Remove build_test artifacts from git tracking

Co-authored-by: chipitsine <2217296+chipitsine@users.noreply.github.com>
Fix IKEv2 SK payload format and IKE_AUTH parsing for Apple device connectivity
2026-04-21 06:19:25 +03:00 · 2026-03-06 08:41:59 +00:00 · 2026-03-06 08:41:38 +00:00 · 2026-02-20 09:51:18 +00:00 · 2026-02-20 09:50:38 +00:00 · 2026-02-20 06:57:32 +00:00
63 changed files with 12584 additions and 812 deletions
@@ -4,14 +4,14 @@ FreeBSD_task:
      SSL: openssl
      OPENSSL_ROOT_DIR: /usr/local
    env:
-      SSL: openssl32
+      SSL: openssl36
      OPENSSL_ROOT_DIR: /usr/local
    env:
      # base openssl
      SSL:
  matrix:
    freebsd_instance:
-      image_family: freebsd-14-2
+      image_family: freebsd-14-3
  prepare_script:
    - pkg install -y pkgconf cmake git libsodium cpu_features $SSL
    - git submodule update --init --recursive
@@ -7,6 +7,8 @@ body:
      value: |
        Thanks for taking the time to fill out this bug report!         
        We provide a template which is specifically made for bug reports, to be sure that the report includes enough details to be helpful.
        **⚠️ Antivirus False Positive?** If you're reporting an antivirus detection issue, please see [ANTIVIRUS.md](https://github.com/SoftEtherVPN/SoftEtherVPN/blob/master/ANTIVIRUS.md) first. Antivirus false positives should be reported to the antivirus vendor, not as bugs in SoftEther VPN.
  - type: checkboxes
    attributes:
@@ -1,4 +1,8 @@
 contact_links:
  - name: Antivirus False Positive Detection
    about: If antivirus software is flagging SoftEther VPN as malicious, this is a false positive. See our documentation for solutions and how to report to antivirus vendors.
    url: https://github.com/SoftEtherVPN/SoftEtherVPN/blob/master/ANTIVIRUS.md
  - name: Are you using SoftEther VPN 4.x?
    about: This repository is for SoftEther VPN 5.x Developer Edition, developed independently from SoftEther VPN 4.x. Visit vpnusers.com if you would like to report issues or ask questions about version 4.x!
    url: https://www.vpnusers.com/
@@ -4,6 +4,7 @@ name: Coverity
 on:
  schedule:
  - cron: "0 0 * * *"
  workflow_dispatch:
 permissions:
  contents: read
@@ -11,7 +12,7 @@ permissions:
 jobs:
  scan:
    runs-on: ubuntu-latest
-    if: ${{ github.repository_owner == 'SoftEtherVPN' }}
+    if: ${{ github.repository_owner == 'SoftEtherVPN' || github.event_name == 'workflow_dispatch' }}
    steps:
    - uses: actions/checkout@v2
      with:
@@ -7,7 +7,7 @@ jobs:
  build_and_test:
    strategy:
      matrix:
-        os: [macos-15, macos-14, macos-13]
+        os: [macos-26, macos-15, macos-14]
    name: ${{ matrix.os }}
    runs-on: ${{ matrix.os }}
    steps:
@@ -8,10 +8,11 @@ jobs:
    strategy:
      matrix:
        platform: [
-          { ARCHITECTURE: x86, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/bin/clang-cl.exe",     VCPKG_TRIPLET: "x86-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars32.bat"},
+          { ARCHITECTURE: x86, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/bin/clang-cl.exe",     VCPKG_TRIPLET: "x86-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars32.bat", RUNNER: "windows-latest", CMAKE_EXTRA_FLAGS: ""},
-          { ARCHITECTURE: x64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/x64/bin/clang-cl.exe", VCPKG_TRIPLET: "x64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars64.bat"}
+          { ARCHITECTURE: x64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/x64/bin/clang-cl.exe", VCPKG_TRIPLET: "x64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars64.bat", RUNNER: "windows-latest", CMAKE_EXTRA_FLAGS: ""},
          { ARCHITECTURE: arm64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/ARM64/bin/clang-cl.exe", VCPKG_TRIPLET: "arm64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvarsarm64.bat", RUNNER: "windows-11-arm", CMAKE_EXTRA_FLAGS: "-DOQS_PERMIT_UNSUPPORTED_ARCHITECTURE=ON"}
        ]
-    runs-on: windows-latest
+    runs-on: ${{ matrix.platform.RUNNER }}
    name: ${{ matrix.platform.ARCHITECTURE }}
    steps:
    - uses: actions/checkout@v4
@@ -33,12 +34,13 @@ jobs:
        COMPILER_PATH: ${{ matrix.platform.COMPILER_PATH }}
        VCPKG_TRIPLET: ${{ matrix.platform.VCPKG_TRIPLET }}
        VCVARS_PATH: ${{ matrix.platform.VCVARS_PATH }}
        CMAKE_EXTRA_FLAGS: ${{ matrix.platform.CMAKE_EXTRA_FLAGS }}
      run: |
        set BUILD_NUMBER=0
        mkdir build
        cd build
        call "%VCVARS_PATH%"
-        cmake -G "Ninja" -DCMAKE_TOOLCHAIN_FILE="C:\vcpkg\scripts\buildsystems\vcpkg.cmake" -DVCPKG_TARGET_TRIPLET=%VCPKG_TRIPLET% -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_COMPILER="%COMPILER_PATH%" -DCMAKE_CXX_COMPILER="%COMPILER_PATH%" -DBUILD_NUMBER=%BUILD_NUMBER% ..
+        cmake -G "Ninja" -DCMAKE_TOOLCHAIN_FILE="C:\vcpkg\scripts\buildsystems\vcpkg.cmake" -DVCPKG_TARGET_TRIPLET=%VCPKG_TRIPLET% -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_COMPILER="%COMPILER_PATH%" -DCMAKE_CXX_COMPILER="%COMPILER_PATH%" -DBUILD_NUMBER=%BUILD_NUMBER% %CMAKE_EXTRA_FLAGS% ..
        cmake --build .
        mkdir installers
        vpnsetup /SFXMODE:vpnclient /SFXOUT:"installers\softether-vpnclient-%VERSION%.%BUILD_NUMBER%.%ARCHITECTURE%.exe"
@@ -26,13 +26,14 @@ jobs:
        uses: softprops/action-gh-release@v1
  build-windows:
    name: ${{ matrix.platform.ARCHITECTURE }}
-    runs-on: windows-latest
+    runs-on: ${{ matrix.platform.RUNNER }}
    needs: ["release"]
    strategy:
      matrix:
        platform: [
-          { ARCHITECTURE: x86, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/bin/clang-cl.exe",     VCPKG_TRIPLET: "x86-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars32.bat"},
+          { ARCHITECTURE: x86, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/bin/clang-cl.exe",     VCPKG_TRIPLET: "x86-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars32.bat", RUNNER: "windows-latest", CMAKE_EXTRA_FLAGS: ""},
-          { ARCHITECTURE: x64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/x64/bin/clang-cl.exe", VCPKG_TRIPLET: "x64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars64.bat"}
+          { ARCHITECTURE: x64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/x64/bin/clang-cl.exe", VCPKG_TRIPLET: "x64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvars64.bat", RUNNER: "windows-latest", CMAKE_EXTRA_FLAGS: ""},
          { ARCHITECTURE: arm64, COMPILER_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Tools/Llvm/ARM64/bin/clang-cl.exe", VCPKG_TRIPLET: "arm64-windows-static", VCVARS_PATH: "C:/Program Files/Microsoft Visual Studio/2022/Enterprise/VC/Auxiliary/Build/vcvarsarm64.bat", RUNNER: "windows-11-arm", CMAKE_EXTRA_FLAGS: "-DOQS_PERMIT_UNSUPPORTED_ARCHITECTURE=ON"}
        ]
    steps:
      - name: "Checkout repository"
@@ -57,11 +58,12 @@ jobs:
          COMPILER_PATH: ${{ matrix.platform.COMPILER_PATH }}
          VCPKG_TRIPLET: ${{ matrix.platform.VCPKG_TRIPLET }}
          VCVARS_PATH: ${{ matrix.platform.VCVARS_PATH }}
          CMAKE_EXTRA_FLAGS: ${{ matrix.platform.CMAKE_EXTRA_FLAGS }}
        run: |
          mkdir build
          cd build
          call "%VCVARS_PATH%"
-          cmake -G "Ninja" -DCMAKE_TOOLCHAIN_FILE="C:\vcpkg\scripts\buildsystems\vcpkg.cmake" -DVCPKG_TARGET_TRIPLET=%VCPKG_TRIPLET% -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_COMPILER="%COMPILER_PATH%" -DCMAKE_CXX_COMPILER="%COMPILER_PATH%" -DBUILD_NUMBER=%BUILD_NUMBER% ..
+          cmake -G "Ninja" -DCMAKE_TOOLCHAIN_FILE="C:\vcpkg\scripts\buildsystems\vcpkg.cmake" -DVCPKG_TARGET_TRIPLET=%VCPKG_TRIPLET% -DCMAKE_BUILD_TYPE=RelWithDebInfo -DCMAKE_C_COMPILER="%COMPILER_PATH%" -DCMAKE_CXX_COMPILER="%COMPILER_PATH%" -DBUILD_NUMBER=%BUILD_NUMBER% %CMAKE_EXTRA_FLAGS% ..
          cmake --build .
          mkdir installers
          vpnsetup /SFXMODE:vpnclient /SFXOUT:"installers\softether-vpnclient-%VERSION%.%BUILD_NUMBER%.%ARCHITECTURE%.exe"
@@ -210,3 +210,9 @@ developer_tools/stbchecker/**/*.binlog
 developer_tools/stbchecker/**/*.nvuser
 developer_tools/stbchecker/**/.mfractor/
 /vcpkg_installed
 # Build directories
 /_codeql_build_dir/
 /_codeql_detected_source_root
 /build/
 /build_test/
@@ -0,0 +1,338 @@
 # Antivirus False Positive Detection
 ## Overview
 Some antivirus software, including Microsoft Defender, may incorrectly flag SoftEther VPN executables as malicious software. This is a **false positive** detection. SoftEther VPN is legitimate, open-source software that has been developed and maintained since 2013 by researchers at the University of Tsukuba, Japan.
 ## Why Does This Happen?
 Antivirus software uses heuristic analysis to detect potentially malicious behavior. VPN software like SoftEther VPN performs operations that can appear suspicious to antivirus programs, including:
 - **Network tunneling and traffic interception**: VPN software creates virtual network adapters and intercepts network traffic to secure it
 - **Low-level network operations**: Packet filtering, protocol handling, and kernel-mode operations
 - **Service installation**: VPN clients install system services that run with elevated privileges
 - **Registry modifications**: Required for Windows integration and auto-start functionality
 - **Dynamic code execution**: Network protocol implementations may use techniques that appear similar to malicious software
 These are **normal and necessary operations** for any VPN software, but they can trigger heuristic-based detection algorithms.
 ## Microsoft Defender Specific Issue
 ### Affected Components
 Microsoft Defender may flag the following SoftEther VPN 5.x components as `Trojan:Win32/KepavII!rfn`:
 - `vpnclient.exe` - VPN Client executable
 - `vpnserver.exe` - VPN Server executable  
 - `vpnbridge.exe` - VPN Bridge executable
 - `vpncmd.exe` - VPN Command-line utility
 - Start menu shortcuts
 - Registry entries
 - Windows services (`SEVPNCLIENTDEV`, `SEVPNSERVERDEV`, etc.)
 ### Detection Details
 ```
 Detected: Trojan:Win32/KepavII!rfn
 Status: Quarantined
 Description: "This program is dangerous and executes commands from an attacker."
 ```
 **This is a false positive.** The detection is based on behavioral heuristics, not actual malicious code.
 ## Solutions and Workarounds
 ### Option 1: Add Exclusions (Recommended for Users)
 The recommended approach is to add SoftEther VPN directories to Microsoft Defender's exclusion list:
 #### Step-by-Step Instructions:
 1. **Open Windows Security**
   - Press `Windows Key + I` to open Settings
   - Navigate to **Privacy & Security** → **Windows Security**
   - Click **Virus & threat protection**
 2. **Access Exclusion Settings**
   - Scroll down to **Virus & threat protection settings**
   - Click **Manage settings**
   - Scroll down to **Exclusions**
   - Click **Add or remove exclusions**
 3. **Add SoftEther VPN Directories**
   Click **Add an exclusion** → **Folder** and add these paths:
   - `C:\Program Files\SoftEther VPN Client`
   - `C:\Program Files\SoftEther VPN Client Developer Edition`
   - `C:\Program Files\SoftEther VPN Server`
   - `C:\Program Files\SoftEther VPN Server Manager`
   - `C:\Program Files\SoftEther VPN Server Manager Developer Edition`
   - `C:\Program Files\SoftEther VPN Server Developer Edition`
   - `C:\ProgramData\SoftEther VPN Client`
   - `C:\ProgramData\SoftEther VPN Server`
   **Note**: Add only the directories that correspond to the SoftEther VPN components you have installed.
 4. **Restore Quarantined Files** (if needed)
   - Go back to **Virus & threat protection**
   - Click **Protection history**
   - Find the quarantined SoftEther VPN files
   - Click **Actions** → **Restore**
 5. **Reinstall if Necessary**
   - If files were deleted, you may need to reinstall SoftEther VPN
   - The exclusions will prevent future detections
 ### Option 2: Report False Positive to Microsoft
 Help improve Microsoft Defender by reporting the false positive:
 1. **Submit to Microsoft Defender Security Intelligence**
   - Visit: https://www.microsoft.com/en-us/wdsi/filesubmission
   - Select **File** submission type
   - Choose **Software developer** as your role
   - Submit the falsely detected SoftEther VPN executable files
   - Provide details: "False positive detection of SoftEther VPN, open-source VPN software"
 2. **Include Information**
   - Product Name: SoftEther VPN
   - Vendor: SoftEther Project at University of Tsukuba
   - Official Website: https://www.softether.org/
   - GitHub Repository: https://github.com/SoftEtherVPN/SoftEtherVPN
   - License: Apache License 2.0
 Microsoft typically reviews submissions within a few days and updates their definitions if confirmed as a false positive.
 ### Option 3: Use Alternative Antivirus Software
 If Microsoft Defender continues to cause issues:
 1. Consider using alternative antivirus software that doesn't flag SoftEther VPN
 2. Some users report fewer false positives with third-party antivirus solutions
 3. Ensure any alternative antivirus is from a reputable vendor
 ## For IT Administrators
 ### Group Policy Configuration
 To deploy exclusions across an organization using Group Policy:
 1. **Open Group Policy Management Console**
   ```
   gpmc.msc
   ```
 2. **Navigate to Windows Defender Antivirus Settings**
   ```
   Computer Configuration → Policies → Administrative Templates 
   → Windows Components → Microsoft Defender Antivirus → Exclusions
   ```
 3. **Configure Path Exclusions**
   - Enable **Path Exclusions**
   - Add the SoftEther VPN installation directories
 4. **Update Group Policy**
   ```powershell
   gpupdate /force
   ```
 ### PowerShell Exclusion Script
 For automated deployment, use this PowerShell script (requires Administrator privileges):
 ```powershell
 # Add Windows Defender exclusions for SoftEther VPN
 # Requires Administrator privileges
 $exclusionPaths = @(
    "C:\Program Files\SoftEther VPN Client",
    "C:\Program Files\SoftEther VPN Client Developer Edition",
    "C:\Program Files\SoftEther VPN Server",
    "C:\Program Files\SoftEther VPN Server Manager",
    "C:\Program Files\SoftEther VPN Server Manager Developer Edition",
    "C:\Program Files\SoftEther VPN Server Developer Edition",
    "C:\ProgramData\SoftEther VPN Client",
    "C:\ProgramData\SoftEther VPN Server"
 )
 # Check if running as Administrator
 $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
 if (-not $isAdmin) {
    Write-Error "This script requires Administrator privileges. Please run PowerShell as Administrator."
    exit 1
 }
 # Check if Windows Defender module is available
 if (-not (Get-Module -ListAvailable -Name Defender)) {
    Write-Error "Windows Defender PowerShell module is not available on this system."
    exit 1
 }
 $successCount = 0
 $errorCount = 0
 foreach ($path in $exclusionPaths) {
    if (Test-Path $path) {
        try {
            Add-MpPreference -ExclusionPath $path -ErrorAction Stop
            Write-Host "✓ Added exclusion: $path" -ForegroundColor Green
            $successCount++
        }
        catch {
            Write-Warning "✗ Failed to add exclusion for: $path"
            Write-Warning "  Error: $($_.Exception.Message)"
            $errorCount++
        }
    }
    else {
        Write-Host "- Skipped (not found): $path" -ForegroundColor Gray
    }
 }
 Write-Host "`nSummary:" -ForegroundColor Cyan
 Write-Host "  Successfully added: $successCount exclusion(s)" -ForegroundColor Green
 if ($errorCount -gt 0) {
    Write-Host "  Failed: $errorCount exclusion(s)" -ForegroundColor Red
 }
 Write-Host "`nSoftEther VPN exclusions configured." -ForegroundColor Cyan
 ```
 Save as `Add-SoftEtherVPN-Exclusions.ps1` and run as Administrator.
