[Openvpn-devel] Release of OpenVPN 3 Linux v1 (Beta)

Message ID c1c90dfe-c6b6-3304-3c1b-703bbdc54133@sf.lists.topphemmelig.net

David Sommerseth Dec. 8, 2018, 3:03 a.m.
OpenVPN 3 Linux v1 (beta) release
=================================

The first beta release of the new OpenVPN 3 Linux client is now available.
This release is considered reasonably stable and is suitable for daily
usage by people willing to test new cutting edge software.

The OpenVPN 3 Linux client is a very different way of interfacing with
VPN tunnels than the previous OpenVPN 2.x releases, where privilege
separation and runtime security are tightened a lot more.  This is done
by building on the capabilities D-Bus provides.  The result is that
unprivileged end-users are capable of starting and managing their own
VPN connections and sessions without needing any additional privileges.

This is also the first release to provide a new API (over D-Bus) used to
create, configure and manage TUN devices, including DNS configuration.
This new interface has been modelled after the Android VPN API.

What is really the biggest change is the handling of DNS configurations.
Currently, the DNS handling is done by taking control over /etc/resolv.conf
directly; similar to what the update-resolv-conf approach OpenVPN 2 needs
to use.  But the difference is that this works out-of-the-box with the
default install.  In coming releases we will extend this to support
more backends for DNS configuration, such as systemd-resolved and similar.
Unfortunately, currently NetworkManager does not provide an external API
for doing similar approaches.

Another big difference is the provided Python 3 module for OpenVPN 3.  This
is a reference implementation of how to write your own tooling in Python
to manage VPN configurations as well as starting and managing VPN sessions.
Since this builds on the D-Bus API enabled in OpenVPN 3 Linux, this is not
restricted to Python itself, but the Python implementation can be
considered a reasonable study case for other platforms supporting D-Bus.

Finally, the OpenVPN 3 Core library provided in this release has very recently
been extended with tls-crypt-v2 support, which can be tested against
OpenVPN 2 git master branch builds, which contain the coming v2.5 release.

The OpenVPN 3 Linux release needs to be heavily tested.  But there are some
features which are not available in OpenVPN 3 in general.  There is no TAP
device support planned, and further features like --fragment are unsupported.
Other missing features are the script hooks and plug-in interface (which
can use the D-Bus interface to trigger external events).

In general, if your existing VPN client configuration works with OpenVPN
Connect or OpenVPN for Android with the OpenVPN 3 backend enabled, then it
will work with the Linux client.


Source code
-----------
- Source package:
<https://swupdate.openvpn.net/community/releases/openvpn3-linux-1_beta.tar.xz>
- PGP signature:
<https://swupdate.openvpn.net/community/releases/openvpn3-linux-1_beta.tar.xz.asc>

- GitLab: <https://gitlab.com/openvpn/openvpn3-linux>
- GitHub: <https://github.com/OpenVPN/openvpn3-linux>


Binary packages
---------------
Fedora 28, 29 and EPEL:
<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn3/>
The Fedora EPEL repository provides packages for Red Hat Enterprise Linux 7
which also work on CentOS 7 and Scientific Linux 7.

Debian and Ubuntu packages are in the pipe and we will announce their
availability as soon as they are ready.


Known issues
------------

- man-pages are far from completed.  Currently man-pages for openvpn2 and
  openvpn3-autoload are generated as well as a brief overview of the
  openvpn3 front-end.  But this will be improved with time.

- mbed TLS v2.7.0 or newer is required
  Quite recently the OpenVPN 3 Core library added a fix to avoid using
  a deprecated function.  It was not noticed at that point that this
  change would break the building of OpenVPN 3 on Debian 9 or similar
  distributions which ship an older mbed TLS library.
  The current workaround is to apply the attached patch, which will restore
  the old API present in older mbed TLS versions.

  To apply the attached patch:

    $ tar xvJf openvpn3-linux-1_beta.tar.xz
    $ cd openvpn3-linux-1_beta
    $ patch -p1 < /path/to/fix-openvpn3-linux-mbedtls-older-than-2.7.patch

  Then follow the build instructions in the README.md file.

- Lacking OpenSSL build support.  In a coming release, the OpenSSL library
  will be replacing the current mbed TLS library as the default.  But
  it will be possible to build with both of them.

- Read the README.md file carefully when building OpenVPN 3 Linux yourself.
  One important detail which might make things simpler for you, is to
  ensure the 'openvpn' user and group accounts are created before you
  start building and in particular run 'make install'.

- On Debian and Ubuntu, the OpenVPN 3 Python library is installed in
  the wrong directory.  Most distributions use
  /usr/lib/python3.Y/site-packages, while Debian 9 uses just
  /usr/lib/python3.Y.  A quick workaround is to just install a symlink:

     # cd /usr/lib/python3.Y && ln -sf site-packages/openvpn3

  The Python module must be functional for the 'openvpn2' and
  'openvpn3-autoload' tools to work.

- *Some* systems *might* not reload the D-Bus policy as quickly as expected.
  Sometimes it works better when forcing the dbus-daemon to reload its
  configuration.  This can be done via: systemctl reload dbus
  (Do _NOT_ attempt to _restart_ dbus-daemon on a running system, it
  might make your system misbehave afterwards)
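As an added example (not from the announcement or the OpenVPN project), a small POSIX shell script for the mbed TLS workaround above: it reads the installed mbed TLS version from mbedtls/version.h, applies the attached patch with patch -p1 only when the library really is older than 2.7.0, and dry-runs the patch first so a half-patched tree is never left behind. The MBEDTLS_INCLUDE variable and the script name are assumptions; GNU patch is assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the announcement: decide whether the
# "older than 2.7" mbed TLS workaround patch is needed, and apply it only
# after a clean dry run. Assumes the mbed TLS headers live under
# ${MBEDTLS_INCLUDE:-/usr/include} and that GNU patch is installed.

# Print MBEDTLS_VERSION_STRING (e.g. "2.6.0") from an mbedtls/version.h file.
mbedtls_version_from_header() {
    sed -n 's/^#define MBEDTLS_VERSION_STRING[[:space:]]*"\([0-9.]*\)".*/\1/p' "$1"
}

# True (exit 0) when the version is older than 2.7.0, i.e. when the
# mbedtls_sha1_ret() API is missing and the workaround patch is needed.
# Major and minor are compared as integers so "2.16.0" ranks above "2.7.0".
mbedtls_needs_patch() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    [ "${major:-0}" -lt 2 ] && return 0
    [ "${major:-0}" -eq 2 ] && [ "${minor:-0}" -lt 7 ] && return 0
    return 1
}

# Apply patch file $2 to the unpacked tree $1 with -p1, as the announcement
# does, but only if a dry run succeeds so a half-patched tree is never left.
apply_mbedtls_workaround() {
    tree=$1
    patchfile=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    ( cd "$tree" && patch -p1 -s --dry-run < "$patchfile" ) || return 1
    ( cd "$tree" && patch -p1 -s < "$patchfile" )
}

main() {
    header=${MBEDTLS_INCLUDE:-/usr/include}/mbedtls/version.h
    ver=$(mbedtls_version_from_header "$header")
    if [ -z "$ver" ]; then echo "cannot read mbed TLS version from $header" >&2; return 1; fi
    if mbedtls_needs_patch "$ver"; then
        echo "mbed TLS $ver is older than 2.7.0: applying workaround patch"
        apply_mbedtls_workaround "$1" "$2"
    else
        echo "mbed TLS $ver: no workaround needed, build the tree unpatched"
    fi
}

# Usage: sh check-mbedtls.sh openvpn3-linux-1_beta /path/to/fix-openvpn3-linux-mbedtls-older-than-2.7.patch
if [ $# -ge 2 ]; then main "$@"; fi
```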

Patch

--- a/openvpn3-core/openvpn/mbedtls/ssl/sslctx.hpp.orig	2018-12-07 23:35:14.288411887 +0100
+++ b/openvpn3-core/openvpn/mbedtls/ssl/sslctx.hpp	2018-12-07 23:35:27.648043080 +0100
@@ -1224,11 +1224,7 @@ 
 	    {
 	      const int SHA_DIGEST_LEN = 20;
 	      static_assert(sizeof(AuthCert::issuer_fp) == SHA_DIGEST_LEN, "size inconsistency");
-	      if(mbedtls_sha1_ret(cert->raw.p, cert->raw.len, ssl->authcert->issuer_fp))
-		{
-		  OPENVPN_LOG_SSL("VERIFY FAIL -- SHA1 calculation failed.");
-		  fail = true;
-		}
+	      mbedtls_sha1(cert->raw.p, cert->raw.len, ssl->authcert->issuer_fp);
 	    }
 	}
       else if (depth == 0) // leaf-cert
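Review bot: the `+` line drops the failure branch along with the API change: `mbedtls_sha1()` in mbed TLS before 2.7 returns void, so the `VERIFY FAIL -- SHA1 calculation failed.` log and the `fail = true` path that guarded `issuer_fp` can no longer be taken, and anyone who builds against mbed TLS 2.7 or newer with this patch still applied silently loses the return-value check upstream added. Suggest keeping both variants behind a version guard, e.g. `#if MBEDTLS_VERSION_NUMBER >= 0x02070000` around the original `mbedtls_sha1_ret()` block with the `mbedtls_sha1()` call in the `#else`, so the workaround is only compiled for the older library it targets.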