Re: [Openvpn-devel] [PATCH] Implement parsing and sending INFO and INFO_PRE control messages

2018-07-03 Thread Antonio Quartulli
Hi,

On 03/07/18 23:33, Gert Doering wrote:
> Hi,
> 
> On Tue, Jul 03, 2018 at 04:47:55PM +0200, Arne Schwabe wrote:
>> OpenVPN 3 implements these messages to send information during the
>> authentication to the UI; implement these messages also in OpenVPN 2.x
> 
> Feature-Questionmark :-)
> 
> Is there any documentation about this?  What sort of messages are sent,
> by which product?  What do you do with it?
> 
> Can we maybe have some documentation in management-notes.txt?

And even at a higher level: what is the actual use case for this?
Porting more features "just because they are supported in openvpn3" does
not really sound like a reason to maintain more code on the community
side, imho.

Cheers,



-- 
Antonio Quartulli



--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] Upstreaming pqcrypto changes from microsoft/openvpn

2018-07-03 Thread Kevin Kane via Openvpn-devel
[Resending to openvpn-devel now that I'm subscribed to it.]

Hello all,

Thanks to Jon for making the introduction. My team works on post-quantum (PQ) 
cryptography: algorithms used by regular computers but resistant to attack by a 
sufficiently powerful quantum computer. This OpenVPN 
fork is an example application we released so the public could experiment with 
it. 

The following sites have information on what we're doing:

Our openvpn, openvpn-build, and openvpn-gui forks are subprojects of the 
following repo: https://github.com/Microsoft/PQCrypto-VPN

I just realized there are no back-pointers from the subprojects back to the 
main repo. I've just corrected that.

On this site are scripts and instructions for doing our custom build of OpenVPN 
for Windows and Linux, to use the PQ crypto-enabled fork of OpenSSL we use, and 
how to properly configure it for PQ crypto. We also provide instructions for 
building an image for a Raspberry Pi to be used as a wifi access point that 
tunnels all traffic to a remote server protected by PQ key exchange. We also 
have released pre-built Linux x64 and Windows binaries. Our current build 
process works but there is plenty of room for improvement.

A more in-depth description of the PQ VPN is here: 
https://www.microsoft.com/en-us/research/project/post-quantum-crypto-vpn/

And our introduction to post-quantum cryptography overall is here: 
https://www.microsoft.com/en-us/research/project/post-quantum-cryptography/

As Jon said, these algorithms are experimental and so it would be inappropriate 
to introduce them into production code until the standardization and thorough 
analysis by the cryptographic community are completed. When that happens, we 
want to be ready to quickly integrate these algorithms into existing software. 
My colleagues are already contributing to a PQ crypto-enabled fork of OpenSSL 
(https://github.com/open-quantum-safe/openssl), and similarly we believe there 
is value in maintaining a PQ-enabled fork of OpenVPN, so that both are ready 
when there is consensus on a standard.

I will be updating the fork to track the forward progress of both the 
PQ-enabled OpenSSL fork and OpenVPN as time allows, but I welcome the 
participation of anyone who's interested in helping with the updates or making 
other improvements, as well as any suggestions you may have on future 
directions for this work.

-Original Message-
From: Jon Kunkee 
Sent: Tuesday, July 3, 2018 4:20 PM
To: Samuli Seppänen ; Илья Шипицин ; 
Kevin Kane 
Cc: openvpn-devel 
Subject: Upstreaming pqcrypto changes from microsoft/openvpn

Hi,

(Retitling thread from RE: [Openvpn-devel] Topics for the community meeting 
(Wed, 13th June 2018))

> do you know this activity https://github.com/Microsoft/openvpn/ ?
> there are interesting things

There are *very* interesting things there!

> Do you know if Kevin (or his manager/team) plans to push his work upstream 
> (i.e. to us) at some point?

Samuli and Илья, I'd like to introduce you to Kevin Kane. He is the current 
maintainer of the Microsoft/openvpn pqcrypto branch on GitHub.

He is working on developing encryption standards that are resistant to 
quantum-mechanics-based attacks. This includes taking existing products and 
adding experimental implementations of the experimental standards to 
them—including OpenVPN and OpenSSL. Over time these new techniques will be 
studied, refined, tested, and otherwise hammered on in the furnace of 
open-source cryptography until they gain some measure of trust.

Both the experimental and untested nature of his work mean that no, his code 
isn’t ready to be merged into OpenVPN/master…yet!

In the meantime, he would love to work with someone from the OpenVPN 
community—or even the organization itself—to make the connection official and 
to refine his additions. Some of the needed refinement requires familiarity 
with the overall build system, while a forward-looking cryptographer or 
protocol guru might take interest in what's developing under the hood.

I don't know much about the current status of the project, but Kevin is happy 
to answer questions and would love to hear from you.

Thanks,
Jon



[Openvpn-devel] Upstreaming pqcrypto changes from microsoft/openvpn

2018-07-03 Thread Jon Kunkee via Openvpn-devel
Hi,

(Retitling thread from RE: [Openvpn-devel] Topics for the community meeting 
(Wed, 13th June 2018))

> do you know this activity https://github.com/Microsoft/openvpn/ ?
> there are interesting things

There are *very* interesting things there!

> Do you know if Kevin (or his manager/team) plans to push his work upstream 
> (i.e. to us) at some point?

Samuli and Илья, I'd like to introduce you to Kevin Kane. He is the current 
maintainer of the Microsoft/openvpn pqcrypto branch on GitHub.

He is working on developing encryption standards that are resistant to 
quantum-mechanics-based attacks. This includes taking existing products and 
adding experimental implementations of the experimental standards to 
them—including OpenVPN and OpenSSL. Over time these new techniques will be 
studied, refined, tested, and otherwise hammered on in the furnace of 
open-source cryptography until they gain some measure of trust.

Both the experimental and untested nature of his work mean that no, his code 
isn’t ready to be merged into OpenVPN/master…yet!

In the meantime, he would love to work with someone from the OpenVPN 
community—or even the organization itself—to make the connection official and 
to refine his additions. Some of the needed refinement requires familiarity 
with the overall build system, while a forward-looking cryptographer or 
protocol guru might take interest in what's developing under the hood.

I don't know much about the current status of the project, but Kevin is happy 
to answer questions and would love to hear from you.

Thanks,
Jon



Re: [Openvpn-devel] tap-windows6 and AppVeyor

2018-07-03 Thread Jon Kunkee via Openvpn-devel
Agreed. I leapt a bit too far to land at my conclusion. :| I gladly defer to 
those who have to live with this decision in the long run.

(Unfortunately, it seems that MS' VSTS doesn't have any WDK or EWDK CI 
solutions at all...oh well.)

-Original Message-
From: Simon Rozman  
Sent: Tuesday, July 3, 2018 12:40 PM
To: Jon Kunkee ; Илья Шипицин ; 
Samuli Seppänen 
Cc: openvpn-devel 
Subject: RE: tap-windows6 and AppVeyor

Hi,

> I chose the EWDK thinking it would actually be easier for CI because it was
> so
> similar to the Win7 DDK, but from what you are saying I was wrong (at least
> for AppVeyor). Are you interested in converting buildtap.py to use
> VS2017+WDK instead of the EWDK? I'm happy to do it, but I won't get to it
> until next week at the earliest...

EWDK is a nice step forward in simplifying the build environment.
Unfortunately, a step too forward in AppVeyor's case. ;)

The decision to keep EWDK, revert back to VS2017+WDK, or support both is
probably best made by the other team members who work on the TAP driver the most.

Best regards,
Simon


Re: [Openvpn-devel] tap-windows6 and AppVeyor

2018-07-03 Thread Simon Rozman
Hi,

> I chose the EWDK thinking it would actually be easier for CI because it was
> so
> similar to the Win7 DDK, but from what you are saying I was wrong (at least
> for AppVeyor). Are you interested in converting buildtap.py to use
> VS2017+WDK instead of the EWDK? I'm happy to do it, but I won't get to it
> until next week at the earliest...

EWDK is a nice step forward in simplifying the build environment.
Unfortunately, a step too forward in AppVeyor's case. ;)

The decision to keep EWDK, revert back to VS2017+WDK, or support both is
probably best made by the other team members who work on the TAP driver the most.

Best regards,
Simon




[Openvpn-devel] [PATCH applied] Re: Add MTU to Android IFCONFIG6 control command

2018-07-03 Thread Gert Doering
Acked-by: Gert Doering 

"I guessed that something interesting might happen here" - nothing
much to review, though, as it's Android specific and does not touch
anything else (and no obvious issues with it).

Your patch has been applied to the master branch.

commit e050bdfe9489ae9d0a15cb000360b73c7c748b59
Author: Arne Schwabe
Date:   Tue Jul 3 18:17:51 2018 +0200

 Add MTU to Android IFCONFIG6 control command

 Acked-by: Gert Doering 
 Message-Id: <20180703161751.7680-1-a...@rfc2549.org>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17186.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




Re: [Openvpn-devel] Topics for the community meeting (Wed, 13th June 2018)

2018-07-03 Thread Jon Kunkee via Openvpn-devel
I don't know right off, but I will ask. 

-Original Message-
From: Samuli Seppänen  
Sent: Tuesday, July 3, 2018 11:23 AM
To: Jon Kunkee ; Илья Шипицин 
Cc: openvpn-devel 
Subject: Re: [Openvpn-devel] Topics for the community meeting (Wed, 13th June 
2018)

Hi Jon,

Do you know if Kevin (or his manager/team) plans to push his work
upstream (i.e. to us) at some point?

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


On 03/07/2018 20:55, Jon Kunkee wrote:
> Yes, I am aware of that. Note that it’s not tap-windows6, but openvpn.
> 
>  
> 
> I talked to the primary contributor to that fork, Kevin Kane, a few days
> ago. When I asked if his team had done anything with signing the driver
> or doing the HLK work, he said his team uses tap-windows6 as-shipped,
> complete with signatures. His work is on the usermode daemon’s crypto
> engine, if I understood the commit messages right, so any changes he
> makes aren’t related to the driver.
> 
>  
> 
> *From:* Илья Шипицин 
> *Sent:* Tuesday, July 3, 2018 10:50 AM
> *To:* Jon Kunkee 
> *Cc:* Samuli Seppänen ; openvpn-devel
> 
> *Subject:* Re: [Openvpn-devel] Topics for the community meeting (Wed,
> 13th June 2018)
> 
>  
> 
> Hello, Jon.
> 
>  
> 
> do you know this activity https://github.com/Microsoft/openvpn/ ?
> 
> there are interesting things
> 
>  
> 
> Tue, 3 Jul 2018 at 22:43, Jon Kunkee via Openvpn-devel
> <openvpn-devel@lists.sourceforge.net>:
> 
> Hi,
> 
> 2. Tap-windows6 patches, building and testing
> 
> In order to get the tap-windows6 driver signed properly for Windows
> Server 2016, it needs to pass the Windows Hardware Certification
> Program subset of the Windows Hardware Logo Kit (HLK) tests. Samuli
> has the tests running in EC2, but there are some failures.
> 
> Some of the failures are basically paperwork, like the Static
> Verification logs test. Some reflect needed tweaks in the
> environment, like the Running on Server Core test. Others reflect
> possible code bugs, and since I have significant experience doing
> Windows kernel debugging I'm investigating those.
> 
> I spent yesterday setting up a local HLK-based test environment with
> kernel debugging. Today I'm trying to get two OpenVPN clients to be
> able to talk to each other over a VPN so I can start reproducing and
> investigating the failures. (I will be sending a mail to
> openvpn-users asking for help since it would be quite noisy to
> explain  on IRC.)
> 
> Cheers,
> Jon Kunkee
> Software Developer
> Microsoft
> 
> -Original Message-
> From: Samuli Seppänen <sam...@openvpn.net>
> Sent: Tuesday, July 3, 2018 10:30 AM
> To: openvpn-devel@lists.sourceforge.net
> 
> Subject: [Openvpn-devel] Topics for the community meeting (Wed, 13th
> June 2018)
> 
> Hi,
> 
> We're going to have an IRC meeting starting at 11:30 CET
> (9:30 UTC) on #openvpn-meeting  irc.freenode.net.
> You do not have to be logged in to Freenode to join the channel.
> 
> Current topic list along with basic information is here:
> 
> 
>  
> >
> 
> If you have any other things you'd like to bring up, respond to this
> mail, send me mail privately or add them to the list yourself.
> 
> In case you can't attend the meeting, please feel free to make
>  

Re: [Openvpn-devel] Topics for the community meeting (Wed, 13th June 2018)

2018-07-03 Thread Samuli Seppänen
Hi Jon,

Do you know if Kevin (or his manager/team) plans to push his work
upstream (i.e. to us) at some point?

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock


On 03/07/2018 20:55, Jon Kunkee wrote:
> Yes, I am aware of that. Note that it’s not tap-windows6, but openvpn.
> 
>  
> 
> I talked to the primary contributor to that fork, Kevin Kane, a few days
> ago. When I asked if his team had done anything with signing the driver
> or doing the HLK work, he said his team uses tap-windows6 as-shipped,
> complete with signatures. His work is on the usermode daemon’s crypto
> engine, if I understood the commit messages right, so any changes he
> makes aren’t related to the driver.
> 
>  
> 
> *From:* Илья Шипицин 
> *Sent:* Tuesday, July 3, 2018 10:50 AM
> *To:* Jon Kunkee 
> *Cc:* Samuli Seppänen ; openvpn-devel
> 
> *Subject:* Re: [Openvpn-devel] Topics for the community meeting (Wed,
> 13th June 2018)
> 
>  
> 
> Hello, Jon.
> 
>  
> 
> do you know this activity https://github.com/Microsoft/openvpn/ ?
> 
> there are interesting things
> 
>  
> 
> Tue, 3 Jul 2018 at 22:43, Jon Kunkee via Openvpn-devel
> <openvpn-devel@lists.sourceforge.net>:
> 
> Hi,
> 
> 2. Tap-windows6 patches, building and testing
> 
> In order to get the tap-windows6 driver signed properly for Windows
> Server 2016, it needs to pass the Windows Hardware Certification
> Program subset of the Windows Hardware Logo Kit (HLK) tests. Samuli
> has the tests running in EC2, but there are some failures.
> 
> Some of the failures are basically paperwork, like the Static
> Verification logs test. Some reflect needed tweaks in the
> environment, like the Running on Server Core test. Others reflect
> possible code bugs, and since I have significant experience doing
> Windows kernel debugging I'm investigating those.
> 
> I spent yesterday setting up a local HLK-based test environment with
> kernel debugging. Today I'm trying to get two OpenVPN clients to be
> able to talk to each other over a VPN so I can start reproducing and
> investigating the failures. (I will be sending a mail to
> openvpn-users asking for help since it would be quite noisy to
> explain  on IRC.)
> 
> Cheers,
> Jon Kunkee
> Software Developer
> Microsoft
> 
> -Original Message-
> From: Samuli Seppänen <sam...@openvpn.net>
> Sent: Tuesday, July 3, 2018 10:30 AM
> To: openvpn-devel@lists.sourceforge.net
> 
> Subject: [Openvpn-devel] Topics for the community meeting (Wed, 13th
> June 2018)
> 
> Hi,
> 
> We're going to have an IRC meeting starting at 11:30 CET
> (9:30 UTC) on #openvpn-meeting  irc.freenode.net.
> You do not have to be logged in to Freenode to join the channel.
> 
> Current topic list along with basic information is here:
> 
> 
>  
> >
> 
> If you have any other things you'd like to bring up, respond to this
> mail, send me mail privately or add them to the list yourself.
> 
> In case you can't attend the meeting, please feel free to make
> comments on the topics by responding to this email or to the summary
> email sent after the meeting. Whenever possible, we'll also respond
> to existing, related email threads.
> 
> --
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
> 
> irc freenode net: mattock
> 
> 
> 
> 
> 

Re: [Openvpn-devel] Topics for the community meeting (Wed, 13th June 2018)

2018-07-03 Thread Jon Kunkee via Openvpn-devel
Yes, I am aware of that. Note that it’s not tap-windows6, but openvpn.

I talked to the primary contributor to that fork, Kevin Kane, a few days ago. 
When I asked if his team had done anything with signing the driver or doing the 
HLK work, he said his team uses tap-windows6 as-shipped, complete with 
signatures. His work is on the usermode daemon’s crypto engine, if I understood 
the commit messages right, so any changes he makes aren’t related to the driver.

From: Илья Шипицин 
Sent: Tuesday, July 3, 2018 10:50 AM
To: Jon Kunkee 
Cc: Samuli Seppänen ; openvpn-devel 

Subject: Re: [Openvpn-devel] Topics for the community meeting (Wed, 13th June 
2018)

Hello, Jon.

do you know this activity https://github.com/Microsoft/openvpn/ ?
there are interesting things

Tue, 3 Jul 2018 at 22:43, Jon Kunkee via Openvpn-devel 
<openvpn-devel@lists.sourceforge.net>:
Hi,

2. Tap-windows6 patches, building and testing

In order to get the tap-windows6 driver signed properly for Windows Server 
2016, it needs to pass the Windows Hardware Certification Program subset of the 
Windows Hardware Logo Kit (HLK) tests. Samuli has the tests running in EC2, but 
there are some failures.

Some of the failures are basically paperwork, like the Static Verification logs 
test. Some reflect needed tweaks in the environment, like the Running on Server 
Core test. Others reflect possible code bugs, and since I have significant 
experience doing Windows kernel debugging I'm investigating those.

I spent yesterday setting up a local HLK-based test environment with kernel 
debugging. Today I'm trying to get two OpenVPN clients to be able to talk to 
each other over a VPN so I can start reproducing and investigating the 
failures. (I will be sending a mail to openvpn-users asking for help since it 
would be quite noisy to explain  on IRC.)

Cheers,
Jon Kunkee
Software Developer
Microsoft

-Original Message-
From: Samuli Seppänen <sam...@openvpn.net>
Sent: Tuesday, July 3, 2018 10:30 AM
To: 
openvpn-devel@lists.sourceforge.net
Subject: [Openvpn-devel] Topics for the community meeting (Wed, 13th June 2018)

Hi,

We're going to have an IRC meeting starting at 11:30 CET
(9:30 UTC) on #openvpn-meeting  irc.freenode.net.
You do not have to be logged in to Freenode to join the channel.

Current topic list along with basic information is here:

>

If you have any other things you'd like to bring up, respond to this mail, send 
me mail privately or add them to the list yourself.

In case you can't attend the meeting, please feel free to make comments on the 
topics by responding to this email or to the summary email sent after the 
meeting. Whenever possible, we'll also respond to existing, related email 
threads.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock





Re: [Openvpn-devel] Topics for the community meeting (Wed, 13th June 2018)

2018-07-03 Thread Илья Шипицин
Hello, Jon.

do you know this activity https://github.com/Microsoft/openvpn/ ?
there are interesting things

Tue, 3 Jul 2018 at 22:43, Jon Kunkee via Openvpn-devel
<openvpn-devel@lists.sourceforge.net>:

> Hi,
>
> 2. Tap-windows6 patches, building and testing
>
> In order to get the tap-windows6 driver signed properly for Windows Server
> 2016, it needs to pass the Windows Hardware Certification Program subset of
> the Windows Hardware Logo Kit (HLK) tests. Samuli has the tests running in
> EC2, but there are some failures.
>
> Some of the failures are basically paperwork, like the Static Verification
> logs test. Some reflect needed tweaks in the environment, like the Running
> on Server Core test. Others reflect possible code bugs, and since I have
> significant experience doing Windows kernel debugging I'm investigating
> those.
>
> I spent yesterday setting up a local HLK-based test environment with
> kernel debugging. Today I'm trying to get two OpenVPN clients to be able to
> talk to each other over a VPN so I can start reproducing and investigating
> the failures. (I will be sending a mail to openvpn-users asking for help
> since it would be quite noisy to explain  on IRC.)
>
> Cheers,
> Jon Kunkee
> Software Developer
> Microsoft
>
> -Original Message-
> From: Samuli Seppänen 
> Sent: Tuesday, July 3, 2018 10:30 AM
> To: openvpn-devel@lists.sourceforge.net
> Subject: [Openvpn-devel] Topics for the community meeting (Wed, 13th June
> 2018)
>
> Hi,
>
> We're going to have an IRC meeting starting at 11:30 CET
> (9:30 UTC) on #openvpn-meeting  irc.freenode.net. You do not have to
> be logged in to Freenode to join the channel.
>
> Current topic list along with basic information is here:
>
> <https://community.openvpn.net/openvpn/wiki/Topics-2018-06-13>
>
> If you have any other things you'd like to bring up, respond to this mail,
> send me mail privately or add them to the list yourself.
>
> In case you can't attend the meeting, please feel free to make comments on
> the topics by responding to this email or to the summary email sent after
> the meeting. Whenever possible, we'll also respond to existing, related
> email threads.
>
> --
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
>
> irc freenode net: mattock
>
>
>
>
>


Re: [Openvpn-devel] Topics for the community meeting (Wed, 13th June 2018)

2018-07-03 Thread Jon Kunkee via Openvpn-devel
Hi,

2. Tap-windows6 patches, building and testing

In order to get the tap-windows6 driver signed properly for Windows Server 
2016, it needs to pass the Windows Hardware Certification Program subset of the 
Windows Hardware Logo Kit (HLK) tests. Samuli has the tests running in EC2, but 
there are some failures.

Some of the failures are basically paperwork, like the Static Verification logs 
test. Some reflect needed tweaks in the environment, like the Running on Server 
Core test. Others reflect possible code bugs, and since I have significant 
experience doing Windows kernel debugging I'm investigating those.

I spent yesterday setting up a local HLK-based test environment with kernel 
debugging. Today I'm trying to get two OpenVPN clients to be able to talk to 
each other over a VPN so I can start reproducing and investigating the 
failures. (I will be sending a mail to openvpn-users asking for help since it 
would be quite noisy to explain  on IRC.)

Cheers,
Jon Kunkee
Software Developer
Microsoft

-Original Message-
From: Samuli Seppänen  
Sent: Tuesday, July 3, 2018 10:30 AM
To: openvpn-devel@lists.sourceforge.net
Subject: [Openvpn-devel] Topics for the community meeting (Wed, 13th June 2018)

Hi,

We're going to have an IRC meeting starting at 11:30 CET
(9:30 UTC) on #openvpn-meeting  irc.freenode.net. You do not have to be 
logged in to Freenode to join the channel.

Current topic list along with basic information is here:



If you have any other things you'd like to bring up, respond to this mail, send 
me mail privately or add them to the list yourself.

In case you can't attend the meeting, please feel free to make comments on the 
topics by responding to this email or to the summary email sent after the 
meeting. Whenever possible, we'll also respond to existing, related email 
threads.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock






[Openvpn-devel] Topics for the community meeting (Wed, 13th June 2018)

2018-07-03 Thread Samuli Seppänen
Hi,

We're going to have an IRC meeting starting at 11:30 CET
(9:30 UTC) on #openvpn-meeting  irc.freenode.net. You do not have
to be logged in to Freenode to join the channel.

Current topic list along with basic information is here:



If you have any other things you'd like to bring up, respond to this
mail, send me mail privately or add them to the list yourself.

In case you can't attend the meeting, please feel free to make comments
on the topics by responding to this email or to the summary email sent
after the meeting. Whenever possible, we'll also respond to existing,
related email threads.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock







Re: [Openvpn-devel] tap-windows6 and AppVeyor

2018-07-03 Thread Jon Kunkee via Openvpn-devel
I chose the EWDK thinking it would actually be easier for CI because it was so 
similar to the Win7 DDK, but from what you are saying I was wrong (at least for 
AppVeyor). Are you interested in converting buildtap.py to use VS2017+WDK instead 
of the EWDK? I'm happy to do it, but I won't get to it until next week at the 
earliest...

-Original Message-
From: Simon Rozman  
Sent: Tuesday, July 3, 2018 6:45 AM
To: Jon Kunkee ; Илья Шипицин ; 
Samuli Seppänen 
Cc: openvpn-devel 
Subject: RE: tap-windows6 and AppVeyor

Hi,

AppVeyor dismissed my request for an image with the EWDK preinstalled. 
They explained that I can use their build cache to maintain a local EWDK copy.
Unfortunately, the build cache is account-specific, meaning every user trying 
to run their own fork (including OpenVPN upstream) would need an AppVeyor 
Premium plan; the EWDK won't fit into the 1GB build cache limit of the Free/Basic plan.

So, we still have Jon's alternative proposal to support EWDK *and* VS2015+WDK 
building in buildtap.py.
The downside of this approach is that we would be using a slightly different 
build environment for CI.
 
Best regards,
Simon

> -Original Message-
> From: Jon Kunkee 
> Sent: Friday, June 15, 2018 7:58 PM
> To: Илья Шипицин ; Samuli Seppänen
> 
> Cc: Simon Rozman ; openvpn-devel  de...@lists.sourceforge.net>
> Subject: RE: tap-windows6 and AppVeyor
> 
> Hi,
> 
> I like the idea of asking AppVeyor if they could include the EWDK in one of
> their images. It is a standalone tool, so Visual Studio is not needed.
> 
> Sadly I don't see a Chocolatey package for the EWDK. That would have been
> convenient.
> 
> The AppVeyor docs[1] say that the Visual Studio 2017 image in AppVeyor
> already has the Windows Driver Kit (WDK) installed. Buildtap.py would need
> a couple of changes to consume the WDK instead of the EWDK, but it is an
> option.
> 
> Thanks,
> Jon
> 
> [1] https://www.appveyor.com/docs/build-environment/


[Openvpn-devel] [PATCH] Add MTU to Android IFCONFIG6 control command

2018-07-03 Thread Arne Schwabe
Since OpenVPN now supports IPv6-only connections, OpenVPN for Android
can no longer rely on IFCONFIG to send the MTU. Add sending the MTU to
IFCONFIG6 too.
---
 src/openvpn/tun.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index f9b9c716..26baa206 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -910,8 +910,8 @@ do_ifconfig_ipv6(struct tuntap *tt, const char *ifname, int 
tun_mtu,
 #elif defined(TARGET_ANDROID)
 char out6[64];
 
-openvpn_snprintf(out6, sizeof(out6), "%s/%d",
- ifconfig_ipv6_local,tt->netbits_ipv6);
+openvpn_snprintf(out6, sizeof(out6), "%s/%d %d",
+ ifconfig_ipv6_local,tt->netbits_ipv6, tun_mtu);
 management_android_control(management, "IFCONFIG6", out6);
 #elif defined(TARGET_SOLARIS)
 argv_printf(, "%s %s inet6 unplumb", IFCONFIG_PATH, ifname);
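Review bot: the IFCONFIG6 argument changes from "addr/netbits" to "addr/netbits mtu" with no version signal, so an OpenVPN for Android build that parses the old two-token form will now see an unexpected third token; the commit message should state that the client must accept both forms (or which client version first requires the new one). The buffer is fine as is: a 45-character IPv6 literal plus "/128", a space and a five-digit MTU is 55 bytes, under the 64 of out6, and openvpn_snprintf truncates rather than overflows in any case. What is not visible is any guarantee on tun_mtu, so either check tun_mtu > 0 before the format call or say in a comment that the caller ensures it, because a zero or negative value would be forwarded to the UI verbatim.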
-- 
2.17.1


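The argument string built in the patch above is a small protocol between openvpn and the Android app, and the patch extends it from two tokens to three without any version marker. The parser below is an added example written for this page, not OpenVPN's or OpenVPN for Android's own code: it accepts both the old "addr/netbits" form and the new "addr/netbits mtu" form, rejects anything else (bad prefix length, non-literal address, trailing garbage), and reports which form it saw. The function and struct names, and the MTU range 1..65535, are this example's own assumptions.

```c
/*
 * Added example, not OpenVPN or OpenVPN-for-Android code: a parser for the
 * string that the patched do_ifconfig_ipv6() hands to
 * management_android_control() as the IFCONFIG6 argument.  The patch changes
 * it from "addr/netbits" to "addr/netbits mtu", so a receiver must accept both
 * forms and reject anything else.  All names are this example's own; the MTU
 * range 1..65535 is an assumption of the example, not an OpenVPN limit.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>           /* inet_pton(): validates the address literal */

#define IFCONFIG6_NO_MTU (-1)    /* old two-token form, MTU not supplied */
#define IFCONFIG6_BAD    (-2)    /* returned by the wrapper on parse failure */

struct ifconfig6_args {
    char addr[INET6_ADDRSTRLEN]; /* textual IPv6 address, NUL terminated */
    int  netbits;                /* prefix length, 0..128 */
    int  mtu;                    /* tun MTU, or IFCONFIG6_NO_MTU */
};

/* Decimal integer: the whole token must be consumed and the value lie in [lo, hi]. */
static int parse_bounded_int(const char *tok, int lo, int hi, int *out)
{
    char *end;
    long v;

    if (*tok == '\0')
        return 0;
    errno = 0;
    v = strtol(tok, &end, 10);
    if (errno != 0 || *end != '\0' || v < lo || v > hi)
        return 0;
    *out = (int)v;
    return 1;
}

/* Returns 1 and fills *out on success; returns 0 and leaves *out untouched otherwise. */
int parse_ifconfig6(const char *arg, struct ifconfig6_args *out)
{
    char buf[128];
    char *slash, *space;
    struct ifconfig6_args tmp = { "", 0, IFCONFIG6_NO_MTU }; /* default: old form */
    struct in6_addr a6;

    if (arg == NULL || strlen(arg) >= sizeof(buf))
        return 0;
    strcpy(buf, arg);

    /* Optional MTU: everything after the first space must be exactly one integer. */
    space = strchr(buf, ' ');
    if (space != NULL) {
        *space = '\0';
        if (!parse_bounded_int(space + 1, 1, 65535, &tmp.mtu))
            return 0;
    }

    /* "addr/netbits" is mandatory in both forms; the address must be a real literal. */
    slash = strchr(buf, '/');
    if (slash == NULL)
        return 0;
    *slash = '\0';
    if (!parse_bounded_int(slash + 1, 0, 128, &tmp.netbits))
        return 0;
    if (strlen(buf) >= sizeof(tmp.addr) || inet_pton(AF_INET6, buf, &a6) != 1)
        return 0;
    strcpy(tmp.addr, buf);

    *out = tmp;
    return 1;
}

/* Single-field wrapper for callers that only need the MTU (IFCONFIG6_BAD on failure). */
int ifconfig6_mtu(const char *arg)
{
    struct ifconfig6_args a;
    return parse_ifconfig6(arg, &a) ? a.mtu : IFCONFIG6_BAD;
}

int main(void)
{
    /* Constructed inputs: new form, old form, bad prefix length, trailing garbage. */
    const char *samples[] = { "fd00:abcd::2/64 1500", "fd00:abcd::2/64",
                              "fd00:abcd::2/129 1500", "fd00:abcd::2/64 1500 x" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct ifconfig6_args a;
        if (parse_ifconfig6(samples[i], &a))
            printf("ok   %-24s addr=%s netbits=%d mtu=%d\n", samples[i], a.addr, a.netbits, a.mtu);
        else
            printf("bad  %-24s rejected\n", samples[i]);
    }
    return 0;
}
```

Build it with the system C compiler on Linux (it relies on inet_pton from <arpa/inet.h> to validate the address literal); main() runs the four constructed inputs and prints which were accepted. The point of parsing into a temporary and copying only on success is that a caller never ends up with a half-filled struct when the sender's format is not what it expected.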


[Openvpn-devel] [PATCH v2] Make up/down script errors not FATAL

2018-07-03 Thread selva . nair
From: Selva Nair 

Treat the error as not FATAL only if it is triggered due
to script_security < SSEC_SCRIPTS.

This helps user interfaces enforce a safer script-security setting
without causing a FATAL error.

Signed-off-by: Selva Nair 
---
v2 changes:
- Have script errors continue to trigger a FATAL error.
- Update the commit message to match this change.

 src/openvpn/init.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index b748357..074a2d3 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -168,13 +168,14 @@ run_up_down(const char *command,
 if (command)
 {
 struct argv argv = argv_new();
+int flags = (script_security >= SSEC_SCRIPTS)? S_FATAL : 0;
 ASSERT(arg);
 setenv_str(es, "script_type", script_type);
 argv_parse_cmd(, command);
 argv_printf_cat(, "%s %d %d %s %s %s", arg, tun_mtu, link_mtu,
 ifconfig_local, ifconfig_remote, context);
 argv_msg(M_INFO, );
-openvpn_run_script(, es, S_FATAL, "--up/--down");
+openvpn_run_script(, es, flags, "--up/--down");
 argv_reset();
 }
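Review bot: the call to openvpn_run_script() is still made when script_security < SSEC_SCRIPTS, so, as the earlier discussion in this thread describes, the new `flags` value only downgrades the refusal inside openvpn_execve_allowed() from fatal to a warning with the same misleading message. Skipping the call in that case instead, along the lines of `if (script_security >= SSEC_SCRIPTS) { openvpn_run_script(&argv, es, S_FATAL, "--up/--down"); } else { msg(M_WARN, "--up/--down script ignored: --script-security is below 2"); }`, keeps real script failures fatal and tells the user why nothing ran. Style nit: the tree's uncrustify configuration wants a space before `?`, i.e. `(script_security >= SSEC_SCRIPTS) ? S_FATAL : 0`.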
 
-- 
2.1.4




Re: [Openvpn-devel] [PATCH] Implement parsing and sending INFO and INFO_PRE control messages

2018-07-03 Thread Gert Doering
Hi,

On Tue, Jul 03, 2018 at 04:47:55PM +0200, Arne Schwabe wrote:
> OpenVPN 3 implements these messages to send information during the
> authentication to the UI, implement these message also in OpenVPN 2.x

Feature-Questionmark :-)

Is there any documentation about this?  What sort of messages are sent,
by which product?  What do you do with it?

Can we maybe have some documentation in management-notes.txt?

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




[Openvpn-devel] [PATCH v4] Implement block-ipv6

2018-07-03 Thread Arne Schwabe
This can be used to redirect all IPv6 traffic to the tun interface,
effectively black-holing the IPv6 traffic. Without ICMPv6 error
messages this will result in timeouts when the server does not send
error codes.  block-ipv6 allows client-side-only blocking on all
platforms on which OpenVPN supports IPv6. On Android it is the only way
to do sensible IPv6 blocking on Android < 5.0 and broken devices (Samsung).

PATCH V4:
- Fix more style issues reported by Antonio
- Clarify parts of the patch in comments and manpage

PATCH V3:
- Fix style issues reported by Antonio and accidentally committed parts
- merge udp_checksum and ipv6_checksum into common ip_checksum method
- Use fake ff80::7 address when no other address is configured.
- Make block-ipv6 also work for the server by replying block-ipv6 to all
  ipv6 traffic sent to the server

Note for the server: the process_ip happens before the ipv6 route
lookup, so every ipv6 packet, regardless of its source address, is
replied to with a no route to host packet.
---
 doc/openvpn.8 |  36 +++
 src/openvpn/dhcp.c|  51 ++--
 src/openvpn/forward.c | 138 +-
 src/openvpn/forward.h |   4 +-
 src/openvpn/multi.c   |   2 +-
 src/openvpn/options.c |  11 
 src/openvpn/options.h |   1 +
 src/openvpn/proto.c   |  45 ++
 src/openvpn/proto.h   |  52 
 src/openvpn/socket.h  |  19 --
 10 files changed, 288 insertions(+), 71 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 8a987b37..bad66754 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -1240,6 +1240,42 @@ Like \-\-redirect\-gateway, but omit actually changing 
the default
 gateway.  Useful when pushing private subnets.
 .\"*
 .TP
+.B \-\-block\-ipv6
+On the client, instead of sending IPv6 packets over the VPN tunnel, all
+IPv6 packets are answered with an ICMPv6 no route host message. On the
+server, all IPv6 packets from clients are answered with an ICMPv6
+no route to host message. This options is intended for cases when IPv6
+should be blocked and other options are not available.
+\.B \-\-block\-ipv6
+will use the remote IPv6 as source address of the ICMPv6 packets if set,
+otherwise will use fe80::7 as source address.
+
+For this option to make sense you actually have to route traffic to the tun
+interface. The following example config block would send all IPv6 traffic to
+OpenVPN and answer all requests with no route to host, effectively blocking
+IPv6.
+
+# client config
+.br
+.B \-\-ifconfig-ipv6
+fd15:53b6:dead::2/64  fd15:53b6:dead::1
+.br
+.B \-\-redirect\-gateway
+ipv6
+.br
+.B \-\-block\-ipv6
+
+# Server config, push a "valid" ipv6 config to the client and block on the 
server
+.br
+.B \-\-push
+"ifconfig-ipv6 fd15:53b6:dead::2/64  fd15:53b6:dead::1"
+.br
+.B \-\-push
+"redirect\-gateway ipv6"
+.br
+.B \-\-block\-ipv6
+.\"*
+.TP
 .B \-\-tun\-mtu n
 Take the TUN device MTU to be
 .B n
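Review bot: the fallback source address is given as fe80::7 here but as ff80::7 in the PATCH V3 notes above; fe80::/10 is link-local and ff00::/8 is multicast, so the manpage value is the usable one and the commit message should be corrected to match. Text nits in the added lines: "ICMPv6 no route host message" is missing "to", "This options is intended" should read "This option is intended", and the `\.B \-\-block\-ipv6` line has a stray backslash before `.B` that will make troff print it literally instead of rendering the option in bold. It is also worth stating explicitly that the server-side form answers every IPv6 packet before the route lookup (as the commit message says), since an administrator might otherwise expect only unroutable destinations to be blocked.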
diff --git a/src/openvpn/dhcp.c b/src/openvpn/dhcp.c
index fb28b27d..24c45c76 100644
--- a/src/openvpn/dhcp.c
+++ b/src/openvpn/dhcp.c
@@ -147,49 +147,6 @@ do_extract(struct dhcp *dhcp, int optlen)
 return ret;
 }
 
-static uint16_t
-udp_checksum(const uint8_t *buf,
- const int len_udp,
- const uint8_t *src_addr,
- const uint8_t *dest_addr)
-{
-uint16_t word16;
-uint32_t sum = 0;
-int i;
-
-/* make 16 bit words out of every two adjacent 8 bit words and  */
-/* calculate the sum of all 16 bit words */
-for (i = 0; i < len_udp; i += 2)
-{
-word16 = ((buf[i] << 8) & 0xFF00) + ((i + 1 < len_udp) ? (buf[i+1] & 
0xFF) : 0);
-sum += word16;
-}
-
-/* add the UDP pseudo header which contains the IP source and destination 
addresses */
-for (i = 0; i < 4; i += 2)
-{
-word16 = ((src_addr[i] << 8) & 0xFF00) + (src_addr[i+1] & 0xFF);
-sum += word16;
-}
-for (i = 0; i < 4; i += 2)
-{
-word16 = ((dest_addr[i] << 8) & 0xFF00) + (dest_addr[i+1] & 0xFF);
-sum += word16;
-}
-
-/* the protocol number and the length of the UDP packet */
-sum += (uint16_t) OPENVPN_IPPROTO_UDP + (uint16_t) len_udp;
-
-/* keep only the last 16 bits of the 32 bit calculated sum and add the 
carries */
-while (sum >> 16)
-{
-sum = (sum & 0x) + (sum >> 16);
-}
-
-/* Take the one's complement of sum */
-return ((uint16_t) ~sum);
-}
-
 in_addr_t
 dhcp_extract_router_msg(struct buffer *ipbuf)
 {
@@ -210,10 +167,10 @@ dhcp_extract_router_msg(struct buffer *ipbuf)
 
 /* recompute the UDP checksum */
 df->udp.check = 0;
-df->udp.check = htons(udp_checksum((uint8_t *) >udp,
-   sizeof(struct openvpn_udphdr) + 
sizeof(struct dhcp) + optlen,
-   (uint8_t 
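Review bot: the dhcp.c hunk is cut off here, so the replacement call cannot be checked, but whatever ip_checksum() does it has to keep two properties of the udp_checksum() being removed: the odd-length handling (`(i + 1 < len_udp) ? (buf[i+1] & 0xFF) : 0` pads the last byte with zero instead of reading past the buffer) and the IPv4 pseudo-header layout (4-byte addresses, protocol 17, 16-bit UDP length), which differs from the IPv6 one (16-byte addresses, 32-bit upper-layer length, next header). A unit test that runs the new function over a captured DHCP reply and compares the result with what the old code produced would make the merge safe to take.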

[Openvpn-devel] [PATCH] Implement parsing and sending INFO and INFO_PRE control messages

2018-07-03 Thread Arne Schwabe
OpenVPN 3 implements these messages to send information during the
authentication to the UI; implement these messages also in OpenVPN 2.x
---
 src/openvpn/forward.c |  8 
 src/openvpn/push.c| 29 +
 src/openvpn/push.h|  2 ++
 3 files changed, 39 insertions(+)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 9905b5a0..d3e6eede 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -169,6 +169,14 @@ check_incoming_control_channel_dowork(struct context *c)
 {
 server_pushed_signal(c, , false, 4);
 }
+else if (buf_string_match_head_str(, "INFO_PRE"))
+{
+server_pushed_info(c, , 8);
+}
+else if (buf_string_match_head_str(, "INFO"))
+{
+server_pushed_info(c, , 4);
+}
 else
 {
 msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: 
%s", BSTR());
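Review bot: the ordering here is correct only because INFO_PRE is tested before INFO (buf_string_match_head_str() is a prefix match, so INFO would otherwise swallow INFO_PRE); a one-line comment saying so would stop a later reordering from silently breaking it. The prefix match also accepts INFOxyz, and the only thing rejecting that is the `== ','` check inside server_pushed_info(), which is not visible from this dispatch. Gert's request still stands: nothing in the patch documents the message format (INFO,<text> / INFO_PRE,<text>) or who sends it; management-notes.txt should describe both the control-channel form and the >INFOMSG notification the client emits.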
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index d1ca84d1..069a32c4 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -175,6 +175,34 @@ server_pushed_signal(struct context *c, const struct 
buffer *buffer, const bool
 }
 }
 
+void server_pushed_info(struct context *c, const struct buffer *buffer, const 
int adv)
+{
+  struct gc_arena gc;
+  const char *m = "";
+  struct buffer buf = *buffer;
+
+  if (buf_advance(, adv) && buf_read_u8() == ',' && BLEN())
+{
+  m = BSTR();
+}
+
+#ifdef ENABLE_MANAGEMENT
+if (management)
+{
+gc = gc_new();
+
+/* We use >INFOMSG here instead of plain >INFO since INFO is used to */
+/* for management greeting and we don't want to confuse the client */
+struct buffer out = alloc_buf_gc(256, );
+buf_printf(, ">%s:%s", "INFOMSG", m);
+management_notify_generic(management, BSTR());
+
+gc_free();
+}
+#endif
+msg(D_PUSH, "Info command was pushed by server ('%s')", m);
+}
+
 #if P2MP_SERVER
 /**
  * Add an option to the given push list by providing a format string.
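Review bot: `m` is a server-supplied string that is written verbatim into a management line (`>INFOMSG:%s`) and into the log. A server can embed CR/LF in it, and management_notify_generic() will then emit what looks like a second, unrelated notification to whatever GUI is attached; the text should be filtered to printable characters first (the tree has string_mod() with CC_PRINT/CC_CRLF for exactly this). Smaller points: the 256-byte buffer silently truncates longer messages, which is acceptable but worth a comment; `gc` is declared at function scope but only initialised inside the management branch; and the new function uses two-space indentation and a single-line signature, while the surrounding file uses four spaces with the return type on its own line.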
diff --git a/src/openvpn/push.h b/src/openvpn/push.h
index 5f6181e7..acc94003 100644
--- a/src/openvpn/push.h
+++ b/src/openvpn/push.h
@@ -50,6 +50,8 @@ void receive_auth_failed(struct context *c, const struct 
buffer *buffer);
 
 void server_pushed_signal(struct context *c, const struct buffer *buffer, 
const bool restart, const int adv);
 
+void server_pushed_info(struct context *c, const struct buffer *buffer, const 
int adv);
+
 void incoming_push_message(struct context *c, const struct buffer *buffer);
 
 #if P2MP_SERVER
-- 
2.17.1




Re: [Openvpn-devel] [PATCH v3] Implement block-ipv6

2018-07-03 Thread Arne Schwabe


>> +}
>> +if (c->c2.buf.len > 0)
>> +{
> 
> is this related to the ipv6 change? If so, how?


To drop a packet OpenVPN generally sets the buf len to zero. Since we now
also drop packets that would normally go from client to server, I added
the check here so these packets can be dropped.



>> +{
>> +#define ICMPV6LEN  1280
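Review bot: 1280 here is the IPv6 minimum link MTU (RFC 8200 section 5), and RFC 4443 section 2.4 requires an ICMPv6 error message to quote as much of the offending packet as fits without exceeding it; naming the constant for that (ICMPV6_MAX_LEN or similar) and citing the RFC in a one-line comment answers the question above without moving it out of the function.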
> 
> isn't this available in any header? If not, I'd put MAX somewhere, to
> let people immediately understand what it is used for.

No, and that constant is specific to the icmpv6 code, so I kept it in this
function.



> 
>> +
>> +struct openvpn_ipv6hdr pip6out;
> 
> I know that we can declare variables basically everywhere, but don't you
> think this can quickly get out of control? Personally I'd just declare
> all of them at the top.
> 
> But I am not sure what the others think about it.

I inlined that declaration to make it more C99 style and look a bit better.


> 
>> +
>> +/* IPv6 Header */
>> +ASSERT(buf_write_prepend(outbuf, , sizeof(struct 
>> openvpn_ipv6hdr)));
>> +
>> +/*
>> + * Working IPv6 block for TAP will also need the client to respond to 
>> IPv6 nd with
>> + * its own (fake) adress
>> + */
> 
> maybe I am missing something, but in the comment above you talk about
> answering to ND, but below you are just filling the Ethernet header. How
> are the two related?
> 
>> +if (TUNNEL_TYPE(c->c1.tuntap) == DEV_TYPE_TAP)
>> +{
>> +if (BLEN(buf) < (int) sizeof (struct openvpn_ethhdr))
> 
> spaces..
> 
>> +return;
>> +
>> +const struct openvpn_ethhdr* orig_ethhdr = (struct openvpn_ethhdr 
>> *) BPTR(buf);
>> +
>> +/* Copy frametype and reverse source/destination for the response */
>> +struct openvpn_ethhdr ethhdr;
>> +memcpy(ethhdr.source, orig_ethhdr->dest, OPENVPN_ETH_ALEN);
>> +memcpy(ethhdr.dest, orig_ethhdr->source, OPENVPN_ETH_ALEN);
>> +ethhdr.proto = htons(OPENVPN_ETH_P_IPV6);
>> +ASSERT(buf_write_prepend(outbuf, , sizeof(struct 
>> openvpn_ethhdr)));
>> +}
>> +}
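Review bot: the `return;` at the length check happens after the IPv6 header and ICMPv6 payload have already been prepended to outbuf, so on a too-short TAP frame the function leaves a half-built reply behind and relies on the caller to notice; checking BLEN(buf) against sizeof(struct openvpn_ethhdr) before anything is written (ideally before the inbound frame's IPv6 header was even read) avoids that. The comment about answering Neighbour Discovery describes work the hunk does not do, which is what prompted the question above; phrasing it as a TODO would make that clear.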
> 
> Overall I was thinking: instead of creating many little objects (one per
> header) here and there and then copying them one by one in the allocated
> buffer, why not allocating the buffer first and writing directly into
> it? I believe that this is normal practice and might make the code a bit
> slimmer too. What do you think?
> 
> This is just a suggestion - I haven't tried to change the code myself.

I don't think that it would make the code much easier to read.
Allocating the whole len in the buffer at the start and then defining
the structs as pointers at certain offsets in the buffer is probably
not easier to understand. And since this is not a critical code path I
think the speed argument also does not count here. I would prefer to
keep it like it currently is.


>>  {
>>  /*
>> @@ -1275,7 +1392,7 @@ process_ip_header(struct contexICMPV6LENt *c, unsigned 
>> int flags, struct buffer *buf)
>>  /* possibly do NAT on packet */
>>  if ((flags & PIPV4_CLIENT_NAT) && c->options.client_nat)
>>  {
>> -const int direction = (flags & PIPV4_OUTGOING) ? 
>> CN_INCOMING : CN_OUTGOING;
>> +const int direction = (flags & PIP_OUTGOING) ? 
>> CN_INCOMING : CN_OUTGOING;
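Review bot: the PIPV4_OUTGOING to PIP_OUTGOING rename is a mechanical change that touches call sites unrelated to IPv6 blocking; splitting it into a preparatory commit would keep this patch reviewable and make the rename's own diff trivially verifiable.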
> 
> how is this change related to this patch?

Since PIPV4_OUTGOING is not ipv4 specific anymore thanks to this patch, I
renamed the constant to PIP_OUTGOING.


For all the other comments that I did not answer, I integrated them in
the V4 patch.

Arne
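The reply path the exchange above argues over, as an added stand-alone example rather than code from the patch: it builds the ICMPv6 "destination unreachable, no route" answer for an inbound IPv6 packet, caps it at the 1280-byte minimum MTU that the ICMPV6LEN constant encodes, frames it for TAP by swapping the Ethernet addresses, and computes the checksum with one routine that covers both the IPv4 pseudo-header (the DHCP/UDP case) and the IPv6 one, which is what the commit message's merged ip_checksum() is for. Function and constant names are this example's own, the input packet is constructed, and fe80::7 stands in for the fallback source address the manpage text describes; unlike the quoted TAP branch, every length check runs before a byte of the reply is written.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ETH_HDR_LEN 14
#define ETH_P_IPV6 0x86DD
#define IPV6_HDR_LEN 40
#define ICMPV6_HDR_LEN 8
#define ICMPV6_MAX_REPLY 1280      /* IPv6 minimum link MTU, RFC 8200 sec. 5 */
#define NEXT_HDR_ICMPV6 58
#define ICMPV6_DEST_UNREACH 1      /* type 1; code 0 = no route to destination */

static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)p[i] << 8) | p[i + 1];
    if (len & 1) sum += (uint32_t)p[len - 1] << 8;   /* odd byte, zero-padded */
    return sum;
}

/* One routine for both families, as the patch merges them: ipv6=0 uses the
 * RFC 768 pseudo-header (4-byte addresses, zero, proto, 16-bit length), ipv6=1
 * the RFC 8200 sec. 8.1 one (16-byte addresses, 32-bit length, zeros, next
 * header). Run over a payload whose checksum field is already correct, it returns 0. */
uint16_t ip_checksum(int ipv6, const uint8_t *src, const uint8_t *dst,
                     uint8_t proto, const uint8_t *payload, uint16_t len)
{
    uint8_t t6[8] = {0, 0, (uint8_t)(len >> 8), (uint8_t)len, 0, 0, 0, proto};
    uint8_t t4[4] = {0, proto, (uint8_t)(len >> 8), (uint8_t)len};
    uint32_t sum = csum_add(0, src, ipv6 ? 16 : 4);
    sum = csum_add(sum, dst, ipv6 ? 16 : 4);
    sum = ipv6 ? csum_add(sum, t6, 8) : csum_add(sum, t4, 4);
    sum = csum_add(sum, payload, len);
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build the reply to one inbound packet: a raw IPv6 packet, or an Ethernet
 * frame carrying one when tap != 0. Every check runs before anything is
 * written to out, so a bad frame returns 0 and the caller simply drops it. */
size_t build_icmpv6_no_route(const uint8_t *in, size_t in_len, int tap,
                             const uint8_t src[16], uint8_t *out, size_t cap)
{
    const uint8_t *ip = in;
    size_t ip_len = in_len, off = 0, quoted, total;
    uint8_t *ip6, *icmp;
    if (tap) {
        if (in_len < ETH_HDR_LEN || ((in[12] << 8) | in[13]) != ETH_P_IPV6)
            return 0;
        ip = in + ETH_HDR_LEN; ip_len = in_len - ETH_HDR_LEN; off = ETH_HDR_LEN;
    }
    if (ip_len < IPV6_HDR_LEN || (ip[0] >> 4) != 6)
        return 0;
    quoted = ip_len;                     /* quote as much as fits in 1280 bytes */
    if (IPV6_HDR_LEN + ICMPV6_HDR_LEN + quoted > ICMPV6_MAX_REPLY)
        quoted = ICMPV6_MAX_REPLY - IPV6_HDR_LEN - ICMPV6_HDR_LEN;
    total = off + IPV6_HDR_LEN + ICMPV6_HDR_LEN + quoted;
    if (total > cap)
        return 0;
    if (tap) {                           /* swap MACs, keep the IPv6 ethertype */
        memcpy(out, in + 6, 6); memcpy(out + 6, in, 6);
        out[12] = ETH_P_IPV6 >> 8; out[13] = ETH_P_IPV6 & 0xFF;
    }
    ip6 = out + off; icmp = ip6 + IPV6_HDR_LEN;
    memset(ip6, 0, IPV6_HDR_LEN + ICMPV6_HDR_LEN);
    ip6[0] = 0x60; ip6[6] = NEXT_HDR_ICMPV6; ip6[7] = 255;  /* v6, ICMPv6, hop limit */
    ip6[4] = (uint8_t)((ICMPV6_HDR_LEN + quoted) >> 8); ip6[5] = (uint8_t)(ICMPV6_HDR_LEN + quoted);
    memcpy(ip6 + 8, src, 16); memcpy(ip6 + 24, ip + 8, 16);  /* from our (fake) address back to the sender */
    icmp[0] = ICMPV6_DEST_UNREACH;       /* icmp[1], the code, stays 0 */
    memcpy(icmp + ICMPV6_HDR_LEN, ip, quoted);
    uint16_t c = ip_checksum(1, ip6 + 8, ip6 + 24, NEXT_HDR_ICMPV6, icmp,
                             (uint16_t)(ICMPV6_HDR_LEN + quoted));
    icmp[2] = (uint8_t)(c >> 8); icmp[3] = (uint8_t)c;
    return total;
}

/* Constructed check: a 1500-byte IPv6/UDP packet from fd15:53b6:dead::2 (the
 * manpage's client address), TUN and TAP framed, answered from fe80::7. Returns 1
 * if each reply is 1280 bytes, addressed to the sender and checksums to 0, and
 * if a truncated frame is rejected. */
int selftest(void)
{
    static const uint8_t fe80_7[16] = {0xfe, 0x80, 0,0,0,0,0,0, 0,0,0,0,0,0,0, 7};
    static const uint8_t client[16] = {0xfd,0x15,0x53,0xb6,0xde,0xad, 0,0,0,0,0,0,0,0,0, 2};
    uint8_t in[ETH_HDR_LEN + 1500], out[ETH_HDR_LEN + ICMPV6_MAX_REPLY], *ip = in + ETH_HDR_LEN;
    memset(in, 0xAB, sizeof in);         /* arbitrary payload and destination bytes */
    in[12] = ETH_P_IPV6 >> 8; in[13] = ETH_P_IPV6 & 0xFF;
    ip[0] = 0x60; ip[4] = (1500 - 40) >> 8; ip[5] = (1500 - 40) & 0xFF; ip[6] = 17;
    memcpy(ip + 8, client,  16);
    for (int tap = 0; tap < 2; tap++) {
        size_t off = tap ? ETH_HDR_LEN : 0;
        size_t n = build_icmpv6_no_route(tap ? in : ip, off + 1500, tap, fe80_7, out, sizeof out);
        const uint8_t *ip6 = out + off;
        if (n != off + ICMPV6_MAX_REPLY || memcmp(ip6 + 24, client, 16) != 0
            || ip_checksum(1, ip6 + 8, ip6 + 24, NEXT_HDR_ICMPV6, ip6 + IPV6_HDR_LEN,
                           ICMPV6_MAX_REPLY - IPV6_HDR_LEN) != 0)
            return 0;
    }
    return build_icmpv6_no_route(in, 10, 1, fe80_7, out, sizeof out) == 0;
}
```

selftest() exercises both framings; in a real client the src argument would be the configured remote IPv6 address when there is one. Because ip_checksum() returns 0 over a correctly checksummed message, the same call verifies a received packet, and with ipv6=0 it is the routine the DHCP code needs.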



Re: [Openvpn-devel] [PATCH] Make up/down script errors not FATAL

2018-07-03 Thread Selva Nair
Hi,

On Tue, Jul 3, 2018 at 3:09 AM, Gert Doering  wrote:

> Hi,
>
> On Mon, Jul 02, 2018 at 11:13:01PM -0400, Jonathan K. Bullard wrote:
> > My initial reaction is that I'd rather a problem in the up/down
> > scripts generates a fatal error, so if there's a problem in the
> > Tunnelblick scripts somebody will report it. In my experience, almost
> > nobody pays attention to warnings, and mostly, those who do are
> > worried about warning that don't matter.
>
> From how I read Selva's mail, an error in the script will still create
> a fatal error.
>
> The difference is that today, if you have --script-security 1 and a --up
> config, that combination will cause an error, while after the change, this
> will only cause a warning.
>
> Selva, did I read that correctly?
>

Unfortunately no. This patch will trigger only a warning for both a script
error and an inability to execute the script due to the script-security setting.

If actual errors in up/down scripts should trigger M_FATAL, we can change
the patch to just bypass the script execution if script security is < 2. It
would be a bit ugly like this:

-openvpn_run_script(, es, 0, "--up/--down");
+   openvpn_run_script(, es, (script_security >= SSEC_SCRIPTS)?
S_FATAL : 0, "--up/--down");


For some reason the code path involved is somewhat convoluted:

First we log a warning that external scripts require script_security >= 2.
But, fully knowing it's going to fail, we still call openvpn_run_script(). The
flag that says error out or warn is set in this call, and script permission is
checked just before executing:

openvpn_run_script() --> openvpn_execve_check() --> openvpn_execve_allowed()

When the latter returns an error due to script-security,
openvpn_execve_check() fails with a slightly misleading message.

Selva


Re: [Openvpn-devel] tap-windows6 and AppVeyor

2018-07-03 Thread Simon Rozman
Hi,

AppVeyor dismissed my request for an image with the EWDK preinstalled.
They explained I can use their build cache to maintain a local EWDK copy.
Unfortunately, the build cache is account-specific, meaning every user trying
to run their own fork (including OpenVPN for upstream) will require the AppVeyor
Premium plan. The EWDK won't fit into the 1GB build cache limit of the Free/Basic plan.

So, we still have Jon's alternative proposal to support EWDK *and* VS2015+WDK
building in buildtap.py.
The downside to this approach is that we are using a slightly different build
environment for CI.
 
Best regards,
Simon

> -Original Message-
> From: Jon Kunkee 
> Sent: Friday, June 15, 2018 7:58 PM
> To: Илья Шипицин ; Samuli Seppänen
> 
> Cc: Simon Rozman ; openvpn-devel  de...@lists.sourceforge.net>
> Subject: RE: tap-windows6 and AppVeyor
> 
> Hi,
> 
> I like the idea of asking AppVeyor if they could include the EWDK in one of
> their images. It is a standalone tool, so Visual Studio is not needed.
> 
> Sadly I don't see a Chocolatey package for the EWDK. That would have been
> convenient.
> 
> The AppVeyor docs[1] say that the Visual Studio 2017 image in AppVeyor
> already has the Windows Driver Kit (WDK) installed. Buildtap.py would need
> a couple of changes to consume the WDK instead of the EWDK, but it is an
> option.
> 
> Thanks,
> Jon
> 
> [1] https://www.appveyor.com/docs/build-environment/




Re: [Openvpn-devel] [PATCH v3 1/2] crypto: always reload tls-auth/crypt key contexts

2018-07-03 Thread Antonio Quartulli
Hi,

On 27/06/18 09:50, Antonio Quartulli wrote:
> Hi,
> 
> On 27/06/18 05:33, David Sommerseth wrote:
>> On 05/06/18 10:14, Antonio Quartulli wrote:
>>> In preparation to having tls-auth/crypt keys per connection
>>> block, it is important to ensure that such material is always
>>> reloaded upon SIGUSR1, no matter if `persist-key` was specified
>>> or not.
>>
>> Has this been tested with --chroot and --user/--group?
> 
> No, these tests are missing.

Tests performed.

There is no change in behaviour: --chroot and --user/--group behave
exactly as now.
This was expected, as using persist-key instructs openvpn to cache
the key material so it can be reused to re-init the various SSL
contexts every time.


Cheers,

-- 
Antonio Quartulli





Re: [Openvpn-devel] [PATCH] Make up/down script errors not FATAL

2018-07-03 Thread Antonio Quartulli
Hi,

On 03/07/18 16:23, David Sommerseth wrote:
> TL;DR: Reduce the possibility to run scripts to an absolute minimum (if at
> all).  If having this possibility run them with as few privileges as possible,
> and scripts to run is preferred to be configured outside of the OpenVPN
> configuration file.
> 
> The latter argument of configuring scripts outside of the configuration file
> is simply trying to end up with a single configuration file which would be
> functional on all devices.  A configuration file with Windows scripts won't
> work on a non-Windows box and vice versa - some configuration files might not
> even work across Linux distributions even.  So let the OpenVPN configuration
> files be as generic as possible, focusing on getting a connection to a remote
> server.  And configure the rest outside of the OpenVPN configuration profile.
> 

I have previously proposed using a udev-compatible mechanism to run
scripts.
In this scenario OpenVPN only needs to trigger "signals" and then
whoever is listening (i.e. udev/hotplug) will take care of handling
them. This could even be DBus driven.

However, this can work on Linux. Does anybody know of a similar mechanism
for Windows and macOS?


Cheers,


-- 
Antonio Quartulli





Re: [Openvpn-devel] [PATCH] Make up/down script errors not FATAL

2018-07-03 Thread David Sommerseth
On 03/07/18 09:49, Selva Nair wrote:
> Hi Jon,
> 
> On Mon, Jul 2, 2018 at 11:13 PM, Jonathan K. Bullard wrote:
>> Hi.
>>
>> On Mon, Jul 2, 2018 at 9:24 PM,  wrote:
>>>
>>> From: Selva Nair 
>>>
>>> Instead log only a warning.
>>>
>>> This helps user interfaces enforce a safer script-security setting
>>> without causing a FATAL error.
>>
>>
>> Can you expand on that? What "safer script secuity settings' do you
>> have in mind? Tunnelblick (and I think all Linux) use script-security
>> 2 to allow for up/down scripts that implement DNS and other settings.
>>
>> My initial reaction is that I'd rather a problem in the up/down
>> scripts generates a fatal error, so if there's a problem in the
>> Tunnelblick scripts somebody will report it. In my experience, almost
>> nobody pays attention to warnings, and mostly, those who do are
>> worried about warning that don't matter.

+1

> 
> This is in reaction to
> 
> https://medium.com/tenable-techblog/reverse-shell-from-an-openvpn-configuration-file-73fd8b1d38da
> 
> 
> In OpenVPN Windows GUI I'm considering enforcing "--script-security 1"
> (SSEC_BUILT_IN). See the discussion here:
>
> https://github.com/OpenVPN/openvpn-gui/issues/270


This I am much more in favour of.  I've already added a longer GitHub comment
with a bit different perspective, as well as looking more into the future of
what we're doing with OpenVPN 3 - where OpenVPN processes generally will not
run any scripts or even support it.

TL;DR: Reduce the possibility to run scripts to an absolute minimum (if at
all).  If having this possibility run them with as few privileges as possible,
and scripts to run is preferred to be configured outside of the OpenVPN
configuration file.

The latter argument of configuring scripts outside of the configuration file
is simply trying to end up with a single configuration file which would be
functional on all devices.  A configuration file with Windows scripts won't
work on a non-Windows box and vice versa - some configuration files might not
even work across Linux distributions even.  So let the OpenVPN configuration
files be as generic as possible, focusing on getting a connection to a remote
server.  And configure the rest outside of the OpenVPN configuration profile.


-- 
kind regards,

David Sommerseth
OpenVPN Inc






Re: [Openvpn-devel] [PATCH] Make up/down script errors not FATAL

2018-07-03 Thread Gert Doering
Hi,

On Mon, Jul 02, 2018 at 11:13:01PM -0400, Jonathan K. Bullard wrote:
> My initial reaction is that I'd rather a problem in the up/down
> scripts generates a fatal error, so if there's a problem in the
> Tunnelblick scripts somebody will report it. In my experience, almost
> nobody pays attention to warnings, and mostly, those who do are
> worried about warning that don't matter.

From how I read Selva's mail, an error in the script will still create
a fatal error.  

The difference is that today, if you have --script-security 1 and a --up 
config, that combination will cause an error, while after the change, this 
will only cause a warning.

Selva, did I read that correctly?

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-devel] [PATCH] Make up/down script errors not FATAL

2018-07-03 Thread Selva Nair
Hi Jon,

On Mon, Jul 2, 2018 at 11:13 PM, Jonathan K. Bullard 
wrote:
> Hi.
>
> On Mon, Jul 2, 2018 at 9:24 PM,  wrote:
>>
>> From: Selva Nair 
>>
>> Instead log only a warning.
>>
>> This helps user interfaces enforce a safer script-security setting
>> without causing a FATAL error.
>
>
> Can you expand on that? What "safer script secuity settings' do you
> have in mind? Tunnelblick (and I think all Linux) use script-security
> 2 to allow for up/down scripts that implement DNS and other settings.
>
> My initial reaction is that I'd rather a problem in the up/down
> scripts generates a fatal error, so if there's a problem in the
> Tunnelblick scripts somebody will report it. In my experience, almost
> nobody pays attention to warnings, and mostly, those who do are
> worried about warning that don't matter.

This is in reaction to

https://medium.com/tenable-techblog/reverse-shell-from-an-openvpn-configuration-file-73fd8b1d38da

In OpenVPN Windows GUI I'm considering enforcing "--script-security 1"
(SSEC_BUILT_IN). See the discussion here:

https://github.com/OpenVPN/openvpn-gui/issues/270

Selva
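The concern driving this thread (a profile that carries `script-security 2` together with an `up` directive, the pattern behind the Tenable write-up), as an added example not taken from OpenVPN or openvpn-gui: a small scanner a GUI could run over a profile before handing it to openvpn, listing directives that execute external programs, noticing when the profile raises script-security itself, and deciding whether scripts would run under the level the GUI intends. The directive list is assembled from the manpage for this example, the sample profile is constructed, and the precedence logic assumes OpenVPN's last-occurrence-wins handling of repeated options, so a GUI that appends its own --script-security after --config overrides the profile.

```c
#include <stddef.h>
#include <string.h>

#define SSEC_NONE     0
#define SSEC_BUILT_IN 1    /* the level a GUI refusing profile scripts enforces */
#define SSEC_SCRIPTS  2
#define SSEC_PW_ENV   3
#define MAX_FLAGGED   8

/* Directives whose argument is a program OpenVPN runs (needs level >= 2).
 * Assembled from the manpage for this example; extend as needed. */
static const char *const script_directives[] = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address", "iproute", NULL
};

struct scan_result {
    int flagged;                   /* directives that would run a program */
    int profile_level;             /* script-security set by the profile, -1 if none */
    char names[MAX_FLAGGED][32];   /* the first few, for a UI warning */
};

/* Copy the first token of the line into name, dropping a leading "--".
 * Returns 0 for blank lines and # or ; comments; *end is the offset just
 * after the token so the caller can read the argument. */
static size_t first_token(const char *line, size_t len, char *name,
                          size_t cap, size_t *end)
{
    size_t i = 0, n = 0;
    while (i < len && (line[i] == ' ' || line[i] == '\t')) i++;
    *end = i;
    if (i >= len || line[i] == '#' || line[i] == ';') return 0;
    if (i + 2 <= len && line[i] == '-' && line[i + 1] == '-') i += 2;
    while (i < len && line[i] != ' ' && line[i] != '\t' && line[i] != '\r' && n + 1 < cap)
        name[n++] = line[i++];
    name[n] = '\0';
    *end = i;
    return n;
}

static int is_script_directive(const char *name)
{
    for (const char *const *d = script_directives; *d; d++)
        if (strcmp(*d, name) == 0) return 1;
    return 0;
}

struct scan_result scan_profile(const char *cfg)
{
    struct scan_result r = { 0, -1, {{0}} };
    const char *p = cfg;
    int in_block = 0;              /* inside an inline <ca>...</ca> style block */
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p), end, j;
        char name[32];
        if (first_token(p, len, name, sizeof name, &end)) {
            if (in_block) {
                in_block = strncmp(name, "</", 2) != 0;
            } else if (name[0] == '<') {
                in_block = 1;      /* certificate/key material is not directives */
            } else if (strcmp(name, "script-security") == 0) {
                for (j = end; j < len && (p[j] == ' ' || p[j] == '\t'); j++) {}
                if (j < len && p[j] >= '0' && p[j] <= '3') r.profile_level = p[j] - '0';
            } else if (is_script_directive(name)) {
                if (r.flagged < MAX_FLAGGED) strcpy(r.names[r.flagged], name);
                r.flagged++;
            }
        }
        p = nl ? nl + 1 : p + len;
    }
    return r;
}

/* Would any flagged directive actually run? Assumes OpenVPN's usual
 * last-occurrence-wins handling: a GUI that passes --script-security after
 * --config (gui_overrides != 0) beats the profile; one that passes it earlier
 * is overridden by a profile that sets its own level. */
int profile_runs_scripts(const struct scan_result *r, int gui_level, int gui_overrides)
{
    int level = (r->profile_level >= 0 && !gui_overrides) ? r->profile_level : gui_level;
    return r->flagged > 0 && level >= SSEC_SCRIPTS;
}

/* Constructed sample profile: raises the level itself, runs two scripts, and
 * carries an inline block whose content must not be mistaken for directives. */
const char *const SAMPLE_PROFILE =
    "client\ndev tun\nremote vpn.example.com 1194\n"
    "# comments are ignored: up /tmp/not-a-directive\n"
    "script-security 2\n"
    "up /etc/openvpn/update-resolv-conf\n"
    "--down /etc/openvpn/update-resolv-conf\n"
    "<ca>\n-----BEGIN CERTIFICATE-----\nup\n-----END CERTIFICATE-----\n</ca>\n";

int sample_would_run_scripts(int gui_level, int gui_overrides)
{
    struct scan_result r = scan_profile(SAMPLE_PROFILE);
    return profile_runs_scripts(&r, gui_level, gui_overrides);
}
```

A GUI would call scan_profile() on the file before launching openvpn and, if flagged is non-zero, show the collected names and either refuse the profile or pass its own --script-security after --config. The inline-block handling matters because <ca>/<key> bodies are the one place in a profile where a token such as up on a line of its own is not a directive.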