This page shows the high-level status of OpenVPN 2.4 release. If you want all the details, see the Active Tickets by Milestone report.


  • November 16 - 2.4_beta1 After this date, no new features allowed, stabilising starts for real. Some minor "nice to have patches" might be accepted after evaluation/discussion on IRC.
  • (optional) November 24th/25th - 2.4_beta2 Only patches related to stabilising and important bug-fixes are allowed after this point. No more "nice to have patches" after this point. If we have no bug fixes or otherwise stabilizing code this release can be skipped.
  • December 1st - 2.4_rc1 Only really needed and critical bug fixes allowed. This is also the time where we change to a unified coding style across the whole source code.
  • December 15th - 2.4_rc2 Branching out release/2.4 happens here.
  • December 28th - 2.4.0 Final release.

Deadline: Debian 9 freeze

Mattock asked the Debian package maintainer about getting 2.4_something into Debian 9 before the freeze. Here's the response: "I'll consider uploading 2.4_something in early December, so we have a month to fix possible issues. After December 29 it won't be doable."

Features/fixes to include

must have

Task descriptionAssigned toStatus

All done.

minor, but "we should try to make it happen"

Task descriptionAssigned toStatus
struct argv overhaul d12fk Patch review completed (dazo), patch 1-4 applied, patch 5-7 need v2 patches
auth-gen-token: Inform client why auth-token was rejected dazo Patch review in progress (syzzer)
tftp/wpad patchjjkpatch on list, needs review and merge
support TLS record splitting (like ovpn3) syzzer #554 (started, but no patches available yet)
Allow OpenVPN to communicate to peers via a Linux VRF - updated patches need review + ML submission
test server that does --auth-user-pass and/or challenge stuffcron2 (snair)not started
update auth-user-pass docsmattocknot started, discussion here
Update OpenVPN PRF (move away from SHA1/MD5) syzzer not started

work needed

  • trac tickets (2.3.x, 2.4.x, unclassified)

(major) items already done

  • poor man's NCP (v6)
  • make openvpnserv2 use exit-events
  • combined 32/64-bit Windows installers
  • semi-automated testing of OpenVPN/OpenVPN-GUI/openvpnserv2 on Windows using openvpn-windows-test
  • dhcp-option DNS6 (stub, windows netsh+service, android)
  • bundle OpenSSL 1.0.2 on windows
  • Refactor CRL handling
  • --tls-crypt control channel encryption #633
  • ifconfig-before-open reversal patch for windows fixed (argv_printf) and merged
  • openvpnserv2 integration
  • pushable ciphers, and cipher negotiation
  • true dual-stack operation (2.3 has "dual single-stack")
  • interactive service + openvpn-gui integration
  • IPv6 route-gateway redirection
  • AEAD cipher
  • cipher negotiation (for all but a few corner cases)
  • peer-id (server and client, 2.3 has only client)
  • compression v2 = more efficient alignment
  • unified TCP timeout handling (Arne v3)
  • new buildbots for FreeBSD 10.3, NetBSD 7.0.1, OpenBSD 6.0, MacOS X, various recent Linux versions
  • --multihome fixed on BSD/amd64 architectures, tested by buildbots
  • recursive routing fixup (Lev v4)
  • block-outside-dns on multiple tunnels (v2, Selva)
  • re-indent formatting (dazo, syzzer). More details on CodeStyle
Last modified 7 years ago Last modified on 12/15/16 18:25:29