Commit Graph

7 Commits

Author SHA1 Message Date
Paul Donald 6b054c6cef openvpn: drop unused eurephia
This plugin has not seen updates to keep it synchronised
with recent openvpn, nor any updates in the last several
years. It relies on the SHA1 algo which is deprecated,
and iptables. ovpn has its own management interface.

Signed-off-by: Paul Donald <newtwen+github@gmail.com>
https://github.com/openwrt/packages/pull/28533
2026-02-22 11:54:13 +02:00
Paul Donald 90d5a8ce35 openvpn: enable management interface
This eases management of live servers via its socket
interface.

Signed-off-by: Paul Donald <newtwen+github@gmail.com>
https://github.com/openwrt/packages/pull/28533
2026-02-22 11:54:13 +02:00
Paul Donald 0ff7aa62fc openvpn: disable compression in builds
If you need the security risks of using compression,
make a custom build.

Signed-off-by: Paul Donald <newtwen+github@gmail.com>
https://github.com/openwrt/packages/pull/28533
2026-02-22 11:54:13 +02:00
Dennis Camera 11e17a3ed6 openvpn: enable DCO by default
Enable the DCO option by default in the openvpn package to allow for
better performance and have a use case for kmod-ovpn-dco-v2 :-)

Signed-off-by: Dennis Camera <dennis.camera+openwrt@riiengineering.ch>
2025-06-18 15:31:14 +02:00
Ivan Pavlov 04d25b2bc1 openvpn: update to 2.6.11
This is a bugfix release containing several security fixes.

Security fixes
--------------
 - CVE-2024-4877: Windows: harden interactive service pipe.
   Security scope: a malicious process with "some" elevated privileges
   could open the pipe a second time, tricking openvpn GUI
   into providing user credentials (tokens), getting full access
   to the account openvpn-gui.exe runs as.

 - CVE-2024-5594: control channel: refuse control channel messages
   with nonprintable characters in them.
   Security scope: a malicious openvpn peer can send garbage to openvpn log,
   or cause high CPU load.

 - CVE-2024-28882: only call schedule_exit() once (on a given peer).
   Security scope: an authenticated client can make the server "keep the session"
   even when the server has been told to disconnect this client

Bug fixes
---------
 - fix connect timeout when using SOCKS proxies

 - work around LibreSSL crashing on OpenBSD 7.5 when enumerating ciphers

 - Add bracket in fingerprint message and do not warn about missing verification

For details refer to https://github.com/OpenVPN/openvpn/blob/v2.6.11/Changes.rst

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
2024-06-21 15:28:10 -07:00
Martin Schiller 0eedafdbda openvpn: update to 2.6.5 and add DCO support
This commit updates openvpn to version 2.6.5 and adds DCO support.

There are several changes:

- Starting with version 2.6.0, the sources are only provided as .tar.gz
  file.

- removed OPENVPN_<variant>_ENABLE_MULTIHOME:
  multihome support is always included and cannot be disabled anymore
  with 2.6.x.

- removed OPENVPN_<variant>_ENABLE_DEF_AUTH:
  deferred auth support is always included and cannot be disabled
  anymore with 2.6.x.

- removed OPENVPN_<variant>_ENABLE_PF:
  PF (packet filtering) support was removed in 2.6.x.

- The internal lz4 library was removed in 2.6.x; we now use the liblz4
  package if needed

- To increase reproducibility, _DATE_ is only used for development
  builds and not in release builds in 2.6.x.

- wolfSSL support was integrated into upstream openvpn

- DES support was removed from openvpn

The first two wolfSSL patches were created following these 2 commits:
https://github.com/OpenVPN/openvpn/commit/4cf01c8e4381403998341aa32f79f4bf24c7ccb1
https://github.com/OpenVPN/openvpn/commit/028b501734b4a57dc53edb8b11a4b370f5b99e38

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2023-07-24 22:50:06 -07:00
Ivan Pavlov 1813c82ff3 openvpn: enable using wolfSSL cryptographic API engine
Support for wolfSSL has been upstreamed to the master OpenVPN branch
in f6dca235ae560597a0763f0c98fcc9130b80ccf4 so we can use wolfSSL
directly in OpenVPN. So a different SSL engine is no longer needed for OpenVPN
in systems based on the wolfSSL library.
Compiled && tested on ramips/mt7620, ramips/mt7621

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
2021-06-13 13:07:15 +03:00