[Openvpn-devel] [M] Change in openvpn[master]: Route: add support for user defined routing table
Attention is currently required from: its_Giaan, plaisthos.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/524?usp=email )

Change subject: Route: add support for user defined routing table
..

Patch Set 1: Code-Review-1

(7 comments)

Patchset:

PS1:
Functionality might be fine, but could use some polish

File doc/man-sections/vpn-network-options.rst:

http://gerrit.openvpn.net/c/openvpn/+/524/comment/22a0a3ac_de6d8584 :
PS1, Line 407: default taken from ``--route-table`` if set, otherwise :code:`0`.
Please change tab to spaces

http://gerrit.openvpn.net/c/openvpn/+/524/comment/f27813f8_b24586f4 :
PS1, Line 408:
Should document that table-id can't be pushed.

http://gerrit.openvpn.net/c/openvpn/+/524/comment/a3b9a424_093b4876 :
PS1, Line 464:
might be a good opportunity to make the description of --route-ipv6 more consistent with --route? Currently the descriptions are of a very different format and verbosity even though the options are very similar

File src/openvpn/options.h:

http://gerrit.openvpn.net/c/openvpn/+/524/comment/f5eb20b0_42a87049 :
PS1, Line 745: #define OPT_P_ROUTE_TABLE (1<<31)
it is not clear to me why you need a separate permission entry here? Should maybe add a comment about this.

File src/openvpn/options.c:

http://gerrit.openvpn.net/c/openvpn/+/524/comment/ca4f68fc_2a1a10c0 :
PS1, Line 205: "--route-table [table_id] : Specify a custom routing table for use with --route(-ipv6).\n"
table_id is not optional, so don't use brackets here

http://gerrit.openvpn.net/c/openvpn/+/524/comment/a60bb82d_c3d5db58 :
PS1, Line 6992: msg(M_WARN, "NOTE: --route-table specified, but not supported on this platform");
This warning would be confusing with a Linux build with --enable-iproute2. Maybe those should be two separate warnings?
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/524?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I3e4ebef484d2a04a383a65ede5617ee98bf218a7
Gerrit-Change-Number: 524
Gerrit-PatchSet: 1
Gerrit-Owner: its_Giaan
Gerrit-Reviewer: flichtenheld
Gerrit-Reviewer: plaisthos
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Attention: its_Giaan
Gerrit-Comment-Date: Fri, 16 Feb 2024 16:35:10 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [XS] Change in openvpn[master]: Route: remove incorrect routes on exit
Attention is currently required from: its_Giaan, plaisthos.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/528?usp=email )

Change subject: Route: remove incorrect routes on exit
..

Patch Set 1: Code-Review-2

(1 comment)

Patchset:

PS1:
Spurious change due to change of Change-Id. See #522 for original change.

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/528?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ie147f81e5990b8292be090fd05c23b91f8e308d4
Gerrit-Change-Number: 528
Gerrit-PatchSet: 1
Gerrit-Owner: its_Giaan
Gerrit-Reviewer: flichtenheld
Gerrit-Reviewer: plaisthos
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Attention: its_Giaan
Gerrit-Comment-Date: Fri, 16 Feb 2024 16:06:56 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
[Openvpn-devel] [M] Change in openvpn[master]: Http-proxy: Fix bug preventing proxy credentials caching.
Attention is currently required from: its_Giaan, plaisthos.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/523?usp=email )

Change subject: Http-proxy: Fix bug preventing proxy credentials caching.
..

Patch Set 1: Code-Review-2

(5 comments)

Patchset:

PS1:
Definitely has issues

File src/openvpn/options.c:

http://gerrit.openvpn.net/c/openvpn/+/523/comment/a2ced5bd_47c89245 :
PS1, Line 1861: SHOW_BOOL(ce.http_proxy_options->nocache);
This belongs into show_connection_entry like the other o->ce options

File src/openvpn/proxy.c:

http://gerrit.openvpn.net/c/openvpn/+/523/comment/99f3b845_b241aa5b :
PS1, Line 275: if (!static_proxy_user_pass.defined || (is_first_time && !p->options.nocache) )
This condition feels wrong to me. As I understand the code this should never be true when p->options.nocache is true. Or do I understand the code wrong?

http://gerrit.openvpn.net/c/openvpn/+/523/comment/67ae3287_17906ea3 :
PS1, Line 278: p->options.auth_file,
I think you messed up a rebase on top of a634cc5eccd55f1d14197da7376bb819bdf72cb6 here. Your code ignores auth_file_up again.

http://gerrit.openvpn.net/c/openvpn/+/523/comment/3303fbc3_b1eee104 :
PS1, Line 546: get_user_pass_http(p);
So previously this forced a reset of the credentials. This you removed. Are you sure this is correct? If yes, why?
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/523?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia3e06c0832c4ca0ab868c845279fb71c01a1a78a
Gerrit-Change-Number: 523
Gerrit-PatchSet: 1
Gerrit-Owner: its_Giaan
Gerrit-Reviewer: flichtenheld
Gerrit-Reviewer: plaisthos
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Attention: its_Giaan
Gerrit-Comment-Date: Fri, 16 Feb 2024 16:01:38 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
[Openvpn-devel] [XS] Change in openvpn[master]: Route: remove incorrect routes on exit
Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/528?usp=email to review the following change. Change subject: Route: remove incorrect routes on exit .. Route: remove incorrect routes on exit Implemented a safeguard to verify the returned value from add_route3() when the default gateway is not a local remote host. Prior to this implementation, RT_DID_LOCAL flag was erroneously set even in case of add_route3() failure. This problem typically occurs when there's no default route and the --redirect-gateway def1 option is specified, and in case of reconnection makes it impossible for the client to reobtain the route to the server. This fix ensures OpenVPN accurately deletes the appropriate route on exit by properly handling add_route3() return value. Fixes: Trac #1457 Change-Id: Ie147f81e5990b8292be090fd05c23b91f8e308d4 Signed-off-by: Gianmarco De Gregori --- M src/openvpn/route.c 1 file changed, 4 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/28/528/1 diff --git a/src/openvpn/route.c b/src/openvpn/route.c index 6c027d9..6ab4392 100644 --- a/src/openvpn/route.c +++ b/src/openvpn/route.c 
@@ -1055,7 +1055,10 @@ ret = add_route3(rl->spec.remote_host, IPV4_NETMASK_HOST, rl->rgi.gateway.addr, tt, flags | ROUTE_REF_GW, >rgi, es, ctx); -rl->iflags |= RL_DID_LOCAL; +if (ret) +{ +rl->iflags |= RL_DID_LOCAL; +} } else { -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/528?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ie147f81e5990b8292be090fd05c23b91f8e308d4 Gerrit-Change-Number: 528 Gerrit-PatchSet: 1 Gerrit-Owner: its_Giaan Gerrit-Reviewer: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Attention: flichtenheld Gerrit-MessageType: newchange ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
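Review bot: the hunk now sets RL_DID_LOCAL only when add_route3() returned true, but the failure path stays silent at this call site; unless add_route3() already logs that the host route to rl->spec.remote_host could not be installed, an else branch with a msg() here would let a user see why no local route is removed on exit (or re-established on reconnect) instead of discovering it from a missing route. Two smaller points: the commit message refers to the flag as RT_DID_LOCAL while the code sets RL_DID_LOCAL, so the message should use the identifier that actually appears in the hunk; and, as flichtenheld notes on this change, #528 duplicates #522 under a new Change-Id, so the fix should live in only one of the two.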
[Openvpn-devel] [XS] Change in openvpn[master]: Route: remove uncorrect routes on exit.
Attention is currently required from: its_Giaan, plaisthos.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/522?usp=email )

Change subject: Route: remove uncorrect routes on exit.
..

Patch Set 1: Code-Review+2

(1 comment)

Commit Message:

http://gerrit.openvpn.net/c/openvpn/+/522/comment/1ee852a4_4c084f6c :
PS1, Line 7: Route: remove uncorrect routes on exit.
"incorrect"
remove full stop at end of summary line

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/522?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I8a67b82eb4afdc8d82c5a879c18457b41e77cbe7
Gerrit-Change-Number: 522
Gerrit-PatchSet: 1
Gerrit-Owner: its_Giaan
Gerrit-Reviewer: flichtenheld
Gerrit-Reviewer: plaisthos
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Attention: its_Giaan
Gerrit-Comment-Date: Fri, 16 Feb 2024 15:32:14 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
Re: [Openvpn-devel] IRC community meeting summary (Feb 14th)
On Wed, Feb 14, 2024 at 05:18:21PM +, tincantech wrote:
> On Wednesday, 14 February 2024 at 15:22, Frank Lichtenheld wrote:
> >
> > Meeting summary for 14 February 2024:
> >
> > * New: Easy-rsa in Windows installers
> > easy-rsa has included pre-built Windows binaries for a long time. But with
> > Windows 11 they do not seem to work correctly anymore in some cases.
>
> Just to clarify:
> Easy-RSA works perfectly as-is on W10 & W11 but requires Windows Admin access.
> Without Windows Admin Access, Easy-RSA on W11 does not work with the now 10 year
> old MKSH:sh.exe

Either way, I think everyone agrees that the current situation of shipping a
ten-year old executable that causes some problems on the latest version of
Windows isn't ideal.

> This is annoying but it isn't a complete deal-breaker.

Understood. The question about removing easy-rsa isn't so much about whether it
is unusable in the current release. But we do not want to leave it in the
current state. So, if we need to invest time and effort now anyway to update
this to a modern standard (e.g. in terms of supply chain security), we want to
use the opportunity to ask ourselves whether bundling easy-rsa with openvpn
actually provides a value for the openvpn project and its users. It definitely
has a cost. Most openvpn developers do not see a corresponding value in it (or
they did not mention it so far).

When using openvpn as a client, easy-rsa is not useful. If setting up a p2p
connection, peer fingerprint can be used which requires openssl but not
easy-rsa. So are there people that actually use openvpn as a server on Windows
and do not have their own separate PKI and so use the bundled easy-rsa? That is
something we would like to learn more about.

Note that none of this negates the usefulness of easy-rsa. This is specifically
about the usefulness of easy-rsa bundled in the openvpn Windows installer.
Regards,
--
Frank Lichtenheld
Re: [Openvpn-devel] [S] Change in openvpn[master]: Minor fix to process_ip_header
Hi, On 15/02/2024 17:17, Gert Doering wrote: Hi, On Thu, Feb 15, 2024 at 03:59:02PM +, its_Giaan (Code Review) wrote: if (buf->len > 0) { -/* - * The --passtos and --mssfix options require - * us to examine the IPv4 header. - */ - -if (flags & (PIP_MSSFIX -#if PASSTOS_CAPABILITY - | PIPV4_PASSTOS -#endif - | PIPV4_CLIENT_NAT - )) +if (flags & PIP_OPT_MASK) NAK, as this is not the same thing. PIP_OPT_MASK will also match on the IPv6 flags, which are not something we need to test for here (= if only an IPv6 flag is active, why should we enter this branch?). We need to enter for either v4 or v6 flags, no? The check on whether the packet is v4 or v6 happens *inside* this if block. Am I wrong? Cheers, -- Antonio Quartulli ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
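Review bot: the replacement condition `flags & PIP_OPT_MASK` is wider than the removed test (PIP_MSSFIX, PIPV4_PASSTOS under PASSTOS_CAPABILITY, PIPV4_CLIENT_NAT) as soon as PIP_OPT_MASK carries any IPv6 bit, which is exactly what the two replies disagree about; the change should either introduce a mask that names the options this branch handles, or state in the commit message that entering the branch on IPv6-only flags is intended because the v4/v6 header check happens inside it, so a reviewer can verify the claim from the patch rather than infer it. Either way, the removed comment explaining that --passtos and --mssfix require looking at the IP header should be kept or moved next to the new mask rather than dropped.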
[Openvpn-devel] [PATCH v1] check_compression_settings_valid: Do not test for LZ4 in LZO check
Probably introduced by copy & paste since there is no COMP_ALGV2_LZO. Github: #500 Change-Id: Id6b038c1c0095b2f22033e9dc7090e2507a373ab Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master and release/2.6. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/526 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index 6e30369..311f3e9 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c @@ -195,7 +195,7 @@ } #endif #ifndef ENABLE_LZO -if (info->alg == COMP_ALG_LZO || info->alg == COMP_ALG_LZ4) +if (info->alg == COMP_ALG_LZO) { msg(msglevel, "OpenVPN is compiled without LZO support. Requested " "compression cannot be enabled."); ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
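Review bot: dropping COMP_ALG_LZ4 from the `#ifndef ENABLE_LZO` test is right, but the hunk shows only the LZO block (the `#endif` just above it closes an earlier block that is not visible), so please confirm that COMP_ALG_LZ4 (and any V2 LZ4 variant) is still rejected under its own `#ifndef ENABLE_LZ4` block in check_compression_settings_valid(): after this change a build without LZO but with LZ4 no longer refuses an LZ4 setting, which is the intent, while a build without LZ4 must keep refusing it without relying on the LZO check. Since copy and paste is the stated root cause, a grep for the remaining `COMP_ALG_LZO ||` / `COMP_ALG_LZ4 ||` pairs in comp.c would catch any sibling mistake in the same function.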
[Openvpn-devel] [XS] Change in openvpn[master]: check_compression_settings_valid: Do not test for LZ4 in LZO check
Attention is currently required from: flichtenheld.

plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/526?usp=email )

Change subject: check_compression_settings_valid: Do not test for LZ4 in LZO check
..

Patch Set 1: Code-Review+2

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/526?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Id6b038c1c0095b2f22033e9dc7090e2507a373ab
Gerrit-Change-Number: 526
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld
Gerrit-Reviewer: plaisthos
Gerrit-CC: openvpn-devel
Gerrit-Attention: flichtenheld
Gerrit-Comment-Date: Fri, 16 Feb 2024 12:22:12 +
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
[Openvpn-devel] [S] Change in openvpn[master]: documentation: make section levels consistent
Attention is currently required from: plaisthos. Hello plaisthos, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/527?usp=email to review the following change. Change subject: documentation: make section levels consistent .. documentation: make section levels consistent Previously the sections "Encryption Options" and "Data channel cipher negotiation" were on the same level as "OPTIONS", which makes no sense. Instead move them and their subsections one level down. Use ` since that was already in use in section "Virtual Routing and Forwarding". Change-Id: Ib5a7f9a978bda5ad58830e43580232660401f66d Signed-off-by: Frank Lichtenheld --- M doc/man-sections/cipher-negotiation.rst M doc/man-sections/encryption-options.rst M doc/man-sections/pkcs11-options.rst M doc/man-sections/renegotiation.rst M doc/man-sections/tls-options.rst 5 files changed, 14 insertions(+), 14 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/27/527/1 diff --git a/doc/man-sections/cipher-negotiation.rst b/doc/man-sections/cipher-negotiation.rst index 888ffa6..2a95119 100644 --- a/doc/man-sections/cipher-negotiation.rst +++ b/doc/man-sections/cipher-negotiation.rst @@ -1,12 +1,12 @@ Data channel cipher negotiation -=== +--- OpenVPN 2.4 and higher have the capability to negotiate the data cipher that is used to encrypt data packets. This section describes the mechanism in more detail and the different backwards compatibility mechanism with older server and clients. OpenVPN 2.5 and later behaviour - +``` When both client and server are at least running OpenVPN 2.5, that the order of the ciphers of the server's ``--data-ciphers`` is used to pick the the data cipher. That means that the first cipher in that list that is also in the client's 
@@ -25,7 +25,7 @@ ``--cipher`` option to this list. OpenVPN 2.4 clients +``` The negotiation support in OpenVPN 2.4 was the first iteration of the implementation and still had some quirks. Its main goal was "upgrade to AES-256-GCM when possible". An OpenVPN 2.4 client that is built against a crypto library that supports AES in GCM @@ -40,7 +40,7 @@ options to avoid this behaviour. OpenVPN 3 clients -- +` Clients based on the OpenVPN 3.x library (https://github.com/openvpn/openvpn3/) do not have a configurable ``--ncp-ciphers`` or ``--data-ciphers`` option. Newer versions by default disable legacy AES-CBC, BF-CBC, and DES-CBC ciphers. @@ -52,7 +52,7 @@ OpenVPN 2.3 and older clients (and clients with ``--ncp-disable``) --- +`` When a client without cipher negotiation support connects to a server the cipher specified with the ``--cipher`` option in the client configuration must be included in the ``--data-ciphers`` option of the server to allow @@ -65,7 +65,7 @@ cipher used by the client is necessary. OpenVPN 2.4 server --- +`` When a client indicates support for `AES-128-GCM` and `AES-256-GCM` (with ``IV_NCP=2``) an OpenVPN 2.4 server will send the first cipher of the ``--ncp-ciphers`` to the OpenVPN client regardless of what @@ -76,7 +76,7 @@ those ciphers are present. OpenVPN 2.3 and older servers (and servers with ``--ncp-disable``) --- +`` The cipher used by the server must be included in ``--data-ciphers`` to allow the client connecting to a server without cipher negotiation support. @@ -89,7 +89,7 @@ cipher used by the server is necessary. Blowfish in CBC mode (BF-CBC) deprecation --- +` The ``--cipher`` option defaulted to `BF-CBC` in OpenVPN 2.4 and older version. The default was never changed to ensure backwards compatibility. In OpenVPN 2.5 this behaviour has now been changed so that if the ``--cipher`` diff --git a/doc/man-sections/encryption-options.rst b/doc/man-sections/encryption-options.rst index 3b26782..49385d6 100644 
--- a/doc/man-sections/encryption-options.rst +++ b/doc/man-sections/encryption-options.rst @@ -1,8 +1,8 @@ Encryption Options -== +-- SSL Library information +``` --show-ciphers (Standalone) Show all cipher algorithms to use with the ``--cipher`` @@ -32,7 +32,7 @@ ``--ecdh-curve`` and ``tls-groups`` options. Generating key material +``` --genkey args (Standalone) Generate a key to be used of the
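Review bot: the new underline lines as they appear in the hunks (`---`, ```` ``` ````, `` ` ``) are visibly shorter than the headings above them, and reStructuredText requires a section underline to be at least as long as the title text (docutils warns about a short title underline and may not nest the section as intended), so either the mail extraction truncated them or the patch needs full-length underlines; please build the man page from this patch set (the project's rst2man/Sphinx step) and confirm that all five touched files agree on the same character for each level, since the commit relies on ` already denoting the third level in "Virtual Routing and Forwarding". The unchanged context under "OpenVPN 2.5 and later behaviour" also still reads "When both client and server are at least running OpenVPN 2.5, that the order ... pick the the data cipher", which is outside this change but worth a follow-up wording fix while the file is being touched.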
[Openvpn-devel] [XS] Change in openvpn[master]: check_compression_settings_valid: Do not test for LZ4 in LZO check
Attention is currently required from: plaisthos. Hello plaisthos, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/526?usp=email to review the following change. Change subject: check_compression_settings_valid: Do not test for LZ4 in LZO check .. check_compression_settings_valid: Do not test for LZ4 in LZO check Probably introduced by copy & paste since there is no COMP_ALGV2_LZO. Github: #500 Change-Id: Id6b038c1c0095b2f22033e9dc7090e2507a373ab Signed-off-by: Frank Lichtenheld --- M src/openvpn/comp.c 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/26/526/1 diff --git a/src/openvpn/comp.c b/src/openvpn/comp.c index 6e30369..311f3e9 100644 --- a/src/openvpn/comp.c +++ b/src/openvpn/comp.c @@ -195,7 +195,7 @@ } #endif #ifndef ENABLE_LZO -if (info->alg == COMP_ALG_LZO || info->alg == COMP_ALG_LZ4) +if (info->alg == COMP_ALG_LZO) { msg(msglevel, "OpenVPN is compiled without LZO support. Requested " "compression cannot be enabled."); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/526?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Id6b038c1c0095b2f22033e9dc7090e2507a373ab Gerrit-Change-Number: 526 Gerrit-PatchSet: 1 Gerrit-Owner: flichtenheld Gerrit-Reviewer: plaisthos Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-MessageType: newchange ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
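Review bot: this is the same hunk as the [PATCH v1] mail for #526; the one thing to verify before merge is that COMP_ALG_LZ4 is still rejected by a separate `#ifndef ENABLE_LZ4` block elsewhere in check_compression_settings_valid(), because the hunk only shows the LZO block and the `#endif` closing the previous one, and after this change a build without LZ4 support must not fall through with an LZ4 algorithm accepted.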