This repository has been archived by the owner on Jun 27, 2022. It is now read-only.

Releases: dpb587/openvpn-bosh-release

v4.2.0

11 Dec 05:11
  • fix: openvpn should use embedded release version of openssl rather than system version
  • enhancement: parallelize compilation steps to use all available CPUs
  • upgrade: openssl/1.0.1g (was 1.0.1f)

v4.1.0

01 Oct 02:30
  • add openvpn-clients job to support running multiple clients with raw openvpn configuration files
  • upgrade: openssl/1.0.1f (was 1.0.1e)
  • upgrade: openvpn/2.4.4 (was 2.4.3)

v4.0.0

28 Jun 06:46

Please review these changes carefully - many properties and defaults have changed which may impact connectivity. While breaking changes are generally avoided, the goals of this release necessitated some significant changes. Those goals were: utilize modern BOSH features, encourage secure defaults, avoid duplicating features, and simplify configuration requirements.

Breaking Changes

  • properties are no longer prefixed with openvpn namespace
  • the openvpn job will no longer act as a client (see the new openvpn-client job)
  • the openvpn job improves security defaults (either explicitly use older values, or upgrade clients as necessary)
    • cipher is now AES-256-CBC (this must be in sync with clients; previous default BF-CBC)
    • tls_version_min is now 1.2 (requires clients 2.3.3+; previous default 1.0)
  • custom iptables rules are no longer managed (use the iptables job of networking release instead)
  • server and client certificates are now configured with the tls_server and tls_client properties, respectively (previously via ca_crt, certificate, and private_key properties)
  • certificate revocation lists for openvpn are now configured with the tls_crl property (previously via crl_pem property)

New Features

  • UDP is now supported (see protocol property of openvpn)
  • the openvpn compress option is now supported (see compress property of openvpn)
  • the openvpn tls-crypt option is now supported (see tls_crypt property of openvpn)
  • new extra_configs property of openvpn and openvpn-client (similar to extra_config, but accepts an array of openvpn directives)
  • new device property is now supported for explicit virtual network device usage
  • certificate-related properties can now be dynamically generated

Development & Tooling

  • git version tags now refer to the commit a release was created from (previously the commit which finalized the release was used)

v3.2.2

23 Jun 07:12

Upgrades

  • openvpn 2.4.3

v3.2.1

12 Jun 07:26

No changes (release automation changes only)

v3.2.0

08 Jun 02:16
  • support pushing DNS servers via openvpn.push_dns
  • support pushing DNS search domains via openvpn.push_dns_search_domains

v3.1.4

19 May 06:36
  • new, optional openvpn configuration properties: tls_version_min, tls_cipher
  • upgrade: openvpn/2.4.2

v3.1.3

17 Apr 00:16
  • openvpn status log now lives at /var/vcap/sys/run/openvpn/status
  • upgrade: openvpn now 2.4.1 (was 2.3.14)
  • upgrade: openssl now 1.1.0e (was 1.0.2k)
  • upgrade: lzo now 2.10 (was 2.09)
  • dev: refactor integration tests to execute within container

v3.1.2

16 Feb 11:37
  • upgrade: openssl now 1.0.2k (was 1.0.2j)

v3.1.1

11 Dec 23:34
  • upgrade: openvpn now 2.3.14 (was 2.3.13)