Re: [Openvpn-users] Problem with service on windows server

2022-06-27 Thread Samuli Seppänen

Hi,

On 26/06/22 04:33, Austin Witmer wrote:

I actually managed to get it figured out now.

I did multiple reinstalls making sure that I selected to have the 
openvpn service installed. None of that seemed to work.


I finally went into the properties of that service and specified a user 
and password to use to run the service. Then it worked! The user I chose 
is the same one I am logged in as. Is that a bug of some kind? Why 
should I have to do that?


This is not normal and we have not heard of this before. Normally 
OpenVPNService runs just fine with admin privileges and does not require 
defining any credentials.


To me it seems like some Windows setting or possibly some security 
software is interfering with normal function of OpenVPNService and what 
you did allowed working around the issue.


Samuli


Thanks!

Austin Witmer

On Jun 25, 2022, at 4:32 PM, Selva Nair wrote:


Hi,

Check whether openvpnservice is installed by running the following 
from a command line


sc query OpenVPNService

It will show whether the service exists and its current state. If 
installed but not running, open Services and change the startup to 
automatic and start.


If not installed, you may have to uninstall openvpn and re-install it. 
Select custom install and make sure OpenVPN service is selected.


It seems the msi installer has some weird logic in selecting when to 
install the service (so-called automatic service) and when to set it 
to auto start. The interactive service used by the GUI is installed by 
default.


Selva


On Sat, Jun 25, 2022 at 3:09 PM Austin Witmer wrote:


Hello all!

I am setting up an OpenVPN server on a windows server for a
client, but ran into the problem where the openvpn service in
services doesn’t pick up the config files I placed into the
C:\Program Files\Openvpn\config folder.

I can start the server from the command line just fine and also
from the openvpn-gui client, but when I start the openvpn service
in services, the service starts and stays running, but the server
isn’t listening for incoming connections.

The log files aren't being created either, so that makes me think
that for some reason the openvpn service isn’t seeing my
server.ovpn file with my configuration.

By the way, this is the latest version of openvpn downloaded and
installed this morning.

Do you have any idea what the problem is? Thanks in advance for
your help!

Austin Witmer

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net

https://lists.sourceforge.net/lists/listinfo/openvpn-users








[Openvpn-users] Debian 11 ("Bullseye") OpenVPN 2.5.7 packages also available

2022-05-31 Thread Samuli Seppänen

Hi,

OpenVPN 2.5.7 has been packaged for Debian 11 and is available in our 
Debian/Ubuntu apt repos:




If you have any issues with please let me know.

Ubuntu 22.04 package is also available for testing, but due to (current) 
technical limitations not available in the apt repository. If you want 
to give it a spin, let me know and I'll put it online somewhere.


Samuli




[Openvpn-users] OpenVPN 2.5.7 released

2022-05-31 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.5.7. 
This is mostly a bugfix release, but adds limited support for OpenSSL 
3.0. Full support will arrive in OpenVPN 2.6.




Source code and Windows installers can be downloaded from our download page:



Debian and Ubuntu packages are available in the official apt repositories:



On Red Hat derivatives we recommend using the Fedora Copr repository.






Re: [Openvpn-users] Request .deb package of OpenVPN 2.5.6

2022-03-28 Thread Samuli Seppänen

Hi,

Right now I'm using sbuild, a wrapper around schroot, to build Debian 
and Ubuntu packages. This is (or at least was) a pretty standard 
mechanism in Debian for building packages for multiple different 
platforms. The same can nowadays be done with Docker though.


The scripts that do the building are these:

<https://github.com/OpenVPN/sbuild_wrapper>

A build VM ("sbuild") with sbuild_wrapper can be created with 
Vagrant+Virtualbox:


<https://github.com/OpenVPN/openvpn-vagrant>

The actual error I can't remember anymore, it's been a while. However, 
sbuild calls apt inside the schroot in a certain way, and those calls 
fail for more recent Debian. It _could_ be that upgrading the build VM 
to, say, Ubuntu 20.04, would resolve the issue, but I'm not sure about 
that.


My idea was to not fix sbuild_wrapper at all and rather move to 
packaging with the new production buildbot system. However, due to 
various hindrances outside of my control getting that into production 
shape has taken a lot longer than expected. However, that is done except 
for mail notifications. Debian packaging also works in buildbot, but 
possibly some small tweaks are required to produce "production quality" 
builds.


Anyhow, if you feel like taking a stab at fixing sbuild_wrapper I would 
not mind.


Samuli

On 23.3.2022 13.51, Stella Ashburne wrote:

Hi Samuli


Sent: Wednesday, March 23, 2022 at 6:04 PM
From: "Samuli Seppänen" 
To: "Stella Ashburne" , openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] Request .deb package of OpenVPN 2.5.6

There are esoteric technical reasons for that.


Would you like to elaborate what those "esoteric technical reasons" are with regards to 
building the .deb package? Are the "esoteric technical reasons" confined to Debian only? 
I ask because David Sommerseth produced the openvpn package, version 2.5.5 and now 2.5.6,  for 
Fedora 35, such as openvpn-2.5.6-1.fc35 (URL: 
https://packages.fedoraproject.org/pkgs/openvpn/openvpn/fedora-35-updates.html)

Best regards.

Stella




Re: [Openvpn-users] Request .deb package of OpenVPN 2.5.6

2022-03-23 Thread Samuli Seppänen

Hi,

There are no Debian packages for the more recent Debian variants 
unfortunately. There are esoteric technical reasons for that. New 
packages will eventually come, but I can't promise any hard deadline 
unfortunately.


Samuli



On 18.3.2022 23.50, Stella Ashburne wrote:

Hi Andre


Sent: Friday, March 18, 2022 at 2:32 PM
From: "André" 
To: "Stella Ashburne" , "openvpn-users" 

Subject: Re: [Openvpn-users] Request .deb package of OpenVPN 2.5.6

Hi Stella Ashburne,

Regarding the link:
https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos



Thanks for the correct URL. However I can't find the .deb package of OpenVPN 
2.5.6 in the links provided in that page.

Best regards.

Stella




[Openvpn-users] OpenVPN 2.4.12 released

2022-03-23 Thread Samuli Seppänen
OpenVPN 2.4.12 was released last week. It will be the last release in 
the 2.4.x series, so we encourage you to migrate to latest 2.5.x release 
if you can.


Source code and Windows installers can be downloaded from our download page:



Linux packages are not provided for this release.




[Openvpn-users] OpenVPN 2.5.6 released

2022-03-16 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.5.6. 
This is mostly a bugfix release including one security fix ("Disallow 
multiple deferred authentication plug-ins.", CVE: 2022-0547). More 
details are available in Changes.rst:




Source code and Windows installers can be downloaded from our download page:



Debian and Ubuntu packages are available in the official apt repositories:



On Red Hat derivatives we recommend using the Fedora Copr repository.






Re: [Openvpn-users] Unable to locate the .deb package of OpenVPN 2.5.4 for Debian 11/Bullseye

2021-12-19 Thread Samuli Seppänen

Hi,

Indeed. I have Debian 10 and 11 builds working in the new buildbot 
environment, but those are not yet "release-quality" packaging-wise. 
Adding Debian 10 and 11 support to the current/old sbuild-based 
buildsystem proved quite difficult due to stupid technical reasons.


I'm at the final phases of wrapping up release Debian packaging in 
buildbot. Then we can switch over to it and get a lot better OS coverage.


Samuli


On 16.12.2021 18.46, Marc-Christian Petersen wrote:

Hello,

so one release later, 2.5.5 is available for Stretch but again not for Buster 
and not for Bullseye?!

:)

—
ciao, Marc


On 03.11.2021 at 08:22, Marc-Christian Petersen wrote:
Good morning,

what's up with a deb version 2.5.4 for Debian 10/Buster and 9/Stretch?

--


On 20.10.2021 at 10:13, Samuli Seppänen wrote:

Hi,

On 17/10/21 19:01, David Sommerseth wrote:

On 15/10/2021 13:06, Stella Ashburne wrote:

Debian gets a major release about once every two years and the
OpenVPN package is somewhat outdated.

You seem to miss my point.  No, it is not out-of-date.  It is fully supported 
and receives bug and security updates by the Debian package maintainer for the 
lifetime of the distribution.  So far the OpenVPN maintainers over the last 
10-15 years have been pretty good at keeping the OpenVPN package in a decent 
shape.
That the Debian repositories do not do major updates when the OpenVPN 
community releases one, is a Debian package policy.  So you will miss new 
features arriving in new major releases.  But the packages in supported Debian 
releases _are_ _up-to-date_ in regards to latest security and bug fixes.  And 
this is what makes Debian releases far more stable than many other more 
bleeding edge distributions.


Indeed. When I add new distro support (e.g. Debian 11) to our packages I take 
the upstream (Debian project) control files etc. and use them as a basis for 
ours. In this process I very often have to disable several Debian patches 
because they are the same patches that we've already released in our own minor 
releases.

So yes, Debian is keeping their packages updated with (a subset of our) patches






[Openvpn-users] OpenVPN 2.5.5 released

2021-12-15 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.5.5. 
The most notable changes are Windows-related: use of CFG 
Spectre-mitigations in MSVC builds, bringing back of OpenSSL config 
loading and several build fixes. More details are available in Changes.rst:




Source code and Windows installers can be downloaded from our download page:



Debian and Ubuntu packages are available in the official apt repositories:



On Red Hat derivatives we recommend using the Fedora Copr repository.






Re: [Openvpn-users] Unable to locate the .deb package of OpenVPN 2.5.4 for Debian 11/Bullseye

2021-10-20 Thread Samuli Seppänen

Hi,

On 17/10/21 19:01, David Sommerseth wrote:

On 15/10/2021 13:06, Stella Ashburne wrote:

Debian gets a major release about once every two years and the
OpenVPN package is somewhat outdated.



You seem to miss my point.  No, it is not out-of-date.  It is fully 
supported and receives bug and security updates by the Debian package 
maintainer for the lifetime of the distribution.  So far the OpenVPN 
maintainers over the last 10-15 years have been pretty good at keeping 
the OpenVPN package in a decent shape.


That the Debian repositories do not do major updates when the OpenVPN 
community releases one, is a Debian package policy.  So you will miss 
new features arriving in new major releases.  But the packages in 
supported Debian releases _are_ _up-to-date_ in regards to latest 
security and bug fixes.  And this is what makes Debian releases far more 
stable than many other more bleeding edge distributions.


Indeed. When I add new distro support (e.g. Debian 11) to our packages I 
take the upstream (Debian project) control files etc. and use them as a 
basis for ours. In this process I very often have to disable several 
Debian patches because they are the same patches that we've already 
released in our own minor releases.


So yes, Debian is keeping their packages updated with (a subset of our) 
patches.


Samuli






Re: [Openvpn-users] Unable to locate the .deb package of OpenVPN 2.5.4 for Debian 11/Bullseye

2021-10-20 Thread Samuli Seppänen

Hi,

On 15/10/21 14:49, Gert Doering wrote:

Hi,

On Fri, Oct 15, 2021 at 01:11:17PM +0200, Stella Ashburne wrote:

May I suggest that your clarification in your reply be included
in the web page (URL:
https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos?_ga=2.190564834.834709539.1634296076-1437631519.1634296076&__cf_chl_jschl_tk__=pmd_SqElzWxjXmYdlsS3WCW.lfJQh4qDowmIRmK4X27I1dE-1634296100-0-gqNtZGzNAmWjcnBszQhR).
Said page is awfully out of date. There is no mention of Debian
Bullseye whatsoever. Mentions of "Wheezy" and "Jessie" should be
erased.


Days are short, work & family life & food & sleep tends to get in the
way of unpaid open source work...

Contributions always welcome.

gert


Indeed. I did fix the list of supported Debian/Ubuntu versions now. But 
anyone could have done it - it is a public wiki/bug tracker with 
trivially easy registration.


Samuli




Re: [Openvpn-users] Unable to locate the .deb package of OpenVPN 2.5.4 for Debian 11/Bullseye

2021-10-12 Thread Samuli Seppänen

The Debian 11 package is now in the repository.

Samuli

On 12/10/21 15:52, Samuli Seppänen wrote:

Hi,

I'll add it to the repo then. The Debian 10 build issue is an annoying 
one - Debian 10 fails to run apt-get because it is now "oldstable" and 
not "stable". And sbuild-update does not run apt-get update with the 
proper flags to circumvent that.


Samuli

On 12/10/21 15:11, Andreas Mueller via Openvpn-users wrote:

Hi there,
the package provided by Samuli works like a charm on Debian 11 - would 
be great to see this one within a bullseye-repo on openvpn.net.


https://build.openvpn.net/downloads/temp/openvpn_2.5.4-bullseye0_amd64.deb 
I would always have a look at the release infos 
(https://openvpn.net/community-downloads/) in order to compare the 
packages from the official repo and this here. I personally prefer the 
community packages ... Regards, Andreas






Re: [Openvpn-users] Unable to locate the .deb package of OpenVPN 2.5.4 for Debian 11/Bullseye

2021-10-12 Thread Samuli Seppänen

Hi,

I'll add it to the repo then. The Debian 10 build issue is an annoying 
one - Debian 10 fails to run apt-get because it is now "oldstable" and 
not "stable". And sbuild-update does not run apt-get update with the 
proper flags to circumvent that.


Samuli

On 12/10/21 15:11, Andreas Mueller via Openvpn-users wrote:

Hi there,
the package provided by Samuli works like a charm on Debian 11 - would 
be great to see this one within a bullseye-repo on openvpn.net.


https://build.openvpn.net/downloads/temp/openvpn_2.5.4-bullseye0_amd64.deb 
I would always have a look at the release infos 
(https://openvpn.net/community-downloads/) in order to compare the 
packages from the official repo and this here. I personally prefer the 
community packages ... Regards, Andreas






Re: [Openvpn-users] Unable to locate the .deb package of OpenVPN 2.5.4 for Debian 11/Bullseye

2021-10-08 Thread Samuli Seppänen

Hi,

Please try this one out:

https://build.openvpn.net/downloads/temp/openvpn_2.5.4-bullseye0_amd64.deb

It is completely untested right now, but "it should work".

It also seems that Debian 10 build failed and I did not notice it. 
Something between 2.5.3 and 2.5.4 apparently broke our builds. I think 
it must be a patch that does not apply cleanly. I'll investigate and fix.


Samuli


On 08/10/21 09:38, Samuli Seppänen wrote:
There are no Debian 11 packages yet. I'll try to create them now. 
Usually the process is smooth, but sometimes there are challenges.


Samuli


On 08/10/21 09:35, Marc-Christian Petersen wrote:
I think the packages are not there, neither for Bullseye nor Buster. 
Packages file is missing 2.5.4


Stretch is there ...

--

On 08.10.2021 at 07:38, Ralf Hildebrandt wrote:

* Stella Ashburne:

Hi

After I clicked the link 
https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos%3E 
mentioned in Samuli's post 
https://sourceforge.net/p/openvpn/mailman/openvpn-users/?viewmonth=202110, 
an error message Trac Error appeared.


Use https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos

Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk





Re: [Openvpn-users] Unable to locate the .deb package of OpenVPN 2.5.4 for Debian 11/Bullseye

2021-10-08 Thread Samuli Seppänen
There are no Debian 11 packages yet. I'll try to create them now. 
Usually the process is smooth, but sometimes there are challenges.


Samuli


On 08/10/21 09:35, Marc-Christian Petersen wrote:

I think the packages are not there, neither for Bullseye nor Buster. Packages 
file is missing 2.5.4

Stretch is there ...

--

On 08.10.2021 at 07:38, Ralf Hildebrandt wrote:

* Stella Ashburne:

Hi

After I clicked the link 
https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos%3E mentioned in 
Samuli's post 
https://sourceforge.net/p/openvpn/mailman/openvpn-users/?viewmonth=202110, an 
error message Trac Error appeared.


Use https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos

Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk





[Openvpn-users] OpenVPN 2.5.4 released

2021-10-05 Thread Samuli Seppänen
ficial documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net/>
Easy RSA 3 HOWTO:
<https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto>
Forums: <https://forums.openvpn.net/>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-users] OpenVPN 2.5.3 released

2021-06-17 Thread Samuli Seppänen
//community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto>
Forums: <https://forums.openvpn.net/>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




Re: [Openvpn-users] Remove ad...@aenth.ie

2021-04-29 Thread Samuli Seppänen
To add to this: I believe we can't even see our subscribers anymore. I 
think it is related to GDPR and Sourceforge (personal information and 
all that).


Samuli

On 29/04/21 09:27, Antonio Quartulli wrote:

Hello,

to unsubscribe, please follow this link:
https://sourceforge.net/projects/openvpn/lists/openvpn-users/unsubscribe

Best Regards,








[Openvpn-users] OpenVPN 2.4.11 released

2021-04-21 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4.11. 
It fixes two related security vulnerabilities (CVE-2020-15078) which 
under very specific circumstances allow tricking a server using delayed 
authentication (plugin or management) into returning a PUSH_REPLY before 
the AUTH_FAILED message, which can possibly be used to gather 
information about a VPN setup. This release also includes other bug 
fixes and improvements. Updated OpenSSL and OpenVPN GUI are included in 
Windows installers.


Source code and Windows installers can be downloaded from our download page:

<https://openvpn.net/community-downloads/>

Debian and Ubuntu packages are available in the official apt repositories:

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos>

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-users] OpenVPN 2.5.2 released

2021-04-21 Thread Samuli Seppänen
st>

---

Linux packages are available from

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos>
<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release/>

Useful resources

Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net/>
Easy RSA 3 HOWTO:
<https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto>
Forums: <https://forums.openvpn.net/>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-users] OpenVPN 2.5.1 released

2021-02-24 Thread Samuli Seppänen
mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-users] OpenVPN 2.5.0 released

2020-10-28 Thread Samuli Seppänen
st: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-users] OpenVPN 2.5-rc3 released

2020-10-19 Thread Samuli Seppänen

The OpenVPN community project team is proud to release OpenVPN
2.5-rc3. Source code and Windows installers can be downloaded from our
download page:

<https://openvpn.net/community-downloads/>

Debian and Ubuntu packages are available in the official apt repositories:

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos>

On Red Hat derivatives we recommend using the Fedora Copr repository:

<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-beta/>

This release includes a number of fixes to OpenVPN.

OpenVPN 2.5 is a new major release with many new features:

Client-specific tls-crypt keys (--tls-crypt-v2)
Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN
data channel
Improved Data channel cipher negotiation
Removal of BF-CBC support in default configuration
Asynchronous (deferred) authentication support for auth-pam plugin
Deferred client-connect
Faster connection setup
Netlink support
Wintun support
IPv6-only operation
Improved Windows 10 detection
Linux VRF support
TLS 1.3 support
Support setting DHCP search domain
Handle setting of tun/tap interface MTU on Windows
HMAC based auth-token support
VLAN support
Support building of .msi installers for Windows
Allow unicode search string in --cryptoapicert option (Windows)
Support IPv4 configs with /31 netmasks now
New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
MSI installer (Windows)
The MSI installer now bundles EasyRSA 3, a modern take on OpenVPN CA
  management

More details on these new features as well as a list of deprecated
features and user-visible changes are available in Changes.rst:

<https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst>

For generic help use these support channels:

Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net/>
Forums: <https://forums.openvpn.net/>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Community bug tracker: <https://community.openvpn.net/>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-users] OpenVPN 2.5-rc2 released

2020-09-30 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN
2.5-rc2. Source code and Windows installers can be downloaded from our
download page:

<https://openvpn.net/community-downloads/>

Debian and Ubuntu packages are available in the official apt repositories:

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos>

On Red Hat derivatives we recommend using the Fedora Copr repository:

<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-beta/>

This release includes a number of fixes to OpenVPN, most of which affect
Windows only.

OpenVPN 2.5 is a new major release with many new features:

Client-specific tls-crypt keys (--tls-crypt-v2)
Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN
data channel
Improved Data channel cipher negotiation
Removal of BF-CBC support in default configuration
Asynchronous (deferred) authentication support for auth-pam plugin
Deferred client-connect
Faster connection setup
Netlink support
Wintun support
IPv6-only operation
Improved Windows 10 detection
Linux VRF support
TLS 1.3 support
Support setting DHCP search domain
Handle setting of tun/tap interface MTU on Windows
HMAC based auth-token support
VLAN support
Support building of .msi installers for Windows
Allow unicode search string in --cryptoapicert option (Windows)
Support IPv4 configs with /31 netmasks now
New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
MSI installer (Windows)
The MSI installer now bundles EasyRSA 3, a modern take on OpenVPN CA
  management

More details on these new features as well as a list of deprecated
features and user-visible changes are available in Changes.rst:

<https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst>

For generic help use these support channels:

Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net/>
Forums: <https://forums.openvpn.net/>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Community bug tracker: <https://community.openvpn.net/>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


Gert Doering (1):
  Preparing release 2.5_rc2

Lev Stipakov (1):
  Alias ADAPTER_DOMAIN_SUFFIX to DOMAIN

Selva Nair (2):
  Set DNS Domain using iservice
  Improve documentation of --username-as-common-name

Simon Rozman via Openvpn-devel (4):
  netsh: Specify interfaces by index rather than name
  netsh: Clear existing IPv6 DNS servers before configuring new ones
  netsh: Delete WINS servers on TUN close
  openvpnmsica: Simplify find_adapters() to void return

Vladislav Grishenko (1):
  Fix update_time() and openvpn_gettimeofday() coexistence





[Openvpn-users] OpenVPN 2.5-rc1 released

2020-09-22 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN
2.5-rc1. Source code and Windows installers can be downloaded from our
download page:

<https://openvpn.net/community-downloads/>

Debian and Ubuntu packages are available in the official apt repositories:

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos>

On Red Hat derivatives we recommend using the Fedora Copr repository:

<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-beta/>

This release includes a number of fixes to OpenVPN. On the Windows side
there are several changes:

- The MSI installer now bundles EasyRSA 3, a modern take on OpenVPN CA
management

- OpenVPN GUI can now be run as admin without breaking Wintun with the
"Always use interactive service by default" checkbox.

- Windows performance is increased by enabling compile-time
optimizations for OpenVPN and OpenSSL.

OpenVPN 2.5 is a new major release with many new features:

- Client-specific tls-crypt keys (--tls-crypt-v2)
- Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN data channel
- Improved Data channel cipher negotiation
- Removal of BF-CBC support in default configuration
- Asynchronous (deferred) authentication support for auth-pam plugin
- Deferred client-connect
- Faster connection setup
- Netlink support
- Wintun support
- IPv6-only operation
- Improved Windows 10 detection
- Linux VRF support
- TLS 1.3 support
- Support setting DHCP search domain
- Handle setting of tun/tap interface MTU on Windows
- HMAC based auth-token support
- VLAN support
- Support building of .msi installers for Windows
- Allow unicode search string in --cryptoapicert option (Windows)
- Support IPv4 configs with /31 netmasks now
- New option --block-ipv6 to reject all IPv6 packets (ICMPv6)

More details on these new features as well as a list of deprecated
features and user-visible changes are available in Changes.rst:

<https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst>

For generic help use these support channels:

Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net/>
Forums: <https://forums.openvpn.net/>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Community bug tracker: <https://community.openvpn.net/>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

David Sommerseth (4):
  man: Add missing --server-ipv6
  man: Improve --remote entry
  sample-plugins: Partially autotoolize the sample-plugins build
  build: Fix make distclean/distcheck

Gert Doering (11):
  Fix handling of 'route remote_host' for IPv6 transport case.
  Replace 'echo -n' with 'printf' in tests/t_lpback.sh
  Fix description of --client-disconnect calling convention in manpage.
  Handle NULL returns from calloc() in sample plugins.
  Fix --show-gateway for IPv6 on NetBSD/i386.
  socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes
  Fix netbits setting (in TAP mode) for IPv6 on Windows.
  If IPv6 pool specification sets pool start to ::0 address, increment.
  Add demo plugin that excercises "CLIENT_CONNECT" and "CLIENT_CONNECT_V2" paths
  Fix combination of --dev tap and --topology subnet across multiple platforms.
  Preparing release 2.5_rc1

Lev Stipakov (1):
  msvc: better support for 32bit architecture

Selva Nair (2):
  Add a remark on dropping privileges when --mlock is used
  Allow --dhcp-option in config file when windows-driver is wintun

Vladislav Grishenko (1):
  Fix fatal error at switching remotes (#629)





[Openvpn-users] OpenVPN 2.5-beta4 released

2020-09-11 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN
2.5-beta4. Source code and Windows installers can be downloaded from our
download page:

<https://openvpn.net/community-downloads/>

Debian and Ubuntu packages are available in the official apt repositories:

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos>

On Red Hat derivatives we recommend using the Fedora Copr repository:

<https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-beta/>

The 2.5-beta4 release includes important fixes to the Windows MSI
installers, plus some smaller fixes to OpenVPN itself.

OpenVPN 2.5 is a new major release with many new features:

- Client-specific tls-crypt keys (--tls-crypt-v2)
- Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN data channel
- Improved Data channel cipher negotiation
- Removal of BF-CBC support in default configuration
- Asynchronous (deferred) authentication support for auth-pam plugin
- Deferred client-connect
- Faster connection setup
- Netlink support
- Wintun support
- IPv6-only operation
- Improved Windows 10 detection
- Linux VRF support
- TLS 1.3 support
- Support setting DHCP search domain
- Handle setting of tun/tap interface MTU on Windows
- HMAC based auth-token support
- VLAN support
- Support building of .msi installers for Windows
- Allow unicode search string in --cryptoapicert option (Windows)
- Support IPv4 configs with /31 netmasks now
- New option --block-ipv6 to reject all IPv6 packets (ICMPv6)

More details on these new features as well as a list of deprecated
features and user-visible changes are available in Changes.rst:

<https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst>

For generic help use these support channels:

Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net/>
Forums: <https://forums.openvpn.net/>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Community bug tracker: <https://community.openvpn.net/>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-users] OpenVPN 2.5-beta3 released

2020-09-01 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN
2.5-beta3. Source code and Windows installers can be downloaded from



Debian and Ubuntu packages are available in the official apt repositories:



On RedHat derivatives we recommend using the Fedora Copr repository:



This release includes fixes to MSI packaging and client NCP OCP fallback
behavior.

OpenVPN 2.5 is a new major release with many new features:

- Client-specific tls-crypt keys (--tls-crypt-v2)
- Added support for using the ChaCha20-Poly1305 cipher in the
OpenVPN data channel
- Improved Data channel cipher negotiation
- Removal of BF-CBC support in default configuration
- Asynchronous (deferred) authentication support for auth-pam plugin
- Deferred client-connect
- Faster connection setup
- Netlink support
- Wintun support
- IPv6-only operation
- Improved Windows 10 detection
- Linux VRF support
- TLS 1.3 support
- Support setting DHCP search domain
- Handle setting of tun/tap interface MTU on Windows
- HMAC based auth-token support
- VLAN support
- Support building of .msi installers for Windows
- Allow unicode search string in --cryptoapicert option (Windows)
- Support IPv4 configs with /31 netmasks now
- New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
- IPv4-only VPN

More details on these new features as well as a list of deprecated
features and user-visible changes are available in Changes.rst:



For generic help use these support channels:

Official documentation:

Wiki: 
Forums: 
User mailing list: 
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: 
Developer mailing list: 
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)





[Openvpn-users] OpenVPN 2.5-beta1 released

2020-08-14 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN
2.5-beta1. Source code and Windows installers can be downloaded from



Debian and Ubuntu packages are available in the official apt repositories:



On RedHat derivatives we recommend using the Fedora Copr repository:



This is a new major release with many new features:

- Client-specific tls-crypt keys (--tls-crypt-v2)
- Added support for using the ChaCha20-Poly1305 cipher in the
OpenVPN data channel
- Improved Data channel cipher negotiation
- Removal of BF-CBC support in default configuration
- Asynchronous (deferred) authentication support for auth-pam plugin
- Deferred client-connect
- Faster connection setup
- Netlink support
- Wintun support
- IPv6-only operation
- Improved Windows 10 detection
- Linux VRF support
- TLS 1.3 support
- Support setting DHCP search domain
- Handle setting of tun/tap interface MTU on Windows
- HMAC based auth-token support
- VLAN support
- Support building of .msi installers for Windows
- Allow unicode search string in --cryptoapicert option (Windows)
- Support IPv4 configs with /31 netmasks now
- New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
- IPv4-only VPN

More details on these new features as well as a list of deprecated
features and user-visible changes are available in Changes.rst:



For generic help use these support channels:

Official documentation:

Wiki: 
Forums: 
User mailing list: 
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: 
Developer mailing list: 
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)






[Openvpn-users] Updated GPG key for OpenVPN 2.x apt repositories

2020-07-28 Thread Samuli Seppänen
Hi,

Many of you may have noticed that the GPG key that was used for signing
our apt repositories had expired a few days ago. I updated the keys and
pushed them to our download server.

Instructions for renewing the GPG key are available here:



Best regards,

Samuli




Re: [Openvpn-users] Linux 32 Bit Builds using GenericBuild Environment

2020-05-21 Thread Samuli Seppänen
On 21/05/20 17:11, Colin Ryan wrote:
> Folks,
> 
> I know this belongs more on the dev list but anyone know what CHOST,
> CBUILD environment variables could be used to leverage using the
> GenericBuild environment to build 32bit linux binaries in a 64bit linux
> environment.
> 
> I _love_ the GenericBuild environment for Windows builds...hoping to
> leverage for my linux builds.
> 

Hi,

I know some people are cross-compiling for Linux on Linux. There is some
info in the wiki which seems related to your question:



Samuli




Re: [Openvpn-users] OpenVPN 2.4.9 released

2020-04-24 Thread Samuli Seppänen
On 24/04/20 00:15, Simon Deziel wrote:
> On 2020-04-23 5:08 p.m., David Sommerseth wrote:
>> On 23/04/2020 22:30, Simon Deziel wrote:
>>> On 2020-04-23 3:55 p.m., David Sommerseth wrote:
>>>> On 23/04/2020 19:55, Simon Deziel wrote:
>>>>> On 2020-04-21 1:41 p.m., David Sommerseth wrote:
>>>>>> On 21/04/2020 18:32, Simon Deziel wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> I cannot validate the Windows exe files [1] and [2] using the key
>>>>>>> advertised in [3].
>>>>>>>
>>>>>>> $ gpg --verify openvpn-install-2.4.9-I601-Win7.exe.asc
>>>>>>> gpg: assuming signed data in 'openvpn-install-2.4.9-I601-Win7.exe'
>>>>>>> gpg: Signature made Fri 17 Apr 2020 07:25:11 AM EDT
>>>>>>> gpg:                using RSA key 333D46306CF9D9F1F630DB8D96AEC408005D6BB4
>>>>>>> gpg: Can't check signature: No public key
>>>>>>>
>>>>>>> $ gpg --verify openvpn-install-2.4.9-I601-Win10.exe.asc
>>>>>>> gpg: assuming signed data in 'openvpn-install-2.4.9-I601-Win10.exe'
>>>>>>> gpg: Signature made Fri 17 Apr 2020 07:25:00 AM EDT
>>>>>>> gpg:                using RSA key 333D46306CF9D9F1F630DB8D96AEC408005D6BB4
>>>>>>> gpg: Can't check signature: No public key
>>>>>>>
>>>>>>>
>>>>>>> $ gpg --list-keys F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
>>>>>>> pub   rsa4096/0x12F5F7B42F2B01E7 2017-02-09 [SC] [expires: 2027-02-07]
>>>>>>>   Key fingerprint = F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
>>>>>>> uid   [ unknown] OpenVPN - Security Mailing List
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Did I download the right files?
>>>>>>>
>>>>>>> $ sha256sum openvpn-install-2.4.9-I601-Win*
>>>>>>> 4f95a674c3ffafd85062df995a182cfb57ca56d96084472a48a65c546c815f0c
>>>>>>> openvpn-install-2.4.9-I601-Win10.exe
>>>>>>> 340a6b917c5358a18e4ed283669e8d59073720184dba2d1f2965512c9cac18ad
>>>>>>> openvpn-install-2.4.9-I601-Win10.exe.asc
>>>>>>> 495754e6f3e40a056b947d496729f3ba78aaf0458d80ff08991c27bddf386139
>>>>>>> openvpn-install-2.4.9-I601-Win7.exe
>>>>>>> b15e4b34756446589cc609d5d08fe5daba98c34463135b7abfab1538722c4c4e
>>>>>>> openvpn-install-2.4.9-I601-Win7.exe.asc
>>>>>>
>>>>>>
>>>>>> Try refreshing the PGP keys.  We pushed out new keys in early March, but seems
>>>>>> the web page was not updated.
>>>>>>
>>>>>> $ gpg --refresh-keys F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
>>>>>>
>>>>>> This should do the proper key update and the verification should work just
>>>>>> fine.  We always publish the security public key to key servers whenever they
>>>>>> are updated.
>>>>>
>>>>> I tried all the above and even did so in a fresh container. The subkey
>>>>> 333D46306CF9D9F1F630DB8D96AEC408005D6BB4 simply not there:
>>>>>
>>>>
>>>> This is really weird.  From my own test:
>>>>
>>>> [user@host ~]$ gpg --list-keys | wc -l
>>>> 0
>>>> [user@host ~]$ gpg --recv-key F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
>>>> gpg: requesting key 2F2B01E7 from hkp server keys.gnupg.net
>>>
>>> Indeed, pulling from that key server picked the 'new' subkey.
>>>
>>>> gpg: key 2F2B01E7: public key "OpenVPN - Security Mailing List " imported
>>>> gpg: no ultimately trusted keys found
>>>> gpg: Total number processed: 1
>>>> gpg:   imported: 1  (RSA: 1)
>>>> [user@host ~]$ gpg --edit F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
>>>> gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
>>>> This is free software: you are free to change and redistribute it.
>>>> There is NO WARRANTY, to the extent permitted by law.
>>>>
>>>> pub  4096R/2F2B01E7  created: 2017-02-09  expires: 2027-02-07  usage: SC
>>>>  trust: unknown   validity: unknown
>>>> The following key was revoked on 2019-02-04 by RSA key 2F2B01E7 OpenVPN - Security Mailing List
>>>> sub  4096R/F6D9F8D7  created: 2017-02-09  revoked: 2019-02-04  usage: E
>>>> The following key was revoked on 2019-02-04 by RSA key 2F2B01E7 OpenVPN - Security Mailing List
>>>> sub  4096R/8CC2B034  created: 2017-02-09  revoked: 2019-02-04  usage: S
>>>> sub  4096R/AF131CAE  created: 2018-03-07  expired: 2019-03-07  usage: S
>>>> sub  4096R/907F94CF  created: 2018-03-07  expired: 2019-03-07  usage: E
>>>> sub  4096R/5ACFEAC6  created: 2019-02-04  expired: 2020-03-09  usage: S
>>>> sub  4096R/3FEA78DB  created: 2019-02-04  expired: 2020-03-09  usage: E
>>>> sub  4096R/005D6BB4  created: 2020-02-21  expires: 2021-03-05  usage: S  < The key which is used
>>>> sub  4096R/5EABA192  created: 2020-02-21  expires: 2021-03-05  usage: E
>>>> [ unknown] (1). OpenVPN - Security Mailing List
>>>>
>>>> Which key server do you try to fetch from?  Might be we need to do
>>>> some additional pushes to some servers.
>>>
>>> Stock default Ubuntu pulls from hkps://keys.openpgp.org which doesn't
>>> have the new subkey.
>>
>> Alright, I just re-pushed to that server again explicitly.  And now 
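
The failure in this thread (primary key present locally, signing subkey absent) looks the same in `gpg --verify` output as a key that was never imported. The following added example, which is not part of the original messages, tells the cases apart by parsing `gpg --list-keys --with-colons` text. The two full fingerprints are the ones quoted in the thread; the listing text, the timestamps and the zero-padded fingerprint of the expired subkey are constructed.

```python
"""Explain a "Can't check signature: No public key" result for a subkey signature."""
from dataclasses import dataclass

# Validity letters found in field 2 of gpg's colon-delimited key listing.
UNUSABLE = {"r": "revoked", "e": "expired", "d": "disabled", "i": "invalid"}


@dataclass
class KeyRecord:
    kind: str            # "pub" (primary key) or "sub" (subkey)
    validity: str        # field 2
    capabilities: str    # field 12; lowercase letters are this key's own usages
    fingerprint: str = ""


def parse_colon_listing(listing):
    """Parse `gpg --list-keys --with-colons` text into KeyRecord objects."""
    records = []
    for line in listing.splitlines():
        fields = line.strip().split(":")
        if fields[0] in ("pub", "sub") and len(fields) >= 12:
            records.append(KeyRecord(fields[0], fields[1], fields[11]))
        elif fields[0] == "fpr" and len(fields) >= 10 and records:
            # An fpr record describes the pub/sub record just before it.
            if not records[-1].fingerprint:
                records[-1].fingerprint = fields[9].upper()
    return records


def normalise(fingerprint):
    """Accept fingerprints with or without the spaces gpg prints."""
    return fingerprint.replace(" ", "").upper()


def diagnose(listing, primary_fpr, signer_fpr):
    """Classify why a signature made by signer_fpr can or cannot be checked."""
    by_fpr = {r.fingerprint: r for r in parse_colon_listing(listing)}
    if normalise(primary_fpr) not in by_fpr:
        return "no-key"              # the key was never imported
    record = by_fpr.get(normalise(signer_fpr))
    if record is None:
        return "subkey-missing"      # local copy is stale: refresh the key
    if record.validity in UNUSABLE:
        return UNUSABLE[record.validity]
    if "s" not in record.capabilities:
        return "not-a-signing-key"
    return "ok"


# Fingerprints quoted in the thread.
PRIMARY = "F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7"
SIGNER = "333D46306CF9D9F1F630DB8D96AEC408005D6BB4"
# Constructed: the thread only shows the short id 5ACFEAC6 for this subkey.
OLD_SUBKEY = "0" * 32 + "5ACFEAC6"


def record_pair(kind, validity, fpr, created, expires, caps):
    """Build a constructed pub/sub record followed by its fpr record."""
    return (f"{kind}:{validity}:4096:1:{fpr[-16:]}:{created}:{expires}:::::{caps}:\n"
            + "fpr" + ":" * 9 + fpr + ":\n")


# Constructed listing of a keyring last updated before the new subkey existed.
STALE_LISTING = (
    record_pair("pub", "-", PRIMARY, 1486598400, 1801958400, "scESC")
    + "uid:-::::1486598400::::OpenVPN - Security Mailing List:\n"
    + record_pair("sub", "e", OLD_SUBKEY, 1549238400, 1583712000, "s")
)
# The same keyring after the key was fetched from a server that has the subkey.
REFRESHED_LISTING = STALE_LISTING + record_pair(
    "sub", "-", SIGNER, 1582243200, 1614902400, "s")

if __name__ == "__main__":
    for name, text in (("stale", STALE_LISTING), ("refreshed", REFRESHED_LISTING)):
        print(name, "->", diagnose(text, PRIMARY, SIGNER))
```

A `subkey-missing` result corresponds to the situation in the thread, where fetching the key from a key server that carries the new subkey resolved the verification error.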

[Openvpn-users] OpenVPN 2.4.9 released

2020-04-17 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4.9. It
can be downloaded from here:



This is primarily a maintenance release with bugfixes and improvements.
This release also fixes a security issue (CVE-2020-11810, trac #1272)
which allows disrupting service of a freshly connected client that has
not yet negotiated session keys. The vulnerability cannot be used to
inject or steal VPN traffic.

A summary of all included changes is available here:



A full list of changes is available here:



Please note that LibreSSL is not a supported crypto backend. We accept
patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if
newer versions of LibreSSL break API compatibility we do not take
responsibility to fix that.

Also note that Windows installers have been built with an NSIS version
that has been patched against several NSIS installer code execution and
privilege escalation problems:



Based on our testing, though, older Windows versions such as Windows 7
might not benefit from these fixes. We thus strongly encourage you to
always move NSIS installers to a non-user-writeable location before
running them. Our long-term plan is to migrate to using MSI installers
instead.

Compared to OpenVPN 2.3 this is a major update with a large number of
new features, improvements and fixes. Some of the major features are
AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved
IPv4/IPv6 dual stack support and more seamless connection migration when
client's IP address changes (Peer-ID). Also, the new --tls-crypt feature
can be used to increase users' connection privacy.

OpenVPN GUI bundled with the Windows installer has a large number of new
features compared to the one bundled with OpenVPN 2.3. One of the major
features is the ability to run OpenVPN GUI without administrator privileges.

For full details, look here:



The new OpenVPN GUI features are documented here:



Please note that OpenVPN 2.4 installers will not work on Windows XP.

For generic help use these support channels:

Official documentation:

Wiki: 
Forums: 
User mailing list: 
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: 
Developer mailing list: 
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)


Samuli

Antonio Quartulli (1):
  socks: use the right function when printing struct openvpn_sockaddr

Arne Schwabe (3):
  Fetch OpenSSL versions via source/old links
  Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
  Fix OpenSSL 1.1.1 not using auto elliptic curve selection

Gert Doering (1):
  Preparing release v2.4.9 (ChangeLog, version.m4, Changes.rst)

Lev Stipakov (4):
  Fix broken fragmentation logic when using NCP
  Fix building with --enable-async-push in FreeBSD
  Fix broken async push with NCP is used
  Fix illegal client float (CVE-2020-11810)

Maxim Plotnikov (1):
  OpenSSL: Fix --crl-verify not loading multiple CRLs in one file

Santtu Lakkala (1):
  Fix OpenSSL private key passphrase notices

Selva Nair (7):
  Swap the order of checks for validating interactive service user
  Move querying username/password from management interface to a function
  When auth-user-pass file has no password query the management interface (if available).
  Fix possibly uninitialized return value in GetOpenvpnSettings()
  Fix possible access of uninitialized pipe handles
  Skip expired certificates in Windows certificate store
  Allow unicode search string in --cryptoapicert option

Tom van Leeuwen (1):
  mbedTLS: Make sure TLS session survives move

WGH (1):
  docs: Add reference to X509_LOOKUP_hash_dir(3)





Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-06 Thread Samuli Seppänen
On 04/04/20 05:46, blz wrote:
> On 4/3/2020 12:06 PM, Nathan Stratton Treadway wrote:
>> On Fri, Apr 03, 2020 at 20:00:54 +0300, Samuli Seppänen wrote:
>>> Hi,
>>>
>>> On 02/04/20 22:07, Nathan Stratton Treadway wrote:
>>>> Would this second option be consistent with the fact that the failed
>>>> setupapi log says the driver package was "already imported"?
>>> Seems like it. You can use
>>>
>>> <https://github.com/mattock/tap-windows-scripts>
>>>
>>> to get rid of all tap-windows instances in the Driver Store. That's what
>>> I use when I need to be 100% positive the latest driver version is
>>> actually being used and not some cached version.
>> Yeah, I will plan to do that once it seems like there's nothing more to
>> learn investigating the system in its current state
>>
>>>> Is "oemvista.inf_amd64_6d4bec28a2ef0cdf" a name that is hard-coded
>>>> inside the TAP-Windows installer, or is that generated dynamically at
>>>> installer-execution time?
>>> I have absolutely no idea. We don't actively create such identifiers,
>>> so I have to assume it's Windows.
>> Well, I guess the interesting thing is that the same directory name was
>> used on both the failing- and succeeding-installation machines.  So I
>> guess it is baked into the driver-installer somewhere (unlike the
>> "c:\windows\inf\oem*.inf" name used, which was different between the two
>> machines)  But I'm wondering whether or not that directory name is
>> constant across tap-windows versions, etc.
> What I am wondering is Windows Update, which can and does sometimes
> download drivers from Microsoft's repository, could be a possible
> culprit? I've seen WU time and again be the root cause of some pretty
> big driver-related headaches before.

We have not uploaded tap-windows6 to the Microsoft driver repository.
Fortunately it seems :).

Samuli





Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-06 Thread Samuli Seppänen
On 04/04/20 18:20, Gert Doering wrote:
> Hi,
> 
> On Sat, Apr 04, 2020 at 10:37:23AM -0400, Selva Nair wrote:
>> (ii) Add an identifier to the inf file to make the two versions (win7/win10)
>> different.
> 
> If we can figure out how to do that, this sounds like a robust way
> forward.
>

Added https://community.openvpn.net/openvpn/ticket/1269

>> (iii) Have the installer delete all tap adapters and do a cleanup before
>> starting installation. This is very invasive and adversely affects those
>> who have multiple adapters, removes customized adapter names etc.
> 
> I have thought about this, but I find it too intrusive to do on a 
> "default" install.
> 
> We could offer it as an extra submodule?  checkbox item?  that users
> could activate if they have installation problems

We could, though I'd like to avoid any extra work going into the NSIS
installers. I'm not sure how MSI would handle this.

>   [ ] remove all existing TAP adapters before upgrading
> 
> but if we can get identifiers done, this should not even be necessary.
> 
>> By the way, while the Remove-tapwindows.ps1 script is very handy, it
>> works only if all adapters are first removed using deltapall.bat or
>> something
>> equivalent. Adding that functionality to the script would be very useful.
> 
> +1

I added a (private) task about this for me, though I'm open to PRs :).

> 
> Samuli, you're listening? :-)
> 
> gert
> 

Yes, I've read each and every email related to this and there sure have
been plenty :).

Samuli





Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-03 Thread Samuli Seppänen
Hi,

On 02/04/20 22:07, Nathan Stratton Treadway wrote:
> On Thu, Apr 02, 2020 at 21:16:48 +0300, Samuli Seppänen wrote:
>> The installer I extracted had a sha1sum of
>>
>> 9c3fa39b6dc1ca9a02bf940c0509cf58a13fdf7d
>>
>> That matches the sha1sum of openvpn-install-2.4.8-i602-Win10.exe's which
>> I just a few minutes ago downloaded from the official download page and
>> our alternative download server:
> 
> Yes, this matches the other copies of the installer we have (though
> unfortunately on the machine where this failed, the installer .exe file
> was not saved, so I guess there is some remote possibility that it was
> not the same file, somehow).
> 
> 
>>
>> <https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.8-I602-Win10.exe>
>> <https://build.openvpn.net/downloads/releases/openvpn-install-2.4.8-I601-Win10.exe>
>>
>> At this point I have no clue where a Windows 7 version of the driver
>> could have appeared from, unless:
>>
>> - The installer you're using is somehow accidentally not the correct one
>> - Windows has the Windows 7 driver hidden somewhere (Driver Store)
> 
> Would this second option be consistent with the fact that the failed
> setupapi log says the driver package was "already imported"?

Seems like it. You can use

<https://github.com/mattock/tap-windows-scripts>

to get rid of all tap-windows instances in the Driver Store. That's what
I use when I need to be 100% positive the latest driver version is
actually being used and not some cached version.

> Is "oemvista.inf_amd64_6d4bec28a2ef0cdf" a name that is hard-coded
> inside the TAP-Windows installer, or is that generated dynamically at
> installer-execution time?

I have absolutely no idea. We don't actively create such identifiers,
so I have to assume it's Windows.

> 
> Anyway, I will see if I can determine anything by checking the timestamps
> for the various c:\windows\ files mentioned in the log, etc.

Ok, let me know what you find!

Samuli




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-02 Thread Samuli Seppänen
Hi again,

On 02/04/20 20:52, Samuli Seppänen wrote:
> On 02/04/20 20:43, Nathan Stratton Treadway wrote:
>> On Thu, Apr 02, 2020 at 20:17:23 +0300, Samuli Seppänen wrote:
>>> On 02/04/20 19:22, Nathan Stratton Treadway wrote:
>>>> On Thu, Apr 02, 2020 at 12:17:17 -0400, Nathan Stratton Treadway wrote:
>>>>> On Thu, Apr 02, 2020 at 18:07:26 +0200, Gert Doering wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On Thu, Apr 02, 2020 at 11:48:14AM -0400, Nathan Stratton Treadway wrote:
>>>>>>> So it does seem like the driver is signed by OpenVPN (and not
>>>>>>> Microsoft)... but the version is 9.24.  Does that mean it actually is
>>>>>>> the "tap0901" driver, or can the tap-windows6 driver also have a version
>>>>>>> of 9.24?
>>>>>>
>>>>>> All these are "tap-windows6", "tap0901".
>>>>>>
>>>>>> 2.4.7 ships with 9.23 of the tap-windows6 driver, 2.4.8 with 9.24
>>>>>>
>>>>>> There used to be a tap-windows with NDIS5, but I think we never
>>>>>> shipped a 2.4 installer with it - the installer versions with "-I001"
>>>>>> in the name had tap5, the "I601, I602, ..." ones have tap6.
>>>>>
>>>>> Okay, thanks, that helps.
>>>>>
>>>>> So does the openvpn-install-2.4.8-i602-Win10.exe installer contain both
>>>>> the Windows 7 and Windows 10 versions of the tap-windows6 driver?
>>>>>
>>>>
>>>> Or, I guess a more precise question is: does the tapinstall.exe file
>>>> included in the openvpn-install-2.4.8-i602-Win10.exe installer (which I
>>>> guess is tapinstall v602 , right?) contain both Win 7 and Win 10
>>>> drivers?
>>>
>>> The OpenVPN installers should contain only Windows 7 (cross-signed) or
>>> Windows 10 (attestation-signed) drivers in i386, amd64 and arm64
>>
>> Are you saying that the openvpn-install-2.4.8-i602-Win10.exe installer
>> should contain *only* the Win 10 version of the TAP-windows driver?  
> 
> Yes, exactly. I had to double-check that from openvpn-build and
> tap-windows6 buildsystems to be sure.
> 
>> If so, then the question is where the cross-signed driver is coming from
>> on this box (which has never had any OpenVPN [or TAP] installer other
>> than openvpn-install-2.4.8-i602-Win10.exe run on it)?
> 
> That is a very good question. I just launched my lovely arm64 Windows 10
> laptop to check the catalog signatures. I'll report back.

So, with 7zip on Windows I opened

openvpn-install-2.4.8-i602-Win10.exe
-> $TEMP
   -> tap-windows.exe
  -> driver

That contains OemVista.inf, tap0901.cat and tap0901.sys in three
flavors: i386, amd64 and arm64. I extracted the cat and sys files and
checked their signatures. They were all signed by Microsoft. With
"Get-AuthenticodeSignature " all showed SignerCertificate
starting with 87D211E3. Checking the File Properties showed that
corresponds to Microsoft.

The installer I extracted had a sha1sum of

9c3fa39b6dc1ca9a02bf940c0509cf58a13fdf7d

That matches the sha1sum of openvpn-install-2.4.8-i602-Win10.exe's which
I just a few minutes ago downloaded from the official download page and
our alternative download server:

<https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.8-I602-Win10.exe>
<https://build.openvpn.net/downloads/releases/openvpn-install-2.4.8-I601-Win10.exe>

At this point I have no clue where a Windows 7 version of the driver
could have appeared from, unless:

- The installer you're using is somehow accidentally not the correct one
- Windows has the Windows 7 driver hidden somewhere (Driver Store)

It is getting late here (9:15 PM) so I won't be around anymore, but will
check back in my morning.


>>> flavors. Verifying that is fairly easy by extracting the installer with
>>> p7zip and checking the signatures of all the *.cat files in it.
>>
>> p7zip on my Ubuntu box (Xenial) refused to open the .exe file, as did
>> 7zr ("Can not open file as archive").  Can you send a pointer to a
>> website which discusses the type of unpacking-of-installer-file you are
>> talking about?
> 
> I've only ever done it on Windows. Verifying the authenticode signature
> signer might be challenging on Linux.
> 
>> (Note that I don't run Windows myself, and only have limited access to the
>> Windows machines in question.)
> 
> 
> ___
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
> 





Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-02 Thread Samuli Seppänen
On 02/04/20 20:43, Nathan Stratton Treadway wrote:
> On Thu, Apr 02, 2020 at 20:17:23 +0300, Samuli Seppänen wrote:
>> On 02/04/20 19:22, Nathan Stratton Treadway wrote:
>>> On Thu, Apr 02, 2020 at 12:17:17 -0400, Nathan Stratton Treadway wrote:
>>>> On Thu, Apr 02, 2020 at 18:07:26 +0200, Gert Doering wrote:
>>>>> Hi,
>>>>>
>>>>> On Thu, Apr 02, 2020 at 11:48:14AM -0400, Nathan Stratton Treadway wrote:
>>>>>> So it does seem like the driver is signed by OpenVPN (and not
>>>>>> Microsoft)... but the version is 9.24.  Does that mean it actually is
>>>>>> the "tap0901" driver, or can the tap-windows6 driver also have a version
>>>>>> of 9.24?
>>>>>
>>>>> All these are "tap-windows6", "tap0901".
>>>>>
>>>>> 2.4.7 ships with 9.23 of the tap-windows6 driver, 2.4.8 with 9.24
>>>>>
>>>>> There used to be a tap-windows with NDIS5, but I think we never
>>>>> shipped a 2.4 installer with it - the installer versions with "-I001"
>>>>> in the name had tap5, the "I601, I602, ..." ones have tap6.
>>>>
>>>> Okay, thanks, that helps.
>>>>
>>>> So does the openvpn-install-2.4.8-i602-Win10.exe installer contain both
>>>> the Windows 7 and Windows 10 versions of the tap-windows6 driver?
>>>>
>>>
>>> Or, I guess a more precise question is: does the tapinstall.exe file
>>> included in the openvpn-install-2.4.8-i602-Win10.exe installer (which I
>>> guess is tapinstall v602 , right?) contain both Win 7 and Win 10
>>> drivers?
>>
>> The OpenVPN installers should contain only Windows 7 (cross-signed) or
>> Windows 10 (attestation-signed) drivers in i386, amd64 and arm64
> 
> Are you saying that the openvpn-install-2.4.8-i602-Win10.exe installer
> should contain *only* the Win 10 version of the TAP-windows driver?  

Yes, exactly. I had to double-check that from openvpn-build and
tap-windows6 buildsystems to be sure.

> If so, then the question is where the cross-signed driver is coming from
> on this box (which has never had any OpenVPN [or TAP] installer other
> than openvpn-install-2.4.8-i602-Win10.exe run on it)?

That is a very good question. I just launched my lovely arm64 Windows 10
laptop to check the catalog signatures. I'll report back.

>> flavors. Verifying that is fairly easy by extracting the installer with
>> p7zip and checking the signatures of all the *.cat files in it.
> 
> p7zip on my Ubuntu box (Xenial) refused to open the .exe file, as did
> 7zr ("Can not open file as archive").  Can you send a pointer to a
> website which discusses the type of unpacking-of-installer-file you are
> talking about?

I've only ever done it on Windows. Verifying the authenticode signature
signer might be challenging on Linux.

> (Note that I don't run Windows myself, and only have limited access to the
> Windows machines in question.)


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-02 Thread Samuli Seppänen
On 02/04/20 19:22, Nathan Stratton Treadway wrote:
> On Thu, Apr 02, 2020 at 12:17:17 -0400, Nathan Stratton Treadway wrote:
>> On Thu, Apr 02, 2020 at 18:07:26 +0200, Gert Doering wrote:
>>> Hi,
>>>
>>> On Thu, Apr 02, 2020 at 11:48:14AM -0400, Nathan Stratton Treadway wrote:
>>>> So it does seem like the driver is signed by OpenVPN (and not
>>>> Microsoft)... but the version is 9.24.  Does that mean it actually is
>>>> the "tap0901" driver, or can the tap-windows6 driver also have a version
>>>> of 9.24?
>>>
>>> All these are "tap-windows6", "tap0901".
>>>
>>> 2.4.7 ships with 9.23 of the tap-windows6 driver, 2.4.8 with 9.24
>>>
>>> There used to be a tap-windows with NDIS5, but I think we never
>>> shipped a 2.4 installer with it - the installer versions with "-I001"
>>> in the name had tap5, the "I601, I602, ..." ones have tap6.
>>
>> Okay, thanks, that helps.
>>
>> So does the openvpn-install-2.4.8-i602-Win10.exe installer contain both
>> the Windows 7 and Windows 10 versions of the tap-windows6 driver?
>>
> 
> Or, I guess a more precise question is: does the tapinstall.exe file
> included in the openvpn-install-2.4.8-i602-Win10.exe installer (which I
> guess is tapinstall v602 , right?) contain both Win 7 and Win 10
> drivers?

The OpenVPN installers should contain only Windows 7 (cross-signed) or
Windows 10 (attestation-signed) drivers in i386, amd64 and arm64
flavors. Verifying that is fairly easy by extracting the installer with
p7zip and checking the signatures of all the *.cat files in it.

Samuli




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-02 Thread Samuli Seppänen
Hi,

On 02/04/20 08:33, Nathan Stratton Treadway wrote:
> On Wed, Apr 01, 2020 at 11:14:08 -0400, Nathan Stratton Treadway wrote:
>> I should be able to get the setupapi.dev.log  files from both of the
>> machines if that would be helpful.
> 
> I extracted the section of the setupapi.dev.log files related to the
> TAP-Windows installation from each of the systems in question, and then
> to try to spot the functional differences between the two, I ran the
> following commands to mask off the timestamps contained within the log:
> 
>   $ sed "s/10:50:03\.[0-9][0-9][0-9]/HH:MM:SS.sss/g" setupapi_TAP-Windows_succeeded.log > setupapi_TAP-Windows_succeeded.log_cleaned
>   $ sed "s/11:09:33\.[0-9][0-9][0-9]/HH:MM:SS.sss/g" setupapi_TAP-Windows_failed.log > setupapi_TAP-Windows_failed.log_cleaned
> 
> and then compared the two "_cleaned" files:
> 
> =
> $ diff -ui setupapi_TAP-Windows_{succeeded,failed}.log_cleaned
> --- setupapi_TAP-Windows_succeeded.log_cleaned2020-04-02 
> 00:18:12.0 -0400
> +++ setupapi_TAP-Windows_failed.log_cleaned   2020-04-02 00:19:09.0 
> -0400
> @@ -1,5 +1,5 @@
>  >>>  [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
> ->>>  Section start 2020/03/13 HH:MM:SS.sss
> +>>>  Section start 2020/03/27 HH:MM:SS.sss
>cmd: "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install 
> "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
>   ndv: INF path: C:\Program Files\TAP-Windows\driver\OemVista.inf
>   ndv: Install flags: 0x0001
> @@ -9,19 +9,13 @@
>   dvi:  {Build Driver List} HH:MM:SS.sss
>   dvi:   Searching for hardware ID(s):
>   dvi:tap0901
> - sig:   {_VERIFY_FILE_SIGNATURE} HH:MM:SS.sss
> - sig:Key  = oemvista.inf
> - sig:FilePath = c:\program 
> files\tap-windows\driver\oemvista.inf
> - sig:Catalog  = c:\program 
> files\tap-windows\driver\tap0901.cat
> - sig:Success: File is signed in catalog.
> - sig:   {_VERIFY_FILE_SIGNATURE exit(0x)} HH:MM:SS.sss
>   dvi:   Created Driver Node:
>   dvi:HardwareID   - tap0901
>   dvi:InfName  - c:\program 
> files\tap-windows\driver\oemvista.inf
>   dvi:DevDesc  - TAP-Windows Adapter V9
>   dvi:Section  - tap0901.ndi
>   dvi:Rank - 0x00ff
> - dvi:Signer Score - WHQL
> + dvi:Signer Score - Authenticode

Your problem seems to be the same as Ralf's (see my other email). The
NSIS installer chose to install the Windows 7 version of tap-windows6 on
this Windows 10 instance, and that will not work.

WHQL = attestation signed
Authenticode = cross-signed


>   dvi:DrvDate  - 09/27/2019
>   dvi:Version  - 9.24.2.601
>   dvi:  {Build Driver List - exit(0x)} HH:MM:SS.sss
> @@ -40,70 +34,15 @@
>   ndv:   Inf Name   - oemvista.inf
>   ndv:   Driver Date- 09/27/2019
>   ndv:   Driver Version - 9.24.2.601
> + ndv:  Driver package 
> 'C:\WINDOWS\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf\oemvista.inf'
>  is already imported.
>   sto:  {Setup Import Driver Package: c:\program 
> files\tap-windows\driver\oemvista.inf} HH:MM:SS.sss
> - inf:   Provider: TAP-Windows Provider V9
> - inf:   Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
> - inf:   Driver Version: 09/27/2019,9.24.2.601
> - inf:   Catalog File: tap0901.cat
> - sto:   {Copy Driver Package: c:\program 
> files\tap-windows\driver\oemvista.inf} HH:MM:SS.sss
> - sto:Driver Package = c:\program 
> files\tap-windows\driver\oemvista.inf
> - sto:Flags  = 0x0007
> [... skipping the copying of all the driver files, etc...]
> - sto: {DRIVERSTORE IMPORT END} HH:MM:SS.sss
> - dvi:  Flushed all driver package files to disk. 
> Time = 16 ms
> - sig:  Installed catalog 'tap0901.cat' as 
> 'oem128.cat'.
> - sto: {DRIVERSTORE IMPORT END: exit(0x)} 
> HH:MM:SS.sss
> - sto:{Core Driver Package Import: exit(0x)} 
> HH:MM:SS.sss
> - sto:   {Stage Driver Package: exit(0x)} HH:MM:SS.sss
> + sto:   Driver package already imported as 'oem43.inf'.
>   sto:  {Setup Import Driver Package - exit (0x)} HH:MM:SS.sss
>   dvi:  Searching for hardware ID(s):
>   dvi:   tap0901
>   dvi:  Class GUID of device changed to: 
> {4d36e972-e325-11ce-bfc1-08002be10318}.
>   dvi:  {Plug and Play Service: Device Install for ROOT\NET\}
> - dvi:   Driver INF Path: 
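Review bot: in the last hunk, the lines added on the failed side ("ndv: Driver package ... is already imported." and "sto: Driver package already imported as 'oem43.inf'.") show that this run reused a package that was already staged in the DriverStore, so the section being compared is not the one in which that machine first imported the driver package. The comparison should also include the earlier setupapi.dev.log section on the failed machine that staged oem43.inf, since that is where the import and catalog installation steps (the "sto:" and "sig:" lines that appear only on the succeeded side here) would have been logged.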

Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-04-01 Thread Samuli Seppänen
Hi,

On 01/04/20 18:14, Nathan Stratton Treadway wrote:
> On Thu, Mar 26, 2020 at 17:11:27 +0200, Samuli Seppänen wrote:
>> On 26/03/20 15:47, Ralf Hildebrandt wrote:
>>> As you might have heard this covid19 thingy is forcing (our) users to
>>> work from home. 
>>>
>>> We're using openvpn (in the meantime we deployed three openvpn servers
>>> to handle the load and have optimised the scripts to lower the overall
>>> latency upon execution), and recently we encountered massive problems with
>>> openvpn 2.4.8 on Windows 10. The bundled TAP32 Adapter is having
>>> issues (little yellow triangle with an exclamation mark in the device 
>>> manager).
>>
>> Can you send me (privately) C:\Windows\inf\setupapi.dev.log from one or
>> some of the affected computers? Or just the part of it which describes
>> the failed tap-windows6 installation (rather easy to find).
> 
> We've just hit what I assume is the same problem at our site. 
> Interestingly we have two "twin" Windows 10 machines (same model
> purchased at the same time), but OpenVPN installed fine on one and had
> the problem on the other.
> 
> (Specifically on the failed machine the TAP-Windows Adapter V9 entry in
> the Device Manager has a Device Status of "Windows cannot verify the
> digital signature for the drivers required for this device. A recent
> hardware or software change might have installed a file that is signed
> incorrectly or damaged, or that might be malicious software from an
> unknown source. (Code 52)".)
> 
> On both of these machines OpenVPN had never been installed before
> the recent installation.
> 
> I should be able to get the setupapi.dev.log  files from both of the
> machines if that would be helpful.

I looked at Ralf's logs and they show that - for whatever reason - the
tap-windows installer chose to install the Windows 7 version of
tap-windows6 on those Windows 10 instances. The Digital signer in the
device properties should show "Microsoft Windows Hardware
Compatibility Publisher" (=attestation signature), not "OpenVPN Inc"
(cross-signed).

Assuming 9.23.x works it "should be easy"(tm) to figure out what the
difference is. Or maybe something changed in Windows which causes this
misbehavior. Fully removing all traces of tap-windows6 from the system,
e.g. with Remote-Tapwindows.ps1:

<https://github.com/mattock/tap-windows-scripts>

Can you guys try if that full removal helps with this?

Samuli
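
Added example (not part of the thread, and not OpenVPN project code): a Python parser that pulls the tap0901 install sections out of a setupapi.dev.log and flags a cross-signed driver selected on Windows 10, using the "WHQL = attestation signed, Authenticode = cross-signed" mapping given in this thread. The sample log is constructed from the lines quoted in the thread; the function names and the "Section end" lines are assumptions.

```python
import re

# Constructed sample, modelled on the setupapi.dev.log lines quoted in this
# thread (timestamps and the "Section end" lines are illustrative).
SAMPLE_LOG = r"""
>>>  [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
>>>  Section start 2020/03/13 10:50:03.100
     dvi:      Searching for hardware ID(s):
     dvi:           tap0901
     sig:      {_VERIFY_FILE_SIGNATURE} 10:50:03.120
     sig:           Key      = oemvista.inf
     sig:           Catalog  = c:\program files\tap-windows\driver\tap0901.cat
     sig:           Success: File is signed in catalog.
     dvi:      Created Driver Node:
     dvi:           HardwareID   - tap0901
     dvi:           Signer Score - WHQL
     dvi:           Version      - 9.24.2.601
<<<  Section end 2020/03/13 10:50:05.000
>>>  [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
>>>  Section start 2020/03/27 11:09:33.200
     dvi:      Created Driver Node:
     dvi:           HardwareID   - tap0901
     dvi:           Signer Score - Authenticode
     dvi:           Version      - 9.24.2.601
     sto:      Driver package already imported as 'oem43.inf'.
<<<  Section end 2020/03/27 11:09:34.000
"""

SECTION_RE = re.compile(r"^>>>\s+\[(?P<title>.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<date>\S+)")
FIELD_RE = re.compile(
    r"^\s*dvi:\s+(?P<key>HardwareID|Signer Score|Version)\s+-\s+(?P<val>.+?)\s*$"
)
FIELD_NAMES = {"HardwareID": "hardware_id", "Signer Score": "signer_score",
               "Version": "version"}

# Mapping as stated in the thread.
SIGNER_MEANING = {"WHQL": "attestation-signed", "Authenticode": "cross-signed"}


def parse_install_sections(text, hardware_id="tap0901"):
    """Return one dict per log section whose driver node matches hardware_id."""
    sections, cur = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            cur = {"title": m["title"], "date": None, "hardware_id": None,
                   "signer_score": None, "version": None,
                   "catalog_verified": False, "reused_package": False}
            sections.append(cur)
            continue
        if cur is None:
            continue  # text before the first section header
        m = START_RE.match(line)
        if m:
            cur["date"] = m["date"]
            continue
        m = FIELD_RE.match(line)
        if m:
            name = FIELD_NAMES[m["key"]]
            if cur[name] is None:  # keep the first driver node of the section
                cur[name] = m["val"]
            continue
        if "Success: File is signed in catalog." in line:
            cur["catalog_verified"] = True
        elif "already imported" in line:
            cur["reused_package"] = True
    return [s for s in sections if s["hardware_id"] == hardware_id]


def assess(section, windows_10=True):
    """Classify the signer score of one parsed section."""
    score = section["signer_score"]
    if score is None:
        return "unknown: no Signer Score recorded"
    kind = SIGNER_MEANING.get(score, "unrecognised")
    if windows_10 and score != "WHQL":
        return f"SUSPECT: {kind} ({score}) driver selected on Windows 10"
    return f"ok: {kind} ({score})"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            log_text = fh.read()
    else:
        log_text = SAMPLE_LOG
    for sec in parse_install_sections(log_text):
        print(sec["date"], sec["version"], assess(sec))
```

Run it with the path to a copy of C:\Windows\inf\setupapi.dev.log as the only argument; without an argument it processes the constructed sample.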




Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-03-30 Thread Samuli Seppänen
On 26/03/20 23:48, Gert Doering wrote:
> Hi,
> 
> On Thu, Mar 26, 2020 at 05:11:27PM +0200, Samuli Seppänen wrote:
>>> If this is a known issue -- could we get a recent version of openvpn with
>>> a TAP32 driver that actually works on Win10? Or can we simply
>>> recommend installing 2.4.7 instead (and hope the driver bundled is
>>> 9.23.3)?
>>
>> This is not a known problem. Or at least I've never heard of it.
>>
>> I checked logs of openvpn-build and they indicate that
>> tap-windows-9.23.3-I601 _is_ bundled with
>> openvpn-install-2.4.7-I607-Win10.exe.
> 
> Well, that seems to be what Ralf is saying "we install 2.4.7 and that
> brings 9.23.3, so all is good" - doesn't 2.4.8 bring a newer version
> of the tap driver, which has upgrade issues on some machines?
> 
> (I lost track of the details)
> 
> gert
> 

According to Git logs 2.4.8 has tap-windows-9.24.2 which does not have
any widespread problems on Windows 10: if it did, we would have heard of
it very soon after the release of 2.4.8.

I also don't think Ralf's issue is about the signature, as both 9.23.3
and 9.24.2 are attestation-signed, i.e. have Microsoft's own signature.

The changes done between 9.23.3 and 9.24.2 are these:

$ git shortlog 38d6cac...HEAD
Lev Stipakov (2):
  cosmetics: fix debug build
  constants.h: make driver not halt on suspend

Samuli Seppänen (8):
  Fix timestamping when appending signatures
  Document the need to use a statically linked devcon.exe
  Add support for version.m4 overrides
  Add build configuration for HLK builds
  Do not wipe --ti directory when using prebuilt devcon
  Complete removal of --oas option which breaks HLK builds
  Merge pull request #94 from rozmansi/pending/characteristics
  Bump version to 9.24.2.601

Simon Rozman (4):
  Enable code analysis on Release|x64 builds
  Remove NCF_HAS_UI flag from Characteristics
  Match PhysicalMediaType in INF and source code
  Declare adapter as virtual device rather than physical Ethernet NIC

Stephen Stair (2):
  Fix annotation problems noticed by code analysis.
  Fixing some more code analysis issues. * Updated IRQL modification
annotations * Expanded some 32bit additions to 64bit in statistics *
Corrected some edge cases tools were complaining about.

---

There are some which seem to have potential for causing problems (in
some scenarios/corner cases).

Without having a look at setupapi.dev.log it is impossible to tell what
is wrong. If the problem is present on a wide range of Windows machines
then a GPO or some other shared configuration could be triggering this problem.

Samuli





Re: [Openvpn-users] Openvpn 2.4.8 on Windows 10: TAP32 Adapter seems to be fubared

2020-03-26 Thread Samuli Seppänen
Hi,

On 26/03/20 15:47, Ralf Hildebrandt wrote:
> As you might have heard this covid19 thingy is forcing (our) users to
> work from home. 
> 
> We're using openvpn (in the meantime we deployed three openvpn servers
> to handle the load and have optimised the scripts to lower the overall
> latency upon execution), and recently we encountered massive problems with
> openvpn 2.4.8 on Windows 10. The bundled TAP32 Adapter is having
> issues (little yellow triangle with an exclamation mark in the device 
> manager).

Can you send me (privately) C:\Windows\inf\setupapi.dev.log from one or
some of the affected computers? Or just the part of it which describes
the failed tap-windows6 installation (rather easy to find).

> The workaround is to install
> https://build.openvpn.net/downloads/releases/tap-windows-9.23.3-I601-Win10.exe
> and all is well. Yay!
> 
> If this is a known issue -- could we get a recent version of openvpn with
> a TAP32 driver that actually works on Win10? Or can we simply
> recommend installing 2.4.7 instead (and hope the driver bundled is
> 9.23.3)?

This is not a known problem. Or at least I've never heard of it.

I checked logs of openvpn-build and they indicate that
tap-windows-9.23.3-I601 _is_ bundled with
openvpn-install-2.4.7-I607-Win10.exe.

Samuli


> It doesn't seem to happen with all Win10 installations, though.
> 
> --
> Ralf Hildebrandt
> Charité - Universitätsmedizin Berlin
> Geschäftsbereich IT | Abteilung Netzwerk
> 
> Campus Benjamin Franklin (CBF)
> Haus I | 1. OG | Raum 105
> Hindenburgdamm 30 | D-12203 Berlin
> 
> Tel. +49 30 450 570 155
> ralf.hildebra...@charite.de
> https://www.charite.de
> 





Re: [Openvpn-users] gmane is dead

2019-12-02 Thread Samuli Seppänen
On 02/12/19 11:58, sergio wrote:
> 
> Gmane is dead, please update:
> 
> https://openvpn.net/community-resources/mailing-lists/
> 
> 

Added a ticket for our web guys. We've had another non-SF.net archive
available for a long while. The openvpn-devel list, for example, is
archived here:



Samuli




Re: [Openvpn-users] OpenVPN 2.4.8 released

2019-10-31 Thread Samuli Seppänen
Hi,

We recently found out that the code signing certificate the 2.4.8
Windows installers use expired a couple of weeks ago. I will get a new
certificate today evening (~6 hours) and push out new installers.

This problem only seems to affect the prompt you get when you
double-click on the installer executable. You probably see "Unknown
publisher" there. Besides that Windows seems to be perfectly happy with
the executables and libraries. That is the main reason why a problem
such as this was able to slip through testing.

Samuli

On 31/10/19 12:27, Samuli Seppänen wrote:
> The OpenVPN community project team is proud to release OpenVPN 2.4.8. It
> can be downloaded from here:
> 
> <https://openvpn.net/community-downloads/>
> 
> This is primarily a maintenance release with bugfixes and improvements.
> The Windows installers (I601) have several improvements compared to the
> previous release:
> 
> * New tap-windows6 driver (9.24.2) which fixes some suspend and resume
> issues
> * Latest OpenVPN-GUI
> * Considerable performance boost due to new compiler optimization flags
> 
> A summary of all included changes is available here:
> 
> <https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst>
> 
> A full list of changes is available here:
> 
> <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24>
> 
> Please note that LibreSSL is not a supported crypto backend. We accept
> patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if
> newer versions of LibreSSL break API compatibility we do not take
> responsibility to fix that.
> 
> Also note that Windows installers have been built with an NSIS version
> that has been patched against several NSIS installer code execution and
> privilege escalation problems:
> 
> <https://community.openvpn.net/openvpn/wiki/NSISBug1125>
> 
> Based on our testing, though, older Windows versions such as Windows 7
> might not benefit from these fixes. We thus strongly encourage you to
> always move NSIS installers to a non-user-writeable location before
> running them. Our long-term plan is to migrate to using MSI installers
> instead.
> 
> Compared to OpenVPN 2.3 this is a major update with a large number of
> new features, improvements and fixes. Some of the major features are
> AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved
> IPv4/IPv6 dual stack support and more seamless connection migration when
> client's IP address changes (Peer-ID). Also, the new --tls-crypt feature
> can be used to increase users' connection privacy.
> 
> OpenVPN GUI bundled with the Windows installer has a large number of new
> features compared to the one bundled with OpenVPN 2.3. One of the major
> features is the ability to run OpenVPN GUI without administrator privileges.
> 
> For full details, look here:
> 
> <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24>
> 
> The new OpenVPN GUI features are documented here:
> 
> <https://github.com/OpenVPN/openvpn-gui>
> 
> Please note that OpenVPN 2.4 installers will not work on Windows XP.
> 
> For generic help use these support channels:
> 
> Official documentation:
> <http://openvpn.net/index.php/open-source/documentation/howto.html>
> Wiki: <https://community.openvpn.net>
> Forums: <https://forums.openvpn.net>
> User mailing list: <http://sourceforge.net/mail/?group_id=48978>
> User IRC channel: #openvpn at irc.freenode.net
> 
> Please report bugs and ask development questions here:
> 
> Bug tracker and wiki: <https://community.openvpn.net>
> Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
> Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
> Freenode registration)
> 
> 
> Samuli
> 
> 
> 
> ___
> Openvpn-devel mailing list
> openvpn-de...@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
> 






[Openvpn-users] OpenVPN 2.4.8 released

2019-10-31 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4.8. It
can be downloaded from here:

<https://openvpn.net/community-downloads/>

This is primarily a maintenance release with bugfixes and improvements.
The Windows installers (I601) have several improvements compared to the
previous release:

* New tap-windows6 driver (9.24.2) which fixes some suspend and resume
issues
* Latest OpenVPN-GUI
* Considerable performance boost due to new compiler optimization flags

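A summary of all included changes is available here:

<https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst>

A full list of changes is available here:

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24>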

Please note that LibreSSL is not a supported crypto backend. We accept
patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if
newer versions of LibreSSL break API compatibility we do not take
responsibility to fix that.

Also note that Windows installers have been built with an NSIS version
that has been patched against several NSIS installer code execution and
privilege escalation problems:

<https://community.openvpn.net/openvpn/wiki/NSISBug1125>

Based on our testing, though, older Windows versions such as Windows 7
might not benefit from these fixes. We thus strongly encourage you to
always move NSIS installers to a non-user-writeable location before
running them. Our long-term plan is to migrate to using MSI installers
instead.

Compared to OpenVPN 2.3 this is a major update with a large number of
new features, improvements and fixes. Some of the major features are
AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved
IPv4/IPv6 dual stack support and more seamless connection migration when
client's IP address changes (Peer-ID). Also, the new --tls-crypt feature
can be used to increase users' connection privacy.

OpenVPN GUI bundled with the Windows installer has a large number of new
features compared to the one bundled with OpenVPN 2.3. One of the major
features is the ability to run OpenVPN GUI without administrator privileges.

For full details, look here:

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24>

The new OpenVPN GUI features are documented here:

<https://github.com/OpenVPN/openvpn-gui>

Please note that OpenVPN 2.4 installers will not work on Windows XP.

For generic help use these support channels:

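Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net>
Forums: <https://forums.openvpn.net>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: <https://community.openvpn.net>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>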
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)


Samuli

Antonio Quartulli (1):
  mbedtls: fix segfault by calling mbedtls_cipher_free() in cipher_ctx_free()

Arne Schwabe (1):
  Remove -no-cpp-precomp flag from Darwin builds

David Sommerseth (3):
  cleanup: Remove RPM openvpn.spec build approach
  docs: Update INSTALL
  build: Package missing mock_msg.h

Gert Doering (5):
  repair windows builds (2.4)
  Increase listen() backlog queue to 32
  Force combinationation of --socks-proxy and --proto UDP to use IPv4.
  Fix IPv6 routes on tap interfaces on OpenSolaris/OpenIndiana
  preparing release v2.4.8 (ChangeLog, version.m4, Changes.rst)

Gisle Vanem (1):
  Wrong FILETYPE in .rc files

Hilko Bengen (1):
  Do not set pkcs11-helper 'safe fork mode'

Ilya Shipitsin (2):
  travis-ci: add "linux-ppc64le" to build matrix, change trusty image to xenial, update osx to xcode9.4 and modernize brew management
  travis-ci: fix osx builds

Kyle Evans (1):
  tests/t_lpback.sh: Switch sed(1) to POSIX-compatible regex.

Lev Stipakov (1):
  Fix various compiler warnings

Matthias Andree (1):
  Fix regression, reinstate LibreSSL support.

Michal Soltys (1):
  man: correct the description of --capath and --crl-verify regarding CRLs

Mykola Baibuz (1):
  Fix typo in NTLM proxy debug message

Richard Bonhomme (1):
  Ignore --pull-filter for --mode server

Rosen Penev (1):
  openssl: Fix compilation without deprecated OpenSSL 1.1 APIs

Selva Nair (3):
  Better error message when script fails due to script-security setting
  Correct the return value of cryptoapi RSA signature callbacks
  Handle PSS padding in cryptoapicert

Steffan Karger (1):
  cmocka: use relative paths

Thomas Quinot (1):
  Fix documentation of tls-verify script argument





Re: [Openvpn-users] tap-windows driver and HP Envy laptops

2019-06-10 Thread Samuli Seppänen
On 07/06/19 20:19, Selva Nair wrote:
> Hi JJK,
> 
> On Fri, Jun 7, 2019 at 11:09 AM Jan Just Keijser  wrote:
>>
>> hi all,
>>
>> in the eduVPN project we've run into a strange issue:
>> HP Envy laptops running Windows 10 have a "handy" feature to
>> automatically switch from wifi to a 'wired' adapter if one is detected.
>> The use case behind this is that if you put your laptop in a docking
>> station (with LAN) it will auto-switch to it.
>> How does this relate to OpenVPN:  when an OpenVPN connection is
>> established, the HP Envy driver gimmick detects the tap-windows device
>> as a LAN adapter and switches off wifi -regardless of whether you are on
>> a LAN or not.  Thus, "plain" OpenVPN 2.4 becomes quite hard to use on
>> these laptops.
>> Now the strange part is, that both Viscosity and NordVPN - each with
>> their own tap-win adapters do NOT have this problem.
>> So my question now is:  what could be causing this and how can we
>> resolve it.
>> The patches the Viscosity folks made to the tap-win driver for their
>> setup are in github (pull request #47, IIRC) and I don't see anything
>> truly strange in that patch.
>> The only thing that seems to be different is whether a device is
>> sporting the UI flag in the "characteristics" section.
>>
>> Does anybody have a clue how to best approach this?
> 
> One thing I've noticed is that in the driver inf file viscosity has set
> 
> characteristics = 0x1 ; NCF_VIRTUAL
> 
> It goes into the registry entries for the device node.
> 
> They don't seem to have a link to download the patched source (have to
> make a request by email -- no idea whether a paid license is also
> required), so I haven't looked for any other changes in the sources.
> Possibly you could ask for the source code and do a diff.
> 
> 
> Selva

Hi,

This is tangential, but I wonder if these "characteristics" (also) have
an effect on which HLK tests are required? Rozmansi's "Introduce TAP
adapter as a virtual device" does not touch them:

https://github.com/OpenVPN/tap-windows6/pull/84/files

That PR, as-is, did not help narrow down the scope of HLK tests.

The wintun driver has this in characteristics:

  wintun.inf:Characteristics = 0x1 ; NCF_VIRTUAL

Default tap-windows6 has

  version.m4:define([PRODUCT_TAP_WIN_CHARACTERISTICS], [0x81])

Thoughts?

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




Re: [Openvpn-users] tap-windows driver and HP Envy laptops

2019-06-10 Thread Samuli Seppänen
On 08/06/19 00:29, Selva Nair wrote:
> On Fri, Jun 7, 2019 at 4:54 PM David Sommerseth
>  wrote:
>>
>> On 07/06/2019 19:19, Selva Nair wrote:
>> [...snip...]
>>> They don't seem to have a link to download the patched source (have to
>>> make a request by email -- no idea whether a paid license is also
>>> required), so I haven't looked for any other changes in the sources.
>>> Possibly you could ask for the source code and do a diff.
>>
>> If their driver is based on tap-windows6, that driver is GPLv2 - so a paid
>> license should not be a requirement to get the sources they use for their
>> driver.  They don't have to provide the diff, they can wrap it all into a
>> "package" of a format _they_ find convenient; but with the expectation you can
>> unpack it in the end.
> 
> I was just showing my irritation at not making the patched sources "readily"
> available. Both their driver and OpenVPN.exe are based on GPLv2 sources
> and they do have a license link with an email address to contact for
> sources subject to GPL.

I've requested sources from them in the past. They did use to have a web
page with tarballs, but maybe that was just created on-demand as hinted
by this post:

https://www.sparklabs.com/forum/viewtopic.php?t=2058

> 
> Technically they could even ask for a postal address and a nominal fee for a CD
> or DVD to be sent by snail mail, but in this day and age I expect a url in plain
> sight where anyone can download the source or patches instead of having to
> send an email requesting for it.
> 

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-users] New OpenVPN 2.4.7 Windows installers released

2019-04-24 Thread Samuli Seppänen
Hi,

New OpenVPN Windows installers have been released. The release
highlights are:

- Latest openvpn-gui
- Latest openvpnserv2 (OpenVPNService)
- Latest tap-windows6 driver
  - ARM64 support
  - NDIS 6.30 support
  - other enhancements
  - fix to local privilege exploit vulnerability

The installers come in two flavors. Windows 7/8/8.1/Server 2012r2:

<https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.7-I606-Win7.exe>

Windows 10 (any version):

<https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.7-I606-Win10.exe>

We're unable to release a version for Windows Server 2016 at this point,
so you need to use the old installer:

<https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.7-I603.exe>

We're working on getting tap-windows6 to pass the HLK test suite on Windows
Server 2016. This will allow us to get a signature from Microsoft and
release an updated tap-windows6 on that platform as well. While waiting
please avoid running OpenVPN on nodes where all users are not trusted.

For further details see the download page:

<https://openvpn.net/community-downloads/>

Best regards,

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock





Re: [Openvpn-users] which google play openVPN client should I use?

2018-06-01 Thread Samuli Seppänen
On 01/06/2018 06:25, James Peng via Openvpn-users wrote:
> I found there are more than one openVPN client app on the Google Play store.
> Which one should I use?
> 
> Thanks,
> James
> 

Very healthy paranoia here :). There are two primary options:

OpenVPN Connect
- proprietary
- based on OpenVPN 3
- author is OpenVPN, Inc

OpenVPN for Android
- open source
- based on OpenVPN 2
- author is a well-known community developer

You might also find a "Unified [OpenVPN] client" or similar. That one is
also by OpenVPN Inc and will replace OpenVPN Connect in the long run.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-users] OpenVPN 2.4.6 released

2018-04-24 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4.6. It
can be downloaded from here:

<http://openvpn.net/index.php/open-source/downloads.html>

This is primarily a maintenance release with minor bugfixes and
improvements, and one security relevant fix for the Windows Interactive
Service. Windows installer includes updated OpenVPN GUI and OpenSSL. The
bundled tap-windows6 driver includes one security fix.

Please note that LibreSSL is not a supported crypto backend. We accept
patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if
newer versions of LibreSSL break API compatibility we do not take
responsibility to fix that.

Also note that Windows installers have been built with an NSIS version
that has been patched against several NSIS installer code execution and
privilege escalation problems:

<https://community.openvpn.net/openvpn/wiki/NSISBug1125>

Based on our testing, though, older Windows versions such as Windows 7
might not benefit from these fixes. We thus strongly encourage you to
always move NSIS installers to a non-user-writeable location before
running them. Our long-term plan is to migrate to using MSI installers
instead.

A summary of all included changes is available here:

<https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst>

A full list of changes is available here:

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24>

Compared to OpenVPN 2.3 this is a major update with a large number of
new features, improvements and fixes. Some of the major features are
AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved
IPv4/IPv6 dual stack support and more seamless connection migration when
client's IP address changes (Peer-ID). Also, the new --tls-crypt feature
can be used to increase users' connection privacy.

OpenVPN GUI bundled with the Windows installer has a large number of new
features compared to the one bundled with OpenVPN 2.3. One of the major
features is the ability to run OpenVPN GUI without administrator privileges.

For full details, look here:

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24>

The new OpenVPN GUI features are documented here:

<https://github.com/OpenVPN/openvpn-gui>

Please note that OpenVPN 2.4 installers will not work on Windows XP.

For generic help use these support channels:

Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net>
Forums: <https://forums.openvpn.net>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: <https://community.openvpn.net>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


David Sommerseth (1):
  management: Warn if TCP port is used without password

Gert Doering (3):
  Correct version in ChangeLog - should be 2.4.5, was mistyped as 2.4.4
  Fix potential double-free() in Interactive Service (CVE-2018-9336)
  preparing release v2.4.6 (ChangeLog, version.m4, Changes.rst)

Gert van Dijk (1):
  manpage: improve description of --status and --status-version

Joost Rijneveld (1):
  Make return code external tls key match docs

Selva Nair (3):
  Delete the IPv6 route to the "connected" network on tun close
  Management: warn about password only when the option is in use
  Avoid overflow in wakeup time computation

Simon Matter (1):
  Add missing #ifdef SSL_OP_NO_TLSv1_1/2

Steffan Karger (1):
  Check for more data in control channel





[Openvpn-users] OpenVPN 2.4.5 released

2018-03-01 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4.5. It
can be downloaded from here:

<http://openvpn.net/index.php/open-source/downloads.html>

This release includes a large number of fixes and enhancements. One of
the biggest changes is that 2.4.5 Windows installers bundle OpenSSL
1.1.0 instead of OpenSSL 1.0.2 by default. The Windows installer also
comes with OpenVPN GUI (11.10.0.0) that has a large number of fixes and
improvements. Some easy-rsa 2 fixes are also included.

Please note that LibreSSL is not a supported crypto backend. We accept
patches and we do test on OpenBSD 6.0 which comes with LibreSSL, but if
newer versions of LibreSSL break API compatibility we do not take
responsibility to fix that.

Also note that Windows installers have been built with an NSIS version
that has been patched against several NSIS installer code execution and
privilege escalation problems:

<https://community.openvpn.net/openvpn/wiki/NSISBug1125>

Based on our testing, though, older Windows versions such as Windows 7
might not benefit from these fixes. We thus strongly encourage you to
always move NSIS installers to a non-user-writeable location before
running them. Our long-term plan is to migrate to using MSI installers
instead.

A summary of all included changes is available here:

<https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst>

A full list of changes is available here:

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24>

Compared to OpenVPN 2.3 this is a major update with a large number of
new features, improvements and fixes. Some of the major features are
AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved
IPv4/IPv6 dual stack support and more seamless connection migration when
client's IP address changes (Peer-ID). Also, the new --tls-crypt feature
can be used to increase users' connection privacy.

OpenVPN GUI bundled with the Windows installer has a large number of new
features compared to the one bundled with OpenVPN 2.3. One of the major
features is the ability to run OpenVPN GUI without administrator privileges.

For full details, look here:

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24>

The new OpenVPN GUI features are documented here:

<https://github.com/OpenVPN/openvpn-gui>

Please note that OpenVPN 2.4 installers will not work on Windows XP.

For generic help use these support channels:

Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net>
Forums: <https://forums.openvpn.net>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: <https://community.openvpn.net>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

Antonio Quartulli (4):
  reload HTTP proxy credentials when moving to the next connection profile
  Allow learning iroutes with network made up of all 0s (only if netbits < 8)
  mbedtls: fix typ0 in comment
  manpage: fix simple typ0

Arne Schwabe (2):
  Treat dhcp-option DNS6 and DNS identical
  show the right string for key-direction

Bertrand Bonnefoy-Claudet (1):
  Fix typo in error message: "optione" -> "option"

David Sommerseth (8):
  lz4: Fix confused version check
  lz4: Fix broken builds when pkg-config is not present but system library is
  Remove references to keychain-mcd in Changes.rst
  lz4: Rebase compat-lz4 against upstream v1.7.5
  systemd: Add and ship README.systemd
  Update copyright to include 2018 plus company name change
  man: Add .TQ groff support macro
  man: Reword --management to prefer unix sockets over TCP

Emmanuel Deloget (1):
  OpenSSL: check EVP_PKEY key types before returning the pkey

Gert Doering (3):
  Remove warning on pushed tun-ipv6 option.
  Fix removal of on-link prefix on windows with netsh
  Preparing for release v2.4.5 (ChangeLog, version.m4, Changes.rst)

Ilya Shipitsin (2):
  travis-ci: add brew cache, remove ccache
  travis-ci: modify openssl build script to support openssl-1.1.0

James Bottomley (1):
  autoconf: Fix engine checks for openssl 1.1

Jeremie Courreges-Anglas (2):
  Cast time_t to long long in order to print it.
  Fix build with LibreSSL

Selva Nair (14):
  Check whether in pull_mode before warning about previous connection blocks
  Avoid illegal memory access when malformed data is read from the pipe
  Fix missing check for return value of malloc'd buffer
  Return NULL if GetAdaptersInfo fails
  Use RSA_meth_free instead o

Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-09 Thread Samuli Seppänen
On 09/02/2018 07:41, Илья Шипицин wrote:
> 
> 
> 2018-02-08 20:40 GMT+05:00 Selva Nair <selva.n...@gmail.com
> <mailto:selva.n...@gmail.com>>:
> 
> Hi,
> 
> On Thu, Feb 8, 2018 at 3:15 AM, Samuli Seppänen <sam...@openvpn.net
> <mailto:sam...@openvpn.net>> wrote:
> > On 07/02/2018 21:58, David Sommerseth wrote:
> >> On 07/02/18 20:32, Илья Шипицин wrote:
> >>> After auth-token were introduced, when user press "Reconnect", it leads to
> >>> auth fail (saved password is forgotten), we run about 1000 users, nobody
> >>> complains.
> >>
> >> This is actually expected, I'd say - but smells like a bug on the server side
> >> authentication.
> >>
> >> Selva may correct me if I'm wrong, but my understanding of it when clicking
> >> "Reconnect", the local OpenVPN process which caches the auth-token is stopped
> >> and a new OpenVPN process is started.  The client should in this case ask for
> >> username/password again.  So in this case, the server side should treat this
> >> connection as a fresh connection with no initial state.
> >>
> >> The step of stopping the local client and starting a new and fresh one is
> >> definitely not a bad feature to have on clients.
> >>
> >>> It looks like nobody uses that button.
> >>>
> >>> So, I asked several users, they confirmed they do not use Reconnect.
> >>
> >> This is no good argument for me.  This is one specific setup with 1000 users.
> >> It would be more valuable with 50 different setups having 20 users each.  Your
> >> conclusion is based on a very homogeneous environment.
> >
> > I agree. I also agree that the underlying problem should be fixed.
> >
> > That said, Ilya's message was sent to both openvpn-users and
> > openvpn-devel and nobody has screamed "do not remove the Reconnect
> > button" :). The only additional thing we can do is post a message to the
> > forums. As usual, the only sure way to get feedback (read: complaints)
> > is to release the changes in an official build/installer.
> 
> Only recently we added a reconnect item to the menu (earlier it was
> only available as a button in the status window) for ease of doing
> reconnects and based on user requests -- though I can't now find who
> asked for it.
> 
> 
> it is interesting.
>  
> 
> 
> I wouldn't take lack of response on the user's list as an indication
> that no one uses it. In fact it's very handy -- how else will you
> restart a connection after editing the config file? Disconnect and
> connect again? That would close the status window and lose all
> 
> 
> yes. disconnect and connect again.
> 
>  
> 
> messages in it and also takes a number of mouse clicks because of the
> way tray popup menu behaves.
> 
> Anyway the purported reason to remove it is totally bogus. It's like
> auth-token can't cope with SIGHUP, so let's remove that signal.
> 
> 
> no, that is wrong interpretation.
> I actually meant
> 
> "it is broken" --> "users do not complain" --> "users do not care" -->
> "other buttons will keep their places" --> "let us remove unused button"
>  
> 
> 
> Finally, I'm an user too and I use that button all the time, though
> mostly for testing. If that counts as a dissenting voice.
> 
> 
> 
> yes, I also meant that. it is "designed by developers for themselves" :)
> same as "edit config" menu item.
> developers need edit config all the time and reconnect. but do users do
> same things as well ?
> 
> 
> as for "edit config", I'd like to keep it. it's removal will change menu
> order, people will click at wrong items.
>  

This discussion has actually been pretty interesting in the context of
"how to get [some] VPN providers[1] to join OpenVPN-GUI development".
We'd almost certainly need the capability to easily modify the GUI
interface to suit their particular use-cases. Like removing buttons
their users don't need. At the moment we don't have anybody willing to
do such refactorings, nor any idea if any VPN provider would be
interested anyways.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

[1] This is something we discussed in the OpenVPN-GUI project
(issues/PRs?) on GitHub.



Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-08 Thread Samuli Seppänen
On 08/02/2018 10:26, Илья Шипицин wrote:
> 
> 
> 2018-02-08 13:15 GMT+05:00 Samuli Seppänen <sam...@openvpn.net
> <mailto:sam...@openvpn.net>>:
> 
> On 07/02/2018 21:58, David Sommerseth wrote:
> > On 07/02/18 20:32, Илья Шипицин wrote:
> >> After auth-token were introduced, when user press "Reconnect", it leads to
> >> auth fail (saved password is forgotten), we run about 1000 users, nobody
> >> complains.
> >
> > This is actually expected, I'd say - but smells like a bug on the server side
> > authentication.
> >
> > Selva may correct me if I'm wrong, but my understanding of it when clicking
> > "Reconnect", the local OpenVPN process which caches the auth-token is stopped
> > and a new OpenVPN process is started.  The client should in this case ask for
> > username/password again.  So in this case, the server side should treat this
> > connection as a fresh connection with no initial state.
> >
> > The step of stopping the local client and starting a new and fresh one is
> > definitely not a bad feature to have on clients.
> >
> >> It looks like nobody uses that button.
> >>
> >> So, I asked several users, they confirmed they do not use Reconnect.
> >
> > This is no good argument for me.  This is one specific setup with 1000 users.
> > It would be more valuable with 50 different setups having 20 users each.  Your
> > conclusion is based on a very homogeneous environment.
> 
> I agree. I also agree that the underlying problem should be fixed.
> 
> That said, Ilya's message was sent to both openvpn-users and
> openvpn-devel and nobody has screamed "do not remove the Reconnect
> button" :). The only additional thing we can do is post a message to the
> forums. As usual, the only sure way to get feedback (read: complaints)
> is to release the changes in an official build/installer.
> 
> 
> I suggest to do that after 2.4.5 installer.
> I'll write post on the forum. I think, even a good idea to place
> snapshot installer with new feature (i.e. button removed) to forum as well.
> 
> after feedback is received we can take it into account and act.
> 
> I also noticed nobody screaming "stop!!! do not remove that button!!!"
> 
> Samuli ?
>  

Posting a message to forums does not bind us to anything, so feel free
to do it. If even one person screams then I suspect at least hundreds of
people are actually using the button.

If we remove the button it should be because next to nobody is using it
and we want to clean up the GUI and its codebase. We should not remove
it because it does not work due to lower-level issues, which should be
fixed instead.

The problem with snapshot installers is that unless we actually merge
the button-removing code into OpenVPN GUI master, people will not use
it. And announcing the snapshot installer on the mailing lists and
forums won't reach an audience any larger than your original email has.
So just asking about this on forums is probably enough.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-users] [Openvpn-devel] "Reconnect" button in openvpn-gui

2018-02-08 Thread Samuli Seppänen
On 07/02/2018 21:58, David Sommerseth wrote:
> On 07/02/18 20:32, Илья Шипицин wrote:
>> After auth-token were introduced, when user press "Reconnect", it leads to
>> auth fail (saved password is forgotten), we run about 1000 users, nobody
>> complains.
> 
> This is actually expected, I'd say - but smells like a bug on the server side
> authentication.
> 
> Selva may correct me if I'm wrong, but my understanding of it when clicking
> "Reconnect", the local OpenVPN process which caches the auth-token is stopped
> and a new OpenVPN process is started.  The client should in this case ask for
> username/password again.  So in this case, the server side should treat this
> connection as a fresh connection with no initial state.
> 
> The step of stopping the local client and starting a new and fresh one is
> definitely not a bad feature to have on clients.
> 
>> It looks like nobody uses that button.
>>
>> So, I asked several users, they confirmed they do not use Reconnect.
> 
> This is no good argument for me.  This is one specific setup with 1000 users.
> It would be more valuable with 50 different setups having 20 users each.  Your
> conclusion is based on a very homogeneous environment.

I agree. I also agree that the underlying problem should be fixed.

That said, Ilya's message was sent to both openvpn-users and
openvpn-devel and nobody has screamed "do not remove the Reconnect
button" :). The only additional thing we can do is post a message to the
forums. As usual, the only sure way to get feedback (read: complaints)
is to release the changes in an official build/installer.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock





Re: [Openvpn-users] test latest binary on vista

2018-01-30 Thread Samuli Seppänen
Hi,

On 29/01/2018 20:09, Selva Nair wrote:
> (Cross posting to users and devel)
> 
> Hi,
> 
> 2.4.x needs to support, Vista, isn't it?

Good question, and we have discussed it in the past. Windows Vista is no
longer supported by Microsoft:

<https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet>

But then again, we do provide installers which work on Windows XP, which
is similarly EOL. So I guess we do support Windows Vista for the time being.

> 
> Can anyone please latest 2.4 release branch on Windows Vista using an
> RSA certificate in Windows cert store (using --cryptoapicert option) ?
> 
> Need to be built with openssl 1.1. Not sure the snapshots are built that way..
> https://build.openvpn.net/downloads/snapshots/

Not yet. I will switch snapshot builds to OpenSSL 1.1 once
openvpn-build's openvpn.nsi stops failing on OpenSSL 1.1 libraries
(names have changed). A PR is pending but it still needs one minor fix.

> The recent changes to cryptoapi uses CNG api which is supposedly
> supported on Vista but some testing would be useful. I no longer have
> access to a Vista machine.
> 
> Thanks,
> 
> Selva
> 



-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-users] OpenVPN LDAP Authentication

2018-01-15 Thread Samuli Seppänen
Hi,

On 12/01/2018 10:44, eisenmad wrote:
> Hello,
> 
> I have some problems, probably very easy ones but I am total new to this
> kind of implementation.
> 
> I have to configure an OpenVPN Server on a Raspberry Pi that
> authenticates against LDAP. I have a little experience with an OpenVPN
> Server that don't use LDAP. I installed openvpn-auth-ldap and edited
> auth-ldap.conf.
> 
> <LDAP>
>     # LDAP server URL
>     URL ldap://ldap.jumpcloud.com:636
> 
>     # Bind DN (If your LDAP server doesn't support anonymous binds)
>     # BindDN uid=Manager,ou=People,dc=example,dc=com
> 
>     # Bind Password
>     # Password  SecretPassword
> 
>     # Network timeout (in seconds)
>     Timeout 15
> 
>     # Enable Start TLS
>     TLSEnable   yes
> 
>     # Follow LDAP Referrals (anonymously)
>     FollowReferrals yes
> 
>     # TLS CA Certificate File
>     TLSCACertFile   /usr/local/etc/ssl/ca.pem
> 
>     # TLS CA Certificate Directory
>     TLSCACertDir    /etc/ssl/certs
> 
>     # Client Certificate and key
>     # If TLS client authentication is required
>     TLSCertFile /usr/local/etc/ssl/client-cert.pem
>     TLSKeyFile  /usr/local/etc/ssl/client-key.pem
> 
>     # Cipher Suite
>     # The defaults are usually fine here
>     # TLSCipherSuite    ALL:!ADH:@STRENGTH
> </LDAP>
> 
> <Authorization>
>     # Base DN
>     BaseDN "o=BaseDN_I_got_from_the_LDAP_admin,dc=jumpcloud,dc=com"
> 
>     # User Search Filter
>     #SearchFilter   "(&(uid=%u)(accountStatus=active))"
>     SearchFilter    "(&(uid=%u))"
> 
>     # Require Group Membership
>     RequireGroup    false
> 
>     # Add non-group members to a PF table (disabled)
>     #PFTable    ips_vpn_users
> 
>     <Group>
>     BaseDN  "ou=Groups,dc=example,dc=com"
>     SearchFilter    "(|(cn=developers)(cn=artists))"
>     MemberAttribute uniqueMember
>     # Add group members to a PF table (disabled)
>     #PFTable    ips_vpn_eng
>     </Group>
> </Authorization>
> 
> My OpenVPN server.conf is:
> 
> port 1194
> proto udp
> dev tun
> sndbuf 0
> rcvbuf 0
> ca ca.crt
> cert server.crt
> key server.key
> dh dh.pem
> auth SHA512
> tls-auth ta.key 0
> topology subnet
> server 10.8.0.0 255.255.255.0
> ifconfig-pool-persist ipp.txt
> push "redirect-gateway def1 bypass-dhcp"
> push "dhcp-option DNS 192.168.0.1"
> keepalive 10 120
> cipher AES-256-CBC
> comp-lzo
> user nobody
> group nogroup
> persist-key
> persist-tun
> status openvpn-status.log
> verb 3
> crl-verify crl.pem
> plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf login
> client-cert-not-required
> 
> I copied my client.ovpn and the ca.crt from the OpenVPN Server to my
> Windows 10 machine and installed OpenVPN-Gui. Now a connection to the
> vpn server is working and I could login in the network. Now I have the
> following questions:
> 
> I could login but I didn't have to pass my LDAP user und password for
> login. The jumpcloud admin made a test account for me. How to validate
> this?
> 
> And is it normal that you could login without any user and password? All
> I did was copying the client.ovpn and ca.crt to the config folder of
> OpenVPN-Gui.
> 
> Thanks for help and greetings
> 

By "login" you mean connect to the VPN?

The man-page is a bit ambiguous regarding --client-cert-not-required and
its successor, --verify-client-cert. My hunch is that your client.ovpn
contains a client certificate and private key, possibly embedded into
the config file. Is this correct?

If yes, I think OpenVPN is using/accepting the key/cert instead of
actually enforcing LDAP auth. My OpenVPN clients which authenticate
against LDAP only have the tls-auth key and the CA certificate in their
configs, coupled with the auth-user-pass option.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
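
The checks discussed in this thread, as an added example (not part of the original messages and not OpenVPN project code): a small Python linter that reads a server config and a client config and reports which client credentials each side is set up for. The sample configs, the host name vpn.example.com and all function names are constructed for illustration.

```python
import re

# Opening tag of an inline file block in an OpenVPN config, e.g. <cert>.
INLINE_OPEN = re.compile(r"^<([a-z0-9-]+)>$")


def parse_directives(text):
    """Return ({directive: [args, ...]}, {inline block names}) for config text."""
    directives, inline, inside = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if inside:                        # skip inline file content (PEM data)
            if line == "</%s>" % inside:
                inside = None
            continue
        if not line or line[0] in "#;":   # blank line or comment
            continue
        m = INLINE_OPEN.match(line)
        if m:
            inside = m.group(1)
            inline.add(inside)
            continue
        parts = line.split()
        directives.setdefault(parts[0].lstrip("-"), []).append(parts[1:])
    return directives, inline


def server_view(text):
    """What the server config demands from a connecting client."""
    d, _ = parse_directives(text)
    mode = "require"                      # default: client certificate required
    if "client-cert-not-required" in d:   # deprecated spelling of 'none'
        mode = "none"
    for args in d.get("verify-client-cert", []):
        if args:
            mode = args[0]                # none | optional | require
    return {
        "client_cert": mode,
        "userpass_hook": "plugin" in d or "auth-user-pass-verify" in d,
        # A "directive" that starts with a path is usually a wrapped line.
        "stray": sorted(name for name in d if name.startswith("/")),
    }


def client_view(text):
    """Which credentials the client config is set up to present."""
    d, inline = parse_directives(text)

    def has(name):
        return name in d or name in inline

    return {
        "sends_cert": (has("cert") and has("key")) or has("pkcs12")
                      or "cryptoapicert" in d,
        "sends_userpass": "auth-user-pass" in d,
    }


def findings(server_text, client_text):
    s, c = server_view(server_text), client_view(client_text)
    out = []
    if s["stray"]:
        out.append("server: not a directive (wrapped 'plugin' line?): "
                   + ", ".join(s["stray"]))
    if s["client_cert"] != "require" and not s["userpass_hook"]:
        out.append("server: no client certificate required and no "
                   "username/password hook configured")
    if s["userpass_hook"] and not c["sends_userpass"]:
        out.append("client: no auth-user-pass, so it is not set up to prompt "
                   "for or send a username/password")
    if s["client_cert"] == "none" and c["sends_cert"]:
        out.append("client: carries a certificate/key although the server "
                   "does not ask for one")
    return out


# Constructed sample inputs, modelled on the configs quoted in the thread.
SERVER = """
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf login
client-cert-not-required
"""
SERVER_WRAPPED = SERVER.replace(".so /etc", ".so\n/etc")
CLIENT_COMMON = "client\ndev tun\nproto udp\nremote vpn.example.com 1194\n"
CLIENT_WITH_CERT = CLIENT_COMMON + ("<ca>\n(placeholder)\n</ca>\n"
                                    "<cert>\n(placeholder)\n</cert>\n"
                                    "<key>\n(placeholder)\n</key>\n")
CLIENT_LDAP_ONLY = CLIENT_COMMON + "ca ca.crt\ntls-auth ta.key 1\nauth-user-pass\n"

if __name__ == "__main__":
    for name, client in (("with cert", CLIENT_WITH_CERT),
                         ("LDAP only", CLIENT_LDAP_ONLY)):
        print(name, findings(SERVER, client) or "no findings")
```

The parser splits on whitespace and ignores quoting, which is enough for the directives checked here but not for a general OpenVPN config parser.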



[Openvpn-users] OpenVPN 2.3.18 released (with security fixes)

2017-09-26 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.3.18.
It can be downloaded from here:

<http://openvpn.net/index.php/open-source/downloads.html>

This release has an important security fix for legacy setups that may
still be using key-method 1:

<https://community.openvpn.net/openvpn/wiki/CVE-2017-12166>

As that option was deprecated 12 years ago we estimate that not many
production setups are affected in practice.

In addition, Windows installers have been built with an NSIS version that
has been patched against several NSIS installer code execution and
privilege escalation problems:

<https://community.openvpn.net/openvpn/wiki/NSISBug1125>

Based on our testing, though, older Windows versions such as Windows 7
might not benefit from these fixes. We thus strongly encourage you to
always move NSIS installers to a non-user-writeable location before
running them. Our long-term plan is to migrate to using MSI installers
instead.

A summary of the changes is available here:

<https://github.com/OpenVPN/openvpn/blob/release/2.3/Changes.rst>

A full list of changes is available here:

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23>

For generic help use these support channels:

Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net>
Forums: <https://forums.openvpn.net>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: <https://community.openvpn.net>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock







[Openvpn-users] OpenVPN 2.4.4 released (with security fixes)

2017-09-26 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4.4. It
can be downloaded from here:

<http://openvpn.net/index.php/open-source/downloads.html>

This release includes a large number of small fixes and enhancements.
There is also an important security fix for legacy setups that may still
be using key-method 1:

<https://community.openvpn.net/openvpn/wiki/CVE-2017-12166>

As that option was deprecated 12 years ago we estimate that not many
production setups are affected in practice.

In addition, Windows installers have been built with an NSIS version that
has been patched against several NSIS installer code execution and
privilege escalation problems:

<https://community.openvpn.net/openvpn/wiki/NSISBug1125>

Based on our testing, though, older Windows versions such as Windows 7
might not benefit from these fixes. We thus strongly encourage you to
always move NSIS installers to a non-user-writeable location before
running them. Our long-term plan is to migrate to using MSI installers
instead.

Windows installer I601 includes updated OpenVPN GUI (11.9.0.0) and
easy-rsa (2.3.2). Note that OpenVPN's bin directory is no longer added
to system PATH. While most users will be unaffected by this change, you
should have a look at vars.bat.sample if you are migrating an old
easy-rsa CA to a new easy-rsa installation.

A summary of all included changes is available here:

<https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst>

A full list of changes is available here:

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24>

Compared to OpenVPN 2.3 this is a major update with a large number of
new features, improvements and fixes. Some of the major features are
AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved
IPv4/IPv6 dual stack support and more seamless connection migration when
client's IP address changes (Peer-ID). Also, the new --tls-crypt feature
can be used to increase users' connection privacy.

OpenVPN GUI bundled with the Windows installer has a large number of new
features compared to the one bundled with OpenVPN 2.3. One of the major
features is the ability to run OpenVPN GUI without administrator privileges.

For full details, look here:

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24>

The new OpenVPN GUI features are documented here:

<https://github.com/OpenVPN/openvpn-gui>

Please note that OpenVPN 2.4 installers will not work on Windows XP.

For generic help use these support channels:

Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net>
Forums: <https://forums.openvpn.net>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: <https://community.openvpn.net>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock







[Openvpn-users] OpenVPN 2.4.4 released (with security fixes)

2017-09-26 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4.4. It
can be downloaded from here:

<http://openvpn.net/index.php/open-source/downloads.html>

This release includes a large number of small fixes and enhancements.
There is also an important security fix for legacy setups that may still
be using key-method 1:

<https://community.openvpn.net/openvpn/wiki/CVE-2017-12166>

As that option was deprecated 12 years ago we estimate that not many
production setups are affected in practice.

In addition, Windows installers have been built with an NSIS version that
has been patched against several NSIS installer code execution and
privilege escalation problems:

<https://community.openvpn.net/openvpn/wiki/NSISBug1125>

Based on our testing, though, older Windows versions such as Windows 7
might not benefit from these fixes. We thus strongly encourage you to
always move NSIS installers to a non-user-writeable location before
running them. Our long-term plan is to migrate to using MSI installers
instead.

Windows installer I601 includes updated OpenVPN GUI (11.9.0.0) and
easy-rsa (2.3.2). Note that OpenVPN's bin directory is no longer added
to system PATH. While most users will be unaffected by this change, you
should have a look at vars.bat.sample if you are migrating an old
easy-rsa CA to a new easy-rsa installation.

A summary of all included changes is available here:

<https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst>

A full list of changes is available here:

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24>

Compared to OpenVPN 2.3 this is a major update with a large number of
new features, improvements and fixes. Some of the major features are
AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved
IPv4/IPv6 dual stack support and more seamless connection migration when
client's IP address changes (Peer-ID). Also, the new --tls-crypt feature
can be used to increase users' connection privacy.

OpenVPN GUI bundled with the Windows installer has a large number of new
features compared to the one bundled with OpenVPN 2.3. One of the major
features is the ability to run OpenVPN GUI without administrator privileges.

For full details, look here:

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24>

The new OpenVPN GUI features are documented here:

<https://github.com/OpenVPN/openvpn-gui>

Please note that OpenVPN 2.4 installers will not work on Windows XP.

For generic help use these support channels:

Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net>
Forums: <https://forums.openvpn.net>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: <https://community.openvpn.net>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock








Re: [Openvpn-users] VirusTotal openvpn-install-2.4.3-I602.exe

2017-09-05 Thread Samuli Seppänen
On 05/09/2017 16:15, Илья Шипицин wrote:
> 
> 
> 2017-09-05 18:02 GMT+05:00 Samuli Seppänen <sam...@openvpn.net>:
> 
> On 05/09/2017 14:30, Илья Шипицин wrote:
> >
> > 2017-09-05 12:15 GMT+05:00 Samuli Seppänen <sam...@openvpn.net>:
> >
> >     On 04/09/2017 16:32, Igor Bozovic wrote:
> >     > Hello,
> >     >
> >     > I downloaded openvpn-install-2.4.3-I602.exe from
> >     > https://openvpn.net/index.php/open-source/downloads.html and uploaded
> >     > the file to https://www.virustotal.com.
> >     >
> >     > Baidu and TrendMicro-HouseCall reported a virus:
> >     > https://www.virustotal.com/#/file/f722ff1d187951c4e7454e2d845ba6d0d43d505112e073fa60b67b350fd6bc87/detection
> >     >
> >     > I used gpg to check the file integrity:
> >     >
> >     > gpg -v --verify openvpn-install-2.4.3-I602.exe.asc
> >     > gpg: armor header: Version: GnuPG v1
> >     > gpg: assuming signed data in `openvpn-install-2.4.3-I602.exe'
> >     > gpg: Signature made петак, 14. јул 2017. (this means Friday, 14th July)
> >     > 15:28:49 CEST using RSA key ID 8CC2B034
> >     > gpg: using subkey 8CC2B034 instead of primary key 2F2B01E7
> >     > gpg: using PGP trust model
> >     > gpg: Good signature from "OpenVPN - Security Mailing List
> >     > <secur...@openvpn.net>"
> >     > gpg: WARNING: This key is not certified with a trusted signature!
> >     > gpg:  There is no indication that the signature belongs to the
> >     > owner.
> >     > Primary key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
> >     >  Subkey fingerprint: B596 06E2 D8C6 E10B 80BE  2B31 D72A F344 8CC2 B034
> >     > gpg: binary signature, digest algorithm SHA1
> >     >
> >     > I assume it's a false positive, but I would appreciate if you could
> >     > confirm this. I guess that the exe file could be infected at compile time.
> >
> >
> > recently we (I work in private company in Russia) were contacted by
> > GlobalSign CA, they want to sell us digital certificates.
> >
> > they state that if we will buy EV codesign cert, so SmartScreen filter
> > will automatically "whitelist" our software.
> >
> > @mattock, am I right, openvpn binaries are signed with codesign EV already ?
> >  
> 
> No. Only the tap-windows6 driver has been signed with an EV certificate.
> Everything else has been signed with a "normal" AuthentiCode
> certificate.
> 
> In our case EV signing is done with a special dongle. The dongle
> integrates with Windows Certificate Store, but I've been told that it
> has a built-in failure counter. Afaik if the fail count exceed the
> dongle will be bricked, or at least disabled,. As such, the dongle is
> not particularly well suited for automation like that used in
> openvpn-build.
> 
> 
> well, I hope that we will issue codesign EV for ourselves, I will test
> it with whitelisting and tell you
>  

Great, thanks!

Samuli



Re: [Openvpn-users] VirusTotal openvpn-install-2.4.3-I602.exe

2017-09-05 Thread Samuli Seppänen
On 04/09/2017 16:32, Igor Bozovic wrote:
> Hello,
> 
> I downloaded openvpn-install-2.4.3-I602.exe from
> https://openvpn.net/index.php/open-source/downloads.html and uploaded
> the file to https://www.virustotal.com.
> 
> Baidu and TrendMicro-HouseCall reported a virus:
> https://www.virustotal.com/#/file/f722ff1d187951c4e7454e2d845ba6d0d43d505112e073fa60b67b350fd6bc87/detection
> 
> I used gpg to check the file integrity:
> 
> 
> gpg -v --verify openvpn-install-2.4.3-I602.exe.asc
> gpg: armor header: Version: GnuPG v1
> gpg: assuming signed data in `openvpn-install-2.4.3-I602.exe'
> gpg: Signature made петак, 14. јул 2017. (this means Friday, 14th July)
> 15:28:49 CEST using RSA key ID 8CC2B034
> gpg: using subkey 8CC2B034 instead of primary key 2F2B01E7
> gpg: using PGP trust model
> gpg: Good signature from "OpenVPN - Security Mailing List
> <secur...@openvpn.net>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:  There is no indication that the signature belongs to the
> owner.
> Primary key fingerprint: F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7
>  Subkey fingerprint: B596 06E2 D8C6 E10B 80BE  2B31 D72A F344 8CC2 B034
> gpg: binary signature, digest algorithm SHA1
> 
> 
> I assume it's a false positive, but I would appreciate if you could
> confirm this. I guess that the exe file could be infected at compile time.
> 
> Many thanks,
> 
> Igor Božović
> 

Hi,

Almost every installer of ours triggers one or two of the virus scanners
at VirusTotal. If the installer were really infected, I'm sure that
our users' personal virus scanners would also start showing red, and we
would get more than one report (that is, yours).

So yes, this is certainly yet another false positive.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
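
The gpg output quoted above reports a good signature but also warns that the key is not certified, so the result only means something once the signing key's fingerprint is compared with one obtained out of band. The following is an added example, not part of the thread or of OpenVPN's tooling: it makes that decision from gpg's machine-readable `--status-fd` output. The status lines are a constructed sample, the user ID address is a placeholder, and the pinned value is the primary key fingerprint printed in the quoted output.

```python
import re

# Primary key fingerprint exactly as printed in the gpg output quoted above.
# Assumption: it has been compared with a copy obtained out of band before
# being pinned here.
PINNED_PRIMARY_FPR = "F554 A368 7412 CFFE BDEF  E0A3 12F5 F7B4 2F2B 01E7"

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4) worth flagging.
WEAK_HASH_ALGOS = {1: "MD5", 2: "SHA1"}

# Status keywords that mean gpg itself did not accept the signature.
REJECTED = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

PREFIX = "[GNUPG:] "

# Constructed sample of the status lines that
#   gpg --status-fd 1 --verify openvpn-install-2.4.3-I602.exe.asc
# would emit for the signature shown in the thread.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D72AF3448CC2B034 OpenVPN - Security Mailing List <placeholder@example.invalid>
[GNUPG:] VALIDSIG B59606E2D8C6E10B80BE2B31D72AF3448CC2B034 2017-07-14 1500038929 0 4 0 1 2 00 F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def normalize_fpr(fpr):
    """Strip whitespace and upper-case a fingerprint for comparison."""
    return re.sub(r"\s+", "", fpr).upper()


def evaluate(status_text, pinned_fpr=PINNED_PRIMARY_FPR):
    """Return (accepted, findings) for the status output of one verification.

    accepted is True only if gpg reported a good signature AND the primary
    key that made it matches the pinned fingerprint.
    """
    findings = []
    goodsig = False
    primary_fprs = []

    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue
        keyword, _, rest = line[len(PREFIX):].partition(" ")
        args = rest.split()

        if keyword in REJECTED:
            return False, [f"{keyword}: gpg did not accept the signature"]
        if keyword == "GOODSIG":
            goodsig = True
        elif keyword == "VALIDSIG" and len(args) >= 9:
            # args: fpr, date, timestamp, expiry, version, reserved,
            #       pubkey algo, hash algo, sig class, [primary key fpr]
            primary_fprs.append(normalize_fpr(args[9] if len(args) > 9 else args[0]))
            hash_algo = int(args[7])
            if hash_algo in WEAK_HASH_ALGOS:
                findings.append(f"signature uses weak digest {WEAK_HASH_ALGOS[hash_algo]}")
        elif keyword in ("TRUST_UNDEFINED", "TRUST_NEVER"):
            # Same condition as the "not certified" warning in the thread.
            findings.append("key not certified in local keyring; relying on pinned fingerprint")

    if not goodsig or len(primary_fprs) != 1:
        findings.append("expected exactly one valid signature")
        return False, findings
    if primary_fprs[0] != normalize_fpr(pinned_fpr):
        findings.append("signing key does not match the pinned fingerprint")
        return False, findings
    return True, findings


if __name__ == "__main__":
    accepted, notes = evaluate(SAMPLE_STATUS)
    print("accepted" if accepted else "rejected")
    for note in notes:
        print(" -", note)
```

A match here says the file was signed by the pinned key; it says nothing about why an antivirus engine flagged the file.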



[Openvpn-users] Pulling the plug on old swupdate apt repositories on 7th August

2017-07-31 Thread Samuli Seppänen
Hi all,

The new apt repositories on build.openvpn.net have been in production
for about a year now.

I will thus pull the plug on the old swupdate.openvpn.org repositories
the upcoming Monday (7th August).

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-users] New 2.4.3 Windows installer with a security fix and improvements now available

2017-07-25 Thread Samuli Seppänen
Hi all,

An updated 2.4 Windows installer is now available here:

<https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.3-I602.exe>

This installer includes updated OpenVPN GUI (11.8.0.0) and easy-rsa (2.3.0).

The installer also fixes a security vulnerability in the service
installation code:

<https://community.openvpn.net/openvpn/wiki/UnquotedServicePathIn24WindowsInstallers>

Systems where the C:\ drive is writable by limited users and which have
OpenVPN 2.4 installed are affected. Users of such systems should upgrade
to openvpn-install-2.4.3-I602.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
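
The announcement above concerns a service registered with an unquoted path. As an added example (not OpenVPN's code and not the installer's fix), the audit below flags unquoted `ImagePath` values that contain spaces and lists the folders whose write permissions then matter. The service names and paths are constructed samples; on a real system the values would be read from each service's `ImagePath` under `HKLM\SYSTEM\CurrentControlSet\Services`.

```python
import ntpath
import re

# Constructed sample: service name -> ImagePath value. None of these are
# real OpenVPN paths.
SAMPLE_SERVICES = {
    "ExampleVpnService": r"C:\Program Files\Example VPN\bin\examplesvc.exe",
    "ExampleVpnQuoted": r'"C:\Program Files\Example VPN\bin\examplesvc.exe" --service',
    "ExampleNoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "ExampleArgsOnly": r"C:\Tools\agent.exe --config C:\My Data\agent.conf",
}

# Heuristic: the executable ends at the first ".exe" followed by a space or
# the end of the value; everything after it is arguments.
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


def executable_part(image_path):
    """Return (executable_path, quoted) for one ImagePath value."""
    value = image_path.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return (value[1:end] if end != -1 else value[1:]), True
    match = EXE_RE.match(value)
    return (match.group(1) if match else value.split(" ", 1)[0]), False


def directories_to_lock_down(exe_path):
    """Folders that must not be writable by limited users.

    With an unquoted path, Windows may treat the text before any space as
    the program name, so the folder holding each such prefix matters.
    """
    dirs = []
    for index, char in enumerate(exe_path):
        if char == " ":
            parent = ntpath.dirname(exe_path[:index])
            if parent and parent not in dirs:
                dirs.append(parent)
    return dirs


def audit(services):
    """Map each affected service name to the folders to check."""
    findings = {}
    for name, image_path in services.items():
        exe_path, quoted = executable_part(image_path)
        if not quoted and " " in exe_path:
            findings[name] = directories_to_lock_down(exe_path)
    return findings


if __name__ == "__main__":
    for name, folders in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces; check write access on:")
        for folder in folders:
            print("   ", folder)
```

Spaces that appear only in the arguments, as in `ExampleArgsOnly`, are not flagged, because the executable part itself has none.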



Re: [Openvpn-users] Motion to elect Samuli to be the official maintainer of OpenVPN at Debian

2017-06-23 Thread Samuli Seppänen
Hi,

>>> 2. there is no need to fetch updates from a separate repository
>>> outside of Debian ones. Users can just install backported version
>>> from Debian backport-repository.
>>
>> The Debian backports repository brings with it lots of "other stuff" 
>> besides OpenVPN. People would need to set the "Pin-Priority"
>> correctly to avoid accidentally upgrading more than what they want.
> 
> Not quite, the backports repo is marked "NotAutomatic", so it should not
> pull in new versions unconditionally.
> 
> Bernhard
> 

Hi Bernhard,

I stand corrected. In the distant past when I used backports last I
recall pinning was required.

Samuli




Re: [Openvpn-users] [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-22 Thread Samuli Seppänen
am repo
   - Must ensure that what is pushed is the bare minimum
3) Building and testing Debian packages
4) Building and testing Windows installers
5) Playing with CloudFlare caches

Producing release announcements (1) from a template would help quite a
bit actually, as the announcements are generally very similar to each
other. This script could potentially be public.

Parts of 2) have been automated by my release script, but there is still
room for improvement. This also could potentially be public.

Debian package (3) building generally goes smoothly, but there are
occasional hiccups when something has changed somewhere (e.g. OpenVPN or
the underlying OS). Plus building tons of packages simply takes a lot of
time. This is already public, but could be automated further.

Windows installer building (4) is fairly straightforward and testing has
been automated using openvpn-windows-test (see GitHub). Still several
different versions have to be built atm:

- 2.4.x combined (32/64-bit) installer for Vista+
- 2.3.x installers (32/64-bit) for Vista+
- 2.3.x installers (32/64-bit) for XP

Building and testing these takes a lot of time and care. All the scripts
are public already, but further automation is possible.

CloudFlare (5) cache clearing could probably be automated fairly easily.
A separate Python script, for example, could be used. If this part is
made generic enough it could be made public.

> - We need to write down a proper check-list of all the steps needed
>   for a release, including putting a clear responsibility for each
>   release.  This list must also mention which scripts to be run.  Again,
>   automation is key to reduce the risk for errors.

We have a pretty thorough internal checklist in JIRA.

> - Consider how many who really needs to be involved in producing a
>   release.  More chefs in a kitchen can result in great food, but it can
>   also end up quite messy.

Agreed.

Many of the tasks in the JIRA ticket do not require any special access
to OpenVPN Technologies internal services (CloudFlare) or servers
(download/build/management servers). So those tasks could potentially be
handled by community developers. But would that make sense? Would it not
be easier to handle the entire release process from one point and just
ensure that the process can be replicated by more than one person (an
employee)?

What we could do is split the release into logical single-purpose steps
each of which is handled by a separate script. The scripts which would
not need access to OpenVPN Tech servers or CloudFlare could then be
published on GitHub. Or, if the scripts are generic enough they could
(potentially) be used by others by simply modifying a configuration file
or command-line options.

I've done this for some of the larger scripts I use for releases:

- openvpn-windows-test (the Powershell test suite)
- sbuild_wrapper (used to produce Debian packages)

> - At the same time, ensure we don't end up in a "single point of
>   failure".  More of us core developers need to be able to step in for
>   others, and still be able to produce a release without errors.  This
>   can be the end result if we have proper scripts, both for automated
>   and manual tasks.

I think you are the best fit for the role :). You have a good
understanding of the release process and have or can be granted the
access that is needed to handle all the release steps.

> My intention with these points are primarily "food for thought".  I
> don't fully believe it will be easy to have a well structured debate
> about the complete release process in a mailing list thread.
> 
> So I suggest we take a few weeks holiday, let this sink in, and then we
> can schedule a meeting some time in August where we discuss these
> issues.  And lets hope we don't need to rush yet another release before
> August :)
> 
> 

Makes sense.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-users] OpenVPN 2.3.17 released (with security fixes)

2017-06-21 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.3.17.
It can be downloaded from here:

<http://openvpn.net/index.php/open-source/downloads.html>

OpenVPN v2.4.2 was analyzed closely using a fuzzer by Guido Vranken. In
the process several vulnerabilities were found, some of which are
remotely exploitable in certain circumstances. Most of these issues also
affect OpenVPN 2.3.16 and earlier. We recommend you to upgrade to
OpenVPN 2.4.3 or 2.3.17 as soon as possible. More details are available
in our official security announcement:

<https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243>

A summary of the changes is available here:

<https://github.com/OpenVPN/openvpn/blob/release/2.3/Changes.rst>

A full list of changes is available here:

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23>

For generic help use these support channels:

Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net>
Forums: <https://forums.openvpn.net>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: <https://community.openvpn.net>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-users] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4.3. It
can be downloaded from here:

<http://openvpn.net/index.php/open-source/downloads.html>

OpenVPN v2.4.2 was analyzed closely using a fuzzer by Guido Vranken. In
the process several vulnerabilities were found, some of which are
remotely exploitable in certain circumstances. We recommend you to
upgrade to OpenVPN 2.4.3 or 2.3.17 as soon as possible. More details are
available in our official security announcement:

<https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243>

In addition a number of bugs with no security impact have been fixed.
The one big feature in the 2.4.3 release is support for building with
OpenSSL 1.1.

A summary of all included changes is available here:

<https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst>

A full list of changes is available here:

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24>

Compared to OpenVPN 2.3 this is a major update with a large number of
new features, improvements and fixes. Some of the major features are
AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved
IPv4/IPv6 dual stack support and more seamless connection migration when
client's IP address changes (Peer-ID). Also, the new --tls-crypt feature
can be used to increase users' connection privacy.

OpenVPN GUI bundled with the Windows installer has a large number of new
features compared to the one bundled with OpenVPN 2.3. One of the major
features is the ability to run OpenVPN GUI without administrator privileges.

For full details, look here:

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24>

The new OpenVPN GUI features are documented here:

<https://github.com/OpenVPN/openvpn-gui>

Please note that OpenVPN 2.4 installers will not work on Windows XP.

For generic help use these support channels:

Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net>
Forums: <https://forums.openvpn.net>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: <https://community.openvpn.net>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock






Re: [Openvpn-users] Motion to elect Samuli to be the official maintainer of OpenVPN at Debian

2017-06-20 Thread Samuli Seppänen
Hi,

Thanks for nominating me :).

On 20/06/2017 18:40, Javier Santos wrote:
> June 20, 2017
> 
> Hi guys,
> 
> Our friend, Samuli, has been creating .deb files of the latest version of 
> OpenVPN (Community Edition) for quite some time.
> 
> I proposed that Samuli be the official maintainer of said software for 
> Debian. Debian users benefit because:
> 
> 1. updates are available on the same day that the Windows version is posted 
> for download. There is a significant time gap between the version created by 
> Samuli and the one that is available on Debian's backport-repository. As an 
> example look at the time when Samuli made the latest version of OpenVPN 
> available and compare it with the time that the backported version of Debian 
> Jessie is made available by its official maintainer.

Our OpenVPN packages don't have to conform to Debian's packaging
policies. That is part of the reason why we can publish new Debian
packages at OpenVPN release time. Having Debian "in the middle" would in
all likelihood make OpenVPN releases more time-consuming and tricky to
organize.

> 
> 2. there is no need to fetch updates from a separate repository outside of 
> Debian ones. Users can just install backported version from Debian 
> backport-repository.

The Debian backports repository brings with it lots of "other stuff"
besides OpenVPN. People would need to set the "Pin-Priority" correctly
to avoid accidentally upgrading more than what they want. Further
details on pinning (also applicable to Debian):

<https://help.ubuntu.com/community/PinningHowto>

When people add our (=OpenVPN project's) apt repository they get just
what they want: up-to-date OpenVPN packages. Moreover, they can choose
which version they want to have:

- stable
- testing (includes alpha/beta/rc releases)
- release/2.3
- release/2.4

These repositories serve different use-cases. So having a completely
separate repository actually makes sense.

> 
> Kindly reply to this email if you support this motion.
> 
> Thanks.
> 
> Javier
> 


-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




Re: [Openvpn-users] Request 2.4.2-openvpn .deb package that is compatible with Debian Stretch

2017-06-19 Thread Samuli Seppänen
On 19/06/2017 14:43, Javier Santos wrote:
>> Sent: Monday, June 19, 2017 at 4:48 PM
>> From: "Samuli Seppänen" <sam...@openvpn.net>
>> To: "Gert Doering" <g...@greenie.muc.de>, "Javier Santos" 
>> <u7u...@groupmail.com>
>> Cc: openvpn-users@lists.sourceforge.net
>> Subject: Re: [Openvpn-users] Request 2.4.2-openvpn .deb package that is 
>> compatible with Debian Stretch
>> On 18/06/2017 21:56, Gert Doering wrote:
>>
>> I will try to get Stretch support for the next OpenVPN releases. If
>> there are no surprises then that should be doable. What I'll do is
>> replace the "libssl1.0.0" dependency with "libssl1.0.2" and remove the
>> "initscripts" dependency altogether.
> 
> Thanks, Samuli, for your offer of help.
> 
> When is the next OpenVPN release coming out? Any dates?
> 
> Regards
> 
> Javier
> 

Yes, we will make a release on Wednesday.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




Re: [Openvpn-users] Request 2.4.2-openvpn .deb package that is compatible with Debian Stretch

2017-06-19 Thread Samuli Seppänen
On 18/06/2017 21:56, Gert Doering wrote:
> Hi,
> 
> On Sun, Jun 18, 2017 at 04:46:58PM +0200, Javier Santos wrote:
>> Debian Stretch has just been released and we would appreciate it if you 
>> could create compatible .deb packages for the OS.
> 
> What does Stretch ship with?  It *should* come with openvpn 2.4...
> 
> (Of course it makes sense to have Stretch-compatible .deb for future 
> releases which are not going to be available out of the box right away)
> 
> gert
> 

Hi,

We've actually had this problem with the latest Ubuntu non-LTS releases,
where initscripts have been completely replaced with systemd. However,
we only want to support LTS releases, as the non-LTS releases generally
have a fairly up-to-date OpenVPN anyways.

I will try to get Stretch support for the next OpenVPN releases. If
there are no surprises then that should be doable. What I'll do is
replace the "libssl1.0.0" dependency with "libssl1.0.2" and remove the
"initscripts" dependency altogether.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




Re: [Openvpn-users] automatically restart openvpn

2017-05-31 Thread Samuli Seppänen
On 31/05/2017 19:50, Xen wrote:
> David Sommerseth schreef op 31-05-2017 18:28:
>> On 31/05/17 17:05, Xen wrote:
>>> Riccardo Paolo Bestetti schreef op 31-05-2017 16:01:
>>>> It's not OpenVPN you should configure, but your Operating System.
>>>> You should refer to its documentation or its relevant mailing list.
>>>
>>> You can also do:
>>>
>>> # crontab -l | { cat; echo "*/15 * * * * /bin/sh -c 'ifconfig | grep
>>> tun0 > /dev/null || systemctl restart openvpn'"; } | crontab -
>>>
>>> This will check every 15 minutes whether tun0 is up and if not will use
>>> systemctl to restart openvpn service.
>>>
>>> Not sure what runs on Raspbian.
>>
>> As you use systemctl, that implies systemd.  Then that hack is truly
>> ugly compared to what systemd provides.
> 
> So how can you get systemd to send you emails?
> 
> Can you let it run a script on restart?
> 

Hi,

A few months back I looked into exactly this issue. Back then there was
no easy way to make systemd send emails. That is why I still use monit
which has good notification capabilities:

<https://www.mmonit.com/monit/>

Monit works by polling service states periodically, so some delay is
always involved. Monit can, however, do whatever you want when a problem
is encountered and is not limited to just restarting the service.

Combining systemd instantaneous restarts with monit's notifications is a
pretty good system imho.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-users] OpenVPN 2.3.16 released

2017-05-19 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.3.16.
It can be downloaded from here:

<http://openvpn.net/index.php/open-source/downloads.html>

This is a minor release that fixes a few bugs. This release was made
primarily because CloudFlare managed to serve obsolete pre-release
OpenVPN 2.3.15 tarballs which lack a fix for CVE-2017-7478:

<https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits>

The official OpenVPN 2.3.15 Windows installers have the fix.
Nevertheless, you are advised to upgrade your OpenVPN installations to
2.3.16 or 2.4.2.

A summary of the changes is available here:

<https://github.com/OpenVPN/openvpn/blob/release/2.3/Changes.rst>

A full list of changes is available here:

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23>

NOTE: The GPG key used to sign release files has changed:

<https://openvpn.net/index.php/open-source/documentation/sig.html>

For generic help use these support channels:

Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net>
Forums: <https://forums.openvpn.net>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: <https://community.openvpn.net>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock





[Openvpn-users] OpenVPN 2.4.2 released (with security fixes)

2017-05-11 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4.2. It
can be downloaded from here:

<http://openvpn.net/index.php/open-source/downloads.html>

OpenVPN v2.4.0 was audited for security vulnerabilities independently by
Quarkslab (funded by OSTIF) and Cryptography Engineering (funded by
Private Internet Access) between December 2016 and April 2017. The
primary findings were two remote denial-of-service vulnerabilities.
Fixes to them have been backported to v2.3.15.  Our official security
announcement is here:

<https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits>

A summary of the changes is available here:

<https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst>

A full list of changes is available here:

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24>

Compared to OpenVPN 2.3 this is a major update with a large number of
new features, improvements and fixes. Some of the major features are
AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved
IPv4/IPv6 dual stack support and more seamless connection migration when
client's IP address changes (Peer-ID). Also, the new --tls-crypt feature
can be used to increase users' connection privacy.

OpenVPN GUI bundled with the Windows installer has a large number of new
features compared to the one bundled with OpenVPN 2.3. One of the major
features is the ability to run OpenVPN GUI without administrator privileges.

For full details, look here:

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24>

The new OpenVPN GUI features are documented here:

<https://github.com/OpenVPN/openvpn-gui>

Please note that OpenVPN 2.4 installers will not work on Windows XP.

For generic help use these support channels:

Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net>
Forums: <https://forums.openvpn.net>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: <https://community.openvpn.net>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)
-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-users] OpenVPN releases tomorrow at 14:00 UTC (fixes vulnerabilities)

2017-05-10 Thread Samuli Seppänen
Hi all,

We will make OpenVPN releases tomorrow (11th May 2017) at 14:00 UTC,
fixing two remote DoS vulnerabilities. More details will follow at
release time.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




Re: [Openvpn-users] Build-System ./build-complete --build-depcache

2017-05-08 Thread Samuli Seppänen
Hi,

> 
> rm -fr tmp and ./build-complete --build-depcache = exact same result.
> 
> Searching for openvpn bin
> :/home/tct/openvpn/bsys/windows-nsis# find tmp | grep vpn | grep bin
> tmp/image-x86_64/openvpn/bin
> tmp/image-x86_64/openvpn/bin/openssl.exe
> tmp/image-x86_64/openvpn/bin/liblzo2-2.dll
> tmp/image-x86_64/openvpn/bin/ssleay32.dll
> tmp/image-x86_64/openvpn/bin/libpkcs11-helper-1.dll
> tmp/image-x86_64/openvpn/bin/c_rehash
> tmp/image-x86_64/openvpn/bin/libeay32.dll
> tmp/image-i686/openvpn/bin
> tmp/image-i686/openvpn/bin/openssl.exe
> tmp/image-i686/openvpn/bin/liblzo2-2.dll
> tmp/image-i686/openvpn/bin/ssleay32.dll
> tmp/image-i686/openvpn/bin/libpkcs11-helper-1.dll
> tmp/image-i686/openvpn/bin/c_rehash
> tmp/image-i686/openvpn/bin/libeay32.dll
> 
> From what I can tell (tho my sh foo is not great)
> ./build-complete --build-depcache does not build openvpn
> eg:
> ./build-complete --help
> --build-depcache   create depcache only (no program build)
> 
> but then expects openvpn to be there .. ?

Yes, depcache does not build OpenVPN, only the dependencies. I'll have
to do some testing to figure out what it is doing and whether this is a
feature or a bug. I recall having some depcache-related issue a while
back which vaguely resembles this one.

> Another thing I notice which i think must be an error while building
> openssl:
> 
> created directory
> `/home/tct/openvpn/bsys/windows-nsis/tmp/build-x86_64/depcache-root//bin'
> created directory
> `/home/tct/openvpn/bsys/windows-nsis/tmp/build-x86_64/depcache-root///lib'
> created directory
> `/home/tct/openvpn/bsys/windows-nsis/tmp/build-x86_64/depcache-root///lib/engines'
> 
> created directory
> `/home/tct/openvpn/bsys/windows-nsis/tmp/build-x86_64/depcache-root///lib/pkgconfig'
> 
> created directory
> `/home/tct/openvpn/bsys/windows-nsis/tmp/build-x86_64/depcache-root//include'
> 
> created directory
> `/home/tct/openvpn/bsys/windows-nsis/tmp/build-x86_64/depcache-root//include/openssl'
> 
> created directory
> `/home/tct/openvpn/bsys/windows-nsis/tmp/build-x86_64/depcache-root/etc'
> created directory
> `/home/tct/openvpn/bsys/windows-nsis/tmp/build-x86_64/depcache-root/etc/ssl'
> 
> 
> //bin, ///lib & //include .. is this intentional and it occurs many
> times throughout the log ?

This is probably due to an extra "/"(s) somewhere. Not a problem, but looks
silly and should be fixed if possible.

> Also, windows-nsis/tmp/build-x86_64/depcache-root does not exist once
> the script fails .. (nor i686)
> 
> Finally, "FATAL: please specify openvpn binary tarball" AFAICT, the
> tarball is specified by build-complete:
> 
> ROOT="${TMPDIR}/installer" \
>   ./build \
>   --installer-version="${INSTALLER_VERSION}" \
>   --special-build="${SPECIAL_BUILD}" \
>   --openvpn-bin-tarball-i686=$(ls
> ${TMPDIR}/image-i686/openvpn-i686-*-bin.*) \
>   --openvpn-bin-tarball-x86_64=$(ls
> ${TMPDIR}/image-x86_64/openvpn-x86_64-*-bin.*) \
> 
> So that error message is a bit misleading, maybe it could read
> "FATAL: cannot find specified openvpn binary tarball
> $(ls ${TMPDIR}/image-i686/openvpn-i686-*-bin.*)"
> 
> 
>>
>> If this is a bug then we should add a --build-depcache test to Travis so
>> that the depcache does not break again.
>>
> 
> I can open a ticket for it, if it is a bug ? let me know
> 
Not sure at this point, but I'll investigate.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
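The failure discussed in this thread comes from `$(ls ${TMPDIR}/image-i686/openvpn-i686-*-bin.*)` expanding to nothing, so `./build` only sees an empty option value. The following is an added example, not code from the OpenVPN build system: it resolves each tarball up front and reports the pattern that failed. The function names `resolve_tarball` and `installer_tarball_args` and the sample file names are hypothetical.

```shell
#!/bin/sh
# Added example. The directory layout and the --openvpn-bin-tarball-ARCH
# option names come from the build-complete excerpt quoted in the thread;
# everything else (function names, sample files) is an assumption.

# resolve_tarball TMPDIR ARCH
# Prints the single matching tarball path on stdout.
# Exit status: 0 = exactly one match, 1 = no match, 2 = more than one match.
# The body runs in a subshell "( ... )" so that "set --" and the variables
# do not leak into the caller; "exit" therefore only ends the function.
resolve_tarball() (
    tmpdir=$1
    arch=$2
    pattern="${tmpdir}/image-${arch}/openvpn-${arch}-*-bin.*"

    # Quote the variable parts and leave only the wildcards unquoted, so a
    # path containing spaces survives and only the glob is expanded.
    set -- "${tmpdir}/image-${arch}/openvpn-${arch}-"*"-bin."*

    # With no match a POSIX shell keeps the pattern as a literal word (and
    # bash with nullglob yields zero words); treat both as "not found".
    if [ "$#" -eq 0 ] || [ ! -e "$1" ]; then
        echo "FATAL: cannot find openvpn binary tarball matching ${pattern}" >&2
        exit 1
    fi
    if [ "$#" -gt 1 ]; then
        echo "FATAL: $# tarballs match ${pattern}, expected exactly one" >&2
        exit 2
    fi
    printf '%s\n' "$1"
)

# installer_tarball_args TMPDIR
# Prints one "--openvpn-bin-tarball-ARCH=PATH" line per architecture, or
# stops with the resolver's status before the installer step is reached.
installer_tarball_args() (
    tmpdir=$1
    for arch in i686 x86_64; do
        path=$(resolve_tarball "$tmpdir" "$arch") || exit $?
        printf '%s=%s\n' "--openvpn-bin-tarball-${arch}" "$path"
    done
)

# Stand-alone run on a constructed tree (not taken from the original log).
demo() (
    root=$(mktemp -d) || exit 1
    mkdir -p "$root/image-i686" "$root/image-x86_64"

    # State after a depcache-only run: image directories, no tarballs.
    installer_tarball_args "$root" || echo "rejected before packaging (status $?)"

    # State after a full program build: one tarball per architecture.
    : > "$root/image-i686/openvpn-i686-2.4.1-bin.tar.bz2"
    : > "$root/image-x86_64/openvpn-x86_64-2.4.1-bin.tar.bz2"
    installer_tarball_args "$root"

    rm -rf "$root"
)
demo
```
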




Re: [Openvpn-users] Build-System ./build-complete --build-depcache

2017-05-08 Thread Samuli Seppänen
Hi,

On 08/05/2017 16:50, debbie10t wrote:
> Hi,
> 
> Build-System ./build-snapshot = works
> Build-System ./build-complete = works
> Build-System ./build-complete --build-depcache does not appear to work.
> 
> OS:
> 
> Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-75-generic x86_64)
> 
>   * Documentation:  https://help.ubuntu.com
>   * Management: https://landscape.canonical.com
>   * Support:https://ubuntu.com/advantage
> 
> 67 packages can be updated.
> 0 updates are security updates.
> 
> 
> 
> This is the complete log with a file list of ./tmp included:
> (The end of the log is at line 9470)
> 
> https://paste.fedoraproject.org/paste/9rHQOmT7WGEgN2yZ5LFGG15M1UNdIGYhyRLivL9gydE=
> 
> 
> 
> This is the error at the end of the log:
> 
> make[1]: Leaving directory 
> '/home/tct/openvpn/bsys/windows-nsis/tmp/build-x86_64/pkcs11-helper-1.11'
> tap-windows
> Fixup libtool files
> Restore libtool files
> ls: cannot access 'tmp/image-i686/openvpn-i686-*-bin.*': No such file or 
> directory
> ls: cannot access 'tmp/image-x86_64/openvpn-x86_64-*-bin.*': No such 
> file or directory
> FATAL: please specify openvpn binary tarball
> FATAL: pack installer >&2
> tct@ub16-hyv-live-64:~/openvpn/bsys/windows-nsis$
> 
> 
> 
> What am I doing wrong ?

Not sure. I would remove the windows-nsis/tmp folder and retry. If the
build still fails I'd look into tmp/ and see what it actually contains
and move on from there.

If this is a bug then we should add a --build-depcache test to Travis so
that the depcache does not break again.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




[Openvpn-users] OpenVPN 2.4.1 released

2017-03-22 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4.1. It
can be downloaded from here:

<http://openvpn.net/index.php/open-source/downloads.html>

Compared to OpenVPN 2.3 this is a major update with a large number of
new features, improvements and fixes. Some of the major features are
AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved
IPv4/IPv6 dual stack support and more seamless connection migration when
client's IP address changes (Peer-ID). Also, the new --tls-crypt feature
can be used to increase users' connection privacy.

Compared to OpenVPN 2.4.0 there are several bugfixes and small
enhancements. A summary of the changes is available here:

<https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst>

A full list of changes is available here.

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24>

OpenVPN GUI bundled with the Windows installer has a large number of new
features compared to the one bundled with OpenVPN 2.3. Details are
available on the "ChangesInOpenvpn24" page, above.

For generic help use these support channels:

Official documentation:
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net>
Forums: <https://forums.openvpn.net>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: <https://community.openvpn.net>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




Re: [Openvpn-users] Windows openvpnservice (openvpnserv2) starting of its own accord ?

2017-02-21 Thread Samuli Seppänen
On 20/02/2017 22:01, debbie10t wrote:
> 
> 
> On 20/02/17 17:45, Selva Nair wrote:
>> On Mon, Feb 20, 2017 at 12:32 PM, debbie10t  wrote:
>>
>>> Stop running openvpnserv2 + openvpn.exe
>>> REBOOT
>>>
>>> Result of powershell:
>>>
>>> ExitCode:  0
>>> Name:  OpenVPNService
>>> ProcessID: 2324
>>> StartMode: Manual
>>> State: Running
>>> Status:OK
>>>
>>> Weird ?
>>>
>>
>>
>> A shot in the dark.. May be some event is triggering to start it. Does
>>
>> sc qtriggerinfo OpenVPNService
>>
>> show anything?
> 
> RESULT:
> 
> The service openvpnservice has not registered for any start or stop 
> triggers.
> 
> 
>>
>> Any scheduled tasks (taskschd) that could be starting it?
>>
> 
> Nothing in Windows Scheduled Tasks other than the usual MS crap
> eg: Customer Experience Improvement Program
> 
> Although, I am not overly familiar with this version of windows 
> scheduled tasks.  If there is a command/powershell I can run .. ?
> 
> Also, nothing in 'at'
> 
> Also, although some time ago, it is the sort of thing I may have done
> to setup some dumb hack to start the service, this is a New service so
> anything I did before should not affect this service name .. ?
> 

Well, the same service name ("OpenVPNService") was also used in OpenVPN
2.3 for the legacy automatic service. Any custom scripts that managed
the (now legacy) service in OpenVPN 2.3 continue to work in OpenVPN 2.4
- they just manage the new openvpnserv2.exe -based service now.

Samuli



Re: [Openvpn-users] Windows openvpnservice (openvpnserv2) starting of its own accord ?

2017-02-20 Thread Samuli Seppänen
On 20/02/2017 17:09, Samuli Seppänen wrote:
> On 20/02/2017 15:09, Gert Doering wrote:
>> Hi,
>>
>> On Mon, Feb 20, 2017 at 12:44:37PM +, debbie10t wrote:
>>> I am a little bit rusty with windows and I can't figure out how this is 
>>> happening.
>>>
>>> Computer is Windows 7 Home
>>>
>>> Openvpn 2.4.0 standard install + easyrsa
>>>
>>> Openvpn Interactive service = Auto, does start at logon OK
>>> Openvpn Legacy service = Manual, does *not* start at logon OK
>>> Openvpn service (openvpnserv2) = Manual, *Does* start at logon BAD!
>>>
>>> Can anybody please explain why this service is being started ?
>>> I have run out of ideas ..
>>
>> None of these services should ever start at *logon* - iservice should start
>> on boot, the others only if enabled in the services control panel.
>>
>> gert
>>
> 
> Debbie10t: can you launch Powershell and issue
> 
>   Get-WMIObject -Class win32_service -Filter "Name='OpenVPNService'"
> 
> With default settings it should output this:
> 
>   ExitCode  : 0
>   Name  : OpenVpnService
>   ProcessId : 0
>   StartMode : Manual
>   State : Stopped
>   Status: Ok
> 
> If "StartMode" is truly set to Manual, yet after a reboot "State" says
> "Running", then we have a genuine problem.
> 

Could you run the above Get-WMIObject command just in case? That would
help rule out the possibility that the graphical UI is confused about
the StartupType of OpenVpnService.

Samuli










Re: [Openvpn-users] Question about tls-crypt and port 443 firewall ducking

2017-01-02 Thread Samuli Seppänen
On 31/12/2016 20:36, Илья Шипицин wrote:
>
> On Tue, 20 Dec 2016 at 5:13, Kevin Long <kevin.l...@haloprivacy.com
> <mailto:kevin.l...@haloprivacy.com>> wrote:
>
>
>
> I was just browsing the Mastering OpenVPN book and a paragraph
> jumped out at me which basically said that using OpenVPN on port 443
> is a common way people try to duck firewalls.  Indeed, this is what
> I do.  My clients are all over the place, airports, hotels,
> different countries etc, and we do seem to have better luck on port
> 443 tcp than 1194 tcp or udp.
>
>
>
> But the book states, as I have just learned just recently
> coincidentally,  that OpenVPN traffic (even running on TCP) does not
> really look like normal browser TLS traffic.
>
>
>
>
>
> I saw in the release notes I believe, that the new tls-crypt feature
> helps prevent metadata about auth certificates from being exposed,
> as well as blocking deep-packet inspections of the traffic.
>
>
>
> Could anyone possibly elaborate on this? Will this in practice help
> do mitigate OpenVPN blocking on port 443 in cases where normal TLS
> 443 traffic is permitted?
>
>
>
> Also, could anyone elaborate on tls-crypt being “poor man’s quantum”
> protection
>
>
>
> Thank you again,
>
>
>
> Kevin
>
>
>
>
> I think traffic obfuscation need more attention. OpenVPN becomes more
> and more popular, even http://openvpn.net is prohibited in several
> countries.
>
> we recently tried tls-crypt from China, it does not bypass great wall
> software.

Hi,

We've discussed traffic obfuscation in the past many times, and have 
always concluded that we don't want to play that cat-and-mouse game in 
the _core_ OpenVPN.

That said, there could definitely be a separate project that basically 
bundles OpenVPN with obfuscation software such as obfsproxy. Then _that_ 
project would play the cat-and-mouse game. I would argue that this 
approach would be more effective, as the participants in that project 
would have vested interest in the obfuscation working. I believe many 
VPN providers already implement obfuscation, each reinventing the wheel, 
which typically tends to produce half-baked implementation as well as 
lots of wasted effort in the name of commercial differentiation.

If someone is willing to cobble something together and publish it, I'm 
sure other people will soon follow and the "Obfuscated OpenVPN" project 
will start gaining momentum.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock





[Openvpn-users] OpenVPN 2.4.0 released

2016-12-27 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4.0. It 
can be downloaded from here:

<http://openvpn.net/index.php/open-source/downloads.html>

Compared to OpenVPN 2.3 this is a major update with a large number of 
new features, improvements and fixes. Changes compared to the previous 
OpenVPN 2.4 release are very minor. A summary of these changes is 
available here:

<https://github.com/OpenVPN/openvpn/blob/master/Changes.rst>

A full list of changes is available here.

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24>

OpenVPN GUI bundled with the Windows installer has a large number of new 
features compared to the one bundled with OpenVPN 2.3. Details are 
available on the "ChangesInOpenvpn24" page, above.

For generic help use these support channels:

Official documentation: 
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net>
Forums: <https://forums.openvpn.net>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: <https://community.openvpn.net>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires 
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-users] OpenVPN 2.4_rc2 released

2016-12-16 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4_rc2. 
It can be downloaded from here:

<http://openvpn.net/index.php/open-source/downloads.html>

Compared to OpenVPN 2.3 this is a major update with a large number of 
new features, improvements and fixes. Changes compared to previous 
OpenVPN 2.4 release are fairly minor, and include several small fixes 
and improvements.  A summary of these changes is available here:

<https://github.com/OpenVPN/openvpn/blob/master/Changes.rst>

A full list of changes is available here.

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24>

OpenVPN GUI bundled with the Windows installer has a large number of new 
features compared to the one bundled with OpenVPN 2.3. Details are 
available on the "ChangesInOpenvpn24" page, above.

For generic help use these support channels:

Official documentation: 
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net>
Forums: <https://forums.openvpn.net>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: <https://community.openvpn.net>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires 
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-users] Request: Copy or Move openvpn_2.3.14-jessie0_amd64.deb and update hashsums in Packages file

2016-12-14 Thread Samuli Seppänen
On 14/12/2016 18:39, Sebastian Rubenstein wrote:
> Hi Samuli
>
> When you have time to spare, could you copy/move 
> openvpn_2.3.14-jessie0_amd64.deb to 
> http://swupdate.openvpn.net/apt/pool/jessie/main/o/openvpn/ please?
>
> Moreover, please update the Packages file in 
> http://swupdate.openvpn.net/apt/dists/jessie/main/binary-amd64/Packages with 
> the hashsums of openvpn_2.3.14-jessie0_amd64.deb
>
> Thank you for your assistance.
>
> Sebastian
>

Interesting that 2.3.14 is missing from there. I will look into it.

Btw. if you're interested in more fine-grained options on which OpenVPN 
packages to install, have a look at the four new repos on build.openvpn.net:

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos>

OpenVPN 2.3.14 should be in the "release/2.3" and "stable" repos.

Best regards,
-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-users] Elliptic Curve, strongest cipher? (and how about iOS app?)

2016-12-13 Thread Samuli Seppänen
On 13/12/2016 03:57, Kevin Long wrote:
>
>
> Greetings,
>
>
> I have a requirement to set up an OpenVPN server that serves clients,  
> including the *iOS* OpenVPN app which I understand is quite different from 
> the open source.
>
> The requirement is that I use the absolute strongest encryption ciphers, 
> regardless of VPN performance.
>
> If I am not mistaken,  Elliptic Curve is much preferred these days,  and I 
> believe support for ciphers which utilize EC was added into the 2.4 branch of 
> OpenVPN open source.
>
>
> So to get this functionality I believe I would need to compile a release 
> candidate from source?
>
>
> But how about the iOS app,  does it support EC ciphers, will it ever?

The iOS app is based on OpenVPN 3:

<https://github.com/OpenVPN/openvpn3>

I believe OpenVPN 3 supports elliptic curve crypto just like OpenVPN 
2.4, but I could be mistaken.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-users] source code of a licensed version

2016-12-08 Thread Samuli Seppänen
On 08/12/2016 00:20, boxar...@yandex.ru wrote:
> Hi,
>
> I'm wondering if I can get source code of a licensed openvpn version, so that 
> I could recompile it myself before using.
> I'm trying to enable fips mode in openvpn and I don't see any other way but 
> to change source code calling FIPS_mode_set() function. Maybe you have any 
> other ideas on how I can do it for a licensed version?
>

What do you mean by "licensed version"? Do you mean a "FIPS compliant 
version"?

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-users] OpenVPN 2.4_rc1 released

2016-12-02 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.4_rc1. 
It can be downloaded from here:

<http://openvpn.net/index.php/open-source/downloads.html>

This release includes several smaller fixes and improvements. A summary 
of these changes is available here:

<https://github.com/OpenVPN/openvpn/blob/master/Changes.rst>

A full list of changes is available here.

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24>

For generic help use these support channels:

Official documentation: 
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net>
Forums: <https://forums.openvpn.net>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: <https://community.openvpn.net>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires 
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-users] Launching OpenVPN-GUI automatically on user login?

2016-11-28 Thread Samuli Seppänen
Hi,

There is a PR that makes OpenVPN-GUI launch automatically when any user 
logs in:

<https://github.com/OpenVPN/openvpn-build/pull/55>

No OpenVPN connections are started, of course, but the OpenVPN-GUI tray 
application will launch. Each user will be able to opt-out of this 
behavior in OpenVPN-GUI preferences.

My question is: is it reasonable to enable this by default in the 
installer? Or should this be opt-in at install time?

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-users] OpenVPN AS download links

2016-11-24 Thread Samuli Seppänen
On 23/11/2016 19:22, Simon Deziel wrote:
> Hello,
>
> I just noticed that the package download links on [1] are using HTTP
> while the server supports HTTPS. The other download links for the
> appliance images are all using HTTPS already so it looks like the
> package links were forgotten about.
>
> Regards,
> Simon
>
> 1: https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html
>

Hi,

I informed the people responsible for AS about this.

Thanks!

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-users] OSTIF.org has started an OpenVPN security audit fundraiser

2016-11-23 Thread Samuli Seppänen
Hi,

OSTIF[1] has started a new fundraiser with the goal of getting a 
security audit for OpenVPN 2.4.x:

<https://ostif.org/ostif-is-beginning-a-fundraiser-for-openvpn-lets-get-it-audited/>

On that page there are suggestions on how to promote the fundraiser.

This new fundraiser has way more credibility than the previous one on 
Kickstarter, as since then OSTIF has been able to raise enough money to 
get Veracrypt[2] audited:

<https://ostif.org/the-veracrypt-audit-results/>
<https://ostif.org/wp-content/uploads/2016/10/VeraCrypt-Audit-Final-for-Public-Release.pdf>
<https://sourceforge.net/p/veracrypt/discussion/general/thread/9490dbcc/>

In addition, VeraCrypt Git logs show that most of the identified 
vulnerabilities were fixed.

Best regards,

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

[1] <https://ostif.org/>
[2] <https://sourceforge.net/projects/veracrypt/>
 <https://github.com/veracrypt/VeraCrypt>



[Openvpn-users] OpenVPN 2.3.13 released

2016-11-03 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.3.13. 
It can be downloaded from here:

<http://openvpn.net/index.php/open-source/downloads.html>

This release includes many small improvements and fixes. The largest 
change in this release is the limiting of --reneg-bytes to 64MB when 
using small block ciphers. A full list of changes is available here:

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23>

For generic help use these support channels:

Official documentation: 
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net>
Forums: <https://forums.openvpn.net>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: <https://community.openvpn.net>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires 
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-users] [Openvpn-devel] Separate apt repositories for 2.4-alpha/beta/rc releases?

2016-10-25 Thread Samuli Seppänen
On 17/10/2016 13:58, Samuli Seppänen wrote:
> On 17/10/2016 11:50, Ralf Hildebrandt wrote:
>> * Samuli Seppänen <sam...@openvpn.net>:
>>> Hi,
>>>
>>> Should we have a separate apt repository for "unstable" apt packages?
>>
>> Yes please. Do have a look at how dovecot does it:
>> http://wiki2.dovecot.org/PrebuiltBinaries#Debian
>>
>> there is "stable" and "testing"
>>
>
> Thanks to all for the feedback. Based on it the most flexible approach
> would probably be to have four different repositories:
>
> "testing": tracks latest release, including all alphas/beta/rcs
> "stable": tracks latest stable release (2.3.x/2.4.x)
> "release/2.3": tracks latest 2.3.x release
> "release/2.4": tracks latest 2.4 release (including alphas/beta/rcs)
>
> The current apt repository would become "release/2.3" to minimize
> surprises. In all cases the package name would be "openvpn". A user
> could have several of these repositories enabled at the same time - apt
> would then just default to the latest version.
>
> Right now Debian package building is not fully automated, but when it
> is, having a "snapshots" repository would make sense.
>
> I'd rather not allow several different OpenVPN packages to co-exist on a
> single computer (e.g. "openvpn-2.3" and "openvpn-2.4"): that tends to
> complicate packaging without any significant benefits. I believe this
> approach is mostly used in cases where different application versions
> are (protocol)incompatible, and users need to be able to use both
> simultaneously.
>

Hi all,

The four new apt repositories described above are now available. 
Instructions for setting them up are here:

<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos>

OpenVPN 2.4_alpha2 is available in "release/2.4" and "testing"
OpenVPN 2.3.12 is available in "release/2.3" and "stable"

Once the new repos have been online for a while and are proven to work, 
I will look into redirecting requests to the old swupdate repository to 
the new "release/2.3" repository.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-users] OpenVPN 2.4-alpha2 released

2016-10-20 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 
2.4_alpha2. It can be downloaded from here:

<http://openvpn.net/index.php/open-source/downloads.html>

This release includes a large number of new features, improvements and 
fixes. A summary of these changes is available here:

<https://github.com/OpenVPN/openvpn/blob/master/Changes.rst>

A full list of changes is available here.

<https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24>

OpenVPN 2.4_alpha1 release was skipped due to a bug found soon after 
tagging that release in Git.

For generic help use these support channels:

Official documentation: 
<http://openvpn.net/index.php/open-source/documentation/howto.html>
Wiki: <https://community.openvpn.net>
Forums: <https://forums.openvpn.net>
User mailing list: <http://sourceforge.net/mail/?group_id=48978>
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: <https://community.openvpn.net>
Developer mailing list: <http://sourceforge.net/mail/?group_id=48978>
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires 
Freenode registration)

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-users] Separate apt repositories for 2.4-alpha/beta/rc releases?

2016-10-17 Thread Samuli Seppänen
On 17/10/2016 11:50, Ralf Hildebrandt wrote:
> * Samuli Seppänen <sam...@openvpn.net>:
>> Hi,
>>
>> Should we have a separate apt repository for "unstable" apt packages?
>
> Yes please. Do have a look at how dovecot does it:
> http://wiki2.dovecot.org/PrebuiltBinaries#Debian
>
> there is "stable" and "testing"
>

Thanks to all for the feedback. Based on it the most flexible approach 
would probably be to have four different repositories:

"testing": tracks latest release, including all alphas/beta/rcs
"stable": tracks latest stable release (2.3.x/2.4.x)
"release/2.3": tracks latest 2.3.x release
"release/2.4": tracks latest 2.4 release (including alphas/beta/rcs)

The current apt repository would become "release/2.3" to minimize 
surprises. In all cases the package name would be "openvpn". A user 
could have several of these repositories enabled at the same time - apt 
would then just default to the latest version.

Right now Debian package building is not fully automated, but when it 
is, having a "snapshots" repository would make sense.

I'd rather not allow several different OpenVPN packages to co-exist on a 
single computer (e.g. "openvpn-2.3" and "openvpn-2.4"): that tends to 
complicate packaging without any significant benefits. I believe this 
approach is mostly used in cases where different application versions 
are (protocol)incompatible, and users need to be able to use both 
simultaneously.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-users] Separate apt repositories for 2.4-alpha/beta/rc releases?

2016-10-14 Thread Samuli Seppänen
Hi,

Should we have a separate apt repository for "unstable" apt packages? 
Right now our apt repositories hold 2.3.x packages, meaning that 
upgrades have historically been fairly minor.

That said, users who use _our_ apt repositories have expressed interest 
in using something newer than what is available in their distribution's 
repositories.

Would 2.3.12 -> 2.4-alpha1 be too big an upgrade?

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-users] Help testing OpenVPN 2.4-alpha1 preview installers?

2016-10-13 Thread Samuli Seppänen
Hi, and thanks for testing!

On 12/10/2016 20:47, Enno Gröper wrote:
> On 11.10.2016 at 12:36, Samuli Seppänen wrote:
>> If you can, please test the installers in your environment and let us
>> know how it went: we'd like to minimize the chance of breaking existing
>> setups before we make the official 2.4-alpha1 release.
>

> Installs and connects fine on:
> Windows 7 Professional SP1, 64 Bit
>
> Windows 10 64 Bit Educational:
> GUI warns about Interactive Service not being started.
> After starting it manually, everything works fine.

Interesting. So did the Interactive Service start automatically on 
"Windows 7 Professional SP1, 64 Bit"?

> On server side there is an openvpn 2.3.4 in tun-Mode running on (and
> obtained from) Debian Jessie.
>
> Kind regards,
> Enno

Regards,

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-users] Help testing OpenVPN 2.4-alpha1 preview installers?

2016-10-12 Thread Samuli Seppänen
Hi Jose,

Thanks for testing! The documentation about the new services is probably 
suboptimal right now. I will need to improve it a bit, because I believe 
what is said here

<https://github.com/OpenVPN/openvpn-gui>

is all we have right now. Quickly summarizing:

1) OpenVPNService (provided by openvpnserv2.exe)

This is a new background service based on openvpnserv2. It is intended 
for running one or more VPN connections in the background without user 
interaction.

2) OpenVPNServiceInteractive (provided by openvpnserv.exe)

This service co-operates with OpenVPN-GUI to allow unprivileged users to 
successfully launch a VPN connection.

3) OpenVPNServiceLegacy (provided by openvpnserv.exe)

This is the old background service. It does not work well on anything 
post-Windows 7 and is pretty crude in general. It is intended for 
running one or more VPN connections in the background without user 
interaction.

I will add this documentation somewhere - probably INSTALL-win32.txt.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


On 12/10/2016 14:29, Jose Alf. wrote:
> Samuli,
>
> I tested the 64 bit installer on Windows 7 Enterprise using default
> settings. It ran smoothly. I notice that now there are 3 services -
> OpenVPN Interactive Service (appears started automatic)
> - OpenVPN Legacy Service (manual)
> - OpenVPNService (manual)
>
> Any pointers to documentation about this?
>
> I use OpenVPN-MI-GUI. I had to start OpenVPNService to connect to my
> server. Other than that, it worked fine.
>
> Regards,
> Jose
>
> --------
> *From:* Samuli Seppänen <sam...@openvpn.net>
> *To:* "openvpn-de...@lists.sourceforge.net"
> <openvpn-de...@lists.sourceforge.net>;
> "openvpn-users@lists.sourceforge.net" <openvpn-users@lists.sourceforge.net>
> *Sent:* Tuesday, October 11, 2016 5:36 AM
> *Subject:* [Openvpn-users] Help testing OpenVPN 2.4-alpha1 preview
> installers?
>
> Hi all,
>
> We're really close to OpenVPN 2.4-alpha1 release now. In yesterday's IRC
> meeting[1] we deemed that "late this week" might be doable.
>
> However, we'd need to help with testing these preview installers:
>
> <http://build.openvpn.net/downloads/temp/openvpn-install-2.3_git-do-ifconfig-after-tun-v2-I601-i686.exe>
> <http://build.openvpn.net/downloads/temp/openvpn-install-2.3_git-do-ifconfig-after-tun-v2-I601-x86_64.exe>
>
> Note that the installers contain a much improved OpenVPN-GUI that
> behaves differently under the hood from the one bundled in OpenVPN 2.3.x:
>
> <https://github.com/OpenVPN/openvpn-gui>
>
> The installer also contains a new, much improved Windows system service
> called openvpnserv2:
>
> <https://github.com/OpenVPN/openvpnserv2>
>
> Based on earlier tests openvpnserv2 should be able to handle
> suspend/resume gracefully. It should also automatically restart a
> connection that dies for whatever reason.
>
> So far the installers linked to above have passed some basic tests:
>
> <https://community.openvpn.net/openvpn/wiki/OpenVPN24WindowsTests>
>
> If you can, please test the installers in your environment and let us
> know how it went: we'd like to minimize the chance of breaking existing
> setups before we make the official 2.4-alpha1 release.
>
> --
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
>
> irc freenode net: mattock
>
>
> [1]
> <https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12657.html>
>


[Openvpn-users] Help testing OpenVPN 2.4-alpha1 preview installers?

2016-10-11 Thread Samuli Seppänen
Hi all,

We're really close to OpenVPN 2.4-alpha1 release now. In yesterday's IRC 
meeting[1] we deemed that "late this week" might be doable.

However, we'd need to help with testing these preview installers:

<http://build.openvpn.net/downloads/temp/openvpn-install-2.3_git-do-ifconfig-after-tun-v2-I601-i686.exe>
<http://build.openvpn.net/downloads/temp/openvpn-install-2.3_git-do-ifconfig-after-tun-v2-I601-x86_64.exe>

Note that the installers contain a much improved OpenVPN-GUI that 
behaves differently under the hood from the one bundled in OpenVPN 2.3.x:

<https://github.com/OpenVPN/openvpn-gui>

The installer also contains a new, much improved Windows system service 
called openvpnserv2:

<https://github.com/OpenVPN/openvpnserv2>

Based on earlier tests openvpnserv2 should be able to handle 
suspend/resume gracefully. It should also automatically restart a 
connection that dies for whatever reason.

So far the installers linked to above have passed some basic tests:

<https://community.openvpn.net/openvpn/wiki/OpenVPN24WindowsTests>

If you can, please test the installers in your environment and let us 
know how it went: we'd like to minimize the chance of breaking existing 
setups before we make the official 2.4-alpha1 release.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


[1] 
<https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12657.html>



Re: [Openvpn-users] Windows tap driver signing certificate expired.

2016-09-07 Thread Samuli Seppänen
Hi,

On 06/09/2016 17:22, Jose Alf. wrote:
>
> On Tue, 6 Sep 2016 09:34:33 +0200, Gert Doering wrote:
>
> Could you share how you do the silent install / silent update?  Is this
> using wpkg, or something else?
>
> We don't use wpkg, but we take advantage of the same technique they use
> to avoid the Security Confirmation prompt when the driver is being
> installed. This is the same solution reported by Jason Haar in this thread.
>
> However, right now, the story is a bit more complicated. I notice that
> the cabinet file has two signatures, one is the old SHA1 signature that
> expired on Sept 2nd, 2016 and there is a new SHA2 certificate that will
> expire Feb 13, 2019. In my test, I found I had to preload BOTH
> certificates to get rid of the prompt... I only tested on Windows 7 and
> I also had to install 2 patches (KB2921916 and kb3033929). This is
> related to the planned deprecation of SHA1. See
> http://www.migee.com/2010/09/24/solution-for-unattendedsilent-installs-and-would-you-like-to-install-this-device-software/
>
> I also checked the tap-windows included in the OpenVPN-NL distribution
> and it also has two signatures by Fox It (one SHA1 with an expired
> certificate and the other SHA2 with a current one). Anyway, I will
> repeat the test on another machine to make sure the behavior is consistent.

The current tap-windows6 driver indeed has two signatures, the first one 
being SHA1 and the second one being SHA2. Both signatures have 
timestamps, so Windows should accept them just fine after the 
certificate has expired. Of course the certificate expiration and/or 
SHA1 deprecation could trigger the prompts you're seeing.

The SHA1 signature is/was needed to support Windows Vista. It was 
created using a normal (non-EV) kernel-mode Authenticode certificate.

The SHA2 signature has been created using an Extended Validation (EV) 
dongle, as anything less would get rejected by later versions of Windows 10.

We now have a new non-EV certificate that replaces the one that expired 
on 3rd September. However, it can only be used to generate SHA2 
signatures, so the next release of tap-windows6 will only have the SHA2 
EV signature and will not work on Windows Vista or Windows 7 
installations that do not have SHA2 support. Therefore I'm inclined to 
just let things be as they are for the time being. If the SHA1 signature 
starts causing issues for non-enterprise users[*] then we obviously need 
to remove it.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

[*] Meaning: users who cannot be expected to be able to work around the 
issues they encounter.
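
The timestamp and SHA2-support points made in the message above, as an added example that is not part of the original thread and is not OpenVPN or Windows code. It is a simplified model: the two certificate expiry dates are the ones reported in the thread, while the certificate start dates, the timestamp values and the rule that one valid signature is enough are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Signature:
    digest: str                    # "sha1" or "sha2"
    not_before: datetime           # signing certificate validity start
    not_after: datetime            # signing certificate expiry
    timestamp: Optional[datetime]  # trusted timestamp of signing, None if absent


def signature_valid(sig: Signature, now: datetime, os_has_sha2: bool) -> bool:
    """Simplified model of one signature check (an assumption, not Windows code)."""
    if sig.digest == "sha2" and not os_has_sha2:
        return False  # the OS cannot process this signature at all
    # A timestamp pins the validity check to the signing time; without one
    # the certificate must still be valid at verification time.
    reference = sig.timestamp if sig.timestamp is not None else now
    return sig.not_before <= reference <= sig.not_after


def driver_accepted(sigs, now: datetime, os_has_sha2: bool) -> bool:
    """Assumption: one valid signature is enough for the driver to be accepted."""
    return any(signature_valid(s, now, os_has_sha2) for s in sigs)


# Expiry dates are the ones reported in the thread; not_before and the
# timestamp values are constructed for illustration.
SHA1_SIG = Signature("sha1", utc(2013, 9, 2), utc(2016, 9, 2), utc(2016, 4, 1))
SHA2_SIG = Signature("sha2", utc(2016, 2, 13), utc(2019, 2, 13), utc(2016, 4, 1))
SHA1_NO_TS = replace(SHA1_SIG, timestamp=None)
NOW = utc(2016, 9, 7)  # date of the message above, after the SHA1 cert expired

if __name__ == "__main__":
    cases = [
        ("dual-signed, OS without SHA2 support", [SHA1_SIG, SHA2_SIG], False),
        ("SHA2-only, OS without SHA2 support", [SHA2_SIG], False),
        ("SHA2-only, OS with SHA2 support", [SHA2_SIG], True),
        ("SHA1 without timestamp, cert expired", [SHA1_NO_TS], True),
    ]
    for label, sigs, sha2 in cases:
        print(f"{label}: {driver_accepted(sigs, NOW, sha2)}")
```

The model does not cover the validity of the timestamping authority's own certificate or any SHA1 deprecation policy, both of which a real verifier also evaluates.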



Re: [Openvpn-users] Howto install a native binary built with build-system ?

2016-08-31 Thread Samuli Seppänen
>>>> What platform do you intend to run the executable on?
>>>>
>>> That would be debian the same system used to do the build.
>>>
>>
>> Ok, then just forget about openvpn-build and do
>>
>> $ apt-get install build-essential
>> $ apt-get build-dep openvpn
>> $ git clone https://github.com/OpenVPN/openvpn.git
>> $ cd openvpn
>> $ autoreconf -vi
>> $ ./configure
>> $ make
>> $ make install
>>
> Thanks but I am quite capable of building openvpn ..
>
> I am trying to determine how to use these files:
> openvpn-build/generic/image-native/*.bin.tar.bz2
> or, if indeed, they have any valid use ..

> I am not expecting any "out of scope" help.

You have not described what your goal is, so we don't really know what 
is "out of scope". I'll make a few other guesses based on hints in your 
emails, and hope they are not out of scope this time.

Are you just trying to build OpenVPN on a Debian system, and wish to 
distribute the executable to other systems that run exactly the same 
version of the OS on the same architecture? If so, I would just grab the 
files that "make" generates, put them into a tarball and you're done 
with it.

The only reason I can think of you insist on openvpn-build is that you 
want to _also_ bundle the dependencies (openssl, lzo) to the other 
systems. In that case openvpn-build _might_ make sense, but I have no 
idea how the *.bin.tar.bz2 files would be used. You have to look inside 
and do some testing to figure it out. However, I would definitely 
recommend creating Debian packages instead. If sbuild_wrapper is not 
your thing, you could roll out custom debs with FPM:

<https://github.com/jordansissel/fpm/wiki>

> Any straight answer to my straight question would be appreciated.

Naturally. Please explain what your goal is, so that we can help you better.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


