Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>

2006.01.xx -- Version 2.1-beta9

* Added --management-client option to connect as a client
  to management GUI app rather than be connected to as a

2006.01.03 -- Version 2.1-beta8

* --remap-usr1 will now also remap signals thrown during
* Added --connect-timeout option to control the timeout
  on TCP client connection attempts (doesn't work on all
  OSes). This patch also makes OpenVPN signalable during
  TCP connection attempts.
* Fixed bug in acinclude.m4 where capability of compiler
  to handle zero-length arrays in structs is tested
* Fixed typo in manage.c where inline function declaration
  was declared without the "static" keyword (David Stipp).
* Patch to support --topology subnet on Mac OS X (Mathias Sundman).
* Added --auto-proxy directive to auto-detect HTTP or SOCKS
  proxy settings (currently Windows only).
* Removed redundant base64 code.
* Better sanity checking of --server and --server-bridge
  IP pool ranges, so as not to hit the assertion at
* Fixed bug where --daemon and --management-query-passwords
  used together would cause OpenVPN to block prior to
* Fixed client/server race condition which could occur
  when --auth-retry interact is set and the initially
  provided auth-user-pass credentials are incorrect,
  forcing a username/password re-query.
* Fixed bug where if --daemon and --management-hold are
  used together, --user or --group options would be ignored.
* --ip-win32 adaptive is now the default.
* --ip-win32 netsh (or --ip-win32 adaptive when in netsh
  mode) can now set DNS/WINS addresses on the TAP-Win32
* Added new option --route-method adaptive (Win32)
  which tries IP helper API first, then falls back to
* Made --route-method adaptive the default.

2005.11.12 -- Version 2.1-beta7

* Allow blank passwords to be passed via the management
* Fixed bug where "make check" inside a FreeBSD "jail"
  would never complete (Matthias Andree).
* Fixed bug where --server directive in --dev tap mode
  claimed that it would support subnets of /30 or less
  but actually would only accept /29 or less.
* Extend byte counters to 64 bits (M. van Cuijk).
* Fixed bug in Linux get_default_gateway function
  introduced in 2.0.4, which would cause redirect-gateway
  on Linux clients to fail.
* Moved easy-rsa 2.0 scripts to easy-rsa/2.0 to
  be compatible with 2.0.x distribution.
* Documented --route-nopull.
* Documented --ip-win32 adaptive.
* Windows build now linked with LZO2.
* Allow ca, cert, key, and dh files to be specified
  inline via XML-like syntax without needing to
  reference an explicit file.
* Allow plugin and push directives to have multi-line
  parameter lists such as:
* Added connect-retry-max option (Alon Bar-Lev).
* Fixed problems where signals thrown during initialization
  were not returning to a management-hold state.
* Added a backtrack-hardened system time algorithm.
* Added --remote-cert-ku, --remote-cert-eku, and
  --remote-cert-tls options for verifying certificate
  attributes (Alon Bar-Lev).
* For Windows, reverted --ip-win32 default back to "dynamic".
  To use new adaptive mode, set explicitly.

2005.11.01 -- Version 2.1-beta6

* Security fix (merged from 2.0.4) -- Affects non-Windows
  OpenVPN clients of version 2.0 or higher which connect to
  a malicious or compromised server. A format string
  vulnerability in the foreign_option function in options.c
  could potentially allow a malicious or compromised server
  to execute arbitrary code on the client. Only
  non-Windows clients are affected. The vulnerability
  only exists if (a) the client's TLS negotiation with
  the server succeeds, (b) the server is malicious or
  has been compromised such that it is configured to
  push a maliciously crafted options string to the client,
  and (c) the client indicates its willingness to accept
  pushed options from the server by having "pull" or
  "client" in its configuration file (Credit: Vade79).
* Security fix -- (merged from 2.0.4) Potential DoS
  vulnerability on the server in TCP mode. If the TCP
  server accept() call returns an error status, the resulting
  exception handler may attempt to indirect through a NULL
  pointer, causing a segfault. Affects all OpenVPN 2.0 versions.
* Fix attempt of assertion at multi.c:1586 (note that
  this precise line number will vary across different
  versions of OpenVPN).
* Windows reliability changes:
    (a) Added code to make sure that the local PATH environmental
        variable points to the Windows system32 directory.
    (b) Added new --ip-win32 adaptive mode which tries 'dynamic'
        and then fails over to 'netsh' if the DHCP negotiation fails.
    (c) Made --ip-win32 adaptive the default.
* More PKCS#11 additions/changes (Alon Bar-Lev).
* Added ".PHONY: plugin" to Makefile.am to work around
* Fixed double fork issue that occurs when --management-hold
* Moved TUN/TAP read/write log messages from --verb 8 to 6.
* Warn when multiple clients having the same common name or
  username usurp each other when --duplicate-cn is not used.
* Modified Windows and Linux versions of get_default_gateway
  to return the route with the smallest metric
  if multiple 0.0.0.0/0.0.0.0 entries are present.
* Added ">NEED-OK" alert and "needok" command to management
  interface to provide a general interface for sending
  alerts to the end-user. Used by the PKCS#11 code
  to send Token Insertion Requests to the user.
* Added actual remote address used to the ">STATE" alert
  in the management interface (Rolf Fokkens).

2005.10.17 -- Version 2.1-beta4

* Fixed bug introduced in 2.1-beta3 where management
  socket bind would fail.
* --capath fix in ssl.c (Zhuang Yuyao).
* Added ".PHONY: plugin" to Makefile.am, reverted
  location of "plugin" directory (thanks to
  Matthias Andree for figuring this out).

2005.10.16 -- Version 2.1-beta3

* Added PKCS#11 support (Alon Bar-Lev).
* Enable the use of --ca together with --pkcs12. If --ca is
  used at the same time as --pkcs12, the CA certificate is loaded
  from the file specified by --ca regardless if the pkcs12 file
  contains a CA cert or not (Mathias Sundman).
* Merged --capath patch (Thomas Noel).
* Merged --multihome patch.
* Added --bind option for TCP client connections (Ewan Bhamrah
* Moved "plugin" directory to "plugins" to deal with strange
  automake problem that ended up being also fixable with
  ".PHONY: plugin" in Makefile.am.

2005.10.13 -- Version 2.1-beta2

* Made --sndbuf and --rcvbuf pushable.

2005.10.01 -- Version 2.1-beta1

* Made LZO setting pushable.
* Renamed sample-keys/tmp-ca.crt to ca.crt.
* Fixed bug where remove_iroutes_from_push_route_list
  was missing routes if those routes had
  an implied netmask (by omission) of 255.255.255.255.
* Merged with 2.0.3-rc1
* easy-rsa/2.0 moved to easy-rsa
* old easy-rsa moved to easy-rsa/1.0

2005.09.23 -- Version 2.0.2-TO4

* Added feature to TAP-Win32 adapter to allow it to be
  opened from non-administrator mode. This feature
  is enabled by default, and can be enabled/disabled
  in the adapter advanced properties dialog.
* Added --allow-nonadmin standalone option for Windows to
  set TAP adapter to allow non-admin access. This
  is a user-mode version of the code, and duplicates
  the same feature as the above entry.
* Added fix that attempts to solve corner case of tunnel not
  forwarding packets when system clock is reset to an earlier time.
* Added --redirect-gateway bypass-dns option. (Developers:
  To add bypass-dhcp or bypass-dns support to other OSes,
  add a get_bypass_addresses function to route.c for
* Added OPENVPN_PLUGIN_CLIENT_CONNECT_V2 plugin callback, which
  allows a client-connect plugin to return configuration text
  in memory, rather than via a file.
* Fixed a bug where --mode server --proto tcp-server --cipher none
  operation could cause tunnel packet truncation.
* openvpn --version will show [LZO1] or [LZO2], depending on
  version that was linked.

2005.09.07 -- Version 2.0.2-TO1

* Added --topology directive. See man page.
* Added --redirect-gateway bypass-dhcp option to add a route
  allowing DHCP packets to bypass the tunnel, when the
  DHCP server is non-local. Currently only implemented
* Modified OpenVPN Service on Windows to declare the DHCP
  client service as a dependency.
* Extended the plugin interface to allow plugins to declare
  per-client constructor and destructor functions, to make
  it simpler for plugins to maintain per-client state.

2005.09.25 -- Version 2.0.3-rc1

* openvpn_plugin_abort_v1 function wasn't being properly
  registered on Windows.
* Fixed a bug where --mode server --proto tcp-server --cipher none
  operation could cause tunnel packet truncation.

2005.08.25 -- Version 2.0.2

* No change from 2.0.2-rc1.

2005.08.24 -- Version 2.0.2-rc1

* Fixed regression bug in Win32 installer, introduced in 2.0.1,
  which incorrectly set OpenVPN service to autostart.
* Don't package source code zip file in Windows installer
  in order to reduce the size of the installer. The source
  zip file can always be downloaded separately if needed.
* Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD
  version of get_default_gateway. Allocated socket for route
  manipulation is never freed so number of mbufs continuously
  grow and exhaust system resources after a while (Jaroslav Klaus).
* Fixed bug where "--proto tcp-server --mode p2p --management
  host port" would cause the management port to not respond until
  the OpenVPN peer connects.
* Modified pkitool script to be /bin/sh compatible (Johnny Lam).

2005.08.16 -- Version 2.0.1

* Security Fix -- DoS attack against server when run with "verb 0" and
  without "tls-auth". If a client connection to the server fails
  certificate verification, the OpenSSL error queue is not properly
  flushed, which can result in another unrelated client instance on the
  server seeing the error and responding to it, resulting in disconnection
  of the unrelated client (CAN-2005-2531).
* Security Fix -- DoS attack against server by authenticated client.
  This bug presents a potential DoS attack vector against the server
  which can only be initiated by a connected and authenticated client.
  If the client sends a packet which fails to decrypt on the server,
  the OpenSSL error queue is not properly flushed, which can result in
  another unrelated client instance on the server seeing the error and
  responding to it, resulting in disconnection of the unrelated client
* Security Fix -- DoS attack against server by authenticated client.
  A malicious client in "dev tap" ethernet bridging mode could
  theoretically flood the server with packets appearing to come from
  hundreds of thousands of different MAC addresses, causing the OpenVPN
  process to deplete system virtual memory as it expands its internal
  routing table. A --max-routes-per-client directive has been added
  (default=256) to limit the maximum number of routes in OpenVPN's
  internal routing table which can be associated with a given client
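The per-client cap described in the entry above, as an added illustration that is not OpenVPN's own mroute code: a hypothetical bridged-mode MAC learning table that refuses to learn a new source address once a client has reached its quota (256, the page's default), so one flooding client cannot grow the table without bound while other clients keep working. Table sizes and MAC values are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical learning table, not OpenVPN's own implementation. */
#define MAX_ROUTES_PER_CLIENT 256   /* matches the --max-routes-per-client default on the page */
#define MAX_CLIENTS 8               /* constructed limit for this example */
#define TABLE_SIZE 2048             /* constructed total capacity for this example */

struct learned_route {
    uint8_t mac[6];
    int client_id;
    int used;
};

struct route_table {
    struct learned_route entries[TABLE_SIZE];
    int routes_per_client[MAX_CLIENTS];
    int max_routes_per_client;
};

void route_table_init(struct route_table *t, int max_per_client)
{
    memset(t, 0, sizeof(*t));
    t->max_routes_per_client = max_per_client;
}

static struct learned_route *find_route(struct route_table *t, const uint8_t mac[6])
{
    for (int i = 0; i < TABLE_SIZE; i++)
        if (t->entries[i].used && memcmp(t->entries[i].mac, mac, 6) == 0)
            return &t->entries[i];
    return NULL;
}

/* Returns 1 if mac is (now) associated with client_id, 0 if the request was refused. */
int learn_address(struct route_table *t, int client_id, const uint8_t mac[6])
{
    if (client_id < 0 || client_id >= MAX_CLIENTS)
        return 0;
    struct learned_route *r = find_route(t, mac);
    if (r) {
        if (r->client_id == client_id)
            return 1;   /* already known from this client: nothing to allocate */
        /* MAC moved between clients: the new owner must still have quota left */
        if (t->routes_per_client[client_id] >= t->max_routes_per_client)
            return 0;
        t->routes_per_client[r->client_id]--;
        r->client_id = client_id;
        t->routes_per_client[client_id]++;
        return 1;
    }
    /* New MAC: enforce the per-client cap before taking a table slot */
    if (t->routes_per_client[client_id] >= t->max_routes_per_client)
        return 0;
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (!t->entries[i].used) {
            memcpy(t->entries[i].mac, mac, 6);
            t->entries[i].client_id = client_id;
            t->entries[i].used = 1;
            t->routes_per_client[client_id]++;
            return 1;
        }
    }
    return 0;   /* table full: refuse rather than grow without bound */
}

/* Replays the flood scenario from the changelog: one client presenting many
 * distinct source MACs. Returns how many of them were accepted. */
int simulate_flood(struct route_table *t, int client_id, int attempts)
{
    int accepted = 0;
    for (int i = 0; i < attempts; i++) {
        uint8_t mac[6] = {0x02, 0x00, 0x00, (uint8_t)(i >> 16), (uint8_t)(i >> 8), (uint8_t)i};
        accepted += learn_address(t, client_id, mac);
    }
    return accepted;
}

/* Accepted count for a client that tries 1000 addresses; capped at 256. */
int demo_flood_accepted(void)
{
    static struct route_table t;
    route_table_init(&t, MAX_ROUTES_PER_CLIENT);
    return simulate_flood(&t, 0, 1000);
}

/* A second, well-behaved client can still learn an address after the flood. */
int demo_other_client_unaffected(void)
{
    static struct route_table t;
    route_table_init(&t, MAX_ROUTES_PER_CLIENT);
    simulate_flood(&t, 0, 1000);
    const uint8_t mac[6] = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55};
    return learn_address(&t, 1, mac);
}

int main(void)
{
    printf("flooding client: %d of 1000 addresses accepted\n", demo_flood_accepted());
    printf("other client learn result: %d\n", demo_other_client_unaffected());
    return 0;
}
```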
* Security Fix -- DoS attack against server by authenticated client.
  If two or more client machines try to connect to the server at the
  same time via TCP, using the same client certificate, and when
  --duplicate-cn is not enabled on the server, a race condition can
  crash the server with "Assertion failed at mtcp.c:411"
* Fixed server bug where under certain circumstances, the client instance
  object deletion function would try to delete iroutes which had never been
  added in the first place, triggering "Assertion failed at mroute.c:349".
* Added --auth-retry option to prevent auth errors from being fatal
  on the client side, and to permit username/password requeries in case
  of error. Also controllable via new "auth-retry" management interface
  command. See man page for more info.
* Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0
* Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1'
* Implement "make check" to perform loopback tests (Matthias Andree).

2005.07.21 -- Version 2.0.1-rc7

* Support LZO 2.01 which renamed its library to lzo2 (Matthias Andree).
* Include linux/types.h before checking for linux/errqueue.h (Matthias

2005.07.15 -- Version 2.0.1-rc6

* Commented out "user nobody" and "group nobody" in sample
  client/server config files.
* Allow '@' character to be used in --client-config-dir

2005.07.04 -- Version 2.0.1-rc5

* Windows version will log a for-further-info URL when
  initialization sequence is completed with errors.
* Added DLOPEN_PAM parameter to plugin/auth-pam/Makefile
  to control whether auth-pam plugin links to PAM via
  dlopen or -lpam. By default, DLOPEN_PAM=1 so pre-existing
  behavior should be preserved. DLOPEN_PAM=0 is the preferred
  setting to link via -lpam, but DLOPEN_PAM=1 works around
  a bug in SuSE 9.1 (and possibly other distros as well)
  where the PAM modules are not linked with -lpam. See
  thread on openvpn-devel for more discussion about this
  patch (Simon Perreault).

2005.06.15 -- Version 2.0.1-rc4

* Support LZO 2.00, including changes to configure script to
  autodetect LZO version.

2005.06.12 -- Version 2.0.1-rc3

* Fixed a bug which caused standard file handles to not be closed
  after daemonization when --plugin and --daemon are used together,
  and if the plugin initialization function forks (as does auth-pam
  and down-root) (Simon Perreault).
* Added client-side up/down scripts in contrib/pull-resolv-conf
  for accepting server-pushed "dhcp-option DOMAIN" and "dhcp-option DNS"
  on Linux/Unix systems (Jesse Adelman).
* Fixed bug where if client-connect scripts/plugins were cascaded,
  and one (but not all) of them returned an error status, there might
  be cases where for an individual script/plugin, client-connect was
  called but not client-disconnect. The goal of this fix is to
  ensure that if client-connect is called on a given client instance,
  then client-disconnect will definitely be called. A potential
  complication of this fix is that when client-connect functions are
  cascaded, it's possible that the client-disconnect function would
  be called in cases where the related client-connect function returned
  an error status. This fix should not alter OpenVPN behavior when
  scripts/plugins are not cascaded.
* Changed the hard-to-reproduce "Assertion failed at fragment.c:312"
  fatal error to a warning: "FRAG: outgoing buffer is not empty".
  Need more info on how to reproduce this one.
* When --duplicate-cn is used, the --ifconfig-pool allocation
  algorithm will now allocate the first available IP address.
* When --daemon and --management-hold are used together,
  OpenVPN will daemonize before it enters the management hold state.

2005.05.16 -- Version 2.0.1-rc2

* Modified vendor test in openvpn.spec file to match against
  "Mandrakesoft" in addition to "MandrakeSoft".
* Using --iroute in a --client-config-dir file while in --dev tap
  mode is not currently supported and will produce a warning
  message. Fixed bug where in certain cases, in addition to
  generating a warning message, this combination of options
  would also produce a fatal assertion in mroute.c.
* Pass --auth-user-pass username to server-side plugin without
  performing any string remapping (plugins, unlike scripts,
  don't get any security benefit from string remapping).
  This is intended to fix an issue with openvpn-auth-pam/pam_winbind
  where backslash characters in a username ('\') were being remapped
* Updated OpenSSL DLLs in Windows build to 0.9.7g.
* Documented --explicit-exit-notify in man page.
* --explicit-exit-notify seconds parameter defaults to 1 if

2005.04.30 -- Version 2.0.1-rc1

* Fixed bug where certain kinds of fatal errors after
  initialization (such as port in use) would leave plugin
  processes (such as openvpn-auth-pam) still running.
* Added optional openvpn_plugin_abort_v1 plugin function for
  closing initialized plugin objects in the event of a fatal
  error by main OpenVPN process.
* When the --remote list is > 1, and --resolv-retry is not
  specified (meaning that it defaults to "infinite"), apply the
  infinite timeout to the --remote list as a whole, but try each
  list item only once before moving on to the next item.
* Added new --syslog directive which redirects output
  to syslog without requiring the use of the --daemon or --inetd
* Added openvpn.spec option to allow RPM to be built with support
  for passwords read from a file:
    rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1'

2005.04.17 -- Version 2.0

* Fixed minor options string typo in options.c.

2005.04.10 -- Version 2.0-rc21

* Change license description from "GPL Version 2 or (at your
  option) any later version" to just "GPL Version 2".

2005.04.04 -- Version 2.0-rc20

* Dag Wieers has put together an OpenVPN/LZO binary RPM set with
  excellent distro/version coverage for RH/EL/Fedora, though
  using his own SPEC. I modified openvpn.spec to follow some of
  the same conventions such as putting sample scripts and doc
  files in %doc rather than /usr/share/openvpn.
* Minor change to init scripts to run the user-defined script
  /etc/openvpn/openvpn-startup (if it exists) before any OpenVPN
  configs are started, and to run /etc/openvpn/openvpn-shutdown
  after all OpenVPN configs have been stopped. The
  openvpn-startup script can be used for stuff like
  insmod tun.o, setting up firewall rules, or starting

2005.03.29 -- Version 2.0-rc19

* Omit additions of routes where the network and
  gateway are equal and the netmask is 255.255.255.255.
  This can come up if you are using both
  server/ifconfig-pool and client-config-dir with
  ifconfig-push static addresses for some subset of clients
  which directly reference the server IP address as the

2005.03.28 -- Version 2.0-rc18

* Packaged Windows installer with OpenSSL 0.9.7f.
* Built Windows installer with NSIS 2.06.

2005.03.12 -- Version 2.0-rc17

* "MANAGEMENT: CMD" log file output will now only occur
  at --verb 7 or greater.
* Added an optional name/value configuration list to
  the openvpn-auth-pam plugin module argument list. See
  plugin/auth-pam/README for documentation. This is necessary
  in order for openvpn-auth-pam to work with queries generated
  by arbitrary PAM modules.
* In both auth-pam and down-root plugins, in the forked process,
  a read error on the parent process socket is no longer fatal.
* MandrakeSoft liblzo1 RPM only Provides for a 'liblzo1'.
  A conditional test of the vendor has been added to
  Require the appropriately named 'lzo' (liblzo1 / lzo).
  (Tom Walsh - http://openhardware.net)

2005.02.20 -- Version 2.0-rc16

* Fixed bug introduced in rc13 where Windows service wrapper
  would be installed with a startup type of Automatic.
  This fix restores the previous behavior of installing
  with a startup type of Manual.

2005.02.19 -- Version 2.0-rc15

* Added warning when --keepalive is not used in a server
* Don't include OpenSSL md4.h file if we are not building
  NTLM proxy support (Waldemar Brodkorb).
* Added easy-rsa/build-key-pkcs12 and
  easy-rsa/Windows/build-key-pkcs12.bat scripts

2005.02.16 -- Version 2.0-rc14

* Fixed small memory leak that occurs when --crl-verify
* Upgraded Windows installer and .nsi script to NSIS 2.05
* Changed #include backslash usage in cryptoapi.c to use
  forward slashes instead (Gisle Vanem).
* Created easy-rsa/revoke-full to handle revocations in
  a single step: (a) revoke crt, (b) regenerate CRL, and
  (c) verify that revocation succeeded.
* Renamed easy-rsa/Windows/revoke-key to revoke-full so
  that both *nix and Windows scripts are equivalent.

2005.02.11 -- Version 2.0-rc13

* Improve human-readability of local/remote options
  diff, when inconsistencies are present.
* For Windows easy-rsa, distribute vars.bat.sample and
  openssl.cnf.sample, then copy them to their normal
  filenames (without the .sample) when init-config.bat
  is run. This is to prevent OpenVPN upgrades from
  wiping out vars.bat and openssl.cnf edits.
* Modified service wrapper (Windows) to use a
  case-insensitive search when scanning for .ovpn files
  in \Program Files\OpenVPN\config. Prior versions
  required an all-lower-case .ovpn file extension.
* Miscellaneous service wrapper code cleanup.
* If --user/--group is used on Windows, treat it
  as a no-op with a warning (this makes it easier to
  distribute the same client config file to Windows
* Warn if --ifconfig-pool-persist is used with

2005.02.05 -- Version 2.0-rc12

* Removed some debugging code inadvertently included
  in rc11 which would print the --auth-user-pass
  username/password provided by clients in the server
* Client code for cycling through --remote list will
  retry the last address which successfully authenticated
  before moving on through the list.
* Windows installer will now install sample configuration
  files in \Program Files\OpenVPN\sample-configs as well
  as generate a start menu shortcut to this directory.
* Minor type change in buffer.[ch] to work around char-type
  ambiguity bug. Caused management interface lock-ups on
  ARM when building with armv4b-hardhat-linux-gcc 2.95.3.

2005.02.03 -- Version 2.0-rc11

* Windows installer will now install easy-rsa directory
  in \Program Files\OpenVPN
* Allow syslog facility to be controlled at compile time,
  e.g. -DLOG_OPENVPN=LOG_LOCAL6 (P Kern).
* Changed certain shell scripts in distribution to use
  #!/bin/sh rather than #!/bin/bash for better portability.
* If --ifconfig-pool-persist seconds parameter is 0, treat
  persist file as an allocation of fixed IP addresses
  (previous versions took IP-to-common-name associations
  from this list as hints, not mandatory static allocations).
* Fixed bug on *nix where if --auth-user-pass and --log
  were used together, the username prompt would be sent to
  the log file rather than /dev/tty.
* Spurious text in openvpn.8 detected by doclifter
* Call closelog later on daemon kill so that process
  exit message is written to syslog.

2005.01.27 -- Version 2.0-rc10

* When ./configure is run with plugins enabled (the default),
  check whether or not dlopen exists in libc before testing
  for libdl. This is to fix an issue on FreeBSD and possibly
  other OSes which bundle libdl functions in libc.
* On Windows, filter initial WSAEINVAL warning which occurs
  on the initial read attempt of an unbound socket.
* The easy-rsa scripts build-key, build-key-pass, and
  build-key-server will now chmod the .key file
  to 0600. This is in addition to the fact the generated
  keys directory has always been similarly protected

2005.01.23 -- Version 2.0-rc9

* Fixed error "ROUTE: route addition failed using
  CreateIpForwardEntry ..." on Windows when --redirect-gateway
  is used over a RRAS internet link.
* When using --route-method exe on Windows, include the
  gateway parameter on route delete commands (Mathias Sundman).
* Try not to do a hard reset (i.e. SIGHUP) when two
  SIGUSR1 signals are received in close succession.
* If the push list tries to grow beyond its buffer capacity,
  the resulting error will be non-fatal.
* To increase the push list capacity (must be done on both
  client and server), increase TLS_CHANNEL_BUF_SIZE in
  common.h (default=1024).

2005.01.15 -- Version 2.0-rc8

* Fixed bug introduced in rc7 where options error
  "--auth-user-pass requires --pull" might occur even
  if --pull was correctly specified.
* Changed management interface code to bind once
  to TCP socket, rather than rebinding after every
* Added "disable" directive for client-config-dir
* Windows binary install is now distributed with
* Query the management interface for --http-proxy
  username/password if authfile is set to "stdin".
* Added current OpenVPN version number to "Unrecognized
  option or missing parameter" error message.
* Added "-extensions server" to "openssl req" command
  in easy-rsa/build-key-server (Nir Yeffet).

2005.01.10 -- Version 2.0-rc7

* Fixed bug in management interface which could cause
  100% CPU utilization in --proto tcp-server mode
  on all *nix OSes except for Linux 2.6.
* --ifconfig-push now accepts DNS names as well as
* Added sanity check errors when --pull or
  --auth-user-pass is used in an incorrect mode.
* Updated man page entries for --client-connect and
* Added "String Types and Remapping" section to man
  page to concisely document the way which OpenVPN
  may convert certain types of characters in strings
* Modified bridging description in HOWTO to emphasize
  the fact that bridging allows Windows file and print
  sharing without a WINS server (Charles Duffy).

2004.12.20 -- Version 2.0-rc6

* Improved checking for epoll support in ./configure
  to fix false positive on RH9 (Jan Just Keijser).
* Made the "MULTI TCP: I/O wait required blocking in
  multi_tcp_action, action=7" error nonfatal and replaced
  with "MULTI: Outgoing TUN queue full, dropped packet".
  So far the issue only seems to occur on Linux 2.2
  in --mode server --proto tcp mode. It occurs when
  the TUN/TAP driver locks up and refuses to accept
  new packet writes for a second or more.
* Fixed bug where if a --client-config-dir file tried
  to include another file using "config", and if that
  include failed, OpenVPN would abort with a fatal
  error. Now such inclusion failures will be logged
  but are no longer fatal.
* Global changes to the way that packet buffer alignment
  is handled. Previously we didn't care about alignment
  and took care, when handling 16 and 32 bit words
  in buffers, to always use alignment-safe transfers.
  This approach appears to be inadequate on some
  architectures such as alpha. The new approach is
  to initialize packet buffers in a way that anticipates
  how component structures will be allocated within
  them, to maintain correct alignment.
* Added --dhcp-option DISABLE-NBT to disable NetBIOS
  over TCP (Jan Just Keijser).
* Added --http-proxy-option directive for controlling
  miscellaneous HTTP proxy options.
* Management state will no longer transition to "WAIT"
  during TLS renegotiations.

2004.12.16 -- Version 2.0-rc5

* The --client-config-dir option will now try to open
  a default file called "DEFAULT" if no file matching
  the common name of the incoming client was found.
* The --client-connect script/plugin can now veto client
  authentication by returning a failure code.
* The --learn-address script/plugin can now prevent a
  client-instance/address association from being learned
  by returning a failure code.
* Changed RPM group in .spec file to Applications/Internet.

2004.12.14 -- Version 2.0-rc4

* SuSE only -- Fixed interaction between openvpn.spec and
  suse/openvpn.init where the .spec file was writing the
  OpenVPN binary to a different location than where the
  .init script was referencing it (Stefan Engel).
* Solaris only -- Split Solaris ifconfig command into two
  parts (Jan Just Keijser).
* Some cleanup in add_option().
* Better error checking on input dotted quad IP addresses.
* Verify that --push argument is quoted, if there is
* More miscellaneous option sanity checks.

2004.12.13 -- Version 2.0-rc3

* On Windows, when --log or --log-append is used,
  save the original stderr for username and password
* Fixed a bug introduced in the late 2.0 betas where
  if a "verb" parameter >= 16 was used, it would be
  ignored and the actual verb level would remain at 1.
* Fixed a bug mostly seen on OS X where --management-hold
  or --management-query-passwords would cause the management
  interface to be unresponsive to incoming client connections.
* Trigger an options error if one of the management-modifying
  options is used without "management" itself.

2004.12.12 -- Version 2.0-rc2

* Amplified warnings in documentation about possible
  man-in-the-middle attack when clients do not properly
  verify server certificate. Changes to easy-rsa README,
  FAQ, HOWTO, man page, and sample client config file.
* Added a warning message if --tls-client or --client
  is used without also specifying one of either
  --ns-cert-type, --tls-remote, or --tls-verify.
* status_open() fixes for MSVC builds (Blaine Fleming).
* Fix attempt of "ntlm.c:55: error: `des_cblock' undeclared"
  compiler error which has been reported on some platforms.
* The openvpn.spec file for rpmbuild has several
  new build-time options. See comments in the file.
* Plugins are now built and packaged in the RPM and
  will be saved in /usr/share/openvpn/plugin/lib.
* Added --management-hold directive to start OpenVPN
  in a hibernating state until released by the
  management interface. Also added "hold" command
  to the management interface.

2004.12.07 -- Version 2.0-rc1

* openvpn.spec workaround for SuSE confusion regarding
  /etc/init.d vs. /etc/rc.d/init.d (Stefan Engel).

2004.12.05 -- Version 2.0-beta20

* The ability to read --askpass and --auth-user-pass
  passwords from a file has been disabled by default.
  To re-enable, use ./configure --enable-password-save.
* Added additional pre-connected states to management
  interface. See management/management-notes.txt
* State history is now recorded by the management
  interface, and the "state" command now works like
  the log or echo commands.
* State history and real-time state change notifications
  are now prepended with an integer unix timestamp.
* Added --http-proxy-timeout option, previously
  the timeout was hardcoded to 5 seconds.

2004.12.02 -- Version 2.0-beta19

* Fixed bug in management interface line termination
  where output lines incorrectly contained a \00 char
  after the customary \0d \0a.
* Fixed bug introduced in beta18 where Windows version
  would segfault on options errors.
* Fixed bug in management interface where an empty
  quoted string ("") entered as a parameter would cause
* Fixed bug where --resolv-retry was not working
  properly with multiple --remote hosts.
* Added additional ./configure options to reduce
  executable size for embedded applications.
  See ./configure --help.

2004.11.28 -- Version 2.0-beta18

* Added management interface. See new --management-*
  options or the full management interface documentation
  in management/management-notes.txt in the tarball.
  Management interface inclusion can be disabled by
  ./configure --disable-management.
* Added two new plugin modules: auth-pam and down-root.
  Auth-pam supports pam-based authentication using a
  split privilege execution model, while down-root enables
  a down script to be executed with root privileges, even
  when --user/--group is used to drop root privileges.
  See the plugin directory in the tarball for READMEs,
  source code, and Makefiles.
* Plugin developers should note that some changes were
  made to the plugin interface since beta17. See
  openvpn-plugin.h for details.
  Plugin interface inclusion can be disabled with
  ./configure --disable-plugins
747 * Added easy-rsa/build-key-server script which will
748 build a certificate with with nsCertType=server.
749 * Added --ns-cert-type option for verification
750 of nsCertType field in peer certificate.
751 * If --fragment n is specified and --mssfix is specified
752 without a parameter, default --mssfix to n. This restores
753 the 1.6 behavior when using --mssfix without a parameter.
754 * Fixed SSL context initialization bug introduced in beta14
755 where this error might occur on restarts: "Cannot load
756 certificate chain ... PEM_read_bio:no start line".
758 2004.11.11 -- Version 2.0-beta17
760 * Changed default port number to 1194 per IANA official
761 port number assignment.
762 * Added --plugin directive which allows compiled
763 modules to intercept script callbacks. See
764 plugin folder in tarball for more info.
765 * Fixed bug introduced in beta12 where --key-method 1
766 authentications which should have succeeded would fail.
767 * Ignore SIGUSR1 during DNS resolution.
768 * Added SuSE support to openvpn.spec (Umberto Nicoletti).
769 * Fixed --cryptoapicert SUBJ: parsing bug (Peter 'Luna'
772 2004.11.07 -- Version 2.0-beta16
774 * Modified sample-scripts/auth-pam.pl to get username
775 and password from OpenVPN via a file rather than
776 via environmental variables.
777 * Added bytes_sent and bytes_received environmental
778 variables to be set prior to client-disconnect script.
779 * Changed client virtual IP derivation precedence:
780 (1) use --ifconfig-push directive from --client-connect
781 script, (2) use --ifconfig-push directive from
782 --client-config-dir, and (3) use --ifconfig-pool
784 * If a --client-config-dir file specifies --ifconfig-push,
785 it will be visible to the --client-connect-script in
786 the ifconfig_pool_remote_ip environmental variable.
787 * For tun-style tunnels, the ifconfig_pool_local_ip
788 environmental variable will be set, while for
789 tap-style tunnels, the ifconfig_pool_netmask variable
791 * Added intelligence to autoconf script to test
792 compiler for the accepted form of zero-length arrays.
793 * Fixed a bug introduced in beta12 where --ip-win32
794 netsh would fail if --dev-node was not explicitly
796 * --ip-win32 netsh will now work on hidden adapters.
797 * Fix attempt of "Assertion failed at crypto.c:149".
798 This assertion has also been reported on 1.x with a
799 slightly different line number. The fix is twofold:
800 (1) In previous releases, --mtu-test may trigger this
801 assertion -- this bug has been fixed. (2) If something
802 else causes the assertion to be thrown, don't panic,
803 just output a nonfatal warning to the log and drop
804 the packet which generated the error.
805 * Support TAP interfaces on Mac OS X (Waldemar Brodkorb).
806 * Added --echo directive.
807 * Added --auth-nocache directive.
809 2004.10.28 -- Version 2.0-beta15
811 * Changed environmental variable character classes
812 so that names must consist of alphanumeric or
813 underbar chars and values must consist of printable
814 characters. Illegal chars will be deleted.
815 Versions prior to 2.0-beta12 were more restrictive
816 and would map spaces to '.'.
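The 2.0-beta15 rule above (variable names limited to alphanumerics and underscore, values limited to printable characters, anything else deleted) matters because these variables are handed to shell scripts, so control characters or odd punctuation in a peer-supplied common name must never reach the script environment. The following is an added C example of that rule; it is not OpenVPN's own code, and the function names and the constructed sample common name are assumptions made here:

```c
#include <ctype.h>
#include <string.h>

/* Added example (not OpenVPN's code): sanitize script environment
 * variables the way the beta15 entry describes. Names keep only
 * alphanumerics and '_'; values keep only printable characters.
 * Illegal characters are deleted, not mapped (older versions mapped
 * spaces to '.'). */

/* Is c legal in a variable name? */
static int env_name_char_ok(int c)
{
    return isalnum((unsigned char)c) || c == '_';
}

/* Is c legal in a variable value? (isprint accepts the space character) */
static int env_value_char_ok(int c)
{
    return isprint((unsigned char)c);
}

/* Delete every character of s for which ok() returns 0, in place. Returns s. */
static char *strip_illegal(char *s, int (*ok)(int))
{
    char *r = s, *w = s;
    for (; *r; ++r)
        if (ok((unsigned char)*r))
            *w++ = *r;
    *w = '\0';
    return s;
}

char *sanitize_env_name(char *name)   { return strip_illegal(name, env_name_char_ok); }
char *sanitize_env_value(char *value) { return strip_illegal(value, env_value_char_ok); }

/* Build a "NAME=value" entry for a script environment, sanitizing both
 * halves. Returns the number of characters written, or -1 if a buffer
 * is too small. */
int build_env_entry(const char *name, const char *value, char *out, size_t outlen)
{
    char n[256], v[1024];
    size_t len;

    if (strlen(name) >= sizeof(n) || strlen(value) >= sizeof(v))
        return -1;
    strcpy(n, name);
    strcpy(v, value);
    sanitize_env_name(n);
    sanitize_env_value(v);

    len = strlen(n) + 1 + strlen(v);
    if (len + 1 > outlen)
        return -1;
    strcpy(out, n);
    strcat(out, "=");
    strcat(out, v);
    return (int)len;
}

/* Constructed demo input: a name with a space and punctuation, a value
 * (think: a certificate common name) carrying CR/LF. Returns 1 if the
 * sanitizer produces exactly "commonname=Jane Doe<x>" (22 characters). */
int env_sanitizer_demo(void)
{
    char entry[512];
    int n = build_env_entry("common name!", "Jane Doe\r\n<x>", entry, sizeof(entry));
    return n == 22 && strcmp(entry, "commonname=Jane Doe<x>") == 0;
}
```

The deletion (rather than escaping) policy means two different peer-supplied strings can collapse to the same environment value, so scripts that make access decisions should key on a field OpenVPN itself verified, not on a sanitized free-form string.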
* On Windows, when the TAP adapter fails to
initialize with the correct IP address, output
"Initialization Sequence Completed with Errors"
to the console or log file.
* Added a warning when user/group/chroot is used
without persist-tun and persist-key.
* Added cryptoapi.[ch] to tarball and source zip.
* --tls-remote option now works with common name
prefixes as well as with the full X509 subject
string. This is a useful alternative to using
* common names associated with a static
--ifconfig-push setting will no longer leave
any state in the --ifconfig-pool-persist file.
* Hard TLS errors (TLS handshake failed) will now
trigger either a SIGUSR1 signal by default
or SIGTERM (if --tls-exit is specified). In TCP
mode, all TLS errors are considered to be hard.
In server mode, the signal will be local to the
* Added method parameter to --auth-user-pass-verify
directive to select whether username/password
is passed to script via environment or a temporary
* Added --status-version option to control format
of --status file. The --mode server
--status-version 2 format now includes a line
type token, the virtual IP address is shown
in the client list (even in --dev tap mode),
and the integer time_t value is shown anywhere
an ascii-formatted time/date is also shown.
* Added --remap-usr1 directive which can be used
to control whether internally or externally
generated SIGUSR1 signals are remapped to
SIGHUP (restart without persisting state) or
* When running as a Windows service (using
--service option), check the exit event before
and after reading one line of input from
stdin, when reading username/password info.
* For developers: Extended the --gremlin function
to better stress-test the new 2.0 features,
added Valgrind support on Linux and Dmalloc

2004.10.19 -- Version 2.0-beta14

* Fixed a bug introduced in Beta12 that would occur
if you use a --client-connect script without also
* Fixed a bug introduced in Beta12 where a learn-address
script might segfault on the delete method.
* Added Crypto API support in Windows version via
the --cryptoapicert option (Peter 'Luna' Runestig).

2004.10.18 -- Version 2.0-beta13

* Fixed an issue introduced in Beta12 where the private
key password would not be prompted for unless --askpass
was explicitly specified in the config.

2004.10.17 -- Version 2.0-beta12

* Added support for username/password-based authentication.
Clients can now authenticate themselves with the server
using either a certificate, a username/password, or both.
New directives: --auth-user-pass, --auth-user-pass-verify,
--client-cert-not-required, and --username-as-common-name.
* Added NTLM proxy patch (William Preston).
* Added --ifconfig-pool-linear server flag to allocate
individual tun addresses for clients rather than /30
subnets (won't work with Windows clients).
* Modified --http-proxy code to cache username/password
* Modified --http-proxy code to read username/password
from the console when the auth file is given as "stdin".
* Modified --askpass to take an optional filename argument.
* --persist-tun and --persist-key now work in client mode
and can be pushed to clients as well.
* Added --ifconfig-pool-persist directive, to maintain
ifconfig-pool info in a file which is persistent across
daemon instantiations.
* --user and --group privilege downgrades as well as
--chroot now also work in client mode (the
downgrade/chroot will be delayed until the initialization
sequence is completed).
* Added --show-engines standalone directive to show
available OpenSSL crypto accelerator engine support.
* --engine directive now accepts an optional engine-ID
parameter to control which engine is used.
* "Connection reset, restarting" log message now shows
which client is being reset.
* Added --dhcp-pre-release directive in Windows version.
* Second parm to --ip-win32 can be "default", e.g.
--ip-win32 dynamic default 60.
* Fixed documentation bug regarding environmental
variable settings for --ifconfig-pool IP addresses.
The correct environmental variable names are:
ifconfig_pool_local_ip and ifconfig_pool_remote_ip.
* ifconfig_pool_local_ip and ifconfig_pool_remote_ip
environmental variables are now passed to the
client-disconnect script.
* In server mode, environmental variables are now scoped
according to the client they are associated with,
to solve the problem of "crosstalk" between different
clients' environmental variable sets.
* Added --down-pre flag to cause --down script to be
called before TUN/TAP close (rather than after).
* Added --tls-exit flag which will cause OpenVPN
to exit on any TLS errors.
* Don't push a route to a client if it exactly
matches an iroute (this lets you push routes to
all clients, and OpenVPN will automatically remove
the route from the route push list only for that client
which the route actually belongs to).
* Made '--resolv-retry infinite' the default.
--resolv-retry can be disabled by using a parameter of 0.
* For clients which plan to pull config info from server,
set an initial default ping-restart of 60 seconds.
* Optimized mute code to lessen the load on the processor
when messages are being muted at a higher frequency.
* Made route log messages non-mutable.
* Silence the Linux "No buffer space available" message.
* Added miscellaneous additional option sanity checks.
* Added Windows version of easy-rsa scripts in
easy-rsa/Windows directory (Andrew J. Richardson).
* Added NetBSD route patch (Ed Ravin).
* Added OpenBSD patch for TAP + --redirect-gateway
* Directives which prompt for a username and/or password
will now work with --daemon (OpenVPN will prompt
* Warn if CRL is from a different issuer than the
issuer of the peer certificate (Bernhard Weisshuhn).
* Changed init script chkconfig parameters to start
OpenVPN daemon(s) before NFS.
* Bug fix attempt of "too many I/O wait events" which occurs
on OSes which prefer select() over poll() such as Mac OS X.
* Added --ccd-exclusive flag. This flag will require, as a
condition of authentication, that a connecting client has
a --client-config-dir file.
* TAP-Win32 open code will attempt to open a free adapter
if --dev-node is not specified (Mathias Sundman).
* Resequenced --nice and --chroot ordering so that --nice
* Added --suppress-timestamps flag (Charles Duffy).
* Source code changes to allow compilation by MSVC
(Peter 'Luna' Runestig).
* Added experimental --fast-io flag which optimizes
TUN/TAP/UDP writes on non-Windows systems.

2004.08.18 -- Version 2.0-beta11

* Added --server, --server-bridge, --client, and
--keepalive helper directives. See client.conf
and server.conf in sample-config-files for sample
configurations which use the new directives.
* On Windows, added --route-method to control
whether IP Helper API or route.exe is used
to add/delete routes.
* On Windows, added a second parameter to
--route-delay to control the maximum time period
to wait for the TAP-Win32 adapter to come up
before adding routes.
* Fixed bug in Windows version where configurations
which omit --ifconfig might fail to recognize when
the TAP adapter is up.
* Proxy connection failures will now retry according
to the --connect-retry parameter.
* Fixed --dev null handling on Windows so that TLS
loopback test described in INSTALL file works
correctly on Windows.
* Added "Initialization Sequence Completed" message
after all initialization steps have been completed
and the VPN can be considered "up".
* Better sanity-checking on --ifconfig-pool parameters.
* Added --tcp-queue-limit option to control
TUN/TAP -> TCP socket overflow.
* --ifconfig-nowarn flag will now silence general
warnings about possible --ifconfig address
conflicts, including the warning about --ifconfig
and --remote addresses being in same /24 subnet.
* Fixed case where server mode did not correctly
identify certain types of ethernet multicast packets
* Added --explicit-exit-notify option (experimental).

2004.08.02 -- Version 2.0-beta10

* Fixed possible reference after free of option strings
after a restart; the bug was introduced in beta8.
* Fixed segfault at route.c:919 in the beta9
Windows version that was being caused by indirection
through a NULL pointer.
* Mistakenly built debug version of TAP-Win32 driver
for beta9. Beta10 has correct release build.

2004.07.30 -- Version 2.0-beta9

* Fixed --route issue on Windows that was introduced with
the new beta8 route implementation based on the

2004.07.27 -- Version 2.0-beta8

* Added TCP support in server mode.
* Added PKCS #12 support (Mathias Sundman).
* Added patch to make revoke-crt and make-crl work
seamlessly within the easy-rsa environment (Jan Kiszka).
* Modified --mode server ethernet bridge code to forward
special IEEE 802.1d MAC Groups, i.e. 01:80:C2:XX:XX:XX.
* Added --dhcp-renew and --dhcp-release flags to Windows
version. Normally DHCP renewal and release on the TAP
adapter occurs automatically under Windows, however
if you set the TAP-Win32 adapter Media Status property
to "Always Connected", you may need these flags.
* Added --show-net standalone flag to Windows version to
show OpenVPN's view of the system adapter and routing
* Added --show-net-up flag to Windows version to output
the system routing table and network adapter list to
the log file after the TAP-Win32 adapter has been brought
up and any routes have been added.
* Modified Windows version to add routes using the IP Helper
API rather than by calling route.exe.
* Fixed bug where --route-up script was not being called
if no --route options were specified.
* Added --mute-replay-warnings to suppress packet replay
warnings. This is a common false alarm on WiFi nets.
* Added "def1" flag to --redirect-gateway option to override
the default gateway by using 0.0.0.0/1 and 128.0.0.0/1
rather than 0.0.0.0/0. This has the benefit of overriding
but not wiping out the original default gateway.
(Thanks to Jim Carter for pointing out this idea).
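The "def1" entry above works because a routing table picks the longest matching prefix: two /1 routes together cover the whole address space and are each more specific than the /0 default, so they win every lookup while the original default route stays in the table, and deleting the two /1 routes on disconnect restores it untouched. The following is an added C example of that longest-prefix-match behaviour with a tiny in-memory routing table; it is not OpenVPN's code, and the gateway addresses, table layout and function names are constructed here for illustration:

```c
#include <stdint.h>

/* Added example (not OpenVPN's code): a minimal longest-prefix-match
 * routing table showing why "--redirect-gateway def1" installs
 * 0.0.0.0/1 and 128.0.0.0/1 instead of replacing 0.0.0.0/0. */

struct route {
    uint32_t network;   /* host byte order, already masked */
    int      prefix;    /* 0..32 */
    uint32_t gateway;   /* host byte order, 0 marks an empty slot */
};

#define MAX_ROUTES 8
static struct route table[MAX_ROUTES];

/* Build a host-order IPv4 address from dotted-quad components. */
static uint32_t ip(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Netmask for a prefix length; /0 must not shift by 32 (undefined in C). */
static uint32_t prefix_mask(int prefix)
{
    return prefix == 0 ? 0u : 0xFFFFFFFFu << (32 - prefix);
}

/* Insert a route into the first free slot. Returns 1 on success, 0 if full. */
int route_add(uint32_t network, int prefix, uint32_t gateway)
{
    for (int i = 0; i < MAX_ROUTES; ++i) {
        if (table[i].gateway == 0) {
            table[i].network = network & prefix_mask(prefix);
            table[i].prefix  = prefix;
            table[i].gateway = gateway;
            return 1;
        }
    }
    return 0;
}

/* Remove the route with exactly this network/prefix; other routes are untouched. */
void route_del(uint32_t network, int prefix)
{
    for (int i = 0; i < MAX_ROUTES; ++i) {
        if (table[i].gateway && table[i].prefix == prefix
            && table[i].network == (network & prefix_mask(prefix)))
            table[i].gateway = 0;
    }
}

/* Longest-prefix match: returns the chosen gateway, or 0 if nothing matches. */
uint32_t route_lookup(uint32_t dst)
{
    int best = -1;
    for (int i = 0; i < MAX_ROUTES; ++i) {
        if (table[i].gateway == 0) continue;
        if ((dst & prefix_mask(table[i].prefix)) != table[i].network) continue;
        if (best < 0 || table[i].prefix > table[best].prefix) best = i;
    }
    return best < 0 ? 0 : table[best].gateway;
}

/* Constructed scenario: the LAN gateway 192.168.1.1 owns the default route,
 * the VPN gateway is 10.8.0.1. Returns 1 if def1 diverts both halves of the
 * address space to the VPN without removing the original default, and the
 * original default is used again once the two /1 routes are deleted. */
int def1_demo(void)
{
    const uint32_t lan_gw = ip(192, 168, 1, 1), vpn_gw = ip(10, 8, 0, 1);
    const uint32_t low = ip(1, 2, 3, 4), high = ip(200, 1, 1, 1);

    for (int i = 0; i < MAX_ROUTES; ++i) table[i].gateway = 0;

    route_add(ip(0, 0, 0, 0), 0, lan_gw);            /* pre-existing default route */
    if (route_lookup(low) != lan_gw) return 0;

    route_add(ip(0, 0, 0, 0), 1, vpn_gw);            /* def1: 0.0.0.0 - 127.255.255.255 */
    route_add(ip(128, 0, 0, 0), 1, vpn_gw);          /* def1: 128.0.0.0 - 255.255.255.255 */
    if (route_lookup(low) != vpn_gw || route_lookup(high) != vpn_gw) return 0;

    route_del(ip(0, 0, 0, 0), 1);                    /* disconnect: remove only the /1 routes */
    route_del(ip(128, 0, 0, 0), 1);
    return route_lookup(low) == lan_gw && route_lookup(high) == lan_gw;
}
```

Because the /0 entry is never modified, an unclean shutdown that fails to delete the two /1 routes leaves the machine with a dead VPN gateway for all traffic but an intact default route to fall back on once those entries are removed, which is the recoverability the entry describes as "not wiping out the original default gateway".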
* You can now run OpenVPN with a single config file argument.
For example, you can now say "openvpn config.conf"
rather than "openvpn --config config.conf".
* On Windows, made --route and --route-delay more adaptive
with respect to waiting for interfaces referenced by the
route destination to come up. Routes added by --route
should now be added as soon as the interface comes up,
rather than after an obligatory 10 second delay. The
way this works internally is that --route-delay now
defaults to 0 on Windows. Previous versions would
wait for --route-delay seconds then add the routes.
This version will wait --route-delay seconds and then
test the routing table at one second intervals for the
next 30 seconds and will not add the routes until they
can be added without errors.
* On Windows, don't setsockopt SO_SNDBUF or SO_RCVBUF by
default on TCP/UDP socket in light of reports that this
action can have undesirable global side effects on the
MTU settings of other adapters. These parameters can
still be set, but you need to explicitly specify
--sndbuf and/or --rcvbuf.
* Added --max-clients option to limit the maximum number
of simultaneously connected clients in server mode.
* Added error message to illuminate shell escape gotcha when
single backslashes are used in Windows path names.
* Added optional netmask parm to --ifconfig-pool.
* Fixed bug where http-proxy connect retry attempts were
incorrectly going to the remote OpenVPN server,
not to the HTTP proxy server.

2004.06.29 -- Version 2.0-beta7

* Fixed bug in link_socket_verify_incoming_addr() which
under certain circumstances could have caused --float
behavior even if --float was not specified.
* --tls-auth option now works with --mode server.
All clients and the server should use the same
--tls-auth key when operating in client/server mode.
* Added --engine option to make use of OpenSSL-supported
crypto acceleration hardware.
* Fixed some high verbosity print format size issues
in event.c for 64 bit platforms (Janne Johansson).
* Made failure to open --log or --log-append file

2004.06.23 -- Version 2.0-beta6

* Fixed Windows installer to intelligently put
up a reboot dialog only if tapinstall tells
us that it's really necessary.
* Fixed "Assertion failed at fragment.c:309"
bug when --mode server and --fragment are used
* Ignore HUP, USR1, and USR2 signals during
initialization. Prior versions would abort.
* Fixed bug on OS X: "Assertion failed at event.c:406".
* Added --service option to Windows version, for use
when OpenVPN is being programmatically instantiated
by another process (see man page for info).
* --log and --log-append options now work on Windows.
* Update OpenBSD INSTALL notes (Janne Johansson).
* Enable multicast on tun interface when running on
OpenBSD (Pavlin Radoslavov).
* Fixed recent --test-crypto breakage, where options
such as --cipher were not being parsed correctly.
* Modified options compatibility string by removing
ifconfig substring if it is empty. Incremented
options compatibility string version number to 4.
* Fixed typo in --tls-timeout option parsing

2004.06.13 -- Version 2.0-beta5

* Fixed rare --mode server crash that could occur
if data was being routed to a client at
high bandwidth at the precise moment that the
client instance object on the server was being
* Fixed issue on machines which have epoll.h and
the epoll_create glibc call defined, but which
don't actually implement epoll in the kernel.
OpenVPN will now gracefully fall back to the
poll API in this case.
* Fixed Windows bug which would cause the following
error in a --mode server --dev tap configuration:
"resource limit WSA_MAXIMUM_WAIT_EVENTS has been
* Added CRL (certificate revocation list) management
scripts to easy-rsa directory (Jon Bendtsen).
* Do a better job of getting the ifconfig component
of the options consistency check to work correctly
when --up-delay is used.
* De-inlined some functions which were too complex
to be inlined anyway with gcc.
* If a --dhcp-option option is pushed to a non-windows
client, the option will be saved in the client's
environment before the --up script is called, under
the name "foreign_option_{n}".
* Added --learn-address script (see man page) which
allows for firewall access through the VPN to be
controlled based on the client common name.
* In --mode server mode, when a client connects to
the server, the server will disconnect any
still-active clients which use the same common
name. Use --duplicate-cn flag to revert to
previous behavior of allowing multiple clients
to concurrently connect with the same common name.

2004.06.08 -- Version 2.0-beta4

* Fixed issue with beta3 where Win32 service wrapper
was keying off of old TAP HWID as a dependency. To
ensure that the new service wrapper is correctly
installed, the Windows install script will uninstall
the old wrapper before installing the new one,
causing a reset of service properties.
* Fixed permissions issue on --status output file,
with default access permissions of owner read/write
only (default permissions can be changed of course with

2004.06.05 -- Version 2.0-beta3

* More changes to TAP-Win32 driver's INF file which
affect the placement of the driver in the Windows
device namespace. This is done to work around an
apparent bug in Windows when short HWIDs are used,
and will also ease the upgrade from 1.x to 2.0 by
reducing the chances that a reboot will be needed
on upgrade. Like beta2, this upgrade will
delete existing TAP-Win32 interfaces, and reinstall
a single new interface with default properties.
* Major rewrite of I/O event wait layer in the style
of libevent. This is a precursor to TCP support
* New feature: --status. Outputs a SIGUSR2-like
status summary to a given file, updated once
per n seconds. The status file is comma delimited
for easy machine parsing.
* --ifconfig-pool now remembers common names and
will try to assign a consistent IP to a given
common name. Still to do: persist --ifconfig-pool
memory across restarts by saving state in file.
* Fixed bug in event timer queue which could cause
recurring timer events such as --ping to not
correctly schedule again after firing. This in
turn would cause spurious ping restarts and possible
connection outages. Thanks to Denis Vlasenko for
* Possible fix to reported bug where --daemon argument
was not printing to syslog correctly after restart.
* Fixed bug where pulling --route or --dhcp-option
directives from a server would problematically
interact with --persist-tun on the client.
* Updated contrib/multilevel-init.patch (Farkas Levente).
* Added RPM build option to .spec and .spec.in files
to optionally disable LZO inclusion (Ian Pilcher).
* The latest MingW runtime and headers define
'ssize_t', so a patch is needed (Gisle Vanem).

2004.05.14 -- Version 2.0-beta2

* Fixed signal handling bug in --mode server, where
SIGHUP and SIGUSR1 were treated as SIGTERM.
* Changed the TAP-Win32 HWID from "TAP" to "TAPDEV".
Apparently the larger string may work around
a problem where the TAP adapter is sometimes missing
from the network connections panel, especially under
XP SP2. Also note that installing this upgrade will
uninstall any pre-existing TAP-Win32 adapters, and then
install a single new adapter, meaning that old adapter
properties will be lost. Thanks to Md5Chap for solving
* For --mode server --dev tap, the options --ifconfig and
--ifconfig-pool are now optional. This allows address
assignment via DHCP or use of a TAP VPN without
IP support, as has always been possible with 1.x.
* Fixed bug where --ifconfig may not work correctly on
* Added 'local' flag to --redirect-gateway for use on
networks where both OpenVPN daemons are connected
to a shared subnet, such as wireless.
1234 2004.05.09 -- Version 2.0-beta1
1236 * Unchanged from test29 except for version number
1239 2004.05.08 -- Version 2.0-test29
1241 * Modified --dev-node on Windows to accept a TAP-Win32
1242 GUID name. In addition, --show-adapters will now
1243 display the high-level name and GUID of each adapter.
1244 This is an attempt to work around an issue in Windows
1245 where sometimes the TAP-Win32 adapter installs correctly
1246 but has no icon in the network connections control
1247 panel. In such cases, being able to specify
1248 --dev-node {TAP-GUID} can work around the missing icon.
1250 2004.05.07 -- Version 2.0-test28
1252 * Fixed bug which could cause segfault on program
1253 shutdown if --route and --persist-tun are used
1256 2004.05.06 -- Version 2.0-test27
1258 * Fixed bug in close_instance() which might cause
1259 memory to be accessed after it had already been freed.
1260 * Fixed bug in verify_callback() that might have
1261 caused uninitialized data to be referenced.
1262 * --iroute now allows full CIDR subnet routing.
1263 * In "--mode server --dev tun" usage, source addresses
1264 on VPN packets coming from a particular client must
1265 be associated with that client in the OpenVPN internal
1268 2004.04.28 -- Version 2.0-test26
1270 * Optimized broadcast path in multi-client mode.
1271 * Added socket buffer size options --rcvbuf & --sndbuf.
1272 * Configure Linux tun/tap driver to use a more sensible
1273 txqueuelen default. Also allow explicit setting
1274 via --txqueuelen option (Harald Roelle).
1275 * The --remote option now allows the port number
1276 to be specified as the second parameter. If
1277 unspecified, the port number defaults to the
1279 * Multiple --remote options on the client can now be
1280 specified for load balancing and failover. The
1281 --remote-random flag can be used to initially randomize
1282 the --remote list for basic load balancing.
1283 * If a remote DNS name resolves to multiple DNS addresses,
1284 one will be chosen by random as a kind of basic
1285 load-balancing feature if --remote-random is used.
1286 * Added --connect-freq option to control maximum
1287 new connection frequency in multi-client mode.
1288 * In multi-client mode, all syslog messages associated
1289 with a specific client now include a client-ID prefix.
1290 * For Windows, use a gettimeofday() function based
1291 on QueryPerformanceCounter (Derek Burdick).
1292 * Fixed bug in interaction between --key-method 2
1293 and DES ciphers, where dynamic keys would be generated
1294 with bad parity and then be rejected.
1296 2004.04.17 -- Version 2.0-test24
1298 * Reworked multi-client broadcast handling.
1300 2004.04.13 -- Version 2.0-test23
1302 * Fixed bug in --dev tun --client-to-client routing.
1303 * Fixed a potential deadlock in --pull.
1304 * Fixed a problem with select() usage which could
1305 cause a repeating sequence of "select : Invalid
1308 2004.04.11 -- Version 2.0-test22
1310 * Fixed bug where --mode server + --daemon was
1311 prematurely closing syslog connection.
1312 * Added support for --redirect-gateway on Mac OS X
1314 * Minor changes to TAP-Win32 driver based on feedback
1315 from the NDISTest tool.
1317 2004.04.11 -- Version 2.0-test21
1319 * Optimizations in multi-client server event loop.
1321 2004.04.10 -- Version 2.0-test20
1323 * --mode server capability now works with either tun
1324 or tap interfaces. When used with tap interfaces,
1325 OpenVPN will internally bridge all client tap
1326 interfaces with the server tap interface.
1327 * Connecting clients can now have a client-specific
1328 configuration on the server, based on the client
1329 common name embedded in the client certificate.
1330 See --client-config-dir and --client-connect.
1331 These options can be used to configure client-specific
1333 * Added an option --client-to-client that enables
1334 internal client-to-client routing or bridging.
1335 Otherwise, clients will only "see" the server,
1336 not other connected clients.
1337 * Fixed bug in route scheduling which would have caused
1338 --mode server to not work on Windows in test18
1339 and test19 with the sample config file.
1340 * Man page is up to date with all new options.
1341 * OpenVPN 2.0 release notes on web site updated
1342 with tap-style tunnel examples.
1344 2004.04.02 -- Version 2.0-test19
1346 * Fixed bug where routes pushed from server were
1347 not working correctly on Windows clients.
1348 * Added Mac OS X route patch (Jeremy Apple).
1350 2004.03.30 -- Version 2.0-test18
1352 * Minor fixes + Windows self-install modified
1353 to use OpenSSL 0.9.7d.
1355 2004.03.29 -- Version 2.0-test17
1357 * Fixed some bugs related to instance timeout and deletion.
1358 * Extended --push/--pull option to support additional
1361 2004.03.28 -- Version 2.0-test16
1363 * Successful test of --mode udp-server, --push,
1364 --pull, and --ifconfig-pool with server on
1365 Linux 2.4 and clients on Linux and Windows.
1367 2004.03.25 -- Version 2.0-test15
1369 * Implemented hash-table lookup of client instances
1370 based either on remote UDP address/port or remote
1372 * Implemented a randomized binary tree based
1373 scheduler for scalably scheduling a large number
1374 of client instance events. Uses the treap
1375 data structure and node rotation algorithm
1376 to keep the tree balanced.
1377 * Initial implementation of ifconfig-pool.
1378 * Made --key-method 2 the default.
1380 2004.03.20 -- Version 2.0-test14
1382 * Implemented --push and --pull.
1384 2004.03.20 -- Version 2.0-test13
1386 * Reduced struct tls_multi and --single-session
1388 * Modified --single-session flag to be used
1389 in multi-client UDP server client instances.
1391 2004.03.19 -- Version 2.0-test12
1393 * Added the key multi-client UDP server options,
1394 --mode, --push, --pull, and --ifconfig-pool.
1395 * Revamped GC (garbage collection) code to not rely
1397 * Modifications to thread.[ch] to allow a more
1398 flexible thread model.
1400 2004.03.16 -- Version 2.0-test11
1402 * Moved all timer code to interval.h, added new file
1404 * Fixed missing include.
1406 2004.03.16 -- Version 2.0-test10
1408 * More TAP-Win32 fixes.
1409 * Initial debugging and testing of multi.[ch].
1411 2004.03.14 -- Version 2.0-test9
1413 * Branch merge with 1.6-rc3
1414 * More point-to-multipoint work in multi.[ch].
1415 * Major TAP-Win32 driver restructuring to use
1416 NdisMRegisterDevice instead of
1417 IoCreateDevice/IoCreateSymbolicLink.
1418 * Changed TAP-Win32 symbolic links to use \DosDevices\Global\
1420 * In the majority of cases, TAP-Win32 should now be
1421 able to install and uninstall on Win2K without requiring
1423 * TAP-Win32 MAC address can now be explicitly set in the
1424 adapter advanced properties page.
1426 2004.03.04 -- Version 2.0-test8
1428 * Branch merge with 1.6-rc2.
1430 2004.03.03 -- Version 2.0-test7
1432 * Branch merge with 1.6-rc1.2.
1434 2004.03.02 -- Version 2.0-test6
1436 * Branch merge with 1.6-rc1.
1438 2004.03.02 -- Version 2.0-test5
1440 * Move Socks5 UDP header append/remove to socks.c, and is
1441 called from forward.c.
1442 * Moved verify statics from ssl.c into struct tls_session.
1443 * Wrote multi.[ch] to handle top level of point-to-multipoint
1445 * Wrote some code to allow a struct link_socket in a child context
1446 to be slaved to the parent context.
1447 * Broke up packet read and process functions in forward.c
1448 (from socket or tuntap) into separate functions for read
1449 and process, so that point-to-point and point-to-multipoint can
1450 share the same code.
1451 * Expand TLS control channel to allow the passing of configuration
1453 * Wrote mroute.[ch] to handle internal packet routing for
1454 point-to-multipoint mode.

2004.02.22 -- Version 2.0-test3

* Initial work on UDP multi-client server.
* Branch merge of 1.6-beta7

2004.02.14 -- Version 2.0-test2

* Refactorization of openvpn.c into openvpn.[ch]
init.[ch] forward.[ch] forward-inline.h
occ.[ch] occ-inline.h ping.[ch] ping-inline.h
sig.[ch]. Created a master per-tunnel
struct context in openvpn.h.
* Branch merge of 1.6-beta6.2

2003.11.06 -- Version 2.0-test1

* Initial testbed for 2.0.

2004.05.09 -- Version 1.6.0

* Unchanged from 1.6-rc4 except for version number

2004.04.01 -- Version 1.6-rc4

* Made minor customizations to devcon and
renamed as tapinstall.exe for Windows version.
* Fixed "storage size of `iv' isn't known" build
* OpenSSL 0.9.7d bundled with Windows self-install.

2004.03.13 -- Version 1.6-rc3

* Minor Windows fixes for --ip-win32 dynamic, relating to
the way the TAP-Win32 driver responds to a DHCP request
from the Windows DHCP client.
* The net_gateway environmental variable wasn't being
set correctly for called scripts (Paul Zuber).
* Added code to determine the default gateway on FreeBSD,
allowing the --redirect-gateway option to work
(Juan Rodriguez Hervella).

2004.03.04 -- Version 1.6-rc2

* Fixed bug in Windows version where the NetBIOS node-type
DHCP option might have been passed even if it was not
* Fixed bug in Windows version introduced in 1.6-rc1, where
DHCP timeout would be set to 0 seconds if --ifconfig option
was used and --ip-win32 option was not explicitly specified.
* Added some new --dhcp-option types for Windows version.

2004.03.02 -- Version 1.6-rc1

* For Windows, make "--ip-win32 dynamic" the default.
* For Windows, make "--route-delay 10" the default
unless --ip-win32 dynamic is not used or --route-delay
is explicitly specified.
* L_TLS mutex could have been left in a locked state
for certain kinds of TLS errors.

2004.02.22 -- Version 1.6-beta7

* Allow scheduling priority increase (--nice) together
with UID/GID downgrade (--user/--group).
* Code that causes SIGUSR1 restart on TLS errors in TCP
mode was not activated in pthread builds.
* Save the certificate serial number in an environmental
variable called tls_serial_{n} prior to calling the
--tls-verify script. n is the current cert chain level.
* Added NetBSD IPv6 tunnel capability (also requires
a kernel patch) (Horst Laschinsky).
* Fixed bug in checking the return value of the nice()
function (Ian Pilcher).
* Bug fix in new FreeBSD IPv6 over TUN code which was
originally added in 1.6-beta5 (Nathanael Rensen).
* More Socks5 fixes -- extended the struct frame
infrastructure to accommodate proxy-based encapsulation
* Added --dhcp-option to Windows version for setting
adapter properties such as WINS & DNS servers.
* Use a default route-delay of 5 seconds when
--ip-win32 dynamic is specified (only applicable when
--route-delay is not explicitly specified).
* Added "log_append" registry variable to control
whether the OpenVPN service wrapper on Windows
opens log files in append (log_append="1") or
truncate (log_append="0") mode. The default

2004.02.05 -- Version 1.6-beta6

* UDP over Socks5 fix to accommodate Socks5 encapsulation
overhead (Christof Meerwald).
* Minor --ip-win32 dynamic tweaks (use long lease time,
invalidate existing lease with DHCPNAK).

2004.02.01 -- Version 1.6-beta5

* Added Socks5 proxy support (Christof Meerwald).
* IPv6 tun support for FreeBSD (Thomas Glanzmann).
* Special TAP-Win32 debug mode for Windows self-install that was
enabled in beta4 is now turned off.
* Added some new Solaris notes to INSTALL (Koen Maris).
* More work on --ip-win32 dynamic.

2004.01.27 -- Version 1.6-beta4

* For this beta, the Windows self-install is a debug version
and will run slower -- use only for testing.
* Reverted the --ip-win32 default back to 'ipapi'
* Added the offset parameter to '--ip-win32 dynamic' which
can be used to control the address of the masqueraded
DHCP server which replies to Windows DHCP requests.
* Added a wait/nowait option to --inetd (nowait can only
be used with TCP sockets, TLS authentication, and over
a bridged configuration -- see FAQ for more info)
(Stefan `Sec` Zehl).
* Added a build-time capability where TAP-Win32 driver
debug messages can be output by OpenVPN at --verb 6

2004.01.20 -- Version 1.6-beta2

* Added ./configure --enable-iproute2 flag which
uses iproute2 instead of route + ifconfig --
this is necessary for the LEAF Linux distro
* Added renewal-time and rebind-time to set of
DHCP options returned by the TAP-Win32 driver when
"--ip-win32 dynamic" is used.

2004.01.14 -- Version 1.6-beta1

* Fixed --proxy bug that sometimes caused plaintext
control info generated by the proxy prior to http
CONNECT method establishment to be incorrectly
parsed as OpenVPN data.
* For Windows version, implemented the
"--ip-win32 dynamic" method and made it the default.
This method sets the TAP-Win32 adapter IP address
and netmask by replying to the kernel's DHCP queries.
See the man page for more detailed info.
* Added --connect-retry parameter which controls
the time interval (in seconds) between connect()
retries when --proto tcp-client is used. Previously,
this value was hardcoded to 5 seconds, and still
* --resolv-retry can now be used with a parameter
of "infinite" to retry indefinitely.
* Added SSL_CTX_use_certificate_chain_file() to ssl.c
for support of multi-level certificate chains
* Fixed --tls-auth incompatibility with 1.4.x and earlier
versions of OpenVPN when the passphrase file is an
OpenVPN static key file (as generated by --genkey).
* Added shell-escape support in config files using
the backslash character ("\") so that (for example)
double quotes can be passed to the shell.
* Added "contrib" subdirectory on tarball, source zip,
and CVS containing user-submitted contributions.
* Added an optional patch to the Redhat init script to
allow the configuration file directory to be a
multi-level directory hierarchy (Farkas Levente).
See contrib/multilevel-init.patch
* Added some scripts and documentation on using
Linux "fwmark" iptables rules to enable
fine-grained routing control over the VPN
(Sean Reifschneider, <jafo@tummy.com>).
See contrib/openvpn-fwmarkroute-1.00

2003.11.20 -- Version 1.5.0

* Minor documentation changes.

2003.11.04 -- Version 1.5-beta14

* Fixed build problem with ./configure --disable-ssl
that was reported on Debian woody.
* Fixed bug where --redirect-gateway could not be used
together with --resolv-retry.

2003.11.03 -- Version 1.5-beta13

* Added CRL (certificate revocation list) capability using
--crl-verify option (Stefano Bracalenti).
* Added --replay-window option for variable replay-protection
* Fixed --fragment bug which might have caused certain large
packets to be sent unfragmented.
* Modified --secret and --tls-auth to permit different cipher and
HMAC keys to be used for each data flow direction. Also
increased static key file size generated by --genkey from
1024 to 2048 bits, where 512 bits each are reserved for
send-HMAC, encrypt, receive-HMAC, and decrypt. Key file forward
and backward compatibility is maintained. See --secret option
documentation on the man page for more info.
* Added --tls-remote option (Teemu Kiviniemi).
* Fixed --tls-cipher documentation regarding correct delimiter
usage (Teemu Kiviniemi).
* Added --key-method option for selecting alternative data
channel key negotiation methods. Method 1 is the default.
Method 2 has been added (see man page for more info).
* Added French translation of HOWTO to web site
(Guillaume Lehmann).
* Fixed problem caused by late resolver library load on
certain platforms when --resolv-retry and --chroot are
used together (Teemu Kiviniemi).
* In TCP mode, all decryption or TLS errors will abort the current
connection (this is not done in UDP mode because UDP is
* Fixed a TCP client reconnect bug that only occurs on the
BSDs, where connect() fails with an invalid argument. This
bug was partially (but not completely) fixed in beta7.
* Added "route_net_gateway" environmental variable which contains
the pre-existing default gateway address from the routing table
(there's no standard API for getting the default gateway, so
right now this feature only works on Windows or Linux).
* Renamed the "route_default_gateway" environmental variable to
"route_vpn_gateway" -- this is the remote VPN endpoint.
* The special keywords vpn_gateway, net_gateway, and remote_host
can now be used for the network or gateway components of the
--route option. See the man page for more info.
* Added the --redirect-gateway option to configure the VPN
as the default gateway (implemented on Linux and Windows only).
* Added the --http-proxy option with basic authentication
support for use in TCP client mode. Successfully tested
using Squid as the HTTP proxy, with and without authentication.

2003.10.12 -- Version 1.5-beta12

* Fixed Linux-only bug in --mktun and --rmtun which was
introduced around beta8 or so, which would cause
an error such as "I don't recognize device tun0 as a
tun or tap device1".
* Added --ifconfig-nowarn option to disable options
consistency warnings about --ifconfig parameters.
* Don't allow any kind of sequence number backtracking or
message reordering when in TCP mode.
* Changed beta naming convention to use '_' (underscore)
rather than '-' (dash) to pacify rpmbuild.

2003.10.08 -- Version 1.5-beta11

* Modified code in the Windows version which sets the IP address
and netmask of the TAP-Win32 adapter using the IP Helper API.
Most of the changes involve better error recovery when
the IP Helper API returns an error status. See the
manual page entry on --ip-win32 for more info.

2003.10.08 -- Version 1.5-beta10

* Added getpass() function for Windows version so that --askpass
option works correctly (Stefano Bracalenti).
* Added reboot advisory to end of Win32 install script.
* Changed crypto code to use pseudo-random IVs rather than
carrying forward the IV state from the previous packet.
This is in response to item 2 in the following document:
http://www.openssl.org/~bodo/tls-cbc.txt which points
out weaknesses in TLS's use of the same IV carryforward
approach. This change does not break protocol compatibility
with previous versions of OpenVPN.
* Made a change to the crypto replay protection code to also
protect against certain kinds of packet reordering attacks.
This change does not break protocol compatibility with
previous versions of OpenVPN.
* Added --ip-win32 option to provide several choices for
setting the IP address on the TAP-Win32 adapter.
* #ifdefed out non-CBC crypto modes by default.
* Added --up-delay option to delay TUN/TAP open and --up script
execution until after connection establishment. This option
replaces the earlier windows-only option --tap-delay.

2003.10.01 -- Version 1.5-beta9

* Fixed --route-noexec bug where option was not parsed correctly.
* Complain if --dev tun is specified without --ifconfig on Windows.
* Fixed bug where TCP connections on windows would sometimes cause
an assertion failure.
* Added a new flag to TAP-Win32 advanced properties that allows one
to set the adapter to be always "connected" even when an OpenVPN
process doesn't have it open. The default behavior is to report
a media status of connected only when an OpenVPN process has the
* Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c
DLLs in response to an OpenSSL security advisory.

2003.09.30 -- Version 1.5-beta8

* Extended the --ifconfig option to work on tap devices as well
* Implemented the --ifconfig option for Windows, by calling the
* By default, do an "arp -d *" on Windows after TAP-Win32 open to
refresh the MAC cache. This behaviour can be disabled with
* On Windows, allow the --dev-node parameter (which specifies
the name of the TAP-Win32 adapter) to be omitted in cases where
there is a single TAP-Win32 adapter on the system which can be
assumed to be the default.
* Modified the diagnostic --verb 5 debugging level to print 'R'
for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read,
and 'w' for TUN/TAP write.
* Conditionalize OpenBSD read_tun and write_tun based on tun or tap
* Added IPv6 tun support to OpenBSD (Thomas Glanzmann).
* Make the --enable-mtu-dynamic ./configure option enabled by
* Deprecated the --mtu-dynamic run-time option, in favor of
* DNS names can now be used as --ifconfig parameters.
* Significant work on TAP-Win32 driver to bring up to SMP standards.
* On Windows, fixed dangling IRP problem if TAP-Win32 driver is
unloaded or disabled, while a user-space process has it open.
* On Windows, if --tun-mtu is not specified, it will be read from
the TAP-Win32 driver via ioctl.
* On Windows, added TAP-Win32 driver status info to "F2" keyboard
signal (only when run from a console window).
* Added --mssfix option to control TCP MSS size (YANO Hirokuni).
* Renamed --mtu-dynamic option to --fragment to more accurately
reflect its function. Fragment accepts a single parameter which
is the upper limit on acceptable UDP packet size.
* Changed default --tun-mtu-extra parameter to 32 from 64.
* Eliminated reference to malloc.o in configure.ac.
* Added tun device emulation to the TAP-Win32 driver.
* Added --route and related options.
* Added init script for SuSE Linux (Frank Plohmann).
* Extended option consistency check between peers to function
in all crypto modes, including static-key and cleartext modes.
Previously only TLS mode was supported. Disable with
* Overall, increased the amount of configuration option sanity
checking, especially of networking parameters.
* Added --mtu-test option for empirical MTU measurement.
* Added Windows-only option --tap-delay to not set the TAP-Win32
adapter media state to 'connected' until TCP/UDP connection
establishment with peer.
* Slightly modified --route/--route-delay semantics so that when
--route is given without --route-delay, routes are added
immediately after tun/tap device open. When --route-delay is
specified, routes will be added n seconds after connection
initiation, where n is the --route-delay parameter (which
* Made TCP framing error into a non-fatal error that triggers a

2003.08.28 -- Version 1.5-beta7

* Fixed bug that caused OpenVPN not to respond to exit/restart
signals when --resolv-retry is used and a local or remote DNS
name cannot be resolved.
* Exported a series of environmental variables with useful
info for scripts. See man page for more info. Based
on a suggestion by Anthony Ciaravalo.
* Moved TCP/UDP socket bind to a point in the initialization
before the --up script gets called. This is desirable
because (a) a socket bind failure will happen before
daemonization, allowing an error status code to be returned
to the shell and (b) the possibility is eliminated of a
socket bind failure causing the --up script to be run
but not the --down script. This change has a side effect
that --resolv-retry will no longer work with --local.
* Fixed bug where if an OpenVPN TCP server went down and back
up again, Solaris or FreeBSD clients would fail to reconnect
* Fixed bug that prevented OpenVPN from being run by
inetd/xinetd in TCP mode.
* Added --log and --log-append options for logging messages to
* On Windows, check that the current user is a member of the
Administrator group before attempting install or uninstall.

2003.08.16 -- Version 1.5-beta6

* Fixed TAP-Win32 driver to properly increment the Rx/Tx count.

2003.08.14 -- Version 1.5-beta5

* Added user-configurability of the TAP-Win32 adapter MTU
through the adapter advanced properties page.
* Added Windows Service support.
* On Windows, added file association and right-clickability
for .ovpn files (OpenVPN config files).

2003.08.05 -- Version 1.5-beta4

* Extra refinements and error checking added to Windows
NSIS install script.

2003.08.05 -- Version 1.5-beta3

* Added md5.h include to crypto.c to fix build problem on
* Created a Win32 installer using NSIS.
* Removed DelService command from TAP-Win32 INF file. It appears
to be not necessary and it interfered with the ability to
uninstall and reinstall the driver without needing to reboot.
* On Windows version, added "addtap" and "deltapall" batch
files to add and delete TAP-Win32 adapter instances.

2003.07.31 -- Version 1.5-beta2

* Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted
in Windows ASCII so it's easier to click and view.
* Added postscript and PDF versions of the HOWTO to the web
* Merged Michael Clarke's stability patch into TAP-Win32
driver which appears to fix the suspend/resume driver bug
and significantly improve driver stability.
* Added Christof Meerwald's Media Status patch to the
TAP-Win32 driver which shows the TAP adapter to be
disconnected when OpenVPN is not running.
* Moved socket connect and TCP server listen code to a later
point in openvpn() function so that the TCP server listen
state is entered after daemonization.
* Added keyboard shortcuts to simulate signals in the Windows
version, see the window title bar for descriptions.

2003.07.24 -- Version 1.5-beta1

* Added TCP support via the new --proto option.
* Renamed udp-centric options such as --udp-mtu to
--link-mtu (old option names preserved for compatibility).
* Ported to Windows 2000 + XP using mingw and a TAP driver
derived from the Cipe-Win32 project by Damion K. Wilson.
* Added --show-adapters flag for windows version.
* Reworked the SSL/TLS packet acknowledge code to better
handle certain corner cases.
* Turned off the default enabling of IP forwarding in the
sample-scripts/openvpn.init script for Redhat.
Forwarding can be enabled by users in their --up scripts
* Added --up-restart option based on suggestion from Sean
* If --dev tap or --dev-type tap is specified, --tun-mtu
defaults to 1500 and --tun-mtu-extra defaults to 64.
* Enabled --verb 5 debugging mode that prints 'R' and 'W'
for each packet read or write on the TCP/UDP socket.

2003.08.04 -- Version 1.4.3

* Added md5.h include to crypto.c
to fix build problem on OpenBSD.

2003.07.15 -- Version 1.4.2

* Removed adaptive bandwidth from
--mtu-dynamic -- its absence appears
to work better than its existence (1.4.1.2).
* Minor changes to --shaper to fix long
retransmit timeouts at low bandwidth
* Added LOG_RW flag to openvpn.h for
debugging (1.4.1.2).
* Silenced spurious configure warnings (1.4.1.2).
* Backed out --dev-name patch, modified --dev
to offer equivalent functionality (1.4.1.4).
* Added an optional parameter to --daemon and
--inetd to support the passing of a custom
program name to the system logger (1.4.1.5).
* Add compiled-in options to the program title
* Coded the beginnings of a WIN32 port (1.4.1.5).
* Succeeded in porting to Win32 Mingw environment
and running loopback tests (1.4.1.6). Still
need a kernel driver for full Win32
* Fixed a bug in error.h where
HAVE_CPP_VARARG_MACRO_GCC was misspelled.
This would have caused a significant slowdown
of OpenVPN when built by compilers that
lack ISO C99 vararg macros (1.4.1.6).
* Created an init script for Gentoo Linux
in ./gentoo directory (1.4.1.6).

2003.05.15 -- Version 1.4.1

* Modified the Linux 2.4 TUN/TAP open code to
fall back to the 2.2 TUN/TAP interface if the
open or ioctl fails.
* Fixed bug when --verb is set to 0 and non-fatal
socket errors occur, causing 100% CPU utilization.
Occurs on platforms where
EXTENDED_SOCKET_ERROR_CAPABILITY is defined,
* Fixed typo in tun.c that was preventing
* Added --enable-mtu-dynamic configure option
to enable --mtu-dynamic experimental option.

2003.05.07 -- Version 1.4.0

* Added --replay-persist feature to allow replay
protection across sessions.
* Fixed bug where --ifconfig could not be used
* Added --tun-mtu-extra parameter to deal with
the situation where a read on a TUN/TAP device
returns more data than the device's MTU size.
* Fixed bug where some IPv6 support code for
Linux was not being properly ifdefed out for
Linux 2.2, causing compile errors.
* Added OPENVPN_EXIT_STATUS_x codes to
openvpn.h to control which status value
openvpn returns to its caller (such as
a shell or inetd/xinetd) for various conditions.
* Added OPENVPN_DEBUG_COMMAND_LINE flag to
openvpn.h to allow debugging in situations
where stdout, stderr, and syslog cannot be used
for message output, such as when OpenVPN is
instantiated by inetd/xinetd.
* Removed owner-execute permission from file
created by static key generator (Herbert Xu
and Alberto Gonzalez Iniesta).
* Added --passtos option to allow IPv4 TOS bits
to be passed from TUN/TAP input packets to
the outgoing UDP socket (Craig Knox).
* Added code to prevent open socket file descriptors
from being accessible to called scripts.
* Added --dev-name option (Christian Lademann).
* Added --mtu-disc option for manual control
* Show OS MTU value on UDP socket write failures
* Numerous build system and portability
fixes (Matthias Andree).
* Added better sensing of compiler support for
variable argument macros, including (a) gcc
style, (b) ISO C 1999 style, and (c) no support.
* Removed generated files from CVS. Note INSTALL
file for new CVS build commands.
* Changed certain internal symbol names
for C standards compliance.
* Added TUN/TAP open code to cycle dynamically
through unit numbers until it finds a free
unit (based on code from Thomas Gielfeldt
* Added dynamic MTU and fragmenting infrastructure
(Experimental). Rebuild with FRAGMENT_ENABLE
* Minor changes to SSL/TLS negotiation, use
exponential backoff on retransmits, and use
a smaller MTU size (note that no protocol
changes have been made which would break
compatibility with 1.3.x).
* Added --enable-strict-options flag
to ./configure. This option will cause
a more strict check for options compatibility
between peers when SSL/TLS negotiation is used,
but should only be used when both OpenVPN peers
are of the same version.
* Reorganization of debugging levels.
* Added a workaround in configure.ac for
default SSL header location on Linux
to fix RH9 build problem.
* Fixed potential deadlock when pthread support
is used on OSes that allocate a small socketpair()
* Fixed openvpn.init to be sh compliant
* Changed --daemon to wait until all
initialization is finished before becoming a
daemon, for the benefit of initialization
scripts that want a useful return status from
the openvpn command.
* Made openvpn.init script more robust, including
positive indication of initialization errors
in the openvpn daemon and better sanity checks.
* Changed --chroot to wait until initialization
is finished before calling chroot(), and allow
the use of --user and --group with --chroot.
* When syslog logging is enabled (--daemon or
--inetd), set stdin/stdout/stderr to point
* For inetd instantiations, dup socket descriptor
* Fixed bug in verify-cn script, where test would
incorrectly fail if CN=x was the last component
of the X509 composite string (Anonymous).
* Added Markus F.X.J. Oberhumer's special
license exception to COPYING.

2002.10.23 -- Version 1.3.2

* Added SSL_CTX_set_client_CA_list call
to follow the canonical form for TLS initialization
recommended by the OpenSSL docs. This change allows
better support for intermediate CAs and has no impact
* Added build-inter script to easy-rsa package, to
facilitate the generation of intermediate CAs.
* Ported to NetBSD (Dimitri Goldin).
* Fixed minor bug in easy-rsa/sign-req. It refers to
openssl.cnf file, instead of $KEY_CONFIG, like all
other scripts (Ernesto Baschny).
* Added --days 3650 to the root CA generation command
in the HOWTO to override the woefully small 30 day
default (Dominik 'Aeneas' Schnitzer).
* Fixed bug where --ping-restart would sometimes
not re-resolve remote DNS hostname.
* Added --tun-ipv6 option and related infrastructure
support for IPv6 over tun.
* Added IPv6 over tun support for Linux (Aaron Sethman).
* Added FreeBSD 4.1.1+ TUN/TAP driver notes to
INSTALL (Matthias Andree).
* Added inetd/xinetd support (--inetd) including
documentation in the HOWTO.
* Added "Important Note on the use of commercial certificate
authorities (CAs) with OpenVPN" to HOWTO based on
issues raised on the openvpn-users list.

2002.07.10 -- Version 1.3.1

* Fixed bug in openvpn.spec and openvpn.init
which caused RPM upgrade to fail.

2002.07.10 -- Version 1.3.0

* Added --dev-node option to allow explicit selection of
tun/tap device node.
* Removed mlockall call from child thread, as it doesn't
appear to be necessary (child thread inherits mlockall
* Added --ping-timer-rem which causes timer for --ping-exit
and --ping-restart not to run unless we have a remote IP
* Added condrestart to openvpn.init and openvpn.spec
* Added --ifconfig case for FreeBSD (Matthias Andree).
* Call openlog with facility=LOG_DAEMON (Matthias Andree).
* Changed LOG_INFO messages to LOG_NOTICE.
* Added warning when key files are group/others accessible.
* Added --single-session flag for TLS mode.
* Fixed bug where --writepid would segfault if used with
an invalid filename.
* Fixed bug where --ipchange status message was formatted
* Print more concise error message when system() call
* Added --disable-occ option.
* Added --local, --remote, and --ifconfig options sanity
* Changed default UDP MTU to 1300 and TUN/TAP MTU to
* Successfully tested with OpenSSL 0.9.7 Beta 2.
* Broke out debug level definitions to errlevel.h
* Minor documentation and web site changes.
* All changes maintain protocol compatibility
with OpenVPN versions since 1.1.0, however default
MTU changes will require setting the MTU explicitly
by command line option, if you want 1.3.0 to
communicate with previous versions.

2002.06.12 -- Version 1.2.1

* Added --ping-restart option to restart
connection on ping timeout using SIGUSR1
logic (Matthias Andree).
* Added --persist-tun, --persist-key,
--persist-local-ip, and --persist-remote-ip
options for finer-grained control over SIGUSR1
and --ping-restart restarts. To
replicate previous SIGUSR1 functionality,
use --persist-remote-ip.
* Changed residual IV fetching code to take
IV from tail of ciphertext.
* Added check to make sure that CFB or OFB
cipher modes are only used with SSL/TLS
authentication mode, and added a caveat
* Changed signal handling during initialization
(including re-initialization during restarts)
to exit on SIGTERM or SIGINT and ignore other
signals which would ordinarily be caught.
* Added --resolv-retry option to allow
retries on hostname resolution.
* Expanded the --float option to also
allow dynamic changes in source port number
on incoming datagrams.
* Added --mute option to limit repetitive
logging of similar message types.
* Added --group option to downgrade GID
after initialization.
* Try to set ifconfig path automatically
* Added --ifconfig code for Mac OS X
(Christoph Pfisterer).
* Moved "Peer Connection Initiated" message
* Successfully tested with
OpenSSL 0.9.7 Beta 1 and AES cipher.
* Added RPM notes to INSTALL.
* Added ACX_PTHREAD (from the autoconf
macro archive) to configure.ac
to figure out the right pthread
options for a given platform.
* Broke out macro definitions from
configure.ac to acinclude.m4.
* Minor changes to docs and HOWTO.
* All changes maintain protocol compatibility
with OpenVPN versions since 1.1.0.

2002.05.22 -- Version 1.2.0

* Added configuration file support via
the --config option.
* Added pthread support to improve latency.
With pthread support, OpenVPN
will offload CPU-intensive tasks such as RSA
key number crunching to a background thread
to improve tunnel packet forwarding
latency. pthread support can be enabled
with the --enable-pthread configure option.
Pthread support is currently available
only for Linux and Solaris.
* Added --dev-type option so that tun/tap
device names don't need to begin with
* Added --writepid option to write main
process ID to a file.
* Numerous portability fixes to ease
porting to other OSes including changing
all network types to uint8_t and uint32_t,
and not assuming that time_t is 32 bits.
* Backported to OpenSSL 0.9.5.
* Ported to Solaris.
* Finished OpenBSD port except for
* Added initialization script:
sample-scripts/openvpn.init
* Ported to Mac OS X (Christoph Pfisterer).
* Improved resilience to DoS attacks when
TLS mode is used without --remote or
--tls-auth, or when --float is used
with --remote. Note however that the best
defense against DoS attacks in TLS mode
is to use --tls-auth.
* Eliminated automake/autoconf dependency
* Ported configure.in to configure.ac
* SIGHUP signal now causes OpenVPN to restart
and re-read command line and or config file,
in conformance with canonical daemon behaviour.
* SIGUSR1 now does what SIGHUP did in
version 1.1.1 and earlier -- close and reopen
the UDP socket for use when DHCP changes
host's IP address and preserve most recently
authenticated peer address without rereading
* SIGUSR2 added -- outputs current statistics,
including compression statistics.
* All changes maintain protocol compatibility
with 1.1.1 and 1.1.0.

2002.04.22 -- Version 1.1.1

* Added --ifconfig option to automatically configure
* Added inactivity disconnect (--inactive
and --ping-exit options).
* Added --ping option to keep stateful firewalls
* Added sanity check to command line parser to
err if any TLS options are used in non-TLS mode.
* Fixed build problem with compiler environments that
define printf as a macro.
* Fixed build problem on linux systems that have
an integrated TUN/TAP driver but lack the persistent
tunnel feature (TUNSETPERSIST). Some linux kernels
>= 2.4.0 and < 2.4.7 fall into this category.
* Changed all calls to EVP_CipherInit to use explicit
encrypt/decrypt mode in order to fix problem with
IDEA-CBC and AES-256-CBC ciphers.
* Minor changes to control channel transmit limiter
algorithm to fix problem where TLS control channel
might not renegotiate within the default 60 second window.
* Simplified man page examples by taking advantage
of the new --ifconfig option.
* Minor changes to configure.in to check more
rigorously for OpenSSL 0.9.6 or greater.
* Put back openvpn.spec, eliminated
* Modified openvpn.spec to reflect new automake-based
build environment (Bishop Clark).
* Other documentation changes.
* Added --test-crypto option for debugging.
* Added "missing" and "mkinstalldirs" automake
2249 2002.04.09 -- Version 1.1.0
2251 * Strengthened replay protection and IV handling,
2252 extending it fully to both static key and
2253 TLS dynamic key exchange modes.
2254 * Added --mlock option to disable paging and ensure that key
2255 material and tunnel data is never paged to disk.
2256 * Added optional traffic shaping feature to cap the maximum
2257 data rate of the tunnel.
2258 * Converted to automake (The Platypus Brothers 2002-04-01).
2259 * Ported to OpenBSD by Janne Johansson.
2260 * Added --tun-af-inet option to work around an incompatibility
2261 between Linux and BSD tun drivers.
2262 * Sequence number-based replay protection using the
2263 IPSec sliding window model is now the default,
2264 disable with --no-replay.
2265 * Explicit IV is now the default, disable with --no-iv.
2266 * Disabled all cipher modes except CBC, CFB, and OFB.
2267 * In CBC mode, use explicit IV and carry forward residuals,
2269 * In CFB/OFB mode, IV is timestamp, sequence number.
2270 * Eliminated --packet-id, --timestamp, and max-delta parameter to
2271 the --tls-auth option as they are now supplanted by improved
2272 replay code which is enabled by default.
2273 * Eliminated --rand-iv as it is now obsolete with improved
2275 * Eliminated --reneg-err option as it increases vulnerability
2277 * Added weak key check for DES ciphers.
2278 * --tls-freq option is no longer specified on the command line,
2279 instead it now inherits its parameter from the
2280 --tls-timeout option.
2281 * Fixed bug that would try to free memory on exit that was
2282 never malloced if --comp-lzo was not specified.
2283 * Errata fixed in the man page examples: "test-ca" should be
2285 * Updated manual page.
2286 * Preliminary work in porting to OpenSSL 0.9.7.
2287 * Changed license to allow linking with OpenSSL.
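The 1.1.0 entries above make sequence-number replay protection on the IPsec sliding-window model the default. The following is an added illustration of that model, written for this page; it is not OpenVPN's own packet_id code, and the 64-entry window, the 32-bit sequence numbers starting at 1, and the constructed packet trace in replay_demo() are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Anti-replay window in the style of the IPsec sliding window
 * (RFC 2401, Appendix C). last_seq is the highest sequence number
 * accepted so far; bit i of bitmap is set when last_seq - i has
 * been seen. Window size is an assumption for this example. */
#define REPLAY_WINDOW 64

struct replay_window {
    uint32_t last_seq;
    uint64_t bitmap;
};

void replay_init(struct replay_window *w)
{
    w->last_seq = 0;
    w->bitmap = 0;
}

/* Check and record one sequence number.
 * Returns true if the packet is fresh (accept), false if it is a
 * replay or older than the window (drop). */
bool replay_check(struct replay_window *w, uint32_t seq)
{
    if (seq == 0)
        return false;            /* first valid sequence number is 1 */

    if (seq > w->last_seq) {
        /* New high-water mark: slide the window forward. */
        uint32_t diff = seq - w->last_seq;
        if (diff >= REPLAY_WINDOW)
            w->bitmap = 1;       /* entire old window falls off the end */
        else
            w->bitmap = (w->bitmap << diff) | 1;
        w->last_seq = seq;
        return true;
    }

    uint32_t diff = w->last_seq - seq;
    if (diff >= REPLAY_WINDOW)
        return false;            /* too old to remember: must drop */

    uint64_t bit = (uint64_t)1 << diff;
    if (w->bitmap & bit)
        return false;            /* already seen: replay */
    w->bitmap |= bit;            /* late but never seen: accept */
    return true;
}

/* Constructed packet trace (not real traffic): in-order packets, a
 * duplicate, a jump far ahead, a late-but-fresh packet, a replay of
 * it, one packet exactly 64 behind (too old), one 63 behind (in
 * window), and sequence number 0. Returns the number of packets
 * accepted, or -1 if any verdict differs from the expected one. */
int replay_demo(void)
{
    static const uint32_t trace[]    = { 1, 2, 2, 100, 99, 99, 36, 37, 0 };
    static const bool     expected[] = { 1, 1, 0,   1,  1,  0,  0,  1, 0 };
    struct replay_window w;
    int accepted = 0;

    replay_init(&w);
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        bool ok = replay_check(&w, trace[i]);
        if (ok != expected[i])
            return -1;
        if (ok)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("accepted %d packets from the constructed trace\n", replay_demo());
    return 0;
}
```

The point of the bitmap is that a packet arriving out of order but inside the window is still accepted exactly once, while anything older than the window is dropped unconditionally because the receiver can no longer tell a late packet from a replay; the check is only meaningful after the packet's HMAC has been verified, otherwise an attacker could advance last_seq with forged headers.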
2289 2002.03.29 -- Version 1.0.3
2291 * Fixed a problem in configure with library ordering on the
2294 2002.03.28 -- Version 1.0.2
2296 * Improved the efficiency of the inner event loop.
2297 * Fixed a minor bug with timeout handling.
2298 * Improved the build system to build on RH 6.2 through 7.2.
2299 * Added an openvpn.spec file for RPM builders (Bishop Clark).
2301 2002.03.23 -- Version 1.0
2303 * Added TLS-based authentication and key exchange.
2304 * Added gremlin mode to stress test.
2307 2001.12.26 -- Version 0.91
2309 * Added any choice of cipher or HMAC digest.
2311 2001.5.13 -- Version 0.90
2314 * IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature.