Re: [Openvpn-devel] [PATCH] openvpnserv: enable interactive service to open tun

2019-06-25 Thread Selva Nair
Hi, What I have in mind would also require editing all calls to send_msg_iservice() which is essentially what Gert is objecting to. So ignore me -- a separate send_msg_iservice_ex may be the best option. Selva On Tue, Jun 25, 2019 at 5:00 PM Selva Nair wrote: > > Hi, > > On Tue, Jun 25, 2019

Re: [Openvpn-devel] [PATCH] openvpnserv: enable interactive service to open tun

2019-06-25 Thread Selva Nair
Hi, On Tue, Jun 25, 2019 at 4:38 PM Lev Stipakov wrote: > > Hi, > >> >> The way interactive service structures are coded should not require >> this at all, does it? The size and message type are already in the >> header, so why do we need to pass it? > > > But we need to know the response size

Re: [Openvpn-devel] [PATCH v4 6/7] Sent indication that a session is expired to clients

2019-06-25 Thread David Sommerseth
On 13/06/2019 15:48, Arne Schwabe wrote: > From: Arne Schwabe > > This allows OpenVPN 3 core to fall back to the original authentication > method. > > This commit changes man_def_auth_set_client_reason to > auth_set_client_reason since it is now used in more contexts. > > Also remove a FIXME

Re: [Openvpn-devel] [PATCH] openvpnserv: enable interactive service to open tun

2019-06-25 Thread Selva Nair
Hi On Tue, Jun 25, 2019 at 4:34 PM Gert Doering wrote: > > Hi, > > On Tue, Jun 25, 2019 at 03:57:18PM -0400, Selva Nair wrote: > > The way interactive service structures are coded should not require > > this at all, does it? The size and message type are already in the > > header, so why do we

[Openvpn-devel] how to migrate users to "no compression" config

2019-06-25 Thread Илья Шипицин
Hello, for example, let us imagine we provisioned a lot of users with config files containing "comp-lzo" and we want to migrate them to server without compression. I see two options 1) set up new server (actually, new udp/tcp ports on the same server) and send new config to users 2) use push

Re: [Openvpn-devel] [PATCH] openvpnserv: enable interactive service to open tun

2019-06-25 Thread Lev Stipakov
Hi, > The way interactive service structures are coded should not require > this at all, does it? The size and message type are already in the > header, so why do we need to pass it? But we need to know the response size in send_msg_iservice() since we pass it to ReadFile(). So far we assumed

Re: [Openvpn-devel] [PATCH] openvpnserv: enable interactive service to open tun

2019-06-25 Thread Gert Doering
Hi, On Tue, Jun 25, 2019 at 03:57:18PM -0400, Selva Nair wrote: > The way interactive service structures are coded should not require > this at all, does it? The size and message type are already in the > header, so why do we need to pass it? The result here is a new kind of > ack message with a

Re: [Openvpn-devel] [PATCH v4 7/7] Implement unit tests for auth-gen-token

2019-06-25 Thread David Sommerseth
On 13/06/2019 15:48, Arne Schwabe wrote: > From: Arne Schwabe > > Patch V2: adapt unit tests to other V2 patches > Patch V4: Resolve rebase conflicts > --- > tests/unit_tests/openvpn/Makefile.am | 20 +- > tests/unit_tests/openvpn/test_auth_token.c | 375 + > 2 files

Re: [Openvpn-devel] [PATCH v4 4/7] Rewrite auth-token-gen to be based on HMAC based tokens

2019-06-25 Thread David Sommerseth
On 13/06/2019 15:48, Arne Schwabe wrote: > The previous auth-token implementation had a serious problem, especially when > paired with an unpatched OpenVPN client that keeps trying the auth-token > (commit e61b401a). > > The auth-token-gen implementation forgot the auth-token on reconnect, this >

Re: [Openvpn-devel] [PATCH v4 2/7] Implement --genkey type keyfile syntax and migrate tls-crypt-v2

2019-06-25 Thread David Sommerseth
On 13/06/2019 15:48, Arne Schwabe wrote: > This unifies our key generation and also migrates the generation > of the tls-crypt-v2 keys. Since tls-crypt-v2 is not included in any > released version, we remove the old syntax without compatibility. > > PATCH V4: Introduce warning/error when

Re: [Openvpn-devel] [PATCH v4 3/7] Add generate_ephemeral_key that allows a random ephemeral key

2019-06-25 Thread David Sommerseth
On 13/06/2019 15:48, Arne Schwabe wrote: > From: Arne Schwabe > > This is useful for features that can use either a persistent > or an ephemeral key. > > Patch V2: Move the functionality of generating a random key into a > separate function that acts as wrapper for pem_read_key_file

Re: [Openvpn-devel] [PATCH] openvpnserv: enable interactive service to open tun

2019-06-25 Thread Selva Nair
Hi On Tue, Jun 25, 2019 at 3:49 PM Gert Doering wrote: > > Hi, > > On Tue, Jun 25, 2019 at 10:34:01PM +0300, Lev Stipakov wrote: > > ack_message_t ack; > > struct gc_arena gc = gc_new(); > > > > -if (!send_msg_iservice(pipe, rt, size, , "ROUTE")) > > +if

Re: [Openvpn-devel] [PATCH] openvpnserv: enable interactive service to open tun

2019-06-25 Thread Gert Doering
Hi, On Tue, Jun 25, 2019 at 10:34:01PM +0300, Lev Stipakov wrote: > ack_message_t ack; > struct gc_arena gc = gc_new(); > > -if (!send_msg_iservice(pipe, rt, size, , "ROUTE")) > +if (!send_msg_iservice(pipe, rt, size, , sizeof(ack), "ROUTE")) I do not like this. Please find
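Review bot: the added `sizeof(ack)` argument on the `+if (!send_msg_iservice(...))` line makes this "ROUTE" call pass the response size by hand, even though its response is still the plain `ack_message_t ack` declared two lines above. Consider keeping the existing `send_msg_iservice()` signature for calls like this one and putting the explicit response size in a separate variant, so that only callers expecting a different response type have to state it and a mismatched buffer and size pair cannot be introduced at the unchanged call sites.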

[Openvpn-devel] [PATCH] openvpnserv: enable interactive service to open tun

2019-06-25 Thread Lev Stipakov
From: Lev Stipakov This patch enables interactive service to open tun device. This is mostly needed by Wintun, which could be opened only by privileged process. When interactive service is used, instead of calling CreateFile() directly by openvpn process we pass tun device path into service

Re: [Openvpn-devel] Summary of the community meeting (20th June 2019)

2019-06-25 Thread Samuli Seppänen
Hi, I got the Static Driver Verifier to run with help from Stephen. The correct (command-line) procedure is now documented here: So it was bad usability after all. The tests are now running and hopefully I can create