mirror of https://github.com/OpenVPN/openvpn3.git synced 2024-09-19 19:52:15 +02:00
Commit Graph

244 Commits

Author SHA1 Message Date
James Yonan
de0da474ef Revamp remote-list handling so that DNS names that resolve to
multiple addresses will be treated as if each address was an
individual remote directive.

Fixed issue where UDP transport driver was calling socket
connect method synchronously.  This can cause exceptions
to be thrown in corner cases, such as "No route to host"
on OSX/iOS for connections to IPv6 addresses when no default
IPv6 route exists on system.  Refactoring UDP connect
operation to be asynchronous fixes the issue.

Implemented remote-random.
2013-03-12 19:20:37 +00:00
James Yonan
a5c05a8e65 Comment update. 2013-02-28 17:35:06 +00:00
James Yonan
ce8171fff1 Minor fixes related to open-sourcing process. 2013-01-30 20:17:30 +00:00
James Yonan
f8f5d86b2b Android 1.1.9 build 34
* key-direction default can now be set through the ovpncli API,
  but generally defaults to -1 (bidirectional).
2013-01-28 01:11:28 +00:00
James Yonan
dd377281a5 Added cachePassword boolean to ProvideCreds struct in core API.
Separated the functionality of replacePasswordWithSessionID
and cachePassword, and allow them to be used together,
in which case the session ID will be used as the password
until it expires or is invalidated, then the cached
password will be used to reauth.
2013-01-25 02:34:20 +00:00
James Yonan
6c0be1e1c0 iOS: 1.0.1 build 55
Android: 1.1.9 build 31

* Reverted key-direction back to a default of 1.

* Raise fatal error if "fragment" option is used.

* Made TunBuilderCapture more useful as a base class for
  tun construction on various platforms.

* Added disableClientCert flag at ovpncli.hpp API.

* Updated help FAQ with more details on how to
  properly set key-direction, and notes about
  possible network disconnect during voice calls.
2013-01-24 13:34:17 +00:00
James Yonan
b5611c7ac0 Core: add optional state debugging for proto.hpp.
In ovpncli.cpp:

#define OPENVPN_DEBUG_PROTO   2 // enable state debugging if >= 2
2013-01-20 04:18:34 +00:00
James Yonan
be454f3971 Core change: allow "proto tcp-client" usage for compatibility
with 2.x branch.
2013-01-19 03:40:40 +00:00
James Yonan
d5874f4684 Misc client and pre-server cleanup. 2012-11-26 01:51:24 +00:00
James Yonan
c3df841fa6 Core changes for password save support. 2012-11-18 18:53:10 +00:00
James Yonan
94680833e0 Implement options for allowPasswordSave:
setenv ALLOW_PASSWORD_SAVE 0|1
  allow-password-save 0|1

By default, allowPasswordSave is true.
2012-11-18 08:55:27 +00:00
James Yonan
34a2fd7047 Add error code for PEM_PASSWORD_FAIL for conveying error up
through client API.
2012-11-16 04:13:48 +00:00
James Yonan
06acd86d29 Added core support for PEM private key passwords. 2012-11-15 22:48:13 +00:00
James Yonan
32a117242e More profile validation. 2012-11-14 02:35:50 +00:00
James Yonan
5a5a18942a Added parser size validation constants in
openvpn/client/cliconstants.hpp
2012-11-12 01:52:03 +00:00
James Yonan
4e6117a111 OpenVPN 1.0 Beta 25 (iOS)
* Added support for import of non-unified profiles via iTunes.

* Added Google DNS Fallback preference.
2012-11-07 22:03:10 +00:00
James Yonan
065b83263c Initial Apple VPN-On-Demand implementation:
* VoD profiles can be defined using the iPhone Configuration utility:

  1. Connection Type should be set to Custom SSL
  2. Identifier should be set to net.openvpn.OpenVPN-Connect.vpnplugin
  3. Server can be set to a hostname, or "DEFAULT" to use the
     hostname(s) from the OpenVPN configuration.
  4. User Authentication should be set to Certificate, and the client
     certificate+key should be attached as a PKCS#12 file.
  5. VPN On Demand should be enabled and match entries should be
     defined.

  In addition, the OpenVPN client configuration file may be defined
  via key/value pairs:

  1. VoD requires an autologin profile.
  2. Define each OpenVPN directive as a key, with arguments
     specified as the value.
  3. For Access server meta-directives such as
     OVPN_ACCESS_SERVER_USERNAME, remove the "OVPN_ACCESS_SERVER_"
     prefix, giving USERNAME as the directive.
  4. If no arguments are present, use "NOARGS" as the value.
  5. If multiple instances of the same directive are present,
     number the directives in the order they should be processed by
     appending .<n> to the directive, where n is an integer,
     such as remote.1 or remote.2
  6. For multi-line directives such as <ca> and <tls-auth>, you must
     convert the multi-line argument to a single line by specifying
     line breaks as \n -- also note that because of
     this escaping model, you must use \\ to pass backslash itself.

* VoD profiles are recognized and listed by the app.

* The app can disconnect but not connect a VoD profile.

