
OpenVPN Access Server Beta Program

Introduction

For our enthusiastic users we offer the option of downloading beta releases of Access Server when they are available. We normally produce development builds internally and test them rigorously until we arrive at a build that we consider ready for release but that still requires some final in-the-field testing. Some of our regular customers have expressed an avid interest in accessing these release candidate builds, so we have created a beta program for OpenVPN Access Server. No special membership is required. These builds function just like the ordinary releases: they work even without a license key, allowing 2 connections (or as many as you are licensed for, if you want to test on a production system). The caveat is that, since this is beta software, the product may still contain some unforeseen bugs.

Legal information

Our normal software license agreement for OpenVPN Access Server applies to the beta releases, along with a warning: since this is beta software, you should not expect production-level performance from the beta builds. In other words, we take no responsibility if the server crashes because of an installation of a beta build of OpenVPN Access Server. Having said that, we do of course do our best to ensure that the product performs as expected.

To clarify: these builds are not for production use, and if you use them in production you do so at your own risk. People seeking to upgrade Access Server to the latest stable release should go here:

Beta release notes for Access Server 2.5.3

  • This release includes various TLS improvements for LDAPS-based connections (please see the LDAP documentation for the full syntax):
    • SASL EXTERNAL bind support via the "sasl_external" directive.
    • Manual TLS cipher selection via the "ssl_ciphers" directive.
    • Minimum TLS version requirement via the "min_ssl" directive (supported: TLS 1.0, TLS 1.1, TLS 1.2).
    • LDAP StartTLS support via the "start_ssl" directive.
    • SSL certificate validation now defaults to an internal CA bundle at /usr/local/openvpn_as/etc/cacert.pem (this corresponds to "ssl_verify" set to "internal"). If a self-signed certificate is to be used, "ssl_verify" will need to be set to "never", which disables SSL certificate validation.
    • SSL peer certificate authentication via the "ssl_auth_cert" and "ssl_auth_key" parameters. Both values need to be set for certificate authentication to be used. Each value must be a path, readable by Access Server, to a PEM-based certificate or key.
    • SSL certificate validation via the "ssl_ca_dir" directive. This can be used in lieu of the default "ssl_ca_cert" parameter if a folder containing the appropriate certificates is to be used instead.

Beta release notes for Access Server 2.6.beta.2 (cluster release)

  • This beta release is not suitable for AWS tiered instance licensing instances; please take this into account when testing.
  • The biggest feature update is support for clustering mode. This will be further explained in our documentation (coming soon).
  • The admin web UI has been updated further. This is an ongoing process to improve its functionality and looks.

Downloads overview, AS 2.5.3

Downloads overview, AS 2.6.beta.2 (cluster release)

Installation instructions

If you are currently running a failover setup, you should not install the 2.6 beta of Access Server. This is a beta release, so stability cannot yet be guaranteed, while a failover setup is designed primarily for stability. There is also a known issue when installing this version as an upgrade to a failover system. This will be resolved in a future release so that a failover system can be upgraded to a cluster build, but currently this is not yet possible. Other than that, installation (for both the 2.5 and 2.6 betas) is the same as for any Access Server installation. Since the beta is only available as a separate package installer file and not as a whole appliance, we refer you to the instructions on how to install Access Server on any supported Linux operating system. Note that the commands used in the installation procedure on the page linked below will also detect an existing installation and start an upgrade procedure, keeping existing configuration settings intact.

Instructions on setting up a cluster on the new beta build:

Feedback

Obviously, the whole point of this is to get feedback from our users, to learn what you, our customers, want to see, and to hear about any problems you may find. You can reach us best at our support ticket system. Please take care to tell us that your feedback is about the beta release and not about the stable release!
