Steffan Karger | 20 Aug 23:00 2014

[PATCH 1/2] Fix some uninitialized variable warnings

Does not actually change behaviour, but fixes compiler warnings
and properly initializing is a good habit anyway.

Signed-off-by: Steffan Karger <steffan <at> karger.me>
---
 src/openvpn/plugin.c | 2 +-
 src/openvpn/sig.c    | 2 +-
 src/openvpn/socket.c | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
index 0948f23..54c5b52 100644
--- a/src/openvpn/plugin.c
+++ b/src/openvpn/plugin.c
 <at>  <at>  -291,7 +291,7  <at>  <at>  plugin_init_item (struct plugin *p, const struct plugin_option *o)
 static void
 plugin_vlog (openvpn_plugin_log_flags_t flags, const char *name, const char *format, va_list arglist)
 {
-  unsigned int msg_flags;
+  unsigned int msg_flags = 0;

   if (!format)
     return;
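Review bot: Initialising `msg_flags` to 0 in plugin_vlog silences the warning, but it also hides the path the compiler flagged, where `msg_flags` is read without having been assigned. The commit message says behaviour does not change; it would help to say which `flags` value leaves the variable unset, or to give that case an explicit branch so that 0 is a chosen value rather than a default.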
diff --git a/src/openvpn/sig.c b/src/openvpn/sig.c
index 90e39a4..a3d29de 100644
--- a/src/openvpn/sig.c
+++ b/src/openvpn/sig.c
 <at>  <at>  -126,7 +126,7  <at>  <at>  print_signal (const struct signal_info *si, const char *title, int msglevel)
     {
       const char *type = (si->signal_text ? si->signal_text : "");

Gert Doering | 20 Aug 13:22 2014

Re: Ongoing Windows 8 issues

Hi,

On Wed, Aug 20, 2014 at 11:49:18AM +0200, Richard Weinberger wrote:
> Okay, let's come down a bit and have a cup of coffee first.

Good plan :-)

> I did not know about the new NDIS6 drivers. Now there is a comment mentioning it. Thanks for
> that. This is all I wanted.

So, yes, "we are working on it" (it was decided last year in Munich that
this was needed, and OpenVPN Tech actually found someone who understands
windows programming well enough to tackle this and paid him to do it).  

It seems to have some bugs left, though, so carefully test this before 
rolling out.

gert
--

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert <at> greenie.muc.de
fax: +49-89-35655025                        gert <at> net.informatik.tu-muenchen.de

Richard Weinberger | 20 Aug 09:32 2014

Ongoing Windows 8 issues

Hi!

This bug has existed for almost 14 months (!!) without a solution.
Some hacks work, some not.
https://community.openvpn.net/openvpn/ticket/316

I really wonder why this issue is ignored by the OpenVPN developers.

--

-- 
Thanks,
//richard

Steffan Karger | 18 Aug 23:09 2014

[PATCH] Fix compiler warnings in ssl_polarssl.c.

No functional changes, just add missing includes and make casts explicit.

Signed-off-by: Steffan Karger <steffan <at> karger.me>
---
 src/openvpn/ssl_polarssl.c | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c
index ddccf1d..62c110b 100644
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
 <at>  <at>  -40,6 +40,7  <at>  <at> 

 #include "errlevel.h"
 #include "ssl_backend.h"
+#include "base64.h"
 #include "buffer.h"
 #include "misc.h"
 #include "manage.h"
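Review bot: The added `#include "base64.h"` here (and the polarssl headers in the next hunk) may be more than cosmetic, so "no functional changes" in the commit message deserves a second look. If the warnings were implicit-declaration warnings, a C89 compiler was assuming an `int` return and doing no argument checking for those calls, which can truncate pointer-sized return values on 64-bit targets. Please name the functions that lacked a prototype in the commit message, and consider building with -Werror=implicit-function-declaration so that a missing include fails the build.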
 <at>  <at>  -49,8 +50,10  <at>  <at> 

 #include "ssl_verify_polarssl.h"
 #include <polarssl/error.h>
+#include <polarssl/oid.h>
 #include <polarssl/pem.h>
 #include <polarssl/sha256.h>
+#include <polarssl/version.h>

 void
 tls_init_lib()

Josh Cepek | 18 Aug 12:46 2014

IPv6 pool and handling CIDR masks

First, an overview of IPv6 pool and CIDR handling.

The handling of the --ifconfig-ipv6-pool `bits` CIDR netmask value seems to
need adjustment. Today, if this value does not exactly match the same CIDR
mask applied to --ifconfig-ipv6, client connectivity breaks in odd ways.

I am proposing that we update the behavior to effectively ignore this value,
remove the documentation references to the problematic `bits` setting, and
use the server's own CIDR mask when pushing to clients. An
anti-climactic patch to do this will be sent as a reply, and is
backwards-compatible with existing configurations because the CIDR mask will
be accepted and ignored.

In short, clients should be pushed the CIDR mask of the server, not the mask
of the pool size. This is how IPv4 works (a pool using 128 IPs does not mean
we push a /25, but we still push the /24 used by the server.) The pool needs
to be independent of the actual CIDR mask assigned to the VPN network. Until
the code can handle IPv6 pools of a smaller size and correctly refuse to use
IPs outside the pool range, it is best to not offer v6 pool size selection
at all.

So what's the problem?

The manpage says the `bits` value to the v6 pool controls the size of the
pool, which we would get in IPv4 by controlling the start/stop values.
However, this value actually has nothing to do with the pool size, and only
the initial IP is used meaningfully.

When a client connects, the multi_select_virtual_addr() function is
responsible for picking IPs for the client, based on either --ifconfig-push

Micah Robert | 15 Aug 21:00 2014

Bad signature

The GnuPG signatures for all 4 of the windows downloads from <https://openvpn.net/index.php/open-source/downloads.html> show as bad when verified against the signature downloads from <https://openvpn.net/index.php/open-source/documentation/sig.html>.

Also, Norton shows 3 of the 4 files to be only 8 days old and 1 to be only 7 days old.

Sincerely,
Micah Robert
------------------------------------------------------------------------------
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Lev Stipakov | 14 Aug 10:00 2014

Possible memory leaks found by Coverity

Hello,

I have analyzed OpenVPN code with Coverity and I could not explain
some resource leaks Coverity has found.

1) https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/options.c#L4378

char * ipv6_local;
VERIFY_PERMISSION (OPT_P_UP);
if ( get_ipv6_addr( p[1], NULL, &netbits, &ipv6_local, msglevel ) &&
     ipv6_addr_safe( p[2] ) ) {
  if ( netbits < 64 || netbits > 124 ) {
    msg( msglevel, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits );
    goto err;
  }

Coverity claims that "err" branch leaks "ipv6_local". I looked into
"get_ipv6_addr" implementation and noticed that it does not pass any
"gc" to subsequent string_alloc call. To my understanding, in this
case caller is responsible for cleaning up, which is not the case for
"err" branch.

2) https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/proxy.c#L863

char *pa = NULL;
const int method = get_proxy_authenticate(sd, p->options.timeout, &pa,
                                          NULL, signal_received);
if (method != HTTP_AUTH_NONE) {
  if (pa)
    msg (D_PROXY, "HTTP proxy authenticate '%s'", pa);
  if (p->options.auth_retry == PAR_NCT && method == HTTP_AUTH_BASIC) {
    msg (D_PROXY, "HTTP proxy: support for basic auth and other cleartext proxy auth methods is disabled");
    goto error;
  }

Coverity claims that "error" branch leaks "pa". Same pattern as above,
"get_proxy_authenticate" passes NULL (4th parameter) as "gc" to
"string_alloc".

Do those issues look like problems? Does it make sense to submit a
patch fixing those?

--

-- 
-Lev
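
The ownership pattern reported in the message above, as an added example that is not OpenVPN code and not part of the original post: a parser hands a heap string to its caller, and an early `goto` skips the free. All names here (`parse_addr`, `set_ifconfig_ipv6_leaky`, `set_ifconfig_ipv6_fixed`, the allocation counter) are hypothetical; only the 64..124 netbits range is taken from the quoted snippet.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int live_allocs = 0;          /* allocations not yet freed */

static char *tracked_strdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) { memcpy(p, s, n); live_allocs++; }
    return p;
}

static void tracked_free(char *p)
{
    if (p) { free(p); live_allocs--; }
}

/* Hypothetical stand-in for a parser called without an arena: on success
 * the caller owns *addr_out and must free it. Input format: "addr/bits". */
static bool parse_addr(const char *spec, int *netbits, char **addr_out)
{
    const char *slash = strchr(spec, '/');
    char *end, *copy;
    long bits;

    if (!slash || slash == spec)
        return false;
    bits = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0' || bits < 0 || bits > 128)
        return false;
    copy = tracked_strdup(spec);
    if (!copy)
        return false;
    copy[slash - spec] = '\0';       /* keep only the address part */
    *netbits = (int)bits;
    *addr_out = copy;
    return true;
}

struct config { char *ipv6_local; int netbits; };

/* Before: the range check jumps to err while still owning addr. */
static bool set_ifconfig_ipv6_leaky(struct config *c, const char *spec)
{
    char *addr = NULL;
    int netbits = 0;

    if (parse_addr(spec, &netbits, &addr)) {
        if (netbits < 64 || netbits > 124)
            goto err;                /* addr is never freed on this path */
        c->ipv6_local = addr;
        c->netbits = netbits;
        return true;
    }
err:
    return false;
}

/* After: one exit point frees whatever the function still owns. */
static bool set_ifconfig_ipv6_fixed(struct config *c, const char *spec)
{
    char *addr = NULL;
    int netbits = 0;
    bool ok = false;

    if (!parse_addr(spec, &netbits, &addr))
        goto done;
    if (netbits < 64 || netbits > 124)
        goto done;
    tracked_free(c->ipv6_local);     /* drop any previous value */
    c->ipv6_local = addr;
    c->netbits = netbits;
    addr = NULL;                     /* ownership moved to the config */
    ok = true;
done:
    tracked_free(addr);              /* no-op when addr is NULL */
    return ok;
}

/* Runs a handler on a fresh config and reports how many allocations remain
 * after the config's own string has been released. */
static int leaked_by(bool (*handler)(struct config *, const char *),
                     const char *spec)
{
    struct config c = { NULL, 0 };
    int before = live_allocs;

    handler(&c, spec);
    tracked_free(c.ipv6_local);
    return live_allocs - before;
}

int main(void)
{
    /* Constructed inputs: /48 fails the range check, /64 passes it. */
    printf("leaky /48: %d\n", leaked_by(set_ifconfig_ipv6_leaky, "2001:db8::1/48"));
    printf("fixed /48: %d\n", leaked_by(set_ifconfig_ipv6_fixed, "2001:db8::1/48"));
    printf("fixed /64: %d\n", leaked_by(set_ifconfig_ipv6_fixed, "2001:db8::1/64"));
    return 0;
}
```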

randy bercheni | 8 Aug 20:57 2014

Re: Openvpn-devel Digest, Vol 99, Issue 3

My VPN does not stay connected. I have to do it myself; sometimes that does not work.


On Friday, August 8, 2014 4:12 AM, "openvpn-devel-request <at> lists.sourceforge.net" <openvpn-devel-request <at> lists.sourceforge.net> wrote:



Today's Topics:

  1. new OpenSSL Security Advisories (Mike Tancsa)
  2. Re: new OpenSSL Security Advisories (Steffan Karger)
  3. [PATCH] Tease apart ipv6 and ipv4 ifconfig code. (Gavin Shrubbery)
  4. Impact of latest OpenSSL vulnerabilities to OpenVPN
      (Samuli Seppänen)
  5. Re: Impact of latest OpenSSL vulnerabilities to    OpenVPN
      (Samuli Seppänen)


----------------------------------------------------------------------

Message: 1
Date: Thu, 07 Aug 2014 17:11:47 -0400
From: Mike Tancsa <mike <at> sentex.net>
Subject: [Openvpn-devel] new OpenSSL Security Advisories
To: "openvpn-devel <at> lists.sourceforge.net"
    <openvpn-devel <at> lists.sourceforge.net>
Message-ID: <53E3EB93.5090108 <at> sentex.net>
Content-Type: text/plain; charset=utf-8; format=flowed

Has anyone had a chance to evaluate the latest security issues and how
they might impact OpenVPN ?

https://www.openssl.org/news/secadv_20140806.txt


--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike <at> sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada  http://www.tancsa.com/



------------------------------

Message: 2
Date: Thu, 07 Aug 2014 23:33:02 +0200
From: Steffan Karger <steffan <at> karger.me>
Subject: Re: [Openvpn-devel] new OpenSSL Security Advisories
To: openvpn-devel <at> lists.sourceforge.net
Message-ID: <53E3F08E.40309 <at> karger.me>
Content-Type: text/plain; charset=windows-1252

Hi,

On 07-08-14 23:11, Mike Tancsa wrote:
> Has anyone had a chance to evaluate the latest security issues and how
> they might impact OpenVPN ?
>
> https://www.openssl.org/news/secadv_20140806.txt

Yes, announcement on the wiki:
https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenSSL1.0.1i

tl;dr: You're probably not affected.

-Steffan



------------------------------

Message: 3
Date: Fri,  8 Aug 2014 11:10:32 +1200
From: Gavin Shrubbery <gavin.shrubbery <at> gmail.com>
Subject: [Openvpn-devel] [PATCH] Tease apart ipv6 and ipv4 ifconfig
    code.
To: openvpn-devel <at> lists.sourceforge.net
Message-ID:
    <1407453032-588-1-git-send-email-gavin.shrubbery <at> gmail.com>

This change makes it possible to configure an IPv6 address on a
tunnel without also having an IPv4 address.

Signed-off-by: Gavin Shrubbery <gavin.shrubbery <at> gmail.com>
---
src/openvpn/tun.c | 367 +++++++++++++++++++++++++++---------------------------
1 file changed, 183 insertions(+), 184 deletions(-)

diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index ba4b15e..d1a8a03 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
<at> <at> -634,16 +634,10 <at> <at> do_ifconfig (struct tuntap *tt,
      const char *ifconfig_local = NULL;
      const char *ifconfig_remote_netmask = NULL;
      const char *ifconfig_broadcast = NULL;
-      const char *ifconfig_ipv6_local = NULL;
-      const char *ifconfig_ipv6_remote = NULL;
-      bool do_ipv6 = false;
      struct argv argv;

      argv_init (&argv);

-      msg( M_INFO, "do_ifconfig, tt->ipv6=%d, tt->did_ifconfig_ipv6_setup=%d",
-              tt->ipv6, tt->did_ifconfig_ipv6_setup );
-
      /*
        * We only handle TUN/TAP devices here, not --dev null devices.
        */
<at> <at> -655,13 +649,6 <at> <at> do_ifconfig (struct tuntap *tt,
      ifconfig_local = print_in_addr_t (tt->local, 0, &gc);
      ifconfig_remote_netmask = print_in_addr_t (tt->remote_netmask, 0, &gc);

-      if ( tt->ipv6 && tt->did_ifconfig_ipv6_setup )
-        {
-      ifconfig_ipv6_local = print_in6_addr (tt->local_ipv6, 0, &gc);
-      ifconfig_ipv6_remote = print_in6_addr (tt->remote_ipv6, 0, &gc);
-      do_ipv6 = true;
-    }
-
      /*
        * If TAP-style device, generate broadcast address.
        */
<at> <at> -679,7 +666,6 <at> <at> do_ifconfig (struct tuntap *tt,
    }
#endif

-
#if defined(TARGET_LINUX)
#ifdef ENABLE_IPROUTE
    /*
<at> <at> -720,19 +706,6 <at> <at> do_ifconfig (struct tuntap *tt,
          argv_msg (M_INFO, &argv);
          openvpn_execve_check (&argv, es, S_FATAL, "Linux ip addr add failed");
    }
-      if ( do_ipv6 )
-    {
-      argv_printf( &argv,
-              "%s -6 addr add %s/%d dev %s",
-              iproute_path,
-              ifconfig_ipv6_local,
-              tt->netbits_ipv6,
-              actual
-              );
-      argv_msg (M_INFO, &argv);
-      openvpn_execve_check (&argv, es, S_FATAL, "Linux ip -6 addr add failed");
-    }
-      tt->did_ifconfig = true;
#else
      if (tun)
    argv_printf (&argv,
<at> <at> -755,21 +728,8 <at> <at> do_ifconfig (struct tuntap *tt,
              );
      argv_msg (M_INFO, &argv);
      openvpn_execve_check (&argv, es, S_FATAL, "Linux ifconfig failed");
-      if ( do_ipv6 )
-    {
-      argv_printf (&argv,
-              "%s %s add %s/%d",
-              IFCONFIG_PATH,
-              actual,
-              ifconfig_ipv6_local,
-              tt->netbits_ipv6
-              );
-      argv_msg (M_INFO, &argv);
-      openvpn_execve_check (&argv, es, S_FATAL, "Linux ifconfig inet6 failed");
-    }
-      tt->did_ifconfig = true;
-
#endif /*ENABLE_IPROUTE*/
+      tt->did_ifconfig = true;
#elif defined(TARGET_SOLARIS)

      /* Solaris 2.6 (and 7?) cannot set all parameters in one go...
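Review bot: With `tt->did_ifconfig = true;` now set once after `#endif /*ENABLE_IPROUTE*/`, the flag is only set on the IPv4 side of do_ifconfig; none of the IPv6 branches added later in this patch set it. If the IPv4 block is skipped for an IPv6-only tunnel, which is the case the commit message targets, `did_ifconfig` stays false on Linux. Please check the code that reads `did_ifconfig` for that case, or set the flag in the IPv6 block as well.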
<at> <at> -824,52 +784,6 <at> <at> do_ifconfig (struct tuntap *tt,
      if (!openvpn_execve_check (&argv, es, 0, "Solaris ifconfig phase-2 failed"))
    solaris_error_close (tt, es, actual, false);

-      if ( do_ipv6 )
-        {
-       argv_printf (&argv, "%s %s inet6 unplumb",
-                IFCONFIG_PATH, actual );
-      argv_msg (M_INFO, &argv);
-      openvpn_execve_check (&argv, es, 0, NULL);
-
-      if ( tt->type == DEV_TYPE_TUN )
-      {
-          argv_printf (&argv,
-                "%s %s inet6 plumb %s/%d %s up",
-                IFCONFIG_PATH,
-                actual,
-                ifconfig_ipv6_local,
-                tt->netbits_ipv6,
-                ifconfig_ipv6_remote
-                );
-        }
-      else                        /* tap mode */
-        {
-          /* base IPv6 tap interface needs to be brought up first
-          */
-          argv_printf (&argv, "%s %s inet6 plumb up",
-                IFCONFIG_PATH, actual );
-          argv_msg (M_INFO, &argv);
-          if (!openvpn_execve_check (&argv, es, 0, "Solaris ifconfig IPv6 (prepare) failed"))
-        solaris_error_close (tt, es, actual, true);
-
-          /* we might need to do "ifconfig %s inet6 auto-dhcp drop"
-          * after the system has noticed the interface and fired up
-          * the DHCPv6 client - but this takes quite a while, and the
-          * server will ignore the DHCPv6 packets anyway.  So we don't.
-          */
-
-          /* static IPv6 addresses need to go to a subinterface (tap0:1)
-          */
-          argv_printf (&argv,
-                "%s %s inet6 addif %s/%d up",
-                IFCONFIG_PATH, actual,
-                ifconfig_ipv6_local, tt->netbits_ipv6 );
-        }
-      argv_msg (M_INFO, &argv);
-      if (!openvpn_execve_check (&argv, es, 0, "Solaris ifconfig IPv6 failed"))
-        solaris_error_close (tt, es, actual, true);
-        }
-
      if (!tun && tt->topology == TOP_SUBNET)
    {
      /* Add a network route for the local tun interface */
<at> <at> -928,32 +842,9 <at> <at> do_ifconfig (struct tuntap *tt,
              );
      argv_msg (M_INFO, &argv);
      openvpn_execve_check (&argv, es, S_FATAL, "OpenBSD ifconfig failed");
-      if ( do_ipv6 )
-    {
-      argv_printf (&argv,
-              "%s %s inet6 %s/%d",
-              IFCONFIG_PATH,
-              actual,
-              ifconfig_ipv6_local,
-              tt->netbits_ipv6
-              );
-      argv_msg (M_INFO, &argv);
-      openvpn_execve_check (&argv, es, S_FATAL, "OpenBSD ifconfig inet6 failed");

-      /* and, hooray, we explicitely need to add a route... */
-      add_route_connected_v6_net(tt, es);
-    }
      tt->did_ifconfig = true;
-
#elif defined(TARGET_NETBSD)
-
-/* whether or not NetBSD can do IPv6 can be seen by the availability of
- * the TUNSIFHEAD ioctl() - see next TARGET_NETBSD block for more details
- */
-#ifdef TUNSIFHEAD
-# define NETBSD_MULTI_AF
-#endif
-
      if (tun)
    argv_printf (&argv,
              "%s %s %s %s mtu %d netmask 255.255.255.255 up",
<at> <at> -994,26 +885,6 <at> <at> do_ifconfig (struct tuntap *tt,
      argv_msg (M_INFO, &argv);
      openvpn_execve_check (&argv, es, S_FATAL, "NetBSD ifconfig failed");

-      if ( do_ipv6 )
-    {
-#ifdef NETBSD_MULTI_AF
-      argv_printf (&argv,
-              "%s %s inet6 %s/%d",
-              IFCONFIG_PATH,
-              actual,
-              ifconfig_ipv6_local,
-              tt->netbits_ipv6
-              );
-      argv_msg (M_INFO, &argv);
-      openvpn_execve_check (&argv, es, S_FATAL, "NetBSD ifconfig inet6 failed");
-
-      /* and, hooray, we explicitely need to add a route... */
-      add_route_connected_v6_net(tt, es);
-#else
-      msg( M_INFO, "no IPv6 support for tun interfaces on NetBSD before 4.0 (if your system is newer, recompile openvpn)" );
-      tt->ipv6 = false;
-#endif
-    }
      tt->did_ifconfig = true;

#elif defined(TARGET_DARWIN)
<at> <at> -1079,22 +950,6 <at> <at> do_ifconfig (struct tuntap *tt,
      add_route (&r, tt, 0, NULL, es);
    }

-      if ( do_ipv6 )
-    {
-          argv_printf (&argv,
-                              "%s %s inet6 %s/%d",
-                              IFCONFIG_PATH,
-                              actual,
-                              ifconfig_ipv6_local,
-                              tt->netbits_ipv6
-                              );
-      argv_msg (M_INFO, &argv);
-      openvpn_execve_check (&argv, es, S_FATAL, "MacOS X ifconfig inet6 failed");
-
-      /* and, hooray, we explicitely need to add a route... */
-      add_route_connected_v6_net(tt, es);
-    }
-
#elif defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)

      /* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */
<at> <at> -1145,19 +1000,6 <at> <at> do_ifconfig (struct tuntap *tt,
          add_route (&r, tt, 0, NULL, es);
        }

-      if ( do_ipv6 )
-    {
-          argv_printf (&argv,
-                              "%s %s inet6 %s/%d",
-                              IFCONFIG_PATH,
-                              actual,
-                              ifconfig_ipv6_local,
-                              tt->netbits_ipv6
-                              );
-      argv_msg (M_INFO, &argv);
-      openvpn_execve_check (&argv, es, S_FATAL, "FreeBSD ifconfig inet6 failed");
-    }
-
#elif defined (WIN32)
      {
    /*
<at> <at> -1196,35 +1038,192 <at> <at> do_ifconfig (struct tuntap *tt,
      }
    tt->did_ifconfig = true;
      }
+#else
+      msg (M_FATAL, "Sorry, but I don't know how to do 'ifconfig' commands on this operating system.  You should ifconfig your TUN/TAP device manually or use an --up script.");
+#endif
+      argv_reset (&argv);
+  }

-    /* IPv6 always uses "netsh" interface */
-    if ( do_ipv6 )
-      {
-    char * saved_actual;
+  if (tt->ipv6 && tt->did_ifconfig_ipv6_setup)
+    {
+      const char *ifconfig_ipv6_local = NULL;
+      const char *ifconfig_ipv6_remote = NULL;

-    if (!strcmp (actual, "NULL"))
-      msg (M_FATAL, "Error: When using --tun-ipv6, if you have more than one TAP-Windows adapter, you must also specify --dev-node");
+      struct argv argv;

-    /* example: netsh interface ipv6 set address MyTap 2001:608:8003::d store=active */
-    argv_printf (&argv,
-            "%s%sc interface ipv6 set address %s %s store=active",
-            get_win_sys_path(),
-            NETSH_PATH_SUFFIX,
-            actual,
-            ifconfig_ipv6_local );
+      argv_init (&argv);

-    netsh_command (&argv, 4);
+      msg( M_INFO, "do_ifconfig, tt->ipv6=%d, tt->did_ifconfig_ipv6_setup=%d",
+              tt->ipv6, tt->did_ifconfig_ipv6_setup );

-    /* explicit route needed */
-    /* on windows, OpenVPN does ifconfig first, open_tun later, so
-    * tt->actual_name might not yet be initialized, but routing code
-    * needs to know interface name - point to "actual", restore later
-    */
-    saved_actual = tt->actual_name;
-    tt->actual_name = (char*) actual;
-    add_route_connected_v6_net(tt, es);
-    tt->actual_name = saved_actual;
-      }
+      ifconfig_ipv6_local = print_in6_addr (tt->local_ipv6, 0, &gc);
+      ifconfig_ipv6_remote = print_in6_addr (tt->remote_ipv6, 0, &gc);
+
+#if defined(TARGET_LINUX)
+#ifdef ENABLE_IPROUTE
+      argv_printf (&argv,
+          "%s -6 addr add %s/%d dev %s",
+          iproute_path,
+          ifconfig_ipv6_local,
+          tt->netbits_ipv6,
+          actual
+          );
+      argv_msg (M_INFO, &argv);
+      openvpn_execve_check (&argv, es, S_FATAL, "Linux ip -6 addr add failed");
+#else
+      argv_printf (&argv,
+          "%s %s add %s/%d",
+          IFCONFIG_PATH,
+          actual,
+          ifconfig_ipv6_local,
+          tt->netbits_ipv6
+          );
+      argv_msg (M_INFO, &argv);
+      openvpn_execve_check (&argv, es, S_FATAL, "Linux ifconfig inet6 failed");
+#endif /*ENABLE_IPROUTE*/
+#elif defined(TARGET_SOLARIS)
+
+      argv_printf (&argv, "%s %s inet6 unplumb",
+          IFCONFIG_PATH, actual );
+      argv_msg (M_INFO, &argv);
+      openvpn_execve_check (&argv, es, 0, NULL);
+
+      if ( tt->type == DEV_TYPE_TUN )
+    {
+      argv_printf (&argv,
+              "%s %s inet6 plumb %s/%d %s up",
+              IFCONFIG_PATH,
+              actual,
+              ifconfig_ipv6_local,
+              tt->netbits_ipv6,
+              ifconfig_ipv6_remote
+              );
+    }
+      else                        /* tap mode */
+    {
+      /* base IPv6 tap interface needs to be brought up first
+      */
+      argv_printf (&argv, "%s %s inet6 plumb up",
+              IFCONFIG_PATH, actual );
+      argv_msg (M_INFO, &argv);
+      if (!openvpn_execve_check (&argv, es, 0, "Solaris ifconfig IPv6 (prepare) failed"))
+        solaris_error_close (tt, es, actual, true);
+
+      /* we might need to do "ifconfig %s inet6 auto-dhcp drop"
+      * after the system has noticed the interface and fired up
+      * the DHCPv6 client - but this takes quite a while, and the
+      * server will ignore the DHCPv6 packets anyway.  So we don't.
+      */
+
+      /* static IPv6 addresses need to go to a subinterface (tap0:1)
+      */
+      argv_printf (&argv,
+              "%s %s inet6 addif %s/%d up",
+              IFCONFIG_PATH, actual,
+              ifconfig_ipv6_local, tt->netbits_ipv6 );
+    }
+      argv_msg (M_INFO, &argv);
+      if (!openvpn_execve_check (&argv, es, 0, "Solaris ifconfig IPv6 failed"))
+    solaris_error_close (tt, es, actual, true);
+
+#elif defined(TARGET_OPENBSD)
+
+      argv_printf (&argv,
+          "%s %s inet6 %s/%d",
+          IFCONFIG_PATH,
+          actual,
+          ifconfig_ipv6_local,
+          tt->netbits_ipv6
+          );
+      argv_msg (M_INFO, &argv);
+      openvpn_execve_check (&argv, es, S_FATAL, "OpenBSD ifconfig inet6 failed");
+
+      /* and, hooray, we explicitely need to add a route... */
+      add_route_connected_v6_net(tt, es);
+
+#elif defined(TARGET_NETBSD)
+
+/* whether or not NetBSD can do IPv6 can be seen by the availability of
+ * the TUNSIFHEAD ioctl() - see next TARGET_NETBSD block for more details
+ */
+#ifdef TUNSIFHEAD
+# define NETBSD_MULTI_AF
+#endif
+
+#ifdef NETBSD_MULTI_AF
+      argv_printf (&argv,
+          "%s %s inet6 %s/%d",
+          IFCONFIG_PATH,
+          actual,
+          ifconfig_ipv6_local,
+          tt->netbits_ipv6
+          );
+      argv_msg (M_INFO, &argv);
+      openvpn_execve_check (&argv, es, S_FATAL, "NetBSD ifconfig inet6 failed");
+
+      /* and, hooray, we explicitely need to add a route... */
+      add_route_connected_v6_net(tt, es);
+#else
+      msg( M_INFO, "no IPv6 support for tun interfaces on NetBSD before 4.0 (if your system is newer, recompile openvpn)" );
+      tt->ipv6 = false;
+#endif
+
+#elif defined(TARGET_DARWIN)
+      /*
+      * Darwin (i.e. Mac OS X) seems to exhibit similar behaviour to OpenBSD...
+      */
+      argv_printf (&argv,
+                  "%s %s inet6 %s/%d",
+                  IFCONFIG_PATH,
+                  actual,
+                  ifconfig_ipv6_local,
+                  tt->netbits_ipv6
+                  );
+      argv_msg (M_INFO, &argv);
+      openvpn_execve_check (&argv, es, S_FATAL, "MacOS X ifconfig inet6 failed");
+
+      /* and, hooray, we explicitely need to add a route... */
+      add_route_connected_v6_net(tt, es);
+
+
+#elif defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)
+
+      argv_printf (&argv,
+                  "%s %s inet6 %s/%d",
+                  IFCONFIG_PATH,
+                  actual,
+                  ifconfig_ipv6_local,
+                  tt->netbits_ipv6
+                  );
+      argv_msg (M_INFO, &argv);
+      openvpn_execve_check (&argv, es, S_FATAL, "FreeBSD ifconfig inet6 failed");
+
+#elif defined (WIN32)
+      /* IPv6 always uses "netsh" interface */
+      char * saved_actual;
+
+      if (!strcmp (actual, "NULL"))
+        msg (M_FATAL, "Error: When using --tun-ipv6, if you have more than one TAP-Windows adapter, you must also specify --dev-node");
+
+      /* example: netsh interface ipv6 set address MyTap 2001:608:8003::d store=active */
+      argv_printf (&argv,
+          "%s%sc interface ipv6 set address %s %s store=active",
+          get_win_sys_path(),
+          NETSH_PATH_SUFFIX,
+          actual,
+          ifconfig_ipv6_local );
+
+      netsh_command (&argv, 4);
+
+      /* explicit route needed */
+      /* on windows, OpenVPN does ifconfig first, open_tun later, so
+      * tt->actual_name might not yet be initialized, but routing code
+      * needs to know interface name - point to "actual", restore later
+      */
+      saved_actual = tt->actual_name;
+      tt->actual_name = (char*) actual;
+      add_route_connected_v6_net(tt, es);
+      tt->actual_name = saved_actual;
#else
      msg (M_FATAL, "Sorry, but I don't know how to do 'ifconfig' commands on this operating system.  You should ifconfig your TUN/TAP device manually or use an --up script.");
#endif
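Review bot: In the new WIN32 branch, `char * saved_actual;` is declared after executable statements in the same block (`argv_init`, `msg`, the two `print_in6_addr` assignments), which a C89 compiler rejects; the removed code had it at the top of its own `if ( do_ipv6 )` block. Wrap the WIN32 branch in braces or move the declaration to the top of the new block. Separately, the relocated `msg( M_INFO, "do_ifconfig, tt->ipv6=%d, ..."` now sits inside `if (tt->ipv6 && tt->did_ifconfig_ipv6_setup)`, so it can only ever log both values as true; drop it or move it above the condition.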
<at> <at> -4932,7 +4931,7 <at> <at> open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tu

  if (tt->type == DEV_TYPE_TUN)
    {
-      if (!tt->did_ifconfig_setup)
+      if (!(tt->did_ifconfig_setup || tt->did_ifconfig_ipv6_setup))
    {
      msg (M_FATAL, "ERROR: --dev tun also requires --ifconfig");
    }
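Review bot: The condition now accepts --ifconfig-ipv6 on its own, but the M_FATAL text in the unchanged line below still reads "--dev tun also requires --ifconfig". Update the message to mention --ifconfig-ipv6 so that a user who hits it knows either option satisfies the check.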
--
2.0.2




------------------------------

Message: 4
Date: Fri, 08 Aug 2014 10:10:42 +0300
From: Samuli Seppänen <samuli <at> openvpn.net>
Subject: [Openvpn-devel] Impact of latest OpenSSL vulnerabilities to
    OpenVPN
To: "openvpn-devel <at> lists.sourceforge.net"
    <openvpn-devel <at> lists.sourceforge.net>,
    "openvpn-users <at> lists.sourceforge.net"
    <openvpn-users <at> lists.sourceforge.net>,
    "openvpn-announce <at> lists.sourceforge.net"
    <openvpn-announce <at> lists.sourceforge.net>
Message-ID: <53E477F2.8080003 <at> openvpn.net>
Content-Type: text/plain; charset=iso-8859-15



Hi all,

Information on how the latest OpenSSL vulnerabilities affect OpenVPN is
available here:

<https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenSSL1.0.1i>

Yesterday's Windows installer releases bundle OpenSSL 1.0.0i, which is
immune to the two issues which may[1] affect OpenVPN. Updated installers
are available here:

<http://openvpn.net/index.php/download/community-downloads.html>

Best regards,

- --
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


[1] Depending on its configuration




------------------------------

Message: 5
Date: Fri, 08 Aug 2014 11:11:23 +0300
From: Samuli Seppänen <samuli <at> openvpn.net>
Subject: Re: [Openvpn-devel] Impact of latest OpenSSL vulnerabilities
    to    OpenVPN
To: "openvpn-devel <at> lists.sourceforge.net"
    <openvpn-devel <at> lists.sourceforge.net>,
    "openvpn-users <at> lists.sourceforge.net"
    <openvpn-users <at> lists.sourceforge.net>,
    "openvpn-announce <at> lists.sourceforge.net"
    <openvpn-announce <at> lists.sourceforge.net>
Message-ID: <53E4862B.1080709 <at> openvpn.net>
Content-Type: text/plain; charset=iso-8859-15





> Hi all,
>
> Information on how the latest OpenSSL vulnerabilities affect OpenVPN is
> available here:
>
>
<https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenSSL1.0.1i>
>
> Yesterday's Windows installer releases bundle OpenSSL 1.0.0i, which is
> immune to the two issues which may[1] affect OpenVPN. Updated installers
> are available here:
>
Responding to myself before somebody else corrects me. The Windows
installers bundle 1.0.1i (not 1.0.0i).

Sorry for the noise.
- --
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




------------------------------



End of Openvpn-devel Digest, Vol 99, Issue 3
********************************************


Samuli Seppänen | 8 Aug 09:10 2014

Impact of latest OpenSSL vulnerabilities to OpenVPN



Hi all,

Information on how the latest OpenSSL vulnerabilities affect OpenVPN is
available here:

<https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenSSL1.0.1i>

Yesterday's Windows installer releases bundle OpenSSL 1.0.0i, which is
immune to the two issues which may[1] affect OpenVPN. Updated installers
are available here:

<http://openvpn.net/index.php/download/community-downloads.html>

Best regards,

- -- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

[1] Depending on its configuration

Gavin Shrubbery | 8 Aug 01:10 2014

[PATCH] Tease apart ipv6 and ipv4 ifconfig code.

This change makes it possible to configure an IPv6 address on a
tunnel without also having an IPv4 address.

Signed-off-by: Gavin Shrubbery <gavin.shrubbery <at> gmail.com>
---
 src/openvpn/tun.c | 367 +++++++++++++++++++++++++++---------------------------
 1 file changed, 183 insertions(+), 184 deletions(-)

diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index ba4b15e..d1a8a03 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
 <at>  <at>  -634,16 +634,10  <at>  <at>  do_ifconfig (struct tuntap *tt,
       const char *ifconfig_local = NULL;
       const char *ifconfig_remote_netmask = NULL;
       const char *ifconfig_broadcast = NULL;
-      const char *ifconfig_ipv6_local = NULL;
-      const char *ifconfig_ipv6_remote = NULL;
-      bool do_ipv6 = false;
       struct argv argv;

       argv_init (&argv);

-      msg( M_INFO, "do_ifconfig, tt->ipv6=%d, tt->did_ifconfig_ipv6_setup=%d",
-	           tt->ipv6, tt->did_ifconfig_ipv6_setup );
-
       /*
        * We only handle TUN/TAP devices here, not --dev null devices.
        */
 <at>  <at>  -655,13 +649,6  <at>  <at>  do_ifconfig (struct tuntap *tt,
       ifconfig_local = print_in_addr_t (tt->local, 0, &gc);
       ifconfig_remote_netmask = print_in_addr_t (tt->remote_netmask, 0, &gc);

-      if ( tt->ipv6 && tt->did_ifconfig_ipv6_setup )
-        {
-	  ifconfig_ipv6_local = print_in6_addr (tt->local_ipv6, 0, &gc);
-	  ifconfig_ipv6_remote = print_in6_addr (tt->remote_ipv6, 0, &gc);
-	  do_ipv6 = true;
-	}
-
       /*
        * If TAP-style device, generate broadcast address.
        */
 <at>  <at>  -679,7 +666,6  <at>  <at>  do_ifconfig (struct tuntap *tt,
     }
 #endif

-
 #if defined(TARGET_LINUX)
 #ifdef ENABLE_IPROUTE
 	/*
 <at>  <at>  -720,19 +706,6  <at>  <at>  do_ifconfig (struct tuntap *tt,
 		  argv_msg (M_INFO, &argv);
 		  openvpn_execve_check (&argv, es, S_FATAL, "Linux ip addr add failed");
 	}
-      if ( do_ipv6 )
-	{
-	  argv_printf( &argv,
-		      "%s -6 addr add %s/%d dev %s",
-		      iproute_path,
-		      ifconfig_ipv6_local,
-		      tt->netbits_ipv6,
-		      actual
-		      );
-	  argv_msg (M_INFO, &argv);
-	  openvpn_execve_check (&argv, es, S_FATAL, "Linux ip -6 addr add failed");
-	}
-      tt->did_ifconfig = true;
 #else
       if (tun)
 	argv_printf (&argv,
 <at>  <at>  -755,21 +728,8  <at>  <at>  do_ifconfig (struct tuntap *tt,
 			  );
       argv_msg (M_INFO, &argv);
       openvpn_execve_check (&argv, es, S_FATAL, "Linux ifconfig failed");
-      if ( do_ipv6 )
-	{
-	  argv_printf (&argv,
-			  "%s %s add %s/%d",
-			  IFCONFIG_PATH,
-			  actual,
-			  ifconfig_ipv6_local,
-			  tt->netbits_ipv6
-			  );
-	  argv_msg (M_INFO, &argv);
-	  openvpn_execve_check (&argv, es, S_FATAL, "Linux ifconfig inet6 failed");
-	}
-      tt->did_ifconfig = true;
-
 #endif /*ENABLE_IPROUTE*/
+      tt->did_ifconfig = true;
 #elif defined(TARGET_SOLARIS)

       /* Solaris 2.6 (and 7?) cannot set all parameters in one go...
 <at>  <at>  -824,52 +784,6  <at>  <at>  do_ifconfig (struct tuntap *tt,
       if (!openvpn_execve_check (&argv, es, 0, "Solaris ifconfig phase-2 failed"))
 	solaris_error_close (tt, es, actual, false);

-      if ( do_ipv6 )
-        {
- 	  argv_printf (&argv, "%s %s inet6 unplumb",
-			    IFCONFIG_PATH, actual );
-	  argv_msg (M_INFO, &argv);
-	  openvpn_execve_check (&argv, es, 0, NULL);
-
-	  if ( tt->type == DEV_TYPE_TUN )
-	   {
-	      argv_printf (&argv,
-			    "%s %s inet6 plumb %s/%d %s up",
-			    IFCONFIG_PATH,
-			    actual,
-			    ifconfig_ipv6_local,
-			    tt->netbits_ipv6,
-			    ifconfig_ipv6_remote
-			    );
-	    }
-	  else						/* tap mode */
-	    {
-	      /* base IPv6 tap interface needs to be brought up first
-	       */
-	      argv_printf (&argv, "%s %s inet6 plumb up",
-			    IFCONFIG_PATH, actual );
-	      argv_msg (M_INFO, &argv);
-	      if (!openvpn_execve_check (&argv, es, 0, "Solaris ifconfig IPv6 (prepare) failed"))
-		solaris_error_close (tt, es, actual, true);
-
-	      /* we might need to do "ifconfig %s inet6 auto-dhcp drop"
-	       * after the system has noticed the interface and fired up
-	       * the DHCPv6 client - but this takes quite a while, and the 
-	       * server will ignore the DHCPv6 packets anyway.  So we don't.
-	       */
-
-	      /* static IPv6 addresses need to go to a subinterface (tap0:1)
-	       */
-	      argv_printf (&argv,
-			    "%s %s inet6 addif %s/%d up",
-			    IFCONFIG_PATH, actual,
-			    ifconfig_ipv6_local, tt->netbits_ipv6 );
-	    }
-	  argv_msg (M_INFO, &argv);
-	  if (!openvpn_execve_check (&argv, es, 0, "Solaris ifconfig IPv6 failed"))
-	    solaris_error_close (tt, es, actual, true);
-        }
-
       if (!tun && tt->topology == TOP_SUBNET)
 	{
 	  /* Add a network route for the local tun interface */
 <at>  <at>  -928,32 +842,9  <at>  <at>  do_ifconfig (struct tuntap *tt,
 			  );
       argv_msg (M_INFO, &argv);
       openvpn_execve_check (&argv, es, S_FATAL, "OpenBSD ifconfig failed");
-      if ( do_ipv6 )
-	{
-	  argv_printf (&argv,
-			  "%s %s inet6 %s/%d",
-			  IFCONFIG_PATH,
-			  actual,
-			  ifconfig_ipv6_local,
-			  tt->netbits_ipv6
-			  );
-	  argv_msg (M_INFO, &argv);
-	  openvpn_execve_check (&argv, es, S_FATAL, "OpenBSD ifconfig inet6 failed");

-	  /* and, hooray, we explicitely need to add a route... */
-	  add_route_connected_v6_net(tt, es);
-	}
       tt->did_ifconfig = true;
-
 #elif defined(TARGET_NETBSD)
-
-/* whether or not NetBSD can do IPv6 can be seen by the availability of
- * the TUNSIFHEAD ioctl() - see next TARGET_NETBSD block for more details
- */
-#ifdef TUNSIFHEAD
-# define NETBSD_MULTI_AF
-#endif
-
       if (tun)
 	argv_printf (&argv,
 			  "%s %s %s %s mtu %d netmask 255.255.255.255 up",
 <at>  <at>  -994,26 +885,6  <at>  <at>  do_ifconfig (struct tuntap *tt,
       argv_msg (M_INFO, &argv);
       openvpn_execve_check (&argv, es, S_FATAL, "NetBSD ifconfig failed");

-      if ( do_ipv6 )
-	{
-#ifdef NETBSD_MULTI_AF
-	  argv_printf (&argv,
-			  "%s %s inet6 %s/%d",
-			  IFCONFIG_PATH,
-			  actual,
-			  ifconfig_ipv6_local,
-			  tt->netbits_ipv6
-			  );
-	  argv_msg (M_INFO, &argv);
-	  openvpn_execve_check (&argv, es, S_FATAL, "NetBSD ifconfig inet6 failed");
-
-	  /* and, hooray, we explicitely need to add a route... */
-	  add_route_connected_v6_net(tt, es);
-#else
-	  msg( M_INFO, "no IPv6 support for tun interfaces on NetBSD before 4.0 (if your system is newer, recompile
openvpn)" );
-	  tt->ipv6 = false;
-#endif
-	}
       tt->did_ifconfig = true;

 #elif defined(TARGET_DARWIN)
 <at>  <at>  -1079,22 +950,6  <at>  <at>  do_ifconfig (struct tuntap *tt,
 	  add_route (&r, tt, 0, NULL, es);
 	}

-      if ( do_ipv6 )
-	{
-          argv_printf (&argv,
-                              "%s %s inet6 %s/%d",
-                              IFCONFIG_PATH,
-                              actual,
-                              ifconfig_ipv6_local,
-                              tt->netbits_ipv6
-                              );
-	  argv_msg (M_INFO, &argv);
-	  openvpn_execve_check (&argv, es, S_FATAL, "MacOS X ifconfig inet6 failed");
-
-	  /* and, hooray, we explicitely need to add a route... */
-	  add_route_connected_v6_net(tt, es);
-	}
-
 #elif defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)

       /* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */
 <at>  <at>  -1145,19 +1000,6  <at>  <at>  do_ifconfig (struct tuntap *tt,
           add_route (&r, tt, 0, NULL, es);
         }

-      if ( do_ipv6 )
-	{
-          argv_printf (&argv,
-                              "%s %s inet6 %s/%d",
-                              IFCONFIG_PATH,
-                              actual,
-                              ifconfig_ipv6_local,
-                              tt->netbits_ipv6
-                              );
-	  argv_msg (M_INFO, &argv);
-	  openvpn_execve_check (&argv, es, S_FATAL, "FreeBSD ifconfig inet6 failed");
-	}
-
 #elif defined (WIN32)
       {
 	/*
 <at>  <at>  -1196,35 +1038,192  <at>  <at>  do_ifconfig (struct tuntap *tt,
 	  }
 	tt->did_ifconfig = true;
       }
+#else
+      msg (M_FATAL, "Sorry, but I don't know how to do 'ifconfig' commands on this operating system.  You should
ifconfig your TUN/TAP device manually or use an --up script.");
+#endif
+      argv_reset (&argv);
+  }

-    /* IPv6 always uses "netsh" interface */
-    if ( do_ipv6 )
-      {
-	char * saved_actual;
+  if (tt->ipv6 && tt->did_ifconfig_ipv6_setup)
+    {
+      const char *ifconfig_ipv6_local = NULL;
+      const char *ifconfig_ipv6_remote = NULL;

-	if (!strcmp (actual, "NULL"))
-	  msg (M_FATAL, "Error: When using --tun-ipv6, if you have more than one TAP-Windows adapter, you must
also specify --dev-node");
+      struct argv argv;

-	/* example: netsh interface ipv6 set address MyTap 2001:608:8003::d store=active */
-	argv_printf (&argv,
-		    "%s%sc interface ipv6 set address %s %s store=active",
-		     get_win_sys_path(),
-		     NETSH_PATH_SUFFIX,
-		     actual,
-		     ifconfig_ipv6_local );
+      argv_init (&argv);

-	netsh_command (&argv, 4);
+      msg( M_INFO, "do_ifconfig, tt->ipv6=%d, tt->did_ifconfig_ipv6_setup=%d",
+	           tt->ipv6, tt->did_ifconfig_ipv6_setup );

-	/* explicit route needed */
-	/* on windows, OpenVPN does ifconfig first, open_tun later, so
-	 * tt->actual_name might not yet be initialized, but routing code
-	 * needs to know interface name - point to "actual", restore later
-	 */
-	saved_actual = tt->actual_name;
-	tt->actual_name = (char*) actual;
-	add_route_connected_v6_net(tt, es);
-	tt->actual_name = saved_actual;
-      }
+      ifconfig_ipv6_local = print_in6_addr (tt->local_ipv6, 0, &gc);
+      ifconfig_ipv6_remote = print_in6_addr (tt->remote_ipv6, 0, &gc);
+
+#if defined(TARGET_LINUX)
+#ifdef ENABLE_IPROUTE
+      argv_printf (&argv,
+		  "%s -6 addr add %s/%d dev %s",
+		  iproute_path,
+		  ifconfig_ipv6_local,
+		  tt->netbits_ipv6,
+		  actual
+		  );
+      argv_msg (M_INFO, &argv);
+      openvpn_execve_check (&argv, es, S_FATAL, "Linux ip -6 addr add failed");
+#else
+      argv_printf (&argv,
+		  "%s %s add %s/%d",
+		  IFCONFIG_PATH,
+		  actual,
+		  ifconfig_ipv6_local,
+		  tt->netbits_ipv6
+		  );
+      argv_msg (M_INFO, &argv);
+      openvpn_execve_check (&argv, es, S_FATAL, "Linux ifconfig inet6 failed");
+#endif /*ENABLE_IPROUTE*/
+#elif defined(TARGET_SOLARIS)
+
+      argv_printf (&argv, "%s %s inet6 unplumb",
+		  IFCONFIG_PATH, actual );
+      argv_msg (M_INFO, &argv);
+      openvpn_execve_check (&argv, es, 0, NULL);
+
+      if ( tt->type == DEV_TYPE_TUN )
+	{
+	  argv_printf (&argv,
+		      "%s %s inet6 plumb %s/%d %s up",
+		      IFCONFIG_PATH,
+		      actual,
+		      ifconfig_ipv6_local,
+		      tt->netbits_ipv6,
+		      ifconfig_ipv6_remote
+		      );
+	}
+      else						/* tap mode */
+	{
+	  /* base IPv6 tap interface needs to be brought up first
+	   */
+	  argv_printf (&argv, "%s %s inet6 plumb up",
+		      IFCONFIG_PATH, actual );
+	  argv_msg (M_INFO, &argv);
+	  if (!openvpn_execve_check (&argv, es, 0, "Solaris ifconfig IPv6 (prepare) failed"))
+	    solaris_error_close (tt, es, actual, true);
+
+	  /* we might need to do "ifconfig %s inet6 auto-dhcp drop"
+	   * after the system has noticed the interface and fired up
+	   * the DHCPv6 client - but this takes quite a while, and the 
+	   * server will ignore the DHCPv6 packets anyway.  So we don't.
+	   */
+
+	  /* static IPv6 addresses need to go to a subinterface (tap0:1)
+	   */
+	  argv_printf (&argv,
+		      "%s %s inet6 addif %s/%d up",
+		      IFCONFIG_PATH, actual,
+		      ifconfig_ipv6_local, tt->netbits_ipv6 );
+	}
+      argv_msg (M_INFO, &argv);
+      if (!openvpn_execve_check (&argv, es, 0, "Solaris ifconfig IPv6 failed"))
+	solaris_error_close (tt, es, actual, true);
+
+#elif defined(TARGET_OPENBSD)
+
+      argv_printf (&argv,
+		  "%s %s inet6 %s/%d",
+		  IFCONFIG_PATH,
+		  actual,
+		  ifconfig_ipv6_local,
+		  tt->netbits_ipv6
+		  );
+      argv_msg (M_INFO, &argv);
+      openvpn_execve_check (&argv, es, S_FATAL, "OpenBSD ifconfig inet6 failed");
+
+      /* and, hooray, we explicitely need to add a route... */
+      add_route_connected_v6_net(tt, es);
+
+#elif defined(TARGET_NETBSD)
+
+/* whether or not NetBSD can do IPv6 can be seen by the availability of
+ * the TUNSIFHEAD ioctl() - see next TARGET_NETBSD block for more details
+ */
+#ifdef TUNSIFHEAD
+# define NETBSD_MULTI_AF
+#endif
+
+#ifdef NETBSD_MULTI_AF
+      argv_printf (&argv,
+		  "%s %s inet6 %s/%d",
+		  IFCONFIG_PATH,
+		  actual,
+		  ifconfig_ipv6_local,
+		  tt->netbits_ipv6
+		  );
+      argv_msg (M_INFO, &argv);
+      openvpn_execve_check (&argv, es, S_FATAL, "NetBSD ifconfig inet6 failed");
+
+      /* and, hooray, we explicitely need to add a route... */
+      add_route_connected_v6_net(tt, es);
+#else
+      msg( M_INFO, "no IPv6 support for tun interfaces on NetBSD before 4.0 (if your system is newer, recompile
openvpn)" );
+      tt->ipv6 = false;
+#endif
+
+#elif defined(TARGET_DARWIN)
+      /*
+       * Darwin (i.e. Mac OS X) seems to exhibit similar behaviour to OpenBSD...
+       */
+      argv_printf (&argv,
+                  "%s %s inet6 %s/%d",
+                  IFCONFIG_PATH,
+                  actual,
+                  ifconfig_ipv6_local,
+                  tt->netbits_ipv6
+                  );
+      argv_msg (M_INFO, &argv);
+      openvpn_execve_check (&argv, es, S_FATAL, "MacOS X ifconfig inet6 failed");
+
+      /* and, hooray, we explicitely need to add a route... */
+      add_route_connected_v6_net(tt, es);
+
+
+#elif defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)
+
+      argv_printf (&argv,
+                  "%s %s inet6 %s/%d",
+                  IFCONFIG_PATH,
+                  actual,
+                  ifconfig_ipv6_local,
+                  tt->netbits_ipv6
+                  );
+      argv_msg (M_INFO, &argv);
+      openvpn_execve_check (&argv, es, S_FATAL, "FreeBSD ifconfig inet6 failed");
+
+#elif defined (WIN32)
+      /* IPv6 always uses "netsh" interface */
+      char * saved_actual;
+
+      if (!strcmp (actual, "NULL"))
+        msg (M_FATAL, "Error: When using --tun-ipv6, if you have more than one TAP-Windows adapter, you must also
specify --dev-node");
+
+      /* example: netsh interface ipv6 set address MyTap 2001:608:8003::d store=active */
+      argv_printf (&argv,
+		  "%s%sc interface ipv6 set address %s %s store=active",
+		  get_win_sys_path(),
+		  NETSH_PATH_SUFFIX,
+		  actual,
+		  ifconfig_ipv6_local );
+
+      netsh_command (&argv, 4);
+
+      /* explicit route needed */
+      /* on windows, OpenVPN does ifconfig first, open_tun later, so
+       * tt->actual_name might not yet be initialized, but routing code
+       * needs to know interface name - point to "actual", restore later
+       */
+      saved_actual = tt->actual_name;
+      tt->actual_name = (char*) actual;
+      add_route_connected_v6_net(tt, es);
+      tt->actual_name = saved_actual;
 #else
       msg (M_FATAL, "Sorry, but I don't know how to do 'ifconfig' commands on this operating system.  You should
ifconfig your TUN/TAP device manually or use an --up script.");
 #endif
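
Review bot: In the new WIN32 branch, `char * saved_actual;` is declared after `argv_init (&argv);`, the `msg()` call and the two `print_in6_addr` assignments in the same block, which is a declaration after statements and is rejected by C89 compilers. The removed code had it as the first line of its own `{ ... }` block, so either wrap the WIN32 branch in braces again or hoist the declaration to the top of the `if (tt->ipv6 && tt->did_ifconfig_ipv6_setup)` block. Two smaller points on the same block: the relocated `msg( M_INFO, "do_ifconfig, tt->ipv6=%d, tt->did_ifconfig_ipv6_setup=%d", ...)` now sits inside that `if`, so both values it prints are always non-zero and it should be dropped or moved above the condition. Nothing in the new block sets `tt->did_ifconfig = true`, which the IPv4 branches still do; if the IPv4 section is skipped when only an IPv6 address is configured, the flag stays unset, so please confirm what reads it or set it here as well.
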
 <at>  <at>  -4932,7 +4931,7  <at>  <at>  open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tu

   if (tt->type == DEV_TYPE_TUN)
     {
-      if (!tt->did_ifconfig_setup)
+      if (!(tt->did_ifconfig_setup || tt->did_ifconfig_ipv6_setup))
 	{
 	  msg (M_FATAL, "ERROR: --dev tun also requires --ifconfig");
 	}
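
Review bot: The fatal message under the changed condition still reads "ERROR: --dev tun also requires --ifconfig", although the check now also passes when only `tt->did_ifconfig_ipv6_setup` is set; the text should name `--ifconfig-ipv6` as an accepted alternative so the error matches the test. The condition is also looser than the one that does the work: the new block in do_ifconfig runs only when `tt->ipv6 && tt->did_ifconfig_ipv6_setup`, so with `tt->ipv6` false and no IPv4 ifconfig this check passes and the tun device gets no address at all. Testing `tt->did_ifconfig_setup || (tt->ipv6 && tt->did_ifconfig_ipv6_setup)` here would keep the two in step.
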
--

-- 
2.0.2

Mike Tancsa | 7 Aug 23:11 2014

new OpenSSL Security Advisories

Has anyone had a chance to evaluate the latest security issues and how 
they might impact OpenVPN ?

https://www.openssl.org/news/secadv_20140806.txt

--

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike <at> sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
