Samuli Seppänen | 19 Dec 15:00 2014

Topics for next Monday's (22nd Dec 2014) community meeting


We're having an IRC meeting on Monday, starting at 20:00 CET (19:00
UTC) on #openvpn-devel <at> Current topic list along with
basic information is here:


If you have any other things you'd like to bring up, respond to this
mail, send me mail privately or add them to the list yourself.

In case you can't attend the meeting, please feel free to make comments
on the topics by responding to this email or to the summary email sent
after the meeting. Whenever possible, we'll also respond to existing,
related email threads.

NOTE: It's required to use a registered Freenode IRC nickname to join
#openvpn-devel - look here for details:



Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
David Woodhouse | 11 Dec 14:03 2014

[PATCH] pkcs11: Load module by default

If the user specifies --pkcs11-id or --pkcs-id-management but neglects
to explicitly provide a --pkcs11-provider argument, and if the system
has p11-kit installed, then load the p11-kit proxy module so that the
system-configured tokens are available.

Trac: 490
Signed-off-by: David Woodhouse <David.Woodhouse <at>>
---          |  7 +++++++
 doc/openvpn.8         | 10 ++++++++++
 src/openvpn/options.c |  9 +++++++++
 3 files changed, 26 insertions(+)

diff --git a/ b/
index ddaa2b2..b549452 100644
--- a/
+++ b/
 <at>  <at>  -1139,6 +1139,13  <at>  <at>  if test "${enable_pkcs11}" = "yes"; then
 	AC_DEFINE([ENABLE_PKCS11], [1], [Enable PKCS11])
+		[P11KIT],
+		[p11-kit-1],
+		[proxy_module="`$PKG_CONFIG --variable=proxy_module p11-kit-1`"
+		 AC_DEFINE_UNQUOTED([DEFAULT_PKCS11_MODULE], "${proxy_module}", [p11-kit proxy])],
+		[]
+	)

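Review bot: `AC_DEFINE_UNQUOTED([DEFAULT_PKCS11_MODULE], "${proxy_module}", [p11-kit proxy])` is emitted whenever pkg-config knows p11-kit-1, but `$PKG_CONFIG --variable=proxy_module p11-kit-1` can legitimately print an empty string, which would compile DEFAULT_PKCS11_MODULE in as "" and have the options.c side (not shown here) attempt to load a module with an empty path. Guard the define with a non-empty test, e.g. `AS_IF([test -n "${proxy_module}"], [AC_DEFINE_UNQUOTED(...)])`, and leave the not-found branch `[]` as it is. Note also that the header `-1139,6 +1139,13` announces seven added lines while only six `+` lines survive in the mail, so the line that opens the macro call whose arguments `[P11KIT]`, `[p11-kit-1]` are is not visible; reviewers should check the full patch for it.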

David Sommerseth | 9 Dec 10:52 2014

[PATCH] sockets: Remove the limitation of --tcp-nodelay to be server-only

From: David Sommerseth <davids <at>>

The assert(0) happening if trying to use --tcp-nodelay in a client
config is really not helpful at all.  When this assert(0) was removed,
another warning appeared that this could only be used in server
configs.  That itself is also quite silly, as clients can choose to
use --socket-flags TCP_NODELAY in the client config instead.  This
behaviour does not help the user in any way.

This patch removes the server-only restriction and rather provides
a more helpful warning when using --tcp-nodelay on the client side.

Trac: 489
Signed-off-by: David Sommerseth <davids <at>>
 src/openvpn/helper.c  | 2 +-
 src/openvpn/options.c | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index 0ed0b2b..339e2ae 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
 <at>  <at>  -534,7 +534,7  <at>  <at>  helper_tcp_nodelay (struct options *o)
-	  ASSERT (0);
+	  o->sockflags |= SF_TCP_NODELAY;
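Review bot: replacing `ASSERT (0);` with `o->sockflags |= SF_TCP_NODELAY;` makes the client path set the same flag the server path sets, which is the right substitute for aborting on a configuration option, but this hunk carries no warning, while the commit message promises "a more helpful warning when using --tcp-nodelay on the client side". That warning must therefore live in the options.c part of the patch (4 insertions, 1 deletion in the diffstat), which is not shown; confirm it is emitted on the client path and that it names `--socket-flags TCP_NODELAY`, the equivalent the message itself points to, so the behaviour and the text agree.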

David Sommerseth | 8 Dec 23:45 2014

[PATCH] plugins, down-root: Code style clean-up

From: David Sommerseth <davids <at>>

The coding style was somewhat chaotic.  Cleaning it up using the astyle
tool.  The style parameters are coherent to what was agreed upon at the
Munich Hackathon 2014 [1].

     astyle --style=allman --indent=spaces=4 -c

Also included a "Local variables" section which some editors may pick
up automatically.

Signed-off-by: David Sommerseth <davids <at>>
 src/plugins/down-root/down-root.c | 630 +++++++++++++++++++-------------------
 1 file changed, 323 insertions(+), 307 deletions(-)

diff --git a/src/plugins/down-root/down-root.c b/src/plugins/down-root/down-root.c
index f7a49a0..6931bec 100644
--- a/src/plugins/down-root/down-root.c
+++ b/src/plugins/down-root/down-root.c
 <at>  <at>  -66,17 +66,17  <at>  <at>  static void down_root_server (const int fd, char * const * argv, char * const *e
 struct down_root_context
-  /* Foreground's socket to background process */
-  int foreground_fd;
+    /* Foreground's socket to background process */
+    int foreground_fd;

-  /* Process ID of background process */
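Review bot: a reindentation of 630 lines from two to four spaces, as the `foreground_fd` lines show, cannot be checked by eye for accidental functional changes; the reviewer should confirm with `git diff -w` (or `git show -w`) that the patch produces no non-whitespace difference before merging. The commit message should also record the astyle version used, since `--style=allman --indent=spaces=4 -c` does not produce identical output across astyle releases and the next person re-running it will otherwise generate a second noisy diff. Keeping this style-only patch separate from the warning fix, as done here, is the right call for `git blame`.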

David Sommerseth | 8 Dec 22:35 2014

[PATCH] plugin, down-root: Fix compiler warnings

From: David Sommerseth <davids <at>>

Removed a few compiler warnings:
  down-root.c:164:4: warning: implicit declaration of function 'warn' [-Wimplicit-function-declaration]
  down-root.c:239:5: warning: implicit declaration of function 'err' [-Wimplicit-function-declaration]
  down-root.c:461:7: warning: unused variable 'i' [-Wunused-variable]
  down-root.c:460:15: warning: unused variable 'p' [-Wunused-variable]

Signed-off-by: David Sommerseth <davids <at>>
 src/plugins/down-root/down-root.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/plugins/down-root/down-root.c b/src/plugins/down-root/down-root.c
index ed2636a..f7a49a0 100644
--- a/src/plugins/down-root/down-root.c
+++ b/src/plugins/down-root/down-root.c
 <at>  <at>  -42,6 +42,7  <at>  <at> 
 #include <signal.h>
 #include <syslog.h>
 #include <errno.h>
+#include <err.h>

 #include <openvpn-plugin.h>

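Review bot: `#include <err.h>` silences the implicit-declaration warnings for warn() and err(), but <err.h> is a BSD/glibc extension rather than a POSIX header, so on a libc without it the plugin now fails to compile where it previously only warned. Either add a configure check (`AC_CHECK_HEADERS([err.h])`) and guard the include, or replace the warn()/err() calls in down-root.c with the plugin's own logging. Keep in mind that err() terminates the calling process; in the half of down-root that keeps its privileges to run the down script that is a harder failure than a logged error, so the replacement route is preferable.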
 <at>  <at>  -457,9 +458,6  <at>  <at>  openvpn_plugin_abort_v1 (openvpn_plugin_handle_t handle)
 static void
 down_root_server (const int fd, char * const *argv, char * const *envp, const int verb)
-  const char *p[3];
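Review bot: removing `const char *p[3];` from down_root_server is the correct fix for the `-Wunused-variable` report at 460:15, and the header `-457,9 +458,6` shows three lines going, so the `i` declaration flagged at 461:7 presumably follows in the part cut from the mail. Confirm that nothing later in the function still references `p` or `i` (the body is not visible here); otherwise deleting the declarations breaks the build this patch is meant to clean up.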

Lev Stipakov | 8 Dec 18:06 2014

[PATCH] Add the peer-id to the output of the status command

This adds peer-id to the status output which might help analyze floating
logs. This will change the output of status in the same way commit
662ce6acc065bddf6490b3494725b8b3987b7def did.

Signed-off-by: Lev Stipakov <lstipakov <at>>
 src/openvpn/multi.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 538f4f1..b7785c1 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
 <at>  <at>  -815,8 +815,8  <at>  <at>  multi_print_status (struct multi_context *m, struct status_output *so, const int
 	  status_printf (so, "TITLE%c%s", sep, title_string);
 	  status_printf (so, "TIME%c%s%c%u", sep, time_string (now, 0, false, &gc_top), sep, (unsigned int)now);
-	  status_printf (so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual
IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since
(time_t)%cUsername%cClient ID",
-			 sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
+	  status_printf (so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual
IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since
(time_t)%cUsername%cClient ID%cPeer ID",
+			 sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
 	  hash_iterator_init (m->hash, &hi);
 	  while ((he = hash_iterator_next (&hi)))
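Review bot: the format string and its arguments stay consistent after `%cPeer ID` is appended (twelve `%c` conversions against twelve `sep` arguments), but the matching CLIENT_LIST data row is emitted in the second hunk at line 827, which is not in the mail; check there that exactly one extra field is printed with the same separator and that it is this instance's peer-id rather than a repeat of the Client ID column before it. Appending a column also changes the status output for every management client that parses CLIENT_LIST by position, which the message acknowledges by referring to 662ce6acc065bddf6490b3494725b8b3987b7def; the documentation that lists the CLIENT_LIST columns should gain the new one in the same patch.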
 <at>  <at>  -827,10 +827,11  <at>  <at>  multi_print_status (struct multi_context *m, struct status_output *so, const int

Lev Stipakov | 8 Dec 17:48 2014

[PATCH] Prevent memory drain for long lasting floating sessions

For every float event we generate prefix, which allocates 256 + 64
bytes. That memory is reclaimed when client disconnects, so long lasting
and constantly floating sessions drain memory.

As a fix use preallocated buffer inside multi_instance for storing

Signed-off-by: Lev Stipakov <lstipakov <at>>
 src/openvpn/mudp.c  |  4 ++++
 src/openvpn/multi.c | 14 ++++++++++----
 src/openvpn/multi.h |  8 +++++---
 3 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c
index 853c08c..3e3f750 100644
--- a/src/openvpn/mudp.c
+++ b/src/openvpn/mudp.c
 <at>  <at>  -111,6 +111,10  <at>  <at>  multi_get_create_instance_udp (struct multi_context *m, bool *floated)
+		      /* should not really end up here, since multi_create_instance returns null
+		       * if amount of clients exceeds max_clients */
+		      ASSERT(i < m->max_clients);
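Review bot: `ASSERT(i < m->max_clients);` turns a condition the accompanying comment calls unreachable into a process abort, and multi_get_create_instance_udp runs in the path that handles packets from peers that have not yet been authenticated, so if the reasoning about multi_create_instance returning NULL is ever wrong the result is a remotely triggered crash of the whole server rather than one rejected client. Prefer a defensive check that logs with msg(M_WARN, ...) and skips the packet, or keep the ASSERT only in a debug build, and state in the commit message how `i` is bounded. The message is also cut off mid-sentence ("preallocated buffer inside multi_instance for storing"), so the size of that buffer relative to the 256 + 64 bytes it replaces is not explained.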
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c

Vasily Kulikov | 8 Dec 12:52 2014

[PATCH] Add Mac OS X keychain support

This patch adds support for using certificates stored in the Mac OSX
Keychain to authenticate with the OpenVPN server.  This works with
certificates stored on the computer as well as certificates on hardware
tokens that support Apple's tokend interface.  The patch is very similar
to, and also based on, the Windows Crypto API certificate functionality
that currently exists in OpenVPN.

The previous version of the patch was sent by Brian Raderman
(  The current
version uses autoconf, doesn't use printf, fixes several small bugs like
ignoring errors, and it now works with Tunnelblick.  The previous version
has been tested with an Aladdin eToken on Mac OSX Leopard and with
software only certificates on Mac OSX Leopard and Snow Leopard, as
reported by Brian Raderman in his email.  The current version of the
patch was tested in Yandex company on ~3000 hosts using several Mac OS X
versions (10.7, 10.8, 10.9, 10.10) using Tunnelblick.

It was tested both on OpenVPN started from the terminal and using
Tunnelblick.  Renegotiation was tested too.

There are several warnings on Mac OS X related to functions deprecation
like RSA_new() and similar.  However, they are used in other OpenVPN
code, so I decided not to touch it.

The patch is against commit 3341a98c2852d1d0c1eafdc70a3bdb218ec29049.

Signed-off-by: Vasily Kulikov <segoon <at>>

diff --git a/ b/

Steffan Karger | 7 Dec 19:48 2014

[PATCH] Update doxygen (a bit)

This is not a full update, but just updates some data channel-related docs
I came across. Other pages probably need a bit of attention too.

Stuff that was changed:
 * Explain data channel crypto format in crypto.h
 * Add P_DATA_V1 and P_DATA_V2 packet format spec
 * Remove '2.1' from title
 * Update some OpenSSL-specific text

Signed-off-by: Steffan Karger <steffan <at>>
 .gitignore                          |  1 +
 doc/doxygen/doc_data_crypto.h       |  4 +--
 doc/doxygen/doc_mainpage.h          |  2 +-
 doc/doxygen/doc_protocol_overview.h | 69 +++++++++++++++++------------------
 src/openvpn/crypto.h                | 72 ++++++++++++++++++++++++++++++++++++-
 5 files changed, 107 insertions(+), 41 deletions(-)

diff --git a/.gitignore b/.gitignore
index 538c020..06ff7c6 100644
--- a/.gitignore
+++ b/.gitignore
 <at>  <at>  -33,6 +33,7  <at>  <at>  config.sub

Jason Haar | 6 Dec 18:28 2014

feature request: get openvpn to use closest server

Hi there

If you have a global network with several openvpn servers, you have a
problem with getting clients to connect to the "best" server(*).
Typically you'd either rely on users manually choosing the best server
(which they can't do well as they don't know the full story), or do
something easy like have one DNS name with multiple A records - but the
latter would mean users were using the *wrong* server the majority of
the time

Some can manage tricks using geoip DNS - but even that doesn't work
reliably (eg if a lot of users hardwire Google/OpenDNS DNS servers in
their client). Really speaking AnyCast is the only "proper" way of doing
it - but that's a "big boy" solution

So I propose openvpn itself could solve this problem - if it had some
application layer way of "pinging" all available openvpn servers and
choosing the one that responds "best". I'd suggest it only be supported
for sites using "tls-auth" but that it doesn't need the full cert check
- that way it's one packet from the client and one return packet from
the server. I'd also suggest the server can respond with a "don't use
me" message: maybe a new config option "pause-logins /path/filename" so
that sysadmins can write their own load tests and create/delete that
file when needed. The client could send "openvpn-pings" to each server
(when the DNS server name resolves to >1 IP) and try up to 3 times
before making a decision. ie packet loss means there needs to be a retry
aspect, 3 failures means the server is down/firewalled, but if the
server responds with "don't use me" then it's treated as "down" too.
Then the client can simply figure out which positive return had the
smallest latency and then use that to influence the order in which it
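The selection rule sketched in the request above (probe every server, retry up to three times on packet loss, treat three losses or a "don't use me" answer as down, then order the survivors by latency) as an added, runnable model. This is not OpenVPN code and OpenVPN has no such probe; the probe is injected as a callable, and the reply table, server names and the `ProbeReply`/`classify_server`/`preferred_order` names are all constructed for this example.

```python
"""Latency-based server selection with retries, modelling the proposal above.

The probe is injected as a callable so the logic runs offline; the replies
in SAMPLE_REPLIES are constructed sample data, not measurements.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_ATTEMPTS = 3  # proposal: up to three probes before a server counts as down


@dataclass
class ProbeReply:
    rtt_ms: Optional[float] = None  # None: no answer (packet lost or server firewalled)
    refuse: bool = False            # True: server answered "don't use me"


# probe(server, attempt) -> ProbeReply; a real client would send one packet and wait
ProbeFn = Callable[[str, int], ProbeReply]


def classify_server(server: str, probe: ProbeFn,
                    max_attempts: int = MAX_ATTEMPTS) -> Tuple[str, Optional[float]]:
    """Return ("ok", rtt), ("refused", None) or ("down", None) for one server."""
    for attempt in range(max_attempts):
        reply = probe(server, attempt)
        if reply.refuse:
            return "refused", None      # treated like "down", no further retries
        if reply.rtt_ms is not None:
            return "ok", reply.rtt_ms   # first positive answer decides
    return "down", None                 # max_attempts losses in a row


def probe_all(servers, probe: ProbeFn,
              max_attempts: int = MAX_ATTEMPTS) -> Dict[str, Tuple[str, Optional[float]]]:
    """Classify every server in the list the DNS name resolved to."""
    return {s: classify_server(s, probe, max_attempts) for s in servers}


def preferred_order(report: Dict[str, Tuple[str, Optional[float]]]) -> List[str]:
    """Usable servers ordered by measured latency, lowest first."""
    usable = [(rtt, s) for s, (state, rtt) in report.items() if state == "ok"]
    return [s for _, s in sorted(usable)]


# Constructed sample replies keyed by server, one entry per probe attempt.
# "refuse" stands for the "don't use me" answer; None stands for a lost packet.
SAMPLE_REPLIES = {
    "vpn-eu.example.net": [None, 42.0],        # first probe lost, second answered
    "vpn-us.example.net": [118.5],
    "vpn-ap.example.net": [None, None, None],  # three losses: down or firewalled
    "vpn-eu2.example.net": ["refuse"],         # admin created the pause file
}


def scripted_probe(server: str, attempt: int) -> ProbeReply:
    """Stand-in for the network probe: replays the constructed table above."""
    replies = SAMPLE_REPLIES[server]
    reply = replies[attempt] if attempt < len(replies) else None
    if reply == "refuse":
        return ProbeReply(refuse=True)
    return ProbeReply(rtt_ms=reply)


if __name__ == "__main__":
    report = probe_all(SAMPLE_REPLIES, scripted_probe)
    for server, (state, rtt) in report.items():
        print(f"{server:22} {state:8} {'' if rtt is None else f'{rtt:.1f} ms'}")
    print("connect order:", preferred_order(report))
```

The "refused" state is kept distinct from "down" in the report even though both are excluded from the connect order, so an operator reading the client log can tell a server they deliberately paused apart from one that is unreachable.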

Hooman ZGN | 5 Dec 08:38 2014


would u please shutttt the fuck up and stop email me u bastards ????
shutttt up and dieeeeeeeeeeeee. u drive me angryyyyy
Openvpn-devel mailing list
Openvpn-devel <at>