[Openvpn-devel] [XS] Change in openvpn[master]: Fix typo --data-cipher-fallback

2024-03-04 Thread plaisthos (Code Review)
Attention is currently required from: flichtenheld.

plaisthos has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/534?usp=email )

Change subject: Fix typo --data-cipher-fallback


Patch Set 1: Code-Review+2


--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/534?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I38e70cb74c10848ab2981efc4c4c8863c5c8785d
Gerrit-Change-Number: 534
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Mon, 04 Mar 2024 23:22:57 +
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [M] Change in openvpn[master]: Minor fix to process_ip_header

2024-03-04 Thread plaisthos (Code Review)
Attention is currently required from: its_Giaan, ordex.

plaisthos has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/525?usp=email )

Change subject: Minor fix to process_ip_header


Patch Set 2: Code-Review+2

(1 comment)

Patchset:

PS2:
We could clean up this more but this is a good first step




Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I4b5e8357d872c920efdb64632e9bce72cebee202
Gerrit-Change-Number: 525
Gerrit-PatchSet: 2
Gerrit-Owner: its_Giaan 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: ordex 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: its_Giaan 
Gerrit-Attention: ordex 
Gerrit-Comment-Date: Mon, 04 Mar 2024 16:36:25 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [PATCH 1/1] openvpn-[client|server].service: Remove syslog.target

2024-03-04 Thread Frank Lichtenheld
From: Martin Rys 

Change-Id: If825e5b1ebc6eecc9e5398f0d8274927b53e5b83
Signed-off-by: Martin Rys 
Acked-by: Frank Lichtenheld 
Signed-off-by: Frank Lichtenheld 
---
 distro/systemd/openvpn-cli...@.service.in | 2 +-
 distro/systemd/openvpn-ser...@.service.in | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/distro/systemd/openvpn-cli...@.service.in 
b/distro/systemd/openvpn-cli...@.service.in
index 159fb4dc..8e18629b 100644
--- a/distro/systemd/openvpn-cli...@.service.in
+++ b/distro/systemd/openvpn-cli...@.service.in
@@ -1,6 +1,6 @@
 [Unit]
 Description=OpenVPN tunnel for %I
-After=syslog.target network-online.target
+After=network-online.target
 Wants=network-online.target
 Documentation=man:openvpn(8)
 Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
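Review bot: dropping `syslog.target` from `After=` is correct, since that target has been obsolete in systemd for years and journald captures the service's output without it, so the line never ordered anything; `network-online.target` stays in both `After=` and `Wants=`, which is the documented pairing. The patch carries only trailers and no description, so one sentence in the commit message stating why `syslog.target` is obsolete would help packagers who maintain their own unit files.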
diff --git a/distro/systemd/openvpn-ser...@.service.in 
b/distro/systemd/openvpn-ser...@.service.in
index 6e8e7d94..8752440f 100644
--- a/distro/systemd/openvpn-ser...@.service.in
+++ b/distro/systemd/openvpn-ser...@.service.in
@@ -1,6 +1,6 @@
 [Unit]
 Description=OpenVPN service for %I
-After=syslog.target network-online.target
+After=network-online.target
 Wants=network-online.target
 Documentation=man:openvpn(8)
 Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
-- 
2.34.1





[Openvpn-devel] [M] Change in openvpn[master]: Persist-key: enable persist-key option by default

2024-03-04 Thread plaisthos (Code Review)
Attention is currently required from: flichtenheld, its_Giaan.

plaisthos has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/529?usp=email )

Change subject: Persist-key: enable persist-key option by default


Patch Set 2:

(4 comments)

Patchset:

PS2:
An entry in Changes.rst is missing.


File doc/man-sections/unsupported-options.rst:

http://gerrit.openvpn.net/c/openvpn/+/529/comment/eb5579c0_cf2fe0e5 :
PS2, Line 47:   Removed in OpenVPN 2.7. Keys are now always persisted across 
restarts.
Maybe use "Ignored" since OpenVPN 2.7?


File src/openvpn/init.c:

http://gerrit.openvpn.net/c/openvpn/+/529/comment/cab1614e_ebf8f6bc :
PS2, Line 3630:
random whitespace change


File src/openvpn/options.c:

http://gerrit.openvpn.net/c/openvpn/+/529/comment/6f595c78_b2ccf3fe :
PS2, Line 6965: "please remove it from your configuration.");
I don't think we should warn or threaten to remove that option. That just makes 
configuration files incompatible in the future without a good reason to do so. 
For other options like max-routes, we also just ignore them.




Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I57f1c2ed42bd9dfd43577238749a9b7f4c1419ff
Gerrit-Change-Number: 529
Gerrit-PatchSet: 2
Gerrit-Owner: its_Giaan 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: its_Giaan 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Mon, 04 Mar 2024 16:31:36 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Gerrit-MessageType: comment


[Openvpn-devel] [PATCH v1] samples: Remove tls-*.conf

2024-03-04 Thread Frank Lichtenheld
These are mostly redundant with client/server.conf.
Let's try to manage to maintain one set of sample
configurations before we branch out further.

Change-Id: I199541fea5a76c8edef7f67d2dbfc476987dc2f7
Signed-off-by: Frank Lichtenheld 
Acked-by: Arne Schwabe 
Acked-by: Antonio Quartulli 
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master and release/2.6.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/531
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe 
Antonio Quartulli 


diff --git a/sample/sample-config-files/home.up 
b/sample/sample-config-files/home.up
deleted file mode 100755
index 9c347cc..000
--- a/sample/sample-config-files/home.up
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-route add -net 10.0.0.0 netmask 255.255.255.0 gw $5
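Review bot: `home.up` is only consumed by the `up ./home.up` line of `tls-home.conf`, which this same change deletes, so removing both together is consistent; a `git grep home.up sample/` before merging would confirm that no remaining sample or the README still points at it. For the record, the script relied on the net-tools `route` command and on `$5`, which is the remote `ifconfig` address OpenVPN passes to `--up` scripts, so it documented nothing that the current multi-client samples need.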
diff --git a/sample/sample-config-files/office.up 
b/sample/sample-config-files/office.up
deleted file mode 100755
index 74a71a3..000
--- a/sample/sample-config-files/office.up
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-route add -net 10.0.1.0 netmask 255.255.255.0 gw $5
diff --git a/sample/sample-config-files/tls-home.conf 
b/sample/sample-config-files/tls-home.conf
deleted file mode 100644
index ff19d50..000
--- a/sample/sample-config-files/tls-home.conf
+++ /dev/null
@@ -1,83 +0,0 @@
-#
-# Sample OpenVPN configuration file for
-# home using SSL/TLS mode and RSA certificates/keys.
-#
-# '#' or ';' may be used to delimit comments.
-
-# Use a dynamic tun device.  For non-Linux OSes, you may want to use an
-# explicit unit number such as "tun1".
-# OpenVPN also supports virtual ethernet "tap" devices.
-dev tun
-
-# Our OpenVPN peer is the office gateway.
-remote 1.2.3.4
-
-# 10.1.0.2 is our local VPN endpoint (home).
-# 10.1.0.1 is our remote VPN endpoint (office).
-ifconfig 10.1.0.2 10.1.0.1
-
-# Our up script will establish routes
-# once the VPN is alive.
-up ./home.up
-
-# In SSL/TLS key exchange, Office will
-# assume server role and Home
-# will assume client role.
-tls-client
-
-# Certificate Authority file
-ca my-ca.crt
-
-# Our certificate/public key
-cert home.crt
-
-# Our private key
-key home.key
-
-# Our data channel cipher (must match peer config)
-cipher AES-256-GCM
-
-# OpenVPN 2.0 uses UDP port 1194 by default
-# (official port assignment by iana.org 11/04).
-# OpenVPN 1.x uses UDP port 5000 by default.
-# Each OpenVPN tunnel must use
-# a different port number.
-# lport or rport can be used
-# to denote different ports
-# for local and remote.
-; port 1194
-
-# Downgrade UID and GID to an
-# unpriviledged user after initialization
-# for extra security.
-; user openvpn
-; group openvpn
-
-# If you built OpenVPN with
-# LZO compression, uncomment
-# out the following line.
-; comp-lzo
-
-# Send a UDP ping to remote once
-# every 15 seconds to keep
-# stateful firewall connection
-# alive.  Uncomment this
-# out if you are using a stateful
-# firewall.
-; ping 15
-
-# Uncomment this section for a more reliable detection when a system
-# loses its connection.  For example, dial-ups or laptops that
-# travel to other locations.
-; ping 15
-; ping-restart 45
-; ping-timer-rem
-; persist-tun
-; persist-key
-
-# Verbosity level.
-# 0 -- quiet except for fatal errors.
-# 1 -- mostly quiet, but display non-fatal network errors.
-# 3 -- medium output, good for normal operation.
-# 9 -- verbose, good for troubleshooting
-verb 3
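Review bot: the removed configuration is stale in exactly the ways the commit message's "redundant" rationale implies: a fixed `cipher AES-256-GCM` instead of `data-ciphers` negotiation, a commented `comp-lzo` suggestion, references to OpenVPN 1.x and UDP port 5000, and the misspelling "unpriviledged". The one thing it showed that client.conf does not is a static point-to-point setup (`ifconfig 10.1.0.2 10.1.0.1` with `tls-client` on one side and `tls-server` on the other), so the README or the pointer to the openvpn-examples man page should cover that case to avoid losing it.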
diff --git a/sample/sample-config-files/tls-office.conf 
b/sample/sample-config-files/tls-office.conf
deleted file mode 100644
index 152e58a..000
--- a/sample/sample-config-files/tls-office.conf
+++ /dev/null
@@ -1,86 +0,0 @@
-#
-# Sample OpenVPN configuration file for
-# office using SSL/TLS mode and RSA certificates/keys.
-#
-# '#' or ';' may be used to delimit comments.
-
-# Use a dynamic tun device.
-# For Linux 2.2 or non-Linux OSes,
-# you may want to use an explicit
-# unit number such as "tun1".
-# OpenVPN also supports virtual
-# ethernet "tap" devices.
-dev tun
-
-# 10.1.0.1 is our local VPN endpoint (office).
-# 10.1.0.2 is our remote VPN endpoint (home).
-ifconfig 10.1.0.1 10.1.0.2
-
-# Our up script will establish routes
-# once the VPN is alive.
-up ./office.up
-
-# In SSL/TLS key exchange, Office will
-# assume server role and Home
-# will assume client role.
-tls-server
-
-# Diffie-Hellman Parameters (tls-server only)
-dh dh2048.pem
-
-# Certificate Authority file
-ca my-ca.crt
-
-# Our certificate/public key
-cert office.crt
-
-# Our private key
-key office.key
-
-# Our data channel cipher (must match peer config)
-cipher AES-256-GCM
-
-# OpenVPN 2.0 uses UDP port 1194 by default
-# (official port assignment by iana.org 11/04).
-# OpenVPN 1.x uses UDP port 5000 by default.
-# Each OpenVPN tunnel must use
-# a different port number.
-# lport or rport can be used
-# to denote different ports
-# for local and remote.
-; port 1194
-
-# Downgrade UID and GID to an
-# unpriviledged user after 

[Openvpn-devel] [XS] Change in openvpn[master]: Fix typo --data-cipher-fallback

2024-03-04 Thread flichtenheld (Code Review)
Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to do a code review.
Please visit

http://gerrit.openvpn.net/c/openvpn/+/534?usp=email

to review the following change.


Change subject: Fix typo --data-cipher-fallback

Fix typo --data-cipher-fallback

Change-Id: I38e70cb74c10848ab2981efc4c4c8863c5c8785d
Signed-off-by: Frank Lichtenheld 
---
M doc/man-sections/generic-options.rst
M src/openvpn/dco.c
2 files changed, 2 insertions(+), 2 deletions(-)



  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/34/534/1

diff --git a/doc/man-sections/generic-options.rst 
b/doc/man-sections/generic-options.rst
index 95e4ca2..30c990d 100644
--- a/doc/man-sections/generic-options.rst
+++ b/doc/man-sections/generic-options.rst
@@ -75,7 +75,7 @@
 to the configuration if no other compression options are present.
   - 2.4.x or lower: The cipher in ``--cipher`` is appended to
 ``--data-ciphers``.
-  - 2.3.x or lower: ``--data-cipher-fallback`` is automatically added with
+  - 2.3.x or lower: ``--data-ciphers-fallback`` is automatically added with
 the same cipher as ``--cipher``.
   - 2.3.6 or lower: ``--tls-version-min 1.0`` is added to the configuration
 when ``--tls-version-min`` is not explicitly set.
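Review bot: the corrected name `--data-ciphers-fallback` is consistent with `--data-ciphers` in the bullet just above, so the fix is right; since the stat line shows exactly two changed lines across the manual and dco.c, a `git grep -n 'data-cipher-fallback'` over the tree is worth running once to confirm there is no third occurrence, for example in Changes.rst or the sample configurations.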
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index cd3e0ad..14430d3 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -400,7 +400,7 @@
 if (o->enable_ncp_fallback
 && !tls_item_in_cipher_list(o->ciphername, 
dco_get_supported_ciphers()))
 {
-msg(msglevel, "Note: --data-cipher-fallback with cipher '%s' "
+msg(msglevel, "Note: --data-ciphers-fallback with cipher '%s' "
 "disables data channel offload.", o->ciphername);
 return false;
 }
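Review bot: this message is the only hint an operator gets as to why data channel offload was disabled, so naming the real option matters because they will look it up in the manual; the change is text-only, the branch is still taken only when `enable_ncp_fallback` is set and `o->ciphername` is absent from `dco_get_supported_ciphers()`, and the `return false` is unchanged.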


Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I38e70cb74c10848ab2981efc4c4c8863c5c8785d
Gerrit-Change-Number: 534
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-MessageType: newchange


[Openvpn-devel] [M] Change in openvpn[master]: samples: Update sample configurations

2024-03-04 Thread flichtenheld (Code Review)
Attention is currently required from: flichtenheld, ordex, plaisthos.

Hello ordex, plaisthos,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/532?usp=email

to look at the new patch set (#3).

The following approvals got outdated and were removed:
Code-Review+2 by ordex


Change subject: samples: Update sample configurations

samples: Update sample configurations

- Remove compression settings. Not recommended anymore.
- Remove old cipher setting. Replaced by data-ciphers negotiation.
- Add a comment on how to set data-ciphers for very old clients.
- Remove/reword some old comments, e.g. no need to reference
  OpenVPN 1.x anymore.
- Mention peer-fingerprint alternative.

Github: #511
Change-Id: I1a36651c0dea52259533ffc00bccb9b03bf82e26
Signed-off-by: Frank Lichtenheld 
---
M sample/sample-config-files/README
M sample/sample-config-files/client.conf
M sample/sample-config-files/server.conf
3 files changed, 33 insertions(+), 43 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/32/532/3

diff --git a/sample/sample-config-files/README 
b/sample/sample-config-files/README
index d53ac79..1493dab 100644
--- a/sample/sample-config-files/README
+++ b/sample/sample-config-files/README
@@ -4,3 +4,5 @@
 which is located at:

 http://openvpn.net/howto.html
+
+See also the openvpn-examples man page.
diff --git a/sample/sample-config-files/client.conf 
b/sample/sample-config-files/client.conf
index 15cb1b3..c1e4060 100644
--- a/sample/sample-config-files/client.conf
+++ b/sample/sample-config-files/client.conf
@@ -1,5 +1,5 @@
 ##
-# Sample client-side OpenVPN 2.0 config file #
+# Sample client-side OpenVPN 2.6 config file #
 # for connecting to multi-client server. #
 ##
 # This configuration can be used by multiple #
@@ -103,22 +103,15 @@
 # EasyRSA can do this for you.
 remote-cert-tls server

+# Allow to connect to really old OpenVPN versions
+# without AEAD support (OpenVPN 2.3.x or older)
+# This adds AES-256-CBC as fallback cipher and
+# keeps the modern ciphers as well.
+;data-ciphers AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305:AES-256-CBC
+
 # If a tls-auth key is used on the server
 # then every client must also have the key.
-tls-auth ta.key 1
-
-# Select a cryptographic cipher.
-# If the cipher option is used on the server
-# then you must also specify it here.
-# Note that v2.4 client/server will automatically
-# negotiate AES-256-GCM in TLS mode.
-# See also the data-ciphers option in the manpage
-cipher AES-256-CBC
-
-# Enable compression on the VPN link.
-# Don't enable this unless it is also
-# enabled in the server config file.
-#comp-lzo
+;tls-auth ta.key 1

 # Set log file verbosity.
 verb 3
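Review bot: the commented `data-ciphers` line has the right shape for its stated purpose: `AES-256-CBC` appended last gives peers without AEAD support a cipher to fall back on, and the `?` prefix marks CHACHA20-POLY1305 as optional so the line still parses when the crypto library lacks it. Since uncommenting it re-admits a non-AEAD data channel cipher, the comment should say that it is a compatibility measure to be removed once the old peers are upgraded, and "Allow to connect" reads better as "Allow connecting". Commenting out `tls-auth ta.key 1` flips the sample from enabled to disabled; the sentence above it ("every client must also have the key") still reads correctly for that.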
diff --git a/sample/sample-config-files/server.conf 
b/sample/sample-config-files/server.conf
index d9345b6..3595c48 100644
--- a/sample/sample-config-files/server.conf
+++ b/sample/sample-config-files/server.conf
@@ -1,5 +1,5 @@
 #
-# Sample OpenVPN 2.0 config file for#
+# Sample OpenVPN 2.6 config file for#
 # multi-client server.  #
 #   #
 # This file is for the server side  #
@@ -47,15 +47,15 @@
 # an explicit unit number, such as tun0.
 # On Windows, use "dev-node" for this.
 # On most systems, the VPN will not function
-# unless you partially or fully disable
+# unless you partially or fully disable/open
 # the firewall for the TUN/TAP interface.
 ;dev tap
 dev tun

 # Windows needs the TAP-Win32 adapter name
 # from the Network Connections panel if you
-# have more than one.  On XP SP2 or higher,
-# you may need to selectively disable the
+# have more than one.
+# You may need to selectively disable the
 # Windows firewall for the TAP adapter.
 # Non-Windows systems usually don't need this.
 ;dev-node MyTap
@@ -66,8 +66,9 @@
 # key file.  The server and all clients will
 # use the same ca file.
 #
-# See the "easy-rsa" directory for a series
-# of scripts for generating RSA certificates
+# See the "easy-rsa" project at
+# https://github.com/OpenVPN/easy-rsa
+# for generating RSA certificates
 # and private keys.  Remember to use
 # a unique Common Name for the server
 # and each of the client certificates.
@@ -75,6 +76,13 @@
 # Any X509 key management system can be used.
 # OpenVPN can also use a PKCS #12 formatted key file
 # (see "pkcs12" directive in man page).
+#
+# If you do not want to maintain a CA
+# and have a small number of clients
+# you can also use self-signed certificates
+# and use the peer-fingerprint option.
+# See openvpn-examples man page for a
+# configuration example.
 ca ca.crt
 cert server.crt
 key server.key  # This file should be kept secret
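Review bot: the peer-fingerprint paragraph is useful for small deployments, but it sits directly above `ca ca.crt`, `cert server.crt` and `key server.key` without saying which of those lines a fingerprint-based setup keeps; since `peer-fingerprint` makes CA-based verification optional, one sentence noting that the `ca` line can then be left out, together with the existing pointer to the openvpn-examples man page, would prevent readers from ending up with a half-converted configuration.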
@@ -84,12 +92,18 @@
 #   openssl dhparam -out dh2048.pem 2048
 

[Openvpn-devel] [XS] Change in openvpn[master]: Avoid SIGUR1 to SIGHUP when the configuration is read from stdin

2024-03-04 Thread plaisthos (Code Review)
Attention is currently required from: flichtenheld.

Hello flichtenheld,

I'd like you to do a code review.
Please visit

http://gerrit.openvpn.net/c/openvpn/+/533?usp=email

to review the following change.


Change subject: Avoid SIGUR1 to SIGHUP when the configuration is read from stdin

Avoid SIGUR1 to SIGHUP when the configuration is read from stdin

If the configuration is read from stdin, we cannot reread the configuration
as stdin provides the configuration only once. So whenever we hit the
"close_context usr1 to hup" logic, the OpenVPN process will fail as it tries
to restart with an empty configuration.

Change-Id: Icfc179490d6821e22d14817941fb0bad667c713f
Signed-off-by: Arne Schwabe 
---
M src/openvpn/openvpn.c
1 file changed, 5 insertions(+), 3 deletions(-)



  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/33/533/1

diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c
index 874facf..4d1437d 100644
--- a/src/openvpn/openvpn.c
+++ b/src/openvpn/openvpn.c
@@ -32,6 +32,7 @@
 #include "multi.h"
 #include "win32.h"
 #include "platform.h"
+#include "string.h"

 #include "memdbg.h"

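Review bot: `#include "string.h"` uses the quoted form that the surrounding lines reserve for project headers (`multi.h`, `win32.h`, `platform.h`, `memdbg.h`); as a C library header it should be `#include <string.h>`, and since `strcmp` is already used throughout this code base the header is most likely already pulled in via `syshead.h`, so the include may be unnecessary altogether.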
@@ -60,9 +61,10 @@

 /* set point-to-point mode */
 c->mode = CM_P2P;
-
-/* initialize tunnel instance */
-init_instance_handle_signals(c, c->es, CC_HARD_USR1_TO_HUP);
+/* initialize tunnel instance, avoid SIGHUP when config is stdin since
+ * reading the config from stdin will not work */
+bool stdin_config = c->options.config && (strcmp(c->options.config, 
"stdin") == 0);
+init_instance_handle_signals(c, c->es, stdin_config ? 0 : 
CC_HARD_USR1_TO_HUP);
 if (IS_SIG(c))
 {
 return;
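Review bot: the check only disables the `CC_HARD_USR1_TO_HUP` conversion for `--config stdin`; a SIGHUP delivered directly is not affected and will still make the process reread an exhausted stdin, which the commit message should spell out so nobody expects this change to cover that case. The NULL guard on `c->options.config` before `strcmp` is correct. The subject line also spells the signal `SIGUR1`; it should read `SIGUSR1`.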


Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Icfc179490d6821e22d14817941fb0bad667c713f
Gerrit-Change-Number: 533
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: flichtenheld 
Gerrit-MessageType: newchange


[Openvpn-devel] [M] Change in openvpn[master]: samples: Update sample configurations

2024-03-04 Thread ordex (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

ordex has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/532?usp=email )

Change subject: samples: Update sample configurations


Patch Set 2: Code-Review+2



Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I1a36651c0dea52259533ffc00bccb9b03bf82e26
Gerrit-Change-Number: 532
Gerrit-PatchSet: 2
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: ordex 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Mon, 04 Mar 2024 13:15:23 +
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: samples: Remove tls-*.conf

2024-03-04 Thread ordex (Code Review)
Attention is currently required from: flichtenheld.

ordex has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/531?usp=email )

Change subject: samples: Remove tls-*.conf


Patch Set 1: Code-Review+2



Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I199541fea5a76c8edef7f67d2dbfc476987dc2f7
Gerrit-Change-Number: 531
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: ordex 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Mon, 04 Mar 2024 13:13:23 +
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: samples: Remove tls-*.conf

2024-03-04 Thread plaisthos (Code Review)
Attention is currently required from: flichtenheld.

plaisthos has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/531?usp=email )

Change subject: samples: Remove tls-*.conf


Patch Set 1: Code-Review+2



Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I199541fea5a76c8edef7f67d2dbfc476987dc2f7
Gerrit-Change-Number: 531
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Mon, 04 Mar 2024 13:08:30 +
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: samples: Update sample configurations

2024-03-04 Thread flichtenheld (Code Review)
Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/532?usp=email

to look at the new patch set (#2).


Change subject: samples: Update sample configurations

samples: Update sample configurations

- Remove compression settings. Not recommended anymore.
- Remove old cipher setting. Replaced by data-cipher with sane defaults.
- Remove/reword some old comments, e.g. no need to reference
  OpenVPN 1.x anymore.
- Mention peer-fingerprint alternative.

Github: #511
Change-Id: I1a36651c0dea52259533ffc00bccb9b03bf82e26
Signed-off-by: Frank Lichtenheld 
---
M sample/sample-config-files/README
M sample/sample-config-files/client.conf
M sample/sample-config-files/server.conf
3 files changed, 21 insertions(+), 43 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/32/532/2

diff --git a/sample/sample-config-files/README 
b/sample/sample-config-files/README
index d53ac79..1493dab 100644
--- a/sample/sample-config-files/README
+++ b/sample/sample-config-files/README
@@ -4,3 +4,5 @@
 which is located at:

 http://openvpn.net/howto.html
+
+See also the openvpn-examples man page.
diff --git a/sample/sample-config-files/client.conf 
b/sample/sample-config-files/client.conf
index 15cb1b3..1c20e1b 100644
--- a/sample/sample-config-files/client.conf
+++ b/sample/sample-config-files/client.conf
@@ -1,5 +1,5 @@
 ##
-# Sample client-side OpenVPN 2.0 config file #
+# Sample client-side OpenVPN 2.6 config file #
 # for connecting to multi-client server. #
 ##
 # This configuration can be used by multiple #
@@ -105,20 +105,7 @@

 # If a tls-auth key is used on the server
 # then every client must also have the key.
-tls-auth ta.key 1
-
-# Select a cryptographic cipher.
-# If the cipher option is used on the server
-# then you must also specify it here.
-# Note that v2.4 client/server will automatically
-# negotiate AES-256-GCM in TLS mode.
-# See also the data-ciphers option in the manpage
-cipher AES-256-CBC
-
-# Enable compression on the VPN link.
-# Don't enable this unless it is also
-# enabled in the server config file.
-#comp-lzo
+;tls-auth ta.key 1

 # Set log file verbosity.
 verb 3
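Review bot: this patch set deletes `cipher AES-256-CBC` together with its comment and leaves nothing for sites that still have peers without AEAD support; a commented `data-ciphers` line that appends a CBC fallback, marked as legacy-only, would keep that knowledge in the sample rather than relying on the default list. The commit message's "Replaced by data-cipher with sane defaults" also names the directive `data-cipher`, while the option is `data-ciphers`.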
diff --git a/sample/sample-config-files/server.conf 
b/sample/sample-config-files/server.conf
index d9345b6..927c465 100644
--- a/sample/sample-config-files/server.conf
+++ b/sample/sample-config-files/server.conf
@@ -1,5 +1,5 @@
 #
-# Sample OpenVPN 2.0 config file for#
+# Sample OpenVPN 2.6 config file for#
 # multi-client server.  #
 #   #
 # This file is for the server side  #
@@ -47,15 +47,15 @@
 # an explicit unit number, such as tun0.
 # On Windows, use "dev-node" for this.
 # On most systems, the VPN will not function
-# unless you partially or fully disable
+# unless you partially or fully disable/open
 # the firewall for the TUN/TAP interface.
 ;dev tap
 dev tun

 # Windows needs the TAP-Win32 adapter name
 # from the Network Connections panel if you
-# have more than one.  On XP SP2 or higher,
-# you may need to selectively disable the
+# have more than one.
+# You may need to selectively disable the
 # Windows firewall for the TAP adapter.
 # Non-Windows systems usually don't need this.
 ;dev-node MyTap
@@ -66,8 +66,9 @@
 # key file.  The server and all clients will
 # use the same ca file.
 #
-# See the "easy-rsa" directory for a series
-# of scripts for generating RSA certificates
+# See the "easy-rsa" project at
+# https://github.com/OpenVPN/easy-rsa
+# for generating RSA certificates
 # and private keys.  Remember to use
 # a unique Common Name for the server
 # and each of the client certificates.
@@ -75,6 +76,13 @@
 # Any X509 key management system can be used.
 # OpenVPN can also use a PKCS #12 formatted key file
 # (see "pkcs12" directive in man page).
+#
+# If you do not want to maintain a CA
+# and have a small number of clients
+# you can also use self-signed certificates
+# and use the peer-fingerprint option.
+# See openvpn-examples man page for a
+# configuration example.
 ca ca.crt
 cert server.crt
 key server.key  # This file should be kept secret
@@ -89,7 +97,7 @@
 # unless Windows clients v2.0.9 and lower have to
 # be supported (then net30, i.e. a /30 per client)
 # Defaults to net30 (not recommended)
-;topology subnet
+topology subnet

 # Configure server mode and supply a VPN subnet
 # for OpenVPN to draw client addresses from.
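Review bot: enabling `topology subnet` in the sample while the comment block directly above still ends with "Defaults to net30 (not recommended)" is confusing, because the sample now no longer uses that default; reword the comment to say that the sample sets subnet explicitly and that only the "Windows clients v2.0.9 and lower" it mentions would still need net30.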
@@ -218,7 +226,7 @@
 # IF YOU HAVE NOT GENERATED INDIVIDUAL
 # CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
 # EACH HAVING ITS OWN UNIQUE "COMMON NAME",
-# UNCOMMENT THIS LINE OUT.
+# UNCOMMENT THIS LINE.
 ;duplicate-cn

 # The keepalive directive causes 

[Openvpn-devel] [S] Change in openvpn[master]: gerrit-send-mail: add missing Signed-off-by

2024-03-04 Thread flichtenheld (Code Review)
Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to do a code review.
Please visit

http://gerrit.openvpn.net/c/openvpn/+/530?usp=email

to review the following change.


Change subject: gerrit-send-mail: add missing Signed-off-by

gerrit-send-mail: add missing Signed-off-by

Our development documentation says we add this
automatically when it is missing. So let's do that
here as well.

Change-Id: If9cb7d66f079fe1c87fcb5b4e59bc887533d77fa
Signed-off-by: Frank Lichtenheld 
---
M dev-tools/gerrit-send-mail.py
1 file changed, 13 insertions(+), 0 deletions(-)



  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/30/530/1

diff --git a/dev-tools/gerrit-send-mail.py b/dev-tools/gerrit-send-mail.py
index 67a2cf1..10305e2 100755
--- a/dev-tools/gerrit-send-mail.py
+++ b/dev-tools/gerrit-send-mail.py
@@ -50,6 +50,12 @@
 ack = f"{reviewer_name} <{reviewer_mail}>"
 print(f"Acked-by: {ack}")
 acked_by.append(ack)
+# construct Signed-off-by in case it is missing
+owner = json_data["owner"]
+owner_name = owner.get("display_name", owner["name"])
+owner_mail = owner.get("email", owner["name"])
+sign_off = f"{owner_name} <{owner_mail}>"
+print(f"Signed-off-by: {sign_off}")
 change_id = json_data["change_id"]
 # assumes that the created date in Gerrit is in UTC
 utc_stamp = (
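Review bot: `owner.get("email", owner["name"])` falls back to the account name when Gerrit returns no e-mail address, which yields a malformed trailer such as `Name <name>`; failing with an explicit error, or at least an obvious placeholder, would be better than silently emitting a bad `Signed-off-by`. The `display_name`/`name` fallback mirrors the reviewer handling above, which is good; `sign_off` is printed unconditionally even when the patch already carries the trailer, which is harmless but slightly misleading in the tool's output.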
@@ -67,6 +73,7 @@
 "target": json_data["branch"],
 "msg_id": msg_id,
 "acked_by": acked_by,
+"sign_off": sign_off,
 }


@@ -81,10 +88,14 @@

 def apply_patch_mods(patch_text, details, args):
 comment_start = patch_text.index("\n---\n") + len("\n---\n")
+signed_off_text = ""
+signed_off_comment = ""
 try:
 signed_off_start = patch_text.rindex("\nSigned-off-by: ")
 signed_off_end = patch_text.index("\n", signed_off_start + 1) + 1
 except ValueError:  # Signed-off missing
+signed_off_text = f"Signed-off-by: {details['sign_off']}\n"
+signed_off_comment = "\nSigned-off-by line for the author was added as 
per our policy.\n"
 signed_off_end = patch_text.index("\n---\n") + 1
 assert comment_start > signed_off_end
 acked_by_text = ""
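Review bot: `patch_text.rindex("\nSigned-off-by: ")` searches the whole patch, including the diff body, so a `Signed-off-by:` string inside a hunk (for example in a documentation patch describing this very policy) would be taken as the trailer and the real one judged present or absent wrongly; searching `patch_text[:comment_start]` restricts it to the commit message that the `\n---\n` separator delimits. The two new variables are initialised before the `try`, so both branches leave them defined, which is correct.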
@@ -94,6 +105,7 @@
 acked_by_names += f"{ack}\n"
 patch_text_mod = (
 patch_text[:signed_off_end]
++ signed_off_text
 + acked_by_text
 + patch_text[signed_off_end:comment_start]
 + f"""
@@ -102,6 +114,7 @@

 Gerrit URL: {args.url}/c/{details["project"]}/+/{args.changeid}
 This mail reflects revision {details["revision"]} of this Change.
+{signed_off_comment}
 Acked-by according to Gerrit (reflected above):
 {acked_by_names}
 """

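Review bot: `{signed_off_comment}` occupies its own line in the template, so when the trailer was already present (empty string) it produces one blank line between the revision sentence and "Acked-by according to Gerrit", and when it was added the leading and trailing `\n` of the comment plus the template's own newline produce two blank lines around the sentence; building the comment without the surrounding newlines, or placing the placeholder at the end of the previous line, keeps the mail layout the same in both cases.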

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If9cb7d66f079fe1c87fcb5b4e59bc887533d77fa
Gerrit-Change-Number: 530
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld 
Gerrit-Reviewer: plaisthos 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-MessageType: newchange


[Openvpn-devel] [M] Change in openvpn[master]: samples: Update sample configurations

2024-03-04 Thread flichtenheld (Code Review)
Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to do a code review.
Please visit

http://gerrit.openvpn.net/c/openvpn/+/532?usp=email

to review the following change.


Change subject: samples: Update sample configurations
..

samples: Update sample configurations

- Remove compression settings. Not recommended anymore.
- Remove old cipher setting. Replaced by data-cipher with sane defaults.
- Remove/reword some old comments, e.g. no need to reference
  OpenVPN 1.x anymore.
- Mention peer-fingerprint alternative.

Change-Id: I1a36651c0dea52259533ffc00bccb9b03bf82e26
Signed-off-by: Frank Lichtenheld 
---
M sample/sample-config-files/README
M sample/sample-config-files/client.conf
M sample/sample-config-files/server.conf
3 files changed, 21 insertions(+), 43 deletions(-)



  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/32/532/1

diff --git a/sample/sample-config-files/README 
b/sample/sample-config-files/README
index d53ac79..1493dab 100644
--- a/sample/sample-config-files/README
+++ b/sample/sample-config-files/README
@@ -4,3 +4,5 @@
 which is located at:

 http://openvpn.net/howto.html
+
+See also the openvpn-examples man page.
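Review bot: style point on the added pointer: "the openvpn-examples man page" could follow man-page convention and read openvpn-examples(5), matching how the rest of the documentation references it. Since this hunk is already touching the README's pointers, the http://openvpn.net/howto.html link in the context line above is a good candidate to move to https:// in the same change.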
diff --git a/sample/sample-config-files/client.conf 
b/sample/sample-config-files/client.conf
index 15cb1b3..1c20e1b 100644
--- a/sample/sample-config-files/client.conf
+++ b/sample/sample-config-files/client.conf
@@ -1,5 +1,5 @@
 ##
-# Sample client-side OpenVPN 2.0 config file #
+# Sample client-side OpenVPN 2.6 config file #
 # for connecting to multi-client server. #
 ##
 # This configuration can be used by multiple #
@@ -105,20 +105,7 @@

 # If a tls-auth key is used on the server
 # then every client must also have the key.
-tls-auth ta.key 1
-
-# Select a cryptographic cipher.
-# If the cipher option is used on the server
-# then you must also specify it here.
-# Note that v2.4 client/server will automatically
-# negotiate AES-256-GCM in TLS mode.
-# See also the data-ciphers option in the manpage
-cipher AES-256-CBC
-
-# Enable compression on the VPN link.
-# Don't enable this unless it is also
-# enabled in the server config file.
-#comp-lzo
+;tls-auth ta.key 1

 # Set log file verbosity.
 verb 3
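Review bot: commenting out `tls-auth ta.key 1` leaves the comment directly above it ("then every client must also have the key") stranded, and none of the server.conf hunks in this change touch tls-auth, so if the server sample still ships with an active `tls-auth ta.key 0` the client/server pair no longer connects out of the box; either disable it on both sides in the same change or keep it active here. While rewording that comment, consider mentioning tls-crypt, which since 2.4 both authenticates and encrypts the control channel and is the better default hardening for new deployments. Dropping `cipher AES-256-CBC` is right, but the removed block was the only place the client sample pointed at the data-ciphers option the commit message relies on; a one-line comment such as "# Data channel ciphers are negotiated, see --data-ciphers" would keep that pointer for users migrating from an explicit cipher setting.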
diff --git a/sample/sample-config-files/server.conf 
b/sample/sample-config-files/server.conf
index d9345b6..927c465 100644
--- a/sample/sample-config-files/server.conf
+++ b/sample/sample-config-files/server.conf
@@ -1,5 +1,5 @@
 #
-# Sample OpenVPN 2.0 config file for#
+# Sample OpenVPN 2.6 config file for#
 # multi-client server.  #
 #   #
 # This file is for the server side  #
@@ -47,15 +47,15 @@
 # an explicit unit number, such as tun0.
 # On Windows, use "dev-node" for this.
 # On most systems, the VPN will not function
-# unless you partially or fully disable
+# unless you partially or fully disable/open
 # the firewall for the TUN/TAP interface.
 ;dev tap
 dev tun

 # Windows needs the TAP-Win32 adapter name
 # from the Network Connections panel if you
-# have more than one.  On XP SP2 or higher,
-# you may need to selectively disable the
+# have more than one.
+# You may need to selectively disable the
 # Windows firewall for the TAP adapter.
 # Non-Windows systems usually don't need this.
 ;dev-node MyTap
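Review bot: "partially or fully disable/open the firewall" reads awkwardly; the intent is to let traffic through on the tunnel interface, so "unless you open the firewall for the TUN/TAP interface" (or "allow traffic on") says it more clearly and avoids suggesting that disabling the firewall is the expected fix. Removing the XP SP2 reference is fine.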
@@ -66,8 +66,9 @@
 # key file.  The server and all clients will
 # use the same ca file.
 #
-# See the "easy-rsa" directory for a series
-# of scripts for generating RSA certificates
+# See the "easy-rsa" project at
+# https://github.com/OpenVPN/easy-rsa
+# for generating RSA certificates
 # and private keys.  Remember to use
 # a unique Common Name for the server
 # and each of the client certificates.
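Review bot: minor wording point on the new easy-rsa pointer: "for generating RSA certificates and private keys" is narrower than what easy-rsa 3 does, since it also generates EC keys; "for generating certificates and private keys" is enough and avoids implying RSA is required.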
@@ -75,6 +76,13 @@
 # Any X509 key management system can be used.
 # OpenVPN can also use a PKCS #12 formatted key file
 # (see "pkcs12" directive in man page).
+#
+# If you do not want to maintain a CA
+# and have a small number of clients
+# you can also use self-signed certificates
+# and use the peer-fingerprint option.
+# See openvpn-examples man page for a
+# configuration example.
 ca ca.crt
 cert server.crt
 key server.key  # This file should be kept secret
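Review bot: the new peer-fingerprint paragraph should say that it needs OpenVPN 2.6 or newer on both ends, since the option did not exist in earlier releases; the header now says 2.6, but readers who pick this alternative for a mixed fleet of clients will otherwise find out only when older clients fail to connect. A hint that the same self-signed approach works on the client side (its own cert/key plus the server's fingerprint, no ca directive) would round it off, or point explicitly at the section of openvpn-examples that covers it.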
@@ -89,7 +97,7 @@
 # unless Windows clients v2.0.9 and lower have to
 # be supported (then net30, i.e. a /30 per client)
 # Defaults to net30 (not recommended)
-;topology subnet
+topology subnet

 # Configure server mode and supply a VPN subnet
 # for OpenVPN to draw client addresses from.
@@ -218,7 +226,7 @@
 # IF YOU HAVE NOT GENERATED INDIVIDUAL
 # CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
 # EACH HAVING ITS OWN UNIQUE "COMMON NAME",
-# UNCOMMENT THIS LINE OUT.
+# UNCOMMENT THIS LINE.
 ;duplicate-cn

 # The keepalive directive causes ping-like
@@ 

[Openvpn-devel] [M] Change in openvpn[master]: samples: Remove tls-*.conf

2024-03-04 Thread flichtenheld (Code Review)
Attention is currently required from: plaisthos.

Hello plaisthos,

I'd like you to do a code review.
Please visit

http://gerrit.openvpn.net/c/openvpn/+/531?usp=email

to review the following change.


Change subject: samples: Remove tls-*.conf
..

samples: Remove tls-*.conf

These are mostly redundant with client/server.conf
Let's try to manage to maintain one set of sample
configurations before we branch out further.

Change-Id: I199541fea5a76c8edef7f67d2dbfc476987dc2f7
Signed-off-by: Frank Lichtenheld 
---
D sample/sample-config-files/home.up
D sample/sample-config-files/office.up
D sample/sample-config-files/tls-home.conf
D sample/sample-config-files/tls-office.conf
4 files changed, 0 insertions(+), 173 deletions(-)



  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/31/531/1

diff --git a/sample/sample-config-files/home.up 
b/sample/sample-config-files/home.up
deleted file mode 100755
index 9c347cc..000
--- a/sample/sample-config-files/home.up
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-route add -net 10.0.0.0 netmask 255.255.255.0 gw $5
diff --git a/sample/sample-config-files/office.up 
b/sample/sample-config-files/office.up
deleted file mode 100755
index 74a71a3..000
--- a/sample/sample-config-files/office.up
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-route add -net 10.0.1.0 netmask 255.255.255.0 gw $5
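Review bot: home.up and office.up are shipped sample files (mode 100755), so if the sample directory's Makefile.am or any other dist list enumerates them, those lists need the matching removal; nothing in this diff touches a build file, so please confirm a `make dist` still passes with the four files gone.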
diff --git a/sample/sample-config-files/tls-home.conf 
b/sample/sample-config-files/tls-home.conf
deleted file mode 100644
index ff19d50..000
--- a/sample/sample-config-files/tls-home.conf
+++ /dev/null
@@ -1,83 +0,0 @@
-#
-# Sample OpenVPN configuration file for
-# home using SSL/TLS mode and RSA certificates/keys.
-#
-# '#' or ';' may be used to delimit comments.
-
-# Use a dynamic tun device.  For non-Linux OSes, you may want to use an
-# explicit unit number such as "tun1".
-# OpenVPN also supports virtual ethernet "tap" devices.
-dev tun
-
-# Our OpenVPN peer is the office gateway.
-remote 1.2.3.4
-
-# 10.1.0.2 is our local VPN endpoint (home).
-# 10.1.0.1 is our remote VPN endpoint (office).
-ifconfig 10.1.0.2 10.1.0.1
-
-# Our up script will establish routes
-# once the VPN is alive.
-up ./home.up
-
-# In SSL/TLS key exchange, Office will
-# assume server role and Home
-# will assume client role.
-tls-client
-
-# Certificate Authority file
-ca my-ca.crt
-
-# Our certificate/public key
-cert home.crt
-
-# Our private key
-key home.key
-
-# Our data channel cipher (must match peer config)
-cipher AES-256-GCM
-
-# OpenVPN 2.0 uses UDP port 1194 by default
-# (official port assignment by iana.org 11/04).
-# OpenVPN 1.x uses UDP port 5000 by default.
-# Each OpenVPN tunnel must use
-# a different port number.
-# lport or rport can be used
-# to denote different ports
-# for local and remote.
-; port 1194
-
-# Downgrade UID and GID to an
-# unpriviledged user after initialization
-# for extra security.
-; user openvpn
-; group openvpn
-
-# If you built OpenVPN with
-# LZO compression, uncomment
-# out the following line.
-; comp-lzo
-
-# Send a UDP ping to remote once
-# every 15 seconds to keep
-# stateful firewall connection
-# alive.  Uncomment this
-# out if you are using a stateful
-# firewall.
-; ping 15
-
-# Uncomment this section for a more reliable detection when a system
-# loses its connection.  For example, dial-ups or laptops that
-# travel to other locations.
-; ping 15
-; ping-restart 45
-; ping-timer-rem
-; persist-tun
-; persist-key
-
-# Verbosity level.
-# 0 -- quiet except for fatal errors.
-# 1 -- mostly quiet, but display non-fatal network errors.
-# 3 -- medium output, good for normal operation.
-# 9 -- verbose, good for troubleshooting
-verb 3
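Review bot: the commit message calls these files "mostly redundant", but tls-home.conf/tls-office.conf were the only samples showing a point-to-point TLS setup (static `ifconfig` plus `tls-client`/`tls-server` without `server`), which client.conf/server.conf do not cover; the commit message should say where that mode is documented now, e.g. the openvpn-examples man page, so the removal is not read as dropping the use case. The rest of the content supports deletion: `comp-lzo`, the OpenVPN 1.x port 5000 notes and the `ping`-only keepalive advice are all outdated and were about to drift further from the main samples.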
diff --git a/sample/sample-config-files/tls-office.conf 
b/sample/sample-config-files/tls-office.conf
deleted file mode 100644
index 152e58a..000
--- a/sample/sample-config-files/tls-office.conf
+++ /dev/null
@@ -1,86 +0,0 @@
-#
-# Sample OpenVPN configuration file for
-# office using SSL/TLS mode and RSA certificates/keys.
-#
-# '#' or ';' may be used to delimit comments.
-
-# Use a dynamic tun device.
-# For Linux 2.2 or non-Linux OSes,
-# you may want to use an explicit
-# unit number such as "tun1".
-# OpenVPN also supports virtual
-# ethernet "tap" devices.
-dev tun
-
-# 10.1.0.1 is our local VPN endpoint (office).
-# 10.1.0.2 is our remote VPN endpoint (home).
-ifconfig 10.1.0.1 10.1.0.2
-
-# Our up script will establish routes
-# once the VPN is alive.
-up ./office.up
-
-# In SSL/TLS key exchange, Office will
-# assume server role and Home
-# will assume client role.
-tls-server
-
-# Diffie-Hellman Parameters (tls-server only)
-dh dh2048.pem
-
-# Certificate Authority file
-ca my-ca.crt
-
-# Our certificate/public key
-cert office.crt
-
-# Our private key
-key office.key
-
-# Our data channel cipher (must match peer config)
-cipher AES-256-GCM
-
-# OpenVPN 2.0 uses UDP port 1194 by default
-# (official port assignment by iana.org