OpenVPN ChangeLog
-Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
+Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
+
+2025.05.28 -- Version 2.7_alpha1
+
+5andr0 (1):
+ Implement server_poll_timeout for socks
+
+Alexander von Gluck (4):
+ Haiku: Introduce basic platform / tun support
+ Haiku: Add calls to manage routing table
+ Haiku: change del to delete in route command. del is undocumented
+ Haiku: Fix short interface path length
+
+Antonio Quartulli (32):
+ disable DCO if --secret is specified
+ dco: properly re-initialize dco_del_peer_reason
+ dco: bail out when no peer-specific message is delivered
+ dco: improve comment about hidden debug message
+ dco: print proper message in case of transport disconnection
+ dco_linux: update license for ovpn_dco_linux.h
+ Update issue templates
+ Avoid warning about missing braces when initialising key struct
+ dco: don't use NetLink to exchange control packets
+ dco: print version to log if available
+ dco-linux: remove M_ERRNO flag when printing netlink error message
+ multi: don't call DCO APIs if DCO is disabled
+ dco-freebsd: use m->instances[] instead of m->hash
+ dco-linux: implement dco_get_peer_stats{, multi} API
+ configure.ac: fix typ0 in LIBCAPNG_CFALGS
+ dco: fix crash when --multihome is used with --proto tcp
+ dco: mark peer as deleted from kernel after receiving CMD_DEL_PEER notification
+ event/multi: add event_arg object to make event handling more generic
+ pass link_socket object to i/o functions
+ io_work: convert shift argument to uintptr_t
+ io_work: pass event_arg object to event handler in case of socket event
+ sitnl: replace NLMSG_TAIL macro with noinline function
+ override ai_family if 'local' numeric address was specified
+ Adapt socket handling to support listening on multiple sockets
+ allow user to specify 'local' multiple times in config files
+ dco_linux: extend netlink error cb with extra info
+ man: extend --persist-tun section
+ dco: pass remoteaddr only for UDP peers
+ socket: use remote proto when creating client sockets
+ dco_linux: fix peer stats parsing with new ovpn kernel module
+ socket: don't transfer bind family to socket in case of ANY address
+ dco_linux: avoid bogus text when netlink message is not parsed
+
+Aquila Macedo (1):
+ doc: Correct typos in multiple documentation files
+
+Arne Schwabe (190):
+ Fix connection cookie not including address and fix endianness in test
+ Fix unit test of test_pkt on little endian Linux
+ Disable DCO when TLS mode is not used
+ Ignore connection attempts while server is shutting down
+ Improve debug logging of DCO swap key message and Linux dco_new_peer
+ Trigger a USR1 if dco_update_keys fails
+ Set DCO_NOT_INSTALLED also for keys not in the get_key_scan range
+ Ensure that argument to parse_line has always space for final sentinel
+ Improve documentation on user/password requirement and unicodize function
+ Eliminate or comment empty blocks and switch fallthrough
+ Remove unused gc_arena
+ Fix corner case that might lead to leaked file descriptor
+ Deprecate NTLMv1 proxy auth method.
+ Use include "buffer.h" instead of include <buffer.h>
+ Ensure that dco keepalive and mssfix options are also set in pure p2p mode
+ Make management password check constant time
+ Rename TM_UNTRUSTED to TM_INITIAL, always start session in TM_INITIAL rather than TM_ACTIVE or TM_INITIAL
+ Move dco_installed back to link_socket from link_socket.info.actual
+ Do not set nl socket buffer size
+ Also drop incoming dco packet content when dropping the packet
+ Improve logging when seeing a message for an unkown peer
+ Ignore OVPN_DEL_PEER_REASON_USERSPACE to avoid race conditions
+ Replace custom min macro and use more C99 style in man_remote_entry_get
+ Replace realloc with new gc_realloc function
+ Add connect-freq-initial option to limit initial connection responses
+ Log peer-id if loglevel is D_DCO_DEBUG and dco is enabled
+ Deprecate OCC checking
+ Workaround: make ovpn-dco more reliable
+ Fix unaligned access in auth-token
+ Update LibreSSL to 3.7.0 in Github actions
+ Add printing USAN stack trace on github actions
+ Fix LibreSSL not building in Github Actions
+ Add missing stdint.h includes in unit tests files
+ Combine extra_tun/frame parameter of frame_calculate_payload_overhead
+ Update the last sections in the man page to a be a bit less outdated
+ Add building unit tests with mingw to github actions
+ Revise the cipher negotiation info about OpenVPN3 in the man page
+ Exit if a proper message instead of segfault on Android without management
+ Use proper print format/casting when converting msg_channel handle
+ Reduce initialisation spam from verb <= 3 and print summary instead
+ Dynamic tls-crypt for secure soft_reset/session renegotiation
+ Set netlink socket to be non-blocking
+ Ensure n = 2 is set in key2 struct in tls_crypt_v2_unwrap_client_key
+ Fix memory leaks in open_tun_dco()
+ Fix memory leaks in HMAC initial packet generation
+ Use key_state instead of multi for tls_send_payload parameter
+ Make sending plain text control message session aware
+ Only update frame calculation if we have a valid link sockets
+ Improve description of compat-mode
+ Simplify --compress parsing in options.c
+ Refuse connection if server pushes an option contradicting allow-compress
+ Add 'allow-compression stub-only' internally for DCO
+ Parse compression options and bail out when compression is disabled
+ Remove unused variable line
+ Add Apache2 linking with for new commits
+ Fix compile error on TARGET_ANDROID
+ Fix use-after-free with EVP_CIPHER_free
+ Remove key_type argument from generate_key_random
+ add basic CMake based build
+ Avoid unused function warning/error on FreeBSD (and potientially others)
+ Do not blindly assume python3 is also the interpreter that runs rst2html
+ Only add -Wno-stringop-truncation on supported compilers
+ fix warning with gcc 12.2.0 (compiler bug?)
