Re: [Openvpn-devel] Topics for today's (Monday, 14th Dec 2015) community meeting

2015-12-14 Thread Samuli Seppänen

Hi,

Here's the summary of today's IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-devel on irc.freenode.net
List-Post: openvpn-devel@lists.sourceforge.net
Date: Monday 14th Dec 2015
Time: 20:00 CET (19:00 UTC)

Planned meeting topics for this meeting were here:

<https://community.openvpn.net/openvpn/wiki/Topics-2015-12-14>

The next meeting has not been scheduled yet, but will probably be arranged two 
weeks from now.

Your local meeting time is easy to check from services such as

<http://www.timeanddate.com/worldclock>

SUMMARY

cron2, ecrist, lev, ltfish, mattock, rafaelgava100, syzzer and valdikss 
participated in this meeting.

---

Discussed the "Make ValdikSS's DNS leak fix platform agnostic" patch:

<http://thread.gmane.org/gmane.network.openvpn.devel/10746>

Several new versions of the patch were created and tested during the meeting. 
The final version worked on enough mingw-w64 and Visual Studio versions to 
allow giving it an ACK.

---

Discussed the "Added two feature to Network Address Translator" patch:

<http://thread.gmane.org/gmane.network.openvpn.devel/10047>

None of the attendees knew the affected codepaths well enough, so mattock sent 
email to jamesyonan, asking him to review the patch.

---

Discussed the "Distribute the GUI to run with highest privilege available" 
patch to openvpn-gui:

<http://thread.gmane.org/gmane.network.openvpn.devel/10761>
<https://github.com/OpenVPN/openvpn-gui/pull/6/commits>
<http://thread.gmane.org/gmane.network.openvpn.user/36387/focus=36417>

The approach taken in the patch seems sane. Mattock will do some basic testing 
with the patched OpenVPN-GUI and if all goes well, merge it into official 
installers. The testing does not have to postpone the 2.3.9 release, as new 
Windows installers can be released soon after initial 2.3.9 Windows installers 
are out.

The alternative approach of using level="requireAdministrator" seems to have 
the potential to break valid cases where the user _does_ have the privileges 
required for OpenVPN to work, but _does not_ have admin privileges.

---

Discussed OpenVPN 2.3.9 release. Here is the release plan:

- mattock posts changes.rst to list
- cron2 adds changes.rst, updates ChangeLog and version.m4
- mattock builds 2.3.9 installers with all the new stuff
- if that is good, cron2 tags and we ship

In addition:

- the initial windows installers will not have the openvpn-gui changes
- mattock will provide test installers with the changes and send a link to 
the list
- if the test installers work fine for people, new official installers will 
be released

---

Full chatlog has been attached to this email.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
(21:02:34) mattock: hi
(21:02:46) ecrist: hey, mattock
(21:02:50) lev__: hi
(21:02:50) mattock: hi ecrist!
(21:02:56) mattock: ready to start the meeting?
(21:03:01) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2015-12-14
(21:03:03) vpnHelper: Title: Topics-2015-12-14 – OpenVPN Community (at 
community.openvpn.net)
(21:04:49) syzzer: hi, yes, ready!
(21:04:58) mattock: is the topic list ok? anything to remove or add?
(21:05:14) cron2_: lev__: if you close 637, we can just have it done on the 
agenda :)
(21:05:38) lev__: cron2_: I would like to but don't have trac admin rights
(21:05:51) cron2_: oh?  mattock: can you fix that, please? :-)
(21:05:57) cron2_: (trac name is "stipa")
(21:06:06) mattock: cron2_: ok
(21:06:17) WayneD ha abbandonato la stanza (quit: Remote host closed the 
connection).
(21:06:57) mattock: done
(21:06:58) gava100: hi, I'd like to ask you guys about a patch: "Allow the user 
to use the string 'client-ip' on the  client-nat network configuration as a 
convenient way to use  the leased IP address received from OpenVPN server"
(21:07:36) cron2_: it's on the agenda
(21:07:54) gava100: oh great, thx!
(21:07:57) cron2_: (though I'm not sure if mattock linked the right mail)
(21:08:24) mattock: yes, I did
(21:08:36) mattock: unless there is a version 2 or something
(21:08:58) mattock: I'll check the previous discussion regarding that patch
(21:09:31) gava100: exactly. The version 2 is only for this client-ip string.
(21:09:48) cron2_: regarding fish's v2 patch - "close, but no cigar" - it is 
removing all #if _WIN32_WINNT >= 0x0600 lines, but some of them should actually 
be #if defined(WIN32) - those in init.c, for example, because otherwise it will 
fail non-windows builds
(21:10:20) ltfish: i see
(21:10:30) gava100: I think we should consider it instead of the previous pat

[Openvpn-devel] OpenVPN 2.3.9 released

2015-12-16 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.3.9. It 
can be downloaded from here:


<http://openvpn.net/index.php/open-source/downloads.html>

This release includes many small improvements and fixes. The biggest 
change is the addition of --block-outside-dns option, which can be used 
to fix DNS leaks in Windows 8.1 and 10. There are also improvements to 
behavior during suspend/resume on Windows and integration with external 
service managers such as NSSM. Client-side part of server restart 
notification is also included. A full list of changes is available here:


<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23>

For generic help use these support channels:

Official documentation: 
<http://openvpn.net/index.php/open-source/documentation/howto.html>

Wiki: <https://community.openvpn.net>
Forums: <https://forums.openvpn.net>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: <https://community.openvpn.net>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires 
Freenode registration)


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-devel] Topics for today's (Monday, 28th Dec 2015) community meeting

2015-12-28 Thread Samuli Seppänen

Hi,

We're going to have an IRC meeting today starting at 20:00 CET (19:00 
UTC) on #openvpn-meeting  irc.freenode.net. Note that the meeting 
channel has changed and that you do _not_ have to be logged in to 
Freenode to join the channel.

Current topic list along with basic information is here:

<https://community.openvpn.net/openvpn/wiki/Topics-2015-12-28>

If you have any other things you'd like to bring up, respond to this 
mail, send me mail privately or add them to the list yourself.

In case you can't attend the meeting, please feel free to make comments 
on the topics by responding to this email or to the summary email sent 
after the meeting. Whenever possible, we'll also respond to existing, 
related email threads.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] windows team ?

2015-12-28 Thread Samuli Seppänen



Hello,

I've heard about "things need some loving" and "let us create windows team".
can you please pay some attention to pull requests
https://github.com/OpenVPN/openvpn-gui/pulls ?

it is no good when PR stay without any attention. looks like there's no
loving for windows things.


There has been attention, just no action. I responded to the pull request.

Best regards,

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] Summary of today's (28th Dec 2015) IRC meeting

2015-12-28 Thread Samuli Seppänen

Hi,

Here's the summary of today's IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
List-Post: openvpn-devel@lists.sourceforge.net
Date: Monday 28th Dec 2015
Time: 20:00 CET (19:00 UTC)

Planned meeting topics for this meeting were here:

<https://community.openvpn.net/openvpn/wiki/Topics-2015-12-28>

The next meeting (patch review sprint) has been scheduled to two weeks from now.

Your local meeting time is easy to check from services such as

<http://www.timeanddate.com/worldclock>

SUMMARY

cron2, gava100, Guest37887, jamesyonan, mattock, plaisthos, syzzer and valdikss 
participated in this meeting.

---

Discussed the open pull requests in the OpenVPN-GUI subproject:

<https://github.com/OpenVPN/openvpn-gui/pulls>

Both will be handled / are being handled by mattock.

--

Discussed "AEAD (GCM) mode" and how to move forward with it. The AEAD part can 
probably be merged after some more tests, but the negotiation part requires 
more work to ensure correctness.

--

Discussed tap-windows6 driver and Windows 10. It was noted that new driver 
signing requirements require us to obtain an EV code signing certificate, as 
well as to use "Windows Hardware Developer Center Dashboard" to sign the 
drivers. Mattock is moving this forward at the company side.

--

Discussed the OpenVPN 2.3.10 release. IPv6 support for Windows XP is broken 
right now, and we want to implement a fix which lev is working on. It was 
agreed to release 2.3.10 on 4th or 5th Jan 2016. A separate release meeting 
will not be arranged unless deemed necessary.

--

Discussed open tickets related to the Windows Installer:

<https://community.openvpn.net/openvpn/ticket/638>
<https://community.openvpn.net/openvpn/ticket/632>

Mattock will handle the first two in one go to save some context switches. 
Customizing openvpn.nsi in openvpn-build for Windows XP will be avoided at all 
cost.

--

Discussed a rather nasty tap-windows6 + Windows 10 issue:

<https://community.openvpn.net/openvpn/ticket/592>

This ticket is blocked by the lack of the capability to (re)build tap-windows6 for 
Windows 10 (see above).

--

Discussed our patch review rate. It was agreed that we can't review patches as 
fast as they come. Large patchsets in particular tend to get bogged down. We'll 
try having patch review sprints in addition to regular meetings to speed things 
up. These sprints would include only patch review and nothing else. Larger 
patchsets could have dedicated sprints.

The first sprint will be arranged on Monday two weeks from now, unless 
something requires a change in this plan.

---

Full chatlog has been attached to this email.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
(21:04:35) samuli: hi!
(21:04:44) samuli: topic list: 
https://community.openvpn.net/openvpn/wiki/Topics-2015-12-28
(21:04:46) vpnHelper: Title: Topics-2015-12-28 – OpenVPN Community (at 
community.openvpn.net)
(21:05:50) samuli: cron2 said he'll be a bit late
(21:06:25) samuli: we can skip the openvpn-gui pull request for now: 
https://github.com/OpenVPN/openvpn-gui/pull/8
(21:06:27) vpnHelper: Title: cppcheck cleanup: by chipitsine · Pull Request #8 
· OpenVPN/openvpn-gui · GitHub (at github.com)
(21:06:36) samuli: once I get the tarball, I can do a test build and merge
(21:07:28) syzzer: hi :)
(21:07:34) samuli: hi!
(21:07:46) syzzer: forgot to check this channel :')
(21:08:33) syzzer: anyone else here but mattock_ and me?
(21:08:51) samuli: jamesyonan should be here
(21:08:59) samuli: as in "not just idling"
(21:09:13) syzzer: ah, good
(21:09:14) samuli: any idea what tickets topic #3 refers to?
(21:09:40) jamesyonan: hi guys
(21:09:43) samuli: "Windows Installer - open trac tickets"
(21:09:43) syzzer: the 'run as admin' stuff perhaps? (or did you already fix 
that?)_
(21:09:47) samuli: hi jamesyonan!
(21:09:54) syzzer: hi james
(21:09:58) samuli: syzzer: no, didn't have time yet
(21:10:15) samuli: maybe we should start with #4: AEAD (GCM) mode - the way 
forward 
(21:10:28) syzzer: yes, that makes sense
(21:11:16) syzzer: so I have fiddled a bit more with my AEAD implementation, 
and have been looking into cipher negotiation
(21:12:20) syzzer: I have a trivial server-side implementation that just pushes 
the server cipher when a client announces 'IV_NCP' capabilities
(21:14:49) syzzer: real negotiation is more tricky.  I got the negotiation 
itself going, but still need to figure out how to figure out the correct frame 
sizes etc (in a nice way)
(21:15:26) syzzer: the current code assumes to know a lot of that stuff 
beforehand

[Openvpn-devel] Windows installers with OpenVPN-GUI that requests highest available privileges

2015-12-30 Thread Samuli Seppänen

Hi,

I've produced two test installers based on OpenVPN 2.3.9 plus an 
OpenVPN-GUI which requests highest possible privileges of the user, 
instead of launching as the invoking user:


<https://github.com/OpenVPN/openvpn-gui/pull/6>

The above patch should allow users with administrator privileges to 
launch OpenVPN-GUI without having to "Run as administrator" separately. 
It should also allow use of OpenVPN-GUI without having full admin rights 
- it is enough to have whatever OpenVPN/OpenVPN-GUI needs to function 
properly. A much more detailed description is available beyond the above 
link.


The test installers are here:

<http://build.openvpn.net/downloads/temp/openvpn-install-2.3.9-I901-i686.exe>
<http://build.openvpn.net/downloads/temp/openvpn-install-2.3.9-I901-x86_64.exe>

Let me know if the installers work correctly - or don't. I'd like to 
merge this functionality into OpenVPN 2.3.10 which is due early next 
week. If that deadline passes, I will release new Windows installers 
with this patch a bit later.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
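
For reference, an added example (not taken from the openvpn-gui pull request or from this thread): the Windows application-manifest setting that the message above is about. The assembly name is a placeholder, and the comments summarize standard UAC behaviour for each `requestedExecutionLevel` value.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Added example: application manifest embedded in a Windows GUI executable.
     The assemblyIdentity name below is a placeholder, not the project's value. -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32" name="Example.VpnGui" version="1.0.0.0"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!--
          The level attribute accepts one of three values.

          asInvoker
            The program starts with the token of the process that launched
            it and never triggers a UAC prompt. A member of Administrators
            who simply double-clicks the program gets the filtered
            (unelevated) token, so privileged operations such as adding
            routes fail later unless the user chose "Run as administrator".

          highestAvailable
            A standard user starts the program without a prompt, using the
            only token that user has. A user who logs on with a split token
            (a member of Administrators, or of another privileged group such
            as Network Configuration Operators) gets a consent prompt and
            the program then runs with that user's full token.

          requireAdministrator
            The program only starts with an administrator token. A standard
            user is asked for an administrator's credentials and cannot
            start the program without them, even when that user's own
            rights would have been enough for the program to work.
        -->
        <requestedExecutionLevel level="highestAvailable" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```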



Re: [Openvpn-devel] link to openvpn.se ?

2015-12-31 Thread Samuli Seppänen


> Hello,
>
> I mentioned that you want to shut down openvpn.se <http://openvpn.se>,
> because of being too old.
> however, there're links to it, for instance,
> https://github.com/OpenVPN/openvpn-gui/blob/master/README
>
> more links, higher google page rank, so people will see it in search
> results.
> should we remove that link ?


It seems the README is horribly obsolete and should be rewritten, 
probably as README.rst. I can do most of the modernization, but I'll 
need a bit of advice regarding the internal technical changes for d12fk 
and others. We can work on this on #openvpn-windows.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] OpenVPN 2.3.10 released

2016-01-04 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.3.10. 
It can be downloaded from here:


<http://openvpn.net/index.php/open-source/downloads.html>

This release fixes IPv6 on Windows XP and warns users about expired 
certificates. A few other small fixes and improvements are included. In 
addition, PolarSSL 1.3 is now required for PolarSSL builds. The Windows 
installers now bundle OpenVPN-GUI 10, which automatically requests 
administrator privileges using UAC, instead of launching as a normal 
user and then failing at route creation time. A full list of changes is 
available here:


<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23>

For generic help use these support channels:

Official documentation: 
<http://openvpn.net/index.php/open-source/documentation/howto.html>

Wiki: <https://community.openvpn.net>
Forums: <https://forums.openvpn.net>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: <https://community.openvpn.net>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires 
Freenode registration)


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] some cleanup on openvpn-build

2016-01-11 Thread Samuli Seppänen

Hi,

I merged the pull request. I do get pull request notifications from 
GitHub, but it might take some days before I actually get to reviewing 
them. In this case the changes were trivial, but some changes require 
manual testing, so I need to find a suitable time slot for doing it.


What I've noticed some people on GitHub doing is creating a separate 
local branch for each pull request. This way they can continue working 
on their own "master" branch even if the pull request is not immediately 
merged upstream.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


Hello,

please someone have a look at
https://github.com/OpenVPN/openvpn-build/pull/16

it seems there are a few more files with --enable-password-save or
--disable-snappy


Cheers,
Ilya Shipitsin








Re: [Openvpn-devel] link to openvpn.se ?

2016-01-11 Thread Samuli Seppänen
No progress. The task is on my Kanban board, so it won't be forgotten 
about. I've just had other (arguably more important) things to do.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Hello,

any progress here ?

2015-12-31 14:48 GMT+05:00 Samuli Seppänen <sam...@openvpn.net>:


 > Hello,


I mentioned that you want to shut down openvpn.se <http://openvpn.se>,
because of being too old.
however, there're links to it, for instance,
https://github.com/OpenVPN/openvpn-gui/blob/master/README

more links, higher google page rank, so people will see it in search
results.
should we remove that link ?


It seems the README is horribly obsolete and should be rewritten,
probably as README.rst. I can do most of the modernization, but I'll
need a bit of advice regarding the internal technical changes for
d12fk and others. We can work on this on #openvpn-windows.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock








Re: [Openvpn-devel] [PATCHv2] Update INSTALL-win32.txt for OpenVPN 2.3.10

2016-01-11 Thread Samuli Seppänen



Hi,

On Mon, Jan 04, 2016 at 08:25:20PM +0200, sam...@openvpn.net wrote:

From: Samuli Seppänen 

OpenVPN 2.3.10 includes an OpenVPN-GUI which automatically requests elevation of
privileges using UAC. Modified INSTALL-win32.txt to reflect this behavior.


I wonder if these bits should not be removed from the INSTALL-win32.txt
we ship in the main openvpn repo - since this is a gui thing and happens
totally outside the main repo...  move it to the windows build tree,
maybe, and show it from the installer upon installation?

gert


Hi,

Looking at the full contents of INSTALL-win32.txt your suggestion 
makes sense. I'll migrate the file to openvpn-build and then send a 
removal patch for openvpn/INSTALL-win32.txt.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] Disabling auth_pam plugin by default in openvpn-build?

2016-01-11 Thread Samuli Seppänen

Hi,

There is a pull request in GitHub to openvpn-build, which disables 
auth_pam plugin by default:


<https://github.com/OpenVPN/openvpn-build/pull/10/files>

For Windows this makes sense, as PAM is not present. However, 
openvpn-build can also be used to cross-compile for the ARM 
architecture, in which case PAM might be useful.


Does the pull request make sense, or should we just fix this with 
better documentation, e.g.


"If you're cross-compiling for ARM, make sure you add 
--disable-plugin-auth-pam to EXTRA_OPENVPN_CONFIG"


Thoughts?

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] Patch review sprint today at 20:00 CET (19:00 UTC) on #openvpn-meeting

2016-01-11 Thread Samuli Seppänen

Hi,

We're having a patch review sprint today at 20:00 CET (19:00 UTC) on 
#openvpn-meeting channel on Freenode. The idea is to have no other 
topics, so that we can focus on shortening our backlog of unreviewed 
patches. The "topic" list is here:


<https://community.openvpn.net/openvpn/wiki/Topics-2016-01-11>

If you want to join the sprint, it would be great if you could let me know 
about that via a private email, or by saying "I will be present" on 
#openvpn-meeting channel. This helps us determine which patches we 
can/should review today.


Best regards,

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] Disabling auth_pam plugin by default in openvpn-build?

2016-01-11 Thread Samuli Seppänen



Hi,

On Mon, Jan 11, 2016 at 03:38:15PM +0100, David Sommerseth wrote:

You'll most likely upset quite some Linux distro maintainers.
Especially if such a change is not properly communicated.

I know at least RPM packaging will start failing when it detects that
files expected to be installed by 'make install' are missing.  Other
packaging systems may behave differently.


I would be very surprised to see "standard" distro maintainers use the
openvpn-build script set - as it's totally unneeded unless you do
cross-building...


Yeah, exactly. This might be one of those "ask around in vain, then turn it 
off, and suddenly everyone is complaining". I have no strong feelings 
one way or the other.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] travis-ci for openvpn-gui

2016-01-18 Thread Samuli Seppänen

Hi,


Hello,

https://github.com/OpenVPN/openvpn-gui/pull/12


I merged this one, it looked good afaict.


should we add build configuration under https://travis-ci.org/openvpn/ ?


I think that makes sense. Syzzer can do it I believe.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] Rewrite of OpenVPNServ.exe

2016-01-22 Thread Samuli Seppänen



Hi,

On Fri, Jan 22, 2016 at 07:31:37PM +0800, Daniel Sim wrote:

I have rewritten openvpnserv.exe in C# to support auto-restart on
termination and to support suspend/resume.


Can you cross-build C# binaries?  If yes, what do you need?


The "ovpnsvcsetup" (NSSM wrapper) I started writing is/was developed on 
Linux using MonoDevelop. I only needed Windows to test the resulting 
executable. Basically C# executables will work on any platform that has 
a .NET runtime environment, including Linux if it has Mono installed. 
This is quite similar to how Java works.


In this particular case the code is tightly coupled with Windows for 
other reasons, even though in theory the code would run on Linux+Mono.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] travis-ci for openvpn-gui

2016-01-25 Thread Samuli Seppänen

Hi,

Sorry, took a while. Travis-CI should work now, it has been enabled in 
openvpn-gui GitHub project and in the Travis-CI portal.


Samuli



Samuli, any news from you ?

2016-01-23 1:22 GMT+05:00 Илья Шипицин <chipits...@gmail.com>:

any progress here ?

2016-01-22 14:05 GMT+05:00 Steffan Karger <stef...@karger.me>:

On Fri, Jan 22, 2016 at 9:40 AM, Илья Шипицин
<chipits...@gmail.com> wrote:
> who can add it to https://travis-ci.org/openvpn/ ?

Samuli can do this - I do not have sufficient rights on the
openvpn-gui repository.

-Steffan









Re: [Openvpn-devel] [PATCH v3] interactive service v3

2016-01-26 Thread Samuli Seppänen



Hi,

so, this took quite a while - barely 2.5 years, but we're getting
there.  v3 of the patch has been rebased to git master, and all comments
from Steffan and my earlier review have been integrated into the build
stuff and the openvpn side of the code - so, as far as openvpn goes, I'm
fine with merging that but would welcome an independent ACK (given that
I modified quite a bit of Heiko's code).

The service part has been *tested* - as in:

  - compiles (mingw)
  - runs on Win7  (openvpnserv -remove, copy in new binary, run
"openvpnserv -install", "openvpnserv -start interactive" [or reboot])
  - does what it says on the tin:
 - run openvpn.exe as the user executing the GUI
 - handles adding and removing of ipv6 address config and v4/v6 routing
 - enables use of openvpn gui without [X] admin checkbox as a totally
   unprivileged user
 - openvpn log makes it clear whether netsh.exe is used or service

what I have not done is a full review of the resulting code - the changes
are large and intrusive, and given the amount of code *removal* it looks
like "massive cleanup" happened as well.  I do not know Windows well enough
to understand the intricacies, so a review from someone with a stronger
Windows background would be welcome - Selva, are you still around?

There are some caveats that need to be tested better in combination with
a full reinstall, like "where does the openvpn log go to, and is the
destination writeable?" - that seems to relate to registry entries that
my system did not have, so there will be extra work for Samuli and Heiko
as well...

gert



When this code gets into Git "master" the Windows buildslave will start 
producing installers with this functionality. We can then point people 
at those. I suspect enterprises in particular are interested in this 
functionality so I think we'll get a fair amount of testing before we 
even reach 2.4.0.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] [PATCH v3] interactive service v3

2016-01-26 Thread Samuli Seppänen

> Hi,


so, this took quite a while - barely 2.5 years, but we're getting
there.  v3 of the patch has been rebased to git master, and all comments
from Steffan and my earlier review have been integrated into the build
stuff and the openvpn side of the code - so, as far as openvpn goes, I'm
fine with merging that but would welcome an independent ACK (given that
I modified quite a bit of Heiko's code).

The service part has been *tested* - as in:

  - compiles (mingw)
  - runs on Win7  (openvpnserv -remove, copy in new binary, run
"openvpnserv -install", "openvpnserv -start interactive" [or reboot])
  - does what it says on the tin:
 - run openvpn.exe as the user executing the GUI
 - handles adding and removing of ipv6 address config and v4/v6 routing
 - enables use of openvpn gui without [X] admin checkbox as a totally
   unprivileged user
 - openvpn log makes it clear whether netsh.exe is used or service

what I have not done is a full review of the resulting code - the changes
are large and intrusive, and given the amount of code *removal* it looks
like "massive cleanup" happened as well.  I do not know Windows well enough
to understand the intricacies, so a review from someone with a stronger
Windows background would be welcome - Selva, are you still around?

There are some caveats that need to be tested better in combination with
a full reinstall, like "where does the openvpn log go to, and is the
destination writeable?" - that seems to relate to registry entries that
my system did not have, so there will be extra work for Samuli and Heiko
as well...

gert


One question, primarily to Heiko... does the interactive service solve 
the use-case where the administrator/user wants to have persistent 
connections that come up on boot and are not closed or managed in any 
way in the meantime? In this use-case no user interaction is wanted, 
needed or expected.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] [PATCH v3] interactive service v3

2016-01-27 Thread Samuli Seppänen

On 27/01/2016 00:54, Selva Nair wrote:


On Tue, Jan 26, 2016 at 4:24 PM, Gert Doering <g...@greenie.muc.de> wrote:

Since Heiko has reworked the "classic" code (in automatic.c now, as
he called this "automatic service") maybe we can just use the
opportunity
to get the remaining issues fixed - is there more than "restart
openvpn.exe
when it dies"?


Haven't looked at the new code, but if the "automatic service" logic
is the same as before, it would take some work to make it behave like a
watchdog of openvpn.exe processes. Using NSSM for "automatic" uses and
this one only for interactive start ups by the GUI may be a better
option. NSSM has the added advantage of one service per config which
could be independently stopped and restarted etc.

The original service starts all the configs and then sits there waiting
for the exit event to trigger, at which point the service will just
stop. For one, the exit event will not trigger when openvpn.exe quits
and even if we make the event to trigger, there is only one common event
for multiple configs, and the service just stopping at such an event
serves no purpose.

Instead of fixing it why not just use NSSM? Then the interactive service
patch could be decoupled from openvpnserv and provided as a new feature
independent of the original service.

Selva


There actually is a drop-in replacement for the old openvpnserv.exe here:

<https://github.com/mattock/openvpnserv2>

It was announced here:

<https://community.openvpn.net/openvpn/ticket/595>

From now on, I will call it openvpnserv2 to distinguish it from the old 
crappy openvpnserv.exe and from the interactive service.


I would personally prefer openvpnserv2 over using glue and duct-tape 
around NSSM to make its configuration frontend suck less. Openvpnserv2 
can already restart dead connections, e.g. after the computer has 
resumed from suspend or hibernation. I did some very basic testing on a 
Windows 7 laptop and confirmed suspend/resume worked fine. Of course 
we'd need more extensive tests with test installers before releasing it 
to a wider audience.


An added bonus is that openvpnserv2 is written in C#, which means it can 
be developed on Linux using Mono, and the language choice probably helps 
getting new contributions from people not fluent with C.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] [PATCH v3] interactive service v3

2016-01-27 Thread Samuli Seppänen

Hi,

On Wed, Jan 27, 2016 at 10:14:18AM +0200, Samuli Seppänen wrote:

An added bonus is that openvpnserv2 is written in C#, which means it can
be developed on Linux using Mono, and the language choice probably helps
getting new contributions from people not fluent with C.


I'm not totally convinced that "mixing in a new language" is a *bonus*
(as it means that the core team won't be able to help unless also fluent
with the other language).


Well, I just reviewed all of the code with no difficulty, so I would 
have no trouble co-maintaining it. Openvpnserv2 is built on top of 
generic Service C# classes provided by Microsoft and overrides a few 
methods such as OnStart, OnStop, and sets some capabilities based 
on what OpenVPN processes can (be ordered to) do. For an overview of the 
ServiceBase class look here:


<https://msdn.microsoft.com/en-us/library/system.serviceprocess.servicebase%28v=vs.110%29.aspx>

The core of openvpnserv2 is in this file:

<https://github.com/xkjyeah/openvpnserv2/blob/master/Service.cs>

The remaining files are mostly stuff added by the IDE. The only thing 
that openvpnserv2 really adds on top of generic MS service classes is:


- loading of OpenVPN registry keys
- building the command-line(s) to launch the connection(s)
- monitoring the individual OpenVPN processes and restart them if they crash
- stopping the processes before suspend
- starting the processes on resume

That said, the code does not seem to handle 32/64-bit registry keys yet. 
This needs to be fixed, unless there is some underlying magic in there I 
missed. Adding support for selecting which connections to launch 
automatically would also be nice, e.g. via registry or a config file.


I would not be worried about current core developers not being able to 
help with openvpnserv2. First, they haven't really been able to help 
with openvpnserv.exe, either. If they had, we wouldn't be having this 
discussion in the first place. I would be inclined to think that instead 
of overloading the existing C maintainers we should try to get _new_ 
people to maintain the Windows service part.


I don't see a problem with moving to C# for a number of reasons:

- The codebase is pretty small
- Most of the hard lifting is done in the classes maintained by MS
- There is already a maintainer for this code
- There is a volunteering co-maintainer (=me) in the core group
- C# is easier than C to understand/develop (imho), if you already know 
a high-level language (especially Java, but also Python etc.)



Given that services run with maximum privileges, strong review is as
important there as for core openvpn...


Yes, agreed. But note that most of the functionality is stock 
functionality provided by Microsoft in their libraries, so there's not 
much to review. As said, I reviewed the code already, but of course it 
does not hurt if an experienced C# developer has a second look.


One thing to bear in mind is that making horrible mistakes (e.g. create 
a gaping security hole) with C# is more difficult than with C, so while 
review is of course necessary, every single line does not have to be picked 
apart for potential vulnerabilities.



If the only reason why everyone is disliking the old openvpnserv is
"it is not restarting openvpn.exe when it breaks" - *that* should be
fairly easy to add.  So, what is that people consider "broken"?


It does not work at all in Windows 10 afaik, and only barely works in 
Windows 8.1. It does not handle suspend/resume. It is not maintained, 
and there are no maintainers, and I don't see any maintainers appearing. 
There are a bunch of tickets in Trac related to openvpnserv.exe, 
directly or indirectly. Interestingly openvpnserv.exe has been dropped 
from the OpenVPN Chocolatey package[1], apparently because it's fairly 
useless nowadays.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


[1] <https://chocolatey.org/packages/openvpn>



Re: [Openvpn-devel] [PATCH v3] interactive service v3

2016-01-29 Thread Samuli Seppänen




On Wed, Jan 27, 2016 at 3:20 AM, Gert Doering <g...@greenie.muc.de> wrote:

Hi,

On Wed, Jan 27, 2016 at 10:14:18AM +0200, Samuli Seppänen wrote:
> An added bonus is that openvpnserv2 is written in C#, which means it can
> be developed on Linux using Mono, and the language choice probably helps
> getting new contributions from people not fluent with C.

I'm not totally convinced that "mixing in a new language" is a *bonus*
(as it means that the core team won't be able to help unless also fluent
with the other language).


Currently the service is a part of the openvpn repo, but there is no
reason to keep it thus. In fact, once the interactive service is
available, in my view, it may not be even necessary to ship the original
service with the windows binary distribution. Only advanced users would
need the original service or its equivalent (openvpnserv2 or NSSM) usage
of which could be made available as documentation in the wiki pages.


This would be a novel idea. The service component has very few ties to 
OpenVPN, and is a very simple piece of software. I don't think it 
_needs_ to be in the main OpenVPN repo, either. Splitting the project 
into smaller chunks both code- and organization-wise has been beneficial 
in the past by allowing us to get more people onboard. Plus we've been 
able to optimize the development processes per subproject, so that the 
strict patch review regime in the main project has not slowed down the 
development of less critical components.


I have no idea how large a percentage of our users use the service. 
Probably the only way to _really_ find that out would be to deselect the 
service in the installer by default and see how loudly people scream. We 
could have a poll, but in my experience only a few people would answer, 
and we wouldn't be any better off. If most people would be basically ok 
without the service, we could still provide it as a separate download on 
the official download pages. That said, I have no strong opinions one 
way or the other.




Given that services run with maximum privileges, strong review is as
important there as for core openvpn...

If the only reason why everyone is disliking the old openvpnserv is
"it is not restarting openvpn.exe when it breaks" - *that* should be
fairly easy to add.  So, what is that people consider "broken"?


Although it is called a service, it only works like a one time task or
an rc script. However, unlike a startup script, it does not terminate
after spawning openvpn.exe processes, giving it the appearance of a
service. It does not keep track of the spawned processes, has no way of
knowing any of the processes stopped or crashed, has no way of editing
one config and then restart only that connection leaving others up etc.


I believe openvpnserv2 - or rather the more generic MS code upon which 
it builds - can monitor the individual processes and restart them as 
necessary. So it is definitely a more complete solution than what 
openvpnserv.exe provides.



Having said that, on the only windows 10 machine I have, the original
service works the same way as on Windows 7. Early reports of "not
working on windows 10" might have had more to do with unrelated TAP6 issues.


Quite likely. Also some issues seem to have been related to specific 
problematic Windows 10 builds.


Samuli




[Openvpn-devel] New Windows installers released

2016-02-01 Thread Samuli Seppänen

Hi all,

New OpenVPN Windows installers with OpenSSL 1.0.1r have been released:

<https://openvpn.net/index.php/download/community-downloads.html>

The new OpenSSL release fixes some vulnerabilities, none of which affect 
OpenVPN:


<http://openssl.org/news/secadv/20160128.txt>

If you are already using 2.3.10 I601/I001 installers you're not in a 
hurry to upgrade.


Best regards,

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] "OpenVPN on Windows" meeting today (1st Feb 2015)

2016-02-01 Thread Samuli Seppänen

Hi,

We're going to have an IRC meeting today starting at 20:00 CET (19:00 
UTC) on #openvpn-meeting  irc.freenode.net. Note that the meeting 
channel has changed and that you do _not_ have to be logged in to 
Freenode to join the channel.


Current topic list along with basic information is here:

<https://community.openvpn.net/openvpn/wiki/Topics-2016-02-01>

If you have any other things you'd like to bring up, respond to this 
mail, send me mail privately or add them to the list yourself.


In case you can't attend the meeting, please feel free to make comments 
on the topics by responding to this email or to the summary email sent 
after the meeting. Whenever possible, we'll also respond to existing, 
related email threads.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] "OpenVPN on Windows" meeting today (1st Feb 2015)

2016-02-01 Thread Samuli Seppänen

Hi,

Here's the summary of today's IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
List-Post: openvpn-devel@lists.sourceforge.net
Date: Monday 1st Feb 2015
Time: 20:00 CET (19:00 UTC)

Planned meeting topics for this meeting were here:

<https://community.openvpn.net/openvpn/wiki/Topics-2016-02-01>

The next meeting has not been scheduled yet, but will probably be 
arranged two weeks from now.


Your local meeting time is easy to check from services such as

<http://www.timeanddate.com/worldclock>

SUMMARY

cron2, d12fk, janjust, mattock, snair, syzzer and valdikss participated 
in this meeting.


---

Discussed ValdikSS's fix to the block-outside-dns option on Windows Vista:

<https://community.openvpn.net/openvpn/ticket/648>
<http://article.gmane.org/gmane.network.openvpn.devel/10998>
<https://github.com/ValdikSS/openvpn-with-patches/commit/664763ac3cd1e23713ecf75456ef26ccb92e6231>

Snair took a quick look and based on that the patch looks ok. Mattock 
will create and publish test installers with the patch tomorrow, after 
which snair, mattock and janjust will do testing on Windows 7/8/10 and 
Windows Server 2012. Further testing by other community members will 
help build confidence in the revamped patch.


--

Discussed the Interactive service patch, in particular the security 
aspects of it. At installation time, admin gets to choose whether config 
files are restricted or not in some way, e.g. by only loading them from 
a certain directory or from any place where the user has access to. The 
communication channel between GUI and service will be changed to ensure 
that only startup-relevant options can be passed from GUI to service (so 
a rogue gui can't do bad stuff).


Snair will do some practical tests to ensure that the restrictions 
imposed by the interactive service cannot be circumvented.


---

Full chatlog has been attached to this email.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
(21:02:48) mattock: howdy
(21:02:51) ValdikSS: me
(21:03:03) mattock: quick response to a question I did not have time to ask :P
(21:03:11) mattock: who else?
(21:04:04) mattock: (is here)
(21:04:09) cron2_: muh
(21:05:04) mattock: xkjyeah can't make it because of timezone issues (UTC+8)
(21:05:27) mattock: lev__, ltfish?
(21:05:32) janjust [~janjust@openvpn/community/support/janjust] è entrato nella 
stanza.
(21:05:38) mattock: ah hi!
(21:05:43) janjust: hi!
(21:06:46) mattock: four people already, so I guess we can start
(21:07:02) janjust: I see 10 on the list :) ?
(21:07:31) mattock: before we start, I should mention that there are some 
fairly odd issues with our download servers, with links to I602/I002 installers 
missing from the webserver index 
(https://swupdate.openvpn.org/community/releases/)
(21:07:32) vpnHelper: Title: Index of /community/releases/ (at 
swupdate.openvpn.org)
(21:07:38) mattock: so I'll probably have to multitask a bit
(21:07:52) mattock: janjust: most are just idling, even though this is just a 
meeting channel
(21:10:03) cron2_: the most interesting discussion seems to happen on the list 
between selva and d12fk now, and neither is here...
(21:10:14) cron2_: review!
(21:10:35) janjust: so we only want to discuss the interactive service bit?
(21:10:56) mattock: topics: 
https://community.openvpn.net/openvpn/wiki/Topics-2016-02-01
(21:10:58) vpnHelper: Title: Topics-2016-02-01 – OpenVPN Community (at 
community.openvpn.net)
(21:11:00) ValdikSS: Can we start with block-outside-dns update for Vista?
(21:11:12) janjust: there's something I'd like to figure out how to do in 
windows: let openvpn run in 'normal' mode and only when privileged mode is 
required, THEN pop up the dialog
(21:11:43) janjust: but that's "wishlist" stuff... block-outside-dns seems more 
practical and relevant for now
(21:11:54) mattock: I'm fine with starting with that
(21:13:40) ValdikSS: Well, it seems that Vista can't do non-equal matching for 
a program name and fails, so I edited the code to whitelist openvpn.exe before 
all other filtering rules and use equal matching instead.
(21:15:33) ValdikSS: https://community.openvpn.net/openvpn/ticket/648
(21:15:36) vpnHelper: Title: #648 ("Can't add WFP" filter being fatal?) – 
OpenVPN Community (at community.openvpn.net)
(21:16:21) cron2_: feature-ack, but someone who understands windows needs to 
review the code... selva or ltfish have been very helpful with the initial wfp 
patch but seem busy these days
(21:16:54) janjust: agreed, and I don't understand the WFP details myself either
(21:17:55) mattock: valdikss: t
(21:18:06) mattock: he code is in your GitHub fork, right?
(21:18:46) cron2_: on the list
(21:18:56) snair [~snair@2600:3c03:e001:3b00::1004] è entrato nella stanza.
(21:19:04) mattock: selva, I presume
(21:19:04) cron2_: http://article.gmane.o

[Openvpn-devel] Test installers with the Interactive service / Vista-compatible block-outside-dns

2016-02-02 Thread Samuli Seppänen

Hi,

Here are test installers based on latest Git code plus the Interactive 
service patch, which allows non-admin users to launch OpenVPN connections:


<http://build.openvpn.net/downloads/temp/openvpn-install-2.3_iservice-I601-i686.exe>
<http://build.openvpn.net/downloads/temp/openvpn-install-2.3_iservice-I601-x86_64.exe>

A second pair of installers contain a patch which makes the new 
--block-outside-dns work with Windows Vista:


<http://build.openvpn.net/downloads/temp/openvpn-install-2.3_blockoutsidedns-I601-i686.exe>
<http://build.openvpn.net/downloads/temp/openvpn-install-2.3_blockoutsidedns-I601-x86_64.exe>

If you test these, please let us know about your experience with them 
(worked/did not work/had issues).


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] OpenVPN installers with openvpn-gui pull request #13's code included

2016-02-08 Thread Samuli Seppänen

Hi,

Selva has a pending pull request to openvpn-gui, which completes the 
integration of interactive service into OpenVPN installers:


<https://github.com/OpenVPN/openvpn-gui/pull/13>

The pull request contains several changes which need testing:

<https://github.com/OpenVPN/openvpn-gui/pull/13/commits>

I built test installers which include the new openvpn-gui code:

<http://build.openvpn.net/downloads/temp/openvpn-install-2.3_guipr13-I601-i686.exe>
<http://build.openvpn.net/downloads/temp/openvpn-install-2.3_guipr13-I601-x86_64.exe>

If you test these installers please report back and tell how things 
went. I'll try to do testing on my own later today.


Best regards,

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] OpenVPN installers with openvpn-gui pull request #13's code included

2016-02-11 Thread Samuli Seppänen

Hi all,

I generated new installers which include the latest version of the PR:

<http://build.openvpn.net/downloads/temp/openvpn-install-2.3_guipr13v2-I603-i686.exe>
<http://build.openvpn.net/downloads/temp/openvpn-install-2.3_guipr13v2-I603-x86_64.exe>

These installers contain a manually patched openvpn-gui which reverts 
commit 2af86368964 ("Run with highest privilege available"), so that 
users with administrator privileges can launch OpenVPN-GUI with 
non-elevated privileges. I tested the latter installer on a Windows 7 
Pro 64-bit laptop and there were two issues.


1) Interactive service not installed by default

First, OpenVPN-GUI would silently fail to create routes when launched as 
a normal user, as if interactive service was not present. And indeed it 
is not out of the box. The fix was fairly simple (but not obvious):


PS> C:\> openvpnserv.exe -install
PS> C:\> openvpnserv.exe -start automatic

After this the interactive service is running, but the non-interactive 
one is not:


PS> C:\> Get-Service|Where-Object { $_.DisplayName -like "*openvpn*" }

Status   Name               DisplayName
------   ----               -----------
Stopped  OpenVPNService     OpenVPN Service
Running  OpenVPNServiceI... OpenVPN Interactive Service

When OpenVPN-GUI is now launched, it can now communicate with the 
interactive service and the VPN works properly.


2) OpenVPN-GUI points OpenVPN config directory to a system-wide location

While OpenVPN-GUI now saves the registry keys under "HKCU" (=current 
user) instead of "HKLM" (=local-machine), the default value for OpenVPN 
configs is still C:\Program Files\OpenVPN\config (or equivalent). At 
least on my test system the OpenVPN configuration files under that 
directory could not be read by a normal user, even though listing the 
files was permitted. This caused OpenVPN-GUI to see the config file, but 
upon loading it just hung.


---

A few things to fix:

- Revert commit 2af86368964 in openvpn-gui
- Make OpenVPN-GUI fail/warn if it can't reach interactive service
- Enable interactive service at OpenVPN install
- Relax OpenVPN's config file permissions, or...
- ... make OpenVPN-GUI read configs from user's home dir by default

Given that OpenVPNService and OpenVPNServiceInteractive have been 
separated, replacing the non-interactive variant with openvpnserv2 
should not be too difficult.


Thoughts?

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock








Re: [Openvpn-devel] OpenVPN installers with openvpn-gui pull request #13's code included

2016-02-12 Thread Samuli Seppänen

Hi,

Sending to the list also...



PS> C:\> openvpnserv.exe -install
PS> C:\> openvpnserv.exe -start automatic


I suppose you mean openvpnserv.exe -start interactive


You're correct. My mistake.


- Revert commit 2af86368964 in openvpn-gui


We may want to do this only for 2.4 (or git master) based binary
distributions. For 2.3 there is no interactive service and this
"highestAvailable" may still be required (or at least expected by users).



One way to handle this is to create a release branch on the GUI repo and
revert the commit only in master. Then 2.3 installers can continue to
use that release branch.


This sounds reasonable. That said, we should be able to know which GUI 
versions belong to the master branch, and which to the release branch. 
Right now we just have a single version number - 10 at the moment.



- Make OpenVPN-GUI fail/warn if it can't reach interactive service


In fact it may be ok to require the iservice to operate the GUI -- that
is do not allow the GUI to directly start openvpn.exe -- running as
admin will fail with a message then). But leave this for later?


I think we can leave this for later, as long as the Interactive Service 
is enabled at install time. That way much fewer users will get this 
nasty surprise.



I think the installer should include the following commands

(i) openvpnserv.exe -install  <- this will install both auto and
interactive services
this is probably there in the current NSIS installer (the user can
disable it by choosing not to install any service, but it's not possible
to install only one of those (not yet, at least).


Yes, this is done by default right now.


(ii) openvpnserv.exe --start interactive


This is not done by default. I will add it to the installer code.


Do not start the automatic service by default as that is meant for
expert users. Else it will spawn-up openvpn.exe for all configs found
and possibly mess-up with interactive use.


This is the default behavior right now, and we should keep it that way.



- Relax OpenVPN's config file permissions, or...
- ... make OpenVPN-GUI read configs from user's home dir by default


With the pull #13, it's now possible for the user to edit
HKCU\Software\OpenVPN\config_dir to point the GUI to an alternate
location for configs. Currently there are no access checks in the
service, so any location with read access will work.

Let's revisit this after the service is hardened to restrict configs and
options. Then we can decide how to modify the installer to choose
appropriate defaults for config_dir etc.


Having an easy method for configuring the OpenVPN configuration file 
directory is needed in my opinion. Right now one has to launch 
regedit.exe and change the path, or do some magic incantations in 
Powershell - not exactly user-friendly.



Given that OpenVPNService and OpenVPNServiceInteractive have been
separated, replacing the non-interactive variant with openvpnserv2
should not be too difficult.


While the two services can be independently stopped and started the two
are installed and removed together:
openvpnserv.exe --install sets up two services OpenVPNService and
OpenVPNServiceInteractive. So any replacement will have to use a name
distinct from those. I think openvpnserv2 uses the same name
"OpenVPNService" which will cause a conflict.
In the long run it may be better to remove the automatic service
completely from the openvpnserv.exe code.


Disabling the automatic service part in openvpnserv.exe should be fairly 
straightforward. There's probably some simple routine which calls 
Windows APIs to register the new services, which we could modify. Then 
we also need to remove the old service in the installer/uninstaller.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
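
The hardening this thread defers ("restrict configs and options"), and that the 1st Feb meeting summary describes, sketched as an added example that is not OpenVPN's own code: a privileged service confines the requested config path to one directory and accepts only allowlisted startup options from the GUI. The function names, the allowlist contents and the sample paths are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist of startup-relevant option names (without "--").
 * Constructed for this example; it is not OpenVPN's own list. */
static const char *const ALLOWED_OPTIONS[] = {
    "log", "log-append", "management", "management-hold", "verb",
};

static int is_sep(char c) { return c == '\\' || c == '/'; }

/* Compare the first n bytes the way Windows paths compare: ASCII case is
 * ignored and '/' equals '\\'. Caller guarantees both strings have n bytes. */
static int same_prefix(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (is_sep(a[i]) && is_sep(b[i]))
            continue;
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    }
    return 1;
}

/* Return 1 if any path component is exactly "..". */
static int has_dotdot_component(const char *p)
{
    while (*p) {
        size_t len = 0;
        while (p[len] && !is_sep(p[len]))
            len++;
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        p += len;
        if (*p)
            p++;                      /* step over the separator */
    }
    return 0;
}

/* Return 1 only if path names something strictly below allowed_dir.
 * This is a string-level check: junctions, symlinks and 8.3 short names
 * still need OS canonicalization of the opened file in a real service. */
int config_path_allowed(const char *path, const char *allowed_dir)
{
    size_t dlen = strlen(allowed_dir);
    while (dlen > 0 && is_sep(allowed_dir[dlen - 1]))
        dlen--;                       /* ignore trailing separators */
    if (dlen == 0 || strlen(path) <= dlen + 1)
        return 0;                     /* need dir + separator + name */
    if (!same_prefix(path, allowed_dir, dlen))
        return 0;
    if (!is_sep(path[dlen]))
        return 0;                     /* rejects sibling "config_evil" */
    if (has_dotdot_component(path))
        return 0;                     /* rejects traversal out of the dir */
    if (strchr(path + dlen + 1, ':'))
        return 0;                     /* rejects NTFS stream syntax */
    return 1;
}

static int option_allowed(const char *name)
{
    size_t n = sizeof(ALLOWED_OPTIONS) / sizeof(ALLOWED_OPTIONS[0]);
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, ALLOWED_OPTIONS[i]) == 0)
            return 1;
    return 0;
}

/* Return -1 if every argument is acceptable, otherwise the index of the
 * first rejected one. Arguments without "--" are values of the preceding
 * option and are refused when no option precedes them. */
int first_rejected_option(int argc, const char *const argv[])
{
    int have_option = 0;
    for (int i = 0; i < argc; i++) {
        if (strncmp(argv[i], "--", 2) == 0) {
            if (!option_allowed(argv[i] + 2))
                return i;
            have_option = 1;
        } else if (!have_option) {
            return i;
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *dir = "C:\\Program Files\\OpenVPN\\config";
    const char *const args[] = { "--log", "client.log", "--not-on-list", "x" };

    printf("inside : %d\n", config_path_allowed(
        "C:\\Program Files\\OpenVPN\\config\\office.ovpn", dir));
    printf("escape : %d\n", config_path_allowed(
        "C:\\Program Files\\OpenVPN\\config\\..\\..\\x.ovpn", dir));
    printf("first rejected argument index: %d\n",
           first_rejected_option(4, args));
    return 0;
}
```

Both checks run in the service, on the data it receives, so they hold even when the process at the other end of the channel is not the real GUI.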



Re: [Openvpn-devel] OpenVPN installers with openvpn-gui pull request #13's code included

2016-02-12 Thread Samuli Seppänen

On 11/02/2016 22:23, Selva Nair wrote:

Hi,

On Thu, Feb 11, 2016 at 11:42 AM, Samuli Seppänen <sam...@openvpn.net> wrote:

2) OpenVPN-GUI points OpenVPN config directory to a system-wide location

While OpenVPN-GUI now saves the registry keys under "HKCU" (=current
user) instead of "HKLM" (=local-machine), the default value for OpenVPN
configs is still C:\Program Files\OpenVPN\config (or equivalent). At
least on my test system the OpenVPN configuration files under that
directory could not be read by a normal user, even though listing the
files was permitted. This caused OpenVPN-GUI to see the config file, but
upon loading it just hung.


Changing this default may break most setups as that is where the GUI
looked for configs for so long.. I was under the impression that
C:\Program Files\ and directories & files under it are readable by all
users. And that matches with a few machines I checked  (win 7, win10,
server2012). openvpn.nsis does not show any permission settings on these
folders either. Maybe there are some "hardened" systems where such
locations are not readable?


The reason my user was unable to read configs in C:\Program 
Files\OpenVPN\config was related to ACLs. I had copied the config file 
there as the main administrator account, so the owner was wrong. This 
prevented the normal user from reading the file. I had to set the ACLs 
properly to fix the issue.


While the above could be seen as a user mistake, the ACLs in Windows are 
pretty well hidden from normal users and even admins. This could end up 
being a minor support nightmare for us.



I don't write GUI, so anything beyond a warning popup is too hard for
me. Yet, it would be nice to have an initial configuration dialog (shown
at first run by each user) to set config_dir and possibly a few other
parameters.


That would be good. We also need to warn about lack of permissions on 
the config files. Right now GUI just hangs if it can't read the OpenVPN 
config file.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] Micro-sha-ft

2016-02-15 Thread Samuli Seppänen





I presume you are aware but just in case
microsoft no more SHA1 authenticode

https://forums.openvpn.net/topic20987.html


Hi,

This was not entirely unexpected. I'll try to get this fixed this week 
and then release new installers. I suppose Microsoft has finally fixed 
Windows 7 so that it can handle SHA-2.


Thanks!

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] Always including tap-windows6, openvpn-gui and easy-rsa in openvpn-build -generated Windows installers?

2016-02-16 Thread Samuli Seppänen

Hi,

Currently openvpn-build allows producing installers which do not 
_contain_ tap-windows6, openvpn-gui or easy-rsa at all. On top of this 
one can - at install time - select which of the contained components are 
installed.


Let me know if you have good arguments on why we should have the option 
to generate installers without the said components. If nobody speaks up, 
I'll remove the conditional code from openvpn.nsi while preparing for 
the OpenVPN 2.4 release.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] Handling bitness (32/64) for OpenVPN Windows installers

2016-02-16 Thread Samuli Seppänen

Hi,

We currently produce four installers per OpenVPN 2.3.x release:

- 64-bit for Windows Vista+
- 32-bit for Windows Vista+
- 64-bit for Windows XP
- 32-bit for Windows XP

The latter two will be dropped in OpenVPN 2.4 alpha releases, which are 
due fairly soon[*]. That leaves us with one 32-bit and one 64-bit 
installer. While that is not too bad, things could be simpler. Here are 
a few suggestions:


1) Combine 32-bit and 64-bit installers into one

Is there a use-case for installing 32-bit OpenVPN on a 64-bit system? 
If not, we could combine both 32-bit and 64-bit binaries into a single 
installer and, at install time, select the correct ones to install. 
This would increase installer size from ~1.8MB to ~3.3MB.


2) Drop the 64-bit installer altogether

This option was brought forth earlier, and while it felt to me like a 
step back, I could not point my finger at any concrete issues. If you 
know of any pros or cons, please speak up.


3) Hide the 32-bit installers better, but keep them available

Currently both 32-bit and 64-bit installers are displayed side-by-side 
on the download page. Because of this it is difficult to tell how many 
people really _need_ the 32-bit version, and how many just download it 
out of habit, or by mistake. Making the download link for 32-bit 
installer(s) less prominent would probably give us the answer. If 
complaints started coming in we could backpedal real quickly.


Unfortunately 32-bit Windows systems are not going away anytime soon, so 
"64-bit only" is not an option[**].


4) Maintain the status quo

Do not change anything.

---

Let me know which of the options seems most reasonable. It would be good 
to reach some consensus before OpenVPN 2.4-alpha1 is released.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

[*] All the major functionality is in Git "master" or is being actively 
reviewed.
[**] E.g. 
<http://news.softpedia.com/news/Microsoft-Explains-Why-Windows-10-32-Bit-Is-Still-Needed-469563.shtml>




Re: [Openvpn-devel] Always including tap-windows6, openvpn-gui and easy-rsa in openvpn-build -generated Windows installers?

2016-02-16 Thread Samuli Seppänen



On Tue, 2016-02-16 at 15:12 +0200, Samuli Seppänen wrote:

Hi,

Currently openvpn-build allows producing installers which do not
_contain_ tap-windows6, openvpn-gui or easy-rsa at all. On top of this
one can - at install time - select which of the contained components are
installed.

Let me know if you have good arguments on why we should have the option
to generate installers without the said components. If nobody speaks up,
I'll remove the conditional code from openvpn.nsi while preparing for
the OpenVPN 2.4 release.


It's nice to have a standalone signed installer for tap-windows6
without OpenVPN. Not sure if your question really covered that one... ?


Hi,

There is and will be a standalone tap-windows6 installer. I'm just 
suggesting we remove the option to generate installers which do not 
include tap-windows6.


So basically we have two layers here:

1) Include tap-windows6 in the installer? (yes/no)
2) Install tap-windows6 _if_ it is included in the installer? (yes/no)

I suggest we remove layer #1 to simplify things.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] Handling bitness (32/64) for OpenVPN Windows installers

2016-02-17 Thread Samuli Seppänen




On Wed, Feb 17, 2016 at 3:01 AM, Samuli Seppänen <sam...@openvpn.net> wrote:

1) Combine 32-bit and 64-bit installers into one

Is there a use-case for installing 32-bit OpenVPN on a 64-bit system?
If not, we could combine both 32-bit and 64-bit binaries into a single
installer and, at install time, select the correct ones to install.
This would increase installer size from ~1.8MB to ~3.3MB.



3.3M? Umm, what year is this? :-)

I'd say put them both into the installer and auto-install the
appropriate one. If it was 18M vs 36M you might want to be more finer
grained - but <2M difference? It's not worth thinking about.

Ditching WinXP is definitely the right thing to do. People shouldn't be
running security software on dead OSes. They will do it poorly. Just sayin'


Well, that would mean the installer will have to be split into three floppy 
disks instead of two for transport.


But seriously, a combined installer looks like a reasonable way 
forward. It will, however, require significant changes to 
openvpn-build/openvpn.nsi, so it will take a bit of effort to get it done.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] Need help testing installers on Windows XP

2016-02-17 Thread Samuli Seppänen

Hi,

Could someone quickly test these installers on Windows XP?

<http://build.openvpn.net/downloads/temp/openvpn-install-2.3_guipr14and15andtrac632-I605-i686.exe>
<http://build.openvpn.net/downloads/temp/openvpn-install-2.3_guipr14and15andtrac632-I605-x86_64.exe>

The installer should pop up a message "This installer only works on 
Windows Vista, Windows Server 2008 and above", and then quit immediately.


Best regards,

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] Need help testing installers on Windows XP

2016-02-17 Thread Samuli Seppänen

> Just tested on Windows XP SP3 32-bit. Both are behaving as expected.


Best,
Fish


Great, thanks! And thanks to Jan also!

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] Handling bitness (32/64) for OpenVPN Windows installers

2016-02-17 Thread Samuli Seppänen

On 17.02.16 at 14:37, debbie...@gmail.com wrote:

I would say option 3 is better ..
doubling the installer size for 32bit seems like bloat! to me
plus .. why do all that extra work for something that will have
diminishing value ?


A combined installer will need less support because people do not
download a wrong installer.


Yes, that is big part of the appeal. Plus the results of the 
installations would be more consistent:


- Registry keys would always be in the main registry
- OpenVPN always under "C:\Program Files\OpenVPN" (unless customized)

I would love 32-bit Windows to go away, but that will probably take at 
least a decade.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




Re: [Openvpn-devel] Handling bitness (32/64) for OpenVPN Windows installers

2016-02-17 Thread Samuli Seppänen

Hi,


In 4 years I have not seen a single complaint on the forum
nor can remember a single complaint on the mailing list
referring to downloading the wrong bitness installer.
Or that the download page is misleading in this way.


This is actually rather surprising. That said, I can't recall any 
incidents, either. Perhaps this is an exception to the rule "people 
don't read what is written on a webpage" :).



On top of that, as 32b is phased out by retail, it is likely
that anybody who still requires 32b will have the intelligence
to follow a separate link to 32b installers.


I don't think there are many (any?) 32-bit Windows operating systems 
being bundled with new computers. The reason why Microsoft backpedaled 
on dropping 32-bit support in Windows 10 seemed to be their free upgrade 
program: they wanted the 32-bit operating systems to be upgradeable too.


I suggest that for OpenVPN 2.4* releases we emphasize the 64-bit 
installer links. For example:



Source tarball (gzip)  openvpn-2.4.0.tar.gz                   GPG sig
Source tarball (xz)    openvpn-2.4.0.tar.xz                   GPG sig
Source zip             openvpn-2.4.0.zip                      GPG sig
Installer (64-bit)     openvpn-install-2.4.0-I601-x64_64.exe  GPG sig

A 32-bit installer is available (<- link). You should only use it on 
32-bit systems.


... followed by the rest of the release notes/comments...

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] Always including tap-windows6, openvpn-gui and easy-rsa in openvpn-build -generated Windows installers?

2016-02-17 Thread Samuli Seppänen



Hi,

On Tue, Feb 16, 2016 at 03:12:58PM +0200, Samuli Seppänen wrote:

Currently openvpn-build allows producing installers which do not
_contain_ tap-windows6, openvpn-gui or easy-rsa at all. On top of this
one can - at install time - select which of the contained components are
installed.

Let me know if you have good arguments on why we should have the option
to generate installers without the said components. If nobody speaks up,
I'll remove the conditional code from openvpn.nsi while preparing for
the OpenVPN 2.4 release.


I do not think maintaining these options makes much sense - at install
time, yes!, but at build-time - this stuff should have what we want
*our* installers to contain.  The rest could go to comments in the
code maybe ("if you want to make this optional, remove the following
lines") or so.


I will remove this functionality in my next batch of modifications to 
openvpn.nsi.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] Always including tap-windows6, openvpn-gui and easy-rsa in openvpn-build -generated Windows installers?

2016-02-17 Thread Samuli Seppänen





Hi,

On Tue, Feb 16, 2016 at 03:12:58PM +0200, Samuli Seppänen wrote:

Currently openvpn-build allows producing installers which do not
_contain_ tap-windows6, openvpn-gui or easy-rsa at all. On top of this
one can - at install time - select which of the contained components are
installed.

Let me know if you have good arguments on why we should have the option
to generate installers without the said components. If nobody speaks up,
I'll remove the conditional code from openvpn.nsi while preparing for
the OpenVPN 2.4 release.


I do not think maintaining these options makes much sense - at install
time, yes!, but at build-time - this stuff should have what we want
*our* installers to contain.  The rest could go to comments in the
code maybe ("if you want to make this optional, remove the following
lines") or so.


I will remove this functionality in my next batch of modifications to
openvpn.nsi.



I was quicker than I thought:

<https://github.com/OpenVPN/openvpn-build/pull/19>

All the details in the pull request.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] Micro-sha-ft

2016-02-17 Thread Samuli Seppänen

Hi,

We just got an EV certificate token thingy, which certainly does not 
have SHA-1. The problem is that the token makes it impossible to safely 
automate the signing process. So basically we have to turn off automated 
signing in openvpn-build and just sign the files we absolutely have to. 
This probably boils down to


openvpn-installer-*.exe
tap-windows6 drivers
tap-windows6 installer

It would be nice to sign openvpn-gui, but then openvpn-build would have 
to fetch a pre-built and signed openvpn-gui.exe instead of building and 
signing it itself.


According to Microsoft documentation[*] we _could_ continue using non-EV 
certs (+ automated signing) for non-driver code, but that would probably 
mean paying for two certificates. I'll ask around to see if this is 
indeed the case.


I'm not entirely sure all this "increases security" which Microsoft 
claims to be the goal of EV certs. Currently we sign every single 
library and binary we distribute (including OpenSSL, LZO, etc) already, 
and soon we can only sign a subset.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

[*] 
<https://msdn.microsoft.com/en-us/library/windows/hardware/hh801887%28v=vs.85%29.aspx>



we sign our software here. actually it works like SHA-2 sign + SHA-1
timestamp.
we use "signtool" for that. I'll have a look how to do that with openvpn
release system

2016-02-15 14:05 GMT+05:00 Samuli Seppänen <sam...@openvpn.net>:




> I presume you are aware but just in case
> microsoft no more SHA1 authenticode
>
>https://forums.openvpn.net/topic20987.html

Hi,

This was not entirely unexpected. I'll try to get this fixed this week
and then release new installers. I suppose Microsoft has finally fixed
Windows 7 so that it can handle SHA-2.

Thanks!

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock










Re: [Openvpn-devel] Micro-sha-ft

2016-02-19 Thread Samuli Seppänen



Hi,

We just got an EV certificate token thingy, which certainly does not
have SHA-1. The problem is that the token makes it impossible to safely
automate the signing process. So basically we have to turn off automated
signing in openvpn-build and just sign the files we absolutely have to.
This probably boils down to

openvpn-installer-*.exe
tap-windows6 drivers
tap-windows6 installer

It would be nice to sign openvpn-gui, but then openvpn-build would have
to fetch a pre-built and signed openvpn-gui.exe instead of building and
signing it itself.

According to Microsoft documentation[*] we _could_ continue using non-EV
certs (+ automated signing) for non-driver code, but that would probably
mean paying for two certificates. I'll ask around to see if this is
indeed the case.


We decided to rekey our current non-EV certificate with SHA-2 - it will 
be valid until the upcoming September. This will buy us some time to 
think about our next move. So what I'll do next is:


- Sign the tap-windows6 driver with the EV-cert
- Start using the rekeyed non-EV cert for the rest of the signing

This should solve all the certificate validation issues we currently 
have on Windows.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] openvpn-gui

2016-02-22 Thread Samuli Seppänen



Hi,

We have a few pending pull requests in openvpn-gui. At least one of them
(put --log first in the command line) is tiny and may be reviewed
without getting sullied by association to windows:-)

Could anyone from here please take a look? Here is a link:

https://github.com/OpenVPN/openvpn-gui/pull/15


Oh well. As managing the numerous pull requests and patches had gotten 
rather complicated and more kept coming in, I merged that PR earlier 
today based on "lazy-ACK". That was before reading this email, 
obviously. That said, retroactive review would be most welcome!


In the future we need to decide how to manage OpenVPN-GUI reviews. I've 
been able to review some of the code patches because they've been fairly 
trivial. And I'm usually able to test the PRs / patches to ensure 
they work as advertised. However, oftentimes review from a (Windows) C 
developer would be very beneficial or even required to help ensure 
correctness.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] The purpose of the Signed-off-by: line

2016-02-26 Thread Samuli Seppänen



The reason for adding the Signed-off-by is to have a better understanding
of who has been involved in particular commits/patches.  While the
"Author field" in the git log (git log --pretty=fuller) can only have
one name, more people can have been involved in the patch.  Using the
Signed-off-by is a way to credit them as well.

And when everyone is consistent using the Signed-off-by line, writing
tools which parse our git log is also far easier.

The other aspect of the Signed-off-by: line has to do with juridical
stuff, to protect the OpenVPN project.  By adding the Signed-off-by:
line you basically sign-off to "Yes, I am the author of these changes
and I am permitted to share them with the project".  For more
information, these pages explain it even better (same info, two
different sources):
<https://git.eclipse.org/r/Documentation/user-signedoffby.html>
<https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/SubmittingPatches#n409>


Hi David,

Looks like the rationale for Signed-off-by is not properly documented 
in Trac:


<https://community.openvpn.net/openvpn/wiki/DeveloperDocumentation>

David: do you want to integrate above explanation to Trac or shall I?

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] The purpose of the Signed-off-by: line

2016-02-29 Thread Samuli Seppänen



The reason for adding the Signed-off-by is to have a better understanding
of who has been involved in particular commits/patches.  While the
"Author field" in the git log (git log --pretty=fuller) can only have
one name, more people can have been involved in the patch.  Using the
Signed-off-by is a way to credit them as well.

And when everyone is consistent using the Signed-off-by line, writing
tools which parse our git log is also far easier.

The other aspect of the Signed-off-by: line has to do with juridical
stuff, to protect the OpenVPN project.  By adding the Signed-off-by:
line you basically sign-off to "Yes, I am the author of these changes
and I am permitted to share them with the project".  For more
information, these pages explain it even better (same info, two
different sources):
<https://git.eclipse.org/r/Documentation/user-signedoffby.html>
<https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/SubmittingPatches#n409>


Hi David,

Looks like the rationale for Signed-off-by is not properly documented in 
Trac:

<https://community.openvpn.net/openvpn/wiki/DeveloperDocumentation>

David: do you want to integrate above explanation to Trac or shall I?


I intended to update the wiki page as well.  It should be updated.  The
trouble is that I started thinking.  But I think we should do some more
modifications to more of this process.

There are two things I think we should agree upon first, which is
slightly different compared to the wiki page.


1) It probably makes more sense to use Reviewed-by: instead of
Signed-off-by: when someone has reviewed and not added code to the
commit.


Makes sense.


2) We should probably rethink the need of Signed-off-by: lines when
Gert or I do commits without modifying the patch in any way.  Who
committed the patch is now also easily accessible using
the --pretty=fuller argument to git log.


Indeed:

commit 5f5229e41d134b659e502bb2597c711aedaf8096
Author: Leonardo Basilio 
AuthorDate: Wed Feb 10 11:19:39 2016 +0100
Commit: Gert Doering 
CommitDate: Wed Feb 10 11:19:39 2016 +0100

Correctly report TCP connection timeout on windows.

---snip---

Let's scrap the Signed-off-by lines except when actual changes have been 
made.



And it should be an explicit note which states that the committer
which adds a Signed-off-by: line to an unmodified commit does not
mean the same as when a patch contributor does so.  The committer's
Signed-off-by: basically means "Yes, this patch has been accepted by
N.N" ... That was the intention of this last Signed-off-by: line.


The difference between Acked-by and Reviewed-by seems to be the 
completeness of the review:


"Acked-by: does not necessarily indicate acknowledgment of the entire 
patch. For example, if a patch affects multiple subsystems and has an 
Acked-by: from one subsystem maintainer then this usually indicates 
acknowledgment of just the part which affects that maintainer’s code."


"A Reviewed-by tag is a statement of opinion that the patch is an 
appropriate modification of the kernel without any remaining serious 
technical issues."


These quotes are from

<https://git.eclipse.org/r/Documentation/user-signedoffby.html>

We've typically been using Acked-by for acknowledging the full patch, 
where we could have used Reviewed-by. And we've essentially used the 
committer's Signed-off-by in place of Acked-by, if I'm not mistaken.



If we drop the additional Signed-off-by: line, we are much closer to
what other projects using Signed-off-by do.


Sounds good to me. They make little sense because of "--pretty=fuller".


I know I'm the one to blame for all this, as I believe it was my initial
suggestion.  But that was many years ago; where both the git tool has
improved vastly and the way git is used is nowadays somewhat more
unified across projects than what it was around in 2010-ish.  And I
think we have all learned to use git far better over all these years as
well.


+1 for following / trying to follow the instructions given here:

<https://git.eclipse.org/r/Documentation/user-signedoffby.html>

The tags (e.g. Signed-off-by) are not being used for analysis purposes, 
so this change of practice will not break anything.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] Samsung Galaxy S6 to android 6.0.1 powersave

2016-03-08 Thread Samuli Seppänen

I just thought it was interesting that somebody found
*a* solution to what seems to be a common problem
and it was worth letting ppl here know.


Indeed. It remains to be seen whether this overly aggressive power 
saving configuration is limited to Samsung, or whether it's an Android 
6.0.x thing.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] Our apt repositories should now work with recent apt versions (1.1+)

2016-03-09 Thread Samuli Seppänen

Hi,

Some of you may have noticed that our apt repositories did not work with 
apt-1.1 bundled with Ubuntu 16.04 alphas and Debian testing/unstable. 
That problem has now been fixed.


Let me know if you still encounter issues using the apt repository.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] Windows installer with SHA-256 signatures ready for testing

2016-03-10 Thread Samuli Seppänen

Hi,

Here are new Windows 2.3.10 installers with OpenSSL 1.0.1s and SHA-2 
signatures:


<http://build.openvpn.net/downloads/temp/openvpn-install-2.3.10-I603-i686.exe>
<http://build.openvpn.net/downloads/temp/openvpn-install-2.3.10-I603-x86_64.exe>

I tested the latter lightly on Windows 7 Pro 64-bit and it seemed to 
work just fine and the signatures seemed to be correct. However, more 
testing is required before these installers can be officially released.


There is potentially a severe issue which manifests itself on Windows 
Vista SP2 / Windows Server 2008 SP2:


<https://support.microsoft.com/en-us/kb/2763674>

A second problem should be limited to Windows 7 and Windows Server 2008 
R2 installations that are booted through a non-Windows bootloader (e.g. 
grub):


<https://support.microsoft.com/en-us/kb/3033929>

Let me know if you can confirm or discredit either of these issues - 
that would help us get the new installers released soon.


Thanks,

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

PS. The tap-windows6 driver in the installers is still the old one 
signed with SHA-1. I'm working on signing it with an EV certificate, so 
that Windows 10 accepts it.




Re: [Openvpn-devel] Windows installer with SHA-256 signatures ready for testing

2016-03-14 Thread Samuli Seppänen


> Hi,


Here are new Windows 2.3.10 installers with OpenSSL 1.0.1s and SHA-2
signatures:

<http://build.openvpn.net/downloads/temp/openvpn-install-2.3.10-I603-i686.exe>

<http://build.openvpn.net/downloads/temp/openvpn-install-2.3.10-I603-x86_64.exe>


I tested the latter lightly on Windows 7 Pro 64-bit and it seemed to
work just fine and the signatures seemed to be correct. However, more
testing is required before these installers can be officially released.

There is potentially a severe issue which manifests itself on Windows
Vista SP2 / Windows Server 2008 SP2:

<https://support.microsoft.com/en-us/kb/2763674>

A second problem should be limited to Windows 7 and Windows Server 2008
R2 installations that are booted through a non-Windows bootloader (e.g.
grub):

<https://support.microsoft.com/en-us/kb/3033929>

Let me know if you can confirm or discredit either of these issues -
that would help us get the new installers released soon.

Thanks,



Hi,

These installers are now live:

<https://openvpn.net/index.php/download/community-downloads.html>

Best regards,

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] Windows installer with SHA-256 signatures ready for testing

2016-03-14 Thread Samuli Seppänen



On Thu, 2016-03-10 at 16:34 +0200, Samuli Seppänen wrote:


A second problem should be limited to Windows 7 and Windows Server 2008
R2 installations that are booted through a non-Windows bootloader (e.g.
grub):

<https://support.microsoft.com/en-us/kb/3033929>


Is there a link to the corresponding grub bug? In an ideal world,
things like the above would never be posted *without* such a link. But
I suppose we don't necessarily expect Microsoft to do the right thing.
Hopefully *someone* has?


I believe the bug is not in Grub, but in the said Windows update, which 
can put the computer into reboot loop:


<http://answers.microsoft.com/en-us/windows/forum/all/kb3033929-does-not-install-multi-boot-win7-linux/8f35f8f8-c0b2-461a-a8aa-4bbf16c49920?auth=1>

I could not find a bug report in Grub bug tracker[1] using the above KB 
number. However, this problem is only tangentially related to the new 
OpenVPN installers:


- If KB3033929 has been installed, the problem will manifest itself 
regardless of OpenVPN
- If the said update has not been installed, then Windows 7 will/might 
fail to verify the signature of the installer and the libraries/binaries 
in it, showing "Unknown publisher" in UAC


Lack of the update might become more problematic after I rebuild the 
tap-windows6 driver and sign it with our new key, in which case Windows 
7 might reject the driver altogether. So that part requires more 
thorough pre-release testing.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


[1] <http://savannah.gnu.org/bugs/?group=grub>




Re: [Openvpn-devel] Downloads page still not quite right

2016-03-17 Thread Samuli Seppänen



This particular link returns 404

https://swupdate.openvpn.org/community/releases/openvpn-install-2.3.10-I603-x86_64.exe

Notified here

https://forums.openvpn.net/topic21280.html



Hi,

This confirms my feeling that every time I make a release, some of the 
links are broken for some people, but that the problem goes away by 
itself after a while. That said, one of the download nodes was updated, 
so this could have been a temporary glitch during switchover.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] Consideration for new Forum Rank - Protagonist

2016-03-23 Thread Samuli Seppänen

> Hi


currently the Forum Rank are like so:

RANK TITLE                        MINIMUM POSTS

-  OpenVPN Newbie                 0
-  OpenVPN User                   10
-  OpenVPN Power User             50
-  OpenVPN Expert                 200
-  I should be on the dev team.   500

While it is possible that "X should be on the dev team"
it is not very likely to happen .. due to circumstances ..

I would like to propose a new, more suitable rank for one
particular (currently) case:

Proposed rank - OpenVPN Protagonist
Minimum posts - 2000 or 1500 or 1000 or 999 etc

I once proposed "Guru" before but was asked not to change anything.
(Not to this list)

But I feel like as this is so simple to do (2 mins on the ACP)
and it more accurately reflects reality ..


Sounds good.

Samuli



Re: [Openvpn-devel] Windows installer with SHA-256 signatures ready for testing

2016-03-23 Thread Samuli Seppänen



Hi,

On Mon, Mar 14, 2016 at 02:18:08PM +0200, Samuli Seppänen wrote:

Lack of the update might become more problematic after I rebuild the
tap-windows6 driver and sign it with our new key, in which case Windows
7 might reject the driver altogether. So that part requires more
thorough pre-release testing.


The old key is still valid, just not "good enough" for win8+, right?

In that case we might consider building two tap driver packages, one
signed with the vista/win7 key, one with the win8+ key.

Or maybe I'm totally misunderstanding this, so ignore me :)

gert



In case I did not respond to this earlier (my email client claims that)...

Old tap-windows6 signatures will be as valid as they were before. We 
might run into trouble when we sign tap-windows6 with the EV dongle, 
which probably generates SHA-2 signatures. The same goes for our new 
generic code-signing certificate, which was recently rekeyed to SHA-2.


My view of what will happen once we fully move to SHA-2 for signing the 
executables, libraries and drivers:


- Windows XP will show "Unknown publisher" for everything
- Some Windows 7 installations _might_ have issues:
  - Might not recognize the SHA-2 signatures ("Unknown publisher")
  - Might fail to install the SHA-2 tap-windows6 driver
- Windows 8.1+ should work just fine

That said, the Windows 7 issue has not been verified. So far nobody has 
complained about the new SHA-2 based Windows installers I published. The 
tap-windows6 driver contained in the installers was still signed with 
the non-EV SHA-1 key, so at worst we'd see the "Unknown publisher" problem.


I can probably sign Windows XP (I00x) installers with the old SHA-1 key 
until it expires in September. After that I will need to sign everything 
with SHA-2. I think that at that point we should consider dropping 
official Windows XP support, namely:


- Stop publishing tap-windows-based (I00x) OpenVPN installers
- Stop caring about "Unknown publisher" warnings on Windows XP

We could still allow use of I60x installers on Windows XP, and let 
people downgrade to tap-windows manually.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] Code review for openvpn-gui pull request #26?

2016-03-30 Thread Samuli Seppänen

Hi,

This pull request has been lingering on GitHub for quite a while:

<https://github.com/OpenVPN/openvpn-gui/pull/26>

Here's the code:

<https://github.com/OpenVPN/openvpn-gui/pull/26/files>

I think "generic" code review would be enough. If we wait for a review 
from a Windows developer we might have to wait a bit too long :).


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] Consideration for new Forum Rank - Protagonist

2016-04-04 Thread Samuli Seppänen



Hi

Having received no negative feedback (10 working days)
I am prepared to make this change like so:
Rank: Protagonist - Posts: 2000
This leaves plenty of room for intermediate ranks,
should the need arise.
Regards


Go for it :).

Samuli



Re: [Openvpn-devel] IOS custom URL scheme for 3rd party launching

2016-04-05 Thread Samuli Seppänen



Hi,

On Mon, Mar 14, 2016 at 04:13:49PM +, debbie10t wrote:

Just thought Arne might be interested:

https://forums.openvpn.net/topic21272.html


Well, that is about Connect, which is "James".


Yes, and this is for iOS, so definitely James.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] New EV-signed tap-windows6 driver ready for testing

2016-04-18 Thread Samuli Seppänen

Hi,


- Windows 10 (64 bit): success

Installs without error and works fine.


Excellent!


- Windows 7 (64 bit): success, but see below

Installs without error and works fine.
However, the driver details says that it's _not_ digitally signed, but
the driver properties window shows "Digitally signed by OpenVPN
Technologies Inc."
Installing KB3123479 (update to support SHA2 signatures) makes no
difference.


Yeah, I noticed the same. This may just be a glitch in the GUI. Also, I 
think the same issue was/is present when using the old tap-windows6 
driver that has a SHA1 signature.


Interestingly Powershell seems to show all signatures I've created as 
valid, no matter what:


  > Get-AuthenticodeSignature .\tap0901.cat

It could be that the Get-Authenticode only does basic validation and 
does not lookup the entire certification path, like installing the 
driver or loading it to the kernel would. That said, the CmdLet 
occasionally hangs for long periods of time, so it could be doing 
something (e.g. downloading missing certificates) behind the scenes.



- Windows server 2008r2 (64bit) : installs ok, but adapter fails

Installs without error, driver properties and driver details display
same as Windows 7 (i.e one says signed, other says not signed).
Cannot enable the tap adapter -- fails with the following error

"The TAP-Windows Adapter V9 service failed to start due to the following
error:
Windows cannot verify the digital signature for this file. A recent
hardware or software change might have installed a file that is signed
incorrectly or damaged, or that might be malicious software from an
unknown source."


I suspect most of the signature issues are because of an incomplete 
certification path. I believe the path is viewable from the file 
properties dialog.



On installing KB3123479, the error changes to
"The driver \Driver\tap0901 failed to load for the device ROOT\NET\0004."
and TAP adapters do no show up in the list of network adapters




- Windows vista (32 bit): installs after ignoring security warning,
works fine

Installation: Pops up a warning that says no valid signature, publisher
not verified etc. On choosing to install anyway, completes without error.
Tap adapter works fine

I thought driver signature is not enforced on 32 bit vista, but this is
the only platform (among those I tried) that complained loudly at
installation time.


From what I read, Windows Vista does not correctly support SHA2 
signatures (in kernel drivers?). So it seems that 32-bit Vista works 
fine, but just complains a bit. It would be good to test on Windows 
Vista 64-bit and see if it outright rejects the driver. If that happens, 
we need to discuss what to do with Vista 64-bit; its Extended support 
EOL is due on April 11, 2017 [1].



Note: none of the above systems are up-to-date with windows updates.


This could cause part of the failures at least. Fully updating the 
system and retesting would be a good exercise (if possible).


I tested the driver on Windows Server 2012r2:
- installed just fine
- worked just fine

So so far only Windows Server 2008 is giving us headaches. I did receive 
one private report about Windows 7 64-bit not working, but I'll have to 
verify all the facts first.


In the worst case I can use dual signatures in the driver files. The 
main signature would be a non-EV SHA-1 signature, and the SHA-2 EV 
signature would be a secondary signature. Or the other way around. Some 
projects such as WinSCP advertise dual signatures on their executables 
and/or installers, so I guess that's a reasonable way forward. This 
would of course require a second round of testing.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

[1] <http://windows.microsoft.com/en-us/windows/lifecycle>
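
The message above suspects that `Get-AuthenticodeSignature` reports "valid" without showing the certification path. The following is an added example, not part of the original post or the OpenVPN build tooling: it prints the cmdlet's verdict next to the path that the .NET chain engine builds for the signer certificate. The function name `Get-SignatureChainReport` is hypothetical, and the file path is the one quoted in the message.

```powershell
# Added example: report the Authenticode status of a file together with the
# certification path of its signer. Written to run on Windows PowerShell 2.0+,
# since the thread covers Windows 7 / Server 2008 R2.
function Get-SignatureChainReport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$FilePath
    )

    $sig = Get-AuthenticodeSignature -FilePath $FilePath

    $report = New-Object PSObject -Property @{
        File          = $FilePath
        Status        = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        StatusMessage = $sig.StatusMessage
        Signer        = $null
        CertSigAlg    = $null                  # algorithm used to sign the certificate itself
        Timestamped   = ($sig.TimeStamperCertificate -ne $null)
        ChainBuilt    = $false
        ChainPath     = @()
        ChainProblems = @()
    }

    $cert = $sig.SignerCertificate
    if ($cert -eq $null) { return $report }    # unsigned, or the signature is unreadable

    $report.Signer     = $cert.Subject
    $report.CertSigAlg = $cert.SignatureAlgorithm.FriendlyName

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip CRL/OCSP lookups so the result reflects the path itself, not revocation status.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    try {
        $report.ChainBuilt = $chain.Build($cert)
        # ChainElements is ordered leaf first, root last.
        $report.ChainPath = @($chain.ChainElements | ForEach-Object {
            '{0}  [{1}]' -f $_.Certificate.Subject, $_.Certificate.SignatureAlgorithm.FriendlyName
        })
        # Empty when the path is complete and trusted; otherwise entries such as
        # PartialChain or UntrustedRoot explain what is missing.
        $report.ChainProblems = @($chain.ChainStatus | ForEach-Object {
            '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim()
        })
    }
    finally {
        $chain.Reset()
    }
    return $report
}

# Path taken from the message above; adjust to where the driver package was unpacked.
$target = '.\tap0901.cat'
if (Test-Path $target) {
    $r = Get-SignatureChainReport -FilePath $target
    $r | Format-List File, Status, StatusMessage, Signer, CertSigAlg, Timestamped, ChainBuilt
    'Certification path (leaf first):'
    $r.ChainPath
    'Chain problems:'
    $r.ChainProblems
}
```

A `PartialChain` or `UntrustedRoot` entry on a machine where the driver fails to load points at the incomplete-path theory. A clean result does not prove the driver will load, because the kernel applies its own signing policy at load time.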



Re: [Openvpn-devel] New EV-signed tap-windows6 driver ready for testing

2016-04-19 Thread Samuli Seppänen

Hi,

I just received a report from a colleague that the tap6-ev-signed driver 
failed on one particular instance of Windows 10. I will query for more 
details. In any case, there seems to be little coherence in Windows' 
behavior with the signatures.


Another colleague of mine had noticed strange behavior on Windows 10: 
when Windows updates are being downloaded/installed, tapinstall.exe just 
hangs, and the driver is in a non-functional state, and tap-windows6 
installation times out in 5 minutes or so. When the Windows updates are 
finished, tap-windows6 installation completes automatically. However, if 
the updates are not stopped, then the tap-windows6 driver will remain in 
non-functional state indefinitely, unless Windows update is disabled 
completely. I assume that Windows update can be re-enabled after 
tap-windows6 installation completes.


Anyways, I created a Wiki page with current test results and more 
thorough instructions:


<https://community.openvpn.net/openvpn/wiki/TapWindows6CodesignTests>

Hopefully we can figure out a way to make all Windows versions accept a 
single driver package. If that fails, the least bad approach is probably 
to have three drivers embedded into one installer:


- tap-windows  (NDIS5), non-EV SHA1 for Windows XP
- tap-windows6 (NDIS6), non-EV SHA1 for Windows Vista - 8.1
- tap-windows6 (NDIS6), EV SHA2 for Windows 10

Hopefully we can avoid that mess...


Only the old 32-bit vista machine is badly out-of-date and bringing it
up-to-date is a major pain. Will try.


Ok, great! Based on my experiences with updating badly out-of-date 
Windows 7 installations we'll be hearing more about this in 2 weeks or 
so :).



Dual signatures sounds like a good plan provided all these older windows
versions are capable of reading dual signatures.  We should test this.


Definitely. I will produce two different driver packages today:

1) tap6-dual-sha2ev-sha1

Primary signature is EV SHA2, secondary non-ev SHA1.

2) tap6-dual-sha1-sha2ev

Same as above, but the other way around. I suspect this will be more 
likely to succeed.


---

That said, I can see several ways how even the dual signature strategy 
could fail. For example:


- Cross-certificates cannot be added to the secondary certificate, 
possibly resulting in incomplete certification path.


- When adding a secondary certificate Signtool.exe does not allow 
timestamping, which may or may not be an issue.


- Older / unupdated Windows versions might get confused about the 
primary/secondary certificates and/or unsupported hashes. This is just a 
hunch.


I'll report back when the drivers are ready.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] New EV-signed tap-windows6 driver ready for testing

2016-04-19 Thread Samuli Seppänen

Hi,

I produced a new set of drivers with dual signatures. See 
"tap6-dual-sha1-sha2ev" download links and test results here:




The driver passed basic testing on my Windows 7 test laptop.

Samuli


Hi,

I just received a report from a colleague that the tap6-ev-signed driver
failed on one particular instance of Windows 10. I will query for more
details. In any case, there seems to be little coherence in Windows'
behavior with the signatures.

Another colleague of mine had noticed strange behavior on Windows 10:
when Windows updates are being downloaded/installed, tapinstall.exe just
hangs, and the driver is in a non-functional state, and tap-windows6
installation times out in 5 minutes or so. When the Windows updates are
finished, tap-windows6 installation completes automatically. However, if
the updates are not stopped, then the tap-windows6 driver will remain in
non-functional state indefinitely, unless Windows update is disabled
completely. I assume that Windows update can be re-enabled after
tap-windows6 installation completes.

Anyways, I created a Wiki page with current test results and more
thorough instructions:



Hopefully we can figure out a way to make all Windows versions accept a
single driver package. If that fails, the least bad approach is probably
to have three drivers embedded into one installer:

- tap-windows  (NDIS5), non-EV SHA1 for Windows XP
- tap-windows6 (NDIS6), non-EV SHA1 for Windows Vista - 8.1
- tap-windows6 (NDIS6), EV SHA2 for Windows 10

Hopefully we can avoid that mess...


Only the old 32-bit vista machine is badly out-of-date and bringing it
up-to-date is a major pain. Will try.


Ok, great! Based on my experiences with updating badly out-of-date
Windows 7 installations we'll be hearing more about this in 2 weeks or
so :).


Dual signatures sounds like a good plan provided all these older windows
versions are capable of reading dual signatures.  We should test this.


Definitely. I will produce two different driver packages today:

1) tap6-dual-sha2ev-sha1

Primary signature is EV SHA2, secondary non-ev SHA1.

2) tap6-dual-sha1-sha2ev

Same as above, but the other way around. I suspect this will be more
likely to succeed.

---

That said, I can see several ways how even the dual signature strategy
could fail. For example:

- Cross-certificates cannot be added to the secondary certificate,
possibly resulting in incomplete certification path.

- When adding a secondary certificate Signtool.exe does not allow
timestamping, which may or may not be an issue.

- Older / unupdated Windows versions might get confused about the
primary/secondary certificates and/or unsupported hashes. This is just a
hunch.

I'll report back when the drivers are ready.






Re: [Openvpn-devel] New EV-signed tap-windows6 driver ready for testing

2016-04-20 Thread Samuli Seppänen

Hi,

So far the new driver (tap6-dual-sha1-sha2ev) looks promising: it works 
on 64-bit Vista, 7 and 10:




Selva: can you try this new driver on your Vista 32-bit and Windows 
Server 2008? If you still have not updated them then please don't: it's 
probably best to test against systems which are more likely to cause issues.


I'll test the driver on Windows Server 2012 and append the results to 
the Wiki page.


Samuli




Hi,

I produced a new set of drivers with dual signatures. See
"tap6-dual-sha1-sha2ev" download links and test results here:



The driver passed basic testing on my Windows 7 test laptop.

Samuli


Hi,

I just received a report from a colleague that the tap6-ev-signed driver
failed on one particular instance of Windows 10. I will query for more
details. In any case, there seems to be little coherence in Windows'
behavior with the signatures.

Another colleague of mine had noticed strange behavior on Windows 10:
when Windows updates are being downloaded/installed, tapinstall.exe just
hangs, and the driver is in a non-functional state, and tap-windows6
installation times out in 5 minutes or so. When the Windows updates are
finished, tap-windows6 installation completes automatically. However, if
the updates are not stopped, then the tap-windows6 driver will remain in
non-functional state indefinitely, unless Windows update is disabled
completely. I assume that Windows update can be re-enabled after
tap-windows6 installation completes.

Anyways, I created a Wiki page with current test results and more
thorough instructions:



Hopefully we can figure out a way to make all Windows versions accept a
single driver package. If that fails, the least bad approach is probably
to have three drivers embedded into one installer:

- tap-windows  (NDIS5), non-EV SHA1 for Windows XP
- tap-windows6 (NDIS6), non-EV SHA1 for Windows Vista - 8.1
- tap-windows6 (NDIS6), EV SHA2 for Windows 10

Hopefully we can avoid that mess...


Only the old 32-bit vista machine is badly out-of-date and bringing it
up-to-date is a major pain. Will try.


Ok, great! Based on my experiences with updating badly out-of-date
Windows 7 installations we'll be hearing more about this in 2 weeks or
so :).


Dual signatures sounds like a good plan provided all these older windows
versions are capable of reading dual signatures.  We should test this.


Definitely. I will produce two different driver packages today:

1) tap6-dual-sha2ev-sha1

Primary signature is EV SHA2, secondary non-ev SHA1.

2) tap6-dual-sha1-sha2ev

Same as above, but the other way around. I suspect this will be more
likely to succeed.

---

That said, I can see several ways how even the dual signature strategy
could fail. For example:

- Cross-certificates cannot be added to the secondary certificate,
possibly resulting in incomplete certification path.

- When adding a secondary certificate Signtool.exe does not allow
timestamping, which may or may not be an issue.

- Older / unupdated Windows versions might get confused about the
primary/secondary certificates and/or unsupported hashes. This is just a
hunch.

I'll report back when the drivers are ready.











Re: [Openvpn-devel] New EV-signed tap-windows6 driver ready for testing

2016-04-21 Thread Samuli Seppänen

Hi Selva,

Thanks for doing the tests!


Hi,

On Wed, Apr 20, 2016 at 2:51 AM, Samuli Seppänen <sam...@openvpn.net> wrote:

Hi,

So far the new driver (tap6-dual-sha1-sha2ev) looks promising: it
works on 64-bit Vista, 7 and 10:

<https://community.openvpn.net/openvpn/wiki/TapWindows6CodesignTests>

Selva: can you try this new driver on your Vista 32-bit and Windows
Server 2008? If you still have not updated them then please don't:
it's probably best to test against systems which are more likely to
cause issues.


To add to what's already confirmed, the new driver works for me too on
Windows 10 and Windows 7 (both 64bit) -- no problems with installation or
use; same as the earlier sha2-only version.


Great! I added all of your results to the Wiki page.


The behaviour on vista 32 (still not updated) is somewhat strange --
both the -sha2 and -sha1-sha2 now install without any warning after the
first forced installation  --- i.e.,  install ignoring a stern warning,
remove, and then install again and the second time onwards there are no
warnings. I did not select the "trust this publisher" button or
anything, but it behaves as if.  Anyway, dual signatures appear to be
fine even with this out-of-date vista machine though it may be seeing
only the first signature: file properties shows only one digest -- sha2
on the first version and sha1 on the second one.


Ok, if Vista can only see one signature then making SHA1 the primary one 
made perfect sense. Interestingly the capability to add multiple 
signatures/timestamps to a file has appeared relatively recently: 
signtool.exe bundled with WinDDK 7600.* does not support it. Windows 
Kit 10 (successor to WinDDK I presume) does have multiple signature support.



Updating the vista machine is probably not going to happen -- too many
failures trying to do so and considering this was booted into vista
first time in 2 years, it looks like a lost battle.


Yeah, don't worry about it. I think the driver has proven itself to the 
degree it can without actually being tested in the wild.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] Unit testing in openvpn?

2016-04-21 Thread Samuli Seppänen



Adding a test framework would require a way to include & track this dependency.

I see three possibilities

* Copy-and-forget: Add a copy of the upstream testing framework and add it as-is 
to the source code repo.
* Include-dependency-management: Add some kind of dependency management, e.g. 
cmake packages.

cmake vs autoconf/automake is a somewhat heated discussion. At the moment
the project is using autoconf/automake since it has always been using that.

* Use-the-SCM: Use git submodules to add the dependency.

I dislike Copy-and-forget because it pollutes the repository, and makes 
tracking upstream changes very hard.

I have no experience with Makefile based dependency management

But I do know how to handle a git submodule.

I have a very strong preference to using a git submodule for unit testing.


I think how to put a testing framework into git is secondary. If unit
tests are useful in the current state, we can discuss about how to
include them.

Arne


I think the first step would be to identify the places where unit tests 
could be implemented easily (if any), and where they would do most good. 
If something falls to both of these categories then writing a unit test 
there would probably make sense.


Then there's the other codebase (3.x) which, when publicly released, 
might be a good/better candidate for writing unit tests.


If we end up writing unit tests, I too would prefer the Git submodule 
approach.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] Tap-windows-9.21.2 installers available

2016-04-21 Thread Samuli Seppänen

Hi,

Tap-windows-9.21.2 installer is now available here:

<http://build.openvpn.net/downloads/releases/tap-windows-9.21.2.exe>

The driver files are also available separately:

<http://build.openvpn.net/downloads/releases/tap-windows-9.21.2.tar.gz>
<http://build.openvpn.net/downloads/releases/tap-windows-9.21.2.zip>

GnuPG signatures are also available - just add .asc to the file's URL.

I'll produce new OpenVPN Windows installers containing this new 
tap-windows6 driver soonish, next week probably. If you want, you can 
test the driver beforehand to make sure it works ok. That said, earlier 
drivers created with the same process have been fairly extensively 
tested[1]. However, the installer has not yet been tested at all, though 
it should work just fine.


All the executables (installer, tapinstall.exe) and driver catalog files 
have dual signatures and _should_ work on all Windows versions from 
Vista onwards.


Best regards,

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

[1] See "tap6-dual-sha1-sha2ev" here:

<https://community.openvpn.net/openvpn/wiki/TapWindows6CodesignTests>



Re: [Openvpn-devel] Unit testing in openvpn?

2016-04-22 Thread Samuli Seppänen



Then there's the other codebase (3.x) which, when publicly released, might be a 
good/better candidate for writing unit tests.


Please forgive my ignorance: Is this code base already a thing, and what is the 
time scale we are looking at (regarding “V3”)?


The 3.x codebase is included in OpenVPN Connect clients. It will be 
released in GitHub when James Yonan (the original author of OpenVPN) has 
some extra time to clean up the codebase and make the release. This 
could take a few weeks or a few months, but there is nothing really 
blocking the release afaik.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] [PATCH] Update INSTALL-win32.txt for OpenVPN 2.3.10

2016-04-29 Thread Samuli Seppänen



Hi,

On Wed, Apr 27, 2016 at 01:21:41PM +0300, Arne Schwabe wrote:

Am 04.01.16 um 20:22 schrieb sam...@openvpn.net:

From: Samuli Seppänen 

OpenVPN 2.3.10 includes an OpenVPN-GUI which automatically requests elevation of
privileges using UAC. Modified INSTALL-win32.txt to reflect this behavior.


ACK from me. This seems to be still not applied.


Well, it isn't, but I answered Samuli's mail, and he agreed that we do
not want to go there:

---
[..]

I wonder if these bits should not be removed from the INSTALL-win32.txt
we ship in the main openvpn repo - since this is a gui thing and happens
totally outside the main repo...  move it to the windows build tree,
maybe, and show it from the installer upon installation?

gert


Hi,

Looking at the full contents of INSTALL-win32.txt your suggestion makes
sense. I'll migrate the file to openvpn-build and then send a removal patch
for openvpn/INSTALL-win32.txt.
---

... and this patch never came... :-)


Uh, I'm embarrassed :). That said, I have the task in our JIRA ("Migrate 
INSTALL-win32.txt to openvpn-build"), so I had not forgotten about it.


Now that tap-windows6 dual-signatures seem to work, I think I'll focus 
on cleaning up the JIRA backlog by tackling the small and easy tasks 
such as this one in one go.




So, what next?  Samuli?  Apply, based on Arne's ACK, or remove?

gert


Let's continue with the original plan.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] SPAM on trac

2016-04-30 Thread Samuli Seppänen
Wow. Previously nothing of this magnitude has been encountered. Luckily 
this crap is, afaik, invisible to normal users, because the pages are 
linked to from anywhere (except the TitleIndex).


Based on the history of the spam pages the spammer(s) used many user 
accounts, and the edits were spread over a period of over 32 hours at 
least. Assuming bots have not found a way around the Google reCAPTCHA we 
use in the registration webapp these are real human spammers.


Anyways, I'll turn on a bunch of other spam filtering services in Trac 
today, then add a few more on Monday. I'll also get rid of this crap 
after more spam filtering is in place.


I hope we can avoid the situation where all edits have to be made by 
known-good people. Right now Wiki edits are disabled for everyone except 
a select few.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




We have a spammer :(

https://community.openvpn.net/openvpn/wiki/TitleIndex

Lots of it ..

Regards








Re: [Openvpn-devel] SPAM on trac

2016-04-30 Thread Samuli Seppänen



Wow. Previously nothing of this magnitude has been encountered. Luckily
this crap is, afaik, invisible to normal users, because the pages are
linked to from anywhere (except the TitleIndex).

Based on the history of the spam pages the spammer(s) used many user
accounts, and the edits were spread over a period of over 32 hours at
least. Assuming bots have not found a way around the Google reCAPTCHA we
use in the registration webapp these are real human spammers.

Anyways, I'll turn on a bunch of other spam filtering services in Trac
today, then add a few more on Monday. I'll also get rid of this crap
after more spam filtering is in place.

I hope we can avoid the situation where all edits have to be made by
known-good people. Right now Wiki edits are disabled for everyone except
a select few.


Hi,

I turned on several new external content scanning spamfilters. In the 
process I had to upgrade Trac and the Trac spam filtering plugin. We 
used to only have Akismet, because we didn't really have any big spam 
issues. Now we have all of these activated:


- Akismet (http://akismet.com/)
- Blogspam (http://blogspam.net/)
- StopForumSpam (http://stopforumspam.com/)
- BotScout (http://botscout.com/)
- Fspamlist (http://www.fspamlist.com/)

Based on spam monitoring and Trac logs the filters seem to work, but 
we'd need actual spam attempts to prove that[*]. Right now the "karma" 
setup on Trac is such that if one service thinks the content is spam 
then the edit will be rejected. I also reduced the maximum number of 
edits per IP to 5 per hour, and activated Google reCAPTCHA. I did not 
see reCAPTCHAs, though, when doing ticket test edits, so it might only 
apply to anonymous edits; in that case it would be useless for us.


There are a few other spam detection services which we can probably 
activate later:


- Spamwipe (http://spamwipe.com/): registration does not work atm
- Mollom (http://mollom.com/)

I also did a mass removal of the spam Wiki pages (500+). The bastards 
had contaminated some of our useful Wiki pages, but deducing which ones 
was fairly easy given direct access to the database. I believe I managed 
to delete all the contaminated revisions.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

[*] I did not want my own IP to get added to various IP blacklists, so I 
did not try "spamming" myself.




Re: [Openvpn-devel] Ubuntu Repository

2016-05-02 Thread Samuli Seppänen

Hi,

Good that you reminded me of this. I will produce packages after the 
more urgent stuff (aftermath of the spam attack on Trac) is finished.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Hi,

Just curious – any plans to update the repository (at
http://swupdate.openvpn.net/apt), now that Ubuntu 16.04 LTS is out?

Thanks!

… Russell









Re: [Openvpn-devel] compiling openvpn-gui artifacts on PR

2016-05-02 Thread Samuli Seppänen



Hello,

what do you think if we involve circle ci for compiling PR ?
it is known to keep artifacts

https://circleci.com/gh/chipitsine/openvpn-gui-circleci/12#artifacts

https://circleci.com/gh/chipitsine/openvpn-gui-circleci/10#artifacts

I haven't figured out how to report automatically to github "test just
compiled exe", but it looks better (currently Samuli compiles exe and
uploads them somewhere)


So this Circle CI would be an alternative to Travis CI? Or was it so 
that Travis is unable to build PRs?


The downloads you referred to are here, btw:

<http://build.openvpn.net/downloads/snapshots/>

There are builds for both the "master" and "release/2.3" branch. The 
installers are produced using a custom script that goes through the 
entire openvpn-build build chain. Replicating that very complex process 
using a "real" CI system would not be worth the effort imho.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] automatically close PR

2016-05-02 Thread Samuli Seppänen



Hello,

it is not very ethical to allow people to open PR in order to say later
"hey, you know, we do not accept PR"

I suggest to enable https://nopullrequests.appspot.com/ on
https://github.com/openvpn/openvpn repo, it looks like a polite way of
saying things.

ideas?


I added nopullrequests to my GitHub account as a test. Now I seem to 
have the ability to disable PRs for OpenVPN/openvpn. Any reason why we 
would want to keep pull requests open (and never review them)?


If we disable pull requests, I think it would make sense to

a) Mention our contribution procedure in README
b) Convert README into README.rst (so that it looks nicer on GitHub)

Thoughts?

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] CI for openvpn

2016-05-02 Thread Samuli Seppänen



Hello,

I just run cppcheck and ...

[src/openvpnserv/interactive.c:601]: (error) Memory pointed to by
'addr_row' is freed twice.
[src/openvpnserv/interactive.c:700]: (error) Memory pointed to by
'fwd_row' is freed twice.
[src/openvpnserv/interactive.c:1329]: (error) Common realloc mistake:
'handles' nulled but not freed upon failure

I suggest to either

1) add travis-ci support (there are few tests in "t" and we can run
cppcheck)
2) add cppcheck to buildbot (however it is not transparent, I've no idea
where can I have a look at buildbot logs, for example)


I assume cppcheck produces the same results regardless of the 
OS/distribution it is running on. If this is the case, then we should 
add cppcheck tests to Travis-CI.


Using buildbot to run an identical check 150+ times per commit makes 
no sense.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
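
The three cppcheck findings quoted in this message (two double frees and the "common realloc mistake") correspond to two recurring C patterns, shown here beside their corrected forms. This is an added illustration, not code from src/openvpnserv/interactive.c; `handle_list`, the function names and the injectable allocator `realloc_fn` are hypothetical names chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical growable array of handles; not the OpenVPN data structure. */
typedef struct {
    int   *items;
    size_t cap;
} handle_list;

/* Injectable allocator so the out-of-memory path can be exercised. */
static void *(*realloc_fn)(void *, size_t) = realloc;

static void *failing_realloc(void *p, size_t n)
{
    (void)p; (void)n;
    return NULL;            /* simulate failure; the old block stays allocated */
}

/* Pattern cppcheck reports as "common realloc mistake": the only pointer to
 * the old block is overwritten with NULL on failure, so the block leaks and
 * the list still claims cap entries while having no storage. */
static int grow_flagged(handle_list *l, size_t new_cap)
{
    l->items = realloc_fn(l->items, new_cap * sizeof *l->items);
    if (l->items == NULL)
        return -1;
    l->cap = new_cap;
    return 0;
}

/* Corrected form: keep the old pointer until realloc has succeeded, and
 * reject sizes whose byte count would overflow size_t. */
static int grow_checked(handle_list *l, size_t new_cap)
{
    int *tmp;

    if (new_cap == 0 || new_cap > SIZE_MAX / sizeof *l->items)
        return -1;
    tmp = realloc_fn(l->items, new_cap * sizeof *l->items);
    if (tmp == NULL)
        return -1;          /* l->items and l->cap are unchanged and valid */
    l->items = tmp;
    l->cap = new_cap;
    return 0;
}

/* Double-free guard: free through the owner's pointer and clear it, so a
 * second cleanup path (error label plus normal exit) becomes free(NULL). */
static void release_list(handle_list *l)
{
    free(l->items);
    l->items = NULL;
    l->cap = 0;
}

/* Returns 1 if the flagged version lost its buffer on simulated failure. */
static int flagged_loses_buffer(void)
{
    handle_list l = { malloc(4 * sizeof(int)), 4 };
    int *saved = l.items;   /* kept only so this demo can free the block */
    int lost;

    realloc_fn = failing_realloc;
    grow_flagged(&l, 8);
    realloc_fn = realloc;
    lost = (l.items == NULL);
    free(saved);
    return lost;
}

/* Returns 1 if the checked version kept its buffer and data across a failed
 * grow, grew on retry, and tolerated being released twice. */
static int checked_keeps_buffer(void)
{
    handle_list l = { malloc(4 * sizeof(int)), 4 };
    int ok;

    if (l.items == NULL)
        return 0;
    l.items[3] = 42;
    realloc_fn = failing_realloc;
    ok = grow_checked(&l, 8) == -1 && l.items != NULL
         && l.cap == 4 && l.items[3] == 42;
    realloc_fn = realloc;
    ok = ok && grow_checked(&l, 8) == 0 && l.cap == 8 && l.items[3] == 42;
    release_list(&l);
    release_list(&l);       /* second call is a harmless free(NULL) */
    return ok && l.items == NULL;
}

int main(void)
{
    return (flagged_loses_buffer() && checked_keeps_buffer()) ? 0 : 1;
}
```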



Re: [Openvpn-devel] CI for openvpn

2016-05-02 Thread Samuli Seppänen



On Mon, May 2, 2016 at 9:44 AM, Samuli Seppänen  wrote:



1) add travis-ci support (there are few tests in "t" and we can run
cppcheck)


I assume cppcheck produces the same results regardless of the
OS/distribution it is running on. If this is the case, then we should
add cppcheck tests to Travis-CI.


Yes, I think this makes sense.  As a first step, someone could review
my patch from December to enable travis-ci on our repo:

https://sourceforge.net/p/openvpn/mailman/message/34709650/

-Steffan


Ilya (<- is that the correct transliteration?): can you have a look? 
You seem to have a fair bit of knowledge in Travis-CI.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] CI for openvpn

2016-05-02 Thread Samuli Seppänen



It seems, patches are often lost "somewhere in mailing list archives"


Indeed, because we've been unable to process them in time. And there is 
no fully automated system to show what the patch status is.



I still have no idea why this way of distributing patches is preferable
over native github PRs


Indeed. At minimum we should clearly state why we prefer email patches 
over GitHub PRs. Then revisit the arguments every now and then, and 
adapt as necessary.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] CI for openvpn

2016-05-02 Thread Samuli Seppänen



well, I'm not prepared to pass commit procedures, I'm waiting for
Samuli's response whether or not he can handle those if I will send
patches directly to him


Well, if the patches would be 100% perfect all the time I probably would 
not mind relaying them to the list. However, in that case you could more 
easily just send them to the list yourself. I don't see much value for 
you in me acting as a proxy. And I do see pain for me for doing that.


Now, Ilya is right in that we _could_ export all the data we want from 
GitHub. So, one of the reasons why we originally chose mailing list 
-based review is moot. The rest of the reasons should be written 
somewhere, because people are increasingly using GitHub, and asking why 
we don't accept PRs. I can probably dig up the previous rather lengthy 
discussion on the topic and convert it to a Wiki page or add it to the 
README, so that GitHub users can see it. What we have now is clearly 
inadequate given the amount of complaints/discussion we get:


---

NOTE: Patches or "git pull requests" sent directly to a development tree 
maintainer will be rejected.


From <https://community.openvpn.net/openvpn/wiki/DeveloperDocumentation>

---

I think these "GitHub PR discussions" go off the track almost the minute 
they start. Before even starting them we should fully understand what 
our goals as a project are. Then we could assess the tools and process 
we use now, and those which we have at our disposal. Then, finally, we 
could make an informed decision on where to go next. Or we could just 
continue doing what we're doing.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




Re: [Openvpn-devel] SPAM on trac

2016-05-03 Thread Samuli Seppänen

Hi,

I turned on several new external content scanning spamfilters. In the
process I had to upgrade Trac and the Trac spam filtering plugin. We
used to only have Akismet, because we didn't really have any big spam
issues. Now we have all of these activated:

- Akismet (http://akismet.com/)
- Blogspam (http://blogspam.net/)
- StopForumSpam (http://stopforumspam.com/)
- BotScout (http://botscout.com/)
- Fspamlist (http://www.fspamlist.com/)

Based on spam monitoring and Trac logs the filters seem to work, but
we'd need actual spam attempts to prove that[*]. Right now the "karma"
setup on Trac is such that if one service thinks the content is spam
then the edit will be rejected. I also reduced the maximum number of
edits per IP to 5 per hour, and activated Google reCAPTCHA. I did not
see reCAPTCHAs, though, when doing ticket test edits, so it might only
apply to anonymous edits; in that case it would be useless for us.

There are a few other spam detection services which we can probably
activate later:

- Spamwipe (http://spamwipe.com/): registration does not work atm
- Mollom (http://mollom.com/)

I also did a mass removal of the spam Wiki pages (500+). The bastards
had contaminated some of our useful Wiki pages, but deducing which ones
was fairly easy given direct access to the database. I believe I managed
to delete all the contaminated revisions.



Hi,

I set up urlwatch to watch the "Recent changes" page every ten minutes:

<https://community.openvpn.net/openvpn/wiki/RecentChanges>

Adding, deleting or modifying a Wiki page will now trigger an email 
notification. An attack such as the last one would have triggered a 
huge number of emails and would have allowed us to respond much faster. The 
Trac front page has been successfully monitored for a long while, 
resulting in removal of quite a bit of attachment spam. Notifications to 
Trac tickets are already sent to #openvpn-devel IRC channel, so that 
part is covered already.


Right now the notification emails go only to me, but sending them to 
additional people would improve our response time. I don't expect a huge 
number of emails, even though RecentChanges page will see more activity 
than Wikistart.


Let me know if you want to help monitor the Wiki and I'll add your email 
to the urlwatch list.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] SPAM on trac

2016-05-03 Thread Samuli Seppänen



Hi,

I turned on several new external content scanning spamfilters. In the
process I had to upgrade Trac and the Trac spam filtering plugin. We
used to only have Akismet, because we didn't really have any big spam
issues. Now we have all of these activated:

- Akismet (http://akismet.com/)
- Blogspam (http://blogspam.net/)
- StopForumSpam (http://stopforumspam.com/)
- BotScout (http://botscout.com/)
- Fspamlist (http://www.fspamlist.com/)

Based on spam monitoring and Trac logs the filters seem to work, but
we'd need actual spam attempts to prove that[*]. Right now the "karma"
setup on Trac is such that if one service thinks the content is spam
then the edit will be rejected. I also reduced the maximum number of
edits per IP to 5 per hour, and activated Google reCAPTCHA. I did not
see reCAPTCHAs, though, when doing ticket test edits, so it might only
apply to anonymous edits; in that case it would be useless for us.

There are a few other spam detection services which we can probably
activate later:

- Spamwipe (http://spamwipe.com/): registration does not work atm
- Mollom (http://mollom.com/)

I also did a mass removal of the spam Wiki pages (500+). The bastards
had contaminated some of our useful Wiki pages, but deducing which ones
was fairly easy given direct access to the database. I believe I managed
to delete all the contaminated revisions.



Hi,

I set up urlwatch to watch the "Recent changes" page every ten minutes:

<https://community.openvpn.net/openvpn/wiki/RecentChanges>

Adding, deleting or modifying a Wiki page will now trigger an email
notification. An attack such as the last one would have triggered a
huge number of emails and would have allowed us to respond much faster. The
Trac front page has been successfully monitored for a long while,
resulting in removal of quite a bit of attachment spam. Notifications to
Trac tickets are already sent to #openvpn-devel IRC channel, so that
part is covered already.

Right now the notification emails go only to me, but sending them to
additional people would improve our response time. I don't expect a huge
number of emails, even though RecentChanges page will see more activity
than Wikistart.

Let me know if you want to help monitor the Wiki and I'll add your email
to the urlwatch list.



It seems that the spam attack continued well into last Saturday evening 
in the ticketing system. One last(?) attempt was made yesterday and then 
things went silent. Fortunately the mix of new spam filters seemed to 
block all the latest attempts properly. There was also one legitimate 
edit which got through without issues.


Today I added Mollom filter to the mix to provide additional protection. 
I also started training the built-in Bayesian filter to make things even 
more difficult for spammers.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] New OpenVPN 2.3.10 Windows installers (I604/I003) released

2016-05-04 Thread Samuli Seppänen

Hi all,

New OpenVPN Windows installers have been released. The I003 and I604 
installers bundle OpenSSL 1.0.1t which fixes some security 
vulnerabilities. The I604 installers also bundle a new tap-windows6 
driver (9.21.2) which has dual authenticode signatures (SHA1/SHA2) for 
the best possible compatibility across Windows versions (Vista -> 
Windows 10). In addition, the 9.21.2 driver fixes a security 
vulnerability which, however, required local admin rights to be 
exploitable. OpenVPN-GUI has also seen minor changes.


Best regards,

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] Installation failure with openvpn-install-2.3.10-I003-i686.exe on Windows XP 32-bit?

2016-05-06 Thread Samuli Seppänen

Hi,

I received a report on IRC that "openvpn-install-2.3.10-I003-i686.exe" 
installer fails on Windows XP 32-bit with


"This installer only works on Windows Vista, Windows server 2008 and above."

Can anyone else reproduce the above problem on Windows XP?

The openvpn-build commit that made this error possible was 65e328c:

<https://github.com/OpenVPN/openvpn-build/commit/65e328c89182c47d1a93398e04ca92199bf17af3>

However, as it states in the commit log the code path was tested before 
merging it.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] Installation failure with openvpn-install-2.3.10-I003-i686.exe on Windows XP 32-bit?

2016-05-06 Thread Samuli Seppänen



Hi,

On Fri, May 06, 2016 at 10:18:34AM +0300, Samuli Seppänen wrote:

I received a report on IRC that "openvpn-install-2.3.10-I003-i686.exe"
installer fails on Windows XP 32-bit with

"This installer only works on Windows Vista, Windows server 2008 and above."

Can anyone else reproduce the above problem on Windows XP?


Yes.  Happens on my XP VM too.

(It first refuses to run at all due to "unknown signature", but that is
easily fixed by right-clicking and permitting execution, but then this
error message shows up)


The openvpn-build commit that made this error possible was 65e328c:

<https://github.com/OpenVPN/openvpn-build/commit/65e328c89182c47d1a93398e04ca92199bf17af3>

However, as it states in the commit log the code path was tested before
merging it.


Was it ever tested on Win XP?  Seems the branch "has_tap_windows:" isn't
taken...


From mailing list archives:

<http://thread.gmane.org/gmane.network.openvpn.devel/11187/focus=11188>

So "I60x on XP" _was_ tested, but "I00x on XP" was not. Staring at the 
NSIS code tells me that "it should work", but I need to do more testing 
and then release a fixed installer.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] New OpenVPN 2.3.10 Windows installers (I604/I003) released

2016-05-06 Thread Samuli Seppänen



Hi all,

New OpenVPN Windows installers have been released. The I003 and I604
installers bundle OpenSSL 1.0.1t which fixes some security
vulnerabilities. The I604 installers also bundle a new tap-windows6
driver (9.21.2) which has dual authenticode signatures (SHA1/SHA2) for
the best possible compatibility across Windows versions (Vista ->
Windows 10). In addition, the 9.21.2 driver fixes a security
vulnerability which, however, required local admin rights to be
exploitable. OpenVPN-GUI has also seen minor changes.

Best regards,



New Windows installers are now out for Windows XP:

<http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.10-I005-i686.exe>
<http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.10-I005-x86_64.exe>

They revert the commit [1] which caused the previous (I003) installer to bail 
out immediately on Windows XP thinking that the user was trying to 
install tap-windows6. Based on testing by a user on IRC these installers 
should work correctly on Windows XP.


I will get into fixing the actual problem early next week at latest. 
After proper testing I'll make yet another installer release.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

[1] <https://github.com/OpenVPN/openvpn-build/commit/65e328c89182c47d1a93398e04ca92199bf17af3>




[Openvpn-devel] Windows installer snapshots now bundle the latest OpenVPN-GUI

2016-05-09 Thread Samuli Seppänen

Hi,

Upcoming OpenVPN Windows installer snapshots[1] now bundle OpenVPN-GUI 
built from tarballs automatically generated from Git sources:


Installer name                  OpenVPN branch  OpenVPN-GUI branch
------------------------------------------------------------------
openvpn-install-master-*        master          master
openvpn-install-release-2.3-*   release/2.3     release/10

This is particularly relevant for OpenVPN Git "master" snapshots, as the 
installer contains not only the Interactive service -enabled OpenVPN, 
but also an OpenVPN-GUI with the necessary integrations.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

[1] <http://build.openvpn.net/downloads/snapshots>



[Openvpn-devel] Topics for today's (Monday, 9th May 2016) community meeting

2016-05-09 Thread Samuli Seppänen

Hi,

We're going to have an IRC meeting today starting at 20:00 CEST (18:00 
UTC) on #openvpn-meeting at irc.freenode.net. Note that the meeting 
channel has changed and that you do _not_ have to be logged in to 
Freenode to join the channel.


Current topic list along with basic information is here:

<https://community.openvpn.net/openvpn/wiki/Topics-2016-05-09>

If you have any other things you'd like to bring up, respond to this 
mail, send me mail privately or add them to the list yourself.


In case you can't attend the meeting, please feel free to make comments 
on the topics by responding to this email or to the summary email sent 
after the meeting. Whenever possible, we'll also respond to existing, 
related email threads.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] Packages for Ubuntu 16.04 ("Xenial") now available

2016-05-09 Thread Samuli Seppänen

Hi all,

Our official apt repos now have packages for Ubuntu 16.04. To make use 
of the packages follow the standard procedure outlined here:


<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos>

I have lightly tested the 64-bit package and it seems to work fine. Let 
me know if you experience any issues with the packages.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] OpenVPN 2.3.11 released

2016-05-10 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.3.11. 
It can be downloaded from here:


<http://openvpn.net/index.php/open-source/downloads.html>

This release fixes two vulnerabilities: a port-share bug with DoS 
potential and a buffer overflow by user supplied data when using pam 
authentication. In addition a number of small fixes and improvements are 
included. A full list of changes is available here:


<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23>

For generic help use these support channels:

Official documentation: 
<http://openvpn.net/index.php/open-source/documentation/howto.html>

Wiki: <https://community.openvpn.net>
Forums: <https://forums.openvpn.net>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: <https://community.openvpn.net>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires 
Freenode registration)


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] Summary of the IRC meeting on 9th May 2016

2016-05-10 Thread Samuli Seppänen

Hi,

Here's the summary of today's IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
List-Post: openvpn-devel@lists.sourceforge.net
Date: Monday 9th May 2016
Time: 20:00 CEST (18:00 UTC)

Planned meeting topics for this meeting were here:

<https://community.openvpn.net/openvpn/wiki/Topics-2016-05-09>

The next meeting (patch review sprint) has been scheduled for two weeks 
from now.


Your local meeting time is easy to check from services such as

<http://www.timeanddate.com/worldclock>

SUMMARY

cron2, lev, mattock and syzzer participated in this meeting.

---

Discussed OpenVPN 2.3.11 release. Resolved a few tickets in Trac and 
moved those which could not be quickly fixed to milestone 2.3.12, then 
tagged the release. (Mattock made the release the day after the meeting)


---

Discussed the upcoming OpenVPN developer hackathon. The current plan is 
to organize it in Helsinki (Finland) in late September. Lev will get 
confirmation for this within a week or so.


---

Discussed the OpenVPN 2.4-alpha1 release. There are currently only two 
blockers:


- registerdns-in-the-iservice (patch on list, needs review)
- pushable ciphers (syzzer is working on this)

---

Full chatlog has been attached to this email.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

(21:01:58) syzzer: good evening :)
(21:02:16) mattock: meeting time
(21:02:19) mattock: hi syzzer!
(21:04:14) syzzer: wow, 1st of Feb was the previous meeting
(21:04:28) mattock: yeah, a _long_ while ago
(21:05:45) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2016-05-09
(21:05:47) vpnHelper: Title: Topics-2016-05-09 – OpenVPN Community (at 
community.openvpn.net)
(21:06:47) mattock: I tried to direct-poke lev about the hackathon
(21:09:15) cron2: so, what did he say?
(21:09:37) mattock: nothing, he has not answered yet
(21:09:44) mattock: anyways, we can start with the other stuff
(21:09:52) mattock: so 2.3.11
(21:10:12) mattock: what goes in?
(21:10:38) syzzer: yes, that is the question :)
(21:10:48) mattock: opinions? :P
(21:11:09) syzzer: James' --port-share patches
(21:11:34) cron2: this is the most important one, and then timely release
(21:12:23) cron2: what about port-share-max?
(21:12:25) syzzer: but I think those need someone with a Mac to create a 
'deprecate ancient OSX' patch
(21:13:04) syzzer: if we do the above, I don't think we don't actually need 
--port-share-max
(21:13:11) syzzer: -don't
(21:13:12) cron2: the patch itself will be fine, but it will keep using the 
select() branch on MacOS - which, if you do not intend to provide a heavy-duty 
server, is not a big issue
(21:13:16) mattock: git shortlog v2.3.10...HEAD gives quite a few small patches
(21:13:46) mattock: (when branch is release/2.3)
(21:14:01) syzzer: I think we should just stop using select() on OSX too
(21:14:14) cron2: syzzer: with your FD_SET hardening, the worst thing that 
could happen on MacOS is "assert in fd_set", which is annoying, but better than 
now
(21:14:26) syzzer: cron2: yes, definitely
(21:14:36) syzzer: so we could even postpone polishing
(21:14:50) cron2: I agree with "stop using select()", I just wanted to point 
out that while important, it's a somewhat independent issue
(21:15:22) lev__ [~l...@stipakov.fi] entered the room.
(21:15:32) lev__: hi there
(21:15:35) cron2: ho!
(21:15:46) syzzer: yes, you're right.  so let's check trac and decide if we can 
do a release :)\
(21:15:48) syzzer: hi lev :)
(21:16:02) mattock: hi lev!
(21:18:27) lev__: about hackathon - I got preliminary approval from my company 
to have it in our premises, but no exact dates yet
(21:19:07) mattock: excellent!
(21:19:10) cron2: cool
(21:19:10) mattock: so Helsinki, right?
(21:19:59) syzzer: yes, nice!
(21:20:17) lev__: if you are willing to fly to Oulu it would be much easier :) 
we could have larger premises and sauna
(21:20:37) ***syzzer checks flights
(21:20:40) cron2: where is Oulu?
(21:20:46) lev__: it is 55min flight from Hki
(21:21:29) cron2: but no direct flights from anywhere else, right?
(21:21:32) lev__: and accommodation is cheaper. Oulu is 600km to the north from 
Hki
(21:22:03) lev__: there are seasonal flights to/from Antalya
(21:22:08) lev__: but no pressure
(21:22:44) cron2: just thinking about options... MUC->OUL is about 4:40 with 
1:15 stopover in HEL, but options are limited (like, once per day)
(21:23:38) cron2: oh, no, that's just the affordable one... there is a 
Lufthansa+Finnair combination that google tells me costs 2317 EUR...
(21:23:53) cron2: (arbitrary fri<->sun in September, just to get an idea)
(21:24:41) mattock: yeah, Oulu is definitely harder to reach
(21:24:47) cron2: ok, for me, MUC<->HEL is at least 200 EUR cheaper than 
MUC<->HEL<->OUL, so that can go into accommodation extras
(21:25:12) cron2: and it makes travelling more flexible

Re: [Openvpn-devel] automatically close PR

2016-05-17 Thread Samuli Seppänen

I have a strong preference for using GitHub at least for vetting out most bugs.


We're not going to use GitHub for the actual patch merging process - that
is "mailing list, public ACK, merge, push to github + sourceforge", at
least today.

For review, PRs should be doable.


Speaking of reviewing PRs... there are many of those, and some could be 
merged trivially or closed with "feature-NACK". I can have a quick look.


I'm sure there are tons of other things to do besides reviewing these 
PRs. However, reviewing PRs in a timely manner would probably get more 
developers involved in the OpenVPN project. This is not purely 
speculation: when OpenVPN-GUI was moved to GitHub it was stagnating. Now 
there are five people with 5+ commits:


<https://github.com/OpenVPN/openvpn-gui/graphs/contributors>

All of the people except me came pretty much out of nowhere. Two of them 
(ffes, leobasileo) are not involved in any other OpenVPN-related 
projects afaics, and there was no way to know they even existed.


As Gert said, the reviewed patch should be sent to the mailing list. It 
can stay there for a few days waiting for further comments and if there 
are none, then get merged based on lazy-ACK.


At first, the reviewed patches could be relayed by people already on the 
list, for example by me. When we identify the people who contribute to 
OpenVPN often, we can suggest that they subscribe to the mailing list 
and send their patches themselves.


It might also be possible to generate an email (to openvpn-devel ml) 
from each PR. This would fit better with our current workflow, and 
ensure people are notified when PRs arrive.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




Re: [Openvpn-devel] automatically close PR

2016-05-17 Thread Samuli Seppänen



I have a strong preference for using GitHub at least for vetting out most bugs.


We're not going to use GitHub for the actual patch merging process - that
is "mailing list, public ACK, merge, push to github + sourceforge", at
least today.

For review, PRs should be doable.


Speaking of reviewing PRs... there are many of those, and some could be
merged trivially or closed with "feature-NACK". I can have a quick look.

I'm sure there are tons of other things to do besides reviewing these
PRs. However, reviewing PRs in a timely manner would probably get more
developers involved in the OpenVPN project. This is not purely
speculation: when OpenVPN-GUI was moved to GitHub it was stagnating. Now
there are five people with 5+ commits:

<https://github.com/OpenVPN/openvpn-gui/graphs/contributors>

All of the people except me came pretty much out of nowhere. Two of them
(ffes, leobasileo) are not involved in any other OpenVPN-related
projects afaics, and there was no way to know they even existed.

As Gert said, the reviewed patch should be sent to the mailing list. It
can stay there for a few days waiting for further comments and if there
are none, then get merged based on lazy-ACK.

At first, the reviewed patches could be relayed by people already on the
list, for example by me. When we identify the people who contribute to
OpenVPN often, we can suggest that they subscribe to the mailing list
and send their patches themselves.

It might also be possible to generate an email (to openvpn-devel ml)
from each PR. This would fit better with our current workflow, and
ensure people are notified when PRs arrive.


Oh well, perhaps clicking on the "Watch" button for the OpenVPN project 
is easy enough :). No need to pollute the mailing list with PR 
notifications.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] New NDIS6 drivers in 2.3.11?

2016-05-19 Thread Samuli Seppänen



Hello everyone,

I have posted a question in the "Community Project Server Administration
Installation Help" forum about the updated ndis6 drivers in openvpn
2.3.11 for windows. I was advised to subscribe to the developer mailing
list and ask there again, so here goes my inquiry from
https://forums.openvpn.net/viewtopic.php?f=5&t=21728:

I noticed, that the NDIS6 drivers in the Windows Port of OpenVPN 2.3.11
(released this week) have been silently updated without notice in the
changelog, albeit with the same driver version. It seems to me like
there is now another signature on the driver package using the sha256
digest that has been created using an ev certificate. Is there anything
else that has changed in the drivers except for the things I have
observed? If there is no other change, what was the reasoning for the
driver update? The older drivers from 2.3.10 have been timestamped way
before the release of Windows 10, so the new requirement for ev
certificates for drivers in windows 10 cannot be the reason, they will
continue to run fine, because timestamping occurred before the ship date
of windows 10. At least this is my understanding of the new ev cert
enforcement in windows 10: If created before windows 10 rtm ship date,
drivers will work.

Any official comment from the openvpn dev team?


Hi,

We don't currently have official changelogs for the Windows 
_installers_. The tap-windows6 driver package was not upgraded in 
2.3.11, but in the latest 2.3.10 installers:


<https://forums.openvpn.net/viewtopic.php?f=20&t=21681>

Typically we make 1-5 Windows installer releases per OpenVPN version. 
Usually we just upgrade OpenSSL to the latest version.


The answer to your question is in the above announcement:

"The [OpenVPN 2.3.10] I604 installers also bundle a new tap-windows6 
driver (9.21.2) which has dual authenticode signatures (SHA1/SHA2) for 
the best possible compatibility across Windows versions (Vista -> 
Windows 10). In addition, the 9.21.2 driver fixes a security 
vulnerability which, however, required local admin rights to be 
exploitable. OpenVPN-GUI has also seen minor changes."


Best regards,

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] New NDIS6 drivers in 2.3.11?

2016-05-20 Thread Samuli Seppänen
_RESOURCE.


Thoughts?


My experience is: Update the numerical file version field for Windows PE files 
and you are all safe. YMMV.


Can you elaborate which PE files you mean exactly?

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Thanks for replying, all my questions have been answered.


i.A. Stefan Kuhr

Software Development Engineer

Hardware Development

ads-tec GmbH
Heinrich-Hertz-Str. 1
72622 Nürtingen
Germany

Tel.:+49 7022 2522-2427
Fax:+49 7022 2522-405
E-Mail: s.k...@ads-tec.de
Web:www.ads-tec.de

-Original Message-
From: Samuli Seppänen [mailto:sam...@openvpn.net]
Sent: Thursday, 19 May 2016 08:24
To: Kuhr Stefan; openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] New NDIS6 drivers in 2.3.11?



Hello everyone,

I have posted a question in the "Community Project Server
Administration Installation Help" forum about the updated ndis6
drivers in openvpn
2.3.11 for windows. I was advised to subscribe to the developer
mailing list and ask there again, so here goes my inquiry from
https://forums.openvpn.net/viewtopic.php?f=5&t=21728:

I noticed, that the NDIS6 drivers in the Windows Port of OpenVPN
2.3.11 (released this week) have been silently updated without notice
in the changelog, albeit with the same driver version. It seems to me
like there is now another signature on the driver package using the
sha256 digest that has been created using an ev certificate. Is there
anything else that has changed in the drivers except for the things I
have observed? If there is no other change, what was the reasoning for
the driver update? The older drivers from 2.3.10 have been timestamped
way before the release of Windows 10, so the new requirement for ev
certificates for drivers in windows 10 cannot be the reason, they will
continue to run fine, because timestamping occurred before the ship
date of windows 10. At least this is my understanding of the new ev
cert enforcement in windows 10: If created before windows 10 rtm ship
date, drivers will work.

Any official comment from the openvpn dev team?


Hi,

We don't currently have official changelogs for the Windows _installers_. The 
tap-windows6 driver package was not upgraded in 2.3.11, but in the latest 
2.3.10 installers:

<https://forums.openvpn.net/viewtopic.php?f=20&t=21681>

Typically we make 1-5 Windows installer releases per OpenVPN version.
Usually we just upgrade OpenSSL to the latest version.

The answer to your question is in the above announcement:

"The [OpenVPN 2.3.10] I604 installers also bundle a new tap-windows6 driver (9.21.2) 
which has dual authenticode signatures (SHA1/SHA2) for the best possible compatibility 
across Windows versions (Vista -> Windows 10). In addition, the 9.21.2 driver fixes a 
security vulnerability which, however, required local admin rights to be exploitable. 
OpenVPN-GUI has also seen minor changes."

Best regards,

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock







Re: [Openvpn-devel] [PATCH 1/2] Refactor t_client.sh

2016-05-23 Thread Samuli Seppänen



Hi,

On Sun, May 22, 2016 at 02:38:05PM +0200, Jens Neuhalfen wrote:

[...]


My buildbots test on "all the BSDs" (Free, Net, Open, and they have a
/bin/sh which is "It only supports features designated by POSIX plus a few
Berkeley extensions") and OpenSolaris 11 (ksh93).  Samuli's buildbot
test on various Linux variants, so "dash" should work.


Are these buildbots available for the general public? Being able to easily test
lowers the bar for new contributors considerably.


Right now, not for "general public".  They auto-build (+test) every release
that gets committed to "master" - which, of course, means "it is too late
if it breaks platform ".

We have discussed building from test branches (on-demand), and widening the
access to these branches - but nothing specific has been decided yet.  Maybe
we should put that on the agenda for the monday meeting on May 30...

  - addition of new branches (at github), with more liberal commit rights
  - having the buildbots pull from github (right now they use sf, AFAIR)
  - opening the buildbot "build revision  on platform " API for
a wider circle (right now, I think only Samuli, David and I have access
to that host, it's on private addresses in Samuli's VPN)

I'm a bit reluctant giving "full user account" access rights to developers
I have not met in person yet - but with the approach outlined above, at
least sanity checking "I think the patch is good, will it break one of the
more esoteric platforms?" will be possible.

Samuli, are you listening? ;-)

gert


Yes. I think a separate testing branch with more liberal commit rights 
combined with pulling from GitHub makes sense. I'm not sure what happens 
at the buildslaves if we decide to rewind history - rewinding would be 
quite useful when working with pure testing branches in that we could 
make "testing" track master and whenever a bad patch is found, simply 
rewind back to the last known-good state.


I'd prefer to keep the actual buildslave infrastructure private, with 
access granted to only a select few. We already get email notifications 
to a public list for each build failure.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] [PATCH 1/2] Refactor t_client.sh

2016-05-25 Thread Samuli Seppänen



Hi,

On Mon, May 23, 2016 at 05:43:58PM +0200, Jens Neuhalfen wrote:

I'd prefer to keep the actual buildslave infrastructure private, with access 
granted to only a select few. We already get email notifications to a public 
list for each build failure.


Is there some kind of instruction to "reproduce" the build infrastructure? Some 
kind of document or - even better - something executable 
(Vagrant/Docker/Salt/Puppet/..)?


https://community.openvpn.net/openvpn/wiki/SettingUpBuildslave

is what we currently have, but it only describes the slaves (talking to
Samuli's build master) - not sure if the master is documented anywhere.


The buildmaster part is not documented anywhere. I have shared the 
master config once when someone requested it - there is nothing 
inherently private in there, once the passwords are removed. Setting up 
buildmaster + buildslaves could definitely be automated, but it would be 
a rather massive task.


I would suggest extending Travis CI instead of trying to create a 
private buildbot infrastructure. If *BSD is not supported by Travis, 
then we obviously can't get rid of buildbot entirely anytime soon. Plus 
we need the Windows "buildslave" (=custom script) for full cross-compile 
tests and for publishing snapshot installers thus produced.


Could we use Travis CI with a huge combination of operating systems and 
build flags? Or does this kind of use go outside its scope? Right now 
each commit triggers something like 150 builds on the buildslaves (in 
total).


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] [PATCH 1/2] Refactor t_client.sh

2016-05-26 Thread Samuli Seppänen




...


The buildmaster part is not documented anywhere. I have shared the master 
config once when someone requested it - there is nothing inherently private in 
there, once the passwords are removed. Setting up buildmaster + buildslaves 
could definitely be automated, but it would be a rather massive task.


Samuli, could you send me the scripts? I’d like to have a look. Maybe there is 
something that can be replicated. This is something I’d try to add to the 
scripted integration tests (Vagrant) already in the pipeline.


I published the Windows "buildslave" script here, along with some basic 
documentation:


<https://github.com/mattock/openvpn-windows-buildtest>

I also cleaned up the buildmaster configuration and will publish it 
later. However, there will be several hacks in there to accommodate 
quirks in our current buildslaves (e.g. NetBSD), so making it fully 
generic would require some refactoring.



Could we use Travis CI with a huge combination of operating systems and build 
flags? Or does this kind of use go outside its scope? Right now each commit 
triggers something like 150 builds on the buildslaves (in total).



From what I know, this is not possible. 150 builds? Whoa, that's quite a few. 
I’d expect 2-3 per supported OS. Is this a case of combinatoric explosion?


Yeah, we trigger at least 16 builds per buildslave/OS, can't check the 
exact number right now. This is because of the large number of configure 
flags we need to support.


It seems that basic smoke testing with Travis CI before pushing anything 
to the repository makes sense, but it's not a full buildbot replacement.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] [PATCH 1/2] Refactor t_client.sh

2016-05-26 Thread Samuli Seppänen






...


The buildmaster part is not documented anywhere. I have shared the master 
config once when someone requested it - there is nothing inherently private in 
there, once the passwords are removed. Setting up buildmaster + buildslaves 
could definitely be automated, but it would be a rather massive task.


Samuli, could you send me the scripts? I’d like to have a look. Maybe there is 
something that can be replicated. This is something I’d try to add to the 
scripted integration tests (Vagrant) already in the pipeline.


I published the Windows "buildslave" script here, along with some basic
documentation:

<https://github.com/mattock/openvpn-windows-buildtest>

I also cleaned up the buildmaster configuration and will publish it
later. However, there will be several hacks in there to accommodate
quirks in our current buildslaves (e.g. NetBSD), so making it fully
generic would require some refactoring.



A cleaned up buildmaster configuration file is now here:

<https://github.com/mattock/openvpn-buildbot>

It could become genuinely useful outside the current buildbot 
infrastructure if the URLs, passwords and emails were fetched from a 
separate file.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
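
The separation suggested in the message above, sketched as an added example (not code from the openvpn-buildbot repository): site-specific URLs, passwords and e-mail addresses live in a private JSON file, and a check confirms none of them appears literally in the config text before it is published. The file name, key names and sample values are assumptions made for illustration.

```python
"""Keep site-specific values out of a CI master config that is published."""
import json
import os
import stat
import tempfile

# Constructed sample values; the key names are hypothetical, not the project's.
SAMPLE_SETTINGS = {
    "buildmaster_url": "https://buildmaster.example.invalid/",
    "notify_email": "builds@example.invalid",
    "worker_passwords": {"worker-a": "constructed-pass-a",
                         "worker-b": "constructed-pass-b"},
}
REQUIRED_KEYS = ("buildmaster_url", "notify_email", "worker_passwords")


class SecretsError(Exception):
    """The private settings file is unsafe or incomplete."""


def write_sample_settings(directory):
    """Create the private file with mode 0600 from the start (no chmod race)."""
    path = os.path.join(directory, "private.json")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_SETTINGS, fh)
    return path


def load_private_settings(path):
    """Load the values that must never appear in the published config."""
    with open(path, encoding="utf-8") as fh:
        # fstat on the open handle, so the check and the read see the same file.
        mode = stat.S_IMODE(os.fstat(fh.fileno()).st_mode)
        # POSIX check: refuse a file that group or others can access.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise SecretsError(f"{path}: mode {mode:o} is too permissive, use 600")
        data = json.load(fh)
    missing = [key for key in REQUIRED_KEYS if key not in data]
    if missing:
        raise SecretsError(f"{path}: missing keys {missing}")
    return data


def build_worker_table(settings, worker_names):
    """Pair each worker with its password; fail loudly if one has none."""
    passwords = settings["worker_passwords"]
    unknown = [name for name in worker_names if name not in passwords]
    if unknown:
        raise SecretsError(f"no password configured for workers: {unknown}")
    return [(name, passwords[name]) for name in worker_names]


def _flatten(settings, prefix=""):
    """Yield (dotted name, value) for every leaf in the settings tree."""
    for key, value in settings.items():
        name = prefix + key
        if isinstance(value, dict):
            yield from _flatten(value, name + ".")
        else:
            yield name, str(value)


def find_leaked_values(config_text, settings):
    """Names of private values that occur literally in a config to be published."""
    return sorted(name for name, value in _flatten(settings)
                  if value and value in config_text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        settings = load_private_settings(write_sample_settings(tmp))
        print(build_worker_table(settings, ["worker-a", "worker-b"]))
        # A config that still hard-codes one password is flagged before publishing.
        draft = "workers = [('worker-a', 'constructed-pass-a')]"
        print(find_leaked_values(draft, settings))
```
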



[Openvpn-devel] Topics for today's (Monday, 30th May 2016) community meeting

2016-05-30 Thread Samuli Seppänen

Hi,

We're going to have an IRC meeting today starting at 20:00 CEST (18:00 
UTC) on #openvpn-meeting at irc.freenode.net. Note that the meeting 
channel has changed and that you do _not_ have to be logged in to 
Freenode to join the channel.


Current topic list along with basic information is here:

<https://community.openvpn.net/openvpn/wiki/Topics-2016-05-30>

If you have any other things you'd like to bring up, respond to this 
mail, send me mail privately or add them to the list yourself.


In case you can't attend the meeting, please feel free to make comments 
on the topics by responding to this email or to the summary email sent 
after the meeting. Whenever possible, we'll also respond to existing, 
related email threads.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] Summary of the IRC meeting on 30th May 2016

2016-05-30 Thread Samuli Seppänen

Hi,

Here's the summary of today's IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
List-Post: openvpn-devel@lists.sourceforge.net
Date: Monday 30th May 2016
Time: 20:00 CEST (18:00 UTC)

Planned meeting topics for this meeting were here:

<https://community.openvpn.net/openvpn/wiki/Topics-2016-05-30>

The next meeting has not been scheduled yet.

Your local meeting time is easy to check from services such as

<http://www.timeanddate.com/worldclock>

SUMMARY

cron2, dazo, mattock and syzzer participated in this meeting.

---

Discussed the OpenVPN 2.4 release. Created a wiki page with a high-level 
overview of its status:


<https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn24>

---

Discussed the "Protect the client from accepting arbitrary options 
pushed by the server" feature request, for which there is now a PR in 
GitHub:


<https://community.openvpn.net/openvpn/ticket/682>
<https://github.com/OpenVPN/openvpn/pull/50/>

The general approach of the PR made sense to all, and cron2 gave the 
patch ACK, so that the author can send it to the mailing list.


---

Went through most of the other GitHub pull requests, closing those that 
are fixed and figuring out who should work on which. Some patches based 
on GitHub PRs were also sent to the mailing list during the meeting.


---

Full chatlog has been attached to this email.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


(21:01:34) The topic for #openvpn-meeting is: Meeting 2015-12-15 1900 UTC: 
Agenda at https://community.openvpn.net/openvpn/wiki/Topics-2015-12-14
(21:01:34) Topic for #openvpn-meeting set by 
ecrist!~ecrist@freebsd/contributor/openvpn.ecrist at 20:40:43 on 14/12/2015
(21:01:41) cron2_: uh, yes :)
(21:02:00) mattock: hi all!
(21:02:35) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2016-05-30
(21:02:37) vpnHelper: Title: Topics-2016-05-30 – OpenVPN Community (at 
community.openvpn.net)
(21:03:54) cron2_ is now known as cron2
(21:05:10) cron2: lev__: are you here?
(21:07:14) mattock: is syzzer here today?
(21:07:15) cron2: shall we wait for dazo?
(21:07:23) mattock: we can wait a bit yes
(21:07:30) cron2: 19:58  * syzzer goes and find a beer
(21:07:36) mattock: hmm :P
(21:11:29) syzzer: yes, I'm here
(21:11:39) cron2: how's the beer
(21:12:00) syzzer: did not find a beer though, the news with images of the 
floods in germany caught my attention
(21:13:01) dazo [~dazo@openvpn/community/developer/dazo] entered the room.
(21:13:13) syzzer: ah, dazo moved over here :)
(21:13:15) dazo: oh, so we're back to a meeting channel
(21:13:28) cron2: syzzer: bit shitstorm is coming up... weather analysts warned 
in advance, and media did not bother to relay that (so people *could* have been 
somewhat prepared)
(21:13:40) cron2: good, let's start :)
(21:14:17) mattock: hi
(21:14:24) cron2: dazo: one of the meetings earlier this year was heavily 
disturbed by "user traffic" in -devel... 
(21:14:49) mattock: so lev does not seem to be here right now
(21:14:58) mattock: perhaps we can postpone the hackathon discussion a bit?
(21:15:53) cron2: yeah, not that much to discuss, mostly updating information - 
but without lev, the point is a bit moot
(21:16:01) dazo: +1
(21:16:13) cron2: 2.4, then
(21:17:38) mattock: yes
(21:17:45) syzzer: yes, so, I hope to spend some time on cipher negotiation 
next week
(21:17:45) mattock: "what is left"
(21:18:02) cron2: timeout patch, cipher negotiation, bugs (trac)
(21:18:09) dazo: I do really want the query-user stuff to hit 2.4 
(21:18:21) mattock: interactive service + openvpn-gui is pretty much complete, 
even though Selva is constantly improving things
(21:18:26) dazo: I'm in the middle of completing patchset v4
(21:18:30) cron2: dazo: right, that one as well
(21:18:34) mattock: I need to integrate ovpnserv2 into the installer
(21:19:04) cron2: maybe we need to put up a list somewhere, so we can actually 
check regularly (and update) instead of making the list again and again...?
(21:19:08) syzzer: and if I can get it done in time, I'd like 'tls-crypt' to go 
in, but that's not a blocker
(21:19:49) syzzer: cron2: that sounds a lot more efficient
(21:20:37) cron2: mattock: can you create a page?  I'm notoriously bad in 
finding proper places where to put stuff
(21:21:20) mattock: yeah, let's add a page
(21:21:29) mattock: or maybe we can just create tickets to trac
(21:21:37) mattock: and link existing ones to milestone 2.4
(21:21:42) mattock: 2.4-alpha1 or whatever
(21:21:54) cron2: there is way too much in trac...
(21:22:07) cron2: let's have the big ones (and who is working on it) in an extra 
page
(21:22:11) mattock: ok
(21:23:51) mattock: it will be here: 
https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn24
(21:24:19) cron2: are you busy creating it?
(21:26:37) m

Re: [Openvpn-devel] [PATCH v3] Clarify the fact that build instructions in README are for release tarballs

2016-05-31 Thread Samuli Seppänen



On 30/05/16 22:03, sam...@openvpn.net wrote:

From: Samuli Seppänen 

URL: https://github.com/OpenVPN/openvpn/pull/51
Signed-off-by: Samuli Seppänen 
---
 README | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/README b/README
index 349e08a..de4036a 100644
--- a/README
+++ b/README
@@ -7,12 +7,14 @@ as published by the Free Software Foundation.

 *

-For the latest version of OpenVPN, go to:
+To get the latest release of OpenVPN, go to:

http://openvpn.net/
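
Review bot: The context line `http://openvpn.net/` directly below the reworded sentence still uses plain http; since this hunk already touches the download pointer, switch it to https so the README does not point people looking for a release at an unencrypted URL.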


Once we're at it, wouldn't it make sense to use this URL instead?

<https://openvpn.net/index.php/open-source/downloads.html>



Yes, except that the URL is bound to change soon. I'm not sure what 
"soon" in this context means, because it depends more on other people 
than me. If we're fine with changing the URL again later, then I think 
the change you propose makes sense. In any case the URL should start 
with https instead of http.


Thoughts?

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] [PATCH] Another fix related to unit test framework

2016-06-03 Thread Samuli Seppänen

This patch seems to do what it promises, so a feature-ACK from me.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


From: David Sommerseth 

Continuing to fix breakage caused by commit 40cb4cfc5d011102.

It seems it was a conflict in vendor/Makefile.am's distdir target,
confusing autotools so it wouldn't actually parse that directory
properly.  The result was that 'make distcheck' would fail and
tarballs created would just ship with an empty vendor/ directory.

Also remove the 'foreign' AUTOMAKE_OPTIONS flag, as we don't use
that many places at all.  Things work well without this flag.

Signed-off-by: David Sommerseth 
---
 vendor/Makefile.am | 9 ++---
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/vendor/Makefile.am b/vendor/Makefile.am
index 84656a1..6c925b0 100644
--- a/vendor/Makefile.am
+++ b/vendor/Makefile.am
@@ -1,5 +1,3 @@
-AUTOMAKE_OPTIONS = foreign
-
 cmockasrc = @VENDOR_SRC_ROOT@/cmocka  # needs an absolute path bc. of the 
cmake invocation
 cmockabuild   = @VENDOR_BUILD_ROOT@/cmocka
 cmockainstall = @VENDOR_DIST_ROOT@
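
Review bot: Dropping `AUTOMAKE_OPTIONS = foreign` at the top of vendor/Makefile.am is unrelated to the distdir conflict this patch sets out to fix, and the commit message justifies it only with "Things work well without this flag". Split it into its own commit, or say in the message where the strictness setting for this directory now comes from, so that a later bisect of packaging problems can tell the two changes apart.
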
@@ -10,12 +8,9 @@ MAINTAINERCLEANFILES = \
$(cmockainstall) \
@VENDOR_BUILD_ROOT@

-distdir:
-   mkdir -p $(cmockainstall)
-
-libcmocka: distdir
-   mkdir -p $(cmockabuild)
+libcmocka:
 if CMOCKA_INITIALIZED
+   mkdir -p $(cmockabuild) $(cmockainstall)
(cd $(cmockabuild) && cmake -DCMAKE_INSTALL_PREFIX=$(cmockainstall) $(cmockasrc) 
&& make && make install)
 endif
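
Review bot: With `mkdir -p $(cmockabuild) $(cmockainstall)` now inside `if CMOCKA_INITIALIZED`, the `libcmocka` target has an empty recipe when the conditional is false and succeeds silently; an `else` branch that prints why cmocka was skipped would make a build or test run without it easier to diagnose. The recipe also chains plain `make && make install`; use `$(MAKE)` there so that flags and the jobserver of the parent make are passed down to the cmocka build.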








Re: [Openvpn-devel] [PATCH] Another fix related to unit test framework

2016-06-07 Thread Samuli Seppänen



> …
>
>> IMO, the unit testing patches shouldn't have been merged into the
>> release branch
>
> I agree. This patch was in retrospect clearly not ready for a release
> branch. A lot of people spend time to hot fix a broken build.
>
> My root cause analysis boils down to:
>
>    Developers cannot detect multi-platform (build/run) issues with an
> appropriate effort (or at all).


This is probably correct: the codebase is complex enough to cause 
breakage on many types of changes, no matter how carefully the code is 
reviewed. This is often because of the sheer number of options and their 
invisible interplay. A recent example is the recent persist-tun / WFP 
filtering issue, which slipped through all testing and review.


Regression testing using unit tests could possibly help us prevent this 
type of breakage.



> We already have discussed solutions to this:
>
> 1) Enable developers to run the “authoritative” buildslave tests before
> submitting patches


The buildmaster can trigger manual builds from a different branch (e.g. 
"staging/somebody"). Access to the buildmaster can be granted 
selectively to trusted core developers. Non-trivial patches from other 
people should probably be tested by one of these core developers before 
pushing them to "master". Or we can just accept the fact that "master" 
might be broken occasionally and fix the problems promptly.



> 2) Provide developers tooling to quickly (preferred: locally) run
> iterations while developing


The Vagrant approach is nice because it will eventually allow developers 
to run fairly extensive smoketests on various operating 
systems with minimal effort:


<https://github.com/OpenVPN/openvpn/pull/45>

Right now the OS coverage is fairly minimal, but more variants can be 
added easily, and we're not limited to Linux/Ubuntu like with Travis.



> #1 will need some processes & tooling by the current maintainers.
> #2 will be taken care of with the Vagrant based integration tests.
>
> Opinions?


In addition to #1 and #2 we have Travis-CI smoke-testing in the pipeline:

<https://github.com/OpenVPN/openvpn/pull/52>

Travis-CI gives us some confidence on the quality of GitHub PRs, but 
its test matrix is much narrower than that of Buildbot, so it's 
definitely not a panacea.


The only real way to test the more tricky corner-cases is to make it as 
easy as possible to use Git "master" -based builds. For Windows this is 
already covered by the Windows "buildslave" and the snapshots it 
generates. I can set up apt repositories with Debian/Ubuntu builds based 
on Git "master", but right now I don't have enough time to commit to that.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] [PATCH] Another fix related to unit test framework

2016-06-07 Thread Samuli Seppänen

I stand corrected. However, cross-building is not a replacement for 
building on the actual OS.


Do cross-builds generally catch useful issues, or do they tend to catch 
issues related to the cross-building environment itself?


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


it is not true that Travis-CI is limited to Linux/Ubuntu, at least
there's Mac OS X.
and we can set up (later) cross builds for MIPS/ARM/Windows/whatever
(not sure about "make check")

cross build would be good starting point, if there was such thing
already, we could notice that mingw build got broken

2016-06-07 12:30 GMT+05:00 Samuli Seppänen <sam...@openvpn.net>:


> …
>
>> IMO, the unit testing patches shouldn't have been merged into the
>> release branch
>
> I agree. This patch was in retrospect clearly not ready for a release
> branch. A lot of people spend time to hot fix a broken build.
>
> My root cause analysis boils down to:
>
>    Developers cannot detect multi-platform (build/run) issues with an
> appropriate effort (or at all).

This is probably correct: the codebase is complex enough to cause
breakage on many types of changes, no matter how carefully the code is
reviewed. This is often because of the sheer number of options and their
invisible interplay. A recent example is the recent persist-tun / WFP
filtering issue, which slipped through all testing and review.

Regression testing using unit tests could possibly help us prevent this
type of breakage.

> We already have discussed solutions to this:
>
> 1) Enable developers to run the “authoritative” buildslave tests before
> submitting patches

The buildmaster can trigger manual builds from a different branch (e.g.
"staging/somebody"). Access to the buildmaster can be granted
selectively to trusted core developers. Non-trivial patches from other
people should probably be tested by one of these core developers before
pushing them to "master". Or we can just accept the fact that "master"
might be broken occasionally and fix the problems promptly.

> 2) Provide developers tooling to quickly (preferred: locally) run
> iterations while developing

The Vagrant approach is nice because it will eventually allow developers
to run fairly extensive smoketests on various operating
systems with minimal effort:

<https://github.com/OpenVPN/openvpn/pull/45>

Right now the OS coverage is fairly minimal, but more variants can be
added easily, and we're not limited to Linux/Ubuntu like with Travis.

> #1 will need some processes & tooling by the current  maintainers.
> #2 will be taken care of with the Vagrant based integration tests.
>
> Opinions?

In addition to #1 and #2 we have Travis-CI smoke-testing in the
pipeline:

<https://github.com/OpenVPN/openvpn/pull/52>

Travis-CI gives us some confidence on the quality of GitHub PRs, but
its test matrix is much narrower than that of Buildbot, so it's
definitely not a panacea.

The only real way to test the more tricky corner-cases is to make it as
easy as possible to use Git "master" -based builds. For Windows this is
already covered by the Windows "buildslave" and the snapshots it
generates. I can set up apt repositories with Debian/Ubuntu builds based
on Git "master", but right now I don't have enough time to commit to
that.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

