First release of the 2.6 series.

Release announcement excerpt:
--8<--
The OpenVPN community project team is proud to release OpenVPN 2.6.0.
This is the new stable version of OpenVPN with some major new features.

Changes since RC2:

* Various bugfixes, see 
https://github.com/OpenVPN/openvpn/blob/v2.6.0/Changes.rst

Windows MSI changes since RC2:
* Included openvpn-gui updated to 11.36.0.0. See 
https://github.com/OpenVPN/openvpn-gui/blob/v11.36.0.0/CHANGES.rst.
* DCO driver is now included as an installer module (msm) so that other products 
(like OpenVPN Connect) can share the DCO installation.

Some highlights of 2.6.0 are:

* Data Channel Offload (DCO) kernel acceleration support for Windows, Linux, 
and FreeBSD.
* OpenSSL 3 support, which is now the default on Windows.
* Improved handling of tunnel MTU, including support for pushable MTU.
* Outdated cryptographic algorithms disabled by default, but there are options 
to override
  if necessary.
* Reworked TLS handshake, making OpenVPN immune to replay-packet state 
exhaustion attacks.
* Added --peer-fingerprint mode for a more simplistic certificate setup and 
verification.
* Added Pre-Logon Access Provider support to OpenVPN GUI for Windows.
* Improved protocol negotiation, leading to faster connection setup.

More details can be found in the Changes document:

<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>

(The Changes document also contains a section with work-arounds for
common problems encountered when using OpenVPN with OpenSSL 3)

Source code and Windows installers can be downloaded from our download page:

<https://community.openvpn.net/openvpn/wiki/Downloads>

(The Windows installers use OpenSSL 3 now)

(The Community Downloads page on openvpn.net
<https://openvpn.net/community-downloads/>
will probably be updated tomorrow).
-->8--

Obviously the DCO support didn't magically pop up in our kernel.  Even
though it would improve performance and there's a FreeBSD driver to
import/adapt, I'm not sure there's room in our GENERIC kernel for that
kind of driver.

LibreSSL related: many detection tests were dropped, which leads to no
fallout.

Build-tested on sparc64, client runtime tested on amd64.  Tests and
feedback welcome, especially if you run a server.


Index: Makefile
===================================================================
RCS file: /home/cvs/ports/net/openvpn/Makefile,v
retrieving revision 1.114
diff -u -p -r1.114 Makefile
--- Makefile    8 Nov 2022 11:16:59 -0000       1.114
+++ Makefile    26 Jan 2023 08:30:08 -0000
@@ -1,7 +1,6 @@
 COMMENT=       easy-to-use, robust, and highly configurable VPN
 
-DISTNAME=      openvpn-2.5.8
-REVISION=      0
+DISTNAME=      openvpn-2.6.0
 
 CATEGORIES=    net security
 
Index: distinfo
===================================================================
RCS file: /home/cvs/ports/net/openvpn/distinfo,v
retrieving revision 1.53
diff -u -p -r1.53 distinfo
--- distinfo    6 Nov 2022 17:18:01 -0000       1.53
+++ distinfo    26 Jan 2023 08:30:12 -0000
@@ -1,2 +1,2 @@
-SHA256 (openvpn-2.5.8.tar.gz) = pvMVtyMdRFJ+ZZAf9kb4fX8HhiyH8zUx2qEJ+0jFPbI=
-SIZE (openvpn-2.5.8.tar.gz) = 1875551
+SHA256 (openvpn-2.6.0.tar.gz) = 6+yTMmPJhQ72984SXi8iIUvmCxy7jM/xiJJkP+CDro8=
+SIZE (openvpn-2.6.0.tar.gz) = 1840792
Index: patches/patch-configure
===================================================================
RCS file: /home/cvs/ports/net/openvpn/patches/patch-configure,v
retrieving revision 1.29
diff -u -p -r1.29 patch-configure
--- patches/patch-configure     6 Nov 2022 17:18:01 -0000       1.29
+++ patches/patch-configure     26 Jan 2023 09:51:18 -0000
@@ -1,7 +1,7 @@
 Index: configure
 --- configure.orig
 +++ configure
-@@ -19809,7 +19809,7 @@ else
+@@ -19303,7 +19303,7 @@ else
  fi
  
  
Index: patches/patch-include_Makefile_in
===================================================================
RCS file: /home/cvs/ports/net/openvpn/patches/patch-include_Makefile_in,v
retrieving revision 1.14
diff -u -p -r1.14 patch-include_Makefile_in
--- patches/patch-include_Makefile_in   6 Nov 2022 17:18:01 -0000       1.14
+++ patches/patch-include_Makefile_in   26 Jan 2023 09:51:18 -0000
@@ -1,7 +1,7 @@
 Index: include/Makefile.in
 --- include/Makefile.in.orig
 +++ include/Makefile.in
-@@ -340,7 +340,7 @@ host_cpu = @host_cpu@
+@@ -346,7 +346,7 @@ host_cpu = @host_cpu@
  host_os = @host_os@
  host_vendor = @host_vendor@
  htmldir = @htmldir@
Index: patches/patch-sample_sample-config-files_client_conf
===================================================================
RCS file: 
/home/cvs/ports/net/openvpn/patches/patch-sample_sample-config-files_client_conf,v
retrieving revision 1.2
diff -u -p -r1.2 patch-sample_sample-config-files_client_conf
--- patches/patch-sample_sample-config-files_client_conf        10 Mar 2022 
00:04:07 -0000      1.2
+++ patches/patch-sample_sample-config-files_client_conf        26 Jan 2023 
09:51:18 -0000
@@ -1,11 +1,12 @@
---- sample/sample-config-files/client.conf.orig        Mon Sep 10 17:01:08 2012
-+++ sample/sample-config-files/client.conf     Thu Mar  7 14:02:35 2013
+Index: sample/sample-config-files/client.conf
+--- sample/sample-config-files/client.conf.orig
++++ sample/sample-config-files/client.conf
 @@ -58,8 +58,8 @@ resolv-retry infinite
  nobind
  
  # Downgrade privileges after initialization (non-Windows only)
--;user nobody
--;group nobody
+-;user openvpn
+-;group openvpn
 +user _openvpn
 +group _openvpn
  
Index: patches/patch-sample_sample-config-files_server_conf
===================================================================
RCS file: 
/home/cvs/ports/net/openvpn/patches/patch-sample_sample-config-files_server_conf,v
retrieving revision 1.5
diff -u -p -r1.5 patch-sample_sample-config-files_server_conf
--- patches/patch-sample_sample-config-files_server_conf        10 Mar 2022 
00:04:07 -0000      1.5
+++ patches/patch-sample_sample-config-files_server_conf        26 Jan 2023 
09:51:18 -0000
@@ -1,11 +1,12 @@
---- sample/sample-config-files/server.conf.orig        Thu Nov  3 09:52:28 2016
-+++ sample/sample-config-files/server.conf     Fri Nov 18 17:49:59 2016
+Index: sample/sample-config-files/server.conf
+--- sample/sample-config-files/server.conf.orig
++++ sample/sample-config-files/server.conf
 @@ -271,8 +271,8 @@ cipher AES-256-CBC
  #
- # You can uncomment this out on
- # non-Windows systems.
--;user nobody
--;group nobody
+ # You can uncomment this on non-Windows
+ # systems after creating a dedicated user.
+-;user openvpn
+-;group openvpn
 +user _openvpn
 +group _openvpn
  
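Review bot: the comment kept as context above the active lines, "You can uncomment this on non-Windows systems after creating a dedicated user", no longer matches what the patched server.conf does, since `user _openvpn` and `group _openvpn` are shipped already uncommented. The previous tls-home.conf and tls-office.conf patches rewrote their comment to name "_openvpn"; consider patching this comment in the same way so the text and the active privilege-drop lines agree.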
Index: patches/patch-sample_sample-config-files_tls-home_conf
===================================================================
RCS file: 
/home/cvs/ports/net/openvpn/patches/patch-sample_sample-config-files_tls-home_conf,v
retrieving revision 1.3
diff -u -p -r1.3 patch-sample_sample-config-files_tls-home_conf
--- patches/patch-sample_sample-config-files_tls-home_conf      10 Mar 2022 
00:04:07 -0000      1.3
+++ patches/patch-sample_sample-config-files_tls-home_conf      26 Jan 2023 
09:51:18 -0000
@@ -1,15 +1,12 @@
 Index: sample/sample-config-files/tls-home.conf
 --- sample/sample-config-files/tls-home.conf.orig
 +++ sample/sample-config-files/tls-home.conf
-@@ -48,10 +48,10 @@ cipher AES-256-GCM
- ; port 1194
- 
- # Downgrade UID and GID to
--# "nobody" after initialization
-+# "_openvpn" after initialization
+@@ -50,8 +50,8 @@ cipher AES-256-GCM
+ # Downgrade UID and GID to an
+ # unpriviledged user after initialization
  # for extra security.
--; user nobody
--; group nobody
+-; user openvpn
+-; group openvpn
 +user _openvpn
 +group _openvpn
  
Index: patches/patch-sample_sample-config-files_tls-office_conf
===================================================================
RCS file: 
/home/cvs/ports/net/openvpn/patches/patch-sample_sample-config-files_tls-office_conf,v
retrieving revision 1.3
diff -u -p -r1.3 patch-sample_sample-config-files_tls-office_conf
--- patches/patch-sample_sample-config-files_tls-office_conf    10 Mar 2022 
00:04:07 -0000      1.3
+++ patches/patch-sample_sample-config-files_tls-office_conf    26 Jan 2023 
09:51:18 -0000
@@ -1,15 +1,12 @@
 Index: sample/sample-config-files/tls-office.conf
 --- sample/sample-config-files/tls-office.conf.orig
 +++ sample/sample-config-files/tls-office.conf
-@@ -51,10 +51,10 @@ cipher AES-256-GCM
- ; port 1194
- 
- # Downgrade UID and GID to
--# "nobody" after initialization
-+# "_openvpn" after initialization
+@@ -53,8 +53,8 @@ cipher AES-256-GCM
+ # Downgrade UID and GID to an
+ # unpriviledged user after initialization
  # for extra security.
--; user nobody
--; group nobody
+-; user openvpn
+-; group openvpn
 +user _openvpn
 +group _openvpn
  
Index: patches/patch-sample_sample-config-files_xinetd-client-config
===================================================================
RCS file: patches/patch-sample_sample-config-files_xinetd-client-config
diff -N patches/patch-sample_sample-config-files_xinetd-client-config
--- patches/patch-sample_sample-config-files_xinetd-client-config       10 Mar 
2022 00:04:07 -0000      1.2
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,10 +0,0 @@
---- sample/sample-config-files/xinetd-client-config.orig       Mon Sep 10 
17:01:08 2012
-+++ sample/sample-config-files/xinetd-client-config    Thu Mar  7 14:02:35 2013
-@@ -6,6 +6,6 @@ dev tun
- ifconfig 10.4.0.1 10.4.0.2
- remote my-server
- port 1194
--user nobody
-+user _openvpn
- secret /root/openvpn/key
- inactive 600
Index: patches/patch-sample_sample-config-files_xinetd-server-config
===================================================================
RCS file: patches/patch-sample_sample-config-files_xinetd-server-config
diff -N patches/patch-sample_sample-config-files_xinetd-server-config
--- patches/patch-sample_sample-config-files_xinetd-server-config       10 Mar 
2022 00:04:07 -0000      1.2
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,9 +0,0 @@
---- sample/sample-config-files/xinetd-server-config.orig       Mon Sep 10 
17:01:08 2012
-+++ sample/sample-config-files/xinetd-server-config    Thu Mar  7 14:02:35 2013
-@@ -21,5 +21,5 @@ service openvpn_1
-         wait            = yes
-         user            = root
-         server          = /root/openvpn/openvpn
--        server_args     = --inetd --dev tun --ifconfig 10.4.0.2 10.4.0.1 
--secret /root/openvpn/key --inactive 600 --user nobody
-+        server_args     = --inetd --dev tun --ifconfig 10.4.0.2 10.4.0.1 
--secret /root/openvpn/key --inactive 600 --user _openvpn
- }
Index: patches/patch-src_openvpn_route_c
===================================================================
RCS file: /home/cvs/ports/net/openvpn/patches/patch-src_openvpn_route_c,v
retrieving revision 1.17
diff -u -p -r1.17 patch-src_openvpn_route_c
--- patches/patch-src_openvpn_route_c   10 Mar 2022 00:04:07 -0000      1.17
+++ patches/patch-src_openvpn_route_c   26 Jan 2023 09:51:18 -0000
@@ -5,7 +5,7 @@
 Index: src/openvpn/route.c
 --- src/openvpn/route.c.orig
 +++ src/openvpn/route.c
-@@ -1809,12 +1809,17 @@ add_route(struct route_ipv4 *r,
+@@ -1815,12 +1815,17 @@ add_route(struct route_ipv4 *r,
      }
  #endif
  
@@ -25,8 +25,8 @@ Index: src/openvpn/route.c
 +        argv_printf_cat (&argv, "%s", gateway);
  
      argv_msg(D_ROUTE, &argv);
-     status = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route 
add command failed");
-@@ -3482,7 +3487,7 @@ get_default_gateway(struct route_gateway_info *rgi, op
+     bool ret = openvpn_execve_check(&argv, es, 0,
+@@ -3507,7 +3512,7 @@ get_default_gateway(struct route_gateway_info *rgi, op
      /* setup data to send to routing socket */
      pid = getpid();
      seq = 0;
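Review bot: in the add_route() context the upstream call changed from `status = openvpn_execve_check(...)` to `bool ret = openvpn_execve_check(&argv, es, 0,`, so the result of the route command built by the port's `argv_printf_cat (&argv, "%s", gateway);` line is now handled differently by the surrounding code. Only context moved here, but a runtime check that a failing route add is still reported would be worth doing, given that only the client was runtime-tested. As a style point, `argv_printf_cat (&argv` carries a space before the parenthesis that the neighbouring `argv_msg(D_ROUTE, &argv);` does not.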
@@ -35,7 +35,7 @@ Index: src/openvpn/route.c
  
      bzero(&m_rtmsg, sizeof(m_rtmsg));
      bzero(&so_dst, sizeof(so_dst));
-@@ -3700,7 +3705,7 @@ get_default_gateway_ipv6(struct route_ipv6_gateway_inf
+@@ -3725,7 +3730,7 @@ get_default_gateway_ipv6(struct route_ipv6_gateway_inf
      /* setup data to send to routing socket */
      pid = getpid();
      seq = 0;
Index: patches/patch-src_openvpn_tun_c
===================================================================
RCS file: /home/cvs/ports/net/openvpn/patches/patch-src_openvpn_tun_c,v
retrieving revision 1.19
diff -u -p -r1.19 patch-src_openvpn_tun_c
--- patches/patch-src_openvpn_tun_c     10 Mar 2022 00:04:07 -0000      1.19
+++ patches/patch-src_openvpn_tun_c     26 Jan 2023 09:51:18 -0000
@@ -4,7 +4,7 @@
 Index: src/openvpn/tun.c
 --- src/openvpn/tun.c.orig
 +++ src/openvpn/tun.c
-@@ -1346,21 +1346,26 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname
+@@ -1353,21 +1353,26 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname
      if (tun)
      {
          argv_printf(&argv,
Index: pkg/PLIST
===================================================================
RCS file: /home/cvs/ports/net/openvpn/pkg/PLIST,v
retrieving revision 1.31
diff -u -p -r1.31 PLIST
--- pkg/PLIST   8 Nov 2022 11:16:59 -0000       1.31
+++ pkg/PLIST   26 Jan 2023 11:04:09 -0000
@@ -17,7 +17,6 @@ share/doc/openvpn/COPYING
 share/doc/openvpn/COPYRIGHT.GPL
 share/doc/openvpn/Changes.rst
 share/doc/openvpn/README
-share/doc/openvpn/README.IPv6
 share/doc/openvpn/README.down-root
 share/doc/openvpn/README.mbedtls
 share/doc/openvpn/gui-notes.txt
@@ -39,8 +38,6 @@ share/examples/openvpn/sample-config-fil
 share/examples/openvpn/sample-config-files/server.conf
 share/examples/openvpn/sample-config-files/tls-home.conf
 share/examples/openvpn/sample-config-files/tls-office.conf
-share/examples/openvpn/sample-config-files/xinetd-client-config
-share/examples/openvpn/sample-config-files/xinetd-server-config
 share/examples/openvpn/sample-keys/
 share/examples/openvpn/sample-keys/README
 share/examples/openvpn/sample-keys/ca.crt
@@ -63,5 +60,6 @@ share/examples/openvpn/sample-scripts/
 share/examples/openvpn/sample-scripts/auth-pam.pl
 share/examples/openvpn/sample-scripts/bridge-start
 share/examples/openvpn/sample-scripts/bridge-stop
+share/examples/openvpn/sample-scripts/totpauth.py
 share/examples/openvpn/sample-scripts/ucn.pl
 share/examples/openvpn/sample-scripts/verify-cn
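Review bot: `share/examples/openvpn/sample-scripts/totpauth.py` is the only Python file among the sample scripts listed in this hunk (the neighbours are `auth-pam.pl`, `ucn.pl` and extensionless scripts), and nothing else in the diff accounts for it. Please check what interpreter line it is installed with and say in the commit message that it is shipped as an example only, so it is clear no Python dependency is intended.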


-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE
