Re: [Openvpn-devel] Using AllowNonAdmin in the advanced options of tap adapter

2019-06-28 Thread Selva Nair
Hi,

On Fri, Jun 28, 2019 at 5:03 PM Gert Doering  wrote:
>
> Hi,
>
> On Fri, Jun 28, 2019 at 04:51:47PM -0400, Selva Nair wrote:
> > Would that mean we can assume that always allowing all users access to
> > the tap (say, using the service to open it) would not be a regression?
> > Or are there folks who use local builds of the driver and expect
> > openvpn.exe to respect that setting?
>
> The whole permission model for openvpn on Windows has been funky at
> best "forever" - open tap device and setup IPv4 address by means of
> DHCP could be done "by everyone", while installing routes or setting
> up IPv6 then failed for non-Admin accounts...
>
> I'm not exactly sure what you are proposing, but aligning this with
> wintun and using the service to get access to tap6-windows sounds
> like a reasonable plan.

That's what lev's patch would do, but it won't respect the registry key
which is "supposed" to toggle non-admin access to tap-windows6
adapters on and off.

> With a registry key to re-enable "full
> access as today", for compat reasons.

For some reason that registry key appears to be doing nothing in
current versions of tap-windows6. I know this is confusing...

Selva


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] Using AllowNonAdmin in the advanced options of tap adapter

2019-06-28 Thread Gert Doering
Hi,

On Fri, Jun 28, 2019 at 04:51:47PM -0400, Selva Nair wrote:
> Would that mean we can assume that always allowing all users access to
> the tap (say, using the service to open it) would not be a regression?
> Or are there folks who use local builds of the driver and expect
> openvpn.exe to respect that setting?

The whole permission model for openvpn on Windows has been funky at
best "forever" - open tap device and setup IPv4 address by means of
DHCP could be done "by everyone", while installing routes or setting
up IPv6 then failed for non-Admin accounts...

I'm not exactly sure what you are proposing, but aligning this with
wintun and using the service to get access to tap6-windows sounds
like a reasonable plan.  With a registry key to re-enable "full 
access as today", for compat reasons.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-devel] Using AllowNonAdmin in the advanced options of tap adapter

2019-06-28 Thread Selva Nair
On Fri, Jun 28, 2019 at 4:51 PM Selva Nair  wrote:
>
> Hi,
>
> While testing a patch, I failed to toggle AllowNonAdmin access to the
> tap-adapter.
> Looking at the sources it seems we do not respect that setting.
>
> From adapter.c ~line

The quoted code was from tap-windows6/src/adapter.c ~line 428




[Openvpn-devel] Using AllowNonAdmin in the advanced options of tap adapter

2019-06-28 Thread Selva Nair
Hi,

While testing a patch, I failed to toggle AllowNonAdmin access to the
tap-adapter.
Looking at the sources it seems we do not respect that setting.

From adapter.c ~line
#if ENABLE_NONADMIN
    NdisReadConfiguration (
        ,
        ,
        configHandle,
        ,
        NdisParameterInteger
        );

    if (localStatus == NDIS_STATUS_SUCCESS)
    {
        if (configParameter->ParameterType == NdisParameterInteger)
        {
            Adapter->AllowNonAdmin = TRUE;
        }
    }
#endif

The code does not appear to check the actual value read from registry
which will be in configParameter->ParameterData.IntegerData, but
enables AllowNonAdmin in any case.

Would that mean we can assume that always allowing all users access to
the tap (say, using the service to open it) would not be a regression?
Or are there folks who use local builds of the driver and expect
openvpn.exe to respect that setting?

Thanks,

Selva
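
An added example, not part of the original post and not tap-windows6 code: the decision made by the quoted snippet next to a variant that also tests the integer read from the registry. The types, function names and sample values are stand-ins constructed for illustration; only the field names ParameterType and ParameterData.IntegerData come from the message above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the NDIS parameter types; NOT the real definitions. */
typedef enum { PARAM_INTEGER, PARAM_STRING } param_type;
typedef struct {
    param_type ParameterType;
    struct { unsigned long IntegerData; } ParameterData;
} config_param;

/* Constructed samples: AllowNonAdmin stored as 0, as 1, and as a non-integer. */
static const config_param SAMPLE_OFF = { PARAM_INTEGER, { 0 } };
static const config_param SAMPLE_ON  = { PARAM_INTEGER, { 1 } };
static const config_param SAMPLE_STR = { PARAM_STRING,  { 1 } };

/* Decision as in the quoted snippet: a readable integer-typed key is
 * enough, whatever value it holds. */
bool allow_nonadmin_as_quoted(bool read_ok, const config_param *p)
{
    return read_ok && p != NULL && p->ParameterType == PARAM_INTEGER;
}

/* Checked variant: missing key, wrong type or a stored 0 all deny access. */
bool allow_nonadmin_checked(bool read_ok, const config_param *p)
{
    if (!read_ok || p == NULL)
        return false;                      /* fail closed when the read fails */
    if (p->ParameterType != PARAM_INTEGER)
        return false;
    return p->ParameterData.IntegerData != 0;
}

int main(void)
{
    printf("value 0: quoted=%d checked=%d\n",
           allow_nonadmin_as_quoted(true, &SAMPLE_OFF),
           allow_nonadmin_checked(true, &SAMPLE_OFF));
    printf("value 1: quoted=%d checked=%d\n",
           allow_nonadmin_as_quoted(true, &SAMPLE_ON),
           allow_nonadmin_checked(true, &SAMPLE_ON));
    printf("no key : quoted=%d checked=%d\n",
           allow_nonadmin_as_quoted(false, NULL),
           allow_nonadmin_checked(false, NULL));
    return 0;
}
```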




[Openvpn-devel] [PATCH 1/2] travis-ci: fix osx builds

2019-06-28 Thread chipitsine
From: Ilya Shipitsin 

cached homebrew required update, so lzo was not installed.
enforce updating homebrew

Signed-off-by: Ilya Shipitsin 
---
 .travis.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.travis.yml b/.travis.yml
index a8ec3a18..7a074d34 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -78,6 +78,7 @@ addons:
 update: true
 packages: [ liblzo2-dev, libpam0g-dev, liblz4-dev, linux-libc-dev, 
man2html, mingw-w64]
   homebrew:
+update: true
 packages: [ lzo ]
 
 cache:
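Review bot: the added update: true under homebrew: has no comment saying why it is needed, and it makes every osx job refresh Homebrew before installing lzo. A short YAML comment next to it (the commit message already has the reason: the cached Homebrew needed an update, so lzo was not installed) would keep someone from dropping it later as redundant. Also confirm it is indented as a sibling of packages: [ lzo ], mirroring the update: true in the block above.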
-- 
2.20.1





[Openvpn-devel] [PATCH 0/2] travis-ci osx fix and components update

2019-06-28 Thread chipitsine
From: Ilya Shipitsin 

enabled homebrew update that fixes osx builds.
update components to the most recent versions

Ilya Shipitsin (2):
  travis-ci: fix osx builds
  travis-ci: update components versions

 .travis.yml | 17 +
 1 file changed, 9 insertions(+), 8 deletions(-)

-- 
2.20.1





[Openvpn-devel] [PATCH 2/2] travis-ci: update components versions

2019-06-28 Thread chipitsine
From: Ilya Shipitsin 

tap windows, pkcs11 helper, mbedtls, openssl were updated to the most recent 
versions

Signed-off-by: Ilya Shipitsin 
---
 .travis.yml | 16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 7a074d34..2d07cdc3 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -9,13 +9,13 @@ env:
   global:
 - JOBS=3
 - PREFIX="${HOME}/opt"
-- TAP_WINDOWS_VERSION=9.21.2
+- TAP_WINDOWS_VERSION=9.23.3
 - LZO_VERSION=2.10
-- PKCS11_HELPER_VERSION=1.22
-- MBEDTLS_VERSION="2.8.0"
+- PKCS11_HELPER_VERSION=1.25.1
+- MBEDTLS_VERSION=2.16.1
 - MBEDTLS_CFLAGS="-I${PREFIX}/include"
 - MBEDTLS_LIBS="-L${PREFIX}/lib -lmbedtls -lmbedx509 -lmbedcrypto"
-- OPENSSL_VERSION="1.0.2o"
+- OPENSSL_VERSION=1.0.2s
 - OPENSSL_CFLAGS="-I${PREFIX}/include"
 - OPENSSL_LIBS="-L${PREFIX}/lib -lssl -lcrypto"
 # The next declaration is the encrypted COVERITY_SCAN_TOKEN, created
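Review bot: quoting of the version values becomes inconsistent in this hunk. MBEDTLS_VERSION and OPENSSL_VERSION lose their quotes (MBEDTLS_VERSION=2.16.1, OPENSSL_VERSION=1.0.2s), while the matrix entries later in the same file keep OPENSSL_VERSION="1.1.1c" quoted; pick one style for the file. The commit message names the four components but not the versions or the reason for each bump; for the TLS libraries it is worth stating whether the bump is meant to pick up security fixes.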
@@ -30,10 +30,10 @@ matrix:
 - env: SSLLIB="openssl" OPENSSL_VERSION="1.0.1u"
   os: linux
   compiler: gcc
-- env: SSLLIB="openssl" OPENSSL_VERSION="1.1.0h"
+- env: SSLLIB="openssl" OPENSSL_VERSION="1.1.1c"
   os: linux
   compiler: gcc
-- env: SSLLIB="openssl" OPENSSL_VERSION="1.1.0h" LABEL="linux-ppc64le"
+- env: SSLLIB="openssl" OPENSSL_VERSION="1.1.1c" LABEL="linux-ppc64le"
   os: linux-ppc64le
   compiler: gcc
 - env: SSLLIB="openssl" EXTRA_CONFIG="--enable-iproute2"
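Review bot: replacing 1.1.0h with 1.1.1c in both gcc jobs, instead of adding 1.1.1c alongside, means the jobs shown here no longer build against the OpenSSL 1.1.0 branch, while the 1.0.1u job in the leading context is kept. If 1.1.0 is still a supported target, keep one 1.1.0 job; if it is being dropped on purpose, say so in the commit message.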
@@ -42,7 +42,7 @@ matrix:
 - env: SSLLIB="openssl" CFLAGS="-fsanitize=address"
   os: linux
   compiler: clang
-- env: SSLLIB="openssl" OPENSSL_VERSION="1.1.0h"
+- env: SSLLIB="openssl" OPENSSL_VERSION="1.1.1c"
   os: linux
   compiler: clang
 - env: SSLLIB="mbedtls"
@@ -60,7 +60,7 @@ matrix:
 - env: SSLLIB="openssl" CHOST=x86_64-w64-mingw32 OPENSSL_VERSION="1.0.1u"
   os: linux
   compiler: ": Win64 build only"
-- env: SSLLIB="openssl" CHOST=x86_64-w64-mingw32 OPENSSL_VERSION="1.1.0h"
+- env: SSLLIB="openssl" CHOST=x86_64-w64-mingw32 OPENSSL_VERSION="1.1.1c"
   os: linux
   compiler: ": Win64 build only"
 - env: SSLLIB="openssl" CHOST=i686-w64-mingw32
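Review bot: only the x86_64 mingw job is moved to 1.1.1c. The i686-w64-mingw32 entry in the trailing context sets no OPENSSL_VERSION, so it falls back to the global default (1.0.2s after this patch). If 32-bit Windows builds should also be exercised against 1.1.1, set OPENSSL_VERSION="1.1.1c" on that entry or add a second i686 job.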
-- 
2.20.1





Re: [Openvpn-devel] [PATCH] Insert client connection data into PAM environment

2019-06-28 Thread Илья Шипицин
Do not pay attention to osx. I will fix it soon

On Fri, Jun 28, 2019, 4:29 PM Paolo  wrote:

> Hi,
>
> after rebasing my fork on current master, there are no conflicts with
> current source code. Travis errors on osx are not related to my code,
> they are errors about a configuration piece not working on osx.
>
> --
> -***-
> Paolo Cerrito
> -***-
>
>
>


Re: [Openvpn-devel] [PATCH] Insert client connection data into PAM environment

2019-06-28 Thread Paolo
Hi,

after rebasing my fork on current master, there are no conflicts with
current source code. Travis errors on osx are not related to my code,
they are errors about a configuration piece not working on osx.

-- 
-***-
Paolo Cerrito
-***-





Re: [Openvpn-devel] how to migrate users to "no compression" config

2019-06-28 Thread Arne Schwabe
On 28.06.19 at 10:26, Илья Шипицин wrote:
> 
> 
> On Fri, 28 Jun 2019 at 12:49, Gert Doering wrote:
> 
> Hi,
> 
> On Fri, Jun 28, 2019 at 12:14:40PM +0500,  ?? wrote:
> > by "high level" compression doc I mean something like that
> >
> > a) road warrior scenario (remote access for enterprise users) -
> should we
> > enable compression ? or traffic usually is compressed ? RDP is
> compressed ?
> > any way to estimate compression (like $gzip_ratio in nginx)
> > b) lz4, lzo, ... which one to choose ?
> > c) how to push compression settings, best practices on that
> >
> > @mattock, what do you think, should some such documentation be present on
> > https://openvpn.net ?
> 
> The high level document should probably specify "do not use compression
> at all, unless you have a specific need".
> 
> 
> I agree with that. It might not be very obvious.

The async compression patch will introduce warnings and docs to tell you
not to use compression and will default to async compression effectively
disabling it when used on both ends.

Arne




Re: [Openvpn-devel] how to migrate users to "no compression" config

2019-06-28 Thread Илья Шипицин
On Fri, 28 Jun 2019 at 12:49, Gert Doering wrote:

> Hi,
>
> On Fri, Jun 28, 2019 at 12:14:40PM +0500,  ?? wrote:
> > by "high level" compression doc I mean something like that
> >
> > a) road warrior scenario (remote access for enterprise users) - should we
> > enable compression ? or traffic usually is compressed ? RDP is
> compressed ?
> > any way to estimate compression (like $gzip_ratio in nginx)
> > b) lz4, lzo, ... which one to choose ?
> > c) how to push compression settings, best practices on that
> >
> > @mattock, what do you think, should some such documentation be present on
> > https://openvpn.net ?
>
> The high level document should probably specify "do not use compression
> at all, unless you have a specific need".
>

I agree with that. It might not be very obvious.


>
> I'm fairly sure we did publish something along those lines already, but
> have no idea where to look for it.
>
> gert


Re: [Openvpn-devel] how to migrate users to "no compression" config

2019-06-28 Thread Gert Doering
Hi,

On Fri, Jun 28, 2019 at 12:14:40PM +0500,  ?? wrote:
> by "high level" compression doc I mean something like that
> 
> a) road warrior scenario (remote access for enterprise users) - should we
> enable compression ? or traffic usually is compressed ? RDP is compressed ?
> any way to estimate compression (like $gzip_ratio in nginx)
> b) lz4, lzo, ... which one to choose ?
> c) how to push compression settings, best practices on that
> 
> @mattock, what do you think, should some such documentation be present on
> https://openvpn.net ?

The high level document should probably specify "do not use compression
at all, unless you have a specific need".

I'm fairly sure we did publish something along those lines already, but
have no idea where to look for it.

gert


Re: [Openvpn-devel] how to migrate users to "no compression" config

2019-06-28 Thread Илья Шипицин
by "high level" compression doc I mean something like that

a) road warrior scenario (remote access for enterprise users) - should we
enable compression ? or traffic usually is compressed ? RDP is compressed ?
any way to estimate compression (like $gzip_ratio in nginx)
b) lz4, lzo, ... which one to choose ?
c) how to push compression settings, best practices on that

@mattock, what do you think, should some such documentation be present on
https://openvpn.net ?



On Thu, 27 Jun 2019 at 12:39, Gert Doering wrote:

> Hi,
>
> On Wed, Jun 26, 2019 at 11:14:34PM +0200, Arne Schwabe wrote:
> > My patch that enables asymmetrical compression by default adds a bit of
> > documentation in that regard iirc.
>
> Where did that get stuck?  Still in limbo between David and you?
>
> gert