Download OpenVPN 2.4.6

OpenVPN is a robust and easy to set up open source VPN daemon that allows several private networks to be linked together through an encrypted tunnel over the internet. For security, the OpenSSL library is used, which can handle all encryption, authentication and certification. For more information, please refer to this page and an installation guide is on this page to consult. The developers released version 2.4.6 a while ago, with the following changes:

Version 2.4.6

• management: Warn if TCP port is used without password
• Correct version in ChangeLog – should be 2.4.5, was mistyped as 2.4.4
• Fix potential double-free() in Interactive Service (CVE-2018-9336)
• preparing release v2.4.6 (ChangeLog, version.m4, Changes.rst)
• manpage: improve description of –status and –status-version
• Make return code external tls key match docs
• Delete the IPv6 route to the “connected” network on tun close
• Management: warn about password only when the option is in use
• Avoid overflow in wakeup time computation
• Add missing #ifdef SSL_OP_NO_TLSv1_1/2
• Check for more data in control channel

Version 2.4.5

• reload HTTP proxy credentials when moving to the next connection profile
• Allow learning iroutes with network made up of all 0s (only if netbits < 8)
• mbedtls: fix typ0 in comment
• man page: fix simple typ0
• Treat dhcp option DNS6 and DNS identical
• show the right string for key-direction
• Fix typo in error message: “optione” -> “option”
• lz4: Fix confused version check
• lz4: Fix broken builds when pkg-config is not present but system library is
• Remove references to keychain-mcd in Changes.rst
• lz4: Rebase compat-lz4 against upstream v1.7.5
• systemd: Add and ship README.systemd
• Update copyright to include 2018 plus company name change
• man: Add .TQ rudef support macro
• man: Reword –management to prefer unix sockets over TCP
• OpenSSL: check EVP_PKEY key types before returning the pkey
• Remove warning on pushed tun-ipv6 option.
• Fix removal of on-link prefix on windows with netsh
• Preparing for release v2.4.5 (ChangeLog, version.m4, Changes.rst)
• travis-ci: add brew cache, remove ccache
• travis-ci: modify openssl build script to support openssl-1.1.0
• autoconf: Fix engine checks for openssl 1.1
• Cast time_t to long long in order to print it.
• Fix build with LibreSSL
• Check whether in pull_mode before warning about previous connection blocks
• Avoid illegal memory access when malformed data is read from the pipe
• Fix missing check for return value of malloc’d buffer
• Return NULL if GetAdaptersInfo fails
• Use RSA_meth_free instead of free
• Bring cryptoapi.c upto speed with openssl 1.1
• Add SSL_CTX_get_max_proto_version() not in openssl 1.0
• TLS v1.2 support for cryptoapicert — RSA only
• Refactor get_interface_metric to return metric and auto flag separately
• Ensure strings read from registry are null-terminated
• Make most registry values ​​optional
• Use lowest metric interface when multiple interfaces match a route
• Adapt to RegGetValue brokenness in Windows 7
• Fix format spec errors in Windows builds
• Local functions are not supported in MSVC. Bummer.
• Mixing wide and regular strings in concatenations is not allowed in MSVC.
• RtlIpv6AddressToStringW() and RtlIpv4AddressToStringW() require mstcpip.h
• Simplify iphlpapi.dll API calls
• Fix local #include to use quoted form
• Document “>PASSWORD:Auth-Token” real-time message
• Fix typo in “verb” command examples
• Uniform swprintf() across MinGW and MSVC compilers
• MSVC meta files added to .gitignore list
• openvpnserv: Add support for multi-instances
• Document missing OpenVPN states
• make struct key * argument or init_key_ctx const
• buffer_list_aggregate_separator(): add unit tests
• Add –tls-cert-profile option.
• Use P_DATA_V2 for server->client packets too
• Fix memory leak in buffer unit tests
• buffer_list_aggregate_separator(): update list size after aggregating
• buffer_list_aggregate_separator(): don’t exceed max_len
• buffer_list_aggregate_separator(): prevent 0-byte malloc
• Fix types around buffer_list_push(_data)
• ssl_openssl: fix compiler warning by removing getbio() wrapper
• travis: use clang’s -fsanitize=address to catch more bugs
• Fix –tls-version-min and –tls-version-max for OpenSSL 1.1+
• Add support for TLS 1.3 in –tls-version-{min, max}
• Plug memory leak if push is interrupted
• Fix format errors when cross-compiling for Windows
• Log pre-handshake packet drops using D_MULTI_DROPPED
• Enable stricter compiler warnings by default
• Get rid of ax_check_compile_flag.m4
• mbedtls: don’t use API deprecated in mbed 2.7
• Warn if tls-version-max < tls-version-min
• Don’t throw fatal errors from create_temp_file()
• Fix ‘–bind ipv6only’

