1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
|
openvpn (2.4.9-3) unstable; urgency=medium
To ensure the functionality of OpenVPN connections during an update,
OpenVPN is not restarted after the update since this version.
Please restart OpenVPN or reboot the computer manually after the update.
-- Jörg Frings-Fürst <debian@jff.email> Sat, 02 May 2020 12:11:51 +0200
openvpn (2.4.0-4) unstable; urgency=medium
If you're upgrading a previous OpenVPN installation, you should check your
current CRL file expiraton date. "crl-verify" option now also checks that.
Regenerate your CRL file if the expiration date is in the past or your
clients won't be able to connect.
OpenVPN 2.4 will try to connect using IPv6 first if you're using a hostname
with both A and AAAA entries, if your VPN server is still running a
previous (<2.4) version a long wait may occur until your 2.4 client tries
with the IPv4 address.
-- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 02 Feb 2017 14:15:42 +0100
openvpn (2.4.0-1) unstable; urgency=medium
OpenVPN 2.4 removed tls-remote option. Current setups using that option
will fail to work. Update your configuration to use verify-x509-name
instead.
-- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 27 Dec 2016 22:50:20 +0100
openvpn (2.3~rc1-1) experimental; urgency=low
auth-pam and down-root plugins renamed to:
openvpn-plugin-auth-pam.so
openvpn-plugin-down-root.so
-- Alberto Gonzalez Iniesta <agi@inittab.org> Tue, 06 Nov 2012 13:22:13 +0100
openvpn (2.1~rc15-1) unstable; urgency=low
The openvpn utility changed its handling of pkcs11 certificates when it
switched from built-in code to the pkcs11-helper library (package
libpkcs11-helper1 on Debian). This means that you will have to update your
openvpn configuration files if you are using such certificates. For
example, a stanza in a configuration file might previously have referred to
a given pkcs11 certificate like this:
pkcs11-providers /usr/lib/opensc-pkcs11.so
pkcs11-slot-type id
pkcs11-slot 0
pkcs11-id-type label
pkcs11-id "YOUR_LABEL"
This stanza has to be rewritten now in the following way:
pkcs11-providers /usr/lib/opensc-pkcs11.so
pkcs11-id 'YOUR_PKCS11_SERIALIZED_ID'
The pkcs11-slot, pkcs11-slot-type, pkcs11-id-type options are obsolete;
a long ID string that is unique for each certificate is now used as the
only identifier. Note that YOUR_PKCS11_SERIALIZED_ID will almost
certainly be different from YOUR_LABEL that you used previously with the
pkcs11-id option. To find out the correct serialized ID(s) for your
certificate(s), you have to query the pkcs11-provider library:
$ openvpn --show-pkcs11-ids /usr/lib/opensc-pkcs11.so
The following objects are available for use.
Each object shown below may be used as parameter to --pkcs11-id option
please remember to use single quote mark.
Certificate
DN: /CN=YOUR_USER
Serial: SERIAL_NUMBER
Serialized id: YOUR_PKCS11_SERIALIZED_ID
You have to paste YOUR_PKCS11_SERIALIZED_ID as seen in this output into
your openvpn configuration file and make sure that the string is enclosed
in single quotation marks.
The example above assumes that your cryptographic token can be accessed
via the opensc-pkcs11.so library from libopensc2. If you have to use
another library, for example a proprietary driver from the vendor of your
token, then you have to adapt both the stanza in the configuration file
and the path given on the command line accordingly.
Florian Kulzer
-- Alberto Gonzalez Iniesta <agi@inittab.org> Thu, 30 Apr 2009 12:35:05 +0200
openvpn (2.1~rc9-3) unstable; urgency=low
Calling of external commands/scripts
Starting with version 2.1~rc9, openvpn has a new option to control the
ability to execute external commands (--script-security).
By default (script-security 1) it will only allow the execution of
built-in commands (ip, ifconfig, route,...). If you require the execution
of external commands, such as /etc/openvpn/update-resolv-conf, you'll have
to include the following option in your configuration file:
script-security 2
-- Alberto Gonzalez Iniesta <agi@inittab.org> Sat, 16 Aug 2008 13:34:24 +0200
|