OpenVPN releases version 2.7.0 with enhanced protocol and platform updates

OpenVPN version 2.7.0 is now available. This update improves support for multi-address server configurations and updates client functionality across operating systems. This release includes data channel processing enhancements and support for evolving kernel and cryptographic components.

Server enhancements

Version 2.7.0 adds multi-socket support for server instances. This allows the server to manage multiple addresses, ports, and protocols from a single process. This change is intended to simplify configuration when a service listens on multiple interfaces or needs to handle different transport options simultaneously.

The new release also includes preliminary support for the upstream DCO Linux kernel module. This module is expected to appear in future Linux kernels and replaces the previous out-of-tree ovpn-dco-v2 driver. Backported versions of the upstream module are available for current kernels through an associated project.

Client and control channel updates

Client support for DNS options has been improved across Linux, BSD, and macOS platforms. A new Windows client implementation is also included, providing control channel features such as split DNS and DNSSEC handling.

The control channel gains support for PUSH_UPDATE messages. This allows the server to update client options such as routing and DNS configuration during an active session without triggering a reconnection. This update comes with new management interface commands to broadcast and target changes to these options.

Windows platform changes

Architectural adjustments affect how OpenVPN works on Windows. The block-local flag is now enforced using Windows Filtering Platform filters. Network adapters are generated on demand, and the automatic service runs in an unprivileged user context. Support for server mode in the win-dco driver is part of this release, and tap-windows6 remains available as a fallback.

Data channels and encryption

This release includes updated data channel handling, including enforcement of AES-GCM usage limits and integrated support for epoch data keys and updated packet formats. The codebase adds support for TLS 1.3 when combined with certain new cryptographic libraries and is compatible with mbedTLS version 4.

Routing and environmental control

Two environment variables have been introduced to communicate preferred gateway redirects to external plugins used by network management software. The “recursive routing” check has been changed to drop fewer tunneled packets if the destination matches the VPN server path.

OpenVPN release 2.7.0 is available for free on GitHub.
