packages/net/openvpn/patches, branch master

openvpn: disable wolfssl support

2026-05-05T06:02:59Z

WolfSSL support for OpenVPN is currently broken: https://github.com/wolfSSL/wolfssl/pull/10309 Until a fix is available, disable WolfSSL as variant. Support can be re-enabled when WolfSSL is updated. Signed-off-by: Sander van Deijck

openvpn: update to 2.7.4

2026-05-05T06:02:59Z

Update the OpenVPN package to 2.7.4 For changes, see: https://github.com/OpenVPN/openvpn/blob/v2.7.4/Changes.rst Signed-off-by: Sander van Deijck

openvpn: update to 2.7.1

2026-04-13T16:24:25Z

The new DCO module depends on OpenVPN 2.7.1. For details refer to https://github.com/OpenVPN/openvpn/blob/v2.7.1/Changes.rst Removed upstreamed wolfSSL patches: - 101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch - 102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch Reworked 100-mbedtls-disable-runtime-version-check.patch to use MBEDTLS_VERSION_STRING instead of a mutable buffer. Signed-off-by: Qingfang Deng

openvpn: update to 2.6.19

2026-03-18T10:14:11Z

Update the openvpn package to the latest version in the 2.6.x branch while development of the 2.7.x branch become stable enough to merge. Signed-off-by: Sander van Deijck

openvpn: update to 2.6.14

2025-04-04T12:41:46Z

Security fixes: CVE-2025-2704: fix possible ASSERT() on OpenVPN servers using --tls-crypt-v2 Security scope: OpenVPN servers between 2.6.1 and 2.6.13 using --tls-crypt-v2 can be made to abort with an ASSERT() message by sending a particular combination of authenticated and malformed packets. No crypto integrity is violated, no data is leaked, and no remote code execution is possible. This bug does not affect OpenVPN clients. For details refer to https://github.com/OpenVPN/openvpn/blob/v2.6.14/Changes.rst Signed-off-by: Ivan Pavlov

openvpn: update to 2.6.11

2024-06-21T22:28:10Z

This is a bugfix release containing several security fixes. Security fixes -------------- - CVE-2024-4877: Windows: harden interactive service pipe. Security scope: a malicious process with "some" elevated privileges could open the pipe a second time, tricking openvn GUI into providing user credentials (tokens), getting full access to the account openvpn-gui.exe runs as. - CVE-2024-5594: control channel: refuse control channel messages with nonprintable characters in them. Security scope: a malicious openvpn peer can send garbage to openvpn log, or cause high CPU load. - CVE-2024-28882: only call schedule_exit() once (on a given peer). Security scope: an authenticated client can make the server "keep the session" even when the server has been told to disconnect this client Bug fixes --------- - fix connect timeout when using SOCKS proxies - work around LibreSSL crashing on OpenBSD 7.5 when enumerating ciphers - Add bracket in fingerprint message and do not warn about missing verification For details refer to https://github.com/OpenVPN/openvpn/blob/v2.6.11/Changes.rst Signed-off-by: Ivan Pavlov

openvpn: update to 2.6.9

2024-02-23T00:04:42Z

- license change is now complete, and all code has been re-licensed under the new license (still GPLv2, but with new linking exception for Apache2 licensed code). Code that could not be re-licensed has been removed or rewritten. - add support for building with mbedTLS 3.x.x - new option "--force-tls-key-material-export" to only accept clients that can do TLS keying material export to generate session keys (mostly an internal option to better deal with TLS 1.0 PRF failures). - Windows: bump vcpkg-ports/pkcs11-helper to 1.30 - Log incoming SSL alerts in easier to understand form and move logging from "--verb 8" to "--verb 3". - protocol_dump(): add support for printing "--tls-crypt" packets and other fixes For details refer to https://github.com/OpenVPN/openvpn/blob/v2.6.9/Changes.rst Signed-off-by: Ivan Pavlov

openvpn: update to 2.6.8

2023-11-19T20:24:11Z

This is a bugfix release containing security fixes. Security Fixes (included in 2.6.7): CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after it has been free()d in some circumstances, causing some free()d memory to be sent to the peer. All configurations using TLS (e.g. not using --secret) are affected by this issue. CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore --fragment configuration in some circumstances, leading to a division by zero when --fragment is used. On platforms where division by zero is fatal, this will cause an OpenVPN crash. For details refer to https://github.com/OpenVPN/openvpn/blob/v2.6.8/Changes.rst Signed-off-by: Ivan Pavlov

openvpn: update to 2.6.6

2023-08-18T03:17:38Z

Small bugfix release For details refer to https://github.com/OpenVPN/openvpn/blob/v2.6.6/Changes.rst Also, set depends on DCO kernel module when ENABLE_DCO flag is set. Signed-off-by: Ivan Pavlov

openvpn: update to 2.6.5 and add DCO support

2023-07-25T05:50:06Z

This commit updates openvpn to version 2.6.5 and add DCO support. There are several changes: - Starting with version 2.6.0, the sources are only provided as .tar.gz file. - removed OPENVPN__ENABLE_MULTIHOME: multihome support is always included and cannot be disabled anymore with 2.6.x. - removed OPENVPN__ENABLE_DEF_AUTH: deferred auth support is always included and cannot be disabled anymore with 2.6.x. - removed OPENVPN__ENABLE_PF: PF (packet filtering) support was removed in 2.6.x. - The internal lz4 library was removed in 2.6.x; we now use the liblz4 package if needed - To increase reproducibility, _DATE_ is only used for development builds and not in release builds in 2.6.x. - wolfSSL support was integrated into upstream openvpn - DES support was removed from openvpn The first two wolfSSL patches were created following these 2 commits: https://github.com/OpenVPN/openvpn/commit/4cf01c8e4381403998341aa32f79f4bf24c7ccb1 https://github.com/OpenVPN/openvpn/commit/028b501734b4a57dc53edb8b11a4b370f5b99e38 Signed-off-by: Martin Schiller