Page MenuHomeVyOS Platform

OpenVPN non-TLS site-to-site mode deprecation
Closed, ResolvedPublic


OpenVPN maintainers will remove the classic non-TLS site-to-site mode with pre-shared keys in the version 2.7.

2023-06-08 02:57:19 DEPRECATED OPTION: The option --secret is deprecated.
2023-06-08 02:57:19 DEPRECATION: No tls-client or tls-server option in configuration detected. OpenVPN 2.7 will remove the functionality to run a VPN without TLS. See the examples section in the manual page for examples of a similar quick setup with peer-fingerprint.

Debian Bookworm/VyOS 1.4 has OpenVPN 2.6, so we can and will support that mode at least until the EOL of 1.4. However, we should provide an upgrade path as soon as possible to give people enough time to learn about their options and execute the migration plan.

The replacement is TLS with the new peer-fingerprint option and EC-based certs that don't need generating a DH prime (since ECDH doesn't need it), so setup time is a lot shorter than for a full-blown PKI.


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Feature/functionality removal