OpenVPN Release 2.7_alpha3

version.m4, ChangeLog, Changes.rst

Changes.rst has not received an "2.7_alpha3" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta releases
it's better to look at git log to see what has been added/fixed.

New features alpha2 -> alpha3 are
  - --dns-updown script for macOS
  - client-side support for PUSH_UPDATE handling
  - support for floating TLS clients when DCO is active
    (handling float notifications sent from kernel to userland)
  - use of user-defined routing tables on Linux
  - PQE support for WolfSSL

Besides new features, alpha3 sees a rewrite of the way kernel events
are handled by the linux DCO module, because under certain circumstances
notifications could get lost, leading to problems later.

Signed-off-by: Gert Doering <gert@greenie.muc.de>

Author: cron2

ChangeLog

@@ -1,6 +1,90 @@
 OpenVPN ChangeLog
 Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
 
+2025.07.31 -- Version 2.7_alpha3
+
+Antonio Quartulli (10):
+      README.dco: update Linux instructions
+      dco_linux: fix case statement by using proper error value
+      dco_linux: use M_FATAL instead of M_ERR in netlink error code paths
+      dco_linux: rearrange functions
+      multi: store multi_context address inside top instance
+      dco: only pass struct context to init function
+      dco_linux: factor out netlink notification code
+      dco_linux: fix async message reception
+      multi: make some multi_*() functions static
+      dco_linux: clean up PEER_GET trigger and parser
+
+Arne Schwabe (1):
+      Cleanup/simplify mbed TLS related define from autoconf
+
+Christian Schürmann (1):
+      Replace deprecated OpenSSL.crypto.load_crl
+
+Frank Lichtenheld (8):
+      packet_id: Fix build with --disable-debug
+      Fix new doxygen warnings about using @return in void functions
+      Fix compiler warning in reliable.c with --disable-debug
+      reliable: Review and fix gc_arena usage
+      configure.ac: Remove use of PKCS11_HELPER_LIBS in mbedTLS checks
+      GHA: Dependency updates July 2025
+      plugins: Clean up -Wconversion warnings
+      options: Simplify function setenv_foreign_option
+
+Gert Doering (3):
+      mudp.c, multi.c, multi_io.c: get rid of 'all three DCO platforms' #ifdefs
+      unit_tests/plugins/auth-pam: fix stdint.h related build error on fedora 42
+      OpenVPN Release 2.7_alpha3
+
+Gianmarco De Gregori (2):
+      Route: add support for user defined routing table
+      Multi-socket: Fix assert triggered by stale peer-id reuse
+
+Heiko Hund (9):
+      dns: add updown script for macOS
+      fix macOS dns-updown handling of parallel full redirects
+      run forced --dns-updown without --script-security
+      dns: create NRPT registry key if it doesn't exist
+      dns: do not run updown scripts with lwipovpn
+      prevent search domain races with macOS dns-updown
+      move macOS dns-updown common code into functions
+      mac dns: compare servers before restoring backup
+      mac dns: do not run dns-updown in parallel
+
+Kristof Provost (3):
+      dco: support float notifications on FreeBSD
+      dco-freebsd: always enable float notification support
+      dco-freebsd: pass address scope to the kernel
+
+Lev Stipakov (4):
+      Fix broken DHCP options
+      Fix --dns options for TAP adapter
+      Fix DNS options duplication on PUSH_UPDATE
+      Fix wrong byte order of --dns server
+
+Marco Baffo (3):
+      PUSH_UPDATE: Allow OpenVPN in client mode to receive and handle PUSH UPDATE control messages to allow options updating at runtime.
+      PUSH_UPDATE: Added remove_option() and do_update().
+      PUSH_UPDATE: Added update_option() function.
+
+Ralf Lici (5):
+      dco linux: avoid redefining ovpn enums
+      dco linux: avoid sending local port to ovpn
+      dco: Add support for float notifications
+      improve float collision logging
+      add flag to print addresses in a consistent format during float
+
+Samuli Seppänen (2):
+      t_server_null: add multi-socket testing
+      t_server_null: match test numbers with server numbers
+
+Terrance (1):
+      Update systemd service name param to match command
+
+rein.vanbaaren (1):
+      Added PQE to WolfSSL
+
+
 2025.06.18 -- Version 2.7_alpha2
 
 Antonio Quartulli (1):

Changes.rst

@@ -9,14 +9,15 @@ Multi-socket support for servers
     and TCP connections at the same time, or listen on multiple addresses
     and/or ports.
 
-Client implementations for DNS options sent by server for Linux/BSD
-    Linux and BSD versions of OpenVPN now ship with a default ``dns-updown``
-    script that implements proper handling of DNS configuration sent
-    by the server. The scripts should work on systems that use
-    ``systemd`` or ``resolveconf`` to manage the DNS setup, as well as
-    raw ``/etc/resolv.conf`` files. However, the exact features supported
-    will depend on the configuration method. On Linux this should usually
-    mean that split-DNS configurations are supported out-of-the-box now.
+Client implementations for DNS options sent by server for Linux/BSD/macOS
+    Linux, BSD and macOS versions of OpenVPN now ship with a per-platform
+    default ``--dns-updown`` script that implements proper handling of
+    DNS configuration sent by the server.  The scripts should work on
+    systems that use ``systemd`` or ``resolveconf`` to manage the DNS
+    setup, as well as raw ``/etc/resolv.conf`` files. However, the exact
+    features supported will depend on the configuration method.
+    On Linux and MacOS this should usually make split-DNS configurations
+    supported out-of-the-box now.
 
     Note that this new script will not be used by default if a ``--up``
     script is already in use to reduce problems with
@@ -55,6 +56,12 @@ Support for new version of Linux DCO module
 Support for server mode in win-dco driver
     On Windows the win-dco driver can now be used in server setups.
 
+Support for TLS client floating in DCO implementations
+    The kernel modules will detect clients floating to a new IP address
+    and notify userland so both data packets (kernel) and TLS packets
+    (sent by userland) can reach the new client IP.
+    (Actual support depends on recent-enough kernel implementation)
+
 Enforcement of AES-GCM usage limit
     OpenVPN will now enforce the usage limits on AES-GCM with the same
     confidentiality margin as TLS 1.3 does. This mean that renegotiation will
@@ -116,6 +123,19 @@ Support for Haiku OS
 
 TLS1.3 support with mbedTLS (very recent mbedTLS development versions only)
 
+PUSH_UPDATE client support
+    It is now possible to update parts of the client-side configuration
+    (IP address, routes, MTU, DNS) by sending a new server-to-client
+    control message, PUSH_UPDATE,<options>.  Server-side support is
+    currently only supported by OpenVPN Inc commercial offerings, the
+    implementation for OpenVPN 2.x is still under development.
+    See also: https://openvpn.github.io/openvpn-rfc/openvpn-wire-protocol.html
+
+Support for user-defined routing tables on Linux
+    see the ``--route-table`` option in the manpage
+
+PQE support for WolfSSL
+
 
 Deprecated features
 -------------------

version.m4

@@ -3,7 +3,7 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [7])
-define([PRODUCT_VERSION_PATCH], [_alpha2])
+define([PRODUCT_VERSION_PATCH], [_alpha3])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])