urlscan.io logo urlscan.io
SecurityTrails logo

openvpn.net Open in urlscan Pro
104.18.110.96  Public Scan

Back to summary
Submitted URL: http://openvpn.net/community-downloads/
Effective URL: https://openvpn.net/community-downloads/
Submission: On September 15 via api from US — Scanned from DE

Form analysis 1 forms found in the DOM

<form novalidate="" class="ais-SearchBox-form" action="" role="search"><input type="search" placeholder="Search OpenVPN" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" required="" maxlength="512"
    class="ais-SearchBox-input" value=""><button type="submit" title="Submit your search query." class="ais-SearchBox-submit"><svg class="ais-SearchBox-submitIcon" xmlns="http://www.w3.org/2000/svg" width="10" height="10" viewBox="0 0 40 40">
      <path
        d="M26.804 29.01c-2.832 2.34-6.465 3.746-10.426 3.746C7.333 32.756 0 25.424 0 16.378 0 7.333 7.333 0 16.378 0c9.046 0 16.378 7.333 16.378 16.378 0 3.96-1.406 7.594-3.746 10.426l10.534 10.534c.607.607.61 1.59-.004 2.202-.61.61-1.597.61-2.202.004L26.804 29.01zm-10.426.627c7.323 0 13.26-5.936 13.26-13.26 0-7.32-5.937-13.257-13.26-13.257C9.056 3.12 3.12 9.056 3.12 16.378c0 7.323 5.936 13.26 13.258 13.26z">
      </path>
    </svg></button><button type="reset" title="Clear the search query." class="ais-SearchBox-reset" hidden=""><svg class="ais-SearchBox-resetIcon" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20" width="10" height="10">
      <path d="M8.114 10L.944 2.83 0 1.885 1.886 0l.943.943L10 8.113l7.17-7.17.944-.943L20 1.886l-.943.943-7.17 7.17 7.17 7.17.943.944L18.114 20l-.943-.943-7.17-7.17-7.17 7.17-.944.943L0 18.114l.943-.943L8.113 10z"></path>
    </svg></button></form>

Text Content

Update

NEW! Use Multiple Networks With One Account

 * Search
 * Support
 * Login
 * 

Solutions Products Pricing Resources Community
Get Started Create Account
Use Cases
 * Secure Remote Access
 * Secure IoT Communications
 * Protect Access to SaaS applications
 * Site-to-site Networking
 * Enforcing Zero Trust Access
 * Cyber Threat Protection & Content Filtering
 * Restricted Internet Access
   View All

Industries
 * Energy / Utilities
 * Engineering
 * Finance / Insurance
 * Healthcare / Pharma
 * Manufacturing
 * Technology
 * Retail and Entertainment
   View All

Who We Serve
 * Organization
 * Small Business
 * Mid-sized
 * Enterprise
 * Government
 * Role
 * CISO / CSO
 * DevSecOps
 * IT / OT

 * Managed Solution
 * Self-Hosted Solution
 * Connect Client

OpenVPN Cloud
 * Overview
 * Quick Start
 * Documentation
 * Release Notes

Get Started
 * Product Comparison
   
   Explore the differences

Access Server
 * Overview
 * Software Packages
 * Virtual Appliances
 * Cloud Images

Get Started
 * Product Comparison
   
   Explore the differences

OpenVPN Connect
 * Overview

Get The App
 * Windows App
 * Mac OS App
 * Linux App
 * 
 * 

 * OpenVPN Cloud
 * Access Server

 * Technical Resources
 * Company

Access Server
 * Documentation
 * Quick Start
 * Admin UI Manual
 * Release Notes

OpenVPN Cloud
 * Documentation
 * Quick Start
 * Release Notes

QUESTIONS

Get in touch with our technical support engineers

Contact Support
Company
 * About Us
 * Careers
 * Contact

 * Blog
 * Partner with us
 * Compliance

In The News
 * OpenVPN CEO Featured In Video Showcase
   
   Sharing His #TechTrend Predictions

Community Edition
 * Overview
 * Downloads
 * Source Code

 * Documentation
 * Wiki
 * Forums

Did you know?

 * We have a pre-configured, managed solution with three free connections

   Try OpenVPN Cloud

Update

NEW! Use Multiple Networks With One Account

 * Search
 * Support
 * Login
 * 


Create Account Get Started
Solutions
Use Cases
 * Secure Remote Access
 * Secure IoT Communications
 * Protect Access to SaaS applications
 * Site-to-site Networking
 * Enforcing Zero Trust Access
 * Cyber Threat Protection & Content Filtering
 * Restricted Internet Access
   View All

Industries
 * Energy / Utilities
 * Engineering
 * Finance / Insurance
 * Healthcare / Pharma
 * Manufacturing
 * Technology
 * Retail and Entertainment
   View All

Who We Serve
 * Organization
 * Small Business
 * Mid-sized
 * Enterprise
 * Government
 * Role
 * CISO / CSO
 * DevSecOps
 * IT / OT

Products
 * Managed Solution
 * Self-Hosted Solution
 * Connect Client

OpenVPN Cloud
 * Overview
 * Quick Start
 * Documentation
 * Release Notes

Get Started
 * Product Comparison
   
   Explore the differences

Access Server
 * Overview
 * Software Packages
 * Virtual Appliances
 * Cloud Images

Get Started
 * Product Comparison
   
   Explore the differences

OpenVPN Connect
 * Overview

Get The App
 * Windows App
 * Mac OS App
 * Linux App
 * 
 * 

Pricing
 * OpenVPN Cloud
 * Access Server

Resources
 * Technical Resources
 * Company

Access Server
 * Documentation
 * Quick Start
 * Admin UI Manual
 * Release Notes

OpenVPN Cloud
 * Documentation
 * Quick Start
 * Release Notes

QUESTIONS

Get in touch with our technical support engineers

Contact Support
Company
 * About Us
 * Careers
 * Contact

 * Blog
 * Partner with us
 * Compliance

In The News
 * OpenVPN CEO Featured In Video Showcase
   
   Sharing His #TechTrend Predictions

Community
Community Edition
 * Overview
 * Downloads
 * Source Code

 * Documentation
 * Wiki
 * Forums

Did you know?

