2 Copyright (C) 2002-2012 OpenVPN Technologies, Inc. <sales@openvpn.net>
4 2013.01.07 -- Version 2.3.0
6 Fix parameter type for IP_TOS setsockopt on non-Linux systems.
7 Fix client crash on double PUSH_REPLY.
9 2012.12.17 -- Version 2.3_rc2
11 Fix --show-pkcs11-ids (Bug #239)
14 Error message if max-routes used incorrectly
15 Properly require --key even if defined(MANAGMENT_EXTERNAL_KEY)
16 Remove dnsflags_to_socktype, it is not used anywhere
17 Fix the proto is used inconsistently warning
20 Fix double-free issue in pf_destroy_context()
21 The get_default_gateway() function uses warn() instead of msg()
22 Avoid recursion in virtual_output_callback_func()
25 Implement --mssfix handling for IPv6 packets.
26 Fix option inconsistency warnings about "proto" and "tun-ipv6"
29 doc/management-notes.txt: fix typo
30 Fix typo in ./configure message
32 2012.10.31 -- Version 2.3_rc1
34 Fixed a bug where PolarSSL gave an error when using an inline file tag.
37 Document man agent-external-key
38 Options parsing demands unnecessary configuration if PKCS11 is used
41 Make git ignore some more files
42 Remove the support for using system() when executing external programs or scripts
45 Fix display of plugin hook types
46 Support UTF-8 --client-config-dir
49 Fix v3 plugins to support returning values back to OpenVPN.
51 2012.09.12 -- Version 2.3_beta1
53 Fixes error: --key fails with EXTERNAL_PRIVATE_KEY: No such file or directory if --management-external-key is used
54 Merge almost identical create_socket_tcp and create_socket_tcp6
55 Document the inlining of files in openvpn and document key-direction
56 Merge getaddr_multi and getaddr6 into one function
57 Document --management-client and --management-signal a bit better
58 Document that keep alive will double the second value in server mode and give a short explanation why the value is chosen.
59 Add checks for external-key-managements
62 Fix reconnect issues when --push and UDP is used on the server
65 Reduce --version string detail about IPv6 to just "[IPv6]".
66 Put actual OpenVPN command line on top of corresponding log file.
67 Keep pre-existing tun/tap devices around on *BSD
68 make "ipv6 ifconfig" on linux compatible with busybox ifconfig
71 fix regression with --http-proxy[-*] options
72 add x_msg_va() log function
73 add API for plug-ins to write to openvpn log
74 remove stale _openssl_get_subject() prototype
75 remove unused flag SSLF_NO_NAME_REMAPPING
76 Add --compat-names option
78 2012.07.20 -- Version 2.3_alpha3
80 Fix compiling with --disable-management
83 Repair "tap server" mode brokenness caused by <stdbool.h> fallout
86 make non-blocking connect work on Windows
87 don't treat socket related errors special anymore
88 remove unused show_connection_list debug function
89 add option --management-query-proxy
91 2012.06.29 -- Version 2.3_alpha2
93 Fixed off-by-one in serial length calculation
94 Migrated x509_get_subject to use of the garbage collector
95 Migrated x509_get_serial to use the garbage collector
96 Migrated x509_get_sha1_hash to use the garbage collector
97 Ensure sys/un.h autoconf detection includes sys/socket.h
98 Added support for new PolarSSL 1.1 RNG
99 Added a configuration option to enable prediction resistance in the PolarSSL random number generator.
100 Use POLARSSL_CFLAGS instead of POLARSSL_CRYPTO_CFLAGS in configure.ac
101 Removed support for PolarSSL < 1.1
102 Updated README.polarssl with build system changes.
103 Removed stray "Fox-IT hardening" string.
106 build: version should not contain '-'
107 package: rpm: strip should be handled by package management
108 cleanup: options.c: remove redundant include
109 cleanup: remove C++ warnings
110 cleanup: win32.c: wrong printf format
111 cleanup: remove redundant ';'
112 cleanup: crypto_openssl.c: remove support for pre-openssl-0.9.6
113 cleanup: tun.c: fix incorrect option in message (ip-win32)
114 cleanup: memcmp.c: remove unused source
115 fixup: init.c: add missing conditional for ENABLE_CLIENT_CR
116 build: correct place to alter WINVER is at build system
118 build: handle printf style format in mingw
119 build: rename plugin directory to plugins
120 build: plugins: properly use CC, CFLAGS and LDFLAGS
121 build: we need the sample.ovpn in future
125 cleanup: rename tap-windows function from win32 to win
126 build: remove windows specific build system
127 build: split acinclude.m4 into m4/*
128 build: m4/ax_varargs.m4: cleanup
129 build: m4/ax_emptyarray.m4: cleanup
130 build: m4/ax_socklen_t.m4: cleanup
131 build: autotools: first pass of trivial autotools changes
132 build: autoconf: remove OPENVPN_ADD_LIBS useless macro
133 build: remove awk and non-standard autoconf output processing
134 build: standard directory layout
135 build: add libtool + windows resources for executables
136 build: autoconf: commands as environment
138 build: properly detect and use socket libs
139 build: autoconf: minor cleanups
140 build: proper selinux detection and usage
141 build: distribute pkg.m4
142 build: proper pkcs11-helper detection and usage
143 build: properly process lzo-stub
144 build: proper lzo detection and usage
145 build: proper crypto detection and usage
146 build: autoconf: update defaults for options
147 build: win-msvc: msbuild format
148 build: move out config.h include from syshead
149 build: split out compat
150 build: move gettimeofday() emulation to compat
151 build: move daemon() emulation into compat
152 build: move inet_ntop(), inet_pton() emulation into compat
153 cleanup: move console related function into its own module
154 build: move wrappers into platform module
155 build: windows: install version.sh to allow installer read version
156 build: distribute samples in windows
157 build: use tap-windows.h as external dependency
158 build: ax_varargs.m4: fixups
159 build: autoconf: misc sockets fixups
160 build: enable lzo by default
161 build: windows: set vendor to openvpn project + cleanups
162 build: assume dlfcn is available on all supported platforms
163 build: openbsd: detect netinet/ip.h correctly
164 build: tap: search for tap header
165 build: msvc: upgrade to Visual Studio 2010 + fixups
166 Enable pedantic in windows compilation
167 cleanup: flags should not be bool
168 cleanup: avoid using ~0 - generic
169 cleanup: avoid using ~0 - ipv6
170 cleanup: avoid using ~0 - netmask
171 cleanup: avoid using ~0 - windows
173 build: fix some statement left from conversion
174 build: properly detect netinet/ip.h structs
175 build: properly detect TUNSETPERSIST
176 cleanup: plugin: support C++ plugin
177 cleanup: remove C++ comments
178 cleanup: add .gitattributes to control eol style explicitly
179 crash: packet_id_debug_print: sl may be null
180 build: use stdbool.h if available
181 build: fix typo in --enable-save-password
182 build: windows: convert resources to UTF-8
183 build: check minimum polarssl version
184 cleanup: update .gitignore
185 cleanup: spec: make space/tab consistent
186 build: spec: we support openssl >= 0.9.7
187 build: insall README* document using build system
188 build: detect sys/wait.h required for *bsd
189 build: add git revision to --version output if build from git repository
190 build: cleanup: yet another forgotten brackets
191 build: update INSTALL to recent changes
192 build: support platforms that does not need explicit tun headers
193 build: do not support <polarssl-1.1.0
194 build: add --with-special-build to provide special build string
195 cleanup: pkcs11.c: resolve wanings
196 build: integrate plugins build into core build
197 build: plugins: set defaults based on platform
198 cleanup: windows: convert argv (UCS-2 to UTF-8) at earliest
199 build: msvc: chdir with change drive to script location
202 Add the query to the error message.
203 Explain that route-nopull also causes the client to ignore dhcp options.
204 Add the name of the context where option is not allowed to the error message.
205 Only use tmpdir if tmp_dir is really used.
206 Completely remove ancient IANA port warning.
207 Remove ENABLE_INLINE_FILES conditionals
208 Remove ENABLE_CONNECTIONS ifdefs
210 David Sommerseth (5):
211 Clean-up: Presume that Linux is always IPv6 capable at build time
212 Simplify check_cmd_access() function
213 Change version to indicate the master branch is not a version
214 Some filesystems don't like ':', which is a path 'make dist' would use
215 Remove two unused functions
217 Frank de Brabander (1):
218 Fix reported compile issues on OSX 10.6.8
221 repair t_client.sh test after build system revolution
222 t_client.sh iproute2 script fixes
223 t_client.sh - fix for iproute2, print summary line
224 Implement search for "first free" tun/tap device on Solaris
225 cleanup and redefine metric handling for IPv6 routes
226 remove "*option" element in "struct route_ipv6"
227 Remove warning about explicit support for IPv6 support not provided MacOS X
228 Add missing pieces to IPv6 route gateway handling.
229 Update TODO.IPv6 list
230 Remove #include "config.h" from ssl_polarssl.h
233 remove wrapper code for Windows CryptoAPI function
234 fix warnings in event.c when building for win32-64
235 remove the --auto-proxy option from openvpn
238 Remove calls to OpenSSL when building with --disable-ssl
240 Jonathan K. Bullard (2):
241 Fix file access checks on commands
242 Clarified the docs and help screen about what a 'cmd' is
244 Samuli Seppänen (1):
245 Added notes about upgrading from 2.3-alpha1 and earlier to INSTALL-win32.txt
247 2012.02.21 -- Version 2.3-alpha1
248 Adriaan de Jong (127):
249 Added Doxygen doxyfile
250 Changed configure to accept --with-ssl-type=openssl
251 Refactored to rand_bytes for OpenSSL-independency
252 Refactored OpenSSL-specific constants
253 Refactored maximum cipher and hmac length constants
254 Refactored show_available_* functions
255 Refactored SSL_clear_error()
256 Refactored crypto initialisation functions
257 Refactored DES key manipulation functions
258 Refactored NTLM DES key generation
259 Refactored message digest type functions
260 Refactored message digest functions
261 Refactored HMAC functions
262 Refactored cipher key types
263 Refactored cipher functions
265 Refactored: Moved crypto.h inline functions to end of file
266 Removed stale OpenSSL defines from crypto.h
267 Added a check for Openssl or PolarSSL defines
268 Refactored: Added stubs for new files
269 Refactored SSL initialisation functions
270 Refactored TLS_PRF to new hmac and md primitives
271 Refactored tls_show_available_ciphers
272 Refactored get_highest_preference_tls_cipher
273 Refactored root SSL context initialisation
274 Refactored new external key code
275 Refactored DH paramater loading
276 Refactored root TLS option settings
277 Refactored PKCS#12 key loading
278 Refactored PKCS#11 loading
279 Refactored windows cert loading
280 Refactored load certificate functions
281 Refactored private key loading code
282 Refactored external key loading from management
283 Refactored CA and extra certs code
284 Refactored cipher restriction code
285 Refactored tls_options, key_state, and key_source data structures
286 Refactored initalisation of key_states
287 Refactored key_state free code
288 Refactored print_details
289 Refactored key_state read code (including bio_read())
290 Refactored key_state write functions
291 Refactored: Moved BIO debug functions to OpenSSL backend
292 Refactored: removed ks and ks_lame macro for clarity
293 Refactored: moved write_empty_string function back
294 Refactored Doxygen for tls_multi functions
295 Migrated data structures needed by verification functions to ssl_common.h
296 Refactored client_config_dir_exclusive function
297 Refactored certificate hash lock checks
298 Refactored common name locking functions
299 Refactored username and password authentication code
300 Add some extra comments
301 Refactored: split verify_callback into two parts
302 Added function to extract and verify the subject from a certificate
303 Added function to verify and extract the username
304 Refactored: removed global x509_username_field
305 Refactored: separated environment setup during verification
306 Refactored: Netscape certificate type verification
307 Refactored key usage verification code
308 Refactored EKU verification
309 Refactored tls-remote checking
310 Refactored tls-verify-plugin code
311 Refactored tls-verify script code
312 Refactored CRL checks
313 Minor cleanup in verify_cert:
314 Refactored: Moved verify_cert to ssl_verify
316 Refactored: made M_SSL dependent on USE_OPENSSL
317 Refactored: renamed X509 functions from verify_*
318 Separated OpenSSL-specific parts of the PKCS#11 driver
319 Modified base64 code in preparation for PolarSSL merge
320 Final cleanup before PolarSSL addition:
321 Refactored X509 track feature to be contained within the openssl backend
322 Added PolarSSL support:
323 Fixed a missing include in ssl_backend.h
324 Fixed a bug in the hash generation in ssl_verify_openssl.c
325 Added SHA_DIGEST_SIZE definition
326 Changed PolarSSL crypto backend to support v0.99-pre5
327 Updated ssl_polarssl.c to work with 0.99-pre5
328 Fixed a compilation warning for size_t key sizes
329 Added a warning that the PolarSSL library does not support pkcs12 files.
330 Added warning that --capath is not available with PolarSSL
331 Disable CryptoAPI when not using OpenSSL, and document that fact.
332 Removed support for management external keys in PolarSSL
333 Removed stray X509_free from ssl.c
334 Refactored (and disabled for PolarSSL) support for writing external cert files in scripts
335 Added an extra define to allow building without PKCS#11
336 Added SSL library to title string
337 Disabled X.509 track and username selection for PolarSSL
338 Hardening: periodically reset the PRNG's nonce value
339 Fixes for the plugin system:
340 Further improvements to plugin support:
341 Fixed an unintentional change in the options calculated key size.
342 Moved print messages back to generic crypto.c from cipher backends
343 Moved HMAC prints back to main crypto module
344 Added back checks for ks->authenticated in verify_user_pass
345 Moved gc_new and gc_free to begin end of function
346 Fixed a bug in the return value of ssl_verify when pre_verify failed
347 Unified verification function return values:
348 Removed a stray Fox-IT tag
349 Fixed a typo: print the subject instead of the serial for verification errors
350 Made SSL_CIPHER const in print_details, to fix warning
351 Moved to PolarSSL 1.0.0:
352 Added missing #ifdef to allow --disable-managent to work again
353 Fixed disabling crypto and SSL
354 Got rid of a few magic numbers in ntlm.c
355 Removed obsolete des_cblock and des_keyschedule
356 Further removal of des_old.h based calls
357 Fixed missing comma in plugin.h
358 Moved prng_uninit out of crypto_uninit_lib
359 Moved CryptoAPI header include to the ssl_openssl.c
360 Reordered functions to ensure warning-free Windows build
361 Added options to switch between OpenSSL and PolarSSL and PKCS11...
362 Moved from strsep to strtok, for Windows compatibility
363 Minor cleanup to enable warning-free Windows build:
364 Fixed a typo when initialising cryptoapi certs
365 Minor code cleanup: cleaned up error handling in verify_cert.
366 Moved out of memory prototype to error.h, as the definition is in error.c
367 Removed support for calling gc_malloc with a NULL gc_arena struct
369 (The follwing patches from Adriaan was mistakenly merged with
370 the wrong commit author in the git tree)
371 Doxygen: Added data channel crypto docs
372 Added control channel crypto docs
373 Added compression docs
374 Added reliability layer documentation
375 Added memory management documentation
376 Added data channel fragmentation docs
377 Added main/control docs
378 Moved doxygen-specific files to a separate directory
381 autoconf fixes for building on OSX
383 David Sommerseth (50):
384 Provide 'dev_type' environment variable to plug-ins and script hooks
385 Define the new openvpn_plugin_{open,func}_v3() API
386 Implement the core v3 plug-in function calls.
387 Extend the v3 plug-in API to send over X509 certificates
388 Added a simple plug-in demonstrating the v3 plug-in API.
389 Separate the general plug-in version constant and v3 plug-in structs version
390 Use a version-less version identifier on the master branch
391 Fix the --client-cert-not-required feature
392 Change the default --tmp-dir path to a more suitable path
393 Improve the mysprintf() issue in openvpnserv.c
394 Add a simple comment regarding openvpn_snprintf() is duplicated
395 Merge branch 'feat_ipv6_transport'
396 Merge branch 'feat_ipv6_payload'
397 Merge branch 'svn-branch-2.1' into merge
398 Solved hidden merge conflicts between master and svn-branch-2.1
399 Fix const declarations in plug-in v3 structs
400 Merge remote-tracking branch 'cron2/feat_ipv6_payload_2.3'
401 Don't define ENABLE_PUSH_PEER_INFO if SSL is not available
402 Fix compiling issues with pkcs11 when --disable-management is configured
403 Remove support for Linux 2.2 configuration fallback
404 Revert "Add new openssl.cnf to easy-rsa/Windows"
405 Merge remote branch SVN 2.1 into the git tree
406 Merge branch 'svn-merger'
407 Fix Microsoft Visual Studio incompatibility in plugin.c
408 Fixed compile issues on FreeBSD and Solaris
409 Fix PolarSSL and --pkcs12 option issues
410 Fix FreeBSD/OpenBSD/NetBSD compiler warnings in get_default_gateway()
411 Make '--win-sys env' default
412 Do some file/directory tests before really starting openvpn
413 Fix bug after removing Linux 2.2 support
414 Don't look for 'stdin' file when using --auth-user-pass
415 Fix compiling with --disable-crypto and/or --disable-ssl
416 Fix a couple of issues in openvpn_execve()
417 Move away from openvpn_basename() over to platform provided basename()
418 Enable access() when building in Visual Studio
419 New Windows build fixes
420 Fix compilation errors on Linux platforms without SO_MARK
421 autotools ./configure don't like compat.h
422 Fix pool logging when IPv6 is not enabled
423 Don't check for file presence on inline files
424 Add --route-pre-down/OPENVPN_PLUGIN_ROUTE_PREDOWN script/plug-in hook
425 Enhance the error handling in _openssl_get_subject()
426 Fix assert() situations where gc_malloc() is called without a gc_arena object
427 Fix compile issues when plug-ins are disabled.
428 Remove --show-gateway if debug info is not enabled (--disable-debug)
429 Fix compile issues with status.c
430 Connection entry {tun,link}_mtu_defined not set correctly
431 Makefile.am referenced a now non-existing config-win32.h
432 Makefile.am was missing ssl_common.h
433 Revamp check_file_access() checks in stdin scenarios
436 New feauture: Add --stale-routes-check
438 Frank de Brabander (1):
439 Fixed wrong return type of cipher_kt_mode
442 Add support to forward console query to systemd
445 Add more detailed explanation regarding the function of "--rdns-internal"
446 Enable IPv6 Payload in OpenVPN p2mp tun server mode. 20100104-1 release.
447 remove NOTES file from commit - private scribbling
448 NetBSD fixes - on 4.0 and up, use multi-af mode.
449 new feature: "ifconfig-ipv6-push" (from ccd/ config)
450 add some TODOs to TODO.IPv6
451 undo accidential duplication of existing "--iroute" line in the help text
452 basic documentation of IPv6 related options and their syntax
453 Enable IPv6 Payload in OpenVPN p2mp tun server mode.
454 remove NOTES file from commit - private scribbling
455 env_block(): if PATH is not set, add standard PATH setting to env
456 add IPv6 route add / route delete code for windows (using "netsh")
457 - Win32 IPv6 ifconfig support, using "netsh" calls
458 drop "book ipv6" from open_tun() and tuncfg() prototypes
459 document recent changes and open TODOs, adapt --version info, tag release
460 Win32: set next-hop for IPv6 routes according to TUN/TAP mode
461 when deleting a route on win32, also add gateway address
462 WIN32: if IPv6 requested in TUN mode, check if TUN/TAP driver < 9.7
463 revert unconditionally-enabling of setenv_es() logging
464 implement IPv6 ifconfig + route setup/deletion on OpenBSD
465 full "VPN client connect" test framework for OpenVPN t_client.rc-sample
466 renamed t_client.sh to t_client.sh.in
467 2.2-beta3 has a signed TAP driver with the IPv6 code - test for 9.8
468 correct URL for "more information about IPv6 patch is *here*"
469 bugfix for linux/iproute2: IPv6 ifconfig code block was not called for "dev tun"+"topology subnet"
470 bump IPv6 version number (openvpn --version) to 20100922-1
471 Implement "ipv6 ifconfig" for TAP interfaces on Solaris interfaces
472 rebased to 2.2RC2 (beta 2.2 branch)
473 Windows IPv6 cleanup - properly remove IPv6 routes and interface config
474 For all accesses to "struct route_list * rl", check first that rl is non-NULL
475 Replace 32-bit-based add_in6_addr() implementation by an 8-bit based one
476 Platform cleanup for NetBSD
477 Move block for "stale-routes-check" config inside #ifdef P2MP_SERVER block
478 add missing break between "case IPv4" and "case IPv6"
479 bump tap driver version from 9.8 to 9.9
480 log error message and exit for "win32, tun mode, tap driver version 9.8"
481 work around inet_ntop/inet_pton problems for MSVC builds on WinXP
482 Fix build-up of duplicate IPv6 routes on reconnect.
483 Fix list-overrun checks in copy_route_[ipv6_]option_list()
484 add "print test titles" and "use sudo" functionality to t_client.rc
485 Platform cleanup for FreeBSD
486 Implement IPv6 interface config with non-/64 prefix lengths.
487 Fix RUN_SUDO functionality for t_client.sh
488 Document IPv6-related environment variables.
489 Platform cleanup for OpenBSD
492 Avoid re-defining uint32_t when using mingw compiler
494 Gustavo Zacarias (1):
495 Fix compile issues when using --enable-small and --disable-ssl/--disable-crypto
498 add .gitignore to official repository
499 remove function is_proto_tcp()
500 remove legacy code to query IE proxy information
501 lowercase include header name in syshead.h
502 define IN6_ARE_ADDR_EQUAL macro for WIN32
503 add --mark option to set SO_MARK sockopt
504 Windows UTF-8 input/output
505 UTF-8 X.509 distinguished names
506 set Windows environment variables as UCS-2
507 handle Windows unicode paths
508 replace check for TARGET_WIN32 with WIN32
509 do not use mode_t on Windows
510 use the underscore version of stat on Windows
511 make MSVC link against shell32 as well
512 move variable declaration to top of function
513 define access mode flag X_OK as 0 on Windows
516 The code blocks enabled by ENABLE_CLIENT_CR depends on management
519 Added "management-external-key" option.
520 Minor addition of logging info before and after execution of Windows net commands.
522 Added --x509-track option.
523 * added --management-up-down option to allow management interface to be notified of tunnel up/down events.
524 Fixed minor compile issue triggered on builds where MANAGEMENT_DEF_AUTH is not enabled.
525 Implemented get_default_gateway_mac_addr for Mac OS X
527 Properly handle certificate serial numbers > 32 bits.
528 Added "client-nat" option for stateless, one-to-one NAT on the client side.
529 Renamed branch to reflect that it is no longer beta.
530 env_filter_match now includes the serial number of all certs
531 Fixed issue where a client might receive multiple push replies from a server
532 Fixed bug introduced in r7031 that might cause this error message:
533 Extended "client-kill" management interface command (server-side)
534 Client will now try to reconnect if no push reply received within handshake-window seconds.
536 Fixed compiling issues when using --disable-crypto
537 Added "management-external-key" option.
539 win/sign.py now accepts an optional tap-dir argument.
540 Added "auth-token" client directive
541 Added ./configure --enable-osxipconfig option for Mac OS X
542 Added more packet ID debug info at debug level 3 for debugging false positive packet replays.
543 Fixed bug that incorrectly placed stricter TCP packet replay rules on UDP sessions
544 Fixed bug in port-share that could cause port share process to crash
545 For Mac OSX, when DARWIN_USE_IPCONFIG is defined, retry ipconfig command on failure
547 Revert r7092 and r7151, i.e. remove --enable-osxipconfig configure option.
548 Added 'dir' flag to "crl-verify" (see man page for info).
549 Added new "extra-certs" and "verify-hash" options
550 Fixed compile issues on Windows.
551 Added --enable-lzo-stub configure option to build an OpenVPN client without LZO
552 Added optional journal directory argument to "port-share" directive
553 Reduce log verbosity at level 3, with a focus on removing excessive log verbosity generated by port-share activity.
554 env_filter_match now includes the serial number of all certs in chain
555 Added support for static challenge/response protocol.
557 Added redirect-gateway block-local flag, with support for Linux, Mac OS X
558 Extended x509-track to allow SHA1 certificate hash to be extracted
559 Added "management-query-remote" directive (client) to allow the management interface to override the "remote" directive.
561 Fixed MSVC compile error related to r7408.
562 Redact "echo" directive strings from log, since these strings (going forward) could conceivably contain security-sensitive data.
563 Modified sanitize_control_message to remove redacted data from control string rather than blotting it out with "_" chars.
564 Changed CC_PRINT character class to allow UTF-8 chars.
565 Increased the --verb threshold for "PID_ERR replay" messages to 4 from 3.
566 Fixed issue where redirect-gateway block-local code was not correctly calculating...
567 CC_PRINT character class now allows any 8-bit character value >= 32.
568 "status" management interface command (version >= 2) will now include the username for each connected user.
569 Minor fix to CC_PRINT char class
570 Fixed management interface bug where >FATAL notifications were not being output properly
571 Raised D_PID_DEBUG_LOW from level 3 to 4 to reduce replay error verbosity at level 3.
572 Added "memstats" option to maintain real-time operating stats in a memory-mapped file.
573 Fixed client issues with DHCP Router option extraction/deletion when using layer 2 with DHCP proxy:
574 Allow "tap-win32 dynamic <offset>" to be used in topology subnet mode.
575 Added support for "on-link" routes on Linux client
577 Jan Just Keijser (1):
578 Made some options connection-entry specific
581 common_name passing in auth_pam plugin
583 JuanJo Ciarlante (40):
584 * rebased openvpn-2.1_rc1b.jjo.20061206.d.patch
585 * created getaddr6(), use it from resolve_remote()
586 * migrated all getaddrinfo() to getaddr6
587 * socket.c: use USE_PF_INET6 in switch constructs to actually toss them out,
588 * support --disable-ipv6 build properly:
589 * important fix for tcp6 reconnection was incorrectly creating a PF_INET socket
590 * added README.ipv6.txt
591 * fixed win32 non-ipv6 build
592 * ipv6 on win32 "milestone": 1st snapshot that passes all unittests
593 * document ipv6 milestone status
594 * doc update w/unittests results
595 * make possible to x-compile openvpn/win32 in Linux
596 * correctly setup hints.ai_socktype for getaddrinfo(), althought sorta hacky, see TODO.ipv6.
597 * renamed README.ipv6{.txt,}
598 * updated {README,TODO}.ipv6 from feedback at openvpn-devel mlist
599 * init.c: document the ENABLE_MANAGEMENT place to work on
600 * init.c: small in-doc tweaks
601 * fix multi-tcp crash (corrected assertion)
603 * socket.c: better buf logic in print_sockaddr_ex
604 * fixed segfault for undef address family in print_sockaddr_ex (thanks Marcel!)
606 * openbsd: no IFF_MULTICAST, #ifdef around it
607 * no new funcionality, just small cleanups
608 * (prototype) fix for supporting "redirect-gateway" for tunneled ipv4 over ipv6 endpoints
609 * polished redirect-gateway (ipv4 on ipv6 endpoints) support
611 * fix --disable-ipv6 build
613 * rebased to v2.1.1 release
614 * undo mroute.c changes related to ipv6 payload
615 * fix --multihome for ipv4
616 * fix --multihome for ipv6
617 * ipv6-0.4.14: fix xinetd usage
618 * ipv6-0.4.15: add --multihome support to xBSD
619 * ipv6-0.4.15b: rebase over openvpn-testing-master
620 * ipv6-0.4.16: fix mingw32 build
621 * make ipv6_payload compile under windowze
622 USE_PF_INET6 by default for v2.3
623 fix ipv6 compilation under macosx >= 1070 - v3
626 Add extv3 X509 field support to --x509-username-field
628 Matthew L. Creech (1):
629 Fix 2.2.0 build failure when management interface disabled
632 Skip rather than fail test in addressless FreeBSD jails.
635 Update man page with info about --capath
636 Update man page with info about --connect-timeout
637 Added info about --show-proxy-settings
638 Documented --x509-username-field option
639 Documented --errors-to-stderr option
640 Documented --push-peer-info option
641 Update man page with info about --remote-random-hostname
642 Added man page entry for --management-client
644 Samuli Seppänen (19):
645 Add man page entry for --redirect-private
646 Change all CRLF linefeeds to LF linefeeds
647 Fix a bug in devcon source code handling
648 Removed Win2k from supported platforms list in INSTALL and win/openvpn.nsi
649 Fixed copying of tapinstall.exe to dist/bin when using prebuilt TAP-drivers
650 Fixed a bug with GUI icon deletion on upgrade from 2.2-RC or earlier
651 Fix a build-ca issue on Windows
652 Add new openssl.cnf to easy-rsa/Windows
653 Updated "easy-rsa" for OpenSSL 1.0.0
654 Made domake-win builds to use easy-rsa/2.0/openssl-1.0.0.cnf
655 Fixes to easy-rsa/2.0
656 Merged TODO.IPv6 with TODO.ipv6 and README.IPv6 with README.ipv6
657 Fixed a number of fatal build errors on Visual Studio 2008
658 Fix a Visual Studio 2008 build issue in socket.c
659 Additional Visual Studio 2008 build fixes to tun.c
660 Fixed a typo in win32.h that prevented building with Visual Studio
661 Fixed a regression causing VS2008/Python build failure
662 Fix a Visual Studio 2008 build error in tun.c
663 Fix a Visual Studio 2008 build error in options.c
666 Fix issues with some older GCC compilers
668 Stefan Hellermann (2):
669 plugin.h: update prototype of plugin_call dummy in !ENABLE_PLUGIN case
670 Fixed typo in plugin.h
673 Clarify --tmp-dir option
676 Change the netsh.exe command from "add" to "set".
678 2011.12.25 -- Version 2.x-master
680 Added support for "on-link" routes on Linux client -- these are
681 routes where the gateway is specified as an interface rather than
682 an address. This allows redirect-gateway to work on Linux clients
683 whose connection to the internet is via a point-to-point link
686 Note that at the moment, this capability is incompatible with
687 the "redirect-gateway block-local" directive -- this is because
688 the block-local directive blocks all traffic from the local LAN
689 except for the local and gateway addresses. Since a PPP link
690 is essentially a subnet of two addresses, local and remote (i.e.
691 gateway), the set of addresses that would be blocked by block-local
692 is empty. Therefore, the "redirect-gateway block-local" directive
693 will be ignored on PPP links.
695 To view the OpenVPN client's current determination of the default
696 gateway, use this command:
698 ./openvpn --show-gateway
700 2011.03.24 -- Version 2.2-RC2
702 Windows cross-compile cleanup
704 David Sommerseth (2):
705 Open log files as text files on Windows
706 Clarify default value for the --inactive option.
709 Implement IPv6 in TUN mode for Windows TAP driver.
711 Samuli Seppänen (6):
712 Added support for prebuilt TAP-drivers. Automated embedding manifests.
713 Fixes to win/openvpn.nsi
714 Replaced config-win32.h with win/config.h.in
715 Updated INSTALL-win32.txt
717 Clarified --client-config-dir section on the man-page.
720 Fix line continuation in chkconfig init script description.
722 2011.02.28 -- Version 2.2-RC
723 David Sommerseth (3):
724 Make the --x509-username-field feature an opt-in feature
725 Fix compiler warning when compiling against OpenSSL 1.0.0
726 Fix packaging of config-win32.h and service-win32/msvc.mak
729 Minor addition of logging info before and after execution of Windows net commands.
732 Change variadic macros to C99 style.
734 Samuli Seppänen (15):
735 Added ENABLE_PASSWORD_SAVE to config-win32.h
736 Added a nmake makefile for openvpnserv.exe building
737 Moved TAP-driver version info to version.m4. Cleaned up win/settings.in.
738 Added helper functionality to win/wb.py
739 Added support for viewing config-win32.h paramters to win/show.py
740 Added comments and made small modifications to win/msvc.mak.in
741 Added command-line switch to win/build_all.py to skip TAP driver building
742 Added configure.h and version.m4 variable parsing to win/config.py
743 Added openvpnserv.exe building to win/build.py
744 Added comments to win/build_ddk.py
745 Several modifications to win/make_dist.py to allow building the NSI installer
746 Copied install-win32/setpath.nsi to win/setpath.nsi
747 Added first version of NSI installer script to win/openvpn.nsi
748 Changes to buildsystem patchset
749 Temporary snprintf-related fix to service-win32/openvpnserv.c
751 2010.11.25 -- Version 2.2-beta5
753 Samuli Seppänen (1):
754 Fixed an issue causing a build failure with MS Visual Studio 2008.
756 2010.11.18 -- Version 2.2-beta4
758 David Sommerseth (10):
759 Clarified --explicit-exit-notify man page entry
760 Clean-up: Remove pthread and mutex locking code
761 Clean-up: Remove more dead and inactive code paths
762 Clean-up: Removing useless code - hash related functions
763 Use stricter snprintf() formatting in socks_username_password_auth() (v3)
764 Fix compiler warnings about not used dummy() functions
765 Fixed potential misinterpretation of boolean logic
766 Only add some functions when really needed
767 Removed functions not being used anywhere
768 Merged add_bypass_address() and add_host_route_if_nonlocal()
771 Integrate support for TAP mode on Solaris, written by Kazuyoshi Aizawa <admin2@whiteboard.ne.jp>.
772 Make "topology subnet" work on Solaris
773 Improved man page entry for script_type
776 Fixed initialization bug in route_list_add_default_gateway (Gert Doering).
777 Implement challenge/response authentication support in client mode
778 Make base64.h have the same conditional compilation expression as base64.c.
779 Fixed compiling issues when using --disable-crypto
780 In verify_callback, the subject var should be freed by OPENSSL_free, not free
783 Remove hardcoded path to resolvconf
786 Add HTTP/1.1 Host header
789 Adding support for SOCKS plain text authentication
791 Samuli Seppänen (2):
792 Added check for variable CONFIGURE_DEFINES into options.c
793 Added command-line option parser and an unsigned build option to build_all.py
795 2010.08.21 -- Version 2.2-beta3
797 * Attempt to fix issue where domake-win build system was not properly
798 signing drivers and .exe files.
800 Added win/tap_span.py for building multiple versions of the TAP driver
801 and tapinstall binaries using different DDK versions to span from Win2K
805 David Sommerseth (2):
806 Test framework improvment - Do not FAIL if t_client.rc is missing
807 More t_client.sh updates - exit with SKIP when we want to skip
810 Fix compile problems on NetBSD and OpenBSD
811 Fix <net/if.h> compile time problems on OpenBSD for good
812 full "VPN client connect" test framework for OpenVPN
813 Build t_client.sh by configure at run-time.
816 Fixes openssl-1.0.0 compilation warning
818 2010.08.16 -- Version 2.2-beta2
820 * Windows security issue:
821 Fixed potential local privilege escalation vulnerability in
822 Windows service. The Windows service did not properly quote the
823 executable filename passed to CreateService. A local attacker
824 with write access to the root directory C:\ could create an
825 executable that would be run with the same privilege level as
826 the OpenVPN Windows service. However, since non-Administrative
827 users normally lack write permission on C:\, this vulnerability
828 is generally not exploitable except on older versions of Windows
829 (such as Win2K) where the default permissions on C:\ would allow
830 any user to create files there.
831 Credit: Scott Laurie, MWR InfoSecurity
833 * Added Python-based based alternative build system for Windows using
834 Visual Studio 2008 (in win directory).
836 * When aborting in a non-graceful way, try to execute do_close_tun in
837 init.c prior to daemon exit to ensure that the tun/tap interface is
838 closed and any added routes are deleted.
840 * Fixed an issue where AUTH_FAILED was not being properly delivered
841 to the client when a bad password is given for mid-session reauth,
842 causing the connection to fail without an error indication.
844 * Don't advance to the next connection profile on AUTH_FAILED errors.
846 * Fixed an issue in the Management Interface that could cause
847 a process hang with 100% CPU utilization in --management-client
848 mode if the management interface client disconnected at the
849 point where credentials are queried.
851 * Fixed an issue where if reneg-sec was set to 0 on the client,
852 so that the server-side value would take precedence,
853 the auth_deferred_expire_window function would incorrectly
854 return a window period of 0 seconds. In this case, the
855 correct window period should be the handshake window
858 * Modified ">PASSWORD:Verification Failed" management interface
859 notification to include a client reason string:
861 >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']
863 * Enable exponential backoff in reliability layer
866 * Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after
867 socket is created rather than waiting until after connect/listen.
869 * Management interface performance optimizations:
871 1. Added env-filter MI command to perform filtering on env vars
872 passed through as a part of --management-client-auth
874 2. man_write will now try to aggregate output into larger blocks
875 (up to 1024 bytes) for more efficient i/o
877 * Fixed minor issue in Windows TAP driver DEBUG builds
878 where non-null-terminated unicode strings were being
881 * Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support
882 was not being compiled in.
884 * Proxy improvements:
886 Improved the ability of http-auth "auto" flag to dynamically detect
887 the auth method required by the proxy.
889 Added http-auth "auto-nct" flag to reject weak proxy auth methods.
891 Added HTTP proxy digest authentication method.
893 Removed extraneous openvpn_sleep calls from proxy.c.
895 * Implemented http-proxy-override and http-proxy-fallback directives to make it
896 easier for OpenVPN client UIs to start a pre-existing client config file with
897 proxy options, or to adaptively fall back to a proxy connection if a direct
900 * Implemented a key/value auth channel from client to server.
902 * Fixed issue where bad creds provided by the management interface
903 for HTTP Proxy Basic Authentication would go into an infinite
904 retry-fail loop instead of requerying the management interface for
907 * Added support for MSVC debugging of openvpn.exe in settings.in:
909 # Build debugging version of openvpn.exe
910 !define PRODUCT_OPENVPN_DEBUG
912 * Implemented multi-address DNS expansion on the network field of route
915 When only a single IP address is desired from a multi-address DNS
916 expansion, use the first address rather than a random selection.
918 * Added --register-dns option for Windows.
920 Fixed some issues on Windows with --log, subprocess creation
921 for command execution, and stdout/stderr redirection.
923 * Fixed an issue where application payload transmissions on the
924 TLS control channel (such as AUTH_FAILED) that occur during
925 or immediately after a TLS renegotiation might be dropped.
927 * Added warning about tls-remote option in man page.
929 2009.12.11 -- Version 2.1.1
931 * Fixed some breakage in openvpn.spec (which is required to build an
932 RPM distribution) where it was referencing a non-existent
933 subdirectory in the tarball, causing it to fail (patch from
936 2009.12.11 -- Version 2.1.0
938 * Fixed a couple issues in sample plugins auth-pam.c and down-root.c.
939 (1) Fail gracefully rather than segfault if calloc returns NULL.
940 (2) The openvpn_plugin_abort_v1 function can potentially be called
941 with handle == NULL. Add code to detect this case, and if so, avoid
942 dereferencing pointers derived from handle (Thanks to David
943 Sommerseth for finding this bug).
945 * Documented "multihome" option in the man page.
947 2009.11.20 -- Version 2.1_rc22
949 * Fixed a client-side bug on Windows that occurred when the
950 "dhcp-pre-release" or "dhcp-renew" options were combined with
951 "route-gateway dhcp". The release/renew would not occur
952 because the Windows DHCP renew function is blocking and
953 therefore must be called from another process or thread
954 so as not to stall the tunnel.
956 * Added a hard failure when peer provides a certificate chain
957 with depth > 16. Previously, a warning was issued.
959 2009.11.12 -- Version 2.1_rc21
961 * Rebuilt OpenVPN Windows installer with OpenSSL 0.9.8l to address
962 CVE-2009-3555. Note that OpenVPN has never relied on the session
963 renegotiation capabilities that are built into the SSL/TLS protocol,
964 therefore the fix in OpenSSL 0.9.8l (disable SSL/TLS renegotiation
965 completely) will not adversely affect OpenVPN mid-session SSL/TLS
966 renegotation or any other OpenVPN capabilities.
968 * Added additional session renegotiation hardening. OpenVPN has always
969 required that mid-session renegotiations build up a new SSL/TLS
970 session from scratch. While the client certificate common name is
971 already locked against changes in mid-session TLS renegotiations, we
972 now extend this locking to the auth-user-pass username as well as all
973 certificate content in the full client certificate chain.
975 2009.10.01 -- Version 2.1_rc20
977 * Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the
978 redirect-gateway option by itself, without any extra parameters,
979 would cause the option to be ignored.
981 * Fixed build problem when ./configure --disable-server is used.
983 * Fixed ifconfig command for "topology subnet" on FreeBSD (Stefan Bethke).
985 * Added --remote-random-hostname option.
987 * Added "load-stats" management interface command to get global server
990 * Added new ./configure flags:
992 --disable-def-auth Disable deferred authentication
993 --disable-pf Disable internal packet filter
995 * Added "setcon" directive for interoperability with SELinux (Sebastien
998 * Optimized PUSH_REQUEST handshake sequence to shave several seconds
999 off of a typical client connection initiation.
1001 * The maximum number of "route" directives (specified in the config
1002 file or pulled from a server) can now be configured via the new
1003 "max-routes" directive.
1005 * Eliminated the limitation on the number of options that can be pushed
1006 to clients, including routes. Previously, all pushed options needed
1007 to fit within a 1024 byte options string.
1009 * Added --server-poll-timeout option : when polling possible remote
1010 servers to connect to in a round-robin fashion, spend no more than
1011 n seconds waiting for a response before trying the next server.
1013 * Added the ability for the server to provide a custom reason string
1014 when an AUTH_FAILED message is returned to the client. This
1015 string can be set by the server-side managment interface and read
1016 by the client-side management interface.
1018 * client-kill management interface command, when issued on server, will
1019 now send a RESTART message to client.
1020 This feature is intended to make UDP clients respond the same as TCP
1021 clients in the case where the server issues a RESTART message in
1022 order to force the client to reconnect and pull a new options/route
1025 2009.07.16 -- Version 2.1_rc19
1027 * In Windows TAP driver, refactor DHCP/ARP packet injection code to
1028 use a DPC (deferred procedure call) to defer packet injection until
1029 IRQL < DISPATCH_LEVEL, rather than calling NdisMEthIndicateReceive
1030 in the context of AdapterTransmit. This is an attempt to reduce kernel
1031 stack usage, and prevent EXCEPTION_DOUBLE_FAULT BSODs that have been
1032 observed on Vista. Updated TAP driver version number to 9.6.
1034 * In configure.ac, use datadir instead of datarootdir for compatibility
1035 with <autoconf-2.60.
1037 2009.06.07 -- Version 2.1_rc18
1039 * Fixed compile error on ./configure --enable-small
1041 * Fixed issue introduced in r4475 (2.1-rc17) where cryptoapi.c change
1042 does not build on Windows on non-MINGW32.
1044 2009.05.30 -- Version 2.1_rc17
1046 * Reduce the debug level (--verb) at which received management interface
1047 commands are echoed from 7 to 3. Passwords will be filtered.
1049 * Fixed race condition in management interface recv code on
1050 Windows, where sending a set of several commands to the
1051 management interface in quick succession might cause the
1052 latter commands in the set to be ignored.
1054 * Increased management interface input command buffer size
1055 from 256 to 1024 bytes.
1057 * Minor tweaks to Windows build system.
1059 * Added "redirect-private" option which allows private subnets
1060 to be pushed to the client in such a way that they don't accidently
1061 obscure critical local addresses such as the DHCP server address and
1062 DNS server addresses.
1064 * Added new 'autolocal' redirect-gateway flag. When enabled, the OpenVPN
1065 client will examine the routing table and determine whether (a) the
1066 OpenVPN server is reachable via a locally connected interface, or (b)
1067 traffic to the server must be forwarded through the default router.
1068 Only add a special bypass route for the OpenVPN server if (b) is true.
1069 If (a) is true, behave as if the 'local' flag is specified, and do not
1072 The new 'autolocal' flag depends on the non-portable test_local_addr()
1073 function in route.c, which is currently only implemented for Windows.
1074 The 'autolocal' flag will act as a no-op on platforms that have not
1075 yet defined a test_local_addr() function.
1077 * Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for
1078 more option content to be pushed from server to client).
1080 * Raised D_MULTI_DROPPED debug level to 4 from 3 to filter out (at debug
1081 levels <=3) a common and usually innocuous warning.
1083 * Fixed issue of symbol conflicts interfering with Windows CryptoAPI
1084 functionality (Alon Bar-Lev).
1086 * Fixed bug where the remote_X environmental variables were not being
1087 set correctly when the 'local' option is specifed.
1089 2009.05.17 -- Version 2.1_rc16
1091 * Windows installer changes:
1093 1. ifdefed out the check Windows version code which is causing
1094 problems on Windows 7
1096 2. don't define SF_SELECTED if it is already defined
1098 3. Use LZMA instead of BZIP2 compression for better compression
1100 4. Upgraded OpenSSL to 0.9.8k
1102 * Added the ability to read the configuration file
1103 from stdin, when "stdin" is given as the config
1106 * Allow "management-client" directive to be used
1107 with unix domain sockets.
1109 * Added errors-to-stderr option. When enabled, fatal errors
1110 that result in the termination of the daemon will be written
1113 * Added optional "nogw" (no gateway) flag to --server-bridge
1114 to inhibit the pushing of the route-gateway parameter to
1117 * Added new management interface command "pid" to show the
1118 process ID of the current OpenVPN process (Angelo Laub).
1120 * Fixed issue where SIGUSR1 restarts would fail if private
1121 key was specified as an inline file.
1123 * Added daemon_start_time and daemon_pid environmental variables.
1125 * In management interface, added new ">CLIENT:ESTABLISHED" notification.
1129 1. Fixed some issues with C++ style comments that leaked into the code.
1131 2. Updated configure.ac to work on MinGW64.
1133 3. Updated common.h types for _WIN64.
1135 4. Fixed issue involving an #ifdef in a macro reference that breaks early gcc
1138 5. In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to
1139 OpenVPNCryptAcquireCertificatePrivateKey to work around
1140 a symbol conflict in MinGW-5.1.4.
1142 2008.11.19 -- Version 2.1_rc15
1144 * Fixed issue introduced in 2.1_rc14 that may cause a
1145 segfault when a --plugin module is used.
1147 * Added server-side --opt-verify option: clients that connect
1148 with options that are incompatible with those of the server
1149 will be disconnected (without this option, incompatible
1150 clients would trigger a warning message in the server log
1151 but would not be disconnected).
1153 * Added --tcp-nodelay option: Macro that sets TCP_NODELAY socket
1154 flag on the server as well as pushes it to connecting clients.
1156 * Minor options check fix: --no-name-remapping is a
1157 server-only option and should therefore generate an
1158 error when used on the client.
1160 * Added --prng option to control PRNG (pseudo-random
1161 number generator) parameters. In previous OpenVPN
1162 versions, the PRNG was hardcoded to use the SHA1
1163 hash. Now any OpenSSL hash may be used. This is
1164 part of an effort to remove hardcoded references to
1165 a specific cipher or cryptographic hash algorithm.
1167 * Cleaned up man page synopsis.
1169 2008.11.16 -- Version 2.1_rc14
1171 * Added AC_GNU_SOURCE to configure.ac to enable struct ucred,
1172 with the goal of fixing a build issue on Fedora 9 that was
1173 introduced in 2.1_rc13.
1175 * Added additional method parameter to --script-security to preserve
1176 backward compatibility with system() call semantics used in OpenVPN
1177 2.1_rc8 and earlier. To preserve backward compatibility use:
1179 script-security 3 system
1181 * Added additional warning messages about --script-security 2
1182 or higher being required to execute user-defined scripts or
1185 * Windows build system changes:
1187 Modified Windows domake-win build system to write all openvpn.nsi
1188 input files to gen, so that gen can be disconnected from
1189 the rest of the source tree and makensis openvpn.nsi will
1190 still function correctly.
1192 Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in
1193 (commented out by default).
1195 Added optional files SAMPCONF_CONF2 (second sample configuration
1196 file) and SAMPCONF_DH (Diffie-Helman parameters) to Windows
1197 build system, and may be defined in settings.in.
1199 * Extended Management Interface "bytecount" command
1200 to work when OpenVPN is running as a server.
1201 Documented Management Interface "bytecount" command in
1202 management/management-notes.txt.
1204 * Fixed informational message in ssl.c to properly indicate
1205 deferred authentication.
1207 * Added server-side --auth-user-pass-optional directive, to allow
1208 connections by clients that do not specify a username/password, when a
1209 user-defined authentication script/module is in place (via
1210 --auth-user-pass-verify, --management-client-auth, or a plugin module).
1212 * Changes to easy-rsa/2.0/pkitool and related openssl.cnf:
1214 Calling scripts can set the KEY_NAME environmental variable to set
1215 the "name" X509 subject field in generated certificates.
1217 Modified pkitool to allow flexibility in separating the Common Name
1218 convention from the cert/key filename convention.
1222 KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james
1224 will create a client certificate/key pair of james.crt/james.key
1225 having a Common Name of "James's Laptop" and a Name of "james".
1227 * Added --no-name-remapping option to allow Common Name, X509 Subject,
1228 and username strings to include any printable character including
1229 space, but excluding control characters such as tab, newline, and
1230 carriage-return (this is important for compatibility with external
1231 authentication systems).
1233 As a related change, added --status-version 3 format (and "status 3"
1234 in the management interface) which uses the version 2 format except
1235 that tabs are used as delimiters instead of commas so that there
1236 is no ambiguity when parsing a Common Name that contains a comma.
1238 Also, save X509 Subject fields to environment, using the naming
1241 X509_{cert_depth}_{name}={value}
1243 This is to avoid ambiguities when parsing out the X509 subject string
1244 since "/" characters could potentially be used in the common name.
1246 * Fixed some ifconfig-pool issues that precluded it from being combined
1247 with --server directive.
1249 Now, for example, we can configure thusly:
1251 server 10.8.0.0 255.255.255.0 nopool
1252 ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0
1254 to have ifconfig-pool manage only a subset
1257 * Added config file option "setenv FORWARD_COMPATIBLE 1" to relax
1258 config file syntax checking to allow directives for future OpenVPN
1259 versions to be ignored.
1261 2008.10.07 -- Version 2.1_rc13
1263 * Bundled OpenSSL 0.9.8i with Windows installer.
1265 * Management interface can now listen on a unix
1266 domain socket, for example:
1268 management /tmp/openvpn unix
1270 Also added management-client-user and management-client-group
1271 directives to control which processes are allowed to connect
1274 * Copyright change to OpenVPN Technologies, Inc.
1276 2008.09.23 -- Version 2.1_rc12
1278 * Patched Makefile.am so that the new t_cltsrv-down.sh script becomes
1279 part of the tarball (Matthias Andree).
1281 * Fixed --lladdr bug introduced in 2.1-rc9 where input validation code
1282 was incorrectly expecting the lladdr parameter to be an IP address
1283 when it is actually a MAC address (HoverHell).
1285 2008.09.14 -- Version 2.1_rc11
1287 * Fixed a bug that can cause SSL/TLS negotiations in UDP mode
1288 to fail if UDP packets are dropped.
1290 2008.09.10 -- Version 2.1_rc10
1292 * Added "--server-bridge" (without parameters) to enable
1293 DHCP proxy mode: Configure server mode for ethernet
1294 bridging using a DHCP-proxy, where clients talk to the
1295 OpenVPN server-side DHCP server to receive their IP address
1296 allocation and DNS server addresses.
1298 * Added "--route-gateway dhcp", to enable the extraction
1299 of the gateway address from a DHCP negotiation with the
1300 OpenVPN server-side LAN.
1302 * Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dns
1303 on Windows. If the bypass IP address is 0.0.0.0 or 255.255.255.255,
1306 * Warn when ethernet bridging that the IP address of the bridge adapter
1307 is probably not the same address that the LAN adapter was set to
1310 * When running as a server, warn if the LAN network address is
1311 the all-popular 192.168.[0|1].x, since this condition commonly
1312 leads to subnet conflicts down the road.
1314 * Primarily on the client, check for subnet conflicts between
1315 the local LAN and the VPN subnet.
1317 * Added a 'netmask' parameter to get_default_gateway, to return
1318 the netmask of the adapter containing the default gateway.
1319 Only implemented on Windows so far. Other platforms will
1320 return 255.255.255.0. Currently the netmask information is
1321 only used to warn about subnet conflicts.
1323 * Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO
1324 and USE_SSL flags are enabled (Alon Bar-Lev).
1326 * Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new
1327 --script-security rules. Also adds retrying if the addresses are in
1328 use (Matthias Andree).
1330 * Fixed build issue with ./configure --disable-socks --disable-http.
1332 * Fixed separate compile errors in options.c and ntlm.c that occur
1333 on strict C compilers (such as old versions of gcc) that require
1334 that C variable declarations occur at the start of a {} block,
1337 * Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which
1338 the new implementation of extract_x509_field_ssl depends on.
1340 * LZO compression buffer overflow errors will now invalidate
1341 the packet rather than trigger a fatal assertion.
1343 * Fixed minor compile issue in ntlm.c (mid-block declaration).
1345 * Added --allow-pull-fqdn option which allows client to pull DNS names
1346 from server (rather than only IP address) for --ifconfig, --route, and
1347 --route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names
1348 for these options to be pulled and translated to IP addresses by default.
1349 Now --allow-pull-fqdn will be explicitly required on the client to enable
1350 DNS-name-to-IP-address translation of pulled options.
1352 * 2.1_rc8 and earlier did implicit shell expansion on script
1353 arguments since all scripts were called by system().
1354 The security hardening changes made to 2.1_rc9 no longer
1355 use system(), but rather use the safer execve or CreateProcess
1356 system calls. The security hardening also introduced a
1357 backward incompatibility with 2.1_rc8 and earlier in that
1358 script parameters were no longer shell-expanded, so
1361 client-connect "docc CLIENT-CONNECT"
1363 would fail to work because execve would try to execute
1364 a script called "docc CLIENT-CONNECT" instead of "docc"
1365 with "CLIENT-CONNECT" as the first argument.
1367 This patch fixes the issue, bringing the script argument
1368 semantics back to pre 2.1_rc9 behavior in order to preserve
1369 backward compatibility while still using execve or CreateProcess
1370 to execute the script/executable.
1372 * Modified ip_or_dns_addr_safe, which validates pulled DNS names,
1373 to more closely conform to RFC 3696:
1375 (1) DNS name length must not exceed 255 characters
1377 (2) DNS name characters must be limited to alphanumeric,
1378 dash ('-'), and dot ('.')
1380 * Fixed bug in intra-session TLS key rollover that was introduced with
1381 deferred authentication features in 2.1_rc8.
1383 2008.07.31 -- Version 2.1_rc9
1385 * Security Fix -- affects non-Windows OpenVPN clients running
1386 OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT
1387 vulnerable nor are any versions of the OpenVPN server vulnerable).
1388 An OpenVPN client connecting to a malicious or compromised
1389 server could potentially receive an "lladdr" or "iproute" configuration
1390 directive from the server which could cause arbitrary code execution on
1391 the client. A successful attack requires that (a) the client has agreed
1392 to allow the server to push configuration directives to it by including
1393 "pull" or the macro "client" in its configuration file, (b) the client
1394 successfully authenticates the server, (c) the server is malicious or has
1395 been compromised and is under the control of the attacker, and (d) the
1396 client is running a non-Windows OS. Credit: David Wagner.
1399 * Miscellaneous defensive programming changes to multiple
1400 areas of the code. In particular, use of the system() call
1401 for calling executables such as ifconfig, route, and
1402 user-defined scripts has been completely revamped in favor
1403 of execve() on unix and CreateProcess() on Windows.
1405 * In Windows build, package a statically linked openssl.exe to work around
1406 observed instabilities in the dynamic build since the migration to
1409 2008.06.11 -- Version 2.1_rc8
1411 * Added client authentication and packet filtering capability
1412 to management interface. In addition, allow OpenVPN plugins
1413 to take advantage of deferred authentication and packet
1414 filtering capability.
1416 * Added support for client-side connection profiles.
1418 * Fixed unbounded memory growth bug in environmental variable
1419 code that could have caused long-running OpenVPN sessions
1420 with many TLS renegotiations to incrementally
1421 increase memory usage over time.
1423 * Windows release now packages openssl-0.9.8h.
1425 * Build system changes -- allow building on Windows using
1426 autoconf/automake scripts (Alon Bar-Lev).
1428 * Changes to Windows build system to make it easier to do
1429 partial builds, with a reduced set of prerequisites,
1430 where only a subset of OpenVPN installer
1431 components are built. See ./domake-win comments.
1433 * Cleanup IP address for persistence interfaces for tap and also
1434 using ifconfig, gentoo#209055 (Alon Bar-Lev).
1436 * Fall back to old version of extract_x509_field for OpenSSL 0.9.6.
1438 * Clarified tcp-queue-limit man page entry (Matti Linnanvuori).
1440 * Added new OpenVPN icon and installer graphic.
1442 * Minor pkitool changes.
1444 * Added --pkcs11-id-management option, which will cause OpenVPN to
1445 query the management interface via the new NEED-STR asynchronous
1446 notification query to get additional PKCS#11 options (Alon Bar-Lev).
1448 * Added NEED-STR management interface asynchronous query and
1449 "needstr" management interface command to respond to the query
1452 * Added Dragonfly BSD support (Francis-Gudin).
1454 * Quote device names before passing to up/down script (Josh Cepek).
1456 * Bracketed struct openvpn_pktinfo with #pragma pack(1) to
1457 prevent structure padding from causing an incorrect length
1458 to be returned by sizeof (struct openvpn_pktinfo) on 64-bit
1461 * On systems that support res_init, always call it
1462 before calling gethostbyname to ensure that
1463 resolver configuration state is current.
1465 * Added NTLMv2 proxy support (Miroslav Zajic).
1467 * Fixed an issue in extract_x509_field_ssl where the extraction
1468 would fail on the first field of the subject name, such as
1469 the common name in: /CN=foo/emailAddress=foo@bar.com
1471 * Made "Linux ip addr del failed" error nonfatal.
1473 * Amplified --client-cert-not-required warning.
1475 * Added #pragma pack to proto.h.
1477 2008.01.29 -- Version 2.1_rc7
1479 * Added a few extra files that exist in the svn repo but were
1480 not being copied into the tarball by make dist.
1482 * Fixup null interface on close, don't use ip addr flush (Alon Bar-Lev).
1484 2008.01.24 -- Version 2.1_rc6
1486 * Fixed options checking bug introduced in rc5 where legitimate configuration
1487 files might elicit the error: "Options error: Parameter pkcs11_private_mode
1488 can only be specified in TLS-mode, i.e. where --tls-server or --tls-client
1491 2008.01.23 -- Version 2.1_rc5
1493 * Fixed Win2K TAP driver bug that was introduced by Vista fixes,
1494 incremented driver version to 9.4.
1496 * Windows build system changes:
1498 Incremented included OpenSSL version to openssl-0.9.7m.
1500 Updated openssl.patch for openssl-0.9.7m and added some
1501 brief usage comments to the head of the patch.
1503 Added build-pkcs11-helper.sh for building the pkcs11-helper
1506 Integrated inclusion of pkcs11-helper into Windows build
1509 Upgraded TAP build scripts to use WDK 6001.17121
1510 (Windows 2008 Server pre-RTM).
1512 * Windows installer changes:
1514 Clean up the start menu folder.
1516 Allow for a site-specific sample configuration file and keys
1517 to be included in a custom installer (see SAMPCONF macros
1520 New icon (temporary).
1522 * Added "forget-passwords" command to the management interface
1525 * Added --management-signal option to signal SIGUSR1 when the
1526 management interface disconnects (Alon Bar-Lev).
1528 * Modified command line and config file parser to allow
1529 quoted strings using single quotes ('') (Alon Bar-Lev).
1531 * Use pkcs11-helper as external library, can be downloaded from
1532 https://www.opensc-project.org/pkcs11-helper (Alon Bar-Lev).
1534 * Fixed interim memory growth issue in TCP connect loop where
1535 "TCP: connect to %s failed, will try again in %d seconds: %s"
1538 * Fixed bug in epoll driver in event.c, where the lack of a
1539 handler for EPOLLHUP could cause 99% CPU usage.
1541 * Defined ALLOW_NON_CBC_CIPHERS for people who don't
1542 want to use a CBC cipher for OpenVPN's data channel.
1544 * Added PLUGIN_LIBDIR preprocessor string to prepend a default
1545 plugin directory to the dlopen search list when the user
1546 specifies the basename of the plugin only (Marius Tomaschewski).
1548 * Rewrote extract_x509_field and modified COMMON_NAME_CHAR_CLASS
1549 to allow forward slash characters ("/") in the X509 common name
1552 * Allow OpenVPN to run completely unprivileged under Linux
1553 by allowing openvpn --mktun to be used with --user and --group
1554 to set the UID/GID of the tun device node. Also added --iproute
1555 option to allow an alternative command to be executed in place
1556 of the default iproute2 command (Alon Bar-Lev).
1558 * Fixed --disable-iproute2 in ./configure to actually disable
1559 iproute2 usage (Alon Bar-Lev).
1561 * Added --management-forget-disconnect option -- forget
1562 passwords when management session disconnects (Alon Bar-Lev).
1564 2007.04.25 -- Version 2.1_rc4
1566 * Worked out remaining issues with TAP driver signing
1567 on Vista x64. OpenVPN will now run on Vista x64
1568 with driver signing enforcement enabled.
1570 * Fixed 64-bit portability bug in time_string function
1573 2007.04.22 -- Version 2.1_rc3
1575 * Additional fixes to TAP driver for Windows x64. Driver
1576 now runs successfully on Vista x64 if driver signing
1577 enforcement is disabled.
1579 * The Windows Installer and TAP driver are now signed by
1580 OpenVPN Solutions LLC (in addition to the usual GnuPG
1583 * Added OpenVPN GUI (Mathias Sundman version) as install
1584 option in Windows installer.
1586 * Clean up configure on FreeBSD for recent autotool versions
1587 that require that all .h files have to be compiled.
1588 Also, FreeBSD install does not support GNU long options
1589 which the Makefile in easy-rsa/2.0 uses (not checked the
1590 others as we don't install those on Gentoo) (Roy Marples).
1592 * Added additional scripts to easy-rsa/Windows for working
1593 with password-protected keys; also add -extensions server
1594 option when generating server cert via
1595 build-key-server-pass.bat (Daniel Zauft).
1597 2007.02.27 -- Version 2.1_rc2
1599 * auth-pam change: link with -lpam rather
1600 than dlopen (Roy Marples).
1602 * Prevent SIGUSR1 or SIGHUP from causing program
1603 exit from initial management hold.
1605 * SO_REUSEADDR should not be set on Windows TCP sockets
1606 because it will cause bind to succeed on port conflicts.
1608 * Added time_ascii, time_duration, and time_unix
1609 environmental variables for plugins and callback
1612 * Fixed issue where OpenVPN does not apply the --txqueuelen option
1613 to persistent interfaces made with --mktun (Roy Marples).
1615 * Attempt at rational signal handling when in the
1616 management hold state. During management hold, ignore
1617 SIGUSR1/SIGHUP signals thrown with the "signal" command.
1618 Also, "signal" command will now apply remapping as
1619 specified with the --remap-usr1 option.
1620 When a signal entered using the "signal" command from a management
1621 hold is ignored, output: >HOLD:Waiting for hold release
1623 * Fixed issue where struct env_set methods that
1624 change the value of an existing name=value pair
1625 would delay the freeing of the memory held by
1626 the previous name=value pair until the underlying
1627 client instance object is closed.
1628 This could cause a server that handles long-term
1629 client connections, resulting in many periodic calls
1630 to verify_callback, to needlessly grow the env_set
1631 memory allocation until the underlying client instance
1634 * Renamed TAP-Win32 driver from tap0801.sys to tap0901.sys
1635 to reflect the fact that Vista has blacklisted the tap0801.sys
1636 file name due to previous compatibility issues which have now
1637 been resolved. TAP-Win32 major/minor version number is now 9/1.
1639 * Windows installer will delete a previously installed
1640 tap0801.sys TAP driver before installing tap0901.sys.
1642 * Added code to Windows installer to fail gracefully on 64 bit
1643 installs until 64-bit TAP driver issues can be resolved.
1645 * Added code to Windows installer to fail gracefully on
1646 versions of Windows which are not explicitly supported.
1648 * The Windows version will now use a default route-delay
1649 of 5 seconds to deal with an apparent routing table race
1652 * Worked around an incompatibility in the Windows Vista
1653 version of CreateIpForwardEntry as described in
1654 http://www.nynaeve.net/?p=59
1655 This issue would cause route additions using the
1656 IP Helper API to fail on Vista.
1658 * On Windows, revert to "ip-win32 dynamic" as the default.
1660 2006.10.31 -- Version 2.1_rc1
1662 * Support recovery (return to hold) from signal at
1663 management password prompt.
1665 * Added workaround for OpenSC PKCS#11 bug#108
1668 2006.10.01 -- Version 2.1-beta16
1670 * Windows installer updated with OpenSSL 0.9.7l DLLs to fix
1671 published vulnerabilities.
1673 * Fixed TAP-Win32 bug that caused BSOD on Windows Vista
1676 * Autodetect 32/64 bit Windows in installer and install
1677 appropriate TAP driver (Mathias Sundman, Hypherion).
1679 * Fixed bug in loopback self-test introduced
1680 in 2.1-beta15 where self test as invoked by
1681 "make check" would not properly exit after
1682 2 minutes (Paul Howarth).
1684 2006.09.12 -- Version 2.1-beta15
1686 * Windows installer updated with OpenSSL 0.9.7k DLLs to fix
1687 RSA Signature Forgery (CVE-2006-4339).
1689 * Fixed bug introduced with the --port-share directive
1690 (back in 2.1-beta9 which causes TLS soft resets
1691 (1 per hour by default) in TCP server mode to force
1692 a blockage of tunnel packets and later time-out and
1693 restart the connection.
1695 * easy-rsa update (Alon Bar-Lev)
1696 Makefile (install) is now available so that
1697 distribs will be able to install it safely.
1699 * PKCS#11 changes: (Alon Bar-Lev)
1700 - Modified ssl.c to not FATAL and return to init.c
1701 so auth-retry will work.
1702 - Modifed pkcs11-helper.c to fix some problem with
1704 - Added retry counter to PKCS#11 PIN hook.
1705 - Modified PKCS#11 PIN retry loop to return correct error
1706 code when PIN is incorrect.
1707 - Fix handling (ignoring) zero sized attributes.
1709 - Fix openssl 0.9.6 (first version) issues.
1711 * Minor fixes of lladdr (Alon Bar-Lev)
1712 Updated makefile.w32-vc to include lladdr.*, updated
1714 Modified lladdr.c to be compiled under visual C.
1716 * Added two new management states:
1717 OPENVPN_STATE_RESOLVE -- DNS lookup
1718 OPENVPN_STATE_TCP_CONNECT -- Connecting to TCP server
1720 * Echo management state change to log.
1722 * Minor syshead.h change for NetBSD to allow
1723 TCP_NODELAY flag to work.
1725 * Modified --port-share code to remove the assumption that
1726 CMSG_SPACE always evaluates to a constant, to enable
1727 compilation on NetBSD and possibly other BSDs as well.
1729 * Eliminated gcc 3.3.3 warnings on NetBSD
1730 when ./configure --enable-strict is used.
1732 * Added optional minimum-number-of-bytes parameter
1733 to --inactive directive.
1735 2006.04.13 -- Version 2.1-beta14
1737 * Fixed Windows server bug in time backtrack handling code which
1738 could cause TLS negotiation failures on legitimate clients.
1740 * Rewrote gettimeofday function for Windows to be
1741 simpler and more efficient.
1743 * Merged PKCS#11 extensions to easy-rsa/2.0 (Alon Bar-Lev).
1745 * Added --route-metric option to set a default route metric
1746 for --route (Roy Marples).
1748 * Added --lladdr option to specify the link layer (MAC) address
1749 for the tap interface on non-Windows platforms (Roy Marples).
1751 2006.04.12 -- Version 2.1-beta13
1753 * Code added in 2.1-beta7 and 2.0.6-rc1 to extend byte counters
1754 to 64 bits caused a bug in the Windows version which has now
1755 been fixed. The bug could cause intermittent crashes.
1757 2006.04.05 -- Version 2.1-beta12
1759 * Security Vulnerability -- An OpenVPN client connecting to a
1760 malicious or compromised server could potentially receive
1761 "setenv" configuration directives from the server which could
1762 cause arbitrary code execution on the client via a LD_PRELOAD
1763 attack. A successful attack appears to require that (a) the
1764 client has agreed to allow the server to push configuration
1765 directives to it by including "pull" or the macro "client" in
1766 its configuration file, (b) the client configuration file uses
1767 a scripting directive such as "up" or "down", (c) the client
1768 succesfully authenticates the server, (d) the server is
1769 malicious or has been compromised and is under the control of
1770 the attacker, and (e) the attacker has at least some level of
1771 pre-existing control over files on the client (this might be
1772 accomplished by having the server respond to a client web request
1773 with a specially crafted file). Credit: Hendrik Weimer.
1776 The fix is to disallow "setenv" to be pushed to clients from
1777 the server, and to add a new directive "setenv-safe" which is
1778 pushable from the server, but which appends "OPENVPN_" to the
1779 name of each remotely set environmental variable.
1781 * "topology subnet" fix for FreeBSD (Benoit Bourdin).
1783 * PKCS11 fixes (Alon Bar-Lev). For full description:
1784 svn log -r990 http://svn.openvpn.net/projects/openvpn/branches/BETA21
1786 * When deleting routes under Linux, use the route metric
1787 as a differentiator to ensure that the route teardown
1788 process only deletes the identical route which was originally
1789 added via the "route" directive (Roy Marples).
1791 * Fix the t_cltsrv.sh file in FreeBSD 4 jails
1792 (Matthias Andree, Dirk Meyer, Vasil Dimov).
1794 * Extended tun device configure code to support ethernet
1795 bridging on NetBSD (Emmanuel Kasper).
1797 2006.02.19 -- Version 2.1-beta11
1799 * Fixed --port-share bug that caused premature closing
1800 of proxied sessions.
1802 2006.02.17 -- Version 2.1-beta10
1804 * Fixed --port-share breakage introduced in 2.1-beta9.
1806 2006.02.16 -- Version 2.1-beta9
1808 * Added --port-share option for allowing OpenVPN and HTTPS
1809 server to share the same port number.
1810 * Added --management-client option to connect as a client
1811 to management GUI app rather than be connected to as a
1813 * Added "bytecount" command to management interface.
1814 * --remote-cert-tls fixes (Alon Bar-Lev).
1816 2006.01.03 -- Version 2.1-beta8
1818 * --remap-usr1 will now also remap signals thrown during
1820 * Added --connect-timeout option to control the timeout
1821 on TCP client connection attempts (doesn't work on all
1822 OSes). This patch also makes OpenVPN signalable during
1823 TCP connection attempts.
1824 * Fixed bug in acinclude.m4 where capability of compiler
1825 to handle zero-length arrays in structs is tested
1827 * Fixed typo in manage.c where inline function declaration
1828 was declared without the "static" keyword (David Stipp).
1829 * Patch to support --topology subnet on Mac OS X (Mathias Sundman).
1830 * Added --auto-proxy directive to auto-detect HTTP or SOCKS
1831 proxy settings (currently Windows only).
1832 * Removed redundant base64 code.
1833 * Better sanity checking of --server and --server-bridge
1834 IP pool ranges, so as not to hit the assertion at
1836 * Fixed bug where --daemon and --management-query-passwords
1837 used together would cause OpenVPN to block prior to
1839 * Fixed client/server race condition which could occur
1840 when --auth-retry interact is set and the initially
1841 provided auth-user-pass credentials are incorrect,
1842 forcing a username/password re-query.
1843 * Fixed bug where if --daemon and --management-hold are
1844 used together, --user or --group options would be ignored.
1845 * --ip-win32 adaptive is now the default.
1846 * --ip-win32 netsh (or --ip-win32 adaptive when in netsh
1847 mode) can now set DNS/WINS addresses on the TAP-Win32
1849 * Added new option --route-method adaptive (Win32)
1850 which tries IP helper API first, then falls back to
1852 * Made --route-method adaptive the default.
1854 2005.11.12 -- Version 2.1-beta7
1856 * Allow blank passwords to be passed via the management
1858 * Fixed bug where "make check" inside a FreeBSD "jail"
1859 would never complete (Matthias Andree).
1860 * Fixed bug where --server directive in --dev tap mode
1861 claimed that it would support subnets of /30 or less
1862 but actually would only accept /29 or less.
1863 * Extend byte counters to 64 bits (M. van Cuijk).
1864 * Fixed bug in Linux get_default_gateway function
1865 introduced in 2.0.4, which would cause redirect-gateway
1866 on Linux clients to fail.
1867 * Moved easy-rsa 2.0 scripts to easy-rsa/2.0 to
1868 be compatible with 2.0.x distribution.
1869 * Documented --route-nopull.
1870 * Documented --ip-win32 adaptive.
1871 * Windows build now linked with LZO2.
1872 * Allow ca, cert, key, and dh files to be specified
1873 inline via XML-like syntax without needing to
1874 reference an explicit file.
1879 * Allow plugin and push directives to have multi-line
1880 parameter lists such as:
1886 * Added connect-retry-max option (Alon Bar-Lev).
1887 * Fixed problems where signals thrown during initialization
1888 were not returning to a management-hold state.
1889 * Added a backtrack-hardened system time algorithm.
1890 * Added --remote-cert-ku, --remote-cert-eku, and
1891 --remote-cert-tls options for verifying certificate
1892 attributes (Alon Bar-Lev).
1893 * For Windows, reverted --ip-win32 default back to "dynamic".
1894 To use new adaptive mode, set explicitly.
1896 2005.11.01 -- Version 2.1-beta6
1898 * Security fix (merged from 2.0.4) -- Affects non-Windows
1899 OpenVPN clients of version 2.0 or higher which connect to
1900 a malicious or compromised server. A format string
1901 vulnerability in the foreign_option function in options.c
1902 could potentially allow a malicious or compromised server
1903 to execute arbitrary code on the client. Only
1904 non-Windows clients are affected. The vulnerability
1905 only exists if (a) the client's TLS negotiation with
1906 the server succeeds, (b) the server is malicious or
1907 has been compromised such that it is configured to
1908 push a maliciously crafted options string to the client,
1909 and (c) the client indicates its willingness to accept
1910 pushed options from the server by having "pull" or
1911 "client" in its configuration file (Credit: Vade79).
1913 * Security fix -- (merged from 2.0.4) Potential DoS
1914 vulnerability on the server in TCP mode. If the TCP
1915 server accept() call returns an error status, the resulting
1916 exception handler may attempt to indirect through a NULL
1917 pointer, causing a segfault. Affects all OpenVPN 2.0 versions.
1919 * Fix attempt of assertion at multi.c:1586 (note that
1920 this precise line number will vary across different
1921 versions of OpenVPN).
1922 * Windows reliability changes:
1923 (a) Added code to make sure that the local PATH environmental
1924 variable points to the Windows system32 directory.
1925 (b) Added new --ip-win32 adaptive mode which tries 'dynamic'
1926 and then fails over to 'netsh' if the DHCP negotiation fails.
1927 (c) Made --ip-win32 adaptive the default.
1928 * More PKCS#11 additions/changes (Alon Bar-Lev).
1929 * Added ".PHONY: plugin" to Makefile.am to work around
1931 * Fixed double fork issue that occurs when --management-hold
1933 * Moved TUN/TAP read/write log messages from --verb 8 to 6.
1934 * Warn when multiple clients having the same common name or
1935 username usurp each other when --duplicate-cn is not used.
1936 * Modified Windows and Linux versions of get_default_gateway
1937 to return the route with the smallest metric
1938 if multiple 0.0.0.0/0.0.0.0 entries are present.
1939 * Added ">NEED-OK" alert and "needok" command to management
1940 interface to provide a general interface for sending
1941 alerts to the end-user. Used by the PKCS#11 code
1942 to send Token Insertion Requests to the user.
1943 * Added actual remote address used to the ">STATE" alert
1944 in the management interface (Rolf Fokkens).
1946 2005.10.17 -- Version 2.1-beta4
1948 * Fixed bug introduced in 2.1-beta3 where management
1949 socket bind would fail.
1950 * --capath fix in ssl.c (Zhuang Yuyao).
1951 * Added ".PHONY: plugin" to Makefile.am, reverted
1952 location of "plugin" directory (thanks to
1953 Matthias Andree for figuring this out).
1955 2005.10.16 -- Version 2.1-beta3
1957 * Added PKCS#11 support (Alon Bar-Lev).
1958 * Enable the use of --ca together with --pkcs12. If --ca is
1959 used at the same time as --pkcs12, the CA certificate is loaded
1960 from the file specified by --ca regardless if the pkcs12 file
1961 contains a CA cert or not (Mathias Sundman).
1962 * Merged --capath patch (Thomas Noel).
1963 * Merged --multihome patch.
1964 * Added --bind option for TCP client connections (Ewan Bhamrah
1966 * Moved "plugin" directory to "plugins" to deal with strange
1967 automake problem that ended up being also fixable with
1968 ".PHONY: plugin" in Makefile.am.
1970 2005.10.13 -- Version 2.1-beta2
1972 * Made --sndbuf and --rcvbuf pushable.
1974 2005.10.01 -- Version 2.1-beta1
1976 * Made LZO setting pushable.
1977 * Renamed sample-keys/tmp-ca.crt to ca.crt.
1978 * Fixed bug where remove_iroutes_from_push_route_list
1979 was missing routes if those routes had
1980 an implied netmask (by omission) of 255.255.255.255.
1981 * Merged with 2.0.3-rc1
1982 * easy-rsa/2.0 moved to easy-rsa
1983 * old easy-rsa moved to easy-rsa/1.0
1985 2005.09.23 -- Version 2.0.2-TO4
1987 * Added feature to TAP-Win32 adapter to allow it to be
1988 opened from non-administrator mode. This feature
1989 is enabled by default, and can be enabled/disabled
1990 in the adapter advanced properties dialog.
1991 * Added --allow-nonadmin standalone option for Windows to
1992 set TAP adapter to allow non-admin access. This
1993 is a user-mode version of the code, and duplicates
1994 the same feature as the above entry.
1995 * Added fix that attempts to solve corner case of tunnel not
1996 forwarding packets when system clock is reset to an earlier time.
1997 * Added --redirect-gateway bypass-dns option. (Developers:
1998 To add bypass-dhcp or bypass-dns support to other OSes,
1999 add a get_bypass_addresses function to route.c for
2001 * Added OPENVPN_PLUGIN_CLIENT_CONNECT_V2 plugin callback, which
2002 allows a client-connect plugin to return configuration text
2003 in memory, rather than via a file.
2004 * Fixed a bug where --mode server --proto tcp-server --cipher none
2005 operation could cause tunnel packet truncation.
2006 * openvpn --version will show [LZO1] or [LZO2], depending on
2007 version that was linked.
2009 2005.09.07 -- Version 2.0.2-TO1
2011 * Added --topology directive. See man page.
2012 * Added --redirect-gateway bypass-dhcp option to add a route
2013 allowing DHCP packets to bypass the tunnel, when the
2014 DHCP server is non-local. Currently only implemented
2016 * Modified OpenVPN Service on Windows to declare the DHCP
2017 client service as a dependency.
2018 * Extended the plugin interface to allow plugins to declare
2019 per-client constructor and destructor functions, to make
2020 it simpler for plugins to maintain per-client state.
2022 2005.09.25 -- Version 2.0.3-rc1
2024 * openvpn_plugin_abort_v1 function wasn't being properly
2025 registered on Windows.
2026 * Fixed a bug where --mode server --proto tcp-server --cipher none
2027 operation could cause tunnel packet truncation.
2029 2005.08.25 -- Version 2.0.2
2031 * No change from 2.0.2-rc1.
2033 2005.08.24 -- Version 2.0.2-rc1
2035 * Fixed regression bug in Win32 installer, introduced in 2.0.1,
2036 which incorrectly set OpenVPN service to autostart.
2037 * Don't package source code zip file in Windows installer
2038 in order to reduce the size of the installer. The source
2039 zip file can always be downloaded separately if needed.
2040 * Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD
2041 version of get_default_gateway. Allocated socket for route
2042 manipulation is never freed so number of mbufs continuously
2043 grow and exhaust system resources after a while (Jaroslav Klaus).
2044 * Fixed bug where "--proto tcp-server --mode p2p --management
2045 host port" would cause the management port to not respond until
2046 the OpenVPN peer connects.
2047 * Modified pkitool script to be /bin/sh compatible (Johnny Lam).
2049 2005.08.16 -- Version 2.0.1
2051 * Security Fix -- DoS attack against server when run with "verb 0" and
2052 without "tls-auth". If a client connection to the server fails
2053 certificate verification, the OpenSSL error queue is not properly
2054 flushed, which can result in another unrelated client instance on the
2055 server seeing the error and responding to it, resulting in disconnection
2056 of the unrelated client (CAN-2005-2531).
2057 * Security Fix -- DoS attack against server by authenticated client.
2058 This bug presents a potential DoS attack vector against the server
2059 which can only be initiated by a connected and authenticated client.
2060 If the client sends a packet which fails to decrypt on the server,
2061 the OpenSSL error queue is not properly flushed, which can result in
2062 another unrelated client instance on the server seeing the error and
2063 responding to it, resulting in disconnection of the unrelated client
2064 (CAN-2005-2532). Credit: Mike Ireton.
2065 * Security Fix -- DoS attack against server by authenticated client.
2066 A malicious client in "dev tap" ethernet bridging mode could
2067 theoretically flood the server with packets appearing to come from
2068 hundreds of thousands of different MAC addresses, causing the OpenVPN
2069 process to deplete system virtual memory as it expands its internal
2070 routing table. A --max-routes-per-client directive has been added
2071 (default=256) to limit the maximum number of routes in OpenVPN's
2072 internal routing table which can be associated with a given client
2074 * Security Fix -- DoS attack against server by authenticated client.
2075 If two or more client machines try to connect to the server at the
2076 same time via TCP, using the same client certificate, and when
2077 --duplicate-cn is not enabled on the server, a race condition can
2078 crash the server with "Assertion failed at mtcp.c:411"
2080 * Fixed server bug where under certain circumstances, the client instance
2081 object deletion function would try to delete iroutes which had never been
2082 added in the first place, triggering "Assertion failed at mroute.c:349".
2083 * Added --auth-retry option to prevent auth errors from being fatal
2084 on the client side, and to permit username/password requeries in case
2085 of error. Also controllable via new "auth-retry" management interface
2086 command. See man page for more info.
2087 * Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0
2088 * Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1'
2089 would fail to build.
2090 * Implement "make check" to perform loopback tests (Matthias Andree).
2092 2005.07.21 -- Version 2.0.1-rc7
2094 * Support LZO 2.01 which renamed its library to lzo2 (Matthias Andree).
2095 * Include linux/types.h before checking for linux/errqueue.h (Matthias
2098 2005.07.15 -- Version 2.0.1-rc6
2100 * Commented out "user nobody" and "group nobody" in sample
2101 client/server config files.
2102 * Allow '@' character to be used in --client-config-dir
2105 2005.07.04 -- Version 2.0.1-rc5
2107 * Windows version will log a for-further-info URL when
2108 initialization sequence is completed with errors.
2109 * Added DLOPEN_PAM parameter to plugin/auth-pam/Makefile
2110 to control whether auth-pam plugin links to PAM via
2111 dlopen or -lpam. By default, DLOPEN_PAM=1 so pre-existing
2112 behavior should be preserved. DLOPEN_PAM=0 is the preferred
2113 setting to link via -lpam, but DLOPEN_PAM=1 works around
2114 a bug in SuSE 9.1 (and possibly other distros as well)
2115 where the PAM modules are not linked with -lpam. See
2116 thread on openvpn-devel for more discussion about this
2117 patch (Simon Perreault).
2119 2005.06.15 -- Version 2.0.1-rc4
2121 * Support LZO 2.00, including changes to configure script to
2122 autodetect LZO version.
2124 2005.06.12 -- Version 2.0.1-rc3
2126 * Fixed a bug which caused standard file handles to not be closed
2127 after daemonization when --plugin and --daemon are used together,
2128 and if the plugin initialization function forks (as does auth-pam
2129 and down-root) (Simon Perreault).
2130 * Added client-side up/down scripts in contrib/pull-resolv-conf
2131 for accepting server-pushed "dhcp-option DOMAIN" and "dhcp-option DNS"
2132 on Linux/Unix systems (Jesse Adelman).
2133 * Fixed bug where if client-connect scripts/plugins were cascaded,
2134 and one (but not all) of them returned an error status, there might
2135 be cases where for an individual script/plugin, client-connect was
2136 called but not client-disconnect. The goal of this fix is to
2137 ensure that if client-connect is called on a given client instance,
2138 then client-disconnect will definitely be called. A potential
2139 complication of this fix is that when client-connect functions are
2140 cascaded, it's possible that the client-disconnect function would
2141 be called in cases where the related client-connect function returned
2142 an error status. This fix should not alter OpenVPN behavior when
2143 scripts/plugins are not cascaded.
2144 * Changed the hard-to-reproduce "Assertion failed at fragment.c:312"
2145 fatal error to a warning: "FRAG: outgoing buffer is not empty".
2146 Need more info on how to reproduce this one.
2147 * When --duplicate-cn is used, the --ifconfig-pool allocation
2148 algorithm will now allocate the first available IP address.
2149 * When --daemon and --management-hold are used together,
2150 OpenVPN will daemonize before it enters the management hold state.
2152 2005.05.16 -- Version 2.0.1-rc2
2154 * Modified vendor test in openvpn.spec file to match against
2155 "Mandrakesoft" in addition to "MandrakeSoft".
2156 * Using --iroute in a --client-config-dir file while in --dev tap
2157 mode is not currently supported and will produce a warning
2158 message. Fixed bug where in certain cases, in addition to
2159 generating a warning message, this combination of options
2160 would also produce a fatal assertion in mroute.c.
2161 * Pass --auth-user-pass username to server-side plugin without
2162 performing any string remapping (plugins, unlike scripts,
2163 don't get any security benefit from string remapping).
2164 This is intended to fix an issue with openvpn-auth-pam/pam_winbind
2165 where backslash characters in a username ('\') were being remapped
2166 to underscore ('_').
2167 * Updated OpenSSL DLLs in Windows build to 0.9.7g.
2168 * Documented --explicit-exit-notify in man page.
2169 * --explicit-exit-notify seconds parameter defaults to 1 if
2172 2005.04.30 -- Version 2.0.1-rc1
2174 * Fixed bug where certain kinds of fatal errors after
2175 initialization (such as port in use) would leave plugin
2176 processes (such as openvpn-auth-pam) still running.
2177 * Added optional openvpn_plugin_abort_v1 plugin function for
2178 closing initialized plugin objects in the event of a fatal
2179 error by main OpenVPN process.
2180 * When the --remote list is > 1, and --resolv-retry is not
2181 specified (meaning that it defaults to "infinite"), apply the
2182 infinite timeout to the --remote list as a whole, but try each
2183 list item only once before moving on to the next item.
2184 * Added new --syslog directive which redirects output
2185 to syslog without requiring the use of the --daemon or --inetd
2187 * Added openvpn.spec option to allow RPM to be built with support
2188 for passwords read from a file:
2189 rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1'
2191 2005.04.17 -- Version 2.0
2193 * Fixed minor options string typo in options.c.
2195 2005.04.10 -- Version 2.0-rc21
2197 * Change license description from "GPL Version 2 or (at your
2198 option) any later version" to just "GPL Version 2".
2200 2005.04.04 -- Version 2.0-rc20
2202 * Dag Wieers has put together an OpenVPN/LZO binary RPM set with
2203 excellent distro/version coverage for RH/EL/Fedora, though
2204 using his own SPEC. I modified openvpn.spec to follow some of
2205 the same conventions such as putting sample scripts and doc
2206 files in %doc rather than /usr/share/openvpn.
2207 * Minor change to init scripts to run the user-defined script
2208 /etc/openvpn/openvpn-startup (if it exists) before any OpenVPN
2209 configs are started, and to run /etc/openvpn/openvpn-shutdown
2210 after all OpenVPN configs have been stopped. The
2211 openvpn-startup script can be used for stuff like
2212 insmod tun.o, setting up firewall rules, or starting
2215 2005.03.29 -- Version 2.0-rc19
2217 * Omit additions of routes where the network and
2218 gateway are equal and the netmask is 255.255.255.255.
2219 This can come up if you are using both
2220 server/ifconfig-pool and client-config-dir with
2221 ifconfig-push static addresses for some subset of clients
2222 which directly reference the server IP address as the
2225 2005.03.28 -- Version 2.0-rc18
2227 * Packaged Windows installer with OpenSSL 0.9.7f.
2228 * Built Windows installer with NSIS 2.06.
2230 2005.03.12 -- Version 2.0-rc17
2232 * "MANAGEMENT: CMD" log file output will now only occur
2233 at --verb 7 or greater.
2234 * Added an optional name/value configuration list to
2235 the openvpn-auth-pam plugin module argument list. See
2236 plugin/auth-pam/README for documentation. This is necessary
2237 in order for openvpn-auth-pam to work with queries generated
2238 by arbitrary PAM modules.
2239 * In both auth-pam and down-root plugins, in the forked process,
2240 a read error on the parent process socket is no longer fatal.
2241 * MandrakeSoft liblzo1 RPM only Provides for a 'liblzo1'.
2242 A conditional test of the vendor has been added to
2243 Require the appropriately named 'lzo' (liblzo1 / lzo).
2244 (Tom Walsh - http://openhardware.net)
2247 2005.02.20 -- Version 2.0-rc16
2249 * Fixed bug introduced in rc13 where Windows service wrapper
2250 would be installed with a startup type of Automatic.
2251 This fix restores the previous behavior of installing
2252 with a startup type of Manual.
2254 2005.02.19 -- Version 2.0-rc15
2256 * Added warning when --keepalive is not used in a server
2258 * Don't include OpenSSL md4.h file if we are not building
2259 NTLM proxy support (Waldemar Brodkorb).
2260 * Added easy-rsa/build-key-pkcs12 and
2261 easy-rsa/Windows/build-key-pkcs12.bat scripts
2264 2005.02.16 -- Version 2.0-rc14
2266 * Fixed small memory leak that occurs when --crl-verify
2268 * Upgraded Windows installer and .nsi script to NSIS 2.05
2270 * Changed #include backslash usage in cryptoapi.c to use
2271 forward slashes instead (Gisle Vanem).
2272 * Created easy-rsa/revoke-full to handle revocations in
2273 a single step: (a) revoke crt, (b) regenerate CRL, and
2274 (c) verify that revocation succeeded.
2275 * Renamed easy-rsa/Windows/revoke-key to revoke-full so
2276 that both *nix and Windows scripts are equivalent.
2278 2005.02.11 -- Version 2.0-rc13
2280 * Improve human-readability of local/remote options
2281 diff, when inconsistencies are present.
2282 * For Windows easy-rsa, distribute vars.bat.sample and
2283 openssl.cnf.sample, then copy them to their normal
2284 filenames (without the .sample) when init-config.bat
2285 is run. This is to prevent OpenVPN upgrades from
2286 wiping out vars.bat and openssl.cnf edits.
2287 * Modified service wrapper (Windows) to use a
2288 case-insensitive search when scanning for .ovpn files
2289 in \Program Files\OpenVPN\config. Prior versions
2290 required an all-lower-case .ovpn file extension.
2291 * Miscellaneous service wrapper code cleanup.
2292 * If --user/--group is used on Windows, treat it
2293 as a no-op with a warning (this makes it easier to
2294 distribute the same client config file to Windows
2296 * Warn if --ifconfig-pool-persist is used with
2299 2005.02.05 -- Version 2.0-rc12
2301 * Removed some debugging code inadvertently included
2302 in rc11 which would print the --auth-user-pass
2303 username/password provided by clients in the server
2305 * Client code for cycling through --remote list will
2306 retry the last address which successfully authenticated
2307 before moving on through the list.
2308 * Windows installer will now install sample configuration
2309 files in \Program Files\OpenVPN\sample-configs as well
2310 as generate a start menu shortcut to this directory.
2311 * Minor type change in buffer.[ch] to work around char-type
2312 ambiguity bug. Caused management interface lock-ups on
2313 ARM when building with armv4b-hardhat-linux-gcc 2.95.3.
2315 2005.02.03 -- Version 2.0-rc11
2317 * Windows installer will now install easy-rsa directory
2318 in \Program Files\OpenVPN
2319 * Allow syslog facility to be controlled at compile time,
2320 e.g. -DLOG_OPENVPN=LOG_LOCAL6 (P Kern).
2321 * Changed certain shell scripts in distribution to use
2322 #!/bin/sh rather than #!/bin/bash for better portability.
2323 * If --ifconfig-pool-persist seconds parameter is 0, treat
2324 persist file as an allocation of fixed IP addresses
2325 (previous versions took IP-to-common-name associations
2326 from this list as hints, not mandatory static allocations).
2327 * Fixed bug on *nix where if --auth-user-pass and --log
2328 were used together, the username prompt would be sent to
2329 the log file rather than /dev/tty.
2330 * Spurious text in openvpn.8 detected by doclifter
2332 * Call closelog later on daemon kill so that process
2333 exit message is written to syslog.
2335 2005.01.27 -- Version 2.0-rc10
2337 * When ./configure is run with plugins enabled (the default),
2338 check whether or not dlopen exists in libc before testing
2339 for libdl. This is to fix an issue on FreeBSD and possibly
2340 other OSes which bundle libdl functions in libc.
2341 * On Windows, filter initial WSAEINVAL warning which occurs
2342 on the initial read attempt of an unbound socket.
2343 * The easy-rsa scripts build-key, build-key-pass, and
2344 build-key-server will now chmod the .key file
2345 to 0600. This is in addition to the fact the generated
2346 keys directory has always been similarly protected
2349 2005.01.23 -- Version 2.0-rc9
2351 * Fixed error "ROUTE: route addition failed using
2352 CreateIpForwardEntry ..." on Windows when --redirect-gateway
2353 is used over a RRAS internet link.
2354 * When using --route-method exe on Windows, include the
2355 gateway parameter on route delete commands (Mathias Sundman).
2356 * Try not to do a hard reset (i.e. SIGHUP) when two
2357 SIGUSR1 signals are received in close succession.
2358 * If the push list tries to grow beyond its buffer capacity,
2359 the resulting error will be non-fatal.
2360 * To increase the push list capacity (must be done on both
2361 client and server), increase TLS_CHANNEL_BUF_SIZE in
2362 common.h (default=1024).
2364 2005.01.15 -- Version 2.0-rc8
2366 * Fixed bug introduced in rc7 where options error
2367 "--auth-user-pass requires --pull" might occur even
2368 if --pull was correctly specified.
2369 * Changed management interface code to bind once
2370 to TCP socket, rather than rebinding after every
2372 * Added "disable" directive for client-config-dir
2374 * Windows binary install is now distributed with
2376 * Query the management interface for --http-proxy
2377 username/password if authfile is set to "stdin".
2378 * Added current OpenVPN version number to "Unrecognized
2379 option or missing parameter" error message.
2380 * Added "-extensions server" to "openssl req" command
2381 in easy-rsa/build-key-server (Nir Yeffet).
2383 2005.01.10 -- Version 2.0-rc7
2385 * Fixed bug in management interface which could cause
2386 100% CPU utilization in --proto tcp-server mode
2387 on all *nix OSes except for Linux 2.6.
2388 * --ifconfig-push now accepts DNS names as well as
2390 * Added sanity check errors when --pull or
2391 --auth-user-pass is used in an incorrect mode.
2392 * Updated man page entries for --client-connect and
2394 * Added "String Types and Remapping" section to man
2395 page to consisely document the way which OpenVPN
2396 may convert certain types of characters in strings
2398 * Modified bridging description in HOWTO to emphasize
2399 the fact that bridging allows Windows file and print
2400 sharing without a WINS server (Charles Duffy).
2402 2004.12.20 -- Version 2.0-rc6
2404 * Improved checking for epoll support in ./configure
2405 to fix false positive on RH9 (Jan Just Keijser).
2406 * Made the "MULTI TCP: I/O wait required blocking in
2407 multi_tcp_action, action=7" error nonfatal and replaced
2408 with "MULTI: Outgoing TUN queue full, dropped packet".
2409 So far the issue only seems to occur on Linux 2.2
2410 in --mode server --proto tcp mode. It occurs when
2411 the TUN/TAP driver locks up and refuses to accept
2412 new packet writes for a second or more.
2413 * Fixed bug where if a --client-config-dir file tried
2414 to include another file using "config", and if that
2415 include failed, OpenVPN would abort with a fatal
2416 error. Now such inclusion failures will be logged
2417 but are no longer fatal.
2418 * Global changes to the way that packet buffer alignment
2419 is handled. Previously we didn't care about alignment
2420 and took care, when handling 16 and 32 bit words
2421 in buffers, to always use alignment-safe transfers.
2422 This approach appears to be inadequate on some
2423 architectures such as alpha. The new approach is
2424 to initialize packet buffers in a way that anticipates
2425 how component structures will be allocated within
2426 them, to maintain correct alignment.
2427 * Added --dhcp-option DISABLE-NBT to disable NetBIOS
2428 over TCP (Jan Just Keijser).
2429 * Added --http-proxy-option directive for controlling
2430 miscellaneous HTTP proxy options.
2431 * Management state will no longer transition to "WAIT"
2432 during TLS renegotiations.
2434 2004.12.16 -- Version 2.0-rc5
2436 * The --client-config-dir option will now try to open
2437 a default file called "DEFAULT" if no file matching
2438 the common name of the incoming client was found.
2439 * The --client-connect script/plugin can now veto client
2440 authentication by returning a failure code.
2441 * The --learn-address script/plugin can now prevent a
2442 client-instance/address association from being learned
2443 by returning a failure code.
2444 * Changed RPM group in .spec file to Applications/Internet.
2446 2004.12.14 -- Version 2.0-rc4
2448 * SuSE only -- Fixed interaction between openvpn.spec and
2449 suse/openvpn.init where the .spec file was writing the
2450 OpenVPN binary to a different location than where the
2451 .init script was referencing it (Stefan Engel).
2452 * Solaris only -- Split Solaris ifconfig command into two
2453 parts (Jan Just Keijser).
2454 * Some cleanup in add_option().
2455 * Better error checking on input dotted quad IP addresses.
2456 * Verify that --push argument is quoted, if there is
2458 * More miscellaneous option sanity checks.
2460 2004.12.13 -- Version 2.0-rc3
2462 * On Windows, when --log or --log-append is used,
2463 save the original stderr for username and password
2465 * Fixed a bug introduced in the late 2.0 betas where
2466 if a "verb" parameter >= 16 was used, it would be
2467 ignored and the actual verb level would remain at 1.
2468 * Fixed a bug mostly seen on OS X where --management-hold
2469 or --management-query-passwords would cause the management
2470 interface to be unresponsive to incoming client connections.
2471 * Trigger an options error if one of the management-modifying
2472 options is used without "management" itself.
2474 2004.12.12 -- Version 2.0-rc2
2476 * Amplified warnings in documentation about possible
2477 man-in-the-middle attack when clients do not properly
2478 verify server certificate. Changes to easy-rsa README,
2479 FAQ, HOWTO, man page, and sample client config file.
2480 * Added a warning message if --tls-client or --client
2481 is used without also specifying one of either
2482 --ns-cert-type, --tls-remote, or --tls-verify.
2483 * status_open() fixes for MSVC builds (Blaine Fleming).
2484 * Fix attempt of "ntlm.c:55: error: `des_cblock' undeclared"
2485 compiler error which has been reported on some platforms.
2486 * The openvpn.spec file for rpmbuild has several
2487 new build-time options. See comments in the file.
2488 * Plugins are now built and packaged in the RPM and
2489 will be saved in /usr/share/openvpn/plugin/lib.
2490 * Added --management-hold directive to start OpenVPN
2491 in a hibernating state until released by the
2492 management interface. Also added "hold" command
2493 to the management interface.
2495 2004.12.07 -- Version 2.0-rc1
2497 * openvpn.spec workaround for SuSE confusion regarding
2498 /etc/init.d vs. /etc/rc.d/init.d (Stefan Engel).
2500 2004.12.05 -- Version 2.0-beta20
2502 * The ability to read --askpass and --auth-user-pass
2503 passwords from a file has been disabled by default.
2504 To re-enable, use ./configure --enable-password-save.
2505 * Added additional pre-connected states to management
2506 interface. See management/management-notes.txt
2508 * State history is now recorded by the management
2509 interface, and the "state" command now works like
2510 the log or echo commands.
2511 * State history and real-time state change notifications
2512 are now prepended with an integer unix timestamp.
2513 * Added --http-proxy-timeout option, previously
2514 the timeout was hardcoded to 5 seconds.
2516 2004.12.02 -- Version 2.0-beta19
2518 * Fixed bug in management interface line termination
2519 where output lines incorrectly contained a \00 char
2520 after the customary \0d \0a.
2521 * Fixed bug introduced in beta18 where Windows version
2522 would segfault on options errors.
2523 * Fixed bug in management interface where an empty
2524 quoted string ("") entered as a parameter would cause
2526 * Fixed bug where --resolv-retry was not working
2527 properly with multiple --remote hosts.
2528 * Added additional ./configure options to reduce
2529 executable size for embedded applications.
2530 See ./configure --help.
2532 2004.11.28 -- Version 2.0-beta18
2534 * Added management interface. See new --management-*
2535 options or the full management interface documentation
2536 in management/management-notes.txt in the tarball.
2537 Management interface inclusion can be disabled by
2538 ./configure --disable-management.
2539 * Added two new plugin modules: auth-pam and down-root.
2540 Auth-pam supports pam-based authentication using a
2541 split privilege execution model, while down-root enables
2542 a down script to be executed with root privileges, even
2543 when --user/--group is used to drop root privileges.
2544 See the plugin directory in the tarball for READMEs,
2545 source code, and Makefiles.
2546 * Plugin developers should note that some changes were
2547 made to the plugin interface since beta17. See
2548 openvpn-plugin.h for details.
2549 Plugin interface inclusion can be disabled with
2550 ./configure --disable-plugins
2551 * Added easy-rsa/build-key-server script which will
2552 build a certificate with with nsCertType=server.
2553 * Added --ns-cert-type option for verification
2554 of nsCertType field in peer certificate.
2555 * If --fragment n is specified and --mssfix is specified
2556 without a parameter, default --mssfix to n. This restores
2557 the 1.6 behavior when using --mssfix without a parameter.
2558 * Fixed SSL context initialization bug introduced in beta14
2559 where this error might occur on restarts: "Cannot load
2560 certificate chain ... PEM_read_bio:no start line".
2562 2004.11.11 -- Version 2.0-beta17
2564 * Changed default port number to 1194 per IANA official
2565 port number assignment.
2566 * Added --plugin directive which allows compiled
2567 modules to intercept script callbacks. See
2568 plugin folder in tarball for more info.
2569 * Fixed bug introduced in beta12 where --key-method 1
2570 authentications which should have succeeded would fail.
2571 * Ignore SIGUSR1 during DNS resolution.
2572 * Added SuSE support to openvpn.spec (Umberto Nicoletti).
2573 * Fixed --cryptoapicert SUBJ: parsing bug (Peter 'Luna'
2576 2004.11.07 -- Version 2.0-beta16
2578 * Modified sample-scripts/auth-pam.pl to get username
2579 and password from OpenVPN via a file rather than
2580 via environmental variables.
2581 * Added bytes_sent and bytes_received environmental
2582 variables to be set prior to client-disconnect script.
2583 * Changed client virtual IP derivation precedence:
2584 (1) use --ifconfig-push directive from --client-connect
2585 script, (2) use --ifconfig-push directive from
2586 --client-config-dir, and (3) use --ifconfig-pool
2588 * If a --client-config-dir file specifies --ifconfig-push,
2589 it will be visible to the --client-connect-script in
2590 the ifconfig_pool_remote_ip environmental variable.
2591 * For tun-style tunnels, the ifconfig_pool_local_ip
2592 environmental variable will be set, while for
2593 tap-style tunnels, the ifconfig_pool_netmask variable
2595 * Added intelligence to autoconf script to test
2596 compiler for the accepted form of zero-length arrays.
