Tony | 8 Sep 2006 17:49

MULTICAST: cannot join a group across the OpenVPN connection. Why?

I have a BRIDGEd configuration on my main LAN. The server pushes the  
"redirect gateway" option to the client. (Both server and client are  
winXP-SP2 boxes with firewall OFF)

On the main LAN there is a box MULTICASTing to the 239.255.20.1:50001  
group.
Any box on the LAN is able to join that group and properly receive the  
streamed data. If my client is physically connected to the LAN - it too is  
able to receive that stream.
But if my client is connected via OpenVPN - no data gets in.
At the same time all other IP and Ethernet connectivity works as expected -  
HTTP[S], POP3|SMTP and NetBEUI - everything I use for my everyday work - operates  
as it should.

What may be the cause of this misfeature?

Tony.

wsgtr wsgtr | 9 Sep 2006 05:05

if openvpn

I am using OpenVPN 2.0.7 with auth-user-pass-verify to authenticate user logins,
but I have a problem:
 
when the OpenVPN server uses auth-user-pass-verify, I cannot prevent the same user name from being logged in twice at the same time.
 
My auth plugin source is below:
 

/* The feature-test macro must precede every system include to have any
 * effect; 700 (XPG7) is needed for strdup() to be declared.  crypt() is
 * declared by <crypt.h>. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <crypt.h>
#include <sys/types.h>
#include <sys/stat.h>

#include "openvpn-plugin.h"

#define MAX_USER_LEN    15
#define MAX_PASS_LEN    47
#define MAX_USERS       100

struct user
{
    char name[MAX_USER_LEN + 1];
    char pass[MAX_PASS_LEN + 1];
    int  online;
};

/*
 * Our context, where we keep our state.
 */
struct plugin_context
{
    const char *file_path;
    time_t mtime;
    int num_users;
    struct user users[MAX_USERS];
    int fs;
};


/**
 * 检验客户端输入的用户名和密码是否正确
 *
 * <at> return 非 0 正确;0 错误
 */
static int valid_login(struct plugin_context *ct,const char *user,const char *pass)
{
    int i;
    FILE *fp;
    struct user *users = ct->users;

    if ( user == NULL || pass == NULL )
    {
        return 0;
    }

    for (i=0; i < ct->num_users; i++)
    {
        if ( strcmp(user,users[i].name) == 0 ) // && ( users[i].online == 0))
        {
            //char *result = crypt(pass,users[i].pass);
            //return (strcmp(result,users[i].pass) == 0);
            //users[i].online =1;
            fp = fopen("/home/wsgtrsys/openvpn/log/login","a"); 
           
            if (ct->fs == 0)
             {
              fclose(fp);
              fp = fopen("/home/wsgtrsys/openvpn/log/login","w");
              ct->fs = 1;
             }
            fprintf(fp,user name is:%s\n,user);
            fclose(fp);
           
            return 1;
        }
    }

    return 0;
}


/*
 * Given an environmental variable name, search
 * the envp array for its value, returning it
 * if found or NULL otherwise.
 */
/*
 * Look up NAME among the NAME=VALUE strings of ENVP and return a pointer
 * to the VALUE part (which may be empty).  Returns NULL when ENVP is
 * NULL or contains no entry for NAME.
 */
static const char *
get_env (const char *name, const char *envp[])
{
    size_t len;
    const char **entry;

    if (envp == NULL)
        return NULL;

    len = strlen (name);
    for (entry = envp; *entry != NULL; ++entry)
    {
        /* Prefix must match and be followed by '=', so "user" does not
         * pick up "username=...". */
        if (strncmp (*entry, name, len) == 0 && (*entry)[len] == '=')
            return *entry + len + 1;
    }

    return NULL;
}


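/**
 * (Re)load the credential table from ct->file_path when the file has
 * changed since the previous load.
 *
 * File format: one `name:hash` entry per line.  Lines without ':', with
 * an empty name, or with a name/hash longer than MAX_USER_LEN /
 * MAX_PASS_LEN are skipped with a message on stderr.  Lines longer than
 * the read buffer are truncated as a whole rather than having their tail
 * parsed as a separate entry.  At most MAX_USERS entries are kept.
 *
 * @return number of entries loaded, 0 when the file is unchanged,
 *         -1 on a bad argument or a stat()/fopen() failure (the
 *         previously loaded table is left untouched)
 */
static int read_users(struct plugin_context *ct)
{
    int num = 0;
    FILE *fp;
    struct stat st;
    char buf[256];

    if (ct == NULL || ct->file_path == NULL)
    {
        fprintf(stderr,"Arg check failed\n");
        return -1;
    }

    if ( stat(ct->file_path,&st) < 0 )
    {
        perror("stat");
        return -1;
    }

    /* Unchanged since the last load: keep the current table. */
    if ( st.st_mtime <= ct->mtime )
    {
        return 0;
    }
    /* NOTE(review): the hashes in this file are the only secret the
     * plugin has; it should not be group/world readable (st.st_mode). */

    fp = fopen(ct->file_path,"r");
    if (fp == NULL)
    {
        perror("fopen");
        return -1;
    }

    while ( num < MAX_USERS && fgets(buf,sizeof(buf),fp) )
    {
        char *hash;
        size_t len = strlen(buf);

        /* Over-long line: discard its remainder so the tail is not
         * mistaken for a new entry on the next iteration. */
        if (len > 0 && buf[len - 1] != '\n')
        {
            int c;
            while ((c = fgetc(fp)) != EOF && c != '\n')
                ;
        }
        /* Strip the line terminator (LF or CRLF) before length checks,
         * so a maximum-length hash is not rejected because of its '\n'. */
        buf[strcspn(buf, "\r\n")] = '\0';

        hash = strchr(buf,':');
        if (hash == NULL)
            continue;
        *hash++ = '\0';

        if ( buf[0] == '\0' )
        {
            fprintf(stderr,"Empty user name skipped\n");
            continue;
        }
        if ( strlen(buf) > MAX_USER_LEN )
        {
            fprintf(stderr,"Too long user: %s\n",buf);
            continue;
        }
        if ( strlen(hash) > MAX_PASS_LEN )
        {
            /* Report the user, not the hash, so secrets never reach stderr. */
            fprintf(stderr,"Too long pass for user: %s\n",buf);
            continue;
        }

        strcpy(ct->users[num].name,buf);
        strcpy(ct->users[num].pass,hash);
        ct->users[num].online = 0;
        num++;
    }
    fclose(fp);

    ct->mtime = st.st_mtime;
    ct->num_users = num;

    return num;
}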


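/*
 * Plugin entry point: allocate the context, load the credential file
 * named by argv[1] and announce that only the AUTH_USER_PASS_VERIFY
 * callback is wanted.
 *
 * @param type_mask  set to the mask of plugin callbacks we handle
 * @param argv       argv[0] is the plugin path, argv[1] the user file
 * @param envp       unused here
 * @return the context as an opaque handle, or NULL on any failure
 *         (missing argument, out of memory, unreadable user file)
 */
OPENVPN_EXPORT openvpn_plugin_handle_t
openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[])
{
    struct plugin_context *context;

    (void) envp;

    if ( argv == NULL || argv[0] == NULL || argv[1] == NULL )
    {
        fprintf(stderr,"Need u/p file argument\n");
        return NULL;
    }

    /* calloc() already zero-fills; check the result instead of
     * memset()ing a possibly NULL pointer. */
    context = calloc (1, sizeof *context);
    if (context == NULL)
    {
        fprintf(stderr,"Out of memory\n");
        return NULL;
    }

    /* Take our own copy of the path first, so the context never points
     * into OpenVPN's argv and a failed strdup() is caught before
     * read_users()/stat() would dereference it. */
    context->file_path = strdup(argv[1]);
    if (context->file_path == NULL)
    {
        fprintf(stderr,"Out of memory\n");
        free(context);
        return NULL;
    }

    if ( read_users(context) < 0 )
    {
        fprintf(stderr,"Get users failed\n");
        free((void*)context->file_path);
        free(context);
        return NULL;
    }

    /*
     * We are only interested in intercepting the
     * --auth-user-pass-verify callback.
     */
    *type_mask = OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY);

    return (openvpn_plugin_handle_t) context;
}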


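/*
 * AUTH_USER_PASS_VERIFY callback.  Reads "username" and "password" from
 * envp, refreshes the credential table if the file changed, and accepts
 * or rejects the login.
 *
 * @return OPENVPN_PLUGIN_FUNC_SUCCESS when valid_login() accepts the
 *         pair, OPENVPN_PLUGIN_FUNC_ERROR otherwise -- including when the
 *         credential file could not be re-read, so a removed or
 *         unreadable file does not leave stale credentials in force
 */
OPENVPN_EXPORT int
openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[])
{
    struct plugin_context *context = (struct plugin_context *) handle;
    const char *username;
    const char *password;

    (void) type;   /* only AUTH_USER_PASS_VERIFY is requested in the mask */
    (void) argv;

    if (context == NULL)
        return OPENVPN_PLUGIN_FUNC_ERROR;

    /* get username/password from envp string array */
    username = get_env ("username", envp);
    password = get_env ("password", envp);

    /* Fail closed: if the user file went away or became unreadable,
     * deny rather than keep authenticating against the old table. */
    if (read_users(context) < 0)
        return OPENVPN_PLUGIN_FUNC_ERROR;

    return valid_login(context, username, password)
        ? OPENVPN_PLUGIN_FUNC_SUCCESS
        : OPENVPN_PLUGIN_FUNC_ERROR;
}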


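/*
 * Release the context created by openvpn_plugin_open_v1().  Tolerates a
 * NULL handle so it is safe to call after a failed open.
 */
OPENVPN_EXPORT void
openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle)
{
    struct plugin_context *context = (struct plugin_context *) handle;

    if (context == NULL)
        return;

    /* file_path is our strdup()ed copy, so it is ours to free. */
    free((void*)context->file_path);
    free (context);
}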


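#ifdef TEST
/*
 * Stand-alone harness: `./a.out <userfile>` with username= and password=
 * set in the environment.  Prints "OK" when the login is accepted.
 * Exit status: 0 normally, EXIT_FAILURE on usage error or when the plugin
 * fails to open.
 */
int main(int argc,const char **argv,const char **envp)
{
    unsigned int type = 0;
    openvpn_plugin_handle_t h;

    /* Without this check &argv[1] would hand the plugin an argv whose
     * [0] is already the NULL terminator. */
    if (argc < 2)
    {
        fprintf(stderr,"usage: %s <userfile>\n",argv[0]);
        return EXIT_FAILURE;
    }

    /* argv+1 so the user file is argv[1] from the plugin's point of
     * view, as OpenVPN passes it. */
    h = openvpn_plugin_open_v1(&type,&argv[1],envp);
    if (h == NULL)
    {
        fprintf(stderr,"openvpn_plugin_open_v1\n");
        return EXIT_FAILURE;
    }

    /* Pass the callback type as OpenVPN would, not the mask returned
     * by open_v1 (which is a bit set, not a type number). */
    if ( openvpn_plugin_func_v1(h,OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY,NULL,envp) == OPENVPN_PLUGIN_FUNC_SUCCESS )
    {
        puts("OK");
    }

    openvpn_plugin_close_v1(h);
    return 0;
}
#endif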

Tony | 10 Sep 2006 01:00

Re: MULTICAST: cannot join a group across the OpenVPN connection. Why?

Does this silence (no replies or comments) mean that it is my own mistake  
in configuring OpenVPN, and that multicasting across the OpenVPN link  
works for everybody else?

Tony.

Roy Marples | 10 Sep 2006 03:31

Re: MULTICAST: cannot join a group across the OpenVPN connection. Why?

On Sunday 10 September 2006 00:00, Tony wrote:
> Does this silence (no replyes or comments) mean that it is my own mistake
> in configuring the OpenVPN and that MULTICASTing across the OpenVPN link
> works for everybody?

Or that most people here have nfc what multicasting is. I understand routing 
concepts, but that's it.

Thanks

BTW - this is a fairly quiet list - you can get replies to mails you sent 
months ago ;)

--

-- 
Roy Marples <uberlord <at> gentoo.org>
Gentoo/Linux Developer (baselayout, networking)

Tony | 10 Sep 2006 17:18

Re: MULTICAST: cannot join a group across the OpenVPN connection. Why?

On Sun, 10 Sep 2006 05:31:50 +0400, Roy Marples <uberlord <at> gentoo.org>  
wrote:

> Or that most people here have nfc what multicasting is.
MULTICASTing vs BROADCASTing is (in short):
You broadcast to the "all ones" IP address of a segment, i.e. for  
192.168.1.0/24 it is 192.168.1.255,
while multicasts go to a group address in a special reserved range; in my  
example this is 239.255.20.1.

The advantage of MULTICAST is that if no one on a given segment needs|wants  
your data - the data never enters that segment. When some host decides  
it needs that data it "joins" a multicast group, i.e. informs its closest  
router that it needs the multicast data passed into its segment. When the last  
host on a segment decides to "leave a group" - the closest router again  
stops routing the multicast data into that segment.
With broadcasts it is not possible (for the receiving side) to control the  
presence of the data - receive it or not - the sender will flood all of  
your LAN with its data.
Besides, in IPv6 there will be no concept of BROADCAST any more, only  
MULTICAST should be used instead.

Tony.

Matthias Andree | 10 Sep 2006 21:05

Re: MULTICAST: cannot join a group across the OpenVPN connection. Why?

On Sun, 10 Sep 2006, Tony wrote:

> Does this silence (no replyes or comments) mean that it is my own mistake  
> in configuring the OpenVPN and that MULTICASTing across the OpenVPN link  
> works for everybody?

Never bothered to try -- and your question doesn't belong on the -devel
list either, perhaps that's why nobody cares.

--

-- 
Matthias Andree

Tony | 10 Sep 2006 22:19

Re: MULTICAST: cannot join a group across the OpenVPN connection. Why?

On Sun, 10 Sep 2006 23:05:18 +0400, Matthias Andree  
<ma+ovpnd <at> dt.e-technik.uni-dortmund.de> wrote:

> Never bothered to try -- and your question doesn't belong on the -devel  
> list either, perhaps that's why nobody cares.
Actually, there are quite a lot of issues with TAP-Win32 adapter. All are,  
I believe, because it was not designed to handle broadcasts and multicasts  
properly.
That's why I posted my question here.

Tony.

Sammy Yu | 11 Sep 2006 18:11

TAP driver

Hi guys,
   I am working on a research project that needs some pieces to be implemented on the Windows platform.  It involves developing a virtual Ethernet interface that would redirect traffic to other physical interfaces.  I saw some of the tap-win32 sources in OpenVPN which do similar things.  My questions are:
1) Is it possible to modify that driver to redirect to multiple physical interfaces?
2) Does the driver itself modify the headers of the packet?
3) Are there documentation or books available that can help me better understand the architecture?

Thanks for your help.

Best Regards,
Sammy

James Yonan | 12 Sep 2006 10:17

OpenVPN 2.0.8 and 2.1_beta15 released

2006.09.12 -- Version 2.0.8

* Windows installer updated with OpenSSL 0.9.7k DLLs to fix
  RSA Signature Forgery (CVE-2006-4339).

* No changes to OpenVPN source code between 2.0.7 and 2.0.8.

2006.09.12 -- Version 2.1-beta15

* Windows installer updated with OpenSSL 0.9.7k DLLs to fix
  RSA Signature Forgery (CVE-2006-4339).

* Fixed a bug introduced with the --port-share directive
  (back in 2.1-beta9) which caused TLS soft resets
  (1 per hour by default) in TCP server mode to force
  a blockage of tunnel packets and later time out and
  restart the connection.

* pkcs11 changes:
  1. Modified ssl.c to not FATAL and return to init.c
     so auth-retry will work.
  2. Modified pkcs11-helper.c to fix some problems with
     multiple providers.
  3. Updated makefile.w32-vc to include lladdr.*, updated
     linkage libraries.
  4. Modified lladdr.c to be compiled under visual C.
  5. Added retry counter to PKCS#11 PIN hook.
  6. Modified PKCS#11 PIN retry loop to return correct error
     code when PIN is incorrect.
  7. Fix handling (ignoring) zero sized attributes.
  8. Fix gcc-2 issues.
  9. Fix openssl 0.9.6 (first version) issues.
  10. easy-rsa Makefile (install) is now available so that
      distribs will be able to install it safely.

* Added two new management states:
   OPENVPN_STATE_RESOLVE      -- DNS lookup
   OPENVPN_STATE_TCP_CONNECT  -- Connecting to TCP server

* Echo management state change to log.

* Minor syshead.h change for NetBSD to allow
  TCP_NODELAY flag to work.

* Modified --port-share code to remove the assumption that
  CMSG_SPACE always evaluates to a constant, to enable
  compilation on NetBSD and possibly other BSDs as well.

* Eliminated gcc 3.3.3 warnings on NetBSD
  when ./configure --enable-strict is used.

* Added optional minimum-number-of-bytes parameter
  to --inactive directive.

James

Farkas Levente | 12 Sep 2006 10:47

Re: OpenVPN 2.0.8 and 2.1_beta15 released

James Yonan wrote:
> 2006.09.12 -- Version 2.0.8
> 
> * Windows installer updated with OpenSSL 0.9.7k DLLs to fix
>   RSA Signature Forgery (CVE-2006-4339).
> 
> * No changes to OpenVPN source code between 2.0.7 and 2.0.8.
> 
> 2006.09.12 -- Version 2.1-beta15

hi,
is there any estimate/schedule/roadmap for 2.1 final?
yours.

--

-- 
  Levente                               "Si vis pacem para bellum!"

