From 5246174f27866c0e9e22844d998f3c97cac54050 Mon Sep 17 00:00:00 2001
From: Bernhard Schmidt <berni@debian.org>
Date: Wed, 30 Sep 2020 21:10:50 +0200
Subject: New upstream version 2.5~rc2

---
 ChangeLog                                          |  67 +++
 config-msvc.h                                      |   1 +
 configure                                          |  29 +-
 configure.ac                                       |   1 +
 doc/man-sections/advanced-options.rst              |   7 +-
 doc/man-sections/client-options.rst                |  60 +-
 doc/man-sections/generic-options.rst               |   7 +
 doc/man-sections/script-options.rst                |   5 +-
 doc/man-sections/server-options.rst                |  36 +-
 doc/man-sections/vpn-network-options.rst           |   4 +
 doc/openvpn.8                                      | 133 +++--
 doc/openvpn.8.html                                 | 126 +++--
 include/openvpn-plugin.h                           |   2 +-
 sample/Makefile.am                                 |   3 +
 sample/Makefile.in                                 |   4 +
 sample/sample-plugins/Makefile                     | 584 ++++++++++++++++++++
 sample/sample-plugins/Makefile.am                  |  34 ++
 sample/sample-plugins/Makefile.in                  | 584 ++++++++++++++++++++
 sample/sample-plugins/Makefile.plugins             |  37 ++
 sample/sample-plugins/README                       |  43 ++
 sample/sample-plugins/client-connect/README        |  38 ++
 .../client-connect/sample-client-connect.c         | 612 +++++++++++++++++++++
 sample/sample-plugins/defer/README                 |  16 -
 sample/sample-plugins/defer/build                  |  15 -
 sample/sample-plugins/defer/simple.c               |   5 +
 .../keying-material-exporter-demo/build            |  15 -
 .../keyingmaterialexporter.c                       |   6 +
 sample/sample-plugins/log/build                    |  15 -
 sample/sample-plugins/log/log.c                    |   5 +
 sample/sample-plugins/log/log_v3.c                 |   5 +
 sample/sample-plugins/simple/README                |  16 -
 sample/sample-plugins/simple/build                 |  15 -
 sample/sample-plugins/simple/simple.c              |   5 +
 src/compat/PropertySheet.props                     |   2 +-
 src/openvpn/errlevel.h                             |   1 +
 src/openvpn/init.c                                 |  11 +
 src/openvpn/networking_sitnl.c                     |  44 +-
 src/openvpn/openvpn.vcxproj                        |   4 +-
 src/openvpn/options.c                              |   6 +-
 src/openvpn/otime.h                                |   1 +
 src/openvpn/pool.c                                 |  18 +
 src/openvpn/route.c                                |  46 +-
 src/openvpn/socket.c                               |  13 +-
 src/openvpn/socks.c                                |   9 +-
 src/openvpn/tun.c                                  | 231 +++++---
 src/openvpnmsica/dllmain.c                         |   2 +-
 src/openvpnmsica/openvpnmsica.c                    |  16 +-
 src/openvpnserv/interactive.c                      | 141 ++++-
 src/tapctl/main.c                                  |   2 +-
 src/tapctl/tap.c                                   | 242 +++-----
 src/tapctl/tap.h                                   |   6 +-
 tests/t_lpback.sh                                  |   8 +-
 version.m4                                         |   4 +-
 53 files changed, 2850 insertions(+), 492 deletions(-)
 create mode 100644 sample/sample-plugins/Makefile
 create mode 100644 sample/sample-plugins/Makefile.am
 create mode 100644 sample/sample-plugins/Makefile.in
 create mode 100644 sample/sample-plugins/Makefile.plugins
 create mode 100644 sample/sample-plugins/README
 create mode 100644 sample/sample-plugins/client-connect/README
 create mode 100644 sample/sample-plugins/client-connect/sample-client-connect.c
 delete mode 100644 sample/sample-plugins/defer/README
 delete mode 100755 sample/sample-plugins/defer/build
 delete mode 100755 sample/sample-plugins/keying-material-exporter-demo/build
 delete mode 100755 sample/sample-plugins/log/build
 delete mode 100644 sample/sample-plugins/simple/README
 delete mode 100755 sample/sample-plugins/simple/build

diff --git a/ChangeLog b/ChangeLog
index f516b5a..447c374 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,73 @@
 OpenVPN Change Log
 Copyright (C) 2002-2020 OpenVPN Inc <sales@openvpn.net>
 
+2020.09.30 -- Version 2.5_rc2
+
+Lev Stipakov (1):
+      Alias ADAPTER_DOMAIN_SUFFIX to DOMAIN
+
+Selva Nair (2):
+      Set DNS Domain using iservice
+      Improve documentation of --username-as-common-name
+
+Simon Rozman (4):
+      netsh: Specify interfaces by index rather than name
+      netsh: Clear existing IPv6 DNS servers before configuring new ones
+      netsh: Delete WINS servers on TUN close
+      openvpnmsica: Simplify find_adapters() to void return
+
+Vladislav Grishenko (1):
+      Fix update_time() and openvpn_gettimeofday() coexistence
+
+
+2020.09.21 -- Version 2.5_rc1
+
+David Sommerseth (4):
+      man: Add missing --server-ipv6
+      man: Improve --remote entry
+      sample-plugins: Partially autotoolize the sample-plugins build
+      build: Fix make distclean/distcheck
+
+Gert Doering (10):
+      Fix handling of 'route remote_host' for IPv6 transport case.
+      Replace 'echo -n' with 'printf' in tests/t_lpback.sh
+      Fix description of --client-disconnect calling convention in manpage.
+      Handle NULL returns from calloc() in sample plugins.
+      Fix --show-gateway for IPv6 on NetBSD/i386.
+      socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes
+      Fix netbits setting (in TAP mode) for IPv6 on Windows.
+      If IPv6 pool specification sets pool start to ::0 address, increment.
+      Add demo plugin that excercises "CLIENT_CONNECT" and "CLIENT_CONNECT_V2" paths
+      Fix combination of --dev tap and --topology subnet across multiple platforms.
+
+Lev Stipakov (1):
+      msvc: better support for 32bit architecture
+
+Selva Nair (2):
+      Add a remark on dropping privileges when --mlock is used
+      Allow --dhcp-option in config file when windows-driver is wintun
+
+Vladislav Grishenko (1):
+      Fix fatal error at switching remotes (#629)
+
+
+2020.09.10 -- Version 2.5_beta4
+
+Gert Doering (3):
+      Document that --push-remove is generally more suitable than --push-reset
+      Fix error detection / abort in --inetd corner case.
+      Fix TUNSETGROUP compatibility with very old Linux systems.
+
+Lev Stipakov (1):
+      openvpnmsica: make adapter renaming non-fatal
+
+Selva Nair (1):
+      In tap.c use DiInstallDevice to install the driver on a new adapter
+
+Vladislav Grishenko (1):
+      Fix best gateway selection over netlink
+
+
 2020.08.31 -- Version 2.5_beta3
 
 Arne Schwabe (1):
diff --git a/config-msvc.h b/config-msvc.h
index 8ef4897..f199bb2 100644
--- a/config-msvc.h
+++ b/config-msvc.h
@@ -112,6 +112,7 @@
 #define HAVE_EC_GROUP_ORDER_BITS 1
 #define OPENSSL_NO_EC 1
 #define HAVE_EVP_CIPHER_CTX_RESET 1
+#define HAVE_DIINSTALLDEVICE 1
 
 #define PATH_SEPARATOR     '\\'
 #define PATH_SEPARATOR_STR "\\"
diff --git a/configure b/configure
index 2624890..7de5671 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for OpenVPN 2.5_beta3.
+# Generated by GNU Autoconf 2.69 for OpenVPN 2.5_rc2.
 #
 # Report bugs to <openvpn-users@lists.sourceforge.net>.
 #
@@ -590,8 +590,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='OpenVPN'
 PACKAGE_TARNAME='openvpn'
-PACKAGE_VERSION='2.5_beta3'
-PACKAGE_STRING='OpenVPN 2.5_beta3'
+PACKAGE_VERSION='2.5_rc2'
+PACKAGE_STRING='OpenVPN 2.5_rc2'
 PACKAGE_BUGREPORT='openvpn-users@lists.sourceforge.net'
 PACKAGE_URL=''
 
@@ -1466,7 +1466,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures OpenVPN 2.5_beta3 to adapt to many kinds of systems.
+\`configure' configures OpenVPN 2.5_rc2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1536,7 +1536,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of OpenVPN 2.5_beta3:";;
+     short | recursive ) echo "Configuration of OpenVPN 2.5_rc2:";;
    esac
   cat <<\_ACEOF
 
@@ -1749,7 +1749,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-OpenVPN configure 2.5_beta3
+OpenVPN configure 2.5_rc2
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2588,7 +2588,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by OpenVPN $as_me 2.5_beta3, which was
+It was created by OpenVPN $as_me 2.5_rc2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2952,13 +2952,13 @@ if test -z "${htmldir}"; then
 fi
 
 
-$as_echo "#define OPENVPN_VERSION_RESOURCE 2,5,0,3" >>confdefs.h
+$as_echo "#define OPENVPN_VERSION_RESOURCE 2,5,0,6" >>confdefs.h
 
 OPENVPN_VERSION_MAJOR=2
 
 OPENVPN_VERSION_MINOR=5
 
-OPENVPN_VERSION_PATCH=_beta3
+OPENVPN_VERSION_PATCH=_rc2
 
 
 $as_echo "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h
@@ -2967,7 +2967,7 @@ $as_echo "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h
 $as_echo "#define OPENVPN_VERSION_MINOR 5" >>confdefs.h
 
 
-$as_echo "#define OPENVPN_VERSION_PATCH \"_beta3\"" >>confdefs.h
+$as_echo "#define OPENVPN_VERSION_PATCH \"_rc2\"" >>confdefs.h
 
 
 ac_aux_dir=
@@ -3493,7 +3493,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='openvpn'
- VERSION='2.5_beta3'
+ VERSION='2.5_rc2'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -18360,7 +18360,7 @@ TEST_CFLAGS="${TEST_CFLAGS} -I\$(top_srcdir)/include ${CMOCKA_CFLAGS}"
 
 
 
-ac_config_files="$ac_config_files version.sh Makefile build/Makefile build/msvc/Makefile build/msvc/msvc-generate/Makefile distro/Makefile distro/systemd/Makefile doc/Makefile doc/doxygen/Makefile doc/doxygen/openvpn.doxyfile include/Makefile src/Makefile src/compat/Makefile src/openvpn/Makefile src/openvpnmsica/Makefile src/openvpnserv/Makefile src/plugins/Makefile src/plugins/auth-pam/Makefile src/plugins/down-root/Makefile src/tapctl/Makefile tests/Makefile tests/unit_tests/Makefile tests/unit_tests/example_test/Makefile tests/unit_tests/openvpn/Makefile tests/unit_tests/plugins/Makefile tests/unit_tests/plugins/auth-pam/Makefile tests/unit_tests/engine-key/Makefile sample/Makefile"
+ac_config_files="$ac_config_files version.sh Makefile build/Makefile build/msvc/Makefile build/msvc/msvc-generate/Makefile distro/Makefile distro/systemd/Makefile doc/Makefile doc/doxygen/Makefile doc/doxygen/openvpn.doxyfile include/Makefile sample/sample-plugins/Makefile src/Makefile src/compat/Makefile src/openvpn/Makefile src/openvpnmsica/Makefile src/openvpnserv/Makefile src/plugins/Makefile src/plugins/auth-pam/Makefile src/plugins/down-root/Makefile src/tapctl/Makefile tests/Makefile tests/unit_tests/Makefile tests/unit_tests/example_test/Makefile tests/unit_tests/openvpn/Makefile tests/unit_tests/plugins/Makefile tests/unit_tests/plugins/auth-pam/Makefile tests/unit_tests/engine-key/Makefile sample/Makefile"
 
 ac_config_files="$ac_config_files tests/t_client.sh"
 
@@ -18946,7 +18946,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by OpenVPN $as_me 2.5_beta3, which was
+This file was extended by OpenVPN $as_me 2.5_rc2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -19012,7 +19012,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-OpenVPN config.status 2.5_beta3
+OpenVPN config.status 2.5_rc2
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -19515,6 +19515,7 @@ do
     "doc/doxygen/Makefile") CONFIG_FILES="$CONFIG_FILES doc/doxygen/Makefile" ;;
     "doc/doxygen/openvpn.doxyfile") CONFIG_FILES="$CONFIG_FILES doc/doxygen/openvpn.doxyfile" ;;
     "include/Makefile") CONFIG_FILES="$CONFIG_FILES include/Makefile" ;;
+    "sample/sample-plugins/Makefile") CONFIG_FILES="$CONFIG_FILES sample/sample-plugins/Makefile" ;;
     "src/Makefile") CONFIG_FILES="$CONFIG_FILES src/Makefile" ;;
     "src/compat/Makefile") CONFIG_FILES="$CONFIG_FILES src/compat/Makefile" ;;
     "src/openvpn/Makefile") CONFIG_FILES="$CONFIG_FILES src/openvpn/Makefile" ;;
diff --git a/configure.ac b/configure.ac
index f827992..ebb3220 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1433,6 +1433,7 @@ AC_CONFIG_FILES([
 	doc/doxygen/Makefile
 	doc/doxygen/openvpn.doxyfile
 	include/Makefile
+	sample/sample-plugins/Makefile
 	src/Makefile
 	src/compat/Makefile
 	src/openvpn/Makefile
diff --git a/doc/man-sections/advanced-options.rst b/doc/man-sections/advanced-options.rst
index 9b96e40..bedc884 100644
--- a/doc/man-sections/advanced-options.rst
+++ b/doc/man-sections/advanced-options.rst
@@ -11,8 +11,11 @@ Standalone Debug Options
      --show-gateway
      --show-gateway IPv6-target
 
-  If an IPv6 target address is passed as argument, the IPv6 route for this
-  host is reported.
+  For IPv6 this queries the route towards ::/128, or the specified IPv6
+  target address if passed as argument.
+  For IPv4 on Linux, Windows, MacOS and BSD it looks for a 0.0.0.0/0 route.
+  If there are more specific routes, the result will not always be matching
+  the route of the IPv4 packets to the VPN gateway.
 
 
 Advanced Expert Options
diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst
index ec1e3b1..af21fbc 100644
--- a/doc/man-sections/client-options.rst
+++ b/doc/man-sections/client-options.rst
@@ -244,43 +244,51 @@ configuration.
   use :code:`ignore`.
 
 --remote args
-  Remote host name or IP address.  It supports two additional optional
-  arguments: ``port`` and ``proto``.  On the client, multiple ``--remote``
-  options may be specified for redundancy, each referring to a different
-  OpenVPN server. Specifying multiple ``--remote`` options for this
-  purpose is a special case of the more general connection-profile
-  feature. See the ``<connection>`` documentation below.
+  Remote host name or IP address, port and protocol.
 
-  The OpenVPN client will try to connect to a server at ``host:port`` in
-  the order specified by the list of ``--remote`` options.
-
-  Examples:
+  Valid syntaxes:
   ::
 
-     remote server.example.net
-     remote server.example.net 1194
-     remote server.example.net tcp
+     remote host
+     remote host port
+     remote host port proto
 
-  ``proto`` indicates the protocol to use when connecting with the remote,
-  and may be :code:`tcp` or :code:`udp`.
+  The ``port`` and ``proto`` arguments are optional. The OpenVPN client
+  will try to connect to a server at ``host:port``.  The ``proto`` argument
+  indicates the protocol to use when connecting with the remote, and may be
+  :code:`tcp` or :code:`udp`.  To enforce IPv4 or IPv6 connections add a
+  :code:`4` or :code:`6` suffix; like :code:`udp4` / :code:`udp6`
+  / :code:`tcp4` / :code:`tcp6`.
 
-  For forcing IPv4 or IPv6 connection suffix tcp or udp with 4/6 like
-  udp4/udp6/tcp4/tcp6.
+  On the client, multiple ``--remote`` options may be specified for
+  redundancy, each referring to a different OpenVPN server, in the order
+  specified by the list of ``--remote`` options. Specifying multiple
+  ``--remote`` options for this purpose is a special case of the more
+  general connection-profile feature. See the ``<connection>``
+  documentation below.
 
   The client will move on to the next host in the list, in the event of
   connection failure. Note that at any given time, the OpenVPN client will
   at most be connected to one server.
 
-  Note that since UDP is connectionless, connection failure is defined by
-  the ``--ping`` and ``--ping-restart`` options.
+  Examples:
+  ::
 
-  Note the following corner case: If you use multiple ``--remote``
-  options, AND you are dropping root privileges on the client with
-  ``--user`` and/or ``--group`` AND the client is running a non-Windows
-  OS, if the client needs to switch to a different server, and that server
-  pushes back different TUN/TAP or route settings, the client may lack the
-  necessary privileges to close and reopen the TUN/TAP interface. This
-  could cause the client to exit with a fatal error.
+     remote server1.example.net
+     remote server1.example.net 1194
+     remote server2.example.net 1194 tcp
+
+  *Note:*
+     Since UDP is connectionless, connection failure is defined by
+     the ``--ping`` and ``--ping-restart`` options.
+
+     Also, if you use multiple ``--remote`` options, AND you are dropping
+     root privileges on the client with ``--user`` and/or ``--group`` AND
+     the client is running a non-Windows OS, if the client needs to switch
+     to a different server, and that server pushes back different TUN/TAP
+     or route settings, the client may lack the necessary privileges to
+     close and reopen the TUN/TAP interface. This could cause the client
+     to exit with a fatal error.
 
   If ``--remote`` is unspecified, OpenVPN will listen for packets from any
   IP address, but will not act on those packets unless they pass all
diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst
index a07fe7e..d5f0883 100644
--- a/doc/man-sections/generic-options.rst
+++ b/doc/man-sections/generic-options.rst
@@ -230,6 +230,13 @@ which mode OpenVPN is configured as.
   The downside of using ``--mlock`` is that it will reduce the amount of
   physical memory available to other applications.
 
+  The limit on how much memory can be locked and how that limit
+  is enforced are OS-dependent. On Linux the default limit that an
+  unprivileged process may lock (RLIMIT_MEMLOCK) is low, and if
+  privileges are dropped later, future memory allocations will very
+  likely fail. The limit can be increased using ulimit or systemd
+  directives depending on how OpenVPN is started.
+
 --nice n
   Change process priority after initialization (``n`` greater than 0 is
   lower priority, ``n`` less than zero is higher priority).
diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst
index b4bbf52..a4df673 100644
--- a/doc/man-sections/script-options.rst
+++ b/doc/man-sections/script-options.rst
@@ -157,9 +157,8 @@ SCRIPT HOOKS
   where some of the related client-connect functions returned an error
   status.
 
-  The ``--client-disconnect`` command is passed the same pathname as the
-  corresponding ``--client-connect`` command as its last argument (after
-  any arguments specified in ``cmd``).
+  The ``--client-disconnect`` command is not passed any extra arguments
+  (only those arguments specified in cmd, if any).
 
 --down cmd
   Run command ``cmd`` after TUN/TAP device close (post ``--user`` UID
diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst
index f1f0667..5a68945 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -204,7 +204,8 @@ fast hardware. SSL/TLS authentication must be used in this mode.
      ifconfig-ipv6-pool ipv6addr/bits
 
   The pool starts at ``ipv6addr`` and matches the offset determined from
-  the start of the IPv4 pool.
+  the start of the IPv4 pool.  If the host part of the given IPv6
+  address is ``0``, the pool starts at ``ipv6addr`` +1.
 
 --ifconfig-pool-persist args
   Persist/unpersist ifconfig-pool data to ``file``, at ``seconds``
@@ -530,6 +531,14 @@ fast hardware. SSL/TLS authentication must be used in this mode.
   ``--client-config-dir`` configuration file. This option will ignore
   ``--push`` options at the global config file level.
 
+  *NOTE*: ``--push-reset`` is very thorough: it will remove almost
+  all options from the list of to-be-pushed options.  In many cases,
+  some of these options will need to be re-configured afterwards -
+  specifically, ``--topology subnet`` and ``--route-gateway`` will get
+  lost and this will break client configs in many cases.  Thus, for most
+  purposes, ``--push-remove`` is better suited to selectively remove
+  push options for individual clients.
+
 --server args
   A helper directive designed to simplify the configuration of OpenVPN's
   server mode. This directive will set up an OpenVPN server which will
@@ -631,6 +640,19 @@ fast hardware. SSL/TLS authentication must be used in this mode.
     mode server
     tls-server
 
+--server-ipv6 args
+  Convenience-function to enable a number of IPv6 related options at once,
+  namely ``--ifconfig-ipv6``, ``--ifconfig-ipv6-pool`` and
+  ``--push tun-ipv6``.
+
+  Valid syntax:
+  ::
+
+     server-ipv6 ipv6addr/bits
+
+  Pushing of the ``--tun-ipv6`` directive is done for older clients which
+  require an explicit ``--tun-ipv6`` in their configuration.
+
 --stale-routes-check args
   Remove routes which haven't had activity for ``n`` seconds (i.e. the ageing
   time).  This check is run every ``t`` seconds (i.e. check interval).
@@ -646,9 +668,15 @@ fast hardware. SSL/TLS authentication must be used in this mode.
   ``--max-routes-per-client``
 
 --username-as-common-name
-  For ``--auth-user-pass-verify`` authentication, use the authenticated
-  username as the common name, rather than the common name from the client
-  cert.
+  Use the authenticated username as the common-name, rather than the
+  common-name from the client certificate. Requires that some form of
+  ``--auth-user-pass`` verification is in effect. As the replacement happens
+  after ``--auth-user-pass`` verification, the verification script or
+  plugin will still receive the common-name from the certificate.
+
+  The common_name environment variable passed to scripts and plugins invoked
+  after authentication (e.g, client-connect script) and file names parsed in
+  client-config directory will match the username.
 
 --verify-client-cert mode
   Specify whether the client is required to supply a valid certificate.
diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst
index 825dd1c..2668278 100644
--- a/doc/man-sections/vpn-network-options.rst
+++ b/doc/man-sections/vpn-network-options.rst
@@ -114,6 +114,10 @@ routing.
   :code:`DOMAIN` ``name``
         Set Connection-specific DNS Suffix to :code:`name`.
 
+  :code:`ADAPTER_DOMAIN_SUFFIX` ``name``
+        Alias to :code:`DOMAIN`. This is a compatibility option, it
+        should not be used in new deployments.
+
   :code:`DOMAIN-SEARCH` ``name``
         Add :code:`name` to the domain search list.
         Repeat this option to add more entries. Up to
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index b914f32..5056e03 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -343,6 +343,13 @@ below), then are discarded.
 .sp
 The downside of using \fB\-\-mlock\fP is that it will reduce the amount of
 physical memory available to other applications.
+.sp
+The limit on how much memory can be locked and how that limit
+is enforced are OS\-dependent. On Linux the default limit that an
+unprivileged process may lock (RLIMIT_MEMLOCK) is low, and if
+privileges are dropped later, future memory allocations will very
+likely fail. The limit can be increased using ulimit or systemd
+directives depending on how OpenVPN is started.
 .TP
 .BI \-\-nice \ n
 Change process priority after initialization (\fBn\fP greater than 0 is
@@ -1268,50 +1275,67 @@ next remote succeeds. To silently ignore an option pushed by the server,
 use \fBignore\fP\&.
 .TP
 .BI \-\-remote \ args
-Remote host name or IP address.  It supports two additional optional
-arguments: \fBport\fP and \fBproto\fP\&.  On the client, multiple \fB\-\-remote\fP
-options may be specified for redundancy, each referring to a different
-OpenVPN server. Specifying multiple \fB\-\-remote\fP options for this
-purpose is a special case of the more general connection\-profile
-feature. See the \fB<connection>\fP documentation below.
-.sp
-The OpenVPN client will try to connect to a server at \fBhost:port\fP in
-the order specified by the list of \fB\-\-remote\fP options.
+Remote host name or IP address, port and protocol.
 .sp
-Examples:
+Valid syntaxes:
 .INDENT 7.0
 .INDENT 3.5
 .sp
 .nf
 .ft C
-remote server.example.net
-remote server.example.net 1194
-remote server.example.net tcp
+remote host
+remote host port
+remote host port proto
 .ft P
 .fi
 .UNINDENT
 .UNINDENT
 .sp
-\fBproto\fP indicates the protocol to use when connecting with the remote,
-and may be \fBtcp\fP or \fBudp\fP\&.
+The \fBport\fP and \fBproto\fP arguments are optional. The OpenVPN client
+will try to connect to a server at \fBhost:port\fP\&.  The \fBproto\fP argument
+indicates the protocol to use when connecting with the remote, and may be
+\fBtcp\fP or \fBudp\fP\&.  To enforce IPv4 or IPv6 connections add a
+\fB4\fP or \fB6\fP suffix; like \fBudp4\fP / \fBudp6\fP
+/ \fBtcp4\fP / \fBtcp6\fP\&.
 .sp
-For forcing IPv4 or IPv6 connection suffix tcp or udp with 4/6 like
-udp4/udp6/tcp4/tcp6.
+On the client, multiple \fB\-\-remote\fP options may be specified for
+redundancy, each referring to a different OpenVPN server, in the order
+specified by the list of \fB\-\-remote\fP options. Specifying multiple
+\fB\-\-remote\fP options for this purpose is a special case of the more
+general connection\-profile feature. See the \fB<connection>\fP
+documentation below.
 .sp
 The client will move on to the next host in the list, in the event of
 connection failure. Note that at any given time, the OpenVPN client will
 at most be connected to one server.
 .sp
-Note that since UDP is connectionless, connection failure is defined by
+Examples:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+remote server1.example.net
+remote server1.example.net 1194
+remote server2.example.net 1194 tcp
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.INDENT 7.0
+.TP
+.B \fINote:\fP
+Since UDP is connectionless, connection failure is defined by
 the \fB\-\-ping\fP and \fB\-\-ping\-restart\fP options.
 .sp
-Note the following corner case: If you use multiple \fB\-\-remote\fP
-options, AND you are dropping root privileges on the client with
-\fB\-\-user\fP and/or \fB\-\-group\fP AND the client is running a non\-Windows
-OS, if the client needs to switch to a different server, and that server
-pushes back different TUN/TAP or route settings, the client may lack the
-necessary privileges to close and reopen the TUN/TAP interface. This
-could cause the client to exit with a fatal error.
+Also, if you use multiple \fB\-\-remote\fP options, AND you are dropping
+root privileges on the client with \fB\-\-user\fP and/or \fB\-\-group\fP AND
+the client is running a non\-Windows OS, if the client needs to switch
+to a different server, and that server pushes back different TUN/TAP
+or route settings, the client may lack the necessary privileges to
+close and reopen the TUN/TAP interface. This could cause the client
+to exit with a fatal error.
+.UNINDENT
 .sp
 If \fB\-\-remote\fP is unspecified, OpenVPN will listen for packets from any
 IP address, but will not act on those packets unless they pass all
@@ -1709,7 +1733,8 @@ ifconfig\-ipv6\-pool ipv6addr/bits
 .UNINDENT
 .sp
 The pool starts at \fBipv6addr\fP and matches the offset determined from
-the start of the IPv4 pool.
+the start of the IPv4 pool.  If the host part of the given IPv6
+address is \fB0\fP, the pool starts at \fBipv6addr\fP +1.
 .TP
 .BI \-\-ifconfig\-pool\-persist \ args
 Persist/unpersist ifconfig\-pool data to \fBfile\fP, at \fBseconds\fP
@@ -2098,6 +2123,14 @@ Don\(aqt inherit the global push list for a specific client instance.
 Specify this option in a client\-specific context such as with a
 \fB\-\-client\-config\-dir\fP configuration file. This option will ignore
 \fB\-\-push\fP options at the global config file level.
+.sp
+\fINOTE\fP: \fB\-\-push\-reset\fP is very thorough: it will remove almost
+all options from the list of to\-be\-pushed options.  In many cases,
+some of these options will need to be re\-configured afterwards \-
+specifically, \fB\-\-topology subnet\fP and \fB\-\-route\-gateway\fP will get
+lost and this will break client configs in many cases.  Thus, for most
+purposes, \fB\-\-push\-remove\fP is better suited to selectively remove
+push options for individual clients.
 .TP
 .BI \-\-server \ args
 A helper directive designed to simplify the configuration of OpenVPN\(aqs
@@ -2242,6 +2275,26 @@ tls\-server
 .UNINDENT
 .UNINDENT
 .TP
+.BI \-\-server\-ipv6 \ args
+Convenience\-function to enable a number of IPv6 related options at once,
+namely \fB\-\-ifconfig\-ipv6\fP, \fB\-\-ifconfig\-ipv6\-pool\fP and
+\fB\-\-push tun\-ipv6\fP\&.
+.sp
+Valid syntax:
+.INDENT 7.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+server\-ipv6 ipv6addr/bits
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+Pushing of the \fB\-\-tun\-ipv6\fP directive is done for older clients which
+require an explicit \fB\-\-tun\-ipv6\fP in their configuration.
+.TP
 .BI \-\-stale\-routes\-check \ args
 Remove routes which haven\(aqt had activity for \fBn\fP seconds (i.e. the ageing
 time).  This check is run every \fBt\fP seconds (i.e. check interval).
@@ -2264,9 +2317,15 @@ This option helps to keep the dynamic routing table small. See also
 \fB\-\-max\-routes\-per\-client\fP
 .TP
 .B \-\-username\-as\-common\-name
-For \fB\-\-auth\-user\-pass\-verify\fP authentication, use the authenticated
-username as the common name, rather than the common name from the client
-cert.
+Use the authenticated username as the common\-name, rather than the
+common\-name from the client certificate. Requires that some form of
+\fB\-\-auth\-user\-pass\fP verification is in effect. As the replacement happens
+after \fB\-\-auth\-user\-pass\fP verification, the verification script or
+plugin will still receive the common\-name from the certificate.
+.sp
+The common_name environment variable passed to scripts and plugins invoked
+after authentication (e.g, client\-connect script) and file names parsed in
+client\-config directory will match the username.
 .TP
 .BI \-\-verify\-client\-cert \ mode
 Specify whether the client is required to supply a valid certificate.
@@ -4271,6 +4330,10 @@ dhcp\-options type [parm]
 .B \fBDOMAIN\fP \fBname\fP
 Set Connection\-specific DNS Suffix to \fBname\fP\&.
 .TP
+.B \fBADAPTER_DOMAIN_SUFFIX\fP \fBname\fP
+Alias to \fBDOMAIN\fP\&. This is a compatibility option, it
+should not be used in new deployments.
+.TP
 .B \fBDOMAIN\-SEARCH\fP \fBname\fP
 Add \fBname\fP to the domain search list.
 Repeat this option to add more entries. Up to
@@ -5020,9 +5083,8 @@ plugins will be called on client instance object deletion, even in cases
 where some of the related client\-connect functions returned an error
 status.
 .sp
-The \fB\-\-client\-disconnect\fP command is passed the same pathname as the
-corresponding \fB\-\-client\-connect\fP command as its last argument (after
-any arguments specified in \fBcmd\fP).
+The \fB\-\-client\-disconnect\fP command is not passed any extra arguments
+(only those arguments specified in cmd, if any).
 .TP
 .BI \-\-down \ cmd
 Run command \fBcmd\fP after TUN/TAP device close (post \fB\-\-user\fP UID
@@ -6283,8 +6345,11 @@ Valid syntax:
 .UNINDENT
 .UNINDENT
 .sp
-If an IPv6 target address is passed as argument, the IPv6 route for this
-host is reported.
+For IPv6 this queries the route towards ::/128, or the specified IPv6
+target address if passed as argument.
+For IPv4 on Linux, Windows, MacOS and BSD it looks for a 0.0.0.0/0 route.
+If there are more specific routes, the result will not always be matching
+the route of the IPv4 packets to the VPN gateway.
 .UNINDENT
 .SS Advanced Expert Options
 .sp
diff --git a/doc/openvpn.8.html b/doc/openvpn.8.html
index d6b2719..f5d6f26 100644
--- a/doc/openvpn.8.html
+++ b/doc/openvpn.8.html
@@ -3,7 +3,7 @@
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-<meta name="generator" content="Docutils 0.14: http://docutils.sourceforge.net/" />
+<meta name="generator" content="Docutils 0.15.2: http://docutils.sourceforge.net/" />
 <title>openvpn</title>
 <style type="text/css">
 
@@ -634,8 +634,14 @@ was able to crack the box running OpenVPN, he would not be able to scan
 the system swap file to recover previously used ephemeral keys, which
 are used for a period of time governed by the <tt class="docutils literal"><span class="pre">--reneg</span></tt> options (see
 below), then are discarded.</p>
-<p class="last">The downside of using <tt class="docutils literal"><span class="pre">--mlock</span></tt> is that it will reduce the amount of
+<p>The downside of using <tt class="docutils literal"><span class="pre">--mlock</span></tt> is that it will reduce the amount of
 physical memory available to other applications.</p>
+<p class="last">The limit on how much memory can be locked and how that limit
+is enforced are OS-dependent. On Linux the default limit that an
+unprivileged process may lock (RLIMIT_MEMLOCK) is low, and if
+privileges are dropped later, future memory allocations will very
+likely fail. The limit can be increased using ulimit or systemd
+directives depending on how OpenVPN is started.</p>
 </td></tr>
 <tr><td class="option-group">
 <kbd><span class="option">--nice <var>n</var></span></kbd></td>
@@ -1423,36 +1429,47 @@ use <code>ignore</code>.</p>
 </td></tr>
 <tr><td class="option-group">
 <kbd><span class="option">--remote <var>args</var></span></kbd></td>
-<td><p class="first">Remote host name or IP address.  It supports two additional optional
-arguments: <tt class="docutils literal">port</tt> and <tt class="docutils literal">proto</tt>.  On the client, multiple <tt class="docutils literal"><span class="pre">--remote</span></tt>
-options may be specified for redundancy, each referring to a different
-OpenVPN server. Specifying multiple <tt class="docutils literal"><span class="pre">--remote</span></tt> options for this
-purpose is a special case of the more general connection-profile
-feature. See the <tt class="docutils literal">&lt;connection&gt;</tt> documentation below.</p>
-<p>The OpenVPN client will try to connect to a server at <tt class="docutils literal">host:port</tt> in
-the order specified by the list of <tt class="docutils literal"><span class="pre">--remote</span></tt> options.</p>
-<p>Examples:</p>
+<td><p class="first">Remote host name or IP address, port and protocol.</p>
+<p>Valid syntaxes:</p>
 <pre class="literal-block">
-remote server.example.net
-remote server.example.net 1194
-remote server.example.net tcp
-</pre>
-<p><tt class="docutils literal">proto</tt> indicates the protocol to use when connecting with the remote,
-and may be <code>tcp</code> or <code>udp</code>.</p>
-<p>For forcing IPv4 or IPv6 connection suffix tcp or udp with 4/6 like
-udp4/udp6/tcp4/tcp6.</p>
+remote host
+remote host port
+remote host port proto
+</pre>
+<p>The <tt class="docutils literal">port</tt> and <tt class="docutils literal">proto</tt> arguments are optional. The OpenVPN client
+will try to connect to a server at <tt class="docutils literal">host:port</tt>.  The <tt class="docutils literal">proto</tt> argument
+indicates the protocol to use when connecting with the remote, and may be
+<code>tcp</code> or <code>udp</code>.  To enforce IPv4 or IPv6 connections add a
+<code>4</code> or <code>6</code> suffix; like <code>udp4</code> / <code>udp6</code>
+/ <code>tcp4</code> / <code>tcp6</code>.</p>
+<p>On the client, multiple <tt class="docutils literal"><span class="pre">--remote</span></tt> options may be specified for
+redundancy, each referring to a different OpenVPN server, in the order
+specified by the list of <tt class="docutils literal"><span class="pre">--remote</span></tt> options. Specifying multiple
+<tt class="docutils literal"><span class="pre">--remote</span></tt> options for this purpose is a special case of the more
+general connection-profile feature. See the <tt class="docutils literal">&lt;connection&gt;</tt>
+documentation below.</p>
 <p>The client will move on to the next host in the list, in the event of
 connection failure. Note that at any given time, the OpenVPN client will
 at most be connected to one server.</p>
-<p>Note that since UDP is connectionless, connection failure is defined by
+<p>Examples:</p>
+<pre class="literal-block">
+remote server1.example.net
+remote server1.example.net 1194
+remote server2.example.net 1194 tcp
+</pre>
+<dl class="docutils">
+<dt><em>Note:</em></dt>
+<dd><p class="first">Since UDP is connectionless, connection failure is defined by
 the <tt class="docutils literal"><span class="pre">--ping</span></tt> and <tt class="docutils literal"><span class="pre">--ping-restart</span></tt> options.</p>
-<p>Note the following corner case: If you use multiple <tt class="docutils literal"><span class="pre">--remote</span></tt>
-options, AND you are dropping root privileges on the client with
-<tt class="docutils literal"><span class="pre">--user</span></tt> and/or <tt class="docutils literal"><span class="pre">--group</span></tt> AND the client is running a non-Windows
-OS, if the client needs to switch to a different server, and that server
-pushes back different TUN/TAP or route settings, the client may lack the
-necessary privileges to close and reopen the TUN/TAP interface. This
-could cause the client to exit with a fatal error.</p>
+<p class="last">Also, if you use multiple <tt class="docutils literal"><span class="pre">--remote</span></tt> options, AND you are dropping
+root privileges on the client with <tt class="docutils literal"><span class="pre">--user</span></tt> and/or <tt class="docutils literal"><span class="pre">--group</span></tt> AND
+the client is running a non-Windows OS, if the client needs to switch
+to a different server, and that server pushes back different TUN/TAP
+or route settings, the client may lack the necessary privileges to
+close and reopen the TUN/TAP interface. This could cause the client
+to exit with a fatal error.</p>
+</dd>
+</dl>
 <p>If <tt class="docutils literal"><span class="pre">--remote</span></tt> is unspecified, OpenVPN will listen for packets from any
 IP address, but will not act on those packets unless they pass all
 authentication tests. This requirement for authentication is binding on
@@ -1794,7 +1811,8 @@ optional <tt class="docutils literal">netmask</tt> parameter will also be pushed
 ifconfig-ipv6-pool ipv6addr/bits
 </pre>
 <p class="last">The pool starts at <tt class="docutils literal">ipv6addr</tt> and matches the offset determined from
-the start of the IPv4 pool.</p>
+the start of the IPv4 pool.  If the host part of the given IPv6
+address is <tt class="docutils literal">0</tt>, the pool starts at <tt class="docutils literal">ipv6addr</tt> +1.</p>
 </td></tr>
 <tr><td class="option-group" colspan="2">
 <kbd><span class="option">--ifconfig-pool-persist <var>args</var></span></kbd></td>
@@ -2102,10 +2120,18 @@ the IPv4/IPv6 address argument is possible.</p>
 </td></tr>
 <tr><td class="option-group">
 <kbd><span class="option">--push-reset</span></kbd></td>
-<td>Don't inherit the global push list for a specific client instance.
+<td><p class="first">Don't inherit the global push list for a specific client instance.
 Specify this option in a client-specific context such as with a
 <tt class="docutils literal"><span class="pre">--client-config-dir</span></tt> configuration file. This option will ignore
-<tt class="docutils literal"><span class="pre">--push</span></tt> options at the global config file level.</td></tr>
+<tt class="docutils literal"><span class="pre">--push</span></tt> options at the global config file level.</p>
+<p class="last"><em>NOTE</em>: <tt class="docutils literal"><span class="pre">--push-reset</span></tt> is very thorough: it will remove almost
+all options from the list of to-be-pushed options.  In many cases,
+some of these options will need to be re-configured afterwards -
+specifically, <tt class="docutils literal"><span class="pre">--topology</span> subnet</tt> and <tt class="docutils literal"><span class="pre">--route-gateway</span></tt> will get
+lost and this will break client configs in many cases.  Thus, for most
+purposes, <tt class="docutils literal"><span class="pre">--push-remove</span></tt> is better suited to selectively remove
+push options for individual clients.</p>
+</td></tr>
 <tr><td class="option-group">
 <kbd><span class="option">--server <var>args</var></span></kbd></td>
 <td><p class="first">A helper directive designed to simplify the configuration of OpenVPN's
@@ -2200,6 +2226,19 @@ tls-server
 </pre>
 </td></tr>
 <tr><td class="option-group" colspan="2">
+<kbd><span class="option">--server-ipv6 <var>args</var></span></kbd></td>
+</tr>
+<tr><td>&nbsp;</td><td><p class="first">Convenience-function to enable a number of IPv6 related options at once,
+namely <tt class="docutils literal"><span class="pre">--ifconfig-ipv6</span></tt>, <tt class="docutils literal"><span class="pre">--ifconfig-ipv6-pool</span></tt> and
+<tt class="docutils literal"><span class="pre">--push</span> <span class="pre">tun-ipv6</span></tt>.</p>
+<p>Valid syntax:</p>
+<pre class="literal-block">
+server-ipv6 ipv6addr/bits
+</pre>
+<p class="last">Pushing of the <tt class="docutils literal"><span class="pre">--tun-ipv6</span></tt> directive is done for older clients which
+require an explicit <tt class="docutils literal"><span class="pre">--tun-ipv6</span></tt> in their configuration.</p>
+</td></tr>
+<tr><td class="option-group" colspan="2">
 <kbd><span class="option">--stale-routes-check <var>args</var></span></kbd></td>
 </tr>
 <tr><td>&nbsp;</td><td><p class="first">Remove routes which haven't had activity for <tt class="docutils literal">n</tt> seconds (i.e. the ageing
@@ -2215,9 +2254,15 @@ stale-routes-check n [t]
 <tr><td class="option-group" colspan="2">
 <kbd><span class="option">--username-as-common-name</span></kbd></td>
 </tr>
-<tr><td>&nbsp;</td><td>For <tt class="docutils literal"><span class="pre">--auth-user-pass-verify</span></tt> authentication, use the authenticated
-username as the common name, rather than the common name from the client
-cert.</td></tr>
+<tr><td>&nbsp;</td><td><p class="first">Use the authenticated username as the common-name, rather than the
+common-name from the client certificate. Requires that some form of
+<tt class="docutils literal"><span class="pre">--auth-user-pass</span></tt> verification is in effect. As the replacement happens
+after <tt class="docutils literal"><span class="pre">--auth-user-pass</span></tt> verification, the verification script or
+plugin will still receive the common-name from the certificate.</p>
+<p class="last">The common_name environment variable passed to scripts and plugins invoked
+after authentication (e.g, client-connect script) and file names parsed in
+client-config directory will match the username.</p>
+</td></tr>
 <tr><td class="option-group" colspan="2">
 <kbd><span class="option">--verify-client-cert <var>mode</var></span></kbd></td>
 </tr>
@@ -3830,6 +3875,9 @@ dhcp-options type [parm]
 <dl class="last docutils">
 <dt><code>DOMAIN</code> <tt class="docutils literal">name</tt></dt>
 <dd>Set Connection-specific DNS Suffix to <code>name</code>.</dd>
+<dt><code>ADAPTER_DOMAIN_SUFFIX</code> <tt class="docutils literal">name</tt></dt>
+<dd>Alias to <code>DOMAIN</code>. This is a compatibility option, it
+should not be used in new deployments.</dd>
 <dt><code>DOMAIN-SEARCH</code> <tt class="docutils literal">name</tt></dt>
 <dd>Add <code>name</code> to the domain search list.
 Repeat this option to add more entries. Up to
@@ -4449,9 +4497,8 @@ succeeded, then ALL of the client-disconnect functions for scripts and
 plugins will be called on client instance object deletion, even in cases
 where some of the related client-connect functions returned an error
 status.</p>
-<p class="last">The <tt class="docutils literal"><span class="pre">--client-disconnect</span></tt> command is passed the same pathname as the
-corresponding <tt class="docutils literal"><span class="pre">--client-connect</span></tt> command as its last argument (after
-any arguments specified in <tt class="docutils literal">cmd</tt>).</p>
+<p class="last">The <tt class="docutils literal"><span class="pre">--client-disconnect</span></tt> command is not passed any extra arguments
+(only those arguments specified in cmd, if any).</p>
 </td></tr>
 <tr><td class="option-group">
 <kbd><span class="option">--down <var>cmd</var></span></kbd></td>
@@ -5508,8 +5555,11 @@ towards the gateway (if the protocol in question is enabled).</p>
 --show-gateway
 --show-gateway IPv6-target
 </pre>
-<p class="last">If an IPv6 target address is passed as argument, the IPv6 route for this
-host is reported.</p>
+<p class="last">For IPv6 this queries the route towards ::/128, or the specified IPv6
+target address if passed as argument.
+For IPv4 on Linux, Windows, MacOS and BSD it looks for a 0.0.0.0/0 route.
+If there are more specific routes, the result will not always be matching
+the route of the IPv4 packets to the VPN gateway.</p>
 </td></tr>
 </tbody>
 </table>
diff --git a/include/openvpn-plugin.h b/include/openvpn-plugin.h
index e20f463..57755bd 100644
--- a/include/openvpn-plugin.h
+++ b/include/openvpn-plugin.h
@@ -53,7 +53,7 @@ extern "C" {
  */
 #define OPENVPN_VERSION_MAJOR 2
 #define OPENVPN_VERSION_MINOR 5
-#define OPENVPN_VERSION_PATCH "_beta3"
+#define OPENVPN_VERSION_PATCH "_rc2"
 
