460 commits

Author	SHA1	Message	Date
Arne Schwabe	b4cb98b5bb	Try to emphasise the transition from old ovpn-dco to new ovpn module ... This tries to ensure that the difference between the old and new module is clearer. Also removed a duplicate section about --disable-dco from the manual page. This also changes one instance of ovpn-dco to ovpn that is probably a bug when reusing a tun device. Change-Id: Iff9f6811fdf553f59f2afee0072d7bf90133d328 Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@mandelbit.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1550 Message-Id: <20260411090625.18343-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36573.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-11 16:38:41 +02:00
Luca Boccassi	49ff16dd54	management: add base64 multi-line input for passwords ... Allow management clients to send long passwords via the usual multi-line base64 encoded protocol. A client declares MCV 5 support and sends a 'password <type>' line, followed by as many lines (each up to 1024 bytes) as needed, in base64 encoded format, terminated by 'END'. This is useful when a password is a JIT-generated use-once token. Declare management version 6 for this feature. Change-Id: Ib99f171fb69d51f2260b44edf8ebe21ac958f233 Signed-off-by: Luca Boccassi <luca.boccassi@gmail.com> Acked-by: Selva Nair <selva.nair@gmail.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1593 Message-Id: <20260330180900.16608-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36360.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-06 12:38:55 +02:00
Frank Lichtenheld	ecda555404	doc: Remove some explanations for pre-2.3 configurations ... Just streamline the documentation a bit. Change-Id: Ieaaf3a79642c8f7914f9bfc6762ad601c4f5695b Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1603 Message-Id: <20260402120435.39983-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36434.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-04-04 17:51:44 +02:00
Greg Cox	c39742d1a7	Update --learn-address man page with ipv6 information ... The `--learn-address` option is very v4-specific in its man page. This expands the docs based on things I tripped over when bringing up a dual-stack server. Signed-off-by: Greg Cox <gcox@mozilla.com> Github: closes OpenVPN/openvpn#1009 Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20260330231355.84547-2-gcox@mozilla.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36363.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-03-31 15:51:44 +02:00
Selva Nair	dfbf80b0a0	Add an optional username-only flag for auth-user-pass ... Specify "--auth-user-pass username-only" for openvpn to prompt for only username, not password. Prompt via management interface uses the usual ">PASSWORD 'Auth' " prompt with type "username" instead of "username/password". Internally, the password gets set as "[[BLANK]]" which is currently used as tag for blank password. Not compatible with --static-challenge or when username and password are inlined or read from a file. In such cases, the user hard-code a dummy password in the file instead. Change-Id: I788f76e6a70a9c20bca3367140d2741bd0551582 Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1548 Message-Id: <20260303142819.6123-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35855.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-03-30 13:58:45 +02:00
Arne Schwabe	7b5ebf7c44	Increase default size of internal hash maps to 4 * --max-clients ... The default of 256 seems quite low as with (at least) 1024 possible entries (the --max-clients default setting) we have a guaranteed collisions. Using 4 times the number of possible entries for real addresses should reduce collisions quite a bit while also leaving some headroom for the virtual addresses hash where a client might have more than one address. A reason to keep the limit so low are the memory requirements. Each bucket has the size of one linked-list pointer (4 byte or 32 bit and 8 byte for 64 bit). So 256 buckets use 1 or 2 kB while 4096 will use 16 kB or 32 kB. When the current limit was set 20 years ago this might have been a meaningful memory saving but today the collision probability is more important. Change-Id: Ia699b0dfa407ac377970bb130434298eaaec592b Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@mandelbit.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1563 Message-Id: <20260325124526.124049-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36268.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-03-26 15:45:49 +01:00
Heiko Hund	c26437c0d3	doc: fix typo with --ingore-unknown-option ... Change-Id: Ie502c982bda67d55ee74e4f2f66c26ea82698e60 Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1575 Message-Id: <20260313104615.15951-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36085.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-03-14 17:53:56 +01:00
Heiko Hund	3459f09f49	doc: improve Windows-specific options section ... Change-Id: I29a33ac23f3c1a7cf16196aecc46ec3597a22175 Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1574 Message-Id: <20260313103707.14534-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36084.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-03-14 17:52:26 +01:00
Ralf Lici	60986ae533	doc: fix client-nat syntax and examples ... The client-nat documentation uses an incorrect command form and incomplete examples. Document the actual syntax accepted by openvpn: client-nat snat|dnat network netmask alias Update examples to include all required arguments and rewrite the explanatory text to describe 'network', 'netmask', and 'alias' separately. Documentation-only change; no behavior change. Change-Id: I89f0aa9a23915c7783ae03793080ee989a437208 Signed-off-by: Ralf Lici <ralf@mandelbit.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1560 Message-Id: <20260309130546.7735-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35966.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-03-09 14:39:41 +01:00
Selva Nair	d5814ecd23	Document management client versions ... Also add an enum to keep track of client version updates. Change-Id: I1c01fa1bc7d65ac060b334724feb56ef4d0b5d35 Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1552 Message-Id: <20260302141811.5697-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35805.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-03-02 22:52:58 +01:00
Selva Nair	adc0febaea	Fixup version command on management interface ... All commands to the management interface are supposed to be responded with either a one-line "SUCCESS:/ERROR:" message or a multi-line reply terminated by "END". But, curently we silently accept the "version n" command wih no response. This causes clients like OpenVPN-GUI lock-up if version command is used, waiting for ever for a reply. Fix this by adding a SUCCESS response if client version is set to a value >= 4. As the highest client version in use until now is 3, this should not affect any work-arounds in existing clients. ERROR response is generated if the version parameter is null which never happens in practice. Change-Id: I76dc80a9d9b29e401b7bbd59e0c46baf751d2e4a Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1528 Message-Id: <20260224213036.31845-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35782.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-02-25 09:39:41 +01:00
Max Fillinger	880bd69254	Mbed TLS 3: Remove prediction resistance option ... The option --use-prediction-resistance causes the random number generator to be reseeded for every call. This is excessive. This commit removes that option. Github: closes OpenVPN/openvpn#964 Change-Id: I6298795f140c2c62252638f9e0cd6df19cb3d7ed Signed-off-by: Max Fillinger <maximilian.fillinger@sentyron.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1530 Message-Id: <20260216151033.16585-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35658.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-02-16 16:20:55 +01:00
Frank Lichtenheld	70ab9347f8	Remove NTLM support ... Since Microsoft has abandonded this I think it is time for us to do the same for OpenVPN 2.8. Leaves a stub ntlm_support in to make cross-branch t_client.rc easier to maintain. Change-Id: I1f5724476862935284f620c54afa510eea03e3f9 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1453 Message-Id: <20260216145205.14958-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35650.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-02-16 16:14:13 +01:00
Frank Lichtenheld	5836ccdff4	Review Changes.rst for 2.7.0 release ... Fixes various issues, either errors or things that got outdated during development. Change-Id: Idd079f42fac1189c08c6cf42ea84fa8c0383e1a8 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1515 Message-Id: <20260210162038.7915-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35574.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-02-10 18:40:20 +01:00
Frank Lichtenheld	f94a3ad2ba	Update Copyright statements to 2026 ... Change-Id: I1728fcb75284ba106e5c37ef53f6e568b64fb647 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1456 Message-Id: <20260108074915.9417-1-gert@greenie.muc.de> URL: https://sourceforge.net/p/openvpn/mailman/message/59280815/ Signed-off-by: Gert Doering <gert@greenie.muc.de>	2026-01-08 10:59:57 +01:00
Arne Schwabe	927b45dde7	Allow test-crypto to work without the --secret argument ... The --test-crypto still requires the --secret argument. Since --secret will be removed in OpenVPN 2.8 but we want to keep test-crypt, remove the dependency of test-crypto on --static. Instead we will just generate a random key for this selftest method. This also removes the extra logic that is a leftover from the early multi-thread implementation attempt. Change-Id: I72947bd4f0213fd118327f740daeb1d86ae166de Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1435 Message-Id: <20251219135110.166468-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35157.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-12-22 13:09:24 +01:00
Gianmarco De Gregori	e5ff824753	Deprecate --fast-io option ... Recent changes to the event loop revealed that the --fast-io option is now partially broken and may cause "unroutable control packet" issues. As agreed during the last hackathon, this patch turns --fast-io into a no-op and emits a warning when it is used. Additionally, the MPP_CONDITIONAL_PRE_SELECT flag has been removed as it was part of the same code path and no longer needed. Change-Id: I2c0a0b55ad56e704d4bd19f1fbc1c30c83fae14c Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1425 Message-Id: <20251211105956.22789-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35024.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-12-11 12:29:34 +01:00
Frank Lichtenheld	a0813a9d21	Correct documentation for --ns-cert-type ... Our documentation claimed this option was removed. But it was not, for compatiblity reasons. So reflect the correct status. Change-Id: I1d1851eaebe8bf66c92dac3c8c10f68b1ec3ef33 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1428 Message-Id: <20251210085625.32174-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34984.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-12-10 10:18:15 +01:00
Frank Lichtenheld	d4df0a3fbc	options: Remove some verbose error messages for options deprecated in 2.4 ... It has been a long time since 2.3. So move this from the code to the documentation. Includes some minimal drive-by fixes. Change-Id: I59995bf0fd6bc48a738a94e41141ed37d8d637ba Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1427 Message-Id: <20251210075056.27185-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34972.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-12-10 09:47:35 +01:00
Frank Lichtenheld	2ab3e8733e	Remove some obsolete references to --windows-driver ... The option doesn't exist anymore so don't point people to it. But add it to the list of unsupported options. Change-Id: I78c6f335c635e97bb41d26ed8908a978d7b49387 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1426 Message-Id: <20251210074904.27067-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34970.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-12-10 09:45:22 +01:00
Selva Nair	d3e03b9a97	pull-filter: improve documentation ... Pull-filter uses a simple string comparison and could be defeated by unusual formatting of pushed option strings. Document that this option is not meant to be used as a security measure. Reported by: <aarnav@srlabs.de> Change-Id: I2c8d40038e52fbdff1c56f93db1e6a2f9255c59a Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1415 Message-Id: <20251209070218.4467-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34930.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-12-09 09:56:55 +01:00
Frank Lichtenheld	bd8d03e91a	Documentation: Various syntax fixes and text improvements ... This started as a fix for OpenVPN/openvpn#606 but while reviewing the documentation referenced from there I identified more and more issues. There a few classes of changes in here: - Fix wrong `...` syntax, which makes no sense in rst. - Remove some very old references to OpenVPN v1 behavior. - Fix typos or other small text issues. Note: The usage of ``...`` vs :code:`...` is very inconsistent, but fixing that is outside of the scope of this patch. I have tried to make it at least locally consistent. Github: Fixes OpenVPN/openvpn#606 Change-Id: Iee535f1502ab3dcb7bde7f2593c2e122d27d9189 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1414 Message-Id: <20251208114224.10223-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34878.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-12-08 14:55:53 +01:00
Gert Doering	0effd6cae3	Remove remainders of --no-name-remapping option ... This option was removed in 2.5 (commit c3f565f059) but still showed up in the ``openvpn --help`` text and in a Q&A section of the man page. Change-Id: Ib15bd4148872db39a4c8291796a5da211bb20a87 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1411 Message-Id: <20251127115737.3598-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34754.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-11-27 13:03:50 +01:00
Gert Doering	eeb866ac6a	Change '--multihome' behaviour regarding egress interface selection. ... Traditional OpenVPN ``--multihome`` behaviour is to send packets out the same interface that they were received on (copy ipi_ifindex from ingress to egress packet info). For some scenarios this makes sense, for other scenarios it is breaking connectivity when there are no routes pointing out the ingress interface (intentionally asymmetric traffic). For 2.7.0, change the default(!) to always send out packets with ipi_ifindex = 0, to follow normal system interface selection rules. Add a flag ``--multihome same-interface`` to restore the pre-2.7 behavior of copying ipi_ifindex from ingress to egress packets. There are use cases for this, and we want to give users a chance to read the release notes and adjust their setups to "not break after upgrading to 2.7.0". Github: OpenVPN/openvpn#855 Github: OpenVPN/openvpn#554 v2: fix whitespace v3: turn logic around - new default is "egress ifindex 0" now v4: typo fixed in commit message v5: fix invalid rst in Changes.rst Change-Id: Id429241e1b17a8ff51d9019efc357c910f3bde4c Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1383 Message-Id: <20251126130410.19091-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34709.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-11-26 19:01:23 +01:00
Max Fillinger	20b234b23d	Add option to check tls-crypt-v2 key timestamps ... This commit adds the option --tls-crypt-v2-max-age n. When a client key is older than n days or has no timestamp, the server rejects it. Based on work by Rein van Baaren for Sentyron. Co-authored-by: Rein van Baaren <revaban04@proton.me> Change-Id: I0579d18c784e2ac16973d5553992c28f281a0900 Signed-off-by: Max Fillinger <max@max-fillinger.net> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1304 Message-Id: <20251119140149.31867-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34545.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-11-19 16:28:00 +01:00
Frank Lichtenheld	8d278223df	doc: Document potential filesystem pitfalls of client-config-dir ... Reported-By: stefan@srlabs.de Change-Id: I23ea00dbd62271838aa72e913b743cc679ff2386 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1380 Message-Id: <20251119135243.30967-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34541.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-11-19 15:32:24 +01:00
Antonio Quartulli	c716b3b8bf	options: remove --opt-verify functionality ... As previously agreed, the --opt-verify directive is deprecated and can be fully removed as of OpenVPN 2.7.0. GitHub: closes OpenVPN/openvpn#901 Change-Id: Ia60a393a296f23ac1090d0f2016b5682649ed490 Signed-off-by: Antonio Quartulli <antonio@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1375 Message-Id: <20251113212143.30034-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34403.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-11-14 07:40:26 +01:00
Gert Doering	7fe5cc03ab	FreeBSD DCO: repair --inactive ... --inactive on DCO requires a working DCO counters query function (dco_get_peer_stats(), implemented in the previous commit) and that the DCO implementation in use fills the "tun_{read,write}_bytes" fields for the peer context. FreeBSD DCO only fills the "dco_{read,write}_bytes" counters - which is something we can't fix in OpenVPN, this needs kernel enhancements. So, to make the feature (mostly) work, check the other set of counters on FreeBSD. Caveat: this will count encryption overhead and keepalives, so it will still not work for `--inactive <n>` without a byte count, or for byte counts with too tight thresholds. Adding the #ifdef to forward.c was considered the least bad alternative. v2: fix rst syntax for manpage addition Github: OpenVPN/openvpn#898 Change-Id: I48c877843d24144450af1282b7524bb3ba18232e Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Ralf Lici <ralf@mandelbit.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1351 Message-Id: <20251109084238.11581-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34274.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-11-09 12:00:32 +01:00
Arne Schwabe	f938d991a8	Install host routes for out-of-subnet ifconfig-push addresses when DCO is enabled ... ifconfig-push and ifconfig-ipv6-push can configure the IP address of a client. If this IP address lies inside the network that is configured on the ovpn/tun device this works as expected as the routing table point to the ovpn/tun interface. However, if the IP address is outside that range, the IP packets are not forwarded to the ovpn/tun interface and Linux and FreeBSD DCO implementations need a "connected" route so kernel routing knows that the IP in question is a peer VPN IP. This patch adds logic to add host routes for these ifconfig-push + ifconfig-ipv6-push addresses to ensure that traffic for these IP addresses is also directed to the VPN. For Linux it is important that these extra routes are routes using scope link rather than static since otherwise indirect routes via these IP addresses, like iroute, will not work. On FreeBSD we also use interface routes as that works and routes that target interfaces instead of next-hop IP addresses are less brittle. Tested using a server with ccd: openvpn --server 10.33.0.0 255.255.192.0 --server-ipv6 fd00:f00f::1/64 --client-config-dir ~/ccd [...] and a client with lwipvonpn and the following ccd file: iroute-ipv6 FD00:F00F:CAFE::1001/64 ifconfig-ipv6-push FD00:F00F:D00D::77/64 push "setenv-safe ifconfig_ipv6_local_2 FD00:F00F:CAFE::1001" push "setenv-safe ifconfig_ipv6_netbits_2 64" iroute 10.234.234.0 255.255.255.0 ifconfig-push 10.11.12.13 255.255.255.0 push "setenv-safe ifconfig_local_2 10.234.234.12" push "setenv-safe ifconfig_netmask_2 255.255.255.0" This setups an ifconfig-push addresses outside the --server/--server-ipv6 network and additionally configures a iroute behind that client. The setenv-safe configure lwipovpn to use that additional IP addresses to allow testing via ping. Windows behaves like the user space implementation. It does not require these special routes but instead (like user space) needs static routes to redirect IP traffic for these IP addresses to the tunnel interface. E.g. in the example above the server config needs to have: route 10.234.234.0 255.255.255.0 route 10.11.12.0 255.255.255.0 route-ipv6 FD00:F00F:CAFE::1001/64 route-ipv6 FD00:F00F:D00D::77/64 Change-Id: I83295e00d1a756dfa44050b0a4493095fb050fff Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1192 Message-Id: <20251029070701.11457-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33991.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-10-29 08:49:17 +01:00
Arne Schwabe	d6a0cf599c	Warn if push is used without --mode server/--server/--server-bridge ... This is not a supported configuration and will often work good enough to get a connection working but will operate more in a weird pre P2P negotiation compatibility way rather than actually negotiating protocol features. While at it, remove an unused macro (PUSH_DEFINED). Change-Id: I82c7c61be07593ecd5bf2f854767dda74ab5170c Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1288 Message-Id: <20251023155614.20642-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33856.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-10-28 18:36:25 +01:00
Ralf Lici	c9a320649b	options: warn and ignore --reneg-bytes/pkts when DCO is enabled ... Thresholds specified by --reneg-bytes and --reneg-pkts cannot be enforced when DCO is enabled, as it only provides global statistics. Rather than adding complexity to support these options, ignore them when DCO is enabled. Print a warning to inform users and update the manpage accordingly. Change-Id: I7b718a14b81e3759398e7a52fe151102494cc821 Signed-off-by: Ralf Lici <ralf@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1280 Message-Id: <20251017191612.15642-1-gert@greenie.muc.de> URL: https://sourceforge.net/p/openvpn/mailman/message/59248122/ Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-10-17 21:20:01 +02:00
Christian Kujau	8c53b12ae6	doc: HTTPS upgrades and URL fixes throughout the tree ... * HTTPS upgrades * 404 fixes, with hopefully better helpful links to the relevant documentation * some trailing white space fixes * resurrect utun-demo.c from a different source * Don't touch openvpn.doxyfile.in though, as it was autogenerated * Don't touch COPYING as it's an external license file * The openvpn.net URLs will be addressed some other time Signed-off-by: Christian Kujau <github@nerdbynature.de> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Message-Id: <20251006144249.23672-3-lists@nerdbynature.de> URL: https://sourceforge.net/p/openvpn/mailman/message/59242866/ Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-10-13 17:39:46 +02:00
Christian Kujau	3199fcebd3	doc: Fix hyperlinks in openvpn(8) ... * http://www.cs.ucsd.edu/users/mihir/papers/hmac.html - 404, RFC104 basically * http://sites.inka.de/sites/bigred/devel/tcp-tcp.html - 404, unfortunately * http://www.ietf.org/rfc/rfc2246.txt - HTTPS upgrade to the HTML version Signed-off-by: Christian Kujau <github@nerdbynature.de> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Message-Id: <20251006144249.23672-2-lists@nerdbynature.de> URL: https://sourceforge.net/p/openvpn/mailman/message/59242864/ Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-10-13 17:36:11 +02:00
Steffan Karger	7fa59cdf0c	Document that tls-crypt-v2 can be used in connection profile ... As reported in https://github.com/OpenVPN/openvpn/issues/795, tls-crypt-v2 was not documented as an option that was allowed to be used in <connection> blocks. This is a documentation mistake - it has from it's introduction been possible to do so. Verified in the code and tested locally. Github: closes OpenVPN/openvpn#795 Change-Id: Ie8c6381e66d57e0c1ec31132fad8277e0133283f Signed-off-by: Steffan Karger <steffan@karger.me> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1254 Message-Id: <20251007202816.27730-1-gert@greenie.muc.de> URL: https://sourceforge.net/p/openvpn/mailman/message/59243550/ Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-10-08 10:12:35 +02:00
Max Fillinger	efb58abbcc	Rename Fox Crypto to Sentyron in copyright notices ... Fox Crypto has been renamed to Sentyron on September 4th 2025. See https://sentyron.com/press-release-foxcrypto-sentyron/ for the announcement. Change-Id: Ic9912627b707bf4edd4fe4bfc37b8a639feaba08 Signed-off-by: MaxF <max@max-fillinger.net> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1047 Message-Id: <20250919164440.23251-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33102.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-09-19 19:25:27 +02:00
Marco Baffo	c598efc405	PUSH_UPDATE message sender: enabling the server to send PUSH_UPDATE control messages ... Using the management interface you can now target one or more clients (via broadcast or via cid) and send a PUSH_UPDATE control message to update some options. See doc/management-notes.txt for details. Change-Id: Ie82bcc7a8e583de9156b185d71d1a323ed8df3fc Signed-off-by: Marco Baffo <marco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20250903164826.13284-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32807.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-09-03 20:55:52 +02:00
