Regression #16825
closed
Shared Key OpenVPN tunnels need directive to bypass deprecation error
100%
Description
Starting with OpenVPN 2.7, OpenVPN has further moved to deprecate shared key tunnels. OpenVPN will fail to start with a shared key setup without a new directive acknowledging the deprecation:
allow-deprecated-insecure-static-crypto
Recent development snapshot builds now include OpenVPN 2.7.x, so existing shared key tunnels are failing to start.
This small change works around it and allows it to continue functioning.
diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc
index 23fce38576..7d52119566 100644
--- a/src/etc/inc/openvpn.inc
+++ b/src/etc/inc/openvpn.inc
@@ -1319,6 +1319,7 @@ function openvpn_reconfigure($mode, $settings) {
// Write the settings for the keys
switch ($settings['mode']) {
case 'p2p_shared_key':
+ $conf .= "allow-deprecated-insecure-static-crypto\n";
openvpn_add_keyfile($settings['shared_key'], $conf, $mode_id, "secret");
break;
case 'p2p_tls':
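Review bot: the new `$conf .= "allow-deprecated-insecure-static-crypto\n";` line under `case 'p2p_shared_key':` has no comment saying why it is there or when it can go. A short comment that OpenVPN 2.7 refuses to start shared key tunnels without it, and that the mode is removed in 2.8, would keep the next reader from treating it as a permanent default. The line is also written unconditionally, so the deprecation is acknowledged on the user's behalf with nothing in this hunk telling them; consider pairing it with a log entry or notice for tunnels in this mode. Since the description calls the directive new, it is also worth confirming that every OpenVPN version this file can be generated for accepts it.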
Shared Key mode will be completely removed from OpenVPN 2.8, so users should migrate to TLS configurations ASAP.
Updated by Jim Pingle about 1 month ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Fixed by commit 7a1ab55cdecbdc969a167ad41f1fe2762c3872de
Updated by Georgiy Tyutyunnik 22 days ago
- Status changed from Feedback to Resolved
tested on:
26.07-DEVELOPMENT (amd64)
built on Thu May 14 6:00:00 UTC 2026
FreeBSD 16.0-CURRENT
works, openvpn server config with shared key now includes
allow-deprecated-insecure-static-crypto
by default, starts normally
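To find which tunnels still depend on shared key mode before the 2.8 removal mentioned in the description, the following is an added example, not pfSense code and not part of this issue. It classifies an OpenVPN config read on stdin; the function names, the result labels and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not pfSense code): classify an OpenVPN config read on stdin.
# Static key mode is selected by the "secret" directive, given either as a
# file path or as an inline <secret> block. Result labels are hypothetical.
classify_ovpn_conf() {
    awk '
        { sub(/^[ \t]+/, "") }               # drop leading whitespace
        /^[#;]/ || /^$/ { next }             # skip comments and blank lines
        /^<\/[a-z0-9-]+>/ { inblk = 0; next }  # end of an inline block
        /^<[a-z0-9-]+>/ {                    # start of an inline block
            if ($1 == "<secret>") static = 1
            inblk = 1; next
        }
        inblk { next }                       # key/cert material, not directives
        $1 == "secret" { static = 1 }
        $1 == "allow-deprecated-insecure-static-crypto" { ack = 1 }
        END {
            if (!static)  print "not-shared-key"
            else if (ack) print "shared-key-acknowledged"
            else          print "shared-key-unacknowledged"
        }'
}

# Constructed sample: a shared key tunnel written without the new directive.
sample_conf_legacy() {
    cat <<'EOF'
dev ovpns1
proto udp4
; secret in a comment must be ignored
ifconfig 10.0.8.1 10.0.8.2
secret /path/to/shared.key
EOF
}

printf 'sample: %s\n' "$(sample_conf_legacy | classify_ovpn_conf)"
```

A result of `shared-key-unacknowledged` marks a config that OpenVPN 2.7 will refuse to start; both `shared-key-*` results mark tunnels that need a TLS migration before 2.8.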