Changes between Version 12 and Version 13 of OpenVPN2.4
Timestamp: 12/19/16 13:30:03 (8 years ago)
OpenVPN2.4
v12 v13 22 22 * --preresolve patch 23 23 * ~~utun on mac os x~~ **done* 24 * native tun, no need for extra tun.kext25 * Supported for all OS X >= 10.6.8 (latest PPC version)26 * Unfortunatly requires root24 * ~~native tun, no need for extra tun.kext~~ 25 * ~~Supported for all OS X >= 10.6.8 (latest PPC version)~~ 26 * ~~Unfortunatly requires root~~ 27 27 * Real question: Drop tun.kext support and support only utun or "try utun first, fall back to tun.kext if it fails" 28 * svn 2.1 patchset (snappy support, push-peer-info changes, see trac#268-273)28 * ~~svn 2.1 patchset (snappy support, push-peer-info changes, see trac#268-273)~~ **cancelled** (LZ4 support came instead, which is slicker and faster) 29 29 * ~~management interface changes (status 2/3)~~ **done* 30 * Formatting and whitespace fixes (just before 2.4 release)30 * ~~Formatting and whitespace fixes (just before 2.4 release)~~ **done** 31 31 * ~~--version to include git commit id and branch?~~ **yes, done** 32 32 * OpenVPN-GUI installer from mattock … … 42 42 = Windows Interactive Service = 43 43 44 * d12fk's new windows privilege separation scheme, permitting fully unprivileged users to safely run OpenVPN (described and agreed-upon at the [wiki:MunichHackathon2013])44 * ~~ d12fk's new windows privilege separation scheme, permitting fully unprivileged users to safely run OpenVPN (described and agreed-upon at the [wiki:MunichHackathon2013]) ~~ **done** 45 45 46 46 = new frame format for data packets = 47 47 48 * fix alignment performance penalty (byte-swap control byte with last byte of payload)49 * enable DoS-safe --float in TLS mode by transmitting session ID in data frames "ever so often" (like "when not having seen a packet from the server since more than 500 milliseconds" or whatever)50 * agreed-upon at the [wiki:MunichHackathon2013] (last section), nothing implemented yet48 * ~~ fix alignment performance penalty (byte-swap control byte with last byte of payload) ~~ **done** DATA_V2 packet format is in 
v2.4 49 * ~~ enable DoS-safe --float in TLS mode by transmitting session ID in data frames "ever so often" (like "when not having seen a packet from the server since more than 500 milliseconds" or whatever) ~~ **done** --peer-id support 50 * ~~ agreed-upon at the [wiki:MunichHackathon2013] (last section), nothing implemented yet ~~ 51 51 52 52 = cipher negotiation for data packets = 53 53 54 * make cipher a per-client setting in the server, and pushable on the client (right now it's a "global" thing, set once and valid forever)54 * ~~ make cipher a per-client setting in the server, and pushable on the client (right now it's a "global" thing, set once and valid forever) ~~ **done** --ncp-cipher with negotiation implemented in v2.4 and a simpler approach (poor-mans NCP) implemented in v2.3. 55 55 * then add dynamic negotiation based on client/server capabilities 56 56 … … 62 62 63 63 = IPv6 payload / payload/routing integration = 64 * implement "redirect-gateway ipv6" in 2.x code base as well (3 has it)64 * ~~ implement "redirect-gateway ipv6" in 2.x code base as well ~~ (3 has it) **done** 65 65 * add --block-ipv6 66 66 * handle ipv6 payload over ipv6 transport, when the VPN server is inside the pushed IPv6 routes … … 69 69 * cleanup afterwards 70 70 * handle iroute-ipv6 and pushed route-ipv6 consistently with IPv4: do not send pushed routes to the very client that the iroute-ipv6 points to (local route confusion at client), also trac#354. 71 * have a way to signal IPv6 DNS (and other "DHCP") information to client, as currently "dhcp-option DNS ..." is IPv4-only (as is using DHCPv4 to signal this). See trac#243 71 * have a way to signal IPv6 DNS (and other "DHCP") information to client, as currently "dhcp-option DNS ..." is IPv4-only (as is using DHCPv4 to signal this). See trac#243 **in progress, partially implemented**
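Review bot: in the first hunk (v13 lines 24-27), the open question on line 27 is left unanswered even though the three utun sub-items above it are now struck through as finished. Line 27 still asks whether to "Drop tun.kext support and support only utun" or to "try utun first, fall back to tun.kext if it fails". Record which behaviour was chosen, or mark line 27 explicitly as still undecided. The status markers on the unchanged lines 23 and 29 also read `**done*` with a single closing asterisk, unlike the `**done**` this revision adds elsewhere.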
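Review bot: in the "new frame format for data packets" hunk, line 50 is struck through with no status marker, while lines 48 and 49 each get **done** plus the feature that closed them (DATA_V2, --peer-id). Line 50 previously said "nothing implemented yet", so striking it silently leaves no record of why it no longer applies. Add a short marker that says it is superseded by the two lines above, or remove the line.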
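Review bot: in the "cipher negotiation for data packets" hunk, line 55 ("then add dynamic negotiation based on client/server capabilities") stays open and unstruck although the text added to line 54 says negotiation is implemented in v2.4. Either strike line 55 as covered by that work or state which part of capability-based negotiation is still outstanding. The mention of a "poor-mans NCP" in v2.3 on line 54 has no pointer; a link to the option or ticket would let readers check what the 2.3 behaviour actually is.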