2 Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>
4 2009.12.11 -- Version 2.1.0
6 * Fixed a couple issues in sample plugins auth-pam.c and down-root.c.
7 (1) Fail gracefully rather than segfault if calloc returns NULL.
8 (2) The openvpn_plugin_abort_v1 function can potentially be called
9 with handle == NULL. Add code to detect this case, and if so, avoid
10 dereferencing pointers derived from handle (Thanks to David
11 Sommerseth for finding this bug).
13 * Documented "multihome" option in the man page.
15 2009.11.20 -- Version 2.1_rc22
17 * Fixed a client-side bug on Windows that occurred when the
18 "dhcp-pre-release" or "dhcp-renew" options were combined with
19 "route-gateway dhcp". The release/renew would not occur
20 because the Windows DHCP renew function is blocking and
21 therefore must be called from another process or thread
22 so as not to stall the tunnel.
24 * Added a hard failure when peer provides a certificate chain
25 with depth > 16. Previously, a warning was issued.
27 2009.11.12 -- Version 2.1_rc21
29 * Rebuilt OpenVPN Windows installer with OpenSSL 0.9.8l to address
30 CVE-2009-3555. Note that OpenVPN has never relied on the session
31 renegotiation capabilities that are built into the SSL/TLS protocol,
32 therefore the fix in OpenSSL 0.9.8l (disable SSL/TLS renegotiation
33 completely) will not adversely affect OpenVPN mid-session SSL/TLS
34 renegotation or any other OpenVPN capabilities.
36 * Added additional session renegotiation hardening. OpenVPN has always
37 required that mid-session renegotiations build up a new SSL/TLS
38 session from scratch. While the client certificate common name is
39 already locked against changes in mid-session TLS renegotiations, we
40 now extend this locking to the auth-user-pass username as well as all
41 certificate content in the full client certificate chain.
43 2009.10.01 -- Version 2.1_rc20
45 * Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the
46 redirect-gateway option by itself, without any extra parameters,
47 would cause the option to be ignored.
49 * Fixed build problem when ./configure --disable-server is used.
51 * Fixed ifconfig command for "topology subnet" on FreeBSD (Stefan Bethke).
53 * Added --remote-random-hostname option.
55 * Added "load-stats" management interface command to get global server
58 * Added new ./configure flags:
60 --disable-def-auth Disable deferred authentication
61 --disable-pf Disable internal packet filter
63 * Added "setcon" directive for interoperability with SELinux (Sebastien
66 * Optimized PUSH_REQUEST handshake sequence to shave several seconds
67 off of a typical client connection initiation.
69 * The maximum number of "route" directives (specified in the config
70 file or pulled from a server) can now be configured via the new
71 "max-routes" directive.
73 * Eliminated the limitation on the number of options that can be pushed
74 to clients, including routes. Previously, all pushed options needed
75 to fit within a 1024 byte options string.
77 * Added --server-poll-timeout option : when polling possible remote
78 servers to connect to in a round-robin fashion, spend no more than
79 n seconds waiting for a response before trying the next server.
81 * Added the ability for the server to provide a custom reason string
82 when an AUTH_FAILED message is returned to the client. This
83 string can be set by the server-side managment interface and read
84 by the client-side management interface.
86 * client-kill management interface command, when issued on server, will
87 now send a RESTART message to client.
88 This feature is intended to make UDP clients respond the same as TCP
89 clients in the case where the server issues a RESTART message in
90 order to force the client to reconnect and pull a new options/route
93 2009.07.16 -- Version 2.1_rc19
95 * In Windows TAP driver, refactor DHCP/ARP packet injection code to
96 use a DPC (deferred procedure call) to defer packet injection until
97 IRQL < DISPATCH_LEVEL, rather than calling NdisMEthIndicateReceive
98 in the context of AdapterTransmit. This is an attempt to reduce kernel
99 stack usage, and prevent EXCEPTION_DOUBLE_FAULT BSODs that have been
100 observed on Vista. Updated TAP driver version number to 9.6.
102 * In configure.ac, use datadir instead of datarootdir for compatibility
105 2009.06.07 -- Version 2.1_rc18
107 * Fixed compile error on ./configure --enable-small
109 * Fixed issue introduced in r4475 (2.1-rc17) where cryptoapi.c change
110 does not build on Windows on non-MINGW32.
112 2009.05.30 -- Version 2.1_rc17
114 * Reduce the debug level (--verb) at which received management interface
115 commands are echoed from 7 to 3. Passwords will be filtered.
117 * Fixed race condition in management interface recv code on
118 Windows, where sending a set of several commands to the
119 management interface in quick succession might cause the
120 latter commands in the set to be ignored.
122 * Increased management interface input command buffer size
123 from 256 to 1024 bytes.
125 * Minor tweaks to Windows build system.
127 * Added "redirect-private" option which allows private subnets
128 to be pushed to the client in such a way that they don't accidently
129 obscure critical local addresses such as the DHCP server address and
130 DNS server addresses.
132 * Added new 'autolocal' redirect-gateway flag. When enabled, the OpenVPN
133 client will examine the routing table and determine whether (a) the
134 OpenVPN server is reachable via a locally connected interface, or (b)
135 traffic to the server must be forwarded through the default router.
136 Only add a special bypass route for the OpenVPN server if (b) is true.
137 If (a) is true, behave as if the 'local' flag is specified, and do not
140 The new 'autolocal' flag depends on the non-portable test_local_addr()
141 function in route.c, which is currently only implemented for Windows.
142 The 'autolocal' flag will act as a no-op on platforms that have not
143 yet defined a test_local_addr() function.
145 * Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for
146 more option content to be pushed from server to client).
148 * Raised D_MULTI_DROPPED debug level to 4 from 3 to filter out (at debug
149 levels <=3) a common and usually innocuous warning.
151 * Fixed issue of symbol conflicts interfering with Windows CryptoAPI
152 functionality (Alon Bar-Lev).
154 * Fixed bug where the remote_X environmental variables were not being
155 set correctly when the 'local' option is specifed.
157 2009.05.17 -- Version 2.1_rc16
159 * Windows installer changes:
161 1. ifdefed out the check Windows version code which is causing
162 problems on Windows 7
164 2. don't define SF_SELECTED if it is already defined
166 3. Use LZMA instead of BZIP2 compression for better compression
168 4. Upgraded OpenSSL to 0.9.8k
170 * Added the ability to read the configuration file
171 from stdin, when "stdin" is given as the config
174 * Allow "management-client" directive to be used
175 with unix domain sockets.
177 * Added errors-to-stderr option. When enabled, fatal errors
178 that result in the termination of the daemon will be written
181 * Added optional "nogw" (no gateway) flag to --server-bridge
182 to inhibit the pushing of the route-gateway parameter to
185 * Added new management interface command "pid" to show the
186 process ID of the current OpenVPN process (Angelo Laub).
188 * Fixed issue where SIGUSR1 restarts would fail if private
189 key was specified as an inline file.
191 * Added daemon_start_time and daemon_pid environmental variables.
193 * In management interface, added new ">CLIENT:ESTABLISHED" notification.
197 1. Fixed some issues with C++ style comments that leaked into the code.
199 2. Updated configure.ac to work on MinGW64.
201 3. Updated common.h types for _WIN64.
203 4. Fixed issue involving an #ifdef in a macro reference that breaks early gcc
206 5. In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to
207 OpenVPNCryptAcquireCertificatePrivateKey to work around
208 a symbol conflict in MinGW-5.1.4.
210 2008.11.19 -- Version 2.1_rc15
212 * Fixed issue introduced in 2.1_rc14 that may cause a
213 segfault when a --plugin module is used.
215 * Added server-side --opt-verify option: clients that connect
216 with options that are incompatible with those of the server
217 will be disconnected (without this option, incompatible
218 clients would trigger a warning message in the server log
219 but would not be disconnected).
221 * Added --tcp-nodelay option: Macro that sets TCP_NODELAY socket
222 flag on the server as well as pushes it to connecting clients.
224 * Minor options check fix: --no-name-remapping is a
225 server-only option and should therefore generate an
226 error when used on the client.
228 * Added --prng option to control PRNG (pseudo-random
229 number generator) parameters. In previous OpenVPN
230 versions, the PRNG was hardcoded to use the SHA1
231 hash. Now any OpenSSL hash may be used. This is
232 part of an effort to remove hardcoded references to
233 a specific cipher or cryptographic hash algorithm.
235 * Cleaned up man page synopsis.
237 2008.11.16 -- Version 2.1_rc14
239 * Added AC_GNU_SOURCE to configure.ac to enable struct ucred,
240 with the goal of fixing a build issue on Fedora 9 that was
241 introduced in 2.1_rc13.
243 * Added additional method parameter to --script-security to preserve
244 backward compatibility with system() call semantics used in OpenVPN
245 2.1_rc8 and earlier. To preserve backward compatibility use:
247 script-security 3 system
249 * Added additional warning messages about --script-security 2
250 or higher being required to execute user-defined scripts or
253 * Windows build system changes:
255 Modified Windows domake-win build system to write all openvpn.nsi
256 input files to gen, so that gen can be disconnected from
257 the rest of the source tree and makensis openvpn.nsi will
258 still function correctly.
260 Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in
261 (commented out by default).
263 Added optional files SAMPCONF_CONF2 (second sample configuration
264 file) and SAMPCONF_DH (Diffie-Helman parameters) to Windows
265 build system, and may be defined in settings.in.
267 * Extended Management Interface "bytecount" command
268 to work when OpenVPN is running as a server.
269 Documented Management Interface "bytecount" command in
270 management/management-notes.txt.
272 * Fixed informational message in ssl.c to properly indicate
273 deferred authentication.
275 * Added server-side --auth-user-pass-optional directive, to allow
276 connections by clients that do not specify a username/password, when a
277 user-defined authentication script/module is in place (via
278 --auth-user-pass-verify, --management-client-auth, or a plugin module).
280 * Changes to easy-rsa/2.0/pkitool and related openssl.cnf:
282 Calling scripts can set the KEY_NAME environmental variable to set
283 the "name" X509 subject field in generated certificates.
285 Modified pkitool to allow flexibility in separating the Common Name
286 convention from the cert/key filename convention.
290 KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james
292 will create a client certificate/key pair of james.crt/james.key
293 having a Common Name of "James's Laptop" and a Name of "james".
295 * Added --no-name-remapping option to allow Common Name, X509 Subject,
296 and username strings to include any printable character including
297 space, but excluding control characters such as tab, newline, and
298 carriage-return (this is important for compatibility with external
299 authentication systems).
301 As a related change, added --status-version 3 format (and "status 3"
302 in the management interface) which uses the version 2 format except
303 that tabs are used as delimiters instead of commas so that there
304 is no ambiguity when parsing a Common Name that contains a comma.
306 Also, save X509 Subject fields to environment, using the naming
309 X509_{cert_depth}_{name}={value}
311 This is to avoid ambiguities when parsing out the X509 subject string
312 since "/" characters could potentially be used in the common name.
314 * Fixed some ifconfig-pool issues that precluded it from being combined
315 with --server directive.
317 Now, for example, we can configure thusly:
319 server 10.8.0.0 255.255.255.0 nopool
320 ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0
322 to have ifconfig-pool manage only a subset
325 * Added config file option "setenv FORWARD_COMPATIBLE 1" to relax
326 config file syntax checking to allow directives for future OpenVPN
327 versions to be ignored.
329 2008.10.07 -- Version 2.1_rc13
331 * Bundled OpenSSL 0.9.8i with Windows installer.
333 * Management interface can now listen on a unix
334 domain socket, for example:
336 management /tmp/openvpn unix
338 Also added management-client-user and management-client-group
339 directives to control which processes are allowed to connect
342 * Copyright change to OpenVPN Technologies, Inc.
344 2008.09.23 -- Version 2.1_rc12
346 * Patched Makefile.am so that the new t_cltsrv-down.sh script becomes
347 part of the tarball (Matthias Andree).
349 * Fixed --lladdr bug introduced in 2.1-rc9 where input validation code
350 was incorrectly expecting the lladdr parameter to be an IP address
351 when it is actually a MAC address (HoverHell).
353 2008.09.14 -- Version 2.1_rc11
355 * Fixed a bug that can cause SSL/TLS negotiations in UDP mode
356 to fail if UDP packets are dropped.
358 2008.09.10 -- Version 2.1_rc10
360 * Added "--server-bridge" (without parameters) to enable
361 DHCP proxy mode: Configure server mode for ethernet
362 bridging using a DHCP-proxy, where clients talk to the
363 OpenVPN server-side DHCP server to receive their IP address
364 allocation and DNS server addresses.
366 * Added "--route-gateway dhcp", to enable the extraction
367 of the gateway address from a DHCP negotiation with the
368 OpenVPN server-side LAN.
370 * Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dns
371 on Windows. If the bypass IP address is 0.0.0.0 or 255.255.255.255,
374 * Warn when ethernet bridging that the IP address of the bridge adapter
375 is probably not the same address that the LAN adapter was set to
378 * When running as a server, warn if the LAN network address is
379 the all-popular 192.168.[0|1].x, since this condition commonly
380 leads to subnet conflicts down the road.
382 * Primarily on the client, check for subnet conflicts between
383 the local LAN and the VPN subnet.
385 * Added a 'netmask' parameter to get_default_gateway, to return
386 the netmask of the adapter containing the default gateway.
387 Only implemented on Windows so far. Other platforms will
388 return 255.255.255.0. Currently the netmask information is
389 only used to warn about subnet conflicts.
391 * Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO
392 and USE_SSL flags are enabled (Alon Bar-Lev).
394 * Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new
395 --script-security rules. Also adds retrying if the addresses are in
396 use (Matthias Andree).
398 * Fixed build issue with ./configure --disable-socks --disable-http.
400 * Fixed separate compile errors in options.c and ntlm.c that occur
401 on strict C compilers (such as old versions of gcc) that require
402 that C variable declarations occur at the start of a {} block,
405 * Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which
406 the new implementation of extract_x509_field_ssl depends on.
408 * LZO compression buffer overflow errors will now invalidate
409 the packet rather than trigger a fatal assertion.
411 * Fixed minor compile issue in ntlm.c (mid-block declaration).
413 * Added --allow-pull-fqdn option which allows client to pull DNS names
414 from server (rather than only IP address) for --ifconfig, --route, and
415 --route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names
416 for these options to be pulled and translated to IP addresses by default.
417 Now --allow-pull-fqdn will be explicitly required on the client to enable
418 DNS-name-to-IP-address translation of pulled options.
420 * 2.1_rc8 and earlier did implicit shell expansion on script
421 arguments since all scripts were called by system().
422 The security hardening changes made to 2.1_rc9 no longer
423 use system(), but rather use the safer execve or CreateProcess
424 system calls. The security hardening also introduced a
425 backward incompatibility with 2.1_rc8 and earlier in that
426 script parameters were no longer shell-expanded, so
429 client-connect "docc CLIENT-CONNECT"
431 would fail to work because execve would try to execute
432 a script called "docc CLIENT-CONNECT" instead of "docc"
433 with "CLIENT-CONNECT" as the first argument.
435 This patch fixes the issue, bringing the script argument
436 semantics back to pre 2.1_rc9 behavior in order to preserve
437 backward compatibility while still using execve or CreateProcess
438 to execute the script/executable.
440 * Modified ip_or_dns_addr_safe, which validates pulled DNS names,
441 to more closely conform to RFC 3696:
443 (1) DNS name length must not exceed 255 characters
445 (2) DNS name characters must be limited to alphanumeric,
446 dash ('-'), and dot ('.')
448 * Fixed bug in intra-session TLS key rollover that was introduced with
449 deferred authentication features in 2.1_rc8.
451 2008.07.31 -- Version 2.1_rc9
453 * Security Fix -- affects non-Windows OpenVPN clients running
454 OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT
455 vulnerable nor are any versions of the OpenVPN server vulnerable).
