
[VyOS] What's coming for OpenVPN in VyOS 1.4?

VyOS 1.4 brings major OpenVPN enhancements: Data Channel Offload, secure site-to-site mode, deprecation of pre-shared keys, and removal of Blowfish cipher.
Great new features from recent releases, such as offload and new site-to-site mode with TLS. But some legacy also has to go away — read on for details! #openvpn #vyos

Initial Support for Data Channel Offload (DCO):

  • OpenVPN's performance was historically slower because all packet processing happened in user space.
  • The DCO project moves data-channel processing (encryption and forwarding) into the kernel, significantly improving throughput.
  • DCO is currently experimental, supporting specific ciphers and L2 mode.

Site-to-site Mode with Peer Certificate Fingerprint Verification:

  • OpenVPN's site-to-site mode is useful in certain network setups, such as linking two routers without a full CA.
  • VyOS 1.4 adds an option to specify the trusted certificate fingerprints of the peer, so trust is pinned to a specific certificate rather than delegated to a CA.
  • This enables self-signed certificates for quick setup while still authenticating the peer.

Deprecation of Pre-shared Keys in Site-to-site Mode:

  • TLS with certificate fingerprint verification provides improved security.
  • OpenVPN developers plan to remove pre-shared key support in future releases.
  • Migration to certificate-based authentication is encouraged.
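
A worked example of the fingerprint-pinned trust model described above, covering both the site-to-site fingerprint feature and the migration away from pre-shared keys. This is added example code, not code from VyOS or the OpenVPN project. It assumes the VyOS 1.4 node name `tls peer-fingerprint` (the interface name, addresses and PKI certificate name are placeholders), computes the SHA-256 fingerprint of a peer certificate in the colon-separated form that `openssl x509 -fingerprint -sha256` prints, and shows the pinning check: a peer is accepted only if the certificate it presents hashes to one of the pinned values, with no CA involved. The embedded PEM blob is constructed for the offline run and is not a real X.509 certificate.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample for demonstration only: PEM armor around placeholder bytes,
# not a real certificate. Replace with the peer's actual self-signed certificate.
SAMPLE_PEER_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed placeholder DER bytes, not a certificate").decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor of the first CERTIFICATE block and base64-decode the body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, formatted AA:BB:CC:... as openssl and OpenVPN print it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept fingerprints with or without colons and in either case."""
    return fp.replace(":", "").strip().upper()


def peer_is_trusted(presented_der: bytes, trusted_fingerprints) -> bool:
    """Pinning check: the peer is accepted only if the hash of the certificate it
    presented equals one of the pinned values. No CA is consulted, so a certificate
    signed by any authority is still rejected unless its fingerprint is pinned."""
    presented = normalize(der_fingerprint(presented_der))
    return any(hmac.compare_digest(presented, normalize(t)) for t in trusted_fingerprints)


def vyos_site_to_site_commands(iface, local_addr, remote_addr, remote_host,
                               local_port, remote_port, cert_name, fingerprint):
    """Build the VyOS 1.4 configuration for a TLS site-to-site tunnel pinned to the
    peer's fingerprint (node names as assumed here; check against your release).
    No pre-shared key is configured, which is the migration the post recommends."""
    base = f"set interfaces openvpn {iface}"
    return [
        f"{base} mode site-to-site",
        f"{base} protocol udp",
        f"{base} local-address {local_addr}",
        f"{base} remote-address {remote_addr}",
        f"{base} remote-host {remote_host}",
        f"{base} local-port {local_port}",
        f"{base} remote-port {remote_port}",
        f"{base} tls certificate {cert_name}",   # our own cert, stored under 'set pki certificate'
        f"{base} tls peer-fingerprint '{fingerprint}'",
    ]


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEER_PEM)
    fp = der_fingerprint(der)
    print("peer fingerprint:", fp)
    print("pinned peer accepted:", peer_is_trusted(der, [fp]))
    print("tampered cert accepted:", peer_is_trusted(der + b"x", [fp]))
    for line in vyos_site_to_site_commands("vtun1", "10.255.1.1", "10.255.1.2",
                                            "198.51.100.1", 1195, 1195, "openvpn-local", fp):
        print(line)
```

Each side of the tunnel pins the other side's fingerprint, so the pair of self-signed certificates forms a closed trust relationship. The `hmac.compare_digest` call keeps the comparison constant-time, which is the habit to keep even though fingerprints are public values.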

Removal of Blowfish Cipher:

  • Blowfish, the former default cipher, has had security weaknesses exposed over time.
  • VyOS will remove the bf128 and bf256 cipher options because of these security risks.
  • Clients that still rely on these ciphers will need to be reconfigured with a modern cipher or upgraded before connecting to VyOS 1.4.

Note: The changes and improvements mentioned are specific to OpenVPN in VyOS 1.4, with considerations for backward compatibility in VyOS 1.3.x.