![[BACK]](/icons/back.gif){kind=icon}
Up to [cvs.NetBSD.org] / pkgsrc / net / openvpn
Request diff between arbitrary revisions
Default branch: MAIN
Revision 1.102 / (download) - annotate - [select for diffs], Fri Nov 10 00:17:47 2023 UTC (5 months, 1 week ago) by gdt
Branch: MAIN
CVS Tags: pkgsrc-2024Q1-base,
pkgsrc-2024Q1,
pkgsrc-2023Q4-base,
pkgsrc-2023Q4,
HEAD
Changes since 1.101: +1 -2
lines
Diff to previous 1.101 (colored) to selected 1.91 (colored)
net/openvpn: Update to 2.6.7 Upstream NEWS: Security Fixes: * CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after it has been free()d in some circumstances, causing some free()d memory to be sent to the peer. All configurations using TLS (e.g. not using --secret) are affected by this issue. (found while tracking down CVE-2023-46849 / Github #400, #417) * CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore --fragment configuration in some circumstances, leading to a division by zero when --fragment is used. On platforms where division by zero is fatal, this will cause an OpenVPN crash.(Github #400, #417). User visible changes: * DCO: warn if DATA_V1 packets are sent by the other side - this a hard incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4 server, and the only fix is to use --disable-dco. * Remove OpenSSL Engine method for loading a key. This had to be removed because the original author did not agree to relicensing the code with the new linking exception added. This was a somewhat obsolete feature anyway as it only worked with OpenSSL 1.x, which is end-of-support. * add warning if p2p NCP client connects to a p2mp server - this is a combination that used to work without cipher negotiation (pre 2.6 on both ends), but would fail in non-obvious ways with 2.6 to 2.6. * add warning to --show-groups that not all supported groups are listed (this is due the internal enumeration in OpenSSL being a bit weird, omitting X448 and X25519 curves). * --dns: remove support for exclude-domains argument (this was a new 2.6 option, with no backend support implemented yet on any platform, and it turns out that no platform supported it at all - so remove option again) * warn user if INFO control message too long, do not forward to management client (safeguard against protocol-violating server implementations) New features: * DCO-WIN: get and log driver version (for easier debugging). * print "peer temporary key details" in TLS handshake * log OpenSSL errors on failure to set certificate, for example if the algorithms used are in acceptable to OpenSSL (misleading message would be printed in cryptoapi / pkcs11 scenarios) * add CMake build system for MinGW and MSVC builds * remove old MSVC build system * improve cmocka unit test building for Windows
Revision 1.101 / (download) - annotate - [select for diffs], Wed Nov 8 13:20:33 2023 UTC (5 months, 1 week ago) by wiz
Branch: MAIN
Changes since 1.100: +2 -2
lines
Diff to previous 1.100 (colored) to selected 1.91 (colored)
*: recursive bump for icu 74.1
Revision 1.100 / (download) - annotate - [select for diffs], Tue Oct 24 22:10:28 2023 UTC (5 months, 3 weeks ago) by wiz
Branch: MAIN
Changes since 1.99: +2 -1
lines
Diff to previous 1.99 (colored) to selected 1.91 (colored)
*: bump for openssl 3
Revision 1.99 / (download) - annotate - [select for diffs], Wed May 17 17:00:38 2023 UTC (11 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2023Q3-base,
pkgsrc-2023Q3,
pkgsrc-2023Q2-base,
pkgsrc-2023Q2
Changes since 1.98: +2 -2
lines
Diff to previous 1.98 (colored) to selected 1.91 (colored)
openvpn: updated to 2.6.4 Overview of changes in 2.6.4 User visible changes License amendment: all NEW commits fall under a modified license that explicitly permits linking with Apache2 libraries (mbedTLS, OpenSSL) - see COPYING for details. Existing code will fall under the new license as soon as all contributors have agreed to the change - work ongoing. New features DCO: support kernel-triggered key rotation (avoid IV reuse after 2^32 packets). This is the userland side, accepting a message from kernel, and initiating a TLS renegotiation. As of release, only implemented in FreeBSD kernel. Bug fixes fix pkcs#11 usage with OpenSSL 3.x and PSS signing fix compile error on TARGET_ANDROID fix typo in help text manpage updates (--topology) encoding of non-ASCII windows error messages in log + management fixed (use UTF8 "as for everything else", not ANSI codepages)
Revision 1.98 / (download) - annotate - [select for diffs], Tue Apr 25 07:02:26 2023 UTC (11 months, 3 weeks ago) by adam
Branch: MAIN
Changes since 1.97: +1 -2
lines
Diff to previous 1.97 (colored) to selected 1.91 (colored)
openvpn: updated to 2.6.3 Version 2.6.3 GHA: remove Ubuntu 18.04 builds vcpkg: request "tools" feature of openssl for MSVC build doc: run rst2* with --strict to catch warnings Support of DNS domain for DHCP-less drivers Bug-fix: segfault in dco_get_peer_stats()
Revision 1.97 / (download) - annotate - [select for diffs], Wed Apr 19 08:11:10 2023 UTC (12 months ago) by adam
Branch: MAIN
Changes since 1.96: +2 -1
lines
Diff to previous 1.96 (colored) to selected 1.91 (colored)
revbump after textproc/icu update
Revision 1.96 / (download) - annotate - [select for diffs], Sun Mar 19 19:11:20 2023 UTC (13 months ago) by tnn
Branch: MAIN
CVS Tags: pkgsrc-2023Q1-base,
pkgsrc-2023Q1
Changes since 1.95: +2 -1
lines
Diff to previous 1.95 (colored) to selected 1.91 (colored)
openvpn: --disable-dco. Needs kernel support.
Revision 1.95 / (download) - annotate - [select for diffs], Wed Nov 23 08:02:57 2022 UTC (16 months, 3 weeks ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2022Q4-base,
pkgsrc-2022Q4
Changes since 1.94: +1 -2
lines
Diff to previous 1.94 (colored) to selected 1.91 (colored)
openvpn: updated to 2.5.8
Overview of changes in 2.5.8
New features
allow running a default configuration with TLS libraries without BF-CBC (even if TLS cipher negotiation would not actually use BF-CBC, the long-term compatibility "default cipher BF-CBC" would trigger an error on such TLS libraries)
User-visible Changes
add git branch name + commit ID to OpenVPN version string on MSVC builds (windows)
Testing Enhancements
t_client.sh: if fping is found and fping6 is not, assume we have fping 4.0 and up, and call "fping -6" for IPv6 ping tests
t_client.sh: allow to force FAIL on prerequisite fails, so a CI environment will no longer "silently skip" t_client runs if fping (etc) can not be found, but will error out
Bugfixes
``--auth-nocache'' was not always correctly clearing username+password after a renegotiation
ensure that auth-token received from server is cleared if requested by the management interface ("forget password" or automatically via ``--management-forget-disconnect'')
in a setup without username+password, but with auth-token and auth-token-username pushed by the server, OpenVPN would start asking for username+password on token expiry. Fix.
using --auth-token together with --management-client-auth (on the server) would lead to TLS keys getting out of sync and client being disconnected. Fix.
management interface would sometimes get stuck if client and server try to write something simultaneously. Fix by allowing a limited level of recursion in virtual_output_callback()
fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state
tls-crypt-v2: abort connection if client-key is too short
make man page agree with actual code on replay-window backtrag log message
remove useless empty line from CR_RESPONSE message
Revision 1.94 / (download) - annotate - [select for diffs], Wed Oct 26 10:31:50 2022 UTC (17 months, 3 weeks ago) by wiz
Branch: MAIN
Changes since 1.93: +2 -2
lines
Diff to previous 1.93 (colored) to selected 1.91 (colored)
*: bump PKGREVISION for libunistring shlib major bump
Revision 1.93 / (download) - annotate - [select for diffs], Thu Aug 11 06:41:58 2022 UTC (20 months, 1 week ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2022Q3-base,
pkgsrc-2022Q3
Changes since 1.92: +2 -1
lines
Diff to previous 1.92 (colored) to selected 1.91 (colored)
*: recursive PKGREVISION bump for mbedtls shlib major increases
Revision 1.92 / (download) - annotate - [select for diffs], Thu Mar 17 07:50:17 2022 UTC (2 years, 1 month ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2022Q2-base,
pkgsrc-2022Q2,
pkgsrc-2022Q1-base,
pkgsrc-2022Q1
Changes since 1.91: +1 -2
lines
Diff to previous 1.91 (colored)
openvpn: updated to 2.5.6
OpenVPN 2.5.6.
This is mostly a bugfix release including one security fix ("Disallow multiple deferred authentication plug-ins.", CVE: 2022-0547).
Revision 1.91 / (download) - annotate - [selected], Wed Dec 15 20:11:51 2021 UTC (2 years, 4 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2021Q4-base,
pkgsrc-2021Q4
Changes since 1.90: +1 -2
lines
Diff to previous 1.90 (colored)
openvpn: updated to 2.5.5
Overview of changes in 2.5.5
============================
User-visible Changes
--------------------
- SWEET32/64bit cipher deprecation change was postponed to 2.7
- Windows: use network address for emulated DHCP server as default
this enables use of a /30 subnet, which is needed when connecting
to OpenVPN Cloud.
- require EC support in windows builds
(this means it's no longer possible to build a Windows OpenVPN binary
with an OpenSSL lib without EC support)
New features
------------
- Windows build: use CFG and Spectre mitigations on MSVC builds
- bring back OpenSSL config loading to Windows builds.
OpenSSL config is loaded from %installdir%\SSL\openssl.cfg
(typically: c:\program files\openvpn\SSL\openssl.cfg) if it exists.
This is important for some hardware tokens which need special
OpenSSL config for correct operation.
Bugfixes
--------
- Windows build: enable EKM
- Windows build: improve various vcpkg related build issues
- Windows build: fix regression related to non-writeable status files
- Windows build: fix regression that broke OpenSSL EC support
- Windows build: fix "product version" display (2.5..4 -> 2.5.4)
- Windows build: fix regression preventing use of PKCS12 files
- improve "make check" to notice if "openvpn --show-cipher" crashes
- improve argv unit tests
- ensure unit tests work with mbedTLS builds without BF-CBC ciphers
- include "--push-remove" in the output of "openvpn --help"
- fix error in iptables syntax in example firewall.sh script
- fix "resolvconf -p" invocation in example "up" script
- fix "common_name" environment for script calls when
"--username-as-common-name" is in effect
Documentation
-------------
- move "push-peer-info" documentation from "server options" to "client"
(where it belongs)
- correct "foreign_option_{n}" typo in manpage
- update IRC information in CONTRIBUTING.rst (libera.chat)
- README.down-root: fix plugin module name
Revision 1.90 / (download) - annotate - [select for diffs], Wed Dec 8 16:06:05 2021 UTC (2 years, 4 months ago) by adam
Branch: MAIN
Changes since 1.89: +2 -1
lines
Diff to previous 1.89 (colored) to selected 1.91 (colored)
revbump for icu and libffi
Revision 1.89 / (download) - annotate - [select for diffs], Fri Oct 8 17:58:05 2021 UTC (2 years, 6 months ago) by leot
Branch: MAIN
Changes since 1.88: +3 -1
lines
Diff to previous 1.88 (colored) to selected 1.91 (colored)
openvpn: Avoid to accidentally build HTML man pages rst2html.py and rst2man.py are accidentally recognized if installed and used leading to generation of HTML man pages and PLIST mismatch.
Revision 1.88 / (download) - annotate - [select for diffs], Tue Oct 5 19:25:41 2021 UTC (2 years, 6 months ago) by adam
Branch: MAIN
Changes since 1.87: +1 -2
lines
Diff to previous 1.87 (colored) to selected 1.91 (colored)
openvpn: updated to 2.5.4 Overview of changes in 2.5.4 ============================ Bugfixes -------- - fix prompting for password on windows console if stderr redirection is in use - this breaks 2.5.x on Win11/ARM, and might also break on Win11/adm64 when released. - fix setting MAC address on TAP adapters (--lladdr) to use sitnl (was overlooked, and still used "ifconfig" calls) - various improvements for man page building (rst2man/rst2html etc) - minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on at least one platform strictly checking this) - fix minor memory leak under certain conditions in add_route() and add_route_ipv6() User-visible Changes -------------------- - documentation improvements - copyright updates where needed - better error reporting when win32 console access fails New features ------------ - also build man page on Windows builds
Revision 1.87 / (download) - annotate - [select for diffs], Wed Sep 29 19:01:10 2021 UTC (2 years, 6 months ago) by adam
Branch: MAIN
Changes since 1.86: +2 -1
lines
Diff to previous 1.86 (colored) to selected 1.91 (colored)
revbump for boost-libs
Revision 1.86 / (download) - annotate - [select for diffs], Tue Jul 27 07:35:05 2021 UTC (2 years, 8 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2021Q3-base,
pkgsrc-2021Q3
Changes since 1.85: +1 -2
lines
Diff to previous 1.85 (colored) to selected 1.91 (colored)
openvpn: updated to 2.5.3 Version 2.5.3 * Add missing free_key_ctx for auth_token * Add github actions * Implement auth-token-user * Update copyrights * openvpnmsica: properly schedule reboot in the end of installation * msvc: add ARM64 configuration * msvc: standalone building * contrib/vcpkg-ports: add pkcs11-helper port * vcpkg-ports: restore trailing whitespaces in .patch files * GitHub actions: add MSVC build * crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606) * contrib/vcpkg-ports: add openssl port with --no-autoload-config option set (CVE-2121-3606) * Fix SIGSEGV (NULL deref) receiving push "echo" * Fix build with mbedtls w/o SSL renegotiation support * Improve documentation of AUTH_PENDING related directives * Apply the connect-retry backoff to only one side of a connection
Revision 1.85 / (download) - annotate - [select for diffs], Sun May 2 08:16:40 2021 UTC (2 years, 11 months ago) by nia
Branch: MAIN
CVS Tags: pkgsrc-2021Q2-base,
pkgsrc-2021Q2
Changes since 1.84: +2 -1
lines
Diff to previous 1.84 (colored) to selected 1.91 (colored)
Recursive revbump for security/mbedtls
Revision 1.84 / (download) - annotate - [select for diffs], Thu Apr 22 13:53:15 2021 UTC (2 years, 11 months ago) by adam
Branch: MAIN
Changes since 1.83: +1 -2
lines
Diff to previous 1.83 (colored) to selected 1.91 (colored)
openvpn: updated to 2.5.2 The OpenVPN community project team is proud to release OpenVPN 2.5.2. It fixes two related security vulnerabilities (CVE-2020-15078) which under very specific circumstances allow tricking a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with ãàØäauth-gen-tokenãàor a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account. OpenVPN 2.5.2 also includes other bug fixes and improvements. Updated OpenSSL and OpenVPN GUI are included in Windows installers.
