| | 1 | = Deprecated Options in OpenVPN |
| | 2 | |
| | 3 | [https://openvpn.net/ OpenVPN] is a software VPN product which have been around since [https://en.wikipedia.org/wiki/OpenVPN May 2001]. And it have mostly been backwards compatible on the most important features through all these years. Unfortunately, the world moves forward, security issues are discovered, and expectations of how a secure VPN should be configured have changed over the years. |
| | 4 | |
| | 5 | As OpenVPN carries a lot of options (over 230), we need to do a clean-up here from time to time. The main goal is to be as backwards compatible in regards to the ''configuration files'' as possible. We do not recommend running any older OpenVPN releases than the latest v2.3 series. Whenever possible you should always upgrade to the latest available OpenVPN release. But some times we unfortunately need to remove old options as they impose a security risk to VPN configurations. |
| | 6 | |
| | 7 | In this wiki page, we will try to keep an up-to-date list of all options we have deprecated, when they will be removed, the new alternative approach and the reasoning behind removing the option. This wiki page summarizes the "Deprecated features" section in the [https://github.com/OpenVPN/openvpn/blob/master/Changes.rst#deprecated-features Changes.rst] file which is distributed with the source code. |
| | 8 | |
| | 9 | [[TOC(notitle,inline, depth=1)]] |
| | 10 | |
| | 11 | == `--key-method` == |
| | 12 | ||=Status =||Pending removal || |
| | 13 | ||=Deprecated in: =||OpenVPN v2.4 || |
| | 14 | ||=To be removed in: =||'''OpenVPN v2.5''' || |
| | 15 | ||=Affects: =||Client and server || |
| | 16 | ||=Result if used: =||OpenVPN will ignore the option and provide a warning || |
| | 17 | ||=Replaced by: =||Not replaced || |
| | 18 | ||=Examples: =||(N/A)|| |
| | 19 | OpenVPN have used `--key-method 2` since OpenVPN v2.0 if it was not provided. Using the older `--key-method 1` was primarily present to allow OpenVPN clients running older releases than v2.0 to connect to a v2.0 server. This older key-method is not recommended as the key negotiation method is not as strong as the current default. |
| | 20 | |
| | 21 | == `--tls-remote` == |
| | 22 | ||=Status =||Removed in OpenVPN v2.4.0 || |
| | 23 | ||=Deprecated in: =||OpenVPN v2.3 || |
| | 24 | ||=To be removed in: =||'''OpenVPN v2.4''' || |
| | 25 | ||=Affects: =||Client and server || |
| | 26 | ||=Result if used: =||OpenVPN will not start due to unknown option || |
| | 27 | ||=Replaced by: =||`--verify-x509-name` || |
| | 28 | ||=Examples: =||`--verify-x509-name 'C=KG, ST=NA, L=Bishkek, CN=Server-1'`|| |
| | 29 | || ||`--verify-x509-name Server-1 name` || |
| | 30 | || ||`--verify-x509-name Server name-prefix` || |
| | 31 | |
| | 32 | == `--compat-names` == |
| | 33 | ||=Status =||Pending removal || |
| | 34 | ||=Deprecated in: =||OpenVPN v2.3 || |
| | 35 | ||=To be removed in: =||'''OpenVPN v2.5''' || |
| | 36 | ||=Affects: =||Client and server || |
| | 37 | ||=Result if used: =||OpenVPN will ignore the option and provide a warning || |
| | 38 | ||=Replaced by: =||Not replaced || |
| | 39 | ||=Examples: =||(N/A)|| |
| | 40 | OpenVPN used the former OpenSSL formatting of X.509 Subject fields. They could look like this: |
| | 41 | {{{ |
| | 42 | /C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com |
| | 43 | }}} |
| | 44 | As of OPenVPN v2.3, this format was changed to the more widely used X.509 formatting: |
| | 45 | {{{ |
| | 46 | C=US, L=Somewhere, CN=John Doe, emailAddress=john@example.com |
| | 47 | }}} |
| | 48 | This option would in addition add remapping of characters and rendering most characters outside the typical a-z/A-Z/0-9 range to be replaced by an underscore (_) - unless the `no-remapping` flag was added. This behaviour would in many cases be required by older authentication plug-ins or scripts which was not able to process the newer format. As this behaviour is now considered bad, it is expected that authentication plug-ins and scripts will have had enough time to get an update to handle the new X.509 Subject formatting. |
| | 49 | |
| | 50 | == `--no-name-remapping` == |
| | 51 | ||=Status =||Pending removal || |
| | 52 | ||=Deprecated in: =||OpenVPN v2.3 || |
| | 53 | ||=To be removed in: =||'''OpenVPN v2.5''' || |
| | 54 | ||=Affects: =||Client and server || |
| | 55 | ||=Result if used: =||OpenVPN will not start due to unknown option || |
| | 56 | ||=Replaced by: =||Not replaced || |
| | 57 | ||=Examples: =||(N/A) || |
| | 58 | This is essentially just an alias for `--compat-names no-remapping`. This option would avoid the character remapping of characters being outside the typical a-z/A-Z/0-9 range in the X.509 Subject identifiers. |
| | 59 | |
| | 60 | == `--no-iv` == |
| | 61 | ||=Status =||Pending removal || |
| | 62 | ||=Deprecated in: =||OpenVPN v2.4 || |
| | 63 | ||=To be removed in: =||'''OpenVPN v2.5''' || |
| | 64 | ||=Affects: =||Client and server || |
| | 65 | ||=Result if used: =||OpenVPN will ignore the option and provide a warning || |
| | 66 | ||=Replaced by: =||Not replaced || |
| | 67 | ||=Examples: =||(N/A) || |
| | 68 | This option will disable OpenVPN' use of the cipher initialization vector (IV). This is considered very harmful on today's ciphers and will severely reduce the security of VPN tunnels. As the use cases for `--no-iv` are few and mostly obscure, it was decided to remove this option to ensure the tunnels security can not be deliberately reduced. |
| | 69 | |
| | 70 | |
| | 71 | == Removal of insecure ciphers: Ciphers with cipher block-size less than 128 bits (most commonly `BF`, `DES`, `CAST5`, `IDEA` and `RC2`) == |
| | 72 | ||=Status =||Pending removal || |
| | 73 | ||=Deprecated in: =||OpenVPN v2.4 || |
| | 74 | ||=To be removed in: =||'''OpenVPN v2.6''' || |
| | 75 | ||=Affects: =||Client and server || |
| | 76 | ||=Result if used: =||OpenVPN will not start due to incorrect cipher being used|| |
| | 77 | ||=Replaced by: =||Replaced by stronger ciphers, most commonly AES-256-GCM || |
| | 78 | ||=Examples: =||(N/A) || |
| | 79 | After the discovery of the [https://sweet32.info SWEET32 Birthday attacks on 64-bit block ciphers] any cipher using a cipher block length smaller than 128 bits is considered insecure and prune to be successfully attacked. The cipher block length is '''''not''''' an indication of the cipher ''key'' length. |
| | 80 | |
| | 81 | === Migrating away from deprecated ciphers === |
| | 82 | With the OpenVPN v2.4 release a new feature was introduced, Negotiable Crypto Parameters (NCP). This allows users to seamlessly migrate away from deprecated ciphers without much extra work. If both client and server runs OpenVPN v2.4 ''without'' NCP being disabled (`--ncp-disable`), the tunnel will automatically be upgraded to `AES-256-GCM`. If the environment also uses clients older than OpenVPN v2.4, the server can deploy: |
| | 83 | {{{ |
| | 84 | --ncp-ciphers AES-256-GCM:AES-256-CBC:BF-CBC |
| | 85 | }}} |
| | 86 | This will allow older clients to add or change `--cipher` to use `AES-256-CBC` instead of the default `BF-CBC` or any other cipher enlisted. This can be done on client configuration files on a one-by-one approach. Unmodified clients will be able to connect as before. Once all clients have been updated to OpenVPN v2.4 or later (preferred) or have their configuration altered, the `--ncp-ciphers` list can be modified to remove `BF-CBC`. |
| | 87 | |
| | 88 | '''WARNING:''' This migration approach '''will not''' work after the release of OpenVPN v2.6. As of that release, `BF-CBC`, `CAST` or `RC2` ciphers '''will not''' be accepted any more. |
| | 89 | |
| | 90 | '''NOTE:''' For Fedora 27, if the `openvpn-server@.service` unit file is used for ''server configurations'', this migration path have already been enabled. |
| | 91 | |
| | 92 | == `--keysize` == |
| | 93 | ||=Status =||Pending removal || |
| | 94 | ||=Deprecated in: =||OpenVPN v2.4 || |
| | 95 | ||=To be removed in: =||'''OpenVPN v2.6''' || |
| | 96 | ||=Affects: =||Client and server || |