2597 * Fixed a bug introduced in beta12 where --ip-win32
2598 netsh would fail if --dev-node was not explicitly
2600 * --ip-win32 netsh will now work on hidden adapters.
2601 * Fix attempt of "Assertion failed at crypto.c:149".
2602 This assertion has also been reported on 1.x with a
2603 slightly different line number. The fix is twofold:
2604 (1) In previous releases, --mtu-test may trigger this
2605 assertion -- this bug has been fixed. (2) If something
2606 else causes the assertion to be thrown, don't panic,
2607 just output a nonfatal warning to the log and drop
2608 the packet which generated the error.
2609 * Support TAP interfaces on Mac OS X (Waldemar Brodkorb).
2610 * Added --echo directive.
2611 * Added --auth-nocache directive.
2613 2004.10.28 -- Version 2.0-beta15
2615 * Changed environmental variable character classes
2616 so that names must consist of alphanumeric or
2617 underbar chars and values must consist of printable
2618 characters. Illegal chars will be deleted.
2619 Versions prior to 2.0-beta12 were more restrictive
2620 and would map spaces to '.'.
2621 * On Windows, when the TAP adapter fails to
2622 initialize with the correct IP address, output
2623 "Initialization Sequence Completed with Errors"
2624 to the console or log file.
2625 * Added a warning when user/group/chroot is used
2626 without persist-tun and persist-key.
2627 * Added cryptoapi.[ch] to tarball and source zip.
2628 * --tls-remote option now works with common name
2629 prefixes as well as with the full X509 subject
2630 string. This is a useful alternative to using
2631 a CRL on the client.
2632 * common names associated with a static
2633 --ifconfig-push setting will no longer leave
2634 any state in the --ifconfig-pool-persist file.
2635 * Hard TLS errors (TLS handshake failed) will now
2636 trigger either a SIGUSR1 signal by default
2637 or SIGTERM (if --tls-exit is specified). In TCP
2638 mode, all TLS errors are considered to be hard.
2639 In server mode, the signal will be local to the
2641 * Added method parameter to --auth-user-pass-verify
2642 directive to select whether username/password
2643 is passed to script via environment or a temporary
2645 * Added --status-version option to control format
2646 of --status file. The --mode server
2647 --status-version 2 format now includes a line
2648 type token, the virtual IP address is shown
2649 in the client list (even in --dev tap mode),
2650 and the integer time_t value is shown anywhere
2651 an ascii-formatted time/date is also shown.
2652 * Added --remap-usr1 directive which can be used
2653 to control whether internally or externally
2654 generated SIGUSR1 signals are remapped to
2655 SIGHUP (restart without persisting state) or
2657 * When running as a Windows service (using
2658 --service option), check the exit event before
2659 and after reading one line of input from
2660 stdin, when reading username/password info.
2661 * For developers: Extended the --gremlin function
2662 to better stress-test the new 2.0 features,
2663 added Valgrind support on Linux and Dmalloc
2666 2004.10.19 -- Version 2.0-beta14
2668 * Fixed a bug introduced in Beta12 that would occur
2669 if you use a --client-connect script without also
2671 * Fixed a bug introduced in Beta12 where a learn-address
2672 script might segfault on the delete method.
2673 * Added Crypto API support in Windows version via
2674 the --cryptoapicert option (Peter 'Luna' Runestig).
2676 2004.10.18 -- Version 2.0-beta13
2678 * Fixed an issue introduced in Beta12 where the private
2679 key password would not be prompted for unless --askpass
2680 was explicitly specified in the config.
2682 2004.10.17 -- Version 2.0-beta12
2684 * Added support for username/password-based authentication.
2685 Clients can now authentication themselves with the server
2686 using either a certificate, a username/password, or both.
2687 New directives: --auth-user-pass, --auth-user-pass-verify,
2688 --client-cert-not-required, and --username-as-common-name.
2689 * Added NTLM proxy patch (William Preston).
2690 * Added --ifconfig-pool-linear server flag to allocate
2691 individual tun addresses for clients rather than /30
2692 subnets (won't work with Windows clients).
2693 * Modified --http-proxy code to cache username/password
2695 * Modified --http-proxy code to read username/password
2696 from the console when the auth file is given as "stdin".
2697 * Modified --askpass to take an optional filename argument.
2698 * --persist-tun and --persist-key now work in client mode
2699 and can be pushed to clients as well.
2700 * Added --ifconfig-pool-persist directive, to maintain
2701 ifconfig-pool info in a file which is persistent across
2702 daemon instantiations.
2703 * --user and --group privilege downgrades as well as
2704 --chroot now also work in client mode (the
2705 dowgrade/chroot will be delayed until the initialization
2706 sequence is completed).
2707 * Added --show-engines standalone directive to show
2708 available OpenSSL crypto accelerator engine support.
2709 * --engine directive now accepts an optional engine-ID
2710 parameter to control which engine is used.
2711 * "Connection reset, restarting" log message now shows
2712 which client is being reset.
2713 * Added --dhcp-pre-release directive in Windows version.
2714 * Second parm to --ip-win32 can be "default", e.g.
2715 --ip-win32 dynamic default 60.
2716 * Fixed documentation bug regarding environmental
2717 variable settings for --ifconfig-pool IP addresses.
2718 The correct environmental variable names are:
2719 ifconfig_pool_local_ip and ifconfig_pool_remote_ip.
2720 * ifconfig_pool_local_ip and ifconfig_pool_remote_ip
2721 environmental variables are now passed to the
2722 client-disconnect script.
2723 * In server mode, environmental variables are now scoped
2724 according to the client they are associated with,
2725 to solve the problem of "crosstalk" between different
2726 client's environmental variable sets.
2727 * Added --down-pre flag to cause --down script to be
2728 called before TUN/TAP close (rather than after).
2729 * Added --tls-exit flag which will cause OpenVPN
2730 to exit on any TLS errors.
2731 * Don't push a route to a client if it exactly
2732 matches an iroute (this lets you push routes to
2733 all clients, and OpenVPN will automatically remove
2734 the route from the route push list only for that client
2735 which the route actually belongs to).
2736 * Made '--resolv-retry infinite' the default.
2737 --resolv-retry can be disabled by using a parameter of 0.
2738 * For clients which plan to pull config info from server,
2739 set an initial default ping-restart of 60 seconds.
2740 * Optimized mute code to lessen the load on the processor
2741 when messages are being muted at a higher frequency.
2742 * Made route log messages non-mutable.
2743 * Silence the Linux "No buffer space available" message.
2744 * Added miscellaneous additional option sanity checks.
2745 * Added Windows version of easy-rsa scripts in
2746 easy-rsa/Windows directory (Andrew J. Richardson).
2747 * Added NetBSD route patch (Ed Ravin).
2748 * Added OpenBSD patch for TAP + --redirect-gateway
2749 (Waldemar Brodkorb).
2750 * Directives which prompt for a username and/or password
2751 will now work with --daemon (OpenVPN will prompt
2753 * Warn if CRL is from a different issuer than the
2754 issuer of the peer certificate (Bernhard Weisshuhn).
2755 * Changed init script chkconfig parameters to start
2756 OpenVPN daemon(s) before NFS.
2757 * Bug fix attempt of "too many I/O wait events" which occurs
2758 on OSes which prefer select() over poll() such as Mac OS X.
2759 * Added --ccd-exclusive flag. This flag will require, as a
2760 condition of authentication, that a connecting client has
2761 a --client-config-dir file.
2762 * TAP-Win32 open code will attempt to open a free adapter
2763 if --dev-node is not specified (Mathias Sundman).
2764 * Resequenced --nice and --chroot ordering so that --nice
2766 * Added --suppress-timestamps flag (Charles Duffy).
2767 * Source code changes to allow compilation by MSVC
2768 (Peter 'Luna' Runestig).
2769 * Added experimental --fast-io flag which optimizes
2770 TUN/TAP/UDP writes on non-Windows systems.
2772 2004.08.18 -- Version 2.0-beta11
2774 * Added --server, --server-bridge, --client, and
2775 --keepalive helper directives. See client.conf
2776 and server.conf in sample-config-files for sample
2777 configurations which use the new directives.
2778 * On Windows, added --route-method to control
2779 whether IP Helper API or route.exe is used
2780 to add/delete routes.
2781 * On Windows, added a second parameter to
2782 --route-delay to control the maximum time period
2783 to wait for the TAP-Win32 adapter to come up
2784 before adding routes.
2785 * Fixed bug in Windows version where configurations
2786 which omit --ifconfig might fail to recognize when
2787 the TAP adapter is up.
2788 * Proxy connection failures will now retry according
2789 to the --connect-retry parameter.
2790 * Fixed --dev null handling on Windows so that TLS
2791 loopback test described in INSTALL file works
2792 correctly on Windows.
2793 * Added "Initialization Sequence Completed" message
2794 after all initialization steps have been completed
2795 and the VPN can be considered "up".
2796 * Better sanity-checking on --ifconfig-pool parameters.
2797 * Added --tcp-queue-limit option to control
2798 TUN/TAP -> TCP socket overflow.
2799 * --ifconfig-nowarn flag will now silence general
2800 warnings about possible --ifconfig address
2801 conflicts, including the warning about --ifconfig
2802 and --remote addresses being in same /24 subnet.
2803 * Fixed case where server mode did not correctly
2804 identify certain types of ethernet multicast packets
2806 * Added --explicit-exit-notify option (experimental).
2808 2004.08.02 -- Version 2.0-beta10
2810 * Fixed possible reference after free of option strings
2811 after a restart, bug was introduced in beta8.
2812 * Fixed segfault at route.c:919 in the beta9
2813 Windows version that was being caused by indirection
2814 through a NULL pointer.
2815 * Mistakenly built debug version of TAP-Win32 driver
2816 for beta9. Beta10 has correct release build.
2818 2004.07.30 -- Version 2.0-beta9
2820 * Fixed --route issue on Windows that was introduced with
2821 the new beta8 route implementation based on the
2824 2004.07.27 -- Version 2.0-beta8
2826 * Added TCP support in server mode.
2827 * Added PKCS #12 support (Mathias Sundman).
2828 * Added patch to make revoke-crt and make-crl work
2829 seamlessly within the easy-rsa environment (Jan Kiszka).
2830 * Modified --mode server ethernet bridge code to forward
2831 special IEEE 802.1d MAC Groups, i.e. 01:80:C2:XX:XX:XX.
2832 * Added --dhcp-renew and --dhcp-release flags to Windows
2833 version. Normally DHCP renewal and release on the TAP
2834 adapter occurs automatically under Windows, however
2835 if you set the TAP-Win32 adapter Media Status property
2836 to "Always Connected", you may need these flags.
2837 * Added --show-net standalone flag to Windows version to
2838 show OpenVPN's view of the system adapter and routing
2840 * Added --show-net-up flag to Windows version to output
2841 the system routing table and network adapter list to
2842 the log file after the TAP-Win32 adapter has been brought
2843 up and any routes have been added.
2844 * Modified Windows version to add routes using the IP Helper
2845 API rather than by calling route.exe.
2846 * Fixed bug where --route-up script was not being called
2847 if no --route options were specified.
2848 * Added --mute-replay-warnings to suppress packet replay
2849 warnings. This is a common false alarm on WiFi nets.
2850 * Added "def1" flag to --redirect-gateway option to override
2851 the default gateway by using 0.0.0.0/1 and 128.0.0.0/1
2852 rather than 0.0.0.0/0. This has the benefit of overriding
2853 but not wiping out the original default gateway.
2854 (Thanks to Jim Carter for pointing out this idea).
2855 * You can now run OpenVPN with a single config file argument.
2856 For example, you can now say "openvpn config.conf"
2857 rather than "openvpn --config config.conf".
2858 * On Windows, made --route and --route-delay more adaptive
2859 with respect to waiting for interfaces referenced by the
2860 route destination to come up. Routes added by --route
2861 should now be added as soon as the interface comes up,
2862 rather than after an obligatory 10 second delay. The
2863 way this works internally is that --route-delay now
2864 defaults to 0 on Windows. Previous versions would
2865 wait for --route-delay seconds then add the routes.
2866 This version will wait --route-delay seconds and then
2867 test the routing table at one second intervals for the
2868 next 30 seconds and will not add the routes until they
2869 can be added without errors.
2870 * On Windows, don't setsockopt SO_SNDBUF or SO_RCVBUF by
2871 default on TCP/UDP socket in light of reports that this
2872 action can have undesirable global side effects on the
2873 MTU settings of other adapters. These parameters can
2874 still be set, but you need to explicitly specify
2875 --sndbuf and/or --rcvbuf.
2876 * Added --max-clients option to limit the maximum number
2877 of simultaneously connected clients in server mode.
2878 * Added error message to illuminate shell escape gotcha when
2879 single backslashes are used in Windows path names.
2880 * Added optional netmask parm to --ifconfig-pool.
2881 * Fixed bug where http-proxy connect retry attempts were
2882 incorrectly going to the remote OpenVPN server,
2883 not to the HTTP proxy server.
2885 2004.06.29 -- Version 2.0-beta7
2887 * Fixed bug in link_socket_verify_incoming_addr() which
2888 under certain circumstances could have caused --float
2889 behavior even if --float was not specified.
2890 * --tls-auth option now works with --mode server.
2891 All clients and the server should use the same
2892 --tls-auth key when operating in client/server mode.
2893 * Added --engine option to make use of OpenSSL-supported
2894 crypto acceleration hardware.
2895 * Fixed some high verbosity print format size issues
2896 in event.c for 64 bit platforms (Janne Johansson).
2897 * Made failure to open --log or --log-append file
2900 2004.06.23 -- Version 2.0-beta6
2902 * Fixed Windows installer to intelligently put
2903 up a reboot dialog only if tapinstall tells
2904 us that it's really necessary.
2905 * Fixed "Assertion failed at fragment.c:309"
2906 bug when --mode server and --fragment are used
2908 * Ignore HUP, USR1, and USR2 signals during
2909 initialization. Prior versions would abort.
2910 * Fixed bug on OS X: "Assertion failed at event.c:406".
2911 * Added --service option to Windows version, for use
2912 when OpenVPN is being programmatically instantiated
2913 by another process (see man page for info).
2914 * --log and --log-append options now work on Windows.
2915 * Update OpenBSD INSTALL notes (Janne Johansson).
2916 * Enable multicast on tun interface when running on
2917 OpenBSD (Pavlin Radoslavov).
2918 * Fixed recent --test-crypto breakage, where options
2919 such as --cipher were not being parsed correctly.
2920 * Modified options compatibility string by removing
2921 ifconfig substring if it is empty. Incremented
2922 options compatibility string version number to 4.
2923 * Fixed typo in --tls-timeout option parsing
2926 2004.06.13 -- Version 2.0-beta5
2928 * Fixed rare --mode server crash that could occur
2929 if data was being routed to a client at
2930 high bandwidth at the precise moment that the
2931 client instance object on the server was being
2933 * Fixed issue on machines which have epoll.h and
2934 the epoll_create glibc call defined, but which
2935 don't actually implement epoll in the kernel.
2936 OpenVPN will now gracefully fall back to the
2937 poll API in this case.
2938 * Fixed Windows bug which would cause the following
2939 error in a --mode server --dev tap configuration:
2940 "resource limit WSA_MAXIMUM_WAIT_EVENTS has been
2942 * Added CRL (certificate revocation list) management
2943 scripts to easy-rsa directory (Jon Bendtsen).
2944 * Do a better job of getting the ifconfig component
2945 of the options consistency check to work correctly
2946 when --up-delay is used.
2947 * De-inlined some functions which were too complex
2948 to be inlined anyway with gcc.
2949 * If a --dhcp-option option is pushed to a non-windows
2950 client, the option will be saved in the client's
2951 environment before the --up script is called, under
2952 the name "foreign_option_{n}".
2953 * Added --learn-address script (see man page) which
2954 allows for firewall access through the VPN to be
2955 controlled based on the client common name.
2956 * In mode --server mode, when a client connects to
2957 the server, the server will disconnect any
2958 still-active clients which use the same common
2959 name. Use --duplicate-cn flag to revert to
2960 previous behavior of allowing multiple clients
2961 to concurrently connect with the same common name.
2963 2004.06.08 -- Version 2.0-beta4
2965 * Fixed issue with beta3 where Win32 service wrapper
2966 was keying off of old TAP HWID as a dependency. To
2967 ensure that the new service wrapper is correctly
2968 installed, the Windows install script will uninstall
2969 the old wrapper before installing the new one,
2970 causing a reset of service properties.
2971 * Fixed permissions issue on --status output file,
2972 with default access permissions of owner read/write
2973 only (default permissions can be changed of course with
2976 2004.06.05 -- Version 2.0-beta3
2978 * More changes to TAP-Win32 driver's INF file which
2979 affects the placement of the driver in the Windows
2980 device namespace. This is done to work around an
2981 apparent bug in Windows when short HWIDs are used,
2982 and will also ease the upgrade from 1.x to 2.0 by
2983 reducing the chances that a reboot will be needed
2984 on upgrade. Like beta2, this upgrade will
2985 delete existing TAP-Win32 interfaces, and reinstall
2986 a single new interface with default properties.
2987 * Major rewrite of I/O event wait layer in the style
2988 of libevent. This is a precursor to TCP support
2990 * New feature: --status. Outputs a SIGUSR2-like
2991 status summary to a given file, updated once
2992 per n seconds. The status file is comma delimited
2993 for easy machine parsing.
2994 * --ifconfig-pool now remembers common names and
2995 will try to assign a consistent IP to a given
2996 common name. Still to do: persist --ifconfig-pool
2997 memory across restarts by saving state in file.
2998 * Fixed bug in event timer queue which could cause
2999 recurring timer events such as --ping to not
3000 correctly schedule again after firing. This in
3001 turn would cause spurrious ping restarts and possible
3002 connection outages. Thanks to Denis Vlasenko for
3004 * Possible fix to reported bug where --daemon argument
3005 was not printing to syslog correctly after restart.
3006 * Fixed bug where pulling --route or --dhcp-option
3007 directives from a server would problematically
3008 interact with --persist-tun on the client.
3009 * Updated contrib/multilevel-init.patch (Farkas Levente).
3010 * Added RPM build option to .spec and .spec.in files
3011 to optionally disable LZO inclusion (Ian Pilcher).
3012 * The latest MingW runtime and headers define
3013 'ssize_t', so a patch is needed (Gisle Vanem).
3015 2004.05.14 -- Version 2.0-beta2
3017 * Fixed signal handling bug in --mode server, where
3018 SIGHUP and SIGUSR1 were treated as SIGTERM.
3019 * Changed the TAP-Win32 HWID from "TAP" to "TAPDEV".
3020 Apparently the larger string may work around
3021 a problem where the TAP adapter is sometimes missing
3022 from the network connections panel, especially under
3023 XP SP2. Also note that installing this upgrade will
3024 uninstall any pre-existing TAP-Win32 adapters, and then
3025 install a single new adapter, meaning that old adapter
3026 properties will be lost. Thanks to Md5Chap for solving
3028 * For --mode server --dev tap, the options --ifconfig and
3029 --ifconfig-pool are now optional. This allows address
3030 assignment via DHCP or use of a TAP VPN without
3031 IP support, as has always been possible with 1.x.
3032 * Fixed bug where --ifconfig may not work correctly on
3034 * Added 'local' flag to --redirect-gateway for use on
3035 networks where both OpenVPN daemons are connected
3036 to a shared subnet, such as wireless.
3038 2004.05.09 -- Version 2.0-beta1
3040 * Unchanged from test29 except for version number
3043 2004.05.08 -- Version 2.0-test29
3045 * Modified --dev-node on Windows to accept a TAP-Win32
3046 GUID name. In addition, --show-adapters will now
3047 display the high-level name and GUID of each adapter.
3048 This is an attempt to work around an issue in Windows
3049 where sometimes the TAP-Win32 adapter installs correctly
3050 but has no icon in the network connections control
3051 panel. In such cases, being able to specify
3052 --dev-node {TAP-GUID} can work around the missing icon.
3054 2004.05.07 -- Version 2.0-test28
3056 * Fixed bug which could cause segfault on program
3057 shutdown if --route and --persist-tun are used
3060 2004.05.06 -- Version 2.0-test27
3062 * Fixed bug in close_instance() which might cause
3063 memory to be accessed after it had already been freed.
3064 * Fixed bug in verify_callback() that might have
3065 caused uninitialized data to be referenced.
3066 * --iroute now allows full CIDR subnet routing.
3067 * In "--mode server --dev tun" usage, source addresses
3068 on VPN packets coming from a particular client must
3069 be associated with that client in the OpenVPN internal
3072 2004.04.28 -- Version 2.0-test26
3074 * Optimized broadcast path in multi-client mode.
3075 * Added socket buffer size options --rcvbuf & --sndbuf.
3076 * Configure Linux tun/tap driver to use a more sensible
3077 txqueuelen default. Also allow explicit setting
3078 via --txqueuelen option (Harald Roelle).
3079 * The --remote option now allows the port number
3080 to be specified as the second parameter. If
3081 unspecified, the port number defaults to the
3083 * Multiple --remote options on the client can now be
3084 specified for load balancing and failover. The
3085 --remote-random flag can be used to initially randomize
3086 the --remote list for basic load balancing.
3087 * If a remote DNS name resolves to multiple DNS addresses,
3088 one will be chosen by random as a kind of basic
3089 load-balancing feature if --remote-random is used.
3090 * Added --connect-freq option to control maximum
3091 new connection frequency in multi-client mode.
3092 * In multi-client mode, all syslog messages associated
3093 with a specific client now include a client-ID prefix.
3094 * For Windows, use a gettimeofday() function based
3095 on QueryPerformanceCounter (Derek Burdick).
3096 * Fixed bug in interaction between --key-method 2
3097 and DES ciphers, where dynamic keys would be generated
3098 with bad parity and then be rejected.
3100 2004.04.17 -- Version 2.0-test24
3102 * Reworked multi-client broadcast handling.
3104 2004.04.13 -- Version 2.0-test23
3106 * Fixed bug in --dev tun --client-to-client routing.
3107 * Fixed a potential deadlock in --pull.
3108 * Fixed a problem with select() usage which could
3109 cause a repeating sequence of "select : Invalid
3112 2004.04.11 -- Version 2.0-test22
3114 * Fixed bug where --mode server + --daemon was
3115 prematurely closing syslog connection.
3116 * Added support for --redirect-gateway on Mac OS X
3118 * Minor changes to TAP-Win32 driver based on feedback
3119 from the NDISTest tool.
3121 2004.04.11 -- Version 2.0-test21
3123 * Optimizations in multi-client server event loop.
3125 2004.04.10 -- Version 2.0-test20
3127 * --mode server capability now works with either tun
3128 or tap interfaces. When used with tap interfaces,
3129 OpenVPN will internally bridge all client tap
3130 interfaces with the server tap interface.
3131 * Connecting clients can now have a client-specific
3132 configuration on the server, based on the client
3133 common name embedded in the client certificate.
3134 See --client-config-dir and --client-connect.
3135 These options can be used to configure client-specific
3137 * Added an option --client-to-client that enables
3138 internal client-to-client routing or bridging.
3139 Otherwise, clients will only "see" the server,
3140 not other connected clients.
3141 * Fixed bug in route scheduling which would have caused
3142 --mode server to not work on Windows in test18
3143 and test19 with the sample config file.
3144 * Man page is up to date with all new options.
3145 * OpenVPN 2.0 release notes on web site updated
3146 with tap-style tunnel examples.
3148 2004.04.02 -- Version 2.0-test19
3150 * Fixed bug where routes pushed from server were
3151 not working correctly on Windows clients.
3152 * Added Mac OS X route patch (Jeremy Apple).
3154 2004.03.30 -- Version 2.0-test18
3156 * Minor fixes + Windows self-install modified
3157 to use OpenSSL 0.9.7d.
3159 2004.03.29 -- Version 2.0-test17
3161 * Fixed some bugs related to instance timeout and deletion.
3162 * Extended --push/--pull option to support additional
3165 2004.03.28 -- Version 2.0-test16
3167 * Successful test of --mode udp-server, --push,
3168 --pull, and --ifconfig-pool with server on
3169 Linux 2.4 and clients on Linux and Windows.
3171 2004.03.25 -- Version 2.0-test15
3173 * Implemented hash-table lookup of client instances
3174 based either on remote UDP address/port or remote
3176 * Implemented a randomized binary tree based
3177 scheduler for scalably scheduling a large number
3178 of client instance events. Uses the treap
3179 data structure and node rotation algorithm
3180 to keep the tree balanced.
3181 * Initial implementation of ifconfig-pool.
3182 * Made --key-method 2 the default.
3184 2004.03.20 -- Version 2.0-test14
3186 * Implemented --push and --pull.
3188 2004.03.20 -- Version 2.0-test13
3190 * Reduced struct tls_multi and --single-session
3192 * Modified --single-session flag to be used
3193 in multi-client UDP server client instances.
3195 2004.03.19 -- Version 2.0-test12
3197 * Added the key multi-client UDP server options,
3198 --mode, --push, --pull, and --ifconfig-pool.
3199 * Revamped GC (garbage collection) code to not rely
3201 * Modifications to thread.[ch] to allow a more
3202 flexible thread model.
3204 2004.03.16 -- Version 2.0-test11
3206 * Moved all timer code to interval.h, added new file
3208 * Fixed missing include.
3210 2004.03.16 -- Version 2.0-test10
3212 * More TAP-Win32 fixes.
3213 * Initial debugging and testing of multi.[ch].
3215 2004.03.14 -- Version 2.0-test9
3217 * Branch merge with 1.6-rc3
3218 * More point-to-multipoint work in multi.[ch].
3219 * Major TAP-Win32 driver restructuring to use
3220 NdisMRegisterDevice instead of
3221 IoCreateDevice/IoCreateSymbolicLink.
3222 * Changed TAP-Win32 symbolic links to use \DosDevices\Global\
3224 * In the majority of cases, TAP-Win32 should now be
3225 able to install and uninstall on Win2K without requiring
3227 * TAP-Win32 MAC address can now be explicitly set in the
3228 adapter advanced properties page.
3230 2004.03.04 -- Version 2.0-test8
3232 * Branch merge with 1.6-rc2.
3234 2004.03.03 -- Version 2.0-test7
3236 * Branch merge with 1.6-rc1.2.
3238 2004.03.02 -- Version 2.0-test6
3240 * Branch merge with 1.6-rc1.
3242 2004.03.02 -- Version 2.0-test5
3244 * Move Socks5 UDP header append/remove to socks.c, and is
3245 called from forward.c.
3246 * Moved verify statics from ssl.c into struct tls_session.
3247 * Wrote multi.[ch] to handle top level of point-to-multipoint
3249 * Wrote some code to allow a struct link_socket in a child context
3250 to be slaved to the parent context.
3251 * Broke up packet read and process functions in forward.c
3252 (from socket or tuntap) into separate functions for read
3253 and process, so that point-to-point and point-to-multipoint can
3254 share the same code.
3255 * Expand TLS control channel to allow the passing of configuration
3257 * Wrote mroute.[ch] to handle internal packet routing for
3258 point-to-multipoint mode.
3260 2004.02.22 -- Version 2.0-test3
3262 * Initial work on UDP multi-client server.
3263 * Branch merge of 1.6-beta7
3265 2004.02.14 -- Version 2.0-test2
3267 * Refactorization of openvpn.c into openvpn.[ch]
3268 init.[ch] forward.[ch] forward-inline.h
3269 occ.[ch] occ-inline.h ping.[ch] ping-inline.h
3270 sig.[ch]. Created a master per-tunnel
3271 struct context in openvpn.h.
3272 * Branch merge of 1.6-beta6.2
3274 2003.11.06 -- Version 2.0-test1
3276 * Initial testbed for 2.0.
3278 2004.05.09 -- Version 1.6.0
3280 * Unchanged from 1.6-rc4 except for version number
3283 2004.04.01 -- Version 1.6-rc4
3285 * Made minor customizations to devcon and
3286 renamed as tapinstall.exe for Windows version.
3287 * Fixed "storage size of `iv' isn't known" build
3289 * OpenSSL 0.9.7d bundled with Windows self-install.
3291 2004.03.13 -- Version 1.6-rc3
3293 * Minor Windows fixes for --ip-win32 dynamic, relating to
3294 the way the TAP-Win32 driver responds to a DHCP request
3295 from the Windows DHCP client.
3296 * The net_gateway environmental variable wasn't being
3297 set correctly for called scripts (Paul Zuber).
3298 * Added code to determine the default gateway on FreeBSD,
3299 allowing the --redirect-gateway option to work
3300 (Juan Rodriguez Hervella).
3302 2004.03.04 -- Version 1.6-rc2
3304 * Fixed bug in Windows version where the NetBIOS node-type
3305 DHCP option might have been passed even if it was not
3307 * Fixed bug in Windows version introduced in 1.6-rc1, where
3308 DHCP timeout would be set to 0 seconds if --ifconfig option
3309 was used and --ip-win32 option was not explicitly specified.
3310 * Added some new --dhcp-option types for Windows version.
3312 2004.03.02 -- Version 1.6-rc1
3314 * For Windows, make "--ip-win32 dynamic" the default.
3315 * For Windows, make "--route-delay 10" the default
3316 unless --ip-win32 dynamic is not used or --route-delay
3317 is explicitly specified.
3318 * L_TLS mutex could have been left in a locked state
3319 for certain kinds of TLS errors.
3321 2004.02.22 -- Version 1.6-beta7
3323 * Allow scheduling priority increase (--nice) together
3324 with UID/GID downgrade (--user/--group).
3325 * Code that causes SIGUSR1 restart on TLS errors in TCP
3326 mode was not activated in pthread builds.
3327 * Save the certificate serial number in an environmental
3328 variable called tls_serial_{n} prior to calling the
3329 --tls-verify script. n is the current cert chain level.
3330 * Added NetBSD IPv6 tunnel capability (also requires
3331 a kernel patch) (Horst Laschinsky).
3332 * Fixed bug in checking the return value of the nice()
3333 function (Ian Pilcher).
3334 * Bug fix in new FreeBSD IPv6 over TUN code which was
3335 originally added in 1.6-beta5 (Nathanael Rensen).
3336 * More Socks5 fixes -- extended the struct frame
3337 infrastructure to accomodate proxy-based encapsulation
3339 * Added --dhcp-option to Windows version for setting
3340 adapter properties such as WINS & DNS servers.
3341 * Use a default route-delay of 5 seconds when
3342 --ip-win32 dynamic is specified (only applicable when
3343 --route-delay is not explicitly specified).
3344 * Added "log_append" registry variable to control
3345 whether the OpenVPN service wrapper on Windows
3346 opens log files in append (log_append="1") or
3347 truncate (log_append="0") mode. The default
3350 2004.02.05 -- Version 1.6-beta6
3352 * UDP over Socks5 fix to accomodate Socks5 encapsulation
3353 overhead (Christof Meerwald).
3354 * Minor --ip-win32 dynamic tweaks (use long lease time,
3355 invalidate existing lease with DHCPNAK).
3357 2004.02.01 -- Version 1.6-beta5
3359 * Added Socks5 proxy support (Christof Meerwald).
3360 * IPv6 tun support for FreeBSD (Thomas Glanzmann).
3361 * Special TAP-Win32 debug mode for Windows self-install that was
3362 enabled in beta4 is now turned off.
3363 * Added some new Solaris notes to INSTALL (Koen Maris).
3364 * More work on --ip-win32 dynamic.
3366 2004.01.27 -- Version 1.6-beta4
3368 * For this beta, the Windows self-install is a debug version
3369 and will run slower -- use only for testing.
3370 * Reverted the --ip-win32 default back to 'ipapi'
3372 * Added the offset parameter to '--ip-win32 dynamic' which
3373 can be used to control the address of the masqueraded
3374 DHCP server which replies to Windows DHCP requests.
3375 * Added a wait/nowait option to --inetd (nowait can only
3376 be used with TCP sockets, TLS authentication, and over
3377 a bridged configuration -- see FAQ for more info)
3378 (Stefan `Sec` Zehl).
3379 * Added a build-time capability where TAP-Win32 driver
3380 debug messages can be output by OpenVPN at --verb 6
3383 2004.01.20 -- Version 1.6-beta2
3385 * Added ./configure --enable-iproute2 flag which
3386 uses iproute2 instead of route + ifconfig --
3387 this is necessary for the LEAF Linux distro
3389 * Added renewal-time and rebind-time to set of
3390 DHCP options returned by the TAP-Win32 driver when
3391 "--ip-win32 dynamic" is used.
3393 2004.01.14 -- Version 1.6-beta1
3395 * Fixed --proxy bug that sometimes caused plaintext
3396 control info generated by the proxy prior to http
3397 CONNECT method establishment to be incorrectly
3398 parsed as OpenVPN data.
3399 * For Windows version, implemented the
3400 "--ip-win32 dynamic" method and made it the default.
3401 This method sets the TAP-Win32 adapter IP address
3402 and netmask by replying to the kernel's DHCP queries.
3403 See the man page for more detailed info.
3404 * Added --connect-retry parameter which controls
3405 the time interval (in seconds) between connect()
3406 retries when --proto tcp-client is used. Previously,
3407 this value was hardcoded to 5 seconds, and still
3409 * --resolv-retry can now be used with a parameter
3410 of "infinite" to retry indefinitely.
3411 * Added SSL_CTX_use_certificate_chain_file() to ssl.c
3412 for support of multi-level certificate chains
3414 * Fixed --tls-auth incompatibility with 1.4.x and earlier
3415 versions of OpenVPN when the passphrase file is an
3416 OpenVPN static key file (as generated by --genkey).
3417 * Added shell-escape support in config files using
3418 the backslash character ("\") so that (for example)
3419 double quotes can be passed to the shell.
3420 * Added "contrib" subdirectory on tarball, source zip,
3421 and CVS containing user-submitted contributions.
3422 * Added an optional patch to the Redhat init script to
3423 allow the configuration file directory to be a
3424 multi-level directory hierarchy (Farkas Levente).
3425 See contrib/multilevel-init.patch
3426 * Added some scripts and documentation on using
3427 Linux "fwmark" iptables rules to enable
3428 fine-grained routing control over the VPN
3429 (Sean Reifschneider, <jafo@tummy.com>).
3430 See contrib/openvpn-fwmarkroute-1.00
3432 2003.11.20 -- Version 1.5.0
3434 * Minor documentation changes.
3436 2003.11.04 -- Version 1.5-beta14
3438 * Fixed build problem with ./configure --disable-ssl
3439 that was reported on Debian woody.
3440 * Fixed bug where --redirect-gateway could not be used
3441 together with --resolv-retry.
3443 2003.11.03 -- Version 1.5-beta13
3445 * Added CRL (certificate revocation list) capability using
3446 --crl-verify option (Stefano Bracalenti).
3447 * Added --replay-window option for variable replay-protection
3449 * Fixed --fragment bug which might have caused certain large
3450 packets to be sent unfragmented.
3451 * Modified --secret and --tls-auth to permit different cipher and
3452 HMAC keys to be used for each data flow direction. Also
3453 increased static key file size generated by --genkey from
3454 1024 to 2048 bits, where 512 bits each are reserved for
3455 send-HMAC, encrypt, receive-HMAC, and decrypt. Key file forward
3456 and backward compatibility is maintained. See --secret option
3457 documentation on the man page for more info.
3458 * Added --tls-remote option (Teemu Kiviniemi).
3459 * Fixed --tls-cipher documention regarding correct delimiter
3460 usage (Teemu Kiviniemi).
3461 * Added --key-method option for selecting alternative data
3462 channel key negotiation methods. Method 1 is the default.
3463 Method 2 has been added (see man page for more info).
3464 * Added French translation of HOWTO to web site
3465 (Guillaume Lehmann).
3466 * Fixed problem caused by late resolver library load on
3467 certain platforms when --resolv-retry and --chroot are
3468 used together (Teemu Kiviniemi).
3469 * In TCP mode, all decryption or TLS errors will abort the current
3470 connection (this is not done in UDP mode because UDP is
3472 * Fixed a TCP client reconnect bug that only occurs on the
3473 BSDs, where connect() fails with an invalid argument. This
3474 bug was partially (but not completely) fixed in beta7.
3475 * Added "route_net_gateway" environmental variable which contains
3476 the pre-existing default gateway address from the routing table
3477 (there's no standard API for getting the default gateway, so
3478 right now this feature only works on Windows or Linux).
3479 * Renamed the "route_default_gateway" enviromental variable to
3480 "route_vpn_gateway" -- this is the remote VPN endpoint.
3481 * The special keywords vpn_gateway, net_gateway, and remote_host
3482 can now be used for the network or gateway components of the
3483 --route option. See the man page for more info.
3484 * Added the --redirect-gateway option to configure the VPN
3485 as the default gateway (implemented on Linux and Windows only).
3486 * Added the --http-proxy option with basic authentication
3487 support for use in TCP client mode. Successfully tested
3488 using Squid as the HTTP proxy, with and without authentication.
3490 2003.10.12 -- Version 1.5-beta12
3492 * Fixed Linux-only bug in --mktun and --rmtun which was
3493 introduced around beta8 or so, which would cause
3494 an error such as "I don't recognize device tun0 as a
3495 tun or tap device1".
3496 * Added --ifconfig-nowarn option to disable options
3497 consistency warnings about --ifconfig parameters.
3498 * Don't allow any kind of sequence number backtracking or
3499 message reordering when in TCP mode.
3500 * Changed beta naming convention to use '_' (underscore)
3501 rather than '-' (dash) to pacify rpmbuild.
3503 2003.10.08 -- Version 1.5-beta11
3505 * Modified code in the Windows version which sets the IP address
3506 and netmask of the TAP-Win32 adapter using the IP Helper API.
3507 Most of the changes involve better error recovery when
3508 the IP Helper API returns an error status. See the
3509 manual page entry on --ip-win32 for more info.
3511 2003.10.08 -- Version 1.5-beta10
3513 * Added getpass() function for Windows version so that --askpass
3514 option works correctly (Stefano Bracalenti).
3515 * Added reboot advisory to end of Win32 install script.
3516 * Changed crypto code to use pseudo-random IVs rather than
3517 carrying forward the IV state from the previous packet.
3518 This is in response to item 2 in the following document:
3519 http://www.openssl.org/~bodo/tls-cbc.txt which points
3520 out weaknesses in TLS's use of the same IV carryforward
3521 approach. This change does not break protocol compatibility
3522 with previous versions of OpenVPN.
3523 * Made a change to the crypto replay protection code to also
3524 protect against certain kinds of packet reordering attacks.
3525 This change does not break protocol compatibility with
3526 previous versions of OpenVPN.
3527 * Added --ip-win32 option to provide several choices for
3528 setting the IP address on the TAP-Win32 adapter.
3529 * #ifdefed out non-CBC crypto modes by default.
3530 * Added --up-delay option to delay TUN/TAP open and --up script
3531 execution until after connection establishment. This option
3532 replaces the earlier windows-only option --tap-delay.
3534 2003.10.01 -- Version 1.5-beta9
3536 * Fixed --route-noexec bug where option was not parsed correctly.
3537 * Complain if --dev tun is specified without --ifconfig on Windows.
3538 * Fixed bug where TCP connections on windows would sometimes cause
3539 an assertion failure.
3540 * Added a new flag to TAP-Win32 advanced properties that allows one
3541 to set the adapter to be always "connected" even when an OpenVPN
3542 process doesn't have it open. The default behavior is to report
3543 a media status of connected only when an OpenVPN process has the
3545 * Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c
3546 DLLs in response to an OpenSSL security advisory.
3548 2003.09.30 -- Version 1.5-beta8
3550 * Extended the --ifconfig option to work on tap devices as well
3552 * Implemented the --ifconfig option for Windows, by calling the
3554 * By default, do an "arp -d *" on Windows after TAP-Win32 open to
3555 refresh the MAC cache. This behaviour can be disabled with
3557 * On Windows, allow the --dev-node parameter (which specifies
3558 the name of the TAP-Win32 adapter) to be omitted in cases where
3559 there is a single TAP-Win32 adapter on the system which can be
3560 assumed to be the default.
3561 * Modified the diagnostic --verb 5 debugging level to print 'R'
3562 for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read,
3563 and 'w' for TUN/TAP write.
3564 * Conditionalize OpenBSD read_tun and write_tun based on tun or tap
3566 * Added IPv6 tun support to OpenBSD (Thomas Glanzmann).
3567 * Make the --enable-mtu-dynamic ./configure option enabled by
3569 * Deprecated the --mtu-dynamic run-time option, in favor of
3571 * DNS names can now be used as --ifconfig parameters.
3572 * Significant work on TAP-Win32 driver to bring up to SMP standards.
3573 * On Windows, fixed dangling IRP problem if TAP-Win32 driver is
3574 unloaded or disabled, while a user-space process has it open.
3575 * On Windows, if --tun-mtu is not specified, it will be read from
3576 the TAP-Win32 driver via ioctl.
3577 * On Windows, added TAP-Win32 driver status info to "F2" keyboard
3578 signal (only when run from a console window).
3579 * Added --mssfix option to control TCP MSS size (YANO Hirokuni).
3580 * Renamed --mtu-dynamic option to --fragment to more accurately
3581 reflect its function. Fragment accepts a single parameter which
3582 is the upper limit on acceptable UDP packet size.
3583 * Changed default --tun-mtu-extra parameter to 32 from 64.
3584 * Eliminated reference to malloc.o in configure.ac.
3585 * Added tun device emulation to the TAP-Win32 driver.
3586 * Added --route and related options.
3587 * Added init script for SuSE Linux (Frank Plohmann).
3588 * Extended option consistency check between peers to function
3589 in all crypto modes, including static-key and cleartext modes.
3590 Previously only TLS mode was supported. Disable with
3592 * Overall, increased the amount of configuration option sanity
3593 checking, especially of networking parameters.
3594 * Added --mtu-test option for empirical MTU measurement.
3595 * Added Windows-only option --tap-delay to not set the TAP-Win32
3596 adapter media state to 'connected' until TCP/UDP connection
3597 establishment with peer.
