Re: [Openvpn-devel] p2p topology on Windows

2016-09-23 Thread Jan Just Keijser
Hi David, On 23/09/16 23:34, David Woodhouse wrote: > I believe I have P2P working on a Windows (8.1) client (with > OpenConnect, but I don't see why it can't work for OpenVPN). > > I configure the TAP device (with TAP_IOCTL_CONFIG_TUN) with the local > IP address, and with network and netmask

Re: [Openvpn-devel] Linux: Use /tmp for log problem ?

2016-09-22 Thread Jan Just Keijser
Hi, On 22/09/16 15:07, debbie10t wrote: > Hi > > posting in devel because I am asking for clarification of > what the source code really does. > > Re: https://forums.openvpn.net/viewtopic.php?f=30=22485 > > Config: > |--- > server *normal stuff* > log-append /tmp/openvpn.log > --- > > I have just

Re: [Openvpn-devel] Dropping Windows Vista / XP support?

2016-09-07 Thread Jan Just Keijser
On 07/09/16 14:15, Samuli Seppänen wrote: >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA1 >> >> On 07/09/16 11:43, Gert Doering wrote: >>> Hi, >>> >>> On Wed, Sep 07, 2016 at 12:18:17PM +0300, Samuli Seppänen wrote: We have already dropped XP support from OpenVPN Git "master". I

[Openvpn-devel] AES-GCM & gigabit networks

2016-08-17 Thread Jan Just Keijser
hi all, just wanted to share some results with you: AES-GCM has a *very* nice impact on openvpn's performance over gigabit networks. I'm now capable of saturating a gigabit ethernet link with full AES-256-GCM encryption (Linux on both ends). Raw iperf results: - ethernet: 935 Mbps -

Re: [Openvpn-devel] testing challenge-response

2016-08-17 Thread Jan Just Keijser
Hi Selva, Selva Nair wrote: > Hi, > > As discussed in the IRC meeting, here is a client config that connects > to a test server I run for static and dynamic challenge. Just run it as > > sudo openvpn --config cr-client.conf > > Respond with some arbitrary strings at the username, password and

Re: [Openvpn-devel] [PATCH] Allow ncp-disable and ncp-ciphers to be specified in ccd files

2016-07-29 Thread Jan Just Keijser
Hi, On 25/07/16 20:52, Steffan Karger wrote: This allows the ncp-disable and ncp-ciphers options to be used in 'client config dir' files, to disable or change the negotiable crypto parameter settings for specific clients. Signed-off-by: Steffan Karger ---

Re: [Openvpn-devel] [PATCH] Allow ncp-disable and ncp-ciphers to be specified in ccd files

2016-07-26 Thread Jan Just Keijser
ACK from me, but just to nitpick: we now have an option 'disable-occ' and an option 'ncp-disable' - wouldn't it make more sense to make it "disable-ncp" as well? JJK On 25/07/16 20:52, Steffan Karger wrote: This allows the ncp-disable and ncp-ciphers options to be used in 'client config

Re: [Openvpn-devel] use of --cipher with no arguments?

2016-07-26 Thread Jan Just Keijser
Hi Gert, On 25/07/16 22:04, Gert Doering wrote: Hi, has anyone ever used "--cipher" without an argument? If yes, what is the intended usage? It sort of "tells openvpn we want crypto!" but does not go into detail about it... Normally, this would just be a random weird option, but I ran

Re: [Openvpn-devel] [Openvpn-users] Segmentation Fault

2016-07-08 Thread Jan Just Keijser
Hi, On 08/07/16 16:55, pbar...@netprotec.com wrote: Please run the OpenVPN instance which core dumps via gdb. When it segfaults, type the command 'bt' (backtrace) and provide us with the complete backtrace. Then we can have an idea where in the code it crashed. Another

Re: [Openvpn-devel] [PATCH] V3:Add support for pushable encryption. Now properly supports AEAD as well

2016-04-22 Thread Jan Just Keijser
On 22/04/16 05:55, Jan Just Keijser wrote: This patch adds support for pushing encryption and HMAC ciphers to the client - it works when pushing both --cipher and/or --auth - works by re-doing part of the encryption setup (you'll see some messages fly by twice ) - pushing an HMAC (e.g. push

Re: [Openvpn-devel] OpenSSL connect and disconnect calls

2016-04-22 Thread Jan Just Keijser
Hi, On 22/04/16 10:16, Shubham Chauhan wrote: Hello, I was going through the codebase, and found myself a bit confused. I wanted to customize some functionalities and run some tests I was specifically looking for the methods where we start (performing the handshake) and end an OpenSSL

[Openvpn-devel] [PATCH] V3:Add support for pushable encryption. Now properly supports AEAD as well

2016-04-22 Thread Jan Just Keijser
This patch adds support for pushing encryption and HMAC ciphers to the client - it works when pushing both --cipher and/or --auth - works by re-doing part of the encryption setup (you'll see some messages fly by twice ) - pushing an HMAC (e.g. push "auth SHA256"") does **not** work in

[Openvpn-devel] [PATCH] V2: Add compression support. Now properly supports AEAD as well

2016-04-22 Thread Jan Just Keijser
--- src/openvpn/init.c | 74 ++ src/openvpn/mtu.h | 18 + 2 files changed, 82 insertions(+), 10 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 84fac07..0566b5b 100644 --- a/src/openvpn/init.c +++

Re: [Openvpn-devel] Add support for pushable encryption.

2016-04-21 Thread Jan Just Keijser
"auth SHA256"") does **not** work in combination with --tls-auth: when tls-auth is used all incoming packets are signed using the "original" HMAC cipher and you won't even get to the "push" stage to get the correct cipher. share and enjoy, JJK On 21/
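The failure mode JJK describes above (a pushed "auth" never taking effect under --tls-auth) can be seen in a small model. This is an added example, not OpenVPN's code: it assumes that every control-channel packet carries an HMAC computed with the locally configured --auth digest over a slice of the static key, and that the key slice length equals the digest size. The 64-byte static key is a constructed stand-in for a real --tls-auth key file, and the packet names are only labels.

```python
"""Model of why a pushed "auth" cannot take effect when --tls-auth is in use.

Simplified model, not OpenVPN code: each control-channel packet carries an HMAC
computed with the locally configured --auth digest over a slice of the static key.
"""
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for a --tls-auth static key file (a real one is 2048 bits).
STATIC_KEY = bytes(range(64))


def hmac_key(digest: str) -> bytes:
    """Key slice for the digest; assumption: key length equals the digest output size."""
    return STATIC_KEY[: hashlib.new(digest).digest_size]


def wrap(payload: bytes, digest: str) -> bytes:
    """Sender side: prepend the tls-auth tag computed with the sender's --auth digest."""
    tag = hmac.new(hmac_key(digest), payload, digest).digest()
    return tag + payload


def unwrap(packet: bytes, digest: str) -> Optional[bytes]:
    """Receiver side: verify with the receiver's own --auth digest; None means dropped."""
    size = hashlib.new(digest).digest_size
    tag, payload = packet[:size], packet[size:]
    expected = hmac.new(hmac_key(digest), payload, digest).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def handshake(client_auth: str, server_auth: str) -> str:
    """Walk the control channel up to PUSH_REPLY and report where it stops."""
    # 1. Client HARD_RESET, tagged with the client's digest, checked with the server's.
    if unwrap(wrap(b"P_CONTROL_HARD_RESET_CLIENT_V2", client_auth), server_auth) is None:
        return "dropped: server rejected client HARD_RESET"
    # 2. Server HARD_RESET, tagged with the server's digest, checked with the client's.
    if unwrap(wrap(b"P_CONTROL_HARD_RESET_SERVER_V2", server_auth), client_auth) is None:
        return "dropped: client rejected server HARD_RESET"
    # 3. Only after both directions verify does TLS complete and PUSH_REPLY get sent.
    reply = unwrap(wrap(b"PUSH_REPLY,auth " + server_auth.encode(), server_auth), client_auth)
    assert reply is not None  # same digest on both sides, so this cannot fail here
    return "push received: " + reply.decode()


if __name__ == "__main__":
    print(handshake("sha1", "sha1"))    # both sides agree: the push arrives
    print(handshake("sha1", "sha256"))  # server wants to push SHA256: never gets that far
```

The second call shows the point of the thread: with the server already tagging its packets with the digest it intends to push, the client drops the very first packet, so there is no session in which a PUSH_REPLY could ever be delivered. Only a digest that both sides already agree on before the handshake works under --tls-auth.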

[Openvpn-devel] Add support for pushable encryption.

2016-04-21 Thread Jan Just Keijser
--- src/openvpn/init.c | 128 + 1 file changed, 91 insertions(+), 37 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 2beec72..d21a862 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -60,6 +60,13 @@ static

Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-05 Thread Jan Just Keijser
Hi, On 04/03/16 22:58, ValdikSS wrote: I have good news and bad news: Good news: * OpenVPN sends all certificates from the server supplied for --server directive (although with a small bug that a certificate which you have private key for must be supplied on the top) * OpenVPN

Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-04 Thread Jan Just Keijser
Hi, On 04/03/16 14:24, Arne Schwabe wrote: Am 04.03.16 um 14:18 schrieb ValdikSS: On 03/04/2016 04:12 PM, Arne Schwabe wrote: Am 03.03.16 um 22:04 schrieb ValdikSS: Shouldn't sending the new CA chain only be enough? Since it is (cross)signed by the old CA, the client will accept it. For the

Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-04 Thread Jan Just Keijser
Hi, On 03/03/16 22:04, ValdikSS wrote: Hello everyone, I'm trying to leisurely move from an old existing 1024 bit CA to a new 4096 bit one without a hassle for a clients. From a X.509 perspective it shouldn't be a problem, and I already have new CA self-signed and cross-signed with old CA,

[Openvpn-devel] manpage oddity

2016-03-03 Thread Jan Just Keijser
hi, the openvpn man page section on environment variables lists local The --local parameter. Set on program initiation and reset on SIGHUP. local_port The local port number, specified by --port or --lport. Set on program initiation and reset on SIGHUP. and

Re: [Openvpn-devel] Need help testing installers on Windows XP

2016-02-17 Thread Jan Just Keijser
On 17/02/16 13:39, Samuli Seppänen wrote: Hi, Could someone quickly test these installers on Windows XP?

Re: [Openvpn-devel] route / route-ipv6 can not be used in ccd

2016-02-09 Thread Jan Just Keijser
Hi, On 09/02/16 11:46, Gert Doering wrote: On Tue, Feb 09, 2016 at 11:15:33AM +0100, Samuel Thibault wrote: Gert Doering, on Tue 09 Feb 2016 10:28:21 +0100, wrote: On Mon, Feb 08, 2016 at 10:39:29PM +0100, Samuel Thibault wrote: Is there a reason for not being allowed to set route /

Re: [Openvpn-devel] [PATCH] Clarify mssfix documentation

2016-01-09 Thread Jan Just Keijser
On 01/09/2016 07:07 PM, Jan Just Keijser wrote: Hi, On 09/01/16 16:53, ValdikSS wrote: this is a clarification for the --fragment option, right? and is the 28/48 bytes also applicable in TAP mode? JJK

Re: [Openvpn-devel] [PATCH] Clarify mssfix documentation

2016-01-09 Thread Jan Just Keijser
Hi, On 09/01/16 16:53, ValdikSS wrote: --- doc/openvpn.8 | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 9760e8b..ef77b29 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -1381,7 +1381,11 @@ parameter is interpreted in the same

Re: [Openvpn-devel] [PATCH] Warn user if their certificate has expired

2015-12-23 Thread Jan Just Keijser
Hi, Steffan Karger wrote: Hi, On Wed, Dec 23, 2015 at 4:11 PM, Jan Just Keijser <janj...@nikhef.nl> wrote: Steffan Karger wrote: [...] Just use mbedtls ;-) OpenSSL 1.0.2 has been released almost a year ago, so upcoming distro releases will probably contain 1.0.2+ (e.g. Ubuntu

Re: [Openvpn-devel] [PATCH] Warn user if their certificate has expired

2015-12-23 Thread Jan Just Keijser
Hi, Steffan Karger wrote: [...] Just use mbedtls ;-) OpenSSL 1.0.2 has been released almost a year ago, so upcoming distro releases will probably contain 1.0.2+ (e.g. Ubuntu 15.10 already has it, 16.04 LTS will have it too). Should not take too long, right? As you've probably noticed in the

Re: [Openvpn-devel] [PATCH] Warn user if their certificate has expired

2015-12-15 Thread Jan Just Keijser
Hi, On 15/12/15 08:53, Gert Doering wrote: Hi, On Tue, Dec 15, 2015 at 01:12:49AM +0100, David Sommerseth wrote: Just tried to build openvpn on one of my laptops (Scientific Linux 7.1, openssl-1.0.1e-42.el7). And it explodes when reaching the SSL_CTX_get0_certificate(), it seems that support

Re: [Openvpn-devel] [PATCH] Disable certificate notBefore/notAfter sanity check on OpenSSL < 1.0.2

2015-12-15 Thread Jan Just Keijser
Hi, On 15/12/15 13:21, Steffan Karger wrote: The SSL_CTX_get0_certificate() function I used in 091edd8e is available in OpenSSL 1.0.2+ only. Older versions seem to not have a useful alternative. The remaining option would then be to create a cache for our parsed certificate, but that would

Re: [Openvpn-devel] [PATCH] Disable certificate notBefore/notAfter sanity check on OpenSSL < 1.0.2

2015-12-15 Thread Jan Just Keijser
Hi, On 15/12/15 10:12, Steffan Karger wrote: Hi, On Tue, Dec 15, 2015 at 9:42 AM, Jan Just Keijser <janj...@nikhef.nl> wrote: On 14/12/15 23:14, Steffan Karger wrote: The SSL_CTX_get0_certificate() function I used in 091edd8e is available in OpenSSL 1.0.2+ only. Older version

Re: [Openvpn-devel] [PATCH] Disable certificate notBefore/notAfter sanity check on OpenSSL < 1.0.2

2015-12-15 Thread Jan Just Keijser
Hi, On 14/12/15 23:14, Steffan Karger wrote: The SSL_CTX_get0_certificate() function I used in 091edd8e is available in OpenSSL 1.0.2+ only. Older versions seem to not have a useful alternative. The remaining option would then be to create a cache for our parsed certificate, but that would

Re: [Openvpn-devel] [PATCH 2/2] polarssl: add --verify-client-cert optional support

2015-11-09 Thread Jan Just Keijser
Ack to this patch (but remember to apply my patch first :)) JJK Steffan Karger wrote: This adds support for the --verify-client-cert optional option in PolarSSL builds, as was earlier added for OpenSSL builds by Jan-Just Keijser. This patch also adds an additional sanity check

Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-22 Thread Jan Just Keijser
Hi, On 22-Oct-15 20:28, Morris, Russell wrote: Hi, 90% sure it's I60x ... but I installed it a little bit ago, and didn't keep the installer. Is there an easy way to check (to be 100% sure, so I don't accidentally lie to you)? try looking in the list of installed programs Control Panel

Re: [Openvpn-devel] [PATCH] Use adapter index instead of name

2015-10-22 Thread Jan Just Keijser
Hi *, On 22/10/15 16:24, David Woodhouse wrote: On Thu, 2015-10-22 at 16:17 +0200, Gert Doering wrote: Hi, On Thu, Oct 22, 2015 at 03:09:57PM +0100, David Woodhouse wrote: So Olli and Lev would appear to be saying. For OpenConnect I haven't actually tested this hypothesis. Unfortunately I'd

[Openvpn-devel] Interesting link related to OpenVPN on Windows

2015-10-20 Thread Jan Just Keijser
Hi, just read this post: http://www.theregister.co.uk/2015/10/19/microsoft_openssh_code_release/ Here's Redmond's rough road map for the OpenSSH port: Update NoMachine port to OpenSSH 7.1 [Done] Leverage Windows crypto api’s instead of OpenSSL/LibreSSL and run as Windows

Re: [Openvpn-devel] [PATCH v2] Allow inlining of --auth-user-pass

2015-10-11 Thread Jan Just Keijser
Ack from me. Tested: - myusername mypassword - myusername - auth-userpass username.txt where username.txt contains only the username. in the last 2 cases openvpn correctly queries the user for the password. JJK On 11/10/15 11:52, Adriaan de Jong wrote: This patch allows inlining

[Openvpn-devel] [PATCH] Add TFTP and WPAD DHCP options V4

2015-10-09 Thread Jan Just Keijser
These DHCP options will be added on the client to the (Windows) tun adapter and will be available to other applications. This allows the server to push out a TFTP address to use for applications like Cisco's IP Phone. WPAD stands for Windows Proxy Auto Detection and it allows Internet Explorer

[Openvpn-devel] [PATCH] Add support for TFTP and WPAD DHCP options. These DHCP options are picked up by the client-side (Windows) adapter and made available to other applications.

2015-10-09 Thread Jan Just Keijser
--- doc/openvpn.8 |8 src/openvpn/options.c | 14 ++ src/openvpn/tun.c | 29 + src/openvpn/tun.h |9 - 4 files changed, 59 insertions(+), 1 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index

Re: [Openvpn-devel] [Openvpn-users] CRL and --CApath usage

2015-09-24 Thread Jan Just Keijser
in one directory, c_rehash it, and that's all... all you need to do to manage it, is to copy the CRL across, whenever a certificate is revoked. In my case it would also be preferable, because there are multiple CAs and CRLs, thus I would not need it to concatenate all CRLs, every time a CRL is changed. That's

Re: [Openvpn-devel] Disable TLS for mode server

2015-08-31 Thread Jan Just Keijser
Hi Valentin, Valentin Sawadski wrote: Hello, I'm looking for a way to remove any encryption or MAC from OpenVPN in "--mode server". Since I'm new to the OpenVPN code base my starting point right now will be patching "options.c" to allow "--mode server" without TLS. Will this already be enough

Re: [Openvpn-devel] [PATCH] Added two features to Network Address Translator

2015-08-26 Thread Jan Just Keijser
Hi, Rafael Gava wrote: this is my first submission to the list and I hope that I'm doing in the right way. :-) Well, the features added to Network Address Translator are: 1) Allow the user to use the string "localhost" on the client-nat network configuration in a way that is not

Re: [Openvpn-devel] Openvpn is not working with hardware encryption enabled CPU.

2015-07-31 Thread Jan Just Keijser
that "openssl speed" give you. HTH, JJK On Fri, Jul 31, 2015 at 6:26 AM, Jan Just Keijser <janj...@nikhef.nl <mailto:janj...@nikhef.nl>> wrote: Hi, On 30/07/15 19:04, Rahul Arora wrote: Hi Thanks for the reply. I am already using "--engine cryptodev

Re: [Openvpn-devel] Does Openvpn really support cryptodev hardware accelerators

2015-07-31 Thread Jan Just Keijser
Hi, On 27/07/15 03:28, li yuqian wrote: Hi Jan, Thanks for your replay :) >>ah OK; I've grabbed a copy, built and installed it on 2 servers and ran some test: I get similar figures for 'openssl speed' but those numbers are artificial, i.e. they do not reflect true performance of the

Re: [Openvpn-devel] Openvpn is not working with hardware encryption enabled CPU.

2015-07-31 Thread Jan Just Keijser
Hi, On 30/07/15 19:04, Rahul Arora wrote: Hi Thanks for the reply. I am already using "--engine cryptodev" in the configuration file. I am using "aes-128-cbc" cipher algorithm and it is supported in my hardware as i am running "openssl speed test" using these ciphers only and in case of

Re: [Openvpn-devel] Docs or Bug: --push options no longer require double quotes

2015-07-26 Thread Jan Just Keijser
Hi Jonathan, On 25/07/15 22:24, Jonathan K. Bullard wrote: On Sat, Jul 25, 2015 at 3:45 PM, Gert Doering wrote: Hi, On Sat, Jul 25, 2015 at 01:34:46PM +0100, debbie...@gmail.com wrote: As the title states --push no longer requires options to be double quoted. Well,

Re: [Openvpn-devel] Does Openvpn really support cryptodev hardware accelerators

2015-07-26 Thread Jan Just Keijser
Hi, On 25/07/15 03:06, li yuqian wrote: Hi JJK, thanks for your reply. >>what kind of hardware cryptodev accelerator is on the Intel board? We don't have extra accelerator used in INTEL board, just enable cryptodev in kernel and installed cryptodev-linux-1.7.tar.gz , then i can got improved

Re: [Openvpn-devel] Does Openvpn really support cryptodev hardware accelerators

2015-07-24 Thread Jan Just Keijser
Hi, On 24/07/15 10:40, li yuqian wrote: Hi, I am working on try use the cryptodev hardware accelerator in Openvpn, i know this question is belong to user list, but i got confused for the issue, so, i think maybe need developer to help :) I have two boards, one is Freescale LS1021a ARM cpu,

Re: [Openvpn-devel] [PATCH v2] Add TFTP and WPAD DHCP options

2015-07-13 Thread Jan Just Keijser
Jan Just Keijser wrote: Jan Just Keijser wrote: Gert Doering wrote: On Thu, Jul 02, 2015 at 11:56:28AM +0200, Jan Just Keijser wrote: +write_dhcp_str (buf, 66, o->tftp, ); +write_dhcp_str (buf, 150, o->tftp, ); This does not look safe to me (or I'm overlooking som

Re: [Openvpn-devel] Adding routes on Windows using DHCP

2015-07-09 Thread Jan Just Keijser
Yo, Gert Doering wrote: Hi, On Wed, Jul 08, 2015 at 06:26:33PM +0200, Jan Just Keijser wrote: AFAICT windows does support that option (that's what I was referring to with options 121 or 249) . OTOH, I am *not* sure if it allows you to set a 0.0.0.0/1 route using that option, but I guess

Re: [Openvpn-devel] [PATCH v2] Add TFTP and WPAD DHCP options

2015-07-08 Thread Jan Just Keijser
Hi, Jan Just Keijser wrote: Gert Doering wrote: On Thu, Jul 02, 2015 at 11:56:28AM +0200, Jan Just Keijser wrote: +write_dhcp_str (buf, 66, o->tftp, ); +write_dhcp_str (buf, 150, o->tftp, ); This does not look safe to me (or I'm overlooking something) - if o->tftp i

Re: [Openvpn-devel] Adding routes on Windows using DHCP

2015-07-08 Thread Jan Just Keijser
Hi, Jan Just Keijser wrote: On 03/07/15 15:15, Gert Doering wrote: On Fri, Jul 03, 2015 at 01:56:39PM +0200, JÁKÓ András wrote: yes this is possible; it's possible to push multiple gateways and multiple (classless) routes (dhcp options 121 & 249). If the metric on the tap-win adapter is

Re: [Openvpn-devel] Adding routes on Windows using DHCP

2015-07-03 Thread Jan Just Keijser
Hi, On 03/07/15 15:15, Gert Doering wrote: On Fri, Jul 03, 2015 at 01:56:39PM +0200, JÁKÓ András wrote: yes this is possible; it's possible to push multiple gateways and multiple (classless) routes (dhcp options 121 & 249). If the metric on the tap-win adapter is set manually and is set low

Re: [Openvpn-devel] Adding routes on Windows using DHCP

2015-07-03 Thread Jan Just Keijser
Hi David, David Sommerseth wrote: On 03/07/15 13:02, Jan Just Keijser wrote: hi all, whilst writing the TFTP/WPAD patch I stumbled upon the options to set a default gateway and/or routes using DHCP options. I've patched openvpn to also set DHCP option 3 ("gateway") and indeed

[Openvpn-devel] Adding routes on Windows using DHCP

2015-07-03 Thread Jan Just Keijser
hi all, whilst writing the TFTP/WPAD patch I stumbled upon the options to set a default gateway and/or routes using DHCP options. I've patched openvpn to also set DHCP option 3 ("gateway") and indeed, windows picks up the route supplied to it :) This might be a way to address this topic

Re: [Openvpn-devel] [PATCH v2] Add TFTP and WPAD DHCP options

2015-07-02 Thread Jan Just Keijser
Hi, Gert Doering wrote: Hi, On Thu, Jul 02, 2015 at 11:56:28AM +0200, Jan Just Keijser wrote: +write_dhcp_str (buf, 66, o->tftp, ); +write_dhcp_str (buf, 150, o->tftp, ); This does not look safe to me (or I'm overlooking something) - if o->tftp is not set, i
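Review bot: the two calls +write_dhcp_str (buf, 66, o->tftp, ); and +write_dhcp_str (buf, 150, o->tftp, ); run unconditionally, so when no TFTP value was configured o->tftp is NULL and the string write dereferences it, which is the unsafe case the reviewer is pointing at; guard both with an `if (o->tftp)` check. Separately, option 150 (TFTP server address) carries one or more 4-byte IPv4 addresses, while option 66 (TFTP server name) is a string, so writing the same string into both emits a malformed option 150; either encode the address in binary for 150, or send only 66, and document in the man page which form the option takes.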

Re: [Openvpn-devel] [PATCH] Add TFTP and WPAD DHCP options

2015-07-02 Thread Jan Just Keijser
Hi, On 02/07/15 14:16, Jonathan K. Bullard wrote: On Thu, Jul 2, 2015 at 2:56 AM, Jan Just Keijser <janj...@nikhef.nl> wrote: Attached is the patch to add the TFTP and WPAD DHCP options. The patch is based on openvpn 2.3.7 as I did not know how to do a windows mingw build of the git v

[Openvpn-devel] [PATCH] Add TFTP and WPAD DHCP options

2015-07-02 Thread Jan Just Keijser
/~janjust/openvpn-2.3.7-dhcp-win64.exe Signed-off-by: Jan Just Keijser <janj...@nikhef.nl> --- openvpn-2.3.7/src/openvpn/options.c 2015-06-02 10:01:24.0 +0200 +++ /tmp/build-x86_64/openvpn-2.3.7/src/openvpn/options.c 2015-07-02 11:47:24.291216980 +0200 @@ -692,11 +
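The DHCP options that the two threads above turn on (the default gateway and classless routes of the "Adding routes on Windows using DHCP" thread, and the TFTP/WPAD options of the patch) have simple but easy-to-get-wrong encodings. The following is an added example, not OpenVPN's code, that encodes and decodes them in Python. It assumes the standard option numbers: 3 for the router, 66 for the TFTP server name (string), 150 for the TFTP server address (IPv4 list), 121 for RFC 3442 classless static routes, 249 for the Microsoft copy of 121, and the de facto option 252 for the WPAD URL. All sample addresses and names are constructed.

```python
"""Encoder/decoder for the DHCP options discussed in these threads (added example)."""
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

ROUTER, TFTP_NAME, TFTP_ADDR, CLASSLESS, MS_CLASSLESS, WPAD, END = 3, 66, 150, 121, 249, 252, 255


def tlv(code: int, data: bytes) -> bytes:
    """One option: code, length, value. An empty or over-long value is rejected
    rather than emitting a zero-length or truncated option."""
    if not 0 < len(data) <= 255:
        raise ValueError(f"option {code}: value length {len(data)} not in 1..255")
    return bytes([code, len(data)]) + data


def ip_list(addrs: Sequence[str]) -> bytes:
    """Binary form for address-list options such as 3 and 150 (not a string)."""
    return b"".join(ipaddress.IPv4Address(a).packed for a in addrs)


def classless_route(network: str, gateway: str) -> bytes:
    """RFC 3442 form: prefix length, only the significant destination octets, router."""
    net = ipaddress.IPv4Network(network, strict=False)
    significant = (net.prefixlen + 7) // 8
    return (bytes([net.prefixlen])
            + net.network_address.packed[:significant]
            + ipaddress.IPv4Address(gateway).packed)


def decode_classless(data: bytes) -> List[Tuple[str, str]]:
    """Inverse of classless_route over a whole option value."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        n = (plen + 7) // 8
        dst = data[i + 1:i + 1 + n] + bytes(4 - n)  # pad the omitted octets with zeros
        gw = data[i + 1 + n:i + 5 + n]
        if len(gw) != 4:
            raise ValueError("truncated classless route")
        routes.append((f"{ipaddress.IPv4Address(dst)}/{plen}", str(ipaddress.IPv4Address(gw))))
        i += 5 + n
    return routes


def build_options(router: Optional[str] = None,
                  routes: Sequence[Tuple[str, str]] = (),
                  tftp_name: Optional[str] = None,
                  tftp_addrs: Sequence[str] = (),
                  wpad_url: Optional[str] = None) -> bytes:
    """Assemble the option block a TAP adapter would receive; absent values are skipped."""
    out = b""
    if router:
        out += tlv(ROUTER, ip_list([router]))
    if routes:
        body = b"".join(classless_route(n, g) for n, g in routes)
        # Send both 121 and 249 so a client that only understands one of them still gets the routes.
        out += tlv(CLASSLESS, body) + tlv(MS_CLASSLESS, body)
    if tftp_name:
        out += tlv(TFTP_NAME, tftp_name.encode("ascii"))
    if tftp_addrs:
        out += tlv(TFTP_ADDR, ip_list(tftp_addrs))
    if wpad_url:
        out += tlv(WPAD, wpad_url.encode("ascii"))
    return out + bytes([END])


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Walk the TLVs back into {code: value}; the pad option (0) has no length byte."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != END:
        if blob[i] == 0:
            i += 1
            continue
        code, length = blob[i], blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


if __name__ == "__main__":
    # Constructed values: the two half-routes are the usual "redirect everything" pair.
    blob = build_options(router="10.8.0.1",
                         routes=[("0.0.0.0/1", "10.8.0.1"), ("128.0.0.0/1", "10.8.0.1")],
                         tftp_name="tftp.example.net", tftp_addrs=["10.8.0.2"],
                         wpad_url="http://wpad.example.net/wpad.dat")
    print(decode_classless(parse_options(blob)[CLASSLESS]))
```

The 0.0.0.0/1 and 128.0.0.0/1 pair encodes to five bytes per route, so a classless-route option stays well under the 255-byte limit even with a handful of extra networks. The `tlv` check is the guard the quoted review comment asks for: an unset value never reaches the wire as a bogus option.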

Re: [Openvpn-devel] OpenVPN 2.3.7-I602-x86_64.exe download 404 Error

2015-07-01 Thread Jan Just Keijser
On 01/07/15 16:41, Gert Doering wrote: Hi, On Wed, Jul 01, 2015 at 03:05:44PM +0100, debbie...@gmail.com wrote: Resolving swupdate.openvpn.org (swupdate.openvpn.org)... 104.28.1.12, 104.28.0.12 Connecting to swupdate.openvpn.org (swupdate.openvpn.org)|104.28.1.12|:443... connected. Something

[Openvpn-devel] verify-client-cert patch

2015-06-29 Thread Jan Just Keijser
From: Jan Just Keijser <janj...@nikhef.nl> List-Post: openvpn-devel@lists.sourceforge.net Date: Mon, 29 Jun 2015 10:48:12 +0200 Subject: [PATCH] Author: Jan Just Keijser <janj...@nikhef.nl> Add extended client certificate verification support. Replace --client-cert-not-required

[Openvpn-devel] minor man page issue

2015-06-29 Thread Jan Just Keijser
hi all, whilst working on the --verify-client-cert patch I just noticed this in the man page: --compat-names [no-remapping] (DEPRECATED) [] Please note: This option is immediately deprecated. It is only implemented to make the transition to the new

Re: [Openvpn-devel] Windows build fix for CVE-2015-4000

2015-06-26 Thread Jan Just Keijser
On 26/06/15 13:28, Gert Doering wrote: Hi, On Fri, Jun 26, 2015 at 12:16:43PM +0200, David Sommerseth wrote: * Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789) This might be an issue on OpenVPN on the server side. However, --tls-auth will reduce the attack vector to one of your

Re: [Openvpn-devel] Windows build fix for CVE-2015-4000

2015-06-25 Thread Jan Just Keijser
Joseph S. Testa II wrote: Hi all, I was wondering if an updated Windows build is being planned for release soon to fix CVE-2015-4000, et. al, as described in http://www.openssl.org/news/secadv_20150611.txt. I haven't seen anyone talk about this on the mailing list since the

Re: [Openvpn-devel] about client-cert-not-required

2015-06-22 Thread Jan Just Keijser
Hi, On 22/06/15 23:20, Jason Haar wrote: On 23/06/15 03:50, Jan Just Keijser wrote: 1) do we think it's valuable to add something like this (currently NO cert checks are done when 'client-cert-not-required' is used) ? sounds like what you really want is for this to be renamed "--verify-c

[Openvpn-devel] about client-cert-not-required

2015-06-22 Thread Jan Just Keijser
hi all, just found out that when you use 'client-cert-not-required' that the client certificate is not checked at all, even if one is presented. I'm not sure if that's by design but I think it would be handy to check the client certificate if presented by the client. This allows an admin to
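The behaviour JJK raises here, and the --verify-client-cert option that his patch (and the PolarSSL follow-up further up this page) introduces in its place, come down to one server-side setting. The following server configuration fragment is an added example, not taken from the project; the script path is an assumption.

```conf
# Before: no client certificate required, and if the client does present one
# it is not checked at all (the issue reported in this thread).
client-cert-not-required
auth-user-pass-verify /etc/openvpn/check-pw.sh via-env

# After (OpenVPN 2.4 and later): a certificate is still optional, but one
# that is presented must validate against --ca (and --crl-verify if set)
# exactly like a required one; "none" reproduces the old behaviour,
# "require" is the default.
verify-client-cert optional
auth-user-pass-verify /etc/openvpn/check-pw.sh via-env
```

With "optional", a client that sends a revoked or foreign certificate is rejected even though it could have connected with no certificate at all, which is what makes the setting usable as a second factor next to username/password rather than a mere no-op.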

Re: [Openvpn-devel] why is "route add failure" considered not an error?

2015-06-19 Thread Jan Just Keijser
Yo Gert, On 17/06/15 12:07, Gert Doering wrote: Hi, OpenVPN history confuses me :-) - right now, I am wondering about the following: - if we call ifconfig to set up the tun device, and that fails, we consider it a hard error (openvpn_exec_check(..., S_FATAL, ...) and terminate -

Re: [Openvpn-devel] How to create openvpn channel between multiple interface linux machines.

2015-06-02 Thread Jan Just Keijser
Arun Kumar wrote: Hi, I have two ubuntu machine say host1 and host2. Each have two interfaces say eth0 and eth1. I want to create seperate openvpn channels between the interfaces of two hosts. i tried openvpn and create secure key. and add eth0 and eth1 in config file, but only one vpn channel

Re: [Openvpn-devel] [PATCH] Clarify --capath option in manpage

2015-05-26 Thread Jan Just Keijser
Hi Stefan, On 24/05/15 22:47, Steffan Karger wrote: Hi Jan Just, On 24-05-15 22:14, Jan Just Keijser wrote: On 24/05/15 11:45, Steffan Karger wrote: Prevent confusion as described in trac #422 by better explaining the behaviour of --capath, and providing pointers to relevant openssl man

Re: [Openvpn-devel] [PATCH] Clarify --capath option in manpage

2015-05-24 Thread Jan Just Keijser
Hi, On 24/05/15 11:45, Steffan Karger wrote: Prevent confusion as described in trac #422 by better explaining the behaviour of --capath, and providing pointers to relevant openssl man pages. Attached are patches for the master and release/2.3 branches. The only difference is that in the

Re: [Openvpn-devel] [PATCH] Document differences between --up-restart and --up in openvpn.8

2015-05-22 Thread Jan Just Keijser
On 22/05/15 20:36, Gert Doering wrote: See trac #93 and the discussion starting with <555bf270.3090...@nikhef.nl> on the openvpn-devel mailing list. Signed-off-by: Gert Doering --- doc/openvpn.8 | 6 ++ 1 file changed, 6 insertions(+) diff --git a/doc/openvpn.8

Re: [Openvpn-devel] patch for bug #93: up-restart env vars

2015-05-22 Thread Jan Just Keijser
Gert Doering wrote: Hi, On Fri, May 22, 2015 at 12:01:24AM +0200, Jan Just Keijser wrote: I'm not sure what the best path forward is, TBH... --up-restart *is* different from --up in several ways: - runs as the user+group that is specified in the config file - the 'tun' device

Re: [Openvpn-devel] patch for bug #93: up-restart env vars

2015-05-21 Thread Jan Just Keijser
Hi, On 21/05/15 20:31, Gert Doering wrote: On Thu, May 21, 2015 at 08:20:39PM +0200, Jan Just Keijser wrote: On 21/05/15 20:14, Gert Doering wrote: On Wed, May 20, 2015 at 04:33:20AM +0200, Jan Just Keijser wrote: here's my patch for bug #93: missing ifconfig_* env vars after up-restart

Re: [Openvpn-devel] patch for bug #93: up-restart env vars

2015-05-21 Thread Jan Just Keijser
Hi Gert, On 21/05/15 20:14, Gert Doering wrote: Hi, On Wed, May 20, 2015 at 04:33:20AM +0200, Jan Just Keijser wrote: here's my patch for bug #93: missing ifconfig_* env vars after up-restart. Tested with both IPv4, IPv6, topology subnet and topology net30 Reading through #93, I'm wondering

[Openvpn-devel] patch for bug #93: up-restart env vars

2015-05-20 Thread Jan Just Keijser
hi all, here's my patch for bug #93: missing ifconfig_* env vars after up-restart. Tested with both IPv4, IPv6, topology subnet and topology net30 cheers, JJK diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 42cb3e2..a4b5e05 100644 --- a/src/openvpn/init.c +++

Re: [Openvpn-devel] statistics file format not respected in point-to-point?

2015-02-20 Thread Jan Just Keijser
Hi, On 19/02/15 21:52, Reinoud Koornstra wrote: Hi Everyone, I have a side to side (point to point) configuration. Meaning no client or server involved. It comes up fine. I did set this as well in the config file: status /tmp/openvpn_hello_status.log 5 status-version 3 When i look at the

Re: [Openvpn-devel] New OpenVPN Windows installers (I004 and I604) released

2014-10-21 Thread Jan Just Keijser
Hi, Gert Doering wrote: Hi, On Tue, Oct 21, 2014 at 10:53:52AM +0200, Jan Just Keijser wrote: Running the gui with elevated privileges fixes this issue. Shouldn't the installer have created this registry key? The GUI need to run with elevated privileges anyway, because otherwise

Re: [Openvpn-devel] New OpenVPN Windows installers (I004 and I604) released

2014-10-21 Thread Jan Just Keijser
Hi Samuli, Samuli Seppänen wrote: New Windows installers with OpenSSL 1.0.1j have been released: Two of the issues fixed in OpenSSL may impact OpenVPN. More details here:

Re: [Openvpn-devel] Any Windows-based OpenVPN servers available for fixing bug #432?

2014-09-29 Thread Jan Just Keijser
Hi Samuli, Samuli Seppänen wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, Does someone have a spare (=non-production) Windows-based OpenVPN server (e.g. on EC2) which could be used to debug and fix #432? I can set up a (semi

Re: [Openvpn-devel] [Openvpn-users] OpenVPN and Multi-Core processor

2014-08-07 Thread Jan Just Keijser
On 07/08/14 16:15, Les Mikesell wrote: On Thu, Aug 7, 2014 at 4:56 AM, David Sommerseth wrote: However, that is most likely less intrusive and complex than to basically needing to re-write the event handler which schedules that each client gets their "time slice"

Re: [Openvpn-devel] Openvpn 2.3.2: "Could not create temporary file" ....Too many open files

2014-07-23 Thread Jan Just Keijser
Hi, On 23/07/14 08:19, arno.oderm...@ch.schindler.com wrote: Dear both, thank you for your reply. Yes, we are using the "--client-connect" and according to 2.3 OpenVPN manual (see section below) it does create files by writing to "file named by $1." Gert, we are sure, there was not a

Re: [Openvpn-devel] [PATCH] Add topology in sample server configuration file

2014-07-12 Thread Jan Just Keijser
Hi, On 11/07/14 20:35, Steffan Karger wrote: Hi, On 11-07-14 20:17, Jan Just Keijser wrote: on CentOS 5 I get checking for SSL_OP_NO_TICKET flag in OpenSSL... no configure: error: OpenVPN 2.4+ requires SSL_OP_NO_TICKET in OpenSSL which is logical as the "stock" openssl lib o

Re: [Openvpn-devel] [PATCH] Add topology in sample server configuration file

2014-07-11 Thread Jan Just Keijser
Hi, On 11/07/14 20:07, Gert Doering wrote: Hi, On Fri, Jul 11, 2014 at 04:50:38PM +0200, Jan Just Keijser wrote: the master branch (from openvpn-testing) currently does not build on either CentOS 5 and 6. Install snappy(-dev) or run configure with --disable-snappy :-) - besides

Re: [Openvpn-devel] [PATCH] Add topology in sample server configuration file

2014-07-11 Thread Jan Just Keijser
Hi, Gert Doering wrote: On Fri, Jul 11, 2014 at 10:51:54AM +0200, Jan Just Keijser wrote: On 11/07/14 10:00, Philipp Hagemeister wrote: On modern systems, topology subnet should always be set, but it's missing in the configuration file. Add it with a short explanation. NACK

Re: [Openvpn-devel] [PATCH] Add topology in sample server configuration file

2014-07-11 Thread Jan Just Keijser
Arne Schwabe wrote: Fri Jul 11 11:31:28 2014 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options Fri Jul 11 11:31:28 2014 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.4.0 Fri

Re: [Openvpn-devel] [PATCH] Add topology in sample server configuration file

2014-07-11 Thread Jan Just Keijser
Hi Arne, Arne Schwabe wrote: Am 11.07.14 10:51, schrieb Jan Just Keijser: On 11/07/14 10:00, Philipp Hagemeister wrote: On modern systems, topology subnet should always be set, but it's missing in the configuration file. Add it with a short explanation. NACK There are a few annoying

Re: [Openvpn-devel] [PATCH] Add topology in sample server configuration file

2014-07-11 Thread Jan Just Keijser
On 11/07/14 10:00, Philipp Hagemeister wrote: On modern systems, topology subnet should always be set, but it's missing in the configuration file. Add it with a short explanation. NACK There are a few annoying issues with topology subnet esp when using server side things like route that

Re: [Openvpn-devel] Questionable restriction in --x509-username-field

2014-05-08 Thread Jan Just Keijser
Hi Andris, Kalnozols, Andris wrote: On 5/7/2014 10:06 PM, Jan Just Keijser wrote: On 08/05/14 03:32, Andris Kalnozols wrote: The X.509 user certificates in our organization have Subject fields that appear as in the following example: Subject: O=Hewlett-Packard Company, OU=WEB

Re: [Openvpn-devel] Questionable restriction in --x509-username-field

2014-05-08 Thread Jan Just Keijser
Hi Andris, On 08/05/14 03:32, Andris Kalnozols wrote: The X.509 user certificates in our organization have Subject fields that appear as in the following example: Subject: O=Hewlett-Packard Company, OU=WEB, CN=GivenName Surname/emailAddress=u...@hp.com Since the Common Name (CN)

Re: [Openvpn-devel] Fixes for HTTP proxy authentication with NTLM

2014-04-19 Thread Jan Just Keijser
Hi, On 18/04/14 23:05, Gert Doering wrote: Hi, On Wed, Apr 16, 2014 at 12:48:35PM +0200, Holger Kummert wrote: Any opinions? Any easy way to test this, without having a Windows domain around? (I already run a number of test cases from my t_client test sets using socks proxy, http proxy,

Re: [Openvpn-devel] [PATCH 0/3] Support non-root operation using ocproxy

2014-04-14 Thread Jan Just Keijser
Hi Kevin Cernekee wrote: On Sun, Apr 13, 2014 at 8:19 AM, Arne Schwabe wrote: You could look at the TARGET_ANDROID. That uses the management interface and fds over unix socket to achieve something similar. Do you think it would be feasible to enable TARGET_ANDROID

Re: [Openvpn-devel] RFD: ssl library version numbers

2014-04-14 Thread Jan Just Keijser
Hi Gert, Gert Doering wrote: Hi, OpenVPN does not currently report the version of the SSL library it is using - which I'm not sure whether it's by design or just because nobody ever added it. Anyway, right now I think we need it, to help future cases. There are a few questions that go along

Re: [Openvpn-devel] Heartbleed

2014-04-10 Thread Jan Just Keijser
On 09/04/14 12:34, Eike Lohmann wrote: Am 09.04.2014 10:45, schrieb Gert Doering: This is not trivial to set up, and might not be worth for every client out there - but if you're truly concerned about your data, upgrade the client, revoke the old key+certificate, reissue new keys. How does

Re: [Openvpn-devel] [PATCH] Fix man page and OSCP script: tls_serial_{n} is decimal

2014-03-31 Thread Jan Just Keijser
On 30/03/14 15:46, Gert Doering wrote: Hi, On Sun, Mar 30, 2014 at 12:48:37AM +0100, Steffan Karger wrote: 3 - Change OpenSSL builds to use hex representation I tend toward this one - user visible behaviour shouldn't change (unless unavoidable) depending on SSL library used. So for me this

Re: [Openvpn-devel] [PATCH] Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.

2014-03-18 Thread Jan Just Keijser
Hi David, On 18/03/14 14:12, David Sommerseth wrote: On 18/03/14 10:51, Jan Just Keijser wrote: On 18/03/14 10:39, Steffan Karger wrote: Hi, On 17/03/2014 23:23, James Yonan wrote: On 17/03/2014 14:29, Gert Doering wrote: Right now, if I read configure.ac correct, we require 0.9.6

Re: [Openvpn-devel] [PATCH] Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.

2014-03-18 Thread Jan Just Keijser
On 18/03/14 10:39, Steffan Karger wrote: Hi, On 17/03/2014 23:23, James Yonan wrote: On 17/03/2014 14:29, Gert Doering wrote: Right now, if I read configure.ac correct, we require 0.9.6 or later (and check this only if pkg-config is available) - but obviously, SSL_OP_NO_TICKET was added

Re: [Openvpn-devel] [Patch] ECDH support

2014-03-04 Thread Jan Just Keijser
On 04/03/14 23:48, Steffan Karger wrote: Hi, On Tue, Mar 4, 2014 at 10:49 PM, pietrek -- wrote: [...] I think we could add option "--dh none" or "--no-dh". It may be specified, if user knows what he's doing. I like that idea.

Re: [Openvpn-devel] [Patch] ECDH support

2014-02-25 Thread Jan Just Keijser
Hi Steffan, On 25/02/14 09:48, Steffan Karger wrote: Hi, On Tue, Feb 25, 2014 at 9:22 AM, Gert Doering wrote: > Although there is apparently more work to do to get more cipher suites > working, this does give us a start on

Re: [Openvpn-devel] [Openvpn-users] why doesn't openvpn negotiate settings?

2013-08-06 Thread Jan Just Keijser
Hi David, nice answer, David, and thanks for promoting the book ;) Your basic points are correct, of course: - networking is hard - security is hard Configuring openvpn can be daunting at first, but it is not nearly as bad as configuring PPTP, or - GASP! - IPSec+L2TP. Documentation can help

Re: [Openvpn-devel] [Openvpn-users] why doesn't openvpn negotiate settings?

2013-08-01 Thread Jan Just Keijser
Hi Gert, Gert Doering wrote: Hi, On Thu, Aug 01, 2013 at 12:02:55PM +0200, Jan Just Keijser wrote: It should be possible to add negotiation without completely breaking backwards compatibility; right now, when a server pushes an option to the client that is unrecognized the client

Re: [Openvpn-devel] [PATCH] Only print script warnings when a script is used. Remove stray mention of script-security system.

2013-05-30 Thread Jan Just Keijser
ACK! Arne Schwabe wrote: --- src/openvpn/common.h |2 +- src/openvpn/init.c | 19 +-- 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/src/openvpn/common.h b/src/openvpn/common.h index dd2c83f..2f85bec 100644 --- a/src/openvpn/common.h +++

[Openvpn-devel] [PATCH] make "explicit-exit-notify" pullable again

2013-05-24 Thread Jan Just Keijser
can I revert to previous behavior? That is, indeed, a good question. "git blame" points to... commit 76809cae0eae07817160b423d3f9551df1a1d68e Author: Jan Just Keijser <janj...@nikhef.nl> Date: Tue Feb 7 16:29:47 2012 +0100 Made some options connection-entry specific
