Planning to remove some obsolete OpenVPN settings in the near future

RMerlin

Asuswrt-Merlin dev
Staff member
Depending on when OpenVPN 2.7 goes final, when I merge it into Asuswrt-Merlin, I will probably take the occasion to start removing some obsolete/deprecated settings. Some of them will already be gone with 2.7, while others may be marked as deprecated, for removal in 2.8.

I haven't done a complete analysis yet of the 2.7 changes, but one of the settings I will most likely retire is support for compression, which has been deprecated for years now (and even marked as a security liability by the OpenVPN devs).

Another possible removal might be for some obsolete ciphers and HMAC algorithms.

Whenever possible, feature removal will only be on the Server. I realize that some remote servers still require support for some older settings, so provided the feature is still available in OpenVPN 2.7, I don't intend to remove any feature from the Client.

What this means is people using the OpenVPN Server at that time might possibly need to readjust some settings, and export an updated config file for their clients.

Keep an eye on the changelog. People doing remote firmware updates over OpenVPN might need to be extra careful that time.

Be warned that once Asus finally migrates to OpenSSL 3.x (no idea when that will be, previous ETAs have come and gone by now), it might introduce additional changes. OpenSSL 3.x by default no longer supports some obsolete ciphers, so unless Asus decides to manually re-enable them, that means that some clients will also be impacted, not just servers.

At some point I might add a new client setting to enable connectivity to legacy servers. I personally have to use that myself to connect to some older OpenVPN servers (like the very old implementation used by Mikrotik routers). That would probably set settings like "compat-mode 2.4.0" or "tls-cert-profile insecure" in the router's client config.

I'll probably start poking at the community for more feedback from people with particular client needs, especially people connecting to very old servers.
 
One bit of advice I can make ahead of this - start looking at your server configuration. If you still use compression, disable it, then export a new client config for your devices connecting to the VPN server.
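
The check suggested above can be run against a server config or an exported client file before upgrading. This is an added example, not part of the original post and not Asuswrt-Merlin code: the function name and the sample config are constructed, and it reports only what the thread mentions, namely compression (OpenVPN's `comp-lzo` and `compress` directives, including pushed ones) and the legacy options `compat-mode` and `tls-cert-profile insecure`.

```python
import shlex

COMPRESSION = {"comp-lzo", "compress"}  # OpenVPN's compression directives

def audit_openvpn_config(text):
    """Return (line_no, kind, directive) for each setting worth reviewing."""
    findings, block = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if block:                                  # inside <ca>...</ca> etc.
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":            # comment or blank line
            continue
        if line[0] == "<" and line[-1] == ">" and line[1] != "/":
            block = line[1:-1]                     # inline key/cert block opens
            continue
        try:
            words = shlex.split(line, comments=True)
        except ValueError:                         # unbalanced quotes: skip
            continue
        kind = "compression"
        if len(words) > 1 and words[0] == "push":  # option pushed to clients
            words, kind = words[1].split(), "pushed-compression"
        if not words:
            continue
        # Reported whatever the argument: "comp-lzo no" and a bare "compress"
        # still leave compression framing enabled on the link.
        if words[0] in COMPRESSION:
            findings.append((no, kind, " ".join(words)))
        elif words[0] == "compat-mode" or words[:2] == ["tls-cert-profile", "insecure"]:
            findings.append((no, "legacy-compat", " ".join(words)))
    return findings

# Constructed sample config, not taken from a real router.
SAMPLE = """\
port 1194
; compress lz4
comp-lzo adaptive
push "compress lz4-v2"
<ca>
compress (filler inside an inline block, not a directive)
</ca>
compat-mode 2.4.0
tls-cert-profile insecure
tls-cert-profile preferred
"""

if __name__ == "__main__":
    for no, kind, directive in audit_openvpn_config(SAMPLE):
        print(f"line {no}: {kind}: {directive}")
```

An empty result for a server config means there is no compression setting left to remove; `legacy-compat` findings are expected only in client configs that talk to very old servers.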
 
