Releases: OpenVPN/openvpn

v2.6.17

28 Nov 19:33

Security fixes:

  • CVE-2025-13751: Windows/interactive service: fix erroneous exit on error that could be
    used by local Windows users to achieve a local denial-of-service

Bug fixes:

  • Windows/interactive service: improve service pipe robustness against
    file access races (uuid) and access by unauthorized processes (ACL).
  • upgrade bundled build instructions (vcpkg and patch) for pkcs11-helper
    to 1.31, fixing a parser bug

Windows Client: Community MSI installer for Windows client can be found at Community Downloads.

Linux Packages: Instructions for installing community-maintained Linux packages can be found in the Community Wiki.

Full Changelog: v2.6.16...v2.6.17

v2.6.16

18 Nov 18:37

Security fixes:

  • CVE-2025-13086: Fix memcmp check for the HMAC verification in the 3-way handshake.
    This bug renders the HMAC-based protection against state exhaustion on
    receiving spoofed TLS handshake packets in the OpenVPN server ineffective.

Bug fixes:

  • fix invalid pointer creation in tls_pre_decrypt() - technically this is
    a memory over-read issue; in practice, compilers optimize it away,
    so no negative effects could be observed.
  • Windows: in the interactive service, fix the "undo DNS config" handling.
  • Windows: in the interactive service, disallow use of "stdin" for the
    config file, unless the caller is an authorized OpenVPN Administrator
  • Windows: in the interactive service, change all netsh calls to use
    interface index and not interface name - sidesteps all possible attack
    avenues with special characters in interface names.
  • Windows: in the interactive service, improve error handling in
    some "unlikely to happen" paths.
  • auth plugin/script handling: properly check for errors in creation of
    $auth_failed_reason_file (arf).
  • for incoming TCP connections, close-on-exec option was applied to
    the wrong socket fd, leaking socket FDs to child processes.
  • sitnl: set close-on-exec flag on netlink socket
  • ssl_mbedtls: fix missing perf_pop() call (optional performance profiling)

Windows Client: Community MSI installer for Windows client can be found at Community Downloads.

Linux Packages: Instructions for installing community-maintained Linux packages can be found in the Community Wiki.

Full Changelog: v2.6.15...v2.6.16

v2.6.15

17 Nov 15:45

Bug fixes:

  • on Windows, do not use "wmic.exe" any longer to set DNS search domain
    (discontinued by Microsoft), use a "powershell" fragment instead.
  • on Windows, logging to the Windows event log has been improved
    (and logging of GetLastError() strings repaired). To make this work,
    a new "openvpnmsgserv.dll" library is now installed and registered.
  • DNS domain names are now strictly validated with a positive-list of
    allowed characters (including UTF-8 high-bit-set bytes) before being
    handed to powershell.
  • Apply more checks to incoming TLS handshake packets before creating
    new state - namely, verify message ID / acked ID for "valid range for
    an initial packet". This fixes a problem with clients that float
    very early but send control channel packets from the pre-float IP
    (GitHub: OpenVPN/openvpn#704), backported from 2.7_beta1.
  • backport handling of client float notifications on FreeBSD 14/STABLE DCO
    (see https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289303)
  • update GPL license text to latest version from FSF
  • on Linux, on interfaces where applicable, OpenVPN explicitly configures
    the broadcast address again. This was dropped for 2.6.0 "because
    computers are smart and can do it themselves", but the kernel netlink
    interface isn't, and will install "0.0.0.0". This does not normally
    matter, but for broadcast-based applications that get the address to
    use from "ifconfig", this change repairs functionality.

Windows Client: Community MSI installer for Windows client can be found at Community Downloads.

Linux Packages: Instructions for installing community-maintained Linux packages can be found in the Community Wiki.

Full Changelog: v2.6.14...v2.6.15

v2.6.14

02 Apr 17:55

Security fixes:

  • CVE-2025-2704: fix possible ASSERT() on OpenVPN servers using --tls-crypt-v2
    Security scope: OpenVPN servers between 2.6.1 and 2.6.13 using
    --tls-crypt-v2 can be made to abort with an ASSERT() message by
    sending a particular combination of authenticated and malformed packets.
    To trigger the bug, a valid tls-crypt-v2 client key is needed, or
    network observation of a handshake with a valid tls-crypt-v2 client key.
    No crypto integrity is violated, no data is leaked, and no remote
    code execution is possible.
    This bug does not affect OpenVPN clients.
    (Bug found by internal QA at OpenVPN Inc)

Bug fixes:

  • Linux DCO: repair source IP selection for --multihome (Qingfang Deng)

Windows Client: Community MSI installer for Windows client can be found at Community Downloads.

Linux Packages: Instructions for installing community-maintained Linux packages can be found in the Community Wiki.

Full Changelog: v2.6.13...v2.6.14

v2.6.13

15 Jan 15:17

Feature changes:

  • on non-Windows clients (MacOS, Linux, Unix) send "release" string from uname() call as IV_PLAT_VER to server - while highly OS specific this is still helpful to keep track of OS versions used on the client side (#637)
  • Windows: protect cached username, password and token in client memory (using the CryptProtectMemory() windows API)
  • Windows: use new API to get dco-win driver version from driver (newly introduced non-exclusive control device) (OpenVPN/ovpn-dco-win#76)
  • Linux: pass --timeout=0 argument to systemd-ask-password, to avoid default timeout of 90 seconds ("console prompting also has no timeout") (#649)

Security fixes:

  • improve server-side handling of clients sending usernames or passwords longer than USER_PASS_LEN - this would not result in a crash, buffer overflow or other security issues, but the server would then misparse incoming IV variables and produce misleading error messages.

Notable bug fixes:

  • FreeBSD DCO: fix memory leaks in nvlist handling (#636)
  • purge proxy authentication credentials from memory after use (if --auth-nocache is in use)

Windows Client: Community MSI installer for Windows client can be found at Community Downloads.

Linux Packages: Instructions for installing community-maintained Linux packages can be found in the Community Wiki.

Full Changelog: v2.6.12...v2.6.13

v2.5.11

18 Jul 14:59

Security fixes:

  • CVE-2024-5594: control channel: refuse control channel messages with
    nonprintable characters in them. Security scope: a malicious openvpn
    peer can send garbage to openvpn log, or cause high CPU load.
    (Reynir Björnsson)

    (Backport of the security fix in 2.6.11 and the fix for the bugfix
    in 2.6.12)

Full Changelog: v2.5.10...v2.5.11

v2.6.12

18 Jul 11:44

Bug fixes:

  • the fix for CVE-2024-5594 (refuse control channel messages with
    nonprintable characters) was too strict, breaking user configurations
    with AUTH_FAIL messages having trailing CR/NL characters. This often
    happens if the AUTH_FAIL reason is set by a script. Strip those before
    testing the command buffer (github: #568). Also, add unit test.
  • Http-proxy: fix bug preventing proxy credentials caching (trac #1187)

Windows Client: Community MSI installer for Windows client can be found at Community Downloads.

Linux Packages: Instructions for installing community-maintained Linux packages can be found in the Community Wiki.

Full Changelog: v2.6.11...v2.6.12

v2.6.11

20 Jun 12:17

Security fixes:

  • CVE-2024-4877: Windows: harden interactive service pipe.
    Security scope: a malicious process with "some" elevated privileges
    (SeImpersonatePrivilege) could open the pipe a second time, tricking
    openvpn GUI into providing user credentials (tokens), getting full
    access to the account openvpn-gui.exe runs as.
    (Zeze with TeamT5)
  • CVE-2024-5594: control channel: refuse control channel messages with
    nonprintable characters in them. Security scope: a malicious openvpn
    peer can send garbage to openvpn log, or cause high CPU load.
    (Reynir Björnsson)
  • CVE-2024-28882: only call schedule_exit() once (on a given peer).
    Security scope: an authenticated client can make the server "keep the
    session" even when the server has been told to disconnect this client
    (Reynir Björnsson)
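
As an added illustration (not OpenVPN's own code) of the check described in the CVE-2024-5594 entry above and its 2.6.12 follow-up: trailing CR/LF that a script may have appended are stripped before the command buffer is tested, and any remaining non-printable byte causes the message to be refused. The buffer size, function names and sample message are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative re-implementation, not OpenVPN's code: a control channel message
 * passes only if, once trailing CR/LF are removed, every byte is printable ASCII. */

/* Remove trailing '\r' and '\n' in place; returns the new length. */
static size_t strip_trailing_crlf(char *msg, size_t len)
{
    while (len > 0 && (msg[len - 1] == '\r' || msg[len - 1] == '\n')) {
        msg[--len] = '\0';
    }
    return len;
}

/* Printable ASCII is 0x20 (space) .. 0x7e (tilde); control bytes and
 * high-bit bytes are refused. */
static bool string_is_printable(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < 0x20 || c > 0x7e) {
            return false;
        }
    }
    return true;
}

/* Copy msg into a bounded command buffer (size chosen by the caller), strip the
 * trailing line ending, then apply the printable check. True = may be parsed. */
bool control_msg_acceptable(const char *msg, char *buf, size_t bufsize)
{
    size_t len = strlen(msg);
    if (len >= bufsize) {
        return false;            /* does not fit the command buffer */
    }
    memcpy(buf, msg, len);
    buf[len] = '\0';
    len = strip_trailing_crlf(buf, len);
    return string_is_printable(buf, len);
}

int main(void)
{
    char buf[256]; /* constructed sample message, not captured traffic */
    printf("%d\n", control_msg_acceptable("AUTH_FAILED,wrong password\r\n", buf, sizeof(buf)));
    return 0;
}
```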

New features:

  • Windows Crypto-API: Implement Windows CA template match for searching
    certificates in windows crypto store.
  • Support pre-created DCO interface on FreeBSD (OpenVPN would fail to
    set ifmode p2p/subnet otherwise)

Bug fixes:

  • Fix connect timeout when using SOCKS proxies (trac #328, github #267)
  • Work around LibreSSL crashing on OpenBSD 7.5 when enumerating ciphers
    (LibreSSL bug, already fixed upstream, but not backported to OpenBSD 7.5,
    see also libressl/openbsd#150)
  • Add bracket in fingerprint message and do not warn about missing
    verification (github #516)

Documentation:

  • Remove "experimental" denotation for --fast-io
  • Correctly document ifconfig_* variables passed to scripts
  • Documentation: make section levels consistent
  • Samples: Update sample configurations (remove compression & old cipher settings, add more informative comments)

Windows Client: Community MSI installer for Windows client can be found at Community Downloads.

Linux Packages: Instructions for installing community-maintained Linux packages can be found in the Community Wiki.

Full Changelog: v2.6.10...v2.6.11

v2.5.10

22 Mar 13:49

Security fixes:

  • CVE-2024-27459: Windows: fix a possible stack overflow in the interactive service component which might lead to a local privilege escalation. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
  • CVE-2024-24974: Windows: disallow access to the interactive service pipe from remote computers. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
  • CVE-2024-27903: Windows: disallow loading of plugins from untrusted installation paths, which could be used to attack openvpn.exe via a malicious plugin. Plugins can now only be loaded from the OpenVPN install directory, the Windows system directory, and possibly from a directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
  • CVE-2024-1305: Windows TAP driver: Fix potential integer overflow in TapSharedSendPacket. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>

Windows Client: Community MSI installer for Windows client can be found at Community Downloads.

Note that OpenVPN 2.5.x is in Old Stable Support status (see SupportedVersions). This usually means that we do not provide updated Windows Installers anymore, even for security fixes. Since this release fixes several issues specific to the Windows platform we decided to provide installers anyway. This does not change the support status of the 2.5.x branch. We might not provide security updates for issues found in the future. We recommend that everyone switch to the 2.6.x versions of installers as soon as possible.

Full Changelog: v2.5.9...v2.5.10

v2.6.10

20 Mar 19:13

Security fixes:

  • CVE-2024-27459: Windows: fix a possible stack overflow in the
    interactive service component which might lead to a local privilege escalation.
    Reported-by: Vladimir Tokarev vtokarev@microsoft.com
  • CVE-2024-24974: Windows: disallow access to the interactive service pipe from remote computers.
    Reported-by: Vladimir Tokarev vtokarev@microsoft.com
  • CVE-2024-27903: Windows: disallow loading of plugins from untrusted installation paths, which could be used to attack openvpn.exe via a malicious plugin. Plugins can now only be loaded from the OpenVPN install directory, the Windows system directory, and possibly from a directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir.
    Reported-by: Vladimir Tokarev vtokarev@microsoft.com
  • CVE-2024-1305: Windows TAP driver: Fix potential integer overflow in TapSharedSendPacket.
    Reported-by: Vladimir Tokarev vtokarev@microsoft.com

New features:

  • t_client.sh can now run pre-tests and skip a test block if needed
    (e.g. skip NTLM proxy tests if SSL library does not support MD4)

User visible changes:

  • Update copyright notices to 2024

Bug fixes:

  • Windows: if the win-dco driver is used (default) and the GUI requests use of a proxy server, the connection would fail. Disable DCO in this case. (#522)
  • Compression: minor bugfix in checking option consistency vs. compiled-in algorithm support
  • systemd unit files: remove obsolete syslog.target

Windows Client: Community MSI installer for Windows client can be found at Community Downloads.

Linux Packages: Instructions for installing community-maintained Linux packages can be found in the Community Wiki.

Full Changelog: v2.6.9...v2.6.10