From 1e7b9a0fb021f0a64e76369f4efd2001d50ef42b Mon Sep 17 00:00:00 2001
From: Gert Doering
Date: Wed, 3 Sep 2025 19:03:39 +0200
Subject: [PATCH] OpenVPN Release 2.7_beta1

version.m4, ChangeLog, Changes.rst

Changes.rst has not received a "2.7_beta1" section - it has the "highlevel" overview of what is new in 2.7, but for alpha/beta releases it's better to look at git log to see what has been added/fixed.

New features alpha3 -> beta1 are

- a large number of signed/unsigned related warnings have been fixed
- bugfixes in --dns-updown script for linux systems using resolvconf
- rewrite of the management interface "bytecount" infrastructure to better interact with DCO
- PUSH_UPDATE server support (via management interface)
- introduction of route_redirect_gateway_ipv4 and _ipv6 env variables
- speeding up t_client tests by reducing per-test startup delay 3s -> 1s

The biggest noticeable difference in beta1 is the reformatting using clang-format, leaving uncrustify as that wasn't stable across versions.

Signed-off-by: Gert Doering
--- ChangeLog | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++ Changes.rst | 30 +++++++++++++++++++++++++ version.m4 | 2 +- 3 files changed, 96 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 722486a66..f89c784cb 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,6 +1,71 @@ OpenVPN ChangeLog Copyright (C) 2002-2025 OpenVPN Inc +2025.09.04 -- Version 2.7_beta1 + +Arne Schwabe (1): + Check message id/acked ids too when doing sessionid cookie checks + +Frank Lichtenheld (27): + Update text of GPL to latest version from FSF + Update GPL header in all source files to current recommended version + Define a .clang-format file for the project + Disable clang-format for some code parts + Update git-pre-commit-uncrustify.sh to handle clang-format + GHA: enable -Werror for mbedTLS v3 and AWS LC builds + Reformat the whole project with clang-format + Fix build error with clang-cl on latest Windows SDK + clang-format: Switch to ColumnLimit 0 + Add clang-format reformat commit to .git-blame-ignore-revs + Remove uncrustify config and reformat-all.sh + buffer: remove unused function buf_write_alloc_prepend + t_client.sh: Do not wait 3 seconds for OpenVPN to come up + Collect trivial conversion fixes + options: Fix --hash-size virtual argument + Clean up documentation for --tun-mtu-max + comp: Make sure comp flags are treated as unsigned + crypto: Make sure crypto flags are treated as unsigned + options: Make sure option types are treated as unsigned + route: Make sure various route flags are treated as unsigned + socket: Create socket_util with non-socket functions + Add new unit test module test_socket + socket_util: Clean up conversion warnings in add_in6_addr + manage: Make sure various management flags are treated as unsigned + forward: Make sure pip flags are treated as unsigned + options: Introduce atoi_constrained and review usages of atoi_warn + ssl_openssl: Fix type of sslopts argument to SSL_CTX_set_options + +Gert Doering (3): + Remove use of 'dh dh2048.pem' from sample configs, remove 'dh2048.pem' file + Introduce env variables to communicate desired gateway redirection to NM. 
+ OpenVPN Release 2.7_beta1 + +Gianmarco De Gregori (1): + dco: avoid printing mi prefix on debug messages + +Heiko Hund (1): + dns: fix systemd dns-updown script + +Ilia Shipitsin (1): + GHA: limit 'Deploy Doxygen documentation' to main repo only + +Lev Stipakov (3): + Log setting DNS via NRPT + dco-win: add support for multipeer stats + Refactor management bytecount tracking + +Marco Baffo (1): + PUSH_UPDATE message sender: enabling the server to send PUSH_UPDATE control messages + +Ralf Lici (3): + management: resync timer on bytecount interval change + dco_linux: validate tun interface before fetching stats + management: stop bytecount on client disconnection + +Samuli Seppänen (2): + Add sample FFDH parameters file and use that in t_server_null tests + + 2025.07.31 -- Version 2.7_alpha3 Antonio Quartulli (10): diff --git a/Changes.rst b/Changes.rst index 1bc5a8e51..e27294ece 100644 --- a/Changes.rst +++ b/Changes.rst @@ -131,11 +131,23 @@ PUSH_UPDATE client support implementation for OpenVPN 2.x is still under development. See also: https://openvpn.github.io/openvpn-rfc/openvpn-wire-protocol.html +PUSH_UPDATE server support (minimal) + new management interface commands ``push-update-broad`` and + ``push-update-cid`` to send PUSH_UPDATE option updates to all + clients ("there is a new DNS server") or only a specific client ID + ("privileges have changed, here's a new IP address"). See + doc/management-notes.txt + Support for user-defined routing tables on Linux see the ``--route-table`` option in the manpage PQE support for WolfSSL +Two new environment variables have been introduced to communicate desired + default gateway redirection to plugins like Network Manager, + ``route_redirect_gateway_ipv4`` and ``route_redirect_gateway_ipv6``. + See the "Environmental Variables" section in the man page + Deprecated features ------------------- 
@@ -235,6 +247,24 @@ User-visible Changes server pushes DCO incompatible options), use the ``--disable-dco`` option. +- Apply more checks to incoming TLS handshake packets before creating + new state - namely, verify message ID / acked ID for "valid range for + an initial packet". This fixes a problem with clients that float + very early but send control channel packet from the pre-float IP + (Github: OpenVPN/openvpn#704). + +- Use of ``--dh dh2048.pem`` in all sample configs has been replaced + with ``--dh none``. The ``dh2048.pem`` file has been removed, and + has been replaced with ``ffdhe2048.pem`` for the benefit of the + t_server_null test (to test all variants of ``--dh``). + +- the startup delay in ``t_client.sh`` has been reduced from 3s to 1s, + making a noticeable difference for setups with many tests. + +- changed from using ``uncrustify`` for code formatting and pre-commit checks + to ``clang-format``. This reformatted quite a bit of code, and requires + that regular committers change their pre-commit checks accordingly. + Overview of changes in 2.6 ========================== diff --git a/version.m4 b/version.m4 index 601b7e25b..8594535e5 100644 --- a/version.m4 +++ b/version.m4 @@ -3,7 +3,7 @@ define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [7]) -define([PRODUCT_VERSION_PATCH], [_alpha3]) +define([PRODUCT_VERSION_PATCH], [_beta1]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) -- 2.47.3
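
Review bot: In the ChangeLog hunk, the "Samuli Seppänen (2):" heading is followed by only one subject line ("Add sample FFDH parameters file and use that in t_server_null tests"), while every other author's count matches the number of entries listed under it. Either a second commit subject is missing or the count should read (1); regenerating this section with git shortlog for the commits since 2.7_alpha3 would settle which. The section is also dated 2025.09.04 while the mail's Date header is 3 Sep 2025, which is fine if that is the planned release date but worth confirming before tagging.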
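
Review bot: In the first Changes.rst hunk (@@ -131,11 +131,23 @@), the new environment-variable entry uses a full sentence that breaks mid-phrase as its first line ("Two new environment variables have been introduced to communicate desired"), whereas the neighbouring entries ("PUSH_UPDATE server support (minimal)", "Support for user-defined routing tables on Linux") use a short title followed by an indented description. As written, the unindented first line becomes the entry title and the sentence is split between title and body. Suggest a short title line, for example "Environment variables for default gateway redirection", with the sentence naming ``route_redirect_gateway_ipv4`` and ``route_redirect_gateway_ipv6`` moved into the indented body.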
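
Review bot: In the second Changes.rst hunk (@@ -235,6 +247,24 @@), the ``--dh none`` bullet records that the sample configs changed but not what that means for someone who copies them: with ``--dh none`` the server offers no finite-field DH and relies on ECDH key exchange only. One added sentence saying so, and that existing setups pointing at the removed ``dh2048.pem`` need their own parameters file or ``--dh none``, would make this a usable user-visible note. Smaller points in the same hunk: the last two bullets start lowercase ("the startup delay", "changed from using") while the earlier ones are capitalised, "send control channel packet" should be plural, and "Github" should be "GitHub".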