This page shows the high-level status of OpenVPN 2.6 release. If you want all the details, see the Active Tickets by Milestone report.


Too early to say, but we hope to get this done quicker than 2.4 and 2.5 - so, tentatively (as of August 18 2022):

  • all "must have" code in (except TLS handshake): Mid-October 2022
  • RC candidates: November 2022
  • 2.6.0 release: December 1st 2022

Features/fixes to include

must have

Task descriptionAssigned toStatusTicketPatchwork
DCO (on Linux) ordex, plaisthos, cron2 merged, now ironing out bugs (p2p renegotiation) - Series 1516
DCO (on Windows) lev, d12fk, plaisthos, ordex merged, oroning out bugs (--windows-driver, --disable-dco quirks) - Series 1516
DCO (on FreBSD) kp, cron2 merged, ironing out bugs (double fragments, /24-on-/24 iroute) -
update auth-user-pass docs mattock wip: man-page updates (discussion)
polish auth-token / auth-gen-token corner cases (not sending token after explicit-exit-notify from server, etc.) cron2, plaisthos pending review - patch 2303, patch 2488
TLS handshake replay protection (up for discussion) plaisthos wip -
DDoS reflection hardening (rate-limiting) plaisthos, cron2 wip -
sort out multiple-plugin auth mess dazo, cron2 on-going - RFC patch 2327
do not push route-ipv6 entries that are also in the iroute-ipv6 list ordex, cron2 pending review #354 patch 332
review INSTALL, README, PORTS etc. files tbd tbd - -

must have - completed/done

Task descriptionAssigned toStatusTicketPatchwork
frame/buffer size handling plaisthos done -
OpenSSL 3.0.0 support plaisthos mostly done 2021-11-12 -
OpenSSL 3.0.0 xkey selva done 2022-01-20 -
switch to 3.0.1 for Windows builds lev, mattock done -
OpenSSL Config file handling ("where does an OpenVPN binary read OpenSSL config from, and why?") - windows build / private vcpkg? - unix builds - OpenVPN vs. system defaults vs. loading "local" OpenSSL 3.0 providers lev, selva(?) done 2021-11-24 -
--nobind for --pull by default ("random client port by default") plaisthos done 2021-12-06 #936, #877
DNS option rework (split DNS) - new option parsing d12fk done (commit b3e0d95dcf) - patch 2494

nice to have / wild ideas

Task descriptionAssigned toStatusTicketPatchwork
implement kqueue on MacOS plaisthos wip (but slower than poll()) - -
DNS option rework (split DNS) - windows backend lev, d12fk not started - -
support TLS alerts plaisthos ??? -
AUTH_TEMP_FAIL ("I can not handle you *now*, but please come back later") [auth-retry noninteract -> something for 3.x mostly, but 2.x must handle gracefully ] plaisthos review pending - series 1580
test server that does --auth-user-pass and/or challenge stuff cron2 (snair)--auth-user-pass done, challenge missing
Update OpenVPN PRF (move away from SHA1/MD5) syzzer/plaisthos done(?)
maybe: fix radius-plugin - plugin is useful but not maintained very well ??? ???
test framework improvements (local "make check" crypto tests) syzzer - -

unlikely to happen, keeping the list

inner VRF support? ?? ?? ??
route monitoring (enable clients to react to network changes) cron2 not started -
maybe: add PRF plugin interface ??? ???
maybe: add key exchange plugin interface (allows easily doing .e.g post quantum kex) ??? ???
maybe: add data channel separation (or, move to ovpn3, which already has this?) ??? ???
Dynamic routes ('route in ccd-file'), depends on netlink support ??? ???
transport plugin (primary use case: obfuscation) ordex wip
tftp/wpad patch jjk patch on list, needs review and merge
support TLS record splitting (like ovpn3) syzzer (started, but no patches available yet) #554
support for multiple-protocol sockets (UDP/TCP) ordex wip -
Support for multiple sockets (multi-port/multi-IP) ordex pending review #556
improve control channel performance (further) - redo reliability layer, introduce windowing / scaling syzzer ???
Last modified 3 weeks ago Last modified on 09/12/22 10:51:06