* IPv6 support is probably broken or non-optimal. See how it can be
  improved.

* Simplify client route forwarding to the server.

* Think how the DTLS part can use better negotiation of algorithms and DTLS
  versions than the current openssl string approach (using PSK ciphersuites
  seem to be like a solution, but then we could not use the session ID to
  forward the UDP connection to the proper worker).

* Handle multiple settings/config files per user group.

* Certificate authentication to the main process. Possibly that is just
  wishful thinking. To verify the TLS client certificate verify signature 
  packet one needs instead of the signature, the contents of all the handshake 
  messages, and knowledge of the negotiated TLS version, in addition to being 
  able to select the server hello random. That could be done sanely only if 
  gnutls provided facilities to set the server hello random, and override the 
  client signature verification at an early stage before data are hashed 
  (to verify that the set random value was present in the handshake).

* When a TUN device is in use and cannot be assigned mark it as such and
  continue.

* When a user (IP) gets into the BAN list multiple times, disable it for
  longer time.

* Change into hashtables the lists that are used during a client
  connection.
