Gert Doering [Wed, 28 Jan 2026 13:33:08 +0000 (14:33 +0100)]
OpenVPN Release 2.7_rc6
version.m4, ChangeLog, Changes.rst
Changes.rst has not received an "2.7_rc6" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta/rc*
releases it's better to look at git log to see what has been added/fixed.
Notable changes rc5 -> rc6 are:
- bugfix on restarting a p2mp server instance with SIGUSR1 (inadvertedly
closing fd 0, causing a crash on the next restart - GH #966)
- prevent NULL pointer crash on suitable combination of --dns-updown
statements in openvpn config file (not pushable)
- prevent inappropriate management interface activity if a password is
set and --management-forget-disconnect or --management-signal are active
- more conversion warnings fixed
- Windows: interactive service - some initial unit tests added for the
most complex string conversion function (ConvertItfDnsDomains())
- remove #ifdefs around socket sendbuf/receive buf handling, assuming that
all platforms that have POSIX sockets have this.
- add mbedTLS 4 support
- fix check for failed fork() in port-share code
Gert Doering [Wed, 28 Jan 2026 11:04:19 +0000 (12:04 +0100)]
tunnel_server(): close correct inotify fd
On a full SIGUSR1 restart of a p2mp server compiled with
--enable-async-push, tunnel_server() will try to close and reopen
the "inotify" control file descriptor. For whatever reason, the
original code referenced the wrong context, always closing fd 0.
As a consequence of this, on the second SIGUSR1 restart, the server
will close() the first active socket file descriptor, and if there
are active DCO clients, the resulting event confusion will lead to
an ASSERT(!mi->halt).
Fix by closing the correct FD. Add logging.
Github: fixes OpenVPN/openvpn#966
Change-Id: Iabc117848ad7b67d240c392f1a6aa2d7531fd5bb Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1497
Message-Id: <20260128110425.24350-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35478.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 28 Jan 2026 11:04:37 +0000 (12:04 +0100)]
Prevent NULL pointer dereference with --dns-updown
If the dns-updown option appears in the config twice, there is a chance
of a NULL pointer dereference when comparing the script path to the
default script path. This happens when a custom script is set, after the
dns-updown script was disabled first. In that case the script path is
NULL, which leads to the deref during a strcmp(3).
manage: Do not trigger actions on management disconnect if not authenticated
If the management interface requires authentication via password
and the remote did not specify it, do not do trigger actions
requested by --management-forget-disconnect and --management-signal
on disconnect.
Reported-By: Joshua Rogers <contact@joshua.hu> Found-By: ZeroPath (https://zeropath.com)
Github: openvpn-private-issues#5
Change-Id: I575d65912ce9065a0b0868e73998b4a9aece62af Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1484
Message-Id: <20260122125707.108048-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35390.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Max Fillinger [Fri, 23 Jan 2026 16:47:39 +0000 (17:47 +0100)]
Add support for Mbed TLS 4
This commit adds support for Mbed TLS 4. This version comes with some
drastic changes. The crypto library has been completely redesigned, so
the contents of crypto_mbedtls.c are moved to crypto_mbedtls_legacy.c
and crypto_mbedtls.c handles the crypto for version 4.
Mbed TLS 4 also removed the feature for looking up a crypto algorithm by
name, so we need to translate algorithm names to Mbed TLS numbers in
OpenVPN. The tables are not yet complete. For symmetric algorithms, I
have added AES and Chacha-Poly which should be enough for most use
cases.
Change-Id: Ib251d546d993b96ed3bd8cb9111bcc627cdb0fae Signed-off-by: Max Fillinger <maximilian.fillinger@sentyron.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1441
Message-Id: <20260123164746.7333-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35401.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 21 Jan 2026 12:18:30 +0000 (13:18 +0100)]
Silence compiler truncation warning by checking snprintf return value
On the more recent mingw compilers (homebrew mingw 13.0.0, GCC 15.2.0) the
compiler complains about a potential truncation in these two places.
src/openvpn/tun.c:3806:57:
error: '%s' directive output may be truncated writing up
to 255 bytes into a region of size 178
[-Werror=format-truncation=]
This not very helpful but checking the snprintf return value
will make the compiler not warn about this.
Change-Id: I54b11a5540fb236580a3b80c6d1e8678b24bd852 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1272
Message-Id: <20260121121830.27244-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35367.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Due to the differences in the types of APIs
between xkey provider and Windows cryptoapi
we can't avoid the casts. And they should be
safe generally since the involved sizes should
be small compared to the maximum values. So
just add asserts and explicit cast to avoid
the warnings.