Gert Doering	1cc3525b46	Introduce env variables to communicate desired gateway redirection to NM. ... When run under Network Manager control, OpenVPN is not allowed to control routing. Instead, NM uses the OpenVPN-set environment variables ("route_network_1" etc) to set up routes as requested. This method never worked properly for "redirect-gateway", as the information was not made available in environment variables. Introduce new env vars: route_redirect_gateway_ipv4 route_redirect_gateway_ipv6 to communicate desired state: <not set> = no gateway redirection desired 1 = "redirect-gateway for that protocol in question" 2 = "include block-local to redirect the local LAN as well" We intentionally do not expose all the IPv4 flags ("local", "def1", ...) as this is really internal OpenVPN historical cruft. Change-Id: I1e623b4a836f7216750867243299c7e4d0bd32d0 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Message-Id: <20250826184046.21434-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32686.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-08-27 21:02:18 +02:00
Frank Lichtenheld	5c4744f28e	Clean up documentation for --tun-mtu-max ... There was some confusion about how the option was called... Change-Id: I5e240c35cd4236e1d845195e4634fd5008f61814 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20250823153652.30938-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32663.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-08-23 17:40:56 +02:00
Gert Doering	2d73540316	Remove use of 'dh dh2048.pem' from sample configs, remove 'dh2048.pem' file ... Since commit bd9aa06feb (Jan 2015) OpenVPN has allowed to use '--dh none' to disable traditional Diffie Hellman, since more secure ECDH algorithms are available that do not use explicit DH parameters. If configured with a suffiently high securelevel (3+), or if running in FIPS mode, OpenSSL 3.5 will refuse 2048 bit DH files, making our tests fail. Thus, remove all the DH2048 stuff from our sample configs. Github: triggered by OpenVPN/openvpn#819 Change-Id: If66438662bd862a195b2a69c4fa45f63838982b7 Signed-off-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20250820175459.11227-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32632.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-08-20 23:11:33 +02:00
Frank Lichtenheld	ad73d827d3	Update GPL header in all source files to current recommended version ... This removes the postal address of the FSF and replaces it with their URL. Mostly generated with sed -i -e 's@if not, write to the Free Software Foundation, Inc.,\ @if not, see <https://www.gnu.org/licenses/>.@' sed -i -e '/51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA/d' sed -i -e '/59 Temple Place, Suite 330, Boston, MA 02111-1307 USA/d' With some manual fix-ups afterwards. Change-Id: Ic3959970fa9ab993e98d4b38c025fd0efc7b92f2 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20250803145126.23494-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32481.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-08-03 16:55:47 +02:00
Gianmarco De Gregori	f93fc813ff	Route: add support for user defined routing table ... Add the ability for users to specify a custom routing table where routes should be installed in. As of now routes are always installed in the main routing table of the operating system, however, with the new --route-table option it is possibile to specify the ID of the default routing table to be used by --route(-ipv6). Please note: this feature is currently supported only by Linux/SITNL. Support for other platforms should be added in related backends. Trac #1399 Change-Id: I3e4ebef484d2a04a383a65ede5617ee98bf218a7 Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20250622110311.1140-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31946.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-06-22 13:07:14 +02:00
Frank Lichtenheld	022f0a4387	Update copyright statements to 2025 ... Change-Id: I3dfead8e60da93f223e3333db7b8e01ead01a856 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20250531203546.26593-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31826.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-05-31 22:38:38 +02:00
Frank Lichtenheld	d2b59d6db2	Doxygen: Fix missing parameter warnings ... This fixes almost all of the remaining warnings in our doxygen. Mostly about missing parameters in otherwise documented functions (completely undocumented functions do not cause warnings). Other changes: - Exclude out/ directory (used by CMakePresets.json) - Output doxygen warnings into a separate file, which can be used by CI systems to check for new warnings - Increase DOT_GRAPH_MAX_NODES to avoid warnings about some of the central header files (syshead.h and buffer.h) Change-Id: I3bf775bbdea742575210606e174ccafe840677c9 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Message-Id: <20250519143550.21761-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31712.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-05-19 16:39:32 +02:00
