Changes between Version 12 and Version 13 of OpenVPN2.4


Timestamp:
12/19/16 13:30:03 (13 months ago)
Author:
dazo
Comment:

--

  • OpenVPN2.4

    v12 v13  
    2222 * --preresolve patch
    2323 * ~~utun on mac os x~~ **done*
    24   * native tun, no need for extra tun.kext
    25   * Supported for all OS X >= 10.6.8 (latest PPC version)
    26    * Unfortunatly requires root
     24  * ~~native tun, no need for extra tun.kext~~
     25  * ~~Supported for all OS X >= 10.6.8 (latest PPC version)~~
     26   * ~~Unfortunatly requires root~~
    2727   * Real question: Drop tun.kext support and support only utun or "try utun first, fall back to tun.kext if it fails"
    28  * svn 2.1 patchset (snappy support, push-peer-info changes, see trac#268-273)
     28 * ~~svn 2.1 patchset (snappy support, push-peer-info changes, see trac#268-273)~~ **cancelled** (LZ4 support came instead, which is slicker and faster)
    2929 * ~~management interface changes (status 2/3)~~ **done*
    30  * Formatting and whitespace fixes (just before 2.4 release)
     30 * ~~Formatting and whitespace fixes (just before 2.4 release)~~ **done**
    3131 * ~~--version to include git commit id and branch?~~ **yes, done**
    3232 * OpenVPN-GUI installer from mattock
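Review bot: the open question at v13 line 27 ("Real question: Drop tun.kext support and support only utun or ... fall back to tun.kext if it fails") stays unstruck under an item whose other sub-bullets are now all struck as done, so the page no longer says whether it was decided; record the outcome there or move it to its own top-level item. The unchanged status markers at lines 23 and 29 read "**done*" with a single closing asterisk, unlike the "**done**" added at line 30, so the bold never closes.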
     
    4242= Windows Interactive Service =
    4343
    44  * d12fk's new windows privilege separation scheme, permitting fully unprivileged users to safely run OpenVPN (described and agreed-upon at the [wiki:MunichHackathon2013])
     44 * ~~ d12fk's new windows privilege separation scheme, permitting fully unprivileged users to safely run OpenVPN (described and agreed-upon at the [wiki:MunichHackathon2013]) ~~ **done**
    4545
    4646= new frame format for data packets =
    4747
    48  * fix alignment performance penalty (byte-swap control byte with last byte of payload)
    49  * enable DoS-safe --float in TLS mode by transmitting session ID in data frames "ever so often" (like "when not having seen a packet from the server since more than 500 milliseconds" or whatever)
    50  * agreed-upon at the [wiki:MunichHackathon2013] (last section), nothing implemented yet
     48 * ~~ fix alignment performance penalty (byte-swap control byte with last byte of payload) ~~ **done** DATA_V2 packet format is in v2.4
     49 * ~~ enable DoS-safe --float in TLS mode by transmitting session ID in data frames "ever so often" (like "when not having seen a packet from the server since more than 500 milliseconds" or whatever) ~~ **done** --peer-id support
     50 * ~~ agreed-upon at the [wiki:MunichHackathon2013] (last section), nothing implemented yet ~~
    5151
    5252= cipher negotiation for data packets =
    5353
    54  * make cipher a per-client setting in the server, and pushable on the client (right now it's a "global" thing, set once and valid forever)
     54 * ~~ make cipher a per-client setting in the server, and pushable on the client (right now it's a "global" thing, set once and valid forever) ~~ **done** --ncp-cipher with negotiation implemented in v2.4 and a simpler approach (poor-mans NCP) implemented in v2.3.
    5555 * then add dynamic negotiation based on client/server capabilities
    5656
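Review bot: new line 54 names the option as --ncp-cipher, but the option in 2.4 is spelled --ncp-ciphers (plural); use the exact spelling so readers can find it in the man page. Line 55 ("then add dynamic negotiation based on client/server capabilities") stays open although line 54 now says negotiation is implemented, so either mark it done as well or state what remains. New line 50 is struck through without a status marker, unlike lines 48 and 49.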
     
    6262
    6363= IPv6 payload / payload/routing integration =
    64  * implement "redirect-gateway ipv6" in 2.x code base as well (3 has it)
     64 * ~~ implement "redirect-gateway ipv6" in 2.x code base as well ~~ (3 has it) **done**
    6565 * add --block-ipv6
    6666 * handle ipv6 payload over ipv6 transport, when the VPN server is inside the pushed IPv6 routes
     
    6969  * cleanup afterwards
    7070 * handle iroute-ipv6 and pushed route-ipv6 consistently with IPv4: do not send pushed routes to the very client that the iroute-ipv6 points to (local route confusion at client), also trac#354.
    71  * have a way to signal IPv6 DNS (and other "DHCP") information to client, as currently "dhcp-option DNS ..." is IPv4-only (as is using DHCPv4 to signal this).  See trac#243
     71 * have a way to signal IPv6 DNS (and other "DHCP") information to client, as currently "dhcp-option DNS ..." is IPv4-only (as is using DHCPv4 to signal this).  See trac#243 **in progress, partially implemented**
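Review bot: the status added at v13 line 71, "in progress, partially implemented", does not say which part of the IPv6 DNS signalling works and which is still missing; name the implemented piece or point to the current state of trac#243 so the entry can be tracked to completion.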