Access Server Release Notes

Release notes for OpenVPN Access Server 2.5.2

  • A problem with VRRP/UCARP LAN-based failover mode in version 2.5 that affected some configurations was resolved.
  • Made switching off that type of failover mode easier and better, solving some problems with disabling it.
  • Updated OpenVPN Connect Client for Windows version 2.5.0.100 to version 2.5.0.136.
  • Updated OpenVPN Connect Client for mac OS version 2.5.0.112 to version 2.5.0.136.
  • OpenVPN Connect Client mbedTLS incompatibility with PKI created by OpenSSL 1.1 fixed.
  • OpenVPN Connect Client support for ECDSA added.
  • Library mbedTLS in OpenVPN Connect Client updated to resolve CVE-2018-0487 vulnerability.
  • Problem with excessively long server DNS host name that caused ‘no VPN servers’ message is resolved.
  • Issue with TLS key refresh causing a connection failure and reconnect in OpenVPN Connect Client is fixed.
  • Fixed and improved client version and platform reporting to server in OpenVPN Connect Client.
  • Fixed launch issue on some older Windows platforms when MS Visual C++ redistributable was not present.

Release notes for OpenVPN Access Server 2.5.0

  • Implemented an updated engine for rendering the admin web interface, improved the look, and paved the way for modernizing the web interface.
  • The client web interface now defaults to letting users download the required software to their computers instead of using the connect UI by default.
  • The connect UI is now considered to be deprecated and to be removed and replaced with a better solution in future releases.
  • New OpenVPN Connect Client releases are included in this Access Server release.
  • OpenVPN Connect Client for macOS is now properly signed and the issue that existed in the past that prevented this has been resolved.
  • OpenVPN Connect Client for Windows now no longer suffers from the unwanted 0.0.0.0/0 default route that Windows added when registering the connection.
  • OpenVPN Connect Client for Windows now supports multiple DNS Resolution Zones on Windows client platforms that support NRPT.
  • For new installations, AES-256-CBC is now the new default encryption cipher for VPN tunnel data. Existing installations that are upgraded retain their old cipher.
  • SSLv2 and SSLv3 support, hidden and deprecated as it was, is now completely removed. Web service defaults to TLS 1.1 now.
  • Additional activation servers added for Amazon AWS tiered instances, this allows for tighter security settings on security groups while retaining activation status.
  • Library for mbed TLS is now updated to version 2.6.
  • OpenVPN 2.4 code now merged into Access Server.

Release notes for OpenVPN Access Server 2.1.12

  • Problems with gaps in sequentially ordered lists of keys in the configuration database are now automatically repaired when using sacli start on the command line.
  • TLS level 1.2 for the OpenVPN protocol is labeled the default for new installations. Upgrades of existing installations remain at the previously set level.
  • TLS level 1.1 for the web services is labeled the default for new installations. Upgrades of existing installations remain at the previously set level.
  • SSLv2 and SSLv3 support has been deprecated and will be removed completely in a future release.
  • SSL settings page is now renamed to TLS settings page, since TLS is now the prevalent technology and SSL is phasing out.
  • Alias interfaces like eth0:1 and such could not be selected for source NAT outgoing VPN client traffic. This bug has now been fixed.
  • An option has been added to completely disable TLS auth. This should only ever be used for compatibility with clients that offer no way to implement TLS auth at all.

Release notes for OpenVPN Access Server 2.1.9

  • Small code improvements, slightly faster response time on web interface.
  • Fixed broken ‘current users’ page in the web interface while users were connected on Access Server 2.1.8.

Release notes for OpenVPN Access Server 2.1.8

  • OpenVPN Connect Client for Windows is signed properly.
  • Disabling compression on the server no longer leads to a compression stub error.
  • Security fixes for issues reported by Guido Vranken (CVE-2017-7508, CVE-2017-7520, CVE-2017-7521, CVE-2017-7522) and other fixes.

Release notes for OpenVPN Access Server 2.1.6

  • OpenVPN Connect Client for Mac OS X updated to version 2.1.3.120 to address the “error no. 8" bug that occurred on some systems that have an IPv6 DNS server assigned as primary DNS server.
  • OpenVPN Connect Client for Windows updated to version 2.1.3.111 to address the problem where an autologin type profile would endlessly loop in reconnection state when the autologin profile encounters an authorization problem (no longer valid, revoked, and such).
  • Access Server web services updated to fix CRLF injection vulnerability CVE-2017-5868 reported by Sysdream Labs.
  • Access Server OpenVPN core updated to fix CVE-2017-7478 and CVE-2017-7479 as well as other issues reported by Quarkslab and Cryptography Engineering LLC.

Release notes for OpenVPN Access Server 2.1.4

  • Added MAC address reporting on OpenVPN Connect Client for Windows and macOS.
  • Added support for systemd in Ubuntu 16.

Release notes for OpenVPN Access Server 2.1.2

  • Fixed a problem with DNS implementation on the server side where DNS options wouldn’t be pushed if the Windows Networking NETBIOS options was used on the server.
  • Fixed OpenSSL memory leak.
  • Introduced web session cookie expiration timers and rotation.
  • New packages for Ubuntu 16 now available.

 

Release notes for OpenVPN Access Server 2.1.1

  • Updated OpenSSL to 1.0.2h to fixes a reported security vulnerability in AES-NI.
  • Fixed an installation issue in OpenVPN Connect Client where the service component would not start after installation in some specific situations.
  • In the web admin interface on the VPN Settings page, added “DNS resolution zones" for setting “dhcp-option DOMAIN …" OpenVPN settings.
  • The previous “Default Domain Suffix" field is now used to set the “dhcp-option ADAPTER_DOMAIN_SUFFIX …" OpenVPN setting.
  • DNS behavior is now altered since version 2.1.0 of the Access Server. If you encounter problems please review your DNS settings in the admin web interface.

Release notes for OpenVPN Access Server 2.1.0

  • Ensure OpenVPN Connect Client respects the route-metric setting properly to set the metric cost on the VPN interface.
  • Small issue in OpenVPN Connect Client for Windows resolved that could break the “Go to <server>" menu command.
  • Disable tls-auth when “auth none" is given in config even when “tls-auth" directive is present.

Release notes for OpenVPN Access Server 2.0.26

  • Added capability for licensing system to lock to Amazon AWS instance ID, to provide a little more flexibility when changes are made to an EC2 instance.
  • Fixed an issue on Windows 10 where tray icons would not update properly when auto-login profiles are used.
  • Fixed Windows 10 DNS issue where Windows would not select DNS server pushed by Access Server.
  • Fixed an issue where with specific network configurations, DNS servers would get removed from the network configuration after a disconnect on macOS.
  • Access Server 2.0.25 introduced a bug that required FAVOR_LZO=1 for Android/iOS clients to be able to make a connection, this is now resolved.
  • Access Server 2.0.25 introduced a bug where a TLS refresh issue could occur with Android/iOS clients, this is now also resolved.

Release notes for OpenVPN Access Server 2.0.25

  • Fixed issue with PolarSSL/mbedTLS that was preventing client connections in some cases.

Release notes for OpenVPN Access Server 2.0.24

  • Fixed potential DoS vulnerability in port-share feature.
  • Updated PolarSSL/mbedTLS to 1.3.15.
  • Added 3072-bit DH parameters, to allow 3072-bit RSA web certs with ECDH key agreement.
  • Added better error reporting when key size is used without matching DH params.
  • Enhanced current key sizes supported to include 1024, 2048, 3072, and 4096 bits.
  • The AS web interface “Server" header now defaults to “OpenVPN-AS" and can be overridden using the config key cs.web_server_name
  • Added 169.254.0.0/16 to the existing set of RFC 1918 subnets considered by the AS to be private.
  • Added “X-Frame-Options: SAMEORIGIN" header to all AS Admin UI and CWS pages to prevent click-jacking.

Release notes for OpenVPN Access Server 2.0.21

  • OpenVPN Connect Client for macOS was updated to be compatible with macOS X El Capitan.

Release notes for OpenVPN Access Server 2.0.20

  • Updated OpenSSL to 1.0.2d.
  • Updated web CA bundle.
  • Added web session timeout parameter “sa.session_expire".
  • Added support for “tls-version-min parameter" in bundled OpenVPN Connect Client for Windows and macOS.

Release notes for OpenVPN Access Server 2.0.17

  • Added support for DH and ECDH ciphersuites on the webservices of the Access Server.
  • Turned off RC4 ciphersuites as these are unsafe.
  • In OpenSSL mode, allow override of default ciphersuite string with a custom setting.
  • Added support for ECDH ciphersuites in the OpenVPN services (DH has always been supported).
  • Updated OpenSSL to 1.0.2a.

Release notes for OpenVPN Access Server 2.0.12

  • Updated PolarSSL to fix vulnerability CVE-2015-1182.

Release notes for OpenVPN Access Server 2.0.11

  • Applied fix for CVE-2014-8104 in OpenVPN core that addresses a denial-of-service vulnerability where an authenticated client could stop the server.
  • For new generated certs, use SHA256 instead of SHA1 as the cert digest algorithm.
  • For new installs, set a default minimum TLS version of 1.0 for the web server. Existing installs can set the minimum TLS version on the SSL Settings page of the Admin UI.

