Hi,
When _DEBUG is defined openvpnmsica builds okay using MSVC, but fails
on mingw (before and after this patch) with errors like
openvpnmsica.c:410:17: error: ‘L__FUNCTION__’ undeclared (first use in
this function); did you mean ‘NLS_FUNCTION’?
debug_popup(TEXT(__FUNCTION__));
I have left
From: Selva Nair
The tapctl and openvpnmsica codebase is written with an intent of
supporting both unicode and ansi builds. This patch does not attempt
to change that although non-unicode support looks untested
and buggy.
The main change is to replace %s by PRIsLPTSR that is defined
as %ls
Hi,
Thanks for the review.
On Tue, May 25, 2021 at 4:06 AM Lev Stipakov wrote:
>
> Hi,
>
> I got compilation error:
Oops.. I did not test building with _DEBUG defined.
>
> 2>openvpnmsica.c
> 2>C:\Users\lev\Projects\openvpn\src\openvpnmsica\openvpnmsica.c(140,1):
> warning C4002: too many
> Note: In the logs above, the script is executed *before* Openvpn/Openssl
> verification, so exporting error-status to env for script seems unlikely.
Not so. The script is executed from a callback and the error from
openssl is very much in there and should be exported to scripts, imo.
This was
From: Selva Nair
Fix --ca or --ca-path check when --pkcs11-id or --cryptoapicert
is used with --peer-fingerprint.
The multiple --ca or --capath checks are consolidated into a function
Signed-off-by: Selva Nair
---
src/openvpn/options.c | 44 ++-
1 file
Hi,
On Mon, May 24, 2021 at 10:09 AM tincantech via Openvpn-devel
wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Hi,
>
> Is this expected ?
>
> Server log:
>
> 2021-05-24 14:58:03 us=534606 10.10.201.226:60276 TLS CRYPT V2 VERIFY SCRIPT
> OK
> 2021-05-24 14:58:03 us=558066
From: Selva Nair
The tapctl and openvpnmsica codebase is written with an intent of
supporting both unicode and ansi builds. This patch does not attempt
to change that although non-unicode support looks untested
and buggy.
The main change is to replace %s by PRIsLPTSR that is defined
as %ls
From: Selva Nair
The interactive service code implicitly treats TCHAR == WCHAR in
several places with the assumption that we build only with UNICODE
defined. Make this explicit and remove some redundant code.
Also replace openvpn_sntprintf(), _tprintf() and similar with
explicit wide string
From: Selva Nair
- Use %ls for wchar_t * and %hs for char * variables
This makes it possible to build correctly with or without
__USE_MINGW_ANSI_STDIO defined. When this define is not used
all printf/scanf family functions are resolved from the windows
runtime MSVCRT. Newer (since version 8
Hi,
On Thu, May 20, 2021 at 3:50 PM tincantech via Openvpn-devel
wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Hi,
>
> ‐‐‐ Original Message ‐‐‐
> On Thursday, 20 May 2021 19:30, Arne Schwabe wrote:
>
> > Am 20.05.2021 um 18:56 schrieb tincantech:
> >
> > > Hi,
> > >
Hi
On Wed, May 19, 2021 at 9:35 AM Gert Doering wrote:
>
> Inline peer-fingerprint blocks can benefit from a bit of structuring
> by indentation or by putting comments ("# this is Alice's key").
>
> v2: accept ';' and '#' as comment delimiter. Fix tab-indent.
> v3: we want ==
>
> Signed-off-by:
Hi,
On Wed, May 19, 2021 at 1:58 AM Gert Doering wrote:
>
> Inline peer-fingerprint blocks can benefit from a bit of structuring
> by indentation or by putting comments ("# this is Alice's key").
>
> v2: accept ';' and '#' as comment delimiter. Fix tab-indent.
>
> Signed-off-by: Gert Doering
>
Hi,
On Tue, May 18, 2021 at 10:33 AM Gert Doering wrote:
>
> Inline peer-fingerprint blocks can benefit from a bit of structuring
> by indentation or by putting comments ("# this is Alice's key").