Revision 1.83 / (download) - annotate - [select for diffs], Wed Apr 21 13:25:12 2021 UTC (2 years, 11 months ago) by adam
Branch: MAIN
Changes since 1.82: +2 -2
lines
Diff to previous 1.82 (colored) to selected 1.91 (colored)
revbump for boost-libs
Revision 1.82 / (download) - annotate - [select for diffs], Thu Apr 15 11:23:09 2021 UTC (3 years ago) by ryoon
Branch: MAIN
Changes since 1.81: +2 -2
lines
Diff to previous 1.81 (colored) to selected 1.91 (colored)
*: Recursive revbump from devel/nss
Revision 1.81 / (download) - annotate - [select for diffs], Fri Apr 9 06:55:02 2021 UTC (3 years ago) by wiz
Branch: MAIN
Changes since 1.80: +2 -1
lines
Diff to previous 1.80 (colored) to selected 1.91 (colored)
*: bump PKGREVISION for nss linking fix
Revision 1.80 / (download) - annotate - [select for diffs], Wed Feb 24 19:13:50 2021 UTC (3 years, 1 month ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2021Q1-base,
pkgsrc-2021Q1
Changes since 1.79: +1 -2
lines
Diff to previous 1.79 (colored) to selected 1.91 (colored)
openvpn: updated to 2.5.1 Version 2.5.1 * Fix auth-token not being updated if auth-nocache is set * Remove auth_user_pass.wait_for_push variable * Fix port-share option with TLS-Crypt v2 * Zero initialise msghdr prior to calling sendmesg * Fix tls-auth mismatch OCC message when tls-cryptv2 is used. * build: Fix missing install of man page in certain environments * Fix too early argv freeing when registering DNS * Remove 1 second delay before running netsh * Skip DHCP renew with Wintun adapter * Change travis build scripts to use https when fetching prerequisites. * Fix line number reporting on config file errors after <inline> segments * Clarify --block-ipv6 intent and direction. * Document common uses of 'echo' directive, re-enable logging for 'echo'. * Make OPENVPN_PLUGIN_ENABLE_PF failures FATAL * clean up / rewrite sample-plugins/defer/simple.c * Fix naming error in sample-plugins/defer/simple.c * Documentation fixes around openvpn_plugin_func_v3 in openvpn-plugin.h.in * Update openvpn_plugin_func_v2 to _v3 in sample-plugins/defer/simple.c * More explicit versioning compatibility in sample-plugins/defer/simple.c * Explain structver usage in sample defer plugin. * Man page sections corrections * Quote the domain name argument passed to the wmic command * tls-crypt-v2: fix server memory leak * tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key)
Revision 1.79 / (download) - annotate - [select for diffs], Fri Feb 5 09:21:00 2021 UTC (3 years, 2 months ago) by wiz
Branch: MAIN
Changes since 1.78: +2 -1
lines
Diff to previous 1.78 (colored) to selected 1.91 (colored)
openvpn: fix installation of man page. Bump PKGREVISION.
Revision 1.78 / (download) - annotate - [select for diffs], Tue Nov 17 12:13:01 2020 UTC (3 years, 5 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2020Q4-base,
pkgsrc-2020Q4
Changes since 1.77: +1 -2
lines
Diff to previous 1.77 (colored) to selected 1.91 (colored)
openvpn: updated to 2.5.0
Overview of changes in 2.5
==========================
New features
------------
Client-specific tls-crypt keys (``--tls-crypt-v2``)
``tls-crypt-v2`` adds the ability to supply each client with a unique
tls-crypt key. This allows large organisations and VPN providers to profit
from the same DoS and TLS stack protection that small deployments can
already achieve using ``tls-auth`` or ``tls-crypt``.
ChaCha20-Poly1305 cipher support
Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN data
channel.
Improved Data channel cipher negotiation
The option ``ncp-ciphers`` has been renamed to ``data-ciphers``.
The old name is still accepted. The change in name signals that
``data-ciphers`` is the preferred way to configure data channel
ciphers and the data prefix is chosen to avoid the ambiguity that
exists with ``--cipher`` for the data cipher and ``tls-cipher``
for the TLS ciphers.
OpenVPN clients will now signal all supported ciphers from the
``data-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN
servers will select the first common cipher from the ``data-ciphers``
list instead of blindly pushing the first cipher of the list. This
allows to use a configuration like
``data-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that
prefers ChaCha20-Poly1305 but uses it only if the client supports it.
See the data channel negotiation section in the manual for more details.
Removal of BF-CBC support in default configuration:
By default OpenVPN 2.5 will only accept AES-256-GCM and AES-128-GCM as
data ciphers. OpenVPN 2.4 allows AES-256-GCM,AES-128-GCM and BF-CBC when
no --cipher and --ncp-ciphers options are present. Accepting BF-CBC can be
enabled by adding
data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC
and when you need to support very old peers also
data-ciphers-fallback BF-CBC
To offer backwards compatibility with older configs an *explicit*
cipher BF-CBC
in the configuration will be automatically translated into adding BF-CBC
to the data-ciphers option and setting data-ciphers-fallback to BF-CBC
(as in the example commands above). We strongly recommend to switching
away from BF-CBC to a more secure cipher.
Asynchronous (deferred) authentication support for auth-pam plugin.
See src/plugins/auth-pam/README.auth-pam for details.
Deferred client-connect
The ``--client-connect`` option and the connect plugin API allow
asynchronous/deferred return of the configuration file in the same way
as the auth-plugin.
Faster connection setup
A client will signal in the ``IV_PROTO`` variable that it is in pull
mode. This allows the server to push the configuration options to
the client without waiting for a ``PULL_REQUEST`` message. The feature
is automatically enabled if both client and server support it and
significantly reduces the connection setup time by avoiding one
extra packet round-trip and 1s of internal event delays.
Netlink support
On Linux, if configured without ``--enable-iproute2``, configuring IP
addresses and adding/removing routes is now done via the netlink(3)
kernel interface. This is much faster than calling ``ifconfig`` or
``route`` and also enables OpenVPN to run with less privileges.
If configured with --enable-iproute2, the ``ip`` command is used
(as in 2.4). Support for ``ifconfig`` and ``route`` is gone.
Wintun support
On Windows, OpenVPN can now use ``wintun`` devices. They are faster
than the traditional ``tap9`` tun/tap devices, but do not provide
``--dev tap`` mode - so the official installers contain both. To use
a wintun device, add ``--windows-driver wintun`` to your config
(and use of the interactive service is required as wintun needs
SYSTEM privileges to enable access).
IPv6-only operation
It is now possible to have only IPv6 addresses inside the VPN tunnel,
and IPv6-only address pools (2.4 always required IPv4 config/pools
and IPv6 was the "optional extra").
Improved Windows 10 detection
Correctly log OS on Windows 10 now.
Linux VRF support
Using the new ``--bind-dev`` option, the OpenVPN outside socket can
now be put into a Linux VRF. See the "Virtual Routing and Forwarding"
documentation in the man page.
TLS 1.3 support
TLS 1.3 support has been added to OpenVPN. Currently, this requires
OpenSSL 1.1.1+.
The options ``--tls-ciphersuites`` and ``--tls-groups`` have been
added to fine tune TLS protocol options. Most of the improvements
were also backported to OpenVPN 2.4 as part of the maintainance
releases.
Support setting DHCP search domain
A new option ``--dhcp-option DOMAIN-SEARCH my.example.com`` has been
defined, and Windows support for it is implemented (tun/tap only, no
wintun support yet). Other platforms need to support this via ``--up``
script (Linux) or GUI (OSX/Tunnelblick).
per-client changing of ``--data-ciphers`` or ``data-ciphers-fallback``
from client-connect script/dir (NOTE: this only changes preference of
ciphers for NCP, but can not override what the client announces as
"willing to accept")
Handle setting of tun/tap interface MTU on Windows
If IPv6 is in use, MTU must be >= 1280 (Windows enforces IETF requirements)
Add support for OpenSSL engines to access private key material (like TPM).
HMAC based auth-token support
The ``--auth-gen-token`` support has been improved and now generates HMAC
based user token. If the optional ``--auth-gen-token-secret`` option is
used clients will be able to seamlessly reconnect to a different server
using the same secret file or to the same server after a server restart.
Improved support for pending authentication
The protocol has been enhanced to be able to signal that
the authentication should use a secondary authentication
via web (like SAML) or a two factor authentication without
disconnecting the OpenVPN session with AUTH_FAILED. The
session will instead be stay in a authenticated state and
wait for the second factor authentication to complete.
This feature currently requires usage of the managent interface
on both client and server side. See the `management-notes.txt`
``client-pending-auth`` and ``cr-response`` commands for more
details.
VLAN support
OpenVPN servers in TAP mode can now use 802.1q tagged VLANs
on the TAP interface to separate clients into different groups
that can then be handled differently (different subnets / DHCP,
firewall zones, ...) further down the network. See the new
options ``--vlan-tagging``, ``--vlan-accept``, ``--vlan-pvid``.
802.1q tagging on the client side TAP interface is not handled
today (= tags are just forwarded transparently to the server).
Support building of .msi installers for Windows
Allow unicode search string in ``--cryptoapicert`` option (Windows)
Support IPv4 configs with /31 netmasks now
(By no longer trying to configure ``broadcast x.x.x.x'' in
ifconfig calls, /31 support "just works")
New option ``--block-ipv6`` to reject all IPv6 packets (ICMPv6)
this is useful if the VPN service has no IPv6, but the clients
might have (LAN), to avoid client connections to IPv6-enabled
servers leaking "around" the IPv4-only VPN.
``--ifconfig-ipv6`` and ``--ifconfig-ipv6-push`` will now accept
hostnames and do a DNS lookup to get the IPv6 address to use
Deprecated features
-------------------
For an up-to-date list of all deprecated options, see this wiki page:
https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
- ``ncp-disable`` has been deprecated
With the improved and matured data channel cipher negotiation, the use
of ``ncp-disable`` should not be necessary anymore.
- ``inetd`` has been deprecated
This is a very limited and not-well-tested way to run OpenVPN, on TCP
and TAP mode only, which complicates the code quite a bit for little gain.
To be removed in OpenVPN 2.6 (unless users protest).
- ``no-iv`` has been removed
This option was made into a NOOP option with OpenVPN 2.4. This has now
been completely removed.
- ``--client-cert-not-required`` has been removed
This option will now cause server configurations to not start. Use
``--verify-client-cert none`` instead.
- ``--ifconfig-pool-linear`` has been removed
This option is removed. Use ``--topology p2p`` or ``--topology subnet``
instead.
- ``--compress xxx`` is considered risky and is warned against, see below.
- ``--key-method 1`` has been removed
User-visible Changes
--------------------
- If multiple connect handlers are used (client-connect, ccd, connect
plugin) and one of the handler succeeds but a subsequent fails, the
client-disconnect-script is now called immediately. Previously it
was called, when the VPN session was terminated.
- Support for building with OpenSSL 1.0.1 has been removed. The minimum
supported OpenSSL version is now 1.0.2.
- The GET_CONFIG management state is omitted if the server pushes
the client configuration almost immediately as result of the
faster connection setup feature.
- ``--compress`` is nowadays considered risky, because attacks exist
leveraging compression-inside-crypto to reveal plaintext (VORACLE). So
by default, ``--compress xxx`` will now accept incoming compressed
packets (for compatibility with peers that have not been upgraded yet),
but will not use compression outgoing packets. This can be controlled with
the new option ``--allow-compression yes|no|asym``.
- Stop changing ``--txlen`` aways from OS defaults unless explicitly specified
in config file. OS defaults nowadays are actually larger then what we used
to configure, so our defaults sometimes caused packet drops = bad performance.
- remove ``--writepid`` pid file on exit now
- plugin-auth-pam now logs via OpenVPN logging method, no longer to stderr
(this means you'll have log messages in syslog or openvpn log file now)
- use ISO 8601 time format for file based logging now (YYYY-MM-DD hh:mm:dd)
(syslog is not affected, nor is ``--machine-readable-output``)
- ``--clr-verify`` now loads all CRLs if more than one CRL is in the same
file (OpenSSL backend only, mbedTLS always did that)
- when ``--auth-user-pass file`` has no password, and the management interface
is active, query management interface (instead of trying console query,
which does not work on windows)
- skip expired certificates in Windows certificate store (``--cryptoapicert``)
- ``--socks-proxy`` + ``--proto udp*`` will now allways use IPv4, even if
IPv6 is requested and available. Our SOCKS code does not handle IPv6+UDP,
and before that change it would just fail in non-obvious ways.
- TCP listen() backlog queue is now set to 32 - this helps TCP servers that
receive lots of "invalid" connects by TCP port scanners
- do no longer print OCC warnings ("option mismatch") about ``key-method``,
``keydir``, ``tls-auth`` and ``cipher`` - these are either gone now, or
negotiated, and the warnings do not serve a useful purpose.
- ``dhcp-option DNS`` and ``dhcp-option DNS6`` are now treated identically
(= both accept an IPv4 or IPv6 address for the nameserver)
Maintainer-visible changes
--------------------------
- the man page is now in maintained in .rst format, so building the openvpn.8
manpage from a git checkout now requires python-docutils (if this is missing,
the manpage will not be built - which is not considered an error generally,
but for package builders or ``make distcheck`` it is). Release tarballs
contain the openvpn.8 file, so unless some .rst is changed, doc-utils are
not needed for building.
- OCC support can no longer be disabled
- AEAD support is now required in the crypto library
- ``--disable-server`` has been removed from configure (so it is no longer
possible to build a client-/p2p-only OpenVPN binary) - the saving in code
size no longer outweighs the extra maintenance effort.
- ``--enable-iproute2`` will disable netlink(3) support, so maybe remove
that from package building configs (see above)
- support building with MSVC 2019
- cmocka based unit tests are now only run if cmocka is installed externally
(2.4 used to ship a local git submodule which was painful to maintain)
- ``--disable-crypto`` configure option has been removed. OpenVPN is now always
built with crypto support, which makes the code much easier to maintain.
This does not affect ``--cipher none`` to do a tunnel without encryption.
- ``--disable-multi`` configure option has been removed
Revision 1.77 / (download) - annotate - [select for diffs], Fri May 22 10:56:30 2020 UTC (3 years, 10 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2020Q3-base,
pkgsrc-2020Q3,
pkgsrc-2020Q2-base,
pkgsrc-2020Q2
Changes since 1.76: +2 -1
lines
Diff to previous 1.76 (colored) to selected 1.91 (colored)
revbump after updating security/nettle
Revision 1.76 / (download) - annotate - [select for diffs], Fri Apr 17 20:14:22 2020 UTC (4 years ago) by adam
Branch: MAIN
Changes since 1.75: +1 -2
lines
Diff to previous 1.75 (colored) to selected 1.91 (colored)
openvpn: updated to 2.4.9 OpenVPN 2.4.9 * socks: use the right function when printing struct openvpn_sockaddr * Fetch OpenSSL versions via source/old links * Fix OpenSSL error stack handling of tls_ctx_add_extra_certs * Fix OpenSSL 1.1.1 not using auto elliptic curve selection * Fix broken fragmentation logic when using NCP * Fix building with --enable-async-push in FreeBSD * Fix broken async push with NCP is used * Fix illegal client float (CVE-2020-11810) * OpenSSL: Fix --crl-verify not loading multiple CRLs in one file * Fix OpenSSL private key passphrase notices * Swap the order of checks for validating interactive service user * Move querying username/password from management interface to a function * When auth-user-pass file has no password query the management interface (if available). * Fix possibly uninitialized return value in GetOpenvpnSettings() * Fix possible access of uninitialized pipe handles * Skip expired certificates in Windows certificate store * Allow unicode search string in --cryptoapicert option * mbedTLS: Make sure TLS session survives move * docs: Add reference to X509_LOOKUP_hash_dir(3)
Revision 1.75 / (download) - annotate - [select for diffs], Sun Mar 8 16:50:57 2020 UTC (4 years, 1 month ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2020Q1-base,
pkgsrc-2020Q1
Changes since 1.74: +2 -2
lines
Diff to previous 1.74 (colored) to selected 1.91 (colored)
*: recursive bump for libffi
Revision 1.74 / (download) - annotate - [select for diffs], Sun Jan 26 17:31:53 2020 UTC (4 years, 2 months ago) by rillig
Branch: MAIN
Changes since 1.73: +2 -2
lines
Diff to previous 1.73 (colored) to selected 1.91 (colored)
all: migrate homepages from http to https pkglint -r --network --only "migrate" As a side-effect of migrating the homepages, pkglint also fixed a few indentations in unrelated lines. These and the new homepages have been checked manually.
Revision 1.73 / (download) - annotate - [select for diffs], Sat Jan 18 21:50:22 2020 UTC (4 years, 3 months ago) by jperkin
Branch: MAIN
Changes since 1.72: +2 -1
lines
Diff to previous 1.72 (colored) to selected 1.91 (colored)
*: Recursive revision bump for openssl 1.1.1.
Revision 1.72 / (download) - annotate - [select for diffs], Thu Jan 16 13:33:51 2020 UTC (4 years, 3 months ago) by jperkin
Branch: MAIN
Changes since 1.71: +1 -2
lines
Diff to previous 1.71 (colored) to selected 1.91 (colored)
*: Remove USE_OLD_DES_API. OpenSSL 1.1.1d no longer ships des_old.h, and the time for this being necessary appears to be behind us.
Revision 1.71 / (download) - annotate - [select for diffs], Mon Nov 4 12:52:13 2019 UTC (4 years, 5 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2019Q4-base,
pkgsrc-2019Q4
Changes since 1.70: +4 -5
lines
Diff to previous 1.70 (colored) to selected 1.91 (colored)
openvpn: updated to 2.4.8 Version 2.4.8 This is primarily a maintenance release with minor bugfixes and improvements. New features Support compiling with OpenSSL 1.1 without deprecated APIs handle PSS padding in cryptoapicert (necessary for TLS >= 1.2) User visible changes do not abort when hitting the combination of "--pull-filter" and "--mode server" (this got hit when starting OpenVPN servers using the windows GUI which installs a pull-filter to force ip-win32) increase listen() backlog queue to 32 (improve response behaviour on openvpn servers using TCP that get portscanned) fix and enhance documentation (INSTALL, man page, ...) Bug fixes the combination "IPv6 and proto UDP and SOCKS proxy" did not work - as a workaround, force IPv4 in this case until a full implementation for IPv6-UDP-SOCKS can be made. fix IPv6 routes on tap interfaces on OpenSolaris/OpenIndiana fix building with LibreSSL do not set pkcs11-helper 'safe fork mode' (should fix PIN querying in systemd environments) repair windows builds repair Darwin builds (remove -no-cpp-precomp flag)
Revision 1.70 / (download) - annotate - [select for diffs], Sun Nov 3 11:45:46 2019 UTC (4 years, 5 months ago) by rillig
Branch: MAIN
Changes since 1.69: +2 -2
lines
Diff to previous 1.69 (colored) to selected 1.91 (colored)
net: align variable assignments pkglint -Wall -F --only aligned --only indent -r No manual corrections.
Revision 1.69 / (download) - annotate - [select for diffs], Sat Jul 20 22:46:40 2019 UTC (4 years, 9 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2019Q3-base,
pkgsrc-2019Q3
Changes since 1.68: +2 -2
lines
Diff to previous 1.68 (colored) to selected 1.91 (colored)
*: recursive bump for nettle 3.5.1
Revision 1.68 / (download) - annotate - [select for diffs], Sun May 5 22:49:50 2019 UTC (4 years, 11 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2019Q2-base,
pkgsrc-2019Q2
Changes since 1.67: +2 -1
lines
Diff to previous 1.67 (colored) to selected 1.91 (colored)
Recursive rebvump from devel/nss
Revision 1.67 / (download) - annotate - [select for diffs], Thu Feb 21 16:22:54 2019 UTC (5 years, 1 month ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2019Q1-base,
pkgsrc-2019Q1
Changes since 1.66: +1 -2
lines
Diff to previous 1.66 (colored) to selected 1.91 (colored)
openvpn: updated to 2.4.7 OpenVPN 2.4.7 - Fix subnet topology on NetBSD (2.4). - add support for %lu in argv_printf and prevent ASSERT - buffer_list: add functions documentation - ifconfig-ipv6(-push): allow using hostnames - Properly free tuntap struct on android when emulating persist-tun - Add OpenSSL compat definition for RSA_meth_set_sign - Add support for tls-ciphersuites for TLS 1.3 - Add better support for showing TLS 1.3 ciphersuites in --show-tls - Use right function to set TLS1.3 restrictions in show-tls - Add message explaining early TLS client hello failure - Fallback to password authentication when auth-token fails - systemd: extend CapabilityBoundingSet for auth_pam - plugin: Export base64 encode and decode functions - Add %d, %u and %lu tests to test_argv unit tests. - Fix combination of --dev tap and --topology subnet across multiple platforms. - Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6. - preparing release v2.4.7 (ChangeLog, version.m4, Changes.rst) - Minor reliability layer documentation fixes - Resolves small IV_GUI_VER typo in the documentation. - Clarify and expand management interface documentation - Refactor NCP-negotiable options handling - init.c: refine functions names and description - interactive.c: fix usage of potentially uninitialized variable - options.c: fix broken unary minus usage - Remove extra token after #endif - Fix error message when using RHEL init script - man: correct a --redirection-gateway option flag - Replace M_DEBUG with D_LOW as the former is too verbose - Correct the declaration of handle in 'struct openvpn_plugin_args_open_return' - Bump version of openvpn plugin argument structs to 5 - Move get system directory to a separate function - Enable dhcp on tap adapter using interactive service - Pass the hash without the DigestInfo header to NCryptSignHash() - White-list pull-filter and script-security in interactive service - Add Interactive Service developer documentation - Detect TAP interfaces with root-enumerated hardware ID - man: add security considerations to --compress section - mbedtls: print warning if random personalisation fails - Fix memory leak after sighup - travis: add OpenSSL 1.1 Windows build - Fix --disable-crypto build - Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth' - buffer_list_aggregate_separator(): simplify code
Revision 1.66 / (download) - annotate - [select for diffs], Sun Jun 24 09:26:12 2018 UTC (5 years, 9 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2018Q4-base,
pkgsrc-2018Q4,
pkgsrc-2018Q3-base,
pkgsrc-2018Q3,
pkgsrc-2018Q2-base,
pkgsrc-2018Q2
Changes since 1.65: +2 -3
lines
Diff to previous 1.65 (colored) to selected 1.91 (colored)
openvpn: fix for NetBSD with subnet topology; remove empty DIST_SUBDIR
Revision 1.65 / (download) - annotate - [select for diffs], Fri Apr 27 06:40:28 2018 UTC (5 years, 11 months ago) by adam
Branch: MAIN
Changes since 1.64: +1 -2
lines
Diff to previous 1.64 (colored) to selected 1.91 (colored)
openvpn: 2.4.6 OpenVPN 2.4.6 management: Warn if TCP port is used without password Correct version in ChangeLog - should be 2.4.5, was mistyped as 2.4.4 Fix potential double-free() in Interactive Service (CVE-2018-9336) preparing release v2.4.6 (ChangeLog, version.m4, Changes.rst) manpage: improve description of --status and --status-version Make return code external tls key match docs Delete the IPv6 route to the "connected" network on tun close Management: warn about password only when the option is in use Avoid overflow in wakeup time computation Add missing #ifdef SSL_OP_NO_TLSv1_1/2 Check for more data in control channel
Revision 1.64 / (download) - annotate - [select for diffs], Tue Apr 17 22:29:46 2018 UTC (6 years ago) by wiz
Branch: MAIN
Changes since 1.63: +2 -1
lines
Diff to previous 1.63 (colored) to selected 1.91 (colored)
Add p11-kit to gnutls/bl3.mk and bump dependencies.
Revision 1.63 / (download) - annotate - [select for diffs], Mon Jun 26 07:21:21 2017 UTC (6 years, 9 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2018Q1-base,
pkgsrc-2018Q1,
pkgsrc-2017Q4-base,
pkgsrc-2017Q4,
pkgsrc-2017Q3-base,
pkgsrc-2017Q3,
pkgsrc-2017Q2-base,
pkgsrc-2017Q2
Changes since 1.62: +3 -1
lines
Diff to previous 1.62 (colored) to selected 1.91 (colored)
Distfile has been changed upstream
Revision 1.62 / (download) - annotate - [select for diffs], Wed May 24 20:35:12 2017 UTC (6 years, 10 months ago) by adam
Branch: MAIN
Changes since 1.61: +5 -7
lines
Diff to previous 1.61 (colored) to selected 1.91 (colored)
OpenVPN 2.4.2 Compared to OpenVPN 2.3 this is a major update with a large number of new features, improvements and fixes. Some of the major features are AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack support and more seamless connection migration when client's IP address changes (Peer-ID). Also, the new --tls-crypt feature can be used to increase users' connection privacy. Compared to OpenVPN 2.4.1 there are several bugfixes and small enhancements. A summary of the changes is available in Changes.rst.
Revision 1.61 / (download) - annotate - [select for diffs], Fri May 19 18:11:04 2017 UTC (6 years, 11 months ago) by spz
Branch: MAIN
Changes since 1.60: +1 -2
lines
Diff to previous 1.60 (colored) to selected 1.91 (colored)
update openvpn to 2.3.15
fixes DoSses: CVE-2017-7478 CVE-2017-7479
fixes PR pkg/52044
relevant excerpt of ChangeLog:
OpenVPN Change Log
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
2017.05.11 -- Version 2.3.15
David Sommerseth (5):
dev-tools: Added script for updating copyright years in files
Update copyrights
docs: Further improve --reneg-bytes and SWEET32 information
git: Merge .gitignore files into a single file
Make --cipher/--auth none more explicit on the risks
Gert Doering (1):
Document --proto udp6, tcp6, etc.
Julien Muchembled (1):
Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset
Steffan Karger (6):
Add missing includes in error.h
cleanup: merge packet_id_alloc_outgoing() into packet_id_write()
Document that OpenVPN 2.3 does not check the CRL signature
Introduce and use secure_memzero() to erase secrets
Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
Don't assert out on receiving too-large control packets (CVE-2017-7478)
2016.12.06 -- Version 2.3.14
Christian Hesse (1):
update year in copyright message
David Sommerseth (1):
Document the --auth-token option
Gert Doering (2):
Repair topology subnet on FreeBSD 11
Repair topology subnet on OpenBSD
Lev Stipakov (1):
Drop recursively routed packets
Selva Nair (4):
Support --block-outside-dns on multiple tunnels
When parsing '--setenv opt xx ..' make sure a third parameter is present
Map restart signals from event loop to SIGTERM during exit-notification wait
Correctly state the default dhcp server address in man page
Steffan Karger (1):
Clean up format_hex_ex()
2016.11.02 -- Version 2.3.13
Arne Schwabe (2):
Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
David Sommerseth (4):
t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
t_client.sh: Add support for Kerberos/ksu
t_client.sh: Improve detection if the OpenVPN process did start during tests
t_client.sh: Add prepare/cleanup possibilties for each test case
Gert Doering (5):
Do not abort t_client run if OpenVPN instance does not start.
Fix t_client runs on OpenSolaris
make t_client robust against sudoers misconfiguration
add POSTINIT_CMD_suf to t_client.sh and sample config
Fix --multihome for IPv6 on 64bit BSD systems.
Ilya Shipitsin (1):
skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
Lev Stipakov (2):
Exclude peer-id from pulled options digest
Fix compilation in pedantic mode
Samuli Seppänen (1):
Automatically cache expected IPs for t_client.sh on the first run
Steffan Karger (6):
Fix unittests for out-of-source builds
Make gnu89 support explicit
cleanup: remove code duplication in msg_test()
Update cipher-related man page text
Limit --reneg-bytes to 64MB when using small block ciphers
Add a revoked cert to the sample keys
2016.08.23 -- Version 2.3.12
Arne Schwabe (2):
Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.
Move ASSERT so external-key with OpenSSL works again
David Sommerseth (3):
Only build and run cmocka unit tests if its submodule is initialized
Another fix related to unit test framework
Remove NOP function and callers
Dorian Harmans (1):
Add CHACHA20-POLY1305 ciphersuite IANA name translations.
Ivo Manca (1):
Plug memory leak in mbedTLS backend
Jeffrey Cutter (1):
Update contrib/pull-resolv-conf/client.up for no DOMAIN
Jens Neuhalfen (2):
Add unit testing support via cmocka
Add a test for auth-pam searchandreplace
Josh Cepek (1):
Push an IPv6 CIDR mask used by the server, not the pool's size
Leon Klingele (1):
Add link to bug tracker
Samuli Seppänen (2):
Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes
Clarify the fact that build instructions in README are for release tarballs
Selva Nair (4):
Make error non-fatal while deleting address using netsh
Make block-outside-dns work with persist-tun
Ignore SIGUSR1/SIGHUP during exit notification
Promptly close the netcmd_semaphore handle after use
Steffan Karger (4):
Fix polarssl / mbedtls builds
Don't limit max incoming message size based on c2->frame
Fix '--cipher none --cipher' crash
Discourage using 64-bit block ciphers
Revision 1.60 / (download) - annotate - [select for diffs], Mon Sep 19 13:04:25 2016 UTC (7 years, 7 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2017Q1-base,
pkgsrc-2017Q1,
pkgsrc-2016Q4-base,
pkgsrc-2016Q4,
pkgsrc-2016Q3-base,
pkgsrc-2016Q3
Changes since 1.59: +2 -1
lines
Diff to previous 1.59 (colored) to selected 1.91 (colored)
Recursive PKGREVISION bump for gnutls shlib major bump.
Revision 1.59 / (download) - annotate - [select for diffs], Fri Jul 8 08:49:41 2016 UTC (7 years, 9 months ago) by jperkin
Branch: MAIN
Changes since 1.58: +1 -2
lines
Diff to previous 1.58 (colored) to selected 1.91 (colored)
Update net/openvpn to 2.3.11. Changes since 2.3.6:
2016.05.09 -- Version 2.3.11
Fixed port-share bug with DoS potential
Make intent of utun device name validation clear
Fix buffer overflow by user supplied data
Correctly report TCP connection timeout on windows.
Report Windows bitness
Fix undefined signed shift overflow
Fix build with libressl
Improve LZO, PAM and OpenSSL documentation
Ensure input read using systemd-ask-password is null terminated
Support reading the challenge-response from console
openssl: improve logging
polarssl: improve logging
Update manpage: OpenSSL might also need /dev/urandom inside chroot
socks.c: fix check on get_user_pass() return value(s)
Fix OCSP_check.sh
hardening: add safe FD_SET() wrapper openvpn_fd_set()
Fix memory leak in argv_extract_cmd_name()
Replace MSG_TEST() macro for static inline msg_test()
Restrict default TLS cipher list
Various Changes.rst fixes
Clarify mssfix documentation
Clarify --block-outside-dns documentation
Update --block-outside-dns to work on Windows Vista
2016.01.04 -- Version 2.3.10
Prepare for v2.3.10 release, list PolarSSL 1.2 to 1.3 upgrade
Make certificate expiry warning patch (091edd8e299686) work on OpenSSL 1.0.1 and earlier.
Repair IPv6 netsh calls if Win XP is detected
Use bob.example.com and alice.example.com to improve clarity of documentation
Remove unused variables from ssl_verify_polarssl.c's x509_get_serial()
Upgrade OpenVPN 2.3 to PolarSSL 1.3
Warn user if their certificate has expired
Make assert_failed() print the failed condition
cleanup: get rid of httpdigest.c type warnings
Fix regression in setups without a client certificate
polarssl: fix unreachable code
2015.12.15 -- Version 2.3.9
Show extra-certs in current parameters.
Fix commit a3160fc1bd7368395745b9cee6e40fb819f5564c
Do not set the buffer size by default but rely on the operation system default.
Remove --enable-password-save option
Reflect enable-password-save change in documentation
Also remove second instance of enable-password-save in the man page
Detect config lines that are too long and give a warning/error
Log serial number of revoked certificate
Adjust server-ipv6 documentation
Avoid partial authentication state when using --disabled in CCD configs
Make "block-outside-dns" option platform agnostic
Un-break --auth-user-pass on windows
Replace unaligned 16bit access to TCP MSS value with bytewise access
Repair test_local_addr() on WIN32
Fix possible heap overflow on read accessing getaddrinfo() result.
Fix FreeBSD-specific mishandling of gc arena pointer in create_arbitrary_remote()
remove unused gc_arena in FreeBSD close_tun()
Fix isatty() check for good.
put virtual IPv6 addresses into env
Use adapter index instead of name for windows IPv6 interface config
Client-side part for server restart notification
Use adapter index for add/delete_route_ipv6
Pass adapter index to up/down scripts
Fix VS2013 compilation
Fix privilege drop if first connection attempt fails
Support for username-only auth file.
Add CONTRIBUTING.rst
Updates to Changes.rst
Fix termination when windows suspends/sleeps
Do not hard-code windows systemroot in env_block
Handle ctrl-C and ctrl-break events on Windows
Unbreak read username password from management
Replace strdup() calls for string_alloc() calls
Check return value of ms_error_text()
Increase control channel packet size for faster handshakes
hardening: add insurance to exit on a failed ASSERT()
Fix memory leak in auth-pam plugin
Fix (potential) memory leak in init_route_list()
Fix unintialized variable in plugin_vlog()
Add macro to ensure we exit on fatal errors
Fix memory leak in add_option() by simplifying get_ipv6_addr
openssl: properly check return value of RAND_bytes()
Fix rand_bytes return value checking
Add Windows DNS Leak fix using WFP ('block-outside-dns')
Fix "White space before end tags can break the config parser"
2015.08.03 -- Version 2.3.8
Report missing endtags of inline files as warnings
Fix commit e473b7c if an inline file happens to have a line break exactly at buffer limit
Produce a meaningful error message if --daemon gets in the way of asking for passwords.
Document --daemon changes and consequences (--askpass, --auth-nocache).
Del ipv6 addr on close of linux tun interface
Fix --askpass not allowing for password input via stdin
write pid file immediately after daemonizing
Make __func__ work with Visual Studio too
fix regression: query password before becoming daemon
Fix using management interface to get passwords.
Fix overflow check in openvpn_decrypt()
2015.06.02 -- Version 2.3.7
Default gateway can't be determined on illumos/Solaris platforms
Warn that tls-auth with free form files is going to be removed from OpenVPN 2.4
autotools: Fix wrong ./configure help screen default values
down-root plugin: Replaced system() calls with execve()
down-root: Improve error messages
plugin, down-root: Fix compiler warnings
sockets: Remove the limitation of --tcp-nodelay to be server-only
plugins, down-root: Code style clean-up
pkcs11: Load p11-kit-proxy.so module by default
Make 'provider' option to --show-pkcs11-ids optional where p11-kit is present
Use OPENVPN_ETH_P_* so that <netinet/if_ether.h> is unecessary
New approach to handle peer-id related changes to link-mtu (2.3 version)
Fix incorrect use of get_ipv6_addr() for iroute options.
Print helpful error message on --mktun/--rmtun if not available.
explain effect of --topology subnet on --ifconfig
Add note about file permissions and --crl-verify to manpage.
repair --dev null breakage caused by db950be85d37
assume res_init() is always there.
Correct note about DNS randomization in openvpn.8
Disallow usage of --server-poll-timeout in --secret key mode.
slightly enhance documentation about --cipher
Enforce "serial-tests" behaviour for tests/Makefile
Revert "Enforce "serial-tests" behaviour for tests/Makefile"
On signal reception, return EAI_SYSTEM from openvpn_getaddrinfo().
Use configure.ac hack to apply serial_test AM option only if supported.
Use EAI_AGAIN instead of EAI_SYSTEM for openvpn_getaddrinfo().
Move res_init() call to inner openvpn_getaddrinfo() loop
Fix FreeBSD ifconfig for topology subnet tunnels.
Fix --redirect-private in --dev tap mode.
include ifconfig_ environment variables in --up-restart env set
Fix null pointer dereference in options.c
Fix mssfix default value in connection_list context
Manual page update for Re-enabled TLS version negotiation.
Include systemd units in the source tarball (make dist)
Updated manpage for --rport and --lport
Properly escape dashes on the man-page
Improve documentation in --script-security section of the man-page
Really fix '--cipher none' regression
Update doxygen (a bit)
Set tls-version-max to 1.1 if cryptoapicert is used
Account for peer-id in frame size calculation
Disable SSL compression
Fix frame size calculation for non-CBC modes.
Allow for CN/username of 64 characters (fixes off-by-one)
Remove unneeded parameter 'first_time' from possibly_become_daemon()
Re-enable TLS version negotiation by default
Remove size limit for files inlined in config
Improve --tls-cipher and --show-tls man page description
Re-read auth-user-pass file on (re)connect if required
Clarify --capath option in manpage
Call daemon() before initializing crypto library
Revision 1.58 / (download) - annotate - [select for diffs], Sat Mar 5 11:29:09 2016 UTC (8 years, 1 month ago) by jperkin
Branch: MAIN
CVS Tags: pkgsrc-2016Q2-base,
pkgsrc-2016Q2,
pkgsrc-2016Q1-base,
pkgsrc-2016Q1
Changes since 1.57: +2 -2
lines
Diff to previous 1.57 (colored) to selected 1.91 (colored)
Bump PKGREVISION for security/openssl ABI bump.
Revision 1.57 / (download) - annotate - [select for diffs], Tue Sep 22 02:38:32 2015 UTC (8 years, 6 months ago) by tnn
Branch: MAIN
CVS Tags: pkgsrc-2015Q4-base,
pkgsrc-2015Q4,
pkgsrc-2015Q3-base,
pkgsrc-2015Q3
Changes since 1.56: +2 -2
lines
Diff to previous 1.56 (colored) to selected 1.91 (colored)
use the correct version in solaris-tap's bl3.mk. Revbump dependees.
Revision 1.56 / (download) - annotate - [select for diffs], Sun Aug 23 14:30:40 2015 UTC (8 years, 7 months ago) by wiz
Branch: MAIN
Changes since 1.55: +2 -1
lines
Diff to previous 1.55 (colored) to selected 1.91 (colored)
Bump PKGREVISION for nettle shlib major bump.
Revision 1.55 / (download) - annotate - [select for diffs], Wed Dec 3 10:09:01 2014 UTC (9 years, 4 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2015Q2-base,
pkgsrc-2015Q2,
pkgsrc-2015Q1-base,
pkgsrc-2015Q1,
pkgsrc-2014Q4-base,
pkgsrc-2014Q4
Changes since 1.54: +1 -2
lines
Diff to previous 1.54 (colored) to selected 1.91 (colored)
Update to 2.3.6:
2014.11.28 -- Version 2.3.6
David Sommerseth (1):
systemd: Reworked the systemd unit file to handle server and client configs better
Gert Doering (1):
Add client-only support for peer-id.
Samuli Seppänen (1):
Fix to --shaper documentation on the man-page
Steffan Karger (4):
Fix assertion error when using --cipher none
Add --tls-version-max
Modernize sample keys and sample configs
Drop too-short control channel packets instead of asserting out.
2014.10.24 -- Version 2.3.5
Andris Kalnozols (2):
Fix some typos in the man page.
Do not upcase x509-username-field for mixed-case arguments.
Arne Schwabe (1):
Fix server routes not working in topology subnet with --server [v3]
David Sommerseth (4):
Improve error reporting on file access to --client-config-dir and --ccd-exclusive
Don't let openvpn_popen() keep zombies around
Add systemd unit file for OpenVPN
systemd: Use systemd functions to consider systemd availability
Gert Doering (3):
Drop incoming fe80:: packets silently now.
Fix t_lpback.sh platform-dependent failures
Call init script helpers with explicit path (./)
Heiko Hund (1):
refine assertion to allow other modes than CBC
Hubert Kario (2):
ocsp_check - signature verification and cert staus results are separate
ocsp_check - double check if ocsp didn't report any errors in execution
James Bekkema (1):
Fix socket-flag/TCP_NODELAY on Mac OS X
James Yonan (6):
Fixed several instances of declarations after statements.
In socket.c, fixed issue where uninitialized value (err) is being passed to to gai_strerror.
Explicitly cast the third parameter of setsockopt to const void * to avoid warning.
MSVC 2008 doesn't support dimensioning an array with a const var nor using %z as a printf format specifier.
Define PATH_SEPARATOR for MSVC builds.
Fixed some compile issues with show_library_versions()
Jann Horn (1):
Remove quadratic complexity from openvpn_base64_decode()
Mike Gilbert (1):
Add configure check for the path to systemd-ask-password
Philipp Hagemeister (2):
Add topology in sample server configuration file
Implement on-link route adding for iproute2
Samuel Thibault (1):
Ensure that client-connect files are always deleted
Steffan Karger (13):
Remove function without effect (cipher_ok() always returned true).
Remove unneeded wrapper functions in crypto_openssl.c
Fix bug that incorrectly refuses oid representation eku's in polar builds
Update README.polarssl
Rename ALLOW_NON_CBC_CIPHERS to ENABLE_OFB_CFB_MODE, and add to configure.
Add proper check for crypto modes (CBC or OFB/CFB)
Improve --show-ciphers to show if a cipher can be used in static key mode
Extend t_lpback tests to test all ciphers reported by --show-ciphers
Don't exit daemon if opening or parsing the CRL fails.
Fix typo in cipher_kt_mode_{cbc, ofb_cfb}() doxygen.
Fix regression with password protected private keys (polarssl)
ssl_polarssl.c: fix includes and make casts explicit
Remove unused variables from ssl_verify_openssl.c extract_x509_extension()
TDivine (1):
Fix "code=995" bug with windows NDIS6 tap driver.
Revision 1.54 / (download) - annotate - [select for diffs], Mon Sep 8 16:57:01 2014 UTC (9 years, 7 months ago) by wiedi
Branch: MAIN
CVS Tags: pkgsrc-2014Q3-base,
pkgsrc-2014Q3
Changes since 1.53: +4 -1
lines
Diff to previous 1.53 (colored) to selected 1.91 (colored)
Add SMF manifest for openvpn. Provided by Ernst Glatz in https://github.com/joyent/pkgsrc/pull/218
Revision 1.53 / (download) - annotate - [select for diffs], Sun Jul 20 17:43:29 2014 UTC (9 years, 9 months ago) by adam
Branch: MAIN
Changes since 1.52: +3 -4
lines
Diff to previous 1.52 (colored) to selected 1.91 (colored)
Changes 2.3.4: The most important change in this release is that TLS version negotiation is no longer used unless it's explicitly turned on in the configuration files, thus reverting back to the 2.3.2 behaviour as interoperability issues were encountered in 2.3.3. Other notable changes include addition of SSL library version reporting, fixing of SOCKSv5 authentication logic and making serial env exporting consistent between OpenSSL and PolarSSL. This release also contains a number of other bug fixes and small enhancements.
Revision 1.52 / (download) - annotate - [select for diffs], Wed Feb 12 23:18:24 2014 UTC (10 years, 2 months ago) by tron
Branch: MAIN
CVS Tags: pkgsrc-2014Q2-base,
pkgsrc-2014Q2,
pkgsrc-2014Q1-base,
pkgsrc-2014Q1
Changes since 1.51: +2 -1
lines
Diff to previous 1.51 (colored) to selected 1.91 (colored)
Recursive PKGREVISION bump for OpenSSL API version bump.
Revision 1.51 / (download) - annotate - [select for diffs], Wed Jul 31 06:53:21 2013 UTC (10 years, 8 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2013Q4-base,
pkgsrc-2013Q4,
pkgsrc-2013Q3-base,
pkgsrc-2013Q3
Changes since 1.50: +2 -3
lines
Diff to previous 1.50 (colored) to selected 1.91 (colored)
Changes 2.3.2:
Only print script warnings when a script is used. Remove stray mention of script-security system.
Move settings of user script into set_user_script function
Move checking of script file access into set_user_script
Provide more accurate warning message
Fix NULL-pointer crash in route_list_add_vpn_gateway().
Fix problem with UDP tunneling due to mishandled pktinfo structures.
Always push basic set of peer info values to server.
make 'explicit-exit-notify' pullable again
Fix proto tcp6 for server & non-P2MP modes
Fix Windows script execution when called from script hooks
Fixed tls-cipher translation bug in openssl-build
Fixed usage of stale define USE_SSL to ENABLE_SSL
Fix segfault when enabling pf plug-ins
Revision 1.50 / (download) - annotate - [select for diffs], Fri Jul 12 10:45:00 2013 UTC (10 years, 9 months ago) by jperkin
Branch: MAIN
Changes since 1.49: +2 -1
lines
Diff to previous 1.49 (colored) to selected 1.91 (colored)
Bump PKGREVISION of all packages which create users, to pick up change of sysutils/user_* packages.
Revision 1.49 / (download) - annotate - [select for diffs], Sun Feb 10 05:55:07 2013 UTC (11 years, 2 months ago) by manu
Branch: MAIN
CVS Tags: pkgsrc-2013Q2-base,
pkgsrc-2013Q2,
pkgsrc-2013Q1-base,
pkgsrc-2013Q1
Changes since 1.48: +16 -31
lines
Diff to previous 1.48 (colored) to selected 1.91 (colored)
Upgrade OpenVPN to 2.3.0 Bump openvpn-acct-wtmpx to add its licence and to take into account the new location of plugin directory Significant changes since 2.2.x: * Full IPv6 support * SSL layer modularised, enabling easier implementation for other SSL libraries * PolarSSL support as a drop-in replacement for OpenSSL * New plug-in API providing direct certificate access, improved logging API and easier to extend in the future * Added 'dev_type' environment variable to scripts and plug-ins - which is set to 'TUN' or 'TAP' * New feature: --management-external-key - to provide access to the encryption keys via the management interface * New feature: --x509-track option, more fine grained access to X.509 fields in scripts and plug-ins * New feature: --client-nat support * New feature: --mark which can mark encrypted packets from the tunnel, suitable for more advanced routing and firewalling * New feature: --management-query-proxy - manage proxy settings via the management interface (supercedes --http-proxy-fallback) * New feature: --stale-routes-check, which cleans up the internal routing table * New feature: --x509-username-field, where other X.509v3 fields can be used for the authentication instead of Common Name * Improved client-kill management interface command * Improved UTF-8 support - and added --compat-names to provide backwards compatibility with older scripts/plug-ins * Improved auth-pam with COMMONNAME support, passing the certificate's common name in the PAM conversation * More options can now be used inside <connection> blocks * Completely new build system, enabling easier cross-compilation and Windows builds * Much of the code has been better documented * Many documentation updates * Plenty of bug fixes and other code clean-ups
Revision 1.48 / (download) - annotate - [select for diffs], Wed Feb 6 23:23:21 2013 UTC (11 years, 2 months ago) by jperkin
Branch: MAIN
Changes since 1.47: +2 -2
lines
Diff to previous 1.47 (colored) to selected 1.91 (colored)
PKGREVISION bumps for the security/openssl 1.0.1d update.
Revision 1.47 / (download) - annotate - [select for diffs], Sat Dec 15 10:36:30 2012 UTC (11 years, 4 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2012Q4-base,
pkgsrc-2012Q4
Changes since 1.46: +2 -2
lines
Diff to previous 1.46 (colored) to selected 1.91 (colored)
Bump PKGREVISION from devel/nss 3.14.0.
Revision 1.46 / (download) - annotate - [select for diffs], Tue Oct 23 17:18:44 2012 UTC (11 years, 5 months ago) by asau
Branch: MAIN
Changes since 1.45: +1 -3
lines
Diff to previous 1.45 (colored) to selected 1.91 (colored)
Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.
Revision 1.45 / (download) - annotate - [select for diffs], Tue Mar 6 17:39:00 2012 UTC (12 years, 1 month ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2012Q3-base,
pkgsrc-2012Q3,
pkgsrc-2012Q2-base,
pkgsrc-2012Q2,
pkgsrc-2012Q1-base,
pkgsrc-2012Q1
Changes since 1.44: +2 -1
lines
Diff to previous 1.44 (colored) to selected 1.91 (colored)
Recursive PKGREVISION bump for xulrunner, nss, and nspr.
Revision 1.44 / (download) - annotate - [select for diffs], Thu Jan 19 13:26:55 2012 UTC (12 years, 3 months ago) by adam
Branch: MAIN
Changes since 1.43: +2 -3
lines
Diff to previous 1.43 (colored) to selected 1.91 (colored)
Changes 2.2.2: * Only warn about non-tackled IPv6 packets once * add missing break between "case IPv4" and "case IPv6" * bump tap driver version from 9.8 to 9.9 * log error message and exit for "win32, tun mode, tap driver version 9.8" * Backported pkcs11-related parts of 7a8d707237bb18 to 2.2 branch
Revision 1.43 / (download) - annotate - [select for diffs], Wed Aug 3 08:33:32 2011 UTC (12 years, 8 months ago) by cheusov
Branch: MAIN
CVS Tags: pkgsrc-2011Q4-base,
pkgsrc-2011Q4,
pkgsrc-2011Q3-base,
pkgsrc-2011Q3
Changes since 1.42: +10 -1
lines
Diff to previous 1.42 (colored) to selected 1.91 (colored)
rc.d script improvements: - openvpn_chrootdir variable was introduced for running openvpn in chroot - openvpn_flags variable was introduced for extra flag passed to openvpn ++pkgrevision
Revision 1.42 / (download) - annotate - [select for diffs], Fri Jul 8 10:15:31 2011 UTC (12 years, 9 months ago) by adam
Branch: MAIN
Changes since 1.41: +3 -3
lines
Diff to previous 1.41 (colored) to selected 1.91 (colored)
Changes 2.2.1: * Don't define ENABLE_PUSH_PEER_INFO if SSL is not available * Fix compiling issues with pkcs11 when --disable-management is configured * Remove support for Linux 2.2 configuration fallback * Fix compile issues when using --enable-small and --disable-ssl/--disable-crypto * Fix 2.2.0 build failure when management interface disabled * Added info about --show-proxy-settings * Documented --x509-username-field option * Updated "easy-rsa" for OpenSSL 1.0.0 * Fixes to easy-rsa/2.0 * Made domake-win builds to use easy-rsa/2.0/openssl-1.0.0.cnf * Fix a build-ca issue on Windows * Fix issues with some older GCC compilers
Revision 1.41 / (download) - annotate - [select for diffs], Thu Apr 28 07:27:24 2011 UTC (12 years, 11 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2011Q2-base,
pkgsrc-2011Q2
Changes since 1.40: +26 -29
lines
Diff to previous 1.40 (colored) to selected 1.91 (colored)
Changes 2.2.0: * Several man-page updates * Several buildsystem fixes * Fixed a bug with GUI icon deletion on upgrade from 2.2-RC or earlier * Change the default --tmp-dir path to a more suitable path * Improve the mysprintf() issue in openvpnserv.c * Fixed bug in port-share that could cause port share process to crash * Fix the --client-cert-not-required feature
Revision 1.40 / (download) - annotate - [select for diffs], Fri Apr 22 14:40:44 2011 UTC (13 years ago) by obache
Branch: MAIN
Changes since 1.39: +2 -1
lines
Diff to previous 1.39 (colored) to selected 1.91 (colored)
recursive bump from gettext-lib shlib bump.
Revision 1.39 / (download) - annotate - [select for diffs], Tue Nov 30 08:50:17 2010 UTC (13 years, 4 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2011Q1-base,
pkgsrc-2011Q1,
pkgsrc-2010Q4-base,
pkgsrc-2010Q4
Changes since 1.38: +3 -4
lines
Diff to previous 1.38 (colored) to selected 1.91 (colored)
Changes 2.1.4:
* Fix problem with special case route targets ('remote_host')
The init_route() function will leave &netlist untouched for
get_special_addr() routes ("remote_host" being one of them).
netlist is on stack, contains random garbage, and
netlist.len will not be 0 - thus, random stack data is copied from
netlist.data[] until the route_list is full.
Revision 1.38 / (download) - annotate - [select for diffs], Sun Sep 5 20:33:48 2010 UTC (13 years, 7 months ago) by adam
Branch: MAIN
CVS Tags: pkgsrc-2010Q3-base,
pkgsrc-2010Q3
Changes since 1.37: +13 -16
lines
Diff to previous 1.37 (colored) to selected 1.91 (colored)
Changes 2.1.3:
* Fixed potential local privilege escalation vulnerability in
Windows service.
* Added Python-based based alternative build system for Windows using
Visual Studio 2008 (in win directory).
* When aborting in a non-graceful way, try to execute do_close_tun in
init.c prior to daemon exit to ensure that the tun/tap interface is
closed and any added routes are deleted.
* Fixed an issue where AUTH_FAILED was not being properly delivered
to the client when a bad password is given for mid-session reauth,
causing the connection to fail without an error indication.
* Don't advance to the next connection profile on AUTH_FAILED errors.
* Fixed an issue in the Management Interface that could cause
a process hang with 100% CPU utilization in --management-client
mode if the management interface client disconnected at the
point where credentials are queried.
* Fixed an issue where if reneg-sec was set to 0 on the client,
so that the server-side value would take precedence,
the auth_deferred_expire_window function would incorrectly
return a window period of 0 seconds. In this case, the
correct window period should be the handshake window period.
* Modified ">PASSWORD:Verification Failed" management interface
notification to include a client reason string:
>PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']
* Enable exponential backoff in reliability layer retransmits.
* Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after
socket is created rather than waiting until after connect/listen.
* Management interface performance optimizations:
1. Added env-filter MI command to perform filtering on env vars
passed through as a part of --management-client-auth
2. man_write will now try to aggregate output into larger blocks
(up to 1024 bytes) for more efficient i/o
* Fixed minor issue in Windows TAP driver DEBUG builds
where non-null-terminated unicode strings were being
printed incorrectly.
* Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support
was not being compiled in.
* Proxy improvements:
* Implemented http-proxy-override and http-proxy-fallback directives to make it
easier for OpenVPN client UIs to start a pre-existing client config file with
proxy options, or to adaptively fall back to a proxy connection if a direct
connection fails.
* Implemented a key/value auth channel from client to server.
* Fixed issue where bad creds provided by the management interface
for HTTP Proxy Basic Authentication would go into an infinite
retry-fail loop instead of requerying the management interface for
new creds.
Revision 1.37 / (download) - annotate - [select for diffs], Wed Jun 16 07:30:26 2010 UTC (13 years, 10 months ago) by tnn
Branch: MAIN
CVS Tags: pkgsrc-2010Q2-base,
pkgsrc-2010Q2
Changes since 1.36: +1 -2
lines
Diff to previous 1.36 (colored) to selected 1.91 (colored)
- fix PLIST - kill some pkglint warnings
Revision 1.36 / (download) - annotate - [select for diffs], Tue Jun 15 12:05:28 2010 UTC (13 years, 10 months ago) by sborrill
Branch: MAIN
Changes since 1.35: +2 -3
lines
Diff to previous 1.35 (colored) to selected 1.91 (colored)
Updated to 2.1.1. Changes: 2009.12.11 -- Version 2.1.1 * Fixed some breakage in openvpn.spec (which is required to build an RPM distribution) where it was referencing a non-existent subdirectory in the tarball, causing it to fail (patch from David Sommerseth). 2009.12.11 -- Version 2.1.0 * Fixed a couple issues in sample plugins auth-pam.c and down-root.c. (1) Fail gracefully rather than segfault if calloc returns NULL. (2) The openvpn_plugin_abort_v1 function can potentially be called with handle == NULL. Add code to detect this case, and if so, avoid dereferencing pointers derived from handle (Thanks to David Sommerseth for finding this bug). * Documented "multihome" option in the man page. 2009.11.20 -- Version 2.1_rc22 * Fixed a client-side bug on Windows that occurred when the "dhcp-pre-release" or "dhcp-renew" options were combined with "route-gateway dhcp". The release/renew would not occur because the Windows DHCP renew function is blocking and therefore must be called from another process or thread so as not to stall the tunnel. * Added a hard failure when peer provides a certificate chain with depth > 16. Previously, a warning was issued.
Revision 1.35 / (download) - annotate - [select for diffs], Sun Jan 17 12:02:34 2010 UTC (14 years, 3 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2010Q1-base,
pkgsrc-2010Q1
Changes since 1.34: +2 -1
lines
Diff to previous 1.34 (colored) to selected 1.91 (colored)
Recursive PKGREVISION bump for jpeg update to 8.
Revision 1.34 / (download) - annotate - [select for diffs], Wed Nov 18 08:10:15 2009 UTC (14 years, 5 months ago) by manu
Branch: MAIN
CVS Tags: pkgsrc-2009Q4-base,
pkgsrc-2009Q4
Changes since 1.33: +2 -3
lines
Diff to previous 1.33 (colored) to selected 1.91 (colored)
Update to 2.1rc21. From Changelog: * Rebuilt OpenVPN Windows installer with OpenSSL 0.9.8l to address CVE-2009-3555. Note that OpenVPN has never relied on the session renegotiation capabilities that are built into the SSL/TLS protocol, therefore the fix in OpenSSL 0.9.8l (disable SSL/TLS renegotiation completely) will not adversely affect OpenVPN mid-session SSL/TLS renegotation or any other OpenVPN capabilities. * Added additional session renegotiation hardening. OpenVPN has always required that mid-session renegotiations build up a new SSL/TLS session from scratch. While the client certificate common name is already locked against changes in mid-session TLS renegotiations, we now extend this locking to the auth-user-pass username as well as all certificate content in the full client certificate chain.
Revision 1.33 / (download) - annotate - [select for diffs], Thu Nov 12 08:41:10 2009 UTC (14 years, 5 months ago) by manu
Branch: MAIN
Changes since 1.32: +2 -2
lines
Diff to previous 1.32 (colored) to selected 1.91 (colored)
NetBSD's tun driver has no broadcast support. When configured with a tun device and subnet topology, OpenVPN insisted on setting a broadcast address on the tun device, causing a fatal error. This patch fixes that, and has been submitted upstream
Revision 1.32 / (download) - annotate - [select for diffs], Fri Oct 30 19:06:06 2009 UTC (14 years, 5 months ago) by manu
Branch: MAIN
Changes since 1.31: +3 -2
lines
Diff to previous 1.31 (colored) to selected 1.91 (colored)
Add a pam option for the PAM plugin
Revision 1.31 / (download) - annotate - [select for diffs], Sun Oct 11 17:32:00 2009 UTC (14 years, 6 months ago) by jmmv
Branch: MAIN
Changes since 1.30: +2 -3
lines
Diff to previous 1.30 (colored) to selected 1.91 (colored)
Update to 2.1_rc20 from 2.1_rc13:
2009.10.01 -- Version 2.1_rc20
* Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the
redirect-gateway option by itself, without any extra parameters,
would cause the option to be ignored.
* Fixed build problem when ./configure --disable-server is used.
* Fixed ifconfig command for "topology subnet" on FreeBSD (Stefan Bethke).
* Added --remote-random-hostname option.
* Added "load-stats" management interface command to get global server
load statistics.
* Added new ./configure flags:
--disable-def-auth Disable deferred authentication
--disable-pf Disable internal packet filter
* Added "setcon" directive for interoperability with SELinux (Sebastien
Raveau).
* Optimized PUSH_REQUEST handshake sequence to shave several seconds
off of a typical client connection initiation.
* The maximum number of "route" directives (specified in the config
file or pulled from a server) can now be configured via the new
"max-routes" directive.
* Eliminated the limitation on the number of options that can be pushed
to clients, including routes. Previously, all pushed options needed
to fit within a 1024 byte options string.
* Added --server-poll-timeout option : when polling possible remote
servers to connect to in a round-robin fashion, spend no more than
n seconds waiting for a response before trying the next server.
* Added the ability for the server to provide a custom reason string
when an AUTH_FAILED message is returned to the client. This
string can be set by the server-side managment interface and read
by the client-side management interface.
* client-kill management interface command, when issued on server, will
now send a RESTART message to client.
This feature is intended to make UDP clients respond the same as TCP
clients in the case where the server issues a RESTART message in
order to force the client to reconnect and pull a new options/route
list.
2009.07.16 -- Version 2.1_rc19
* In Windows TAP driver, refactor DHCP/ARP packet injection code to
use a DPC (deferred procedure call) to defer packet injection until
IRQL < DISPATCH_LEVEL, rather than calling NdisMEthIndicateReceive
in the context of AdapterTransmit. This is an attempt to reduce kernel
stack usage, and prevent EXCEPTION_DOUBLE_FAULT BSODs that have been
observed on Vista. Updated TAP driver version number to 9.6.
* In configure.ac, use datadir instead of datarootdir for compatibility
with <autoconf-2.60.
2009.06.07 -- Version 2.1_rc18
* Fixed compile error on ./configure --enable-small
* Fixed issue introduced in r4475 (2.1-rc17) where cryptoapi.c change
does not build on Windows on non-MINGW32.
2009.05.30 -- Version 2.1_rc17
* Reduce the debug level (--verb) at which received management interface
commands are echoed from 7 to 3. Passwords will be filtered.
* Fixed race condition in management interface recv code on
Windows, where sending a set of several commands to the
management interface in quick succession might cause the
latter commands in the set to be ignored.
* Increased management interface input command buffer size
from 256 to 1024 bytes.
* Minor tweaks to Windows build system.
* Added "redirect-private" option which allows private subnets
to be pushed to the client in such a way that they don't accidently
obscure critical local addresses such as the DHCP server address and
DNS server addresses.
* Added new 'autolocal' redirect-gateway flag. When enabled, the OpenVPN
client will examine the routing table and determine whether (a) the
OpenVPN server is reachable via a locally connected interface, or (b)
traffic to the server must be forwarded through the default router.
Only add a special bypass route for the OpenVPN server if (b) is true.
If (a) is true, behave as if the 'local' flag is specified, and do not
add a bypass route.
The new 'autolocal' flag depends on the non-portable test_local_addr()
function in route.c, which is currently only implemented for Windows.
The 'autolocal' flag will act as a no-op on platforms that have not
yet defined a test_local_addr() function.
* Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for
more option content to be pushed from server to client).
* Raised D_MULTI_DROPPED debug level to 4 from 3 to filter out (at debug
levels <=3) a common and usually innocuous warning.
* Fixed issue of symbol conflicts interfering with Windows CryptoAPI
functionality (Alon Bar-Lev).
* Fixed bug where the remote_X environmental variables were not being
set correctly when the 'local' option is specifed.
2009.05.17 -- Version 2.1_rc16
* Windows installer changes:
1. ifdefed out the check Windows version code which is causing
problems on Windows 7
2. don't define SF_SELECTED if it is already defined
3. Use LZMA instead of BZIP2 compression for better compression
4. Upgraded OpenSSL to 0.9.8k
* Added the ability to read the configuration file
from stdin, when "stdin" is given as the config
file name.
* Allow "management-client" directive to be used
with unix domain sockets.
* Added errors-to-stderr option. When enabled, fatal errors
that result in the termination of the daemon will be written
to stderr.
* Added optional "nogw" (no gateway) flag to --server-bridge
to inhibit the pushing of the route-gateway parameter to
clients.
* Added new management interface command "pid" to show the
process ID of the current OpenVPN process (Angelo Laub).
* Fixed issue where SIGUSR1 restarts would fail if private
key was specified as an inline file.
* Added daemon_start_time and daemon_pid environmental variables.
* In management interface, added new ">CLIENT:ESTABLISHED" notification.
* Build fixes:
1. Fixed some issues with C++ style comments that leaked into the code.
2. Updated configure.ac to work on MinGW64.
3. Updated common.h types for _WIN64.
4. Fixed issue involving an #ifdef in a macro reference that breaks early gcc
compilers.
5. In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to
OpenVPNCryptAcquireCertificatePrivateKey to work around
a symbol conflict in MinGW-5.1.4.
2008.11.19 -- Version 2.1_rc15
* Fixed issue introduced in 2.1_rc14 that may cause a
segfault when a --plugin module is used.
* Added server-side --opt-verify option: clients that connect
with options that are incompatible with those of the server
will be disconnected (without this option, incompatible
clients would trigger a warning message in the server log
but would not be disconnected).
* Added --tcp-nodelay option: Macro that sets TCP_NODELAY socket
flag on the server as well as pushes it to connecting clients.
* Minor options check fix: --no-name-remapping is a
server-only option and should therefore generate an
error when used on the client.
* Added --prng option to control PRNG (pseudo-random
number generator) parameters. In previous OpenVPN
versions, the PRNG was hardcoded to use the SHA1
hash. Now any OpenSSL hash may be used. This is
part of an effort to remove hardcoded references to
a specific cipher or cryptographic hash algorithm.
* Cleaned up man page synopsis.
2008.11.16 -- Version 2.1_rc14
* Added AC_GNU_SOURCE to configure.ac to enable struct ucred,
with the goal of fixing a build issue on Fedora 9 that was
introduced in 2.1_rc13.
* Added additional method parameter to --script-security to preserve
backward compatibility with system() call semantics used in OpenVPN
2.1_rc8 and earlier. To preserve backward compatibility use:
script-security 3 system
* Added additional warning messages about --script-security 2
or higher being required to execute user-defined scripts or
executables.
* Windows build system changes:
Modified Windows domake-win build system to write all openvpn.nsi
input files to gen, so that gen can be disconnected from
the rest of the source tree and makensis openvpn.nsi will
still function correctly.
Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in
(commented out by default).
Added optional files SAMPCONF_CONF2 (second sample configuration
file) and SAMPCONF_DH (Diffie-Helman parameters) to Windows
build system, and may be defined in settings.in.
* Extended Management Interface "bytecount" command
to work when OpenVPN is running as a server.
Documented Management Interface "bytecount" command in
management/management-notes.txt.
* Fixed informational message in ssl.c to properly indicate
deferred authentication.
* Added server-side --auth-user-pass-optional directive, to allow
connections by clients that do not specify a username/password, when a
user-defined authentication script/module is in place (via
--auth-user-pass-verify, --management-client-auth, or a plugin module).
* Changes to easy-rsa/2.0/pkitool and related openssl.cnf:
Calling scripts can set the KEY_NAME environmental variable to set
the "name" X509 subject field in generated certificates.
Modified pkitool to allow flexibility in separating the Common Name
convention from the cert/key filename convention.
For example:
KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james
will create a client certificate/key pair of james.crt/james.key
having a Common Name of "James's Laptop" and a Name of "james".
* Added --no-name-remapping option to allow Common Name, X509 Subject,
and username strings to include any printable character including
space, but excluding control characters such as tab, newline, and
carriage-return (this is important for compatibility with external
authentication systems).
As a related change, added --status-version 3 format (and "status 3"
in the management interface) which uses the version 2 format except
that tabs are used as delimiters instead of commas so that there
is no ambiguity when parsing a Common Name that contains a comma.
Also, save X509 Subject fields to environment, using the naming
convention:
X509_{cert_depth}_{name}={value}
This is to avoid ambiguities when parsing out the X509 subject string
since "/" characters could potentially be used in the common name.
* Fixed some ifconfig-pool issues that precluded it from being combined
with --server directive.
Now, for example, we can configure thusly:
server 10.8.0.0 255.255.255.0 nopool
ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0
to have ifconfig-pool manage only a subset
of the VPN subnet.
* Added config file option "setenv FORWARD_COMPATIBLE 1" to relax
config file syntax checking to allow directives for future OpenVPN
versions to be ignored.
Revision 1.30 / (download) - annotate - [select for diffs], Mon Sep 21 12:33:31 2009 UTC (14 years, 7 months ago) by spz
Branch: MAIN
CVS Tags: pkgsrc-2009Q3-base,
pkgsrc-2009Q3
Changes since 1.29: +4 -4
lines
Diff to previous 1.29 (colored) to selected 1.91 (colored)
add an option to openvpn to enable using certificates on USB sticks or cards (etc) that are using the PKCS11 protocol
Revision 1.29 / (download) - annotate - [select for diffs], Tue May 19 08:59:27 2009 UTC (14 years, 11 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2009Q2-base,
pkgsrc-2009Q2
Changes since 1.28: +2 -2
lines
Diff to previous 1.28 (colored) to selected 1.91 (colored)
Use standard location for LICENSE line (in MAINTAINER/HOMEPAGE/COMMENT block). Uncomment some commented out LICENSE lines while here.
Revision 1.28 / (download) - annotate - [select for diffs], Fri Dec 5 08:13:35 2008 UTC (15 years, 4 months ago) by hasso
Branch: MAIN
CVS Tags: pkgsrc-2009Q1-base,
pkgsrc-2009Q1,
pkgsrc-2008Q4-base,
pkgsrc-2008Q4
Changes since 1.27: +2 -2
lines
Diff to previous 1.27 (colored) to selected 1.91 (colored)
Make it work on DragonFly 2.0 and up. Bump PKGREVISION.
Revision 1.27 / (download) - annotate - [select for diffs], Sun Nov 23 15:16:42 2008 UTC (15 years, 4 months ago) by wiz
Branch: MAIN
Changes since 1.26: +4 -5
lines
Diff to previous 1.26 (colored) to selected 1.91 (colored)
Do not unnecessarily create share/doc/openvpn, and remove it from PLIST. It wasn't created when installing the binary package. Bump PKGREVISION.
Revision 1.26 / (download) - annotate - [select for diffs], Thu Oct 9 10:57:23 2008 UTC (15 years, 6 months ago) by sborrill
Branch: MAIN
Changes since 1.25: +3 -6
lines
Diff to previous 1.25 (colored) to selected 1.91 (colored)
Update to 2.1rc13. Changes include:
2008.10.07 -- Version 2.1_rc13
* Bundled OpenSSL 0.9.8i with Windows installer.
* Management interface can now listen on a unix
domain socket, for example:
management /tmp/openvpn unix
Also added management-client-user and management-client-group
directives to control which processes are allowed to connect
to the socket.
* Copyright change to OpenVPN Technologies, Inc.
2008.09.23 -- Version 2.1_rc12
* Patched Makefile.am so that the new t_cltsrv-down.sh script becomes
part of the tarball (Matthias Andree).
* Fixed --lladdr bug introduced in 2.1-rc9 where input validation code
was incorrectly expecting the lladdr parameter to be an IP address
when it is actually a MAC address (HoverHell).
2008.09.14 -- Version 2.1_rc11
* Fixed a bug that can cause SSL/TLS negotiations in UDP mode
to fail if UDP packets are dropped.
2008.09.10 -- Version 2.1_rc10
* Added "--server-bridge" (without parameters) to enable
DHCP proxy mode: Configure server mode for ethernet
bridging using a DHCP-proxy, where clients talk to the
OpenVPN server-side DHCP server to receive their IP address
allocation and DNS server addresses.
* Added "--route-gateway dhcp", to enable the extraction
of the gateway address from a DHCP negotiation with the
OpenVPN server-side LAN.
* Fixed minor issue with --redirect-gateway bypass-dhcp or bypass-dns
on Windows. If the bypass IP address is 0.0.0.0 or 255.255.255.255,
ignore it.
* Warn when ethernet bridging that the IP address of the bridge adapter
is probably not the same address that the LAN adapter was set to
previously.
* When running as a server, warn if the LAN network address is
the all-popular 192.168.[0|1].x, since this condition commonly
leads to subnet conflicts down the road.
* Primarily on the client, check for subnet conflicts between
the local LAN and the VPN subnet.
* Added a 'netmask' parameter to get_default_gateway, to return
the netmask of the adapter containing the default gateway.
Only implemented on Windows so far. Other platforms will
return 255.255.255.0. Currently the netmask information is
only used to warn about subnet conflicts.
* Minor fix to cryptoapi.c to not compile itself unless USE_CRYPTO
and USE_SSL flags are enabled (Alon Bar-Lev).
* Updated openvpn/t_cltsrv.sh (used by "make check") to conform to new
--script-security rules. Also adds retrying if the addresses are in
use (Matthias Andree).
* Fixed build issue with ./configure --disable-socks --disable-http.
* Fixed separate compile errors in options.c and ntlm.c that occur
on strict C compilers (such as old versions of gcc) that require
that C variable declarations occur at the start of a {} block,
not in the middle.
* Workaround bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8, which
the new implementation of extract_x509_field_ssl depends on.
* LZO compression buffer overflow errors will now invalidate
the packet rather than trigger a fatal assertion.
* Fixed minor compile issue in ntlm.c (mid-block declaration).
* Added --allow-pull-fqdn option which allows client to pull DNS names
from server (rather than only IP address) for --ifconfig, --route, and
--route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names
for these options to be pulled and translated to IP addresses by default.
Now --allow-pull-fqdn will be explicitly required on the client to enable
DNS-name-to-IP-address translation of pulled options.
* 2.1_rc8 and earlier did implicit shell expansion on script
arguments since all scripts were called by system().
The security hardening changes made to 2.1_rc9 no longer
use system(), but rather use the safer execve or CreateProcess
system calls. The security hardening also introduced a
backward incompatibility with 2.1_rc8 and earlier in that
script parameters were no longer shell-expanded, so
for example:
client-connect "docc CLIENT-CONNECT"
would fail to work because execve would try to execute
a script called "docc CLIENT-CONNECT" instead of "docc"
with "CLIENT-CONNECT" as the first argument.
This patch fixes the issue, bringing the script argument
semantics back to pre 2.1_rc9 behavior in order to preserve
backward compatibility while still using execve or CreateProcess
to execute the script/executable.
* Modified ip_or_dns_addr_safe, which validates pulled DNS names,
to more closely conform to RFC 3696:
(1) DNS name length must not exceed 255 characters
(2) DNS name characters must be limited to alphanumeric,
dash ('-'), and dot ('.')
* Fixed bug in intra-session TLS key rollover that was introduced with
deferred authentication features in 2.1_rc8.
008.07.31 -- Version 2.1_rc9
* Security Fix -- affects non-Windows OpenVPN clients running
OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT
vulnerable nor are any versions of the OpenVPN server vulnerable).
An OpenVPN client connecting to a malicious or compromised
server could potentially receive an "lladdr" or "iproute" configuration
directive from the server which could cause arbitrary code execution on
the client. A successful attack requires that (a) the client has agreed
to allow the server to push configuration directives to it by including
"pull" or the macro "client" in its configuration file, (b) the client
succesfully authenticates the server, (c) the server is malicious or has
been compromised and is under the control of the attacker, and (d) the
client is running a non-Windows OS. Credit: David Wagner.
* Miscellaneous defensive programming changes to multiple
areas of the code. In particular, use of the system() call
for calling executables such as ifconfig, route, and
user-defined scripts has been completely revamped in favor
of execve() on unix and CreateProcess() on Windows.
* In Windows build, package a statically linked openssl.exe to work around
observed instabilities in the dynamic build since the migration to
OpenSSL 0.9.8h.
2008.06.11 -- Version 2.1_rc8
* Added client authentication and packet filtering capability
to management interface. In addition, allow OpenVPN plugins
to take advantage of deferred authentication and packet
filtering capability.
* Added support for client-side connection profiles.
* Fixed unbounded memory growth bug in environmental variable
code that could have caused long-running OpenVPN sessions
with many TLS renegotiations to incrementally
increase memory usage over time.
* Windows release now packages openssl-0.9.8h.
* Build system changes -- allow building on Windows using
autoconf/automake scripts (Alon Bar-Lev).
* Changes to Windows build system to make it easier to do
partial builds, with a reduced set of prerequisites,
where only a subset of OpenVPN installer
components are built. See ./domake-win comments.
* Cleanup IP address for persistence interfaces for tap and also
using ifconfig, gentoo#209055 (Alon Bar-Lev).
* Fall back to old version of extract_x509_field for OpenSSL 0.9.6.
* Clarified tcp-queue-limit man page entry (Matti Linnanvuori).
* Added new OpenVPN icon and installer graphic.
* Minor pkitool changes.
* Added --pkcs11-id-management option, which will cause OpenVPN to
query the management interface via the new NEED-STR asynchronous
notification query to get additional PKCS#11 options (Alon Bar-Lev).
* Added NEED-STR management interface asynchronous query and
"needstr" management interface command to respond to the query
(Alon Bar-Lev).
* Added Dragonfly BSD support (Francis-Gudin).
* Quote device names before passing to up/down script (Josh Cepek).
* Bracketed struct openvpn_pktinfo with #pragma pack(1) to
prevent structure padding from causing an incorrect length
to be returned by sizeof (struct openvpn_pktinfo) on 64-bit
platforms.
* On systems that support res_init, always call it
before calling gethostbyname to ensure that
resolver configuration state is current.
* Added NTLMv2 proxy support (Miroslav Zajic).
* Fixed an issue in extract_x509_field_ssl where the extraction
would fail on the first field of the subject name, such as
the common name in: /CN=foo/emailAddress=
foo@bar.comThis e-mail address is being protected from spambots. You need
JavaScript enabled to view it
* Made "Linux ip addr del failed" error nonfatal.
* Amplified --client-cert-not-required warning.
* Added #pragma pack to proto.h.
Revision 1.25 / (download) - annotate - [select for diffs], Wed Feb 20 04:24:17 2008 UTC (16 years, 2 months ago) by jlam
Branch: MAIN
CVS Tags: pkgsrc-2008Q3-base,
pkgsrc-2008Q3,
pkgsrc-2008Q2-base,
pkgsrc-2008Q2,
pkgsrc-2008Q1-base,
pkgsrc-2008Q1,
cwrapper,
cube-native-xorg-base,
cube-native-xorg
Changes since 1.24: +12 -8
lines
Diff to previous 1.24 (colored) to selected 1.91 (colored)
+ Add full DESTDIR support. + Replace unnecessary /bin/bash in easy-rsa scripts with /bin/sh. Bump the PKGREVISION to 1.
Revision 1.24 / (download) - annotate - [select for diffs], Wed Feb 13 12:07:24 2008 UTC (16 years, 2 months ago) by martti
Branch: MAIN
Changes since 1.23: +5 -5
lines
Diff to previous 1.23 (colored) to selected 1.91 (colored)
Updated net/openvpn to 2.1rc7
* Added a few extra files that exist in the svn repo but were
not being copied into the tarball by make dist.
* Fixup null interface on close, don't use ip addr flush (Alon Bar-Lev).
* Fixed options checking bug introduced in rc5 where legitimate configuration
files might elicit the error: "Options error: Parameter pkcs11_private_mode
can only be specified in TLS-mode, i.e. where --tls-server or --tls-client
is also specified."
* Added "forget-passwords" command to the management interface
(Alon Bar-Lev).
* Added --management-signal option to signal SIGUSR1 when the
management interface disconnects (Alon Bar-Lev).
* Modified command line and config file parser to allow
quoted strings using single quotes ('') (Alon Bar-Lev).
* Use pkcs11-helper as external library, can be downloaded from
https://www.opensc-project.org/pkcs11-helper (Alon Bar-Lev).
* Fixed interim memory growth issue in TCP connect loop where
"TCP: connect to %s failed, will try again in %d seconds: %s"
is output.
* Fixed bug in epoll driver in event.c, where the lack of a
handler for EPOLLHUP could cause 99% CPU usage.
* Defined ALLOW_NON_CBC_CIPHERS for people who don't
want to use a CBC cipher for OpenVPN's data channel.
* Added PLUGIN_LIBDIR preprocessor string to prepend a default
plugin directory to the dlopen search list when the user
specifies the basename of the plugin only (Marius Tomaschewski).
* Rewrote extract_x509_field and modified COMMON_NAME_CHAR_CLASS
to allow forward slash characters ("/") in the X509 common name
(Pavel Shramov).
* Allow OpenVPN to run completely unprivileged under Linux
by allowing openvpn --mktun to be used with --user and --group
to set the UID/GID of the tun device node. Also added --iproute
option to allow an alternative command to be executed in place
of the default iproute2 command (Alon Bar-Lev).
* Fixed --disable-iproute2 in ./configure to actually disable
iproute2 usage (Alon Bar-Lev).
* Added --management-forget-disconnect option -- forget
passwords when management session disconnects (Alon Bar-Lev).
Revision 1.23 / (download) - annotate - [select for diffs], Fri Jan 18 05:08:48 2008 UTC (16 years, 3 months ago) by tnn
Branch: MAIN
Changes since 1.22: +2 -1
lines
Diff to previous 1.22 (colored) to selected 1.91 (colored)
Per the process outlined in revbump(1), perform a recursive revbump on packages that are affected by the switch from the openssl 0.9.7 branch to the 0.9.8 branch. ok jlam@
Revision 1.22 / (download) - annotate - [select for diffs], Sun Jul 1 01:11:38 2007 UTC (16 years, 9 months ago) by tnn
Branch: MAIN
CVS Tags: pkgsrc-2007Q4-base,
pkgsrc-2007Q4,
pkgsrc-2007Q3-base,
pkgsrc-2007Q3
Changes since 1.21: +6 -1
lines
Diff to previous 1.21 (colored) to selected 1.91 (colored)
On SunOS, depend on net/solaris-tap to get the <net/if_tun.h> header.
Revision 1.21 / (download) - annotate - [select for diffs], Thu Jun 21 21:44:42 2007 UTC (16 years, 10 months ago) by jlam
Branch: MAIN
CVS Tags: pkgsrc-2007Q2-base,
pkgsrc-2007Q2
Changes since 1.20: +28 -26
lines
Diff to previous 1.20 (colored) to selected 1.91 (colored)
Update net/openvpn to 2.1rc4. Changes from version 2.1rc2 include: * Fixed 64-bit portability bug in time_string function (Thomas Habets). * Clean up configure on FreeBSD for recent autotool versions that require that all .h files have to be compiled. Also, FreeBSD install does not support GNU long options which the Makefile in easy-rsa/2.0 uses (not checked the others as we don't install those on Gentoo) (Roy Marples).
Revision 1.20 / (download) - annotate - [select for diffs], Wed Feb 28 11:06:21 2007 UTC (17 years, 1 month ago) by sborrill
Branch: MAIN
CVS Tags: pkgsrc-2007Q1-base,
pkgsrc-2007Q1
Changes since 1.19: +3 -3
lines
Diff to previous 1.19 (colored) to selected 1.91 (colored)
Update to 2.1rc2. Mainly bug fixes and improvements to management interface
Revision 1.19 / (download) - annotate - [select for diffs], Tue Feb 20 09:40:49 2007 UTC (17 years, 2 months ago) by sborrill
Branch: MAIN
Changes since 1.18: +7 -5
lines
Diff to previous 1.18 (colored) to selected 1.91 (colored)
Update to 2.1_rc1. Many, many improvements including: Added optional minimum-number-of-bytes parameter to --inactive directive. Added --route-metric option to set a default route metric for --route Added --lladdr option to specify the link layer (MAC) address for the tap interface on non-Windows platforms Security Vulnerability CVE-2006-1629 Extended tun device configure code to support ethernet bridging on NetBSD Added --port-share option for allowing OpenVPN and HTTPS server to share the same port number. Added --management-client option to connect as a client to management GUI app rather than be connected to as a server. Added "bytecount" command to management interface. Added --connect-timeout option to control the timeout on TCP client connection attempts (doesn't work on all OSes). This patch also makes OpenVPN signalable during TCP connection attempts. Allow ca, cert, key, and dh files to be specified inline via XML-like syntax without needing to reference an explicit file. Allow plugin and push directives to have multi-line parameter lists Added connect-retry-max option Added a backtrack-hardened system time algorithm. Added --remote-cert-ku, --remote-cert-eku, and --remote-cert-tls options for verifying certificate attributes Added PKCS#11 support Added --bind option for TCP client connections Made LZO setting pushable Plus numerous bug fixes.
Revision 1.18 / (download) - annotate - [select for diffs], Wed Jul 5 15:50:05 2006 UTC (17 years, 9 months ago) by jlam
Branch: MAIN
CVS Tags: pkgsrc-2006Q4-base,
pkgsrc-2006Q4,
pkgsrc-2006Q3-base,
pkgsrc-2006Q3
Changes since 1.17: +2 -3
lines
Diff to previous 1.17 (colored) to selected 1.91 (colored)
Update net/openvpn to 2.0.7. Changes from version 2.0.6 include fixing a Windows bug with 64bit counters which could cause intermittent crashes.
Revision 1.15.2.2 / (download) - annotate - [select for diffs], Thu Apr 13 16:08:25 2006 UTC (18 years ago) by salo
Branch: pkgsrc-2006Q1
Changes since 1.15.2.1: +2 -1
lines
Diff to previous 1.15.2.1 (colored) to branchpoint 1.15 (colored) next main 1.16 (colored) to selected 1.91 (colored)
Pullup ticket 1364 - requested by jlam NetBSD tap(4) support for openvpn Revisions pulled up: - pkgsrc/net/openvpn/Makefile 1.17 - pkgsrc/net/openvpn/distinfo 1.8 - pkgsrc/net/openvpn/patches/patch-ab 1.4 - pkgsrc/net/openvpn/patches/patch-ac 1.3 - pkgsrc/net/openvpn/patches/patch-ad 1.1 - pkgsrc/net/openvpn/patches/patch-ae 1.1 - pkgsrc/net/openvpn/patches/patch-af 1.1 Module Name: pkgsrc Committed By: jlam Date: Tue Apr 11 20:09:52 UTC 2006 Modified Files: pkgsrc/net/openvpn: Makefile distinfo Added Files: pkgsrc/net/openvpn/patches: patch-ab patch-ac patch-ad patch-ae patch-af Log Message: Add support for NetBSD's cloning tap device to support "device tap" configurations. Changes supplied in PR pkg/32929 by Alan Barrett. Bump PKGREVISION to 1.
Revision 1.17 / (download) - annotate - [select for diffs], Tue Apr 11 20:09:52 2006 UTC (18 years ago) by jlam
Branch: MAIN
CVS Tags: pkgsrc-2006Q2-base,
pkgsrc-2006Q2
Changes since 1.16: +2 -1
lines
Diff to previous 1.16 (colored) to selected 1.91 (colored)
Add support for NetBSD's cloning tap device to support "device tap" configurations. Changes supplied in PR pkg/32929 by Alan Barrett. Bump PKGREVISION to 1.
Revision 1.15.2.1 / (download) - annotate - [select for diffs], Wed Apr 5 14:09:36 2006 UTC (18 years ago) by salo
Branch: pkgsrc-2006Q1
Changes since 1.15: +7 -9
lines
Diff to previous 1.15 (colored) to selected 1.91 (colored)
Pullup ticket 1327 - requested by jlam
Security update for openvpn
Revisions pulled up:
- pkgsrc/net/openvpn/Makefile 1.16
- pkgsrc/net/openvpn/distinfo 1.7
Module Name: pkgsrc
Committed By: jlam
Date: Wed Apr 5 13:49:26 UTC 2006
Modified Files:
pkgsrc/net/openvpn: Makefile distinfo
Log Message:
Update net/openvpn to 2.0.6. Changes from version 2.0.5 include:
* [security] An OpenVPN client connecting to a malicious or compromised
server could potentially receive "setenv" configuration directives
from the server which could cause arbitrary code execution on the
client via a LD_PRELOAD attack. A successful attack appears to
require that (a) the client has agreed to allow the server to push
configuration directives to it by including "pull" or the macro
"client" in its configuration file, (b) the client configuration
file uses a scripting directive such as "up" or "down", (c) the
client succesfully authenticates the server, (d) the server is
malicious or has been compromised and is under the control of the
attacker, and (e) the attacker has at least some level of pre-existing
control over files on the client (this might be accomplished by
having the server respond to a client web request with a specially
crafted file). The fix is to disallow "setenv" to be pushed to
clients from the server. For those who need this capability, OpenVPN
2.1 supports a new "setenv-safe" directive which is free of this
vulnerability.
* When deleting routes under Linux, use the route metric as a
differentiator to ensure that the route teardown process only deletes
the identical route which was originally added via the "route"
directive (Roy Marples).
* Fix the t_cltsrv.sh file in FreeBSD 4 jails (Matthias Andree, Dirk
Meyer, Vasil Dimov).
* Extended tun device configure code to support ethernet bridging on
NetBSD (Emmanuel Kasper).
Revision 1.16 / (download) - annotate - [select for diffs], Wed Apr 5 13:49:26 2006 UTC (18 years ago) by jlam
Branch: MAIN
Changes since 1.15: +7 -9
lines
Diff to previous 1.15 (colored) to selected 1.91 (colored)
Update net/openvpn to 2.0.6. Changes from version 2.0.5 include: * [security] An OpenVPN client connecting to a malicious or compromised server could potentially receive "setenv" configuration directives from the server which could cause arbitrary code execution on the client via a LD_PRELOAD attack. A successful attack appears to require that (a) the client has agreed to allow the server to push configuration directives to it by including "pull" or the macro "client" in its configuration file, (b) the client configuration file uses a scripting directive such as "up" or "down", (c) the client succesfully authenticates the server, (d) the server is malicious or has been compromised and is under the control of the attacker, and (e) the attacker has at least some level of pre-existing control over files on the client (this might be accomplished by having the server respond to a client web request with a specially crafted file). The fix is to disallow "setenv" to be pushed to clients from the server. For those who need this capability, OpenVPN 2.1 supports a new "setenv-safe" directive which is free of this vulnerability. * When deleting routes under Linux, use the route metric as a differentiator to ensure that the route teardown process only deletes the identical route which was originally added via the "route" directive (Roy Marples). * Fix the t_cltsrv.sh file in FreeBSD 4 jails (Matthias Andree, Dirk Meyer, Vasil Dimov). * Extended tun device configure code to support ethernet bridging on NetBSD (Emmanuel Kasper).
Revision 1.15 / (download) - annotate - [select for diffs], Sat Mar 4 21:30:22 2006 UTC (18 years, 1 month ago) by jlam
Branch: MAIN
CVS Tags: pkgsrc-2006Q1-base
Branch point for: pkgsrc-2006Q1
Changes since 1.14: +2 -2
lines
Diff to previous 1.14 (colored) to selected 1.91 (colored)
Point MAINTAINER to pkgsrc-users@NetBSD.org in the case where no developer is officially maintaining the package. The rationale for changing this from "tech-pkg" to "pkgsrc-users" is that it implies that any user can try to maintain the package (by submitting patches to the mailing list). Since the folks most likely to care about the package are the folks that want to use it or are already using it, this would leverage the energy of users who aren't developers.
Revision 1.14 / (download) - annotate - [select for diffs], Thu Dec 29 06:22:01 2005 UTC (18 years, 3 months ago) by jlam
Branch: MAIN
Changes since 1.13: +1 -2
lines
Diff to previous 1.13 (colored) to selected 1.91 (colored)
Remove USE_PKGINSTALL from pkgsrc now that mk/install/pkginstall.mk automatically detects whether we want the pkginstall machinery to be used by the package Makefile.
Revision 1.13 / (download) - annotate - [select for diffs], Mon Dec 5 23:55:14 2005 UTC (18 years, 4 months ago) by rillig
Branch: MAIN
CVS Tags: pkgsrc-2005Q4-base,
pkgsrc-2005Q4
Changes since 1.12: +2 -2
lines
Diff to previous 1.12 (colored) to selected 1.91 (colored)
Ran "pkglint --autofix", which corrected some of the quoting issues in CONFIGURE_ARGS.
Revision 1.12 / (download) - annotate - [select for diffs], Mon Dec 5 20:50:48 2005 UTC (18 years, 4 months ago) by rillig
Branch: MAIN
Changes since 1.11: +2 -2
lines
Diff to previous 1.11 (colored) to selected 1.91 (colored)
Fixed pkglint warnings. The warnings are mostly quoting issues, for
example MAKE_ENV+=FOO=${BAR} is changed to MAKE_ENV+=FOO=${BAR:Q}. Some
other changes are outlined in
http://mail-index.netbsd.org/tech-pkg/2005/12/02/0034.html
Revision 1.10.2.1 / (download) - annotate - [select for diffs], Sat Nov 5 20:17:18 2005 UTC (18 years, 5 months ago) by seb
Branch: pkgsrc-2005Q3
Changes since 1.10: +2 -4
lines
Diff to previous 1.10 (colored) next main 1.11 (colored) to selected 1.91 (colored)
Pullup ticket 884 - requested by Lubomir Sedlacik
security update of net/openvpn
Revisions pulled up:
- pkgsrc/net/openvpn/Makefile 1.11
- pkgsrc/net/openvpn/distinfo 1.6
- pkgsrc/net/openvpn/files/openvpn.sh 1.3
Module Name: pkgsrc
Committed By: salo
Date: Thu Nov 3 14:31:19 UTC 2005
Modified Files:
pkgsrc/net/openvpn: Makefile distinfo
pkgsrc/net/openvpn/files: openvpn.sh
Log Message:
Security update to version 2.0.5.
Changes:
2.0.5:
======
- Fixed bug in Linux get_default_gateway function
introduced in 2.0.4, which would cause redirect-gateway
on Linux clients to fail.
- Restored easy-rsa/2.0 tree (backported from 2.1 beta
series) which accidentally disappeared in
2.0.2 -> 2.0.4 transition.
2.0.4:
======
- Security fix -- Affects non-Windows OpenVPN clients of
version 2.0 or higher which connect to a malicious or
compromised server. A format string vulnerability
in the foreign_option function in options.c could
potentially allow a malicious or compromised server
to execute arbitrary code on the client. Only
non-Windows clients are affected. The vulnerability
only exists if (a) the client's TLS negotiation with
the server succeeds, (b) the server is malicious or
has been compromised such that it is configured to
push a maliciously crafted options string to the client,
and (c) the client indicates its willingness to accept
pushed options from the server by having "pull" or
"client" in its configuration file (Credit: Vade79).
CVE-2005-3393
- Security fix -- Potential DoS vulnerability on the
server in TCP mode. If the TCP server accept() call
returns an error status, the resulting exception handler
may attempt to indirect through a NULL pointer, causing
a segfault. Affects all OpenVPN 2.0 versions.
CVE-2005-3409
- Fix attempt of assertion at multi.c:1586 (note that
this precise line number will vary across different
versions of OpenVPN).
- Added ".PHONY: plugin" to Makefile.am to work around
"make dist" issue.
- Fixed double fork issue that occurs when --management-hold
is used.
- Moved TUN/TAP read/write log messages from --verb 8 to 6.
- Warn when multiple clients having the same common name or
username usurp each other when --duplicate-cn is not used.
- Modified Windows and Linux versions of get_default_gateway
to return the route with the smallest metric
if multiple 0.0.0.0/0.0.0.0 entries are present.
2.0.3:
======
- openvpn_plugin_abort_v1 function wasn't being properly
registered on Windows.
- Fixed a bug where --mode server --proto tcp-server --cipher none
operation could cause tunnel packet truncation.
Revision 1.11 / (download) - annotate - [select for diffs], Thu Nov 3 14:31:19 2005 UTC (18 years, 5 months ago) by salo
Branch: MAIN
Changes since 1.10: +2 -4
lines
Diff to previous 1.10 (colored) to selected 1.91 (colored)
Security update to version 2.0.5. Changes: 2.0.5: ====== - Fixed bug in Linux get_default_gateway function introduced in 2.0.4, which would cause redirect-gateway on Linux clients to fail. - Restored easy-rsa/2.0 tree (backported from 2.1 beta series) which accidentally disappeared in 2.0.2 -> 2.0.4 transition. 2.0.4: ====== - Security fix -- Affects non-Windows OpenVPN clients of version 2.0 or higher which connect to a malicious or compromised server. A format string vulnerability in the foreign_option function in options.c could potentially allow a malicious or compromised server to execute arbitrary code on the client. Only non-Windows clients are affected. The vulnerability only exists if (a) the client's TLS negotiation with the server succeeds, (b) the server is malicious or has been compromised such that it is configured to push a maliciously crafted options string to the client, and (c) the client indicates its willingness to accept pushed options from the server by having "pull" or "client" in its configuration file (Credit: Vade79). CVE-2005-3393 - Security fix -- Potential DoS vulnerability on the server in TCP mode. If the TCP server accept() call returns an error status, the resulting exception handler may attempt to indirect through a NULL pointer, causing a segfault. Affects all OpenVPN 2.0 versions. CVE-2005-3409 - Fix attempt of assertion at multi.c:1586 (note that this precise line number will vary across different versions of OpenVPN). - Added ".PHONY: plugin" to Makefile.am to work around "make dist" issue. - Fixed double fork issue that occurs when --management-hold is used. - Moved TUN/TAP read/write log messages from --verb 8 to 6. - Warn when multiple clients having the same common name or username usurp each other when --duplicate-cn is not used. - Modified Windows and Linux versions of get_default_gateway to return the route with the smallest metric if multiple 0.0.0.0/0.0.0.0 entries are present. 2.0.3: ====== - openvpn_plugin_abort_v1 function wasn't being properly registered on Windows. - Fixed a bug where --mode server --proto tcp-server --cipher none operation could cause tunnel packet truncation.
Revision 1.10 / (download) - annotate - [select for diffs], Sun Sep 18 03:11:39 2005 UTC (18 years, 7 months ago) by jlam
Branch: MAIN
CVS Tags: pkgsrc-2005Q3-base
Branch point for: pkgsrc-2005Q3
Changes since 1.9: +2 -1
lines
Diff to previous 1.9 (colored) to selected 1.91 (colored)
Add a "reset" action to the openvpn rc.d script which triggers a SIGUSR1 reset of the openvpn process. This is useful for simplifying dhclient-exit-hooks hook scripts that need to tell the openvpn process to reset and re-run its "up" script. Bump the PKGREVISION of net/openvpn to 1.
Revision 1.9 / (download) - annotate - [select for diffs], Thu Sep 1 03:40:42 2005 UTC (18 years, 7 months ago) by jlam
Branch: MAIN
Changes since 1.8: +2 -2
lines
Diff to previous 1.8 (colored) to selected 1.91 (colored)
Update net/openvpn to 2.0.2. Changes from version 2.0.1 include: * Fixed bug in route.c in FreeBSD, Darwin, OpenBSD and NetBSD version of get_default_gateway. Allocated socket for route manipulation is never freed so number of mbufs continuously grow and exhaust system resources after a while (Jaroslav Klaus). * Fixed bug where "--proto tcp-server --mode p2p --management host port" would cause the management port to not respond until the OpenVPN peer connects.
Revision 1.8 / (download) - annotate - [select for diffs], Wed Aug 17 19:55:57 2005 UTC (18 years, 8 months ago) by jlam
Branch: MAIN
Changes since 1.7: +69 -21
lines
Diff to previous 1.7 (colored) to selected 1.91 (colored)
Update net/openvpn to version 2.0.1. Major changes from version 1.6.0
include:
Adding a highly scalable server for handling multiple TCP/UDP
clients over point-to-point TUN interfaces, all using a single
port number. The server has been designed so that it can run with
reduced privilege.
On the client side, "pull" has been added, which basically says
"accept certain config file options which the server pushes back
to you." The major win of the push/pull capability is that the
same client configuration file can be used on each client provided
each client has its own set of SSL/TLS keys which have been signed
by the master CA.
A management interface has been developed which can be used to
remotely control or centrally manage an OpenVPN daemon.
"remote" can now specify a set of machines, or a hostname can be
configured with multiple addresses in DNS. A server will be
randomly chosen from the list, and if the connect fails, another
will be tried (see the "remote-random" option)
A package for easy RSA key management (easy-rsa-2.0rc1) has been
included to aid in generating SSL keys and certificates for use
with OpenVPN.
Revision 1.7 / (download) - annotate - [select for diffs], Mon Apr 11 21:46:53 2005 UTC (19 years ago) by tv
Branch: MAIN
CVS Tags: pkgsrc-2005Q2-base,
pkgsrc-2005Q2
Changes since 1.6: +1 -2
lines
Diff to previous 1.6 (colored) to selected 1.91 (colored)
Remove USE_BUILDLINK3 and NO_BUILDLINK; these are no longer used.
Revision 1.6 / (download) - annotate - [select for diffs], Mon Feb 21 23:26:24 2005 UTC (19 years, 2 months ago) by bad
Branch: MAIN
CVS Tags: pkgsrc-2005Q1-base,
pkgsrc-2005Q1
Changes since 1.5: +2 -3
lines
Diff to previous 1.5 (colored) to selected 1.91 (colored)
Update openvpn to 1.6.0.
While here port it properly so that the route statements in the configuration
file work. Also add patches so that der Mouse's if_tap driver can be used.
Changes since 1.5.0:
2004.05.09 -- Version 1.6.0
* Unchanged from 1.6-rc4 except for version number
upgrade.
2004.04.01 -- Version 1.6-rc4
* Made minor customizations to devcon and
renamed as tapinstall.exe for Windows version.
* Fixed "storage size of `iv' isn't known" build
problem on FreeBSD.
* OpenSSL 0.9.7d bundled with Windows self-install.
2004.03.13 -- Version 1.6-rc3
* Minor Windows fixes for --ip-win32 dynamic, relating to
the way the TAP-Win32 driver responds to a DHCP request
from the Windows DHCP client.
* The net_gateway environmental variable wasn't being
set correctly for called scripts (Paul Zuber).
* Added code to determine the default gateway on FreeBSD,
allowing the --redirect-gateway option to work
(Juan Rodriguez Hervella).
2004.03.04 -- Version 1.6-rc2
* Fixed bug in Windows version where the NetBIOS node-type
DHCP option might have been passed even if it was not
specified.
* Fixed bug in Windows version introduced in 1.6-rc1, where
DHCP timeout would be set to 0 seconds if --ifconfig option
was used and --ip-win32 option was not explicitly specified.
* Added some new --dhcp-option types for Windows version.
2004.03.02 -- Version 1.6-rc1
* For Windows, make "--ip-win32 dynamic" the default.
* For Windows, make "--route-delay 10" the default
unless --ip-win32 dynamic is not used or --route-delay
is explicitly specified.
* L_TLS mutex could have been left in a locked state
for certain kinds of TLS errors.
2004.02.22 -- Version 1.6-beta7
* Allow scheduling priority increase (--nice) together
with UID/GID downgrade (--user/--group).
* Code that causes SIGUSR1 restart on TLS errors in TCP
mode was not activated in pthread builds.
* Save the certificate serial number in an environmental
variable called tls_serial_{n} prior to calling the
--tls-verify script. n is the current cert chain level.
* Added NetBSD IPv6 tunnel capability (also requires
a kernel patch) (Horst Laschinsky).
* Fixed bug in checking the return value of the nice()
function (Ian Pilcher).
* Bug fix in new FreeBSD IPv6 over TUN code which was
originally added in 1.6-beta5 (Nathanael Rensen).
* More Socks5 fixes -- extended the struct frame
infrastructure to accomodate proxy-based encapsulation
overhead.
* Added --dhcp-option to Windows version for setting
adapter properties such as WINS & DNS servers.
* Use a default route-delay of 5 seconds when
--ip-win32 dynamic is specified (only applicable when
--route-delay is not explicitly specified).
* Added "log_append" registry variable to control
whether the OpenVPN service wrapper on Windows
opens log files in append (log_append="1") or
truncate (log_append="0") mode. The default
is truncate.
2004.02.05 -- Version 1.6-beta6
* UDP over Socks5 fix to accomodate Socks5 encapsulation
overhead (Christof Meerwald).
* Minor --ip-win32 dynamic tweaks (use long lease time,
invalidate existing lease with DHCPNAK).
2004.02.01 -- Version 1.6-beta5
* Added Socks5 proxy support (Christof Meerwald).
* IPv6 tun support for FreeBSD (Thomas Glanzmann).
* Special TAP-Win32 debug mode for Windows self-install that was
enabled in beta4 is now turned off.
* Added some new Solaris notes to INSTALL (Koen Maris).
* More work on --ip-win32 dynamic.
2004.01.27 -- Version 1.6-beta4
* For this beta, the Windows self-install is a debug version
and will run slower -- use only for testing.
* Reverted the --ip-win32 default back to 'ipapi'
from 'dynamic'.
* Added the offset parameter to '--ip-win32 dynamic' which
can be used to control the address of the masqueraded
DHCP server which replies to Windows DHCP requests.
* Added a wait/nowait option to --inetd (nowait can only
be used with TCP sockets, TLS authentication, and over
a bridged configuration -- see FAQ for more info)
(Stefan `Sec` Zehl).
* Added a build-time capability where TAP-Win32 driver
debug messages can be output by OpenVPN at --verb 6
or higher.
2004.01.20 -- Version 1.6-beta2
* Added ./configure --enable-iproute2 flag which
uses iproute2 instead of route + ifconfig --
this is necessary for the LEAF Linux distro
(Martin Hejl).
* Added renewal-time and rebind-time to set of
DHCP options returned by the TAP-Win32 driver when
"--ip-win32 dynamic" is used.
2004.01.14 -- Version 1.6-beta1
* Fixed --proxy bug that sometimes caused plaintext
control info generated by the proxy prior to http
CONNECT method establishment to be incorrectly
parsed as OpenVPN data.
* For Windows version, implemented the
"--ip-win32 dynamic" method and made it the default.
This method sets the TAP-Win32 adapter IP address
and netmask by replying to the kernel's DHCP queries.
See the man page for more detailed info.
* Added --connect-retry parameter which controls
the time interval (in seconds) between connect()
retries when --proto tcp-client is used. Previously,
this value was hardcoded to 5 seconds, and still
defaults as such.
* --resolv-retry can now be used with a parameter
of "infinite" to retry indefinitely.
* Added SSL_CTX_use_certificate_chain_file() to ssl.c
for support of multi-level certificate chains
(Sten Kalenda).
* Fixed --tls-auth incompatibility with 1.4.x and earlier
versions of OpenVPN when the passphrase file is an
OpenVPN static key file (as generated by --genkey).
* Added shell-escape support in config files using
the backslash character ("\") so that (for example)
double quotes can be passed to the shell.
* Added "contrib" subdirectory on tarball, source zip,
and CVS containing user-submitted contributions.
* Added an optional patch to the Redhat init script to
allow the configuration file directory to be a
multi-level directory hierarchy (Farkas Levente).
See contrib/multilevel-init.patch
* Added some scripts and documentation on using
Linux "fwmark" iptables rules to enable
fine-grained routing control over the VPN
(Sean Reifschneider, <jafo@tummy.com>).
See contrib/openvpn-fwmarkroute-1.00
Revision 1.5 / (download) - annotate - [select for diffs], Sun Oct 3 00:17:57 2004 UTC (19 years, 6 months ago) by tv
Branch: MAIN
CVS Tags: pkgsrc-2004Q4-base,
pkgsrc-2004Q4
Changes since 1.4: +2 -2
lines
Diff to previous 1.4 (colored) to selected 1.91 (colored)
Libtool fix for PR pkg/26633, and other issues. Update libtool to 1.5.10 in the process. (More information on tech-pkg.) Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and installing .la files. Bump PKGREVISION (only) of all packages depending directly on the above via a buildlink3 include.
Revision 1.4 / (download) - annotate - [select for diffs], Sun Apr 11 07:23:57 2004 UTC (20 years ago) by snj
Branch: MAIN
CVS Tags: pkgsrc-2004Q3-base,
pkgsrc-2004Q3,
pkgsrc-2004Q2-base,
pkgsrc-2004Q2
Changes since 1.3: +4 -4
lines
Diff to previous 1.3 (colored) to selected 1.91 (colored)
Convert to buildlink3.
Revision 1.3 / (download) - annotate - [select for diffs], Fri Mar 26 02:27:48 2004 UTC (20 years ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2004Q1-base,
pkgsrc-2004Q1
Changes since 1.2: +2 -1
lines
Diff to previous 1.2 (colored) to selected 1.91 (colored)
PKGREVISION bump after openssl-security-fix-update to 0.9.6m. Buildlink files: RECOMMENDED version changed to current version.
Revision 1.2 / (download) - annotate - [select for diffs], Thu Feb 12 23:11:12 2004 UTC (20 years, 2 months ago) by xtraeme
Branch: MAIN
Changes since 1.1: +2 -2
lines
Diff to previous 1.1 (colored) to selected 1.91 (colored)
MAINTAINER should be tech-pkg@ not packages@...
Revision 1.1.1.1 / (download) - annotate - [select for diffs] (vendor branch), Tue Feb 10 12:39:17 2004 UTC (20 years, 2 months ago) by wulf
Branch: TNF
CVS Tags: pkgsrc-base
Changes since 1.1: +0 -0
lines
Diff to previous 1.1 (colored) to selected 1.91 (colored)
Initial commit of openvpn-1.5.0: A robust and highly configurable VPN
Revision 1.1 / (download) - annotate - [select for diffs], Tue Feb 10 12:39:17 2004 UTC (20 years, 2 months ago) by wulf
Branch: MAIN
Diff to selected 1.91 (colored)
Initial revision