Release notes for OpenVPN Access Server 2.0.10

  • Fixed a bug in 2.0.8 when modifying user permissions that could potentially cause the user to disappear from queries, especially when setting the “Admin" flag on a user.
    If affected by this issue, you can repair the DB by using the following command:
    /usr/local/openvpn_as/scripts/confdba -u –assign_type
  • Enable tls-version-min directive in generated client profiles when “Select minimum TLS protocol version accepted by OpenVPN server" Admin UI setting is changed from its default value.
  • Updated PolarSSL to 1.3.8.
  • Fixed bridging regression in 2.0.8 where instantiating the bridged tunnel was failing because of the introduction of two separately named openvpn binaries for OpenSSL and PolarSSL.

Release notes for OpenVPN Access Server 2.0.8

  • Updated to OpenSSL 1.0.1h to address security issues.
  • Added PolarSSL support as an alternative to OpenSSL for the OpenVPN protocol and integrated web server (In Admin UI, go to Configuration -> SSL Settings page).
  • Added options to control minimum SSL/TLS versions for both the OpenVPN protocol and web server.
  • Implemented HTTP Proxy support in OpenVPN Connect client on Windows.
  • In tray menu, go to Options -> HTTP Proxy -> Set to set the proxy address and port.  An auth dialog should pop up if proxy creds are required.
  • In OpenVPN Connect clients for Windows and Mac, allow http-proxy and related directives to be specified in imported profiles, for example:
    http-proxy ntlm.proxy.tld 3128 auto-nct
    <http-proxy-user-pass>
    myusername
    mypassword
    </http-proxy-user-pass>
  • In OpenVPN Connect Windows client, integrated NDIS 6 TAP driver.
  • Client will now detect Windows version and install NDIS 5 driver for pre-Vista and NDIS 6 for Vista and higher.
  • Fixed bug in OpenVPN Connect clients (Windows and Mac) pertaining to case sensitivity of DNS names.
  • In Windows OpenVPN Connect tray client, don’t take focus unless we are raising a dialog.
  • Allow control over the visibility of links provided to Client Web Server users (In Admin UI, go to Configuration -> Client Settings page).
  • Added pagination support to Admin UI for User Permissions and Revoke Certificates pages.  This allows the User Properties and Certificates DBs to potentially scale to millions of rows when the underlying DB engine (e.g. MySQL) supports it.

Release notes for OpenVPN Access Server 2.0.7

  • Updated bundled Windows and Mac clients to OpenSSL 1.0.1g to fix Heartbleed issue.
  • Minor NAT/routing iptables fixes.

Release notes for OpenVPN Access Server 2.0.6

  • * Updated OpenSSL to 1.0.1g to fix CVE-2014-0160 Heartbleed vulnerability. This is a critical vulnerability, and all Access Server users are advised to upgrade immediately.

Release notes for OpenVPN Access Server 2.0.5

  • Support NAT vs. routing as a fine-grained property that can apply to individual ACL items.
  • Initialize Certificate DB to use 2048-bit RSA keys (increased from 1024) for fresh installs.
  • Fixed potential security issue: in some cases, when using Google Authenticator, the Google authenticator secret might be written to the log file.
  • On EC2, have ovpn-init automatically determine the public IP address of the instance, for setting the default public hostname. This only works if the instance is launched with a public IP, not when the public IP is attached later on.
  • Added support for appliance initialization on the CloudSigma cloud platform.

Release notes for OpenVPN Access Server 2.0.3

  • Extended ACL and DMZ port settings to allow specification of a port range
  • Fixed issue where an invalid port (or port range) specified for DMZ in the User Permissions page would be silently ignored, with no error message.
  • Added a potential improvement on the iptables rule generation for DNS packets.
  • Extended the “Allow Access To these Networks" field in User/Group Permission pages to allow the full route specification syntax supported by the backend, including subnets, services, port ranges, and NAT vs. Routing flag.
  • Updated help documentation on admin web interface.

Release notes for OpenVPN Access Server 2.0.2

  • Fixed bug where TLS negotiation broke connections from iOS clients.

Release notes for OpenVPN Access Server 2.0.1

  • Revised user access rule routing implementation to resolve issues on certain systems.