EVP_CIPHER_CTX_flags is documented to output
int in OpenSSL, but is actually unsigned long
in OpenSSL 3.
In libressl it is correctly documented to output
unsigned long.
Change-Id: I99bc4692526f9143a913e29b266a1816295dfd51 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1446
Message-Id: <20260116172010.25278-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35311.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 14 Jan 2026 18:21:19 +0000 (19:21 +0100)]
OpenVPN Release 2.7_rc5
version.m4, ChangeLog, Changes.rst
Changes.rst has not received an "2.7_rc5" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta/rc*
releases it's better to look at git log to see what has been added/fixed.
Notable changes rc4 -> rc5 are:
- CVE 2025-15497 in epoch key handling (an authenticated remote system
can send a valid OpenVPN data packet that triggers an edge case
where a too-strict check would trigger an ASSERT(), exiting OpenVPN)
- remove "resolve --remote on incoming TCP connects on --tcp-server"
code base, because that did not work in a long time (since 2.4) and
is seen as too obscure and too complicated to rescue.
- repair interaction between DCO and persist-tun after reconnection
(in this case the client side would fail to set up the DCO event
handler, and not notice further --ping timeouts - GH: #947)
- remove ENABLE_X509ALTUSERNAME conditional, always enabling
"configure --enable-x509-alt-username". Effectively no change in
code size, and one less build variant to maintain and test (GH: #917).
- require "script-security 2" when using --dev unix:<program>
- socks client: fix and improve various code parts
- configure etc: drop support for systemd 216 and older, adapt
other checks to reflect modern systemd setups
- fix unit test building with libcmocka 2.0+
- fix Android build warnings about unused variables/methods
- allow --test-crypto to run without --secret
(prepare for removal of --secret after 2.7)
- improve WolfSSL build compatibility
When the sender jumps forwards exactly epoch_data_keys_future_count in its
epoch key use the housekeeping logic does not handle this correctly and
triggers an ASSERT.
Change the code to correctly implement the special case when the new epoch
key of the sender is the highest valid key epoch in the current window of
valid epoch keys for receiving data.
Change-Id: Ib581c02a29b974184256a9f4ad0ce15ba5f9db3b Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-By: Max Fillinger <maximilian.fillinger@sentyron.com> Reported-By: Pavel Kohout of Aisle Research <pavel.kohout@aisle.com>
Github: closes OpenVPN/openvpn-private-issues#103
CVE: 2025-15497
socks: In establish_socks_proxy_udpassoc check result of recv_socks_reply
Not just check the return value but also that relay_addr
is valid. recv_socks_reply doesn't care whether the answer
is what we expected. This is probably a very unlikely edge
case but it doesn't hurt to check for it here.
Reported-By: Joshua Rogers <contact@joshua.hu> Found-By: ZeroPath (https://zeropath.com)
Github: openvpn-private-issues#13
Change-Id: Ic1c8f24de423541bdc85e70b5a688213800d86de Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1469
Message-Id: <20260114135807.20637-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35249.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
So apparently when using --proto tcp-server --tls-server
--remote, AND the remote is not resolvable on startup
then we would preserve the remote name and resolve it
later on connect. Except that when the remote is not
resolvable I never managed to get it to create a
listening socket in the first place.
Originally I looked into this code because ZeroPath
claimed it was broken. I think that report was
correct but I think it is much easier to declare this
feature dead instead of trying to fix it. It is
undocumented and if it is usable then only in very
specific circumstances that are hard to figure out.
Github: openvpn-private-issues#13
Change-Id: I0141945469dd11340bfb42ec37a3c5f90ed0ff52 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1468
Message-Id: <20260113121512.12057-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35232.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 14 Jan 2026 11:23:49 +0000 (12:23 +0100)]
Repair interaction between DCO and persist-tun after reconnection
When --persist-tun is active, openvpn userland on Linux and FreeBSD fails
to re-enable "poll for DCO events" after a reconnect (e.g. triggered by
a ping timeout). The reconnect will still work fine, but the *next*
DCO event notification from the kernel will not be received by OpenVPN
userland, and so the system will get into an inconsistent state (Userland
assumes "all is well", kernel DCO has disconnected the peer, connection
is broken until the next tls-renegotion and/or manual restart, *and* the
next DCO key setup might fail due to "peer id gone").
