OpenVPN Changelog

What's new in OpenVPN 2.6.10 I001

Mar 20, 2024

Security fixes:
CVE-2024-27459: Windows: fix a possible stack overflow in the
interactive service component which might lead to a local privilege escalation.
Reported-by: Vladimir Tokarev [email protected]
CVE-2024-24974: Windows: disallow access to the interactive service pipe from remote computers.
Reported-by: Vladimir Tokarev [email protected]
CVE-2024-27903: Windows: disallow loading of plugins from untrusted installation paths, which could be used to attack openvpn.exe via a malicious plugin. Plugins can now only be loaded from the OpenVPN install directory, the Windows system directory, and possibly from a directory specified by HKLMSOFTWAREOpenVPNplugin_dir.
Reported-by: Vladimir Tokarev [email protected]
CVE-2024-1305: Windows TAP driver: Fix potential integer overflow in !TapSharedSendPacket.
Reported-by: Vladimir Tokarev [email protected]
New features:
t_client.sh can now run pre-tests and skip a test block if needed
(e.g. skip NTLM proxy tests if SSL library does not support MD4)
User visible changes:
Update copyright notices to 2024
Bug fixes:
Windows: if the win-dco driver is used (default) and the GUI requests use of a proxy server, the connection would fail. Disable DCO in this case. (#522)
Compression: minor bugfix in checking option consistency vs. compiled-in algorithm support
systemd unit files: remove obsolete syslog.target

New in OpenVPN 2.6.8 I001 (Nov 17, 2023)

New in OpenVPN 2.6.6 I001 (Aug 17, 2023)

New in OpenVPN 2.6.5 I001 (Jun 14, 2023)

New in OpenVPN 2.6.4 I001 (May 11, 2023)

New in OpenVPN 2.6.3 I001 (Apr 14, 2023)

New in OpenVPN 2.6.1 I001 (Mar 9, 2023)

New in OpenVPN 2.6.0 I003 (Jan 26, 2023)

New in OpenVPN 2.5.8 I601 (Nov 3, 2022)

New in OpenVPN 2.5.7 I602 (Jun 1, 2022)

New in OpenVPN 2.5.6 I601 (Mar 16, 2022)

New in OpenVPN 2.5.4 I604 (Oct 21, 2021)

New in OpenVPN 2.5.4 (Oct 5, 2021)

New in OpenVPN 2.5.2 (Apr 21, 2021)

New in OpenVPN 2.5.1 (Feb 24, 2021)

New in OpenVPN 2.5.0 (Oct 28, 2020)

New in OpenVPN 2.5 RC 2 (Sep 30, 2020)

New in OpenVPN 2.5 RC 1 (Sep 22, 2020)

New in OpenVPN 2.5 Beta 1 (Aug 14, 2020)

New in OpenVPN 2.4.9 (Apr 17, 2020)

New in OpenVPN 2.4.8 (Oct 31, 2019)

New in OpenVPN 2.4.7 (Feb 21, 2019)

Adam Ciarciński (1):
Fix subnet topology on NetBSD (2.4).
Antonio Quartulli (3):
add support for %lu in argv_printf and prevent ASSERT
buffer_list: add functions documentation
ifconfig-ipv6(-push): allow using hostnames
Arne Schwabe (7):
Properly free tuntap struct on android when emulating persist-tun
Add OpenSSL compat definition for RSA_meth_set_sign
Add support for tls-ciphersuites for TLS 1.3
Add better support for showing TLS 1.3 ciphersuites in --show-tls
Use right function to set TLS1.3 restrictions in show-tls
Add message explaining early TLS client hello failure
Fallback to password authentication when auth-token fails
Christian Ehrhardt (1):
systemd: extend CapabilityBoundingSet for auth_pam
David Sommerseth (1):
plugin: Export base64 encode and decode functions
Gert Doering (4):
Add %d, %u and %lu tests to test_argv unit tests.
Fix combination of --dev tap and --topology subnet across multiple platforms.
Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6.
preparing release v2.4.7 (ChangeLog, version.m4, Changes.rst)
Gert van Dijk (1):
Minor reliability layer documentation fixes
James Bekkema (1):
Resolves small IV_GUI_VER typo in the documentation.
Jonathan K. Bullard (1):
Clarify and expand management interface documentation
Lev Stipakov (5):
Refactor NCP-negotiable options handling
init.c: refine functions names and description
interactive.c: fix usage of potentially uninitialized variable
options.c: fix broken unary minus usage
Remove extra token after #endif
Richard van den Berg via Openvpn-devel (1):
Fix error message when using RHEL init script
Samy Mahmoudi (1):
man: correct a --redirection-gateway option flag
Selva Nair (7):
Replace M_DEBUG with D_LOW as the former is too verbose
Correct the declaration of handle in 'struct openvpn_plugin_args_open_return'
Bump version of openvpn plugin argument structs to 5
Move get system directory to a separate function
Enable dhcp on tap adapter using interactive service
Pass the hash without the DigestInfo header to NCryptSignHash()
White-list pull-filter and script-security in interactive service
Simon Rozman (2):
Add Interactive Service developer documentation
Detect TAP interfaces with root-enumerated hardware ID
Steffan Karger (7):
man: add security considerations to --compress section
mbedtls: print warning if random personalisation fails
Fix memory leak after sighup
travis: add OpenSSL 1.1 Windows build
Fix --disable-crypto build
Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth'
buffer_list_aggregate_separator(): simplify code

New in OpenVPN 2.4.6 (Apr 24, 2018)

New in OpenVPN 2.4.5-I601 (Mar 1, 2018)

Antonio Quartulli (4):
reload HTTP proxy credentials when moving to the next connection profile
Allow learning iroutes with network made up of all 0s (only if netbits < 8)
mbedtls: fix typ0 in comment
manpage: fix simple typ0
Arne Schwabe (2):
Treat dhcp-option DNS6 and DNS identical
show the right string for key-direction
Bertrand Bonnefoy-Claudet (1):
Fix typo in error message: "optione" -> "option"
David Sommerseth (8):
lz4: Fix confused version check
lz4: Fix broken builds when pkg-config is not present but system library is
Remove references to keychain-mcd in Changes.rst
lz4: Rebase compat-lz4 against upstream v1.7.5
systemd: Add and ship README.systemd
Update copyright to include 2018 plus company name change
man: Add .TQ groff support macro
man: Reword --management to prefer unix sockets over TCP
Emmanuel Deloget (1):
OpenSSL: check EVP_PKEY key types before returning the pkey
Gert Doering (3):
Remove warning on pushed tun-ipv6 option.
Fix removal of on-link prefix on windows with netsh
Preparing for release v2.4.5 (ChangeLog, version.m4, Changes.rst)
Ilya Shipitsin (2):
travis-ci: add brew cache, remove ccache
travis-ci: modify openssl build script to support openssl-1.1.0
James Bottomley (1):
autoconf: Fix engine checks for openssl 1.1
Jeremie Courreges-Anglas (2):
Cast time_t to long long in order to print it.
Fix build with LibreSSL
Selva Nair (14):
Check whether in pull_mode before warning about previous connection blocks
Avoid illegal memory access when malformed data is read from the pipe
Fix missing check for return value of malloc'd buffer
Return NULL if GetAdaptersInfo fails
Use RSA_meth_free instead of free
Bring cryptoapi.c upto speed with openssl 1.1
Add SSL_CTX_get_max_proto_version() not in openssl 1.0
TLS v1.2 support for cryptoapicert -- RSA only
Refactor get_interface_metric to return metric and auto flag separately
Ensure strings read from registry are null-terminated
Make most registry values optional
Use lowest metric interface when multiple interfaces match a route
Adapt to RegGetValue brokenness in Windows 7
Fix format spec errors in Windows builds
Simon Rozman (11):
Local functions are not supported in MSVC. Bummer.
Mixing wide and regular strings in concatenations is not allowed in MSVC.
RtlIpv6AddressToStringW() and RtlIpv4AddressToStringW() require mstcpip.h
Simplify iphlpapi.dll API calls
Fix local #include to use quoted form
Document ">PASSWORD:Auth-Token" real-time message
Fix typo in "verb" command examples
Uniform swprintf() across MinGW and MSVC compilers
MSVC meta files added to .gitignore list
openvpnserv: Add support for multi-instances
Document missing OpenVPN states
Steffan Karger (21):
make struct key * argument of init_key_ctx const
buffer_list_aggregate_separator(): add unit tests
Add --tls-cert-profile option.
Use P_DATA_V2 for server->client packets too
Fix memory leak in buffer unit tests
buffer_list_aggregate_separator(): update list size after aggregating
buffer_list_aggregate_separator(): don't exceed max_len
buffer_list_aggregate_separator(): prevent 0-byte malloc
Fix types around buffer_list_push(_data)
ssl_openssl: fix compiler warning by removing getbio() wrapper
travis: use clang's -fsanitize=address to catch more bugs
Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+
Add support for TLS 1.3 in --tls-version-{min, max}
Plug memory leak if push is interrupted
Fix format errors when cross-compiling for Windows
Log pre-handshake packet drops using D_MULTI_DROPPED
Enable stricter compiler warnings by default
Get rid of ax_check_compile_flag.m4
mbedtls: don't use API deprecated in mbed 2.7
Warn if tls-version-max < tls-version-min
Don't throw fatal errors from create_temp_file()
hashiz (1):
Fix '--bind ipv6only'

New in OpenVPN 2.4.4-I601 (Sep 27, 2017)

crypto: correct typ0 in error message
use M_ERRNO instead of explicitly printing errno
don't print errno twice
ntlm: avoid useless cast
ntlm: unwrap multiple function calls
route: improve error message
management: preserve wait_for_push field when asking for user/pass
tls-crypt: avoid warnings when --disable-crypto is used
ntlm: convert binary buffers to uint8_t *
ntlm: restyle compressed multiple function calls
ntlm: improve code style and readability
OpenSSL: remove unreachable call to SSL_CTX_get0_privatekey()
make function declarations C99 compliant
remove unused functions
use NULL instead of 0 when assigning pointers
add missing static attribute to functions
ntlm: avoid breaking anti-aliasing rules
remove the --disable-multi config switch
rename mroute_extract_addr_ipv4 to mroute_extract_addr_ip
route: avoid definition of unused variables in certain configurations
fix a couple of typ0s in comments and strings
fragment.c: simplify boolean expression
tcp-server: ensure AF family is propagated to child context
Set tls-cipher restriction before loading certificates
Print ec bit details, refuse management-external-key if key is not RSA
Use provided env vars in up/down script.
Document down-root plugin usage in client.down
doc: The CRL processing is not a deprecated feature
cleanup: Move write_pid() to where it is being used
contrib: Remove keychain-mcd code
cleanup: Move init_random_seed() to where it is being used
sample-plugins: fix ASN1_STRING_to_UTF8 return value checks
Highlight deprecated features
Use consistent version references
docs: Replace all PolarSSL references to mbed TLS
systemd: Ensure systemd shuts down OpenVPN in a proper way
systemd: Enable systemd's auto-restart feature for server profiles
lz4: Move towards a newer LZ4 API
Prepare the release of OpenVPN 2.4.
OpenSSL: remove pre-1.1 function from the OpenSSL compat interface
OpenSSL: remove EVP_CIPHER_CTX_new() from the compat layer
OpenSSL: remove EVP_CIPHER_CTX_free() from the compat layer
Warn that DH config option is only meaningful in a tls-server context
travis-ci: add 3 missing patches from master to release/2.4
travis-ci: update openssl to 1.0.2l, update mbedtls to 2.5.1
travis-ci: update pkcs11-helper to 1.22
man: Corrections to doc/openvpn.8
Fix typo in extract_x509_extension() debug message
Move adjust_power_of_2() to integer.h
Undo cipher push in client options state if cipher is rejected
Remove strerror_ts()
Move openvpn_sleep() to manage.c
fixup: also change missed openvpn_sleep() occurrences
Always use default keysize for NCP'd ciphers
Move create_temp_file() out of #ifdef ENABLE_CRYPTO
Deprecate --keysize
Deprecate --no-replay
Move run_up_down() to init.c
tls-crypt: introduce tls_crypt_kt()
crypto: create function to initialize encrypt and decrypt key
Add coverity static analysis to Travis CI config
tls-crypt: don't leak memory for incorrect tls-crypt messages
travis: reorder matrix to speed up build
Fix bounds check in read_key()
OpenSSL: Always set SSL_OP_CIPHER_SERVER_PREFERENCE flag
Fix socks_proxy_port pointing to invalid data