Arne Schwabe	57bdefbabd	Make --dh none behaviour default if not specified ... Nowadays ciphers that are using still DH and not ECDH are rarely chosen as best cipher suite. Our man page even indicates that OpenSSL 1.0.1+ supports ECDH cipher suites. So it does not feel useful to force specifying --dh anymore. Side note: Custom generated Diffie Hellmann parameters are also discouraged nowadays. The newest OpenSSL FIPS libraries even flat out reject them: FIPS 186-4 type domain parameters no longer allowed in FIPS mode, since the required validation routines were removed from FIPS 186-5 But instead of adding support for loading the well-known curve just make dh none the default and the recommended option as finite field Diffie Hellmann is being deprecated anyway (https://datatracker.ietf.org/doc/draft-ietf-tls-deprecate-obsolete-kex/) and not supported by TLS 1.3 at all. Change-Id: Ica02244c9f0ac9b4690a51f940fda9d900465289 Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20250518220245.24489-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31695.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-05-19 11:48:03 +02:00
Heiko Hund	fef5c4b4e8	dns: apply settings via script on unixoid systems ... This introduces a new script hook, the dns-updown, and implements such a command script for a few popular systems (and a default for the not so popular ones). Like the name suggests this hook is soleley for dealing with modifying how names are resolved when the VPN pushes some --dns settings. The default dns updown command is part of the distribution and is installed with openvpn. You can change the path the command is located at as a compile time option, defaults to libexecdir. You can compile-time disable that the default dns-updown hook is run by passing --disable-dns-updown-by-default to configure or ccmake ENABLE_DNS_UPDOWN_BY_DEFAULT to OFF. There's also a new runtime option --dns-updown, which can run a custom command, force running the default when disabled or disable execution of the dns-updown altogether. Change-Id: Ifbe4ffb44d3bfcaa50adb38cacb3436fcdc71b10 Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20250514135334.14377-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31639.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-05-14 18:17:51 +02:00
Lev Stipakov	ad7a694514	win: remove Wintun support ... Since DCO supports modern ciphers and server mode, there is no reason to support Wintun anymore. This also removes --windows-driver option support. The default driver is DCO, as it has been since 2.6. If for some reasons one doesn't want to use it, --disable-dco multiplatform option will switch to tap-windows6. Change-Id: I43ec390040bffeec05270271ea7fb54fb219c536 Signed-off-by: Lev Stipakov <lev@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20250513151006.13617-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31631.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-05-13 17:32:00 +02:00
Klemens Nanni	9ecaf2400a	Fix tmp-dir documentation ... Mention its default (on non-Windows systems), rephrase for brevity, fix grammar, correct the module environment variable name and remove a wrong default mentioned in a related option. Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Message-Id: <20250426121903.67930-1-kn@openbsd.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31514.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-04-28 16:24:36 +02:00
Frank Lichtenheld	78d0c15f48	Doxygen: Remove useless Python information ... Do not include information for the trivial Python scripts we have. Completely eliminates the "Namespaces" page as well. Change-Id: Ia7186b528773c0549748f1051c1c8d1db39a7e11 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Message-Id: <20250415155656.12963-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31433.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-04-15 20:13:15 +02:00
Frank Lichtenheld	0911d6e1a5	Doxygen: Clean up tls-crypt documentation ... - Fix broken links to OpenSSL documentation - Remove some unnecessary \c for function names. Doxygen does handle them automatically. - Add some \c for --option since otherwise -- gets converted to one character (e.g. &ndash; in HTML). Change-Id: I9a27248557fabcd9f7584deb4aba16cd71fb803c Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Message-Id: <20250415155720.13034-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31434.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-04-15 20:12:11 +02:00
Frank Lichtenheld	d166fc91c0	Doxygen: Fix obsolete links to OpenSSL documentation ... Change-Id: Iabef94b36bae16b2c8288b15b14d660ecb06842d Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20250409125336.5835-1-gert@greenie.muc.de> URL: https://sourceforge.net/p/openvpn/mailman/message/59171340/ Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-04-09 16:04:06 +02:00