OpenVPN ChangeLog
Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>

2025.09.22 -- Version 2.6.15

Antonio Quartulli (1):
      dco: add standard mi prefix handling to multi_process_incoming_dco()

Arne Schwabe (1):
      Check message id/acked ids too when doing sessionid cookie checks

Frank Lichtenheld (6):
      GHA: Pin version of CMake for MinGW build
      GHA: Dependency and Actions update April 2025 (2.6)
      GHA: Update dependencies July 2025 (2.6)
      Fix compiler warning in reliable.c with --disable-debug
      dco linux: avoid redefining ovpn enums (2.6)
      Update text of GPL to latest version from FSF

Gert Doering (7):
      unit_tests/plugins/auth-pam: fix stdint.h related build error on fedora 42
      Remove use of 'dh dh2048.pem' from sample configs, remove 'dh2048.pem' file
      replace assert() calls with ASSERT()
      remove newline characters at the end of msg() calls
      fix building of openvpnsrvmsg.dll from eventmsg.mc in mingw builds
      Fix t_net.sh / networking_testdriver after 'broadcast' change
      preparing release 2.6.15

Klemens Nanni (1):
      Fix tmp-dir documentation

Kristof Provost (1):
      dco: support float notifications on FreeBSD

Lev Stipakov (6):
      dco-win: Ensure correct OVERLAPPED scope
      win: replace wmic invocation with powershell
      openvpnserv: Fix writing messages to the event log
      Validate DNS domain name before powershell invocation
      Makefile: fix 'make dist'
      GHA: collect more artifacts for mingw builds

Ralf Lici (1):
      dco: backport OS-independent part of peer float support

Sebastian Marsching (1):
      Bugfix: Set broadcast address on interface.

rein.vanbaaren (1):
      Fix MBEDTLS_DEPRECATED_REMOVED build errors


2025.04.02 -- Version 2.6.14

Arne Schwabe (1):
      Allow tls-crypt-v2 to be setup only on initial packet of a session

Frank Lichtenheld (3):
      GHA: Drop Ubuntu 20.04 and other maintenance (2.6)
      crypto_backend: fix type of enc parameter
      Fix compatibility with mbedTLS 2.28.10+ and 3.6.3+

Qingfang Deng (1):
      dco: fix source IP selection when multihome


2025.01.15 -- Version 2.6.13

Arne Schwabe (2):
      Refuse clients if username or password is longer than USER_PASS_LEN
      Improve peer fingerprint documentation

Ben Boeckel (1):
      console_systemd: remove the timeout when using 'systemd-ask-password'

Frank Lichtenheld (5):
      Fix missing spaces in various messages
      GHA: Update macOS runners
      GHA: Simplify macOS builds
      Various typo fixes
      forward: Fix potential unaligned access in drop_if_recursive_routing

Gert Doering (2):
      send uname() release as IV_PLAT_VER= on non-windows versions
      preparing release 2.6.13

Gianmarco De Gregori (1):
      Route: remove incorrect routes on exit

Lev Stipakov (1):
      Use a more robust way to get dco-win version

Ralf Lici (1):
      Fix check_addr_clash argument order

Rémi Farault (1):
      Add calls to nvlist_destroy to avoid leaks

Selva Nair (3):
      proxy.c: Clear sensitive data after use
      Protect cached username, password and token on client
      Fix more of uninitialized struct user_pass local vars

corubba (2):
      Fix IPv6 in port-share journal
      Fix port-share journal doc


2024.07.17 -- Version 2.6.12

Arne Schwabe (1):
      Allow trailing \r and \n in control channel message

Frank Lichtenheld (1):
      configure: Try to detect LZO with pkg-config

Gianmarco De Gregori (1):
      Http-proxy: fix bug preventing proxy credentials caching


2024.06.20 -- Version 2.6.11

5andr0 (1):
      Implement server_poll_timeout for socks

Arne Schwabe (6):
      Use snprintf instead of sprintf for get_ssl_library_version
      Add bracket in fingerprint message and do not warn about missing verification
      Replace macos11 with macos14 in github runners
      Only run coverity scan in OpenVPN/OpenVPN repository
      Workaround issue in LibreSSL crashing when enumerating digests/ciphers
      Properly handle null bytes and invalid characters in control messages

Franco Fichtner (1):
      Allow to set ifmode for existing DCO interfaces in FreeBSD

Frank Lichtenheld (6):
      samples: Update sample configurations
      documentation: make section levels consistent
      phase2_tcp_server: fix Coverity issue 'Dereference after null check'
      script-options.rst: Update ifconfig_* variables
      LZO: do not use lzoutils.h macros
      Remove "experimental" denotation for --fast-io

Heiko Wundram (1):
      Implement Windows CA template match for Crypto-API selector

Lev Stipakov (2):
      misc.c: remove unused code
      interactive.c: Improve access control for gui<->service pipe

Reynir Björnsson (1):
      Only schedule_exit() once


2024.03.20 -- Version 2.6.10

Christoph Schug (1):
      Update documentation references in systemd unit files

Frank Lichtenheld (6):
      Fix typo --data-cipher-fallback
      samples: Remove tls-*.conf
      check_compression_settings_valid: Do not test for LZ4 in LZO check
      t_client.sh: Allow to skip tests
      Update Copyright statements to 2024
      GHA: general update March 2024

Lev Stipakov (4):
      win32: Enforce loading of plugins from a trusted directory
      interactive.c: disable remote access to the service pipe
      interactive.c: Fix potential stack overflow issue
      Disable DCO if proxy is set via management

Martin Rys (1):
      openvpn-[client|server].service: Remove syslog.target

Max Fillinger (1):
      Remove license warning from README.mbedtls

Selva Nair (1):
      Document that auth-user-pass may be inlined

wellweek (1):
      remove repetitive words in documentation and comments


2024.02.11 -- Version 2.6.9

Arne Schwabe (15):
      Remove unused function prototype crypto_adjust_frame_parameters
      Log SSL alerts more prominently
      Document tls-exit option mainly as test option
      Remove TEST_GET_DEFAULT_GATEWAY as it duplicates --show-gateway
      Fix check_session_buf_not_used using wrong index
      Add missing check for nl_socket_alloc failure
      Add check for nice in cmake config
      Remove compat versionhelpers.h and remove cmake/configure check for it
      Extend the error message when TLS 1.0 PRF fails
      Fix unaligned access in macOS, FreeBSD, Solaris hwaddr
      Check PRF availability on initialisation and add --force-tls-key-material-export
      Make it more explicit and visible when pkg-config is not found
      Clarify that the tls-crypt-v2-verify has a very limited env set
      Implement the --tls-export-cert feature
      Remove conditional text for Apache2 linking exception

David Sommerseth (2):
      Remove --tls-export-cert
      Remove superfluous x509_write_pem()

Frank Lichtenheld (14):
      sample-keys: renew for the next 10 years
      GHA: clean up libressl builds with newer libressl
      configure.ac: Remove unused AC_TYPE_SIGNAL macro
      documentation: remove reference to removed option --show-proxy-settings
      unit_tests: remove includes for mock_msg.h
      documentation: improve documentation of --x509-track
      NTLM: add length check to add_security_buffer
      NTLM: increase size of phase 2 response we can handle
      proxy-options.rst: Add proper documentation for --http-proxy-user-pass
      buf_string_match_head_str: Fix Coverity issue 'Unsigned compared against 0'
      --http-proxy-user-pass: allow to specify in either order with --http-proxy
      README.cmake.md: Document minimum required CMake version for --preset
      documentation: Update and fix documentation for --push-peer-info
      documentation: Fixes for previous fixes to --push-peer-info

Gert Doering (4):
      OpenBSD: repair --show-gateway
      get_default_gateway() HWADDR overhaul
      fix uncrustify complaints about previous patch
      preparing release 2.6.9

Kristof Provost (1):
      dco-freebsd: dynamically re-allocate buffer if it's too small