 /*
  * Plug-in types.  These types correspond to the set of script callbacks
diff --git a/sample/Makefile.am b/sample/Makefile.am
index 3be698e..46d113a 100644
--- a/sample/Makefile.am
+++ b/sample/Makefile.am
@@ -12,6 +12,9 @@
 MAINTAINERCLEANFILES = \
 	$(srcdir)/Makefile.in
 
+DISTCLEANFILES = \
+       $(builddir)/sample-plugins/Makefile
+
 EXTRA_DIST = \
 	sample-plugins \
 	sample-config-files \
diff --git a/sample/Makefile.in b/sample/Makefile.in
index 779f27e..74a2e1f 100644
--- a/sample/Makefile.in
+++ b/sample/Makefile.in
@@ -351,6 +351,9 @@ top_srcdir = @top_srcdir@
 MAINTAINERCLEANFILES = \
 	$(srcdir)/Makefile.in
 
+DISTCLEANFILES = \
+       $(builddir)/sample-plugins/Makefile
+
 EXTRA_DIST = \
 	sample-plugins \
 	sample-config-files \
@@ -495,6 +498,7 @@ clean-generic:
 distclean-generic:
 	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
 	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-test -z "$(DISTCLEANFILES)" || rm -f $(DISTCLEANFILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
diff --git a/sample/sample-plugins/Makefile b/sample/sample-plugins/Makefile
new file mode 100644
index 0000000..9967d2f
--- /dev/null
+++ b/sample/sample-plugins/Makefile
@@ -0,0 +1,584 @@
+# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# sample/sample-plugins/Makefile.  Generated from Makefile.in by configure.
+
+# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+
+
+#
+#  OpenVPN -- An application to securely tunnel IP networks
+#             over a single UDP port, with support for SSL/TLS-based
+#             session authentication and key exchange,
+#             packet encryption, packet authentication, and
+#             packet compression.
+#
+#  Copyright (C) 2002-2020 OpenVPN Inc <sales@openvpn.net>
+#
+
+#  SPDX-License-Identifier: GPL-2.0-only
+#
+#  Copyright (C) 2020 OpenVPN Inc <sales@openvpn.net>
+#
+
+am__is_gnu_make = { \
+  if test -z '$(MAKELEVEL)'; then \
+    false; \
+  elif test -n '$(MAKE_HOST)'; then \
+    true; \
+  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+    true; \
+  else \
+    false; \
+  fi; \
+}
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/openvpn
+pkgincludedir = $(includedir)/openvpn
+pkglibdir = $(libdir)/openvpn
+pkglibexecdir = $(libexecdir)/openvpn
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = x86_64-pc-linux-gnu
+host_triplet = x86_64-pc-linux-gnu
+subdir = sample/sample-plugins
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
+	$(top_srcdir)/m4/ax_socklen_t.m4 \
+	$(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \
+	$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
+	$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
+	$(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \
+	$(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h \
+	$(top_builddir)/include/openvpn-plugin.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+AM_V_P = $(am__v_P_$(V))
+am__v_P_ = $(am__v_P_$(AM_DEFAULT_VERBOSITY))
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_$(V))
+am__v_GEN_ = $(am__v_GEN_$(AM_DEFAULT_VERBOSITY))
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_$(V))
+am__v_at_ = $(am__v_at_$(AM_DEFAULT_VERBOSITY))
+am__v_at_0 = @
+am__v_at_1 = 
+SOURCES =
+DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.plugins \
+	README
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = ${SHELL} /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn/missing aclocal-1.16
+AMTAR = $${TAR-tar}
+AM_DEFAULT_VERBOSITY = 1
+AR = ar
+AS = as
+AUTOCONF = ${SHELL} /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn/missing autoconf
+AUTOHEADER = ${SHELL} /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn/missing autoheader
+AUTOMAKE = ${SHELL} /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn/missing automake-1.16
+AWK = gawk
+CC = gcc
+CCDEPMODE = depmode=gcc3
+CFLAGS = -Wall -Wno-unused-parameter -Wno-unused-function -Wno-stringop-truncation -g -O2 -std=c99
+CMOCKA_CFLAGS = 
+CMOCKA_LIBS = 
+CPP = gcc -E
+CPPFLAGS = 
+CYGPATH_W = echo
+DEFS = -DHAVE_CONFIG_H
+DEPDIR = .deps
+DLLTOOL = false
+DL_LIBS = -ldl
+DSYMUTIL = 
+DUMPBIN = 
+ECHO_C = 
+ECHO_N = -n
+ECHO_T = 
+EGREP = /usr/bin/grep -E
+ENABLE_UNITTESTS = 
+EXEEXT = 
+FGREP = /usr/bin/grep -F
+GIT = git
+GREP = /usr/bin/grep
+IFCONFIG = /usr/sbin/ifconfig
+INSTALL = /usr/bin/install -c
+INSTALL_DATA = ${INSTALL} -m 644
+INSTALL_PROGRAM = ${INSTALL}
+INSTALL_SCRIPT = ${INSTALL}
+INSTALL_STRIP_PROGRAM = $(install_sh) -c -s
+IPROUTE = /usr/sbin/ip
+LD = /usr/bin/ld -m elf_x86_64
+LDFLAGS = 
+LIBOBJS = 
+LIBPAM_CFLAGS = 
+LIBPAM_LIBS = -lpam
+LIBS = 
+LIBTOOL = $(SHELL) $(top_builddir)/libtool
+LIPO = 
+LN_S = ln -s
+LTLIBOBJS = 
+LT_SYS_LIBRARY_PATH = 
+LZ4_CFLAGS = 
+LZ4_LIBS = 
+LZO_CFLAGS = 
+LZO_LIBS = -llzo2
+MAKEINFO = ${SHELL} /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn/missing makeinfo
+MANIFEST_TOOL = :
+MBEDTLS_CFLAGS = 
+MBEDTLS_LIBS = 
+MKDIR_P = /usr/bin/mkdir -p
+NETSTAT = netstat
+NM = /usr/bin/nm -B
+NMEDIT = 
+OBJDUMP = objdump
+OBJEXT = o
+OPENSSL_CFLAGS = 
+OPENSSL_LIBS = -lssl -lcrypto 
+OPENVPN_VERSION_MAJOR = 2
+OPENVPN_VERSION_MINOR = 5
+OPENVPN_VERSION_PATCH = _rc2
+OPTIONAL_CRYPTO_CFLAGS =  
+OPTIONAL_CRYPTO_LIBS =  -lssl -lcrypto 
+OPTIONAL_DL_LIBS = -ldl
+OPTIONAL_INOTIFY_CFLAGS = 
+OPTIONAL_INOTIFY_LIBS = 
+OPTIONAL_LZ4_CFLAGS = 
+OPTIONAL_LZ4_LIBS = 
+OPTIONAL_LZO_CFLAGS = 
+OPTIONAL_LZO_LIBS = -llzo2
+OPTIONAL_PKCS11_HELPER_CFLAGS = 
+OPTIONAL_PKCS11_HELPER_LIBS = 
+OPTIONAL_SELINUX_LIBS = 
+OPTIONAL_SYSTEMD_LIBS = 
+OTOOL = 
+OTOOL64 = 
+P11KIT_CFLAGS = 
+P11KIT_LIBS = 
+PACKAGE = openvpn
+PACKAGE_BUGREPORT = openvpn-users@lists.sourceforge.net
+PACKAGE_NAME = OpenVPN
+PACKAGE_STRING = OpenVPN 2.5_rc2
+PACKAGE_TARNAME = openvpn
+PACKAGE_URL = 
+PACKAGE_VERSION = 2.5_rc2
+PATH_SEPARATOR = :
+PKCS11_HELPER_CFLAGS = 
+PKCS11_HELPER_LIBS = -lpthread -ldl -lcrypto -lpkcs11-helper 
+PKG_CONFIG = /usr/bin/pkg-config
+PKG_CONFIG_LIBDIR = 
+PKG_CONFIG_PATH = 
+PLUGINDIR = 
+PLUGIN_AUTH_PAM_CFLAGS = 
+PLUGIN_AUTH_PAM_LIBS = -lpam
+RANLIB = ranlib
+RC = 
+ROUTE = /usr/sbin/route
+RST2HTML = rst2html
+RST2MAN = rst2man
+SED = /usr/bin/sed
+SELINUX_LIBS = -lselinux
+SET_MAKE = 
+SHELL = /bin/sh
+SOCKETS_LIBS =  -lresolv
+STRIP = strip
+SYSTEMD_ASK_PASSWORD = /usr/bin/systemd-ask-password
+SYSTEMD_UNIT_DIR = 
+TAP_CFLAGS = 
+TAP_WIN_COMPONENT_ID = tap0901
+TAP_WIN_MIN_MAJOR = 9
+TAP_WIN_MIN_MINOR = 9
+TEST_CFLAGS =     -I$(top_srcdir)/include 
+TEST_LDFLAGS =  -lssl -lcrypto   -llzo2 
+TMPFILES_DIR = 
+VERSION = 2.5_rc2
+abs_builddir = /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn/sample/sample-plugins
+abs_srcdir = /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn/sample/sample-plugins
+abs_top_builddir = /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn
+abs_top_srcdir = /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn
+ac_ct_AR = ar
+ac_ct_CC = gcc
+ac_ct_DUMPBIN = 
+am__include = include
+am__leading_dot = .
+am__quote = 
+am__tar = $${TAR-tar} chof - "$$tardir"
+am__untar = $${TAR-tar} xf -
+bindir = ${exec_prefix}/bin
+build = x86_64-pc-linux-gnu
+build_alias = 
+build_cpu = x86_64
+build_os = linux-gnu
+build_vendor = pc
+builddir = .
+datadir = ${datarootdir}
+datarootdir = ${prefix}/share
+docdir = ${datarootdir}/doc/${PACKAGE_TARNAME}
+dvidir = ${docdir}
+exec_prefix = ${prefix}
+host = x86_64-pc-linux-gnu
+host_alias = 
+host_cpu = x86_64
+host_os = linux-gnu
+host_vendor = pc
+htmldir = ${docdir}
+includedir = ${prefix}/include
+infodir = ${datarootdir}/info
+install_sh = ${SHELL} /home/samuli/opt/openvpninc/openvpn-release-scripts/release/openvpn/install-sh
+libdir = ${exec_prefix}/lib
+libexecdir = ${exec_prefix}/libexec
+libsystemd_CFLAGS = 
+libsystemd_LIBS = 
+localedir = ${datarootdir}/locale
+localstatedir = ${prefix}/var
+mandir = ${datarootdir}/man
+mkdir_p = $(MKDIR_P)
+oldincludedir = /usr/include
+pdfdir = ${docdir}
+plugindir = ${libdir}/openvpn/plugins
+prefix = /usr/local
+program_transform_name = s,x,x,
+psdir = ${docdir}
+sampledir = $(docdir)/sample
+sbindir = ${exec_prefix}/sbin
+sharedstatedir = ${prefix}/com
+srcdir = .
+sysconfdir = ${prefix}/etc
+systemdunitdir = 
+target_alias = 
+tmpfilesdir = 
+top_build_prefix = ../../
+top_builddir = ../..
+top_srcdir = ../..
+MAINTAINERCLEANFILES = \
+	$(srcdir)/Makefile.in
+
+AM_CPPFLAGS = -I$(top_srcdir) -I$(top_builddir) \
+	-I$(top_srcdir)/include -I$(top_builddir)/include
+
+
+#
+# Plug-ins to build - listed entries should not carry any extensions
+#
+PLUGINS = \
+	defer/simple \
+	keying-material-exporter-demo/keyingmaterialexporter \
+	log/log log/log_v3 \
+	simple/base64 \
+	simple/simple \
+	client-connect/sample-client-connect
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .o
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am $(srcdir)/Makefile.plugins $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign sample/sample-plugins/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign sample/sample-plugins/Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
+	esac;
+$(srcdir)/Makefile.plugins $(am__empty):
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+tags TAGS:
+
+ctags CTAGS:
+
+cscope cscopelist:
+
+
+distdir: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) distdir-am
+
+distdir-am: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) \
+	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
+	  dist-hook
+check-am: all-am
+check: check-am
+all-am: Makefile
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+	-test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES)
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: install-am install-strip
+
+.PHONY: all all-am check check-am clean clean-generic clean-libtool \
+	cscopelist-am ctags-am dist-hook distclean distclean-generic \
+	distclean-libtool distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags-am uninstall uninstall-am
+
+.PRECIOUS: Makefile
+
+
+# All the plugins to build - rewritten with .so extension
+all : $(foreach var, $(PLUGINS), $(var).so)
+
+# Do not automatically remove object files
+# This is a special Make setting, to avoid adding an implicit
+# 'rm' command on object files - due to the .c.o/%.so rules below
+.PRECIOUS: %.o
+
+# Compile step
+.c.o :
+	test -d `dirname $@` || $(MKDIR_P) `dirname $@`; \
+	$(CC) -c -o $@ $(CFLAGS) $(AM_CPPFLAGS) -fPIC $<
+
+# Link step
+%.so : %.o
+	$(CC) $(LDFLAGS) -shared -fPIC -o $@ $<
+
+# Clean up all build object and shared object files
+clean :
+	rm -f $(foreach var, $(PLUGINS), $(var).o) \
+	$(foreach var, $(PLUGINS), $(var).so)
+
+# We don't want automake to pull in libtool for building these
+# sample-plugins.  Even though this breaks the conceptual ideas
+# around autoconf/automake/libtools ... these sample plug-ins
+# are just sample code, not to be installed or distributed outside
+# of the source tarball.  Not even built by default, by design.
+#
+# We only add this as a simple and convenient way to build all
+# these plug-ins with the same build parameters as the rest
+# of the OpenVPN code.
+#
+# All the plugins which will be built are processed in this
+# separate Makefile, which disconnects everything just enough
+# to achieve our goal.
+
+dist-hook :
+	make -f Makefile.plugins clean
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/sample/sample-plugins/Makefile.am b/sample/sample-plugins/Makefile.am
new file mode 100644
index 0000000..b903a6f
--- /dev/null
+++ b/sample/sample-plugins/Makefile.am
@@ -0,0 +1,34 @@
+#
+#  OpenVPN -- An application to securely tunnel IP networks
+#             over a single UDP port, with support for SSL/TLS-based
+#             session authentication and key exchange,
+#             packet encryption, packet authentication, and
+#             packet compression.
+#
+#  Copyright (C) 2002-2020 OpenVPN Inc <sales@openvpn.net>
+#
+
+MAINTAINERCLEANFILES = \
+	$(srcdir)/Makefile.in
+
+AM_CPPFLAGS = -I$(top_srcdir) -I$(top_builddir) \
+	-I$(top_srcdir)/include -I$(top_builddir)/include
+
+# We don't want automake to pull in libtool for building these
+# sample-plugins.  Even though this breaks the conceptual ideas
+# around autoconf/automake/libtools ... these sample plug-ins
+# are just sample code, not to be installed or distributed outside
+# of the source tarball.  Not even built by default, by design.
+#
+# We only add this as a simple and convenient way to build all
+# these plug-ins with the same build parameters as the rest
+# of the OpenVPN code.
+#
+# All the plugins which will be built are processed in this
+# separate Makefile, which disconnects everything just enough
+# to achieve our goal.
+include Makefile.plugins
+
+
+dist-hook :
+	make -f Makefile.plugins clean
diff --git a/sample/sample-plugins/Makefile.in b/sample/sample-plugins/Makefile.in
new file mode 100644
index 0000000..ae3eef3
--- /dev/null
+++ b/sample/sample-plugins/Makefile.in
@@ -0,0 +1,584 @@
+# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+#
+#  OpenVPN -- An application to securely tunnel IP networks
+#             over a single UDP port, with support for SSL/TLS-based
+#             session authentication and key exchange,
+#             packet encryption, packet authentication, and
+#             packet compression.
+#
+#  Copyright (C) 2002-2020 OpenVPN Inc <sales@openvpn.net>
+#
+
+#  SPDX-License-Identifier: GPL-2.0-only
+#
+#  Copyright (C) 2020 OpenVPN Inc <sales@openvpn.net>
+#
+VPATH = @srcdir@
+am__is_gnu_make = { \
+  if test -z '$(MAKELEVEL)'; then \
+    false; \
+  elif test -n '$(MAKE_HOST)'; then \
+    true; \
+  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+    true; \
+  else \
+    false; \
+  fi; \
+}
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = sample/sample-plugins
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \
+	$(top_srcdir)/m4/ax_socklen_t.m4 \
+	$(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \
+	$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
+	$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
+	$(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \
+	$(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h \
+	$(top_builddir)/include/openvpn-plugin.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+SOURCES =
+DIST_SOURCES =
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.plugins \
+	README
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AS = @AS@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
+CMOCKA_LIBS = @CMOCKA_LIBS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLTOOL = @DLLTOOL@
+DL_LIBS = @DL_LIBS@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+ENABLE_UNITTESTS = @ENABLE_UNITTESTS@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GIT = @GIT@
+GREP = @GREP@
+IFCONFIG = @IFCONFIG@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+IPROUTE = @IPROUTE@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LIBOBJS = @LIBOBJS@
+LIBPAM_CFLAGS = @LIBPAM_CFLAGS@
+LIBPAM_LIBS = @LIBPAM_LIBS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
+LZ4_CFLAGS = @LZ4_CFLAGS@
+LZ4_LIBS = @LZ4_LIBS@
+LZO_CFLAGS = @LZO_CFLAGS@
+LZO_LIBS = @LZO_LIBS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MBEDTLS_CFLAGS = @MBEDTLS_CFLAGS@
+MBEDTLS_LIBS = @MBEDTLS_LIBS@
+MKDIR_P = @MKDIR_P@
+NETSTAT = @NETSTAT@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_CFLAGS = @OPENSSL_CFLAGS@
+OPENSSL_LIBS = @OPENSSL_LIBS@
+OPENVPN_VERSION_MAJOR = @OPENVPN_VERSION_MAJOR@
+OPENVPN_VERSION_MINOR = @OPENVPN_VERSION_MINOR@
+OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@
+OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@
+OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@
+OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@
+OPTIONAL_INOTIFY_CFLAGS = @OPTIONAL_INOTIFY_CFLAGS@
+OPTIONAL_INOTIFY_LIBS = @OPTIONAL_INOTIFY_LIBS@
+OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@
+OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@
+OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@
+OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@
+OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@
+OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@
+OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@
+OPTIONAL_SYSTEMD_LIBS = @OPTIONAL_SYSTEMD_LIBS@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+P11KIT_CFLAGS = @P11KIT_CFLAGS@
+P11KIT_LIBS = @P11KIT_LIBS@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@
+PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGINDIR = @PLUGINDIR@
+PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@
+PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@
+RANLIB = @RANLIB@
+RC = @RC@
+ROUTE = @ROUTE@
+RST2HTML = @RST2HTML@
+RST2MAN = @RST2MAN@
+SED = @SED@
+SELINUX_LIBS = @SELINUX_LIBS@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKETS_LIBS = @SOCKETS_LIBS@
+STRIP = @STRIP@
+SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@
+SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@
+TAP_CFLAGS = @TAP_CFLAGS@
+TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@
+TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@
+TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@
+TEST_CFLAGS = @TEST_CFLAGS@
+TEST_LDFLAGS = @TEST_LDFLAGS@
+TMPFILES_DIR = @TMPFILES_DIR@
+VERSION = @VERSION@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libsystemd_CFLAGS = @libsystemd_CFLAGS@
+libsystemd_LIBS = @libsystemd_LIBS@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+plugindir = @plugindir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sampledir = @sampledir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+systemdunitdir = @systemdunitdir@
+target_alias = @target_alias@
+tmpfilesdir = @tmpfilesdir@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+MAINTAINERCLEANFILES = \
+	$(srcdir)/Makefile.in
+
+AM_CPPFLAGS = -I$(top_srcdir) -I$(top_builddir) \
+	-I$(top_srcdir)/include -I$(top_builddir)/include
+
+
+#
+# Plug-ins to build - listed entries should not carry any extensions
+#
+PLUGINS = \
+	defer/simple \
+	keying-material-exporter-demo/keyingmaterialexporter \
+	log/log log/log_v3 \
+	simple/base64 \
+	simple/simple \
+	client-connect/sample-client-connect
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .o
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am $(srcdir)/Makefile.plugins $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign sample/sample-plugins/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign sample/sample-plugins/Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
+	esac;
+$(srcdir)/Makefile.plugins $(am__empty):
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+tags TAGS:
+
+ctags CTAGS:
+
+cscope cscopelist:
+
+
+distdir: $(BUILT_SOURCES)
+	$(MAKE) $(AM_MAKEFLAGS) distdir-am
+
+distdir-am: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) \
+	  top_distdir="$(top_distdir)" distdir="$(distdir)" \
+	  dist-hook
+check-am: all-am
+check: check-am
+all-am: Makefile
+installdirs:
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+	-test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES)
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+	-rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am:
+
+.MAKE: install-am install-strip
+
+.PHONY: all all-am check check-am clean clean-generic clean-libtool \
+	cscopelist-am ctags-am dist-hook distclean distclean-generic \
+	distclean-libtool distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-ps install-ps-am \
+	install-strip installcheck installcheck-am installdirs \
+	maintainer-clean maintainer-clean-generic mostlyclean \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags-am uninstall uninstall-am
+
+.PRECIOUS: Makefile
+
+
+# All the plugins to build - rewritten with .so extension
+all : $(foreach var, $(PLUGINS), $(var).so)
+
+# Do not automatically remove object files
+# This is a special Make setting, to avoid adding an implicit
+# 'rm' command on object files - due to the .c.o/%.so rules below
+.PRECIOUS: %.o
+
+# Compile step
+.c.o :
+	test -d `dirname $@` || $(MKDIR_P) `dirname $@`; \
+	$(CC) -c -o $@ $(CFLAGS) $(AM_CPPFLAGS) -fPIC $<
+
+# Link step
+%.so : %.o
+	$(CC) $(LDFLAGS) -shared -fPIC -o $@ $<
+
+# Clean up all build object and shared object files
+clean :
+	rm -f $(foreach var, $(PLUGINS), $(var).o) \
+	$(foreach var, $(PLUGINS), $(var).so)
+
+# We don't want automake to pull in libtool for building these
+# sample-plugins.  Even though this breaks the conceptual ideas
+# around autoconf/automake/libtools ... these sample plug-ins
+# are just sample code, not to be installed or distributed outside
+# of the source tarball.  Not even built by default, by design.
+#
+# We only add this as a simple and convenient way to build all
+# these plug-ins with the same build parameters as the rest
+# of the OpenVPN code.
+#
+# All the plugins which will be built are processed in this
+# separate Makefile, which disconnects everything just enough
+# to achieve our goal.
+
+dist-hook :
+	make -f Makefile.plugins clean
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/sample/sample-plugins/Makefile.plugins b/sample/sample-plugins/Makefile.plugins
new file mode 100644
index 0000000..37559a8
--- /dev/null
+++ b/sample/sample-plugins/Makefile.plugins
@@ -0,0 +1,37 @@
+#  SPDX-License-Identifier: GPL-2.0-only
+#
+#  Copyright (C) 2020 OpenVPN Inc <sales@openvpn.net>
+#
+
+#
+# Plug-ins to build - listed entries should not carry any extensions
+#
+PLUGINS = \
+	defer/simple \
+	keying-material-exporter-demo/keyingmaterialexporter \
+	log/log log/log_v3 \
+	simple/base64 \
+	simple/simple \
+	client-connect/sample-client-connect
+
+# All the plugins to build - rewritten with .so extension
+all : $(foreach var, $(PLUGINS), $(var).so)
+
+# Do not automatically remove object files
+# This is a special Make setting, to avoid adding an implicit
+# 'rm' command on object files - due to the .c.o/%.so rules below
+.PRECIOUS: %.o
+
+# Compile step
+.c.o :
+	test -d `dirname $@` || $(MKDIR_P) `dirname $@`; \
+	$(CC) -c -o $@ $(CFLAGS) $(AM_CPPFLAGS) -fPIC $<
+
+# Link step
+%.so : %.o
+	$(CC) $(LDFLAGS) -shared -fPIC -o $@ $<
+
+# Clean up all build object and shared object files
+clean :
+	rm -f $(foreach var, $(PLUGINS), $(var).o) \
+	$(foreach var, $(PLUGINS), $(var).so)
diff --git a/sample/sample-plugins/README b/sample/sample-plugins/README
new file mode 100644
index 0000000..cf1b355
--- /dev/null
+++ b/sample/sample-plugins/README
@@ -0,0 +1,43 @@
+OpenVPN plug-in examples.
+
+Examples provided:
+
+* authentication and logging
+simple/simple.c -- using the --auth-user-pass-verify callback, verify
+                   that the username/password is "foo"/"bar".
+defer/simple.c  -- using the --auth-user-pass-verify callback,
+                   test deferred authentication.
+log/log.c       -- Extended variant of simple/simple.c which adds more
+                   logging of what is happening inside the plug-in
+log/log_v3.c    -- A variant of log/log.c, which makes use of the
+                   OpenVPN plug-in v3 API.  This will also log even more
+                   information related to certificates in use.
+
+* client-connect (and logging)
+client-connect/sample-client-connect -- demonstrate how to use the
+                   CLIENT_CONNECT and CLIENT_CONNECT_V2 hooks to achieve
+                   "per client configuration / logging / ..." actions,
+                   both in synchronous and async/deferred mode
+
+* cryptography related
+simple/base64.c -- Example using the OpenVPN exported base64 encode/decode
+                   functions
+keying-material-exporter-demo/keyingmaterialexporter.c
+                -- Example based on TLS Keying Material Exporters over HTTP [RFC-5705]
+                   (openvpn/doc/keying-material-exporter.txt).  For more details, see
+                   keying-material-exporter-demo/README
+
+
+To build on *BSD/Linux platforms (requires GNU Make):
+
+   gmake                   (builds a default set of plug-ins)
