Access Server Release Notes

Release notes for OpenVPN Access Server 2.8.6

Release date: August 20, 2020

  • Added support for Ubuntu 20.04 LTS (Focal Fossa).
  • Added public IP detection logic for Oracle Cloud, to become available in a future image on Oracle.
  • Added CLI setting to control whether newest (default) or oldest tunnels get disconnected when exceeding subscription limit. (instructions)
  • Resolved a problem where cluster API certificates were not created with 2048 bits.
  • Resolved a problem with reporting client_ip_addr using the REST API in combination with Duo Security.
  • Submitted a patch upstream to Duo Security to improve handling of missing client_ip_addr on REST API.
  • Improved error messages on the Admin UI when common activation problems occur.
  • Released bundled clients package v13 with Connect v3.1.1.1180 for Windows and Connect v3.2.2.1899 for mac OS.

Release notes for OpenVPN Access Server 2.8.5

Release date: July 2, 2020

  • Improved the activation page in the Admin UI.
  • Updated jQuery library to v3.5.1 to address a security issue. (CVE-2020-11023)
  • Updated Twisted library to v20.3.0.
  • Updated Bootstrap library to v4.5.0.
  • Released new Connect Client bundled software package (version 12) that includes new OpenVPN Connect 3.2 stable client for Windows and macOS.

Release notes for OpenVPN Access Server 2.8.4

Release date: June 18, 2020

  • Updated the OpenVPN2 core component in Access Server to latest version 2.4.9.
  • Improved handling of situations with nodes in different versions on the same cluster (please always update all your nodes to latest version).
  • Improved logdba tool with new –jsondict function to show information in JSON dictionaries format.
  • Improved minor things in the client and admin web interface.
  • Resolved a problem where session token could last longer than intended expiration timeout (CVE-2020-15074). Thanks to Gert Döring for reporting this.
  • Resolved the situation where older Connect v2 clients would be unable to login when MFA and LDAP was used.
  • Resolved an issue where an activation key could activate on the wrong node in clustering mode.
  • Resolved a problem where multiple LDAP referrals were not working properly.
  • Resolved an error message on the User Permissions page when in layer 2 bridging mode.
  • Resolved a problem with group-to-user and group-to-group access control in the web interface.
  • Resolved a problem where a downloaded CSV file from the Log Report page was missing the error column.

Release notes for OpenVPN Access Server 2.8.3

Release date: March 23, 2020

  • Added option to select minimum TLS 1.3 setting when the operating system’s OpenSSL library supports it.
  • Resolved a temporary crash of web services if XML-RPC interface was set to full and attacked in specific way (CVE-2020-11462). Thanks to Suslov Maxim for reporting this.
  • Resolved a bug on the Advanced VPN page where TLS auth and compression could not be turned back on in the Admin UI.
  • Resolved a bug on the Log Reports page where some data would cause the Log Reports page to end the web session.
  • Resolved a bug where secondary LDAP server would not be called if first LDAP server timed out.
  • Resolved an issue with 1024 bits keys on Debian 10 and CentOS 8 by replacing 1024 bits DH key with 2048 bits DH key.
  • Removed UCARP as dependency and bundled own copy so UCARP failover can still work and cloud-init will work normally.
  • Released new Connect Client bundled software package (version 7) that includes new OpenVPN Connect 3.1.3 beta client for Windows.
  • Released new Connect Client bundled software package (version 8) that includes new OpenVPN Connect 2.7.1 client and 3.1.1 beta client for macOS.
  • Released new Connect Client bundled software package (version 9) that includes new OpenVPN Connect 2.7.1 client for Windows.
  • Released new Connect Client bundled software package (version 10) that includes new OpenVPN Connect 2.7.1 client for Windows.
  • Released new Connect Client bundled software package (version 11) that includes new OpenVPN Connect 2.7.1 client for Windows.

Release notes for OpenVPN Access Server 2.8.2

Release date: February 26, 2020

  • Resolved a problem with LDAP search queries when spaces were used in object names.
  • Resolved an issue where assigning static IPv6 addresses to VPN clients could fail.
  • Resolved a problem on CentOS 7 and Ubuntu 16 where an upgrade would require a manual start of the Access Server service.
  • Released new Connect Client bundled software package (version 6) that includes new OpenVPN Connect 3.1.2 beta client.

