2 Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
4 $Id: ChangeLog 1330 2006-10-01 11:45:06Z james $
6 2006.10.01 -- Version 2.0.9
8 * Windows installer updated with OpenSSL 0.9.7l DLLs to fix
9 published vulnerabilities.
11 * Fixed TAP-Win32 bug that caused BSOD on Windows Vista
12 (Henry Nestler). The TAP-Win32 driver has now been
13 upgraded to version 8.4.
15 2006.09.12 -- Version 2.0.8
17 * Windows installer updated with OpenSSL 0.9.7k DLLs to fix
18 RSA Signature Forgery (CVE-2006-4339).
19 * No changes to OpenVPN source code between 2.0.7 and 2.0.8.
21 2006.04.12 -- Version 2.0.7
23 * Code added in 2.0.6-rc1 to extend byte counters
24 to 64 bits caused a bug in the Windows version which has now
25 been fixed. The bug could cause intermittent crashes.
27 2006.04.05 -- Version 2.0.6
29 * Security Vulnerability affecting OpenVPN 2.0 through 2.0.5.
30 An OpenVPN client connecting to a
31 malicious or compromised server could potentially receive
32 "setenv" configuration directives from the server which could
33 cause arbitrary code execution on the client via a LD_PRELOAD
34 attack. A successful attack appears to require that (a) the
35 client has agreed to allow the server to push configuration
36 directives to it by including "pull" or the macro "client" in
37 its configuration file, (b) the client configuration file uses
38 a scripting directive such as "up" or "down", (c) the client
39 successfully authenticates the server, (d) the server is
40 malicious or has been compromised and is under the control of
41 the attacker, and (e) the attacker has at least some level of
42 pre-existing control over files on the client (this might be
43 accomplished by having the server respond to a client web
44 request with a specially crafted file). Credit: Hendrik Weimer.
47 The fix is to disallow "setenv" to be pushed to clients from
48 the server. For those who need this capability, OpenVPN
49 2.1 supports a new "setenv-safe" directive which is free
50 of this vulnerability.
52 * When deleting routes under Linux, use the route metric
53 as a differentiator to ensure that the route teardown
54 process only deletes the identical route which was originally
55 added via the "route" directive (Roy Marples).
57 * Fix the t_cltsrv.sh file in FreeBSD 4 jails
58 (Matthias Andree, Dirk Meyer, Vasil Dimov).
60 * Extended tun device configure code to support ethernet
61 bridging on NetBSD (Emmanuel Kasper).
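The 2.0.6 entry above describes the fix as refusing to accept "setenv" when it arrives in a server push. The following is an added example, not OpenVPN's own option parser, of a client-side allowlist applied to a PUSH_REPLY payload before any pushed directive takes effect; the allowlist contents, the struct layout, the helper names and the sample payload are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PUSHED  32
#define MAX_OPT_LEN 256

/* Directives this client is willing to take from the server. Assumed list for
 * the example: everything not here (setenv in particular, since it can set
 * LD_PRELOAD for an "up"/"down" script) is rejected rather than acted on. */
static const char *const pull_allowlist[] = {
    "route", "route-gateway", "ifconfig", "dhcp-option", "ping",
    "ping-restart", "push-continuation", "redirect-gateway", "comp-lzo",
    NULL
};

struct pull_result {
    char accepted[MAX_PUSHED][MAX_OPT_LEN];
    char rejected[MAX_PUSHED][MAX_OPT_LEN];
    int n_accepted;
    int n_rejected;
};

/* 1 if the directive name (first whitespace-delimited word) is allowlisted. */
static int directive_allowed(const char *opt)
{
    size_t len = 0;
    while (opt[len] != '\0' && !isspace((unsigned char)opt[len]))
        len++;
    for (int i = 0; pull_allowlist[i] != NULL; i++)
        if (strlen(pull_allowlist[i]) == len &&
            strncmp(opt, pull_allowlist[i], len) == 0)
            return 1;
    return 0;
}

/* Split "PUSH_REPLY,opt1,opt2,..." into options and sort each into accepted
 * or rejected. Returns the number rejected, or -1 if the payload is malformed
 * (wrong prefix, empty option, option too long, too many options). */
int filter_push_reply(const char *payload, struct pull_result *res)
{
    static const char prefix[] = "PUSH_REPLY";
    memset(res, 0, sizeof *res);
    if (strncmp(payload, prefix, strlen(prefix)) != 0)
        return -1;
    const char *p = payload + strlen(prefix);
    while (*p == ',') {
        p++;
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || len >= MAX_OPT_LEN ||
            res->n_accepted + res->n_rejected >= MAX_PUSHED)
            return -1;
        char opt[MAX_OPT_LEN];
        memcpy(opt, p, len);
        opt[len] = '\0';
        if (directive_allowed(opt))
            strcpy(res->accepted[res->n_accepted++], opt);
        else
            strcpy(res->rejected[res->n_rejected++], opt);
        p += len;
    }
    return *p == '\0' ? res->n_rejected : -1;
}

/* Demo helpers: counts for a payload, and whether a directive was rejected. */
int push_reply_rejected_count(const char *payload)
{
    struct pull_result r;
    return filter_push_reply(payload, &r);
}
int push_reply_accepted_count(const char *payload)
{
    struct pull_result r;
    return filter_push_reply(payload, &r) < 0 ? -1 : r.n_accepted;
}
int push_reply_rejects_directive(const char *payload, const char *directive)
{
    struct pull_result r;
    if (filter_push_reply(payload, &r) < 0)
        return 0;
    for (int i = 0; i < r.n_rejected; i++)
        if (strncmp(r.rejected[i], directive, strlen(directive)) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample: a server that pushes an LD_PRELOAD setenv alongside
     * ordinary routing options. */
    const char *sample =
        "PUSH_REPLY,route 10.8.0.0 255.255.255.0,"
        "setenv LD_PRELOAD /tmp/evil.so,dhcp-option DNS 10.8.0.1";
    struct pull_result r;
    int rejected = filter_push_reply(sample, &r);
    for (int i = 0; i < r.n_accepted; i++) printf("accept: %s\n", r.accepted[i]);
    for (int i = 0; i < r.n_rejected; i++) printf("REJECT: %s\n", r.rejected[i]);
    return rejected == 1 ? 0 : 1;
}
```

The check matches on the directive name only, so a renamed or suffixed directive ("setenv-safe" in 2.1) is a separate allowlist decision rather than an accidental match; a malformed payload is refused outright instead of being partially applied.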
63 2006.01.03 -- Version 2.0.6-rc1
65 * Fixed bug where "make check" inside a FreeBSD "jail"
66 would never complete (Matthias Andree).
67 * Fixed bug where --server directive in --dev tap mode
68 claimed that it would support subnets of /30 or less
69 but actually would only accept /29 or less.
70 * Extend byte counters to 64 bits (M. van Cuijk).
71 * Fixed bug in acinclude.m4 where capability of compiler
72 to handle zero-length arrays in structs is tested
74 * Fixed typo in manage.c where inline function declaration
75 was declared without the "static" keyword (David Stipp).
76 * Removed redundant base64 code.
77 * Better sanity checking of --server and --server-bridge
78 IP pool ranges, so as not to hit the assertion at
80 * Fixed bug where --daemon and --management-query-passwords
81 used together would cause OpenVPN to block prior to
83 * Fixed client/server race condition which could occur
84 when --auth-retry interact is set and the initially
85 provided auth-user-pass credentials are incorrect,
86 forcing a username/password re-query.
87 * Fixed bug where if --daemon and --management-hold are
88 used together, --user or --group options would be ignored.
90 2005.11.02 -- Version 2.0.5
92 * Fixed bug in Linux get_default_gateway function
93 introduced in 2.0.4, which would cause redirect-gateway
94 on Linux clients to fail.
95 * Restored easy-rsa/2.0 tree (backported from 2.1 beta
96 series) which accidentally disappeared in
97 2.0.2 -> 2.0.4 transition.
99 2005.11.01 -- Version 2.0.4
101 * Security fix -- Affects non-Windows OpenVPN clients of
102 version 2.0 or higher which connect to a malicious or
103 compromised server. A format string vulnerability
104 in the foreign_option function in options.c could
105 potentially allow a malicious or compromised server
106 to execute arbitrary code on the client. Only
107 non-Windows clients are affected. The vulnerability
108 only exists if (a) the client's TLS negotiation with
109 the server succeeds, (b) the server is malicious or
110 has been compromised such that it is configured to
111 push a maliciously crafted options string to the client,
112 and (c) the client indicates its willingness to accept
113 pushed options from the server by having "pull" or
114 "client" in its configuration file (Credit: Vade79).
116 * Security fix -- Potential DoS vulnerability on the
117 server in TCP mode. If the TCP server accept() call
118 returns an error status, the resulting exception handler
119 may attempt to indirect through a NULL pointer, causing
120 a segfault. Affects all OpenVPN 2.0 versions.
122 * Fix attempt of assertion at multi.c:1586 (note that
123 this precise line number will vary across different
124 versions of OpenVPN).
125 * Added ".PHONY: plugin" to Makefile.am to work around
127 * Fixed double fork issue that occurs when --management-hold
129 * Moved TUN/TAP read/write log messages from --verb 8 to 6.
130 * Warn when multiple clients having the same common name or
131 username usurp each other when --duplicate-cn is not used.
132 * Modified Windows and Linux versions of get_default_gateway
133 to return the route with the smallest metric
134 if multiple 0.0.0.0/0.0.0.0 entries are present.
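The first 2.0.4 entry above is a format-string bug: a server-supplied string reaching a printf-family function as the format argument. As an added illustration, not the actual options.c code (whose details the entry does not give), the pair below shows the bug class and its fix side by side, plus a boundary check that refuses a pushed string containing a conversion character at all. The function names and sample strings are invented for this example.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the untrusted string *is* the format. Every '%' in it
 * is interpreted as a conversion, reading (or with %n, writing) through
 * whatever happens to be in the argument area. The pragmas only silence the
 * compiler's literal-format check so the pattern can be shown next to the fix. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int format_pushed_option_unsafe(char *out, size_t outlen, const char *pushed)
{
    return snprintf(out, outlen, pushed);
}
#pragma GCC diagnostic pop

/* Fixed pattern: the format is a literal and the untrusted string is only
 * ever a %s argument, so its bytes are copied, never interpreted. */
int format_pushed_option_safe(char *out, size_t outlen, const char *pushed)
{
    return snprintf(out, outlen, "%s", pushed);
}

/* Defence in depth at the parse boundary: a pushed option has no business
 * containing '%' at all, so reject it before it reaches any formatting code. */
int has_format_directive(const char *pushed)
{
    return strchr(pushed, '%') != NULL;
}

/* Demo helpers: 1 if the given variant renders `pushed` as `expected`. */
int unsafe_output_equals(const char *pushed, const char *expected)
{
    char buf[128];
    format_pushed_option_unsafe(buf, sizeof buf, pushed);
    return strcmp(buf, expected) == 0;
}
int safe_output_equals(const char *pushed, const char *expected)
{
    char buf[128];
    format_pushed_option_safe(buf, sizeof buf, pushed);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed pushed strings. "%%" is the one conversion that is harmless
     * and deterministic, which is why it is used to show the difference. */
    const char *benign  = "dhcp-option DNS 10.8.0.1";
    const char *crafted = "dhcp-option DOMAIN 100%%";
    char a[128], b[128];
    format_pushed_option_unsafe(a, sizeof a, crafted);
    format_pushed_option_safe(b, sizeof b, crafted);
    printf("unsafe: %s\nsafe:   %s\n", a, b);
    printf("'%s' contains format chars: %d\n", benign, has_format_directive(benign));
    return 0;
}
```

With the crafted input the unsafe variant collapses "%%" to "%", proof that the server's bytes were parsed as conversions; anything beyond "%%" in that position is undefined behaviour and is exactly what an attacker supplies.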
136 2005.09.25 -- Version 2.0.3-rc1
138 * openvpn_plugin_abort_v1 function wasn't being properly
139 registered on Windows.
140 * Fixed a bug where --mode server --proto tcp-server --cipher none
141 operation could cause tunnel packet truncation.
143 2005.08.25 -- Version 2.0.2
145 * No change from 2.0.2-rc1.
147 2005.08.24 -- Version 2.0.2-rc1
149 * Fixed regression bug in Win32 installer, introduced in 2.0.1,
150 which incorrectly set OpenVPN service to autostart.
151 * Don't package source code zip file in Windows installer
152 in order to reduce the size of the installer. The source
153 zip file can always be downloaded separately if needed.
154 * Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD
155 version of get_default_gateway. The socket allocated for route
156 manipulation was never freed, so the number of mbufs grew
157 continuously and exhausted system resources after a while (Jaroslav Klaus).
158 * Fixed bug where "--proto tcp-server --mode p2p --management
159 host port" would cause the management port to not respond until
160 the OpenVPN peer connects.
161 * Modified pkitool script to be /bin/sh compatible (Johnny Lam).
163 2005.08.16 -- Version 2.0.1
165 * Security Fix -- DoS attack against server when run with "verb 0" and
166 without "tls-auth". If a client connection to the server fails
167 certificate verification, the OpenSSL error queue is not properly
168 flushed, which can result in another unrelated client instance on the
169 server seeing the error and responding to it, resulting in disconnection
170 of the unrelated client (CAN-2005-2531).
171 * Security Fix -- DoS attack against server by authenticated client.
172 This bug presents a potential DoS attack vector against the server
173 which can only be initiated by a connected and authenticated client.
174 If the client sends a packet which fails to decrypt on the server,
175 the OpenSSL error queue is not properly flushed, which can result in
176 another unrelated client instance on the server seeing the error and
177 responding to it, resulting in disconnection of the unrelated client
178 (CAN-2005-2532). Credit: Mike Ireton.
179 * Security Fix -- DoS attack against server by authenticated client.
180 A malicious client in "dev tap" ethernet bridging mode could
181 theoretically flood the server with packets appearing to come from
182 hundreds of thousands of different MAC addresses, causing the OpenVPN
183 process to deplete system virtual memory as it expands its internal
184 routing table. A --max-routes-per-client directive has been added
185 (default=256) to limit the maximum number of routes in OpenVPN's
186 internal routing table which can be associated with a given client
188 * Security Fix -- DoS attack against server by authenticated client.
189 If two or more client machines try to connect to the server at the
190 same time via TCP, using the same client certificate, and when
191 --duplicate-cn is not enabled on the server, a race condition can
192 crash the server with "Assertion failed at mtcp.c:411"
194 * Fixed server bug where under certain circumstances, the client instance
195 object deletion function would try to delete iroutes which had never been
196 added in the first place, triggering "Assertion failed at mroute.c:349".
197 * Added --auth-retry option to prevent auth errors from being fatal
198 on the client side, and to permit username/password requeries in case
199 of error. Also controllable via new "auth-retry" management interface
200 command. See man page for more info.
201 * Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0
202 * Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1'
204 * Implement "make check" to perform loopback tests (Matthias Andree).
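The third 2.0.1 security fix above bounds the number of learned MAC addresses per client so that a tap-mode client cannot exhaust memory by spoofing source addresses. The added example below, not OpenVPN's mroute code, applies that bound to a per-client learning table; the table layout, the 6-byte spoofed addresses and the frame counts are constructed for the illustration, and only the default of 256 comes from the entry.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ROUTES_PER_CLIENT 256   /* changelog default for --max-routes-per-client */

struct mac_addr { uint8_t b[6]; };

/* Source MACs learned from one client instance. A flat array is enough here;
 * the point is the cap, not the lookup structure. */
struct client_routes {
    struct mac_addr *macs;
    int count;
    int limit;
};

int client_routes_init(struct client_routes *c, int limit)
{
    c->macs = calloc(limit > 0 ? (size_t)limit : 1, sizeof *c->macs);
    c->count = 0;
    c->limit = limit;
    return c->macs != NULL;
}

void client_routes_free(struct client_routes *c)
{
    free(c->macs);
    c->macs = NULL;
    c->count = 0;
}

/* Learn the source MAC of a frame from this client. Returns 1 if it was
 * already known or was added, 0 if adding it would exceed the per-client cap,
 * in which case the caller drops the frame instead of growing the table. */
int learn_source_mac(struct client_routes *c, const struct mac_addr *m)
{
    for (int i = 0; i < c->count; i++)
        if (memcmp(c->macs[i].b, m->b, sizeof m->b) == 0)
            return 1;
    if (c->count >= c->limit)
        return 0;
    c->macs[c->count++] = *m;
    return 1;
}

/* Flooding client: `frames` frames, each with a distinct spoofed source MAC.
 * Returns the table size afterwards (never above `limit`). */
int simulate_flood(int limit, int frames)
{
    struct client_routes c;
    if (!client_routes_init(&c, limit))
        return -1;
    int dropped = 0;
    for (int i = 0; i < frames; i++) {
        struct mac_addr m = {{ 0x02, 0x00, (uint8_t)(i >> 24), (uint8_t)(i >> 16),
                               (uint8_t)(i >> 8), (uint8_t)i }};
        dropped += !learn_source_mac(&c, &m);
    }
    int count = c.count;
    client_routes_free(&c);
    printf("flood of %d frames: %d learned, %d dropped\n", frames, count, dropped);
    return count;
}

/* Well-behaved client: the same MAC on every frame occupies one slot. */
int simulate_repeat(int limit, int frames)
{
    struct client_routes c;
    if (!client_routes_init(&c, limit))
        return -1;
    const struct mac_addr m = {{ 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 }};
    for (int i = 0; i < frames; i++)
        learn_source_mac(&c, &m);
    int count = c.count;
    client_routes_free(&c);
    return count;
}

int main(void)
{
    simulate_flood(MAX_ROUTES_PER_CLIENT, 5000);
    return 0;
}
```

Memory for the table is allocated up front from the cap, so a flood costs the server a fixed amount per client no matter how many addresses it sends; without the cap the same loop would grow without bound.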
206 2005.07.21 -- Version 2.0.1-rc7
208 * Support LZO 2.01 which renamed its library to lzo2 (Matthias Andree).
209 * Include linux/types.h before checking for linux/errqueue.h (Matthias
212 2005.07.15 -- Version 2.0.1-rc6
214 * Commented out "user nobody" and "group nobody" in sample
215 client/server config files.
216 * Allow '@' character to be used in --client-config-dir
219 2005.07.04 -- Version 2.0.1-rc5
221 * Windows version will log a for-further-info URL when
222 initialization sequence is completed with errors.
223 * Added DLOPEN_PAM parameter to plugin/auth-pam/Makefile
224 to control whether auth-pam plugin links to PAM via
225 dlopen or -lpam. By default, DLOPEN_PAM=1 so pre-existing
226 behavior should be preserved. DLOPEN_PAM=0 is the preferred
227 setting to link via -lpam, but DLOPEN_PAM=1 works around
228 a bug in SuSE 9.1 (and possibly other distros as well)
229 where the PAM modules are not linked with -lpam. See
230 thread on openvpn-devel for more discussion about this
231 patch (Simon Perreault).
233 2005.06.15 -- Version 2.0.1-rc4
235 * Support LZO 2.00, including changes to configure script to
236 autodetect LZO version.
238 2005.06.12 -- Version 2.0.1-rc3
240 * Fixed a bug which caused standard file handles to not be closed
241 after daemonization when --plugin and --daemon are used together,
242 and if the plugin initialization function forks (as does auth-pam
243 and down-root) (Simon Perreault).
244 * Added client-side up/down scripts in contrib/pull-resolv-conf
245 for accepting server-pushed "dhcp-option DOMAIN" and "dhcp-option DNS"
246 on Linux/Unix systems (Jesse Adelman).
247 * Fixed bug where if client-connect scripts/plugins were cascaded,
248 and one (but not all) of them returned an error status, there might
249 be cases where for an individual script/plugin, client-connect was
250 called but not client-disconnect. The goal of this fix is to
251 ensure that if client-connect is called on a given client instance,
252 then client-disconnect will definitely be called. A potential
253 complication of this fix is that when client-connect functions are
254 cascaded, it's possible that the client-disconnect function would
255 be called in cases where the related client-connect function returned
256 an error status. This fix should not alter OpenVPN behavior when
257 scripts/plugins are not cascaded.
258 * Changed the hard-to-reproduce "Assertion failed at fragment.c:312"
259 fatal error to a warning: "FRAG: outgoing buffer is not empty".
260 Need more info on how to reproduce this one.
261 * When --duplicate-cn is used, the --ifconfig-pool allocation
262 algorithm will now allocate the first available IP address.
263 * When --daemon and --management-hold are used together,
264 OpenVPN will daemonize before it enters the management hold state.
266 2005.05.16 -- Version 2.0.1-rc2
268 * Modified vendor test in openvpn.spec file to match against
269 "Mandrakesoft" in addition to "MandrakeSoft".
270 * Using --iroute in a --client-config-dir file while in --dev tap
271 mode is not currently supported and will produce a warning
272 message. Fixed bug where in certain cases, in addition to
273 generating a warning message, this combination of options
274 would also produce a fatal assertion in mroute.c.
275 * Pass --auth-user-pass username to server-side plugin without
276 performing any string remapping (plugins, unlike scripts,
277 don't get any security benefit from string remapping).
278 This is intended to fix an issue with openvpn-auth-pam/pam_winbind
279 where backslash characters in a username ('\') were being remapped
281 * Updated OpenSSL DLLs in Windows build to 0.9.7g.
282 * Documented --explicit-exit-notify in man page.
283 * --explicit-exit-notify seconds parameter defaults to 1 if
286 2005.04.30 -- Version 2.0.1-rc1
288 * Fixed bug where certain kinds of fatal errors after
289 initialization (such as port in use) would leave plugin
290 processes (such as openvpn-auth-pam) still running.
291 * Added optional openvpn_plugin_abort_v1 plugin function for
292 closing initialized plugin objects in the event of a fatal
293 error by main OpenVPN process.
294 * When the --remote list is > 1, and --resolv-retry is not
295 specified (meaning that it defaults to "infinite"), apply the
296 infinite timeout to the --remote list as a whole, but try each
297 list item only once before moving on to the next item.
298 * Added new --syslog directive which redirects output
299 to syslog without requiring the use of the --daemon or --inetd
301 * Added openvpn.spec option to allow RPM to be built with support
302 for passwords read from a file:
303 rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1'
305 2005.04.17 -- Version 2.0
307 * Fixed minor options string typo in options.c.
309 2005.04.10 -- Version 2.0-rc21
311 * Change license description from "GPL Version 2 or (at your
312 option) any later version" to just "GPL Version 2".
314 2005.04.04 -- Version 2.0-rc20
316 * Dag Wieers has put together an OpenVPN/LZO binary RPM set with
317 excellent distro/version coverage for RH/EL/Fedora, though
318 using his own SPEC. I modified openvpn.spec to follow some of
319 the same conventions such as putting sample scripts and doc
320 files in %doc rather than /usr/share/openvpn.
321 * Minor change to init scripts to run the user-defined script
322 /etc/openvpn/openvpn-startup (if it exists) before any OpenVPN
323 configs are started, and to run /etc/openvpn/openvpn-shutdown
324 after all OpenVPN configs have been stopped. The
325 openvpn-startup script can be used for stuff like
326 insmod tun.o, setting up firewall rules, or starting
329 2005.03.29 -- Version 2.0-rc19
331 * Omit additions of routes where the network and
332 gateway are equal and the netmask is 255.255.255.255.
333 This can come up if you are using both
334 server/ifconfig-pool and client-config-dir with
335 ifconfig-push static addresses for some subset of clients
336 which directly reference the server IP address as the
339 2005.03.28 -- Version 2.0-rc18
341 * Packaged Windows installer with OpenSSL 0.9.7f.
342 * Built Windows installer with NSIS 2.06.
344 2005.03.12 -- Version 2.0-rc17
346 * "MANAGEMENT: CMD" log file output will now only occur
347 at --verb 7 or greater.
348 * Added an optional name/value configuration list to
349 the openvpn-auth-pam plugin module argument list. See
350 plugin/auth-pam/README for documentation. This is necessary
351 in order for openvpn-auth-pam to work with queries generated
352 by arbitrary PAM modules.
353 * In both auth-pam and down-root plugins, in the forked process,
354 a read error on the parent process socket is no longer fatal.
355 * MandrakeSoft liblzo1 RPM only Provides for a 'liblzo1'.
356 A conditional test of the vendor has been added to
357 Require the appropriately named 'lzo' (liblzo1 / lzo).
358 (Tom Walsh - http://openhardware.net)
361 2005.02.20 -- Version 2.0-rc16
363 * Fixed bug introduced in rc13 where Windows service wrapper
364 would be installed with a startup type of Automatic.
365 This fix restores the previous behavior of installing
366 with a startup type of Manual.
368 2005.02.19 -- Version 2.0-rc15
370 * Added warning when --keepalive is not used in a server
372 * Don't include OpenSSL md4.h file if we are not building
373 NTLM proxy support (Waldemar Brodkorb).
374 * Added easy-rsa/build-key-pkcs12 and
375 easy-rsa/Windows/build-key-pkcs12.bat scripts
378 2005.02.16 -- Version 2.0-rc14
380 * Fixed small memory leak that occurs when --crl-verify
382 * Upgraded Windows installer and .nsi script to NSIS 2.05
384 * Changed #include backslash usage in cryptoapi.c to use
385 forward slashes instead (Gisle Vanem).
386 * Created easy-rsa/revoke-full to handle revocations in
387 a single step: (a) revoke crt, (b) regenerate CRL, and
388 (c) verify that revocation succeeded.
389 * Renamed easy-rsa/Windows/revoke-key to revoke-full so
390 that both *nix and Windows scripts are equivalent.
392 2005.02.11 -- Version 2.0-rc13
394 * Improve human-readability of local/remote options
395 diff, when inconsistencies are present.
396 * For Windows easy-rsa, distribute vars.bat.sample and
397 openssl.cnf.sample, then copy them to their normal
398 filenames (without the .sample) when init-config.bat
399 is run. This is to prevent OpenVPN upgrades from
400 wiping out vars.bat and openssl.cnf edits.
401 * Modified service wrapper (Windows) to use a
402 case-insensitive search when scanning for .ovpn files
403 in \Program Files\OpenVPN\config. Prior versions
404 required an all-lower-case .ovpn file extension.
405 * Miscellaneous service wrapper code cleanup.
406 * If --user/--group is used on Windows, treat it
407 as a no-op with a warning (this makes it easier to
408 distribute the same client config file to Windows
410 * Warn if --ifconfig-pool-persist is used with
413 2005.02.05 -- Version 2.0-rc12
415 * Removed some debugging code inadvertently included
416 in rc11 which would print the --auth-user-pass
417 username/password provided by clients in the server
419 * Client code for cycling through --remote list will
420 retry the last address which successfully authenticated
421 before moving on through the list.
422 * Windows installer will now install sample configuration
423 files in \Program Files\OpenVPN\sample-configs as well
424 as generate a start menu shortcut to this directory.
425 * Minor type change in buffer.[ch] to work around char-type
426 ambiguity bug. Caused management interface lock-ups on
427 ARM when building with armv4b-hardhat-linux-gcc 2.95.3.
429 2005.02.03 -- Version 2.0-rc11
431 * Windows installer will now install easy-rsa directory
432 in \Program Files\OpenVPN
433 * Allow syslog facility to be controlled at compile time,
434 e.g. -DLOG_OPENVPN=LOG_LOCAL6 (P Kern).
435 * Changed certain shell scripts in distribution to use
436 #!/bin/sh rather than #!/bin/bash for better portability.
437 * If --ifconfig-pool-persist seconds parameter is 0, treat
438 persist file as an allocation of fixed IP addresses
439 (previous versions took IP-to-common-name associations
440 from this list as hints, not mandatory static allocations).
441 * Fixed bug on *nix where if --auth-user-pass and --log
442 were used together, the username prompt would be sent to
443 the log file rather than /dev/tty.
444 * Spurious text in openvpn.8 detected by doclifter
446 * Call closelog later on daemon kill so that process
447 exit message is written to syslog.
449 2005.01.27 -- Version 2.0-rc10
451 * When ./configure is run with plugins enabled (the default),
452 check whether or not dlopen exists in libc before testing
453 for libdl. This is to fix an issue on FreeBSD and possibly
454 other OSes which bundle libdl functions in libc.
455 * On Windows, filter initial WSAEINVAL warning which occurs
456 on the initial read attempt of an unbound socket.
457 * The easy-rsa scripts build-key, build-key-pass, and
458 build-key-server will now chmod the .key file
459 to 0600. This is in addition to the fact the generated
460 keys directory has always been similarly protected
463 2005.01.23 -- Version 2.0-rc9
465 * Fixed error "ROUTE: route addition failed using
466 CreateIpForwardEntry ..." on Windows when --redirect-gateway
467 is used over a RRAS internet link.
468 * When using --route-method exe on Windows, include the
469 gateway parameter on route delete commands (Mathias Sundman).
470 * Try not to do a hard reset (i.e. SIGHUP) when two
471 SIGUSR1 signals are received in close succession.
472 * If the push list tries to grow beyond its buffer capacity,
473 the resulting error will be non-fatal.
474 * To increase the push list capacity (must be done on both
475 client and server), increase TLS_CHANNEL_BUF_SIZE in
476 common.h (default=1024).
478 2005.01.15 -- Version 2.0-rc8
480 * Fixed bug introduced in rc7 where options error
481 "--auth-user-pass requires --pull" might occur even
482 if --pull was correctly specified.
483 * Changed management interface code to bind once
484 to TCP socket, rather than rebinding after every
486 * Added "disable" directive for client-config-dir
488 * Windows binary install is now distributed with
490 * Query the management interface for --http-proxy
491 username/password if authfile is set to "stdin".
492 * Added current OpenVPN version number to "Unrecognized
493 option or missing parameter" error message.
494 * Added "-extensions server" to "openssl req" command
495 in easy-rsa/build-key-server (Nir Yeffet).
497 2005.01.10 -- Version 2.0-rc7
499 * Fixed bug in management interface which could cause
500 100% CPU utilization in --proto tcp-server mode
501 on all *nix OSes except for Linux 2.6.
502 * --ifconfig-push now accepts DNS names as well as
504 * Added sanity check errors when --pull or
505 --auth-user-pass is used in an incorrect mode.
506 * Updated man page entries for --client-connect and
508 * Added "String Types and Remapping" section to man
509 page to concisely document the way in which OpenVPN
510 may convert certain types of characters in strings
512 * Modified bridging description in HOWTO to emphasize
513 the fact that bridging allows Windows file and print
514 sharing without a WINS server (Charles Duffy).
516 2004.12.20 -- Version 2.0-rc6
518 * Improved checking for epoll support in ./configure
519 to fix false positive on RH9 (Jan Just Keijser).
520 * Made the "MULTI TCP: I/O wait required blocking in
521 multi_tcp_action, action=7" error nonfatal and replaced
522 with "MULTI: Outgoing TUN queue full, dropped packet".
523 So far the issue only seems to occur on Linux 2.2
524 in --mode server --proto tcp mode. It occurs when
525 the TUN/TAP driver locks up and refuses to accept
526 new packet writes for a second or more.
527 * Fixed bug where if a --client-config-dir file tried
528 to include another file using "config", and if that
529 include failed, OpenVPN would abort with a fatal
530 error. Now such inclusion failures will be logged
531 but are no longer fatal.
532 * Global changes to the way that packet buffer alignment
533 is handled. Previously we didn't care about alignment
534 and took care, when handling 16 and 32 bit words
535 in buffers, to always use alignment-safe transfers.
536 This approach appears to be inadequate on some
537 architectures such as alpha. The new approach is
538 to initialize packet buffers in a way that anticipates
539 how component structures will be allocated within
540 them, to maintain correct alignment.
541 * Added --dhcp-option DISABLE-NBT to disable NetBIOS
542 over TCP (Jan Just Keijser).
543 * Added --http-proxy-option directive for controlling
544 miscellaneous HTTP proxy options.
545 * Management state will no longer transition to "WAIT"
546 during TLS renegotiations.
548 2004.12.16 -- Version 2.0-rc5
550 * The --client-config-dir option will now try to open
551 a default file called "DEFAULT" if no file matching
552 the common name of the incoming client was found.
553 * The --client-connect script/plugin can now veto client
554 authentication by returning a failure code.
555 * The --learn-address script/plugin can now prevent a
556 client-instance/address association from being learned
557 by returning a failure code.
558 * Changed RPM group in .spec file to Applications/Internet.
560 2004.12.14 -- Version 2.0-rc4
562 * SuSE only -- Fixed interaction between openvpn.spec and
563 suse/openvpn.init where the .spec file was writing the
564 OpenVPN binary to a different location than where the
565 .init script was referencing it (Stefan Engel).
566 * Solaris only -- Split Solaris ifconfig command into two
567 parts (Jan Just Keijser).
568 * Some cleanup in add_option().
569 * Better error checking on input dotted quad IP addresses.
570 * Verify that --push argument is quoted, if there is
572 * More miscellaneous option sanity checks.
574 2004.12.13 -- Version 2.0-rc3
576 * On Windows, when --log or --log-append is used,
577 save the original stderr for username and password
579 * Fixed a bug introduced in the late 2.0 betas where
580 if a "verb" parameter >= 16 was used, it would be
581 ignored and the actual verb level would remain at 1.
582 * Fixed a bug mostly seen on OS X where --management-hold
583 or --management-query-passwords would cause the management
584 interface to be unresponsive to incoming client connections.
585 * Trigger an options error if one of the management-modifying
586 options is used without "management" itself.
588 2004.12.12 -- Version 2.0-rc2
590 * Amplified warnings in documentation about possible
591 man-in-the-middle attack when clients do not properly
592 verify server certificate. Changes to easy-rsa README,
593 FAQ, HOWTO, man page, and sample client config file.
594 * Added a warning message if --tls-client or --client
595 is used without also specifying one of either
596 --ns-cert-type, --tls-remote, or --tls-verify.
597 * status_open() fixes for MSVC builds (Blaine Fleming).
598 * Fix attempt of "ntlm.c:55: error: `des_cblock' undeclared"
599 compiler error which has been reported on some platforms.
600 * The openvpn.spec file for rpmbuild has several
601 new build-time options. See comments in the file.
602 * Plugins are now built and packaged in the RPM and
603 will be saved in /usr/share/openvpn/plugin/lib.
604 * Added --management-hold directive to start OpenVPN
605 in a hibernating state until released by the
606 management interface. Also added "hold" command
607 to the management interface.
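The rc2 entries above warn that a client which checks only that the server's certificate chains to the CA can be man-in-the-middled by anyone holding another certificate from that CA, and list --ns-cert-type, --tls-remote and --tls-verify as the remedies. As an added example, not a config shipped with OpenVPN, here is a client configuration with that gap beside one that closes it; the host name, file names and the server's common name are placeholders.

```text
# Weak: any certificate signed by ca.crt is accepted as "the server",
# including a client certificate issued by the same CA.
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key

# Hardened: require the server certificate to carry nsCertType=server
# (as produced by easy-rsa/build-key-server) and to have the expected
# common name; tls-auth additionally rejects control-channel packets
# that are not HMAC-signed with the shared key before TLS starts.
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
tls-remote vpn-server
tls-auth ta.key 1
```

Either of ns-cert-type or tls-remote alone closes the impersonation hole described above; using both means a stolen client certificate fails the nsCertType check and a mis-issued server certificate fails the name check.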
609 2004.12.07 -- Version 2.0-rc1
611 * openvpn.spec workaround for SuSE confusion regarding
612 /etc/init.d vs. /etc/rc.d/init.d (Stefan Engel).
614 2004.12.05 -- Version 2.0-beta20
616 * The ability to read --askpass and --auth-user-pass
617 passwords from a file has been disabled by default.
618 To re-enable, use ./configure --enable-password-save.
619 * Added additional pre-connected states to management
620 interface. See management/management-notes.txt
622 * State history is now recorded by the management
623 interface, and the "state" command now works like
624 the log or echo commands.
625 * State history and real-time state change notifications
626 are now prepended with an integer unix timestamp.
627 * Added --http-proxy-timeout option, previously
628 the timeout was hardcoded to 5 seconds.
630 2004.12.02 -- Version 2.0-beta19
632 * Fixed bug in management interface line termination
633 where output lines incorrectly contained a \00 char
634 after the customary \0d \0a.
635 * Fixed bug introduced in beta18 where Windows version
636 would segfault on options errors.
637 * Fixed bug in management interface where an empty
638 quoted string ("") entered as a parameter would cause
640 * Fixed bug where --resolv-retry was not working
641 properly with multiple --remote hosts.
642 * Added additional ./configure options to reduce
643 executable size for embedded applications.
644 See ./configure --help.
646 2004.11.28 -- Version 2.0-beta18
648 * Added management interface. See new --management-*
649 options or the full management interface documentation
650 in management/management-notes.txt in the tarball.
651 Management interface inclusion can be disabled by
652 ./configure --disable-management.
653 * Added two new plugin modules: auth-pam and down-root.
654 Auth-pam supports pam-based authentication using a
655 split privilege execution model, while down-root enables
656 a down script to be executed with root privileges, even
657 when --user/--group is used to drop root privileges.
658 See the plugin directory in the tarball for READMEs,
659 source code, and Makefiles.
660 * Plugin developers should note that some changes were
661 made to the plugin interface since beta17. See
662 openvpn-plugin.h for details.
663 Plugin interface inclusion can be disabled with
664 ./configure --disable-plugins
665 * Added easy-rsa/build-key-server script which will
666 build a certificate with nsCertType=server.
667 * Added --ns-cert-type option for verification
668 of nsCertType field in peer certificate.
669 * If --fragment n is specified and --mssfix is specified
670 without a parameter, default --mssfix to n. This restores
671 the 1.6 behavior when using --mssfix without a parameter.
672 * Fixed SSL context initialization bug introduced in beta14
673 where this error might occur on restarts: "Cannot load
674 certificate chain ... PEM_read_bio:no start line".
676 2004.11.11 -- Version 2.0-beta17
678 * Changed default port number to 1194 per IANA official
679 port number assignment.
680 * Added --plugin directive which allows compiled
modules to intercept script callbacks. See
plugin folder in tarball for more info.
* Fixed bug introduced in beta12 where --key-method 1
authentications which should have succeeded would fail.
* Ignore SIGUSR1 during DNS resolution.
* Added SuSE support to openvpn.spec (Umberto Nicoletti).
* Fixed --cryptoapicert SUBJ: parsing bug (Peter 'Luna'

2004.11.07 -- Version 2.0-beta16

* Modified sample-scripts/auth-pam.pl to get username
and password from OpenVPN via a file rather than
via environmental variables.
* Added bytes_sent and bytes_received environmental
variables to be set prior to client-disconnect script.
* Changed client virtual IP derivation precedence:
(1) use --ifconfig-push directive from --client-connect
script, (2) use --ifconfig-push directive from
--client-config-dir, and (3) use --ifconfig-pool
* If a --client-config-dir file specifies --ifconfig-push,
it will be visible to the --client-connect-script in
the ifconfig_pool_remote_ip environmental variable.
* For tun-style tunnels, the ifconfig_pool_local_ip
environmental variable will be set, while for
tap-style tunnels, the ifconfig_pool_netmask variable
* Added intelligence to autoconf script to test
compiler for the accepted form of zero-length arrays.
* Fixed a bug introduced in beta12 where --ip-win32
netsh would fail if --dev-node was not explicitly
* --ip-win32 netsh will now work on hidden adapters.
* Attempted fix for "Assertion failed at crypto.c:149".
This assertion has also been reported on 1.x with a
slightly different line number. The fix is twofold:
(1) In previous releases, --mtu-test may trigger this
assertion -- this bug has been fixed. (2) If something
else causes the assertion to be thrown, don't panic,
just output a nonfatal warning to the log and drop
the packet which generated the error.
* Support TAP interfaces on Mac OS X (Waldemar Brodkorb).
* Added --echo directive.
* Added --auth-nocache directive.

2004.10.28 -- Version 2.0-beta15

* Changed environmental variable character classes
so that names must consist of alphanumeric or
underbar chars and values must consist of printable
characters. Illegal chars will be deleted.
Versions prior to 2.0-beta12 were more restrictive
and would map spaces to '.'.
* On Windows, when the TAP adapter fails to
initialize with the correct IP address, output
"Initialization Sequence Completed with Errors"
to the console or log file.
* Added a warning when user/group/chroot is used
without persist-tun and persist-key.
* Added cryptoapi.[ch] to tarball and source zip.
* --tls-remote option now works with common name
prefixes as well as with the full X509 subject
string. This is a useful alternative to using
* common names associated with a static
--ifconfig-push setting will no longer leave
any state in the --ifconfig-pool-persist file.
* Hard TLS errors (TLS handshake failed) will now
trigger either a SIGUSR1 signal by default
or SIGTERM (if --tls-exit is specified). In TCP
mode, all TLS errors are considered to be hard.
In server mode, the signal will be local to the
* Added method parameter to --auth-user-pass-verify
directive to select whether username/password
is passed to script via environment or a temporary
* Added --status-version option to control format
of --status file. The --mode server
--status-version 2 format now includes a line
type token, the virtual IP address is shown
in the client list (even in --dev tap mode),
and the integer time_t value is shown anywhere
an ascii-formatted time/date is also shown.
* Added --remap-usr1 directive which can be used
to control whether internally or externally
generated SIGUSR1 signals are remapped to
SIGHUP (restart without persisting state) or
* When running as a Windows service (using
--service option), check the exit event before
and after reading one line of input from
stdin, when reading username/password info.
* For developers: Extended the --gremlin function
to better stress-test the new 2.0 features,
added Valgrind support on Linux and Dmalloc
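
The environment-variable rule in the 2.0-beta15 entry above (names restricted to alphanumeric and underscore characters, values to printable characters, everything else deleted), shown as an added example that is not OpenVPN's own code. The sample name and value, and the helper names, are constructed for illustration.

```c
/* Added example (not OpenVPN's own code): apply the 2.0-beta15 rule for
 * environment variables handed to scripts. Names keep only alphanumeric
 * and underscore characters, values keep only printable characters, and
 * every other character is deleted. Sample inputs are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy src to dst keeping only characters accepted by keep(); dst may
 * alias src, since each byte is read before the write position reaches
 * it. Returns the number of characters deleted. */
static size_t filter_copy(char *dst, const char *src,
                          int (*keep)(unsigned char))
{
    size_t dropped = 0;
    while (*src) {
        unsigned char c = (unsigned char)*src++;
        if (keep(c))
            *dst++ = (char)c;
        else
            dropped++;
    }
    *dst = '\0';
    return dropped;
}

/* Name characters: letters, digits, underscore. */
static int name_char_ok(unsigned char c)
{
    return isalnum(c) || c == '_';
}

/* Value characters: printable (in the C locale, 0x20..0x7e), so control
 * characters such as newline or tab never reach the script. */
static int value_char_ok(unsigned char c)
{
    return isprint(c);
}

/* Sanitize name and value in place. Returns the total number of deleted
 * characters, or -1 if nothing is left of the name (such a variable
 * must not be exported at all). */
int sanitize_env_pair(char *name, char *value)
{
    size_t dropped = filter_copy(name, name, name_char_ok);
    dropped += filter_copy(value, value, value_char_ok);
    return name[0] == '\0' ? -1 : (int)dropped;
}

/* Build a "name=value" entry suitable for an envp array. Returns the
 * number of characters written, or -1 if the pair is unusable or does
 * not fit into out. */
int build_env_entry(char *out, size_t outlen, char *name, char *value)
{
    if (sanitize_env_pair(name, value) < 0)
        return -1;
    int n = snprintf(out, outlen, "%s=%s", name, value);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    /* Constructed: a name with a dash and a value carrying control bytes */
    char name[] = "tls-id_0";
    char value[] = "CN=alice\x01, O=Ex\tample\n";
    char entry[128];
    if (build_env_entry(entry, sizeof entry, name, value) > 0)
        printf("%s\n", entry);   /* prints tlsid_0=CN=alice, O=Example */
    return 0;
}
```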

2004.10.19 -- Version 2.0-beta14

* Fixed a bug introduced in Beta12 that would occur
if you use a --client-connect script without also
* Fixed a bug introduced in Beta12 where a learn-address
script might segfault on the delete method.
* Added Crypto API support in Windows version via
the --cryptoapicert option (Peter 'Luna' Runestig).

2004.10.18 -- Version 2.0-beta13

* Fixed an issue introduced in Beta12 where the private
key password would not be prompted for unless --askpass
was explicitly specified in the config.

2004.10.17 -- Version 2.0-beta12

* Added support for username/password-based authentication.
Clients can now authenticate themselves with the server
using either a certificate, a username/password, or both.
New directives: --auth-user-pass, --auth-user-pass-verify,
--client-cert-not-required, and --username-as-common-name.
* Added NTLM proxy patch (William Preston).
* Added --ifconfig-pool-linear server flag to allocate
individual tun addresses for clients rather than /30
subnets (won't work with Windows clients).
* Modified --http-proxy code to cache username/password
* Modified --http-proxy code to read username/password
from the console when the auth file is given as "stdin".
* Modified --askpass to take an optional filename argument.
* --persist-tun and --persist-key now work in client mode
and can be pushed to clients as well.
* Added --ifconfig-pool-persist directive, to maintain
ifconfig-pool info in a file which is persistent across
daemon instantiations.
* --user and --group privilege downgrades as well as
--chroot now also work in client mode (the
downgrade/chroot will be delayed until the initialization
sequence is completed).
* Added --show-engines standalone directive to show
available OpenSSL crypto accelerator engine support.
* --engine directive now accepts an optional engine-ID
parameter to control which engine is used.
* "Connection reset, restarting" log message now shows
which client is being reset.
* Added --dhcp-pre-release directive in Windows version.
* Second parm to --ip-win32 can be "default", e.g.
--ip-win32 dynamic default 60.
* Fixed documentation bug regarding environmental
variable settings for --ifconfig-pool IP addresses.
The correct environmental variable names are:
ifconfig_pool_local_ip and ifconfig_pool_remote_ip.
* ifconfig_pool_local_ip and ifconfig_pool_remote_ip
environmental variables are now passed to the
client-disconnect script.
* In server mode, environmental variables are now scoped
according to the client they are associated with,
to solve the problem of "crosstalk" between different
clients' environmental variable sets.
* Added --down-pre flag to cause --down script to be
called before TUN/TAP close (rather than after).
* Added --tls-exit flag which will cause OpenVPN
to exit on any TLS errors.
* Don't push a route to a client if it exactly
matches an iroute (this lets you push routes to
all clients, and OpenVPN will automatically remove
the route from the route push list only for that client
which the route actually belongs to).
* Made '--resolv-retry infinite' the default.
--resolv-retry can be disabled by using a parameter of 0.
* For clients which plan to pull config info from server,
set an initial default ping-restart of 60 seconds.
* Optimized mute code to lessen the load on the processor
when messages are being muted at a higher frequency.
* Made route log messages non-mutable.
* Silence the Linux "No buffer space available" message.
* Added miscellaneous additional option sanity checks.
* Added Windows version of easy-rsa scripts in
easy-rsa/Windows directory (Andrew J. Richardson).
* Added NetBSD route patch (Ed Ravin).
* Added OpenBSD patch for TAP + --redirect-gateway
* Directives which prompt for a username and/or password
will now work with --daemon (OpenVPN will prompt
* Warn if CRL is from a different issuer than the
issuer of the peer certificate (Bernhard Weisshuhn).
* Changed init script chkconfig parameters to start
OpenVPN daemon(s) before NFS.
* Attempted fix for "too many I/O wait events" which occurs
on OSes which prefer select() over poll() such as Mac OS X.
* Added --ccd-exclusive flag. This flag will require, as a
condition of authentication, that a connecting client has
a --client-config-dir file.
* TAP-Win32 open code will attempt to open a free adapter
if --dev-node is not specified (Mathias Sundman).
* Resequenced --nice and --chroot ordering so that --nice
* Added --suppress-timestamps flag (Charles Duffy).
* Source code changes to allow compilation by MSVC
(Peter 'Luna' Runestig).
* Added experimental --fast-io flag which optimizes
TUN/TAP/UDP writes on non-Windows systems.

2004.08.18 -- Version 2.0-beta11

* Added --server, --server-bridge, --client, and
--keepalive helper directives. See client.conf
and server.conf in sample-config-files for sample
configurations which use the new directives.
* On Windows, added --route-method to control
whether IP Helper API or route.exe is used
to add/delete routes.
* On Windows, added a second parameter to
--route-delay to control the maximum time period
to wait for the TAP-Win32 adapter to come up
before adding routes.
* Fixed bug in Windows version where configurations
which omit --ifconfig might fail to recognize when
the TAP adapter is up.
* Proxy connection failures will now retry according
to the --connect-retry parameter.
* Fixed --dev null handling on Windows so that TLS
loopback test described in INSTALL file works
correctly on Windows.
* Added "Initialization Sequence Completed" message
after all initialization steps have been completed
and the VPN can be considered "up".
* Better sanity-checking on --ifconfig-pool parameters.
* Added --tcp-queue-limit option to control
TUN/TAP -> TCP socket overflow.
* --ifconfig-nowarn flag will now silence general
warnings about possible --ifconfig address
conflicts, including the warning about --ifconfig
and --remote addresses being in same /24 subnet.
* Fixed case where server mode did not correctly
identify certain types of ethernet multicast packets
* Added --explicit-exit-notify option (experimental).

2004.08.02 -- Version 2.0-beta10

* Fixed possible reference after free of option strings
after a restart; the bug was introduced in beta8.
* Fixed segfault at route.c:919 in the beta9
Windows version that was being caused by indirection
through a NULL pointer.
* Mistakenly built debug version of TAP-Win32 driver
for beta9. Beta10 has correct release build.

2004.07.30 -- Version 2.0-beta9

* Fixed --route issue on Windows that was introduced with
the new beta8 route implementation based on the

2004.07.27 -- Version 2.0-beta8

* Added TCP support in server mode.
* Added PKCS #12 support (Mathias Sundman).
* Added patch to make revoke-crt and make-crl work
seamlessly within the easy-rsa environment (Jan Kiszka).
* Modified --mode server ethernet bridge code to forward
special IEEE 802.1d MAC Groups, i.e. 01:80:C2:XX:XX:XX.
* Added --dhcp-renew and --dhcp-release flags to Windows
version. Normally DHCP renewal and release on the TAP
adapter occurs automatically under Windows, however
if you set the TAP-Win32 adapter Media Status property
to "Always Connected", you may need these flags.
* Added --show-net standalone flag to Windows version to
show OpenVPN's view of the system adapter and routing
* Added --show-net-up flag to Windows version to output
the system routing table and network adapter list to
the log file after the TAP-Win32 adapter has been brought
up and any routes have been added.
* Modified Windows version to add routes using the IP Helper
API rather than by calling route.exe.
* Fixed bug where --route-up script was not being called
if no --route options were specified.
* Added --mute-replay-warnings to suppress packet replay
warnings. This is a common false alarm on WiFi nets.
* Added "def1" flag to --redirect-gateway option to override
the default gateway by using 0.0.0.0/1 and 128.0.0.0/1
rather than 0.0.0.0/0. This has the benefit of overriding
but not wiping out the original default gateway.
(Thanks to Jim Carter for pointing out this idea).
* You can now run OpenVPN with a single config file argument.
For example, you can now say "openvpn config.conf"
rather than "openvpn --config config.conf".
* On Windows, made --route and --route-delay more adaptive
with respect to waiting for interfaces referenced by the
route destination to come up. Routes added by --route
should now be added as soon as the interface comes up,
rather than after an obligatory 10 second delay. The
way this works internally is that --route-delay now
defaults to 0 on Windows. Previous versions would
wait for --route-delay seconds then add the routes.
This version will wait --route-delay seconds and then
test the routing table at one second intervals for the
next 30 seconds and will not add the routes until they
can be added without errors.
* On Windows, don't setsockopt SO_SNDBUF or SO_RCVBUF by
default on TCP/UDP socket in light of reports that this
action can have undesirable global side effects on the
MTU settings of other adapters. These parameters can
still be set, but you need to explicitly specify
--sndbuf and/or --rcvbuf.
* Added --max-clients option to limit the maximum number
of simultaneously connected clients in server mode.
* Added error message to illuminate shell escape gotcha when
single backslashes are used in Windows path names.
* Added optional netmask parm to --ifconfig-pool.
* Fixed bug where http-proxy connect retry attempts were
incorrectly going to the remote OpenVPN server,
not to the HTTP proxy server.
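
Why the "def1" flag in the 2.0-beta8 entry above overrides the default gateway without destroying it: longest-prefix match prefers 0.0.0.0/1 and 128.0.0.0/1 over 0.0.0.0/0, and deleting the two /1 routes leaves the original default intact. The C program below is an added example, not OpenVPN's code; the gateway and LAN addresses are constructed.

```c
/* Added example (not OpenVPN's own code): model a host routing table
 * with longest-prefix-match lookup to show what --redirect-gateway def1
 * does. The two /1 routes win over 0.0.0.0/0 while they exist, and the
 * untouched default takes over again once they are removed.
 * All addresses are constructed sample values. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
     ((uint32_t)(c) << 8) | (uint32_t)(d))

#define LAN_GW  IPV4(192, 168, 1, 1)   /* original default gateway (constructed) */
#define VPN_GW  IPV4(10, 8, 0, 1)      /* next hop through the tunnel (constructed) */
#define ON_LINK 0u                     /* "gateway" for a directly connected net */

struct route {
    uint32_t net;    /* network address, host byte order */
    int prefix;      /* prefix length, 0..32 */
    uint32_t gw;     /* next hop, or ON_LINK */
};

static uint32_t prefix_mask(int prefix)
{
    return prefix == 0 ? 0u : 0xffffffffu << (32 - prefix);
}

/* Longest-prefix match over tbl[0..n); returns the index of the most
 * specific matching route, or -1 if nothing matches. */
int lookup_route(const struct route *tbl, size_t n, uint32_t dst)
{
    int best = -1;
    for (size_t i = 0; i < n; i++) {
        if ((dst & prefix_mask(tbl[i].prefix)) == tbl[i].net &&
            (best < 0 || tbl[i].prefix > tbl[best].prefix))
            best = (int)i;
    }
    return best;
}

/* Fill tbl (room for 4 entries) with a host's routes. With def1 set,
 * 0.0.0.0/1 and 128.0.0.0/1 via the VPN are added on top of the
 * untouched 0.0.0.0/0 default, as the def1 entry describes. */
size_t build_table(struct route *tbl, int def1)
{
    size_t n = 0;
    tbl[n++] = (struct route){ IPV4(192, 168, 1, 0), 24, ON_LINK }; /* LAN */
    tbl[n++] = (struct route){ IPV4(0, 0, 0, 0), 0, LAN_GW };       /* default */
    if (def1) {
        tbl[n++] = (struct route){ IPV4(0, 0, 0, 0), 1, VPN_GW };
        tbl[n++] = (struct route){ IPV4(128, 0, 0, 0), 1, VPN_GW };
    }
    return n;
}

/* Next hop the host uses for dst, with or without the def1 routes.
 * The default route always matches, so a result is always found. */
uint32_t gateway_for(uint32_t dst, int def1)
{
    struct route tbl[4];
    size_t n = build_table(tbl, def1);
    return tbl[lookup_route(tbl, n, dst)].gw;
}

static void print_ip(uint32_t a)
{
    printf("%u.%u.%u.%u", (unsigned)(a >> 24), (unsigned)((a >> 16) & 255),
           (unsigned)((a >> 8) & 255), (unsigned)(a & 255));
}

int main(void)
{
    uint32_t dsts[] = { IPV4(8, 8, 8, 8), IPV4(200, 1, 2, 3),
                        IPV4(192, 168, 1, 50) };
    for (int def1 = 1; def1 >= 0; def1--) {
        printf("def1=%d:\n", def1);
        for (size_t i = 0; i < sizeof dsts / sizeof dsts[0]; i++) {
            printf("  ");
            print_ip(dsts[i]);
            printf(" via ");
            print_ip(gateway_for(dsts[i], def1));   /* 0.0.0.0 means on-link */
            printf("\n");
        }
    }
    return 0;
}
```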

2004.06.29 -- Version 2.0-beta7

* Fixed bug in link_socket_verify_incoming_addr() which
under certain circumstances could have caused --float
behavior even if --float was not specified.
* --tls-auth option now works with --mode server.
All clients and the server should use the same
--tls-auth key when operating in client/server mode.
* Added --engine option to make use of OpenSSL-supported
crypto acceleration hardware.
* Fixed some high verbosity print format size issues
in event.c for 64 bit platforms (Janne Johansson).
* Made failure to open --log or --log-append file

2004.06.23 -- Version 2.0-beta6

* Fixed Windows installer to intelligently put
up a reboot dialog only if tapinstall tells
us that it's really necessary.
* Fixed "Assertion failed at fragment.c:309"
bug when --mode server and --fragment are used
* Ignore HUP, USR1, and USR2 signals during
initialization. Prior versions would abort.
* Fixed bug on OS X: "Assertion failed at event.c:406".
* Added --service option to Windows version, for use
when OpenVPN is being programmatically instantiated
by another process (see man page for info).
* --log and --log-append options now work on Windows.
* Update OpenBSD INSTALL notes (Janne Johansson).
* Enable multicast on tun interface when running on
OpenBSD (Pavlin Radoslavov).
* Fixed recent --test-crypto breakage, where options
such as --cipher were not being parsed correctly.
* Modified options compatibility string by removing
ifconfig substring if it is empty. Incremented
options compatibility string version number to 4.
* Fixed typo in --tls-timeout option parsing

2004.06.13 -- Version 2.0-beta5

* Fixed rare --mode server crash that could occur
if data was being routed to a client at
high bandwidth at the precise moment that the
client instance object on the server was being
* Fixed issue on machines which have epoll.h and
the epoll_create glibc call defined, but which
don't actually implement epoll in the kernel.
OpenVPN will now gracefully fall back to the
poll API in this case.
* Fixed Windows bug which would cause the following
error in a --mode server --dev tap configuration:
"resource limit WSA_MAXIMUM_WAIT_EVENTS has been
* Added CRL (certificate revocation list) management
scripts to easy-rsa directory (Jon Bendtsen).
* Do a better job of getting the ifconfig component
of the options consistency check to work correctly
when --up-delay is used.
* De-inlined some functions which were too complex
to be inlined anyway with gcc.
* If a --dhcp-option option is pushed to a non-windows
client, the option will be saved in the client's
environment before the --up script is called, under
the name "foreign_option_{n}".
* Added --learn-address script (see man page) which
allows for firewall access through the VPN to be
controlled based on the client common name.
* In --mode server, when a client connects to
the server, the server will disconnect any
still-active clients which use the same common
name. Use --duplicate-cn flag to revert to
previous behavior of allowing multiple clients
to concurrently connect with the same common name.

2004.06.08 -- Version 2.0-beta4

* Fixed issue with beta3 where Win32 service wrapper
was keying off of old TAP HWID as a dependency. To
ensure that the new service wrapper is correctly
installed, the Windows install script will uninstall
the old wrapper before installing the new one,
causing a reset of service properties.
* Fixed permissions issue on --status output file,
with default access permissions of owner read/write
only (default permissions can be changed of course with

2004.06.05 -- Version 2.0-beta3

* More changes to TAP-Win32 driver's INF file which
affect the placement of the driver in the Windows
device namespace. This is done to work around an
apparent bug in Windows when short HWIDs are used,
and will also ease the upgrade from 1.x to 2.0 by
reducing the chances that a reboot will be needed
on upgrade. Like beta2, this upgrade will
delete existing TAP-Win32 interfaces, and reinstall
a single new interface with default properties.
* Major rewrite of I/O event wait layer in the style
of libevent. This is a precursor to TCP support
* New feature: --status. Outputs a SIGUSR2-like
status summary to a given file, updated once
per n seconds. The status file is comma delimited
for easy machine parsing.
* --ifconfig-pool now remembers common names and
will try to assign a consistent IP to a given
common name. Still to do: persist --ifconfig-pool
memory across restarts by saving state in file.
* Fixed bug in event timer queue which could cause
recurring timer events such as --ping to not
correctly schedule again after firing. This in
turn would cause spurious ping restarts and possible
connection outages. Thanks to Denis Vlasenko for
* Possible fix to reported bug where --daemon argument
was not printing to syslog correctly after restart.
* Fixed bug where pulling --route or --dhcp-option
directives from a server would problematically
interact with --persist-tun on the client.
* Updated contrib/multilevel-init.patch (Farkas Levente).
* Added RPM build option to .spec and .spec.in files
to optionally disable LZO inclusion (Ian Pilcher).
* The latest MingW runtime and headers define
'ssize_t', so a patch is needed (Gisle Vanem).

2004.05.14 -- Version 2.0-beta2

* Fixed signal handling bug in --mode server, where
SIGHUP and SIGUSR1 were treated as SIGTERM.
* Changed the TAP-Win32 HWID from "TAP" to "TAPDEV".
Apparently the larger string may work around
a problem where the TAP adapter is sometimes missing
from the network connections panel, especially under
XP SP2. Also note that installing this upgrade will
uninstall any pre-existing TAP-Win32 adapters, and then
install a single new adapter, meaning that old adapter
properties will be lost. Thanks to Md5Chap for solving
* For --mode server --dev tap, the options --ifconfig and
--ifconfig-pool are now optional. This allows address
assignment via DHCP or use of a TAP VPN without
IP support, as has always been possible with 1.x.
* Fixed bug where --ifconfig may not work correctly on
* Added 'local' flag to --redirect-gateway for use on
networks where both OpenVPN daemons are connected
to a shared subnet, such as wireless.

2004.05.09 -- Version 2.0-beta1

* Unchanged from test29 except for version number

2004.05.08 -- Version 2.0-test29

* Modified --dev-node on Windows to accept a TAP-Win32
GUID name. In addition, --show-adapters will now
display the high-level name and GUID of each adapter.
This is an attempt to work around an issue in Windows
where sometimes the TAP-Win32 adapter installs correctly
but has no icon in the network connections control
panel. In such cases, being able to specify
--dev-node {TAP-GUID} can work around the missing icon.

2004.05.07 -- Version 2.0-test28

* Fixed bug which could cause segfault on program
shutdown if --route and --persist-tun are used

2004.05.06 -- Version 2.0-test27

* Fixed bug in close_instance() which might cause
memory to be accessed after it had already been freed.
* Fixed bug in verify_callback() that might have
caused uninitialized data to be referenced.
* --iroute now allows full CIDR subnet routing.
* In "--mode server --dev tun" usage, source addresses
on VPN packets coming from a particular client must
be associated with that client in the OpenVPN internal

2004.04.28 -- Version 2.0-test26

* Optimized broadcast path in multi-client mode.
* Added socket buffer size options --rcvbuf & --sndbuf.
* Configure Linux tun/tap driver to use a more sensible
txqueuelen default. Also allow explicit setting
via --txqueuelen option (Harald Roelle).
* The --remote option now allows the port number
to be specified as the second parameter. If
unspecified, the port number defaults to the
* Multiple --remote options on the client can now be
specified for load balancing and failover. The
--remote-random flag can be used to initially randomize
the --remote list for basic load balancing.
* If a remote DNS name resolves to multiple DNS addresses,
one will be chosen at random as a kind of basic
load-balancing feature if --remote-random is used.
* Added --connect-freq option to control maximum
new connection frequency in multi-client mode.
* In multi-client mode, all syslog messages associated
with a specific client now include a client-ID prefix.
* For Windows, use a gettimeofday() function based
on QueryPerformanceCounter (Derek Burdick).
* Fixed bug in interaction between --key-method 2
and DES ciphers, where dynamic keys would be generated
with bad parity and then be rejected.

2004.04.17 -- Version 2.0-test24

* Reworked multi-client broadcast handling.

2004.04.13 -- Version 2.0-test23

* Fixed bug in --dev tun --client-to-client routing.
* Fixed a potential deadlock in --pull.
* Fixed a problem with select() usage which could
cause a repeating sequence of "select : Invalid

2004.04.11 -- Version 2.0-test22

* Fixed bug where --mode server + --daemon was
prematurely closing syslog connection.
* Added support for --redirect-gateway on Mac OS X
* Minor changes to TAP-Win32 driver based on feedback
from the NDISTest tool.

2004.04.11 -- Version 2.0-test21

* Optimizations in multi-client server event loop.

2004.04.10 -- Version 2.0-test20

* --mode server capability now works with either tun
or tap interfaces. When used with tap interfaces,
OpenVPN will internally bridge all client tap
interfaces with the server tap interface.
* Connecting clients can now have a client-specific
configuration on the server, based on the client
common name embedded in the client certificate.
See --client-config-dir and --client-connect.
These options can be used to configure client-specific
* Added an option --client-to-client that enables
internal client-to-client routing or bridging.
Otherwise, clients will only "see" the server,
not other connected clients.
* Fixed bug in route scheduling which would have caused
--mode server to not work on Windows in test18
and test19 with the sample config file.
* Man page is up to date with all new options.
* OpenVPN 2.0 release notes on web site updated
with tap-style tunnel examples.

2004.04.02 -- Version 2.0-test19

* Fixed bug where routes pushed from server were
not working correctly on Windows clients.
* Added Mac OS X route patch (Jeremy Apple).

2004.03.30 -- Version 2.0-test18

* Minor fixes + Windows self-install modified
to use OpenSSL 0.9.7d.

2004.03.29 -- Version 2.0-test17

* Fixed some bugs related to instance timeout and deletion.
* Extended --push/--pull option to support additional

2004.03.28 -- Version 2.0-test16

* Successful test of --mode udp-server, --push,
--pull, and --ifconfig-pool with server on
Linux 2.4 and clients on Linux and Windows.

2004.03.25 -- Version 2.0-test15

* Implemented hash-table lookup of client instances
based either on remote UDP address/port or remote
* Implemented a randomized binary tree based
scheduler for scalably scheduling a large number
of client instance events. Uses the treap
data structure and node rotation algorithm
to keep the tree balanced.
* Initial implementation of ifconfig-pool.
* Made --key-method 2 the default.

2004.03.20 -- Version 2.0-test14

* Implemented --push and --pull.

2004.03.20 -- Version 2.0-test13

* Reduced struct tls_multi and --single-session
* Modified --single-session flag to be used
in multi-client UDP server client instances.

2004.03.19 -- Version 2.0-test12

* Added the key multi-client UDP server options,
--mode, --push, --pull, and --ifconfig-pool.
* Revamped GC (garbage collection) code to not rely
* Modifications to thread.[ch] to allow a more
flexible thread model.

2004.03.16 -- Version 2.0-test11

* Moved all timer code to interval.h, added new file
* Fixed missing include.

2004.03.16 -- Version 2.0-test10

* More TAP-Win32 fixes.
* Initial debugging and testing of multi.[ch].

2004.03.14 -- Version 2.0-test9

* Branch merge with 1.6-rc3
* More point-to-multipoint work in multi.[ch].
* Major TAP-Win32 driver restructuring to use
NdisMRegisterDevice instead of
IoCreateDevice/IoCreateSymbolicLink.
* Changed TAP-Win32 symbolic links to use \DosDevices\Global\
* In the majority of cases, TAP-Win32 should now be
able to install and uninstall on Win2K without requiring
* TAP-Win32 MAC address can now be explicitly set in the
adapter advanced properties page.

2004.03.04 -- Version 2.0-test8

* Branch merge with 1.6-rc2.

2004.03.03 -- Version 2.0-test7

* Branch merge with 1.6-rc1.2.

2004.03.02 -- Version 2.0-test6

* Branch merge with 1.6-rc1.

2004.03.02 -- Version 2.0-test5

* Moved Socks5 UDP header append/remove to socks.c; it is
called from forward.c.
* Moved verify statics from ssl.c into struct tls_session.
* Wrote multi.[ch] to handle top level of point-to-multipoint
* Wrote some code to allow a struct link_socket in a child context
to be slaved to the parent context.
* Broke up packet read and process functions in forward.c
(from socket or tuntap) into separate functions for read
and process, so that point-to-point and point-to-multipoint can
share the same code.
* Expand TLS control channel to allow the passing of configuration
* Wrote mroute.[ch] to handle internal packet routing for
point-to-multipoint mode.

2004.02.22 -- Version 2.0-test3

* Initial work on UDP multi-client server.
* Branch merge of 1.6-beta7

2004.02.14 -- Version 2.0-test2

* Refactoring of openvpn.c into openvpn.[ch]
init.[ch] forward.[ch] forward-inline.h
occ.[ch] occ-inline.h ping.[ch] ping-inline.h
sig.[ch]. Created a master per-tunnel
struct context in openvpn.h.
* Branch merge of 1.6-beta6.2

2003.11.06 -- Version 2.0-test1

* Initial testbed for 2.0.

2004.05.09 -- Version 1.6.0

* Unchanged from 1.6-rc4 except for version number

2004.04.01 -- Version 1.6-rc4

* Made minor customizations to devcon and
renamed as tapinstall.exe for Windows version.
* Fixed "storage size of `iv' isn't known" build
* OpenSSL 0.9.7d bundled with Windows self-install.

2004.03.13 -- Version 1.6-rc3

* Minor Windows fixes for --ip-win32 dynamic, relating to
the way the TAP-Win32 driver responds to a DHCP request
from the Windows DHCP client.
* The net_gateway environmental variable wasn't being
set correctly for called scripts (Paul Zuber).
* Added code to determine the default gateway on FreeBSD,
allowing the --redirect-gateway option to work
(Juan Rodriguez Hervella).

2004.03.04 -- Version 1.6-rc2

* Fixed bug in Windows version where the NetBIOS node-type
DHCP option might have been passed even if it was not
* Fixed bug in Windows version introduced in 1.6-rc1, where
DHCP timeout would be set to 0 seconds if --ifconfig option
was used and --ip-win32 option was not explicitly specified.
* Added some new --dhcp-option types for Windows version.

2004.03.02 -- Version 1.6-rc1

* For Windows, make "--ip-win32 dynamic" the default.
* For Windows, make "--route-delay 10" the default
when --ip-win32 dynamic is used and --route-delay
is not explicitly specified.
* L_TLS mutex could have been left in a locked state
for certain kinds of TLS errors.

2004.02.22 -- Version 1.6-beta7

* Allow scheduling priority increase (--nice) together
with UID/GID downgrade (--user/--group).
* Code that causes SIGUSR1 restart on TLS errors in TCP
mode was not activated in pthread builds.
* Save the certificate serial number in an environmental
variable called tls_serial_{n} prior to calling the
--tls-verify script. n is the current cert chain level.
* Added NetBSD IPv6 tunnel capability (also requires
a kernel patch) (Horst Laschinsky).
* Fixed bug in checking the return value of the nice()
function (Ian Pilcher).
* Bug fix in new FreeBSD IPv6 over TUN code which was
originally added in 1.6-beta5 (Nathanael Rensen).
* More Socks5 fixes -- extended the struct frame
infrastructure to accommodate proxy-based encapsulation
* Added --dhcp-option to Windows version for setting
adapter properties such as WINS & DNS servers.
* Use a default route-delay of 5 seconds when
--ip-win32 dynamic is specified (only applicable when
--route-delay is not explicitly specified).
* Added "log_append" registry variable to control
whether the OpenVPN service wrapper on Windows
opens log files in append (log_append="1") or
truncate (log_append="0") mode. The default

2004.02.05 -- Version 1.6-beta6

* UDP over Socks5 fix to accommodate Socks5 encapsulation
overhead (Christof Meerwald).
* Minor --ip-win32 dynamic tweaks (use long lease time,
invalidate existing lease with DHCPNAK).

2004.02.01 -- Version 1.6-beta5

* Added Socks5 proxy support (Christof Meerwald).
* IPv6 tun support for FreeBSD (Thomas Glanzmann).
* Special TAP-Win32 debug mode for Windows self-install that was
enabled in beta4 is now turned off.
* Added some new Solaris notes to INSTALL (Koen Maris).
* More work on --ip-win32 dynamic.

2004.01.27 -- Version 1.6-beta4

* For this beta, the Windows self-install is a debug version
and will run slower -- use only for testing.
* Reverted the --ip-win32 default back to 'ipapi'
* Added the offset parameter to '--ip-win32 dynamic' which
can be used to control the address of the masqueraded
DHCP server which replies to Windows DHCP requests.
* Added a wait/nowait option to --inetd (nowait can only
be used with TCP sockets, TLS authentication, and over
a bridged configuration -- see FAQ for more info)
(Stefan `Sec` Zehl).
* Added a build-time capability where TAP-Win32 driver
debug messages can be output by OpenVPN at --verb 6

2004.01.20 -- Version 1.6-beta2

* Added ./configure --enable-iproute2 flag which
uses iproute2 instead of route + ifconfig --
this is necessary for the LEAF Linux distro
* Added renewal-time and rebind-time to set of
DHCP options returned by the TAP-Win32 driver when
"--ip-win32 dynamic" is used.

2004.01.14 -- Version 1.6-beta1

* Fixed --proxy bug that sometimes caused plaintext
control info generated by the proxy prior to http
CONNECT method establishment to be incorrectly
parsed as OpenVPN data.
* For Windows version, implemented the
"--ip-win32 dynamic" method and made it the default.
This method sets the TAP-Win32 adapter IP address
and netmask by replying to the kernel's DHCP queries.
See the man page for more detailed info.
* Added --connect-retry parameter which controls
the time interval (in seconds) between connect()
retries when --proto tcp-client is used. Previously,
this value was hardcoded to 5 seconds, and still
* --resolv-retry can now be used with a parameter
of "infinite" to retry indefinitely.
* Added SSL_CTX_use_certificate_chain_file() to ssl.c
for support of multi-level certificate chains
* Fixed --tls-auth incompatibility with 1.4.x and earlier
versions of OpenVPN when the passphrase file is an
OpenVPN static key file (as generated by --genkey).
* Added shell-escape support in config files using
the backslash character ("\") so that (for example)
double quotes can be passed to the shell.
* Added "contrib" subdirectory on tarball, source zip,
and CVS containing user-submitted contributions.
* Added an optional patch to the Redhat init script to
allow the configuration file directory to be a
multi-level directory hierarchy (Farkas Levente).
See contrib/multilevel-init.patch
* Added some scripts and documentation on using
Linux "fwmark" iptables rules to enable
fine-grained routing control over the VPN
(Sean Reifschneider, <jafo@tummy.com>).
1544 See contrib/openvpn-fwmarkroute-1.00
1546 2003.11.20 -- Version 1.5.0
1548 * Minor documentation changes.
1550 2003.11.04 -- Version 1.5-beta14
1552 * Fixed build problem with ./configure --disable-ssl
1553 that was reported on Debian woody.
1554 * Fixed bug where --redirect-gateway could not be used
1555 together with --resolv-retry.
1557 2003.11.03 -- Version 1.5-beta13
1559 * Added CRL (certificate revocation list) capability using
1560 --crl-verify option (Stefano Bracalenti).
1561 * Added --replay-window option for variable replay-protection
1563 * Fixed --fragment bug which might have caused certain large
1564 packets to be sent unfragmented.
1565 * Modified --secret and --tls-auth to permit different cipher and
1566 HMAC keys to be used for each data flow direction. Also
1567 increased static key file size generated by --genkey from
1568 1024 to 2048 bits, where 512 bits each are reserved for
1569 send-HMAC, encrypt, receive-HMAC, and decrypt. Key file forward
1570 and backward compatibility is maintained. See --secret option
1571 documentation on the man page for more info.
1572 * Added --tls-remote option (Teemu Kiviniemi).
1573 * Fixed --tls-cipher documentation regarding correct delimiter
1574 usage (Teemu Kiviniemi).
1575 * Added --key-method option for selecting alternative data
1576 channel key negotiation methods. Method 1 is the default.
1577 Method 2 has been added (see man page for more info).
1578 * Added French translation of HOWTO to web site
1579 (Guillaume Lehmann).
1580 * Fixed problem caused by late resolver library load on
1581 certain platforms when --resolv-retry and --chroot are
1582 used together (Teemu Kiviniemi).
1583 * In TCP mode, all decryption or TLS errors will abort the current
1584 connection (this is not done in UDP mode because UDP is
1586 * Fixed a TCP client reconnect bug that only occurs on the
1587 BSDs, where connect() fails with an invalid argument. This
1588 bug was partially (but not completely) fixed in beta7.
1589 * Added "route_net_gateway" environmental variable which contains
1590 the pre-existing default gateway address from the routing table
1591 (there's no standard API for getting the default gateway, so
1592 right now this feature only works on Windows or Linux).
1593 * Renamed the "route_default_gateway" environmental variable to
1594 "route_vpn_gateway" -- this is the remote VPN endpoint.
1595 * The special keywords vpn_gateway, net_gateway, and remote_host
1596 can now be used for the network or gateway components of the
1597 --route option. See the man page for more info.
1598 * Added the --redirect-gateway option to configure the VPN
1599 as the default gateway (implemented on Linux and Windows only).
1600 * Added the --http-proxy option with basic authentication
1601 support for use in TCP client mode. Successfully tested
1602 using Squid as the HTTP proxy, with and without authentication.
1604 2003.10.12 -- Version 1.5-beta12
1606 * Fixed Linux-only bug in --mktun and --rmtun which was
1607 introduced around beta8 or so, which would cause
1608 an error such as "I don't recognize device tun0 as a
1609 tun or tap device1".
1610 * Added --ifconfig-nowarn option to disable options
1611 consistency warnings about --ifconfig parameters.
1612 * Don't allow any kind of sequence number backtracking or
1613 message reordering when in TCP mode.
1614 * Changed beta naming convention to use '_' (underscore)
1615 rather than '-' (dash) to pacify rpmbuild.
1617 2003.10.08 -- Version 1.5-beta11
1619 * Modified code in the Windows version which sets the IP address
1620 and netmask of the TAP-Win32 adapter using the IP Helper API.
1621 Most of the changes involve better error recovery when
1622 the IP Helper API returns an error status. See the
1623 manual page entry on --ip-win32 for more info.
1625 2003.10.08 -- Version 1.5-beta10
1627 * Added getpass() function for Windows version so that --askpass
1628 option works correctly (Stefano Bracalenti).
1629 * Added reboot advisory to end of Win32 install script.
1630 * Changed crypto code to use pseudo-random IVs rather than
1631 carrying forward the IV state from the previous packet.
1632 This is in response to item 2 in the following document:
1633 http://www.openssl.org/~bodo/tls-cbc.txt which points
1634 out weaknesses in TLS's use of the same IV carryforward
1635 approach. This change does not break protocol compatibility
1636 with previous versions of OpenVPN.
1637 * Made a change to the crypto replay protection code to also
1638 protect against certain kinds of packet reordering attacks.
1639 This change does not break protocol compatibility with
1640 previous versions of OpenVPN.
1641 * Added --ip-win32 option to provide several choices for
1642 setting the IP address on the TAP-Win32 adapter.
1643 * #ifdefed out non-CBC crypto modes by default.
1644 * Added --up-delay option to delay TUN/TAP open and --up script
1645 execution until after connection establishment. This option
1646 replaces the earlier windows-only option --tap-delay.
1648 2003.10.01 -- Version 1.5-beta9
1650 * Fixed --route-noexec bug where option was not parsed correctly.
1651 * Complain if --dev tun is specified without --ifconfig on Windows.
1652 * Fixed bug where TCP connections on windows would sometimes cause
1653 an assertion failure.
1654 * Added a new flag to TAP-Win32 advanced properties that allows one
1655 to set the adapter to be always "connected" even when an OpenVPN
1656 process doesn't have it open. The default behavior is to report
1657 a media status of connected only when an OpenVPN process has the
1659 * Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c
1660 DLLs in response to an OpenSSL security advisory.
1662 2003.09.30 -- Version 1.5-beta8
1664 * Extended the --ifconfig option to work on tap devices as well
1666 * Implemented the --ifconfig option for Windows, by calling the
1668 * By default, do an "arp -d *" on Windows after TAP-Win32 open to
1669 refresh the MAC cache. This behaviour can be disabled with
1671 * On Windows, allow the --dev-node parameter (which specifies
1672 the name of the TAP-Win32 adapter) to be omitted in cases where
1673 there is a single TAP-Win32 adapter on the system which can be
1674 assumed to be the default.
1675 * Modified the diagnostic --verb 5 debugging level to print 'R'
1676 for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read,
1677 and 'w' for TUN/TAP write.
1678 * Conditionalize OpenBSD read_tun and write_tun based on tun or tap
1680 * Added IPv6 tun support to OpenBSD (Thomas Glanzmann).
1681 * Make the --enable-mtu-dynamic ./configure option enabled by
1683 * Deprecated the --mtu-dynamic run-time option, in favor of
1685 * DNS names can now be used as --ifconfig parameters.
1686 * Significant work on TAP-Win32 driver to bring up to SMP standards.
1687 * On Windows, fixed dangling IRP problem if TAP-Win32 driver is
1688 unloaded or disabled, while a user-space process has it open.
1689 * On Windows, if --tun-mtu is not specified, it will be read from
1690 the TAP-Win32 driver via ioctl.
1691 * On Windows, added TAP-Win32 driver status info to "F2" keyboard
1692 signal (only when run from a console window).
1693 * Added --mssfix option to control TCP MSS size (YANO Hirokuni).
1694 * Renamed --mtu-dynamic option to --fragment to more accurately
1695 reflect its function. Fragment accepts a single parameter which
1696 is the upper limit on acceptable UDP packet size.
1697 * Changed default --tun-mtu-extra parameter to 32 from 64.
1698 * Eliminated reference to malloc.o in configure.ac.
1699 * Added tun device emulation to the TAP-Win32 driver.
1700 * Added --route and related options.
1701 * Added init script for SuSE Linux (Frank Plohmann).
1702 * Extended option consistency check between peers to function
1703 in all crypto modes, including static-key and cleartext modes.
1704 Previously only TLS mode was supported. Disable with
1706 * Overall, increased the amount of configuration option sanity
1707 checking, especially of networking parameters.
1708 * Added --mtu-test option for empirical MTU measurement.
1709 * Added Windows-only option --tap-delay to not set the TAP-Win32
1710 adapter media state to 'connected' until TCP/UDP connection
1711 establishment with peer.
1712 * Slightly modified --route/--route-delay semantics so that when
1713 --route is given without --route-delay, routes are added
1714 immediately after tun/tap device open. When --route-delay is
1715 specified, routes will be added n seconds after connection
1716 initiation, where n is the --route-delay parameter (which
1718 * Made TCP framing error into a non-fatal error that triggers a
1721 2003.08.28 -- Version 1.5-beta7
1723 * Fixed bug that caused OpenVPN not to respond to exit/restart
1724 signals when --resolv-retry is used and a local or remote DNS
1725 name cannot be resolved.
1726 * Exported a series of environmental variables with useful
1727 info for scripts. See man page for more info. Based
1728 on a suggestion by Anthony Ciaravalo.
1729 * Moved TCP/UDP socket bind to a point in the initialization
1730 before the --up script gets called. This is desirable
1731 because (a) a socket bind failure will happen before
1732 daemonization, allowing an error status code to be returned
1733 to the shell and (b) the possibility is eliminated of a
1734 socket bind failure causing the --up script to be run
1735 but not the --down script. This change has a side effect
1736 that --resolv-retry will no longer work with --local.
1737 * Fixed bug where if an OpenVPN TCP server went down and back
1738 up again, Solaris or FreeBSD clients would fail to reconnect
1740 * Fixed bug that prevented OpenVPN from being run by
1741 inetd/xinetd in TCP mode.
1742 * Added --log and --log-append options for logging messages to
1744 * On Windows, check that the current user is a member of the
1745 Administrator group before attempting install or uninstall.
1747 2003.08.16 -- Version 1.5-beta6
1749 * Fixed TAP-Win32 driver to properly increment the Rx/Tx count.
1751 2003.08.14 -- Version 1.5-beta5
1753 * Added user-configurability of the TAP-Win32 adapter MTU
1754 through the adapter advanced properties page.
1755 * Added Windows Service support.
1756 * On Windows, added file association and right-clickability
1757 for .ovpn files (OpenVPN config files).
1759 2003.08.05 -- Version 1.5-beta4
1761 * Extra refinements and error checking added to Windows
1762 NSIS install script.
1764 2003.08.05 -- Version 1.5-beta3
1766 * Added md5.h include to crypto.c to fix build problem on
1768 * Created a Win32 installer using NSIS.
1769 * Removed DelService command from TAP-Win32 INF file. It appears
1770 to be not necessary and it interfered with the ability to
1771 uninstall and reinstall the driver without needing to reboot.
1772 * On Windows version, added "addtap" and "deltapall" batch
1773 files to add and delete TAP-Win32 adapter instances.
1775 2003.07.31 -- Version 1.5-beta2
1777 * Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted
1778 in Windows ASCII so it's easier to click and view.
1779 * Added postscript and PDF versions of the HOWTO to the web
1781 * Merged Michael Clarke's stability patch into TAP-Win32
1782 driver which appears to fix the suspend/resume driver bug
1783 and significantly improve driver stability.
1784 * Added Christof Meerwald's Media Status patch to the
1785 TAP-Win32 driver which shows the TAP adapter to be
1786 disconnected when OpenVPN is not running.
1787 * Moved socket connect and TCP server listen code to a later
1788 point in openvpn() function so that the TCP server listen
1789 state is entered after daemonization.
1790 * Added keyboard shortcuts to simulate signals in the Windows
1791 version, see the window title bar for descriptions.
1793 2003.07.24 -- Version 1.5-beta1
1795 * Added TCP support via the new --proto option.
1796 * Renamed udp-centric options such as --udp-mtu to
1797 --link-mtu (old option names preserved for compatibility).
1798 * Ported to Windows 2000 + XP using mingw and a TAP driver
1799 derived from the Cipe-Win32 project by Damion K. Wilson.
1800 * Added --show-adapters flag for windows version.
1801 * Reworked the SSL/TLS packet acknowledge code to better
1802 handle certain corner cases.
1803 * Turned off the default enabling of IP forwarding in the
1804 sample-scripts/openvpn.init script for Redhat.
1805 Forwarding can be enabled by users in their --up scripts
1807 * Added --up-restart option based on suggestion from Sean
1809 * If --dev tap or --dev-type tap is specified, --tun-mtu
1810 defaults to 1500 and --tun-mtu-extra defaults to 64.
1811 * Enabled --verb 5 debugging mode that prints 'R' and 'W'
1812 for each packet read or write on the TCP/UDP socket.
1814 2003.08.04 -- Version 1.4.3
1816 * Added md5.h include to crypto.c
1817 to fix build problem on OpenBSD.
1819 2003.07.15 -- Version 1.4.2
1821 * Removed adaptive bandwidth from
1822 --mtu-dynamic -- its absence appears
1823 to work better than its existence (1.4.1.2).
1824 * Minor changes to --shaper to fix long
1825 retransmit timeouts at low bandwidth
1827 * Added LOG_RW flag to openvpn.h for
1828 debugging (1.4.1.2).
1829 * Silenced spurious configure warnings (1.4.1.2).
1830 * Backed out --dev-name patch, modified --dev
1831 to offer equivalent functionality (1.4.1.4).
1832 * Added an optional parameter to --daemon and
1833 --inetd to support the passing of a custom
1834 program name to the system logger (1.4.1.5).
1835 * Add compiled-in options to the program title
1837 * Coded the beginnings of a WIN32 port (1.4.1.5).
1838 * Succeeded in porting to Win32 Mingw environment
1839 and running loopback tests (1.4.1.6). Still
1840 need a kernel driver for full Win32
1842 * Fixed a bug in error.h where
1843 HAVE_CPP_VARARG_MACRO_GCC was misspelled.
1844 This would have caused a significant slowdown
1845 of OpenVPN when built by compilers that
1846 lack ISO C99 vararg macros (1.4.1.6).
1847 * Created an init script for Gentoo Linux
1848 in ./gentoo directory (1.4.1.6).
1850 2003.05.15 -- Version 1.4.1
1852 * Modified the Linux 2.4 TUN/TAP open code to
1853 fall back to the 2.2 TUN/TAP interface if the
1854 open or ioctl fails.
1855 * Fixed bug when --verb is set to 0 and non-fatal
1856 socket errors occur, causing 100% CPU utilization.
1857 Occurs on platforms where
1858 EXTENDED_SOCKET_ERROR_CAPABILITY is defined,
1860 * Fixed typo in tun.c that was preventing
1862 * Added --enable-mtu-dynamic configure option
1863 to enable --mtu-dynamic experimental option.
1865 2003.05.07 -- Version 1.4.0
1867 * Added --replay-persist feature to allow replay
1868 protection across sessions.
1869 * Fixed bug where --ifconfig could not be used
1871 * Added --tun-mtu-extra parameter to deal with
1872 the situation where a read on a TUN/TAP device
1873 returns more data than the device's MTU size.
1874 * Fixed bug where some IPv6 support code for
1875 Linux was not being properly ifdefed out for
1876 Linux 2.2, causing compile errors.
1877 * Added OPENVPN_EXIT_STATUS_x codes to
1878 openvpn.h to control which status value
1879 openvpn returns to its caller (such as
1880 a shell or inetd/xinetd) for various conditions.
1881 * Added OPENVPN_DEBUG_COMMAND_LINE flag to
1882 openvpn.h to allow debugging in situations
1883 where stdout, stderr, and syslog cannot be used
1884 for message output, such as when OpenVPN is
1885 instantiated by inetd/xinetd.
1886 * Removed owner-execute permission from file
1887 created by static key generator (Herbert Xu
1888 and Alberto Gonzalez Iniesta).
1889 * Added --passtos option to allow IPv4 TOS bits
1890 to be passed from TUN/TAP input packets to
1891 the outgoing UDP socket (Craig Knox).
1892 * Added code to prevent open socket file descriptors
1893 from being accessible to called scripts.
1894 * Added --dev-name option (Christian Lademann).
1895 * Added --mtu-disc option for manual control
1897 * Show OS MTU value on UDP socket write failures
1899 * Numerous build system and portability
1900 fixes (Matthias Andree).
1901 * Added better sensing of compiler support for
1902 variable argument macros, including (a) gcc
1903 style, (b) ISO C 1999 style, and (c) no support.
1904 * Removed generated files from CVS. Note INSTALL
1905 file for new CVS build commands.
1906 * Changed certain internal symbol names
1907 for C standards compliance.
1908 * Added TUN/TAP open code to cycle dynamically
1909 through unit numbers until it finds a free
1910 unit (based on code from Thomas Gielfeldt
1912 * Added dynamic MTU and fragmenting infrastructure
1913 (Experimental). Rebuild with FRAGMENT_ENABLE
1915 * Minor changes to SSL/TLS negotiation, use
1916 exponential backoff on retransmits, and use
1917 a smaller MTU size (note that no protocol
1918 changes have been made which would break
1919 compatibility with 1.3.x).
1920 * Added --enable-strict-options flag
1921 to ./configure. This option will cause
1922 a more strict check for options compatibility
1923 between peers when SSL/TLS negotiation is used,
1924 but should only be used when both OpenVPN peers
1925 are of the same version.
1926 * Reorganization of debugging levels.
1927 * Added a workaround in configure.ac for
1928 default SSL header location on Linux
1929 to fix RH9 build problem.
1930 * Fixed potential deadlock when pthread support
1931 is used on OSes that allocate a small socketpair()
1933 * Fixed openvpn.init to be sh compliant
1935 * Changed --daemon to wait until all
1936 initialization is finished before becoming a
1937 daemon, for the benefit of initialization
1938 scripts that want a useful return status from
1939 the openvpn command.
1940 * Made openvpn.init script more robust, including
1941 positive indication of initialization errors
1942 in the openvpn daemon and better sanity checks.
1943 * Changed --chroot to wait until initialization
1944 is finished before calling chroot(), and allow
1945 the use of --user and --group with --chroot.
1946 * When syslog logging is enabled (--daemon or
1947 --inetd), set stdin/stdout/stderr to point
1949 * For inetd instantiations, dup socket descriptor
1951 * Fixed bug in verify-cn script, where test would
1952 incorrectly fail if CN=x was the last component
1953 of the X509 composite string (Anonymous).
1954 * Added Markus F.X.J. Oberhumer's special
1955 license exception to COPYING.
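The verify-cn fix in the 1.4.0 entry above is easy to get wrong in any --tls-verify script that inspects the '/'-delimited X.509 subject string, so here is the check as an added example (this is not the verify-cn script from the distribution). The buggy form below requires a delimiter after the CN and therefore misses a CN that is the last component; the corrected form splits the composite string and compares the CN component exactly, which also avoids the prefix match of "client1" against "client10". The subject strings are constructed.

```python
"""CN check for a --tls-verify script, as an added example.

The script receives the certificate depth and the X.509 subject as a
'/'-delimited composite string (e.g. "/C=US/O=Example/CN=client1").
Subject strings in demo() are constructed, not real certificates."""

def cn_matches_buggy(subject, expected):
    # Requires a '/' after the CN, so a subject that ends in "/CN=client1"
    # is rejected even though the CN is correct (the 1.4.0 bug).
    return ("/CN=%s/" % expected) in subject

def cn_matches_naive(subject, expected):
    # Plain substring test: accepts "CN=client10" for expected "client1".
    return ("CN=%s" % expected) in subject

def cn_matches(subject, expected):
    # Split on the delimiter and compare the CN component exactly, so the
    # last-component case works and "client10" does not match "client1".
    for part in subject.split("/"):
        if part.startswith("CN="):
            return part[3:] == expected
    return False

def tls_verify(depth, subject, expected_cn):
    """Exit-status style result: 0 accepts, 1 rejects.  Only the leaf
    certificate (depth 0) is matched against the expected CN; the CA
    certificates above it pass through unchanged."""
    if depth != 0:
        return 0
    return 0 if cn_matches(subject, expected_cn) else 1

def demo():
    leaf_last = "/C=US/O=Example/CN=client1"                      # CN is last
    leaf_mid = "/C=US/O=Example/CN=client1/emailAddress=a@example.test"
    lookalike = "/C=US/O=Example/CN=client10"
    return {
        "buggy_misses_last": cn_matches_buggy(leaf_last, "client1"),   # False
        "naive_accepts_lookalike": cn_matches_naive(lookalike, "client1"),  # True
        "fixed_last": cn_matches(leaf_last, "client1"),                # True
        "fixed_mid": cn_matches(leaf_mid, "client1"),                  # True
        "fixed_lookalike": cn_matches(lookalike, "client1"),           # False
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Attribute values can themselves contain '/', so a production check should work from parsed subject fields rather than from the composite string; the composite form is used here only because it is what the script in the 1.4.0 entry was given.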
1957 2002.10.23 -- Version 1.3.2
1959 * Added SSL_CTX_set_client_CA_list call
1960 to follow the canonical form for TLS initialization
1961 recommended by the OpenSSL docs. This change allows
1962 better support for intermediate CAs and has no impact
1964 * Added build-inter script to easy-rsa package, to
1965 facilitate the generation of intermediate CAs.
1966 * Ported to NetBSD (Dimitri Goldin).
1967 * Fixed minor bug in easy-rsa/sign-req. It refers to
1968 openssl.cnf file, instead of $KEY_CONFIG, like all
1969 other scripts (Ernesto Baschny).
1970 * Added --days 3650 to the root CA generation command
1971 in the HOWTO to override the woefully small 30 day
1972 default (Dominik 'Aeneas' Schnitzer).
1973 * Fixed bug where --ping-restart would sometimes
1974 not re-resolve remote DNS hostname.
1975 * Added --tun-ipv6 option and related infrastructure
1976 support for IPv6 over tun.
1977 * Added IPv6 over tun support for Linux (Aaron Sethman).
1978 * Added FreeBSD 4.1.1+ TUN/TAP driver notes to
1979 INSTALL (Matthias Andree).
1980 * Added inetd/xinetd support (--inetd) including
1981 documentation in the HOWTO.
1982 * Added "Important Note on the use of commercial certificate
1983 authorities (CAs) with OpenVPN" to HOWTO based on
1984 issues raised on the openvpn-users list.
1986 2002.07.10 -- Version 1.3.1
1988 * Fixed bug in openvpn.spec and openvpn.init
1989 which caused RPM upgrade to fail.
1991 2002.07.10 -- Version 1.3.0
1993 * Added --dev-node option to allow explicit selection of
1994 tun/tap device node.
1995 * Removed mlockall call from child thread, as it doesn't
1996 appear to be necessary (child thread inherits mlockall
1998 * Added --ping-timer-rem which causes timer for --ping-exit
1999 and --ping-restart not to run unless we have a remote IP
2001 * Added condrestart to openvpn.init and openvpn.spec
2003 * Added --ifconfig case for FreeBSD (Matthias Andree).
2004 * Call openlog with facility=LOG_DAEMON (Matthias Andree).
2005 * Changed LOG_INFO messages to LOG_NOTICE.
2006 * Added warning when key files are group/others accessible.
2007 * Added --single-session flag for TLS mode.
2008 * Fixed bug where --writepid would segfault if used with
2009 an invalid filename.
2010 * Fixed bug where --ipchange status message was formatted
2012 * Print more concise error message when system() call
2014 * Added --disable-occ option.
2015 * Added --local, --remote, and --ifconfig options sanity
2017 * Changed default UDP MTU to 1300 and TUN/TAP MTU to
2019 * Successfully tested with OpenSSL 0.9.7 Beta 2.
2020 * Broke out debug level definitions to errlevel.h
2021 * Minor documentation and web site changes.
2022 * All changes maintain protocol compatibility
2023 with OpenVPN versions since 1.1.0, however default
2024 MTU changes will require setting the MTU explicitly
2025 by command line option, if you want 1.3.0 to
2026 communicate with previous versions.
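The 1.5-beta13 entry (2048-bit static key split into four 512-bit slots for send-HMAC, encrypt, receive-HMAC and decrypt) and the 1.3.0 entry (warning when key files are group/others accessible) together describe what a loader of --genkey output has to do. The following is an added example, not OpenVPN's own key-loading code. It assumes the on-disk slot order is the order the changelog lists, that the peer configured with the opposite --secret direction mirrors that assignment, and that a legacy 1024-bit file holds one HMAC slot and one cipher slot used in both directions; the key bytes are constructed and the file is written to a temporary directory.

```python
"""Parse an OpenVPN "Static key V1" file into per-direction key material
and warn about unsafe file permissions.  Added example, not OpenVPN code.

Assumptions (not confirmed by the changelog): slot order on disk is
send-HMAC, encrypt, receive-HMAC, decrypt; direction 1 mirrors direction
0; a 1024-bit file holds one HMAC slot then one cipher slot for both
directions.  Key bytes used in demo() are constructed, not a real key."""
import os
import re
import stat
import tempfile

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
SLOT = 64                      # 512 bits per slot

def format_key_file(raw):
    """Write key bytes in the V1 text layout: 32 hex chars per line."""
    hexed = raw.hex()
    body = "\n".join(hexed[i:i + 32] for i in range(0, len(hexed), 32))
    return "#\n# %d bit OpenVPN static key\n#\n%s\n%s\n%s\n" % (
        len(raw) * 8, BEGIN, body, END)

def parse_key_file(text):
    m = re.search(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), text, re.S)
    if not m:
        raise ValueError("no static key block found")
    hexed = "".join(m.group(1).split())
    if not re.fullmatch(r"[0-9a-fA-F]*", hexed):
        raise ValueError("non-hex data in key block")
    raw = bytes.fromhex(hexed)
    if len(raw) not in (2 * SLOT, 4 * SLOT):
        raise ValueError("unexpected key length %d bits" % (len(raw) * 8))
    return raw

def directional_keys(raw, direction):
    """Return {'send_hmac', 'encrypt', 'recv_hmac', 'decrypt'}.
    Direction 0 takes the slots in file order; direction 1 (the peer)
    swaps the send and receive halves so that what one side encrypts
    and authenticates the other side decrypts and verifies."""
    if direction not in (0, 1):
        raise ValueError("direction must be 0 or 1")
    if len(raw) == 2 * SLOT:          # legacy 1024-bit layout (assumed)
        hmac, cipher = raw[:SLOT], raw[SLOT:]
        return {"send_hmac": hmac, "encrypt": cipher,
                "recv_hmac": hmac, "decrypt": cipher}
    send_hmac, encrypt, recv_hmac, decrypt = (
        raw[i:i + SLOT] for i in range(0, 4 * SLOT, SLOT))
    if direction == 1:
        send_hmac, recv_hmac = recv_hmac, send_hmac
        encrypt, decrypt = decrypt, encrypt
    return {"send_hmac": send_hmac, "encrypt": encrypt,
            "recv_hmac": recv_hmac, "decrypt": decrypt}

def permission_warnings(path):
    """Group/other access (1.3.0 warning) and owner-execute (removed from
    --genkey output in 1.4.0) are both flagged."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    warnings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        warnings.append("%s is accessible by group/others (mode %04o)" % (path, mode))
    if mode & stat.S_IXUSR:
        warnings.append("%s is owner-executable, which a key file never needs" % path)
    return warnings

def load_static_key(path, direction):
    with open(path) as fh:
        raw = parse_key_file(fh.read())
    return directional_keys(raw, direction), permission_warnings(path)

def demo():
    raw = bytes(range(256))                   # constructed, NOT a real key
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "static.key")
        with open(path, "w") as fh:
            fh.write(format_key_file(raw))
        os.chmod(path, 0o644)                 # too permissive: one warning
        keys_a, warn_a = load_static_key(path, 0)
        os.chmod(path, 0o600)                 # as --genkey should leave it
        keys_b, warn_b = load_static_key(path, 1)
    return keys_a, warn_a, keys_b, warn_b

if __name__ == "__main__":
    ka, wa, kb, wb = demo()
    print("A encrypt == B decrypt:", ka["encrypt"] == kb["decrypt"])
    print("warnings at 0644:", wa, "warnings at 0600:", wb)
```

The cipher in use only consumes a prefix of each 512-bit slot (for example 128 bits for a 128-bit cipher key), which is why the file can be oversized relative to any single cipher or HMAC and still remain compatible as ciphers change.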
2028 2002.06.12 -- Version 1.2.1
2030 * Added --ping-restart option to restart
2031 connection on ping timeout using SIGUSR1
2032 logic (Matthias Andree).
2033 * Added --persist-tun, --persist-key,
2034 --persist-local-ip, and --persist-remote-ip
2035 options for finer-grained control over SIGUSR1
2036 and --ping-restart restarts. To
2037 replicate previous SIGUSR1 functionality,
2038 use --persist-remote-ip.
2039 * Changed residual IV fetching code to take
2040 IV from tail of ciphertext.
2041 * Added check to make sure that CFB or OFB
2042 cipher modes are only used with SSL/TLS
2043 authentication mode, and added a caveat
2045 * Changed signal handling during initialization
2046 (including re-initialization during restarts)
2047 to exit on SIGTERM or SIGINT and ignore other
2048 signals which would ordinarily be caught.
2049 * Added --resolv-retry option to allow
2050 retries on hostname resolution.
2051 * Expanded the --float option to also
2052 allow dynamic changes in source port number
2053 on incoming datagrams.
2054 * Added --mute option to limit repetitive
2055 logging of similar message types.
2056 * Added --group option to downgrade GID
2057 after initialization.
2058 * Try to set ifconfig path automatically
2060 * Added --ifconfig code for Mac OS X
2061 (Christoph Pfisterer).
2062 * Moved "Peer Connection Initiated" message
2064 * Successfully tested with
2065 OpenSSL 0.9.7 Beta 1 and AES cipher.
2066 * Added RPM notes to INSTALL.
2067 * Added ACX_PTHREAD (from the autoconf
2068 macro archive) to configure.ac
2069 to figure out the right pthread
2070 options for a given platform.
2071 * Broke out macro definitions from
2072 configure.ac to acinclude.m4.
2073 * Minor changes to docs and HOWTO.
2074 * All changes maintain protocol compatibility
2075 with OpenVPN versions since 1.1.0.
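The 1.5-beta10 entry (pseudo-random IVs instead of carrying the IV state forward, in response to item 2 of tls-cbc.txt) and the 1.2.1 entry above (residual IV taken from the tail of the previous ciphertext) are two sides of the same design question, and the reason for the change is easiest to see in code. The following is an added example, not OpenVPN's crypto code. The 16-byte block cipher is a four-round keyed Feistel network over SHA-256, chosen as a stand-in so the example runs with the standard library alone; the attack is independent of the cipher and applies to AES-CBC in the same way. Keys, packets and guesses are constructed.

```python
"""Why a chained (carried-forward) CBC IV is a chosen-plaintext problem.

Added example, not OpenVPN code.  The block cipher is a toy keyed Feistel
network (a stand-in for AES); everything else (IV handling, the attack)
is the real argument from tls-cbc.txt.  All keys/packets are constructed."""
import hashlib
import os

BLOCK = 16

def xor(*parts):
    out = bytes(parts[0])
    for p in parts[1:]:
        out = bytes(a ^ b for a, b in zip(out, p))
    return out

def _round(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def block_encrypt(key, block):
    """Toy 128-bit block cipher: 4-round Feistel, a permutation like AES."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, plaintext):
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a whole number of blocks")
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

class ChainedIVSender:
    """Old behaviour: the next packet's IV is the previous packet's last
    ciphertext block, which the attacker has already seen on the wire."""
    def __init__(self, key):
        self.key, self.next_iv = key, bytes(BLOCK)
    def send(self, plaintext):
        iv = self.next_iv
        ct = cbc_encrypt(self.key, iv, plaintext)
        self.next_iv = ct[-BLOCK:]
        return iv, ct

class RandomIVSender:
    """New behaviour: an unpredictable IV chosen per packet, sent explicitly."""
    def __init__(self, key):
        self.key = key
    def send(self, plaintext):
        iv = os.urandom(BLOCK)
        return iv, cbc_encrypt(self.key, iv, plaintext)

def confirm_guess(sender, wire, guess):
    """Chosen-plaintext test of `guess` for the first block of wire[0].
    The attacker predicts the next IV as the last ciphertext block seen,
    then has the sender encrypt guess ^ iv0 ^ predicted_iv.  If both the
    prediction and the guess are right, the cipher input is the same as
    for the original block, so the ciphertext block repeats."""
    iv0, ct0 = wire[0]
    predicted_iv = wire[-1][1][-BLOCK:]
    crafted = xor(guess, iv0, predicted_iv) + b"\x00" * BLOCK
    iv, ct = sender.send(crafted)
    wire.append((iv, ct))
    return ct[:BLOCK] == ct0[:BLOCK]

def demo(sender_cls):
    """Returns (correct guess confirmed?, wrong guess confirmed?)."""
    sender = sender_cls(b"\x01" * BLOCK)                  # constructed key
    secret = b"password-block!!" + b"trailing-block-x"    # constructed packet
    wire = [sender.send(secret)]
    right = confirm_guess(sender, wire, b"password-block!!")
    wrong = confirm_guess(sender, wire, b"wrong-guess-0000")
    return right, wrong

if __name__ == "__main__":
    print("chained IV:", demo(ChainedIVSender))   # (True, False): secret confirmed
    print("random IV: ", demo(RandomIVSender))    # (False, False): attack fails
```

Because the IV travels explicitly in the packet in both schemes, the receiver does not care how it was chosen, which is why the 1.5-beta10 entry can say the change keeps protocol compatibility.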
2077 2002.05.22 -- Version 1.2.0
2079 * Added configuration file support via
2080 the --config option.
2081 * Added pthread support to improve latency.
2082 With pthread support, OpenVPN
2083 will offload CPU-intensive tasks such as RSA
2084 key number crunching to a background thread
2085 to improve tunnel packet forwarding
2086 latency. pthread support can be enabled
2087 with the --enable-pthread configure option.
2088 Pthread support is currently available
2089 only for Linux and Solaris.
2090 * Added --dev-type option so that tun/tap
2091 device names don't need to begin with
2093 * Added --writepid option to write main
2094 process ID to a file.
2095 * Numerous portability fixes to ease
2096 porting to other OSes including changing
2097 all network types to uint8_t and uint32_t,
2098 and not assuming that time_t is 32 bits.
2099 * Backported to OpenSSL 0.9.5.
2100 * Ported to Solaris.
2101 * Finished OpenBSD port except for
2103 * Added initialization script:
2104 sample-scripts/openvpn.init
2106 * Ported to Mac OS X (Christoph Pfisterer).
2107 * Improved resilience to DoS attacks when
2108 TLS mode is used without --remote or
2109 --tls-auth, or when --float is used
2110 with --remote. Note however that the best
2111 defense against DoS attacks in TLS mode
2112 is to use --tls-auth.
2113 * Eliminated automake/autoconf dependency
2115 * Ported configure.in to configure.ac
2117 * SIGHUP signal now causes OpenVPN to restart
2118 and re-read command line and or config file,
2119 in conformance with canonical daemon behaviour.
2120 * SIGUSR1 now does what SIGHUP did in
2121 version 1.1.1 and earlier -- close and reopen
2122 the UDP socket for use when DHCP changes
2123 host's IP address and preserve most recently
2124 authenticated peer address without rereading
2126 * SIGUSR2 added -- outputs current statistics,
2127 including compression statistics.
2128 * All changes maintain protocol compatibility
2129 with 1.1.1 and 1.1.0.
2131 2002.04.22 -- Version 1.1.1
2133 * Added --ifconfig option to automatically configure
2135 * Added inactivity disconnect (--inactive
2136 and --ping-exit options).
2137 * Added --ping option to keep stateful firewalls
2139 * Added sanity check to command line parser to
2140 err if any TLS options are used in non-TLS mode.
2141 * Fixed build problem with compiler environments that
2142 define printf as a macro.
2143 * Fixed build problem on linux systems that have
2144 an integrated TUN/TAP driver but lack the persistent
2145 tunnel feature (TUNSETPERSIST). Some linux kernels
2146 >= 2.4.0 and < 2.4.7 fall into this category.
2147 * Changed all calls to EVP_CipherInit to use explicit
2148 encrypt/decrypt mode in order to fix problem with
2149 IDEA-CBC and AES-256-CBC ciphers.
2150 * Minor changes to control channel transmit limiter
2151 algorithm to fix problem where TLS control channel
2152 might not renegotiate within the default 60 second window.
2153 * Simplified man page examples by taking advantage
2154 of the new --ifconfig option.
2155 * Minor changes to configure.in to check more
2156 rigorously for OpenSSL 0.9.6 or greater.
2157 * Put back openvpn.spec, eliminated
2159 * Modified openvpn.spec to reflect new automake-based
2160 build environment (Bishop Clark).
2161 * Other documentation changes.
2162 * Added --test-crypto option for debugging.
2163 * Added "missing" and "mkinstalldirs" automake
2167 2002.04.09 -- Version 1.1.0
2169 * Strengthened replay protection and IV handling,
2170 extending it fully to both static key and
2171 TLS dynamic key exchange modes.
2172 * Added --mlock option to disable paging and ensure that key
2173 material and tunnel data is never paged to disk.
2174 * Added optional traffic shaping feature to cap the maximum
2175 data rate of the tunnel.
2176 * Converted to automake (The Platypus Brothers 2002-04-01).
2177 * Ported to OpenBSD by Janne Johansson.
2178 * Added --tun-af-inet option to work around an incompatibility
2179 between Linux and BSD tun drivers.
2180 * Sequence number-based replay protection using the
2181 IPSec sliding window model is now the default,
2182 disable with --no-replay.
2183 * Explicit IV is now the default, disable with --no-iv.
2184 * Disabled all cipher modes except CBC, CFB, and OFB.
2185 * In CBC mode, use explicit IV and carry forward residuals,
2187 * In CFB/OFB mode, IV is timestamp, sequence number.
2188 * Eliminated --packet-id, --timestamp, and max-delta parameter to
2189 the --tls-auth option as they are now supplanted by improved
2190 replay code which is enabled by default.
2191 * Eliminated --rand-iv as it is now obsolete with improved
2193 * Eliminated --reneg-err option as it increases vulnerability
2195 * Added weak key check for DES ciphers.
2196 * --tls-freq option is no longer specified on the command line,
2197 instead it now inherits its parameter from the
2198 --tls-timeout option.
2199 * Fixed bug that would try to free memory on exit that was
2200 never malloced if --comp-lzo was not specified.
2201 * Errata fixed in the man page examples: "test-ca" should be
2203 * Updated manual page.
2204 * Preliminary work in porting to OpenSSL 0.9.7.
2205 * Changed license to allow linking with OpenSSL.
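The 1.1.0 entry above makes IPSec-style sliding-window replay protection the default; the 1.5-beta12 entry forbids any sequence-number backtracking or reordering in TCP mode, and 1.5-beta13 makes the window size configurable with --replay-window. The two checks are short enough to show in full, so here they are as an added example (not OpenVPN's replay code). Packet ids are assumed to be positive 32-bit sequence numbers carried in each packet; the traffic trace is constructed.

```python
"""Sliding-window replay check (IPsec model) and the strict TCP-mode rule.
Added example, not OpenVPN code.  Packet ids are assumed to be positive
sequence numbers carried in each packet; the trace in __main__ is constructed."""

class ReplayWindow:
    """UDP mode: accept each id at most once, tolerating reordering within
    `window` ids of the highest id seen (the --replay-window analogue)."""

    def __init__(self, window=64):
        if window < 1:
            raise ValueError("window must be >= 1")
        self.window = window
        self.top = 0          # highest id accepted so far (0 = nothing yet)
        self.bitmap = 0       # bit i set <=> id (top - i) has been seen

    def check_and_update(self, pid):
        """True if pid is fresh (and now recorded); False for a replay,
        an id that has fallen behind the window, or an invalid id."""
        if pid <= 0:
            return False                                  # 0 is never valid
        if pid > self.top:
            shift = pid - self.top                        # advance the window
            if shift >= self.window:
                self.bitmap = 1                           # everything older drops out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = pid
            return True
        diff = self.top - pid
        if diff >= self.window:
            return False                                  # too old to judge: reject
        if self.bitmap & (1 << diff):
            return False                                  # already seen: replay
        self.bitmap |= 1 << diff
        return True

    def state(self):
        """What --replay-persist would have to save across sessions."""
        return self.top, self.bitmap


class StrictSequence:
    """TCP mode: ids must strictly increase; no backtracking, no reordering,
    because the transport already guarantees order and any deviation means
    tampering or a broken peer."""

    def __init__(self):
        self.last = 0

    def check_and_update(self, pid):
        if pid <= self.last:
            return False
        self.last = pid
        return True


def run(checker, ids):
    """Feed a sequence of packet ids and return the verdict for each."""
    return [checker.check_and_update(i) for i in ids]


if __name__ == "__main__":
    # Constructed trace: a reorder (4 before 3), a duplicate (3 again),
    # a jump past the window (70), then two packets that fell behind it.
    trace = [1, 2, 4, 3, 3, 70, 5, 6]
    print("udp window:", run(ReplayWindow(window=64), trace))
    print("tcp strict:", run(StrictSequence(), trace))
```

The window check rejects an id that is older than the window even if it was never seen, so a peer that reorders more than `window` packets deep loses traffic rather than gaining replay exposure; that is the trade-off --replay-window lets an operator tune.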
2207 2002.03.29 -- Version 1.0.3
2209 * Fixed a problem in configure with library ordering on the
2212 2002.03.28 -- Version 1.0.2
2214 * Improved the efficiency of the inner event loop.
2215 * Fixed a minor bug with timeout handling.
2216 * Improved the build system to build on RH 6.2 through 7.2.
2217 * Added an openvpn.spec file for RPM builders (Bishop Clark).
2219 2002.03.23 -- Version 1.0
2221 * Added TLS-based authentication and key exchange.
2222 * Added gremlin mode to stress test.
2225 2001.12.26 -- Version 0.91
2227 * Added any choice of cipher or HMAC digest.
2229 2001.5.13 -- Version 0.90
2232 * IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature.