Re: [Openvpn-devel] Re: Openvpn future: probably certificate problems...
Leonard Isham wrote: What about a dual account/ID user situation? Where one user is a normal user with all the restrictions and the other has administrator rights. The first is used to log in; the second, administrator-equivalent, is for storing the certificate and running the service. good point. any privilege separation under windows ? Regards Julien
[Openvpn-devel] feature request
is there any plan to have the following functions (mainly for windows, but other OSes could too):
- on server request, block all traffic except the vpn (by route, firewall, or something else ?)
- on connection, execute some programs on clients, maybe with an integrity check (md5+sha1+rmd160). example: launch antivirus update and scan, system update
on server: by default, in the vpn, ssh traffic only; after some client checks, +web+else ...
Regards Julien
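Added example (not OpenVPN's code, and nothing the list ever shipped): the client-side half of the second request, a hook that refuses to run a program unless its digests match a stored manifest entry. md5 and sha1 come from the post; rmd160 is asked for there too, so the code requests it under hashlib's name ripemd160 and fails closed when the local hashlib cannot provide it, which is the real edge case on OpenSSL 3 builds of Python. The manifest, the temporary "updater" script and the helper names (digests, verify, run_verified, self_check) are constructed for the example.

```python
import hashlib
import hmac
import os
import subprocess
import sys
import tempfile

# Digests named in the request: md5+sha1+rmd160 (hashlib spells it ripemd160).
ALGOS = ("md5", "sha1", "ripemd160")


def digests(path, algos=ALGOS):
    """Hash `path` once, feeding every available algorithm in a single pass.

    Algorithms hashlib cannot construct (ripemd160 is missing from many
    OpenSSL 3 builds) are left out of the result; verify() treats that as a
    failure rather than quietly checking fewer digests.
    """
    hashers = {}
    for name in algos:
        try:
            hashers[name] = hashlib.new(name)
        except ValueError:          # unsupported hash type on this build
            continue
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(path, expected):
    """True only if every digest listed in `expected` is computable and matches.

    Fail closed: a missing algorithm or a single mismatch rejects the file.
    compare_digest keeps the comparison constant-time.
    """
    actual = digests(path, tuple(expected))
    if set(actual) != set(expected):
        return False
    return all(hmac.compare_digest(actual[k], v) for k, v in expected.items())


def run_verified(path, expected, args=(), interpreter=None):
    """Run `path` (optionally through `interpreter`) only after verify() passes.

    Returns the CompletedProcess, or None when the check fails. The check and
    the exec are separate steps, so on a real client keep the program in a
    root-owned, non-writable directory to close the window between them.
    """
    if not verify(path, expected):
        return None
    argv = [interpreter, path] if interpreter else [path]
    return subprocess.run([*argv, *args], check=False)


def self_check():
    """Constructed demo: a tiny updater script, hashed, run, then tampered with.

    Returns (clean_ok, ran_ok, tampered_ok, tampered_blocked, bogus_rmd160_ok).
    """
    with tempfile.TemporaryDirectory() as d:
        prog = os.path.join(d, "update.py")
        with open(prog, "w") as f:
            f.write("import sys\nsys.exit(0)\n")
        expected = digests(prog)                    # the stored manifest entry
        clean_ok = verify(prog, expected)
        ran = run_verified(prog, expected, interpreter=sys.executable)
        ran_ok = ran is not None and ran.returncode == 0
        # A manifest demanding ripemd160 with a wrong value must fail whether
        # or not this build can compute ripemd160.
        bogus = {"md5": expected["md5"], "ripemd160": "00" * 20}
        bogus_ok = verify(prog, bogus)
        with open(prog, "a") as f:                  # tamper after hashing
            f.write("# appended by an attacker\n")
        tampered_ok = verify(prog, expected)
        tampered_blocked = run_verified(prog, expected, interpreter=sys.executable) is None
        return clean_ok, ran_ok, tampered_ok, tampered_blocked, bogus_ok


if __name__ == "__main__":
    print(self_check())   # (True, True, False, True, False)
```

The manifest is checked with a strict key set on purpose: if a client build cannot compute one of the digests the server asked for, the program is not run, instead of passing on the remaining ones.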
Re: [Openvpn-devel] openvpn 1.x: route on darwin
Denis Vlasenko wrote: On Friday 14 May 2004 21:05, James Yonan wrote: Right now all new patches are going into 2.0, but I'm certainly amenable to merging localized patches such as the route patch for darwin into 1.x. I will add to the todo list for 1.6.1. Hmm. On Unixlike systems it typically easier to call sh script to do this kind of config changes. This looks like superior solution to me. both are available. it's also very simple to do all things in one config file. patch join (same than 2.0, build ok) Regards Julien --- route.c.origSat May 15 11:22:02 2004 +++ route.c Sat May 15 11:22:18 2004 @@ -634,6 +634,23 @@ if (r->metric_defined) buf_printf (, " -rtt %d", r->metric); #endif +#elif defined(TARGET_DARWIN) + + buf_printf (, ROUTE_PATH " add"); + +#if 0 + if (r->metric_defined) +buf_printf (, " -rtt %d", r->metric); +#endif + + buf_printf (, " -net %s %s %s", + network, + gateway, + netmask); + + msg (D_ROUTE, "%s", BSTR ()); + status = system_check (BSTR (), "ERROR: FreeBSD route add command failed", false); + buf_printf (, " -net %s %s -netmask %s", network, @@ -723,6 +740,17 @@ msg (D_ROUTE, "%s", BSTR ()); system_check (BSTR (), "ERROR: OpenBSD route delete command failed", false); +#elif defined(TARGET_DARWIN) + + buf_printf (, ROUTE_PATH " delete -net %s %s %s", + network, + gateway, + netmask); + + msg (D_ROUTE, "%s", BSTR ()); + system_check (BSTR (), "ERROR: Darwin route delete command failed", false); + + #else msg (M_FATAL, "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script"); #endif 
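Review bot: in the first hunk (@@ -634,6 +634,23 @@) the new `#elif defined(TARGET_DARWIN)` is inserted directly after the `#endif` of the preceding branch, ahead of that branch's own `buf_printf (, " -net %s %s -netmask %s", ...)` line, which is left as trailing context. That moves the `-netmask` command into the Darwin branch (so a Darwin build appends a second `-net ... -netmask ...` clause to the buffer it has just executed) and leaves the preceding OS branch with no route command at all; move the `#elif` down past the end of that branch. Also, the Darwin failure string reads "ERROR: FreeBSD route add command failed"; say Darwin, as the delete hunk does.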
@@ -859,6 +887,23 @@ rtm.rtm_version = RTM_VERSION; rtm.rtm_seq = ++seq; rtm.rtm_addrs = rtm_addrs; + +#elif defined(TARGET_DARWUB) + +#include +#include +#include + +/* all of this is taken from in Darwin */ +#define RTA_DST 0x1 +#define RTA_GATEWAY 0x2 +#define RTA_NETMASK 0x4 + +#define RTM_GET 0x4 +#define RTM_VERSION 5 + +#define RTF_UP 0x1 +#define RTF_GATEWAY 0x2 so_dst.sa_family = AF_INET; so_dst.sa_len = sizeof(struct sockaddr_in);
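Review bot: in the third hunk (@@ -859,6 +887,23 @@) the conditional reads `#elif defined(TARGET_DARWUB)`, so the block is never compiled, and the lines after it starting at `so_dst.sa_family = AF_INET;` now belong to that dead branch and are compiled for no platform; fix the spelling to `TARGET_DARWIN`. Once it is spelled right two more problems remain: the `#elif` sits between `rtm.rtm_addrs = rtm_addrs;` and `so_dst.sa_family = AF_INET;`, inside the preceding branch's body, so the `so_dst` setup drops out of that branch and only the Darwin side gets it while the `rtm` setup above never runs on Darwin; and the hand-copied `#define`s for `RTA_DST`, `RTA_GATEWAY`, `RTA_NETMASK`, `RTM_GET`, `RTM_VERSION`, `RTF_UP` and `RTF_GATEWAY` are unconditional, so they will collide with the system route header the three `#include` lines pull in (redefinition warnings now, silent mismatch if the header's values ever change). Include the system header, drop the local defines, and keep the `#include`s at file scope rather than inside the function. The header names in the three `#include` lines are missing from this copy of the patch.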
[Openvpn-devel] openvpn 1.x: route on darwin
is there any plan to include the route patch for darwin in 1.x ? http://cvs.sourceforge.net/viewcvs.py/openvpn/openvpn/route.c?r1=1.2.2.4=1.2.2.5 thanks Regards Julien Touche
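Added example (not the patch in the reply above and not OpenVPN code): a small Python helper that builds the per-OS `route` invocation this thread is about, the shape Denis suggests doing from a script instead of in route.c. The Darwin form (`-net NET GW MASK`) and the `-netmask` form are the two command shapes visible in the patch; the Linux net-tools form is an assumption added for comparison, and the target names and the functions route_argv, safe_route_argv and apply_route are the example's own. Unlike a composed command string handed to system(), the helper validates all three addresses with ipaddress and builds an argv list, so a route value that reaches the client from elsewhere (James mentions the server sending routes back in the 1.5 beta thread) cannot carry shell metacharacters.

```python
import ipaddress
import subprocess

# Command shapes, by build target (names are the example's own, not OpenVPN's):
#   darwin : route add -net NET GW MASK            (the patch's TARGET_DARWIN hunk)
#   bsd    : route add -net NET GW -netmask MASK   (the branch the patch inserts before)
#   linux  : route add -net NET netmask MASK gw GW (net-tools; assumed, for comparison)
TARGETS = ("darwin", "bsd", "linux")


def _check_route(network, netmask, gateway):
    """Parse the three dotted-quad strings; raise ValueError on anything else.

    Rejects non-contiguous masks and hostmask spellings such as 0.0.0.255,
    which ipaddress would otherwise silently accept.
    """
    net = ipaddress.IPv4Address(network)
    mask = ipaddress.IPv4Address(netmask)
    gw = ipaddress.IPv4Address(gateway)
    prefix = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
    if prefix.netmask != mask:
        raise ValueError(f"{netmask} is not a netmask")
    return str(net), str(mask), str(gw)


def route_argv(target, op, network, netmask, gateway):
    """argv for `route {add|delete}` on `target`; never a shell string."""
    if op not in ("add", "delete"):
        raise ValueError(f"unknown operation {op!r}")
    net, mask, gw = _check_route(network, netmask, gateway)
    if target == "darwin":
        return ["route", op, "-net", net, gw, mask]
    if target == "bsd":
        return ["route", op, "-net", net, gw, "-netmask", mask]
    if target == "linux":
        return ["route", op, "-net", net, "netmask", mask, "gw", gw]
    raise ValueError(f"unknown target {target!r}")


def safe_route_argv(*args):
    """route_argv() that returns None instead of raising, for callers that log and skip."""
    try:
        return route_argv(*args)
    except ValueError:
        return None


def apply_route(target, op, network, netmask, gateway, dry_run=True):
    """Build and (unless dry_run) execute the command; executing needs root."""
    argv = route_argv(target, op, network, netmask, gateway)
    if not dry_run:
        subprocess.run(argv, check=True)      # argv list: no shell involved
    return argv


if __name__ == "__main__":
    # Constructed values: route 10.0.0.0/8 via the VPN peer 10.8.0.1.
    for t in TARGETS:
        print(" ".join(apply_route(t, "add", "10.0.0.0", "255.0.0.0", "10.8.0.1")))
```

Called from a --route-up style script with dry_run=False, the same function issues the command; the point of the validation is that a bad value is rejected before anything is executed, not after the shell has already seen it.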
Re: [Openvpn-devel] No buffer space available (code=105)
From: Julien TOUCHE <julien.tou...@lycos.com> Date: Fri, 16 Jan 2004 23:15:47 +0100
in fact, the complete log shows this:
Fri Jan 16 22:48:39 2004 40: Peer Connection Initiated with 81.50.152.188:16883
Fri Jan 16 22:48:39 2004 41: Peer Connection Initiated with 10.0.1.26:16883
Fri Jan 16 22:48:39 2004 42: Peer Connection Initiated with 81.50.152.188:16883
Fri Jan 16 22:48:39 2004 43: Peer Connection Initiated with 10.0.1.26:16883
Fri Jan 16 22:48:39 2004 44: Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #11695541 / time = (1074289048) Fri Jan 16 22:37:28 2004 ] -- see the man page entry for --no-replay and --replay-window for more info
Fri Jan 16 22:48:39 2004 45: Peer Connection Initiated with 81.50.152.188:16883
Fri Jan 16 22:48:39 2004 46: Peer Connection Initiated with 10.0.1.26:16883
Fri Jan 16 22:48:48 2004 47: write UDPv4 []: No buffer space available (code=105)
Fri Jan 16 22:48:48 2004 48: write UDPv4 []: No buffer space available (code=105)
it seems it tries to connect to both the vpn external (remote) ip and the internal one (specified by ifconfig) ... the remote host is specified in a configuration file which had not been changed since 1.4 (maybe extra mute & log-append, but that's all). i get it on another link with no extra cpu use and strange frag traffic, but the connection is no longer reliable. both sides are linux 2.4 (openvpn 1.5 and 1.6b1 <-> 1.5b11; will try with 1.5) Regards Julien
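Added example, not OpenVPN's implementation: the sliding-window check that produces the "bad packet ID (may be a replay)" line above, written out so the log entry can be read. The ID in the log has two parts, a sequence number (#11695541) and a time (1074289048), and the man page options the message names (--replay-window, --no-replay) size or disable the window. The window of 64, the treatment of ID 0 as invalid, and the rule that a newer time value restarts the counter are assumptions taken for the example; ReplayWindow, verdicts and the sample ID lists are constructed here.

```python
# Sliding-window anti-replay check over (sequence, time) packet IDs.

class ReplayWindow:
    """Accept each packet ID at most once while tolerating reordering.

    `seq` is the per-session counter; `time` is the second half of the ID in
    the log line. A packet with a newer time starts a fresh window, one with an
    older time is rejected, and within one time value a bitmap remembers which
    of the `size` IDs at or below the highest one seen have already arrived.
    """

    def __init__(self, size=64):          # 64: assumed default window size
        if not 1 <= size <= 4096:
            raise ValueError("window size out of range")
        self.size = size
        self.time = 0        # time half of the highest ID accepted
        self.top = 0         # highest seq accepted for self.time
        self.bitmap = 0      # bit i set  <=>  seq (top - i) already seen

    def check(self, seq, time=0):
        """Return True and record the ID if it is fresh, False if it must be dropped."""
        if seq <= 0:                       # assumption: 0 is never a valid seq
            return False
        if time < self.time:               # from an earlier time era: stale
            return False
        if time > self.time:               # new era: counter restarts
            self.time, self.top, self.bitmap = time, 0, 0
        if seq > self.top:                 # ahead of everything seen: slide
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        back = self.top - seq
        if back >= self.size:              # older than the window: cannot tell
            return False
        if (self.bitmap >> back) & 1:      # already accepted: replay
            return False
        self.bitmap |= 1 << back           # late but fresh: accept once
        return True


def verdicts(ids, size=64):
    """Run a list of seqs, or (seq, time) pairs, through one window."""
    w = ReplayWindow(size)
    out = []
    for item in ids:
        seq, t = item if isinstance(item, tuple) else (item, 0)
        out.append(w.check(seq, t))
    return out


# Constructed sample: duplicates, reordering, a jump past the window, an
# ID that falls off the back edge, and a very old one.
SAMPLE = [1, 2, 2, 5, 3, 3, 100, 36, 37, 1]

# Constructed around the log line's own ID: 11695541 is accepted when it
# trails the highest seen by fewer than 64, rejected as "may be a replay"
# once the window has moved further past it.
LOG_LATE = [(11695600, 1074289048), (11695541, 1074289048)]
LOG_TOO_LATE = [(11695700, 1074289048), (11695541, 1074289048)]

if __name__ == "__main__":
    print(verdicts(SAMPLE))        # [True, True, False, True, True, False, True, False, True, False]
    print(verdicts(LOG_LATE))      # [True, True]
    print(verdicts(LOG_TOO_LATE))  # [True, False]
```

The two LOG_* lists show why the message hedges with "may be": an ID that arrives more than a window's width behind the newest one is indistinguishable from a replay, so it is dropped either way, and a larger --replay-window trades memory for tolerance of that reordering.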
Re: [Openvpn-devel] comments on beta12
James Yonan wrote: Right, but I don't think this behavior has changed since 1.4.x? You need to sorry, i was thinking all unix could call "dev tun" or "dev tap". not a real problem. > Not sure about that -- it would be handled by the tun driver on OpenBSD. OpenVPN never sees the packet when the local endpoint is pinged. i think this too, but it was only a comment. in any case, openvpn 1.5 will rock :) Regards Julien
Re: [Openvpn-devel] Need 1.5 beta testers for *BSD, Linux 2.2, OS X
julien Touche wrote: one extra could be: a client hidden behind a gateway (so with no public ip) could contact and establish a vpn with a public box. would it be possible without any relay on the client gateway ? finally, what about this question ? do you think it is possible ? thanks & regards Julien
Re: [Openvpn-devel] New feature: --ifconfig for tap devices
James Yonan wrote: What I need right now in order to make the TAP version of --ifconfig work correctly, is the correct ifconfig command syntax for setting the IP address and netmask of a TAP device, on all the OSes which OpenVPN supports. I've already coded templates for Linux and Windows, but I still need to know the appropriate ifconfig syntax for FreeBSD, OpenBSD, NetBSD, Solaris, and Mac OS X, with respect to setting the IP/netmask on a TAP device. So if you are using one of these OSes with OpenVPN + TAP adapter, please let us know what kind of ifconfig syntax you use in your --up script to set the adapter parameters. not sure if tap is available on openbsd (have posted it previously to james). some googling led me to this thread http://www.monkey.org/openbsd/archive/tech/0111/msg00098.html and find /sys -iname '*tap*' returns nothing, so i'm not sure the openbsd stock kernel has tap ... if someone has more information (i will ask about it on misc@) Regards Julien
Re: [Openvpn-devel] Need 1.5 beta testers for *BSD, Linux 2.2, OS X
James Yonan wrote: I'm thinking about something like this in a more generalized context, where OpenVPN running as a server would actually generate the config file for the client, and send it to the client via SSL after an initial authentication handshake. This would simplify the configuration on the client side, and allow the server to send routes back to the client. one extra could be: a client hidden behind a gateway (so with no public ip) could contact and establish a vpn with a public box. would it be possible without any relay on the client gateway ? Regards Julien
Re: [Openvpn-devel] Need 1.5 beta testers for *BSD, Linux 2.2, OS X
works well with openbsd 3.4-beta. question regarding windows openvpn (thanks a lot for this :): is it possible to have some script executed (like adding a route for the other side's subnet) ? Regards Julien
[Openvpn-devel] some questions
Hi
first, greetings for openvpn, which is a best-of for easy VPN :)
i have a small list of questions i can't answer myself:
- at which stage is the win32 port ? still looking for a tun driver ? i had a glimpse at the cipe driver, which seems a "simple unix2win" NDIS driver, but 1- it cannot compile (needs ndis.h, part of the windows DDK, which is not a free download) 2- it is a lot bigger compared to the unix tun code (from the vtun site), even if it does more 3- there is no /dev in win, so what's best ? a pipe, i believe ?
- is there any way to connect someone who is not root ? for example, i'm at work with a desktop computer without root access (maybe even not sure to have a tun/tap driver), but i have only two or three apps i need to connect to my home vpn (ssh, ftp, ...). i can modify them in order to send data not on a socket but on a pipe (or anything else) which sends the data to a modified openvpn that sends it on to my home vpn. is it possible or am i completely dreaming ? another solution is: having a list of ports tunneled from local (8080, , ...) to local (9991, 9992, ...) (by stunnel for example), and the latter list of ports i send to the vpn by openvpn/nonroot (of course, we need to define for each local port the distant port AND host, but if we can change it on the fly, it will be ok; or maybe someone knows a way for a common user to forward all data addressed to a port to another host ?)
the tun/tap driver is only required if we want a complete real network interface, right ? (which is necessary if we want to work with unmodified apps)
Regards
PS: please cc.