[VyOS] What's coming for OpenVPN in VyOS 1.4?

What’s coming for OpenVPN in VyOS 1.4?

Great new features from recent releases, such as offload and new site-to-site mode with TLS. But some legacy also has to go away — read on for details! #openvpn #vyos

VyOS IncDaniil Baturin

Initial Support for Data Channel Offload (DCO):

• OpenVPN's performance was historically slower due to processing in user space.
• DCO project moves data processing to the kernel, significantly improving speed.
• DCO is currently experimental, supporting specific ciphers and L2 mode.

Site-to-site Mode with Peer Certificate Fingerprint Verification:

• OpenVPN's site-to-site mode offers value in certain network setups.
• Added option to specify trusted certificate fingerprints for security.
• Enables use of self-signed certificates for quick setup and authentication.

Deprecation of Pre-shared Keys in Site-to-site Mode:

• TLS with certificate fingerprint verification provides improved security.
• OpenVPN developers plan to remove pre-shared key support in future releases.
• Migration to certificate-based authentication is encouraged.

Removal of Blowfish Cipher:

• Blowfish, an older default cipher, had security vulnerabilities exposed.
• VyOS will remove bf128 and bf256 options due to security risks.
• Clients relying on these ciphers will need reconfiguration or upgrade.

Note: The changes and improvements mentioned are specific to OpenVPN in VyOS 1.4, with considerations for backward compatibility in VyOS 1.3.x.