
Access Server 2.0 versions

  • Added capability for licensing system to lock to Amazon AWS instance ID, to provide a little more flexibility when changes are made to an EC2 instance.

  • Fixed an issue on Windows 10 where tray icons would not update properly when auto-login profiles are used.

  • Fixed Windows 10 DNS issue where Windows would not select DNS server pushed by Access Server.

  • Fixed an issue where with specific network configurations, DNS servers would get removed from the network configuration after a disconnect on macOS.

  • Access Server 2.0.25 introduced a bug that required FAVOR_LZO=1 for Android/iOS clients to be able to connect; this is now resolved.

  • Access Server 2.0.25 introduced a bug where a TLS refresh issue could occur with Android/iOS clients; this is also resolved.

  • Fixed issue with PolarSSL/mbedTLS that was preventing client connections in some cases.

  • Fixed potential DoS vulnerability in port-share feature.

  • Updated PolarSSL/mbedTLS to 1.3.15.

  • Added 3072-bit DH parameters so that 3072-bit RSA web certs can be used with Diffie-Hellman (DHE) key agreement. The DH parameters must match the key size; ECDH ciphersuites use named curves and do not need them.

  • Added better error reporting when key size is used without matching DH params.

  • Enhanced current key sizes supported to include 1024, 2048, 3072, and 4096 bits.

  • The AS web interface “Server” header now defaults to “OpenVPN-AS” and can be overridden using the config key cs.web_server_name.

  • Added 169.254.0.0/16 (the link-local range, RFC 3927) to the existing set of RFC 1918 subnets that the AS treats as private.

  • Added “X-Frame-Options: SAMEORIGIN” header to all AS Admin UI and CWS pages to prevent click-jacking.

  • OpenVPN Connect Client for macOS was updated to be compatible with macOS X El Capitan.

  • Updated OpenSSL to 1.0.2d.

  • Updated web CA bundle.

  • Added web session timeout parameter “sa.session_expire”.

  • Added support for “tls-version-min parameter” in bundled OpenVPN Connect Client for Windows and macOS.

  • Added support for DH and ECDH ciphersuites on the webservices of the Access Server.

  • Turned off RC4 ciphersuites as these are unsafe.

  • In OpenSSL mode, allow override of default ciphersuite string with a custom setting.

  • Added support for ECDH ciphersuites in the OpenVPN services (DH has always been supported).

  • Updated OpenSSL to 1.0.2a.

  • Updated PolarSSL to fix vulnerability CVE-2015-1182.

  • Applied fix for CVE-2014-8104 in OpenVPN core that addresses a denial-of-service vulnerability where an authenticated client could stop the server.

  • For new generated certs, use SHA256 instead of SHA1 as the cert digest algorithm.

  • For new installs, set a default minimum TLS version of 1.0 for the web server. Existing installs can set the minimum TLS version on the SSL Settings page of the Admin UI.

  • Fixed a bug in 2.0.8 when modifying user permissions that could potentially cause the user to disappear from queries, especially when setting the “Admin” flag on a user.

    If affected by this issue, you can repair the DB by using the following command:

    /usr/local/openvpn_as/scripts/confdba -u --assign_type
  • Enable tls-version-min directive in generated client profiles when “Select minimum TLS protocol version accepted by OpenVPN server” Admin UI setting is changed from its default value.

  • Updated PolarSSL to 1.3.8.

  • Fixed bridging regression in 2.0.8 where instantiating the bridged tunnel was failing because of the introduction of two separately named openvpn binaries for OpenSSL and PolarSSL.

  • Updated to OpenSSL 1.0.1h to address security issues.

  • Added PolarSSL support as an alternative to OpenSSL for the OpenVPN protocol and integrated web server (In Admin UI, go to Configuration -> SSL Settings page).

  • Added options to control minimum SSL/TLS versions for both the OpenVPN protocol and web server.

  • Implemented HTTP Proxy support in OpenVPN Connect client on Windows.

  • In tray menu, go to Options -> HTTP Proxy -> Set to set the proxy address and port.  An auth dialog should pop up if proxy creds are required.

  • In OpenVPN Connect clients for Windows and Mac, allow http-proxy and related directives to be specified in imported profiles.

    Example 1.

    http-proxy ntlm.proxy.tld 3128 auto-nct
    <http-proxy-user-pass>
    myusername
    mypassword
    </http-proxy-user-pass>

    Note that the closing tag must be </http-proxy-user-pass>. The credentials are stored in the profile in plaintext, so protect the profile file accordingly; “auto-nct” selects the proxy authentication method automatically but refuses methods that would send the password in cleartext.



  • In OpenVPN Connect Windows client, integrated NDIS 6 TAP driver.

  • Client will now detect Windows version and install NDIS 5 driver for pre-Vista and NDIS 6 for Vista and higher.

  • Fixed bug in OpenVPN Connect clients (Windows and Mac) pertaining to case sensitivity of DNS names.

  • In Windows OpenVPN Connect tray client, don’t take focus unless we are raising a dialog.

  • Allow control over the visibility of links provided to Client Web Server users (In Admin UI, go to Configuration -> Client Settings page).

  • Added pagination support to Admin UI for User Permissions and Revoke Certificates pages.  This allows the User Properties and Certificates DBs to potentially scale to millions of rows when the underlying DB engine (e.g. MySQL) supports it.

  • Updated bundled Windows and Mac clients to OpenSSL 1.0.1g to fix Heartbleed issue.

  • Minor NAT/routing iptables fixes.

  • Updated OpenSSL to 1.0.1g to fix CVE-2014-0160 Heartbleed vulnerability. This is a critical vulnerability, and all Access Server users are advised to upgrade immediately.

  • Support NAT vs. routing as a fine-grained property that can apply to individual ACL items.

  • Initialize Certificate DB to use 2048-bit RSA keys (increased from 1024) for fresh installs.

  • Fixed potential security issue: in some cases, when using Google Authenticator, the Google authenticator secret might be written to the log file.

  • On EC2, have ovpn-init automatically determine the public IP address of the instance, for setting the default public hostname. This only works if the instance is launched with a public IP, not when the public IP is attached later on.

  • Added support for appliance initialization on the CloudSigma cloud platform.

  • Extended ACL and DMZ port settings to allow specification of a port range.

  • Fixed issue where an invalid port (or port range) specified for DMZ in the User Permissions page would be silently ignored, with no error message.

  • Added a potential improvement on the iptables rule generation for DNS packets.

  • Extended the “Allow Access To these Networks” field in User/Group Permission pages to allow the full route specification syntax supported by the backend, including subnets, services, port ranges, and NAT vs. Routing flag.

  • Updated help documentation on admin web interface.

  • Fixed bug where TLS negotiation broke connections from iOS clients.

  • Revised user access rule routing implementation to resolve issues on certain systems.

  • Initial AS IPv6 milestone — IPv4.Addr is now an IPv4/6 discriminated union derived from ovpn3 (swig-wrapped) module.

  • Added necessary swig patch to build ovpn3 python module.

  • Fix admin web interface cross-site request forgery (CSRF) vulnerability (CVE-2013-2692).

  • Added Android and iOS client links to client web interface.

  • Fixed issue where pressing logout button from client web interface would raise web exception.

  • Add constant-time hash compare for authlocal module.
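
    The constant-time compare mentioned above, worked through as an added example (written here for Python 3, not code from the Access Server authlocal module, whose schema, iteration count and store layout are assumptions for the example). The early-exit compare returns as soon as one byte differs, so its running time grows with the length of the matching prefix; the instrumented version returns how many bytes it examined so the leak is visible without timing measurements. The hardened verifier uses hmac.compare_digest and runs the same PBKDF2 work for unknown users so that the timing does not reveal whether an account exists.

```python
"""Constant-time comparison for a local password store (added example)."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumption for the example only; not the Access Server setting.
PBKDF2_ITERATIONS = 100_000


def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) suitable for storing; salt is random unless supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def naive_equal(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Early-exit comparison (the vulnerable pattern).

    Returns (equal, bytes_examined). The second value is what leaks: it grows
    with the length of the prefix that matches, and so does the running time.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Compare two digests in time that does not depend on where they differ."""
    return hmac.compare_digest(a, b)


# Constructed sample store: username -> (salt, digest). Fixed salt so the
# example is reproducible; a real store uses a random salt per record.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
STORE: Dict[str, Tuple[bytes, bytes]] = {"alice": make_record("correct horse", _SALT)}
_DUMMY = (_SALT, b"\x00" * 32)


def verify_password(store: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> bool:
    """Authenticate against the store with a constant-time digest compare.

    An unknown user is still run through PBKDF2 against a dummy record so the
    response time does not reveal whether the account exists.
    """
    salt, stored = store.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return username in store and constant_time_equal(candidate, stored)


def prefix_leak_demo() -> Tuple[int, int]:
    """Show the leak: flip the first byte versus the 17th byte of the stored
    digest and report how many bytes naive_equal examined in each case."""
    _, stored = STORE["alice"]
    wrong_at_0 = bytes([stored[0] ^ 1]) + stored[1:]
    wrong_at_16 = stored[:16] + bytes([stored[16] ^ 1]) + stored[17:]
    steps_0 = naive_equal(stored, wrong_at_0)[1]
    steps_16 = naive_equal(stored, wrong_at_16)[1]
    return steps_0, steps_16  # -> (1, 17)


if __name__ == "__main__":
    print("naive compare examined bytes (mismatch at 0, at 16):", prefix_leak_demo())
    print("alice/correct horse:", verify_password(STORE, "alice", "correct horse"))
    print("alice/wrong:", verify_password(STORE, "alice", "wrong"))
    print("bob/correct horse:", verify_password(STORE, "bob", "correct horse"))
```

    The same rule applies to any secret compared on the server side, such as session tokens and one-time codes, not only password digests.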

  • Added “proto” parameter to VPNConnect and ovpncli tool, for selecting tcp/udp transport protocol.

  • Fixed issue where astatus.py would endlessly ask for EULA agreement.

  • Changes made to admin web interface “At a glance” sidebar.

    1. To avoid CSRF attacks, start/stop link on Server Status row has been replaced by “More” link which redirects to server status page where server can be started/stopped.

    2. Links in “At a glance” sidebar vanish when current page would be the destination of link.

  • Update IPv6 AS branch to use Python 2.7.

  • Updated most pyovpn dependencies other than Twisted/Nevow — contents of current bundle:

    bison-2.4.tar.bz2

    boost_1_53_0.tar.gz

    bridge-utils-jy-1.5.tar.gz

    cyrus-sasl-2.1.26.tar.gz

    flex-2.5.35.tar.bz2

    libpcap-1.3.0.tar.gz

    linet-1.0.tar.gz

    lzo-2.06.tar.gz

    m4-1.4.13.tar.bz2

    MySQL-python-1.2.4b4.tar.gz

    Nevow-0.10.0.tar.gz

    openldap-2.4.35.tgz

    openssl-1.0.1e.tar.gz

    openvpn-2.3_as1.tar.gz

    openvpn3.tar.gz

    pcre-8.32.tar.gz

    pycrypto-2.6.tar.gz

    pyOpenSSL-0.10.tar.gz

    pyovpnc-1.2.tar.gz

    pyovpn.tgz

    pyrad-1.1.tar.gz

    Python-2.7.4.tgz

    python-ldap-2.4.10.tar.gz

    readline-6.2.tar.gz

    setuptools-0.6c11.tar.gz

    snappy-1.1.0.tar.gz

    SQLAlchemy-0.7.10.tar.gz

    sqlite-autoconf-3071602.tar.gz

    swig-2.0.9.tar.gz

    tcl8.5.5-src.tar.gz

    termcap-1.3.1.tar.gz

    tidy-20090316.tar.gz

    Twisted-9.0.0.tar.bz2

    ucarp-1.5.2.tar.gz

    uTidylib-0.2.tar.gz

    zope.interface-3.3.0.tar.gz

  • Build Python with readline support.

  • Changed pyovpn version number to 2.0.

  • Changed all scripts that reference python version number to use 2.7.

  • Fix to generation of iptables rules for DNS traffic:

    Because the generated iptables rules trap DNS requests early in the ASx_IN_PRE chain, if the initial call to dns_server_subnets does not reduce the rules to an empty set, the whole list of non-reduced rules must be used instead; they cannot be reduced further based on the access granted to private subnets or the public internet.

  • Added comment in LinuxIPv4Forward to extend to IPv6 so that /proc/sys/net/ipv6/conf/all/forwarding is also set.

  • Added CC_CMDS env var for debugging.  CC_CMDS is a comma-delimited list of OpenVPN directives (such as iroute) to be appended to client-config list.

  • Major IPv6 patch that adds IPv6 tunnel support to AS.

  • Added Python-2.7 patch.

  • Minor script updates.

  • On Admin UI Current Users page, properly show both IPv4 and IPv6 addresses.

  • Raised some string length limits from 128 and 256 to 512.

  • Moved AS default private subnets to RFC-1918 backwater.

  • Fixed regression in usersvc.py related to regeneration of Client object.

  • Added post_auth script pasfp.py that shows connecting user, serial number, CN, and SHA1 fingerprint of leaf cert.

  • Fixed some instances where transport.write (in Twisted) might be called with a unicode string, causing a Twisted exception. This was likely causing an issue with failover rsync where the ssh password was being passed as unicode to transport.write.

  • Minor text updates to Admin UI. Due to IPv6 address notation, ranges should now be delimited by ‘;’ instead of ‘:’.

  • Because of the tradeoff between BEAST mitigation (which prefers RC4) and RC4's own weaknesses, BEAST mitigation is now turned off by default, and some of the related text in the Admin UI has been changed. In particular, the BEAST flag now defaults to false and is keyed by cs.beast_workaround2.

  • Added support for OpenVPN tls-version-min directive.

  • Removed some debugging and redundant code.

  • Added connect_timeout and server_poll_timeout parameters to Connect and VPNConnect methods (and capicli and ovpncli tools).

    connect_timeout (optional int|str): connection timeout, in seconds.

    server_poll_timeout (optional int|str): sets the OpenVPN server-poll-timeout parameter, in seconds; the number of seconds to try each remote entry before moving on to the next.

  • The client backend as.conf can now specify a list of prepend and append config file directives to be applied before and after the config file.

    Example 2.

    [capi]
    prepend_config.0=route-method exe
    prepend_config.1=route-delay 30
    prepend_config.2=route-metric 512
    prepend_config.3=route 0.0.0.0 0.0.0.0



  • Minor change in clisite to use new method IP.is_lo() to test whether address is a loopback address.

  • Fixed issue where exceptions in AuthRPCServer._render_finalize were causing server-side stack traces to be sent to client.

  • Minor rewording of BEAST option in Admin UI for clarity.

  • If the vpn.server.routing.snat_source list is non-empty, use it to generate the SNAT interface list rather than enum_interfaces.