Release notes for OpenVPN Access Server 2.8.1

Release date: February 12, 2020

  • Resolved a security flaw in Access Server 2.8.0 when used in combination with an LDAP server for authentication. More details are in our security advisory.

Release notes for OpenVPN Access Server 2.8.0

Release date: February 6, 2020

Important changes that may require action to resolve after upgrading an existing system to Access Server 2.8.0:

  • Access Server 2.8.0 has switched to another LDAP library (Python-LDAP to LDAP3), this can affect post_auth scripting.
  • When using LDAP and post_auth scripts, you may find updated post_auth scripts here: post_auth scripting page.
  • Removed almost all bundled libraries and instead switched to using operating system provided libraries.

End-of-support for outdated operating systems:

  • Dropped support for operating systems Ubuntu 14 (32 bits and 64 bits) due to it being end-of-life since April 30, 2019.
  • Dropped support for operating systems Debian 8 (32 bits and 64 bits) due to outdated system libraries.
  • Dropped support for operating systems CentOS 6 and Red Hat 6 (32 bits and 64 bits) due to outdated system libraries.
  • Dropped support for all other operating systems that are 32 bits. Our focus for AS is on 64 bits operating systems.

Bug fixes and improvements:

  • Added support for the CentOS 8 and Red Hat 8 operating systems.
  • Certified Access Server for use on the Amazon Linux 2 operating system (version 2.7.5 and higher).
  • Certified Access Server for use on the Oracle Cloud platform (version 2.7.5 and higher).
  • Added TLS 1.3 support where OpenSSL library in the OS supports TLS 1.3 (centos/redhat8, ubuntu18, debian10) for web services and openvpn daemons.
  • Added SNI capability to LDAP authentication backend connectivity required for certain LDAP providers (enabled by default).
  • Added the ability to force Access Server to use case-sensitive username matching for LDAP and RADIUS.
  • Added support for external IP address detection on Microsoft Azure cloud platform.
  • Added a new version of bundled clients package with latest OpenVPN Connect v2 and v3 software.
  • Removed mbedTLS support in Access Server, since OpenSSL has proven more stable and secure.
  • Improved installation procedure on CentOS so required components are installed along with Access Server.
  • Improved uninstallation procedure on CentOS so system service is correctly removed.
  • Improved security for cluster communication API credentials.
  • Improved tiered licensing support on Amazon AWS to include regions ‘Hong Kong’ and ‘Bahrain’.
  • Improved redacting certain sensitive output to log file while using debug flags or failover mode.
  • Improved speed of cluster admin UI by removing some unnecessary database calls.
  • Improved web service interfaces by solving a number of minor problems.
  • Improved handling of malformed license keys – this can no longer cause a crash.
  • Improved output of command line installation post-install instructions.
  • Improved handling of startup of Access Server when no configuration is present yet.
  • Improved backup process to store multiple upgrade backups in timestamped directories.
  • Resolved a bug with ‘Get Renewal Keys’ button that would result in error messages.
  • Resolved a bug where autologin connections could fail after TLS refresh interval expired.
  • Resolved a bug where RADIUS 2FA challenge/response was erroneously asking for ‘Enter Authenticator Code’.
  • Resolved a bug where the web interface would not show a custom post_auth 2FA challenge if echo was turned off.
  • Resolved a bug with bootstrap user. It is now possible again to start Access Server without any bootstrap user.
  • Resolved the ‘MySQL server has gone away’ problem that occurred when MySQL backend was used.
  • Resolved the bug where Connect v3 was not offered on the client web service when all other offerings were turned off.
  • Resolved the bug where some web browsers could not download the log report from the admin web interface anymore.
  • Resolved a bug in UCARP LAN-based failover mode where some settings would not be copied to failover server.
  • Resolved a bug in the installation procedure by no longer requiring the presence of the libncurses5 library.
  • Resolved a bug with the start/stop server button when Google MFA is switched on.