Lev Stipakov (1):
      tun.c: don't attempt to delete DNS and WINS servers if they're not set

Marc Becker (1):
      vcpkg-ports/pkcs11-helper: bump to version 1.30

Max Fillinger (4):
      Add support for mbedtls 3.X.Y
      Update README.mbedtls
      Disable TLS 1.3 support with mbed TLS
      Enable key export with mbed TLS 3.x.y

Reynir Bjoernsson (1):
      protocol_dump: tls-crypt support

Steffan Karger (1):
      Fix IPv6 route add/delete message log level

yatta (1):
      fix(ssl): init peer_id when init tls_multi


2023.11.17 -- Version 2.6.8

Aquila Macedo (1):
      doc: Correct typos in multiple documentation files

Arne Schwabe (1):
      Do not check key_state buffers that are in S_UNDEF state

Frank Lichtenheld (1):
      platform.c: Do not depend Windows build on HAVE_CHDIR

Lev Stipakov (3):
      config.h: fix incorrect defines for _wopen()
      Make --dns options apply for tap-windows6 driver
      Warn if pushed options require DHCP


2023.11.08 -- Version 2.6.7

Antonio Quartulli (1):
      dco: fix crash when --multihome is used with --proto tcp

Arne Schwabe (8):
      Mock openvpn_exece on win32 also for test_tls_crypt
      Add warning for the --show-groups command that some groups are missing
      Print peer temporary key details
      Add warning if a p2p NCP client connects to a p2mp server
      Remove openssl engine method for loading the key
      Remove saving initial frame code
      Double check that we do not use a freed buffer when freeing a session
      Fix using to_link buffer after freed

Frank Lichtenheld (7):
      GHA: do not trigger builds in openvpn-build anymore
      GHA: new workflow to submit scan to Coverity Scan service
      buffer: use memcpy in buf_catrunc
      vcpkg-ports/pkcs11-helper: Backport MinGW series from master to release/2.6
      CMake: backport CMake buildsystem from master to release/2.6
      Remove all traces of the previous MSVC build system
      doc: fix argument name in --route-delay documentation

Heiko Hund (1):
      dns option: remove support for exclude-domains

Lev Stipakov (3):
      Warn user if INFO control command is too long
      dco-win: get driver version
      dco: warn if DATA_V1 packets are sent to userspace

Selva Nair (2):
      Make cert_data.h and test_cryptoapi/pkcs11.c MSVC compliant
      Log OpenSSL errors on failure to set certificate

orbea (1):
      configure: disable engines if OPENSSL_NO_ENGINE is defined


2023.08.14 -- Version 2.6.6

Antonio Quartulli (1):
      configure.ac: fix typ0 in LIBCAPNG_CFALGS

Arne Schwabe (8):
      Avoid unused function warning/error on FreeBSD (and potientially others)
      fix warning with gcc 12.2.0 (compiler bug?)
      Fix CR_RESPONSE mangaement message using wrong key_id
      Print a more user-friendly error when tls-crypt-v2 client auth fails
      Ignore Ipv6 route delete request on Android and set ipv4 verbosity to 7
      Revert commit 423ced962d
      Implement using --peer-fingerprint without CA certificates
      show extra info for OpenSSL errors

David Sommerseth (1):
      ntlm: Clarify details on NTLM phase 3 decoding

Frank Lichtenheld (8):
      dist: add more missing files only used in the MSVC build
      dist: Include all documentation in distribution
      unit_tests: Add missing cert_data.h to source list for unit tests
      test_tls_crypt: Improve mock() usage to be more portable
      Remove old Travis CI related files
      options: Do not hide variables from parent scope
      pkcs11_openssl: Disable unused code
      route: Fix overriding return value of add_route3

George Pchelkin (1):
      fix typo: dhcp-options to dhcp-option in vpn-network-options.rst

Gert Doering (1):
      Make received OCC exit messages more visible in log.

Heiko Hund (1):
      work around false positive warning with mingw 12

Lev Stipakov (3):
      tun.c: enclose DNS domain in single quotes in WMIC call
      manage.c: document missing KID parameter
      Set WINS servers via interactice service

Sergey Korolev (1):
      dco-linux: fix counter print format


2023.06.13 -- Version 2.6.5

Arne Schwabe (1):
      Fix use-after-free with EVP_CIPHER_free

Frank Lichtenheld (6):
      dco_linux: properly close dco version file
      DCO: fix memory leak in dco_get_peer_stats_multi for Linux
      Fix two unused assignments
      sample-plugins: Fix memleak in client-connect example plugin
      options: remove --key-method from usage message
      msvc-generate: include version.m4.in in tarball

Ilya Shipitsin (1):
      src/openvpn/dco_freebsd.c: handle malloc failure

Lev Stipakov (2):
      dco-win: support for --dev-node
      tapctl: generate driver-specific adapter names

Selva Nair (2):
      Correctly handle Unicode names for exit event
      Interactive service: do not force a target desktop for openvpn.exe


2023.05.11 -- Version 2.6.4

Arne Schwabe (3):
      Remove unused variable line
      Add Apache2 linking with for new commits
      Fix compile error on TARGET_ANDROID

Frank Lichtenheld (2):
      man page: Remove cruft from --topology documentation
      tests: do not include t_client.sh in dist

Kristof Provost (1):
      DCO: support key rotation notifications

Michael Nix (1):
      fix typo in help text: --ignore-unknown-option

Selva Nair (2):
      Format Windows error message in Unicode
      Bugfix: dangling pointer passed to pkcs11-helper


2023.04.13 -- Version 2.6.3

Frank Lichtenheld (3):
      GHA: remove Ubuntu 18.04 builds
      vcpkg: request "tools" feature of openssl for MSVC build
      doc: run rst2* with --strict to catch warnings

Lev Stipakov (1):
      Support of DNS domain for DHCP-less drivers

Selva Nair (1):
      Bug-fix: segfault in dco_get_peer_stats()

2023.03.24 -- Version 2.6.2

Antonio Quartulli (6):
      dco: don't use NetLink to exchange control packets
      dco: print version to log if available
      dco-linux: remove M_ERRNO flag when printing netlink error message
      multi: don't call DCO APIs if DCO is disabled
      dco-freebsd: use m->instances[] instead of m->hash
      dco-linux: implement dco_get_peer_stats{, multi} API

Arne Schwabe (12):
      Set netlink socket to be non-blocking
      Ensure n = 2 is set in key2 struct in tls_crypt_v2_unwrap_client_key
      Fix memory leaks in open_tun_dco()
      Fix memory leaks in HMAC initial packet generation
      Use key_state instead of multi for tls_send_payload parameter
      Make sending plain text control message session aware
      Only update frame calculation if we have a valid link sockets
      Improve description of compat-mode
      Simplify --compress parsing in options.c
      Refuse connection if server pushes an option contradicting allow-compress
      Add 'allow-compression stub-only' internally for DCO
      Parse compression options and bail out when compression is disabled

Frank Lichtenheld (1):
      tests/unit_tests: Fix 'make distcheck' with subdir-objects enabled

Gert Doering (1):
      preparing release 2.6.2

Heiko Hund (1):
      dns option: allow up to eight addresses per server

Kristof Provost (1):
      dco: print FreeBSD version

Lev Stipakov (4):
      Support --inactive option for DCO
      Fix '--inactive <time> 0' behavior for DCO
      Print DCO client stats on SIGUSR2
      Don't overwrite socket flags when using DCO on Windows

Michael Baentsch (1):
      using OpenSSL3 API for EVP PKEY type name reporting

Selva Nair (8):
      Bugfix: Convert ECDSA signature form pkcs11-helper to DER encoded form
      Import some sample certificates into Windows store for testing
      Add tests for finding certificates in Windows cert store
      Refactor SSL_CTX_use_CryptoAPI_certificate()
      Add a test for signing with certificates in Windows store
      Unit tests: add test for SSL_CTX_use_Cryptoapi_certificate()
      Improve error message on short read from socks proxy
      Make error in setting metric for IPv6 interface non-fatal


2023.03.08 -- Version 2.6.1

Arne Schwabe (13):
      Fix unaligned access in auth-token
      Update LibreSSL to 3.7.0 in Github actions
      Add printing USAN stack trace on github actions
      Fix LibreSSL not building in Github Actions
      Add missing stdint.h includes in unit tests files
      Combine extra_tun/frame parameter of frame_calculate_payload_overhead
      Update the last sections in the man page to a be a bit less outdated
      Add building unit tests with mingw to github actions
      Revise the cipher negotiation info about OpenVPN3 in the man page
      Exit if a proper message instead of segfault on Android without management
      Use proper print format/casting when converting msg_channel handle
      Reduce initialisation spam from verb <= 3 and print summary instead
      Dynamic tls-crypt for secure soft_reset/session renegotiation

Frank Lichtenheld (8):
      Changes.rst: document removal of --keysize
      Windows: fix unused function setenv_foreign_option
      Windows: fix unused variables in delete_route_ipv6
      Windows: fix wrong printf format in x_check_status
      Windows: fix unused variable in win32_get_arch
      configure: enable DCO by default on FreeBSD/Linux
      Windows: fix signedness errors with recv/send
      configure: fix formatting of --disable-lz4 and --enable-comp-stub

Gert Doering (2):
      Get rid of unused 'bool tuntap_buffer' arguments.
      FreeBSD 12.x workaround for IPv6 ifconfig is needed on 12.4 as well

Kristof Provost (3):
      options.c: enforce a minimal fragment size
      configure: improve FreeBSD DCO check
      dco: define OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT on FreeBSD

Lev Stipakov (6):
      Allow certain DHCP options to be used without DHCP server
      dco-win: use proper calling convention on x86
      Improve format specifier for socket handle in Windows
      Disable DCO if proxy is set via management
      Add logging for windows driver selection process
      Avoid management log loop with verb >= 6

Matthias Andree (1):
      make dist: Ship ovpn_dco_freebsd.h, too

Selva Nair (9):
      block-dns using iservice: fix a potential double free
      Conditionally add subdir-objects option to automake
      Build unit tests in mingw Windows build
      cyryptapi.c: log the selected certificate's name
      cryptoapi.c: remove pre OpenSSL-3.01 support
      cryptoapi.c: simplify parsing of thumbprint hex string
      Option --cryptoapicert: support issuer name as a selector
      Add a unit test for functions in cryptoapi.c
      Do not save pointer to 'struct passwd' returned by getpwnam etc.


2023.01.25 -- Version 2.6.0

Antonio Quartulli (1):
      dco_linux: update license for ovpn_dco_linux.h

Arne Schwabe (1):
      Workaround: make ovpn-dco more reliable

Gert Doering (3):
      Fix OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT breakage on FreeBSD+DCO
      Repair special-casing of EEXIST for Linux/SITNL route install
      preparing release 2.6.0

Lev Stipakov (3):
      openvpnmsica: remove dco installer custom actions
      openvpnmsica: remove unused declarations
      openvpnmsica: fix adapters discovery logic for DCO

Selva Nair (4):
      Define and use macros for route addition status code
      Warn when pkcs11-id or pkcs11-id-management options are ignored
      Cleanup route error and debug logging on Windows
      Fix one more 'existing route may get deleted' case

Timo Rothenpieler (1):
      Don't clear capability bounding set on capng_change_id


2023.01.12 -- Version 2.6_rc2

Antonio Quartulli (4):
      dco: properly re-initialize dco_del_peer_reason
      dco: bail out when no peer-specific message is delivered
      dco: improve comment about hidden debug message
      dco: print proper message in case of transport disconnection

Arne Schwabe (3):
      Add connect-freq-initial option to limit initial connection responses
      Log peer-id if loglevel is D_DCO_DEBUG and dco is enabled
      Deprecate OCC checking

Frank Lichtenheld (7):
      options.c: fix format security error when compiling without optimization
      options.c: update usage description of --cipher
      Update copyright year to 2023
      xkey_pkcs11h_sign: fix dangling pointer
      options: Always define options->management_flags
      check_engine_keys: make pass with OpenSSL 3
      documentation: update 'unsupported options' section

Gert Doering (3):
      Undo FreeBSD 12.x workaround on IPv6 ifconfig for 12.4 and up
      Reduce logspam about 'dco_update_keys: peer_id=-1' in p2p server mode
      preparing release 2.6_rc2

Lev Stipakov (1):
      tun: move print_windows_driver() out of tun.h

Selva Nair (11):
      Properly unmap ring buffer file-map in interactive service
      Use undo_lists for saving ring-buffer handles in interactive service
      Cleanup: Close duplicated handles in interactive service
      Preparing for better signal handling: some code refactoring
      Refactor signal handling in openvpn_getaddrinfo
      Use IPAPI for setting ipv6 routes when iservice not available
      Fix signal handling on Windows
      Assign and honour signal priority order
      Distinguish route addition errors from route already exists
      Propagate route error to initialization_completed()
      Include CE_DISABLED status of remote in "remote-entry-get" response


2022.12.29 -- Version 2.6_rc1

Arne Schwabe (17):
      Ensure that argument to parse_line has always space for final sentinel
      Improve documentation on user/password requirement and unicodize function
      Eliminate or comment empty blocks and switch fallthrough
      Remove unused gc_arena
      Fix corner case that might lead to leaked file descriptor
      Deprecate NTLMv1 proxy auth method.
      Use include "buffer.h" instead of include <buffer.h>
      Ensure that dco keepalive and mssfix options are also set in pure p2p mode
      Make management password check constant time
      Rename TM_UNTRUSTED to TM_INITIAL, always start session in TM_INITIAL rather than TM_ACTIVE or TM_INITIAL
      Move dco_installed back to link_socket from link_socket.info.actual
      Do not set nl socket buffer size
      Also drop incoming dco packet content when dropping the packet
      Improve logging when seeing a message for an unkown peer
      Ignore OVPN_DEL_PEER_REASON_USERSPACE to avoid race conditions
      Replace custom min macro and use more C99 style in man_remote_entry_get
      Replace realloc with new gc_realloc function

David Sommerseth (1):
      ssl_verify: Fix memleak if creating deferred auth control files fails

Gert Doering (1):
      bandaid fix for TCP multipoint server crash with Linux-DCO

Lev Stipakov (2):
      git-version.py: proper support for tags
      msvc: upgrade to Visual Studio 2022

Selva Nair (7):
      Reduce default restart pause to 1 second
      Do not include auth-token in pulled option digest
      Persist DCO client data channel traffic stats on restart
      Add remote-count and remote-entry query via management
      Permit unlimited connection entries and remotes
      Use a template for 'unsupported management commands' error
      Allow skipping multple remotes via management interface


2022.12.15 -- Version 2.6_beta2

Antonio Quartulli (1):
      disable DCO if --secret is specified

Arne Schwabe (7):
      Fix connection cookie not including address and fix endianness in test
      Fix unit test of test_pkt on little endian Linux
      Disable DCO when TLS mode is not used
      Ignore connection attempts while server is shutting down
      Improve debug logging of DCO swap key message and Linux dco_new_peer
      Trigger a USR1 if dco_update_keys fails
      Set DCO_NOT_INSTALLED also for keys not in the get_key_scan range

Frank Lichtenheld (1):
      ChangeLog: Fix encoding

Kristof Provost (4):
      Read DCO traffic stats from the kernel
      dco: Update counters when a client disconnects
      Read the peer deletion reason from the kernel
      dco: cleanup FreeBSD dco_do_read()

Lev Stipakov (3):
      Rename dco_get_peer_stats to dco_get_peer_stats_multi
      management: add timer to output BYTECOUNT
      Introduce dco_get_peer_stats API and Windows implementation