 * We have a pre-configured, managed solution with three free connections

   Try OpenVPN Cloud

Login Support


COMMUNITY DOWNLOADS

OPENVPN 2.5.7 -- RELEASED 31 MAY 2022

The OpenVPN community project team is proud to release OpenVPN 2.5.7. This is
mostly a bugfix release, but adds limited support for OpenSSL 3.0. Full support
will arrive in OpenVPN 2.6.

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.5.7.tar.gz

SOURCE ZIP

GnuPG Signature openvpn-2.5.7.zip

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.7-I602-x86.msi

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.7-I602-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.5.7-I602-arm64.msi

OPENVPN 2.5.6 -- RELEASED 16 MAR, 2022

The OpenVPN community project team is proud to release OpenVPN 2.5.6. This is
mostly a bugfix release including one security fix ("Disallow multiple deferred
authentication plug-ins.", CVE: 2022-0547). The I605 installers include OpenVPN
GUI with a bug fix, as well as updated OpenSSL (1.1.1o).

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.5.6.tar.gz

SOURCE ZIP

GnuPG Signature openvpn-2.5.6.zip

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.6-I601-x86.msi

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.6-I601-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.5.6-I601-arm64.msi

OPENVPN 2.5.5 -- RELEASED 15 DEC, 2021

The OpenVPN community project team is proud to release OpenVPN 2.5.5. The most
notable changes are Windows-related: use of CFG Spectre-mitigations in MSVC
builds, bringing back of OpenSSL config loading and several build fixes. More
details are available in Changes.rst.

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.5.5.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.5.5.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.5.5.zip

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.5-I602-x86.msi

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.5-I602-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.5.5-I602-arm64.msi

OPENVPN 2.5.4 -- RELEASED 5 OCT, 2021

The OpenVPN community project team is proud to release OpenVPN 2.5.4. This
release include a number of fixes and small improvements. One of the fixes is to
password prompting on windows console when stderr redirection is in use - this
breaks 2.5.x on Win11/ARM, and might also break on Win11/amd64. Windows
executable and libraries are now built natively on Windows using MSVC, not
cross-compiled on Linux as with earlier 2.5 releases. Windows installers include
updated OpenSSL and new OpenVPN GUI. The latter includes several improvements,
the most important of which is the ability to import profiles from URLs where
available. Installer version I602 fixes loading of pkcs11 files on Windows.
Installer version I603 fixes a bug in the version number as seen by Windows (was
2.5..4, not 2.5.4). Installer I604 fixes some small Windows issues.

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.5.4.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.5.4.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.5.4.zip

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.4-I604-x86.msi

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.4-I604-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.5.4-I604-arm64.msi


OVERVIEW OF CHANGES SINCE OPENVPN 2.4


FASTER CONNECTIONS

 * Connections setup is now much faster
   


CRYPTO SPECIFIC CHANGES

 * ChaCha20-Poly1305 cipher in the OpenVPN data channel (Requires OpenSSL 1.1.0
   or newer)
 * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
 * Client-specific tls-crypt keys (--tls-crypt-v2)
 * Improved Data channel cipher negotiation
 * Removal of BF-CBC support in default configuration (see below for possible
   incompatibilities)


SERVER-SIDE IMPROVEMENTS

 * HMAC based auth-token support for seamless reconnects to standalone servers
   or a group of servers.
 * Asynchronous (deferred) authentication support for auth-pam plugin
 * Asynchronous (deferred) support for client-connect scripts and plugins


NETWORK-RELATED CHANGES

 * Support IPv4 configs with /31 netmasks now
 * 802.1q VLAN support on TAP servers
 * IPv6-only tunnels
 * New option --block-ipv6 to reject all IPv6 packets (ICMPv6)


LINUX-SPECIFIC FEATURES

 * VRF support
 * Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip
   commands)


WINDOWS-SPECIFIC FEATURES

 * Wintun driver support, a faster alternative to tap-windows6
 * Setting tun/tap interface MTU
 * Setting DHCP search domain
 * Allow unicode search string in --cryptoapicert option
 * EasyRSA3, a modern take on OpenVPN CA management
   
 * MSI installer


IMPORTANT NOTICES



BF-CBC CIPHER IS NO LONGER THE DEFAULT

Cipher handling for the data channel cipher has been significantly changed
between OpenVPN 2.3/2.4 and v2.5, most notably there are no "default cipher
BF-CBC" anymore because it is no longer considered a reasonable default. BF-CBC
is still available, but it needs to be explicitly configured now.

For connections between OpenVPN 2.4 and v2.5 clients and servers, both ends will
be able  to negotiate a better cipher than BF-CBC. By default they will select
one of the AES-GCM ciphers, but this can be influenced using the --data-ciphers
setting.

Connections between OpenVPN 2.3 and v2.5 that have no --cipher setting in the
config (= defaulting to BF-CBC and not being negotiation-capable) must be
updated. Unless BF-CBC is included in --data-ciphers or there is a "--cipher
BF-CBC" in the OpenVPN 2.5 config, a v2.5 client or server will refuse to talk
to a v2.3 server or client, because it has no common data channel cipher and
negotiating a cipher is not possible. Generally, we recommend upgrading such
setups to OpenVPN 2.4 or v2.5. If upgrading is not possible we recommend adding
data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher
AES-128-CBC (v2.4.x and older) to the configuration of all clients and servers.

If you really need to use an unsupported OpenVPN 2.3 (or even older) release and
need to stay on BF-CBC (not recommended), the OpenVPN 2.5 based client will need
a config file change to re-enable BF-CBC.  But be warned that BF-CBC and other
related weak ciphers will be removed in coming OpenVPN major releases.

For full details see the"Data channel cipher negotiation" section on the man
page.


CONNECTIVITY TO SOME VPN SERVICE PROVIDER MAY BREAK

Connecting with an OpenVPN 2.5 client to at least one commercial VPN service
that
implemented their own cipher negotiation method that always reports back that it
is using BF-CBC to the client is broken in v2.5. This has always caused warning
about mismatch ciphers. We have been in contact with some service providers and
they are looking into it.  This is not something the OpenVPN community can fix. 
If your commercial VPN does not work with a v2.5 client, complain to the VPN
service provider.

More details on these new features as well as a list of deprecated features and
user-visible changes are available in Changes.rst.


LINUX PACKAGES ARE AVAILABLE FROM

 * Official Debian and Ubuntu apt repositories
 * Red Hat/Fedora dnf/yum repositories (provided by Fedora Copr)


USEFUL RESOURCES

 * Official documentation
 * Wiki
 * Bug tracker
 * Support forums
 * User mailing list
 * User IRC channel (#openvpn at irc.libera.chat)

OPENVPN 2.5.3 -- RELEASED 17 JUNE, 2021

The OpenVPN community project team is proud to release OpenVPN 2.5.3. Besides a
number of small improvements and bug fixes, this release fixes a possible
security issue with OpenSSL config autoloading on Windows (CVE-2021-3606).
Updated OpenVPN GUI is also included in Windows installers.

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.5.3.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.5.3.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.5.3.zip

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.3-I601-x86.msi

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.3-I601-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.5.3-I601-arm64.msi


OVERVIEW OF CHANGES SINCE OPENVPN 2.4


FASTER CONNECTIONS

 * Connections setup is now much faster
   


CRYPTO SPECIFIC CHANGES

 * ChaCha20-Poly1305 cipher in the OpenVPN data channel (Requires OpenSSL 1.1.0
   or newer)
 * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
 * Client-specific tls-crypt keys (--tls-crypt-v2)
 * Improved Data channel cipher negotiation
 * Removal of BF-CBC support in default configuration (see below for possible
   incompatibilities)


SERVER-SIDE IMPROVEMENTS

 * HMAC based auth-token support for seamless reconnects to standalone servers
   or a group of servers.
 * Asynchronous (deferred) authentication support for auth-pam plugin
 * Asynchronous (deferred) support for client-connect scripts and plugins


NETWORK-RELATED CHANGES

 * Support IPv4 configs with /31 netmasks now
 * 802.1q VLAN support on TAP servers
 * IPv6-only tunnels
 * New option --block-ipv6 to reject all IPv6 packets (ICMPv6)


LINUX-SPECIFIC FEATURES

 * VRF support
 * Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip
   commands)


WINDOWS-SPECIFIC FEATURES

 * Wintun driver support, a faster alternative to tap-windows6
 * Setting tun/tap interface MTU
 * Setting DHCP search domain
 * Allow unicode search string in --cryptoapicert option
 * EasyRSA3, a modern take on OpenVPN CA management
   
 * MSI installer


IMPORTANT NOTICES



BF-CBC CIPHER IS NO LONGER THE DEFAULT

Cipher handling for the data channel cipher has been significantly changed
between OpenVPN 2.3/2.4 and v2.5, most notably there are no "default cipher
BF-CBC" anymore because it is no longer considered a reasonable default. BF-CBC
is still available, but it needs to be explicitly configured now.

For connections between OpenVPN 2.4 and v2.5 clients and servers, both ends will
be able  to negotiate a better cipher than BF-CBC. By default they will select
one of the AES-GCM ciphers, but this can be influenced using the --data-ciphers
setting.

Connections between OpenVPN 2.3 and v2.5 that have no --cipher setting in the
config (= defaulting to BF-CBC and not being negotiation-capable) must be
updated. Unless BF-CBC is included in --data-ciphers or there is a "--cipher
BF-CBC" in the OpenVPN 2.5 config, a v2.5 client or server will refuse to talk
to a v2.3 server or client, because it has no common data channel cipher and
negotiating a cipher is not possible. Generally, we recommend upgrading such
setups to OpenVPN 2.4 or v2.5. If upgrading is not possible we recommend adding
data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher
AES-128-CBC (v2.4.x and older) to the configuration of all clients and servers.

If you really need to use an unsupported OpenVPN 2.3 (or even older) release and
need to stay on BF-CBC (not recommended), the OpenVPN 2.5 based client will need
a config file change to re-enable BF-CBC.  But be warned that BF-CBC and other
related weak ciphers will be removed in coming OpenVPN major releases.

For full details see the"Data channel cipher negotiation" section on the man
page.


CONNECTIVITY TO SOME VPN SERVICE PROVIDER MAY BREAK

Connecting with an OpenVPN 2.5 client to at least one commercial VPN service
that
implemented their own cipher negotiation method that always reports back that it
is using BF-CBC to the client is broken in v2.5. This has always caused warning
about mismatch ciphers. We have been in contact with some service providers and
they are looking into it.  This is not something the OpenVPN community can fix. 
If your commercial VPN does not work with a v2.5 client, complain to the VPN
service provider.

More details on these new features as well as a list of deprecated features and
user-visible changes are available in Changes.rst.


LINUX PACKAGES ARE AVAILABLE FROM

 * Official Debian and Ubuntu apt repositories
 * Red Hat/Fedora dnf/yum repositories (provided by Fedora Copr)


USEFUL RESOURCES

 * Official documentation
 * Wiki
 * Bug tracker
 * Support forums
 * User mailing list
 * User IRC channel (#openvpn at irc.libera.chat)

OPENVPN 2.5.2 -- RELEASED 21 APRIL, 2021

The OpenVPN community project team is proud to release OpenVPN 2.5.2. It fixes
two related security vulnerabilities (CVE-2020-15078) which under very specific
circumstances allow tricking a server using delayed authentication (plugin or
management) into returning a PUSH_REPLY before the AUTH_FAILED message, which
can possibly be used to gather information about a VPN setup. In combination
with "--auth-gen-token" or a user-specific token auth solution it can be
possible to get access to a VPN with an otherwise-invalid account. OpenVPN 2.5.2
also includes other bug fixes and improvements. Updated OpenSSL and OpenVPN GUI
are included in Windows installers.

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.5.2.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.5.2.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.5.2.zip

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.2-I601-x86.msi

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.2-I601-amd64.msi


OVERVIEW OF CHANGES SINCE OPENVPN 2.4


FASTER CONNECTIONS

 * Connections setup is now much faster
   


CRYPTO SPECIFIC CHANGES

 * ChaCha20-Poly1305 cipher in the OpenVPN data channel (Requires OpenSSL 1.1.0
   or newer)
 * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
 * Client-specific tls-crypt keys (--tls-crypt-v2)
 * Improved Data channel cipher negotiation
 * Removal of BF-CBC support in default configuration (see below for possible
   incompatibilities)


SERVER-SIDE IMPROVEMENTS

 * HMAC based auth-token support for seamless reconnects to standalone servers
   or a group of servers.
 * Asynchronous (deferred) authentication support for auth-pam plugin
 * Asynchronous (deferred) support for client-connect scripts and plugins


NETWORK-RELATED CHANGES

 * Support IPv4 configs with /31 netmasks now
 * 802.1q VLAN support on TAP servers
 * IPv6-only tunnels
 * New option --block-ipv6 to reject all IPv6 packets (ICMPv6)


LINUX-SPECIFIC FEATURES

 * VRF support
 * Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip
   commands)


WINDOWS-SPECIFIC FEATURES

 * Wintun driver support, a faster alternative to tap-windows6
 * Setting tun/tap interface MTU
 * Setting DHCP search domain
 * Allow unicode search string in --cryptoapicert option
 * EasyRSA3, a modern take on OpenVPN CA management
   
 * MSI installer


IMPORTANT NOTICES



BF-CBC CIPHER IS NO LONGER THE DEFAULT

Cipher handling for the data channel cipher has been significantly changed
between OpenVPN 2.3/2.4 and v2.5, most notably there are no "default cipher
BF-CBC" anymore because it is no longer considered a reasonable default. BF-CBC
is still available, but it needs to be explicitly configured now.