Release notes for OpenVPN Access Server 2.7.5

Release date: August 27, 2019

  • New beta OpenVPN Connect v3 software for Windows and macOS is now available in the client web interface.
  • The OpenVPN Connect v2 client software is also still present as secondary option.
  • Control over which clients you wish to offer to your users is available in the CWS Settings page in the Admin UI.
  • OpenVPN Access Server and the bundled Connect client software programs are now available as two separate packages.
  • Installation of Access Server and related Connect Client software will now happen primarily via an official software repository.
  • The software can still be downloaded from our website as two separate packages that belong together.
  • A build for the Debian 10 operating system code-named ‘Buster’ has been added.
  • A problem with retrieving and activating renewal keys from the Admin UI was resolved.
  • The Google Authenticator enrollment was improved. You now have to provide a valid 6 digit code before enrollment is complete.
  • The Google Authenticator global on/off setting was moved to the Authentication section in the Admin UI.
  • An option was added to the Admin UI to allow users to change their own password in LOCAL authentication mode.
  • If enabled, the client web service now allows users to change their own password in LOCAL authentication mode.
  • The admin web service and the client web service were updated with a new logo and a new look.
  • New options were added in as.conf to control some items that are customizable, like disabling/enabling the footer.
  • The bootstrap library was updated to version 4.3.1.
  • The jQuery library was updated to version 3.4.1.
  • A bug that would not let some users download profiles on the client web service in some extremely rare cases was found and resolved.
  • A bug where adding an admin-level user to a non-admin group could result in the user not being joined to the group has been resolved.
  • A bug where the sacli IP command no longer functioned has been resolved.
  • A bug with the Log Reports page in Internet Explorer has now been resolved.
  • A regression where the 24 hour default session token timeout didn’t work correctly has now been resolved.
  • Minor various adjustments in the admin and client web services have been made to improve the user experience.

Release notes for OpenVPN Access Server 2.7.4

Release date: May 14, 2019

  • Resolved a problem where upon creating a new cluster, the first node would in some situations still erroneously present itself as standalone node.
  • Resolve an upgrade issue where, if the default profile has been deleted, the upgraded server would fail to start the web services properly.
  • A related issue where the default profile could not be deleted in 2.7.3 even when it is not in use has also been resolved.
  • In cluster mode, the Admin UI could become unavailable if one of the nodes hangs, and this issue is now resolved.
  • Added a hint about installing libmysqlclient-dev if it is missing on the system and conversion to MySQL database format is attempted.
  • A regression where inter-client connectivity function would not work as expected in stand-alone mode has been resolved.
  • Enforced redaction of MySQL DB credentials in log file in all cases even when debug mode is enabled.
  • Minor CSS adjustments to the AS cluster mode overview.

Release notes for OpenVPN Access Server 2.7.3

  • Warning: this update changes the database structure of Access Server. Rollbacks are not as simple as before (during upgrade a backup of original database files will still be made, as per usual, so it’s still possible to roll back).
  • A first phase implementation of a clustering feature for Access Server is now implemented as an option.
      • Multiple access servers can be setup that share the same user database and settings, and users can connect to any of the nodes in the cluster.
      • Updated the admin UI further with a modern look.
      • Removed the ‘connect’ functionality from the client web interface, because it can no longer be supported in current browsers.
      • Added a session-token sharing function so clients connected to a cluster can automatically switch to a next available node in case of a problem.
      • Updated the Connect Client for Windows and macOS with session-token sharing functionality.
      • The Windows Connect Client has been signed with a new software publisher certificate as the old one had expired.
      • DNS server detection in the operating system Ubuntu 18 was broken, this has now been fixed in this release.
      • Making changes in the search results of User Permissions is now working properly in this release.
      • The default settings for a fresh installation of Access Server is now to listen to all interfaces, but can still be changed to listen to specific interface.
      • Fixed a regression where the WINS server fields in Advanced VPN were missing.
      • PyOpenSSL, PyRad, and other libraries were updated to modern versions.
      • mbedTLS (previously known as PolarSSL) support was dropped in Access Server. Clients can still use it, but the server now relies on just OpenSSL again.
      • Builds for Debian 7 have been dropped because that operating system is no longer in support.
      • An issue related VPN connectivity from a Windows/macOS client in combination with Google Authenticator and/or LDAP was fixed.

Release notes for OpenVPN Access Server 2.6.1

  • Added Support for secure LDAP and connecting with Google Identity.
  • Please note that SSLv2 and SSLv3 support for LDAP connections has been dropped. TLS 1.1 is now the new default.
  • In case of communication problems with LDAP server after upgrading, please see documentation for TLS settings for LDAP connectivity.
  • Bundled Access Server with new OpenVPN Connect Client for macOS and Windows that can implement a proxy server in the OS.
  • Also includes a change in split-DNS handling for macOS to fall in line with our other products.
  • Resolved a small issue with DNS default suffix on Windows 10 when the client PC already had a DNS default suffix.
  • Updated the Access Server licensing system to be compatible with our improved secure licensing system.
  • Disabled compression by default to resolve VORACLE vulnerability (see security advisory regarding VORACLE)
  • Resolved a problem with post_auth script and LDAP group mapping that occurred in AS 2.5.3.
  • Changed buffer default settings to resolve very slow web interface loading on Amazon AWS in specific circumstances.
  • OpenSUSE build support was dropped as of this version of AS.

Release notes for OpenVPN Access Server 2.5.2

  • A problem with VRRP/UCARP LAN-based failover mode in version 2.5 that affected some configurations was resolved.
  • Made switching off that type of failover mode easier and better, solving some problems with disabling it.
  • Updated OpenVPN Connect Client for Windows version to version
  • Updated OpenVPN Connect Client for mac OS version to version
  • OpenVPN Connect Client mbedTLS incompatibility with PKI created by OpenSSL 1.1 fixed.
  • OpenVPN Connect Client support for ECDSA added.
  • Library mbedTLS in OpenVPN Connect Client updated to resolve CVE-2018-0487 vulnerability.
  • Problem with excessively long server DNS host name that caused ‘no VPN servers’ message is resolved.
  • Issue with TLS key refresh causing a connection failure and reconnect in OpenVPN Connect Client is fixed.
  • Fixed and improved client version and platform reporting to server in OpenVPN Connect Client.
  • Fixed launch issue on some older Windows platforms when MS Visual C++ redistributable was not present.

Release notes for OpenVPN Access Server 2.5.0

  • Implemented an updated engine for rendering the admin web interface, improved the look, and paved the way for modernizing the web interface.
  • The client web interface now defaults to letting users download the required software to their computers instead of using the connect UI by default.
  • The connect UI is now considered to be deprecated and to be removed and replaced with a better solution in future releases.
  • New OpenVPN Connect Client releases are included in this Access Server release.
  • OpenVPN Connect Client for macOS is now properly signed and the issue that existed in the past that prevented this has been resolved.
  • OpenVPN Connect Client for Windows now no longer suffers from the unwanted default route that Windows added when registering the connection.
  • OpenVPN Connect Client for Windows now supports multiple DNS Resolution Zones on Windows client platforms that support NRPT.
  • For new installations, AES-256-CBC is now the new default encryption cipher for VPN tunnel data. Existing installations that are upgraded retain their old cipher.
  • SSLv2 and SSLv3 support, hidden and deprecated as it was, is now completely removed. Web service defaults to TLS 1.1 now.
  • Additional activation servers added for Amazon AWS tiered instances, this allows for tighter security settings on security groups while retaining activation status.
  • Library for mbed TLS is now updated to version 2.6.
  • OpenVPN 2.4 code now merged into Access Server.

Release notes for OpenVPN Access Server 2.1.12

  • Problems with gaps in sequentially ordered lists of keys in the configuration database are now automatically repaired when using sacli start on the command line.
  • TLS level 1.2 for the OpenVPN protocol is labeled the default for new installations. Upgrades of existing installations remain at the previously set level.
  • TLS level 1.1 for the web services is labeled the default for new installations. Upgrades of existing installations remain at the previously set level.
  • SSLv2 and SSLv3 support has been deprecated and will be removed completely in a future release.
  • SSL settings page is now renamed to TLS settings page, since TLS is now the prevalent technology and SSL is phasing out.
  • Alias interfaces like eth0:1 and such could not be selected for source NAT outgoing VPN client traffic. This bug has now been fixed.
  • An option has been added to completely disable TLS auth. This should only ever be used for compatibility with clients that offer no way to implement TLS auth at all.

Release notes for OpenVPN Access Server 2.1.9

  • Small code improvements, slightly faster response time on web interface.
  • Fixed broken ‘current users’ page in the web interface while users were connected on Access Server 2.1.8.

Release notes for OpenVPN Access Server 2.1.8

  • OpenVPN Connect Client for Windows is signed properly.
  • Disabling compression on the server no longer leads to a compression stub error.
  • Security fixes for issues reported by Guido Vranken (CVE-2017-7508, CVE-2017-7520, CVE-2017-7521, CVE-2017-7522) and other fixes.