| | 97 | ||=Result if used: =||OpenVPN will ignore the option and provide a warning|| |
| | 98 | ||=Replaced by: =||Not replaced || |
| | 99 | ||=Examples: =||(N/A) || |
| | 100 | The `--keysize` option was only useful to change the key length when using the `BF`, `CAST6` or `RC2` ciphers. For all other ciphers the key-size is fixed with the chosen cipher. As OpenVPN v2.6 will no longer support any of these variable length ciphers, this option will be removed as well to avoid confusion. |
| | 101 | |
| | 102 | == `--comp-lzo` == |
| | 103 | ||=Status =||Planned for removal || |
| | 104 | ||=Deprecated in: =||OpenVPN v2.4 || |
| | 105 | ||=To be removed in: =||(not decided) || |
| | 106 | ||=Affects: =||Client and server || |
| | 107 | ||=Result if used: =||OpenVPN will ignore the option and provide a warning|| |
| | 108 | ||=Replaced by: =||`--compress` || |
| | 109 | ||=Examples: =||`--compress` || |
| | 110 | || ||`--compress lzo` || |
| | 111 | || ||`--compress lz4` || |
| | 112 | The `--comp-lzo` option would only enable the LZO compression algorithm. The `--compress` option allows also to use the improves LZ4 algorithm instead. Providing just `--compress` without an algorithm is the equivalent of `--comp-lzo no` which disables compression but enables the packet framing for compression. This will allow `--compress` to be pushed by the server on a per-client basis. |
| | 113 | |
| | 114 | == `--ifconfig-pool-linear` == |
| | 115 | ||=Status =||Pending removal || |
| | 116 | ||=Deprecated in: =||OpenVPN v2.1 || |
| | 117 | ||=To be removed in: =||'''OpenVPN v2.5''' || |
| | 118 | ||=Affects: =||Client and server || |
| | 119 | ||=Result if used: =||OpenVPN will not start due to unknown option|| |
| | 120 | ||=Replaced by: =||`--topology` || |
| | 121 | ||=Examples: =||`--topology p2p` || |
| | 122 | This option will not work with Windows based clients. Since the `--topology p2p` mode is equivalent to `--ifconfig-pool-linear` and works with Windows, this option will be removed. |
| | 123 | |
| | 124 | == `--client-cert-not-required` == |
| | 125 | ||=Status =||Pending removal || |
| | 126 | ||=Deprecated in: =||OpenVPN v2.4 || |
| | 127 | ||=To be removed in: =||'''OpenVPN v2.5''' || |
| | 128 | ||=Affects: =||Client and server || |
| | 129 | ||=Result if used: =||OpenVPN will not start due to unknown option|| |
| | 130 | ||=Replaced by: =||`--verify-client-cert` || |
| | 131 | ||=Examples: =||`--verify-client-cert none` || |
| | 132 | || || `--verify-client-cert optional` || |
| | 133 | || || `--verify-client-cert require` || |
| | 134 | The replacement option allows a far more fine grained control of authentication methods, and can allow a combination of only username/password authentication, only certificate based authentication or a combination. This would not be possible with the old `--client-cert-not-required` option. |
| | 135 | |
| | 136 | == `--ns-cert-type` == |
| | 137 | ||=Status =||Pending removal || |
| | 138 | ||=Deprecated in: =||OpenVPN v2.4 and v2.3.18 || |
| | 139 | ||=To be removed in: =||'''OpenVPN v2.5''' || |
| | 140 | ||=Affects: =||Client and server || |
| | 141 | ||=Result if used: =||OpenVPN will complain and remap to replacement option|| |
| | 142 | ||=Replaced by: =||`--remote-cert-tls` || |
| | 143 | ||=Examples: =||`--remote-cert-tls server` || |
| | 144 | || ||`--remote-cert-tls client` || |
| | 145 | As of OpenSSL v1.1, the nsCertType extension in X.509 certificates are no longer supported. This extension is old and have been deprecated for a long time. The replacement option, `---remote-cert-tls` is a macro which sets the `--remote-cert-ku` and `--remote-cert-eku` to appropriate values, depending on it is wanted to check if the remote provided certificate is a server or client certificate. As the extended key usage extension is far more commonly used today, this is effectively the equivalent of `--ns-cert-type`. For the time being, if `--ns-cert-type` is used in OpenVPN v2.5 or later, it will currently be re-mapped to `--remote-cert-tls` and complain about a deprecated option being used. |