Marc Becker (4):
      unify code path for adding PKCS#11 providers
      use new pkcs11-helper interface to add providers
      special handling for PKCS11 providers on win32
      vcpkg-ports/pkcs11-helper: support loader flags

Max Fillinger (2):
      Correct tls-crypt-v2 metadata length in man page
      Fix message for too long tls-crypt-v2 metadata


2022.12.01 -- Version 2.6_beta1

Adrian (1):
      Fix error in example firewall.sh script

Antonio Quartulli (99):
      tun.c: remove unused variable
      openssl: fix EVP_PKEY_CTX memory leak
      openssl: avoid NULL pointer dereference
      ssl: remove unneeded if block
      options: check for blanks in fingerprints and reject string if found
      crypto: respect ECB argument type from prototype
      Add documentation on EVENT_READ/EVENT_WRITE constants
      windows: use appropriate and portable format specifier for 64bit pointer
      windows: define variable only where used
      windows: list all enum values in switch block
      forward: get rid of useless declarations for actually static functions
      mbedtls: do not define mbedtls_ctr_drbg_update_ret when not needed
      route.c: pass the right parameter to IN6_IS_ADDR_UNSPECIFIED
      man/protocol-options: add missing ending metachar
      compat-mode: allow user to specify version to be compatible with
      reject compression by default
      Remove support for PF (Packet Filter)
      configure: search also for rst2{man, html}.py
      multi: remove extra brackets in multi_process_incoming_link()
      do not include --cipher value in data-ciphers
      compat-mode: add --data-cipher-fallback auomatically if requested
      Set TLS 1.2 as minimum by default
      doc: fix indentation in protocol-options.rst
      networking: add and implement net_addr_ll_set() API
      networking: add missing brackets
      set_lladdr: use networking API net_addr_ll_set() on Linux
      configure: remove useless -Wno-* from default CFLAGS
      options.c: fix version reported in --cipher warning message
      doc/cipher-negotiation.rst: avoid warning by fixing indentation
      doc: remove PF leftovers from documentation
      sig.c: define signal_handler on non-windows only
      GitHub Actions: ensure Ubuntu builds are made with the chosen SSL library
      ssl.c: use arrow operator to access object member
      use 'static inline' instead of 'inline static'
      GitHub Actions: add other config flavours
      unit-test: fix test_crypto when USE_COMP is not defined
      update copyright year to 2022
      keyingmaterialexporter.c: include strings.h
      crypto: move validation logic from cipher_get to cipher_valid
      crypto: move OpenSSL specific FIPS check to its backend
      Get rid of README.IPv6 and TODO.IPv6
      auth_token/tls_crypt: fix usage of md_valid()
      crypto: unify key_type creation code
      remove unused sitnl.h file
      options: drop useless netmask variable
      networking: use OPENVPN_ETH_ALEN instead of ETH_ALEN
      networking: silence warnings about unused arguments
      networking_iproute2: don't pass M_WARN to openvpn_execve_check()
      networking: implement net_iface_new and net_iface_del APIs
      t_net.sh: delete dummy iface using iproute command
      auth-pam.c: add missing include limits.h
      dco: introduce low-level code for handling ovpn-dco in the Linux kernel
      dco: add helper function to detect if DCO is enabled or not
      dco: create DCO interface using SITNL
      tls-crypt-v2: bail out if the client key is too small
      dco: use specific metric when installing routes
      networking: fix doc for net_iface_new() API
      options: don't export local function pre_connect_save()
      networking_sitnl: always return negative error code in case of failure
      networking: add net_iface_type API
      tun: create tun_name_is_fixed helper
      dco: add option check - disable DCO if conflict is detected
      dco: allow user to disable it at runtime
      GitHub Actions: add Linux DCO build (on Ubuntu 20.04)
      dco: introduce open_tun_dco_generic() to open dynamic or fixed-name DCO devices
      dco: initialize context and save pointer in TLS object
      dco: configure keys in DCO right after generating them
      disable DCO if no --dev was specified
      dco: periodically check and possibly rotate/delete keys
      dco: split option parsing routines
      push: fix compilation with --disable-management and --enable-werror
      dco: check that pulled options are compatible
      dco: implement dco support for p2p/client code path
      dco: add documentation for ovpn-dco-linux
      dco: implement dco support for p2mp/server code path
      dco: perform pull options check only if we pulled any option
      dco: disable DCO if --allow-compress yes/asym was specified
      dco: turn supported ciphers list into a function
      do_open_tun: restyle 'can preserve TUN' check
      do_close_tun: get rid of one level of indentation
      ovpn-dco: print some netlink messages to debug level
      dco: move message to DCO debug level and reword a bit
      dco: properly name variables
      dco: don't pass VPN IPs to NEW_PEER API in P2P mode
      dco-win: ensure the DCO API is not used when running on Windows
      ssl_util: fix prototype style
      dco: move availability check to the end of check_option_conflict() function
      dco-win: introduce low-level code for handling ovpn-dco-win in Windows
      dco-win: check for incompatible options
      dco-win: implement ovpn-dco support in P2P Windows code path
      dco-win: add documentation to README.dco.md
      dco-win: update GH Actions config file
      dco: trigger ping timeout event only if the peer expired
      delete_routes(_ipv6): avoid memleak if RT_DEFINED is not set
      solaris/open_tun: prevent crash when dev is empty string
      do not push route-ipv6 entries that are also in the iroute-ipv6 list
      auth-user-pass: add support for inline credentials
      get_user_pass_cr: get password from stdin if missing inline
      close_tun: print interface type consistently in message

