Re: [Openvpn-devel] how to migrate users to "no compression" config
Am 26.06.2019 um 14:19 schrieb Илья Шипицин: > Should we add some high level documentation on compression? My patch that enables asymmetrical compression by default adds a bit of documentation in that regard iirc. Arne ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2] openvpnserv: enable interactive service to open tun
Hi, I haven't compiled or run tested, but there are few issues that need to be addressed before that: On Wed, Jun 26, 2019 at 5:52 AM Lev Stipakov wrote: > > From: Lev Stipakov > > This patch enables interactive service to open tun device. > This is mostly needed by Wintun, which could be opened > only by privileged process. > > When interactive service is used, instead of calling > CreateFile() directly by openvpn process we pass tun device path > into service process. There we open device, duplicate handle > and pass it back to openvpn process. > > Signed-off-by: Lev Stipakov > --- > v2: > - introduce send_msg_iservice_ex() instead of changing > signature of existing send_msg_iservice() > - use wchar_t strings in interactive service code > > include/openvpn-msg.h | 12 + > src/openvpn/tun.c | 60 > +-- > src/openvpn/win32.c | 9 ++- > src/openvpn/win32.h | 30 +++--- > src/openvpnserv/interactive.c | 57 +++- > 5 files changed, 154 insertions(+), 14 deletions(-) > > diff --git a/include/openvpn-msg.h b/include/openvpn-msg.h > index 66177a2..273d9a6 100644 > --- a/include/openvpn-msg.h > +++ b/include/openvpn-msg.h > @@ -39,6 +39,8 @@ typedef enum { > msg_del_block_dns, > msg_register_dns, > msg_enable_dhcp, > +msg_open_tun_device, > +msg_open_tun_device_result, > } message_type_t; > > typedef struct { > @@ -117,4 +119,14 @@ typedef struct { > interface_t iface; > } enable_dhcp_message_t; > > +typedef struct { > +message_header_t header; > +char device_path[512]; > +} open_tun_device_message_t; > + > +typedef struct { > +message_header_t header; > +HANDLE handle; > +int error_number; > +} open_tun_device_result_message_t; > #endif /* ifndef OPENVPN_MSG_H_ */ > diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c > index 8f8f7c6..6caba50 100644 > --- a/src/openvpn/tun.c > +++ b/src/openvpn/tun.c 
> @@ -5248,6 +5248,43 @@ out: > return ret; > } > > +static HANDLE > +service_open_tun_device(const HANDLE pipe, const char* device_path) > +{ > +open_tun_device_result_message_t result_msg; > +struct gc_arena gc = gc_new(); > +open_tun_device_message_t open_tun_device = { > +.header = { > +msg_open_tun_device, > +sizeof(open_tun_device_message_t), > +0 > +} > +}; > +result_msg.handle = INVALID_HANDLE_VALUE; > + > +strncpynt(open_tun_device.device_path, device_path, > sizeof(open_tun_device.device_path)); > + > +if (!send_msg_iservice_ex(pipe, _tun_device, > sizeof(open_tun_device), > +_msg, sizeof(result_msg), "Open_tun_device")) > +{ > +goto out; > +} > + > +if (result_msg.error_number != NO_ERROR) > +{ > +msg(D_TUNTAP_INFO, "TUN: opening tun handle using service failed: %s > [status=%u device_path=%s]", > +strerror_win32(result_msg.error_number, ), > result_msg.error_number, device_path); > +} > +else > +{ > +msg(M_INFO, "Opened tun device %s using service", device_path); > +} > + > +out: > +gc_free(); > +return result_msg.handle; > +} > + > /* > * Return a TAP name for netsh commands. > */ > @@ -5631,15 +5668,22 @@ open_tun(const char *dev, const char *dev_type, const > char *dev_node, struct tun > device_guid, > TAP_WIN_SUFFIX); > > -tt->hand = CreateFile( > -device_path, > -GENERIC_READ | GENERIC_WRITE, > -0,/* was: FILE_SHARE_READ */ > -0, > -OPEN_EXISTING, > -FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, > -0 > +if (tt->options.msg_channel) > +{ > +tt->hand = > service_open_tun_device(tt->options.msg_channel, device_path); > +} > +else > +{ > +tt->hand = CreateFile( > +device_path, > +GENERIC_READ | GENERIC_WRITE, > +0,/* was: FILE_SHARE_READ */ > +0, > +OPEN_EXISTING, > +FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, > +0 > ); > +} > > if (tt->hand == INVALID_HANDLE_VALUE) > { This only handles dev-node is unspecified. We need the same for the case where dev-node specified above this. 
> diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c > index eb4c030..039c1a4 100644 > --- a/src/openvpn/win32.c > +++ b/src/openvpn/win32.c > @@ -1476,12 +1476,19 @@ bool > send_msg_iservice(HANDLE pipe, const void *data, size_t
[Openvpn-devel] Patch for pam recent module
hi, i make a pull reuqest ofr this patch some times ago over github, this patch implements the right peace of software for passing ip and hostname to pam modules, to use for example in firewall or modules like pam_recent, this patch is succefull running by more tha 7 years into our systems.
diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index 88b53204..9d8dfb95 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ b/src/plugins/auth-pam/auth-pam.c
@@ -115,6 +115,7 @@ struct user_pass {
 char password[128];
 char common_name[128];
 char response[128];
+ char remote[128];
 const struct name_value_list *name_value_list;
 };
@@ -517,13 +518,15 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle, const int type, const cha
 const char *username = get_env("username", envp);
 const char *password = get_env("password", envp);
 const char *common_name = get_env("common_name", envp) ? get_env("common_name", envp) : "";
+ const char *remote = get_env("untrusted_ip", envp) ? get_env("untrusted_ip", envp) : get_env("untrusted_ip6", envp);
 if (username && strlen(username) > 0 && password)
 {
 if (send_control(context->foreground_fd, COMMAND_VERIFY) == -1
 || send_string(context->foreground_fd, username) == -1
 || send_string(context->foreground_fd, password) == -1
- || send_string(context->foreground_fd, common_name) == -1)
+ || send_string(context->foreground_fd, common_name) == -1
+ || send_string(context->foreground_fd, remote) == -1)
 {
 fprintf(stderr, "AUTH-PAM: Error sending auth info to background process\n");
 }
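Review bot: `remote` can be NULL: the added line falls back to `get_env("untrusted_ip6", envp)` without the `: ""` guard that the `common_name` line directly above it uses, so a session with neither `untrusted_ip` nor `untrusted_ip6` in the environment hands NULL to `send_string()`, which the existing code evidently does not expect to receive. Mirror the existing pattern: `const char *remote = get_env("untrusted_ip", envp) ? get_env("untrusted_ip", envp) : (get_env("untrusted_ip6", envp) ? get_env("untrusted_ip6", envp) : "");`. A short comment on that line would also help, since the value is the peer address as seen before authentication: `/* peer address (not yet authenticated), forwarded to PAM as PAM_RHOST */`. `openvpn_plugin_func_v1` continues outside the hunk, and the struct hunk above it needs nothing beyond the same comment on `remote[128]`.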
@@ -750,8 +753,16 @@ pam_auth(const char *service, const struct user_pass *up)
 status = pam_start(service, name_value_list_provided ? NULL : up->username, , );
 if (status == PAM_SUCCESS)
 {
+ /* Set PAM_RHOST environment variable */
+ if (*(up->remote))
+ {
+ status = pam_set_item(pamh, PAM_RHOST, up->remote);
+ }
 /* Call PAM to verify username/password */
- status = pam_authenticate(pamh, 0);
+ if (status == PAM_SUCCESS)
+ {
+ status = pam_authenticate(pamh, 0);
+ }
 if (status == PAM_SUCCESS)
 {
 status = pam_acct_mgmt(pamh, 0);
@@ -839,7 +850,8 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
 case COMMAND_VERIFY:
 if (recv_string(fd, up.username, sizeof(up.username)) == -1
 || recv_string(fd, up.password, sizeof(up.password)) == -1
- || recv_string(fd, up.common_name, sizeof(up.common_name)) == -1)
+ || recv_string(fd, up.common_name, sizeof(up.common_name)) == -1
+ || recv_string(fd, up.remote, sizeof(up.remote)) == -1)
 {
 fprintf(stderr, "AUTH-PAM: BACKGROUND: read error on command channel: code=%d, exiting\n",
 command);
@@ -853,6 +865,7 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
 up.username, up.password);
 #else
 fprintf(stderr, "AUTH-PAM: BACKGROUND: USER: %s\n", up.username);
+ fprintf(stderr, "AUTH-PAM: BACKGROUND: REMOTE: %s\n", up.remote);
 #endif
 }
-- -***- Paolo Cerrito -***- ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
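Review bot: The comment `/* Set PAM_RHOST environment variable */` in the `pam_auth` hunk is inaccurate: PAM_RHOST is a PAM item set through `pam_set_item()`, not an environment variable, and the distinction matters to whoever later looks for `pam_putenv` calls. Suggest `/* Hand the peer address to PAM as the PAM_RHOST item so modules such as pam_recent can act on it */`. When `pam_set_item()` fails the new code skips `pam_authenticate()` and carries the non-success status forward, which is the right outcome, but that failure is then indistinguishable in the logs from a rejected password; logging `pam_strerror(pamh, status)` at that point, if the function's existing error path does not already do so, would make it diagnosable. `pam_auth` continues outside the hunk; the two `pam_server` hunks below it only extend the existing channel protocol and need no change.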
Re: [Openvpn-devel] how to migrate users to "no compression" config
Am 26.06.19 um 08:35 schrieb Gert Doering: > Hi, > > On Wed, Jun 26, 2019 at 01:48:34AM +0500, ?? wrote: >> 2) use push "compress empty" (if there's such an option) ? > > you can do > > push "compress" > > with no arguments. According to the docs, this will enable compression > framing format, but no actual compression. > Better to use stub-v2, since that adds no extra byte and is also compatible with clients that do not have a compress/comp-lzo directive (unless you have packets that look like IPv5). There is also an IV_STUB_V2=1 (or similar) value to detect whether the client can do this. Arne ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] how to migrate users to "no compression" config
Should we add some high level documentation on compression? On Wed, Jun 26, 2019, 5:05 PM Arne Schwabe wrote: > Am 26.06.19 um 08:35 schrieb Gert Doering: > > Hi, > > > > On Wed, Jun 26, 2019 at 01:48:34AM +0500, ?? wrote: > >> 2) use push "compress empty" (if there's such an option) ? > > > > you can do > > > > push "compress" > > > > with no arguments. According to the docs, this will enable compression > > framing format, but no actual compression. > > > > Better use stub-v2 since that has no extra byte added and is also > compatible with clients that do not have a compress/comp-lzo directive. > > (Unless you have packets that look like IPv5) > > There is also a IV_STUB_V2=1 (or similar to detect if the client can do > this) > > Arne > ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2] openvpnserv: enable interactive service to open tun
From: Lev Stipakov This patch enables interactive service to open tun device. This is mostly needed by Wintun, which could be opened only by privileged process. When interactive service is used, instead of calling CreateFile() directly by openvpn process we pass tun device path into service process. There we open device, duplicate handle and pass it back to openvpn process. Signed-off-by: Lev Stipakov --- v2: - introduce send_msg_iservice_ex() instead of changing signature of existing send_msg_iservice() - use wchar_t strings in interactive service code include/openvpn-msg.h | 12 + src/openvpn/tun.c | 60 +-- src/openvpn/win32.c | 9 ++- src/openvpn/win32.h | 30 +++--- src/openvpnserv/interactive.c | 57 +++- 5 files changed, 154 insertions(+), 14 deletions(-)
diff --git a/include/openvpn-msg.h b/include/openvpn-msg.h
index 66177a2..273d9a6 100644
--- a/include/openvpn-msg.h
+++ b/include/openvpn-msg.h
@@ -39,6 +39,8 @@ typedef enum {
 msg_del_block_dns,
 msg_register_dns,
 msg_enable_dhcp,
+msg_open_tun_device,
+msg_open_tun_device_result,
 } message_type_t;
 typedef struct {
@@ -117,4 +119,14 @@ typedef struct {
 interface_t iface;
 } enable_dhcp_message_t;
+typedef struct {
+message_header_t header;
+char device_path[512];
+} open_tun_device_message_t;
+
+typedef struct {
+message_header_t header;
+HANDLE handle;
+int error_number;
+} open_tun_device_result_message_t;
 #endif /* ifndef OPENVPN_MSG_H_ */
diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index 8f8f7c6..6caba50 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
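Review bot: The new `open_tun_device_message_t`/`open_tun_device_result_message_t` pair defines a wire format between the unprivileged openvpn process and the privileged interactive service, and the hunk documents neither the trust boundary nor the handle's lifetime: `device_path[512]` is filled in by the client, so the service has to treat it as untrusted input (NUL-terminate it itself and constrain it to the tun/tap device namespace before opening anything on the client's behalf), and `handle` is only usable once the service has duplicated it into the requesting process, as the commit message describes. I would put that on the structs, e.g. `/* openvpn -> service: device_path is untrusted; the service must NUL-terminate it and restrict it to tun/tap device paths before use */` and `/* service -> openvpn: handle has already been duplicated into the requesting process; error_number is a Win32 error code (NO_ERROR on success) */`. Because `HANDLE` is pointer-sized, the result struct's layout also differs between 32- and 64-bit builds; if the service and openvpn.exe are always built with the same bitness, saying so in the same comment would save the next reader the question. The same hunks are quoted in the reply earlier on this page.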
@@ -5248,6 +5248,43 @@ out:
 return ret;
 }
+static HANDLE
+service_open_tun_device(const HANDLE pipe, const char* device_path)
+{
+open_tun_device_result_message_t result_msg;
+struct gc_arena gc = gc_new();
+open_tun_device_message_t open_tun_device = {
+.header = {
+msg_open_tun_device,
+sizeof(open_tun_device_message_t),
+0
+}
+};
+result_msg.handle = INVALID_HANDLE_VALUE;
+
+strncpynt(open_tun_device.device_path, device_path, sizeof(open_tun_device.device_path));
+
+if (!send_msg_iservice_ex(pipe, _tun_device, sizeof(open_tun_device),
+_msg, sizeof(result_msg), "Open_tun_device"))
+{
+goto out;
+}
+
+if (result_msg.error_number != NO_ERROR)
+{
+msg(D_TUNTAP_INFO, "TUN: opening tun handle using service failed: %s [status=%u device_path=%s]",
+strerror_win32(result_msg.error_number, ), result_msg.error_number, device_path);
+}
+else
+{
+msg(M_INFO, "Opened tun device %s using service", device_path);
+}
+
+out:
+gc_free();
+return result_msg.handle;
+}
+
 /*
 * Return a TAP name for netsh commands.
 */
@@ -5631,15 +5668,22 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun
 device_guid,
 TAP_WIN_SUFFIX);
-tt->hand = CreateFile(
-device_path,
-GENERIC_READ | GENERIC_WRITE,
-0,/* was: FILE_SHARE_READ */
-0,
-OPEN_EXISTING,
-FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED,
-0
+if (tt->options.msg_channel)
+{
+tt->hand = service_open_tun_device(tt->options.msg_channel, device_path);
+}
+else
+{
+tt->hand = CreateFile(
+device_path,
+GENERIC_READ | GENERIC_WRITE,
+0,/* was: FILE_SHARE_READ */
+0,
+OPEN_EXISTING,
+FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED,
+0
 );
+}
 if (tt->hand == INVALID_HANDLE_VALUE)
 {
diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c
index eb4c030..039c1a4 100644
--- a/src/openvpn/win32.c
+++ b/src/openvpn/win32.c
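Review bot: In `service_open_tun_device`, a true return from `send_msg_iservice_ex()` is taken as proof that `result_msg` now holds an `open_tun_device_result_message_t`, yet nothing checks the reply header before `error_number` and `handle` are used, and only `handle` is initialized, so a reply of another type or size (for instance the plain acknowledgement an interactive service that predates `msg_open_tun_device` would presumably send) leaves `error_number` uninitialized and the handle value unverified. Initialize the whole struct with a designated initializer and validate the header before trusting the fields, as sketched below (assuming the header fields are `type` and `size`, which the positional `.header = { ... }` initializer in this hunk fills), dropping the then-redundant `result_msg.handle = INVALID_HANDLE_VALUE;` assignment. Two smaller points: `D_TUNTAP_INFO` is a quiet level for what is a fatal inability to open the device, and `%u` is used for the `int` field `error_number`. The same hunk is quoted in the reply earlier on this page, and `open_tun` in the second hunk continues outside it.
```c
static HANDLE
service_open_tun_device(const HANDLE pipe, const char* device_path)
{
    /* Designated initializer zeroes every field, so a short or foreign reply
     * cannot leave error_number undefined; handle defaults to "not opened". */
    open_tun_device_result_message_t result_msg = { .handle = INVALID_HANDLE_VALUE };
    /* … unchanged: gc, request initialization, strncpynt, send_msg_iservice_ex call … */

    /* Reject anything that is not the reply we asked for before trusting its fields. */
    if (result_msg.header.type != msg_open_tun_device_result
        || result_msg.header.size != sizeof(result_msg))
    {
        msg(M_WARN, "TUN: unexpected reply from service when opening %s", device_path);
        result_msg.handle = INVALID_HANDLE_VALUE;
        goto out;
    }
    /* … unchanged: error_number check and logging, out: label, gc_free, return … */
```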
@@ -1476,12 +1476,19 @@ bool
 send_msg_iservice(HANDLE pipe, const void *data, size_t size,
 ack_message_t *ack, const char *context)
 {
+return send_msg_iservice_ex(pipe, data, size, ack, sizeof(*ack), context);
+}
+
+bool
+send_msg_iservice_ex(HANDLE pipe, const void *data, size_t size,
+ void *response, size_t response_size, const char *context)
+{
 struct gc_arena gc = gc_new();
 DWORD len;
 bool ret = true;
 if (!WriteFile(pipe, data, size, , NULL)
-|| !ReadFile(pipe, ack, sizeof(*ack), , NULL))
+|| !ReadFile(pipe, response, response_size, , NULL))
Re: [Openvpn-devel] how to migrate users to "no compression" config
Hi, On Wed, Jun 26, 2019 at 01:48:34AM +0500, ?? wrote: > 2) use push "compress empty" (if there's such an option) ? you can do push "compress" with no arguments. According to the docs, this will enable compression framing format, but no actual compression. gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel