Re: [Openvpn-devel] Patch for compile-time problems on NetBSD and OpenBSD (trac #17)

2010-08-17 Thread David Sommerseth

On 10/07/10 11:48, Gert Doering wrote:
> Hi,
> 
> On Fri, Jul 09, 2010 at 10:31:02AM +0200, Gert Doering wrote:
>> the following patch fixes the IFF_MULTICAST compile-time problems on NetBSD,
>> and it should also fix them on OpenBSD (trac entry #17).
> 
> This would have been too easy...  on NetBSD,  can be 
> included before  (which the original patch does), on OpenBSD,
> this fails.
> 
> So I have swapped around these two includes in the  test program
> compiled by configure, and it now configures and compiles both on NetBSD
> and on OpenBSD just fine.  (Last time I had no OpenBSD to test - in the
> mean time, I've set up an OpenBSD 4.7 VM and tested it myself, so I'm *sure*
> it works :-) ).
> 
> Due to the fact that I've committed this in two goes, it's "two patches"
> now...  I've appended both.  Please apply to a clean configure.ac file,
> and to be sure, run "autoreconf" to rebuild "configure" (to Matthias: 
> well, the magic might do this automatically, but before I get another 
> bug report "your patch did not help" which could then be due to 
> "autoreconf not run", I'll just make *sure* it was rebuilt).
> 
> "David needs an independent ACK on this, so please test on NetBSD and
> OpenBSD and give feedback".
> 
> gert
> 

ACK received in Trac:


commit 422e5e751e73de8a17760acf2f15f61ea4f0394e
Author: Gert Doering 
Date:   Sat Jul 10 11:24:41 2010 +0200

Fix  compile time problems on OpenBSD for good

Previous fix (commit eb973e055bc249948) fixed NetBSD but not OpenBSD
(include  *after* )

Signed-off-by: Gert Doering 
Acked-by: krzee 
Signed-off-by: David Sommerseth 


Applied to bugfix2.1, merged into allmerged and beta2.2.


kind regards,

David Sommerseth



Re: [Openvpn-devel] Patch for compile-time problems on NetBSD and OpenBSD (trac #17)

2010-08-17 Thread David Sommerseth

On 09/07/10 10:31, Gert Doering wrote:
> Hi,
> 
> the following patch fixes the IFF_MULTICAST compile-time problems on NetBSD,
> and it should also fix them on OpenBSD (trac entry #17).
> 
> ** important: after applying the patch to configure.ac, you MUST run
> ** "autoreconf" - otherwise the patch won't do anything
> 
> If it still doesn't work for OpenBSD, I need to see the parts from your
> config.log relating to 
> 
> gert
> 

ACK received in Trac:


commit eb973e055bc249948351cacf1aa045d878ed041d
Author: Gert Doering 
Date:   Fri Jul 9 10:24:46 2010 +0200

Fix compile problems on NetBSD and OpenBSD

Configure will not find  due to missing  in
the test program, and thus, tun.c will fail to compile with missing
symbol IFF_MULTICAST.

Signed-off-by: Gert Doering 
Acked-by: krzee 
Signed-off-by: David Sommerseth 

Applied to bugfix2.1, merged into allmerged and beta2.2.


kind regards,

David Sommerseth



Re: [Openvpn-devel] Compiler warnings when using openssl-1.0.0 - beta4

2010-08-17 Thread David Sommerseth

On 16/07/10 20:36, chantra wrote:
> 
>>
>> If nobody responds, I'll try to find some time looking into this in the
>> near future.
>>
> 
> I did in https://community.openvpn.net/openvpn/ticket/5#comment:3
> 
> chantra

ACK

I've smoke tested this on two 32bit boxes using openssl-0.9.8* - both as
OpenVPN server and client, to make sure this patch is backwards
compatible.  Likewise, generic quick tests have been done on a 64bit box
using openssl-1.0.0.  Testing seems to work very fine.

commit db3fb3d489df234c78ddcb9fce66de4d8fbb28e6
Author: chantra 
Date:   Fri Jul 16 20:09:07 2010 +0200
Fixes openssl-1.0.0 compilation warning

When compiling against OpenSSL v1.0.0, the following compiler
warnings appear.

