
Bug 1408889

Summary: openvpn-2.4.0 is available
Product: [Fedora] Fedora
Component: openvpn
Version: rawhide
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Upstream Release Monitoring <upstream-release-monitoring>
Assignee: Gwyn Ciesla <gwync>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dazo, dimitris, gwync, huzaifas, invalid.path, jan.kratochvil, steve
Keywords: FutureFeature, Triaged
Doc Type: Enhancement
Last Closed: 2017-02-13 13:54:37 UTC
Bug Blocks: 1411812
Attachments: Rebase-helper rebase-helper-debug.log log file. See for details and report the eventual error to rebase-helper https://github.com/phracek/rebase-helper/issues. (Flags: none)

Description Upstream Release Monitoring 2016-12-28 00:18:48 UTC
Latest upstream release: 2.4.0
Current version/release in rawhide: 2.3.14-1.el7
URL: http://www.openvpn.net/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring

Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.

Based on the information from anitya:  https://release-monitoring.org/project/2567/

Comment 1 Upstream Release Monitoring 2016-12-28 00:19:36 UTC
Patching or scratch build for openvpn-2.3.14 failed.

Comment 2 Upstream Release Monitoring 2016-12-28 00:19:38 UTC
Created attachment 1235565
Rebase-helper rebase-helper-debug.log log file.
See for details and report the eventual error to rebase-helper https://github.com/phracek/rebase-helper/issues.

Comment 3 Upstream Release Monitoring 2016-12-28 00:19:41 UTC
Patches were not touched. All were applied properly.

Comment 4 Gwyn Ciesla 2016-12-28 00:23:42 UTC
In git, but FTBFS due to openssl 1.1.x.  Not likely to be supported until 2.5.x

Comment 5 David Sommerseth 2016-12-31 00:11:09 UTC
(In reply to Jon Ciesla from comment #4)
> In git, but FTBFS due to openssl 1.1.x.  Not likely to be supported until
> 2.5.x

An alternative could be to build OpenVPN with ./configure --with-crypto-library=mbedtls ... And drop the OpenSSL dependency in favour of mbedtls-2.x.x.

Comment 6 Gwyn Ciesla 2017-01-03 15:25:05 UTC
Our mbedtls lacks pkcs11 support.

checking mbedtls pkcs11 support... configure: error: mbedtls has no pkcs11 wrapper compiled in

I can file a BZ to get that done, or do it myself, but even if I do a local build that includes it, it doesn't seem to find pkcs11 in mbedtls.

Comment 7 Gwyn Ciesla 2017-01-03 15:32:26 UTC
Additionally, this would be a problem:

configure: error: mbed TLS does not support the --x509-username-field feature

Comment 8 David Sommerseth 2017-01-03 16:27:29 UTC
(In reply to Jon Ciesla from comment #7)
> Additionally, this would be a problem:
> 
> configure: error: mbed TLS does not support the --x509-username-field feature

To my knowledge this is a very little used feature, I'd let it pass for Rawhide currently.

Comment 9 Gwyn Ciesla 2017-02-06 14:01:37 UTC
Is disabling pkcs11 ok for rawhide as well?

Comment 10 Upstream Release Monitoring 2017-02-09 14:31:42 UTC
limb's openvpn-2.4.0-2.fc26 completed http://koji.fedoraproject.org/koji/buildinfo?buildID=839675

Comment 11 Fedora Update System 2017-02-09 14:44:31 UTC
openvpn-2.4.0-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-669dbe8a47

Comment 12 Fedora Update System 2017-02-09 14:44:49 UTC
openvpn-2.4.0-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d1000d05d1

Comment 13 Fedora Update System 2017-02-09 21:52:53 UTC
openvpn-2.4.0-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d1000d05d1

Comment 14 Fedora Update System 2017-02-09 22:22:29 UTC
openvpn-2.4.0-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-669dbe8a47

Comment 15 Gwyn Ciesla 2017-02-13 13:54:37 UTC
Unpushed stable releases, leaving f26+ only.

Comment 16 Dimitris 2017-02-13 17:58:06 UTC
On F25 this works for me with the latest NetworkManager-openvpn plugin from updates-testing, including with server name verification (#1421241).  v2.4.0 brings better IPv6 support, allowing me to properly work with untrusted public networks that hand out global IPv6 addresses (Comcast-backed hotspots).  Other than the bug above, was there another reason to unpush this for F25?

Comment 17 Gwyn Ciesla 2017-02-13 18:08:33 UTC
See the comments in the bodhi updates linked above.

Comment 18 Dimitris 2017-02-13 18:52:26 UTC
bug 1421241, referenced by the F25 bodhi thread, seems to be moving well, at least for NM users.  As I mentioned, using nm-openvpn from updates-testing it already works for me.

Is that enough to get 2.4 into F25 (and if further discussion is needed, where should I take it)?

Comment 19 Gwyn Ciesla 2017-02-13 18:55:58 UTC
I'm not sure.  The command line options changed.  Comment the above on the bodhi updates and see what the commenters think.

Comment 20 David Sommerseth 2017-02-13 22:58:02 UTC
As long as the nm-openvpn plug-in is updated, pushing this to F25 should not be a real issue, IMHO.

With that said, there are more updates coming to nm-openvpn, which does some additional tricks to ease the migration for most configurations.  But it will not cover all scenarios.  It is also fairly well discussed in bugzilla #1421241.

But regardless of --tls-remote going away.  This option has been deprecated for about 3 years and it has been documented as deprecated for the same time.  At some point it is needed to tell users to update their configuration.
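
A pre-upgrade check for the configuration change discussed in comments 19 and 20, as an added example that is not part of the original thread or of any Fedora/OpenVPN tooling: it scans an OpenVPN config for `tls-remote` and reports whether a replacement directive is already present. The replacement name `verify-x509-name` is OpenVPN's own option but is not named in this thread; the function name `audit_config` and the sample config are constructed for illustration.

```python
import re

# Option the thread says is going away; the replacement listed here
# (verify-x509-name) is an assumption added by this example, not from the thread.
REMOVED = {"tls-remote": "verify-x509-name"}

# Constructed sample config (not taken from the bug report).
SAMPLE = """\
client
remote vpn.example.com 1194
# tls-remote old.example.com   (commented out, must be ignored)
tls-remote vpn.example.com
<ca>
-----BEGIN CERTIFICATE-----
tls-remote inside-inline-block
-----END CERTIFICATE-----
</ca>
"""

def audit_config(text):
    """Return (findings, has_replacement) for the text of an OpenVPN config.

    findings: list of (line_number, option, argument_string) for removed options.
    has_replacement: True if a replacement directive is already configured.
    """
    findings, present = [], set()
    inline_end = None  # closing tag of the inline block being skipped, if any
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inline_end:                       # inside <ca>...</ca> style data
            if line == inline_end:
                inline_end = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:                                # start of an inline block
            inline_end = "</%s>" % m.group(1)
            continue
        if not line or line[0] in "#;":      # blank line or comment
            continue
        parts = line.split(None, 1)
        option = parts[0].lstrip("-")        # tolerate a leading "--"
        present.add(option)
        if option in REMOVED:
            findings.append((lineno, option, parts[1] if len(parts) > 1 else ""))
    return findings, any(r in present for r in REMOVED.values())

if __name__ == "__main__":
    hits, replaced = audit_config(SAMPLE)
    for lineno, option, args in hits:
        print("line %d: %s %s (replacement configured: %s)"
              % (lineno, option, args, replaced))
```

A config that is flagged with no replacement configured would lose its server identity check once the removed option is deleted, so the replacement should be added in the same change.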

Comment 21 B H 2017-03-03 04:43:36 UTC
As an F25 and OpenVPN user... I'm just wondering where this left off?  My company's vpn requires at least version 2.4 so the lack of a package is stopping me from switching distros.
Do I correctly assume that the bodhi link above for F25 is correct if I wanted to try the latest iteration?

Comment 22 David Sommerseth 2017-03-24 23:19:25 UTC
OpenVPN v2.4.1 has been built for Fedora 25, 26 and Rawhide.  Hopefully this resolves most of these issues found in these builds for openvpn-2.4.0.

See bz#1435036 for more details.