openvpn/4.0.0

Please review these changes carefully - many properties and defaults have changed which may impact connectivity. While breaking changes are generally avoided, the goals of this release necessitated some significant changes. Those goals were: utilize modern BOSH features, encourage secure defaults, avoid duplicating features, and simplify configuration requirements.

Breaking Changes

• properties are no longer prefixed with openvpn namespace
• the openvpn job will no longer act as a client (see the new openvpn-client job)
• the openvpn job improves security defaults (either explicitly use older values, or upgrade clients as necessary)
  • cipher is now AES-256-CBC (this must be in sync with clients; previous default BF-CBC)
  • tls_version_min is now 1.2 (requires clients 2.3.3+; previous default 1.0)
• custom iptables rules are no longer managed (use the iptables job of networking release instead)
• server and client certificates are now configured with the tls_server and tls_client properties, respectively (previously via ca_crt, certificate, and private_key properties)
• certificate revocation lists for openvpn are now configured with the tls_crl property (previously via crl_pem property)

New Features

• UDP is now supported (see protocol property of openvpn)
• the openvpn compress option is now supported (see compress property of openvpn)
• the openvpn tls-crypt option is now supported (see tls_crypt property of openvpn)
• new extra_configs property of openvpn and openvpn-client (similar to extra_config, but accepts an array of openvpn directives)
• new device property is now supported for explicit virtual network device usage
• certificate-related properties can now be dynamically generated

Development & Tooling

• git version tags now refer to the commit a release was created from (previously the commit which finalized the release was used)