From patchwork Tue Feb 10 16:20:33 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4754
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 10 Feb 2026 17:20:33 +0100
Message-ID: <20260210162038.7915-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.52.0
Subject: [Openvpn-devel] [PATCH v1] Review Changes.rst for 2.7.0 release

From: Frank Lichtenheld Fixes various issues, either errors or things that got outdated during development. Change-Id: Idd079f42fac1189c08c6cf42ea84fa8c0383e1a8 Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1515 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1515 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/Changes.rst b/Changes.rst index d2c6716..7de5f10 100644 --- a/Changes.rst +++ b/Changes.rst @@ -116,9 +116,9 @@ `lwipovpn on Github `_. Allow overriding username with ``--override-username`` - This is intended to allow using auth-gen-token in scenarios where the + This is intended to allow using ``--auth-gen-token`` in scenarios where the clients use certificates and multi-factor authentication. This will - also generate a 'push "auth-token-user newusername"' directives in + also generate a ``push "auth-token-user newusername"`` directive in push replies. ``--port-share`` now properly supports IPv6 
@@ -127,20 +127,18 @@ Support for Haiku OS -TLS1.3 support with mbedTLS (very recent mbedTLS development versions only) +TLS1.3 support with mbedTLS (requires mbedTLS >= 3.6.4) PUSH_UPDATE client support It is now possible to update parts of the client-side configuration (IP address, routes, MTU, DNS) by sending a new server-to-client - control message, PUSH_UPDATE,. Server-side support is - currently only supported by OpenVPN Inc commercial offerings, the - implementation for OpenVPN 2.x is still under development. + control message, ``PUSH_UPDATE,``. See also: https://openvpn.github.io/openvpn-rfc/openvpn-wire-protocol.html NOTE: PUSH_UPDATE client support is currently disabled if DCO is active (on all platforms). PUSH_UPDATE server support (minimal) - new management interface commands ``push-update-broad`` and + New management interface commands ``push-update-broad`` and ``push-update-cid`` to send PUSH_UPDATE option updates to all clients ("there is a new DNS server") or only a specific client ID ("privileges have changed, here's a new IP address"). See @@ -149,7 +147,7 @@ is active (on all platforms). Support for user-defined routing tables on Linux - see the ``--route-table`` option in the manpage + See the ``--route-table`` option in the manpage PQE support for WolfSSL @@ -166,7 +164,7 @@ use policies that direct "everything that is not OpenVPN" into the tunnel, and have IP packets to the VPN server address arrive as expected (no such policies are currently installed by OpenVPN) - (github #669). + (GH: OpenVPN/openvpn#669). COPYING: license details only relevant to our Windows installers have been updated and moved to the openvpn-build repo 
@@ -181,9 +179,10 @@ (When a client is older than n days or has no timestamp, the server will reject it) -mbedTLS 4 support has been added. Algorithms need to be translated to - mbedTLS 4 internal IDs, and these tables are only very basic right now - (but AES-GCM and ChaCha-Poly are in). +mbedTLS 4 support has been added. + Note that with mbedTLS 4 algorithms need to be translated to + mbedTLS 4 internal IDs by OpenVPN, and some names might be + missing. Deprecated features @@ -234,7 +233,7 @@ ``--allow-compression asym``. ``--memstats`` feature removed - The ``--mememstat`` was largely undocumented and there is no known + The ``--memstats`` option was largely undocumented and there is no known user of this feature. This feature provided very limited statistics (number of users, link bytes read/written) and we do not except any usage because of this. @@ -263,7 +262,7 @@ By default ``--topology`` is pushed from server to client. - ``--x509-username-field`` will no longer automatically convert fieldnames to - uppercase. This is deprecated since OpenVPN 2.4, and has now been removed. + uppercase. This was deprecated since OpenVPN 2.4, and has now been removed. - ``--dh none`` is now the default if ``--dh`` is not specified. Modern TLS implementations will prefer ECDH and other more modern algorithms anyway. @@ -286,7 +285,7 @@ - ``--cryptoapicert`` now supports issuer name as well as Windows CA template name or OID as selector string. -- TLS handshake debugging information contains much more details now when +- TLS handshake debugging information contains much more details now when using recent versions of OpenSSL. - The ``IV_PLAT_VER`` variable sent by Windows clients now contains the 
@@ -308,18 +307,16 @@ (Github: OpenVPN/openvpn#704). - Use of ``--dh dh2048.pem`` in all sample configs has been replaced - with ``--dh none``. The ``dh2048.pem`` file has been removed, and - has been replaced with ``ffdhe2048.pem`` for the benefit of the - t_server_null test (to test all variants of ``--dh``). + with ``--dh none``. The ``dh2048.pem`` file has been removed. -- the startup delay in ``t_client.sh`` has been reduced from 3s to 1s, +- The startup delay in ``t_client.sh`` has been reduced from 3s to 1s, making a noticeable difference for setups with many tests. -- changed from using ``uncrustify`` for code formatting and pre-commit checks +- Changed from using ``uncrustify`` for code formatting and pre-commit checks to ``clang-format``. This reformatted quite a bit of code, and requires that regular committers change their pre-commit checks accordingly. -- on Linux, on interfaces where applicable, OpenVPN explicitly configures +- On Linux, on interfaces where applicable, OpenVPN explicitly configures the broadcast address again. This was dropped for 2.6.0 "because computers are smart and can do it themselves", but the kernel netlink interface isn't, and will install "0.0.0.0". This does not normally @@ -339,7 +336,7 @@ Win-DCO as well), add printing of the hwid to all adapter outputs, and change the default adapter type created to ``ovpn-dco``. -- the default for ``multihome`` egress interface handling has changed. +- The default for ``multihome`` egress interface handling has changed. 2.7.0 will default to ipi_ifindex=0, that is, leave the decision to the routing/policy setup of the operating system. The pre-2.7 behaviour (force egress = ingress interface) can be achieved with the new diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 370c670..03ce651 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst 
@@ -90,7 +90,7 @@ password from a script). **Note:** the username for ``--auth-gen-token`` can be overridden by - ``--override-user``. In this case the client will be pushed also the + ``--override-username``. In this case the client will be pushed also the ``--auth-token-user`` option and an auth token that is valid for that username instead of the original username that the client authenticated with. diff --git a/tests/t_server_null_default.rc b/tests/t_server_null_default.rc index bba77aa..c6540cb 100755 --- a/tests/t_server_null_default.rc +++ b/tests/t_server_null_default.rc @@ -13,7 +13,6 @@ top_builddir="${top_builddir:-..}" sample_keys="${srcdir}/../sample/sample-keys" -DH="${sample_keys}/ffdhe2048.pem" CA="${sample_keys}/ca.crt" CLIENT_CERT="${sample_keys}/client.crt" CLIENT_KEY="${sample_keys}/client.key"
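Review bot: In the Changes.rst hunk at @@ -127,20 +127,18 @@, the new line `control message, ``PUSH_UPDATE,``.` puts the trailing comma inside the literal markup, so it renders as the literal text "PUSH_UPDATE," followed by a full stop. Drop the stray comma and close the sentence after the literal: `control message, ``PUSH_UPDATE``.`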
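Review bot: In the Changes.rst hunk at @@ -166,7 +164,7 @@, the new reference style `(GH: OpenVPN/openvpn#669)` differs from the `(Github: OpenVPN/openvpn#704)` form visible in the context lines of the @@ -308 hunk of the same file. Pick one prefix for the whole file; since the existing text uses `Github:`, `(Github: OpenVPN/openvpn#669)` keeps the release notes consistent.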
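Review bot: In the Changes.rst hunk at @@ -181,9 +179,10 @@, the replacement drops the one concrete fact the old text carried, that AES-GCM and ChaCha-Poly are already covered by the algorithm tables, and "some names might be missing" gives a reader no way to tell which ciphers are expected to work with mbedTLS 4. Consider keeping that list, and add a comma after "with mbedTLS 4" so the note reads "Note that with mbedTLS 4, algorithms need to be translated ...".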
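Review bot: In the Changes.rst hunk at @@ -234,7 +233,7 @@, the unchanged context line "we do not except any usage because of this" has a typo ("except" should be "expect"); since this patch already touches the paragraph to fix the ``--memstats`` name, fix that word in the same change.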
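Review bot: In the Changes.rst hunk at @@ -263,7 +262,7 @@, "This was deprecated since OpenVPN 2.4, and has now been removed." still mixes tenses, because "since" pairs with the present perfect. Either "This has been deprecated since OpenVPN 2.4 and has now been removed." or "This was deprecated in OpenVPN 2.4 and has now been removed." reads cleanly.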
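Review bot: In the Changes.rst hunk at @@ -286,7 +285,7 @@, the removed and added lines for "TLS handshake debugging information contains much more details now when" are identical as shown, so the change is presumably only trailing whitespace; that is worth a word in the commit message, and while the line is being touched, "much more details" should become "much more detail".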
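Review bot: In the Changes.rst hunk at @@ -308,18 +307,16 @@, the shortened entry now says only that ``dh2048.pem`` was removed, while the removed lines explained that ``ffdhe2048.pem`` was added for the t_server_null test. Since the accompanying t_server_null_default.rc hunk drops the ``DH="${sample_keys}/ffdhe2048.pem"`` line, state in the entry whether ``ffdhe2048.pem`` is still shipped or has also been removed, so readers of the release notes know which sample file exists.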
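Review bot: In the doc/man-sections/server-options.rst hunk at @@ -90,7 +90,7 @@, the option name fix to ``--override-username`` is right (it now matches the Changes.rst entry "Allow overriding username with ``--override-username``"), but the surrounding sentence "In this case the client will be pushed also the ``--auth-token-user`` option" is awkward English; "In this case the client will also be pushed the ``--auth-token-user`` option" is the natural word order.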
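Review bot: In the tests/t_server_null_default.rc hunk at @@ -13,7 +13,6 @@, removing the ``DH`` variable is only safe if nothing else in the null-server test setup still expands ``$DH``; please confirm in the commit message that the other t_server_null rc files and the scripts that consume these variables were checked, since a dangling reference expands to an empty string in shell and could silently change which ``--dh`` variant the test exercises.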