Re: [Openvpn-devel] [Openvpn-users] new openssl = new OpenVPN release ?

[Christian Hesse]

Gert Doering  on Tue, 2020/04/21 20:59:
> Hi,
> 
> On Tue, Apr 21, 2020 at 08:37:35PM +0200, Gert Doering wrote:
> > On Tue, Apr 21, 2020 at 02:15:43PM -0400, mike tancsa wrote:  
> > >     Will the sec issue with OpenSSL force a new release of OpenVPN ?
> > > 
> > > https://www.openssl.org/news/secadv/20200421.txt  
> 
> So, speaking to myself again :-) - I've looked at the advisory, and
> it talks about "Server or client applications that call the 
> SSL_check_chain() function".
> 
> Which we don't, I just grepped through our source tree.
> 
> So, unless I misunderstand something about OpenSSL intricacies, I think
> we're safe - no new installers needed, and OpenVPN is not in risk.

Are you sure that openvpn code does not call any openssl function that calls
SSL_check_chain() then? Did not check, but I guess that's possible.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpnhhPdodxsP.pgp
Description: OpenPGP digital signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] OpenVPN 2.4.9 released

[Christian Hesse]

Samuli Seppänen  on Mon, 2020/04/20 09:13:
> On a related note: I think we should consider stopping the distribution
> of the security list's public key from our webservers and just instruct
> people to fetch the key from the keyservers and refresh it if they have
> trouble.

Key server operation became instable lately. I would suggest to set up a web
key directory (WKD):
https://wiki.gnupg.org/WKD

Downloading the key from your WKD would require this command from a
recent gpg:

gpg --locate-keys secur...@openvpn.net
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpAVZ6bqxT7A.pgp
Description: OpenPGP digital signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] OpenVPN 2.4.9 released

[Christian Hesse]

"Jonathan K. Bullard"  on Fri, 2020/04/17 17:16:
>  IHi,
> 
> On Fri, Apr 17, 2020 at 8:47 AM Samuli Seppänen  wrote:
> >
> > The OpenVPN community project team is proud to release OpenVPN 2.4.9. It
> > can be downloaded from here:
> >
> >   
> 
> I'm having trouble verifying 2.4.9.tar.gz with GPG. I'm pretty
> clueless about gpg, but I think it may not have been signed with the
> correct key.

The key is still correct, but it has new subkeys. Try to refresh the key from
a keyserver:

$ gpg --refresh-keys F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpgVFhW9fafH.pgp
Description: OpenPGP digital signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 1/1] configure.ac: replace set with env

[Christian Hesse]

Tom Yan  on Mon, 2020/01/06 08:48:
> How about printenv (without grep)?

The variables are not known in advance. This needs to match all variables
starting with "enable_" and "with_".
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpLW26T7v6T8.pgp
Description: OpenPGP digital signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 1/1] configure.ac: replace set with env

[Christian Hesse]

From: Christian Hesse 

The shell builtin `set` produces different output for different shells:

bash$ set | grep '^TERM='
TERM=xterm
dash$ set | grep '^TERM='
TERM='xterm'

This may break reproducible builds depending on what shell is used.

Let's replace `set` with `env`, which is a real command and always
produces identical output.

Signed-off-by: Christian Hesse 
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index a47e0a06..f13ff7b6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1326,7 +1326,7 @@ if test "${enable_async_push}" = "yes"; then
)
 fi
 
-CONFIGURE_DEFINES="`set | grep '^enable_.*=' ; set | grep '^with_.*='`"
+CONFIGURE_DEFINES="`env | grep '^enable_.*=' ; env | grep '^with_.*='`"
 AC_DEFINE_UNQUOTED([CONFIGURE_DEFINES], ["`echo ${CONFIGURE_DEFINES}`"], 
[Configuration settings])
 
 TAP_WIN_COMPONENT_ID="PRODUCT_TAP_WIN_COMPONENT_ID"


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] Remove extra token after #endif

[Christian Hesse]

Lev Stipakov  on Fri, 2018/11/09 11:59:
> Commit ee80ce3d6f2ebc59068338757311e0488ae620fc wrapped
> code in #ifdef/#endif and added extra token after #endif,
> which produces compiler warning.
> 
> This removes unneeded extra token.
> 
> Signed-off-by: Lev Stipakov 
> ---
>  src/openvpn/init.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/src/openvpn/init.c b/src/openvpn/init.c
> index 586e4ca..1cdef31 100644
> --- a/src/openvpn/init.c
> +++ b/src/openvpn/init.c
> @@ -624,7 +624,7 @@ save_ncp_options(struct context *c)
>  c->c1.ciphername = c->options.ciphername;
>  c->c1.authname = c->options.authname;
>  c->c1.keysize = c->options.keysize;
> -#endif ENABLE_CRYPTO
> +#endif

Perhaps this should go into comment:

#endif /* ENABLE_CRYPTO */
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgp93kxnTfkV3.pgp
Description: OpenPGP digital signature
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 2/2] systemd: extend CapabilityBoundingSet for learn-address

[Christian Hesse]

Christian Ehrhardt  on Wed, 2018/08/29
16:27:
> It seems a not too uncommon case that learn-address needs to recycle
> dnsmasq - to do so it would need CAP_KILL.
> 
> This was suggested on https://community.openvpn.net/openvpn/ticket/918
> 
> Signed-off-by: Christian Ehrhardt 
> ---
>  distro/systemd/openvpn-ser...@.service.in | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/distro/systemd/openvpn-ser...@.service.in
> b/distro/systemd/openvpn-ser...@.service.in index d1cc72cb..edace213 100644
> --- a/distro/systemd/openvpn-ser...@.service.in
> +++ b/distro/systemd/openvpn-ser...@.service.in
> @@ -11,7 +11,7 @@ Type=notify
>  PrivateTmp=true
>  WorkingDirectory=/etc/openvpn/server
>  ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log
> --status-version 2 --suppress-timestamps --config %i.conf
> -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
> CAP_AUDIT_WRITE +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN
> CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> CAP_DAC_OVERRIDE CAP_AUDIT_WRITE CAP_KILL LimitNPROC=10
> DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun rw

I do not like services being allowed to send signals to other processes. As
dnsmasq supports a dbus interface... How about using that? For example to
clear the dns cache of an instance started from Networkmanager:

dbus-send --system --print-reply \
--dest=org.freedesktop.NetworkManager.dnsmasq /uk/org/thekelleys/dnsmasq \
uk.org.thekelleys.ClearCache
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgphSrSEjPWji.pgp
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 1/1] systemd: run openvpn with dedicated user

[Christian Hesse]

Simon Ruderich <si...@ruderich.org> on Tue, 2018/04/24 10:38:
> I haven't followed the netlink conversion in detail, so please
> tell me if the following was already discussed and I've just
> missed it.

No, it has not been discussed and needs a review.

> On Mon, Apr 23, 2018 at 11:28:13AM +0200, Christian Hesse wrote:
> >  if ENABLE_SYSTEMD
> > +if ENABLE_IPROUTE
> > +SYSTEMD_USER=root
> > +SYSTEMD_CAPS_OPTION=CapabilityBoundingSet
> > +SYSTEMD_CAPS_VALUES=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
> > CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE +else
> > +SYSTEMD_USER=openvpn
> > +SYSTEMD_CAPS_OPTION=AmbientCapabilities
> > +SYSTEMD_CAPS_VALUES=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
> > CAP_NET_RAW CAP_SYS_CHROOT CAP_DAC_OVERRIDE  
> 
> Are those capabilities dropped after initialization? If they are
> not this sounds like a serious issue as the process is basically
> running as root even if it's using another user (CAP_NET_ADMIN
> and CAP_DAC_OVERRIDE). Or am I missing something here?
>
> Regarding the netlink change in general: From what I understand
> it means that openvpn will always run with CAP_NET_ADMIN
> capabilities. Is this correct? If so, this sounds like it
> requires much more privileges than before for the normal
> operation (unless I misunderstand the current setup - to my
> knowledge it only requires a normal user after setup and no
> further capabilities or privileges once setup/connected).

The above snippet holds code for both, netlink and iproute2 versions.

The iproute2 version (that is what is used currently) uses systemd option
"CapabilityBoundingSet" to limit the capabilities to the given set. If
configured openvpn will drop privileges after setup.

With netlink and my patch on top we go the other way: The process runs (and
is started) with user "openvpn". To grant required privileges we use
systemd option "AmbientCapabilities" and give capabilities to the process.
The process keeps these capabilities, but that's a benefit: The process
survives a reconnect that requires configuration changes and shuts down
cleanly (takes down routes and addresses).

I do not agree that the process is running with root privileges. It has some
extra capabilities, but it can not kill processes, fork away and change
cgroups, etc.
IMHO that is what we want to achieve.

For this patch I took the current set of capabilities and stripped CAP_SETGID
and CAP_SETUID for the netlink version. Whether or not the other capabilities
are required should be discussed independently. Wondering why we have
CAP_DAC_OVERRIDE in our capability capability set... That looks suspicious
indeed.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpOWT9rvHVUt.pgp
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [RFC 0/4] add netlink support for Linux: update

[Christian Hesse]

Antonio Quartulli  on Fri, 2018/04/06 15:43:
> Two new files, namely networking_sitnl.c and networking_ip.c, provides
> two implementations for this API: one uses the new sitnl code (netlink)
> and one uses iproute2.

This complicates the situation for my followup code: Running the process with
unprivileged user works with netlink interface only. If we want to support
netlink and iproute2 we end up with creating the files from templates (or
carry static files in at least two versions).

This kicks into the discussion we had about supporting newer systemd features
selectively... Shipping different static files for distributions and/or
systemd versions duplicates the number of files.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgp_Ai2ktPpR8.pgp
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [RFC 0/3] follow-up netlink support, systemd integration

[Christian Hesse]

This series is a follow-up to 'add netlink support for Linux' by Antonio
Quartulli. It enhances integration with systemd and improves system security
by running the openvpn process with a dedicated user.

Christian Hesse (3):
  systemd: run openvpn with dedicated user
  systemd: do not downgrade UID/GID
  systemd: create configuration directories from tmpfiles

 configure.ac  | 8 
 distro/systemd/Makefile.am| 4 
 distro/systemd/openvpn-cli...@.service.in | 4 +++-
 distro/systemd/openvpn-ser...@.service.in | 4 +++-
 distro/systemd/sysusers-openvpn.conf  | 1 +
 distro/systemd/tmpfiles-openvpn.conf  | 6 --
 src/openvpn/init.c| 8 
 7 files changed, 31 insertions(+), 4 deletions(-)

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [RFC 2/3] systemd: do not downgrade UID/GID

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

Now that systemd starts the process with dedicated user we do no longer
want to downgrade privileges. Also remove CAP_SETGID and CAP_SETUID
from granted privileges.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 distro/systemd/openvpn-cli...@.service.in | 2 +-
 distro/systemd/openvpn-ser...@.service.in | 2 +-
 src/openvpn/init.c| 8 
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/distro/systemd/openvpn-cli...@.service.in 
b/distro/systemd/openvpn-cli...@.service.in
index a103d751..ee7957a6 100644
--- a/distro/systemd/openvpn-cli...@.service.in
+++ b/distro/systemd/openvpn-cli...@.service.in
@@ -13,7 +13,7 @@ User=openvpn
 Group=openvpn
 WorkingDirectory=/etc/openvpn/client
 ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
-AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID 
CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_CHROOT 
CAP_DAC_OVERRIDE
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
diff --git a/distro/systemd/openvpn-ser...@.service.in 
b/distro/systemd/openvpn-ser...@.service.in
index 7275e86a..03d28a2e 100644
--- a/distro/systemd/openvpn-ser...@.service.in
+++ b/distro/systemd/openvpn-ser...@.service.in
@@ -13,7 +13,7 @@ User=openvpn
 Group=openvpn
 WorkingDirectory=/etc/openvpn/server
 ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log 
--status-version 2 --suppress-timestamps --config %i.conf
-AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
CAP_NET_RAW CAP_SYS_CHROOT CAP_DAC_OVERRIDE
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 36c1a4c4..0fc60d62 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1151,6 +1151,14 @@ do_uid_gid_chroot(struct context *c, bool no_delay)
 /* set user and/or group if we want to setuid/setgid */
 if (c0->uid_gid_specified)
 {
+#ifdef ENABLE_SYSTEMD
+if (sd_notify(0, "READY=0") > 0 && getuid() != 0)
+{
+msg(M_INFO, "NOTE: Running from systemd with non-root uid, 
skipping downgrade");
+return;
+}
+#endif
+
 if (no_delay)
 {
 platform_group_set(>platform_state_group);

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [RFC 3/3] systemd: create configuration directories from tmpfiles

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

We have a dedicated user created by systemd-sysusers, so create
configuration directories from systemd-tmpfiles for proper permissions.
This mitigates a race condition at packaging/install time.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 distro/systemd/tmpfiles-openvpn.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/distro/systemd/tmpfiles-openvpn.conf 
b/distro/systemd/tmpfiles-openvpn.conf
index 835dc1c8..0f96baa5 100644
--- a/distro/systemd/tmpfiles-openvpn.conf
+++ b/distro/systemd/tmpfiles-openvpn.conf
@@ -1,2 +1,4 @@
 d /run/openvpn-client 0750 openvpn openvpn -
 d /run/openvpn-server 0750 openvpn openvpn -
+d /etc/openvpn/client 0750 openvpn openvpn -
+d /etc/openvpn/server 0750 openvpn openvpn -

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 1/1] Update copyright notes

[Christian Hesse]

Selva Nair <selva.n...@gmail.com> on Mon, 2018/01/29 10:24:
> Hi,
> 
> On Mon, Jan 29, 2018 at 3:43 AM, Christian Hesse <l...@eworm.de> wrote:
> > From: Christian Hesse <m...@eworm.de>
> >
> > Now that the first release in 2018 is imminent let's update
> > the copyright notes.  
> 
> I think this is a pointless exercise. Copyright starts from the point
> of creation. Perpetually updating the date is meaningless unless the
> file has changed by the person listed in the line getting updated --
> and that's hard to keep track of. Why not just leave it o the authors
> to add/modify copyright lines at the time of editing a file if they
> think a new entry is appropriate because of substantial changes or
> other reasons.
> 
> Just my 2c.

After all I do not care about the copyright year in the header of source
files. We had this change last year, so I proposed the same for this year.

But I think we should update the copyright your at places where it is visible
to users. This is the information displayed with `openvpn --version` and the
repository's README file. Are you willing to accept a patch for these? Are
there more places this makes sense?
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpQEzV2dnsAv.pgp
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 1/1] Update copyright notes

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

Now that the first release in 2018 is imminent let's update
the copyright notes.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 COPYING | 2 +-
 ChangeLog   | 2 +-
 Makefile.am | 2 +-
 PORTS   | 2 +-
 README  | 2 +-
 build/Makefile.am   | 2 +-
 build/msvc/Makefile.am  | 2 +-
 build/msvc/msvc-generate/Makefile.am| 2 +-
 configure.ac| 2 +-
 dev-tools/gen-release-tarballs.sh   | 2 +-
 dev-tools/lz4-rebaser.sh| 2 +-
 dev-tools/reformat-all.sh   | 2 +-
 dev-tools/update-copyright.sh   | 2 +-
 distro/Makefile.am  | 2 +-
 distro/rpm/Makefile.am  | 2 +-
 distro/systemd/Makefile.am  | 2 +-
 doc/Makefile.am | 2 +-
 doc/doxygen/Makefile.am | 2 +-
 doc/doxygen/doc_compression.h   | 2 +-
 doc/doxygen/doc_control_processor.h | 2 +-
 doc/doxygen/doc_control_tls.h   | 2 +-
 doc/doxygen/doc_data_control.h  | 2 +-
 doc/doxygen/doc_data_crypto.h   | 2 +-
 doc/doxygen/doc_eventloop.h | 2 +-
 doc/doxygen/doc_external_multiplexer.h  | 2 +-
 doc/doxygen/doc_fragmentation.h | 2 +-
 doc/doxygen/doc_internal_multiplexer.h  | 2 +-
 doc/doxygen/doc_key_generation.h| 2 +-
 doc/doxygen/doc_mainpage.h  | 2 +-
 doc/doxygen/doc_memory_management.h | 2 +-
 doc/doxygen/doc_protocol_overview.h | 2 +-
 doc/doxygen/doc_reliable.h  | 2 +-
 doc/doxygen/doc_tunnel_state.h  | 2 +-
 doc/openvpn.8   | 6 +++---
 include/Makefile.am | 2 +-
 include/openvpn-msg.h   | 2 +-
 include/openvpn-plugin.h.in | 2 +-
 sample/Makefile.am  | 2 +-
 sample/sample-plugins/defer/simple.c| 2 +-
 .../keying-material-exporter-demo/keyingmaterialexporter.c  | 2 +-
 sample/sample-plugins/log/log.c | 2 +-
 sample/sample-plugins/log/log_v3.c  | 2 +-
 sample/sample-plugins/simple/simple.c   | 2 +-
 src/Makefile.am | 2 +-
 src/compat/Makefile.am  | 2 +-
 src/compat/compat-gettimeofday.c| 2 +-
 src/openvpn/Makefile.am | 2 +-
 src/openvpn/argv.c  | 2 +-
 src/openvpn/argv.h  | 2 +-
 src/openvpn/basic.h | 2 +-
 src/openvpn/block_dns.c | 2 +-
 src/openvpn/buffer.c| 2 +-
 src/openvpn/buffer.h| 2 +-
 src/openvpn/circ_list.h | 2 +-
 src/openvpn/clinat.c| 2 +-
 src/openvpn/clinat.h| 2 +-
 src/openvpn/common.h| 2 +-
 src/openvpn/comp-lz4.c  | 4 ++--
 src/openvpn/comp-lz4.h  | 4 ++--
 src/openvpn/comp.c  | 2 +-
 src/openvpn/comp.h  | 2 +-
 src/openvpn/compstub.c  | 2 +-
 src/openvpn/console.c   | 4 ++--
 src/openv

Re: [Openvpn-devel] [PATCH] avoid useless assignment

[Christian Hesse]

David Sommerseth  on Thu, 2017/08/24 20:16:
> On 24/08/17 09:57, Antonio Quartulli wrote:
> > My effort in writing the commit message has been quite poor.
> > 
> > The assignment is useless because 'ret' is re-assigned a few lines later
> > without ever being read.  
> 
> Hmmm.  I'm not convinced of this change.  But I'm also weird in these
> cases :)
> 
> I think it is good defensive programming to predefine the state of
> variables.  When that is not done, it is up the the compiler to decide
> what to do - which most of the times does a sane job these days.  But
> you're at the mercy of the compiler.
> 
> In this case,  I would expect the compiler to optimize this out anyway,
> regardless of the approaches used.  The compiler doesn't necessarily set
> the value first to true and then to change it to the output of
> multi_process_post().  It might just as well postpone the declaration.
> 
> So I think a better approach would be to completely move the "bool ret"
> down.  So it will become:
> 
>bool ret = multi_process_post(m, mi, mpp_flags);
> 
> Which I think is also closer to what the compiler would end up with anyway.

ISO C90 forbids mixed declarations and code in C. Probably compilers will
start to complain.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgp9YMP02N81Q.pgp
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] avoid useless assignment

[Christian Hesse]

David Sommerseth <open...@sf.lists.topphemmelig.net> on Thu, 2017/08/24 20:51:
> On 24/08/17 20:40, Antonio Quartulli wrote:
> > 
> > 
> > On 25/08/17 02:40, Christian Hesse wrote:  
> >> David Sommerseth <open...@sf.lists.topphemmelig.net> on Thu, 2017/08/24
> >> 20:16:  
> >>> On 24/08/17 09:57, Antonio Quartulli wrote:  
> >>>> My effort in writing the commit message has been quite poor.
> >>>>
> >>>> The assignment is useless because 'ret' is re-assigned a few lines
> >>>> later without ever being read.
> >>>
> >>> Hmmm.  I'm not convinced of this change.  But I'm also weird in these
> >>> cases :)
> >>>
> >>> I think it is good defensive programming to predefine the state of
> >>> variables.  When that is not done, it is up the the compiler to decide
> >>> what to do - which most of the times does a sane job these days.  But
> >>> you're at the mercy of the compiler.
> >>>
> >>> In this case,  I would expect the compiler to optimize this out anyway,
> >>> regardless of the approaches used.  The compiler doesn't necessarily set
> >>> the value first to true and then to change it to the output of
> >>> multi_process_post().  It might just as well postpone the declaration.
> >>>
> >>> So I think a better approach would be to completely move the "bool ret"
> >>> down.  So it will become:
> >>>
> >>>bool ret = multi_process_post(m, mi, mpp_flags);
> >>>
> >>> Which I think is also closer to what the compiler would end up with
> >>> anyway.  
> >>
> >> ISO C90 forbids mixed declarations and code in C. Probably compilers will
> >> start to complain.  
> > 
> > We try to stick to C99. I think it allows such mix, no?  
> 
> That is correct.  We set -std=c99 unless CFLAGS already contains -std=.
> But we expect OpenVPN to be C99 compliant.
> 
> And C99 allows this.

You are right... So scratch my concern.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpEGrDLbx46m.pgp
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] devel mailing list

[Christian Hesse]

Selva Nair  on Sat, 2017/04/15 16:08:
> I did not get this mail
> 
> https://sourceforge.net/p/openvpn/mailman/message/35789733/
> 
> Something up with the list or is it only me?

I did receive the mail. Possibly anything blocked the 7z attachment for you?
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpcodWrW_vYR.pgp
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH v3 00/15] Add support for OpenSSL 1.1.x

[Christian Hesse]

Christian Hesse <l...@eworm.de> on Fri, 2017/02/24 13:13:
> Christian Hesse <l...@eworm.de> on Thu, 2017/02/23 21:57:
> > Built v3 against openssl 1.0.2k without issues, tests succeed and two
> > instanced successfully established vpn connection (with server version
> > 2.3.12 and 2.4.0).  
> 
> Just tested a server instance with ancient client (version 2.1.4). Works as
> well.
> 
> I will try to restart another server instance later.

Just restarted the server. Here is the current client connect statistic:

  1  2.3.8
  4  2.3.12
  6  2.3.13
  7  2.3.11
 18  2.3.14
 70  2.4.0

So looks good for now. ;)
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgp0DmfePlO2O.pgp
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 1/1] fix typo in notification message

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 src/openvpn/init.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index ff1551e..7da0061 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -567,7 +567,7 @@ context_init_1(struct context *c)
  * do any fork due to daemon() a future call.
  * See possibly_become_daemon() [init.c] for more details.
  */
-sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization 
succesfull\nMAINPID=%lu",
+sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization 
successful\nMAINPID=%lu",
(unsigned long) getpid());
 #endif
 
-- 
2.11.1


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH v3 00/15] Add support for OpenSSL 1.1.x

[Christian Hesse]

Christian Hesse <l...@eworm.de> on Thu, 2017/02/23 21:57:
> Built v3 against openssl 1.0.2k without issues, tests succeed and two
> instanced successfully established vpn connection (with server version
> 2.3.12 and 2.4.0).

Just tested a server instance with ancient client (version 2.1.4). Works as
well.

I will try to restart another server instance later.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpQ2mHLbwqHV.pgp
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH v3 00/15] Add support for OpenSSL 1.1.x

[Christian Hesse]

Emmanuel Deloget  on Thu, 2017/02/23 15:35:
> This is v3 of the remaining patches for the "Add support for OpenSSL 
> 1.1.x" series. This series is partial: only the modified patches are 
> sent to the ML -- the other have not changed. The stats are a bit off 
> so I don't include them in this mail.
> 
> They have been generated after a rebase from the master tree. Individual
> commits can be viewed at
> 
>   https://github.com/emmanuel-deloget/openvpn/commits/openssl-1.1-v3
> 
> (This time, the branch name is correct :))
> 
> Changes v2 --> v3: 
> 
> * RSA_METHOD (04/15): rsa_meth->name is now a dup of the name parameter; 
>   it's freed in RSA_meth_free(). 
> 
> * RSA (07/15): calling RSA_set_method() in rsa_finish() is both a Bad 
>   Idea and not required so it has been removed.
>   
> Changes v1 --> v2:
> 
> * EVP_PKEY (06/15): add missing function EVP_PKEY_id() for 0.9.8.
> 
> * replace patch 15/15 with a new patch to use EVP_CipherInit_ex() 
>   instead of EVP_CipherInit() when a full init is not needed.
> 
> 
> Emmanuel Deloget (15):
>   [commited] OpenSSL: don't use direct access to the internal of SSL_CTX
>   [commited] OpenSSL: don't use direct access to the internal of X509_STORE
>   [commited] OpenSSL: don't use direct access to the internal of X509_OBJECT
>   OpenSSL: don't use direct access to the internal of RSA_METHOD
>   OpenSSL: don't use direct access to the internal of X509
>   OpenSSL: don't use direct access to the internal of EVP_PKEY
>   OpenSSL: don't use direct access to the internal of RSA
>   OpenSSL: don't use direct access to the internal of DSA
>   [commited] OpenSSL: don't use direct access to the internal of
> X509_STORE_CTX OpenSSL: don't use direct access to the internal of
> EVP_MD_CTX OpenSSL: don't use direct access to the internal of
> EVP_CIPHER_CTX OpenSSL: don't use direct access to the internal of HMAC_CTX
>   OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1
>   OpenSSL: constify getbio() parameters
>   OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()

Built v3 against openssl 1.0.2k without issues, tests succeed and two
instanced successfully established vpn connection (with server version 2.3.12
and 2.4.0).

Built against openssl 1.1.0e without issues, tests succeed. Did not test with
real world connectivity, though.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgp9Qdgpj9PV2.pgp
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [RFC PATCH v1 09/15] OpenSSL: don't use direct access to the internal of X509_STORE_CTX

[Christian Hesse]

Steffan Karger  on Tue, 2017/02/21 22:30:
> ACK.  Changes look good and tested against OpenSSL 0.9.8, 1.0.0, 1.0.1
> and 1.0.2.

You answered to a patch in the middle of a series. Does this ACK apply to the
complete series or just this patch?
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpy7cO83QlgZ.pgp
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

[Christian Hesse]

Christian Hesse <l...@eworm.de> on Mon, 2017/02/20 16:02:
> Emmanuel Deloget <log...@free.fr> on Mon, 2017/02/20 15:52:
> > On Mon, Feb 20, 2017 at 2:53 PM, Emmanuel Deloget <log...@free.fr>
> > wrote:  
> > > Hi again,
> > >
> > > On Mon, Feb 20, 2017 at 2:33 PM, Emmanuel Deloget <log...@free.fr>
> > > wrote:
> > >> Hi Christian,
> > >>
> > >> On Mon, Feb 20, 2017 at 1:29 PM, Christian Hesse <l...@eworm.de>
> > >> wrote:
> > >>> That matches my findings. Built against openssl 1.1.0e (Arch Linux
> > >>> package openssl 1.1.0.e-1 [0]) the build itself succeeds, but 'make
> > >>> check' reports lots of cipher failures.
> > >>>
> > >>> Are your patches available from a public git repository?
> > >>
> > >> I will make my patches available on github ASAP.
> > >
> > > I did as fast as I could, here they are:
> > >
> > > https://github.com/emmanuel-deloget/openvpn/commits/openvpn-1.1
> > 
> > BTW, sorry for the branch name. I believe my fingers got stuck to a
> > limited number of characters. This should have been openssl-1.1 but
> > it's not too late to change it :)  
> 
> Ah, I checked out the wrong branch. :-p
> 
> Redoing my test...

That one looks good! Build and tested against ArchLinux package
openssl 1.1.0e.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpTFnINrW3gD.pgp
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

[Christian Hesse]

Emmanuel Deloget <log...@free.fr> on Mon, 2017/02/20 15:52:
> On Mon, Feb 20, 2017 at 2:53 PM, Emmanuel Deloget <log...@free.fr> wrote:
> > Hi again,
> >
> > On Mon, Feb 20, 2017 at 2:33 PM, Emmanuel Deloget <log...@free.fr>
> > wrote:  
> >> Hi Christian,
> >>
> >> On Mon, Feb 20, 2017 at 1:29 PM, Christian Hesse <l...@eworm.de> wrote:  
> >>> That matches my findings. Built against openssl 1.1.0e (Arch Linux
> >>> package openssl 1.1.0.e-1 [0]) the build itself succeeds, but 'make
> >>> check' reports lots of cipher failures.
> >>>
> >>> Are your patches available from a public git repository?  
> >>
> >> I will make my patches available on github ASAP.  
> >
> > I did as fast as I could, here they are:
> >
> > https://github.com/emmanuel-deloget/openvpn/commits/openvpn-1.1  
> 
> BTW, sorry for the branch name. I believe my fingers got stuck to a
> limited number of characters. This should have been openssl-1.1 but
> it's not too late to change it :)

Ah, I checked out the wrong branch. :-p

Redoing my test...
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpm9G60bKpi6.pgp
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [RFC PATCH v1 00/15] Add support for OpenSSL 1.1.x

[Christian Hesse]

Emmanuel Deloget  on Mon, 2017/02/20 12:45:
> Hello,
> 
> On Sun, Feb 19, 2017 at 6:49 PM, Gert Doering  wrote:
> > Hi,
> >
> > On Sun, Feb 19, 2017 at 01:03:45PM +0100, Steffan Karger wrote:  
> >> Thank you very much.  You approach looks good to me, and quite closely
> >> matches what I had in mind for when I would find the time to tackle
> >> this.  (Which might have taken me a while, so really happy to see these
> >> patches!)  
> > [..]  
> >> Also very good that this is split up into small and independently
> >> reviewable patches.  I'll start review soon.  
> >
> > While Steffan is our resident expert on nasty crypto libraries, I just
> > want to echo the sentiment - having these "chunks" tackle one API function
> > at a time, they are easily testable, and in case something explodes, it's
> > much easier to bisect to find the problematic one.
> >
> > Now back to being a commit slave for Steffan's ACKs :-)  (I do not know
> > the APIs well enough to properly comment on the changes, I can only run
> > tests...)  
> 
> I resumed the work this morning. So far the results are :
> 
> * 0.9.8zh --> EVP_PKEY_id() is not defined. I'm adding this to
> openssl_compat.h and will provide a v2 patch with the change. Once
> added, OpenVPN compiled successfully and was able to connect to my
> /2.3 server.
> 
> * 1.0.0t --> compile OK, connect OK
> 
> * 1.0.1u --> compile OK, connect OK
> 
> * 1.0.2.k --> compile OK, connect OK
> 
> * 1.1.0-git --> compile OK, failure to connect. I'm currently
> investigating this issue. I'll  provide a patch as soon as I fix this
> (this is a bit ironic ; I may have forgotten something somewhere...).

That matches my findings. Built against openssl 1.1.0e (Arch Linux package
openssl 1.1.0.e-1 [0]) the build itself succeeds, but 'make check' reports
lots of cipher failures.

Are your patches available from a public git repository?

[0] https://www.archlinux.org/packages/staging/x86_64/openssl/
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpUrshXYFkya.pgp
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] build against openssl 1.1.0

[Christian Hesse]

David Sommerseth  on Sat, 2017/02/18 02:52:
> On 17/02/17 22:59, Emmanuel Deloget wrote:
> > I'm not targetting 2.4 -- my work is done on the current master. Adding
> > hundreds of lines to the current 2.4 for the purpose of supporting a
> > library which is not yet present on the user systems does not make much
> > sense :)  
> 
> Currently, master and release/2.4 are fairly close ... so it shouldn't
> be too hard to cherry-pick stuff from master (which we usually prefer to
> do).
> 
> With that said ... I know Fedora have OpenSSL v1.1 support on their wish
> list for for OpenVPN [1] and I believe Arch Linux guys have also been
> asking about this too.  So the more leading edge distros are moving
> towards OpenSSL v1.1 as fast as possible

Arch Linux guy started this thread. ;)

Would be great to have openssl 1.1.0 support in master soon. Maintaining
backported patches downstream should not be a problem.

From my point of view having support for openssl 1.1.0 in release/2.4 would
be even better to minimize packaging workload.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpTx8wUzeaW0.pgp
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] build against openssl 1.1.0

[Christian Hesse]

On Mon, 13 Feb 2017 20:33:38 +0100
Gert Doering <g...@greenie.muc.de> wrote:
> On Mon, Feb 13, 2017 at 08:17:58PM +0100, Christian Hesse wrote:
> > Arch Linux is about to upgrade openssl to version 1.1.0. OpenVPN
> > does not compile against this version. Did anybody start the work
> > to support latest openssl versions?  
> 
> How does Arch deal with OpenSSH (which doesn't compile with 1.1.0
> either, at least "out of the repo")?

Good question... I am not responsible for the openssh package. Gaetan
has to deal with it.

And a lot more has to be done... There's a long list of packages to be
fixed. Sadly openssl developers do not care about ABI and API stability
or compatibility. :(
-- 
Best regards,
Chris

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] build against openssl 1.1.0

[Christian Hesse]

Hello everybody,

Arch Linux is about to upgrade openssl to version 1.1.0. OpenVPN does not
compile against this version. Did anybody start the work to support latest
openssl versions?
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgp0Spgf86j0G.pgp
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 1/1] remove GNUism and fix out-of-tree build

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

The plugin path handling cleanup (4590c383) introduced GNUism and broke
out-of-tree builds.

Revert back to let configure generate the header file. Instead let make
add an extra CFLAG that defines PLUGIN_LIBDIR.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 configure.ac| 2 +-
 include/Makefile.am | 7 ---
 include/openvpn-plugin.h.in | 2 --
 src/openvpn/Makefile.am | 4 +++-
 4 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/configure.ac b/configure.ac
index f305c54..b29f8b4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -38,7 +38,7 @@ AC_DEFINE([OPENVPN_VERSION_MINOR], [PRODUCT_VERSION_MINOR], 
[OpenVPN minor versi
 AC_DEFINE([OPENVPN_VERSION_PATCH], ["PRODUCT_VERSION_PATCH"], [OpenVPN patch 
level - may be a string or integer])
 
 AC_CONFIG_AUX_DIR([.])
-AC_CONFIG_HEADERS([config.h])
+AC_CONFIG_HEADERS([config.h include/openvpn-plugin.h])
 AC_CONFIG_SRCDIR([src/openvpn/syshead.h])
 AC_CONFIG_MACRO_DIR([m4])
 
diff --git a/include/Makefile.am b/include/Makefile.am
index 37962a6..a52c427 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -16,10 +16,3 @@ MAINTAINERCLEANFILES = \
 include_HEADERS = \
openvpn-plugin.h \
openvpn-msg.h
-
-openvpn-plugin.h: openvpn-plugin.h.in Makefile
-   $(AM_V_GEN)sed -e 's|\@PLUGINDIR\@|$(plugindir)|' \
-   -e 's|\@OPENVPN_VERSION_MAJOR\@|$(OPENVPN_VERSION_MAJOR)|' \
-   -e 's|\@OPENVPN_VERSION_MINOR\@|$(OPENVPN_VERSION_MINOR)|' \
-   -e 's|\@OPENVPN_VERSION_PATCH\@|$(OPENVPN_VERSION_PATCH)|' \
-   $< > $@.tmp && mv $@.tmp $@
diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in
index a084fc1..0b30352 100644
--- a/include/openvpn-plugin.h.in
+++ b/include/openvpn-plugin.h.in
@@ -27,8 +27,6 @@
 
 #define OPENVPN_PLUGIN_VERSION 3
 
-#define PLUGIN_LIBDIR "@PLUGINDIR@"
-
 #ifdef ENABLE_CRYPTO
 #ifdef ENABLE_CRYPTO_MBEDTLS
 #include 
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index bea294b..3f97855 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -27,7 +27,9 @@ AM_CFLAGS = \
$(OPTIONAL_CRYPTO_CFLAGS) \
$(OPTIONAL_LZO_CFLAGS) \
$(OPTIONAL_LZ4_CFLAGS) \
-   $(OPTIONAL_PKCS11_HELPER_CFLAGS)
+   $(OPTIONAL_PKCS11_HELPER_CFLAGS) \
+   -DPLUGIN_LIBDIR=\"${plugindir}\"
+
 if WIN32
 # we want unicode entry point but not the macro
 AM_CFLAGS += -municode -UUNICODE
-- 
2.11.0


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH v5 1/1] Clean up plugin path handling

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

Drop --with-plugindir, instead use an environment variable PLUGINDIR
to specify the plugin directory.

This puts a define into include/openvpn-plugin.h.in which has the plugin
directory.
The configure script does not know about the final plugin path. Thus we
have to make make generate the final header file for us.

As the path is always available remove the compile time condition (and
dead code) from src/openvpn/plugin.c.

v2: The configure script can not evaluate the final $libdir path. So
use make to create a header file on the containing the final path.

v3: Fix whitespace errors and gitignore location.

v4: No extra header file, generate src/openvpn/plugin.h on the fly.
Remove condition and dead code.

v5: Move the define to include/openvpn-plugin.h.in and let make generate
the final header file.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 configure.ac| 16 +++-
 include/Makefile.am |  7 +++
 include/openvpn-plugin.h.in |  2 ++
 src/openvpn/plugin.c| 10 +-
 4 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/configure.ac b/configure.ac
index 79fb1ba..f305c54 100644
--- a/configure.ac
+++ b/configure.ac
@@ -38,7 +38,7 @@ AC_DEFINE([OPENVPN_VERSION_MINOR], [PRODUCT_VERSION_MINOR], 
[OpenVPN minor versi
 AC_DEFINE([OPENVPN_VERSION_PATCH], ["PRODUCT_VERSION_PATCH"], [OpenVPN patch 
level - may be a string or integer])
 
 AC_CONFIG_AUX_DIR([.])
-AC_CONFIG_HEADERS([config.h include/openvpn-plugin.h])
+AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_SRCDIR([src/openvpn/syshead.h])
 AC_CONFIG_MACRO_DIR([m4])
 
@@ -301,13 +301,12 @@ AC_ARG_WITH(
[with_crypto_library="openssl"]
 )
 
-AC_ARG_WITH(
-   [plugindir],
-   [AS_HELP_STRING([--with-plugindir], [plugin directory 
@<:@default=LIBDIR/openvpn@:>@])],
-   ,
-   [with_plugindir="\$(libdir)/openvpn/plugins"]
-)
-
+AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory 
@<:@default=LIBDIR/openvpn/plugins@:>@])
+if test -n "${PLUGINDIR}"; then
+   plugindir="${PLUGINDIR}"
+else
+   plugindir="\${libdir}/openvpn/plugins"
+fi
 
 AC_DEFINE_UNQUOTED([TARGET_ALIAS], ["${host}"], [A string representing our 
host])
 case "$host" in
@@ -1284,7 +1283,6 @@ AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test 
"${enable_plugin_down_root}" = "
 AM_CONDITIONAL([ENABLE_CRYPTO], [test "${enable_crypto}" = "yes"])
 AM_CONDITIONAL([HAVE_LD_WRAP_SUPPORT], [test "${have_ld_wrap_support}" = 
"yes"])
 
-plugindir="${with_plugindir}"
 sampledir="\$(docdir)/sample"
 AC_SUBST([plugindir])
 AC_SUBST([sampledir])
diff --git a/include/Makefile.am b/include/Makefile.am
index a52c427..37962a6 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -16,3 +16,10 @@ MAINTAINERCLEANFILES = \
 include_HEADERS = \
openvpn-plugin.h \
openvpn-msg.h
+
+openvpn-plugin.h: openvpn-plugin.h.in Makefile
+   $(AM_V_GEN)sed -e 's|\@PLUGINDIR\@|$(plugindir)|' \
+   -e 's|\@OPENVPN_VERSION_MAJOR\@|$(OPENVPN_VERSION_MAJOR)|' \
+   -e 's|\@OPENVPN_VERSION_MINOR\@|$(OPENVPN_VERSION_MINOR)|' \
+   -e 's|\@OPENVPN_VERSION_PATCH\@|$(OPENVPN_VERSION_PATCH)|' \
+   $< > $@.tmp && mv $@.tmp $@
diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in
index 0b30352..a084fc1 100644
--- a/include/openvpn-plugin.h.in
+++ b/include/openvpn-plugin.h.in
@@ -27,6 +27,8 @@
 
 #define OPENVPN_PLUGIN_VERSION 3
 
+#define PLUGIN_LIBDIR "@PLUGINDIR@"
+
 #ifdef ENABLE_CRYPTO
 #ifdef ENABLE_CRYPTO_MBEDTLS
 #include 
diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
index e530c0c..f777027 100644
--- a/src/openvpn/plugin.c
+++ b/src/openvpn/plugin.c
@@ -234,23 +234,15 @@ plugin_init_item(struct plugin *p, const struct 
plugin_option *o)
 #ifndef _WIN32
 
 p->handle = NULL;
-#if defined(PLUGIN_LIBDIR)
+
 if (!absolute_pathname(p->so_pathname))
 {
 char full[PATH_MAX];
 
 openvpn_snprintf(full, sizeof(full), "%s/%s", PLUGIN_LIBDIR, 
p->so_pathname);
 p->handle = dlopen(full, RTLD_NOW);
-#if defined(ENABLE_PLUGIN_SEARCH)
-if (!p->handle)
-{
-rel = true;
-p->handle = dlopen(p->so_pathname, RTLD_NOW);
-}
-#endif
 }
 else
-#endif
 {
 rel = !absolute_pathname(p->so_pathname);
 p->handle = dlopen(p->so_pathname, RTLD_NOW);
-- 
2.11.0


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH v4 1/1] Clean up plugin path handling

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

Drop --with-plugindir, instead use an environment variable PLUGINDIR
to specify the plugin directory.

This makes src/openvpn/plugin.h a template (moved the file to
src/openvpn/plugin.h.in). The real header file is generated on the fly,
including a define for the plugin path.
As the path is always available remove the compile time condition (and
dead code) from src/openvpn/plugin.c.

v2: The configure script can not evaluate the final $libdir path. So
use make to create a header file on the containing the final path.

v3: Fix whitespace errors and gitignore location.

v4: No extra header file, generate src/openvpn/plugin.h on the fly.
Remove condition and dead code.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 .gitignore|  1 +
 configure.ac  | 14 ++
 src/openvpn/Makefile.am   |  7 ++-
 src/openvpn/plugin.c  | 10 +-
 src/openvpn/{plugin.h => plugin.h.in} |  2 ++
 5 files changed, 16 insertions(+), 18 deletions(-)
 rename src/openvpn/{plugin.h => plugin.h.in} (99%)

diff --git a/.gitignore b/.gitignore
index 30e289b..780be68 100644
--- a/.gitignore
+++ b/.gitignore
@@ -63,6 +63,7 @@ t_client_ips.rc
 tests/unit_tests/**/*_testdriver
 
 src/openvpn/openvpn
+src/openvpn/plugin.h
 include/openvpn-plugin.h
 config-version.h
 nbproject
diff --git a/configure.ac b/configure.ac
index 79fb1ba..b29f8b4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -301,13 +301,12 @@ AC_ARG_WITH(
[with_crypto_library="openssl"]
 )
 
-AC_ARG_WITH(
-   [plugindir],
-   [AS_HELP_STRING([--with-plugindir], [plugin directory 
@<:@default=LIBDIR/openvpn@:>@])],
-   ,
-   [with_plugindir="\$(libdir)/openvpn/plugins"]
-)
-
+AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory 
@<:@default=LIBDIR/openvpn/plugins@:>@])
+if test -n "${PLUGINDIR}"; then
+   plugindir="${PLUGINDIR}"
+else
+   plugindir="\${libdir}/openvpn/plugins"
+fi
 
 AC_DEFINE_UNQUOTED([TARGET_ALIAS], ["${host}"], [A string representing our 
host])
 case "$host" in
@@ -1284,7 +1283,6 @@ AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test 
"${enable_plugin_down_root}" = "
 AM_CONDITIONAL([ENABLE_CRYPTO], [test "${enable_crypto}" = "yes"])
 AM_CONDITIONAL([HAVE_LD_WRAP_SUPPORT], [test "${have_ld_wrap_support}" = 
"yes"])
 
-plugindir="${with_plugindir}"
 sampledir="\$(docdir)/sample"
 AC_SUBST([plugindir])
 AC_SUBST([sampledir])
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index bea294b..4f8a315 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -11,12 +11,17 @@
 
 include $(top_srcdir)/build/ltrc.inc
 
+plugin.h: plugin.h.in Makefile
+   $(AM_V_GEN)sed -e 's|\@PLUGINDIR\@|$(plugindir)|' \
+   $< > $@.tmp && mv $@.tmp $@
+
 MAINTAINERCLEANFILES = \
$(srcdir)/Makefile.in
 
 EXTRA_DIST = \
openvpn.vcxproj \
-   openvpn.vcxproj.filters
+   openvpn.vcxproj.filters \
+   plugin.h.in
 
 AM_CPPFLAGS = \
-I$(top_srcdir)/include \
diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
index e530c0c..f777027 100644
--- a/src/openvpn/plugin.c
+++ b/src/openvpn/plugin.c
@@ -234,23 +234,15 @@ plugin_init_item(struct plugin *p, const struct 
plugin_option *o)
 #ifndef _WIN32
 
 p->handle = NULL;
-#if defined(PLUGIN_LIBDIR)
+
 if (!absolute_pathname(p->so_pathname))
 {
 char full[PATH_MAX];
 
 openvpn_snprintf(full, sizeof(full), "%s/%s", PLUGIN_LIBDIR, 
p->so_pathname);
 p->handle = dlopen(full, RTLD_NOW);
-#if defined(ENABLE_PLUGIN_SEARCH)
-if (!p->handle)
-{
-rel = true;
-p->handle = dlopen(p->so_pathname, RTLD_NOW);
-}
-#endif
 }
 else
-#endif
 {
 rel = !absolute_pathname(p->so_pathname);
 p->handle = dlopen(p->so_pathname, RTLD_NOW);
diff --git a/src/openvpn/plugin.h b/src/openvpn/plugin.h.in
similarity index 99%
rename from src/openvpn/plugin.h
rename to src/openvpn/plugin.h.in
index 4ded529..3d6e312 100644
--- a/src/openvpn/plugin.h
+++ b/src/openvpn/plugin.h.in
@@ -43,6 +43,8 @@
 
 #define MAX_PLUGINS 16
 
+#define PLUGIN_LIBDIR "@PLUGINDIR@"
+
 struct plugin_option {
 const char *so_pathname;
 const char **argv;
-- 
2.11.0


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH v3 1/1] Clean up plugin path handling

[Christian Hesse]

David Sommerseth <open...@sf.lists.topphemmelig.net> on Wed, 2017/01/25 18:06:
> On 25/01/17 17:04, Christian Hesse wrote:
> > From: Christian Hesse <m...@eworm.de>
> > 
> > Drop --with-plugindir, instead use an environment variable PLUGINDIR
> > to specify the plugin directory.
> > 
> > This generates a header file src/openvpn/plugindir.h which contains a
> > define file the plugindir.
> > 
> > v2: The configure script can not evaluate the final $libdir path. So
> > use make to create a header file on the containing the final path.
> > 
> > v3: Fix whitespace errors and gitignore location.
> > 
> > Signed-off-by: Christian Hesse <m...@eworm.de>
> > ---
> >  .gitignore |  1 +
> >  configure.ac   | 14 ++
> >  src/openvpn/Makefile.am| 11 +--
> >  src/openvpn/plugin.c   |  1 +
> >  src/openvpn/plugindir.h.in | 34 ++
> >  5 files changed, 51 insertions(+), 10 deletions(-)
> >  create mode 100644 src/openvpn/plugindir.h.in  
> 
> 
> Okay, some more feedback to this thread :)
> 
> As I've said, I think this makes sense.  It provides a predictable
> plug-in directory which is easily accessible within the C code ... and
> it will always be set.  So, Feature-ACK.
> 
> But I am wondering about the rationale of adding another header file
> (plugindir.h).  Why not just add this information to
> openvpn-plugin.h.in, which results into openvpn-plugin.h ... and which
> plugin.c already includes via plugin.h ...  I actually think this path
> can be quite useful for third-party plug-ins, being built outside of the
> openvpn source tree.

