debbie10t | 13 Feb 23:35 2016

generic-build: Install openvpnxxx.tarbz2

Hi

I have successfully managed to use the generic-build system
to compile a fully up-to-date version of openvpn/openssl ..

I now have the file: openvpn-x86_64-linux-gnu-001-bin.tar.bz2

I have run the built openvpn(bin) as a "stand alone binary" quite happily

LOG:
OpenVPN 2.3_git [git:master/5f5229e41d134b65+] x86_64-unknown-linux-gnu
[SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb 12
2016
library versions: OpenSSL 1.0.1r  28 Jan 2016, LZO 2.09

Is this sufficient to run openvpn(bin) this way, or are any of the other
files in the "openvpn xxx tar.bz" file required for it to run correctly?

Are there any instructions to install this correctly?

I would ask elsewhere but I am at a loss as to where to go ..

Many thanks

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!

Selva Nair | 13 Feb 22:15 2016

[PATCH 0/2] Support "block-outside-dns" through interactive service

Hi,

The patch is split into two commits for ease of review
(i) Refactor the code changing no functionality
    -- most of win_wfp_block_dns is moved to a new file and
       made independent of the rest of the code

(ii) Implement a handler for blocking dns in the interactive service

With (i) and (ii), --block-outside-dns should work without admin privileges
if the interactive service is installed and running and the GUI is started as a user.

Tested on Win7/Win10

Selva Nair | 12 Feb 20:47 2016

interactive service and stdout/stderr pipes

Hi,

Currently the interactive service uses anonymous pipes for stdout and stderr in CreateProcess to start OpenVPN. But the service doesn't actively read from these pipes until the process exits with a non-zero error code. Any output thus read goes to the service pipe and EventLog which a casual end user never sees.

The bad side of this is the potential for deadlock, which is especially bad when verb > 3: the pipe buffer may fill up early, causing write to block in msg(), with little or no output in the management interface.

Shall we change this to use /dev/null (i.e., "NUL" on Windows) for both stdout/stderr?

Selva
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
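Selva's message above describes the mechanism precisely: a child whose stderr is an anonymous pipe that nobody reads blocks in write() as soon as the pipe buffer is full, and a parent that only waits for the child then waits forever. The Go program below is an added illustration, not code from the interactive service or from openvpn-gui. It uses a POSIX sh loop (constructed for this example) as a stand-in for a chatty openvpn.exe at verb > 3, and contrasts the three choices on the table: an unread pipe (what the service does today), the null device (the proposal), and a pipe the parent drains concurrently.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"os/exec"
	"time"
)

// Stand-in for a chatty openvpn.exe at verb > 3 (constructed for this
// example): a POSIX sh loop that writes about 4 MiB to stderr using only
// shell built-ins, far more than any default pipe buffer holds.
const chattyChild = `i=0
while [ $i -lt 16000 ]; do printf '%0256d\n' 0 >&2; i=$((i+1)); done`

// Outcome of one run: whether the child finished on its own within the
// time limit, and how many stderr bytes the parent actually collected.
type Outcome struct {
	Exited      bool
	StderrBytes int
}

// runChild starts the child with stderr wired according to mode and then
// does what the service does today: waits for the process without reading.
//   "pipe-unread": stderr is an anonymous pipe nobody reads (current service)
//   "devnull":     stderr goes to the null device (the proposal)
//   "drained":     stderr is a pipe the parent copies concurrently
func runChild(mode string, limit time.Duration) (Outcome, error) {
	cmd := exec.Command("sh", "-c", chattyChild)
	var sink bytes.Buffer
	var writeEnd *os.File
	switch mode {
	case "pipe-unread":
		r, w, err := os.Pipe()
		if err != nil {
			return Outcome{}, err
		}
		defer r.Close() // read end stays open, but nothing ever reads it
		cmd.Stderr = w
		writeEnd = w
	case "devnull":
		cmd.Stderr = nil // os/exec opens os.DevNull for a nil Stderr
	case "drained":
		cmd.Stderr = &sink // os/exec pumps the pipe into the buffer in a goroutine
	default:
		return Outcome{}, fmt.Errorf("unknown mode %q", mode)
	}
	if err := cmd.Start(); err != nil {
		return Outcome{}, err
	}
	if writeEnd != nil {
		writeEnd.Close() // parent drops its copy of the write end
	}

	done := make(chan error, 1)
	go func() { done <- cmd.Wait() }()
	select {
	case err := <-done:
		return Outcome{Exited: err == nil, StderrBytes: sink.Len()}, nil
	case <-time.After(limit):
		// The child is blocked in write(2) on a full pipe and the parent is
		// blocked in Wait: the deadlock. Break it so the demo can continue.
		_ = cmd.Process.Kill()
		<-done
		return Outcome{Exited: false, StderrBytes: sink.Len()}, nil
	}
}

func main() {
	for _, mode := range []string{"pipe-unread", "devnull", "drained"} {
		o, err := runChild(mode, 3*time.Second)
		fmt.Printf("%-12s exited=%-5v stderr_bytes=%d err=%v\n", mode, o.Exited, o.StderrBytes, err)
	}
}
```

The failure is identical for a POSIX pipe and a Windows anonymous pipe; only the buffer size differs (typically 64 KiB on Linux, a few KiB for a Windows anonymous pipe), which is why a higher verb level makes it show up sooner. Sending the output to the null device removes the deadlock but also the output; keeping the pipe only works if the service reads it continuously, as the "drained" mode does.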
debbie10t | 12 Feb 12:10 2016

Micro-sha-ft

I presume you are aware, but just in case:
Microsoft: no more SHA1 Authenticode

https://forums.openvpn.net/topic20987.html

Samuli Seppänen | 12 Feb 09:51 2016

Re: OpenVPN installers with openvpn-gui pull request #13's code included

Hi,

Sending to the list also...

>
>     PS> C:\> openvpnserv.exe -install
>     PS> C:\> openvpnserv.exe -start automatic
>
>
> I suppose you mean openvpnserv.exe -start interactive

You're correct. My mistake.

>     - Revert commit 2af86368964 in openvpn-gui
>
>
> We may want to do this only for 2.4 (or git master) based binary
> distributions. For 2.3 there is no interactive service and this
> "highestAvailable" may still be required (or at least expected by users).

> One way to handle this is to create a release branch on the GUI repo and
> revert the commit only in master. Then 2.3 installers can continue to
> use that release branch.

This sounds reasonable. That said, we should be able to know which GUI 
version belongs to the master branch, and which to the release branch. 
Right now we just have a single version number - 10 at the moment.

>     - Make OpenVPN-GUI fail/warn if it can't reach interactive service
>
>
> In fact it may be ok to require the iservice to operate the GUI -- that
> is, do not allow the GUI to directly start openvpn.exe (running as
> admin will fail with a message then). But leave this for later?

I think we can leave this for later, as long as the Interactive Service 
is enabled at install time. That way much fewer users will get this 
nasty surprise.

> I think the installer should include the following commands
>
> (i) openvpnserv.exe -install  <- this will install both auto and
> interactive services
> this is probably there in the current NSIS installer (the user can
> disable it by choosing not to install any service, but it's not possible
> to install only one of those (not yet, at least)).

Yes, this is done by default right now.

> (ii) openvpnserv.exe --start interactive

This is not done by default. I will add it to the installer code.

> Do not start the automatic service by default as that is meant for
> expert users. Else it will spawn-up openvpn.exe for all configs found
> and possibly mess-up with interactive use.

This is the default behavior right now, and we should keep it that way.

>
>     - Relax OpenVPN's config file permissions, or...
>     - ... make OpenVPN-GUI read configs from user's home dir by default
>
>
> With the pull #13, it's now possible for the user to edit
> HKCU\Software\OpenVPN\config_dir to point the GUI to an alternate
> location for configs. Currently there are no access checks in the
> service, so any location with read access will work.
>
> Let's revisit this after the service is hardened to restrict configs and
> options. Then we can decide how to modify the installer to choose
> appropriate defaults for config_dir etc.

Having an easy method for configuring the OpenVPN configuration file 
directory is needed in my opinion. Right now one has to launch 
regedit.exe and change the path, or do some magic incantations in 
Powershell - not exactly user-friendly.

>     Given that OpenVPNService and OpenVPNServiceInteractive have been
>     separated, replacing the non-interactive variant with openvpnserv2
>     should not be too difficult.
>
>
> While the two services can be independently stopped and started the two
> are installed and removed together:
> openvpnserv.exe --install sets up two services OpenVPNService and
> OpenVPNServiceInteractive. So any replacement will have to use a name
> distinct from those. I think openvpnserv2 uses the same name
> "OpenVPNService" which will cause a conflict.
> In the long run it may be better to remove the automatic service
> completely from the openvpnserv.exe code.

Disabling the automatic service part in openvpnserv.exe should be fairly 
straightforward. There's probably some simple routine which calls 
Windows APIs to register the new services, which we could modify. Then 
we also need to remove the old service in the installer/uninstaller.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

Steffan Karger | 8 Feb 22:54 2016

Re: [PATCH 07/10] Create separate function for replay check

Hi,

On Mon, Feb 8, 2016 at 4:55 PM, Arne Schwabe <schwabe <at> uni-paderborn.de> wrote:
> Am 07.02.16 um 20:47 schrieb Steffan Karger:
>> In preparation for AEAD cipher modes, which will need the same
>> functionality.
>>
>> Should not change any behaviour.
>
> ACK. Passing gc instead of using its own gc does not really matter in
> this case.

I chose to pass the gc for performance reasons.  Passing the gc should
be faster (even 'free' if the compiler decides to inline).  This is in
the critical path for packet processing, so I tried to keep overhead
to a minimum.

-Steffan

Samuel Thibault | 8 Feb 22:39 2016

route / route-ipv6 can not be used in ccd

Hello,

Is there a reason for not being allowed to set route / route-ipv6
options in the ccd?

Here is our need: we have two openvpn daemons running on the same
server, one in udp mode, the other in tcp mode. Both have the same
configuration, that setup is meant for our users to use whichever
happens to be working from their network, preferring udp whenever
possible. The server thus has tun0 and tun1. Our users may have some
additional IPs routed to them, so we record these in the ccd files, for
instance:

iroute-ipv6 2a01:474:5:100::/56
route-ipv6 2a01:474:5:100::/56

However, while iroute-ipv6 is accepted by openvpn, route-ipv6 is not
accepted:

samuel.thibault/::ffff:83.200.171.86 Options error: option 'route-ipv6' cannot be used in this context

The problem is that since one can not know in advance which openvpn
daemon users will connect to (and thus which of tun0 or tun1 should have
the route), we can not set these routes statically before the users
connect.

We could of course use the --up script to set the routes, but it looks
much simpler and straightforward to set it from the ccd, since we need
to set the iroute there already anyway.

Samuel

Samuli Seppänen | 8 Feb 11:26 2016

OpenVPN installers with openvpn-gui pull request #13's code included

Hi,

Selva has a pending pull request to openvpn-gui, which completes the 
integration of interactive service into OpenVPN installers:

<https://github.com/OpenVPN/openvpn-gui/pull/13>

The pull request contains several changes which need testing:

<https://github.com/OpenVPN/openvpn-gui/pull/13/commits>

I built test installers which include the new openvpn-gui code:

<http://build.openvpn.net/downloads/temp/openvpn-install-2.3_guipr13-I601-i686.exe>
<http://build.openvpn.net/downloads/temp/openvpn-install-2.3_guipr13-I601-x86_64.exe>

If you test these installers please report back and tell how things 
went. I'll try to do testing on my own later today.

Best regards,

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

Lev Stipakov | 7 Feb 21:21 2016

[PATCH] Report Windows bitness

Trac #599

Signed-off-by: Lev Stipakov <lstipakov <at> gmail.com>
---
 src/openvpn/win32.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c
index 6c6ac4c..5702304 100644
--- a/src/openvpn/win32.c
+++ b/src/openvpn/win32.c
 <at>  <at>  -1323,6 +1323,20  <at>  <at>  win32_version_info()
     }
 }

+bool
+win32_is_64bit()
+{
+#if defined(_WIN64)
+    return true;  // 64-bit programs run only on Win64
+#elif defined(_WIN32)
+    // 32-bit programs run on both 32-bit and 64-bit Windows
+    BOOL f64 = FALSE;
+    return IsWow64Process(GetCurrentProcess(), &f64) && f64;
+#else
+    return false; // Win64 does not support Win16
+#endif
+}
+
 const char *
 win32_version_string(struct gc_arena *gc, bool add_name)
 {
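Review bot: win32_is_64bit() is added as an external function, but the patch adds no prototype to any header and the only caller visible is win32_version_string() further down in the same file; either make it `static bool win32_is_64bit(void)` or add the declaration to win32.h, and in either case use `(void)` rather than `()`, since an empty parameter list in a C definition means "unspecified arguments". Two smaller points: when IsWow64Process() fails the function silently reports 32-bit, which is acceptable for a log label but deserves a comment saying that the failure is deliberately folded into "32bit"; and the `#else` branch with its "Win64 does not support Win16" comment can never be compiled for win32.c, so a plain `#error` or a clearer comment would be less confusing. The `//` comments should also follow whatever comment style the rest of the file uses.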
 <at>  <at>  -1349,6 +1363,8  <at>  <at>  win32_version_string(struct gc_arena *gc, bool add_name)
             break;
     }

+    buf_printf (&out, win32_is_64bit() ? " 64bit" : " 32bit");
+
     return (const char *)out.data;
 }

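Review bot: `buf_printf (&out, win32_is_64bit() ? " 64bit" : " 32bit")` passes a conditional expression as the format string; neither branch contains a '%', so it is harmless today, but compilers running with -Wformat-nonliteral or -Wformat-security will flag it, and `buf_printf (&out, " %s", win32_is_64bit() ? "64bit" : "32bit")` avoids that. Consider also making the label say what it measures: with the IsWow64Process() path above, a 32-bit openvpn running on 64-bit Windows logs "64bit", i.e. the OS bitness rather than the binary's, and a reader of the version line cannot tell which of the two they are looking at; reporting both (for example "64bit OS, 32bit process") removes the ambiguity.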
-- 
1.9.1

Steffan Karger | 7 Feb 20:47 2016

[PATCH] Add support for AEAD (GCM) cipher mode

Hi,

These patches add support for GCM mode ciphers to OpenVPN.  These are
originally inspired by the patch from kruton (trac #301, and
http://thread.gmane.org/gmane.network.openvpn.devel/7653), but most of the
original code has been rewritten.

As discussed in various IRC meetings and at the hackathons, we used this
opportunity to introduce a new - more efficient - packet format.  See
http://sourceforge.net/p/openvpn/mailman/message/33210313/ and the commit
message of patch 8 for more details.

The first patches (1-7) are refactoring in preparation for adding AEAD modes.
Not all of the changes are strictly required, but they made it easier for me to
understand what was going on and debug my AEAD code.  I think they improve the
understandability of the code.  These should not change any behaviour (apart
from adding better log messages).

Patch 8 actually adds the GCM cipher mode.  See its commit message for more
information on the implementation.

Patch 9 provides polarssl/mbedtls and openssl config file interoperability.

Patch 10 adds a (very) preliminary version of cipher negotiation.  I'm not
entirely sure if we should already apply this patch or wait for full cipher
negotiation support.  I'm also not sure when I will have proper negotiation
patches available.

This implementation has been verified to be compatible with openvpn 3 clients
and servers.  To test this you'll need to pretend to fully support IV_NCP and
IV_TCPNL, see e.g. https://github.com/syzzer/openvpn/tree/aead-cipher-modes13.

This has been a spare-time project, and did not yet receive any thorough review
or field testing.  So both are still very much needed.

-Steffan
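The cover letter above and the "Create separate function for replay check" reply earlier on this page concern the same thing, and it is worth seeing why an AEAD mode needs that check. With GCM the packet id becomes the explicit part of the nonce: it must never repeat under one key, it has to be authenticated as associated data so a forged header fails the tag, and the receiver still needs an anti-replay window, one it advances only after the tag verifies. The Go program below is an added illustration, not OpenVPN code and not the packet format of patch 8, whose details are not on this page; its header layout (a cleartext 32-bit packet id in front of ciphertext and tag), the 8-byte implicit nonce tail, the 64-entry window and the all-zero demo key are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	pidLen  = 4  // explicit 32-bit packet id sent in clear at the front of each packet
	saltLen = 8  // implicit nonce tail: derived together with the key, never transmitted
	window  = 64 // anti-replay window width, in packet ids (assumption of this example)
)

// Channel is one direction of a data channel: GCM key, implicit nonce
// tail, the sender's next packet id, and the receiver's replay window
// (highest id accepted plus a bitmap of the `window` ids at or below it).
type Channel struct {
	aead    cipher.AEAD
	salt    [saltLen]byte
	nextPID uint32
	highest uint32
	seen    uint64 // bit k set <=> packet id highest-k has been accepted
}

func NewChannel(key []byte, salt [saltLen]byte) (*Channel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // 96-bit nonce, 128-bit tag
	if err != nil {
		return nil, err
	}
	return &Channel{aead: aead, salt: salt, nextPID: 1}, nil
}

// nonce = packet id || salt. Nonce uniqueness under one key therefore rests
// entirely on never reusing a packet id, which is why Seal refuses to wrap
// around and why the receiver keeps a replay window.
func (c *Channel) nonce(pid uint32) []byte {
	n := make([]byte, pidLen+saltLen)
	binary.BigEndian.PutUint32(n, pid)
	copy(n[pidLen:], c.salt[:])
	return n
}

// Seal returns pid || ciphertext || tag. The cleartext pid is passed as
// associated data, so a modified header fails authentication.
func (c *Channel) Seal(plaintext []byte) ([]byte, error) {
	if c.nextPID == 0 {
		return nil, errors.New("packet id space exhausted: rekey before sending more")
	}
	pid := c.nextPID
	c.nextPID++ // wraps to 0 after 2^32-1 packets, which the check above catches
	hdr := make([]byte, pidLen)
	binary.BigEndian.PutUint32(hdr, pid)
	out := make([]byte, pidLen, pidLen+len(plaintext)+c.aead.Overhead())
	copy(out, hdr)
	return c.aead.Seal(out, c.nonce(pid), plaintext, hdr), nil
}

// Open runs the cheap replay check first, then authenticates and decrypts,
// and only then records the id, so forged headers cannot move the window.
func (c *Channel) Open(packet []byte) ([]byte, error) {
	if len(packet) < pidLen+c.aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	hdr, body := packet[:pidLen], packet[pidLen:]
	pid := binary.BigEndian.Uint32(hdr)
	if err := c.replayCheck(pid); err != nil {
		return nil, err
	}
	pt, err := c.aead.Open(nil, c.nonce(pid), body, hdr)
	if err != nil {
		return nil, fmt.Errorf("authentication failed: %w", err)
	}
	c.replayUpdate(pid)
	return pt, nil
}

func (c *Channel) replayCheck(pid uint32) error {
	switch {
	case pid == 0:
		return errors.New("packet id 0 is reserved")
	case pid > c.highest:
		return nil // advances the window
	case c.highest-pid >= window:
		return errors.New("packet id too old for the replay window")
	case c.seen&(1<<(c.highest-pid)) != 0:
		return errors.New("replayed packet id")
	}
	return nil // late but not yet seen: accepted
}

func (c *Channel) replayUpdate(pid uint32) {
	if pid > c.highest {
		if shift := pid - c.highest; shift >= window {
			c.seen = 0
		} else {
			c.seen <<= shift
		}
		c.highest = pid
	}
	c.seen |= 1 << (c.highest - pid)
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real one comes from the key exchange
	var salt [saltLen]byte
	copy(salt[:], "demosalt")
	tx, _ := NewChannel(key, salt)
	rx, _ := NewChannel(key, salt)
	p1, _ := tx.Seal([]byte("first"))
	_, err := rx.Open(p1)
	fmt.Println("first delivery:", err)
	_, err = rx.Open(p1)
	fmt.Println("replay:", err)
	p2, _ := tx.Seal([]byte("second"))
	forged := append([]byte(nil), p2...)
	forged[3] ^= 0x04 // attacker rewrites the packet id (2 -> 6)
	_, err = rx.Open(forged)
	fmt.Println("tampered header:", err)
	_, err = rx.Open(p2)
	fmt.Println("genuine packet after the forgery:", err)
}
```

The order of checks in Open is the point: the window is consulted before decryption so replays are dropped cheaply, but it is advanced only after authentication, otherwise anyone who can inject packets could push the window forward with forged headers and make genuine traffic look stale. On the sending side, running out of packet ids is the moment to renegotiate keys, never to wrap the counter.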

Leonardo | 7 Feb 19:43 2016

Fwd: [PATCH] Fix misleading socket error code on Windows

Hi. First of all, this is my first contribution ever to an open source
project. I hope I'm doing this right.

After installing OpenVPN 2.3.10 on my Windows computer and trying to
connect to a VPN server, I was getting this error message:

TCP: connect to [AF_INET]x.x.x.x:80 failed, will try again in 5
seconds: The system tried to join a drive to a directory on a joined
drive.

Hours of googling and no real solution later, I've decided to check
the source code and see if I could find the real cause of this error.
It was a timeout error. Indeed there's a mismapping going on, as
suggested here:

http://sourceforge.net/p/openvpn/mailman/message/33101265/

I have both MinGW-w64 and Visual Studio 2015, and in both headers
WSAETIMEDOUT is defined as ETIMEDOUT which is defined as 138, despite
the online documentation saying that WSAETIMEDOUT should be 10060.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms740668%28v=vs.85%29.aspx

I couldn't find any explanation about this, but based on other
threads, this issue seems to be around for quite some time now. After
the patch below, the right error message comes out:

TCP: connect to [AF_INET]x.x.x.x:80 failed: Connection timed out (WSAETIMEDOUT)

I understand that's not the most elegant solution, but given the above
said, I don't see an alternative. There are many forum threads out
there just because of this misleading error message.

Signed-off-by: Leonardo Basilio <leobasilio <at> gmail.com>
---
 src/openvpn/socket.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 396fa54..c01ef3d 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
 <at>  <at>  -1177,7 +1177,11  <at>  <at>  openvpn_connect (socket_descriptor_t sd,
         {
           if (--connect_timeout < 0)
         {
+#ifdef WIN32
+          status = 10060;
+#else
           status = ETIMEDOUT;
+#endif
           break;
         }
           openvpn_sleep (1);
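Review bot: the literal 10060 should be the symbolic constant WSAETIMEDOUT, which the Winsock documentation linked in the message gives with exactly that value; the magic number tells the next reader nothing and hides the very header mix-up the patch works around. If, as the message says, WSAETIMEDOUT expands to the CRT's ETIMEDOUT (138) in both toolchains, that indicates a different header than winsock2.h is defining it in this translation unit, and the first step should be to confirm which include wins here rather than to pin the number; once that is settled, use the symbol, and leave a one-line comment above the `#ifdef WIN32` explaining that on Windows `status` must carry a Winsock error code, not an errno value, so that nobody later "fixes" it back to ETIMEDOUT.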
--
2.7.0.windows.1

