OpenVPN non-TLS site-to-site mode deprecation
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	dmbaturin
	Jun 8 2023, 3:39 PM

Description

OpenVPN maintainers will remove the classic non-TLS site-to-site mode with pre-shared keys in the version 2.7.

2023-06-08 02:57:19 DEPRECATED OPTION: The option --secret is deprecated.
2023-06-08 02:57:19 DEPRECATION: No tls-client or tls-server option in configuration detected. OpenVPN 2.7 will remove the functionality to run a VPN without TLS. See the examples section in the manual page for examples of a similar quick setup with peer-fingerprint.

Debian Bookworm/VyOS 1.4 has OpenVPN 2.6, so we can and will support that mode at least until the EOL of 1.4. However, we should provide an upgrade path as soon as possible to give people enough time to learn about their options and execute the migration plan.

The replacement is TLS with the new peer-fingerprint option and EC-based certs that don't need generating a DH prime (since ECDH doesn't need it), so setup time is a lot shorter than for a full-blown PKI.

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
Issue type: Feature/functionality removal

Related Objects
Search...

Status	Assigned	Task
Resolved	dmbaturin	T5269 OpenVPN non-TLS site-to-site mode deprecation
Resolved	dmbaturin	T5270 Make OpenVPN `tls dh-params` optional
Resolved	dmbaturin	T5271 Add support for peer-fingerprint to OpenVPN
Resolved	c-po	T5272 Upgrade OpenVPN to 2.6 in Equuleus
Resolved	dmbaturin	T5273 Add op mode commands for displaying certificate details and fingerprints
Resolved	dmbaturin	T5274 Add a deprecation warning for OpenVPN site-to-site with pre-shared secret