>
> Signed-off-by: Gert Doering
> ---
> src/openvpn/options.c | 9 +++--
> 1 file changed, 7
On Mon, May 10, 2021 at 4:24 PM tincantech via Openvpn-devel
wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Hi,
>
> ‐‐‐ Original Message ‐‐‐
> On Monday, 10 May 2021 18:29, Gert Doering wrote:
>
> > Hi,
> >
> > On Wed, May 05, 2021 at 10:00:37PM +, tincantech via
From: Selva Nair
v2 changes
- do not allow so-path embedded in cert and key uri
- add --pkcs11-engine option to optionally specify the
engine and provider module to use
If either --cert or --key is specified as a PKCS#11 uri, try to
load the certificate and key from any accessible
Hi,
On Thu, May 6, 2021 at 6:12 AM Jan Just Keijser wrote:
>
> Hi Selva,
> > Maybe I'll have to resurrect that idea or require --script-security 2
> > for this? In either case the core code will stay the same -- will wait
> > for a review and/or more comments before changing anything.
> >
>
Hi JJK,
On Wed, May 5, 2021 at 4:00 AM Jan Just Keijser wrote:
>
> Hi Selva,
>
> On 05/05/21 07:18, selva.n...@gmail.com wrote:
> > From: Selva Nair
> >
> > If either --cert or --key is specified as a PKCS#11 uri, try to
> > load the certificate and ke
From: Selva Nair
If either --cert or --key is specified as a PKCS#11 uri, try to
load the certificate and key from any accessible PKCS#11 device.
This does not require linking with any pkcs11 library, but needs
pkcs11 engine to be available on the target machine.
In its simplest form, just have
On Tue, May 4, 2021 at 3:04 PM tincantech via Openvpn-devel
wrote:
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Hi,
>
> ‐‐‐ Original Message ‐‐‐
> On Tuesday, 4 May 2021 13:43, tincantech via Openvpn-devel
> wrote:
>
> > Hi,
> >
> > ‐‐‐ Original Message ‐‐‐
> > On
Hi,
Currently RSA-PSS signatures are handled in pkcs11-helper by asking the
token to do raw RSA signature of data already padded by OpenSSL. Many new
hardware tokens refuse to support this mode and require the padding to be
done in hardware.
For a recent user report see this thread:
Hi,
On Wed, Apr 21, 2021 at 4:02 AM Lev Stipakov wrote:
> From: Lev Stipakov
>
> Make tapctl aware of ovpn-dco.
>
> Signed-off-by: Lev Stipakov
> ---
> src/tapctl/main.c | 13 +++--
> 1 file changed, 7 insertions(+), 6 deletions(-)
>
> diff --git a/src/tapctl/main.c
(sourceforge seems to be refusing to accept mail from me.. sending again)
Hi,
On Wed, Apr 21, 2021 at 4:02 AM Lev Stipakov wrote:
> From: Lev Stipakov
>
> Make tapctl aware of ovpn-dco.
>
> Signed-off-by: Lev Stipakov
> ---
> src/tapctl/main.c | 13 +++--
> 1 file changed, 7
From: Selva Nair
Fixes:
tun.c: In function ‘do_ifconfig_ipv4’:
tun.c:1217:17: warning: variable ‘ifconfig_remote_netmask’ set but not
used [-Wunused-but-set-variable]
const char *ifconfig_remote_netmask = NULL;
tun.c:1213:10: warning: unused variable ‘tun’ [-Wunused-variable
Hi
On Sat, Apr 3, 2021 at 12:01 PM Antonio Quartulli wrote:
>
> From: Antonio Quartulli
>
> Signed-off-by: Antonio Quartulli
> ---
> src/openvpn/tun.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
> index 6b7c8ef1..60a3a179 100644
> ---
From: Selva Nair
This has been replaced by openvpnserv2 since 2.4.0 and we have
stopped setting up this service in the installer since 2.5.0.
Get rid of the unused code. The mechanics of supporting multiple
services with the same executable is retained for possible future use.
For backwards
13:48:08 2021 +0100
>
> Require at least 100MB of mlock()-able memory if --mlock is used.
