Access Server Release Notes
OpenVPN Access Server 2.11.3
Release date: 26 January 2023
- Fixed a regression with handling "user data" metadata on new instance launch on Amazon AWS.
OpenVPN Access Server 2.11.2
Release date: 17 January 2023
- Fixed bugs on User Permissions page that affected pagination and could cause unintended changes.
- Fixed a bug where changing a setting on SAML authentication would inadvertently disable it.
- Fixed a bug where a SAML configuration mistake could cause all authentication methods to fail.
- Fixed a bug where an admin user in a non-admin group would not have configured static IP applied.
- Fixed a bug where the real IP of a failed VPN authentication attempt would not be logged.
- Fixed a bug where sacli actions would show in log with an incorrect timestamp.
- Fixed a bug where web session expiration would not work correctly when custom ports were used.
- Added configuration option to increase allowed amount of SQLalchemy connections.
- Added handling to block attempts to login via SAML or PAS only when combined with embedded MFA.
- Added warning on admin UI when administrator tries to configure SAML or PAS only with embedded MFA.
- Improved error handling for incorrect SAML and RADIUS authentication method configuration.
OpenVPN Access Server 2.11.1
Release date: 20 October 2022
- Added support for Red Hat 9.
- Added support for SAML AuthNContext parameter.
- Added support for SAML AuthNForce parameter.
- Added support for SAML group to Access Server group mapping using post_auth scripting.
- Added PAS only authentication method to incorporate custom authentication in post_auth better.
- Added TOTP MFA settings to User and Group Permissions pages in the Admin UI.
- Added sacli support command for easier gathering of log and diagnostic data.
- Fixed a security issue with custom post_auth authentication by implementing PAS only authentication.
- Fixed a security issue with init.log permissions on upgrades.
- Improved upgrade case when External PKI is in use, to ensure TLS Crypt v2 keys are present.
- Improved upgrade case to solve inter-node communication problems when upgrading cluster directly from v2.7.5.
- Improved upgrade case where bootstrap users not listed in User Permissions couldn't login after upgrade.
- Improved user handling in sacli when using TOTP command line functions.
- Improved end-user experience with SAML authentication completed page.
- Improved handling of CAs that use an invalid (negative) serial number.
- Improved status reporting of authentication methods on User and Group Permissions pages in Admin UI.
- Fixed a regression where TLS setting for clients would not be inherited from the server side setting.
- Fixed a regression where exceeding max-clients could crash OpenVPN server daemon.
- Fixed a regression where Disable NetBIOS setting was pushing incorrect parameter.
- Fixed a bug with the SAML on/off toggle in the Authentication settings.
- Fixed a bug where changing autologin permission could reset TOTP MFA.
- Fixed a bug where Token URL import with custom port and service forwarding disabled would fail.
- Fixed a bug with missing dependencies requirements for certain Python3 packages.
- Fixed a bug where SAML and PAS Only authentication methods were not passed to post_auth script.
- Fixed a bug where LDAP reverification for autologin users could cause MFA to be required.
- Fixed a bug where OpenVPN daemon job queue size warning would mention wrong config key.
- Fixed a bug where the most recent event from Log Reports page was not present in CSV file.
- Released bundled clients package v26 with Connect v126.96.36.19906 for macOS.
- Released bundled clients package v27 with Connect v188.8.131.5222 for macOS.
OpenVPN Access Server 2.11.0
Release date: 29 June 2022
- Added SAML authentication support.
- Added openvpn:// URI connection profile import method.
- Added support for Ubuntu 22.04 LTS (Jammy Jellyfish).
- Added multiple thread support for LDAP authentication.
- Added option to use scrypt for local user password hashes.
Bug fixes and improvements:
- Fixed weak PRNG security issue CVE-2022-33738 on the web interface. Thanks to Aliz Hammond of WatchTowr.
- Fixed init.log file permission security issue CVE-2022-33737 for new installs. Thanks to Aliz Hammond of WatchTowr.
- Fixed the amplification attack security issue CVE-2021-4234 in OpenVPN.
- Updated OpenVPN2 core to 2.6_as11.
- Changed Google Authenticator terminology to TOTP MFA.
- Changed cluster admin_c bootstrap PAM user to local user.
- Fixed a bug where OMI communication with OpenVPN daemons could stall.
- Improved logging to include client version details.
- Improved AWS licensing to use RSA 2048 bit certificates.
- Improved compatibility with operating systems running in FIPS restricted mode.
- Removed Get1, Get5, AutoGenerate, and AutoGenerateOnBehalfOf from CLI/API.
- The Get1, Get5, AutoGenerate, and AutoGenerateOnBehalfOf CLI/API functions were deprecated/removed. Automation script may need to be updated.
- For MFA on SAML accounts, please use the SAML IDP's MFA settings. The built-in MFA of Access Server is not supported on SAML accounts.
- When upgrading from version 2.7.5 in a cluster, please reset admin_c password manually. Only applies to upgrades from version 2.7.5 specifically.
- Cluster admin_c bootstrap user was changed from a PAM user to a local user. We recommend to clean up the PAM user account admin_c after upgrade.
- SAML requires OpenVPN Connect v3.3 or a very recent open source OpenVPN client supporting web authentication.
- On AS 2.11.0, AUTH_NULL custom post_auth authentication system doesn't work in cluster mode. This will be restored in a later release.
- On direct upgrades from version 2.7.5 in a cluster, inter-cluster communication breaks down. This can be solved by resetting admin_c user password manually. Only applies to upgrades from version 2.7.5 specifically.
OpenVPN Access Server 2.10.3
Release date: May 10, 2022
- Improved debug logging output for OpenVPN daemons.
- Improved logging by redacting MySQL password from upgrade log output.
- Fixed a regression where a RADIUS healthcheck function would prevent RADIUS from functioning correctly.
- Fixed a regression where the web interface would endlessly redirect.
- Fixed a bug where newly registered users on external authentication would not inherit prop_deny flag.
- Fixed a bug where autologin profile would be removed if permission was revoked on user but still present on group.
- Fixed a bug that could occur on upgrades when LDAP account validity check was explicitly enabled.
- Released bundled clients package v25 with Connect v184.108.40.20668 for macOS.
