./net/openvpn, Easy-to-use SSL VPN daemon

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 2.4.3, Package name: openvpn-2.4.3, Maintainer: pkgsrc-users

OpenVPN is a robust and highly flexible tunneling application
that uses all of the encryption, authentication, and certification
features of the OpenSSL library to securely tunnel IP networks over
a single TCP/UDP port.


Required to run:
[archivers/lzo] [archivers/lz4]

Required to build:
[pkgtools/cwrappers]

Master sites:


Version history: (Expand)


CVS history: (Expand)


   2017-07-02 00:12:53 by Joerg Sonnenberger | Files touched by this commit (3)
Log message:
Use DIST_SUBDIR properly.
   2017-06-26 09:21:22 by Adam Ciarcinski | Files touched by this commit (5)
Log message:
Distfile has been changed upstream
   2017-06-21 21:00:47 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
OpenVPN 2.4.3
Ignore auth-nocache for auth-user-pass if auth-token is pushed
crypto: Enable SHA256 fingerprint checking in --verify-hash
copyright: Update GPLv2 license texts
auth-token with auth-nocache fix broke --disable-crypto builds
OpenSSL: don't use direct access to the internal of X509
OpenSSL: don't use direct access to the internal of EVP_PKEY
OpenSSL: don't use direct access to the internal of RSA
OpenSSL: don't use direct access to the internal of DSA
OpenSSL: force meth->name as non-const when we free() it
OpenSSL: don't use direct access to the internal of EVP_MD_CTX
OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
OpenSSL: don't use direct access to the internal of HMAC_CTX
Fix NCP behaviour on TLS reconnect.
Remove erroneous limitation on max number of args for --plugin
Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
Fix potential 1-byte overread in TCP option parsing.
Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
refactor my_strupr
Fix 2 memory leaks in proxy authentication routine
Fix memory leak in add_option() for option 'connection'
Ensure option array p[] is always NULL-terminated
Fix a null-pointer dereference in establish_http_proxy_passthru()
Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
Fix an unaligned access on OpenBSD/sparc64
Missing include for socket-flags TCP_NODELAY on OpenBSD
Make openvpn-plugin.h self-contained again.
Pass correct buffer size to GetModuleFileNameW()
Log the negotiated (NCP) cipher
Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
Skip tls-crypt unit tests if required crypto mode not supported
openssl: fix overflow check for long --tls-cipher option
Add a DSA test key/cert pair to sample-keys
Fix mbedtls fingerprint calculation
mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
mbedtls: require C-string compatible types for --x509-username-field
Fix remote-triggerable memory leaks (CVE-2017-7521)
Restrict --x509-alt-username extension types
Fix potential double-free in --x509-alt-username (CVE-2017-7521)
Fix gateway detection with OpenBSD routing domains
   2017-05-24 22:35:12 by Adam Ciarcinski | Files touched by this commit (20) | Package removed
Log message:
OpenVPN 2.4.2

Compared to OpenVPN 2.3 this is a major update with a large number of new \ 
features, improvements and fixes. Some of the major features are AEAD (GCM) \ 
cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack \ 
support and more seamless connection migration when client's IP address changes \ 
(Peer-ID). Also, the new --tls-crypt feature can be used to increase users' \ 
connection privacy.

Compared to OpenVPN 2.4.1 there are several bugfixes and small enhancements. A \ 
summary of the changes is available in Changes.rst.
   2017-05-22 08:25:19 by Adam Ciarcinski | Files touched by this commit (4)
Log message:
Version 2.3.16:
* fix redirect-gateway behaviour when an IPv4 default route does not exist
* Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
* Check for errors in the return value of GetModuleFileNameW()
* Fix gateway detection with OpenBSD routing domains
   2017-05-19 20:11:04 by S.P.Zeidler | Files touched by this commit (8) | Package updated
Log message:
update openvpn to 2.3.15
fixes DoSses: CVE-2017-7478 CVE-2017-7479
fixes PR pkg/52044

relevant excerpt of ChangeLog:
OpenVPN Change Log
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>

2017.05.11 -- Version 2.3.15
David Sommerseth (5):
      dev-tools: Added script for updating copyright years in files
      Update copyrights
      docs: Further improve --reneg-bytes and SWEET32 information
      git: Merge .gitignore files into a single file
      Make --cipher/--auth none more explicit on the risks

Gert Doering (1):
      Document --proto udp6, tcp6, etc.

Julien Muchembled (1):
      Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset

Steffan Karger (6):
      Add missing includes in error.h
      cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
      Document that OpenVPN 2.3 does not check the CRL signature
      Introduce and use secure_memzero() to erase secrets
      Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
      Don't assert out on receiving too-large control packets (CVE-2017-7478)

2016.12.06 -- Version 2.3.14
Christian Hesse (1):
      update year in copyright message

David Sommerseth (1):
      Document the --auth-token option

Gert Doering (2):
      Repair topology subnet on FreeBSD 11
      Repair topology subnet on OpenBSD

Lev Stipakov (1):
      Drop recursively routed packets

Selva Nair (4):
      Support --block-outside-dns on multiple tunnels
      When parsing '--setenv opt xx ..' make sure a third parameter is present
      Map restart signals from event loop to SIGTERM during exit-notification wait
      Correctly state the default dhcp server address in man page

Steffan Karger (1):
      Clean up format_hex_ex()

2016.11.02 -- Version 2.3.13
Arne Schwabe (2):
      Use AES ciphers in our sample configuration files and add a few modern 2.4 \ 
examples
      Incorporate the Debian typo fixes where appropriate and make show_opt \ 
default message clearer

David Sommerseth (4):
      t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
      t_client.sh: Add support for Kerberos/ksu
      t_client.sh: Improve detection if the OpenVPN process did start during tests
      t_client.sh: Add prepare/cleanup possibilties for each test case

Gert Doering (5):
      Do not abort t_client run if OpenVPN instance does not start.
      Fix t_client runs on OpenSolaris
      make t_client robust against sudoers misconfiguration
      add POSTINIT_CMD_suf to t_client.sh and sample config
      Fix --multihome for IPv6 on 64bit BSD systems.

Ilya Shipitsin (1):
      skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto

Lev Stipakov (2):
      Exclude peer-id from pulled options digest
      Fix compilation in pedantic mode

Samuli Seppänen (1):
      Automatically cache expected IPs for t_client.sh on the first run

Steffan Karger (6):
      Fix unittests for out-of-source builds
      Make gnu89 support explicit
      cleanup: remove code duplication in msg_test()
      Update cipher-related man page text
      Limit --reneg-bytes to 64MB when using small block ciphers
      Add a revoked cert to the sample keys

2016.08.23 -- Version 2.3.12
Arne Schwabe (2):
      Complete push-peer-info documentation and allow IV_PLAT_VER for other \ 
platforms than Windows if the client UI supplies it.
      Move ASSERT so external-key with OpenSSL works again

David Sommerseth (3):
      Only build and run cmocka unit tests if its submodule is initialized
      Another fix related to unit test framework
      Remove NOP function and callers

Dorian Harmans (1):
      Add CHACHA20-POLY1305 ciphersuite IANA name translations.

Ivo Manca (1):
      Plug memory leak in mbedTLS backend

Jeffrey Cutter (1):
      Update contrib/pull-resolv-conf/client.up for no DOMAIN

Jens Neuhalfen (2):
      Add unit testing support via cmocka
      Add a test for auth-pam searchandreplace

Josh Cepek (1):
      Push an IPv6 CIDR mask used by the server, not the pool's size

Leon Klingele (1):
      Add link to bug tracker

Samuli Seppänen (2):
      Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes
      Clarify the fact that build instructions in README are for release tarballs

Selva Nair (4):
      Make error non-fatal while deleting address using netsh
      Make block-outside-dns work with persist-tun
      Ignore SIGUSR1/SIGHUP during exit notification
      Promptly close the netcmd_semaphore handle after use

Steffan Karger (4):
      Fix polarssl / mbedtls builds
      Don't limit max incoming message size based on c2->frame
      Fix '--cipher none --cipher' crash
      Discourage using 64-bit block ciphers
   2016-09-19 15:04:29 by Thomas Klausner | Files touched by this commit (147)
Log message:
Recursive PKGREVISION bump for gnutls shlib major bump.
   2016-07-08 10:49:41 by Jonathan Perkin | Files touched by this commit (7) | Package updated
Log message:
Update net/openvpn to 2.3.11.  Changes since 2.3.6:

2016.05.09 -- Version 2.3.11
      Fixed port-share bug with DoS potential
      Make intent of utun device name validation clear
      Fix buffer overflow by user supplied data
      Correctly report TCP connection timeout on windows.
      Report Windows bitness
      Fix undefined signed shift overflow
      Fix build with libressl
      Improve LZO, PAM and OpenSSL documentation
      Ensure input read using systemd-ask-password is null terminated
      Support reading the challenge-response from console
      openssl: improve logging
      polarssl: improve logging
      Update manpage: OpenSSL might also need /dev/urandom inside chroot
      socks.c: fix check on get_user_pass() return value(s)
      Fix OCSP_check.sh
      hardening: add safe FD_SET() wrapper openvpn_fd_set()
      Fix memory leak in argv_extract_cmd_name()
      Replace MSG_TEST() macro for static inline msg_test()
      Restrict default TLS cipher list
      Various Changes.rst fixes
      Clarify mssfix documentation
      Clarify --block-outside-dns documentation
      Update --block-outside-dns to work on Windows Vista

2016.01.04 -- Version 2.3.10
      Prepare for v2.3.10 release, list PolarSSL 1.2 to 1.3 upgrade
      Make certificate expiry warning patch (091edd8e299686) work on OpenSSL \ 
1.0.1 and earlier.
      Repair IPv6 netsh calls if Win XP is detected
      Use bob.example.com and alice.example.com to improve clarity of documentation
      Remove unused variables from ssl_verify_polarssl.c's x509_get_serial()
      Upgrade OpenVPN 2.3 to PolarSSL 1.3
      Warn user if their certificate has expired
      Make assert_failed() print the failed condition
      cleanup: get rid of httpdigest.c type warnings
      Fix regression in setups without a client certificate
      polarssl: fix unreachable code

2015.12.15 -- Version 2.3.9
      Show extra-certs in current parameters.
      Fix commit a3160fc1bd7368395745b9cee6e40fb819f5564c
      Do not set the buffer size by default but rely on the operation system default.
      Remove --enable-password-save option
      Reflect enable-password-save change in documentation
      Also remove second instance of enable-password-save in the man page
      Detect config lines that are too long and give a warning/error
      Log serial number of revoked certificate
      Adjust server-ipv6 documentation
      Avoid partial authentication state when using --disabled in CCD configs
      Make "block-outside-dns" option platform agnostic
      Un-break --auth-user-pass on windows
      Replace unaligned 16bit access to TCP MSS value with bytewise access
      Repair test_local_addr() on WIN32
      Fix possible heap overflow on read accessing getaddrinfo() result.
      Fix FreeBSD-specific mishandling of gc arena pointer in \ 
create_arbitrary_remote()
      remove unused gc_arena in FreeBSD close_tun()
      Fix isatty() check for good.
      put virtual IPv6 addresses into env
      Use adapter index instead of name for windows IPv6 interface config
      Client-side part for server restart notification
      Use adapter index for add/delete_route_ipv6
      Pass adapter index to up/down scripts
      Fix VS2013 compilation
      Fix privilege drop if first connection attempt fails
      Support for username-only auth file.
      Add CONTRIBUTING.rst
      Updates to Changes.rst
      Fix termination when windows suspends/sleeps
      Do not hard-code windows systemroot in env_block
      Handle ctrl-C and ctrl-break events on Windows
      Unbreak read username password from management
      Replace strdup() calls for string_alloc() calls
      Check return value of ms_error_text()
      Increase control channel packet size for faster handshakes
      hardening: add insurance to exit on a failed ASSERT()
      Fix memory leak in auth-pam plugin
      Fix (potential) memory leak in init_route_list()
      Fix unintialized variable in plugin_vlog()
      Add macro to ensure we exit on fatal errors
      Fix memory leak in add_option() by simplifying get_ipv6_addr
      openssl: properly check return value of RAND_bytes()
      Fix rand_bytes return value checking
      Add Windows DNS Leak fix using WFP ('block-outside-dns')
      Fix "White space before end tags can break the config parser"

2015.08.03 -- Version 2.3.8
      Report missing endtags of inline files as warnings
      Fix commit e473b7c if an inline file happens to have a line break exactly \ 
at buffer limit
      Produce a meaningful error message if --daemon gets in the way of asking \ 
for passwords.
      Document --daemon changes and consequences (--askpass, --auth-nocache).
      Del ipv6 addr on close of linux tun interface
      Fix --askpass not allowing for password input via stdin
      write pid file immediately after daemonizing
      Make __func__ work with Visual Studio too
      fix regression: query password before becoming daemon
      Fix using management interface to get passwords.
      Fix overflow check in openvpn_decrypt()

2015.06.02 -- Version 2.3.7
      Default gateway can't be determined on illumos/Solaris platforms
      Warn that tls-auth with free form files is going to be removed from OpenVPN 2.4
      autotools: Fix wrong ./configure help screen default values
      down-root plugin: Replaced system() calls with execve()
      down-root: Improve error messages
      plugin, down-root: Fix compiler warnings
      sockets: Remove the limitation of --tcp-nodelay to be server-only
      plugins, down-root: Code style clean-up
      pkcs11: Load p11-kit-proxy.so module by default
      Make 'provider' option to --show-pkcs11-ids optional where p11-kit is present
      Use OPENVPN_ETH_P_* so that <netinet/if_ether.h> is unecessary
      New approach to handle peer-id related changes to link-mtu (2.3 version)
      Fix incorrect use of get_ipv6_addr() for iroute options.
      Print helpful error message on --mktun/--rmtun if not available.
      explain effect of --topology subnet on --ifconfig
      Add note about file permissions and --crl-verify to manpage.
      repair --dev null breakage caused by db950be85d37
      assume res_init() is always there.
      Correct note about DNS randomization in openvpn.8
      Disallow usage of --server-poll-timeout in --secret key mode.
      slightly enhance documentation about --cipher
      Enforce "serial-tests" behaviour for tests/Makefile
      Revert "Enforce "serial-tests" behaviour for \ 
tests/Makefile"
      On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo().
      Use configure.ac hack to apply serial_test AM option only if supported.
      Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo().
      Move res_init() call to inner openvpn_getaddrinfo() loop
      Fix FreeBSD ifconfig for topology subnet tunnels.
      Fix --redirect-private in --dev tap mode.
      include ifconfig_ environment variables in --up-restart env set
      Fix null pointer dereference in options.c
      Fix mssfix default value in connection_list context
      Manual page update for Re-enabled TLS version negotiation.
      Include systemd units in the source tarball (make dist)
      Updated manpage for --rport and --lport
      Properly escape dashes on the man-page
      Improve documentation in --script-security section of the man-page
      Really fix '--cipher none' regression
      Update doxygen (a bit)
      Set tls-version-max to 1.1 if cryptoapicert is used
      Account for peer-id in frame size calculation
      Disable SSL compression
      Fix frame size calculation for non-CBC modes.
      Allow for CN/username of 64 characters (fixes off-by-one)
      Remove unneeded parameter 'first_time' from possibly_become_daemon()
      Re-enable TLS version negotiation by default
      Remove size limit for files inlined in config
      Improve --tls-cipher and --show-tls man page description
      Re-read auth-user-pass file on (re)connect if required
      Clarify --capath option in manpage
      Call daemon() before initializing crypto library