OpenVPN, Inc.
Patches for OpenVPN x64
Windows
17 patches available
Open source OpenVPN uses VPN technologies to secure and encrypt data sent over the internet.
OpenVPN x64 Version 2.6.1402
Release Date: 6/19/2025
Bug Fix? No
Minor Release? No
Patch Notes

Note: Windows MSI was updated to I002 on June 19th. Changes in I002:
- Includes fix for CVE-2025-50054
OpenVPN x64 Version 2.6.1401
Release Date: 4/2/2025
Bug Fix? Yes
Minor Release? Yes
Patch Notes

Overview of changes in 2.6.14

Security fixes
- CVE-2025-2704: fix possible ASSERT() on OpenVPN servers using --tls-crypt-v2.
  Security scope: OpenVPN servers between 2.6.1 and 2.6.13 using --tls-crypt-v2 can be made to abort with an ASSERT() message by sending a particular combination of authenticated and malformed packets.
  To trigger the bug, a valid tls-crypt-v2 client key is needed, or network observation of a handshake with a valid tls-crypt-v2 client key.
  No crypto integrity is violated, no data is leaked, and no remote code execution is possible.
  This bug does not affect OpenVPN clients.
  (Bug found by internal QA at OpenVPN Inc)

Code maintenance
- fix compatibility with mbedTLS 2.28.10+ and 3.6.3+: security hardening on the mbedTLS side (adding verification of the server certificate hostname inside mbedTLS) broke OpenVPN, as OpenVPN does not use hostname-based verification. Disable mbedTLS feature.
- fix compilation warnings for mbedTLS builds related to enc enum/integer mismatch.
- Github Action builds: drop Ubuntu 20.04 builds, upgrade various packages

Bug fixes
- Linux DCO: repair source IP selection for --multihome (Qingfang Deng)
OpenVPN x64 Version 2.6.1301
Release Date: 1/15/2025
Bug Fix? Yes
Minor Release? Yes
Patch Notes

Overview of changes in 2.6.13

New features
- on non-windows clients (MacOS, Linux, Unix) send release string from uname() call as IV_PLAT_VER= to server - while highly OS specific this is still helpful to keep track of OS versions used on the client side (GH #637)
- Windows: protect cached username, password and token in client memory (using the CryptProtectMemory() windows API)
- Windows: use new API to get dco-win driver version from driver (newly introduced non-exclusive control device) (GH: ovpn-dco-win #76)
- Linux: pass --timeout=0 argument to systemd-ask-password, to avoid default timeout of 90 seconds (console prompting also has no timeout) (GH #649)

Bug fixes
- fix potentially unaligned access in drop_if_recursive_routing on Linux (ASAN)
- correct documentation for port-share journal
- fix logging of IPv6 addresses in port-share journal
- fix various typos in messages, documentation, comments and examples (GH #442, GH #644)
- FreeBSD DCO: fix memory leaks in nvlist handling (GH #636)
- route handling: correctly handle the case where route installation fails in the face of an already-existing route - previously, OpenVPN would remove the other route on exit, incorrectly changing system state.
- fix generation of warning messages for overlapping --local/--remote and --ifconfig addresses
- purge proxy authentication credentials from memory after use (if --auth-nocache is in use)
- fix missing space in various (long and wrapped) msg() calls

Code maintenance
- improve documentation/examples for <peer-fingerprint> feature
- simplify Github Action macOS build setup
- update Github Action macOS runners (remove macOS 12, add macOS 15)
- fix a number of uninitialized struct user_pass local variables (no impact beyond compiler warning, but future-proofing the code)

Security fixes
- improve server-side handling of clients sending usernames or passwords longer than USER_PASS_LEN - this would not result in a crash, buffer overflow or other security issues, but the server would then misparse incoming IV_* variables and produce misleading error messages.
OpenVPN x64 Version 2.6.1201
Release Date: 7/18/2024
Bug Fix? Yes
Minor Release? Yes
Patch Notes

Overview of changes in 2.6.12

Bug fixes
- the fix for CVE-2024-5594 (refuse control channel messages with nonprintable characters) was too strict, breaking user configurations with AUTH_FAIL messages having trailing CR/NL characters. This often happens if the AUTH_FAIL reason is set by a script. Strip those before testing the command buffer (Github: #568). Also, add unit test.
- Http-proxy: fix bug preventing proxy credentials caching (Trac: #1187)

Code maintenance
- try to detect LZO installation with pkg-config (= on many systems manually setting LZO_CFLAGS/LZO_LIBS should no longer be necessary)

Overview of changes in 2.6.11

Security fixes
- CVE-2024-4877: Windows: harden interactive service pipe. Security scope: a malicious process with some elevated privileges (SeImpersonatePrivilege) could open the pipe a second time, tricking openvpn GUI into providing user credentials (tokens), getting full access to the account openvpn-gui runs as. (Zeze with TeamT5)
- CVE-2024-5594: control channel: refuse control channel messages with nonprintable characters in them. Security scope: a malicious openvpn peer can send garbage to openvpn log, or cause high CPU load. (Reynir Björnsson)
- CVE-2024-28882: only call schedule_exit() once (on a given peer). Security scope: an authenticated client can make the server keep the session even when the server has been told to disconnect this client (Reynir Björnsson)

New features
- Windows Crypto-API: Implement Windows CA template match for searching certificates in windows crypto store.
- support pre-created DCO interface on FreeBSD (OpenVPN would fail to set ifmode p2p/subnet otherwise)

Bugfixes
- fix connect timeout when using SOCKS proxies (trac #328, github #267)
- work around LibreSSL crashing on OpenBSD 7.5 when enumerating ciphers (LibreSSL bug, already fixed upstream, but not backported to OpenBSD 7.5, see also libressl/openbsd#150)
- Add bracket in fingerprint message and do not warn about missing verification (github #516)
OpenVPN x64 Version 2.6.1101
Release Date: 6/20/2024
Bug Fix? Yes
Minor Release? Yes
Patch Notes

Overview of changes in 2.6.11

Security fixes
- CVE-2024-4877: Windows: harden interactive service pipe. Security scope: a malicious process with some elevated privileges (SeImpersonatePrivilege) could open the pipe a second time, tricking openvpn GUI into providing user credentials (tokens), getting full access to the account openvpn-gui runs as. (Zeze with TeamT5)
- CVE-2024-5594: control channel: refuse control channel messages with nonprintable characters in them. Security scope: a malicious openvpn peer can send garbage to openvpn log, or cause high CPU load. (Reynir Björnsson)
- CVE-2024-28882: only call schedule_exit() once (on a given peer). Security scope: an authenticated client can make the server keep the session even when the server has been told to disconnect this client (Reynir Björnsson)

New features
- Windows Crypto-API: Implement Windows CA template match for searching certificates in windows crypto store.
- support pre-created DCO interface on FreeBSD (OpenVPN would fail to set ifmode p2p/subnet otherwise)

Bugfixes
- fix connect timeout when using SOCKS proxies (trac #328, github #267)
- work around LibreSSL crashing on OpenBSD 7.5 when enumerating ciphers (LibreSSL bug, already fixed upstream, but not backported to OpenBSD 7.5, see also libressl/openbsd#150)
- Add bracket in fingerprint message and do not warn about missing verification (github #516)

Documentation
- remove experimental denotation for --fast-io
- correctly document ifconfig_* variables passed to scripts (script-options.rst)
- documentation: make section levels consistent
- samples: Update sample configurations
- remove compression & old cipher settings, add more informative comments

Code maintenance
- remove usage of <lzoutils.h> header & macro, discouraged by upstream
- only run coverity scans in OpenVPN/OpenVPN repository (= do not spam owners of cloned repos with "cannot run this" messages)
- replace macOS 11 github runners with macOS 14
- remove some unused code in misc.c (leftover from commit 3a4fb1)
- phase2_tcp_server: fix Coverity issue "Dereference after null check" - the code itself was correct, just doing needless checks
- Use snprintf instead of sprintf for get_ssl_library_version - the code itself was correct, but macOS clang dislikes sprintf()
OpenVPN x64 Version 2.6.1001
Release Date: 3/20/2024
Bug Fix? Yes
Minor Release? Yes
Patch Notes

