Update for IPFire: Faster VPN thanks to OpenVPN 2.7
With OpenVPN 2.7 and Data Channel Offloading, VPN throughput in IPFire increases to up to 10 GBit/s. The update also closes critical kernel vulnerabilities.
(Image: Moritz Förster / AI / iX)
With IPFire 2.29 – Core Update 202, the team behind the free firewall distribution closes several security vulnerabilities in the Linux kernel, updates OpenVPN to version 2.7, and ships numerous further security and package updates.
Kernel vulnerabilities Dirty Frag and Copy Fail
The centrepiece is a rebase onto Linux 6.18.32. Among other things, this lets IPFire fix the recently disclosed vulnerabilities Dirty Frag (CVE-2026-43284) and Copy Fail (CVE-2026-31431). Both allow unprivileged local users to escalate their privileges, under certain conditions all the way to root. Dirty Frag sits in the kernel's ESP/IPsec code; Encapsulating Security Payload (ESP) is the protocol that carries the encrypted traffic in most IPsec VPNs, so the affected code runs on every IPsec gateway.
Copy Fail affects the crypto subsystem around AF_ALG and the algif_aead module. AF_ALG is the socket interface through which userspace applications access the kernel's cryptographic algorithms directly. All Linux distributions shipping kernels released since 2017 are potentially vulnerable.
The project nevertheless rates the practical attack surface on typical IPFire systems as low: both vulnerabilities require local access with an unprivileged account, and IPFire does not set up regular shell access for normal users by default. Even so, the developers cite the principle of "Defence in Depth" and recommend installing the update regardless of whether a system is exploitable in practice.
OpenVPN 2.7 accelerates VPN tunnels
The most important functional change is OpenVPN 2.7 with support for Data Channel Offloading (DCO). With DCO, the encryption and decryption of user traffic moves from userspace into the kernel: previously the OpenVPN daemon had to pick up every packet from the tun device, encrypt or decrypt it, and hand it back, with a context switch and a copy each way. Doing this work in the kernel removes those copies and lets the crypto code make better use of hardware acceleration such as AES-NI, which is why IPFire expects DCO to raise VPN throughput substantially while lowering CPU load and jitter. In IPFire's own tests, throughput per tunnel rose from around 1 GBit/s to up to 10 GBit/s. Two caveats for administrators: DCO only handles the data channel and only for the AEAD ciphers AES-GCM and ChaCha20-Poly1305 on tun-mode tunnels; the TLS control channel stays in userspace, and tunnels using compression, TAP mode or non-AEAD ciphers silently fall back to the old userspace path. The remote peer does not need DCO itself, since the wire format is unchanged.
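Because DCO falls back to the userspace data channel whenever a tunnel uses a feature the kernel path does not support, it is worth checking a server configuration before expecting the speed-up. The following POSIX shell function is an added example, not code from IPFire or the OpenVPN project: it scans an OpenVPN server config (IPFire generates its own under the hood; the sample configs here are constructed for illustration) and reports each directive that would prevent DCO from engaging, based on the restrictions documented for OpenVPN's DCO support (tun devices only, no compression, no fragment, AEAD ciphers only).

```shell
# Added example (not from IPFire or OpenVPN): report directives in an OpenVPN
# config that force the data channel back into userspace, defeating DCO.
# Usage: dco_blockers < server.conf   (exit status 0 = DCO-ready, 1 = blockers found)
dco_blockers() {
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        # drop OpenVPN comments ('#' and ';') and split into directive + arguments
        line=${line%%#*}
        line=${line%%;*}
        set -- $line
        [ $# -eq 0 ] && continue
        case "$1" in
            dev)
                case "$2" in
                    tap*) echo "dev $2: DCO supports tun devices only"; found=1 ;;
                esac ;;
            compress|comp-lzo)
                echo "$1: compression is not supported with DCO"; found=1 ;;
            fragment)
                echo "fragment: packet fragmentation is not supported with DCO"; found=1 ;;
            disable-dco)
                echo "disable-dco: DCO explicitly turned off"; found=1 ;;
            data-ciphers|ncp-ciphers)
                # every negotiable cipher must be one the kernel module can offload
                for c in $(printf '%s' "$2" | tr ':' ' ' | tr 'a-z' 'A-Z'); do
                    case "$c" in
                        AES-*-GCM|CHACHA20-POLY1305) ;;
                        *) echo "data-ciphers: $c is not an AEAD cipher DCO can offload"; found=1 ;;
                    esac
                done ;;
        esac
    done
    return $found
}

# Constructed sample: a legacy-style config with four DCO blockers.
sample_dco_blocked() {
    cat <<'EOF'
dev tap0
proto udp
port 1194
data-ciphers AES-256-GCM:AES-256-CBC   # CBC is not offloadable
comp-lzo
fragment 1300
EOF
}

# Constructed sample: the same server trimmed down to what DCO accepts.
sample_dco_ready() {
    cat <<'EOF'
dev tun
proto udp
port 1194
topology subnet
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
; no compression, no fragment: the kernel data channel can take over
EOF
}
```

Run `sample_dco_blocked | dco_blockers` to see the four findings, or point it at a real file with `dco_blockers < /path/to/server.conf`; a clean config produces no output and exit status 0. Fixing the listed directives is usually a matter of switching to `dev tun`, dropping compression (which also removes the VORACLE-style compression risk), and restricting `data-ciphers` to AES-GCM and ChaCha20-Poly1305.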
The update also fixes a vulnerability in glibc triggered by crafted DNS responses. Affected are the gethostbyaddr and gethostbyaddr_r functions used for reverse DNS lookups; an attacker controlling the answer could inject forged hostnames (GLIBC-SA-2026-0005). The developers have furthermore updated central components, among them OpenSSL 3.6.2, OpenSSH 10.3p1, Suricata 8.0.5, strongSwan 6.0.6, BIND 9.20.22, and Unbound 1.25.1. Full details of Core Update 202 are in the release notes on the project website.
(fo)