OpenVPN 2.4 Has Been Launched - The Patch Notes

OpenVPN has been updated to version 2.4.0. It is the first major release of OpenVPN since 2.3.1 was launched over three years ago. This update contains many fixes and new features; below is a rundown of the most significant changes made in this release.

-----

General Changes - These include updates that improve the compatibility or functionality of specific OpenVPN features in 2.4.0.

Control channel encryption has been improved - tls-crypt gives easier and more granular control over encryption of the control channel. This helps OpenVPN resist the deep packet inspection techniques used to identify and block OpenVPN tunnels.

AEAD mode cipher support - AES in Galois/Counter Mode (AES-GCM) and ChaCha20 are now supported. These algorithms are more efficient on the processor and, if the feature is expanded, may eventually let a single OpenVPN client or server instance use multiple processor cores. That would bring a large performance gain to smartphones, tablets, and other devices with many individually weak cores.

ECDH mode for key exchange - Elliptic Curve Diffie-Hellman (ECDH) key exchange offers more efficient options for establishing connections while keeping strong cryptography. This gives a large performance improvement in the initial connection setup and during renegotiation.

No IV has been removed - This insecure option no longer provided any benefit to OpenVPN in general, and the option to run without an initialization vector (no-iv) has been deprecated.

Greater integration with systemd - systemd is widely used on Linux, with Ubuntu recently adopting it by default in place of its own init system. Improved systemd compatibility eases development going forward, since the software behaves the same across all Linux systems that use systemd.

secure_memzero() - Code has been introduced so that OpenVPN properly wipes secrets such as keys and IVs from memory once they are no longer needed. OpenVPN 2.3 did not properly protect this information.

cmocka remote improvements - cmocka has been improved so that OpenVPN can function on networks where only web and email traffic is allowed through the firewall.

tls-remote has been removed - It has been replaced with the more robust verify-x509-name option.
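As an added check (example code, not part of OpenVPN), the script below flags the 2.3-era options that the notes above retire or supersede: tls-remote, no-iv, a non-AEAD cipher, and a missing tls-crypt. The sample client config, its hostname, the CA block and the key file names are constructed placeholders.

```python
import re

AEAD_CIPHER = re.compile(r'^(AES-(128|192|256)-GCM|CHACHA20-POLY1305)$', re.I)  # 2.4 AEAD modes

def parse_options(text):
    """Return [(option, [args])]; skips comments and inline <ca>..</ca> style blocks."""
    opts, in_block = [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()    # drop whole-line and trailing comments
        if not line or line.startswith(';'):
            continue
        if in_block:                            # certificate/key lines are not options
            if line == '</%s>' % in_block:
                in_block = None
            continue
        tag = re.match(r'<([\w-]+)>$', line)
        if tag:
            in_block = tag.group(1)
            continue
        parts = line.split()
        opts.append((parts[0].lstrip('-'), parts[1:]))
    return opts

def audit(text):
    """Return [(option, advice)] for each 2.3-era setting the 2.4 notes supersede."""
    opts = parse_options(text)
    names = {name for name, _ in opts}
    findings = []
    for name, args in opts:
        if name == 'tls-remote':                # removed in 2.4
            findings.append((name, 'removed; use: verify-x509-name %s name' % ' '.join(args or ['<name>'])))
        elif name == 'no-iv':                   # deprecated in 2.4
            findings.append((name, 'deprecated; remove it so every packet carries an IV'))
        elif name == 'cipher' and args and not AEAD_CIPHER.match(args[0]):
            findings.append((name, '%s is not AEAD; 2.4 supports cipher AES-256-GCM' % args[0]))
    if 'tls-crypt' not in names:                # 2.4 adds control-channel encryption
        findings.append(('tls-crypt', 'not set; add tls-crypt <keyfile> to encrypt the control channel'))
    return findings

# Constructed 2.3-style client config (placeholder hostname and CA block).
SAMPLE_23_CLIENT = """\
remote vpn.example.net 1194   # placeholder hostname
cipher BF-CBC
no-iv
tls-auth ta.key 1
tls-remote vpn-server
<ca>
MIIB-constructed-placeholder-not-a-real-certificate
</ca>
"""
```

Running audit(SAMPLE_23_CLIENT) lists four findings; a config using cipher AES-256-GCM, tls-crypt and verify-x509-name produces none.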

Detect oversized commands - If a command in your config file or script is too long, OpenVPN now throws an error instead of silently crashing or ignoring the command.

Double free error corrected - pf_destroy_context() contained a double free that created a security vulnerability and a possible memory leak in some configurations.

LZ4 support - The LZ4 compression algorithm is now supported.

NULL-pointer crash - A NULL-pointer crash in route_list_add_vpn_gateway() has been corrected.

Significant mbedtls (formerly PolarSSL) improvements - These include fixing memory leaks and improving stability.

NULL-pointer dereference - A NULL-pointer dereference in options.c, a serious security vulnerability, has been fixed.

Improved support for Windows sleep/wake - Behavior when Windows goes to sleep and wakes up has been improved, so restarts are needed less often.

-----

This is a major update to OpenVPN, and we recommend updating to OpenVPN 2.4 as soon as possible.