Arne Schwabe (289):
      Fix client's poor man NCP fallback
      Refactor key_state_export_keying_material functions
      Fix compilation with older mbed TLS versions (mbedtls_tls_prf_types undefined)
      Fix client NCP OCC fallback when server and client cipher are identical
      Move openvpn specific key expansion into its own function
      Allow 'none' cipher being specified in --data-ciphers
      Implement generating data channel keys via EKM/RFC 5705
      Ignore deprecation warning for daemon on macOS
      Add function for common env setting of verify user/pass calls
      Inline function tls_get_peer_info
      Align reliable_free with other free methods to accept NULL
      Remove NULL checks before calling free
      Remove explicit setting of peer_id to false
      Remove --disable-def-auth configure argument
      Replace key_scan array of static pointers with inline function
      Add more documentation about our internal TLS functions
      Improve keys out of sync message
      Clean up tls_authentication_status and document it
      Rename DECRYPT_KEY_ENABLED to TLS_AUTHENTICATED
      Send AUTH_FAILED message to clients on renegotiation failures
      Make any auth failure tls_authentication_status return auth failed
      Fix auth-token not being updated if auth-nocache is set
      Remove auth_user_pass.wait_for_push variable
      Fix port-share option with TLS-Crypt v2
      Zero initialise msghdr prior to calling sendmesg
      Fix tls-auth mismatch OCC message when tls-cryptv2 is used.
      Remove inetd support from OpenVPN
      Change pull request timeout use a timeout rather than a number
      Check return values in md_ctx_init and hmac_ctx_init
      Implement client side handling of AUTH_PENDING message
      Introduce management client state for AUTH_PENDING notifications
      Add S_EXITCODE flag for openvpn_run_script to report exit code
      Prefer TLS libraries TLS PRF function, fix OpenVPN in FIPS mode
      Implement server side of AUTH_PENDING with extending timeout
      Refactor extract_var_peer_info into standalone function and add ssl_util.c
      Change parameter of send_auth_pending_messages from context to tls_multi
      Allow pending auth to be send from a auth plugin
      Avoid generating unecessary mbed debug messages
      Add README.wolfssl documentating the state of WolfSSL in OpenVPN
      Fix multiple problems when compiling with LLVM/Windows (clang-cl)
      Move extract_iv_proto to ssl_util.c/h
      Extend verify-hash to allow multiple hashes
      Implement peer-fingerprint to check fingerprint of peer certificate
      Document the simple self-signed certificate setup in examples
      Deprecate the --verify-hash option
      Remove empty dummy functions
      Move restoring pre pull options to initialising of c2 context
      Move NCP saving and restore to the prepush restore code
      Restore also ping related options on a reconnect
      Make buffer related function conversion explicit when narrowing
      Fix socket related functions using int instead of socket_descriptor_t
      Use correct types for OpenSSL and Windows APIs
      Cleanup print_details and add signature/ED certificate print
      Remove flexible array member autoconf check
      Remove support for non ISO C99 vararg support
      Fix #elif TARGET_LINUX missing defined() call
      Remove superflous ifdefs around enum like defines
      Rename tunnel_server_udp_single_threaded to tunnel_server_udp
      Remove code for aligning non-swapped compression
      Remove pointless tun_adjust_frame_parameters function
      Remove unused field txqueuelen from struct tuntap
      Remove unused function tls_test_auth_deferred_interval
      Remove unused variable pass_config_info
      Move is_proto function to the socket.h header
      Implement '--compress migrate' to migrate to non-compression setup
      Remove thread_mode field of multi_context
      Extract multi_assign_peer_id into its own function
      Remove do_init_socket_2 and do_init_socket_1 wrapper function
      Always disable TLS renegotiations
      Allow running a default configuration with TLS libraries without BF-CBC
      Deprecate non TLS mode in OpenVPN
      Remove deprecated option '--keysize'
      Move auth deferred related members into its own struct
      log file descriptor in more socket related error messages
      Fix async push broken after auth deferred refactor
      Remove conditionals compilation for P2MP, ENABLE_SHAPER and TIME_BACKTRACK_PROTECTION
      Remove check for socket functions and Win XP compatbility code
      Remove checks for uint* types that are part of C99
      Remove a number of checks for functions/headers that are always present
      Use EVP_CTRL_AEAD_* instead EVP_CTRL_GCM_*
      Remove OpenSSL configure checks
      Always save/restore pull options
      Also restore/save compress related options in reconnects
      Also restore/save route-gateway options on SIGUSR1 reconnects
      Remove LibreSSL specific defines not needed for modern LibreSSL
      Add parsing of dhcp-option PROXY_HTTP
      Ensure using const variables with EVP_PKEY_get0_*
      Move context_auth from context_2 to tls_multi and name it multi_state
      Fix condition to generate session keys
      Remove always enabled USE_64_BIT_COUNTERS define
      Fix a number of mingw warnings
      Move tls_select_primary_key into its own function
      Allow all GCM ciphers
      Change options->data_channel_use_ekm to flags
      Implement deferred auth for scripts
      Use functions to access key_state instead direct member access
      Avoid failing_test unused warning in example_test
      Move direct.h header where it is used
      Replace OS_SPECIFIC_DIRSEP with PATH_SEPARATOR
      Remove a number of platform specific checks in configure.ac
      Remove --disable-multihome option
      Remove support for blocking connect()
      Fix memory leak in misc unit test
      Fix binary and (&) used in auth-token check instead of logical and (&&)
      Add missing free_key_ctx for auth_token
      Remove explicit struct iovec check (HAVE_IOVEC)
      Remove getpeername, getpid check
      Inline do_init_auth_token_key
      Add noreturn attribute for MSVC to assert_failed method.
      Move utility function from win32.c to win32-util.c
      Document stub-v2 being basically an alias for no compression at all
      Return cached result in tls_authentication_status
      Use exponential backoff for caching in tls_authentication_status
      Add github actions
      Silence warning about format string in check_ca_required
      Implement auth-token-user
      Move auth_token_state from multi to key_state
      Add connection_established as state in tls_multi->context_auth
      Make waiting on auth an explicit state in the context state machine
      Ensure tls session is authenticated before sending push reply
      Extracting key_state deferred auth status update into function
      Move examples into openvpn-examples(5) man page
      Introduce S_GENERATED_KEYS state and generate keys only when authenticated
      Fix tls-cert-profile broken on OpenSSL 1.1+
      Cleanup handling of initial auth token
      Remove --ncp-disable option
      Add detailed man page section to setup a OpenVPN setup with peer-fingerprint
      Support NCP in pure P2P VPN setups
      Remove unistd.h from unit test
      Introduce webauth auth pending method and deprecate openurl
      Include Chacha20-Poly1305 into default --data-ciphers when available
      Detect unusable ciphers on patched OpenSSL of RHEL/Centos
      Fix Ubuntu spelling and duplicate run in Github Actions
      Add message when decoding PKCS12 file fails.
      Add small unit test for testing HMAC
      Deprecate --ecdh-curve with OpenSSL 3.0 and adjust mbed TLS message
      Use EVP_PKEY based API for loading DH keys
      Remove DES check with OpenSSL 3.0
      Remove DES key fixup code
      Do not allow CTS ciphers
      Use new EVP_MAC API for HMAC implementation
      Add --with-openssl-engine autoconf option (auto|yes|no)
      Use EVP_PKEY_get_group_name to query group name
      Replace EVP_get_cipherbyname with EVP_CIPHER_fetch
      Use EVP_MD_get0_name instead EV_MD_name
      Remove dependency on BF-CBC existance from test_ncp
      Implement DES ECB encrypt via EVP_CIPHER api
      Fix error when BF-CBC is not available
      Fix function name in DH error message
      Add insecure tls-cert-profile options
      Remove custom PRNG function
      Completely remove DES checks
      Refactor early initialisation and uninitialisation into methods
      Use TYPE_do_all_provided function for listing cipher/digest
      Add macos OpenSSL 3.0 and ASAN builds
      Allow loading of non default providers
      Move IV_TCPNL from comp_generate_peer_info_string to push_peer_info
      Implement optional cipher in --data-ciphers prefixed with ?
      Directly use hardcoed OPENVPN_AEAD_TAG_LENGTH instead lookup
      Remove cipher_kt_var_key_size and remaining --keysize documentation
      Remove cipher_ctx_get_cipher_kt and replace with direct context calls
      Remove key_type->cipher_length field
      Remove key_type->hmac_length
      Fix handling an optional invalid cipher at the end of data-ciphers
      Make --nobind default for --pull
      Remove ENABLE_CRYPTO_OPENSSL ifdef inside ENABLE_CRYPTO_OPENSSL ifdef
      Remove max_size from buffer_list_new
      Add argv_insert_head__empty_argv__head_only to argv tests
      Remove cipher_kt_t and change type to const char* in API
      Move deprecation of SWEET32/64bit block size ciphers to 2.7
      Adjust cipher-negotiation.rst with compat-mode changes
      Remove md_kt_t and change crypto API to use const char*
      Initialise kt_cipher even when no crypto is enabled
      Remove align_adjust frame code
      Fix triggering assertion of ks->authenticated after tls_deauthenticate
      Document frame related function and variables a bit more
      Remove post_open_mtu code
      Make github actions names nicer, include Ubuntu18+OpenSSL 1.0.2
      Add helper functions to calculate header/payload sizes
      Decouple MSS fix calculation from frame calculation
      Rework occ link-mtu calculation
      Remove pointless do_init_frame_tls function
      Remove BUFFER_LIST_AGGREGATE_TEST test code
      Deprecate link-mtu
      Fix mssfix and frame calculation in CBC mode
      Change buffer allocation calculation and checks to be more static
      Fix datagram_overhead and assorted functions
      Implement optional mtu parameter for mssfix
      Remove link_mtu parameter when running up/down scripts
      Replace TUN_MTU_SIZE with frame->tun_mtu
      Change the default for mssfix to mssfix 1492 mtu
      Add mtu paramter to --fragment and change fragment calculation
      Update fragment and mssfix related warnings
      Use new frame header methods to calculate OCC_MTU_LOAD payload size
      Remove extra_link from frame
      Remove frame->link_mtu
      Remove frame.extra_frame and frame.extra_buffer
      Default to --cipher BF-CBC if not set and compat-mode < 2.4.0
      Fix 'defined but not used' warnings with enable-small/disable-management
      Add Werror to github action ubuntu build
      Add better documentation for CAS_* states
      Add unit test for mssfix with compression involved
      Remove FRAME_HEADROOM, PAYLOAD_SIZE, EXTRA_FRAME and TUN_LINK_DELTA macros
      Fix mbed TLS compile if OpenSSL headers are not available
      Remove unused function cipher_var_key_size
      Implement fixed MSS value for mssfix and use it for non default MTUs
      networking: remove duplicate methods from networking_sitnl.c
      Remove dead PID_TEST code
      Remove inc_pid argument from reliable_mark_deleted that is always true
      Remove EXPONENTIAL_BACKOFF define
      Remove tls_init_control_channel_frame_parameters wrapper function
      Add documentation for swap_hmac function
      Make buf_write_u8/16/32 take the type they pretend to take
      Move pre decrypt lite check to its own function
      Extend tls_pre_decrypt_lite to return type of packet and keep state
      Move ssl function related to control channel wrap/unwrap to ssl_pkt.c/h
      Add unit tests for test_tls_decrypt_lite
      Split out reliable_ack_parse from reliable_ack_read
      Refactor tls-auth/tls-crypt wrapping into into own function
      Extract session_move_pre_start as own function, use local buffer variable
      Change FULL_SYNC macro to no_pending_reliable_packets function
      Extract session_move_active into its own function
      Move tls_process_state into its own function
      Remove pointless indentation from tls_process.
      Move CRL reload to key_state_init from S_START transition
      Change reliable_get_buf_sequenced to reliable_get_entry_sequenced
      Implement constructing a control channel reset client as standalone function
      Implement stateless HMAC-based sesssion-id three-way-handshake
      Extract read_incoming_tls_ciphertext into function
      Fix format specifier for printing size_t on 32bit size_t platforms
      Remove workaround for Android 4.4
      Implement HMAC based session id for tls-crypt v2
      Optimise three-way handshake condition for S_PRE_START to S_START
      Extract read_incoming_tls_plaintext into its own function
      Add uncrustify check to github actions
      Add ubuntu 22.04 to Github Actions
      Implement ED448 and ED25519 support in xkey_provider
      Translate OpenSSL 3.0 digest names to OpenSSL 1.1 digest names
      Fix client-pending-auth error message to say ERROR instead of SUCCESS
      Remove useless empty line from CR_RESPONSE message
      Remove leftover frame_set_mtu_dynamic definitions in mtu.h
      Inline frame_add_to_extra_tun function and remove frame_defined
      tun: extract close_tun_handle into its own fucntion and print correct type
      Error out if both remap-usr1 SIGHUP and config stdin are used
      Fix segfault when no --config argument is given
      Extract check_session_cipher into standalone function
      Cleanup receive_auth_failed and simplify method
      Fix IV_PLAT_VER and UV_ variables sent without push-peer-info
      Rename OPT_P_IPWIN32 to OPT_P_DHCPDNS and include --dns in it
      Include DCO status in GLOBAL_STATS status v2 output
      Github Actions: Add libreSSL actions
      Include libressl and macOS 12 to macOS github actions
      Fix declaration of pubkeys in test_provider.c in MSVC builds
      Change command help to match man page and implementation
      Implement --client-crresponse script options and plugin interface
      Add example script demonstrating TOTP via auth-pending
      Add OpenSSL 3.0 to mingw build
      Update android.txt to reflect more recent changes.
      Allow scripts and plugins to set a custom AUTH_FAILED message
      Implement exit notification via control channel
      Implement AUTH_FAIL, TEMP message support
      Document/cleanup event_timeout functions
      Fix OpenVPN querying user/password if auth-token with user expires
      Enable -Werror on macOS builds
      Ensure only CBC, CFB, OFB and AEAD ciphers are considered valid data ciphers
      Change exit signal in P2P to be a SIGUSR1 and delayed CC exit in P2MP
      Allow Authtoken lifetime to be short than renegotiation time
      Allows renegotiation only to start if session is fully established
      Fix renewal spelling and actually allow external-auth with renewal time
      Fix regression of ignoring --user
      Refactor/optimise code sending TLS control channel messages
      Add unit test for reliable_get_num_output_sequenced_available
      Allow setting control channel packet size with max-packet-size
      Always include ACKs for the last seen control packets
      Add workaround for Softether server dropping P_ACK_V1 with >= 5 acks
      Improve data key id not found error message
      Add packet type in accept/reject messages for HMAC packet
      Fix md_kt_size in mbed TLS when queried for size of "none"
      Add algorithm and bits used in key_print2 method and refactor method
      Remove unused addr_inet4or6, addr_guess_family and inline addr_copy_sa
      Allow tun-mtu to be pushed
      Push server mtu to client when supported and support occ mtu
      Fix logic error in checking early negotiation support check
      Move dco_installed from sock->info to sock->info.lsa.actual
      Use dedicated multi->dco_peer_id for DCO instead of multi->peer_id
      Add section about common error with OpenVPN 2.6 and OpenSSL 3.0
      Introduce connection state for reconnecting peer in p2p
      Signal USR1 when connection initialising fails
      Allow reconnecting in p2p mode work under FreeBSD