I did not want to be too intrusive. ;) Happy to hear that... About to
prepare a new patch, stay tuned!
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpiRQV96VKF8.pgp
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH v3 1/1] Clean up plugin path handling

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

Drop --with-plugindir, instead use an environment variable PLUGINDIR
to specify the plugin directory.

This generates a header file src/openvpn/plugindir.h which contains a
define file the plugindir.

v2: The configure script can not evaluate the final $libdir path. So
use make to create a header file on the containing the final path.

v3: Fix whitespace errors and gitignore location.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 .gitignore |  1 +
 configure.ac   | 14 ++
 src/openvpn/Makefile.am| 11 +--
 src/openvpn/plugin.c   |  1 +
 src/openvpn/plugindir.h.in | 34 ++
 5 files changed, 51 insertions(+), 10 deletions(-)
 create mode 100644 src/openvpn/plugindir.h.in

diff --git a/.gitignore b/.gitignore
index e6da21c..28df0f8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -62,6 +62,7 @@ t_client_ips.rc
 tests/unit_tests/**/*_testdriver
 
 src/openvpn/openvpn
+src/openvpn/plugindir.h
 include/openvpn-plugin.h
 config-version.h
 nbproject
diff --git a/configure.ac b/configure.ac
index 8783109..f4c6bda 100644
--- a/configure.ac
+++ b/configure.ac
@@ -301,13 +301,12 @@ AC_ARG_WITH(
[with_crypto_library="openssl"]
 )
 
-AC_ARG_WITH(
-   [plugindir],
-   [AS_HELP_STRING([--with-plugindir], [plugin directory 
@<:@default=LIBDIR/openvpn@:>@])],
-   ,
-   [with_plugindir="\$(libdir)/openvpn/plugins"]
-)
-
+AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory 
@<:@default=LIBDIR/openvpn/plugins@:>@])
+if test -n "${PLUGINDIR}"; then
+   plugindir="${PLUGINDIR}"
+else
+   plugindir="\${libdir}/openvpn/plugins"
+fi
 
 AC_DEFINE_UNQUOTED([TARGET_ALIAS], ["${host}"], [A string representing our 
host])
 case "$host" in
@@ -1270,7 +1269,6 @@ AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test 
"${enable_plugin_down_root}" = "
 AM_CONDITIONAL([ENABLE_CRYPTO], [test "${enable_crypto}" = "yes"])
 AM_CONDITIONAL([HAVE_LD_WRAP_SUPPORT], [test "${have_ld_wrap_support}" = 
"yes"])
 
-plugindir="${with_plugindir}"
 sampledir="\$(docdir)/sample"
 AC_SUBST([plugindir])
 AC_SUBST([sampledir])
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index bea294b..53f4676 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -11,12 +11,19 @@
 
 include $(top_srcdir)/build/ltrc.inc
 
+plugindir.h: plugindir.h.in Makefile
+   $(AM_V_GEN)sed -e 's|\@PLUGINDIR\@|$(plugindir)|' \
+   $< > $@.tmp && mv $@.tmp $@
+
+plugin.c: plugindir.h
+
 MAINTAINERCLEANFILES = \
$(srcdir)/Makefile.in
 
 EXTRA_DIST = \
openvpn.vcxproj \
-   openvpn.vcxproj.filters
+   openvpn.vcxproj.filters \
+   plugindir.h.in
 
 AM_CPPFLAGS = \
-I$(top_srcdir)/include \
@@ -89,7 +96,7 @@ openvpn_SOURCES = \
perf.c perf.h \
pf.c pf.h pf-inline.h \
ping.c ping.h ping-inline.h \
-   plugin.c plugin.h \
+   plugin.c plugin.h plugindir.h \
pool.c pool.h \
proto.c proto.h \
proxy.c proxy.h \
diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
index e530c0c..5af6d1e 100644
--- a/src/openvpn/plugin.c
+++ b/src/openvpn/plugin.c
@@ -43,6 +43,7 @@
 #include "error.h"
 #include "misc.h"
 #include "plugin.h"
+#include "plugindir.h"
 #include "ssl_backend.h"
 #include "win32.h"
 #include "memdbg.h"
diff --git a/src/openvpn/plugindir.h.in b/src/openvpn/plugindir.h.in
new file mode 100644
index 000..6fa7b3e
--- /dev/null
+++ b/src/openvpn/plugindir.h.in
@@ -0,0 +1,34 @@
+/*
+ *  OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ *  Copyright (C) 2017 OpenVPN Technologies, Inc. <sa...@openvpn.net>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program (see the file COPYING included with this
+ *  distribution); if not, write to the Free Software Foundation, Inc.,
+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+/*
+ * define plugindir
+ */
+
+#ifndef OPENVPN_PLUGINDIR_H
+#define OPENV

[Openvpn-devel] [PATCH 1/2] use automake tools to install systemd files

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

If systemd is enabled we install unit files to $libdir/systemd/system
(or the path specified by SYSTEMD_UNIT_DIR).
The unit files are generated on the fly with matching $sbindir.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 .gitignore |  1 +
 configure.ac   | 10 +
 distro/Makefile.am |  4 +---
 distro/systemd/Makefile.am | 26 ++
 ...-client@.service => openvpn-cli...@.service.in} |  2 +-
 ...-server@.service => openvpn-ser...@.service.in} |  2 +-
 6 files changed, 40 insertions(+), 5 deletions(-)
 create mode 100644 distro/systemd/Makefile.am
 rename distro/systemd/{openvpn-client@.service => openvpn-cli...@.service.in} 
(90%)
 rename distro/systemd/{openvpn-server@.service => openvpn-ser...@.service.in} 
(91%)

diff --git a/.gitignore b/.gitignore
index e6da21c..30e289b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -51,6 +51,7 @@ config-msvc-local.h
 config-msvc-version.h
 doc/openvpn.8.html
 distro/rpm/openvpn.spec
+distro/systemd/*.service
 sample/sample-keys/sample-ca/
 vendor/.build
 vendor/dist
diff --git a/configure.ac b/configure.ac
index 8783109..48d8f0c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -378,6 +378,7 @@ AC_ARG_VAR([NETSTAT], [path to netstat utility]) # tests
 AC_ARG_VAR([MAN2HTML], [path to man2html utility])
 AC_ARG_VAR([GIT], [path to git utility])
 AC_ARG_VAR([SYSTEMD_ASK_PASSWORD], [path to systemd-ask-password utility])
+AC_ARG_VAR([SYSTEMD_UNIT_DIR], [Path of systemd unit directory 
@<:@default=LIBDIR/systemd/system@:>@])
 AC_PATH_PROGS([IFCONFIG], [ifconfig],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
 AC_PATH_PROGS([ROUTE], [route],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
 AC_PATH_PROGS([IPROUTE], [ip],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
@@ -1099,6 +1100,12 @@ if test "$enable_systemd" = "yes" ; then
 OPTIONAL_SYSTEMD_LIBS="${libsystemd_LIBS}"
 AC_DEFINE(ENABLE_SYSTEMD, 1, [Enable systemd integration])
 LIBS="${saved_LIBS}"
+
+if test -n "${SYSTEMD_UNIT_DIR}"; then
+systemdunitdir="${SYSTEMD_UNIT_DIR}"
+else
+systemdunitdir="\${libdir}/systemd/system"
+fi
 fi
 
 
@@ -1275,6 +1282,8 @@ sampledir="\$(docdir)/sample"
 AC_SUBST([plugindir])
 AC_SUBST([sampledir])
 
+AC_SUBST([systemdunitdir])
+
 VENDOR_SRC_ROOT="\$(abs_top_srcdir)/vendor/"
 VENDOR_DIST_ROOT="\$(abs_top_builddir)/vendor/dist"
 VENDOR_BUILD_ROOT="\$(abs_top_builddir)/vendor/.build"
@@ -1313,6 +1322,7 @@ AC_CONFIG_FILES([
distro/Makefile
distro/rpm/Makefile
distro/rpm/openvpn.spec
+   distro/systemd/Makefile
include/Makefile
src/Makefile
src/compat/Makefile
diff --git a/distro/Makefile.am b/distro/Makefile.am
index 7a9ffd0..eb0e554 100644
--- a/distro/Makefile.am
+++ b/distro/Makefile.am
@@ -12,6 +12,4 @@
 MAINTAINERCLEANFILES = \
$(srcdir)/Makefile.in
 
-SUBDIRS = rpm
-
-EXTRA_DIST = systemd/openvpn-client@.service systemd/openvpn-server@.service
+SUBDIRS = rpm systemd
diff --git a/distro/systemd/Makefile.am b/distro/systemd/Makefile.am
new file mode 100644
index 000..b10c6ed
--- /dev/null
+++ b/distro/systemd/Makefile.am
@@ -0,0 +1,26 @@
+#
+#  OpenVPN -- An application to securely tunnel IP networks
+# over a single UDP port, with support for SSL/TLS-based
+# session authentication and key exchange,
+# packet encryption, packet authentication, and
+# packet compression.
+#
+#  Copyright (C) 2017 OpenVPN Technologies, Inc. <sa...@openvpn.net>
+#
+
+%.service: %.service.in Makefile
+   $(AM_V_GEN)sed -e 's|\@sbindir\@|$(sbindir)|' \
+   $< > $@.tmp && mv $@.tmp $@
+
+EXTRA_DIST = \
+   openvpn-cli...@.service.in \
+   openvpn-ser...@.service.in
+
+if ENABLE_SYSTEMD
+systemdunit_DATA = \
+   openvpn-client@.service \
+   openvpn-server@.service
+endif
+
+MAINTAINERCLEANFILES = \
+   $(srcdir)/Makefile.in
diff --git a/distro/systemd/openvpn-client@.service 
b/distro/systemd/openvpn-cli...@.service.in
similarity index 90%
rename from distro/systemd/openvpn-client@.service
rename to distro/systemd/openvpn-cli...@.service.in
index 5618af3..d933772 100644
--- a/distro/systemd/openvpn-client@.service
+++ b/distro/systemd/openvpn-cli...@.service.in
@@ -12,7 +12,7 @@ PrivateTmp=true
 RuntimeDirectory=openvpn-client
 RuntimeDirectoryMode=0710
 WorkingDirectory=/etc/openvpn/client
-ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf
+ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID 
CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
 LimitNPROC=10
 DeviceAll

[Openvpn-devel] [PATCH 2/2] do not race on RuntimeDirectory

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

Different unit instances create and destroy the same RuntimeDirectory.
This leads to running instances where the status file (and possibly
more runtime data) is no longer accessible.

So do not handle this in unit files but provide a tmpfiles.d
configuration and let systemd-tmpfiles do the work.
Nobody will (unintentionally) delete the directories and its content.
As /run is volatile we do not have to care about cleanup.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 configure.ac  | 8 
 distro/systemd/Makefile.am| 6 ++
 distro/systemd/openvpn-cli...@.service.in | 2 --
 distro/systemd/openvpn-ser...@.service.in | 2 --
 distro/systemd/tmpfiles-openvpn.conf  | 2 ++
 5 files changed, 16 insertions(+), 4 deletions(-)
 create mode 100644 distro/systemd/tmpfiles-openvpn.conf

diff --git a/configure.ac b/configure.ac
index 48d8f0c..79fb1ba 100644
--- a/configure.ac
+++ b/configure.ac
@@ -379,6 +379,7 @@ AC_ARG_VAR([MAN2HTML], [path to man2html utility])
 AC_ARG_VAR([GIT], [path to git utility])
 AC_ARG_VAR([SYSTEMD_ASK_PASSWORD], [path to systemd-ask-password utility])
 AC_ARG_VAR([SYSTEMD_UNIT_DIR], [Path of systemd unit directory 
@<:@default=LIBDIR/systemd/system@:>@])
+AC_ARG_VAR([TMPFILES_DIR], [Path of tmpfiles directory 
@<:@default=LIBDIR/tmpfiles.d@:>@])
 AC_PATH_PROGS([IFCONFIG], [ifconfig],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
 AC_PATH_PROGS([ROUTE], [route],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
 AC_PATH_PROGS([IPROUTE], [ip],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
@@ -1106,6 +1107,12 @@ if test "$enable_systemd" = "yes" ; then
 else
 systemdunitdir="\${libdir}/systemd/system"
 fi
+
+if test -n "${TMPFILES_DIR}"; then
+tmpfilesdir="${TMPFILES_DIR}"
+else
+tmpfilesdir="\${libdir}/tmpfiles.d"
+fi
 fi
 
 
@@ -1283,6 +1290,7 @@ AC_SUBST([plugindir])
 AC_SUBST([sampledir])
 
 AC_SUBST([systemdunitdir])
+AC_SUBST([tmpfilesdir])
 
 VENDOR_SRC_ROOT="\$(abs_top_srcdir)/vendor/"
 VENDOR_DIST_ROOT="\$(abs_top_builddir)/vendor/dist"
diff --git a/distro/systemd/Makefile.am b/distro/systemd/Makefile.am
index b10c6ed..1e3f3ea 100644
--- a/distro/systemd/Makefile.am
+++ b/distro/systemd/Makefile.am
@@ -13,6 +13,7 @@
$< > $@.tmp && mv $@.tmp $@
 
 EXTRA_DIST = \
+   tmpfiles-openvpn.conf \
openvpn-cli...@.service.in \
openvpn-ser...@.service.in
 
@@ -20,6 +21,11 @@ if ENABLE_SYSTEMD
 systemdunit_DATA = \
openvpn-client@.service \
openvpn-server@.service
+tmpfiles_DATA = \
+   tmpfiles-openvpn.conf
+
+install-data-hook:
+   mv $(DESTDIR)$(tmpfilesdir)/tmpfiles-openvpn.conf 
$(DESTDIR)$(tmpfilesdir)/openvpn.conf
 endif
 
 MAINTAINERCLEANFILES = \
diff --git a/distro/systemd/openvpn-cli...@.service.in 
b/distro/systemd/openvpn-cli...@.service.in
index d933772..1be1e33 100644
--- a/distro/systemd/openvpn-cli...@.service.in
+++ b/distro/systemd/openvpn-cli...@.service.in
@@ -9,8 +9,6 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
 [Service]
 Type=notify
 PrivateTmp=true
-RuntimeDirectory=openvpn-client
-RuntimeDirectoryMode=0710
 WorkingDirectory=/etc/openvpn/client
 ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID 
CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
diff --git a/distro/systemd/openvpn-ser...@.service.in 
b/distro/systemd/openvpn-ser...@.service.in
index da5c78e..3dccaf2 100644
--- a/distro/systemd/openvpn-ser...@.service.in
+++ b/distro/systemd/openvpn-ser...@.service.in
@@ -9,8 +9,6 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
 [Service]
 Type=notify
 PrivateTmp=true
-RuntimeDirectory=openvpn-server
-RuntimeDirectoryMode=0710
 WorkingDirectory=/etc/openvpn/server
 ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log 
--status-version 2 --suppress-timestamps --config %i.conf
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
diff --git a/distro/systemd/tmpfiles-openvpn.conf 
b/distro/systemd/tmpfiles-openvpn.conf
new file mode 100644
index 000..bb79671
--- /dev/null
+++ b/distro/systemd/tmpfiles-openvpn.conf
@@ -0,0 +1,2 @@
+d /run/openvpn-client 0710 root root -
+d /run/openvpn-server 0710 root root -
-- 
2.11.0


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 2/2] do not race on RuntimeDirectory

[Christian Hesse]

David Sommerseth <open...@sf.lists.topphemmelig.net> on Fri, 2017/01/20 21:55:
> On 27/12/16 23:15, Christian Hesse wrote:
> > From: Christian Hesse <m...@eworm.de>
> > 
> > Different unit instances create and destroy the same RuntimeDirectory.
> > This leads to running instances where the status file (and possibly
> > more runtime data) is no longer accessible.
> > 
> > So do not handle this in unit files but provide a tmpfiles.d
> > configuration and let systemd-tmpfiles do the work.
> > Nobody will (unintentionally) delete the directories and its content.
> > As /run is volatile we do not have to care about cleanup.
> > 
> > Signed-off-by: Christian Hesse <m...@eworm.de>
> > ---
> >  configure.ac  | 8 
> >  distro/systemd/Makefile.am| 8 
> >  distro/systemd/openvpn-cli...@.service.in | 2 --
> >  distro/systemd/openvpn-ser...@.service.in | 2 --
> >  distro/systemd/openvpn.conf   | 2 ++
> >  5 files changed, 18 insertions(+), 4 deletions(-)
> >  create mode 100644 distro/systemd/openvpn.conf
> >   
> 
> [...snip...]
> 
> > diff --git a/distro/systemd/Makefile.am b/distro/systemd/Makefile.am
> > index 53a88c9..1a6c974 100644
> > --- a/distro/systemd/Makefile.am
> > +++ b/distro/systemd/Makefile.am
> > @@ -12,7 +12,12 @@
> > $(AM_V_GEN)sed -e 's|\@sbindir\@|$(sbindir)|' \
> > $< > $@.tmp && mv $@.tmp $@
> >  
> > +install-data-local:
> > +   $(INSTALL) -d -m0710 $(DESTDIR)/run/openvpn-client
> > +   $(INSTALL) -d -m0710 $(DESTDIR)/run/openvpn-server  
> 
> Hmm ... that doesn't make much sense, does it?
> 
> $ mount | grep '/run '
> tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
> 
> IIRC, upstream systemd recommends /run to be a ramdisk, as it should
> always be clean on freshly rebooted systems.  And it probably saves a
> lot of SSD/flash storage write cycles, for those using that.

Well, the idea is: Files in /usr/lib/tmpfiles.d/ are handled by
systemd-tmpfiles at boot time. We want these directories after installation
(without a reboot) to be present - so just create them. Yes, these reside on
tmpfs, but are created automatically after reboot.

As package managers should run a hook if files in /usr/lib/tmpfiles.d/ change
(pacman does now) I am fine with removing this rule.

People installing manually may still stumble on this...

> [...snip...]
> 
> > @@ -21,6 +26,9 @@ systemdunitdir = $(systemdunitdir)
> >  systemdunit_DATA = \
> > openvpn-client@.service \
> > openvpn-server@.service
> > +tmpfilesdir = $(tmpfilesdir)  
> 
> This conflicts with AC_SUBST([tmpfilesdir])
> 
> $ autoreconf -vi
> autoreconf: Entering directory `.'
> autoreconf: configure.ac: not using Gettext
> autoreconf: running: aclocal -I m4
> autoreconf: configure.ac: tracing
> autoreconf: running: libtoolize --copy
> autoreconf: running: /usr/bin/autoconf
> autoreconf: running: /usr/bin/autoheader
> autoreconf: running: automake --add-missing --copy --no-force
> distro/systemd/Makefile.am:28: warning: tmpfilesdir was already defined
> in condition TRUE, which includes condition ENABLE_SYSTEMD ...
> configure.ac:1293: ... 'tmpfilesdir' previously defined here
> autoreconf: Leaving directory `.'
> $ rpm -q autoconf
> autoconf-2.69-11.el7.noarch
> 
> Removing that tmpfilesdir declaration line in Makefile.am resolves this
> issue, and it still works as expected.

Removed.

> [...snip...]
> 
> > diff --git a/distro/systemd/openvpn.conf b/distro/systemd/openvpn.conf
> > new file mode 100644
> > index 000..57f20cd
> > --- /dev/null
> > +++ b/distro/systemd/openvpn.conf
> > @@ -0,0 +1,2 @@
> > +d /run/openvpn-client 0710 root root -
> > +d /run/openvpn-server 0710 root root -
> > \ No newline at end of file  
> 
> This makes more sense though, as this will tell systemd to create these
> directories with the proper attributes.
> 
> But I'm not too happy about the filename in our git repository.  The
> destination file may very well be called openvpn.conf, as then it should
> reside in $libdir/tmpfiles.d/ ... but openvpn.conf causes quite a bit of
> ambiguity inside the openvpn source tree, and unaware users might more
> see this as a sample configuration for OpenVPN and be even more confused.
> 
> I propose ... either rename this file to tmpfiles.d--openvpn.conf or
> move this openvpn.conf inside a tmpfiles.d/ subdirectory inside the
> ./distro/systemd/ directory.
> 
> Otherwise, this looks ve

Re: [Openvpn-devel] [PATCH 1/2] use automake tools to install systemd files

[Christian Hesse]

David Sommerseth <open...@sf.lists.topphemmelig.net> on Fri, 2017/01/20 21:39:
> On 27/12/16 23:15, Christian Hesse wrote:
> > From: Christian Hesse <m...@eworm.de>
> > 
> > If systemd is enabled we install unit files to $libdir/systemd/system
> > (or the path specified by SYSTEMD_UNIT_DIR).
> > The unit files are generated on the fly with matching $sbindir.
> > 
> > Signed-off-by: Christian Hesse <m...@eworm.de>
> > ---
> >  configure.ac   | 10 
> >  distro/Makefile.am |  4 +---
> >  distro/systemd/.gitignore  |  1 +
> >  distro/systemd/Makefile.am | 27
> > ++ ...-client@.service => openvpn-cli...@.service.in}
> > |  2 +- ...-server@.service => openvpn-ser...@.service.in} |  2 +-
> >  6 files changed, 41 insertions(+), 5 deletions(-)
> >  create mode 100644 distro/systemd/.gitignore
> >  create mode 100644 distro/systemd/Makefile.am
> >  rename distro/systemd/{openvpn-client@.service =>
> > openvpn-cli...@.service.in} (89%) rename
> > distro/systemd/{openvpn-server@.service => openvpn-ser...@.service.in}
> > (83%)  
> 
> 
> Finally had some time to look at this!  Some comments below.
> 
> [...snip...]
> 
> > --- /dev/null
> > +++ b/distro/systemd/.gitignore
> > @@ -0,0 +1 @@
> > +*.service
> > \ No newline at end of file  
> 
> I think it is better to put all of these things into the .gitignore file
> in the project root directory.  I see that this have slipped through a
> few times (./vendor, ./test/unit_tests and sample/sample-keys/) ... but
> as do ignore directories in the "master" .gitignore, I think we should
> have everything there.  It will be easier to know where to look.  And
> rather split things up when that master file gets too long and complicated.

I was not sure where you want this...
Moved it up to the root.

> > diff --git a/distro/systemd/Makefile.am b/distro/systemd/Makefile.am
> > new file mode 100644
> > index 000..53a88c9
> > --- /dev/null
> > +++ b/distro/systemd/Makefile.am
> > @@ -0,0 +1,27 @@
> > +#
> > +#  OpenVPN -- An application to securely tunnel IP networks
> > +# over a single UDP port, with support for SSL/TLS-based
> > +# session authentication and key exchange,
> > +# packet encryption, packet authentication, and
> > +# packet compression.
> > +#
> > +#  Copyright (C) 2017 OpenVPN Technologies, Inc. <sa...@openvpn.net>
> > +#
> > +
> > +%.service: %.service.in Makefile
> > +   $(AM_V_GEN)sed -e 's|\@sbindir\@|$(sbindir)|' \
> > +   $< > $@.tmp && mv $@.tmp $@
> > +
> > +EXTRA_DIST = \
> > +   openvpn-cli...@.service.in \
> > +   openvpn-ser...@.service.in
> > +
> > +if ENABLE_SYSTEMD
> > +systemdunitdir = $(systemdunitdir)  
> 
> This conflicts with AC_SUBST([systemdunitdir]) in configure.ac.  So this
> line should not be here.