Release notes for OpenVPN Access Server 2.1.6

  • OpenVPN Connect Client for Mac OS X updated to version to address the “error no. 8″ bug that occurred on some systems that have an IPv6 DNS server assigned as primary DNS server.
  • OpenVPN Connect Client for Windows updated to version to address the problem where an autologin type profile would endlessly loop in reconnection state when the autologin profile encounters an authorization problem (no longer valid, revoked, and such).
  • Access Server web services updated to fix CRLF injection vulnerability CVE-2017-5868 reported by Sysdream Labs.
  • Access Server OpenVPN core updated to fix CVE-2017-7478 and CVE-2017-7479 as well as other issues reported by Quarkslab and Cryptography Engineering LLC.

Release notes for OpenVPN Access Server 2.1.4

  • Added MAC address reporting on OpenVPN Connect Client for Windows and macOS.
  • Added support for systemd in Ubuntu 16.

Release notes for OpenVPN Access Server 2.1.2

  • Fixed a problem with DNS implementation on the server side where DNS options wouldn’t be pushed if the Windows Networking NETBIOS options was used on the server.
  • Fixed OpenSSL memory leak.
  • Introduced web session cookie expiration timers and rotation.
  • New packages for Ubuntu 16 now available.


Release notes for OpenVPN Access Server 2.1.1

  • Updated OpenSSL to 1.0.2h to fixes a reported security vulnerability in AES-NI.
  • Fixed an installation issue in OpenVPN Connect Client where the service component would not start after installation in some specific situations.
  • In the web admin interface on the VPN Settings page, added “DNS resolution zones” for setting “dhcp-option DOMAIN …” OpenVPN settings.
  • The previous “Default Domain Suffix” field is now used to set the “dhcp-option ADAPTER_DOMAIN_SUFFIX …” OpenVPN setting.
  • DNS behavior is now altered since version 2.1.0 of the Access Server. If you encounter problems please review your DNS settings in the admin web interface.

Release notes for OpenVPN Access Server 2.1.0

  • Ensure OpenVPN Connect Client respects the route-metric setting properly to set the metric cost on the VPN interface.
  • Small issue in OpenVPN Connect Client for Windows resolved that could break the “Go to <server>” menu command.
  • Disable tls-auth when “auth none” is given in config even when “tls-auth” directive is present.

Release notes for OpenVPN Access Server 2.0.26

  • Added capability for licensing system to lock to Amazon AWS instance ID, to provide a little more flexibility when changes are made to an EC2 instance.
  • Fixed an issue on Windows 10 where tray icons would not update properly when auto-login profiles are used.
  • Fixed Windows 10 DNS issue where Windows would not select DNS server pushed by Access Server.
  • Fixed an issue where with specific network configurations, DNS servers would get removed from the network configuration after a disconnect on macOS.
  • Access Server 2.0.25 introduced a bug that required FAVOR_LZO=1 for Android/iOS clients to be able to make a connection, this is now resolved.
  • Access Server 2.0.25 introduced a bug where a TLS refresh issue could occur with Android/iOS clients, this is now also resolved.

Release notes for OpenVPN Access Server 2.0.25

  • Fixed issue with PolarSSL/mbedTLS that was preventing client connections in some cases.

Release notes for OpenVPN Access Server 2.0.24

  • Fixed potential DoS vulnerability in port-share feature.
  • Updated PolarSSL/mbedTLS to 1.3.15.
  • Added 3072-bit DH parameters, to allow 3072-bit RSA web certs with ECDH key agreement.
  • Added better error reporting when key size is used without matching DH params.
  • Enhanced current key sizes supported to include 1024, 2048, 3072, and 4096 bits.
  • The AS web interface “Server” header now defaults to “OpenVPN-AS” and can be overridden using the config key cs.web_server_name
  • Added to the existing set of RFC 1918 subnets considered by the AS to be private.
  • Added “X-Frame-Options: SAMEORIGIN” header to all AS Admin UI and CWS pages to prevent click-jacking.

Release notes for OpenVPN Access Server 2.0.21

  • OpenVPN Connect Client for macOS was updated to be compatible with macOS X El Capitan.

Release notes for OpenVPN Access Server 2.0.20

  • Updated OpenSSL to 1.0.2d.
  • Updated web CA bundle.
  • Added web session timeout parameter “sa.session_expire”.
  • Added support for “tls-version-min parameter” in bundled OpenVPN Connect Client for Windows and macOS.

Release notes for OpenVPN Access Server 2.0.17

  • Added support for DH and ECDH ciphersuites on the webservices of the Access Server.
  • Turned off RC4 ciphersuites as these are unsafe.
  • In OpenSSL mode, allow override of default ciphersuite string with a custom setting.
  • Added support for ECDH ciphersuites in the OpenVPN services (DH has always been supported).
  • Updated OpenSSL to 1.0.2a.

Release notes for OpenVPN Access Server 2.0.12

  • Updated PolarSSL to fix vulnerability CVE-2015-1182.

Release notes for OpenVPN Access Server 2.0.11

  • Applied fix for CVE-2014-8104 in OpenVPN core that addresses a denial-of-service vulnerability where an authenticated client could stop the server.
  • For new generated certs, use SHA256 instead of SHA1 as the cert digest algorithm.
  • For new installs, set a default minimum TLS version of 1.0 for the web server. Existing installs can set the minimum TLS version on the SSL Settings page of the Admin UI.

Release notes for OpenVPN Access Server 2.0.10

  • Fixed a bug in 2.0.8 when modifying user permissions that could potentially cause the user to disappear from queries, especially when setting the “Admin” flag on a user.
    If affected by this issue, you can repair the DB by using the following command:
    /usr/local/openvpn_as/scripts/confdba -u –assign_type
  • Enable tls-version-min directive in generated client profiles when “Select minimum TLS protocol version accepted by OpenVPN server” Admin UI setting is changed from its default value.
  • Updated PolarSSL to 1.3.8.
  • Fixed bridging regression in 2.0.8 where instantiating the bridged tunnel was failing because of the introduction of two separately named openvpn binaries for OpenSSL and PolarSSL.

Release notes for OpenVPN Access Server 2.0.8

  • Updated to OpenSSL 1.0.1h to address security issues.
  • Added PolarSSL support as an alternative to OpenSSL for the OpenVPN protocol and integrated web server (In Admin UI, go to Configuration -> SSL Settings page).
  • Added options to control minimum SSL/TLS versions for both the OpenVPN protocol and web server.
  • Implemented HTTP Proxy support in OpenVPN Connect client on Windows.
  • In tray menu, go to Options -> HTTP Proxy -> Set to set the proxy address and port.  An auth dialog should pop up if proxy creds are required.
  • In OpenVPN Connect clients for Windows and Mac, allow http-proxy and related directives to be specified in imported profiles, for example:
    http-proxy ntlm.proxy.tld 3128 auto-nct
  • In OpenVPN Connect Windows client, integrated NDIS 6 TAP driver.
  • Client will now detect Windows version and install NDIS 5 driver for pre-Vista and NDIS 6 for Vista and higher.
  • Fixed bug in OpenVPN Connect clients (Windows and Mac) pertaining to case sensitivity of DNS names.
  • In Windows OpenVPN Connect tray client, don’t take focus unless we are raising a dialog.
  • Allow control over the visibility of links provided to Client Web Server users (In Admin UI, go to Configuration -> Client Settings page).
  • Added pagination support to Admin UI for User Permissions and Revoke Certificates pages.  This allows the User Properties and Certificates DBs to potentially scale to millions of rows when the underlying DB engine (e.g. MySQL) supports it.

Release notes for OpenVPN Access Server 2.0.7

  • Updated bundled Windows and Mac clients to OpenSSL 1.0.1g to fix Heartbleed issue.
  • Minor NAT/routing iptables fixes.

Release notes for OpenVPN Access Server 2.0.6

  • * Updated OpenSSL to 1.0.1g to fix CVE-2014-0160 Heartbleed vulnerability. This is a critical vulnerability, and all Access Server users are advised to upgrade immediately.

Release notes for OpenVPN Access Server 2.0.5

  • Support NAT vs. routing as a fine-grained property that can apply to individual ACL items.
  • Initialize Certificate DB to use 2048-bit RSA keys (increased from 1024) for fresh installs.
  • Fixed potential security issue: in some cases, when using Google Authenticator, the Google authenticator secret might be written to the log file.
  • On EC2, have ovpn-init automatically determine the public IP address of the instance, for setting the default public hostname. This only works if the instance is launched with a public IP, not when the public IP is attached later on.
  • Added support for appliance initialization on the CloudSigma cloud platform.

Release notes for OpenVPN Access Server 2.0.3

  • Extended ACL and DMZ port settings to allow specification of a port range
  • Fixed issue where an invalid port (or port range) specified for DMZ in the User Permissions page would be silently ignored, with no error message.
  • Added a potential improvement on the iptables rule generation for DNS packets.
  • Extended the “Allow Access To these Networks” field in User/Group Permission pages to allow the full route specification syntax supported by the backend, including subnets, services, port ranges, and NAT vs. Routing flag.
  • Updated help documentation on admin web interface.