OpenVPN Access Server 2.10.2
Release date: March 22, 2022
- Dropped support for CentOS 8 due to end-of-life of platform.
- Fixed security issue where empty or no host header could reveal internal IP of server.
- Fixed a regression where web server name defaulted to internal Twisted version.
- Fixed a regression where /robots.txt was malformed.
- Fixed a regression that prevented profile download in combination with Duo post_auth script.
- Fixed a regression that prevented concurrent authentication requests with default settings.
- Fixed a regression where RADIUS accounting start packet was not sent upon VPN connection.
- Fixed a regression where local user could not change password if local is not the default auth method.
- Fixed a regression where data channel cipher was upgraded unintentionally for specific old configurations.
- Fixed a bug in the additional LDAP account validity check for autologin users.
- Fixed a bug where LDAP/RADIUS could inadvertently end up being disabled in the Admin UI.
- Updated Admin UI authentication section and related settings.
- Improved error handling of trying to set local password on non-local account.
- Added status of authentication methods in sacli command line tool.
- Added upgrade debug information by default.
- Released bundled clients package v23 with Connect v220.127.116.1152 for Windows.
- Released bundled clients package v24 with Connect v18.104.22.16810 for macOS.
OpenVPN Access Server 2.10.1
Release date: January 12, 2022
- Fixed an open redirect security issue with the referrer HTTP header.
- Fixed an assertion failed crash in the OpenVPN2 core.
- Fixed a bug where MFA enrollment could be bypassed by an administrative user.
- Fixed a bug where FIPS mode on RedHat, CentOS, and Amazon Linux, would prevent Access Server from working.
- Fixed a bug where the Client Web UI didn't work if XML-RPC and web service forwarding were both turned off.
- Fixed a bug where the Change Password button was visible for externally authenticated users.
- Fixed a bug where unlisted externally authenticated users were added with the 'deny' flag set on them.
- Fixed a bug where session IP lock was still applied in a specific case while this was deprecated.
- Fixed a bug where ovpn-init summary showed wrong username when a custom username was specified.
- Fixed a bug where certain upgrade steps would not run as expected.
- Fixed a bug where configurations using ns external certificate types would no longer work.
- Fixed a bug where TLS security level would not be correctly set to TLS 1.2 in some cases.
- Fixed a bug where a restart notification would not appear on a cluster after configuring RADIUS.
- Updated hashing method for new local user passwords from unsalted SHA256 to salted PBKDF2.
- Improved Admin Web UI by greying out authentication options that are not enabled.
- Improved error handling for the upload function for offline activation.
- Added sacli to path so it can be called from anywhere.
- Added ConfigReplace function to sacli for text-file based configuration dumping and loading.
- Released bundled clients package v22 with Connect v22.214.171.12400 for Windows and Connect v126.96.36.19963 for macOS.
OpenVPN Access Server 2.10.0
Release date: November 25, 2021
- Added feature to use multiple authentication methods, which can be set per user and group. Refer to OpenVPN Access Server's User Authentication System for details.
- Added new internal upgrade tracking logic designed to ensure smoother upgrades in the future.
- Added separate software repository for RHEL 8 operating system.
- Added support for Debian 11 (Bullseye).
- Added field to activation screen to ease offline activation of fixed license keys.
- Added re-verification check on LDAP account validity for autologin accounts.
Bug fixes and improvements:
- Replaced Diffie-Hellman key with recommended DH groups as defined in RFC7919.
- Deprecated default openvpn admin bootstrap account, new installations will use a local admin user.
- Fixed a bug when upgrading from Access Server version 2.6.1 to 2.9.5 and newer.
- Fixed a bug when upgrading with a 9+ year old certificates database.
- Fixed a bug where group assignment would become explicit instead of inheriting default group.
- Fixed a bug where default group dropdown might show different group than the currently set group.
- Fixed a bug where wrong MIME-type was sent when obtaining connection profile via REST API.
- Fixed a bug where ovpn-init picked incorrect option for interface/IP selection.
- Changed default for lockout policy from 3 failed attempts to 5 failed attempts before triggering.
- Changed bootstrap account behavior to no longer bypass MFA or lockout requirements.
- Released bundled clients package v21 with Connect v188.8.131.5262 for Windows and Connect v184.108.40.20625 for macOS.
- Bootstrap accounts now no longer bypass MFA or lockout requirements. If you have MFA enabled globally on your server you may have to enroll bootstrap accounts in MFA on the client web service or disable MFA requirement for that account. On upgrades bootstrap accounts configured in as.conf will continue to authenticate via PAM.
- For RHEL 8 we now use a separate software repository. Use the new repository for installations and upgrades for RHEL8.
- For CentOS 8 we will soon cease to build Access Server releases due to planned EOL of that OS.
- If you choose to use the new multiple authentication methods feature please note that your post_auth scripts may need to be adjusted.
- Duo MFA enrollment message is not shown on admin web service. You may use the client web service or Duo's site to enroll admin users for Duo MFA.
- On AS 2.10.2 and 2.10.3, AUTH_NULL custom post_auth authentication system does not work. This is mostly restored in AS 2.11.0.
OpenVPN Access Server 2.9.6
Release date: November 16, 2021
- Fixed a TLS session token validity period security issue (CVE-2020-15074).
OpenVPN Access Server 2.9.5
Release date: September 23, 2021
- Fixed cross-site scripting security issue CVE-2021-3824 on the web interface. Thanks to Daniel Matsumoto.
- Fixed a bug where VPN connection amount might be miscounted, particularly when RADIUS with external 2FA is used.
- Fixed a bug when a specific web service debug flag was set in as.conf.
- Fixed a bug with certificate check failing when using External PKI.
- Fixed a regression with offline activation on command line.
- Fixed a regression with downloading connection profiles and bundled installers when using host-checking.
- Updated library jQuery to v3.6.0.
- Released bundled clients package v19 with Connect v220.127.116.1100 for macOS.
- Released bundled clients package v20 with Connect v18.104.22.1685 for Windows.
OpenVPN Access Server 2.9.4
Release date: August 19, 2021
- Added ability in admin web interface to configure OpenVPN data channel encryption algorithm.
- Added compatibility option for legacy OpenVPN clients that do not indicate their cipher capability.
- Added ability to specify custom HTTP headers using the command line.