Version 2.4.4

• crypto: correct type0 in error message
• use M_ERRNO instead of explicitly printing errno
• don’t print errno twice
• ntlm: avoid useless cast
• ntlm: unwrap multiple function calls
• route: improve error message
• management: preserve wait_for_push field when asking for user/pass
• tls-crypt: avoid warnings when –disable-crypto is used
• ntlm: convert binary buffers to uint8_t *
• ntlm: restyle compressed multiple function calls
• ntlm: improve code style and readability
• OpenSSL: remove unreachable call to SSL_CTX_get0_privatekey()
• make function declarations C99 compliant
• remove unused functions
• use NULL instead of 0 when assigning pointers
• add missing static attribute to functions
• ntlm: avoid breaking anti-aliasing rules
• remove the –disable-multi config switch
• rename mroute_extract_addr_ipv4 to mroute_extract_addr_ip
• route: avoid definition of unused variables in certain configurations
• fix a couple of typ0s in comments and strings
• fragment.c: simplify boolean expression
• tcp-server: ensure AF family is propagated to child context
• Set tls-cipher restriction before loading certificates
• Print ec bit details, refuse management-external-key if key is not RSA
• Use provided env vars in up/down script.
• Document down-root plugin usage in client.down
• doc: The CRL processing is not a deprecated feature
• cleanup: Move write_pid() to where it is being used
• contrib: Remove keychain-mcd code
• cleanup: Move init_random_seed() to where it is being used
• sample plugins: fix ASN1_STRING_to_UTF8 return value checks
• Highlight deprecated features
• Use consistent version references
• docs: Replace all PolarSSL references to mbed TLS
• systemd: Ensure systemd shuts down OpenVPN in a proper way
• systemd: Enable systemd’s auto-restart feature for server profiles
• lz4: Move towards a newer LZ4 API
• Prepare the release of OpenVPN 2.4.4
• OpenSSL: remove pre-1.1 function from the OpenSSL compat interface
• OpenSSL: remove EVP_CIPHER_CTX_new() from the compat layer
• OpenSSL: remove EVP_CIPHER_CTX_free() from the compat layer
• Warn that DH config option is only meaningful in a tls-server context
• travis-ci: add 3 missing patches from master to release/2.4
• travis-ci: update openssl to 1.0.2l, update mbedtls to 2.5.1
• travis-ci: update pkcs11-helper to 1.22
• man: Corrections to doc/openvpn.8
• Fix typo in extract_x509_extension() debug message
• Move adjust_power_of_2() to integer.h
• Undo cipher push in client options state if cipher is rejected
• Remove strerror_ts()
• Move openvpn_sleep() to manage.c
• fixup: also change missed openvpn_sleep() occurrences
• Always use default keysize for NCP’d ciphers
• Move create_temp_file() out of #ifdef ENABLE_CRYPTO
• Deprecate –keysize
• Deprecate –no-replay
• Move run_up_down() to init.c
• tls-crypt: introduce tls_crypt_kt()
• crypto: create function to initialize encrypt and decrypt key
• Add coverity static analysis to Travis CI config
• tls-crypt: don’t leak memory for incorrect tls-crypt messages
• travis: reorder matrix to speed up build
• Fix bounds check in read_key()
• OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag
• Fix socks_proxy_port pointing to invalid data