[change] Upgraded OpenVPN base image to lisenet/openvpn:2.6.17 #574

Merged
nemesifier merged 1 commit into master from upgrade-openvpn
Mar 6, 2026

@pandafy pandafy commented Mar 6, 2026

Checklist

  • I have read the OpenWISP Contributing Guidelines.
  • I have manually tested the changes proposed in this pull request.
  • N/A I have written new test cases for new code and/or updated existing tests for changes to existing code.
  • N/A I have updated the documentation.

Description of Changes

kylemanna/openvpn has not been maintained for the last 6 years. Due to this, the OpenVPN container was running OpenVPN 2.4.

I have changed the base image to lisenet/openvpn which is based on kylemanna/openvpn. This will allow us to run the latest version of OpenVPN.

This patch also fixes the "data_ciphers" field in the OpenVPN configuration which was changed in #566

@pandafy pandafy self-assigned this Mar 6, 2026
@pandafy pandafy moved this from To do (general) to Needs review in OpenWISP Contributor's Board Mar 6, 2026
coderabbitai bot commented Mar 6, 2026

Walkthrough

This PR updates two OpenVPN-related files: images/openwisp_dashboard/openvpn.json changes the data_ciphers from the string "AES-128-GCM:none" to an array of cipher objects [{cipher: "AES-128-GCM", optional: false}, {cipher: "none", optional: false}]; images/openwisp_openvpn/Dockerfile updates the base image from kylemanna/openvpn:2.4 to lisenet/openvpn:2.6.17.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • nemesifier

Pre-merge checks: ✅ 2 passed

  • Title check: ✅ Passed. The title clearly and specifically describes the main change: upgrading the OpenVPN base image to lisenet/openvpn:2.6.17, which aligns with the primary objective of the pull request.
  • Description check: ✅ Passed. The description covers the main changes, includes context about why the upgrade was necessary, and addresses all key sections from the template despite marking some as N/A.

@coderabbitai coderabbitai bot added the enhancement New feature or request label Mar 6, 2026
@github-project-automation github-project-automation bot moved this from Needs review to In progress in OpenWISP Contributor's Board Mar 6, 2026
kylemanna/openvpn has not been maintained for the last 6 years. Due to this,
the OpenVPN container was running OpenVPN 2.4.

I have changed the base image to lisenet/openvpn which is based on
kylemanna/openvpn. This will allow us to run the latest version of
OpenVPN.

Related to #566

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@images/openwisp_openvpn/Dockerfile`:
- Line 2: The Dockerfile currently uses the moving tag "FROM
lisenet/openvpn:2.6.17"; update this to an immutable image tag or digest (for
example "lisenet/openvpn:2.6.17-build37" or the image SHA digest) so builds are
reproducible—edit the FROM line in the Dockerfile to replace
"lisenet/openvpn:2.6.17" with the chosen build-suffixed tag or digest.

📥 Commits

Reviewing files that changed from the base of the PR and between ae3961a and df1afd6.

📒 Files selected for processing (2)
  • images/openwisp_dashboard/openvpn.json
  • images/openwisp_openvpn/Dockerfile
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: CI Build
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: nemesifier
Repo: openwisp/docker-openwisp PR: 0
File: :0-0
Timestamp: 2026-03-02T19:44:00.554Z
Learning: In the OpenVPN configuration (openvpn.json), "none" is included in the data_ciphers field (e.g., "AES-128-GCM:none") for backward compatibility with older configurations or devices.

Applied to files:

  • images/openwisp_dashboard/openvpn.json
🔇 Additional comments (1)
images/openwisp_dashboard/openvpn.json (1)

14-23: This data_ciphers shape matches the current backend schema.

load_init_data.py feeds this JSON straight into model validation, and the OpenVPN backend schema now defines data_ciphers as a list of dicts containing cipher and optional. This change aligns with that contract while still preserving the prior inclusion of none from the old scalar value. (netjsonconfig.openwisp.org)

@@ -1,5 +1,5 @@
# hadolint ignore=DL3007
FROM kylemanna/openvpn:2.4
FROM lisenet/openvpn:2.6.17
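
Review bot: The `# hadolint ignore=DL3007` suppression above the `FROM` line looks stale: DL3007 is hadolint's warning for images tagged `latest`, and both the old and the new `FROM` carry an explicit version tag, so there is nothing for it to silence. Suggest dropping the comment so the linter would catch a later regression to `latest`. Since the same line also moves the base image to a different publisher (`kylemanna/openvpn` to `lisenet/openvpn`), a short Dockerfile comment recording the reason would help future maintainers.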

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

lisenet docker-openvpn tagging strategy build tags

💡 Result:

lisenet/docker-openvpn publishes three tags per build (via GitHub workflows) [1]:

  1. ${OPENVPN_VERSION} (e.g., 2.6.17)
    Tracks the OpenVPN version, but is a “moving” tag (it can be overwritten by later rebuilds for the same OpenVPN version). [1]

  2. ${OPENVPN_VERSION}-build${BUILD_ID} (e.g., 2.6.17-build37)
    Immutable/reproducible tag meant to “preserve builds”; it is not overwritten, so use this if you need a fixed image. [1]
    Docker Hub shows these tags in the registry (for example, 2.6.17, 2.6.17-build37). [2]

  3. latest
    Always updated to the newest build (newest OpenVPN + newest repo changes). [1][2]

Practical recommendation: pin production to X.Y.Z-buildN; use latest only if you want automatic updates; use X.Y.Z if you accept rebuild churn while staying on that OpenVPN minor/patch version. [1]

Sources: [1] [2]


🌐 Web query:

lisenet/openvpn:2.6.17 Docker Hub available tags

💡 Result:

Docker Hub tags for lisenet/openvpn that correspond to OpenVPN 2.6.17 are: 2.6.17 and 2.6.17-build37 (and latest currently points to the same image digest). [1]

Pull examples

  • docker pull lisenet/openvpn:2.6.17 [1]
  • docker pull lisenet/openvpn:2.6.17-build37 [1]

Sources
[1] Docker Hub – lisenet/openvpn tags page (hub.docker.com)


🌐 Web query:

site:github.com lisenet docker-openvpn releases tags

💡 Result:

  • Repo: lisenet/docker-openvpn (GitHub) — tags + releases are published here. [1]
  • Releases page (currently 19 releases; latest is 2.6.17-build37 dated Jan 2, 2026): https://github.com/lisenet/docker-openvpn/releases [1][2]
  • Tags page (shows the same tags; newest tags include 2.6.17-build37, 2.6.16-build36, 2.6.14-build35, 2.6.14-build34, 2.6.14-build33, etc.): https://github.com/lisenet/docker-openvpn/tags [3]

Sources: [1] https://github.com/lisenet/docker-openvpn • [2] https://github.com/lisenet/docker-openvpn/releases • [3] https://github.com/lisenet/docker-openvpn/tags


Pin the base image to an immutable build tag.

lisenet/openvpn:2.6.17 is a moving tag—future rebuilds can silently pull a different image. The upstream project publishes immutable build-suffixed tags (e.g., 2.6.17-build37, released January 2, 2026) for reproducible builds. Pin to 2.6.17-build37 or use a digest instead.

♻️ Proposed fix
-FROM lisenet/openvpn:2.6.17
+FROM lisenet/openvpn:2.6.17-build37
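
Review bot: `2.6.17-build37` in the `+` line is still a tag, so its immutability rests on the upstream publishing convention described above rather than on anything the client verifies at pull time. Suggest appending the digest as well, e.g. `FROM lisenet/openvpn:2.6.17-build37@sha256:<digest>` (placeholder; take the value from the registry), which keeps the readable tag and makes the reference content-addressed.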
📝 Committable suggestion

Suggested change
FROM lisenet/openvpn:2.6.17
FROM lisenet/openvpn:2.6.17-build37
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@images/openwisp_openvpn/Dockerfile` at line 2, The Dockerfile currently uses
the moving tag "FROM lisenet/openvpn:2.6.17"; update this to an immutable image
tag or digest (for example "lisenet/openvpn:2.6.17-build37" or the image SHA
digest) so builds are reproducible—edit the FROM line in the Dockerfile to
replace "lisenet/openvpn:2.6.17" with the chosen build-suffixed tag or digest.
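
The tag-versus-digest distinction raised in the review above can be checked mechanically. The following is an added example, not code from this pull request or from the OpenWISP project: a small auditor that classifies every `FROM` reference in a Dockerfile by how strongly it is pinned. The sample Dockerfile is constructed, the `sha256` value in it is a placeholder, and the function names are hypothetical.

```python
import re

# Constructed sample Dockerfile; the sha256 value is a placeholder, not a real digest.
SAMPLE = """\
# hadolint ignore=DL3007
FROM lisenet/openvpn:2.6.17 AS moving
FROM lisenet/openvpn:2.6.17-build37 AS build_tag
FROM --platform=linux/amd64 lisenet/openvpn:2.6.17-build37@sha256:{d} AS pinned
FROM lisenet/openvpn
FROM moving AS derived
FROM scratch
""".format(d="0" * 64)

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


def classify(ref, stages):
    """Return how strongly one FROM reference is pinned."""
    if ref == "scratch" or ref.lower() in stages:
        return "internal"          # earlier build stage or empty base: no pull
    if "$" in ref:
        return "variable"          # resolved from ARG at build time, cannot judge
    if DIGEST.search(ref):
        return "digest"            # content-addressed reference
    name = ref.split("@")[0]
    # A ':' after the last '/' is a tag; before it, it is a registry port.
    tag = name.rsplit("/", 1)[-1].partition(":")[2]
    if tag in ("", "latest"):
        return "latest"            # the case hadolint DL3007 flags
    return "tag"                   # syntax alone cannot prove a tag is immutable


def audit(dockerfile_text):
    """Return (line_no, reference, verdict) for every FROM instruction."""
    stages, results = set(), []
    for no, line in enumerate(dockerfile_text.splitlines(), 1):
        parts = line.split()
        args = [p for p in parts[1:] if not p.startswith("--")]  # drop --platform=
        if not parts or parts[0].upper() != "FROM" or not args:
            continue
        results.append((no, args[0], classify(args[0], stages)))
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2].lower())  # later FROMs may reference this stage
    return results


if __name__ == "__main__":
    for no, ref, verdict in audit(SAMPLE):
        print(f"line {no}: {ref} -> {verdict}")
```

Both `2.6.17` and `2.6.17-build37` come back as `tag`: nothing in the reference itself distinguishes a moving tag from a build-suffixed one, which is why only the digest form can be enforced by a check like this.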

@nemesifier nemesifier merged commit a92aab4 into master Mar 6, 2026
5 checks passed
@github-project-automation github-project-automation bot moved this from In progress to Done in OpenWISP Contributor's Board Mar 6, 2026
@nemesifier nemesifier deleted the upgrade-openvpn branch March 6, 2026 14:59