- Improved profile generation (removed blank line) to avoid issue with a specific vendor device.
- Improved speed of sacli command line tool.
- Fixed a bug with unexpected or missing content in web-ssl directory.
- Fixed a bug where auto-login profile generation privilege was not inherited from the default group.
- Fixed a bug with MFA enrollment on the admin web interface in a cluster.
- Fixed a bug with setting the subscription enforcement order configuration key.
- Fixed a bug with setting the subscription connection limit configuration key.
- Fixed a bug with GROUP_SELECT=True in post_auth scripts.
- Fixed a bug with handling certificates that have no common name at all.
- Fixed a bug where heap comparison warning would get logged on too many parallel connections.
- Removed mention of Linux client-side scripting from admin web interface.
- Released bundled clients package v18 with Connect v22.214.171.12424 for macOS.
OpenVPN Access Server 2.9.3
Release date: August 3, 2021
- Changed default TLS rekey value to 1 hour for increased security.
- Improved web interface handling of long names for CA and user management.
- Improved command line tool error handling of incorrect passed flags.
- Fixed a TLS session token validity period security issue.
- Fixed a regression where auto-login users wouldn't get auto-login bundled installers.
- Fixed a regression in XML-RPC API calls used for remote control of the Access Server.
- Fixed an issue where local_cc_limit setting wouldn't work upon a failover event.
- Fixed a regression where the user permissions page would not paginate correctly.
OpenVPN Access Server 2.9.2
Release date: July 8, 2021
- Improved TLS control channel security setting upgrade logic when old configuration is loaded.
- Improved handling of 1024-bit CA. A warning will show how to upgrade to a more secure CA.
- Improved web certificate handling and corrected an issue with (re)loading self-signed certs correctly.
- Improved ovpn-init handling of command line parameters regarding bit-size specification.
- Added ability to require MFA for auto-login profiles - requires Connect v3.3 or recent OpenVPN 2 client.
- Fixed a bug where sacli commands for generating profiles would erroneously generate compat type profiles.
- Fixed a bug with local MySQL database server default socket setting on CentOS/Red Hat OS.
- Fixed a bug with generating correct TLS Cryptv2 profiles for legacy (compat) clients.
- Fixed a bug with MFA when using dynamic challenge and Connect v3.3.
- Fixed a regression when XML-RPC would not work with admin and client web services on separate ports.
- Fixed a regression with MFA enrollment for new users.
- Fixed a regression where auto-login profile generation privilege was not inherited from a group.
- Fixed a regression where certain cleanup tasks after stopping Access Server were not executed.
OpenVPN Access Server 2.9.1
Release date: June 22, 2021
- Fixed a regression with bypass_route setting in user/group properties.
- Fixed a regression where the virtual shared IP would not be correctly cleaned up after a failover event.
- Fixed a bug where the cluster API web service would not adhere to custom cipher suite strings.
- Added a separate setting for the cluster API web service's TLS settings and cipher suite string.
- Improved the default cipher suite string for the web services to be more secure.
- Improved the detection and messaging for missing AES instruction sets.
- Released bundled clients package v17 with Connect v126.96.36.1992 for Windows.
OpenVPN Access Server 2.9.0
Release date: June 15, 2021
- Converted Access Server from Python2 to Python3.
- Added compatibility to run in an operating system with FIPS restricted mode.
- Added ability to generate and download profiles for users from the Admin UI directly.
- Added ability to add comments/device info to profiles that are generated.
- Added capability for Elliptic Curve type VPN and web certificates.
- Added EKU type certificate verification with remote-tls to replace deprecated ns-cert-type.
- Added automatic server CA certificate renewal.
- Added functionality to migrate gracefully to a new PKI structure.
- Added per-device VPN certificate functionality.
- Added support for control channel security TLS-crypt (v1 and v2) which can be used by recent clients.
- Added server-locked v2 profiles, compatible with open source OpenVPN.
- Added functionality that adds all users that log in successfully to User Permissions.
- Added performance warning to status overview when AES hardware acceleration is not present.
- Added separate software repository for Amazon Linux 2 operating system.
Bug fixes and improvements:
- Improved VPN certificate management.
- Improved MySQL connectivity with SSL encryption security and certificates.
- Improved self-signed certificate generation to meet stricter requirements (particularly on macOS).
- Improved database session handling to be more resilient to transient issues.
- Fixed a bug whereby unenrolled Google Authenticator 2FA users could still import profile via REST API.
- Fixed an issue where VPN client had to do 2FA twice in a row with server-locked profiles in a cluster.
- Fixed a bug where blocking a user connected through server-locked profile didn’t stop active connections.
- Fixed an issue where SHA256 fingerprint was not shown correctly on web server certificate overview.
- Fixed a bug where clients with server-locked profiles could not connect if web services were set to TLS 1.3.
- Removed ‘comp-lzo’ setting in profiles with graceful backwards compatibility.
- Removed ‘forward_compatible’ option in profiles in favor of more sensible options to retain compatibility.
- Removed TLS renegotiation capability on all platforms with OpenSSL 1.1.0 or above.
- Updated post_auth scripts to be Python2/Python3 compatible (including Duo Security script).
- Updated LDAP group mapping script to solve issue when LDAP server reports no group name.
- Updated LDAP3 library to version 2.81.
- Updated ovpn-init with more selection options for type of VPN and web certificates.
- Updated OpenVPN2 core to version 2.5.2 plus latest patches.
- Updated End-User License Agreement (EULA).
- Dropped support for operating system Ubuntu 16 due to it being end-of-life.
- Dropped support for operating system Debian 9 due to it being end-of-life.
- For Amazon Linux 2 we now use a separate software repository. Use the new repository for installations and upgrades for Amazon Linux 2.
- MySQL caching_sha2_password or sha256_password functions are not supported on Ubuntu 20 and Debian 10 due to missing support in the distribution provided libraries for MariaDB caused by possible licensing issues in regards to OpenSSL. Normal authentication methods other than those mentioned work as expected. See also this commit.
- Updated End-User License Agreement (EULA). You will be asked to accept again on the Admin UI.
- Post_auth scripts may need to be updated for Python3 compatibility. Scripts on our site are updated.
- This release will update your VPN certificate structure. The upgrade process will take care of this automatically.
