Two years after the previous major 2.6 release, OpenVPN 2.7, a user-space VPN daemon that creates encrypted tunnels over IP networks, is now available.
The primary enhancement is the newly added multi-socket server support. A single server instance can now manage multiple addresses, ports, and protocols at once, something that previously required several server processes.
Client-side DNS handling is improved as well, with updated client implementations for Linux, BSD, and macOS now included by default. The new Windows client adds support for split DNS and DNSSEC. Servers can now send configuration updates using the PUSH_UPDATE control-channel message, enabling routing and DNS changes without requiring client reconnection.
Basic server-side support for PUSH_UPDATE is provided through the new management interface. Windows receives several architectural updates. The block-local flag is now enforced with Windows Filtering Platform filters.
On top of that, network adapters are created on demand, and the automatic service runs as an unprivileged user. Server mode support has been added to the win-dco driver. The wintun driver has been removed; win-dco is now the default, with tap-windows6 as a fallback if needed.
The data channel now enforces AES-GCM usage limits and introduces epoch data keys with a revised packet format. Epoch data channel support on Windows is available with win-dco 2.8.0 or later.
On Linux, OpenVPN 2.7 supports the new upstream ovpn DCO kernel module, which is expected to be included in future Linux kernel releases. Backports are available through the ovpn-backports project. TLS support is extended to include mbedTLS 4 and newer versions of TLS 1.3.
Routing checks are now more precise. The “recursive routing” check drops packets in the tunnel only when the destination IP, protocol, and port match those needed to reach the VPN server.
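The narrowed check can be pictured with the following C sketch, an added example that is not OpenVPN source code. It covers IPv4 only; the names `vpn_endpoint`, `is_recursive` and `sample_verdict` are hypothetical, and the addresses and ports are constructed sample values.

```c
/* Added example, not OpenVPN source. IPv4-only sketch; names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct vpn_endpoint {      /* transport endpoint used to reach the server */
    uint8_t  addr[4];      /* server IPv4 address */
    uint8_t  proto;        /* 6 = TCP, 17 = UDP */
    uint16_t port;         /* server port, host byte order */
};

/* Returns 1 when a packet about to enter the tunnel is addressed to the
 * server's own address, protocol and port, so it must be dropped. */
int is_recursive(const uint8_t *pkt, size_t len, const struct vpn_endpoint *srv)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;                               /* not IPv4: outside this sketch */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* header length with options */
    if (ihl < 20 || len < ihl + 4)
        return 0;                               /* truncated: ports unreadable */
    if ((pkt[6] & 0x1f) || pkt[7])
        return 0;                               /* later fragment has no ports (sketch's choice) */
    if (memcmp(pkt + 16, srv->addr, 4) != 0 || pkt[9] != srv->proto)
        return 0;                               /* other host or other protocol */
    uint16_t dport = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    return dport == srv->port;
}

/* Verdict for a constructed packet to 192.0.2.<last>, checked against a
 * constructed server endpoint 192.0.2.10 udp/1194. */
int sample_verdict(uint8_t last, uint8_t proto, uint16_t dport)
{
    const struct vpn_endpoint srv = { {192, 0, 2, 10}, 17, 1194 };
    uint8_t p[24] = { 0x45 };                   /* version 4, IHL 5, rest zero */
    p[9] = proto;
    p[16] = 192; p[17] = 0; p[18] = 2; p[19] = last;
    p[22] = (uint8_t)(dport >> 8);
    p[23] = (uint8_t)(dport & 0xff);
    return is_recursive(p, sizeof p, &srv);
}

int main(void)
{
    printf("udp/1194 to server: %d\n", sample_verdict(10, 17, 1194));
    printf("tcp/443 to server:  %d\n", sample_verdict(10, 6, 443));
    printf("udp/1194 elsewhere: %d\n", sample_verdict(11, 17, 1194));
    return 0;
}
```

The second case is the one that matters: TCP/443 traffic to the server's address still goes through the tunnel, where a check keyed on the destination address alone would drop it.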
Additional changes include two new environment variables for communicating default gateway redirection preferences to plugins like NetworkManager. Windows installer licensing details have been updated and moved to a separate repository.
For more information, see the changelog.
