Hi all, I am currently in the update process of the already released OpenVPN-2.5.0 --> https://openvpn.net/community-downloads-2/ . The update has been tested and worked so far also with the old default client configuration (tested with 2.4.9 client). There are two warnings -->
1) DEPRECATED OPTION: ncp-disable. Disabling dynamic cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
2) WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
in the server log but it nevertheless works flawlessly.
I am currently working on an "Advanced Encryption Settings" page which currently includes four new directives: --data-ciphers (data channel encryption), --data-ciphers-fallback (data-channel encryption for clients <= OpenVPN-2.3.9), --tls-ciphers (control channel TLSv2 only) and --tls-ciphersuites (control channel >= TLSv3). All options are explained here --> https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html . It works here currently and looks like this:
Button belonging to this page: https://people.ipfire.org/~ummeegge/OpenVPN-2.5.0/screenshots/ovpn_advanced_...
And the page itself: https://people.ipfire.org/~ummeegge/OpenVPN-2.5.0/screenshots/ovpn_advanced_...
You can also see the default settings, where I also need your ideas and comments for maybe better defaults. More is also planned for the page itself, but to not overload this here now, I wanted to go with a two-step procedure for this update.
1) Push the OpenVPN-2.5.0 update with the new ciphers and HMACs for the regular global settings for RW and N2N. An overview of the new crypto can be found here --> https://community.ipfire.org/t/openvpn-2-5-development-version/2173 .
2) I would then push the "Advanced Encryption settings" development as seen above as one patch <-- this would also eliminate the first warning caused by --ncp-disable, since we can then delete this option.
Everything else would come detached from this.
Some feedback might be nice.
Best,
Erik
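
A small check for the two server-log warnings quoted in the message above, as an added example that is not part of the original post or of IPFire's code: it scans an OpenVPN server configuration for `ncp-disable` and `topology net30` and notes whether `data-ciphers` is set. The sample configuration is constructed and the function names are hypothetical.

```python
import shlex

# Constructed sample server config (not taken from the post).
SAMPLE_CONF = """\
# roadwarrior server (constructed sample)
port 1194
proto udp
server 10.8.0.0 255.255.255.0
topology net30
cipher AES-256-CBC
ncp-disable
;data-ciphers AES-256-GCM:CHACHA20-POLY1305
"""

def parse_directives(text):
    """Map directive name -> [(line_no, args)], skipping '#' and ';' comments."""
    found = {}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line, comments=True)  # also drops trailing "# ..."
        if not tokens:
            continue
        name = tokens[0].lstrip("-")  # accept the "--option" spelling too
        found.setdefault(name, []).append((line_no, tokens[1:]))
    return found

def audit(text):
    """Hypothetical helper: return (line_no, directive, note) findings."""
    d = parse_directives(text)
    findings = []
    for line_no, _ in d.get("ncp-disable", []):
        findings.append((line_no, "ncp-disable",
                         "deprecated, to be removed in OpenVPN 2.6"))
    for line_no, args in d.get("topology", []):
        if args[:1] == ["net30"]:
            findings.append((line_no, "topology",
                             "net30 is going away, migrate to topology subnet"))
    if "data-ciphers" not in d:
        findings.append((None, "data-ciphers",
                         "not set, data channel cipher list is left implicit"))
    return findings

if __name__ == "__main__":
    for line_no, name, note in audit(SAMPLE_CONF):
        print(f"line {line_no}: {name}: {note}")
```

The commented-out `;data-ciphers` line in the sample is deliberately ignored, so the check reports the directive as unset.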