This only affects client side, --server tun is always "persistent", and
there is no "full restart" (and the code path in question is also
only used for client and p2p server).
The root cause is an incorrect check for "is this interface up?" when
calling dco_event_set() in forard.c::io_wait() - "c2.did_open_tun" is
only true if the tun interface was actually configured on this reconnect,
which it isn't if --persist-tun is active. Replace with a check for
"do we have a tuntap structure, and if yes, do we have active DCO?"
which reflects the original intent much better.
The original code also had a check for "out_socket & EVENT_READ" there,
which did to some extend avoid calling dco_event_set() for every single
UDP packet sent and received by userland - but this only worked on initial
connection, and is always true on reconnect, so this condition was removed
for simplicity. We should come back here...
v2:
- some language fixes on the commit message
- do not check ->dco.open in forward.c, as this is not available if
not on FreeBSD, or if compiled with --disable-dco.
FreeBSD DCO does the "if (!dco || !dco->open)" check in dco_event_set()
anyway, so it's not needed, and Linux DCO has "dco->nl_sock", which is
also reliably set/unset, and checked by dco_event_set() already.
Github: OpenVPN/openvpn#947
Change-Id: Idbd0a47ba4d297a833a350611a23f19fd9a797b5 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1473
Message-Id: <20260114112403.7046-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35239.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 14 Jan 2026 11:04:47 +0000 (12:04 +0100)]
remove ENABLE_X509ALTUSERNAME conditional
This is one of the #ifdef producing compile-time variants that make the
code harder to read and harder to test. The extra code size due to
turning it on is marginal.
The mbedTLS backend does not (yet) support it. To cope with that,
add a minimum function x509_username_field_ext_supported() that always
returns "false", and omit the --x509-username-field from the help
text if ENABLE_CRYPTO_MBEDTLS. Implement this on another day.
Github: closes OpenVPN/openvpn#917
Change-Id: I3f661cf305c52652e430b8d219df5186dd8ea4f7 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1442
Message-Id: <20260114110452.4976-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35237.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 13 Jan 2026 07:27:45 +0000 (08:27 +0100)]
Require script-security 2 when using unix: tun
Since this executes an executable from an arbitrary path, it should follow
the same rules as other scripts/executable.
Reported-By: Petr Simecek, Pavel Kohout and Stanislav Fort from Aisle Research
Change-Id: I89dcab24ba510094ce1672e382960bf15def310a Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1465
Message-Id: <20260113072750.16015-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35223.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Do not try to handle very old systemd that was released
over ten years ago (remove SYSTEMD_NEWER_THAN_216)
- Do not require systemd.pc. I can't find any indication
that we use any of the variables defined by it. (It
does not define any libraries, just variables)
- Remove check for sd-daemon.h. We did not use the
conditional and assumed it was there already.
- Allow libsystemd.pc to define cflags. Previously we
ignored those.
Change-Id: Ie59e03ce01575acaeaf690f582eb5cfa80eb37fc Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1463
Message-Id: <20260109163514.23051-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35203.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Includes the following renovate changes:
- chore(deps): update dependency aws/aws-lc to v1.66.2
- Update lukka/get-cmake action to v4.2.1
- chore(deps): update github actions
- chore(deps): update vcpkg digest to eeb00f1
Arne Schwabe [Fri, 19 Dec 2025 13:51:10 +0000 (14:51 +0100)]
Allow test-crypto to work without the --secret argument
The --test-crypto still requires the --secret argument. Since --secret
will be removed in OpenVPN 2.8 but we want to keep test-crypt, remove
the dependency of test-crypto on --static.
Instead we will just generate a random key for this selftest method.
This also removes the extra logic that is a leftover from the early
multi-thread implementation attempt.
Change-Id: I72947bd4f0213fd118327f740daeb1d86ae166de Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1435
Message-Id: <20251219135110.166468-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35157.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
But add compat layer so that we can still build
against older versions of cmocka. Mostly this is
trivial but the custom check function changed its
prototype, so that requires some more work.
Change-Id: Ifb6594700db71d219643a29c581099c778bcbbc6 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1449
Message-Id: <20251218104042.5961-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35144.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 17 Dec 2025 13:07:38 +0000 (14:07 +0100)]
Ensure wolfSSL uses old pre 1.1.0 OpenSSL path for getting ciphers
Normally when wolfSSL is compiled with --enable-openvpn it reports an
OpenSSL version before 1.1.0. When compiled normally it reports an
OpenSSL version higher than this.