* Most app-level functionality such as logging and preferences
  work correctly for VoD profiles.

Core changes:

* Added support for key-direction parameter in core.
2012-11-06 17:50:30 +00:00
James Yonan
1c7f9e2577 Completed HTTP proxy backend implementation
in new client core:

* Added NTLMv2 authentication
2012-10-28 10:07:32 +00:00
James Yonan
5564037b7e Added new preference for Android:
DNS Fallback (enabled by default) -- Use Google DNS servers as a
fallback for connections that route all internet traffic through
the VPN tunnel but don't define any VPN DNS servers.
2012-10-24 12:37:24 +00:00
James Yonan
3ca3a857bd Initial HTTP proxy implementation in core, with support for
non-authenticated proxies and Basic Auth.

Includes new PROXY_ERROR and PROXY_NEED_CREDS events.

Still to do: Digest and NTLM auth.
2012-10-24 06:38:20 +00:00
James Yonan
a79f88aebd Android:
* Implement a simple DNS cache to work around issue with
  Seamless Tunnel -- When Seamless Tunnel is enabled,
  reconnections are unable to send DNS requests because
  the internet is blocked.  This fix caches the IP address
  used for the initial connection, then reuses it
  over the lifetime of the Seamless Tunnel.

* Try to ensure that connections properly pause on device
  sleep (when sleep on screen blanking is NOT enabled) so
  that they will survive until wakeup.

iOS:

* Don't choke on foreign profiles (such as VPN On Demand) that are
  imported onto the device but lack critical info such as a
  config file.
2012-10-23 13:10:39 +00:00
James Yonan
3903810824 Implemented persistent tunnel, currently only working for
Android:

* Added a preference item tun_persist -- in the UI it is
  described as "Seamless Tunnel -- Block internet while VPN
  is paused or reconnecting"

* If tun_persist is enabled, hold onto tun socket during
  reconnects or pauses, and don't rebuild the tunnel
  on reconnect unless its controlling parameters have changed.
2012-10-21 09:43:03 +00:00
James Yonan
9bcdcd8da2 Deal with a corner case in time handling on 32 bit systems, where time
can wrap after ~48 days.
2012-10-20 06:05:51 +00:00
James Yonan
c23e2a8c64 Added pathway for External PKI sources to deliver the entire
cert chain to the core, rather than only the leaf cert.

This allows profiles to be used that lack "ca", "cert",
or "key" directives -- instead, these values are read from the
KeyChain.

If "ca" IS NOT defined in the profile, it will be set to
the chain of supporting certs associated with the Keychain
leaf cert.

If "ca" IS defined by the profile, then the chain of supporting
certs will go into the "extra-certs" list, meaning that it
will support the client cert but not serve as an authority
to verify the server cert.
2012-10-19 10:29:12 +00:00
James Yonan
5f494621b1 Android and core fixes related to External PKI:
* Fixed core segfault that would occur if external_pki_cert_request
  returned an error status.

* More robust handling of External PKI alias invalidation.

* Minor fixes to allow jellybean_hack.cpp to build in
  debug mode.
2012-10-19 08:52:01 +00:00
James Yonan
cded2ca49e Android 1.1.1 build 9
* Fix attempt for java.lang.NullPointerException in
  net.openvpn.openvpn.OpenVPNService.onStartCommand(OpenVPNService.java:838)

* Allow non-unified profiles (i.e. profiles containing directives that
  reference other files) to be imported from SD card, as long
  as all referenced files are present in the same directory on the
  SD card as the profile.

* Relaxed parsing of "remote" directive to allow the port and/or
  protocol parameters to be omitted.  The port defaults to 1194
  and the protocol to UDP.  Either default can be changed with
  the "port" or "proto" directive.

* Fixed issue where profile parser was choking on files containing
  Windows-style line-endings.
2012-10-18 12:24:14 +00:00
James Yonan
4aa8345036 Implement "don't restart" flag so that EPKI errors will not
retry continuously until timeout.
2012-10-07 08:59:58 +00:00
James Yonan
4445ba1e76 OpenVPN 1.0 Beta 21 (iOS)
Implemented IPv6 in iOS client.

Added new flags to redirect-gateway to control whether redirection
occurs at IPv4 or IPv6 levels (or both):

* ipv4 (default)
* !ipv4
* ipv6
* !ipv6

Added new directive "redirect-dns yes|no".  If yes, all DNS requests
will be forwarded through pushed DNS servers.  If no, only DNS
requests that match domains enumerated in "dhcp-option DOMAIN"
directives will be forwarded.  If redirect-dns is omitted, it will
default to yes if redirect-gateway is specified at the IPv4 level
(this is the normal pre-existing behavior).

Allow the following aggregated options that are normally pushed by
the server to be defined in the config file as well.  These options
will be combined with server-pushed options:

* route
* route-ipv6
* redirect-gateway
* redirect-private
* dhcp-option

Allow the following singleton options (i.e. options that don't
aggregate), that are normally pushed, to be defined in the config
file (note that server-pushed singleton options will override the
config file setting):

* redirect-dns

The Connection Details section of the UI now displays VPN IP
addresses for IPv4 and IPv6.