456 An OpenVPN client connecting to a malicious or compromised
457 server could potentially receive an "lladdr" or "iproute" configuration
458 directive from the server which could cause arbitrary code execution on
459 the client. A successful attack requires that (a) the client has agreed
460 to allow the server to push configuration directives to it by including
461 "pull" or the macro "client" in its configuration file, (b) the client
462 successfully authenticates the server, (c) the server is malicious or has
463 been compromised and is under the control of the attacker, and (d) the
464 client is running a non-Windows OS. Credit: David Wagner.
467 * Miscellaneous defensive programming changes to multiple
468 areas of the code. In particular, use of the system() call
469 for calling executables such as ifconfig, route, and
470 user-defined scripts has been completely revamped in favor
471 of execve() on unix and CreateProcess() on Windows.
473 * In Windows build, package a statically linked openssl.exe to work around
474 observed instabilities in the dynamic build since the migration to
477 2008.06.11 -- Version 2.1_rc8
479 * Added client authentication and packet filtering capability
480 to management interface. In addition, allow OpenVPN plugins
481 to take advantage of deferred authentication and packet
482 filtering capability.
484 * Added support for client-side connection profiles.
486 * Fixed unbounded memory growth bug in environmental variable
487 code that could have caused long-running OpenVPN sessions
488 with many TLS renegotiations to incrementally
489 increase memory usage over time.
491 * Windows release now packages openssl-0.9.8h.
493 * Build system changes -- allow building on Windows using
494 autoconf/automake scripts (Alon Bar-Lev).
496 * Changes to Windows build system to make it easier to do
497 partial builds, with a reduced set of prerequisites,
498 where only a subset of OpenVPN installer
499 components are built. See ./domake-win comments.
501 * Cleanup IP address for persistence interfaces for tap and also
502 using ifconfig, gentoo#209055 (Alon Bar-Lev).
504 * Fall back to old version of extract_x509_field for OpenSSL 0.9.6.
506 * Clarified tcp-queue-limit man page entry (Matti Linnanvuori).
508 * Added new OpenVPN icon and installer graphic.
510 * Minor pkitool changes.
512 * Added --pkcs11-id-management option, which will cause OpenVPN to
513 query the management interface via the new NEED-STR asynchronous
514 notification query to get additional PKCS#11 options (Alon Bar-Lev).
516 * Added NEED-STR management interface asynchronous query and
517 "needstr" management interface command to respond to the query
520 * Added Dragonfly BSD support (Francis-Gudin).
522 * Quote device names before passing to up/down script (Josh Cepek).
524 * Bracketed struct openvpn_pktinfo with #pragma pack(1) to
525 prevent structure padding from causing an incorrect length
526 to be returned by sizeof (struct openvpn_pktinfo) on 64-bit
529 * On systems that support res_init, always call it
530 before calling gethostbyname to ensure that
531 resolver configuration state is current.
533 * Added NTLMv2 proxy support (Miroslav Zajic).
535 * Fixed an issue in extract_x509_field_ssl where the extraction
536 would fail on the first field of the subject name, such as
537 the common name in: /CN=foo/emailAddress=foo@bar.com
539 * Made "Linux ip addr del failed" error nonfatal.
541 * Amplified --client-cert-not-required warning.
543 * Added #pragma pack to proto.h.
545 2008.01.29 -- Version 2.1_rc7
547 * Added a few extra files that exist in the svn repo but were
548 not being copied into the tarball by make dist.
550 * Fixup null interface on close, don't use ip addr flush (Alon Bar-Lev).
552 2008.01.24 -- Version 2.1_rc6
554 * Fixed options checking bug introduced in rc5 where legitimate configuration
555 files might elicit the error: "Options error: Parameter pkcs11_private_mode
556 can only be specified in TLS-mode, i.e. where --tls-server or --tls-client
559 2008.01.23 -- Version 2.1_rc5
561 * Fixed Win2K TAP driver bug that was introduced by Vista fixes,
562 incremented driver version to 9.4.
564 * Windows build system changes:
566 Incremented included OpenSSL version to openssl-0.9.7m.
568 Updated openssl.patch for openssl-0.9.7m and added some
569 brief usage comments to the head of the patch.
571 Added build-pkcs11-helper.sh for building the pkcs11-helper
574 Integrated inclusion of pkcs11-helper into Windows build
577 Upgraded TAP build scripts to use WDK 6001.17121
578 (Windows 2008 Server pre-RTM).
580 * Windows installer changes:
582 Clean up the start menu folder.
584 Allow for a site-specific sample configuration file and keys
585 to be included in a custom installer (see SAMPCONF macros
588 New icon (temporary).
590 * Added "forget-passwords" command to the management interface
593 * Added --management-signal option to signal SIGUSR1 when the
594 management interface disconnects (Alon Bar-Lev).
596 * Modified command line and config file parser to allow
597 quoted strings using single quotes ('') (Alon Bar-Lev).
599 * Use pkcs11-helper as external library, can be downloaded from
600 https://www.opensc-project.org/pkcs11-helper (Alon Bar-Lev).
602 * Fixed interim memory growth issue in TCP connect loop where
603 "TCP: connect to %s failed, will try again in %d seconds: %s"
606 * Fixed bug in epoll driver in event.c, where the lack of a
607 handler for EPOLLHUP could cause 99% CPU usage.
609 * Defined ALLOW_NON_CBC_CIPHERS for people who don't
610 want to use a CBC cipher for OpenVPN's data channel.
612 * Added PLUGIN_LIBDIR preprocessor string to prepend a default
613 plugin directory to the dlopen search list when the user
614 specifies the basename of the plugin only (Marius Tomaschewski).
616 * Rewrote extract_x509_field and modified COMMON_NAME_CHAR_CLASS
617 to allow forward slash characters ("/") in the X509 common name
620 * Allow OpenVPN to run completely unprivileged under Linux
621 by allowing openvpn --mktun to be used with --user and --group
622 to set the UID/GID of the tun device node. Also added --iproute
623 option to allow an alternative command to be executed in place
624 of the default iproute2 command (Alon Bar-Lev).
626 * Fixed --disable-iproute2 in ./configure to actually disable
627 iproute2 usage (Alon Bar-Lev).
629 * Added --management-forget-disconnect option -- forget
630 passwords when management session disconnects (Alon Bar-Lev).
632 2007.04.25 -- Version 2.1_rc4
634 * Worked out remaining issues with TAP driver signing
635 on Vista x64. OpenVPN will now run on Vista x64
636 with driver signing enforcement enabled.
638 * Fixed 64-bit portability bug in time_string function
641 2007.04.22 -- Version 2.1_rc3
643 * Additional fixes to TAP driver for Windows x64. Driver
644 now runs successfully on Vista x64 if driver signing
645 enforcement is disabled.
647 * The Windows Installer and TAP driver are now signed by
648 OpenVPN Solutions LLC (in addition to the usual GnuPG
651 * Added OpenVPN GUI (Mathias Sundman version) as install
652 option in Windows installer.
654 * Clean up configure on FreeBSD for recent autotool versions
655 that require that all .h files have to be compiled.
656 Also, FreeBSD install does not support GNU long options
657 which the Makefile in easy-rsa/2.0 uses (not checked the
658 others as we don't install those on Gentoo) (Roy Marples).
660 * Added additional scripts to easy-rsa/Windows for working
661 with password-protected keys; also add -extensions server
662 option when generating server cert via
663 build-key-server-pass.bat (Daniel Zauft).
665 2007.02.27 -- Version 2.1_rc2
667 * auth-pam change: link with -lpam rather
668 than dlopen (Roy Marples).
670 * Prevent SIGUSR1 or SIGHUP from causing program
671 exit from initial management hold.
673 * SO_REUSEADDR should not be set on Windows TCP sockets
674 because it will cause bind to succeed on port conflicts.
676 * Added time_ascii, time_duration, and time_unix
677 environmental variables for plugins and callback
680 * Fixed issue where OpenVPN does not apply the --txqueuelen option
681 to persistent interfaces made with --mktun (Roy Marples).
683 * Attempt at rational signal handling when in the
684 management hold state. During management hold, ignore
685 SIGUSR1/SIGHUP signals thrown with the "signal" command.
686 Also, "signal" command will now apply remapping as
687 specified with the --remap-usr1 option.
688 When a signal entered using the "signal" command from a management
689 hold is ignored, output: >HOLD:Waiting for hold release
691 * Fixed issue where struct env_set methods that
692 change the value of an existing name=value pair
693 would delay the freeing of the memory held by
694 the previous name=value pair until the underlying
695 client instance object is closed.
696 This could cause a server that handles long-term
697 client connections, resulting in many periodic calls
698 to verify_callback, to needlessly grow the env_set
699 memory allocation until the underlying client instance
702 * Renamed TAP-Win32 driver from tap0801.sys to tap0901.sys
703 to reflect the fact that Vista has blacklisted the tap0801.sys
704 file name due to previous compatibility issues which have now
705 been resolved. TAP-Win32 major/minor version number is now 9/1.
707 * Windows installer will delete a previously installed
708 tap0801.sys TAP driver before installing tap0901.sys.
710 * Added code to Windows installer to fail gracefully on 64 bit
711 installs until 64-bit TAP driver issues can be resolved.
713 * Added code to Windows installer to fail gracefully on
714 versions of Windows which are not explicitly supported.
716 * The Windows version will now use a default route-delay
717 of 5 seconds to deal with an apparent routing table race
720 * Worked around an incompatibility in the Windows Vista
721 version of CreateIpForwardEntry as described in
722 http://www.nynaeve.net/?p=59
723 This issue would cause route additions using the
724 IP Helper API to fail on Vista.
726 * On Windows, revert to "ip-win32 dynamic" as the default.
728 2006.10.31 -- Version 2.1_rc1
730 * Support recovery (return to hold) from signal at
731 management password prompt.
733 * Added workaround for OpenSC PKCS#11 bug#108
736 2006.10.01 -- Version 2.1-beta16
738 * Windows installer updated with OpenSSL 0.9.7l DLLs to fix
739 published vulnerabilities.
741 * Fixed TAP-Win32 bug that caused BSOD on Windows Vista
744 * Autodetect 32/64 bit Windows in installer and install
745 appropriate TAP driver (Mathias Sundman, Hypherion).
747 * Fixed bug in loopback self-test introduced
748 in 2.1-beta15 where self test as invoked by
749 "make check" would not properly exit after
750 2 minutes (Paul Howarth).
752 2006.09.12 -- Version 2.1-beta15
754 * Windows installer updated with OpenSSL 0.9.7k DLLs to fix
755 RSA Signature Forgery (CVE-2006-4339).
757 * Fixed bug introduced with the --port-share directive
758 (back in 2.1-beta9 which causes TLS soft resets
759 (1 per hour by default) in TCP server mode to force
760 a blockage of tunnel packets and later time-out and
761 restart the connection.
763 * easy-rsa update (Alon Bar-Lev)
764 Makefile (install) is now available so that
765 distribs will be able to install it safely.
767 * PKCS#11 changes: (Alon Bar-Lev)
768 - Modified ssl.c to not FATAL and return to init.c
769 so auth-retry will work.
770 - Modifed pkcs11-helper.c to fix some problem with
772 - Added retry counter to PKCS#11 PIN hook.
773 - Modified PKCS#11 PIN retry loop to return correct error
774 code when PIN is incorrect.
775 - Fix handling (ignoring) zero sized attributes.
777 - Fix openssl 0.9.6 (first version) issues.
779 * Minor fixes of lladdr (Alon Bar-Lev)
780 Updated makefile.w32-vc to include lladdr.*, updated
782 Modified lladdr.c to be compiled under visual C.
784 * Added two new management states:
785 OPENVPN_STATE_RESOLVE -- DNS lookup
786 OPENVPN_STATE_TCP_CONNECT -- Connecting to TCP server
788 * Echo management state change to log.
790 * Minor syshead.h change for NetBSD to allow
791 TCP_NODELAY flag to work.
793 * Modified --port-share code to remove the assumption that
794 CMSG_SPACE always evaluates to a constant, to enable
795 compilation on NetBSD and possibly other BSDs as well.
797 * Eliminated gcc 3.3.3 warnings on NetBSD
798 when ./configure --enable-strict is used.
800 * Added optional minimum-number-of-bytes parameter
801 to --inactive directive.
803 2006.04.13 -- Version 2.1-beta14
805 * Fixed Windows server bug in time backtrack handling code which
806 could cause TLS negotiation failures on legitimate clients.
808 * Rewrote gettimeofday function for Windows to be
809 simpler and more efficient.
811 * Merged PKCS#11 extensions to easy-rsa/2.0 (Alon Bar-Lev).
813 * Added --route-metric option to set a default route metric
814 for --route (Roy Marples).
816 * Added --lladdr option to specify the link layer (MAC) address
817 for the tap interface on non-Windows platforms (Roy Marples).
819 2006.04.12 -- Version 2.1-beta13
821 * Code added in 2.1-beta7 and 2.0.6-rc1 to extend byte counters
822 to 64 bits caused a bug in the Windows version which has now
823 been fixed. The bug could cause intermittent crashes.
825 2006.04.05 -- Version 2.1-beta12
827 * Security Vulnerability -- An OpenVPN client connecting to a
828 malicious or compromised server could potentially receive
829 "setenv" configuration directives from the server which could
830 cause arbitrary code execution on the client via a LD_PRELOAD
831 attack. A successful attack appears to require that (a) the
832 client has agreed to allow the server to push configuration
833 directives to it by including "pull" or the macro "client" in
834 its configuration file, (b) the client configuration file uses
835 a scripting directive such as "up" or "down", (c) the client
836 succesfully authenticates the server, (d) the server is
837 malicious or has been compromised and is under the control of
838 the attacker, and (e) the attacker has at least some level of
839 pre-existing control over files on the client (this might be
840 accomplished by having the server respond to a client web request
841 with a specially crafted file). Credit: Hendrik Weimer.
844 The fix is to disallow "setenv" to be pushed to clients from
845 the server, and to add a new directive "setenv-safe" which is
846 pushable from the server, but which appends "OPENVPN_" to the
847 name of each remotely set environmental variable.
849 * "topology subnet" fix for FreeBSD (Benoit Bourdin).
851 * PKCS11 fixes (Alon Bar-Lev). For full description:
852 svn log -r990 http://svn.openvpn.net/projects/openvpn/branches/BETA21
854 * When deleting routes under Linux, use the route metric
855 as a differentiator to ensure that the route teardown
856 process only deletes the identical route which was originally
857 added via the "route" directive (Roy Marples).
859 * Fix the t_cltsrv.sh file in FreeBSD 4 jails
860 (Matthias Andree, Dirk Meyer, Vasil Dimov).
862 * Extended tun device configure code to support ethernet
863 bridging on NetBSD (Emmanuel Kasper).
865 2006.02.19 -- Version 2.1-beta11
867 * Fixed --port-share bug that caused premature closing
870 2006.02.17 -- Version 2.1-beta10
872 * Fixed --port-share breakage introduced in 2.1-beta9.
874 2006.02.16 -- Version 2.1-beta9
876 * Added --port-share option for allowing OpenVPN and HTTPS
877 server to share the same port number.
878 * Added --management-client option to connect as a client
879 to management GUI app rather than be connected to as a
881 * Added "bytecount" command to management interface.
882 * --remote-cert-tls fixes (Alon Bar-Lev).
884 2006.01.03 -- Version 2.1-beta8
886 * --remap-usr1 will now also remap signals thrown during
888 * Added --connect-timeout option to control the timeout
889 on TCP client connection attempts (doesn't work on all
890 OSes). This patch also makes OpenVPN signalable during
891 TCP connection attempts.
892 * Fixed bug in acinclude.m4 where capability of compiler
893 to handle zero-length arrays in structs is tested
895 * Fixed typo in manage.c where inline function declaration
896 was declared without the "static" keyword (David Stipp).
897 * Patch to support --topology subnet on Mac OS X (Mathias Sundman).
898 * Added --auto-proxy directive to auto-detect HTTP or SOCKS
899 proxy settings (currently Windows only).
900 * Removed redundant base64 code.
901 * Better sanity checking of --server and --server-bridge
902 IP pool ranges, so as not to hit the assertion at
904 * Fixed bug where --daemon and --management-query-passwords
905 used together would cause OpenVPN to block prior to
907 * Fixed client/server race condition which could occur
908 when --auth-retry interact is set and the initially
909 provided auth-user-pass credentials are incorrect,
910 forcing a username/password re-query.
911 * Fixed bug where if --daemon and --management-hold are
912 used together, --user or --group options would be ignored.
913 * --ip-win32 adaptive is now the default.
914 * --ip-win32 netsh (or --ip-win32 adaptive when in netsh
915 mode) can now set DNS/WINS addresses on the TAP-Win32
917 * Added new option --route-method adaptive (Win32)
918 which tries IP helper API first, then falls back to
920 * Made --route-method adaptive the default.
922 2005.11.12 -- Version 2.1-beta7
924 * Allow blank passwords to be passed via the management
926 * Fixed bug where "make check" inside a FreeBSD "jail"
927 would never complete (Matthias Andree).
928 * Fixed bug where --server directive in --dev tap mode
929 claimed that it would support subnets of /30 or less
930 but actually would only accept /29 or less.
931 * Extend byte counters to 64 bits (M. van Cuijk).
932 * Fixed bug in Linux get_default_gateway function
933 introduced in 2.0.4, which would cause redirect-gateway
934 on Linux clients to fail.
935 * Moved easy-rsa 2.0 scripts to easy-rsa/2.0 to
936 be compatible with 2.0.x distribution.
937 * Documented --route-nopull.
938 * Documented --ip-win32 adaptive.
939 * Windows build now linked with LZO2.
940 * Allow ca, cert, key, and dh files to be specified
941 inline via XML-like syntax without needing to
942 reference an explicit file.
947 * Allow plugin and push directives to have multi-line
948 parameter lists such as:
954 * Added connect-retry-max option (Alon Bar-Lev).
955 * Fixed problems where signals thrown during initialization
956 were not returning to a management-hold state.
957 * Added a backtrack-hardened system time algorithm.
958 * Added --remote-cert-ku, --remote-cert-eku, and
959 --remote-cert-tls options for verifying certificate
960 attributes (Alon Bar-Lev).
961 * For Windows, reverted --ip-win32 default back to "dynamic".
962 To use new adaptive mode, set explicitly.
964 2005.11.01 -- Version 2.1-beta6
966 * Security fix (merged from 2.0.4) -- Affects non-Windows
967 OpenVPN clients of version 2.0 or higher which connect to
968 a malicious or compromised server. A format string
969 vulnerability in the foreign_option function in options.c
970 could potentially allow a malicious or compromised server
971 to execute arbitrary code on the client. Only
972 non-Windows clients are affected. The vulnerability
973 only exists if (a) the client's TLS negotiation with
974 the server succeeds, (b) the server is malicious or
975 has been compromised such that it is configured to
976 push a maliciously crafted options string to the client,
977 and (c) the client indicates its willingness to accept
978 pushed options from the server by having "pull" or
979 "client" in its configuration file (Credit: Vade79).
981 * Security fix -- (merged from 2.0.4) Potential DoS
982 vulnerability on the server in TCP mode. If the TCP
983 server accept() call returns an error status, the resulting
984 exception handler may attempt to indirect through a NULL
985 pointer, causing a segfault. Affects all OpenVPN 2.0 versions.
987 * Fix attempt of assertion at multi.c:1586 (note that
988 this precise line number will vary across different
989 versions of OpenVPN).
990 * Windows reliability changes:
991 (a) Added code to make sure that the local PATH environmental
992 variable points to the Windows system32 directory.
993 (b) Added new --ip-win32 adaptive mode which tries 'dynamic'
994 and then fails over to 'netsh' if the DHCP negotiation fails.
995 (c) Made --ip-win32 adaptive the default.
996 * More PKCS#11 additions/changes (Alon Bar-Lev).
997 * Added ".PHONY: plugin" to Makefile.am to work around
999 * Fixed double fork issue that occurs when --management-hold
1001 * Moved TUN/TAP read/write log messages from --verb 8 to 6.
1002 * Warn when multiple clients having the same common name or
1003 username usurp each other when --duplicate-cn is not used.
1004 * Modified Windows and Linux versions of get_default_gateway
1005 to return the route with the smallest metric
1006 if multiple 0.0.0.0/0.0.0.0 entries are present.
1007 * Added ">NEED-OK" alert and "needok" command to management
1008 interface to provide a general interface for sending
1009 alerts to the end-user. Used by the PKCS#11 code
1010 to send Token Insertion Requests to the user.
1011 * Added actual remote address used to the ">STATE" alert
1012 in the management interface (Rolf Fokkens).
1014 2005.10.17 -- Version 2.1-beta4
1016 * Fixed bug introduced in 2.1-beta3 where management
1017 socket bind would fail.
1018 * --capath fix in ssl.c (Zhuang Yuyao).
1019 * Added ".PHONY: plugin" to Makefile.am, reverted
1020 location of "plugin" directory (thanks to
1021 Matthias Andree for figuring this out).
1023 2005.10.16 -- Version 2.1-beta3
1025 * Added PKCS#11 support (Alon Bar-Lev).
1026 * Enable the use of --ca together with --pkcs12. If --ca is
1027 used at the same time as --pkcs12, the CA certificate is loaded
1028 from the file specified by --ca regardless if the pkcs12 file
1029 contains a CA cert or not (Mathias Sundman).
1030 * Merged --capath patch (Thomas Noel).
1031 * Merged --multihome patch.
1032 * Added --bind option for TCP client connections (Ewan Bhamrah
1034 * Moved "plugin" directory to "plugins" to deal with strange
1035 automake problem that ended up being also fixable with
1036 ".PHONY: plugin" in Makefile.am.
1038 2005.10.13 -- Version 2.1-beta2
1040 * Made --sndbuf and --rcvbuf pushable.
1042 2005.10.01 -- Version 2.1-beta1
1044 * Made LZO setting pushable.
1045 * Renamed sample-keys/tmp-ca.crt to ca.crt.
1046 * Fixed bug where remove_iroutes_from_push_route_list
1047 was missing routes if those routes had
1048 an implied netmask (by omission) of 255.255.255.255.
1049 * Merged with 2.0.3-rc1
1050 * easy-rsa/2.0 moved to easy-rsa
1051 * old easy-rsa moved to easy-rsa/1.0
1053 2005.09.23 -- Version 2.0.2-TO4
1055 * Added feature to TAP-Win32 adapter to allow it to be
1056 opened from non-administrator mode. This feature
1057 is enabled by default, and can be enabled/disabled
1058 in the adapter advanced properties dialog.
1059 * Added --allow-nonadmin standalone option for Windows to
1060 set TAP adapter to allow non-admin access. This
1061 is a user-mode version of the code, and duplicates
1062 the same feature as the above entry.
1063 * Added fix that attempts to solve corner case of tunnel not
1064 forwarding packets when system clock is reset to an earlier time.
1065 * Added --redirect-gateway bypass-dns option. (Developers:
1066 To add bypass-dhcp or bypass-dns support to other OSes,
1067 add a get_bypass_addresses function to route.c for
1069 * Added OPENVPN_PLUGIN_CLIENT_CONNECT_V2 plugin callback, which
1070 allows a client-connect plugin to return configuration text
1071 in memory, rather than via a file.
1072 * Fixed a bug where --mode server --proto tcp-server --cipher none
1073 operation could cause tunnel packet truncation.
1074 * openvpn --version will show [LZO1] or [LZO2], depending on
1075 version that was linked.
1077 2005.09.07 -- Version 2.0.2-TO1
1079 * Added --topology directive. See man page.
1080 * Added --redirect-gateway bypass-dhcp option to add a route
1081 allowing DHCP packets to bypass the tunnel, when the
1082 DHCP server is non-local. Currently only implemented
1084 * Modified OpenVPN Service on Windows to declare the DHCP
1085 client service as a dependency.
1086 * Extended the plugin interface to allow plugins to declare
1087 per-client constructor and destructor functions, to make
1088 it simpler for plugins to maintain per-client state.
1090 2005.09.25 -- Version 2.0.3-rc1
1092 * openvpn_plugin_abort_v1 function wasn't being properly
1093 registered on Windows.
1094 * Fixed a bug where --mode server --proto tcp-server --cipher none
1095 operation could cause tunnel packet truncation.
1097 2005.08.25 -- Version 2.0.2
1099 * No change from 2.0.2-rc1.
1101 2005.08.24 -- Version 2.0.2-rc1
1103 * Fixed regression bug in Win32 installer, introduced in 2.0.1,
1104 which incorrectly set OpenVPN service to autostart.
1105 * Don't package source code zip file in Windows installer
1106 in order to reduce the size of the installer. The source
1107 zip file can always be downloaded separately if needed.
1108 * Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD
1109 version of get_default_gateway. Allocated socket for route
1110 manipulation is never freed so number of mbufs continuously
1111 grow and exhaust system resources after a while (Jaroslav Klaus).
1112 * Fixed bug where "--proto tcp-server --mode p2p --management
1113 host port" would cause the management port to not respond until
1114 the OpenVPN peer connects.
1115 * Modified pkitool script to be /bin/sh compatible (Johnny Lam).
1117 2005.08.16 -- Version 2.0.1
1119 * Security Fix -- DoS attack against server when run with "verb 0" and
1120 without "tls-auth". If a client connection to the server fails
1121 certificate verification, the OpenSSL error queue is not properly
1122 flushed, which can result in another unrelated client instance on the
1123 server seeing the error and responding to it, resulting in disconnection
1124 of the unrelated client (CAN-2005-2531).
1125 * Security Fix -- DoS attack against server by authenticated client.
1126 This bug presents a potential DoS attack vector against the server
1127 which can only be initiated by a connected and authenticated client.
1128 If the client sends a packet which fails to decrypt on the server,
1129 the OpenSSL error queue is not properly flushed, which can result in
1130 another unrelated client instance on the server seeing the error and
1131 responding to it, resulting in disconnection of the unrelated client
1132 (CAN-2005-2532). Credit: Mike Ireton.
1133 * Security Fix -- DoS attack against server by authenticated client.
1134 A malicious client in "dev tap" ethernet bridging mode could
1135 theoretically flood the server with packets appearing to come from
1136 hundreds of thousands of different MAC addresses, causing the OpenVPN
1137 process to deplete system virtual memory as it expands its internal
1138 routing table. A --max-routes-per-client directive has been added
1139 (default=256) to limit the maximum number of routes in OpenVPN's
1140 internal routing table which can be associated with a given client
1142 * Security Fix -- DoS attack against server by authenticated client.
1143 If two or more client machines try to connect to the server at the
1144 same time via TCP, using the same client certificate, and when
1145 --duplicate-cn is not enabled on the server, a race condition can
1146 crash the server with "Assertion failed at mtcp.c:411"
1148 * Fixed server bug where under certain circumstances, the client instance
1149 object deletion function would try to delete iroutes which had never been
1150 added in the first place, triggering "Assertion failed at mroute.c:349".
1151 * Added --auth-retry option to prevent auth errors from being fatal
1152 on the client side, and to permit username/password requeries in case
1153 of error. Also controllable via new "auth-retry" management interface
1154 command. See man page for more info.
1155 * Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0
1156 * Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1'
1157 would fail to build.
1158 * Implement "make check" to perform loopback tests (Matthias Andree).
1160 2005.07.21 -- Version 2.0.1-rc7
1162 * Support LZO 2.01 which renamed its library to lzo2 (Matthias Andree).
1163 * Include linux/types.h before checking for linux/errqueue.h (Matthias
1166 2005.07.15 -- Version 2.0.1-rc6
1168 * Commented out "user nobody" and "group nobody" in sample
1169 client/server config files.
1170 * Allow '@' character to be used in --client-config-dir
1173 2005.07.04 -- Version 2.0.1-rc5
1175 * Windows version will log a for-further-info URL when
1176 initialization sequence is completed with errors.
1177 * Added DLOPEN_PAM parameter to plugin/auth-pam/Makefile
1178 to control whether auth-pam plugin links to PAM via
1179 dlopen or -lpam. By default, DLOPEN_PAM=1 so pre-existing
1180 behavior should be preserved. DLOPEN_PAM=0 is the preferred
1181 setting to link via -lpam, but DLOPEN_PAM=1 works around
1182 a bug in SuSE 9.1 (and possibly other distros as well)
1183 where the PAM modules are not linked with -lpam. See
1184 thread on openvpn-devel for more discussion about this
1185 patch (Simon Perreault).
1187 2005.06.15 -- Version 2.0.1-rc4
1189 * Support LZO 2.00, including changes to configure script to
1190 autodetect LZO version.
1192 2005.06.12 -- Version 2.0.1-rc3
1194 * Fixed a bug which caused standard file handles to not be closed
1195 after daemonization when --plugin and --daemon are used together,
1196 and if the plugin initialization function forks (as does auth-pam
1197 and down-root) (Simon Perreault).
1198 * Added client-side up/down scripts in contrib/pull-resolv-conf
1199 for accepting server-pushed "dhcp-option DOMAIN" and "dhcp-option DNS"
1200 on Linux/Unix systems (Jesse Adelman).
1201 * Fixed bug where if client-connect scripts/plugins were cascaded,
1202 and one (but not all) of them returned an error status, there might
1203 be cases where for an individual script/plugin, client-connect was
1204 called but not client-disconnect. The goal of this fix is to
1205 ensure that if client-connect is called on a given client instance,
1206 then client-disconnect will definitely be called. A potential
1207 complication of this fix is that when client-connect functions are
1208 cascaded, it's possible that the client-disconnect function would
1209 be called in cases where the related client-connect function returned
1210 an error status. This fix should not alter OpenVPN behavior when
1211 scripts/plugins are not cascaded.
1212 * Changed the hard-to-reproduce "Assertion failed at fragment.c:312"
1213 fatal error to a warning: "FRAG: outgoing buffer is not empty".
1214 Need more info on how to reproduce this one.
1215 * When --duplicate-cn is used, the --ifconfig-pool allocation
1216 algorithm will now allocate the first available IP address.
1217 * When --daemon and --management-hold are used together,
1218 OpenVPN will daemonize before it enters the management hold state.
1220 2005.05.16 -- Version 2.0.1-rc2
1222 * Modified vendor test in openvpn.spec file to match against
1223 "Mandrakesoft" in addition to "MandrakeSoft".
1224 * Using --iroute in a --client-config-dir file while in --dev tap
1225 mode is not currently supported and will produce a warning
1226 message. Fixed bug where in certain cases, in addition to
1227 generating a warning message, this combination of options
1228 would also produce a fatal assertion in mroute.c.
1229 * Pass --auth-user-pass username to server-side plugin without
1230 performing any string remapping (plugins, unlike scripts,
1231 don't get any security benefit from string remapping).
1232 This is intended to fix an issue with openvpn-auth-pam/pam_winbind
1233 where backslash characters in a username ('\') were being remapped
1234 to underscore ('_').
1235 * Updated OpenSSL DLLs in Windows build to 0.9.7g.
1236 * Documented --explicit-exit-notify in man page.
1237 * --explicit-exit-notify seconds parameter defaults to 1 if
1240 2005.04.30 -- Version 2.0.1-rc1
1242 * Fixed bug where certain kinds of fatal errors after
1243 initialization (such as port in use) would leave plugin
1244 processes (such as openvpn-auth-pam) still running.
1245 * Added optional openvpn_plugin_abort_v1 plugin function for
1246 closing initialized plugin objects in the event of a fatal
1247 error by main OpenVPN process.
1248 * When the --remote list is > 1, and --resolv-retry is not
1249 specified (meaning that it defaults to "infinite"), apply the
1250 infinite timeout to the --remote list as a whole, but try each
1251 list item only once before moving on to the next item.
1252 * Added new --syslog directive which redirects output
1253 to syslog without requiring the use of the --daemon or --inetd
1255 * Added openvpn.spec option to allow RPM to be built with support
1256 for passwords read from a file:
1257 rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1'
1259 2005.04.17 -- Version 2.0
1261 * Fixed minor options string typo in options.c.
1263 2005.04.10 -- Version 2.0-rc21
1265 * Change license description from "GPL Version 2 or (at your
1266 option) any later version" to just "GPL Version 2".
