mirror of https://github.com/OpenVPN/openvpn3.git synced 2024-09-20 12:12:15 +02:00
Commit Graph

26 Commits

Author SHA1 Message Date
James Yonan
df51e2bfc3 Minor SplitLines changes. 2012-11-12 02:33:20 +00:00
James Yonan
5a5a18942a Added parser size validation constants in
openvpn/client/cliconstants.hpp
2012-11-12 01:52:03 +00:00
James Yonan
4e6117a111 OpenVPN 1.0 Beta 25 (iOS)
* Added support for import of non-unified profiles via iTunes.

* Added Google DNS Fallback preference.
2012-11-07 22:03:10 +00:00
James Yonan
065b83263c Initial Apple VPN-On-Demand implementation:
* VoD profiles can be defined using the iPhone Configuration utility:

  1. Connection Type should be set to Custom SSL
  2. Identifier should be set to net.openvpn.OpenVPN-Connect.vpnplugin
  3. Server can be set to a hostname, or "DEFAULT" to use the
     hostname(s) from the OpenVPN configuration.
  4. User Authentication should be set to Certificate, and the client
     certificate+key should be attached as a PKCS#12 file.
  5. VPN On Demand should be enabled and match entries should be
     defined.

  In addition, the OpenVPN client configuration file may be defined
  via key/value pairs:

  1. VoD requires an autologin profile.
  2. Define each OpenVPN directive as a key, with arguments
     specified as the value.
  3. For Access Server meta-directives such as
     OVPN_ACCESS_SERVER_USERNAME, remove the "OVPN_ACCESS_SERVER_"
     prefix, giving USERNAME as the directive.
  4. If no arguments are present, use "NOARGS" as the value.
  5. If multiple instances of the same directive are present,
     number the directives in the order they should be processed by
     appending .<n> to the directive, where n is an integer,
     such as remote.1 or remote.2
  6. For multi-line directives such as <ca> and <tls-auth>, you must
     convert the multi-line argument to a single line by specifying
     line breaks as \n -- also note that because of
     this escaping model, you must use \\ to pass backslash itself.

* VoD profiles are recognized and listed by the app.

* The app can disconnect but not connect a VoD profile.

* Most app-level functionality such as logging and preferences
  work correctly for VoD profiles.

Core changes:

* Added support for key-direction parameter in core.
2012-11-06 17:50:30 +00:00
James Yonan
8aa1e2ea76 Fixed minor issue where client HALT/RESTART parser was calling
split (on comma) with 2 rather than 1 base arguments.
2012-10-28 09:56:35 +00:00
James Yonan
3ca3a857bd Initial HTTP proxy implementation in core, with support for
non-authenticated proxies and Basic Auth.

Includes new PROXY_ERROR and PROXY_NEED_CREDS events.

Still to do: Digest and NTLM auth.
2012-10-24 06:38:20 +00:00
James Yonan
a79f88aebd Android:
* Implement a simple DNS cache to work around issue with
  Seamless Tunnel --  When Seamless Tunnel is enabled,
  reconnections are unable to send DNS requests because
  the internet is blocked.  This fix caches the IP address
  used for the initial connection, then reuses it
  over the lifetime of the Seamless Tunnel.

* Try to ensure that connections properly pause on device
  sleep (when sleep on screen blanking is NOT enabled) so
  that they will survive until wakeup.

iOS:

* Don't choke on foreign profiles (such as VPN On Demand) that are
  imported onto the device but lack critical info such as a
  config file.
2012-10-23 13:10:39 +00:00
James Yonan
cded2ca49e Android 1.1.1 build 9
* Fix attempt for java.lang.NullPointerException in
  net.openvpn.openvpn.OpenVPNService.onStartCommand(OpenVPNService.java:838)

* Allow non-unified profiles (i.e. profiles containing directives that
  reference other files) to be imported from SD card, as long
  as all referenced files are present in the same directory on the
  SD card as the profile.

* Relaxed parsing of "remote" directive to allow the port and/or
  protocol parameters to be omitted.  The port defaults to 1194
  and the protocol to UDP.  Either default can be changed with
  the "port" or "proto" directive.

* Fixed issue where profile parser was choking on files containing
  Windows-style line-endings.
2012-10-18 12:24:14 +00:00
James Yonan
f3c4907d5a In new client core, fix bug where specifying a protocol override
of "tcp" or "udp" would fail to consider IPv6 transport options
if available in client config.
2012-10-14 05:06:35 +00:00
James Yonan
4445ba1e76 OpenVPN 1.0 Beta 21 (iOS)
Implemented IPv6 in iOS client.

Added new flags to redirect-gateway to control whether redirection
occurs at IPv4 or IPv6 levels (or both):

* ipv4 (default)
* !ipv4
* ipv6
* !ipv6

Added new directive "redirect-dns yes|no".  If yes, all DNS requests
will be forwarded through pushed DNS servers.  If no, only DNS
requests that match domains enumerated in "dhcp-option DOMAIN"
directives will be forwarded.  If redirect-dns is omitted, it will
default to yes if redirect-gateway is specified at the IPv4 level
(this is the normal pre-existing behavior).

Allow the following aggregated options that are normally pushed by
the server to be defined in the config file as well.  These options
will be combined with server-pushed options:

* route
* route-ipv6
* redirect-gateway
* redirect-private
* dhcp-option

Allow the following singleton options (i.e. options that don't
aggregate), that are normally pushed, to be defined in the config
file (note that server-pushed singleton options will override the
config file setting):

* redirect-dns

The Connection Details section of the UI now displays VPN IP
addresses for IPv4 and IPv6.

Added new pushable option "client-ip IP_ADDR" that can be pushed
by the server with the client's IP address as seen by the server.
The client will then show the address in the Connection Details
section of the UI.
2012-10-03 09:03:02 +00:00
James Yonan
48ab9cbbe9 Added our own system() implementation to allow args to be passed as
array instead of concatenated string, and to resolve issue on OS X
where signals were being ignored after system() was called.

C++ iterators incremented in a for statement should usually use
a preincrement syntax.
2012-09-12 04:24:05 +00:00
James Yonan
a6b6d487ef Global edit to add copyright notice at head of each source file. 2012-08-24 21:13:42 +00:00
James Yonan
bbacaa7f17 In iOS client, generate a reasonable error message on import of
server-locked profile (new core doesn't currently support
server-locked profiles).
2012-08-13 18:59:06 +00:00
James Yonan
ce9de34975 For iOS, allow client apps to subscribe to event and log notifications.
Add capability for iOS client apps (in Objective-C) to call directly
into core for static methods such as eval_profile.
2012-07-02 20:52:58 +00:00
James Yonan
abbe662dcb Android 4 client changes:
* Allow protocol to be specified by "proto" directive instead
  of requiring it to be present in "remote" directive.

* Throw error if tls-remote is specified in client config file.

Updated Android client.txt notes.
2012-04-18 12:13:29 +00:00
James Yonan
6fb53c3abb Fixed a race condition issue with "hot connect", i.e. sending a
connect intent to service when already connected.  

One of the ramifications of the "hot connect" fix above is that
OpenVPNClientBase.is_active() will now return a value that is
instantaneously up-to-date, whereas events might lag because
of the mechanics of inter-thread message posting.  Keep this in
mind when correlating received events to is_active() values.

For C++ core threads, increased allowed thread-stop delay to 2.5
seconds before thread is marked as unresponsive and abandoned.
Previous delay was 1 second.  This delay can't be made too long,
otherwise Android will tell the user that the app is unresponsive
and invite them to kill it.

When closing out an abandoned core thread, indicate this condition
with a new event type called CORE_THREAD_ABANDONED.  If the thread
is abandoned due to lack of response to a disconnect request, then
the CORE_THREAD_ABANDONED event will occur followed by
CORE_THREAD_INACTIVE.  For core threads that properly exit,
the DISCONNECTED event will be followed by CORE_THREAD_INACTIVE.

Added save_as_filename parameter to importProfileRemote method for
controlling the filename that the imported profile is saved as.
This parameter may be set to null to have the method choose an
appropriate name.  To have an imported profile replace an existing
profile, the filenames must match.

Added UI_OVERLOADED debugging constant to OpenVPNClient to allow
the UI to connect to a profile when already connected to another
profile in order to test "hot connect".

Added new events CLIENT_HALT and CLIENT_RESTART for compatibility
with an Access Server feature that allows the server to remotely
kill or restart the client.

When connecting a profile, the core will now automatically fill in
the username if it is not specified for userlocked profiles.

Version 0.902.
2012-03-31 16:08:20 +00:00
James Yonan
8800506ed3 Minor fix to profile autologin detection.
Android version 0.901.
2012-03-20 14:48:52 +00:00
James Yonan
d6be1cf2ee Android 4 client:
* Added OpenVPN log file page view in advanced preferences.

* Added OpenSSL verify_callback.

* Support ns-cert-type

* Sanitize logged data to remove Session ID.
2012-03-08 10:30:43 +00:00
James Yonan
deffceea7e Android 4 -- Implemented External PKI. 2012-03-06 06:06:54 +00:00
James Yonan
16bf1305c6 Android 4 UI changes:
* Added menu with Preferences and Exit items.
* Added Preferences page with VPN protocol selection.
2012-03-03 21:56:10 +00:00
James Yonan
a1626d3149 Android 4 client & core -- implemented server and protocol override. 2012-03-03 11:09:05 +00:00
James Yonan
f094241aa8 Android 4 client port is almost working (need to get an Android
build that includes tun driver to test further).
2012-02-19 01:36:50 +00:00
James Yonan
d2116b635d Factored out common code for tun and routing. 2012-02-18 00:21:05 +00:00
James Yonan
231bd0f21a Top-level client refactoring, to move configuration functionality
from cli.cpp to ClientOptions in openvpn/client/cliopt.hpp.
2012-02-06 20:39:10 +00:00
James Yonan
f9ae757e1a Added "remote" option list handling.
Added ClientProtoTerminateCallback abstraction to ClientProto.

Added ClientProto::Config for configuration parameters, rather than
passing parameters individually to ClientProto constructor.
2012-02-06 08:28:05 +00:00
James Yonan
94cdd50aee Added support for pushed option continuations. 2012-01-31 23:30:19 +00:00