For connections between OpenVPN 2.4 and v2.5 clients and servers, both ends will
be able  to negotiate a better cipher than BF-CBC. By default they will select
one of the AES-GCM ciphers, but this can be influenced using the --data-ciphers
setting.

Connections between OpenVPN 2.3 and v2.5 that have no --cipher setting in the
config (= defaulting to BF-CBC and not being negotiation-capable) must be
updated. Unless BF-CBC is included in --data-ciphers or there is a "--cipher
BF-CBC" in the OpenVPN 2.5 config, a v2.5 client or server will refuse to talk
to a v2.3 server or client, because it has no common data channel cipher and
negotiating a cipher is not possible. Generally, we recommend upgrading such
setups to OpenVPN 2.4 or v2.5. If upgrading is not possible we recommend adding
data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher
AES-128-CBC (v2.4.x and older) to the configuration of all clients and servers.

If you really need to use an unsupported OpenVPN 2.3 (or even older) release and
need to stay on BF-CBC (not recommended), the OpenVPN 2.5 based client will need
a config file change to re-enable BF-CBC.  But be warned that BF-CBC and other
related weak ciphers will be removed in coming OpenVPN major releases.

For full details see the"Data channel cipher negotiation" section on the man
page.


CONNECTIVITY TO SOME VPN SERVICE PROVIDER MAY BREAK

Connecting with an OpenVPN 2.5 client to at least one commercial VPN service
that
implemented their own cipher negotiation method that always reports back that it
is using BF-CBC to the client is broken in v2.5. This has always caused warning
about mismatch ciphers. We have been in contact with some service providers and
they are looking into it.  This is not something the OpenVPN community can fix. 
If your commercial VPN does not work with a v2.5 client, complain to the VPN
service provider.

More details on these new features as well as a list of deprecated features and
user-visible changes are available in Changes.rst.


LINUX PACKAGES ARE AVAILABLE FROM

 * Official Debian and Ubuntu apt repositories
 * Red Hat/Fedora dnf/yum repositories (provided by Fedora Copr)


WINDOWS ARM64 INSTALLERS

Our MSI installer do not currently support the Windows ARM64 platform. You need
to use our NSI-based snapshot installers from here. We recommend using the
latest installer that matches one of these patterns:

 * openvpn-install-2.5_git-I900-release-2.5-* (stable 2.5 version)
 * openvpn-install-2.6_git-I900-master-* (development version)


USEFUL RESOURCES

 * Official documentation
 * Wiki
 * Bug tracker
 * Support forums
 * User mailing list
 * User IRC channel (#openvpn at irc.libera.chat)

OPENVPN 2.5.1 -- RELEASED 24 FEBRUARY, 2021

The OpenVPN community project team is proud to release OpenVPN 2.5.1. It
includes several bug fixes and improvements as well as updated OpenSSL and
OpenVPN GUI for Windows.

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.5.1.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.5.1.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.5.1.zip

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.1-I601-x86.msi

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.1-I601-amd64.msi


OVERVIEW OF CHANGES SINCE OPENVPN 2.4


FASTER CONNECTIONS

 * Connections setup is now much faster
   


CRYPTO SPECIFIC CHANGES

 * ChaCha20-Poly1305 cipher in the OpenVPN data channel (Requires OpenSSL 1.1.0
   or newer)
 * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
 * Client-specific tls-crypt keys (--tls-crypt-v2)
 * Improved Data channel cipher negotiation
 * Removal of BF-CBC support in default configuration (see below for possible
   incompatibilities)


SERVER-SIDE IMPROVEMENTS

 * HMAC based auth-token support for seamless reconnects to standalone servers
   or a group of servers.
 * Asynchronous (deferred) authentication support for auth-pam plugin
 * Asynchronous (deferred) support for client-connect scripts and plugins


NETWORK-RELATED CHANGES

 * Support IPv4 configs with /31 netmasks now
 * 802.1q VLAN support on TAP servers
 * IPv6-only tunnels
 * New option --block-ipv6 to reject all IPv6 packets (ICMPv6)


LINUX-SPECIFIC FEATURES

 * VRF support
 * Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip
   commands)


WINDOWS-SPECIFIC FEATURES

 * Wintun driver support, a faster alternative to tap-windows6
 * Setting tun/tap interface MTU
 * Setting DHCP search domain
 * Allow unicode search string in --cryptoapicert option
 * EasyRSA3, a modern take on OpenVPN CA management
   
 * MSI installer


IMPORTANT NOTICES



BF-CBC CIPHER IS NO LONGER THE DEFAULT

Cipher handling for the data channel cipher has been significantly changed
between OpenVPN 2.3/2.4 and v2.5, most notably there are no "default cipher
BF-CBC" anymore because it is no longer considered a reasonable default. BF-CBC
is still available, but it needs to be explicitly configured now.

For connections between OpenVPN 2.4 and v2.5 clients and servers, both ends will
be able  to negotiate a better cipher than BF-CBC. By default they will select
one of the AES-GCM ciphers, but this can be influenced using the --data-ciphers
setting.

Connections between OpenVPN 2.3 and v2.5 that have no --cipher setting in the
config (= defaulting to BF-CBC and not being negotiation-capable) must be
updated. Unless BF-CBC is included in --data-ciphers or there is a "--cipher
BF-CBC" in the OpenVPN 2.5 config, a v2.5 client or server will refuse to talk
to a v2.3 server or client, because it has no common data channel cipher and
negotiating a cipher is not possible. Generally, we recommend upgrading such
setups to OpenVPN 2.4 or v2.5. If upgrading is not possible we recommend adding
data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher
AES-128-CBC (v2.4.x and older) to the configuration of all clients and servers.

