From: Gert Doering <gert@greenie.muc.de>
Date: Wed, 12 Aug 2020 10:08:21 +0000 (+0200)
Subject: Changes.rst updates in preparation to 2.5_beta1
X-Git-Tag: v2.5_beta1~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=26b658ea10256a749f9cc55bd89dd2e65aea9772;p=thirdparty%2Fopenvpn.git

Changes.rst updates in preparation to 2.5_beta1

Signed-off-by: Gert Doering <gert@greenie.muc.de>
---

diff --git a/Changes.rst b/Changes.rst
index bacc98cd2..0aee36030 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -68,6 +68,106 @@ Faster connection setup
     significantly reduces the connection setup time by avoiding one
     extra packet round-trip and 1s of internal event delays.
 
+Netlink support
+    On Linux, if configured without ``--enable-iproute2``, configuring IP
+    addresses and adding/removing routes is now done via the netlink(3)
+    kernel interface.  This is much faster than calling ``ifconfig`` or
+    ``route`` and also enables OpenVPN to run with less privileges.
+
+    If configured with --enable-iproute2, the ``ip`` command is used
+    (as in 2.4).  Support for ``ifconfig`` and ``route`` is gone.
+
+Wintun support
+    On Windows, OpenVPN can now use ``wintun`` devices.  They are faster
+    than the traditional ``tap9`` tun/tap devices, but do not provide
+    ``--dev tap`` mode - so the official installers contain both.  To use
+    a wintun device, add ``--windows-driver wintun`` to your config
+    (and use of the interactive service is required as wintun needs
+    SYSTEM privileges to enable access).
+
+IPv6-only operation
+    It is now possible to have only IPv6 addresses inside the VPN tunnel,
+    and IPv6-only address pools (2.4 always required IPv4 config/pools
+    and IPv6 was the "optional extra").
+
+Improved Windows 10 detection
+    Correctly log OS on Windows 10 now.
+
+Linux VRF support
+    Using the new ``--bind-dev`` option, the OpenVPN outside socket can
+    now be put into a Linux VRF.  See the "Virtual Routing and Forwarding"
+    documentation in the man page.
+
+TLS 1.3 support
+    TLS 1.3 support has been added to OpenVPN.  Currently, this requires
+    OpenSSL 1.1.1+.
+    The options ``--tls-cipher-suites`` and ``--tls-groups`` have been
+    added to fine tune TLS protocol options.  Most of the improvements
+    were also backported to OpenVPN 2.4 as part of the maintainance
+    releases.
+
+Support setting DHCP search domain
+    A new option ``--dhcp-option DOMAIN-SEARCH my.example.com`` has been
+    defined, and Windows support for it is implemented (tun/tap only, no
+    wintun support yet).  Other platforms need to support this via ``--up``
+    script (Linux) or GUI (OSX/Tunnelblick).
+
+per-client changing of ``--data-cipher`` or ``data-ciphers-fallback``
+    from client-connect script/dir (NOTE: this only changes preference of
+    ciphers for NCP, but can not override what the client announces as
+    "willing to accept")
+
+Handle setting of tun/tap interface MTU on Windows
+    If IPv6 is in use, MTU must be >= 1280 (Windows enforces IETF requirements)
+
+Add support for OpenSSL engines to access private key material (like TPM).
+
+HMAC based auth-token support
+    The ``--auth-gen-token`` support has been improved and now generates HMAC
+    based user token. If the optional ``--auth-gen-token-secret`` option is
+    used clients will be able to seamlessly reconnect to a different server
+    using the same secret file or to the same server after a server restart.
+
+Improved support for pending authentication
+    The protocol has been enhanced to be able to signal that
+    the authentication should use a secondary authentication
+    via web (like SAML) or a two factor authentication without
+    disconnecting the OpenVPN session with AUTH_FAILED. The
+    session will instead be stay in a authenticated state and
+    wait for the second factor authentication to complete.
+
+    This feature currently requires usage of the managent interface
+    on both client and server side. See the `management-notes.txt`
+    ``client-pending-auth`` and ``cr-response`` commands for more
+    details.
+
+VLAN support
+    OpenVPN servers in TAP mode can now use 802.1q tagged VLANs
+    on the TAP interface to separate clients into different groups
+    that can then be handled differently (different subnets / DHCP,
+    firewall zones, ...) further down the network.  See the new
+    options ``--vlan-tagging``, ``--vlan-accept``, ``--vlan-pvid``.
+
+    802.1q tagging on the client side TAP interface is not handled
+    today (= tags are just forwarded transparently to the server).
+
+Support building of .msi installers for Windows
+
+Allow unicode search string in ``--cryptoapicert`` option (Windows)
+
+Support IPv4 configs with /31 netmasks now
+    (By no longer trying to configure ``broadcast x.x.x.x'' in
+    ifconfig calls, /31 support "just works")
+
+New option ``--block-ipv6`` to reject all IPv6 packets (ICMPv6)
+    this is useful if the VPN service has no IPv6, but the clients
+    might have (LAN), to avoid client connections to IPv6-enabled
+    servers leaking "around" the IPv4-only VPN.
+
+``--ifconfig-ipv6`` and ``--ifconfig-ipv6-push`` will now accept
+    hostnames and do a DNS lookup to get the IPv6 address to use
+
+
 Deprecated features
 -------------------
 For an up-to-date list of all deprecated options, see this wiki page:
@@ -91,7 +191,13 @@ https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
   ``--verify-client-cert none`` instead.
 