[...snip...compiler warning...]

Trac ticket #5
https://community.openvpn.net/openvpn/ticket/5

Signed-off-by: chantra 
Acked-by: David Sommerseth 
Signed-off-by: David Sommerseth 

Applied to bugfix2.1, merged into allmerged and beta2.2.



Re: [Openvpn-devel] RFD: VPN client test framework

2010-08-17 Thread David Sommerseth

On 08/08/10 21:48, Gert Doering wrote:
> Hi,
> 
> as discussed in one of the previous IRC meetings, I've been working
> on a test framework to enable full "fire up openvpn client, establish
> VPN connection, run ping tests, clean up, verify cleanup" automated 
> tests.
> 
> The framework is appended below (as patch, should apply cleanly against
> all branches in git) and has been checked & pushed into my feat_ipv6_payload
> branch (dazo, feel free to pull & merge wherever you find this useful).
> 

ACK

commit 97750e7d4571a0c28695aac1530a91fe98d25d06
Author: Gert Doering 
Date:   Sun Aug 8 21:24:30 2010 +0200

[...snipped verbose explanation ...]

Signed-off-by: Gert Doering 
Acked-by: David Sommerseth 
Signed-off-by: David Sommerseth 

Applied to bugfix2.1, merged into allmerged and beta2.2.


kind regards,

David Sommerseth



Re: [Openvpn-devel] RFD: VPN client test framework

2010-08-17 Thread David Sommerseth

On 10/08/10 12:57, Gert Doering wrote:
> Hi,
> 
> On Sun, Aug 08, 2010 at 09:48:47PM +0200, Gert Doering wrote:
>> as discussed in one of the previous IRC meetings, I've been working
>> on a test framework to enable full "fire up openvpn client, establish
>> VPN connection, run ping tests, clean up, verify cleanup" automated 
>> tests.
> 
> I got some feedback from Waldner on IRC, and had to make it work on
> Solaris (broken /bin/sh) - so this is now built using "configure",
> knows how to find "ip", "ifconfig" and "netstat" (configure does the
> work :-) ), *and* has been tested on Solaris (works!).
> 
> The patch goes on top of the previous one.  Pushed to my git repo.
> 
> gert

ACK

commit 0df01a3eb7ef21de7a18a32457ddb39084baead7
Author: Gert Doering 
Date:   Tue Aug 10 12:39:28 2010 +0200

Build t_client.sh by configure at run-time.

This is now built using "configure", knows how to find "ip",
"ifconfig" and "netstat" (configure does the work :-) ), *and* has
been tested on Solaris (works!).

extend configure.ac to find "netstat" binary and to chmod +x
"t_client.sh"

Signed-off-by: Gert Doering 
Acked-by: David Sommerseth 
Signed-off-by: David Sommerseth 


Applied to bugfix2.1, merged into allmerged and beta2.2.


kind regards,

David Sommerseth



Re: [Openvpn-devel] OpenVPN version 2.1.2 released / tapinstall.exe fails

2010-08-17 Thread David Sommerseth

On 17/08/10 17:12, Pasi Kärkkäinen wrote:
> On Tue, Aug 17, 2010 at 05:51:15PM +0300, Pasi Kärkkäinen wrote:
>> On Mon, Aug 16, 2010 at 04:34:54PM +0300, Pasi Kärkkäinen wrote:
>>> On Mon, Aug 16, 2010 at 04:29:17PM +0300, Pasi Kärkkäinen wrote:

