OpenVPN version 2.7.0 is now available. The update advances support for multi-address server configurations and updates client functionality across operating systems. The release includes enhancements in data channel handling and support for evolving kernel and cryptographic components.

OpenVPN 2.7.0

Server enhancements

Version 2.7.0 adds multi-socket support for server instances. This allows servers to manage multiple addresses, ports, and protocols from a single process. The change aims to simplify configurations where services listen on more than one interface or need to handle different transport options concurrently.

The new release also includes preliminary support for the upstream DCO Linux kernel module. This module, which is expected to appear in future Linux kernels, replaces the earlier out-of-tree ovpn-dco-v2 driver. Backported versions of the upstream module will be available through related projects for current kernels.

Client and control channel updates

Client support for DNS options has been improved across Linux, BSD, and macOS platforms. A new Windows client implementation is also included, offering control channel features such as split DNS and DNSSEC handling.

The control channel gains support for a PUSH_UPDATE message. This allows servers to update client options like routing or DNS configuration during an active session without triggering a reconnect. New management interface commands accompany this update to broadcast and target these option changes.

Windows platform changes

Architectural adjustments affect how OpenVPN operates on Windows. The block-local flag now uses Windows Filtering Platform filters. Network adapters are generated on demand, and automatic service execution occurs under unprivileged user contexts. Support for server mode in the win-dco driver is part of this release, with tap-windows6 remaining available as a fallback.

Data channel and cryptography

The release includes updated data channel handling, such as enforced usage limits for AES-GCM. Support for epoch data keys and an updated packet format are integrated. The codebase adds support for TLS 1.3 when paired with certain newer cryptographic libraries, and compatibility with mbedTLS version 4 is present.

Routing and environment controls

Two environment variables have been introduced to communicate preferred gateway redirection to external plugins, such as those used in network management software. A “recursive routing” check has changed to drop fewer tunneled packets when the destination matches the VPN server path.

OpenVPN 2.7.0 is available for free on GitHub.
