SparkLabs Blog.

The latest news and releases.


Viscosity For Mac & Windows: Version 1.7.5

Version 1.7.5 of Viscosity has been released for both Mac and Windows! This release includes a number of small improvements and bug fixes, and updates OpenVPN to versions 2.4.4 and 2.3.18. The OpenVPN updates address a potential security issue related to an old data channel key negotiation method, and users are encouraged to update.

This update also changes the name of Viscosity's TAP network interfaces on macOS from "tap" (e.g. "tap0") to "vtap". This is designed to prevent clashes with other VPN clients installed on the same system that are loading their own version of the TAP driver. We've received reports of some poorly managed clients that were conflicting with Viscosity's TAP support, which this change will resolve. Users with advanced custom scripts or actions may need to update the network interface name accordingly, however no changes are otherwise needed.


Version 1.7.5 Mac Release Notes:

improved: TAP interfaces renamed to vtap to avoid driver clashes
updated: OpenVPN 2.4 updated to version 2.4.4
updated: OpenVPN 2.3 updated to version 2.3.18
fixed: Various bug fixes and enhancements


Version 1.7.5 Windows Release Notes:

updated: OpenVPN updated to version 2.4.4
updated: OpenVPN updated to version 2.3.18
fixed: Various bug fixes and enhancements

The 1.7.5 update can be automatically installed from inside Viscosity, or downloaded and manually installed. For support with this version please visit our support section.

Viscosity For Mac & Windows: Version 1.7.4

Viscosity version 1.7.4 is now available for both Mac and Windows. This update is a maintenance release that includes a number of small bug fixes and improvements. Also included is finalised support for the upcoming macOS 10.13 (High Sierra) release, improved high resolution support for Windows, and updated menu icons for Windows 10 users that look more at home. For further details please refer to the release notes below.


Version 1.7.4 Mac Release Notes:

improved: Improved support for macOS 10.13 (High Sierra)
improved: Enables keyboard navigation of the main menu
improved: Adds a Save Log button to the Details window
fixed: Various bug fixes and enhancements


Version 1.7.4 Windows Release Notes:

improved: New notification area menu icons added
improved: Adds a Save Log button to the Details window
improved: Further interface improvements for high DPI displays
fixed: Various bug fixes and enhancements

The 1.7.4 update can be automatically installed from inside Viscosity, or downloaded and manually installed. For support with this version please visit our support section.

Getting Started Running Your Own VPN Server

Running your own Virtual Private Network (VPN) server is one of the easiest, and indeed recommended, ways to get started using a VPN setup. Whether you want to connect back to your home while on the road, protect yourself while on public Wi-Fi networks, allow your staff to connect securely to your business network while working remotely, or simply want to learn more about how VPNs work, running your own VPN server is a great way to get started.

We often get people reaching out for advice about how to get started running an OpenVPN server to connect to with Viscosity; sadly, there has never been a great resource we could point people to. We've written this blog post to serve as a starting point for those new to setting up a VPN server. If you're also new to the concept of VPNs, be sure to check out our Introduction to VPN guide.

What Do I Need?

To run your own OpenVPN server you only need two things: a device connected to the network that is capable of acting as an OpenVPN server, such as a router or spare computer, and an internet connection.

These days the vast majority of modern home and business routers, as well as many home file and media servers, support acting as an OpenVPN server making it easy to get started. And for those who have a spare computer it's possible to create an even more powerful and high-performance setup.

Server Setup Guides

We've been putting together setup guides for a number of different operating systems and devices. These guides detail the basics of setting up a standard OpenVPN server. They are designed as a starting point for most common OpenVPN server setups.


Guides for Operating Systems:


Guides for Routers and Devices:


However before jumping into one of these guides it's a good idea to see what type of VPN setup you desire and proceed accordingly. We've found most VPN setups fall roughly into one of four categories which are discussed further below.

Accessing a Home Network Remotely

Being able to access your home network remotely can have huge advantages, and using a VPN for remote access ensures that your network and traffic are kept secure. Other techniques, such as port forwarding, may expose your network and its devices. Your VPN setup can be configured to act as though your computer were plugged in at home, or you can limit access to just what you'd like to be available remotely.

Common tasks that a VPN server at home allows include accessing files on your home computer remotely, accessing and streaming your music collection from home, accessing home file servers, accessing home media/video servers (such as Plex), accessing and streaming security camera feeds, and controlling home-automation devices.

When deciding how to set up a VPN server it's best to start with your internet router. Many modern home routers support acting as an OpenVPN server. These are typically straightforward to set up and the easiest way to get started. Check your router's documentation to see if it supports this functionality, and if so, see if we have a guide for it above. Some routers may not have inbuilt OpenVPN server functionality by default, but support custom firmware projects (such as DD-WRT) which do.

However while home routers are easiest to set up they typically have limited VPN performance due to low-power processors and poor hardware-encryption support. If you don't have a router that supports OpenVPN, or you are worried about performance, it may be worth considering using a file-server or spare computer instead.

Some home file/media servers support acting as an OpenVPN server, such as Synology servers. Otherwise an old or spare computer can make a great server. Most old computers will have no trouble hosting a high-performance VPN server, and running your own server in this way will offer you much more customisation, flexibility, and stronger security. Check the guides above to see if there is one for your file server or old computer's operating system (or if formatting the old computer, your operating system of choice).

Accessing a Business Network Remotely

If you're seeking a way to give your staff or contractors a secure way to access your internal business network from a remote location, then this is the setup for you. A VPN allows businesses to not only provide remote access, but also perform advanced access control and authentication so you can restrict users to certain network areas or services.

Most modern workplace environments are behind an enterprise-grade router or gateway, many of which support acting as an OpenVPN server. Check with the documentation of the manufacturer to see whether this is supported for the device/s in use. Popular router and gateway devices/software that support acting as an OpenVPN server include VyOS, pfSense, Sophos UTM, and Ubiquiti EdgeRouters. If you have a supported device check further above for whether we have a setup guide for it.

However, if offering access to a large number of users, it's recommended to use a dedicated VPN server to avoid performance issues. Encrypting a large number of simultaneous connections places a high demand on a device's processor, and many routers and gateway devices can start to struggle, resulting in lowered throughput and performance. In these cases a dedicated on-site computer or virtual machine is recommended.

Please refer to our setup guides further above if choosing a dedicated setup. Often a custom setup allows for more flexibility when configuring a VPN server, allowing different back-ends (such as LDAP or RADIUS) to be used for authentication, along with two-factor authentication options, access control rules, and custom routing. We'll likely be publishing more information about implementing these in the future, so please keep an eye on our blog.

Protecting Your Traffic on Public & Wireless Networks

Public and Wi-Fi networks, such as in a hotel, in a coffee shop, at a conference etc., can be attractive targets for attackers and malicious users who are interested in stealing private data and login credentials. While unencrypted and weakly-encrypted (such as WEP) Wi-Fi networks are thankfully mostly relegated to history, sadly Man-in-the-Middle (MITM) attacks and data sniffing are still very real threats. Indeed, many "free" internet providing networks pay for themselves by harvesting network traffic and selling the data to advertising platforms and companies.

By authenticating and encrypting network traffic between you and a trusted VPN server these kinds of threats are protected against. Viscosity even has obfuscation technology built in to allow VPN connections to establish even when an attacker or network operator is attempting to block VPN traffic.

Setting up a VPN server for this purpose differs in a key way from a home or business VPN server: instead of just making an internal network accessible remotely, you're creating a VPN server to handle all network traffic. This means all network traffic flows through the VPN connection.

A home or business VPN server can be easily set up to handle all traffic - our guides further above cover this scenario. However keep in mind your internet connection's upload speed is your VPN connection's maximum download speed, and for home ADSL/VDSL/FTTN connections this is usually quite poor.

An alternative to running your own VPN server at home/work is to run a server in a datacenter. This avoids any performance pitfalls, and a low-cost Virtual Private Server (VPS) is all that is required. This is covered in more detail below.

Being Your own VPN Service Provider

The final common use-case for running your own server is to act as your own VPN Service Provider. A commercial VPN Service run by a provider is typically a paid subscription service that provides you with different VPN servers around the world to connect to. These services provide an easy way to protect your data on local networks and escape restrictive blocking and censorship, as well as offering an additional level of anonymity by sharing your public IP address with hundreds or thousands of other users.

However, there are times where you may like to be your own provider. You may prefer that your VPN IP address isn't associated with the activity of other potentially malicious users using the same VPN server, which can often result in web sites and services blocking or restricting access. You may find you're able to achieve faster performance when running your own server, or improved latency by setting up a server closer to your physical network location. You may be uncomfortable with the idea of a commercial VPN Service Provider potentially having access to your network traffic. Or you may only need a VPN server for a short period of time. In these instances, you can become your own provider by setting up one or more VPN servers to connect to.

When becoming your own VPN Service Provider it's recommended that any VPN servers you create are hosted in a datacenter to assure performance and accessibility. This can be done cheaply by getting a Virtual Private Server (VPS) with a provider such as Digital Ocean, Vultr, Amazon EC2, etc., rather than needing to go to the expense of co-locating a physical server. At the time of writing typical VPS plans start from around $2.50/month. When signing up for a plan check that the bandwidth and throughput allocations are sufficient for your needs. Also ensure that the VPS server is in the location you desire, whether that means nearby for the lowest latency possible, or in a particular country or city if seeking to use a VPN to escape censorship or geo-restrictions.

The final step when creating a VPS is to choose the operating system it should run, such as Ubuntu. Once you've made this choice, you can follow one of the guides above to complete the setup.

Wrapping Up

We'll be continuing to add new guides for additional operating systems and devices to our support section, so if your device isn't listed above be sure to check the VPN Server Setup Guides support category. For more information about running your own VPN server be sure to also check out the Introduction to Running an OpenVPN Server support article.

Finally, if you have any suggestions for server setup guides you'd like to see please don't hesitate to get in touch with us via email or Twitter.

Viscosity For Mac & Windows: Version 1.7.3

Version 1.7.3 of Viscosity is now available for both Mac and Windows! Version 1.7.3 was released shortly after 1.7.2, and fixes two small regressions introduced in version 1.7.2. This release includes updates to the latest versions of the OpenVPN 2.3 and 2.4 branches.

The OpenVPN updates address a number of recently discovered potential security vulnerabilities in the OpenVPN codebase. While these are considered low-impact for OpenVPN clients, we still encourage all users to update as soon as possible. These vulnerabilities largely centre on DoS (Denial of Service) attacks that could potentially stall or terminate a VPN connection rather than VPN traffic disclosure. However users connecting through HTTP proxies that use NTLM authentication are potentially at risk of memory disclosure if using the proxy through an insecure network environment.


Version 1.7.3 Mac Release Notes:

fixed: Fixes regression where Viscosity will quit after successfully installing the helper


Version 1.7.2 Mac Release Notes:

improved: Improved support for macOS 10.13 (High Sierra)
updated: OpenVPN 2.4 updated to version 2.4.3
updated: OpenVPN 2.3 updated to version 2.3.17
fixed: Various bug fixes and enhancements


Version 1.7.3 Windows Release Notes:

fixed: Resolves issue where Split DNS lookups may fail on multilingual systems
fixed: Various bug fixes and enhancements


Version 1.7.2 Windows Release Notes:

updated: OpenVPN updated to 2.4.3
updated: OpenVPN updated to 2.3.17
fixed: Various bug fixes and enhancements

The 1.7.3 update can be automatically installed from inside Viscosity, or downloaded and manually installed. For support with this version please visit our support section.

Viscosity For Mac & Windows: Version 1.7.1

Version 1.7.1 of Viscosity is now available for both Mac and Windows! This update is largely a maintenance release, fixing a number of small bugs and regressions. Please see the release notes below for the full details.


Version 1.7.1 Mac Release Notes:

updated: OpenSSL updated to version 1.0.2l
fixed: Resolves issue when processing "dhcp-option DNSMODE" commands
fixed: The Allow unsafe commands option will no longer reset when opening Viscosity
fixed: Resolves issue where an acknowledgement request dialog may be empty
fixed: Resolves issue where certain AppleScript commands had no effect
fixed: Various bug fixes and enhancements


Version 1.7.1 Windows Release Notes:

updated: OpenSSL updated to version 1.0.2l
fixed: All ciphers are now available under OpenVPN 2.4
fixed: Various bug fixes and enhancements

The 1.7.1 update can be automatically installed from inside Viscosity, or downloaded and manually installed. For support with this version please visit our support section.

Viscosity For Mac & Windows: Version 1.7

We're very pleased to announce that version 1.7 of Viscosity is now available for both Mac and Windows! This is one of our biggest updates yet, with significant engineering changes for improved speed and performance, new features, and lots of small tweaks and fixes.

There are a number of enhancements to the user interface, including new ways to manage and import connections. Viscosity's main menu has been overhauled to offer more information at a glance and to make active connections more accessible. IP addresses, traffic totals, and traffic rates can now all be displayed alongside the connection status. The Details window has also been updated to display additional connection information, in particular DNS servers and encryption details for active connections.



Viscosity 1.7 adds support for OpenVPN 2.4, which offers new encryption functionality, improved dual-stack IP support, and many small enhancements. As well as OpenVPN 2.4.2, the OpenVPN 2.3 branch has been updated to version 2.3.16.

Viscosity has also seen many internal improvements on both Mac and Windows platforms to boost speed and performance. The Mac version has been re-implemented from the ground up to remove legacy code and adopt more modern APIs. This has a large and noticeable impact on Viscosity's performance, with everything from startup time to connection processing speed enhanced.

A new "Block IPv6 traffic while connected to IPv4-only connections" option has been added to prevent IPv6 traffic leaks when connecting to VPN connections that tunnel all IPv4 traffic only. The Windows version of Viscosity also now uses the Viscosity DNS System for Full DNS Mode (instead of just Split DNS mode) to prevent any potential DNS leaks due to the Windows DNS System changes in the Windows 10 Creators Update.

We're also pleased to introduce traffic obfuscation (obfsproxy) support in Viscosity. By setting up an obfsproxy server and enabling obfuscation in Viscosity you can avoid connectivity problems on networks that may attempt to block or limit VPN connections, such as some Wi-Fi hotspots or censorship prone areas.

Version 1.7 also contains a large assortment of other small improvements, including editor changes, connection management improvements, improved reconnection behaviour, small requested tweaks, and much more. Please refer to the release notes below for a complete list of changes.


Version 1.7 Mac Release Notes:

added: Active connections are now listed separately in the main menu
added: OpenVPN 2.4 Support
added: Traffic obfuscation support (obfsproxy)
added: New right/control click menu for Preferences->Connections
added: Connections can now be imported by dragging them onto the connections list
added: DNS and encryption information now displayed in the Details window
added: New Block IPv6 when connected to an IPv4 only connection option
added: New Automatically reconnect if disconnected option for connections and folders
improved: Significant performance improvements
improved: Significant memory usage improvements
improved: The system Python framework is no longer required
improved: Ability to get additional connection details via AppleScript
improved: Ability to delete multiple selected connections at once
updated: OpenVPN 2.4 updated to version 2.4.2
updated: OpenVPN 2.3 updated to version 2.3.16
updated: OpenSSL updated to version 1.0.2k
fixed: Various bug fixes and enhancements
removed: OS X 10.8 is no longer supported


Version 1.7 Windows Release Notes:

added: Active connections are now listed separately in the notification tray menu
added: OpenVPN 2.4 Support
added: Traffic obfuscation support (obfsproxy)
added: Connections can now be imported by dragging them onto the connections list
added: DNS and encryption information now displayed in the Details window
added: New Block IPv6 when connected to an IPv4-only connection option
added: New Automatically reconnect if disconnected option for connections and folders
improved: DPI scaling improved for multiple windows
improved: Viscosity's DNS System is now used for all DNS modes by default
improved: Use Windows DNS System for Full DNS option to disable the above behaviour
updated: OpenVPN updated to 2.4.2
updated: OpenVPN updated to 2.3.16
updated: OpenSSL updated to 1.0.2k
updated: .NET 4.5.2 or later is now required
fixed: Mitigates against stuck DNS servers caused by a forced reboot
fixed: Scripting return values are no longer localized
fixed: Various bug fixes and enhancements
removed: Windows Vista is no longer supported

Finally, please note that version 1.7 ends support for OS X 10.8 and Windows Vista. OS X 10.9 and Windows 7 are now the minimum operating system versions required to be able to run Viscosity.

The 1.7 update can be automatically installed from inside Viscosity, or downloaded and manually installed. For support with this version please visit our support section.

Viscosity For Mac & Windows: Version 1.6.8

Version 1.6.8 of Viscosity has been released for both Mac and Windows! This release includes a number of improvements and bug fixes, an update to OpenVPN 2.3.14, and an important security fix for the Windows version (more information below).


Version 1.6.8 Mac Release Notes:

improved: PKCS#11 users will now be prompted to insert their token when needed
improved: The connection name is now displayed in challenge and password prompts
improved: Improved support for OpenVPN-AS connection scripts
improved: Unsafe command detection updated to allow commands using safe parameters
updated: OpenVPN updated to version 2.3.14
fixed: Resolves issue where an IPv6 Reachability Check may fail under macOS 10.12
fixed: Resolves potential crash when using the main menu while an alert is visible under macOS 10.12
fixed: Reset network interfaces on disconnect option now behaves correctly for multiple active connections
fixed: Various bug fixes and enhancements


Version 1.6.8 Windows Release Notes:

improved: PKCS#11 users will now be prompted to insert their token when needed
improved: Unsafe command detection updated to allow commands using safe parameters
updated: OpenVPN updated to version 2.3.14
fixed: Security: Fixes a potential privilege escalation attack against Viscosity's service
fixed: Various bug fixes and enhancements

This version includes more fine-grained detection of unsafe commands by now also taking the command's parameters into account. Where previously Viscosity may have blocked a command as unsafe, the command can now be considered safe when certain parameter combinations are used. This should reduce the number of instances where the "Allow unsafe OpenVPN commands to be used" option needs to be enabled, without compromising security.

This version also resolves a security issue that has been identified in the Windows version of Viscosity that could potentially allow a local user to gain elevated privileges. Local machine access is required, it cannot be exploited remotely, and it does not affect the security of VPN connections. We encourage all Windows users to update to version 1.6.8 as soon as possible, particularly those in multi-user or enterprise environments. Thanks to Kacper Szurek for the discovery and notification.

The 1.6.8 update can be automatically installed from inside Viscosity, or downloaded and manually installed. For support with this version please visit our support section.

Viscosity For Mac & Windows: Version 1.6.7

Viscosity version 1.6.7 is now available for both Mac and Windows. This version is a small maintenance release that includes updated versions of OpenVPN and OpenSSL as well as small tweaks and fixes.

The Mac version also includes a work-around for instances where Viscosity may become unresponsive while waiting for a stuck ifconfig process. ifconfig is a system networking tool used by Viscosity and OpenVPN, and there have been reports of it hanging or freezing under OS X 10.11.6 and macOS 10.12.


Version 1.6.7 Mac Release Notes:

updated: OpenVPN updated to version 2.3.13
updated: OpenSSL updated to version 1.0.2j
fixed: Workaround for a potential hang if an ifconfig process is stuck
fixed: Various bug fixes and enhancements


Version 1.6.7 Windows Release Notes:

updated: OpenVPN updated to version 2.3.13
updated: OpenSSL updated to version 1.0.2j
fixed: Various bug fixes and enhancements

The 1.6.7 update can be automatically installed from inside Viscosity, or downloaded and manually installed. For support with this version please visit our support section.

Viscosity For Mac & Windows: Version 1.6.6

Version 1.6.6 of Viscosity has been released for both Mac and Windows! There are a number of new feature additions, improvements, and bug fixes, including an update to OpenVPN 2.3.12.

In particular this release makes it easier to manage multiple connections that share login credentials or scripting actions. Connection folders can now be edited to allow saved credentials to be shared among all connections in the folder, as well as Before Connect, Connected, and Disconnected scripts to be run for all connections in the folder as well. For more information please see Sharing Credentials and Scripts with Multiple Connections.



As part of the update to OpenVPN 2.3.12, a warning message will now be displayed in the connection log if the encryption algorithm (the cipher) being used has a block size of less than 128 bits. This is in response to the recent "Sweet32" attack against ciphers using a 64-bit block size.

While the attack is difficult to exploit, users receiving this warning should consider contacting their VPN Provider and encouraging them to update their OpenVPN configuration to use a more secure cipher, such as AES-128-CBC. For example, this can be easily done by adding the command "cipher AES-128-CBC" to the OpenVPN server and client configurations. For more information, and other available countermeasures, please see the Sweet32 information page.
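
A configuration check for the warning described above, as an added example that is not part of the original post or of Viscosity's own code: it reports the effective "cipher" of an OpenVPN configuration and whether its block size is under 128 bits. The sample configurations and the vpn.example.com host are constructed, and the fallback to BF-CBC when no "cipher" line is present reflects the OpenVPN 2.3 default.

```python
"""Flag OpenVPN configurations whose data-channel cipher has a 64-bit block (Sweet32)."""

# Block size in bits per cipher family, keyed by the leading part of the
# OpenSSL-style names OpenVPN accepts (e.g. "BF-CBC", "DES-EDE3-CBC").
BLOCK_BITS_BY_FAMILY = {
    "BF": 64, "DES": 64, "DESX": 64, "CAST5": 64, "IDEA": 64, "RC2": 64,
    "AES": 128, "CAMELLIA": 128, "SEED": 128,
}

# OpenVPN 2.3 falls back to this cipher when the config has no "cipher" line,
# so a config that never mentions a cipher is still affected.
DEFAULT_CIPHER = "BF-CBC"


def block_bits(cipher):
    """Return the block size in bits, or None if the cipher is not recognised."""
    family = cipher.upper().split("-", 1)[0]
    return BLOCK_BITS_BY_FAMILY.get(family)


def effective_cipher(config_text):
    """Return (cipher, explicit); a later "cipher" line overrides an earlier one."""
    cipher, explicit = DEFAULT_CIPHER, False
    inline_tag = None  # name of the inline block (<ca>, <key>, ...) being skipped
    for raw in config_text.splitlines():
        line = raw.strip()
        if inline_tag:
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline_tag = line[1:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        tokens = line.split()
        if tokens[0] == "cipher" and len(tokens) >= 2:
            cipher, explicit = tokens[1], True
    return cipher, explicit


def audit(config_text):
    """Summarise the cipher in use and whether it would trigger the warning."""
    cipher, explicit = effective_cipher(config_text)
    bits = block_bits(cipher)
    return {
        "cipher": cipher,
        "explicit": explicit,
        "block_bits": bits,
        "sweet32_warning": bits is not None and bits < 128,
    }


# Constructed sample configurations (not taken from any real provider).
SAMPLES = {
    "default.ovpn": """
client
dev tun
remote vpn.example.com 1194 udp
<ca>
(certificate omitted)
</ca>
""",
    "3des.ovpn": """
client
dev tun
remote vpn.example.com 1194 udp
cipher DES-EDE3-CBC
""",
    "aes.ovpn": """
client
dev tun
remote vpn.example.com 1194 udp
; old setting kept for reference
;cipher BF-CBC
cipher AES-128-CBC  # the cipher suggested in the post
""",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        result = audit(text)
        source = "set in config" if result["explicit"] else "OpenVPN default"
        status = "WARN 64-bit block" if result["sweet32_warning"] else "ok"
        print(f"{name}: {result['cipher']} ({source}) -> {status}")
```

The first sample shows the case that is easy to miss: a configuration with no "cipher" line still uses a 64-bit block cipher, so the fix has to be added explicitly on both server and client.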


Version 1.6.6 Mac Release Notes:

added: Connections inside a folder can now optionally share saved credentials
added: AppleScript scripts can now be assigned to run for all connections inside a folder
updated: OpenVPN updated to version 2.3.12
fixed: Various bug fixes and enhancements


Version 1.6.6 Windows Release Notes:

added: Connections inside a folder can now optionally share saved credentials
added: Batch and VBS scripts can now be assigned to run for all connections inside a folder
updated: OpenVPN updated to version 2.3.12
fixed: Various bug fixes and enhancements

The 1.6.6 update can be automatically installed from inside Viscosity, or downloaded and manually installed. For support with this version please visit our support section.

Viscosity For Mac & Windows: Version 1.6.5

Viscosity version 1.6.5 is now available for both Mac and Windows. This version includes a number of improvements for Mac users with IPv6 enabled VPN connections and networks, as well as an array of small bug fixes and improvements for both Mac and Windows platforms. The Windows version also updates the VPN Network Adapter driver to better support future Windows versions.


Version 1.6.5 Mac Release Notes:

added: Automatic IPv6 configuration will be automatically enabled/disabled as required for bridged TAP connections
improved: Removes "Display menu icon on right side of menu bar" option under macOS 10.12. The icon can now be rearranged by holding down the Command key and dragging the icon.
improved: The Reset network interfaces on disconnect option is now faster and more effective
fixed: Manual IPv6 addresses will now stay assigned for bridged TAP connections
fixed: Various bug fixes and enhancements


Version 1.6.5 Windows Release Notes:

updated: VPN Network Adapter driver updated
fixed: Various bug fixes and enhancements

The 1.6.5 update can be automatically installed from inside Viscosity, or downloaded and manually installed. For support with this version please visit our support section.