- Due to changes to the databases, rolling back from this version to an older version now requires restoring a database backup.
OpenVPN Access Server 2.8.8
Release date: April 21, 2021
- Resolved security issues CVE-2020-36382 and CVE-2020-15077 related to CVE-2020-15078. See also the security advisory.
- Resolved a bug where disabling client certificates would not work.
- Resolved an unnecessary warning message in the log when External PKI was in use.
- Resolved a rare crash of the web services.
- Resolved a bug with querying more than 1000 user records on CentOS 8 when using SQLite databases.
- Improved reliability of connectivity to Subscription licensing system when there are network connectivity problems.
OpenVPN Access Server 2.8.7
Release date: December 8, 2020
- Resolved an activation problem with fixed license keys on Ubuntu 20.
- Resolved missing dependency on CentOS 8 for MySQL/MariaDB operations.
- Added missing capability to select the group itself when granting access to groups.
- Released bundled clients package v16 with Connect v188.8.131.521 for Windows and Connect v184.108.40.20620 for macOS.
OpenVPN Access Server 2.8.6
Release date: August 20, 2020
- Added support for Ubuntu 20.04 LTS (Focal Fossa).
- Added public IP detection logic for Oracle Cloud, to become available in a future image on Oracle.
- Added CLI setting to control whether newest (default) or oldest tunnels get disconnected when exceeding subscription limit. (instructions)
- Resolved a problem where cluster API certificates were not created with 2048 bits.
- Resolved a problem with reporting client_ip_addr using the REST API in combination with Duo Security.
- Submitted a patch upstream to Duo Security to improve handling of missing client_ip_addr on REST API.
- Improved error messages on the Admin UI when common activation problems occur.
- Released bundled clients package v13 with Connect v220.127.116.110 for Windows and Connect v18.104.22.1689 for macOS.
- Released bundled clients package v14 with Connect v22.214.171.1242 for macOS and Connect v126.96.36.199 for Windows and macOS.
- Released bundled clients package v15 with Connect v188.8.131.525 for Windows and Connect v184.108.40.2068 for macOS.
OpenVPN Access Server 2.8.5
Release date: July 2, 2020
- Improved the activation page in the Admin UI.
- Updated jQuery library to v3.5.1 to address a security issue. (CVE-2020-11023)
- Updated Twisted library to v20.3.0.
- Updated Bootstrap library to v4.5.0.
- Released new Connect Client bundled software package (version 12) that includes new OpenVPN Connect 3.2 stable client for Windows and macOS.
OpenVPN Access Server 2.8.4
Release date: June 18, 2020
- Updated the OpenVPN2 core component in Access Server to latest version 2.4.9.
- Improved handling of situations with nodes in different versions on the same cluster (please always update all your nodes to latest version).
- Improved logdba tool with new –jsondict function to show information in JSON dictionaries format.
- Improved minor things in the client and admin web interface.
- Resolved a problem where session token could last longer than intended expiration timeout (CVE-2020-15074). Thanks to Gert Döring for reporting this.
- Resolved the situation where older Connect v2 clients would be unable to login when MFA and LDAP was used.
- Resolved an issue where an activation key could activate on the wrong node in clustering mode.
- Resolved a problem where multiple LDAP referrals were not working properly.
- Resolved an error message on the User Permissions page when in layer 2 bridging mode.
- Resolved a problem with group-to-user and group-to-group access control in the web interface.
- Resolved a problem where a downloaded CSV file from the Log Report page was missing the error column.
OpenVPN Access Server 2.8.3
Release date: March 23, 2020
- Added option to select minimum TLS 1.3 setting when the operating system’s OpenSSL library supports it.
- Resolved a temporary crash of web services if XML-RPC interface was set to full and attacked in specific way (CVE-2020-11462). Thanks to Suslov Maxim for reporting this.
- Resolved a bug on the Advanced VPN page where TLS auth and compression could not be turned back on in the Admin UI.
- Resolved a bug on the Log Reports page where some data would cause the Log Reports page to end the web session.
- Resolved a bug where secondary LDAP server would not be called if first LDAP server timed out.
- Resolved an issue with 1024 bits keys on Debian 10 and CentOS 8 by replacing 1024 bits DH key with 2048 bits DH key.
- Removed UCARP as dependency and bundled own copy so UCARP failover can still work and cloud-init will work normally.
- Released new Connect Client bundled software package (version 7) that includes new OpenVPN Connect 3.1.3 beta client for Windows.
- Released new Connect Client bundled software package (version 8) that includes new OpenVPN Connect 2.7.1 client and 3.1.1 beta client for macOS.
- Released new Connect Client bundled software package (version 9) that includes new OpenVPN Connect 2.7.1 client for Windows.
- Released new Connect Client bundled software package (version 10) that includes new OpenVPN Connect 2.7.1 client for Windows.
- Released new Connect Client bundled software package (version 11) that includes new OpenVPN Connect 2.7.1 client for Windows.
OpenVPN Access Server 2.8.2
Release date: February 26, 2020
- Resolved a problem with LDAP search queries when spaces were used in object names.
- Resolved an issue where assigning static IPv6 addresses to VPN clients could fail.
- Resolved a problem on CentOS 7 and Ubuntu 16 where an upgrade would require a manual start of the Access Server service.
- Released new Connect Client bundled software package (version 6) that includes new OpenVPN Connect 3.1.2 beta client.
OpenVPN Access Server 2.8.1
Release date: February 12, 2020
- Resolved a security flaw in Access Server 2.8.0 when used in combination with an LDAP server for authentication. More details are in our security advisory.
OpenVPN Access Server 2.8.0
Release date: February 6, 2020
Important changes that may require action to resolve after upgrading an existing system to Access Server 2.8.0:
- Access Server 2.8.0 has switched to another LDAP library (Python-LDAP to LDAP3), this can affect post_auth scripting.
- When using LDAP and post_auth scripts, you may find updated post_auth scripts here: post_auth scripting page.
- Removed almost all bundled libraries and instead switched to using operating system provided libraries.
End-of-support for outdated operating systems:
- Dropped support for operating systems Ubuntu 14 (32 bits and 64 bits) due to it being end-of-life since April 30, 2019.