+   gmake simple/simple.so
+
+To build on Windows platform (MinGW):
+
+   cd simple; ./winbuild simple.so
+
+To use in OpenVPN, add to config file:
+
+  plugin simple.so (Linux/BSD/etc.)
+  plugin simple.dll
diff --git a/sample/sample-plugins/client-connect/README b/sample/sample-plugins/client-connect/README
new file mode 100644
index 0000000..cb3e0f3
--- /dev/null
+++ b/sample/sample-plugins/client-connect/README
@@ -0,0 +1,38 @@
+OpenVPN plugin examples.
+
+Examples provided:
+
+sample-client-connect.c
+
+  - hook to all plugin hooks that openvpn offers
+  - log which hook got called
+  - on CLIENT_CONNECT or CLIENT_CONNECT_V2 set some config variables
+    (controlled by "setenv plugin_cc_config ..." and "plugin_cc2_config"
+    in openvpn's config)
+
+  - if the environment variable UV_WANT_CC_FAIL is set, fail
+  - if the environment variable UV_WANT_CC_DISABLE is set, reject ("disable")
+  - if the environment variable UV_WANT_CC_ASYNC is set, go to
+    asynchronous/deferred mode on CLIENT_CONNECT, and sleep for
+    ${UV_WANT_CC_ASYNC} seconds
+
+  - if the environment variable UV_WANT_CC2_FAIL is set, fail CC2
+  - if the environment variable UV_WANT_CC2_DISABLE is set, reject ("disable")
+  - if the environment variable UV_WANT_CC2_ASYNC is set, go to
+    asynchronous/deferred mode on CLIENT_CONNECT_V2, and sleep for
+    ${UV_WANT_CC2_ASYNC} seconds
+
+    (this can be client-controlled with --setenv UV_WANT_CC_ASYNC nnn
+     etc. --> for easy testing server code paths)
+
+To build for unixy platforms (not very sophisticated right now, needs gmake):
+
+  .../sample-plugins$ gmake client-connect/sample-client-connect.so
+
+(This plugin has not been tested on Windows, and might not even work due
+to its use of fork() and wait().  Let us know if it does or needs patches)
+
+
+To use in OpenVPN, add to config file:
+
+  plugin sample-client-connect.so (Linux/BSD/etc.)
diff --git a/sample/sample-plugins/client-connect/sample-client-connect.c b/sample/sample-plugins/client-connect/sample-client-connect.c
new file mode 100644
index 0000000..6168076
--- /dev/null
+++ b/sample/sample-plugins/client-connect/sample-client-connect.c
@@ -0,0 +1,612 @@
+/*
+ *  OpenVPN -- An application to securely tunnel IP networks
+ *             over a single TCP/UDP port, with support for SSL/TLS-based
+ *             session authentication and key exchange,
+ *             packet encryption, packet authentication, and
+ *             packet compression.
+ *
+ *  Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+/*
+ * This file implements a simple OpenVPN plugin module which
+ * will log the calls made, and send back some config statements
+ * when called on the CLIENT_CONNECT and CLIENT_CONNECT_V2 hooks.
+ *
+ * it can be asked to fail or go to async/deferred mode by setting
+ * environment variables (UV_WANT_CC_FAIL, UV_WANT_CC_ASYNC,
+ * UV_WANT_CC2_ASYNC) - mostly used as a testing vehicle for the
+ * server side code to handle these cases
+ *
+ * See the README file for build instructions and env control variables.
+ */
+
+/* strdup() might need special defines to be visible in <string.h> */
+#include "config.h"
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <sys/wait.h>
+
+#include "openvpn-plugin.h"
+
+/* Pointers to functions exported from openvpn */
+static plugin_log_t plugin_log = NULL;
+static plugin_secure_memzero_t plugin_secure_memzero = NULL;
+static plugin_base64_decode_t plugin_base64_decode = NULL;
+
+/* module name for plugin_log() */
+static char *MODULE = "sample-cc";
+
+/*
+ * Our context, where we keep our state.
+ */
+
+struct plugin_context {
+    int verb;                           /* logging verbosity */
+};
+
+/* this is used for the CLIENT_CONNECT_V2 async/deferred handler
+ *
+ * the "CLIENT_CONNECT_V2" handler puts per-client information into
+ * this, and the "CLIENT_CONNECT_DEFER_V2" handler looks at it to see
+ * if it's time yet to succeed/fail
+ */
+struct plugin_per_client_context {
+    time_t sleep_until;                 /* wakeup time (time() + sleep) */
+    bool want_fail;
+    bool want_disable;
+    const char *client_config;
+};
+
+/*
+ * Given an environmental variable name, search
+ * the envp array for its value, returning it
+ * if found or NULL otherwise.
+ */
+static const char *
+get_env(const char *name, const char *envp[])
+{
+    if (envp)
+    {
+        int i;
+        const int namelen = strlen(name);
+        for (i = 0; envp[i]; ++i)
+        {
+            if (!strncmp(envp[i], name, namelen))
+            {
+                const char *cp = envp[i] + namelen;
+                if (*cp == '=')
+                {
+                    return cp + 1;
+                }
+            }
+        }
+    }
+    return NULL;
+}
+
+
+static int
+atoi_null0(const char *str)
+{
+    if (str)
+    {
+        return atoi(str);
+    }
+    else
+    {
+        return 0;
+    }
+}
+
+/* use v3 functions so we can use openvpn's logging and base64 etc. */
+OPENVPN_EXPORT int
+openvpn_plugin_open_v3(const int v3structver,
+                       struct openvpn_plugin_args_open_in const *args,
+                       struct openvpn_plugin_args_open_return *ret)
+{
+    /* const char **argv = args->argv; */ /* command line arguments (unused) */
+    const char **envp = args->envp;       /* environment variables */
+
+    /* Check API compatibility -- struct version 5 or higher needed */
+    if (v3structver < 5)
+    {
+        fprintf(stderr, "sample-client-connect: this plugin is incompatible with the running version of OpenVPN\n");
+        return OPENVPN_PLUGIN_FUNC_ERROR;
+    }
+
+    /*
+     * Allocate our context
+     */
+    struct plugin_context *context = calloc(1, sizeof(struct plugin_context));
+    if (!context)
+    {
+        goto error;
+    }
+
+    /*
+     * Intercept just about everything...
+     */
+    ret->type_mask =
+        OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_UP)
+        |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_DOWN)
+        |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_ROUTE_UP)
+        |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_IPCHANGE)
+        |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_VERIFY)
+        |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT)
+        |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_V2)
+        |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2)
+        |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_CLIENT_DISCONNECT)
+        |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_LEARN_ADDRESS)
+        |OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_TLS_FINAL);
+
+    /* Save global pointers to functions exported from openvpn */
+    plugin_log = args->callbacks->plugin_log;
+    plugin_secure_memzero = args->callbacks->plugin_secure_memzero;
+    plugin_base64_decode = args->callbacks->plugin_base64_decode;
+
+    /*
+     * Get verbosity level from environment
+     */
+    context->verb = atoi_null0(get_env("verb", envp));
+
+    ret->handle = (openvpn_plugin_handle_t *) context;
+    plugin_log(PLOG_NOTE, MODULE, "initialization succeeded");
+    return OPENVPN_PLUGIN_FUNC_SUCCESS;
+
+error:
+    if (context)
+    {
+        free(context);
+    }
+    return OPENVPN_PLUGIN_FUNC_ERROR;
+}
+
+
+/* there are two possible interfaces for an openvpn plugin how
+ * to be called on "client connect", which primarily differ in the
+ * way config options are handed back to the client instance
+ * (see openvpn/multi.c, multi_client_connect_call_plugin_{v1,v2}())
+ *
+ * OPENVPN_PLUGIN_CLIENT_CONNECT
+ *   openvpn creates a temp file and passes the name to the plugin
+ *    (via argv[1] variable, argv[0] is the name of the plugin)
+ *   the plugin can write config statements to that file, and openvpn
+ *    reads it in like a "ccd/$cn" per-client config file
+ *
+ * OPENVPN_PLUGIN_CLIENT_CONNECT_V2
+ *   the caller passes in a pointer to an "openvpn_plugin_string_list"
+ *   (openvpn-plugin.h), which is a linked list of (name,value) pairs
+ *
+ *   we fill in one node with name="config" and value="our config"
+ *
+ *   both "l" and "l->name" and "l->value" are malloc()ed by the plugin
+ *   and free()ed by the caller (openvpn_plugin_string_list_free())
+ */
+
+/* helper function to write actual "here are your options" file,
+ * called from sync and sync handler
+ */
+int
+write_cc_options_file(const char *name, const char **envp)
+{
+    if (!name)
+    {
+        return OPENVPN_PLUGIN_FUNC_SUCCESS;
+    }
+
+    FILE *fp = fopen(name,"w");
+    if (!fp)
+    {
+        plugin_log(PLOG_ERR, MODULE, "fopen('%s') failed", name);
+        return OPENVPN_PLUGIN_FUNC_ERROR;
+    }
+
+    /* config to-be-sent can come from "setenv plugin_cc_config" in openvpn */
+    const char *p = get_env("plugin_cc_config", envp);
+    if (p)
+    {
+        fprintf(fp, "%s\n", p);
+    }
+
+    /* some generic config snippets so we know it worked */
+    fprintf(fp, "push \"echo sample-cc plugin 1 called\"\n");
+
+    /* if the caller wants, reject client by means of "disable" option */
+    if (get_env("UV_WANT_CC_DISABLE", envp))
+    {
+        plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC_DISABLE, reject");
+        fprintf(fp, "disable\n");
+    }
+    fclose(fp);
+
+    return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+int
+cc_handle_deferred_v1(int seconds, const char *name, const char **envp)
+{
+    const char *ccd_file = get_env("client_connect_deferred_file", envp);
+    if (!ccd_file)
+    {
+        plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC_ASYNC=%d, but "
+                   "'client_connect_deferred_file' not set -> fail", seconds);
+        return OPENVPN_PLUGIN_FUNC_ERROR;
+    }
+
+    /* the CLIENT_CONNECT (v1) API is a bit tricky to work with, because
+     * completition can be signalled both by the "deferred_file" and by
+     * the new ...CLIENT_CONNECT_DEFER API - which is optional.
+     *
+     * For OpenVPN to be able to differenciate, we must create the file
+     * right away if we want to use that for signalling.
+     */
+    int fd = open(ccd_file, O_WRONLY);
+    if (fd < 0)
+    {
+        plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "open('%s') failed", ccd_file);
+        return OPENVPN_PLUGIN_FUNC_ERROR;
+    }
+
+    if (write(fd, "2", 1) != 1)
+    {
+        plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "write to '%s' failed", ccd_file );
+        close(fd);
+        return OPENVPN_PLUGIN_FUNC_ERROR;
+    }
+    close(fd);
+
+    /* we do not want to complicate our lives with having to wait()
+     * for child processes (so they are not zombiefied) *and* we MUST NOT
+     * fiddle with signal handlers (= shared with openvpn main), so
+     * we use double-fork() trick.
+     */
+
+    /* fork, sleep, succeed/fail according to env vars */
+    pid_t p1 = fork();
+    if (p1 < 0)                 /* Fork failed */
+    {
+        return OPENVPN_PLUGIN_FUNC_ERROR;
+    }
+    if (p1 > 0)                 /* parent process */
+    {
+        waitpid(p1, NULL, 0);
+        return OPENVPN_PLUGIN_FUNC_DEFERRED;
+    }
+
+    /* first gen child process, fork() again and exit() right away */
+    pid_t p2 = fork();
+    if (p2 < 0)
+    {
+        plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: fork(2) failed");
+        exit(1);
+    }
+    if (p2 > 0)                 /* new parent: exit right away */
+    {
+        exit(0);
+    }
+
+    /* (grand-)child process
+     *  - never call "return" now (would mess up openvpn)
+     *  - return status is communicated by file
+     *  - then exit()
+     */
+
+    /* do mighty complicated work that will really take time here... */
+    plugin_log(PLOG_NOTE, MODULE, "in async/deferred handler, sleep(%d)", seconds);
+    sleep(seconds);
+
+    /* write config options to openvpn */
+    int ret = write_cc_options_file(name, envp);
+
+    /* by setting "UV_WANT_CC_FAIL" we can be triggered to fail */
+    const char *p = get_env("UV_WANT_CC_FAIL", envp);
+    if (p)
+    {
+        plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC_FAIL=%s -> fail", p);
+        ret = OPENVPN_PLUGIN_FUNC_ERROR;
+    }
+
+    /* now signal success/failure state to openvpn */
+    fd = open(ccd_file, O_WRONLY);
+    if (fd < 0)
+    {
+        plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "open('%s') failed", ccd_file);
+        exit(1);
+    }
+
+    plugin_log(PLOG_NOTE, MODULE, "cc_handle_deferred_v1: done, signalling %s",
+               (ret == OPENVPN_PLUGIN_FUNC_SUCCESS) ? "success" : "fail" );
+
+    if (write(fd, (ret == OPENVPN_PLUGIN_FUNC_SUCCESS) ? "1" : "0", 1) != 1)
+    {
+        plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "write to '%s' failed", ccd_file );
+    }
+    close(fd);
+
+    exit(0);
+}
+
+int
+openvpn_plugin_client_connect(struct plugin_context *context,
+                              const char **argv,
+                              const char **envp)
+{
+    /* log environment variables handed to us by OpenVPN, but
+     * only if "setenv verb" is 3 or higher (arbitrary number)
+     */
+    if (context->verb>=3)
+    {
+        for (int i = 0; argv[i]; i++)
+        {
+            plugin_log(PLOG_NOTE, MODULE, "per-client argv: %s", argv[i]);
+        }
+        for (int i = 0; envp[i]; i++)
+        {
+            plugin_log(PLOG_NOTE, MODULE, "per-client env: %s", envp[i]);
+        }
+    }
+
+    /* by setting "UV_WANT_CC_ASYNC" we go to async/deferred mode */
+    const char *p = get_env("UV_WANT_CC_ASYNC", envp);
+    if (p)
+    {
+        /* the return value will usually be OPENVPN_PLUGIN_FUNC_DEFERRED
+         * ("I will do my job in the background, check the status file!")
+         * but depending on env setup it might be "..._ERRROR"
+         */
+        return cc_handle_deferred_v1(atoi(p), argv[1], envp);
+    }
+
+    /* -- this is synchronous mode (openvpn waits for us) -- */
+
+    /* by setting "UV_WANT_CC_FAIL" we can be triggered to fail */
+    p = get_env("UV_WANT_CC_FAIL", envp);
+    if (p)
+    {
+        plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC_FAIL=%s -> fail", p);
+        return OPENVPN_PLUGIN_FUNC_ERROR;
+    }
+
+    /* does the caller want options?  give them some */
+    int ret = write_cc_options_file(argv[1], envp);
+
+    return ret;
+}
+
+int
+openvpn_plugin_client_connect_v2(struct plugin_context *context,
+                                 struct plugin_per_client_context *pcc,
+                                 const char **envp,
+                                 struct openvpn_plugin_string_list **return_list)
+{
+    /* by setting "UV_WANT_CC2_ASYNC" we go to async/deferred mode */
+    const char *want_async = get_env("UV_WANT_CC2_ASYNC", envp);
+    const char *want_fail = get_env("UV_WANT_CC2_FAIL", envp);
+    const char *want_disable = get_env("UV_WANT_CC2_DISABLE", envp);
+
+    /* config to push towards client - can be controlled by OpenVPN
+     * config ("setenv plugin_cc2_config ...") - mostly useful in a
+     * regression test environment to push stuff like routes which are
+     * then verified by t_client ping tests
+     */
+    const char *client_config = get_env("plugin_cc2_config", envp);
+    if (!client_config)
+    {
+        /* pick something meaningless which can be verified in client log */
+        client_config = "push \"setenv CC2 MOOH\"\n";
+    }
+
+    if (want_async)
+    {
+        /* we do no really useful work here, so we just tell the
+         * "CLIENT_CONNECT_DEFER_V2" handler that it should sleep
+         * and then "do things" via the per-client-context
+         */
+        pcc->sleep_until = time(NULL) + atoi(want_async);
+        pcc->want_fail = (want_fail != NULL);
+        pcc->want_disable = (want_disable != NULL);
+        pcc->client_config = client_config;
+        plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC2_ASYNC=%s -> set up deferred handler", want_async);
+        return OPENVPN_PLUGIN_FUNC_DEFERRED;
+    }
+
+    /* by setting "UV_WANT_CC2_FAIL" we can be triggered to fail here */
+    if (want_fail)
+    {
+        plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC2_FAIL=%s -> fail", want_fail);
+        return OPENVPN_PLUGIN_FUNC_ERROR;
+    }
+
+    struct openvpn_plugin_string_list *rl =
+        calloc(1, sizeof(struct openvpn_plugin_string_list));
+    if (!rl)
+    {
+        plugin_log(PLOG_ERR, MODULE, "malloc(return_list) failed");
+        return OPENVPN_PLUGIN_FUNC_ERROR;
+    }
+    rl->name = strdup("config");
+    if (want_disable)
+    {
+        plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC2_DISABLE, reject");
+        rl->value = strdup("disable\n");
+    }
+    else
+    {
+        rl->value = strdup(client_config);
+    }
+
+    if (!rl->name || !rl->value)
+    {
+        plugin_log(PLOG_ERR, MODULE, "malloc(return_list->xx) failed");
+        return OPENVPN_PLUGIN_FUNC_ERROR;
+    }
+
+    *return_list = rl;
+
+    return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+int
+openvpn_plugin_client_connect_defer_v2(struct plugin_context *context,
+                                       struct plugin_per_client_context *pcc,
+                                       struct openvpn_plugin_string_list
+                                       **return_list)
+{
+    time_t time_left = pcc->sleep_until - time(NULL);
+    plugin_log(PLOG_NOTE, MODULE, "defer_v2: seconds left=%d",
+               (int) time_left);
+
+    /* not yet due? */
+    if (time_left > 0)
+    {
+        return OPENVPN_PLUGIN_FUNC_DEFERRED;
+    }
+
+    /* client wants fail? */
+    if (pcc->want_fail)
+    {
+        plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC2_FAIL -> fail" );
+        return OPENVPN_PLUGIN_FUNC_ERROR;
+    }
+
+    /* fill in RL according to with-disable / without-disable */
+
+    /* TODO: unify this with non-deferred case */
+    struct openvpn_plugin_string_list *rl =
+        calloc(1, sizeof(struct openvpn_plugin_string_list));
+    if (!rl)
+    {
+        plugin_log(PLOG_ERR, MODULE, "malloc(return_list) failed");
+        return OPENVPN_PLUGIN_FUNC_ERROR;
+    }
+    rl->name = strdup("config");
+    if (pcc->want_disable)
+    {
+        plugin_log(PLOG_NOTE, MODULE, "env has UV_WANT_CC2_DISABLE, reject");
+        rl->value = strdup("disable\n");
+    }
+    else
+    {
+        rl->value = strdup(pcc->client_config);
+    }
+
+    if (!rl->name || !rl->value)
+    {
+        plugin_log(PLOG_ERR, MODULE, "malloc(return_list->xx) failed");
+        return OPENVPN_PLUGIN_FUNC_ERROR;
+    }
+
+    *return_list = rl;
+
+    return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+OPENVPN_EXPORT int
+openvpn_plugin_func_v2(openvpn_plugin_handle_t handle,
+                       const int type,
+                       const char *argv[],
+                       const char *envp[],
+                       void *per_client_context,
+                       struct openvpn_plugin_string_list **return_list)
+{
+    struct plugin_context *context = (struct plugin_context *) handle;
+    struct plugin_per_client_context *pcc = (struct plugin_per_client_context *) per_client_context;
+
+    /* for most functions, we just "don't do anything" but log the
+     * event received (so one can follow it in the log and understand
+     * the sequence of events).  CONNECT and CONNECT_V2 are handled
+     */
+    switch (type)
+    {
+        case OPENVPN_PLUGIN_UP:
+            plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_UP");
+            break;
+
+        case OPENVPN_PLUGIN_DOWN:
+            plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_DOWN");
+            break;
+
+        case OPENVPN_PLUGIN_ROUTE_UP:
+            plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_ROUTE_UP");
+            break;
+
+        case OPENVPN_PLUGIN_IPCHANGE:
+            plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_IPCHANGE");
+            break;
+
+        case OPENVPN_PLUGIN_TLS_VERIFY:
+            plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_TLS_VERIFY");
+            break;
+
+        case OPENVPN_PLUGIN_CLIENT_CONNECT:
+            plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_CLIENT_CONNECT");
+            return openvpn_plugin_client_connect(context, argv, envp);
+
+        case OPENVPN_PLUGIN_CLIENT_CONNECT_V2:
+            plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_CLIENT_CONNECT_V2");
+            return openvpn_plugin_client_connect_v2(context, pcc, envp,
+                                                    return_list);
+
+        case OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2:
+            plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_CLIENT_CONNECT_DEFER_V2");
+            return openvpn_plugin_client_connect_defer_v2(context, pcc,
+                                                          return_list);
+
+        case OPENVPN_PLUGIN_CLIENT_DISCONNECT:
+            plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_CLIENT_DISCONNECT");
+            break;
+
+        case OPENVPN_PLUGIN_LEARN_ADDRESS:
+            plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_LEARN_ADDRESS");
+            break;
+
+        case OPENVPN_PLUGIN_TLS_FINAL:
+            plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_TLS_FINAL");
+            break;
+
+        default:
+            plugin_log(PLOG_NOTE, MODULE, "OPENVPN_PLUGIN_? type=%d\n", type);
+    }
+    return OPENVPN_PLUGIN_FUNC_SUCCESS;
+}
+
+OPENVPN_EXPORT void *
+openvpn_plugin_client_constructor_v1(openvpn_plugin_handle_t handle)
+{
+    printf("FUNC: openvpn_plugin_client_constructor_v1\n");
+    return calloc(1, sizeof(struct plugin_per_client_context));
+}
+
+OPENVPN_EXPORT void
+openvpn_plugin_client_destructor_v1(openvpn_plugin_handle_t handle, void *per_client_context)
+{
+    printf("FUNC: openvpn_plugin_client_destructor_v1\n");
+    free(per_client_context);
+}
+
+OPENVPN_EXPORT void
+openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)
+{
+    struct plugin_context *context = (struct plugin_context *) handle;
+    printf("FUNC: openvpn_plugin_close_v1\n");
+    free(context);
+}
diff --git a/sample/sample-plugins/defer/README b/sample/sample-plugins/defer/README
deleted file mode 100644
index d8990f8..0000000
--- a/sample/sample-plugins/defer/README
+++ /dev/null
@@ -1,16 +0,0 @@
-OpenVPN plugin examples.
-
-Examples provided:
-
-simple.c -- using the --auth-user-pass-verify callback,
-            test deferred authentication.
-
-To build:
-
-  ./build simple (Linux/BSD/etc.)
-  ./winbuild simple (MinGW on Windows)
-
-To use in OpenVPN, add to config file:
-
-  plugin simple.so (Linux/BSD/etc.)
-  plugin simple.dll (MinGW on Windows)
diff --git a/sample/sample-plugins/defer/build b/sample/sample-plugins/defer/build
deleted file mode 100755
index ba41a39..0000000
--- a/sample/sample-plugins/defer/build
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-#
-# Build an OpenVPN plugin module on *nix.  The argument should
-# be the base name of the C source file (without the .c).
-#
-
-# This directory is where we will look for openvpn-plugin.h
-CPPFLAGS="${CPPFLAGS:--I../../../include}"
-
-CC="${CC:-gcc}"
-CFLAGS="${CFLAGS:--O2 -Wall -g}"
-
-$CC $CPPFLAGS $CFLAGS -fPIC -c $1.c && \
-$CC $CFLAGS -fPIC -shared ${LDFLAGS} -Wl,-soname,$1.so -o $1.so $1.o -lc
diff --git a/sample/sample-plugins/defer/simple.c b/sample/sample-plugins/defer/simple.c
index d18695b..64338b4 100644
--- a/sample/sample-plugins/defer/simple.c
+++ b/sample/sample-plugins/defer/simple.c
@@ -141,6 +141,11 @@ openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char *
      * Allocate our context
      */
     context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context));
+    if (context == NULL)
+    {
+        printf("PLUGIN: allocating memory for context failed\n");
+        return NULL;
+    }
 
     context->test_deferred_auth = atoi_null0(get_env("test_deferred_auth", envp));
     printf("TEST_DEFERRED_AUTH %d\n", context->test_deferred_auth);
diff --git a/sample/sample-plugins/keying-material-exporter-demo/build b/sample/sample-plugins/keying-material-exporter-demo/build
deleted file mode 100755
index bbb05f7..0000000
--- a/sample/sample-plugins/keying-material-exporter-demo/build
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-#
-# Build an OpenVPN plugin module on *nix.  The argument should
-# be the base name of the C source file (without the .c).
-#
-
-# This directory is where we will look for openvpn-plugin.h
-CPPFLAGS="${CPPFLAGS:--I../../..}"
-
-CC="${CC:-gcc}"
-CFLAGS="${CFLAGS:--O2 -Wall -g}"
-
-$CC $CPPFLAGS $CFLAGS -fPIC -c $1.c && \
-$CC $CFLAGS -fPIC -shared $LDFLAGS -Wl,-soname,$1.so -o $1.so $1.o -lc
diff --git a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
index b53f13f..27275f3 100644
--- a/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
+++ b/sample/sample-plugins/keying-material-exporter-demo/keyingmaterialexporter.c
@@ -92,6 +92,12 @@ openvpn_plugin_open_v3(const int version,
 {
     struct plugin *plugin = calloc(1, sizeof(*plugin));
 
+    if (plugin == NULL)
+    {
+        printf("PLUGIN: allocating memory for context failed\n");
+        return OPENVPN_PLUGIN_FUNC_ERROR;
+    }
+
     plugin->type = get_env("remote_1", args->envp) ? CLIENT : SERVER;
     plugin->log  = args->callbacks->plugin_log;
 
diff --git a/sample/sample-plugins/log/build b/sample/sample-plugins/log/build
deleted file mode 100755
index c07ec40..0000000
--- a/sample/sample-plugins/log/build
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-#
-# Build an OpenVPN plugin module on *nix.  The argument should
-# be the base name of the C source file (without the .c).
-#
-
-# This directory is where we will look for openvpn-plugin.h
-CPPFLAGS="${CPPFLAGS:--I../../../include}"
-
-CC="${CC:-gcc}"
-CFLAGS="${CFLAGS:--O2 -Wall -g}"
-
-$CC $CPPFLAGS $CFLAGS -fPIC -c $1.c && \
-$CC $CFLAGS -fPIC -shared $LDFLAGS -Wl,-soname,$1.so -o $1.so $1.o -lc
diff --git a/sample/sample-plugins/log/log.c b/sample/sample-plugins/log/log.c
index b5c1c3b..a782aa9 100644
--- a/sample/sample-plugins/log/log.c
+++ b/sample/sample-plugins/log/log.c
@@ -78,6 +78,11 @@ openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char *
      * Allocate our context
      */
     context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context));
+    if (context == NULL)
+    {
+        printf("PLUGIN: allocating memory for context failed\n");
+        return NULL;
+    }
 
     /*
      * Set the username/password we will require.
diff --git a/sample/sample-plugins/log/log_v3.c b/sample/sample-plugins/log/log_v3.c
index 17b83f3..1344499 100644
--- a/sample/sample-plugins/log/log_v3.c
+++ b/sample/sample-plugins/log/log_v3.c
@@ -113,6 +113,11 @@ openvpn_plugin_open_v3(const int v3structver,
 
     /* Allocate our context */
     context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context));
+    if (context == NULL)
+    {
+        printf("PLUGIN: allocating memory for context failed\n");
+        return OPENVPN_PLUGIN_FUNC_ERROR;
+    }
 
     /* Set the username/password we will require. */
     context->username = "foo";
diff --git a/sample/sample-plugins/simple/README b/sample/sample-plugins/simple/README
deleted file mode 100644
index 4400cd3..0000000
--- a/sample/sample-plugins/simple/README
+++ /dev/null
@@ -1,16 +0,0 @@
-OpenVPN plugin examples.
-
-Examples provided:
-
-simple.c -- using the --auth-user-pass-verify callback, verify
-            that the username/password is "foo"/"bar".
-
-To build:
-
-  ./build simple (Linux/BSD/etc.)
-  ./winbuild simple (MinGW on Windows)
-
-To use in OpenVPN, add to config file:
-
-  plugin simple.so (Linux/BSD/etc.)
-  plugin simple.dll (MinGW on Windows)
diff --git a/sample/sample-plugins/simple/build b/sample/sample-plugins/simple/build
deleted file mode 100755
index bbb05f7..0000000
--- a/sample/sample-plugins/simple/build
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-#
-# Build an OpenVPN plugin module on *nix.  The argument should
-# be the base name of the C source file (without the .c).
-#
-
-# This directory is where we will look for openvpn-plugin.h
-CPPFLAGS="${CPPFLAGS:--I../../..}"
-
-CC="${CC:-gcc}"
-CFLAGS="${CFLAGS:--O2 -Wall -g}"
-
-$CC $CPPFLAGS $CFLAGS -fPIC -c $1.c && \
-$CC $CFLAGS -fPIC -shared $LDFLAGS -Wl,-soname,$1.so -o $1.so $1.o -lc
diff --git a/sample/sample-plugins/simple/simple.c b/sample/sample-plugins/simple/simple.c
index 950c547..60cfea4 100644
--- a/sample/sample-plugins/simple/simple.c
+++ b/sample/sample-plugins/simple/simple.c
@@ -80,6 +80,11 @@ openvpn_plugin_open_v1(unsigned int *type_mask, const char *argv[], const char *
      * Allocate our context
      */
     context = (struct plugin_context *) calloc(1, sizeof(struct plugin_context));
+    if (context == NULL)
+    {
+        printf("PLUGIN: allocating memory for context failed\n");
+        return NULL;
+    }
 
     /*
      * Set the username/password we will require.
diff --git a/src/compat/PropertySheet.props b/src/compat/PropertySheet.props
index fdded31..4f94b97 100644
--- a/src/compat/PropertySheet.props
+++ b/src/compat/PropertySheet.props
@@ -3,7 +3,7 @@
   <ImportGroup Label="PropertySheets" />
   <PropertyGroup Label="UserMacros">
     <SOURCEBASE>$(SolutionDir)</SOURCEBASE>
-    <OPENVPN_DEPROOT>$(SOURCEBASE)\..\openvpn-build\msvc\image</OPENVPN_DEPROOT>
+    <OPENVPN_DEPROOT>$(SOURCEBASE)\..\openvpn-build\msvc\image$(PlatformArchitecture)</OPENVPN_DEPROOT>
     <OPENSSL_HOME>$(OPENVPN_DEPROOT)</OPENSSL_HOME>
     <TAP_WINDOWS_HOME>$(OPENVPN_DEPROOT)</TAP_WINDOWS_HOME>
     <LZO_HOME>$(OPENVPN_DEPROOT)</LZO_HOME>
diff --git a/src/openvpn/errlevel.h b/src/openvpn/errlevel.h
index e448fc3..5663f84 100644
--- a/src/openvpn/errlevel.h
+++ b/src/openvpn/errlevel.h
@@ -91,6 +91,7 @@
 #define D_OSBUF              LOGLEV(3, 43, 0)        /* show socket/tun/tap buffer sizes */
 #define D_PS_PROXY           LOGLEV(3, 44, 0)        /* messages related to --port-share option */
 #define D_PF_INFO            LOGLEV(3, 45, 0)        /* packet filter informational messages */
+#define D_IFCONFIG           LOGLEV(3, 0,  0)        /* show ifconfig info (don't mute) */
 
 #define D_SHOW_PARMS         LOGLEV(4, 50, 0)        /* show all parameters on program initiation */
 #define D_SHOW_OCC           LOGLEV(4, 51, 0)        /* show options compatibility string */
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index a785934..d1ad5c8 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -500,6 +500,17 @@ next_connection_entry(struct context *c)
                  */
                 if (!c->options.persist_remote_ip)
                 {
+                    /* Connection entry addrinfo objects might have been
+                     * resolved earlier but the entry itself might have been
+                     * skipped by management on the previous loop.
+                     * If so, clear the addrinfo objects as close_instance does
+                     */
+                    if (c->c1.link_socket_addr.remote_list)
+                    {
+                        clear_remote_addrlist(&c->c1.link_socket_addr,
+                                              !c->options.resolve_in_advance);
+                    }
+
                     /* close_instance should have cleared the addrinfo objects */
                     ASSERT(c->c1.link_socket_addr.current_remote == NULL);
                     ASSERT(c->c1.link_socket_addr.remote_list == NULL);
diff --git a/src/openvpn/networking_sitnl.c b/src/openvpn/networking_sitnl.c
index 713a213..2bc70a5 100644
--- a/src/openvpn/networking_sitnl.c
+++ b/src/openvpn/networking_sitnl.c
@@ -345,6 +345,13 @@ sitnl_send(struct nlmsghdr *payload, pid_t peer, unsigned int groups,
  *               continue;
  *           }
  */
+
+            if (h->nlmsg_type == NLMSG_DONE)
+            {
+                ret = 0;
+                goto out;
+            }
+
             if (h->nlmsg_type == NLMSG_ERROR)
             {
                 err = (struct nlmsgerr *)NLMSG_DATA(h);
@@ -360,7 +367,11 @@ sitnl_send(struct nlmsghdr *payload, pid_t peer, unsigned int groups,
                         ret = 0;
                         if (cb)
                         {
-                            ret = cb(h, arg_cb);
+                            int r = cb(h, arg_cb);
+                            if (r <= 0)
+                            {
+                                ret = r;
+                            }
                         }
                     }
                     else
@@ -375,8 +386,12 @@ sitnl_send(struct nlmsghdr *payload, pid_t peer, unsigned int groups,
 
             if (cb)
             {
-                ret = cb(h, arg_cb);
-                goto out;
+                int r = cb(h, arg_cb);
+                if (r <= 0)
+                {
+                    ret = r;
+                    goto out;
+                }
             }
             else
             {
@@ -410,6 +425,7 @@ typedef struct {
     int addr_size;
     inet_address_t gw;
     char iface[IFNAMSIZ];
+    bool default_only;
 } route_res_t;
 
 static int
@@ -421,6 +437,12 @@ sitnl_route_save(struct nlmsghdr *n, void *arg)
     int len = n->nlmsg_len - NLMSG_LENGTH(sizeof(*r));
     unsigned int ifindex = 0;
 
+    /* filter-out non-zero dst prefixes */
+    if (res->default_only && r->rtm_dst_len != 0)
+    {
+        return 1;
+    }
+
     while (RTA_OK(rta, len))
     {
         switch (rta->rta_type)
@@ -477,11 +499,25 @@ sitnl_route_best_gw(sa_family_t af_family, const inet_address_t *dst,
     {
         case AF_INET:
             res.addr_size = sizeof(in_addr_t);
-            req.n.nlmsg_flags |= NLM_F_DUMP;
+            /*
+             * kernel can't return 0.0.0.0/8 host route, dump all
+             * the routes and filter for 0.0.0.0/0 in cb()
+             */
+            if (!dst || !dst->ipv4)
+            {
+                req.n.nlmsg_flags |= NLM_F_DUMP;
+                res.default_only = true;
+            }
+            else
+            {
+                req.r.rtm_dst_len = 32;
+            }
             break;
 
         case AF_INET6:
             res.addr_size = sizeof(struct in6_addr);
+            /* kernel can return ::/128 host route */
+            req.r.rtm_dst_len = 128;
             break;
 
         default:
diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj
index 5367979..3863854 100644
--- a/src/openvpn/openvpn.vcxproj
+++ b/src/openvpn/openvpn.vcxproj
@@ -92,7 +92,7 @@
     </ClCompile>
     <ResourceCompile />
     <Link>
-      <AdditionalDependencies>legacy_stdio_definitions.lib;Ncrypt.lib;libssl.lib;libcrypto.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>legacy_stdio_definitions.lib;Ncrypt.lib;libssl.lib;libcrypto.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;setupapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <AdditionalLibraryDirectories>$(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
       <SubSystem>Console</SubSystem>
     </Link>
@@ -122,7 +122,7 @@
     </ClCompile>
     <ResourceCompile />
     <Link>
-      <AdditionalDependencies>legacy_stdio_definitions.lib;Ncrypt.lib;libssl.lib;libcrypto.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalDependencies>legacy_stdio_definitions.lib;Ncrypt.lib;libssl.lib;libcrypto.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;setupapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
       <AdditionalLibraryDirectories>$(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
       <SubSystem>Console</SubSystem>
     </Link>
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 8bf82c5..3df803d 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2181,10 +2181,11 @@ options_postprocess_verify_ce(const struct options *options, const struct connec
     }
 
     if (options->tuntap_options.dhcp_options
+        && options->windows_driver != WINDOWS_DRIVER_WINTUN
         && options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ
         && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE)
     {
-        msg(M_USAGE, "--dhcp-options requires --ip-win32 dynamic or adaptive");
+        msg(M_USAGE, "--dhcp-option requires --ip-win32 dynamic or adaptive");
     }
 
     if (options->windows_driver == WINDOWS_DRIVER_WINTUN && dev != DEV_TYPE_TUN)
@@ -7439,7 +7440,8 @@ add_option(struct options *options,
         VERIFY_PERMISSION(OPT_P_IPWIN32);
         bool ipv6dns = false;
 
-        if (streq(p[1], "DOMAIN") && p[2])
+        if ((streq(p[1], "DOMAIN") || streq(p[1], "ADAPTER_DOMAIN_SUFFIX"))
+            && p[2])
         {
             o->domain = p[2];
         }
diff --git a/src/openvpn/otime.h b/src/openvpn/otime.h
index a6f7ec2..78d20ba 100644
--- a/src/openvpn/otime.h
+++ b/src/openvpn/otime.h
@@ -84,6 +84,7 @@ update_time(void)
     openvpn_gettimeofday(&tv, NULL);
 #else
     update_now(time(NULL));
+    now_usec = 0;
 #endif
 }
 
diff --git a/src/openvpn/pool.c b/src/openvpn/pool.c
index 1f74ac5..ece0784 100644
--- a/src/openvpn/pool.c
+++ b/src/openvpn/pool.c
@@ -224,6 +224,24 @@ ifconfig_pool_init(const bool ipv4_pool, enum pool_type type, in_addr_t start,
         }
 
         pool->ipv6.base = ipv6_base;
+
+        /* if a pool starts at a base address that has all-zero in the
+         * host part, that first IPv6 address must not be assigned to
+         * clients because it is not usable (subnet anycast address).
+         * Start with 1, then.
+         *
+         * NOTE: this will also (mis-)fire for something like
+         *    ifconfig-ipv6-pool 2001:db8:0:1:1234::0/64
+         * as we only check the rightmost 32 bits of the host part.  So be it.
+         */
+        if (base == 0)
+        {
+            msg(D_IFCONFIG_POOL, "IFCONFIG POOL IPv6: incrementing pool start "
+                "to avoid ::0 assignment");
+            base++;
+            pool->ipv6.base.s6_addr[15]++;
+        }
+
         pool_ipv6_size = ipv6_netbits >= 112
                           ? (1 << (128 - ipv6_netbits)) - base
                           : IFCONFIG_POOL_MAX;
diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index f127a90..d75aa5f 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -49,6 +49,10 @@
 #include <linux/rtnetlink.h>            /* RTM_GETROUTE etc. */
 #endif
 
+#if defined(TARGET_NETBSD)
+#include <net/route.h>			/* RT_ROUNDUP(), RT_ADVANCE() */
+#endif
+
 #ifdef _WIN32
 #include "openvpn-msg.h"
 
@@ -323,6 +327,10 @@ init_route(struct route_ipv4 *r,
 
     if (get_special_addr(rl, ro->network, (in_addr_t *) &special.s_addr, &status))
     {
+        if (!status)
+        {
+            goto fail;
+        }
         special.s_addr = htonl(special.s_addr);
         ret = openvpn_getaddrinfo(0, inet_ntoa(special), NULL, 0, NULL,
                                   AF_INET, network_list);
@@ -619,7 +627,7 @@ init_route_list(struct route_list *rl,
 
     rl->flags = opt->flags;
 
-    if (remote_host)
+    if (remote_host != IPV4_INVALID_ADDR)
     {
         rl->spec.remote_host = remote_host;
         rl->spec.flags |= RTSA_REMOTE_HOST;
@@ -1979,25 +1987,24 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt,
     }
     else
     {
-        struct buffer out = alloc_buf_gc(64, &gc);
+        DWORD adapter_index;
         if (r6->adapter_index)          /* vpn server special route */
         {
-            buf_printf(&out, "interface=%lu", r6->adapter_index );
+            adapter_index = r6->adapter_index;
             gateway_needed = true;
         }
         else
         {
-            buf_printf(&out, "interface=%lu", tt->adapter_index );
+            adapter_index = tt->adapter_index;
         }
-        device = buf_bptr(&out);
 
-        /* netsh interface ipv6 add route 2001:db8::/32 MyTunDevice */
-        argv_printf(&argv, "%s%s interface ipv6 add route %s/%d %s",
+        /* netsh interface ipv6 add route 2001:db8::/32 42 */
+        argv_printf(&argv, "%s%s interface ipv6 add route %s/%d %lu",
                     get_win_sys_path(),
                     NETSH_PATH_SUFFIX,
                     network,
                     r6->netbits,
-                    device);
+                    adapter_index);
 
         /* next-hop depends on TUN or TAP mode:
          * - in TAP mode, we use the "real" next-hop
@@ -2423,25 +2430,24 @@ delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt,
     }
     else
     {
-        struct buffer out = alloc_buf_gc(64, &gc);
+        DWORD adapter_index;
         if (r6->adapter_index)          /* vpn server special route */
         {
-            buf_printf(&out, "interface=%lu", r6->adapter_index );
+            adapter_index = r6->adapter_index;
             gateway_needed = true;
         }
         else
         {
-            buf_printf(&out, "interface=%lu", tt->adapter_index );
+            adapter_index = tt->adapter_index;
         }
-        device = buf_bptr(&out);
 
-        /* netsh interface ipv6 delete route 2001:db8::/32 MyTunDevice */
-        argv_printf(&argv, "%s%s interface ipv6 delete route %s/%d %s",
+        /* netsh interface ipv6 delete route 2001:db8::/32 42 */
+        argv_printf(&argv, "%s%s interface ipv6 delete route %s/%d %lu",
                     get_win_sys_path(),
                     NETSH_PATH_SUFFIX,
                     network,
                     r6->netbits,
-                    device);
+                    adapter_index);
 
         /* next-hop depends on TUN or TAP mode:
          * - in TAP mode, we use the "real" next-hop
@@ -3408,11 +3414,15 @@ struct rtmsg {
 
 /* the route socket code is identical for all 4 supported BSDs and for
  * MacOS X (Darwin), with one crucial difference: when going from
- * 32 bit to 64 bit, the BSDs increased the structure size but kept
+ * 32 bit to 64 bit, FreeBSD/OpenBSD increased the structure size but kept
  * source code compatibility by keeping the use of "long", while
  * MacOS X decided to keep binary compatibility by *changing* the API
  * to use "uint32_t", thus 32 bit on all OS X variants
  *
+ * NetBSD does the MacOS way of "fixed number of bits, no matter if
+ * 32 or 64 bit OS", but chose uint64_t.  For maximum portability, we
+ * just use the OS RT_ROUNDUP() macro, which is guaranteed to be correct.
+ *
  * We used to have a large amount of duplicate code here which really
  * differed only in this (long) vs. (uint32_t) - IMHO, worse than
  * having a combined block for all BSDs with this single #ifdef inside
@@ -3421,6 +3431,8 @@ struct rtmsg {
 #if defined(TARGET_DARWIN)
 #define ROUNDUP(a) \
     ((a) > 0 ? (1 + (((a) - 1) | (sizeof(uint32_t) - 1))) : sizeof(uint32_t))
+#elif defined(TARGET_NETBSD)
+#define ROUNDUP(a) RT_ROUNDUP(a)
 #else
 #define ROUNDUP(a) \
     ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
@@ -3729,7 +3741,7 @@ get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
     }
     if (write(sockfd, (char *)&m_rtmsg, l) < 0)
     {
-        msg(M_WARN, "GDG6: problem writing to routing socket");
+        msg(M_WARN|M_ERRNO, "GDG6: problem writing to routing socket");
         goto done;
     }
 
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index c486327..76bdbfc 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -1141,8 +1141,8 @@ create_socket(struct link_socket *sock, struct addrinfo *addr)
 #if defined(TARGET_LINUX)
     if (sock->bind_dev)
     {
-        msg (M_INFO, "Using bind-dev %s", sock->bind_dev);
-        if (setsockopt (sock->sd, SOL_SOCKET, SO_BINDTODEVICE, sock->bind_dev, strlen (sock->bind_dev) + 1) != 0)
+        msg(M_INFO, "Using bind-dev %s", sock->bind_dev);
+        if (setsockopt(sock->sd, SOL_SOCKET, SO_BINDTODEVICE, sock->bind_dev, strlen(sock->bind_dev) + 1) != 0)
         {
             msg(M_WARN|M_ERRNO, "WARN: setsockopt SO_BINDTODEVICE=%s failed", sock->bind_dev);
         }
@@ -2030,8 +2030,14 @@ phase2_inetd(struct link_socket *sock, const struct frame *frame,
             }
             else
             {
-                msg(M_WARN, "inetd(%s): getsockname(%d) failed, using AF_INET",
+                int saved_errno = errno;
+                msg(M_WARN|M_ERRNO, "inetd(%s): getsockname(%d) failed, using AF_INET",
                     proto2ascii(sock->info.proto, sock->info.af, false), (int)sock->sd);
+                /* if not called with a socket on stdin, --inetd cannot work */
+                if (saved_errno == ENOTSOCK)
+                {
+                    msg(M_FATAL, "ERROR: socket required for --inetd operation");
+                }
             }
         }
 #else  /* ifdef HAVE_GETSOCKNAME */
@@ -2047,7 +2053,6 @@ phase2_inetd(struct link_socket *sock, const struct frame *frame,
                                  false,
                                  sock->inetd == INETD_NOWAIT,
                                  signal_received);
-
     }
     ASSERT(!remote_changed);
 }
diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c
index 57f0cee..36df747 100644
--- a/src/openvpn/socks.c
+++ b/src/openvpn/socks.c
@@ -312,7 +312,7 @@ recv_socks_reply(socket_descriptor_t sd,
     char atyp = '\0';
     int alen = 0;
     int len = 0;
-    char buf[22];
+    char buf[270];		/* 4 + alen(max 256) + 2 */
     const int timeout_sec = 5;
 
     if (addr != NULL)
@@ -381,7 +381,10 @@ recv_socks_reply(socket_descriptor_t sd,
                     break;
 
                 case '\x03':    /* DOMAINNAME */
-                    alen = (unsigned char) c;
+                    /* RFC 1928, section 5: 1 byte length, <n> bytes name,
+                     * so the total "address length" is (length+1)
+                     */
+                    alen = (unsigned char) c + 1;
                     break;
 
                 case '\x04':    /* IP V6 */
@@ -451,7 +454,7 @@ establish_socks_proxy_passthru(struct socks_proxy_info *p,
                                const char *servname,    /* openvpn server port */
                                volatile int *signal_received)
 {
-    char buf[128];
+    char buf[270];
     size_t len;
 
     if (!socks_handshake(p, sd, signal_received))
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index 923131a..9eeaed0 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -68,7 +68,7 @@ const static GUID GUID_DEVINTERFACE_NET = { 0xcac88484, 0x7515, 0x4c03, { 0x82,
 #define NI_OPTIONS     (1<<2)
 
 static void netsh_ifconfig(const struct tuntap_options *to,
-                           const char *flex_name,
+                           DWORD adapter_index,
                            const in_addr_t ip,
                            const in_addr_t netmask,
                            const unsigned int flags);
@@ -79,7 +79,7 @@ static void windows_set_mtu(const int iface_index,
 
 static void netsh_set_dns6_servers(const struct in6_addr *addr_list,
                                    const int addr_len,
-                                   const char *flex_name);
+                                   DWORD adapter_index);
 
 static void netsh_command(const struct argv *a, int n, int msglevel);
 
@@ -115,11 +115,17 @@ do_address_service(const bool add, const short family, const struct tuntap *tt)
     {
         addr.address.ipv4.s_addr = htonl(tt->local);
         addr.prefix_len = netmask_to_netbits2(tt->adapter_netmask);
+        msg(D_IFCONFIG, "INET address service: %s %s/%d",
+            add ? "add" : "remove",
+            print_in_addr_t(tt->local, 0, &gc), addr.prefix_len);
     }
     else
     {
         addr.address.ipv6 = tt->local_ipv6;
-        addr.prefix_len = tt->netbits_ipv6;
+        addr.prefix_len = (tt->type == DEV_TYPE_TUN) ? 128 : tt->netbits_ipv6;
+        msg(D_IFCONFIG, "INET6 address service: %s %s/%d",
+            add ? "add" : "remove",
+            print_in6_addr(tt->local_ipv6, 0, &gc), addr.prefix_len);
     }
 
     if (!send_msg_iservice(pipe, &addr, sizeof(addr), &ack, "TUN"))
@@ -142,6 +148,61 @@ out:
     return ret;
 }
 
+static bool
+do_dns_domain_service(bool add, const struct tuntap *tt)
+{
+    bool ret = false;
+    ack_message_t ack;
+    struct gc_arena gc = gc_new();
+    HANDLE pipe = tt->options.msg_channel;
+
+    if (!tt->options.domain) /* no  domain to add or delete */
+    {
+        return true;
+    }
+
+    /* Use dns_cfg_msg with addr_len = 0 for setting only the DOMAIN */
+    dns_cfg_message_t dns = {
+        .header = {
+            (add ? msg_add_dns_cfg : msg_del_dns_cfg),
+            sizeof(dns_cfg_message_t),
+            0
+        },
+        .iface = { .index = tt->adapter_index, .name = "" },
+        .domains = "",      /* set below */
+        .family = AF_INET,  /* unused */
+        .addr_len = 0       /* add/delete only the domain, not DNS servers */
+    };
+
+    strncpynt(dns.iface.name, tt->actual_name, sizeof(dns.iface.name));
+    strncpynt(dns.domains, tt->options.domain, sizeof(dns.domains));
+    /* truncation of domain name is not checked as it can't happen
+     * with 512 bytes room in dns.domains.
+     */
+
+    msg(D_LOW, "%s dns domain on '%s' (if_index = %d) using service",
+            (add ? "Setting" : "Deleting"), dns.iface.name, dns.iface.index);
+    if (!send_msg_iservice(pipe, &dns, sizeof(dns), &ack, "TUN"))
+    {
+        goto out;
+    }
+
+    if (ack.error_number != NO_ERROR)
+    {
+        msg(M_WARN, "TUN: %s dns domain failed using service: %s [status=%u if_name=%s]",
+            (add ? "adding" : "deleting"), strerror_win32(ack.error_number, &gc),
+            ack.error_number, dns.iface.name);
+        goto out;
+    }
+
+    msg(M_INFO, "DNS domain %s using service", (add ? "set" : "deleted"));
+    ret = true;
+
+out:
+    gc_free(&gc);
+    return ret;
+}
+
 static bool
 do_dns_service(bool add, const short family, const struct tuntap *tt)
 {
@@ -158,6 +219,7 @@ do_dns_service(bool add, const short family, const struct tuntap *tt)
         return true;
     }
 
+    /* Use dns_cfg_msg with domain = "" for setting only the DNS servers */
     dns_cfg_message_t dns = {
         .header = {
             (add ? msg_add_dns_cfg : msg_del_dns_cfg),
@@ -1088,26 +1150,40 @@ do_ifconfig_ipv6(struct tuntap *tt, const char *ifname, int tun_mtu,
     else if (tt->options.msg_channel)
     {
         do_address_service(true, AF_INET6, tt);
-        add_route_connected_v6_net(tt, es);
+        if (tt->type == DEV_TYPE_TUN)
+        {
+            add_route_connected_v6_net(tt, es);
+        }
         do_dns_service(true, AF_INET6, tt);
         do_set_mtu_service(tt, AF_INET6, tun_mtu);
+        /* If IPv4 is not enabled, set DNS domain here */
+        if (!tt->did_ifconfig_setup)
+        {
+           do_dns_domain_service(true, tt);
+        }
     }
     else
     {
-        /* example: netsh interface ipv6 set address interface=42
-         *                  2001:608:8003::d store=active
+        /* example: netsh interface ipv6 set address 42
+         *                  2001:608:8003::d/bits store=active
+         */
+
+        /* in TUN mode, we only simulate a subnet, so the interface
+         * is configured with /128 + a route to fe80::8.  In TAP mode,
+         * the correct netbits must be set, and no on-link route
          */
-        char iface[64];
+        int netbits = (tt->type == DEV_TYPE_TUN) ? 128 : tt->netbits_ipv6;
 
-        openvpn_snprintf(iface, sizeof(iface), "interface=%lu",
-                         tt->adapter_index);
-        argv_printf(&argv, "%s%s interface ipv6 set address %s %s store=active",
-                    get_win_sys_path(), NETSH_PATH_SUFFIX, iface,
-                    ifconfig_ipv6_local);
+        argv_printf(&argv, "%s%s interface ipv6 set address %lu %s/%d store=active",
+                    get_win_sys_path(), NETSH_PATH_SUFFIX, tt->adapter_index,
+                    ifconfig_ipv6_local, netbits);
         netsh_command(&argv, 4, M_FATAL);
-        add_route_connected_v6_net(tt, es);
+        if (tt->type == DEV_TYPE_TUN)
+        {
+            add_route_connected_v6_net(tt, es);
+        }
         /* set ipv6 dns servers if any are specified */
-        netsh_set_dns6_servers(tt->options.dns6, tt->options.dns6_len, ifname);
+        netsh_set_dns6_servers(tt->options.dns6, tt->options.dns6_len, tt->adapter_index);
         windows_set_mtu(tt->adapter_index, AF_INET6, tun_mtu);
     }
 #else /* platforms we have no IPv6 code for */
@@ -1224,7 +1300,7 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu,
         argv_printf(&argv, "%s %s netmask 255.255.255.255", IFCONFIG_PATH,
                     ifname);
     }
-    else if (tt->topology == TOP_SUBNET)
+    else if (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)
     {
         argv_printf(&argv, "%s %s %s %s netmask %s mtu %d up", IFCONFIG_PATH,
                     ifname, ifconfig_local, ifconfig_local,
@@ -1243,7 +1319,7 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu,
         solaris_error_close(tt, es, ifname, false);
     }
 
-    if (!tun && tt->topology == TOP_SUBNET)
+    if (!tun && tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)
     {
         /* Add a network route for the local tun interface */
         struct route_ipv4 r;
@@ -1274,7 +1350,7 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu,
                     IFCONFIG_PATH, ifname, ifconfig_local,
                     ifconfig_remote_netmask, tun_mtu);
     }
-    else if (tt->topology == TOP_SUBNET)
+    else if (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)
     {
         remote_end = create_arbitrary_remote( tt );
         argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up -link0",
@@ -1292,7 +1368,7 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu,
     openvpn_execve_check(&argv, es, S_FATAL, "OpenBSD ifconfig failed");
 
     /* Add a network route for the local tun interface */
-    if (!tun && tt->topology == TOP_SUBNET)
+    if (!tun && tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)
     {
         struct route_ipv4 r;
         CLEAR(r);
@@ -1312,7 +1388,7 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu,
                     IFCONFIG_PATH, ifname, ifconfig_local,
                     ifconfig_remote_netmask, tun_mtu);
     }
-    else if (tt->topology == TOP_SUBNET)
+    else if (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)
     {
         remote_end = create_arbitrary_remote(tt);
         argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up", IFCONFIG_PATH,
@@ -1334,7 +1410,7 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu,
     openvpn_execve_check(&argv, es, S_FATAL, "NetBSD ifconfig failed");
 
     /* Add a network route for the local tun interface */
-    if (!tun && tt->topology == TOP_SUBNET)
+    if (!tun && tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)
     {
         struct route_ipv4 r;
         CLEAR(r);
@@ -1366,7 +1442,7 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu,
     }
     else
     {
-        if (tt->topology == TOP_SUBNET)
+        if (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)
         {
             argv_printf(&argv, "%s %s %s %s netmask %s mtu %d up",
                         IFCONFIG_PATH, ifname, ifconfig_local, ifconfig_local,
@@ -1384,7 +1460,7 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu,
     openvpn_execve_check(&argv, es, S_FATAL, "Mac OS X ifconfig failed");
 
     /* Add a network route for the local tun interface */
-    if (!tun && tt->topology == TOP_SUBNET)
+    if (!tun && tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)
     {
         struct route_ipv4 r;
         CLEAR(r);
@@ -1406,7 +1482,7 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu,
                     IFCONFIG_PATH, ifname, ifconfig_local,
                     ifconfig_remote_netmask, tun_mtu);
     }
-    else if (tt->topology == TOP_SUBNET)
+    else if (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)
     {
         remote_end = create_arbitrary_remote( tt );
         argv_printf(&argv, "%s %s %s %s mtu %d netmask %s up", IFCONFIG_PATH,
@@ -1423,7 +1499,7 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu,
     openvpn_execve_check(&argv, es, S_FATAL, "FreeBSD ifconfig failed");
 
     /* Add a network route for the local tun interface */
-    if (!tun && tt->topology == TOP_SUBNET)
+    if (!tun && tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET)
     {
         struct route_ipv4 r;
         CLEAR(r);
@@ -1455,8 +1531,6 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu,
         env_set_destroy(aix_es);
     }
 #elif defined (_WIN32)
-    ASSERT(ifname != NULL);
-
     if (tt->options.ip_win32_type == IPW32_SET_MANUAL)
     {
         msg(M_INFO,
@@ -1472,10 +1546,11 @@ do_ifconfig_ipv4(struct tuntap *tt, const char *ifname, int tun_mtu,
     {
         do_address_service(true, AF_INET, tt);
         do_dns_service(true, AF_INET, tt);
+        do_dns_domain_service(true, tt);
     }
     else if (tt->options.ip_win32_type == IPW32_SET_NETSH)
     {
-        netsh_ifconfig(&tt->options, ifname, tt->local,
+        netsh_ifconfig(&tt->options, tt->adapter_index, tt->local,
                        tt->adapter_netmask, NI_IP_NETMASK|NI_OPTIONS);
     }
     if (tt->options.msg_channel)
@@ -1993,6 +2068,11 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun
 
 #ifdef ENABLE_FEATURE_TUN_PERSIST
 
+/* TUNSETGROUP appeared in 2.6.23 */
+#ifndef TUNSETGROUP
+# define TUNSETGROUP   _IOW('T', 206, int)
+#endif
+
 void
 tuncfg(const char *dev, const char *dev_type, const char *dev_node,
        int persist_mode, const char *username, const char *groupname,
@@ -2032,7 +2112,7 @@ tuncfg(const char *dev, const char *dev_type, const char *dev_node,
         }
         else if (ioctl(tt->fd, TUNSETGROUP, platform_state_group.gr->gr_gid) < 0)
         {
-            msg(M_ERR, "Cannot ioctl TUNSETOWNER(%s) %s", groupname, dev);
+            msg(M_ERR, "Cannot ioctl TUNSETGROUP(%s) %s", groupname, dev);
         }
     }
     close_tun(tt, ctx);
@@ -5263,23 +5343,29 @@ ip_addr_member_of(const in_addr_t addr, const IP_ADDR_STRING *ias)
  * Set the ipv6 dns servers on the specified interface.
  * The list of dns servers currently set on the interface
  * are cleared first.
- * No action is taken if number of addresses (addr_len) < 1.
  */
 static void
 netsh_set_dns6_servers(const struct in6_addr *addr_list,
                        const int addr_len,
-                       const char *flex_name)
+                       DWORD adapter_index)
 {
     struct gc_arena gc = gc_new();
     struct argv argv = argv_new();
 
+    /* delete existing DNS settings from TAP interface */
+    argv_printf(&argv, "%s%s interface ipv6 delete dns %lu all",
+                get_win_sys_path(),
+                NETSH_PATH_SUFFIX,
+                adapter_index);
+    netsh_command(&argv, 2, M_FATAL);
+
     for (int i = 0; i < addr_len; ++i)
     {
         const char *fmt = (i == 0) ?
-                          "%s%s interface ipv6 set dns %s static %s"
-                          : "%s%s interface ipv6 add dns %s %s";
+                          "%s%s interface ipv6 set dns %lu static %s"
+                          : "%s%s interface ipv6 add dns %lu %s";
         argv_printf(&argv, fmt, get_win_sys_path(),
-                    NETSH_PATH_SUFFIX, flex_name,
+                    NETSH_PATH_SUFFIX, adapter_index,
                     print_in6_addr(addr_list[i], 0, &gc));
 
         /* disable slow address validation on Windows 7 and higher */
@@ -5301,7 +5387,7 @@ netsh_ifconfig_options(const char *type,
                        const in_addr_t *addr_list,
                        const int addr_len,
                        const IP_ADDR_STRING *current,
-                       const char *flex_name,
+                       DWORD adapter_index,
                        const bool test_first)
 {
     struct gc_arena gc = gc_new();
@@ -5325,11 +5411,11 @@ netsh_ifconfig_options(const char *type,
     /* delete existing DNS/WINS settings from TAP interface */
     if (delete_first)
     {
-        argv_printf(&argv, "%s%s interface ip delete %s %s all",
+        argv_printf(&argv, "%s%s interface ip delete %s %lu all",
                     get_win_sys_path(),
                     NETSH_PATH_SUFFIX,
                     type,
-                    flex_name);
+                    adapter_index);
         netsh_command(&argv, 2, M_FATAL);
     }
 
@@ -5342,14 +5428,14 @@ netsh_ifconfig_options(const char *type,
             if (delete_first || !test_first || !ip_addr_member_of(addr_list[i], current))
             {
                 const char *fmt = count ?
-                                  "%s%s interface ip add %s %s %s"
-                                  : "%s%s interface ip set %s %s static %s";
+                                  "%s%s interface ip add %s %lu %s"
+                                  : "%s%s interface ip set %s %lu static %s";
 
                 argv_printf(&argv, fmt,
                             get_win_sys_path(),
                             NETSH_PATH_SUFFIX,
                             type,
-                            flex_name,
+                            adapter_index,
                             print_in_addr_t(addr_list[i], 0, &gc));
 
                 /* disable slow address validation on Windows 7 and higher */
@@ -5365,8 +5451,8 @@ netsh_ifconfig_options(const char *type,
             }
             else
             {
-                msg(M_INFO, "NETSH: \"%s\" %s %s [already set]",
-                    flex_name,
+                msg(M_INFO, "NETSH: %lu %s %s [already set]",
+                    adapter_index,
                     type,
                     print_in_addr_t(addr_list[i], 0, &gc));
             }
@@ -5397,7 +5483,7 @@ init_ip_addr_string2(IP_ADDR_STRING *dest, const IP_ADDR_STRING *src1, const IP_
 
 static void
 netsh_ifconfig(const struct tuntap_options *to,
-               const char *flex_name,
+               DWORD adapter_index,
                const in_addr_t ip,
                const in_addr_t netmask,
                const unsigned int flags)
@@ -5410,27 +5496,26 @@ netsh_ifconfig(const struct tuntap_options *to,
     if (flags & NI_TEST_FIRST)
     {
         const IP_ADAPTER_INFO *list = get_adapter_info_list(&gc);
-        const int index = get_adapter_index_flexible(flex_name);
-        ai = get_adapter(list, index);
-        pai = get_per_adapter_info(index, &gc);
+        ai = get_adapter(list, adapter_index);
+        pai = get_per_adapter_info(adapter_index, &gc);
     }
 
     if (flags & NI_IP_NETMASK)
     {
         if (test_adapter_ip_netmask(ai, ip, netmask))
         {
-            msg(M_INFO, "NETSH: \"%s\" %s/%s [already set]",
-                flex_name,
+            msg(M_INFO, "NETSH: %lu %s/%s [already set]",
+                adapter_index,
                 print_in_addr_t(ip, 0, &gc),
                 print_in_addr_t(netmask, 0, &gc));
         }
         else
         {
-            /* example: netsh interface ip set address my-tap static 10.3.0.1 255.255.255.0 */
-            argv_printf(&argv, "%s%s interface ip set address %s static %s %s",
+            /* example: netsh interface ip set address 42 static 10.3.0.1 255.255.255.0 */
+            argv_printf(&argv, "%s%s interface ip set address %lu static %s %s",
                         get_win_sys_path(),
                         NETSH_PATH_SUFFIX,
-                        flex_name,
+                        adapter_index,
                         print_in_addr_t(ip, 0, &gc),
                         print_in_addr_t(netmask, 0, &gc));
 
@@ -5449,7 +5534,7 @@ netsh_ifconfig(const struct tuntap_options *to,
                                to->dns,
                                to->dns_len,
                                pai ? &pai->DnsServerList : NULL,
-                               flex_name,
+                               adapter_index,
                                BOOL_CAST(flags & NI_TEST_FIRST));
         if (ai && ai->HaveWins)
         {
@@ -5460,7 +5545,7 @@ netsh_ifconfig(const struct tuntap_options *to,
                                to->wins,
                                to->wins_len,
                                ai ? wins : NULL,
-                               flex_name,
+                               adapter_index,
                                BOOL_CAST(flags & NI_TEST_FIRST));
     }
 
@@ -5469,16 +5554,16 @@ netsh_ifconfig(const struct tuntap_options *to,
 }
 
 static void
-netsh_enable_dhcp(const char *actual_name)
+netsh_enable_dhcp(DWORD adapter_index)
 {
     struct argv argv = argv_new();
 
-    /* example: netsh interface ip set address my-tap dhcp */
+    /* example: netsh interface ip set address 42 dhcp */
     argv_printf(&argv,
-                "%s%s interface ip set address %s dhcp",
+                "%s%s interface ip set address %lu dhcp",
                 get_win_sys_path(),
                 NETSH_PATH_SUFFIX,
-                actual_name);
+                adapter_index);
 
     netsh_command(&argv, 4, M_FATAL);
 
@@ -5624,7 +5709,7 @@ tun_standby(struct tuntap *tt)
         {
             msg(M_INFO, "NOTE: now trying netsh (this may take some time)");
             netsh_ifconfig(&tt->options,
-                           tt->actual_name,
+                           tt->adapter_index,
                            tt->local,
                            tt->adapter_netmask,
                            NI_TEST_FIRST|NI_IP_NETMASK|NI_OPTIONS);
@@ -6529,7 +6614,7 @@ tuntap_set_ip_props(const struct tuntap *tt, bool *dhcp_masq, bool *dhcp_masq_po
             }
             else
             {
-                netsh_enable_dhcp(tt->actual_name);
+                netsh_enable_dhcp(tt->adapter_index);
             }
         }
         *dhcp_masq = true;
@@ -6543,7 +6628,7 @@ tuntap_set_ip_props(const struct tuntap *tt, bool *dhcp_masq, bool *dhcp_masq_po
         if (dhcp_status(tt->adapter_index) != DHCP_STATUS_ENABLED)
         {
             netsh_ifconfig(&tt->options,
-                           tt->actual_name,
+                           tt->adapter_index,
                            tt->local,
                            tt->adapter_netmask,
                            NI_TEST_FIRST | NI_IP_NETMASK | NI_OPTIONS);
@@ -6675,15 +6760,25 @@ netsh_delete_address_dns(const struct tuntap *tt, bool ipv6, struct gc_arena *gc
     if (len > 0)
     {
         argv_printf(&argv,
-                    "%s%s interface %s delete dns %s all",
+                    "%s%s interface %s delete dns %lu all",
                     get_win_sys_path(),
                     NETSH_PATH_SUFFIX,
                     ipv6 ? "ipv6" : "ipv4",
-                    tt->actual_name);
+                    tt->adapter_index);
         netsh_command(&argv, 1, M_WARN);
     }
 
-    if (ipv6)
+    if (!ipv6 && tt->options.wins_len > 0)
+    {
+        argv_printf(&argv,
+                    "%s%s interface ipv4 delete winsservers %lu all",
+                    get_win_sys_path(),
+                    NETSH_PATH_SUFFIX,
+                    tt->adapter_index);
+        netsh_command(&argv, 1, M_WARN);
+    }
+
+    if (ipv6 && tt->type == DEV_TYPE_TUN)
     {
         delete_route_connected_v6_net(tt);
     }
@@ -6692,7 +6787,7 @@ netsh_delete_address_dns(const struct tuntap *tt, bool ipv6, struct gc_arena *gc
      * address we added (pointed out by Cedric Tabary).
      */
 
-    /* netsh interface ipvX delete address \"%s\" %s */
+    /* netsh interface ipvX delete address %lu %s */
     if (ipv6)
     {
         ifconfig_ip_local = print_in6_addr(tt->local_ipv6, 0, gc);
@@ -6702,11 +6797,11 @@ netsh_delete_address_dns(const struct tuntap *tt, bool ipv6, struct gc_arena *gc
         ifconfig_ip_local = print_in_addr_t(tt->local, 0, gc);
     }
     argv_printf(&argv,
-                "%s%s interface %s delete address %s %s store=active",
+                "%s%s interface %s delete address %lu %s store=active",
                 get_win_sys_path(),
                 NETSH_PATH_SUFFIX,
                 ipv6 ? "ipv6" : "ipv4",
-                tt->actual_name,
+                tt->adapter_index,
                 ifconfig_ip_local);
     netsh_command(&argv, 1, M_WARN);
 
@@ -6728,6 +6823,11 @@ close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
         }
         else if (tt->options.msg_channel)
         {
+            /* If IPv4 is not enabled, delete DNS domain here */
+            if (!tt->did_ifconfig_setup)
+            {
+                do_dns_domain_service(false, tt);
+            }
             if (tt->options.dns6_len > 0)
             {
                 do_dns_service(false, AF_INET6, tt);
@@ -6753,6 +6853,7 @@ close_tun(struct tuntap *tt, openvpn_net_ctx_t *ctx)
         }
         else if (tt->options.msg_channel)
         {
+            do_dns_domain_service(false, tt);
             do_dns_service(false, AF_INET, tt);
             do_address_service(false, AF_INET, tt);
         }
diff --git a/src/openvpnmsica/dllmain.c b/src/openvpnmsica/dllmain.c
index 201fd9a..34946ed 100644
--- a/src/openvpnmsica/dllmain.c
+++ b/src/openvpnmsica/dllmain.c
@@ -193,6 +193,6 @@ x_msg_va(const unsigned int flags, const char *format, va_list arglist)
         }
     }
 
-    MsiProcessMessage(s->hInstall, INSTALLMESSAGE_ERROR, hRecordProg);
+    MsiProcessMessage(s->hInstall, (flags & M_WARN) ? INSTALLMESSAGE_INFO : INSTALLMESSAGE_ERROR, hRecordProg);
     MsiCloseHandle(hRecordProg);
 }
diff --git a/src/openvpnmsica/openvpnmsica.c b/src/openvpnmsica/openvpnmsica.c
index 31e90bd..de1cf65 100644
--- a/src/openvpnmsica/openvpnmsica.c
+++ b/src/openvpnmsica/openvpnmsica.c
@@ -248,7 +248,7 @@ cleanup_OpenSCManager:
 }
 
 
-static UINT
+static void
 find_adapters(
     _In_ MSIHANDLE hInstall,
     _In_z_ LPCTSTR szzHardwareIDs,
@@ -262,12 +262,12 @@ find_adapters(
     uiResult = tap_list_adapters(NULL, szzHardwareIDs, &pAdapterList);
     if (uiResult != ERROR_SUCCESS)
     {
-        return uiResult;
+        return;
     }
     else if (pAdapterList == NULL)
     {
         /* No adapters - no fun. */
-        return ERROR_SUCCESS;
+        return;
     }
 
     /* Get IPv4/v6 info for all network adapters. Actually, we're interested in link status only: up/down? */
@@ -394,7 +394,6 @@ cleanup_pAdapterAdresses:
     free(pAdapterAdresses);
 cleanup_pAdapterList:
     tap_free_adapter_list(pAdapterList);
-    return uiResult;
 }
 
 
@@ -1096,12 +1095,9 @@ ProcessDeferredAction(_In_ MSIHANDLE hInstall)
             dwResult = tap_create_adapter(NULL, NULL, szHardwareId, &bRebootRequired, &guidAdapter);
             if (dwResult == ERROR_SUCCESS)
             {
-                /* Set adapter name. */
-                dwResult = tap_set_adapter_name(&guidAdapter, szName);
-                if (dwResult != ERROR_SUCCESS)
-                {
-                    tap_delete_adapter(NULL, &guidAdapter, &bRebootRequired);
-                }
+                /* Set adapter name. May fail on some machines, but that is not critical - use silent
+                   flag to mute messagebox and print error only to log */
+                tap_set_adapter_name(&guidAdapter, szName, TRUE);
             }
         }
         else if (wcsncmp(szArg[i], L"deleteN=", 8) == 0)
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index 207cc4a..65bb106 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -91,6 +91,7 @@ typedef enum {
     block_dns,
     undo_dns4,
     undo_dns6,
+    undo_domain,
     _undo_type_max
 } undo_type_t;
 typedef list_item_t *undo_lists_t[_undo_type_max];
@@ -564,6 +565,24 @@ InterfaceLuid(const char *iface_name, PNET_LUID luid)
     return status;
 }
 
+static DWORD
+ConvertInterfaceNameToIndex(const wchar_t *ifname, NET_IFINDEX *index)
+{
+   NET_LUID luid;
+   DWORD err;
+
+   err = ConvertInterfaceAliasToLuid(ifname, &luid);
+   if (err == ERROR_SUCCESS)
+   {
+       err = ConvertInterfaceLuidToIndex(&luid, index);
+   }
+   if (err != ERROR_SUCCESS)
+   {
+       MsgToEventLog(M_ERR, L"Failed to find interface index for <%s>", ifname);
+   }
+   return err;
+}
+
 static BOOL
 CmpAddress(LPVOID item, LPVOID address)
 {
@@ -1057,6 +1076,53 @@ out:
     return err;
 }
 
+/**
+ * Run command: wmic nicconfig (InterfaceIndex=$if_index) call $action ($data)
+ * @param  if_index    "index of interface"
+ * @param  action      e.g., "SetDNSDomain"
+ * @param  data        data if required for action
+ *                     - a single word for SetDNSDomain, empty or NULL to delete
+ *                     - comma separated values for a list
+ */
+static DWORD
+wmic_nicconfig_cmd(const wchar_t *action, const NET_IFINDEX if_index,
+                   const wchar_t *data)
+{
+    DWORD err = 0;
+    wchar_t argv0[MAX_PATH];
+    wchar_t *cmdline = NULL;
+    int timeout = 10000; /* in msec */
+
+    swprintf(argv0, _countof(argv0), L"%s\\%s", get_win_sys_path(), L"wbem\\wmic.exe");
+    argv0[_countof(argv0) - 1] = L'\0';
+
+    const wchar_t *fmt;
+    /* comma separated list must be enclosed in parenthesis */
+    if (data && wcschr(data, L','))
+    {
+       fmt = L"wmic nicconfig where (InterfaceIndex=%ld) call %s (%s)";
+    }
+    else
+    {
+       fmt = L"wmic nicconfig where (InterfaceIndex=%ld) call %s %s";
+    }
+
+    size_t ncmdline = wcslen(fmt) + 20 + wcslen(action) /* max 20 for ifindex */
+                    + (data ? wcslen(data) + 1 : 1);
+    cmdline = malloc(ncmdline*sizeof(wchar_t));
+    if (!cmdline)
+    {
+        return ERROR_OUTOFMEMORY;
+    }
+
+    openvpn_sntprintf(cmdline, ncmdline, fmt, if_index, action,
+                      data? data : L"");
+    err = ExecCommand(argv0, cmdline, timeout);
+
+    free(cmdline);
+    return err;
+}
+
 /* Delete all IPv4 or IPv6 dns servers for an interface */
 static DWORD
 DeleteDNS(short family, wchar_t *if_name)
@@ -1079,6 +1145,54 @@ CmpWString(LPVOID item, LPVOID str)
     return (wcscmp(item, str) == 0) ? TRUE : FALSE;
 }
 
+/**
+ * Set interface specific DNS domain suffix
+ * @param  if_name    name of the the interface
+ * @param  domain     a single domain name
+ * @param  lists      pointer to the undo lists. If NULL
+ *                    undo lists are not altered.
+ * Will delete the currently set value if domain is empty.
+ */
+static DWORD
+SetDNSDomain(const wchar_t *if_name, const char *domain, undo_lists_t *lists)
+{
+   NET_IFINDEX if_index;
+
+   DWORD err  = ConvertInterfaceNameToIndex(if_name, &if_index);
+   if (err != ERROR_SUCCESS)
+   {
+       return err;
+   }
+
+   wchar_t *wdomain = utf8to16(domain); /* utf8 to wide-char */
+   if (!wdomain)
+   {
+       return ERROR_OUTOFMEMORY;
+   }
+
+   /* free undo list if previously set */
+   if (lists)
+   {
+       free(RemoveListItem(&(*lists)[undo_domain], CmpWString, (void *)if_name));
+   }
+
+   err = wmic_nicconfig_cmd(L"SetDNSDomain", if_index, wdomain);
+
+   /* Add to undo list if domain is non-empty */
+   if (err == 0 && wdomain[0] && lists)
+   {
+        wchar_t *tmp_name = wcsdup(if_name);
+        if (!tmp_name || AddListItem(&(*lists)[undo_domain], tmp_name))
+        {
+            free(tmp_name);
+            err = ERROR_OUTOFMEMORY;
+        }
+   }
+
+   free(wdomain);
+   return err;
+}
+
 static DWORD
 HandleDNSConfigMessage(const dns_cfg_message_t *msg, undo_lists_t *lists)
 {
@@ -1098,6 +1212,13 @@ HandleDNSConfigMessage(const dns_cfg_message_t *msg, undo_lists_t *lists)
         return ERROR_MESSAGE_DATA;
     }
 
+    /* use a non-const reference with limited scope to enforce null-termination of strings from client */
+    {
+        dns_cfg_message_t *msgptr = (dns_cfg_message_t *) msg;
+        msgptr->iface.name[_countof(msg->iface.name)-1] = '\0';
+        msgptr->domains[_countof(msg->domains)-1] = '\0';
+    }
+
     wchar_t *wide_name = utf8to16(msg->iface.name); /* utf8 to wide-char */
     if (!wide_name)
     {
@@ -1117,9 +1238,14 @@ HandleDNSConfigMessage(const dns_cfg_message_t *msg, undo_lists_t *lists)
         free(RemoveListItem(&(*lists)[undo_type], CmpWString, wide_name));
     }
 
-    if (msg->header.type == msg_del_dns_cfg) /* job done */
+    if (msg->header.type == msg_del_dns_cfg)
     {
-        goto out;
+        if (msg->domains[0])
+        {
+            /* setting an empty domain removes any previous value */
+            err = SetDNSDomain(wide_name, "", lists);
+        }
+        goto out;  /* job done */
     }
 
     for (int i = 0; i < addr_len; ++i)
@@ -1142,6 +1268,8 @@ HandleDNSConfigMessage(const dns_cfg_message_t *msg, undo_lists_t *lists)
          */
     }
 
+    err = 0;
+
     if (msg->addr_len > 0)
     {
         wchar_t *tmp_name = wcsdup(wide_name);
@@ -1154,7 +1282,10 @@ HandleDNSConfigMessage(const dns_cfg_message_t *msg, undo_lists_t *lists)
         }
     }
 
-    err = 0;
+    if (msg->domains[0])
+    {
+        err = SetDNSDomain(wide_name, msg->domains, lists);
+    }
 
 out:
     free(wide_name);
@@ -1445,6 +1576,10 @@ Undo(undo_lists_t *lists)
                     DeleteDNS(AF_INET6, item->data);
                     break;
 
+                case undo_domain:
+                    SetDNSDomain(item->data, "", NULL);
+                    break;
+
                 case block_dns:
                     interface_data = (block_dns_data_t *)(item->data);
                     delete_block_dns_filters(interface_data->engine);
diff --git a/src/tapctl/main.c b/src/tapctl/main.c
index 31bb2ec..d5bc729 100644
--- a/src/tapctl/main.c
+++ b/src/tapctl/main.c
@@ -237,7 +237,7 @@ _tmain(int argc, LPCTSTR argv[])
             }
 
             /* Rename the adapter. */
-            dwResult = tap_set_adapter_name(&guidAdapter, szName);
+            dwResult = tap_set_adapter_name(&guidAdapter, szName, FALSE);
             if (dwResult != ERROR_SUCCESS)
             {
                 StringFromIID((REFIID)&guidAdapter, &szAdapterId);
diff --git a/src/tapctl/tap.c b/src/tapctl/tap.c
index 7cb3ded..dd4a10a 100644
--- a/src/tapctl/tap.c
+++ b/src/tapctl/tap.c
@@ -33,18 +33,69 @@
 #include <setupapi.h>
 #include <stdio.h>
 #include <tchar.h>
+#include <newdev.h>
 
 #ifdef _MSC_VER
 #pragma comment(lib, "advapi32.lib")
 #pragma comment(lib, "ole32.lib")
 #pragma comment(lib, "setupapi.lib")
+#pragma comment(lib, "newdev.lib")
 #endif
 
+
 const static GUID GUID_DEVCLASS_NET = { 0x4d36e972L, 0xe325, 0x11ce, { 0xbf, 0xc1, 0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18 } };
 
 const static TCHAR szAdapterRegKeyPathTemplate[] = TEXT("SYSTEM\\CurrentControlSet\\Control\\Network\\%") TEXT(PRIsLPOLESTR) TEXT("\\%") TEXT(PRIsLPOLESTR) TEXT("\\Connection");
 #define ADAPTER_REGKEY_PATH_MAX (_countof(TEXT("SYSTEM\\CurrentControlSet\\Control\\Network\\")) - 1 + 38 + _countof(TEXT("\\")) - 1 + 38 + _countof(TEXT("\\Connection")))
 
+/**
+ * Dynamically load a library and find a function in it
+ *
+ * @param libname     Name of the library to load
+ * @param funcname    Name of the function to find
+ * @param m           Pointer to a module. On return this is set to the
+ *                    the handle to the loaded library. The caller must
+ *                    free it by calling FreeLibrary() if not NULL.
+ *
+ * @return            Pointer to the function
+ *                    NULL on error -- use GetLastError() to find the error code.
+ *
+ **/
+static void *
+find_function(const WCHAR *libname, const char *funcname, HMODULE *m)
+{
+    WCHAR libpath[MAX_PATH];
+    void *fptr = NULL;
+
+    /* Make sure the dll is loaded from the system32 folder */
+    if (!GetSystemDirectoryW(libpath, _countof(libpath)))
+    {
+       return NULL;
+    }
+
+    size_t len = _countof(libpath) - wcslen(libpath) - 1;
+    if (len < wcslen(libname) + 1)
+    {
+       SetLastError(ERROR_INSUFFICIENT_BUFFER);
+       return NULL;
+    }
+    wcsncat(libpath, L"\\", len);
+    wcsncat(libpath, libname, len-1);
+
+    *m = LoadLibraryW(libpath);
+    if (*m == NULL)
+    {
+       return NULL;
+    }
+    fptr = GetProcAddress(*m, funcname);
+    if (!fptr)
+    {
+       FreeLibrary(*m);
+       *m = NULL;
+       return NULL;
+    }
+    return fptr;
+}
 
 /**
  * Returns length of string of strings
@@ -678,6 +729,7 @@ tap_create_adapter(
     _Out_ LPGUID pguidAdapter)
 {
     DWORD dwResult;
+    HMODULE libnewdev = NULL;
 
     if (szHwId == NULL
         || pbRebootRequired == NULL
@@ -746,129 +798,7 @@ tap_create_adapter(
         goto cleanup_hDevInfoList;
     }
 
-    /* Search for the driver. */
-    if (!SetupDiBuildDriverInfoList(
-            hDevInfoList,
-            &devinfo_data,
-            SPDIT_CLASSDRIVER))
-    {
-        dwResult = GetLastError();
-        msg(M_NONFATAL, "%s: SetupDiBuildDriverInfoList failed", __FUNCTION__);
-        goto cleanup_hDevInfoList;
-    }
-    DWORDLONG dwlDriverVersion = 0;
-    DWORD drvinfo_detail_data_size = sizeof(SP_DRVINFO_DETAIL_DATA) + 0x100;
-    SP_DRVINFO_DETAIL_DATA *drvinfo_detail_data = (SP_DRVINFO_DETAIL_DATA *)malloc(drvinfo_detail_data_size);
-    if (drvinfo_detail_data == NULL)
-    {
-        msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__, drvinfo_detail_data_size);
-        dwResult = ERROR_OUTOFMEMORY; goto cleanup_DriverInfoList;
-    }
-
-    for (DWORD dwIndex = 0;; dwIndex++)
-    {
-        /* Get a driver from the list. */
-        SP_DRVINFO_DATA drvinfo_data = { .cbSize = sizeof(SP_DRVINFO_DATA) };
-        if (!SetupDiEnumDriverInfo(
-                hDevInfoList,
-                &devinfo_data,
-                SPDIT_CLASSDRIVER,
-                dwIndex,
-                &drvinfo_data))
-        {
-            if (GetLastError() == ERROR_NO_MORE_ITEMS)
-            {
-                break;
-            }
-            else
-            {
-                /* Something is wrong with this driver. Skip it. */
-                msg(M_WARN | M_ERRNO, "%s: SetupDiEnumDriverInfo(%u) failed", __FUNCTION__, dwIndex);
-                continue;
-            }
-        }
-
-        /* Get driver info details. */
-        DWORD dwSize;
-        drvinfo_detail_data->cbSize = sizeof(SP_DRVINFO_DETAIL_DATA);
-        if (!SetupDiGetDriverInfoDetail(
-                hDevInfoList,
-                &devinfo_data,
-                &drvinfo_data,
-                drvinfo_detail_data,
-                drvinfo_detail_data_size,
-                &dwSize))
-        {
-            if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
-            {
-                /* (Re)allocate buffer. */
-                if (drvinfo_detail_data)
-                {
-                    free(drvinfo_detail_data);
-                }
-
-                drvinfo_detail_data_size = dwSize;
-                drvinfo_detail_data = (SP_DRVINFO_DETAIL_DATA *)malloc(drvinfo_detail_data_size);
-                if (drvinfo_detail_data == NULL)
-                {
-                    msg(M_FATAL, "%s: malloc(%u) failed", __FUNCTION__, drvinfo_detail_data_size);
-                    dwResult = ERROR_OUTOFMEMORY; goto cleanup_DriverInfoList;
-                }
-
-                /* Re-get driver info details. */
-                drvinfo_detail_data->cbSize = sizeof(SP_DRVINFO_DETAIL_DATA);
-                if (!SetupDiGetDriverInfoDetail(
-                        hDevInfoList,
-                        &devinfo_data,
-                        &drvinfo_data,
-                        drvinfo_detail_data,
-                        drvinfo_detail_data_size,
-                        &dwSize))
-                {
-                    /* Something is wrong with this driver. Skip it. */
-                    continue;
-                }
-            }
-            else
-            {
-                /* Something is wrong with this driver. Skip it. */
-                msg(M_WARN | M_ERRNO, "%s: SetupDiGetDriverInfoDetail(\"%hs\") failed", __FUNCTION__, drvinfo_data.Description);
-                continue;
-            }
-        }
-
-        /* Check the driver version and hardware ID. */
-        if (dwlDriverVersion < drvinfo_data.DriverVersion
-            && drvinfo_detail_data->HardwareID
-            && _tcszistr(drvinfo_detail_data->HardwareID, szHwId))
-        {
-            /* Newer version and matching hardware ID found. Select the driver. */
-            if (!SetupDiSetSelectedDriver(
-                    hDevInfoList,
-                    &devinfo_data,
-                    &drvinfo_data))
-            {
-                /* Something is wrong with this driver. Skip it. */
-                msg(M_WARN | M_ERRNO, "%s: SetupDiSetSelectedDriver(\"%hs\") failed", __FUNCTION__, drvinfo_data.Description);
-                continue;
-            }
-
-            dwlDriverVersion = drvinfo_data.DriverVersion;
-        }
-    }
-    if (drvinfo_detail_data)
-    {
-        free(drvinfo_detail_data);
-    }
-
-    if (dwlDriverVersion == 0)
-    {
-        dwResult = ERROR_NOT_FOUND;
-        msg(M_NONFATAL, "%s: No driver for device \"%" PRIsLPTSTR "\" installed.", __FUNCTION__, szHwId);
-        goto cleanup_DriverInfoList;
-    }
-
-    /* Call appropriate class installer. */
+    /* Register the device instance with the PnP Manager */
     if (!SetupDiCallClassInstaller(
             DIF_REGISTERDEVICE,
             hDevInfoList,
@@ -876,43 +806,38 @@ tap_create_adapter(
     {
         dwResult = GetLastError();
         msg(M_NONFATAL, "%s: SetupDiCallClassInstaller(DIF_REGISTERDEVICE) failed", __FUNCTION__);
-        goto cleanup_DriverInfoList;
+        goto cleanup_hDevInfoList;
     }
 
-    /* Register device co-installers if any. */
-    if (!SetupDiCallClassInstaller(
-            DIF_REGISTER_COINSTALLERS,
-            hDevInfoList,
-            &devinfo_data))
-    {
-        dwResult = GetLastError();
-        msg(M_WARN | M_ERRNO, "%s: SetupDiCallClassInstaller(DIF_REGISTER_COINSTALLERS) failed", __FUNCTION__);
-    }
+    /* Install the device using DiInstallDevice()
+     * We instruct the system to use the best driver in the driver store
+     * by setting the drvinfo argument of DiInstallDevice as NULL. This
+     * assumes a driver is already installed in the driver store.
+     */
+#ifdef HAVE_DIINSTALLDEVICE
+    if (!DiInstallDevice(hwndParent, hDevInfoList, &devinfo_data, NULL, 0, pbRebootRequired))
+#else
+    /* mingw does not resolve DiInstallDevice, so load it at run time. */
+    typedef BOOL (WINAPI *DiInstallDeviceFn) (HWND, HDEVINFO, SP_DEVINFO_DATA *,
+                                                  SP_DRVINFO_DATA *, DWORD, BOOL *);
+    DiInstallDeviceFn installfn
+           = find_function (L"newdev.dll", "DiInstallDevice", &libnewdev);
 
-    /* Install adapters if any. */
-    if (!SetupDiCallClassInstaller(
-            DIF_INSTALLINTERFACES,
-            hDevInfoList,
-            &devinfo_data))
+    if (!installfn)
     {
         dwResult = GetLastError();
-        msg(M_WARN | M_ERRNO, "%s: SetupDiCallClassInstaller(DIF_INSTALLINTERFACES) failed", __FUNCTION__);
+        msg(M_NONFATAL | M_ERRNO, "%s: Failed to locate DiInstallDevice()", __FUNCTION__);
+        goto cleanup_hDevInfoList;
     }
 
-    /* Install the device. */
-    if (!SetupDiCallClassInstaller(
-            DIF_INSTALLDEVICE,
-            hDevInfoList,
-            &devinfo_data))
+    if (!installfn(hwndParent, hDevInfoList, &devinfo_data, NULL, 0, pbRebootRequired))
+#endif
     {
         dwResult = GetLastError();
-        msg(M_NONFATAL | M_ERRNO, "%s: SetupDiCallClassInstaller(DIF_INSTALLDEVICE) failed", __FUNCTION__);
+        msg(M_NONFATAL | M_ERRNO, "%s: DiInstallDevice failed", __FUNCTION__);
         goto cleanup_remove_device;
     }
 
-    /* Check if a system reboot is required. (Ignore errors) */
-    check_reboot(hDevInfoList, &devinfo_data, pbRebootRequired);
-
     /* Get network adapter ID from registry. Retry for max 30sec. */
     dwResult = get_net_adapter_guid(hDevInfoList, &devinfo_data, 30, pguidAdapter);
 
@@ -958,13 +883,11 @@ cleanup_remove_device:
         }
     }
 
-cleanup_DriverInfoList:
-    SetupDiDestroyDriverInfoList(
-        hDevInfoList,
-        &devinfo_data,
-        SPDIT_CLASSDRIVER);
-
 cleanup_hDevInfoList:
+    if (libnewdev)
+    {
+        FreeLibrary(libnewdev);
+    }
     SetupDiDestroyDeviceInfoList(hDevInfoList);
     return dwResult;
 }
@@ -1140,9 +1063,12 @@ ExecCommand(const WCHAR* cmdline)
 DWORD
 tap_set_adapter_name(
     _In_ LPCGUID pguidAdapter,
-    _In_ LPCTSTR szName)
+    _In_ LPCTSTR szName,
+    _In_ BOOL bSilent)
 {
     DWORD dwResult;
+    int msg_flag = bSilent ? M_WARN : M_NONFATAL;
+    msg_flag |= M_ERRNO;
 
     if (pguidAdapter == NULL || szName == NULL)
     {
@@ -1176,7 +1102,7 @@ tap_set_adapter_name(
     if (dwResult != ERROR_SUCCESS)
     {
         SetLastError(dwResult); /* MSDN does not mention RegOpenKeyEx() to set GetLastError(). But we do have an error code. Set last error manually. */
-        msg(M_NONFATAL | M_ERRNO, "%s: RegOpenKeyEx(HKLM, \"%" PRIsLPTSTR "\") failed", __FUNCTION__, szRegKey);
+        msg(msg_flag, "%s: RegOpenKeyEx(HKLM, \"%" PRIsLPTSTR "\") failed", __FUNCTION__, szRegKey);
         goto cleanup_szAdapterId;
     }
 
@@ -1185,7 +1111,7 @@ tap_set_adapter_name(
     if (dwResult != ERROR_SUCCESS)
     {
         SetLastError(dwResult);
-        msg(M_NONFATAL | M_ERRNO, "%s: Error reading adapter name", __FUNCTION__);
+        msg(msg_flag, "%s: Error reading adapter name", __FUNCTION__);
         goto cleanup_hKey;
     }
 
@@ -1203,7 +1129,7 @@ tap_set_adapter_name(
     if (dwResult != ERROR_SUCCESS)
     {
         SetLastError(dwResult);
-        msg(M_NONFATAL | M_ERRNO, "%s: Error renaming adapter", __FUNCTION__);
+        msg(msg_flag, "%s: Error renaming adapter", __FUNCTION__);
         goto cleanup_hKey;
     }
 
diff --git a/src/tapctl/tap.h b/src/tapctl/tap.h
index 102de32..63d791c 100644
--- a/src/tapctl/tap.h
+++ b/src/tapctl/tap.h
@@ -118,12 +118,16 @@ tap_enable_adapter(
  *
  * @param szName        New adapter name - must be unique
  *
+ * @param bSilent       If true, MSI installer won't display message box and
+ *                      only print error to log.
+ *
  * @return ERROR_SUCCESS on success; Win32 error code otherwise
  **/
 DWORD
 tap_set_adapter_name(
     _In_ LPCGUID pguidAdapter,
-    _In_ LPCTSTR szName);
+    _In_ LPCTSTR szName,
+    _In_ BOOL bSilent);
 
 
 /**
diff --git a/tests/t_lpback.sh b/tests/t_lpback.sh
index f2729fd..6206899 100755
--- a/tests/t_lpback.sh
+++ b/tests/t_lpback.sh
@@ -44,7 +44,7 @@ set +e
 e=0
 for cipher in ${CIPHERS}
 do
-    echo -n "Testing cipher ${cipher}... "
+    printf "Testing cipher ${cipher}... "
     ( "${top_builddir}/src/openvpn/openvpn" --test-crypto --secret key.$$ --cipher ${cipher} ) >log.$$ 2>&1
     if [ $? != 0 ] ; then
         echo "FAILED"
@@ -55,7 +55,7 @@ do
     fi
 done
 
-echo -n "Testing tls-crypt-v2 server key generation..."
+printf "Testing tls-crypt-v2 server key generation... "
 "${top_builddir}/src/openvpn/openvpn" \
     --genkey tls-crypt-v2-server tc-server-key.$$ >log.$$ 2>&1
 if [ $? != 0 ] ; then
@@ -66,7 +66,7 @@ else
     echo "OK"
 fi
 
-echo -n "Testing tls-crypt-v2 key generation (no metadata)..."
+printf "Testing tls-crypt-v2 key generation (no metadata)... "
 "${top_builddir}/src/openvpn/openvpn" --tls-crypt-v2 tc-server-key.$$ \
     --genkey tls-crypt-v2-client tc-client-key.$$ >log.$$ 2>&1
 if [ $? != 0 ] ; then
@@ -84,7 +84,7 @@ while [ $i -lt 732 ]; do
     METADATA="${METADATA}A"
     i=$(expr $i + 1)
 done
-echo -n "Testing tls-crypt-v2 key generation (max length metadata)..."
+printf "Testing tls-crypt-v2 key generation (max length metadata)... "
 "${top_builddir}/src/openvpn/openvpn" --tls-crypt-v2 tc-server-key.$$ \
     --genkey tls-crypt-v2-client tc-client-key.$$ "${METADATA}" \
     >log.$$ 2>&1
diff --git a/version.m4 b/version.m4
index db690c7..38b35ec 100644
--- a/version.m4
+++ b/version.m4
@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [5])
-define([PRODUCT_VERSION_PATCH], [_beta3])
+define([PRODUCT_VERSION_PATCH], [_rc2])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
 define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,5,0,3])
+define([PRODUCT_VERSION_RESOURCE], [2,5,0,6])
 dnl define the TAP version
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])
-- 
cgit v1.2.3