change(openvpn): Openvpn 2.4 no longer supported

internal/configuration/settings/openvpn.go

@@ -17,7 +17,7 @@ import (
 // OpenVPN contains settings to configure the OpenVPN client.
 type OpenVPN struct {
 	// Version is the OpenVPN version to run.
-	// It can only be "2.4" or "2.5".
+	// It can only be "2.5".
 	Version string
 	// User is the OpenVPN authentication username.
 	// It cannot be nil in the internal state if OpenVPN is used.
@@ -88,7 +88,7 @@ var ivpnAccountID = regexp.MustCompile(`^(i|ivpn)\-[a-zA-Z0-9]{4}\-[a-zA-Z0-9]{4
 
 func (o OpenVPN) validate(vpnProvider string) (err error) {
 	// Validate version
-	validVersions := []string{openvpn.Openvpn24, openvpn.Openvpn25}
+	validVersions := []string{openvpn.Openvpn25}
 	if !helpers.IsOneOf(o.Version, validVersions...) {
 		return fmt.Errorf("%w: %q can only be one of %s",
 			ErrOpenVPNVersionIsNotValid, o.Version, strings.Join(validVersions, ", "))

internal/configuration/settings/settings.go

@@ -4,7 +4,6 @@ import (
 	"fmt"
 
 	"github.com/qdm12/gluetun/internal/configuration/settings/helpers"
-	"github.com/qdm12/gluetun/internal/constants/openvpn"
 	"github.com/qdm12/gluetun/internal/constants/providers"
 	"github.com/qdm12/gluetun/internal/constants/vpn"
 	"github.com/qdm12/gluetun/internal/models"
@@ -170,27 +169,14 @@ func (s Settings) Warnings() (warnings []string) {
 
 	if helpers.IsOneOf(*s.VPN.Provider.Name, providers.SlickVPN) &&
 		s.VPN.Type == vpn.OpenVPN {
-		if s.VPN.OpenVPN.Version == openvpn.Openvpn24 {
-			warnings = append(warnings, "OpenVPN 2.4 uses OpenSSL 1.1.1 "+
-				"which allows the usage of weak security in today's standards. "+
-				"This can be ok if good security is enforced by the VPN provider. "+
-				"However, "+*s.VPN.Provider.Name+" uses weak security so you should use "+
-				"OpenVPN 2.5 to enforce good security practices.")
-		} else {
-			warnings = append(warnings, "OpenVPN 2.5 uses OpenSSL 3 "+
-				"which prohibits the usage of weak security in today's standards. "+
-				*s.VPN.Provider.Name+" uses weak security which is out "+
-				"of Gluetun's control so the only workaround is to allow such weaknesses "+
-				`using the OpenVPN option tls-cipher "DEFAULT:@SECLEVEL=0". `+
-				"You might want to reach to your provider so they upgrade their certificates. "+
-				"Once this is done, you will have to let the Gluetun maintainers know "+
-				"by creating an issue, attaching the new certificate and we will update Gluetun.")
-		}
-	}
-
-	if s.VPN.OpenVPN.Version == openvpn.Openvpn24 {
-		warnings = append(warnings, "OpenVPN 2.4 will be removed in release v3.34.0 (around June 2023). "+
-			"Please create an issue if you have a compelling reason to keep it.")
+		warnings = append(warnings, "OpenVPN 2.5 uses OpenSSL 3 "+
+			"which prohibits the usage of weak security in today's standards. "+
+			*s.VPN.Provider.Name+" uses weak security which is out "+
+			"of Gluetun's control so the only workaround is to allow such weaknesses "+
+			`using the OpenVPN option tls-cipher "DEFAULT:@SECLEVEL=0". `+
+			"You might want to reach to your provider so they upgrade their certificates. "+
+			"Once this is done, you will have to let the Gluetun maintainers know "+
+			"by creating an issue, attaching the new certificate and we will update Gluetun.")
 	}
 
 	return warnings

internal/constants/openvpn/versions.go

@@ -1,6 +1,5 @@
 package openvpn
 
 const (
-	Openvpn24 = "2.4"
 	Openvpn25 = "2.5"
 )

internal/openvpn/start.go

@@ -14,7 +14,6 @@ import (
 var ErrVersionUnknown = errors.New("OpenVPN version is unknown")
 
 const (
-	binOpenvpn24 = "openvpn2.4"
 	binOpenvpn25 = "openvpn2.5"
 )
 
@@ -22,8 +21,6 @@ func start(ctx context.Context, starter command.Starter, version string, flags [
 	stdoutLines, stderrLines chan string, waitError chan error, err error) {
 	var bin string
 	switch version {
-	case openvpn.Openvpn24:
-		bin = binOpenvpn24
 	case openvpn.Openvpn25:
 		bin = binOpenvpn25
 	default:

internal/openvpn/version.go

@@ -8,10 +8,6 @@ import (
 	"strings"
 )
 
-func (c *Configurator) Version24(ctx context.Context) (version string, err error) {
-	return c.version(ctx, binOpenvpn24)
-}
-
 func (c *Configurator) Version25(ctx context.Context) (version string, err error) {
 	return c.version(ctx, binOpenvpn25)
 }

internal/provider/airvpn/openvpnconf.go

@@ -24,8 +24,6 @@ func (p *Provider) OpenVPNConfig(connection models.Connection,
 	}
 
 	switch settings.Version {
-	case openvpn.Openvpn24:
-		providerSettings.Ciphers = []string{openvpn.AES256cbc}
 	case openvpn.Openvpn25:
 		providerSettings.Ciphers = []string{
 			openvpn.AES256gcm, openvpn.AES256cbc, openvpn.AES192gcm,

internal/provider/custom/openvpnconf.go

@@ -79,7 +79,7 @@ func modifyConfig(lines []string, connection models.Connection,
 	}
 	modified = append(modified, "verb "+strconv.Itoa(*settings.Verbosity))
 	if len(settings.Ciphers) > 0 {
-		modified = append(modified, utils.CipherLines(settings.Ciphers, settings.Version)...)
+		modified = append(modified, utils.CipherLines(settings.Ciphers)...)
 	}
 	if *settings.Auth != "" {
 		modified = append(modified, "auth "+*settings.Auth)

internal/provider/slickvpn/openvpnconf.go

@@ -28,13 +28,11 @@ func (p *Provider) OpenVPNConfig(connection models.Connection,
 		},
 	}
 
-	if settings.Version == openvpn.Openvpn25 {
-		// SlickVPN's certificate is sha1WithRSAEncryption and sha1 is now
-		// rejected by openssl 3.x.x which is used by OpenVPN >= 2.5.
-		// We lower the security level to 3 to allow this algorithm,
-		// see https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
-		providerSettings.TLSCipher = "DEFAULT:@SECLEVEL=0"
-	}
+	// SlickVPN's certificate is sha1WithRSAEncryption and sha1 is now
+	// rejected by openssl 3.x.x which is used by OpenVPN >= 2.5.
+	// We lower the security level to 3 to allow this algorithm,
+	// see https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
+	providerSettings.TLSCipher = "DEFAULT:@SECLEVEL=0"
 
 	return utils.OpenVPNConfig(providerSettings, connection, settings, ipv6Supported)
 }

internal/provider/utils/cipher.go

@@ -2,25 +2,15 @@ package utils
 
 import (
 	"strings"
-
-	"github.com/qdm12/gluetun/internal/constants/openvpn"
 )
 
-func CipherLines(ciphers []string, version string) (lines []string) {
+func CipherLines(ciphers []string) (lines []string) {
 	if len(ciphers) == 0 {
 		return nil
 	}
 
-	switch version {
-	case openvpn.Openvpn24:
-		return []string{
-			"cipher " + ciphers[0],
-			"ncp-ciphers " + strings.Join(ciphers, ":"),
-		}
-	default: // 2.5 and above
-		return []string{
-			"data-ciphers-fallback " + ciphers[0],
-			"data-ciphers " + strings.Join(ciphers, ":"),
-		}
+	return []string{
+		"data-ciphers-fallback " + ciphers[0],
+		"data-ciphers " + strings.Join(ciphers, ":"),
 	}
 }

internal/provider/utils/cipher_test.go

@@ -20,14 +20,6 @@ func Test_CipherLines(t *testing.T) {
 				"data-ciphers AES",
 			},
 		},
-		"2.4": {
-			ciphers: []string{"AES", "CBC"},
-			version: "2.4",
-			lines: []string{
-				"cipher AES",
-				"ncp-ciphers AES:CBC",
-			},
-		},
 		"2.5": {
 			ciphers: []string{"AES", "CBC"},
 			version: "2.5",
@@ -42,7 +34,7 @@ func Test_CipherLines(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
 
-			lines := CipherLines(testCase.ciphers, testCase.version)
+			lines := CipherLines(testCase.ciphers)
 
 			assert.Equal(t, testCase.lines, lines)
 		})

internal/provider/utils/openvpn.go

@@ -119,7 +119,7 @@ func OpenVPNConfig(provider OpenVPNProviderSettings,
 	}
 
 	ciphers := defaultStringSlice(settings.Ciphers, provider.Ciphers)
-	cipherLines := CipherLines(ciphers, settings.Version)
+	cipherLines := CipherLines(ciphers)
 	lines.addLines(cipherLines)
 
 	auth := defaultString(*settings.Auth, provider.Auth)
@@ -198,16 +198,14 @@ func OpenVPNConfig(provider OpenVPNProviderSettings,
 
 	if *settings.EncryptedKey != "" {
 		encryptedBase64DERKey := *settings.EncryptedKey
-		if settings.Version != openvpn.Openvpn24 {
-			// OpenVPN above 2.4 does not support old encryption schemes such as
-			// DES-CBC, so decrypt and reencrypt the key.
-			// This is a workaround for VPN secure.
-			var err error
-			encryptedBase64DERKey, err = pkcs8.UpgradeEncryptedKey(encryptedBase64DERKey, *settings.KeyPassphrase)
-			if err != nil {
-				// TODO return an error instead.
-				panic(fmt.Sprintf("upgrading encrypted key: %s", err))
-			}
+		// OpenVPN above 2.4 does not support old encryption schemes such as
+		// DES-CBC, so decrypt and reencrypt the key.
+		// This is a workaround for VPN secure.
+		var err error
+		encryptedBase64DERKey, err = pkcs8.UpgradeEncryptedKey(encryptedBase64DERKey, *settings.KeyPassphrase)
+		if err != nil {
+			// TODO return an error instead.
+			panic(fmt.Sprintf("upgrading encrypted key: %s", err))
 		}
 		lines.add("askpass", openvpn.AskPassPath)
 		lines.addLines(WrapOpenvpnEncryptedKey(encryptedBase64DERKey))

internal/provider/vpnunlimited/openvpnconf.go

@@ -2,7 +2,6 @@ package vpnunlimited
 
 import (
 	"github.com/qdm12/gluetun/internal/configuration/settings"
-	"github.com/qdm12/gluetun/internal/constants/openvpn"
 	"github.com/qdm12/gluetun/internal/models"
 	"github.com/qdm12/gluetun/internal/provider/utils"
 )
@@ -20,13 +19,11 @@ func (p *Provider) OpenVPNConfig(connection models.Connection,
 		},
 	}
 
-	if settings.Version != openvpn.Openvpn24 {
-		// VPN Unlimited's certificate is sha1WithRSAEncryption and sha1 is now
-		// rejected by openssl 3.x.x which is used by OpenVPN >= 2.5.
-		// We lower the security level to 0 to allow this algorithm,
-		// see https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
-		providerSettings.TLSCipher = `"DEFAULT:@SECLEVEL=0"`
-	}
+	// VPN Unlimited's certificate is sha1WithRSAEncryption and sha1 is now
+	// rejected by openssl 3.x.x which is used by OpenVPN >= 2.5.
+	// We lower the security level to 0 to allow this algorithm,
+	// see https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
+	providerSettings.TLSCipher = `"DEFAULT:@SECLEVEL=0"`
 
 	return utils.OpenVPNConfig(providerSettings, connection, settings, ipv6Supported)
 }