[Openvpn-devel] route-up and iproute plugins

2011-04-15 Thread Mr Dash Four
Is there a plugin allowing me to run "route-up" and "iproute" 
(replacement) scripts taking advantage of the split privilege execution?


I know there is down-root which allows a "down" script to be executed in 
this fashion, but I am not sure I could find a similar one for the above 
two scripts.


The reason I am asking this is two-fold: currently I have to install the 
sudo package, configure it and include sudo commands in the above 2 
scripts in order to avoid route/ip commands being executed in 
unprivileged environment. While this works well, I'd much rather have 
everything better organised (and more secure) within OpenVPN.


I've had a (very) quick look at down-root.c and openvpn-plugin.h files 
and it seems possible to use those as a template to write 2 additional 
plugins dealing with those two scripts, though I do not wish to reinvent 
the wheel if they are already in existence or if there is an easier way 
of doing this (if at all possible).


Many thanks in advance!



Re: [Openvpn-devel] First test build of OpenVPN 2.2 for Windows is now available

2011-04-15 Thread Samuli Seppänen
Hi,

Here's the next version of the installer:



This version fixes this issue:



-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


> Hi everyone,
>
> The first test build of OpenVPN 2.2 for Windows is available here:
>
> 
>
> Any help in testing it prior to the final release - hopefully 22nd April
> - is much appreciated! Changes to 2.2-RC2 include:
>
> ---
>
> 2011.04.xx -- Version 2.2
> David Sommerseth (2):
>   Fix the --client-cert-not-required feature
>   Change the default --tmp-dir path to a more suitable path
>
> Gert Doering (1):
>   Add more detailed explanation regarding the function of 
> "--rdns-internal"
>
> Gisle Vanem (1):
>   Avoid re-defining uint32_t when using mingw compiler
>
> James Yonan (1):
>   Fixed bug in port-share that could cause port share process to crash
>
> Samuli Seppänen (5):
>   Add man page entry for --redirect-private
>   Change all CRLF linefeeds to LF linefeeds
>   Fix a bug in devcon source code handling
>   Removed Win2k from supported platforms list in INSTALL and 
> win/openvpn.nsi
>   Fixed copying of tapinstall.exe to dist/bin when using prebuilt 
> TAP-drivers
>
> chantra (1):
>   Clarify --tmp-dir option
>
> rf (2):
>   Update man page with info about --remote-random-hostname
>   Added man page entry for --management-client
>
> ---
>
> The final 2.2 installer may include a few minor additional changes.
>
>   




Re: [Openvpn-devel] [PATCHv2] Fixed a bug with GUI icon deletion on upgrade from 2.2-RC or earlier

2011-04-15 Thread David Sommerseth

On 15/04/11 15:25, Samuli Seppänen wrote:
> This bug was introduced in commit 110e42d199e735ab1a31388c5678f59d0fa9510c.
> 
> Trac-ticket: 120
> Signed-off-by: Samuli Seppänen 

ACK.  Applied to master and beta2.2

commit 1cc2b62d97d651ce9b05466928faba3b463838b7
Author: Samuli Seppänen 
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Fri Apr 15 16:25:17 2011 +0300

Fixed a bug with GUI icon deletion on upgrade from 2.2-RC or earlier

This bug was introduced in commit 110e42d199e735ab1a31388c5678f59d0fa9

Trac-ticket: 120
Signed-off-by: Samuli Seppänen 
Acked-by: David Sommerseth 
Signed-off-by: David Sommerseth 
(cherry picked from commit 6d1d08f6792109a4a4cdd9cd0936fd4338c76fa1)


kind regards,

David Sommerseth



[Openvpn-devel] [PATCHv2] Fixed a bug with GUI icon deletion on upgrade from 2.2-RC or earlier

2011-04-15 Thread Samuli Seppänen
This bug was introduced in commit 110e42d199e735ab1a31388c5678f59d0fa9510c.

Trac-ticket: 120
Signed-off-by: Samuli Seppänen 
---
 win/openvpn.nsi |6 ++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/win/openvpn.nsi b/win/openvpn.nsi
index bad1ef4..d3f80d0 100755
--- a/win/openvpn.nsi
+++ b/win/openvpn.nsi
@@ -237,6 +237,12 @@ Section -pre
 
   Sleep 3000
 
+  # Fix for Trac ticket 120. Remove after 2.3 has been released.
+  !ifdef USE_GUI
+SetShellVarContext current
+Delete "$DESKTOP\${PRODUCT_NAME} GUI.lnk"
+  !endif
+
 SectionEnd
 
 Section "${PRODUCT_NAME} User-Space Components" SecOpenVPNUserSpace
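Review bot: `SetShellVarContext current` inside the `!ifdef USE_GUI` block is not restored before `SectionEnd`, and the setting stays in effect for the sections that follow, so any later code that expects the all-users context has to set it again explicitly. With the `current` context the `Delete` only removes the shortcut from the desktop of the user running the upgrade; if an earlier installer could have created the shortcut under the all-users context, a second `Delete` after `SetShellVarContext all` would be needed to cover it.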
-- 
1.6.3.3




[Openvpn-devel] OpenVPN Windows build dependency package now available

2011-04-15 Thread Samuli Seppänen
Hi all,

Most of OpenVPN 2.2's build and packaging dependencies for Windows are
now available in one convenient package:



See the included README.TXT file for details. Build instructions are
available here:



-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-devel] [PATCH] Fixed a bug with GUI icon not being deleted on upgrade from 2.2-RC or earlier

2011-04-15 Thread Samuli Seppänen
This bug was introduced in commit 110e42d199e735ab1a31388c5678f59d0fa9510c.

Trac-ticket: 120
Signed-off-by: Samuli Seppänen 
---
 win/openvpn.nsi |7 +++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/win/openvpn.nsi b/win/openvpn.nsi
index bad1ef4..148dafc 100755
--- a/win/openvpn.nsi
+++ b/win/openvpn.nsi
@@ -237,6 +237,13 @@ Section -pre
 
   Sleep 3000
 
+  # Fix for Trac ticket 120. Remove after 2.3 has been released.
+  !ifdef USE_GUI
+SetShellVarContext current
+Delete "$INSTDIR\bin\${OPENVPN_GUI}"
+Delete "$DESKTOP\${PRODUCT_NAME} GUI.lnk"
+  !endif
+
 SectionEnd
 
 Section "${PRODUCT_NAME} User-Space Components" SecOpenVPNUserSpace
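Review bot: `Delete "$INSTDIR\bin\${OPENVPN_GUI}"` removes the GUI executable, which neither the subject nor the commit message (both about the GUI icon) explains; either state why the binary has to be deleted in `Section -pre` or drop the line and keep only the `$DESKTOP` shortcut removal. `Delete` without `/REBOOTOK` only sets the error flag when the file is in use, and nothing in the hunk checks that flag, so a running GUI would leave the old binary in place silently.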
-- 
1.6.3.3




Re: [Openvpn-devel] Summary of the IRC meeting (14th Apr 2011)

2011-04-15 Thread Carsten Krüger
Hello Samuli,

> release: this avoids having to sign the TAP-drivers again due to such a
> trivial change.

Release signing is trivial, too.
No need to circumvent it, it's easy to automate.

How to Release-Sign File System Drivers
http://msdn.microsoft.com/en-us/windows/hardware/gg487543.aspx

greetings
Carsten




[Openvpn-devel] Summary of the IRC meeting (14th Apr 2011)

2011-04-15 Thread Samuli Seppänen
Hi,

Here's the summary of the previous community meeting.

---

COMMUNITY MEETING

Place: #openvpn-devel on irc.freenode.net
Date: Thursday, 14th Apr 2011
Time: 18:00 UTC

Planned meeting topics for this meeting were on this page:



Next meeting will be announced in advance, but will be on the same
weekday and at the same time. Your local meeting time is easy to check
from services such as



or with

$ date -u


SUMMARY

cron2, dazo, krzee and mattock were present in this meeting.

--

Discussed the status of VLAN tagging patchset (in the feat_vlan_tagging
branch). Lack of test reports has prevented it from being merged into
the main development branches.

--

Discussed value of PRODUCT_TAP_RELDATE in win/settings.in. Agreed that
when it's changed, it should be set to 24th March 2011, when
PRODUCT_TAP_WIN32_MIN_MINOR (in version.m4) was fixed. Also agreed that
it's probably best not to update PRODUCT_TAP_RELDATE until after 2.2
release: this avoids having to sign the TAP-drivers again due to such a
trivial change.

--

Discussed lack of anchors in the FAQ:



For example, this is broken:



Mattock will take a look at these.

--

Discussed the "Removed Win2k from supported platforms list in INSTALL
and win/openvpn.nsi" patch:



Dazo gave this patch an ACK with a minor change.

Decided to list supported Windows versions for every release on the
downloads page and to add last Win2k-compliant version (2.1.3) to the
download listing.

--

Discussed the "Fixed copying of tapinstall.exe to dist/bin when using
prebuilt TAP-drivers" patch:



Dazo gave this patch an ACK.

--

Discussed the "Fix a bug in devcon source code handling" patch:



Dazo gave this patch an ACK.

--

Discussed the "Change the default --tmp-dir path to a more suitable
path" patch:



Cron2 gave this patch an ACK after minor modifications.

---

Full chatlog as an attachment

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

(21:06:35) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2011-04-14
(21:06:37) vpnHelper: Title: Topics-2011-04-14 – OpenVPN Community (at 
community.openvpn.net)
(21:06:38) mattock: topic list ^^^
(21:06:51) mattock: is there anything to add to the agenda?
(21:07:23) dazo: --tmp-dir patch
(21:07:37) mattock: can you give a link to the latest version?
(21:08:17) dazo: http://thread.gmane.org/gmane.network.openvpn.devel/4593
(21:08:19) vpnHelper: Title: Gmane Loom (at thread.gmane.org)
(21:09:25) mattock: dazo: is that a standalone patch that applies on top of 
latest beta2.2 branch?
(21:10:09) mattock: or does it depend on earlier --tmp-dir patches not yet in 
Git?
(21:10:12) dazo: that's a standalone patch, on top of latest beta2.2/master
(21:10:31) dazo: I merged all into one, as it began to be quite unclear
(21:10:46) mattock: ok
(21:10:58) mattock: cron2: are you there?
(21:11:27) mattock: or somebody else who knows the correct value for TAP_RELDATE
(21:12:10) mattock: I think we could take care of this while waiting for James: 
http://thread.gmane.org/gmane.network.openvpn.devel/4596
(21:12:12) vpnHelper: Title: Gmane Loom (at thread.gmane.org)
(21:13:53) dazo: If nobody says anything about the TAP_RELDATE, I suggest 
setting it to 2011-03-24, as that's the date when we modified the 
PRODUCT_TAP_WIN32_MIN_MINOR version
(21:15:20) mattock: good idea
(21:16:17) dazo: I can do that when we tag the final release version
(21:17:10) krzee: whats the status of that vlan tagging patch?
(21:17:14) dazo: that's not a change which is critical for review on the ML
(21:17:15) krzee: (out of curiosity)
(21:17:18) mattock: this brings in another point... if we change TAP_RELDATE, 
the TAP-drivers have to be signed again
(21:17:20) dazo: krzee: nothing has happened there at all
(21:17:29) krzee: ok, thats what i thought
(21:17:31) dazo: mattock: that's correct
(21:18:09) krzee: dazo, does it need testing or it needs re-writing?
(21:18:11) mattock: I would prefer not changing TAP_RELDATE until after 2.2 
because of that
(21:18:43) dazo: krzee: if there comes up some real testing  we're ready to 
include it ... however, this depends on the pass-tos feature as well, I think 
this was the culprit 
(21:18:59) dazo: mattock: is that signing something james needs to do?
(21:19:06) mattock: at the moment yes
(21:19:21) mattock: he was ok with me doing it in the future, but the switch 
might take some time
(21:20:14) dazo: okay ... well, it's kind of dirty ... however the date field 
it's not, to my 

[Openvpn-devel] First test build of OpenVPN 2.2 for Windows is now available

2011-04-15 Thread Samuli Seppänen
Hi everyone,

The first test build of OpenVPN 2.2 for Windows is available here:



Any help in testing it prior to the final release - hopefully 22nd April
- is much appreciated! Changes to 2.2-RC2 include:

---

2011.04.xx -- Version 2.2
David Sommerseth (2):
  Fix the --client-cert-not-required feature
  Change the default --tmp-dir path to a more suitable path

Gert Doering (1):
  Add more detailed explanation regarding the function of "--rdns-internal"

Gisle Vanem (1):
  Avoid re-defining uint32_t when using mingw compiler

James Yonan (1):
  Fixed bug in port-share that could cause port share process to crash

Samuli Seppänen (5):
  Add man page entry for --redirect-private
  Change all CRLF linefeeds to LF linefeeds
  Fix a bug in devcon source code handling
  Removed Win2k from supported platforms list in INSTALL and win/openvpn.nsi
  Fixed copying of tapinstall.exe to dist/bin when using prebuilt 
TAP-drivers

chantra (1):
  Clarify --tmp-dir option

rf (2):
  Update man page with info about --remote-random-hostname
  Added man page entry for --management-client

---

The final 2.2 installer may include a few minor additional changes.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




Re: [Openvpn-devel] [PATCH v2] Change the default --tmp-dir path to a more suitable path

2011-04-15 Thread David Sommerseth

On 14/04/11 16:29, David Sommerseth wrote:
> After all the discussions regarding the --tmp-dir patch [1], I have now
> condensed everything into one single patch.  The main change is that
> the new win_get_tempdir() function is simplified by using GetTempPath()
> instead.
> 
> On Windows the fallback solution, if GetTempPath() returns NULL, is now to
> behave as before - write temporary files in the directory where OpenVPN was
> started.
> 
> 
> [1] 
> 
> 
> David Sommerseth (1):
>   Change the default --tmp-dir path to a more suitable path
> 
>  options.c |   18 ++
>  win32.c   |   19 +++
>  win32.h   |3 +++
>  3 files changed, 36 insertions(+), 4 deletions(-)

Applied to master and beta2.2.

commit eb4b1bb6adc7fb1828839967a7807b6317305145 (beta2.2)
commit eb4b1bb6adc7fb1828839967a7807b6317305145 (master)
Author: David Sommerseth 
Date:   Thu Apr 14 16:21:16 2011 +0200

Signed-off-by: David Sommerseth 
Tested-by: Jan Just Keijser 
Acked-by: Gert Doering 


Kind regards,

David Sommerseth



Re: [Openvpn-devel] [PATCH] Fix a bug in devcon source code handling

2011-04-15 Thread David Sommerseth

On 14/04/11 16:40, Samuli Seppänen wrote:
> The win/config_ti.py build script assumes to find 
> ../tapinstall/7600/sources.in
> which does not exist in devcon.exe source code directory. This makes
> config_ti.py look for ../tapinstall/7600/sources instead.
> ---
>  win/config_ti.py |2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 

ACK.  Applied to master and beta2.2.

commit 6f0ded58250d4b4fef9cfdd314165d88d8f8f80e (beta2.2)
commit a18752d4febdaa91f87efcc487ac865d6587c527 (master)
Author: Samuli Seppänen 
Date:   Thu Apr 14 17:40:33 2011 +0300

Fix a bug in devcon source code handling

The win/config_ti.py build script assumes to find ../tapinstall/7600/sources.in
which does not exist in devcon.exe source code directory. This makes
config_ti.py look for ../tapinstall/7600/sources instead.

Signed-off-by: Samuli Seppänen 
Acked-by: David Sommerseth 
Signed-off-by: David Sommerseth 


kind regards,

David Sommerseth



Re: [Openvpn-devel] [PATCH] Removed Win2k from supported platforms list in INSTALL and win/openvpn.nsi

2011-04-15 Thread David Sommerseth


ACK.  Applied to master and beta2.2.


commit 8cf7903c31d76ea905b7fd5d9257f116f424fe9e (beta2.2)
commit 9b8247edf3e58893eb3ecc38dbfb2805ff1bb83d
Author: Samuli Seppänen 
Date:   Thu Apr 14 17:41:23 2011 +0300

Removed Win2k from supported platforms list in INSTALL and
win/openvpn.nsi

Signed-off-by: Samuli Seppänen 
Acked-by: David Sommerseth 
Signed-off-by: David Sommerseth 


Kind regards,

David Sommerseth



Re: [Openvpn-devel] [PATCH] Fixed copying of tapinstall.exe to dist/bin when using prebuilt TAP-drivers

2011-04-15 Thread David Sommerseth

On 14/04/11 16:43, Samuli Seppänen wrote:
> Signed-off-by: Samuli Seppänen 
> ---
>  win/make_dist.py |2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)

ACK.  Applied to master and beta2.2

commit f71233577e573c5d1dc0cd711b7b78867a7853be (beta2.2)
commit 343037a99708bd7785de10cc5be37a150609bd01 (master)
Author: Samuli Seppänen 
Date:   Thu Apr 14 17:43:40 2011 +0300

Fixed copying of tapinstall.exe to dist/bin when using prebuilt
TAP-drivers

Signed-off-by: Samuli Seppänen 
Acked-by: David Sommerseth 
Signed-off-by: David Sommerseth 


Kind regards,

David Sommerseth



Re: [Openvpn-devel] [PATCH v2] Change the default --tmp-dir path to a more suitable path

2011-04-15 Thread David Sommerseth

On 14/04/11 23:52, Peter Stuge wrote:
> David Sommerseth wrote:
>> In commit 4e1cc5f6dda22e9 the create_temp_filename() function was
>> reviewed and hardened, which in the end renamed this function to
>> create_temp_file() in commit 495e3cec5d156.
>>
>> With these changes it became more evident that OpenVPN needs a directory
>> where it can create temporary files.  The create_temp_file() will create
>> such files f.ex. if --client-connect or --plugin which makes use of
>> the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook, such as openvpn-auth-pam.so.
>>
>> When this happens, OpenVPN will normally create these files in the directory
>> OpenVPN was started.  In many cases, this will fail due to restricted access.
>> By using --tmp-dir and pointing it to a directory writeable to the user
>> running OpenVPN, it works again.
>>
>> This patch makes OpenVPN use a more suitable temporary directory by default,
>> instead of the current working directory.  On non-Windows platforms this
>> default value is set to '/tmp', but can be modified at compile-time by
>> running ./configure --with-tmp-dir-path=.  On Windows, it
>> will use GetTempPath() to find temporary paths recommended by the OS.  If
>> this fails, it will fallback to the old behaviour, using the directory
>> where OpenVPN was started.
>>
>> In any case, this default value can be overridden in the configuration
>> file by using the --tmp-dir option, as before.
>>
>> To check what the default is at runtime, you can see this easily by doing
>> this:
>>
>>   $ ./openvpn --verb 4 --dev tun | grep tmp_dir
>>
>> Signed-off-by: David Sommerseth 
>> Tested-by: Jan Just Keijser 
> 
> The above commit message doesn't really fit the patch anymore. :)

Gah ... yeah, I see now that the compile-time stuff should be removed as
well.  That slipped through.  I'll push a git note to that commit.  The
patch is already applied, I'd rather avoid redoing the history.

>> diff --git a/options.c b/options.c
>> index 36e8393..7303cb4 100644
>> --- a/options.c
>> +++ b/options.c
>> @@ -766,11 +766,23 @@ init_options (struct options *o, const bool init_gc)
>>  #ifdef ENABLE_X509ALTUSERNAME
>>o->x509_username_field = X509_USERNAME_FIELD_DEFAULT;
>>  #endif
>> -#endif
>> -#endif
>> +#endif /* USE_SSL */
>> +#endif /* USE_CRYPTO */
>>  #ifdef ENABLE_PKCS11
>>o->pkcs11_pin_cache_period = -1;
>>  #endif  /* ENABLE_PKCS11 */
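Review bot: the two `#endif` comment additions in this hunk are unrelated to the --tmp-dir change and the commit log does not mention them; a line in the log, or a separate cosmetic commit, would keep the history easier to search. The new comments also use one space after `#endif` (`#endif /* USE_SSL */`) while the existing `#endif  /* ENABLE_PKCS11 */` just below uses two, so match the surrounding style.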
> 
> The above hunk is not really related, right? Looks fine otherwise!

I left that part on purpose, as it is completely harmless, code-wise.  I
had to step carefully in the #ifdef nesting when adding my changes.  So I
figured adding helpful comments in the same region where the code is
modified is beneficial after all.  I could have mentioned it in the commit
log though.

Gert already commented on it on irc to me before giving it an ACK, so it's
been spotted already and we let it pass.


kind regards,

David Sommerseth
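The directory order from the quoted commit message (explicit --tmp-dir, then the platform default, then the start directory), combined with exclusive file creation, which matters once the default is a shared directory such as /tmp. This is an added example for POSIX systems, not OpenVPN's code: `resolve_tmp_dir`, `open_exclusive` and `create_temp_file_demo` are hypothetical names, and the `O_CREAT|O_EXCL` technique is an assumption, since the thread does not show how create_temp_file() was hardened.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Directory choice in the order the commit message gives: an explicit
 * --tmp-dir value wins, then the platform default ("/tmp", or whatever
 * GetTempPath() returned), and only if that lookup failed (NULL) the
 * current working directory. */
const char *resolve_tmp_dir(const char *configured, const char *platform_default)
{
    if (configured && *configured)
        return configured;
    if (platform_default && *platform_default)
        return platform_default;
    return ".";
}

/* O_CREAT|O_EXCL makes creation atomic: open() fails with EEXIST if the
 * name already exists, including when it is a symlink (dangling or not),
 * so a name planted in a shared directory is never opened or followed. */
int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
}

/* Fill buf with n bytes from the kernel CSPRNG; returns 0 on success. */
static int random_bytes(unsigned char *buf, size_t n)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t got = read(fd, buf, n);
    close(fd);
    return got == (ssize_t)n ? 0 : -1;
}

/* Create <dir>/<prefix>_<16 hex digits>.tmp with mode 0600. Returns an open
 * fd and writes the path to out, or -1. A name collision is retried with a
 * fresh random name instead of reusing the existing file. */
int create_temp_file_demo(const char *dir, const char *prefix,
                          char *out, size_t outlen)
{
    for (int attempt = 0; attempt < 6; attempt++) {
        unsigned char r[8];
        char hex[17];
        if (random_bytes(r, sizeof r) != 0)
            return -1;
        for (size_t i = 0; i < sizeof r; i++)
            snprintf(hex + 2 * i, 3, "%02x", r[i]);
        int n = snprintf(out, outlen, "%s/%s_%s.tmp", dir, prefix, hex);
        if (n < 0 || (size_t)n >= outlen)
            return -1;                  /* path would be truncated */
        int fd = open_exclusive(out);
        if (fd >= 0 || errno != EEXIST)
            return fd;                  /* success, or a real error */
    }
    return -1;
}
```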