3598 * Slightly modified --route/--route-delay semantics so that when
3599 --route is given without --route-delay, routes are added
3600 immediately after tun/tap device open. When --route-delay is
3601 specified, routes will be added n seconds after connection
3602 initiation, where n is the --route-delay parameter (which
3604 * Made TCP framing error into a non-fatal error that triggers a
3607 2003.08.28 -- Version 1.5-beta7
3609 * Fixed bug that caused OpenVPN not to respond to exit/restart
3610 signals when --resolv-retry is used and a local or remote DNS
3611 name cannot be resolved.
3612 * Exported a series of environmental variables with useful
3613 info for scripts. See man page for more info. Based
3614 on a suggestion by Anthony Ciaravalo.
3615 * Moved TCP/UDP socket bind to a point in the initialization
3616 before the --up script gets called. This is desirable
3617 because (a) a socket bind failure will happen before
3618 daemonization, allowing an error status code to be returned
3619 to the shell and (b) the possibility is eliminated of a
3620 socket bind failure causing the --up script to be run
3621 but not the --down script. This change has a side effect
3622 that --resolv-retry will no longer work with --local.
3623 * Fixed bug where if an OpenVPN TCP server went down and back
3624 up again, Solaris or FreeBSD clients would fail to reconnect
3626 * Fixed bug that prevented OpenVPN from being run by
3627 inetd/xinetd in TCP mode.
3628 * Added --log and --log-append options for logging messages to
3630 * On Windows, check that the current user is a member of the
3631 Administrator group before attempting install or uninstall.
3633 2003.08.16 -- Version 1.5-beta6
3635 * Fixed TAP-Win32 driver to properly increment the Rx/Tx count.
3637 2003.08.14 -- Version 1.5-beta5
3639 * Added user-configurability of the TAP-Win32 adapter MTU
3640 through the adapter advanced properties page.
3641 * Added Windows Service support.
3642 * On Windows, added file association and right-clickability
3643 for .ovpn files (OpenVPN config files).
3645 2003.08.05 -- Version 1.5-beta4
3647 * Extra refinements and error checking added to Windows
3648 NSIS install script.
3650 2003.08.05 -- Version 1.5-beta3
3652 * Added md5.h include to crypto.c to fix build problem on
3654 * Created a Win32 installer using NSIS.
3655 * Removed DelService command from TAP-Win32 INF file. It appears
3656 to be not necessary and it interfered with the ability to
3657 uninstall and reinstall the driver without needing to reboot.
3658 * On Windows version, added "addtap" and "deltapall" batch
3659 files to add and delete TAP-Win32 adapter instances.
3661 2003.07.31 -- Version 1.5-beta2
3663 * Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted
3664 in Windows ASCII so it's easier to click and view.
3665 * Added postscript and PDF versions of the HOWTO to the web
3667 * Merged Michael Clarke's stability patch into TAP-Win32
3668 driver which appears to fix the suspend/resume driver bug
3669 and significantly improve driver stability.
3670 * Added Christof Meerwald's Media Status patch to the
3671 TAP-Win32 driver which shows the TAP adapter to be
3672 disconnected when OpenVPN is not running.
3673 * Moved socket connect and TCP server listen code to a later
3674 point in openvpn() function so that the TCP server listen
3675 state is entered after daemonization.
3676 * Added keyboard shortcuts to simulate signals in the Windows
3677 version, see the window title bar for descriptions.
3679 2003.07.24 -- Version 1.5-beta1
3681 * Added TCP support via the new --proto option.
3682 * Renamed udp-centric options such as --udp-mtu to
3683 --link-mtu (old option names preserved for compatibility).
3684 * Ported to Windows 2000 + XP using mingw and a TAP driver
3685 derived from the Cipe-Win32 project by Damion K. Wilson.
3686 * Added --show-adapters flag for windows version.
3687 * Reworked the SSL/TLS packet acknowledge code to better
3688 handle certain corner cases.
3689 * Turned off the default enabling of IP forwarding in the
3690 sample-scripts/openvpn.init script for Redhat.
3691 Forwarding can be enabled by users in their --up scripts
3693 * Added --up-restart option based on suggestion from Sean
3695 * If --dev tap or --dev-type tap is specified, --tun-mtu
3696 defaults to 1500 and --tun-mtu-extra defaults to 64.
3697 * Enabled --verb 5 debugging mode that prints 'R' and 'W'
3698 for each packet read or write on the TCP/UDP socket.
3700 2003.08.04 -- Version 1.4.3
3702 * Added md5.h include to crypto.c
3703 to fix build problem on OpenBSD.
3705 2003.07.15 -- Version 1.4.2
3707 * Removed adaptive bandwidth from
3708 --mtu-dynamic -- its absence appears
3709 to work better than its existence (1.4.1.2).
3710 * Minor changes to --shaper to fix long
3711 retransmit timeouts at low bandwidth
3713 * Added LOG_RW flag to openvpn.h for
3714 debugging (1.4.1.2).
3715 * Silenced spurious configure warnings (1.4.1.2).
3716 * Backed out --dev-name patch, modified --dev
3717 to offer equivalent functionality (1.4.1.4).
3718 * Added an optional parameter to --daemon and
3719 --inetd to support the passing of a custom
3720 program name to the system logger (1.4.1.5).
3721 * Add compiled-in options to the program title
3723 * Coded the beginnings of a WIN32 port (1.4.1.5).
3724 * Succeeded in porting to Win32 Mingw environment
3725 and running loopback tests (1.4.1.6). Still
3726 need a kernel driver for full Win32
3728 * Fixed a bug in error.h where
3729 HAVE_CPP_VARARG_MACRO_GCC was misspelled.
3730 This would have caused a significant slowdown
3731 of OpenVPN when built by compilers that
3732 lack ISO C99 vararg macros (1.4.1.6).
3733 * Created an init script for Gentoo Linux
3734 in ./gentoo directory (1.4.1.6).
3736 2003.05.15 -- Version 1.4.1
3738 * Modified the Linux 2.4 TUN/TAP open code to
3739 fall back to the 2.2 TUN/TAP interface if the
3740 open or ioctl fails.
3741 * Fixed bug when --verb is set to 0 and non-fatal
3742 socket errors occur, causing 100% CPU utilization.
3743 Occurs on platorms where
3744 EXTENDED_SOCKET_ERROR_CAPABILITY is defined,
3746 * Fixed typo in tun.c that was preventing
3748 * Added --enable-mtu-dynamic configure option
3749 to enable --mtu-dynamic experimental option.
3751 2003.05.07 -- Version 1.4.0
3753 * Added --replay-persist feature to allow replay
3754 protection across sessions.
3755 * Fixed bug where --ifconfig could not be used
3757 * Added --tun-mtu-extra parameter to deal with
3758 the situation where a read on a TUN/TAP device
3759 returns more data than the device's MTU size.
3760 * Fixed bug where some IPv6 support code for
3761 Linux was not being properly ifdefed out for
3762 Linux 2.2, causing compile errors.
3763 * Added OPENVPN_EXIT_STATUS_x codes to
3764 openvpn.h to control which status value
3765 openvpn returns to its caller (such as
3766 a shell or inetd/xinetd) for various conditions.
3767 * Added OPENVPN_DEBUG_COMMAND_LINE flag to
3768 openvpn.h to allow debugging in situations
3769 where stdout, stderr, and syslog cannot be used
3770 for message output, such as when OpenVPN is
3771 instantiated by inetd/xinetd.
3772 * Removed owner-execute permission from file
3773 created by static key generator (Herbert Xu
3774 and Alberto Gonzalez Iniesta).
3775 * Added --passtos option to allow IPv4 TOS bits
3776 to be passed from TUN/TAP input packets to
3777 the outgoing UDP socket (Craig Knox).
3778 * Added code to prevent open socket file descriptors
3779 from being accessible to called scripts.
3780 * Added --dev-name option (Christian Lademann).
3781 * Added --mtu-disc option for manual control
3783 * Show OS MTU value on UDP socket write failures
3785 * Numerous build system and portability
3786 fixes (Matthias Andree).
3787 * Added better sensing of compiler support for
3788 variable argument macros, including (a) gcc
3789 style, (b) ISO C 1999 style, and (c) no support.
3790 * Removed generated files from CVS. Note INSTALL
3791 file for new CVS build commands.
3792 * Changed certain internal symbol names
3793 for C standards compliance.
3794 * Added TUN/TAP open code to cycle dynamically
3795 through unit numbers until it finds a free
3796 unit (based on code from Thomas Gielfeldt
3798 * Added dynamic MTU and fragmenting infrastructure
3799 (Experimental). Rebuild with FRAGMENT_ENABLE
3801 * Minor changes to SSL/TLS negotiation, use
3802 exponential backoff on retransmits, and use
3803 a smaller MTU size (note that no protocol
3804 changes have been made which would break
3805 compatibility with 1.3.x).
3806 * Added --enable-strict-options flag
3807 to ./configure. This option will cause
3808 a more strict check for options compatibility
3809 between peers when SSL/TLS negotiation is used,
3810 but should only be used when both OpenVPN peers
3811 are of the same version.
3812 * Reorganization of debugging levels.
3813 * Added a workaround in configure.ac for
3814 default SSL header location on Linux
3815 to fix RH9 build problem.
3816 * Fixed potential deadlock when pthread support
3817 is used on OSes that allocate a small socketpair()
3819 * Fixed openvpn.init to be sh compliant
3821 * Changed --daemon to wait until all
3822 initialization is finished before becoming a
3823 daemon, for the benefit of initialization
3824 scripts that want a useful return status from
3825 the openvpn command.
3826 * Made openvpn.init script more robust, including
3827 positive indication of initialization errors
3828 in the openvpn daemon and better sanity checks.
3829 * Changed --chroot to wait until initialization
3830 is finished before calling chroot(), and allow
3831 the use of --user and --group with --chroot.
3832 * When syslog logging is enabled (--daemon or
3833 --inetd), set stdin/stdout/stderr to point
3835 * For inetd instantiations, dup socket descriptor
3837 * Fixed bug in verify-cn script, where test would
3838 incorrectly fail if CN=x was the last component
3839 of the X509 composite string (Anonymous).
3840 * Added Markus F.X.J. Oberhumer's special
3841 license exception to COPYING.
3843 2002.10.23 -- Version 1.3.2
3845 * Added SSL_CTX_set_client_CA_list call
3846 to follow the canonical form for TLS initialization
3847 recommended by the OpenSSL docs. This change allows
3848 better support for intermediate CAs and has no impact
3850 * Added build-inter script to easy-rsa package, to
3851 facilitate the generation of intermediate CAs.
3852 * Ported to NetBSD (Dimitri Goldin).
3853 * Fixed minor bug in easy-rsa/sign-req. It refers to
3854 openssl.cnf file, instead of $KEY_CONFIG, like all
3855 other scripts (Ernesto Baschny).
3856 * Added --days 3650 to the root CA generation command
3857 in the HOWTO to override the woefully small 30 day
3858 default (Dominik 'Aeneas' Schnitzer).
3859 * Fixed bug where --ping-restart would sometimes
3860 not re-resolve remote DNS hostname.
3861 * Added --tun-ipv6 option and related infrastructure
3862 support for IPv6 over tun.
3863 * Added IPv6 over tun support for Linux (Aaron Sethman).
3864 * Added FreeBSD 4.1.1+ TUN/TAP driver notes to
3865 INSTALL (Matthias Andree).
3866 * Added inetd/xinetd support (--inetd) including
3867 documentation in the HOWTO.
3868 * Added "Important Note on the use of commercial certificate
3869 authorities (CAs) with OpenVPN" to HOWTO based on
3870 issues raised on the openvpn-users list.
3872 2002.07.10 -- Version 1.3.1
3874 * Fixed bug in openvpn.spec and openvpn.init
3875 which caused RPM upgrade to fail.
3877 2002.07.10 -- Version 1.3.0
3879 * Added --dev-node option to allow explicit selection of
3880 tun/tap device node.
3881 * Removed mlockall call from child thread, as it doesn't
3882 appear to be necessary (child thread inherits mlockall
3884 * Added --ping-timer-rem which causes timer for --ping-exit
3885 and --ping-restart not to run unless we have a remote IP
3887 * Added condrestart to openvpn.init and openvpn.spec
3889 * Added --ifconfig case for FreeBSD (Matthias Andree).
3890 * Call openlog with facility=LOG_DAEMON (Matthias Andree).
3891 * Changed LOG_INFO messages to LOG_NOTICE.
3892 * Added warning when key files are group/others accessible.
3893 * Added --single-session flag for TLS mode.
3894 * Fixed bug where --writepid would segfault if used with
3895 an invalid filename.
3896 * Fixed bug where --ipchange status message was formatted
3898 * Print more concise error message when system() call
3900 * Added --disable-occ option.
3901 * Added --local, --remote, and --ifconfig options sanity
3903 * Changed default UDP MTU to 1300 and TUN/TAP MTU to
3905 * Successfully tested with OpenSSL 0.9.7 Beta 2.
3906 * Broke out debug level definitions to errlevel.h
3907 * Minor documentation and web site changes.
3908 * All changes maintain protocol compatibility
3909 with OpenVPN versions since 1.1.0, however default
3910 MTU changes will require setting the MTU explicitly
3911 by command line option, if you want 1.3.0 to
3912 communicate with previous versions.
3914 2002.06.12 -- Version 1.2.1
3916 * Added --ping-restart option to restart
3917 connection on ping timeout using SIGUSR1
3918 logic (Matthias Andree).
3919 * Added --persist-tun, --persist-key,
3920 --persist-local-ip, and --persist-remote-ip
3921 options for finer-grained control over SIGUSR1
3922 and --ping-restart restarts. To
3923 replicate previous SIGUSR1 functionality,
3924 use --persist-remote-ip.
3925 * Changed residual IV fetching code to take
3926 IV from tail of ciphertext.
3927 * Added check to make sure that CFB or OFB
3928 cipher modes are only used with SSL/TLS
3929 authentication mode, and added a caveat
3931 * Changed signal handling during initialization
3932 (including re-initialization during restarts)
3933 to exit on SIGTERM or SIGINT and ignore other
3934 signals which would ordinarily be caught.
3935 * Added --resolv-retry option to allow
3936 retries on hostname resolution.
3937 * Expanded the --float option to also
3938 allow dynamic changes in source port number
3939 on incoming datagrams.
3940 * Added --mute option to limit repetitive
3941 logging of similar message types.
3942 * Added --group option to downgrade GID
3943 after initialization.
3944 * Try to set ifconfig path automatically
3946 * Added --ifconfig code for Mac OS X
3947 (Christoph Pfisterer).
3948 * Moved "Peer Connection Initiated" message
3950 * Successfully tested with
3951 OpenSSL 0.9.7 Beta 1 and AES cipher.
3952 * Added RPM notes to INSTALL.
3953 * Added ACX_PTHREAD (from the autoconf
3954 macro archive) to configure.ac
3955 to figure out the right pthread
3956 options for a given platform.
3957 * Broke out macro definitions from
3958 configure.ac to acinclude.m4.
3959 * Minor changes to docs and HOWTO.
3960 * All changes maintain protocol compatibility
3961 with OpenVPN versions since 1.1.0.
3963 2002.05.22 -- Version 1.2.0
3965 * Added configuration file support via
3966 the --config option.
3967 * Added pthread support to improve latency.
3968 With pthread support, OpenVPN
3969 will offload CPU-intensive tasks such as RSA
3970 key number crunching to a background thread
3971 to improve tunnel packet forwarding
3972 latency. pthread support can be enabled
3973 with the --enable-pthread configure option.
3974 Pthread support is currently available
3975 only for Linux and Solaris.
3976 * Added --dev-type option so that tun/tap
3977 device names don't need to begin with
3979 * Added --writepid option to write main
3980 process ID to a file.
3981 * Numerous portability fixes to ease
3982 porting to other OSes including changing
3983 all network types to uint8_t and uint32_t,
3984 and not assuming that time_t is 32 bits.
3985 * Backported to OpenSSL 0.9.5.
3986 * Ported to Solaris.
3987 * Finished OpenBSD port except for
3989 * Added initialization script:
3990 sample-scripts/openvpn.init
3992 * Ported to Mac OS X (Christoph Pfisterer).
3993 * Improved resilience to DoS attacks when
3994 TLS mode is used without --remote or
3995 --tls-auth, or when --float is used
3996 with --remote. Note however that the best
3997 defense against DoS attacks in TLS mode
3998 is to use --tls-auth.
3999 * Eliminated automake/autoconf dependency
4001 * Ported configure.in to configure.ac
4003 * SIGHUP signal now causes OpenVPN to restart
4004 and re-read command line and or config file,
4005 in conformance with canonical daemon behaviour.
4006 * SIGUSR1 now does what SIGHUP did in
4007 version 1.1.1 and earlier -- close and reopen
4008 the UDP socket for use when DHCP changes
4009 host's IP address and preserve most recently
4010 authenticated peer address without rereading
4012 * SIGUSR2 added -- outputs current statistics,
4013 including compression statistics.
4014 * All changes maintain protocol compatibility
4015 with 1.1.1 and 1.1.0.
4017 2002.04.22 -- Version 1.1.1
4019 * Added --ifconfig option to automatically configure
4021 * Added inactivity disconnect (--inactive
4022 and --ping-exit options).
4023 * Added --ping option to keep stateful firewalls
4025 * Added sanity check to command line parser to
4026 err if any TLS options are used in non-TLS mode.
4027 * Fixed build problem with compiler environments that
4028 define printf as a macro.
4029 * Fixed build problem on linux systems that have
4030 an integrated TUN/TAP driver but lack the persistent
4031 tunnel feature (TUNSETPERSIST). Some linux kernels
4032 >= 2.4.0 and < 2.4.7 fall into this category.
4033 * Changed all calls to EVP_CipherInit to use explicit
4034 encrypt/decrypt mode in order to fix problem with
4035 IDEA-CBC and AES-256-CBC ciphers.
4036 * Minor changes to control channel transmit limiter
4037 algorithm to fix problem where TLS control channel
4038 might not renegotiate within the default 60 second window.
4039 * Simplified man page examples by taking advantage
4040 of the new --ifconfig option.
4041 * Minor changes to configure.in to check more
4042 rigourously for OpenSSL 0.9.6 or greater.
4043 * Put back openvpn.spec, eliminated
4045 * Modified openvpn.spec to reflect new automake-based
4046 build environment (Bishop Clark).
4047 * Other documentation changes.
4048 * Added --test-crypto option for debugging.
4049 * Added "missing" and "mkinstalldirs" automake
4053 2002.04.09 -- Version 1.1.0
4055 * Strengthened replay protection and IV handling,
4056 extending it fully to both static key and
4057 TLS dynamic key exchange modes.
4058 * Added --mlock option to disable paging and ensure that key
4059 material and tunnel data is never paged to disk.
4060 * Added optional traffic shaping feature to cap the maximum
4061 data rate of the tunnel.
4062 * Converted to automake (The Platypus Brothers 2002-04-01).
4063 * Ported to OpenBSD by Janne Johansson.
4064 * Added --tun-af-inet option to work around an incompatibility
4065 between Linux and BSD tun drivers.
4066 * Sequence number-based replay protection using the
4067 IPSec sliding window model is now the default,
4068 disable with --no-replay.
4069 * Explicit IV is now the default, disable with --no-iv.
4070 * Disabled all cipher modes except CBC, CFB, and OFB.
4071 * In CBC mode, use explicit IV and carry forward residuals,
4073 * In CFB/OFB mode, IV is timestamp, sequence number.
4074 * Eliminated --packet-id, --timestamp, and max-delta parameter to
4075 the --tls-auth option as they are now supplanted by improved
4076 replay code which is enabled by default.
4077 * Eliminated --rand-iv as it is now obsolete with improved
4079 * Eliminated --reneg-err option as it increases vulnerability
4081 * Added weak key check for DES ciphers.
4082 * --tls-freq option is no longer specified on the command line,
4083 instead it now inherits its parameter from the
4084 --tls-timeout option.
4085 * Fixed bug that would try to free memory on exit that was
4086 never malloced if --comp-lzo was not specified.
4087 * Errata fixed in the man page examples: "test-ca" should be
4089 * Updated manual page.
4090 * Preliminary work in porting to OpenSSL 0.9.7.
4091 * Changed license to allowing linking with OpenSSL.
4093 2002.03.29 -- Version 1.0.3
4095 * Fixed a problem in configure with library ordering on the
4098 2002.03.28 -- Version 1.0.2
4100 * Improved the efficiency of the inner event loop.
4101 * Fixed a minor bug with timeout handling.
4102 * Improved the build system to build on RH 6.2 through 7.2.
4103 * Added an openvpn.spec file for RPM builders (Bishop Clark).
4105 2002.03.23 -- Version 1.0
4107 * Added TLS-based authentication and key exchange.
4108 * Added gremlin mode to stress test.
4111 2001.12.26 -- Version 0.91
4113 * Added any choice of cipher or HMAC digest.
4115 2001.5.13 -- Version 0.90
4118 * IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature.