OpenVPN is a robust, easy-to-configure open-source VPN daemon that links separate private networks over an encrypted tunnel across the Internet. It relies on the OpenSSL library for all encryption, authentication and certificate handling. The developers have released version 2.6.15; the changelog for that release is given below.
New features / User visible changes
- On Windows, do not use "wmic.exe" any longer to set DNS search domain (discontinued by Microsoft), use "powershell" fragment instead.
- On Windows, logging to the Windows event log has been improved (and logging of GetLastError() strings repaired). To make this work, a new "openvpnmsgserv.dll" library is now installed and registered.
- DNS domain names are now strictly validated with a positive-list of allowed characters (including UTF-8 high-bit-set bytes) before being handed to powershell.
- Apply more checks to incoming TLS handshake packets before creating new state - namely, verify message ID / acked ID for "valid range for an initial packet". This fixes a problem with clients that float very early but send control channel packets from the pre-float IP (Github: #704), backported from 2.7_beta1.
- Backport handling of client float notifications on FreeBSD 14/STABLE DCO (see here)
- Update GPL license text to latest version from FSF
- On Linux, on interfaces where applicable, OpenVPN explicitly configures the broadcast address again. This was dropped for 2.6.0 "because computers are smart and can do it themselves", but the kernel netlink interface isn't, and will install "0.0.0.0". This does not normally matter, but for broadcast-based applications that get the address to use from "ifconfig", this change repairs functionality.
Code maintenance
- Remove a few extra newline characters at the end of rarely-seen log lines
- Replace assert() calls in the code with OpenVPN ASSERT() calls (not subject to -DNDEBUG, plus better logging on the actual cause)
- Remove "dh dh2048.pem" from all sample configurations, remove "dh2048.pem" file from source tree - OpenSSL 3.5 Seclevel=3 considers this "not secure enough" and OpenVPN has not needed an explicit DH file in a long while.
- Properly handle "old Linux DCO" enum definitions conflicting with "new Linux DCO" kernel headers (uapi/linux/if_link.h)
- Fix stdint.h related build errors on Fedora 42
- GHA: update dependencies, pin CMake version
- Fix MBEDTLS_DEPRECATED_REMOVED build errors (improve compatibility with recent versions of mbedTLS)
Documentation Updates
- Improve --tmp-dir documentation
Bugfixes
- Dco-win: fix a possible "out of scope" access on access to the "OVERLAPPED" Structure (backport of master commit f60a493)
- Bring back configuring of broadcast address on Linux tun/tap interface (see above)
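The two Windows DNS items above belong together: the search domain is no longer passed to wmic.exe but to a PowerShell fragment, and because that value originates from the server (it is typically pushed as a dhcp-option DOMAIN), it is now checked against a positive-list of allowed bytes before it can reach the shell. The following C example is added here to show what such a positive-list check looks like; it is not OpenVPN's own code. The function names dns_domain_is_safe and build_set_dns_domain_cmd, the exact set of allowed characters, the label-structure rules and the Set-DnsClient command fragment are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not OpenVPN's code): positive-list validation of a DNS
 * search domain before it is embedded in a PowerShell command line.
 * Names, limits and the command fragment are assumptions for illustration. */

#define DOMAIN_MAX_LEN 253   /* longest domain name in presentation form */
#define LABEL_MAX_LEN  63    /* longest single label */

/* Allowed bytes: ASCII letters, digits, '-', '.' and any UTF-8 high-bit byte.
 * Everything else (quotes, '$', ';', '`', '(', whitespace, ...) is rejected,
 * so nothing in the name can terminate or extend the command string. */
static bool
domain_byte_allowed(unsigned char c)
{
    if (c >= 0x80)
    {
        return true;                    /* UTF-8 lead or continuation byte */
    }
    if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9'))
    {
        return true;
    }
    return c == '-' || c == '.';
}

/* Return true only if 'domain' consists solely of allowed bytes and has a sane
 * label structure: no empty labels (leading dot, "..", trailing dot), no label
 * longer than 63 bytes, total length between 1 and 253 bytes. */
bool
dns_domain_is_safe(const char *domain)
{
    if (domain == NULL)
    {
        return false;
    }
    size_t len = strlen(domain);
    if (len == 0 || len > DOMAIN_MAX_LEN)
    {
        return false;
    }
    size_t label_len = 0;
    for (size_t i = 0; i < len; i++)
    {
        unsigned char c = (unsigned char)domain[i];
        if (!domain_byte_allowed(c))
        {
            return false;
        }
        if (c == '.')
        {
            if (label_len == 0)
            {
                return false;           /* empty label */
            }
            label_len = 0;
        }
        else if (++label_len > LABEL_MAX_LEN)
        {
            return false;
        }
    }
    return label_len > 0;               /* rejects a trailing dot */
}

/* Build the command fragment only after validation. Returns the number of
 * bytes written, or -1 if the domain was rejected or the buffer is too small.
 * Set-DnsClient -ConnectionSpecificSuffix is a real cmdlet parameter; using it
 * here is an assumption about how a fragment might look, not OpenVPN's text.
 * The value is single-quoted and a single quote is not an allowed byte, so the
 * validated name cannot close the quote. */
int
build_set_dns_domain_cmd(char *out, size_t outlen, unsigned ifindex, const char *domain)
{
    if (!dns_domain_is_safe(domain))
    {
        return -1;
    }
    int n = snprintf(out, outlen,
                     "Set-DnsClient -InterfaceIndex %u -ConnectionSpecificSuffix '%s'",
                     ifindex, domain);
    if (n < 0 || (size_t)n >= outlen)
    {
        return -1;
    }
    return n;
}

int
main(void)
{
    /* Constructed sample inputs: one benign, one crafted to break out of the quotes. */
    const char *samples[] = { "corp.example.com", "example.com'; Start-Process calc #" };
    char cmd[512];
    for (size_t i = 0; i < 2; i++)
    {
        if (build_set_dns_domain_cmd(cmd, sizeof cmd, 12, samples[i]) < 0)
        {
            printf("rejected: %s\n", samples[i]);
        }
        else
        {
            printf("ok: %s\n", cmd);
        }
    }
    return 0;
}
```

The point of a positive-list is that the question "which bytes are dangerous in PowerShell" never has to be answered completely: quotes, `$(`, backticks, `;` and whitespace are all rejected simply because they are not letters, digits, `-` or `.`, and high-bit bytes are admitted so that UTF-8 domain names keep working. The label checks are an extra that the changelog does not mention; they catch values that are harmless to the shell but would never be a valid DNS suffix.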