2 Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>
4 2009.05.30 -- Version 2.1_rc17
6 * Reduce the debug level (--verb) at which received management interface
7 commands are echoed from 7 to 3. Passwords will be filtered.
9 * Fixed race condition in management interface recv code on
10 Windows, where sending a set of several commands to the
11 management interface in quick succession might cause the
12 latter commands in the set to be ignored.
14 * Increased management interface input command buffer size
15 from 256 to 1024 bytes.
17 * Minor tweaks to Windows build system.
19 * Added "redirect-private" option which allows private subnets
20 to be pushed to the client in such a way that they don't accidently
21 obscure critical local addresses such as the DHCP server address and
24 * Added new 'autolocal' redirect-gateway flag. When enabled, the OpenVPN
25 client will examine the routing table and determine whether (a) the
26 OpenVPN server is reachable via a locally connected interface, or (b)
27 traffic to the server must be forwarded through the default router.
28 Only add a special bypass route for the OpenVPN server if (b) is true.
29 If (a) is true, behave as if the 'local' flag is specified, and do not
32 The new 'autolocal' flag depends on the non-portable test_local_addr()
33 function in route.c, which is currently only implemented for Windows.
34 The 'autolocal' flag will act as a no-op on platforms that have not
35 yet defined a test_local_addr() function.
37 * Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for
38 more option content to be pushed from server to client).
40 * Raised D_MULTI_DROPPED debug level to 4 from 3 to filter out (at debug
41 levels <=3) a common and usually innocuous warning.
43 * Fixed issue of symbol conflicts interfering with Windows CryptoAPI
44 functionality (Alon Bar-Lev).
46 * Fixed bug where the remote_X environmental variables were not being
47 set correctly when the 'local' option is specifed.
49 2009.05.17 -- Version 2.1_rc16
51 * Windows installer changes:
53 1. ifdefed out the check Windows version code which is causing
56 2. don't define SF_SELECTED if it is already defined
58 3. Use LZMA instead of BZIP2 compression for better compression
60 4. Upgraded OpenSSL to 0.9.8k
62 * Added the ability to read the configuration file
63 from stdin, when "stdin" is given as the config
66 * Allow "management-client" directive to be used
67 with unix domain sockets.
69 * Added errors-to-stderr option. When enabled, fatal errors
70 that result in the termination of the daemon will be written
73 * Added optional "nogw" (no gateway) flag to --server-bridge
74 to inhibit the pushing of the route-gateway parameter to
77 * Added new management interface command "pid" to show the
78 process ID of the current OpenVPN process (Angelo Laub).
80 * Fixed issue where SIGUSR1 restarts would fail if private
81 key was specified as an inline file.
83 * Added daemon_start_time and daemon_pid environmental variables.
85 * In management interface, added new ">CLIENT:ESTABLISHED" notification.
89 1. Fixed some issues with C++ style comments that leaked into the code.
91 2. Updated configure.ac to work on MinGW64.
93 3. Updated common.h types for _WIN64.
95 4. Fixed issue involving an #ifdef in a macro reference that breaks early gcc
98 5. In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to
99 OpenVPNCryptAcquireCertificatePrivateKey to work around
100 a symbol conflict in MinGW-5.1.4.
102 2008.11.19 -- Version 2.1_rc15
104 * Fixed issue introduced in 2.1_rc14 that may cause a
105 segfault when a --plugin module is used.
107 * Added server-side --opt-verify option: clients that connect
108 with options that are incompatible with those of the server
109 will be disconnected (without this option, incompatible
110 clients would trigger a warning message in the server log
111 but would not be disconnected).
113 * Added --tcp-nodelay option: Macro that sets TCP_NODELAY socket
114 flag on the server as well as pushes it to connecting clients.
116 * Minor options check fix: --no-name-remapping is a
117 server-only option and should therefore generate an
118 error when used on the client.
120 * Added --prng option to control PRNG (pseudo-random
121 number generator) parameters. In previous OpenVPN
122 versions, the PRNG was hardcoded to use the SHA1
123 hash. Now any OpenSSL hash may be used. This is
124 part of an effort to remove hardcoded references to
125 a specific cipher or cryptographic hash algorithm.
127 * Cleaned up man page synopsis.
129 2008.11.16 -- Version 2.1_rc14
131 * Added AC_GNU_SOURCE to configure.ac to enable struct ucred,
132 with the goal of fixing a build issue on Fedora 9 that was
133 introduced in 2.1_rc13.
135 * Added additional method parameter to --script-security to preserve
136 backward compatibility with system() call semantics used in OpenVPN
137 2.1_rc8 and earlier. To preserve backward compatibility use:
139 script-security 3 system
141 * Added additional warning messages about --script-security 2
142 or higher being required to execute user-defined scripts or
145 * Windows build system changes:
147 Modified Windows domake-win build system to write all openvpn.nsi
148 input files to gen, so that gen can be disconnected from
149 the rest of the source tree and makensis openvpn.nsi will
150 still function correctly.
152 Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in
153 (commented out by default).
155 Added optional files SAMPCONF_CONF2 (second sample configuration
156 file) and SAMPCONF_DH (Diffie-Helman parameters) to Windows
157 build system, and may be defined in settings.in.
159 * Extended Management Interface "bytecount" command
160 to work when OpenVPN is running as a server.
161 Documented Management Interface "bytecount" command in
162 management/management-notes.txt.
164 * Fixed informational message in ssl.c to properly indicate
165 deferred authentication.
167 * Added server-side --auth-user-pass-optional directive, to allow
168 connections by clients that do not specify a username/password, when a
169 user-defined authentication script/module is in place (via
170 --auth-user-pass-verify, --management-client-auth, or a plugin module).
172 * Changes to easy-rsa/2.0/pkitool and related openssl.cnf:
174 Calling scripts can set the KEY_NAME environmental variable to set
175 the "name" X509 subject field in generated certificates.
177 Modified pkitool to allow flexibility in separating the Common Name
178 convention from the cert/key filename convention.
182 KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james
184 will create a client certificate/key pair of james.crt/james.key
185 having a Common Name of "James's Laptop" and a Name of "james".
187 * Added --no-name-remapping option to allow Common Name, X509 Subject,
188 and username strings to include any printable character including
189 space, but excluding control characters such as tab, newline, and
190 carriage-return (this is important for compatibility with external
191 authentication systems).
193 As a related change, added --status-version 3 format (and "status 3"
194 in the management interface) which uses the version 2 format except
195 that tabs are used as delimiters instead of commas so that there
196 is no ambiguity when parsing a Common Name that contains a comma.
198 Also, save X509 Subject fields to environment, using the naming
201 X509_{cert_depth}_{name}={value}
203 This is to avoid ambiguities when parsing out the X509 subject string
204 since "/" characters could potentially be used in the common name.
206 * Fixed some ifconfig-pool issues that precluded it from being combined
207 with --server directive.
209 Now, for example, we can configure thusly:
211 server 10.8.0.0 255.255.255.0 nopool
212 ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0
214 to have ifconfig-pool manage only a subset
217 * Added config file option "setenv FORWARD_COMPATIBLE 1" to relax
218 config file syntax checking to allow directives for future OpenVPN
219 versions to be ignored.
221 2008.10.07 -- Version 2.1_rc13
223 * Bundled OpenSSL 0.9.8i with Windows installer.
225 * Management interface can now listen on a unix
226 domain socket, for example:
228 management /tmp/openvpn unix
230 Also added management-client-user and management-client-group
231 directives to control which processes are allowed to connect
234 * Copyright change to OpenVPN Technologies, Inc.
236 2008.09.23 -- Version 2.1_rc12
238 * Patched Makefile.am so that the new t_cltsrv-down.sh script becomes
239 part of the tarball (Matthias Andree).
241 * Fixed --lladdr bug introduced in 2.1-rc9 where input validation code
242 was incorrectly expecting the lladdr parameter to be an IP address
243 when it is actually a MAC address (HoverHell).
245 2008.09.14 -- Version 2.1_rc11
247 * Fixed a bug that can cause SSL/TLS negotiations in UDP mode
248 to fail if UDP packets are dropped.
250 2008.09.10 -- Version 2.1_rc10
252 * Added "--server-bridge" (without parameters) to enable
253 DHCP proxy mode: Configure server mode for ethernet
254 bridging using a DHCP-proxy, where clients talk to the
255 OpenVPN server-side DHCP server to receive their IP address
256 allocation and DNS server addresses.
258 * Added "--route-gateway dhcp", to enable the extraction
259 of the gateway address from a DHCP negotiation with the
260 OpenVPN server-side LAN.
262 * Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dns
263 on Windows. If the bypass IP address is 0.0.0.0 or 255.255.255.255,
266 * Warn when ethernet bridging that the IP address of the bridge adapter
267 is probably not the same address that the LAN adapter was set to
270 * When running as a server, warn if the LAN network address is
271 the all-popular 192.168.[0|1].x, since this condition commonly
272 leads to subnet conflicts down the road.
274 * Primarily on the client, check for subnet conflicts between
275 the local LAN and the VPN subnet.
277 * Added a 'netmask' parameter to get_default_gateway, to return
278 the netmask of the adapter containing the default gateway.
279 Only implemented on Windows so far. Other platforms will
280 return 255.255.255.0. Currently the netmask information is
281 only used to warn about subnet conflicts.
283 * Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO
284 and USE_SSL flags are enabled (Alon Bar-Lev).
286 * Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new
287 --script-security rules. Also adds retrying if the addresses are in
288 use (Matthias Andree).
290 * Fixed build issue with ./configure --disable-socks --disable-http.
292 * Fixed separate compile errors in options.c and ntlm.c that occur
293 on strict C compilers (such as old versions of gcc) that require
294 that C variable declarations occur at the start of a {} block,
297 * Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which
298 the new implementation of extract_x509_field_ssl depends on.
300 * LZO compression buffer overflow errors will now invalidate
301 the packet rather than trigger a fatal assertion.
303 * Fixed minor compile issue in ntlm.c (mid-block declaration).
305 * Added --allow-pull-fqdn option which allows client to pull DNS names
306 from server (rather than only IP address) for --ifconfig, --route, and
307 --route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names
308 for these options to be pulled and translated to IP addresses by default.
309 Now --allow-pull-fqdn will be explicitly required on the client to enable
310 DNS-name-to-IP-address translation of pulled options.
312 * 2.1_rc8 and earlier did implicit shell expansion on script
313 arguments since all scripts were called by system().
314 The security hardening changes made to 2.1_rc9 no longer
315 use system(), but rather use the safer execve or CreateProcess
316 system calls. The security hardening also introduced a
317 backward incompatibility with 2.1_rc8 and earlier in that
318 script parameters were no longer shell-expanded, so
321 client-connect "docc CLIENT-CONNECT"
323 would fail to work because execve would try to execute
324 a script called "docc CLIENT-CONNECT" instead of "docc"
325 with "CLIENT-CONNECT" as the first argument.
327 This patch fixes the issue, bringing the script argument
328 semantics back to pre 2.1_rc9 behavior in order to preserve
329 backward compatibility while still using execve or CreateProcess
330 to execute the script/executable.
332 * Modified ip_or_dns_addr_safe, which validates pulled DNS names,
333 to more closely conform to RFC 3696:
335 (1) DNS name length must not exceed 255 characters
337 (2) DNS name characters must be limited to alphanumeric,
338 dash ('-'), and dot ('.')
340 * Fixed bug in intra-session TLS key rollover that was introduced with
341 deferred authentication features in 2.1_rc8.
343 2008.07.31 -- Version 2.1_rc9
345 * Security Fix -- affects non-Windows OpenVPN clients running
346 OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT
347 vulnerable nor are any versions of the OpenVPN server vulnerable).
348 An OpenVPN client connecting to a malicious or compromised
349 server could potentially receive an "lladdr" or "iproute" configuration
350 directive from the server which could cause arbitrary code execution on
351 the client. A successful attack requires that (a) the client has agreed
352 to allow the server to push configuration directives to it by including
353 "pull" or the macro "client" in its configuration file, (b) the client
354 successfully authenticates the server, (c) the server is malicious or has
355 been compromised and is under the control of the attacker, and (d) the
356 client is running a non-Windows OS. Credit: David Wagner.
359 * Miscellaneous defensive programming changes to multiple
360 areas of the code. In particular, use of the system() call
361 for calling executables such as ifconfig, route, and
362 user-defined scripts has been completely revamped in favor
363 of execve() on unix and CreateProcess() on Windows.
365 * In Windows build, package a statically linked openssl.exe to work around
366 observed instabilities in the dynamic build since the migration to
369 2008.06.11 -- Version 2.1_rc8
371 * Added client authentication and packet filtering capability
372 to management interface. In addition, allow OpenVPN plugins
373 to take advantage of deferred authentication and packet
374 filtering capability.
376 * Added support for client-side connection profiles.
378 * Fixed unbounded memory growth bug in environmental variable
379 code that could have caused long-running OpenVPN sessions
380 with many TLS renegotiations to incrementally
381 increase memory usage over time.
383 * Windows release now packages openssl-0.9.8h.
385 * Build system changes -- allow building on Windows using
386 autoconf/automake scripts (Alon Bar-Lev).
388 * Changes to Windows build system to make it easier to do
389 partial builds, with a reduced set of prerequisites,
390 where only a subset of OpenVPN installer
391 components are built. See ./domake-win comments.
393 * Cleanup IP address for persistence interfaces for tap and also
394 using ifconfig, gentoo#209055 (Alon Bar-Lev).
396 * Fall back to old version of extract_x509_field for OpenSSL 0.9.6.
398 * Clarified tcp-queue-limit man page entry (Matti Linnanvuori).
400 * Added new OpenVPN icon and installer graphic.
402 * Minor pkitool changes.
404 * Added --pkcs11-id-management option, which will cause OpenVPN to
405 query the management interface via the new NEED-STR asynchronous
406 notification query to get additional PKCS#11 options (Alon Bar-Lev).
408 * Added NEED-STR management interface asynchronous query and
409 "needstr" management interface command to respond to the query
412 * Added Dragonfly BSD support (Francis-Gudin).
414 * Quote device names before passing to up/down script (Josh Cepek).
416 * Bracketed struct openvpn_pktinfo with #pragma pack(1) to
417 prevent structure padding from causing an incorrect length
418 to be returned by sizeof (struct openvpn_pktinfo) on 64-bit
421 * On systems that support res_init, always call it
422 before calling gethostbyname to ensure that
423 resolver configuration state is current.
425 * Added NTLMv2 proxy support (Miroslav Zajic).
427 * Fixed an issue in extract_x509_field_ssl where the extraction
428 would fail on the first field of the subject name, such as
429 the common name in: /CN=foo/emailAddress=foo@bar.com
431 * Made "Linux ip addr del failed" error nonfatal.
433 * Amplified --client-cert-not-required warning.
435 * Added #pragma pack to proto.h.
437 2008.01.29 -- Version 2.1_rc7
439 * Added a few extra files that exist in the svn repo but were
440 not being copied into the tarball by make dist.
442 * Fixup null interface on close, don't use ip addr flush (Alon Bar-Lev).
444 2008.01.24 -- Version 2.1_rc6
446 * Fixed options checking bug introduced in rc5 where legitimate configuration
447 files might elicit the error: "Options error: Parameter pkcs11_private_mode
448 can only be specified in TLS-mode, i.e. where --tls-server or --tls-client
451 2008.01.23 -- Version 2.1_rc5
453 * Fixed Win2K TAP driver bug that was introduced by Vista fixes,
454 incremented driver version to 9.4.
456 * Windows build system changes:
458 Incremented included OpenSSL version to openssl-0.9.7m.
460 Updated openssl.patch for openssl-0.9.7m and added some
461 brief usage comments to the head of the patch.
