@@ -1,6 +1,66 @@

 OpenVPN ChangeLog

 Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>

+2025.10.13 -- Version 2.7_beta3

+

+Arne Schwabe (2):

+      Allowing installing FreeBSD routes with interface instead of next-hop

+      Allow route_ipv6_match_host to be used outside of route.c

+

+Frank Lichtenheld (33):

+      GHA: Dependency updates September 2025

+      comp-lz4: Fix types in call to LZ4_decompress_safe

+      dco_win: In dco_new_key, document size assumptions for the integer casts

+      dco_linux: Fix -Wconversion warnings

+      ssl_openssl: Use uint16_t internally for TLS versions

+      dco: Change sd argument to dco_new_peer from int to socket_descriptor_t

+      crypto_epoch: Clean up type handling in ovpn_expand_label()

+      route: Fix a unused-but-set-variable warning on OpenBSD

+      platform: Do not assume uid_t/gid_t are signed

+      mtu: Trivial -Wconversion fix

+      Review CMocka assertion usage

+      dhcp: Fix conversion warnings

+      COPYING: Remove licenses for software bundled in the Windows client

+      sitnl: Clean up type handling

+      options: Factor out parsing code to separate options_parse.c

+      unit_tests: Remove useless wrapping for argv/buffer tests

+      crypto: Make some casts to int explicit

+      test_options_parse: Start new UT for options_parse.c

+      buffer: Fix buf_parse eating input

+      test_options_parse: Add test for read_config_string

+      vlan: Remove -Wconversion override

+      GHA: Run options_parse test for MinGW

+      test_options_parse: Do not use uintmax_t instead of LargestIntegralType

+      proto: Clean up conversion warnings related to checksum macros

+      test_options_parse: Remove --wrap

+      lzo: Fix conversion warning

+      options_util: Fix conversion warning in atoi_constrained

+      options: Review use of positive_atoi vs atoi_constrained

+      console: Simplify query_user_add interface

+      socks: Fix conversion warnings with MinGW

+      Move build_dhcp_options_string from tun to dhcp

+      dhcp: Replace DHCP Option types with defines

+      test_user_pass: Check fatal errors for empty username/password

+

+Lev Stipakov (4):

+      dco-win: fix broken ASSERT in dco_new_key

+      dco-win: support for epoch data channel

+      Preserve ifconfig(_ipv6)_local across reconnect

+      Make recursive routing check more fine-grained

+

+Marco Baffo (4):

+      PUSH_UPDATE: disabling PUSH_UPDATE server and client if DCO is enabled

+      PUSH_UPDATE server: bug-fix, reset buffer after processing

+      PUSH_UPDATE server: check IV_PROTO before sending the message to the client

+      redirect-gateway: only redirect traffic through TUN if address families match

+

+Selva Nair (1):

+      Fix PIN cache time in test_pkcs11.c

+

+Steffan Karger (1):

+      Document that tls-crypt-v2 can be used in connection profile

+

+

 2025.09.25 -- Version 2.7_beta2

 Antonio Quartulli (1):

@@ -87,6 +87,8 @@ Epoch data keys and packet format

     - IV constructed with XOR instead of concatenation to not have (parts) of

       the real IV on the wire

+Support for Epoch data channel on Windows, using the win-dco driver (2.8.0+)

+

 Default ciphers in ``--data-ciphers``

     Ciphers in ``--data-ciphers`` can contain the string DEFAULT that is

     replaced by the default ciphers used by OpenVPN, making it easier to

@@ -133,6 +135,8 @@ PUSH_UPDATE client support

     currently only supported by OpenVPN Inc commercial offerings, the

     implementation for OpenVPN 2.x is still under development.

     See also: https://openvpn.github.io/openvpn-rfc/openvpn-wire-protocol.html

+    NOTE: PUSH_UPDATE client support is currently disabled if DCO

+    is active (on all platforms).

 PUSH_UPDATE server support (minimal)

     new management interface commands ``push-update-broad`` and

@@ -140,6 +144,8 @@ PUSH_UPDATE server support (minimal)

     clients ("there is a new DNS server") or only a specific client ID

     ("privileges have changed, here's a new IP address").  See

     doc/management-notes.txt

+    NOTE: PUSH_UPDATE server support is currently disabled if DCO

+    is active (on all platforms).

 Support for user-defined routing tables on Linux

     see the ``--route-table`` option in the manpage

@@ -153,6 +159,17 @@ Two new environment variables have been introduced to communicate desired

 Improved logging of service events/errors to event log on Windows.

+"Recursive Routing" check is now more granular, and will only drop

+   packets-in-tunnel if destination IP, protocol and port matches with

+   those needed to reach the VPN server.  With that change, you can now

+   use policies that direct "everything that is not OpenVPN" into the

+   tunnel, and have IP packets to the VPN server address arrive as

+   expected (no such policies are currently installed by OpenVPN)

+   (github #669).

+

+COPYING: license details only relevant to our Windows installers have

+   been updated and moved to the openvpn-build repo

+

 Deprecated features

 -------------------

@@ -278,6 +295,13 @@ User-visible Changes

   use from "ifconfig", this change repairs functionality (this has

   been backported to 2.6.15, but is not in earlier 2.6 versions).

+- `max-routes-per-client 0` used to be silently upgraded to `1`.  This

+  now produces an error.

+

+- `ifconfig` and `ifconfig-ipv6` values are now stored in pre-connect

+  options cache, and will be restored to pre-connect values on reconnects

+  if the server stops pushing the respective option.

+

 Overview of changes in 2.6

 ==========================

@@ -3,7 +3,7 @@ define([PRODUCT_NAME], [OpenVPN])

 define([PRODUCT_TARNAME], [openvpn])

 define([PRODUCT_VERSION_MAJOR], [2])

 define([PRODUCT_VERSION_MINOR], [7])

-define([PRODUCT_VERSION_PATCH], [_beta2])

+define([PRODUCT_VERSION_PATCH], [_beta3])

 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])

 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])

 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])