If you really need to use an unsupported OpenVPN 2.3 (or even older) release and
need to stay on BF-CBC (not recommended), the OpenVPN 2.5 based client will need
a config file change to re-enable BF-CBC.  But be warned that BF-CBC and other
related weak ciphers will be removed in coming OpenVPN major releases.

For full details see the"Data channel cipher negotiation" section on the man
page.


CONNECTIVITY TO SOME VPN SERVICE PROVIDER MAY BREAK

Connecting with an OpenVPN 2.5 client to at least one commercial VPN service
that
implemented their own cipher negotiation method that always reports back that it
is using BF-CBC to the client is broken in v2.5. This has always caused warning
about mismatch ciphers. We have been in contact with some service providers and
they are looking into it.  This is not something the OpenVPN community can fix. 
If your commercial VPN does not work with a v2.5 client, complain to the VPN
service provider.

More details on these new features as well as a list of deprecated features and
user-visible changes are available in Changes.rst.


LINUX PACKAGES ARE AVAILABLE FROM

 * Official Debian and Ubuntu apt repositories
 * Red Hat/Fedora dnf/yum repositories (provided by Fedora Copr)


WINDOWS ARM64 INSTALLERS

Our MSI installer do not currently support the Windows ARM64 platform. You need
to use our NSI-based snapshot installers from here. We recommend using the
latest installer that matches one of these patterns:

 * openvpn-install-2.5_git-I900-release-2.5-* (stable 2.5 version)
 * openvpn-install-2.6_git-I900-master-* (development version)


USEFUL RESOURCES

 * Official documentation
 * Wiki
 * Bug tracker
 * Support forums
 * User mailing list
 * User IRC channel (#openvpn at irc.libera.chat)

OPENVPN 2.5.0 -- RELEASED 28 OCTOBER, 2020

The OpenVPN community project team is proud to release OpenVPN 2.5.0 which is a
new major release with many new features.

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.5.0.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.5.0.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.5.0.zip

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.0-I601-x86.msi

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.0-I601-amd64.msi


OVERVIEW OF CHANGES SINCE OPENVPN 2.4


FASTER CONNECTIONS

 * Connections setup is now much faster
   


CRYPTO SPECIFIC CHANGES

 * ChaCha20-Poly1305 cipher in the OpenVPN data channel (Requires OpenSSL 1.1.0
   or newer)
 * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
 * Client-specific tls-crypt keys (--tls-crypt-v2)
 * Improved Data channel cipher negotiation
 * Removal of BF-CBC support in default configuration (see below for possible
   incompatibilities)


SERVER-SIDE IMPROVEMENTS

 * HMAC based auth-token support for seamless reconnects to standalone servers
   or a group of servers.
 * Asynchronous (deferred) authentication support for auth-pam plugin
 * Asynchronous (deferred) support for client-connect scripts and plugins


NETWORK-RELATED CHANGES

 * Support IPv4 configs with /31 netmasks now
 * 802.1q VLAN support on TAP servers
 * IPv6-only tunnels
 * New option --block-ipv6 to reject all IPv6 packets (ICMPv6)


LINUX-SPECIFIC FEATURES

 * VRF support
 * Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip
   commands)


WINDOWS-SPECIFIC FEATURES

 * Wintun driver support, a faster alternative to tap-windows6
 * Setting tun/tap interface MTU
 * Setting DHCP search domain
 * Allow unicode search string in --cryptoapicert option
 * EasyRSA3, a modern take on OpenVPN CA management
   
 * MSI installer


IMPORTANT NOTICES



BF-CBC CIPHER IS NO LONGER THE DEFAULT

Cipher handling for the data channel cipher has been significantly changed
between OpenVPN 2.3/2.4 and v2.5, most notably there are no "default cipher
BF-CBC" anymore because it is no longer considered a reasonable default. BF-CBC
is still available, but it needs to be explicitly configured now.

For connections between OpenVPN 2.4 and v2.5 clients and servers, both ends will
be able  to negotiate a better cipher than BF-CBC. By default they will select
one of the AES-GCM ciphers, but this can be influenced using the --data-ciphers
setting.

Connections between OpenVPN 2.3 and v2.5 that have no --cipher setting in the
config (= defaulting to BF-CBC and not being negotiation-capable) must be
updated. Unless BF-CBC is included in --data-ciphers or there is a "--cipher
BF-CBC" in the OpenVPN 2.5 config, a v2.5 client or server will refuse to talk
to a v2.3 server or client, because it has no common data channel cipher and
negotiating a cipher is not possible. Generally, we recommend upgrading such
setups to OpenVPN 2.4 or v2.5. If upgrading is not possible we recommend adding
data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher
AES-128-CBC (v2.4.x and older) to the configuration of all clients and servers.

If you really need to use an unsupported OpenVPN 2.3 (or even older) release and
need to stay on BF-CBC (not recommended), the OpenVPN 2.5 based client will need
a config file change to re-enable BF-CBC.  But be warned that BF-CBC and other
related weak ciphers will be removed in coming OpenVPN major releases.

For full details see the"Data channel cipher negotiation" section on the man
page.


CONNECTIVITY TO SOME VPN SERVICE PROVIDER MAY BREAK

Connecting with an OpenVPN 2.5 client to at least one commercial VPN service
that
implemented their own cipher negotiation method that always reports back that it
is using BF-CBC to the client is broken in v2.5. This has always caused warning
about mismatch ciphers. We have been in contact with some service providers and
they are looking into it.  This is not something the OpenVPN community can fix. 
If your commercial VPN does not work with a v2.5 client, complain to the VPN
service provider.

More details on these new features as well as a list of deprecated features and
user-visible changes are available in Changes.rst.


LINUX PACKAGES ARE AVAILABLE FROM

 * Official Debian and Ubuntu apt repositories
 * Red Hat/Fedora dnf/yum repositories (provided by Fedora Copr)


USEFUL RESOURCES

 * Official documentation
 * Wiki
 * Bug tracker
 * Support forums
 * User mailing list
 * User IRC channel (#openvpn at irc.libera.chat)

OPENVPN 2.4.12 -- RELEASED 17 MARCH, 2022

The OpenVPN community project team is proud to release OpenVPN 2.4.12, the final
release in the 2.4.x series. This is mostly a bugfix release including one
security fix ("Disallow multiple deferred authentication plug-ins.", CVE:
2022-0547).

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.4.12.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.4.12.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.4.12.zip

WINDOWS 7/8/8.1/SERVER 2012R2 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.12-I601-Win7.exe

WINDOWS 10/SERVER 2016/SERVER 2019 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.12-I601-Win10.exe

OPENVPN 2.4.11 -- RELEASED 21 APRIL, 2021

The OpenVPN community project team is proud to release OpenVPN 2.4.11. It fixes
two related security vulnerabilities (CVE-2020-15078) which under very specific
circumstances allow tricking a server using delayed authentication (plugin or
management) into returning a PUSH_REPLY before the AUTH_FAILED message, which
can possibly be used to gather information about a VPN setup. This release also
includes other bug fixes and improvements. The I602 Windows installers fix a
possible security issue with OpenSSL config autoloading on Windows
(CVE-2021-3606). Updated OpenSSL and OpenVPN GUI are included in Windows
installers.

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.4.11.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.4.11.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.4.11.zip

WINDOWS 7/8/8.1/SERVER 2012R2 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.11-I602-Win7.exe

WINDOWS 10/SERVER 2016/SERVER 2019 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.11-I602-Win10.exe

A summary of the changes is available in Changes.rst, and a full list of changes
is available here.

Please note that LibreSSL is not a supported crypto backend. We accept patches
and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions
of LibreSSL break API compatibility we do not take responsibility to fix that.

Also note that Windows installers have been built with NSIS version that has
been patched against several NSIS installer code execution and privilege
escalation problems. Based on our testing, though, older Windows versions such
as Windows 7 might not benefit from these fixes. We thus strongly encourage you
to always move NSIS installers to a non-user-writeable location before running
them.

Please note that OpenVPN 2.4 installers will not work on Windows XP. The last
OpenVPN version that supports Windows XP is 2.3.18, which is downloadable as
32-bit and 64-bit versions.

If you find a bug in this release, please file a bug report to our Trac bug
tracker. In uncertain cases please contact our developers first, either using
the openvpn-devel mailinglist or the developer IRC channel (#openvpn-devel at
irc.libera.chat). For generic help take a look at our official documentation,
wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at
irc.libera.chat).

Important: you will need to use the correct installer for your operating system.
The Windows 10 installer works on Windows 10 and Windows Server 2016/2019. The
Windows 7 installer will work on Windows 7/8/8.1/Server 2012r2. This is because
of Microsoft's driver signing requirements are different for kernel-mode devices
drivers, which in our case affects OpenVPN's tap driver (tap-windows6).

OPENVPN 2.4.10 -- RELEASED 9 DECEMBER, 2020

This is primarily a maintenance release with bugfixes and small improvements.
Windows installers include the latest OpenSSL version (1.1.1i) which includes
security fixes.

A summary of the changes is available in Changes.rst, and a full list of changes
is available here.

Please note that LibreSSL is not a supported crypto backend. We accept patches
and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions
of LibreSSL break API compatibility we do not take responsibility to fix that.

Also note that Windows installers have been built with NSIS version that has
been patched against several NSIS installer code execution and privilege
escalation problems. Based on our testing, though, older Windows versions such
as Windows 7 might not benefit from these fixes. We thus strongly encourage you
to always move NSIS installers to a non-user-writeable location before running
them.

Please note that OpenVPN 2.4 installers will not work on Windows XP. The last
OpenVPN version that supports Windows XP is 2.3.18, which is downloadable as
32-bit and 64-bit versions.

If you find a bug in this release, please file a bug report to our Trac bug
tracker. In uncertain cases please contact our developers first, either using
the openvpn-devel mailinglist or the developer IRC channel (#openvpn-devel at
irc.libera.chat). For generic help take a look at our official documentation,
wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at
irc.libera.chat).

Important: you will need to use the correct installer for your operating system.
The Windows 10 installer works on Windows 10 and Windows Server 2016/2019. The
Windows 7 installer will work on Windows 7/8/8.1/Server 2012r2. This is because
of Microsoft's driver signing requirements are different for kernel-mode devices
drivers, which in our case affects OpenVPN's tap driver (tap-windows6).

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.4.10.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.4.10.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.4.10.zip

WINDOWS 7/8/8.1/SERVER 2012R2 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.10-I601-Win7.exe

WINDOWS 10/SERVER 2016/SERVER 2019 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.10-I601-Win10.exe

Instructions for verifying the signatures are available here.

This release is also available in our own software repositories for Debian and
Ubuntu, Supported architectures are i386 and amd64. For details. look here.

The Windows installers are bundled with OpenVPN-GUI - its source code is
available on its project page and as tarballs on our alternative download
server.

OPENVPN 2.4.9 -- RELEASED 17 APRIL, 2020

This is primarily a maintenance release with bugfixes and improvements. This
release also fixes a security issue (CVE-2020-11810, trac #1272) which allows
disrupting service of a freshly connected client that has not yet not negotiated
session keys. The vulnerability cannot be used to inject or steal VPN traffic.

A summary of the changes is available in Changes.rst, and a full list of changes
is available here.

Please note that LibreSSL is not a supported crypto backend. We accept patches
and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions
of LibreSSL break API compatibility we do not take responsibility to fix that.

Also note that Windows installers have been built with NSIS version that has
been patched against several NSIS installer code execution and privilege
escalation problems. Based on our testing, though, older Windows versions such
as Windows 7 might not benefit from these fixes. We thus strongly encourage you
to always move NSIS installers to a non-user-writeable location before running
them. We are moving to MSI installers in OpenVPN 2.5, but OpenVPN 2.4.x will
remain NSIS-only.

Compared to OpenVPN 2.3 this is a major update with a large number of new
features, improvements and fixes. Some of the major features are AEAD (GCM)
cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack
support and more seamless connection migration when client's IP address changes
(Peer-ID). Also, the new --tls-crypt feature can be used to increase users'
connection privacy.

OpenVPN GUI bundled with the Windows installer has a large number of new
features compared to the one bundled with OpenVPN 2.3. One of major features is
the ability to run OpenVPN GUI without administrator privileges. For full
details, see the changelog. The new OpenVPN GUI features are documented here.

Please note that OpenVPN 2.4 installers will not work on Windows XP. The last
OpenVPN version that supports Windows XP is 2.3.18, which is downloadable as
32-bit and 64-bit versions.

If you find a bug in this release, please file a bug report to our Trac bug
tracker. In uncertain cases please contact our developers first, either using
the openvpn-devel mailinglist or the developer IRC channel (#openvpn-devel at
irc.libera.chat). For generic help take a look at our official documentation,
wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at
irc.libera.chat).

Important: you will need to use the correct installer for your operating system.
The Windows 10 installer works on Windows 10 and Windows Server 2016/2019. The
Windows 7 installer will work on Windows 7/8/8.1/Server 2012r2. This is because
of Microsoft's driver signing requirements are different for kernel-mode devices
drivers, which in our case affects OpenVPN's tap driver (tap-windows6).

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.4.9.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.4.9.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.4.9.zip

WINDOWS 7/8/8.1/SERVER 2012R2 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.9-I601-Win7.exe

WINDOWS 10/SERVER 2016/SERVER 2019 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.9-I601-Win10.exe

NOTE: the GPG key used to sign the release files has been changed since OpenVPN
2.4.0. Instructions for verifying the signatures, as well as the new GPG public
key are available here.

We also provide static URLs pointing to latest releases to ease automation. For
a list of files look here.

This release is also available in our own software repositories for Debian and
Ubuntu, Supported architectures are i386 and amd64. For details. look here.

You can use EasyRSA 2 or EasyRSA 3 for generating your own certificate
authority. The former is bundled with Windows installers. The latter is a more
modern alternative for UNIX-like operating systems.

The Windows installers are bundled with OpenVPN-GUI - its source code is
available on its project page and as tarballs on our alternative download
server.

OPENVPN 2.4.8 -- RELEASED 31 OCTOBER, 2019

This is primarily a maintenance release with bugfixes and improvements. The
Windows installers (I601) have several improvements compared to the previous
release:

 * New tap-windows6 driver (9.24.2) which fixes some suspend and resume issues
 * Latest OpenVPN-GUI
 * Considerable performance boost due to new compiler optimization flags

A summary of the changes is available in Changes.rst, and a full list of changes
is available here.

Please note that LibreSSL is not a supported crypto backend. We accept patches
and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions
of LibreSSL break API compatibility we do not take responsibility to fix that.

Also note that Windows installers have been built with NSIS version that has
been patched against several NSIS installer code execution and privilege
escalation problems. Based on our testing, though, older Windows versions such
as Windows 7 might not benefit from these fixes. We thus strongly encourage you
to always move NSIS installers to a non-user-writeable location before running
them. We are moving to MSI installers in OpenVPN 2.5, but OpenVPN 2.4.x will
remain NSIS-only.

Compared to OpenVPN 2.3 this is a major update with a large number of new
features, improvements and fixes. Some of the major features are AEAD (GCM)
cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack
support and more seamless connection migration when client's IP address changes
(Peer-ID). Also, the new --tls-crypt feature can be used to increase users'
connection privacy.

OpenVPN GUI bundled with the Windows installer has a large number of new
features compared to the one bundled with OpenVPN 2.3. One of major features is
the ability to run OpenVPN GUI without administrator privileges. For full
details, see the changelog. The new OpenVPN GUI features are documented here.

Please note that OpenVPN 2.4 installers will not work on Windows XP. The last
OpenVPN version that supports Windows XP is 2.3.18, which is downloadable as
32-bit and 64-bit versions.

If you find a bug in this release, please file a bug report to our Trac bug
tracker. In uncertain cases please contact our developers first, either using
the openvpn-devel mailinglist or the developer IRC channel (#openvpn-devel at
irc.libera.chat). For generic help take a look at our official documentation,
wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at
irc.libera.chat).

Important: you will need to use the correct installer for your operating system.
The Windows 10 installer works on Windows 10 and Windows Server 2016/2019. The
Windows 7 installer will work on Windows 7/8/8.1/Server 2012r2. This is because
of Microsoft's driver signing requirements are different for kernel-mode devices
drivers, which in our case affects OpenVPN's tap driver (tap-windows6).

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.4.8.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.4.8.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.4.8.zip

WINDOWS 7/8/8.1/SERVER 2012R2 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.8-I602-Win7.exe

WINDOWS 10/SERVER 2016/SERVER 2019 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.8-I602-Win10.exe

NOTE: the GPG key used to sign the release files has been changed since OpenVPN
2.4.0. Instructions for verifying the signatures, as well as the new GPG public
key are available here.

We also provide static URLs pointing to latest releases to ease automation. For
a list of files look here.

This release is also available in our own software repositories for Debian and
Ubuntu, Supported architectures are i386 and amd64. For details. look here.

You can use EasyRSA 2 or EasyRSA 3 for generating your own certificate
authority. The former is bundled with Windows installers. The latter is a more
modern alternative for UNIX-like operating systems.

The Windows installers are bundled with OpenVPN-GUI - its source code is
available on its project page and as tarballs on our alternative download
server.

OPENVPN 2.4.7 -- RELEASED 21 FEBRUARY, 2019

This is primarily a maintenance release with bugfixes and improvements. One of
the big things is enhanced TLS 1.3 support. A summary of the changes is
available in Changes.rst, and a full list of changes is available here.

Please note that LibreSSL is not a supported crypto backend. We accept patches
and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions
of LibreSSL break API compatibility we do not take responsibility to fix that.

Also note that Windows installers have been built with NSIS version that has
been patched against several NSIS installer code execution and privilege
escalation problems. Based on our testing, though, older Windows versions such
as Windows 7 might not benefit from these fixes. We thus strongly encourage you
to always move NSIS installers to a non-user-writeable location before running
them. We are moving to MSI installers in OpenVPN 2.5, but OpenVPN 2.4.x will
remain NSIS-only.

Compared to OpenVPN 2.3 this is a major update with a large number of new
features, improvements and fixes. Some of the major features are AEAD (GCM)
cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack
support and more seamless connection migration when client's IP address changes
(Peer-ID). Also, the new --tls-crypt feature can be used to increase users'
connection privacy.

OpenVPN GUI bundled with the Windows installer has a large number of new
features compared to the one bundled with OpenVPN 2.3. One of major features is
the ability to run OpenVPN GUI without administrator privileges. For full
details, see the changelog. The new OpenVPN GUI features are documented here.

Please note that OpenVPN 2.4 installers will not work on Windows XP. The last
OpenVPN version that supports Windows XP is 2.3.18, which is downloadable as
32-bit and 64-bit versions.

If you find a bug in this release, please file a bug report to our Trac bug
tracker. In uncertain cases please contact our developers first, either using
the openvpn-devel mailinglist or the developer IRC channel (#openvpn-devel at
irc.libera.chat). For generic help take a look at our official documentation,
wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at
irc.libera.chat).

Important: you will need to use the correct installer for your operating system.
The Windows 10 installer will not work on Windows 7/8/8.1/Server 2012r2. This is
because Microsoft's driver signing requirements and tap-windows6. For the same
reason you need to use an older installer with Windows Server 2016. This older
installer has a local privilege escalation vulnerability issue which we cannot
resolve for Windows Server 2016 until tap-windows6 passes the HLK test suite on
that platform. In the meanwhile we recommend Windows Server 2016 users to avoid
installing OpenVPN/tap-windows6 driver on hosts where all users can't be
trusted. Users of Windows 7-10 and Server 2012r2 are recommended to update to
latest installers as soon as possible.

 

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.4.7.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.4.7.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.4.7.zip

WINDOWS 7/8/8.1/SERVER 2012R2 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.7-I607-Win7.exe

WINDOWS 10 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.7-I607-Win10.exe

WINDOWS SERVER 2016 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.7-I603.exe

NOTE: the GPG key used to sign the release files has been changed since OpenVPN
2.4.0. Instructions for verifying the signatures, as well as the new GPG public
key are available here.

We also provide static URLs pointing to latest releases to ease automation. For
a list of files look here.

This release is also available in our own software repositories for Debian and
Ubuntu, Supported architectures are i386 and amd64. For details. look here.

You can use EasyRSA 2 or EasyRSA 3 for generating your own certificate
authority. The former is bundled with Windows installers. The latter is a more
modern alternative for UNIX-like operating systems.

The Windows installers are bundled with OpenVPN-GUI - its source code is
available on its project page and as tarballs on our alternative download
server.

OPENVPN 2.4.6 -- RELEASED 24 APRIL, 2018

This is primarily a maintenance release with minor bugfixes and improvements,
and one security relevant fix for the Windows Interactive Service. Windows
installer includes updated OpenVPN GUI and OpenSSL. Installer I601 included
tap-windows6 driver 9.22.1 which had one security fix and dropped Windows Vista
support. However, in installer I602 we had to revert back to tap-windows 9.21.2
due to driver getting reject on freshly installed Windows 10 rev 1607 and later
when Secure Boot was enabled. The failure was due to the new, more strict driver
signing requirements. The 9.22.1 version of the driver is in the process of
getting approved and signed by Microsoft and will be bundled in an upcoming
Windows installer.

Please note that LibreSSL is not a supported crypto backend. We accept patches
and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions
of LibreSSL break API compatibility we do not take responsibility to fix that.

Also note that Windows installers have been built with NSIS version that has
been patched against several NSIS installer code execution and privilege
escalation problems. Based on our testing, though, older Windows versions such
as Windows 7 might not benefit from these fixes. We thus strongly encourage you
to always move NSIS installers to a non-user-writeable location before running
them. Our long-term plan is to migrate to using MSI installers instead.

Compared to OpenVPN 2.3 this is a major update with a large number of new
features, improvements and fixes. Some of the major features are AEAD (GCM)
cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack
support and more seamless connection migration when client's IP address changes
(Peer-ID). Also, the new --tls-crypt feature can be used to increase users'
connection privacy.

A summary of the changes is available in Changes.rst, and a full list of changes
is available here.

OpenVPN GUI bundled with the Windows installer has a large number of new
features compared to the one bundled with OpenVPN 2.3. One of major features is
the ability to run OpenVPN GUI without administrator privileges. For full
details, see the changelog. The new OpenVPN GUI features are documented here.

Please note that OpenVPN 2.4 installers will not work on Windows XP.

If you find a bug in this release, please file a bug report to our Trac bug
tracker. In uncertain cases please contact our developers first, either using
the openvpn-devel mailinglist or the developha er IRC channel (#openvpn-devel at
irc.libera.chat). For generic help take a look at our official documentation,
wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at
irc.libera.chat).

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.4.6.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.4.6.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.4.6.zip

WINDOWS INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.6-I602.exe

NOTE: the GPG key used to sign the release files has been changed since OpenVPN
2.4.0. Instructions for verifying the signatures, as well as the new GPG public
key are available here.

We also provide static URLs pointing to latest releases to ease automation. For
a list of files look here.

This release is also available in our own software repositories for Debian and
Ubuntu, Supported architectures are i386 and amd64. For details. look here.

You can use EasyRSA 2 or EasyRSA 3 for generating your own certificate
authority. The former is bundled with Windows installers. The latter is a more
modern alternative for UNIX-like operating systems.

The Windows installers are bundled with OpenVPN-GUI - its source code is
available on its project page and as tarballs on our alternative download
server.


UPDATES & ANNOUNCEMENTS

OpenVPN Cloud


CYBER SHIELD RELEASED

Cyber Shield protects you from cyber threats without requiring you to tunnel
internet traffic. Turn Shield ON.

Learn More 

Access Server


RELEASE NOTES 2.11.0

Access Server 2.11.0 introduces SAML authentication support. Additionally Ubuntu
22.04 LTS is now supported, the openvpn:// import URI schema is added, and 3
security issues are fixed.

Read Release Notes 


ACCESS SERVER

Our popular self-hosted solution that comes with two free VPN connections.

Sign up for Access Server


OPENVPN CLOUD

Sign up for OpenVPN-as-a-Service with three free VPN connections.

Sign up for OpenVPN Cloud

OpenVPN is a leading global private networking and cybersecurity company that
allows organizations to truly safeguard their assets in a dynamic, cost
effective, and scalable way.


 * Access Server
 * Release Notes
 * Security Advisories
 * Documentation
 * Plugins

 * OpenVPN Cloud
 * Features
 * Cyber Shield
 * Quick Start Guide
 * Documentation

 * Resources
 * Support Center
 * What is a VPN?
 * Resource Center
 * Vulnerability Reporting
 * Compliance

 * Company
 * About Us
 * Careers
 * Blog
 * Contact
 * In The News
 * Partner with us

Service Status All Systems Operational
Privacy Legal Your Privacy Settings
© Copyright 2022 OpenVPN | OpenVPN is a registered trademark of OpenVPN, Inc.


×