Version 1.1pre18 released.

• Check all Address statements when making outgoing connections.
• Make more variables safe for use in invitations.
• Allow tinc --force join to accept all variables sent in an invitation.
• Make sure the stop command works on Windows if tincd is running in the foreground.
• Handle DOS line endings in invitation files.
• Double-quote node names in dump graph output.
• Prevent large amounts of UDP probes being sent consecutively.
• Try harder to reconnect with unreachable nodes.
• Generate tinc-up.bat on Windows.
• Fix a possible infinite loop when adding Subnets to a running tincd.
• Allow a tun/tap filedescriptor to be passed through a UNIX socket.
• Use auto-clone tun/tap devices as default on FreeBSD and DragonFlyBSD.

Thanks to Fabian Maurer, Ilia Pavlikhin, Maciej S. Szmigiero, Pacien Tran-Girard, Aaron Li, Andreas Rammhold, Rosen Penev, Shengjing Zhu, Werner Schreiber, iczero and leptonyu for their contributions to this version of tinc.

Tinc is potentially affected by CVE-2019-14899.

Please ensure your firewalls block packets with destination IP addresses in your VPN IP range from being received on WAN interfaces.

The LINUX Unplugged podcast just released episode 329: ”Flat Network Truthers”, which covers several VPN technologies, including tinc.

Version 1.0.36 released.

• Fix compiling tinc with certain versions of the OpenSSL library.
• Fix parsing some IPv6 addresses with :: in them.
• Fix GraphDumpFile output to handle node names starting with a digit.
• Fix a potential segmentation fault when fragmenting packets.

Thanks to Rosen Penev, Quentin Rameau and Werner Schreiber for their contributions to this version of tinc.

Versions 1.0.35 and 1.1pre17 released.

• Prevent oracle attacks (CVE-2018-16737, CVE-2018-16738).
• Prevent a MITM from forcing a NULL cipher for UDP (CVE-2018-16758).

Thanks to Michael Yonli for auditing tinc and reporting these vulnerabilities. For more information, see the security page.

Version 1.0.34 released.

• Fix a potential segmentation fault when connecting to an IPv6 peer via a proxy.
• Minor improvements to the build system.
• Make the systemd service file identical to the one from the 1.1 branch.
• Fix a potential problem causing IPv4 sockets to not work on macOS.

Thanks to Maximilian Stein and Wang Liu Shuai for their contributions to this version of tinc.

Version 1.1pre16 released.

• Fixed building with support for UML sockets.
• Documentation updates and spelling fixes.
• Support for MSS clamping of IP-in-IP packets.
• Fixed parsing of the -b flag.
• Added the ability to set a firemall mark on sockets on Linux.
• Minor improvements to the build system.
• Added a cache of recently seen addresses of peers.
• Add support for —runstatedir to the configure script.
• Fixed linking with libncurses on some distributions.
• Automatically disable PMTUDiscovery when TCPOnly is enabled.
• Fixed removing the tinc service on Windows in some situations.

Thanks to Todd C. Miller, Etienne Dechamps, Daniel Lublin, Gjergji Ramku, Mike Sullivan and Oliver Freyermuth for their contributions to this version of tinc.

Version 1.0.33 released.

• Allow compilation from a build directory.
• Source code cleanups.
• Fix some options specified on the command line not surviving a HUP signal.
• Handle tun/tap device returning EPERM or EBUSY.
• Disable PMTUDiscovery when TCPOnly is used.
• Support the —runstatedir option of the autoconf 2.70.

Thanks to Rafael Sadowski and Pierre-Olivier Mercier for their contributions to this version of tinc.

Version 1.0.32 released.

• Fix segmentation fault when using Cipher = none.
• Fix Proxy = exec.
• Support PriorityInheritance for IPv6 packets.
• Fixes for Solaris tun/tap support.
• Bind outgoing TCP sockets when ListenAddress is used.

Thanks to Vittorio Gambaletta for his contribution to this version of tinc.

Version 1.1pre15 released.

• Detect when the machine is resuming from suspension or hibernation.
• When an old PID file is found, check whether the old daemon is still alive.
• Remember scope_id for IPv6 addresses when sending UDP packets to link-local addresses.
• Ensure compatibility with OpenSSL 1.1.
• Only log about dropped packets with debug level 5.
• Warn when trying to generate RSA keys less than 2048 bits.
• Use AES256 and SHA256 as the default encryption and digest algorithms.
• Add DeviceType = fd to support tinc on Android without requiring root.
• Support PriorityInheritance for IPv6 packets.
• Fixes for Solaris tun/tap support.
• Add a configurable expiration time for invitations.
• Store invitation data after a succesful join.
• Exit gracefully when the tun/tap device is in a bad state.
• Add the LogLevel option.
• AutoConnect now actively tries to heal split networks.

Thanks to Etienne Dechamps, Rafał Leśniak, Sean McVeigh, Vittorio Gambaletta, Dennis Lan, Pacien Tran-Girard, Roman Savelyev, lemoer and volth for their contributions to this version of tinc.