New in OpenVPN 2.4.3-I601 (Jun 22, 2017)

Antonio Quartulli (1):
Ignore auth-nocache for auth-user-pass if auth-token is pushed
David Sommerseth (3):
crypto: Enable SHA256 fingerprint checking in --verify-hash
copyright: Update GPLv2 license texts
auth-token with auth-nocache fix broke --disable-crypto builds
Emmanuel Deloget (8):
OpenSSL: don't use direct access to the internal of X509
OpenSSL: don't use direct access to the internal of EVP_PKEY
OpenSSL: don't use direct access to the internal of RSA
OpenSSL: don't use direct access to the internal of DSA
OpenSSL: force meth->name as non-const when we free() it
OpenSSL: don't use direct access to the internal of EVP_MD_CTX
OpenSSL: don't use direct access to the internal of EVP_CIPHER_CTX
OpenSSL: don't use direct access to the internal of HMAC_CTX
Gert Doering (6):
Fix NCP behaviour on TLS reconnect.
Remove erroneous limitation on max number of args for --plugin
Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
Fix potential 1-byte overread in TCP option parsing.
Fix remotely-triggerable ASSERT() on malformed IPv6 packet.
Preparing for release v2.4.3 (ChangeLog, version.m4, Changes.rst)
Guido Vranken (6):
refactor my_strupr
Fix 2 memory leaks in proxy authentication routine
Fix memory leak in add_option() for option 'connection'
Ensure option array p[] is always NULL-terminated
Fix a null-pointer dereference in establish_http_proxy_passthru()
Prevent two kinds of stack buffer OOB reads and a crash for invalid input data
Jérémie Courrèges-Anglas (2):
Fix an unaligned access on OpenBSD/sparc64
Missing include for socket-flags TCP_NODELAY on OpenBSD
Matthias Andree (1):
Make openvpn-plugin.h self-contained again.
Selva Nair (1):
Pass correct buffer size to GetModuleFileNameW()
Steffan Karger (11):
Log the negotiated (NCP) cipher
Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c)
Skip tls-crypt unit tests if required crypto mode not supported
openssl: fix overflow check for long --tls-cipher option
Add a DSA test key/cert pair to sample-keys
Fix mbedtls fingerprint calculation
mbedtls: fix --x509-track post-authentication remote DoS (CVE-2017-7522)
mbedtls: require C-string compatible types for --x509-username-field
Fix remote-triggerable memory leaks (CVE-2017-7521)
Restrict --x509-alt-username extension types
Fix potential double-free in --x509-alt-username (CVE-2017-7521)
Steven McDonald (1):
Fix gateway detection with OpenBSD routing domains

New in OpenVPN 2.4.1-I601 (Mar 23, 2017)

