Release Notes v1.7.1

OpenVPN Access Server v1.7.1

RELEASE NOTES

New Changes in 1.7.1:

* Added support for OpenVPN clients built without LZO support (requires that non-LZO-enabled OpenVPN clients are built with the ./configure --enable-lzo-stub option).

* Added boolean config setting (vpn.routing.allow_mcast) to generate iptables rules that allow UDP multicast and IGMP packets to flow freely between clients and server.

* Support 64-bit certificate serial numbers.

* Fixed bug where authentication challenge responses of more than a few characters would fail on the server with an empty username error.

* Fixed bug where clients in a group might not be able to access a gateway, because return routes needed to reach the client were not pushed to the gateway (a gateway is a client that acts as a VPN gateway on behalf of other machines on a LAN).

* Work around issue where DHCP client on Mac OS X was overwriting VPN DNS settings.

* Deal more robustly with session token management.  This should fix the issue where long-term VPN client sessions are broken ~6 hours into the session.

* UCARP failover fix -- robustly handle the case where UCARP virtual IP was not properly removed by previous shutdown.

* Fixed some stability issues in Client Web Server when Access Server is running in External PKI mode.

* Mac OS X client can now report ethernet MAC address to server for host-checking purposes.

* Add error messages for denied (banned) users, revoked certificates, and AS license exceeded failures.

* Improve reporting of connection status in the tray icon.

* If the AS is configured with a hostname and a client tries to access it with an IP address from the browser, redirect to the IP address instead, and vice versa.

* When switching servers, remove the question prompt.

* When switching to a server accessed with an IP address and another server is already connected, don't show the connected status page for the connected server.

New Changes in 1.7.0:

New features:

* Add support for Mac OS X

* Allow users to change servers without reinstalling, by going to the URL of the new Access Server

* Added External PKI support (beta) where the Access Server can be driven by an externally-managed certificate system.

* Post-auth scripts can now initiate a challenge/response authentication handshake.

* Fixed a client issue where CA cert bundles that include a root cert that is also included in the Mozilla trusted cert set would fail to load.

Bugs fixed:

* Inability to connect from the Connect web client when it's accessed using a non-443 port with an IP address.

* It is recommended to disconnect existing connections before switching to a new server that is accessed using an IP address instead of a hostname.

New Changes in 1.6.1:

New feature:

* tray icon will notify user when a software update is available

Bugs fixed:

* using IP address to access Connect

* autologin to regular user switching

* fixed issue where intermediate web CA bundles would fail client validation if the root certificate was absent (issue observed with recent Comodo CA bundles).

* traffic will now pass through venet adapters

New Changes in 1.6.0:

* New Connect client features:

1. Dramatically simplified web-based VPN install and connection.
2. No longer requires .NET libraries.
3. Client download size reduced from 15 to ~5 MB.

If you would like to use the Connect Client after upgrading from a previous version, please follow these instructions:

If you are upgrading your current OpenVPN-AS build to this version, you will need to edit as.conf, which is located in /usr/local/openvpn_as/etc/, and add the following line:

AS_CONNECT=true

After adding that line to your as.conf, you will need to restart OpenVPN-AS by running the following command:

/etc/init.d/openvpnas restart

* Client backend references to AS web server, when a port is not
explicitly specified, will attempt ports 443 then 943.

* Security Fix

* ovpn-init is now run automatically, with default parameters, on
rpm/deb package initial install.  License EULA is now presented
on initial login to Admin UI.

* Client Settings page now supports exporting the complete AS backend
API to admin users (off by default).

* Fixed an issue in client backend where initialization might fail if
the backend started up before the default gateway and DNS servers
were defined.  Now the backend will wait for these resources to
become available.

* Admins can now define a different RADIUS dictionary file than the
default by setting auth.radius.0.dictionary in the config DB.

* Fixed bug in parsing as.conf lines that use "~" as a shortcut for
the package install home.  The bug would trigger an exception
"bogus escape (end of line)" if the home directory contained a
trailing backslash.

* Add options to ./confdba --assign_type to
allow control over marking user properties records as
hidden from the Admin UI:

For example, to hide all users except for root and test from the
Admin UI, use this command:

./confdba -u --assign_type --hide=true --exclude=root,test

or to un-hide all users:

./confdba -u --assign_type --hide=false

* Fixed issue with memory allocation/free in openvpn.exe that could
cause a crash.

* In Admin UI, remove arbitrary 255-character limit on certain input
fields, particularly LDAP settings.

* When authentication fails because of: (a) licensed concurrent
connections exceeded on server, or (b) autologin attempt barred
by user properties record on server, return a human-readable reason
string to client explaining the cause of error.

* Try to fix the issue where admin users are single-instanced by the
AS, preventing concurrent connections by the same user (single
instancing means that every connection by a user will disconnect
previously connected instances of that user).  With this change,
admin users will only be single-instanced if
vpn.client.routing.superuser_c2c_access is true (which is controlled
on the Advanced VPN page under "Allow VPN users with Administrator
privilege to access all VPN client IP addresses").

* AS will now use the system OpenSSL libs when those libs
are >= 0.9.8.  This allows admins to keep OpenSSL up
to date using distro tools, and reduces the need for
OpenVPN Tech to issue an AS update every time that
OpenSSL is updated.

* Don't allow bundled profiles to control extremely security-sensitive
global settings, including 'exec_admin' (allow admin-level scripts)
and 'exec_silent' (run scripts without getting confirmation from
user).

* ovpn-init will now select "openvpn" as the default
AS Admin user, and will advise the user to set a
password for "openvpn" before connecting to the
Admin UI.  Also, the Admin UI and Client UI URLs
are shown at the end of the ovpn-init output.

New Changes since 1.5.5:

Admin UI:

* Fields are now auto-cleared when the 'No' option is selected: (1) in User Permissions for Access Control, Dynamic Address and DMZ, and (2) in Group Permissions for Access Control and Client Scripting. Previously, clearing was done after validation, which caused problems, and not all fields were being cleared.

* Fixed Admin UI issue where new group ACL rule features were being flagged by validation.

Core:

Allow an alternative /etc/hosts path to be specified in as.conf, for example:

etc_hosts=/home/alicebob/pyovpn-build/scripts/hosts

Added new client global setting:

* allow_ssl_v2 (bool, default=False) -- If true, allow connections
to CWS via SSLv2 protocol (potentially insecure).  If false, require
SSLv3 or higher.

New Changes since 1.5.4:

Server:

* The Access Server will now support 2 concurrent connections without
a license.

* LZO compression is now enabled by default.

* Extended the Access Control spec to allow:

1. hostnames from /etc/hosts can be used instead of IP addresses
(but not DNS names due to the security concerns of
configuring the firewall via an insecure protocol such as DNS).

2. ICMP types can be specified using the notation icmp-X where X
is the ICMP type.  For example icmp-echo-request can be added
to an ACL to indicate that pings are allowed.

Example:

+SUBNET:my-host:http,icmp-echo-request

where my-host is defined in /etc/hosts
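The following is an added example, not Access Server's own code, showing why the hostname rule above matters in practice: a small Python parser for rules of the form shown, `+SUBNET:target:service,service`, that resolves a hostname target only through a static /etc/hosts-style table and never through DNS, and that maps `icmp-X` service names to ICMP type numbers. The rule grammar beyond the page's single example, the service-name table and the accepted ICMP names are assumptions made here; the hosts-file content is constructed for the example.

```python
import ipaddress
import re

# Constructed /etc/hosts-style content for this example (not from the release notes).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
10.20.0.15  my-host my-host.lan    # an internal web server
10.20.1.0   lan-net
"""

# Assumed service vocabulary: the page only shows "http"; the real Access
# Server service-name table is not given, so this is a stand-in.
SERVICE_PORTS = {
    "http": ("tcp", 80),
    "https": ("tcp", 443),
    "ssh": ("tcp", 22),
    "dns": ("udp", 53),
}

# Assumed names accepted after the "icmp-" prefix, mapped to ICMP type numbers.
ICMP_TYPES = {
    "echo-reply": 0,
    "destination-unreachable": 3,
    "echo-request": 8,
    "time-exceeded": 11,
}

# +SUBNET:target:svc1,svc2  (grammar generalised from the page's one example)
RULE_RE = re.compile(r"^([+-])([A-Z_]+):([^:\s]+)(?::([^\s]*))?$")


def parse_hosts(text):
    """Build {name: ip-string} from /etc/hosts-style text, ignoring comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        for name in names:
            table.setdefault(name, ip)
    return table


def resolve_target(target, hosts):
    """Turn an ACL target into an ip_network using only the static hosts table.

    DNS is deliberately never consulted: a firewall rule whose meaning can be
    changed by an unauthenticated DNS answer is a rule someone else controls.
    """
    try:
        return ipaddress.ip_network(target, strict=False)
    except ValueError:
        pass
    if target in hosts:
        return ipaddress.ip_network(hosts[target])  # single host -> /32
    raise ValueError(f"{target!r} is neither an IP/subnet nor an /etc/hosts name")


def parse_service(spec):
    """Map 'http' -> ('tcp', 80) and 'icmp-echo-request' or 'icmp-8' -> ('icmp', 8)."""
    if spec.startswith("icmp-"):
        kind = spec[len("icmp-"):]
        if kind.isdigit() and 0 <= int(kind) <= 255:
            return ("icmp", int(kind))
        if kind in ICMP_TYPES:
            return ("icmp", ICMP_TYPES[kind])
        raise ValueError(f"unknown ICMP type {kind!r}")
    if spec in SERVICE_PORTS:
        return SERVICE_PORTS[spec]
    raise ValueError(f"unknown service {spec!r}")


def parse_rule(rule, hosts):
    """Parse one ACL line into a dict; raises ValueError on anything unresolvable."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"malformed rule {rule!r}")
    sign, kind, target, services = m.groups()
    return {
        "allow": sign == "+",
        "kind": kind,
        "network": str(resolve_target(target, hosts)),
        "services": [parse_service(s) for s in services.split(",")] if services else [],
    }


def rule_is_valid(rule, hosts):
    """True if the rule parses and its target resolves without touching DNS."""
    try:
        parse_rule(rule, hosts)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print(parse_rule("+SUBNET:my-host:http,icmp-echo-request", hosts))
    print(rule_is_valid("+SUBNET:intranet.example.com:http", hosts))  # DNS name: rejected
```

A rule whose target is neither an address nor a name from the hosts table is rejected outright rather than looked up; that is the property the release note protects, since an unauthenticated DNS answer must not be able to change what a firewall rule means.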

* Admin UI fixes:

1. Restored compatibility with 1.3.x user-based access control.

2. Fixed issue with Group and User Access Control properties
being sometimes cleared when successive changes are committed.

3. Fixed issue where attempt to delete a group with users attached
would fail validation.

* Added the capability for the server to be remotely controlled via
an XML-RPC over HTTPS port, using either the sacli tool or any
custom XML-RPC client.  For more info, see the section entitled
"Controlling the Access Server API remotely" in the Access Server
Command Line guide.

* When sacli is run locally from a root shell, it is no longer required
that authentication credentials be supplied for each command.  This
behaviour can be disabled by setting local_root_granted_admin=false
in as.conf.

Client:

* Fixed issue where import profile was sometimes raising
an exception that as.conf could not be found.

* Hide profiles that the user doesn't have access to, unless they are
currently connected.

* Importing remote profiles should no longer cause phantom connections
in the Status tab.

* Created a workaround for issue where VPN and web server listen on
different IP addresses, and universal or server-locked profile
access from the client would fail.  To enable the workaround:

Set "cs.ws_direct": "true" to tell the AS to have client profiles
connect directly to web server IP address, without assuming
port sharing or port forwarding of the "Hostname or IP address
setting" on the Server Network Settings page.  This can be done
with the following commands from the scripts directory on the
server:

./sacli --key cs.ws_direct --value true ConfigPut
./sacli start

New Changes to Access Server since 1.5.2:

* RADIUS dual-factor support has been improved:
1. Added support for asynchronous challenge/response
2. Added support for long-timeout servers such as the Phonefactor Agent

* On the client, added a checkbox to cache the password for the duration
of the connection.  This capability can be hidden from users via a
global setting.

* Fixed an issue with the TAP driver update in the MSI installer that
caused the automated update from 1.5.1 -> 1.5.2 to fail.

* Admin UI fix for this error: SESSION ERROR: GuardSession instance has
no attribute 'user_profiles_dict':
internet/defer:102,admin/auserperm:1568 (exceptions.AttributeError)

* Support the pushing of Visual Basic scripts to the Windows client.
Just add these two lines to the beginning of the script:

'!cscript.exe
'EXT vbs

* Fixed a bug that could cause server-locked clients to fail when the AS
is using default self-signed web certs.

* Fixed an issue in client backend where the VPN was failing to start
due to a possible port conflict.

* Added the following commands to be executed by the Windows client on
VPN connection initiation (only when DNS servers are pushed to the client):

net stop dnscache
net start dnscache
ipconfig /flushdns
ipconfig /registerdns

This is intended to fix a Windows issue where pushed DNS servers are not
accepted by the client.

* Increased default Connection Security Refresh parameter to 6 hours
from 1 hour.  Note that this new default only applies to new AS
installs.  AS updates will still use the previously configured value.

New Changes to Access Server since 1.3.5:

Changes to Client:

OpenVPN Access Server 1.5.0 ships with a brand-new client that we've
redeveloped from the ground up. The client is currently available
for Windows and we're in the process of porting it to Mac OS X and
Linux.

  • Fully modern UI with multi-language support.
  • Split-privilege security model, allowing unprivileged local users
    to open and close VPN connections, with privileged operations
    occurring in background processes.
  • Web-browser-like connection interface allowing client to connect to
    an Access Server by simply entering its address into an address bar
    (Of course importing of Access Server profiles or OpenVPN
    configuration files is still fully supported.)
  • Service mode -- client can be configured to connect automatically on
    system startup.
  • Scripting capability -- Access Servers can push scripts to the
    client for execution on VPN connection initiation or shutdown.
    Scripts can be as simple as launching a web page or as complex as
    downloading and installing an application. A security model is
    provided to ensure that scripts are only accepted from trusted
    Access Servers and with explicit user approval.
  • UDP/TCP/HTTP-Proxy fallback support -- client will attempt a UDP
    connection first, fall back to TCP, and then attempt to connect
    through an HTTP proxy.
  • Automatic HTTP proxy detection using WPAD. Automatic detection of
    HTTP Proxy authentication method, with support for Basic, Digest,
    and (Microsoft ISA) NTLM authentication.
  • Support for automated client installer distribution. Client
    installer can be customized by server-side settings, then pushed to
    client machines using MSI application publishing capability such as
    Active Directory publish.
  • Client now supports automated update capability. (Unattended / Attended updates)
  • Locking the VPN client to a specific machine -- two methods are
    provided to ensure that OpenVPN client configurations are locked to
    known hardware, and cannot be copied to unmanaged hardware:

    1. Split privilege model -- under this model, where the end user
    lacks administrative privileges, the user can initiate a VPN
    session even though the OpenVPN client configuration
    (including client certificate/key) are not readable except by a
    local Administrator.

    2. Hardware address ID -- using server-side scripting methods, a VPN
    user can be locked to a specific client machine using the MAC
    address of the machine as a hardware ID.

  • Windows client is now packaged in MSI format (instead of EXE format)
    for greater ease of management and distribution.

New Access Server 1.5.0 Features

  • Group permissions and access control -- user management and access
    control can be streamlined by defining groups and their associated
    access control rules and IP address pools. User assignment to
    groups can be accomplished using the Access Server's integrated user
    properties DB, or via post-authentication attributes provided by
    LDAP or RADIUS. See new "User Permissions" and "Group Permissions"
    pages in Admin UI.
  • Added Active/Standby failover capability, with Ucarp now fully
    integrated with the Access Server. See "Failover" page in Admin
    UI.
  • RADIUS improvements:

    1. Added support for CHAP and MS-CHAP v2 authentication methods.
    2. Added support for Interim-Update accounting records.
    3. Added support for Acct-Input-Gigawords and Acct-Output-Gigawords.

  • Local users authentication. The Access Server can now authenticate
    users using an integrated user properties DB, as an alternative to
    PAM, RADIUS, or LDAP.
  • Certificate Revocation -- Added a new Admin UI page for client
    certificate revocation.
  • Multi-daemon mode -- by default, the Access Server will run multiple
    OpenVPN daemons and load balance connections between them to fully
    utilize multi-core machines.
  • Simultaneously support both TCP and UDP-based VPN connections.
  • A rich server-side scripting capability is provided that allows
    extension of the Access Server authentication model. Scripts can
    accomplish such things as:

    1. Set a connecting user's Access Server group based on LDAP
    group membership for the user.
    2. Set up a dual-authentication system where initial authentication
    is provided by a one-time-password, RADIUS-based token system,
    and then group assignment is provided by LDAP.
    3. Verify that a given Access Server user only logs in using
    a known client machine, by using the MAC address of the client
    machine as a hardware ID.
    4. Verify that a given Access Server user only logs in from a known
    IP address.
    5. Verify that the client machine contains up-to-date applications
    (such as virus checker and other security software) before
    allowing it to connect to the VPN server.

  • The default VPN IP address subnet has been changed to 5.5.0.0/20
    (from 10.8.0.0/24) to reduce the chances of subnet conflicts.
  • Changes to SSL configuration on web servers, as selected on
    Server Network Settings page:

    1. When SSLv3 method is chosen, allow TLS as well.
    2. When SSLv3 or higher method is chosen, disable weak SSL ciphers.

  • Command line management tools: as an alternative to the Admin UI,
    command line tools are provided to allow full programmatic control
    over Access Server configuration, operation, and user management.
  • Branding capabilities:

    1. Organization name and graphic can be customized on web server
    login pages.
    2. Custom icon can be configured for a given Access Server that will
    be visible on the client and can be used to graphically represent
    the Access Server on the client.
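The hardware-ID and known-IP checks described under "Locking the VPN client to a specific machine" above and in items 3 and 4 of the server-side scripting list are shown here as an added example, not as Access Server code: a stand-alone Python decision function of the kind a post-auth script would call. The `check_client` function, the `POLICY` table and its MAC addresses and networks are hypothetical and constructed for this example; the page does not give the post-auth script API, so nothing here mirrors it.

```python
import ipaddress
import re

# Hypothetical policy table, constructed for this example: for each VPN user,
# the hardware IDs (MAC addresses) and source networks the user may log in from.
POLICY = {
    "alice": {
        "macs": {"00:11:22:33:44:55"},
        "networks": ["203.0.113.0/24"],
    },
    "bob": {
        "macs": {"66:77:88:99:aa:bb", "66-77-88-99-AA-BC"},
        "networks": ["198.51.100.0/24", "203.0.113.0/24"],
    },
}


def normalize_mac(mac):
    """Canonicalise 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or 'aa:bb:...' to
    lowercase colon-separated form; returns None unless exactly 12 hex digits remain."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac or "").lower()
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def check_client(username, reported_mac, source_ip, policy=POLICY):
    """Hypothetical post-auth decision: returns (allowed, reason).

    Deny by default: a user with no policy entry, a missing or malformed
    hardware ID, an unregistered hardware ID, or a login from outside the
    user's known networks is refused, with a reason string for the log.
    """
    entry = policy.get(username)
    if entry is None:
        return False, "user has no hardware/IP policy"
    mac = normalize_mac(reported_mac)
    if mac is None:
        return False, "hardware ID missing or malformed"
    if mac not in {normalize_mac(m) for m in entry["macs"]}:
        return False, "hardware ID not registered for user"
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "source address malformed"
    if not any(addr in ipaddress.ip_network(net) for net in entry["networks"]):
        return False, "source address outside known networks"
    return True, "ok"


if __name__ == "__main__":
    for user, mac, ip in [
        ("alice", "00-11-22-33-44-55", "203.0.113.7"),   # allowed
        ("alice", "00:11:22:33:44:55", "198.51.100.9"),  # wrong network
        ("bob", "", "198.51.100.9"),                     # no hardware ID
        ("carol", "00:11:22:33:44:55", "203.0.113.7"),   # unknown user
    ]:
        print(user, ip, check_client(user, mac, ip))
```

The MAC address is reported by the client (the 1.7.1 notes above say the Mac OS X client now reports it for host-checking), so this check raises the cost of reusing a copied profile on unmanaged hardware but is not a cryptographic binding; the page lists it as a second method beside the split-privilege model rather than as a replacement for it. Every refusal carries a distinct reason so that the server log can distinguish a misconfigured user from a profile being used where it should not be.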

Server Bug Fixes:

  • Fixed bug where redirect-gateway was always enabled for Layer 2
    mode, even when explicitly disabled.

Performance Optimizations:

  • Multi-daemon mode allows AS to scale up to the capabilities of multi-core
    hardware by load-balancing incoming client connections across multiple
    OpenVPN daemons.
  • OpenVPN client on Windows is now built with MS Visual C++ for greater
    performance.
  • Improved authentication performance to support a greater number
    of connections per second.

Changes since 1.5.1 include:

  • Fixed openvpn.exe crash caused by autoproxy bug.
  • Bypass routes capability added, supporting IP addresses, subnets, or DNS names (configurable from CLI -- no Admin UI implementation yet).
  • Added a new Admin UI Client Settings checkbox:  "Make User-locked Profiles visible to each user on the Client Web Server" (enabled by default).  By checking this off, the user-locked profiles can be hidden in the CWS.
  • Fixed issue where the client profile generator would raise an exception if the company name was not defined in as.conf.

Installation:

For new installations (not a package upgrade), install the OpenVPN-AS package using the following commands, substituting the filename of the v1.6.1 package you downloaded:

Fedora/RHEL/CentOS:
rpm -i openvpn-as-1.6.1-Fedora9.x86_64.rpm

Ubuntu:
dpkg -i openvpn-as-1.6.1-Ubuntu10.amd_64.deb

After the package is installed, run the "ovpn-init" initialization script:

/usr/local/openvpn_as/bin/ovpn-init

You will be prompted for initial settings for the Admin Web UI networking and for authenticating the administrator. When ovpn-init completes, it displays the URL to use for logging into the Admin Web UI to continue configuring OpenVPN-AS.

Package Upgrades:

When you perform a package upgrade from a previous v1.1.* release and above, your configuration (including all license, certificate and key information) is retained. You do not need to run ovpn-init again after upgrading the package.

If you are upgrading from the Access Server v1.1.*, v1.2.* or v1.3.x release, you only need to install the v1.6.1 package (using dpkg or rpm), for example:

Fedora/RHEL/CentOS:
rpm -U openvpn-as-1.6.1-Fedora9.x86_64.rpm

Ubuntu:
dpkg -i openvpn-as-1.6.1-Ubuntu10.amd_64.deb

Feedback and Support:

We appreciate your feedback on this release. Register and log in at the Support Center to use the support ticketing system.

Known Issues:

Users who upgraded to Access Server 1.5.0 from an earlier version, and who had checked "Deny access to all users not listed above" on the User Permissions page before upgrading, need to do the following after the upgrade to 1.5.0 (this has been corrected in 1.5.4+license):

Stop the Access Server:

/etc/init.d/openvpnas stop

Change to the Access Server script directory:

cd /usr/local/openvpn_as/scripts

Run the following commands:

./confdba -ud -p __DEFAULT__ -k prop_deny

./confdba -um -p __DEFAULT__ -k def_deny -v true

Restart the Access Server:

/etc/init.d/openvpnas start

Copyright (c) 2010 OpenVPN Technologies, Inc. All rights reserved