Added new pushable option "client-ip IP_ADDR" that can be pushed
by the server with the client's IP address as seen by the server.
The client will then show the address in the Connection Details
section of the UI.
2012-10-03 09:03:02 +00:00
James Yonan
e64f429095 When reporting client compression capabilities to server, include
IV_COMP_STUB whenever IV_LZO_STUB is reported.
2012-09-17 21:41:41 +00:00
James Yonan
54a534d347 Fixed build script to work again on OS X.
Implement our own wrapper around ::system().
2012-09-11 23:51:37 +00:00
James Yonan
0caeeb533e Turned on snappy compression support in mobile clients. 2012-09-08 23:02:09 +00:00
James Yonan
4136c1d618 Compression selector in mobile clients is now 3-state:
yes -- support compression on both uplink and downlink
asym -- support compression on downlink only
no (default) -- no compression (stubs only)

Added our own internal LZO decompressor, which is enabled when
HAVE_LZO is undefined and the standard LZO library is not linked.
This allows clients to support LZO in downlink mode only
if the library isn't available.
2012-09-08 01:36:54 +00:00
James Yonan
f31040f059 "last packet received n seconds ago" stat is now provided by core. 2012-09-05 22:03:26 +00:00
James Yonan
8b7b797ef5 iOS version: 1.0 Beta 17
Android version: 1.1 beta 1

More alignment of iOS and Android clients:

* Normalized building of dependencies for Android and iOS:

  This build adds some new library dependencies:
  The library versions required are enumerated in
  ovpn3/lib-versions, currently:

    export BOOST_VERSION=boost_1_51_0
    export OPENSSL_VERSION=openssl-1.0.1c
    export POLARSSL_VERSION=polarssl-1.1.4
    export LZO_VERSION=lzo-2.06

  To build, first mkdir ~/src/android and ~/src/mac if they don't
  already exist.  Set the env var O3 to point to the ovpn3 dir,
  usually ~/src/ovpn3.

  Build on iOS:

    [set PATH to include NDK]
    cd ~/src/android
    $O3/scripts/android/build-boost
    $O3/scripts/android/build-minicrypto
    $O3/scripts/android/build-polarssl
    $O3/scripts/android/build-lzo

  Build on Android:

    [set PATH to include NDK]
    cd ~/src/android
    $O3/scripts/android/build-boost
    $O3/scripts/android/build-minicrypto
    $O3/scripts/android/build-polarssl
    $O3/scripts/android/build-lzo

* Integrated Minicrypto library (an assembly language library
  of low-level crypto functions adapted from OpenSSL).

* Added LZO compression with a preference/settings item
  to enable or disable.

* Added special compression handling to support older servers
  that ignore compression handshake -- this will handle receiving
  compressed packets even if we didn't ask for them.

* Normalized profile naming conventions.

iOS changes:

* Log tunnel performance stats immediately on disconnection
  of tunnel.

Android changes:

* Client now supports loading profiles as attachments
  opened from other apps.

* Added Import Private Tunnel menu item, however current
  Private Tunnel download page needs to be adapted to fit
  requirements of Android download manager.

* Enter key should advance to the next input field,
  or connect if entered from the last field.

* Import from Access Server now provides the option to
  download autologin vs. userlogin profiles.

* "About" page now shows copyright text for included
  libraries/content (except for LZO and PolarSSL
  which will presumably be commercially licensed).
2012-09-05 01:09:34 +00:00
James Yonan
a6b6d487ef Global edit to add copyright notice at head of each source file. 2012-08-24 21:13:42 +00:00
James Yonan
582c8f3977 OpenVPN 1.0 Beta 13 (iOS)
* Fixed issue with non-pushed "comp-lzo" statically declared in
  config file.

* Show Peer info in log.

* Increment core version number to 1.0.
2012-08-23 14:25:50 +00:00
James Yonan
6d05850322 OpenVPN core addition -- allow session token to be recovered
from connected session.
2012-08-21 21:32:51 +00:00
James Yonan
7331ee349b Full iOS beta for OpenVPN Connect. 2012-08-01 12:28:13 +00:00
James Yonan
42f98baec7 Added transport_stats method to OpenVPN Core API. 2012-07-24 09:16:43 +00:00
James Yonan
ce9de34975 For iOS, allow client apps to subscribe to event and log notifications.
Add capability for iOS client apps (in Objective-C) to call directly
into core for static methods such as eval_profile.
2012-07-02 20:52:58 +00:00
James Yonan
f91339e739 First working iOS build. 2012-07-01 15:37:46 +00:00
James Yonan
1f7d3ac4ef Added Objective-C wrapper for client core. 2012-05-25 17:54:53 +00:00
James Yonan
ce1431f3c2 Added clilib:
* scripts to build ovpncli shared library for C++ clients
* test client test/clilib/test.cpp
2012-05-23 13:50:41 +00:00
James Yonan
ce9820fed5 Moved ovpncli.hpp and ovpncli.cpp to client/ so that they can be used
by library wrappings other than javacli.
2012-05-23 05:05:42 +00:00