• openvpn 2.6 -> 2.7

    From Andrea Venturoli@ml@netfence.it to muc.lists.freebsd.ports on Sat May 2 10:52:51 2026
    From Newsgroup: muc.lists.freebsd.ports

    Hello.

    Foreword: I'm not complaining at all! This is just asking for some
    comments.

    I've been using OpenVPN 2.6 heavily for a long time.
    I see in main it was upgraded to 2.7, while in 2026Q2 there's still
    2.6.19, which is vulnerable (2.6.20 is out).

    Unfortunately 2.7 breaks many of my configs and while I can easily
    upgrade some of them, for many others it will be hard and long to have
    the other side fixed.

    Reading that 2.6 will be supported until half 2028, I'm evaluating
    staying with 2.6 a bit longer (while trying to avoid running vulnerable versions).

    I'm wondering whether an openvpn26 (or openvpn-legacy or whatever) port
    would make sense.
    I can probably easily downgrade 2.7 -> 2.6 and keep it updated in my
    local port tree, but maybe there are other people interested?

    Any other comment?

    bye & Thanks
    av.


    --
    Posted automagically by a mail2news gateway at muc.de e.V.
    Please direct questions, flames, donations, etc. to news-admin@muc.de
    --- Synchronet 3.21f-Linux NewsLink 1.2
  • From Andrea Venturoli@ml@netfence.it to muc.lists.freebsd.ports on Mon May 4 06:58:21 2026
    From Newsgroup: muc.lists.freebsd.ports

    On 5/3/26 09:46, Gert Doering wrote:
    > Hi Miroslav, Andrea,

    Hello.



    > Matthias copied me into this thread as I'm one of the upstream OpenVPN maintainers, and I also maintain the openvpn-devel port.

    Thanks for taking part in the discussion.
    I'll reply collectively here, also to Marek and Matthias.



    > Can you elaborate on this, please? Our ("upstream") plan was to make
    > 2.7 a mostly-plug-in replacement for 2.6, so it really should not break "many" configs.

    I've possibly used wrong words: so far, in fact, I found *one* config
    (see later), but it's a config of which I have many instances.



    > It does break *some*, though - everything with static keys (--secret)
    This is it.



    > So we're really curious on what else we broke, and I'm all willing to
    > help move over to 2.7 - as this is, of course, what will see more focus.

    Actually you can't help me (but thanks a lot)...
    As Marek correctly stated, these configs can be easily fixed, provided:
    a) you are the admin of both ends;
    b) you can reach the "other" end easily.

    In my case I'll have to ask other people to modify their config and/or
    make a trip to the remote site (this can be a 200km trip in some cases).



    > This said, I do not object to having an openvpn26 port around - I hope
    > it is not necessary ("another thing to take care of"), but the overall
    > effort should not be very large. One thing important is communication
    > here - "why is there an openvpn26 port?", so the scenarios where it is
    > needed should be well understood.

    As I said, I'm not *asking* for it as I can easily do this myself
    locally; I just wanted to see if there was widespread interest. Answer
    seems to be no, so let's drop it.

    Since I use the quarterly branch, I still have a couple of months to fix everything that would break; I hope that's enough, but otherwise will cope. (BTW, I'm also evaluating moving some of these tunnels to WireGuard).

    bye & Thanks
    av.

    P.S.
    Thanks also for 2.6.20 in 2026Q2.


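
The thread identifies static-key configs (`--secret`) as what 2.7 breaks, so an inventory of which configs use them shows how many remote ends need fixing. The following is an added example, not part of any poster's message nor of OpenVPN or the port: it scans config text for the `secret` directive in file form or as an inline `<secret>` block. The sample configs and their file names are constructed.

```python
import re

# Constructed sample configs (not from the thread); names and paths are hypothetical.
SAMPLES = {
    "site-a.conf": "dev tun\nremote peer.example.net 1194\nsecret /usr/local/etc/openvpn/static.key\n",
    "site-b.conf": "dev tun\n# secret old.key\ntls-crypt tc.key\nca ca.crt\n",
    "site-c.conf": "dev tun\n<secret>\n(key material omitted)\n</secret>\n",
    "site-d.conf": "--secret static.key 1\n",
}

INLINE_OPEN = re.compile(r"^<([A-Za-z0-9-]+)>$")

def static_key_lines(text):
    """Return 1-based line numbers where a static key is configured."""
    hits, inside = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inside:                       # body of an inline block: not directives
            if line == f"</{inside}>":
                inside = None
            continue
        m = INLINE_OPEN.match(line)
        if m:                            # start of an inline file such as <ca> or <secret>
            inside = m.group(1)
            if inside == "secret":
                hits.append(n)
            continue
        if not line or line[0] in "#;":  # blank lines and comment lines
            continue
        word = line.split()[0]
        if word.startswith("--"):        # config files also accept the --option form
            word = word[2:]
        if word == "secret":             # exact match, so tls-auth/tls-crypt are ignored
            hits.append(n)
    return hits

def audit(configs):
    """Map config name -> line numbers, only for configs that use static keys."""
    return {name: h for name, text in configs.items() if (h := static_key_lines(text))}

if __name__ == "__main__":
    for name, lines in audit(SAMPLES).items():
        print(f"{name}: static key configured on line(s) {lines}")
```

To scan real files, build the dictionary from the contents of the config directory instead of `SAMPLES`.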