So explicitly check for wolfSSL instead of relying on its OpenSSL version
trickery.
Change-Id: I47fc0dc93a7ed6b71feb611194cee02a81d91769 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1448
Message-Id: <20251217130743.28786-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35127.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 10 Dec 2025 09:53:55 +0000 (10:53 +0100)]
OpenVPN Release 2.7_rc4
version.m4, ChangeLog, Changes.rst
Changes.rst has not received an "2.7_rc4" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta/rc*
releases it's better to look at git log to see what has been added/fixed.
Notable changes rc3 -> rc4 are:
- Windows interactive service: do not configure adapter DNS if
there are no search-domains but there are resolve-domains (which
get resolved via NRPT rules) - GH: OpenVPN/openvpn#473
- improve documentation and error messages for a number of deprecated
options
- improve documentation for not-really-deprecated-yet ``--ns-cert-type``
- Windows IPv4 configuration with netsh.exe: ensure addresses are added
with "store=active" (ensure proper cleanup) - GH: OpenVPN/openvpn#915
- Windows: set UTF8 code page in openvpn.exe manifest, to make cert/key
loading work again for files with non-ASCII characters in their file
name (GH: OpenVPN/openvpn#920)
- tun.c: unify read_tun()/write_tun() functions for all BSD platforms
- more type conversion related cleanups
- add NULL check before freeaddrinfo() call, which might lead to a
crash on OpenBSD (GH: OpenVPN/openvpn#930)
- add NULL check to mbedtls handling of external and inline certificates
- add check for auth none / cipher none on FreeBSD DCO
- add CAP_SYS_NICE to positive list in Linux systemd unit files
(GH: OpenVPN/openvpn#834)
- drop mbedtls 2.x support (which is end of life, and work on mbedtls 4
is much simplified by not having to take care of 2.x compat as well)
- PUSH_UPDATE: bugfix for the client side where split/continued messages
(due to large number of "route" statements) would not correctly handle
the full set of routes. Add unit test. (GH: OpenVPN/openvpn#925)
- new unit test module for mbuf handling
- deprecate --fast-io option (it got partially broken by the multisocket
implementation, and the benefits of the existing implementation did
not outweigh the extra code complexity to make it work again)
- change the ssl_ctx in struct tls_options to be a pointer - this is
a shared data structure between various contexts, but previously it
was shallow-copied, leading to needless CRL reloading - and when
working on implementing the new OpenSSL CRL API, to segfaults
(the existing code works, as these new APIs are not used yet).
Arne Schwabe [Tue, 16 Dec 2025 14:42:00 +0000 (15:42 +0100)]
Change ssl_ctx in struct tls_options to be a pointer
The SSL CTX is shared between all of the instances. So any change to the
SSL CTX will affect all instances. Currently the CRL is also reloaded
potentially multiple times as each copy of tls_root_ctx has its own
crl_last_mtime and crl_last_size values that will be checked if the CRL
reload is necessary.
Changing it to a pointer will make it more clear that this is shared
and also the CRL being reloaded multiple times.
Change-Id: I21251a42f94fa1d9de083d2acd95b887658c5760 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: MaxF <max@max-fillinger.net>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1431
Message-Id: <20251216144207.12171-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35116.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
multi: Warn about failing read in multi_process_file_closed()
Handle failure explicitly instead of the implicit
handling by "while (buffer_i < r)". That error
checking was previously broken but was fixed by
commit 5e5ead5ba019fc2a8266f77a7d840b30fd545198.
Reported-by: Marc Heuse <marc@srlabs.de>
Github: openvpn-private-issues#101
Change-Id: Ie982f620a8af80564a70d993e6e84ec4e525236a Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1443
Message-Id: <20251215155652.23362-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35095.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
buffer: Change buf_prepend and buf_advance to accept ssize_t for length
We already have tests to make sure the value is sane.
Changing the argument to ssize_t allows to use it in
more places without needing to do a cast before the
checks.
Change-Id: I123002255b37160d48ef6481f68a89d03073236b Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1437
Message-Id: <20251215160541.24237-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35099.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
multi: Fix wrong sigma value in multi_push_restart_schedule_exit
Sigma was computed based on the absolute time and
not the delta.