Overview of changes in 2.6.10

Security fixes
- CVE-2024-27459: Windows: fix a possible stack overflow in the interactive service component which might lead to a local privilege escalation. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
- CVE-2024-24974: Windows: disallow access to the interactive service pipe from remote computers. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
- CVE-2024-27903: Windows: disallow loading of plugins from untrusted installation paths, which could be used to attack openvpn via a malicious plugin. Plugins can now only be loaded from the OpenVPN install directory, the Windows system directory, and possibly from a directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>

Bug fixes
- Windows: if the win-dco driver is used (default) and the GUI requests use of a proxy server, the connection would fail. Disable DCO in this case. (Github: #522)
- Compression: minor bugfix in checking option consistency vs. compiled-in algorithm support
- systemd unit files: remove obsolete syslog.target

User visible changes
- Update copyright notices to 2024

New features
- t_client.sh can now run pre-tests and skip a test block if needed (e.g. skip NTLM proxy tests if SSL library does not support MD4)

Documentation
- remove license warnings about mbedTLS linking (README.mbedtls)
- update documentation references in systemd unit files
- sample config files: remove obsolete tls-*.conf files
- document that auth-user-pass may be inlined
OpenVPN x64 Version 2.6.901
Release Date: 2/12/2024
Bug Fix? Yes
Minor Release? Yes
Patch Notes

Overview of changes in 2.6.9

Security fixes
- Windows Installer: fix CVE-2023-7235 where installing to a non-default directory could lead to a local privilege escalation. Reported by Will Dormann <will.dormann@analygence.com>.

New features
- add support for building with mbedTLS 3.x.x
- new option --force-tls-key-material-export to only accept clients that can do TLS keying material export to generate session keys (mostly an internal option to better deal with TLS 1.0 PRF failures).
- Windows: bump vcpkg-ports/pkcs11-helper to 1.30
- Log incoming SSL alerts in easier to understand form and move logging from --verb 8 to --verb 3.
- protocol_dump(): add support for printing --tls-crypt packets

User visible changes
- license change is now complete, and all code has been re-licensed under the new license (still GPLv2, but with new linking exception for Apache2 licensed code). See COPYING for details. Code that could not be re-licensed has been removed or rewritten.
- the original code for the --tls-export-cert feature has been removed (due to the re-licensing effort) and rewritten without looking at the original code. Feature-compatibility has been tested by other developers, looking at both old and new code and documentation, so there *should* not be a user-visible change here.
- IPv6 route addition/deletion are now logged on the same level (3) as for IPv4. Previously IPv6 was always logged at --verb 1.
- better handling of TLS 1.0 PRF failures in the underlying SSL library (e.g. on some FIPS builds) - this is now reported on startup, and clients before 2.6.0 that can not use TLS EKM to generate key material are rejected by the server. Also, error messages are improved to see what exactly failed.
- packaged sample-keys renewed (old keys due to expire in October 2024)

Bug fixes / Code cleanup
- Windows GUI: always update tray icon on state change (Github: #669) (for persistent connection profiles, connecting state would not show)
- FreeBSD: for servers with multiple clients, reporting of peer traffic statistics would fail due to insufficient buffer space (Github: #487)
- make interaction between --http-proxy-user-pass and --http-proxy more consistent
- doc: improve documentation on --http-proxy-user-pass
- doc: improve documentation for IV_ variables and IV_PROTO bits
- doc: improve documentation on CMake requirements
- fix various coverity-reported complaints (signed/unsigned comparison etc), none of them actual bugs
- NTLMv2: increase phase 2 buffers so things actually work
- NTLM: add extra buffer size verification checks
- doc: improve documentation on --tls-crypt-v2-verify
- autoconf on Linux: improve error reporting for missing libraries - in case the problem came due to missing pkg-config the previous error was misleading. Now clearly report that Linux builds require pkg-config and abort if not found.
- MacOS X: fix undefined behaviour found by UBSAN in get_default_gateway() (IV_HWADDR), using getifaddrs(3) instead of old and convoluted SIOCGIFCONF API.
- OpenSolaris: correctly implement get_default_gateway() (IV_HWADDR), using SIOCGIFHWADDR instead of SIOCGIFCONF API.
- OpenBSD: work around route socket issue in get_default_gateway() (--show-gateway) where RA_IFP must not be set on the query message, otherwise kernel will return EINVAL.
- doc: improve documentation of --x509-track
- bugfix: in UDP mode when exceeding --max-clients, OpenVPN would incorrectly close the connection to peer-id 0. Fix by correctly initializing peer_id with MAX_PEER_ID.
- Windows: do not attempt to delete DNS or WINS servers if they are not set
- configure: get rid of AC_TYPE_SIGNA
OpenVPN x64 Version 2.6.801
Release Date: 11/17/2023
Bug Fix? Yes
Minor Release? Yes
Patch Notes

