Re: [Openvpn-devel] windows client tests needed

2024-06-06 Thread Dmitry Melekhov

06.06.2024 16:23, Gert Doering writes:

Hello!


We used to have

   block-outside-dns

to prevent Windows from doing DNS lookups "around the VPN" - the main
intent of this was "make sure split DNS works", but a side effect has
also been "avoid DNS leaks".

Heiko has now extended this code to be able to "block everything not
going into the VPN".  To activate this, you need

   redirect-gateway def1 block-local

in your config ("block-local" is the keyword, but without "def1" you
end up with a split-tunnel and "nothing else is allowed", which is rarely
a really good combination).

Repeat: if "redirect-gateway block-local" is active, NO packets leave
via LAN/WiFi/... interfaces, except those sourced by the openvpn.exe
process.  This is important for maximum privacy, especially if you
roam into a network with an untrusted DHCP server.

Will

redirect-gateway def1 block-local

also apply block-outside-dns ?

Thank you!



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
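An added example, not part of the thread and not shipped by the OpenVPN project, of a Windows client profile that puts the two directives discussed above together. Server name, port and file names are placeholders; whether block-local also covers what block-outside-dns does is exactly the question left open in the message, so the profile keeps both.

```conf
# Added example; vpn.example.net, the port and the file names are placeholders.
client
dev tun
proto udp
remote vpn.example.net 1194
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server

# Full tunnel: def1 routes everything into the VPN, block-local then drops
# every packet that would still leave via LAN/WiFi unless openvpn.exe sent it
# (e.g. after roaming into a network with an untrusted DHCP server).
redirect-gateway def1 block-local

# Not this: "redirect-gateway block-local" without def1 gives a split tunnel
# in which nothing outside the VPN is reachable either.

# Windows-only DNS block. The thread does not confirm that block-local implies
# it, so it stays explicit; it is harmless when redundant.
block-outside-dns
```

Check the result from the client side after connecting: only the TAP/wintun adapter should carry a default route, and a lookup against a resolver on the LAN should fail rather than answer.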


Re: [Openvpn-devel] OpenVPN 2.6.7 released

2023-11-13 Thread Dmitry Melekhov

14.11.2023 11:05, Gert Doering writes:

Hi,

On Sun, Nov 12, 2023 at 06:08:48PM +, Greg Cox wrote:

Spun this config up, then ran:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 443,80
-j REDIRECT --to-ports 1194

Within 5 minutes the random web scanners found and segfaulted me.

... your port scanners are definitely better than mine - took more like 5
hours here to crash, but it confirms the current assumptions, ks->state
being S_UNDEF and ks->send_reliable being NULL.

Now, Arne's patch (if (ks->state == S_UNDEF) { continue; }) *should* have
fully fixed this, so I'm a bit surprised that we get "it still crashes"
reports...  will re-test with this setup and see what happens.

gert


I'd like to confirm that after the patch and more than 24 hours of running I have no 
issues.



Thank you!





Re: [Openvpn-devel] OpenVPN 2.6.7 released

2023-11-10 Thread Dmitry Melekhov


btw, what I missed, openvpn dies:

openvpn[11346]: segfault at 0 ip 55e33503f5f3 sp 7fff33642390 
error 4 in openvpn[55e334fc8000+8f000]


but only multipoint udp.



10.11.2023 11:35, Dmitry Melekhov writes:

10.11.2023 11:23, Gert Doering writes:

Hi,

On Fri, Nov 10, 2023 at 11:19:58AM +0400, Dmitry Melekhov wrote:

OK, now I know what is broken.

I have a so-called multihomed server, and multihomed udp does not work in
2.6.7.

On server with only one external interface everything works OK.

Are you using --multihome in your config?  If not, please add this - UDP
on a server with multiple IP addresses of the same family (v4 or v6) can
not work reliably without --multihome.


yes, sure.

as I said, 2.6.6 works OK, and all previous versions since multihomed 
support for udp was introduced.



If it does not work with --multihome, please send logs.



I see nothing strange in the logs, the server just loses the connection, the client 
too, then they reconnect.



(There is one multihome-related code change in 2.6.6 -> 2.6.7, but that
should only ever trigger if you use DCO)



I don't use dco, but multihomed udp does not work.



gert










Re: [Openvpn-devel] OpenVPN 2.6.7 released

2023-11-09 Thread Dmitry Melekhov

10.11.2023 11:23, Gert Doering writes:

Hi,

On Fri, Nov 10, 2023 at 11:19:58AM +0400, Dmitry Melekhov wrote:

OK, now I know what is broken.

I have a so-called multihomed server, and multihomed udp does not work in
2.6.7.

On server with only one external interface everything works OK.

Are you using --multihome in your config?  If not, please add this - UDP
on a server with multiple IP addresses of the same family (v4 or v6) can
not work reliably without --multihome.


yes, sure.

as I said, 2.6.6 works OK, and all previous versions since multihomed 
support for udp was introduced.




If it does not work with --multihome, please send logs.



I see nothing strange in the logs, the server just loses the connection, the client too, 
then they reconnect.



(There is one multihome-related code change in 2.6.6 -> 2.6.7, but that
should only ever trigger if you use DCO)



I don't use dco, but multihomed udp does not work.




gert




Re: [Openvpn-devel] OpenVPN 2.6.7 released

2023-11-09 Thread Dmitry Melekhov

10.11.2023 10:21, Dmitry Melekhov writes:

10.11.2023 00:56, Yuriy Darnobyt writes:

The OpenVPN community project team is proud to release OpenVPN 2.6.7.



something is broken in 2.6.7. It stops passing traffic several 
seconds after connection when acting as server,


so I reverted it back to 2.6.6.

compiled from sources on ubuntu 22.04 with --disable-dco

don't know where the problem is, at least for now.



OK, now I know what is broken.

I have a so-called multihomed server, and multihomed udp does not work in 
2.6.7.


On server with only one external interface everything works OK.


Could you, please, fix this?






Re: [Openvpn-devel] OpenVPN 2.6.7 released

2023-11-09 Thread Dmitry Melekhov

10.11.2023 00:56, Yuriy Darnobyt writes:

The OpenVPN community project team is proud to release OpenVPN 2.6.7.



something is broken in 2.6.7. It stops passing traffic several 
seconds after connection when acting as server,


so I reverted it back to 2.6.6.

compiled from sources on ubuntu 22.04 with --disable-dco

don't know where the problem is, at least for now.






Re: [Openvpn-devel] OpenVPN 2.5.9 released

2023-02-16 Thread Dmitry Melekhov

16.02.2023 17:11, Jonathan K. Bullard writes:
Not yet seeing anything about 2.5.9 at 
https://openvpn.net/community-downloads/. (From the New York City 
metropolitan area.)


Maybe caches need updating?


use almost the same url as for 2.5.8 but change the version; works for me.




Best regards,

Jon Bullard




On Thu, Feb 16, 2023 at 7:51 AM Frank Lichtenheld wrote:


The OpenVPN community project team is proud to release OpenVPN
2.5.9. This is
a small bugfix release.

The Windows MSI installers are now built against OpenSSL 1.1.1t
which contains
several security fixes.

List of changes in OpenVPN:



Source code and Windows installers can be downloaded from our
download page:



Debian and Ubuntu packages are available in the official apt
repositories:



On Red Hat derivatives we recommend using the Fedora Copr repository.



Regards,
-- 
  Frank Lichtenheld





Re: [Openvpn-devel] git master crashes on connect of 2.3 client with --enable-small

2020-07-13 Thread Dmitry Melekhov


13.07.2020 18:23, Marvin Adeff writes:

I’m wondering if the opposite of this scenario has been tested, where the 
server is running 2.3.18 (on Linux) and a client running 2.5 (on Windows) tries 
to connect?



No, I did not try this, because we run 2.4.9 on servers now.



I know, I know, we should upgrade.  Unfortunately in this case OpenVPN server 
is running on an appliance that cannot be upgraded past Linux 2.6, and I don’t 
think 2.4.x can run on Linux 2.6.



Well, if you have a running server you can easily test :-)






Re: [Openvpn-devel] git master crashes on connect of 2.3 client with --enable-small

2020-07-13 Thread Dmitry Melekhov

13.07.2020 10:58, Gert Doering writes:

Hi,

On Mon, Jul 13, 2020 at 08:33:03AM +0200, Gert Doering wrote:

On Mon, Jul 13, 2020 at 08:10:23AM +0200, Gert Doering wrote:

Ouch.  This is not good.  My gut feeling is "2.3 with --enable-small =
no OCC *and* no NCP = the server runs across a NULL pointer here".

Bäm.  Fully reproducible here

Program received signal SIGSEGV, Segmentation fault.
0x77af51be in ?? () from /lib64/libc.so.6
(gdb) where
#0  0x77af51be in ?? () from /lib64/libc.so.6
#1  0x555d4a7b in ncp_get_best_cipher (server_list=,
 server_cipher=0x555f28da "BF-CBC",
 peer_info=peer_info@entry=0x556781c0 
"IV_VER=2.3.18\nIV_PLAT=freebsd\nIV_PROTO=2\n", remote_cipher=0x0, 
gc=gc@entry=0x5565e070) at ssl_ncp.c:231

... and this is why (added a msg() call):

2020-07-13 08:36:59 us=802772 ncp_get_best_cipher(), peer_ncp_list=, 
tmp_ciphers=AES-256-GCM:AES-128-GCM:AES-128-CBC:AES-192-CBC:AES-256-CBC, 
remote_cipher=(null), server_cipher=BF-CBC

if "remote_cipher" is NULL (= no OCC) we pass that to "strcmp()", and that
does not want it.


Returning NULL from ncp_get_best_cipher() if there is nothing the client
has to offer works fine, though it triggers this warning

2020-07-13 08:43:01 us=483904 cron2-freebsd-tc-amd64-23/194.97.140.21:30927 
PUSH: No common cipher between server and client.Expect this connection not to 
work. Server ncp-ciphers: 
'AES-256-GCM:AES-128-GCM:AES-128-CBC:AES-192-CBC:AES-256-CBC', client supported 
ciphers ''


which we might want to reword for this case ("No information about cipher
support received from client, cannot ensure correct operation" or so).

Patch appended.

Comments?

gert


I just applied the patch, now the server works correctly with a 2.3.18 client 
compiled with enable-small


and with 2.5git with enable-small and ncp-disable in config.

I.e. everything works as expected.


Thank you!




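An added example, not OpenVPN's own code: a simplified model of the server-side "best cipher" selection that the gdb trace and Gert's msg() line above describe, written so that the NULL remote_cipher path (a 2.3 client built with --enable-small sends no OCC) is visible. The helper names, the peer_info strings and the exact negotiation rules are assumptions that follow the messages, not the real ssl_ncp.c; the fix modelled by best_cipher_checked() is the "return NULL if the client has nothing to offer" approach the thread settled on.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not OpenVPN's own code: a simplified model of the server-side
 * cipher selection discussed above, showing how a NULL remote_cipher (client
 * built with --enable-small, hence no OCC) reaches strcmp(). Helper names and
 * the exact rules are assumptions following the messages, not real ssl_ncp.c.
 */

/* Server list in the order of the log line quoted above. */
const char *const EXAMPLE_SERVER_LIST =
    "AES-256-GCM:AES-128-GCM:AES-128-CBC:AES-192-CBC:AES-256-CBC";
/* Constructed peer_info strings, modelled on the thread's log line. */
const char *const EXAMPLE_PEER_INFO_23 = "IV_VER=2.3.18\nIV_PLAT=freebsd\nIV_PROTO=2\n";
const char *const EXAMPLE_PEER_INFO_NCP = "IV_VER=2.5_git\nIV_PLAT=linux\nIV_NCP=2\n";

/* Is 'tok' (no colons) an entry of the colon-separated 'list'? */
static int list_contains(const char *list, const char *tok)
{
    size_t len = strlen(tok);
    for (const char *q = list; q && *q; ) {
        const char *sep = strchr(q, ':');
        size_t qlen = sep ? (size_t)(sep - q) : strlen(q);
        if (qlen == len && memcmp(q, tok, len) == 0)
            return 1;
        q = sep ? sep + 1 : NULL;
    }
    return 0;
}

/* Copy the value of the "KEY=value" line of peer_info into out; 0 if absent. */
static int peer_info_get(const char *peer_info, const char *key,
                         char *out, size_t outlen)
{
    size_t klen = strlen(key);
    for (const char *p = peer_info ? peer_info : ""; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = linelen - klen - 1;
            if (vlen >= outlen)
                vlen = outlen - 1;
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return 0;
}

/* Ciphers the client can negotiate: its IV_CIPHERS list, the two GCM ciphers
 * implied by IV_NCP=2, or nothing at all (2.3 clients, --ncp-disable). */
static void peer_ncp_list(const char *peer_info, char *out, size_t outlen)
{
    char ver[8];
    if (peer_info_get(peer_info, "IV_CIPHERS", out, outlen))
        return;
    if (peer_info_get(peer_info, "IV_NCP", ver, sizeof ver) && strcmp(ver, "2") == 0) {
        snprintf(out, outlen, "%s", "AES-256-GCM:AES-128-GCM");
        return;
    }
    out[0] = '\0';
}

/* First server entry the client accepts, via NCP or because it is the single
 * cipher announced through OCC (remote_cipher); NULL if nothing matches. */
static const char *pick_cipher(const char *server_list, const char *ncp_list,
                               const char *remote_cipher, char *out, size_t outlen)
{
    for (const char *p = server_list; p && *p; ) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len < outlen) {
            memcpy(out, p, len);
            out[len] = '\0';
            /* remote_cipher == NULL here is the SIGSEGV in the gdb trace */
            if (list_contains(ncp_list, out) || strcmp(out, remote_cipher) == 0)
                return out;
        }
        p = sep ? sep + 1 : NULL;
    }
    return NULL;
}

/* Bug pattern: assumes OCC always delivered a cipher string. */
const char *best_cipher_unchecked(const char *server_list, const char *peer_info,
                                  const char *remote_cipher, char *out, size_t outlen)
{
    char ncp[256];
    peer_ncp_list(peer_info, ncp, sizeof ncp);
    return pick_cipher(server_list, ncp, remote_cipher, out, outlen);
}

/* Fixed pattern, as in the thread: a client offering nothing (no NCP list,
 * no OCC) gets NULL back and the caller falls back to its own --cipher. */
const char *best_cipher_checked(const char *server_list, const char *peer_info,
                                const char *remote_cipher, char *out, size_t outlen)
{
    char ncp[256];
    peer_ncp_list(peer_info, ncp, sizeof ncp);
    if (ncp[0] == '\0' && remote_cipher == NULL)
        return NULL;
    return pick_cipher(server_list, ncp, remote_cipher ? remote_cipher : "", out, outlen);
}

int main(void)
{
    char out[64];
    const char *r = best_cipher_checked(EXAMPLE_SERVER_LIST, EXAMPLE_PEER_INFO_NCP, "AES-256-CBC", out, sizeof out);
    printf("2.5 client, IV_NCP=2      : %s\n", r ? r : "(null)");
    r = best_cipher_checked(EXAMPLE_SERVER_LIST, EXAMPLE_PEER_INFO_23, "AES-256-CBC", out, sizeof out);
    printf("2.3 client with OCC       : %s\n", r ? r : "(null)");
    r = best_cipher_checked(EXAMPLE_SERVER_LIST, EXAMPLE_PEER_INFO_23, NULL, out, sizeof out);
    printf("2.3 --enable-small, no OCC: %s\n", r ? r : "(null, use --cipher)");
    return 0;
}
```

Calling best_cipher_unchecked() with EXAMPLE_PEER_INFO_23 and a NULL remote_cipher reproduces the crash shape from the trace (strcmp on a NULL argument inside the cipher loop), which is why main() only exercises the checked variant for that input. Returning NULL moves the decision to the caller, which then has to log the "no information about cipher support received" case instead of treating it as "no common cipher".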


Re: [Openvpn-devel] [PATCH] systemd: Change the default cipher to AES-256-GCM for server configs

2020-07-12 Thread Dmitry Melekhov

12.07.2020 04:05, Arne Schwabe writes:

On 23.06.20 at 11:12, Dmitry Melekhov wrote:

23.06.2020 13:02, Gert Doering writes:


That patch is from Steffan, and review has been sitting in my lap for
way too long.  Need to see if it still applies.


Unfortunately it is not compatible with 2.4.9, because of introduced
change...

Can you test with current openvpn master if that works for you? That
now allows you to set the --cipher in ccd/connect-client scripts.

Arne


Hello!

Compiled master from git, installed on server copy with Ubuntu 18.04.

Compiled the same master with enable-small on my Ubuntu 20.04 desktop.

Added ncp-disable to config.

If the cipher is different from the default on the client and there is no cipher in 
ccd for the client, the connection fails.


If I add a specific cipher to the client, i.e. ciphers match, everything is fine.


So, looks like it works, but unfortunately, there is a problem:


Then I compiled openvpn-2.3.18 on Centos 6.

It connects if it is compiled by just using configure.

But if I compile 2.3.18 with enable-small, then the 2.5 server dies, always, 
even if there is no cipher in ccd and ciphers match.


On client side:

./openvpn belkam.ovpn
Mon Jul 13 09:33:17 2020 OpenVPN 2.3.18 x86_64-unknown-linux-gnu [SSL 
(OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jul 13 2020
Mon Jul 13 09:33:17 2020 library versions: OpenSSL 1.0.1e-fips 11 Feb 
2013, LZO 2.03

Enter Auth Username:dm
Enter Auth Password:
Mon Jul 13 09:33:20 2020 WARNING: No server certificate verification 
method has been enabled.  See http://openvpn.net/howto.html#mitm for 
more info.
Mon Jul 13 09:33:20 2020 WARNING: file '/home/dm/openvpn/dm.key' is 
group or others accessible

Mon Jul 13 09:33:20 2020 Socket Buffers: R=[87380->87380] S=[16384->16384]
Mon Jul 13 09:33:20 2020 Attempting to establish TCP connection with 
[AF_INET]192.168.222.2:1194 [nonblock]
Mon Jul 13 09:33:21 2020 TCP connection established with 
[AF_INET]192.168.222.2:1194

Mon Jul 13 09:33:21 2020 TCPv4_CLIENT link local: [undef]
Mon Jul 13 09:33:21 2020 TCPv4_CLIENT link remote: 
[AF_INET]192.168.222.2:1194
Mon Jul 13 09:33:21 2020 TLS: Initial packet from 
[AF_INET]192.168.222.2:1194, sid=7c5295f5 d243c13b
Mon Jul 13 09:33:21 2020 WARNING: this configuration may cache passwords 
in memory -- use the auth-nocache option to prevent this
Mon Jul 13 09:33:21 2020 VERIFY OK: depth=1, C=RU, ST=Udm, L=Izhevsk, 
O=Belkam, OU=UIT, CN=vpn.belkam.com, emailAddress=supp...@belkam.com
Mon Jul 13 09:33:21 2020 VERIFY OK: depth=0, C=RU, ST=Udm, L=Izhevsk, 
O=Belkam, OU=UIT, CN=ovpn1, emailAddress=supp...@belkam.com
Mon Jul 13 09:33:22 2020 Data Channel Encrypt: Cipher 'AES-256-CBC' 
initialized with 256 bit key
Mon Jul 13 09:33:22 2020 Data Channel Encrypt: Using 160 bit message 
hash 'SHA1' for HMAC authentication
Mon Jul 13 09:33:22 2020 Data Channel Decrypt: Cipher 'AES-256-CBC' 
initialized with 256 bit key
Mon Jul 13 09:33:22 2020 Data Channel Decrypt: Using 160 bit message 
hash 'SHA1' for HMAC authentication
Mon Jul 13 09:33:22 2020 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 
ECDHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Mon Jul 13 09:33:22 2020 [ovpn1] Peer Connection Initiated with 
[AF_INET]192.168.222.2:1194

Mon Jul 13 09:33:22 2020 Connection reset, restarting [0]
Mon Jul 13 09:33:22 2020 SIGUSR1[soft,connection-reset] received, 
process restarting

Mon Jul 13 09:33:22 2020 Restart pause, 5 second(s)

On server side:

Jul 13 09:33:22 ovpn1 systemd[1]: openvpn@server.service: Main process 
exited, code=killed, status=11/SEGV
Jul 13 09:33:22 ovpn1 systemd[1]: openvpn@server.service: Killing 
process 9231 (openvpn) with signal SIGKILL.
Jul 13 09:33:22 ovpn1 systemd[1]: openvpn@server.service: Failed with 
result 'signal'.



Server just dies...

Thank you!






Re: [Openvpn-devel] [PATCH] systemd: Change the default cipher to AES-256-GCM for server configs

2020-06-24 Thread Dmitry Melekhov


24.06.2020 14:12, Arne Schwabe writes:

There are openvpn 2.3 clients in 3g routers which are built without the
ability to inform the server about the cipher, so the server uses the default cipher for
them,

in case you need to change the default cipher on the server you can't do this,
because clients will not work; it is also impossible to change the default
cipher on all clients at once,

so this is where the ability to set the default cipher in ccd helps.  All this
is explained in the ticket.

Thanks to the patch author we were able to change the default cipher without
downtime.

btw, we still run such routers but can't do the same procedure, because the
patch is not compatible with 2.4.9, if for some reason the current cipher
becomes insecure, like blowfish.


Being able to specify ncp-fallback-cipher from my proposal per
ccd if no NCP could be performed would also fix your use case, right?



Yes, sure!

Thank you!





Re: [Openvpn-devel] [PATCH] systemd: Change the default cipher to AES-256-GCM for server configs

2020-06-23 Thread Dmitry Melekhov

23.06.2020 13:02, Gert Doering writes:



That patch is from Steffan, and review has been sitting in my lap for
way too long.  Need to see if it still applies.



Unfortunately it is not compatible with 2.4.9, because of an introduced 
change...








Re: [Openvpn-devel] [PATCH] systemd: Change the default cipher to AES-256-GCM for server configs

2020-06-23 Thread Dmitry Melekhov

23.06.2020 12:34, Arne Schwabe writes:

On 23.06.20 at 06:16, Dmitry Melekhov wrote:

22.06.2020 20:58, Selva Nair writes:

+*WARNING*    This MAY break configurations where the client uses
+    ``--disable-occ`` feature where the ``--cipher`` has
+    not been explicitly configured on both client and
+    server side.  It is recommended to remove the
``--disable-occ``
+    option*or*  explicitly add ``--cipher AES-256-GCM``
on the
+    client side if ``--disable-occ`` is strictly needed.

Well, maybe it is possible to add support for setting the cipher in ccd

as it was possible before 2.4.9 using the patch from here

https://community.openvpn.net/openvpn/ticket/845


I get that this might have been needed in 2.4.x with the first version
of NCP. But the NCP negotiation in 2.5.x should handle all use cases.

Help me understand why --cipher in ccd should be needed?

Arne

There are openvpn 2.3 clients in 3g routers which are built without the 
ability to inform the server about the cipher, so the server uses the default cipher for 
them,


in case you need to change the default cipher on the server you can't do this, 
because clients will not work; it is also impossible to change the default 
cipher on all clients at once,


so this is where the ability to set the default cipher in ccd helps.  All this 
is explained in the ticket.


Thanks to the patch author we were able to change the default cipher without 
downtime.


btw, we still run such routers but can't do the same procedure, because the 
patch is not compatible with 2.4.9, if for some reason the current cipher 
becomes insecure, like blowfish.



Thank you!




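An added example, not from the thread and not project-shipped configuration, of the per-client cipher arrangement that Dmitry's 3g-router use case above and his master test results (the 2020-07-12 message) describe. The CN, paths and the chosen ciphers are placeholders; the server-side option names are the 2.5 ones (data-ciphers / data-ciphers-fallback), and the ccd line relies on Arne's statement that master allows --cipher in ccd/client-connect.

```conf
# Added example; CN, paths and cipher choices are placeholders.

# --- server.conf ---
# Clients that speak NCP (IV_NCP / IV_CIPHERS) negotiate one of these.
data-ciphers AES-256-GCM:AES-128-GCM
# Server-wide fallback for clients that cannot negotiate (2.3 builds,
# --ncp-disable); this is what replaces the old BF-CBC default.
data-ciphers-fallback AES-256-CBC
client-config-dir /etc/openvpn/ccd

# --- /etc/openvpn/ccd/router-3g-17  (file named after the client CN) ---
# A 2.3 router built with --enable-small sends no OCC, so the server cannot
# learn what the router is configured with. Pin it here per client; once the
# router is reflashed with a matching cipher, delete this file. No downtime.
cipher AES-128-CBC
```

The migration order that this makes possible is: change the server-wide fallback first, pin every legacy client in its ccd file to what it currently runs, then walk the clients one by one and drop each pin as the client catches up. Keep the pinned ciphers off BF-CBC; the point of the exercise is not to be stuck with it.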


Re: [Openvpn-devel] [PATCH] systemd: Change the default cipher to AES-256-GCM for server configs

2020-06-22 Thread Dmitry Melekhov

22.06.2020 20:58, Selva Nair writes:

+*WARNING*This MAY break configurations where the client uses
+``--disable-occ`` feature where the ``--cipher`` has
+not been explicitly configured on both client and
+server side.  It is recommended to remove the ``--disable-occ``
+option*or*  explicitly add ``--cipher AES-256-GCM`` on the
+client side if ``--disable-occ`` is strictly needed.
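Review bot: in the second-to-last line of the hunk, `option*or*  explicitly` has no whitespace before the opening `*`, so reStructuredText will not treat `*or*` as emphasis and the literal asterisks will reach the rendered man page; write `option *or* explicitly` with single spaces, and check the indentation of the continuation lines against the other WARNING blocks in the same file so the note renders as one paragraph.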


Well, maybe it is possible to add support for setting the cipher in ccd

as it was possible before 2.4.9 using the patch from here

https://community.openvpn.net/openvpn/ticket/845

?


Thank you!







[Openvpn-devel] 2.4.9 and cipher in ccd

2020-04-18 Thread Dmitry Melekhov





Hello!


We have used the patch from https://community.openvpn.net/openvpn/ticket/845 for 
several years,


it is still interesting for us and allows us to set the cipher per client in ccd.

Unfortunately, 2.4.9 makes this patch incompatible.

Is it possible to update this patch for 2.4.9? Unfortunately I don't have 
enough knowledge to do this :-(



Thank you!