>>>> Hello,
>>>>
>>>> When running the openvpn 2.1.2 installer on Windows 7 (x64) I noticed this
>>>> error:
>>>> http://pasik.reaktio.net/openvpn212-setup-error-opening-file-for-writing.jpg
>>>>
>>>> ie. the installer cannot overwrite the existing files from openvpn 2.1.1
>>>> installation.
>>>> I get that error for the following files:
>>>>
>>>> C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe
>>>> C:\Program Files (x86)\OpenVPN\bin\libeay32.dll
>>>>
>>>> And after finishing the installation windows "Program Compatibility
>>>> Assistant" pops up,
>>>> and asks if the program installed correctly, or if I wanted to "Reinstall
>>>> using recommended settings".
>>>>
>>>> http://pasik.reaktio.net/openvpn212-setup-might-not-have-installed-correctly.jpg
>>>>
>>>> I chose it installed OK and then rebooted the machine.
>>>>
>>>> After reboot I noticed the TAP network device is missing from Windows,
>>>> and thus openvpn connections cannot be started..
>>>>
>>>> Running the "Add a new TAP virtual ethernet adapter" doesn't seem to work
>>>> either..

>>>
>>> And here's a screenshot of the failing tapinstall.exe:
>>> http://pasik.reaktio.net/openvpn212-tapinstall-failed.jpg
>>>
>>
>> Any tips how to troubleshoot this? 
>>
> 
> I just verified: openvpn 2.1.1 installs and works without problems on this 
> win7 (x64) laptop.
> 
> no matter what I try openvpn 2.1.2 doesn't create the tap device..
> 
> I tried running the addtap.bat in various compatibility modes
> but it just doesn't add the tap interface to windows..
> 
> executing addtap.bat with "run as administrator" makes it say it installs ok,
> but in reality the tap interface is NOT added to windows.

It sounds like there are some issues with the v2.1.2 release.  Most
probably it is related to the TAP driver not being signed correctly.
Somehow I got a feeling James is investigating this now.

I'm sure James will update us on this issue when it has been solved.


Kind regards,

David Sommerseth



Re: [Openvpn-devel] OpenVPN version 2.1.2 released / tapinstall.exe fails

2010-08-17 Thread Pasi Kärkkäinen
On Tue, Aug 17, 2010 at 05:51:15PM +0300, Pasi Kärkkäinen wrote:
> On Mon, Aug 16, 2010 at 04:34:54PM +0300, Pasi Kärkkäinen wrote:
> > On Mon, Aug 16, 2010 at 04:29:17PM +0300, Pasi Kärkkäinen wrote:
> > > 
> > > Hello,
> > > 
> > > When running the openvpn 2.1.2 installer on Windows 7 (x64) I noticed 
> > > this error:
> > > http://pasik.reaktio.net/openvpn212-setup-error-opening-file-for-writing.jpg
> > > 
> > > ie. the installer cannot overwrite the existing files from openvpn 2.1.1 
> > > installation.
> > > I get that error for the following files:
> > > 
> > > C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe
> > > C:\Program Files (x86)\OpenVPN\bin\libeay32.dll
> > > 
> > > > And after finishing the installation windows "Program Compatibility 
> > > Assistant" pops up,
> > > and asks if the program installed correctly, or if I wanted to "Reinstall 
> > > using recommended settings".
> > > 
> > > http://pasik.reaktio.net/openvpn212-setup-might-not-have-installed-correctly.jpg
> > > 
> > > I chose it installed OK and then rebooted the machine.
> > > 
> > > After reboot I noticed the TAP network device is missing from Windows,
> > > and thus openvpn connections cannot be started..
> > > 
> > > Running the "Add a new TAP virtual ethernet adapter" doesn't seem to work 
> > > either..
> > > 
> > 
> > And here's a screenshot of the failing tapinstall.exe:
> > http://pasik.reaktio.net/openvpn212-tapinstall-failed.jpg
> > 
> 
> Any tips how to troubleshoot this? 
>

I just verified: openvpn 2.1.1 installs and works without problems on this win7 
(x64) laptop.

no matter what I try openvpn 2.1.2 doesn't create the tap device..