Overview of changes in 2.6.8

Bug fixes / Code cleanup
- SIGSEGV crash: Do not check key_state buffers that are in S_UNDEF state (Github #449) - the new sanity check function introduced in 2.6.7 sometimes tried to use a NULL pointer after an unsuccessful TLS handshake
- Windows: --dns option did not work when tap-windows6 driver was used, because the internal flag for "apply DNS option to DHCP server" wasn't set (Github #447)
- Windows: fix status/log file permissions, caused by regression after changing to CMake build system (Github: #454, Trac: #1430)
- Windows: fix --chdir failures, also caused by error in CMake build system (Github #448)
- doc: fix typos in documentation

User visible changes
- Windows: print warning if pushed options require DHCP (e.g. DOMAIN-SEARCH) and driver in use does not use DHCP (wintun, dco).
OpenVPN x64 Version 2.6.601
Release Date: 8/14/2023
Bug Fix? Yes
Minor Release? Yes
Patch Notes

Overview of changes in 2.6.6

User visible changes
- OCC exit messages are now logged more visibly (Github #391)
- OpenSSL error messages are now logged with more details (for example, when loading a provider fails, which .so was tried, and why it failed) (Github #361)
- print a more user-friendly message when tls-crypt-v2 client auth fails
- packaging now includes all documentation in the tarball

New features
- set WINS server via interactive service - this adds support for "dhcp-option WINS 192.0.2.1" for DCO + wintun interfaces where no DHCP server is used (Github #373).

Bug fixes / Code cleanup
- route.c was sometimes ignoring return values of add_route3() (found by coverity)
- ntlm: clarify use of buffer in case of truncated NTLM challenge, no actual code change (reported by Trail of Bits, TOB-OVPN-14)
- pkcs11_openssl.c: disable unused code (found by coverity)
- options.c: do not hide variable from parent scope (found by coverity)
- configure: fix typo in LIBCAPNG_CFALGS (Github #371)
- ignore IPv6 route deletion request on Android, reduce IPv4 route-related message verbosity on Android
- manage.c: document missing KID parameter of client-pending-auth (new addition in da083c3b (2.6.2)) in manage interface help text
- vpn-network-options.rst: fix typo of dhcp-option (Github #313)
- tun.c/windows: quote WMIC call to set DHCP/DNS domain with hyphen (Github #363)
- fix CR_RESPONSE management message using wrong key_id
- work around false positive compiler warnings with MinGW 12
- work around false positive compiler warnings with GCC 12.2.0
- fix more compiler warnings on FreeBSD
- test_tls_crypt: improve cmocka testing portability
- dco-linux: fix counter print format (signed/unsigned)
- packaging: include everything that is needed for a MSVC build in tarballs (Github #344)

Overview of changes in 2.6.5

User visible changes
- tapctl (windows): generate driver-specific names (if using tapctl to create additional tap/wintun/dco devices, and not using --name) (Github #337)
- interactive service (windows): do not force target desktop for openvpn - this has no impact for normal use, but enables running of OpenVPN in a scripted way when no user is logged on (for example, via task scheduler) (Github OpenVPN/openvpn-gui#626)

Bug fixes
- fix use-after-free with EVP_CIPHER_free
- fix building with MSVC from release tarball (missing version.m4.in)
- dco-win: repair use of --dev-node to select specific DCO drivers (Github #336)
- fix missing malloc() return check in dco_freebsd.c
- windows: correctly handle unicode names for exit event
- fix memleak in client-connect example plugin
- fix fortify build problem in keying-material-exporter-demo plugin
- fix memleak in dco_linux.c/dco_get_peer_stats_multi() - this will leak a small amount of memory every 15s on DCO enabled servers, leading to noticeable memory waste for long-running processes.
- dco_linux.c: properly close dco version file (fd leak)
OpenVPN x64 Version 2.6.501
Release Date: 6/13/2023
Bug Fix? Yes
Minor Release? Yes
Patch Notes

