#36 Release notes - Fedora 26 - OpenVPN
Closed: Fixed 6 years ago Opened 6 years ago by dsommers.

OpenVPN has been rebased to the latest upstream version - v2.4.3.

This update adds a lot of improvements, most notably improved elliptic curve support (ECDH), support for AES-GCM, an additional encryption layer of the control channel (--tls-crypt) and a type of cipher negotiation which allows gradually updating client ciphers to stronger ones without much extra complexity. In addition, there is also seamless client IP/port floating, allowing clients to change IP address or port without going through a full renegotiation of the established tunnel. For the full set of changes, see https://github.com/OpenVPN/openvpn/blob/v2.4.1/Changes.rst

The overall systemd integration has also improved, allowing systemd to better manage the OpenVPN processes. This update also ships with brand new systemd unit files, which add additional security hardening. These new unit files are preferred over the old openvpn@.service unit file. These new unit files are also used as is in other systemd Linux distributions, which ensures a more consistent behaviour and usage of OpenVPN on systemd-based systems. Please see /usr/share/doc/openvpn/README.systemd for more information.

This update may introduce some surprises too.

  • CRL checking is now done by the SSL libraries directly. These libraries have a far stricter acceptance policy than the old approach OpenVPN used earlier. For example, if your CRL file has expired, this will have an impact on all your users regardless of whether their certificates are revoked or not.

  • In Fedora 26, OpenVPN will currently use compat-openssl10 and compat-openssl10-pkcs11-helper. These compat packages are considered a workaround until the openssl-1.1 support, which has arrived in OpenVPN quite recently, has been more thoroughly tested. In a later update the OpenVPN package will be updated to make use of the newer openssl-1.1 library.
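
A check for the CRL expiry case described above, as an added example that is not part of the original ticket or of the OpenVPN package: it reads the `nextUpdate` field with `openssl crl -noout -nextupdate` and reports whether the CRL is expired or close to expiry. It assumes a PEM-encoded CRL file and a 7-day warning window; the function names and the sample line are constructed for illustration.

```python
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample of what `openssl crl -noout -nextupdate` prints.
SAMPLE_LINE = "nextUpdate=Jun  1 12:00:00 2017 GMT"


def parse_next_update(line):
    """Turn openssl's 'nextUpdate=<date> GMT' line into an aware UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key != "nextUpdate":
        raise ValueError(f"not a nextUpdate line: {line!r}")
    # Raises ValueError as well if the CRL carries no usable nextUpdate value.
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def crl_status(next_update, now, warn_days=7):
    """Classify a CRL as 'expired', 'expiring' (inside the window) or 'ok'."""
    if now >= next_update:
        return "expired"   # every client connection would be affected
    if next_update - now <= timedelta(days=warn_days):
        return "expiring"  # regenerate and redeploy the CRL now
    return "ok"


def check_crl_file(path, warn_days=7):
    """Run openssl on a PEM CRL file and return (status, nextUpdate)."""
    out = subprocess.run(
        ["openssl", "crl", "-in", path, "-noout", "-nextupdate"],
        check=True, capture_output=True, text=True,
    ).stdout
    next_update = parse_next_update(out)
    return crl_status(next_update, datetime.now(timezone.utc), warn_days), next_update


if __name__ == "__main__":
    if len(sys.argv) > 1:
        status, when = check_crl_file(sys.argv[1])
    else:
        # No file given: classify the constructed sample against a fixed date.
        when = parse_next_update(SAMPLE_LINE)
        status = crl_status(when, datetime(2017, 5, 30, tzinfo=timezone.utc))
    print(f"{status}: nextUpdate {when:%Y-%m-%d %H:%M} UTC")
    sys.exit(0 if status == "ok" else 1)
```

Run from a timer or cron job against the file given to `--crl-verify`, a non-zero exit status signals that the CRL needs to be reissued before clients start failing.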


I just updated the release notes to match up with the recent development of this package. Most importantly, we currently use compat-openssl10 now instead of mbedtls-2.4.x, which restores many of the features Mbed TLS is lacking.

Another note: OpenVPN v2.4.3 will be released Wed June 21. Packaging is mostly done and will be pushed out ASAP after the official release.

@dsommers when you say you updated the release notes, do you mean you updated the text in the opening of the ticket? I am sorry I didn't track this ticket sooner.

Do you need the additional note folded in or can we ignore it for the purposes of release notes?

@bex I did update the initial main text directly (comment #0 in Bugzilla terms). A lot has happened in the meantime since this initial release note text was written. One place I forgot to update though ... There is a pointer to the v2.4.1 Changes.rst file. That should point at the 2.4.3 Changes.rst file, as F26 now ships with v2.4.3. Otherwise, the main text looks good content-wise (can be improved language-wise though).

Metadata Update from @pbokoc:
- Issue assigned to pbokoc

6 years ago

Metadata Update from @pbokoc:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

6 years ago
