Re: [Openvpn-devel] [Openvpn-users] --auth-user-pass-verify and --script-security

2008-11-13 Thread James Yonan
this is a major gripe for me as well: the behaviour on how to start 
external programs changed quite drastically somewhere between rc7 and 
rc13 (I believe rc10 was the first version), especially on the Windows 
platform. Yet this is (as of today) poorly documented and nobody has 
written any info on how to convert old style scripts (e.g. 
"Auth4OpenVPN.vbs") to a new style ("cscript.exe " ) etc.
So, in short, your guess is as good as mine ... Personally I'd go for 
the second one.


For those who still remember what this thread was about - I managed to 
get v2.1rc13 working with
auth-user-pass-verify "c:/windows/system32/cscript.exe //H:cscript c:/Progra~1/OpenVPN/config/Auth4OpenVPN.vbs" via-env

fantastic!



I totally agree with you that we should not be breaking the semantics
for calling external programs, and it wasn't our intention to do so.
Our original hope was that the security benefits of migrating from
system() to execve() on unix and CreateProcess() on Windows could be
done transparently.  But seeing that that's not the case, I would
suggest that we offer the previous system() semantics as a deprecated
option, using the syntax

  script-security <level> <mode>

where mode is "execve" by default, (which means to use execve() on unix
family platforms or CreateProcess on Windows) or "system" which means to
use system().

This means that any OpenVPN config prior to 2.1_rc9 could continue to
use system() by adding:

  script-security 2 system

OpenVPN would issue a warning about system() usage being deprecated, but
would continue to use pre-2.1_rc9 external program calling semantics.

Comments?

James
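
An added example, not part of the original message and not OpenVPN's code: a minimal POSIX C comparison of the two calling semantics discussed above, showing why a string handed to system() is parsed by the shell while the same string in an execve() argv is passed through literally. The helper names, the sample string and the location of the `true` utility are assumptions made for the illustration.

```c
/* Added example: constructed input, hypothetical helper names. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

extern char **environ;

/* Constructed value standing in for a client-supplied string. */
static const char *SAMPLE_ARG = "alice; exit 7";

/* Assumption: the no-op "true" utility lives at one of these paths. */
static const char *find_true(void)
{
    if (access("/bin/true", X_OK) == 0) return "/bin/true";
    return "/usr/bin/true";
}

/* Old semantics: the whole line goes to /bin/sh -c, which parses ';'. */
int run_with_system(const char *arg)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "%s %s", find_true(), arg);
    int st = system(cmd);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* New semantics: argv[] goes straight to the program, no shell in between. */
int run_with_execve(const char *arg)
{
    const char *path = find_true();
    char *const argv[] = { (char *)path, (char *)arg, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(path, argv, environ);
        _exit(127);               /* only reached if execve() failed */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void)
{
    printf("system(): exit %d\n", run_with_system(SAMPLE_ARG));
    printf("execve(): exit %d\n", run_with_execve(SAMPLE_ARG));
    return 0;
}
```

The same absence of a shell is why a script that used to be launched by name now needs its interpreter spelled out in the directive, as in the cscript.exe line quoted above.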





Re: [Openvpn-devel] [WINDOWS] Request for test win64

2008-11-13 Thread Alon Bar-Lev
A new one [1].
This time with amd64 assembly.
Maybe it would be even faster!

[1] http://alon.barlev.googlepages.com/openvpn-win64.tar.bz2

On 11/8/08, Alon Bar-Lev wrote:
> On 11/8/08, Jason R. Coombs wrote:
> >
> > It appears as if the 64-bit build does have a 5-10% performance increase
> > over the 32-bit build in this environment.
> >
> > I hope these results are helpful.  Unfortunately, I don't have a testbed
> > where I can configure two isolated, clean systems, which would probably
> > result in more deterministic results.  Let me know if I can arrange the
> > tests differently to highlight a particular aspect of the performance.
> >
> > Regards,
> >
> > Jason
>
> Great work!
> Maybe someone else can also perform these tests so users will know if
> they wish to use 64bit build?
>
> Alon.



[Openvpn-devel] IPv6 Support

2008-11-13 Thread Marcel Pennewiß
Hi,

a long time ago Juanjo Ciarlante wrote a patch for openvpn to create a tunnel 
via ipv6 [1]. Later I fixed the patch to work with openvpn-2.0 and 2.1 which 
I use on OpenWRT and Gentoo. Roy (from Gentoo) also wrote about this to the 
devel-list [1]. But since then no one has answered :( 

What about IPv6 support to create a tunnel over IPv6? Since my first patch I 
have tried to adapt the patch to newer versions. These patches are not properly 
tested but work fine for me (on Gentoo).[2][3]

I'm not able to adapt the patch in detail because I don't have enough knowledge 
about the source and lack programming skills. JuanJo wants some integration into 
the official openvpn source code, but no one has done this until now. 

[1] http://sourceforge.net/mailarchive/message.php?msg_id=20070629101345.0f8beeba%40uberlaptop.marples.name
[2] http://source.pennewiss.de/openvpn/udp6/
[3] http://bugs.gentoo.org/show_bug.cgi?id=183457

Are there plans to integrate it in the future?

Regards,
Marcel