yegle | 4 Dec 2010 16:41

Re: Turning --enable-password-save on by default on Windows builds?

Any conclusion to this problem? Is it enabled by default now in the openvpn-2.2 beta build? Thx :-)

On Sat, Aug 28, 2010 at 5:38 PM, Jason Haar <Jason.Haar <at> trimble.co.nz> wrote:
 On 08/28/2010 06:02 AM, Morten Christensen wrote:
> In my world there is a big difference between when some criminal runs a
> keylogger on a PC and the risk that the employee's children by mistake
> get into our company server, if they are home early from school on a
> rainy day.
>
In my world I don't see the point in forcing a false sense of security
in open source software. There is *nothing* to stop any valid user
getting their hands on the openvpn source code (or a different binary
build) and bypassing such a check - so why make the *default* position
so fake?

If you really want to ensure your users cannot store a password locally,
then you shouldn't use openvpn. Or firefox. Or MSIE. Or anything else
that allows users to store passwords. Or move to SecurID - that would
make this argument moot of course.

If you want to limit the opportunity of work machines being used by
employees' children then you should look at:

1. only allow work-supplied computers to access work via openvpn/whatever
2. policy saying employees aren't allowed to share their account details
or computers with anyone
3. SCREENSAVER POLICIES!!!!! If the screen is locked, how did the child
get on? (see 2.)
4. what was an employee's computer doing at home when they weren't and
their child was? Shouldn't it be at work with them? ;-)

i.e. standard corporate security measures manage this


--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


------------------------------------------------------------------------------
Sell apps to millions through the Intel(R) Atom(Tm) Developer Program
Be part of this innovative community and reach millions of netbook users
worldwide. Take advantage of special opportunities to increase revenue and
speed time-to-market. Join now, and jumpstart your future.
http://p.sf.net/sfu/intel-atom-d2d
_______________________________________________
Openvpn-users mailing list
Openvpn-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

David Sommerseth | 4 Dec 2010 22:47

Re: Turning --enable-password-save on by default on Windows builds?


On 04/12/10 16:41, yegle wrote:
| Any conclusion to this problem? Is it enabled by default now in the
| openvpn-2.2 beta build? Thx :-)

If you check the minutes from the OpenVPN Developers Meeting this last
Thursday, you'll see that we've decided to enable password-save feature by
default on Windows, starting with the 2.2-RC release.  That release is
scheduled to go out in about 2 weeks.

<http://sourceforge.net/mailarchive/forum.php?thread_name=4CF8E76C.2000107%40openvpn.net&forum_name=openvpn-devel>

kind regards,

David Sommerseth


Morten Christensen | 5 Dec 2010 21:14

Re: Turning --enable-password-save on by default on Windows builds?

David Sommerseth skrev den 04-12-2010 22:47:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 04/12/10 16:41, yegle wrote:
> | Any conclusion to this problem? Is it enabled by default now in the
> | openvpn-2.2 beta build? Thx :-)
>
> If you check the minutes from the OpenVPN Developers Meeting this last
> Thursday, you'll see that we've decided to enable password-save feature by
> default on Windows, starting with the 2.2-RC release.  That release is
> scheduled to go out in about 2 weeks.
>
> <http://sourceforge.net/mailarchive/forum.php?thread_name=4CF8E76C.2000107%40openvpn.net&forum_name=openvpn-devel>
>
>
> kind regards,
>
> David Sommerseth
>

Shit. That means the security model we chose OpenVPN for is gone, if users
can easily find a client that automatically logs every computer they fancy
into the company network at boot time.

(OpenVPN now being something to run on appliances, where the people on the
server end have full control of the hardware on the client end.)

Well, I have to see what the bosses say - I hope I won't have to spend my
Christmas holidays looking for VPN solutions :-(.

-- 
Morten Christensen


David Sommerseth | 5 Dec 2010 21:52

Re: Turning --enable-password-save on by default on Windows builds?


On 05/12/10 21:01, Morten Christensen wrote:
| David Sommerseth skrev den 04-12-2010 22:47:
|> -----BEGIN PGP SIGNED MESSAGE-----
|> Hash: SHA1
|>
|> On 04/12/10 16:41, yegle wrote:
|> | Any conclusion to this problem? Is it enabled by default now in the
|> | openvpn-2.2 beta build? Thx :-)
|>
|> If you check the minutes from the OpenVPN Developers Meeting this last
|> Thursday, you'll see that we've decided to enable password-save
|> feature by
|> default on Windows, starting with the 2.2-RC release. That release is
|> scheduled to go out in about 2 weeks.
|>
|> <http://sourceforge.net/mailarchive/forum.php?thread_name=4CF8E76C.2000107%40openvpn.net&forum_name=openvpn-devel>
|>
|> kind regards,
|>
|> David Sommerseth
| Shit. That means the security model we chose OpenVPN for is gone, if users
| can easily find a client that automatically logs every computer they
| fancy into the company network.
|
| (OpenVPN now being something to run on appliances, where the people on the
| server end have full control of the hardware on the client end.)
|
| Well, I have to see what the bosses say - I hope I won't have to spend my
| Christmas holiday looking for better VPN solutions :-(.

I do understand your initial reaction and point of view.  However, providing
OpenVPN binaries without this feature is in the *best case* security through
obscurity.  I personally do not like that this feature is available.  But
providing Windows builds without --enable-password-save is the wrong solution.

To rely on Windows binaries being built without --enable-password-save as a
security measure is a false impression of security to start with.  It took
me less than 3 minutes to find this URL via Google:

<http://www.acevpn.com/2009/12/07/openvpn-build-with-save-password-enabled/>

I Googled for "openvpn enable password-save windows". Your users simply need
to find this binary and get it installed - and you're back to this
discussion thread.

In fact, this feature is really one of the simplest features to get around.
Clever users would either find a link like the one above, compile their own
version or, maybe even to have more fun, hard-code their username/password into
the source code when compiling it.  Okay, the compiling stuff is for the
more advanced users, but there are plenty of ways to circumvent this
limitation.  The management interface, for example.  Enable the management
interface and have a little script (Python, Visual Basic, etc.) which connects
to the interface and feeds the username and password.

And then ask yourself these questions:  Is it safer for you and your users to
use an official OpenVPN Windows build which includes --enable-password-save, or
to "unknowingly" have users who have a third-party compiled Windows binary
installed instead of the official one without --enable-password-save?  Do you
trust that the third-party binary is just as safe as the official OpenVPN builds?

You may claim that your users do not have Administrator access to install
applications.  But what do they do at home or when you don't see them
physically?  Are you sure they haven't installed the third-party build on a
private computer at home and just copied over the configuration files?  And
you still have the management interface approach open as well.

To see this from a different perspective: Security can never be achieved by
relying on the client side at all.  Security can only be achieved by a
controlled server environment which you can audit regularly.  Basically, all
clients are your enemies - no matter if they are known or unknown.  You need
to protect the access at the server side and not based on what's installed on
the clients.

One way to avoid --enable-password-save being used is to move over to
token-based authentication, like S/Key, YubiKey, RSA or other OTP solutions,
where the password being sent over the wire changes for each login.  In fact,
that's probably the easiest implementation of a more secure solution, with or
without --enable-password-save.

So to sum it up:  --enable-password-save is *not* a security feature.  To
believe --enable-password-save is a security feature is a big
misunderstanding.  It has never really been, and will never be a security
feature.  It is simply a convenience feature and nothing else.

kind regards,

David Sommerseth
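An added example (not code from this thread or from the OpenVPN project) of the server-side, token-based check David argues for: a hypothetical --auth-user-pass-verify script (via-file mode) that only accepts a static password followed by a fresh 6-digit TOTP code, so a credential saved on a client with --enable-password-save is worthless on its own. The user table, secrets and script behaviour are constructed for illustration.

```python
#!/usr/bin/env python3
# Hypothetical OpenVPN --auth-user-pass-verify script (via-file mode).
# Added example, not OpenVPN project code. The server checks
# "static password + 6-digit TOTP code", so a password saved on the client
# (--enable-password-save) cannot log in by itself.
import base64
import hashlib
import hmac
import struct
import sys
import time

# Constructed sample user table: username -> (static password, base32 TOTP seed).
# The seed is the RFC 4226/6238 reference seed "12345678901234567890" in base32.
USERS = {
    "alice": ("correct-horse", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"),
}
STEP = 30      # TOTP time step in seconds
WINDOW = 1     # tolerate +/- one step of clock drift between client and server
DIGITS = 6

# Highest counter already accepted per user: a captured code cannot be replayed.
# In a real deployment this state must live outside the process (file/db).
last_counter = {}


def hotp(seed_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(seed_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(username, password, now=None):
    """True only if the static part matches and the TOTP code is valid and unused."""
    entry = USERS.get(username)
    if entry is None or len(password) <= DIGITS:
        return False
    static_pw, seed = entry
    static_part, code = password[:-DIGITS], password[-DIGITS:]
    if not hmac.compare_digest(static_part.encode(), static_pw.encode()):
        return False
    counter_now = int((time.time() if now is None else now) // STEP)
    for counter in range(counter_now - WINDOW, counter_now + WINDOW + 1):
        if counter <= last_counter.get(username, -1):
            continue  # replay protection: never accept a counter at or below the last accepted one
        if hmac.compare_digest(code.encode(), hotp(seed, counter).encode()):
            last_counter[username] = counter
            return True
    return False


def main():
    # OpenVPN (via-file) writes the username on line 1 and the password on line 2.
    with open(sys.argv[1]) as f:
        lines = f.read().splitlines()
    username, password = (lines + ["", ""])[:2]
    sys.exit(0 if verify(username, password) else 1)  # exit 0 = accept, non-zero = reject


if __name__ == "__main__":
    main()
```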
Manthra | 6 Dec 2010 06:44

Remote Desktop slow on VPN tunnel

Hi,

We have a simple openvpn setup running fine. But as we observed, accessing Remote Desktop (RDP) is very very slow through the VPN tunnel, but through the datacard it is very fast. Please guide me to solve this problem.

Thanks in advance.

Regards,
Manthra


Rob MacGregor | 6 Dec 2010 13:23

Re: Remote Desktop slow on VPN tunnel

On Mon, Dec 6, 2010 at 05:44, Manthra <manthra.24 <at> gmail.com> wrote:
> Hi,
>
> We have a simple openvpn setup running fine. But as we observed, accessing
> Remote Desktop (RDP) is very very slow through the VPN tunnel, but through
> the datacard it is very fast. Please guide me to solve this problem.

Are you using a TCP tunnel or a UDP tunnel?

Can you define "very very slow"?  If you access it remotely from the
same location, but not through the VPN, how does it perform?

-- 
                 Please keep list traffic on the list.

Rob MacGregor
      Whoever fights monsters should see to it that in the process he
        doesn't become a monster.                  Friedrich Nietzsche

Bill Baird | 6 Dec 2010 16:45

Re: Windows 7 - OpenVPN fails after wake from Sleep/Standby

> 
> I'm not 100% sure about current status of this issue, but the 
> bug report is archived here:
> 
> <https://community.openvpn.net/openvpn/ticket/56>
> 
> I think Heiko (maintainer of the new OpenVPN-GUI) has found 
> the underlying issue, but I'm not sure if he has fixed it already.
> 
> --
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
> 

I have created the following ticket, since the other ticket (linked 
above) appears to be for Windows XP. The bug still happens in 2.1.4 & 
2.2b5. Thanks!

https://community.openvpn.net/openvpn/ticket/71

--Bill

Rob MacGregor | 6 Dec 2010 19:40

Re: Remote Desktop slow on VPN tunnel

Please reply to the list, I am not here to personally support you ;)

On Mon, Dec 6, 2010 at 14:03, Manthra <manthra.24 <at> gmail.com> wrote:
> It is a TCP VPN tunnel.
>
> Very slow - only through the VPN, the RDP reply is very slow, but if I don't
> use the VPN then the speed is good. I tried selecting a low resolution for
> RDP, but no use.

Try a UDP VPN, running TCP in TCP is known to have performance
problems: http://openvpn.net/archive/openvpn-users/2007-06/msg00123.html

-- 
                 Please keep list traffic on the list.

Rob MacGregor
      Whoever fights monsters should see to it that in the process he
        doesn't become a monster.                  Friedrich Nietzsche

Leonard Parker | 6 Dec 2010 20:52

IP changed, Broken VPN

Hey, this company I work with is doing some VoIP setup.
They've got a new static IP, which I placed into the config file, but this is all I get now
(it worked before):

I checked the router, no apparent changes have been made to the VPN or firewall setup.

Any ideas?


Mon Dec 06 14:46:43 2010 OpenVPN 2.2-beta3 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Sep  2 2010
Mon Dec 06 14:46:43 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Dec 06 14:46:43 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Dec 06 14:46:43 2010 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Dec 06 14:46:43 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Dec 06 14:46:43 2010 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Mon Dec 06 14:46:43 2010 Local Options hash (VER=V4): '3514370b'
Mon Dec 06 14:46:43 2010 Expected Remote Options hash (VER=V4): '239669a8'
Mon Dec 06 14:46:43 2010 UDPv4 link local: [undef]
Mon Dec 06 14:46:43 2010 UDPv4 link remote: xyz:1194
Mon Dec 06 14:46:43 2010 TLS: Initial packet from xyz:1194, sid=3b6e6d95 d7bc778a
Mon Dec 06 14:46:45 2010 VERIFY OK: depth=1, /C=CA/ST=ON/L=Midland/O=ChinAndOrr/emailAddress=len.parker <at> gmail.com
Mon Dec 06 14:46:45 2010 VERIFY OK: depth=0, /C=CA/ST=ON/O=ChinAndOrr/OU=server/CN=server/emailAddress=len.parker <at> gmail.com
Mon Dec 06 14:47:43 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Dec 06 14:47:43 2010 TLS Error: TLS handshake failed
Mon Dec 06 14:47:43 2010 TCP/UDP: Closing socket
Mon Dec 06 14:47:43 2010 SIGUSR1[soft,tls-error] received, process restarting
Mon Dec 06 14:47:43 2010 Restart pause, 2 second(s)
Mon Dec 06 14:47:45 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Dec 06 14:47:45 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Dec 06 14:47:45 2010 Re-using SSL/TLS context
Mon Dec 06 14:47:45 2010 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Dec 06 14:47:45 2010 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Dec 06 14:47:45 2010 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Mon Dec 06 14:47:45 2010 Local Options hash (VER=V4): '3514370b'
Mon Dec 06 14:47:45 2010 Expected Remote Options hash (VER=V4): '239669a8'
Mon Dec 06 14:47:45 2010 UDPv4 link local: [undef]
Mon Dec 06 14:47:45 2010 UDPv4 link remote: xyz:1194
Mon Dec 06 14:47:45 2010 TLS: Initial packet from xyz:1194, sid=74447a4d e37e4ccf
Mon Dec 06 14:47:47 2010 VERIFY OK: depth=1, /C=CA/ST=ON/L=Midland/O=ChinAndOrr/emailAddress=len.parker <at> gmail.com
Mon Dec 06 14:47:47 2010 VERIFY OK: depth=0, /C=CA/ST=ON/O=ChinAndOrr/OU=server/CN=server/emailAddress=len.parker <at> gmail.com

I haven't failed! I've only found 10,000 ways that don't work.

Leonard Parker | 6 Dec 2010 21:21

Re: IP changed, Broken VPN

Found the problem.

The NTP connection was lost and the date had been set back to 0.
Now that it is resynchronized I can get my VPN up, huzzah.
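An added example (not from the post) of a small triage pass over the client log posted above: it counts the "No server certificate verification method" warning (the client is not checking that it talks to the real server; the fix in the client config is `remote-cert-tls server`), counts handshake failures and restarts, and records whether the client had already verified the server certificate when negotiation timed out. The log excerpt is copied from the post with the remote host shown as "xyz" as there; the field names are constructed.

```python
import re
from datetime import datetime

# Excerpt of the client log quoted in the post above (remote host "xyz" as in the post).
LOG = """\
Mon Dec 06 14:46:43 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Dec 06 14:46:43 2010 UDPv4 link remote: xyz:1194
Mon Dec 06 14:46:45 2010 VERIFY OK: depth=1, /C=CA/ST=ON/L=Midland/O=ChinAndOrr/emailAddress=len.parker <at> gmail.com
Mon Dec 06 14:46:45 2010 VERIFY OK: depth=0, /C=CA/ST=ON/O=ChinAndOrr/OU=server/CN=server/emailAddress=len.parker <at> gmail.com
Mon Dec 06 14:47:43 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Dec 06 14:47:43 2010 TLS Error: TLS handshake failed
Mon Dec 06 14:47:43 2010 SIGUSR1[soft,tls-error] received, process restarting
Mon Dec 06 14:47:45 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Dec 06 14:47:45 2010 UDPv4 link remote: xyz:1194
Mon Dec 06 14:47:47 2010 VERIFY OK: depth=0, /C=CA/ST=ON/O=ChinAndOrr/OU=server/CN=server/emailAddress=len.parker <at> gmail.com
"""

# OpenVPN 2.x client log line: "<Day> <Mon> <DD> <HH:MM:SS> <YYYY> <message>"
LINE_RE = re.compile(r"^(\w{3} \w{3} \d\d \d\d:\d\d:\d\d \d{4}) (.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse(log_text):
    """Yield (timestamp, message) for every well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), TS_FMT), m.group(2)


def triage(log_text):
    """Summarise the findings a defender cares about in a failing client log."""
    findings = {
        "no_server_cert_check": 0,   # MITM warning: add 'remote-cert-tls server' on the client
        "handshake_failures": 0,
        "restarts": 0,
        "server_cert_verified_before_timeout": False,
        "handshake_seconds": None,   # time from link setup to handshake failure
    }
    link_start, verified = None, False
    for ts, msg in parse(log_text):
        if "No server certificate verification method has been enabled" in msg:
            findings["no_server_cert_check"] += 1
        elif msg.startswith(("UDPv4 link remote", "TCPv4 link remote")):
            link_start, verified = ts, False
        elif msg.startswith("VERIFY OK: depth=0"):
            verified = True      # the client accepted the server's leaf certificate
        elif msg == "TLS Error: TLS handshake failed":
            findings["handshake_failures"] += 1
            if verified:
                # The client finished its own checks; the stall is on the network or
                # the server side (in the post it turned out to be a clock reset).
                findings["server_cert_verified_before_timeout"] = True
            if link_start is not None:
                findings["handshake_seconds"] = int((ts - link_start).total_seconds())
        elif "received, process restarting" in msg:
            findings["restarts"] += 1
    return findings
```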
