I have started working on OpenVPN 2.7 support, and am reviewing some of the changes that came with it. Two important things:
--secret support is now disabled by default. That authentication method is deemed no longer safe, so by default OpenVPN no longer supports it. Unless I can get a good case for it to be kept (it will require manually re-enabling it at compile time), I intend to also fully remove it, in both server and client configurations. Note that secret support will be fully removed in OpenVPN 2.8, so now's as good a time as any for people still using it to modernize their setup.
OpenVPN will no longer send compressed data. Compression has been labeled as deprecated for quite a few years already. Starting with 2.7, OpenVPN can still accept inbound compressed data (probably for backward compatibility) but it will no longer send any compressed data itself. This one I am on the fence as to how to handle. On one hand, it's been labeled as both deprecated and unsafe for many years already by the OpenVPN devs. On the other hand, how many users are still unaware of this, and would enable it thinking it was a good thing to do (even tho the majority of modern traffic is either compressed or pre-encrypted data, so it doesn't really compress well in the tunnel context). Any thoughts?
In any case, both of these will be documented explicitely in the changelog, so router admins will be aware of it before they upgrade (assuming they actually read the changelog - if they don't, then I blame them).
Another noteworthy change is that the subnet topology is now the default. But that's something I already changed many years ago in the default server configuration, so it might only come into effect if someone has a really unusual setup and were using a postconf script to replace "topology subnet" with "topology net30". Now, they would have to just append "topology net30", there won't be any existing config line to modify.
--secret support is now disabled by default. That authentication method is deemed no longer safe, so by default OpenVPN no longer supports it. Unless I can get a good case for it to be kept (it will require manually re-enabling it at compile time), I intend to also fully remove it, in both server and client configurations. Note that secret support will be fully removed in OpenVPN 2.8, so now's as good a time as any for people still using it to modernize their setup.
OpenVPN will no longer send compressed data. Compression has been labeled as deprecated for quite a few years already. Starting with 2.7, OpenVPN can still accept inbound compressed data (probably for backward compatibility) but it will no longer send any compressed data itself. This one I am on the fence as to how to handle. On one hand, it's been labeled as both deprecated and unsafe for many years already by the OpenVPN devs. On the other hand, how many users are still unaware of this, and would enable it thinking it was a good thing to do (even tho the majority of modern traffic is either compressed or pre-encrypted data, so it doesn't really compress well in the tunnel context). Any thoughts?
In any case, both of these will be documented explicitely in the changelog, so router admins will be aware of it before they upgrade (assuming they actually read the changelog - if they don't, then I blame them).
Another noteworthy change is that the subnet topology is now the default. But that's something I already changed many years ago in the default server configuration, so it might only come into effect if someone has a really unusual setup and were using a postconf script to replace "topology subnet" with "topology net30". Now, they would have to just append "topology net30", there won't be any existing config line to modify.