 - ``--ifconfig-pool-linear`` has been removed
-  This option is removed.  Use ``--topology p2p`` instead.
+  This option is removed.  Use ``--topology p2p`` or ``--topology subnet``
+  instead.
+
+- ``--compress xxx`` is considered risky and is warned against, see below.
+
+- ``--key-method 1`` has been removed
+
 
 User-visible Changes
 --------------------
@@ -107,6 +213,81 @@ User-visible Changes
   the client configuration almost immediately as result of the
   faster connection setup feature.
 
+- ``--compression`` is nowadays considered risky, because attacks exist
+  leveraging compression-inside-crypto to reveal plaintext (VORACLE).  So
+  by default, ``--compression xxx`` will now accept incoming compressed
+  packets (for compatibility with peers that have not been upgraded yet),
+  but will not use compression outgoing packets.  This can be controlled with
+  the new option ``--allow-compression yes|no|asym``.
+
+- Stop changing ``--txlen`` aways from OS defaults unless explicitly specified
+  in config file.  OS defaults nowadays are actually larger then what we used
+  to configure, so our defaults sometimes caused packet drops = bad performance.
+
+- remove ``--writepid`` pid file on exit now
+
+- plugin-auth-pam now logs via OpenVPN logging method, no longer to stderr
+  (this means you'll have log messages in syslog or openvpn log file now)
+
+- use ISO 8601 time format for file based logging now (YYYY-MM-DD hh:mm:dd)
+  (syslog is not affected, nor is ``--machine-readable-output``)
+
+- ``--clr-verify`` now loads all CRLs if more than one CRL is in the same
+  file (OpenSSL backend only, mbedTLS always did that)
+
+- when ``--auth-user-pass file`` has no password, and the management interface
+  is active, query management interface (instead of trying console query,
+  which does not work on windows)
+
+- skip expired certificates in Windows certificate store (``--cryptoapicert``)
+
+- ``--socks-proxy`` + ``--proto udp*`` will now allways use IPv4, even if
+  IPv6 is requested and available.  Our SOCKS code does not handle IPv6+UDP,
+  and before that change it would just fail in non-obvious ways.
+
+- TCP listen() backlog queue is now set to 32 - this helps TCP servers that
+  receive lots of "invalid" connects by TCP port scanners
+
+- do no longer print OCC warnings ("option mismatch") about ``key-method``,
+  ``keydir``, ``tls-auth`` and ``cipher`` - these are either gone now, or
+  negotiated, and the warnings do not serve a useful purpose.
+
+- ``dhcp-option DNS`` and ``dhcp-option DNS6`` are now treated identically
+  (= both accept an IPv4 or IPv6 address for the nameserver)
+
+
+Maintainer-visible changes
+--------------------------
+- the man page is now in maintained in .rst format, so building the openvpn.8
+  manpage from a git checkout now requires python-docutils (if this is missing,
+  the manpage will not be built - which is not considered an error generally,
+  but for package builders or ``make distcheck`` it is).  Release tarballs
+  contain the openvpn.8 file, so unless some .rst is changed, doc-utils are
+  not needed for building.
+
+- OCC support can no longer be disabled
+
+- AEAD support is now required in the crypto library
+
+- ``--disable-server`` has been removed from configure (so it is no longer
+  possible to build a client-/p2p-only OpenVPN binary) - the saving in code
+  size no longer outweighs the extra maintenance effort.
+
+- ``--enable-iproute2`` will disable netlink(3) support, so maybe remove
+  that from package building configs (see above)
+
+- support building with MSVC 2019
+
+- cmocka based unit tests are now only run if cmocka is installed externally
+  (2.4 used to ship a local git submodule which was painful to maintain)
+
+- ``--disable-crypto`` configure option has been removed.  OpenVPN is now always
+  built with crypto support, which makes the code much easier to maintain.
+  This does not affect ``--cipher none`` to do a tunnel without encryption.
+
+- ``--disable-multi`` configure option has been removed
+
+
 
 Overview of changes in 2.4
 ==========================