attempt to add IPv6 route even when no IPv6 address was configured
fix redirect-gateway behaviour when an IPv4 default route does not exist
CRL: use time_t instead of struct timespec to store last mtime
ignore remote-random-hostname if a numeric host is provided
man: fix formatting for alternative option
systemd: Use automake tools to install unit files
systemd: Do not race on RuntimeDirectory
systemd: Add more security feature for systemd units
Clean up plugin path handling
plugin: Remove GNUism in openvpn-plugin.h generation
fix typo in notification message
management: >REMOTE operation would overwrite ce change indicator
management: Remove a redundant #ifdef block
git: Merge .gitignore files into a single file
systemd: Move the READY=1 signalling to an earlier point
plugin: Improve the handling of default plug-in directory
cleanup: Remove faulty env processing functions
OpenSSL: check for the SSL reason, not the full error
OpenSSL: don't use direct access to the internal of X509_STORE_CTX
OpenSSL: don't use direct access to the internal of SSL_CTX
OpenSSL: don't use direct access to the internal of X509_STORE
OpenSSL: don't use direct access to the internal of X509_OBJECT
OpenSSL: don't use direct access to the internal of RSA_METHOD
OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1
OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()
Fix Building Using MSVC
Add openssl_compat.h to openvpn_SOURCES
Fix '--dev null'
Fix installation of IPv6 host route to VPN server when using iservice.
Make ENABLE_OCC no longer depend on !ENABLE_SMALL
Preparing for release v2.4.1 (ChangeLog, version.m4)
Crash in options.c
Resolve several travis-ci issues
travis-ci: remove unused files
Fix building with LibreSSL 2.5.1 by cleaning a hack.
Fix push options digest update
Always release dhcp address in close_tun() on Windows.
Add a check for -Wl, --wrap support in linker
Fix user's group membership check in interactive service to work with domains
Fix segfault when using crypto lib without AES-256-CTR or SHA256
More broadly enforce Allman style and braces-around-conditionals
Use SHA256 for the internal digest, instead of MD5
OpenSSL: 1.1 fallout - fix configure on old autoconf
Fix types in WIN32 socket_listen_accept()
Remove duplicate X509 env variables
Fix non-C99-compliant builds: don't use const size_t as array length
Deprecate --ns-cert-type
Be less picky about keyUsage extensions

New in OpenVPN 2.4.0-I601 (Dec 28, 2016)

New in OpenVPN 2.3.14-I601 (Dec 7, 2016)

New in OpenVPN 2.4 RC 1 (Dec 2, 2016)

New in OpenVPN 2.4 Beta 2 (Nov 25, 2016)

New in OpenVPN 2.3.13-I601 (Nov 3, 2016)

New in OpenVPN 2.3.12-I601 (Aug 24, 2016)

New in OpenVPN 2.3.11-I601 (May 10, 2016)

New in OpenVPN 2.3.10-I601 (Jan 4, 2016)

New in OpenVPN 2.3.9-I601 (Dec 17, 2015)

Show extra-certs in current parameters.
Fix commit a3160fc1bd7368395745b9cee6e40fb819f5564c
Do not set the buffer size by default but rely on the operation system default.
Remove --enable-password-save option
Reflect enable-password-save change in documentation
Also remove second instance of enable-password-save in the man page
Detect config lines that are too long and give a warning/error
Log serial number of revoked certificate
Adjust server-ipv6 documentation
Avoid partial authentication state when using --disabled in CCD configs
Make "block-outside-dns" option platform agnostic
Un-break --auth-user-pass on windows
Replace unaligned 16bit access to TCP MSS value with bytewise access
Repair test_local_addr() on WIN32
Fix possible heap overflow on read accessing getaddrinfo() result.
Fix FreeBSD-specific mishandling of gc arena pointer in create_arbitrary_remote()
remove unused gc_arena in FreeBSD close_tun()
Fix isatty() check for good.
Preparing for release v2.3.9 (ChangeLog, version.m4)
put virtual IPv6 addresses into env
Use adapter index instead of name for windows IPv6 interface config
Client-side part for server restart notification
Use adapter index for add/delete_route_ipv6
Pass adapter index to up/down scripts
Fix VS2013 compilation
Fix privilege drop if first connection attempt fails
Support for username-only auth file.
Add CONTRIBUTING.rst
Updates to Changes.rst
Fix termination when windows suspends/sleeps
Do not hard-code windows systemroot in env_block
Handle ctrl-C and ctrl-break events on Windows
Unbreak read username password from management
Replace strdup() calls for string_alloc() calls
Check return value of ms_error_text()
Increase control channel packet size for faster handshakes
hardening: add insurance to exit on a failed ASSERT()
Fix memory leak in auth-pam plugin
Fix (potential) memory leak in init_route_list()
Fix unintialized variable in plugin_vlog()
Add macro to ensure we exit on fatal errors
Fix memory leak in add_option() by simplifying get_ipv6_addr
openssl: properly check return value of RAND_bytes()
Fix rand_bytes return value checking
Add Windows DNS Leak fix using WFP ('block-outside-dns')
Fix "White space before end tags can break the config parser"

New in OpenVPN 2.3.8-I601 (Aug 5, 2015)

New in OpenVPN 2.3.7-I603 (Jul 25, 2015)

New in OpenVPN 2.3.7-I601 (Jun 10, 2015)

Default gateway can't be determined on illumos/Solaris platforms
Warn that tls-auth with free form files is going to be removed from OpenVPN 2.4
autotools: Fix wrong ./configure help screen default values
down-root plugin: Replaced system() calls with execve()
down-root: Improve error messages
plugin, down-root: Fix compiler warnings
sockets: Remove the limitation of --tcp-nodelay to be server-only
plugins, down-root: Code style clean-up
pkcs11: Load p11-kit-proxy.so module by default
Make 'provider' option to --show-pkcs11-ids optional where p11-kit is present
Use OPENVPN_ETH_P_* so that is unecessary
New approach to handle peer-id related changes to link-mtu (2.3 version)
Fix incorrect use of get_ipv6_addr() for iroute options.
Print helpful error message on --mktun/--rmtun if not available.
explain effect of --topology subnet on --ifconfig
Add note about file permissions and --crl-verify to manpage.
repair --dev null breakage caused by db950be85d37
assume res_init() is always there.
Correct note about DNS randomization in openvpn.8
Disallow usage of --server-poll-timeout in --secret key mode.
slightly enhance documentation about --cipher
Enforce "serial-tests" behaviour for tests/Makefile
Revert "Enforce "serial-tests" behaviour for tests/Makefile"
On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo().
Use configure.ac hack to apply serial_test AM option only if supported.
Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo().
Move res_init() call to inner openvpn_getaddrinfo() loop
Fix FreeBSD ifconfig for topology subnet tunnels.
Preparing for release v2.3.7 (ChangeLog, version.m4)
Fix --redirect-private in --dev tap mode.
include ifconfig_ environment variables in --up-restart env set
Fix null pointer dereference in options.c
Fix mssfix default value in connection_list context
Manual page update for Re-enabled TLS version negotiation.
Include systemd units in the source tarball (make dist)
Updated manpage for --rport and --lport
Properly escape dashes on the man-page
Improve documentation in --script-security section of the man-page
Really fix '--cipher none' regression
Update doxygen (a bit)
Set tls-version-max to 1.1 if cryptoapicert is used
Account for peer-id in frame size calculation
Disable SSL compression
Fix frame size calculation for non-CBC modes.
Allow for CN/username of 64 characters (fixes off-by-one)
Remove unneeded parameter 'first_time' from possibly_become_daemon()
Re-enable TLS version negotiation by default
Remove size limit for files inlined in config
Improve --tls-cipher and --show-tls man page description
Re-read auth-user-pass file on (re)connect if required
Clarify --capath option in manpage
Call daemon() before initializing crypto library

New in OpenVPN 2.3.6-I601 (Dec 2, 2014)

New in OpenVPN 2.3.5-I601 (Oct 29, 2014)

Fix some typos in the man page
Do not upcase x509-username-field for mixed-case arguments
Fix server routes not working in topology subnet with --server [v3]
Improve error reporting on file access to --client-config-dir and --ccd-exclusive
Don't let openvpn_popen() keep zombies around
Add systemd unit file for OpenVPN
systemd: Use systemd functions to consider systemd availability
Drop incoming fe80:: packets silently now.
Fix t_lpback.sh platform-dependent failures
Call init script helpers with explicit path (./)
Preparing for release v2.3.5 (ChangeLog, version.m4)
refine assertion to allow other modes than CBC
ocsp_check - signature verification and cert staus results are separate
ocsp_check - double check if ocsp didn't report any errors in execution
Fixed several instances of declarations after statements.
In socket.c, fixed issue where uninitialized value (err) is being passed to to gai_strerror.
Explicitly cast the third parameter of setsockopt to const void * to avoid warning.
MSVC 2008 doesn't support dimensioning an array with a const var nor using %z as a printf format specifier.
Define PATH_SEPARATOR for MSVC builds.
Fixed some compile issues with show_library_versions()
Remove quadratic complexity from openvpn_base64_decode()
Add configure check for the path to systemd-ask-password
Add topology in sample server configuration file
Implement on-link route adding for iproute2
Ensure that client-connect files are always deleted
Remove function without effect (cipher_ok() always returned true).
Remove unneeded wrapper functions in crypto_openssl.c
Fix bug that incorrectly refuses oid representation eku's in polar builds
Update README.polarssl
Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.
Add proper check for crypto modes (CBC or OFB/CFB)
Improve --show-ciphers to show if a cipher can be used in static key mode
Extend t_lpback tests to test all ciphers reported by --show-ciphers
Don't exit daemon if opening or parsing the CRL fails.
Fix typo in cipher_kt_mode_{cbc, ofb_cfb}() doxygen.
Fix regression with password protected private keys (polarssl)
ssl_polarssl.c: fix includes and make casts explicit
Remove unused variables from ssl_verify_openssl.c extract_x509_extension()
Fix "code=995" bug with windows NDIS6 tap driver.

New in OpenVPN 2.3.4-I001 (May 2, 2014)

New in OpenVPN 2.3.3-I001 (Apr 9, 2014)

pkcs11: use generic evp key instead of rsa
Add support of utun devices under Mac OS X
Add support to ignore specific options.
Add a note what setenv opt does for OpenVPN < 2.3.3
Add reporting of UI version to basic push-peer-info set.
Fix compile error in ssl_openssl introduced by polar external-management patch
Fix assertion when SIGUSR1 is received while getaddrinfo is successful
Add warning for using connection block variables after connection blocks
Introduce safety check for http proxy options
man page: Update man page about the tls_digest_{n} environment variable
Remove the --disable-eurephia configure option
plugin: Extend the plug-in v3 API to identify the SSL implementation used
autoconf: Fix typo
Fix file checks when --chroot is being used
Document authfile for socks server
Fix IPv6 examples in t_client.rc-sample
Fix slow memory drain on each client renegotiation.
t_client.sh: ignore fields from "ip -6 route show" output that distort results.
Make code and documentation for --remote-random-hostname consistent.
Reduce IV_OPENVPN_GUI_VERSION= to IV_GUI_VER=
Document issue with --chroot, /dev/urandom and PolarSSL.
Rename 'struct route' to 'struct route_ipv4'
Replace copied structure elements with including
Workaround missing SSL_OP_NO_TICKET in earlier OpenSSL versions
Always load intermediate certificates from a PKCS#12 file
Support non-ASCII TAP adapter names on Windows
Support non-ASCII characters in Windows tmp path
TLS version negotiation
Added "setenv opt" directive prefix.
Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.
Fix spurious ignoring of pushed config options (trac#349).
Refactor tls_ctx_use_external_private_key()
--management-external-key for PolarSSL
external_pkcs1_sign: Support non-RSA_SIG_RAW hash_ids
Correct error text when no Windows TAP device is present
Require a 1.2.x PolarSSL version
tls_ctx_load_ca: Improve certificate error messages
Remove duplicate cipher entries from TLS translation table.
Fix configure interaction with static OpenSSL libraries
Do not pass struct tls_session* as void* in key_state_ssl_init().
Require polarssl >= 1.2.10 for polarssl-builds, which fixes CVE-2013-5915.
Use RSA_generate_key_ex() instead of deprecated, RSA_generate_key()
Also update TLSv1_method() calls in support code to SSLv23_method() calls.
Update TLSv1 error messages to SSLv23 to reflect changes from commit 4b67f98
If --tls-cipher is supplied, make --show-tls parse the list.
Add openssl-specific common cipher list names to ssl.c.
Add support for client-cert-not-required for PolarSSL.
Fix "." in description of utun.

