A major release with comprehensive security improvements, performance optimizations, and modernized infrastructure.

🔒 Security Enhancements

• Certificate Authority constraints (#14811) - Prevents certificate reuse across deployments with unique CA identifiers
• Refactored PKI management (#14809) - Replaced legacy OpenSSL scripts with Ansible crypto modules for better security and maintainability
• Prevented sensitive information logging (#14779) - Enhanced privacy by removing sensitive data from logs
• Modernized WireGuard key management (#14803) - Improved key generation and handling
• Security-hardened CI/CD (#14769) - Updated GitHub Actions with security best practices
• Jinja2 security update - Updated to ~3.1.6 for CVE-2025-27516 fix

🚀 Performance Improvements

• 30-60% faster deployments - Comprehensive performance optimizations throughout the codebase
• Self-bootstrapping Python environment (#14814) - Automatic uv setup for faster, more reliable installations
• Optimized cloud-init templates - Reduced startup time for cloud deployments
• Improved DNS caching - Better performance for DNS queries

🌐 Network and Routing Fixes

• Fixed multi-homed system routing (#14826) - Proper output interface specification for servers with multiple IPs
• Fixed iptables NAT rules (#14825) - Resolved VPN traffic routing issues
• IPv6 WireGuard endpoints (#14780) - Added support for IPv6 addresses in WireGuard configurations
• BSD IPv6 improvements (#14786) - Fixed address selection on BSD systems
• DigitalOcean multi-IP handling - Better support for droplets with both public and private IPs

☁️ Cloud Provider Updates

• Vultr API v2 support (#14773) - Updated to latest Vultr API
• AWS Lightsail fixes (#14823) - Resolved boto3 parameter issues
• AWS credentials file support (#14778) - Can now use standard AWS credentials file
• Azure improvements (#14781, #14774) - Fixed requirements path, updated to collection v3.7.0
• DigitalOcean cloud-init (#14801) - Fixed compatibility and deprecation warnings
• Hetzner instance types (#14762) - Switched to globally available types

📚 Documentation Improvements

• New FAQ: Single cipher suite rationale (#14827, closes #231) - Explains security benefits of our cryptographic choices
• New FAQ: Censorship circumvention stance (#14827, closes #230) - Clarifies Algo's focus on privacy vs anonymity
• Windows client guide (#14787) - Comprehensive setup instructions
• Installation requirements (#14790) - Clarified sudo requirements
• Grammar and clarity (#14770) - Improved throughout documentation

🔧 Infrastructure and Testing

• Comprehensive test suite - Added 15+ new test files covering all major components
• Jinja2 expression validation (#14817) - Detects inline comments that break templates
• Stricter linting (#14789) - Enhanced code quality with ansible-lint
• Installation reliability (#14788) - Added timeouts and retry logic
• OpenSSL 3+ compatibility (#14772) - Fixed PKCS#12 mobileconfig generation

📦 Dependency Updates

• Ansible 11.9.0 - Latest stable version
• GitHub Actions - All workflows updated to latest versions
• Python packaging - Modern setup with uv and pyproject.toml
• Removed legacy requirements.txt in favor of lockfile

🐛 Bug Fixes

• Ubuntu 22.04 compatibility issues (#14824)
• Server selection in update-user script (#14727)
• SSH tunnel certificate naming (#14771)
• AWS CloudFormation warnings (#14782)
• POSIX shell compliance (#14789)

💔 Breaking Changes

• Python 3.11+ required - Older Python versions no longer supported
• Certificate constraints - CAs now include deployment-specific constraints
• Ansible crypto modules - Legacy OpenSSL command usage removed

🎯 Milestone Completion

This release closes the 2.0 milestone with all planned features implemented and tested.

📝 Upgrade Notes

• Existing Algo servers will continue to work but won't benefit from the new features
• To use new features, deploy a fresh Algo server (recommended approach)
• Python environment will self-bootstrap with uv on first run

Algo VPN continues to focus on security through simplicity, providing a personal VPN that "just works" while maintaining the highest security standards.

Special thanks to all contributors who helped make this release possible!