1268 2005.04.04 -- Version 2.0-rc20
1270 * Dag Wieers has put together an OpenVPN/LZO binary RPM set with
1271 excellent distro/version coverage for RH/EL/Fedora, though
1272 using his own SPEC. I modified openvpn.spec to follow some of
1273 the same conventions such as putting sample scripts and doc
1274 files in %doc rather than /usr/share/openvpn.
1275 * Minor change to init scripts to run the user-defined script
1276 /etc/openvpn/openvpn-startup (if it exists) before any OpenVPN
1277 configs are started, and to run /etc/openvpn/openvpn-shutdown
1278 after all OpenVPN configs have been stopped. The
1279 openvpn-startup script can be used for stuff like
1280 insmod tun.o, setting up firewall rules, or starting
1283 2005.03.29 -- Version 2.0-rc19
1285 * Omit additions of routes where the network and
1286 gateway are equal and the netmask is 255.255.255.255.
1287 This can come up if you are using both
1288 server/ifconfig-pool and client-config-dir with
1289 ifconfig-push static addresses for some subset of clients
1290 which directly reference the server IP address as the
1293 2005.03.28 -- Version 2.0-rc18
1295 * Packaged Windows installer with OpenSSL 0.9.7f.
1296 * Built Windows installer with NSIS 2.06.
1298 2005.03.12 -- Version 2.0-rc17
1300 * "MANAGEMENT: CMD" log file output will now only occur
1301 at --verb 7 or greater.
1302 * Added an optional name/value configuration list to
1303 the openvpn-auth-pam plugin module argument list. See
1304 plugin/auth-pam/README for documentation. This is necessary
1305 in order for openvpn-auth-pam to work with queries generated
1306 by arbitrary PAM modules.
1307 * In both auth-pam and down-root plugins, in the forked process,
1308 a read error on the parent process socket is no longer fatal.
1309 * MandrakeSoft liblzo1 RPM only Provides for a 'liblzo1'.
1310 A conditional test of the vendor has been added to
1311 Require the appropriately named 'lzo' (liblzo1 / lzo).
1312 (Tom Walsh - http://openhardware.net)
1315 2005.02.20 -- Version 2.0-rc16
1317 * Fixed bug introduced in rc13 where Windows service wrapper
1318 would be installed with a startup type of Automatic.
1319 This fix restores the previous behavior of installing
1320 with a startup type of Manual.
1322 2005.02.19 -- Version 2.0-rc15
1324 * Added warning when --keepalive is not used in a server
1326 * Don't include OpenSSL md4.h file if we are not building
1327 NTLM proxy support (Waldemar Brodkorb).
1328 * Added easy-rsa/build-key-pkcs12 and
1329 easy-rsa/Windows/build-key-pkcs12.bat scripts
1332 2005.02.16 -- Version 2.0-rc14
1334 * Fixed small memory leak that occurs when --crl-verify
1336 * Upgraded Windows installer and .nsi script to NSIS 2.05
1338 * Changed #include backslash usage in cryptoapi.c to use
1339 forward slashes instead (Gisle Vanem).
1340 * Created easy-rsa/revoke-full to handle revocations in
1341 a single step: (a) revoke crt, (b) regenerate CRL, and
1342 (c) verify that revocation succeeded.
1343 * Renamed easy-rsa/Windows/revoke-key to revoke-full so
1344 that both *nix and Windows scripts are equivalent.
1346 2005.02.11 -- Version 2.0-rc13
1348 * Improve human-readability of local/remote options
1349 diff, when inconsistencies are present.
1350 * For Windows easy-rsa, distribute vars.bat.sample and
1351 openssl.cnf.sample, then copy them to their normal
1352 filenames (without the .sample) when init-config.bat
1353 is run. This is to prevent OpenVPN upgrades from
1354 wiping out vars.bat and openssl.cnf edits.
1355 * Modified service wrapper (Windows) to use a
1356 case-insensitive search when scanning for .ovpn files
1357 in \Program Files\OpenVPN\config. Prior versions
1358 required an all-lower-case .ovpn file extension.
1359 * Miscellaneous service wrapper code cleanup.
1360 * If --user/--group is used on Windows, treat it
1361 as a no-op with a warning (this makes it easier to
1362 distribute the same client config file to Windows
1364 * Warn if --ifconfig-pool-persist is used with
1367 2005.02.05 -- Version 2.0-rc12
1369 * Removed some debugging code inadvertently included
1370 in rc11 which would print the --auth-user-pass
1371 username/password provided by clients in the server
1373 * Client code for cycling through --remote list will
1374 retry the last address which successfully authenticated
1375 before moving on through the list.
1376 * Windows installer will now install sample configuration
1377 files in \Program Files\OpenVPN\sample-configs as well
1378 as generate a start menu shortcut to this directory.
1379 * Minor type change in buffer.[ch] to work around char-type
1380 ambiguity bug. Caused management interface lock-ups on
1381 ARM when building with armv4b-hardhat-linux-gcc 2.95.3.
1383 2005.02.03 -- Version 2.0-rc11
1385 * Windows installer will now install easy-rsa directory
1386 in \Program Files\OpenVPN
1387 * Allow syslog facility to be controlled at compile time,
1388 e.g. -DLOG_OPENVPN=LOG_LOCAL6 (P Kern).
1389 * Changed certain shell scripts in distribution to use
1390 #!/bin/sh rather than #!/bin/bash for better portability.
1391 * If --ifconfig-pool-persist seconds parameter is 0, treat
1392 persist file as an allocation of fixed IP addresses
1393 (previous versions took IP-to-common-name associations
1394 from this list as hints, not mandatory static allocations).
1395 * Fixed bug on *nix where if --auth-user-pass and --log
1396 were used together, the username prompt would be sent to
1397 the log file rather than /dev/tty.
1398 * Spurious text in openvpn.8 detected by doclifter
1400 * Call closelog later on daemon kill so that process
1401 exit message is written to syslog.
1403 2005.01.27 -- Version 2.0-rc10
1405 * When ./configure is run with plugins enabled (the default),
1406 check whether or not dlopen exists in libc before testing
1407 for libdl. This is to fix an issue on FreeBSD and possibly
1408 other OSes which bundle libdl functions in libc.
1409 * On Windows, filter initial WSAEINVAL warning which occurs
1410 on the initial read attempt of an unbound socket.
1411 * The easy-rsa scripts build-key, build-key-pass, and
1412 build-key-server will now chmod the .key file
1413 to 0600. This is in addition to the fact the generated
1414 keys directory has always been similarly protected
1417 2005.01.23 -- Version 2.0-rc9
1419 * Fixed error "ROUTE: route addition failed using
1420 CreateIpForwardEntry ..." on Windows when --redirect-gateway
1421 is used over a RRAS internet link.
1422 * When using --route-method exe on Windows, include the
1423 gateway parameter on route delete commands (Mathias Sundman).
1424 * Try not to do a hard reset (i.e. SIGHUP) when two
1425 SIGUSR1 signals are received in close succession.
1426 * If the push list tries to grow beyond its buffer capacity,
1427 the resulting error will be non-fatal.
1428 * To increase the push list capacity (must be done on both
1429 client and server), increase TLS_CHANNEL_BUF_SIZE in
1430 common.h (default=1024).
1432 2005.01.15 -- Version 2.0-rc8
1434 * Fixed bug introduced in rc7 where options error
1435 "--auth-user-pass requires --pull" might occur even
1436 if --pull was correctly specified.
1437 * Changed management interface code to bind once
1438 to TCP socket, rather than rebinding after every
1440 * Added "disable" directive for client-config-dir
1442 * Windows binary install is now distributed with
1444 * Query the management interface for --http-proxy
1445 username/password if authfile is set to "stdin".
1446 * Added current OpenVPN version number to "Unrecognized
1447 option or missing parameter" error message.
1448 * Added "-extensions server" to "openssl req" command
1449 in easy-rsa/build-key-server (Nir Yeffet).
1451 2005.01.10 -- Version 2.0-rc7
1453 * Fixed bug in management interface which could cause
1454 100% CPU utilization in --proto tcp-server mode
1455 on all *nix OSes except for Linux 2.6.
1456 * --ifconfig-push now accepts DNS names as well as
1458 * Added sanity check errors when --pull or
1459 --auth-user-pass is used in an incorrect mode.
1460 * Updated man page entries for --client-connect and
1462 * Added "String Types and Remapping" section to man
1463 page to consisely document the way which OpenVPN
1464 may convert certain types of characters in strings
1466 * Modified bridging description in HOWTO to emphasize
1467 the fact that bridging allows Windows file and print
1468 sharing without a WINS server (Charles Duffy).
1470 2004.12.20 -- Version 2.0-rc6
1472 * Improved checking for epoll support in ./configure
1473 to fix false positive on RH9 (Jan Just Keijser).
1474 * Made the "MULTI TCP: I/O wait required blocking in
1475 multi_tcp_action, action=7" error nonfatal and replaced
1476 with "MULTI: Outgoing TUN queue full, dropped packet".
1477 So far the issue only seems to occur on Linux 2.2
1478 in --mode server --proto tcp mode. It occurs when
1479 the TUN/TAP driver locks up and refuses to accept
1480 new packet writes for a second or more.
1481 * Fixed bug where if a --client-config-dir file tried
1482 to include another file using "config", and if that
1483 include failed, OpenVPN would abort with a fatal
1484 error. Now such inclusion failures will be logged
1485 but are no longer fatal.
1486 * Global changes to the way that packet buffer alignment
1487 is handled. Previously we didn't care about alignment
1488 and took care, when handling 16 and 32 bit words
1489 in buffers, to always use alignment-safe transfers.
1490 This approach appears to be inadequate on some
1491 architectures such as alpha. The new approach is
1492 to initialize packet buffers in a way that anticipates
1493 how component structures will be allocated within
1494 them, to maintain correct alignment.
1495 * Added --dhcp-option DISABLE-NBT to disable NetBIOS
1496 over TCP (Jan Just Keijser).
1497 * Added --http-proxy-option directive for controlling
1498 miscellaneous HTTP proxy options.
1499 * Management state will no longer transition to "WAIT"
1500 during TLS renegotiations.
1502 2004.12.16 -- Version 2.0-rc5
1504 * The --client-config-dir option will now try to open
1505 a default file called "DEFAULT" if no file matching
1506 the common name of the incoming client was found.
1507 * The --client-connect script/plugin can now veto client
1508 authentication by returning a failure code.
1509 * The --learn-address script/plugin can now prevent a
1510 client-instance/address association from being learned
1511 by returning a failure code.
1512 * Changed RPM group in .spec file to Applications/Internet.
1514 2004.12.14 -- Version 2.0-rc4
1516 * SuSE only -- Fixed interaction between openvpn.spec and
1517 suse/openvpn.init where the .spec file was writing the
1518 OpenVPN binary to a different location than where the
1519 .init script was referencing it (Stefan Engel).
1520 * Solaris only -- Split Solaris ifconfig command into two
1521 parts (Jan Just Keijser).
1522 * Some cleanup in add_option().
1523 * Better error checking on input dotted quad IP addresses.
1524 * Verify that --push argument is quoted, if there is
1526 * More miscellaneous option sanity checks.
1528 2004.12.13 -- Version 2.0-rc3
1530 * On Windows, when --log or --log-append is used,
1531 save the original stderr for username and password
1533 * Fixed a bug introduced in the late 2.0 betas where
1534 if a "verb" parameter >= 16 was used, it would be
1535 ignored and the actual verb level would remain at 1.
1536 * Fixed a bug mostly seen on OS X where --management-hold
1537 or --management-query-passwords would cause the management
1538 interface to be unresponsive to incoming client connections.
1539 * Trigger an options error if one of the management-modifying
1540 options is used without "management" itself.
1542 2004.12.12 -- Version 2.0-rc2
1544 * Amplified warnings in documentation about possible
1545 man-in-the-middle attack when clients do not properly
1546 verify server certificate. Changes to easy-rsa README,
1547 FAQ, HOWTO, man page, and sample client config file.
1548 * Added a warning message if --tls-client or --client
1549 is used without also specifying one of either
1550 --ns-cert-type, --tls-remote, or --tls-verify.
1551 * status_open() fixes for MSVC builds (Blaine Fleming).
1552 * Fix attempt of "ntlm.c:55: error: `des_cblock' undeclared"
1553 compiler error which has been reported on some platforms.
1554 * The openvpn.spec file for rpmbuild has several
1555 new build-time options. See comments in the file.
1556 * Plugins are now built and packaged in the RPM and
1557 will be saved in /usr/share/openvpn/plugin/lib.
1558 * Added --management-hold directive to start OpenVPN
1559 in a hibernating state until released by the
1560 management interface. Also added "hold" command
1561 to the management interface.
1563 2004.12.07 -- Version 2.0-rc1
1565 * openvpn.spec workaround for SuSE confusion regarding
1566 /etc/init.d vs. /etc/rc.d/init.d (Stefan Engel).
1568 2004.12.05 -- Version 2.0-beta20
1570 * The ability to read --askpass and --auth-user-pass
1571 passwords from a file has been disabled by default.
1572 To re-enable, use ./configure --enable-password-save.
1573 * Added additional pre-connected states to management
1574 interface. See management/management-notes.txt
1576 * State history is now recorded by the management
1577 interface, and the "state" command now works like
1578 the log or echo commands.
1579 * State history and real-time state change notifications
1580 are now prepended with an integer unix timestamp.
1581 * Added --http-proxy-timeout option, previously
1582 the timeout was hardcoded to 5 seconds.
1584 2004.12.02 -- Version 2.0-beta19
1586 * Fixed bug in management interface line termination
1587 where output lines incorrectly contained a \00 char
1588 after the customary \0d \0a.
1589 * Fixed bug introduced in beta18 where Windows version
1590 would segfault on options errors.
1591 * Fixed bug in management interface where an empty
1592 quoted string ("") entered as a parameter would cause
1594 * Fixed bug where --resolv-retry was not working
1595 properly with multiple --remote hosts.
1596 * Added additional ./configure options to reduce
1597 executable size for embedded applications.
1598 See ./configure --help.
1600 2004.11.28 -- Version 2.0-beta18
1602 * Added management interface. See new --management-*
1603 options or the full management interface documentation
1604 in management/management-notes.txt in the tarball.
1605 Management interface inclusion can be disabled by
1606 ./configure --disable-management.
1607 * Added two new plugin modules: auth-pam and down-root.
1608 Auth-pam supports pam-based authentication using a
1609 split privilege execution model, while down-root enables
1610 a down script to be executed with root privileges, even
1611 when --user/--group is used to drop root privileges.
1612 See the plugin directory in the tarball for READMEs,
1613 source code, and Makefiles.
1614 * Plugin developers should note that some changes were
1615 made to the plugin interface since beta17. See
1616 openvpn-plugin.h for details.
1617 Plugin interface inclusion can be disabled with
1618 ./configure --disable-plugins
1619 * Added easy-rsa/build-key-server script which will
1620 build a certificate with with nsCertType=server.
1621 * Added --ns-cert-type option for verification
1622 of nsCertType field in peer certificate.
1623 * If --fragment n is specified and --mssfix is specified
1624 without a parameter, default --mssfix to n. This restores
1625 the 1.6 behavior when using --mssfix without a parameter.
1626 * Fixed SSL context initialization bug introduced in beta14
1627 where this error might occur on restarts: "Cannot load
1628 certificate chain ... PEM_read_bio:no start line".
1630 2004.11.11 -- Version 2.0-beta17
1632 * Changed default port number to 1194 per IANA official
1633 port number assignment.
1634 * Added --plugin directive which allows compiled
1635 modules to intercept script callbacks. See
1636 plugin folder in tarball for more info.
1637 * Fixed bug introduced in beta12 where --key-method 1
1638 authentications which should have succeeded would fail.
1639 * Ignore SIGUSR1 during DNS resolution.
1640 * Added SuSE support to openvpn.spec (Umberto Nicoletti).
1641 * Fixed --cryptoapicert SUBJ: parsing bug (Peter 'Luna'
1644 2004.11.07 -- Version 2.0-beta16
1646 * Modified sample-scripts/auth-pam.pl to get username
1647 and password from OpenVPN via a file rather than
1648 via environmental variables.
