OpenVPN full changelog

Security fixes:
CVE-2025-13751: Windows/interactive service: fix erroneous exit on error that could be used by a local Windows users to achieve a local denial-of-service
Bug fixes:
Windows/interactive service: improve service pipe robustness against file access races (uuid) and access by unauthorized processes (ACL).
upgrade bundled build instruction (vcpkg and patch) for pkcs11-helper to 1.31, fixing a parser bug

Security fixes:
CVE-2025-13086: Fix memcmp check for the hmac verification in the 3way handshake. This bug renders the HMAC based protection against state exhaustion on receiving spoofed TLS handshake packets in the OpenVPN server inefficient.
Bug fixes:
fix invalid pointer creation in tls_pre_decrypt() - technically this is a memory over-read issue, in practice, the compilers optimize it away so no negative effects could be observed.
Windows: in the interactive service, fix the "undo DNS config" handling.
Windows: in the interactive service, disallow using of "stdin" for the config file, unless the caller is authorized OpenVPN Administrator
Windows: in the interactive service, change all netsh calls to use interface index and not interface name - sidesteps all possible attack avenues with special characters in interface names.
Windows: in the interactive service, improve error handling in some "unlikely to happen" paths. auth plugin/script handling: properly check for errors in creation on $auth_failed_reason_file (arf). for incoming TCP connections, close-on-exec option was applied to the wrong socket fd, leaking socket FDs to child processes.
sitnl: set close-on-exec flag on netlink socket
ssl_mbedtls: fix missing perf_pop() call (optional performance profiling)

Highlights of this release include:
Multi-socket support for servers -- Handle multiple addresses/ports/protocols within one server
Improved Client support for DNS options:
Client implementations for Linux/BSD, included with the default install
New client implementation for Windows, adding support for features like split DNS and DNSSEC
Architectural improvements on Windows:
The block-local flag is now enforced with WFP filters
Windows network adapters are now generated on demand
Windows automatic service now runs as an unprivileged user
Support for server mode in win-dco driver
Note: Support for the wintun driver has been removed. win-dco is now the default, tap-windows6 is the fallback solution for use-cases not covered by win-dco.
Improved data channel:
Enforcement of AES-GCM usage limit
Epoch data keys and packet format
Support for new upstream DCO Linux kernel module:
This release supports the new ovpn DCO Linux kernel module which will be available in future upstream Linux kernel releases. Backports of the new module to current kernels are available via the ovpn-backports project.
Windows MSI changes since 2.6.14:
Built against OpenSSL 3.5.0
Included openvpn-gui updated to 11.53.0.0
Support for webauth in PLAP (Pre-Logon Access Provider) via QR code (github openvpn-gui#687)

Highlights of this release include:
Multi-socket support for servers -- Handle multiple addresses/ports/protocols within one server
Improved Client support for DNS options:
Client implementations for Linux/BSD, included with the default install
New client implementation for Windows, adding support for features like split DNS and DNSSEC
Architectural improvements on Windows:
The block-local flag is now enforced with WFP filters
Windows network adapters are now generated on demand
Windows automatic service now runs as an unprivileged user
Support for server mode in win-dco driver
Note: Support for the wintun driver has been removed. win-dco is now the default, tap-windows6 is the fallback solution for use-cases not covered by win-dco.
Improved data channel:
Enforcement of AES-GCM usage limit
Epoch data keys and packet format
Support for new upstream DCO Linux kernel module:
This release supports the new ovpn DCO Linux kernel module which will be available in future upstream Linux kernel releases. Backports of the new module to current kernels are available via the ovpn-backports project.
Windows MSI changes since 2.6.14:
Built against OpenSSL 3.5.0
Included openvpn-gui updated to 11.53.0.0
Support for webauth in PLAP (Pre-Logon Access Provider) via QR code (github openvpn-gui#687)

Feature changes:
on non-windows clients (MacOS, Linux, Unix) send "release" string from uname() call as IV_PLAT_VER to server - while highly OS specific this is still helpful to keep track of OS versions used on the client side (​#637)
Windows: protect cached username, password and token in client memory (using the CryptProtectMemory() windows API)
Windows: use new API to get dco-win driver version from driver (newly introduced non-exclusive control device) (OpenVPN/ovpn-dco-win#76)
Linux: pass --timeout=0 argument to systemd-ask-password, to avoid default timeout of 90 seconds ("console prompting also has no timeout") (#649)
Security fixes:
improve server-side handling of clients sending usernames or passwords longer than USER_PASS_LEN - this would not result in a crash, buffer overflow or other security issues, but the server would then misparse incoming IV variables and produce misleading error messages.
Notable bug fixes:
FreeBSD DCO: fix memory leaks in nvlist handling (#636)
purge proxy authentication credentials from memory after use (if --auth-nocache is in use)

Bug fixes:
the fix for CVE-2024-5594 (refuse control channel messages with nonprintable characters) was too strict, breaking user configurations with AUTH_FAIL messages having trailing CR/NL characters. This often happens if the AUTH_FAIL reason is set by a script. Strip those before testing the command buffer (github ​#568). Also, add unit test.
Http-proxy: fix bug preventing proxy credentials caching (trac #1187)
Windows MSI changes since 2.6.11:
Built against OpenSSL 3.3.1
Included openvpn-gui updated to 11.50.0.0
Update Italian language (github ​#696)