENT: epoll_ctl EPOLL_CTL_MOD failed: Bad file descriptor (errno=9)

* Fixed issue where a client might receive multiple push replies from
a server if it sent multiple push requests due to the server being
slow to respond.

* Hardened session.json file (used for communication of session token
ID between Access Server and local web server) so that Session ID
is not actually stored in the file.

* Added support for Windows certificate store.  This allows the
External PKI feature to work on both Mac and Windows clients
(see doc/epki.txt with details on how to load
certificate/private-key pairs into the Mac Keychain or Windows
Certificate Store).

* Added "mandep" script for package dependency management.  mandep
can be used, for example, to configure the OAS daemon to link to
the linux distribution version of OpenSSL instead of the
OAS-bundled version.  See /usr/local/openvpn_as/doc/cli.txt for
documentation.

* Built Access Server package for Ubuntu 10.04.1 LTS.

* For security, session tokens are now locked to the client IP
address that created them.

* Fixed issue where logging of web sessions routed through the
shared VPN port would be shown as originating from 127.0.0.1
instead of the actual client IP address.

* By default, OpenVPN server daemons will now be executed in a
chroot jail (users that explicitly enable chroot as a server-side
OpenVPN directive should remove the directive since it will now
be enabled by default, and OAS needs to control the chroot
directory).

* Fixed a bug that could cause a failure in OSI layer 2
configurations (i.e. ethernet bridging).

* Require web clients to support cookies, and disable support for web
Session IDs to be embedded in the URL.

* For post_auth scripts, validate x509_track return value before AS
commits itself to loading/reloading the script.

* For Mac Keychain / Windows Certificate Store support, internally
index certs by serial number rather than Common Name because the
Common Name might not be unique.

* For Mac Keychain / Windows Certificate Store support, when multiple
near-identical client certs are available, choose the one with the
latest expiration (or largest serial number if expirations are
equal).

* Added GetAutologin5 and GetUserlogin5 API (and sacli methods) for
getting autologin and userlogin profiles as multiple files.

* Modified ovpn-init to detect private subnets on the server and make
these available by default to clients.  ovpn-init will no longer
make all RFC-1918 subnets available by default as it did
previously -- only those specific subnets that are detected will be
made available.

* Fixed a longstanding issue where if two or more clients try to
connect to the server, and the user is not capable of
multi-instancing due to server-side user properties, the older
client will now be gracefully usurped by the new client, and the
older client will show an error "disconnected due to new connection
by same user".

* Extended DisconnectUser and DisconnectClient API methods (and sacli
equivalents) with additional parameters --reason, --client_reason,
--restart, and --psid.

* Added vpn.server.session_expire config key (integer, disabled
by default) to force reauthentication of non-autologin
profiles after a given number of seconds.

* Produce a more clear error message if the required "openvpn_as"
linux user (used internally by the server) is missing.

* The server will now sign client profiles with its SSL web key.
If the server is running with a commercial web SSL certificate,
this will allow clients to verify the domain of the server that
produced the profile (this verification is in addition to normal
integrity checks performed by SSL client to verify SSL server
certificate).

* Reduced both server and client log verbosity.

Bugs:

* Fixed an issue in Mac client where AS-pushed DNS servers sometimes
did not have priority over other interfaces with a lower "order"
value.  We now explicitly set the "order" value to 5000.  This
should be well below that of other services and allow the VPN
DNS servers to have priority.

* Mac client now does an SCDynamicStoreNotifyValue on
Setup:/Network/Global/IPv4 as a final tunnel initialization step,
to notify other apps that a network reconfiguration event
has occurred.

* Fixed an issue in Mac client when External PKI mode is enabled,
where login.keychain couldn't be found by the Mac Keychain.

* Fixed a tray app issue where authentication challenge dialog
was not being presented, causing authentication failure.

* Fixed "Installed-Size" variable in Debian package builder, which
was being incorrectly set.

* Added workaround for VPS when venet0 lacks an IPv4 address.

* Session management code has been revamped, this should address
the issue of disconnects at exactly 6 hours into the connection.

Harden JSON/Session-Token Exchanges

* JSON files are now prepended with an "execution breaker": ")]}\n"

* Expanded the use of the "x-openvpn: 1" custom HTTP header so
that neither HTTP server (AS or local client) will return JSON
if this header is not set by the requesting client.

* Moved security-sensitive information such as the Session
token from the JSON body to a custom HTTP header.  This information
is never stored in a cookie or any other form of browser-persistent
storage.

* Because the above changes break previous assumptions about the web
client protocol, we have designated these changes as the
CWS version 2 protocol.  To enable these changes, enable the
config key cs.cws_proto_v2.  Note that doing so will break
compatibility with pre-1.8 clients.

./sacli -k cs.cws_proto_v2 -v true ConfigPut
./sacli start
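The three CWS v2 hardening measures above, as an added Python illustration that is not the Access Server's web code. The breaker string ")]}\n" and the "x-openvpn: 1" request header are from the notes; the response header name used for the session token (X-Session-Token), the 403 status for ungated requests, and the request/response shapes are assumptions of this example.

```python
"""Added example of the CWS v2 JSON hardening: execution breaker, the
"x-openvpn: 1" header gate, and the session token carried in a header.

Illustration only, not Access Server code.  Assumed: the token header name
X-Session-Token, the 403 status for requests lacking the x-openvpn header,
and the (status, headers, body) shape used to model an HTTP response.
"""
import json

BREAKER = ")]}\n"                 # from the notes: invalid as a JavaScript prefix
GATE_HEADER = "x-openvpn"         # from the notes: must be "1" to receive JSON
TOKEN_HEADER = "X-Session-Token"  # assumed name for the custom response header


def render_json(request_headers, payload, session_token=None):
    """Server side.  Returns (status, response_headers, body).

    JSON is produced only when the requester set "x-openvpn: 1", which a
    cross-site <script src=...> or <form> submission cannot do.  Even then the
    body starts with a deliberate syntax error so it cannot execute as
    JavaScript, and the session token travels in a header rather than in the
    body (and never in a cookie).
    """
    hdrs = {k.lower(): v for k, v in request_headers.items()}
    if hdrs.get(GATE_HEADER) != "1":
        return 403, {}, ""        # assumed: refuse outright rather than omit the JSON
    resp_headers = {"Content-Type": "application/json"}
    if session_token is not None:
        resp_headers[TOKEN_HEADER] = session_token
    return 200, resp_headers, BREAKER + json.dumps(payload)


def parse_json(body):
    """Client side: require and strip the execution breaker before decoding.
    A body without it is not a CWS v2 response and is rejected."""
    if not body.startswith(BREAKER):
        raise ValueError("missing execution breaker; not a CWS v2 response")
    return json.loads(body[len(BREAKER):])


def client_fetch(server, payload, session_token=None):
    """Round trip: a compliant client sets the gate header and parses the
    breaker-prefixed body; the token is read from the response header."""
    status, headers, body = server({GATE_HEADER: "1"}, payload, session_token)
    if status != 200:
        return status, None, None
    return status, headers.get(TOKEN_HEADER), parse_json(body)


if __name__ == "__main__":
    print(render_json({"X-Openvpn": "1"}, {"ok": True}, "tok123"))
    print(render_json({}, {"ok": True}))
```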

Warning Dialogs

* Added explicit warning dialogs for:

(a) Connection to AS web server not having a legitimate SSL cert
(b) VPN connection instantiation on a profile
(c) Receiving pushed scripts from server

The user is given a "Don't ask again" option to prevent
repeated warnings about the same issue.  The user is also
given the ability to view detailed information about the
warning such as (a) the SSL cert details, (b) the profile
content, or (c) the actual script content.

When "Don't ask again" is enabled, the precise signature of
the event that generated the warning is remembered, so that
the warning will still be repeated in the future if the
underlying signature changes.  The signatures are derived
from (a) the SHA-256 signature of the SSL cert, (b)
a secure hash of the profile, and (c) a secure hash of the
script content and provider.
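The signature-keyed "Don't ask again" memory described above, as an added Python example that is not the client's code. The three signature sources (SHA-256 of the SSL cert, a hash of the profile, a hash of script content plus provider) follow the notes; the use of SHA-256 for the profile and script hashes, the length-prefixed combination of provider and script, and the sample certificate bytes, profile and script are assumptions of this example.

```python
"""Added example: remember accepted warnings by event signature, so the
warning reappears only if the cert, profile or script actually changes.

Not the client's code.  Assumed: SHA-256 for the profile and script hashes
(the notes say only "a secure hash") and a length-prefixed encoding when
combining script content with its provider.  Sample inputs are constructed.
"""
import hashlib

CERT, PROFILE, SCRIPT = "cert", "profile", "script"   # the three warning kinds


def cert_signature(der_bytes):
    """SHA-256 of the server certificate (DER bytes)."""
    return hashlib.sha256(der_bytes).hexdigest()


def profile_signature(profile_text):
    """Hash of the profile content."""
    return hashlib.sha256(profile_text.encode("utf-8")).hexdigest()


def script_signature(script_text, provider):
    """Hash of script content together with the provider (the server that
    pushed it).  Each field is length-prefixed so ("ab","c") and ("a","bc")
    cannot collide, and the same script from a different provider is a new
    event."""
    h = hashlib.sha256()
    for part in (provider, script_text):
        data = part.encode("utf-8")
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.hexdigest()


class WarningMemory:
    """Stores (kind, signature) pairs the user accepted with "Don't ask again"."""

    def __init__(self):
        self._accepted = set()

    def should_warn(self, kind, signature):
        return (kind, signature) not in self._accepted

    def dont_ask_again(self, kind, signature):
        self._accepted.add((kind, signature))


if __name__ == "__main__":
    mem = WarningMemory()
    sig = cert_signature(b"constructed-der-bytes-1")
    print(mem.should_warn(CERT, sig))        # first sight: warn
    mem.dont_ask_again(CERT, sig)
    print(mem.should_warn(CERT, sig))        # same cert: silent
    print(mem.should_warn(CERT, cert_signature(b"constructed-der-bytes-2")))  # changed: warn
```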

Selectively Disabling Web Access

These new config parameters disable various web client features
for customizing the security exposure of the product.

cs.enable_connect (bool, default=true) -- when false, disables
the OpenVPN Connect web client (i.e. port 946 is not listened to),
meaning that only the tray app or standalone OpenVPN client may be
used to connect. On Mac this means that the only communication
channel to the client backend daemon is via a unix domain socket.

cs.allow_web_import (bool, default=true) -- when false, disables
/import on the client.  This prevents "server-switching", i.e.
connecting via the web interface to a different Access Server
than the one that originally provided the client installer.

cs.enable_xd_proxy (bool, default=true) -- when false, disables
xd_proxy.html on both server and client.  xd_proxy is used for
cross domain communication and is only needed to support older
browsers.  On modern browsers, the web client uses the
more secure document.domain method for cross domain
communication.

Note that all of the above parameters are communicated to the
client via a bundled profile (i.e. a profile bound to a client
installer package), therefore changes in these parameters will
only be visible to clients downloaded after the changes have
been made.

Certificate Revocation List capability

* Use a CRL (certificate revocation list) to deny access to specific
client certificate serial numbers.  Clients that attempt to connect
whose client certificate is listed in the CRL will be denied access,
and further, any connected clients listed in the CRL at the time
that it is loaded will be immediately disconnected.  Once a CRL file
has been named via the vpn.server.crl key and initially loaded using
./sacli start, the file may be updated at any time and it will be
automatically reloaded by the server within a few seconds.  The CRL
file should be in PEM format.

./sacli -k vpn.server.crl -v /path/to/crl.pem ConfigPut
./sacli start
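An added Python example, not Access Server code, covering two behaviours from these notes: the vpn.server.crl file holding several PEM CRLs concatenated together (1.8.3 server notes, "Extended CRL capability"), and the 1.8.3 validation change that removes extraneous text before and after certs/keys. The sample file content is constructed and its base64 payloads are not real CRLs; the splitter checks PEM framing and base64 validity only and does not parse DER.

```python
"""Added example: split a concatenated PEM file into its blocks, tolerating
extraneous text before, between and after the blocks.

Not Access Server code.  The sample content is constructed; the base64
payloads decode to placeholder strings, not real CRLs.  Only PEM framing and
base64 validity are checked here; DER parsing is out of scope.
"""
import base64
import binascii
import re

# Label is captured and back-referenced so BEGIN/END must agree.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def split_pem(text, want_label=None):
    """Return a list of (label, der_bytes).  A block whose label is not
    want_label (when given) or whose body is not valid base64 raises
    ValueError instead of being silently skipped, so a corrupt CRL cannot
    be mistaken for an empty one."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        if want_label is not None and label != want_label:
            raise ValueError("unexpected PEM block: %s" % label)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            raise ValueError("corrupt base64 in %s block" % label)
        blocks.append((label, der))
    return blocks


def normalize_pem(text, want_label=None):
    """Re-emit only the PEM blocks, dropping surrounding commentary such as
    'openssl crl -text' dumps that tools often leave above each block."""
    out = []
    for label, der in split_pem(text, want_label):
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        out.append("-----BEGIN %s-----\n%s\n-----END %s-----\n"
                   % (label, "\n".join(lines), label))
    return "".join(out)


# Constructed sample: two "CRLs" (one per issuing CA) with commentary around them.
SAMPLE = """Issuer: Root CA  (human-readable dump that the validator must ignore)
-----BEGIN X509 CRL-----
bm90LWEtcmVhbC1jcmwtMQ==
-----END X509 CRL-----
Issuer: Intermediate CA
-----BEGIN X509 CRL-----
bm90LWEtcmVhbC1jcmwtMg==
-----END X509 CRL-----
trailing text
"""

if __name__ == "__main__":
    for label, der in split_pem(SAMPLE, "X509 CRL"):
        print(label, der)
    print(normalize_pem(SAMPLE, "X509 CRL"))
```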

External PKI features

* Added Split CA mode, where a separate CA chain for client and server
certificates can be used.

By default, one CA chain is assumed for both client and server
certificates.  To use a separate chain for each, first enable
split CA mode:

./confdba -mk external_pki.remote_cert_usage -v split

Next, instead of loading a single CA bundle with:

./confdba -mk external_pki.ca_crt --value_file /path/to/ca.crt

load separate server and client CA bundles:

./confdba -mk external_pki.server_ca_crt --value_file /path/to/server-ca.crt
./confdba -mk external_pki.client_ca_crt --value_file /path/to/client-ca.crt

When using split CA mode, marking certificates as client or server
becomes unnecessary.  Therefore, settings for Netscape certificate
type or X509 explicit/extended key usage based on RFC3280 TLS rules
can be safely omitted.

When running a standalone OpenVPN client to connect to an AS that
uses a split-CA configuration, you must use a newer version of
OpenVPN that supports the "extra-certs" directive.  Use at least
version 2.1.3w available from:

http://svn.openvpn.net/projects/openvpn/branches/2.1/openvpn

* CN/username requirement can be enabled/disabled:

By default, it is required that client logins use a username that
matches the Common Name on the client certificate.  This requirement
may be dropped by disabling the external_pki.cn_username_requirement
boolean key:

./sacli -k external_pki.cn_username_requirement -v false ConfigPut

Note that this option only affects user logins.  Autologins,
if allowed by autologin_x509_spec setting, derive their username
from the Common Name field of the client certificate.

* Controlling which certificate store the client uses to fetch the
client certificate:

By default, the client will fetch certificates from the "user" store.
This corresponds to the user's ~/Library/Keychains/login.keychain
store on Mac, and the "MY" store on Windows.  Alternatively, the
user properties key "cert_store" may be set to "user" or "system" to
explicitly control the store that clients use.  If set to "system",
the /Library/Keychains/System.keychain keychain will be used on the
Mac. For example, set the store to "system":

./sacli --user __DEFAULT__ --key cert_store --value "system" UserPropPut

Session Management changes:

* When a VPN client disconnects from the server without explicitly
closing its session, we currently reset the expiration of the
session token to 5 minutes into the future.  This allows
disconnect/reconnect cycles caused by adverse network conditions
to automatically complete without a credential challenge.  This
"keepalive after disconnect" feature can be calibrated via the
following config key:

vpn.server.inactive_expire (int number of seconds, default=300) --
The number of seconds after VPN disconnect, if session was not
explicitly closed, that the session ID is kept alive for.  Set
to 0 to disable.  If disabled, any reconnect by the OpenVPN
client will trigger a new credential challenge.
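The token behaviour described in this section, combined with the "session tokens are now locked to the client IP address that created them" item in the general changes above, as an added Python model that is not Access Server code. The store's method names, the explicit clock values passed in, and the token format are assumptions of this example; the inactive_expire semantics (reset the token's expiry to now plus the configured seconds on an unclean disconnect; 0 means a reconnect needs fresh credentials) follow the notes.

```python
"""Added example: session-token bookkeeping with IP locking and the
"keepalive after disconnect" window (vpn.server.inactive_expire).

Not Access Server code.  Assumed: the method names, the token format (16
random bytes, hex-encoded) and that time is passed in explicitly so the
behaviour is deterministic.
"""
import os


class SessionStore:
    def __init__(self, inactive_expire=300):
        self.inactive_expire = inactive_expire   # seconds; 0 disables the keepalive window
        self._sessions = {}                      # token -> {"ip", "expires", "connected"}

    def create(self, client_ip, now, lifetime):
        """Issue a token after a credential check; it is bound to client_ip."""
        token = os.urandom(16).hex()
        self._sessions[token] = {"ip": client_ip, "expires": now + lifetime,
                                 "connected": True}
        return token

    def _lookup(self, token, client_ip, now):
        sess = self._sessions.get(token)
        if sess is None or now >= sess["expires"]:
            return None
        if sess["ip"] != client_ip:
            return None      # IP lock: a stolen token is useless from elsewhere
        return sess

    def reconnect(self, token, client_ip, now):
        """Relogin with a token.  True means no credential prompt is needed."""
        sess = self._lookup(token, client_ip, now)
        if sess is None:
            return False
        sess["connected"] = True
        return True

    def vpn_disconnected(self, token, now):
        """VPN dropped without the session being closed: keep the token alive
        for inactive_expire seconds so a flapping link can reconnect silently.
        With inactive_expire == 0 the token is discarded immediately."""
        sess = self._sessions.get(token)
        if sess is None:
            return
        sess["connected"] = False
        if self.inactive_expire == 0:
            del self._sessions[token]
        else:
            sess["expires"] = now + self.inactive_expire

    def close(self, token):
        """Explicit logout: the token is gone regardless of expiry."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("10.0.0.5", now=1000, lifetime=3600)
    print(store.reconnect(tok, "10.0.0.5", 1500), store.reconnect(tok, "10.0.0.6", 1500))
    store.vpn_disconnected(tok, now=2000)
    print(store.reconnect(tok, "10.0.0.5", 2299), store.reconnect(tok, "10.0.0.5", 2300))
```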

Configuration changes:

* By default, set cs.generic_all_users to true so that all users
will have access to server-locked profile.

New Changes in 1.7.1:

* Added support for OpenVPN clients built without LZO-support (requires that non-LZO-enabled OpenVPN clients are built with the ./configure --enable-lzo-stub option).

* Added boolean config setting (vpn.routing.allow_mcast) to generate iptables rules that allow UDP multicast and IGMP packets to flow freely between clients and server.

* Support 64-bit certificate serial numbers.

* Fixed bug where authentication challenge responses of more than a few characters would fail on the server with an empty username error.

* Fixed bug where clients in a group might not be able to access a gateway, because return routes needed to reach the client were not pushed to the gateway (a gateway is a client that acts as a VPN gateway on behalf of other machines on a LAN).

* Work around issue where DHCP client on Mac OS X was overwriting VPN DNS settings.

* Deal more robustly with session token management.  This should fix the issue where long-term VPN client sessions are broken ~6 hours into the session.

* UCARP failover fix -- robustly handle the case where UCARP virtual IP was not properly removed by previous shutdown.

* Fixed some stability issues in Client Web Server when Access Server is running in External PKI mode.

* Mac OS X client can now report ethernet MAC address to server for host-checking purposes.

* Add error messages for denied (banned) users, revoked certificates, and AS license exceeded failures.

* Improve reporting of connection status in the tray icon.

* If the AS is configured with a hostname and a client tries to access it with an IP address from the browser, redirect to the IP address instead, and vice versa.

* When switching servers, remove the question prompt.

* When switching to a server accessed with an IP address and another server is already connected, don't show the connected status page for the connected server.


New Changes in 1.7.0:

New features:

* Add support for Mac OS X

* Allow users to change servers without reinstalling, by going to the URL of the new Access Server

* Added External PKI support (beta) where the Access Server can be driven by an externally-managed certificate system.

* Post-auth scripts can now initiate a challenge/response authentication handshake.

* Fixed a client issue where CA cert bundles that include a root cert that is also included in the Mozilla trusted cert set would fail to load.

Bugs fixed:

* Inability to connect from the Connect web client when it's accessed using a non-443 port with an IP address.

* It is recommended to disconnect existing connections before switching to a new server that is accessed using an IP address instead of a hostname.

New Changes in 1.6.1:

New feature:

* tray icon will notify user when a software update is available

Bugs fixed:

* using IP address to access Connect

* autologin to regular user switching

* fixed issue where intermediate web CA bundles would fail client validation if the root certificate was absent (issue observed with recent Comodo CA bundles).

* traffic will now pass through venet adapters

New Changes in 1.6.0:

* New Connect client features:

1. Dramatically simplified web-based VPN install and connection.
2. No longer requires .NET libraries.
3. Client download size reduced from 15 to ~5 MB.

If you would like to use the Connect Client after upgrading from a previous version, please follow these instructions:

If upgrading your current OpenVPN-AS build to this version, you will need to edit as.conf, which is located in /usr/local/openvpn_as/etc/, and add the following line:

AS_CONNECT=true

After adding that line to your as.conf, restart OpenVPN-AS by running the following command:

/etc/init.d/openvpnas restart

* Client backend references to AS web server, when a port is not
explicitly specified, will attempt ports 443 then 943.

* Security Fix

* ovpn-init is now run automatically, with default parameters, on
rpm/deb package initial install.  License EULA is now presented
on initial login to Admin UI.

* Client Settings page now supports exporting the complete AS backend
API to admin users (off by default).

* Fixed an issue in client backend where initialization might fail if
the backend started up before the default gateway and DNS servers
were defined.  Now the backend will wait for these resources to
become available.

* Admins can now define a different RADIUS dictionary file than the
default by setting auth.radius.0.dictionary in the config DB.

* Fixed bug in parsing as.conf lines that use "~" as a shortcut for
the package install home.  The bug would trigger an exception
"bogus escape (end of line)" if the home directory contained a
trailing backslash.

* Add options to ./confdba --assign_type to
allow control over marking user properties records as
hidden from the Admin UI:

For example, to hide all users except for root and test from the
Admin UI, use this command:

./confdba -u --assign_type --hide=true --exclude=root,test

or to un-hide all users:

./confdba -u --assign_type --hide=false

* Fixed issue with memory allocation/free in openvpn.exe that could
cause a crash.

* In Admin UI, remove arbitrary 255-character limit on certain input
fields, particularly LDAP settings.

* When authentication fails because of: (a) licensed concurrent
connections exceeded on server, or (b) autologin attempt barred
by user properties record on server, return a human-readable reason
string to client explaining the cause of error.

* Try to fix the issue where admin users are single-instanced by the
AS, preventing concurrent connections by the same user (single
instancing means that every connection by a user will disconnect
previously connected instances of that user).  With this change,
admin users will only be single-instanced if
vpn.client.routing.superuser_c2c_access is true (which is controlled
on the Advanced VPN page under "Allow VPN users with Administrator
privilege to access all VPN client IP addresses").

* AS will now use the system OpenSSL libs when those libs
are >= 0.9.8.  This allows admins to keep OpenSSL up
to date using distro tools, and reduces the need for
OpenVPN Tech to issue an AS update every time that
OpenSSL is updated.

* Don't allow bundled profiles to control extremely security-sensitive
global settings, including 'exec_admin' (allow admin-level scripts)
and 'exec_silent' (run scripts without getting confirmation from
user).

* ovpn-init will now select "openvpn" as the default
AS Admin user, and will advise the user to set a
password for "openvpn" before connecting to the
Admin UI.  Also, the Admin UI and Client UI URLs
are shown at the end of the ovpn-init output.


New Changes since 1.5.5:

Admin UI:

* Fields are now auto-cleared when the 'No' option is selected: 1) in User Permissions, for Access Control, Dynamic Address and DMZ; 2) in Group Permissions, for Access Control and Client Scripting.

Previously, clearing was done after validation, which caused problems, and not all fields were being cleared.


* Fixed Admin UI issue where new group ACL rule features were being flagged by validation.


Core:

Allow an alternative /etc/hosts path to be specified in as.conf, for example:

etc_hosts=/home/alicebob/pyovpn-build/scripts/hosts



Added new client global setting:

* allow_ssl_v2 (bool, default=False) -- If true, allow connections
to CWS via SSLv2 protocol (potentially insecure).  If false, require
SSLv3 or higher.


New Changes since 1.5.4:

Server:

* The Access Server will now support 2 concurrent connections without
a license.

* LZO compression is now enabled by default.

* Extended the Access Control spec to allow:

1. hostnames from /etc/hosts can be used instead of IP addresses
(but not DNS names due to the security concerns of
configuring the firewall via an insecure protocol such as DNS).

2. ICMP types can be specified using the notation icmp-X where X
is the ICMP type.  For example icmp-echo-request can be added
to an ACL to indicate that pings are allowed.

Example:

+SUBNET:my-host:http,icmp-echo-request

where my-host is defined in /etc/hosts
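Added example, not Access Server code: a small Python parser for the ACL notation above that resolves hostnames only from /etc/hosts content (a constructed sample here) and refuses any name it cannot find there rather than falling back to DNS, which is the restriction the notes describe. The service-name table and the CIDR form of the target are assumptions made for illustration.

```python
import re

# Constructed /etc/hosts content standing in for the real file.
HOSTS_SAMPLE = """127.0.0.1   localhost
# internal services
10.0.5.20   my-host  my-host.corp.example
10.0.5.21   intranet
"""

# Assumed service-name table; the release notes only show 'http'.
SERVICE_PORTS = {"http": ("tcp", 80), "https": ("tcp", 443), "ssh": ("tcp", 22)}
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")

def parse_hosts(text):
    """Return {name: ip} from hosts-file text, skipping comments and blanks."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name, ip)
    return table

def parse_acl(rule, hosts):
    """Parse '+SUBNET:<host-or-ip>:<svc>[,<svc>...]'.  A hostname must be in
    the hosts table; unknown names raise rather than fall back to DNS, as the
    notes require.  'icmp-X' entries carry ICMP type X."""
    m = re.fullmatch(r"\+SUBNET:([^:]+):(.+)", rule)
    if not m:
        raise ValueError("unrecognised ACL rule: %r" % rule)
    target, svcs = m.groups()
    if IPV4_RE.match(target):          # literal IPv4 address or CIDR (assumed form)
        dest = target
    elif target in hosts:              # name known from /etc/hosts only
        dest = hosts[target]
    else:
        raise ValueError("%r is not in /etc/hosts; DNS lookup refused" % target)
    entries = []
    for svc in svcs.split(","):
        if svc.startswith("icmp-"):
            entries.append(("icmp", svc[len("icmp-"):]))
        elif svc in SERVICE_PORTS:
            entries.append(SERVICE_PORTS[svc])
        else:
            raise ValueError("unknown service %r" % svc)
    return {"dest": dest, "entries": entries}
```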

* Admin UI fixes:

1. Restored compatibility with 1.3.x user-based access control.

2. Fixed issue with Group and User Access Control properties
being sometimes cleared when successive changes are committed.

3. Fixed issue where attempt to delete a group with users attached
would fail validation.

* Added the capability for the server to be remotely controlled via
an XML-RPC over HTTPS port, using either the sacli tool or any
custom XML-RPC client.  For more info, see the section entitled
"Controlling the Access Server API remotely" in the Access Server
Command Line guide.

* When sacli is run locally from a root shell, it is no longer required
that authentication credentials be supplied for each command.  This
behaviour can be disabled by setting local_root_granted_admin=false
in as.conf.

Client:

* Fixed issue where import profile was sometimes raising
an exception that as.conf could not be found.

* Hide profiles that the user doesn't have access to, unless they are
currently connected.

* Importing remote profiles should no longer cause phantom connections
in the Status tab.

* Created a workaround for issue where VPN and web server listen on
different IP addresses, and universal or server-locked profile
access from the client would fail.  To enable the workaround:

Set "cs.ws_direct": "true" to tell the AS to have client profiles
connect directly to web server IP address, without assuming
port sharing or port forwarding of the "Hostname or IP address
setting" on the Server Network Settings page.  This can be done
with the following commands from the scripts directory on the
server:

./sacli --key cs.ws_direct --value true ConfigPut
./sacli start



New Changes to Access Server since 1.5.2:

* RADIUS dual-factor support has been improved:
1. Added support for asynchronous challenge/response
2. Added support for long-timeout servers such as the Phonefactor Agent

* On the client, added a checkbox to cache the password for the duration
of the connection.  This capability can be hidden from users via a
global setting.

* Fixed an issue with the TAP driver update in the MSI installer that
caused the automated update from 1.5.1 -> 1.5.2 to fail.

* Admin UI fix for this error: SESSION ERROR: GuardSession instance has
no attribute 'user_profiles_dict':
internet/defer:102,admin/auserperm:1568 (exceptions.AttributeError)

* Support the pushing of Visual Basic scripts to the Windows client.
Just add these two lines to the beginning of the script:

'!cscript.exe
'EXT vbs

* Fixed a bug that could cause server-locked clients to fail when the AS
is using default self-signed web certs.

* Fixed an issue in client backend where the VPN was failing to start
due to a possible port conflict.

* Added the following commands to be executed by the Windows client on
VPN connection initiation (only when DNS servers are pushed to the client):

net stop dnscache
net start dnscache
ipconfig /flushdns
ipconfig /registerdns

This is intended to fix a Windows issue where pushed DNS servers are not
accepted by the client.

* Increased default Connection Security Refresh parameter to 6 hours
from 1 hour.  Note that this new default only applies to new AS
installs.  AS updates will still use the previously configured value.

New Changes to Access Server since 1.3.5:

Changes to Client:

OpenVPN Access Server 1.5.0 ships with a brand-new client that we've
redeveloped from the ground up. The client is currently available
for Windows and we're in the process of porting it to Mac OS X and
Linux.

  • Fully modern UI with multi-language support.
  • Split-privilege security model, allowing unprivileged local users
    to open and close VPN connections, with privileged operations
    occurring in background processes.
  • Web-browser-like connection interface allowing client to connect to
    an Access Server by simply entering its address into an address bar
    (Of course importing of Access Server profiles or OpenVPN
    configuration files is still fully supported.)
  • Service mode -- client can be configured to connect automatically on
    system startup.
  • Scripting capability -- Access Servers can push scripts to the
    client for execution on VPN connection initiation or shutdown.
    Scripts can be as simple as launching a web page or as complex as
    downloading and installing an application. A security model is
    provided to ensure that scripts are only accepted from trusted
    Access Servers and with explicit user approval.
  • UDP/TCP/HTTP-Proxy fallback support -- client will attempt a UDP
    connection first, fall back to TCP, and then attempt to connect
    through an HTTP proxy.
  • Automatic HTTP proxy detection using WPAD. Automatic detection of
    HTTP Proxy authentication method, with support for Basic, Digest,
    and (Microsoft ISA) NTLM authentication.
  • Support for automated client installer distribution. Client
    installer can be customized by server-side settings, then pushed to
    client machines using MSI application publishing capability such as
    Active Directory publish.
  • Client now supports automated update capability. (Unattended / Attended updates)
  • Locking the VPN client to a specific machine -- two methods are
    provided to ensure that OpenVPN client configurations are locked to
    known hardware, and cannot be copied to unmanaged hardware:

    1. Split privilege model -- under this model, where the end user
    lacks administrative privileges, the user can initiate a VPN
    session even though the OpenVPN client configuration
    (including client certificate/key) are not readable except by a
    local Administrator.

    2. Hardware address ID -- using server-side scripting methods, a VPN
    user can be locked to a specific client machine using the MAC
    address of the machine as a hardware ID.

  • Windows client is now packaged in MSI format (instead of EXE format)
    for greater ease of management and distribution.

New Access Server 1.5.0 Features

  • Group permissions and access control -- user management and access
    control can be streamlined by defining groups and their associated
    access control rules and IP address pools. User assignment to
    groups can be accomplished using the Access Server's integrated user
    properties DB, or via post-authentication attributes provided by
    LDAP or RADIUS. See new "User Permissions" and "Group Permissions"
    pages in Admin UI.
  • Added Active/Standby failover capability, with Ucarp now fully
    integrated with the Access Server. See "Failover" page in Admin
    UI.
  • RADIUS improvements:

    1. Added support for CHAP and MS-CHAP v2 authentication methods.
    2. Added support for Interim-Update accounting records.
    3. Added support for Acct-Input-Gigawords and Acct-Output-Gigawords.

  • Local users authentication. The Access Server can now authenticate
    users using an integrated user properties DB, as an alternative to
    PAM, RADIUS, or LDAP.
  • Certificate Revocation -- Added a new Admin UI page for client
    certificate revocation.
  • Multi-daemon mode -- by default, the Access Server will run multiple
    OpenVPN daemons and load balance connections between them to fully
    utilize multi-core machines.
  • Simultaneously support both TCP and UDP-based VPN connections.
  • A rich server-side scripting capability is provided that allows
    extension of the Access Server authentication model. Scripts can
    accomplish such things as:

    1. Set a connecting user's Access Server group based on LDAP
    group membership for the user.
    2. Set up a dual-authentication system where initial authentication
    is provided by a one-time-password, RADIUS-based token system,
    and then group assignment is provided by LDAP.
    3. Verify that a given Access Server user only logs in using
    a known client machine, by using the MAC address of the client
    machine as a hardware ID.
    4. Verify that a given Access Server user only logs in from a known
    IP address.
    5. Verify that the client machine contains up-to-date applications
    (such as virus checker and other security software) before
    allowing it to connect to the VPN server.

  • The default VPN IP address subnet has been changed to 5.5.0.0/20
    (from 10.8.0.0/24) to reduce the chances of subnet conflicts.
  • Changes to SSL configuration on web servers, as selected on
    Server Network Settings page:

    1. When SSLv3 method is chosen, allow TLS as well.
    2. When SSLv3 or higher method is chosen, disable weak SSL ciphers.

  • Command line management tools: as an alternative to the Admin UI,
    command line tools are provided to allow full programmatic control
    over Access Server configuration, operation, and user management.
  • Branding capabilities:

    1. Organization name and graphic can be customized on web server
    login pages.
    2. Custom icon can be configured for a given Access Server that will
    be visible on the client and can be used to graphically represent
    the Access Server on the client.

Server Bug Fixes:
  • Fixed bug where redirect-gateway was always enabled for Layer 2
    mode, even when explicitly disabled.

Performance Optimizations:
  • Multi-daemon mode allows AS to scale up to the capabilities of multi-core
    hardware by load-balancing incoming client connections across multiple
    OpenVPN daemons.
  • OpenVPN client on Windows is now built with MS Visual C++ for greater
    performance.
  • Improved authentication performance to support a greater number
    of connections per second.

Changes since 1.5.1 include:
  • Fixed openvpn.exe crash caused by autoproxy bug.
  • Bypass routes capability added, supporting IP addresses, subnets, or DNS names (configurable from CLI -- no Admin UI implementation yet).
  • Added a new Admin UI Client Settings checkbox:  "Make User-locked Profiles visible to each user on the Client Web Server" (enabled by default).  By checking this off, the user-locked profiles can be hidden in the CWS.
  • Fixed issue where the client profile generator would raise an exception if the company name was not defined in as.conf.

Installation:

For new installations (not a package upgrade), install the OpenVPN-AS package using the following commands, substituting the filename of the v1.6.1 package you downloaded:

Fedora/RHEL/CentOS:
rpm -i openvpn-as-1.6.1-Fedora9.x86_64.rpm

Ubuntu:
dpkg -i openvpn-as-1.6.1-Ubuntu10.amd_64.deb

After the package is installed, run the "ovpn-init" initialization script:

/usr/local/openvpn_as/bin/ovpn-init

You will be prompted for initial settings for the Admin Web UI networking and for authenticating the administrator. When ovpn-init completes, it displays the URL to use for logging into the Admin Web UI to continue configuring OpenVPN-AS.

Package Upgrades:

When you perform a package upgrade from a previous v1.1.* release and above, your configuration (including all license, certificate and key information) is retained. You do not need to run ovpn-init again after upgrading the package.

If you are upgrading from the Access Server v1.1.*, v1.2.* or v1.3.x release, you only need to install the v1.6.1 package (using dpkg or rpm), for example:

Fedora/RHEL/CentOS:
rpm -U openvpn-as-1.6.1-Fedora9.x86_64.rpm

Ubuntu:
dpkg -i openvpn-as-1.6.1-Ubuntu10.amd_64.deb

Feedback and Support:

We appreciate your feedback on this release. Register and log in at the Support Center to use the support ticketing system.


Known Issues:

Users who upgraded to Access Server 1.5.0 from an earlier version, and who had checked "Deny access to all users not listed above" on the User Permissions page before upgrading, need to do the following after the upgrade to 1.5.0 (this has been corrected in 1.5.4+license):

Stop the Access Server:

/etc/init.d/openvpnas stop

CD to the Access Server script directory:

cd /usr/local/openvpn_as/scripts

Do the following commands:

./confdba -ud -p __DEFAULT__ -k prop_deny

./confdba -um -p __DEFAULT__ -k def_deny -v true

Restart the Access Server:

/etc/init.d/openvpnas start


Copyright (c) 2010 OpenVPN Technologies, Inc. All rights reserved