Release notes for OpenVPN Access Server 2.8.5
Release date: July 2, 2020
- Improved the activation page in the Admin UI.
- Updated jQuery library to v3.5.1 to address a security issue. (CVE-2020-11023)
- Updated Twisted library to v20.3.0.
- Updated Bootstrap library to v4.5.0.
Release notes for OpenVPN Access Server 2.8.4
Release date: June 18, 2020
- Updated the OpenVPN2 core component in Access Server to the latest version, 2.4.9.
- Improved handling of situations with nodes on different versions in the same cluster (please always update all your nodes to the latest version).
- Improved logdba tool with new --jsondict function to show information in JSON dictionary format.
- Improved minor things in the client and admin web interface.
- Resolved a problem where a session token could last longer than its intended expiration timeout.
- Resolved the situation where older Connect v2 clients would be unable to log in when MFA and LDAP were used.
- Resolved an issue where an activation key could activate on the wrong node in clustering mode.
- Resolved a problem where multiple LDAP referrals were not working properly.
- Resolved an error message on the User Permissions page when in layer 2 bridging mode.
- Resolved a problem with group-to-user and group-to-group access control in the web interface.
- Resolved a problem where a downloaded CSV file from the Log Report page was missing the error column.
Release notes for OpenVPN Access Server 2.8.3
Release date: March 23, 2020
- Added option to select minimum TLS 1.3 setting when the operating system’s OpenSSL library supports it.
- Resolved a temporary crash of web services if the XML-RPC interface was set to full and attacked in a specific way (CVE-2020-11462). Thanks to Suslov Maxim for reporting this.
- Resolved a bug on the Advanced VPN page where TLS auth and compression could not be turned back on in the Admin UI.
- Resolved a bug on the Log Reports page where some data would cause the Log Reports page to end the web session.
- Resolved a bug where the secondary LDAP server would not be called if the first LDAP server timed out.
- Resolved an issue with 1024-bit keys on Debian 10 and CentOS 8 by replacing the 1024-bit DH key with a 2048-bit DH key.
- Removed UCARP as a dependency and bundled our own copy so that UCARP failover can still work and cloud-init will work normally.
- Released new Connect Client bundled software package (version 7) that includes new OpenVPN Connect 3.1.3 beta client for Windows.
- Released new Connect Client bundled software package (version 8) that includes new OpenVPN Connect 2.7.1 client and 3.1.1 beta client for macOS.
- Released new Connect Client bundled software package (version 9) that includes new OpenVPN Connect 2.7.1 client for Windows.
- Released new Connect Client bundled software package (version 10) that includes new OpenVPN Connect 2.7.1 client for Windows.
- Released new Connect Client bundled software package (version 11) that includes new OpenVPN Connect 2.7.1 client for Windows.
Release notes for OpenVPN Access Server 2.8.2
Release date: February 26, 2020
- Resolved a problem with LDAP search queries when spaces were used in object names.
- Resolved an issue where assigning static IPv6 addresses to VPN clients could fail.
- Resolved a problem on CentOS 7 and Ubuntu 16 where an upgrade would require a manual start of the Access Server service.
- Released new Connect Client bundled software package (version 6) that includes new OpenVPN Connect 3.1.2 beta client.
Release notes for OpenVPN Access Server 2.8.1
Release date: February 12, 2020
- Resolved a security flaw in Access Server 2.8.0 when used in combination with an LDAP server for authentication. More details are in our security advisory.
Release notes for OpenVPN Access Server 2.8.0
Release date: February 6, 2020
Important changes that may require action to resolve after upgrading an existing system to Access Server 2.8.0:
- Access Server 2.8.0 has switched to another LDAP library (from Python-LDAP to LDAP3); this can affect post_auth scripting.
- When using LDAP and post_auth scripts, you may find updated post_auth scripts on the post_auth scripting page.
- Removed almost all bundled libraries and instead switched to using operating system provided libraries.
- Very old (6+ years) installations of Access Server may still use 1024-bit keys for their certificates. On Debian 10, or on systems where OpenSSL is configured with security level 2 by default, these may stop functioning. To resolve this temporarily, comment out “CipherString=DEFAULT@SECLEVEL=2” in /etc/ssl/openssl.cnf and restart the Access Server service to make it operational on this platform with old certificates. A more permanent resolution will become available in future releases of Access Server.
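The check behind the temporary workaround above, as an added example (not OpenVPN's own code): it finds the active CipherString line that sets SECLEVEL in openssl.cnf text and returns a copy with only the SECLEVEL=2 line commented out, so the change can be reviewed before the file is edited. The function names and the sample file content are constructed for illustration.

```python
import re

# Constructed, abridged sample of /etc/ssl/openssl.cnf (not from a real host).
SAMPLE_CNF = """\
openssl_conf = default_conf

[system_default_sect]
MinProtocol = TLSv1.2
# CipherString = DEFAULT@SECLEVEL=1
CipherString = DEFAULT@SECLEVEL=2
"""

SECTION = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]")
CIPHERSTRING = re.compile(r"^\s*CipherString\s*=\s*\S*@SECLEVEL=(\d)")


def find_seclevel(text):
    """Return (line_number, section, level) for each active CipherString line."""
    hits, section = [], None
    for number, line in enumerate(text.splitlines(), start=1):
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        setting = CIPHERSTRING.match(line)  # lines starting with '#' never match
        if setting:
            hits.append((number, section, int(setting.group(1))))
    return hits


def comment_out_seclevel2(text):
    """Return the text with active SECLEVEL=2 CipherString lines commented out."""
    targets = {n for n, _, level in find_seclevel(text) if level == 2}
    lines = text.splitlines(keepends=True)
    return "".join(
        "#" + line if number in targets else line
        for number, line in enumerate(lines, start=1)
    )


if __name__ == "__main__":
    for number, section, level in find_seclevel(SAMPLE_CNF):
        print(f"line {number} [{section}]: SECLEVEL={level}")
    print(comment_out_seclevel2(SAMPLE_CNF), end="")
```

Running `find_seclevel` again on the patched text is a quick way to confirm that no active SECLEVEL setting remains before restarting the Access Server service.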
End-of-support for outdated operating systems:
- Dropped support for operating systems Ubuntu 14 (32 bits and 64 bits) due to it being end-of-life since April 30, 2019.
- Dropped support for operating systems Debian 8 (32 bits and 64 bits) due to outdated system libraries.
- Dropped support for operating systems CentOS 6 and Red Hat 6 (32 bits and 64 bits) due to outdated system libraries.
- Dropped support for all other operating systems that are 32 bits. Our focus for AS is on 64 bits operating systems.
Bug fixes and improvements:
- Added support for the CentOS 8 and Red Hat 8 operating systems.
- Certified Access Server for use on the Amazon Linux 2 operating system (version 2.7.5 and higher).
- Certified Access Server for use on the Oracle Cloud platform (version 2.7.5 and higher).
- Added TLS 1.3 support where the OpenSSL library in the OS supports TLS 1.3 (CentOS/Red Hat 8, Ubuntu 18, Debian 10) for web services and OpenVPN daemons.
- Added SNI capability to LDAP authentication backend connectivity required for certain LDAP providers (enabled by default).
- Added the ability to force Access Server to use case-sensitive username matching for LDAP and RADIUS.
- Added support for external IP address detection on Microsoft Azure cloud platform.
- Added a new version of bundled clients package with latest OpenVPN Connect v2 and v3 software.
- Removed mbedTLS support in Access Server, since OpenSSL has proven more stable and secure.
- Improved installation procedure on CentOS so required components are installed along with Access Server.
- Improved uninstallation procedure on CentOS so system service is correctly removed.
- Improved security for cluster communication API credentials.
- Improved tiered licensing support on Amazon AWS to include regions ‘Hong Kong’ and ‘Bahrain’.
- Improved redaction of certain sensitive output written to the log file while using debug flags or failover mode.
- Improved speed of cluster admin UI by removing some unnecessary database calls.
- Improved web service interfaces by solving a number of minor problems.
- Improved handling of malformed license keys – this can no longer cause a crash.
- Improved output of command line installation post-install instructions.
- Improved handling of startup of Access Server when no configuration is present yet.
- Improved backup process to store multiple upgrade backups in timestamped directories.
- Resolved a bug with ‘Get Renewal Keys’ button that would result in error messages.
- Resolved a bug where autologin connections could fail after TLS refresh interval expired.
- Resolved a bug where RADIUS 2FA challenge/response was erroneously asking for ‘Enter Authenticator Code’.
- Resolved a bug where the web interface would not show a custom post_auth 2FA challenge if echo was turned off.
- Resolved a bug with bootstrap user. It is now possible again to start Access Server without any bootstrap user.
- Resolved the ‘MySQL server has gone away’ problem that occurred when MySQL backend was used.
- Resolved the bug where Connect v3 was not offered on the client web service when all other offerings were turned off.
- Resolved the bug where some web browsers could not download the log report from the admin web interface anymore.
- Resolved a bug in UCARP LAN-based failover mode where some settings would not be copied to failover server.
- Resolved a bug in the installation procedure by no longer requiring the presence of the libncurses5 library.
- Resolved a bug with the start/stop server button when Google MFA is switched on.
Release notes for OpenVPN Access Server 2.7.5
Release date: August 27, 2019
- New beta OpenVPN Connect v3 software for Windows and macOS is now available in the client web interface.
- The OpenVPN Connect v2 client software is also still present as secondary option.
- Control over which clients you wish to offer to your users is available in the CWS Settings page in the Admin UI.
- OpenVPN Access Server and the bundled Connect client software programs are now available as two separate packages.
- Installation of Access Server and related Connect Client software will now happen primarily via an official software repository.
- The software can still be downloaded from our website as two separate packages that belong together.
- A build for the Debian 10 operating system code-named ‘Buster’ has been added.
- A problem with retrieving and activating renewal keys from the Admin UI was resolved.
- The Google Authenticator enrollment was improved. You now have to provide a valid 6 digit code before enrollment is complete.
- The Google Authenticator global on/off setting was moved to the Authentication section in the Admin UI.
- An option was added to the Admin UI to allow users to change their own password in LOCAL authentication mode.
- If enabled, the client web service now allows users to change their own password in LOCAL authentication mode.
- The admin web service and the client web service were updated with a new logo and a new look.
- New options were added in as.conf to control some items that are customizable, like disabling/enabling the footer.
- The bootstrap library was updated to version 4.3.1.
- The jQuery library was updated to version 3.4.1.
- A bug that would not let some users download profiles on the client web service in some extremely rare cases was found and resolved.
- A bug where adding an admin-level user to a non-admin group could result in the user not being joined to the group has been resolved.
- A bug where the sacli IP command no longer functioned has been resolved.
- A bug with the Log Reports page in Internet Explorer has now been resolved.
- A regression where the 24 hour default session token timeout didn’t work correctly has now been resolved.
- Various minor adjustments in the admin and client web services have been made to improve the user experience.
Release notes for OpenVPN Access Server 2.7.4
Release date: May 14, 2019
- Resolved a problem where, upon creating a new cluster, the first node would in some situations still erroneously present itself as a standalone node.
- Resolved an upgrade issue where, if the default profile has been deleted, the upgraded server would fail to start the web services properly.
- A related issue where the default profile could not be deleted in 2.7.3 even when it is not in use has also been resolved.
- In cluster mode, the Admin UI could become unavailable if one of the nodes hangs, and this issue is now resolved.
- Added a hint about installing libmysqlclient-dev if it is missing on the system and conversion to MySQL database format is attempted.
- A regression where inter-client connectivity function would not work as expected in stand-alone mode has been resolved.
- Enforced redaction of MySQL DB credentials in log file in all cases even when debug mode is enabled.
- Minor CSS adjustments to the AS cluster mode overview.