Overview of changes in 2.6.5

User visible changes
- tapctl (windows): generate driver-specific names (if using tapctl to create additional tap/wintun/dco devices, and not using --name) (Github #337)
- interactive service (windows): do not force target desktop for openvpn - this has no impact for normal use, but enables running of OpenVPN in a scripted way when no user is logged on (for example, via task scheduler) (Github OpenVPN/openvpn-gui#626)

Bug fixes
- fix use-after-free with EVP_CIPHER_free
- fix building with MSVC from release tarball (missing version.m4.in)
- dco-win: repair use of --dev-node to select specific DCO drivers (Github #336)
- fix missing malloc() return check in dco_freebsd.c
- windows: correctly handle unicode names for exit event
- fix memleak in client-connect example plugin
- fix fortify build problem in keying-material-exporter-demo plugin
- fix memleak in dco_linux.c/dco_get_peer_stats_multi() - this will leak a small amount of memory every 15s on DCO enabled servers, leading to noticeable memory waste for long-running processes.
- dco_linux.c: properly close dco version file (fd leak)
OpenVPN x64 Version 2.6.401
Release Date: 5/11/2023
Bug Fix? Yes
Minor Release? Yes
Patch Notes

Overview of changes in 2.6.4

User visible changes
- License amendment: all NEW commits fall under a modified license that explicitly permits linking with Apache2 libraries (mbedTLS, OpenSSL) - see COPYING for details. Existing code will fall under the new license as soon as all contributors have agreed to the change - work ongoing.

New features
- DCO: support kernel-triggered key rotation (avoid IV reuse after 2^32 packets). This is the userland side, accepting a message from kernel, and initiating a TLS renegotiation. As of release, only implemented in FreeBSD kernel.

Bug fixes
- fix pkcs#11 usage with OpenSSL 3.x and PSS signing (Github #323)
- fix compile error on TARGET_ANDROID
- fix typo in help text
- manpage updates (--topology)
- encoding of non-ASCII windows error messages in log + management fixed (use UTF8 as for everything else, not ANSI codepages) (Github #319)
OpenVPN x64 Version 2.6.303
Release Date: 4/13/2023
Bug Fix? Yes
Minor Release? Yes
Patch Notes

Overview of changes in 2.6.3

New features
- Windows: support setting DNS domain in configurations without DHCP (typically wintun or windco drivers), see GH #306.

Bug fixes
- fix possible crash with Linux client on reconnect on TLS errors (needs either --status file or active management interface to trigger)
- fix incorrect formatting in .rst documents
- Windows .msi installer: ensure interactive service stays enabled after silent reinstall, see GH OpenVPN/openvpn-build#348, #349 and #351
- Windows installer: repair querying install path info for easyrsa-start.bat on some Windows language versions, see GH OpenVPN/openvpn-build#352.
- Windows DCO driver: use correct crypto library so it loads on x86, see GH OpenVPN/ovpn-dco-win#43
OpenVPN x64 Version 2.6.201
Release Date: 3/24/2023
Bug Fix? Yes
Minor Release? Yes
Patch Notes

New features
- implement byte counter statistics for DCO Linux (p2mp server and client)
- implement byte counter statistics for DCO Windows (client only)
- --dns server <n> address ... now permits up to 8 v4 or v6 addresses
- fix a few cases of possibly undefined behaviour detected by ASAN
- add more unit tests for Windows cryptoapi interface

Bug fixes
- sending of AUTH_PENDING and INFO_PRE messages fixed (#256)
- Windows: do not treat "setting IPv6 interface metric failed" as a fatal error
OpenVPN x64 Version 2.6.101
Release Date: 3/8/2023
Bug Fix? Yes
Minor Release? Yes
Patch Notes

The OpenVPN community project team is proud to release OpenVPN 2.6.1. This is mostly a bugfix release with some improvements.

For details see Changes.rst

Feature changes:

- Dynamic TLS Crypt: When both peers are OpenVPN 2.6.1+, OpenVPN will dynamically create a tls-crypt key that is used for renegotiation. This ensures that only the previously authenticated peer can trigger renegotiation and complete renegotiations.
- CryptoAPI (Windows): support issuer name as a selector. Certificate selection string can now specify a partial issuer name string as --cryptoapicert ISSUER:<string> where <string> is matched as a substring of the issuer (CA) name in the certificate.
- Note: configure now enables DCO build by default on FreeBSD and Linux. On Linux this brings in a new default dependency for libnl-genl (for Linux distributions that are too old to have a suitable version of the library, use configure --disable-dco)
OpenVPN x64 Version 2.6.010
Release Date: 2/15/2023
Bug Fix? Yes
Minor Release? Yes
Patch Notes

The OpenVPN community project team is proud to release OpenVPN 2.6.0. This is a new stable release with some major new features.

For details see: Changes.rst

The Changes document also contains a section with workarounds for common problems encountered when using OpenVPN with OpenSSL 3.

New features and improvements in 2.6.0 compared to 2.5.8:

- Data Channel Offload (DCO) kernel acceleration support for Windows, Linux, and FreeBSD.
- OpenSSL 3 support.
- Improved handling of tunnel MTU, including support for pushable MTU.
- Outdated cryptographic algorithms disabled by default, but there are options to override if necessary.
- Reworked TLS handshake, making OpenVPN immune to replay-packet state exhaustion attacks.
- Added --peer-fingerprint mode for a more simplistic certificate setup and verification.
- Added Pre-Logon Access Provider support to OpenVPN GUI for Windows.
- Improved protocol negotiation, leading to faster connection setup.
- Included openvpn-gui updated to 11.37.0.0. See CHANGES.rst.
- Updated easy-rsa3 bundled with the installer on Windows.
- Various bug fixes.
OpenVPN x64 Version 2.5.040
Release Date: 11/2/2022
Bug Fix? Yes
Minor Release? Yes
Patch Notes

New features
- allow running a default configuration with TLS libraries without BF-CBC (even if TLS cipher negotiation would not actually use BF-CBC, the long-term compatibility default cipher BF-CBC would trigger an error on such TLS libraries)

User-visible Changes
- add git branch name + commit ID to OpenVPN version string on MSVC builds (windows)

Testing Enhancements
- t_client.sh: if fping is found and fping6 is not, assume we have fping 4.0 and up, and call "fping -6" for IPv6 ping tests
- t_client.sh: allow to force FAIL on prerequisite fails, so a CI environment will no longer silently skip t_client runs if fping (etc) can not be found, but will error out

Bugfixes
- --auth-nocache was not always correctly clearing username+password after a renegotiation
- ensure that auth-token received from server is cleared if requested by the management interface (forget password or automatically via --management-forget-disconnect)
OpenVPN x64 Version 2.5.036
Release Date: 5/31/2022
Bug Fix? Yes
Minor Release? Yes
Patch Notes

New features
- Limited OpenSSL 3.0 support
  OpenSSL 3.0 support has been added. OpenSSL 3.0 support in 2.5 relies on the compatibility layer and full OpenSSL 3.0 support is coming with OpenVPN 2.6. Only features that impact usage directly have been backported:
  - --tls-cert-profile insecure has been added to allow selecting the lowest OpenSSL security level (not recommended, use only if you must).
  - OpenSSL 3.0 no longer supports the Blowfish (and other deprecated) algorithm by default and the new option --providers allows loading the legacy provider to re-enable these algorithms. Most notably, reading of many PKCS#12 files encrypted with the RC2 algorithm fails unless --providers legacy default is configured.
  - The OpenSSL engine feature --engine is not enabled by default anymore if OpenSSL 3.0 is detected.
- print OpenSSL error stack if decoding PKCS12 file fails

User-visible Changes
- windows vcpkg building includes pkcs11-helper 1.29 now
- add MSVC build options to harden windows binaries (HW-enforced stack protection, SHA256 object hashes, SDL).

Bugfixes
- fix omission of cipher-negotiation.rst in tarballs
- fix errno handling on Windows (Windows has different classes of error codes, GetLastError() and C runtime errno, these should now be handled correctly)
- fix PATH_MAX build failure in auth-pam.c
- fix t_net.sh self-test leaving around stale ovpn-dummy0 interface
- fix overlong path names, leading to missing pkcs11-helper patch in tarball