This page shows the high-level status of OpenVPN 2.7 release. If you want all the details, see the Active Tickets by Milestone report.


Release is roughly planned for two years after OpenVPN 2.6. So end of 2024 or beginning of 2025. It was discussed that we should provide official preview builds earlier this time to gather more feedback for merged changes. Also the experience from 2.6 release was to branch off release/2.7 later, since branching it off too early causes a lot of work for little benefit.

Features/fixes to include

must have

Task descriptionAssigned toStatusTicketPatchwork / Gerrit
DCO code polishing ordex not started - -
sort out multiple-plugin auth mess dazo, cron2 on-going - RFC patch 2327
DNS option rework (split DNS) - windows backend lev, d12fk in gerrit? - -
SRV patch (set) ? patch needs work - -
Make TAP6-Windows Really Fast lev not started - -
Improve NM-OVPN integration cron2 trying to establish contact - -
Deprecate NTLM v2 support djpig - wiki:DeprecatedOptions#NTLMv2authenticationsupportin--http-proxyStatus:Tobedeprecatedin2.7 -
Properly deprecate _v1 and _v2 plugin functions - - wiki:DeprecatedOptions#plugin:_v1and_v2functionsforopenandfunccallStatus:Pendingremoval -
Change default for --topology to subnet djpig Patch in gerrit wiki:DeprecatedOptions#Changedefault--topologynet30tosubnetStatus:Pending Change 421

must have - completed/done

Task descriptionAssigned toStatusTicketPatchwork / Gerrit
Switch from MSVC buildsystem to CMake for Windows builds djpig Done - Change 266
Remove deprecated --no-replay djpig Done wiki:DeprecatedOptions#Option:--no-replayStatus:RemovedinOpenVPNv2.7 Change 281
Make it harder to use --secret plaisthos Done wiki:DeprecatedOptions#Option:--secretStatus:Deprecatedpendingremoval Change 325
Remove deprecated NTLM v1 support djpig done wiki:DeprecatedOptions#NTLMv1authenticationsupportin--http-proxyStatus:Deprecatedpendingremoval Change 379 Change 500

nice to have / wild ideas

Task descriptionAssigned toStatusTicketPatchwork / Gerrit
Remove deprecated --ns-cert-type - - wiki:DeprecatedOptions#Option:--ns-cert-typeStatus:Pendingremoval -
Remove deprecated --tun-ipv6 - - wiki:DeprecatedOptions#Option:--tun-ipv6Status:Ignoredpendingremoval -
Remove deprecated --max-routes - - wiki:DeprecatedOptions#Option:--max-routesStatus:Ignoredpendingremoval -
Remove deprecated --dhcp-release - - wiki:DeprecatedOptions#Option:--dhcp-releaseStatus:Ignoredpendingremoval -
implement kqueue on MacOS plaisthos wip (but slower than poll()) - -
support TLS alerts plaisthos patch in Gerrit - Change 449
AUTH_TEMP_FAIL ("I can not handle you *now*, but please come back later") [auth-retry noninteract -> something for 3.x mostly, but 2.x must handle gracefully ] plaisthos Done - c9474fa316a6f73286ed97b36c8f8b1ba62141bd
test server that does --auth-user-pass and/or challenge stuff cron2 (snair)--auth-user-pass done, challenge missing - -
Update OpenVPN PRF (move away from SHA1/MD5) syzzer/plaisthos done(?) - -
maybe: fix radius-plugin - plugin is useful but not maintained very well ??? ??? - -
test framework improvements (local "make check" crypto tests) syzzer - - -
inner VRF support? ?? ?? ??
route monitoring (enable clients to react to network changes) cron2 not started - -
maybe: add PRF plugin interface ??? ??? - -
maybe: add key exchange plugin interface (allows easily doing .e.g post quantum kex) ??? ??? - -
maybe: add data channel separation (or, move to ovpn3, which already has this?) ??? ??? -
investigate TUNSLMODE on FreeBSD and NetBSD to get rid of iroute table (iroutes become normal system routes) cron2 not started - -
Dynamic routes ('route in ccd-file'), depends on netlink support ordex not started - -
transport plugin (primary use case: obfuscation) ordex wip - -
tftp/wpad patch jjk patch on list, needs review and merge - -
support TLS record splitting (like ovpn3) syzzer (started, but no patches available yet) #554 -
support for multiple-protocol sockets (UDP/TCP) ordex wip - -
Support for multiple sockets (multi-port/multi-IP) ordex wip (rebase required) #556 -
improve control channel performance (further) - redo reliability layer, introduce windowing / scaling syzzer ??? - -

unlikely to happen, keeping the list

Last modified 2 months ago Last modified on 03/18/24 16:08:51