Releases: zlogic/pterodapter

0.5.0

12 Apr 09:21

This version adds support for NAT64, based on the SIIT algorithm documented in RFC 7915.

A split-horizon DNS can map domains to a NAT64 IPv6 prefix (routed to the VPN) or return a real IPv4/IPv6 IP address. This works with just one route and instantly reacts to IP address changes. Microsoft DirectAccess used this approach, and in my tests this works flawlessly.

This is good enough to fully support pterodapter on Windows hosts (with pterodapter running in WSL2).
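The split-horizon mapping described above, sketched as an added example (not pterodapter's own code): the DNS side synthesizes an AAAA record inside the NAT64 prefix for VPN domains, and the translator side recovers the IPv4 destination. The prefix `64:ff9b::/96` (RFC 6052), the zone `corp.example`, and all function names are assumptions.

```rust
use std::net::{Ipv4Addr, Ipv6Addr};

// Assumption: the RFC 6052 well-known prefix 64:ff9b::/96. The release notes
// do not say which NAT64 prefix pterodapter is configured with.
const NAT64_PREFIX: [u16; 6] = [0x0064, 0xff9b, 0, 0, 0, 0];
// Hypothetical split-horizon zone whose hosts are reached through the VPN.
const VPN_SUFFIXES: [&str; 1] = ["corp.example"];

#[derive(Debug, PartialEq)]
enum Answer {
    A(Ipv4Addr),    // real address, returned unchanged
    Aaaa(Ipv6Addr), // synthesized address inside the NAT64 prefix
}

/// DNS side: embed the IPv4 address in the low 32 bits of the /96 prefix.
fn synthesize(v4: Ipv4Addr) -> Ipv6Addr {
    let [a, b, c, d] = v4.octets();
    let p = NAT64_PREFIX;
    Ipv6Addr::new(p[0], p[1], p[2], p[3], p[4], p[5],
        u16::from_be_bytes([a, b]), u16::from_be_bytes([c, d]))
}

/// Translator side: recover the IPv4 destination, refusing any address
/// outside the prefix so unrelated IPv6 traffic is never translated.
fn extract(v6: Ipv6Addr) -> Option<Ipv4Addr> {
    let s = v6.segments();
    if s[..6] != NAT64_PREFIX[..] {
        return None;
    }
    let ([a, b], [c, d]) = (s[6].to_be_bytes(), s[7].to_be_bytes());
    Some(Ipv4Addr::new(a, b, c, d))
}

/// Match on whole labels: "notcorp.example" must not ride the VPN route.
fn is_vpn_domain(name: &str) -> bool {
    let name = name.trim_end_matches('.').to_ascii_lowercase();
    VPN_SUFFIXES.iter().any(|s| name == *s || name.ends_with(&format!(".{s}")))
}

/// Split-horizon decision for one query, given the upstream A record.
fn resolve(name: &str, upstream_a: Ipv4Addr) -> Answer {
    if is_vpn_domain(name) { Answer::Aaaa(synthesize(upstream_a)) } else { Answer::A(upstream_a) }
}

fn main() {
    let a = Ipv4Addr::new(192, 0, 2, 33); // constructed sample (TEST-NET-1)
    println!("{:?}", resolve("git.corp.example", a));
    println!("{:?}", extract(synthesize(a)));
}
```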

Other notable changes:

  • Reply with ICMP errors for some routing issues.
  • Increased buffer sizes to ensure that 1500-byte FortiVPN packets can be forwarded.
  • Fixed HKDF with Windows nonces.
  • Fixed handling of Windows Child SAs.
  • Moved stack buffers outside the future, reducing potential transfers between heap and stack space by 50%.
  • Fixed instructions for client certs.
  • Format u8 slices as hex in debug messages - so that it's easier to paste them into tools like Wireshark.
  • Refactored some code to make it simpler.
  • Upgraded to Rust 1.85 (2024), updated dependency versions.
  • Addressed cargo clippy comments.

0.4.1

10 Feb 23:49

  • Bumped up dependency versions.

0.4.0

25 Dec 15:25

  • Refactored code to use stack memory as much as possible, and avoid allocating/freeing memory. Even under intense load (200+ MBit/s), memory usage stays below 10MB.
  • When possible, the code uses poll_fn to process multiple I/O operations in parallel - while still using a single-threaded version of Tokio.
  • Improved bandwidth and throughput for the IKEv2 flow.
  • Fixed an issue where sometimes shutdown never completed.
  • Simplified the VPN client state machine.
  • Bumped up dependency versions.
  • Other small improvements.

0.3.0

31 Oct 17:21

  • Added support for IKEv2 message fragmentation (RFC 7383)
  • Improved debug logging for encrypted messages and ESP IP headers
  • Added support and documentation for running locally in macOS
  • Delete other sessions on INITIAL_CONTACT
  • Use timeouts when deleting sessions instead of dropping them immediately
  • Check that request matches the original request on retransmissions, follow the client IP/port on retransmissions
  • Bumped up dependency versions, switched from ring to aws-lc-rs

Version 0.2.0

06 Sep 11:38

Implemented a new IKEv2 (L3) VPN mode.

Version 0.1.0

07 Aug 16:59

  • Switched to rustls + ring for TLS connections, as this combination appears to be more actively maintained than native-tls and supports TLS 1.3.
  • Detect loopback connections and drop them to prevent single-threaded Tokio from locking up.
  • A few small code changes/refactorings.

Version 0.0.1

31 Jul 16:22

Initial release.