Note that this probably makes no actual difference in
practice. The sigma value is irrelevant on first call
and multi_push_restart_schedule_exit should not be
called multiple times since it is only called
if deferred_shutdown_signal.signal_received is not set,
yet.
Change-Id: I62b8263f18c4e2e7f5ecacb4616737f5ba836303 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1311
Message-Id: <20251215150500.18898-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35075.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
While fixing the conversion warning I was
somewhat confused how this works, so added
UTs to verify I understood it.
v2:
- disable assert test for MS VS
- add define for memory-intensive UTs and
only enable it by default for CMake builds,
so we do not break a lot of builds out there
due to memory allocation failures
Change-Id: Icab68a5fd1b6288955f0073179f1ddde1468d951 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1432
Message-Id: <20251212120352.17402-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35050.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Lower the limit to 1GB on 32bit systems.
The limit of 4GB-1 makes no sense on systems that usually
don't allow a single process to allocate anything near to
this limit.
- Increate the limit from 4GB-1 to 4GB on other systems. It
makes no difference in protection but makes it much easier
to use the limit in other contexts, e.g. if dividing it.
Change-Id: I4f95edd7ce2098180aa620a231727217f333a12d Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1436
Message-Id: <20251212100920.7671-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35044.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Moritz Fain [Mon, 1 Dec 2025 14:04:18 +0000 (15:04 +0100)]
PUSH_UPDATE: fix option reset logic in continuation messages
Previously, the logic for resetting push options (like 'route') was based on
`update_options_found` which was local to `apply_push_options`. This meant
that if a PUSH_UPDATE was split across multiple continuation messages,
the state was lost, causing routes to be reset multiple times (once per
message chunk) rather than once per update sequence.
This patch moves the state tracking to `struct options` as
`push_update_options_found`, allowing it to persist across the entire
PUSH_UPDATE sequence.
This fixes an issue where large route lists sent via PUSH_UPDATE would
result in only the last chunk's routes being applied, or previous routes
being continuously deleted and re-added.
Added unit test `test_incoming_push_continuation_route_accumulation` to
verify the fix.
Github: OpenVPN/openvpn#925
Signed-off-by: Moritz Fain <moritz-openvpn@fain.io> Acked-by: Marco Baffo <marco@mandelbit.com>
Message-Id: <CAM8w-qEE6vHj=yUOpTFbM7DqPKzUV0NupvEG4rUefY=kNB2DxQ@mail.gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34814.html
mudp: fix unaligned 32-bit read when parsing peer ID
The code previously read a 32-bit value from a uint8_t
buffer using a direct cast and dereference.
This can cause unaligned memory access and undefined
behavior on architectures that do not support unaligned
reads, potentially leading to a one-packet crash.
Fix this by reading the bytes individually and
combining them manually.
Reported-By: Joshua Rogers <contact@joshua.hu> Found-By: ZeroPath (https://zeropath.com)
Change-Id: Id0bb4c45d373437ab8dbaff7a311745f9b538cbf Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1348
Message-Id: <20251210104839.8270-1-gert@greenie.muc.de> Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 10 Dec 2025 07:29:44 +0000 (08:29 +0100)]
iservice: set adapter DNS only with search domains
With NRPT the adapter name server configuration is not needed
theoretically. However DNS config is not showing with traditional
tools like ipconfig if they are left out. More importantly if
there are no DNS servers configured for an adapter the adapter
specific search domains are not recognized by the Windows resolver.
However, adding the servers to the adapter has the side effect, that
general look-ups are now also done using this adapter, which might
come as unexpected and yield wrong results, if there is some trickery
happening with the default DNS, for example.
As a workaround, set the adapter DNS only when strictly needed.
Lev Stipakov [Wed, 10 Dec 2025 07:59:00 +0000 (08:59 +0100)]
tun.c: set IPv4 address temporary on Windows
Use store=active to set IPv4 address temporary so that
it will be removed on reboot. This makes the behavior
consistent with deletion and IPv6, where we already use
store=active.
tun: Change return type of write_tun/read_tun to ssize_t
So we can directly give back the actual return
type from write/read. Even if we then cast it
back to int. The cast should be safe since we
also specify an int as we also put an int in
as length.
Change-Id: I67f5bf53b80f53fd2e349f844479ed172a7b3aa1 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1376
Message-Id: <20251209153715.15832-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34961.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Tue, 9 Dec 2025 07:02:11 +0000 (08:02 +0100)]
pull-filter: improve documentation
Pull-filter uses a simple string comparison and could be defeated by
unusual formatting of pushed option strings. Document that this
option is not meant to be used as a security measure.