463 Added build-pkcs11-helper.sh for building the pkcs11-helper
466 Integrated inclusion of pkcs11-helper into Windows build
469 Upgraded TAP build scripts to use WDK 6001.17121
470 (Windows 2008 Server pre-RTM).
472 * Windows installer changes:
474 Clean up the start menu folder.
476 Allow for a site-specific sample configuration file and keys
477 to be included in a custom installer (see SAMPCONF macros
480 New icon (temporary).
482 * Added "forget-passwords" command to the management interface
485 * Added --management-signal option to signal SIGUSR1 when the
486 management interface disconnects (Alon Bar-Lev).
488 * Modified command line and config file parser to allow
489 quoted strings using single quotes ('') (Alon Bar-Lev).
491 * Use pkcs11-helper as external library, can be downloaded from
492 https://www.opensc-project.org/pkcs11-helper (Alon Bar-Lev).
494 * Fixed interim memory growth issue in TCP connect loop where
495 "TCP: connect to %s failed, will try again in %d seconds: %s"
498 * Fixed bug in epoll driver in event.c, where the lack of a
499 handler for EPOLLHUP could cause 99% CPU usage.
501 * Defined ALLOW_NON_CBC_CIPHERS for people who don't
502 want to use a CBC cipher for OpenVPN's data channel.
504 * Added PLUGIN_LIBDIR preprocessor string to prepend a default
505 plugin directory to the dlopen search list when the user
506 specifies the basename of the plugin only (Marius Tomaschewski).
508 * Rewrote extract_x509_field and modified COMMON_NAME_CHAR_CLASS
509 to allow forward slash characters ("/") in the X509 common name
512 * Allow OpenVPN to run completely unprivileged under Linux
513 by allowing openvpn --mktun to be used with --user and --group
514 to set the UID/GID of the tun device node. Also added --iproute
515 option to allow an alternative command to be executed in place
516 of the default iproute2 command (Alon Bar-Lev).
518 * Fixed --disable-iproute2 in ./configure to actually disable
519 iproute2 usage (Alon Bar-Lev).
521 * Added --management-forget-disconnect option -- forget
522 passwords when management session disconnects (Alon Bar-Lev).
524 2007.04.25 -- Version 2.1_rc4
526 * Worked out remaining issues with TAP driver signing
527 on Vista x64. OpenVPN will now run on Vista x64
528 with driver signing enforcement enabled.
530 * Fixed 64-bit portability bug in time_string function
533 2007.04.22 -- Version 2.1_rc3
535 * Additional fixes to TAP driver for Windows x64. Driver
536 now runs successfully on Vista x64 if driver signing
537 enforcement is disabled.
539 * The Windows Installer and TAP driver are now signed by
540 OpenVPN Solutions LLC (in addition to the usual GnuPG
543 * Added OpenVPN GUI (Mathias Sundman version) as install
544 option in Windows installer.
546 * Clean up configure on FreeBSD for recent autotool versions
547 that require that all .h files have to be compiled.
548 Also, FreeBSD install does not support GNU long options
549 which the Makefile in easy-rsa/2.0 uses (not checked the
550 others as we don't install those on Gentoo) (Roy Marples).
552 * Added additional scripts to easy-rsa/Windows for working
553 with password-protected keys; also add -extensions server
554 option when generating server cert via
555 build-key-server-pass.bat (Daniel Zauft).
557 2007.02.27 -- Version 2.1_rc2
559 * auth-pam change: link with -lpam rather
560 than dlopen (Roy Marples).
562 * Prevent SIGUSR1 or SIGHUP from causing program
563 exit from initial management hold.
565 * SO_REUSEADDR should not be set on Windows TCP sockets
566 because it will cause bind to succeed on port conflicts.
568 * Added time_ascii, time_duration, and time_unix
569 environmental variables for plugins and callback
572 * Fixed issue where OpenVPN does not apply the --txqueuelen option
573 to persistent interfaces made with --mktun (Roy Marples).
575 * Attempt at rational signal handling when in the
576 management hold state. During management hold, ignore
577 SIGUSR1/SIGHUP signals thrown with the "signal" command.
578 Also, "signal" command will now apply remapping as
579 specified with the --remap-usr1 option.
580 When a signal entered using the "signal" command from a management
581 hold is ignored, output: >HOLD:Waiting for hold release
583 * Fixed issue where struct env_set methods that
584 change the value of an existing name=value pair
585 would delay the freeing of the memory held by
586 the previous name=value pair until the underlying
587 client instance object is closed.
588 This could cause a server that handles long-term
589 client connections, resulting in many periodic calls
590 to verify_callback, to needlessly grow the env_set
591 memory allocation until the underlying client instance
594 * Renamed TAP-Win32 driver from tap0801.sys to tap0901.sys
595 to reflect the fact that Vista has blacklisted the tap0801.sys
596 file name due to previous compatibility issues which have now
597 been resolved. TAP-Win32 major/minor version number is now 9/1.
599 * Windows installer will delete a previously installed
600 tap0801.sys TAP driver before installing tap0901.sys.
602 * Added code to Windows installer to fail gracefully on 64 bit
603 installs until 64-bit TAP driver issues can be resolved.
605 * Added code to Windows installer to fail gracefully on
606 versions of Windows which are not explicitly supported.
608 * The Windows version will now use a default route-delay
609 of 5 seconds to deal with an apparent routing table race
612 * Worked around an incompatibility in the Windows Vista
613 version of CreateIpForwardEntry as described in
614 http://www.nynaeve.net/?p=59
615 This issue would cause route additions using the
616 IP Helper API to fail on Vista.
618 * On Windows, revert to "ip-win32 dynamic" as the default.
620 2006.10.31 -- Version 2.1_rc1
622 * Support recovery (return to hold) from signal at
623 management password prompt.
625 * Added workaround for OpenSC PKCS#11 bug#108
628 2006.10.01 -- Version 2.1-beta16
630 * Windows installer updated with OpenSSL 0.9.7l DLLs to fix
631 published vulnerabilities.
633 * Fixed TAP-Win32 bug that caused BSOD on Windows Vista
636 * Autodetect 32/64 bit Windows in installer and install
637 appropriate TAP driver (Mathias Sundman, Hypherion).
639 * Fixed bug in loopback self-test introduced
640 in 2.1-beta15 where self test as invoked by
641 "make check" would not properly exit after
642 2 minutes (Paul Howarth).
644 2006.09.12 -- Version 2.1-beta15
646 * Windows installer updated with OpenSSL 0.9.7k DLLs to fix
647 RSA Signature Forgery (CVE-2006-4339).
649 * Fixed bug introduced with the --port-share directive
650 (back in 2.1-beta9 which causes TLS soft resets
651 (1 per hour by default) in TCP server mode to force
652 a blockage of tunnel packets and later time-out and
653 restart the connection.
655 * easy-rsa update (Alon Bar-Lev)
656 Makefile (install) is now available so that
657 distribs will be able to install it safely.
659 * PKCS#11 changes: (Alon Bar-Lev)
660 - Modified ssl.c to not FATAL and return to init.c
661 so auth-retry will work.
662 - Modifed pkcs11-helper.c to fix some problem with
664 - Added retry counter to PKCS#11 PIN hook.
665 - Modified PKCS#11 PIN retry loop to return correct error
666 code when PIN is incorrect.
667 - Fix handling (ignoring) zero sized attributes.
669 - Fix openssl 0.9.6 (first version) issues.
671 * Minor fixes of lladdr (Alon Bar-Lev)
672 Updated makefile.w32-vc to include lladdr.*, updated
674 Modified lladdr.c to be compiled under visual C.
676 * Added two new management states:
677 OPENVPN_STATE_RESOLVE -- DNS lookup
678 OPENVPN_STATE_TCP_CONNECT -- Connecting to TCP server
680 * Echo management state change to log.
682 * Minor syshead.h change for NetBSD to allow
683 TCP_NODELAY flag to work.
685 * Modified --port-share code to remove the assumption that
686 CMSG_SPACE always evaluates to a constant, to enable
687 compilation on NetBSD and possibly other BSDs as well.
689 * Eliminated gcc 3.3.3 warnings on NetBSD
690 when ./configure --enable-strict is used.
692 * Added optional minimum-number-of-bytes parameter
693 to --inactive directive.
695 2006.04.13 -- Version 2.1-beta14
697 * Fixed Windows server bug in time backtrack handling code which
698 could cause TLS negotiation failures on legitimate clients.
700 * Rewrote gettimeofday function for Windows to be
701 simpler and more efficient.
703 * Merged PKCS#11 extensions to easy-rsa/2.0 (Alon Bar-Lev).
705 * Added --route-metric option to set a default route metric
706 for --route (Roy Marples).
708 * Added --lladdr option to specify the link layer (MAC) address
709 for the tap interface on non-Windows platforms (Roy Marples).
711 2006.04.12 -- Version 2.1-beta13
713 * Code added in 2.1-beta7 and 2.0.6-rc1 to extend byte counters
714 to 64 bits caused a bug in the Windows version which has now
715 been fixed. The bug could cause intermittent crashes.
717 2006.04.05 -- Version 2.1-beta12
719 * Security Vulnerability -- An OpenVPN client connecting to a
720 malicious or compromised server could potentially receive
721 "setenv" configuration directives from the server which could
722 cause arbitrary code execution on the client via a LD_PRELOAD
723 attack. A successful attack appears to require that (a) the
724 client has agreed to allow the server to push configuration
725 directives to it by including "pull" or the macro "client" in
726 its configuration file, (b) the client configuration file uses
727 a scripting directive such as "up" or "down", (c) the client
728 succesfully authenticates the server, (d) the server is
729 malicious or has been compromised and is under the control of
730 the attacker, and (e) the attacker has at least some level of
731 pre-existing control over files on the client (this might be
732 accomplished by having the server respond to a client web request
733 with a specially crafted file). Credit: Hendrik Weimer.
736 The fix is to disallow "setenv" to be pushed to clients from
737 the server, and to add a new directive "setenv-safe" which is
738 pushable from the server, but which appends "OPENVPN_" to the
739 name of each remotely set environmental variable.
741 * "topology subnet" fix for FreeBSD (Benoit Bourdin).
743 * PKCS11 fixes (Alon Bar-Lev). For full description:
744 svn log -r990 http://svn.openvpn.net/projects/openvpn/branches/BETA21
746 * When deleting routes under Linux, use the route metric
747 as a differentiator to ensure that the route teardown
748 process only deletes the identical route which was originally
749 added via the "route" directive (Roy Marples).
751 * Fix the t_cltsrv.sh file in FreeBSD 4 jails
752 (Matthias Andree, Dirk Meyer, Vasil Dimov).
754 * Extended tun device configure code to support ethernet
755 bridging on NetBSD (Emmanuel Kasper).
757 2006.02.19 -- Version 2.1-beta11
759 * Fixed --port-share bug that caused premature closing
762 2006.02.17 -- Version 2.1-beta10
764 * Fixed --port-share breakage introduced in 2.1-beta9.
766 2006.02.16 -- Version 2.1-beta9
768 * Added --port-share option for allowing OpenVPN and HTTPS
769 server to share the same port number.
770 * Added --management-client option to connect as a client
771 to management GUI app rather than be connected to as a
773 * Added "bytecount" command to management interface.
774 * --remote-cert-tls fixes (Alon Bar-Lev).
776 2006.01.03 -- Version 2.1-beta8
778 * --remap-usr1 will now also remap signals thrown during
780 * Added --connect-timeout option to control the timeout
781 on TCP client connection attempts (doesn't work on all
782 OSes). This patch also makes OpenVPN signalable during
783 TCP connection attempts.
784 * Fixed bug in acinclude.m4 where capability of compiler
785 to handle zero-length arrays in structs is tested
787 * Fixed typo in manage.c where inline function declaration
788 was declared without the "static" keyword (David Stipp).
789 * Patch to support --topology subnet on Mac OS X (Mathias Sundman).
790 * Added --auto-proxy directive to auto-detect HTTP or SOCKS
791 proxy settings (currently Windows only).
792 * Removed redundant base64 code.
793 * Better sanity checking of --server and --server-bridge
794 IP pool ranges, so as not to hit the assertion at
796 * Fixed bug where --daemon and --management-query-passwords
797 used together would cause OpenVPN to block prior to
799 * Fixed client/server race condition which could occur
800 when --auth-retry interact is set and the initially
801 provided auth-user-pass credentials are incorrect,
802 forcing a username/password re-query.
803 * Fixed bug where if --daemon and --management-hold are
804 used together, --user or --group options would be ignored.
805 * --ip-win32 adaptive is now the default.
806 * --ip-win32 netsh (or --ip-win32 adaptive when in netsh
807 mode) can now set DNS/WINS addresses on the TAP-Win32
809 * Added new option --route-method adaptive (Win32)
810 which tries IP helper API first, then falls back to
812 * Made --route-method adaptive the default.
814 2005.11.12 -- Version 2.1-beta7
816 * Allow blank passwords to be passed via the management
818 * Fixed bug where "make check" inside a FreeBSD "jail"
819 would never complete (Matthias Andree).
820 * Fixed bug where --server directive in --dev tap mode
821 claimed that it would support subnets of /30 or less
822 but actually would only accept /29 or less.
823 * Extend byte counters to 64 bits (M. van Cuijk).
824 * Fixed bug in Linux get_default_gateway function
825 introduced in 2.0.4, which would cause redirect-gateway
826 on Linux clients to fail.
827 * Moved easy-rsa 2.0 scripts to easy-rsa/2.0 to
828 be compatible with 2.0.x distribution.
829 * Documented --route-nopull.
830 * Documented --ip-win32 adaptive.
831 * Windows build now linked with LZO2.
832 * Allow ca, cert, key, and dh files to be specified
833 inline via XML-like syntax without needing to
834 reference an explicit file.
839 * Allow plugin and push directives to have multi-line
840 parameter lists such as:
846 * Added connect-retry-max option (Alon Bar-Lev).
847 * Fixed problems where signals thrown during initialization
848 were not returning to a management-hold state.
849 * Added a backtrack-hardened system time algorithm.
850 * Added --remote-cert-ku, --remote-cert-eku, and
851 --remote-cert-tls options for verifying certificate
852 attributes (Alon Bar-Lev).
853 * For Windows, reverted --ip-win32 default back to "dynamic".
854 To use new adaptive mode, set explicitly.
856 2005.11.01 -- Version 2.1-beta6
858 * Security fix (merged from 2.0.4) -- Affects non-Windows
859 OpenVPN clients of version 2.0 or higher which connect to
860 a malicious or compromised server. A format string
861 vulnerability in the foreign_option function in options.c
862 could potentially allow a malicious or compromised server
863 to execute arbitrary code on the client. Only
864 non-Windows clients are affected. The vulnerability
865 only exists if (a) the client's TLS negotiation with
866 the server succeeds, (b) the server is malicious or
867 has been compromised such that it is configured to
868 push a maliciously crafted options string to the client,
869 and (c) the client indicates its willingness to accept
870 pushed options from the server by having "pull" or
871 "client" in its configuration file (Credit: Vade79).
873 * Security fix -- (merged from 2.0.4) Potential DoS
874 vulnerability on the server in TCP mode. If the TCP
875 server accept() call returns an error status, the resulting
876 exception handler may attempt to indirect through a NULL
877 pointer, causing a segfault. Affects all OpenVPN 2.0 versions.
879 * Fix attempt of assertion at multi.c:1586 (note that
880 this precise line number will vary across different
881 versions of OpenVPN).
882 * Windows reliability changes:
883 (a) Added code to make sure that the local PATH environmental
884 variable points to the Windows system32 directory.
885 (b) Added new --ip-win32 adaptive mode which tries 'dynamic'
886 and then fails over to 'netsh' if the DHCP negotiation fails.
887 (c) Made --ip-win32 adaptive the default.
888 * More PKCS#11 additions/changes (Alon Bar-Lev).
889 * Added ".PHONY: plugin" to Makefile.am to work around
891 * Fixed double fork issue that occurs when --management-hold
893 * Moved TUN/TAP read/write log messages from --verb 8 to 6.
894 * Warn when multiple clients having the same common name or
895 username usurp each other when --duplicate-cn is not used.
896 * Modified Windows and Linux versions of get_default_gateway
897 to return the route with the smallest metric
898 if multiple 0.0.0.0/0.0.0.0 entries are present.
899 * Added ">NEED-OK" alert and "needok" command to management
900 interface to provide a general interface for sending
901 alerts to the end-user. Used by the PKCS#11 code
902 to send Token Insertion Requests to the user.
903 * Added actual remote address used to the ">STATE" alert
904 in the management interface (Rolf Fokkens).
906 2005.10.17 -- Version 2.1-beta4
908 * Fixed bug introduced in 2.1-beta3 where management
909 socket bind would fail.
910 * --capath fix in ssl.c (Zhuang Yuyao).
911 * Added ".PHONY: plugin" to Makefile.am, reverted
912 location of "plugin" directory (thanks to
913 Matthias Andree for figuring this out).
915 2005.10.16 -- Version 2.1-beta3
917 * Added PKCS#11 support (Alon Bar-Lev).
918 * Enable the use of --ca together with --pkcs12. If --ca is
919 used at the same time as --pkcs12, the CA certificate is loaded
920 from the file specified by --ca regardless if the pkcs12 file
921 contains a CA cert or not (Mathias Sundman).
922 * Merged --capath patch (Thomas Noel).
923 * Merged --multihome patch.
924 * Added --bind option for TCP client connections (Ewan Bhamrah
926 * Moved "plugin" directory to "plugins" to deal with strange
927 automake problem that ended up being also fixable with
928 ".PHONY: plugin" in Makefile.am.
930 2005.10.13 -- Version 2.1-beta2
932 * Made --sndbuf and --rcvbuf pushable.
934 2005.10.01 -- Version 2.1-beta1
936 * Made LZO setting pushable.
937 * Renamed sample-keys/tmp-ca.crt to ca.crt.
938 * Fixed bug where remove_iroutes_from_push_route_list
939 was missing routes if those routes had
940 an implied netmask (by omission) of 255.255.255.255.
941 * Merged with 2.0.3-rc1
942 * easy-rsa/2.0 moved to easy-rsa
943 * old easy-rsa moved to easy-rsa/1.0
945 2005.09.23 -- Version 2.0.2-TO4
947 * Added feature to TAP-Win32 adapter to allow it to be
948 opened from non-administrator mode. This feature
949 is enabled by default, and can be enabled/disabled
950 in the adapter advanced properties dialog.
951 * Added --allow-nonadmin standalone option for Windows to
952 set TAP adapter to allow non-admin access. This
953 is a user-mode version of the code, and duplicates
954 the same feature as the above entry.
955 * Added fix that attempts to solve corner case of tunnel not
956 forwarding packets when system clock is reset to an earlier time.
957 * Added --redirect-gateway bypass-dns option. (Developers:
958 To add bypass-dhcp or bypass-dns support to other OSes,
959 add a get_bypass_addresses function to route.c for
961 * Added OPENVPN_PLUGIN_CLIENT_CONNECT_V2 plugin callback, which
962 allows a client-connect plugin to return configuration text
963 in memory, rather than via a file.
964 * Fixed a bug where --mode server --proto tcp-server --cipher none
965 operation could cause tunnel packet truncation.
966 * openvpn --version will show [LZO1] or [LZO2], depending on
967 version that was linked.
969 2005.09.07 -- Version 2.0.2-TO1
971 * Added --topology directive. See man page.
972 * Added --redirect-gateway bypass-dhcp option to add a route
973 allowing DHCP packets to bypass the tunnel, when the
974 DHCP server is non-local. Currently only implemented
976 * Modified OpenVPN Service on Windows to declare the DHCP
977 client service as a dependency.
978 * Extended the plugin interface to allow plugins to declare
979 per-client constructor and destructor functions, to make
980 it simpler for plugins to maintain per-client state.
982 2005.09.25 -- Version 2.0.3-rc1
984 * openvpn_plugin_abort_v1 function wasn't being properly
985 registered on Windows.
986 * Fixed a bug where --mode server --proto tcp-server --cipher none
987 operation could cause tunnel packet truncation.
989 2005.08.25 -- Version 2.0.2
991 * No change from 2.0.2-rc1.
993 2005.08.24 -- Version 2.0.2-rc1
995 * Fixed regression bug in Win32 installer, introduced in 2.0.1,
996 which incorrectly set OpenVPN service to autostart.
997 * Don't package source code zip file in Windows installer
998 in order to reduce the size of the installer. The source
999 zip file can always be downloaded separately if needed.
1000 * Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD
1001 version of get_default_gateway. Allocated socket for route
1002 manipulation is never freed so number of mbufs continuously
1003 grow and exhaust system resources after a while (Jaroslav Klaus).
1004 * Fixed bug where "--proto tcp-server --mode p2p --management
1005 host port" would cause the management port to not respond until
1006 the OpenVPN peer connects.
1007 * Modified pkitool script to be /bin/sh compatible (Johnny Lam).
1009 2005.08.16 -- Version 2.0.1
1011 * Security Fix -- DoS attack against server when run with "verb 0" and
1012 without "tls-auth". If a client connection to the server fails
1013 certificate verification, the OpenSSL error queue is not properly
1014 flushed, which can result in another unrelated client instance on the
1015 server seeing the error and responding to it, resulting in disconnection
1016 of the unrelated client (CAN-2005-2531).
1017 * Security Fix -- DoS attack against server by authenticated client.
1018 This bug presents a potential DoS attack vector against the server
1019 which can only be initiated by a connected and authenticated client.
1020 If the client sends a packet which fails to decrypt on the server,
1021 the OpenSSL error queue is not properly flushed, which can result in
1022 another unrelated client instance on the server seeing the error and
1023 responding to it, resulting in disconnection of the unrelated client
1024 (CAN-2005-2532). Credit: Mike Ireton.
1025 * Security Fix -- DoS attack against server by authenticated client.
1026 A malicious client in "dev tap" ethernet bridging mode could
1027 theoretically flood the server with packets appearing to come from
1028 hundreds of thousands of different MAC addresses, causing the OpenVPN
1029 process to deplete system virtual memory as it expands its internal
1030 routing table. A --max-routes-per-client directive has been added
1031 (default=256) to limit the maximum number of routes in OpenVPN's
1032 internal routing table which can be associated with a given client
1034 * Security Fix -- DoS attack against server by authenticated client.
1035 If two or more client machines try to connect to the server at the
1036 same time via TCP, using the same client certificate, and when
1037 --duplicate-cn is not enabled on the server, a race condition can
1038 crash the server with "Assertion failed at mtcp.c:411"
1040 * Fixed server bug where under certain circumstances, the client instance
1041 object deletion function would try to delete iroutes which had never been
1042 added in the first place, triggering "Assertion failed at mroute.c:349".
1043 * Added --auth-retry option to prevent auth errors from being fatal
1044 on the client side, and to permit username/password requeries in case
1045 of error. Also controllable via new "auth-retry" management interface
1046 command. See man page for more info.
1047 * Added easy-rsa 2.0 scripts to the tarball in easy-rsa/2.0
1048 * Fixed bug in openvpn.spec where rpmbuild --define 'without_pam 1'
1049 would fail to build.
1050 * Implement "make check" to perform loopback tests (Matthias Andree).
1052 2005.07.21 -- Version 2.0.1-rc7
1054 * Support LZO 2.01 which renamed its library to lzo2 (Matthias Andree).
1055 * Include linux/types.h before checking for linux/errqueue.h (Matthias
1058 2005.07.15 -- Version 2.0.1-rc6
1060 * Commented out "user nobody" and "group nobody" in sample
1061 client/server config files.
1062 * Allow '@' character to be used in --client-config-dir
1065 2005.07.04 -- Version 2.0.1-rc5
1067 * Windows version will log a for-further-info URL when
1068 initialization sequence is completed with errors.
1069 * Added DLOPEN_PAM parameter to plugin/auth-pam/Makefile
1070 to control whether auth-pam plugin links to PAM via
1071 dlopen or -lpam. By default, DLOPEN_PAM=1 so pre-existing
1072 behavior should be preserved. DLOPEN_PAM=0 is the preferred
1073 setting to link via -lpam, but DLOPEN_PAM=1 works around
1074 a bug in SuSE 9.1 (and possibly other distros as well)
1075 where the PAM modules are not linked with -lpam. See
1076 thread on openvpn-devel for more discussion about this
1077 patch (Simon Perreault).
1079 2005.06.15 -- Version 2.0.1-rc4
1081 * Support LZO 2.00, including changes to configure script to
1082 autodetect LZO version.
1084 2005.06.12 -- Version 2.0.1-rc3
1086 * Fixed a bug which caused standard file handles to not be closed
1087 after daemonization when --plugin and --daemon are used together,
1088 and if the plugin initialization function forks (as does auth-pam
1089 and down-root) (Simon Perreault).
1090 * Added client-side up/down scripts in contrib/pull-resolv-conf
1091 for accepting server-pushed "dhcp-option DOMAIN" and "dhcp-option DNS"
1092 on Linux/Unix systems (Jesse Adelman).
1093 * Fixed bug where if client-connect scripts/plugins were cascaded,
1094 and one (but not all) of them returned an error status, there might
1095 be cases where for an individual script/plugin, client-connect was
1096 called but not client-disconnect. The goal of this fix is to
1097 ensure that if client-connect is called on a given client instance,
1098 then client-disconnect will definitely be called. A potential
1099 complication of this fix is that when client-connect functions are
1100 cascaded, it's possible that the client-disconnect function would
1101 be called in cases where the related client-connect function returned
1102 an error status. This fix should not alter OpenVPN behavior when
1103 scripts/plugins are not cascaded.
1104 * Changed the hard-to-reproduce "Assertion failed at fragment.c:312"
1105 fatal error to a warning: "FRAG: outgoing buffer is not empty".
1106 Need more info on how to reproduce this one.
1107 * When --duplicate-cn is used, the --ifconfig-pool allocation
1108 algorithm will now allocate the first available IP address.
1109 * When --daemon and --management-hold are used together,
1110 OpenVPN will daemonize before it enters the management hold state.
1112 2005.05.16 -- Version 2.0.1-rc2
1114 * Modified vendor test in openvpn.spec file to match against
1115 "Mandrakesoft" in addition to "MandrakeSoft".
1116 * Using --iroute in a --client-config-dir file while in --dev tap
1117 mode is not currently supported and will produce a warning
1118 message. Fixed bug where in certain cases, in addition to
1119 generating a warning message, this combination of options
1120 would also produce a fatal assertion in mroute.c.
1121 * Pass --auth-user-pass username to server-side plugin without
1122 performing any string remapping (plugins, unlike scripts,
1123 don't get any security benefit from string remapping).
1124 This is intended to fix an issue with openvpn-auth-pam/pam_winbind
1125 where backslash characters in a username ('\') were being remapped
1126 to underscore ('_').
1127 * Updated OpenSSL DLLs in Windows build to 0.9.7g.
1128 * Documented --explicit-exit-notify in man page.
1129 * --explicit-exit-notify seconds parameter defaults to 1 if
1132 2005.04.30 -- Version 2.0.1-rc1
1134 * Fixed bug where certain kinds of fatal errors after
1135 initialization (such as port in use) would leave plugin
1136 processes (such as openvpn-auth-pam) still running.
1137 * Added optional openvpn_plugin_abort_v1 plugin function for
1138 closing initialized plugin objects in the event of a fatal
1139 error by main OpenVPN process.
1140 * When the --remote list is > 1, and --resolv-retry is not
1141 specified (meaning that it defaults to "infinite"), apply the
1142 infinite timeout to the --remote list as a whole, but try each
1143 list item only once before moving on to the next item.
1144 * Added new --syslog directive which redirects output
1145 to syslog without requiring the use of the --daemon or --inetd
1147 * Added openvpn.spec option to allow RPM to be built with support
1148 for passwords read from a file:
1149 rpmbuild -tb [openvpn.x.tar.gz] --define 'with_password_save 1'
1151 2005.04.17 -- Version 2.0
1153 * Fixed minor options string typo in options.c.
1155 2005.04.10 -- Version 2.0-rc21
1157 * Change license description from "GPL Version 2 or (at your
1158 option) any later version" to just "GPL Version 2".
1160 2005.04.04 -- Version 2.0-rc20
1162 * Dag Wieers has put together an OpenVPN/LZO binary RPM set with
1163 excellent distro/version coverage for RH/EL/Fedora, though
1164 using his own SPEC. I modified openvpn.spec to follow some of
1165 the same conventions such as putting sample scripts and doc
1166 files in %doc rather than /usr/share/openvpn.
1167 * Minor change to init scripts to run the user-defined script
1168 /etc/openvpn/openvpn-startup (if it exists) before any OpenVPN
1169 configs are started, and to run /etc/openvpn/openvpn-shutdown
1170 after all OpenVPN configs have been stopped. The
1171 openvpn-startup script can be used for stuff like
1172 insmod tun.o, setting up firewall rules, or starting
1175 2005.03.29 -- Version 2.0-rc19
1177 * Omit additions of routes where the network and
1178 gateway are equal and the netmask is 255.255.255.255.
1179 This can come up if you are using both
1180 server/ifconfig-pool and client-config-dir with
1181 ifconfig-push static addresses for some subset of clients
1182 which directly reference the server IP address as the
1185 2005.03.28 -- Version 2.0-rc18
1187 * Packaged Windows installer with OpenSSL 0.9.7f.
1188 * Built Windows installer with NSIS 2.06.
1190 2005.03.12 -- Version 2.0-rc17
1192 * "MANAGEMENT: CMD" log file output will now only occur
1193 at --verb 7 or greater.
1194 * Added an optional name/value configuration list to
1195 the openvpn-auth-pam plugin module argument list. See
1196 plugin/auth-pam/README for documentation. This is necessary
1197 in order for openvpn-auth-pam to work with queries generated
1198 by arbitrary PAM modules.
1199 * In both auth-pam and down-root plugins, in the forked process,
1200 a read error on the parent process socket is no longer fatal.
1201 * MandrakeSoft liblzo1 RPM only Provides for a 'liblzo1'.
1202 A conditional test of the vendor has been added to
1203 Require the appropriately named 'lzo' (liblzo1 / lzo).
1204 (Tom Walsh - http://openhardware.net)
1207 2005.02.20 -- Version 2.0-rc16
1209 * Fixed bug introduced in rc13 where Windows service wrapper
1210 would be installed with a startup type of Automatic.
1211 This fix restores the previous behavior of installing
1212 with a startup type of Manual.
1214 2005.02.19 -- Version 2.0-rc15
1216 * Added warning when --keepalive is not used in a server
1218 * Don't include OpenSSL md4.h file if we are not building
1219 NTLM proxy support (Waldemar Brodkorb).
1220 * Added easy-rsa/build-key-pkcs12 and
1221 easy-rsa/Windows/build-key-pkcs12.bat scripts
1224 2005.02.16 -- Version 2.0-rc14
1226 * Fixed small memory leak that occurs when --crl-verify
1228 * Upgraded Windows installer and .nsi script to NSIS 2.05
1230 * Changed #include backslash usage in cryptoapi.c to use
1231 forward slashes instead (Gisle Vanem).
1232 * Created easy-rsa/revoke-full to handle revocations in
1233 a single step: (a) revoke crt, (b) regenerate CRL, and
1234 (c) verify that revocation succeeded.
1235 * Renamed easy-rsa/Windows/revoke-key to revoke-full so
1236 that both *nix and Windows scripts are equivalent.
1238 2005.02.11 -- Version 2.0-rc13
1240 * Improve human-readability of local/remote options
1241 diff, when inconsistencies are present.
1242 * For Windows easy-rsa, distribute vars.bat.sample and
1243 openssl.cnf.sample, then copy them to their normal
1244 filenames (without the .sample) when init-config.bat
1245 is run. This is to prevent OpenVPN upgrades from
1246 wiping out vars.bat and openssl.cnf edits.
1247 * Modified service wrapper (Windows) to use a
1248 case-insensitive search when scanning for .ovpn files
1249 in \Program Files\OpenVPN\config. Prior versions
1250 required an all-lower-case .ovpn file extension.
1251 * Miscellaneous service wrapper code cleanup.
1252 * If --user/--group is used on Windows, treat it
1253 as a no-op with a warning (this makes it easier to
1254 distribute the same client config file to Windows
1256 * Warn if --ifconfig-pool-persist is used with
1259 2005.02.05 -- Version 2.0-rc12
1261 * Removed some debugging code inadvertently included
1262 in rc11 which would print the --auth-user-pass
1263 username/password provided by clients in the server
1265 * Client code for cycling through --remote list will
1266 retry the last address which successfully authenticated
1267 before moving on through the list.
1268 * Windows installer will now install sample configuration
1269 files in \Program Files\OpenVPN\sample-configs as well
1270 as generate a start menu shortcut to this directory.
1271 * Minor type change in buffer.[ch] to work around char-type
1272 ambiguity bug. Caused management interface lock-ups on
1273 ARM when building with armv4b-hardhat-linux-gcc 2.95.3.
1275 2005.02.03 -- Version 2.0-rc11
1277 * Windows installer will now install easy-rsa directory
1278 in \Program Files\OpenVPN
1279 * Allow syslog facility to be controlled at compile time,
1280 e.g. -DLOG_OPENVPN=LOG_LOCAL6 (P Kern).
1281 * Changed certain shell scripts in distribution to use
1282 #!/bin/sh rather than #!/bin/bash for better portability.
1283 * If --ifconfig-pool-persist seconds parameter is 0, treat
1284 persist file as an allocation of fixed IP addresses
1285 (previous versions took IP-to-common-name associations
1286 from this list as hints, not mandatory static allocations).
1287 * Fixed bug on *nix where if --auth-user-pass and --log
1288 were used together, the username prompt would be sent to
1289 the log file rather than /dev/tty.
1290 * Spurious text in openvpn.8 detected by doclifter
1292 * Call closelog later on daemon kill so that process
1293 exit message is written to syslog.
1295 2005.01.27 -- Version 2.0-rc10
1297 * When ./configure is run with plugins enabled (the default),
1298 check whether or not dlopen exists in libc before testing
1299 for libdl. This is to fix an issue on FreeBSD and possibly
1300 other OSes which bundle libdl functions in libc.
1301 * On Windows, filter initial WSAEINVAL warning which occurs
1302 on the initial read attempt of an unbound socket.
1303 * The easy-rsa scripts build-key, build-key-pass, and
1304 build-key-server will now chmod the .key file
1305 to 0600. This is in addition to the fact the generated
1306 keys directory has always been similarly protected
1309 2005.01.23 -- Version 2.0-rc9
1311 * Fixed error "ROUTE: route addition failed using
1312 CreateIpForwardEntry ..." on Windows when --redirect-gateway
1313 is used over a RRAS internet link.
1314 * When using --route-method exe on Windows, include the
1315 gateway parameter on route delete commands (Mathias Sundman).
1316 * Try not to do a hard reset (i.e. SIGHUP) when two
1317 SIGUSR1 signals are received in close succession.
1318 * If the push list tries to grow beyond its buffer capacity,
1319 the resulting error will be non-fatal.
1320 * To increase the push list capacity (must be done on both
1321 client and server), increase TLS_CHANNEL_BUF_SIZE in
1322 common.h (default=1024).
1324 2005.01.15 -- Version 2.0-rc8
1326 * Fixed bug introduced in rc7 where options error
1327 "--auth-user-pass requires --pull" might occur even
1328 if --pull was correctly specified.
1329 * Changed management interface code to bind once
1330 to TCP socket, rather than rebinding after every
1332 * Added "disable" directive for client-config-dir
1334 * Windows binary install is now distributed with
1336 * Query the management interface for --http-proxy
1337 username/password if authfile is set to "stdin".
1338 * Added current OpenVPN version number to "Unrecognized
1339 option or missing parameter" error message.
1340 * Added "-extensions server" to "openssl req" command
1341 in easy-rsa/build-key-server (Nir Yeffet).
1343 2005.01.10 -- Version 2.0-rc7
1345 * Fixed bug in management interface which could cause
1346 100% CPU utilization in --proto tcp-server mode
1347 on all *nix OSes except for Linux 2.6.
1348 * --ifconfig-push now accepts DNS names as well as
1350 * Added sanity check errors when --pull or
1351 --auth-user-pass is used in an incorrect mode.
1352 * Updated man page entries for --client-connect and
1354 * Added "String Types and Remapping" section to man
1355 page to consisely document the way which OpenVPN
1356 may convert certain types of characters in strings
1358 * Modified bridging description in HOWTO to emphasize
1359 the fact that bridging allows Windows file and print
1360 sharing without a WINS server (Charles Duffy).
1362 2004.12.20 -- Version 2.0-rc6
1364 * Improved checking for epoll support in ./configure
1365 to fix false positive on RH9 (Jan Just Keijser).
1366 * Made the "MULTI TCP: I/O wait required blocking in
1367 multi_tcp_action, action=7" error nonfatal and replaced
1368 with "MULTI: Outgoing TUN queue full, dropped packet".
1369 So far the issue only seems to occur on Linux 2.2
1370 in --mode server --proto tcp mode. It occurs when
1371 the TUN/TAP driver locks up and refuses to accept
1372 new packet writes for a second or more.
1373 * Fixed bug where if a --client-config-dir file tried
1374 to include another file using "config", and if that
1375 include failed, OpenVPN would abort with a fatal
1376 error. Now such inclusion failures will be logged
1377 but are no longer fatal.
1378 * Global changes to the way that packet buffer alignment
1379 is handled. Previously we didn't care about alignment
1380 and took care, when handling 16 and 32 bit words
1381 in buffers, to always use alignment-safe transfers.
1382 This approach appears to be inadequate on some
1383 architectures such as alpha. The new approach is
1384 to initialize packet buffers in a way that anticipates
1385 how component structures will be allocated within
1386 them, to maintain correct alignment.
1387 * Added --dhcp-option DISABLE-NBT to disable NetBIOS
1388 over TCP (Jan Just Keijser).
1389 * Added --http-proxy-option directive for controlling
1390 miscellaneous HTTP proxy options.
1391 * Management state will no longer transition to "WAIT"
1392 during TLS renegotiations.
1394 2004.12.16 -- Version 2.0-rc5
1396 * The --client-config-dir option will now try to open
1397 a default file called "DEFAULT" if no file matching
1398 the common name of the incoming client was found.
1399 * The --client-connect script/plugin can now veto client
1400 authentication by returning a failure code.
1401 * The --learn-address script/plugin can now prevent a
1402 client-instance/address association from being learned
1403 by returning a failure code.
1404 * Changed RPM group in .spec file to Applications/Internet.
1406 2004.12.14 -- Version 2.0-rc4
1408 * SuSE only -- Fixed interaction between openvpn.spec and
1409 suse/openvpn.init where the .spec file was writing the
1410 OpenVPN binary to a different location than where the
1411 .init script was referencing it (Stefan Engel).
1412 * Solaris only -- Split Solaris ifconfig command into two
1413 parts (Jan Just Keijser).
1414 * Some cleanup in add_option().
1415 * Better error checking on input dotted quad IP addresses.
1416 * Verify that --push argument is quoted, if there is
1418 * More miscellaneous option sanity checks.
1420 2004.12.13 -- Version 2.0-rc3
1422 * On Windows, when --log or --log-append is used,
1423 save the original stderr for username and password
1425 * Fixed a bug introduced in the late 2.0 betas where
1426 if a "verb" parameter >= 16 was used, it would be
1427 ignored and the actual verb level would remain at 1.
1428 * Fixed a bug mostly seen on OS X where --management-hold
1429 or --management-query-passwords would cause the management
1430 interface to be unresponsive to incoming client connections.
1431 * Trigger an options error if one of the management-modifying
1432 options is used without "management" itself.
1434 2004.12.12 -- Version 2.0-rc2
1436 * Amplified warnings in documentation about possible
1437 man-in-the-middle attack when clients do not properly
1438 verify server certificate. Changes to easy-rsa README,
1439 FAQ, HOWTO, man page, and sample client config file.
1440 * Added a warning message if --tls-client or --client
1441 is used without also specifying one of either
1442 --ns-cert-type, --tls-remote, or --tls-verify.
1443 * status_open() fixes for MSVC builds (Blaine Fleming).
1444 * Fix attempt of "ntlm.c:55: error: `des_cblock' undeclared"
1445 compiler error which has been reported on some platforms.
1446 * The openvpn.spec file for rpmbuild has several
1447 new build-time options. See comments in the file.
1448 * Plugins are now built and packaged in the RPM and
1449 will be saved in /usr/share/openvpn/plugin/lib.
1450 * Added --management-hold directive to start OpenVPN
1451 in a hibernating state until released by the
1452 management interface. Also added "hold" command
1453 to the management interface.
1455 2004.12.07 -- Version 2.0-rc1
1457 * openvpn.spec workaround for SuSE confusion regarding
1458 /etc/init.d vs. /etc/rc.d/init.d (Stefan Engel).
1460 2004.12.05 -- Version 2.0-beta20
1462 * The ability to read --askpass and --auth-user-pass
1463 passwords from a file has been disabled by default.
1464 To re-enable, use ./configure --enable-password-save.
1465 * Added additional pre-connected states to management
1466 interface. See management/management-notes.txt
1468 * State history is now recorded by the management
1469 interface, and the "state" command now works like
1470 the log or echo commands.
1471 * State history and real-time state change notifications
1472 are now prepended with an integer unix timestamp.
1473 * Added --http-proxy-timeout option, previously
1474 the timeout was hardcoded to 5 seconds.
1476 2004.12.02 -- Version 2.0-beta19
1478 * Fixed bug in management interface line termination
1479 where output lines incorrectly contained a \00 char
1480 after the customary \0d \0a.
1481 * Fixed bug introduced in beta18 where Windows version
1482 would segfault on options errors.
1483 * Fixed bug in management interface where an empty
1484 quoted string ("") entered as a parameter would cause
1486 * Fixed bug where --resolv-retry was not working
1487 properly with multiple --remote hosts.
1488 * Added additional ./configure options to reduce
1489 executable size for embedded applications.
1490 See ./configure --help.
1492 2004.11.28 -- Version 2.0-beta18
1494 * Added management interface. See new --management-*
1495 options or the full management interface documentation
1496 in management/management-notes.txt in the tarball.
1497 Management interface inclusion can be disabled by
1498 ./configure --disable-management.
1499 * Added two new plugin modules: auth-pam and down-root.
1500 Auth-pam supports pam-based authentication using a
1501 split privilege execution model, while down-root enables
1502 a down script to be executed with root privileges, even
1503 when --user/--group is used to drop root privileges.
1504 See the plugin directory in the tarball for READMEs,
1505 source code, and Makefiles.
1506 * Plugin developers should note that some changes were
1507 made to the plugin interface since beta17. See
1508 openvpn-plugin.h for details.
1509 Plugin interface inclusion can be disabled with
1510 ./configure --disable-plugins
1511 * Added easy-rsa/build-key-server script which will
1512 build a certificate with with nsCertType=server.
1513 * Added --ns-cert-type option for verification
1514 of nsCertType field in peer certificate.
1515 * If --fragment n is specified and --mssfix is specified
1516 without a parameter, default --mssfix to n. This restores
1517 the 1.6 behavior when using --mssfix without a parameter.
1518 * Fixed SSL context initialization bug introduced in beta14
1519 where this error might occur on restarts: "Cannot load
1520 certificate chain ... PEM_read_bio:no start line".
1522 2004.11.11 -- Version 2.0-beta17
1524 * Changed default port number to 1194 per IANA official
1525 port number assignment.
1526 * Added --plugin directive which allows compiled
1527 modules to intercept script callbacks. See
1528 plugin folder in tarball for more info.
1529 * Fixed bug introduced in beta12 where --key-method 1
1530 authentications which should have succeeded would fail.
1531 * Ignore SIGUSR1 during DNS resolution.
1532 * Added SuSE support to openvpn.spec (Umberto Nicoletti).
1533 * Fixed --cryptoapicert SUBJ: parsing bug (Peter 'Luna'
1536 2004.11.07 -- Version 2.0-beta16
1538 * Modified sample-scripts/auth-pam.pl to get username
1539 and password from OpenVPN via a file rather than
1540 via environmental variables.
1541 * Added bytes_sent and bytes_received environmental
1542 variables to be set prior to client-disconnect script.
1543 * Changed client virtual IP derivation precedence:
1544 (1) use --ifconfig-push directive from --client-connect
1545 script, (2) use --ifconfig-push directive from
1546 --client-config-dir, and (3) use --ifconfig-pool
1548 * If a --client-config-dir file specifies --ifconfig-push,
1549 it will be visible to the --client-connect-script in
1550 the ifconfig_pool_remote_ip environmental variable.
1551 * For tun-style tunnels, the ifconfig_pool_local_ip
1552 environmental variable will be set, while for
1553 tap-style tunnels, the ifconfig_pool_netmask variable
1555 * Added intelligence to autoconf script to test
1556 compiler for the accepted form of zero-length arrays.
1557 * Fixed a bug introduced in beta12 where --ip-win32
1558 netsh would fail if --dev-node was not explicitly
1560 * --ip-win32 netsh will now work on hidden adapters.
1561 * Fix attempt of "Assertion failed at crypto.c:149".
1562 This assertion has also been reported on 1.x with a
1563 slightly different line number. The fix is twofold:
1564 (1) In previous releases, --mtu-test may trigger this
1565 assertion -- this bug has been fixed. (2) If something
1566 else causes the assertion to be thrown, don't panic,
1567 just output a nonfatal warning to the log and drop
1568 the packet which generated the error.
1569 * Support TAP interfaces on Mac OS X (Waldemar Brodkorb).
1570 * Added --echo directive.
1571 * Added --auth-nocache directive.
1573 2004.10.28 -- Version 2.0-beta15
1575 * Changed environmental variable character classes
1576 so that names must consist of alphanumeric or
1577 underbar chars and values must consist of printable
1578 characters. Illegal chars will be deleted.
1579 Versions prior to 2.0-beta12 were more restrictive
1580 and would map spaces to '.'.
1581 * On Windows, when the TAP adapter fails to
1582 initialize with the correct IP address, output
1583 "Initialization Sequence Completed with Errors"
1584 to the console or log file.
1585 * Added a warning when user/group/chroot is used
1586 without persist-tun and persist-key.
1587 * Added cryptoapi.[ch] to tarball and source zip.
1588 * --tls-remote option now works with common name
1589 prefixes as well as with the full X509 subject
1590 string. This is a useful alternative to using
1591 a CRL on the client.
1592 * common names associated with a static
1593 --ifconfig-push setting will no longer leave
1594 any state in the --ifconfig-pool-persist file.
1595 * Hard TLS errors (TLS handshake failed) will now
1596 trigger either a SIGUSR1 signal by default
1597 or SIGTERM (if --tls-exit is specified). In TCP
1598 mode, all TLS errors are considered to be hard.
1599 In server mode, the signal will be local to the
1601 * Added method parameter to --auth-user-pass-verify
1602 directive to select whether username/password
1603 is passed to script via environment or a temporary
1605 * Added --status-version option to control format
1606 of --status file. The --mode server
1607 --status-version 2 format now includes a line
1608 type token, the virtual IP address is shown
1609 in the client list (even in --dev tap mode),
1610 and the integer time_t value is shown anywhere
1611 an ascii-formatted time/date is also shown.
1612 * Added --remap-usr1 directive which can be used
1613 to control whether internally or externally
1614 generated SIGUSR1 signals are remapped to
1615 SIGHUP (restart without persisting state) or
1617 * When running as a Windows service (using
1618 --service option), check the exit event before
1619 and after reading one line of input from
1620 stdin, when reading username/password info.
1621 * For developers: Extended the --gremlin function
1622 to better stress-test the new 2.0 features,
1623 added Valgrind support on Linux and Dmalloc
1626 2004.10.19 -- Version 2.0-beta14
1628 * Fixed a bug introduced in Beta12 that would occur
1629 if you use a --client-connect script without also
1631 * Fixed a bug introduced in Beta12 where a learn-address
1632 script might segfault on the delete method.
1633 * Added Crypto API support in Windows version via
1634 the --cryptoapicert option (Peter 'Luna' Runestig).
1636 2004.10.18 -- Version 2.0-beta13
1638 * Fixed an issue introduced in Beta12 where the private
1639 key password would not be prompted for unless --askpass
1640 was explicitly specified in the config.
1642 2004.10.17 -- Version 2.0-beta12
1644 * Added support for username/password-based authentication.
1645 Clients can now authentication themselves with the server
1646 using either a certificate, a username/password, or both.
1647 New directives: --auth-user-pass, --auth-user-pass-verify,
1648 --client-cert-not-required, and --username-as-common-name.
1649 * Added NTLM proxy patch (William Preston).
1650 * Added --ifconfig-pool-linear server flag to allocate
1651 individual tun addresses for clients rather than /30
1652 subnets (won't work with Windows clients).
1653 * Modified --http-proxy code to cache username/password
1655 * Modified --http-proxy code to read username/password
1656 from the console when the auth file is given as "stdin".
1657 * Modified --askpass to take an optional filename argument.
1658 * --persist-tun and --persist-key now work in client mode
1659 and can be pushed to clients as well.
1660 * Added --ifconfig-pool-persist directive, to maintain
1661 ifconfig-pool info in a file which is persistent across
1662 daemon instantiations.
1663 * --user and --group privilege downgrades as well as
1664 --chroot now also work in client mode (the
1665 dowgrade/chroot will be delayed until the initialization
1666 sequence is completed).
1667 * Added --show-engines standalone directive to show
1668 available OpenSSL crypto accelerator engine support.
1669 * --engine directive now accepts an optional engine-ID
1670 parameter to control which engine is used.
1671 * "Connection reset, restarting" log message now shows
1672 which client is being reset.
1673 * Added --dhcp-pre-release directive in Windows version.
1674 * Second parm to --ip-win32 can be "default", e.g.
1675 --ip-win32 dynamic default 60.
1676 * Fixed documentation bug regarding environmental
1677 variable settings for --ifconfig-pool IP addresses.
1678 The correct environmental variable names are:
1679 ifconfig_pool_local_ip and ifconfig_pool_remote_ip.
1680 * ifconfig_pool_local_ip and ifconfig_pool_remote_ip
1681 environmental variables are now passed to the
1682 client-disconnect script.
1683 * In server mode, environmental variables are now scoped
1684 according to the client they are associated with,
1685 to solve the problem of "crosstalk" between different
1686 client's environmental variable sets.
1687 * Added --down-pre flag to cause --down script to be
1688 called before TUN/TAP close (rather than after).
1689 * Added --tls-exit flag which will cause OpenVPN
1690 to exit on any TLS errors.
1691 * Don't push a route to a client if it exactly
1692 matches an iroute (this lets you push routes to
1693 all clients, and OpenVPN will automatically remove
1694 the route from the route push list only for that client
1695 which the route actually belongs to).
1696 * Made '--resolv-retry infinite' the default.
1697 --resolv-retry can be disabled by using a parameter of 0.
1698 * For clients which plan to pull config info from server,
1699 set an initial default ping-restart of 60 seconds.
1700 * Optimized mute code to lessen the load on the processor
1701 when messages are being muted at a higher frequency.
1702 * Made route log messages non-mutable.
1703 * Silence the Linux "No buffer space available" message.
1704 * Added miscellaneous additional option sanity checks.
1705 * Added Windows version of easy-rsa scripts in
1706 easy-rsa/Windows directory (Andrew J. Richardson).
1707 * Added NetBSD route patch (Ed Ravin).
1708 * Added OpenBSD patch for TAP + --redirect-gateway
1709 (Waldemar Brodkorb).
1710 * Directives which prompt for a username and/or password
1711 will now work with --daemon (OpenVPN will prompt
1713 * Warn if CRL is from a different issuer than the
1714 issuer of the peer certificate (Bernhard Weisshuhn).
1715 * Changed init script chkconfig parameters to start
1716 OpenVPN daemon(s) before NFS.
1717 * Bug fix attempt of "too many I/O wait events" which occurs
1718 on OSes which prefer select() over poll() such as Mac OS X.
1719 * Added --ccd-exclusive flag. This flag will require, as a
1720 condition of authentication, that a connecting client has
1721 a --client-config-dir file.
1722 * TAP-Win32 open code will attempt to open a free adapter
1723 if --dev-node is not specified (Mathias Sundman).
1724 * Resequenced --nice and --chroot ordering so that --nice
1726 * Added --suppress-timestamps flag (Charles Duffy).
1727 * Source code changes to allow compilation by MSVC
1728 (Peter 'Luna' Runestig).
1729 * Added experimental --fast-io flag which optimizes
1730 TUN/TAP/UDP writes on non-Windows systems.
1732 2004.08.18 -- Version 2.0-beta11
1734 * Added --server, --server-bridge, --client, and
1735 --keepalive helper directives. See client.conf
1736 and server.conf in sample-config-files for sample
1737 configurations which use the new directives.
1738 * On Windows, added --route-method to control
1739 whether IP Helper API or route.exe is used
1740 to add/delete routes.
1741 * On Windows, added a second parameter to
1742 --route-delay to control the maximum time period
1743 to wait for the TAP-Win32 adapter to come up
1744 before adding routes.
1745 * Fixed bug in Windows version where configurations
1746 which omit --ifconfig might fail to recognize when
1747 the TAP adapter is up.
1748 * Proxy connection failures will now retry according
1749 to the --connect-retry parameter.
1750 * Fixed --dev null handling on Windows so that TLS
1751 loopback test described in INSTALL file works
1752 correctly on Windows.
1753 * Added "Initialization Sequence Completed" message
1754 after all initialization steps have been completed
1755 and the VPN can be considered "up".
1756 * Better sanity-checking on --ifconfig-pool parameters.
1757 * Added --tcp-queue-limit option to control
1758 TUN/TAP -> TCP socket overflow.
1759 * --ifconfig-nowarn flag will now silence general
1760 warnings about possible --ifconfig address
1761 conflicts, including the warning about --ifconfig
1762 and --remote addresses being in same /24 subnet.
1763 * Fixed case where server mode did not correctly
1764 identify certain types of ethernet multicast packets
1766 * Added --explicit-exit-notify option (experimental).
1768 2004.08.02 -- Version 2.0-beta10
1770 * Fixed possible reference after free of option strings
1771 after a restart, bug was introduced in beta8.
1772 * Fixed segfault at route.c:919 in the beta9
1773 Windows version that was being caused by indirection
1774 through a NULL pointer.
1775 * Mistakenly built debug version of TAP-Win32 driver
1776 for beta9. Beta10 has correct release build.
1778 2004.07.30 -- Version 2.0-beta9
1780 * Fixed --route issue on Windows that was introduced with
1781 the new beta8 route implementation based on the
1784 2004.07.27 -- Version 2.0-beta8
1786 * Added TCP support in server mode.
1787 * Added PKCS #12 support (Mathias Sundman).
1788 * Added patch to make revoke-crt and make-crl work
1789 seamlessly within the easy-rsa environment (Jan Kiszka).
1790 * Modified --mode server ethernet bridge code to forward
1791 special IEEE 802.1d MAC Groups, i.e. 01:80:C2:XX:XX:XX.
1792 * Added --dhcp-renew and --dhcp-release flags to Windows
1793 version. Normally DHCP renewal and release on the TAP
1794 adapter occurs automatically under Windows, however
1795 if you set the TAP-Win32 adapter Media Status property
1796 to "Always Connected", you may need these flags.
1797 * Added --show-net standalone flag to Windows version to
1798 show OpenVPN's view of the system adapter and routing
1800 * Added --show-net-up flag to Windows version to output
1801 the system routing table and network adapter list to
1802 the log file after the TAP-Win32 adapter has been brought
1803 up and any routes have been added.
1804 * Modified Windows version to add routes using the IP Helper
1805 API rather than by calling route.exe.
1806 * Fixed bug where --route-up script was not being called
1807 if no --route options were specified.
1808 * Added --mute-replay-warnings to suppress packet replay
1809 warnings. This is a common false alarm on WiFi nets.
1810 * Added "def1" flag to --redirect-gateway option to override
1811 the default gateway by using 0.0.0.0/1 and 128.0.0.0/1
1812 rather than 0.0.0.0/0. This has the benefit of overriding
1813 but not wiping out the original default gateway.
1814 (Thanks to Jim Carter for pointing out this idea).
1815 * You can now run OpenVPN with a single config file argument.
1816 For example, you can now say "openvpn config.conf"
1817 rather than "openvpn --config config.conf".
1818 * On Windows, made --route and --route-delay more adaptive
1819 with respect to waiting for interfaces referenced by the
1820 route destination to come up. Routes added by --route
1821 should now be added as soon as the interface comes up,
1822 rather than after an obligatory 10 second delay. The
1823 way this works internally is that --route-delay now
1824 defaults to 0 on Windows. Previous versions would
1825 wait for --route-delay seconds then add the routes.
1826 This version will wait --route-delay seconds and then
1827 test the routing table at one second intervals for the
1828 next 30 seconds and will not add the routes until they
1829 can be added without errors.
1830 * On Windows, don't setsockopt SO_SNDBUF or SO_RCVBUF by
1831 default on TCP/UDP socket in light of reports that this
1832 action can have undesirable global side effects on the
1833 MTU settings of other adapters. These parameters can
1834 still be set, but you need to explicitly specify
1835 --sndbuf and/or --rcvbuf.
1836 * Added --max-clients option to limit the maximum number
1837 of simultaneously connected clients in server mode.
1838 * Added error message to illuminate shell escape gotcha when
1839 single backslashes are used in Windows path names.
1840 * Added optional netmask parm to --ifconfig-pool.
1841 * Fixed bug where http-proxy connect retry attempts were
1842 incorrectly going to the remote OpenVPN server,
1843 not to the HTTP proxy server.
1845 2004.06.29 -- Version 2.0-beta7
1847 * Fixed bug in link_socket_verify_incoming_addr() which
1848 under certain circumstances could have caused --float
1849 behavior even if --float was not specified.
1850 * --tls-auth option now works with --mode server.
1851 All clients and the server should use the same
1852 --tls-auth key when operating in client/server mode.
1853 * Added --engine option to make use of OpenSSL-supported
1854 crypto acceleration hardware.
1855 * Fixed some high verbosity print format size issues
1856 in event.c for 64 bit platforms (Janne Johansson).
1857 * Made failure to open --log or --log-append file
1860 2004.06.23 -- Version 2.0-beta6
1862 * Fixed Windows installer to intelligently put
1863 up a reboot dialog only if tapinstall tells
1864 us that it's really necessary.
1865 * Fixed "Assertion failed at fragment.c:309"
1866 bug when --mode server and --fragment are used
1868 * Ignore HUP, USR1, and USR2 signals during
1869 initialization. Prior versions would abort.
1870 * Fixed bug on OS X: "Assertion failed at event.c:406".
1871 * Added --service option to Windows version, for use
1872 when OpenVPN is being programmatically instantiated
1873 by another process (see man page for info).
1874 * --log and --log-append options now work on Windows.
1875 * Update OpenBSD INSTALL notes (Janne Johansson).
1876 * Enable multicast on tun interface when running on
1877 OpenBSD (Pavlin Radoslavov).
1878 * Fixed recent --test-crypto breakage, where options
1879 such as --cipher were not being parsed correctly.
1880 * Modified options compatibility string by removing
1881 ifconfig substring if it is empty. Incremented
1882 options compatibility string version number to 4.
1883 * Fixed typo in --tls-timeout option parsing
1886 2004.06.13 -- Version 2.0-beta5
1888 * Fixed rare --mode server crash that could occur
1889 if data was being routed to a client at
1890 high bandwidth at the precise moment that the
1891 client instance object on the server was being
1893 * Fixed issue on machines which have epoll.h and
1894 the epoll_create glibc call defined, but which
1895 don't actually implement epoll in the kernel.
1896 OpenVPN will now gracefully fall back to the
1897 poll API in this case.
1898 * Fixed Windows bug which would cause the following
1899 error in a --mode server --dev tap configuration:
1900 "resource limit WSA_MAXIMUM_WAIT_EVENTS has been
1902 * Added CRL (certificate revocation list) management
1903 scripts to easy-rsa directory (Jon Bendtsen).
1904 * Do a better job of getting the ifconfig component
1905 of the options consistency check to work correctly
1906 when --up-delay is used.
1907 * De-inlined some functions which were too complex
1908 to be inlined anyway with gcc.
1909 * If a --dhcp-option option is pushed to a non-windows
1910 client, the option will be saved in the client's
1911 environment before the --up script is called, under
1912 the name "foreign_option_{n}".
1913 * Added --learn-address script (see man page) which
1914 allows for firewall access through the VPN to be
1915 controlled based on the client common name.
1916 * In mode --server mode, when a client connects to
1917 the server, the server will disconnect any
1918 still-active clients which use the same common
1919 name. Use --duplicate-cn flag to revert to
1920 previous behavior of allowing multiple clients
1921 to concurrently connect with the same common name.
1923 2004.06.08 -- Version 2.0-beta4
1925 * Fixed issue with beta3 where Win32 service wrapper
1926 was keying off of old TAP HWID as a dependency. To
1927 ensure that the new service wrapper is correctly
1928 installed, the Windows install script will uninstall
1929 the old wrapper before installing the new one,
1930 causing a reset of service properties.
1931 * Fixed permissions issue on --status output file,
1932 with default access permissions of owner read/write
1933 only (default permissions can be changed of course with
1936 2004.06.05 -- Version 2.0-beta3
1938 * More changes to TAP-Win32 driver's INF file which
1939 affects the placement of the driver in the Windows
1940 device namespace. This is done to work around an
1941 apparent bug in Windows when short HWIDs are used,
1942 and will also ease the upgrade from 1.x to 2.0 by
1943 reducing the chances that a reboot will be needed
1944 on upgrade. Like beta2, this upgrade will
1945 delete existing TAP-Win32 interfaces, and reinstall
1946 a single new interface with default properties.
