Samuli Seppänen | 29 Sep 10:44 2014

tap-windows6 bugfixes



Hi all,

Just got back from my one-week vacation and learned that the author of
tap-windows6 has started fixing the issues:

<https://github.com/TDivine/tap-windows6>

I'll build an updated tap-windows6 installer after a few more bugs have
been squashed, then after some beta-testing rebuild the OpenVPN Windows
installers.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

Samuli Seppänen | 29 Sep 10:52 2014

Any Windows-based OpenVPN servers available for fixing bug #432?



Hi,

Does someone have a spare (=non-production) Windows-based OpenVPN server
(e.g. on EC2) which could be used to debug and fix #432?

<https://community.openvpn.net/openvpn/ticket/432>

Best regards,

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

Philipp Hagemeister | 26 Sep 18:11 2014

[PATCH] Implement on-link route adding for iproute2

Currently, when compiling with --enable-iproute2 , OpenVPN does not
create a correct route when the user is connected to the Internet
without a gateway (e.g. via ppp). This patch implements the
corresponding FIXME.

Signed-off-by: Philipp Hagemeister <phihag <at> phihag.de>
---
 src/openvpn/route.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index 5428e76..a06c841 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
 <at>  <at>  -1285,15 +1285,18  <at>  <at>  add_route (struct route_ipv4 *r,

 #if defined(TARGET_LINUX)
 #ifdef ENABLE_IPROUTE
-  /* FIXME -- add on-link support for ENABLE_IPROUTE */
-  argv_printf (&argv, "%s route add %s/%d via %s",
-             iproute_path,
+  argv_printf (&argv, "%s route add %s/%d",
+             iproute_path,
              network,
-             count_netmask_bits(netmask),
-             gateway);
+             count_netmask_bits(netmask));
+
   if (r->flags & RT_METRIC_DEFINED)
     argv_printf_cat (&argv, "metric %d", r->metric);
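
Review bot: The `iproute_path,` argument line near the top of the hunk is removed and re-added with no visible change in content, which points to a whitespace-only difference; keep the original indentation so the diff shows only the functional change. With `via %s` and `gateway` dropped from the first `argv_printf`, the rest of the hunk (cut off here after the `metric %d` line) has to append either the gateway or the on-link device on every path, and the commit message would be clearer if it named the condition that selects the on-link form.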

Hubert Kario | 26 Sep 12:24 2014

[PATCH 1/2] ocsp_check - signature verification and cert status results are separate

when openssl returns result of parsing and verification of the
OCSP response, the signature verification is separate from the certificate
status, as such it's necessary to check both of them.

Otherwise results like:

Response Verify Failure
140170966779776:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:85:
ca/cert.pem: good
        This Update: Sep 23 12:12:28 2014 GMT

will be accepted as being trustworthy.

Note that "Response verify OK" is printed on stderr, so it can't
be discarded.

Signed-off-by: Hubert Kario <hkario <at> redhat.com>
---
 contrib/OCSP_check/OCSP_check.sh | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/contrib/OCSP_check/OCSP_check.sh b/contrib/OCSP_check/OCSP_check.sh
index 553c3dc..ce7ec04 100644
--- a/contrib/OCSP_check/OCSP_check.sh
+++ b/contrib/OCSP_check/OCSP_check.sh
 <at>  <at>  -97,12 +97,15  <at>  <at>  if [ $check_depth -eq -1 ] || [ $cur_depth -eq $check_depth ]; then
                     "$nonce" \
                     -CAfile "$verify" \
                     -url "$ocsp_url" \
-                    -serial "${serial}" 2>/dev/null)
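
Review bot: At the removed `-serial "${serial}" 2>/dev/null)` line the replacement is cut off in this excerpt, so it cannot be seen whether stderr is now folded into the captured output (for example with `2>&1`) or captured separately. Whichever it is, the later check should require the `Response verify OK` line in addition to the `good` certificate status, and should fail closed when that line is absent rather than only when `Response Verify Failure` is present.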

Jorge Ramos | 25 Sep 08:04 2014

Problem with I603-64 under Vista 64 SP2

Hello,

 

I installed openvpn-install-2.3.4-I603-x86_64.exe under Vista 64 SP2 and it didn’t work. VPN connects but doesn’t work and openvpn-gui can’t stop the openvpn process. I have tried manually signaling the event sent to openvpn via command line but it seems that openvpn wasn’t waiting on that. In this scenario a boot was impossible because openvpn didn’t die. I have to power off the computer on each new try (annoying and dangerous)!

I uninstalled I603 and installed openvpn-install-2.3.4-I003-x86_64.exe and everything works as expected, including the manual signaling of the event (I did it just to be sure, not a normal operation). The connection is usable, but slow. Probably a network-related problem.

I’m not sure if this is a bug or not.


Regards 

Jorge Ramos

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Gregory Sloop | 23 Sep 17:50 2014

Questions/Comments about EasyRSA

I have some comments/issues related to EasyRSA - and I'm glad to assist as I can.

However, I've made comments over at GitHub and haven't seen any response - so perhaps this is a better place to make them. Yet, I'm not sure how open this list is to discussion about EasyRSA when, almost certainly, the majority of the traffic is for "real" dev work on the main product, OpenVPN.

So, is this the place to discuss EasyRSA, or does someone have some alternative suggestions?
[I'm glad to get into the heart of the discussion, but want to be sure this is the right forum and that I'm not committing some faux-pas.]

-Greg
Hubert Kario | 23 Sep 14:45 2014

OCSP_check.sh fixup

There are a few serious issues with the OCSP_check.sh script:
 1. It will accept OCSP responses with bad signatures
 2. It may accept old OCSP responses as currently valid

detailed description on bug tracker:
https://community.openvpn.net/openvpn/ticket/450#ticket

Pull request with fixes:
https://github.com/OpenVPN/openvpn/pull/17

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hkario <at> redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
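
The two separate checks described in the OCSP_check.sh messages above (response signature, then certificate status), as an added shell example that is not part of the original posts or of OCSP_check.sh. The function name `ocsp_verdict`, its verdict words and the label argument are assumptions; the first sample is the output quoted in the patch description, the other two are constructed.

```shell
# Added example, not part of OCSP_check.sh.
# ocsp_verdict OUTPUT LABEL
#   OUTPUT: stdout and stderr of `openssl ocsp`, captured together (2>&1)
#   LABEL:  text openssl prints before the status (assumed known to the caller)
# Prints one verdict word; returns 0 only for "trusted".
ocsp_verdict() {
    out=$1
    label=$2

    # Signature check: require the positive line instead of looking for the
    # absence of "Response Verify Failure", so missing output fails closed.
    if ! printf '%s\n' "$out" | grep -qx 'Response verify OK'; then
        echo "bad-signature"
        return 1
    fi

    # Status check, independent of the signature check: the line for this
    # certificate must read exactly "<label>: good".
    if ! printf '%s\n' "$out" | grep -qxF "${label}: good"; then
        echo "not-good"
        return 1
    fi

    echo "trusted"
}

# Sample: the failing output quoted in the patch description.
SAMPLE_BAD_SIG='Response Verify Failure
140170966779776:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:85:
ca/cert.pem: good
        This Update: Sep 23 12:12:28 2014 GMT'

# Constructed sample: verified response reporting a good certificate.
SAMPLE_OK='Response verify OK
ca/cert.pem: good
        This Update: Sep 23 12:12:28 2014 GMT'

# Constructed sample: verified response reporting a revoked certificate.
SAMPLE_REVOKED='Response verify OK
ca/cert.pem: revoked
        This Update: Sep 23 12:12:28 2014 GMT'
```

The first sample carries a `good` status line and is still rejected, because the signature line is checked on its own.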

si simsons | 20 Sep 00:29 2014

(no subject)

David Sommerseth | 18 Sep 11:02 2014

[PATCH] Add systemd unit file for OpenVPN

From: David Sommerseth <davids <at> redhat.com>

This is to encourage all Linux distributions to use a unified systemd
unit file.

This unit file also tries to reduce the capabilities of the running
openvpn process.

Signed-off-by: David Sommerseth <davids <at> redhat.com>
---
 distro/systemd/openvpn <at> .service | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 distro/systemd/openvpn <at> .service

diff --git a/distro/systemd/openvpn <at> .service b/distro/systemd/openvpn <at> .service
new file mode 100644
index 0000000..e17a8a5
--- /dev/null
+++ b/distro/systemd/openvpn <at> .service
 <at>  <at>  -0,0 +1,19  <at>  <at> 
+[Unit]
+Description=OpenVPN tunnel for %I
+After=syslog.target network.target
+Documentation=man:openvpn(8)
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
+Documentation=http://community.openvpn.net/openvpn/wiki/HOWTO
+
+[Service]
+PrivateTmp=true
+Type=forking
+PIDFile=/var/run/openvpn/%i.pid
+ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/
--config %i.conf
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID
CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH 
+LimitNPROC=10
+DeviceAllow=/dev/null rw
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
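
Review bot: `CAP_DAC_READ_SEARCH` in `CapabilityBoundingSet=` bypasses read and directory-search permission checks on every file, which is a wide grant for a unit whose stated aim is to reduce capabilities; add a comment saying what needs it, or drop it and make the files under `/etc/openvpn/` readable by the service instead. Separately, `PIDFile=/var/run/openvpn/%i.pid` assumes `/var/run/openvpn` already exists and nothing in the unit creates it, and the second `Documentation=` URL uses `http://` where the first uses `https://`.
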
-- 
1.8.3.1

David Sommerseth | 9 Sep 19:26 2014

[PATCH v2 0/2] Further systemd cleanups

From: David Sommerseth <davids <at> redhat.com>

This replaces patch 2/4 [1] and patch 3/4 [2] of the last round,
just fixing up things from the review.

Patch 1/4 [3] got an ACK and has been applied, while patch 4/4 [4]
will be considered in a bigger scope.

[1] <http://thread.gmane.org/gmane.network.openvpn.devel/9023/focus=9024>
[2] <http://thread.gmane.org/gmane.network.openvpn.devel/9023/focus=9020>
[3] <http://thread.gmane.org/gmane.network.openvpn.devel/9023/focus=9021>
[4] <http://thread.gmane.org/gmane.network.openvpn.devel/9023/focus=9022>

David Sommerseth (2):
  Don't try to use systemd-ask-password if it is not available
  Clean up the pipe closing in openvpn_popen()

 src/openvpn/console.c |  8 +++++---
 src/openvpn/misc.c    | 18 ++++++++++--------
 2 files changed, 15 insertions(+), 11 deletions(-)

-- 
1.8.3.1

davids | 5 Sep 17:25 2014

[PATCH 0/4] Clean-up of the systemd integration

From: David Sommerseth <davids <at> redhat.com>

There were a few issues with the systemd implementation,
where the openvpn binary would have zombie processes attached
to itself when systemd-ask-password was used.  In addition
to not always properly closing the communication pipes used.

This patch set also avoids OpenVPN failing if systemd-ask-password
is not found, but rather falls back to the normal console method.

David Sommerseth (4):
  Don't let openvpn_popen() keep zombies around
  Don't try to use systemd-ask-password if it is not available
  Clean up the pipe closing in openvpn_popen()
  White-space clean-up of openvpn_popen()

 src/openvpn/console.c | 11 ++++----
 src/openvpn/misc.c    | 75 ++++++++++++++++++++++++++++-----------------------
 2 files changed, 47 insertions(+), 39 deletions(-)

--
kind regards,

David Sommerseth

-- 
1.8.3.1