- Dropped support for operating systems Debian 8 (32 bits and 64 bits) due to outdated system libraries.
- Dropped support for operating systems CentOS 6 and Red Hat 6 (32 bits and 64 bits) due to outdated system libraries.
- Dropped support for all other operating systems that are 32 bits. Our focus for AS is on 64 bits operating systems.
Bug fixes and improvements:
- Added support for the CentOS 8 and Red Hat 8 operating systems.
- Certified Access Server for use on the Amazon Linux 2 operating system (version 2.7.5 and higher).
- Certified Access Server for use on the Oracle Cloud platform (version 2.7.5 and higher).
- Added TLS 1.3 support where OpenSSL library in the OS supports TLS 1.3 (centos/redhat8, ubuntu18, debian10) for web services and openvpn daemons.
- Added SNI capability to LDAP authentication backend connectivity required for certain LDAP providers (enabled by default).
- Added the ability to force Access Server to use case-sensitive username matching for LDAP and RADIUS.
- Added support for external IP address detection on Microsoft Azure cloud platform.
- Added a new version of bundled clients package with latest OpenVPN Connect v2 and v3 software.
- Removed mbedTLS support in Access Server, since OpenSSL has proven more stable and secure.
- Improved installation procedure on CentOS so required components are installed along with Access Server.
- Improved uninstallation procedure on CentOS so system service is correctly removed.
- Improved security for cluster communication API credentials.
- Improved tiered licensing support on Amazon AWS to include regions ‘Hong Kong’ and ‘Bahrain’.
- Improved redacting certain sensitive output to log file while using debug flags or failover mode.
- Improved speed of cluster admin UI by removing some unnecessary database calls.
- Improved web service interfaces by solving a number of minor problems.
- Improved handling of malformed license keys – this can no longer cause a crash.
- Improved output of command line installation post-install instructions.
- Improved handling of startup of Access Server when no configuration is present yet.
- Improved backup process to store multiple upgrade backups in timestamped directories.
- Resolved a bug with ‘Get Renewal Keys’ button that would result in error messages.
- Resolved a bug where autologin connections could fail after TLS refresh interval expired.
- Resolved a bug where RADIUS 2FA challenge/response was erroneously asking for ‘Enter Authenticator Code’.
- Resolved a bug where the web interface would not show a custom post_auth 2FA challenge if echo was turned off.
- Resolved a bug with bootstrap user. It is now possible again to start Access Server without any bootstrap user.
- Resolved the ‘MySQL server has gone away’ problem that occurred when MySQL backend was used.
- Resolved the bug where Connect v3 was not offered on the client web service when all other offerings were turned off.
- Resolved the bug where some web browsers could not download the log report from the admin web interface anymore.
- Resolved a bug in UCARP LAN-based failover mode where some settings would not be copied to failover server.
- Resolved a bug in the installation procedure by no longer requiring the presence of the libncurses5 library.
- Resolved a bug with the start/stop server button when Google MFA is switched on.
OpenVPN Access Server 2.7.5
Release date: August 27, 2019
- New beta OpenVPN Connect v3 software for Windows and macOS is now available in the client web interface.
- The OpenVPN Connect v2 client software is also still present as secondary option.
- Control over which clients you wish to offer to your users is available in the CWS Settings page in the Admin UI.
- OpenVPN Access Server and the bundled Connect client software programs are now available as two separate packages.
- Installation of Access Server and related Connect Client software will now happen primarily via an official software repository.
- The software can still be downloaded from our website as two separate packages that belong together.
- A build for the Debian 10 operating system code-named ‘Buster’ has been added.
- A problem with retrieving and activating renewal keys from the Admin UI was resolved.
- The Google Authenticator enrollment was improved. You now have to provide a valid 6 digit code before enrollment is complete.
- The Google Authenticator global on/off setting was moved to the Authentication section in the Admin UI.
- An option was added to the Admin UI to allow users to change their own password in LOCAL authentication mode.
- If enabled, the client web service now allows users to change their own password in LOCAL authentication mode.
- The admin web service and the client web service were updated with a new logo and a new look.
- New options were added in as.conf to control some items that are customizable, like disabling/enabling the footer.
- The bootstrap library was updated to version 4.3.1.
- The jQuery library was updated to version 3.4.1.
- A bug that would not let some users download profiles on the client web service in some extremely rare cases was found and resolved.
- A bug where adding an admin-level user to a non-admin group could result in the user not being joined to the group has been resolved.
- A bug where the sacli IP command no longer functioned has been resolved.
- A bug with the Log Reports page in Internet Explorer has now been resolved.
- A regression where the 24 hour default session token timeout didn’t work correctly has now been resolved.
- Minor various adjustments in the admin and client web services have been made to improve the user experience.
OpenVPN Access Server 2.7.4
Release date: May 14, 2019
- Resolved a problem where upon creating a new cluster, the first node would in some situations still erroneously present itself as standalone node.
- Resolve an upgrade issue where, if the default profile has been deleted, the upgraded server would fail to start the web services properly.
- A related issue where the default profile could not be deleted in 2.7.3 even when it is not in use has also been resolved.
- In cluster mode, the Admin UI could become unavailable if one of the nodes hangs, and this issue is now resolved.
- Added a hint about installing libmysqlclient-dev if it is missing on the system and conversion to MySQL database format is attempted.
- A regression where inter-client connectivity function would not work as expected in stand-alone mode has been resolved.
- Enforced redaction of MySQL DB credentials in log file in all cases even when debug mode is enabled.
- Minor CSS adjustments to the AS cluster mode overview.
OpenVPN Access Server 2.7.3
Release date: March 26, 2019
- Warning: this update changes the database structure of Access Server. Rollbacks are not as simple as before (during upgrade a backup of original database files will still be made, as per usual, so it’s still possible to roll back).
- A first phase implementation of a clustering feature for Access Server is now implemented as an option.
- Multiple access servers can be setup that share the same user database and settings, and users can connect to any of the nodes in the cluster.
- Updated the admin UI further with a modern look.
- Removed the ‘connect’ functionality from the client web interface, because it can no longer be supported in current browsers.
- Added a session-token sharing function so clients connected to a cluster can automatically switch to a next available node in case of a problem.
- Updated the Connect Client for Windows and macOS with session-token sharing functionality.
- The Windows Connect Client has been signed with a new software publisher certificate as the old one had expired.
- DNS server detection in the operating system Ubuntu 18 was broken, this has now been fixed in this release.
- Making changes in the search results of User Permissions is now working properly in this release.
- The default settings for a fresh installation of Access Server is now to listen to all interfaces, but can still be changed to listen to specific interface.
- Fixed a regression where the WINS server fields in Advanced VPN were missing.
- PyOpenSSL, PyRad, and other libraries were updated to modern versions.
- mbedTLS (previously known as PolarSSL) support was dropped in Access Server. Clients can still use it, but the server now relies on just OpenSSL again.
- Builds for Debian 7 have been dropped because that operating system is no longer in support.
- An issue related VPN connectivity from a Windows/macOS client in combination with Google Authenticator and/or LDAP was fixed.
OpenVPN Access Server 2.6.1
Release date: December 11, 2018
- Added Support for secure LDAP and connecting with Google Identity.
- Please note that SSLv2 and SSLv3 support for LDAP connections has been dropped. TLS 1.1 is now the new default.
- In case of communication problems with LDAP server after upgrading, please see documentation for TLS settings for LDAP connectivity.
- Bundled Access Server with new OpenVPN Connect Client for macOS and Windows that can implement a proxy server in the OS.
- Also includes a change in split-DNS handling for macOS to fall in line with our other products.
- Resolved a small issue with DNS default suffix on Windows 10 when the client PC already had a DNS default suffix.
- Updated the Access Server licensing system to be compatible with our improved secure licensing system.
- Disabled compression by default to resolve VORACLE vulnerability (see security advisory regarding VORACLE)
- Resolved a problem with post_auth script and LDAP group mapping that occurred in AS 2.5.3.
- Changed buffer default settings to resolve very slow web interface loading on Amazon AWS in specific circumstances.
- OpenSUSE build support was dropped as of this version of AS.
OpenVPN Access Server 2.5.2
Release date: May 8, 2018
- A problem with VRRP/UCARP LAN-based failover mode in version 2.5 that affected some configurations was resolved.
- Made switching off that type of failover mode easier and better, solving some problems with disabling it.
- Updated OpenVPN Connect Client for Windows version 220.127.116.11 to version 18.104.22.168.
- Updated OpenVPN Connect Client for mac OS version 22.214.171.124 to version 126.96.36.199.
- OpenVPN Connect Client mbedTLS incompatibility with PKI created by OpenSSL 1.1 fixed.
- OpenVPN Connect Client support for ECDSA added.
- Library mbedTLS in OpenVPN Connect Client updated to resolve CVE-2018-0487 vulnerability.
- Problem with excessively long server DNS host name that caused ‘no VPN servers’ message is resolved.
- Issue with TLS key refresh causing a connection failure and reconnect in OpenVPN Connect Client is fixed.
- Fixed and improved client version and platform reporting to server in OpenVPN Connect Client.
- Fixed launch issue on some older Windows platforms when MS Visual C++ redistributable was not present.
OpenVPN Access Server 2.5.0
Release date: February 1, 2018
- Implemented an updated engine for rendering the admin web interface, improved the look, and paved the way for modernizing the web interface.
- The client web interface now defaults to letting users download the required software to their computers instead of using the connect UI by default.
- The connect UI is now considered to be deprecated and to be removed and replaced with a better solution in future releases.
- New OpenVPN Connect Client releases are included in this Access Server release.
- OpenVPN Connect Client for macOS is now properly signed and the issue that existed in the past that prevented this has been resolved.
- OpenVPN Connect Client for Windows now no longer suffers from the unwanted 0.0.0.0/0 default route that Windows added when registering the connection.
- OpenVPN Connect Client for Windows now supports multiple DNS Resolution Zones on Windows client platforms that support NRPT.
- For new installations, AES-256-CBC is now the new default encryption cipher for VPN tunnel data. Existing installations that are upgraded retain their old cipher.
- SSLv2 and SSLv3 support, hidden and deprecated as it was, is now completely removed. Web service defaults to TLS 1.1 now.
- Additional activation servers added for Amazon AWS tiered instances, this allows for tighter security settings on security groups while retaining activation status.
- Library for mbed TLS is now updated to version 2.6.
- OpenVPN 2.4 code now merged into Access Server.
OpenVPN Access Server 2.1.12
Release date: August 30, 2017
- Problems with gaps in sequentially ordered lists of keys in the configuration database are now automatically repaired when using sacli start on the command line.
- TLS level 1.2 for the OpenVPN protocol is labeled the default for new installations. Upgrades of existing installations remain at the previously set level.
- TLS level 1.1 for the web services is labeled the default for new installations. Upgrades of existing installations remain at the previously set level.
- SSLv2 and SSLv3 support has been deprecated and will be removed completely in a future release.
- SSL settings page is now renamed to TLS settings page, since TLS is now the prevalent technology and SSL is phasing out.
- Alias interfaces like eth0:1 and such could not be selected for source NAT outgoing VPN client traffic. This bug has now been fixed.
- An option has been added to completely disable TLS auth. This should only ever be used for compatibility with clients that offer no way to implement TLS auth at all.
OpenVPN Access Server 2.1.9
Release date: June 28, 2017
- Small code improvements, faster response time on web interface.
- Fixed regression with broken overview in current users page.
OpenVPN Access Server 2.1.8
Release date: June 26, 2017
- OpenVPN Connect Client for Windows is signed properly.
- Disabling compression on the server no longer leads to a compression stub error.
- Security fixes for issues reported by Guido Vranken (CVE-2017-7508, CVE-2017-7520, CVE-2017-7521, CVE-2017-7522) and other fixes.
OpenVPN Access Server 2.1.6
Release date: May 25, 2017
- OpenVPN Connect Client for Mac OS X updated to version 188.8.131.52 to address the “error no. 8″ bug that occurred on some systems that have an IPv6 DNS server assigned as primary DNS server.
- OpenVPN Connect Client for Windows updated to version 184.108.40.206 to address the problem where an autologin type profile would endlessly loop in reconnection state when the autologin profile encounters an authorization problem (no longer valid, revoked, and such).
