Hi Michael,
I suppose Erik is best to upgrade to openvpn 2.4,
Yes, I can try that. It seems that OpenVPN-2.4.3 should be OpenSSL-1.1.0 ready --> https://community.openvpn.net/openvpn/ticket/759#comment:11 . Nevertheless, I found a lot of problems on the net, but most of them used exotic configure options as far as I can see now.
Since Michael Horace supports me in the forum tests, we found some more things where more work needs to be done:

- Have found a bug in the openvpnctrl with a fix --> https://forum.ipfire.org/viewtopic.php?f=50&t=18067&start=30#p112483 .
- Have found another problem in openvpnctrl, currently without a fix (maybe you can also take a look at it; I will send you a separate request).
- The 2.4 version meanwhile refactors the CRL, which means OpenSSL (not OpenVPN) now also checks the "validBefore" and "validAfter" fields. So the problem arises that after 30 days (ovpn.cnf) the CRL needs to be renewed. If nothing has been done until then (revoking is the only function I could find until now which does that), the connection attempt ends in a "VERIFY ERROR: depth=0, error=CRL has expired:" and won't come up. <-- Michael is working there on a cronjob --> https://forum.ipfire.org/viewtopic.php?f=50&t=18067&start=30#p112586 .

One positive thing is:

- Sometime after 2.4.0 a smoother transition from 2.3.x to 2.4.x seems to be possible, since the cipher negotiation "--ncp-cipher cipher_list" can be used beside the regular "--cipher alg" choice, and OpenVPN checks if the client is 2.4 ready; if not, the old ciphers will be used, which was not possible in my first tests (after checking this, I need to change some things in the CGI).
As far as I can see, the time is very short (my free time is currently also a little rare), so I tend to leave out all the nice-to-have features and try to deliver a must-have first?
Greetings,
Erik
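
A check that a cron job could run for the CRL expiry described in the message above, given as an added example that is not part of the original message and not IPFire code: it reads the CRL's `nextUpdate` time with `openssl crl` and reports when fewer than a given number of days remain. The 7-day default, the function names and all file names are assumptions, and it relies on the openssl CLI and GNU `date`.

```shell
#!/bin/sh
# Added example (not IPFire code). Assumes the openssl CLI and GNU date.

# Print the seconds left until the CRL's nextUpdate; fail if it cannot be read.
crl_seconds_left() {
    next=$(openssl crl -in "$1" -noout -nextupdate 2>/dev/null) || return 1
    next=${next#nextUpdate=}              # e.g. "Jul 10 12:00:00 2017 GMT"
    [ -n "$next" ] && [ "$next" != "NONE" ] || return 1
    end=$(date -u -d "$next" +%s) || return 1
    echo $(( end - $(date -u +%s) ))
}

# Exit 0 when the CRL expires within $2 days, or is unreadable (fail closed).
crl_needs_renewal() {
    left=$(crl_seconds_left "$1") || return 0
    [ "$left" -lt $(( $2 * 86400 )) ]
}

# Build a throwaway CA and an empty CRL valid for $2 days in directory $1.
# Everything here is constructed test data, not a real PKI.
make_constructed_crl() {
    ( cd "$1" || exit 1
      printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
          '[ca]' 'default_ca = c' '[c]' 'database = index.txt' \
          'default_md = sha256' > ca.cnf
      : > index.txt
      openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf \
          -subj '/CN=Constructed Test CA' -days 2 \
          -keyout ca.key -out ca.crt 2>/dev/null &&
      openssl ca -gencrl -config ca.cnf -cert ca.crt -keyfile ca.key \
          -crldays "$2" -out crl.pem 2>/dev/null )
}

# With a path argument, check that CRL; without one, demo on a constructed CRL.
if [ $# -ge 1 ]; then
    crl=$1
else
    tmp=$(mktemp -d) && make_constructed_crl "$tmp" 30 && crl=$tmp/crl.pem
fi
if crl_needs_renewal "$crl" "${2:-7}"; then
    echo "CRL $crl is missing, unreadable or expires within ${2:-7} days"
else
    echo "CRL $crl is valid for more than ${2:-7} days"
fi
[ -z "${tmp:-}" ] || rm -rf "$tmp"
```

Run from cron with the CRL path and a day threshold as arguments, the first branch is the point at which the CRL would be regenerated before clients start failing verification.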