I tried running the addtap.bat in various compatibility modes
but it just doesn't add the tap interface to windows..

executing addtap.bat with "run as administrator" makes it say it installs ok,
but in reality the tap interface is NOT added to windows.

-- Pasi




Re: [Openvpn-devel] OpenVPN version 2.1.2 released / tapinstall.exe fails

2010-08-17 Thread Pasi Kärkkäinen
On Mon, Aug 16, 2010 at 04:34:54PM +0300, Pasi Kärkkäinen wrote:
> On Mon, Aug 16, 2010 at 04:29:17PM +0300, Pasi Kärkkäinen wrote:
> > 
> > Hello,
> > 
> > When running the openvpn 2.1.2 installer on Windows 7 (x64) I noticed this 
> > error:
> > http://pasik.reaktio.net/openvpn212-setup-error-opening-file-for-writing.jpg
> > 
> > ie. the installer cannot overwrite the existing files from openvpn 2.1.1 
> > installation.
> > I get that error for the following files:
> > 
> > C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe
> > C:\Program Files (x86)\OpenVPN\bin\libeay32.dll
> > 
> > > And after finishing the installation windows "Program Compatibility 
> > Assistant" pops up,
> > and asks if the program installed correctly, or if I wanted to "Reinstall 
> > using recommended settings".
> > 
> > http://pasik.reaktio.net/openvpn212-setup-might-not-have-installed-correctly.jpg
> > 
> > I chose it installed OK and then rebooted the machine.
> > 
> > After reboot I noticed the TAP network device is missing from Windows,
> > and thus openvpn connections cannot be started..
> > 
> > Running the "Add a new TAP virtual ethernet adapter" doesn't seem to work 
> > either..
> > 
> 
> And here's a screenshot of the failing tapinstall.exe:
> http://pasik.reaktio.net/openvpn212-tapinstall-failed.jpg
> 

Any tips how to troubleshoot this? 

-- Pasi


> 
> > 
> > 
> > On Sun, Aug 15, 2010 at 04:27:06PM -0600, James Yonan wrote:
> > > 2010.08.09 -- Version 2.1.2
> > > 
> > > * Windows security issue:
> > > >   Fixed potential local privilege escalation vulnerability in
> > > >   Windows service. The Windows service did not properly quote the
> > > >   executable filename passed to CreateService.  A local attacker
> > > >   with write access to the root directory C:\ could create an
> > > >   executable that would be run with the same privilege level as
> > > >   the OpenVPN Windows service.  However, since non-Administrative
> > > >   users normally lack write permission on C:\, this vulnerability
> > > >   is generally not exploitable except on older versions of Windows
> > > >   (such as Win2K) where the default permissions on C:\ would allow
> > > >   any user to create files there.
> > > >   Credit:  Scott Laurie, MWR InfoSecurity
> > > > 
> > > > * Added Python-based alternative build system for Windows using
> > > >   Visual Studio 2008 (in win directory).
> > > > 
> > > > * When aborting in a non-graceful way, try to execute do_close_tun in
> > > >   init.c prior to daemon exit to ensure that the tun/tap interface is
> > > >   closed and any added routes are deleted.
> > > > 
> > > > * Fixed an issue where AUTH_FAILED was not being properly delivered
> > > >   to the client when a bad password is given for mid-session reauth,
> > > >   causing the connection to fail without an error indication.
> > > > 
> > > > * Don't advance to the next connection profile on AUTH_FAILED errors.
> > > > 
> > > > * Fixed an issue in the Management Interface that could cause
> > > >   a process hang with 100% CPU utilization in --management-client
> > > >   mode if the management interface client disconnected at the
> > > >   point where credentials are queried.
> > > > 
> > > > * Fixed an issue where if reneg-sec was set to 0 on the client,
> > > >   so that the server-side value would take precedence,
> > > >   the auth_deferred_expire_window function would incorrectly
> > > >   return a window period of 0 seconds.  In this case, the
> > > >   correct window period should be the handshake window
> > > >   period.
> > > > 
> > > > * Modified ">PASSWORD:Verification Failed" management interface
> > > >   notification to include a client reason string:
> > > > 
> > > >     >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']
> > > > 
> > > > * Enable exponential backoff in reliability layer
> > > >   retransmits.
> > > > 
> > > > * Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after
> > > >   socket is created rather than waiting until after connect/listen.
> > > > 
> > > > * Management interface performance optimizations:
> > > > 
> > > >   1. Added env-filter MI command to perform filtering on env vars
> > > >      passed through as a part of --management-client-auth
> > > > 
> > > >   2. man_write will now try to aggregate output into larger blocks
> > > >      (up to 1024 bytes) for more efficient i/o
> > > > 
> > > > * Fixed minor issue in Windows TAP driver DEBUG builds
> > > >   where non-null-terminated unicode strings were being
> > > >   printed incorrectly.
> > > > 
> > > > * Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support
> > > >   was not being compiled in.
> > > > 
> > > > * Proxy improvements:
> > > > 
> > > >   Improved the ability of http-auth "auto" flag to dynamically detect
> > > >   the auth method required by the proxy.
> > > > 
> > > >   Added http-auth "auto-nct" flag to reject weak proxy auth methods.
> > > > 
> > > >   Added HTTP proxy digest authentication method.
> > > > 
> > > >   Removed extraneous openvpn_sleep calls from proxy.c.
> > > 
> > > * 

Re: [Openvpn-devel] Finnish translation of OpenVPN-GUI for review

2010-08-17 Thread Pasi Kärkkäinen
On Tue, Aug 17, 2010 at 01:43:33PM +0200, Heiko Hund wrote:
> On Monday 16 August 2010 10:40:41 Pasi Kärkkäinen wrote:
> > Does this snapshot fix any problems/bugs?
> 
> Just the ones I come by. Try the latest version from 
> http://sf.net/projects/openvpn-gui/files/ to see if it works better for you.
> 

Ok. Will do. When I get openvpn 2.1.2 working again.. tapinstall.exe fails..

> > I'm often seeing problems with the gui icon on Windows 7 (64bit)..
> > sometimes (usually after suspend+resume of the laptop) the gui icon
> > stops responding, and I cannot stop the openvpn connection anymore..
> 
> So the icon is still there, but a right-click does not pop up the menu 
> anymore? Does the color of the icon reflect the current connection state?
> 

Yep, exactly. The icon is there, it shows the connection state,
but it doesn't respond. Right-click doesn't do anything.

This has happened at least 50 times for me..

-- Pasi




Re: [Openvpn-devel] Finnish translation of OpenVPN-GUI for review

2010-08-17 Thread Heiko Hund
On Monday 16 August 2010 10:40:41 Pasi Kärkkäinen wrote:
> Does this snapshot fix any problems/bugs?

Just the ones I come by. Try the latest version from 
http://sf.net/projects/openvpn-gui/files/ to see if it works better for you.

> I'm often seeing problems with the gui icon on Windows 7 (64bit)..
> sometimes (usually after suspend+resume of the laptop) the gui icon
> stops responding, and I cannot stop the openvpn connection anymore..

So the icon is still there, but a right-click does not pop up the menu 
anymore? Does the color of the icon reflect the current connection state?

Regards
Heiko
-- 
Heiko Hund | Software Engineer | Phone +49-721-25516-237 | Fax -200
Astaro GmbH & Co. KG | An der RaumFabrik 33a | 76227 Karlsruhe | Germany
Commercial Register: Mannheim HRA 702710 | Headquarter Location: Karlsruhe
 
Represented by the General Partner Astaro Verwaltungs GmbH
An der RaumFabrik 33a | 76227 Karlsruhe | Germany 
Commercial Register: Mannheim HRB 708248 | Executive Board: Gert Hansen,
Markus Hennig, Jan Hichert, Günter Junk, Dr. Frank Nellissen