Deprecated Options in OpenVPN
OpenVPN is a software VPN product which has been around since May 2001. And it has mostly been backwards compatible on the most important features through all these years. But the world moves forward, security issues are discovered, and expectations of how a secure VPN should be configured have changed over the years.
As OpenVPN carries a lot of options (over 230), we need to do a clean-up here from time to time. The main goal is to be as backwards compatible in regards to the configuration files as possible. We do not recommend running any older OpenVPN releases than the latest supported version. Whenever possible you should always upgrade to the latest available OpenVPN release. But some times we unfortunately need to remove old options as they impose a security risk to VPN configurations.
In this wiki page, we will try to keep an up-to-date list of all options we have deprecated, when they will be removed, the new alternative approach and the reasoning behind removing the option. This wiki page summarizes the "Deprecated features" section in the Changes.rst file which is distributed with the source code.
Table of Contents
- Remove clear-text VPN mode || Status: Under consideration
- Change default
--topology net30
tosubnet
|| Status: Pending - Option:
--key-method
|| Status: Removed in OpenVPN v2.5 - Option:
--tls-remote
|| Status: Removed in OpenVPN v2.4 - Option:
--compat-names
|| Status: Removed in OpenVPN v2.5 - Option:
--no-name-remapping
|| Status: Removed in OpenVPN v2.5 - Option:
--no-iv
|| Status: Removed in OpenVPN v2.5 - Option:
--no-replay
|| Status: Removed in OpenVPN v2.7 - Policy: Removal of insecure ciphers || Status: To be decided
- Policy: Migrate away from deprecated ciphers. Status: In progress
- Option:
--keysize
|| Status: Removed in OpenVPN v2.6 - Option:
--comp-lzo
|| Status: Pending removal - Option:
--comp-noadapt
|| Status: Pending removal - Option:
--compress
|| Status: Pending removal - Option:
--ifconfig-pool-linear
|| Status: Removed in OpenVPN v2.5 - Option:
--client-cert-not-required
|| Status: Removed in OpenVPN v2.5 - Option:
--ns-cert-type
|| Status: Pending removal - Option:
--tun-ipv6
|| Status: Ignored, pending removal - Policy: Automatic Up-casing of X509 Certificate field names || Status: …
- Option:
--max-routes
|| Status: Ignored, pending removal - Option:
--dhcp-release
|| Status: Ignored, pending removal - Option:
--route-nopull
|| Status: To be decided - Option:
--genkey --secret
|| Status: Deprecated, pending removal - Option:
--secret
|| Status: Deprecated, pending removal - Option:
--ncp-disable
|| Status: Removed in OpenVPN v2.6 - plugin:
_v1 and _v2 functions for open and func call
|| Status: … - Option:
--inetd
|| Status: Removed in OpenVPN v2.6 - Windows:
openvpn-legacy-service
|| Status: Removed - Option:
--persist-key
|| Status: To be decided - Option:
--verify-hash
|| Status: Pending removal - Option:
--link-mtu
|| Status: Pending Deprecation - Option:
--management-client-pf
|| Status: Removed in OpenVPN v2.6 - Option:
--prng
|| Status: Ignored, pending removal - Option:
--opt-verify
|| Status: Deprecated, pending removal - Option:
--disable-occ
|| Status: Deprecated, pending removal - NTLM v1 authentication support in
--http-proxy
|| Status: … - NTLM v2 authentication support in
--http-proxy
|| Status: To be …
Remove clear-text VPN mode || Status: Under consideration
Status | Under consideration |
---|---|
Deprecated in: | Not currently deprecated |
To be removed in: | N/A |
Affects: | Client and server |
Result if used: | N/A |
Replaced by: | Not replaced |
Examples: | (N/A) |
This is a place-holder for the possible deprecation of clear-text mode.
Important: OpenVPN DCO does not support clear-text mode.
Change default --topology net30
to subnet
|| Status: Pending
Status | Pending |
---|---|
Deprecated in: | OpenVPN v2.5 |
To be removed in: | TBD |
Affects: | Client and server |
Result if used: | N/A |
Replaced by: | Not replaced |
Examples: | (N/A) |
https://community.openvpn.net/openvpn/ticket/1288
Changing from --topology net30
to subnet
, for most simple servers, only requires the addition of topology subnet
to the server configuration file. However, for more complex setups there is potentially a lot more that requires changing. E.g. CCD files etc.
OpenVPN recommends using topology subnet
now, so that when the default is changed, you will not be affected.
Option: --key-method
|| Status: Removed in OpenVPN v2.5
Status | Removed in OpenVPN v2.5 |
---|---|
Deprecated in: | OpenVPN v2.4 |
Affects: | Client and server |
Result if used: | OpenVPN will not start due to unknown option |
Replaced by: | Not replaced |
Examples: | (N/A) |
OpenVPN has used --key-method 2
since OpenVPN v2.0 if it was not provided. Using the older --key-method 1
was primarily present to allow OpenVPN clients running older releases than v2.0 to connect to a v2.0 server. This older key-method is not recommended as the key negotiation method is not as strong as the current default.
Option: --tls-remote
|| Status: Removed in OpenVPN v2.4
Status | Removed in OpenVPN v2.4 |
---|---|
Deprecated in: | OpenVPN v2.3 |
Affects: | Client and server |
Result if used: | OpenVPN will not start due to unknown option |
Replaced by: | --verify-x509-name
|
Examples: | --verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1'
|
--verify-x509-name Server-1 name
| |
--verify-x509-name Server name-prefix
|
Option: --compat-names
|| Status: Removed in OpenVPN v2.5
Status | Removed in OpenVPN v2.5 |
---|---|
Deprecated in: | OpenVPN v2.3 |
Affects: | Client and server |
Result if used: | OpenVPN will print an error message and terminate |
Replaced by: | Not replaced |
Examples: | (N/A) |
Ref: | https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17804.html |
OpenVPN used the former OpenSSL formatting of X.509 Subject fields. They could look like this:
/C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com
As of OPenVPN v2.3, this format was changed to the more widely used X.509 formatting:
C=US, L=Somewhere, CN=John Doe, emailAddress=john@example.com
This option would in addition add remapping of characters and rendering most characters outside the typical a-z/A-Z/0-9 range to be replaced by an underscore (_) - unless the no-remapping
flag was added. This behaviour would in many cases be required by older authentication plug-ins or scripts which was not able to process the newer format. As this behaviour is now considered bad, it is expected that authentication plug-ins and scripts will have had enough time to get an update to handle the new X.509 Subject formatting.
Option: --no-name-remapping
|| Status: Removed in OpenVPN v2.5
Status | Removed in OpenVPN v2.5 |
---|---|
Deprecated in: | OpenVPN v2.3 |
Affects: | Client and server |
Result if used: | OpenVPN will print an error message and terminate |
Replaced by: | Not replaced |
Examples: | (N/A) |
Ref: | https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17804.html |
This is essentially just an alias for --compat-names no-remapping
. This option would avoid the character remapping of characters being outside the typical a-z/A-Z/0-9 range in the X.509 Subject identifiers.
Option: --no-iv
|| Status: Removed in OpenVPN v2.5
Status | Removed in OpenVPN v2.5 |
---|---|
Deprecated in: | OpenVPN v2.4 |
Affects: | Client and server |
Result if used: | OpenVPN will not start due to unknown option |
Replaced by: | Not replaced |
Examples: | (N/A) |
This option will disable OpenVPN's use of the cipher initialization vector (IV). This is considered very harmful on today's ciphers and will severely reduce the security of VPN tunnels. As the use cases for --no-iv
are few and mostly obscure, it was decided to remove this option to ensure the tunnels security can not be deliberately reduced.
Option: --no-replay
|| Status: Removed in OpenVPN v2.7
Status | Removed in OpenVPN v2.7 |
---|---|
Deprecated in: | OpenVPN v2.4 |
Affects: | Client and server |
Result if used: | OpenVPN will refuse the option and provide an error message that the option is no longer supported |
Replaced by: | Not replaced |
Examples: | (N/A) |
This option will disable OpenVPN's use of replay protection. This slightly reduces the overhead (8 bytes per packet for static keyed setups, 4 bytes for TLS with CBC mode, 0 bytes for TLS with GCM/OFB/CFB mode). The overhead reduction in CBC mode can better be achieved by switching to GCM mode. The remaining benefit for static key mode does not warrant keeping this option around. The added code complexity adds attack surface and increases the chance of users reducing their security more than they realize.
Policy: Removal of insecure ciphers || Status: To be decided
Ciphers with cipher block-size less than 128 bits; Most commonly BF
, DES
, CAST5
, IDEA
and RC2
.
Status | Pending removal |
---|---|
Deprecated in: | OpenVPN v2.4 |
To be removed in: | TBD |
Affects: | Client and server |
Result if used: | OpenVPN will not start due to incorrect cipher being used |
Replaced by: | Replaced by stronger ciphers, most commonly AES-256-GCM |
Examples: | (N/A) |
After the discovery of the SWEET32 Birthday attacks on 64-bit block ciphers any cipher using a cipher block length smaller than 128 bits is considered insecure and prone to be successfully attacked. The cipher block length is not an indication of the cipher key length.
For now we will not officially remove them and focus on educating users. Maybe at some point the SSL libraries will start dropping them.
Policy: Migrate away from deprecated ciphers. Status: In progress
With the OpenVPN v2.4 release a new feature was introduced, Negotiated Cipher Protocol (NCP). This allows users to seamlessly migrate away from deprecated ciphers without much extra work. If both client and server runs OpenVPN v2.4, the tunnel will automatically be upgraded to AES-256-GCM
. If the environment also uses clients older than OpenVPN v2.4, the server can deploy:
--data-ciphers AES-256-GCM:AES-256-CBC:BF-CBC
This will allow older clients to add or change --cipher
to use AES-256-CBC
instead of the default BF-CBC
or any other cipher enlisted. This can be done on client configuration files on a one-by-one approach. Unmodified clients will be able to connect as before. Once all clients have been updated to OpenVPN v2.4 or later (preferred) or have their configuration altered, the --data-ciphers
list can be modified to remove BF-CBC
.
WARNING: This migration approach will not work after the release of OpenVPN v2.7. As of that release, BF-CBC
, CAST
or RC2
ciphers will not be accepted any more.
Option: --keysize
|| Status: Removed in OpenVPN v2.6
Status | Removed in OpenVPN v2.6 |
---|---|
Deprecated in: | OpenVPN v2.4 |
Affects: | Client and server |
Result if used: | OpenVPN will not start due to unknown option |
Replaced by: | Not replaced |
Examples: | (N/A) |
The --keysize
option was only useful to change the key length when using the BF
, CAST6
or RC2
ciphers. For all other ciphers the key-size is fixed with the chosen cipher. As OpenVPN v2.6 will no longer support any of these variable length ciphers, this option will be removed as well to avoid confusion.
Option: --comp-lzo
|| Status: Pending removal
Status | Currently not planned for removal, see description for details |
---|---|
Deprecated in: | OpenVPN v2.4 |
To be removed in: | (not decided) |
Affects: | Client and server |
Result if used: | OpenVPN will ignore the option and provide a warning |
Replaced by: | Not replaced |
Examples: | (N/A) |
Compression is not recommended and is a feature users should avoid using. See --compress
for more details.
Option: --comp-noadapt
|| Status: Pending removal
Status | Currently not planned for removal, see description for details |
---|---|
Deprecated in: | OpenVPN v2.4 |
To be removed in: | (not decided) |
Affects: | Client and server |
Result if used: | OpenVPN will ignore the option and provide a warning |
Replaced by: | Not replaced |
Examples: | (N/A) |
Compression is not recommended and is a feature users should avoid using. See --compress
for more details.
