OpenVPN 2.6 beta1 released for Windows, Linux


OpenVPN 2.6 beta1 has been released with dozens of fixes and improvements; check them out.

OpenVPN 2.6 beta1



OpenVPN is free and open-source software for creating point-to-point or server-to-multiclient virtual private networks through encrypted tunnels between computers. Wikipedia



There is a series of new features and improvements:

  • Data Channel Offload (DCO) kernel acceleration support for Windows, Linux and FreeBSD.
  • OpenSSL 3 support.
  • Improved tunnel MTU handling, including support for a pushable MTU.
  • Reworked TLS handshake, making OpenVPN immune to replay-packet state exhaustion attacks.
  • Added --peer-fingerprint mode for simpler certificate setup and verification.
  • Improved protocol negotiation, leading to faster connection setup.

Full changelog in the box below.

Adrian (1): Fix error in example firewall.sh script Antonio Quartulli (99): tun.c: remove unused variable openssl: fix EVP_PKEY_CTX memory leak openssl: avoid NULL pointer dereference ssl: remove unneeded if block options: check for blanks in fingerprints and reject string if found crypto: respect ECB argument type from prototype Add documentation on EVENT_READ/EVENT_WRITE constants windows: use appropriate and portable format specifier for 64bit pointer windows: define variable only where used windows: list all enum values in switch block forward: get rid of useless declarations for actually static functions mbedtls: do not define mbedtls_ctr_drbg_update_ret when not needed route.c: pass the right parameter to IN6_IS_ADDR_UNSPECIFIED man/protocol-options: add missing ending metachar compat-mode: allow user to specify version to be compatible with reject compression by default Remove support for PF (Packet Filter) configure: search also for rst2{man, html}.py multi: remove extra brackets in multi_process_incoming_link() do not include --cipher value in data-ciphers compat-mode: add --data-cipher-fallback auomatically if requested Set TLS 1.2 as minimum by default doc: fix indentation in protocol-options.rst networking: add and implement net_addr_ll_set() API networking: add missing brackets set_lladdr: use networking API net_addr_ll_set() on Linux configure: remove useless -Wno-* from default CFLAGS options.c: fix version reported in --cipher warning message doc/cipher-negotiation.rst: avoid warning by fixing indentation doc: remove PF leftovers from documentation sig.c: define signal_handler on non-windows only GitHub Actions: ensure Ubuntu builds are made with the chosen SSL library ssl.c: use arrow operator to access object member use 'static inline' instead of 'inline static' GitHub Actions: add other config flavours unit-test: fix test_crypto when USE_COMP is not defined update copyright year to 2022 keyingmaterialexporter.c: include strings.h crypto: move 
validation logic from cipher_get to cipher_valid crypto: move OpenSSL specific FIPS check to its backend Get rid of README.IPv6 and TODO.IPv6 auth_token/tls_crypt: fix usage of md_valid() crypto: unify key_type creation code remove unused sitnl.h file options: drop useless netmask variable networking: use OPENVPN_ETH_ALEN instead of ETH_ALEN networking: silence warnings about unused arguments networking_iproute2: don't pass M_WARN to openvpn_execve_check() networking: implement net_iface_new and net_iface_del APIs t_net.sh: delete dummy iface using iproute command auth-pam.c: add missing include limits.h dco: introduce low-level code for handling ovpn-dco in the Linux kernel dco: add helper function to detect if DCO is enabled or not dco: create DCO interface using SITNL tls-crypt-v2: bail out if the client key is too small dco: use specific metric when installing routes networking: fix doc for net_iface_new() API options: don't export local function pre_connect_save() networking_sitnl: always return negative error code in case of failure networking: add net_iface_type API tun: create tun_name_is_fixed helper dco: add option check - disable DCO if conflict is detected dco: allow user to disable it at runtime GitHub Actions: add Linux DCO build (on Ubuntu 20.04) dco: introduce open_tun_dco_generic() to open dynamic or fixed-name DCO devices dco: initialize context and save pointer in TLS object dco: configure keys in DCO right after generating them disable DCO if no --dev was specified dco: periodically check and possibly rotate/delete keys dco: split option parsing routines push: fix compilation with --disable-management and --enable-werror dco: check that pulled options are compatible dco: implement dco support for p2p/client code path dco: add documentation for ovpn-dco-linux dco: implement dco support for p2mp/server code path dco: perform pull options check only if we pulled any option dco: disable DCO if --allow-compress yes/asym was specified dco: turn 
supported ciphers list into a function do_open_tun: restyle 'can preserve TUN' check do_close_tun: get rid of one level of indentation ovpn-dco: print some netlink messages to debug level dco: move message to DCO debug level and reword a bit dco: properly name variables dco: don't pass VPN IPs to NEW_PEER API in P2P mode dco-win: ensure the DCO API is not used when running on Windows ssl_util: fix prototype style dco: move availability check to the end of check_option_conflict() function dco-win: introduce low-level code for handling ovpn-dco-win in Windows dco-win: check for incompatible options dco-win: implement ovpn-dco support in P2P Windows code path dco-win: add documentation to README.dco.md dco-win: update GH Actions config file dco: trigger ping timeout event only if the peer expired delete_routes(_ipv6): avoid memleak if RT_DEFINED is not set solaris/open_tun: prevent crash when dev is empty string do not push route-ipv6 entries that are also in the iroute-ipv6 list auth-user-pass: add support for inline credentials get_user_pass_cr: get password from stdin if missing inline close_tun: print interface type consistently in message Arne Schwabe (289): Fix client's poor man NCP fallback Refactor key_state_export_keying_material functions Fix compilation with older mbed TLS versions (mbedtls_tls_prf_types undefined) Fix client NCP OCC fallback when server and client cipher are identical Move openvpn specific key expansion into its own function Allow 'none' cipher being specified in --data-ciphers Implement generating data channel keys via EKM/RFC 5705 Ignore deprecation warning for daemon on macOS Add function for common env setting of verify user/pass calls Inline function tls_get_peer_info Align reliable_free with other free methods to accept NULL Remove NULL checks before calling free Remove explicit setting of peer_id to false Remove --disable-def-auth configure argument Replace key_scan array of static pointers with inline function Add more 
documentation about our internal TLS functions Improve keys out of sync message Clean up tls_authentication_status and document it Rename DECRYPT_KEY_ENABLED to TLS_AUTHENTICATED Send AUTH_FAILED message to clients on renegotiation failures Make any auth failure tls_authentication_status return auth failed Fix auth-token not being updated if auth-nocache is set Remove auth_user_pass.wait_for_push variable Fix port-share option with TLS-Crypt v2 Zero initialise msghdr prior to calling sendmesg Fix tls-auth mismatch OCC message when tls-cryptv2 is used. Remove inetd support from OpenVPN Change pull request timeout use a timeout rather than a number Check return values in md_ctx_init and hmac_ctx_init Implement client side handling of AUTH_PENDING message Introduce management client state for AUTH_PENDING notifications Add S_EXITCODE flag for openvpn_run_script to report exit code Prefer TLS libraries TLS PRF function, fix OpenVPN in FIPS mode Implement server side of AUTH_PENDING with extending timeout Refactor extract_var_peer_info into standalone function and add ssl_util.c Change parameter of send_auth_pending_messages from context to tls_multi Allow pending auth to be send from a auth plugin Avoid generating unecessary mbed debug messages Add README.wolfssl documentating the state of WolfSSL in OpenVPN Fix multiple problems when compiling with LLVM/Windows (clang-cl) Move extract_iv_proto to ssl_util.c/h Extend verify-hash to allow multiple hashes Implement peer-fingerprint to check fingerprint of peer certificate Document the simple self-signed certificate setup in examples Deprecate the --verify-hash option Remove empty dummy functions Move restoring pre pull options to initialising of c2 context Move NCP saving and restore to the prepush restore code Restore also ping related options on a reconnect Make buffer related function conversion explicit when narrowing Fix socket related functions using int instead of socket_descriptor_t Use correct types for OpenSSL 
and Windows APIs Cleanup print_details and add signature/ED certificate print Remove flexible array member autoconf check Remove support for non ISO C99 vararg support Fix #elif TARGET_LINUX missing defined() call Remove superflous ifdefs around enum like defines Rename tunnel_server_udp_single_threaded to tunnel_server_udp Remove code for aligning non-swapped compression Remove pointless tun_adjust_frame_parameters function Remove unused field txqueuelen from struct tuntap Remove unused function tls_test_auth_deferred_interval Remove unused variable pass_config_info Move is_proto function to the socket.h header Implement '--compress migrate' to migrate to non-compression setup Remove thread_mode field of multi_context Extract multi_assign_peer_id into its own function Remove do_init_socket_2 and do_init_socket_1 wrapper function Always disable TLS renegotiations Allow running a default configuration with TLS libraries without BF-CBC Deprecate non TLS mode in OpenVPN Remove deprecated option '--keysize' Move auth deferred related members into its own struct log file descriptor in more socket related error messages Fix async push broken after auth deferred refactor Remove conditionals compilation for P2MP, ENABLE_SHAPER and TIME_BACKTRACK_PROTECTION Remove check for socket functions and Win XP compatbility code Remove checks for uint* types that are part of C99 Remove a number of checks for functions/headers that are always present Use EVP_CTRL_AEAD_* instead EVP_CTRL_GCM_* Remove OpenSSL configure checks Always save/restore pull options Also restore/save compress related options in reconnects Also restore/save route-gateway options on SIGUSR1 reconnects Remove LibreSSL specific defines not needed for modern LibreSSL Add parsing of dhcp-option PROXY_HTTP Ensure using const variables with EVP_PKEY_get0_* Move context_auth from context_2 to tls_multi and name it multi_state Fix condition to generate session keys Remove always enabled USE_64_BIT_COUNTERS define Fix a 
number of mingw warnings Move tls_select_primary_key into its own function Allow all GCM ciphers Change options->data_channel_use_ekm to flags Implement deferred auth for scripts Use functions to access key_state instead direct member access Avoid failing_test unused warning in example_test Move direct.h header where it is used Replace OS_SPECIFIC_DIRSEP with PATH_SEPARATOR Remove a number of platform specific checks in configure.ac Remove --disable-multihome option Remove support for blocking connect() Fix memory leak in misc unit test Fix binary and (&) used in auth-token check instead of logical and (&&) Add missing free_key_ctx for auth_token Remove explicit struct iovec check (HAVE_IOVEC) Remove getpeername, getpid check Inline do_init_auth_token_key Add noreturn attribute for MSVC to assert_failed method. Move utility function from win32.c to win32-util.c Document stub-v2 being basically an alias for no compression at all Return cached result in tls_authentication_status Use exponential backoff for caching in tls_authentication_status Add github actions Silence warning about format string in check_ca_required Implement auth-token-user Move auth_token_state from multi to key_state Add connection_established as state in tls_multi->context_auth Make waiting on auth an explicit state in the context state machine Ensure tls session is authenticated before sending push reply Extracting key_state deferred auth status update into function Move examples into openvpn-examples(5) man page Introduce S_GENERATED_KEYS state and generate keys only when authenticated Fix tls-cert-profile broken on OpenSSL 1.1+ Cleanup handling of initial auth token Remove --ncp-disable option Add detailed man page section to setup a OpenVPN setup with peer-fingerprint Support NCP in pure P2P VPN setups Remove unistd.h from unit test Introduce webauth auth pending method and deprecate openurl Include Chacha20-Poly1305 into default --data-ciphers when available Detect unusable ciphers on 
patched OpenSSL of RHEL/Centos Fix Ubuntu spelling and duplicate run in Github Actions Add message when decoding PKCS12 file fails. Add small unit test for testing HMAC Deprecate --ecdh-curve with OpenSSL 3.0 and adjust mbed TLS message Use EVP_PKEY based API for loading DH keys Remove DES check with OpenSSL 3.0 Remove DES key fixup code Do not allow CTS ciphers Use new EVP_MAC API for HMAC implementation Add --with-openssl-engine autoconf option (auto|yes|no) Use EVP_PKEY_get_group_name to query group name Replace EVP_get_cipherbyname with EVP_CIPHER_fetch Use EVP_MD_get0_name instead EV_MD_name Remove dependency on BF-CBC existance from test_ncp Implement DES ECB encrypt via EVP_CIPHER api Fix error when BF-CBC is not available Fix function name in DH error message Add insecure tls-cert-profile options Remove custom PRNG function Completely remove DES checks Refactor early initialisation and uninitialisation into methods Use TYPE_do_all_provided function for listing cipher/digest Add macos OpenSSL 3.0 and ASAN builds Allow loading of non default providers Move IV_TCPNL from comp_generate_peer_info_string to push_peer_info Implement optional cipher in --data-ciphers prefixed with ? 
Directly use hardcoed OPENVPN_AEAD_TAG_LENGTH instead lookup Remove cipher_kt_var_key_size and remaining --keysize documentation Remove cipher_ctx_get_cipher_kt and replace with direct context calls Remove key_type->cipher_length field Remove key_type->hmac_length Fix handling an optional invalid cipher at the end of data-ciphers Make --nobind default for --pull Remove ENABLE_CRYPTO_OPENSSL ifdef inside ENABLE_CRYPTO_OPENSSL ifdef Remove max_size from buffer_list_new Add argv_insert_head__empty_argv__head_only to argv tests Remove cipher_kt_t and change type to const char* in API Move deprecation of SWEET32/64bit block size ciphers to 2.7 Adjust cipher-negotiation.rst with compat-mode changes Remove md_kt_t and change crypto API to use const char* Initialise kt_cipher even when no crypto is enabled Remove align_adjust frame code Fix triggering assertion of ks->authenticated after tls_deauthenticate Document frame related function and variables a bit more Remove post_open_mtu code Make github actions names nicer, include Ubuntu18+OpenSSL 1.0.2 Add helper functions to calculate header/payload sizes Decouple MSS fix calculation from frame calculation Rework occ link-mtu calculation Remove pointless do_init_frame_tls function Remove BUFFER_LIST_AGGREGATE_TEST test code Deprecate link-mtu Fix mssfix and frame calculation in CBC mode Change buffer allocation calculation and checks to be more static Fix datagram_overhead and assorted functions Implement optional mtu parameter for mssfix Remove link_mtu parameter when running up/down scripts Replace TUN_MTU_SIZE with frame->tun_mtu Change the default for mssfix to mssfix 1492 mtu Add mtu paramter to --fragment and change fragment calculation Update fragment and mssfix related warnings Use new frame header methods to calculate OCC_MTU_LOAD payload size Remove extra_link from frame Remove frame->link_mtu Remove frame.extra_frame and frame.extra_buffer Default to --cipher BF-CBC if not set and compat-mode 2.4.0 Fix 'defined 
but not used' warnings with enable-small/disable-management Add Werror to github action ubuntu build Add better documentation for CAS_* states Add unit test for mssfix with compression involved Remove FRAME_HEADROOM, PAYLOAD_SIZE, EXTRA_FRAME and TUN_LINK_DELTA macros Fix mbed TLS compile if OpenSSL headers are not available Remove unused function cipher_var_key_size Implement fixed MSS value for mssfix and use it for non default MTUs networking: remove duplicate methods from networking_sitnl.c Remove dead PID_TEST code Remove inc_pid argument from reliable_mark_deleted that is always true Remove EXPONENTIAL_BACKOFF define Remove tls_init_control_channel_frame_parameters wrapper function Add documentation for swap_hmac function Make buf_write_u8/16/32 take the type they pretend to take Move pre decrypt lite check to its own function Extend tls_pre_decrypt_lite to return type of packet and keep state Move ssl function related to control channel wrap/unwrap to ssl_pkt.c/h Add unit tests for test_tls_decrypt_lite Split out reliable_ack_parse from reliable_ack_read Refactor tls-auth/tls-crypt wrapping into into own function Extract session_move_pre_start as own function, use local buffer variable Change FULL_SYNC macro to no_pending_reliable_packets function Extract session_move_active into its own function Move tls_process_state into its own function Remove pointless indentation from tls_process. 
Move CRL reload to key_state_init from S_START transition Change reliable_get_buf_sequenced to reliable_get_entry_sequenced Implement constructing a control channel reset client as standalone function Implement stateless HMAC-based sesssion-id three-way-handshake Extract read_incoming_tls_ciphertext into function Fix format specifier for printing size_t on 32bit size_t platforms Remove workaround for Android 4.4 Implement HMAC based session id for tls-crypt v2 Optimise three-way handshake condition for S_PRE_START to S_START Extract read_incoming_tls_plaintext into its own function Add uncrustify check to github actions Add ubuntu 22.04 to Github Actions Implement ED448 and ED25519 support in xkey_provider Translate OpenSSL 3.0 digest names to OpenSSL 1.1 digest names Fix client-pending-auth error message to say ERROR instead of SUCCESS Remove useless empty line from CR_RESPONSE message Remove leftover frame_set_mtu_dynamic definitions in mtu.h Inline frame_add_to_extra_tun function and remove frame_defined tun: extract close_tun_handle into its own fucntion and print correct type Error out if both remap-usr1 SIGHUP and config stdin are used Fix segfault when no --config argument is given Extract check_session_cipher into standalone function Cleanup receive_auth_failed and simplify method Fix IV_PLAT_VER and UV_ variables sent without push-peer-info Rename OPT_P_IPWIN32 to OPT_P_DHCPDNS and include --dns in it Include DCO status in GLOBAL_STATS status v2 output Github Actions: Add libreSSL actions Include libressl and macOS 12 to macOS github actions Fix declaration of pubkeys in test_provider.c in MSVC builds Change command help to match man page and implementation Implement --client-crresponse script options and plugin interface Add example script demonstrating TOTP via auth-pending Add OpenSSL 3.0 to mingw build Update android.txt to reflect more recent changes. 
Allow scripts and plugins to set a custom AUTH_FAILED message Implement exit notification via control channel Implement AUTH_FAIL, TEMP message support Document/cleanup event_timeout functions Fix OpenVPN querying user/password if auth-token with user expires Enable -Werror on macOS builds Ensure only CBC, CFB, OFB and AEAD ciphers are considered valid data ciphers Change exit signal in P2P to be a SIGUSR1 and delayed CC exit in P2MP Allow Authtoken lifetime to be short than renegotiation time Allows renegotiation only to start if session is fully established Fix renewal spelling and actually allow external-auth with renewal time Fix regression of ignoring --user Refactor/optimise code sending TLS control channel messages Add unit test for reliable_get_num_output_sequenced_available Allow setting control channel packet size with max-packet-size Always include ACKs for the last seen control packets Add workaround for Softether server dropping P_ACK_V1 with >= 5 acks Improve data key id not found error message Add packet type in accept/reject messages for HMAC packet Fix md_kt_size in mbed TLS when queried for size of "none" Add algorithm and bits used in key_print2 method and refactor method Remove unused addr_inet4or6, addr_guess_family and inline addr_copy_sa Allow tun-mtu to be pushed Push server mtu to client when supported and support occ mtu Fix logic error in checking early negotiation support check Move dco_installed from sock->info to sock->info.lsa.actual Use dedicated multi->dco_peer_id for DCO instead of multi->peer_id Add section about common error with OpenVPN 2.6 and OpenSSL 3.0 Introduce connection state for reconnecting peer in p2p Signal USR1 when connection initialising fails Allow reconnecting in p2p mode work under FreeBSD Camille Guérin (1): Removed error message for an option flag not supported with --server-ipv6 David Korczynski (1): Fix argv leaks in add_route() and add_route_ipv6() David Sommerseth (18): man: Add missing --server-ipv6 man: 