Release notes for OpenVPN Access Server 2.0.2

  • Fixed bug where TLS negotiation broke connections from iOS clients.

Release notes for OpenVPN Access Server 2.0.1

  • Revised user access rule routing implementation to resolve issues on certain systems.

Access Server release notes for 2.0.0

  • Initial AS IPv6 milestone — IPv4.Addr is now an IPv4/6 discriminated union derived from ovpn3 (swig-wrapped) module.
  • Added necessary swig patch to build ovpn3 python module.
  • Fix admin web interface cross-site request forgery (CSRF) vulnerability (CVE-2013-2692).
  • Added Android and iOS client links to client web interface.
  • Fixed issue where pressing logout button from client web interface would raise web exception.
  • Add constant-time hash compare for authlocal module.
  • Added “proto” parameter to VPNConnect and ovpncli tool, for selecting tcp/udp transport protocol.
  • Fixed issue where would endlessly ask for EULA agreement.
  • Changes made to admin web interface “At a glance” sidebar.
    1. To avoid CSRF attacks, start/stop link on Server Status row has been replaced by “More” link which redirects to server status page where server can be started/stopped.
    2. Links in “At a glance” sidebar vanish when current page would be the destination of link.
  • Update IPv6 AS branch to use Python 2.7.
  • Updated most pyovpn dependencies other than Twisted/Nevow — contents of current bundle:
  • Build Python with readline support.
  • Changed pyovpn version number to 2.0.
  • Changed all scripts that reference python version number to use 2.7.
  • Fix to generation of iptables rules for DNS traffic:
    Because generated iptables rules trap DNS requests early in ASx_IN_PRE chain, if initial call to dns_server_subnets did not reduce the rules to empty, we must instead use the whole list of non-reduced rules, i.e. we cannot reduce them further based on access granted to private subnets or the public internet.
  • Added comment in LinuxIPv4Forward to extend to IPv6 so that /proc/sys/net/ipv6/conf/all/forwarding is also set.
  • Added CC_CMDS env var for debugging.  CC_CMDS is a comma-delimited list of OpenVPN directives (such as iroute) to be appended to client-config list.
  • Major IPv6 patch that adds IPv6 tunnel support to AS.
  • Added Python-2.7 patch.
  • Minor script updates.
  • On Admin UI Current Users page, properly show both IPv4 and IPv6 addresses.
  • Raised some string length limits from 128 and 256 to 512.
  • Moved AS default private subnets to RFC-1918 backwater.
  • Fixed regression in related to regeneration of Client object.
  • Added post_auth script that shows connecting user, serial number, CN, and SHA1 fingerprint of leaf cert.
  • Fixed some instances where transport.write (in Twisted) might be called with a unicode string, causing a Twisted exception. This was likely causing an issue with failover rsync where the ssh password was being passed as unicode to transport.write.
  • Minor text updates to Admin UI. Due to IPv6 address notation, ranges should now be delimited by ‘;’ instead of ‘:’.
  • Because of tradeoff between Beast mitigation with RC4 and RC4′s own weaknesses, turn off Beast mitigation by default, and change some of the related text in the Admin UI. In particular, Beast flag now defaults to false and is keyed by cs.beast_workaround2
  • Added support for OpenVPN tls-version-min directive.
  • Removed some debugging and redundant code.
  • Added connect_timeout and server_poll_timeout parameters to Connect and VPNConnect methods (and capicli and ovpncli tools).
    connect_timeout (optional int|str) : set connection timeout (seconds)
    server_poll_timeout (optional int|str) : set server-poll-timeout OpenVPN
    parameter (seconds) — the number of seconds to try each remote entry before moving on to the next
  • The client backend as.conf can now specify a list of prepend and append config file directives to be applied before and after the config file.
  • For example:
    prepend_config.0=route-method exe
    prepend_config.1=route-delay 30
    prepend_config.2=route-metric 512
  • Minor change in clisite to use new method IP.is_lo() to test whether address is a loopback address.
  • Fixed issue where exceptions in AuthRPCServer._render_finalize were causing server-side stack traces to be sent to client.
  • Minor rewording of BEAST option in Admin UI for clarity.
  • If vpn.server.routing.snat_source list is non-empty, use it to generate SNAT interface list rather than enum_interfaces