But exclude the added checks that currently have failures
so that we can keep /WX enabled.
Basically this excludes -Wconversion and -Wsign-compare,
as expected from our GCC/Clang flags.
Github: #382
Change-Id: Iffc114939cb37129057e9c4864fae9e09c3c7fe4 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1417
Message-Id: <20251208113636.9650-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34876.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Documentation: Various syntax fixes and text improvements
This started as a fix for OpenVPN/openvpn#606 but while
reviewing the documentation referenced from there I
identified more and more issues.
There a few classes of changes in here:
- Fix wrong `...` syntax, which makes no sense in rst.
- Remove some very old references to OpenVPN v1 behavior.
- Fix typos or other small text issues.
Note: The usage of ``...`` vs :code:`...` is very
inconsistent, but fixing that is outside of the scope
of this patch. I have tried to make it at least
locally consistent.
Github: Fixes OpenVPN/openvpn#606
Change-Id: Iee535f1502ab3dcb7bde7f2593c2e122d27d9189 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1414
Message-Id: <20251208114224.10223-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34878.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 4 Dec 2025 13:45:16 +0000 (14:45 +0100)]
Fix dco with null cipher being enabled without auth none
This is a corner case and only the FreeBSD DCO module support the
none encryption but as long as it supports it, we should only
enable it when the configuration actually allows to enable it.
Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1369
Message-Id: <20251204134521.20025-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34847.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Max Fillinger [Mon, 1 Dec 2025 13:39:50 +0000 (14:39 +0100)]
Drop Mbed TLS 2.X compatibility
Mbed TLS 2.28 is out of support since March and adding support for
Mbed TLS 4 will get ugly enough without the old compatibility code lying
around too.
Mbed TLS 2.28 still ships on some supported distributions
(e.g. Ubuntu 24.04) but nobody is maintaining openvpn-mbedtls packages
there. This commit will probably break on some test machines.
Change-Id: Ia4afabcb6006dc9304a4c09f824d9c7c2d4d64ad Signed-off-by: Max Fillinger <maximilian.fillinger@sentyron.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1412
Message-Id: <20251201133956.29880-1-gert@greenie.muc.de> Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Mon, 1 Dec 2025 09:01:03 +0000 (10:01 +0100)]
Set UTF-8 as the codepage using manifest declaration
Works on Windows 10+. This ensures any UTF-8 string we pass to
ANSI API will not get interpreted in some local code page
in effect at runtime.
Although we do not use any such API, OpenSSL dll we link to
does (e.g., the store API used for reading certificate and
key from files). OpenSSL may fix this in future versions,
but this is an easy workaround that looks harmless and appropriate.
Fixes failure to read certificates when filenames contain non-ascii
characters reported by: Carsten Mietzsch <Carsten.Mietzsch@atelios.de>
Gert Doering [Thu, 27 Nov 2025 08:49:36 +0000 (09:49 +0100)]
OpenVPN Release 2.7_rc3
version.m4, ChangeLog, Changes.rst
Changes.rst has not received an "2.7_rc3" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta/rc*
releases it's better to look at git log to see what has been added/fixed.
Notable changes rc2 -> rc3 are:
- Windows/Interactive Service bugfixes
many small bugfixes to registry-related DNS domain handling
- Windows/Interactive Service: harden service pipe handling
close a small race condition, and add restrictive ACLs
- Windows/Interactive Service: CVE-2025-13751
fix bug where the interactive service would error-exit in
certain error conditions instead of just logging the fact and
continuing. After the error-exit, OpenVPN connections will no
longer work until the service is restarted (or the system rebooted).
This can be triggered by any authenticated local user, and has
thus been classified as a "local denial of service" attack.
- more type conversion related warnings have been fixed
- --multihome behaviour regarding egress interface selection has been
changed. See Changes.rst and manpage for details.
- cleanup dead code in event handling code (leftover of the multisocket
patch set)
- add new feature, --tls-crypt-v2-max-age n. See Changes.rst and
manpage for details.
