The OpenVPN community has announced the release of OpenVPN 2.6, a major update to the open source protocol behind OpenVPN, Inc. products.
We want to highlight a few of the new features of the OpenVPN 2.6 release. The full list of new features and changes can be found here: Change log for OpenVPN 2.6.
Data-Channel Offload (DCO) on FreeBSD, Linux, and Windows
OpenVPN 2.6 adds the concept of dividing the control and data channel. The data channel carries the IP packets and has traditionally been in the userspace daemon together with the control channel. With OpenVPN 2.6, the data channel can be moved to kernel space on supported platforms, which results in a higher possible data throughput.
Antonio Quartulli spoke at the Netdev 0x16 Conference in Lisbon about OpenVPN and DCO. Here he explained in detail about the concept of handling OpenVPN data packets in the kernel space. This concept is now a reality in OpenVPN 2.6. Thanks to many contributors, DCO is now available on FreeBSD, Linux, and Windows.
Simplified setup for small deployments
OpenVPN 2.6 supports certificate fingerprint checking instead of requiring a full certificate PKI to verify peers. This makes setup a lot simpler for small setups. An example for this kind of setup can be found in the main openvpn-examples or here: Example fingerprint checking in OpenVPN.
Modern security standards
OpenVPN 2.6 now supports OpenSSL 3.0 and enforces stricter TLS, cipher selection, and modern security standards. The new default configuration allows only the use of AEAD ciphers AES-256-GCM and ChaCha20-Poly1305.
VPN before Login
The OpenVPN GUI Windows client that ships with OpenVPN 2.6 now has support for Pre-Logon Access Provider. This allows connecting to an OpenVPN server as part of the login process on Windows.
A word from OpenVPN Inc.
CloudConnexa® already implements data-channel offload, and so does the OpenVPN 3 Linux client. While there is already a noticeable benefit if one side supports DCO, it is best if both sides support it. To that end we’re already working towards implementing this feature on OpenVPN Access Server and OpenVPN Connect as well. With this update, it will be easier and faster for users to secure their network connections, no matter their use case.