OpenVPN Release 2.7_beta1

version.m4, ChangeLog, Changes.rst

Changes.rst has not received an "2.7_beta1" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta releases
it's better to look at git log to see what has been added/fixed.

New features alpha3 -> beta1 are
  - a large number of signed/unsigned related warnings have been fixed
  - bugfixes in --dns-updown script for linux systems using resolvconf
  - rewrite of the management interface "bytecount" infastructure to better
    interact with DCO
  - PUSH_UPDATE server support (via management interface)
  - introduction of route_redirect_gateway_ipv4 and _ipv6 env variables
  - speeding up t_client tests by reducing per-test startup delay 3s -> 1s

The biggest noticeable difference in beta1 is the reformatting using
clang-format, leaving uncrustify as that wasn't stable across versions.

Signed-off-by: Gert Doering <gert@greenie.muc.de>

ChangeLog

@@ -1,6 +1,71 @@
 OpenVPN ChangeLog
 Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
 
+2025.09.04 -- Version 2.7_beta1
+
+Arne Schwabe (1):
+      Check message id/acked ids too when doing sessionid cookie checks
+
+Frank Lichtenheld (27):
+      Update text of GPL to latest version from FSF
+      Update GPL header in all source files to current recommended version
+      Define a .clang-format file for the project
+      Disable clang-format for some code parts
+      Update git-pre-commit-uncrustify.sh to handle clang-format
+      GHA: enable -Werror for mbedTLS v3 and AWS LC builds
+      Reformat the whole project with clang-format
+      Fix build error with clang-cl on latest Windows SDK
+      clang-format: Switch to ColumnLimit 0
+      Add clang-format reformat commit to .git-blame-ignore-revs
+      Remove uncrustify config and reformat-all.sh
+      buffer: remove unused function buf_write_alloc_prepend
+      t_client.sh: Do not wait 3 seconds for OpenVPN to come up
+      Collect trivial conversion fixes
+      options: Fix --hash-size virtual argument
+      Clean up documentation for --tun-mtu-max
+      comp: Make sure comp flags are treated as unsigned
+      crypto: Make sure crypto flags are treated as unsigned
+      options: Make sure option types are treated as unsigned
+      route: Make sure various route flags are treated as unsigned
+      socket: Create socket_util with non-socket functions
+      Add new unit test module test_socket
+      socket_util: Clean up conversion warnings in add_in6_addr
+      manage: Make sure various management flags are treated as unsigned
+      forward: Make sure pip flags are treated as unsigned
+      options: Introduce atoi_constrained and review usages of atoi_warn
+      ssl_openssl: Fix type of sslopts argument to SSL_CTX_set_options
+
+Gert Doering (3):
+      Remove use of 'dh dh2048.pem' from sample configs, remove 'dh2048.pem' file
+      Introduce env variables to communicate desired gateway redirection to NM.
+      OpenVPN Release 2.7_beta1
+
+Gianmarco De Gregori (1):
+      dco: avoid printing mi prefix on debug messages
+
+Heiko Hund (1):
+      dns: fix systemd dns-updown script
+
+Ilia Shipitsin (1):
+      GHA: limit 'Deploy Doxygen documentation' to main repo only
+
+Lev Stipakov (3):
+      Log setting DNS via NRPT
+      dco-win: add support for multipeer stats
+      Refactor management bytecount tracking
+
+Marco Baffo (1):
+      PUSH_UPDATE message sender: enabling the server to send PUSH_UPDATE control messages
+
+Ralf Lici (3):
+      management: resync timer on bytecount interval change
+      dco_linux: validate tun interface before fetching stats
+      management: stop bytecount on client disconnection
+
+Samuli Seppänen (2):
+      Add sample FFDH parameters file and use that in t_server_null tests
+
+
 2025.07.31 -- Version 2.7_alpha3
 
 Antonio Quartulli (10):

Changes.rst

@@ -131,11 +131,23 @@ PUSH_UPDATE client support
     implementation for OpenVPN 2.x is still under development.
     See also: https://openvpn.github.io/openvpn-rfc/openvpn-wire-protocol.html
 
+PUSH_UPDATE server support (minimal)
+    new management interface commands ``push-update-broad`` and
+    ``push-update-cid`` to send PUSH_UPDATE option updates to all
+    clients ("there is a new DNS server") or only a specific client ID
+    ("privileges have changed, here's a new IP address").  See
+    doc/management-notes.txt
+
 Support for user-defined routing tables on Linux
     see the ``--route-table`` option in the manpage
 
 PQE support for WolfSSL
 
+Two new environment variables have been introduced to communicate desired
+    default gateway redirection to plugins like Network Manager,
+    ``route_redirect_gateway_ipv4`` and ``route_redirect_gateway_ipv6``.
+    See the "Environmental Variables" section in the man page
+
 
 Deprecated features
 -------------------
@@ -235,6 +247,24 @@ User-visible Changes
   server pushes DCO incompatible options), use the ``--disable-dco``
   option.
 
+- Apply more checks to incoming TLS handshake packets before creating
+  new state - namely, verify message ID / acked ID for "valid range for
+  an initial packet".  This fixes a problem with clients that float
+  very early but send control channel packet from the pre-float IP
+  (Github: OpenVPN/openvpn#704).
+
+- Use of ``--dh dh2048.pem`` in all sample configs has been replaced
+  with ``--dh none``.  The ``dh2048.pem`` file has been removed, and
+  has been replaced with ``ffdhe2048.pem`` for the benefit of the
+  t_server_null test (to test all variants of ``--dh``).
+
+- the startup delay in ``t_client.sh`` has been reduced from 3s to 1s,
+  making a noticeable difference for setups with many tests.
+
+- changed from using ``uncrustify`` for code formatting and pre-commit checks
+  to ``clang-format``.  This reformatted quite a bit of code, and requires
+  that regular committers change their pre-commit checks accordingly.
+
 
 Overview of changes in 2.6
 ==========================

version.m4

@@ -3,7 +3,7 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [7])
-define([PRODUCT_VERSION_PATCH], [_alpha3])
+define([PRODUCT_VERSION_PATCH], [_beta1])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])