fastd v19

This is mostly a maintenance release with few new features.

New features

  • Add support for OpenSSL 1.1+
  • Allow binding to a fixed random port
    • By specifying port 0 in a bind directive, fastd will bind to a random port that is stable over the whole runtime of the fastd instance. The existing behaviour to use a new random port for each connection is preserved (by not specifying a port at all).

Removed features

  • The secure handshakes option is deprecated and has no effect with fastd v19; the old (pre-v11) insecure handshake scheme is not supported anymore
  • The deprecated xsalsa20-poly1305 method has been removed; salsa20+poly1305 and various faster methods exist since fastd v11
  • As libsodium removed the aes128-ctr cipher, fastd doesn’t support it anymore either (for both libsodium and NaCl). For AES support, fastd must be built with OpenSSL.


  • Fix build with custom CMAKE_MODULE_PATH (as often used by embedded build environments like buildroot
  • Fix build on MacOS 10.12+
  • Fix fast reconnect when changing networks on recent Linux kernels
  • Fix segfault in tun/multitap mode with persist iface no
  • Fix segfault in resolver with musl libc 1.1.20+
  • Fix segfault when failing to create an interface on FreeBSD
  • Do not print local address as a v4-mapped IPv6 address in log messages and script environments for sockets bound to any
  • Fix OpenWrt initscript with multiple instances
  • Fix OpenWrt initscript with multiple interfaces (tun/multitap mode)
  • Fix tap/multitap modes on OpenBSD 5.9+
    • Note: This breaks support for older OpenBSD versions

Other changes

  • Allocation functions were hardened against a number of theoretical integer overflow issues
  • The alternative handshake format introduced in fastd v17 was removed again. The benefit of making endianess of the fastd packet formats more consistent does not outweigh the downsides of creating an incompatible fastd protocol version with a future release.