This page shows the high-level status of OpenVPN 2.6 release. If you want all the details, see the Active Tickets by Milestone report.


Too early to say, but we hope to get this done quicker than 2.4 and 2.5 - so, tentatively:

  • all "must have" code in (except TLS handshake): End of December 2021
  • RC candidates: Jan/Feb? 2022
  • 2.6.0 release: March 2022

Features/fixes to include

must have

Task descriptionAssigned toStatusTicket
DCO (on Linux) ordex, plaisthos, cron2 alpha release (RFC on the list) -
DCO (on Windows) lev, d12fk, plaisthos alpha release (RFC on the list) -
update auth-user-pass docs mattock not started, discussion here
polish auth-token / auth-gen-token corner cases (not sending token after explicit-exit-notify from server, etc.) cron2, plaisthos pending -
frame/buffer size handling plaisthos wip, patch set under review -
OpenSSL 3.0.0 support plaisthos mostly done 2021-11-12 -
OpenSSL 3.0.0 xkey selva done 2022-01-20 -
TLS handshake replay protection (up for discussion) plaisthos not started -
DDoS reflection hardening (rate-limiting) plaisthos, cron2 wip -
DNS option rework (split DNS) - new option parsing d12fk concept being written -
switch to 3.0.1 for Windows builds lev, mattock - -
OpenSSL Config file handling ("where does an OpenVPN binary read OpenSSL config from, and why?") - windows build / private vcpkg? - unix builds - OpenVPN vs. system defaults vs. loading "local" OpenSSL 3.0 providers lev, selva(?) done 2021-11-24 -
--nobind for --pull by default ("random client port by default") plaisthos done 2021-12-06 #936, #877
sort out multiple-plugin auth mess dazo investigating, first patch -
do not push route-ipv6 entries that are also in the iroute-ipv6 list ordex, cron2 pending review #354

nice to have / wild ideas

Task descriptionAssigned toStatusTicket
implement kqueue on MacOS plaisthos not started -
DNS option rework (split DNS) - windows backend lev, d12fk -
support TLS alerts plaisthos ??? -
AUTH_TEMP_FAIL ("I can not handle you *now*, but please come back later") [auth-retry noninteract -> something for 3.x mostly, but 2.x must handle gracefully ] ? ? -
test server that does --auth-user-pass and/or challenge stuff cron2 (snair)--auth-user-pass done, challenge missing
Update OpenVPN PRF (move away from SHA1/MD5) syzzer/plaisthos done(?)
maybe: fix radius-plugin - plugin is useful but not maintained very well ??? ???
DCO (on FreBSD) ? ? -
test framework improvements (local "make check" crypto tests) syzzer - -

unlikely to happen, keeping the list

inner VRF support? ?? ?? ??
route monitoring (enable clients to react to network changes) cron2 not started -
maybe: add PRF plugin interface ??? ???
maybe: add key exchange plugin interface (allows easily doing .e.g post quantum kex) ??? ???
maybe: add data channel separation (or, move to ovpn3, which already has this?) ??? ???
Dynamic routes ('route in ccd-file'), depends on netlink support ??? ???
transport plugin (primary use case: obfuscation) ordex wip
tftp/wpad patch jjk patch on list, needs review and merge
support TLS record splitting (like ovpn3) syzzer (started, but no patches available yet) #554
support for multiple-protocol sockets (UDP/TCP) ordex wip -
Support for multiple sockets (multi-port/multi-IP) ordex pending review #556
improve control channel performance (further) - redo reliability layer, introduce windowing / scaling syzzer ???
Last modified 3 days ago Last modified on 01/21/22 11:18:45