New in OpenVPN 2.3.2-I001 (Jun 3, 2013)

New in OpenVPN 2.3.1-I001 (Mar 30, 2013)

New in OpenVPN 2.3.0-I005 (Mar 11, 2013)

New in OpenVPN 2.3.0 (Jan 8, 2013)

New in OpenVPN 2.3 RC 2 (Dec 19, 2012)

New in OpenVPN 2.3 RC 1 (Nov 1, 2012)

New in OpenVPN 2.3 Beta 1 (Sep 14, 2012)

New in OpenVPN 2.2.1 (Dec 22, 2011)

New in OpenVPN 2.2.0 (Jul 1, 2011)

New in OpenVPN 2.2 RC (Mar 10, 2011)

New in OpenVPN 2.2 Beta 5 (Dec 6, 2010)

New in OpenVPN 2.1.4 (Nov 10, 2010)

New in OpenVPN 2.1.3 (Sep 2, 2010)

New in OpenVPN 2.1 RC15 / 2.0.9 (Nov 28, 2008)

New in OpenVPN 2.1 RC14 (Nov 18, 2008)

Added AC_GNU_SOURCE to configure.ac to enable structucred, with the goal of fixing a build issue on Fedora 9 that was introduced in 2.1_rc13.
Added additional method parameter to --script-security to preserve backward compatibility with system() call semantics used in OpenVPN 2.1_rc8 and earlier. To preserve backward compatibility use: script-security 3 system
Added additional warning messages about --script-security 2 or higher being required to execute user-defined scripts or executables.
Windows build system changes:
Modified Windows domake-win build system to write all openvpn.nsi input files to gen, so that gen can be disconnected from the rest of the source tree and makensis openvpn.nsi will still function correctly.
Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in(commented out by default).
Added optional files SAMPCONF_CONF2 (second sample configuration file) and SAMPCONF_DH (Diffie-Helman parameters) to Windows build system, and may be defined in settings.in.
Extended Management Interface "bytecount" command to work when OpenVPN is running as a server.
Documented Management Interface "bytecount" command in management/management-notes.txt.
Fixed informational message in ssl.c to properly indicate deferred authentication.
Added server-side --auth-user-pass-optional directive, to allow connections by clients that do not specify a username/password, when a user-defined authentication script/module is in place (via --auth-user-pass-verify, --management-client-auth, or a plugin module).
Changes to easy-rsa/2.0/pkitool and related openssl.cnf:
Calling scripts can set the KEY_NAME environmental variable to set the "name" X509 subject field in generated certificates.
Modified pkitool to allow flexibility in separating the Common Name convention from the cert/key filename convention.
For example: KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james will create a client certificate/key pair of james.crt/james.key having a Common Name of "James's Laptop" and a Name of "james".
Added --no-name-remapping option to allow Common Name, X509 Subject, and username strings to include any printable character including space, but excluding control characters such as tab, newline, and carriage-return (this is important for compatibility with external authentication systems).
As a related change, added --status-version 3 format (and "status 3" in the management interface) which uses the version 2 format except that tabs are used as delimiters instead of commas so that there is no ambiguity when parsing a Common Name that contains a comma.
Also, save X509 Subject fields to environment, using the naming convention:
X509_{cert_depth}_{name}={value}
This is to avoid ambiguities when parsing out the X509 subject string since "/" characters could potentially be used in the common name.
Fixed some ifconfig-pool issues that precluded it from being combined with --server directive.
Now, for example, we can configure thusly:
server 10.8.0.0 255.255.255.0 nopool
ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0
to have ifconfig-pool manage only a subset of the VPN subnet.
Added config file option "setenv FORWARD_COMPATIBLE 1" to relax config file syntax checking to allow directives for future OpenVPN versions to be ignored.

New in OpenVPN 2.1 RC7 (Feb 9, 2008)