Re: [Openvpn-devel] [PATCH v7-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-30 Thread Selva Nair
Hi,

On Sun, Nov 29, 2015 at 5:10 PM, ValdikSS  wrote:

> This option blocks all out-of-tunnel communication on TCP/UDP port 53
> (except
> for OpenVPN itself), preventing DNS Leaks on Windows 8.1 and 10.


v7 looks good and behaves as promised.

Tested v7-master and v7-2.3 (the latter built with and without wfp) on
Windows 7 and Windows 10 (64-bit only). For Windows 7, also see the note
below.

Selva

Note: On Windows 7 I would suggest using this option with either a script
that does "ipconfig /registerdns" or with the config option --register-dns
(the latter is slow as it restarts the dnsclient service etc., but may be
pushed). Without registerdns, at least on my Win7 machine, any public DNS
servers on other interfaces get queries through the tunnel for a long while
after the connection is up, as if those DNS servers had been specified on
the tunnel interface! It doesn't appear to have anything to do with this
patch.
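As an added example (not code from the patch or from anyone in this thread), a minimal Windows client config that combines the new option with the registerdns workaround described above. The server name, port, certificate file names and the batch file name are assumptions; the batch file is assumed to contain only "ipconfig /registerdns".

```conf
# Added example, not part of the patch or the thread.
# Windows client config: block out-of-tunnel DNS (this patch) and
# re-register DNS so that Windows 7 stops sending queries for other
# interfaces' public resolvers through the tunnel.
client
dev tun
proto udp
remote vpn.example.com 1194     # assumed server name and port
ca ca.crt                       # assumed file names
cert client.crt
key client.key

# New option from this patch: WFP filters drop TCP/UDP port 53 on every
# interface except the tunnel, with an exception for OpenVPN itself.
block-outside-dns

# Either (a) let OpenVPN restart the DNS client service and run
# ipconfig /registerdns itself (slow, but can also be pushed by the server)...
register-dns

# ...or (b) run your own script on connect. Requires script-security 2.
# Assumed contents of registerdns.bat: ipconfig /registerdns
# script-security 2
# up "C:\\Program Files\\OpenVPN\\config\\registerdns.bat"
```

Use (a) or (b), not both; (b) avoids the service restart but cannot be pushed from the server, and the up script only runs if script-security is raised to 2 on the client.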


[Openvpn-devel] [PATCH] Use example.com to improve clarity of documentation

2015-11-30 Thread Phillip Smith
This patch uses the generic "host1.example.com" and "host2.example.com" to
replace the current "may" and "june" hostname examples. Generic names were chosen
rather than other names like "server"/"client" or "head-office"/"remote-office"
etc., which may create other unintended or implicit meanings for the reader.
The example.com domain is reserved by IANA for use in documentation
examples. Refer to: http://www.iana.org/domains/reserved
Using this well-known domain makes the documentation easier to understand.

Signed-off-by: Phillip Smith 
---
 doc/openvpn.8 | 84 +--
 1 file changed, 42 insertions(+), 42 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 2978b7f..235bc26 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -6427,12 +6427,12 @@ and 1 for the CA certificate.
 .nf
 .ft 3
 .in +4
-X509_0_emailAddress=me@myhost.mydomain
+X509_0_emailAddress=m...@example.com
 X509_0_CN=Test-Client
 X509_0_O=OpenVPN-TEST
 X509_0_ST=NA
 X509_0_C=KG
-X509_1_emailAddress=me@myhost.mydomain
+X509_1_emailAddress=m...@example.com
 X509_1_O=OpenVPN-TEST
 X509_1_L=BISHKEK
 X509_1_ST=NA
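Review bot: the replacement address on both `+` lines in this hunk reads `m...@example.com`, which looks like the archive's address munging rather than the intended text; please confirm the patch as submitted carries a complete address (the removed lines had `me@myhost.mydomain`), otherwise the man page will render a truncated local part.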
@@ -6576,13 +6576,13 @@ for use with OpenVPN.
 .SS VPN Address Setup:
 For purposes
 of our example, our two machines will be called
-.B may.kg
+.B host1.example.com
 and
-.B june.kg.
+.B host2.example.com.
 If you are constructing a VPN over the internet, then replace
-.B may.kg
+.B host1.example.com
 and
-.B june.kg
+.B host2.example.com
 with the internet hostname or IP address that each machine will use
 to contact the other over the internet.

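Review bot: `.B host2.example.com.` keeps the sentence-ending period inside the bold argument, as the old `.B june.kg.` did, so the period is rendered bold along with the hostname; since these lines are being rewritten anyway, consider `.BR host2.example.com .` so only the hostname is bold.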
@@ -6590,8 +6590,8 @@ Now we will choose the tunnel endpoints.  Tunnel 
endpoints are
 private IP addresses that only have meaning in the context of
 the VPN.  Each machine will use the tunnel endpoint of the other
 machine to access it over the VPN.  In our example,
-the tunnel endpoint for may.kg
-will be 10.4.0.1 and for june.kg, 10.4.0.2.
+the tunnel endpoint for host1.example.com
+will be 10.4.0.1 and for host2.example.com, 10.4.0.2.

 Once the VPN is established, you have essentially
 created a secure alternate path between the two hosts
@@ -6600,16 +6600,17 @@ control which network
 traffic passes between the hosts 
 (a) over the VPN or (b) independently of the VPN, by choosing whether to use
 (a) the VPN endpoint address or (b) the public internet address,
-to access the remote host. For example if you are on may.kg and you wish to 
connect to june.kg
+to access the remote host. For example if you are on host1.example.com and you
+wish to connect to host2.example.com
 via
 .B ssh
 without using the VPN (since
 .B ssh
 has its own built-in security) you would use the command
-.B ssh june.kg.
+.B ssh host2.example.com.
 However in the same scenario, you could also use the command
 .B telnet 10.4.0.2
-to create a telnet session with june.kg over the VPN, that would
+to create a telnet session with host2.example.com over the VPN, that would
 use the VPN to secure the session rather than
 .B ssh.

@@ -6624,21 +6625,21 @@ you will get a weird feedback loop.
 .\"*
 .SS Example 1: A simple tunnel without security
 .LP
-On may:
+On host1.example.com:
 .IP
-.B openvpn \-\-remote june.kg \-\-dev tun1 \-\-ifconfig 10.4.0.1 10.4.0.2 
\-\-verb 9
+.B openvpn \-\-remote host2.example.com \-\-dev tun1 \-\-ifconfig 10.4.0.1 
10.4.0.2 \-\-verb 9
 .LP
-On june:
+On host2.example.com:
 .IP
-.B openvpn \-\-remote may.kg \-\-dev tun1 \-\-ifconfig 10.4.0.2 10.4.0.1 
\-\-verb 9
+.B openvpn \-\-remote host1.example.com \-\-dev tun1 \-\-ifconfig 10.4.0.2 
10.4.0.1 \-\-verb 9
 .LP
 Now verify the tunnel is working by pinging across the tunnel.
 .LP
-On may:
+On host1.example.com:
 .IP
 .B ping 10.4.0.2
 .LP
-On june:
+On host2.example.com:
 .IP
 .B ping 10.4.0.1
 .LP
@@ -6651,7 +6652,7 @@ program.  Omit the
 option to have OpenVPN run quietly.
 .\"*
 .SS Example 2: A tunnel with static-key security (i.e. using a pre-shared 
secret)
-First build a static key on may.
+First build a static key on host1.example.com.
 .IP
 .B openvpn \-\-genkey \-\-secret key
 .LP
@@ -6660,39 +6661,39 @@ This command will build a random key file called
 (in ascii format).
 Now copy
 .B key
-to june over a secure medium such as by
+to host2.example.com over a secure medium such as by
 using the
 .BR scp (1)
 program.
 .LP
-On may:
+On host1.example.com:
 .IP
-.B openvpn \-\-remote june.kg \-\-dev tun1 \-\-ifconfig 10.4.0.1 10.4.0.2 
\-\-verb 5 \-\-secret key
+.B openvpn \-\-remote host2.example.com \-\-dev tun1 \-\-ifconfig 10.4.0.1 
10.4.0.2 \-\-verb 5 \-\-secret key
 .LP
-On june:
+On host2.example.com:
 .IP
-.B openvpn \-\-remote may.kg \-\-dev tun1 \-\-ifconfig 10.4.0.2 10.4.0.1 
\-\-verb 5 \-\-secret key
+.B openvpn \-\-remote host1.example.com \-\-dev tun1 \-\-ifconfig 10.4.0.2 
10.4.0.1 \-\-verb 5 \-\-secret key
 .LP
 Now verify the