All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- OpenVPN: Opt out of platform info in peer info. #409
- OpenVPN: HMAC breaking due to dangling OSSL_PARAM. #405
- OpenVPN: Bad error mapping. #404
- OpenVPN: Restore default security level. #406
- Demo rewritten in SwiftUI. #399
- Upgrade OpenSSL to 3.2.0. #336
- Keychain may fail to set password. #327
- Hide errors behind façade TunnelKit*Error. #325
- WireGuard: DoH/DoT options. #314
- OpenVPN: Full implementation of Tunnelblick XOR patch (tmthecoder). #255
- OpenVPN: Support for `--route-nopull`. #280
- OpenVPN: Support for `--remote-random-hostname`. #286
- Use `.includeAllNetworks` for best-effort kill switch. #300
- Bump targets to iOS 15 / macOS 12.
- Upgrade OpenSSL to 1.1.1q.
- Use natively async methods from NetworkExtension. #284
- OpenVPN: Unmask PUSH_REPLY and network settings in logs.
- OpenVPN: Delay tunnel disposal. #311
- OpenVPN: Deal with remote options properly. #297
- OpenVPN: Routes from configuration file are ignored. #278
- OpenVPN: Split DNS domain and search domains. #313
- WireGuard: Return native parsing errors from WireGuardKit. #316
- IPv6 endpoints are parsed improperly. #293
- Fix abandoned MockVPN. #285
- OpenVPN: Parse authentication requirement from `--auth-user-pass`.
- OpenVPN: Handle multiple `--remote` options correctly.
- OpenVPN: Explicitly enable/disable DNS/proxy settings.
- Reconnect with current manager and configuration.
- Customize tunnel log path.
- Rewrite Manager package with Swift Concurrency.
- WireGuard: Use entities from WireGuardKit directly.
- Only enable on-demand if at least one rule is provided.
- Drop incomplete support for IPSec/IKEv2.
- Upgrade OpenSSL to 1.1.1o.
- OpenVPN: Bug in StaticKey equality comparison.
- WireGuard support. #236
- Handle `--keepalive` option.
- Relax deployment target for macOS down to 10.14.
- Upgrade OpenSSL to 1.1.1m.
- Verify CA from on-disk file. #237
- Revert to OpenSSL. #233
- Regression in TLS handshake (temporarily revert #213).
- Migrate to SwiftPM. #210
- Replace OpenSSL with BoringSSL from SwiftNIO SSL.
- Drop support for TLS security level (not present in BoringSSL).
- Support for IPSec/IKEv2 providers.
- Avoid caching PEMs on disk (roop). #213
- Upgrade OpenSSL to 1.1.1l.
- Avoid caching PEMs on disk. #213
- Support for XOR patch (Sam Foxman). #170
- Support for `--compress stub-v2`.
- Return error in install completion handler. #206
- Relax handling of whitespaces in configuration file.
- Clean up cached PEMs at the end of a Session. #203
- Skip keychain password prompt on macOS. #200
- Restore app group in keychain queries about password references. #201
- Handle `--data-ciphers` and `--data-ciphers-fallback` from OpenVPN 2.5.
- Support DNS over HTTPS (DoH) and TLS (DoT).
- Pick tunnel password reference from an existing keychain item context.
- Do not override network DNS settings when not provided by VPN. #197
- Encoding of internal provider configuration.
- Parse `--tun-mtu` option.
- Update API to access current Wi-Fi SSID.
- Refactor access to keychain.
- Support for Apple Silicon (macOS arm64).
- Customize IV_UI_VER (pahnev). #178
- Deployment targets raised to iOS 12.0 and macOS 10.15.
- Use active profile name in VPN configuration (device settings).
- Incorrect tunnel bundle identifiers in Demo. #176
- IV_PLAT in peer info was hardcoded to "mac" (pahnev). #177
- Code cleanup.
- Address concerns from Guido Vranken fuzzers. #141
- Improve IP Header parsing (roop). #171
- Support for SAN hostname in certificates (jaroslavas). #168
- IPv6 traffic broken on Mojave. #146, #169
- Restore tunnel MTU setting (ueshiba). #148
- Transient connected state upon connection failure (rob-patchett). #128
- Upgrade OpenSSL to 1.1.1g. #166
- Upgrade OpenSSL to 1.1.1f. #165
- Index out of range during negotiation (Grivus). #143
- Handle server shutdown/restart (remote `--explicit-exit-notify`). #131
- Abrupt disconnection upon unknown packet key id (johankool). #161
- Handle explicit IPv4/IPv6 protocols (`4` or `6` suffix in `--proto`). #153
- Mitigate IP traffic breaking on Mojave. #146
- Pointer warnings from Xcode 11.4 upgrade.
- Keep-alive pings coalescing over time.
- Ping timeout not checked for if keep-alive is disabled.
- Require explicit `--ca` and `--cipher` in .ovpn configuration file.