+ Fix CR_RESPONSE mangaement message using wrong key_id
+ Print a more user-friendly error when tls-crypt-v2 client auth fails
+ Ignore Ipv6 route delete request on Android and set ipv4 verbosity to 7
+ Mock openvpn_exece on win32 also for test_tls_crypt
+ Check if the -wrap argument is actually supported by the platform's ld
+ Revert commit 423ced962d
+ Implement using --peer-fingerprint without CA certificates
+ show extra info for OpenSSL errors
+ Remove ability to use configurations without TLS by default
+ Add warning for the --show-groups command that some groups are missing
+ Print peer temporary key details
+ Add warning if a p2p NCP client connects to a p2mp server
+ Remove openssl engine method for loading the key
+ Add undefined and abort on error to clang sanitize builds
+ Add --enable-werror to all platforms in Github Actions
+ Remove saving initial frame code
+ Double check that we do not use a freed buffer when freeing a session
+ Fix using to_link buffer after freed
+ Remove CMake custom compiler flags for RELEASE and DEBUG build
+ Do not check key_state buffers that are in S_UNDEF state
+ Remove unused function prototype crypto_adjust_frame_parameters
+ Introduce report_command_status helper function
+ Log SSL alerts more prominently
+ Remove unused/unneeded/add missing defines from configure/cmake
+ Document tls-exit option mainly as test option
+ Remove dead remains of extract_x509_field_test
+ Replace character_class_debug with proper unit test
+ Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway
+ Fix check_session_buf_not_used using wrong index
+ Add missing check for nl_socket_alloc failure
+ Add check for nice in cmake config
+ Minimal Solaris/OpenIndiana support to Cmake and clean up -Werror
+ Remove compat versionhelpers.h and remove cmake/configure check for it
+ Rename state_change to continue_tls_process
+ Move tls_get_cipher_name_pair and get_num_elements to ssl_utils.c
+ Fix building mbed TLS with CMake and allow specifying custom directories
+ Extend the error message when TLS 1.0 PRF fails
+ Fix unaligned access in macOS, FreeBSD, Solaris hwaddr
+ Check PRF availability on initialisation and add --force-tls-key-material-export
+ Make it more explicit and visible when pkg-config is not found
+ Clarify that the tls-crypt-v2-verify has a very limited env set
+ Move get_tmp_dir to win32-util.c and error out on failure
+ Implement the --tls-export-cert feature
+ Use mingw compile definition also to unit tests
+ Add test_ssl unit test and test export of PEM to file
+ Remove conditional text for Apache2 linking exception
+ Fix ssl unit tests on OpenSSL 1.0.2
+ Ensure that all unit tests use unbuffered stdout and stderr
+ Allow unit tests to fall back to hard coded location
+ Add unit test for encrypting/decrypting data channel
+ Print SSL peer signature information in handshake debug details
+ Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs
+ Turn dead list test code into unit test
+ Use snprintf instead of sprintf for get_ssl_library_version
+ Fix snprintf/swnprintf related compiler warnings
+ Add bracket in fingerprint message and do not warn about missing verification
+ Match ifdef for get_sigtype function with if ifdef of caller
+ Remove/combine redundant call of EVP_CipherInit before EVP_CipherInit_Ex
+ Add missing EVP_KDF_CTX_free in ssl_tls1_PRF
+ Replace macos11 with macos14 in github runners
+ Remove openvpn_snprintf and similar functions
+ Repeat the unknown command in errors from management interface
+ Only run coverity scan in OpenVPN/OpenVPN repository
+ Support OpenBSD with cmake
+ Workaround issue in LibreSSL crashing when enumerating digests/ciphers
+ Remove OpenSSL 1.0.2 support
+ Remove custom TLS 1.0 PRF implementation only used by LibreSSL/wolfSSL
+ Allow the TLS session to send out TLS alerts
+ Properly handle null bytes and invalid characters in control messages
+ Allow trailing \r and \n in control channel message
+ Add Ubuntu 24.04 runner to Github Actions
+ Implement support for AEAD tag at the end
+ Remove check for anonymous unions from configure and cmake config
+ Make read/write_tun_header static
+ Avoid SIGUSR1 to SIGHUP remapping when the configuration is read from stdin
+ Move to common backend_driver type in struct tuntap
+ Introduce DRIVER_AFUNIX backend for use with lwipovpn
+ Change dev null to be a driver type instead of a special mode of tun/tap
+ Use print_tun_backend_driver instead of custom code to print type
+ Automatically enable ifconfig-exec/route-exec behaviour for afunix tun/tap
+ Ensure that the AF_UNIX socket pair has at least 65k of buffer space
+ Fix check for CMake not detecting struct cmsg
+ Remove null check after checking for checking for did_open_tun
+ Remove a large number of unused structs and functions
+ Remove unused methods write_key/read_key
+ Refuse clients if username or password is longer than USER_PASS_LEN
+ Move should_trigger_renegotiation into its own function
+ Change --reneg-bytes and --reneg-packets to 64 bit counters
+ Use XOR instead of concatenation for calculation of IV from implicit IV
+ Trigger renegotiation of data key if getting close to the AEAD usage limit
+ Implement HKDF expand function based on RFC 8446
+ Split init_key_ctx_bi into send/recv init
+ Move initialisation of implicit IVs to init_key_ctx_bi methods
+ Change internal id of packet id to uint64
+ Add small unit test for buf_chomp
+ Add building/testing with msbuild and the clang compiler
+ Ensure that Python3 is available
+ Change API of init_key_ctx to use struct key_parameters
+ Allow DEFAULT in data-ciphers and report both expanded and user set option
+ Do not attempt to decrypt packets anymore after 2**36 failed decryptions
