Networking

OpenVPN Rebased to Version 2.4.3

OpenVPN has been rebased to version 2.4.3. This update adds many improvements, notably improved elliptic curve cryptography support (ECDH), support for AES-GCM, an additional encryption layer for the control channel (the --tls-crypt option), and a form of cipher negotiation that allows client ciphers to be gradually upgraded to stronger ones without significant added complexity. Additionally, clients can now seamlessly change their IP address or port without having to fully renegotiate an established tunnel.

For a full list of changes in this version, see the upstream changelog on GitHub.

Overall integration with systemd has also improved, and systemd can now better manage OpenVPN processes. This update ships with brand new systemd unit files, which add further security hardening. These new unit files are preferred over the old openvpn@.service file. The same unit files are used in other Linux distributions that use systemd, ensuring more consistent behavior and usage across systemd-based systems. See the installed documentation in /usr/share/doc/openvpn/README.systemd for more information about this topic.

Additional Notes

In other changes, Certificate Revocation List (CRL) checking is now done directly by the SSL libraries. These libraries have a far stricter acceptance policy than the approach OpenVPN used previously. For example, if your CRL file has expired, this affects every user, regardless of whether their certificates are revoked or not.
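As an added example (not part of the release notes and not code from the OpenVPN project), the following stdlib-only Python script ties the two points above together: it audits a server.conf for the 2.4 options the notes describe (tls-crypt, AES-GCM, cipher negotiation, ECDH, crl-verify) and, for the CRL the config references, checks the thisUpdate/nextUpdate window that the stricter library-side checking now enforces, so an expired CRL is caught before it locks out every client. The directive names are real OpenVPN 2.4 directives; the config text, the "Example CA" name, the reference date and the CRL itself (built with a small DER encoder and left unsigned) are constructed fixtures. The audit and parsing functions are hypothetical helpers written for this example.

```python
# Added example: audit an OpenVPN 2.4 server.conf and the validity window of its CRL (stdlib only).
import base64
import re
from datetime import datetime, timedelta, timezone

def der(tag, *parts):
    """Encode one DER TLV (definite length, short or long form)."""
    body = b"".join(parts)
    n = len(body)
    k = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + body

def der_tlv(buf, i=0):
    """Decode the TLV at buf[i]; return (tag, content, index just past it)."""
    n, start = buf[i + 1], i + 2
    if n >= 0x80:                                   # long form: low 7 bits = number of length octets
        n, start = int.from_bytes(buf[start:start + (n & 0x7F)], "big"), start + (n & 0x7F)
    return buf[i], buf[start:start + n], start + n

def der_children(content):
    """Decode the TLVs laid end to end inside a SEQUENCE body."""
    out, i = [], 0
    while i < len(content):
        tag, body, i = der_tlv(content, i)
        out.append((tag, body))
    return out

def der_time(tag, content):
    """X.509 Time: UTCTime (0x17) or GeneralizedTime (0x18), always UTC."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(content.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(pem_or_der):
    """Return (thisUpdate, nextUpdate) of a CRL (RFC 5280 5.1); nextUpdate is None when absent."""
    data = pem_or_der
    if data.lstrip().startswith(b"-----BEGIN"):
        b64 = re.search(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", data, re.S).group(1)
        data = base64.b64decode(b"".join(b64.split()))
    _, cert_list, _ = der_tlv(data)                 # CertificateList
    _, tbs = der_children(cert_list)[0]             # tbsCertList
    fields = der_children(tbs)
    if fields[0][0] == 0x02:                         # optional version INTEGER (present in v2 CRLs)
        fields = fields[1:]
    # remaining order: signature, issuer, thisUpdate, [nextUpdate], [revokedCertificates], [extensions]
    has_next = len(fields) > 3 and fields[3][0] in (0x17, 0x18)
    return der_time(*fields[2]), (der_time(*fields[3]) if has_next else None)

def crl_status(pem_or_der, now=None):
    """'expired' is the case the notes warn about: strict library checks then fail for every client."""
    now = now or datetime.now(timezone.utc)
    this_update, next_update = crl_validity(pem_or_der)
    if now < this_update:
        return "not-yet-valid"
    return "expired" if next_update is not None and now > next_update else "ok"

def parse_directives(text):
    """Map directive -> argument string, ignoring comments and blank lines."""
    out = {}
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if line:
            key, _, val = line.partition(" ")
            out[key] = val.strip()
    return out

def audit(conf_text, files, now=None):
    """Return findings for a server config; `files` maps path -> bytes in place of reading the disk."""
    d, findings = parse_directives(conf_text), []
    if "tls-crypt" not in d:
        findings.append("control channel not encrypted: 2.4 offers 'tls-crypt <key>' over plain tls-auth")
    if not d.get("cipher", "").upper().endswith("-GCM"):
        findings.append("data channel cipher is not AES-GCM")
    if "ncp-disable" in d:
        findings.append("cipher negotiation disabled: 2.4 clients cannot be upgraded to a stronger cipher")
    if "crl-verify" not in d:
        findings.append("no crl-verify: revoked client certificates remain usable")
    elif (status := crl_status(files[d["crl-verify"]], now)) != "ok":
        findings.append(f"CRL {d['crl-verify']} is {status}: every client is rejected, revoked or not")
    return findings

# Constructed fixtures: a hardened 2.4 server.conf fragment and a reference "now".
SAMPLE_SERVER_CONF = """\
dh none                               # no finite-field DH group, ECDH only
ecdh-curve secp384r1
tls-crypt ta.key                      # encrypt and authenticate the control channel
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM   # offered to 2.4 clients during negotiation
crl-verify crl.pem
"""
REFERENCE_NOW = datetime(2017, 8, 1, tzinfo=timezone.utc)

def make_sample_crl(this_update, next_update):
    """A syntactically valid but UNSIGNED PEM CRL (signature bits are zero); fixture only."""
    utc = lambda t: der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")), der(0x05))   # sha256WithRSA
    cn = der(0x30, der(0x06, bytes.fromhex("550403")), der(0x0C, b"Example CA"))  # commonName
    tbs = der(0x30, der(0x02, b"\x01"), alg, der(0x30, der(0x31, cn)), utc(this_update), utc(next_update))
    pem = base64.encodebytes(der(0x30, tbs, alg, der(0x03, bytes(17))))
    return b"-----BEGIN X509 CRL-----\n" + pem + b"-----END X509 CRL-----\n"

def sample_crls(now=REFERENCE_NOW):
    """One CRL inside its window and one 30 days past nextUpdate."""
    return {"fresh": make_sample_crl(now - timedelta(days=1), now + timedelta(days=29)),
            "stale": make_sample_crl(now - timedelta(days=60), now - timedelta(days=30))}
```

On a real host, replace the `files` dictionary with the bytes read from the path named by crl-verify and leave `now` unset; the parser only walks the fixed leading fields of the CRL, so it works on CRLs produced by openssl ca -gencrl as well as on the fixture. Running crl_status from a periodic job is the practical mitigation for the caveat above: renew the CRL before nextUpdate, because once it lapses the library rejects every client certificate, not only the revoked ones.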

Additionally, OpenVPN in Fedora 26 currently uses the compat-openssl10 and compat-openssl10-pkcs11-helper compatibility packages, which are considered a workaround until more thorough testing can be done on OpenSSL 1.1, support for which was only recently introduced in OpenVPN. In a later update, the OpenVPN package is expected to be upgraded to make use of the newer openssl-1.1 library.