- Access Server web services updated to fix CRLF injection vulnerability CVE-2017-5868 reported by Sysdream Labs.
- Access Server OpenVPN core updated to fix CVE-2017-7478 and CVE-2017-7479 as well as other issues reported by Quarkslab and Cryptography Engineering LLC.
OpenVPN Access Server 2.1.4
Release date: September 30, 2016
- Added MAC address reporting on OpenVPN Connect Client for Windows and macOS.
- Added support for systemd in Ubuntu 16.
OpenVPN Access Server 2.1.2
Release date: June 29, 2016
- Fixed a problem with DNS implementation on the server side where DNS options wouldn’t be pushed if the Windows Networking NETBIOS options was used on the server.
- Fixed OpenSSL memory leak.
- Introduced web session cookie expiration timers and rotation.
- New packages for Ubuntu 16 now available.
OpenVPN Access Server 2.1.1
- Updated OpenSSL to 1.0.2h to fixes a reported security vulnerability in AES-NI.
- Fixed an installation issue in OpenVPN Connect Client where the service component would not start after installation in some specific situations.
- In the web admin interface on the VPN Settings page, added “DNS resolution zones” for setting “dhcp-option DOMAIN …” OpenVPN settings.
- The previous “Default Domain Suffix” field is now used to set the “dhcp-option ADAPTER_DOMAIN_SUFFIX …” OpenVPN setting.
- DNS behavior is now altered since version 2.1.0 of the Access Server. If you encounter problems please review your DNS settings in the admin web interface.
OpenVPN Access Server 2.1.0
- Ensure OpenVPN Connect Client respects the route-metric setting properly to set the metric cost on the VPN interface.
- Small issue in OpenVPN Connect Client for Windows resolved that could break the “Go to <server>” menu command.
- Disable tls-auth when “auth none” is given in config even when “tls-auth” directive is present.
OpenVPN Access Server 2.0.26
- Added capability for licensing system to lock to Amazon AWS instance ID, to provide a little more flexibility when changes are made to an EC2 instance.
- Fixed an issue on Windows 10 where tray icons would not update properly when auto-login profiles are used.
- Fixed Windows 10 DNS issue where Windows would not select DNS server pushed by Access Server.
- Fixed an issue where with specific network configurations, DNS servers would get removed from the network configuration after a disconnect on macOS.
- Access Server 2.0.25 introduced a bug that required FAVOR_LZO=1 for Android/iOS clients to be able to make a connection, this is now resolved.
- Access Server 2.0.25 introduced a bug where a TLS refresh issue could occur with Android/iOS clients, this is now also resolved.
OpenVPN Access Server 2.0.25
- Fixed issue with PolarSSL/mbedTLS that was preventing client connections in some cases.
OpenVPN Access Server 2.0.24
- Fixed potential DoS vulnerability in port-share feature.
- Updated PolarSSL/mbedTLS to 1.3.15.
- Added 3072-bit DH parameters, to allow 3072-bit RSA web certs with ECDH key agreement.
- Added better error reporting when key size is used without matching DH params.
- Enhanced current key sizes supported to include 1024, 2048, 3072, and 4096 bits.
- The AS web interface “Server” header now defaults to “OpenVPN-AS” and can be overridden using the config key cs.web_server_name
- Added 169.254.0.0/16 to the existing set of RFC 1918 subnets considered by the AS to be private.
- Added “X-Frame-Options: SAMEORIGIN” header to all AS Admin UI and CWS pages to prevent click-jacking.
OpenVPN Access Server 2.0.21
- OpenVPN Connect Client for macOS was updated to be compatible with macOS X El Capitan.
OpenVPN Access Server 2.0.20
- Updated OpenSSL to 1.0.2d.
- Updated web CA bundle.
- Added web session timeout parameter “sa.session_expire”.
- Added support for “tls-version-min parameter” in bundled OpenVPN Connect Client for Windows and macOS.
OpenVPN Access Server 2.0.17
- Added support for DH and ECDH ciphersuites on the webservices of the Access Server.
- Turned off RC4 ciphersuites as these are unsafe.
- In OpenSSL mode, allow override of default ciphersuite string with a custom setting.
- Added support for ECDH ciphersuites in the OpenVPN services (DH has always been supported).
- Updated OpenSSL to 1.0.2a.
OpenVPN Access Server 2.0.12
- Updated PolarSSL to fix vulnerability CVE-2015-1182.
OpenVPN Access Server 2.0.11
- Applied fix for CVE-2014-8104 in OpenVPN core that addresses a denial-of-service vulnerability where an authenticated client could stop the server.
- For new generated certs, use SHA256 instead of SHA1 as the cert digest algorithm.
- For new installs, set a default minimum TLS version of 1.0 for the web server. Existing installs can set the minimum TLS version on the SSL Settings page of the Admin UI.
OpenVPN Access Server 2.0.10
- Fixed a bug in 2.0.8 when modifying user permissions that could potentially cause the user to disappear from queries, especially when setting the “Admin” flag on a user.
If affected by this issue, you can repair the DB by using the following command:
/usr/local/openvpn_as/scripts/confdba -u –assign_type
- Enable tls-version-min directive in generated client profiles when “Select minimum TLS protocol version accepted by OpenVPN server” Admin UI setting is changed from its default value.
- Updated PolarSSL to 1.3.8.
- Fixed bridging regression in 2.0.8 where instantiating the bridged tunnel was failing because of the introduction of two separately named openvpn binaries for OpenSSL and PolarSSL.
OpenVPN Access Server 2.0.8
- Updated to OpenSSL 1.0.1h to address security issues.
- Added PolarSSL support as an alternative to OpenSSL for the OpenVPN protocol and integrated web server (In Admin UI, go to Configuration -> SSL Settings page).
- Added options to control minimum SSL/TLS versions for both the OpenVPN protocol and web server.
- Implemented HTTP Proxy support in OpenVPN Connect client on Windows.
- In tray menu, go to Options -> HTTP Proxy -> Set to set the proxy address and port. An auth dialog should pop up if proxy creds are required.
- In OpenVPN Connect clients for Windows and Mac, allow http-proxy and related directives to be specified in imported profiles, for example:
http-proxy ntlm.proxy.tld 3128 auto-nct
- In OpenVPN Connect Windows client, integrated NDIS 6 TAP driver.
- Client will now detect Windows version and install NDIS 5 driver for pre-Vista and NDIS 6 for Vista and higher.
- Fixed bug in OpenVPN Connect clients (Windows and Mac) pertaining to case sensitivity of DNS names.
- In Windows OpenVPN Connect tray client, don’t take focus unless we are raising a dialog.
- Allow control over the visibility of links provided to Client Web Server users (In Admin UI, go to Configuration -> Client Settings page).
- Added pagination support to Admin UI for User Permissions and Revoke Certificates pages. This allows the User Properties and Certificates DBs to potentially scale to millions of rows when the underlying DB engine (e.g. MySQL) supports it.
OpenVPN Access Server 2.0.7
- Updated bundled Windows and Mac clients to OpenSSL 1.0.1g to fix Heartbleed issue.
- Minor NAT/routing iptables fixes.
OpenVPN Access Server 2.0.6
- * Updated OpenSSL to 1.0.1g to fix CVE-2014-0160 Heartbleed vulnerability. This is a critical vulnerability, and all Access Server users are advised to upgrade immediately.
OpenVPN Access Server 2.0.5
- Support NAT vs. routing as a fine-grained property that can apply to individual ACL items.
- Initialize Certificate DB to use 2048-bit RSA keys (increased from 1024) for fresh installs.
- Fixed potential security issue: in some cases, when using Google Authenticator, the Google authenticator secret might be written to the log file.
- On EC2, have ovpn-init automatically determine the public IP address of the instance, for setting the default public hostname. This only works if the instance is launched with a public IP, not when the public IP is attached later on.
- Added support for appliance initialization on the CloudSigma cloud platform.
OpenVPN Access Server 2.0.3
- Extended ACL and DMZ port settings to allow specification of a port range
- Fixed issue where an invalid port (or port range) specified for DMZ in the User Permissions page would be silently ignored, with no error message.
- Added a potential improvement on the iptables rule generation for DNS packets.
- Extended the “Allow Access To these Networks” field in User/Group Permission pages to allow the full route specification syntax supported by the backend, including subnets, services, port ranges, and NAT vs. Routing flag.
- Updated help documentation on admin web interface.
OpenVPN Access Server 2.0.2
- Fixed bug where TLS negotiation broke connections from iOS clients.
OpenVPN Access Server 2.0.1
- Revised user access rule routing implementation to resolve issues on certain systems.
Access Server 2.0.0
- Initial AS IPv6 milestone — IPv4.Addr is now an IPv4/6 discriminated union derived from ovpn3 (swig-wrapped) module.
- Added necessary swig patch to build ovpn3 python module.
- Fix admin web interface cross-site request forgery (CSRF) vulnerability (CVE-2013-2692).
- Added Android and iOS client links to client web interface.
- Fixed issue where pressing logout button from client web interface would raise web exception.
- Add constant-time hash compare for authlocal module.
- Added “proto” parameter to VPNConnect and ovpncli tool, for selecting tcp/udp transport protocol.
- Fixed issue where astatus.py would endlessly ask for EULA agreement.
- Changes made to admin web interface “At a glance” sidebar.
1. To avoid CSRF attacks, start/stop link on Server Status row has been replaced by “More” link which redirects to server status page where server can be started/stopped.
2. Links in “At a glance” sidebar vanish when current page would be the destination of link.
- Update IPv6 AS branch to use Python 2.7.
- Updated most pyovpn dependencies other than Twisted/Nevow — contents of current bundle:
- Build Python with readline support.
- Changed pyovpn version number to 2.0.
- Changed all scripts that reference python version number to use 2.7.
- Fix to generation of iptables rules for DNS traffic:
Because generated iptables rules trap DNS requests early in ASx_IN_PRE chain, if initial call to dns_server_subnets did not reduce the rules to empty, we must instead use the whole list of non-reduced rules, i.e. we cannot reduce them further based on access granted to private subnets or the public internet.
- Added comment in LinuxIPv4Forward to extend to IPv6 so that /proc/sys/net/ipv6/conf/all/forwarding is also set.
- Added CC_CMDS env var for debugging. CC_CMDS is a comma-delimited list of OpenVPN directives (such as iroute) to be appended to client-config list.
- Major IPv6 patch that adds IPv6 tunnel support to AS.
- Added Python-2.7 patch.
- Minor script updates.
- On Admin UI Current Users page, properly show both IPv4 and IPv6 addresses.
- Raised some string length limits from 128 and 256 to 512.
- Moved AS default private subnets to RFC-1918 backwater.
- Fixed regression in usersvc.py related to regeneration of Client object.
- Added post_auth script pasfp.py that shows connecting user, serial number, CN, and SHA1 fingerprint of leaf cert.
- Fixed some instances where transport.write (in Twisted) might be called with a unicode string, causing a Twisted exception. This was likely causing an issue with failover rsync where the ssh password was being passed as unicode to transport.write.
- Minor text updates to Admin UI. Due to IPv6 address notation, ranges should now be delimited by ‘;’ instead of ‘:’.
- Because of tradeoff between Beast mitigation with RC4 and RC4′s own weaknesses, turn off Beast mitigation by default, and change some of the related text in the Admin UI. In particular, Beast flag now defaults to false and is keyed by cs.beast_workaround2
- Added support for OpenVPN tls-version-min directive.
- Removed some debugging and redundant code.
- Added connect_timeout and server_poll_timeout parameters to Connect and VPNConnect methods (and capicli and ovpncli tools).
connect_timeout (optional int|str) : set connection timeout (seconds)
server_poll_timeout (optional int|str) : set server-poll-timeout OpenVPN
parameter (seconds) — the number of seconds to try each remote entry before moving on to the next
- The client backend as.conf can now specify a list of prepend and append config file directives to be applied before and after the config file.
- For example:
prepend_config.3=route 0.0.0.0 0.0.0.0
- Minor change in clisite to use new method IP.is_lo() to test whether address is a loopback address.
- Fixed issue where exceptions in AuthRPCServer._render_finalize were causing server-side stack traces to be sent to client.
- Minor rewording of BEAST option in Admin UI for clarity.
- If vpn.server.routing.snat_source list is non-empty, use it to generate SNAT interface list rather than enum_interfaces