From: Gert Doering
Date: Sun, 12 Oct 2025 16:59:36 +0000 (+0200)
Subject: OpenVPN Release 2.7_beta3
X-Git-Tag: v2.7_beta3^0
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=23a56395f8adec78a2dfd357a42059c0890b8631;p=thirdparty%2Fopenvpn.git

OpenVPN Release 2.7_beta3

version.m4, ChangeLog, Changes.rst

Changes.rst has not received a "2.7_beta3" section - it has the "highlevel" overview of what is new in 2.7, but for alpha/beta releases it's better to look at git log to see what has been added/fixed.

Notable changes beta2 -> beta3 are:

- even more of signed/unsigned related warnings have been fixed
- document that PUSH_UPDATE is (as of now) not compatible with DCO, and add adequate checks
- improvements on PUSH_UPDATE handling on the server side
- bugfixes for reconnect and PUSH_UPDATE handling on the client side (notably handling of ifconfig/ifconfig-ipv6/redirect-gateway ipv6 if the server is not always pushing the same address families)
- improve "recursive routing checks", prepare the way for a policy-based setup where "packets to VPN server" could end up in the tunnel without interfering with OpenVPN operations
- improve unit testing, add more unit tests, fix unit test bugs
- add support for "epoch" data format to DCO on Windows (needs dco-win driver 2.8.0+)
- clean up and remove outdated stuff from COPYING

Signed-off-by: Gert Doering
---
diff --git a/ChangeLog b/ChangeLog
index 5cb6d17ba..1e9e0eced 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,66 @@ OpenVPN ChangeLog Copyright (C) 2002-2025 OpenVPN Inc +2025.10.13 -- Version 2.7_beta3 + +Arne Schwabe (2): + Allowing installing FreeBSD routes with interface instead of next-hop + Allow route_ipv6_match_host to be used outside of route.c + +Frank Lichtenheld (33): + GHA: Dependency updates September 2025 + comp-lz4: Fix types in call to LZ4_decompress_safe + dco_win: In dco_new_key, document size assumptions for the integer casts + dco_linux: Fix -Wconversion warnings + ssl_openssl: Use uint16_t internally for TLS versions + dco: Change sd argument to dco_new_peer from int to socket_descriptor_t + crypto_epoch: Clean up type handling in ovpn_expand_label() + route: Fix a unused-but-set-variable warning on OpenBSD + platform: Do not assume uid_t/gid_t are signed + mtu: Trivial -Wconversion fix + Review CMocka assertion usage + dhcp: Fix conversion warnings + COPYING: Remove licenses for software bundled in the Windows client + sitnl: Clean up type handling + options: Factor out parsing code to separate options_parse.c + unit_tests: Remove useless wrapping for argv/buffer tests + crypto: Make some casts to int explicit + test_options_parse: Start new UT for options_parse.c + buffer: Fix buf_parse eating input + test_options_parse: Add test for read_config_string + vlan: Remove -Wconversion override + GHA: Run options_parse test for MinGW + test_options_parse: Do not use uintmax_t instead of LargestIntegralType + proto: Clean up conversion warnings related to checksum macros + test_options_parse: Remove --wrap + lzo: Fix conversion warning + options_util: Fix conversion warning in atoi_constrained + options: Review use of positive_atoi vs atoi_constrained + console: Simplify query_user_add interface + socks: Fix conversion warnings with MinGW + Move build_dhcp_options_string from tun to dhcp + dhcp: Replace DHCP Option types with defines + test_user_pass: Check fatal errors for empty username/password + +Lev Stipakov (4): + dco-win: fix broken 
ASSERT in dco_new_key + dco-win: support for epoch data channel + Preserve ifconfig(_ipv6)_local across reconnect + Make recursive routing check more fine-grained + +Marco Baffo (4): + PUSH_UPDATE: disabling PUSH_UPDATE server and client if DCO is enabled + PUSH_UPDATE server: bug-fix, reset buffer after processing + PUSH_UPDATE server: check IV_PROTO before sending the message to the client + redirect-gateway: only redirect traffic through TUN if address families match + +Selva Nair (1): + Fix PIN cache time in test_pkcs11.c + +Steffan Karger (1): + Document that tls-crypt-v2 can be used in connection profile + + 2025.09.25 -- Version 2.7_beta2 Antonio Quartulli (1): diff --git a/Changes.rst b/Changes.rst index a8b160587..4feacad2f 100644 --- a/Changes.rst +++ b/Changes.rst @@ -87,6 +87,8 @@ Epoch data keys and packet format - IV constructed with XOR instead of concatenation to not have (parts) of the real IV on the wire +Support for Epoch data channel on Windows, using the win-dco driver (2.8.0+) + Default ciphers in ``--data-ciphers`` Ciphers in ``--data-ciphers`` can contain the string DEFAULT that is replaced by the default ciphers used by OpenVPN, making it easier to @@ -133,6 +135,8 @@ PUSH_UPDATE client support currently only supported by OpenVPN Inc commercial offerings, the implementation for OpenVPN 2.x is still under development. See also: https://openvpn.github.io/openvpn-rfc/openvpn-wire-protocol.html + NOTE: PUSH_UPDATE client support is currently disabled if DCO + is active (on all platforms). PUSH_UPDATE server support (minimal) new management interface commands ``push-update-broad`` and 
@@ -140,6 +144,8 @@ PUSH_UPDATE server support (minimal) clients ("there is a new DNS server") or only a specific client ID ("privileges have changed, here's a new IP address"). See doc/management-notes.txt + NOTE: PUSH_UPDATE server support is currently disabled if DCO + is active (on all platforms). Support for user-defined routing tables on Linux see the ``--route-table`` option in the manpage @@ -153,6 +159,17 @@ Two new environment variables have been introduced to communicate desired Improved logging of service events/errors to event log on Windows. +"Recursive Routing" check is now more granular, and will only drop + packets-in-tunnel if destination IP, protocol and port matches with + those needed to reach the VPN server. With that change, you can now + use policies that direct "everything that is not OpenVPN" into the + tunnel, and have IP packets to the VPN server address arrive as + expected (no such policies are currently installed by OpenVPN) + (github #669). + +COPYING: license details only relevant to our Windows installers have + been updated and moved to the openvpn-build repo + Deprecated features ------------------- @@ -278,6 +295,13 @@ User-visible Changes use from "ifconfig", this change repairs functionality (this has been backported to 2.6.15, but is not in earlier 2.6 versions). +- `max-routes-per-client 0` used to be silently upgraded to `1`. This + now produces an error. + +- `ifconfig` and `ifconfig-ipv6` values are now stored in pre-connect + options cache, and will be restored to pre-connect values on reconnects + if the server stops pushing the respective option. + Overview of changes in 2.6 ========================== diff --git a/version.m4 b/version.m4 index 3b889b2e8..916a640f7 100644 --- a/version.m4 +++ b/version.m4 
@@ -3,7 +3,7 @@ define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) define([PRODUCT_VERSION_MAJOR], [2]) define([PRODUCT_VERSION_MINOR], [7]) -define([PRODUCT_VERSION_PATCH], [_beta2]) +define([PRODUCT_VERSION_PATCH], [_beta3]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
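Review bot: in the ChangeLog hunk the new release header reads `2025.10.13 -- Version 2.7_beta3`, but the commit itself is dated Sun, 12 Oct 2025; either the ChangeLog date should be 2025.10.12 or the intended release day should be used consistently in both places, since downstream packagers key on that line.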
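Review bot: in the Changes.rst `@@ -87,6 +87,8 @@` hunk the added line calls the driver `win-dco`, while the commit message and the ChangeLog entry `dco-win: support for epoch data channel` call it `dco-win`; pick one name. It would also help to say what a client does when the installed driver is older than 2.8.0 (fall back to the pre-epoch packet format, or fail the connection), because that is the first question an administrator rolling the driver out will ask.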
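Review bot: in the `@@ -133,6 +135,8 @@` hunk the NOTE says PUSH_UPDATE client support is disabled when DCO is active, but not how the client treats a PUSH_UPDATE it receives anyway (ignored with a log line, or treated as a protocol error); the ChangeLog entry `PUSH_UPDATE: disabling PUSH_UPDATE server and client if DCO is enabled` does not say either, so one sentence here naming the logged message would save support questions.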
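Review bot: in the `@@ -140,6 +144,8 @@` hunk the server NOTE repeats the client wording without saying what the management commands (`push-update-broad` and its per-client counterpart) return when DCO is active, i.e. an ERROR reply or a SUCCESS with the update silently dropped; that belongs here and in doc/management-notes.txt, which the paragraph points to. Since `PUSH_UPDATE server: check IV_PROTO before sending the message to the client` is also in this release, a sentence that the server now only sends the message to clients whose IV_PROTO announced support would complete the picture.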
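Review bot: in the `@@ -153,6 +159,17 @@` hunk the recursive-routing paragraph has a grammar slip, `... if destination IP, protocol and port matches with those needed ...` should read `... match those needed ...`. More useful would be stating the direction of the check explicitly: it inspects packets read from the tun/tap interface before they are encapsulated and drops only those whose destination address, transport protocol and port are the VPN server's, so other services on the server host now go into the tunnel; as written, `packets-in-tunnel` can be read as packets arriving from the tunnel.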
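Review bot: in the `@@ -278,6 +295,13 @@` hunk the two new items use single backticks (`max-routes-per-client 0`, `1`, `ifconfig`, `ifconfig-ipv6`), which reStructuredText renders as interpreted text rather than an inline literal; the rest of Changes.rst uses double backticks (``--data-ciphers``, ``--route-table``), so these should too. The `max-routes-per-client 0` change also turns a configuration that loaded under beta2 into a startup error, and it is missing from the beta2 -> beta3 summary in the commit message; add it there, or name the ChangeLog entry it came from, so administrators upgrading can find it.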