The OpenVPN community project team is proud to release OpenVPN 2.6.0. This is a new stable release with some major new features.
For details see: Changes.rst
The Changes document also contains a section with workarounds for common problems encountered when using OpenVPN with OpenSSL 3.
New features and improvements in 2.6.0 compared to 2.5.8:
- Data Channel Offload (DCO) kernel acceleration support for Windows, Linux, and FreeBSD.
- OpenSSL 3 support.
- Improved handling of tunnel MTU, including support for pushable MTU.
- Outdated cryptographic algorithms disabled by default, but there are options to override if necessary.
- Reworked TLS handshake, making OpenVPN immune to replay-packet state exhaustion attacks.
- Added —peer-fingerprint mode for a more simplistic certificate setup and verification.
- Added Pre-Logon Access Provider support to OpenVPN GUI for Windows.
- Improved protocol negotiation, leading to faster connection setup.
- Included openvpn-gui updated to 11.36.0.0. See CHANGES.rst.
- Updated easy-rsa3 bundled with the installer on Windows.
- Various bug fixes.
Windows 64-bit MSI installer |
GnuPG Signature | OpenVPN-2.6.0-I003-amd64.msi |
Windows ARM64 MSI installer |
GnuPG Signature | OpenVPN-2.6.0-I003-arm64.msi |
Windows 32-bit MSI installer |
GnuPG Signature | OpenVPN-2.6.0-I003-x86.msi |
Source zip |
GnuPG Signature | openvpn-2.6.0.tar.gz |
The OpenVPN community project team is proud to release OpenVPN 2.5.4. This release include a number of fixes and small improvements. One of the fixes is to password prompting on windows console when stderr redirection is in use — this breaks 2.5.x on Win11/ARM, and might also break on Win11/amd64. Windows executable and libraries are now built natively on Windows using MSVC, not cross-compiled on Linux as with earlier 2.5 releases. Windows installers include updated OpenSSL and new OpenVPN GUI. The latter includes several improvements, the most important of which is the ability to import profiles from URLs where available. Installer version I602 fixes loading of pkcs11 files on Windows. Installer version I603 fixes a bug in the version number as seen by Windows (was 2.5..4, not 2.5.4). Installer I604 fixes some small Windows issues.
Source tarball (gzip) |
GnuPG Signature | openvpn-2.5.4.tar.gz |
Source tarball (xz) |
GnuPG Signature | openvpn-2.5.4.tar.xz |
Source zip |
GnuPG Signature | openvpn-2.5.4.zip |
Windows 32-bit MSI installer |
GnuPG Signature | OpenVPN-2.5.4-I604-x86.msi |
Windows 64-bit MSI installer |
GnuPG Signature | OpenVPN-2.5.4-I604-amd64.msi |
Windows ARM64 MSI installer |
GnuPG Signature | OpenVPN-2.5.4-I604-arm64.msi |
Overview of changes since OpenVPN 2.4
Faster connections
Crypto specific changes
- ChaCha20-Poly1305 cipher in the OpenVPN data channel (Requires OpenSSL 1.1.0 or newer)
- Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
- Client-specific tls-crypt keys (—tls-crypt-v2)
- Improved Data channel cipher negotiation
- Removal of BF-CBC support in default configuration (see below for possible incompatibilities)
Server-side improvements
- HMAC based auth-token support for seamless reconnects to standalone servers or a group of servers.
- Asynchronous (deferred) authentication support for auth-pam plugin
- Asynchronous (deferred) support for client-connect scripts and plugins
Network-related changes
- Support IPv4 configs with /31 netmasks now
- 802.1q VLAN support on TAP servers
- IPv6-only tunnels
- New option —block-ipv6 to reject all IPv6 packets (ICMPv6)
Linux-specific features
- VRF support
- Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip commands)
Windows-specific features
- Wintun driver support, a faster alternative to tap-windows6
- Setting tun/tap interface MTU
- Setting DHCP search domain
- Allow unicode search string in —cryptoapicert option
- EasyRSA3, a modern take on OpenVPN CA management
- MSI installer
Important notices
BF-CBC cipher is no longer the default
Cipher handling for the data channel cipher has been significantly changed between OpenVPN 2.3/2.4 and v2.5, most notably there are no «default cipher BF-CBC» anymore because it is no longer considered a reasonable default. BF-CBC is still available, but it needs to be explicitly configured now.
For connections between OpenVPN 2.4 and v2.5 clients and servers, both ends will be able to negotiate a better cipher than BF-CBC. By default they will select one of the AES-GCM ciphers, but this can be influenced using the —data-ciphers setting.
Connections between OpenVPN 2.3 and v2.5 that have no —cipher setting in the config (= defaulting to BF-CBC and not being negotiation-capable) must be updated. Unless BF-CBC is included in —data-ciphers or there is a «—cipher BF-CBC» in the OpenVPN 2.5 config, a v2.5 client or server will refuse to talk to a v2.3 server or client, because it has no common data channel cipher and negotiating a cipher is not possible. Generally, we recommend upgrading such setups to OpenVPN 2.4 or v2.5. If upgrading is not possible we recommend adding data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher AES-128-CBC (v2.4.x and older) to the configuration of all clients and servers.
If you really need to use an unsupported OpenVPN 2.3 (or even older) release and need to stay on BF-CBC (not recommended), the OpenVPN 2.5 based client will need a config file change to re-enable BF-CBC. But be warned that BF-CBC and other related weak ciphers will be removed in coming OpenVPN major releases.
Connectivity to some VPN service provider may break
Connecting with an OpenVPN 2.5 client to at least one commercial VPN service that
implemented their own cipher negotiation method that always reports back that it is using BF-CBC to the client is broken in v2.5. This has always caused warning about mismatch ciphers. We have been in contact with some service providers and they are looking into it. This is not something the OpenVPN community can fix. If your commercial VPN does not work with a v2.5 client, complain to the VPN service provider.
More details on these new features as well as a list of deprecated features and user-visible changes are available in Changes.rst.
The OpenVPN community project team is proud to release OpenVPN 2.5.3. Besides a number of small improvements and bug fixes, this release fixes a possible security issue with OpenSSL config autoloading on Windows (CVE-2021-3606). Updated OpenVPN GUI is also included in Windows installers.
Source tarball (gzip) |
GnuPG Signature | openvpn-2.5.3.tar.gz |
Source tarball (xz) |
GnuPG Signature | openvpn-2.5.3.tar.xz |
Source zip |
GnuPG Signature | openvpn-2.5.3.zip |
Windows 32-bit MSI installer |
GnuPG Signature | OpenVPN-2.5.3-I601-x86.msi |
Windows 64-bit MSI installer |
GnuPG Signature | OpenVPN-2.5.3-I601-amd64.msi |
Windows ARM64 MSI installer |
GnuPG Signature | OpenVPN-2.5.3-I601-arm64.msi |
Overview of changes since OpenVPN 2.4
Faster connections
- Connections setup is now much faster
Crypto specific changes
- ChaCha20-Poly1305 cipher in the OpenVPN data channel (Requires OpenSSL 1.1.0 or newer)
- Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
- Client-specific tls-crypt keys (—tls-crypt-v2)
- Improved Data channel cipher negotiation
- Removal of BF-CBC support in default configuration (see below for possible incompatibilities)
Server-side improvements
- HMAC based auth-token support for seamless reconnects to standalone servers or a group of servers.
- Asynchronous (deferred) authentication support for auth-pam plugin
- Asynchronous (deferred) support for client-connect scripts and plugins
Network-related changes
- Support IPv4 configs with /31 netmasks now
- 802.1q VLAN support on TAP servers
- IPv6-only tunnels
- New option —block-ipv6 to reject all IPv6 packets (ICMPv6)
Linux-specific features
- VRF support
- Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip commands)
Windows-specific features
- Wintun driver support, a faster alternative to tap-windows6
- Setting tun/tap interface MTU
- Setting DHCP search domain
- Allow unicode search string in —cryptoapicert option
- EasyRSA3, a modern take on OpenVPN CA management
- MSI installer
Important notices
BF-CBC cipher is no longer the default
Cipher handling for the data channel cipher has been significantly changed between OpenVPN 2.3/2.4 and v2.5, most notably there are no «default cipher BF-CBC» anymore because it is no longer considered a reasonable default. BF-CBC is still available, but it needs to be explicitly configured now.
For connections between OpenVPN 2.4 and v2.5 clients and servers, both ends will be able to negotiate a better cipher than BF-CBC. By default they will select one of the AES-GCM ciphers, but this can be influenced using the —data-ciphers setting.
Connections between OpenVPN 2.3 and v2.5 that have no —cipher setting in the config (= defaulting to BF-CBC and not being negotiation-capable) must be updated. Unless BF-CBC is included in —data-ciphers or there is a «—cipher BF-CBC» in the OpenVPN 2.5 config, a v2.5 client or server will refuse to talk to a v2.3 server or client, because it has no common data channel cipher and negotiating a cipher is not possible. Generally, we recommend upgrading such setups to OpenVPN 2.4 or v2.5. If upgrading is not possible we recommend adding data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher AES-128-CBC (v2.4.x and older) to the configuration of all clients and servers.
If you really need to use an unsupported OpenVPN 2.3 (or even older) release and need to stay on BF-CBC (not recommended), the OpenVPN 2.5 based client will need a config file change to re-enable BF-CBC. But be warned that BF-CBC and other related weak ciphers will be removed in coming OpenVPN major releases.
Connectivity to some VPN service provider may break
Connecting with an OpenVPN 2.5 client to at least one commercial VPN service that
implemented their own cipher negotiation method that always reports back that it is using BF-CBC to the client is broken in v2.5. This has always caused warning about mismatch ciphers. We have been in contact with some service providers and they are looking into it. This is not something the OpenVPN community can fix. If your commercial VPN does not work with a v2.5 client, complain to the VPN service provider.
More details on these new features as well as a list of deprecated features and user-visible changes are available in Changes.rst.
The OpenVPN community project team is proud to release OpenVPN 2.5.2. It fixes two related security vulnerabilities (CVE-2020-15078) which under very specific circumstances allow tricking a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with «—auth-gen-token» or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account. OpenVPN 2.5.2 also includes other bug fixes and improvements. Updated OpenSSL and OpenVPN GUI are included in Windows installers.
Source tarball (gzip) |
GnuPG Signature | openvpn-2.5.2.tar.gz |
Source tarball (xz) |
GnuPG Signature | openvpn-2.5.2.tar.xz |
Source zip |
GnuPG Signature | openvpn-2.5.2.zip |
Windows 32-bit MSI installer |
GnuPG Signature | OpenVPN-2.5.2-I601-x86.msi |
Windows 64-bit MSI installer |
GnuPG Signature | OpenVPN-2.5.2-I601-amd64.msi |
Overview of changes since OpenVPN 2.4
Faster connections
- Connections setup is now much faster
Crypto specific changes
- ChaCha20-Poly1305 cipher in the OpenVPN data channel (Requires OpenSSL 1.1.0 or newer)
- Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
- Client-specific tls-crypt keys (—tls-crypt-v2)
- Improved Data channel cipher negotiation
- Removal of BF-CBC support in default configuration (see below for possible incompatibilities)
Server-side improvements
- HMAC based auth-token support for seamless reconnects to standalone servers or a group of servers.
- Asynchronous (deferred) authentication support for auth-pam plugin
- Asynchronous (deferred) support for client-connect scripts and plugins
Network-related changes
- Support IPv4 configs with /31 netmasks now
- 802.1q VLAN support on TAP servers
- IPv6-only tunnels
- New option —block-ipv6 to reject all IPv6 packets (ICMPv6)
Linux-specific features
- VRF support
- Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip commands)
Windows-specific features
- Wintun driver support, a faster alternative to tap-windows6
- Setting tun/tap interface MTU
- Setting DHCP search domain
- Allow unicode search string in —cryptoapicert option
- EasyRSA3, a modern take on OpenVPN CA management
- MSI installer
Important notices
BF-CBC cipher is no longer the default
Cipher handling for the data channel cipher has been significantly changed between OpenVPN 2.3/2.4 and v2.5, most notably there are no «default cipher BF-CBC» anymore because it is no longer considered a reasonable default. BF-CBC is still available, but it needs to be explicitly configured now.
For connections between OpenVPN 2.4 and v2.5 clients and servers, both ends will be able to negotiate a better cipher than BF-CBC. By default they will select one of the AES-GCM ciphers, but this can be influenced using the —data-ciphers setting.
Connections between OpenVPN 2.3 and v2.5 that have no —cipher setting in the config (= defaulting to BF-CBC and not being negotiation-capable) must be updated. Unless BF-CBC is included in —data-ciphers or there is a «—cipher BF-CBC» in the OpenVPN 2.5 config, a v2.5 client or server will refuse to talk to a v2.3 server or client, because it has no common data channel cipher and negotiating a cipher is not possible. Generally, we recommend upgrading such setups to OpenVPN 2.4 or v2.5. If upgrading is not possible we recommend adding data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher AES-128-CBC (v2.4.x and older) to the configuration of all clients and servers.
If you really need to use an unsupported OpenVPN 2.3 (or even older) release and need to stay on BF-CBC (not recommended), the OpenVPN 2.5 based client will need a config file change to re-enable BF-CBC. But be warned that BF-CBC and other related weak ciphers will be removed in coming OpenVPN major releases.
Connectivity to some VPN service provider may break
Connecting with an OpenVPN 2.5 client to at least one commercial VPN service that
implemented their own cipher negotiation method that always reports back that it is using BF-CBC to the client is broken in v2.5. This has always caused warning about mismatch ciphers. We have been in contact with some service providers and they are looking into it. This is not something the OpenVPN community can fix. If your commercial VPN does not work with a v2.5 client, complain to the VPN service provider.
More details on these new features as well as a list of deprecated features and user-visible changes are available in Changes.rst.
The OpenVPN community project team is proud to release OpenVPN 2.5.1. It includes several bug fixes and improvements as well as updated OpenSSL and OpenVPN GUI for Windows.
Source tarball (gzip) |
GnuPG Signature | openvpn-2.5.1.tar.gz |
Source tarball (xz) |
GnuPG Signature | openvpn-2.5.1.tar.xz |
Source zip |
GnuPG Signature | openvpn-2.5.1.zip |
Windows 32-bit MSI installer |
GnuPG Signature | OpenVPN-2.5.1-I601-x86.msi |
Windows 64-bit MSI installer |
GnuPG Signature | OpenVPN-2.5.1-I601-amd64.msi |
Overview of changes since OpenVPN 2.4
Faster connections
- Connections setup is now much faster
Crypto specific changes
- ChaCha20-Poly1305 cipher in the OpenVPN data channel (Requires OpenSSL 1.1.0 or newer)
- Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
- Client-specific tls-crypt keys (—tls-crypt-v2)
- Improved Data channel cipher negotiation
- Removal of BF-CBC support in default configuration (see below for possible incompatibilities)
Server-side improvements
- HMAC based auth-token support for seamless reconnects to standalone servers or a group of servers.
- Asynchronous (deferred) authentication support for auth-pam plugin
- Asynchronous (deferred) support for client-connect scripts and plugins
Network-related changes
- Support IPv4 configs with /31 netmasks now
- 802.1q VLAN support on TAP servers
- IPv6-only tunnels
- New option —block-ipv6 to reject all IPv6 packets (ICMPv6)
Linux-specific features
- VRF support
- Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip commands)
Windows-specific features
- Wintun driver support, a faster alternative to tap-windows6
- Setting tun/tap interface MTU
- Setting DHCP search domain
- Allow unicode search string in —cryptoapicert option
- EasyRSA3, a modern take on OpenVPN CA management
- MSI installer
Important notices
BF-CBC cipher is no longer the default
Cipher handling for the data channel cipher has been significantly changed between OpenVPN 2.3/2.4 and v2.5, most notably there are no «default cipher BF-CBC» anymore because it is no longer considered a reasonable default. BF-CBC is still available, but it needs to be explicitly configured now.
For connections between OpenVPN 2.4 and v2.5 clients and servers, both ends will be able to negotiate a better cipher than BF-CBC. By default they will select one of the AES-GCM ciphers, but this can be influenced using the —data-ciphers setting.
Connections between OpenVPN 2.3 and v2.5 that have no —cipher setting in the config (= defaulting to BF-CBC and not being negotiation-capable) must be updated. Unless BF-CBC is included in —data-ciphers or there is a «—cipher BF-CBC» in the OpenVPN 2.5 config, a v2.5 client or server will refuse to talk to a v2.3 server or client, because it has no common data channel cipher and negotiating a cipher is not possible. Generally, we recommend upgrading such setups to OpenVPN 2.4 or v2.5. If upgrading is not possible we recommend adding data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher AES-128-CBC (v2.4.x and older) to the configuration of all clients and servers.
If you really need to use an unsupported OpenVPN 2.3 (or even older) release and need to stay on BF-CBC (not recommended), the OpenVPN 2.5 based client will need a config file change to re-enable BF-CBC. But be warned that BF-CBC and other related weak ciphers will be removed in coming OpenVPN major releases.
Connectivity to some VPN service provider may break
Connecting with an OpenVPN 2.5 client to at least one commercial VPN service that
implemented their own cipher negotiation method that always reports back that it is using BF-CBC to the client is broken in v2.5. This has always caused warning about mismatch ciphers. We have been in contact with some service providers and they are looking into it. This is not something the OpenVPN community can fix. If your commercial VPN does not work with a v2.5 client, complain to the VPN service provider.
More details on these new features as well as a list of deprecated features and user-visible changes are available in Changes.rst.
The OpenVPN community project team is proud to release OpenVPN 2.5.0 which is a new major release with many new features.
Source tarball (gzip) |
GnuPG Signature | openvpn-2.5.0.tar.gz |
Source tarball (xz) |
GnuPG Signature | openvpn-2.5.0.tar.xz |
Source zip |
GnuPG Signature | openvpn-2.5.0.zip |
Windows 32-bit MSI installer |
GnuPG Signature | OpenVPN-2.5.0-I601-x86.msi |
Windows 64-bit MSI installer |
GnuPG Signature | OpenVPN-2.5.0-I601-amd64.msi |
Overview of changes since OpenVPN 2.4
Faster connections
- Connections setup is now much faster
Crypto specific changes
- ChaCha20-Poly1305 cipher in the OpenVPN data channel (Requires OpenSSL 1.1.0 or newer)
- Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
- Client-specific tls-crypt keys (—tls-crypt-v2)
- Improved Data channel cipher negotiation
- Removal of BF-CBC support in default configuration (see below for possible incompatibilities)
Server-side improvements
- HMAC based auth-token support for seamless reconnects to standalone servers or a group of servers.
- Asynchronous (deferred) authentication support for auth-pam plugin
- Asynchronous (deferred) support for client-connect scripts and plugins
Network-related changes
- Support IPv4 configs with /31 netmasks now
- 802.1q VLAN support on TAP servers
- IPv6-only tunnels
- New option —block-ipv6 to reject all IPv6 packets (ICMPv6)
Linux-specific features
- VRF support
- Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip commands)
Windows-specific features
- Wintun driver support, a faster alternative to tap-windows6
- Setting tun/tap interface MTU
- Setting DHCP search domain
- Allow unicode search string in —cryptoapicert option
- EasyRSA3, a modern take on OpenVPN CA management
- MSI installer
Important notices
BF-CBC cipher is no longer the default
Cipher handling for the data channel cipher has been significantly changed between OpenVPN 2.3/2.4 and v2.5, most notably there are no «default cipher BF-CBC» anymore because it is no longer considered a reasonable default. BF-CBC is still available, but it needs to be explicitly configured now.
For connections between OpenVPN 2.4 and v2.5 clients and servers, both ends will be able to negotiate a better cipher than BF-CBC. By default they will select one of the AES-GCM ciphers, but this can be influenced using the —data-ciphers setting.
Connections between OpenVPN 2.3 and v2.5 that have no —cipher setting in the config (= defaulting to BF-CBC and not being negotiation-capable) must be updated. Unless BF-CBC is included in —data-ciphers or there is a «—cipher BF-CBC» in the OpenVPN 2.5 config, a v2.5 client or server will refuse to talk to a v2.3 server or client, because it has no common data channel cipher and negotiating a cipher is not possible. Generally, we recommend upgrading such setups to OpenVPN 2.4 or v2.5. If upgrading is not possible we recommend adding data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC (for v2.5+) or cipher AES-128-CBC (v2.4.x and older) to the configuration of all clients and servers.
If you really need to use an unsupported OpenVPN 2.3 (or even older) release and need to stay on BF-CBC (not recommended), the OpenVPN 2.5 based client will need a config file change to re-enable BF-CBC. But be warned that BF-CBC and other related weak ciphers will be removed in coming OpenVPN major releases.
Connectivity to some VPN service provider may break
Connecting with an OpenVPN 2.5 client to at least one commercial VPN service that
implemented their own cipher negotiation method that always reports back that it is using BF-CBC to the client is broken in v2.5. This has always caused warning about mismatch ciphers. We have been in contact with some service providers and they are looking into it. This is not something the OpenVPN community can fix. If your commercial VPN does not work with a v2.5 client, complain to the VPN service provider.
More details on these new features as well as a list of deprecated features and user-visible changes are available in Changes.rst.
The OpenVPN community project team is proud to release OpenVPN 2.4.11. It fixes two related security vulnerabilities (CVE-2020-15078) which under very specific circumstances allow tricking a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. This release also includes other bug fixes and improvements. The I602 Windows installers fix a possible security issue with OpenSSL config autoloading on Windows (CVE-2021-3606). Updated OpenSSL and OpenVPN GUI are included in Windows installers.
Source Tarball (gzip) |
GnuPG Signature | openvpn-2.4.11.tar.gz |
Source Tarball (xz) |
GnuPG Signature | openvpn-2.4.11.tar.xz |
Source Zip |
GnuPG Signature | openvpn-2.4.11.zip |
Windows 7/8/8.1/Server 2012r2 installer (NSIS) |
GnuPG Signature | openvpn-install-2.4.11-I602-Win7.exe |
Windows 10/Server 2016/Server 2019 installer (NSIS) |
GnuPG Signature | openvpn-install-2.4.11-I602-Win10.exe |
A summary of the changes is available in Changes.rst, and a full list of changes is available here.
Please note that LibreSSL is not a supported crypto backend. We accept patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions of LibreSSL break API compatibility we do not take responsibility to fix that.
Also note that Windows installers have been built with NSIS version that has been patched against several NSIS installer code execution and privilege escalation problems. Based on our testing, though, older Windows versions such as Windows 7 might not benefit from these fixes. We thus strongly encourage you to always move NSIS installers to a non-user-writeable location before running them.
Please note that OpenVPN 2.4 installers will not work on Windows XP. The last OpenVPN version that supports Windows XP is 2.3.18, which is downloadable as 32-bit and 64-bit versions.
If you find a bug in this release, please file a bug report to our Trac bug tracker. In uncertain cases please contact our developers first, either using the openvpn-devel mailinglist or the developer IRC channel (#openvpn-devel at irc.libera.chat). For generic help take a look at our official documentation, wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at irc.libera.chat).
Important: you will need to use the correct installer for your operating system. The Windows 10 installer works on Windows 10 and Windows Server 2016/2019. The Windows 7 installer will work on Windows 7/8/8.1/Server 2012r2. This is because of Microsoft’s driver signing requirements are different for kernel-mode devices drivers, which in our case affects OpenVPN’s tap driver (tap-windows6).
This is primarily a maintenance release with bugfixes and small improvements. Windows installers include the latest OpenSSL version (1.1.1i) which includes security fixes.
A summary of the changes is available in Changes.rst, and a full list of changes is available here.
Please note that LibreSSL is not a supported crypto backend. We accept patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions of LibreSSL break API compatibility we do not take responsibility to fix that.
Also note that Windows installers have been built with NSIS version that has been patched against several NSIS installer code execution and privilege escalation problems. Based on our testing, though, older Windows versions such as Windows 7 might not benefit from these fixes. We thus strongly encourage you to always move NSIS installers to a non-user-writeable location before running them.
Please note that OpenVPN 2.4 installers will not work on Windows XP. The last OpenVPN version that supports Windows XP is 2.3.18, which is downloadable as 32-bit and 64-bit versions.
If you find a bug in this release, please file a bug report to our Trac bug tracker. In uncertain cases please contact our developers first, either using the openvpn-devel mailinglist or the developer IRC channel (#openvpn-devel at irc.libera.chat). For generic help take a look at our official documentation, wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at irc.libera.chat).
Important: you will need to use the correct installer for your operating system. The Windows 10 installer works on Windows 10 and Windows Server 2016/2019. The Windows 7 installer will work on Windows 7/8/8.1/Server 2012r2. This is because of Microsoft’s driver signing requirements are different for kernel-mode devices drivers, which in our case affects OpenVPN’s tap driver (tap-windows6).
Source Tarball (gzip) |
GnuPG Signature | openvpn-2.4.10.tar.gz |
Source Tarball (xz) |
GnuPG Signature | openvpn-2.4.10.tar.xz |
Source Zip |
GnuPG Signature | openvpn-2.4.10.zip |
Windows 7/8/8.1/Server 2012r2 installer (NSIS) |
GnuPG Signature | openvpn-install-2.4.10-I601-Win7.exe |
Windows 10/Server 2016/Server 2019 installer (NSIS) |
GnuPG Signature | openvpn-install-2.4.10-I601-Win10.exe |
Instructions for verifying the signatures are available here.
This release is also available in our own software repositories for Debian and Ubuntu, Supported architectures are i386 and amd64. For details. look here.
The Windows installers are bundled with OpenVPN-GUI — its source code is available on its project page and as tarballs on our alternative download server.
This is primarily a maintenance release with bugfixes and improvements. This release also fixes a security issue (CVE-2020-11810, trac #1272) which allows disrupting service of a freshly connected client that has not yet not negotiated session keys. The vulnerability cannot be used to inject or steal VPN traffic.
A summary of the changes is available in Changes.rst, and a full list of changes is available here.
Please note that LibreSSL is not a supported crypto backend. We accept patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions of LibreSSL break API compatibility we do not take responsibility to fix that.
Also note that Windows installers have been built with NSIS version that has been patched against several NSIS installer code execution and privilege escalation problems. Based on our testing, though, older Windows versions such as Windows 7 might not benefit from these fixes. We thus strongly encourage you to always move NSIS installers to a non-user-writeable location before running them. We are moving to MSI installers in OpenVPN 2.5, but OpenVPN 2.4.x will remain NSIS-only.
Compared to OpenVPN 2.3 this is a major update with a large number of new features, improvements and fixes. Some of the major features are AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack support and more seamless connection migration when client’s IP address changes (Peer-ID). Also, the new —tls-crypt feature can be used to increase users’ connection privacy.
OpenVPN GUI bundled with the Windows installer has a large number of new features compared to the one bundled with OpenVPN 2.3. One of major features is the ability to run OpenVPN GUI without administrator privileges. For full details, see the changelog. The new OpenVPN GUI features are documented here.
Please note that OpenVPN 2.4 installers will not work on Windows XP. The last OpenVPN version that supports Windows XP is 2.3.18, which is downloadable as 32-bit and 64-bit versions.
If you find a bug in this release, please file a bug report to our Trac bug tracker. In uncertain cases please contact our developers first, either using the openvpn-devel mailinglist or the developer IRC channel (#openvpn-devel at irc.libera.chat). For generic help take a look at our official documentation, wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at irc.libera.chat).
Important: you will need to use the correct installer for your operating system. The Windows 10 installer works on Windows 10 and Windows Server 2016/2019. The Windows 7 installer will work on Windows 7/8/8.1/Server 2012r2. This is because of Microsoft’s driver signing requirements are different for kernel-mode devices drivers, which in our case affects OpenVPN’s tap driver (tap-windows6).
Source Tarball (gzip) |
GnuPG Signature | openvpn-2.4.9.tar.gz |
Source Tarball (xz) |
GnuPG Signature | openvpn-2.4.9.tar.xz |
Source Zip |
GnuPG Signature | openvpn-2.4.9.zip |
Windows 7/8/8.1/Server 2012r2 installer (NSIS) |
GnuPG Signature | openvpn-install-2.4.9-I601-Win7.exe |
Windows 10/Server 2016/Server 2019 installer (NSIS) |
GnuPG Signature | openvpn-install-2.4.9-I601-Win10.exe |
NOTE: the GPG key used to sign the release files has been changed since OpenVPN 2.4.0. Instructions for verifying the signatures, as well as the new GPG public key are available here.
We also provide static URLs pointing to latest releases to ease automation. For a list of files look here.
This release is also available in our own software repositories for Debian and Ubuntu, Supported architectures are i386 and amd64. For details. look here.
You can use EasyRSA 2 or EasyRSA 3 for generating your own certificate authority. The former is bundled with Windows installers. The latter is a more modern alternative for UNIX-like operating systems.
The Windows installers are bundled with OpenVPN-GUI — its source code is available on its project page and as tarballs on our alternative download server.
This is primarily a maintenance release with bugfixes and improvements. The Windows installers (I601) have several improvements compared to the previous release:
- New tap-windows6 driver (9.24.2) which fixes some suspend and resume issues
- Latest OpenVPN-GUI
- Considerable performance boost due to new compiler optimization flags
A summary of the changes is available in Changes.rst, and a full list of changes is available here.
Please note that LibreSSL is not a supported crypto backend. We accept patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions of LibreSSL break API compatibility we do not take responsibility to fix that.
Also note that Windows installers have been built with NSIS version that has been patched against several NSIS installer code execution and privilege escalation problems. Based on our testing, though, older Windows versions such as Windows 7 might not benefit from these fixes. We thus strongly encourage you to always move NSIS installers to a non-user-writeable location before running them. We are moving to MSI installers in OpenVPN 2.5, but OpenVPN 2.4.x will remain NSIS-only.
Compared to OpenVPN 2.3 this is a major update with a large number of new features, improvements and fixes. Some of the major features are AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack support and more seamless connection migration when client’s IP address changes (Peer-ID). Also, the new —tls-crypt feature can be used to increase users’ connection privacy.
OpenVPN GUI bundled with the Windows installer has a large number of new features compared to the one bundled with OpenVPN 2.3. One of major features is the ability to run OpenVPN GUI without administrator privileges. For full details, see the changelog. The new OpenVPN GUI features are documented here.
Please note that OpenVPN 2.4 installers will not work on Windows XP. The last OpenVPN version that supports Windows XP is 2.3.18, which is downloadable as 32-bit and 64-bit versions.
If you find a bug in this release, please file a bug report to our Trac bug tracker. In uncertain cases please contact our developers first, either using the openvpn-devel mailinglist or the developer IRC channel (#openvpn-devel at irc.libera.chat). For generic help take a look at our official documentation, wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at irc.libera.chat).
Important: you will need to use the correct installer for your operating system. The Windows 10 installer works on Windows 10 and Windows Server 2016/2019. The Windows 7 installer will work on Windows 7/8/8.1/Server 2012r2. This is because of Microsoft’s driver signing requirements are different for kernel-mode devices drivers, which in our case affects OpenVPN’s tap driver (tap-windows6).
Source Tarball (gzip) |
GnuPG Signature | openvpn-2.4.8.tar.gz |
Source Tarball (xz) |
GnuPG Signature | openvpn-2.4.8.tar.xz |
Source Zip |
GnuPG Signature | openvpn-2.4.8.zip |
Windows 7/8/8.1/Server 2012r2 installer (NSIS) |
GnuPG Signature | openvpn-install-2.4.8-I602-Win7.exe |
Windows 10/Server 2016/Server 2019 installer (NSIS) |
GnuPG Signature | openvpn-install-2.4.8-I602-Win10.exe |
NOTE: the GPG key used to sign the release files has been changed since OpenVPN 2.4.0. Instructions for verifying the signatures, as well as the new GPG public key are available here.
We also provide static URLs pointing to latest releases to ease automation. For a list of files look here.
This release is also available in our own software repositories for Debian and Ubuntu, Supported architectures are i386 and amd64. For details. look here.
You can use EasyRSA 2 or EasyRSA 3 for generating your own certificate authority. The former is bundled with Windows installers. The latter is a more modern alternative for UNIX-like operating systems.
The Windows installers are bundled with OpenVPN-GUI — its source code is available on its project page and as tarballs on our alternative download server.
This is primarily a maintenance release with bugfixes and improvements. One of the big things is enhanced TLS 1.3 support. A summary of the changes is available in Changes.rst, and a full list of changes is available here.
Please note that LibreSSL is not a supported crypto backend. We accept patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions of LibreSSL break API compatibility we do not take responsibility to fix that.
Also note that Windows installers have been built with NSIS version that has been patched against several NSIS installer code execution and privilege escalation problems. Based on our testing, though, older Windows versions such as Windows 7 might not benefit from these fixes. We thus strongly encourage you to always move NSIS installers to a non-user-writeable location before running them. We are moving to MSI installers in OpenVPN 2.5, but OpenVPN 2.4.x will remain NSIS-only.
Compared to OpenVPN 2.3 this is a major update with a large number of new features, improvements and fixes. Some of the major features are AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack support and more seamless connection migration when client’s IP address changes (Peer-ID). Also, the new —tls-crypt feature can be used to increase users’ connection privacy.
OpenVPN GUI bundled with the Windows installer has a large number of new features compared to the one bundled with OpenVPN 2.3. One of major features is the ability to run OpenVPN GUI without administrator privileges. For full details, see the changelog. The new OpenVPN GUI features are documented here.
Please note that OpenVPN 2.4 installers will not work on Windows XP. The last OpenVPN version that supports Windows XP is 2.3.18, which is downloadable as 32-bit and 64-bit versions.
If you find a bug in this release, please file a bug report to our Trac bug tracker. In uncertain cases please contact our developers first, either using the openvpn-devel mailinglist or the developer IRC channel (#openvpn-devel at irc.libera.chat). For generic help take a look at our official documentation, wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at irc.libera.chat).
Important: you will need to use the correct installer for your operating system. The Windows 10 installer will not work on Windows 7/8/8.1/Server 2012r2. This is because Microsoft’s driver signing requirements and tap-windows6. For the same reason you need to use an older installer with Windows Server 2016. This older installer has a local privilege escalation vulnerability issue which we cannot resolve for Windows Server 2016 until tap-windows6 passes the HLK test suite on that platform. In the meanwhile we recommend Windows Server 2016 users to avoid installing OpenVPN/tap-windows6 driver on hosts where all users can’t be trusted. Users of Windows 7-10 and Server 2012r2 are recommended to update to latest installers as soon as possible.
Source Tarball (gzip) |
GnuPG Signature | openvpn-2.4.7.tar.gz |
Source Tarball (xz) |
GnuPG Signature | openvpn-2.4.7.tar.xz |
Source Zip |
GnuPG Signature | openvpn-2.4.7.zip |
Windows 7/8/8.1/Server 2012r2 installer (NSIS) |
GnuPG Signature | openvpn-install-2.4.7-I607-Win7.exe |
Windows 10 installer (NSIS) |
GnuPG Signature | openvpn-install-2.4.7-I607-Win10.exe |
Windows Server 2016 installer (NSIS) |
GnuPG Signature | openvpn-install-2.4.7-I603.exe |
NOTE: the GPG key used to sign the release files has been changed since OpenVPN 2.4.0. Instructions for verifying the signatures, as well as the new GPG public key are available here.
We also provide static URLs pointing to latest releases to ease automation. For a list of files look here.
This release is also available in our own software repositories for Debian and Ubuntu, Supported architectures are i386 and amd64. For details. look here.
