
openvpn/4.0.0

Released

Release Notes

Please review these changes carefully - many properties and defaults have changed which may impact connectivity. While breaking changes are generally avoided, the goals of this release necessitated some significant changes. Those goals were: utilize modern BOSH features, encourage secure defaults, avoid duplicating features, and simplify configuration requirements.

Breaking Changes

  • properties are no longer prefixed with the openvpn namespace (e.g. openvpn.cipher becomes cipher)
  • the openvpn job will no longer act as a client (see the new openvpn-client job)
  • the openvpn job improves security defaults (either explicitly use older values, or upgrade clients as necessary)
    • cipher is now AES-256-CBC (clients must be configured with the same cipher; the previous default, BF-CBC, is a 64-bit block cipher)
    • tls_version_min is now 1.2 (requires clients 2.3.3+; previous default 1.0)
  • custom iptables rules are no longer managed (use the iptables job of the networking release instead)
  • server and client certificates are now configured with the tls_server and tls_client properties, respectively (previously via ca_crt, certificate, and private_key properties)
  • certificate revocation lists for openvpn are now configured with the tls_crl property (previously via crl_pem property)

New Features

  • UDP is now supported (see protocol property of openvpn)
  • the openvpn compress option is now supported (see compress property of openvpn)
  • the openvpn tls-crypt option is now supported (see tls_crypt property of openvpn)
  • new extra_configs property of openvpn and openvpn-client (similar to extra_config, but accepts an array of openvpn directives)
  • new device property is now supported for explicit virtual network device usage
  • certificate-related properties can now be dynamically generated
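The following deployment manifest fragment is an added example, not taken from the release notes or from the project's own documentation. It shows the v4.0.0 property layout described in the two lists above: unprefixed properties, the new secure defaults written out explicitly next to the legacy values they replace, tls_server and tls_crl in place of the old ca_crt/certificate/private_key and crl_pem properties, and certificates generated by BOSH variables. The server, port and dh_pem property names, the ca/certificate/private_key shape of the tls_server value, and every hostname and address are assumptions for illustration; confirm them against the job spec before deploying.

```yaml
# Added example (not from the release notes). Property names marked "assumed"
# and the structure of tls_server are assumptions; check jobs/openvpn/spec.
instance_groups:
- name: openvpn
  instances: 1
  azs: [z1]
  vm_type: default
  stemcell: default
  networks:
  - name: default
  jobs:
  - name: openvpn
    release: openvpn
    properties:
      protocol: udp                    # new in 4.0.0; previously TCP only
      port: 1194                       # assumed property name
      server: 10.8.0.0 255.255.255.0   # assumed property name; VPN subnet for clients

      # 4.0.0 defaults, stated explicitly so the choice is recorded in the manifest.
      # Clients must use the same cipher; tls_version_min 1.2 needs clients 2.3.3+.
      cipher: AES-256-CBC
      tls_version_min: "1.2"
      # Only if old clients cannot be upgraded yet. BF-CBC has a 64-bit block
      # (SWEET32) and TLS 1.0 is deprecated, so treat this as temporary:
      # cipher: BF-CBC
      # tls_version_min: "1.0"

      # Replaces ca_crt / certificate / private_key from earlier releases.
      # Assumed to take the ca/certificate/private_key hash a BOSH certificate
      # variable produces, so the whole variable can be passed in.
      tls_server: ((openvpn_server))
      tls_crl: ""                      # PEM CRL (replaces crl_pem); empty until a client cert is revoked
      tls_crypt: ((openvpn_tls_crypt)) # static key; BOSH cannot generate it, supply it with --var or CredHub
      dh_pem: ((openvpn_dh))           # assumed property name; supplied the same way

      device: tun0                     # explicit virtual device (new in 4.0.0)
      extra_configs:                   # array form of extra_config
      - push "route 10.0.0.0 255.0.0.0"
      - keepalive 10 60

# Certificates are generated on deploy; the CA, server and client certs are
# issued from one private CA so the server only accepts client_auth leaves it signed.
variables:
- name: openvpn_ca
  type: certificate
  options:
    is_ca: true
    common_name: openvpn-ca
- name: openvpn_server
  type: certificate
  options:
    ca: openvpn_ca
    common_name: vpn.example.com       # assumed hostname
    extended_key_usage: [server_auth]
- name: openvpn_client_laptop
  type: certificate
  options:
    ca: openvpn_ca
    common_name: laptop
    extended_key_usage: [client_auth]
```

The openvpn-client job uses the same pattern with tls_client, so a client certificate such as openvpn_client_laptop above can be handed to it the same way. The tls_crypt static key and the DH parameters are the two values BOSH variable generation does not produce; generate them once out of band (the static key with openvpn's --genkey option) and keep them in CredHub or a vars store rather than in the manifest.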

Development & Tooling

  • git version tags now refer to the commit a release was created from (previously the commit which finalized the release was used)

Usage

Upload the release tarball from the command line:

bosh upload-release --name="openvpn" --version="5.8.0" \
  "https://s3-external-1.amazonaws.com/dpb587-bosh-release-openvpn-us-east-1/artifacts/release/4b87886e5253b819592c2b0f59fd7dfffca50508" \
  --sha1="sha256:5024f33cd5aeef5eb8cb4a1d3126178a2e1f5fbb46e080a1098a917ae901c197"

Or reference the release from a manifest:

releases:
- name: "openvpn"
  version: "5.8.0"
  url: "https://s3-external-1.amazonaws.com/dpb587-bosh-release-openvpn-us-east-1/artifacts/release/4b87886e5253b819592c2b0f59fd7dfffca50508"
  sha1: "sha256:5024f33cd5aeef5eb8cb4a1d3126178a2e1f5fbb46e080a1098a917ae901c197"

Jobs

openvpn

The openvpn job provides an OpenVPN server for clients to connect to.

openvpn-client

The openvpn-client job runs an OpenVPN client, connecting to a remote server.

Packages

openvpn

Source

Based on releases/openvpn/openvpn-4.0.0.yml (source).