1649 * Added bytes_sent and bytes_received environmental
1650 variables to be set prior to client-disconnect script.
1651 * Changed client virtual IP derivation precedence:
1652 (1) use --ifconfig-push directive from --client-connect
1653 script, (2) use --ifconfig-push directive from
1654 --client-config-dir, and (3) use --ifconfig-pool
1656 * If a --client-config-dir file specifies --ifconfig-push,
1657 it will be visible to the --client-connect-script in
1658 the ifconfig_pool_remote_ip environmental variable.
1659 * For tun-style tunnels, the ifconfig_pool_local_ip
1660 environmental variable will be set, while for
1661 tap-style tunnels, the ifconfig_pool_netmask variable
1663 * Added intelligence to autoconf script to test
1664 compiler for the accepted form of zero-length arrays.
1665 * Fixed a bug introduced in beta12 where --ip-win32
1666 netsh would fail if --dev-node was not explicitly
1668 * --ip-win32 netsh will now work on hidden adapters.
1669 * Fix attempt of "Assertion failed at crypto.c:149".
1670 This assertion has also been reported on 1.x with a
1671 slightly different line number. The fix is twofold:
1672 (1) In previous releases, --mtu-test may trigger this
1673 assertion -- this bug has been fixed. (2) If something
1674 else causes the assertion to be thrown, don't panic,
1675 just output a nonfatal warning to the log and drop
1676 the packet which generated the error.
1677 * Support TAP interfaces on Mac OS X (Waldemar Brodkorb).
1678 * Added --echo directive.
1679 * Added --auth-nocache directive.
1681 2004.10.28 -- Version 2.0-beta15
1683 * Changed environmental variable character classes
1684 so that names must consist of alphanumeric or
1685 underbar chars and values must consist of printable
1686 characters. Illegal chars will be deleted.
1687 Versions prior to 2.0-beta12 were more restrictive
1688 and would map spaces to '.'.
1689 * On Windows, when the TAP adapter fails to
1690 initialize with the correct IP address, output
1691 "Initialization Sequence Completed with Errors"
1692 to the console or log file.
1693 * Added a warning when user/group/chroot is used
1694 without persist-tun and persist-key.
1695 * Added cryptoapi.[ch] to tarball and source zip.
1696 * --tls-remote option now works with common name
1697 prefixes as well as with the full X509 subject
1698 string. This is a useful alternative to using
1699 a CRL on the client.
1700 * common names associated with a static
1701 --ifconfig-push setting will no longer leave
1702 any state in the --ifconfig-pool-persist file.
1703 * Hard TLS errors (TLS handshake failed) will now
1704 trigger either a SIGUSR1 signal by default
1705 or SIGTERM (if --tls-exit is specified). In TCP
1706 mode, all TLS errors are considered to be hard.
1707 In server mode, the signal will be local to the
1709 * Added method parameter to --auth-user-pass-verify
1710 directive to select whether username/password
1711 is passed to script via environment or a temporary
1713 * Added --status-version option to control format
1714 of --status file. The --mode server
1715 --status-version 2 format now includes a line
1716 type token, the virtual IP address is shown
1717 in the client list (even in --dev tap mode),
1718 and the integer time_t value is shown anywhere
1719 an ascii-formatted time/date is also shown.
1720 * Added --remap-usr1 directive which can be used
1721 to control whether internally or externally
1722 generated SIGUSR1 signals are remapped to
1723 SIGHUP (restart without persisting state) or
1725 * When running as a Windows service (using
1726 --service option), check the exit event before
1727 and after reading one line of input from
1728 stdin, when reading username/password info.
1729 * For developers: Extended the --gremlin function
1730 to better stress-test the new 2.0 features,
1731 added Valgrind support on Linux and Dmalloc
1734 2004.10.19 -- Version 2.0-beta14
1736 * Fixed a bug introduced in Beta12 that would occur
1737 if you use a --client-connect script without also
1739 * Fixed a bug introduced in Beta12 where a learn-address
1740 script might segfault on the delete method.
1741 * Added Crypto API support in Windows version via
1742 the --cryptoapicert option (Peter 'Luna' Runestig).
1744 2004.10.18 -- Version 2.0-beta13
1746 * Fixed an issue introduced in Beta12 where the private
1747 key password would not be prompted for unless --askpass
1748 was explicitly specified in the config.
1750 2004.10.17 -- Version 2.0-beta12
1752 * Added support for username/password-based authentication.
1753 Clients can now authentication themselves with the server
1754 using either a certificate, a username/password, or both.
1755 New directives: --auth-user-pass, --auth-user-pass-verify,
1756 --client-cert-not-required, and --username-as-common-name.
1757 * Added NTLM proxy patch (William Preston).
1758 * Added --ifconfig-pool-linear server flag to allocate
1759 individual tun addresses for clients rather than /30
1760 subnets (won't work with Windows clients).
1761 * Modified --http-proxy code to cache username/password
1763 * Modified --http-proxy code to read username/password
1764 from the console when the auth file is given as "stdin".
1765 * Modified --askpass to take an optional filename argument.
1766 * --persist-tun and --persist-key now work in client mode
1767 and can be pushed to clients as well.
1768 * Added --ifconfig-pool-persist directive, to maintain
1769 ifconfig-pool info in a file which is persistent across
1770 daemon instantiations.
1771 * --user and --group privilege downgrades as well as
1772 --chroot now also work in client mode (the
1773 dowgrade/chroot will be delayed until the initialization
1774 sequence is completed).
1775 * Added --show-engines standalone directive to show
1776 available OpenSSL crypto accelerator engine support.
1777 * --engine directive now accepts an optional engine-ID
1778 parameter to control which engine is used.
1779 * "Connection reset, restarting" log message now shows
1780 which client is being reset.
1781 * Added --dhcp-pre-release directive in Windows version.
1782 * Second parm to --ip-win32 can be "default", e.g.
1783 --ip-win32 dynamic default 60.
1784 * Fixed documentation bug regarding environmental
1785 variable settings for --ifconfig-pool IP addresses.
1786 The correct environmental variable names are:
1787 ifconfig_pool_local_ip and ifconfig_pool_remote_ip.
1788 * ifconfig_pool_local_ip and ifconfig_pool_remote_ip
1789 environmental variables are now passed to the
1790 client-disconnect script.
1791 * In server mode, environmental variables are now scoped
1792 according to the client they are associated with,
1793 to solve the problem of "crosstalk" between different
1794 client's environmental variable sets.
1795 * Added --down-pre flag to cause --down script to be
1796 called before TUN/TAP close (rather than after).
1797 * Added --tls-exit flag which will cause OpenVPN
1798 to exit on any TLS errors.
1799 * Don't push a route to a client if it exactly
1800 matches an iroute (this lets you push routes to
1801 all clients, and OpenVPN will automatically remove
1802 the route from the route push list only for that client
1803 which the route actually belongs to).
1804 * Made '--resolv-retry infinite' the default.
1805 --resolv-retry can be disabled by using a parameter of 0.
1806 * For clients which plan to pull config info from server,
1807 set an initial default ping-restart of 60 seconds.
1808 * Optimized mute code to lessen the load on the processor
1809 when messages are being muted at a higher frequency.
1810 * Made route log messages non-mutable.
1811 * Silence the Linux "No buffer space available" message.
1812 * Added miscellaneous additional option sanity checks.
1813 * Added Windows version of easy-rsa scripts in
1814 easy-rsa/Windows directory (Andrew J. Richardson).
1815 * Added NetBSD route patch (Ed Ravin).
1816 * Added OpenBSD patch for TAP + --redirect-gateway
1817 (Waldemar Brodkorb).
1818 * Directives which prompt for a username and/or password
1819 will now work with --daemon (OpenVPN will prompt
1821 * Warn if CRL is from a different issuer than the
1822 issuer of the peer certificate (Bernhard Weisshuhn).
1823 * Changed init script chkconfig parameters to start
1824 OpenVPN daemon(s) before NFS.
1825 * Bug fix attempt of "too many I/O wait events" which occurs
1826 on OSes which prefer select() over poll() such as Mac OS X.
1827 * Added --ccd-exclusive flag. This flag will require, as a
1828 condition of authentication, that a connecting client has
1829 a --client-config-dir file.
1830 * TAP-Win32 open code will attempt to open a free adapter
1831 if --dev-node is not specified (Mathias Sundman).
1832 * Resequenced --nice and --chroot ordering so that --nice
1834 * Added --suppress-timestamps flag (Charles Duffy).
1835 * Source code changes to allow compilation by MSVC
1836 (Peter 'Luna' Runestig).
1837 * Added experimental --fast-io flag which optimizes
1838 TUN/TAP/UDP writes on non-Windows systems.
1840 2004.08.18 -- Version 2.0-beta11
1842 * Added --server, --server-bridge, --client, and
1843 --keepalive helper directives. See client.conf
1844 and server.conf in sample-config-files for sample
1845 configurations which use the new directives.
1846 * On Windows, added --route-method to control
1847 whether IP Helper API or route.exe is used
1848 to add/delete routes.
1849 * On Windows, added a second parameter to
1850 --route-delay to control the maximum time period
1851 to wait for the TAP-Win32 adapter to come up
1852 before adding routes.
1853 * Fixed bug in Windows version where configurations
1854 which omit --ifconfig might fail to recognize when
1855 the TAP adapter is up.
1856 * Proxy connection failures will now retry according
1857 to the --connect-retry parameter.
1858 * Fixed --dev null handling on Windows so that TLS
1859 loopback test described in INSTALL file works
1860 correctly on Windows.
1861 * Added "Initialization Sequence Completed" message
1862 after all initialization steps have been completed
1863 and the VPN can be considered "up".
1864 * Better sanity-checking on --ifconfig-pool parameters.
1865 * Added --tcp-queue-limit option to control
1866 TUN/TAP -> TCP socket overflow.
1867 * --ifconfig-nowarn flag will now silence general
1868 warnings about possible --ifconfig address
1869 conflicts, including the warning about --ifconfig
1870 and --remote addresses being in same /24 subnet.
1871 * Fixed case where server mode did not correctly
1872 identify certain types of ethernet multicast packets
1874 * Added --explicit-exit-notify option (experimental).
1876 2004.08.02 -- Version 2.0-beta10
1878 * Fixed possible reference after free of option strings
1879 after a restart, bug was introduced in beta8.
1880 * Fixed segfault at route.c:919 in the beta9
1881 Windows version that was being caused by indirection
1882 through a NULL pointer.
1883 * Mistakenly built debug version of TAP-Win32 driver
1884 for beta9. Beta10 has correct release build.
1886 2004.07.30 -- Version 2.0-beta9
1888 * Fixed --route issue on Windows that was introduced with
1889 the new beta8 route implementation based on the
1892 2004.07.27 -- Version 2.0-beta8
1894 * Added TCP support in server mode.
1895 * Added PKCS #12 support (Mathias Sundman).
1896 * Added patch to make revoke-crt and make-crl work
1897 seamlessly within the easy-rsa environment (Jan Kiszka).
1898 * Modified --mode server ethernet bridge code to forward
1899 special IEEE 802.1d MAC Groups, i.e. 01:80:C2:XX:XX:XX.
1900 * Added --dhcp-renew and --dhcp-release flags to Windows
1901 version. Normally DHCP renewal and release on the TAP
1902 adapter occurs automatically under Windows, however
1903 if you set the TAP-Win32 adapter Media Status property
1904 to "Always Connected", you may need these flags.
1905 * Added --show-net standalone flag to Windows version to
1906 show OpenVPN's view of the system adapter and routing
1908 * Added --show-net-up flag to Windows version to output
1909 the system routing table and network adapter list to
1910 the log file after the TAP-Win32 adapter has been brought
1911 up and any routes have been added.
1912 * Modified Windows version to add routes using the IP Helper
1913 API rather than by calling route.exe.
1914 * Fixed bug where --route-up script was not being called
1915 if no --route options were specified.
1916 * Added --mute-replay-warnings to suppress packet replay
1917 warnings. This is a common false alarm on WiFi nets.
1918 * Added "def1" flag to --redirect-gateway option to override
1919 the default gateway by using 0.0.0.0/1 and 128.0.0.0/1
1920 rather than 0.0.0.0/0. This has the benefit of overriding
1921 but not wiping out the original default gateway.
1922 (Thanks to Jim Carter for pointing out this idea).
1923 * You can now run OpenVPN with a single config file argument.
1924 For example, you can now say "openvpn config.conf"
1925 rather than "openvpn --config config.conf".
1926 * On Windows, made --route and --route-delay more adaptive
1927 with respect to waiting for interfaces referenced by the
1928 route destination to come up. Routes added by --route
1929 should now be added as soon as the interface comes up,
1930 rather than after an obligatory 10 second delay. The
1931 way this works internally is that --route-delay now
1932 defaults to 0 on Windows. Previous versions would
1933 wait for --route-delay seconds then add the routes.
1934 This version will wait --route-delay seconds and then
1935 test the routing table at one second intervals for the
1936 next 30 seconds and will not add the routes until they
1937 can be added without errors.
1938 * On Windows, don't setsockopt SO_SNDBUF or SO_RCVBUF by
1939 default on TCP/UDP socket in light of reports that this
1940 action can have undesirable global side effects on the
1941 MTU settings of other adapters. These parameters can
1942 still be set, but you need to explicitly specify
1943 --sndbuf and/or --rcvbuf.
1944 * Added --max-clients option to limit the maximum number
1945 of simultaneously connected clients in server mode.
1946 * Added error message to illuminate shell escape gotcha when
1947 single backslashes are used in Windows path names.
1948 * Added optional netmask parm to --ifconfig-pool.
1949 * Fixed bug where http-proxy connect retry attempts were
1950 incorrectly going to the remote OpenVPN server,
1951 not to the HTTP proxy server.
1953 2004.06.29 -- Version 2.0-beta7
1955 * Fixed bug in link_socket_verify_incoming_addr() which
1956 under certain circumstances could have caused --float
1957 behavior even if --float was not specified.
1958 * --tls-auth option now works with --mode server.
1959 All clients and the server should use the same
1960 --tls-auth key when operating in client/server mode.
1961 * Added --engine option to make use of OpenSSL-supported
1962 crypto acceleration hardware.
1963 * Fixed some high verbosity print format size issues
1964 in event.c for 64 bit platforms (Janne Johansson).
1965 * Made failure to open --log or --log-append file
1968 2004.06.23 -- Version 2.0-beta6
1970 * Fixed Windows installer to intelligently put
1971 up a reboot dialog only if tapinstall tells
1972 us that it's really necessary.
1973 * Fixed "Assertion failed at fragment.c:309"
1974 bug when --mode server and --fragment are used
1976 * Ignore HUP, USR1, and USR2 signals during
1977 initialization. Prior versions would abort.
1978 * Fixed bug on OS X: "Assertion failed at event.c:406".
1979 * Added --service option to Windows version, for use
1980 when OpenVPN is being programmatically instantiated
1981 by another process (see man page for info).
1982 * --log and --log-append options now work on Windows.
1983 * Update OpenBSD INSTALL notes (Janne Johansson).
1984 * Enable multicast on tun interface when running on
1985 OpenBSD (Pavlin Radoslavov).
1986 * Fixed recent --test-crypto breakage, where options
1987 such as --cipher were not being parsed correctly.
1988 * Modified options compatibility string by removing
1989 ifconfig substring if it is empty. Incremented
1990 options compatibility string version number to 4.
1991 * Fixed typo in --tls-timeout option parsing
1994 2004.06.13 -- Version 2.0-beta5
1996 * Fixed rare --mode server crash that could occur
1997 if data was being routed to a client at
1998 high bandwidth at the precise moment that the
1999 client instance object on the server was being
2001 * Fixed issue on machines which have epoll.h and
2002 the epoll_create glibc call defined, but which
2003 don't actually implement epoll in the kernel.
2004 OpenVPN will now gracefully fall back to the
2005 poll API in this case.