You can use EasyRSA 2 or EasyRSA 3 for generating your own certificate authority. The former is bundled with Windows installers. The latter is a more modern alternative for UNIX-like operating systems.
The Windows installers are bundled with OpenVPN-GUI — its source code is available on its project page and as tarballs on our alternative download server.
This is primarily a maintenance release with minor bugfixes and improvements, and one security relevant fix for the Windows Interactive Service. Windows installer includes updated OpenVPN GUI and OpenSSL. Installer I601 included tap-windows6 driver 9.22.1 which had one security fix and dropped Windows Vista support. However, in installer I602 we had to revert back to tap-windows 9.21.2 due to driver getting reject on freshly installed Windows 10 rev 1607 and later when Secure Boot was enabled. The failure was due to the new, more strict driver signing requirements. The 9.22.1 version of the driver is in the process of getting approved and signed by Microsoft and will be bundled in an upcoming Windows installer.
Please note that LibreSSL is not a supported crypto backend. We accept patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions of LibreSSL break API compatibility we do not take responsibility to fix that.
Also note that Windows installers have been built with NSIS version that has been patched against several NSIS installer code execution and privilege escalation problems. Based on our testing, though, older Windows versions such as Windows 7 might not benefit from these fixes. We thus strongly encourage you to always move NSIS installers to a non-user-writeable location before running them. Our long-term plan is to migrate to using MSI installers instead.
Compared to OpenVPN 2.3 this is a major update with a large number of new features, improvements and fixes. Some of the major features are AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack support and more seamless connection migration when client’s IP address changes (Peer-ID). Also, the new —tls-crypt feature can be used to increase users’ connection privacy.
A summary of the changes is available in Changes.rst, and a full list of changes is available here.
OpenVPN GUI bundled with the Windows installer has a large number of new features compared to the one bundled with OpenVPN 2.3. One of major features is the ability to run OpenVPN GUI without administrator privileges. For full details, see the changelog. The new OpenVPN GUI features are documented here.
Please note that OpenVPN 2.4 installers will not work on Windows XP.
If you find a bug in this release, please file a bug report to our Trac bug tracker. In uncertain cases please contact our developers first, either using the openvpn-devel mailinglist or the developha er IRC channel (#openvpn-devel at irc.libera.chat). For generic help take a look at our official documentation, wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at irc.libera.chat).
Source Tarball (gzip) |
GnuPG Signature | openvpn-2.4.6.tar.gz |
Source Tarball (xz) |
GnuPG Signature | openvpn-2.4.6.tar.xz |
Source Zip |
GnuPG Signature | openvpn-2.4.6.zip |
Windows installer (NSIS) |
GnuPG Signature | openvpn-install-2.4.6-I602.exe |
NOTE: the GPG key used to sign the release files has been changed since OpenVPN 2.4.0. Instructions for verifying the signatures, as well as the new GPG public key are available here.
We also provide static URLs pointing to latest releases to ease automation. For a list of files look here.
This release is also available in our own software repositories for Debian and Ubuntu, Supported architectures are i386 and amd64. For details. look here.
You can use EasyRSA 2 or EasyRSA 3 for generating your own certificate authority. The former is bundled with Windows installers. The latter is a more modern alternative for UNIX-like operating systems.
The Windows installers are bundled with OpenVPN-GUI — its source code is available on its project page and as tarballs on our alternative download server.
You can download Windows developments snapshots (MSI installers) from here (Index of /downloads/snapshots/github-actions/openvpn2/ ). Those are automatically built from commits to OpenVPN master branch and include functionality which will be available in the next release. Development snapshots are less stable than releases, so use at your own risk.
Установим и настроим OpenVPN сервер. На сервере используется операционная система Windows Server 2019.
OpenVPN — бесплатная реализация технологии виртуальной частной сети (VPN) для создания зашифрованных каналов связи между компьютерами типа точка-точка или сервер-клиенты за NAT и Firewall.
Установка OpenVPN Server
Скачиваем дистрибутив для установки OpenVPN:
Прокручиваем вниз, выбираем стабильную версию. Я буду использовать версию 2.4.9.
Для операционной системы Windows доступны два пакета:
- WINDOWS 7/8/8.1/SERVER 2012R2 INSTALLER (NSIS)
- WINDOWS 10/SERVER 2016/SERVER 2019 INSTALLER (NSIS)
Для Windows Server 2019 подходит второй вариант, скачиваю.
Запускаем инсталлятор OpenVPN.
Открывается мастер установки. Next.
Принимаем лицензионное соглашение. I Agree.
Выбираем компоненты. Выделите EasyRSA 2 Certificate Management Scripts. Для сервера OpenVPN GUI можно не устанавливать, если вы планируете запускать OpenVPN в качестве службы. Next.
Выбираем путь установки, я оставляю по умолчанию C:Program FilesOpenVPN. Install.
Начинается процесс установки OpenVPN.
Установка успешно завершена. Next.
Finish.
Установка выполнена в директорию C:Program FilesOpenVPN.
После установки у нас появляется новый сетевой адаптер TAP-Windows Adapter V9.
Адаптер отключён. Если по каким-то причинам нужно добавить несколько таких адаптеров, то загляните в папку C:Program FilesTAP-Windowsbin.
Здесь есть скрипты для установки адаптера, добавления адаптера и удаления всех адаптеров.
Пример установки адаптера. В командной строке под администратором:
cd "C:Program FilesTAP-Windowsbin"
"C:Program FilesTAP-Windowsbintapinstall.exe" install "C:Program FilesTAP-WindowsdriverOemVista.inf" tap0901В большинстве случаев дополнительно настраивать сетевой адаптер не требуется.
Создание ключей и сертификатов
Запускаем командную строку под администратором и переходим в рабочую директорию C:Program FilesOpenVPNeasy-rsa.
cd C:Program FilesOpenVPNeasy-rsaВ этой папке есть всё необходимое для генерации сертификатов.
Выполняем:
init-config.bat
copy vars.bat.sample vars.batСоздаётся файл vars.bat с настройками и примером готовых параметров для создания CSR запроса сертификатов. Заполним его. Открываем vars.bat блокнотом.
notepad vars.bat
Открывается vars.bat.
Здесь стоит обратить внимание на пути к рабочим директориям. Например, вы можете указать свой путь к openssl.exe, если установили OpenVPN в другую директорию. Здесь же можно изменить длину ключей шифрования.
Заполняем переменные в нижней части файла, указываем:
- KEY_COUNTRY — страна
- KEY_PROVINCE — область
- KEY_CITY — город
- KEY_ORG — организация
- KEY_EMAIL — e-mail
- KEY_CN — (Common Name) имя сервера
- KEY_NAME — (Name) имя сервера
- KEY_OU — (Organization Unit) отдел
- PKCS11_MODULE_PATH — для токенов двухфакторной аутентификации, нам не требуется, укажу имя сервера
- PKC11_PIN — ПИН для токенов двухфакторной аутентификации, нам не требуется, укажу 1234
Для каждого сертификата нужно будет указывать свои NAME и COMMON NAME, можно их не указывать в vars.bat, потому как при генерации все параметры будут запрашивать.
Обращаем внимание на строку:
set KEY_KONFIG=openssl-1.0.0.cnf
Это имя конфигурационного файла. Находим его в рабочей директории.
Откроем блокнотом.
Внутри есть параметр default_days, в котором можно указать срок действия будущих сертификатов. По умолчанию у меня стоит 3650 дней, это 10 лет. Меня устраивает. Вероятно, кому-то при генерации клиентских сертификатов может понадобиться уменьшить этот срок.
Сохраняем все изменения и возвращаемся к командной строке. Подгружаем утверждённые нами переменные:
vars.bat
Очищаем директорию с ключами:
clean-all.bat
Сертификаты, которые мы будем создавать, появятся в папке C:Program FilesOpenVPNeasy-rsakeys. Сейчас эта папка очистилась, в ней два файла: index.txt и serial.
Генерируем ключ и сертификат центра сертификации:
build-ca.bat
В процессе генерации сертификата нас будут спрашивать все те же параметры, которые мы указали в vars.bat. Если параметр нас устраивает (а он нас устраивает), просто нажимаем ввод и переходим к следующему вопросу. После завершения работы скрипта в папке C:Program FilesOpenVPNeasy-rsakeys появляется два файла:
- ca.crt — сертификат центра сертификации
- ca.key — ключ центра сертификации
Ключ секретный, никому не передавайте, он будет храниться на сервере.
Генерируем ключ Диффи-Хеллмана:
build-dh.bat
В папке C:Program FilesOpenVPNeasy-rsakeys появляется файл:
- dh2048.pem
Генерируем ключ и сертификат сервера, назовём сервер именем «server«:
build-key-server.bat server
В процессе генерации серверного сертификата нас будут спрашивать те же параметры, которые мы указали в vars.bat. Если параметр нас устраивает (а он нас снова устраивает), просто нажимаем ввод и переходим к следующему вопросу. На вопрос Sign the certificate отвечаем y. На вопрос 1 out of 1 certificate requests certified, commit отвечаем y.
После завершения работы скрипта в папке C:Program FilesOpenVPNeasy-rsakeys появляется четыре файла:
- 01.pem — не понадобится
- server.crt — сертификат сервера
- server.csr — запрос сертификата сервера, не понадобится
- server.key — ключ сервера
Ключ секретный, никому не передавайте, он будет храниться на сервере.
Генерируем ключ и сертификат первого клиента. Для каждого клиента нужно указывать своё имя файла, Name и Common Name. Назовём первого клиента именем «client«:
build-key.bat client
В процессе генерации клиентского сертификата нас будут спрашивать те же параметры, которые мы указали в vars.bat. Нас устраивают все параметры кроме NAME и COMMON NAME, на них отвечаем client. Помним, что для другого клиента имя должно быть другим. На вопрос Sign the certificate отвечаем y. На вопрос 1 out of 1 certificate requests certified, commit отвечаем y.
После завершения работы скрипта в папке C:Program FilesOpenVPNeasy-rsakeys появляется четыре файла:
- 02.pem — не понадобится
- client.crt — сертификат первого клиента
- client.csr — запрос сертификата первого клиента, не понадобится
- client.key — ключ первого клиента
Для каждого нового клиента, который будет подключаться к серверу OpenVPN необходимо сгенерировать свой клиентский сертификат. Но это можно сделать позже, пока добьёмся подключения хотя бы одного клиента.
В настройках сервера можно потом включить настройку duplicate-cn, которая позволяет подключаться всем клиентам по одному общему сертификату, но это небезопасно и не рекомендуется. Используйте только в тестовых целях.
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE «COMMON NAME»,
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
Я на сервере собираюсь использовать tls-auth для дополнительной проверки целостности, это обеспечит дополнительный уровень безопасности протокола SSL/TLS при создании соединения:
- Сканирование прослушиваемых VPN-сервером портов
- Инициация SSL/TLS-соединения несанкционированной машиной на раннем этапе
- DoS-атаки и флуд на порты OpenVPN
- Переполнение буфера SSL/TLS
При использовании tls-auth на клиенте не понадобится ключ Диффи-Хеллмана, но пусть будет. Генерируем ключ tls-auth:
openvpn --genkey --secret keys/ta.key
В папке C:Program FilesOpenVPNeasy-rsakeys появляется файл:
- ta.key
Минимальный набор сертификатов сгенерирован.
Настройка OpenVPN сервера
Чтобы случайно всё не удалить, создадим папку C:Program FilesOpenVPNssl и скопируем в неё сертификаты. Это будет рабочая папка сервера.
mkdir "C:Program FilesOpenVPNssl"
copy "C:Program FilesOpenVPNeasy-rsakeys" "C:Program FilesOpenVPNssl"
Создадим конфигурационный файл сервера C:Program FilesOpenVPNconfigserver.ovpn:
copy "C:Program FilesOpenVPNsample-configserver.ovpn" "C:Program FilesOpenVPNconfigserver.ovpn"Открываем блокнотом и редактируем:
notepad "C:Program FilesOpenVPNconfigserver.ovpn"Лучше изучить конфигурационный файл, я предлагаю свой вариант конфига:
port 1194
proto udp
dev tun
ca "C:\Program Files\OpenVPN\ssl\ca.crt"
cert "C:\Program Files\OpenVPN\ssl\server.crt"
key "C:\Program Files\OpenVPN\ssl\server.key" # This file should be kept secret
dh "C:\Program Files\OpenVPN\ssl\dh2048.pem"
server 10.8.0.0 255.255.255.0
tls-auth "C:\Program Files\OpenVPN\ssl\ta.key" 0 # This file is secret
keepalive 10 120
comp-lzo
persist-key
persist-tun
cipher AES-256-CBC
status "C:\Program Files\OpenVPN\log\status.log"
log "C:\Program Files\OpenVPN\log\openvpn.log"
verb 4
mute 20Указываем параметры сервера, пути к ключам и сертификатам. Здесь же пути к логам. Для тестирования можно использовать tcp протокол:
proto tcpПереходим к службам:
services.msc
Находим службу OpenVPNService.
Настраиваем на автоматический запуск при загрузке сервера.
Запускаем службу.
Согласно настройкам сервера в папке C:Program FilesOpenVPNlog должны появиться логи. Это один из инструментов администратора OpenVPN сервера.
Активировался сетевой адаптер TAP-Windows Adapter V9.
Согласно настройкам сервера IP адрес 10.8.0.1.
Проверяем поднялся ли порт tcp 1194:
netstat -tan | find "1194"Порт должен прослушиваться.
Теперь нужно настроить firewall. Открываем Windows Defender Firewall with Advanced Security.
Переходим в Inbound Rules.
Создаём правило — New Rule…
Тип правила — Port. Next.
Протоколы и порты — UDP 1194. Как в настройках сервера. Next.
Действия — Allow the connection. Next.
Для всех сетей. Next.
Указываем название правила — OpenVPN. Next.
Правило создано, теперь firewall не блокирует входящие UDP соединения на 1194 порту.
Настройка OpenVPN клиента
На компьютере клиента устанавливаем OpenVPN точно также как на сервер. Галку EasyRSA 2 Certificate Management Scripts не указываем. Галку OpenVPN GUI указываем.
Я устанавливаю OpenVPN на клиенте в папку по умолчанию. C:Program FilesOpenVPN.
Копируем в отдельную папку for_client (её содержимое отправим потом на компьютер клиента) на сервере файлы для клиента:
- ca.crt
- client.crt
- client.key
- dh2048.pem
- ta.key
Туда же из папки C:Program FilesOpenVPNsample-config копируем client.ovpn
Переименовываю client.ovpn в config.ovpn. Можно использовать любое имя, лучше созвучное с названием организации. Вот такой получился набор.
Редактируем файл config.ovpn.
client
dev tun
proto udp
remote internet-lab.ru 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\Program Files\OpenVPN\config\ca.crt"
cert "C:\Program Files\OpenVPN\config\client.crt"
key "C:\Program Files\OpenVPN\config\client.key"
tls-auth "C:\Program Files\OpenVPN\config\ta.key" 1
#dh "C:\Program Files\OpenVPN\config\dh2048.pem"
cipher AES-256-CBC
comp-lzo
verb 0
connect-retry-max 25Здесь указываем пути к ключам и сертификатам клиента. Не забываем про адрес и порт сервера, куда подключаться, для примера я указал internet-lab.ru UDP 1194.
Отправляем подготовленные файлы на компьютер клиента и копируем в C:Program FilesOpenVPNconfig.
На клиента запускаем OpenVPN GUI.
В трее появляется значок OpenVPN.
Правой кнопкой — подключиться.
Устанавливается соединение.
Значок позеленел, назначен адрес 10.8.0.6.
Можно подключаться к серверу, если есть доступы.
Для второго и последующего клиента генерируем свой набор клиентских сертификатов.
Отзыв сертификата
Иногда нужно отозвать сертификат, выданный клиенту. Кто-то увольняется, кто-то палит сертификаты.
cd "C:Program FilesOpenVPNeasy-rsa"
vars.bat
revoke-full clientГде client — это имя клиента.
В папке C:Program FilesOpenVPNkeys появляется файл:
- crl.pem
Копируем его с заменой в рабочую директорию сервера C:Program FilesOpenVPNssl.
Добавляем строчку в конфигурационный файл сервера:
crl-verify "C:\Program Files\OpenVPN\keys\crl.pem" Перезапускаем службу OpenVPN сервера.
net stop OpenVPNService
net start OpenVPNServiceЕсли в конфигурационном файле уже был ранее указан путь к crl.pem, то службу можно не перезапускать, OpenVPN перечитывает CRL один раз в час. Но в течении этого часа клиенты с отозванными сертификатами смогут продолжать подключаться и работать.
Для клиента с отозванным сертификатом процесс подключения будет «зависать». В логе можно увидеть:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) TLS Error: TLS handshake failed
Чтобы клиент не стучался постоянно на сервер, у него в конфиге есть опция:
connect-retry-max 25Передать эту опцию при отзыве сертификата нельзя, поэтому указывайте её всем клиентам заранее.
Ссылки
OpenVPN 2.5.1 сервер на Windows
Содержание
- OpenVPN 2.5.1 сервер на Windows
- Установка OpenVPN Server
- Создание ключей и сертификатов
- Настройка OpenVPN сервера
- Запуск OpenVPN сервера
- Настройка firewall
- Настройка OpenVPN клиента на ПК Windows
- Настройка OpenVPN клиента на смартфоне Android
- Community Downloads
- Overview of changes since OpenVPN 2.4
- Faster connections
- Crypto specific changes
- Server-side improvements
- Network-related changes
- Linux-specific features
- Windows-specific features
- Important notices
- BF-CBC cipher is no longer the default
- Connectivity to some VPN service provider may break
- Linux packages are available from
- Useful resources
- Overview of changes since OpenVPN 2.4
- Faster connections
- Crypto specific changes
- Server-side improvements
- Network-related changes
- Linux-specific features
- Windows-specific features
- Important notices
- BF-CBC cipher is no longer the default
- Connectivity to some VPN service provider may break
- Linux packages are available from
- Useful resources
- Overview of changes since OpenVPN 2.4
- Faster connections
- Crypto specific changes
- Server-side improvements
- Network-related changes
- Linux-specific features
- Windows-specific features
- Important notices
- BF-CBC cipher is no longer the default
- Connectivity to some VPN service provider may break
- Linux packages are available from
- Windows ARM64 installers
- Useful resources
- Overview of changes since OpenVPN 2.4
- Faster connections
- Crypto specific changes
- Server-side improvements
- Network-related changes
- Linux-specific features
- Windows-specific features
- Important notices
- BF-CBC cipher is no longer the default
- Connectivity to some VPN service provider may break
- Linux packages are available from
- Windows ARM64 installers
- Useful resources
- Overview of changes since OpenVPN 2.4
- Faster connections
- Crypto specific changes
- Server-side improvements
- Network-related changes
- Linux-specific features
- Windows-specific features
- Important notices
- BF-CBC cipher is no longer the default
- Connectivity to some VPN service provider may break
- Linux packages are available from
- Useful resources
OpenVPN 2.5.1 сервер на Windows
Вчера обнаружил, что на мой домашний сервер пытаются подобрать пароль к RDP. Спросил наших безопасников с работы, да, порт сканировали, но пароль подбирают не они. Надо что-то делать с этим, и я даже знаю что.
Ударим шифрованием по злобным брутфорсерам! Ставим OpenVPN 2.5.1 сервер на Windows Server 2016.
Установка OpenVPN Server
Скачиваем дистрибутив для установки OpenVPN:
Доступна версия OpenVPN 2.5.1. Скачиваю Windows 64-bit MSI installer, файл OpenVPN-2.5.1-I601-amd64.msi.
Запускаем инсталлятор OpenVPN.
Открывается мастер установки, предлагают выбрать тип установки, естественно, нажимаем Customize. Установка по умолчанию нас не устроит.
OpenVPN GUI отключаю. Мне нужно, чтобы OpenVPN на сервере работал автоматически.
А OpenVPN Service, наоборот, включаю. OpenVPN у меня будет работать как служба Windows.
Документацию и примеры конфигурации оставляю. Конфигурационные примеры будут использоваться в качестве шаблонов.
Начиная с версии OpenVPN 2.5 появилась поддержка драйвера WinTUN от разработчиков WireGuard. Говорят, что работает быстрее чем TAP-Windows6. Поэтому драйвер TAP-Windows6 отключаю и включаю Wintun.
ПРИМЕЧАНИЕ: для включения драйвера Wintun необходимо в файле конфигурации сервера включить параметр:
Утилиты OpenSSL EasyRSA 3 Certificate Management Scripts включаю. Install Now.
Начинается процесс установки OpenVPN.
Установка успешно завершена. Close.
Установка выполнена в директорию C:Program FilesOpenVPN.
После установки у нас появляется новый сетевой адаптер Wintun Userspace Tunnel.
Создание ключей и сертификатов
Запускаем командную строку под администратором и переходим в рабочую директорию C:Program FilesOpenVPNeasy-rsa.
В этой папке есть всё необходимое для генерации сертификатов.
Для работы в Windows нас интересует файл EasyRSA-Start.bat.
Запускается оболочка EasyRSA Shell.
Инициализируем новую конфигурацию:
Появляется новая директория C:Program FilesOpenVPNeasy-rsapki.
Генерируем ключ и сертификат центра сертификации. Внимание, сейчас мы наступим на грабли, исправим ошибку и снова вернёмся к генерации файлов для центра сертификации.
Нас попросят для раза ввести пароль. Придумываем и вводим.
Failed create CA private key
Исправим этот баг. Мне не совсем понятно, почему нельзя было всё сделать сразу по-человечески, чтобы люди не встречали эту ошибку. Копируем файл C:Program FilesOpenVPNeasy-rsavars.example, называем копию C:Program FilesOpenVPNeasy-rsavars.
Редактируем C:Program FilesOpenVPNeasy-rsavars. В данном файле можно много чего прописать, но я не буду на этом сейчас останавливаться подробно. Находим строку:
Собственно, ошибка и заключалась в том, что оболочка по какой-то причине не могла создать временный файл.
Генерируем ключ и сертификат центра сертификации:
Нас попросят для раза ввести пароль. Придумываем и вводим. После нас просят указать Common Name для центра сертификации, указываю «internet-lab.ru».
Операция проходит успешно.
Создаётся сертификат центра сертификации:
Сертификат создаётся на 10 лет, это значение можно переопределить в файле vars.
И ключ центра сертификации:
Ключ секретный, никому не показываем. он будет храниться на сервере.
Генерируем ключ и запрос на сертификат сервера, назовём сервер именем «server«:
Нас просят указать Common Name для сервера, указываю «internet-lab.ru».
Операция проходит успешно.
Создаётся запрос на сертификат сервера:
Ключ секретный, никому не показываем. он будет храниться на сервере.
Для создания сертификата сервера нужно подписать запрос на сертификат:
Для подписи нужно ввести слово «yes» и указать пароль от центра сертификации.
Создаётся сертификат сервера:
Сертификат сервера создаётся на 825 дней, это значение можно переопределить в файле vars.
Теперь создадим клиентский сертификат. По хорошему клиентский ключ следует запаролить, чтобы исключить утечку при передаче. Для этого есть несколько способов.
Первый
На клиентской машине генерируем запрос на сертификат клиента и ключ без пароля:
Второй
а машине с CA генерируем сертификат клиента и ключ с паролем:
Третий
Но поскольку я генерирую ключ сам для себя, то воспользуюсь небезопасным третьим способом.
Генерируем ключ и запрос на сертификат клиента, назовём клиента именем «client«:
Нас просят указать Common Name для клиента, указываю «v.pupkin».
Операция проходит успешно.
Создаётся запрос на сертификат клиента:
Для создания сертификата клиента нужно подписать запрос на сертификат:
Для подписи нужно ввести слово «yes» и указать пароль от центра сертификации.
