Jonathan K. Bullard | 17 Apr 11:28 2015

OpenVPN argument parsing of most options ignores "extra" parameters

I would like to propose a patch which complains if OpenVPN options
include parameters that are not expected.

If possible, I would like to get a "feature ACK" consensus before I
create the patch. (If I get a "feature NAK" then I won't create the
patch.)

The patch would be to reject options that are followed by extra parameters.

The error message would change from
     Options error: Unrecognized option or missing parameter(s)
to
     Options error: Unrecognized option or missing or unexpected parameter(s)

Perhaps the current behavior of ignoring "extra" parameters is
purposeful, to allow options to have parameters that are ignored by
"old" versions of OpenVPN but accepted and acted on by "new" versions
of OpenVPN. (I think doing that is not a good idea, but maybe that's
the way the community wants it.)

The patch would break any configurations that have such "extra"
parameters. I think that's good, because the configurations are, well,
wrong. But there could be a lot of such configurations being used with
current versions of OpenVPN -- who knows?

**EXAMPLE**

Here is the code in the add_option routine in src/openvpn/options.c
that processes "--mtu-test", which has no parameters:

(Continue reading)
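As an added example, not OpenVPN's own add_option() code and not part of the original message: a small option checker that contrasts the current behaviour (extra parameters silently ignored) with the proposed one (extra parameters rejected). The option table, its parameter counts and the sample config lines are constructed for illustration; only the two error strings come from the message above.

```c
/* Added example, not OpenVPN's add_option() code: a small option checker
 * that shows the difference between silently ignoring "extra" parameters
 * (the current behaviour described above) and rejecting them (the proposal).
 * The option table and the sample lines are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define MAX_PARMS 16

enum opt_result {
    OPT_OK = 0,
    OPT_UNRECOGNIZED,    /* option name not in the table */
    OPT_MISSING_PARAMS,  /* fewer parameters than the option needs */
    OPT_EXTRA_PARAMS     /* more parameters than the option accepts (strict only) */
};

/* Constructed table: option name and the parameter counts it accepts. */
struct opt_spec {
    const char *name;
    int min_parms;
    int max_parms;
};

static const struct opt_spec specs[] = {
    { "mtu-test", 0, 0 },   /* takes no parameters */
    { "dev",      1, 1 },   /* exactly one */
    { "remote",   1, 3 },   /* host [port] [proto] */
};

/* Split a config line on whitespace into p[0..n-1] and return n.
 * Modifies `line` in place. A leading "--" on the option name is dropped,
 * since OpenVPN accepts both spellings in config files. */
static int split_line(char *line, char *p[], int max)
{
    int n = 0;
    for (char *tok = strtok(line, " \t\r\n"); tok && n < max;
         tok = strtok(NULL, " \t\r\n"))
        p[n++] = tok;
    if (n > 0 && strncmp(p[0], "--", 2) == 0)
        p[0] += 2;
    return n;
}

/* Check one option line. With strict == 0, surplus parameters are silently
 * ignored; with strict != 0 they are reported as OPT_EXTRA_PARAMS. */
enum opt_result check_option(const char *input, int strict)
{
    char buf[256];
    char *p[MAX_PARMS];
    int n, nparms;

    strncpy(buf, input, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    n = split_line(buf, p, MAX_PARMS);
    if (n == 0)
        return OPT_UNRECOGNIZED;
    nparms = n - 1;

    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        if (strcmp(p[0], specs[i].name) != 0)
            continue;
        if (nparms < specs[i].min_parms)
            return OPT_MISSING_PARAMS;
        if (strict && nparms > specs[i].max_parms)
            return OPT_EXTRA_PARAMS;
        return OPT_OK;
    }
    return OPT_UNRECOGNIZED;
}

/* The error text quoted in the message, chosen by mode. */
const char *options_error_text(int strict)
{
    return strict
        ? "Options error: Unrecognized option or missing or unexpected parameter(s)"
        : "Options error: Unrecognized option or missing parameter(s)";
}

int main(void)
{
    /* Constructed sample config lines; the second and fourth carry junk. */
    const char *lines[] = {
        "mtu-test",
        "mtu-test 1500",
        "remote vpn.example.com 1194 udp",
        "remote vpn.example.com 1194 udp tcp",
        "dev",
        "--dev tun",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        enum opt_result lenient = check_option(lines[i], 0);
        enum opt_result strict = check_option(lines[i], 1);
        printf("%-40s lenient=%d strict=%d\n", lines[i], lenient, strict);
        if (strict != OPT_OK)
            printf("  -> %s\n", options_error_text(1));
    }
    return 0;
}
```

The point the sample lines make is the one the proposal is about: "mtu-test 1500" and the trailing "tcp" on the remote line pass the lenient check today, so a typo or a misunderstanding of an option's arity goes unnoticed; strict mode turns both into a load-time error, which is where a configuration mistake is cheapest to find.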

Yegor Yefremov | 14 Apr 20:34 2015

[PATCH] m4: enable silent build

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
---
 configure.ac | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/configure.ac b/configure.ac
index 9132468..ca0d9c3 100644
--- a/configure.ac
+++ b/configure.ac
 <at>  <at>  -374,6 +374,9  <at>  <at>  AC_DEFINE_UNQUOTED([IPROUTE_PATH], ["$IPROUTE"], [Path to iproute tool])
 AC_DEFINE_UNQUOTED([ROUTE_PATH], ["$ROUTE"], [Path to route tool])
 AC_DEFINE_UNQUOTED([SYSTEMD_ASK_PASSWORD_PATH], ["$SYSTEMD_ASK_PASSWORD"], [Path to
systemd-ask-password tool])

+# enable silent build
+m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes]]))
+
 #
 # Libtool
 #
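Review bot: the bracket nesting on the added `m4_ifdef` line is unbalanced: in `[AM_SILENT_RULES([yes]]))` the second `]` closes the quoted argument before the inner macro call's `)`, and the final `)` is then left over after `m4_ifdef`'s own closing paren. It only happens to work because m4 rescans the expansion `AM_SILENT_RULES([yes]` together with the stray `)` that follows it. Please write it as `m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])`, which is the form used in the automake documentation, so the line does not break the next time someone edits it.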
-- 
2.1.0


Samuli Seppänen | 13 Apr 07:23 2015

Topics for today's (Monday, 13th Apr 2015) community meeting

Hi,

We're going to have an IRC meeting today, 13th April, starting at 20:00 
CEST (18:00 UTC) on #openvpn-devel@irc.freenode.net. Current topic list 
along with basic information is here:

<https://community.openvpn.net/openvpn/wiki/Topics-2015-04-13>

If you have any other things you'd like to bring up, respond to this
mail, send me mail privately or add them to the list yourself.

In case you can't attend the meeting, please feel free to make comments
on the topics by responding to this email or to the summary email sent
after the meeting. Whenever possible, we'll also respond to existing,
related email threads.

NOTE: It's required to use a registered Freenode IRC nickname to join
#openvpn-devel - look here for details:

<https://community.openvpn.net/openvpn/wiki/GettingHelp#DeveloperIRCchannel>

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


Jiri Horky | 31 Mar 10:04 2015

Increasing TUN_MTU_MIN to make connection establishment faster

Hi all,

continuing yesterday's IRC discussion. I would like to ask whether you
can think of a reason why TUN_MTU_MIN is set to only 100 bytes, and
maybe more importantly, why this value is effectively enforced in function

static void
tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame,
                                          struct frame *frame)
....
  /* set dynamic link MTU to minimum value */
  frame_set_mtu_dynamic (frame, 0, SET_MTU_TUN);

We were debugging slow connection establishment on links with higher RTT
(>200ms), which takes about 7 seconds. We tracked the problem down to the
certificate handshake on the control channel, where client and server need
to exchange certificates which are about 3KiB each, and because of the
enforced low MTU during TLS init, and the fact that there are at most
4 unacknowledged packets on the wire (CONTROL_SEND_ACK_MAX), it takes quite
a lot of round trips to transfer them (it is clearly visible in Wireshark
that the OpenVPN fragments are exactly 100 bytes).

I tried increasing TUN_MTU_MIN to 1000 (which should be safe on
today's Internet), which immediately helped.

Before I make the change on our servers, I would like to understand
whether I may not break something by doing so.

Thank you
(Continue reading)
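As an added example, not OpenVPN code and not part of the message above: an idealized model of the round trips needed to push a certificate through the control channel when the payload is fragmented to the minimum MTU and at most four packets may be outstanding, with the sizes and RTT quoted in the message. The window size, certificate size and 200 ms RTT are taken from the message; per-fragment headers, packet loss and the other handshake flights are ignored, so the figures are a lower bound on the delay rather than a reproduction of the 7 seconds observed.

```c
/* Added example, not OpenVPN code: an idealized estimate of how many
 * send-window turns (round trips) it takes to move a certificate over
 * the control channel when the payload is cut into `mtu`-byte fragments
 * and at most `window` packets may be unacknowledged at once, as the
 * message above describes. Headers, loss and the remaining handshake
 * flights are ignored, so the result is a lower bound on the delay. */
#include <stdio.h>

struct xfer_estimate {
    unsigned fragments;   /* packets the payload is split into */
    unsigned round_trips; /* window turns; each costs one RTT */
    double   seconds;     /* round_trips * rtt */
};

static unsigned ceil_div(unsigned a, unsigned b)
{
    return (a + b - 1) / b;
}

/* One direction: `payload_bytes` sent as `mtu`-byte fragments through a
 * window of `window` unacknowledged packets. */
struct xfer_estimate estimate_transfer(unsigned payload_bytes, unsigned mtu,
                                       unsigned window, double rtt_seconds)
{
    struct xfer_estimate e;
    e.fragments   = ceil_div(payload_bytes, mtu);
    e.round_trips = ceil_div(e.fragments, window);
    e.seconds     = e.round_trips * rtt_seconds;
    return e;
}

/* Both peers send a certificate of about `cert_bytes`. The client's flight
 * only starts once the server's has arrived, so the two directions add up
 * rather than overlap. */
unsigned cert_exchange_round_trips(unsigned cert_bytes, unsigned mtu,
                                   unsigned window)
{
    return 2 * estimate_transfer(cert_bytes, mtu, window, 0.0).round_trips;
}

int main(void)
{
    const unsigned cert_bytes = 3 * 1024;     /* "about 3KiB each" */
    const unsigned window     = 4;            /* CONTROL_SEND_ACK_MAX, as quoted */
    const double   rtt        = 0.2;          /* 200 ms links */
    const unsigned mtus[]     = { 100, 1000 };/* current TUN_MTU_MIN vs. proposed */

    for (size_t i = 0; i < sizeof mtus / sizeof mtus[0]; i++) {
        struct xfer_estimate e = estimate_transfer(cert_bytes, mtus[i], window, rtt);
        printf("mtu %4u: %2u fragments, %u round trips per direction, "
               "%.1f s for both certificates\n",
               mtus[i], e.fragments, e.round_trips, 2 * e.seconds);
    }
    return 0;
}
```

With 100-byte fragments a 3 KiB certificate becomes 31 packets, which a window of four drains in 8 round trips (1.6 s each way at 200 ms RTT); at 1000 bytes the same certificate is 4 packets and fits in a single window turn. The gap between this lower bound and the 7 seconds measured is what the model leaves out, which is why it is worth confirming the cause in the capture rather than from the arithmetic alone.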

samuli | 31 Mar 08:44 2015

[PATCH] Remove useless dash escapes from the man-page

From: Samuli Seppänen <samuli@openvpn.net>

This patch is against the release/2.3 branch

Trac: 512
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
---
 doc/openvpn.8 | 1800 ++++++++++++++++++++++++++++-----------------------------
 1 file changed, 900 insertions(+), 900 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index a95d353..bcd2d76 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
 <at>  <at>  -37,7 +37,7  <at>  <at> 
 .TH openvpn 8 "17 November 2008"
 .\"*********************************************************
 .SH NAME
-openvpn \- secure IP tunnel daemon.
+openvpn - secure IP tunnel daemon.
 .\"*********************************************************
 .SH SYNOPSIS
 .ft 3
 <at>  <at>  -97,25 +97,25  <at>  <at>  with a relatively lightweight footprint.
 .SH OPTIONS
 OpenVPN allows any option to be placed either on the command line
 or in a configuration file.  Though all command line options are preceded
-by a double-leading-dash ("\-\-"), this prefix can be removed when
+by a double-leading-dash ("--"), this prefix can be removed when
 an option is placed in a configuration file.
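Review bot: the second hunk turns `\-\-` into `--` inside the double-leading-dash example, and that is exactly where the escape is not useless. groff typesets an unescaped `-` as a hyphen, which in UTF-8 output is U+2010 rather than ASCII 0x2D, so text copied from the rendered page no longer matches what the shell or the option parser expects; `\-` always yields the ASCII minus. Debian's lintian flags this case as hyphen-used-as-minus-sign. The NAME line in the first hunk is the conventional place for a plain `-`, but option names, flags and negative numbers should keep `\-`; suggest limiting the patch to prose dashes and leaving the escapes in `.B \-\-option` lines and command examples.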
(Continue reading)

samuli | 31 Mar 08:40 2015

[PATCH] Remove useless dash escapes from the man-page

From: Samuli Seppänen <samuli@openvpn.net>

Trac: 512
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
---
 doc/openvpn.8 | 1810 ++++++++++++++++++++++++++++-----------------------------
 1 file changed, 905 insertions(+), 905 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 9551566..1c1a2da 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
 <at>  <at>  -37,7 +37,7  <at>  <at> 
 .TH openvpn 8 "17 November 2008"
 .\"*********************************************************
 .SH NAME
-openvpn \- secure IP tunnel daemon.
+openvpn - secure IP tunnel daemon.
 .\"*********************************************************
 .SH SYNOPSIS
 .ft 3
 <at>  <at>  -97,25 +97,25  <at>  <at>  with a relatively lightweight footprint.
 .SH OPTIONS
 OpenVPN allows any option to be placed either on the command line
 or in a configuration file.  Though all command line options are preceded
-by a double-leading-dash ("\-\-"), this prefix can be removed when
+by a double-leading-dash ("--"), this prefix can be removed when
 an option is placed in a configuration file.
 .\"*********************************************************
 .TP
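Review bot: in the second hunk the `\-\-` inside the quoted double-leading-dash example should stay escaped. groff renders a bare `-` as a typographic hyphen (U+2010 in UTF-8 output), so option names copied from the man page stop working on the command line, whereas `\-` gives the ASCII minus; lintian reports this as hyphen-used-as-minus-sign. Replacing `\-` in the NAME line is fine; for option names and command examples the escapes are doing real work and a blanket search-and-replace across 900 lines will remove them too.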
(Continue reading)

Steffan Karger | 30 Mar 22:29 2015

FreeBSD+cryptodev testers wanted

Hi,

See https://community.openvpn.net/openvpn/ticket/480

A bug was reported when using openvpn in daemon mode (--daemon), in 
combination with the OpenSSL cryptodev engine on FreeBSD.  The 
originally proposed patch is reported to fix the problem, but caused a 
change in the interpretation of config files, so was NAK'ed.  I proposed 
an alternative patch, which I believe will fix the issue without 
changing config file interpretation, but I do not have a setup to 
verify this.

So, is there anyone with a FreeBSD machine with cryptodev engine 
available who is willing to test the patch?

Thanks,
-Steffan

Matthias Andree | 30 Mar 21:54 2015

[PATCH] Manual page update for Re-enabled TLS version negotiation.

Signed-off-by: Matthias Andree <matthias.andree@gmx.de>
---
 doc/openvpn.8 | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index a95d353..1420bdd 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
 <at>  <at>  -4286,16 +4286,19  <at>  <at>  include "1.0", "1.1", or "1.2".  If 'or-highest' is specified
 and version is not recognized, we will only accept the highest TLS
 version supported by the local SSL implementation.

-If this options is not set, the code in OpenVPN 2.3.4 will default
-to using TLS 1.0 only, without any version negotiation.  This reverts
-the beaviour to what OpenVPN versions up to 2.3.2 did, as it turned
-out that TLS version negotiation can lead to handshake problems due
-to new signature algorithms in TLS 1.2.
+Also see
+.B \-\-tls-version-max
+below, for information on compatibility.
 .\"*********************************************************
 .TP
 .B \-\-tls-version-max version
 Set the maximum TLS version we will use (default is the highest version
 supported).  Examples for version include "1.0", "1.1", or "1.2".
+
+If and only if this is set to 1.0, and OpenSSL is used (not PolarSSL),
+then OpenVPN will set up OpenSSL to use a fixed TLSv1 handshake. All
+other configurations will autonegotiate in the given limits, and the
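Review bot: the removed paragraph told the reader what `--tls-version-min` does when it is not set; the replacement only says "Also see --tls-version-max below", so the default minimum version is no longer stated anywhere in this option's entry. Keep one sentence here giving the default explicitly (whatever the code now does when the option is absent) rather than leaving it to be inferred from the `--tls-version-max` text, since readers look up the two options independently. The wording of the new `--tls-version-max` paragraph is otherwise clear.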
(Continue reading)

Steffan Karger | 26 Mar 01:01 2015

[PATCH] Remove unneeded parameter 'first_time' from possibility_become_daemon()

The static helper function possibly_become_daemon() is called only once,
by do_init_first_time(), which checks 'first_time' to be true before
calling possibly_become_daemon().  This makes the parameter useless.

Signed-off-by: Steffan Karger <steffan@karger.me>
---
 src/openvpn/init.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index b670a48..b97d2da 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
 <at>  <at>  -917,10 +917,10  <at>  <at>  do_persist_tuntap (const struct options *options)
  * Return true if we did it.
  */
 static bool
-possibly_become_daemon (const struct options *options, const bool first_time)
+possibly_become_daemon (const struct options *options)
 {
   bool ret = false;
-  if (first_time && options->daemon)
+  if (options->daemon)
     {
       ASSERT (!options->inetd);
       if (daemon (options->cd_dir != NULL, options->log) < 0)
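Review bot: with `first_time` gone, nothing in `possibly_become_daemon()` itself prevents a second call from daemonizing twice; the only guard is now the caller's check in `do_init_first_time()`. Please record that precondition in the comment block above the function (the visible part only says "Return true if we did it"), e.g. "Must only be called during first-time initialization", so a future caller added elsewhere does not silently reintroduce the double fork. The body change to `if (options->daemon)` is correct given that precondition.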
 <at>  <at>  -2771,7 +2771,7  <at>  <at>  do_init_first_time (struct context *c)
       get_pid_file (c->options.writepid, &c0->pid_state);

       /* become a daemon if --daemon */
(Continue reading)

Samuli Seppänen | 23 Mar 20:21 2015

Topics for next week's (Monday, 30th Mar 2015) community meeting

Hi,

We're going to have an IRC meeting _next_ Monday, 30th March, starting
at 20:00 CET (19:00 UTC) on #openvpn-devel@irc.freenode.net. Current
topic list along with basic information is here:

<https://community.openvpn.net/openvpn/wiki/Topics-2015-03-30>

If you have any other things you'd like to bring up, respond to this
mail, send me mail privately or add them to the list yourself.

In case you can't attend the meeting, please feel free to make comments
on the topics by responding to this email or to the summary email sent
after the meeting. Whenever possible, we'll also respond to existing,
related email threads.

NOTE: It's required to use a registered Freenode IRC nickname to join
#openvpn-devel - look here for details:

<https://community.openvpn.net/openvpn/wiki/GettingHelp#DeveloperIRCchannel>

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

(Continue reading)

Ryan O'Connor | 19 Mar 14:48 2015

OpenVPN Service Windows 8

I have been using OpenVPN Service to run my clients' VPN connections on Windows 8 and have noticed that they never start automatically even though it's set to.

I have found that to fix this you need to go into services.msc and in OpenVPN Service you need to go to the Log On tab and change the Local System account to Allow service to interact with desktop.  Is this expected behaviour or only new because of Win 8/10?

Thanks,

Ryan

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