+ Add methods to read/write packet ids for epoch data
+ Implement methods to generate and manage OpenVPN Epoch keys
+ Rename aead-tag-at-end to aead-epoch
+ Improve peer fingerprint documentation
+ Remove comparing username to NULL in tls_lock_username
+ Print warnings/errors when numerical parameters cannot be parsed
+ Add unit tests for atoi parsing options helper
+ Improve error reporting from AF_UNIX tun/tap support
+ Fix typo in positive_atoi
+ Fix oversight of link socket code change in Android code path
+ Implement epoch key data format
+ Extend the unit test for data channel packets with aead limit tests
+ Add (fake) Android cmake building
+ Add android build to Github Actions
+ Reconnect when TCP is on use on network-change management command
+ Implement override-username
+ Fix incorrect condition for checking password related check
+ Directly use _countof in array initialisation
+ Improve documentation for override-username
+ Mention address if not unspecific on DNS failure
+ Do not leave half-initialised key wrap struct when dynamic tls-crypt fails
+ Allow tls-crypt-v2 to be setup only on initial packet of a session
+ Use SSL_get0_peer_signature_name instead of SSL_get_peer_signature_nid
+ Use USER_PASS_LEN instead of TLS_USERNAME_LEN for override-username
+ Also print key agreement when printing negotiated details
+ Fix mbed TLS key exporter functionality in 3.6.x and cmake
+ Make --dh none behaviour default if not specified
+
+Ben Boeckel (1):
+ console_systemd: remove the timeout when using 'systemd-ask-password'
+
+Christoph Schug (1):
+ Update documentation references in systemd unit files
+
+Corubba Smith (3):
+ Support IPv6 towards port-share proxy receiver
+ Document x509-username-fields oid usage
+ Remove x509-username-fields uppercasing
+
+David Sommerseth (4):
+ ssl_verify: Fix memleak if creating deferred auth control files fails
+ ntlm: Clarify details on NTLM phase 3 decoding
+ Remove --tls-export-cert
+ Remove superfluous x509_write_pem()
+
+Franco Fichtner (1):
+ Allow to set ifmode for existing DCO interfaces in FreeBSD
+
+Frank Lichtenheld (174):
+ options.c: fix format security error when compiling without optimization
+ options.c: update usage description of --cipher
+ Update copyright year to 2023
+ xkey_pkcs11h_sign: fix dangling pointer
+ options: Always define options->management_flags
+ check_engine_keys: make pass with OpenSSL 3
+ documentation: update 'unsupported options' section
+ Changes.rst: document removal of --keysize
+ Windows: fix unused function setenv_foreign_option
+ Windows: fix unused variables in delete_route_ipv6
+ Windows: fix wrong printf format in x_check_status
+ Windows: fix unused variable in win32_get_arch
+ configure: enable DCO by default on FreeBSD/Linux
+ Windows: fix signedness errors with recv/send
+ configure: fix formatting of --disable-lz4 and --enable-comp-stub
+ tests/unit_tests: Fix 'make distcheck' with subdir-objects enabled
+ GHA: remove Ubuntu 18.04 builds
+ vcpkg: request "tools" feature of openssl for MSVC build
+ Do not include net/in_systm.h
+ version.sh: remove
+ doc: run rst2* with --strict to catch warnings
+ man page: Remove cruft from --topology documentation
+ tests: do not include t_client.sh in dist
+ vcpkg-ports/pkcs11-helper: Make compatible with mingw build
+ vcpkg-ports/pkcs11-helper: Convert CONTROL to vcpkg.json
+ vcpkg-ports/pkcs11-helper: reference upstream PRs in patches
+ dco_linux: properly close dco version file
+ DCO: fix memory leak in dco_get_peer_stats_multi for Linux
+ Fix two unused assignments
+ sample-plugins: Fix memleak in client-connect example plugin
+ tests: Allow to override openvpn binary used
+ test_buffer: add tests for buf_catrunc and its caller format_hex_ex
+ buffer: use memcpy in buf_catrunc
+ options: remove --key-method from usage message
+ msvc-generate: include version.m4.in in tarball
+ dist: add more missing files only used in the MSVC build
+ vcpkg-ports/pkcs11-helper: rename patches to make file names shorter
+ unit_tests: Add missing cert_data.h to source list for unit tests
+ dist: Include all documentation in distribution
+ CMake: Add complete MinGW and MSVC build
+ Remove all traces of the previous MSVC build system
+ CMake: Add /Brepro to MSVC link options
+ GHA: update to run-vcpkg@v11
+ test_tls_crypt: Improve mock() usage to be more portable
+ CMake: Throw a clear error when config.h in top-level source directory
+ CMake: Support doc builds on Windows machines that do not have .py file association
+ Remove old Travis CI related files
+ README.cmake.md: Add new documentation for CMake buildsystem
+ GHA: refactor mingw UTs and add missing tls_crypt
+ GHA: Add macos-13
+ options: Do not hide variables from parent scope
+ pkcs11_openssl: Disable unused code
+ route: Fix overriding return value of add_route3
+ CMake: various small non-functional improvements
+ GHA: do not trigger builds in openvpn-build anymore
+ Remove --no-replay option
+ GHA: new workflow to submit scan to Coverity Scan service
+ doc: fix argument name in --route-delay documentation
+ Change type of frame.mss_fix to uint16_t
+ Remove last uses of inet_ntoa
+ mss/mtu: make all size calculations use size_t
+ dev-tools/gerrit-send-mail.py: tool to send Gerrit patchsets to Patchwork
+ gerrit-send-mail.py: Add patch version to subject
+ Add mbedtls3 GHA build
+ platform.c: Do not depend Windows build on HAVE_CHDIR
+ sample-keys: renew for the next 10 years
+ GHA: clean up libressl builds with newer libressl
+ configure.ac: Remove unused AC_TYPE_SIGNAL macro
+ documentation: remove reference to removed option --show-proxy-settings
+ unit_tests: remove includes for mock_msg.h
+ buffer: add documentation for string_mod and extend related UT
+ tests: disable automake serial_tests
+ documentation: improve documentation of --x509-track
+ configure: allow to disable NTLM
+ configure: enable silent rules by default
+ misc: make get_auth_challenge static
+ Remove support for NTLM v1 proxy authentication
+ GHA: increase verbosity for make check
+ NTLM: add length check to add_security_buffer
+ NTLM: increase size of phase 2 response we can handle
+ Fix various 'Uninitialized scalar variable' warnings from Coverity
+ proxy-options.rst: Add proper documentation for --http-proxy-user-pass
+ NTLM: when NTLMv1 is requested, try NTLMv2 instead
+ buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0'
+ --http-proxy-user-pass: allow to specify in either order with --http-proxy
+ test_user_pass: new UT for get_user_pass
+ test_user_pass: Add UTs for character filtering
+ gerrit-send-mail: Make output consistent across systems
+ README.cmake.md: Document minimum required CMake version for --preset
+ documentation: Update and fix documentation for --push-peer-info
+ documentation: Fixes for previous fixes to --push-peer-info
+ test_user_pass: add basic tests for static/dynamic challenges
+ Fix typo --data-cipher-fallback
+ samples: Remove tls-*.conf
+ check_compression_settings_valid: Do not test for LZ4 in LZO check
+ t_client.sh: Allow to skip tests
+ gerrit-send-mail: add missing Signed-off-by
+ Update Copyright statements to 2024
+ GHA: general update March 2024
+ samples: Update sample configurations
+ documentation: make section levels consistent
+ phase2_tcp_server: fix Coverity issue 'Dereference after null check'
+ script-options.rst: Update ifconfig_* variables
+ crypto_backend: fix type of enc parameter
+ tests: fork default automake test-driver
+ forked-test-driver: Show test output always
+ Change default of "topology" to "subnet"
+ Use topology default of "subnet" only for server mode
+ Fix 'binary or' vs 'boolean or' related to server_bridge_proxy_dhcp
+ configure: update old copy of pkg.m4
+ LZO: do not use lzoutils.h macros
+ test_user_pass: Fix building with --enable-systemd
+ Remove "experimental" denotation for --fast-io
+ t_server_null.sh: Fix failure case
+ configure: Add -Wstrict-prototypes and -Wold-style-definition
+ configure: Try to detect LZO with pkg-config
+ configure: Switch to C11 by default
+ Fix missing spaces in various messages
+ console_systemd: rename query_user_exec to query_user_systemd
+ configure: Allow to detect git checkout if .git is not a directory
+ GHA: Configure Renovate
+ configure: Try to use pkg-config to detect mbedTLS
+ tun: use is_tun_p2p more consistently
+ Various fixes for -Wconversion errors
+ generate_auth_token: simplify code
+ GHA: Update dependency Mbed-TLS/mbedtls to v3.6.1
+ GHA: Enable t_server_null tests
+ configure: Handle libnl-genl and libcap-ng consistent with other libs
+ configure: Review use of standard AC macros
+ socket: Change return types of link_socket_write* to ssize_t
+ GHA: Pin dependencies
+ GHA: Update macOS runners
+ GHA: Simplify macOS builds
+ Remove support for compression on send
+ Fix wrong doxygen comments
+ Various typo fixes
+ macOS: Assume that net/if_utun.h is always present
+ Fix some formatting related to if/else and macros
+ Fix memory leak in ntlm_support
+ forward: Fix potential unaligned access in drop_if_recursive_routing
+ GHA: General update December 2024
+ Review doxygen warnings
+ Regenerate doxygen config file with doxygen -u
+ Fix 'uninitialized pointer read' in openvpn_decrypt_aead
+ ssl_openssl: Clean up unused functions and add missing "static"
+ Fix some trivial sign-compare compiler warnings
+ tls_crypt_v2_write_client_key_file: Fix missing-field-initializers compiler warning
+ openvpnserv: Fix some inconsistent usages of TEXT()
+ Fix doxygen warnings in crypto_epoch.h
+ GHA: Drop Ubuntu 20.04 and other maintenance
+ GHA: Publish Doxygen documentation to Github Pages
+ Add more 'intentional fallthrough' comments
+ Remove various unused function parameters
+ Remove unused function check_subnet_conflict
+ options: Cleanup and simplify options_postprocess_verify_ce
+ Apply text-removal.sh script to Windows codebase
+ openvpnserv: Clean up use of TEXT() from DNS patches
+ Post tchar.h removal cleanup
+ Fix compatibility with mbedTLS 2.28.10+ and 3.6.3+
+ t_server_null_default.rc: Add some tests with --data-ciphers
+ GHA: Pin version of CMake for all builds
+ GHA: Dependency and Actions update April 2025
+ GHA: Make sure renovate notifies us about AWS LC releases
+ Doxygen: Fix obsolete links to OpenSSL documentation
+ GHA: Use CMake 4.0 and apply required fixes
+ Doxygen: Clean up tls-crypt documentation
+ Doxygen: Remove useless Python information
+ Manually reformat some long trailing comments
+ CMake: Make sure to treat UNIT_TEST_SOURCEDIR as path
+ CMake: Sync list of compiler flags with configure.ac
+ CMake: Reorganize header and symbol tests
+ GHA: Dependency and Actions update May 2025
+ Doxygen: Fix missing parameter warnings
+ Changes.rst: Collect, fix, and improve entries for 2.7 release
+
+George Pchelkin (1):
+ fix typo: dhcp-options to dhcp-option in vpn-network-options.rst
+
+Gert Doering (21):
+ Change version.m4 to 2.7_git
+ bandaid fix for TCP multipoint server crash with Linux-DCO
+ Undo FreeBSD 12.x workaround on IPv6 ifconfig for 12.4 and up
+ Reduce logspam about 'dco_update_keys: peer_id=-1' in p2p server mode
+ Fix OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT breakage on FreeBSD+DCO
+ Repair special-casing of EEXIST for Linux/SITNL route install
+ Get rid of unused 'bool tuntap_buffer' arguments.
+ FreeBSD 12.x workaround for IPv6 ifconfig is needed on 12.4 as well
+ Make received OCC exit messages more visible in log.
+ OpenBSD: repair --show-gateway
+ get_default_gateway() HWADDR overhaul
+ make t_server_null 'server alive?' check more robust
+ t_client.sh: conditionally skip ifconfig+route check
+ send uname() release as IV_PLAT_VER= on non-windows versions
+ options: add IPv4 support to '--show-gateway <arg>'
+ get_default_gateway(): implement platform support for Linux/SITNL
+ get_default_gateway(): implement platform support for Linux/IPROUTE2
+ add missing (void) to win32 function declarations
+ add more (void) to windows specific function prototypes and declarations
+ Make 'lport 0' no longer sufficient to do '--bind'.
+ Add information-gathering about DNS resolvers configured to t_client.sh(.in)
+
+Gianmarco De Gregori (17):
+ Persist-key: enable persist-key option by default
+ Minor fix to process_ip_header
+ Http-proxy: fix bug preventing proxy credentials caching
+ Ensures all params are ready before invoking dco_set_peer()
+ Route: remove incorrect routes on exit
+ Fix for msbuild/mingw GHA failures
+ multiproto: move generic event handling code in dedicated files
+ Fix PASS_BY_VALUE issue in options_postprocess_mutate_le()
+ mroute: adapt to new protocol handling and hashing improvements
+ mroute/management: repair mgmt client-kill for mroute with proto
+ Add support for simultaneous use of UDP and TCP sockets
+ Rename occurences of 'struct link_socket' from 'ls' to 'sock'
+ Fix FreeBSD-DCO and Multisocket interaction
+ manpage: fix HTML format for --local
+ Fix dco_win and multisocket interaction
+ dco_linux: Introduce new uAPIs
+ Explicit-exit-notify and multisocket interaction
+
+Heiko Hund (21):
+ dns option: allow up to eight addresses per server
+ work around false positive warning with mingw 12
+ dns option: remove support for exclude-domains
+ cmake: create and link compile_commands.json file
+ cmake: symlink whole build dir not just .json file
+ Windows: enforce 'block-local' with WFP filters
+ add and send IV_PROTO_DNS_OPTION_V2 flag
+ dns: store IPv4 addresses in network byte order
+ dns: clone options via pointer instead of copy
+ service: add utf8to16 function that takes a size
+ dns: support multiple domains without DHCP
+ dns: do not use netsh to set name server addresses
+ win: calculate address string buffer size
+ win: implement --dns option support with NRPT
+ dns: apply settings via script on unixoid systems
+ fix typo in haikuos dns-updown script
+ dns: support running up/down command with privsep
+ dns: don't publish env vars to non-dns scripts
+ dns: fix potential NULL pointer dereference
+ win: match search domains when creating exclude rules
+ win: fix collecting DNS exclude data
+
+Heiko Wundram (1):
+ Implement Windows CA template match for Crypto-API selector
+
+Ilia Shipitsin (3):
+ src/openvpn/init.c: handle strdup failures
+ sample/sample-plugins/defer/multi-auth.c: handle strdup errors
+ tests/unit_tests/openvpn/test_auth_token.c: handle strdup errors
+
+Ilya Shipitsin (1):
+ src/openvpn/dco_freebsd.c: handle malloc failure
+
+Juliusz Sosinowicz (1):
+ Change include order for tests
+
+Klemens Nanni (1):
+ Fix tmp-dir documentation
+
+Kristof Provost (10):
+ Read DCO traffic stats from the kernel
+ dco: Update counters when a client disconnects
+ Read the peer deletion reason from the kernel
+ dco: cleanup FreeBSD dco_do_read()
+ options.c: enforce a minimal fragment size
+ configure: improve FreeBSD DCO check
+ dco: define OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT on FreeBSD
+ dco: print FreeBSD version
+ DCO: support key rotation notifications
+ dco-freebsd: dynamically re-allocate buffer if it's too small
+
+Lev Stipakov (63):
+ Rename dco_get_peer_stats to dco_get_peer_stats_multi
+ management: add timer to output BYTECOUNT
+ Introduce dco_get_peer_stats API and Windows implementation
+ git-version.py: proper support for tags
+ msvc: upgrade to Visual Studio 2022
+ tun: move print_windows_driver() out of tun.h
+ openvpnmsica: remove dco installer custom actions
+ openvpnmsica: remove unused declarations
+ openvpnmsica: fix adapters discovery logic for DCO
+ Allow certain DHCP options to be used without DHCP server
+ dco-win: use proper calling convention on x86
+ Improve format specifier for socket handle in Windows
+ Disable DCO if proxy is set via management
+ Add logging for windows driver selection process
+ Avoid management log loop with verb >= 6
+ Support --inactive option for DCO
+ Fix '--inactive <time> 0' behavior for DCO
+ Print DCO client stats on SIGUSR2
+ Don't overwrite socket flags when using DCO on Windows
+ Support of DNS domain for DHCP-less drivers
+ dco-win: support for --dev-node
+ tapctl: generate driver-specific adapter names
+ openvpnmsica: link C runtime statically
+ tun.c: enclose DNS domain in single quotes in WMIC call
+ manage.c: document missing KID parameter
+ Set WINS servers via interactice service
+ CMake: fix broken daemonization and syslog functionality
+ Warn user if INFO control command is too long
+ CMake: fix HAVE_DAEMON detection on Linux
+ dco-win: get driver version
+ dco: warn if DATA_V1 packets are sent to userspace
+ config.h: fix incorrect defines for _wopen()
+ Make --dns options apply for tap-windows6 driver
+ Warn if pushed options require DHCP
+ tun.c: don't attempt to delete DNS and WINS servers if they're not set
+ win32: Enforce loading of plugins from a trusted directory
+ interactive.c: disable remote access to the service pipe
+ interactive.c: Fix potential stack overflow issue
+ Disable DCO if proxy is set via management
+ misc.c: remove unused code
+ interactive.c: Improve access control for gui<->service pipe
+ Use a more robust way to get dco-win version
+ dco: better naming for function parameters
+ repair DNS address option
+ dco-win: factor out getting dco version
+ dco-win: enable mode server on supported configuration
+ dco-win: simplify do_close_link_socket()
+ route.c: change the signature of get_default_gateway()
+ route.c: improve get_default_gateway() logic on Windows
+ mudp.c: keep offset value when resetting buffer
+ multi.c: add iroutes after dco peer is added
+ dco-win: disable dco in server mode if multiple --local options defined
+ dco-win: multipeer support
+ dco-win: simplify control packets prepend code
+ dco-win: kernel notifications
+ dco-win: support for iroutes
+ dco-win: Fix crash when cancelling pending operation
+ Remove UINT8_MAX definition
+ win: allow OpenVPN service account to use any command-line options
+ ssl_openssl.c: Prevent potential double-free
+ win: refactor get_windows_version()
+ win: create adapter on demand
+ win: remove Wintun support
+
+Marc Becker (5):
+ unify code path for adding PKCS#11 providers
+ use new pkcs11-helper interface to add providers
+ special handling for PKCS11 providers on win32
+ vcpkg-ports/pkcs11-helper: support loader flags
+ vcpkg-ports/pkcs11-helper: bump to version 1.30
+
+Marco Baffo (3):
+ tun: removed unnecessary route installations
+ IPv6 MADDR LOG: Wrap IPv6 addresses in square brackets and print port when the port is specified
+ get_default_gateway(): Prevent passing IPV4_INVALID_ADDR as a destination
+
+Martin Rys (1):
+ openvpn-[client|server].service: Remove syslog.target
+
+Matthias Andree (1):
+ make dist: Ship ovpn_dco_freebsd.h, too
+
+Max Fillinger (10):
+ Correct tls-crypt-v2 metadata length in man page
+ Fix message for too long tls-crypt-v2 metadata
+ Add support for mbedtls 3.X.Y
+ Update README.mbedtls
+ Disable TLS 1.3 support with mbed TLS
+ Enable key export with mbed TLS 3.x.y
+ Remove license warning from README.mbedtls
+ mbedtls: Remove support for old TLS versions
+ mbedtls: Warn if --tls-version-min is too low
+ Remove HAVE_EXPORT_KEYING_MATERIAL macro
+
+Michael Baentsch (1):
+ using OpenSSL3 API for EVP PKEY type name reporting
+
+Michael Nix (1):
+ fix typo in help text: --ignore-unknown-option
+
+Qingfang Deng (1):
+ dco: fix source IP selection when multihome
+
+Ralf Lici (3):
+ Fix check_addr_clash argument order
+ Handle missing DCO peer by restarting the session
+ Implement ovpn version detection
+
+Reynir Björnsson (2):
+ protocol_dump: tls-crypt support
+ Only schedule_exit() once
+
+Rémi Farault (1):
+ Add calls to nvlist_destroy to avoid leaks
+
+Samuli Seppänen (6):
+ Add t_server_null test suite
+ t_server_null: multiple improvements and fixes
+ t_server_null: persist test log files
+ t_server_null: forcibly kill misbehaving servers
+ t_server_null: use wait instead of marker files
+ Add lwip support to t_server_null
+
+Selva Nair (63):
+ Reduce default restart pause to 1 second
+ Do not include auth-token in pulled option digest
+ Persist DCO client data channel traffic stats on restart
+ Add remote-count and remote-entry query via management
+ Permit unlimited connection entries and remotes
+ Use a template for 'unsupported management commands' error
+ Allow skipping multple remotes via management interface
+ Properly unmap ring buffer file-map in interactive service
+ Use undo_lists for saving ring-buffer handles in interactive service
+ Cleanup: Close duplicated handles in interactive service
+ Preparing for better signal handling: some code refactoring
+ Refactor signal handling in openvpn_getaddrinfo
+ Use IPAPI for setting ipv6 routes when iservice not available
+ Fix signal handling on Windows
+ Assign and honour signal priority order
+ Distinguish route addition errors from route already exists
+ Propagate route error to initialization_completed()
+ Include CE_DISABLED status of remote in "remote-entry-get" response
+ Define and use macros for route addition status code
+ Warn when pkcs11-id or pkcs11-id-management options are ignored
+ Cleanup route error and debug logging on Windows
+ Fix one more 'existing route may get deleted' case
+ block-dns using iservice: fix a potential double free
+ Conditionally add subdir-objects option to automake
+ Build unit tests in mingw Windows build
+ cyryptapi.c: log the selected certificate's name
+ cryptoapi.c: remove pre OpenSSL-3.01 support
+ cryptoapi.c: simplify parsing of thumbprint hex string
+ Option --cryptoapicert: support issuer name as a selector
+ Add a unit test for functions in cryptoapi.c
+ Do not save pointer to 'struct passwd' returned by getpwnam etc.
+ Bugfix: Convert ECDSA signature form pkcs11-helper to DER encoded form
+ Import some sample certificates into Windows store for testing
+ Add tests for finding certificates in Windows cert store
+ Refactor SSL_CTX_use_CryptoAPI_certificate()
+ Add a test for signing with certificates in Windows store
+ Unit tests: add test for SSL_CTX_use_Cryptoapi_certificate()
+ Improve error message on short read from socks proxy
+ Make error in setting metric for IPv6 interface non-fatal
+ Bug-fix: segfault in dco_get_peer_stats()
+ Move digest_sign_verify out of test_cryptoapi.c
+ Unit tests: Test for PKCS#11 using a softhsm2 token
+ Enable pkcs11 an dtest_pkcs11 in github actions
+ Make cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant
+ Format Windows error message in Unicode
+ Bugfix: dangling pointer passed to pkcs11-helper
+ Correctly handle Unicode names for exit event
+ Interactive service: do not force a target desktop for openvpn.exe
+ Improve signal handling using POSIX sigaction
+ signal_reset(): combine check and reset operations
+ Log OpenSSL errors on failure to set certificate
+ Document that auth-user-pass may be inlined
+ test_pkcs11.c: set file offset to 0 after ftruncate
+ proxy.c: Clear sensitive data after use
+ Protect cached username, password and token on client
+ Interpret --key and --cert option argument as URI
+ Add a test for loading certificate and key to ssl context
+ Add a test for loading certificate and key using file: URI
+ Initialize before use struct user_pass in ui_reader()
+ Static-challenge concatenation option
+ Add test for static-challenge concatenation option
+ Fix more of uninitialized struct user_pass local vars
+ Do not stop reading from file/uri when OPENSSL_STORE_load() returns error
+
+Sergey Korolev (1):
+ dco-linux: fix counter print format
+
+Shubham Mittal (2):
+ Add compatibility to build OpenVPN with AWS-LC.
+ Adding AWS-LC to the OpenVPN CI
+
+Shuji Furukawa (1):
+ Improve shuffling algorithm of connection list
+
+Steffan Karger (2):
+ Fix IPv6 route add/delete message log level
+ Improve data channel crypto error messages
+
+Timo Rothenpieler (1):
+ Don't clear capability bounding set on capng_change_id
+
+corubba (2):
+ Fix IPv6 in port-share journal
+ Fix port-share journal doc
+
+orbea (1):
+ configure: disable engines if OPENSSL_NO_ENGINE is defined
+
+rein.vanbaaren (1):
+ Fix MBEDTLS_DEPRECATED_REMOVED build errors
+
+wellweek (1):
+ remove repetitive words in documentation and comments
+
+yatta (1):
+ fix(ssl): init peer_id when init tls_multi
-This file is not maintained in this branch of the OpenVPN git repository.
-Release branches (release/2.5, release/2.4, etc) have individual ChangeLog
-files with all changes relevant for these releases.
==========================
New features
------------
-TLS alerts
- OpenVPN 2.7 will send out TLS alerts to peers informing them if the TLS
- session shuts down or when the TLS implementation informs the peer about
- an error in the TLS session (e.g. mismatching TLS versions). This improves
- the user experience as the client shows an error instead of running into
- a timeout when the server just stops responding completely.
+Multi-socket support for servers
+ OpenVPN servers now can listen on multiple sockets at the same time.
+ Multiple ``--local`` statements in the configuration can be used to
+ configure this. This way the same server can e.g. listen for UDP
+ and TCP connections at the same time, or listen on multiple addresses
+ and/or ports.
+
+Client implementations for DNS options sent by server for Linux/BSD
+ Linux and BSD versions of OpenVPN now ship with a default ``dns-updown``
+ script that implements proper handling of DNS configuration sent
+ by the server. The scripts should work on systems that use
+ ``systemd`` or ``resolveconf`` to manage the DNS setup, as well as
+ raw ``/etc/resolv.conf`` files. However, the exact features supported
+ will depend on the configuration method. On Linux this should usually
+ mean that split-DNS configurations are supported out-of-the-box now.
+
+ Note that this new script will not be used by default if a ``--up``
+ script is already in use to reduce problems with
+ backwards compatibility.
+
+ See documentation for ``--dns-updown`` and ``--dns`` for more details.
+
+New client implementation for DNS options sent by server for Windows
+ The Windows client now uses NRPT (Name Resolution Policy Table) to
+ handle DNS configurations. This adds support for split-DNS and DNSSEC
+ and improves the compatbility with local DNS resolvers. Requires the
+ interactive service.
-Support for tun/tap via unix domain socket and lwipovpn support
- To allow better testing and emulating a full client with a full
- network stack OpenVPN now allows a program executed to provide
- a tun/tap device instead of opening a device.
+On Windows the ``block-local`` flag is now enforced with WFP filters.
+ The ``block-local`` flag to ``--redirect-gateway`` and
+ ``--redirect-private`` is now also enforced via the Windows Firewall,
+ making sure packets can't be sent to the local network.
+ This provides stronger protection against TunnelCrack-style attacks.
- The co-developed lwipovpn program based on lwIP stack allows to
- simulate full IP stack and an OpenVPN client using
- ``--dev-node unix:/path/to/lwipovpn`` can emulate a full client that
- can be pinged, can serve a website and more without requiring any
- elevated permission. This can make testing OpenVPN much easier.
+Windows network adapters are now generated on demand
+ This means that on systems that run multiple OpenVPN connections at
+ the same time the users don't need to manually create enough network
+ adapters anymore (in addition to the ones created by the installer).
- For more details see [lwipovpn on Gihtub](https://github.com/OpenVPN/lwipovpn).
+Windows automatic service now runs as an unpriviledged user
+ All tasks that need privileges are now delegated to the interactive
+ service.
+
+Support for new version of Linux DCO module
+ OpenVPN DCO module is moving upstream and being merged into the
+ main Linux kernel. For this process some API changes were required.
+ OpenVPN 2.7 will only support the new API. The new module is called
+ ``ovpn``. Out-of-tree builds for older kernels are available. Please
+ see the release announcements for futher information.
+
+Support for server mode in win-dco driver
+ On Windows the win-dco driver can now be used in server setups.
Enforcement of AES-GCM usage limit
OpenVPN will now enforce the usage limits on AES-GCM with the same
https://datatracker.ietf.org/doc/draft-irtf-cfrg-aead-limits/
-Default ciphers in ``--data-ciphers``
- Ciphers in ``--data-ciphers`` can contain the string DEFAULT that is
- replaced by the default ciphers used by OpenVPN, making it easier to
- add an allowed cipher without having to spell out the default ciphers.
-
Epoch data keys and packet format
This introduces the epoch data format for AEAD data channel
ciphers in TLS mode ciphers. This new data format has a number of
- IV constructed with XOR instead of concatenation to not have (parts) of
the real IV on the wire
+Default ciphers in ``--data-ciphers``
+ Ciphers in ``--data-ciphers`` can contain the string DEFAULT that is
+ replaced by the default ciphers used by OpenVPN, making it easier to
+ add an allowed cipher without having to spell out the default ciphers.
+
+TLS alerts
+ OpenVPN 2.7 will send out TLS alerts to peers informing them if the TLS
+ session shuts down or when the TLS implementation informs the peer about
+ an error in the TLS session (e.g. mismatching TLS versions). This improves
+ the user experience as the client shows an error instead of running into
+ a timeout when the server just stops responding completely.
+
+Support for tun/tap via unix domain socket and lwipovpn support
+ To allow better testing and emulating a full client with a full
+ network stack OpenVPN now allows a program executed to provide
+ a tun/tap device instead of opening a device.
+
+ The co-developed lwipovpn program based on lwIP stack allows to
+ simulate full IP stack. An OpenVPN client using
+ ``--dev-node unix:/path/to/lwipovpn`` can emulate a full client that
+ can be pinged, can serve a website and more without requiring any
+ elevated permission. This can make testing OpenVPN much easier.
+
+ For more details see [lwipovpn on Gihtub](https://github.com/OpenVPN/lwipovpn).
+
Allow overriding username with ``--override-username``
This is intended to allow using auth-gen-token in scenarios where the
clients use certificates and multi-factor authentication. This will
also generate a 'push "auth-token-user newusername"' directives in
push replies.
+``--port-share`` now properly supports IPv6
+ Issues with logging of IPv6 addresses were fixed. The feature now allows
+ IPv6 connections towards the proxy receiver.
+
+Support for Haiku OS
+
Deprecated features
-------------------
-``secret`` support has been removed by default.
+``secret`` support has been removed (by default).
static key mode (non-TLS) is no longer considered "good and secure enough"
for today's requirements. Use TLS mode instead. If deploying a PKI CA
is considered "too complicated", using ``--peer-fingerprint`` makes
``--allow-deprecated-insecure-static-crypto`` but will be removed in
OpenVPN 2.8.
+Support for wintun Windows driver has been removed.
+ OpenVPN 2.6 added support for the new dco-win driver, so it supported
+ three different device drivers: dco-win, wintun, and tap-windows6.
+ OpenVPN 2.7 now drops the support for wintun driver. By default
+ all modern configs should be supported by dco-win driver. In all
+ other cases OpenVPN will fall back automatically to tap-windows6
+ driver.
+
NTLMv1 authentication support for HTTP proxies has been removed.
This is considered an insecure method of authentication that uses
obsolete crypto algorithms.
``persist-key`` option has been enabled by default.
All the keys will be kept in memory across restart.
-Default for ``--topology`` changed to ``subnet`` for ``--mode server``
- Previous releases always used ``net30`` as default. This only affects
- configs with ``--mode server`` or ``--server`` (the latter implies the
- former), and ``--dev tun``, and only if IPv4 is enabled.
- Note that this changes the semantics of ``--ifconfig``, so if you have
- manual settings for that in your config but not set ``--topology``
- your config might fail to parse with the new version. Just adding
- ``--topology net30`` to the config should fix the problem.
- By default ``--topology`` is pushed from server to client.
-
-OpenSSL 1.0.2 support
+OpenSSL 1.0.2 support has been removed.
Support for building with OpenSSL 1.0.2 has been removed. The minimum
supported OpenSSL version is now 1.1.0.
-Compression on send
+Support for mbedTLS older than 2.18.0 has been removed.
+ We now require all SSL libraries to have support for exporting
+ keying material. The only previously supported library versions
+ this affects are older mbedTLS releases.
+
+Compression on send has been removed.
OpenVPN 2.7 will never compress data before sending. Decompression of
received data is still supported.
``--allow-compression yes`` is now an alias for
``--allow-compression asym``.
+
User-visible Changes
--------------------
+- Default for ``--topology`` changed to ``subnet`` for ``--mode server``.
+ Previous releases always used ``net30`` as default. This only affects
+ configs with ``--mode server`` or ``--server`` (the latter implies the
+ former), and ``--dev tun``, and only if IPv4 is enabled.
+ Note that this changes the semantics of ``--ifconfig``, so if you have
+ manual settings for that in your config but not set ``--topology``
+ your config might fail to parse with the new version. Just adding
+ ``--topology net30`` to the config should fix the problem.
+ By default ``--topology`` is pushed from server to client.
+
- ``--x509-username-field`` will no longer automatically convert fieldnames to
uppercase. This is deprecated since OpenVPN 2.4, and has now been removed.
And finite field Diffie Hellman is in the proces of being deprecated
(see draft-ietf-tls-deprecate-obsolete-kex)
+- ``--lport 0`` does not imply ``--bind`` anymore.
+
+- ``--redirect--gateway`` now works correctly if the VPN remote is not
+ reachable by the default gateway.
+
+- ``--show-gateway`` now supports querying the gateway for IPv4 addresses.
+
+- ``--static-challenge`` option now has a third parameter ``format`` that
+ can change how password and challenge response should be combined.
+
+- ``--key`` and ``--cert`` now accept URIs implemented in OpenSSL 3 as well as
+ optional OpenSSL 3 providers loaded using ``--providers`` option.
+
+- ``--cryptoapicert`` now supports issuer name as well as Windows CA template
+ name or OID as selector string.
+
+- TLS handshake debugging information contains much more details now when
+ using recent versions of OpenSSL.
+
+- The ``IV_PLAT_VER`` variable sent by Windows clients now contains the
+ full Windows build version to make it possible to determine the
+ Windows 10 or Windows 11 version used.
+
+- The ``--windows-driver`` option to select between various windows
+ drivers will no longer do anything - it's kept so existing configs
+ will not become invalid, but it is ignored with a warning. The default
+ is now ``ovpn-dco`` if all options used are compatible with DCO, with
+ a fallback to ``tap-windows6``. To force TAP (for example because a
+ server pushes DCO incompatible options), use the ``--disable-dco``
+ option.
+
+
Overview of changes in 2.6
==========================
projects / thirdparty / openvpn.git / commitdiff
