= Introduction =

This page shows the high-level status of the OpenVPN 2.6 release. If you want all the details, see the [report:3 Active Tickets by Milestone] report.

= Schedule =

Too early to say, but we hope to get this done quicker than 2.4 and 2.5 - so, tentatively:

 - all "must have" code in (except TLS handshake): End of December 2021
 - RC candidates: Jan/Feb 2022
 - 2.6.0 release: March 2022

= Features/fixes to include =

== must have ==

||'''Task description'''||'''Assigned to'''||'''Status'''||'''Ticket'''||'''Patchwork'''||
|| DCO (on Linux) || ordex, plaisthos, cron2 ||on-going review|| - ||[https://patchwork.openvpn.net/project/openvpn2/list/?series=1516 Series 1516] ||
|| DCO (on Windows) || lev, d12fk, plaisthos, ordex ||on-going review|| - ||[https://patchwork.openvpn.net/project/openvpn2/list/?series=1516 Series 1516] ||
|| update auth-user-pass docs || mattock ||wip: man-page updates ([https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12835.html discussion]) || ||
|| polish auth-token / auth-gen-token corner cases (not sending token after explicit-exit-notify from server, etc.) || cron2, plaisthos || pending review || - || [https://patchwork.openvpn.net/patch/2303/ patch 2303] ||
|| frame/buffer size handling || plaisthos || **done** || - || ||
|| OpenSSL 3.0.0 support || plaisthos ||mostly **done** 2021-11-12 || - || ||
|| OpenSSL 3.0.0 xkey || selva ||**done** 2022-01-20 || - || ||
|| TLS handshake replay protection (up for discussion) || plaisthos || wip || - || ||
|| DDoS reflection hardening (rate-limiting) || plaisthos, cron2 || wip || - || ||
|| DNS option rework (split DNS) - new option parsing || d12fk ||**done** ([https://gitlab.com/openvpn/openvpn/-/commit/b3e0d95dcfd0de2a5fe6545fed8f46e0dd35784d commit b3e0d95dcf]) || - || ||
|| switch to 3.0.**1** for Windows builds || lev, mattock || **done** || - || ||
|| OpenSSL Config file handling ("where does an OpenVPN binary read OpenSSL config from, and why?") - windows build / private vcpkg? - unix builds - OpenVPN vs. system defaults vs. loading "local" OpenSSL 3.0 providers || lev, selva(?) || **done** 2021-11-24 || - || ||
|| {{{--nobind}}} for {{{--pull}}} by default ("random client port by default") || plaisthos || **done** 2021-12-06 || #936, #877 || ||
|| sort out multiple-plugin auth mess || dazo, cron2 || on-going || - ||RFC [https://patchwork.openvpn.net/patch/2327/ patch 2327] ||
|| do not push route-ipv6 entries that are also in the iroute-ipv6 list || ordex, cron2 || pending review || #354 ||[https://patchwork.openvpn.net/patch/332/ patch 332] ||

== nice to have / wild ideas ==

||'''Task description'''||'''Assigned to'''||'''Status'''||'''Ticket'''||
|| implement kqueue on macOS || plaisthos || not started || - ||
|| DNS option rework (split DNS) - windows backend || lev, d12fk || - ||
|| support TLS alerts || plaisthos || ??? || - ||
|| AUTH_TEMP_FAIL ("I can not handle you *now*, but please come back later") [auth-retry noninteract -> something for 3.x mostly, but 2.x **must handle gracefully** ] || ? || ? || - ||
|| test server that does --auth-user-pass and/or challenge stuff ||cron2 (snair)||--auth-user-pass done, challenge missing|| ||
|| Update OpenVPN PRF (move away from SHA1/MD5) || syzzer/plaisthos || done(?) || ||
|| maybe: fix radius-plugin - plugin is useful but not maintained very well || ??? || ??? || ||
|| DCO (on FreeBSD) || ? || ? || - ||
|| test framework improvements (local "make check" crypto tests) || syzzer || - || - ||

== unlikely to happen, keeping the list ==

|| inner VRF support? || ?? || ?? || ?? ||
|| route monitoring (enable clients to react to network changes) || cron2 || not started || - ||
|| maybe: add PRF plugin interface || ??? || ??? || ||
|| maybe: add key exchange plugin interface (allows easily doing e.g. post-quantum kex) || ??? || ??? || ||
|| maybe: add data channel separation (or, move to ovpn3, which already has this?) || ??? || ??? || ||
|| Dynamic routes ('route in ccd-file'), depends on netlink support || ??? || ??? || ||
|| transport plugin (primary use case: obfuscation) || ordex || wip || ||
|| [http://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg10511.html tftp/wpad patch] || jjk ||patch on list, needs review and merge|| ||
|| support TLS record splitting (like ovpn3) || syzzer ||(started, but no patches available yet) ||#554||
|| support for multiple-protocol sockets (UDP/TCP) || ordex || wip || - ||
|| Support for multiple sockets (multi-port/multi-IP) || ordex || pending review ||#556||
|| improve control channel performance (further) - redo reliability layer, introduce windowing / scaling || syzzer || ??? || ||