Removed.

> [...snip]
> 
> > diff --git a/distro/systemd/openvpn-client@.service
> > b/distro/systemd/openvpn-cli...@.service.in similarity index 89%
> > rename from distro/systemd/openvpn-client@.service
> > rename to distro/systemd/openvpn-cli...@.service.in
> > index 5618af3..d9fd6b0 100644
> > --- a/distro/systemd/openvpn-client@.service
> > +++ b/distro/systemd/openvpn-cli...@.service.in
> > @@ -12,7 +12,7 @@ PrivateTmp=true
> >  RuntimeDirectory=openvpn-client
> >  RuntimeDirectoryMode=0710
> >  WorkingDirectory=/etc/openvpn/client
> > -ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config
> > %i.conf +ExecStart=@sbindir@ --suppress-timestamps --nobind --config
> > %i.conf  
> 
> It should be: ExecStart=@sbindir@/openvpn  otherwise the generated
> files are pointing at a only a directory.

Ups, stupid me... Looks like I broke this with my final patch preparation. :-p

I will send updated patches soon.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpHuUdA1pj7C.pgp
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH v2 2/2] fix timeout in non-TLS mode with systemd

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

In non-TLS configuration we wait for the remote peer to connect
before issuing "Initialization Sequence Completed". So prevent to
time out by telling systemd service manager we are ready for now.
Status will be "Non-TLS mode, ready for now. Waiting for peer..."
and changes once the remote peer connects.

This fixes #801 (static key tunnels impossible to start via systemd)

v2: Rebase on "move systemd specific code to platform.c" (commit
46e647933030da848774656029c4c4a1f204e2f1).

Tested-by: Mantas Mikulėnas <graw...@gmail.com>
Signed-off-by: Christian Hesse <m...@eworm.de>
---
 src/openvpn/openvpn.c | 12 
 1 file changed, 12 insertions(+)

diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c
index 888acda..ddcb9ed 100644
--- a/src/openvpn/openvpn.c
+++ b/src/openvpn/openvpn.c
@@ -73,6 +73,18 @@ tunnel_point_to_point(struct context *c)
 return;
 }
 
+/* In non-TLS configuration we wait for the remote peer to connect
+ * before issuing "Initialization Sequence Completed". So prevent to
+ * time out by telling systemd service manager we are ready for now.
+ * Status will be "Non-TLS mode, ready for now. Waiting for peer..."
+ * and changes once the remote peer connects. */
+if (c->options.tls_client == false
+&& c->options.tls_server == false)
+{
+platform_notify("READY=1",
+"STATUS=Non-TLS mode, ready for now. Waiting for 
peer...");
+}
+
 /* main event loop */
 while (true)
 {
-- 
2.11.0


--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 1/2] move systemd specific code to platform.c

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

We have voices that do not want to "litter ENABLE_SYSTEMD all over the
code". So move the systemd specific bits to platform_notify() in
platform.c.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 src/openvpn/init.c | 23 +--
 src/openvpn/platform.c | 13 +
 src/openvpn/platform.h |  2 ++
 3 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 9a3e29d..46df8ca 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -30,10 +30,6 @@
 
 #include "syshead.h"
 
-#ifdef ENABLE_SYSTEMD
-#include 
-#endif
-
 #include "win32.h"
 #include "init.h"
 #include "sig.h"
@@ -983,13 +979,11 @@ possibly_become_daemon(const struct options *options)
 {
 bool ret = false;
 
-#ifdef ENABLE_SYSTEMD
 /* return without forking if we are running from systemd */
-if (sd_notify(0, "READY=0") > 0)
+if (platform_notify("READY=0", "STATUS=Possibly become daemon") > 0)
 {
 return ret;
 }
-#endif
 
 if (options->daemon)
 {
@@ -1026,7 +1020,6 @@ do_uid_gid_chroot(struct context *c, bool no_delay)
 {
 if (no_delay)
 {
-#ifdef ENABLE_SYSTEMD
 /* If OpenVPN is started by systemd, the OpenVPN process needs
  * to provide a preliminary status report to systemd.  This is
  * needed as $NOTIFY_SOCKET will not be available inside the
@@ -1040,10 +1033,8 @@ do_uid_gid_chroot(struct context *c, bool no_delay)
  * have a sane way to know if OpenVPN will chroot or not and to
  * which subdirectory it will chroot into.
  */
-sd_notifyf(0, "READY=1\n"
-   "STATUS=Entering chroot, most of the init completed 
successfully\n"
-   "MAINPID=%lu", (unsigned long) getpid());
-#endif
+platform_notify("READY=1",
+"STATUS=Entering chroot, most of the init 
completed successfully");
 platform_chroot(c->options.chroot_dir);
 }
 else if (c->first_time)
@@ -1384,17 +1375,13 @@ initialization_sequence_completed(struct context *c, 
const unsigned int flags)
 show_adapters(M_INFO|M_NOPREFIX);
 msg(M_INFO, "%s With Errors ( see 
http://openvpn.net/faq.html#dhcpclientserv )", message);
 #else
-#ifdef ENABLE_SYSTEMD
-sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", 
message);
-#endif /* HAVE_SYSTEMD_SD_DAEMON_H */
+platform_notify("READY=0", "STATUS=Failed to start up");
 msg(M_INFO, "%s With Errors", message);
 #endif
 }
 else
 {
-#ifdef ENABLE_SYSTEMD
-sd_notifyf(0, "READY=1\nSTATUS=%s\nMAINPID=%lu", message, (unsigned 
long) getpid());
-#endif
+platform_notify("READY=1", "STATUS=Initialization Sequence Completed");
 msg(M_INFO, "%s", message);
 }
 
diff --git a/src/openvpn/platform.c b/src/openvpn/platform.c
index 952d633..55a25b0 100644
--- a/src/openvpn/platform.c
+++ b/src/openvpn/platform.c
@@ -30,6 +30,10 @@
 
 #include "syshead.h"
 
+#ifdef ENABLE_SYSTEMD
+#include 
+#endif
+
 #include "buffer.h"
 #include "error.h"
 #include "win32.h"
@@ -336,3 +340,12 @@ platform_stat(const char *path, platform_stat_t *buf)
 #endif
 }
 
+int
+platform_notify(const char *status, const char *message)
+{
+#ifdef ENABLE_SYSTEMD
+return sd_notifyf(0, "%s\n%s", status, message);
+#endif
+
+return 0;
+}
diff --git a/src/openvpn/platform.h b/src/openvpn/platform.h
index 62396a9..94c92e4 100644
--- a/src/openvpn/platform.h
+++ b/src/openvpn/platform.h
@@ -144,4 +144,6 @@ typedef struct stat platform_stat_t;
 #endif
 int platform_stat(const char *path, platform_stat_t *buf);
 
+int platform_notify(const char *status, const char *message);
+
 #endif /* ifndef PLATFORM_H */
-- 
2.11.0


--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 1/1] fix timeout in non-TLS mode with systemd

[Christian Hesse]

Gert Doering <g...@greenie.muc.de> on Wed, 2016/12/28 19:57:
> Hi,
> 
> On Wed, Dec 28, 2016 at 02:07:21PM +0100, Christian Hesse wrote:
> > @@ -73,6 +77,21 @@ tunnel_point_to_point(struct context *c)
> >  return;
> >  }
> >  
> > +#ifdef ENABLE_SYSTEMD
> > +/* In non-TLS configuration we wait for the remote peer to connect
> > + * before issuing "Initialization Sequence Completed". So prevent to
> > + * time out by telling systemd service manager we are ready for now.
> > + * Status will be "Non-TLS mode, ready for now. Waiting for peer..."
> > + * and changes once the remote peer connects. */
> > +if (c->options.tls_client == false
> > +&& c->options.tls_server == false)
> > +{
> > +sd_notifyf(0, "READY=1\n"
> > +   "STATUS=Non-TLS mode, ready for now. Waiting for
> > peer...\n"
> > +   "MAINPID=%lu", (unsigned long) getpid());
> > +}
> > +#endif  
> 
> We definitely need a better approach than "litter ENABLE_SYSTEMD all
> over the code".

Well, openvpn supports a number of modes of operation... Some of these have
other requirements than others.

In general we have three options:

1. Use Type=forking in unit files. We decided not to go this way.

2. Use Type=notify and tell systemd we are ready about when we would have
   forked. This works as well as Type=forking does, but has some unhandled
   corner cases.

3. Use Type=notify and "litter ENABLE_SYSTEMD all over the code". This
   provides the best error handling.

(There is Type=simple, but that is just fire-and-forget - could not be worse.)

IMHO we should go with option three. Given the number of #ifdefs all over the
code - is this really an issue? My patch increases the number of sd_notify()
calls from four to five.

For informational purpose we could add even more calls. That would allow to
set intermediate status message, something like: "Up and running, currently
serving 25 client connections."

> (Also, this is the wrong check anyway.  p2p mode can go along with
> TLS just fine - what you need to check for is --server or --client,
> which is something else than --tls-server / --tls-client)

No, the check is correct.

In server move openvpn reports ready when it finally is ready to handle
incoming connections. That is fine.

In TLS client mode openvpn reports ready when it connected to a server
successfully. It fails if it can not connect. That is the desired behavior.
So that is fine as well.

The patch handles non-TLS P2P mode: Two nodes have a shared secret (or
connect unencrypted in pure tunnel mode) and connect to each other.
The culprit: There is no node that is ready all the time. As we do not want
to bail out before the other is connects we have to report ready after
initialization but before the remote connects. This really is about non-TLS,
not client/server. No?
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpAoSJ3N2PI_.pgp
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 1/1] fix timeout in non-TLS mode with systemd

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

In non-TLS configuration we wait for the remote peer to connect
before issuing "Initialization Sequence Completed". So prevent to
time out by telling systemd service manager we are ready for now.
Status will be "Non-TLS mode, ready for now. Waiting for peer..."
and changes once the remote peer connects.

This fixes #801 (static key tunnels impossible to start via systemd)

Tested-by: Mantas Mikulėnas <graw...@gmail.com>
Signed-off-by: Christian Hesse <m...@eworm.de>
---
 src/openvpn/openvpn.c | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c
index 888acda..ae948f9 100644
--- a/src/openvpn/openvpn.c
+++ b/src/openvpn/openvpn.c
@@ -30,6 +30,10 @@
 
 #include "syshead.h"
 
+#ifdef ENABLE_SYSTEMD
+#include 
+#endif
+
 #include "init.h"
 #include "forward.h"
 #include "multi.h"
@@ -73,6 +77,21 @@ tunnel_point_to_point(struct context *c)
 return;
 }
 
+#ifdef ENABLE_SYSTEMD
+/* In non-TLS configuration we wait for the remote peer to connect
+ * before issuing "Initialization Sequence Completed". So prevent to
+ * time out by telling systemd service manager we are ready for now.
+ * Status will be "Non-TLS mode, ready for now. Waiting for peer..."
+ * and changes once the remote peer connects. */
+if (c->options.tls_client == false
+&& c->options.tls_server == false)
+{
+sd_notifyf(0, "READY=1\n"
+   "STATUS=Non-TLS mode, ready for now. Waiting for peer...\n"
+   "MAINPID=%lu", (unsigned long) getpid());
+}
+#endif
+
 /* main event loop */
 while (true)
 {
-- 
2.11.0


--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 1/1] man: fix formatting for alternative option

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

This looked like...

--server-poll-timeout n
--connect-timeout n when connecting to [...]

... and this patch changes this to...

--server-poll-timeout n, --connect-timeout n
When connecting to [...]

... preserving correct highlighting.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 doc/openvpn.8 | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 7bd6d9d..68fed4e 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -3969,9 +3969,8 @@ See management\-notes.txt in the OpenVPN distribution for 
a
 description of the OpenVPN challenge/response protocol.
 .\"*
 .TP
-.B \-\-server\-poll\-timeout n
-.B \-\-connect\-timeout n
-when connecting to a remote server do not wait for more than
+\fB\-\-server\-poll\-timeout n\fR, \fB\-\-connect\-timeout n\fR
+When connecting to a remote server do not wait for more than
 .B n
 seconds waiting for a response before trying the next server.
 The default value is 120s. This timeout includes proxy and TCP
-- 
2.11.0


--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH v2 1/1] Clean up plugin path handling

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

Drop --with-plugindir, instead use an environment variable PLUGINDIR
to specify the plugin directory.

This generates a header file src/openvpn/plugindir.h which contains a
define for the plugindir.

v2: The configure script can not evaluate the final $libdir path. So
use make to create a header file on the containing the final path.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 configure.ac   | 14 ++
 src/openvpn/.gitignore |  1 +
 src/openvpn/Makefile.am| 12 ++--
 src/openvpn/plugin.c   |  1 +
 src/openvpn/plugindir.h.in | 34 ++
 5 files changed, 52 insertions(+), 10 deletions(-)
 create mode 100644 src/openvpn/.gitignore
 create mode 100644 src/openvpn/plugindir.h.in

diff --git a/configure.ac b/configure.ac
index 43487b0..182ea21 100644
--- a/configure.ac
+++ b/configure.ac
@@ -301,13 +301,12 @@ AC_ARG_WITH(
[with_crypto_library="openssl"]
 )
 
-AC_ARG_WITH(
-   [plugindir],
-   [AS_HELP_STRING([--with-plugindir], [plugin directory 
@<:@default=LIBDIR/openvpn@:>@])],
-   ,
-   [with_plugindir="\$(libdir)/openvpn/plugins"]
-)
-
+AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory 
@<:@default=LIBDIR/openvpn/plugins@:>@])
+if test -n "${PLUGINDIR}"; then
+   plugindir="${PLUGINDIR}"
+else
+   plugindir="\${libdir}/openvpn/plugins"
+fi
 
 AC_DEFINE_UNQUOTED([TARGET_ALIAS], ["${host}"], [A string representing our 
host])
 case "$host" in
@@ -1245,7 +1244,6 @@ AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test 
"${enable_plugin_auth_pam}" = "ye
 AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = 
"yes"])
 AM_CONDITIONAL([ENABLE_CRYPTO], [test "${enable_crypto}" = "yes"])
 
-plugindir="${with_plugindir}"
 sampledir="\$(docdir)/sample"
 AC_SUBST([plugindir])
 AC_SUBST([sampledir])
diff --git a/src/openvpn/.gitignore b/src/openvpn/.gitignore
new file mode 100644
index 000..450575a
--- /dev/null
+++ b/src/openvpn/.gitignore
@@ -0,0 +1 @@
+plugindir.h
\ No newline at end of file
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index bea294b..11854b6 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -11,12 +11,19 @@
 
 include $(top_srcdir)/build/ltrc.inc
 
+plugindir.h: plugindir.h.in Makefile
+   $(AM_V_GEN)sed -e 's|\@PLUGINDIR\@|$(plugindir)|' \
+   $< > $@.tmp && mv $@.tmp $@
+
+plugin.c: plugindir.h
+
 MAINTAINERCLEANFILES = \
$(srcdir)/Makefile.in
 
 EXTRA_DIST = \
openvpn.vcxproj \
-   openvpn.vcxproj.filters
+   openvpn.vcxproj.filters \
+   plugindir.h.in
 
 AM_CPPFLAGS = \
-I$(top_srcdir)/include \
@@ -89,7 +96,7 @@ openvpn_SOURCES = \
perf.c perf.h \
pf.c pf.h pf-inline.h \
ping.c ping.h ping-inline.h \
-   plugin.c plugin.h \
+   plugin.c plugin.h plugindir.h \
pool.c pool.h \
proto.c proto.h \
proxy.c proxy.h \
@@ -131,3 +138,4 @@ if WIN32
 openvpn_SOURCES += openvpn_win32_resources.rc block_dns.c block_dns.h
 openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm 
-lfwpuclnt -lrpcrt4
 endif
+
diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
index 17eb2d8..a891ef4 100644
--- a/src/openvpn/plugin.c
+++ b/src/openvpn/plugin.c
@@ -43,6 +43,7 @@
 #include "error.h"
 #include "misc.h"
 #include "plugin.h"
+#include "plugindir.h"
 #include "ssl_backend.h"
 #include "win32.h"
 #include "memdbg.h"
diff --git a/src/openvpn/plugindir.h.in b/src/openvpn/plugindir.h.in
new file mode 100644
index 000..6fa7b3e
--- /dev/null
+++ b/src/openvpn/plugindir.h.in
@@ -0,0 +1,34 @@
+/*
+ *  OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ *  Copyright (C) 2017 OpenVPN Technologies, Inc. <sa...@openvpn.net>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program (see the file COPYING included with this
+ *  distribution); if not, write to the Free Software Foundation, I

[Openvpn-devel] [PATCH v2 1/1] add more security feature for systemd units

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

ProtectSystem=true mounts the /usr and /boot directories read-only.

ProtectHome=true makes the directories /home, /root and /run/user
inaccessible and empty for the process.

See systemd.exec(5) [0] for details.

v2: Replace ProtectSystem=strict with ProtectSystem=true. Some configurations
may want to write to /etc or the like.

[0] https://www.freedesktop.org/software/systemd/man/systemd.exec.html

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 distro/systemd/openvpn-client@.service | 2 ++
 distro/systemd/openvpn-server@.service | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/distro/systemd/openvpn-client@.service 
b/distro/systemd/openvpn-client@.service
index 5618af3..b92f2fa 100644
--- a/distro/systemd/openvpn-client@.service
+++ b/distro/systemd/openvpn-client@.service
@@ -17,6 +17,8 @@ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW 
CAP_SETGID CAP_SETU
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
+ProtectSystem=true
+ProtectHome=true
 
 [Install]
 WantedBy=multi-user.target
diff --git a/distro/systemd/openvpn-server@.service 
b/distro/systemd/openvpn-server@.service
index b9b4dba..535a79d 100644
--- a/distro/systemd/openvpn-server@.service
+++ b/distro/systemd/openvpn-server@.service
@@ -17,6 +17,8 @@ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN 
CAP_NET_BIND_SERVICE CAP_NET_RA
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
+ProtectSystem=true
+ProtectHome=true
 
 [Install]
 WantedBy=multi-user.target
-- 
2.11.0


--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 2/2] do not race on RuntimeDirectory

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

Different unit instances create and destroy the same RuntimeDirectory.
This leads to running instances where the status file (and possibly
more runtime data) is no longer accessible.

So do not handle this in unit files but provide a tmpfiles.d
configuration and let systemd-tmpfiles do the work.
Nobody will (unintentionally) delete the directories and its content.
As /run is volatile we do not have to care about cleanup.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 configure.ac  | 8 
 distro/systemd/Makefile.am| 8 
 distro/systemd/openvpn-cli...@.service.in | 2 --
 distro/systemd/openvpn-ser...@.service.in | 2 --
 distro/systemd/openvpn.conf   | 2 ++
 5 files changed, 18 insertions(+), 4 deletions(-)
 create mode 100644 distro/systemd/openvpn.conf

diff --git a/configure.ac b/configure.ac
index 114fcb9..e3a682a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -379,6 +379,7 @@ AC_ARG_VAR([MAN2HTML], [path to man2html utility])
 AC_ARG_VAR([GIT], [path to git utility])
 AC_ARG_VAR([SYSTEMD_ASK_PASSWORD], [path to systemd-ask-password utility])
 AC_ARG_VAR([SYSTEMD_UNIT_DIR], [Path of systemd unit directory 
@<:@default=LIBDIR/systemd/system@:>@])
+AC_ARG_VAR([TMPFILES_DIR], [Path of tmpfiles directory 
@<:@default=LIBDIR/tmpfiles.d@:>@])
 AC_PATH_PROGS([IFCONFIG], [ifconfig],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
 AC_PATH_PROGS([ROUTE], [route],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
 AC_PATH_PROGS([IPROUTE], [ip],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
@@ -1082,6 +1083,12 @@ if test "$enable_systemd" = "yes" ; then
 else
 systemdunitdir="\${libdir}/systemd/system"
 fi
+
+if test -n "${TMPFILES_DIR}"; then
+tmpfilesdir="${TMPFILES_DIR}"
+else
+tmpfilesdir="\${libdir}/tmpfiles.d"
+fi
 fi
 
 
@@ -1258,6 +1265,7 @@ AC_SUBST([plugindir])
 AC_SUBST([sampledir])
 
 AC_SUBST([systemdunitdir])
+AC_SUBST([tmpfilesdir])
 
 VENDOR_SRC_ROOT="\$(abs_top_srcdir)/vendor/"
 VENDOR_DIST_ROOT="\$(abs_top_builddir)/vendor/dist"
diff --git a/distro/systemd/Makefile.am b/distro/systemd/Makefile.am
index 53a88c9..1a6c974 100644
--- a/distro/systemd/Makefile.am
+++ b/distro/systemd/Makefile.am
@@ -12,7 +12,12 @@
$(AM_V_GEN)sed -e 's|\@sbindir\@|$(sbindir)|' \
$< > $@.tmp && mv $@.tmp $@
 
+install-data-local:
+   $(INSTALL) -d -m0710 $(DESTDIR)/run/openvpn-client
+   $(INSTALL) -d -m0710 $(DESTDIR)/run/openvpn-server
+
 EXTRA_DIST = \
+   openvpn.conf \
openvpn-cli...@.service.in \
openvpn-ser...@.service.in
 
@@ -21,6 +26,9 @@ systemdunitdir = $(systemdunitdir)
 systemdunit_DATA = \
openvpn-client@.service \
openvpn-server@.service
+tmpfilesdir = $(tmpfilesdir)
+tmpfiles_DATA = \
+   openvpn.conf
 endif
 
 MAINTAINERCLEANFILES = \
diff --git a/distro/systemd/openvpn-cli...@.service.in 
b/distro/systemd/openvpn-cli...@.service.in
index d9fd6b0..354d206 100644
--- a/distro/systemd/openvpn-cli...@.service.in
+++ b/distro/systemd/openvpn-cli...@.service.in
@@ -9,8 +9,6 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
 [Service]
 Type=notify
 PrivateTmp=true
-RuntimeDirectory=openvpn-client
-RuntimeDirectoryMode=0710
 WorkingDirectory=/etc/openvpn/client
 ExecStart=@sbindir@ --suppress-timestamps --nobind --config %i.conf
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID 
CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
diff --git a/distro/systemd/openvpn-ser...@.service.in 
b/distro/systemd/openvpn-ser...@.service.in
index a270982..35f4a14 100644
--- a/distro/systemd/openvpn-ser...@.service.in
+++ b/distro/systemd/openvpn-ser...@.service.in
@@ -9,8 +9,6 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
 [Service]
 Type=notify
 PrivateTmp=true
-RuntimeDirectory=openvpn-server
-RuntimeDirectoryMode=0710
 WorkingDirectory=/etc/openvpn/server
 ExecStart=@sbindir@ --status %t/openvpn-server/status-%i.log --status-version 
2 --suppress-timestamps --config %i.conf
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
diff --git a/distro/systemd/openvpn.conf b/distro/systemd/openvpn.conf
new file mode 100644
index 000..57f20cd
--- /dev/null
+++ b/distro/systemd/openvpn.conf
@@ -0,0 +1,2 @@
+d /run/openvpn-client 0710 root root -
+d /run/openvpn-server 0710 root root -
\ No newline at end of file
-- 
2.11.0


