headers
Heikki Hannikainen | 18 May 2013 13:53
Picon
Picon
Gravatar

[PATCH] pkcs12-additional-cas option to load CA+intermediate certs from both PKCS#12 and a --ca PEM file

Hi,

I've set up a VPN service which authenticates users using certificates
provided by a 3rd party (which has manually authenticated the users
from paper documents and given out some 50k certs). Their tools allow
the end users to nicely export a PKCS#12 certificate which OpenVPN can
currently use out of the box. Grand!

The 3rd party does not give out server certificates, so my VPN server
uses a certificate signed by my own CA. Thus I need to pass my CA to
the VPN client using the --ca option.

Currently OpenVPN ignores CA and intermediate certificates inside the
PKCS#12 file if --ca is set. Without --ca it loads them. The problem
is that the 3rd party CA uses intermediate certificates, and rotates
them ~yearly without warning, so I need the client to load the
intermediates from PKCS#12. To get both client and server validation
working I need to load certs from both the PKCS#12 file and a PEM file
provided using --ca.

So, I added a client option 'pkcs12-additional-cas' to make the --ca
and pkcs12 CA certs additive, not exclusive either-or. Default
functionality is like before. Manual page updated, too.

Patch attached, feedback welcome. I'm not quite sure if the name of
the option (--pkcs12-additional-cas) is good.

---
 doc/openvpn.8             |   16 ++++++++++++++++
 src/openvpn/options.c     |   16 ++++++++++++++++
(Continue reading)

Permalink | Reply | 0 comments |
headers
Gert Doering | 18 May 2013 12:43
Picon

[PATCH] Improve documentation and help text for --route-ipv6.

Signed-off-by: Gert Doering <gert <at> greenie.muc.de>
---
 doc/openvpn.8         | 6 +++++-
 src/openvpn/options.c | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index cbfc107..366e2f5 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
 <at>  <at>  -5359,7 +5359,11  <at>  <at>  if no gateway is specified.
 .TP
 .B --route-ipv6 ipv6addr/bits [gateway] [metric]
 setup IPv6 routing in the system to send the specified IPv6 network
-into OpenVPN's ``tun'' device
+into OpenVPN's ``tun''.  The gateway parameter is only used for
+IPv6 routes across ``tap'' devices, and if missing, the ``ipv6remote''
+field from
+.B --ifconfig-ipv6
+is used.
 .TP
 .B --server-ipv6 ipv6addr/bits
 convenience-function to enable a number of IPv6 related options at
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index c5ed0d6..fdf52e0 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
 <at>  <at>  -215,7 +215,7  <at>  <at>  static const char usage_message[] =
   "--route-ipv6 network/bits [gateway] [metric] :\n"
   "                  Add IPv6 route to routing table after connection\n"
(Continue reading)

Permalink | Reply | 0 comments |
headers
Josh Cepek | 11 May 2013 21:00
Picon

[PATCH] Fix Windows script execution when called from script hooks

Console applications under Windows, such as batch scripts, require the
CREATE_NO_WINDOW process flag when run without an actual console window
present. This change allows such scripts to execute and impact the hook
status by way of their return code.

Fixes bug #240.

Signed-off-by: Josh Cepek <josh.cepek <at> usa.net>
---
 src/openvpn/win32.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c
index 2db96a8..291124e 100644
--- a/src/openvpn/win32.c
+++ b/src/openvpn/win32.c
 <at>  <at>  -879,7 +879,10  <at>  <at>  openvpn_execve (const struct argv *a, const struct env_set *es, const unsigned i
           start_info.dwFlags = STARTF_USESHOWWINDOW;
           start_info.wShowWindow = SW_HIDE;

-          if (CreateProcessW (cmd, cl, NULL, NULL, FALSE, 0, env, NULL, &start_info, &proc_info))
+          /* this allows console programs to run, and is ignored otherwise */
+          unsigned int proc_flags = CREATE_NO_WINDOW;
+
+          if (CreateProcessW (cmd, cl, NULL, NULL, FALSE, proc_flags, env, NULL, &start_info, &proc_info))
             {
               DWORD exit_status = 0;
               CloseHandle (proc_info.hThread);
--

-- 
1.8.1.5
(Continue reading)

Permalink | Reply | 3 comments |
headers
Gert Doering | 5 May 2013 15:10
Picon

[PATCH] Use min_int() instead of MIN()+syshead.c compat definition.