- Allow keep-alive timeout to be configured by the server or client (Robert Patchett). #122
- Support for proxy autoconfiguration URL (ThinkChaos). #125
- Support multiple DNS search domains. #127
- Upgrade OpenSSL to 1.1.1d. #123
- Session negotiation succeeds too early (Robert Patchett). #124
- Handle `vpn_gateway` literal in `--route`.
- OpenSSL framework structure on macOS makes binary invalid when uploaded to App Store Connect.
- Potential OOB in memcmp() (Guido Vranken).
- Deadlock on shutdown (further fixes). #106
- Regression with negotiation failing due to .staleSession error. #120
- Deadlock on shutdown. #106
- Stuck on SOFT_RESET. #105
- Tunnel dies unexpectedly on macOS. #111
- Recover from ENOBUFS. #112
- Regression in LZO subspec.
- Major refactoring.
- Partially support `--redirect-gateway block-local`. #81
- Authentication failure due to local options. #95
- Customize security level (to tolerate weak certificates). #97
- Connection stalls on server-initiated SOFT_RESET.
- Wrong configuration mutability.
- Do not redirect all traffic to VPN unless `--redirect-gateway` specified. #90
- Upgrade OpenSSL to 1.1.0j.
- SoftEther sends an incomplete PUSH_REPLY. #86
- Authentication/Decrypt errors with TLS wrapping. #88, #61
- Broken DNS when no servers provided. #84
- UDP may disconnect on high-speed upload link. #87
- Client certificate may fail when private key in .ovpn is encrypted. #91
- DNS is unreachable when VPN is not default gateway. #94
- Basic support for proxy settings (no PAC). #74
- Make `hostname` optional and pick `resolvedAddresses` if nil.
- Negotiation times out with SoftEther. #67
- Unable to handle continuated PUSH_REPLY. #71
- TCP requiring multiple PUSH_REQUEST. #73
- DNS inconsistencies. #85
- Cipher/digest erroneously required by AppExtension.
- Handle `dhcp-option DOMAIN`. #77
- Refactor configuration parser for reuse.
- Optional data count report via `TunnelKitProvider.Configuration.dataCount(in:)`.
- Upgraded to Swift 5.
- `checksEKU` not propagated to TunnelKitProvider.
- Several reconnection issues.
- Missing EKU flag evaluation.
- Shut down if server pushes a compressed data packet.
- Custom DNS servers were not applied.
- Reject `<connection>` blocks as unsupported.
- Enable or disable EKU according to `remote-cert-tls server` in .ovpn file. #64
- Compiling errors in demo target.
- Linking errors with OpenSSL.
- A few potential vulnerabilities.
- Parser for .ovpn configuration files. #47
- Due to #47, `SocketType` and `EndpointProtocol` were moved to Core subspec.
- IPv4/UInt32 conversions are not endianness-agnostic. #46
- Refactored tunnel configuration API for increased code reuse. #44
- Use high-level accessories instead of `debugLogKey` and `lastErrorKey`. #45
- IPv4/UInt32 calculations were wrong.
- Debug log is saved to group container rather than `UserDefaults`. #43
- Handle server-initiated renegotiation. #41
- Potentially private data (e.g. Internet addresses) is now masked in debug log. #42
- Configuration key `lastErrorKey` for reporting errors to host app. #40
- Server extended key usage validation (EKU). #27
- CA file was not closed after MD5 calculation when using PIA patches.
- Mitigated an issue with MTU in TCP mode during negotiation. #39
- Support for `--tls-auth` wrapping. #34
- Support for `--tls-crypt` wrapping. #35
- Parser for static OpenVPN keys from file. #36
- Handling of mixed DATA_V1/DATA_V2 packets. #30
- Restored support for PIA patches. #32
- Make CA non-optional. #28
- Client certificate verification. #3
- Support for both `--comp-lzo` and `--compress` compression framing. #2, #5, #10
- Routes setup from PUSH_REPLY. #7
- Support for IPv6. #8
- Support for server-side NCP. #11
- Property to mark ciphers not requiring digest auth (e.g. GCM). #13
- `Codable` implementations for native Swift serialization. #15
- More cipher and digest algorithms. #16
- Negotiated compression framing from PUSH_REPLY. #19
- Customizable keep-alive. #20
- Negotiated keep-alive from PUSH_REPLY. #22
- Peer-info metadata.
- Raised iOS target to 11 (drops 32-bit support).
- Upgraded OpenSSL from 1.1.0h to 1.1.0i.
- Minor adjustments for Xcode 10 / Swift 4.2.
- Deep refactoring of control channel for future extensibility.
- App group moved out of tunnel configuration, to make it more platform-agnostic and coherent to serialize.
- Keep-alive is disabled by default.
- Several internal renamings.
- Sensitive data logged in PUSH_REPLY. #12
- Bad interpretation of 0 seconds between renegotiations. #18
- Incorrect behavior on data-related failures. #21
- Initial fork from https://github.com/pia-foss/tunnel-apple
- Non-standard PIA patches.