--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 1/2] use automake tools to install systemd files

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

If systemd is enabled we install unit files to $libdir/systemd/system
(or the path specified by SYSTEMD_UNIT_DIR).
The unit files are generated on the fly with matching $sbindir.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 configure.ac   | 10 
 distro/Makefile.am |  4 +---
 distro/systemd/.gitignore  |  1 +
 distro/systemd/Makefile.am | 27 ++
 ...-client@.service => openvpn-cli...@.service.in} |  2 +-
 ...-server@.service => openvpn-ser...@.service.in} |  2 +-
 6 files changed, 41 insertions(+), 5 deletions(-)
 create mode 100644 distro/systemd/.gitignore
 create mode 100644 distro/systemd/Makefile.am
 rename distro/systemd/{openvpn-client@.service => openvpn-cli...@.service.in} 
(89%)
 rename distro/systemd/{openvpn-server@.service => openvpn-ser...@.service.in} 
(83%)

diff --git a/configure.ac b/configure.ac
index 43487b0..114fcb9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -378,6 +378,7 @@ AC_ARG_VAR([NETSTAT], [path to netstat utility]) # tests
 AC_ARG_VAR([MAN2HTML], [path to man2html utility])
 AC_ARG_VAR([GIT], [path to git utility])
 AC_ARG_VAR([SYSTEMD_ASK_PASSWORD], [path to systemd-ask-password utility])
+AC_ARG_VAR([SYSTEMD_UNIT_DIR], [Path of systemd unit directory 
@<:@default=LIBDIR/systemd/system@:>@])
 AC_PATH_PROGS([IFCONFIG], [ifconfig],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
 AC_PATH_PROGS([ROUTE], [route],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
 AC_PATH_PROGS([IPROUTE], [ip],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
@@ -1075,6 +1076,12 @@ if test "$enable_systemd" = "yes" ; then
 OPTIONAL_SYSTEMD_LIBS="${libsystemd_LIBS}"
 AC_DEFINE(ENABLE_SYSTEMD, 1, [Enable systemd integration])
 LIBS="${saved_LIBS}"
+
+if test -n "${SYSTEMD_UNIT_DIR}"; then
+systemdunitdir="${SYSTEMD_UNIT_DIR}"
+else
+systemdunitdir="\${libdir}/systemd/system"
+fi
 fi
 
 
@@ -1250,6 +1257,8 @@ sampledir="\$(docdir)/sample"
 AC_SUBST([plugindir])
 AC_SUBST([sampledir])
 
+AC_SUBST([systemdunitdir])
+
 VENDOR_SRC_ROOT="\$(abs_top_srcdir)/vendor/"
 VENDOR_DIST_ROOT="\$(abs_top_builddir)/vendor/dist"
 VENDOR_BUILD_ROOT="\$(abs_top_builddir)/vendor/.build"
@@ -1288,6 +1297,7 @@ AC_CONFIG_FILES([
distro/Makefile
distro/rpm/Makefile
distro/rpm/openvpn.spec
+   distro/systemd/Makefile
include/Makefile
src/Makefile
src/compat/Makefile
diff --git a/distro/Makefile.am b/distro/Makefile.am
index 7a9ffd0..eb0e554 100644
--- a/distro/Makefile.am
+++ b/distro/Makefile.am
@@ -12,6 +12,4 @@
 MAINTAINERCLEANFILES = \
$(srcdir)/Makefile.in
 
-SUBDIRS = rpm
-
-EXTRA_DIST = systemd/openvpn-client@.service systemd/openvpn-server@.service
+SUBDIRS = rpm systemd
diff --git a/distro/systemd/.gitignore b/distro/systemd/.gitignore
new file mode 100644
index 000..ef4c0b8
--- /dev/null
+++ b/distro/systemd/.gitignore
@@ -0,0 +1 @@
+*.service
\ No newline at end of file
diff --git a/distro/systemd/Makefile.am b/distro/systemd/Makefile.am
new file mode 100644
index 000..53a88c9
--- /dev/null
+++ b/distro/systemd/Makefile.am
@@ -0,0 +1,27 @@
+#
+#  OpenVPN -- An application to securely tunnel IP networks
+# over a single UDP port, with support for SSL/TLS-based
+# session authentication and key exchange,
+# packet encryption, packet authentication, and
+# packet compression.
+#
+#  Copyright (C) 2017 OpenVPN Technologies, Inc. <sa...@openvpn.net>
+#
+
+%.service: %.service.in Makefile
+   $(AM_V_GEN)sed -e 's|\@sbindir\@|$(sbindir)|' \
+   $< > $@.tmp && mv $@.tmp $@
+
+EXTRA_DIST = \
+   openvpn-cli...@.service.in \
+   openvpn-ser...@.service.in
+
+if ENABLE_SYSTEMD
+systemdunitdir = $(systemdunitdir)
+systemdunit_DATA = \
+   openvpn-client@.service \
+   openvpn-server@.service
+endif
+
+MAINTAINERCLEANFILES = \
+   $(srcdir)/Makefile.in
diff --git a/distro/systemd/openvpn-client@.service 
b/distro/systemd/openvpn-cli...@.service.in
similarity index 89%
rename from distro/systemd/openvpn-client@.service
rename to distro/systemd/openvpn-cli...@.service.in
index 5618af3..d9fd6b0 100644
--- a/distro/systemd/openvpn-client@.service
+++ b/distro/systemd/openvpn-cli...@.service.in
@@ -12,7 +12,7 @@ PrivateTmp=true
 RuntimeDirectory=openvpn-client
 RuntimeDirectoryMode=0710
 WorkingDirectory=/etc/openvpn/client
-ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf
+ExecStart=@sbindir@ --suppress-timestamps --nobind --config %i.conf
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID 
CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
 LimitNPROC=10
 DeviceAllow=/dev/

Re: [Openvpn-devel] [PATCH 1/1] do not race on RuntimeDirectory

[Christian Hesse]

David Sommerseth <open...@sf.lists.topphemmelig.net> on Mon, 2016/12/26 17:45:
> On 26/12/16 17:12, Christian Hesse wrote:
> > debbie10t <debbie...@gmail.com> on Sat, 2016/12/24 11:10:  
> >> On 16/12/16 22:00, Christian Hesse wrote:  
> >>> From: Christian Hesse <m...@eworm.de>
> >>>
> >>> Different unit instances create and destroy the same RuntimeDirectory.
> >>> This leads to running instances where the status file (and possibly
> >>> more runtime data) is no longer accessible.
> >>>
> >>> So do not handle this in unit files but provide a tmpfiles.d
> >>> configuration and let systemd-tmpfiles do the work.
> >>> Nobody will (unintentionally) delete the directories and its content.
> >>> As /run is volatile we do not have to care about cleanup.
> >>>
> >>> Signed-off-by: Christian Hesse <m...@eworm.de>
> >>> ---
> >>>  distro/systemd/openvpn-client@.service | 2 --
> >>>  distro/systemd/openvpn-server@.service | 2 --
> >>>  distro/systemd/openvpn.conf| 2 ++
> >>>  3 files changed, 2 insertions(+), 4 deletions(-)
> >>>  create mode 100644 distro/systemd/openvpn.conf
> >>>
> >>> diff --git a/distro/systemd/openvpn-client@.service
> >>> b/distro/systemd/openvpn-client@.service index 5618af3..1187ee8 100644
> >>> --- a/distro/systemd/openvpn-client@.service
> >>> +++ b/distro/systemd/openvpn-client@.service
> >>> @@ -9,8 +9,6 @@
> >>> Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service]
> >>>  Type=notify
> >>>  PrivateTmp=true
> >>> -RuntimeDirectory=openvpn-client
> >>> -RuntimeDirectoryMode=0710
> >>>  WorkingDirectory=/etc/openvpn/client
> >>>  ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config
> >>> %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW
> >>> CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE diff --git
> >>> a/distro/systemd/openvpn-server@.service
> >>> b/distro/systemd/openvpn-server@.service index b9b4dba..25a6bb7 100644
> >>> --- a/distro/systemd/openvpn-server@.service +++
> >>> b/distro/systemd/openvpn-server@.service @@ -9,8 +9,6 @@
> >>> Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service]
> >>>  Type=notify
> >>>  PrivateTmp=true
> >>> -RuntimeDirectory=openvpn-server
> >>> -RuntimeDirectoryMode=0710
> >>>  WorkingDirectory=/etc/openvpn/server
> >>>  ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log
> >>> --status-version 2 --suppress-timestamps --config %i.conf
> >>> CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
> >>> CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE diff
> >>> --git a/distro/systemd/openvpn.conf b/distro/systemd/openvpn.conf new
> >>> file mode 100644 index 000..bb79671 --- /dev/null
> >>> +++ b/distro/systemd/openvpn.conf
> >>> @@ -0,0 +1,2 @@
> >>> +d /run/openvpn-client 0710 root root -
> >>> +d /run/openvpn-server 0710 root root -
> >>>
> >>
> >> ACK
> >>
> >> This works as expected from debian8/systemd 215 to arch/systemd 232  
> > 
> > Great! Thanks for testing!
> > 
> > But I think this will not make its way into 2.4.0? Will we see this in
> > release/2.4 for a bugfix release?  
> 
> That is correct.  What is in release/2.4 currently is what will be the
> v2.4.0 release unless something of a real blocker appears before I'll
> tag and push out the release commit some time tomorrow.  I don't dare to
> add anything which is not absolutely strictly needed for the comming
> release.  I'm just waiting for a the final Windows test results from
> Samuli before pushing out the final release.  Then Samuli will publish
> all source tarballs, Windows installers and do the announcement.

Waiting for that to happen. :-p

> It's good that this is tested, but I'd like to have a more thorough
> review of this patch as well in addition to look at the automake rules
> so that we can install unit files and the tmpfiles.d config to the
> proper place as well during 'make install'.  This will simplify the job
> of the packagers as well.

Ok, let's discuss this on irc any time soon. I will have some last working
days this year - and hopefully some spare time.

> One thing I'm pondering on though, is how clever it is to call the
> tmp

Re: [Openvpn-devel] [PATCH 1/1] do not race on RuntimeDirectory

[Christian Hesse]

debbie10t <debbie...@gmail.com> on Sat, 2016/12/24 11:10:
> On 16/12/16 22:00, Christian Hesse wrote:
> > From: Christian Hesse <m...@eworm.de>
> >
> > Different unit instances create and destroy the same RuntimeDirectory.
> > This leads to running instances where the status file (and possibly
> > more runtime data) is no longer accessible.
> >
> > So do not handle this in unit files but provide a tmpfiles.d
> > configuration and let systemd-tmpfiles do the work.
> > Nobody will (unintentionally) delete the directories and its content.
> > As /run is volatile we do not have to care about cleanup.
> >
> > Signed-off-by: Christian Hesse <m...@eworm.de>
> > ---
> >  distro/systemd/openvpn-client@.service | 2 --
> >  distro/systemd/openvpn-server@.service | 2 --
> >  distro/systemd/openvpn.conf| 2 ++
> >  3 files changed, 2 insertions(+), 4 deletions(-)
> >  create mode 100644 distro/systemd/openvpn.conf
> >
> > diff --git a/distro/systemd/openvpn-client@.service
> > b/distro/systemd/openvpn-client@.service index 5618af3..1187ee8 100644
> > --- a/distro/systemd/openvpn-client@.service
> > +++ b/distro/systemd/openvpn-client@.service
> > @@ -9,8 +9,6 @@
> > Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service]
> >  Type=notify
> >  PrivateTmp=true
> > -RuntimeDirectory=openvpn-client
> > -RuntimeDirectoryMode=0710
> >  WorkingDirectory=/etc/openvpn/client
> >  ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config
> > %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW
> > CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE diff --git
> > a/distro/systemd/openvpn-server@.service
> > b/distro/systemd/openvpn-server@.service index b9b4dba..25a6bb7 100644
> > --- a/distro/systemd/openvpn-server@.service +++
> > b/distro/systemd/openvpn-server@.service @@ -9,8 +9,6 @@
> > Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service]
> >  Type=notify
> >  PrivateTmp=true
> > -RuntimeDirectory=openvpn-server
> > -RuntimeDirectoryMode=0710
> >  WorkingDirectory=/etc/openvpn/server
> >  ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log
> > --status-version 2 --suppress-timestamps --config %i.conf
> > CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
> > CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE diff
> > --git a/distro/systemd/openvpn.conf b/distro/systemd/openvpn.conf new
> > file mode 100644 index 000..bb79671 --- /dev/null
> > +++ b/distro/systemd/openvpn.conf
> > @@ -0,0 +1,2 @@
> > +d /run/openvpn-client 0710 root root -
> > +d /run/openvpn-server 0710 root root -
> >  
> 
> ACK
> 
> This works as expected from debian8/systemd 215 to arch/systemd 232

Great! Thanks for testing!

But I think this will not make its way into 2.4.0? Will we see this in
release/2.4 for a bugfix release?
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpVpD5pqwYEy.pgp
Description: OpenPGP digital signature
--
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/intel___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH release/2.4] Update copyrights

[Christian Hesse]

David Sommerseth  on Wed, 2016/12/21 21:00:
> Signed-off-by: David Sommerseth 

As we will (hopefully) see a release in 2016... Does it make sense to update
to 2017?
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpY3oC0O5Zqi.pgp
Description: OpenPGP digital signature
--
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/intel___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 1/1] do not race on RuntimeDirectory

[Christian Hesse]

debbie10t <debbie...@gmail.com> on Tue, 2016/12/20 00:32:
> On 16/12/16 15:57, Christian Hesse wrote:
> > From: Christian Hesse <m...@eworm.de>
> >
> > Different unit instances create and destroy the same RuntimeDirectory.
> > This leads to running instances where the status file (and possibly
> > more runtime data) is no longer accessible.
> >
> > So create a RuntimeDirectory per instance.
> >
> > Signed-off-by: Christian Hesse <m...@eworm.de>
> > ---
> >  distro/systemd/openvpn-client@.service | 2 +-
> >  distro/systemd/openvpn-server@.service | 4 ++--
> >  2 files changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/distro/systemd/openvpn-client@.service
> > b/distro/systemd/openvpn-client@.service index 5618af3..fcb5302 100644
> > --- a/distro/systemd/openvpn-client@.service
> > +++ b/distro/systemd/openvpn-client@.service
> > @@ -9,7 +9,7 @@
> > Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service]
> >  Type=notify
> >  PrivateTmp=true
> > -RuntimeDirectory=openvpn-client
> > +RuntimeDirectory=openvpn-client@%i
> >  RuntimeDirectoryMode=0710
> >  WorkingDirectory=/etc/openvpn/client
> >  ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config
> > %i.conf diff --git a/distro/systemd/openvpn-server@.service
> > b/distro/systemd/openvpn-server@.service index b9b4dba..8b240cf 100644
> > --- a/distro/systemd/openvpn-server@.service
> > +++ b/distro/systemd/openvpn-server@.service
> > @@ -9,10 +9,10 @@
> > Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service]
> >  Type=notify
> >  PrivateTmp=true
> > -RuntimeDirectory=openvpn-server
> > +RuntimeDirectory=openvpn-server@%i
> >  RuntimeDirectoryMode=0710
> >  WorkingDirectory=/etc/openvpn/server
> > -ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log
> > --status-version 2 --suppress-timestamps --config %i.conf
> > +ExecStart=/usr/sbin/openvpn --status %t/openvpn-server@%i/status.log
> > --status-version 2 --suppress-timestamps --config %i.conf
> > CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE
> > CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
> > LimitNPROC=10 DeviceAllow=/dev/null rw 
> 
> 
> CentOS 7 (after full update) still only uses systemd version 219
> 
> This functionality is not introduced until systemd 227
> 
> https://github.com/systemd/systemd/blob/master/NEWS

Ah, good to know when this was implemented. :-D

But we already know that this does not work for version we want to support.
Thus I had sent a patch with new approach on Dec 16th where RuntimeDirectory
is removed from unit files and directories are handled via tmpfiles.d. Can
you take a look at that one?
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpY35vqpn_LT.pgp
Description: OpenPGP digital signature
--
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/intel___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 1/1] do not race on RuntimeDirectory

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

Different unit instances create and destroy the same RuntimeDirectory.
This leads to running instances where the status file (and possibly
more runtime data) is no longer accessible.

So do not handle this in unit files but provide a tmpfiles.d
configuration and let systemd-tmpfiles do the work.
Nobody will (unintentionally) delete the directories and its content.
As /run is volatile we do not have to care about cleanup.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 distro/systemd/openvpn-client@.service | 2 --
 distro/systemd/openvpn-server@.service | 2 --
 distro/systemd/openvpn.conf| 2 ++
 3 files changed, 2 insertions(+), 4 deletions(-)
 create mode 100644 distro/systemd/openvpn.conf

diff --git a/distro/systemd/openvpn-client@.service 
b/distro/systemd/openvpn-client@.service
index 5618af3..1187ee8 100644
--- a/distro/systemd/openvpn-client@.service
+++ b/distro/systemd/openvpn-client@.service
@@ -9,8 +9,6 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
 [Service]
 Type=notify
 PrivateTmp=true
-RuntimeDirectory=openvpn-client
-RuntimeDirectoryMode=0710
 WorkingDirectory=/etc/openvpn/client
 ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID 
CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
diff --git a/distro/systemd/openvpn-server@.service 
b/distro/systemd/openvpn-server@.service
index b9b4dba..25a6bb7 100644
--- a/distro/systemd/openvpn-server@.service
+++ b/distro/systemd/openvpn-server@.service
@@ -9,8 +9,6 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
 [Service]
 Type=notify
 PrivateTmp=true
-RuntimeDirectory=openvpn-server
-RuntimeDirectoryMode=0710
 WorkingDirectory=/etc/openvpn/server
 ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log 
--status-version 2 --suppress-timestamps --config %i.conf
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
diff --git a/distro/systemd/openvpn.conf b/distro/systemd/openvpn.conf
new file mode 100644
index 000..bb79671
--- /dev/null
+++ b/distro/systemd/openvpn.conf
@@ -0,0 +1,2 @@
+d /run/openvpn-client 0710 root root -
+d /run/openvpn-server 0710 root root -
-- 
2.11.0


--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 1/1] do not race on RuntimeDirectory

[Christian Hesse]

David Sommerseth <open...@sf.lists.topphemmelig.net> on Fri, 2016/12/16 22:15:
> On 16/12/16 20:09, Christian Hesse wrote:
> > David Sommerseth <open...@sf.lists.topphemmelig.net> on Fri, 2016/12/16
> > 19:14:  
> >> On 16/12/16 16:57, Christian Hesse wrote:  
> >>> From: Christian Hesse <m...@eworm.de>
> >>>
> >>> Different unit instances create and destroy the same RuntimeDirectory.
> >>> This leads to running instances where the status file (and possibly
> >>> more runtime data) is no longer accessible.
> >>>
> >>> So create a RuntimeDirectory per instance.
> >>>
> >>> Signed-off-by: Christian Hesse <m...@eworm.de>
> >>> ---
> >>>  distro/systemd/openvpn-client@.service | 2 +-
> >>>  distro/systemd/openvpn-server@.service | 4 ++--
> >>>  2 files changed, 3 insertions(+), 3 deletions(-)
> >>>
> >>> diff --git a/distro/systemd/openvpn-client@.service
> >>> b/distro/systemd/openvpn-client@.service index 5618af3..fcb5302 100644
> >>> --- a/distro/systemd/openvpn-client@.service
> >>> +++ b/distro/systemd/openvpn-client@.service
> >>> @@ -9,7 +9,7 @@
> >>> Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service]
> >>>  Type=notify
> >>>  PrivateTmp=true
> >>> -RuntimeDirectory=openvpn-client
> >>> +RuntimeDirectory=openvpn-client@%i
> >>
> >> I am quite sure we tested this, without any luck.  We ended up with a
> >> directory named openvpn-client@%i ... well, we used openvpn-client-%i,
> >> but the principle should be the same.
> >>
> >> This *might* have been fixed in a newer systemd releases, but as we have
> >> RHEL7 as the oldest release we need to ensure this works properly there
> >> too.
> >>
> >> For the server side, we used status-%i.log to avoid clashing on the
> >> status log.
> >>
> >> debbie10t did plenty of testing with various configurations, so he can
> >> probably fill out more details in the various test cases he used.  We
> >> should probably document those tests in our wiki though.  
> > 
> > Running systemd 232 here and everything works as expected. This is with
> > unit files from current master:
> > 
> > # systemctl start openvpn-server@test1.service
> > # systemctl start openvpn-server@test2.service
> > # systemctl stop openvpn-server@test2.service
> > # ls -l /run/openvpn-server/
> > ls: cannot access '/run/openvpn-server/': No such file or directory
> > 
> > And the same with my patch applied:
> > 
> > # ls -l /run/openvpn-server@test1/status.log 
> > -rw--- 1 root root 8419 Dec 16
> > 20:03 /run/openvpn-server@test1/status.log
> > 
> > From systemd.exec(5) about RuntimeDirectory=:  
> >> Takes a list of directory names. If set, one or more directories by the
> >> specified names will be created below /run (for system services) [...]
> >> when the unit is started, and removed when the unit is stopped.  
> > 
> > So this works as long the no service is stopped or fails.
> > 
> > I do not have RHEL7 around... What exactly fails there?  
> 
> The directory is literally named 'openvpn-server@%i'

Ok, that's bad. So another idea... Let's remove RuntimeDirectory= and
RuntimeDirectoryMode= from unit files. Instead we provide a file openvpn.conf
to be installed to /usr/lib/tmpfiles.d/ containing:

d /run/openvpn-client 0710 root root -
d /run/openvpn-server 0710 root root -

systemd will create the directories for us and nobody will
(unintentionally) delete them. As /run is volatile we do not have to care.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpzEsTVbc2Yn.pgp
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 1/1] do not race on RuntimeDirectory

[Christian Hesse]

David Sommerseth <open...@sf.lists.topphemmelig.net> on Fri, 2016/12/16 19:14:
> On 16/12/16 16:57, Christian Hesse wrote:
> > From: Christian Hesse <m...@eworm.de>
> > 
> > Different unit instances create and destroy the same RuntimeDirectory.
> > This leads to running instances where the status file (and possibly
> > more runtime data) is no longer accessible.
> > 
> > So create a RuntimeDirectory per instance.
> > 
> > Signed-off-by: Christian Hesse <m...@eworm.de>
> > ---
> >  distro/systemd/openvpn-client@.service | 2 +-
> >  distro/systemd/openvpn-server@.service | 4 ++--
> >  2 files changed, 3 insertions(+), 3 deletions(-)
> > 
> > diff --git a/distro/systemd/openvpn-client@.service
> > b/distro/systemd/openvpn-client@.service index 5618af3..fcb5302 100644
> > --- a/distro/systemd/openvpn-client@.service
> > +++ b/distro/systemd/openvpn-client@.service
> > @@ -9,7 +9,7 @@
> > Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO [Service]
> >  Type=notify
> >  PrivateTmp=true
> > -RuntimeDirectory=openvpn-client
> > +RuntimeDirectory=openvpn-client@%i  
> 
> I am quite sure we tested this, without any luck.  We ended up with a
> directory named openvpn-client@%i ... well, we used openvpn-client-%i,
> but the principle should be the same.
> 
> This *might* have been fixed in a newer systemd releases, but as we have
> RHEL7 as the oldest release we need to ensure this works properly there too.
> 
> For the server side, we used status-%i.log to avoid clashing on the
> status log.
> 
> debbie10t did plenty of testing with various configurations, so he can
> probably fill out more details in the various test cases he used.  We
> should probably document those tests in our wiki though.

Running systemd 232 here and everything works as expected. This is with unit
files from current master:

# systemctl start openvpn-server@test1.service
# systemctl start openvpn-server@test2.service
# systemctl stop openvpn-server@test2.service
# ls -l /run/openvpn-server/
ls: cannot access '/run/openvpn-server/': No such file or directory

And the same with my patch applied:

# ls -l /run/openvpn-server@test1/status.log 
-rw--- 1 root root 8419 Dec 16 20:03 /run/openvpn-server@test1/status.log

From systemd.exec(5) about RuntimeDirectory=:
> Takes a list of directory names. If set, one or more directories by the
> specified names will be created below /run (for system services) [...] when
> the unit is started, and removed when the unit is stopped.

So this works as long the no service is stopped or fails.

I do not have RHEL7 around... What exactly fails there?
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgp96ZXOb55lq.pgp
Description: OpenPGP digital signature
--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 1/1] do not race on RuntimeDirectory

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

Different unit instances create and destroy the same RuntimeDirectory.
This leads to running instances where the status file (and possibly
more runtime data) is no longer accessible.

So create a RuntimeDirectory per instance.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 distro/systemd/openvpn-client@.service | 2 +-
 distro/systemd/openvpn-server@.service | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/distro/systemd/openvpn-client@.service 
b/distro/systemd/openvpn-client@.service
index 5618af3..fcb5302 100644
--- a/distro/systemd/openvpn-client@.service
+++ b/distro/systemd/openvpn-client@.service
@@ -9,7 +9,7 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
 [Service]
 Type=notify
 PrivateTmp=true
-RuntimeDirectory=openvpn-client
+RuntimeDirectory=openvpn-client@%i
 RuntimeDirectoryMode=0710
 WorkingDirectory=/etc/openvpn/client
 ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf
diff --git a/distro/systemd/openvpn-server@.service 
b/distro/systemd/openvpn-server@.service
index b9b4dba..8b240cf 100644
--- a/distro/systemd/openvpn-server@.service
+++ b/distro/systemd/openvpn-server@.service
@@ -9,10 +9,10 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
 [Service]
 Type=notify
 PrivateTmp=true
-RuntimeDirectory=openvpn-server
+RuntimeDirectory=openvpn-server@%i
 RuntimeDirectoryMode=0710
 WorkingDirectory=/etc/openvpn/server
-ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log 
--status-version 2 --suppress-timestamps --config %i.conf
+ExecStart=/usr/sbin/openvpn --status %t/openvpn-server@%i/status.log 
--status-version 2 --suppress-timestamps --config %i.conf
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
 LimitNPROC=10
 DeviceAllow=/dev/null rw
-- 
2.11.0


--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 1/1] replace deprecated LZ4 function

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

The LZ4 function LZ4_compress_limitedOutput() is deprecated, compiler
gives warning:

warning: ‘LZ4_compress_limitedOutput’ is deprecated: use
LZ4_compress_default() instead

The new function LZ4_compress_default() appeared in r129 (1.7.0), so
replace the function there.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 src/openvpn/comp-lz4.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/src/openvpn/comp-lz4.c b/src/openvpn/comp-lz4.c
index 6b7c49b..a6ce4f7 100644
--- a/src/openvpn/comp-lz4.c
+++ b/src/openvpn/comp-lz4.c
@@ -87,7 +87,11 @@ do_lz4_compress(struct buffer *buf,
 return false;
 }
 
+#if defined LZ4_VERSION_NUMBER && LZ4_VERSION_NUMBER >= 10700
+zlen = LZ4_compress_default((const char *)BPTR(buf), (char 
*)BPTR(work), BLEN(buf), zlen_max );
+#else
 zlen = LZ4_compress_limitedOutput((const char *)BPTR(buf), (char 
*)BPTR(work), BLEN(buf), zlen_max );
+#endif
 
 if (zlen <= 0)
 {
-- 
2.11.0


--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 1/1] replace deprecated LZ4 function

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

The LZ4 function LZ4_compress_limitedOutput() is deprecated, compiler
gives warning:

warning: ‘LZ4_compress_limitedOutput’ is deprecated: use
LZ4_compress_default() instead

So replace the function.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 src/openvpn/comp-lz4.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/openvpn/comp-lz4.c b/src/openvpn/comp-lz4.c
index 6b7c49b..90feaa5 100644
--- a/src/openvpn/comp-lz4.c
+++ b/src/openvpn/comp-lz4.c
@@ -87,7 +87,7 @@ do_lz4_compress(struct buffer *buf,
 return false;
 }
 
-zlen = LZ4_compress_limitedOutput((const char *)BPTR(buf), (char 
*)BPTR(work), BLEN(buf), zlen_max );
+zlen = LZ4_compress_default((const char *)BPTR(buf), (char 
*)BPTR(work), BLEN(buf), zlen_max );
 
 if (zlen <= 0)
 {
-- 
2.11.0


--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 1/1] bind mount systemd notification socket into chroot

[Christian Hesse]

David Sommerseth <open...@sf.lists.topphemmelig.net> on Sat, 2016/12/10 01:03:
> On 10/12/16 00:19, Christian Hesse wrote:
> > From: Christian Hesse <m...@eworm.de>
> > 
> > sd_notify() uses a socket to communicate with systemd. Communication
> > fails if the socket is not available within the chroot. So bind mount
> > the socket into the chroot when startet from systemd.
> > 
> > Unsharing namespace and mounting requires extra capability
> > CAP_SYS_ADMIN.  
> 
> I will pick up this one after 2.4.0 has been released.  This is a very
> promising approach.  However, I'm not too happy about CAP_SYS_ADMIN
> though, that grants quite some privileges.  Can we look at dropping this
> capability once we know we won't need it any more?  Perhaps when we send
> READY=1?

Never tried to drop capabilities... Have to look into that.
We do no longer need CAP_SYS_ADMIN after the bind mount. (Or not at all
without chrooting.)

> > +  char * chroot_notify = NULL;
> > +
> > +  if (sd_notify(0, "READY=0") > 0)
> > +{
> > +  asprintf(_notify, "%s/notify",
> > c->options.chroot_dir);  
> 
> Here we should use the buffer/string functions, based on the gc_arena
> implementation.  Unfortunately we do not have a direct equivalent to
> asprintf().  A starting point would be to for example look at the string
> handling in print_sockaddr_ex() [socket.c:2386] or x_msg_va()
> [error.c:251] ... there might be better examples too, I'm just not able
> to remember them now :)   buffer.[ch] keeps most of these functions.
> 
> The reason for this is basically to use the same well tested
> infrastructure.  And with gc_arena, only a single gc_free() is required,
> regardless of how many buffers you allocate to that arena.

I do not like this myself. The patch is just a proof of concept... So this
should be polished before committing. ;)

Thanks for the hints, I will have a look.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpdFAvSbXJm8.pgp
Description: OpenPGP digital signature
--
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/xeonphi___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

[Christian Hesse]

SviMik  on Sat, 2016/12/10 06:06:
> > You can break this with something like:
> > 
> > status /etc/openvpn/client/status.log
> > 
> > in your configuration. Writing a status file
> > to /run/openvpn-{client,server}/status.log works, though. So the default
> > setups should be fine. Do we have any more cases where openvpn wants write
> > access for whatever?  
> 
> From my configuration:
> 1) status

That is fine if it is written to /run/openvpn-{client,server}/. It breaks
with the status file in /etc/openvpn/{client,server}/ or example.

> 2) ifconfig-pool-persist

That is a problem... As the name suggests this should be persistent. :-/

> 3) tmp-dir (for storing openvpn_pf_*.tmp files)

Never used this. What is it for?
Anyway, I think this is not persistent stuff? Writing to /tmp/
or /run/openvpn-{client,server}/ should be fine.

> 4) client-connect script may want to write something

My scripts do some configuration and dbus-stuff, but do not write anything...
Writing to read-only path would fail, of course.

> 5) a plugin may want to write something

Same here... /run/ and /tmp/ is fine, other paths fail.

> For me even the read-only option will break nearly *everything*. And for
> user it will be completely not obvious why his scripts doesn't work, why
> his status file is not updated, and what's wrong with ifconfig-pool-persist.

Well, the error message should include something like: "cannot open file
'file': Read-only file system".

But this is more problematic than I thought initially.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpkdE7knZNap.pgp
Description: OpenPGP digital signature
--
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/xeonphi___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 1/1] Clean up plugin path handling

[Christian Hesse]

David Sommerseth <open...@sf.lists.topphemmelig.net> on Fri, 2016/12/09 23:40:
> On 09/12/16 22:54, Christian Hesse wrote:
> > David Sommerseth <open...@sf.lists.topphemmelig.net> on Fri, 2016/12/09
> > 22:37:  
> >> On 29/11/16 12:07, Christian Hesse wrote:  
> >>> From: Christian Hesse <m...@eworm.de>
> >>>
> >>> Drop --with-plugindir, instead use an environment variable PLUGINDIR
> >>> to specify the plugin directory.
> >>>
> >>> This always defines PLUGIN_LIBDIR and enables plugin search path.
> >>>
> >>> Signed-off-by: Christian Hesse <m...@eworm.de>
> >>> ---
> >>>  configure.ac| 14 ++
> >>>  src/openvpn/Makefile.am |  3 ++-
> >>>  2 files changed, 8 insertions(+), 9 deletions(-)
> >>>
> >>> diff --git a/configure.ac b/configure.ac
> >>> index f4073d0..5fe652e 100644
> >>> --- a/configure.ac
> >>> +++ b/configure.ac
> >>> @@ -301,13 +301,12 @@ AC_ARG_WITH(
> >>>   [with_crypto_library="openssl"]
> >>>  )
> >>>  
> >>> -AC_ARG_WITH(
> >>> - [plugindir],
> >>> - [AS_HELP_STRING([--with-plugindir], [plugin directory
> >>> @<:@default=LIBDIR/openvpn@:>@])],
> >>> - ,
> >>> - [with_plugindir="\$(libdir)/openvpn/plugins"]
> >>> -)
> >>> -
> >>> +AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory
> >>> @<:@default=LIBDIR/openvpn/plugins@:>@]) +if test -n "${PLUGINDIR}";
> >>> then
> >>> + plugindir="${PLUGINDIR}"
> >>> +else
> >>> + plugindir="\${libdir}/openvpn/plugins"
> >>> +fi
> >>
> >> Finally had some time to dig into this one.  I like the idea here, I
> >> think it makes sense.  But I'm not sure ${libdir} is correct by default.
> >>  I think that should be /usr/local/lib64 by default on a 64bit system.
> >>
> >> My google-foo isn't helpful for me today ... This is somewhat related,
> >> especially towards the end of this doc page:
> >> <https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Site-Defaults.html>
> >>
> >> But I believe there are better ways to do this.
> >>
> >> I haven't checked this in detail what happens with 'make install'.  We
> >> should ensure that the plug-ins we ship (./src/plugins) which are built
> >> are installed as well into this directory.  
> > 
> > ${libdir} is where plugins are installed to... That's why I choose it. ;)
> > 
> > Installing anything to $prefix/lib64/ does not make sense imho. Never.  
> 
> Well, that is the default for Fedora/RHEL families.  32bit systems uses
> /usr/lib, 64bit uses /usr/lib64.
> 
> $ uname -m
> x86_64
> $ cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 7.3 (Maipo)
> $ rpm --eval '%{_libdir}'
> /usr/lib64
> 
> I've tested this on Fedora 24 and Scientific Linux 6 and 7 as well, with
> the same result.
> 
> And you'll find the same in openSUSE too:
> <https://en.opensuse.org/openSUSE:Packaging_Conventions_RPM_Macros#.25_lib>
> 
> Unless it has changed in Debian/Ubuntu, it is a similar policy there too.

Uh, interesting... Probably I did not look at these distributions for too
long... (And/or relied on the package manager.)

For Arch Linux we use /usr/lib/, though /usr/lib64/ is provided by a symlink
to lib nowadays.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpFNF7JacsGA.pgp
Description: OpenPGP digital signature
--
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/xeonphi___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 1/1] bind mount systemd notification socket into chroot

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

sd_notify() uses a socket to communicate with systemd. Communication
fails if the socket is not available within the chroot. So bind mount
the socket into the chroot when startet from systemd.

Unsharing namespace and mounting requires extra capability CAP_SYS_ADMIN.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 distro/systemd/openvpn-client@.service |  2 +-
 distro/systemd/openvpn-server@.service |  2 +-
 src/openvpn/init.c | 37 +++---
 3 files changed, 23 insertions(+), 18 deletions(-)

diff --git a/distro/systemd/openvpn-client@.service 
b/distro/systemd/openvpn-client@.service
index 5618af3..3ebd1da 100644
--- a/distro/systemd/openvpn-client@.service
+++ b/distro/systemd/openvpn-client@.service
@@ -13,7 +13,7 @@ RuntimeDirectory=openvpn-client
 RuntimeDirectoryMode=0710
 WorkingDirectory=/etc/openvpn/client
 ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID 
CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID 
CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_DAC_OVERRIDE
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
diff --git a/distro/systemd/openvpn-server@.service 
b/distro/systemd/openvpn-server@.service
index b9b4dba..bcf1bcf 100644
--- a/distro/systemd/openvpn-server@.service
+++ b/distro/systemd/openvpn-server@.service
@@ -13,7 +13,7 @@ RuntimeDirectory=openvpn-server
 RuntimeDirectoryMode=0710
 WorkingDirectory=/etc/openvpn/server
 ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log 
--status-version 2 --suppress-timestamps --config %i.conf
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_DAC_OVERRIDE
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 26b236d..81bf9ab 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -31,6 +31,9 @@
 #include "syshead.h"
 
 #ifdef ENABLE_SYSTEMD
+#include 
+#include 
+#include 
 #include 
 #endif
 
@@ -969,22 +972,24 @@ do_uid_gid_chroot (struct context *c, bool no_delay)
  if (no_delay)
 {
 #ifdef ENABLE_SYSTEMD
-  /* If OpenVPN is started by systemd, the OpenVPN process needs
-   * to provide a preliminary status report to systemd.  This is
-   * needed as $NOTIFY_SOCKET will not be available inside the
-   * chroot, which sd_notify()/sd_notifyf() depends on.
-   *
-   * This approach is the simplest and the most non-intrusive
-   * solution right before the 2.4_rc2 release.
-   *
-   * TODO: Consider altnernative solutions - bind mount?
-   * systemd does not grok OpenVPN configuration files, thus cannot
-   * have a sane way to know if OpenVPN will chroot or not and to
-   * which subdirectory it will chroot into.
-   */
-  sd_notifyf(0, "READY=1\n"
-"STATUS=Entering chroot, most of the init completed 
successfully\n"
-"MAINPID=%lu", (unsigned long) getpid());
+  int fd;
+  char * chroot_notify = NULL;
+
+  if (sd_notify(0, "READY=0") > 0)
+{
+  asprintf(_notify, "%s/notify", c->options.chroot_dir);
+
+  if (unshare(CLONE_NEWNS) != 0)
+msg (M_ERR, "unshare failed");
+  if ((fd = open(chroot_notify, O_WRONLY | O_CREAT | O_TRUNC, 
0644)) < 0)
+msg (M_ERR, "touch failed");
+  close(fd);
+  if (mount(getenv("NOTIFY_SOCKET"), chroot_notify, NULL, 
MS_BIND, NULL) != 0)
+msg (M_ERR, "bind mounting notification socket failed");
+
+  setenv("NOTIFY_SOCKET", "/notify", 1);
+  free(chroot_notify);
+}
 #endif
   platform_chroot (c->options.chroot_dir);
 }
-- 
2.10.2


--
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/xeonphi
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 1/1] Clean up plugin path handling

[Christian Hesse]

David Sommerseth <open...@sf.lists.topphemmelig.net> on Fri, 2016/12/09 22:37:
> On 29/11/16 12:07, Christian Hesse wrote:
> > From: Christian Hesse <m...@eworm.de>
> > 
> > Drop --with-plugindir, instead use an environment variable PLUGINDIR
> > to specify the plugin directory.
> > 
> > This always defines PLUGIN_LIBDIR and enables plugin search path.
> > 
> > Signed-off-by: Christian Hesse <m...@eworm.de>
> > ---
> >  configure.ac| 14 ++
> >  src/openvpn/Makefile.am |  3 ++-
> >  2 files changed, 8 insertions(+), 9 deletions(-)
> > 
> > diff --git a/configure.ac b/configure.ac
> > index f4073d0..5fe652e 100644
> > --- a/configure.ac
> > +++ b/configure.ac
> > @@ -301,13 +301,12 @@ AC_ARG_WITH(
> > [with_crypto_library="openssl"]
> >  )
> >  
> > -AC_ARG_WITH(
> > -   [plugindir],
> > -   [AS_HELP_STRING([--with-plugindir], [plugin directory
> > @<:@default=LIBDIR/openvpn@:>@])],
> > -   ,
> > -   [with_plugindir="\$(libdir)/openvpn/plugins"]
> > -)
> > -
> > +AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory
> > @<:@default=LIBDIR/openvpn/plugins@:>@]) +if test -n "${PLUGINDIR}"; then
> > +   plugindir="${PLUGINDIR}"
> > +else
> > +   plugindir="\${libdir}/openvpn/plugins"
> > +fi  
> 
> Finally had some time to dig into this one.  I like the idea here, I
> think it makes sense.  But I'm not sure ${libdir} is correct by default.
>  I think that should be /usr/local/lib64 by default on a 64bit system.
> 
> My google-foo isn't helpful for me today ... This is somewhat related,
> especially towards the end of this doc page:
> <https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Site-Defaults.html>
> 
> But I believe there are better ways to do this.
> 
> I haven't checked this in detail what happens with 'make install'.  We
> should ensure that the plug-ins we ship (./src/plugins) which are built
> are installed as well into this directory.

${libdir} is where plugins are installed to... That's why I choose it. ;)

Installing anything to $prefix/lib64/ does not make sense imho. Never.

32bit systems install to $prefix/lib/, 64bit system install to $prefix/lib/.
The only valid extra is $prefix/lib32/ for multilib on 64bit systemd.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpYJbsIcTxRu.pgp
Description: OpenPGP digital signature
--
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/xeonphi___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 1/1] add more security features for systemd units

[Christian Hesse]

David Sommerseth <open...@sf.lists.topphemmelig.net> on Fri, 2016/12/09 20:42:
> On 09/12/16 19:13, Christian Hesse wrote:
> > From: Christian Hesse <m...@eworm.de>
> > 
> > ProtectSystem=strict mounts the entire file system hierarchy read-only,
> > except for the API file system subtrees /dev, /proc and /sys (which can
> > be protected using PrivateDevices=, ProtectKernelTunables=,
> > ProtectControlGroups=).
> > 
> > ProtectHome=true makes the directories /home, /root and /run/user
> > inaccessible and empty for the process.  
> 
> Currently I don't think we can use ProtectedHome=  as it is fully
> possible to save certificates and keys under $HOME/.cert on Fedora/RHEL
> (and clones).  There is even a specific SELinux label for files in that
> path, home_cert_t.

I know that NetworkManager and its openvpn plugin use $HOME/.cert/... But
openvpn is not started from systemd then. Do we have setups where openvpn
starts from systemd and reads certificates from $HOME?

ProtectHome=read-only could help here... But I would still prefer
ProtectHome=true.

BTW, setting can be overwritten with something like:

mkdir /etc/systemd/system/openvpn-client@example.service.d
cat > /etc/systemd/system/openvpn-client@example.service.d/protecthome.conf
< For the others, I think they are more reasonable ... But I need to dig
> into the more murky details to be 100% they are safe for us.  This is
> anyhow something we need to postpone until after 2.4.0 ... I don't dare
> adding more things which may backfire in rc2, as we're on a strict
> schedule to manage the next Debian release.
> 
> Once rc2 settles, I will start playing with this patch.

Agreed this is post-2.4.0 stuff. ;)

You can break this with something like:

status /etc/openvpn/client/status.log

in your configuration. Writing a status file
to /run/openvpn-{client,server}/status.log works, though. So the default
setups should be fine. Do we have any more cases where openvpn wants write
access for whatever?
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpsreZ2srCdu.pgp
Description: OpenPGP digital signature
--
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/xeonphi___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 1/1] add more security features for systemd units

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

ProtectSystem=strict mounts the entire file system hierarchy read-only,
except for the API file system subtrees /dev, /proc and /sys (which can
be protected using PrivateDevices=, ProtectKernelTunables=,
ProtectControlGroups=).

ProtectHome=true makes the directories /home, /root and /run/user
inaccessible and empty for the process.

See systemd.exec(5) [0] for details.

[0] https://www.freedesktop.org/software/systemd/man/systemd.exec.html

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 distro/systemd/openvpn-client@.service | 2 ++
 distro/systemd/openvpn-server@.service | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/distro/systemd/openvpn-client@.service 
b/distro/systemd/openvpn-client@.service
index 5618af3..3a9b7e2 100644
--- a/distro/systemd/openvpn-client@.service
+++ b/distro/systemd/openvpn-client@.service
@@ -17,6 +17,8 @@ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW 
CAP_SETGID CAP_SETU
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
+ProtectSystem=strict
+ProtectHome=true
 
 [Install]
 WantedBy=multi-user.target
diff --git a/distro/systemd/openvpn-server@.service 
b/distro/systemd/openvpn-server@.service
index b9b4dba..a9e57b2 100644
--- a/distro/systemd/openvpn-server@.service
+++ b/distro/systemd/openvpn-server@.service
@@ -17,6 +17,8 @@ CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN 
CAP_NET_BIND_SERVICE CAP_NET_RA
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
+ProtectSystem=strict
+ProtectHome=true
 
 [Install]
 WantedBy=multi-user.target
-- 
2.10.2


--
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/xeonphi
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] systemd: Intermediate --chroot fix with the new sd_notify() implementation

[Christian Hesse]

Christian Hesse <l...@eworm.de> on Fri, 2016/12/09 18:37:
> David Sommerseth <dav...@openvpn.net> on Wed, 2016/12/07 03:51:
> > Commit c5931897ae8d663e7e introduced support for talking directly
> > to the systemd service manager about the situation for the OpenVPN
> > tunnel. This approach makes a lot of sense and is mostly the proper
> > way to do it.  But it was discovered that it breaks OpenVPN
> > configurations using --chroot.
> > 
> > The reason sd_notify() calls fails when using chroot() is that
> > sd_notify() expects to have access to a file as declared in the
> > $NOTIFY_SOCKET environment variable.  It is the main systemd
> > instance which is responsible to provide both the environment variable
> > as well as the socket file sd_nodify() should use.  When --chroot
> > comes into play, the $NOTIFY_SOCKET file will not be available
> > for OpenVPN any more.
> > 
> > As things are getting close to the 2.4_rc2 release we will not dare
> > to bring a too invasive fix.  As well we need some time to discuss
> > an approrpriate solution.  So this intermediate fix will only
> > provide a "successful start" message to the systemd service manager
> > right before chroot() happens.  This will at least resolve the issue
> > in a safe and non-intrusive way.
> > 
> > Signed-off-by: David Sommerseth <dav...@openvpn.net>
> > ---
> >  src/openvpn/init.c | 22 +-
> >  1 file changed, 21 insertions(+), 1 deletion(-)
> > 
> > diff --git a/src/openvpn/init.c b/src/openvpn/init.c
> > index 74f1139..e47f0d4 100644
> > --- a/src/openvpn/init.c
> > +++ b/src/openvpn/init.c
> > @@ -967,7 +967,27 @@ do_uid_gid_chroot (struct context *c, bool no_delay)
> >if (c->options.chroot_dir)
> > {
> >   if (no_delay)
> > -   platform_chroot (c->options.chroot_dir);
> > +{
> > +#ifdef ENABLE_SYSTEMD
> > +  /* If OpenVPN is started by systemd, the OpenVPN process
> > needs
> > +   * to provide a preliminary status report to systemd.  This
> > is
> > +   * needed as $NOTIFY_SOCKET will not be available inside
> > the
> > +   * chroot, which sd_notify()/sd_notifyf() depends on.
> > +   *
> > +   * This approach is the simplest and the most non-intrusive
> > +   * solution right before the 2.4_rc2 release.
> > +   *
> > +   * TODO: Consider altnernative solutions - bind mount?
> > +   * systemd does not grok OpenVPN configuration files, thus
> > cannot
> > +   * have a sane way to know if OpenVPN will chroot or not
> > and to
> > +   * which subdirectory it will chroot into.
> > +   */
> > +  sd_notifyf(0, "READY=1\n"
> > +"STATUS=Entering chroot, most of the init completed
> > successfully\n"
> > +"MAINPID=%lu", (unsigned long) getpid());
> > +#endif
> > +  platform_chroot (c->options.chroot_dir);
> > +}
> >   else if (c->first_time)
> > msg (M_INFO, "NOTE: chroot %s", why_not);
> > }  
> 
> Looks good to me, so: ACK
> 
> In long term we should think about a proper solution. Notification socket
> is /run/systemd/notify, so we would have to make that available from within
> the chroot.

BTW, systemd used to use abstract sockets for notifications, which worked with
processes that chroot themselves. This was changed [0] in favor to
PrivateNetwork setting. Private network (in terms of systemd) is nothing we
can make use of, though. Obviously... :-p

Does it make sense to deny to chroot when running from systemd and instead
add some more security features to the systemd unit? Things like
ProtectSystem=strict, ProtectHome=true and friends. See systemd.exec(5) [1]
for details.

[0]
https://github.com/systemd/systemd/commit/7181dbdb2e3112858d62bdaea4f0ad2ed685ccba
[1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpllYZqjGzAH.pgp
Description: OpenPGP digital signature
--
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/xeonphi___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] systemd: Intermediate --chroot fix with the new sd_notify() implementation

[Christian Hesse]

David Sommerseth  on Wed, 2016/12/07 03:51:
> Commit c5931897ae8d663e7e introduced support for talking directly
> to the systemd service manager about the situation for the OpenVPN
> tunnel. This approach makes a lot of sense and is mostly the proper
> way to do it.  But it was discovered that it breaks OpenVPN
> configurations using --chroot.
> 
> The reason sd_notify() calls fails when using chroot() is that
> sd_notify() expects to have access to a file as declared in the
> $NOTIFY_SOCKET environment variable.  It is the main systemd
> instance which is responsible to provide both the environment variable
> as well as the socket file sd_nodify() should use.  When --chroot
> comes into play, the $NOTIFY_SOCKET file will not be available
> for OpenVPN any more.
> 
> As things are getting close to the 2.4_rc2 release we will not dare
> to bring a too invasive fix.  As well we need some time to discuss
> an approrpriate solution.  So this intermediate fix will only
> provide a "successful start" message to the systemd service manager
> right before chroot() happens.  This will at least resolve the issue
> in a safe and non-intrusive way.
> 
> Signed-off-by: David Sommerseth 
> ---
>  src/openvpn/init.c | 22 +-
>  1 file changed, 21 insertions(+), 1 deletion(-)
> 
> diff --git a/src/openvpn/init.c b/src/openvpn/init.c
> index 74f1139..e47f0d4 100644
> --- a/src/openvpn/init.c
> +++ b/src/openvpn/init.c
> @@ -967,7 +967,27 @@ do_uid_gid_chroot (struct context *c, bool no_delay)
>if (c->options.chroot_dir)
>   {
> if (no_delay)
> - platform_chroot (c->options.chroot_dir);
> +{
> +#ifdef ENABLE_SYSTEMD
> +  /* If OpenVPN is started by systemd, the OpenVPN process
> needs
> +   * to provide a preliminary status report to systemd.  This
> is
> +   * needed as $NOTIFY_SOCKET will not be available inside the
> +   * chroot, which sd_notify()/sd_notifyf() depends on.
> +   *
> +   * This approach is the simplest and the most non-intrusive
> +   * solution right before the 2.4_rc2 release.
> +   *
> +   * TODO: Consider altnernative solutions - bind mount?
> +   * systemd does not grok OpenVPN configuration files, thus
> cannot
> +   * have a sane way to know if OpenVPN will chroot or not and
> to
> +   * which subdirectory it will chroot into.
> +   */
> +  sd_notifyf(0, "READY=1\n"
> +"STATUS=Entering chroot, most of the init completed
> successfully\n"
> +"MAINPID=%lu", (unsigned long) getpid());
> +#endif
> +  platform_chroot (c->options.chroot_dir);
> +}
> else if (c->first_time)
>   msg (M_INFO, "NOTE: chroot %s", why_not);
>   }

Looks good to me, so: ACK

In long term we should think about a proper solution. Notification socket
is /run/systemd/notify, so we would have to make that available from within
the chroot.

BTW, feel free to CC me on systemd related topics.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpzdl_cITWjn.pgp
Description: OpenPGP digital signature
--
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/xeonphi___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH v3 1/2] Use systemd service manager notification

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

Notify systemd service manager when our initialization sequence
completed. This helps ordering services as dependencies can rely on vpn
being available.

v2: Add curly brackets (and indention) to block the else-part, msg()
call was non-conditional before.

v3: Move systemd header include from init.h to init.c.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 distro/systemd/openvpn-client@.service |  1 +
 distro/systemd/openvpn-server@.service |  1 +
 src/openvpn/init.c | 14 +-
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/distro/systemd/openvpn-client@.service 
b/distro/systemd/openvpn-client@.service
index 18b84dd..f64a239 100644
--- a/distro/systemd/openvpn-client@.service
+++ b/distro/systemd/openvpn-client@.service
@@ -7,6 +7,7 @@ 
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
 Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
 
 [Service]
+Type=notify
 PrivateTmp=true
 RuntimeDirectory=openvpn-client
 RuntimeDirectoryMode=0710
diff --git a/distro/systemd/openvpn-server@.service 
b/distro/systemd/openvpn-server@.service
index a2b7b52..890e6a9 100644
--- a/distro/systemd/openvpn-server@.service
+++ b/distro/systemd/openvpn-server@.service
@@ -7,6 +7,7 @@ 
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
 Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
 
 [Service]
+Type=notify
 PrivateTmp=true
 RuntimeDirectory=openvpn-server
 RuntimeDirectoryMode=0710
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 2ccbab2..f99c934 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -30,6 +30,10 @@
 
 #include "syshead.h"
 
+#ifdef ENABLE_SYSTEMD
+#include 
+#endif
+
 #include "win32.h"
 #include "init.h"
 #include "sig.h"
@@ -1251,11 +1255,19 @@ initialization_sequence_completed (struct context *c, 
const unsigned int flags)
   show_adapters (M_INFO|M_NOPREFIX);
   msg (M_INFO, "%s With Errors ( see 
http://openvpn.net/faq.html#dhcpclientserv )", message);
 #else
+#ifdef ENABLE_SYSTEMD
+  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", 
message);
+#endif /* HAVE_SYSTEMD_SD_DAEMON_H */
   msg (M_INFO, "%s With Errors", message);
 #endif
 }
   else
-msg (M_INFO, "%s", message);
+{
+#ifdef ENABLE_SYSTEMD
+  sd_notifyf(0, "READY=1\nSTATUS=%s\nMAINPID=%lu", message, (unsigned 
long) getpid());
+#endif
+  msg (M_INFO, "%s", message);
+}
 
   /* Flag that we initialized */
   if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
-- 
2.10.2


--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH v2 2/2] Refuse to daemonize when running from systemd

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

We start with systemd Type=notify, so refuse to daemonize. This does not
affect starting openvpn from script or command line.

v2: Update commit message about script and command line.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 distro/systemd/openvpn-client@.service | 1 -
 distro/systemd/openvpn-server@.service | 1 -
 src/openvpn/init.c | 7 +++
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/distro/systemd/openvpn-client@.service 
b/distro/systemd/openvpn-client@.service
index f64a239..5618af3 100644
--- a/distro/systemd/openvpn-client@.service
+++ b/distro/systemd/openvpn-client@.service
@@ -12,7 +12,6 @@ PrivateTmp=true
 RuntimeDirectory=openvpn-client
 RuntimeDirectoryMode=0710
 WorkingDirectory=/etc/openvpn/client
-ExecStartPre=/bin/sh -c 'grep -q -E ^daemon %i.conf || exit 0 && /usr/bin/echo 
"OpenVPN configuration cannot contain --daemon when being managed by systemd" ; 
exit 1'
 ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID 
CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
 LimitNPROC=10
diff --git a/distro/systemd/openvpn-server@.service 
b/distro/systemd/openvpn-server@.service
index 890e6a9..b9b4dba 100644
--- a/distro/systemd/openvpn-server@.service
+++ b/distro/systemd/openvpn-server@.service
@@ -12,7 +12,6 @@ PrivateTmp=true
 RuntimeDirectory=openvpn-server
 RuntimeDirectoryMode=0710
 WorkingDirectory=/etc/openvpn/server
-ExecStartPre=/bin/sh -c 'grep -q -E ^daemon %i.conf || exit 0 && /usr/bin/echo 
"OpenVPN configuration cannot contain --daemon when being managed by systemd" ; 
exit 1'
 ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log 
--status-version 2 --suppress-timestamps --config %i.conf
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
 LimitNPROC=10
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index f99c934..74f1139 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -930,6 +930,13 @@ bool
 possibly_become_daemon (const struct options *options)
 {
   bool ret = false;
+
+#ifdef ENABLE_SYSTEMD
+  /* return without forking if we are running from systemd */
+  if (sd_notify(0, "READY=0") > 0)
+return ret;
+#endif
+
   if (options->daemon)
 {
   ASSERT (!options->inetd);
-- 
2.10.2


--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 1/1] update year in copyright for README

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

This line has not been touched in a long time... Let's
update the copyright with recent year for README.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 README | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README b/README
index 103a75a..6d2e9f3 100644
--- a/README
+++ b/README
@@ -1,6 +1,6 @@
 OpenVPN -- A Secure tunneling daemon
 
-Copyright (C) 2002-2010 OpenVPN Technologies, Inc. This program is free 
software;
+Copyright (C) 2002-2016 OpenVPN Technologies, Inc. This program is free 
software;
 you can redistribute it and/or modify
 it under the terms of the GNU General Public License version 2
 as published by the Free Software Foundation.
-- 
2.10.2


--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH v2 2/2] Refuse to daemonize when running from systemd

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

We start with systemd Type=notify, so refuse to daemonize. This does not
affect starting openvpn from script or command line.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 distro/systemd/openvpn-client@.service | 1 -
 distro/systemd/openvpn-server@.service | 1 -
 src/openvpn/init.c | 7 +++
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/distro/systemd/openvpn-client@.service 
b/distro/systemd/openvpn-client@.service
index f64a239..5618af3 100644
--- a/distro/systemd/openvpn-client@.service
+++ b/distro/systemd/openvpn-client@.service
@@ -12,7 +12,6 @@ PrivateTmp=true
 RuntimeDirectory=openvpn-client
 RuntimeDirectoryMode=0710
 WorkingDirectory=/etc/openvpn/client
-ExecStartPre=/bin/sh -c 'grep -q -E ^daemon %i.conf || exit 0 && /usr/bin/echo 
"OpenVPN configuration cannot contain --daemon when being managed by systemd" ; 
exit 1'
 ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID 
CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
 LimitNPROC=10
diff --git a/distro/systemd/openvpn-server@.service 
b/distro/systemd/openvpn-server@.service
index 890e6a9..b9b4dba 100644
--- a/distro/systemd/openvpn-server@.service
+++ b/distro/systemd/openvpn-server@.service
@@ -12,7 +12,6 @@ PrivateTmp=true
 RuntimeDirectory=openvpn-server
 RuntimeDirectoryMode=0710
 WorkingDirectory=/etc/openvpn/server
-ExecStartPre=/bin/sh -c 'grep -q -E ^daemon %i.conf || exit 0 && /usr/bin/echo 
"OpenVPN configuration cannot contain --daemon when being managed by systemd" ; 
exit 1'
 ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log 
--status-version 2 --suppress-timestamps --config %i.conf
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
 LimitNPROC=10
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index aea3590..63a5fee 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -926,6 +926,13 @@ bool
 possibly_become_daemon (const struct options *options)
 {
   bool ret = false;
+
+#ifdef ENABLE_SYSTEMD
+  /* return without forking if we are running from systemd */
+  if (sd_notify(0, "READY=0") > 0)
+return ret;
+#endif
+
   if (options->daemon)
 {
   ASSERT (!options->inetd);
-- 
2.10.2


--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH v2 1/2] Use systemd service manager notification

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

Notify systemd service manager when our initialization sequence
completed. This helps ordering services as dependencies can rely on vpn
being available.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 distro/systemd/openvpn-client@.service |  1 +
 distro/systemd/openvpn-server@.service |  1 +
 src/openvpn/init.c | 10 +-
 src/openvpn/init.h |  4 
 4 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/distro/systemd/openvpn-client@.service 
b/distro/systemd/openvpn-client@.service
index 18b84dd..f64a239 100644
--- a/distro/systemd/openvpn-client@.service
+++ b/distro/systemd/openvpn-client@.service
@@ -7,6 +7,7 @@ 
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
 Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
 
 [Service]
+Type=notify
 PrivateTmp=true
 RuntimeDirectory=openvpn-client
 RuntimeDirectoryMode=0710
diff --git a/distro/systemd/openvpn-server@.service 
b/distro/systemd/openvpn-server@.service
index a2b7b52..890e6a9 100644
--- a/distro/systemd/openvpn-server@.service
+++ b/distro/systemd/openvpn-server@.service
@@ -7,6 +7,7 @@ 
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
 Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
 
 [Service]
+Type=notify
 PrivateTmp=true
 RuntimeDirectory=openvpn-server
 RuntimeDirectoryMode=0710
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 2ccbab2..aea3590 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1251,11 +1251,19 @@ initialization_sequence_completed (struct context *c, 
const unsigned int flags)
   show_adapters (M_INFO|M_NOPREFIX);
   msg (M_INFO, "%s With Errors ( see 
http://openvpn.net/faq.html#dhcpclientserv )", message);
 #else
+#ifdef ENABLE_SYSTEMD
+  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", 
message);
+#endif /* HAVE_SYSTEMD_SD_DAEMON_H */
   msg (M_INFO, "%s With Errors", message);
 #endif
 }
   else
-msg (M_INFO, "%s", message);
+{
+#ifdef ENABLE_SYSTEMD
+  sd_notifyf(0, "READY=1\nSTATUS=%s\nMAINPID=%lu", message, (unsigned 
long) getpid());
+#endif
+  msg (M_INFO, "%s", message);
+}
 
   /* Flag that we initialized */
   if ((flags & (ISC_ERRORS|ISC_SERVER)) == 0)
diff --git a/src/openvpn/init.h b/src/openvpn/init.h
index 524bc64..0518b06 100644
--- a/src/openvpn/init.h
+++ b/src/openvpn/init.h
@@ -27,6 +27,10 @@
 
 #include "openvpn.h"
 
+#ifdef ENABLE_SYSTEMD
+#include 
+#endif
+
 /*
  * Baseline maximum number of events
  * to wait for.
-- 
2.10.2


--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 1/1] Use systemd service manager notification

[Christian Hesse]

Christian Hesse <l...@eworm.de> on Wed, 2016/11/30 09:12:
> Ok, lets go into detail. We can use three different settings: Type=simple,
> Type=forking and Type=notify.
> 
> * We used Type=forking for a long time. That is fine: systemd reports
> success when the process forks off first time. That is when openvpn
> successfully completed initialization sequence.
> 
> * The current systemd unit use Type=simple (which is implicit). systemd
>   reports success as soon as the process is executed, it does not wait for
>   anything. So startup can look like that: systemd starts openvpn process ->
>   unit is in state 'started' -> openvpn bails out with an error
>   before the initialization sequence completed -> systemd unit is in state
>   'failed' now. The problem is that it was in state 'started'
> intermittently: Manual systemctl (starting service from command line)
> reports success, other services depending on openvpn are started while
> dependency failed later, ... This is just broken.
> 
> * My patch introduces Type=notify. The (main) process must not fork, so most
>   things work like simple, except that systemd does not report success on
>   process execution, but waits for the sd_notify() call. We do not have
>   intermittent state 'success' and everything works as expected.
> 
> I will not package the code as-is with our Arch Linux package. Either I
> revert back to Type=forking or apply the patch for Type=notify.
> 
> So I still vote to apply this as soon as possible.

I prepared an example:

root@leda ~ # systemctl start openvpn-client@lugor
root@leda ~ # systemctl status openvpn-client@lugor
● openvpn-client@lugor.service - OpenVPN tunnel for lugor
   Loaded: loaded (/usr/lib/systemd/system/openvpn-client@.service; enabled; 
vendor preset: disabled)
   Active: active (running) since Thu 2016-12-01 13:35:12 CET; 8s ago
 Docs: man:openvpn(8)
   https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
   https://community.openvpn.net/openvpn/wiki/HOWTO
  Process: 11700 ExecStartPre=/bin/sh -c grep -q -E ^daemon %i.conf || exit 0 
&& /usr/bin/echo "OpenVPN configuration cannot contain --daemon when being 
managed by systemd" ; exit 1 (code=exited, status=0/SUCCESS)
 Main PID: 11703 (openvpn)
Tasks: 1 (limit: 4915)
   CGroup: 
/system.slice/system-openvpn\x2dclient.slice/openvpn-client@lugor.service
   └─11703 /usr/sbin/openvpn --suppress-timestamps --nobind --config 
lugor.conf


Dec 01 13:35:13 leda openvpn[11703]: GID set to nobody
Dec 01 13:35:13 leda openvpn[11703]: UID set to nobody
Dec 01 13:35:13 leda openvpn[11703]: Initialization Sequence Completed
root@leda ~ # # looks good...
root@leda ~ # echo "bad-option" >> /etc/openvpn/client/lugor.conf
root@leda ~ # systemctl restart openvpn-client@lugor
root@leda ~ # # succeeds, no?
root@leda ~ # systemctl status openvpn-client@lugor
● openvpn-client@lugor.service - OpenVPN tunnel for lugor
   Loaded: loaded (/usr/lib/systemd/system/openvpn-client@.service; enabled; 
vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2016-12-01 13:36:14 CET; 15s ago
 Docs: man:openvpn(8)
   https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
   https://community.openvpn.net/openvpn/wiki/HOWTO
  Process: 11911 ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind 
--config %i.conf (code=exited, status=1/FAILURE)
  Process: 11908 ExecStartPre=/bin/sh -c grep -q -E ^daemon %i.conf || exit 0 
&& /usr/bin/echo "OpenVPN configuration cannot contain --daemon when being 
managed by systemd" ; exit 1 (code=exited, status=0/SUCCESS)
 Main PID: 11911 (code=exited, status=1/FAILURE)

Dec 01 13:36:14 leda systemd[1]: Starting OpenVPN tunnel for lugor...
Dec 01 13:36:14 leda systemd[1]: Started OpenVPN tunnel for lugor.
Dec 01 13:36:14 leda openvpn[11911]: Options error: Unrecognized option or 
missing or extra parameter(s) in lugor.conf:32: bad-option (2.4_beta2)
Dec 01 13:36:14 leda openvpn[11911]: Use --help for more information.
Dec 01 13:36:14 leda systemd[1]: openvpn-client@lugor.service: Main process 
exited, code=exited, status=1/FAILURE
Dec 01 13:36:14 leda systemd[1]: openvpn-client@lugor.service: Unit entered 
failed state.
Dec 01 13:36:14 leda systemd[1]: openvpn-client@lugor.service: Failed with 
result 'exit-code'.
3 root@leda ~ # # Oops...
3 root@leda ~ # # now install openvpn with my systemd patches
3 root@leda ~ # systemctl restart openvpn-client@lugor
Job for openvpn-client@lugor.service failed because the control process exited 
with error code.
See "systemctl status openvpn-client@lugor.service" and "journalctl -xe" for 
details.
1 root@leda ~ # systemctl status openvpn-client@lugor
● openvpn-client@lugor.service - OpenVPN tunnel for lugor
   Loaded: loaded (/usr/lib/systemd/system/openvpn-client@.se

Re: [Openvpn-devel] [PATCH 1/1] Refuse to daemonize when running from systemd

[Christian Hesse]

David Sommerseth <open...@sf.lists.topphemmelig.net> on Wed, 2016/11/30 12:52:
> On 30/11/16 09:59, Christian Hesse wrote:
> > From: Christian Hesse <m...@eworm.de>
> > 
> > We start with systemd Type=notify, so refuse to daemonize.
> > 
> > Signed-off-by: Christian Hesse <m...@eworm.de>
> > ---
> >  distro/systemd/openvpn-client@.service | 1 -
> >  distro/systemd/openvpn-server@.service | 1 -
> >  src/openvpn/init.c | 7 +++
> >  3 files changed, 7 insertions(+), 2 deletions(-)
> > 
> > diff --git a/distro/systemd/openvpn-client@.service
> > b/distro/systemd/openvpn-client@.service index f64a239..5618af3 100644
> > --- a/distro/systemd/openvpn-client@.service
> > +++ b/distro/systemd/openvpn-client@.service
> > @@ -12,7 +12,6 @@ PrivateTmp=true
> >  RuntimeDirectory=openvpn-client
> >  RuntimeDirectoryMode=0710
> >  WorkingDirectory=/etc/openvpn/client
> > -ExecStartPre=/bin/sh -c 'grep -q -E ^daemon %i.conf || exit 0
> > && /usr/bin/echo "OpenVPN configuration cannot contain --daemon when
> > being managed by systemd" ; exit 1' ExecStart=/usr/sbin/openvpn
> > --suppress-timestamps --nobind --config %i.conf
> > CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID
> > CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE LimitNPROC=10 diff --git
> > a/distro/systemd/openvpn-server@.service
> > b/distro/systemd/openvpn-server@.service index 890e6a9..b9b4dba 100644
> > --- a/distro/systemd/openvpn-server@.service +++
> > b/distro/systemd/openvpn-server@.service @@ -12,7 +12,6 @@
> > PrivateTmp=true RuntimeDirectory=openvpn-server RuntimeDirectoryMode=0710
> >  WorkingDirectory=/etc/openvpn/server
> > -ExecStartPre=/bin/sh -c 'grep -q -E ^daemon %i.conf || exit 0
> > && /usr/bin/echo "OpenVPN configuration cannot contain --daemon when
> > being managed by systemd" ; exit 1' ExecStart=/usr/sbin/openvpn --status
> > %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps
> > --config %i.conf CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN
> > CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
> > CAP_DAC_OVERRIDE LimitNPROC=10 diff --git a/src/openvpn/init.c
> > b/src/openvpn/init.c index 551e579..7ab5c52 100644 ---
> > a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -926,6 +926,13 @@ bool
> >  possibly_become_daemon (const struct options *options)
> >  {
> >bool ret = false;
> > +
> > +#ifdef ENABLE_SYSTEMD
> > +  /* return without forking if we are running from systemd */
> > +  if (sd_notify(0, "READY=0") > 0)
> > +return ret;
> > +#endif
> > +
> >if (options->daemon)
> >  {
> >ASSERT (!options->inetd);
> >   
> 
> NAK on this approach.  We cannot dictate that users _must_ start OpenVPN
> as a daemon via systemd if it has been built with systemd support.
> 
> I understand the sentiment for this change, but we need to ensure users
> may use their own scripts and hand-crafted configs to start OpenVPN,
> also if systemd is present.

We do not dictate anything. Starting openvpn from scripts or command line
this is a no-op. From man sd_notify(3):

> On failure, these calls return a negative errno-style error code. If
> $NOTIFY_SOCKET was not set and hence no status data could be sent, 0 is
> returned. If the status was sent, these functions return with a positive
> return value. In order to support both, init systems that implement this
> scheme and those which do not, it is generally recommended to ignore the
> return value of this call.

That is what we check for here: If (and only if) openvpn is started from
systemd (read: from a systemd unit/service) it denies to fork. The openvpn
service starts properly even with "daemon" in config file.

This is unrelated to systemd being installed or the system being booted with
systemd.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpDqkj19Nwpm.pgp
Description: OpenPGP digital signature
--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 1/1] Refuse to daemonize when running from systemd

[Christian Hesse]

Steffan Karger <steffan.kar...@fox-it.com> on Wed, 2016/11/30 10:06:
> Hi,
> 
> On 30-11-16 09:59, Christian Hesse wrote:
> > --- a/src/openvpn/init.c
> > +++ b/src/openvpn/init.c
> > @@ -926,6 +926,13 @@ bool
> >  possibly_become_daemon (const struct options *options)
> >  {
> >bool ret = false;
> > +
> > +#ifdef ENABLE_SYSTEMD
> > +  /* return without forking if we are running from systemd */
> > +  if (sd_notify(0, "READY=0") > 0)
> > +return ret;
> > +#endif
> > +
> >if (options->daemon)
> >  {
> >ASSERT (!options->inetd);  
> 
> Does this mean I cannot run openvpn --config bla.conf --daemon from the
> command line any more on a systemd system?  This would be a deal-breaker
> for me.

No. That means openvpn knows when it is run from within a system service.
Daemonization is refused there as we we start with "Type=notify".

sd_notify() is a no-op when run from command line. So everything works as
usual.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpl1zby1fbQ9.pgp
Description: OpenPGP digital signature
--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 1/1] Refuse to daemonize when running from systemd

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

We start with systemd Type=notify, so refuse to daemonize.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 distro/systemd/openvpn-client@.service | 1 -
 distro/systemd/openvpn-server@.service | 1 -
 src/openvpn/init.c | 7 +++
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/distro/systemd/openvpn-client@.service 
b/distro/systemd/openvpn-client@.service
index f64a239..5618af3 100644
--- a/distro/systemd/openvpn-client@.service
+++ b/distro/systemd/openvpn-client@.service
@@ -12,7 +12,6 @@ PrivateTmp=true
 RuntimeDirectory=openvpn-client
 RuntimeDirectoryMode=0710
 WorkingDirectory=/etc/openvpn/client
-ExecStartPre=/bin/sh -c 'grep -q -E ^daemon %i.conf || exit 0 && /usr/bin/echo 
"OpenVPN configuration cannot contain --daemon when being managed by systemd" ; 
exit 1'
 ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID 
CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
 LimitNPROC=10
diff --git a/distro/systemd/openvpn-server@.service 
b/distro/systemd/openvpn-server@.service
index 890e6a9..b9b4dba 100644
--- a/distro/systemd/openvpn-server@.service
+++ b/distro/systemd/openvpn-server@.service
@@ -12,7 +12,6 @@ PrivateTmp=true
 RuntimeDirectory=openvpn-server
 RuntimeDirectoryMode=0710
 WorkingDirectory=/etc/openvpn/server
-ExecStartPre=/bin/sh -c 'grep -q -E ^daemon %i.conf || exit 0 && /usr/bin/echo 
"OpenVPN configuration cannot contain --daemon when being managed by systemd" ; 
exit 1'
 ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log 
--status-version 2 --suppress-timestamps --config %i.conf
 CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
 LimitNPROC=10
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 551e579..7ab5c52 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -926,6 +926,13 @@ bool
 possibly_become_daemon (const struct options *options)
 {
   bool ret = false;
+
+#ifdef ENABLE_SYSTEMD
+  /* return without forking if we are running from systemd */
+  if (sd_notify(0, "READY=0") > 0)
+return ret;
+#endif
+
   if (options->daemon)
 {
   ASSERT (!options->inetd);
-- 
2.10.2


--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 1/1] Use systemd service manager notification

[Christian Hesse]

CCing Elias Probst as he is listed as contributor for last commit changing
systemd units (8b42c197626430118ed126c1b8256ba5ae1f699a, "systemd: Improve
the systemd unit files").
Anybody else involved with systemd units?

David Sommerseth <open...@sf.lists.topphemmelig.net> on Wed, 2016/11/30 02:45:
> On 29/11/16 16:27, Christian Hesse wrote:
> > From: Christian Hesse <m...@eworm.de>
> > 
> > Notify systemd service manager when our initialization sequence
> > completed. This helps ordering services as dependencies can rely on vpn
> > being available.  
> 
> Funny detail is that I have a somewhat similar patch in a local git
> tree, awaiting proper testing ... I postponed it as this is not
> something we will pull into v2.4.  We're going to release 2.4_rc1 this
> week, and that is too late for more intrusive changes (even though the
> changeset itself is small, the code changes makes OpenVPN behave
> somewhat different when managed by systemd).

We should rethink this... I am pretty sure I will not ship the code as-is
with Arch Linux. More below.

Tested by me, works pretty well. ;)

> Just a question, as it is good to see more people looking into these
> code paths ... I was considering to extend my approach to update STATUS=
> a bit more frequently.  On the client side, I thought it would be good
> if the status line had "Resolving %s", "Connecting to %s", "Successful
> connection to %s" or "Failed to connect to %s".  On the server side I
> was pondering on a "Successfully started, %i clients connected".  What
> do you think about that?  Does the sd_notify() API support more frequent
> updates?

Interesting idea... I will have a look.

> Also when using Type=notify ... does systemd expect the OpenVPN process
> to fork into the background or run in the foreground as now?

Ok, lets go into detail. We can use three different settings: Type=simple,
Type=forking and Type=notify.

* We used Type=forking for a long time. That is fine: systemd reports success
  when the process forks off first time. That is when openvpn successfully
  completed initialization sequence.

* The current systemd unit use Type=simple (which is implicit). systemd
  reports success as soon as the process is executed, it does not wait for
  anything. So startup can look like that: systemd starts openvpn process ->
  unit is in state 'started' -> openvpn bails out with an error
  before the initialization sequence completed -> systemd unit is in state
  'failed' now. The problem is that it was in state 'started' intermittently:
  Manual systemctl (starting service from command line) reports success, other
  services depending on openvpn are started while dependency failed
  later, ... This is just broken.

* My patch introduces Type=notify. The (main) process must not fork, so most
  things work like simple, except that systemd does not report success on
  process execution, but waits for the sd_notify() call. We do not have
  intermittent state 'success' and everything works as expected.

I will not package the code as-is with our Arch Linux package. Either I
revert back to Type=forking or apply the patch for Type=notify.

So I still vote to apply this as soon as possible.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpQjtPmYcfbX.pgp
Description: OpenPGP digital signature
--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] reload CRL only if file was modified

[Christian Hesse]

Christian Hesse <l...@eworm.de> on Tue, 2016/11/29 20:16:
> Oops, missed that in my logs (and did not find the code)... You are right,
> cache is cleared.
> 
> Either of both is just fine and it works as-is. So ignore my patch.

Oops again... Looks like I answered a wrong mail. Please ignore... (The
mail, not any patch. ;)
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpBSCfFHb2Lq.pgp
Description: OpenPGP digital signature
--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] reload CRL only if file was modified

[Christian Hesse]

Steffan Karger  on Tue, 2016/11/29 17:43:
> Hi,
> 
> Thanks for following up.  I did some stare-at-code and trivial tests.
> Will test more thoroughly tonight (hopefully on Windows too), but have a
> lot of faith that those will succeed.  I have some comments from staring
> at the code though, see below.

Oops, missed that in my logs (and did not find the code)... You are right,
cache is cleared.

Either of both is just fine and it works as-is. So ignore my patch.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgp7MmI2_Fygp.pgp
Description: OpenPGP digital signature
--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 1/1] Use systemd service manager notification

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

Notify systemd service manager when our initialization sequence
completed. This helps ordering services as dependencies can rely on vpn
being available.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 distro/systemd/openvpn-client@.service | 1 +
 distro/systemd/openvpn-server@.service | 1 +
 src/openvpn/init.c | 6 ++
 src/openvpn/init.h | 4 
 4 files changed, 12 insertions(+)

diff --git a/distro/systemd/openvpn-client@.service 
b/distro/systemd/openvpn-client@.service
index 18b84dd..f64a239 100644
--- a/distro/systemd/openvpn-client@.service
+++ b/distro/systemd/openvpn-client@.service
@@ -7,6 +7,7 @@ 
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
 Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
 
 [Service]
+Type=notify
 PrivateTmp=true
 RuntimeDirectory=openvpn-client
 RuntimeDirectoryMode=0710
diff --git a/distro/systemd/openvpn-server@.service 
b/distro/systemd/openvpn-server@.service
index a2b7b52..890e6a9 100644
--- a/distro/systemd/openvpn-server@.service
+++ b/distro/systemd/openvpn-server@.service
@@ -7,6 +7,7 @@ 
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
 Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
 
 [Service]
+Type=notify
 PrivateTmp=true
 RuntimeDirectory=openvpn-server
 RuntimeDirectoryMode=0710
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 2ccbab2..551e579 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1251,10 +1251,16 @@ initialization_sequence_completed (struct context *c, 
const unsigned int flags)
   show_adapters (M_INFO|M_NOPREFIX);
   msg (M_INFO, "%s With Errors ( see 
http://openvpn.net/faq.html#dhcpclientserv )", message);
 #else
+#ifdef ENABLE_SYSTEMD
+  sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", 
message);
+#endif /* HAVE_SYSTEMD_SD_DAEMON_H */
   msg (M_INFO, "%s With Errors", message);
 #endif
 }
   else
+#ifdef ENABLE_SYSTEMD
+sd_notifyf(0, "READY=1\nSTATUS=%s\nMAINPID=%lu", message, (unsigned long) 
getpid());
+#endif
 msg (M_INFO, "%s", message);
 
   /* Flag that we initialized */
diff --git a/src/openvpn/init.h b/src/openvpn/init.h
index 524bc64..0518b06 100644
--- a/src/openvpn/init.h
+++ b/src/openvpn/init.h
@@ -27,6 +27,10 @@
 
 #include "openvpn.h"
 
+#ifdef ENABLE_SYSTEMD
+#include 
+#endif
+
 /*
  * Baseline maximum number of events
  * to wait for.
-- 
2.10.2


--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 1/1] Clean up plugin path handling

[Christian Hesse]

Christian Hesse <l...@eworm.de> on Tue, 2016/11/29 12:07:
> From: Christian Hesse <m...@eworm.de>
> 
> Drop --with-plugindir, instead use an environment variable PLUGINDIR
> to specify the plugin directory.
> 
> This always defines PLUGIN_LIBDIR and enables plugin search path.
> 
> Signed-off-by: Christian Hesse <m...@eworm.de>
> ---
>  configure.ac| 14 ++
>  src/openvpn/Makefile.am |  3 ++-
>  2 files changed, 8 insertions(+), 9 deletions(-)
> 
> diff --git a/configure.ac b/configure.ac
> index f4073d0..5fe652e 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -301,13 +301,12 @@ AC_ARG_WITH(
>   [with_crypto_library="openssl"]
>  )
>  
> -AC_ARG_WITH(
> - [plugindir],
> - [AS_HELP_STRING([--with-plugindir], [plugin directory
> @<:@default=LIBDIR/openvpn@:>@])],
> - ,
> - [with_plugindir="\$(libdir)/openvpn/plugins"]
> -)
> -
> +AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory
> @<:@default=LIBDIR/openvpn/plugins@:>@]) +if test -n "${PLUGINDIR}"; then
> + plugindir="${PLUGINDIR}"
> +else
> + plugindir="\${libdir}/openvpn/plugins"
> +fi
>  
>  AC_DEFINE_UNQUOTED([TARGET_ALIAS], ["${host}"], [A string representing our
> host]) case "$host" in
> @@ -1245,7 +1244,6 @@ AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test
> "${enable_plugin_auth_pam}" = "ye AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT],
> [test "${enable_plugin_down_root}" = "yes"])
> AM_CONDITIONAL([ENABLE_CRYPTO], [test "${enable_crypto}" = "yes"]) 
> -plugindir="${with_plugindir}"
>  sampledir="\$(docdir)/sample"
>  AC_SUBST([plugindir])
>  AC_SUBST([sampledir])
> diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
> index 4c18449..188834a 100644
> --- a/src/openvpn/Makefile.am
> +++ b/src/openvpn/Makefile.am
> @@ -27,7 +27,8 @@ AM_CFLAGS = \
>   $(OPTIONAL_CRYPTO_CFLAGS) \
>   $(OPTIONAL_LZO_CFLAGS) \
>   $(OPTIONAL_LZ4_CFLAGS) \
> - $(OPTIONAL_PKCS11_HELPER_CFLAGS)
> + $(OPTIONAL_PKCS11_HELPER_CFLAGS) \
> + -DPLUGIN_LIBDIR=\"${plugindir}\"
>  if WIN32
>  # we want unicode entry point but not the macro
>  AM_CFLAGS += -municode -UUNICODE

The alternative would look something like this:

--- a/configure.ac
+++ b/configure.ac
@@ -301,13 +301,13 @@ AC_ARG_WITH(
[with_crypto_library="openssl"]
 )
 
-AC_ARG_WITH(
-   [plugindir],
-   [AS_HELP_STRING([--with-plugindir], [plugin directory 
@<:@default=LIBDIR/openvpn@:>@])],
-   ,
-   [with_plugindir="\$(libdir)/openvpn/plugins"]
-)
-
+AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory 
@<:@default=LIBDIR/openvpn/plugins@:>@])
+if test -n "${PLUGINDIR}"; then
+   plugindir="${PLUGINDIR}"
+   AC_DEFINE_UNQUOTED([PLUGIN_LIBDIR], ["${PLUGINDIR}"], [Path of plug-in 
search directory])
+else
+   plugindir="\${libdir}/openvpn/plugins"
+fi
 
 AC_DEFINE_UNQUOTED([TARGET_ALIAS], ["${host}"], [A string representing our 
host])
 case "$host" in
@@ -1245,7 +1245,6 @@ AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test 
"${enable_plugin_auth_pam}" = "ye
 AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = 
"yes"])
 AM_CONDITIONAL([ENABLE_CRYPTO], [test "${enable_crypto}" = "yes"])
 
-plugindir="${with_plugindir}"
 sampledir="\$(docdir)/sample"
 AC_SUBST([plugindir])
 AC_SUBST([sampledir])

However you *have* to give PLUGINDIR this way to enable the search path. I
would like to avoid that. And I did not find a way to move
AC_DEFINE_UNQUOTED() below the condition due to the nested variables in
$libdir.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgp65zxVT78KU.pgp
Description: OpenPGP digital signature
--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 1/1] Clean up plugin path handling

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

Drop --with-plugindir, instead use an environment variable PLUGINDIR
to specify the plugin directory.

This always defines PLUGIN_LIBDIR and enables plugin search path.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 configure.ac| 14 ++
 src/openvpn/Makefile.am |  3 ++-
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/configure.ac b/configure.ac
index f4073d0..5fe652e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -301,13 +301,12 @@ AC_ARG_WITH(
[with_crypto_library="openssl"]
 )
 
-AC_ARG_WITH(
-   [plugindir],
-   [AS_HELP_STRING([--with-plugindir], [plugin directory 
@<:@default=LIBDIR/openvpn@:>@])],
-   ,
-   [with_plugindir="\$(libdir)/openvpn/plugins"]
-)
-
+AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory 
@<:@default=LIBDIR/openvpn/plugins@:>@])
+if test -n "${PLUGINDIR}"; then
+   plugindir="${PLUGINDIR}"
+else
+   plugindir="\${libdir}/openvpn/plugins"
+fi
 
 AC_DEFINE_UNQUOTED([TARGET_ALIAS], ["${host}"], [A string representing our 
host])
 case "$host" in
@@ -1245,7 +1244,6 @@ AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test 
"${enable_plugin_auth_pam}" = "ye
 AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = 
"yes"])
 AM_CONDITIONAL([ENABLE_CRYPTO], [test "${enable_crypto}" = "yes"])
 
-plugindir="${with_plugindir}"
 sampledir="\$(docdir)/sample"
 AC_SUBST([plugindir])
 AC_SUBST([sampledir])
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index 4c18449..188834a 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -27,7 +27,8 @@ AM_CFLAGS = \
$(OPTIONAL_CRYPTO_CFLAGS) \
$(OPTIONAL_LZO_CFLAGS) \
$(OPTIONAL_LZ4_CFLAGS) \
-   $(OPTIONAL_PKCS11_HELPER_CFLAGS)
+   $(OPTIONAL_PKCS11_HELPER_CFLAGS) \
+   -DPLUGIN_LIBDIR=\"${plugindir}\"
 if WIN32
 # we want unicode entry point but not the macro
 AM_CFLAGS += -municode -UUNICODE
-- 
2.10.2


--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH 2/2] allow to enable plugin lookup with configure argument

[Christian Hesse]

David Sommerseth <open...@sf.lists.topphemmelig.net> on Tue, 2016/11/29 00:47:
> On 28/11/16 17:16, Christian Hesse wrote:
> > From: Christian Hesse <m...@eworm.de>
> > 
> > For plugin lookup (give relative path to plugin directory in
> > configuration) we had to configure with something like this:
> > 
> > CFLAGS="$CFLAGS
> > -DPLUGIN_LIBDIR=\\\"/usr/lib/openvpn/plugins\\\"" ./configure
> > 
> > This allows to pass --enable-plugin-lookup to configure to achieve the
> > same. As a bonus we can be sure that install path and lookup path in
> > openvpn binary are the same.  
> 
> 
> Thank you for your patch.  Unfortunately I'm not convinced this is the
> proper way to do it.
> 
> First of all, to achieve what I believe is your goal, you need to flip
> things around:
> 
>   ./configure CFLAGS="$CFLAGS
> -DPLUGIN_LIBDIR=\\\"/usr/lib/openvpn/plugins\\\""
> 
> This will ensure that whenever 'make' decides to re-run ./configure
> automatically it will keep all variables provided to the command line.

Ah, right...
I used this to build a binary package, so configure is run only once and it
works for this case. :D

> Secondly, I believe the proper way to configure PLUGIN_LIBDIR without
> going via CFLAGS is to use a similar approach to what is used by
> IFCONFIG, ROUTE, IPROUTE and NETSTAT.  They are configured via AC_ARG_VAR.
> 
> I'd recommend just adding these two lines to configure.ac instead:
> 
> AC_ARG_VAR([PLUGINDIR], [Path of default plug-in search directory])
> AC_DEFINE_UNQUOTED([PLUGIN_LIBDIR], ["$PLUGINDIR"])
> 
> (these lines are not tested, but that should give some pointer towards a
> better direction.
> 
> With these lines in place, it is expected that you can do:
> 
>   ./configure PLUGINDIR=/usr/lib/openvpn/plugins
> 
> Which should result in defining PLUGIN_LIBDIR in config.h.

I decided to go another way... Wanted to make the plugin search work out of
the box. Or do we want to keep that optional?

(AC_DEFINE_UNQUOTED() fails if PLUGINDIR is not defined and you try
${libdir}/openvpn/plugins instead. That evaluates to
"${exec_prefix}/lib/openvpn/plugins" and breaks the path in config.h.)
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}


pgpDcQgOS59i6.pgp
Description: OpenPGP digital signature
--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 1/1] update year in copyright message

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

This line has not been touched in a long time... Let's update the
copyright message with recent year.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 src/openvpn/options.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 7c2b989..63dcc24 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -3685,7 +3685,7 @@ usage_version (void)
   show_windows_version( M_INFO|M_NOPREFIX );
 #endif
   msg (M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
-  msg (M_INFO|M_NOPREFIX, "Copyright (C) 2002-2010 OpenVPN Technologies, Inc. 
<sa...@openvpn.net>");
+  msg (M_INFO|M_NOPREFIX, "Copyright (C) 2002-2016 OpenVPN Technologies, Inc. 
<sa...@openvpn.net>");
 #ifndef ENABLE_SMALL
 #ifdef CONFIGURE_DEFINES
   msg (M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
-- 
2.10.2


--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 1/2] show correct default for plugin dir in configure help

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index f4073d0..d0fe889 100644
--- a/configure.ac
+++ b/configure.ac
@@ -303,7 +303,7 @@ AC_ARG_WITH(
 
 AC_ARG_WITH(
[plugindir],
-   [AS_HELP_STRING([--with-plugindir], [plugin directory 
@<:@default=LIBDIR/openvpn@:>@])],
+   [AS_HELP_STRING([--with-plugindir], [plugin directory 
@<:@default=LIBDIR/openvpn/plugins@:>@])],
,
[with_plugindir="\$(libdir)/openvpn/plugins"]
 )
-- 
2.10.2


--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 2/2] allow to enable plugin lookup with configure argument

[Christian Hesse]

From: Christian Hesse <m...@eworm.de>

For plugin lookup (give relative path to plugin directory in
configuration) we had to configure with something like this:

CFLAGS="$CFLAGS -DPLUGIN_LIBDIR=\\\"/usr/lib/openvpn/plugins\\\"" ./configure

This allows to pass --enable-plugin-lookup to configure to achieve the
same. As a bonus we can be sure that install path and lookup path in
openvpn binary are the same.

Signed-off-by: Christian Hesse <m...@eworm.de>
---
 configure.ac| 8 
 src/openvpn/Makefile.am | 4 
 2 files changed, 12 insertions(+)

diff --git a/configure.ac b/configure.ac
index d0fe889..193b5f0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -308,6 +308,14 @@ AC_ARG_WITH(
[with_plugindir="\$(libdir)/openvpn/plugins"]
 )
 
+AC_ARG_ENABLE(
+   [plugin-lookup],
+   [AS_HELP_STRING([--enable-plugin-lookup], [enable plugin lookup in 
plugin directory @<:@default=no@:>@])],
+   [enable_plugin_lookup="$enableval"],
+   [enable_plugin_lookup="no"]
+)
+AM_CONDITIONAL([ENABLE_PLUGIN_LOOKUP], [test x$enable_plugin_lookup = xyes])
+
 
 AC_DEFINE_UNQUOTED([TARGET_ALIAS], ["${host}"], [A string representing our 
host])
 case "$host" in
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index 4c18449..46afc9a 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -33,6 +33,10 @@ if WIN32
 AM_CFLAGS += -municode -UUNICODE
 endif
 
+if ENABLE_PLUGIN_LOOKUP
+AM_CFLAGS += -DPLUGIN_LIBDIR=\"$(plugindir)\"
+endif
+
 sbin_PROGRAMS = openvpn
 
 openvpn_SOURCES = \
-- 
2.10.2


--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] fix build with automake 1.13(.1)

[Christian Hesse]

Hello everybody,

AM_CONFIG_HEADER has been deprecated for some time, finally it is removed on
automake 1.13. The attached patch replaces it with AC_CONFIG_HEADERS and
fixes build process with latest automake. Please apply.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Chris   get my mail address:*/=0;b=c[a++];)
putchar(b-1/(/*   gcc -o sig sig.c && ./sig*/b/42*2-3)*42);}
diff --git a/configure.ac b/configure.ac
index 2f780b7..ddd322c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -32,7 +32,7 @@ m4_include(compat.m4)
 AC_DEFINE([OPENVPN_VERSION_RESOURCE], [PRODUCT_VERSION_RESOURCE], [Version in windows resource format])

 AC_CONFIG_AUX_DIR([.])
-AM_CONFIG_HEADER([config.h])
+AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_SRCDIR([src/openvpn/syshead.h])
 AC_CONFIG_MACRO_DIR([m4])
 AM_INIT_AUTOMAKE