Download OpenVPN 2.4.3

OpenVPN is a robust and easy to set up open source VPN daemon that allows several private networks to be linked together by means of an encrypted tunnel over the internet. The OpenSSL library is used for security, with which all encryption, authentication and certification can be handled. For more information, please refer to this page and an installation guide is on this page to consult. The developers have released version 2.4.3 with the following changes:

OpenVPN 2.4.3

OpenVPN v2.4.2 was analyzed closely using a fuzzer by Guido Vranken. In the process several vulnerabilities were found, some of which are remotely exploitable in certain circumstances. We recommend you to upgrade to OpenVPN 2.4.3 or 2.3.17 as soon as possible. More details are available in our official security announcement.

Compared to OpenVPN 2.3 this is a major update with a large number of new features, improvements and fixes. Some of the major features are AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack support and more seamless connection migration when client’s IP address changes (Peer-ID). Also, the new –tls-crypt feature can be used to increase users’ connection privacy.

Compared to OpenVPN 2.4.2 there are several bug fixes and one major feature: support for building with OpenSSL 1.1.

A summary of the changes is available in changes.rstand a full list of changes is available here.

Changes in 2.4.3

• Ignore auth-nocache for auth-user-pass if auth-token is pushed
• crypto: Enable SHA256 fingerprint checking in –verify-hash
• copyright: Update GPLv2 license texts
• auth-token with auth-nocache fix broke –disable-crypto builds
• OpenSSL: don’t use direct access to the internal of X509
• OpenSSL: don’t use direct access to the internal of EVP_PKEY
• OpenSSL: don’t use direct access to the internal of RSA
• OpenSSL: don’t use direct access to the internal of DSA
• OpenSSL: force meth->name as non-const when we free() it
• OpenSSL: don’t use direct access to the internal of EVP_MD_CTX
• OpenSSL: don’t use direct access to the internal of EVP_CIPHER_CTX
• OpenSSL: don’t use direct access to the internal of HMAC_CTX
• Fix NCP behavior on TLS reconnect.
• Remove erroneous limitation on max number of args for –plugin
• Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
• Fix potential 1-byte overread in TCP option parsing.
• Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
• Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst)
• refactor my_strupr
• Fix 2 memory leaks in proxy authentication routine
• Fix memory leak in add_option() for option ‘connection’
• Ensure option array p[] is always NULL-terminated
• Fix a null pointer dereference in establish_http_proxy_passthru()
• Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
• Fix an unaligned access on OpenBSD/sparc64
• Missing include for socket-flags TCP_NODELAY on OpenBSD
• Make openvpn-plugin.h self-contained again.
• Pass correct buffer size to GetModuleFileNameW()
• Log the negotiated (NCP) cipher
• Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
• Skip tls-crypt unit tests if required crypto mode not supported
• openssl: fix overflow check for long –tls-cipher option
• Add a DSA test key/cert pair to sample-keys
• Fix mbedtls fingerprint calculation
• mbedtls:fix –x509-track post-authentication remote DoS (CVE-2017-7522)
• mbedtls: require C-string compatible types for –x509-username-field
• Fix remote triggerable memory leaks (CVE-2017-7521)
• Restrict –x509-alt-username extension types
• Fix potential double-free in –x509-alt-username (CVE-2017-7521)
• Fix gateway detection with OpenBSD routing domains