Re: [Openvpn-devel] Obfuscation for Iran SSL blocking
Hi David,

I replied to you directly, maybe it got caught in your spam filter?

Anyone else has some thoughts about developing an obfsproxy-style
component for OpenVPN?

Best,
Jun.

On 13/02/2012 13:09, David Sommerseth wrote:
> On 13/02/12 13:59, Jun Matsushita wrote:
>> This is my first post in this list. As probably a lot of you
>> heard, Iran has stepped up its filtering by apparently blocking
>> SSL/TLS using DPI. This is a good read about what's happening
>> http://news.ycombinator.com/item?id=3575029. As these statistics
>> from TOR attest
>> https://metrics.torproject.org/users.html?graph=direct-users=2012-01-12=2012-02-12=ir=on=72#direct-users
>> the impact has been immediate and surely concerns the majority of
>> tools out there.
>>
>> Does OpenVPN allow the use of some form of Obfuscation (such as
>> the one TOR is testing now and seem to work from within Iran
>> https://www.torproject.org/projects/obfsproxy-instructions.html.en)?
>>
>> Anyone has thoughts about this or would be interested in
>> discussing the matter?
>
> Hi Jun,
>
> OpenVPN uses SSL under the hood. But it does some tricks to allow
> SSL over UDP (SSL is strictly designed for TCP). This however
> makes some changes that many DPI firewalls *might* not identify
> OpenVPN traffic as SSL traffic. But as it's not really an
> obfuscation which changes over time, it might still be possible to
> block it if this kind of traffic is detected.
>
> However, the obfsproxy project sounds very interesting. And it
> should be possible to use obfsproxy (as it can talk like a SOCKS
> proxy) with OpenVPN, by using the --socks-proxy argument. But I'm
> not aware of any openvpn services providing obfsproxy services in
> conjunction with OpenVPN.
>
> kind regards,
>
> David Sommerseth
Re: [Openvpn-devel] [PATCH] Check for ENABLE_MANAGEMENT for ENABLE_CLIENT_CR
On 12/02/12 19:40, i...@novg.net wrote:
> When building a very minimal OpenVPN for OpenWRT with
> --disable-management among others, the compilation fails due to
> ENABLE_CLIENT_CR being defined, although the management interface,
> which makes use of it, has been disabled.
>
> The attached simple patch checks for ENABLE_MANAGEMENT before defining
> ENABLE_CLIENT_CR.

I've already ACKed this patch in another response in this mail thread.
But here is the complete overview of all patches pushed out on the
master branch for the -testing and -stable source trees.

commit 2ee0dc2bd72ec318fcc227af54e5ca7e1384a6cc
Author: Igor Novgorodov
Date:   Sun Feb 12 22:40:02 2012 +0400

    The code blocks enabled by ENABLE_CLIENT_CR depends on management

    If the management interface is not enabled, it makes no sense in
    including the ENABLE_CLIENT_CR #ifdef blocks. This will also in
    some configurations cause build issues if these blocks are enabled.

    Signed-off-by: Igor Novgorodov
    Acked-by: David Sommerseth
    Signed-off-by: David Sommerseth

commit ecede953d6366e9fbfecea62cc1f61fd2347dab7
Author: David Sommerseth
Date:   Mon Feb 13 16:03:46 2012 +0100

    Remove --show-gateway if debug info is not enabled (--disable-debug)

    The --show-gateway feature depends on functions only being enabled
    when --disable-debug is _not_ used. As this I consider --show-gateway
    more a handy function for debugging, removing this feature when
    --disable-debug is used seems like the proper approach.

    Signed-off-by: David Sommerseth
    Acked-by: Gert Doering

commit 22277ec675847f73203bf908144f9903d13e2869
Author: David Sommerseth
Date:   Mon Feb 13 15:52:00 2012 +0100

    Fix compile issues when plug-ins are disabled.

    Commit 1876ccd012e9e2ca6f8e1cd9e7e9bb4bf24ccecb modified plugin_call()
    and introduced plugin_call_ssl(). But the similar approach was missing
    for situations without plug-ins.

    Solution: Rename plugin_call() in the #else !ENABLE_PLUGIN section to
    plugin_call_ssl(). Then move the plugin_ssl() function inside the
    #ifdef ENABLE_PLUGIN section outside the #ifdef, making it available
    for builds with and without plug-ins enabled.

    Signed-off-by: David Sommerseth
    Acked-by: Gert Doering

kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCH] Made some options connection-entry specific
On 07/02/12 16:29, Jan Just Keijser wrote:
> Made some options connection-entry specific: fragment mssfix tun-mtu
> tun-mtu-extra link-mtu mtu_discover_type explicit-exit-notification
> in order to support stuff like remote host proto udp
> fragment explicit-exit-notification 3
> remote host proto tcp
>
> Signed-off-by: Jan Just Keijser
> ---
>  forward.c |   2 +-
>  init.c    |  38 ++-
>  occ.c     |   2 +-
>  options.c | 125 +++--
>  options.h |  36 +-
>  sig.c     |   6 +-
>  6 files changed, 107 insertions(+), 102 deletions(-)

ACK. Applied to the master branch for -stable and -testing trees.

commit 76809cae0eae07817160b423d3f9551df1a1d68e
Author: Jan Just Keijser
Date:   Tue Feb 7 16:29:47 2012 +0100

    Made some options connection-entry specific

    Signed-off-by: Jan Just Keijser
    Acked-by: David Sommerseth
    Signed-off-by: David Sommerseth

kind regards,

David Sommerseth
Re: [Openvpn-devel] [PATCHv2] Windows UTF-8 input/output
On 23/11/11 19:08, Heiko Hund wrote:
> This patch makes openvpn read unicode from the console and convert
> the input to UTF-8. And then display UTF-8 output to the console
> correctly.
>
> Signed-off-by: Heiko Hund
> ---
>  configure.ac |  1 +
>  openvpn.c    |  4
>  win32.c      | 14 +-
>  3 files changed, 18 insertions(+), 1 deletions(-)

ACKed and applied to master branch on -testing and -stable.

commit 6ba68180b89e0290855f70832243fc9b4370e4d2
Author: Heiko Hund
Date:   Wed Nov 23 19:08:34 2011 +0100

    Windows UTF-8 input/output

    Signed-off-by: Heiko Hund
    Acked-by: David Sommerseth
    Signed-off-by: David Sommerseth

kind regards,

David Sommerseth
[Openvpn-devel] 2012-07 Snapshot Signature
--
Eric F Crist
Secure Computing Networks
Certified in ABC by Sesame Street
Brought to you by the number 4
Certified Winner by Charlie Sheen
I can do it better than you, nanna nanna boo boo (School of Tosh.0)
Re: [Openvpn-devel] [PATCHv2] handle Windows unicode paths
On 10/02/12 15:13, Heiko Hund wrote:
> Openvpn for Windows is not compiled as a Unicode binary and thus
> cannot handle paths which contain non-ASCII characters using the argv
> vector. Characters that are not present in the system codepage are
> simply replaced with a question mark, e.g. if started as 'openvpn
> --config домой.ovpn' the file '?.ovpn' is tried to be opened as
> configuration.
>
> The same applies to paths in config files which need to be UTF-8
> encoded if they contain non ASCII characters. The option line 'key
> лев.pem' will lead to openvpn trying to open 'лев.pem' on a system
> with codepage 1252.
>
> This patch makes openvpn read the command line in UCS-2 and convert it
> to UTF-8 internally. Windows stores names in the filesystem in UCS-2.
> When using a path openvpn converts it from UTF-8 to UCS-2 and uses
> the wide character Windows API function.
>
> Signed-off-by: Heiko Hund
> ---
>
> This version of the patch was rebased to current master. It also
> handles the access(2) calls introduced in commit 0f2bc0dd by David
> correctly.
>
>  buffer.c             |   3 +-
>  crypto.c             |   6 +-
>  error.c              |  17 +-
>  manage.c             |   2 +-
>  misc.c               |  41 -
>  misc.h               |  31
>  options.c            |  37 -
>  packet_id.c          |   6 +-
>  pf.c                 |   2 +-
>  plugin.c             |   3 +-
>  ps.c                 |   2 +-
>  ssl_openssl.c        | 459 +++---
>  ssl_verify.c         |   2 +-
>  ssl_verify_openssl.c |   6 +-
>  status.c             |  48 ++
>  syshead.h            |   1 +
>  win32.c              |  60 ++--
>  win32.h              |   3 +
>  18 files changed, 367 insertions(+), 362 deletions(-)

ACK and applied to master for -stable and -testing trees.

commit 71bbbd76c62630c88441237d72fe5b61f0b45b2a
Author: Heiko Hund
Date:   Fri Feb 10 15:13:42 2012 +0100

    handle Windows unicode paths

    Signed-off-by: Heiko Hund
    Acked-by: David Sommerseth
    Signed-off-by: David Sommerseth

kind regards,

David Sommerseth
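The two path failures described in the quoted patch message, and the conversion the patch is said to perform, as an added Python illustration that is not part of the thread or of OpenVPN's code. Python's cp1252 codec stands in for the Windows ANSI conversion; the function names and the second file name are made up for the example.

```python
# Added illustration, not OpenVPN code. All function names are hypothetical.
# Python's cp1252 codec is used as a stand-in for the Windows ANSI conversion.

CODEPAGE = "cp1252"  # the system codepage named in the message


def argv_as_ansi(arg: str, codepage: str = CODEPAGE) -> str:
    """Command-line argument as a non-Unicode binary receives it:
    every character missing from the codepage is replaced with '?'."""
    return arg.encode(codepage, errors="replace").decode(codepage)


def config_path_as_ansi(raw: bytes, codepage: str = CODEPAGE) -> str:
    """UTF-8 bytes from a config file handed unchanged to an ANSI file API:
    each byte is read as one codepage character, so the name is mangled."""
    return raw.decode(codepage, errors="replace")


def config_path_as_wide(raw: bytes) -> bytes:
    """Conversion described for the patch: treat the bytes as UTF-8 and pass
    a UTF-16LE string to the wide-character API (identical to UCS-2 for the
    characters used here). Invalid UTF-8 is rejected instead of guessed at,
    and an embedded NUL, which would cut the path short, is refused."""
    text = raw.decode("utf-8", errors="strict")
    if "\x00" in text:
        raise ValueError("embedded NUL in path")
    return text.encode("utf-16-le")


def wide_to_name(wide: bytes) -> str:
    """Name the filesystem API would see for a UTF-16LE path."""
    return wide.decode("utf-16-le")


if __name__ == "__main__":
    # Constructed inputs: the first name is from the message, the second is
    # made up to show that distinct names collapse to the same lossy string.
    for name in ("домой.ovpn", "школа.ovpn"):
        print(name, "->", argv_as_ansi(name))

    key_line = "лев.pem".encode("utf-8")  # bytes as stored in the config file
    print("ANSI API sees:", config_path_as_ansi(key_line))
    print("wide API sees:", wide_to_name(config_path_as_wide(key_line)))
```

The lossy argv conversion is not reversible, so the original name cannot be recovered after the fact; the conversion has to happen before the codepage step, which is why the patch reads the command line as wide characters.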
Re: [Openvpn-devel] [PATCH] Check for ENABLE_MANAGEMENT for ENABLE_CLIENT_CR
Thanks!

Well, I'm no OpenWRT developer, just customizing some packages for my
needs, but I thought that they are sending patches upstream :)
Anyway, if I happen to find anything, I'll post here.

What's for the second patch (gateway/debug stuff), it has been patched
in OpenWRT too, I just forgot to mention it:
https://dev.openwrt.org/browser/packages/net/openvpn-polarssl/patches/400-fix-undefined-print_default.gateway.patch

On Mon, 13 Feb 2012 16:07:04 +0100, David Sommerseth wrote:
> On 13/02/12 14:00, Igor Novgorodov wrote:
>> I'm building latest GIT with:
>>
>> ./configure \
>> --disable-debug \
>> --disable-plugins \
>> --disable-management \
>> --disable-socks \
>> --disable-password-save \
>> --disable-multi \
>> --disable-server \
>> --disable-pkcs11 \
>> --disable-http \
>> --disable-port-share \
>> --disable-def-auth \
>> --disable-pf \
>> --disable-lzo \
>> --disable-selinux \
>> --disable-iproute2 \
>> --enable-small
>>
>> (effectively, the version that supports only static keys and no fancy
>> stuff)
>>
>> Build fails with:
>> ...
>> gcc -DHAVE_CONFIG_H -I. -I. -g -O2 -MT init.o -MD -MP -MF .deps/init.Tpo -c -o init.o init.c
>> init.c: In function ‘do_route’:
>> init.c:1364:7: error: too few arguments to function ‘plugin_call’
>> plugin.h:196:1: note: declared here
>> init.c: In function ‘do_init_crypto_tls’:
>> init.c:2286:20: error: ‘const struct options’ has no member named ‘sc_info’
>> make[2]: *** [init.o] Error 1
>> ...
>>
>> Here are even two errors, one of which (plugin_call) function is
>> addressed in OpenWRT patchset:
>> https://dev.openwrt.org/browser/packages/net/openvpn-polarssl/patches/300-fix-plugin_call-with-ssl.patch
>
> I would love the OpenWRT guys to give us a heads up directly when
> something like this is noticed. Such things we really want to fix ASAP.
>
> However, I didn't particular like the approach in that patch, so I've
> attached another patch for review. If this is acked, please consider
> using this one instead (patch 0001).
>
>> And another is that I'm talking about.
>
> I'm giving your patch an ACK, so that will go into the tree. But even
> one more fix is needed, which is in the second patch I attached.
>
> kind regards,
>
> David Sommerseth
>
>> On 13.02.2012 16:32, David Sommerseth wrote:
>>> On 12/02/12 19:40, i...@novg.net wrote:
>>>> When building a very minimal OpenVPN for OpenWRT with
>>>> --disable-management among others, the compilation fails due to
>>>> ENABLE_CLIENT_CR being defined, although the management interface,
>>>> which makes use of it, has been disabled.
>>>>
>>>> The attached simple patch checks for ENABLE_MANAGEMENT before
>>>> defining ENABLE_CLIENT_CR.
>>>
>>> Which version are you compiling? I tried a couple of compiles with
>>> the latest version in git (master branch) in combination with
>>> --disable-management and --enable-small ... And I could not manage to
>>> trigger this one. Our buildbot (even though, not testing all
>>> combinations) have also not triggered this one.
>>>
>>> Could you provide more version information and the configure
>>> arguments you use?
>>>
>>> kind regards,
>>>
>>> David Sommerseth
>>
>> ___
>> Openvpn-devel mailing list
>> Openvpn-devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Check for ENABLE_MANAGEMENT for ENABLE_CLIENT_CR
Hi,

On Mon, Feb 13, 2012 at 04:07:04PM +0100, David Sommerseth wrote:
> I would love the OpenWRT guys to give us a heads up directly when
> something like this is noticed. Such things we really want to fix ASAP.

Seconded :-)

> However, I didn't particular like the approach in that patch, so I've
> attached another patch for review. If this is acked, please consider
> using this one instead (patch 0001).
>
> > And another is that I'm talking about.
>
> I'm giving your patch an ACK, so that will go into the tree. But even
> one more fix is needed, which is in the second patch I attached.

ACK.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                  //www.muc.de/~gert/
Gert Doering - Munich, Germany                    g...@greenie.muc.de
fax: +49-89-35655025               g...@net.informatik.tu-muenchen.de
Re: [Openvpn-devel] [PATCH] Check for ENABLE_MANAGEMENT for ENABLE_CLIENT_CR
On 13/02/12 14:00, Igor Novgorodov wrote:
> I'm building latest GIT with:
>
> ./configure \
> --disable-debug \
> --disable-plugins \
> --disable-management \
> --disable-socks \
> --disable-password-save \
> --disable-multi \
> --disable-server \
> --disable-pkcs11 \
> --disable-http \
> --disable-port-share \
> --disable-def-auth \
> --disable-pf \
> --disable-lzo \
> --disable-selinux \
> --disable-iproute2 \
> --enable-small
>
> (effectively, the version that supports only static keys and no fancy
> stuff)
>
> Build fails with:
> ...
> gcc -DHAVE_CONFIG_H -I. -I. -g -O2 -MT init.o -MD -MP -MF .deps/init.Tpo -c -o init.o init.c
> init.c: In function ‘do_route’:
> init.c:1364:7: error: too few arguments to function ‘plugin_call’
> plugin.h:196:1: note: declared here
> init.c: In function ‘do_init_crypto_tls’:
> init.c:2286:20: error: ‘const struct options’ has no member named ‘sc_info’
> make[2]: *** [init.o] Error 1
> ...
>
> Here are even two errors, one of which (plugin_call) function is
> addressed in OpenWRT patchset:
> https://dev.openwrt.org/browser/packages/net/openvpn-polarssl/patches/300-fix-plugin_call-with-ssl.patch

I would love the OpenWRT guys to give us a heads up directly when
something like this is noticed. Such things we really want to fix ASAP.

However, I didn't particular like the approach in that patch, so I've
attached another patch for review. If this is acked, please consider
using this one instead (patch 0001).

> And another is that I'm talking about.

I'm giving your patch an ACK, so that will go into the tree. But even
one more fix is needed, which is in the second patch I attached.

kind regards,

David Sommerseth

> On 13.02.2012 16:32, David Sommerseth wrote:
>> On 12/02/12 19:40, i...@novg.net wrote:
>>> When building a very minimal OpenVPN for OpenWRT with
>>> --disable-management among others, the compilation fails due to
>>> ENABLE_CLIENT_CR being defined, although the management interface,
>>> which makes use of it, has been disabled.
>>>
>>> The attached simple patch checks for ENABLE_MANAGEMENT before
>>> defining ENABLE_CLIENT_CR.
>>
>> Which version are you compiling? I tried a couple of compiles with
>> the latest version in git (master branch) in combination with
>> --disable-management and --enable-small ... And I could not manage to
>> trigger this one. Our buildbot (even though, not testing all
>> combinations) have also not triggered this one.
>>
>> Could you provide more version information and the configure
>> arguments you use?
>>
>> kind regards,
>>
>> David Sommerseth

From a0cc57dc54aefd0507a83174fb6c0e7a2b47b90f Mon Sep 17 00:00:00 2001
From: David Sommerseth
Date: Mon, 13 Feb 2012 15:52:00 +0100
Subject: [PATCH 1/2] Fix compile issues when plug-ins are disabled.

Commit 1876ccd012e9e2ca6f8e1cd9e7e9bb4bf24ccecb modified plugin_call()
and introduced plugin_call_ssl(). But the similar approach was missing
for situations without plug-ins.

Solution: Rename plugin_call() in the #else !ENABLE_PLUGIN section to
plugin_call_ssl(). Then move the plugin_ssl() function inside the
#ifdef ENABLE_PLUGIN section outside the #ifdef, making it available
for builds with and without plug-ins enabled.

Signed-off-by: David Sommerseth
---
 plugin.h |   31 +++
 1 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/plugin.h b/plugin.h index 948ab88..6f75e27 100644 --- a/plugin.h +++ b/plugin.h
@@ -133,20 +133,6 @@ int plugin_call_ssl (const struct plugin_list *pl, #endif ); -static inline int -plugin_call(const struct plugin_list *pl, - const int type, - const struct argv *av, - struct plugin_return *pr, - struct env_set *es) -{ - return plugin_call_ssl(pl, type, av, pr, es -#ifdef USE_SSL - , -1, NULL -#endif - ); -} - void plugin_list_close (struct plugin_list *pl); bool plugin_defined (const struct plugin_list *pl, const int type); @@ -182,7 +168,6 @@ plugin_return_init (struct plugin_return *pr) } #else - struct plugin_list { int dummy; }; struct plugin_return { int dummy; }; @@ -193,7 +178,7 @@ plugin_defined (const struct plugin_list *pl, const int type) } static inline int -plugin_call (const struct plugin_list *pl, +plugin_call_ssl (const struct plugin_list *pl, const int type, const struct argv *av, struct
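Review bot: in the last hunk, the `#else` stub renamed to `plugin_call_ssl` has to accept the same argument list as the ENABLE_PLUGIN prototype, including the two extra USE_SSL arguments that the removed wrapper passed as `, -1, NULL`; the visible lines stop at `const struct argv *av, struct`, so this cannot be confirmed from what is shown. If the stub lacks those `#ifdef USE_SSL` parameters, the shared `plugin_call()` wrapper will not compile in a build with USE_SSL defined and plug-ins disabled, so the stub's parameter list should mirror the prototype under the same `#ifdef`. Separately, the commit message names `plugin_ssl()` where the first hunk removes `plugin_call()`; the message should name the function that is actually moved.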
Re: [Openvpn-devel] [PATCH] Check for ENABLE_MANAGEMENT for ENABLE_CLIENT_CR
On 12/02/12 19:40, i...@novg.net wrote:
> When building a very minimal OpenVPN for OpenWRT with
> --disable-management among others, the compilation fails due to
> ENABLE_CLIENT_CR being defined, although the management interface,
> which makes use of it, has been disabled.
>
> The attached simple patch checks for ENABLE_MANAGEMENT before defining
> ENABLE_CLIENT_CR.

Which version are you compiling? I tried a couple of compiles with the
latest version in git (master branch) in combination with
--disable-management and --enable-small ... And I could not manage to
trigger this one. Our buildbot (even though, not testing all
combinations) have also not triggered this one.

Could you provide more version information and the configure arguments
you use?

kind regards,

David Sommerseth