Option: --compress
|| Status: Pending removal
Status | Currently not planned for removal, see description for details |
---|---|
Deprecated in: | OpenVPN v2.5 |
To be removed in: | (not decided) |
Affects: | Client and server |
Result if used: | OpenVPN will ignore the option and provide a warning |
Replaced by: | Not replaced |
Examples: | (N/A) |
Compression is not recommended and is a feature users should avoid using. To signal this clearly, --comp-lzo
and --compress
are discouraged and considered deprecated features. Beginning with 2.5, these options will no longer enable compression, just enable the compression framing to be able to receive compressed packets.
Option: --ifconfig-pool-linear
|| Status: Removed in OpenVPN v2.5
Status | Removed in OpenVPN v2.5 |
---|---|
Deprecated in: | OpenVPN v2.1 |
Affects: | Client and server |
Result if used: | OpenVPN will not start due to unknown option |
Replaced by: | --topology
|
Examples: | --topology p2p
|
This option will not work with Windows based clients. Since the --topology p2p
mode is equivalent to --ifconfig-pool-linear
and works with Windows, this option will be removed.
Option: --client-cert-not-required
|| Status: Removed in OpenVPN v2.5
Status | Removed in OpenVPN v2.5 |
---|---|
Deprecated in: | OpenVPN v2.4 |
Affects: | Client and server |
Result if used: | OpenVPN will print an error message and terminate |
Replaced by: | --verify-client-cert
|
Examples: | --verify-client-cert none
|
--verify-client-cert optional
| |
--verify-client-cert require
|
The replacement option allows a far more fine grained control of authentication methods, and can allow a combination of only username/password authentication, only certificate based authentication or a combination. This would not be possible with the old --client-cert-not-required
option.
Option: --ns-cert-type
|| Status: Pending removal
Status | Pending removal |
---|---|
Deprecated in: | OpenVPN v2.4 and v2.3.18 |
To be removed in: | TBD |
Affects: | Client and server |
Result if used: | OpenVPN will complain and remap to replacement option |
Replaced by: | --remote-cert-tls
|
Examples: | --remote-cert-tls server
|
--remote-cert-tls client
|
As of OpenSSL v1.1, the nsCertType extension in X.509 certificates are no longer supported. This extension is old and has been deprecated for a long time. The replacement option, --remote-cert-tls
is a macro which sets the --remote-cert-ku
and --remote-cert-eku
to appropriate values, depending on whether you to check if the remote provided certificate is a server certificate or client certificate. As the extended key usage extension is far more commonly used today, this is effectively the equivalent of --ns-cert-type
. For the time being, if --ns-cert-type
is used in OpenVPN v2.5 or later, it will currently be re-mapped to --remote-cert-tls
and complain about a deprecated option being used. (FIXME: the remapping doesn't actually seem to be implemented?)
This cannot be turned into a "hard error" due to compatibility issues with OpenVPN AS and commercial upgrade cycles.
In OpenVPN v2.7 support for this option was dropped when compiling OpenVPN with mbedTLS.
Option: --tun-ipv6
|| Status: Ignored, pending removal
Status | Ignored since in OpenVPN 2.4l |
---|---|
Deprecated in: | OpenVPN v2.4 |
To be removed in: | OpenVPN v2.7 |
Affects: | Client and server |
Result if used: | OpenVPN will complain and ignore the option |
Replaced by: | Not replaced |
Examples: |
This option was useful when IPv6 tun support was non standard and was an internal/user specified flag that tracked the Ipv6 capability of the tun device.
Today, all supported OS support IPv6 and indicating explicit support is not needed any more. Also tun-ipv6 is pushable by the remote so not putting tun-ipv6 does not forbid ipv6 addresses.
Policy: Automatic Up-casing of X509 Certificate field names || Status: Completed in OpenVPN 2.5
Status | Planned for removal |
---|---|
Deprecated in: | OpenVPN v2.3 |
To be removed in: | |
Affects: | Server |
Result if used: | n/a (Always used) |
Replaced by: | Not replaced |
Examples: | This feature converts an all-lowercase field name to uppercase characters, e.g., ou -> OU |
See --x509-username-field in https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage for a detailed explanation.
Option: --max-routes
|| Status: Ignored, pending removal
Status | Planned for removal |
---|---|
Deprecated in: | OpenVPN v2.4 |
To be removed in: | |
Affects: | |
Result if used: | OpenVPN warns and ignores the option |
Replaced by: | N/A |
Examples: |
Option: --dhcp-release
|| Status: Ignored, pending removal
Status | Enabled by default |
---|---|
Deprecated in: | OpenVPN v2.4 |
To be removed in: | |
Affects: | |
Result if used: | OpenVPN warns and ignores the option |
Replaced by: | N/A |
Examples: | |
Notes: | Windows only |
Option: --route-nopull
|| Status: To be decided
Status | Disabled by default |
---|---|
Deprecated in: | Deprecation is under discussion |
To be removed in: | |
Affects: | Client routing, dhcp-options and Windows firewall |
Result if used: | See the manual |
Replaced by: | --pull-filter
|
Examples: | |
Notes: | Openvpn devs would like to know if you use this option |
To emulate --route-nopull
with --pull-filter
:
--pull-filter ignore redirect-private redirect-gateway block-ipv6 client-nat route route-ipv6 route-metric ip-win32 dhcp-option dhcp-renew register-dns tap-sleep block-outside-dns
- Optionally, also
ignore
:route-gateway
route-delay
Option: --genkey --secret
|| Status: Deprecated, pending removal
Status | Warning |
---|---|
Deprecated in: | OpenVPN v2.4 |
To be removed in: | OpenVPN v2.8 |
Affects: | --genkey
|
Result if used: | User Warning printed |
Replaced by: | secret (No leading double dash)
|
Examples: | Use --genkey secret filename
|
Notes: |
Option: --secret
|| Status: Deprecated, pending removal
Status | Warning in OpenVPN 2.6, error in OpenVPN 2.7 (can be overridden with --allow-deprecated-insecure-static-crypto )
|
---|---|
Deprecated in: | OpenVPN v2.6 |
To be removed in: | OpenVPN v2.8 |
Affects: | --secret
|
Result if used: | User Warning printed |
Replaced by: | --peer-fingerprint
|
Examples: | See man 5 openvpn-examples
|
Notes: |
static key mode (non-TLS) is no longer considered "good and secure enough" for today's requirements. Use TLS mode instead. If deploying a PKI CA
is considered "too complicated", using --peer-fingerprint
makes TLS mode about as easy as using --secret
.
This mode can still be enabled by using --allow-deprecated-insecure-static-crypto
but will be removed in OpenVPN 2.8.
Option: --ncp-disable
|| Status: Removed in OpenVPN v2.6
Status | Removed in OpenVPN v2.6 |
---|---|
Deprecated in: | OpenVPN v2.5 |
Affects: | |
Result if used: | OpenVPN will not start due to unknown option |
Replaced by: | |
Examples: | |
Notes: | ncp-disable was mainly a debug option that allowed disabling ncp if there were problem with dynamic cipher negotiation. With the current status of NCP, this option is no longer necessary.
|
plugin: _v1 and _v2 functions for open and func call
|| Status: Pending removal
Status | Planned for removal |
---|---|
Deprecated in: | OpenVPN v2.5 (to be done) |
To be removed in: | OpenVPN v2.7 |
Affects: | plugins still use the old API |
Result if used: | User Warning printed, later: refuse to load plugin |
Replaced by: | _v3 functions |
Examples: | |
Notes: | the _v3 API functions can do everything _v1 and _v2 can do, and the existence of the old functions mostly confuses everyone |
Option: --inetd
|| Status: Removed in OpenVPN v2.6
Status | Removed in OpenVPN v2.6 |
---|---|
Deprecated in: | OpenVPN v2.5 |
Affects: | --inetd
|
Result if used: | OpenVPN will not start due to unknown option |
Replaced by: | |
Examples: | |
Notes: | This is a very limited and not-well-tested way to run OpenVPN, on TCP and TAP mode only, which complicates the code quite a bit for little gain. |
Windows: openvpn-legacy-service
|| Status: Removed
Status | Gone |
---|---|
Deprecated in: | A Galaxy a long time ago .. |
To be removed in: | It's Gone MacREADY! |
Affects: | Windows only |
Result if used: | Service is not configured and cannot be used: See #1344 |
Replaced by: | openvpnserv2.exe Windows Service: OpenVPNService
|
Examples: | n/a |
Notes: | To use openvpnserv2.exe see C:\Program Files\Openvpn\config-auto\readme.txt
|
Option: --persist-key
|| Status: To be decided
Status | TBD |
---|---|
Deprecated in: | TBD |
To be removed in: | TBD |
Affects: | ALL |
Result if used: | Nothing, always enabled: See #1405 |
Replaced by: | Nothing |
Examples: | n/a |
Notes: | --persist-key will be always enabled
|
Option: --verify-hash
|| Status: Pending removal
Status | Deprecated |
---|---|
Deprecated in: | OpenVPN v2.6 |
To be removed in: | TBD |
Affects: | Client and Server |
Result if used: | Warns about deprecation |
Replaced by: | Nothing, potential alternatives are specifying an intermediate CA as --ca , using a --tls-verify script, or --peer-fingerprint
|
Examples: | |
Notes: |
Option: --link-mtu
|| Status: Pending Deprecation
Status | TBD |
---|---|
Deprecated in: | TBD |
To be removed in: | TBD |
Affects: | ALL |
Result if used: | n/a |
Replaced by: | Nothing |
Examples: | n/a |
Notes: | n/a |
Option: --management-client-pf
|| Status: Removed in OpenVPN v2.6
Status | Removed in OpenVPN v2.6 |
---|---|
Deprecated in: | OpenVPN v2.5 |
Affects: | Server and Client |
Result if used: | OpenVPN will not start due to unknown option |
Replaced by: | Nothing |
Examples: | n/a |
Notes: | n/a |
Option: --prng
|| Status: Ignored, pending removal
Status | Ignored in OpenVPN 2.6 |
---|---|
Deprecated in: | OpenVPN v2.5 |
Affects: | ALL |
Result if used: | OpenVPN warns and ignores the option |
Replaced by: | SSL library |
Examples: | n/a |
Notes: | n/a |
OpenVPN used to implement its own PRNG based on a hash. However implementing a PRNG is better left to a crypto library. So we use the PRNG of the used SSL library now.
Option: --opt-verify
|| Status: Deprecated, pending removal
Status | Warns about deprecation |
---|---|
Deprecated in: | OpenVPN v2.6 |
Affects: | ALL |
Result if used: | OpenVPN warns |
Replaced by: | n/a |
Examples: | n/a |
Notes: | n/a |
Option: --disable-occ
|| Status: Deprecated, pending removal
Status | Warns about deprecation |
---|---|
Deprecated in: | OpenVPN v2.6 |
Affects: | ALL |
Result if used: | OpenVPN warns |
Replaced by: | n/a |
Examples: | n/a |
Notes: | n/a |
NTLM v1 authentication support in --http-proxy
|| Status: Deprecated, pending removal
Status | Deprecated in 2.6. To be removed in 2.7 |
---|---|
Deprecated in: | OpenVPN v2.6 |
Affects: | --http-proxy
|
Result if used: | Currently warns about deprecation. In 2.7 will try NTLM v2 instead. |
Replaced by: | basic auth |
Examples: | n/a |
Notes: | Generally considered insecure. If you don't care about that, just use basic auth. |
NTLM v2 authentication support in --http-proxy
|| Status: To be deprecated in 2.7
Status | Considered to be declared deprecated in 2.7 |
---|---|
Deprecated in: | TBD |
Affects: | --http-proxy
|
Result if used: | TBD |
Replaced by: | basic auth |
Examples: | n/a |
Notes: | Weak crypto. If you don't care about that, just use basic auth. |