2006 * Fixed Windows bug which would cause the following
2007 error in a --mode server --dev tap configuration:
2008 "resource limit WSA_MAXIMUM_WAIT_EVENTS has been
2010 * Added CRL (certificate revocation list) management
2011 scripts to easy-rsa directory (Jon Bendtsen).
2012 * Do a better job of getting the ifconfig component
2013 of the options consistency check to work correctly
2014 when --up-delay is used.
2015 * De-inlined some functions which were too complex
2016 to be inlined anyway with gcc.
2017 * If a --dhcp-option option is pushed to a non-windows
2018 client, the option will be saved in the client's
2019 environment before the --up script is called, under
2020 the name "foreign_option_{n}".
2021 * Added --learn-address script (see man page) which
2022 allows for firewall access through the VPN to be
2023 controlled based on the client common name.
2024 * In mode --server mode, when a client connects to
2025 the server, the server will disconnect any
2026 still-active clients which use the same common
2027 name. Use --duplicate-cn flag to revert to
2028 previous behavior of allowing multiple clients
2029 to concurrently connect with the same common name.
2031 2004.06.08 -- Version 2.0-beta4
2033 * Fixed issue with beta3 where Win32 service wrapper
2034 was keying off of old TAP HWID as a dependency. To
2035 ensure that the new service wrapper is correctly
2036 installed, the Windows install script will uninstall
2037 the old wrapper before installing the new one,
2038 causing a reset of service properties.
2039 * Fixed permissions issue on --status output file,
2040 with default access permissions of owner read/write
2041 only (default permissions can be changed of course with
2044 2004.06.05 -- Version 2.0-beta3
2046 * More changes to TAP-Win32 driver's INF file which
2047 affects the placement of the driver in the Windows
2048 device namespace. This is done to work around an
2049 apparent bug in Windows when short HWIDs are used,
2050 and will also ease the upgrade from 1.x to 2.0 by
2051 reducing the chances that a reboot will be needed
2052 on upgrade. Like beta2, this upgrade will
2053 delete existing TAP-Win32 interfaces, and reinstall
2054 a single new interface with default properties.
2055 * Major rewrite of I/O event wait layer in the style
2056 of libevent. This is a precursor to TCP support
2058 * New feature: --status. Outputs a SIGUSR2-like
2059 status summary to a given file, updated once
2060 per n seconds. The status file is comma delimited
2061 for easy machine parsing.
2062 * --ifconfig-pool now remembers common names and
2063 will try to assign a consistent IP to a given
2064 common name. Still to do: persist --ifconfig-pool
2065 memory across restarts by saving state in file.
2066 * Fixed bug in event timer queue which could cause
2067 recurring timer events such as --ping to not
2068 correctly schedule again after firing. This in
2069 turn would cause spurrious ping restarts and possible
2070 connection outages. Thanks to Denis Vlasenko for
2072 * Possible fix to reported bug where --daemon argument
2073 was not printing to syslog correctly after restart.
2074 * Fixed bug where pulling --route or --dhcp-option
2075 directives from a server would problematically
2076 interact with --persist-tun on the client.
2077 * Updated contrib/multilevel-init.patch (Farkas Levente).
2078 * Added RPM build option to .spec and .spec.in files
2079 to optionally disable LZO inclusion (Ian Pilcher).
2080 * The latest MingW runtime and headers define
2081 'ssize_t', so a patch is needed (Gisle Vanem).
2083 2004.05.14 -- Version 2.0-beta2
2085 * Fixed signal handling bug in --mode server, where
2086 SIGHUP and SIGUSR1 were treated as SIGTERM.
2087 * Changed the TAP-Win32 HWID from "TAP" to "TAPDEV".
2088 Apparently the larger string may work around
2089 a problem where the TAP adapter is sometimes missing
2090 from the network connections panel, especially under
2091 XP SP2. Also note that installing this upgrade will
2092 uninstall any pre-existing TAP-Win32 adapters, and then
2093 install a single new adapter, meaning that old adapter
2094 properties will be lost. Thanks to Md5Chap for solving
2096 * For --mode server --dev tap, the options --ifconfig and
2097 --ifconfig-pool are now optional. This allows address
2098 assignment via DHCP or use of a TAP VPN without
2099 IP support, as has always been possible with 1.x.
2100 * Fixed bug where --ifconfig may not work correctly on
2102 * Added 'local' flag to --redirect-gateway for use on
2103 networks where both OpenVPN daemons are connected
2104 to a shared subnet, such as wireless.
2106 2004.05.09 -- Version 2.0-beta1
2108 * Unchanged from test29 except for version number
2111 2004.05.08 -- Version 2.0-test29
2113 * Modified --dev-node on Windows to accept a TAP-Win32
2114 GUID name. In addition, --show-adapters will now
2115 display the high-level name and GUID of each adapter.
2116 This is an attempt to work around an issue in Windows
2117 where sometimes the TAP-Win32 adapter installs correctly
2118 but has no icon in the network connections control
2119 panel. In such cases, being able to specify
2120 --dev-node {TAP-GUID} can work around the missing icon.
2122 2004.05.07 -- Version 2.0-test28
2124 * Fixed bug which could cause segfault on program
2125 shutdown if --route and --persist-tun are used
2128 2004.05.06 -- Version 2.0-test27
2130 * Fixed bug in close_instance() which might cause
2131 memory to be accessed after it had already been freed.
2132 * Fixed bug in verify_callback() that might have
2133 caused uninitialized data to be referenced.
2134 * --iroute now allows full CIDR subnet routing.
2135 * In "--mode server --dev tun" usage, source addresses
2136 on VPN packets coming from a particular client must
2137 be associated with that client in the OpenVPN internal
2140 2004.04.28 -- Version 2.0-test26
2142 * Optimized broadcast path in multi-client mode.
2143 * Added socket buffer size options --rcvbuf & --sndbuf.
2144 * Configure Linux tun/tap driver to use a more sensible
2145 txqueuelen default. Also allow explicit setting
2146 via --txqueuelen option (Harald Roelle).
2147 * The --remote option now allows the port number
2148 to be specified as the second parameter. If
2149 unspecified, the port number defaults to the
2151 * Multiple --remote options on the client can now be
2152 specified for load balancing and failover. The
2153 --remote-random flag can be used to initially randomize
2154 the --remote list for basic load balancing.
2155 * If a remote DNS name resolves to multiple DNS addresses,
2156 one will be chosen by random as a kind of basic
2157 load-balancing feature if --remote-random is used.
2158 * Added --connect-freq option to control maximum
2159 new connection frequency in multi-client mode.
2160 * In multi-client mode, all syslog messages associated
2161 with a specific client now include a client-ID prefix.
2162 * For Windows, use a gettimeofday() function based
2163 on QueryPerformanceCounter (Derek Burdick).
2164 * Fixed bug in interaction between --key-method 2
2165 and DES ciphers, where dynamic keys would be generated
2166 with bad parity and then be rejected.
2168 2004.04.17 -- Version 2.0-test24
2170 * Reworked multi-client broadcast handling.
2172 2004.04.13 -- Version 2.0-test23
2174 * Fixed bug in --dev tun --client-to-client routing.
2175 * Fixed a potential deadlock in --pull.
2176 * Fixed a problem with select() usage which could
2177 cause a repeating sequence of "select : Invalid
2180 2004.04.11 -- Version 2.0-test22
2182 * Fixed bug where --mode server + --daemon was
2183 prematurely closing syslog connection.
2184 * Added support for --redirect-gateway on Mac OS X
2186 * Minor changes to TAP-Win32 driver based on feedback
2187 from the NDISTest tool.
2189 2004.04.11 -- Version 2.0-test21
2191 * Optimizations in multi-client server event loop.
2193 2004.04.10 -- Version 2.0-test20
2195 * --mode server capability now works with either tun
2196 or tap interfaces. When used with tap interfaces,
2197 OpenVPN will internally bridge all client tap
2198 interfaces with the server tap interface.
2199 * Connecting clients can now have a client-specific
2200 configuration on the server, based on the client
2201 common name embedded in the client certificate.
2202 See --client-config-dir and --client-connect.
2203 These options can be used to configure client-specific
2205 * Added an option --client-to-client that enables
2206 internal client-to-client routing or bridging.
2207 Otherwise, clients will only "see" the server,
2208 not other connected clients.
2209 * Fixed bug in route scheduling which would have caused
2210 --mode server to not work on Windows in test18
2211 and test19 with the sample config file.
2212 * Man page is up to date with all new options.
2213 * OpenVPN 2.0 release notes on web site updated
2214 with tap-style tunnel examples.
2216 2004.04.02 -- Version 2.0-test19
2218 * Fixed bug where routes pushed from server were
2219 not working correctly on Windows clients.
2220 * Added Mac OS X route patch (Jeremy Apple).
2222 2004.03.30 -- Version 2.0-test18
2224 * Minor fixes + Windows self-install modified
2225 to use OpenSSL 0.9.7d.
2227 2004.03.29 -- Version 2.0-test17
2229 * Fixed some bugs related to instance timeout and deletion.
2230 * Extended --push/--pull option to support additional
2233 2004.03.28 -- Version 2.0-test16
2235 * Successful test of --mode udp-server, --push,
2236 --pull, and --ifconfig-pool with server on
2237 Linux 2.4 and clients on Linux and Windows.
2239 2004.03.25 -- Version 2.0-test15
2241 * Implemented hash-table lookup of client instances
2242 based either on remote UDP address/port or remote
2244 * Implemented a randomized binary tree based
2245 scheduler for scalably scheduling a large number
2246 of client instance events. Uses the treap
2247 data structure and node rotation algorithm
2248 to keep the tree balanced.
2249 * Initial implementation of ifconfig-pool.
2250 * Made --key-method 2 the default.
2252 2004.03.20 -- Version 2.0-test14
2254 * Implemented --push and --pull.
2256 2004.03.20 -- Version 2.0-test13
2258 * Reduced struct tls_multi and --single-session
2260 * Modified --single-session flag to be used
2261 in multi-client UDP server client instances.
2263 2004.03.19 -- Version 2.0-test12
2265 * Added the key multi-client UDP server options,
2266 --mode, --push, --pull, and --ifconfig-pool.
2267 * Revamped GC (garbage collection) code to not rely
2269 * Modifications to thread.[ch] to allow a more
2270 flexible thread model.
2272 2004.03.16 -- Version 2.0-test11
2274 * Moved all timer code to interval.h, added new file
2276 * Fixed missing include.
2278 2004.03.16 -- Version 2.0-test10
2280 * More TAP-Win32 fixes.
2281 * Initial debugging and testing of multi.[ch].
2283 2004.03.14 -- Version 2.0-test9
2285 * Branch merge with 1.6-rc3
2286 * More point-to-multipoint work in multi.[ch].
2287 * Major TAP-Win32 driver restructuring to use
2288 NdisMRegisterDevice instead of
2289 IoCreateDevice/IoCreateSymbolicLink.
2290 * Changed TAP-Win32 symbolic links to use \DosDevices\Global\
2292 * In the majority of cases, TAP-Win32 should now be
2293 able to install and uninstall on Win2K without requiring
2295 * TAP-Win32 MAC address can now be explicitly set in the
2296 adapter advanced properties page.
2298 2004.03.04 -- Version 2.0-test8
2300 * Branch merge with 1.6-rc2.
2302 2004.03.03 -- Version 2.0-test7
2304 * Branch merge with 1.6-rc1.2.
2306 2004.03.02 -- Version 2.0-test6
2308 * Branch merge with 1.6-rc1.
2310 2004.03.02 -- Version 2.0-test5
2312 * Move Socks5 UDP header append/remove to socks.c, and is
2313 called from forward.c.
2314 * Moved verify statics from ssl.c into struct tls_session.
2315 * Wrote multi.[ch] to handle top level of point-to-multipoint
2317 * Wrote some code to allow a struct link_socket in a child context
2318 to be slaved to the parent context.
2319 * Broke up packet read and process functions in forward.c
2320 (from socket or tuntap) into separate functions for read
2321 and process, so that point-to-point and point-to-multipoint can
2322 share the same code.
2323 * Expand TLS control channel to allow the passing of configuration
2325 * Wrote mroute.[ch] to handle internal packet routing for
2326 point-to-multipoint mode.
2328 2004.02.22 -- Version 2.0-test3
2330 * Initial work on UDP multi-client server.
2331 * Branch merge of 1.6-beta7
2333 2004.02.14 -- Version 2.0-test2
2335 * Refactorization of openvpn.c into openvpn.[ch]
2336 init.[ch] forward.[ch] forward-inline.h
2337 occ.[ch] occ-inline.h ping.[ch] ping-inline.h
2338 sig.[ch]. Created a master per-tunnel
2339 struct context in openvpn.h.
2340 * Branch merge of 1.6-beta6.2
2342 2003.11.06 -- Version 2.0-test1
2344 * Initial testbed for 2.0.
2346 2004.05.09 -- Version 1.6.0
2348 * Unchanged from 1.6-rc4 except for version number
2351 2004.04.01 -- Version 1.6-rc4
2353 * Made minor customizations to devcon and
2354 renamed as tapinstall.exe for Windows version.
2355 * Fixed "storage size of `iv' isn't known" build
2357 * OpenSSL 0.9.7d bundled with Windows self-install.
2359 2004.03.13 -- Version 1.6-rc3
2361 * Minor Windows fixes for --ip-win32 dynamic, relating to
2362 the way the TAP-Win32 driver responds to a DHCP request
2363 from the Windows DHCP client.
2364 * The net_gateway environmental variable wasn't being
2365 set correctly for called scripts (Paul Zuber).
2366 * Added code to determine the default gateway on FreeBSD,
2367 allowing the --redirect-gateway option to work
2368 (Juan Rodriguez Hervella).
2370 2004.03.04 -- Version 1.6-rc2
2372 * Fixed bug in Windows version where the NetBIOS node-type
2373 DHCP option might have been passed even if it was not
2375 * Fixed bug in Windows version introduced in 1.6-rc1, where
2376 DHCP timeout would be set to 0 seconds if --ifconfig option
2377 was used and --ip-win32 option was not explicitly specified.
2378 * Added some new --dhcp-option types for Windows version.
2380 2004.03.02 -- Version 1.6-rc1
2382 * For Windows, make "--ip-win32 dynamic" the default.
2383 * For Windows, make "--route-delay 10" the default
2384 unless --ip-win32 dynamic is not used or --route-delay
2385 is explicitly specified.
2386 * L_TLS mutex could have been left in a locked state
2387 for certain kinds of TLS errors.
2389 2004.02.22 -- Version 1.6-beta7
2391 * Allow scheduling priority increase (--nice) together
2392 with UID/GID downgrade (--user/--group).
2393 * Code that causes SIGUSR1 restart on TLS errors in TCP
2394 mode was not activated in pthread builds.
2395 * Save the certificate serial number in an environmental
2396 variable called tls_serial_{n} prior to calling the
2397 --tls-verify script. n is the current cert chain level.
2398 * Added NetBSD IPv6 tunnel capability (also requires
2399 a kernel patch) (Horst Laschinsky).
2400 * Fixed bug in checking the return value of the nice()
2401 function (Ian Pilcher).
2402 * Bug fix in new FreeBSD IPv6 over TUN code which was
2403 originally added in 1.6-beta5 (Nathanael Rensen).
2404 * More Socks5 fixes -- extended the struct frame
2405 infrastructure to accomodate proxy-based encapsulation
2407 * Added --dhcp-option to Windows version for setting
2408 adapter properties such as WINS & DNS servers.
2409 * Use a default route-delay of 5 seconds when
2410 --ip-win32 dynamic is specified (only applicable when
2411 --route-delay is not explicitly specified).
2412 * Added "log_append" registry variable to control
2413 whether the OpenVPN service wrapper on Windows
2414 opens log files in append (log_append="1") or
2415 truncate (log_append="0") mode. The default
2418 2004.02.05 -- Version 1.6-beta6
2420 * UDP over Socks5 fix to accomodate Socks5 encapsulation
2421 overhead (Christof Meerwald).
2422 * Minor --ip-win32 dynamic tweaks (use long lease time,
2423 invalidate existing lease with DHCPNAK).
2425 2004.02.01 -- Version 1.6-beta5
2427 * Added Socks5 proxy support (Christof Meerwald).
