Introduction
This page shows the high-level status of the OpenVPN 2.5 release. If you want all the details, see the Active Tickets by Milestone report.
Schedule
As we missed our original deadline (Debian Buster freeze) we don't have a schedule yet, except "in year 2020". Nevertheless, the release will proceed as follows:
- 2.5_beta1 (early July)
After this date no new features are allowed, and stabilising starts for real. Some minor "nice to have" patches might be accepted after evaluation/discussion on IRC, but should be avoided. Man page processing will be converted from the current groff formatting to markdown formatting right before beta tagging.
- ??? - 2.5_beta2 (optional)
Only patches related to stabilising and important bug fixes are allowed after this point. No more "nice to have" patches after this point. If we have no bug fixes or other stabilizing code, this release can be skipped.
- ??? - 2.5_rc1
Only really needed and critical bug fixes allowed.
- ??? - 2.5_rc2
Branching out release/2.5 happens here.
- 2.5.0 Final release.
Deadline: To be determined
- Code freeze on June 30th, 2020 (based initially on discussions in Trento hackathon, postponed in IRC meeting on 4th March 2020, postponed again...)
- 2.5.0 release on August 15th, 2020
Features/fixes to include
must have
Task description | Assigned to | Status | Ticket |
MSI installers | mattock | Final integration tests not done | #1122 |
async client-connect support | plaisthos + ordex | pending, needs more review + work | - |
update auth-user-pass docs | mattock | not started, discussion here | |
polish auth-token / auth-gen-token corner cases (not sending token after explicit-exit-notify from server, etc.) | cron2, plaisthos | pending | - |
Postponed items (former "nice to have" items for 2.5)
Task description | Assigned to | Status | Ticket |
support for multiple-protocol sockets (UDP/TCP) | ordex | wip | |
Support for multiple sockets (multi-port/multi-IP) | ordex | pending review | #556 |
Dynamic routes ('route in ccd-file'), depends on netlink support | ??? | ??? | |
transport plugin (primary use case: obfuscation) | ordex | wip | |
tftp/wpad patch | jjk | patch on list, needs review and merge | |
support TLS record splitting (like ovpn3) | syzzer | (started, but no patches available yet) | #554 |
test server that does --auth-user-pass and/or challenge stuff | cron2 (snair) | not started | |
Update OpenVPN PRF (move away from SHA1/MD5) | syzzer | not started | |
maybe: add PRF plugin interface | ??? | ??? | |
maybe: add key exchange plugin interface (allows easily doing e.g. post-quantum kex) | ??? | ??? | |
maybe: add data channel separation (or, move to ovpn3, which already has this?) | ??? | ??? | |
maybe: fix radius-plugin - plugin is useful but not maintained very well | ??? | ??? | |
improve control channel performance | syzzer | ??? | |
work needed
- trac tickets (2.4.x, 2.5.x, unclassified)
- MSI testing and user documentation
items already done
- remove ENABLE_CRYPTO
- ChaCha20-Poly1305 support for the data channel
- tls-crypt-v2 (#1121)
- MSI packaging
- struct argv overhaul
- Wintun support
- Auth failure messages back to client
- #6 - VLAN patch set
- #1123 - Netlink support (includes route.c / tun.c refactoring)
Task description | Assigned to | Status | Ticket |
IPv6-only server | ordex & cron2 | most of the work is done! some details remain to be cleaned up | #208 |
Implement asymmetric compression | plaisthos | v5 merged (lev/cron2) | |
Allow OpenVPN to communicate to peers via a Linux VRF | cron2 | patch v2 on the list & merged | |
man page formatting change | dazo | merged | |
TODO: update list
Missing pieces from MSI
Bundling OpenVPN as an MSI will require changes to several projects: openvpn, openvpnserv2, openvpn-build and tap-windows6. Here's a list of the missing pieces (hopefully) in the order in which they should be merged:
- openvpn: the openvpnmsica and tapctl patch series
- tap-windows6: MSM packaging
- openvpn-build: Windows MSI packaging
- openvpn-vagrant: Add MSI build support
- Needs to be adapted to final upstream URLs before merging
Dropping tap-windows6 NSIS changes?
I (mattock) propose we drop the following tap-windows6 PRs that change the NSIS installer:
- installer: Refine the WoW64 decision logic
- installer: Select Win7/8/8.1 vs. Win10 driver at runtime
- installer: Add code signing certificate before installing the driver
Current OpenVPN / tap-windows6 NSIS installers are working well across all the platforms, so I'd prefer not to "rock the boat" by introducing changes unnecessarily. Also, I believe the above PRs were originally meant for OpenVPN 2.5, not for 2.4. And OpenVPN 2.5 does not need these PRs anymore now that we have MSM packaging for tap-windows6. Even if we did decide that the above PRs make sense for 2.4, our support policy says that 2.4 would move to "Old stable" in ~6 months after 2.5.0, after which we would not provide any Windows installers. So the gain for 2.4 would be rather small, maybe for one or two 2.4.x releases at most.