Создаётся сертификат клиента:
Сертификат сервера создаётся на 825 дней, это значение можно переопределить в файле vars.
Генерируем ключ Диффи-Хеллмана:
Операция займёт некоторое время.
Я на сервере собираюсь использовать tls-auth для дополнительной проверки целостности, это обеспечит дополнительный уровень безопасности протокола SSL/TLS при создании соединения:
При использовании tls-auth на клиенте не понадобится ключ Диффи-Хеллмана, но пусть будет. Генерируем ключ tls-auth. Для этого запускаем командную строку под администратором и выполняем:
В папке C:Program FilesOpenVPNbin создаётся файл ta.key.
Переносим его в папку C:Program FilesOpenVPNeasy-rsapki.
Минимальный набор сертификатов сгенерирован.
Настройка OpenVPN сервера
Создадим конфигурационный файл сервера C:Program FilesOpenVPNconfig-autoserver.ovpn:
Открываем блокнотом и редактируем:
Лучше изучить конфигурационный файл, я предлагаю свой вариант конфига:
У меня здесь указаны пути к ключам и сертификатам, используется порт TCP 1194. Параметр duplicate-cn позволяет подключаться всем клиентам по одному общему сертификату, но это небезопасно и не рекомендуется. Используйте только в тестовых целях. Я использую для того, чтобы с помощью одного и того же сертификата подключиться к OpenVPN серверу и с клиентской машины и со смартфона. Параметр windows-driver wintun подключает использование драйвера WinTun. И что им стоило этот параметр указать в примере конфигурации? Остальное по умолчанию.
ВНИМАНИЕ: в конфигурационных файлах допускается в путях использование прямого слеша:
ca «C:/Program Files/OpenVPN/easy-rsa/pki/ca.crt»
или двойного обратного слеша:
ca «C:\Program Files\OpenVPN\easy-rsa\pki\ca.crt»
Запуск OpenVPN сервера
Переходим к службам:
Находим службу OpenVPNService.
Настраиваем на автоматический запуск при загрузке сервера.
Запускаем (перезапускаем) службу.
Согласно настройкам сервера в папке C:Program FilesOpenVPNlog должны появиться логи. Это один из инструментов администратора OpenVPN сервера.
Активировался сетевой адаптер OpenVPN Wintun.
Согласно настройкам сервера IP адрес 10.8.0.1.
Проверяем поднялся ли порт tcp 1194:
Порт должен прослушиваться.
Настройка firewall
Теперь нужно настроить firewall. Открываем Windows Defender Firewall with Advanced Security.
Переходим в Inbound Rules.
Создаём правило — New Rule.
Тип правила — Port. Next.
Протоколы и порты — TCP 1194. Как в настройках сервера. Next.
Действия — Allow the connection. Next.
Для всех сетей. Next.
Указываем название правила — OpenVPN. Next.
Правило создано, теперь firewall не блокирует входящие TCP соединения на 1194 порту.
Настройка OpenVPN клиента на ПК Windows
На компьютере клиента устанавливаем OpenVPN Connect.
Я скачиваю версию для Windows.
Принимаем лицензионное соглашение. Next.
OpenVPN Connect устанавливается.
Установка завершена. Finish.
На рабочем столе появляется иконка OpenVPN Connect.
На сервере файл примера конфигурации client.ovpn копируем как internet-lab.ru.ovpn.
Здесь нужно указать протокол, порт адрес сервера и прочие параметры. Пути к ключам и сертификатам относительные.
Создаём директорию, например, C:openvpn. Копируем в неё с сервера файлы:
Запускаем OpenVPN Connect.
Agree. Переключаемся на File.
Перетаскиваем мышкой в окно файл C:openvpninternet-lab.ru.ovpn, или указываем через кнопку Browse.
Ставим галку «Connect after import».
Соединение с OpenVPN сервером установлено.
В логах сервера видим, что соединился юзер v.pupkin.
Настройка OpenVPN клиента на смартфоне Android
Копируем на телефон все те же файлы, что и для клиента.
Источник
Source tarball (gzip)
Source tarball (xz)
Source zip
Windows 32-bit MSI installer
Windows 64-bit MSI installer
Windows ARM64 MSI installer
Overview of changes since OpenVPN 2.4
Faster connections
Crypto specific changes
Server-side improvements
Linux-specific features
Windows-specific features
Important notices
BF-CBC cipher is no longer the default
Connectivity to some VPN service provider may break
Linux packages are available from
Useful resources
The OpenVPN community project team is proud to release OpenVPN 2.5.3. Besides a number of small improvements and bug fixes, this release fixes a possible security issue with OpenSSL config autoloading on Windows (CVE-2022-3606). Updated OpenVPN GUI is also included in Windows installers.
Source tarball (gzip)
Source tarball (xz)
Source zip
Windows 32-bit MSI installer
Windows 64-bit MSI installer
Windows ARM64 MSI installer
Overview of changes since OpenVPN 2.4
Faster connections
Crypto specific changes
Server-side improvements
Linux-specific features
Windows-specific features
Important notices
BF-CBC cipher is no longer the default
Connectivity to some VPN service provider may break
Linux packages are available from
Useful resources
The OpenVPN community project team is proud to release OpenVPN 2.5.2. It fixes two related security vulnerabilities (CVE-2020-15078) which under very specific circumstances allow tricking a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with «—auth-gen-token» or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account. OpenVPN 2.5.2 also includes other bug fixes and improvements. Updated OpenSSL and OpenVPN GUI are included in Windows installers.
Source tarball (gzip)
Source tarball (xz)
Source zip
Windows 32-bit MSI installer
Windows 64-bit MSI installer
Overview of changes since OpenVPN 2.4
Faster connections
Crypto specific changes
Server-side improvements
Linux-specific features
Windows-specific features
Important notices
BF-CBC cipher is no longer the default
Connectivity to some VPN service provider may break
Linux packages are available from
Windows ARM64 installers
Our MSI installer do not currently support the Windows ARM64 platform. You need to use our NSI-based snapshot installers from here. We recommend using the latest installer that matches one of these patterns:
Useful resources
The OpenVPN community project team is proud to release OpenVPN 2.5.1. It includes several bug fixes and improvements as well as updated OpenSSL and OpenVPN GUI for Windows.
Source tarball (gzip)
Source tarball (xz)
Source zip
Windows 32-bit MSI installer
Windows 64-bit MSI installer
Overview of changes since OpenVPN 2.4
Faster connections
Crypto specific changes
Server-side improvements
Linux-specific features
Windows-specific features
Important notices
BF-CBC cipher is no longer the default
Connectivity to some VPN service provider may break
Linux packages are available from
Windows ARM64 installers
Our MSI installer do not currently support the Windows ARM64 platform. You need to use our NSI-based snapshot installers from here. We recommend using the latest installer that matches one of these patterns:
Useful resources
The OpenVPN community project team is proud to release OpenVPN 2.5.0 which is a new major release with many new features.
Source tarball (gzip)
Source tarball (xz)
Source zip
Windows 32-bit MSI installer
Windows 64-bit MSI installer
Overview of changes since OpenVPN 2.4
Faster connections
Crypto specific changes
Server-side improvements
Linux-specific features
Windows-specific features
Important notices
BF-CBC cipher is no longer the default
Connectivity to some VPN service provider may break
Linux packages are available from
Useful resources
The OpenVPN community project team is proud to release OpenVPN 2.4.11. It fixes two related security vulnerabilities (CVE-2020-15078) which under very specific circumstances allow tricking a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. This release also includes other bug fixes and improvements. The I602 Windows installers fix a possible security issue with OpenSSL config autoloading on Windows (CVE-2022-3606). Updated OpenSSL and OpenVPN GUI are included in Windows installers.
Source Tarball (gzip)
Source Tarball (xz)
Source Zip
Windows 7/8/8.1/Server 2012r2 installer (NSIS)
Windows 10/Server 2016/Server 2019 installer (NSIS)
A summary of the changes is available in Changes.rst, and a full list of changes is available here.
Please note that LibreSSL is not a supported crypto backend. We accept patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions of LibreSSL break API compatibility we do not take responsibility to fix that.
Also note that Windows installers have been built with NSIS version that has been patched against several NSIS installer code execution and privilege escalation problems. Based on our testing, though, older Windows versions such as Windows 7 might not benefit from these fixes. We thus strongly encourage you to always move NSIS installers to a non-user-writeable location before running them.
Please note that OpenVPN 2.4 installers will not work on Windows XP. The last OpenVPN version that supports Windows XP is 2.3.18, which is downloadable as 32-bit and 64-bit versions.
If you find a bug in this release, please file a bug report to our Trac bug tracker. In uncertain cases please contact our developers first, either using the openvpn-devel mailinglist or the developer IRC channel (#openvpn-devel at irc.libera.chat). For generic help take a look at our official documentation, wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at irc.libera.chat).
Important: you will need to use the correct installer for your operating system. The Windows 10 installer works on Windows 10 and Windows Server 2016/2019. The Windows 7 installer will work on Windows 7/8/8.1/Server 2012r2. This is because of Microsoft’s driver signing requirements are different for kernel-mode devices drivers, which in our case affects OpenVPN’s tap driver (tap-windows6).
This is primarily a maintenance release with bugfixes and small improvements. Windows installers include the latest OpenSSL version (1.1.1i) which includes security fixes.
A summary of the changes is available in Changes.rst, and a full list of changes is available here.
Please note that LibreSSL is not a supported crypto backend. We accept patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions of LibreSSL break API compatibility we do not take responsibility to fix that.
Also note that Windows installers have been built with NSIS version that has been patched against several NSIS installer code execution and privilege escalation problems. Based on our testing, though, older Windows versions such as Windows 7 might not benefit from these fixes. We thus strongly encourage you to always move NSIS installers to a non-user-writeable location before running them.
Please note that OpenVPN 2.4 installers will not work on Windows XP. The last OpenVPN version that supports Windows XP is 2.3.18, which is downloadable as 32-bit and 64-bit versions.
If you find a bug in this release, please file a bug report to our Trac bug tracker. In uncertain cases please contact our developers first, either using the openvpn-devel mailinglist or the developer IRC channel (#openvpn-devel at irc.libera.chat). For generic help take a look at our official documentation, wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at irc.libera.chat).
Important: you will need to use the correct installer for your operating system. The Windows 10 installer works on Windows 10 and Windows Server 2016/2019. The Windows 7 installer will work on Windows 7/8/8.1/Server 2012r2. This is because of Microsoft’s driver signing requirements are different for kernel-mode devices drivers, which in our case affects OpenVPN’s tap driver (tap-windows6).
Source Tarball (gzip)
Source Tarball (xz)
Source Zip
Windows 7/8/8.1/Server 2012r2 installer (NSIS)
Windows 10/Server 2016/Server 2019 installer (NSIS)
Instructions for verifying the signatures are available here.
This release is also available in our own software repositories for Debian and Ubuntu, Supported architectures are i386 and amd64. For details. look here.
This is primarily a maintenance release with bugfixes and improvements. This release also fixes a security issue (CVE-2020-11810, trac #1272) which allows disrupting service of a freshly connected client that has not yet not negotiated session keys. The vulnerability cannot be used to inject or steal VPN traffic.
A summary of the changes is available in Changes.rst, and a full list of changes is available here.
Please note that LibreSSL is not a supported crypto backend. We accept patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions of LibreSSL break API compatibility we do not take responsibility to fix that.
Also note that Windows installers have been built with NSIS version that has been patched against several NSIS installer code execution and privilege escalation problems. Based on our testing, though, older Windows versions such as Windows 7 might not benefit from these fixes. We thus strongly encourage you to always move NSIS installers to a non-user-writeable location before running them. We are moving to MSI installers in OpenVPN 2.5, but OpenVPN 2.4.x will remain NSIS-only.
OpenVPN GUI bundled with the Windows installer has a large number of new features compared to the one bundled with OpenVPN 2.3. One of major features is the ability to run OpenVPN GUI without administrator privileges. For full details, see the changelog. The new OpenVPN GUI features are documented here.
Please note that OpenVPN 2.4 installers will not work on Windows XP. The last OpenVPN version that supports Windows XP is 2.3.18, which is downloadable as 32-bit and 64-bit versions.
If you find a bug in this release, please file a bug report to our Trac bug tracker. In uncertain cases please contact our developers first, either using the openvpn-devel mailinglist or the developer IRC channel (#openvpn-devel at irc.libera.chat). For generic help take a look at our official documentation, wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at irc.libera.chat).
Important: you will need to use the correct installer for your operating system. The Windows 10 installer works on Windows 10 and Windows Server 2016/2019. The Windows 7 installer will work on Windows 7/8/8.1/Server 2012r2. This is because of Microsoft’s driver signing requirements are different for kernel-mode devices drivers, which in our case affects OpenVPN’s tap driver (tap-windows6).
Source Tarball (gzip)
Source Tarball (xz)
Source Zip
Windows 7/8/8.1/Server 2012r2 installer (NSIS)
Windows 10/Server 2016/Server 2019 installer (NSIS)
NOTE: the GPG key used to sign the release files has been changed since OpenVPN 2.4.0. Instructions for verifying the signatures, as well as the new GPG public key are available here.
We also provide static URLs pointing to latest releases to ease automation. For a list of files look here.
This release is also available in our own software repositories for Debian and Ubuntu, Supported architectures are i386 and amd64. For details. look here.
You can use EasyRSA 2 or EasyRSA 3 for generating your own certificate authority. The former is bundled with Windows installers. The latter is a more modern alternative for UNIX-like operating systems.
This is primarily a maintenance release with bugfixes and improvements. The Windows installers (I601) have several improvements compared to the previous release:
A summary of the changes is available in Changes.rst, and a full list of changes is available here.
Please note that LibreSSL is not a supported crypto backend. We accept patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions of LibreSSL break API compatibility we do not take responsibility to fix that.
Also note that Windows installers have been built with NSIS version that has been patched against several NSIS installer code execution and privilege escalation problems. Based on our testing, though, older Windows versions such as Windows 7 might not benefit from these fixes. We thus strongly encourage you to always move NSIS installers to a non-user-writeable location before running them. We are moving to MSI installers in OpenVPN 2.5, but OpenVPN 2.4.x will remain NSIS-only.
OpenVPN GUI bundled with the Windows installer has a large number of new features compared to the one bundled with OpenVPN 2.3. One of major features is the ability to run OpenVPN GUI without administrator privileges. For full details, see the changelog. The new OpenVPN GUI features are documented here.
Please note that OpenVPN 2.4 installers will not work on Windows XP. The last OpenVPN version that supports Windows XP is 2.3.18, which is downloadable as 32-bit and 64-bit versions.
If you find a bug in this release, please file a bug report to our Trac bug tracker. In uncertain cases please contact our developers first, either using the openvpn-devel mailinglist or the developer IRC channel (#openvpn-devel at irc.libera.chat). For generic help take a look at our official documentation, wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at irc.libera.chat).
Important: you will need to use the correct installer for your operating system. The Windows 10 installer works on Windows 10 and Windows Server 2016/2019. The Windows 7 installer will work on Windows 7/8/8.1/Server 2012r2. This is because of Microsoft’s driver signing requirements are different for kernel-mode devices drivers, which in our case affects OpenVPN’s tap driver (tap-windows6).
Source Tarball (gzip)
Source Tarball (xz)
Source Zip
Windows 7/8/8.1/Server 2012r2 installer (NSIS)
Windows 10/Server 2016/Server 2019 installer (NSIS)
NOTE: the GPG key used to sign the release files has been changed since OpenVPN 2.4.0. Instructions for verifying the signatures, as well as the new GPG public key are available here.
We also provide static URLs pointing to latest releases to ease automation. For a list of files look here.
This release is also available in our own software repositories for Debian and Ubuntu, Supported architectures are i386 and amd64. For details. look here.
You can use EasyRSA 2 or EasyRSA 3 for generating your own certificate authority. The former is bundled with Windows installers. The latter is a more modern alternative for UNIX-like operating systems.
This is primarily a maintenance release with bugfixes and improvements. One of the big things is enhanced TLS 1.3 support. A summary of the changes is available in Changes.rst, and a full list of changes is available here.
Please note that LibreSSL is not a supported crypto backend. We accept patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions of LibreSSL break API compatibility we do not take responsibility to fix that.
Also note that Windows installers have been built with NSIS version that has been patched against several NSIS installer code execution and privilege escalation problems. Based on our testing, though, older Windows versions such as Windows 7 might not benefit from these fixes. We thus strongly encourage you to always move NSIS installers to a non-user-writeable location before running them. We are moving to MSI installers in OpenVPN 2.5, but OpenVPN 2.4.x will remain NSIS-only.
OpenVPN GUI bundled with the Windows installer has a large number of new features compared to the one bundled with OpenVPN 2.3. One of major features is the ability to run OpenVPN GUI without administrator privileges. For full details, see the changelog. The new OpenVPN GUI features are documented here.
Please note that OpenVPN 2.4 installers will not work on Windows XP. The last OpenVPN version that supports Windows XP is 2.3.18, which is downloadable as 32-bit and 64-bit versions.
If you find a bug in this release, please file a bug report to our Trac bug tracker. In uncertain cases please contact our developers first, either using the openvpn-devel mailinglist or the developer IRC channel (#openvpn-devel at irc.libera.chat). For generic help take a look at our official documentation, wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at irc.libera.chat).
Important: you will need to use the correct installer for your operating system. The Windows 10 installer will not work on Windows 7/8/8.1/Server 2012r2. This is because Microsoft’s driver signing requirements and tap-windows6. For the same reason you need to use an older installer with Windows Server 2016. This older installer has a local privilege escalation vulnerability issue which we cannot resolve for Windows Server 2016 until tap-windows6 passes the HLK test suite on that platform. In the meanwhile we recommend Windows Server 2016 users to avoid installing OpenVPN/tap-windows6 driver on hosts where all users can’t be trusted. Users of Windows 7-10 and Server 2012r2 are recommended to update to latest installers as soon as possible.
Source Tarball (gzip)
Source Tarball (xz)
Source Zip
Windows 7/8/8.1/Server 2012r2 installer (NSIS)
Windows 10 installer (NSIS)
Windows Server 2016 installer (NSIS)
NOTE: the GPG key used to sign the release files has been changed since OpenVPN 2.4.0. Instructions for verifying the signatures, as well as the new GPG public key are available here.
We also provide static URLs pointing to latest releases to ease automation. For a list of files look here.
This release is also available in our own software repositories for Debian and Ubuntu, Supported architectures are i386 and amd64. For details. look here.
You can use EasyRSA 2 or EasyRSA 3 for generating your own certificate authority. The former is bundled with Windows installers. The latter is a more modern alternative for UNIX-like operating systems.
This is primarily a maintenance release with minor bugfixes and improvements, and one security relevant fix for the Windows Interactive Service. Windows installer includes updated OpenVPN GUI and OpenSSL. Installer I601 included tap-windows6 driver 9.22.1 which had one security fix and dropped Windows Vista support. However, in installer I602 we had to revert back to tap-windows 9.21.2 due to driver getting reject on freshly installed Windows 10 rev 1607 and later when Secure Boot was enabled. The failure was due to the new, more strict driver signing requirements. The 9.22.1 version of the driver is in the process of getting approved and signed by Microsoft and will be bundled in an upcoming Windows installer.
Please note that LibreSSL is not a supported crypto backend. We accept patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if newer versions of LibreSSL break API compatibility we do not take responsibility to fix that.
Also note that Windows installers have been built with NSIS version that has been patched against several NSIS installer code execution and privilege escalation problems. Based on our testing, though, older Windows versions such as Windows 7 might not benefit from these fixes. We thus strongly encourage you to always move NSIS installers to a non-user-writeable location before running them. Our long-term plan is to migrate to using MSI installers instead.
A summary of the changes is available in Changes.rst, and a full list of changes is available here.
OpenVPN GUI bundled with the Windows installer has a large number of new features compared to the one bundled with OpenVPN 2.3. One of major features is the ability to run OpenVPN GUI without administrator privileges. For full details, see the changelog. The new OpenVPN GUI features are documented here.
Please note that OpenVPN 2.4 installers will not work on Windows XP.
If you find a bug in this release, please file a bug report to our Trac bug tracker. In uncertain cases please contact our developers first, either using the openvpn-devel mailinglist or the developha er IRC channel (#openvpn-devel at irc.libera.chat). For generic help take a look at our official documentation, wiki, forums, openvpn-users mailing list and user IRC channel (#openvpn at irc.libera.chat).
Source Tarball (gzip)
Source Tarball (xz)
Source Zip
Windows installer (NSIS)
NOTE: the GPG key used to sign the release files has been changed since OpenVPN 2.4.0. Instructions for verifying the signatures, as well as the new GPG public key are available here.
We also provide static URLs pointing to latest releases to ease automation. For a list of files look here.
This release is also available in our own software repositories for Debian and Ubuntu, Supported architectures are i386 and amd64. For details. look here.
You can use EasyRSA 2 or EasyRSA 3 for generating your own certificate authority. The former is bundled with Windows installers. The latter is a more modern alternative for UNIX-like operating systems.
Источник
Скачать Windows Server
Скачать официальные дистрибутивы Windows Server от Windows Server 2008, до 2019.
Windows Server — семейство операционных систем от Microsoft прежде всего для серверных компьютеров, содержит в себе решения для корпоративных серверных задач. Предоставляет в себе облачные сервисы, виртуализацию, построение сетей, защиту информации и т.п. В нашем каталоге можете скачать следующие редакции Windows Server:
— Windows Server 2022 Standard
— Windows Server 2022 Datacenter
— Windows Server 2019 Standard
— Windows Server 2019 Datacenter
— Windows Server 2016 Standard
— Windows Server 2016 Datacenter
— Windows Server 2012 R2 Standard
— Windows Server 2012 R2 Datacenter
— Windows Server 2008 R2 Standard
— Windows Server 2008 R2 Datacenter
— Windows Server 2008 R2 Enterprise
Купить лицензионные ключи для Windows Server
В интернет-магазине SoftComputers Вы можете приобрети лицензионные ключи активации к дистрибутиву Windows Server. После оплаты моментально, в автоматическом режиме Вы получите лицензионный ключ на Вашу электронную почту.
Но мало того, что у нас дешевые ключи, но еще Вы их можете оплатить в пару кликов мышкой. Наш магазин поддерживает все популярные виды электронных платежей и Вы определенно сможете подобрать самый удобный для Вас вариант!
In this blog I am sharing how I upgraded my Windows Server 2016 Hyper-V host that been running an Intel NUC for a solid 3 years now to Windows Server 2019. Before anything else I’m taking my collecting my current server info (reference link: here)
- Open a command prompt and type systeminfo.exe.
- Copy, paste the info to a notepad or OneNote save to another device or storage other than the machine that will be upgrading.
- Type ipconfig /all and take note of the IP settings.
- Open the Registry Editor this this hive:
HKLMSOFTWAREMicrosoftWindows NTCurrentVersionand take note the Windows Server BuildLabEx (version) and EditionID (edition).
It’s also worth the trouble to that we backup the operating system, apps, and virtual machines.
As you can see above, we can’t have any virtual machines running during the in-place upgrade process, so we have to make sure that they are turned off.
Now, after this checklist are met, it’s time to launch the Windows Server 2019 installer.
If you are prompted a UAC – click Yes.
The next screen will ask for either Download updates, drivers and optional features (recommended) or Not right now options, if your device is internet-connected you may select the first option and then select Next.
Enter your Windows Server 2019 Product, in this example I have a Standard License (you won’t see any Datacenter options here).
I selected the Windows Server 2019 Standard (Desktop Experience) then clicked Next.
Select Accept to accept the terms of your licensing agreement
On the next screen you may select to Keep your personal files and apps or just wipe everything, I have chosen the keep my files, then I clicked Next.
The setup will then analyzes the device and will call your attention if needed (same in the example above of the running VMs), once all is good to go it will prompt you to proceed with the Installation.
Click install to proceed.
After the upgrade is completed, verify that the upgrade to Windows Server 2019 was successful by going the the System Properties.
Now this Windows Server 2019 is ready.
Задача: Проработать обновление Windows Server 2016 до Windows Server 2019
Как по мне использовать обновление серверной операционной системы Windows с одного релиза на другой с установленными сервисами – это обрекать себя на получение дополнительных проблем и порой не понимания, а почему сервисы перестали работать. Уж лучше развернуть их заново с нуля по своим наработкам, да долго и время, но так Вы будете уверены, что работает как нужно. Я хочу в тестовых условиях под Debian 10 + Proxmox 6 проработать процедуру обновления виртуальной машины Windows Server 2016 Standard установленной из образа: SW_DVD9_Win_Server_STD_CORE_2016_64Bit_English_-4_DC_STD_MLF_X21-70526.ISO. Возможно и буду использовать данную заметку, а возможно и нет, все решит случай.
Требования:
RAM: не менее 4GbHDD: на логическом диске C: должно быть свободно не менее 40GbEth: потребуется выход в интернет или доступ к WSUS сервису для выкачивания обновлений.Права локального администратора в системеСлужба Windows Updates должна быть включена
Шаг №1: Запускаю VM srv-s2016 под Debian 10 + Proxmox 6
Шаг №2: Копирую дистрибутив Windows Server 2019 в систему.
У меня в моей локальной сети есть ресурс где лежат книги, программы, образа. С этого ресурса копирую образ Windows Server 2019 Std (SW_DVD9_Win_Server_STD_CORE_2019_1809.18_64Bit_English_DC_STD_MLF_X22-74330.ISO)
Шаг №3: Проверяю, что VM той редакции, которая нужна:
|
C:Windowssystem32>reg query «HKLMSOFTWAREMicrosoftWindows NTCurrentVersion» /v EditionID HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion EditionID REG_SZ ServerStandard C:Windowssystem32>systeminfo | findstr /I «OS Name» Host Name: WIN—AAURVT4CB0C OS Name: Microsoft Windows Server 2016 Standard OS Version: 10.0.14393 N/A Build 14393 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Server OS Build Type: Multiprocessor Free BIOS Version: SeaBIOS rel—1.14.0—0—g155821a1990b—prebuilt.qemu.org, 4/1/2014 Time Zone: (UTC+03:00) Moscow, St. Petersburg, Volgograd Connection Name: Ethernet |
Все правильно.
Шаг №4: Распаковываю образ Windows Server 2019 Std, понадобится архиватор 7zip и запускаю процедуру обновления:
Запускаю C:SoftSW_DVD9_Win_Server_STD_CORE_2019_1809.18_64Bit_English_DC_STD_MLF_X22-74330setup.exe – Run as Administrator — выбираю вариант "Download updates, drivers and optional features (recommended) / Скачать обновления, драйверы и дополнительные компоненты (рекомендуется)"
I want to help make the installation for Windows better Privacy statement: снимаю галочку
И нажимаю Next
Выбираю выпуск Windows Server 2019 который в итоге будет, для меня это Windows Server 2019 Standard (Desktop Experience) и нажимаю Next
Нажимаю Accept
Choose what to keep: выбираю Keep personal files and apps (Сохранить личные файлы и приложения)
И нажимаю Next
Ожидаю, идет проверка
Getting updates
This may take a few minutes.
В итоге проверка завершается успешно, и установщик готов приступить
Ready to install
You won’t be able to use your PC while Windows installs. Save and close your files before you begin.
To recap, you’ve chosen to:
И нажимаю Install
Система по завершении самостоятельно отправится в перезагрузку
Вот что я получил в консоли Proxmox по этой VM, когда наблюдал за процессом обновления, но после снова продолжился процесс обновления как ни в чем не бывало.
Шаг №5: Система загрузилась, и я проверяю какая сейчас редакция:
|
C:UsersAdministrator>systeminfo | findstr /I «OS Name» Host Name: WIN—AAURVT4CB0C OS Name: Microsoft Windows Server 2019 Standard OS Version: 10.0.17763 N/A Build 17763 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Server OS Build Type: Multiprocessor Free BIOS Version: SeaBIOS rel—1.14.0—0—g155821a1990b—prebuilt.qemu.org, 4/1/2014 Time Zone: (UTC+03:00) Moscow, St. Petersburg Connection Name: Ethernet |
Отлично в тестовых условиях процесс обновления прошел успешно, а что до боевого, ну знаете я, пожалуй, пасс. Лучше работающий сервис чем после обновления не работающий вовсе. На этом заметка завершена, с уважением автор блога Олло Александр aka ekzorchik.
Windows Server 2019 is the operating system that bridges on-premises environments with Azure services enabling hybrid scenarios maximizing existing investments. Increase security and reduce business risk with multiple layers of protection built into the operating system. Evolve your datacenter infrastructure to achieve greater efficiency and scale with Hyper-converged Infrastructure. Windows Server 2019 also enables you to create cloud native and modernize traditional apps using containers and micro-services. For more details, check out the Windows Server Website.
In addition to downloading the ISO, run Windows Server on Azure. Azure provides a great way to test Windows Server 2019 with pre-built images.
Choose an edition and an installation option:
Customers who download the full ISO will need to choose an edition and an installation option. This ISO evaluation is for the Datacenter and Standard editions. The Datacenter edition is the most complete edition and includes the new Datacenter-specific features (Shielded Virtual Machines, Storage Spaces Direct, and Software-Defined Networking) in addition to unlimited server virtualization.
Installation options:
- Server Core: This is the recommended installation option. It’s a smaller installation that includes the core components of Windows Server and supports all server roles but does not include a local graphical user interface (GUI). It is used for “headless” deployments which are managed remotely through Windows Admin Center, PowerShell, or other server management tools.
- Server with Desktop Experience: This is the complete installation and includes a full GUI for customers who prefer this option.
Before you begin your evaluation, be sure to check out What’s new in Windows Server 2019.
When you complete your evaluation, you can convert your evaluation versions to retail. Also, check out our technical documentation to learn how to upgrade or migrate your other existing servers to Windows Server 2022.
Languages:
- Chinese (Simplified), English, French, German, Italian, Japanese, Russian, Spanish
Evaluation Options:
- Windows Server 2019 on Microsoft Azure
- Windows Server 2019 | 64-bit ISO
- Windows Server 2019 | 64-bit VHD
- Review Windows Server 2019 release notes and system requirements.
- Register, then download and install. (Note: This evaluation edition expires in 180 days.)
- Receive emails with resources to guide you through your evaluation.
Installation Guidelines
After installation, install the latest servicing package.
- Go to: Microsoft update catalog and search for «Windows Server 2019”.
- Evaluation versions of Windows Server must activate over the internet in the first 10 days to avoid automatic shutdown.
WinServer 2016 действительно можно использовать как обычную настольную ОС. Вы должны включать и отключать определенные вещи, но обязательно. Раньше я использовал Server 2003 и 2008 как обычный рабочий стол. Сервер 2016 прямо сейчас находится в процессе становления ОС для моего HTPC.
Можно ли использовать в качестве сервера обычный ПК?
Ответ
Практически любой компьютер можно использовать в качестве веб-сервера.при условии, что он может подключаться к сети и запускать программное обеспечение веб-сервера. Поскольку веб-сервер может быть довольно простым и доступны бесплатные веб-серверы с открытым исходным кодом, на практике любое устройство может выступать в качестве веб-сервера.
Windows Server 2019 — это почти так же легко установить как Windows 10.
Могу ли я установить Windows Server 2019 на ПК?
Шаги установки Windows Server 2019. После создания загрузочного USB- или DVD-носителя вставьте его и запустите компьютер. Пользователям VirtualBox, KVM и VMware нужно только прикрепить файл ISO во время создания виртуальной машины и выполнить указанные шаги по установке. … Выберите Windows Server 2019 выпуск для установки и нажмите Далее.
Как мне установить Windows Server 2016?
Вставьте DVD с Windows Server 2016 и загрузите компьютер с DVD. Загрузитесь с DVD / USB ISO (возможно, вам придется войти в BIOS или прервать загрузку для загрузки с внешнего носителя). ПРОЧИТАЙТЕ условия лицензии. Нажмите «Я принимаю условия лицензии», затем нажмите кнопку «Далее».
Как я могу превратить свой компьютер в сервер?
Превратите старый компьютер в веб-сервер!
- Шаг 1. Подготовьте компьютер. …
- Шаг 2. Получите операционную систему. …
- Шаг 3: Установите операционную систему. …
- Шаг 4: Webmin. …
- Шаг 5: Перенаправление портов. …
- Шаг 6: Получите бесплатное доменное имя. …
- Шаг 7: Протестируйте свой сайт! …
- Шаг 8: Разрешения.
В чем разница между сервером и ПК?
Настольная компьютерная система обычно запускает удобную для пользователя операционную систему и настольные приложения для облегчения задач, ориентированных на настольный компьютер. Напротив, сервер управляет всеми сетевыми ресурсами. Серверы часто являются выделенными (это означает, что он не выполняет никаких других задач, кроме задач сервера).
Windows Server 2019 бесплатна?
Ничто не бесплатное, особенно если это от Microsoft. Microsoft признала, что запуск Windows Server 2019 будет стоить дороже, чем его предшественник, но не раскрывает, насколько дороже. «Весьма вероятно, что мы повысим цены на лицензирование клиентского доступа Windows Server (CAL)», — сказал Чаппл в своем сообщении во вторник.
Могу ли я установить Windows на сервер?
С учетом всего сказанного, Windows 10 это не серверное программное обеспечение. Он не предназначен для использования в качестве серверной ОС. Он изначально не может делать то, что могут делать серверы. Но с небольшой помощью стороннего программного обеспечения он неплохо справляется.
Windows Server 2016 — это то же самое, что Windows 10?
Windows 10 и Server 2016 очень похожи по интерфейсу. Под капотом реальная разница между ними заключается просто в том, что Windows 10 предоставляет приложения универсальной платформы Windows (UWP) или «Магазин Windows», тогда как Server 2016 — поэтому далеко — не.
Какие есть версии Windows Server 2019?
Windows Server 2019 имеет три редакции: Essentials, Standard и Datacenter. Как следует из их названий, они предназначены для организаций разного размера и с различными требованиями к виртуализации и центрам обработки данных.
Как установить операционную систему на сервер?
Задачи по установке операционной системы
- Настройте среду отображения. …
- Сотрите основной загрузочный диск. …
- Настройте BIOS. …
- Установите операционную систему. …
- Настройте свой сервер для RAID. …
- Установите операционную систему, обновите драйверы и при необходимости запустите обновления операционной системы.
Windows Server 2019 — это то же самое, что Windows 10?
Microsoft Windows Server 2019 — это последняя серверная редакция Windows 10. Он предназначен для бизнеса и поддерживает оборудование более высокого класса. Используя одну и ту же кнопку просмотра задач и используя одно и то же меню «Пуск», трудно найти, чем отличаются эти два брата и сестры.
Сколько оперативной памяти мне нужно для сервера 2016?
Память — минимум, который вам нужен, это 2GBили 4 ГБ, если вы планируете использовать Windows Server 2016 Essentials в качестве виртуального сервера. Рекомендуемый размер — 16 ГБ, а максимальный, который вы можете использовать, — 64 ГБ. Жесткие диски. Вам понадобится как минимум жесткий диск объемом 160 ГБ с системным разделом на 60 ГБ.
В чем разница между Windows Server 2016 и 2019?
Windows Server 2019 — это последняя версия Microsoft Windows Server. Текущая версия Windows Server 2019 улучшена по сравнению с предыдущей версией Windows 2016 в отношении лучшей производительности, улучшенная безопасность и отличная оптимизация для гибридной интеграции.