Initial Support for Data Channel Offload (DCO):
- OpenVPN's performance was historically slower due to processing in user space.
- DCO project moves data processing to the kernel, significantly improving speed.
- DCO is currently experimental, supporting specific ciphers and L2 mode.
Site-to-site Mode with Peer Certificate Fingerprint Verification:
- OpenVPN's site-to-site mode offers value in certain network setups.
- Added option to specify trusted certificate fingerprints for security.
- Enables use of self-signed certificates for quick setup and authentication.
Deprecation of Pre-shared Keys in Site-to-site Mode:
- TLS with certificate fingerprint verification provides improved security.
- OpenVPN developers plan to remove pre-shared key support in future releases.
- Migration to certificate-based authentication is encouraged.
Removal of Blowfish Cipher:
- Blowfish, an older default cipher, had security vulnerabilities exposed.
- VyOS will remove bf128 and bf256 options due to security risks.
- Clients relying on these ciphers will need reconfiguration or upgrade.
Note: The changes and improvements mentioned are specific to OpenVPN in VyOS 1.4, with considerations for backward compatibility in VyOS 1.3.x.