
OpenVPN

Product
Developers: OpenVPN Inc.
Date of the premiere of the system: 2022/03/17
Last Release Date: 2023/01/25
Technology: VPN - Virtual Private Networks


Main article: VPN and privacy (anonymity)

OpenVPN is a free, open-source implementation of virtual private network (VPN) technology for creating encrypted point-to-point or server-to-client channels between computers. It allows connections to be established between computers located behind NAT and a firewall without changing their settings. OpenVPN was created by James Yonan and is distributed under the GNU GPL license[1][2].

2023

Russian telecom operators massively block VPN protocols OpenVPN and WireGuard

Russian telecom operators, including MTS, Beeline, MegaFon, Tele2, Yota and Tinkoff Mobile, massively block the OpenVPN and WireGuard VPN protocols, which are popular in the corporate environment, in particular among large companies. This became known on August 7, 2023.

The largest number of complaints came from Moscow and the Moscow region, St. Petersburg and the Leningrad region, as well as Tatarstan, the project "On Communications" reported. According to the project, connections using the WireGuard, OpenVPN, IPsec, Shadowsocks and IKEv2 protocols worked poorly or did not work at all. Among the services affected by the failure are Psiphon, VPN Generator, Lantern, Windscribe, Tachyon, Betternet, Cloudflare, Urban VPN, Amnezia and others.


As the Terona VPN team noted, problems with VPN operation are indeed observed, especially often from mobile devices. As the reason, they cite the "next wave of Roskomnadzor blocking," which after OpenVPN has moved on to WireGuard. The service promised to switch soon to "more blocking-resistant protocols."

"We can say for sure that Roskomnadzor has stepped up its efforts. This has never happened before. It used to be in several regions, a little bit, at night, usually on weekends. And here it is on a weekday, for a long time, in a lot of regions, and the methods of blocking were also different. So there is a suspicion that this is a global check of how well everything works, how effective the blocking is. Business really does not like to advertise such things, but I want to note that it did hurt quite a bit. In the sense that the large ones were not hurt, and the small ones we either do not hear from, or they keep silent," said IT expert and author of the Esher II Telegram channel Philip Kulin on August 8, 2023.

OpenVPN is usually used not so much to bypass restrictions and gain access to blocked sites as in the corporate sector, where large Russian companies use it as a tool for authenticating their employees.[3]

OpenVPN 2.6.0

On January 25, 2023, it became known that, two and a half years after the publication of the 2.5 branch, the release of OpenVPN 2.6.0 had been prepared. OpenVPN is a package for creating virtual private networks that allows an encrypted connection to be organized between two client machines, or a centralized VPN server to be run for the simultaneous operation of several clients. The OpenVPN code is distributed under the GPLv2 license; ready-made binary packages are built for Debian, Ubuntu, CentOS, RHEL and Windows.

OpenVPN 2.6.0. Illustration: pcprogs.net.

As reported, the main changes affected the following:

