This page shows the high-level status of OpenVPN 2.6 release. If you want all the details, see the Active Tickets by Milestone report.


Currently planned:

  • all "must have" code in and all major (crash) bugs fixed: Jan 11, 2023
  • RC candidates: Dec 28, 2022 + Jan 12 2023
  • 2.6.0 release: Jan 26, 2023

Features/fixes to include

must have

Task descriptionAssigned toStatusTicketPatchwork
DCO (on Linux) ordex, plaisthos, cron2 merged, now ironing out bugs (p2p reconnection) - Series 1516
DCO (on Windows) lev, d12fk, plaisthos, ordex merged, ironing out bugs (--windows-driver, --disable-dco quirks) - Series 1516
DCO (on FreBSD) kp, cron2 merged, fine tuning (/24-on-/24 iroute, peer stats, exit notification with stats) -
update auth-user-pass docs mattock wip: man-page updates (discussion)
TLS handshake replay protection (up for discussion) plaisthos pending review - patch 2747
sort out multiple-plugin auth mess dazo, cron2 on-going - RFC patch 2327

must have - completed/done

Task descriptionAssigned toStatusTicketPatchwork
frame/buffer size handling plaisthos done -
OpenSSL 3.0.0 support plaisthos mostly done 2021-11-12 -
OpenSSL 3.0.0 xkey selva done 2022-01-20 -
switch to 3.0.1 for Windows builds lev, mattock done -
OpenSSL Config file handling ("where does an OpenVPN binary read OpenSSL config from, and why?") - windows build / private vcpkg? - unix builds - OpenVPN vs. system defaults vs. loading "local" OpenSSL 3.0 providers lev, selva(?) done 2021-11-24 -
--nobind for --pull by default ("random client port by default") plaisthos done 2021-12-06 #936, #877
DNS option rework (split DNS) - new option parsing d12fk done (commit b3e0d95dcf) - patch 2494
review INSTALL, README, PORTS etc. files cron2 done - -
do not push route-ipv6 entries that are also in the iroute-ipv6 list ordex, cron2 done, commit 437812d4eac9 #354 patch 332
polish auth-token / auth-gen-token corner cases (not sending token after explicit-exit-notify from server, etc.) cron2, plaisthos, selva "seems to be all in good shape now" - patch 2303, patch 2488
DDoS reflection hardening (rate-limiting) plaisthos, cron2 merged -

nice to have / wild ideas

Task descriptionAssigned toStatusTicketPatchwork
implement kqueue on MacOS plaisthos wip (but slower than poll()) - -
DNS option rework (split DNS) - windows backend lev, d12fk not started - -
support TLS alerts plaisthos ??? -
AUTH_TEMP_FAIL ("I can not handle you *now*, but please come back later") [auth-retry noninteract -> something for 3.x mostly, but 2.x must handle gracefully ] plaisthos review pending - series 1580
test server that does --auth-user-pass and/or challenge stuff cron2 (snair)--auth-user-pass done, challenge missing
Update OpenVPN PRF (move away from SHA1/MD5) syzzer/plaisthos done(?)
maybe: fix radius-plugin - plugin is useful but not maintained very well ??? ???
test framework improvements (local "make check" crypto tests) syzzer - -

unlikely to happen, keeping the list

inner VRF support? ?? ?? ??
route monitoring (enable clients to react to network changes) cron2 not started -
maybe: add PRF plugin interface ??? ???
maybe: add key exchange plugin interface (allows easily doing .e.g post quantum kex) ??? ???
maybe: add data channel separation (or, move to ovpn3, which already has this?) ??? ???
Dynamic routes ('route in ccd-file'), depends on netlink support ??? ???
transport plugin (primary use case: obfuscation) ordex wip
tftp/wpad patch jjk patch on list, needs review and merge
support TLS record splitting (like ovpn3) syzzer (started, but no patches available yet) #554
support for multiple-protocol sockets (UDP/TCP) ordex wip -
Support for multiple sockets (multi-port/multi-IP) ordex pending review #556
improve control channel performance (further) - redo reliability layer, introduce windowing / scaling syzzer ???
Last modified 3 weeks ago Last modified on 01/10/23 07:36:07