Re: [Openvpn-devel] [PATCH] Updated URLs in README
Hi, On Sun, Nov 07, 2021 at 07:12:52PM +0100, Frank Lichtenheld wrote: > For detailed information on OpenVPN, including examples, see the man page > - http://openvpn.net/man.html > + https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/ @Samuli: can we have this for 2-5 and 2-6, please? It's not overly useful to merge patch to master or 2.5 that points to the 2.4 documentation... (but I'm willing to adjust this particular link according to branch, if "the powers that be" can put the manpage online [and maintain it]) gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] Start openvpn gui before windows login
Hi

‐‐‐ Original Message ‐‐‐
user/pass.
On Monday, November 15th, 2021 at 13:11, Ruben Herold wrote:

> On Mon, Nov 15, 2021 at 02:45:53PM +0200, Lev Stipakov wrote:
>
> > Are you sure your problem cannot be solved with openvpn service?
> >
> > See, for example,
> > https://openvpn.net/community-resources/running-openvpn-as-a-windows-service/
> >
> > Also this discussion might be relevant:
> > https://github.com/OpenVPN/openvpn-gui/issues/77
>
> We are using user/pass auth against AD and MFA so this is not possible.

You can save user/pass to a text file and have openvpn read it.

Regards
Re: [Openvpn-devel] Start openvpn gui before windows login
On Mon, Nov 15, 2021 at 02:45:53PM +0200, Lev Stipakov wrote:

Hi,

> Things might have changed since then, but our priorities now are
> releasing 2.6 with the new dco/dco-win drivers, which significantly
> improve performance. We might have a look at UWP VPN after that again.

Cause from the screenshots it looks like they have found a way to start their own gui during login so that the user can use MFA and so on. Or do they really do all their vpn stuff via UWP? I'm not very deep in this Windows stuff, so it may be that I'm completely on the wrong track.

> Are you sure your problem cannot be solved with openvpn service?
>
> See, for example,
> https://openvpn.net/community-resources/running-openvpn-as-a-windows-service/
> Also this discussion might be relevant:
> https://github.com/OpenVPN/openvpn-gui/issues/77

We are using user/pass auth against AD and MFA so this is not possible.

Ruben

--
Ruben Herold
ru...@puettmann.net
Re: [Openvpn-devel] Start openvpn gui before windows login
Hi,

A few years back we made a Proof-of-Concept with OpenVPN 3 and Windows UWP API. Performance-wise it was on tap-windows6 level (which is not impressive), there were some issues with UDP transport (which were solved by MSFT later) and usability related to UWP app model - for example application might be "paused" when it is not on the foreground, which means inability to send ping packets and disconnect.

Things might have changed since then, but our priorities now are releasing 2.6 with the new dco/dco-win drivers, which significantly improve performance. We might have a look at UWP VPN after that again.

Are you sure your problem cannot be solved with openvpn service?

See, for example,
https://openvpn.net/community-resources/running-openvpn-as-a-windows-service/

Also this discussion might be relevant:
https://github.com/OpenVPN/openvpn-gui/issues/77

--
-Lev
[Openvpn-devel] Start openvpn gui before windows login
Hi,

at our company we ran into problems with domain-joined Windows notebooks during lockdowns. We realized that there is no way to start openvpn gui before Windows login to connect to the company network.

I asked our support contact at MS and got the information that this is only possible via Universal Windows Platform (UWP) VPN plug-ins. It should be possible to add external vpn clients like cisco anyconnect:

https://docs.microsoft.com/en-us/windows/security/identity-protection/vpn/vpn-connection-type

"There are a number of Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, Sonicwall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution."

As seen on the screenshot at:

https://remote-learning.arizona.edu/campus-technology-how-tos/vpn-start-before-logon

It looks like they only start their client gui.

The only documentation I could get so far is:

https://docs.microsoft.com/en-us/uwp/api/Windows.Networking.Vpn?view=winrt-22000

and this could be an example:

https://github.com/ysc3839/UWPToyVpn

I'm not a developer so I can't prove it. But I have some contacts at MS to ask for more information if needed.

I think this could be a very useful extension to openvpn.

Thx
ruben

--
Ruben Herold
ru...@puettmann.net
Re: [Openvpn-devel] [PATCH] Add ability to specify initialize flags for pkcs11 provider
Hi, On Thu, Sep 30, 2021 at 02:33:08PM +0300, Petr Mikhalicin via Openvpn-devel wrote: > New pkcs11-helper interface allows to setup pkcs11 provider via > properties: > https://github.com/alonbl/pkcs11-helper/commit/b78d21c7e26041746aa4ae3d08b95469e1714a85 > > Also pkcs11-helper added ability to setup init args for pkcs11 provider: > https://github.com/alonbl/pkcs11-helper/commit/133f893e30856eba1de715ecd6fe176722eb3097 I can't comment on the PKCS#11 feature (not my field), but I have a few comments about required coding style changes: > --- a/src/openvpn/options.c > +++ b/src/openvpn/options.c > @@ -664,6 +664,11 @@ static const char usage_message[] = > " 8 : Use Unwrap.\n" > "--pkcs11-cert-private [0|1] ... : Set if login should be performed > before\n" > " certificate can be accessed. Set for > each provider.\n" > +"--pkcs11-init-flags hex ... : PKCS#11 init flags.\n" > +" It's bitwise OR of some PKCS#11 > initialize flags.\n" > +" Most popular of them is:\n" > +" 1 : > CKF_LIBRARY_CANT_CREATE_OS_THREADS\n" > +" 2 : CKF_OS_LOCKING_OK\n" The indent here is not right - did you use TABs here? Please don't, they get usually messed up by mail clients. > @@ -1838,6 +1843,13 @@ show_settings(const struct options *o) > SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[i] ? > "ENABLED" : "DISABLED", "%s"); > } > } > +{ > +int i; > +for (i = 0; i +{ > +SHOW_PARM(pkcs11_init_flags, o->pkcs11_init_flags[i], "%08x"); > +} > +} This, we do C99 style nowadays: > +for (int i=0; i +{ > +SHOW_PARM(pkcs11_init_flags, o->pkcs11_init_flags[i], "%08x"); > +} (so, no extra brackets, and the "int i" can go right into the for() clause) > SHOW_INT(pkcs11_pin_cache_period); > SHOW_STR(pkcs11_id); > SHOW_BOOL(pkcs11_id_management); 
> @@ -8778,6 +8790,17 @@ add_option(struct options *options, > options->pkcs11_cert_private[j-1] = atoi(p[j]) != 0 ? 1 : 0; > } > } > +else if (streq(p[0], "pkcs11-init-flags")) > +{ > +int j; > + > +VERIFY_PERMISSION(OPT_P_GENERAL); > + > +for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j) Same here: "int j" goes into the loop. > diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c > index 02d0f51f..29db7ea4 100644 > --- a/src/openvpn/pkcs11.c > +++ b/src/openvpn/pkcs11.c 
> @@ -374,12 +374,17 @@ pkcs11_terminate(void) > +if ((rv = pkcs11h_registerProvider(provider)) != CKR_OK) { > +msg(M_WARN, "PKCS#11: Cannot register provider '%s' %ld-'%s'", > provider, rv, pkcs11h_getMessage(rv)); > + success = false; > + goto exit; > +} The "{" always goes to the next line, and indenting is never done with tabs (the lines above look like a mixture of tabs and spaces, and the tab being messed up by the mail client). > +// pkcs11-helper take ownership over this pointer No C++ comments, please. > +// pkcs11-helper take ownership over this pointer > +if ((p_init_args = malloc(sizeof(*p_init_args))) == NULL) { > +msg(M_FATAL, "PKCS#11: Cannot allocate memory"); > + success = false; > + goto cleanup; > +} > + > +memset(p_init_args, 0, sizeof(*p_init_args)); Please use calloc() and check_malloc_return() instead. msg(M_FATAL) never returns, so the "success = false, goto cleanup" bit is not needed - and all that is done by check_malloc_return() for you :-) For our coding style guidelines, see also here: https://community.openvpn.net/openvpn/wiki/CodeStyle and in the openvpn repo there is a "dev-tools/uncrustify.conf" config which can be used with the "uncrustify" program to format your code according to the whitespace rules. Won't do the "for (int i=0; ...)" C99 changes, though. gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de
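Review bot: the new --pkcs11-init-flags entry in the usage_message hunk of src/openvpn/options.c does not say how the "hex ..." values map to providers. The --pkcs11-cert-private entry directly above ends with "Set for each provider."; if each value pairs by position with a --pkcs11-providers entry, this help text should say so, and it should state whether a 0x prefix is expected. "Most popular of them is:" would read better as "The most common ones are:".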
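Review bot: in the show_settings() hunk, SHOW_PARM(pkcs11_init_flags, o->pkcs11_init_flags[i], "%08x") is only correct if the array element is an unsigned int. The declaration of pkcs11_init_flags is not part of the quoted patch, so please confirm the type: PKCS#11 defines the init-args flags as CK_FLAGS, an unsigned long, which would need "%08lx" or an explicit cast here.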
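Review bot: in the add_option() hunk, the body of the loop "for (j = 1; j < MAX_PARMS && p[j] != NULL; ++j)" is cut off in this quote, so the hex parsing cannot be checked from here. It should reject non-hex input and out-of-range values with an option error instead of silently yielding 0, which is what the atoi() call in the pkcs11-cert-private branch just above does for bad input, and the index j-1 should be bounded by the size of the pkcs11_init_flags array.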
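Review bot: in the src/openvpn/pkcs11.c hunk, the comment states that pkcs11-helper takes ownership of p_init_args, but the quoted lines use two different labels (goto exit after pkcs11h_registerProvider() fails, goto cleanup after the allocation) and do not show which of them frees p_init_args if the hand-over to pkcs11-helper fails. Please make sure the pointer is freed on every error path before ownership is transferred and on none after it, for example by setting it to NULL once the hand-over has succeeded.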