  • There is support for an unlimited number of connections.
  • The package includes an ovpn-dco kernel module that optimizes VPN performance. The optimization is achieved by moving all encryption operations, packet processing and control of the communication channel to the Linux kernel side, which eliminates the overhead associated with context switching, makes it possible to optimize work by directly accessing internal kernel APIs, and eliminates slow data transfer between the kernel and user space (encryption, decryption and routing are performed by the module without passing traffic to a handler in user space).
  • In the tests performed compared to the tun interface configuration, the use of a client-side module and a server using the AES-256-GCM cipher allowed an increase in bandwidth by 8 times (from 370 Mbit/s to 2950 Mbit/s). When using the module only on the client side, the throughput has tripled for outbound traffic and has not changed for inbound traffic. When using the module on the server side only, the throughput increased by 4 times for incoming traffic and by 35% for outgoing traffic.
  • It is possible to use TLS mode with self-signed certificates (when using the "--peer-fingerprint" option, the "--ca" and "--capath" parameters need not be specified, and there is no need to run a PKI based on Easy-RSA or similar software).
  • The UDP server implements a cookie-based connection negotiation mode, in which the session identifier is an HMAC-based cookie, allowing the server to perform verification without keeping state.
  • Added support for building with OpenSSL 3.0 library. The parameter "--tls-cert-profile insecure" was added to select the minimum level of OpenSSL security.
  • Additional remote-entry-count and remote-entry-get management commands have been added to count the configured remote entries and display their list.
  • In the key negotiation process, the preferred method of obtaining material for key generation is now the EKM mechanism (Exported Keying Material, RFC 5705) instead of the OpenVPN-specific PRF mechanism. EKM requires OpenSSL or mbed TLS 2.18+.
  • Compatibility with OpenSSL in FIPS mode is provided, which allows you to use OpenVPN on systems that meet the FIPS 140-2 security requirements.
  • When mlock is used, it is verified that a sufficient amount of memory can be locked. If less than 100 MB of RAM is available, setrlimit() is called to raise the limit.
  • The "--peer-fingerprint" option was added to verify a certificate by its SHA256 fingerprint, without using tls-verify.
  • For scripts, the possibility of deferred authentication is provided, implemented using the --auth-user-pass-verify option. Scripts and plugins have added support for informing the client about pending authentication when applying deferred authentication.
  • Compatibility mode (--compat-mode) has been added, allowing you to connect to older servers that use OpenVPN 2.3.x or older.
  • In the list passed through the parameter "--data-ciphers," it is allowed to specify the prefix "?" to determine optional ciphers that will be used only if there is support in the SSL library.
  • Added the option "--session-timeout" with which you can limit the maximum session time.
  • The configuration file allows a user name and password to be specified inline using the <auth-user-pass> tag.
  • It is possible to dynamically configure the client MTU based on the MTU data transmitted by the server. To change the maximum MTU size, the option "--tun-mtu-max" (1600 by default) has been added.
  • The --max-packet-size parameter has been added to determine the maximum size of control packets.
  • Support for launching OpenVPN via inetd has been removed. The ncp-disable option has been removed. The verify-hash option and static key mode (only TLS mode remains) are declared obsolete. The TLS 1.0 and 1.1 protocols are declared obsolete (the tls-version-min parameter is set to 1.2 by default). The built-in pseudo-random number generator (--prng) has been removed; the PRNG implementation from the mbed TLS or OpenSSL crypto libraries should be used instead. PF (Packet Filtering) has been discontinued. Compression is disabled by default (--allow-compression=no).
  • CHACHA20-POLY1305 has been added to the default cipher list[4].

2022: OpenVPN 2.5.6 and 2.4.12 Release with Vulnerability Remediation

Corrective releases OpenVPN 2.5.6 and 2.4.12 have been prepared. OpenVPN is a package for creating virtual private networks that allows an encrypted connection to be organized between two client machines, or a centralized VPN server to be run for the simultaneous operation of several clients. This became known on March 17, 2022. The OpenVPN code is distributed under the GPLv2 license; ready-made binary packages are built for Debian, Ubuntu, CentOS, RHEL and Windows.

These versions fix a vulnerability that potentially allowed authentication to be bypassed through manipulation of external plugins supporting deferred authentication (deferred_auth) mode. The problem arose when several plugins sent deferred authentication responses, which could allow an external user to gain access with not fully correct credentials. Starting with the OpenVPN 2.5.6 and 2.4.12 releases, an attempt by several plugins to use deferred authentication results in an error.

Other changes include the addition of the sample-plugin/defer/multi-auth.c plugin, which can be useful for testing the simultaneous use of different authentication plugins in order to avoid vulnerabilities like the one discussed above in the future. The "--mtu-disc maybe|yes" option has been fixed on the Linux platform. A memory leak in addition procedures has been fixed[5][6].