 ## Verification of Software Authenticity
 ### Open Source Verification
 SoftEther VPN is **fully open source** and can be verified:
 1. **Source Code Review**
   - Complete source code: https://github.com/SoftEtherVPN/SoftEtherVPN
   - All commits are publicly visible
   - Community peer-reviewed code
 2. **Build from Source**
   - You can compile SoftEther VPN yourself from source
   - See: [BUILD_WINDOWS.md](src/BUILD_WINDOWS.md) and [BUILD_UNIX.md](src/BUILD_UNIX.md)
   - Self-compiled builds may have fewer false positive issues
 3. **Community Trust**
   - Active development since 2013
   - Over 11,000+ GitHub stars
   - Used by organizations and individuals worldwide
   - Peer-reviewed academic research project
 ### Official Distributions
 Always download SoftEther VPN from official sources:
 - **Official Website**: https://www.softether.org/
 - **GitHub Releases**: https://github.com/SoftEtherVPN/SoftEtherVPN/releases
 - **Official Download Site**: https://www.softether-download.com/
 **Warning**: Do not download SoftEther VPN from third-party websites or unofficial sources.
 ## Technical Background
 ### Why VPN Software Triggers Detection
 VPN software implements functionality that overlaps with techniques used by some malware:
 1. **Kernel-mode drivers**: Required for creating virtual network adapters
 2. **Network traffic interception**: Core VPN functionality to encrypt traffic
 3. **Process injection**: Some VPN implementations inject into other processes
 4. **Privilege escalation**: VPN services need administrative rights
 5. **Persistent system changes**: Auto-start configuration, service installation
 These are **legitimate techniques** when used by trusted VPN software.
 ### False Positive Rate
 False positives are common in the VPN and security software industry. Other legitimate VPN and security tools have faced similar issues:
 - OpenVPN has been flagged by various antivirus vendors
 - WireGuard implementations have triggered false positives
 - Many security research tools face similar challenges
 ## Code Signing Status
 **Note**: The official SoftEther VPN releases may not include code signing certificates. Code signing certificates require:
 - Annual fees (typically $300-500+ per year)
 - Corporate entity for Extended Validation (EV) certificates
 - Hardware security modules (HSM) for EV certificate storage
 As an open-source project with limited funding, SoftEther VPN prioritizes development over expensive code signing infrastructure. However, this doesn't make the software any less safe - all source code is publicly auditable.
 Users who require signed binaries can:
 1. Build from source and sign with their own certificates
 2. Work with their organization to sign the binaries
 3. Use alternative verification methods (source code review, checksums, etc.)
 ## Best Practices
 1. **Keep Antivirus Updated**: Ensure Microsoft Defender definitions are current
 2. **Monitor Protection History**: Regularly check if SoftEther VPN is being flagged
 3. **Subscribe to Updates**: Follow SoftEther VPN releases for security updates
 4. **Report False Positives**: Help the community by reporting detections to Microsoft
 5. **Use Official Builds**: Only download from official sources
 ## Additional Resources
 - **SoftEther VPN Official Website**: https://www.softether.org/
 - **GitHub Repository**: https://github.com/SoftEtherVPN/SoftEtherVPN
 - **Security Policy**: [SECURITY.md](SECURITY.md)
 - **Microsoft Defender Submission Portal**: https://www.microsoft.com/en-us/wdsi/filesubmission
 - **Build Instructions**: [BUILD_WINDOWS.md](src/BUILD_WINDOWS.md)
 ## Frequently Asked Questions
 ### Q: Is SoftEther VPN safe to use?
 **A**: Yes. SoftEther VPN is legitimate, open-source software developed by researchers at the University of Tsukuba, Japan. The detection is a false positive. All source code is publicly available for review at https://github.com/SoftEtherVPN/SoftEtherVPN
 ### Q: Why don't you just fix the code to not trigger antivirus?
 **A**: The detection is based on legitimate VPN operations, not malicious code. Changing how VPN functionality works to avoid heuristic detection would compromise the software's core purpose. The correct solution is to report false positives to antivirus vendors and add exclusions.
 ### Q: Will adding exclusions make my computer less secure?
 **A**: Exclusions for trusted software from official sources don't significantly reduce security. Only add exclusions for software you trust and have downloaded from official sources. SoftEther VPN is open-source and can be verified.
 ### Q: Can I use SoftEther VPN without adding exclusions?
 **A**: Not reliably with Microsoft Defender. The antivirus will quarantine executables and prevent the VPN from functioning. Exclusions are necessary unless Microsoft updates their detection definitions.
 ### Q: How do I know my downloaded file is authentic?
 **A**: 
 1. Only download from https://github.com/SoftEtherVPN/SoftEtherVPN/releases or https://www.softether.org/
 2. Verify the file hash/checksum if provided
 3. Review the source code on GitHub
 4. Build from source yourself for maximum assurance
 ### Q: Is this issue specific to SoftEther VPN?
 **A**: No. Many VPN applications and security tools face false positive detections. OpenVPN, WireGuard implementations, and other network security tools have similar issues with various antivirus vendors.
 ### Q: Will this be fixed in a future version?
 **A**: The SoftEther VPN project continues to work on this issue. However, heuristic-based detection is challenging to avoid without compromising functionality. The best approach is to:
 1. Report false positives to Microsoft
 2. Use exclusions as needed
 3. Build from source if your organization requires it
 ## Contributing
 If you have additional solutions or workarounds that have worked for you, please contribute to this documentation:
 1. Fork the repository: https://github.com/SoftEtherVPN/SoftEtherVPN
 2. Edit this file: `ANTIVIRUS.md`
 3. Submit a pull request with your improvements
 ---
 **Applies to**: SoftEther VPN 5.x (Developer Edition)  
 **Related Issue**: False positive detection by Microsoft Defender as Trojan:Win32/KepavII!rfn
@@ -136,6 +136,78 @@
          "type": "STRING"
        }
      ]
    },
    {
      "name": "arm64-on-x64",
      "description": "Cross compile Windows ARM64 on x64",
      "generator": "Ninja",
      "configurationType": "RelWithDebInfo",
      "inheritEnvironments": ["msvc_arm64_x64"],
      "buildRoot": "${projectDir}\\out\\build\\${name}",
      "installRoot": "${projectDir}\\out\\install\\${name}",
      "variables": [
        {
          "name": "BUILD_NUMBER",
          "value": "${env.BuildNumber}",
          "type": "STRING"
        },
        {
          "name": "CMAKE_SYSTEM_NAME",
          "value": "Windows",
          "type": "STRING"
        },
        {
          "name": "CMAKE_SYSTEM_PROCESSOR",
          "value": "arm64",
          "type": "STRING"
        },
        {
          "name": "CMAKE_C_COMPILER",
          "value": "${env.VCINSTALLDIR}Tools/Llvm/bin/clang-cl.exe",
          "type": "FILEPATH"
        },
        {
          "name": "CMAKE_CXX_COMPILER",
          "value": "${env.VCINSTALLDIR}Tools/Llvm/bin/clang-cl.exe",
          "type": "FILEPATH"
        },
        {
          "name": "CMAKE_C_COMPILER_TARGET",
          "value": "arm64-windows-msvc",
          "type": "STRING"
        },
        {
          "name": "CMAKE_CXX_COMPILER_TARGET",
          "value": "arm64-windows-msvc",
          "type": "STRING"
        },
        {
          "name": "CMAKE_EXE_LINKER_FLAGS",
          "value": "/machine:ARM64",
          "type": "STRING"
        },
        {
          "name": "VCPKG_TARGET_TRIPLET",
          "value": "arm64-windows-static",
          "type": "STRING"
        },
        {
          "name": "CMAKE_STATIC_LINKER_FLAGS",
          "value": "/machine:ARM64",
          "type": "STRING"
        },
        {
          "name": "CMAKE_SHARED_LINKER_FLAGS",
          "value": "/machine:ARM64",
          "type": "STRING"
        },
        {
          "name": "IS_CROSS_COMPILATION",
          "value": "arm64-on-x64",
          "type": "STRING"
        }
      ]
    }
  ]
 }
@@ -37,15 +37,18 @@ COPY --from=builder /usr/local/src/SoftEtherVPN/build/libcedar.so /usr/local/src
 FROM base AS vpnserver
 COPY --from=builder /usr/local/src/SoftEtherVPN/build/vpnserver ./
 RUN ./vpnserver --help
 EXPOSE 443/tcp 992/tcp 1194/tcp 1194/udp 5555/tcp 500/udp 4500/udp
 CMD ["/usr/local/bin/vpnserver", "execsvc"]
 FROM base AS vpnclient
 COPY --from=builder /usr/local/src/SoftEtherVPN/build/vpnclient ./
 RUN ./vpnclient --help
 CMD ["/usr/local/bin/vpnclient", "execsvc"]
 FROM base AS vpnbridge
 COPY --from=builder /usr/local/src/SoftEtherVPN/build/vpnbridge ./
 RUN ./vpnbridge --help
 CMD ["/usr/local/bin/vpnbridge", "execsvc"]
@@ -14,6 +14,7 @@
  * [For Windows](#for-windows)
  * [From binary installers (stable channel)](#from-binary-installers-stable-channel)
  * [Build from Source code](#build-from-source-code)
 - [Antivirus False Positive Detection](ANTIVIRUS.md)
 - [About HTML5-based Modern Admin Console and JSON-RPC API Suite](#about-html5-based-modern-admin-console-and-json-rpc-api-suite)
  * [Built-in SoftEther VPN Server HTML5 Ajax-based Web Administration Console](#built-in-softether-vpn-server-html5-ajax-based-web-administration-console)
  * [Built-in SoftEther Server VPN JSON-RPC API Suite](#built-in-softether-server-vpn-json-rpc-api-suite)
@@ -206,6 +207,8 @@ Also SoftEther VPN [Stable Edition](https://www.freshports.org/security/softethe
 [Nightly builds](https://github.com/SoftEtherVPN/SoftEtherVPN/actions/workflows/windows.yml)
 (choose appropriate platform, then find binaries or installers as artifacts)
 **⚠️ Important for Windows Users**: Some antivirus software (including Microsoft Defender) may incorrectly flag SoftEther VPN as malicious. This is a **false positive**. See [ANTIVIRUS.md](ANTIVIRUS.md) for detailed information and solutions.
 ## From binary installers (stable channel)
 Those can be found under https://www.softether-download.com/
@@ -290,6 +293,8 @@ We hope that you can reach one of the above URLs at least!
 Your contribution to SoftEther VPN Project is much appreciated.
 Please send patches to us through GitHub.
 Here you find how to submit new translation: [TRANSLATION_GUIDE.md](TRANSLATION_GUIDE.md)
 # DEAR SECURITY EXPERTS
@@ -12,4 +12,15 @@ currently being supported with security updates.
 ## Reporting a Vulnerability
-Please use [github security reporting](https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/new)
+Please use [github security reporting](https://github.com/SoftEtherVPN/SoftEtherVPN/security/advisories/new)
 ## Antivirus False Positive Detection
 Some antivirus software may incorrectly flag SoftEther VPN executables as malicious. This is a **false positive** and not a security vulnerability.
 **If you encounter antivirus warnings:**
 - See [ANTIVIRUS.md](ANTIVIRUS.md) for detailed information and solutions
 - Report false positives to your antivirus vendor
 - Verify downloads are from official sources only
 **SoftEther VPN is safe**: All source code is publicly available and can be reviewed at https://github.com/SoftEtherVPN/SoftEtherVPN
@@ -0,0 +1,116 @@
 ================================================================================
 SoftEther VPN - Windows Installation Notes
 ================================================================================
 Thank you for installing SoftEther VPN!
 SoftEther VPN is legitimate, open-source VPN software developed by researchers
 at the University of Tsukuba, Japan. It has been in active development since
 2013 and is used by organizations and individuals worldwide.
 ================================================================================
 IMPORTANT: Antivirus False Positive Warning
 ================================================================================
 Some antivirus software (including Microsoft Defender) may incorrectly flag
 SoftEther VPN executables as malicious. This is a FALSE POSITIVE detection.
 WHY THIS HAPPENS:
 -----------------
 VPN software performs operations that can appear suspicious to antivirus
 programs:
  - Network tunneling and traffic interception
  - Low-level network operations
  - Service installation with elevated privileges
  - Registry modifications for Windows integration
 These are NORMAL and NECESSARY operations for any VPN software.
 IF MICROSOFT DEFENDER QUARANTINES SOFTETHER VPN:
 ------------------------------------------------
 1. Add Exclusions to Microsoft Defender:
   a) Open Windows Security (Windows Key + I -> Privacy & Security -> 
      Windows Security -> Virus & threat protection)
   b) Click "Manage settings" under Virus & threat protection settings
   c) Scroll down to "Exclusions" and click "Add or remove exclusions"
   d) Click "Add an exclusion" -> "Folder" and add:
      C:\Program Files\SoftEther VPN Client
      C:\Program Files\SoftEther VPN Client Developer Edition
      C:\Program Files\SoftEther VPN Server
      C:\Program Files\SoftEther VPN Server Developer Edition
      (Add only the folders that exist for your installation)
 2. Restore Quarantined Files:
   a) Go to "Virus & threat protection" -> "Protection history"
   b) Find quarantined SoftEther VPN files
   c) Click "Actions" -> "Restore"
 3. Reinstall if Necessary:
   If files were deleted, reinstall SoftEther VPN. The exclusions will
   prevent future detections.
 REPORT FALSE POSITIVE TO MICROSOFT:
 ------------------------------------
 Help improve Microsoft Defender by reporting the false positive:
  Visit: https://www.microsoft.com/en-us/wdsi/filesubmission
  Submit the flagged file and indicate it's a false positive detection
  of SoftEther VPN, open-source software from the University of Tsukuba.
 MORE INFORMATION:
 -----------------
 For detailed documentation about this issue and additional solutions, see:
  https://github.com/SoftEtherVPN/SoftEtherVPN/blob/master/ANTIVIRUS.md
 VERIFY AUTHENTICITY:
 --------------------
 SoftEther VPN is open source. You can verify the software by:
  - Reviewing source code: https://github.com/SoftEtherVPN/SoftEtherVPN
  - Official website: https://www.softether.org/
  - Only download from official sources
 WARNING: Do not download SoftEther VPN from third-party websites.
 ================================================================================
 Getting Started
 ================================================================================
 After adding antivirus exclusions (if needed):
 1. Launch "SoftEther VPN Client Manager" from the Start Menu
 2. Configure your VPN connection settings
 3. Connect to your VPN server
 For detailed documentation, visit: https://www.softether.org/
 ================================================================================
 Support
 ================================================================================
 Official Website: https://www.softether.org/
 GitHub Repository: https://github.com/SoftEtherVPN/SoftEtherVPN
 Security Issues: https://github.com/SoftEtherVPN/SoftEtherVPN/security
 ================================================================================
 SoftEther VPN is licensed under the Apache License 2.0
 Copyright (c) SoftEther VPN Project at University of Tsukuba, Japan
 Thank you for using SoftEther VPN!
 ================================================================================
@@ -87,6 +87,10 @@ into it. So that is what will be described below.
   - x86-on-x64
     Cross compile x86 executables with 64-bit compiler
    - arm64-on-x64
     Cross compile arm64 executables with x64t compiler
   On 64-bit Windows, all four configurations can be used. 32-bit platforms can only use 32-bit compiler.
@@ -0,0 +1,52 @@
 # How to build and install SoftEther VPN on Windows ARM64
 This document describes how to build SoftEther VPN for Windows ARM64 and how to install the VPN Client and Neo6 virtual network adapter on Windows on ARM devices.
 ## Requirements
 - Build host: Windows x64
 - Target device: Windows 10 / Windows 11 ARM64
 ## Building 
    **Notes before building**: ARM64 builds are cross-compiled from an x64 Windows host. An existing x64-native build is required to generate hamcore.se2.
 1. Follow [BUILD_WINDOWS.md](BUILD_WINDOWS.md##Building)
 1. Build x64 (Native): From the build menu, select x64-on-x64. Complete the build successfully. This build is required to generate shared resources
 1. Build ARM64 (Cross-Compiled): From the same build menu, select arm64-on-x64. 
 Build the ARM64 version of SoftEther VPN.
 1. Building the Neo6 Virtual Network Adapter (ARM64)
    Open the following project in Visual Studio:
    ```
    .\src\Neo6\Neo6.vcxproj 
    ```
    SoftEther VPN Client uses the Neo6 virtual network adapter.
    Driver Output Files
    The ARM64 driver package includes:
    ```
    Neo6_arm64_VPN.sys
    Neo6_arm64_VPN.inf
    ```
    Driver Signing and Installation (Windows ARM64)
    ```
    Enable test-signing mode: bcdedit /set testsigning on
    Reboot the system.
    Testing signing:
    Install the Neo6 ARM64 driver.
    ```
 # Summary
 SoftEther VPN can be cross-compiled for Windows ARM64 on an x64 host
 VPN Client works natively on Windows on ARM
 Neo6 ARM64 driver requires Microsoft signing for production use
 Test-signing is suitable for local development only
@@ -1,4 +1,4 @@
-if(UNIX)
+if(UNIX)
  # Creates wrapper scripts and installs them in the user's binaries directory, which is usually "/usr/local/bin".
  # This is required because symlinks use the folder they are in as working directory.
  #
@@ -59,6 +59,12 @@ add_definitions(-D_REENTRANT -DREENTRANT -D_THREAD_SAFE -D_THREADSAFE -DTHREAD_S
 include_directories(.)
 if(WIN32)
  if(IS_CROSS_COMPILATION MATCHES "arm64-on-x64")
    set(CMAKE_SYSTEM_PROCESSOR "arm64")
  else()
    message("Setting QSPECTRE")
    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /Qspectre")
  endif()
  add_definitions(-DWIN32 -D_WINDOWS -DOS_WIN32 -D_CRT_SECURE_NO_WARNINGS)
  #
@@ -69,9 +75,6 @@ if(WIN32)
  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /guard:cf")
  set(CMAKE_EXE_LINKER_FLAGS  "${CMAKE_EXE_LINKER_FLAGS} /guard:cf /DYNAMICBASE")
  message("Setting QSPECTRE")
  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /Qspectre")
  message("Setting CETCOMPAT")
  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} /CETCOMPAT")
@@ -164,15 +167,45 @@ add_custom_target(hamcore-archive-build
  ALL
  DEPENDS "${BUILD_DIRECTORY}/hamcore.se2"
 )
 if(IS_CROSS_COMPILATION MATCHES "arm64-on-x64")
    file(TO_CMAKE_PATH "${TOP_DIRECTORY}" TOP_DIRECTORY_NORM)
    set(X64_HAMCORE_BUILDER
      "${TOP_DIRECTORY_NORM}/out/build/x64-native/src/hamcorebuilder/hamcorebuilder.exe"
    )
    if(EXISTS "${X64_HAMCORE_BUILDER}")
      message(STATUS "file exist (from TOP_DIRECTORY)")
    endif()
-add_custom_command(
+  # support cross compile, when you compile ARM64 version on X64 Platform
-  COMMENT "Building hamcore.se2 archive file..."
+  if(EXISTS "${X64_HAMCORE_BUILDER}")
-  COMMAND hamcorebuilder "hamcore.se2" "${TOP_DIRECTORY}/src/bin/hamcore"
+    message("X64_HAMCORE_BUILDER found: ${X64_HAMCORE_BUILDER}")
-  DEPENDS hamcorebuilder "${TOP_DIRECTORY}/src/bin/hamcore/"
+  elseif(EXISTS("${TOP_DIRECTORY}/out/build/x64-native/src/hamcorebuilder/hamcorebuilder.exe"))
-  OUTPUT "${BUILD_DIRECTORY}/hamcore.se2"
+    set(X64_HAMCORE_BUILDER "${TOP_DIRECTORY}/out/build/x64-native/src/hamcorebuilder/hamcorebuilder.exe")
-  WORKING_DIRECTORY "${BUILD_DIRECTORY}"
+  else()
-  VERBATIM
+	message("${TOP_DIRECTORY}/out/build/x64-native/src/hamcorebuilder/hamcorebuilder.exe")
-)
+    message(FATAL_ERROR "X64_HAMCORE_BUILDER not found: ${X64_HAMCORE_BUILDER}, pls build x64-native version first")
  endif()
  message(STATUS "X64_HAMCORE_BUILDER = ${X64_HAMCORE_BUILDER}")
  add_custom_command(
    COMMENT "Building hamcore.se2 archive file..."
    COMMAND ${X64_HAMCORE_BUILDER} "hamcore.se2" "${TOP_DIRECTORY}/src/bin/hamcore"
    DEPENDS ${X64_HAMCORE_BUILDER} "${TOP_DIRECTORY}/src/bin/hamcore/"
    OUTPUT "${BUILD_DIRECTORY}/hamcore.se2"
    WORKING_DIRECTORY "${BUILD_DIRECTORY}"
    VERBATIM
  )
 else()
  add_custom_command(
      COMMENT "Building hamcore.se2 archive file..."
      COMMAND hamcorebuilder "hamcore.se2" "${TOP_DIRECTORY}/src/bin/hamcore"
      DEPENDS hamcorebuilder "${TOP_DIRECTORY}/src/bin/hamcore/"
      OUTPUT "${BUILD_DIRECTORY}/hamcore.se2"
      WORKING_DIRECTORY "${BUILD_DIRECTORY}"
      VERBATIM
  )
 endif()
 if(WIN32)
  # PenCore
@@ -8739,7 +8739,7 @@ UINT StSetHubRadius(ADMIN *a, RPC_RADIUS *t)
 	}
 	//SetRadiusServer(h, t->RadiusServerName, t->RadiusPort, t->RadiusSecret);
-	SetRadiusServerEx(h, t->RadiusServerName, t->RadiusPort, t->RadiusSecret, t->RadiusRetryInterval);
+	SetRadiusServerEx2(h, t->RadiusServerName, t->RadiusPort, t->RadiusSecret, t->RadiusRetryInterval, t->RadiusRetryTimeout);
 	ALog(a, h, "LA_SET_HUB_RADIUS");
@@ -8778,8 +8778,8 @@ UINT StGetHubRadius(ADMIN *a, RPC_RADIUS *t)
 	Zero(t, sizeof(RPC_RADIUS));
 	//GetRadiusServer(h, t->RadiusServerName, sizeof(t->RadiusServerName),
 	//	&t->RadiusPort, t->RadiusSecret, sizeof(t->RadiusSecret));
-	GetRadiusServerEx(h, t->RadiusServerName, sizeof(t->RadiusServerName),
+	GetRadiusServerEx2(h, t->RadiusServerName, sizeof(t->RadiusServerName),
-		&t->RadiusPort, t->RadiusSecret, sizeof(t->RadiusSecret), &t->RadiusRetryInterval);
+		&t->RadiusPort, t->RadiusSecret, sizeof(t->RadiusSecret), &t->RadiusRetryInterval, &t->RadiusRetryTimeout);
 	ReleaseHub(h);
@@ -13031,6 +13031,7 @@ void InRpcRadius(RPC_RADIUS *t, PACK *p)
 	PackGetStr(p, "HubName", t->HubName, sizeof(t->HubName));
 	PackGetStr(p, "RadiusSecret", t->RadiusSecret, sizeof(t->RadiusSecret));
 	t->RadiusRetryInterval = PackGetInt(p, "RadiusRetryInterval");
 	t->RadiusRetryTimeout = PackGetInt(p, "RadiusRetryTimeout");
 }
 void OutRpcRadius(PACK *p, RPC_RADIUS *t)
 {
@@ -13045,6 +13046,7 @@ void OutRpcRadius(PACK *p, RPC_RADIUS *t)
 	PackAddStr(p, "HubName", t->HubName);
 	PackAddStr(p, "RadiusSecret", t->RadiusSecret);
 	PackAddInt(p, "RadiusRetryInterval", t->RadiusRetryInterval);
 	PackAddInt(p, "RadiusRetryTimeout", t->RadiusRetryTimeout);
 }
 // RPC_HUB
@@ -259,6 +259,7 @@ struct RPC_RADIUS
 	UINT RadiusPort;					// Radius port number
 	char RadiusSecret[MAX_PASSWORD_LEN + 1];	// Secret key
 	UINT RadiusRetryInterval;			// Radius retry interval
 	UINT RadiusRetryTimeout;			// Radius retry timeout
 };
 // Specify the HUB
@@ -12,6 +12,15 @@ else()
  add_library(cedar SHARED ${SOURCES_CEDAR} ${SOURCES_CEDAR_CPP} ${HEADERS_CEDAR})
 endif()
 if(MSVC)
  target_compile_options(cedar PRIVATE /EHsc)
 elseif(CMAKE_CXX_COMPILER_ID STREQUAL "Clang")
  if(CMAKE_CXX_COMPILER_FRONTEND_VARIANT STREQUAL "MSVC")
    target_compile_options(cedar PRIVATE /EHsc)
  else()
    target_compile_options(cedar PRIVATE -fexceptions)
  endif()
 endif()
 set_target_properties(cedar
  PROPERTIES
  ARCHIVE_OUTPUT_DIRECTORY "${BUILD_DIRECTORY}"
@@ -22,19 +31,22 @@ set_target_properties(cedar
 target_link_libraries(cedar PUBLIC mayaqua)
 cmake_host_system_information(RESULT HAS_SSE2 QUERY HAS_SSE2)
-
+if(CMAKE_SYSTEM_PROCESSOR MATCHES "arm64|aarch64|arm64v8|ARM64")
-set(BLAKE2_SRC_PATH $<IF:$<BOOL:${HAS_SSE2}>,${TOP_DIRECTORY}/3rdparty/BLAKE2/sse,${TOP_DIRECTORY}/3rdparty/BLAKE2/ref>)
+  message(STATUS "Target architecture is ARM64")
-set(BLAKE2_SRC $<IF:$<BOOL:${HAS_SSE2}>,${BLAKE2_SRC_PATH}/blake2s.c,${BLAKE2_SRC_PATH}/blake2s-ref.c>)
+  set(BLAKE2_SRC_PATH "${TOP_DIRECTORY}/3rdparty/BLAKE2/neon")
-
+  set(BLAKE2_SRC "${BLAKE2_SRC_PATH}/blake2s-neon.c")
 else()
  set(BLAKE2_SRC_PATH $<IF:$<BOOL:${HAS_SSE2}>,${TOP_DIRECTORY}/3rdparty/BLAKE2/sse,${TOP_DIRECTORY}/3rdparty/BLAKE2/ref>)
  set(BLAKE2_SRC $<IF:$<BOOL:${HAS_SSE2}>,${BLAKE2_SRC_PATH}/blake2s.c,${BLAKE2_SRC_PATH}/blake2s-ref.c>)
  if(HAS_SSE2)
    # If SSE2 is enabled, a build failure occurs with MSVC because it doesn't define "__SSE2__".
    # The fix consists in defining "HAVE_SSE2" manually, effectively overriding the check.
    set_property(SOURCE ${BLAKE2_SRC} PROPERTY COMPILE_DEFINITIONS "HAVE_SSE2")
  endif()
 endif()
 target_include_directories(cedar PUBLIC ${BLAKE2_SRC_PATH})
 target_sources(cedar PRIVATE ${BLAKE2_SRC})
 if(HAS_SSE2)
  # If SSE2 is enabled, a build failure occurs with MSVC because it doesn't define "__SSE2__".
  # The fix consists in defining "HAVE_SSE2" manually, effectively overriding the check.
  set_property(SOURCE ${BLAKE2_SRC} PROPERTY COMPILE_DEFINITIONS "HAVE_SSE2")
 endif()
 if(VCPKG_TARGET_TRIPLET)
  find_package(unofficial-sodium CONFIG REQUIRED)
  target_link_libraries(cedar PUBLIC unofficial-sodium::sodium)
@@ -99,6 +99,8 @@ void CheckNetworkAcceptThread(THREAD *thread, void *param)
 	Disconnect(s);
 	ReleaseSock(s);
 	Free(c);
 }
@@ -155,15 +157,15 @@ void CheckNetworkListenThread(THREAD *thread, void *param)
 		}
 		else
 		{
-			CHECK_NETWORK_2 c;
+			CHECK_NETWORK_2 *c;
 			THREAD *t;
-			Zero(&c, sizeof(c));
+			c = ZeroMalloc(sizeof(CHECK_NETWORK_2));
-			c.s = new_sock;
+			c->s = new_sock;
-			c.k = pri;
+			c->k = pri;
-			c.x = x;
+			c->x = x;
-			t = NewThread(CheckNetworkAcceptThread, &c);
+			t = NewThread(CheckNetworkAcceptThread, c);
 			Insert(o, t);
 		}
 	}
@@ -11789,6 +11791,9 @@ UINT PsRadiusServerSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
 		{"[server_name:port]", CmdPrompt, _UU("CMD_RadiusServerSet_Prompt_Host"), CmdEvalNotEmpty, NULL},
 		{"SECRET", CmdPromptChoosePassword, _UU("CMD_RadiusServerSet_Prompt_Secret"), NULL, NULL},
 		{"RETRY_INTERVAL", CmdPrompt, _UU("CMD_RadiusServerSet_Prompt_RetryInterval"), CmdEvalMinMax, &minmax},
 		// Support for setting timeout through commandline not added
 		// {"RETRY_TIMEOUT", CmdPrompt, _UU("CMD_RadiusServerSet_Prompt_RetryTimeout"), CmdEvalMinMax, &minmax},
 	};
 	// If virtual HUB is not selected, it's an error
@@ -11813,6 +11818,7 @@ UINT PsRadiusServerSet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
 		StrCpy(t.RadiusServerName, sizeof(t.RadiusServerName), host);
 		StrCpy(t.RadiusSecret, sizeof(t.RadiusSecret), GetParamStr(o, "SECRET"));
 		t.RadiusRetryInterval = GetParamInt(o, "RETRY_INTERVAL");
 		// t.RadiusRetryTimeout = GetParamInt(o, "RETRY_TIMEOUT");
 		Free(host);
@@ -11936,6 +11942,9 @@ UINT PsRadiusServerGet(CONSOLE *c, char *cmd_name, wchar_t *str, void *param)
 			UniToStri(tmp, t.RadiusRetryInterval);
 			CtInsert(ct, _UU("CMD_RadiusServerGet_RetryInterval"), tmp);
 			UniToStri(tmp, t.RadiusRetryTimeout);
 			CtInsert(ct, _UU("CMD_RadiusServerGet_RetryTimeout"), tmp);
 		}
 		CtFree(ct, c);
@@ -1938,6 +1938,7 @@ bool PasswordPrompt(char *password, UINT size)
 		c = _getch();
 #else	// OS_WIN32
 		c = getc(stdin);
 PROCESS_CH:
 #endif	// OS_WIN32
 		if (c >= 0x20 && c <= 0x7E)
@@ -1952,6 +1953,7 @@ bool PasswordPrompt(char *password, UINT size)
 		else if (c == 0x03)
 		{
 			// Break
 			RestoreConsole(console);
 			exit(0);
 		}
 		else if (c == 0x04 || c == 0x1a || c == 0x0D || c==0x0A)
@@ -1977,7 +1979,47 @@ bool PasswordPrompt(char *password, UINT size)
 				goto BACKSPACE;
 			}
 		}
-		else if (c == 0x08)
+#ifdef OS_UNIX	// OS_UNIX
 		else if (c == 0x1B)
 		{
 			c = getc(stdin);
 			if (c != 0x5B && c != 0x4F)
 			{
 				// ESC key
 				goto PROCESS_CH;
 			}
 			c = getc(stdin);
 			if (c == 0x44)
 			{
 				// Left arrow key
 				goto BACKSPACE;
 			}
 			else if (c == 0x33)
 			{
 				c = getc(stdin);
 				if (c == 0x7E)
 				{
 					// Delete key
 					goto BACKSPACE;
 				}
 			}
 			// Drain remaining sequence bytes (most are <= 6)
 			for (int i = 0; i < 6; i++)
 			{
 				if (c >= 0x40 && c <= 0x7E)
 				{
 					// End of sequence
 					break;
 				}
 				c = getc(stdin);
 			}
 			continue;
 		}
 #endif	// OS_UNIX
 		else if (c == 0x08 || c == 0x7F)
 		{
 BACKSPACE:
 			// Backspace
@@ -99,6 +99,7 @@ EAP_CLIENT *HubNewEapClient(CEDAR *cedar, char *hubname, char *client_ip_str, ch
 	char radius_servers[MAX_PATH] = {0};
 	UINT radius_port = 0;
 	UINT radius_retry_interval = 0;
 	UINT radius_retry_timeout = 0;
 	char radius_secret[MAX_PATH] = {0};
 	char radius_suffix_filter[MAX_PATH] = {0};
 	if (cedar == NULL || hubname == NULL || client_ip_str == NULL || username == NULL)
@@ -115,8 +116,8 @@ EAP_CLIENT *HubNewEapClient(CEDAR *cedar, char *hubname, char *client_ip_str, ch
 	if (hub != NULL)
 	{
-		if (GetRadiusServerEx2(hub, radius_servers, sizeof(radius_servers), &radius_port, radius_secret,
+		if (GetRadiusServerEx3(hub, radius_servers, sizeof(radius_servers), &radius_port, radius_secret,
-			sizeof(radius_secret), &radius_retry_interval, radius_suffix_filter, sizeof(radius_suffix_filter)))
+			sizeof(radius_secret), &radius_retry_interval, &radius_retry_timeout, radius_suffix_filter, sizeof(radius_suffix_filter)))
 		{
 			bool use_peap = hub->RadiusUsePeapInsteadOfEap;
@@ -630,6 +631,7 @@ void DataToHubOptionStruct(HUB_OPTION *o, RPC_ADMIN_OPTION *ao)
 	GetHubAdminOptionDataAndSet(ao, "UseHubNameAsDhcpUserClassOption", o->UseHubNameAsDhcpUserClassOption);
 	GetHubAdminOptionDataAndSet(ao, "UseHubNameAsRadiusNasId", o->UseHubNameAsRadiusNasId);
 	GetHubAdminOptionDataAndSet(ao, "AllowEapMatchUserByCert", o->AllowEapMatchUserByCert);
 	GetHubAdminOptionDataAndSet(ao, "DhcpDiscoverTimeoutMs", o->DhcpDiscoverTimeoutMs);
 }
 // Convert the contents of the HUB_OPTION to data
@@ -705,6 +707,7 @@ void HubOptionStructToData(RPC_ADMIN_OPTION *ao, HUB_OPTION *o, char *hub_name)
 	Add(aol, NewAdminOption("UseHubNameAsDhcpUserClassOption", o->UseHubNameAsDhcpUserClassOption));
 	Add(aol, NewAdminOption("UseHubNameAsRadiusNasId", o->UseHubNameAsRadiusNasId));
 	Add(aol, NewAdminOption("AllowEapMatchUserByCert", o->AllowEapMatchUserByCert));
 	Add(aol, NewAdminOption("DhcpDiscoverTimeoutMs", o->DhcpDiscoverTimeoutMs));
 	Zero(ao, sizeof(RPC_ADMIN_OPTION));
@@ -6413,17 +6416,23 @@ void ReleaseHub(HUB *h)
 bool GetRadiusServer(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size)
 {
 	UINT interval;
 	return GetRadiusServerEx(hub, name, size, port, secret, secret_size, &interval);
 }
-bool GetRadiusServerEx(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval)
+bool GetRadiusServerEx(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval) {
-{
+	UINT timeout;
-	return GetRadiusServerEx2(hub, name, size, port, secret, secret_size, interval, NULL, 0);
+
 	return GetRadiusServerEx2(hub, name, size, port, secret, secret_size, interval, &timeout);
 }
-bool GetRadiusServerEx2(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, char *suffix_filter, UINT suffix_filter_size)
+bool GetRadiusServerEx2(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, UINT *timeout)
 {
 	return GetRadiusServerEx3(hub, name, size, port, secret, secret_size, interval, timeout, NULL, 0);
 }
 bool GetRadiusServerEx3(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, UINT *timeout, char *suffix_filter, UINT suffix_filter_size)
 {
 	bool ret = false;
 	// Validate arguments
-	if (hub == NULL || name == NULL || port == NULL || secret == NULL || interval == NULL)
+	if (hub == NULL || name == NULL || port == NULL || secret == NULL || interval == NULL || timeout == NULL)
 	{
 		return false;
 	}
@@ -6437,6 +6446,7 @@ bool GetRadiusServerEx2(HUB *hub, char *name, UINT size, UINT *port, char *secre
 			StrCpy(name, size, hub->RadiusServerName);
 			*port = hub->RadiusServerPort;
 			*interval = hub->RadiusRetryInterval;
 			*timeout = hub->RadiusRetryTimeout;
 			tmp_size = hub->RadiusSecret->Size + 1;
 			tmp = ZeroMalloc(tmp_size);
@@ -6463,6 +6473,10 @@ void SetRadiusServer(HUB *hub, char *name, UINT port, char *secret)
 	SetRadiusServerEx(hub, name, port, secret, RADIUS_RETRY_INTERVAL);
 }
 void SetRadiusServerEx(HUB *hub, char *name, UINT port, char *secret, UINT interval)
 {
 	SetRadiusServerEx2(hub, name, port, secret, interval, RADIUS_RETRY_TIMEOUT);
 }
 void SetRadiusServerEx2(HUB *hub, char *name, UINT port, char *secret, UINT interval, UINT timeout)
 {
 	// Validate arguments
 	if (hub == NULL)
@@ -6482,19 +6496,28 @@ void SetRadiusServerEx(HUB *hub, char *name, UINT port, char *secret, UINT inter
 			hub->RadiusServerName = NULL;
 			hub->RadiusServerPort = 0;
 			hub->RadiusRetryInterval = RADIUS_RETRY_INTERVAL;
 			hub->RadiusRetryTimeout = RADIUS_RETRY_TIMEOUT;
 			FreeBuf(hub->RadiusSecret);
 		}
 		else
 		{
 			hub->RadiusServerName = CopyStr(name);
 			hub->RadiusServerPort = port;
 			if (timeout == 0) {
 				timeout = RADIUS_RETRY_TIMEOUT;
 			}
 			hub->RadiusRetryTimeout = timeout;
 			if (interval == 0)
 			{
-				hub->RadiusRetryInterval = RADIUS_RETRY_INTERVAL;
+				hub->RadiusRetryInterval = RADIUS_RETRY_INTERVAL; ///What happens here is that RADIUS_RETRY_TIMEOUT is not configurable, and RADIUS_RETRY_INTERVAL is set to the timeout if it's larger.
 			}
-			else if (interval > RADIUS_RETRY_TIMEOUT)
+			
 			if (interval > timeout)
 			{
-				hub->RadiusRetryInterval = RADIUS_RETRY_TIMEOUT;
+				hub->RadiusRetryInterval = timeout;
 			}
 			else
 			{
@@ -30,6 +30,9 @@
 // Default flooding queue length
 #define	DEFAULT_FLOODING_QUEUE_LENGTH				(32 * 1024 * 1024)
 // Default DHCP Discover Timeout
 #define	DEFAULT_DHCP_DISCOVER_TIMEOUT				(5 * 1000)
 // SoftEther link control packet
 struct SE_LINK
 {
@@ -183,6 +186,7 @@ struct HUB_OPTION
 	bool UseHubNameAsDhcpUserClassOption;	// Add HubName to DHCP request as User-Class option
 	bool UseHubNameAsRadiusNasId;		// Add HubName to Radius request as NAS-Identifier attrioption
 	bool AllowEapMatchUserByCert;		// Allow matching EAP Identity with user certificate CNs
 	UINT DhcpDiscoverTimeoutMs;			// Timeout to wait for DHCP server response on DISCOVER request
 };
 // MAC table entry
@@ -337,6 +341,7 @@ struct HUB
 	char *RadiusServerName;				// Radius server name
 	UINT RadiusServerPort;				// Radius server port number
 	UINT RadiusRetryInterval;			// Radius retry interval
 	UINT RadiusRetryTimeout;			// Radius timeout, it will no longer retry
 	BUF *RadiusSecret;					// Radius shared key
 	char RadiusSuffixFilter[MAX_SIZE];	// Radius suffix filter
 	char RadiusRealm[MAX_SIZE];			// Radius realm (optional)
@@ -478,9 +483,11 @@ void GetAccessListStr(char *str, UINT size, ACCESS *a);
 void DeleteOldIpTableEntry(LIST *o);
 void SetRadiusServer(HUB *hub, char *name, UINT port, char *secret);
 void SetRadiusServerEx(HUB *hub, char *name, UINT port, char *secret, UINT interval);
 void SetRadiusServerEx2(HUB *hub, char *name, UINT port, char *secret, UINT interval, UINT timeout);
 bool GetRadiusServer(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size);
 bool GetRadiusServerEx(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval);
-bool GetRadiusServerEx2(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, char *suffix_filter, UINT suffix_filter_size);
+bool GetRadiusServerEx2(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, UINT *timeout);
 bool GetRadiusServerEx3(HUB *hub, char *name, UINT size, UINT *port, char *secret, UINT secret_size, UINT *interval, UINT *timeout, char *suffix_filter, UINT suffix_filter_size);
 int CompareCert(void *p1, void *p2);
 void GetHubLogSetting(HUB *h, HUB_LOG *setting);
 void SetHubLogSetting(HUB *h, HUB_LOG *setting);
@@ -493,12 +493,14 @@ IPC *NewIPC(CEDAR *cedar, char *client_name, char *postfix, char *hubname, char
 	{
 		UINTToIP(&ipc->DefaultGateway, hub->Option->DefaultGateway);
 		UINTToIP(&ipc->SubnetMask, hub->Option->DefaultSubnet);
 		ipc->DhcpDiscoverTimeoutMs = hub->Option->DhcpDiscoverTimeoutMs;
 		GetBroadcastAddress4(&ipc->BroadcastAddress, &ipc->DefaultGateway, &ipc->SubnetMask);
 	}
 	else
 	{
 		ZeroIP4(&ipc->DefaultGateway);
 		ZeroIP4(&ipc->SubnetMask);
 		ipc->DhcpDiscoverTimeoutMs = DEFAULT_DHCP_DISCOVER_TIMEOUT;
 		ZeroIP4(&ipc->BroadcastAddress);
 	}
@@ -565,6 +567,9 @@ IPC *NewIPCBySock(CEDAR *cedar, SOCK *s, void *mac_address)
 	ipc->Sock = s;
 	AddRef(s->ref);
 	// Initialize to pass the validity check on the source IP address performed by IPCSendIPv4()
 	ZeroIP4(&ipc->ClientIPAddress);
 	Copy(ipc->MacAddress, mac_address, 6);
 	ipc->Interrupt = NewInterruptManager();
@@ -793,7 +798,8 @@ bool IPCDhcpAllocateIP(IPC *ipc, DHCP_OPTION_LIST *opt, TUBE *discon_poll_tube)
 	StrCpy(req.Hostname, sizeof(req.Hostname), ipc->ClientHostname);
 	IPCDhcpSetConditionalUserClass(ipc, &req);
-	d = IPCSendDhcpRequest(ipc, NULL, tran_id, &req, DHCP_OFFER, IPC_DHCP_TIMEOUT, discon_poll_tube);
+	UINT discoverTimeout = ipc->DhcpDiscoverTimeoutMs > 0 ? ipc->DhcpDiscoverTimeoutMs : DEFAULT_DHCP_DISCOVER_TIMEOUT;
 	d = IPCSendDhcpRequest(ipc, NULL, tran_id, &req, DHCP_OFFER, discoverTimeout, discon_poll_tube);
 	if (d == NULL)
 	{
 		return false;
@@ -896,7 +902,7 @@ DHCPV4_DATA *IPCSendDhcpRequest(IPC *ipc, IP *dest_ip, UINT tran_id, DHCP_OPTION
 	}
 	// Retransmission interval
-	resend_interval = MAX(1, (timeout / 3) - 100);
+	resend_interval = MIN(IPC_DHCP_MAX_RESEND_INTERVAL, MAX(1, (timeout / 3) - 100));
 	// Time-out time
 	giveup_time = Tick64() + (UINT64)timeout;
@@ -19,6 +19,7 @@
 #define	IPC_DHCP_TIMEOUT				(5 * 1000)
 #define	IPC_DHCP_MIN_LEASE				5
 #define	IPC_DHCP_DEFAULT_LEASE			3600
 #define	IPC_DHCP_MAX_RESEND_INTERVAL	(3 * 1000)
 #define	IPC_MAX_PACKET_QUEUE_LEN		10000
@@ -149,6 +150,7 @@ struct IPC
 	SHARED_BUFFER *IpcSessionSharedBuffer;	// A shared buffer between IPC and Session
 	IPC_SESSION_SHARED_BUFFER_DATA *IpcSessionShared;	// Shared data between IPC and Session
 	UINT Layer;
 	UINT DhcpDiscoverTimeoutMs;			// Timeut to wait for DHCP server response on DISCOVER request
 	// IPv6 stuff
 	QUEUE *IPv6ReceivedQueue;			// IPv6 reception queue
@@ -457,10 +457,10 @@ void L3KnownArp(L3IF *f, UINT ip, UCHAR *mac)
 	// Delete an ARP query entry to this IP address
 	Zero(&t, sizeof(t));
 	t.IpAddress = ip;
-	w = Search(f->IpWaitList, &t);
+	w = Search(f->ArpWaitTable, &t);
 	if (w != NULL)
 	{
-		Delete(f->IpWaitList, w);
+		Delete(f->ArpWaitTable, w);
 		Free(w);
 	}
@@ -11,6 +11,7 @@
 #include "Connection.h"
 #include "Logging.h"
 #include "Proto_EtherIP.h"
 #include "Proto_IKEv2.h"
 #include "Proto_IPsec.h"
 #include "Proto_L2TP.h"
 #include "Server.h"
@@ -35,40 +36,57 @@ void ProcIKEPacketRecv(IKE_SERVER *ike, UDPPACKET *p)
 	if (p->Type == IKE_UDP_TYPE_ISAKMP)
 	{
-		// ISAKMP (IKE) packet
+		IKE_HEADER *raw_hdr;
 		IKE_PACKET *header;
-		header = ParseIKEPacketHeader(p);
+		// Check packet is large enough for the IKE header
-		if (header == NULL)
+		if (p->Size < sizeof(IKE_HEADER))
 		{
 			return;
 		}
-		//Debug("InitiatorCookie: %I64u, ResponderCookie: %I64u\n", header->InitiatorCookie, header->ResponderCookie);
+		raw_hdr = (IKE_HEADER *)p->Data;
-		switch (header->ExchangeType)
+		// Dispatch IKEv2 packets by version field
 		if (raw_hdr->Version == IKEv2_VERSION)
 		{
-		case IKE_EXCHANGE_TYPE_MAIN:	// Main mode
+			ProcIKEv2PacketRecv(ike, p);
-			ProcIkeMainModePacketRecv(ike, p, header);
+			return;
 			break;
 		case IKE_EXCHANGE_TYPE_AGGRESSIVE:	// Aggressive mode
 			if (ike->Cedar->Server->DisableIPsecAggressiveMode == false)
 			{
 				ProcIkeAggressiveModePacketRecv(ike, p, header);
 			}
 			break;
 		case IKE_EXCHANGE_TYPE_QUICK:	// Quick mode
 			ProcIkeQuickModePacketRecv(ike, p, header);
 			break;
 		case IKE_EXCHANGE_TYPE_INFORMATION:	// Information exchange
 			ProcIkeInformationalExchangePacketRecv(ike, p, header);
 			break;
 		}
-		IkeFree(header);
+		// IKEv1 / ISAKMP packet
 		{
 			IKE_PACKET *header;
 			header = ParseIKEPacketHeader(p);
 			if (header == NULL)
 			{
 				return;
 			}
 			switch (header->ExchangeType)
 			{
 			case IKE_EXCHANGE_TYPE_MAIN:	// Main mode
 				ProcIkeMainModePacketRecv(ike, p, header);
 				break;
 			case IKE_EXCHANGE_TYPE_AGGRESSIVE:	// Aggressive mode
 				if (ike->Cedar->Server->DisableIPsecAggressiveMode == false)
 				{
 					ProcIkeAggressiveModePacketRecv(ike, p, header);
 				}
 				break;
 			case IKE_EXCHANGE_TYPE_QUICK:	// Quick mode
 				ProcIkeQuickModePacketRecv(ike, p, header);
 				break;
 			case IKE_EXCHANGE_TYPE_INFORMATION:	// Information exchange
 				ProcIkeInformationalExchangePacketRecv(ike, p, header);
 				break;
 			}
 			IkeFree(header);
 		}
 	}
 	else if (p->Type == IKE_UDP_TYPE_ESP)
 	{
@@ -5645,6 +5663,9 @@ void ProcessIKEInterrupts(IKE_SERVER *ike)
 	}
 	while (ike->StateHasChanged);
 	// IKEv2 interrupt processing
 	ProcessIKEv2Interrupts(ike);
 	// Maintenance of the thread list
 	MaintainThreadList(ike->ThreadList);
 	/*Debug("ike->ThreadList: %u\n", LIST_NUM(ike->ThreadList));
@@ -5823,6 +5844,17 @@ void FreeIKEServer(IKE_SERVER *ike)
 	ReleaseList(ike->ClientList);
 	// Free IKEv2 SAs
 	{
 		UINT j;
 		for (j = 0; j < LIST_NUM(ike->IKEv2SaList); j++)
 		{
 			IKEv2_SA *sa2 = LIST_DATA(ike->IKEv2SaList, j);
 			IKEv2FreeSA(ike, sa2);
 		}
 	}
 	ReleaseList(ike->IKEv2SaList);
 	ReleaseSockEvent(ike->SockEvent);
 	IPsecLog(ike, NULL, NULL, NULL, "LI_STOP");
@@ -5869,6 +5901,8 @@ IKE_SERVER *NewIKEServer(CEDAR *cedar, IPSEC_SERVER *ipsec)
 	ike->ThreadList = NewThreadList();
 	ike->IKEv2SaList = NewList(CmpIKEv2SA);
 	IPsecLog(ike, NULL, NULL, NULL, "LI_START");
 	return ike;
@@ -268,6 +268,10 @@ struct IKE_SERVER
 	// Setting data
 	char Secret[MAX_SIZE];						// Pre-shared key
 	// IKEv2 state
 	LIST *IKEv2SaList;							// IKEv2 SA list
 	UINT CurrentIKEv2SaId;						// IKEv2 SA ID counter
 };
@@ -0,0 +1,292 @@
 // SoftEther VPN Source Code - Developer Edition Master Branch
 // Cedar Communication Module
 // Proto_IKEv2.h
 // Header for IKEv2 (RFC 7296) implementation
 #ifndef PROTO_IKEV2_H
 #define PROTO_IKEV2_H
 #include "Proto_IKE.h"
 #include "Proto_IkePacket.h"
 //// IKEv2 Header Flags (RFC 7296 Section 3.1)
 #define IKEv2_FLAG_RESPONSE       0x20
 #define IKEv2_FLAG_VERSION        0x10
 #define IKEv2_FLAG_INITIATOR      0x08
 //// IKEv2 Payload Types (RFC 7296 Section 3.3)
 #define IKEv2_PAYLOAD_NONE        0
 #define IKEv2_PAYLOAD_SA          33
 #define IKEv2_PAYLOAD_KE          34
 #define IKEv2_PAYLOAD_IDi         35
 #define IKEv2_PAYLOAD_IDr         36
 #define IKEv2_PAYLOAD_CERT        37
 #define IKEv2_PAYLOAD_CERTREQ     38
 #define IKEv2_PAYLOAD_AUTH        39
 #define IKEv2_PAYLOAD_NONCE       40
 #define IKEv2_PAYLOAD_NOTIFY      41
 #define IKEv2_PAYLOAD_DELETE      42
 #define IKEv2_PAYLOAD_VENDOR      43
 #define IKEv2_PAYLOAD_TSi         44
 #define IKEv2_PAYLOAD_TSr         45
 #define IKEv2_PAYLOAD_SK          46
 #define IKEv2_PAYLOAD_CP          47
 #define IKEv2_PAYLOAD_EAP         48
 //// IKEv2 Transform Types
 #define IKEv2_TF_ENCR             1
 #define IKEv2_TF_PRF              2
 #define IKEv2_TF_INTEG            3
 #define IKEv2_TF_DH               4
 #define IKEv2_TF_ESN              5
 //// IKEv2 Encryption Algorithm IDs
 #define IKEv2_ENCR_3DES           3
 #define IKEv2_ENCR_AES_CBC        12
 //// IKEv2 PRF Algorithm IDs
 #define IKEv2_PRF_HMAC_MD5        1
 #define IKEv2_PRF_HMAC_SHA1       2
 #define IKEv2_PRF_HMAC_SHA2_256   5
 #define IKEv2_PRF_HMAC_SHA2_384   6
 #define IKEv2_PRF_HMAC_SHA2_512   7
 //// IKEv2 Integrity Algorithm IDs
 #define IKEv2_INTEG_HMAC_MD5_96        1   // key=16,  icv=12
 #define IKEv2_INTEG_HMAC_SHA1_96       2   // key=20,  icv=12
 #define IKEv2_INTEG_HMAC_SHA2_256_128  12  // key=32,  icv=16
 #define IKEv2_INTEG_HMAC_SHA2_384_192  13  // key=48,  icv=24
 #define IKEv2_INTEG_HMAC_SHA2_512_256  14  // key=64,  icv=32
 //// IKEv2 DH Groups (same wire values as IKEv1)
 #define IKEv2_DH_1024_MODP        2
 #define IKEv2_DH_1536_MODP        5
 #define IKEv2_DH_2048_MODP        14
 #define IKEv2_DH_3072_MODP        15
 #define IKEv2_DH_4096_MODP        16
 //// IKEv2 ESN Values
 #define IKEv2_ESN_NO_ESN          0
 #define IKEv2_ESN_YES             1
 //// IKEv2 Notify Message Types (error types < 16384)
 #define IKEv2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD  1
 #define IKEv2_NOTIFY_INVALID_IKE_SPI               4
 #define IKEv2_NOTIFY_INVALID_MAJOR_VERSION         5
 #define IKEv2_NOTIFY_INVALID_SYNTAX                7
 #define IKEv2_NOTIFY_INVALID_MESSAGE_ID            9
 #define IKEv2_NOTIFY_INVALID_SPI                   11
 #define IKEv2_NOTIFY_NO_PROPOSAL_CHOSEN            14
 #define IKEv2_NOTIFY_INVALID_KE_PAYLOAD            17
 #define IKEv2_NOTIFY_AUTHENTICATION_FAILED         24
 #define IKEv2_NOTIFY_TS_UNACCEPTABLE               38
 //// IKEv2 Notify status types (>= 16384)
 #define IKEv2_NOTIFY_NAT_DETECTION_SOURCE_IP       16388
 #define IKEv2_NOTIFY_NAT_DETECTION_DESTINATION_IP  16389
 #define IKEv2_NOTIFY_USE_TRANSPORT_MODE            16391
 #define IKEv2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED 16394
 //// IKEv2 ID Types
 #define IKEv2_ID_IPV4_ADDR        1
 #define IKEv2_ID_FQDN             2
 #define IKEv2_ID_RFC822_ADDR      3
 #define IKEv2_ID_IPV6_ADDR        5
 #define IKEv2_ID_KEY_ID           11
 //// IKEv2 Authentication Methods
 #define IKEv2_AUTH_RSA_SIGN       1
 #define IKEv2_AUTH_PSK            2
 //// IKEv2 Traffic Selector Types
 #define IKEv2_TS_IPV4_ADDR_RANGE  7
 #define IKEv2_TS_IPV6_ADDR_RANGE  8
 //// IKEv2 Protocol IDs
 #define IKEv2_PROTO_IKE           1
 #define IKEv2_PROTO_AH            2
 #define IKEv2_PROTO_ESP           3
 //// SA states
 #define IKEv2_SA_STATE_HALF_OPEN  0
 #define IKEv2_SA_STATE_ESTABLISHED 1
 //// Sizes and limits
 #define IKEv2_MAX_KEYMAT_SIZE     128
 #define IKEv2_NONCE_SIZE          32
 #define IKEv2_NONCE_MIN_SIZE      16
 #define IKEv2_NONCE_MAX_SIZE      256
 #define IKEv2_PSK_PAD             "Key Pad for IKEv2"
 #define IKEv2_PSK_PAD_LEN         17
 //// Timeouts
 #define IKEv2_SA_TIMEOUT_HALF_OPEN    30000
 #define IKEv2_SA_TIMEOUT_ESTABLISHED  (86400ULL * 1000)
 #define IKEv2_SA_RESEND_INTERVAL      2000
 #define IKEv2_CHILD_SA_LIFETIME_SECS  3600
 //// Structures
 // Negotiated IKE SA transform parameters
 struct IKEv2_IKETF
 {
    UINT EncrAlg;        // Encryption algorithm
    UINT EncrKeyLen;     // Encryption key length (bytes)
    UINT PrfAlg;         // PRF algorithm
    UINT IntegAlg;       // Integrity algorithm
    UINT DhGroup;        // DH group number
    UINT BlockSize;      // Cipher block size (bytes)
    UINT PrfKeyLen;      // PRF key length (bytes)
    UINT PrfOutLen;      // PRF output length (bytes)
    UINT IntegKeyLen;    // Integrity key length (bytes)
    UINT IntegIcvLen;    // Integrity ICV length (bytes)
 };
 typedef struct IKEv2_IKETF IKEv2_IKETF;
 // Negotiated Child SA transform parameters
 struct IKEv2_CHILDTF
 {
    UINT EncrAlg;        // Encryption algorithm
    UINT EncrKeyLen;     // Encryption key length (bytes)
    UINT IntegAlg;       // Integrity algorithm
    UINT IntegKeyLen;    // Integrity key length (bytes)
    UINT IntegIcvLen;    // Integrity ICV length (bytes)
    UINT DhGroup;        // DH group (0 if none)
    bool UseTransport;   // True = transport mode
    UINT BlockSize;      // Cipher block size
 };
 typedef struct IKEv2_CHILDTF IKEv2_CHILDTF;
 // IKEv2 SA (one per IKEv2 connection attempt)
 struct IKEv2_SA
 {
    UINT         Id;
    UINT64       InitiatorSPI;
    UINT64       ResponderSPI;
    IP           ClientIP;
    UINT         ClientPort;
    IP           ServerIP;
    UINT         ServerPort;
    bool         IsNatT;
    UINT         State;
    bool         Deleting;
    UINT64       FirstCommTick;
    UINT64       LastCommTick;
    IKEv2_IKETF  Transform;
    // Nonces
    BUF         *Ni;
    BUF         *Nr;
    // DH
    DH_CTX      *Dh;
    BUF         *GxI;     // initiator KE value
    BUF         *GxR;     // responder KE value (our public key)
    // Derived IKE SA keys  (max 64 bytes each)
    UCHAR        SK_d [IKEv2_MAX_KEYMAT_SIZE];
    UCHAR        SK_ai[IKEv2_MAX_KEYMAT_SIZE];
    UCHAR        SK_ar[IKEv2_MAX_KEYMAT_SIZE];
    UCHAR        SK_ei[IKEv2_MAX_KEYMAT_SIZE];
    UCHAR        SK_er[IKEv2_MAX_KEYMAT_SIZE];
    UCHAR        SK_pi[IKEv2_MAX_KEYMAT_SIZE];
    UCHAR        SK_pr[IKEv2_MAX_KEYMAT_SIZE];
    // Crypto key objects for SK payload
    IKE_CRYPTO_KEY *EncKeyI;   // key for SK_ei (decrypt received)
    IKE_CRYPTO_KEY *EncKeyR;   // key for SK_er (encrypt sent)
    // Original IKE_SA_INIT messages for AUTH
    BUF         *InitMsg;   // IKE_SA_INIT request (from initiator)
    BUF         *RespMsg;   // IKE_SA_INIT response (from us)
    // Initiator identity from IKE_AUTH
    UCHAR        IDi_Type;
    BUF         *IDi_Data;
    // Responder identity (from initiator's optional IDr payload, echoed back)
    UCHAR        IDr_Type;
    BUF         *IDr_Data;
    // Message ID tracking
    UINT         NextExpectedMsgId;
    // Retransmission: cache last response
    BUF         *LastResponse;
    UINT         LastRespMsgId;
    UINT64       LastRespTick;
    UINT         NumResends;
    // Pointer to IKEv1 IKE_CLIENT created after AUTH
    IKE_CLIENT  *IkeClient;
 };
 typedef struct IKEv2_SA IKEv2_SA;
 //// Function prototypes
 void  ProcIKEv2PacketRecv(IKE_SERVER *ike, UDPPACKET *p);
 void  ProcessIKEv2Interrupts(IKE_SERVER *ike);
 IKEv2_SA *IKEv2NewSA(IKE_SERVER *ike);
 void  IKEv2FreeSA(IKE_SERVER *ike, IKEv2_SA *sa);
 void  IKEv2MarkDeleting(IKE_SERVER *ike, IKEv2_SA *sa);
 void  IKEv2PurgeDeleting(IKE_SERVER *ike);
 IKEv2_SA *IKEv2FindByInitSPI(IKE_SERVER *ike, UINT64 init_spi, IP *client_ip, UINT client_port);
 IKEv2_SA *IKEv2FindBySPIPair(IKE_SERVER *ike, UINT64 init_spi, UINT64 resp_spi);
 int   CmpIKEv2SA(void *p1, void *p2);
 void  IKEv2ProcSAInit(IKE_SERVER *ike, UDPPACKET *p, IKE_HEADER *hdr);
 void  IKEv2ProcAuth(IKE_SERVER *ike, UDPPACKET *p, IKE_HEADER *hdr, IKEv2_SA *sa,
                    void *payload_data, UINT payload_size, UCHAR first_payload);
 void  IKEv2ProcInformational(IKE_SERVER *ike, UDPPACKET *p, IKE_HEADER *hdr, IKEv2_SA *sa,
                              void *payload_data, UINT payload_size);
 bool  IKEv2DeriveKeys(IKE_SERVER *ike, IKEv2_SA *sa);
 void  IKEv2PRF(UINT prf_alg, void *key, UINT key_len,
               void *data, UINT data_len, void *out);
 void  IKEv2PRFPlus(UINT prf_alg, void *key, UINT key_len,
                   void *seed, UINT seed_len, void *out, UINT out_len);
 bool  IKEv2VerifyAuth(IKE_SERVER *ike, IKEv2_SA *sa,
                      UCHAR auth_method, void *auth_data, UINT auth_len);
 void  IKEv2ComputeOurAuth(IKE_SERVER *ike, IKEv2_SA *sa, void *out, UINT *out_len);
 bool  IKEv2CreateChildSAForClient(IKE_SERVER *ike, IKEv2_SA *sa,
                                   IKEv2_CHILDTF *ctf, UINT spi_i, UINT spi_r,
                                   BUF *ni, BUF *nr);
 bool  IKEv2ParseSAProposalIKE(void *data, UINT size, IKEv2_IKETF *out);
 bool  IKEv2ParseSAProposalChild(void *data, UINT size, IKEv2_CHILDTF *out, UINT *out_spi_i);
 UINT  IKEv2BuildSAProposalIKE(IKEv2_SA *sa, void *buf, UINT buf_size);
 UINT  IKEv2BuildSAProposalChild(IKEv2_CHILDTF *ctf, UINT spi_r, void *buf, UINT buf_size);
 void  IKEv2SendResponse(IKE_SERVER *ike, IKEv2_SA *sa, IKE_HEADER *req_hdr,
                        UCHAR exchange_type, void *payloads, UINT payloads_size,
                        bool encrypt);
 void  IKEv2SendNotifyError(IKE_SERVER *ike, UDPPACKET *p, IKE_HEADER *hdr,
                            UINT64 resp_spi, USHORT notify_type);
 BUF  *IKEv2EncryptSK(IKE_SERVER *ike, IKEv2_SA *sa, UCHAR next_payload,
                      void *inner, UINT inner_size);
 BUF  *IKEv2DecryptSK(IKE_SERVER *ike, IKEv2_SA *sa, bool is_init_sending,
                      void *sk_data, UINT sk_size);
 UINT  IKEv2PrfKeyLen(UINT prf_alg);
 UINT  IKEv2PrfOutLen(UINT prf_alg);
 UINT  IKEv2IntegKeyLen(UINT integ_alg);
 UINT  IKEv2IntegIcvLen(UINT integ_alg);
 UINT  IKEv2EncrKeyLen(UINT encr_alg, UINT requested);
 UINT  IKEv2EncrBlockSize(UINT encr_alg);
 IKE_HASH   *IKEv2GetHashForPrf(IKE_SERVER *ike, UINT prf_alg);
 IKE_HASH   *IKEv2GetHashForInteg(IKE_SERVER *ike, UINT integ_alg);
 IKE_CRYPTO *IKEv2GetCrypto(IKE_SERVER *ike, UINT encr_alg);
 IKE_DH     *IKEv2GetDh(IKE_SERVER *ike, UINT dh_group);
 #endif // PROTO_IKEV2_H
@@ -2562,9 +2562,16 @@ void OvsRecvPacket(OPENVPN_SERVER *s, LIST *recv_packet_list, UINT protocol)
 								Debug("OpenVPN Channel %u Failed.\n", j);
 								OvsLog(s, se, c, "LO_CHANNEL_FAILED");
-								// Return the AUTH_FAILED
+								if ((se->IpcAsync->ErrorCode == ERR_AUTHTYPE_NOT_SUPPORTED) ||
-								str = "AUTH_FAILED";
+									(se->IpcAsync->ErrorCode == ERR_AUTH_FAILED) ||
-								WriteFifo(c->SslPipe->SslInOut->SendFifo, str, StrSize(str));
+									(se->IpcAsync->ErrorCode == ERR_PROXY_AUTH_FAILED) ||
 									(se->IpcAsync->ErrorCode == ERR_USER_AUTHTYPE_NOT_PASSWORD) ||
 									(se->IpcAsync->ErrorCode == ERR_NOT_SUPPORTED_AUTH_ON_OPENSOURCE))
 								{
 									// Return the AUTH_FAILED
 									str = "AUTH_FAILED";
 									WriteFifo(c->SslPipe->SslInOut->SendFifo, str, StrSize(str));
 								}
 								s->SessionEstablishedCount++;
@@ -5429,7 +5429,7 @@ void ClientUploadNoop(CONNECTION *c)
 	}
 	p = PackError(0);
-	PackAddInt(p, "noop", 1);
+	PackAddInt(p, "noop", NOOP);
 	(void)HttpClientSend(c->FirstSock, p);
 	FreePack(p);
@@ -5440,6 +5440,24 @@ void ClientUploadNoop(CONNECTION *c)
 	}
 }
 void ServerUploadNoop(CONNECTION *c)
 {
 	PACK *p;
 	// Validate arguments
 	if (c == NULL)
 	{
 		return;
 	}
 	p = PackError(0);
 	PackAddInt(p, "noop", NOOP_IGNORE);
 	(void)HttpServerSend(c->FirstSock, p);
 	FreePack(p);
 	// Client can't re-respond to an HTTP "response" 
 	// so we don't wait for it on the server side
 }
 // Add client version information to the PACK
 void PackAddClientVersion(PACK *p, CONNECTION *c)
 {
@@ -5843,7 +5861,6 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 				// Target is invalid
 				HttpSendNotFound(s, h->Target);
 				Free(data);
 				FreeHttpHeader(h);
 				*error_detail_str = "POST_Target_Wrong";
 			}
 			else
@@ -5861,10 +5878,10 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 				{
 					// WaterMark is incorrect
 					HttpSendForbidden(s, h->Target, NULL);
 					FreeHttpHeader(h);
 					*error_detail_str = "POST_WaterMark_Error";
 				}
 			}
 			FreeHttpHeader(h);
 		}
 		else if (StrCmpi(h->Method, "OPTIONS") == 0)
 		{
@@ -5884,6 +5901,7 @@ bool ServerDownloadSignature(CONNECTION *c, char **error_detail_str)
 					continue;
 				}
 			}
 			FreeHttpHeader(h);
 		}
 		else if (StrCmpi(h->Method, "SSTP_DUPLEX_POST") == 0 && (ProtoEnabled(server->Proto, "SSTP") || s->IsReverseAcceptedSocket) && GetServerCapsBool(server, "b_support_sstp"))
 		{
@@ -169,6 +169,7 @@ bool GetSessionKeyFromPack(PACK *p, UCHAR *session_key, UINT *session_key_32);
 void CreateNodeInfo(NODE_INFO *info, CONNECTION *c);
 UINT SecureSign(SECURE_SIGN *sign, UINT device_id, char *pin);
 void ClientUploadNoop(CONNECTION *c);
 void ServerUploadNoop(CONNECTION *c);
 bool ClientCheckServerCert(CONNECTION *c, bool *expired);
 void ClientCheckServerCertThread(THREAD *thread, void *param);
 bool ClientSecureSign(CONNECTION *c, UCHAR *sign, UCHAR *random, X **x);
@@ -7,6 +7,7 @@
 #include "Radius.h"
 #include "Protocol.h"
 #include "Connection.h"
 #include "IPC.h"
 #include "Server.h"
@@ -1767,7 +1768,7 @@ LABEL_ERROR:
 ////////// Classical implementation
 // Attempts Radius authentication (with specifying retry interval and multiple server)
-bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20,
+bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UINT timeout, UCHAR *mschap_v2_server_response_20,
 				 RADIUS_LOGIN_OPTION *opt, char *hubname)
 {
 	UCHAR random[MD5_SIZE];
@@ -2072,14 +2073,22 @@ bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT sec
 			// Transmission process start
 			start = Tick64();
 			// Limit timeout to be larger than hardcoded timeout
 			// Limit interval to be larger than the hardcoded interval and less than timeout
 			if (timeout < RADIUS_RETRY_TIMEOUT) {
 				timeout = RADIUS_RETRY_TIMEOUT;
 			}
 			if(interval < RADIUS_RETRY_INTERVAL)
 			{
 				interval = RADIUS_RETRY_INTERVAL;
 			}
-			else if(interval > RADIUS_RETRY_TIMEOUT)
+			else if(interval > timeout)
 			{
-				interval = RADIUS_RETRY_TIMEOUT;
+				interval = timeout;
 			}
 			next_send_time = start + (UINT64)interval;
 			while (true)
@@ -2099,6 +2108,8 @@ SEND_RETRY:
 				next_send_time = Tick64() + (UINT64)interval;
 RECV_RETRY:
 				ServerUploadNoop(c);				
 				now = Tick64();
 				if (next_send_time <= now)
 				{
@@ -2109,7 +2120,7 @@ RECV_RETRY:
 					goto SEND_RETRY;
 				}
-				if ((start + RADIUS_RETRY_TIMEOUT) < now)
+				if ((start + timeout) < now)
 				{
 					// Time-out
 					break;
@@ -283,7 +283,7 @@ struct RADIUS_LOGIN_OPTION
 };
 // Function prototype
-bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UCHAR *mschap_v2_server_response_20,
+bool RadiusLogin(CONNECTION *c, char *server, UINT port, UCHAR *secret, UINT secret_size, wchar_t *username, char *password, UINT interval, UINT timeout, UCHAR *mschap_v2_server_response_20,
 				 RADIUS_LOGIN_OPTION *opt, char *hubname);
 BUF *RadiusEncryptPassword(char *password, UCHAR *random, UCHAR *secret, UINT secret_size);
 BUF *RadiusCreateUserName(wchar_t *username);
@@ -516,6 +516,7 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
 			char suffix_filter[MAX_SIZE];
 			wchar_t suffix_filter_w[MAX_SIZE];
 			UINT interval;
 			UINT timeout;
 			EAP_CLIENT *eap = NULL;
 			char password1[MAX_SIZE];
 			UCHAR client_challenge[16];
@@ -586,7 +587,7 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
 			}
 			// Get the Radius server information
-			if (GetRadiusServerEx2(hub, radius_server_addr, sizeof(radius_server_addr), &radius_server_port, radius_secret, sizeof(radius_secret), &interval, suffix_filter, sizeof(suffix_filter)))
+			if (GetRadiusServerEx3(hub, radius_server_addr, sizeof(radius_server_addr), &radius_server_port, radius_secret, sizeof(radius_secret), &interval, &timeout, suffix_filter, sizeof(suffix_filter)))
 			{
 				Unlock(hub->lock);
@@ -597,7 +598,7 @@ bool SamAuthUserByPlainPassword(CONNECTION *c, HUB *hub, char *username, char *p
 					// Attempt to login
 					b = RadiusLogin(c, radius_server_addr, radius_server_port,
 						radius_secret, StrLen(radius_secret),
-						name, password, interval, mschap_v2_server_response_20, opt, hub->Name);
+						name, password, interval, timeout, mschap_v2_server_response_20, opt, hub->Name);
 					if (b)
 					{
@@ -2337,6 +2337,7 @@ void SiSetDefaultHubOption(HUB_OPTION *o)
 	o->AccessListIncludeFileCacheLifetime = ACCESS_LIST_INCLUDE_FILE_CACHE_LIFETIME;
 	o->RemoveDefGwOnDhcpForLocalhost = true;
 	o->FloodingSendQueueBufferQuota = DEFAULT_FLOODING_QUEUE_LENGTH;
 	o->DhcpDiscoverTimeoutMs = DEFAULT_DHCP_DISCOVER_TIMEOUT;
 }
 // Create a default virtual HUB
@@ -3942,6 +3943,11 @@ void SiLoadHubOptionCfg(FOLDER *f, HUB_OPTION *o)
 	o->UseHubNameAsDhcpUserClassOption = CfgGetBool(f, "UseHubNameAsDhcpUserClassOption");
 	o->UseHubNameAsRadiusNasId = CfgGetBool(f, "UseHubNameAsRadiusNasId");
 	o->AllowEapMatchUserByCert = CfgGetBool(f, "AllowEapMatchUserByCert");
 	o->DhcpDiscoverTimeoutMs = CfgGetInt(f, "DhcpDiscoverTimeoutMs");
 	if (o->DhcpDiscoverTimeoutMs == 0)
 	{
 		o->DhcpDiscoverTimeoutMs = DEFAULT_DHCP_DISCOVER_TIMEOUT;
 	}
 	// Enabled by default
 	if (CfgIsItem(f, "ManageOnlyPrivateIP"))
@@ -4048,6 +4054,7 @@ void SiWriteHubOptionCfg(FOLDER *f, HUB_OPTION *o)
 	CfgAddBool(f, "UseHubNameAsDhcpUserClassOption", o->UseHubNameAsDhcpUserClassOption);
 	CfgAddBool(f, "UseHubNameAsRadiusNasId", o->UseHubNameAsRadiusNasId);
 	CfgAddBool(f, "AllowEapMatchUserByCert", o->AllowEapMatchUserByCert);
 	CfgAddInt(f, "DhcpDiscoverTimeoutMs", o->DhcpDiscoverTimeoutMs);
 }
 // Write the user
@@ -4848,6 +4855,7 @@ void SiWriteHubCfg(FOLDER *f, HUB *h)
 		}
 		CfgAddInt(f, "RadiusServerPort", h->RadiusServerPort);
 		CfgAddInt(f, "RadiusRetryInterval", h->RadiusRetryInterval);
 		CfgAddInt(f, "RadiusRetryTimeout", h->RadiusRetryTimeout);
 		CfgAddStr(f, "RadiusSuffixFilter", h->RadiusSuffixFilter);
 		CfgAddStr(f, "RadiusRealm", h->RadiusRealm);
@@ -5013,9 +5021,11 @@ void SiLoadHubCfg(SERVER *s, FOLDER *f, char *name)
 			BUF *secret;
 			UINT port;
 			UINT interval;
 			UINT timeout;
 			port = CfgGetInt(f, "RadiusServerPort");
 			interval = CfgGetInt(f, "RadiusRetryInterval");
 			timeout = CfgGetInt(f, "RadiusRetryTimeout");
 			CfgGetStr(f, "RadiusSuffixFilter", h->RadiusSuffixFilter, sizeof(h->RadiusSuffixFilter));
 			CfgGetStr(f, "RadiusRealm", h->RadiusRealm, sizeof(h->RadiusRealm));
@@ -5028,6 +5038,10 @@ void SiLoadHubCfg(SERVER *s, FOLDER *f, char *name)
 				interval = RADIUS_RETRY_INTERVAL;
 			}
 			if (timeout == 0) {
 				timeout = RADIUS_RETRY_TIMEOUT;
 			}
 			if (port != 0 && CfgGetStr(f, "RadiusServerName", name, sizeof(name)))
 			{
 				secret = CfgGetBuf(f, "RadiusSecret");
@@ -5041,7 +5055,7 @@ void SiLoadHubCfg(SERVER *s, FOLDER *f, char *name)
 					}
 					secret_str[sizeof(secret_str) - 1] = 0;
 					//SetRadiusServer(h, name, port, secret_str);
-					SetRadiusServerEx(h, name, port, secret_str, interval);
+					SetRadiusServerEx2(h, name, port, secret_str, interval, timeout);
 					FreeBuf(secret);
 				}
 			}
@@ -7533,6 +7547,11 @@ void SiCalledUpdateHub(SERVER *s, PACK *p)
 	o.UseHubNameAsDhcpUserClassOption = PackGetBool(p, "UseHubNameAsDhcpUserClassOption");
 	o.UseHubNameAsRadiusNasId = PackGetBool(p, "UseHubNameAsRadiusNasId");
 	o.AllowEapMatchUserByCert = PackGetBool(p, "AllowEapMatchUserByCert");
 	o.DhcpDiscoverTimeoutMs = PackGetInt(p, "DhcpDiscoverTimeoutMs");
 	if (o.DhcpDiscoverTimeoutMs == 0)
 	{
 		o.DhcpDiscoverTimeoutMs = DEFAULT_DHCP_DISCOVER_TIMEOUT;
 	}
 	save_packet_log = PackGetInt(p, "SavePacketLog");
 	packet_log_switch_type = PackGetInt(p, "PacketLogSwitchType");
@@ -9368,6 +9387,7 @@ void SiPackAddCreateHub(PACK *p, HUB *h)
 	PackAddBool(p, "UseHubNameAsDhcpUserClassOption", h->Option->UseHubNameAsDhcpUserClassOption);
 	PackAddBool(p, "UseHubNameAsRadiusNasId", h->Option->UseHubNameAsRadiusNasId);
 	PackAddBool(p, "AllowEapMatchUserByCert", h->Option->AllowEapMatchUserByCert);
 	PackAddInt(p, "DhcpDiscoverTimeoutMs", h->Option->DhcpDiscoverTimeoutMs);
 	SiAccessListToPack(p, h->AccessList);
@@ -2815,6 +2815,7 @@ void NativeNatThread(THREAD *thread, void *param)
 		if (a != NULL)
 		{
 			char macstr[64];
 			IP dhcp_ip;
 			// Acquisition success
 			Debug("NnGetNextInterface Ok: %s\n", a->DeviceName);
@@ -2842,9 +2843,10 @@ void NativeNatThread(THREAD *thread, void *param)
 			Debug("NnMainLoop Start.\n");
 			MacToStr(macstr, sizeof(macstr), a->Ipc->MacAddress);
 			UINTToIP(&dhcp_ip, a->CurrentDhcpOptionList.ServerAddress);
 			NLog(t->v, "LH_KERNEL_MODE_START", a->DeviceName,
 			     &a->Ipc->ClientIPAddress, &a->Ipc->SubnetMask, &a->Ipc->DefaultGateway, &a->Ipc->BroadcastAddress,
-			     macstr, &a->CurrentDhcpOptionList.ServerAddress, &a->DnsServerIP);
+				macstr, &dhcp_ip, &a->DnsServerIP);
 			NnMainLoop(t, a);
 			Debug("NnMainLoop End.\n");
@@ -18,20 +18,46 @@ set_target_properties(mayaqua
 find_package(OpenSSL REQUIRED)
-if(OPENSSL_VERSION VERSION_LESS "3") # Disable oqsprovider when OpenSSL version < 3
+if(OPENSSL_VERSION VERSION_GREATER_EQUAL "3")
-  add_definitions(-DSKIP_OQS_PROVIDER)
+  set(OQS_ENABLE ON CACHE BOOL "By setting this to OFF, Open Quantum Safe algorithms will not be built in")
 else()
  # Disable oqsprovider when OpenSSL version < 3
  set(OQS_ENABLE OFF)
 endif()
 if(OQS_ENABLE)
  set(OQS_BUILD_ONLY_LIB ON CACHE BOOL "Set liboqs to build only the library (no tests)")
  set(BUILD_TESTING OFF CACHE BOOL "By setting this to OFF, no tests or examples will be compiled.")
  set(OQS_PROVIDER_BUILD_STATIC ON CACHE BOOL "Build a static library instead of a shared library") # Build oqsprovider as a static library (defaults to shared)
  list(PREPEND CMAKE_MODULE_PATH "${CMAKE_SOURCE_DIR}/src/Mayaqua/3rdparty/")
    # Disable all other KEM families
  set(OQS_ENABLE_KEM_FRODOKEM OFF)
  set(OQS_ENABLE_KEM_NTRUPRIME OFF)
  set(OQS_ENABLE_KEM_NTRU OFF)
  set(OQS_ENABLE_KEM_CLASSIC_MCELIECE OFF)
  set(OQS_ENABLE_KEM_HQC OFF)
  set(OQS_ENABLE_KEM_BIKE OFF)
  # Disable all SIG families
  set(OQS_ENABLE_SIG_ML_DSA OFF)
  set(OQS_ENABLE_SIG_FALCON OFF)
  set(OQS_ENABLE_SIG_DILITHIUM OFF)
  set(OQS_ENABLE_SIG_SPHINCS OFF)
  set(OQS_ENABLE_SIG_MAYO OFF)
  set(OQS_ENABLE_SIG_CROSS OFF)
  set(OQS_ENABLE_SIG_UOV OFF)
  set(OQS_ENABLE_SIG_SNOVA OFF)
  set(OQS_ENABLE_SIG_SLH_DSA OFF)
  add_subdirectory(3rdparty/liboqs)
  add_subdirectory(3rdparty/oqs-provider)
  target_include_directories(oqsprovider PUBLIC ${CMAKE_CURRENT_BINARY_DIR}/3rdparty/liboqs/include)
  set_property(TARGET oqsprovider PROPERTY POSITION_INDEPENDENT_CODE ON)
  target_link_libraries(mayaqua PRIVATE oqsprovider)
 else()
  add_definitions(-DSKIP_OQS_PROVIDER)
 endif()
 include(CheckSymbolExists)
@@ -125,8 +151,10 @@ if(UNIX)
    message("-- Using system's cpu_features")
    target_link_libraries(mayaqua PRIVATE cpu_features)
  else()
    message("-- Using bundled cpu_features")
    set(BUILD_SHARED_LIBS OFF)
    set(CMAKE_POSITION_INDEPENDENT_CODE ON)
    add_subdirectory(3rdparty/cpu_features)
    set_property(TARGET cpu_features PROPERTY POSITION_INDEPENDENT_CODE ON)
    target_link_libraries(mayaqua PRIVATE cpu_features)
  endif()
@@ -4462,9 +4462,13 @@ bool IsAesNiSupported()
 	// Unfortunately OpenSSL doesn't provide a function to do it
 #ifdef _MSC_VER
-	int regs[4]; // EAX, EBX, ECX, EDX
+  #if defined(_M_X64) || defined(_M_IX86)
-	__cpuid(regs, 1);
+    int regs[4]; // EAX, EBX, ECX, EDX
-	supported = (regs[2] >> 25) & 1;
+    __cpuid(regs, 1);
    supported = (regs[2] >> 25) & 1;
  #elif defined(_M_ARM64)
 	return IsProcessorFeaturePresent(PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE);
  #endif
 #else // _MSC_VER
 	#if defined(CPU_FEATURES_ARCH_X86)
 		const X86Features features = GetX86Info().features;
@@ -4757,7 +4761,7 @@ static void MY_SHA0_Transform(MY_SHA0_CTX* ctx) {
 	UCHAR* p = ctx->buf;
 	int t;
 	for(t = 0; t < 16; ++t) {
-		UINT tmp =  *p++ << 24;
+		UINT tmp =  (UINT)*p++ << 24;
 		tmp |= *p++ << 16;
 		tmp |= *p++ << 8;
 		tmp |= *p++;
@@ -1207,12 +1207,14 @@ PACK *HttpClientRecv(SOCK *s)
 	UINT size;
 	UCHAR *tmp;
 	HTTP_VALUE *v;
 	UINT num_noop = 0;
 	// Validate arguments
 	if (s == NULL)
 	{
 		return NULL;
 	}
 START:
 	h = RecvHttpHeader(s);
 	if (h == NULL)
 	{
@@ -1257,6 +1259,22 @@ PACK *HttpClientRecv(SOCK *s)
 	p = BufToPack(b);
 	FreeBuf(b);
 	// Client shouldn't receive a noop other than NOOP_IGNORE
 	// because it can't respond without a full new HTTP request
 	UINT noop = PackGetInt(p, "noop");
 	if (noop == NOOP_IGNORE) {
 		Debug("recv: noop ignore\n");
 		FreePack(p);
 		num_noop++;
 		if (num_noop > MAX_NOOP_PER_SESSION)
 		{
 			return NULL;
 		}
 		goto START;
 	}
 	return p;
 }
@@ -1365,13 +1383,14 @@ START:
 	FreeBuf(b);
 	// Determine whether it's a NOOP
-	if (PackGetInt(p, "noop") != 0)
+	UINT noop = PackGetInt(p, "noop");
 	if (noop == NOOP)
 	{
 		Debug("recv: noop\n");
 		FreePack(p);
 		p = PackError(0);
-		PackAddInt(p, "noop", 1);
+		PackAddInt(p, "noop", NOOP_IGNORE);
 		if (HttpServerSend(s, p) == false)
 		{
 			FreePack(p);
@@ -1387,6 +1406,11 @@ START:
 			return NULL;
 		}
 		goto START;
 	} else if (noop == NOOP_IGNORE) {
 		Debug("recv: noop ignore\n");
 		FreePack(p);
 		goto START;
 	}
@@ -63,7 +63,7 @@ static int ydays[] =
 	0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334, 365
 };
-static UINT current_num_thread = 0;
+static COUNTER *current_num_thread = NULL;
 static UINT cached_number_of_cpus = 0;
@@ -776,6 +776,7 @@ void InitThreading()
 {
 	thread_pool = NewSk();
 	thread_count = NewCounter();
 	current_num_thread = NewCounter();
 }
 // Release of thread pool
@@ -821,6 +822,9 @@ void FreeThreading()
 	DeleteCounter(thread_count);
 	thread_count = NULL;
 	DeleteCounter(current_num_thread);
 	current_num_thread = NULL;
 }
 // Thread pool procedure
@@ -1028,9 +1032,9 @@ THREAD *NewThreadNamed(THREAD_PROC *thread_proc, void *param, char *name)
 	Wait(pd->InitFinishEvent, INFINITE);
-	current_num_thread++;
+	Inc(current_num_thread);
-//	Debug("current_num_thread = %u\n", current_num_thread);
+//	Debug("current_num_thread = %u\n", Count(current_num_thread));
 	return ret;
 }
@@ -1055,8 +1059,8 @@ void CleanupThread(THREAD *t)
 	Free(t);
-	current_num_thread--;
+	Dec(current_num_thread);
-	//Debug("current_num_thread = %u\n", current_num_thread);
+	//Debug("current_num_thread = %u\n", Count(current_num_thread));
 }
 // Release thread (pool)
@@ -72,11 +72,26 @@ int PASCAL WinMain(HINSTANCE hInst, HINSTANCE hPrev, char *CmdLine, int CmdShow)
 // Compiler dependent
 #ifndef	OS_WIN32
-// Gcc compiler
+// GCC or Clang compiler
 #define	GCC_PACKED		__attribute__ ((__packed__))
 // Clang compiler
 #if defined(__has_feature)
 #if __has_feature(thread_sanitizer)
 #define ATTRIBUTE_NO_TSAN			__attribute__((no_sanitize("thread")))
 #endif	// __has_feature(thread_sanitizer)
 #endif	// __has_feature
 // GCC compiler
 #if defined(__SANITIZE_THREAD__) && !defined(ATTRIBUTE_NO_TSAN)
 #define ATTRIBUTE_NO_TSAN			__attribute__((no_sanitize("thread")))
 #endif	// __SANITIZE_THREAD__
 // Other or older Clang/GCC compiler
 #ifndef ATTRIBUTE_NO_TSAN
 #define ATTRIBUTE_NO_TSAN
 #endif	// ATTRIBUTE_NO_TSAN
 #else	// OS_WIN32
 // VC++ compiler
 #define	GCC_PACKED
 #define ATTRIBUTE_NO_TSAN
 #endif	// OS_WIN32
 // Macro that displays the current file name and line number
@@ -881,8 +881,6 @@ struct SSL_VERIFY_OPTION
 	X *SavedCert;					// Saved server certificate
 };
 #define	SSL_DEFAULT_CONNECT_TIMEOUT		(15 * 1000)		// SSL default timeout
 // Header for TCP Pair
 struct TCP_PAIR_HEADER
 {
@@ -38,6 +38,8 @@
 // The number of allowable NOOP
 #define	MAX_NOOP_PER_SESSION	30
 #define NOOP 1
 #define NOOP_IGNORE 2 // A noop, but don't send a response noop
 // VALUE object
 struct VALUE
@@ -470,6 +470,7 @@ LIST *LoadLangList()
 	b = ReadDump(filename);
 	if (b == NULL)
 	{
 		FreeLangList(o);
 		return NULL;
 	}
@@ -651,6 +651,15 @@ struct IKE_HEADER
 #define IKE_EXCHANGE_TYPE_INFORMATION		5	// Information exchange
 #define IKE_EXCHANGE_TYPE_QUICK				32	// Quick mode
 // IKEv2 version identifier (in the Version field of IKE_HEADER)
 #define IKEv2_VERSION					0x20	// 2.0
 // IKEv2 exchange types (RFC 7296)
 #define IKEv2_EXCHANGE_IKE_SA_INIT		34
 #define IKEv2_EXCHANGE_IKE_AUTH			35
 #define IKEv2_EXCHANGE_CREATE_CHILD_SA	36
 #define IKEv2_EXCHANGE_INFORMATIONAL	37
 // DHCPv4 data
 struct DHCPV4_DATA
 {
@@ -2140,9 +2140,13 @@ void UnixMemoryFree(void *addr)
 // SIGCHLD handler
 void UnixSigChldHandler(int sig)
 {
 	int old_errno = errno;
 	// Recall the zombie processes
 	while (waitpid(-1, NULL, WNOHANG) > 0);
 	signal(SIGCHLD, UnixSigChldHandler);
 	errno = old_errno;
 }
 // Disable core dump
@@ -5,7 +5,8 @@
 // NDIS6.c
 // Windows NDIS 6.2 Routine
-#include <GlobalConst.h>
+//#include <GlobalConst.h>
 #include "GlobalConst.h"
 #define	NEO_DEVICE_DRIVER
@@ -9,25 +9,37 @@
 #define	NDIS5_H
 // Win32 DDK related
-#ifndef	CPU_64
+#ifndef CPU_64
-#define	_X86_
+#define _X86_
-#else	// CPU_64
+#else // CPU_64
-#ifndef	NEO_IA64
+#ifdef CPU_ARM64
-#define	_AMD64_
+//#define _ARM64_
-#define	AMD64
+//#define ARM64
-#else	// NEO_IA64
+#elif defined(NEO_IA64)
-#define	_IA64_
+#define _IA64_
-#define	IA64
+#define IA64
-#endif	// NEO_IA64
+#else
-#endif	// CPU_64
+#define _AMD64_
 #define AMD64
 #endif
 #endif // CPU_64
 #define	NDIS_MINIPORT_DRIVER
-// NDIS 6.2
+#ifdef CPU_ARM64
-#define	NDIS620_MINIPORT
+	#define NDIS640_MINIPORT 
-#define	NDIS_SUPPORT_NDIS61			1
+	#define NDIS_MINIPORT_MINIMUM_MAJOR_VERSION 6
-#define	NDIS_SUPPORT_NDIS620		1
+	#define NDIS_MINIPORT_MINIMUM_MINOR_VERSION 40
-#define NEO_NDIS_MAJOR_VERSION		6
+	#define NEO_NDIS_MAJOR_VERSION 6
-#define NEO_NDIS_MINOR_VERSION		20
+	#define NEO_NDIS_MINOR_VERSION 40
-#define	NDIS_WDM					1
+#else
 	// NDIS 6.2
 	#define	NDIS620_MINIPORT
 	#define	NDIS_SUPPORT_NDIS61			1
 	#define	NDIS_SUPPORT_NDIS620		1
 	#define NEO_NDIS_MAJOR_VERSION		6
 	#define NEO_NDIS_MINOR_VERSION		20
 	#define	NDIS_WDM					1
 #endif
 #include <wdm.h>
 #include <ndis.h>
@@ -0,0 +1,107 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project DefaultTargets="Build" ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup Label="ProjectConfigurations">
    <ProjectConfiguration Include="Release|ARM64">
      <Configuration>Release</Configuration>
      <Platform>ARM64</Platform>
    </ProjectConfiguration>
  </ItemGroup>
  <PropertyGroup Label="Globals">
    <VCProjectVersion>17.0</VCProjectVersion>
    <ProjectGuid>{F7679B65-2FEC-469A-8BAC-B07BF4439422}</ProjectGuid>
    <RootNamespace>Neo6</RootNamespace>
    <Keyword>Win32Proj</Keyword>
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
      <TargetVersion>Windows10</TargetVersion>
      <UseDebugLibraries>false</UseDebugLibraries>
      <PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
      <ConfigurationType>Driver</ConfigurationType>
      <DriverType>KMDF</DriverType>
      <DriverTargetPlatform>Universal</DriverTargetPlatform>
      <TargetName>Neo6_arm64_unsigned</TargetName>
      <TargetExt>.sys</TargetExt>
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
  <ImportGroup Label="ExtensionSettings">
  </ImportGroup>
  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
  </ImportGroup>
  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
  </ImportGroup>
  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="PropertySheets">
    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
  </ImportGroup>
  <PropertyGroup Label="UserMacros" />
  <PropertyGroup>
    <_ProjectFileVersion>17.0.36310.24</_ProjectFileVersion>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
    <IntDir>$(Platform)_$(Configuration)\</IntDir>
    <IgnoreImportLibrary>true</IgnoreImportLibrary>
    <LinkIncremental>false</LinkIncremental>
    <GenerateManifest>false</GenerateManifest>
  </PropertyGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'">
    <Midl />
    <ClCompile>
      <Optimization>MaxSpeed</Optimization>
      <InlineFunctionExpansion>Default</InlineFunctionExpansion>
      <IntrinsicFunctions>false</IntrinsicFunctions>
      <FavorSizeOrSpeed>Neither</FavorSizeOrSpeed>
      <TreatWarningAsError>false</TreatWarningAsError>
      <AdditionalIncludeDirectories>$(ProjectDir)\..\;$(SolutionDir);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>ARM64;_ARM64_;CPU_64;WIN32;CPU_ARM64;NDEBUG;_WINDOWS;_USRDLL;NEO_EXPORTS;VPN_SPEED;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <StringPooling>false</StringPooling>
      <ExceptionHandling>
      </ExceptionHandling>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
      <StructMemberAlignment>8Bytes</StructMemberAlignment>
      <BufferSecurityCheck>false</BufferSecurityCheck>
      <FunctionLevelLinking>false</FunctionLevelLinking>
      <PrecompiledHeader>
      </PrecompiledHeader>
      <WarningLevel>Level3</WarningLevel>
      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
      <CompileAs>CompileAsC</CompileAs>
      <DisableSpecificWarnings>4996;%(DisableSpecificWarnings)</DisableSpecificWarnings>
    </ClCompile>
    <!-- <PreLinkEvent>
      <Command>$(SolutionDir)bin\BuildUtil.exe /CMD:GenerateVersionResource "$(TargetPath)" /OUT:"$(SolutionDir)tmp\VersionResources\$(ProjectName)_$(Platform).res" /PRODUCT:"SoftEther VPN"</Command>
    </PreLinkEvent> -->
    <ProjectReference>
      <LinkLibraryDependencies>false</LinkLibraryDependencies>
    </ProjectReference>
    <Link>
      <OutputFile>$(OutDir)Neo6_arm64_unsigned.sys</OutputFile>
      <AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
      <AdditionalDependencies>ntoskrnl.lib;wdm.lib;hal.lib;;ucrt.lib;ndis.lib;wdmsec.lib;ntdll.lib;Kernel32.lib;fwpkclnt.lib;libcntpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
      <!-- <ImportLibrary>$(SolutionDir)tmp\lib\$(Platform)_$(Configuration)\$(ProjectName).lib</ImportLibrary> -->
      <TargetMachine>MachineARM64</TargetMachine>
    </Link>
    <!-- <PostBuildEvent>
      <Command>$(SolutionDir)bin\BuildUtil.exe /CMD:SignCode "$(TargetPath)" /DEST:"$(TargetDir)Neo6_ARM64.sys" /COMMENT:"VPN Software" /KERNEL:yes /CERTID:0 /SHAMODE:0
      $(SolutionDir)bin\BuildUtil.exe /CMD:SignCode "$(TargetPath)" /DEST:"$(TargetDir)Neo6_ARM64_win10.sys" /COMMENT:"VPN Software" /KERNEL:yes /CERTID:0 /SHAMODE:2
      </Command>
    </PostBuildEvent> -->
  </ItemDefinitionGroup>
  <ItemGroup>
    <ClCompile Include="NDIS6.c" />
    <ClCompile Include="Neo6.c" />
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="NDIS6.h" />
    <ClInclude Include="Neo6.h" />
    <ClInclude Include="resource.h" />
  </ItemGroup>
  <ItemGroup>
    <ResourceCompile Include="Neo6.rc" />
  </ItemGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
  <ImportGroup Label="ExtensionTargets">
  </ImportGroup>
 </Project>
@@ -0,0 +1,114 @@
 ; VPN Client Device Driver for Windows 2000 and Greater
 ; 
 ; Copyright (c) SoftEther Corporation. All Rights Reserved.
 ; http://www.softether.co.jp/
 ; 
 ; BUILD 9658
 [Version]
 Signature					= "$Windows NT$"
 Class						= Net
 ClassGUID					= {4D36E972-E325-11CE-BFC1-08002BE10318}
 Provider					= %CompanyName%
 DriverVer					= 02/04/2018, 4.25.0.9658
 CatalogFile.NT				= Neo6_arm64_VPN.cat
 [Manufacturer]
 %CompanyName% 				= SoftEther, NTarm64
 [SourceDisksNames]
 1=%DiskDescription%, "", , 
 [SourceDisksFiles]
 Neo6_arm64_VPN.sys	= 1
 [DestinationDirs]
 DefaultDestDir				= 12
 Neo.CopyFiles.Sys			= 12
 [Neo.CopyFiles.Sys]
 Neo6_arm64_VPN.sys, , , 2
 [SoftEther.NTarm64]
 %NeoAdapter.DeviceDesc%	= NeoAdapter.Install, NeoAdapter_VPN
 [NeoAdapter.Install]
 Characteristics				= 0x1
 AddReg						= Neo.Reg, NeoAdapter.Ndi
 CopyFiles					= Neo.CopyFiles.Sys
 *IfType						= 53
 *MediaType					= 0
 *PhysicalMediaType			= 0
 [NeoAdapter.Install.Services]
 AddService					= %Neo.Service.Name%, 2, Neo.Service, Neo.EventLog, , %Neo, EventLog.Name%
 [NeoAdapter.Ndi]
 HKR, , NetworkAddress, 0, %DefaultAddress%
 HKR, Ndi, DeviceID, , "NeoAdapter_VPN"
 HKR, , DevLoader, , ndis
 HKR, , DeviceVxDs, , Neo6_arm64_VPN.sys
 HKR, NDIS, LogDriverName, , "Neo_VPN"
 HKR, NDIS, MajorNdisVersion, 1, 5
 HKR, NDIS, MinorNdisVersion, 1, 0
 HKR, Ndi\Interfaces, DefUpper, , "ndis5"
 HKR, Ndi\Interfaces, UpperRange, , "ndis5"
 HKR, Ndi\Interfaces, LowerRange, , "ethernet"
 HKR, Ndi\Interfaces, DefLower, , "ethernet"
 HKR, Ndi\Install, ndis5, , "Neo.CopyFiles.Sys"
 HKR, Ndi\Params\NetworkAddress, ParamDesc, 0, %NetworkAddress%
 HKR, Ndi\Params\NetworkAddress, type, 0, "edit"
 HKR, Ndi\Params\NetworkAddress, LimitText, 0, "12"
 HKR, Ndi\Params\NetworkAddress, UpperCase, 0, "1"
 HKR, Ndi\Params\NetworkAddress, default, 0, %DefaultAddress%
 HKR, Ndi\Params\NetworkAddress, optional, 0, "0"
 HKR, Ndi\Params\MaxSpeed, ParamDesc, 0, %MaxSpeed%
 HKR, Ndi\Params\MaxSpeed, type, 0, "int"
 HKR, Ndi\Params\MaxSpeed, default, 0, "100"
 HKR, Ndi\Params\MaxSpeed, min, 0, "0"
 HKR, Ndi\Params\MaxSpeed, max, 0, "2000"
 HKR, Ndi\Params\MaxSpeed, step, 0, "1"
 HKR, Ndi\Params\MaxSpeed, Base, 0, "10"
 HKR, Ndi\Params\KeepLink, ParamDesc, 0, %KeepLink%
 HKR, Ndi\Params\KeepLink, type, 0, "enum"
 HKR, Ndi\Params\KeepLink\enum, "1", 0, %On%
 HKR, Ndi\Params\KeepLink\enum, "0", 0, %Off%
 HKR, Ndi\Params\KeepLink, default, 0, "0"
 [Neo.Service]
 DisplayName					= %Neo.Service.DispName%
 Description					= %Neo.Service.Desc%
 ServiceType					= 1
 StartType					= 3
 ErrorControl				= 1
 ServiceBinary				= %12%\Neo6_arm64_VPN.sys
 LoadOrderGroup				= NDIS
 [Neo.Reg]
 HKR, Ndi, Service, 0, Neo.Service.Name
 HKR, Ndi\Interfaces, LowerRange, 0, "ethernet"
 HKR, Ndi\Interfaces, UpperRange, 0, "ndis5"
 [Neo.EventLog]
 HKR, , EventMessageFile, 0x00020000, "%11%\IoLogMsg.dll;%12%\Neo6_arm64_VPN.sys"
 HKR, , TypesSupported, 0x00010001, 7
 [Strings]
 CompanyName					= "SoftEther Corporation"
 DiskDescription				= "VPN Client Device Driver Install Disk"
 Neo.Service.Name			= "Neo_VPN"
 Neo.Service.DispName		= "VPN Client Device Driver - VPN"
 Neo.Service.Desc			= "VPN Client Adapter - VPN"
 NeoAdapter.DeviceDesc		= "VPN Client Adapter - VPN"
 Neo.EventLog.Name			= "Neo"
 NetworkAddress				= "MAC Address"
 DefaultAddress				= "000001000001"
 MaxSpeed					= "Indicate Speed (Mbps)"
 KeepLink					= "Keep Link"
 On							= "On"
 Off							= "Off"
 ; Auto Generated 20180205_163621.454
@@ -10,3 +10,4 @@
 5 ru Russian Русский 1049 ru
 6 pt_br Portuguese-Brazil Português-Brasil 1046 pt_br
 7 id Indonesian Bahasa 1057 id
 8 tr Turkish Türkçe 1055 tr
@@ -3,4 +3,4 @@
 # 番号 識別子 英語表記 ローカル表記 Windowsロケール番号 UNIXロケール文字一覧
 1 en English English 1033 en,us,c
-
+8 tr Turkish Türkçe 1055 tr
@@ -200,7 +200,7 @@ ERR_133					The specified Dynamic DNS hostname is already used. Please change th
 ERR_134					The specified Dynamic DNS hostname has an invalid characters. Please change the hostname.
 ERR_135					The length of the specified Dynamic DNS hostname is too long. A hostname must be equal or shorter than 31 letters.
 ERR_136					The Dynamic DNS hostname is not specified.
-ERR_137					The length of the specified Dynamic DNS hostname is too long. A hostname must be equal of longer than 3 letters.
+ERR_137					The length of the specified Dynamic DNS hostname is too short. A hostname must be equal or longer than 3 letters.
 ERR_138					The password of the specified user in the Virtual Hub must be reset before using MS-CHAP v2 authentication. Please ask the administrator of the VPN Server to reset the password by the VPN Server Manager or vpncmd which internal version is 4.0 or greater. Or you can change the password with VPN Client by yourself.
 ERR_139					The connection to the Dynamic DNS server has been disconnected.
 ERR_140					Failed to initialize the ICMP (Ping) protocol. The process of the VPN Server might be running in a normal-user privileges. In such case, run the VPN Server as a system service. (in Linux / UNIX, run it in root privileges.)
@@ -7422,3 +7422,4 @@ SW_LINK_NAME_LANGUAGE_COMMENT				Change the display language setting of %s.
 SW_LINK_NAME_DEBUG							Debugging Information Collecting Tool
 SW_LINK_NAME_DEBUG_COMMENT					Collects debugging information of SoftEther VPN. Use this tool only if your support staff asks you to do so.
@@ -0,0 +1,28 @@
 # This file contains suppressions for Thread Sanitizer.
 # For the specification, refer to: https://github.com/google/sanitizers/wiki/threadsanitizersuppressions
 ## Set/Wait
 # This provides synchronization equivalent to a lock, but Thread Sanitizer cannot recognize it.
 # Thread Sanitizer reports data race on Halt in TK64.
 # https://github.com/SoftEtherVPN/SoftEtherVPN/pull/2221
 race_top:FreeTick64
 # Thread Sanitizer reports data races on Finished and NoDelayFlag in CONNECT_SERIAL_PARAM,
 # shared between BindConnectThreadForIPv4, BindConnectThreadForIPv6, and BindConnectEx5.
 # https://github.com/SoftEtherVPN/SoftEtherVPN/pull/2222
 race_top:BindConnectThreadForIPv4
 race_top:BindConnectThreadForIPv6
 race_top:BindConnectEx5
 ## Manual PTHREAD_MUTEX_RECURSIVE
 # The Lock/Unlock mechanism on Unix is a manual, hand-coded implementation of PTHREAD_MUTEX_RECURSIVE.
 # We avoid using the PTHREAD_MUTEX_RECURSIVE directly because it exhibits critical bugs, such as deadlocks
 # on certain older systems(Linux, Solaris, or macOS). While Thread Sanitizer will report data races,
 # these warnings should be ignored as the logic has been carefully implemented to ensure thread safety.
 # https://github.com/SoftEtherVPN/SoftEtherVPN/pull/2219
 race_top:UnixLock
 race_top:UnixUnlockEx
Author	SHA1	Message	Date
copilot-swe-agent[bot]	019261e47f	Remove build_test artifacts from git tracking Co-authored-by: chipitsine <2217296+chipitsine@users.noreply.github.com>	2026-03-06 08:41:59 +00:00
copilot-swe-agent[bot]	bd1512f15b	Fix IKEv2 SK payload format and IKE_AUTH parsing for Apple device connectivity Co-authored-by: chipitsine <2217296+chipitsine@users.noreply.github.com>	2026-03-06 08:41:38 +00:00
copilot-swe-agent[bot]	33d682beee	Remove build artifacts, add _codeql_build_dir to .gitignore Co-authored-by: chipitsine <2217296+chipitsine@users.noreply.github.com>	2026-02-20 09:51:18 +00:00
copilot-swe-agent[bot]	476638b7d9	Add IKEv2 (RFC 7296) support for IPsec VPN Co-authored-by: chipitsine <2217296+chipitsine@users.noreply.github.com>	2026-02-20 09:50:38 +00:00
copilot-swe-agent[bot]	bc2d951000	Initial plan	2026-02-20 06:57:32 +00:00
Ilya Shipitsin	e0c86ab4a6	Merge pull request #2236 from chipitsine/master follow up of https://github.com/SoftEtherVPN/SoftEtherVPN/pull/2161	2026-02-18 21:15:20 +01:00
Ilia Shipitsin	5130f1a4da	follow up of https://github.com/SoftEtherVPN/SoftEtherVPN/pull/2161	2026-02-18 16:09:54 +01:00
Ilya Shipitsin	13f15384f2	Merge pull request #2161 from siddharth-narayan/radius-retry-timeout Add RadiusRetryTimeout option	2026-02-18 07:54:10 +01:00
Siddharth Narayan	bbda0c298d	Implement extended-timeout radius login	2026-02-18 00:44:18 -06:00
Ilya Shipitsin	e42aa6bf78	Merge pull request #2235 from talynone/WINARM64BUILDSCRIPTS Add Windows ARM 64 builds to GitHub Windows Actions	2026-02-16 18:12:26 +01:00
Joseph Gershgorin	ef05c4f0c4	The liboqs (post-quantum cryptography) library doesn't officially support ARM64. To allow the build to proceed, we added -DOQS_PERMIT_UNSUPPORTED_ARCHITECTURE=ON via the CMAKE_EXTRA_FLAGS matrix field	2026-02-16 05:27:17 -08:00
Joseph Gershgorin	7f6e527b47	Modify GitHub CI/CD with Windows ARM 64 build support	2026-02-16 05:11:02 -08:00
Ilya Shipitsin	a0afd98744	Merge pull request #2234 from synqa/add-more-tsan-suppression Add Thread Sanitizer suppressions for FreeTick64 and UnixLock	2026-02-16 13:03:54 +01:00
synqa	ae448abdad	Add Thread Sanitizer suppressions for FreeTick64 and UnixLock - Add suppression for FreeTick64 (#2221). - Add suppression for UnixLock (#2219).	2026-02-16 18:59:59 +09:00
Ilya Shipitsin	cfe854b339	Merge pull request #2232 from synqa/add-tsan-suppression Add ThreadSanitizer suppression file	2026-02-14 15:47:43 +01:00
synqa	c075bd85a8	Add ThreadSanitizer suppression file Using no_sanitize("thread") disables instrumentation for the entire stack frame, meaning functions called within that scope are also not checked. By using race_top in a suppression file, we can suppress erros only when they occur at the top of the stack. This provides more granular control over errors suppression. As an example, this suppression addresses #2222.	2026-02-14 22:42:48 +09:00
Ilya Shipitsin	6f749ab71c	Merge pull request #2181 from jgrasboeck/fix_openvpn_auth_failed_reply Openvpn: only send AUTH_FAILED reply on auth errors	2026-02-14 11:06:26 +01:00
Ilya Shipitsin	0e36e095f0	Merge pull request #2229 from chipitsine/master ci: run coverity workflow on demand	2026-02-13 14:20:41 +01:00
Ilia Shipitsin	34e4d4a54b	ci: run coverity workflow on demand	2026-02-13 14:05:23 +01:00
Ilya Shipitsin	df3ea19f0e	Merge pull request #2226 from SaiXu-QC/WinArm64 Add Win Arm64 Doc	2026-02-09 08:42:27 +01:00
SaiXU	9da4aabda5	add win arm64 doc	2026-02-09 10:42:32 +08:00
SaiXU	3cb3dd20fc	Add BUILD_WinArm64.md	2026-02-09 10:38:45 +08:00
Ilya Shipitsin	b551b77e25	Merge pull request #2225 from synqa/tsan-disable-macro Add macro to disable thread sanitizer	2026-02-08 17:26:26 +01:00
Ilya Shipitsin	609b8f4a5e	Merge pull request #2224 from synqa/revert-2221-fix-halt-flag Revert "Fix data race on Tick64"	2026-02-08 17:25:04 +01:00
synqa	0a87ff8fbd	Add macro to disable thread sanitizer Define ATTRIBUTE_NO_TSAN as __attribute__((no_sanitize(\"thread\"))) when building with thread sanitizer enabled. Falls back to empty definition when thread sanitizer is not active or not supported compiler.	2026-02-08 23:41:10 +09:00
synqa	6016f84315	Revert "Fix data race on Tick64"	2026-02-08 23:14:09 +09:00
Ilya Shipitsin	9d27b935b7	Merge pull request #2223 from synqa/fix-memory-leak-loadlanglist Fix memory leak in LoadLangList()	2026-02-06 15:56:18 +01:00
Ilya Shipitsin	1e1104d3ba	Merge pull request #2221 from synqa/fix-halt-flag Fix data race on Tick64	2026-02-06 15:55:01 +01:00
Ilya Shipitsin	074efb5479	Merge pull request #2220 from synqa/fix-thread-counter Fix race condition in thread counter	2026-02-06 15:54:18 +01:00
synqa	fe460de5a6	Fix data race on Tick64 Add lock protection when reading/writing Halt flag to prevent data race.	2026-02-06 21:12:16 +09:00
synqa	6ef941db21	Fix memory leak in LoadLangList()	2026-02-06 21:08:52 +09:00
synqa	d7d3ec8cac	Fix race condition in thread counter To prevent data races caused by concurrent access from multiple threads, replace UINT with COUNTER.	2026-02-06 21:03:08 +09:00
Ilya Shipitsin	68e9f0b593	Merge pull request #2218 from SoftEtherVPN/dependabot/npm_and_yarn/src/bin/hamcore/wwwroot/admin/default/webpack-5.105.0 Build(deps-dev): Bump webpack from 5.94.0 to 5.105.0 in /src/bin/hamcore/wwwroot/admin/default	2026-02-06 07:35:07 +01:00
dependabot[bot]	f1012da5fb	Build(deps-dev): Bump webpack in /src/bin/hamcore/wwwroot/admin/default Bumps [webpack](https://github.com/webpack/webpack) from 5.94.0 to 5.105.0. - [Release notes](https://github.com/webpack/webpack/releases) - [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md) - [Commits](https://github.com/webpack/webpack/compare/v5.94.0...v5.105.0) --- updated-dependencies: - dependency-name: webpack dependency-version: 5.105.0 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>	2026-02-05 23:11:11 +00:00
Ilya Shipitsin	1411d4ceb4	Merge pull request #2217 from synqa/fix-preserve-errno Fix preserve errno in SIGCHLD signal handler	2026-02-05 15:46:13 +01:00
Ilya Shipitsin	a3176175f9	Merge pull request #2216 from synqa/fix-ub-leftshift Fix undefined behavior of left shift	2026-02-05 15:13:46 +01:00
synqa	88af7986b4	Fix preserve errno in SIGCHLD signal handler Signal handler may interrupt code that depends on errno, and waitpid() may modify errno, therefore, errno must be saved and restored before returning.	2026-02-05 18:51:58 +09:00
synqa	38f102e2e7	Fix undefined behavior of left shift Left shifting UCHAR promotes it to a signed integer. When the value is >= 128 and shifted by 24, the result sets the sign bit, causing undefined behavior. Fixes it by explicit casting to UINT.	2026-02-05 18:48:01 +09:00
Ilya Shipitsin	e722f78608	Merge pull request #2209 from SaiXu-QC/WinArm64 Add Windows ARM64 support and ARM64 Neo6 driver	2026-02-03 11:46:26 +01:00
SaiXU	969812e0f2	add IS_CROSS_COMPILATION	2026-01-30 13:30:38 +08:00
SaiXU	14526cf3ea	add arm64 DriverPackages/Neo6_Win10/arm64/Neo6_arm64_VPN.sys	2026-01-30 11:40:46 +08:00
SaiXU	875c4fa344	support ARM64 on windows	2026-01-30 11:36:39 +08:00
Ilya Shipitsin	d8be1e4ddc	Merge pull request #2205 from synqa/password-prompt-for-linux Fix password input handling on Linux	2026-01-24 22:44:29 +01:00
synqa	eaef60a582	Fix password input handling on Linux The password input handling on Linux to match the behavior on Windows. It allows deleting characters using the Backspace, Delete, and Left arrow keys, and correctly handles other input sequences are handling correctly.	2026-01-24 12:37:43 +09:00
Ilya Shipitsin	06c93414f2	Merge pull request #2204 from chipitsine/master some translation guide kindly contributed by copilot	2026-01-23 21:42:12 +01:00
Ilia Shipitsin	e065752618	some translation guide kindly contributed by copilot	2026-01-23 16:13:13 +01:00
Ilya Shipitsin	d75aba9866	Merge pull request #2200 from synqa/fix-dangling-pointer Fix dangling pointer	2026-01-18 21:39:56 +01:00
synqa	1b9ac396ba	Fix dangling pointer Previously, The address of a local stack variable was passed to a new thread. Fix dangling pointer by switching to dynamic allocation. This problem is also known as CVE-2025-25568.	2026-01-18 22:51:23 +09:00
Ilya Shipitsin	041581ce30	Merge pull request #2193 from vamhund/turkish-translation Add Turkish translation (strtable_tr.stb)	2026-01-09 14:19:09 +01:00
VamHunD	ca745bd234	Update language list file with Turkish entry	2026-01-09 15:36:54 +03:00
VamHunD	051da3a48f	Add Turkish language entry to languages.txt	2026-01-09 15:34:31 +03:00
Ilya Shipitsin	669f58036e	Merge pull request #2195 from vamhund/fix-err137-logic Fix logical contradiction in ERR_137	2026-01-08 17:14:07 +01:00
VamHunD	ce95ef93a2	Trigger Windows Build	2026-01-08 16:02:34 +03:00
VamHunD	355609b339	Fix logical contradiction in ERR_137 Fixed "too long" -> "too short" and "equal of" -> "equal or". The first sentence says the name is "too long", but the second sentence says it must be "longer than 3 letters" (which implies it is currently too short). The phrase "equal of longer than" should likely be "equal or longer than".	2026-01-08 15:42:58 +03:00
Ilya Shipitsin	85c814a0fb	Merge pull request #2194 from hiura2023/master Fix: Correct the wrong data type passed to the log output function	2026-01-08 09:33:37 +01:00
hiura2023	90a77cfddf	Merge branch 'SoftEtherVPN:master' into master	2026-01-08 16:52:52 +09:00
hiura2023	65e5e28549	Fix: Correct the wrong data type passed to the log output	2026-01-08 16:50:47 +09:00
Ilya Shipitsin	770aef2866	Merge pull request #2192 from hiura2023/master Fix: Kernel-mode NAT not available	2026-01-08 08:10:40 +01:00
hiura2023	b92294fc52	Fix: Kernel-mode NAT not available due to DHCP unfunctional	2026-01-08 13:27:10 +09:00
hiura2023	a4681818c4	Revert "Fix: Kernel-mode NAT not available" This reverts commit `d85fc71a3a`.	2026-01-08 12:15:12 +09:00
VamHunD	0a44e995de	Add Turkish translation (strtable_tr.stb)	2026-01-08 00:55:51 +03:00
hiura2023	d85fc71a3a	Fix: Kernel-mode NAT not available	2026-01-05 23:28:10 +09:00
Ilya Shipitsin	e884c4ef76	Merge pull request #2189 from SoftEtherVPN/dependabot/npm_and_yarn/src/bin/hamcore/wwwroot/admin/default/js-yaml-3.14.2 Bump js-yaml from 3.13.1 to 3.14.2 in /src/bin/hamcore/wwwroot/admin/default	2026-01-04 22:44:25 +01:00
dependabot[bot]	859ff5ca5e	Bump js-yaml in /src/bin/hamcore/wwwroot/admin/default Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 3.13.1 to 3.14.2. - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](https://github.com/nodeca/js-yaml/compare/3.13.1...3.14.2) --- updated-dependencies: - dependency-name: js-yaml dependency-version: 3.14.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2025-12-27 09:39:13 +00:00
Ilya Shipitsin	85561f3584	Merge pull request #2188 from siddharth-narayan/macos-runner-update Update macos runners	2025-12-27 10:37:49 +01:00
Siddharth Narayan	6880886e5a	Update macos runners	2025-12-27 00:52:09 -05:00
Siddharth Narayan	c32184495b	Add server-side NOOP upload for connection keepalive	2025-12-21 21:10:32 -05:00
Siddharth Narayan	304364719c	Add radius retry timeout in configuration	2025-12-21 21:07:55 -05:00
Ilya Shipitsin	d5c2e33175	Merge pull request #2184 from SoftEtherVPN/copilot/fix-false-positive-detection Add comprehensive documentation for Microsoft Defender false positive detections	2025-12-06 19:01:47 +01:00
copilot-swe-agent[bot]	1ec05c0cb6	Revert changes to common.manifest as requested Co-authored-by: chipitsine <2217296+chipitsine@users.noreply.github.com>	2025-12-06 17:27:51 +00:00
copilot-swe-agent[bot]	873ba87029	Improve PowerShell script with error handling and add manifest clarification Co-authored-by: chipitsine <2217296+chipitsine@users.noreply.github.com>	2025-12-05 18:20:32 +00:00
copilot-swe-agent[bot]	2e83cd5726	Address code review feedback: remove outdated date and add manifest comment Co-authored-by: chipitsine <2217296+chipitsine@users.noreply.github.com>	2025-12-05 18:18:04 +00:00
copilot-swe-agent[bot]	3bf7361dc1	Fix typo in PowerShell exclusion script Co-authored-by: chipitsine <2217296+chipitsine@users.noreply.github.com>	2025-12-05 18:15:21 +00:00
copilot-swe-agent[bot]	c26f89e441	Update issue templates and security documentation for antivirus false positives Co-authored-by: chipitsine <2217296+chipitsine@users.noreply.github.com>	2025-12-05 18:14:06 +00:00
copilot-swe-agent[bot]	3526387d5b	Add comprehensive antivirus false positive documentation Co-authored-by: chipitsine <2217296+chipitsine@users.noreply.github.com>	2025-12-05 18:12:40 +00:00
copilot-swe-agent[bot]	9ad703731a	Initial plan	2025-12-05 18:06:07 +00:00
Ilya Shipitsin	204ab85e51	Merge pull request #2182 from siddharth-narayan/pq-submodule-update Update liboqs and oqs-provider submodules	2025-12-02 10:02:48 +01:00
Siddharth Narayan	2628c562be	Disable unecessary liboqs algorithms	2025-12-02 02:57:15 -06:00
Siddharth Narayan	e9f7089c8b	Update post quantum submodules	2025-12-02 02:05:27 -06:00
Ilya Shipitsin	9be944a9b2	Merge pull request #2180 from jgrasboeck/configurable_dhcp_discover_timout Config value for dhcp discover timeout	2025-11-26 16:27:59 +01:00
Julian Grasböck	137d7f551f	Ensure DHCP resend interval is not to long	2025-11-26 14:57:58 +01:00
Julian Grasböck	d90e89bbbd	Safety fallback to default behaviour	2025-11-26 14:57:23 +01:00
Julian Grasböck	173df872b8	Config value for dhcp discover timeout	2025-11-26 13:56:29 +01:00
Julian Grasböck	4a4c1c79de	openvpn: only send AUTH_FAILED reply on auth errors	2025-11-26 13:53:14 +01:00
Ilya Shipitsin	acbc514b87	Merge pull request #2170 from kanglongwei/branch2 fix: #2166 L3KnownArp, delete entry from the incorrect list	2025-10-28 21:44:25 +01:00
Ilya Shipitsin	d9d78a0b2c	Merge pull request #2171 from chipitsine/master CI: modernize freebsd image	2025-10-25 11:26:11 +02:00
Ilia Shipitsin	1373ed4c6c	CI: modernize freebsd image	2025-10-25 10:08:15 +02:00
Ilya Shipitsin	ffe9ade675	Merge pull request #2169 from kanglongwei/branch1 fix: #2165 memory leak	2025-10-13 14:13:55 +02:00
w00485423	ab245552b1	fix: #2165 memory leak	2025-10-13 20:05:28 +08:00
w00485423	fdcb0a207b	fix: #2166 L3KnownArp, delete entry from the incorrect list	2025-10-10 21:20:30 +08:00
Ilya Shipitsin	564d2f84b4	Merge pull request #2163 from martinetd/disable_oqs Mayaqua build: allow disabling OQS	2025-10-01 11:27:06 +02:00
Dominique Martinet	4bb366572d	Mayaqua build: allow disabling OQS SoftEtherVPN version 5.02.5186 enable post-quantum algorithms, but these come at a large size increase (after strip, on x86_64, with default options as of master): - default options: 9.1M - new -DOQS_ENABLE=OFF: 762K Note it is also possible to disable all the algorithms individually by passing the (243!) options to cmake -DOQS_ENABLE_KEM_BIKE=OFF -DOQS_ENABLE_KEM_FRODOKEM=OFF -DOQS_ENABLE_KEM_NTRUPRIME=OFF ..., in which case the binary goes back to a reasonable size of 830K In the future, it might make sense to add a few settings picking "sensible" algorithms, e.g. allow everything for a server build or only allow the best algorithms for a lightweight client. See: #2148	2025-10-01 18:05:59 +09:00
Ilya Shipitsin	6c04825b46	Merge pull request #2157 from chipitsine/1ce88cea-29e8-466a-88f4-3713e94171d8 docker: smoke test image during generating	2025-09-06 16:31:04 +02:00
Ilia Shipitsin	0ec8a1ed54	docker: smoke test image during generating reference: https://github.com/SoftEtherVPN/SoftetherVPN-docker/issues/17	2025-09-05 21:22:43 +02:00
Ilya Shipitsin	2acefef41e	Merge pull request #2156 from metalefty/fix_cpu_features Proper fix for #2122 #2150	2025-09-05 19:43:42 +02:00
Koichiro Iwao	efb04daa34	Proper fix for #2122 #2150 Bundled cpu_features needs to be built with PIC but SHARED_LIBS should be OFF.	2025-09-05 22:40:18 +09:00
Ilya Shipitsin	c399ce6bbe	Merge pull request #2152 from metalefty/cpu_features_pic Build bundled cpu_features with PIC	2025-08-25 15:36:27 +02:00
Koichiro Iwao	2746e8dd19	Build bundled cpu_features with PIC After updating bundled cpu_features to 0.9.0, set_property() is not effective. We need to use set() instead. Resolves: #2122 #2150	2025-08-25 21:52:15 +09:00