Phillip Moore's picture

Hello, I had a simple question.  If I'm installing OpenVPN turnkey, does it always install the latest OpenVPN with all the security updates?  Or is it a statically set version of OpenVPN?

My guess is it uses openvpn from the Debian repository as if it were doing an install like "apt-get install openvpn".

Also how are updates handled?  Are they also handled from the Debian repository like "apt-get upgrade openvpn"?

I was a little unclear on how that actually worked.  Any information is appreciated, thanks!

Jeremy Davis's picture

There are pluses and minuses of both options although generally the Debian version will be more secure for the average user hence why we go with that one. It also has a lower maintenance overhead for us. Obviously reduced overhead isn't a totally compelling reason on its own but if everything else stacks up it's hard to argue with when you are giving it away! :)

TurnKey appliances are configured to automatically check (via cron) the Debian (and TurnKey) security repos every day and if security patched software is available then it also auto installs. So essentially yes an "apt-get update && apt-get install openvpn" but only if a patch is available via the security repo. If for some reason a non-security update was released you would need to manually trigger the installation of that. This level of automated security patching combined with rock solid stability is just not possible using upstream software.

The obvious downside though is that the version is "stuck" and you don't get any new features. In the case of v13.0 (based on Debian Wheezy) that's v2.2.1; in the upcoming v14.0 (based on Debian Jessie) it's v2.3.4. Whilst that trade off won't work for everyone, it's good enough for us in the case of OpenVPN.

The TurnKey appliance also contains some helper scripts to assist initial config and setup of your VPN (depending on what you want from it). It might also interest you that (as hinted above) we are working on the v14.0 (Jessie based) release right now (see here for the most recent public progress report). The OpenVPN build code has been updated and builds successfully. We haven't yet properly run it through its paces though so if you have an interest in OpenVPN and would like to see if there is anything that doesn't do what it should or ways that you might make it better, then now is the ideal time! :) You can build an ISO if you are interested or let me know and I'll upload one somewhere to test...
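
The split described in the reply above (security-repo patches install automatically, anything else needs a manual upgrade) can be checked on a Debian-based system by classifying the `Inst` lines that `apt-get -s upgrade` prints. This is an added example, not part of the original thread and not TurnKey's own tooling; the function name, the sample lines and the rule that a source label containing "Security" marks the security repo are assumptions.

```shell
#!/bin/sh
# Added example: classify pending upgrades from `apt-get -s upgrade` output.
# Simulation lines have the shape:
#   Inst <pkg> [<installed>] (<candidate> <Label>:<suite> [<arch>])
# Assumption: a source label containing "Security" is the security repo.

# Reads simulation output on stdin; prints "<auto|manual> <pkg> <sources>".
classify_upgrades() {
    awk '
        $1 == "Inst" {
            src = ""; seen = 0
            for (i = 3; i <= NF; i++) {
                # Skip everything up to and including the "(candidate" field.
                if (!seen) { if (substr($i, 1, 1) == "(") seen = 1; continue }
                # The "[arch])" field ends the list of sources.
                if (substr($i, 1, 1) == "[") break
                src = src $i
            }
            kind = (src ~ /[Ss]ecurity/) ? "auto" : "manual"
            print kind, $2, src
        }
    '
}

# Constructed sample output (package versions and examplepkg are made up).
SAMPLE='Reading package lists...
Inst openvpn [2.2.1-8+deb7u2] (2.2.1-8+deb7u3 Debian-Security:7.0/oldstable [amd64])
Inst examplepkg [1.0-1] (1.1-1 Debian:7.8/oldstable [all])
Conf openvpn (2.2.1-8+deb7u3 Debian-Security:7.0/oldstable [amd64])'

printf '%s\n' "$SAMPLE" | classify_upgrades
# On a live system: apt-get update && apt-get -s upgrade | classify_upgrades
```

Packages reported as `manual` are the non-security updates that, per the reply above, would need to be installed by hand.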

Phillip Moore's picture

Thank you for your response.  That is exactly the information I was looking for.  For work I think I'll just plan on using the Debian Wheezy OpenVPN build.  Though I do have a home lab and would definitely like to try out the Debian Jessie OpenVPN build.  I will try and work on building an ISO.  If I have any issues, maybe I can let you know and get some then.  Thank you again!

Jeremy Davis's picture

The Wheezy based v13.0 should be fine for your immediate (work) purposes.

With the success of the Squeeze LTS extended life I would expect that Wheezy will also go LTS. AFAIK the Debian LTS team are negotiating with the Debian security team to take over the Debian security repo (once Wheezy goes LTS) so you won't even need to adjust the repos to use LTS...

Assuming they get that all sorted out, that will give you another ~5yrs of auto security updates! :)

And yes we would LOVE your testing, feedback and/or input! The more the merrier! Even post release if you have any improvements or other feedback to offer we'd love to hear it. :)

Any issues you have with TKLDev let me know and I'll help out.

Phillip Moore's picture

Thanks, I got the TKLDev ISO for 14.0rc1 and installed it as a virtual on my XenServer.  The instructions got me through it pretty well.  From there I was able to pull in OpenVPN from github and then make the ISO.  I then was able to create the Turnkey 14 OpenVPN w/o any issues.  I'm sort of used to the Access Server OpenVPN, so now I'm just trying to figure out how the OpenVPN works w/o it, lol.  Before we would always use Turnkey Core and then just install the Access Server from OpenVPN's website.

One thing that threw me off a little was that the webmin service didn't run on initial boot, but maybe it usually does that, I don't remember.
