OpenVPN 2.7.0 with multi-socket support and new Windows driver
The new version of OpenVPN brings multi-socket support for servers and revised Windows features. Several security vulnerabilities have been fixed.
The open-source VPN software OpenVPN has been released in version 2.7.0. It brings numerous improvements for servers and Windows clients. Among the most important new features are multi-socket support for OpenVPN servers and a fundamentally revised Windows implementation with split DNS support.
OpenVPN servers can now listen on multiple sockets simultaneously. Administrators can specify multiple --local directives in the configuration, allowing them to handle UDP and TCP connections on different addresses and ports concurrently. This improves resource utilization and enables better load balancing without needing to start additional server instances.
On Windows clients, OpenVPN has fundamentally renewed its DNS implementation. The new version uses the Windows Name Resolution Policy Table (NRPT) for true split DNS. This allows corporate domains to be resolved via the VPN, while public domains continue to be queried locally. Furthermore, the Windows implementation now supports DNSSEC validation.
Win-dco replaces Wintun
There is an important change regarding the Windows drivers: the new win-dco (Windows Data Channel Offload) driver is now the default and completely replaces the previously used Wintun driver. The Wintun developer now permits only the use of his own prebuilt binaries, so OpenVPN is focusing on win-dco, which offers better performance thanks to its kernel-level integration and now also supports server mode. The tap-windows6 driver remains available as a fallback for special use cases.
Another important innovation is the PUSH_UPDATE control channel message. This allows servers to update routing and DNS configurations without clients having to disconnect. This is particularly advantageous in corporate environments with frequent configuration changes. Server administrators can use the function via the management interface commands push-update-broad and push-update-cid.
Stricter Security Measures
In terms of encryption, OpenVPN 2.7.0 now enforces strict usage limits for AES-GCM. It forces a renegotiation after approximately 2^28 to 2^31 transmitted packets, depending on the packet size. The security margin thus matches that of TLS 1.3 and is based on an IETF draft on AEAD limits. This prevents attacks that exploit excessive reuse of a single encryption key.
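How the packet limit follows from the packet size can be worked out as follows. This is an added illustration, not from the article; it assumes the confidentiality bound for AES-GCM given in the IETF AEAD-limits draft and the 2^-57 margin that TLS 1.3 targets, since the article does not state the exact constants OpenVPN uses.

Let $q$ be the number of packets encrypted under one key and $s$ the total number of 16-byte plaintext blocks in those packets. The draft bounds the confidentiality advantage (CA) of AES-GCM by

$$\mathrm{CA} \le \frac{(s+q+1)^2}{2^{129}}.$$

Requiring $\mathrm{CA} \le 2^{-57}$ gives $(s+q+1)^2 \le 2^{72}$, i.e. $s+q \lesssim 2^{36}$ blocks (about $2^{40}$ bytes, roughly 1 TiB) per key. If every packet carries $b$ blocks, then $s = q\,b$ and $s+q = q\,(b+1)$, so the packet budget is

$$q \le \frac{2^{36}}{b+1}.$$

A 1500-byte packet is $b = 94$ blocks, giving $q \approx 2^{36}/95 \approx 2^{29.4}$. Packets of about 4 KiB ($b = 256$) bring the budget down to roughly $2^{28}$, while packets of about 512 bytes ($b = 32$) allow roughly $2^{31}$, which is the range of $2^{28}$ to $2^{31}$ packets quoted above: the larger the packets, the fewer of them fit under one key before a renegotiation is due.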
The Windows version now uses the Windows Filtering Platform (WFP) to enforce the block-local flag, so VPN administrators can prevent clients from accessing their local networks unless that access is explicitly configured. Additionally, the Windows service now runs as an unprivileged user instead of with administrator rights, reducing the attack surface. Network adapters are also created only when they are needed.
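The server-side configuration for the three features described above (multiple listening sockets, split DNS with DNSSEC pushed to Windows clients, and block-local), as an added example that is not taken from the article or from the OpenVPN project. It assumes the 2.7 form of the local directive, "local host [port] [protocol]", and the pushable "dns" option introduced in 2.6; all addresses, file names and the domain corp.example are placeholders.

```conf
# Added example, not from the article or the OpenVPN project.
# Assumes OpenVPN 2.7 "local host [port] [protocol]" syntax and the
# pushable "dns" option; addresses, files and domains are placeholders.

# Multi-socket: one server process answers UDP and TCP on different
# ports (before 2.7 this required a second server instance).
local 192.0.2.10 1194 udp
local 192.0.2.10 443 tcp-server

dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
# ECDH only, no DH parameters needed
dh none

# Split DNS: only the corporate zone is resolved through the tunnel,
# with DNSSEC validation required. On Windows 2.7 clients these
# settings populate the NRPT, so public names keep resolving locally.
push "dns server 1 address 10.8.0.1"
push "dns server 1 resolve-domains corp.example"
push "dns server 1 dnssec yes"
push "dns search-domains corp.example"

# Full tunnel with block-local: the client may not reach its own LAN
# while connected. On Windows 2.7 clients this is enforced through WFP.
push "redirect-gateway def1 block-local"
```

Pushing the dns and redirect-gateway settings from the server keeps the policy in one place; clients that do not understand the dns option (pre-2.6 builds) ignore it, so the resolve-domains restriction is only guaranteed on clients that support it.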
OpenVPN 2.7.0 supports the new ovpn-DCO Linux kernel module, which will be included in future Linux kernel versions. Backports for current kernels are available via the ovpn-backports project. The module offers kernel-level offloading for better performance. Furthermore, the version brings support for TLS 1.3 with mbedTLS 4, enabling more modern encryption protocols, better forward secrecy, and faster handshakes.
Fixed Security Vulnerabilities
Several security vulnerabilities were discovered and fixed during the release candidates of OpenVPN 2.7. The most critical was CVE-2025-12106, a heap buffer over-read affecting versions 2.7_alpha1 to 2.7_rc1. It arose from insufficient argument validation and allowed denial-of-service attacks against OpenVPN clients. In version 2.7_rc3, the developers also fixed logic errors in HMAC verification, stability issues in the Windows Interactive Service, and further buffer over-reads. All of these issues are resolved in the stable version 2.7.0.
When upgrading from version 2.6.x, administrators should note above all that Wintun is no longer supported. There are also known compatibility issues with Windows servers using the DCO driver when upgrading from 2.7_rc3, and client-to-client communication may be affected when switching from Wintun to DCO.
All details of the new version 2.7.0 can be found in the Release Notes on OpenVPN's GitHub page.
(fo)