Reverts commit 15ca5c297b556fbb, instead change ssl_openssl.c to use
"min_int()", which is already defined in "integer.h"
---
 src/openvpn/ssl_openssl.c |    2 +-
 src/openvpn/syshead.h     |    7 -------
 2 files changed, 1 insertions(+), 8 deletions(-)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 79cc056..be55b8f 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
 <at>  <at>  -232,7 +232,7  <at>  <at>  tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
           // %.*s format specifier expects length of type int, so guarantee
           // that length is small enough and cast to int.
           msg (M_WARN, "No valid translation found for TLS cipher '%.*s'",
-              (int) MIN(current_cipher_len, 256), current_cipher);
+              (int) min_int(current_cipher_len, 256), current_cipher);
         }
       else
 	{
diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index 0c3e4ee..db02c23 100644
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
 <at>  <at>  -399,13 +399,6  <at>  <at> 
 #endif

 /*
- * do we have the MIN() macro?
- */
(Continue reading)

Permalink | Reply | 4 comments |
headers
Gert Doering | 3 May 2013 21:13
Picon

[PATCH] Fix NULL-pointer crash in route_list_add_vpn_gateway().

Add ASSERT() check to route_list_add_vpn_gateway() to ensure that *rl
is valid (and if not, crash with a somewhat more meaningful message than
"segmentation violation").  For the actual bugfix, change init code to
always allocate a "struct route_list" for IPv4, even if no --route options
have been seen in the config.

Fix trac#281 and trac#258.

Signed-off-by: Gert Doering <gert <at> greenie.muc.de>
---
 src/openvpn/init.c  | 7 ++++---
 src/openvpn/route.c | 1 +
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 98f5489..694d086 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
 <at>  <at>  -1145,13 +1145,14  <at>  <at>  do_init_traffic_shaper (struct context *c)
 }

 /*
- * Allocate a route list structure if at least one
- * --route option was specified.
+ * Allocate route list structures for IPv4 and IPv6
+ * (we do this for IPv4 even if no --route option has been seen, as other
+ * parts of OpenVPN might want to fill the route-list with info, e.g. DHCP)
  */
 static void
 do_alloc_route_list (struct context *c)
(Continue reading)

Permalink | Reply | 2 comments |
headers
Josh Cepek | 2 May 2013 23:17
Picon

[PATCH] Fix proto tcp6 for server & non-P2MP modes

This fix adds support for using tcp6 as a proto in server or non-P2MP
modes, resolving a failed ASSERT in such cases.

Signed-off-by: Josh Cepek <josh.cepek <at> usa.net>
---
 src/openvpn/options.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 05c6da2..c86f795 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
 <at>  <at>  -1833,6 +1833,8  <at>  <at>  options_postprocess_verify_ce (const struct options *options, const struct conne
    */
   if (ce->proto == PROTO_TCPv4)
     msg (M_USAGE, "--proto tcp is ambiguous in this context.  Please specify --proto tcp-server or --proto tcp-client");
+  if (ce->proto == PROTO_TCPv6)
+    msg (M_USAGE, "--proto tcp6 is ambiguous in this context.  Please specify --proto tcp6-server or --proto tcp6-client");

   /*
    * Sanity check on daemon/inetd modes
 <at>  <at>  -2355,6 +2357,8  <at>  <at>  options_postprocess_mutate_ce (struct options *o, struct connection_entry *ce)
     {
       if (ce->proto == PROTO_TCPv4)
        ce->proto = PROTO_TCPv4_SERVER;
+      else if (ce->proto == PROTO_TCPv6)
+       ce->proto = PROTO_TCPv6_SERVER;
     }
 #endif
 #if P2MP
(Continue reading)

Permalink | Reply | 2 comments |
headers
Samuli Seppänen | 2 May 2013 11:17
Favicon

Today's IRC meeting postponed to next week

Hi,

Unlike we originally planned, we won't have an official IRC meeting
today. Next meeting is planned for next Thursday at 18:00 UTC, when
we'll take a stab at reviewing some of the unreviewed patches:

<https://community.openvpn.net/openvpn/wiki/Topics-2013-05-09>

Please don't hesitate to take a look, and let us know the patches look
ok, or if you think they need some modifications. We hope to review as
many of them as possible before the meeting.

Best regards,

--

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1
Permalink | Reply | 0 comments |
headers
spockyf@gmx.net | 30 Apr 2013 02:14
Picon

openvpn-gui build error (cross-compile for Windows)

Hi all together,

I stuck trying to build Openvpn for Windows under Debian wheezy. I use
the openvpn-build git-repo and installed all packages and dependencies
mentioned in the README files.
The Problem always occurs when the build-script tries to build
openvpn-gui. Here the essential output:

#:~openvpn-build/generic{master}$ IMAGEROOT=`pwd`/image-win64
CHOST=x86_64-w64-mingw32 CBUILD=x86_64-pc-linux-gnu ./build
...
x86_64-w64-mingw32-gcc -std=gnu99 -DHAVE_CONFIG_H -I.
-I/home/felix/repositories/openvpn-build/generic/image-win64/openvpn/include
-D_UNICODE -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=NTDDI_WINXP -municode
-pedantic -Wall -Wextra -MT proxy.o -MD -MP -MF .deps/proxy.Tpo -c -o
proxy.o proxy.c
proxy.c: In function 'QueryWindowsProxySettings':
proxy.c:417:23: error: 'WINHTTP_AUTO_DETECT_TYPE_DHCP' undeclared (first
use in this function)
proxy.c:417:23: note: each undeclared identifier is reported only once
for each function it appears in
proxy.c:417:55: error: 'WINHTTP_AUTO_DETECT_TYPE_DNS_A' undeclared
(first use in this function)
proxy.c:438:32: error: 'WINHTTP_AUTOPROXY_CONFIG_URL' undeclared (first
use in this function)
proxy.c:448:21: warning: passing argument 1 of 'GlobalFree' discards
'const' qualifier from pointer target type [enabled by default]
/usr/lib/gcc/x86_64-w64-mingw32/4.6/../../../../x86_64-w64-mingw32/include/winbase.h:1132:29:
note: expected 'HGLOBAL' but argument is of type 'LPCWSTR'
proxy.c:449:27: warning: assignment discards 'const' qualifier from
(Continue reading)

Permalink | Reply | 2 comments |
headers
Jan Just Keijser | 27 Apr 2013 23:45
Picon
Picon
Favicon

TAP driver & NDIS 6.3

yo list,

did anybody see this post on the forum

  https://forums.openvpn.net/topic12455.html

"Current windows TAP driver 9.9.2 uses NDIS API version 5.0. This is 
fine for desktop Windows including Windows 8, but the driver sources 
cannot be recompiled for Windows RT. Windows RT requires NDIS drivers to 
use NDIS API version 6.30, and MS completely removed support for older 
NDIS API."

?

cheers,

JJK

------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
Permalink | Reply | 0 comments |
headers
Samuli Seppänen | 26 Apr 2013 22:12
Favicon

Summary of the IRC meeting (25th Apr 2013)

Hi,

Here's the summary of the previous IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-devel on irc.freenode.net
Date: Thursday 25th Apr 2013
Time: 18:00 UTC

Planned meeting topics for this meeting were on this page:

<https://community.openvpn.net/openvpn/wiki/Topics-2013-04-25>

Next meeting is scheduled for Thursday 2nd May at 18:00 UTC. Your local
meeting time is easy to check from services such as

<http://www.timeanddate.com/worldclock>

or with

$ date -u

SUMMARY

cron2, dazo, jamesyonan, krzee, mattock and novaflash participated in
this meeting.
(Continue reading)

Permalink | Reply | 0 comments |
headers
Arne Schwabe | 26 Apr 2013 21:54
Gravatar

[[Patch v3] 1/3] Allow routes to be set before opening tun, similar to ifconfig before opening tun

---
 src/openvpn/init.c |   13 ++++++++++---
 src/openvpn/tun.h  |   11 +++++++++++
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 979ba23..f08583b 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
 <at>  <at>  -1428,7 +1428,14  <at>  <at>  do_open_tun (struct context *c)
 						&gc);
 	  do_ifconfig (c->c1.tuntap, guess, TUN_MTU_SIZE (&c->c2.frame), c->c2.es);
 	}
-
+      
+      /* possibly add routes */
+      if (route_order() == ROUTE_BEFORE_TUN) {
+        /* Ignore route_delay, would cause ROUTE_BEFORE_TUN to be ignored */
+        do_route (&c->options, c->c1.route_list, c->c1.route_ipv6_list,
+                  c->c1.tuntap, c->plugins, c->c2.es);
+      }
+      
       /* open the tun device */
       open_tun (c->options.dev, c->options.dev_type, c->options.dev_node,
 		c->c1.tuntap);
 <at>  <at>  -1460,7 +1467,7  <at>  <at>  do_open_tun (struct context *c)
 		   c->c2.es);

       /* possibly add routes */
-      if (!c->options.route_delay_defined)
(Continue reading)

Permalink | Reply | 17 comments |

Gmane