Introduction
This page shows the high-level status of OpenVPN 2.7 release. If you want all the details, see the Active Tickets by Milestone report.
Schedule
Release is roughly planned for two years after OpenVPN 2.6. So end of 2024 or beginning of 2025. It was discussed that we should provide official preview builds earlier this time to gather more feedback for merged changes. Also the experience from 2.6 release was to branch off release/2.7 later, since branching it off too early causes a lot of work for little benefit.
Features/fixes to include
must have
| Task description | Assigned to | Status | Ticket | Patchwork / Gerrit |
| DCO code polishing | ordex | not started | - | - |
| sort out multiple-plugin auth mess | dazo, cron2 | on-going | - | RFC patch 2327 |
| DNS option rework (split DNS) - windows backend | lev, d12fk | in gerrit? | - | - |
| SRV patch (set) | ? | patch needs work | - | - |
| Make TAP6-Windows Really Fast | lev | not started | - | - |
| Improve NM-OVPN integration | cron2 | trying to establish contact | - | - |
| Deprecate NTLM v2 support | djpig | - | wiki:DeprecatedOptions#NTLMv2authenticationsupportin--http-proxyStatus:Tobedeprecatedin2.7 | - |
| Properly deprecate _v1 and _v2 plugin functions | - | - | wiki:DeprecatedOptions#plugin:_v1and_v2functionsforopenandfunccallStatus:Pendingremoval | - |
Change default for --topology to subnet | djpig | Patch in gerrit | wiki:DeprecatedOptions#Changedefault--topologynet30tosubnetStatus:Pending | Change 421 |
must have - completed/done
| Task description | Assigned to | Status | Ticket | Patchwork / Gerrit |
| Switch from MSVC buildsystem to CMake for Windows builds | djpig | Done | - | Change 266 |
Remove deprecated --no-replay | djpig | Done | wiki:DeprecatedOptions#Option:--no-replayStatus:RemovedinOpenVPNv2.7 | Change 281 |
Make it harder to use --secret | plaisthos | Done | wiki:DeprecatedOptions#Option:--secretStatus:Deprecatedpendingremoval | Change 325 |
| Remove deprecated NTLM v1 support | djpig | done | wiki:DeprecatedOptions#NTLMv1authenticationsupportin--http-proxyStatus:Deprecatedpendingremoval | Change 379 Change 500 |
nice to have / wild ideas
| Task description | Assigned to | Status | Ticket | Patchwork / Gerrit |
| Remove deprecated --ns-cert-type | - | - | wiki:DeprecatedOptions#Option:--ns-cert-typeStatus:Pendingremoval | - |
| Remove deprecated --tun-ipv6 | - | - | wiki:DeprecatedOptions#Option:--tun-ipv6Status:Ignoredpendingremoval | - |
| Remove deprecated --max-routes | - | - | wiki:DeprecatedOptions#Option:--max-routesStatus:Ignoredpendingremoval | - |
| Remove deprecated --dhcp-release | - | - | wiki:DeprecatedOptions#Option:--dhcp-releaseStatus:Ignoredpendingremoval | - |
| implement kqueue on MacOS | plaisthos | wip (but slower than poll()) | - | - |
| support TLS alerts | plaisthos | patch in Gerrit | - | Change 449 |
| AUTH_TEMP_FAIL ("I can not handle you *now*, but please come back later") [auth-retry noninteract -> something for 3.x mostly, but 2.x must handle gracefully ] | plaisthos | Done | - | c9474fa316a6f73286ed97b36c8f8b1ba62141bd |
| test server that does --auth-user-pass and/or challenge stuff | cron2 (snair) | --auth-user-pass done, challenge missing | - | - |
| Update OpenVPN PRF (move away from SHA1/MD5) | syzzer/plaisthos | done(?) | - | - |
| maybe: fix radius-plugin - plugin is useful but not maintained very well | ??? | ??? | - | - |
| test framework improvements (local "make check" crypto tests) | syzzer | - | - | - |
| inner VRF support? | ?? | ?? | ?? | |
| route monitoring (enable clients to react to network changes) | cron2 | not started | - | - |
| maybe: add PRF plugin interface | ??? | ??? | - | - |
| maybe: add key exchange plugin interface (allows easily doing .e.g post quantum kex) | ??? | ??? | - | - |
| maybe: add data channel separation (or, move to ovpn3, which already has this?) | ??? | ??? | - | |
| investigate TUNSLMODE on FreeBSD and NetBSD to get rid of iroute table (iroutes become normal system routes) | cron2 | not started | - | - |
| Dynamic routes ('route in ccd-file'), depends on netlink support | ordex | not started | - | - |
| transport plugin (primary use case: obfuscation) | ordex | wip | - | - |
| tftp/wpad patch | jjk | patch on list, needs review and merge | - | - |
| support TLS record splitting (like ovpn3) | syzzer | (started, but no patches available yet) | #554 | - |
| support for multiple-protocol sockets (UDP/TCP) | ordex | wip | - | - |
| Support for multiple sockets (multi-port/multi-IP) | ordex | wip (rebase required) | #556 | - |
| improve control channel performance (further) - redo reliability layer, introduce windowing / scaling | syzzer | ??? | - | - |
unlikely to happen, keeping the list
Last modified 5 weeks ago
Last modified on 03/18/24 16:08:51