- improve documentation to point out the pitfalls of case-insensitive
filesystems and --client-config-dir
- split default gateway query logic in two:
- for --redirect-gateway functionality, query for the gateway towards
the actual IP address of the VPN server connecting to
- for the "net_gateway" special destination for --route, and the
corresponding environment variable, always query for 0.0.0.0 / ::
(this will only make a difference in certain scenarios using a local
proxy, or on a system with multiple interfaces, not using the "default
route" for the VPN connection - see github#890)
- upgrade embedded pkcs11-helper vcpkg + pkcs11-uri patch to 1.31
- CMake / autoconf cleanup wrt unused checks, outdated old-Linux checks,
Windows oddities
- DCO (primarily Linux): improve handling of bulk notifications from
kernel (do not lose notifications, do not crash) (github#900)
Lev Stipakov [Mon, 24 Nov 2025 10:09:23 +0000 (12:09 +0200)]
interactive.c: harden pipe handling against misbehaving clients
- Handle ConnectNamedPipe ERROR_NO_DATA as a normal
connect/drop race: log the drop, disconnect/reset
that instance, and keep listening instead of letting
a trivial local DoS stop the service.
- Add a timed peek for startup data so a client that
connects and sends nothing is timed out (IO_TIMEOUT)
and rejected, instead of leaving a worker thread blocked
forever and piling up handles.
- Protect the accept loop from resource exhaustion: before
spawning a worker, check the wait set and reject the client
if adding another handle would exceed MAXIMUM_WAIT_OBJECTS;
also skip FlushFileBuffers when no startup data was received
to avoid hangs on silent clients.
Without these fixes, a malicious local windows user can make the OpenVPN
Interactive Service exit-on-error, thus breaking all OpenVPN connections
until the service is restarted (or the system rebooted). Thus this has
been classified as "local denial of service" and CVE-2025-13751 has been
assigned.
Ralf Lici [Fri, 28 Nov 2025 11:26:59 +0000 (12:26 +0100)]
dco: process messages immediately after read
Currently, reading and processing of incoming DCO messages are
decoupled: notifications are read, parsed, and the relevant information
is stored in fields of dco_context_t for later processing (with the only
exception being stats). This approach is problematic on Linux, since
libnl does not allow reading a single netlink message at a time, which
can result in loss of information when multiple notifications are
available.
This change adopts a read -> parse -> process paradigm. On Linux,
processing is now invoked directly from within the parsing callback,
which libnl calls for each received netlink packet. The other interfaces
are adapted accordingly to unify the processing model across all
platforms.
On Linux, however, a DEL_PEER notification from the kernel triggers a
GET_PEER request from userspace, which clutters the netlink
communication logic and can lead to errors or even process exit when
multiple simultaneous DEL_PEER notifications are received. To avoid
this, introduce a lock that prevents requesting stats while we are still
busy parsing other messages.
Gert Doering [Thu, 27 Nov 2025 11:35:12 +0000 (12:35 +0100)]
extract_x509_field_ssl(): verify that X509_NAME is not NULL.
This seems to be unlikely to ever happen, but this check won't harm
- as a matter of coding convention, we do not ensure this inside
extract_x509_field_ssl(), but in the (single) caller.
While at it, fix pre-C99 local-variable indent block, and missing {}
block in else/#endif construction.
Reported-By: Joshua Rogers <contact@joshua.hu> Found-by: ZeroPath (https://zeropath.com/)
Change-Id: I1e9c7eee06bf5f2e8aed8cd2523684539294ac8b Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1388
Message-Id: <20251127113517.1352-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34748.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Some things were detected in configure.ac and just
hard-coded in CMake. Move the hard-coding to
syshead.h instead and remove the additional code
in configure.ac. These are really Windows-specific
so I think not dynamically detecting is okay.
Change-Id: Ic55e1288b0d3160e68eef07ff4edbb070a03dd31 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1410
Message-Id: <20251127103710.29341-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34736.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
error: Allow status argument to check_status to be ssize_t
We only check for < 0 so no reason not to allow bigger
signed values. This makes it easier to feed result
values of read/write to it. Fixes a conversion warning
in process_outgoing_tun.
Also changes register_activity to int64_t for similar
reasons.
Change-Id: I750a46246c0d2447a6691e5c25c4732e3d335a63 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1357
Message-Id: <20251126114047.10280-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34701.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Traditional OpenVPN ``--multihome`` behaviour is to send packets out the
same interface that they were received on (copy ipi_ifindex from ingress
to egress packet info). For some scenarios this makes sense, for other
scenarios it is breaking connectivity when there are no routes pointing
out the ingress interface (intentionally asymmetric traffic).
For 2.7.0, change the default(!) to always send out packets with
ipi_ifindex = 0, to follow normal system interface selection rules.
