Use Ed25519 keys. This uses the portable Ed25519 library made by Orson Peters, which in turn uses the reference implementation made by Daniel J. Bernstein. This implementation also allows Ed25519 keys to be used for key exchange, so there is no need to add a separate implementation of Curve25519.
Handle a disconnecting tincd better. - Try to prevent SIGPIPE from being sent for errors sending to the control socket. We don't outright block the SIGPIPE signal because we still want the tinc CLI to exit when its output is actually sent to a real (broken) pipe. - Don't call exit() from top(), and properly detect when the control socket is closed by the tincd.
Handle errors from TAP-Win32/64 adapter in a better way. Before, the tapreader thread would just exit immediately after encountering the first error, without notifying the main thread. Now, the tapreader thead never exits itself, but tells the main thread to stop when more than ten errors are encountered in a row.
Use addresses learned from other nodes when making outgoing connections. Before, when making a meta-connection to a node (either because of a ConnectTo or because AutoConnect is set), tinc required one or more Address statements in the corresponding host config file. However, tinc learns addresses from other nodes that it uses for UDP connections. We can use those just as well for TCP connections.
Don't ask questions if we are not running interactively. When creating invitations or using them to join a VPN, and the tinc command is not run interactively (ie, when stdin and stdout are not connected or redirected to/from a file), don't ask questions. If normally tinc would ask for a confirmation, just assume the default answer instead. If tinc really needs some input, just print an error message instead. In case an invitation is used for a VPN which uses a netname that is already in use on the local host, tinc will store the configuration in a temporary directory. Normally it asks for an alternative netname and then renames the temporary directory, but when not run interactively, it now just prints the location of the unchanged temporary directory.
Test two tinc daemons using network namespaces. Testing multiple daemons connecting to each other on the same computer is usually difficult, because connections to local IP addresses will bypass most of the network stack. However, recent versions of Linux support network namespaces, which can isolate network interfaces. We use this to isolate the virtual interface of the daemons from each other, so we get the behaviour as if the daemons were each running on their own machine. This can also be used for more complicated tests (including those with firewall rules) without disturbing the real network setup of the host computer.
Add the ListenAddress option. ListenAddress works the same as BindToAddress, except that from now on, explicitly binding outgoing packets to the address of a socket is only done for sockets specified with BindToAddress.