changelog

OpenVPN is a robust and highly flexible tunneling application that uses all of the encryption, authe

  memory footprint.
* Modified --single-session flag to be used
  in multi-client UDP server client instances.

2004.03.19 -- Version 2.0-test12

* Added the key multi-client UDP server options,
  --mode, --push, --pull, and --ifconfig-pool.
* Revamped GC (garbage collection) code to not rely
  on any global data.
* Modifications to thread.[ch] to allow a more
  flexible thread model.

2004.03.16 -- Version 2.0-test11

* Moved all timer code to interval.h, added new file
  interval.c.
* Fixed missing include.

2004.03.16 -- Version 2.0-test10

* More TAP-Win32 fixes.
* Initial debugging and testing of multi.[ch].

2004.03.14 -- Version 2.0-test9

* Branch merge with 1.6-rc3
* More point-to-multipoint work in multi.[ch].
* Major TAP-Win32 driver restructuring to use
  NdisMRegisterDevice instead of
  IoCreateDevice/IoCreateSymbolicLink.
* Changed TAP-Win32 symbolic links to use \DosDevices\Global\
  pathname prefix.
* In the majority of cases, TAP-Win32 should now be
  able to install and uninstall on Win2K without requiring
  a reboot.
* TAP-Win32 MAC address can now be explicitly set in the
  adapter advanced properties page.

2004.03.04 -- Version 2.0-test8

* Branch merge with 1.6-rc2.

2004.03.03 -- Version 2.0-test7

* Branch merge with 1.6-rc1.2.

2004.03.02 -- Version 2.0-test6

* Branch merge with 1.6-rc1.

2004.03.02 -- Version 2.0-test5

* Move Socks5 UDP header append/remove to socks.c, and is
  called from forward.c.
* Moved verify statics from ssl.c into struct tls_session.
* Wrote multi.[ch] to handle top level of point-to-multipoint
  mode.
* Wrote some code to allow a struct link_socket in a child context
  to be slaved to the parent context.
* Broke up packet read and process functions in forward.c
  (from socket or tuntap) into separate functions for read
  and process, so that point-to-point and point-to-multipoint can
  share the same code.
* Expand TLS control channel to allow the passing of configuration
  commands.
* Wrote mroute.[ch] to handle internal packet routing for
  point-to-multipoint mode.

2004.02.22 -- Version 2.0-test3

* Initial work on UDP multi-client server.
* Branch merge of 1.6-beta7
	
2004.02.14 -- Version 2.0-test2

* Refactorization of openvpn.c into openvpn.[ch]
  init.[ch] forward.[ch] forward-inline.h
  occ.[ch] occ-inline.h  ping.[ch] ping-inline.h
  sig.[ch].  Created a master per-tunnel
  struct context in openvpn.h.
* Branch merge of 1.6-beta6.2

2003.11.06 -- Version 2.0-test1

* Initial testbed for 2.0.

2004.05.09 -- Version 1.6.0
	
* Unchanged from 1.6-rc4 except for version number
  upgrade.

2004.04.01 -- Version 1.6-rc4

* Made minor customizations to devcon and
  renamed as tapinstall.exe for Windows version.
* Fixed "storage size of `iv' isn't known" build
  problem on FreeBSD.
* OpenSSL 0.9.7d bundled with Windows self-install.
	
2004.03.13 -- Version 1.6-rc3

* Minor Windows fixes for --ip-win32 dynamic, relating to
  the way the TAP-Win32 driver responds to a DHCP request
  from the Windows DHCP client.
* The net_gateway environmental variable wasn't being
  set correctly for called scripts (Paul Zuber).
* Added code to determine the default gateway on FreeBSD,
  allowing the --redirect-gateway option to work
  (Juan Rodriguez Hervella).
	
2004.03.04 -- Version 1.6-rc2

* Fixed bug in Windows version where the NetBIOS node-type
  DHCP option might have been passed even if it was not
  specified.
* Fixed bug in Windows version introduced in 1.6-rc1, where
  DHCP timeout would be set to 0 seconds if --ifconfig option
  was used and --ip-win32 option was not explicitly specified.
* Added some new --dhcp-option types for Windows version.

2004.03.02 -- Version 1.6-rc1

* For Windows, make "--ip-win32 dynamic" the default.
* For Windows, make "--route-delay 10" the default
  unless --ip-win32 dynamic is not used or --route-delay
  is explicitly specified.
* L_TLS mutex could have been left in a locked state
  for certain kinds of TLS errors.
	
2004.02.22 -- Version 1.6-beta7
	
* Allow scheduling priority increase (--nice) together
  with UID/GID downgrade (--user/--group).
* Code that causes SIGUSR1 restart on TLS errors in TCP
  mode was not activated in pthread builds.
* Save the certificate serial number in an environmental
  variable called tls_serial_{n} prior to calling the
  --tls-verify script.  n is the current cert chain level.
* Added NetBSD IPv6 tunnel capability (also requires
  a kernel patch) (Horst Laschinsky).
* Fixed bug in checking the return value of the nice()
  function (Ian Pilcher).
* Bug fix in new FreeBSD IPv6 over TUN code which was
  originally added in 1.6-beta5 (Nathanael Rensen).
* More Socks5 fixes -- extended the struct frame
  infrastructure to accomodate proxy-based encapsulation
  overhead.
* Added --dhcp-option to Windows version for setting
  adapter properties such as WINS & DNS servers.
* Use a default route-delay of 5 seconds when
  --ip-win32 dynamic is specified (only applicable when
  --route-delay is not explicitly specified).
* Added "log_append" registry variable to control
  whether the OpenVPN service wrapper on Windows
  opens log files in append (log_append="1") or
  truncate (log_append="0") mode.  The default
  is truncate.

2004.02.05 -- Version 1.6-beta6

* UDP over Socks5 fix to accomodate Socks5 encapsulation
  overhead (Christof Meerwald).
* Minor --ip-win32 dynamic tweaks (use long lease time,
  invalidate existing lease with DHCPNAK).

2004.02.01 -- Version 1.6-beta5

* Added Socks5 proxy support (Christof Meerwald).
* IPv6 tun support for FreeBSD (Thomas Glanzmann).
* Special TAP-Win32 debug mode for Windows self-install that was
  enabled in beta4 is now turned off.
* Added some new Solaris notes to INSTALL (Koen Maris).
* More work on --ip-win32 dynamic.

2004.01.27 -- Version 1.6-beta4

* For this beta, the Windows self-install is a debug version
  and will run slower -- use only for testing.
* Reverted the --ip-win32 default back to 'ipapi'
  from 'dynamic'.
* Added the offset parameter to '--ip-win32 dynamic' which
  can be used to control the address of the masqueraded
  DHCP server which replies to Windows DHCP requests.
* Added a wait/nowait option to --inetd (nowait can only
  be used with TCP sockets, TLS authentication, and over
  a bridged configuration -- see FAQ for more info)
  (Stefan `Sec` Zehl).
* Added a build-time capability where TAP-Win32 driver
  debug messages can be output by OpenVPN at --verb 6
  or higher.

2004.01.20 -- Version 1.6-beta2

* Added ./configure --enable-iproute2 flag which
  uses iproute2 instead of route + ifconfig --
  this is necessary for the LEAF Linux distro
  (Martin Hejl).
* Added renewal-time and rebind-time to set of
  DHCP options returned by the TAP-Win32 driver when
  "--ip-win32 dynamic" is used.
	
2004.01.14 -- Version 1.6-beta1

* Fixed --proxy bug that sometimes caused plaintext
  control info generated by the proxy prior to http
  CONNECT method establishment to be incorrectly
  parsed as OpenVPN data.
* For Windows version, implemented the
  "--ip-win32 dynamic" method and made it the default.
  This method sets the TAP-Win32 adapter IP address
  and netmask by replying to the kernel's DHCP queries.
  See the man page for more detailed info.
* Added --connect-retry parameter which controls
  the time interval (in seconds) between connect()
  retries when --proto tcp-client is used.  Previously,
  this value was hardcoded to 5 seconds, and still
  defaults as such.
* --resolv-retry can now be used with a parameter
  of "infinite" to retry indefinitely.
* Added SSL_CTX_use_certificate_chain_file() to ssl.c
  for support of multi-level certificate chains
  (Sten Kalenda).
* Fixed --tls-auth incompatibility with 1.4.x and earlier
  versions of OpenVPN when the passphrase file is an
  OpenVPN static key file (as generated by --genkey).
* Added shell-escape support in config files using
  the backslash character ("\") so that (for example)
  double quotes can be passed to the shell.
* Added "contrib" subdirectory on tarball, source zip,
  and CVS containing user-submitted contributions.
* Added an optional patch to the Redhat init script to
  allow the configuration file directory to be a
  multi-level directory hierarchy (Farkas Levente).
  See contrib/multilevel-init.patch
* Added some scripts and documentation on using
  Linux "fwmark" iptables rules to enable
  fine-grained routing control over the VPN
  (Sean Reifschneider, <jafo@tummy.com>).
  See contrib/openvpn-fwmarkroute-1.00

2003.11.20 -- Version 1.5.0

* Minor documentation changes.

2003.11.04 -- Version 1.5-beta14

* Fixed build problem with ./configure --disable-ssl
  that was reported on Debian woody.
* Fixed bug where --redirect-gateway could not be used
  together with --resolv-retry.

2003.11.03 -- Version 1.5-beta13

* Added CRL (certificate revocation list) capability using
  --crl-verify option (Stefano Bracalenti).
* Added --replay-window option for variable replay-protection
  window sizes.
* Fixed --fragment bug which might have caused certain large
  packets to be sent unfragmented.
* Modified --secret and --tls-auth to permit different cipher and
  HMAC keys to be used for each data flow direction.  Also
  increased static key file size generated by --genkey from
  1024 to 2048 bits, where 512 bits each are reserved for
  send-HMAC, encrypt, receive-HMAC, and decrypt.  Key file forward
  and backward compatibility is maintained.  See --secret option
  documentation on the man page for more info.
* Added --tls-remote option (Teemu Kiviniemi).
* Fixed --tls-cipher documention regarding correct delimiter
  usage (Teemu Kiviniemi).
* Added --key-method option for selecting alternative data
  channel key negotiation methods.  Method 1 is the default.
  Method 2 has been added (see man page for more info).
* Added French translation of HOWTO to web site
  (Guillaume Lehmann).
* Fixed problem caused by late resolver library load on
  certain platforms when --resolv-retry and --chroot are
  used together (Teemu Kiviniemi).
* In TCP mode, all decryption or TLS errors will abort the current
  connection (this is not done in UDP mode because UDP is
  "connectionless").
* Fixed a TCP client reconnect bug that only occurs on the
  BSDs, where connect() fails with an invalid argument.  This
  bug was partially (but not completely) fixed in beta7.
* Added "route_net_gateway" environmental variable which contains
  the pre-existing default gateway address from the routing table
  (there's no standard API for getting the default gateway, so
  right now this feature only works on Windows or Linux).
* Renamed the "route_default_gateway" enviromental variable to
  "route_vpn_gateway" -- this is the remote VPN endpoint.
* The special keywords vpn_gateway, net_gateway, and remote_host
  can now be used for the network or gateway components of the
  --route option.  See the man page for more info.
* Added the --redirect-gateway option to configure the VPN
  as the default gateway (implemented on Linux and Windows only).
* Added the --http-proxy option with basic authentication
  support for use in TCP client mode.  Successfully tested
  using Squid as the HTTP proxy, with and without authentication.

2003.10.12 -- Version 1.5-beta12

* Fixed Linux-only bug in --mktun and --rmtun which was
  introduced around beta8 or so, which would cause
  an error such as "I don't recognize device tun0 as a
  tun or tap device1".
* Added --ifconfig-nowarn option to disable options
  consistency warnings about --ifconfig parameters.
* Don't allow any kind of sequence number backtracking or
  message reordering when in TCP mode.
* Changed beta naming convention to use '_' (underscore)