2428 * IPv6 tun support for FreeBSD (Thomas Glanzmann).
2429 * Special TAP-Win32 debug mode for Windows self-install that was
2430 enabled in beta4 is now turned off.
2431 * Added some new Solaris notes to INSTALL (Koen Maris).
2432 * More work on --ip-win32 dynamic.
2434 2004.01.27 -- Version 1.6-beta4
2436 * For this beta, the Windows self-install is a debug version
2437 and will run slower -- use only for testing.
2438 * Reverted the --ip-win32 default back to 'ipapi'
2440 * Added the offset parameter to '--ip-win32 dynamic' which
2441 can be used to control the address of the masqueraded
2442 DHCP server which replies to Windows DHCP requests.
2443 * Added a wait/nowait option to --inetd (nowait can only
2444 be used with TCP sockets, TLS authentication, and over
2445 a bridged configuration -- see FAQ for more info)
2446 (Stefan `Sec` Zehl).
2447 * Added a build-time capability where TAP-Win32 driver
2448 debug messages can be output by OpenVPN at --verb 6
2451 2004.01.20 -- Version 1.6-beta2
2453 * Added ./configure --enable-iproute2 flag which
2454 uses iproute2 instead of route + ifconfig --
2455 this is necessary for the LEAF Linux distro
2457 * Added renewal-time and rebind-time to set of
2458 DHCP options returned by the TAP-Win32 driver when
2459 "--ip-win32 dynamic" is used.
2461 2004.01.14 -- Version 1.6-beta1
2463 * Fixed --proxy bug that sometimes caused plaintext
2464 control info generated by the proxy prior to http
2465 CONNECT method establishment to be incorrectly
2466 parsed as OpenVPN data.
2467 * For Windows version, implemented the
2468 "--ip-win32 dynamic" method and made it the default.
2469 This method sets the TAP-Win32 adapter IP address
2470 and netmask by replying to the kernel's DHCP queries.
2471 See the man page for more detailed info.
2472 * Added --connect-retry parameter which controls
2473 the time interval (in seconds) between connect()
2474 retries when --proto tcp-client is used. Previously,
2475 this value was hardcoded to 5 seconds, and still
2477 * --resolv-retry can now be used with a parameter
2478 of "infinite" to retry indefinitely.
2479 * Added SSL_CTX_use_certificate_chain_file() to ssl.c
2480 for support of multi-level certificate chains
2482 * Fixed --tls-auth incompatibility with 1.4.x and earlier
2483 versions of OpenVPN when the passphrase file is an
2484 OpenVPN static key file (as generated by --genkey).
2485 * Added shell-escape support in config files using
2486 the backslash character ("\") so that (for example)
2487 double quotes can be passed to the shell.
2488 * Added "contrib" subdirectory on tarball, source zip,
2489 and CVS containing user-submitted contributions.
2490 * Added an optional patch to the Redhat init script to
2491 allow the configuration file directory to be a
2492 multi-level directory hierarchy (Farkas Levente).
2493 See contrib/multilevel-init.patch
2494 * Added some scripts and documentation on using
2495 Linux "fwmark" iptables rules to enable
2496 fine-grained routing control over the VPN
2497 (Sean Reifschneider, <jafo@tummy.com>).
2498 See contrib/openvpn-fwmarkroute-1.00
2500 2003.11.20 -- Version 1.5.0
2502 * Minor documentation changes.
2504 2003.11.04 -- Version 1.5-beta14
2506 * Fixed build problem with ./configure --disable-ssl
2507 that was reported on Debian woody.
2508 * Fixed bug where --redirect-gateway could not be used
2509 together with --resolv-retry.
2511 2003.11.03 -- Version 1.5-beta13
2513 * Added CRL (certificate revocation list) capability using
2514 --crl-verify option (Stefano Bracalenti).
2515 * Added --replay-window option for variable replay-protection
2517 * Fixed --fragment bug which might have caused certain large
2518 packets to be sent unfragmented.
2519 * Modified --secret and --tls-auth to permit different cipher and
2520 HMAC keys to be used for each data flow direction. Also
2521 increased static key file size generated by --genkey from
2522 1024 to 2048 bits, where 512 bits each are reserved for
2523 send-HMAC, encrypt, receive-HMAC, and decrypt. Key file forward
2524 and backward compatibility is maintained. See --secret option
2525 documentation on the man page for more info.
2526 * Added --tls-remote option (Teemu Kiviniemi).
2527 * Fixed --tls-cipher documention regarding correct delimiter
2528 usage (Teemu Kiviniemi).
2529 * Added --key-method option for selecting alternative data
2530 channel key negotiation methods. Method 1 is the default.
2531 Method 2 has been added (see man page for more info).
2532 * Added French translation of HOWTO to web site
2533 (Guillaume Lehmann).
2534 * Fixed problem caused by late resolver library load on
2535 certain platforms when --resolv-retry and --chroot are
2536 used together (Teemu Kiviniemi).
2537 * In TCP mode, all decryption or TLS errors will abort the current
2538 connection (this is not done in UDP mode because UDP is
2540 * Fixed a TCP client reconnect bug that only occurs on the
2541 BSDs, where connect() fails with an invalid argument. This
2542 bug was partially (but not completely) fixed in beta7.
2543 * Added "route_net_gateway" environmental variable which contains
2544 the pre-existing default gateway address from the routing table
2545 (there's no standard API for getting the default gateway, so
2546 right now this feature only works on Windows or Linux).
2547 * Renamed the "route_default_gateway" enviromental variable to
2548 "route_vpn_gateway" -- this is the remote VPN endpoint.
2549 * The special keywords vpn_gateway, net_gateway, and remote_host
2550 can now be used for the network or gateway components of the
2551 --route option. See the man page for more info.
2552 * Added the --redirect-gateway option to configure the VPN
2553 as the default gateway (implemented on Linux and Windows only).
2554 * Added the --http-proxy option with basic authentication
2555 support for use in TCP client mode. Successfully tested
2556 using Squid as the HTTP proxy, with and without authentication.
2558 2003.10.12 -- Version 1.5-beta12
2560 * Fixed Linux-only bug in --mktun and --rmtun which was
2561 introduced around beta8 or so, which would cause
2562 an error such as "I don't recognize device tun0 as a
2563 tun or tap device1".
2564 * Added --ifconfig-nowarn option to disable options
2565 consistency warnings about --ifconfig parameters.
2566 * Don't allow any kind of sequence number backtracking or
2567 message reordering when in TCP mode.
2568 * Changed beta naming convention to use '_' (underscore)
2569 rather than '-' (dash) to pacify rpmbuild.
2571 2003.10.08 -- Version 1.5-beta11
2573 * Modified code in the Windows version which sets the IP address
2574 and netmask of the TAP-Win32 adapter using the IP Helper API.
2575 Most of the changes involve better error recovery when
2576 the IP Helper API returns an error status. See the
2577 manual page entry on --ip-win32 for more info.
2579 2003.10.08 -- Version 1.5-beta10
2581 * Added getpass() function for Windows version so that --askpass
2582 option works correctly (Stefano Bracalenti).
2583 * Added reboot advisory to end of Win32 install script.
2584 * Changed crypto code to use pseudo-random IVs rather than
2585 carrying forward the IV state from the previous packet.
2586 This is in response to item 2 in the following document:
2587 http://www.openssl.org/~bodo/tls-cbc.txt which points
2588 out weaknesses in TLS's use of the same IV carryforward
2589 approach. This change does not break protocol compatibility
2590 with previous versions of OpenVPN.
2591 * Made a change to the crypto replay protection code to also
2592 protect against certain kinds of packet reordering attacks.
2593 This change does not break protocol compatibility with
2594 previous versions of OpenVPN.
2595 * Added --ip-win32 option to provide several choices for
2596 setting the IP address on the TAP-Win32 adapter.
2597 * #ifdefed out non-CBC crypto modes by default.
2598 * Added --up-delay option to delay TUN/TAP open and --up script
2599 execution until after connection establishment. This option
2600 replaces the earlier windows-only option --tap-delay.
2602 2003.10.01 -- Version 1.5-beta9
2604 * Fixed --route-noexec bug where option was not parsed correctly.
2605 * Complain if --dev tun is specified without --ifconfig on Windows.
2606 * Fixed bug where TCP connections on windows would sometimes cause
2607 an assertion failure.
2608 * Added a new flag to TAP-Win32 advanced properties that allows one
2609 to set the adapter to be always "connected" even when an OpenVPN
2610 process doesn't have it open. The default behavior is to report
2611 a media status of connected only when an OpenVPN process has the
2613 * Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c
2614 DLLs in response to an OpenSSL security advisory.
2616 2003.09.30 -- Version 1.5-beta8
2618 * Extended the --ifconfig option to work on tap devices as well
2620 * Implemented the --ifconfig option for Windows, by calling the
2622 * By default, do an "arp -d *" on Windows after TAP-Win32 open to
2623 refresh the MAC cache. This behaviour can be disabled with
2625 * On Windows, allow the --dev-node parameter (which specifies
2626 the name of the TAP-Win32 adapter) to be omitted in cases where
2627 there is a single TAP-Win32 adapter on the system which can be
2628 assumed to be the default.
2629 * Modified the diagnostic --verb 5 debugging level to print 'R'
2630 for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read,
2631 and 'w' for TUN/TAP write.
2632 * Conditionalize OpenBSD read_tun and write_tun based on tun or tap
2634 * Added IPv6 tun support to OpenBSD (Thomas Glanzmann).
2635 * Make the --enable-mtu-dynamic ./configure option enabled by
2637 * Deprecated the --mtu-dynamic run-time option, in favor of
2639 * DNS names can now be used as --ifconfig parameters.
2640 * Significant work on TAP-Win32 driver to bring up to SMP standards.
2641 * On Windows, fixed dangling IRP problem if TAP-Win32 driver is
2642 unloaded or disabled, while a user-space process has it open.
2643 * On Windows, if --tun-mtu is not specified, it will be read from
2644 the TAP-Win32 driver via ioctl.
2645 * On Windows, added TAP-Win32 driver status info to "F2" keyboard
2646 signal (only when run from a console window).
2647 * Added --mssfix option to control TCP MSS size (YANO Hirokuni).
2648 * Renamed --mtu-dynamic option to --fragment to more accurately
2649 reflect its function. Fragment accepts a single parameter which
2650 is the upper limit on acceptable UDP packet size.
2651 * Changed default --tun-mtu-extra parameter to 32 from 64.
2652 * Eliminated reference to malloc.o in configure.ac.
2653 * Added tun device emulation to the TAP-Win32 driver.
2654 * Added --route and related options.
2655 * Added init script for SuSE Linux (Frank Plohmann).
2656 * Extended option consistency check between peers to function
2657 in all crypto modes, including static-key and cleartext modes.
2658 Previously only TLS mode was supported. Disable with
2660 * Overall, increased the amount of configuration option sanity
2661 checking, especially of networking parameters.
2662 * Added --mtu-test option for empirical MTU measurement.
2663 * Added Windows-only option --tap-delay to not set the TAP-Win32
2664 adapter media state to 'connected' until TCP/UDP connection
2665 establishment with peer.
2666 * Slightly modified --route/--route-delay semantics so that when
2667 --route is given without --route-delay, routes are added
2668 immediately after tun/tap device open. When --route-delay is
2669 specified, routes will be added n seconds after connection
2670 initiation, where n is the --route-delay parameter (which
2672 * Made TCP framing error into a non-fatal error that triggers a
2675 2003.08.28 -- Version 1.5-beta7
2677 * Fixed bug that caused OpenVPN not to respond to exit/restart
2678 signals when --resolv-retry is used and a local or remote DNS
2679 name cannot be resolved.
2680 * Exported a series of environmental variables with useful
2681 info for scripts. See man page for more info. Based
2682 on a suggestion by Anthony Ciaravalo.
2683 * Moved TCP/UDP socket bind to a point in the initialization
2684 before the --up script gets called. This is desirable
2685 because (a) a socket bind failure will happen before
2686 daemonization, allowing an error status code to be returned
2687 to the shell and (b) the possibility is eliminated of a
2688 socket bind failure causing the --up script to be run
2689 but not the --down script. This change has a side effect
2690 that --resolv-retry will no longer work with --local.
2691 * Fixed bug where if an OpenVPN TCP server went down and back
2692 up again, Solaris or FreeBSD clients would fail to reconnect
2694 * Fixed bug that prevented OpenVPN from being run by
2695 inetd/xinetd in TCP mode.
2696 * Added --log and --log-append options for logging messages to
2698 * On Windows, check that the current user is a member of the
2699 Administrator group before attempting install or uninstall.
2701 2003.08.16 -- Version 1.5-beta6
2703 * Fixed TAP-Win32 driver to properly increment the Rx/Tx count.
2705 2003.08.14 -- Version 1.5-beta5
2707 * Added user-configurability of the TAP-Win32 adapter MTU
2708 through the adapter advanced properties page.
2709 * Added Windows Service support.
2710 * On Windows, added file association and right-clickability
2711 for .ovpn files (OpenVPN config files).
2713 2003.08.05 -- Version 1.5-beta4
2715 * Extra refinements and error checking added to Windows
2716 NSIS install script.
2718 2003.08.05 -- Version 1.5-beta3
2720 * Added md5.h include to crypto.c to fix build problem on
2722 * Created a Win32 installer using NSIS.
2723 * Removed DelService command from TAP-Win32 INF file. It appears
2724 to be not necessary and it interfered with the ability to
2725 uninstall and reinstall the driver without needing to reboot.
2726 * On Windows version, added "addtap" and "deltapall" batch
2727 files to add and delete TAP-Win32 adapter instances.
2729 2003.07.31 -- Version 1.5-beta2
2731 * Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted
2732 in Windows ASCII so it's easier to click and view.
2733 * Added postscript and PDF versions of the HOWTO to the web
2735 * Merged Michael Clarke's stability patch into TAP-Win32
2736 driver which appears to fix the suspend/resume driver bug
2737 and significantly improve driver stability.
2738 * Added Christof Meerwald's Media Status patch to the
2739 TAP-Win32 driver which shows the TAP adapter to be
2740 disconnected when OpenVPN is not running.
2741 * Moved socket connect and TCP server listen code to a later
2742 point in openvpn() function so that the TCP server listen
2743 state is entered after daemonization.
2744 * Added keyboard shortcuts to simulate signals in the Windows
2745 version, see the window title bar for descriptions.
2747 2003.07.24 -- Version 1.5-beta1
2749 * Added TCP support via the new --proto option.
2750 * Renamed udp-centric options such as --udp-mtu to
2751 --link-mtu (old option names preserved for compatibility).
2752 * Ported to Windows 2000 + XP using mingw and a TAP driver
2753 derived from the Cipe-Win32 project by Damion K. Wilson.
2754 * Added --show-adapters flag for windows version.
2755 * Reworked the SSL/TLS packet acknowledge code to better
2756 handle certain corner cases.
2757 * Turned off the default enabling of IP forwarding in the
2758 sample-scripts/openvpn.init script for Redhat.
2759 Forwarding can be enabled by users in their --up scripts
2761 * Added --up-restart option based on suggestion from Sean
2763 * If --dev tap or --dev-type tap is specified, --tun-mtu
2764 defaults to 1500 and --tun-mtu-extra defaults to 64.
2765 * Enabled --verb 5 debugging mode that prints 'R' and 'W'
2766 for each packet read or write on the TCP/UDP socket.
2768 2003.08.04 -- Version 1.4.3
2770 * Added md5.h include to crypto.c
2771 to fix build problem on OpenBSD.
2773 2003.07.15 -- Version 1.4.2
2775 * Removed adaptive bandwidth from
2776 --mtu-dynamic -- its absence appears
2777 to work better than its existence (1.4.1.2).
2778 * Minor changes to --shaper to fix long
2779 retransmit timeouts at low bandwidth
2781 * Added LOG_RW flag to openvpn.h for
2782 debugging (1.4.1.2).
2783 * Silenced spurious configure warnings (1.4.1.2).
2784 * Backed out --dev-name patch, modified --dev
2785 to offer equivalent functionality (1.4.1.4).
2786 * Added an optional parameter to --daemon and
2787 --inetd to support the passing of a custom
2788 program name to the system logger (1.4.1.5).
2789 * Add compiled-in options to the program title
2791 * Coded the beginnings of a WIN32 port (1.4.1.5).
2792 * Succeeded in porting to Win32 Mingw environment
2793 and running loopback tests (1.4.1.6). Still
2794 need a kernel driver for full Win32
2796 * Fixed a bug in error.h where
2797 HAVE_CPP_VARARG_MACRO_GCC was misspelled.
2798 This would have caused a significant slowdown
2799 of OpenVPN when built by compilers that
2800 lack ISO C99 vararg macros (1.4.1.6).
2801 * Created an init script for Gentoo Linux
2802 in ./gentoo directory (1.4.1.6).
2804 2003.05.15 -- Version 1.4.1
2806 * Modified the Linux 2.4 TUN/TAP open code to
2807 fall back to the 2.2 TUN/TAP interface if the
2808 open or ioctl fails.
2809 * Fixed bug when --verb is set to 0 and non-fatal
2810 socket errors occur, causing 100% CPU utilization.
2811 Occurs on platorms where
2812 EXTENDED_SOCKET_ERROR_CAPABILITY is defined,
2814 * Fixed typo in tun.c that was preventing
2816 * Added --enable-mtu-dynamic configure option
2817 to enable --mtu-dynamic experimental option.
2819 2003.05.07 -- Version 1.4.0
2821 * Added --replay-persist feature to allow replay
2822 protection across sessions.
2823 * Fixed bug where --ifconfig could not be used
2825 * Added --tun-mtu-extra parameter to deal with
2826 the situation where a read on a TUN/TAP device
2827 returns more data than the device's MTU size.
2828 * Fixed bug where some IPv6 support code for
2829 Linux was not being properly ifdefed out for
2830 Linux 2.2, causing compile errors.
2831 * Added OPENVPN_EXIT_STATUS_x codes to
2832 openvpn.h to control which status value
2833 openvpn returns to its caller (such as
2834 a shell or inetd/xinetd) for various conditions.
2835 * Added OPENVPN_DEBUG_COMMAND_LINE flag to
2836 openvpn.h to allow debugging in situations
2837 where stdout, stderr, and syslog cannot be used
2838 for message output, such as when OpenVPN is
2839 instantiated by inetd/xinetd.
2840 * Removed owner-execute permission from file
2841 created by static key generator (Herbert Xu
2842 and Alberto Gonzalez Iniesta).
2843 * Added --passtos option to allow IPv4 TOS bits
2844 to be passed from TUN/TAP input packets to
2845 the outgoing UDP socket (Craig Knox).
2846 * Added code to prevent open socket file descriptors
2847 from being accessible to called scripts.
2848 * Added --dev-name option (Christian Lademann).
2849 * Added --mtu-disc option for manual control
2851 * Show OS MTU value on UDP socket write failures
2853 * Numerous build system and portability
2854 fixes (Matthias Andree).
2855 * Added better sensing of compiler support for
2856 variable argument macros, including (a) gcc
2857 style, (b) ISO C 1999 style, and (c) no support.
2858 * Removed generated files from CVS. Note INSTALL
2859 file for new CVS build commands.
2860 * Changed certain internal symbol names
2861 for C standards compliance.
2862 * Added TUN/TAP open code to cycle dynamically
2863 through unit numbers until it finds a free
2864 unit (based on code from Thomas Gielfeldt
2866 * Added dynamic MTU and fragmenting infrastructure
2867 (Experimental). Rebuild with FRAGMENT_ENABLE
2869 * Minor changes to SSL/TLS negotiation, use
2870 exponential backoff on retransmits, and use
2871 a smaller MTU size (note that no protocol
2872 changes have been made which would break
2873 compatibility with 1.3.x).
2874 * Added --enable-strict-options flag
2875 to ./configure. This option will cause
2876 a more strict check for options compatibility
2877 between peers when SSL/TLS negotiation is used,
2878 but should only be used when both OpenVPN peers
2879 are of the same version.
2880 * Reorganization of debugging levels.
2881 * Added a workaround in configure.ac for
2882 default SSL header location on Linux
2883 to fix RH9 build problem.
2884 * Fixed potential deadlock when pthread support
2885 is used on OSes that allocate a small socketpair()
2887 * Fixed openvpn.init to be sh compliant
2889 * Changed --daemon to wait until all
2890 initialization is finished before becoming a
2891 daemon, for the benefit of initialization
2892 scripts that want a useful return status from
2893 the openvpn command.
2894 * Made openvpn.init script more robust, including
2895 positive indication of initialization errors
2896 in the openvpn daemon and better sanity checks.
2897 * Changed --chroot to wait until initialization
2898 is finished before calling chroot(), and allow
2899 the use of --user and --group with --chroot.
2900 * When syslog logging is enabled (--daemon or
2901 --inetd), set stdin/stdout/stderr to point
2903 * For inetd instantiations, dup socket descriptor
2905 * Fixed bug in verify-cn script, where test would
2906 incorrectly fail if CN=x was the last component
2907 of the X509 composite string (Anonymous).
2908 * Added Markus F.X.J. Oberhumer's special
2909 license exception to COPYING.
2911 2002.10.23 -- Version 1.3.2
2913 * Added SSL_CTX_set_client_CA_list call
2914 to follow the canonical form for TLS initialization
2915 recommended by the OpenSSL docs. This change allows
2916 better support for intermediate CAs and has no impact
2918 * Added build-inter script to easy-rsa package, to
2919 facilitate the generation of intermediate CAs.
2920 * Ported to NetBSD (Dimitri Goldin).
2921 * Fixed minor bug in easy-rsa/sign-req. It refers to
2922 openssl.cnf file, instead of $KEY_CONFIG, like all
2923 other scripts (Ernesto Baschny).
2924 * Added --days 3650 to the root CA generation command
2925 in the HOWTO to override the woefully small 30 day
2926 default (Dominik 'Aeneas' Schnitzer).
2927 * Fixed bug where --ping-restart would sometimes
2928 not re-resolve remote DNS hostname.
2929 * Added --tun-ipv6 option and related infrastructure
2930 support for IPv6 over tun.
2931 * Added IPv6 over tun support for Linux (Aaron Sethman).
2932 * Added FreeBSD 4.1.1+ TUN/TAP driver notes to
2933 INSTALL (Matthias Andree).
2934 * Added inetd/xinetd support (--inetd) including
2935 documentation in the HOWTO.
2936 * Added "Important Note on the use of commercial certificate
2937 authorities (CAs) with OpenVPN" to HOWTO based on
2938 issues raised on the openvpn-users list.
2940 2002.07.10 -- Version 1.3.1
2942 * Fixed bug in openvpn.spec and openvpn.init
2943 which caused RPM upgrade to fail.
2945 2002.07.10 -- Version 1.3.0
2947 * Added --dev-node option to allow explicit selection of
2948 tun/tap device node.
2949 * Removed mlockall call from child thread, as it doesn't
2950 appear to be necessary (child thread inherits mlockall
2952 * Added --ping-timer-rem which causes timer for --ping-exit
2953 and --ping-restart not to run unless we have a remote IP
2955 * Added condrestart to openvpn.init and openvpn.spec
2957 * Added --ifconfig case for FreeBSD (Matthias Andree).
2958 * Call openlog with facility=LOG_DAEMON (Matthias Andree).
2959 * Changed LOG_INFO messages to LOG_NOTICE.
2960 * Added warning when key files are group/others accessible.
2961 * Added --single-session flag for TLS mode.
2962 * Fixed bug where --writepid would segfault if used with
2963 an invalid filename.
2964 * Fixed bug where --ipchange status message was formatted
2966 * Print more concise error message when system() call
2968 * Added --disable-occ option.
2969 * Added --local, --remote, and --ifconfig options sanity
2971 * Changed default UDP MTU to 1300 and TUN/TAP MTU to
2973 * Successfully tested with OpenSSL 0.9.7 Beta 2.
2974 * Broke out debug level definitions to errlevel.h
2975 * Minor documentation and web site changes.
2976 * All changes maintain protocol compatibility
2977 with OpenVPN versions since 1.1.0, however default
2978 MTU changes will require setting the MTU explicitly
2979 by command line option, if you want 1.3.0 to
2980 communicate with previous versions.
2982 2002.06.12 -- Version 1.2.1
2984 * Added --ping-restart option to restart
2985 connection on ping timeout using SIGUSR1
2986 logic (Matthias Andree).
2987 * Added --persist-tun, --persist-key,
2988 --persist-local-ip, and --persist-remote-ip
2989 options for finer-grained control over SIGUSR1
2990 and --ping-restart restarts. To
2991 replicate previous SIGUSR1 functionality,
2992 use --persist-remote-ip.
2993 * Changed residual IV fetching code to take
2994 IV from tail of ciphertext.
2995 * Added check to make sure that CFB or OFB
2996 cipher modes are only used with SSL/TLS
2997 authentication mode, and added a caveat
2999 * Changed signal handling during initialization
3000 (including re-initialization during restarts)
3001 to exit on SIGTERM or SIGINT and ignore other
3002 signals which would ordinarily be caught.
3003 * Added --resolv-retry option to allow
3004 retries on hostname resolution.
3005 * Expanded the --float option to also
3006 allow dynamic changes in source port number
3007 on incoming datagrams.
3008 * Added --mute option to limit repetitive
3009 logging of similar message types.
3010 * Added --group option to downgrade GID
3011 after initialization.
3012 * Try to set ifconfig path automatically
3014 * Added --ifconfig code for Mac OS X
3015 (Christoph Pfisterer).
3016 * Moved "Peer Connection Initiated" message
3018 * Successfully tested with
3019 OpenSSL 0.9.7 Beta 1 and AES cipher.
3020 * Added RPM notes to INSTALL.
3021 * Added ACX_PTHREAD (from the autoconf
3022 macro archive) to configure.ac
3023 to figure out the right pthread
3024 options for a given platform.
3025 * Broke out macro definitions from
3026 configure.ac to acinclude.m4.
3027 * Minor changes to docs and HOWTO.
3028 * All changes maintain protocol compatibility
3029 with OpenVPN versions since 1.1.0.
3031 2002.05.22 -- Version 1.2.0
3033 * Added configuration file support via
3034 the --config option.
3035 * Added pthread support to improve latency.
3036 With pthread support, OpenVPN
3037 will offload CPU-intensive tasks such as RSA
3038 key number crunching to a background thread
3039 to improve tunnel packet forwarding
3040 latency. pthread support can be enabled
3041 with the --enable-pthread configure option.
3042 Pthread support is currently available
3043 only for Linux and Solaris.
3044 * Added --dev-type option so that tun/tap
3045 device names don't need to begin with
3047 * Added --writepid option to write main
3048 process ID to a file.
3049 * Numerous portability fixes to ease
3050 porting to other OSes including changing
3051 all network types to uint8_t and uint32_t,
3052 and not assuming that time_t is 32 bits.
3053 * Backported to OpenSSL 0.9.5.
3054 * Ported to Solaris.
3055 * Finished OpenBSD port except for
3057 * Added initialization script:
3058 sample-scripts/openvpn.init
3060 * Ported to Mac OS X (Christoph Pfisterer).
3061 * Improved resilience to DoS attacks when
3062 TLS mode is used without --remote or
3063 --tls-auth, or when --float is used
3064 with --remote. Note however that the best
3065 defense against DoS attacks in TLS mode
3066 is to use --tls-auth.
3067 * Eliminated automake/autoconf dependency
3069 * Ported configure.in to configure.ac
3071 * SIGHUP signal now causes OpenVPN to restart
3072 and re-read command line and or config file,
3073 in conformance with canonical daemon behaviour.
3074 * SIGUSR1 now does what SIGHUP did in
3075 version 1.1.1 and earlier -- close and reopen
3076 the UDP socket for use when DHCP changes
3077 host's IP address and preserve most recently
3078 authenticated peer address without rereading
3080 * SIGUSR2 added -- outputs current statistics,
3081 including compression statistics.
3082 * All changes maintain protocol compatibility
3083 with 1.1.1 and 1.1.0.
3085 2002.04.22 -- Version 1.1.1
3087 * Added --ifconfig option to automatically configure
3089 * Added inactivity disconnect (--inactive
3090 and --ping-exit options).
3091 * Added --ping option to keep stateful firewalls
3093 * Added sanity check to command line parser to
3094 err if any TLS options are used in non-TLS mode.
3095 * Fixed build problem with compiler environments that
3096 define printf as a macro.
3097 * Fixed build problem on linux systems that have
3098 an integrated TUN/TAP driver but lack the persistent
3099 tunnel feature (TUNSETPERSIST). Some linux kernels
3100 >= 2.4.0 and < 2.4.7 fall into this category.
3101 * Changed all calls to EVP_CipherInit to use explicit
3102 encrypt/decrypt mode in order to fix problem with
3103 IDEA-CBC and AES-256-CBC ciphers.
3104 * Minor changes to control channel transmit limiter
3105 algorithm to fix problem where TLS control channel
3106 might not renegotiate within the default 60 second window.
3107 * Simplified man page examples by taking advantage
3108 of the new --ifconfig option.
3109 * Minor changes to configure.in to check more
3110 rigourously for OpenSSL 0.9.6 or greater.
3111 * Put back openvpn.spec, eliminated
3113 * Modified openvpn.spec to reflect new automake-based
3114 build environment (Bishop Clark).
3115 * Other documentation changes.
3116 * Added --test-crypto option for debugging.
3117 * Added "missing" and "mkinstalldirs" automake
3121 2002.04.09 -- Version 1.1.0
3123 * Strengthened replay protection and IV handling,
3124 extending it fully to both static key and
3125 TLS dynamic key exchange modes.
3126 * Added --mlock option to disable paging and ensure that key
3127 material and tunnel data is never paged to disk.
3128 * Added optional traffic shaping feature to cap the maximum
3129 data rate of the tunnel.
3130 * Converted to automake (The Platypus Brothers 2002-04-01).
3131 * Ported to OpenBSD by Janne Johansson.
3132 * Added --tun-af-inet option to work around an incompatibility
3133 between Linux and BSD tun drivers.
3134 * Sequence number-based replay protection using the
3135 IPSec sliding window model is now the default,
3136 disable with --no-replay.
3137 * Explicit IV is now the default, disable with --no-iv.
3138 * Disabled all cipher modes except CBC, CFB, and OFB.
3139 * In CBC mode, use explicit IV and carry forward residuals,
3141 * In CFB/OFB mode, IV is timestamp, sequence number.
3142 * Eliminated --packet-id, --timestamp, and max-delta parameter to
3143 the --tls-auth option as they are now supplanted by improved
3144 replay code which is enabled by default.
3145 * Eliminated --rand-iv as it is now obsolete with improved
3147 * Eliminated --reneg-err option as it increases vulnerability
3149 * Added weak key check for DES ciphers.
3150 * --tls-freq option is no longer specified on the command line,
3151 instead it now inherits its parameter from the
3152 --tls-timeout option.
3153 * Fixed bug that would try to free memory on exit that was
3154 never malloced if --comp-lzo was not specified.
3155 * Errata fixed in the man page examples: "test-ca" should be
3157 * Updated manual page.
3158 * Preliminary work in porting to OpenSSL 0.9.7.
3159 * Changed license to allowing linking with OpenSSL.
3161 2002.03.29 -- Version 1.0.3
3163 * Fixed a problem in configure with library ordering on the
3166 2002.03.28 -- Version 1.0.2
3168 * Improved the efficiency of the inner event loop.
3169 * Fixed a minor bug with timeout handling.
3170 * Improved the build system to build on RH 6.2 through 7.2.
3171 * Added an openvpn.spec file for RPM builders (Bishop Clark).
3173 2002.03.23 -- Version 1.0
3175 * Added TLS-based authentication and key exchange.
3176 * Added gremlin mode to stress test.
3179 2001.12.26 -- Version 0.91
3181 * Added any choice of cipher or HMAC digest.
3183 2001.5.13 -- Version 0.90
3186 * IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature.