OpenVPN 2.5

[jkroepke]

Hi,

first beta versions of 2.5 are out. Could u provide such images please?

[Neustradamus]

@kylemanna: The final is out!

OpenVPN 2.5.0 (2020-10-27):

• https://openvpn.net/
• https://github.com/OpenVPN/openvpn/releases

Announcement:

• https://sourceforge.net/p/openvpn/mailman/message/37138737/

OpenVPN 2.5 is a new major release with many new features:

• Client-specific tls-crypt keys (–tls-crypt-v2)
• Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN data channel
• Improved Data channel cipher negotiation
• Removal of BF-CBC support in default configuration
• Asynchronous (deferred) authentication support for auth-pam plugin
• Deferred client-connect
• Faster connection setup
• Netlink support
• Wintun support
• IPv6-only operation
• Improved Windows 10 detection
• Linux VRF support
• TLS 1.3 support
• Support setting DHCP search domain
• Handle setting of tun/tap interface MTU on Windows
• HMAC based auth-token support
• VLAN support
• Support building of .msi installers for Windows
• Allow unicode search string in –cryptoapicert option (Windows)
• Support IPv4 configs with /31 netmasks now
• New option –block-ipv6 to reject all IPv6 packets (ICMPv6)
• MSI installer (Windows)
• The MSI installer now bundles EasyRSA 3, a modern take on OpenVPN CA management

Overview of changes in OpenVPN v2.5:

• https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25

Overview of changes in OpenVPN v2.4:

• https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

[kylemanna]

Waiting and watching for it to land in Alpine:

https://pkgs.alpinelinux.org/packages?name=openvpn&branch=edge

[erhan-]

Looks like it is ready https://pkgs.alpinelinux.org/package/edge/main/x86_64/openvpn

[kylemanna]

Can those interested test out the edge Docker tag / git branch?

~/t/r/docker-openvpn ❯❯❯ docker pull kylemanna/openvpn:edge ; docker run --rm -it kylemanna/openvpn:edge openvpn --version
7597eaba0060: Already exists 
863e5229deb4: Pull complete 
381227b57d63: Pull complete 
2b80629331c3: Pull complete 
dceb0e632215: Pull complete 
Digest: sha256:24ea4611c1fd2a7e84750c7c92cae7ddee100d02bd4f609c6621974b5745a1f8
Status: Downloaded newer image for kylemanna/openvpn:edge
docker.io/kylemanna/openvpn:edge
OpenVPN 2.5.0 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec  5 2020
library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push='no' enable_comp_stub='no' enable_crypto='yes' enable_crypto_ofb_cfb='yes' enable_debug='yes' enable_def_auth='yes' enable_dlopen='unknown' enable_dlopen_self='unknown' enable_dlopen_self_static='unknown' enable_fast_install='yes' enable_fragment='yes' enable_iproute2='yes' enable_libtool_lock='yes' enable_lz4='yes' enable_lzo='yes' enable_management='yes' enable_multihome='yes' enable_pam_dlopen='no' enable_pedantic='no' enable_pf='yes' enable_pkcs11='no' enable_plugin_auth_pam='yes' enable_plugin_down_root='yes' enable_plugins='yes' enable_port_share='yes' enable_selinux='no' enable_shared='yes' enable_shared_with_static_runtimes='no' enable_small='no' enable_static='yes' enable_strict='no' enable_strict_options='no' enable_systemd='no' enable_werror='no' enable_win32_dll='yes' enable_x509_alt_username='no' with_aix_soname='aix' with_crypto_library='openssl' with_gnu_ld='yes' with_mem_check='no' with_sysroot='no'

[erhan-]

I do not have any problems beside the Issues that were present before.

[juriansluiman]

Can those interested test out the edge Docker tag / git branch?

I have now deployed the edge container to my server, several clients (Linux desktop / Android phones) work fine as before. I am not using any advance configurations though.

[erhan-]

I am still using it since the last time I wrote and never had problems.

[juriansluiman]

@kylemanna could you tag edge also as 2.5 to make explicit users could pin a container to a specific image version?

[ruimarinho]

With 2.5.1 out, it'd be great to have edge updated!

[kimsyversen]

@kylemanna could you tag edge also as 2.5 to make explicit users could pin a container to a specific image version?

Yes, please make that explicit.

[Hazmi35]

What's the status of this?

[lisenet]

The image with the latest tag was pushed to Docker Hub more than a year ago, back in 2020, which is a bit out of date if you ask me. I've just built a new one using Dockerfile provided in this repo. Feel free to use it docker pull lisenet/openvpn:2.5.

[nextcloudfan]

@kylemanna: Are there any plans to update the container image to the latest OpenVPN version? Or is this project deprecated?

[nextcloudfan]

Seems that developer has no interest in this project anymore... Would be great to have an official statement, then everybody can decicde hisself

[nextcloudfan]

No news??

[kimsyversen]

I use the script below to build a new image which is saved to Gitlab's registry. If you use this you must update the Gitlab URL's. Feel free to use and/or improve it (it is a bit hacky)

#!/usr/bin/env bash

# Require sudo
if [[ $UID != 0 ]]; then
    echo "Please run this script with sudo:"
    echo "sudo $0 $*"
    exit 1
fi

# Set this variable to the last openvpn-version at http://dl-cdn.alpinelinux.org/alpine/latest-stable/main/x86_64/
OPENVPN_VERSION="2.5."

# Set absolute path to the same directory as this script is placed in.
ABSOLUTE_PATH="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

read -p "Open http://dl-cdn.alpinelinux.org/alpine/latest-stable/main/x86_64/ and enter the latest version of openvpn (e.g. 2.5.2)# " -e -i "$OPENVPN_VERSION" OPENVPN_VERSION

# Pull down latest version of alpine (or the image will be built with cached version)
docker pull alpine:latest

# Clone docker-openvpn repository
git clone https://github.com/kylemanna/docker-openvpn

# Build image
cd ${ABSOLUTE_PATH}/docker-openvpn

# Look for the testing repo and add main repo afterwards
sed '/^RUN echo "http:\/\/dl-cdn.alpinelinux.org\/alpine\/edge\/testing\/"/a echo "http://dl-cdn.alpinelinux.org/alpine/latest-stable/main/" >> /etc/apk/repositories && \\' -i Dockerfile

sudo docker login registry.gitlab.com
sudo docker build -t registry.gitlab.com/<USERNAME>/vpn:$OPENVPN_VERSION .
sudo docker push registry.gitlab.com/<USERNAME>/vpn:$OPENVPN_VERSION

cd ..

# Update the OPENVPN_VERSION in docker compose file
sed "/image/c \    image: registry.gitlab.com/<USERNAME>/vpn:$OPENVPN_VERSION" -i docker-compose.yml

# Rebuild the container to use the new image
sudo docker-compose build --pull --no-cache vpn          # Uses an image, build has no effect
sudo docker-compose rm --stop --force vpn
sudo docker-compose up --no-deps -d vpn
sudo docker image prune --force                             # Delete old images that are are not in use and do not have tags

git commit -a -m "Updated OpenVPN to $OPENVPN_VERSION"
git push

[lisenet]

Latest OpenVPN version: lisenet/openvpn:2.5.7

[nextcloudfan]

@lisenet : Thanks for the link. Is there any way to use your container to upate a running installation of kylemanna / docker-openvpn ? Otherwise I have to setup up everything and all keys for all devices again

[lisenet]

@nextcloudfan simply use the new image and it should "just work". I used the same Docker file but had updated the repo to the stable one.

[nextcloudfan]

@lisenet If I get you right I should replace the kylemanna image with your image. I`m using portainer, how do I do this there?

[lisenet]

@nextcloudfan not sure TBH as I'm running on Kubernetes. Via Portainer WebUI I presume? How did you deploy the image in the first place?

[nextcloudfan]

@lisenet My bad, using portainer WebUI, thats true. But I did deploy the image as described here (didn`t have that in mind, too long ago): https://hub.docker.com/r/kylemanna/openvpn => Quick start

[juriansluiman]

@nextcloudfan the key here is the container is built by an image where all container data is kept in a separate volume. So as long as you did follow the instructions, all your container VPN data is in a storage volume. So if you swap your container image for @lisenet ones, you would have access to the same configuration.

I am not sure how to work with portainer, but conceptually I would:

1. Stop your current container (do not delete it!)
2. Start the new one with lisenet/openvpn:2.5.7
3. Test if everything works as expected
4. Remove the old image and continue using @lisenet images

@lisenet as @kylemanna is less active on Github (perhaps not supporting this image anymore), should we have a discussion migrating to a new maintainer?

[lisenet]

@nextcloudfan your certs, config and data in general is not stored in the docker image but a separate volume, therefore you should be able to simply change the Docker image.

[lisenet]

@juriansluiman that sounds sensible to me.

[nextcloudfan]

@lisenet @juriansluiman I will try this the next days, for now I got this when trying to pull new images from docker hub: Error response from daemon: Get "https://registry-1.docker.io/v2/": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

[lisenet]

@nextcloudfan that's Docker Hub, they've been having problems with their service lately:

https://status.docker.com/pages/history/533c6539221ae15e3f000031

[nextcloudfan]

@lisenet @ruimarinho : Docker hub is working again. I simply changed the image to lisenet`s in Portainer, redeployed and it is working:) That was simple....

@lisenet : Is there a possibility in your Image to use to different Port ? Right now I´m on 1194 UDP. Had some issues in the past where this port was blocked. My idea is to use 1194 UDP and 443 TCP parallel. But I already hae things running on 44e TCP. I heard about OpenVpn prt forwarding, but did not manage it running with any image.

[lisenet]

@nextcloudfan my image uses the same Dockerfile as the original image, with some very minor tweaks to pull the latest stable OpenVPN version. I did not customise it in any way therefore the port remains the same.

I have my container using 1194 UDP but on the outside I port-forward through my load balancer via 443 UDP. E.g.

PUBLIC_IP_OF_THE_LOAD_BALANCER:443 > PRIVATE_IP_OF_THE_CONTAINER_SERVICE:1194

[jc-59]

thank you very much @lisenet

[nextcloudfan]

@lisenet

Do you have a changelog for the version provided on the last days of Dec 2022?

[lisenet]

@nextcloudfan https://github.com/lisenet/docker-openvpn/releases/tag/2.6.6-build20

Latest OpenVPN version: lisenet/openvpn:latest

[lisenet]

This is the repo that I maintain: https://hub.docker.com/r/lisenet/openvpn

It gets the latest version short after one has been published.

[daweedm]

@lisenet could you please share the Dockerfile ? thanks

[lisenet]

@daweedm https://github.com/lisenet/docker-openvpn/blob/master/Dockerfile