Improve --remote entry sample-plugins: Partially autotoolize the sample-plugins build build: Fix make distclean/distcheck compat/lz4: Update to v1.9.2 build: Fix missing install of man page in certain environments build: Remove compat-lz4 Update copyrights doc: Use generic rules for man/html generation man: Clarify IV_HWADDR crypto: Fix OPENSSL_FIPS enabled builds sample-plugin: New plugin for testing multiple auth plugins plugins: Remove defer/simple.c sample plugin plug-ins: Disallow multiple deferred authentication plug-ins dev-tools: Remove no longer needed openvpn-plugin.h.in patching dev-tools: Remove uncrustify -p dev-tools: Avoid uncrustify mangling MAC_FMT macro The Great Reformatting of 2022 Dmitry Zelenkovsky (1): implement --session-timeout Domagoj Pensa (3): Fix too early argv freeing when registering DNS Remove 1 second delay before running netsh Skip DHCP renew with Wintun adapter Eric Thorpe (1): Fixes a bug in management_callback_send_cc_message, should be strlen instead of sizeof Frank Lichtenheld (18): doc/Makefile: rebuild rst docs if input files change doc: fix misc documentation issues doc/options: clean up documentation for --proto and related options Reformat for sp_after_comma=add uncrustify: add sp_after_comma=add uncrustify: have exactly one newline at the end of files t_client: Allow to force FAIL on prerequisite fails systemd: remove generated service files on clean Reduce usage of __DATE__ config-version.h: remove unused includes t_client.sh: do not require fping6 doc: cleanup for --data-ciphers and related test_crypto: fix test_occ_mtu_calculation with --disable-fragment msvc: always call git-version.py GitHub Issues: add note to Changes as well GitHub Issues: add new links to INSTALL and README GitHub Issues: Create first issue template (Bug) documentation: avoid recommending --user nobody Gert Doering (67): Change version.m4 to 2.6_git Fix stack overflow in OpenSolaris NEXTADDR() Workaround FreeBSD 12+ race condition on tun/tap open 
with IPv6. Document that --push-remove is generally more suitable than --push-reset Fix error detection / abort in --inetd corner case. Fix TUNSETGROUP compatibility with very old Linux systems. Fix handling of 'route remote_host' for IPv6 transport case. Replace 'echo -n' with 'printf' in tests/t_lpback.sh Fix description of --client-disconnect calling convention in manpage. Handle NULL returns from calloc() in sample plugins. Fix --show-gateway for IPv6 on NetBSD/i386. socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes Fix netbits setting (in TAP mode) for IPv6 on Windows. If IPv6 pool specification sets pool start to ::0 address, increment. Add demo plugin that excercises "CLIENT_CONNECT" and "CLIENT_CONNECT_V2" paths Fix combination of --dev tap and --topology subnet across multiple platforms. Fix redirecting of IPv4 default gateway if connecting over IPv6. Fix compilation on pre-EKM mbedTLS libraries. Avoid passing NULL to argv_printf_cat() in temp_file error case. Change travis build scripts to use https when fetching prerequisites. Fix line number reporting on config file errors after segments Clarify --block-ipv6 intent and direction. Document common uses of 'echo' directive, re-enable logging for 'echo'. Make OPENVPN_PLUGIN_ENABLE_PF failures FATAL clean up / rewrite sample-plugins/defer/simple.c Fix EVP_PKEY_CTX_... compilation with LibreSSL Require at least 100MB of mlock()-able memory if --mlock is used. Get rid of last PLUGIN_DEF_AUTH #ifdef Fix 'compress migrate' for 2.2 clients. Fix potential NULL ptr crash if compiled with DMALLOC Repair --secret deprecation warning. rewrite parse_hash_fingerprint() Ignore leading whitespace and comment lines for peer-fingerprint. Add error reporting to get_console_input_win32(). Ignore --explicit-exit-notify in TCP mode. Use more C99 initialization in add_route/add_route_ipv6(). Include --push-remove in the output of --help. 
Move '--push-peer-info' documentation from 'server' to 'client options' add test case(s) to notice 'openvpn --show-cipher' crashing Repair --inactive with 'bytes' argument larger 2Gbytes. Fix --mtu-disc maybe|yes on Linux. Fix trailing-whitespace errors in last patch. Exclude the last two whitespace-only uncrustify fixes from git blame output. Implement --mtu-disc for IPv6 UDP sockets. Fix non-compliant whitespace introduced by commit 54800aa975418fe35. Pass proper sockaddr_* structure for IPv6 socket errors. Fix error message about extended errors for IPv4-only sockets. Break 'try 256 dco devices' loop on EPERM Cleanup: get rid of 'dynamic' argument of open_tun_generic() Remove outdated information from ChangeLog, point at release branches. Apply uncrustify changes that were forgotten in the last patch. Apply uncrustify changes that were forgotten in the FreeBSD DCO 1/2 patch. FreeBSD-DCO: repair device iteration to find first free interface. DCO: require valid netbits setting for non-primary iroutes. Adjust Linux+FreeBSD DCO device name handling to 'non DCO linux style' cleanup open_tun() for TARGET_NETBSD t_client: add per-instance arguments to fping introduce V= level to manage t_client.sh output verbosity un-break undo_ifconfig_ipv4()/_ipv6() on all non-linux/non-win32 platforms use boolean '||' to join two bools, not bitwise '|' denoise tests/t_lpback.sh FreeBSD: for topology subnet, put tun interface into IFF_BROADCAST mode FreeBSD DCO: introduce real subnet mode Improve documentation for --dev and --dev-node. Update PORTS rework INSTALL and README to prepare for 2.6 release Preparing release 2.6_beta1 Greg Cox (5): Fix naming error in sample-plugins/defer/simple.c Documentation fixes around openvpn_plugin_func_v3 in openvpn-plugin.h.in Update openvpn_plugin_func_v2 to _v3 in sample-plugins/defer/simple.c More explicit versioning compatibility in sample-plugins/defer/simple.c Explain structver usage in sample defer plugin. 
Heiko Hund (10): add support for --dns option Add git pre-commit hook script to uncrustify pre-commit: uncrustify based on staged changes remove foreign_option() call for IPv6 DNS servers remove dead foreign-option parsing code rename foreign_option() and move it up doc: fix literal block in tls-options.rst dns: also (re)place foreign dhcp options in env signal --dns support in peer info make %x destination unsigned Ilya Ponetayev (1): fix compilation issues with small and w/o debug Ilya Shipitsin (2): CI: github actions: keep "pdb" in artifacts BUILD: enable CFG and Spectre mitigation for MSVC Jan Mikkelsen (1): cipher-negotiation.rst missing from doc/Makefile.am Jan Seeger (1): Added 'route_ipv6_metric_NN' environment variable for IPv6 route metric. Jason A. Donenfeld (1): Support fingerprint authentication without CA certificate Jeff (1): duplicate function declaration. Juliusz Sosinowicz (4): EVP_DigestSignFinal siglen parameter correction Support for wolfSSL in OpenVPN build: Add support for pkg-config 0.28 for old autoconf versions README.wolfssl Update Kristof Provost (6): Handle exceeding 'max-clients' ovpn-dco: introduce FreeBSD data-channel offload support Support creating iroute route entries on FreeBSD FreeBSD networking cleanup FreeBSD DCO: support AES-192-GCM dco: pass control packets through the socket on FreeBSD Lev Stipakov (68): tun.c: enable using wintun driver under SYSTEM openvpnmsica: make adapter renaming non-fatal msvc: better support for 32bit architecture Alias ADAPTER_DOMAIN_SUFFIX to DOMAIN ssl_common.h: fix 'not all control paths return a value' msvc warning Remove compat-lz4 references from VS project files tapctl: support for ovpn-dco Windows driver msvc: add ARM64 configuration win32: add missing include header openvpnmsica: properly schedule reboot in the end of installation options.c: fix msvc build error msvc: standalone building contrib/vcpkg-ports: add pkcs11-helper port vcpkg-ports: restore trailing whitespaces in .patch files 
GitHub actions: add MSVC build crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606) contrib/vcpkg-ports: add openssl port with --no-autoload-config option set (CVE-2121-3606) Fix console prompts with redirected log GitHub Actions: fix MSVC builds contrib/vcpkg-ports: remove openssl port Add building man page on Windows GitHub Actions: remove Ubuntu 16.04 environment Fix loading PKCS12 files on Windows msvc: fix product version display config-msvc.h: fix OpenSSL-related defines GitHub Actions: use latest working lukka/run-vcpkg Use network address for emulated DHCP server as a default Load OpenSSL config on Windows from trusted location ring_buffer.h: fix GCC warning about unused function ssh_openssl.h: remove unused declaration vcpkg/pkcs11-helper: compatibility with latest vcpkg config-msvc.h: indicate key material export support auth_token.c: add NULL initialization tun: remove tun_finalize() vcpkg-ports/pkcs11-helper: bump to release 1.28 vcpkg-ports/pkcs11-helper: indicate OpenSSL EC support xkey: fix msvc build msvc: switch to openssl3 msvc: cleanup vcpkg: link lzo statically openvpnmsica: add ovpn-dco custom actions vcpkg-ports/pkcs11-helper: adapt to new upstream URL vcpkg-ports\pkcs11-helper: shorten patch filename vcpkg-ports\openssl3: update to 3.0.2 Fix incorrect default mssfix value in server mode msvc: adjust build options to harden binaries vcpkg: switch to manifest Fix M_ERRNO behavior on Windows GitHub Actions: trigger openvpn-build GHA on success Set o->use_peer_id flag for p2p mode openvpnmsica: remove OpenVPNService state check code tun.c: remove unused gc_arena from init_tun() error.c: remove unused crash() function tun: properly handle device interface list dco.h: fix return type when DCO is not enabled dco-win: use run-time dynamic linking for GetOverlappedResultEx vcpkg: bump baseline version do_persist_tuntap: remove indentation level msvc: remove .filters files dco.c: check certain options only on startup Use DCO on 
    Windows by default
    doc: add "ovpn-dco" to usage and man page
    dco-win: support for --persist-tun
    msvc: add branch name and commit hash to version output
    vcpkg: use the latest versions of dependency ports
    win32: detect arm64 architecture and emulations
    INSTALL: update Windows notes
    dco: disable dco on Windows if --remote is not defined

Magnus Kroken (2):
    doc: fix typos in cipher-negotiation.rst
    Changes.rst: fix mistyped option names

Marc Becker (2):
    vcpkg-ports/pkcs11-helper: bump to release 1.29
    fix GitHub workflow working directories in MinGW builds

Martin Janů (1):
    Update the replay-window backtrack log message

Matthias Andree (1):
    Fix SIGSEGV (NULL deref) receiving push "echo"

Max Fillinger (15):
    Wipe Socks5 credentials after use
    Fix build with mbedtls w/o SSL renegotiation support
    In init_ssl, open the correct CRL path pre-chroot
    Abort if CRL file can't be stat-ed in ssl_init
    Update Fox e-mail address in copyright notices
    Replace deprecated mbedtls DRBG update function
    Fix build with compression disabled
    Don't manually free DH params in OpenSSL 3
    Remove unused havege.h header
    Don't use BF-CBC in unit tests if we don't have it
    Add warning about mbed TLS licensing problem
    Don't "undo" ifconfig on exit if it wasn't done
    Update openssl_compat.h for newer LibreSSL
    Handle EVP_MD_CTX as an opaque struct
    Check if pkcs11_cert is NULL before freeing it

Michael Baentsch (1):
    Enable usage of TLS groups not identified by a NID in OpenSSL 3

Paolo Cerrito (1):
    Insert client connection data into PAM environment

Richard Bonhomme (3):
    Improve error msg when all TAP adapters are in use 'or disabled'
    Man page sections corrections
    Do not print Diffie Hellman parameters file to log file

Richard T Bonhomme (3):
    Log messages: Replace NCP with --data-ciphers (NFC)
    doc link-options.rst: Use free open-source dynamic-DNS provider URL
    doc/protocol-options.rst: Correct default for --allow-compression

Saifur Rahman Mohsin (1):
    Ignore deprecation warning for daemon() on macOS (plugin/auth-pam)

Selva Nair (64):
    Improve the documentation for --dhcp-option
    In tap.c use DiInstallDevice to install the driver on a new adapter
    Add a remark on dropping privileges when --mlock is used
    Allow --dhcp-option in config file when windows-driver is wintun
    Set DNS Domain using iservice
    Improve documentation of --username-as-common-name
    Quote the domain name argument passed to the wmic command
    Remove automatic service
    tun.c on WIN32: remove more unused variables
    Make it explicit that Windows build requires UNICODE support
    Use C standard compliant format specs in wprintf functions
    Print format spec changes for tapctl and openvpnmsica
    Replace TEXT(__FUNCTION__) by __FUNCTION__ in openvpnmsica.c
    Fix parsing of IV_SSO string
    Do not require CA when peer-fingerprint is used
    Improve documentation of AUTH_PENDING related directives
    Apply the connect-retry backoff to only one side of a connection
    Fix client-pending-auth help message in management interface
    Minor doc correction: tls-crypt-v2 key generation
    Fix the "default" tls-version-min setting
    Fix some more wrong defines in config-msvc.h
    Require Windows CNG keys for cryptoapicert
    Remove error injection into OpenSSL from cryptoapi.c
    Require EC key support in Windows builds
    Ensure the current common_name is in the environment for scripts
    Avoid memory leak in hmac_ctx_new (OpenSSL 3.0 only)
    Fix tls-version-min default once again
    A built-in provider for using external key with OpenSSL 3.0
    Implement KEYMGMT in the xkey provider
    Implement SIGNATURE operations in xkey provider
    Implement import of custom external keys
    Initialize the xkey provider and use it in SSL context
    A helper function to import private key for management-external-key
    Add xkey_provider sources and includes to MSVC project
    Enable signing via provider for management-external-key
    Add a function to encode digests with PKCS1 DigestInfo wrapper
    Allow management client to announce pss padding support
    Respect algorithm support announced by management client
    Support sending DigestSign request to management client
    Increase ERR_BUF_SIZE when management interface support is enabled
    Add a generic key loading helper function for xkey provider
    pkcs11: Interface the xkey provider with pkcs11-helper
    Enable signing using CNG through xkey provider
    Add a unit test for external key provider
    xkey: Use a custom error level for debug messages
    Fix max saltlen calculation in cryptoapi.c
    Support PSS signing using pkcs11-helper >= 1.28
    Do not error when md_kt_size() is called with mdname="none"
    Fix a potential memory leak in tls_ctx_use_management_external_key
    pkcs11_openssl.c: check EVP_get_digestbyname() != NULL
    Fix crash in xkey-provider in msvc builds
    Remove management_write_peer_info_file and related code
    Log the actual management interface port in use
    Log address of management client on accept
    In x_check_status() read errno early
    xkey_provider: fix building with --disable-management
    Do not skip ERROR:/SUCCESS: response from management interface
    Allow a few levels of recursion in virtual_output_callback()
    Fix auth-token usage with management-def-auth
    Ensure --auth-nocache is handled during renegotiation
    Purge auth-token as well while purging passwords
    Do not copy auth_token username to itself
    Do not add leading space to pushed options
    pull-filter: ignore leading "spaces" in option names

Sergio E. Nemirowski (1):
    resolvconf fails with -p

Simon Rozman (9):
    iservice: Resolve MSVC C4996 warnings
    openvpnserv: Cache last error before it is overridden
    netsh: Specify interfaces by index rather than name
    netsh: Clear existing IPv6 DNS servers before configuring new ones
    netsh: Delete WINS servers on TUN close
    openvpnmsica: Simplify find_adapters() to void return
    tun.c: Remove dead code
    interactive.c: Resolve MSVC C4996 warning
    tapctl: Resolve MSVC C4996 warnings

Steffan Karger (5):
    networking_iproute2: fix memory leak in net_iface_mtu_set()
    Simplify key material exporter backend API
    tls-crypt-v2: fix server memory leak
    tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key)
    reliable: retransmit if 3 follow-up ACKs are received

Timo Rothenpieler (5):
    Linux: Retain CAP_NET_ADMIN when dropping privileges
    GitHub Actions: Add new libcap-ng-dev dependency
    Github Actions: update used actions
    dco: disable DCO if --user specified but unable to retain capabilities
    dco: turn platform config checks into separate function

Todd Zullinger (2):
    Update IRC information in CONTRIBUTING.rst
    doc/man (vpn-network-options): fix foreign_option_{n} typo

Tõivo Leedjärv (1):
    Stop using deprecated getpass()

Ville Skyttä (1):
    README.down-root: Fix plugin module name

Vladislav Grishenko (8):
    Fix best gateway selection over netlink
    Fix fatal error at switching remotes (#629)
    Fix update_time() and openvpn_gettimeofday() coexistence
    Selectively reformat too long lines
    Speedup TCP remote hosts connections
    Support X509 field list to be username
    Fix IPv4 default gateway with multiple route tables
    Add CRL extractor script for --crl-verify dir mode

Source


Download

Download it from the link for your operating system.

Download OpenVPN 2.6 for Windows

Download OpenVPN 2.6 for Linux
