From 7b1b283478ec008fad163c8a54659a1ed97ed727 Mon Sep 17 00:00:00 2001 From: Gert Doering Date: Thu, 31 Jul 2025 08:51:26 +0200 Subject: [PATCH] OpenVPN Release 2.7_alpha3 version.m4, ChangeLog, Changes.rst Changes.rst has not received a "2.7_alpha3" section - it has the "high-level" overview of what is new in 2.7, but for alpha/beta releases it's better to look at git log to see what has been added/fixed. New features alpha2 -> alpha3 are - --dns-updown script for macOS - client-side support for PUSH_UPDATE handling - support for floating TLS clients when DCO is active (handling float notifications sent from kernel to userland) - use of user-defined routing tables on Linux - PQE support for WolfSSL Besides new features, alpha3 sees a rewrite of the way kernel events are handled by the Linux DCO module, because under certain circumstances notifications could get lost, leading to problems later. Signed-off-by: Gert Doering --- ChangeLog | 84 +++++++++++++++++++++++++++++++++++++++++++++++++++++ Changes.rst | 36 ++++++++++++++++++----- version.m4 | 2 +- 3 files changed, 113 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4fd1f59a..722486a6 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,6 +1,90 @@ OpenVPN ChangeLog Copyright (C) 2002-2025 OpenVPN Inc +2025.07.31 -- Version 2.7_alpha3 + +Antonio Quartulli (10): + README.dco: update Linux instructions + dco_linux: fix case statement by using proper error value + dco_linux: use M_FATAL instead of M_ERR in netlink error code paths + dco_linux: rearrange functions + multi: store multi_context address inside top instance + dco: only pass struct context to init function + dco_linux: factor out netlink notification code + dco_linux: fix async message reception + multi: make some multi_*() functions static + dco_linux: clean up PEER_GET trigger and parser + +Arne Schwabe (1): + Cleanup/simplify mbed TLS related define from autoconf + +Christian Schürmann (1): + Replace deprecated OpenSSL.crypto.load_crl + +Frank Lichtenheld (8): + packet_id: Fix build with --disable-debug + Fix new doxygen warnings about using @return in void functions + Fix compiler warning in reliable.c with --disable-debug + reliable: Review and fix gc_arena usage + configure.ac: Remove use of PKCS11_HELPER_LIBS in mbedTLS checks + GHA: Dependency updates July 2025 + plugins: Clean up -Wconversion warnings + options: Simplify function setenv_foreign_option + +Gert Doering (3): + mudp.c, multi.c, multi_io.c: get rid of 'all three DCO platforms' #ifdefs + unit_tests/plugins/auth-pam: fix stdint.h related build error on fedora 42 + OpenVPN Release 2.7_alpha3 + +Gianmarco De Gregori (2): + Route: add support for user defined routing table + Multi-socket: Fix assert triggered by stale peer-id reuse + +Heiko Hund (9): + dns: add updown script for macOS + fix macOS dns-updown handling of parallel full redirects + run forced --dns-updown without --script-security + dns: create NRPT registry key if it doesn't exist + dns: do not run updown scripts with lwipovpn + prevent search domain races with macOS dns-updown + move macOS dns-updown common code into functions + mac dns: compare servers before restoring backup + mac dns: do not run 
dns-updown in parallel + +Kristof Provost (3): + dco: support float notifications on FreeBSD + dco-freebsd: always enable float notification support + dco-freebsd: pass address scope to the kernel + +Lev Stipakov (4): + Fix broken DHCP options + Fix --dns options for TAP adapter + Fix DNS options duplication on PUSH_UPDATE + Fix wrong byte order of --dns server + +Marco Baffo (3): + PUSH_UPDATE: Allow OpenVPN in client mode to receive and handle PUSH UPDATE control messages to allow options updating at runtime. + PUSH_UPDATE: Added remove_option() and do_update(). + PUSH_UPDATE: Added update_option() function. + +Ralf Lici (5): + dco linux: avoid redefining ovpn enums + dco linux: avoid sending local port to ovpn + dco: Add support for float notifications + improve float collision logging + add flag to print addresses in a consistent format during float + +Samuli Seppänen (2): + t_server_null: add multi-socket testing + t_server_null: match test numbers with server numbers + +Terrance (1): + Update systemd service name param to match command + +rein.vanbaaren (1): + Added PQE to WolfSSL + + 2025.06.18 -- Version 2.7_alpha2 Antonio Quartulli (1): diff --git a/Changes.rst b/Changes.rst index bfb6742d..1bc5a8e5 100644 --- a/Changes.rst +++ b/Changes.rst 
@@ -9,14 +9,15 @@ Multi-socket support for servers and TCP connections at the same time, or listen on multiple addresses and/or ports. -Client implementations for DNS options sent by server for Linux/BSD - Linux and BSD versions of OpenVPN now ship with a default ``dns-updown`` - script that implements proper handling of DNS configuration sent - by the server. The scripts should work on systems that use - ``systemd`` or ``resolveconf`` to manage the DNS setup, as well as - raw ``/etc/resolv.conf`` files. However, the exact features supported - will depend on the configuration method. On Linux this should usually - mean that split-DNS configurations are supported out-of-the-box now. +Client implementations for DNS options sent by server for Linux/BSD/macOS + Linux, BSD and macOS versions of OpenVPN now ship with a per-platform + default ``--dns-updown`` script that implements proper handling of + DNS configuration sent by the server. The scripts should work on + systems that use ``systemd`` or ``resolveconf`` to manage the DNS + setup, as well as raw ``/etc/resolv.conf`` files. However, the exact + features supported will depend on the configuration method. + On Linux and MacOS this should usually make split-DNS configurations + supported out-of-the-box now. Note that this new script will not be used by default if a ``--up`` script is already in use to reduce problems with 
@@ -55,6 +56,12 @@ Support for new version of Linux DCO module Support for server mode in win-dco driver On Windows the win-dco driver can now be used in server setups. +Support for TLS client floating in DCO implementations + The kernel modules will detect clients floating to a new IP address + and notify userland so both data packets (kernel) and TLS packets + (sent by userland) can reach the new client IP. + (Actual support depends on recent-enough kernel implementation) + Enforcement of AES-GCM usage limit OpenVPN will now enforce the usage limits on AES-GCM with the same confidentiality margin as TLS 1.3 does. This mean that renegotiation will @@ -116,6 +123,19 @@ Support for Haiku OS TLS1.3 support with mbedTLS (very recent mbedTLS development versions only) +PUSH_UPDATE client support + It is now possible to update parts of the client-side configuration + (IP address, routes, MTU, DNS) by sending a new server-to-client + control message, PUSH_UPDATE,. Server-side support is + currently only supported by OpenVPN Inc commercial offerings, the + implementation for OpenVPN 2.x is still under development. + See also: https://openvpn.github.io/openvpn-rfc/openvpn-wire-protocol.html + +Support for user-defined routing tables on Linux + see the ``--route-table`` option in the manpage + +PQE support for WolfSSL + Deprecated features ------------------- diff --git a/version.m4 b/version.m4 index 6efb67cc..601b7e25 100644 --- a/version.m4 +++ b/version.m4 @@ -3,7 +3,7 @@ define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [7]) -define([PRODUCT_VERSION_PATCH], [_alpha2]) +define([PRODUCT_VERSION_PATCH], [_alpha3]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) -- 2.47.2
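Review bot: the ChangeLog hunk (@@ -1,6 +1,90 @@) records "run forced --dns-updown without --script-security" under Heiko Hund, a behaviour change with a security dimension that the Changes.rst hunk in the same patch never mentions; the dns-updown paragraph there only says the bundled script is skipped when an --up script is in use. Operators who rely on --script-security as the gate for any script execution should be told that the bundled dns-updown script is exempt from it. Suggest adding one sentence to that Changes.rst paragraph stating exactly when the default script runs regardless of the --script-security level, and pointing to the manpage entry for --dns-updown.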
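Review bot: in the first Changes.rst hunk (@@ -9,14 +9,15 @@) the added line "On Linux and MacOS this should usually make split-DNS configurations supported out-of-the-box now." spells the platform "MacOS" while the heading and the previous sentence of the same paragraph use "macOS", and the sentence itself is awkward. Suggest "On Linux and macOS this usually means split-DNS configurations are supported out of the box." Also worth a check: the kept text says the scripts work on systems that use "``systemd`` or ``resolveconf``"; the tool is normally spelled resolvconf, so confirm which name is intended before the release notes go out.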
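Review bot: the TLS floating paragraph added in the second Changes.rst hunk (@@ -55,6 +56,12 @@) says the kernel modules "will detect clients floating to a new IP address" but does not say what a float is validated against before the peer's address is updated; since an unauthenticated float would let a third party redirect a peer's traffic, the release note should state the condition under which the kernel accepts the new address (whatever check the modules actually perform, e.g. successful authentication of the incoming data packet under the peer's keys). The closing line "(Actual support depends on recent-enough kernel implementation)" is too vague to act on: the ChangeLog lists both "dco: Add support for float notifications" (Ralf Lici) and "dco: support float notifications on FreeBSD" (Kristof Provost), so name the minimum ovpn and FreeBSD module versions that ship the notifications.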
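Review bot: stray punctuation in the third Changes.rst hunk (@@ -116,6 +123,19 @@): "control message, PUSH_UPDATE,. Server-side support is" should read "control message, PUSH_UPDATE. Server-side support ...", and the following sentence "Server-side support is currently only supported by OpenVPN Inc commercial offerings" repeats "support"; suggest "Server-side support currently exists only in OpenVPN Inc commercial offerings; the implementation for OpenVPN 2.x is still under development." Two further points in the same hunk: the "PQE support for WolfSSL" entry has a heading but no body, unlike every other entry, and the matching ChangeLog line "Added PQE to WolfSSL" gives no more detail, so add at least what the feature enables and which wolfSSL version is required; and the body of "Support for user-defined routing tables on Linux" ("see the ``--route-table`` option in the manpage") should start with a capital letter to match the other entries.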