OpenVPN 2.7.0 Launches with New Protocols & Platform Support

Summary
– OpenVPN 2.7.0 introduces multi-socket server support, allowing a single process to manage multiple addresses, ports, and protocols.
– It includes preliminary support for the new upstream DCO Linux kernel module, replacing the older out-of-tree driver.
– Client functionality is enhanced with improved DNS options across platforms and a new Windows client featuring split DNS and DNSSEC.
– A new PUSH_UPDATE message enables servers to update client routing or DNS settings during an active session without a reconnect.
– The update features improved data channel handling, support for TLS 1.3 with newer libraries, and architectural changes for Windows operation.
The latest iteration of the popular VPN software, OpenVPN 2.7.0, has been officially released, bringing a host of significant upgrades for both server administrators and end-users. This update focuses on improving flexibility, security, and performance across various platforms, with notable enhancements in multi-address server management, client-side DNS handling, and support for modern cryptographic standards. These improvements aim to streamline complex network configurations and bolster the overall robustness of secure connections.
A major advancement in this version is the introduction of multi-socket support for server instances. This feature allows a single server process to efficiently manage multiple IP addresses, ports, and protocols simultaneously. It simplifies setups where a service must listen on several network interfaces or handle different transport methods, like TCP and UDP, at the same time, reducing administrative overhead.
The release also incorporates preliminary support for the upstream DCO Linux kernel module. This module, slated for inclusion in future Linux kernel versions, is intended to replace the previous out-of-tree driver. For systems running current kernels, backported versions of this new module will be accessible through associated projects, paving the way for better integration and performance.
On the client side, there are substantial updates. DNS option support has been enhanced for Linux, BSD, and macOS, providing greater control over domain name resolution within the VPN tunnel. A refreshed Windows client implementation now includes advanced control channel features such as split DNS and DNSSEC handling, improving security and configuration granularity for Windows users.
A new PUSH_UPDATE message for the control channel is another key addition. This functionality enables a server to dynamically update a client’s settings, such as routing tables or DNS configurations, during an active session without forcing the client to disconnect and reconnect. New management interface commands have been added to facilitate broadcasting these updates to specific clients or groups.
Significant architectural changes have been made for the Windows platform. The system now utilizes Windows Filtering Platform filters for the block-local flag, enhances efficiency by generating network adapters on demand, and runs services automatically under unprivileged user accounts for improved security. Server mode support for the win-dco driver is included, with the tap-windows6 driver remaining as a reliable fallback option.
Under the hood, the update refines data channel operations. It enforces usage limits for the AES-GCM cipher, integrates support for epoch data keys and an updated packet format, and adds compatibility with TLS 1.3 when used with newer cryptographic libraries. The codebase also now supports mbedTLS version 4, ensuring alignment with current encryption technologies.
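The AES-GCM usage limit mentioned above exists because a single GCM key may only protect a bounded amount of data before the confidentiality and integrity guarantees degrade, which is what makes the epoch data keys useful. The following is an added worked example, not OpenVPN code and not taken from the release notes: it applies the published single-user AES-GCM bounds from the IRTF CFRG "Usage Limits on AEAD Algorithms" draft to compute how many packets of a given size can be encrypted under one key before a rekey is due. The 2^-57 target is the safety margin RFC 8446 (TLS 1.3) uses for its own AES-GCM record limit and is assumed here as a policy value; OpenVPN's actual threshold is not stated on this page.

```python
"""Worked example (added, not OpenVPN's code): AES-GCM key usage limits.

Single-user bounds from the CFRG AEAD usage-limits draft for AES-GCM:

    confidentiality advantage (CA) <= (s + q + 1)^2 / 2^129
    integrity advantage       (IA) <= 2 * v * (l + 1) / 2^128

q = packets encrypted under the key, s = total plaintext blocks across them,
l = blocks in the longest packet, v = forgery attempts the receiver verifies.
"""
from fractions import Fraction
import math

BLOCK_BYTES = 16
# Assumed policy target (RFC 8446's margin for TLS 1.3 AES-GCM records).
# This is NOT OpenVPN's configured threshold; that value is not given here.
TARGET_ADVANTAGE = Fraction(1, 2 ** 57)


def blocks(n_bytes: int) -> int:
    """16-byte AES blocks occupied by n_bytes of plaintext (ceil division)."""
    return -(-n_bytes // BLOCK_BYTES)


def confidentiality_advantage(num_packets: int, packet_bytes: int) -> Fraction:
    """CA bound for num_packets packets of uniform size under one key.

    GCM spends a full counter block on each packet's partial last block, so s
    is summed per packet rather than computed from the total byte count.
    """
    q = num_packets
    s = q * blocks(packet_bytes)
    return Fraction((s + q + 1) ** 2, 2 ** 129)


def integrity_advantage(forgery_attempts: int, packet_bytes: int) -> Fraction:
    """IA bound after forgery_attempts rejected packets of at most packet_bytes."""
    l = blocks(packet_bytes)
    return Fraction(2 * forgery_attempts * (l + 1), 2 ** 128)


def max_packets_before_rekey(packet_bytes: int, target: Fraction = TARGET_ADVANTAGE) -> int:
    """Largest q with confidentiality_advantage(q, packet_bytes) <= target.

    (q*l + q + 1)^2 <= target * 2^129  <=>  q*(l+1) + 1 <= isqrt(target * 2^129).
    int() floors the fraction; floor(sqrt(floor(x))) == floor(sqrt(x)), so the
    result stays exact and conservative.
    """
    l = blocks(packet_bytes)
    limit = math.isqrt(int(target * 2 ** 129))
    return (limit - 1) // (l + 1)


def max_forgeries_before_rekey(packet_bytes: int, target: Fraction = TARGET_ADVANTAGE) -> int:
    """Largest v with integrity_advantage(v, packet_bytes) <= target."""
    l = blocks(packet_bytes)
    return int(target * 2 ** 128 / (2 * (l + 1)))


def seconds_until_rekey(packet_bytes: int, packets_per_second: int) -> Fraction:
    """Key lifetime at a constant packet rate, useful for sizing a rekey interval."""
    return Fraction(max_packets_before_rekey(packet_bytes), packets_per_second)


if __name__ == "__main__":
    # Constructed scenario: tunnel payloads near a typical 1400-byte MTU.
    for size in (1400, 16384):
        q = max_packets_before_rekey(size)
        v = max_forgeries_before_rekey(size)
        print(f"{size:>6}-byte packets: rekey after {q:,} packets "
              f"({q * size / 2**40:.2f} TiB); tolerate {v:,} forgeries")
    # At 100k packets/s a 1400-byte stream exhausts the key in ~2.1 hours.
    print(f"lifetime at 100k pps: {float(seconds_until_rekey(1400, 100_000)) / 3600:.1f} h")
```

The rekey threshold scales inversely with packet size, which is why a byte-based limit alone is not sufficient: many small packets consume the bound faster per byte than few large ones, since each packet adds its own `+1` term to both `s` and `q`.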
For routing and external integration, two new environment variables have been introduced. These variables communicate preferred gateway redirection information to external plugins, which is particularly useful for network management software. Furthermore, a modification to the “recursive routing” check helps reduce the number of tunneled packets that are incorrectly dropped when the destination path matches that of the VPN server itself.
This comprehensive update is freely available for download on GitHub.
(Source: HelpNet Security)