Add a flag ``--multihome same-interface`` to restore the pre-2.7 behavior
of copying ipi_ifindex from ingress to egress packets. There are use
cases for this, and we want to give users a chance to read the release
notes and adjust their setups to "not break after upgrading to 2.7.0".
Heiko Hund [Mon, 24 Nov 2025 17:00:50 +0000 (18:00 +0100)]
iservice: rename one_glyph to glyph_size
Throughout the function variables which deal with byte counts have a
_size postfix. one_glyph is the number of bytes in one character.
Reading the code is easier and more consistent this way.
Heiko Hund [Wed, 26 Nov 2025 10:49:32 +0000 (11:49 +0100)]
iservice: fix off by one error
In case there is more than one non-ignored interface domain, the start
of the next domain was off by one glyph. That meant that all but the
first domain was ignored when converting to MULTI_SZ.
Reported-by: Marc Heuse <marc@srlabs.de> Reported-by: stephan@srlabs.de
Change-Id: I3ebf30f6d9edc66eb54fb3f1b5634c96d156b1ca Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1395
Message-Id: <20251126104938.5612-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34678.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 26 Nov 2025 10:47:01 +0000 (11:47 +0100)]
iservice: handle ignoring itf domains correctly
GetItfDnsDomains() does ignore domains, which are in the search domains
list. Handling of this was done wrong if there was more than one
interface domain. In any case the size returned to the caller was
calculated wrong.
Reported-by: Marc Heuse <marc@srlabs.de> Reported-by: stephan@srlabs.de
Change-Id: I02e2c7b27b5a39b11556e4753c648baa05344ffc Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1394
Message-Id: <20251126104706.5378-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34677.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 26 Nov 2025 10:43:07 +0000 (11:43 +0100)]
iservice: return correct size when domains are truncated
In case not all domains can be converted in the available buffer, return
the size of the already converted domains size plus the second terminating
zero for the MULTI_SZ.
Reported-by: Marc Heuse <marc@srlabs.de> Reported-by: stephan@srlabs.de
Change-Id: Iabad046c930dd0f38ec50d1c43d8b3288816df7d Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1391
Message-Id: <20251126104315.4776-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34680.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 26 Nov 2025 10:34:21 +0000 (11:34 +0100)]
iservice: fix calculation of converted domains size
To keep track of how much of the buffer is already used, the difference
of the current position and the start of the buffer needs to be
multiplied with the size of a character / glyph to bet the byte count,
with which calculations are done further down below.
Reported-by: Marc Heuse <marc@srlabs.de> Reported-by: stephan@srlabs.de
Change-Id: I16f9426e57f4802ba038ab51f5b70161464b9428 Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1390
Message-Id: <20251126103427.4085-1-gert@greenie.muc.de> Signed-off-by: Gert Doering <gert@greenie.muc.de>
multi-socket: do not return tuntap flags on server-side
Tuntap flags are already handled within
multi_io_process_io() so return them by
multi_io_process_flags() would be redoundant,
since we need them only for tun_set().
While at it, removed part of the I/O process
from multi_process_io_udp() since those are
also handled within multi_io_process_io(),
removed the FILE_CLOSED and FILE_SHIFT
defines since we now handle that kind of
event in multi_io_process_io() through
the MULTI_IO_FILE_CLOSE_WRITE define.
Change-Id: I6a5110a0583b8b33496b06d9c27c1084df38e842 Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1364
Message-Id: <20251124175832.21352-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34650.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair [Mon, 24 Nov 2025 16:53:47 +0000 (17:53 +0100)]
Restrict access to the service pipe to SYSTEM and owner
Access is restricted to SYSTEM and pipe client user
(the user starting openvpn.exe). The default is
full access to Administrtors, owner, and read access
to everyone. This hardens the pipe further.
Heiko Hund [Sun, 23 Nov 2025 11:58:46 +0000 (12:58 +0100)]
iservice: make sure registry string is terminated
When reading the interface domains from the registry, check that the
string is zero terminated, since the code in GetItfDnsDomains depends
on the fact when doing size calculations during the conversion.
Reported-by: Marc Heuse <marc@srlabs.de> Reported-by: stephan@srlabs.de
Change-Id: Icaeca22bdbd8ead0cb12345b1bcc2b5c0f46236f Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1392
Message-Id: <20251123115851.19555-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34610.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
projects / thirdparty / openvpn.git / log
