openvpn.net Open in urlscan Pro
2606:4700::6813:bf6a  Public Scan

Submitted URL: https://openvpn.net/index.php/open-source/downloads.html
Effective URL: https://openvpn.net/community-downloads/
Submission: On August 01 via manual from IN — Scanned from US

Form analysis 1 forms found in the DOM

<form novalidate="" class="ais-SearchBox-form" action="" role="search"><input type="search" placeholder="Search OpenVPN" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" required="" maxlength="512"
    class="ais-SearchBox-input" value=""><button type="submit" title="Submit your search query." class="ais-SearchBox-submit"><svg class="ais-SearchBox-submitIcon" xmlns="http://www.w3.org/2000/svg" width="10" height="10" viewBox="0 0 40 40"
      aria-hidden="true">
      <path
        d="M26.804 29.01c-2.832 2.34-6.465 3.746-10.426 3.746C7.333 32.756 0 25.424 0 16.378 0 7.333 7.333 0 16.378 0c9.046 0 16.378 7.333 16.378 16.378 0 3.96-1.406 7.594-3.746 10.426l10.534 10.534c.607.607.61 1.59-.004 2.202-.61.61-1.597.61-2.202.004L26.804 29.01zm-10.426.627c7.323 0 13.26-5.936 13.26-13.26 0-7.32-5.937-13.257-13.26-13.257C9.056 3.12 3.12 9.056 3.12 16.378c0 7.323 5.936 13.26 13.258 13.26z">
      </path>
    </svg></button><button type="reset" title="Clear the search query." class="ais-SearchBox-reset" hidden=""><svg class="ais-SearchBox-resetIcon" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20" width="10" height="10" aria-hidden="true">
      <path d="M8.114 10L.944 2.83 0 1.885 1.886 0l.943.943L10 8.113l7.17-7.17.944-.943L20 1.886l-.943.943-7.17 7.17 7.17 7.17.943.944L18.114 20l-.943-.943-7.17-7.17-7.17 7.17-.944.943L0 18.114l.943-.943L8.113 10z"></path>
    </svg></button></form>

Text Content

NEW

Free Guide: Evaluating Network Security

 * 
 * Community
 * Support
 * Log In

Products Solutions Resources Partners Apps Pricing
Request a Demo Get Started for Free
Access Server

 * Secure remote access solution to your private network, in the cloud or
   on-prem. Get started

 * OpenVPN server with kernel acceleration (DCO)
 * Firewall and access control
 * Use multiple authentication methods simultaneously
 * High availability

CloudConnexa®

 * Cloud-delivered service to connect private networks, devices and servers. Get
   Started

 * Simple configuration
 * Zero-Trust Network Access (Private & SaaS)
 * Cybersecurity with SWG and IDS/IPS
 * Routing using domain names

Get Started
 * Product Comparison
   
   Explore the differences

 * Request Demo
   
   See OpenVPN Cloud in action

 * Customer Stories
   
   Hear what our customershave to say

 * Use Cases
 * Industry
 * Role
 * Compliance

 * Secure Remote Access
 * Secure IoT Communications
 * Protecting Access to SaaS applications
 * Site-to-site Networking

 * Enforcing Zero Trust Access
 * Cyber Threat Protection & Content Filtering
 * Restricted Internet Access

Check out an interactive product tourProduct Tour

 * Energy / Utilities
 * Engineering
 * Finance / Insurance
 * Healthcare / Pharma

 * Manufacturing
 * Technology
 * Retail and Entertainment

Check out an interactive product tourProduct Tour

 * IT Administration
 * Security & DevSecOps
 * CISO & CSO
 * Business Owner

Check out an interactive product tourProduct Tour

 * Technical Resources
 * Company
 * Blog

Access Server
 * Documentation
 * Quick Start
 * Admin UI Manual
 * Release Notes

CloudConnexa®
 * Documentation
 * Quick Start
 * Release Notes

OpenVPN Connect
 * Documentation
 * Downloads

QUESTIONS

Get in touch with our technical support engineers

Contact Support
Company
 * About Us
 * Careers
 * Contact
 * Press & Media

 * Compliance

In The News
 * OpenVPN CEO Featured In Video Showcase
   
   Sharing His #TechTrend Predictions

Partners
 * MSPs
 * VARs
 * Compliance

Program & Resources
 * Become a Partner

NEW

Free Guide: Evaluating Network Security

 * 
 * Community
 * Support
 * Log In


Products
Access Server

 * Secure remote access solution to your private network, in the cloud or
   on-prem. Get started

 * OpenVPN server with kernel acceleration (DCO)
 * Firewall and access control
 * Use multiple authentication methods simultaneously
 * High availability

CloudConnexa®

 * Cloud-delivered service to connect private networks, devices and servers. Get
   Started

 * Simple configuration
 * Zero-Trust Network Access (Private & SaaS)
 * Cybersecurity with SWG and IDS/IPS
 * Routing using domain names

Get Started
 * Product Comparison
   
   Explore the differences

 * Request Demo
   
   See OpenVPN Cloud in action

 * Customer Stories
   
   Hear what our customershave to say

Solutions
 * Use Cases
    * Secure Remote Access
    * Secure IoT Communications
    * Protecting Access to SaaS applications
    * Site-to-site Networking
   
    * Enforcing Zero Trust Access
    * Cyber Threat Protection & Content Filtering
    * Restricted Internet Access
   
   Check out an interactive product tourProduct Tour

 * Industry
    * Energy / Utilities
    * Engineering
    * Finance / Insurance
    * Healthcare / Pharma
   
    * Manufacturing
    * Technology
    * Retail and Entertainment
   
   Check out an interactive product tourProduct Tour

 * Role
    * IT Administration
    * Security & DevSecOps
    * CISO & CSO
    * Business Owner
   
   Check out an interactive product tourProduct Tour

 * Compliance

Resources
 * Technical Resources
   Access Server
    * Documentation
    * Quick Start
    * Admin UI Manual
    * Release Notes
   
   CloudConnexa®
    * Documentation
    * Quick Start
    * Release Notes
   
   OpenVPN Connect
    * Documentation
    * Downloads
   
   QUESTIONS
   
   Get in touch with our technical support engineers
   
   Contact Support
 * Company
   Company
    * About Us
    * Careers
    * Contact
    * Press & Media
   
    * Compliance
   
   In The News
    * OpenVPN CEO Featured In Video Showcase
      
      Sharing His #TechTrend Predictions

 * Blog

Partners
Partners
 * MSPs
 * VARs
 * Compliance

Program & Resources
 * Become a Partner

Apps Pricing
 * Support
 * Community
 * Legal
 * Contact

 * Request a Demo
 * Careers
 * About

Get Started for Free Log In


COMMUNITY DOWNLOADS

OPENVPN 2.6.12 -- RELEASED 18 JULY 2024

The OpenVPN community project team is proud to release OpenVPN 2.6.12. This is a
bugfix release.

For details see  Changes.rst

Bug fixes:

 * the fix for CVE-2024-5594 (refuse control channel messages with nonprintable
   characters) was too strict, breaking user configurations with AUTH_FAIL
   messages having trailing CR/NL characters. This often happens if the
   AUTH_FAIL reason is set by a script. Strip those before testing the command
   buffer (github  #568). Also, add unit test.
 * Http-proxy: fix bug preventing proxy credentials caching (trac #1187)

Windows MSI changes since 2.6.11:

 * Built against OpenSSL 3.3.1
 * Included openvpn-gui updated to 11.50.0.0
   * Update Italian language (github  #696)

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.12-I001-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.6.12-I001-arm64.msi

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.12-I001-x86.msi

SOURCE ARCHIVE FILE

GnuPG Signature openvpn-2.6.12.tar.gz

OPENVPN 2.6.11 -- RELEASED 20 JUNE 2024

The OpenVPN community project team is proud to release OpenVPN 2.6.11. This is a
bugfix release containing several security fixes.

For details see  Changes.rst

Security fixes:

 * CVE-2024-4877: Windows: harden interactive service pipe. Security scope: a
   malicious process with "some" elevated privileges (SeImpersonatePrivilege)
   could open the pipe a second time, tricking openvn GUI into providing user
   credentials (tokens), getting full access to the account openvpn-gui.exe runs
   as. (Zeze with TeamT5)
 * CVE-2024-5594: control channel: refuse control channel messages with
   nonprintable characters in them. Security scope: a malicious openvpn peer can
   send garbage to openvpn log, or cause high CPU load. (Reynir Björnsson)
 * CVE-2024-28882: only call schedule_exit() once (on a given peer). Security
   scope: an authenticated client can make the server "keep the session" even
   when the server has been told to disconnect this client (Reynir Björnsson)

New features:

 * Windows Crypto-API: Implement Windows CA template match for searching
   certificates in windows crypto store.
 * Support pre-created DCO interface on FreeBSD (OpenVPN would fail to set
   ifmode p2p/subnet otherwise)

Bug fixes:

 * Fix connect timeout when using SOCKS proxies (trac #328, github  #267)
 * Work around LibreSSL crashing on OpenBSD 7.5 when enumerating ciphers
   (LibreSSL bug, already fixed upstream, but not backported to OpenBSD 7.5, see
   also  LibreSSL/OpenBSD#150)
 * Add bracket in fingerprint message and do not warn about missing verification
   (github  #516)

Documentation:

 * Remove "experimental" denotation for --fast-io
 * Correctly document ifconfig_* variables passed to scripts
 * Documentation: make section levels consistent
 * Samples: Update sample configurations (remove compression & old cipher
   settings, add more informative comments)

Windows MSI changes since 2.6.10:

 * For the Windows-specific security fixes see above
 * Built against OpenSSL 3.3.1
 * Included openvpn-gui updated to 11.49.0.0
   * Contains part of the fix for  CVE-2024-4877

Note: Windows MSI was updated to I002 on June 26th. Changes in I002:

 * Group names are localized in some localizations, so we have to use SIDs.
   (Github:  #671)

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.11-I002-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.6.11-I002-arm64.msi

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.11-I002-x86.msi

SOURCE ARCHIVE FILE

GnuPG Signature openvpn-2.6.11.tar.gz

OPENVPN 2.6.10 -- RELEASED 20 MARCH 2024

The OpenVPN community project team is proud to release OpenVPN 2.6.10. This is a
bugfix release containing several security fixes specific to the Windows
platform.

For details see  Changes.rst

Security fixes:

 * CVE-2024-27459: Windows: fix a possible stack overflow in the interactive
   service component which might lead to a local privilege escalation.
   Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
 * CVE-2024-24974: Windows: disallow access to the interactive service pipe from
   remote computers. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
 * CVE-2024-27903: Windows: disallow loading of plugins from untrusted
   installation paths, which could be used to attack openvpn.exe via a malicious
   plugin. Plugins can now only be loaded from the OpenVPN install directory,
   the Windows system directory, and possibly from a directory specified
   by HKLM\SOFTWARE\OpenVPN\plugin_dir. Reported-by: Vladimir Tokarev
   <vtokarev@microsoft.com>
 * CVE-2024-1305: Windows TAP driver: Fix potential integer overflow in
   TapSharedSendPacket. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>

New features:

 * t_client.sh can now run pre-tests and skip a test block if needed (e.g. skip
   NTLM proxy tests if SSL library does not support MD4)

User visible changes:

 * Update copyright notices to 2024

Bug fixes:

 * Windows: if the win-dco driver is used (default) and the GUI requests use of
   a proxy server, the connection would fail. Disable DCO in this case.
   (Github:  #522)
 * Compression: minor bugfix in checking option consistency vs. compiled-in
   algorithm support
 * systemd unit files: remove obsolete syslog.target

Documentation:

 * remove license warnings about mbedTLS linking (README.mbedtls)
 * update documentation references in systemd unit files
 * sample config files: remove obsolete tls-*.conf files
 * document that auth-user-pass may be inlined

Windows MSI changes since 2.6.9:

 * For the Windows-specific security fixes see above
 * Built against OpenSSL 3.2.1
 * Included tap6-windows driver updated to 9.27.0
   * Security fix, see above
 * Included ovpn-dco-win driver updated to 1.0.1
   * Ensure we don't pass too large key size to CryptoNG. We do not consider
     this a security issue since the CryptoNG API handles this gracefully either
     way.
 * Included openvpn-gui updated to 11.48.0.0
   * Position tray tooltip above the taskbar
   * Combine title and message in tray icon tip text
   * Use a custom tooltip window for the tray icon

Note: Windows MSI was updated to I002 on April 15th. Changes in I002:

 * Update include ovpn-dco-win to v1.1.1
   * Improves reconnect behavior after hibernate/standby. (Github:  #64)

Note: Windows MSI was updated to I003 on May 23rd. Changes in I003:

 * Update include ovpn-dco-win to v1.2.1
   * Fix bug check in timer management routines. (Github:  #70)

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.10-I003-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.6.10-I003-arm64.msi

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.10-I003-x86.msi

SOURCE ARCHIVE FILE

GnuPG Signature openvpn-2.6.10.tar.gz

OPENVPN 2.6.9 -- RELEASED 12 FEBRUARY 2024

The OpenVPN community project team is proud to release OpenVPN 2.6.9. This is a
bugfix release containing one security fix for the Windows installer.

For details see  Changes.rst

Security fixes:

 * Windows Installer: fix  CVE-2023-7235 where installing to a non-default
   directory could lead to a local privilege escalation. Reported by Will
   Dormann.

New features:

 * Add support for building with mbedTLS 3.x.x
 * New option --force-tls-key-material-export to only accept clients that can do
   TLS keying material export to generate session keys (mostly an internal
   option to better deal with TLS 1.0 PRF failures).
 * Windows: bump vcpkg-ports/pkcs11-helper to 1.30
 * Log incoming SSL alerts in easier to understand form and move logging
   from --verb 8 to --verb 3.
 * protocol_dump(): add support for printing --tls-crypt packets

User visible changes:

 * License change is now complete, and all code has been re-licensed under the
   new license (still GPLv2, but with new linking exception for Apache2 licensed
   code). See  COPYING for details.

> Code that could not be re-licensed has been removed or rewritten.

 * The original code for the --tls-export-cert feature has been removed (due to
   the re-licensing effort) and rewritten without looking at the original code.
   Feature-compatibility has been tested by other developers, looking at both
   old and new code and documentation, so there *should* not be a user-visible
   change here.
 * IPv6 route addition/deletion are now logged on the same level (3) as for
   IPv4. Previously IPv6 was always logged at --verb 1.
 * Better handling of TLS 1.0 PRF failures in the underlying SSL library (e.g.
   on some FIPS builds) - this is now reported on startup, and clients before
   2.6.0 that can not use TLS EKM to generate key material are rejected by the
   server. Also, error messages are improved to see what exactly failed.

Notable bug fixes:

 * FreeBSD: for servers with multiple clients, reporting of peer traffic
   statistics would fail due to insufficient buffer space (Github:  #487)

Windows MSI changes since 2.6.8:

 * Security fix, see above
 * Built against OpenSSL 3.2.0
 * Included openvpn-gui updated to 11.47.0.0
   * Windows GUI: always update tray icon on state change (Github:  #669) (for
     persistent connection profiles, "connecting" state would not show)

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.9-I001-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.6.9-I001-arm64.msi

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.9-I001-x86.msi

SOURCE ARCHIVE FILE

GnuPG Signature openvpn-2.6.9.tar.gz

OPENVPN 2.6.8 -- RELEASED 17 NOVEMBER 2023

The OpenVPN community project team is proud to release OpenVPN 2.6.8. This is a
small bugfix release fixing a few regressions in 2.6.7 release.

For details see  Changes.rst

User visible changes:

 * Windows: print warning if pushed options require DHCP (e.g. DOMAIN-SEARCH)
   and driver in use does not use DHCP (wintun, dco).

Bug fixes:

 * SIGSEGV crash: Do not check key_state buffers that are in S_UNDEF state
   (Github  #449) - the new sanity check function introduced in 2.6.7 sometimes
   tried to use a NULL pointer after an unsuccessful TLS handshake
 * Windows: --dns option did not work when tap-windows6 driver was used, because
   internal flag for "apply DNS option to DHCP server" wasn't set (Github  #447)
 * Windows: fix status/log file permissions, caused by regression after changing
   to CMake build system (Github:  #454, Trac:  #1430)
 * Windows: fix --chdir failures, also caused by error in CMake build system
   (Github  #448)

Windows MSI changes since 2.6.7:

 * Included openvpn-gui updated to 11.46.0.0

For Community-maintained packages for Linux distributions
see OpenvpnSoftwareRepos

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.8-I001-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.6.8-I001-arm64.msi

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.8-I001-x86.msi

SOURCE ARCHIVE FILE

GnuPG Signature openvpn-2.6.8.tar.gz

OPENVPN 2.6.7 -- RELEASED 9 NOVEMBER 2023

The OpenVPN community project team is proud to release OpenVPN 2.6.7. This is a
bugfix release containing security fixes.

For details see  Changes.rst

Security Fixes:

 * CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a
   send buffer after it has been free()d in some circumstances, causing some
   free()d memory to be sent to the peer. All configurations using TLS (e.g. not
   using --secret) are affected by this issue. (found while tracking down
   CVE-2023-46849 / Github  #400,  #417)
 * CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly
   restore --fragment configuration in some circumstances, leading to a division
   by zero when --fragment is used. On platforms where division by zero is
   fatal, this will cause an OpenVPN crash. (Github  #400,  #417).

User visible changes:

 * DCO: warn if DATA_V1 packets are sent by the other side - this a hard
   incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4 server,
   and the only fix is to use --disable-dco.
 * Remove OpenSSL Engine method for loading a key. This had to be removed
   because the original author did not agree to relicensing the code with the
   new linking exception added. This was a somewhat obsolete feature anyway as
   it only worked with OpenSSL 1.x, which is end-of-support.
 * add warning if p2p NCP client connects to a p2mp server - this is a
   combination that used to work without cipher negotiation (pre 2.6 on both
   ends), but would fail in non-obvious ways with 2.6 to 2.6.
 * add warning to --show-groups that not all supported groups are listed (this
   is due the internal enumeration in OpenSSL being a bit weird, omitting X448
   and X25519 curves).
 * --dns: remove support for exclude-domains argument (this was a new 2.6
   option, with no backend support implemented yet on any platform, and it turns
   out that no platform supported it at all - so remove option again)
 * warn user if INFO control message too long, do not forward to management
   client (safeguard against protocol-violating server implementations)

New features:

 * DCO-WIN: get and log driver version (for easier debugging).
 * print "peer temporary key details" in TLS handshake
 * log OpenSSL errors on failure to set certificate, for example if the
   algorithms used are in acceptable to OpenSSL (misleading message would be
   printed in cryptoapi / pkcs11 scenarios)
 * add CMake build system for MinGW and MSVC builds
 * remove old MSVC build system
 * improve cmocka unit test building for Windows

Windows MSI changes since 2.6.6:

 * Included openvpn-gui updated to 11.45.0.0
   * Add clarity for error on missing management parameter. See GH  #657
   * Improve "OpenVPN GUI" tooltip handling See GH  #649
 * MSIs now use OpenSSL 3.1.4

For Community-maintained packages for Linux distributions
see OpenvpnSoftwareRepos

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.7-I001-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.6.7-I001-arm64.msi

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.7-I001-x86.msi

SOURCE ARCHIVE FILE

GnuPG Signature openvpn-2.6.7.tar.gz

OPENVPN 2.6.6 -- RELEASED 15 AUGUST 2023

The OpenVPN community project team is proud to release OpenVPN 2.6.6. This is a
small bugfix release.

For details see  Changes.rst

User visible changes:

 * OCC exit messages are now logged more visibly See GH  #391.
 * OpenSSL error messages are now logged with more details (for example, when
   loading a provider fails, which .so was tried, and why did it fail) See GH 
   #361.
 * print a more user-friendly message when tls-crypt-v2 client auth fails
 * packaging now includes all documentation in the source tarball

New features:

 * set WINS server via interactive service - this adds support for "dhcp-option
   WINS 192.0.2.1" for DCO + wintun interfaces where no DHCP server is used. See
   GH  #373.

Windows MSI changes since 2.6.5:

 * Included openvpn-gui updated to 11.44.0.0
 * MSIs now use OpenSSL 3.1.2

For Community-maintained packages for Linux distributions
see OpenvpnSoftwareRepos

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.6-I001-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.6.6-I001-arm64.msi

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.6-I001-x86.msi

SOURCE ARCHIVE FILE

GnuPG Signature openvpn-2.6.6.tar.gz

OPENVPN 2.6.5 -- RELEASED 13 JUNE 2023

The OpenVPN community project team is proud to release OpenVPN 2.6.5. This is a
small bugfix release.

For details see  Changes.rst

User visible changes:

 * tapctl (windows): generate driver-specific names (if using tapctl to create
   additional tap/wintun/dco devices, and not using --name). See GH  #337.
 * interactive service (windows): do not force target desktop for openvpn.exe -
   this has no impact for normal use, but enables running of OpenVPN in a
   scripted way when no user is logged on (for example, via task scheduler). See
   GH  openvpn-gui#626

Windows MSI changes since 2.6.4:

 * MSIs now use OpenSSL 3.1.1

Debian/Ubuntu packages in OpenvpnSoftwareRepos are now available for arm64.

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.5-I001-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.6.5-I001-arm64.msi

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.5-I001-x86.msi

SOURCE ARCHIVE FILE

GnuPG Signature openvpn-2.6.5.tar.gz

OPENVPN 2.6.4 -- RELEASED 11 MAY 2023

The OpenVPN community project team is proud to release OpenVPN 2.6.4. This is a
small bugfix release.

For details see  Changes.rst

Note:

 * License amendment: all new commits fall under a modified license that
   explicitly permits linking with Apache2 libraries (mbedTLS, OpenSSL) - see
   COPYING for details. Existing code will fall under the new license as soon as
   all contributors have agreed to the change - work ongoing.

Feature changes:

 * DCO: support kernel-triggered key rotation (avoid IV reuse after
   232 packets). This is the userland side, accepting a message from kernel, and
   initiating a TLS renegotiation. As of 2.6.4 release, only implemented in
   FreeBSD kernel.

Windows MSI changes since 2.6.3:

 * Rebuilt included tap-windows driver with the correct version of the old
   Windows 7 driver, removing a warning about unsigned driver on Windows 7
   installation. See GH  openvpn-build#365.

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.4-I001-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.6.4-I001-arm64.msi

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.4-I001-x86.msi

SOURCE ARCHIVE FILE

GnuPG Signature openvpn-2.6.4.tar.gz

OPENVPN 2.6.3 -- RELEASED 13 APRIL 2023

The OpenVPN community project team is proud to release OpenVPN 2.6.3. This is a
small bugfix release.

For details see  Changes.rst

Feature changes:

 * Windows: support setting DNS domain in configurations without GUI and DHCP
   (typically wintun or windco drivers), see GH  openvpn#306.

Windows MSI changes since 2.6.2:

 * Several Windows-specific issues fixed:
   * ensure interactive service stays enabled after silent reinstall, see GH 
     openvpn-build#348,  openvpn-build#349 and  openvpn-build#351
   * repair querying install path info for easyrsa-start.bat on some Windows
     language versions, see GH  openvpn-build#352.
 * MSIs are now built against OpenSSL 3.1.0.
 * Update included openvpn-gui to 11.41.0.0
   * This update removes the ability to change the password of a private key
     from the GUI. This was a niche feature which caused a direct dependency of
     GUI on OpenSSL. Use openssl.exe directly if you need to edit a private key.

Note: Windows MSI was updated to I003 on April 26th. Changes in I003:

 * The GPG subkey for creating the .asc files for the downloads has been
   updated. You might need to re-download or update the GPG key if verifying the
   signatures.
 * Fix the encoding of some documentation/sample files included in the
   installer. See GH  openvpn-build#358
 * Update include tap-windows6 driver to 9.25.0
   * Fixes a problem with sending small non-IP packets (e.g. PPPoE) over the VPN
     connection. See GH  tap-windows6#158
   * Note: The new driver is only used on Windows 10 and newer. We can't rebuild
     drivers for Windows 7/8 since Microsoft doesn't support the signing
     mechanism anymore. We include the previous driver version to still allow
     installation on Windows 7/8.
 * Update included openvpn-gui to 11.42.0.0
   * Fixes a problem with passphrase prompt was sometimes not displayed. See GH 
     openvpn-gui#619
   * Adds "Password Reveal" feature which allows you to see passwords while
     entering them.

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.3-I003-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.6.3-I003-arm64.msi

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.3-I003-x86.msi

SOURCE ARCHIVE FILE

GnuPG Signature openvpn-2.6.3.tar.gz

OPENVPN 2.6.2 -- RELEASED 24 MARCH 2023

The OpenVPN community project team is proud to release OpenVPN 2.6.2. This is
mostly a bugfix release with some improvements.

For details see  Changes.rst

Feature changes:

 * implement byte counter statistics for DCO Linux (p2mp server and client)
 * implement byte counter statistics for DCO Windows (client only)
 * --dns server <n> address ... now permits up to 8 v4 or v6 addresses

Important note for Linux DCO users:

 * New control packets flow for data channel offloading on Linux: 2.6.2+ changes
   the way OpenVPN control packets are handled on Linux when DCO is active,
   fixing the lockups observed with 2.6.0/2.6.1 under high client
   connect/disconnect activity. This is an INCOMPATIBLE change and therefore an
   ovpn-dco kernel module older than v0.2.20230323 (commit ID 726fdfe0fa21) will
   not work anymore and must be upgraded. The kernel module was renamed to
   "ovpn-dco-v2.ko" in order to highlight this change and ensure that users and
   userspace software could easily understand which version is loaded.
   Attempting to use the old ovpn-dco with 2.6.2+ will lead to disabling DCO at
   runtime.

Windows MSI changes since 2.6.1:

 * Update included openvpn-gui to 11.39.0.0

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.2-I001-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.6.2-I001-arm64.msi

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.2-I001-x86.msi

SOURCE ARCHIVE FILE

GnuPG Signature openvpn-2.6.2.tar.gz

OPENVPN 2.6.1 -- RELEASED 8 MARCH 2023

The OpenVPN community project team is proud to release OpenVPN 2.6.1. This is
mostly a bugfix release with some improvements.

For details see  Changes.rst

Feature changes:

 * Dynamic TLS Crypt: When both peers are OpenVPN 2.6.1+, OpenVPN will
   dynamically create a tls-crypt key that is used for renegotiation. This
   ensure that only the previously authenticated peer can do trigger
   renegotiation and complete renegotiations.
 * CryptoAPI (Windows): support issuer name as a selector. Certificate selection
   string can now specify a partial issuer name string as
   "--cryptoapicert ISSUER:<string>" where <string> is matched as a substring of
   the issuer (CA) name in the certificate.

Note: configure now enables DCO build by default on FreeBSD and Linux. On Linux
this brings in a new default dependency for libnl-genl (for Linux distributions
that are too old to have a suitable version of the library, use "configure
--disable-dco")

Windows MSI changes since 2.6.1:

 * Update included ovpn-dco-win driver to 0.9.2

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.1-I001-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.6.1-I001-arm64.msi

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.1-I001-x86.msi

SOURCE ARCHIVE FILE

GnuPG Signature openvpn-2.6.1.tar.gz

OPENVPN 2.6.0 -- RELEASED 25 JANUARY 2023

The OpenVPN community project team is proud to release OpenVPN 2.6.0. This is a
new stable release with some major new features.

For details see: Changes.rst

The Changes document also contains a section with workarounds for common
problems encountered when using OpenVPN with OpenSSL 3.

New features and improvements in 2.6.0 compared to 2.5.8:

 * Data Channel Offload (DCO) kernel acceleration support for Windows, Linux,
   and FreeBSD.
 * OpenSSL 3 support.
 * Improved handling of tunnel MTU, including support for pushable MTU.
 * Outdated cryptographic algorithms disabled by default, but there are options
   to override if necessary.
 * Reworked TLS handshake, making OpenVPN immune to replay-packet state
   exhaustion attacks.
 * Added --peer-fingerprint mode for a more simplistic certificate setup and
   verification.
 * Added Pre-Logon Access Provider support to OpenVPN GUI for Windows.
 * Improved protocol negotiation, leading to faster connection setup.
 * Included openvpn-gui updated to 11.37.0.0. See CHANGES.rst.
 * Updated easy-rsa3 bundled with the installer on Windows.
 * Various bug fixes.

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.0-I005-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.6.0-I005-arm64.msi

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.6.0-I005-x86.msi

SOURCE ARCHIVE FILE

GnuPG Signature openvpn-2.6.0.tar.gz

OPENVPN 2.5.10 -- RELEASED 21 MARCH 2024

The OpenVPN community project team is proud to release OpenVPN 2.5.10. This is a
bugfix release containing several security fixes specific to the Windows
platform.

For details see  Changes.rst

Note that OpenVPN 2.5.x is in "Old Stable Support" status
(see SupportedVersions). This usually means that we do not provide updated
Windows Installers anymore, even for security fixes. Since this release fixes
several issues specific to the Windows platform we decided to provide installers
anyway. This does not change the support status of 2.5.x branch. We might not
provide security updates for issues found in the future. We recommend that
everyone switch to the 2.6.x versions of installers as soon as possible.

Security fixes:

 * CVE-2024-27459: Windows: fix a possible stack overflow in the interactive
   service component which might lead to a local privilege escalation.
   Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
 * CVE-2024-24974: Windows: disallow access to the interactive service pipe from
   remote computers. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
 * CVE-2024-27903: Windows: disallow loading of plugins from untrusted
   installation paths, which could be used to attack openvpn.exe via a malicious
   plugin. Plugins can now only be loaded from the OpenVPN install directory,
   the Windows system directory, and possibly from a directory specified
   by HKLM\SOFTWARE\OpenVPN\plugin_dir. Reported-by: Vladimir Tokarev
   <vtokarev@microsoft.com>
 * CVE-2024-1305: Windows TAP driver: Fix potential integer overflow in
   TapSharedSendPacket. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>

Windows MSI changes since 2.5.10:

 * For the Windows-specific security fixes see above
 * Built against OpenSSL 1.1.1w
   * Note that OpenSSL 1.1.1 is not supported anymore, so this might not address
     all known issues in OpenSSL 1.1.1. If that concerns you, please switch to
     OpenVPN 2.6.x
 * Included tap6-windows driver updated to 9.27.0
   * Security fix, see above

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.10-I601-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.5.10-I601-arm64.msi

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.10-I601-x86.msi

SOURCE ARCHIVE FILE

GnuPG Signature openvpn-2.5.10.tar.gz

OPENVPN 2.5.9 -- RELEASED 15 FEBRUARY 2023

2The OpenVPN community project team is proud to release OpenVPN 2.5.9.  This is
a small bugfix release.

For details see Changes.rst

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.9-I601-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.5.9-I601-arm64.msi

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.9-I601-x86.msi

SOURCE ARCHIVE FILE

GnuPG Signature openvpn-2.5.9.tar.gz

OPENVPN 2.5.8 -- RELEASED 2 NOVEMBER 2022

The OpenVPN community project team is proud to release OpenVPN 2.5.8. This is
mostly a bugfix release.

For details see Changes.rst

However, there were several enhancements of the Windows GUI component:

 * OpenVPN 3 support -- the GUI can also work as a user interface for the
   OpenVPN 3 client.
 * pkcs11-id-management -- the GUI can list available pkcs11-ids and allows the
   user to select one.
 * Persistent connections -- the GUI lists connections started at boot by the
   automatic service and lets the user control them. Interactive inputs such as
   username/password with such connections are possible.

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.5.8.tar.gz

SOURCE ZIP

GnuPG Signature openvpn-2.5.8.zip

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.8-I604-x86.msi

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.8-I604-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.5.8-I604-arm64.msi

OPENVPN 2.5.7 -- RELEASED 31 MAY 2022

The OpenVPN community project team is proud to release OpenVPN 2.5.7. This is
mostly a bugfix release, but adds limited support for OpenSSL 3.0. Full support
will arrive in OpenVPN 2.6.

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.5.7.tar.gz

SOURCE ZIP

GnuPG Signature openvpn-2.5.7.zip

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.7-I602-x86.msi

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.7-I602-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.5.7-I602-arm64.msi

OPENVPN 2.5.6 -- RELEASED 16 MAR, 2022

The OpenVPN community project team is proud to release OpenVPN 2.5.6. This is
mostly a bugfix release including one security fix ("Disallow multiple deferred
authentication plug-ins.", CVE: 2022-0547). The I605 installers include OpenVPN
GUI with a bug fix, as well as updated OpenSSL (1.1.1o).

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.5.6.tar.gz

SOURCE ZIP

GnuPG Signature openvpn-2.5.6.zip

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.6-I601-x86.msi

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.6-I601-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.5.6-I601-arm64.msi

OPENVPN 2.5.5 -- RELEASED 15 DEC, 2021

The OpenVPN community project team is proud to release OpenVPN 2.5.5. The most
notable changes are Windows-related: use of CFG Spectre-mitigations in MSVC
builds, bringing back of OpenSSL config loading and several build fixes. More
details are available in Changes.rst.

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.5.5.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.5.5.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.5.5.zip

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.5-I602-x86.msi

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.5-I602-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.5.5-I602-arm64.msi

OPENVPN 2.5.4 -- RELEASED 5 OCT, 2021

The OpenVPN community project team is proud to release OpenVPN 2.5.4. This
release include a number of fixes and small improvements. One of the fixes is to
password prompting on windows console when stderr redirection is in use - this
breaks 2.5.x on Win11/ARM, and might also break on Win11/amd64. Windows
executable and libraries are now built natively on Windows using MSVC, not
cross-compiled on Linux as with earlier 2.5 releases. Windows installers include
updated OpenSSL and new OpenVPN GUI. The latter includes several improvements,
the most important of which is the ability to import profiles from URLs where
available. Installer version I602 fixes loading of pkcs11 files on Windows.
Installer version I603 fixes a bug in the version number as seen by Windows (was
2.5..4, not 2.5.4). Installer I604 fixes some small Windows issues.

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.5.4.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.5.4.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.5.4.zip

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.4-I604-x86.msi

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.4-I604-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.5.4-I604-arm64.msi


OVERVIEW OF CHANGES SINCE OPENVPN 2.4


FASTER CONNECTIONS

 * Connections setup is now much faster
   


CRYPTO SPECIFIC CHANGES

 * ChaCha20-Poly1305 cipher in the OpenVPN data channel (Requires OpenSSL 1.1.0
   or newer)
 * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
 * Client-specific tls-crypt keys (--tls-crypt-v2)
 * Improved Data channel cipher negotiation
 * Removal of BF-CBC support in default configuration (see below for possible
   incompatibilities)


SERVER-SIDE IMPROVEMENTS

 * HMAC based auth-token support for seamless reconnects to standalone servers
   or a group of servers.
 * Asynchronous (deferred) authentication support for auth-pam plugin
 * Asynchronous (deferred) support for client-connect scripts and plugins


NETWORK-RELATED CHANGES

 * Support IPv4 configs with /31 netmasks now
 * 802.1q VLAN support on TAP servers
 * IPv6-only tunnels
 * New option --block-ipv6 to reject all IPv6 packets (ICMPv6)


LINUX-SPECIFIC FEATURES

 * VRF support
 * Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip
   commands)


WINDOWS-SPECIFIC FEATURES

 * Wintun driver support, a faster alternative to tap-windows6
 * Setting tun/tap interface MTU
 * Setting DHCP search domain
 * Allow unicode search string in --cryptoapicert option
 * EasyRSA3, a modern take on OpenVPN CA management
   
 * MSI installer


IMPORTANT NOTICES



BF-CBC CIPHER IS NO LONGER THE DEFAULT

Cipher handling for the data channel cipher has been significantly changed
between OpenVPN 2.3/2.4 and v2.5, most notably there are no "default cipher
BF-CBC" anymore because it is no longer considered a reasonable default. BF-CBC
is still available, but it needs to be explicitly configured now.

For connections between OpenVPN 2.4 and v2.5 clients and servers, both ends will
be able  to negotiate a better cipher than BF-CBC. By default they will select
one of the AES-GCM ciphers, but this can be influenced using the --data-ciphers
setting.

Connections between OpenVPN 2.3 and v2.5 that have no --cipher setting in the
config (= defaulting to BF-CBC and not being negotiation-capable) must be
updated. Unless BF-CBC is included in --data-ciphers or there is a "--cipher
BF-CBC" in the OpenVPN 2.5 config, a v2.5 client or server will refuse to talk
to a v2.3 server or client, because it has no common data channel cipher and
negotiating a cipher is not possible. Generally, we recommend upgrading such
setups to OpenVPN 2.4 or v2.5. If upgrading is not possible we recommend adding
data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher
AES-128-CBC (v2.4.x and older) to the configuration of all clients and servers.

If you really need to use an unsupported OpenVPN 2.3 (or even older) release and
need to stay on BF-CBC (not recommended), the OpenVPN 2.5 based client will need
a config file change to re-enable BF-CBC.  But be warned that BF-CBC and other
related weak ciphers will be removed in coming OpenVPN major releases.

For full details see the "Data channel cipher negotiation" section on the man
page.


CONNECTIVITY TO SOME VPN SERVICE PROVIDER MAY BREAK

Connecting with an OpenVPN 2.5 client to at least one commercial VPN service
that
implemented their own cipher negotiation method that always reports back that it
is using BF-CBC to the client is broken in v2.5. This has always caused warning
about mismatch ciphers. We have been in contact with some service providers and
they are looking into it.  This is not something the OpenVPN community can fix. 
If your commercial VPN does not work with a v2.5 client, complain to the VPN
service provider.

More details on these new features as well as a list of deprecated features and
user-visible changes are available in Changes.rst.


LINUX PACKAGES ARE AVAILABLE FROM

 * Official Debian and Ubuntu apt repositories
 * Red Hat/Fedora dnf/yum repositories (provided by Fedora Copr)


USEFUL RESOURCES

 * Official documentation
 * Wiki
 * Bug tracker
 * Support forums
 * User mailing list
 * User IRC channel (#openvpn at irc.libera.chat)

OPENVPN 2.5.3 -- RELEASED 17 JUNE, 2021

The OpenVPN community project team is proud to release OpenVPN 2.5.3. Besides a
number of small improvements and bug fixes, this release fixes a possible
security issue with OpenSSL config autoloading on Windows (CVE-2021-3606).
Updated OpenVPN GUI is also included in Windows installers.

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.5.3.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.5.3.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.5.3.zip

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.3-I601-x86.msi

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.3-I601-amd64.msi

WINDOWS ARM64 MSI INSTALLER

GnuPG Signature OpenVPN-2.5.3-I601-arm64.msi


OVERVIEW OF CHANGES SINCE OPENVPN 2.4


FASTER CONNECTIONS

 * Connections setup is now much faster
   


CRYPTO SPECIFIC CHANGES

 * ChaCha20-Poly1305 cipher in the OpenVPN data channel (Requires OpenSSL 1.1.0
   or newer)
 * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
 * Client-specific tls-crypt keys (--tls-crypt-v2)
 * Improved Data channel cipher negotiation
 * Removal of BF-CBC support in default configuration (see below for possible
   incompatibilities)


SERVER-SIDE IMPROVEMENTS

 * HMAC based auth-token support for seamless reconnects to standalone servers
   or a group of servers.
 * Asynchronous (deferred) authentication support for auth-pam plugin
 * Asynchronous (deferred) support for client-connect scripts and plugins


NETWORK-RELATED CHANGES

 * Support IPv4 configs with /31 netmasks now
 * 802.1q VLAN support on TAP servers
 * IPv6-only tunnels
 * New option --block-ipv6 to reject all IPv6 packets (ICMPv6)


LINUX-SPECIFIC FEATURES

 * VRF support
 * Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip
   commands)


WINDOWS-SPECIFIC FEATURES

 * Wintun driver support, a faster alternative to tap-windows6
 * Setting tun/tap interface MTU
 * Setting DHCP search domain
 * Allow unicode search string in --cryptoapicert option
 * EasyRSA3, a modern take on OpenVPN CA management
   
 * MSI installer


IMPORTANT NOTICES



BF-CBC CIPHER IS NO LONGER THE DEFAULT

Cipher handling for the data channel cipher has been significantly changed
between OpenVPN 2.3/2.4 and v2.5, most notably there are no "default cipher
BF-CBC" anymore because it is no longer considered a reasonable default. BF-CBC
is still available, but it needs to be explicitly configured now.

For connections between OpenVPN 2.4 and v2.5 clients and servers, both ends will
be able  to negotiate a better cipher than BF-CBC. By default they will select
one of the AES-GCM ciphers, but this can be influenced using the --data-ciphers
setting.

Connections between OpenVPN 2.3 and v2.5 that have no --cipher setting in the
config (= defaulting to BF-CBC and not being negotiation-capable) must be
updated. Unless BF-CBC is included in --data-ciphers or there is a "--cipher
BF-CBC" in the OpenVPN 2.5 config, a v2.5 client or server will refuse to talk
to a v2.3 server or client, because it has no common data channel cipher and
negotiating a cipher is not possible. Generally, we recommend upgrading such
setups to OpenVPN 2.4 or v2.5. If upgrading is not possible we recommend adding
data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher
AES-128-CBC (v2.4.x and older) to the configuration of all clients and servers.

If you really need to use an unsupported OpenVPN 2.3 (or even older) release and
need to stay on BF-CBC (not recommended), the OpenVPN 2.5 based client will need
a config file change to re-enable BF-CBC.  But be warned that BF-CBC and other
related weak ciphers will be removed in coming OpenVPN major releases.

For full details see the "Data channel cipher negotiation" section on the man
page.


CONNECTIVITY TO SOME VPN SERVICE PROVIDER MAY BREAK

Connecting with an OpenVPN 2.5 client to at least one commercial VPN service
that
implemented their own cipher negotiation method that always reports back that it
is using BF-CBC to the client is broken in v2.5. This has always caused warning
about mismatch ciphers. We have been in contact with some service providers and
they are looking into it.  This is not something the OpenVPN community can fix. 
If your commercial VPN does not work with a v2.5 client, complain to the VPN
service provider.

More details on these new features as well as a list of deprecated features and
user-visible changes are available in Changes.rst.


LINUX PACKAGES ARE AVAILABLE FROM

 * Official Debian and Ubuntu apt repositories
 * Red Hat/Fedora dnf/yum repositories (provided by Fedora Copr)


USEFUL RESOURCES

 * Official documentation
 * Wiki
 * Bug tracker
 * Support forums
 * User mailing list
 * User IRC channel (#openvpn at irc.libera.chat)

OPENVPN 2.5.2 -- RELEASED 21 APRIL, 2021

The OpenVPN community project team is proud to release OpenVPN 2.5.2. It fixes
two related security vulnerabilities (CVE-2020-15078) which under very specific
circumstances allow tricking a server using delayed authentication (plugin or
management) into returning a PUSH_REPLY before the AUTH_FAILED message, which
can possibly be used to gather information about a VPN setup. In combination
with "--auth-gen-token" or a user-specific token auth solution it can be
possible to get access to a VPN with an otherwise-invalid account. OpenVPN 2.5.2
also includes other bug fixes and improvements. Updated OpenSSL and OpenVPN GUI
are included in Windows installers.

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.5.2.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.5.2.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.5.2.zip

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.2-I601-x86.msi

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.2-I601-amd64.msi


OVERVIEW OF CHANGES SINCE OPENVPN 2.4


FASTER CONNECTIONS

 * Connections setup is now much faster
   


CRYPTO SPECIFIC CHANGES

 * ChaCha20-Poly1305 cipher in the OpenVPN data channel (Requires OpenSSL 1.1.0
   or newer)
 * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
 * Client-specific tls-crypt keys (--tls-crypt-v2)
 * Improved Data channel cipher negotiation
 * Removal of BF-CBC support in default configuration (see below for possible
   incompatibilities)


SERVER-SIDE IMPROVEMENTS

 * HMAC based auth-token support for seamless reconnects to standalone servers
   or a group of servers.
 * Asynchronous (deferred) authentication support for auth-pam plugin
 * Asynchronous (deferred) support for client-connect scripts and plugins


NETWORK-RELATED CHANGES

 * Support IPv4 configs with /31 netmasks now
 * 802.1q VLAN support on TAP servers
 * IPv6-only tunnels
 * New option --block-ipv6 to reject all IPv6 packets (ICMPv6)


LINUX-SPECIFIC FEATURES

 * VRF support
 * Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip
   commands)


WINDOWS-SPECIFIC FEATURES

 * Wintun driver support, a faster alternative to tap-windows6
 * Setting tun/tap interface MTU
 * Setting DHCP search domain
 * Allow unicode search string in --cryptoapicert option
 * EasyRSA3, a modern take on OpenVPN CA management
   
 * MSI installer


IMPORTANT NOTICES



BF-CBC CIPHER IS NO LONGER THE DEFAULT

Cipher handling for the data channel cipher has been significantly changed
between OpenVPN 2.3/2.4 and v2.5, most notably there are no "default cipher
BF-CBC" anymore because it is no longer considered a reasonable default. BF-CBC
is still available, but it needs to be explicitly configured now.

For connections between OpenVPN 2.4 and v2.5 clients and servers, both ends will
be able  to negotiate a better cipher than BF-CBC. By default they will select
one of the AES-GCM ciphers, but this can be influenced using the --data-ciphers
setting.

Connections between OpenVPN 2.3 and v2.5 that have no --cipher setting in the
config (= defaulting to BF-CBC and not being negotiation-capable) must be
updated. Unless BF-CBC is included in --data-ciphers or there is a "--cipher
BF-CBC" in the OpenVPN 2.5 config, a v2.5 client or server will refuse to talk
to a v2.3 server or client, because it has no common data channel cipher and
negotiating a cipher is not possible. Generally, we recommend upgrading such
setups to OpenVPN 2.4 or v2.5. If upgrading is not possible we recommend adding
data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher
AES-128-CBC (v2.4.x and older) to the configuration of all clients and servers.

If you really need to use an unsupported OpenVPN 2.3 (or even older) release and
need to stay on BF-CBC (not recommended), the OpenVPN 2.5 based client will need
a config file change to re-enable BF-CBC.  But be warned that BF-CBC and other
related weak ciphers will be removed in coming OpenVPN major releases.

For full details see the "Data channel cipher negotiation" section on the man
page.


CONNECTIVITY TO SOME VPN SERVICE PROVIDER MAY BREAK

Connecting with an OpenVPN 2.5 client to at least one commercial VPN service
that
implemented their own cipher negotiation method that always reports back that it
is using BF-CBC to the client is broken in v2.5. This has always caused warning
about mismatch ciphers. We have been in contact with some service providers and
they are looking into it.  This is not something the OpenVPN community can fix. 
If your commercial VPN does not work with a v2.5 client, complain to the VPN
service provider.

More details on these new features as well as a list of deprecated features and
user-visible changes are available in Changes.rst.


LINUX PACKAGES ARE AVAILABLE FROM

 * Official Debian and Ubuntu apt repositories
 * Red Hat/Fedora dnf/yum repositories (provided by Fedora Copr)


WINDOWS ARM64 INSTALLERS

Our MSI installer do not currently support the Windows ARM64 platform. You need
to use our NSI-based snapshot installers from here. We recommend using the
latest installer that matches one of these patterns:

 * openvpn-install-2.5_git-I900-release-2.5-* (stable 2.5 version)
 * openvpn-install-2.6_git-I900-master-* (development version)


USEFUL RESOURCES

 * Official documentation
 * Wiki
 * Bug tracker
 * Support forums
 * User mailing list
 * User IRC channel (#openvpn at irc.libera.chat)

OPENVPN 2.5.1 -- RELEASED 24 FEBRUARY, 2021

The OpenVPN community project team is proud to release OpenVPN 2.5.1. It
includes several bug fixes and improvements as well as updated OpenSSL and
OpenVPN GUI for Windows.

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.5.1.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.5.1.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.5.1.zip

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.1-I601-x86.msi

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.1-I601-amd64.msi


OVERVIEW OF CHANGES SINCE OPENVPN 2.4


FASTER CONNECTIONS

 * Connections setup is now much faster
   


CRYPTO SPECIFIC CHANGES

 * ChaCha20-Poly1305 cipher in the OpenVPN data channel (Requires OpenSSL 1.1.0
   or newer)
 * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
 * Client-specific tls-crypt keys (--tls-crypt-v2)
 * Improved Data channel cipher negotiation
 * Removal of BF-CBC support in default configuration (see below for possible
   incompatibilities)


SERVER-SIDE IMPROVEMENTS

 * HMAC based auth-token support for seamless reconnects to standalone servers
   or a group of servers.
 * Asynchronous (deferred) authentication support for auth-pam plugin
 * Asynchronous (deferred) support for client-connect scripts and plugins


NETWORK-RELATED CHANGES

 * Support IPv4 configs with /31 netmasks now
 * 802.1q VLAN support on TAP servers
 * IPv6-only tunnels
 * New option --block-ipv6 to reject all IPv6 packets (ICMPv6)


LINUX-SPECIFIC FEATURES

 * VRF support
 * Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip
   commands)


WINDOWS-SPECIFIC FEATURES

 * Wintun driver support, a faster alternative to tap-windows6
 * Setting tun/tap interface MTU
 * Setting DHCP search domain
 * Allow unicode search string in --cryptoapicert option
 * EasyRSA3, a modern take on OpenVPN CA management
   
 * MSI installer


IMPORTANT NOTICES



BF-CBC CIPHER IS NO LONGER THE DEFAULT

Cipher handling for the data channel cipher has been significantly changed
between OpenVPN 2.3/2.4 and v2.5, most notably there are no "default cipher
BF-CBC" anymore because it is no longer considered a reasonable default. BF-CBC
is still available, but it needs to be explicitly configured now.

For connections between OpenVPN 2.4 and v2.5 clients and servers, both ends will
be able  to negotiate a better cipher than BF-CBC. By default they will select
one of the AES-GCM ciphers, but this can be influenced using the --data-ciphers
setting.

Connections between OpenVPN 2.3 and v2.5 that have no --cipher setting in the
config (= defaulting to BF-CBC and not being negotiation-capable) must be
updated. Unless BF-CBC is included in --data-ciphers or there is a "--cipher
BF-CBC" in the OpenVPN 2.5 config, a v2.5 client or server will refuse to talk
to a v2.3 server or client, because it has no common data channel cipher and
negotiating a cipher is not possible. Generally, we recommend upgrading such
setups to OpenVPN 2.4 or v2.5. If upgrading is not possible we recommend adding
data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher
AES-128-CBC (v2.4.x and older) to the configuration of all clients and servers.

If you really need to use an unsupported OpenVPN 2.3 (or even older) release and
need to stay on BF-CBC (not recommended), the OpenVPN 2.5 based client will need
a config file change to re-enable BF-CBC.  But be warned that BF-CBC and other
related weak ciphers will be removed in coming OpenVPN major releases.

For full details see the "Data channel cipher negotiation" section on the man
page.


CONNECTIVITY TO SOME VPN SERVICE PROVIDER MAY BREAK

Connecting with an OpenVPN 2.5 client to at least one commercial VPN service
that
implemented their own cipher negotiation method that always reports back that it
is using BF-CBC to the client is broken in v2.5. This has always caused warning
about mismatch ciphers. We have been in contact with some service providers and
they are looking into it.  This is not something the OpenVPN community can fix. 
If your commercial VPN does not work with a v2.5 client, complain to the VPN
service provider.

More details on these new features as well as a list of deprecated features and
user-visible changes are available in Changes.rst.


LINUX PACKAGES ARE AVAILABLE FROM

 * Official Debian and Ubuntu apt repositories
 * Red Hat/Fedora dnf/yum repositories (provided by Fedora Copr)


WINDOWS ARM64 INSTALLERS

Our MSI installer do not currently support the Windows ARM64 platform. You need
to use our NSI-based snapshot installers from here. We recommend using the
latest installer that matches one of these patterns:

 * openvpn-install-2.5_git-I900-release-2.5-* (stable 2.5 version)
 * openvpn-install-2.6_git-I900-master-* (development version)


USEFUL RESOURCES

 * Official documentation
 * Wiki
 * Bug tracker
 * Support forums
 * User mailing list
 * User IRC channel (#openvpn at irc.libera.chat)

OPENVPN 2.5.0 -- RELEASED 28 OCTOBER, 2020

The OpenVPN community project team is proud to release OpenVPN 2.5.0 which is a
new major release with many new features.

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.5.0.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.5.0.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.5.0.zip

WINDOWS 32-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.0-I601-x86.msi

WINDOWS 64-BIT MSI INSTALLER

GnuPG Signature OpenVPN-2.5.0-I601-amd64.msi


OVERVIEW OF CHANGES SINCE OPENVPN 2.4


FASTER CONNECTIONS

 * Connections setup is now much faster
   


CRYPTO SPECIFIC CHANGES

 * ChaCha20-Poly1305 cipher in the OpenVPN data channel (Requires OpenSSL 1.1.0
   or newer)
 * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
 * Client-specific tls-crypt keys (--tls-crypt-v2)
 * Improved Data channel cipher negotiation
 * Removal of BF-CBC support in default configuration (see below for possible
   incompatibilities)


SERVER-SIDE IMPROVEMENTS

 * HMAC based auth-token support for seamless reconnects to standalone servers
   or a group of servers.
 * Asynchronous (deferred) authentication support for auth-pam plugin
 * Asynchronous (deferred) support for client-connect scripts and plugins


NETWORK-RELATED CHANGES

 * Support IPv4 configs with /31 netmasks now
 * 802.1q VLAN support on TAP servers
 * IPv6-only tunnels
 * New option --block-ipv6 to reject all IPv6 packets (ICMPv6)


LINUX-SPECIFIC FEATURES

 * VRF support
 * Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip
   commands)


WINDOWS-SPECIFIC FEATURES

 * Wintun driver support, a faster alternative to tap-windows6
 * Setting tun/tap interface MTU
 * Setting DHCP search domain
 * Allow unicode search string in --cryptoapicert option
 * EasyRSA3, a modern take on OpenVPN CA management
   
 * MSI installer


IMPORTANT NOTICES



BF-CBC CIPHER IS NO LONGER THE DEFAULT

Cipher handling for the data channel cipher has been significantly changed
between OpenVPN 2.3/2.4 and v2.5, most notably there are no "default cipher
BF-CBC" anymore because it is no longer considered a reasonable default. BF-CBC
is still available, but it needs to be explicitly configured now.

For connections between OpenVPN 2.4 and v2.5 clients and servers, both ends will
be able  to negotiate a better cipher than BF-CBC. By default they will select
one of the AES-GCM ciphers, but this can be influenced using the --data-ciphers
setting.

Connections between OpenVPN 2.3 and v2.5 that have no --cipher setting in the
config (= defaulting to BF-CBC and not being negotiation-capable) must be
updated. Unless BF-CBC is included in --data-ciphers or there is a "--cipher
BF-CBC" in the OpenVPN 2.5 config, a v2.5 client or server will refuse to talk
to a v2.3 server or client, because it has no common data channel cipher and
negotiating a cipher is not possible. Generally, we recommend upgrading such
setups to OpenVPN 2.4 or v2.5. If upgrading is not possible we recommend adding
data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher
AES-128-CBC (v2.4.x and older) to the configuration of all clients and servers.

If you really need to use an unsupported OpenVPN 2.3 (or even older) release and
need to stay on BF-CBC (not recommended), the OpenVPN 2.5 based client will need
a config file change to re-enable BF-CBC.  But be warned that BF-CBC and other
related weak ciphers will be removed in coming OpenVPN major releases.

For full details see the "Data channel cipher negotiation" section on the man
page.


CONNECTIVITY TO SOME VPN SERVICE PROVIDER MAY BREAK

Connecting with an OpenVPN 2.5 client to at least one commercial VPN service
that
implemented their own cipher negotiation method that always reports back that it
is using BF-CBC to the client is broken in v2.5. This has always caused warning
about mismatch ciphers. We have been in contact with some service providers and
they are looking into it.  This is not something the OpenVPN community can fix. 
If your commercial VPN does not work with a v2.5 client, complain to the VPN
service provider.

More details on these new features as well as a list of deprecated features and
user-visible changes are available in Changes.rst.


LINUX PACKAGES ARE AVAILABLE FROM

 * Official Debian and Ubuntu apt repositories
 * Red Hat/Fedora dnf/yum repositories (provided by Fedora Copr)


USEFUL RESOURCES

 * Official documentation
 * Wiki
 * Bug tracker
 * Support forums
 * User mailing list
 * User IRC channel (#openvpn at irc.libera.chat)

OPENVPN 2.4.12 -- RELEASED 17 MARCH, 2022

The OpenVPN community project team is proud to release OpenVPN 2.4.12, the final
release in the 2.4.x series. This is mostly a bugfix release including one
security fix ("Disallow multiple deferred authentication plug-ins.", CVE:
2022-0547).

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.4.12.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.4.12.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.4.12.zip

WINDOWS 7/8/8.1/SERVER 2012R2 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.12-I601-Win7.exe

WINDOWS 10/SERVER 2016/SERVER 2019 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.12-I601-Win10.exe

OPENVPN 2.4.11 -- RELEASED 21 APRIL, 2021

The OpenVPN community project team is proud to release OpenVPN 2.4.11. It fixes
two related security vulnerabilities (CVE-2020-15078) which under very specific
circumstances allow tricking a server using delayed authentication (plugin or
management) into returning a PUSH_REPLY before the AUTH_FAILED message, which
can possibly be used to gather information about a VPN setup. This release also
includes other bug fixes and improvements. The I602 Windows installers fix a
possible security issue with OpenSSL config autoloading on Windows
(CVE-2021-3606). Updated OpenSSL and OpenVPN GUI are included in Windows
installers.

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.4.11.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.4.11.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.4.11.zip

WINDOWS 7/8/8.1/SERVER 2012R2 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.11-I602-Win7.exe

WINDOWS 10/SERVER 2016/SERVER 2019 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.11-I602-Win10.exe

A summary of the changes is available in Changes.rst, and a full list of changes
is available here.

Please note that LibreSSL is not a supported crypto backend. We accept patches
and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions
of LibreSSL break API compatibility we do not take responsibility to fix that.

Also note that Windows installers have been built with NSIS version that has
been patched against several NSIS installer code execution and privilege
escalation problems. Based on our testing, though, older Windows versions such
as Windows 7 might not benefit from these fixes. We thus strongly encourage you
to always move NSIS installers to a non-user-writeable location before running
them.

Please note that OpenVPN 2.4 installers will not work on Windows XP. The last
OpenVPN version that supports Windows XP is 2.3.18, which is downloadable as
32-bit and 64-bit versions.

If you find a bug in this release, please file a bug report to our Trac bug
tracker. In uncertain cases please contact our developers first, either using
the openvpn-devel mailinglist or the developer IRC channel (#openvpn-devel at
irc.libera.chat). For generic help take a look at our official documentation,
wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at
irc.libera.chat).

Important: you will need to use the correct installer for your operating system.
The Windows 10 installer works on Windows 10 and Windows Server 2016/2019. The
Windows 7 installer will work on Windows 7/8/8.1/Server 2012r2. This is because
of Microsoft's driver signing requirements are different for kernel-mode devices
drivers, which in our case affects OpenVPN's tap driver (tap-windows6).

OPENVPN 2.4.10 -- RELEASED 9 DECEMBER, 2020

This is primarily a maintenance release with bugfixes and small improvements.
Windows installers include the latest OpenSSL version (1.1.1i) which includes
security fixes.

A summary of the changes is available in Changes.rst, and a full list of changes
is available here.

Please note that LibreSSL is not a supported crypto backend. We accept patches
and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions
of LibreSSL break API compatibility we do not take responsibility to fix that.

Also note that Windows installers have been built with NSIS version that has
been patched against several NSIS installer code execution and privilege
escalation problems. Based on our testing, though, older Windows versions such
as Windows 7 might not benefit from these fixes. We thus strongly encourage you
to always move NSIS installers to a non-user-writeable location before running
them.

Please note that OpenVPN 2.4 installers will not work on Windows XP. The last
OpenVPN version that supports Windows XP is 2.3.18, which is downloadable as
32-bit and 64-bit versions.

If you find a bug in this release, please file a bug report to our Trac bug
tracker. In uncertain cases please contact our developers first, either using
the openvpn-devel mailinglist or the developer IRC channel (#openvpn-devel at
irc.libera.chat). For generic help take a look at our official documentation,
wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at
irc.libera.chat).

Important: you will need to use the correct installer for your operating system.
The Windows 10 installer works on Windows 10 and Windows Server 2016/2019. The
Windows 7 installer will work on Windows 7/8/8.1/Server 2012r2. This is because
of Microsoft's driver signing requirements are different for kernel-mode devices
drivers, which in our case affects OpenVPN's tap driver (tap-windows6).

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.4.10.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.4.10.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.4.10.zip

WINDOWS 7/8/8.1/SERVER 2012R2 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.10-I601-Win7.exe

WINDOWS 10/SERVER 2016/SERVER 2019 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.10-I601-Win10.exe

Instructions for verifying the signatures are available here.

This release is also available in our own software repositories for Debian and
Ubuntu, Supported architectures are i386 and amd64. For details. look here.

The Windows installers are bundled with OpenVPN-GUI - its source code is
available on its project page and as tarballs on our alternative download
server.

OPENVPN 2.4.9 -- RELEASED 17 APRIL, 2020

This is primarily a maintenance release with bugfixes and improvements. This
release also fixes a security issue (CVE-2020-11810, trac #1272) which allows
disrupting service of a freshly connected client that has not yet not negotiated
session keys. The vulnerability cannot be used to inject or steal VPN traffic.

A summary of the changes is available in Changes.rst, and a full list of changes
is available here.

Please note that LibreSSL is not a supported crypto backend. We accept patches
and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions
of LibreSSL break API compatibility we do not take responsibility to fix that.

Also note that Windows installers have been built with NSIS version that has
been patched against several NSIS installer code execution and privilege
escalation problems. Based on our testing, though, older Windows versions such
as Windows 7 might not benefit from these fixes. We thus strongly encourage you
to always move NSIS installers to a non-user-writeable location before running
them. We are moving to MSI installers in OpenVPN 2.5, but OpenVPN 2.4.x will
remain NSIS-only.

Compared to OpenVPN 2.3 this is a major update with a large number of new
features, improvements and fixes. Some of the major features are AEAD (GCM)
cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack
support and more seamless connection migration when client's IP address changes
(Peer-ID). Also, the new --tls-crypt feature can be used to increase users'
connection privacy.

OpenVPN GUI bundled with the Windows installer has a large number of new
features compared to the one bundled with OpenVPN 2.3. One of major features is
the ability to run OpenVPN GUI without administrator privileges. For full
details, see the changelog. The new OpenVPN GUI features are documented here.

Please note that OpenVPN 2.4 installers will not work on Windows XP. The last
OpenVPN version that supports Windows XP is 2.3.18, which is downloadable as
32-bit and 64-bit versions.

If you find a bug in this release, please file a bug report to our Trac bug
tracker. In uncertain cases please contact our developers first, either using
the openvpn-devel mailinglist or the developer IRC channel (#openvpn-devel at
irc.libera.chat). For generic help take a look at our official documentation,
wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at
irc.libera.chat).

Important: you will need to use the correct installer for your operating system.
The Windows 10 installer works on Windows 10 and Windows Server 2016/2019. The
Windows 7 installer will work on Windows 7/8/8.1/Server 2012r2. This is because
of Microsoft's driver signing requirements are different for kernel-mode devices
drivers, which in our case affects OpenVPN's tap driver (tap-windows6).

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.4.9.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.4.9.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.4.9.zip

WINDOWS 7/8/8.1/SERVER 2012R2 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.9-I601-Win7.exe

WINDOWS 10/SERVER 2016/SERVER 2019 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.9-I601-Win10.exe

NOTE: the GPG key used to sign the release files has been changed since OpenVPN
2.4.0. Instructions for verifying the signatures, as well as the new GPG public
key are available here.

We also provide static URLs pointing to latest releases to ease automation. For
a list of files look here.

This release is also available in our own software repositories for Debian and
Ubuntu, Supported architectures are i386 and amd64. For details. look here.

You can use EasyRSA 2 or EasyRSA 3 for generating your own certificate
authority. The former is bundled with Windows installers. The latter is a more
modern alternative for UNIX-like operating systems.

The Windows installers are bundled with OpenVPN-GUI - its source code is
available on its project page and as tarballs on our alternative download
server.

OPENVPN 2.4.8 -- RELEASED 31 OCTOBER, 2019

This is primarily a maintenance release with bugfixes and improvements. The
Windows installers (I601) have several improvements compared to the previous
release:

 * New tap-windows6 driver (9.24.2) which fixes some suspend and resume issues
 * Latest OpenVPN-GUI
 * Considerable performance boost due to new compiler optimization flags

A summary of the changes is available in Changes.rst, and a full list of changes
is available here.

Please note that LibreSSL is not a supported crypto backend. We accept patches
and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions
of LibreSSL break API compatibility we do not take responsibility to fix that.

Also note that Windows installers have been built with NSIS version that has
been patched against several NSIS installer code execution and privilege
escalation problems. Based on our testing, though, older Windows versions such
as Windows 7 might not benefit from these fixes. We thus strongly encourage you
to always move NSIS installers to a non-user-writeable location before running
them. We are moving to MSI installers in OpenVPN 2.5, but OpenVPN 2.4.x will
remain NSIS-only.

Compared to OpenVPN 2.3 this is a major update with a large number of new
features, improvements and fixes. Some of the major features are AEAD (GCM)
cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack
support and more seamless connection migration when client's IP address changes
(Peer-ID). Also, the new --tls-crypt feature can be used to increase users'
connection privacy.

OpenVPN GUI bundled with the Windows installer has a large number of new
features compared to the one bundled with OpenVPN 2.3. One of major features is
the ability to run OpenVPN GUI without administrator privileges. For full
details, see the changelog. The new OpenVPN GUI features are documented here.

Please note that OpenVPN 2.4 installers will not work on Windows XP. The last
OpenVPN version that supports Windows XP is 2.3.18, which is downloadable as
32-bit and 64-bit versions.

If you find a bug in this release, please file a bug report to our Trac bug
tracker. In uncertain cases please contact our developers first, either using
the openvpn-devel mailinglist or the developer IRC channel (#openvpn-devel at
irc.libera.chat). For generic help take a look at our official documentation,
wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at
irc.libera.chat).

Important: you will need to use the correct installer for your operating system.
The Windows 10 installer works on Windows 10 and Windows Server 2016/2019. The
Windows 7 installer will work on Windows 7/8/8.1/Server 2012r2. This is because
of Microsoft's driver signing requirements are different for kernel-mode devices
drivers, which in our case affects OpenVPN's tap driver (tap-windows6).

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.4.8.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.4.8.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.4.8.zip

WINDOWS 7/8/8.1/SERVER 2012R2 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.8-I602-Win7.exe

WINDOWS 10/SERVER 2016/SERVER 2019 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.8-I602-Win10.exe

NOTE: the GPG key used to sign the release files has been changed since OpenVPN
2.4.0. Instructions for verifying the signatures, as well as the new GPG public
key are available here.

We also provide static URLs pointing to latest releases to ease automation. For
a list of files look here.

This release is also available in our own software repositories for Debian and
Ubuntu, Supported architectures are i386 and amd64. For details. look here.

You can use EasyRSA 2 or EasyRSA 3 for generating your own certificate
authority. The former is bundled with Windows installers. The latter is a more
modern alternative for UNIX-like operating systems.

The Windows installers are bundled with OpenVPN-GUI - its source code is
available on its project page and as tarballs on our alternative download
server.

OPENVPN 2.4.7 -- RELEASED 21 FEBRUARY, 2019

This is primarily a maintenance release with bugfixes and improvements. One of
the big things is enhanced TLS 1.3 support. A summary of the changes is
available in Changes.rst, and a full list of changes is available here.

Please note that LibreSSL is not a supported crypto backend. We accept patches
and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions
of LibreSSL break API compatibility we do not take responsibility to fix that.

Also note that Windows installers have been built with NSIS version that has
been patched against several NSIS installer code execution and privilege
escalation problems. Based on our testing, though, older Windows versions such
as Windows 7 might not benefit from these fixes. We thus strongly encourage you
to always move NSIS installers to a non-user-writeable location before running
them. We are moving to MSI installers in OpenVPN 2.5, but OpenVPN 2.4.x will
remain NSIS-only.

Compared to OpenVPN 2.3 this is a major update with a large number of new
features, improvements and fixes. Some of the major features are AEAD (GCM)
cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack
support and more seamless connection migration when client's IP address changes
(Peer-ID). Also, the new --tls-crypt feature can be used to increase users'
connection privacy.

OpenVPN GUI bundled with the Windows installer has a large number of new
features compared to the one bundled with OpenVPN 2.3. One of major features is
the ability to run OpenVPN GUI without administrator privileges. For full
details, see the changelog. The new OpenVPN GUI features are documented here.

Please note that OpenVPN 2.4 installers will not work on Windows XP. The last
OpenVPN version that supports Windows XP is 2.3.18, which is downloadable as
32-bit and 64-bit versions.

If you find a bug in this release, please file a bug report to our Trac bug
tracker. In uncertain cases please contact our developers first, either using
the openvpn-devel mailinglist or the developer IRC channel (#openvpn-devel at
irc.libera.chat). For generic help take a look at our official documentation,
wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at
irc.libera.chat).

Important: you will need to use the correct installer for your operating system.
The Windows 10 installer will not work on Windows 7/8/8.1/Server 2012r2. This is
because Microsoft's driver signing requirements and tap-windows6. For the same
reason you need to use an older installer with Windows Server 2016. This older
installer has a local privilege escalation vulnerability issue which we cannot
resolve for Windows Server 2016 until tap-windows6 passes the HLK test suite on
that platform. In the meanwhile we recommend Windows Server 2016 users to avoid
installing OpenVPN/tap-windows6 driver on hosts where all users can't be
trusted. Users of Windows 7-10 and Server 2012r2 are recommended to update to
latest installers as soon as possible.

 

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.4.7.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.4.7.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.4.7.zip

WINDOWS 7/8/8.1/SERVER 2012R2 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.7-I607-Win7.exe

WINDOWS 10 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.7-I607-Win10.exe

WINDOWS SERVER 2016 INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.7-I603.exe

NOTE: the GPG key used to sign the release files has been changed since OpenVPN
2.4.0. Instructions for verifying the signatures, as well as the new GPG public
key are available here.

We also provide static URLs pointing to latest releases to ease automation. For
a list of files look here.

This release is also available in our own software repositories for Debian and
Ubuntu, Supported architectures are i386 and amd64. For details. look here.

You can use EasyRSA 2 or EasyRSA 3 for generating your own certificate
authority. The former is bundled with Windows installers. The latter is a more
modern alternative for UNIX-like operating systems.

The Windows installers are bundled with OpenVPN-GUI - its source code is
available on its project page and as tarballs on our alternative download
server.

OPENVPN 2.4.6 -- RELEASED 24 APRIL, 2018

This is primarily a maintenance release with minor bugfixes and improvements,
and one security relevant fix for the Windows Interactive Service. Windows
installer includes updated OpenVPN GUI and OpenSSL. Installer I601 included
tap-windows6 driver 9.22.1 which had one security fix and dropped Windows Vista
support. However, in installer I602 we had to revert back to tap-windows 9.21.2
due to driver getting reject on freshly installed Windows 10 rev 1607 and later
when Secure Boot was enabled. The failure was due to the new, more strict driver
signing requirements. The 9.22.1 version of the driver is in the process of
getting approved and signed by Microsoft and will be bundled in an upcoming
Windows installer.

Please note that LibreSSL is not a supported crypto backend. We accept patches
and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions
of LibreSSL break API compatibility we do not take responsibility to fix that.

Also note that Windows installers have been built with NSIS version that has
been patched against several NSIS installer code execution and privilege
escalation problems. Based on our testing, though, older Windows versions such
as Windows 7 might not benefit from these fixes. We thus strongly encourage you
to always move NSIS installers to a non-user-writeable location before running
them. Our long-term plan is to migrate to using MSI installers instead.

Compared to OpenVPN 2.3 this is a major update with a large number of new
features, improvements and fixes. Some of the major features are AEAD (GCM)
cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack
support and more seamless connection migration when client's IP address changes
(Peer-ID). Also, the new --tls-crypt feature can be used to increase users'
connection privacy.

A summary of the changes is available in Changes.rst, and a full list of changes
is available here.

OpenVPN GUI bundled with the Windows installer has a large number of new
features compared to the one bundled with OpenVPN 2.3. One of major features is
the ability to run OpenVPN GUI without administrator privileges. For full
details, see the changelog. The new OpenVPN GUI features are documented here.

Please note that OpenVPN 2.4 installers will not work on Windows XP.

If you find a bug in this release, please file a bug report to our Trac bug
tracker. In uncertain cases please contact our developers first, either using
the openvpn-devel mailinglist or the developha er IRC channel (#openvpn-devel at
irc.libera.chat). For generic help take a look at our official documentation,
wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at
irc.libera.chat).

SOURCE TARBALL (GZIP)

GnuPG Signature openvpn-2.4.6.tar.gz

SOURCE TARBALL (XZ)

GnuPG Signature openvpn-2.4.6.tar.xz

SOURCE ZIP

GnuPG Signature openvpn-2.4.6.zip

WINDOWS INSTALLER (NSIS)

GnuPG Signature openvpn-install-2.4.6-I602.exe

NOTE: the GPG key used to sign the release files has been changed since OpenVPN
2.4.0. Instructions for verifying the signatures, as well as the new GPG public
key are available here.

We also provide static URLs pointing to latest releases to ease automation. For
a list of files look here.

This release is also available in our own software repositories for Debian and
Ubuntu, Supported architectures are i386 and amd64. For details. look here.

You can use EasyRSA 2 or EasyRSA 3 for generating your own certificate
authority. The former is bundled with Windows installers. The latter is a more
modern alternative for UNIX-like operating systems.

The Windows installers are bundled with OpenVPN-GUI - its source code is
available on its project page and as tarballs on our alternative download
server.

WINDOWS DEVELOPMENT SNAPSHOTS

You can download Windows developments snapshots (MSI installers) from here
(Index of /downloads/snapshots/github-actions/openvpn2/ ). Those are
automatically built from commits to OpenVPN master branch and include
functionality which will be available in the next release. Development snapshots
are less stable than releases, so use at your own risk.

 * Privacy Policy
 * Legal
 * Your Privacy Settings

Access Server
 * Plugins
 * Release Notes
 * Documentation

CloudConnexa®
 * Features
 * Cyber Shield
 * Quick Start Guide
 * Documentation

Resources
 * Support Center
 * What is a VPN?
 * Resource Center

Company
 * About Us
 * Careers
 * Newsroom
 * Compliance
 * Contact

© Copyright 2024 OpenVPN|OpenVPN is a registered trademark of OpenVPN,
Inc.|CloudConnexa is a registered trademark of OpenVPN, Inc.

Service Status


×