Releases | openvpn-bosh-release

the compress algorithm will now, by default, be automatically determined based on client compatibility (this adds implicit support for older, 2.3 clients)
the openvpn-client job can now be configured with a static username and password

Upgrades

openvpn 2.4.5 (was 2.4.4)
openssl 1.1.0h (was 1.1.0g)

Development

add job template testing
move artifacts into a separate artifacts branch
add dev/beta/rc/stable channels for external consumption

v4.2.1

fix: client config directories cannot be used on stemcells v3541+

v4.2.0

fix: openvpn should use embedded release version of openssl rather than system version
enhancement: parallelize compilation steps to use all available CPUs
upgrade: openssl/1.0.1g (was 1.0.1f)

v4.1.0

add openvpn-clients job to support running multiple clients with raw openvpn configuration files
upgrade: openssl/1.0.1f (was 1.0.1e)
upgrade: openvpn/2.4.4 (was 2.4.3)

Please review these changes carefully - many properties and defaults have changed which may impact connectivity. While breaking changes are generally avoided, the goals of this release necessitated some significant changes. Those goals were: utilize modern BOSH features, encourage secure defaults, avoid duplicating features, and simplify configuration requirements.

Breaking Changes

properties are no longer prefixed with openvpn namespace
the openvpn job will no longer act as a client (see the new openvpn-client job)
the openvpn job improves security defaults (either explicitly use older values, or upgrade clients as necessary)
- cipher is now AES-256-CBC (this must be in sync with clients; previous default BF-CBC)
- tls_version_min is now 1.2 (requires clients 2.3.3+; previous default 1.0)
custom iptables rules are no longer managed (use the iptables job of networking release instead)
server and client certificates are now configured with the tls_server and tls_client properties, respectively (previously via ca_crt, certificate, and private_key properties)
certificate revocation lists for openvpn are now configured with the tls_crl property (previously via crl_pem property)

New Features

UDP is now supported (see protocol property of openvpn)
the openvpn compress option is now supported (see compress property of openvpn)
the openvpn tls-crypt option is now supported (see tls_crypt property of openvpn)
new extra_configs property of openvpn and openvpn-client (similar to extra_config, but accepts an array of openvpn directives)
new device property is now supported for explicit virtual network device usage
certificate-related properties can now be dynamically generated

Development & Tooling

git version tags now refer to the commit a release was created from (previously the commit which finalized the release was used)

v3.2.2

Upgrades

openvpn 2.4.3

v3.2.1

No changes (release automation changes only)

v3.2.0

support pushing DNS servers via openvpn.push_dns
support pushing DNS search domains via openvpn.push_dns_search_domains

v3.1.4

new, optional openvpn configuration properties: tls_version_min, tls_cipher
upgrade: openvpn/2.4.2

v3.1.3

openvpn status log now lives at /var/vcap/sys/run/openvpn/status
upgrade: openvpn now 2.4.1 (was 2.3.14)
upgrade: openssl now 1.1.0e (was 1.0.2k)
upgrade: lzo now 2.10 (was 2.09)
dev: refactor integration tests to execute within container

v3.1.2

upgrade: openssl now 1.0.2k (was 1.0.2j)

v3.1.1

upgrade: openvpn now 2.3.14 (was 2.3.13)

v3.1.0

automate signature and checksum verification of blobs
bug fix: make openvpn.crl_pem actually be optional
upgrade: openvpn now 2.3.13 (was 2.3.12)

v3.0.0

make openvpn.crl_pem optional
support configuring openvpn.cipher and openvpn.keysize (default key size is now 256; existing client connection profiles may need to be updated before they can reconnect)
upgrade: openssl now 1.0.2j (was 1.0.2h)