Re: [Openvpn-devel] OpenVPN 2.6.0 released
Hi,

So download link in Forum Announcement should be corrected?
https://forums.openvpn.net/viewtopic.php?t=35260

Sent with Proton Mail secure email.

--- Original Message ---
On Friday, January 27th, 2023 at 01:53, David Sommerseth wrote:

> On 25/01/2023 20:50, Frank Lichtenheld wrote:
> [...snip...]
>
> > On Red Hat derivatives we recommend using the Fedora Copr repository.
> >
> > https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release/
>
> A slight update here. The repo above will be preserved for OpenVPN 2.5
> releases. A new repository for OpenVPN 2.6 has been published:
>
> https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release-2.6/
>
> --
> kind regards,
>
> David Sommerseth
> OpenVPN Inc

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] Document that --push-remove is generally more suitable than --push-reset
Hi,

My vote would be to deprecate --push-reset (same for --route-nopull)

André

‐‐‐ Original Message ‐‐‐
On Tuesday 8 September 2020 18:41, Arne Schwabe wrote:

> On 08.09.20 at 18:35, Gert Doering wrote:
>
> > Hi,
> > On Tue, Sep 08, 2020 at 03:11:40PM +0200, David Sommerseth wrote:
> >
> > > It would be good if --push-reset would actually not remove certain
> > > critical options, but this is anyhow a good heads-up for our users.
> >
> > Well, that ticket sat there 10 years (!!) waiting for someone to go
> > and implement it... 6 years it sat on your lap, 4 years on mine (or so),
> > so it looks like this is not going to happen any time soon.
>
> It also feels like a feature from a different area when pushed options
> were few and not as essential to OpenVPN. It would remove/deprecate that
> feature instead of trying to figure out how it should now.
>
> Arne

Re: [Openvpn-devel] Regarding deprecation of --route-nopull
Hi,

> On 23.07.2020 at 20:14, André via Openvpn-devel wrote:
>
> > Hi,
> > Regarding,
> > https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#Option:--route-nopull
> > "Openvpn devs would like to know if you use this option".
> > Many pfSense users use this option to policy route.
>
> I would also vote for keeping this option.

I did not vote ;) but ok will give my Senf :)

> Yes you can emulate the
> option by using a number of pull-filter lines but that feels like not a
> good user experience.

One could also say that, --route-nopull does more than just barring routes.
--pull-filter is specific, I would prefer that.

> Also route-pull works in both OpenVPN 2.x and 3.x
> clients while pull-filter is currently 2.x only.

Could change in 3.x too I guess.

W.k.r.
Pippin

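The point above about --pull-filter being specific, as an added example that is not part of the original thread: a simplified Python model of the matching rule the OpenVPN 2.x manual documents for --pull-filter (filters applied in order, first prefix match decides, unmatched options accepted). The pushed options and both filter lists are constructed samples, and the function and exception names are hypothetical.

```python
# Simplified model of client-side --pull-filter handling (not OpenVPN code).
# All option strings and filter lists below are constructed for illustration.

class PushRejected(Exception):
    """A pushed option matched a 'reject' filter."""

def apply_pull_filters(pushed, filters):
    """Return the pushed options that survive the filters.

    filters is a list of (action, prefix) pairs in config-file order.
    For each option the first filter whose prefix matches decides the
    outcome; options matching no filter are accepted.
    """
    kept = []
    for opt in pushed:
        action = "accept"
        for act, prefix in filters:
            if opt.startswith(prefix):  # prefix comparison, not exact match
                action = act
                break
        if action == "reject":
            raise PushRejected(opt)
        if action == "accept":
            kept.append(opt)
    return kept

PUSHED = [  # constructed PUSH_REPLY contents
    "route 10.8.0.0 255.255.255.0",
    "route-gateway 10.8.0.1",
    "redirect-gateway def1",
    "dhcp-option DNS 10.8.0.1",
    "ping 10",
]

# Too broad: the prefix "route" also swallows route-gateway.
#   pull-filter ignore "route"
#   pull-filter ignore "redirect-gateway"
BROAD = [("ignore", "route"), ("ignore", "redirect-gateway")]

# Specific: an earlier accept keeps route-gateway for policy routing,
# while pushed routes and redirect-gateway are still dropped.
#   pull-filter accept "route-gateway"
#   pull-filter ignore "route"
#   pull-filter ignore "redirect-gateway"
SPECIFIC = [("accept", "route-gateway")] + BROAD

if __name__ == "__main__":
    print("broad   :", apply_pull_filters(PUSHED, BROAD))
    print("specific:", apply_pull_filters(PUSHED, SPECIFIC))
```

Filter order matters here: placing the accept line after the ignore lines would leave route-gateway filtered out, because matching stops at the first hit.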
[Openvpn-devel] Regarding deprecation of --route-nopull
Hi,

Regarding,
https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#Option:--route-nopull
"Openvpn devs would like to know if you use this option".

Many pfSense users use this option to policy route.

P.S.
Made a feature request at pfSense Redmine to add --pull-filter six months ago.

W.k.r.
Pippin

[Openvpn-devel] Wiki: PluginOverview
Hi,

Regarding radius plugin:
https://community.openvpn.net/openvpn/wiki/PluginOverview

The source is here:
https://www.nongnu.org/radiusplugin/

Edited Wiki page.

W.k.r
Pippin

Re: [Openvpn-devel] [PATCH] systemd: Change the default cipher to AES-256-GCM for server configs
Hi, Sent with ProtonMail Secure Email. ‐‐‐ Original Message ‐‐‐ On Monday 22 June 2020 18:58, Selva Nair wrote: > On Mon, Jun 22, 2020 at 7:31 AM David Sommerseth dav...@openvpn.net wrote: > > > This change makes the server use AES-256-GCM instead of BF-CBC as the > > default cipher for the VPN tunnel when starting OpenVPN via systemd > > and the openvpn-server@.service unit file. > > To avoid breaking existing running configurations defaulting to BF-CBC, > > the Negotiable Crypto Parameters (NCP) list contains the BF-CBC in > > addition to AES-CBC. This makes it possible to migrate existing older > > client configurations one-by-one to use at least AES-CBC unless the > > client is updated to v2.4 or newer (which defaults to upgrade to > > AES-GCM automatically) > > This has been tested in Fedora 27 (released November 2017) with no > > reported issues. By making this default for all Linux distributions > > with systemd shipping with the unit files we provide, we gradually > > expand setups using this possibility. As we gather experience from > > this change, we can further move these changes into the defaults of > > the OpenVPN binary itself with time. > > > > Signed-off-by: David Sommerseth dav...@openvpn.net > > > > --- > > > > Changes.rst | 15 +++ > > distro/systemd/openvpn-ser...@.service.in | 2 +- > > 2 files changed, 16 insertions(+), 1 deletion(-) > > diff --git a/Changes.rst b/Changes.rst > > index 00dd6ed8..e76d3c73 100644 > > --- a/Changes.rst > > +++ b/Changes.rst 
> > @@ -14,6 +14,21 @@ ChaCha20-Poly1305 cipher support > > channel. > > +User-visible Changes > > + > > +New default cipher for systemd based Linux distributions > > > > - For Linux distributions with systemd which packages the systemd unit > > files > > - from the OpenVPN project, the default cipher is now changed to > > AES-256-GCM, > > - with BF-CBC as a fallback through the NCP feature. This change has been > > - tested successfully since the Fedora 27 release (released November > > 2017). > > - > > - WARNING This MAY break configurations where the client uses > > - ``--disable-occ`` feature where the ``--cipher`` has > > > > > > - not been explicitly configured on both client and > > > > > > - server side. It is recommended to remove the > > ``--disable-occ`` > > > > > > - option *or* explicitly add ``--cipher AES-256-GCM`` on > > the > > > > > > - client side if ``--disable-occ`` is strictly needed. > > > > > > - > > > > Overview of changes in 2.4 > > > > === > > > > diff --git a/distro/systemd/openvpn-ser...@.service.in > > b/distro/systemd/openvpn-ser...@.service.in > > index d1cc72cb..f3545ff5 100644 > > --- a/distro/systemd/openvpn-ser...@.service.in > > +++ b/distro/systemd/openvpn-ser...@.service.in 
> > @@ -10,7 +10,7 @@ > > Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO > > Type=notify > > PrivateTmp=true > > WorkingDirectory=/etc/openvpn/server > > -ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log > > --status-version 2 --suppress-timestamps --config %i.conf > > +ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log > > --status-version 2 --suppress-timestamps --cipher AES-256-GCM --ncp-ciphers > > AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC --config %i.conf > > This is why I keep my openvpn servers out of systemd's view -- it > keeps deciding what's good for us. I want to run my configs as is. > > Selva > > Openvpn-devel mailing list > Openvpn-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openvpn-devel Sorry for the noise in advance but I agree. No idea how to keep it out of systemd's view :) but I change the line to -ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf +ExecStart=@sbindir@/openvpn --config %i.conf and do everything in %i.conf No unexpected configuration behaviour that way like missing timestamps in log. Pippin ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
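
Review bot: The Changes.rst entry under "New default cipher for systemd based Linux distributions" names only BF-CBC as the NCP fallback, while the ExecStart line in the same patch sets --ncp-ciphers to AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC. Suggest quoting the full list in the entry and stating that --cipher and --ncp-ciphers are passed on the unit's command line ahead of --config %i.conf, so an administrator reading Changes.rst knows where the value comes from and can tell how a --cipher line in their own config relates to it. The WARNING about --disable-occ gives a client-side remedy only; it should also say what to do on the server side if the old behaviour is needed.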
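
Review bot: On the new ExecStart line of the openvpn-server@.service unit, the hard-coded --ncp-ciphers list ends in BF-CBC, so every server started from this unit keeps BF-CBC negotiable, including new deployments that have no older clients to migrate. The commit message presents BF-CBC only as a migration aid, so suggest documenting next to this line (or in Changes.rst) how to drop it from the list once clients have moved to AES. Since the options are injected outside %i.conf, which both replies in this thread object to, it is also worth stating in the unit's documentation that the effective cipher settings are no longer visible from the config file alone.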