Camille Guérin (1):
      Removed error message for an option flag not supported with --server-ipv6

David Korczynski (1):
      Fix argv leaks in add_route() and add_route_ipv6()

David Sommerseth (18):
      man: Add missing --server-ipv6
      man: Improve --remote entry
      sample-plugins: Partially autotoolize the sample-plugins build
      build: Fix make distclean/distcheck
      compat/lz4: Update to v1.9.2
      build: Fix missing install of man page in certain environments
      build: Remove compat-lz4
      Update copyrights
      doc: Use generic rules for man/html generation
      man: Clarify IV_HWADDR
      crypto: Fix OPENSSL_FIPS enabled builds
      sample-plugin: New plugin for testing multiple auth plugins
      plugins: Remove defer/simple.c sample plugin
      plug-ins: Disallow multiple deferred authentication plug-ins
      dev-tools: Remove no longer needed openvpn-plugin.h.in patching
      dev-tools: Remove uncrustify -p
      dev-tools: Avoid uncrustify mangling MAC_FMT macro
      The Great Reformatting of 2022

Dmitry Zelenkovsky (1):
      implement --session-timeout

Domagoj Pensa (3):
      Fix too early argv freeing when registering DNS
      Remove 1 second delay before running netsh
      Skip DHCP renew with Wintun adapter

Eric Thorpe (1):
      Fixes a bug in management_callback_send_cc_message, should be strlen instead of sizeof

Frank Lichtenheld (18):
      doc/Makefile: rebuild rst docs if input files change
      doc: fix misc documentation issues
      doc/options: clean up documentation for --proto and related options
      Reformat for sp_after_comma=add
      uncrustify: add sp_after_comma=add
      uncrustify: have exactly one newline at the end of files
      t_client: Allow to force FAIL on prerequisite fails
      systemd: remove generated service files on clean
      Reduce usage of __DATE__
      config-version.h: remove unused includes
      t_client.sh: do not require fping6
      doc: cleanup for --data-ciphers and related
      test_crypto: fix test_occ_mtu_calculation with --disable-fragment
      msvc: always call git-version.py
      GitHub Issues: add note to Changes as well
      GitHub Issues: add new links to INSTALL and README
      GitHub Issues: Create first issue template (Bug)
      documentation: avoid recommending --user nobody

Gert Doering (67):
      Change version.m4 to 2.6_git
      Fix stack overflow in OpenSolaris NEXTADDR()
      Workaround FreeBSD 12+ race condition on tun/tap open with IPv6.
      Document that --push-remove is generally more suitable than --push-reset
      Fix error detection / abort in --inetd corner case.
      Fix TUNSETGROUP compatibility with very old Linux systems.
      Fix handling of 'route remote_host' for IPv6 transport case.
      Replace 'echo -n' with 'printf' in tests/t_lpback.sh
      Fix description of --client-disconnect calling convention in manpage.
      Handle NULL returns from calloc() in sample plugins.
      Fix --show-gateway for IPv6 on NetBSD/i386.
      socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes
      Fix netbits setting (in TAP mode) for IPv6 on Windows.
      If IPv6 pool specification sets pool start to ::0 address, increment.
      Add demo plugin that excercises "CLIENT_CONNECT" and "CLIENT_CONNECT_V2" paths
      Fix combination of --dev tap and --topology subnet across multiple platforms.
      Fix redirecting of IPv4 default gateway if connecting over IPv6.
      Fix compilation on pre-EKM mbedTLS libraries.
      Avoid passing NULL to argv_printf_cat() in temp_file error case.
      Change travis build scripts to use https when fetching prerequisites.
      Fix line number reporting on config file errors after <inline> segments
      Clarify --block-ipv6 intent and direction.
      Document common uses of 'echo' directive, re-enable logging for 'echo'.
      Make OPENVPN_PLUGIN_ENABLE_PF failures FATAL
      clean up / rewrite sample-plugins/defer/simple.c
      Fix EVP_PKEY_CTX_... compilation with LibreSSL
      Require at least 100MB of mlock()-able memory if --mlock is used.
      Get rid of last PLUGIN_DEF_AUTH #ifdef
      Fix 'compress migrate' for 2.2 clients.
      Fix potential NULL ptr crash if compiled with DMALLOC
      Repair --secret deprecation warning.
      rewrite parse_hash_fingerprint()
      Ignore leading whitespace and comment lines for peer-fingerprint.
      Add error reporting to get_console_input_win32().
      Ignore --explicit-exit-notify in TCP mode.
      Use more C99 initialization in add_route/add_route_ipv6().
      Include --push-remove in the output of --help.
      Move '--push-peer-info' documentation from 'server' to 'client options'
      add test case(s) to notice 'openvpn --show-cipher' crashing
      Repair --inactive with 'bytes' argument larger 2Gbytes.
      Fix --mtu-disc maybe|yes on Linux.
      Fix trailing-whitespace errors in last patch.
      Exclude the last two whitespace-only uncrustify fixes from git blame output.
      Implement --mtu-disc for IPv6 UDP sockets.
      Fix non-compliant whitespace introduced by commit 54800aa975418fe35.
      Pass proper sockaddr_* structure for IPv6 socket errors.
      Fix error message about extended errors for IPv4-only sockets.
      Break 'try 256 dco devices' loop on EPERM
      Cleanup: get rid of 'dynamic' argument of open_tun_generic()
      Remove outdated information from ChangeLog, point at release branches.
      Apply uncrustify changes that were forgotten in the last patch.
      Apply uncrustify changes that were forgotten in the FreeBSD DCO 1/2 patch.
      FreeBSD-DCO: repair device iteration to find first free interface.
      DCO: require valid netbits setting for non-primary iroutes.
      Adjust Linux+FreeBSD DCO device name handling to 'non DCO linux style'
      cleanup open_tun() for TARGET_NETBSD
      t_client: add per-instance arguments to fping
      introduce V= level to manage t_client.sh output verbosity
      un-break undo_ifconfig_ipv4()/_ipv6() on all non-linux/non-win32 platforms
      use boolean '||' to join two bools, not bitwise '|'
      denoise tests/t_lpback.sh
      FreeBSD: for topology subnet, put tun interface into IFF_BROADCAST mode
      FreeBSD DCO: introduce real subnet mode
      Improve documentation for --dev and --dev-node.
      Update PORTS
      rework INSTALL and README to prepare for 2.6 release
      Preparing release 2.6_beta1

Greg Cox (5):
      Fix naming error in sample-plugins/defer/simple.c
      Documentation fixes around openvpn_plugin_func_v3 in openvpn-plugin.h.in
      Update openvpn_plugin_func_v2 to _v3 in sample-plugins/defer/simple.c
      More explicit versioning compatibility in sample-plugins/defer/simple.c
      Explain structver usage in sample defer plugin.

Heiko Hund (10):
      add support for --dns option
      Add git pre-commit hook script to uncrustify
      pre-commit: uncrustify based on staged changes
      remove foreign_option() call for IPv6 DNS servers
      remove dead foreign-option parsing code
      rename foreign_option() and move it up
      doc: fix literal block in tls-options.rst
      dns: also (re)place foreign dhcp options in env
      signal --dns support in peer info
      make %x destination unsigned

Ilya Ponetayev (1):
      fix compilation issues with small and w/o debug

Ilya Shipitsin (2):
      CI: github actions: keep "pdb" in artifacts
      BUILD: enable CFG and Spectre mitigation for MSVC

Jan Mikkelsen (1):
      cipher-negotiation.rst missing from doc/Makefile.am

Jan Seeger (1):
      Added 'route_ipv6_metric_NN' environment variable for IPv6 route metric.

Jason A. Donenfeld (1):
      Support fingerprint authentication without CA certificate

Jeff (1):
      duplicate function declaration.

Juliusz Sosinowicz (4):
      EVP_DigestSignFinal siglen parameter correction
      Support for wolfSSL in OpenVPN
      build: Add support for pkg-config < 0.28 for old autoconf versions
      README.wolfssl Update

Kristof Provost (6):
      Handle exceeding 'max-clients'
      ovpn-dco: introduce FreeBSD data-channel offload support
      Support creating iroute route entries on FreeBSD
      FreeBSD networking cleanup
      FreeBSD DCO: support AES-192-GCM
      dco: pass control packets through the socket on FreeBSD

Lev Stipakov (68):
      tun.c: enable using wintun driver under SYSTEM
      openvpnmsica: make adapter renaming non-fatal
      msvc: better support for 32bit architecture
      Alias ADAPTER_DOMAIN_SUFFIX to DOMAIN
      ssl_common.h: fix 'not all control paths return a value' msvc warning
      Remove compat-lz4 references from VS project files
      tapctl: support for ovpn-dco Windows driver
      msvc: add ARM64 configuration
      win32: add missing include header
      openvpnmsica: properly schedule reboot in the end of installation
      options.c: fix msvc build error
      msvc: standalone building
      contrib/vcpkg-ports: add pkcs11-helper port
      vcpkg-ports: restore trailing whitespaces in .patch files
      GitHub actions: add MSVC build
      crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606)
      contrib/vcpkg-ports: add openssl port with --no-autoload-config option set (CVE-2121-3606)
      Fix console prompts with redirected log
      GitHub Actions: fix MSVC builds
      contrib/vcpkg-ports: remove openssl port
      Add building man page on Windows
      GitHub Actions: remove Ubuntu 16.04 environment
      Fix loading PKCS12 files on Windows
      msvc: fix product version display
      config-msvc.h: fix OpenSSL-related defines
      GitHub Actions: use latest working lukka/run-vcpkg
      Use network address for emulated DHCP server as a default
      Load OpenSSL config on Windows from trusted location
      ring_buffer.h: fix GCC warning about unused function
      ssh_openssl.h: remove unused declaration
      vcpkg/pkcs11-helper: compatibility with latest vcpkg
      config-msvc.h: indicate key material export support
      auth_token.c: add NULL initialization
      tun: remove tun_finalize()
      vcpkg-ports/pkcs11-helper: bump to release 1.28
      vcpkg-ports/pkcs11-helper: indicate OpenSSL EC support
      xkey: fix msvc build
      msvc: switch to openssl3
      msvc: cleanup
      vcpkg: link lzo statically
      openvpnmsica: add ovpn-dco custom actions
      vcpkg-ports/pkcs11-helper: adapt to new upstream URL
      vcpkg-ports\pkcs11-helper: shorten patch filename
      vcpkg-ports\openssl3: update to 3.0.2
      Fix incorrect default mssfix value in server mode
      msvc: adjust build options to harden binaries
      vcpkg: switch to manifest
      Fix M_ERRNO behavior on Windows
      GitHub Actions: trigger openvpn-build GHA on success
      Set o->use_peer_id flag for p2p mode
      openvpnmsica: remove OpenVPNService state check code
      tun.c: remove unused gc_arena from init_tun()
      error.c: remove unused crash() function
      tun: properly handle device interface list
      dco.h: fix return type when DCO is not enabled
      dco-win: use run-time dynamic linking for GetOverlappedResultEx
      vcpkg: bump baseline version
      do_persist_tuntap: remove indentation level
      msvc: remove .filters files
      dco.c: check certain options only on startup
      Use DCO on Windows by default
      doc: add "ovpn-dco" to usage and man page
      dco-win: support for --persist-tun
      msvc: add branch name and commit hash to version output
      vcpkg: use the latest versions of dependency ports
      win32: detect arm64 architecture and emulations
      INSTALL: update Windows notes
      dco: disable dco on Windows if --remote is not defined

Magnus Kroken (2):
      doc: fix typos in cipher-negotiation.rst
      Changes.rst: fix mistyped option names

Marc Becker (2):
      vcpkg-ports/pkcs11-helper: bump to release 1.29
      fix GitHub workflow working directories in MinGW builds

Martin Janů (1):
      Update the replay-window backtrack log message

Matthias Andree (1):
      Fix SIGSEGV (NULL deref) receiving push "echo"

Max Fillinger (15):
      Wipe Socks5 credentials after use
      Fix build with mbedtls w/o SSL renegotiation support
      In init_ssl, open the correct CRL path pre-chroot
      Abort if CRL file can't be stat-ed in ssl_init
      Update Fox e-mail address in copyright notices
      Replace deprecated mbedtls DRBG update function
      Fix build with compression disabled
      Don't manually free DH params in OpenSSL 3
      Remove unused havege.h header
      Don't use BF-CBC in unit tests if we don't have it
      Add warning about mbed TLS licensing problem
      Don't "undo" ifconfig on exit if it wasn't done
      Update openssl_compat.h for newer LibreSSL
      Handle EVP_MD_CTX as an opaque struct
      Check if pkcs11_cert is NULL before freeing it

Michael Baentsch (1):
      Enable usage of TLS groups not identified by a NID in OpenSSL 3

Paolo Cerrito (1):
      Insert client connection data into PAM environment

Richard Bonhomme (6):
      Improve error msg when all TAP adapters are in use 'or disabled'
      Man page sections corrections
      Do not print Diffie Hellman parameters file to log file
      Log messages: Replace NCP with --data-ciphers (NFC)
      doc link-options.rst: Use free open-source dynamic-DNS provider URL
      doc/protocol-options.rst: Correct default for --allow-compression

Saifur Rahman Mohsin (1):
      Ignore deprecation warning for daemon() on macOS (plugin/auth-pam)

Selva Nair (64):
      Improve the documentation for --dhcp-option
      In tap.c use DiInstallDevice to install the driver on a new adapter
      Add a remark on dropping privileges when --mlock is used
      Allow --dhcp-option in config file when windows-driver is wintun
      Set DNS Domain using iservice
      Improve documentation of --username-as-common-name
      Quote the domain name argument passed to the wmic command
      Remove automatic service
      tun.c on WIN32: remove more unused variables
      Make it explicit that WIndows build requires UNICODE support
      Use C standard compliant format specs in wprintf functions
      Print format spec changes for tapctl and openvpnmscia
      Replace TEXT(__FUNCTION__) by __FUNCTION__ in openvpnmscia.c
      Fix parsing of IV_SSO string
      Do not require CA when peer-fingerprint is used
      Improve documentation of AUTH_PENDING related directives
      Apply the connect-retry backoff to only one side of a connection
      Fix client-pending-auth help message in management interface
      Minor doc correction: tls-crypt-v2 key generation
      Fix the "default" tls-version-min setting
      Fix some more wrong defines in config-msvc.h
      Require Windows CNG keys for cryptoapicert
      Remove error injection into OpenSSL from cryptoapi.c
      Require EC key support in Windows builds
      Ensure the current common_name is in the environment for scripts
      Avoid memory leak in hmac_ctx_new (OpenSSL 3.0 only)
      Fix tls-version-min default once again
      A built-in provider for using external key with OpenSSL 3.0
      Implement KEYMGMT in the xkey provider
      Implement SIGNATURE operations in xkey provider
      Implement import of custom external keys
      Initialize the xkey provider and use it in SSL context
      A helper function to import private key for management-external-key
      Add xkey_provider sources and includes to MSVC project
      Enable signing via provider for management-external-key
      Add a function to encode digests with PKCS1 DigestInfo wrapper
      Allow management client to announce pss padding support
      Respect algorithm support announced by management client
      Support sending DigestSign request to management client
      Increase ERR_BUF_SIZE when management interface support is enabled
      Add a generic key loading helper function for xkey provider
      pkcs11: Interface the xkey provider with pkcs11-helper
      Enable signing using CNG through xkey provider
      Add a unit test for external key provider
      xkey: Use a custom error level for debug messages
      Fix max saltlen calculation in cryptoapi.c
      Support PSS signing using pkcs11-helper >= 1.28
      Do not error when md_kt_size() is called with mdname="none"
      Fix a potential memory leak in tls_ctx_use_management_external_key
      pkcs11_openssl.c: check EVP_get_digestbyname() != NULL
      Fix crash in xkey-provider in msvc builds
      Remove management_write_peer_info_file and related code
      Log the actual management interface port in use
      Log address of management client on accept
      In x_check_status() read errno early
      xkey_provider: fix building with --disable-management
      Do not skip ERROR:/SUCCESS: response from management interface
      Allow a few levels of recursion in virtual_output_callback()
      Fix auth-token usage with management-def-auth
      Ensure --auth-nocache is handled during renegotiation
      Purge auth-token as well while purging passwords
      Do not copy auth_token username to itself
      Do not add leading space to pushed options
      pull-filter: ignore leading "spaces" in option names

Sergio E. Nemirowski (1):
      resolvconf fails with -p

Simon Rozman (9):
      iservice: Resolve MSVC C4996 warnings
      openvpnserv: Cache last error before it is overridden
      netsh: Specify interfaces by index rather than name
      netsh: Clear existing IPv6 DNS servers before configuring new ones
      netsh: Delete WINS servers on TUN close
      openvpnmsica: Simplify find_adapters() to void return
      tun.c: Remove dead code
      interactive.c: Resolve MSVC C4996 warning
      tapctl: Resolve MSVC C4996 warnings

Steffan Karger (5):
      networking_iproute2: fix memory leak in net_iface_mtu_set()
      Simplify key material exporter backend API
      tls-crypt-v2: fix server memory leak
      tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key)
      reliable: retransmit if 3 follow-up ACKs are received

Timo Rothenpieler (5):
      Linux: Retain CAP_NET_ADMIN when dropping privileges
      GitHub Actions: Add new libcap-ng-dev dependency
      Github Actions: update used actions
      dco: disable DCO if --user specified but unable to retain capabilities
      dco: turn platform config checks into separate function

Todd Zullinger (2):
      Update IRC information in CONTRIBUTING.rst
      doc/man (vpn-network-options): fix foreign_option_{n} typo

Tõivo Leedjärv (1):
      Stop using deprecated getpass()

Ville Skyttä (1):
      README.down-root: Fix plugin module name

Vladislav Grishenko (8):
      Fix best gateway selection over netlink
      Fix fatal error at switching remotes (#629)
      Fix update_time() and openvpn_gettimeofday() coexistence
      Selectively reformat too long lines
      Speedup TCP remote hosts connections
      Support X509 field list to be username
      Fix IPv4 default gateway with multiple route tables
      Add CRL extractor script for --crl-verify dir mode