Access Server release notes for 2.0.0

  • Initial AS IPv6 milestone — IPv4.Addr is now an IPv4/6 discriminated union derived from ovpn3 (swig-wrapped) module.
  • Added necessary swig patch to build ovpn3 python module.
  • Fix admin web interface cross-site request forgery (CSRF) vulnerability (CVE-2013-2692).
  • Added Android and iOS client links to client web interface.
  • Fixed issue where pressing logout button from client web interface would raise web exception.
  • Add constant-time hash compare for authlocal module.
  • Added “proto” parameter to VPNConnect and ovpncli tool, for selecting tcp/udp transport protocol.
  • Fixed issue where astatus.py would endlessly ask for EULA agreement.
  • Changes made to admin web interface “At a glance” sidebar.
    1. To avoid CSRF attacks, start/stop link on Server Status row has been replaced by “More” link which redirects to server status page where server can be started/stopped.
    2. Links in “At a glance” sidebar vanish when current page would be the destination of link.
  • Update IPv6 AS branch to use Python 2.7.
  • Updated most pyovpn dependencies other than Twisted/Nevow — contents of current bundle:
    bison-2.4.tar.bz2
    boost_1_53_0.tar.gz
    bridge-utils-jy-1.5.tar.gz
    cyrus-sasl-2.1.26.tar.gz
    flex-2.5.35.tar.bz2
    libpcap-1.3.0.tar.gz
    linet-1.0.tar.gz
    lzo-2.06.tar.gz
    m4-1.4.13.tar.bz2
    MySQL-python-1.2.4b4.tar.gz
    Nevow-0.10.0.tar.gz
    openldap-2.4.35.tgz
    openssl-1.0.1e.tar.gz
    openvpn-2.3_as1.tar.gz
    openvpn3.tar.gz
    pcre-8.32.tar.gz
    pycrypto-2.6.tar.gz
    pyOpenSSL-0.10.tar.gz
    pyovpnc-1.2.tar.gz
    pyovpn.tgz
    pyrad-1.1.tar.gz
    Python-2.7.4.tgz
    python-ldap-2.4.10.tar.gz
    readline-6.2.tar.gz
    setuptools-0.6c11.tar.gz
    snappy-1.1.0.tar.gz
    SQLAlchemy-0.7.10.tar.gz
    sqlite-autoconf-3071602.tar.gz
    swig-2.0.9.tar.gz
    tcl8.5.5-src.tar.gz
    termcap-1.3.1.tar.gz
    tidy-20090316.tar.gz
    Twisted-9.0.0.tar.bz2
    ucarp-1.5.2.tar.gz
    uTidylib-0.2.tar.gz
    zope.interface-3.3.0.tar.gz
  • Build Python with readline support.
  • Changed pyovpn version number to 2.0.
  • Changed all scripts that reference python version number to use 2.7.
  • Fix to generation of iptables rules for DNS traffic:
    Because generated iptables rules trap DNS requests early in ASx_IN_PRE chain, if initial call to dns_server_subnets did not reduce the rules to empty, we must instead use the whole list of non-reduced rules, i.e. we cannot reduce them further based on access granted to private subnets or the public internet.
  • Added comment in LinuxIPv4Forward to extend to IPv6 so that /proc/sys/net/ipv6/conf/all/forwarding is also set.
  • Added CC_CMDS env var for debugging.  CC_CMDS is a comma-delimited list of OpenVPN directives (such as iroute) to be appended to client-config list.
  • Major IPv6 patch that adds IPv6 tunnel support to AS.
  • Added Python-2.7 patch.
  • Minor script updates.
  • On Admin UI Current Users page, properly show both IPv4 and IPv6 addresses.
  • Raised some string length limits from 128 and 256 to 512.
  • Moved AS default private subnets to RFC-1918 backwater.
  • Fixed regression in usersvc.py related to regeneration of Client object.
  • Added post_auth script pasfp.py that shows connecting user, serial number, CN, and SHA1 fingerprint of leaf cert.
  • Fixed some instances where transport.write (in Twisted) might be called with a unicode string, causing a Twisted exception. This was likely causing an issue with failover rsync where the ssh password was being passed as unicode to transport.write.
  • Minor text updates to Admin UI. Due to IPv6 address notation, ranges should now be delimited by ‘;’ instead of ‘:’.
  • Because of tradeoff between Beast mitigation with RC4 and RC4′s own weaknesses, turn off Beast mitigation by default, and change some of the related text in the Admin UI. In particular, Beast flag now defaults to false and is keyed by cs.beast_workaround2
  • Added support for OpenVPN tls-version-min directive.
  • Removed some debugging and redundant code.
  • Added connect_timeout and server_poll_timeout parameters to Connect and VPNConnect methods (and capicli and ovpncli tools).
    connect_timeout (optional int|str) : set connection timeout (seconds)
    server_poll_timeout (optional int|str) : set server-poll-timeout OpenVPN
    parameter (seconds) — the number of seconds to try each remote entry before moving on to the next
  • The client backend as.conf can now specify a list of prepend and append config file directives to be applied before and after the config file.
  • For example:
    [capi]
    prepend_config.0=route-method exe
    prepend_config.1=route-delay 30
    prepend_config.2=route-metric 512
    prepend_config.3=route 0.0.0.0 0.0.0.0
  • Minor change in clisite to use new method IP.is_lo() to test whether address is a loopback address.
  • Fixed issue where exceptions in AuthRPCServer._render_finalize were causing server-side stack traces to be sent to client.
  • Minor rewording of BEAST option in Admin UI for clarity.
  • If vpn.server.routing.snat_source list is non-empty, use it to generate SNAT interface list rather than enum_interfaces

Share