OpenVPN-NL

OpenVPN-NL lifecycle

The OpenVPN-NL lifecycle

Current release

The current release of OpenVPN-NL is based on:

Required cryptographic options:

OpenVPN-NL is available as compiled installable packages for the following platforms:

The source code is available as a tarball as well, but not supported.

The current release of the Deployment Advisory is Version 1.3

Releases

Deployment advisory Build Status Notes
OpenVPN-NL v1.3 2.4.4-nl1 Current This release is based on OpenVPN 2.4.4 and mbed TLS 2.6.0. This release adds GCM mode, Control Channel encryption, better support for roaming clients and many other new features. (announcement)
2.3.9-nl4 Deprecated This release is based on OpenVPN 2.3.9 and PolarSSL to 1.2.19. This release removes support for the less secure key-method 1 data channel key exchange. (announcement)
2.3.9-nl3 Untrusted This release is based on OpenVPN 2.3.9 and PolarSSL to 1.2.19. A number of security issues in OpenVPN are fixed. (announcement)
2.3.9-nl2 Untrusted This release is based on OpenVPN 2.3.9 and PolarSSL to 1.2.19. A number of minor security issues in both OpenVPN and PolarSSL are fixed. (announcement)
2.3.8-nl1 Untrusted This release is based on OpenVPN 2.3.8 and PolarSSL to 1.2.15. A number of minor security issues in PolarSSL are fixed. (announcement)
2.3.5-nl3 Untrusted Fixes a remote exploitable vulnerabilty in PolarSSL's ASN1 sequence parsing. (announcement)
2.3.5-nl2 Untrusted New fix for a denial-of-service vulnerabilty in OpenVPN-NL server control channel message parsing. This release is based on OpenVPN 2.3.5. (announcement)
2.3.5-nl1 Untrusted New PolarSSL (1.2.12), which includes a fix for a denial-of-service vulnerabilty in X509 parsing. This release is based on OpenVPN 2.3.5. (announcement)
2.3.4-nl1 Untrusted New PolarSSL (1.2.11), which includes a fix for a denial-of-service vulnerabilty when GCM TLS cipher suites are used. This release is based on OpenVPN 2.3.4. (announcement)
2.3.2-nl2 Untrusted New PolarSSL (1.2.10), which includes a fix for a possible side-channel attack. This release is based on OpenVPN 2.3.2. (announcement)
2.3.2-nl1 Untrusted New PolarSSL (1.2.8), which includes a fix for a denial-of-service exploit during a TLS handshake. This release is based on OpenVPN 2.3.2. (announcement)
2.3.1-nl1 Untrusted New OpenVPN-NL release, based on OpenVPN 2.3.1. This release upgrades PolarSSL to version 1.2.6 and adds support for AES-GCM TLS ciphers. (announcement)
OpenVPN-NL v1.2 2.1.4-fox6 Untrusted New PolarSSL RNG based on multiple entropy sources; deployment advisory updated with a new section about virtual machines. (announcement)
OpenVPN-NL v1.1 2.1.4-fox5 Untrusted Deployment advisory update: advises against the use of OpenVPN-NL on virtual machines, pending investigation. (announcement)
OpenVPN-NL v1.0 2.1.4-fox5 Untrusted Initial release. Secure on bare metal PCs, random number generation may be insecure on certain virtual machines

New releases

The following events can trigger new releases:

Releases which address security issues will be released as quickly as possible, other releases will be dealt with at a more planned pace.

In line with the upstream OpenVPN policy, new releases of OpenVPN-NL will if possible, be backwards compatible in the sense that two different OpenVPN(-NL) releases can connect to one another (they do not break the protocol), and that new OpenVPN(-NL) releases can read the configuration files of older versions of OpenVPN(-NL).

Announcements

When a new release of OpenVPN-NL is available, this will always be announced through the OpenVPN-NL mailing list. This is a low-volume read-only mailing list for this purpose only. Announcements include a statement on whether the new release addresses security issues.

New upstream OpenVPN releases

New upstream OpenVPN releases may add new functionality. While the basic attitude is to adopt these new functions into OpenVPN-NL, this is not guaranteed. Some new functionality may not be adopted for practical or security reasons.

New and old releases of a Linux platform

If one of the supported Linux platforms has a new release, the following will happen:

Windows: special notes on XP, Vista, 10 and future versions

Compared to Linux, Windows is a rather complicated platform to build packages for. Counted in man-hours of work, the majority of time is dedicated to supporting the Windows platform. The Windows release of OpenVPN will be tested against 7, 2008 Server, and 8.1.

Source code

The source code of OpenVPN-NL finds its way to the public via two channels:

Old releases

A specific release for a platform is always in one of the following three states:

The state of a release always moves down, and may skip the deprecated state. For example, a current release might directly become untrusted/insecure, skipping the deprecated state. A release in the deprecated state may quickly advance into the untrusted/insecure state.

On the OpenVPN-NL website, current and deprecated releases will be available for download, but untrusted/insecure versions and their corresponding source code will never be available for download. Untrusted/insecure versions or corresponding source code will also not be available via other channels from NBV or Fox-IT.

System administrators that for some reason are dependent on a specific release of OpenVPN should be aware that it may become untrusted/insecure at some time in the future. Workarounds might exist which mitigate the vulnerabilities in a specific context to some extent. However, such an untrusted/insecure release will no longer be available for download, so the administrator that heavily depends on such a particular release might choose to pre-emptively hold a backup of the OpenVPN-NL release. Nevertheless, under all circumstances, NBV advises to use a current OpenVPN-NL release.

When an OpenVPN-NL release moves into the untrusted/insecure state, this will be announced on the OpenVPN-NL mailing list. This announcement will typically be complemented with the announcement of a new release.