1947 * Major rewrite of I/O event wait layer in the style
1948 of libevent. This is a precursor to TCP support
1950 * New feature: --status. Outputs a SIGUSR2-like
1951 status summary to a given file, updated once
1952 per n seconds. The status file is comma delimited
1953 for easy machine parsing.
1954 * --ifconfig-pool now remembers common names and
1955 will try to assign a consistent IP to a given
1956 common name. Still to do: persist --ifconfig-pool
1957 memory across restarts by saving state in file.
1958 * Fixed bug in event timer queue which could cause
1959 recurring timer events such as --ping to not
1960 correctly schedule again after firing. This in
1961 turn would cause spurrious ping restarts and possible
1962 connection outages. Thanks to Denis Vlasenko for
1964 * Possible fix to reported bug where --daemon argument
1965 was not printing to syslog correctly after restart.
1966 * Fixed bug where pulling --route or --dhcp-option
1967 directives from a server would problematically
1968 interact with --persist-tun on the client.
1969 * Updated contrib/multilevel-init.patch (Farkas Levente).
1970 * Added RPM build option to .spec and .spec.in files
1971 to optionally disable LZO inclusion (Ian Pilcher).
1972 * The latest MingW runtime and headers define
1973 'ssize_t', so a patch is needed (Gisle Vanem).
1975 2004.05.14 -- Version 2.0-beta2
1977 * Fixed signal handling bug in --mode server, where
1978 SIGHUP and SIGUSR1 were treated as SIGTERM.
1979 * Changed the TAP-Win32 HWID from "TAP" to "TAPDEV".
1980 Apparently the larger string may work around
1981 a problem where the TAP adapter is sometimes missing
1982 from the network connections panel, especially under
1983 XP SP2. Also note that installing this upgrade will
1984 uninstall any pre-existing TAP-Win32 adapters, and then
1985 install a single new adapter, meaning that old adapter
1986 properties will be lost. Thanks to Md5Chap for solving
1988 * For --mode server --dev tap, the options --ifconfig and
1989 --ifconfig-pool are now optional. This allows address
1990 assignment via DHCP or use of a TAP VPN without
1991 IP support, as has always been possible with 1.x.
1992 * Fixed bug where --ifconfig may not work correctly on
1994 * Added 'local' flag to --redirect-gateway for use on
1995 networks where both OpenVPN daemons are connected
1996 to a shared subnet, such as wireless.
1998 2004.05.09 -- Version 2.0-beta1
2000 * Unchanged from test29 except for version number
2003 2004.05.08 -- Version 2.0-test29
2005 * Modified --dev-node on Windows to accept a TAP-Win32
2006 GUID name. In addition, --show-adapters will now
2007 display the high-level name and GUID of each adapter.
2008 This is an attempt to work around an issue in Windows
2009 where sometimes the TAP-Win32 adapter installs correctly
2010 but has no icon in the network connections control
2011 panel. In such cases, being able to specify
2012 --dev-node {TAP-GUID} can work around the missing icon.
2014 2004.05.07 -- Version 2.0-test28
2016 * Fixed bug which could cause segfault on program
2017 shutdown if --route and --persist-tun are used
2020 2004.05.06 -- Version 2.0-test27
2022 * Fixed bug in close_instance() which might cause
2023 memory to be accessed after it had already been freed.
2024 * Fixed bug in verify_callback() that might have
2025 caused uninitialized data to be referenced.
2026 * --iroute now allows full CIDR subnet routing.
2027 * In "--mode server --dev tun" usage, source addresses
2028 on VPN packets coming from a particular client must
2029 be associated with that client in the OpenVPN internal
2032 2004.04.28 -- Version 2.0-test26
2034 * Optimized broadcast path in multi-client mode.
2035 * Added socket buffer size options --rcvbuf & --sndbuf.
2036 * Configure Linux tun/tap driver to use a more sensible
2037 txqueuelen default. Also allow explicit setting
2038 via --txqueuelen option (Harald Roelle).
2039 * The --remote option now allows the port number
2040 to be specified as the second parameter. If
2041 unspecified, the port number defaults to the
2043 * Multiple --remote options on the client can now be
2044 specified for load balancing and failover. The
2045 --remote-random flag can be used to initially randomize
2046 the --remote list for basic load balancing.
2047 * If a remote DNS name resolves to multiple DNS addresses,
2048 one will be chosen by random as a kind of basic
2049 load-balancing feature if --remote-random is used.
2050 * Added --connect-freq option to control maximum
2051 new connection frequency in multi-client mode.
2052 * In multi-client mode, all syslog messages associated
2053 with a specific client now include a client-ID prefix.
2054 * For Windows, use a gettimeofday() function based
2055 on QueryPerformanceCounter (Derek Burdick).
2056 * Fixed bug in interaction between --key-method 2
2057 and DES ciphers, where dynamic keys would be generated
2058 with bad parity and then be rejected.
2060 2004.04.17 -- Version 2.0-test24
2062 * Reworked multi-client broadcast handling.
2064 2004.04.13 -- Version 2.0-test23
2066 * Fixed bug in --dev tun --client-to-client routing.
2067 * Fixed a potential deadlock in --pull.
2068 * Fixed a problem with select() usage which could
2069 cause a repeating sequence of "select : Invalid
2072 2004.04.11 -- Version 2.0-test22
2074 * Fixed bug where --mode server + --daemon was
2075 prematurely closing syslog connection.
2076 * Added support for --redirect-gateway on Mac OS X
2078 * Minor changes to TAP-Win32 driver based on feedback
2079 from the NDISTest tool.
2081 2004.04.11 -- Version 2.0-test21
2083 * Optimizations in multi-client server event loop.
2085 2004.04.10 -- Version 2.0-test20
2087 * --mode server capability now works with either tun
2088 or tap interfaces. When used with tap interfaces,
2089 OpenVPN will internally bridge all client tap
2090 interfaces with the server tap interface.
2091 * Connecting clients can now have a client-specific
2092 configuration on the server, based on the client
2093 common name embedded in the client certificate.
2094 See --client-config-dir and --client-connect.
2095 These options can be used to configure client-specific
2097 * Added an option --client-to-client that enables
2098 internal client-to-client routing or bridging.
2099 Otherwise, clients will only "see" the server,
2100 not other connected clients.
2101 * Fixed bug in route scheduling which would have caused
2102 --mode server to not work on Windows in test18
2103 and test19 with the sample config file.
2104 * Man page is up to date with all new options.
2105 * OpenVPN 2.0 release notes on web site updated
2106 with tap-style tunnel examples.
2108 2004.04.02 -- Version 2.0-test19
2110 * Fixed bug where routes pushed from server were
2111 not working correctly on Windows clients.
2112 * Added Mac OS X route patch (Jeremy Apple).
2114 2004.03.30 -- Version 2.0-test18
2116 * Minor fixes + Windows self-install modified
2117 to use OpenSSL 0.9.7d.
2119 2004.03.29 -- Version 2.0-test17
2121 * Fixed some bugs related to instance timeout and deletion.
2122 * Extended --push/--pull option to support additional
2125 2004.03.28 -- Version 2.0-test16
2127 * Successful test of --mode udp-server, --push,
2128 --pull, and --ifconfig-pool with server on
2129 Linux 2.4 and clients on Linux and Windows.
2131 2004.03.25 -- Version 2.0-test15
2133 * Implemented hash-table lookup of client instances
2134 based either on remote UDP address/port or remote
2136 * Implemented a randomized binary tree based
2137 scheduler for scalably scheduling a large number
2138 of client instance events. Uses the treap
2139 data structure and node rotation algorithm
2140 to keep the tree balanced.
2141 * Initial implementation of ifconfig-pool.
2142 * Made --key-method 2 the default.
2144 2004.03.20 -- Version 2.0-test14
2146 * Implemented --push and --pull.
2148 2004.03.20 -- Version 2.0-test13
2150 * Reduced struct tls_multi and --single-session
2152 * Modified --single-session flag to be used
2153 in multi-client UDP server client instances.
2155 2004.03.19 -- Version 2.0-test12
2157 * Added the key multi-client UDP server options,
2158 --mode, --push, --pull, and --ifconfig-pool.
2159 * Revamped GC (garbage collection) code to not rely
2161 * Modifications to thread.[ch] to allow a more
2162 flexible thread model.
2164 2004.03.16 -- Version 2.0-test11
2166 * Moved all timer code to interval.h, added new file
2168 * Fixed missing include.
2170 2004.03.16 -- Version 2.0-test10
2172 * More TAP-Win32 fixes.
2173 * Initial debugging and testing of multi.[ch].
2175 2004.03.14 -- Version 2.0-test9
2177 * Branch merge with 1.6-rc3
2178 * More point-to-multipoint work in multi.[ch].
2179 * Major TAP-Win32 driver restructuring to use
2180 NdisMRegisterDevice instead of
2181 IoCreateDevice/IoCreateSymbolicLink.
2182 * Changed TAP-Win32 symbolic links to use \DosDevices\Global\
2184 * In the majority of cases, TAP-Win32 should now be
2185 able to install and uninstall on Win2K without requiring
2187 * TAP-Win32 MAC address can now be explicitly set in the
2188 adapter advanced properties page.
2190 2004.03.04 -- Version 2.0-test8
2192 * Branch merge with 1.6-rc2.
2194 2004.03.03 -- Version 2.0-test7
2196 * Branch merge with 1.6-rc1.2.
2198 2004.03.02 -- Version 2.0-test6
2200 * Branch merge with 1.6-rc1.
2202 2004.03.02 -- Version 2.0-test5
2204 * Move Socks5 UDP header append/remove to socks.c, and is
2205 called from forward.c.
2206 * Moved verify statics from ssl.c into struct tls_session.
2207 * Wrote multi.[ch] to handle top level of point-to-multipoint
2209 * Wrote some code to allow a struct link_socket in a child context
2210 to be slaved to the parent context.
2211 * Broke up packet read and process functions in forward.c
2212 (from socket or tuntap) into separate functions for read
2213 and process, so that point-to-point and point-to-multipoint can
2214 share the same code.
2215 * Expand TLS control channel to allow the passing of configuration
2217 * Wrote mroute.[ch] to handle internal packet routing for
2218 point-to-multipoint mode.
2220 2004.02.22 -- Version 2.0-test3
2222 * Initial work on UDP multi-client server.
2223 * Branch merge of 1.6-beta7
2225 2004.02.14 -- Version 2.0-test2
2227 * Refactorization of openvpn.c into openvpn.[ch]
2228 init.[ch] forward.[ch] forward-inline.h
2229 occ.[ch] occ-inline.h ping.[ch] ping-inline.h
2230 sig.[ch]. Created a master per-tunnel
2231 struct context in openvpn.h.
2232 * Branch merge of 1.6-beta6.2
2234 2003.11.06 -- Version 2.0-test1
2236 * Initial testbed for 2.0.
2238 2004.05.09 -- Version 1.6.0
2240 * Unchanged from 1.6-rc4 except for version number
2243 2004.04.01 -- Version 1.6-rc4
2245 * Made minor customizations to devcon and
2246 renamed as tapinstall.exe for Windows version.
2247 * Fixed "storage size of `iv' isn't known" build
2249 * OpenSSL 0.9.7d bundled with Windows self-install.
2251 2004.03.13 -- Version 1.6-rc3
2253 * Minor Windows fixes for --ip-win32 dynamic, relating to
2254 the way the TAP-Win32 driver responds to a DHCP request
2255 from the Windows DHCP client.
2256 * The net_gateway environmental variable wasn't being
2257 set correctly for called scripts (Paul Zuber).
2258 * Added code to determine the default gateway on FreeBSD,
2259 allowing the --redirect-gateway option to work
2260 (Juan Rodriguez Hervella).
2262 2004.03.04 -- Version 1.6-rc2
2264 * Fixed bug in Windows version where the NetBIOS node-type
2265 DHCP option might have been passed even if it was not
2267 * Fixed bug in Windows version introduced in 1.6-rc1, where
2268 DHCP timeout would be set to 0 seconds if --ifconfig option
2269 was used and --ip-win32 option was not explicitly specified.
2270 * Added some new --dhcp-option types for Windows version.
2272 2004.03.02 -- Version 1.6-rc1
2274 * For Windows, make "--ip-win32 dynamic" the default.
2275 * For Windows, make "--route-delay 10" the default
2276 unless --ip-win32 dynamic is not used or --route-delay
2277 is explicitly specified.
2278 * L_TLS mutex could have been left in a locked state
2279 for certain kinds of TLS errors.
2281 2004.02.22 -- Version 1.6-beta7
2283 * Allow scheduling priority increase (--nice) together
2284 with UID/GID downgrade (--user/--group).
2285 * Code that causes SIGUSR1 restart on TLS errors in TCP
2286 mode was not activated in pthread builds.
2287 * Save the certificate serial number in an environmental
2288 variable called tls_serial_{n} prior to calling the
2289 --tls-verify script. n is the current cert chain level.
2290 * Added NetBSD IPv6 tunnel capability (also requires
2291 a kernel patch) (Horst Laschinsky).
2292 * Fixed bug in checking the return value of the nice()
2293 function (Ian Pilcher).
2294 * Bug fix in new FreeBSD IPv6 over TUN code which was
2295 originally added in 1.6-beta5 (Nathanael Rensen).
2296 * More Socks5 fixes -- extended the struct frame
2297 infrastructure to accomodate proxy-based encapsulation
2299 * Added --dhcp-option to Windows version for setting
2300 adapter properties such as WINS & DNS servers.
2301 * Use a default route-delay of 5 seconds when
2302 --ip-win32 dynamic is specified (only applicable when
2303 --route-delay is not explicitly specified).
2304 * Added "log_append" registry variable to control
2305 whether the OpenVPN service wrapper on Windows
2306 opens log files in append (log_append="1") or
2307 truncate (log_append="0") mode. The default
2310 2004.02.05 -- Version 1.6-beta6
2312 * UDP over Socks5 fix to accomodate Socks5 encapsulation
2313 overhead (Christof Meerwald).
2314 * Minor --ip-win32 dynamic tweaks (use long lease time,
2315 invalidate existing lease with DHCPNAK).
2317 2004.02.01 -- Version 1.6-beta5
2319 * Added Socks5 proxy support (Christof Meerwald).
2320 * IPv6 tun support for FreeBSD (Thomas Glanzmann).
2321 * Special TAP-Win32 debug mode for Windows self-install that was
2322 enabled in beta4 is now turned off.
2323 * Added some new Solaris notes to INSTALL (Koen Maris).
2324 * More work on --ip-win32 dynamic.
2326 2004.01.27 -- Version 1.6-beta4
2328 * For this beta, the Windows self-install is a debug version
2329 and will run slower -- use only for testing.
2330 * Reverted the --ip-win32 default back to 'ipapi'
2332 * Added the offset parameter to '--ip-win32 dynamic' which
2333 can be used to control the address of the masqueraded
2334 DHCP server which replies to Windows DHCP requests.
2335 * Added a wait/nowait option to --inetd (nowait can only
2336 be used with TCP sockets, TLS authentication, and over
2337 a bridged configuration -- see FAQ for more info)
2338 (Stefan `Sec` Zehl).
2339 * Added a build-time capability where TAP-Win32 driver
2340 debug messages can be output by OpenVPN at --verb 6
2343 2004.01.20 -- Version 1.6-beta2
2345 * Added ./configure --enable-iproute2 flag which
2346 uses iproute2 instead of route + ifconfig --
2347 this is necessary for the LEAF Linux distro
2349 * Added renewal-time and rebind-time to set of
2350 DHCP options returned by the TAP-Win32 driver when
2351 "--ip-win32 dynamic" is used.
2353 2004.01.14 -- Version 1.6-beta1
2355 * Fixed --proxy bug that sometimes caused plaintext
2356 control info generated by the proxy prior to http
2357 CONNECT method establishment to be incorrectly
2358 parsed as OpenVPN data.
2359 * For Windows version, implemented the
2360 "--ip-win32 dynamic" method and made it the default.
2361 This method sets the TAP-Win32 adapter IP address
2362 and netmask by replying to the kernel's DHCP queries.
2363 See the man page for more detailed info.
2364 * Added --connect-retry parameter which controls
2365 the time interval (in seconds) between connect()
2366 retries when --proto tcp-client is used. Previously,
2367 this value was hardcoded to 5 seconds, and still
2369 * --resolv-retry can now be used with a parameter
2370 of "infinite" to retry indefinitely.
2371 * Added SSL_CTX_use_certificate_chain_file() to ssl.c
2372 for support of multi-level certificate chains
2374 * Fixed --tls-auth incompatibility with 1.4.x and earlier
2375 versions of OpenVPN when the passphrase file is an
2376 OpenVPN static key file (as generated by --genkey).
2377 * Added shell-escape support in config files using
2378 the backslash character ("\") so that (for example)
2379 double quotes can be passed to the shell.
2380 * Added "contrib" subdirectory on tarball, source zip,
2381 and CVS containing user-submitted contributions.
2382 * Added an optional patch to the Redhat init script to
2383 allow the configuration file directory to be a
2384 multi-level directory hierarchy (Farkas Levente).
2385 See contrib/multilevel-init.patch
2386 * Added some scripts and documentation on using
2387 Linux "fwmark" iptables rules to enable
2388 fine-grained routing control over the VPN
2389 (Sean Reifschneider, <jafo@tummy.com>).
2390 See contrib/openvpn-fwmarkroute-1.00
2392 2003.11.20 -- Version 1.5.0
2394 * Minor documentation changes.
2396 2003.11.04 -- Version 1.5-beta14
2398 * Fixed build problem with ./configure --disable-ssl
2399 that was reported on Debian woody.
2400 * Fixed bug where --redirect-gateway could not be used
2401 together with --resolv-retry.
2403 2003.11.03 -- Version 1.5-beta13
2405 * Added CRL (certificate revocation list) capability using
2406 --crl-verify option (Stefano Bracalenti).
2407 * Added --replay-window option for variable replay-protection
2409 * Fixed --fragment bug which might have caused certain large
2410 packets to be sent unfragmented.
2411 * Modified --secret and --tls-auth to permit different cipher and
2412 HMAC keys to be used for each data flow direction. Also
2413 increased static key file size generated by --genkey from
2414 1024 to 2048 bits, where 512 bits each are reserved for
2415 send-HMAC, encrypt, receive-HMAC, and decrypt. Key file forward
2416 and backward compatibility is maintained. See --secret option
2417 documentation on the man page for more info.
2418 * Added --tls-remote option (Teemu Kiviniemi).
2419 * Fixed --tls-cipher documention regarding correct delimiter
2420 usage (Teemu Kiviniemi).
2421 * Added --key-method option for selecting alternative data
2422 channel key negotiation methods. Method 1 is the default.
2423 Method 2 has been added (see man page for more info).
2424 * Added French translation of HOWTO to web site
2425 (Guillaume Lehmann).
2426 * Fixed problem caused by late resolver library load on
2427 certain platforms when --resolv-retry and --chroot are
2428 used together (Teemu Kiviniemi).
2429 * In TCP mode, all decryption or TLS errors will abort the current
2430 connection (this is not done in UDP mode because UDP is
2432 * Fixed a TCP client reconnect bug that only occurs on the
2433 BSDs, where connect() fails with an invalid argument. This
2434 bug was partially (but not completely) fixed in beta7.
2435 * Added "route_net_gateway" environmental variable which contains
2436 the pre-existing default gateway address from the routing table
2437 (there's no standard API for getting the default gateway, so
2438 right now this feature only works on Windows or Linux).
2439 * Renamed the "route_default_gateway" enviromental variable to
2440 "route_vpn_gateway" -- this is the remote VPN endpoint.
2441 * The special keywords vpn_gateway, net_gateway, and remote_host
2442 can now be used for the network or gateway components of the
2443 --route option. See the man page for more info.
2444 * Added the --redirect-gateway option to configure the VPN
2445 as the default gateway (implemented on Linux and Windows only).
2446 * Added the --http-proxy option with basic authentication
2447 support for use in TCP client mode. Successfully tested
2448 using Squid as the HTTP proxy, with and without authentication.
2450 2003.10.12 -- Version 1.5-beta12
2452 * Fixed Linux-only bug in --mktun and --rmtun which was
2453 introduced around beta8 or so, which would cause
2454 an error such as "I don't recognize device tun0 as a
2455 tun or tap device1".
2456 * Added --ifconfig-nowarn option to disable options
2457 consistency warnings about --ifconfig parameters.
2458 * Don't allow any kind of sequence number backtracking or
2459 message reordering when in TCP mode.
2460 * Changed beta naming convention to use '_' (underscore)
2461 rather than '-' (dash) to pacify rpmbuild.
2463 2003.10.08 -- Version 1.5-beta11
2465 * Modified code in the Windows version which sets the IP address
2466 and netmask of the TAP-Win32 adapter using the IP Helper API.
2467 Most of the changes involve better error recovery when
2468 the IP Helper API returns an error status. See the
2469 manual page entry on --ip-win32 for more info.
2471 2003.10.08 -- Version 1.5-beta10
2473 * Added getpass() function for Windows version so that --askpass
2474 option works correctly (Stefano Bracalenti).
2475 * Added reboot advisory to end of Win32 install script.
2476 * Changed crypto code to use pseudo-random IVs rather than
2477 carrying forward the IV state from the previous packet.
2478 This is in response to item 2 in the following document:
2479 http://www.openssl.org/~bodo/tls-cbc.txt which points
2480 out weaknesses in TLS's use of the same IV carryforward
2481 approach. This change does not break protocol compatibility
2482 with previous versions of OpenVPN.
2483 * Made a change to the crypto replay protection code to also
2484 protect against certain kinds of packet reordering attacks.
2485 This change does not break protocol compatibility with
2486 previous versions of OpenVPN.
2487 * Added --ip-win32 option to provide several choices for
2488 setting the IP address on the TAP-Win32 adapter.
2489 * #ifdefed out non-CBC crypto modes by default.
2490 * Added --up-delay option to delay TUN/TAP open and --up script
2491 execution until after connection establishment. This option
2492 replaces the earlier windows-only option --tap-delay.
2494 2003.10.01 -- Version 1.5-beta9
2496 * Fixed --route-noexec bug where option was not parsed correctly.
2497 * Complain if --dev tun is specified without --ifconfig on Windows.
2498 * Fixed bug where TCP connections on windows would sometimes cause
2499 an assertion failure.
2500 * Added a new flag to TAP-Win32 advanced properties that allows one
2501 to set the adapter to be always "connected" even when an OpenVPN
2502 process doesn't have it open. The default behavior is to report
2503 a media status of connected only when an OpenVPN process has the
2505 * Rebuilt the Windows self-install distribution with OpenSSL 0.9.7c
2506 DLLs in response to an OpenSSL security advisory.
2508 2003.09.30 -- Version 1.5-beta8
2510 * Extended the --ifconfig option to work on tap devices as well
2512 * Implemented the --ifconfig option for Windows, by calling the
2514 * By default, do an "arp -d *" on Windows after TAP-Win32 open to
2515 refresh the MAC cache. This behaviour can be disabled with
2517 * On Windows, allow the --dev-node parameter (which specifies
2518 the name of the TAP-Win32 adapter) to be omitted in cases where
2519 there is a single TAP-Win32 adapter on the system which can be
2520 assumed to be the default.
2521 * Modified the diagnostic --verb 5 debugging level to print 'R'
2522 for TCP/UDP read, 'W' for TCP/UDP write, 'r' for TUN/TAP read,
2523 and 'w' for TUN/TAP write.
2524 * Conditionalize OpenBSD read_tun and write_tun based on tun or tap
2526 * Added IPv6 tun support to OpenBSD (Thomas Glanzmann).
2527 * Make the --enable-mtu-dynamic ./configure option enabled by
2529 * Deprecated the --mtu-dynamic run-time option, in favor of
2531 * DNS names can now be used as --ifconfig parameters.
2532 * Significant work on TAP-Win32 driver to bring up to SMP standards.
2533 * On Windows, fixed dangling IRP problem if TAP-Win32 driver is
2534 unloaded or disabled, while a user-space process has it open.
2535 * On Windows, if --tun-mtu is not specified, it will be read from
2536 the TAP-Win32 driver via ioctl.
2537 * On Windows, added TAP-Win32 driver status info to "F2" keyboard
2538 signal (only when run from a console window).
2539 * Added --mssfix option to control TCP MSS size (YANO Hirokuni).
2540 * Renamed --mtu-dynamic option to --fragment to more accurately
2541 reflect its function. Fragment accepts a single parameter which
2542 is the upper limit on acceptable UDP packet size.
2543 * Changed default --tun-mtu-extra parameter to 32 from 64.
2544 * Eliminated reference to malloc.o in configure.ac.
2545 * Added tun device emulation to the TAP-Win32 driver.
2546 * Added --route and related options.
2547 * Added init script for SuSE Linux (Frank Plohmann).
2548 * Extended option consistency check between peers to function
2549 in all crypto modes, including static-key and cleartext modes.
2550 Previously only TLS mode was supported. Disable with
2552 * Overall, increased the amount of configuration option sanity
2553 checking, especially of networking parameters.
2554 * Added --mtu-test option for empirical MTU measurement.
2555 * Added Windows-only option --tap-delay to not set the TAP-Win32
2556 adapter media state to 'connected' until TCP/UDP connection
2557 establishment with peer.
2558 * Slightly modified --route/--route-delay semantics so that when
2559 --route is given without --route-delay, routes are added
2560 immediately after tun/tap device open. When --route-delay is
2561 specified, routes will be added n seconds after connection
2562 initiation, where n is the --route-delay parameter (which
2564 * Made TCP framing error into a non-fatal error that triggers a
2567 2003.08.28 -- Version 1.5-beta7
2569 * Fixed bug that caused OpenVPN not to respond to exit/restart
2570 signals when --resolv-retry is used and a local or remote DNS
2571 name cannot be resolved.
2572 * Exported a series of environmental variables with useful
2573 info for scripts. See man page for more info. Based
2574 on a suggestion by Anthony Ciaravalo.
2575 * Moved TCP/UDP socket bind to a point in the initialization
2576 before the --up script gets called. This is desirable
2577 because (a) a socket bind failure will happen before
2578 daemonization, allowing an error status code to be returned
2579 to the shell and (b) the possibility is eliminated of a
2580 socket bind failure causing the --up script to be run
2581 but not the --down script. This change has a side effect
2582 that --resolv-retry will no longer work with --local.
2583 * Fixed bug where if an OpenVPN TCP server went down and back
2584 up again, Solaris or FreeBSD clients would fail to reconnect
2586 * Fixed bug that prevented OpenVPN from being run by
2587 inetd/xinetd in TCP mode.
2588 * Added --log and --log-append options for logging messages to
2590 * On Windows, check that the current user is a member of the
2591 Administrator group before attempting install or uninstall.
2593 2003.08.16 -- Version 1.5-beta6
2595 * Fixed TAP-Win32 driver to properly increment the Rx/Tx count.
2597 2003.08.14 -- Version 1.5-beta5
2599 * Added user-configurability of the TAP-Win32 adapter MTU
2600 through the adapter advanced properties page.
2601 * Added Windows Service support.
2602 * On Windows, added file association and right-clickability
2603 for .ovpn files (OpenVPN config files).
2605 2003.08.05 -- Version 1.5-beta4
2607 * Extra refinements and error checking added to Windows
2608 NSIS install script.
2610 2003.08.05 -- Version 1.5-beta3
2612 * Added md5.h include to crypto.c to fix build problem on
2614 * Created a Win32 installer using NSIS.
2615 * Removed DelService command from TAP-Win32 INF file. It appears
2616 to be not necessary and it interfered with the ability to
2617 uninstall and reinstall the driver without needing to reboot.
2618 * On Windows version, added "addtap" and "deltapall" batch
2619 files to add and delete TAP-Win32 adapter instances.
2621 2003.07.31 -- Version 1.5-beta2
2623 * Renamed INSTALL.w32 to INSTALL-win32.txt and reformatted
2624 in Windows ASCII so it's easier to click and view.
2625 * Added postscript and PDF versions of the HOWTO to the web
2627 * Merged Michael Clarke's stability patch into TAP-Win32
2628 driver which appears to fix the suspend/resume driver bug
2629 and significantly improve driver stability.
2630 * Added Christof Meerwald's Media Status patch to the
2631 TAP-Win32 driver which shows the TAP adapter to be
2632 disconnected when OpenVPN is not running.
2633 * Moved socket connect and TCP server listen code to a later
2634 point in openvpn() function so that the TCP server listen
2635 state is entered after daemonization.
2636 * Added keyboard shortcuts to simulate signals in the Windows
2637 version, see the window title bar for descriptions.
2639 2003.07.24 -- Version 1.5-beta1
2641 * Added TCP support via the new --proto option.
2642 * Renamed udp-centric options such as --udp-mtu to
2643 --link-mtu (old option names preserved for compatibility).
2644 * Ported to Windows 2000 + XP using mingw and a TAP driver
2645 derived from the Cipe-Win32 project by Damion K. Wilson.
2646 * Added --show-adapters flag for windows version.
2647 * Reworked the SSL/TLS packet acknowledge code to better
2648 handle certain corner cases.
2649 * Turned off the default enabling of IP forwarding in the
2650 sample-scripts/openvpn.init script for Redhat.
2651 Forwarding can be enabled by users in their --up scripts
2653 * Added --up-restart option based on suggestion from Sean
2655 * If --dev tap or --dev-type tap is specified, --tun-mtu
2656 defaults to 1500 and --tun-mtu-extra defaults to 64.
2657 * Enabled --verb 5 debugging mode that prints 'R' and 'W'
2658 for each packet read or write on the TCP/UDP socket.
2660 2003.08.04 -- Version 1.4.3
2662 * Added md5.h include to crypto.c
2663 to fix build problem on OpenBSD.
2665 2003.07.15 -- Version 1.4.2
2667 * Removed adaptive bandwidth from
2668 --mtu-dynamic -- its absence appears
2669 to work better than its existence (1.4.1.2).
2670 * Minor changes to --shaper to fix long
2671 retransmit timeouts at low bandwidth
2673 * Added LOG_RW flag to openvpn.h for
2674 debugging (1.4.1.2).
2675 * Silenced spurious configure warnings (1.4.1.2).
2676 * Backed out --dev-name patch, modified --dev
2677 to offer equivalent functionality (1.4.1.4).
2678 * Added an optional parameter to --daemon and
2679 --inetd to support the passing of a custom
2680 program name to the system logger (1.4.1.5).
2681 * Add compiled-in options to the program title
2683 * Coded the beginnings of a WIN32 port (1.4.1.5).
2684 * Succeeded in porting to Win32 Mingw environment
2685 and running loopback tests (1.4.1.6). Still
2686 need a kernel driver for full Win32
2688 * Fixed a bug in error.h where
2689 HAVE_CPP_VARARG_MACRO_GCC was misspelled.
2690 This would have caused a significant slowdown
2691 of OpenVPN when built by compilers that
2692 lack ISO C99 vararg macros (1.4.1.6).
2693 * Created an init script for Gentoo Linux
2694 in ./gentoo directory (1.4.1.6).
2696 2003.05.15 -- Version 1.4.1
2698 * Modified the Linux 2.4 TUN/TAP open code to
2699 fall back to the 2.2 TUN/TAP interface if the
2700 open or ioctl fails.
2701 * Fixed bug when --verb is set to 0 and non-fatal
2702 socket errors occur, causing 100% CPU utilization.
2703 Occurs on platorms where
2704 EXTENDED_SOCKET_ERROR_CAPABILITY is defined,
2706 * Fixed typo in tun.c that was preventing
2708 * Added --enable-mtu-dynamic configure option
2709 to enable --mtu-dynamic experimental option.
2711 2003.05.07 -- Version 1.4.0
2713 * Added --replay-persist feature to allow replay
2714 protection across sessions.
2715 * Fixed bug where --ifconfig could not be used
2717 * Added --tun-mtu-extra parameter to deal with
2718 the situation where a read on a TUN/TAP device
2719 returns more data than the device's MTU size.
2720 * Fixed bug where some IPv6 support code for
2721 Linux was not being properly ifdefed out for
2722 Linux 2.2, causing compile errors.
2723 * Added OPENVPN_EXIT_STATUS_x codes to
2724 openvpn.h to control which status value
2725 openvpn returns to its caller (such as
2726 a shell or inetd/xinetd) for various conditions.
2727 * Added OPENVPN_DEBUG_COMMAND_LINE flag to
2728 openvpn.h to allow debugging in situations
2729 where stdout, stderr, and syslog cannot be used
2730 for message output, such as when OpenVPN is
2731 instantiated by inetd/xinetd.
2732 * Removed owner-execute permission from file
2733 created by static key generator (Herbert Xu
2734 and Alberto Gonzalez Iniesta).
2735 * Added --passtos option to allow IPv4 TOS bits
2736 to be passed from TUN/TAP input packets to
2737 the outgoing UDP socket (Craig Knox).
2738 * Added code to prevent open socket file descriptors
2739 from being accessible to called scripts.
2740 * Added --dev-name option (Christian Lademann).
2741 * Added --mtu-disc option for manual control
2743 * Show OS MTU value on UDP socket write failures
2745 * Numerous build system and portability
2746 fixes (Matthias Andree).
2747 * Added better sensing of compiler support for
2748 variable argument macros, including (a) gcc
2749 style, (b) ISO C 1999 style, and (c) no support.
2750 * Removed generated files from CVS. Note INSTALL
2751 file for new CVS build commands.
2752 * Changed certain internal symbol names
2753 for C standards compliance.
2754 * Added TUN/TAP open code to cycle dynamically
2755 through unit numbers until it finds a free
2756 unit (based on code from Thomas Gielfeldt
2758 * Added dynamic MTU and fragmenting infrastructure
2759 (Experimental). Rebuild with FRAGMENT_ENABLE
2761 * Minor changes to SSL/TLS negotiation, use
2762 exponential backoff on retransmits, and use
2763 a smaller MTU size (note that no protocol
2764 changes have been made which would break
2765 compatibility with 1.3.x).
2766 * Added --enable-strict-options flag
2767 to ./configure. This option will cause
2768 a more strict check for options compatibility
2769 between peers when SSL/TLS negotiation is used,
2770 but should only be used when both OpenVPN peers
2771 are of the same version.
2772 * Reorganization of debugging levels.
2773 * Added a workaround in configure.ac for
2774 default SSL header location on Linux
2775 to fix RH9 build problem.
2776 * Fixed potential deadlock when pthread support
2777 is used on OSes that allocate a small socketpair()
2779 * Fixed openvpn.init to be sh compliant
2781 * Changed --daemon to wait until all
2782 initialization is finished before becoming a
2783 daemon, for the benefit of initialization
2784 scripts that want a useful return status from
2785 the openvpn command.
2786 * Made openvpn.init script more robust, including
2787 positive indication of initialization errors
2788 in the openvpn daemon and better sanity checks.
2789 * Changed --chroot to wait until initialization
2790 is finished before calling chroot(), and allow
2791 the use of --user and --group with --chroot.
2792 * When syslog logging is enabled (--daemon or
2793 --inetd), set stdin/stdout/stderr to point
2795 * For inetd instantiations, dup socket descriptor
2797 * Fixed bug in verify-cn script, where test would
2798 incorrectly fail if CN=x was the last component
2799 of the X509 composite string (Anonymous).
2800 * Added Markus F.X.J. Oberhumer's special
2801 license exception to COPYING.
2803 2002.10.23 -- Version 1.3.2
2805 * Added SSL_CTX_set_client_CA_list call
2806 to follow the canonical form for TLS initialization
2807 recommended by the OpenSSL docs. This change allows
2808 better support for intermediate CAs and has no impact
2810 * Added build-inter script to easy-rsa package, to
2811 facilitate the generation of intermediate CAs.
2812 * Ported to NetBSD (Dimitri Goldin).
2813 * Fixed minor bug in easy-rsa/sign-req. It refers to
2814 openssl.cnf file, instead of $KEY_CONFIG, like all
2815 other scripts (Ernesto Baschny).
2816 * Added --days 3650 to the root CA generation command
2817 in the HOWTO to override the woefully small 30 day
2818 default (Dominik 'Aeneas' Schnitzer).
2819 * Fixed bug where --ping-restart would sometimes
2820 not re-resolve remote DNS hostname.
2821 * Added --tun-ipv6 option and related infrastructure
2822 support for IPv6 over tun.
2823 * Added IPv6 over tun support for Linux (Aaron Sethman).
2824 * Added FreeBSD 4.1.1+ TUN/TAP driver notes to
2825 INSTALL (Matthias Andree).
2826 * Added inetd/xinetd support (--inetd) including
2827 documentation in the HOWTO.
2828 * Added "Important Note on the use of commercial certificate
2829 authorities (CAs) with OpenVPN" to HOWTO based on
2830 issues raised on the openvpn-users list.
2832 2002.07.10 -- Version 1.3.1
2834 * Fixed bug in openvpn.spec and openvpn.init
2835 which caused RPM upgrade to fail.
2837 2002.07.10 -- Version 1.3.0
2839 * Added --dev-node option to allow explicit selection of
2840 tun/tap device node.
2841 * Removed mlockall call from child thread, as it doesn't
2842 appear to be necessary (child thread inherits mlockall
2844 * Added --ping-timer-rem which causes timer for --ping-exit
2845 and --ping-restart not to run unless we have a remote IP
2847 * Added condrestart to openvpn.init and openvpn.spec
2849 * Added --ifconfig case for FreeBSD (Matthias Andree).
2850 * Call openlog with facility=LOG_DAEMON (Matthias Andree).
2851 * Changed LOG_INFO messages to LOG_NOTICE.
2852 * Added warning when key files are group/others accessible.
2853 * Added --single-session flag for TLS mode.
2854 * Fixed bug where --writepid would segfault if used with
2855 an invalid filename.
2856 * Fixed bug where --ipchange status message was formatted
2858 * Print more concise error message when system() call
2860 * Added --disable-occ option.
2861 * Added --local, --remote, and --ifconfig options sanity
2863 * Changed default UDP MTU to 1300 and TUN/TAP MTU to
2865 * Successfully tested with OpenSSL 0.9.7 Beta 2.
2866 * Broke out debug level definitions to errlevel.h
2867 * Minor documentation and web site changes.
2868 * All changes maintain protocol compatibility
2869 with OpenVPN versions since 1.1.0, however default
2870 MTU changes will require setting the MTU explicitly
2871 by command line option, if you want 1.3.0 to
2872 communicate with previous versions.
2874 2002.06.12 -- Version 1.2.1
2876 * Added --ping-restart option to restart
2877 connection on ping timeout using SIGUSR1
2878 logic (Matthias Andree).
2879 * Added --persist-tun, --persist-key,
2880 --persist-local-ip, and --persist-remote-ip
2881 options for finer-grained control over SIGUSR1
2882 and --ping-restart restarts. To
2883 replicate previous SIGUSR1 functionality,
2884 use --persist-remote-ip.
2885 * Changed residual IV fetching code to take
2886 IV from tail of ciphertext.
2887 * Added check to make sure that CFB or OFB
2888 cipher modes are only used with SSL/TLS
2889 authentication mode, and added a caveat
2891 * Changed signal handling during initialization
2892 (including re-initialization during restarts)
2893 to exit on SIGTERM or SIGINT and ignore other
2894 signals which would ordinarily be caught.
2895 * Added --resolv-retry option to allow
2896 retries on hostname resolution.
2897 * Expanded the --float option to also
2898 allow dynamic changes in source port number
2899 on incoming datagrams.
2900 * Added --mute option to limit repetitive
2901 logging of similar message types.
2902 * Added --group option to downgrade GID
2903 after initialization.
2904 * Try to set ifconfig path automatically
2906 * Added --ifconfig code for Mac OS X
2907 (Christoph Pfisterer).
2908 * Moved "Peer Connection Initiated" message
2910 * Successfully tested with
2911 OpenSSL 0.9.7 Beta 1 and AES cipher.
2912 * Added RPM notes to INSTALL.
2913 * Added ACX_PTHREAD (from the autoconf
2914 macro archive) to configure.ac
2915 to figure out the right pthread
2916 options for a given platform.
2917 * Broke out macro definitions from
2918 configure.ac to acinclude.m4.
2919 * Minor changes to docs and HOWTO.
2920 * All changes maintain protocol compatibility
2921 with OpenVPN versions since 1.1.0.
2923 2002.05.22 -- Version 1.2.0
2925 * Added configuration file support via
2926 the --config option.
2927 * Added pthread support to improve latency.
2928 With pthread support, OpenVPN
2929 will offload CPU-intensive tasks such as RSA
2930 key number crunching to a background thread
2931 to improve tunnel packet forwarding
2932 latency. pthread support can be enabled
2933 with the --enable-pthread configure option.
2934 Pthread support is currently available
2935 only for Linux and Solaris.
2936 * Added --dev-type option so that tun/tap
2937 device names don't need to begin with
2939 * Added --writepid option to write main
2940 process ID to a file.
2941 * Numerous portability fixes to ease
2942 porting to other OSes including changing
2943 all network types to uint8_t and uint32_t,
2944 and not assuming that time_t is 32 bits.
2945 * Backported to OpenSSL 0.9.5.
2946 * Ported to Solaris.
2947 * Finished OpenBSD port except for
2949 * Added initialization script:
2950 sample-scripts/openvpn.init
2952 * Ported to Mac OS X (Christoph Pfisterer).
2953 * Improved resilience to DoS attacks when
2954 TLS mode is used without --remote or
2955 --tls-auth, or when --float is used
2956 with --remote. Note however that the best
2957 defense against DoS attacks in TLS mode
2958 is to use --tls-auth.
2959 * Eliminated automake/autoconf dependency
2961 * Ported configure.in to configure.ac
2963 * SIGHUP signal now causes OpenVPN to restart
2964 and re-read command line and or config file,
2965 in conformance with canonical daemon behaviour.
2966 * SIGUSR1 now does what SIGHUP did in
2967 version 1.1.1 and earlier -- close and reopen
2968 the UDP socket for use when DHCP changes
2969 host's IP address and preserve most recently
2970 authenticated peer address without rereading
2972 * SIGUSR2 added -- outputs current statistics,
2973 including compression statistics.
2974 * All changes maintain protocol compatibility
2975 with 1.1.1 and 1.1.0.
2977 2002.04.22 -- Version 1.1.1
2979 * Added --ifconfig option to automatically configure
2981 * Added inactivity disconnect (--inactive
2982 and --ping-exit options).
2983 * Added --ping option to keep stateful firewalls
2985 * Added sanity check to command line parser to
2986 err if any TLS options are used in non-TLS mode.
2987 * Fixed build problem with compiler environments that
2988 define printf as a macro.
2989 * Fixed build problem on linux systems that have
2990 an integrated TUN/TAP driver but lack the persistent
2991 tunnel feature (TUNSETPERSIST). Some linux kernels
2992 >= 2.4.0 and < 2.4.7 fall into this category.
2993 * Changed all calls to EVP_CipherInit to use explicit
2994 encrypt/decrypt mode in order to fix problem with
2995 IDEA-CBC and AES-256-CBC ciphers.
2996 * Minor changes to control channel transmit limiter
2997 algorithm to fix problem where TLS control channel
2998 might not renegotiate within the default 60 second window.
2999 * Simplified man page examples by taking advantage
3000 of the new --ifconfig option.
3001 * Minor changes to configure.in to check more
3002 rigourously for OpenSSL 0.9.6 or greater.
3003 * Put back openvpn.spec, eliminated
3005 * Modified openvpn.spec to reflect new automake-based
3006 build environment (Bishop Clark).
3007 * Other documentation changes.
3008 * Added --test-crypto option for debugging.
3009 * Added "missing" and "mkinstalldirs" automake
3013 2002.04.09 -- Version 1.1.0
3015 * Strengthened replay protection and IV handling,
3016 extending it fully to both static key and
3017 TLS dynamic key exchange modes.
3018 * Added --mlock option to disable paging and ensure that key
3019 material and tunnel data is never paged to disk.
3020 * Added optional traffic shaping feature to cap the maximum
3021 data rate of the tunnel.
3022 * Converted to automake (The Platypus Brothers 2002-04-01).
3023 * Ported to OpenBSD by Janne Johansson.
3024 * Added --tun-af-inet option to work around an incompatibility
3025 between Linux and BSD tun drivers.
3026 * Sequence number-based replay protection using the
3027 IPSec sliding window model is now the default,
3028 disable with --no-replay.
3029 * Explicit IV is now the default, disable with --no-iv.
3030 * Disabled all cipher modes except CBC, CFB, and OFB.
3031 * In CBC mode, use explicit IV and carry forward residuals,
3033 * In CFB/OFB mode, IV is timestamp, sequence number.
3034 * Eliminated --packet-id, --timestamp, and max-delta parameter to
3035 the --tls-auth option as they are now supplanted by improved
3036 replay code which is enabled by default.
3037 * Eliminated --rand-iv as it is now obsolete with improved
3039 * Eliminated --reneg-err option as it increases vulnerability
3041 * Added weak key check for DES ciphers.
3042 * --tls-freq option is no longer specified on the command line,
3043 instead it now inherits its parameter from the
3044 --tls-timeout option.
3045 * Fixed bug that would try to free memory on exit that was
3046 never malloced if --comp-lzo was not specified.
3047 * Errata fixed in the man page examples: "test-ca" should be
3049 * Updated manual page.
3050 * Preliminary work in porting to OpenSSL 0.9.7.
3051 * Changed license to allowing linking with OpenSSL.
3053 2002.03.29 -- Version 1.0.3
3055 * Fixed a problem in configure with library ordering on the
3058 2002.03.28 -- Version 1.0.2
3060 * Improved the efficiency of the inner event loop.
3061 * Fixed a minor bug with timeout handling.
3062 * Improved the build system to build on RH 6.2 through 7.2.
3063 * Added an openvpn.spec file for RPM builders (Bishop Clark).
3065 2002.03.23 -- Version 1.0
3067 * Added TLS-based authentication and key exchange.
3068 * Added gremlin mode to stress test.
3071 2001.12.26 -- Version 0.91
3073 * Added any choice of cipher or HMAC digest.
3075 2001.5.13 -- Version 0.90
3078 * IP tunnel over UDP, with blowfish cipher and SHA1 HMAC signature.