OpenVPN, a widely adopted user-space VPN daemon that creates encrypted tunnels over IP networks, has just released v2.7.1 as the first maintenance update to the 2.7 series. The main highlight is the new option for the --auth-user-pass directive.
With this option, OpenVPN prompts only for a username and sends a dummy password in its place. This suits setups that rely on external authentication, where the username alone is enough to start a challenge-response exchange on the server.
Performance has been improved by changing how internal hash maps are sized. Instead of a fixed default of 256, the default is now four times the value of --max-clients. The old setting could slow things down with many clients, but the new method matches memory use to actual needs.
There are also some changes users will notice. If OpenVPN is built with AWS-LC, the --tls-cert-profile option now emits a runtime warning because that library does not support the feature. For systems using systemd, the unit files now set TasksMax instead of LimitNPROC, and the limit has been raised. Logging for port-share has also changed: incoming connections are now logged at verbosity level 3 rather than as errors.
On the bug fixes side, the --lport directive now works correctly inside <connection> blocks, after being broken by earlier changes. There is also a fix for failures with private key passphrases that are 64 characters or longer. Another issue causing crashes with TCP connections using TAP interfaces and missing IP settings has been fixed, too.
OpenVPN 2.7.1 also includes important fixes for certain platforms. Data Channel Offload now works properly on FreeBSD systems without IPv4 kernel support and on Linux systems with big-endian CPUs like MIPS and PowerPC. There are also fixes for FreeBSD 15, including better handling of async push without needing libinotify.
Other changes improve management interface responses, test runs during cross-compilation, and support for newer toolchains. To see all of them in detail, refer to the changelog.