>
> Signed-off-by: Gert Doering
> Acked-by: Selva Nair
> Message-Id: <20210310124808.14741-1-g...@greenie.muc.de>
> URL:
> https://www.mail-archive.com/open
Hi,
On Mon, Mar 8, 2021 at 2:11 AM Gert Doering wrote:
> If --mlock is used, the amount of memory OpenVPN can use is guarded
> by the RLIMIT_MEMLOCK value (see mlockall(2)). The OS default for this
> is usually 64 Kbyte, which is enough for OpenVPN to initialize, but
> as soon as the first TLS
Hi,
On Sun, Mar 7, 2021 at 1:44 PM Gert Doering wrote:
> Hi,
>
> On Sun, Mar 07, 2021 at 01:36:03PM -0500, Selva Nair wrote:
> > > "I'm not sure", TBH. rlimit handling in unix is a bit of an unknown
> > > territory for me.
> > >
> > > Wh
On Sun, Mar 7, 2021 at 1:10 PM Gert Doering wrote:
> Hi,
>
> thanks for the review.
>
> On Sun, Mar 07, 2021 at 12:22:32PM -0500, Selva Nair wrote:
> > On Sun, Mar 7, 2021 at 11:31 AM Gert Doering
> wrote:
> >
> > > If --mlock is used, the amou
Hi,
On Sun, Mar 7, 2021 at 11:31 AM Gert Doering wrote:
> If --mlock is used, the amount of memory OpenVPN can use is guarded
> by the RLIMIT_MEMLOCK value (see mlockall(2)). The OS default for this
> is usually 64 Kbyte, which is enough for OpenVPN to initialize, but
> as soon as the first
Hi,
On Wed, Feb 17, 2021 at 5:38 PM tincanteksup wrote:
> Hi,
>
> due to not being allowed to have scripts "echo data" to the log file
> under Windows, debugging scripts is next to impossible.
>
> I presume there are no compile time options to enable "echo" under Windows
> ?
>
> Could anybody
From: Selva Nair
It appears wmic needs domain names containing hyphens to
be quoted.
Trac #1375
Signed-off-by: Selva Nair
---
src/openvpnserv/interactive.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index
Hi,
Starting version 8, mingw has started automatically setting
__USE_MINGW_ANSI_STDIO
= 1 under some feature-set conditions: for example, when _GNU_SOURCE is
defined or -std=C99, both of which are true in our case.
See: release notes at http://mingw-w64.org/doku.php
This causes several stdio
driving the openvpn core via management interface. Which commands
> exists and their syntax has so far been mostly undocumented.
>
> Condense the long and good discussion between Selva Nair and
> Jonathan K. Bullard into doc/gui-notes.txt (initial draft from
> Jonathan, comments from Sel
Hi,
On Mon, Jan 18, 2021 at 8:17 AM Gert Doering wrote:
>
> There will be a v3, as I just added "Android: Planned" to all the
> msg stuff.
>
> Selva, which GUI version will be "the one with msg support"? So I can
> have this fixed as well.
GUI is at 11.21.0 right now, this will be in 11.22.0
Hi,
The blob stored in the registry is encrypted by DPAPI and requires access
to the user's session to decrypt. No matter where the blob is stored, if an
attacker has access to the session, anything the GUI can read can be read
by the attacker too.
That said, if there is a well-defined API for
far been mostly undocumented.
>
> Condense the long and good discussion between Selva Nair and
> Jonathan K. Bullard into doc/gui-notes.txt (initial draft from
> Jonathan, comments from Selva and Arne), with a pointer added
> to doc/management-notes.txt.
>
> See:
>
>
> ht
Hi
Thanks for the comments.
On Fri, Dec 25, 2020 at 3:03 PM Gert Doering wrote:
> Hi,
>
> On Sun, Dec 20, 2020 at 07:31:42PM -0500, Selva Nair wrote:
> > Here is the link again.
> > https://github.com/selvanair/openvpn-gui/releases/tag/v11-echo-msg
> > I got no f
Hi,
Merry Christmas!
On Wed, Dec 23, 2020 at 6:15 AM Jan Just Keijser wrote:
> On 21/12/20 18:22, Selva Nair wrote:
>
>
>
> On Mon, Dec 21, 2020 at 2:04 AM Gert Doering wrote:
>
>> Hi,
>>
>> On Sun, Dec 20, 2020 at 07:31:42PM -0500, Selva Nair wrote:
Hi,
On Mon, Dec 21, 2020 at 3:27 PM Arne Schwabe wrote:
> Am 21.12.20 um 20:11 schrieb Gert Doering:
> > Hi,
> >
> > On Mon, Dec 21, 2020 at 06:24:36PM +, Greg Cox wrote:
> >> My contention is, a VPN client has enough information from its own
> certs to
> >> know when its certs are expired
On Mon, Dec 21, 2020 at 2:04 AM Gert Doering wrote:
> Hi,
>
> On Sun, Dec 20, 2020 at 07:31:42PM -0500, Selva Nair wrote:
> > I thought we already went through this when we discussed the proposed
> "echo
> > msg" in considerable detail 3 years ago.
>
Hi,
On Sun, Dec 20, 2020 at 5:38 PM Gert Doering wrote:
> Hi,
>
> On Sun, Dec 20, 2020 at 04:00:13PM +0100, Arne Schwabe wrote:
> > > ... and the client would then either print this on the console
> > > (if !management) or dump it to management, where the GUI/Tunnelblick
> > > could pick it up
Hi,
On Sun, Dec 20, 2020 at 5:55 AM Gert Doering wrote:
> Hi,
>
> I find myself looking for a mechanism by which I could send informational
> messages ("your cert expires in two weeks, go refresh!" - "your openvpn
> client needs an upgrade") from the openvpn server to incoming clients.
>
> Of
Hi
On Tue, Dec 15, 2020 at 12:37 PM Gert Doering wrote:
> Hi,
>
> On Tue, Dec 15, 2020 at 06:16:00PM +0100, Domagoj Pensa wrote:
> > When registering DNS on Windows, argv is freed after being used in first
> > ipconfig command (/flushdns).
> >
> > Then same argv is used uninitialized in next
Hi,
On Thu, Sep 24, 2020 at 4:57 AM Lev Stipakov wrote:
> Hi,
>
> > When there are no IPv6 DNS published, the adapter state is not
> > sanitized and might contain IPv6 DNS server from a previous session.
>
> In this case, shouldn't the "set dns" call below overwrite the previous
> value?
> >
From: Selva Nair
Trac #1079
Signed-off-by: Selva Nair
---
doc/man-sections/server-options.rst | 12 +---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/doc/man-sections/server-options.rst
b/doc/man-sections/server-options.rst
index c0b22a5..4b649b1 100644
--- a/doc/man
From: Selva Nair
Use wmic instead of directly editing the registry
as the former does not take full effect unless the dns
client service is restarted.
Editing the registry appears to work erratically depending
on whether it's followed with a dhcp renew or ipconfig /registerdns
etc.
DOMAIN
Hi
Thanks for the review.
On Fri, Sep 25, 2020 at 5:24 AM Lev Stipakov wrote:
> Hi,
>
> > Note: this will set the domain twice if both v4 and v6 DNS
> > servers are defined. It can't hurt, but could be avoided by
> > making the domain setting a separate call from the DNS
> > server setting.
>
>
From: Selva Nair
Use wmic instead of directly editing the registry
as the former does not take full effect unless the dns
client service is restarted.
Editing the registry appears to work erratically depending
on whether it's followed with a dhcp renew or ipconfig /registerdns
etc.
DOMAIN
Hi
On Tue, Sep 15, 2020 at 2:48 AM Lev Stipakov wrote:
> Hi,
>
> > -msg(M_USAGE, "--dhcp-options requires --ip-win32 dynamic or
> adaptive");
> > +msg(M_USAGE, "--dhcp-option requires --ip-win32 dynamic or
> adaptive");
>
> Nice, this typo has been there since at least 2005.
>
>
From: Selva Nair
When wintun is in use we mutate ip_win32_type to NETSH
and then complain that ip-win32 option should be dynamic or adaptive
if any --dhcp-option directive is present in the config file. This
causes a fatal error.
How to reproduce: specify a --dhcp-option in the config
Hi
On Fri, Sep 11, 2020 at 1:45 PM RafaeHil Gava wrote:
> Hi Selva,
>
> I was wondering if it's possible to detect UAC during the installation.
> What do you think?
>
There are many ways of running the GUI as admin and all involve some
deliberate action on the part of the user. The best we can
Hi,
On Fri, Sep 11, 2020 at 1:58 AM Gert Doering wrote:
> Hi,
>
> On Thu, Sep 10, 2020 at 06:10:17PM -0700, Marvin wrote:
> > To All 3,
> > Thank you with your help I found the issue. UAC was disabled in the
> > registry on this image. IIRC we had trouble updating some software by
> >
Hi
On Thu, Sep 10, 2020 at 3:10 AM Marvin Adeff wrote:
> Selva,
>
> Please allow me to back up a moment and restate this:
> 1. I installed the beta3 msi from the web site logged in as a user that
> has admin privileges. But no elevation was used to install it, just
> double-click on the file.
Hi,
On Thu, Sep 10, 2020 at 12:19 AM Marvin wrote:
> Hi Selva,
>
> The GUI did not have this error unless run as administrator which you
>> should not and will never work.
>
> So you are saying that if OpenVPN is installed by a user who has admin
> privileges (as our case does) that v2.5 with
ate to SYSTEM.
Selva
>
> Marvin
>
> On Wed, Sep 9, 2020 at 5:14 PM Selva Nair wrote:
>
>> Hi Marvin,
>>
>> This is the wrong thread, but...
>>
>> On Wed, Sep 9, 2020 at 7:54 PM Marvin wrote:
>>
>>> Hi Guys,
>>>
>>> I just teste
Hi Marvin,
This is the wrong thread, but...
On Wed, Sep 9, 2020 at 7:54 PM Marvin wrote:
> Hi Guys,
>
> I just tested beta3 on Win10. I am getting the exact same error with
> wintun as before. TAP works normally. I tried with the GUI and by cli.
>
The GUI never generated this error even
From: Selva Nair
trac #1059
Signed-off-by: Selva Nair
---
doc/man-sections/generic-options.rst | 7 +++
1 file changed, 7 insertions(+)
diff --git a/doc/man-sections/generic-options.rst
b/doc/man-sections/generic-options.rst
index a07fe7e..d5f0883 100644
--- a/doc/man-sections/generic
From: Selva Nair
As reported in Trac 1321, additional adapter installation
by tapctl.exe fails to fully setup the device node (some registry
keys missing, error in setapi.dev.log etc.).
Although the exact cause of this failure is unclear,
letting the Plug and Play subsystem handle
Hi Lev,
Thanks for confirming. What you tested is exactly what I have in mind.
I suppose you tested it using MSVC. I recall when I worked on creating tap
adapters on the fly (patch abandoned for lack of time) some functions in
newdev.dll did not resolve with mingw and I always had to load them
Hi,
tldr: a fix for Trac 1321
Currently tapctl.exe does the following to create an adapter and install
the driver on it.
1. Create a device info structure
2. Set the hardware id on it
3. Search the driver store for the latest matching driver
4. Select the driver, set it in the device info and
Hi
On Wed, Sep 2, 2020 at 9:54 AM Lev Stipakov wrote:
> Hi,
>
> >> if (dwResult != ERROR_SUCCESS)
> >> {
> >> -tap_delete_adapter(NULL, ,
> );
> >> +/* failed renaming is not a fatal error, continue
> */
> >> +
Hi
On Wed, Sep 2, 2020 at 9:39 AM Lev Stipakov wrote:
> From: Lev Stipakov
>
> For some users renaming adapter mysteriously fails
> (https://github.com/OpenVPN/openvpn-build/issues/187),
>
> Since renaming is just a "nice to have", make it not fatal.
>
> Signed-off-by: Lev Stipakov
> ---
>
Hi,
I would suggest to keep this renaming but make it not fatal. A
descriptive name is nice to have and we could even make the name
configurable at some point in future.
Selva
On Wed, Sep 2, 2020 at 8:40 AM Lev Stipakov wrote:
> From: Lev Stipakov
>
> Renaming doesn't work on some machines (
Hi
>
> > (2) At the end of install the GUI is launched as admin, not user.
>
> I couldn't reproduce that on my Windows 10 laptop:
>
I too can't reproduce it any longer. So please ignore that comment.
I was installing from the command line (easier to generate logs that way)
and probably used an
Hi
On Fri, Aug 28, 2020 at 9:10 AM Samuli Seppänen wrote:
> Hi,
>
> It would be great if somebody would find time to test the following
> installer:
>
>
> https://build.openvpn.net/downloads/releases/OpenVPN-2.5-beta2-I601-amd64.msi
>
> In particular I'd like to know if anyone else has problems
ure, management support and deferred auth
support have to be enabled but restricting the usefulness of your patch to
those cases is not really a limitation.
What am I missing?
Selva
---
> Eric Thorpe
> SparkLabs
> Developer https://www.sparklabs.com https://twitter.com/sparklabssupp...@spa
Hi,
On Thu, Aug 13, 2020 at 4:37 AM Eric Thorpe wrote:
> Hi Arne,
>
> The issue is your state is not accessible from where that boolean needs
> to be used unless I am missing something? Please advise if I'm mistaken
> or of another route.
>
I agree with Arne that duplicating a state machine
Hi,
On Wed, Aug 19, 2020 at 3:08 AM Lev Stipakov wrote:
> From: Lev Stipakov
>
> Commit 6d19775a468 has removed SYSTEM elevation hack,
> but introduced a regression - inability to use wintun without interactive
> service.
>
> Proceed with ring buffers registration even if iservice is unavailable
Hi
On Tue, Aug 18, 2020 at 3:42 PM Gert Doering wrote:
> Hi,
>
> On Tue, Aug 18, 2020 at 03:29:19PM -0400, Selva Nair wrote:
> > > If you already have SYSTEM, accessing wintun from openvpn directly will
> > > also work and should bring quite a bit of speed impro
Hi,
On Tue, Aug 18, 2020 at 3:21 PM Gert Doering wrote:
> Hi,
>
> On Tue, Aug 18, 2020 at 12:09:11PM -0700, Marvin Adeff wrote:
> > I'm sorry for the confusing response.
> >
> > Our systems do M2M monitoring and need to run OpenVPN even without a
> user logged in. In previous versions we
>
>
>
> An additional check in openvpn.exe whether it's started as SYSTEM could be
> useful as well, but less critical, IMO.
>
> Yes Please! We run 2500+ systems that run it this way as SYSTEM.
>
In most such cases (not using the GUI) one could use the automatic service
which runs as SYSTEM. For
Hi
On Tue, Aug 18, 2020 at 2:33 AM Gert Doering wrote:
> Hi,
>
> On Tue, Aug 18, 2020 at 08:23:35AM +0200, Gert Doering wrote:
> > This can also happen if you run the GUI with admin privs (because then
> > it will not use the iservice *but* openvpn needs *more* privs than
> > "just
From: Selva Nair
- Stress that these are handled internally only on some platforms
- Correct the statement about wintun
- Document DOMAIN-SEARCH
Signed-off-by: Selva Nair
---
v2: Rebase to master and reword to match the new rst version
Add doc for DOMAIN-SEARCH
doc/man-sections/vpn
ement interface was missed
in the previous version of the patch.
Selva
>
> --
> Best Regards, Vladislav Grishenko
>
> -Original Message-
> From: Selva Nair
> Sent: Friday, August 14, 2020 11:22 PM
> To: openvpn-devel
> Subject: Re: [Openvpn-devel] [PATCH v2]
Hi
On Fri, Aug 14, 2020 at 1:36 PM Arne Schwabe wrote:
>
> Am 14.08.20 um 19:12 schrieb Vladislav Grishenko:
> > In case of some permanent part of common name (ex. domain) and/or
> > long complex common name consisting of multiple x509 fields, it's
> > handy to kill client instances via
Hi,
This looks good but can we do better? We don't check the error
(GetLastError()) after the CreateFile() failure -- can we determine
whether the error was due to permissions, busy file (in use) or
disabled device and print out a more specific error message? I'm not
sure what errors are
Hi
On Thu, Jul 23, 2020 at 4:50 PM Arne Schwabe wrote:
>
> Am 23.07.2020 um 20:14 schrieb André via Openvpn-devel:
> > Hi,
> >
> > Regarding,
> >
> > https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#Option:--route-nopull
> > "Openvpn devs would like to know if you use this
Hi,
If your VPN establishes a route to the domain controller(s) and the
domain name resolves from the client, you can join the domain just as
you would do while directly connected to the LAN. For example, if the
domain name is example.local, "nslookup example.local" should return
the IP addresses
-- > "all forwarding for all
other clients"
Acked-by: Selva Nair
On Wed, Jul 15, 2020 at 5:02 AM Gert Doering wrote:
>
> If OpenVPN signals deferred authentication support (by setting
> the internal environment variables "auth_control_file" and
> "deferr
service, ) < 0)
> +{
> +goto done;
Do we have to abort in this case? This will exit the background
process and cripple the server while this could be a temporary memory
pressure causing the fork to fail. Why not just break and plough
along? The core will fail to get a response via the ac_file, but that
could happen if the grand-child fails as well -- the server is
supposed to cope with such failures.
> +}
> +break;
> +}
> +
> +
> +/* non-deferred auth: wait for pam result and send
> + * result back via control socketpair
> + */
> if (pam_auth(service, )) /* Succeeded */
> {
> if (send_control(fd, RESPONSE_VERIFY_SUCCEEDED) == -1)
> --
Apart from these minor issues that could be corrected or ignored at
merge time, all look good.
We should put the usage info into README.auth-pam as that seems to be
the only documentation of the plugin. Also an entry in changelog?
Could be a separate patch.
Acked-by: Selva Nair
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Hi,
On Tue, Jun 23, 2020 at 3:22 AM Jan Just Keijser wrote:
>
> Hi,
>
> On 21/06/20 17:14, Selva Nair wrote:
> > On Sun, Jun 21, 2020 at 7:14 AM Gert Doering wrote:
> >>
> >> going through OpenVPN threads that went stale - I think this is
> >> actu
On Mon, Jun 22, 2020 at 7:31 AM David Sommerseth wrote:
>
> This change makes the server use AES-256-GCM instead of BF-CBC as the
> default cipher for the VPN tunnel when starting OpenVPN via systemd
> and the openvpn-server@.service unit file.
>
> To avoid breaking existing running
Hi,
This was long overdue after patches after patches sprinkling fprintf() all
over the place.. mea culpa too..
Acked-by: Selva Nair
On Sat, Jun 20, 2020 at 11:18 AM Gert Doering wrote:
>
> More recent OpenVPN APIs pass a function pointer for a logging function
> (plugin_log()) t
Hi,
On Sat, Jun 20, 2020 at 12:23 PM Gert Doering wrote:
>
> If OpenVPN signals deferred authentication support (by setting the
> internal environment variable "auth_control_file"), do not wait
> for PAM stack to finish. Instead, the privileged PAM process
> returns RESPONSE_DEFER via the
Hi,
On Sun, Jun 21, 2020 at 7:14 AM Gert Doering wrote:
>
> Hi,
>
> going through OpenVPN threads that went stale - I think this is
> actually a nice addition (read: other people have already asked
> me if this can be done).
>
> On Thu, Mar 05, 2020 at 01:53:12PM +0100, Jan Just Keijser wrote:
>
On Tue, Jun 9, 2020 at 1:55 PM Gert Doering wrote:
> Hi,
>
> I ran into a problem at a customer installation recently, where
> plugin-auth-pam was blocking for some extended time (~30 seconds?)
> due to pam_radius not receiving answers due to problems in the backend.
>
> Now, maybe I should use
From: Selva Nair
(i) Let the management-client predictably cycle through remote entries. This
is done by not aborting after two cycles. The client can abort or restart
the connection using signals (USR/HUP/TERM) as necessary.
In the current behaviour, the daemon can unexpectedly exit when
Hi,
On Wed, May 13, 2020 at 12:36 PM Gert Doering wrote:
>
> Hi,
>
> On Sun, Jun 09, 2019 at 03:33:55PM -0400, Selva Nair wrote:
> > Ref: https://patchwork.openvpn.net/project/openvpn2/list/?series=201
> >
> > These patches were meant to help implement choosing the
Hi,
On Tue, Aug 7, 2018 at 3:01 PM Gert Doering wrote:
>
> Your patch has been applied to the master branch.
>
> (I'm a bit undecided about release/2.4 - this is in "new feature!" land,
> and all the challenge stuff is "master" territory. OTOH, it's not openvpn
> main code, and the code is sane
Hi,
> is this one and aa6affe6df811db11577847366a569def0a3e314 also material
> for release/2.4? So "feature" or "bug" category?
Yes it would be good to get this one and aa6affe into 2.4. This one
will cherry-pick with a minor conflict in cryptoapicert.c, easily
resolved. aa6affe should
From: Selva Nair
When only username is found in the file, redirect the auth-user-pass
query to the management interface if management-query-passwords is
enabled. Otherwise the user is prompted on console, if available,
as before.
This changes the behaviour for those who run from the command
From: Selva Nair
This helps the next patch. No functionality changes, only
refactoring.
Same as commit 461e566fb274d6f7647dc3aa81c02e4fbf362a23 in master
except for additional ifdef ENABLE_CLIENT_CR
Signed-off-by: Selva Nair
---
src/openvpn/misc.c | 61
Hi,
On Thu, Apr 2, 2020 at 12:56 PM Jonathan K. Bullard
wrote:
> Hi,
>
> On Mon, Mar 30, 2020 at 2:06 PM wrote:
> >
> > From: Selva Nair
> >
> > When only username is found in the file, redirect the auth-user-pass
> > query to the management i
Hi,
On Mon, Mar 30, 2020 at 8:59 AM Paolo Cerrito wrote:
> 1) so remote was set to the max length of an ipv6 address defined in
> arpa/inet.h + 1 for the string terminator
>
> 2) I refactored the call to get_env to take first ipv6 address, then
> only if it is NULL, I make a call for ipv4
> ---
>
From: Selva Nair
This helps the next patch. No functionality changes, only
refactoring.
Signed-off-by: Selva Nair
---
No changes from v1
src/openvpn/misc.c | 54 ++
1 file changed, 34 insertions(+), 20 deletions(-)
diff --git a/src/openvpn
From: Selva Nair
When only username is found in the file, redirect the auth-user-pass
query to the management if management-query-passwords is enabled.
Otherwise the user is prompted on console, if available, as before.
This changes the behaviour for those who run from the command line
Hi,
On Mon, Mar 30, 2020 at 12:11 PM Jonathan K. Bullard
wrote:
> Hi,
>
> On Mon, Mar 30, 2020 at 11:12 AM Selva Nair wrote:
> > Jonathan K. Bullard wrote:
> > >
> > > If the OS X command line user was using --management-query-passwords
> > >
Hi,
On Mon, Mar 30, 2020 at 2:07 AM Gert Doering wrote:
>
> Hi,
>
> On Sun, Mar 29, 2020 at 07:58:15PM -0400, Selva Nair wrote:
> > Yes, that's right. However, that logic won't be proper on OS-X, would it?
> > Command line users who use --log can still see password
>
Hi,
On Sun, Mar 29, 2020 at 7:13 PM Jonathan K. Bullard wrote:
>
> Hi,
>
> On Sun, Mar 29, 2020 at 4:34 PM wrote:
> >
> > From: Selva Nair
> >
> > If only username is found in the file, redirect the auth-user-pass
> > query to the management on