Re: [Openvpn-devel] any reason output_peer_info_env isn't in 2.3.8?
On 27/10/15 20:57, Gert Doering wrote:
> Another feature that you really want on the server is server-side
> peer-id support :-) - and that one is even more intrusive, so I'd just
> stay at git master for the server.

Well, I really love the peer-id support trick too, so you've got me sold - git it is! :-)

-- 
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
[Openvpn-devel] any reason output_peer_info_env isn't in 2.3.8?
Hi there

I've been running on openvpn-git for some time (2.3.4-ish?) due to my desire to rely on UV_* variables being passed from the client to the server/router. Anyway, I saw some other "git" features I used were in 2.3.8, so I decided to try that and discovered it still doesn't have the server components for parsing environment vars pushed by the client.

Is there any reason that "feature" still isn't present? I mean - it's a bug - there's no point in having the client support a feature that the server can't even interpret?

-- 
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
On 22/10/15 20:50, Gert Doering wrote:
> I've heard people ask for "we need the VPN to be up before user login so
> windows domain login works!" - so the GUI won't be around yet.
>
> Now, not being a windows person and not running this domain stuff I'm
> not sure if there are other ways to achieve that - but this is what has
> been told to me...

I can confirm that is precisely the way we use openvpn. We use it as an "always on vpn" and so it needs to be running via a service at boot time. nssm works well for us in that regard.

-- 
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-devel] [PATCH] Added two features to Network Address Translator
On 26/08/15 20:35, Arne Schwabe wrote:
> Okay yes. Active FTP is broken by our simple nat implementation. But I
> think FTP, let alone active FTP is dead. I am not sure if we should
> support this in our simple NAT implementation.

I agree. Surely this would be the beginning of a complete beat-up? If you support FTP port tracing in openvpn, then what about all the other odd-ball protocols that "real" firewalls have to have new code to support? Where does this end?

Looking at Linux iptables, I can see the following - should all these be done too? (I'd argue having "fake NAT" itself might be a mistake ;-)

netfilter]# ll nf_nat*
-rw-r--r-- 1 root root  2052 Aug  4 16:18 nf_nat_amanda.ko.xz
-rw-r--r-- 1 root root  2680 Aug  4 16:18 nf_nat_ftp.ko.xz
-rw-r--r-- 1 root root  2444 Aug  4 16:18 nf_nat_irc.ko.xz
-rw-r--r-- 1 root root 10144 Aug  4 16:18 nf_nat.ko.xz
-rw-r--r-- 1 root root  1928 Aug  4 16:18 nf_nat_proto_dccp.ko.xz
-rw-r--r-- 1 root root  2048 Aug  4 16:18 nf_nat_proto_sctp.ko.xz
-rw-r--r-- 1 root root  1900 Aug  4 16:18 nf_nat_proto_udplite.ko.xz
-rw-r--r-- 1 root root  2456 Aug  4 16:18 nf_nat_redirect.ko.xz
-rw-r--r-- 1 root root  6212 Aug  4 16:18 nf_nat_sip.ko.xz
-rw-r--r-- 1 root root  1764 Aug  4 16:18 nf_nat_tftp.ko.xz

-- 
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-devel] about client-cert-not-required
On 23/06/15 19:39, Gert Doering wrote:
> As far as the feature itself is concerned, I'm not voicing an opinion
> (as I've never seen a deployment without client certs, so don't
> understand the implications)

I have - it's very useful in particular circumstances. But the few people like me who use it will have to move to the new format ;-)

The migration plan Steffan suggested sounds perfect.

-- 
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-devel] about client-cert-not-required
On 23/06/15 03:50, Jan Just Keijser wrote:
> 1) do we think it's valuable to add something like this (currently NO
> cert checks are done when 'client-cert-not-required' is used) ?

Sounds like what you really want is for this to be renamed "--verify-client-cert (none|optional|required)" - with the default still being "required" of course - sort of like Apache's SSLVerifyClient.

-- 
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-devel] OpenVPN and XOR patches
On 15/05/15 20:04, Lisa Minogue wrote:
> One thing to keep in mind with the Tor/obfsproxy and stunnel, is that once
> you get into lossy networks, you're going to find ovpn can become unusable.
>
> What's your definition of lossy networks?

I think the lossy comment is not a tunnelling issue - lossy networks lead to majorly lossy VPNs in general. e.g. we've run Cisco IPSec VPN tunnels over the Internet for 15 years and I can tell you the "rule of thumb" is 1% packet loss on the Internet == 10% packet loss in IPSec tunnels (and 10% is "agh!!! the network is down!!!"). So if you are tunnelling openvpn through another layer, I can imagine it making things even worse - but it's not the extra layer that's really to blame - it's simply lossy network == unhappiness.

Another anecdote: two weeks ago I was in a hotel where the dodgy WiFi network had my laptop roaming between a working AP and a non-working AP (which I could only diagnose because I vaguely know what I'm doing). Every time I roamed to the non-working AP, my openvpn would time out and then my laptop would roam back to the working AP and openvpn would successfully re-initialize. This led to a nearly unusable VPN connection. However, I barely noticed this "flapping" within my web browser which was accessing the Internet directly (stateless web pages - without youtube of course ;-) - which made me think that if I was a "normal" user, I'd be saying "the Internet is fine - it's the vpn that's broken".

I really doubt any vpn software could better compensate for that corner case - and I think that fits the description of "lossy network" well.

-- 
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-devel] OpenVPN Service Windows 8
Unless other changes have been made to the windows service, I'd recommend not using it at all. There are error conditions under which it just hangs and blocks openvpn.exe from working.

We moved to using nssm - we set it to auto-restart on error and now openvpn as a Windows service is as reliable as openvpn as a Unix service.

Jason

-- 
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
[Openvpn-devel] server support for UV_ variables still not present in 2.3.6?
Hi there

Back in Aug 2014, I needed the server to support exporting the UV_* variables the client sets into external programs the server calls on client-connect, so was told to try out openvpn-2.3_git - which had that missing code. So I did a clone of that and off I went.

I've been happily running on that for some time now - but just tried out 2.3.6 - and discovered that support still wasn't in there! Was it dropped for some reason, or was/is 2.3_git not a true representation of what ended up in the official 2.3 series?

The missing code was in src/openvpn/misc.c

Thanks

-- 
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-devel] feature request: get openvpn to use closest server
On 10/12/14 08:09, Gert Doering wrote:
> In what kind of scenario would an OpenVPN server not be available, if
> the server itself still responds to pings?
>
> "The server process crashed".

LOL! It took Gert to spot the most obvious scenario ;-)

That really reinforces what I think about this needing to be an "openvpn ping" type solution: it is irrelevant if the server is up or even if openvpn tcp ports appear to be open, it's only evidence that openvpn is working that should be taken as evidence that openvpn is - well - working :-)

-- 
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
[Openvpn-devel] feature request: get openvpn to use closest server
Hi there

If you have a global network with several openvpn servers, you have a problem with getting clients to connect to the "best" server(*). Typically you'd either rely on users manually choosing the best server (which they can't do well as they don't know the full story), or do something easy like have one DNS name with multiple A records - but the latter would mean users were using the *wrong* server the majority of the time.

Some can manage tricks using geoip DNS - but even that doesn't work reliably (eg if a lot of users hardwire Google/OpenDNS DNS servers in their client). Really speaking, AnyCast is the only "proper" way of doing it - but that's a "big boy" solution.

So I propose openvpn itself could solve this problem - if it had some application layer way of "pinging" all available openvpn servers and choosing the one that responds "best". I'd suggest it only be supported for sites using "tls-auth" but that it doesn't need the full cert check - that way it's one packet from the client and one return packet from the server. I'd also suggest the server can respond with a "don't use me" message: maybe a new config option "pause-logins /path/filename" so that sysadmins can write their own load tests and create/delete that file when needed.

The client could send "openvpn-pings" to each server (when the DNS server name resolves to >1 IP) and try up to 3 times before making a decision. ie packet loss means there needs to be a retry aspect, 3 failures means the server is down/firewalled, but if the server responds with "don't use me" then it's treated as "down" too. Then the client can simply figure out which positive return had the smallest latency and then use that to influence the order in which it tries to log into the servers. ie it doesn't replace the current server connection logic, it just re-sorts it before carrying on as usual.

I also think it should be done with some "openvpn-ping" instead of icmp ping because it confirms the server is available on the protocol/port combination, whereas icmp doesn't.

Is this something others would find useful? Cisco Anyconnect has this feature, so it's not an original idea.

Thanks for listening

Jason

Note (*): we've run cisco vpnclient for over a decade and what we've discovered is "best" matters. Users who vpn into the closest vpn server get off the unpredictable Internet and onto a more predictable/consistent WAN link - and get the benefits that implies. eg we run VoIP internally and such a realtime application is very latency dependent. People who vpn across continents back to their "home" vpn router complain that VoIP is awful, whereas those that vpn'ed into the corporate site down the road from their hotel, they get much better realtime performance. And if they don't - the company can do something to fix that - whereas we have no ability to improve the performance of random hotels/countries/etc.

-- 
Cheers
Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
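The selection rules proposed in the message above (probe each server up to three times, treat three silent tries as down/firewalled, treat a "don't use me" answer as down too, then re-sort the server list by best latency before the normal connection logic runs), written out as an added example. This is not code from the thread or from OpenVPN, and the "openvpn-ping" exchange it relies on does not exist in OpenVPN; the probe is therefore injected as a callable, and the host names and latencies below are constructed for illustration.

```python
"""Added example: rank OpenVPN servers by an application-layer probe.

Not OpenVPN code. Models the selection policy proposed on the list:
probe every server up to N times, treat N silent attempts as
down/firewalled, treat a "don't use me" answer as down, then re-sort the
server list by best observed latency. The probe itself is a hypothetical
"openvpn-ping"; it is injected so the policy can be exercised offline.
"""
from typing import Callable, Dict, List, Optional, Sequence, Tuple, Union

PAUSED = "pause"                         # server replied "don't use me" (hypothetical)
ProbeResult = Union[float, str, None]    # latency in ms, PAUSED, or None (no answer)


def rank_servers(servers: Sequence[str],
                 probe: Callable[[str], ProbeResult],
                 attempts: int = 3) -> List[str]:
    """Return servers ordered by best latency. Down or paused servers keep
    their original relative order at the end, so the normal retry logic
    still reaches them last instead of never."""
    reachable: List[Tuple[float, str]] = []
    down: List[str] = []
    for host in servers:
        best: Optional[float] = None
        paused = False
        for _ in range(attempts):           # bounded: at most N packets per host
            answer = probe(host)
            if answer == PAUSED:
                paused = True               # explicit "don't use me": stop retrying
                break
            if answer is None:
                continue                    # lost packet: retry
            best = answer if best is None else min(best, answer)
        if paused or best is None:
            down.append(host)
        else:
            reachable.append((best, host))
    reachable.sort(key=lambda t: t[0])
    return [host for _, host in reachable] + down


def make_scripted_probe(script: Dict[str, Sequence[ProbeResult]]) -> Callable[[str], ProbeResult]:
    """Build a probe that replays constructed answers per host; once a
    host's script is exhausted it answers None (no reply)."""
    calls: Dict[str, int] = {host: 0 for host in script}

    def probe(host: str) -> ProbeResult:
        i = calls[host]
        calls[host] += 1
        answers = script[host]
        return answers[i] if i < len(answers) else None
    return probe


# Constructed sample: hypothetical hosts and latencies, not real servers.
SAMPLE_SCRIPT: Dict[str, Sequence[ProbeResult]] = {
    "vpn-us.example": [120.0, 115.0, 118.0],   # reachable, best ~115 ms
    "vpn-maint.example": [PAUSED],             # admin created the pause file
    "vpn-ap.example": [None, None, None],      # firewalled: three silent tries
    "vpn-eu.example": [None, 40.0, 38.0],      # one lost packet, then ~38 ms
}
SAMPLE_ORDER = ["vpn-us.example", "vpn-maint.example", "vpn-ap.example", "vpn-eu.example"]


def demo() -> List[str]:
    """Re-sort the constructed server list; the DNS/config order is kept
    for servers that are down."""
    return rank_servers(SAMPLE_ORDER, make_scripted_probe(SAMPLE_SCRIPT))


if __name__ == "__main__":
    print(demo())   # ['vpn-eu.example', 'vpn-us.example', 'vpn-maint.example', 'vpn-ap.example']
```

Two points worth keeping if something like this were ever built: the retry count bounds the cost of a dead or paused server at `attempts` packets, and the probe should be covered by the tls-auth HMAC the message suggests, so that the server only answers senders who hold the key and the exchange cannot be used as an unauthenticated reflector.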
Re: [Openvpn-devel] OpenVPN Management Interface
On 07/03/12 07:55, Alon Bar-Lev wrote:
> 1. Multi user computer - we need to make sure one user cannot use
> another user credentials and not effect the other users. With changes
> I suggested there is full solution for this.

Is that really a risk worth solving? I mean, does *anyone*, *anywhere* allow *any* form of end-user triggered VPN access from a multi-user machine? I cannot imagine (say) a Windows 2008 terminal server where users have local administrator privileges (huh?!?) and are allowed to create PPTP/L2TP/whatever links at will - it'd be chaos!

Here's what I see are the primary use-cases of openvpn (or any software vpn really):

1. Using openvpn as a router. No need to worry about this - as there are no local users

2. I believe anyone using openvpn on multi-user servers should be expected to have set authentication details for the management interface (or not use it at all...). Users wouldn't have admin privilege, so no concerns with stealing creds from memory

3. single-user computers where users have local admin. Malware would be an issue - but would be even with the best privilege separation (can you say "keylogger"?)

4. single-user computers where users don't have local admin. Privilege separation is a must for this scenario

Your comments on rogue servers is certainly worth discussing too. What can a rogue openvpn server push back to a client? Routes obviously - but other than screwing the client, is there any new risk? If the client has "pull" enabled, it is implicit that there's the opportunity for the client to find their network access corrupted by bad routes from the server. As the server is meant to be able to push routes to the client, I cannot see how that can ever be remediated (besides disabling "pull" and/or using "route-noexec/route-nopull", etc).

However, the server can't tell the client to become a router (therefore opening up the client's internal network to be accessible from the server), nor can it force the client to create local accounts, install software, etc. So what are the actual risks?

-- 
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-devel] Running udp and tcp server in the same instance
On 03/03/12 03:59, Gert Doering wrote:
> I would *love* to have that. And it's somewhere on my TODO list of
> things to implement in OpenVPN (multiple listening sockets in a single
> process).

Given the issue with the non-threaded nature of openvpn and the bottlenecks that can cause under load, what's wrong with running separate instances on multiple tcp and udp ports, and then using a "--client-connect" script to return a unique IP to clients?

We use that so that all VPN users are always assigned "their" constant IP by mapping an IP to the CN field - that also stops them using the same cert on >1 clients... (ie that's a feature for us - not a bug). Actually it doesn't stop them using it on >1 clients - but it stops them running >1 clients simultaneously :-)

With this, we have the luxury that every client always gets the same IP - which makes asset management *much* easier and means you get marvellous side-effects like I can be SSH-ed into a work machine at home, suspend my laptop, go to another building and get a completely different Internet address, and yet seconds later have openvpn auto-reconnect to work and find my SSH session still works. So cool :-)

-- 
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
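A "--client-connect" script of the kind the message above describes, as an added example (the poster's own script is not on the page, and this is not part of OpenVPN). It assumes `topology subnet` on the server (so the second argument of `ifconfig-push` is a netmask), a hand-maintained CN-to-address table (the names and addresses below are made up), and OpenVPN's documented client-connect contract: the script gets the path of a temporary config file as its first argument, finds the certificate CN in the `common_name` environment variable, and rejects the client by exiting non-zero.

```python
#!/usr/bin/env python3
"""Added example of an OpenVPN --client-connect script (not OpenVPN's code).

Assumptions: the server runs `topology subnet`, so the second argument of
ifconfig-push is a netmask; CN_TO_IP is a constructed sample table;
OpenVPN passes the temporary config path as argv[1] and the client cert's
CN in $common_name, and a non-zero exit status disconnects the client.
"""
import os
import sys
from typing import Dict, List, Optional

# Constructed sample: hypothetical certificate CNs and tunnel addresses.
CN_TO_IP: Dict[str, str] = {
    "alice-laptop": "10.8.0.10",
    "bob-desktop": "10.8.0.11",
}
NETMASK = "255.255.255.0"   # matches an assumed `server 10.8.0.0 255.255.255.0`


def directives_for(common_name: str,
                   table: Dict[str, str] = CN_TO_IP,
                   netmask: str = NETMASK) -> Optional[List[str]]:
    """Config lines OpenVPN should apply for this CN, or None to reject.

    Unknown CNs are rejected rather than left to the dynamic pool: that is
    what makes "one cert, one fixed address" enforceable, because a cert
    that is not in the table cannot connect at all.
    """
    ip = table.get(common_name)
    if ip is None:
        return None
    return [f"ifconfig-push {ip} {netmask}"]


def main(argv: List[str]) -> int:
    if len(argv) < 2:
        print("usage: client-connect.py <tmp-config-file>", file=sys.stderr)
        return 1
    cn = os.environ.get("common_name", "")
    lines = directives_for(cn)
    if lines is None:
        # OpenVPN logs the exit status; non-zero means the client is dropped.
        print(f"client-connect: no fixed address for CN {cn!r}, rejecting",
              file=sys.stderr)
        return 1
    with open(argv[1], "w", encoding="ascii") as f:
        f.write("\n".join(lines) + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it up with `client-connect /etc/openvpn/client-connect.py` and `script-security 2` on the server. Without `--duplicate-cn` OpenVPN already replaces an existing session when the same CN connects again, which is the "only one client at a time" behaviour the message relies on; with `--duplicate-cn` this script would push the same address to two live sessions, so the two should not be combined.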
Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released
A comment on your [1] reference. The issue of remote-user vs enterprise is an old one - that affects many software applications - not just openvpn. I personally think the proper solution is to implement NAC: make "the network/enterprise" audit the remote host and only allow it if it meets expectations. As such I don't think openvpn has to solve this problem itself, as "the enterprise" cares a lot more about the remote machine than whether or not the remote user has injected a couple of routes into the local routing table. eg Windows AV status.

I think openvpn is quite entitled to act as a "mere" vpn solution; "the enterprise" should invoke a more over-arching solution (such as NAC with NAC agents) to ensure policy compliance.

Jason

On 01/03/12 10:36, Alon Bar-Lev wrote:
> 2012/2/29 Gert Doering <g...@greenie.muc.de>:
>> Hi,
>>
>> On Wed, Feb 29, 2012 at 07:43:18PM +0100, Carsten Krüger wrote:
>>>> Part of the assumption here is "the user controls the openvpn config",
>>>> and as such, he can make openvpn.exe run arbitrary scripts anyway - and
>>>> to stop this from being a problem, just run openvpn.exe with your uid.
>>> What operation could be in script that is useful when it's executed
>>> in user context.
>>>
>>> I never used script with openvpn. I've no idea which are real world
>>> applications for it.
>> Scripts are for creative uses that the programmers of openvpn have not
>> foreseen. Like "after the VPN is up, auto-sync all your git repositories"
>> or "open up a few xterms with ssh's to $internalhosts".
>>
>> David had some other idea recently, which I forgot.
> This is a great example why this functionality should *MOVE OUT* of
> the openvpn code base.
> The UI can monitor OpenVPN and run scripts when such events are
> detected via the management interface.
> The UI already runs in the context of the interactive user.
>
> I would like to receive replies to [1].
>
> Thanks,
> Alon.
>
> [1] http://sourceforge.net/mailarchive/message.php?msg_id=28910374

-- 
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released
On 29/02/12 11:47, Carsten Krüger wrote:
> I found that openvpn.exe is extremely unstable on non perfectly
> friendly behaving client ... Now I use the Non-Sucking Service Manager
> ( http://nssm.cc/ ) instead of openvpnserv.exe to spawn openvpn.exe It
> restarts openvpn.exe automatically if it's crashed.

Good point. I reported this in Mar last year ("bugs with openvpnserv.exe") and it seems it was acknowledged as an issue. Is that fixed now? Would be great to see openvpn.exe restarting on error - without having to resort to srvany or nssm ;-)

Thanks

-- 
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-devel] Windows Auto-Proxy
On 26/07/11 14:57, Russell Morris wrote:
> I use OpenVPN with a Windows client, and I tend to be on one network
> one minute, another the next. One time with a proxy, the next time
> without ... so I really want OpenVPN to automatically detect the proxy
> (if there is one), and apply it ... for every connection restart,
> client open, etc. My thinking is to add a new option, say something
> like "auto-proxy" (so this won't break anything that is already
> working!). The idea being that if this option is enabled, then on
> every connection / reconnection attempt OpenVPN will first check the
> proxy, and then apply it for the actual connection back to the server.
> Hopefully this makes sense so far ... J.

...isn't that already done by "--auto-proxy"? Been part of openvpn since 2.1(ish?)

BTW: I totally agree this is a big deal. For openvpn to be truly brilliant, it needs

1. one config to handle both udp and tcp-based "<connection>" profiles [sorta supported]

2. "fragment", "mss-fix" and proxy support within profiles [not currently supported - which effectively makes "1." never work in practice]

3. dynamically figure out if a proxy is available and use that for TCP-based profiles [I thought that was supported by "--auto-proxy"]

With such features and a properly ordered config, you'd have a VPN client that would tunnel out over UDP if it can, TCP if it can't, and TCP-via-proxy if it has to. Basically, you'd be guaranteed a working VPN session on any network that you're meant to be able to do such things on (with one config).

-- 
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-devel] openvpn protocol breaks proxies intercepting SSL ...
On 03/12/2011 10:34 AM, Vineet Kumar wrote:
> BlueCoat's ProxySG is one that runs transparent SSL protocol detection
> and breaks if openvpn traffic is coming in via 443. This proxy is able
> to pass through other non-HTTP pure SSL traffic though and not just
> HTTPS.

A bit off-topic, but do you know if Skype works through that proxy? Skype falls back to attempting connections over port 443 if it can't get others to work, and as it is primarily a UDP-based product - like openvpn - I've always wondered if their "port 443" traffic was true SSL or just some other encrypted "skype protocol". i.e. if an organization has a policied BlueCoat transparent HTTPS proxy, and general egress filtering, does Skype work?

-- 
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-devel] openvpn protocol breaks proxies intercepting SSL ...
On 03/11/2011 02:04 PM, Vineet Kumar wrote:
> Hi,
> Due to the reliability layer wrapping the SSL handshake packets plus
> a few non-SSL messages during tunnel-setup time the openvpn protocol
> when targeted to port 443 (instead of 1194) ends up breaking if a
> proxy sits in the middle and is expecting SSL protocol on 443. How can I
> get around this (well apart of not using 443)?

Are you talking about transparent https proxies? Such devices are designed to block non-SSL applications (which openvpn is), and can even block HTTPS transactions that don't use "sanctioned" CAs.

I think you'll be out of luck making openvpn run through such an environment.

> Also, doesn't this make openvpn different from other SSL VPNs which
> advertise the fact that they are truly SSL?

Yes it does.

-- 
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-devel] Intelligent OpenVPN service?
On 10/19/2010 07:43 AM, Davide Brini wrote:
> Sorry for the silly question, but how do you expect the OpenVPN link to be
> established if the computer "does not already have a connection"?
>
> What do you mean with the above statement?

I think he means: if the machine is on the corporate network, then don't kick off an openvpn connection to the corporate network.

We did that here using firewall trickery. We block access to the openvpn server ports from the corporate network - that way openvpn can remain permanently running on all clients, and it will only work when clients connect from non-corporate networks.

It's a kludge (hard to scale when you have dozens of corporate Internet address ranges) - what's really needed is a "--pre-connection" option - so that we can run scripts before the openvpn service even starts. Then the "pre" script could explicitly check if the corporate network is available (eg attempt to download a HTTPS page from an exclusively internal server) and error if it is - causing openvpn to not attempt to make a connection.

See "2.1 client - how to autorun script post-connect" for further comments about why I think a "pre" script option would be a good idea.

-- 
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-devel] proper "logout" support for the server?
On 09/24/2010 07:05 PM, Jan Just Keijser wrote:
> it's already available:
> --explicit-exit-notify
> this is needed only for UDP based connections, as the server will know
> when a TCP connection has ended.

Ha! So it is. Given the amount of time I've read the manpage, I'm surprised I've missed it :-}

-- 
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
[Openvpn-devel] proper "logout" support for the server?
Hi there

Minor feature request. When a user ends their openvpn client session, shouldn't it be possible to send one last command to the server - a "logout" command? That way the server can clean up the session much faster than waiting for a keepalive timeout cycle...

(The problem I see is that we make extensive use of "--up"/etc scripts and a user can sometimes do several "up->down->up" in a row - which leads to "flapping" checks. If the server was told the client was leaving, this would reduce these issues.)

-- 
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-devel] Enhancements.
On 09/14/2010 08:52 AM, Brad Dameron wrote:
> Also can there be reporting added for the server side to show what
> version the client is connecting with?

I agree. I have previously asked for client version and OS to be "pushed" during the initial phase so that the server can make decisions based on it.

Currently we have some NAC checks built into the initial connection phase (thanks to openvpn's great scripting options) and we have to use portscans to differentiate between Windows and Unix. I'd rather the client just told me so that we could be finer grained in our reactions without resorting to such methods.

-- 
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
[Openvpn-devel] openvpn and dll hijacking?
While we're on the topic of Windows compiles, has there been an audit of DLL dependencies in openvpn? I'm thinking about the nightmare that is DLL Hijacking (http://isc.sans.edu/diary.html?storyid=9445)

Having apps that can't be tricked into downloading random DLLs from strange websites would certainly be a good thing ;-)

-- 
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
[Openvpn-devel] bug stopping the use of mssfix/fragment in udp+tcp configs?
Hi there

I have just looked at the current 2.2 git code and the bug blocking the use of udp+tcp combination configs when you want to use mssfix/fragment is still present. See https://community.openvpn.net/openvpn/wiki/Topics-2010-04-22 for references.

By that I mean I cannot use fragment/mssfix even within a udp "<connection>" profile - as the tcp profiles that follow trigger openvpn to error.

Is that planned to be fixed? With it, an openvpn config can contain udp, tcp and tcp-via-auto-proxy "<connection>" profiles - leading to the best opportunity for openvpn "escaping" from almost any network imaginable - without user intervention.

Thanks!

-- 
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-devel] Auto-Proxy
On 04/06/2010 09:39 PM, Jan Just Keijser wrote:
> open...@rkmorris.us wrote:
>> Hi,
>>
>> I have been using two different config files to connect to my OpenVPN
>> server - as I am sometimes behind a proxy server, and sometimes not.
>> So to fix this I tried using auto-proxy ... but it didn't work (in the
>> proxy case) ... :-(.
>>
>> I am running the client on Windows - so it should work, no?
>>
> note to the developers: all error codes when using the
> InternetQueryOption API are lost ... also read
> http://support.microsoft.com/kb/226473
> Openvpn 2.1 uses the "old" IE4 API .

Another note to developers. Can they work on enabling auto-proxy to work in configs that contain both UDP and TCP-based "<connection>" profiles? :-)

In a similar vein, the following ticket is in the bug tracking system - there seems to be a general problem with mixing TCP and UDP options (eg mssfix, nobind, fragment):

http://sourceforge.net/tracker/index.php?func=detail&aid=2945147&group_id=48978&atid=454720

-- 
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-devel] Erratic TCP Throughput
On 03/03/2010 04:52 PM, open...@rkmorris.us wrote:
> 1) Without OpenVPN - consistent performance, ~ 70 Mbps total
> throughput (on a 100 Mb LAN).
>
> bin/iperf.exe -c server.home -P 8 -i 1 -p 5001 -f m -t 10
> ...results removed
>
> 2) With OpenVPN - very consistent performance, sometimes fine, other
> times very poor. ~ 70 Mbps total throughput (on a 100 Mb LAN), but
> bounces around a lot.
>
> bin/iperf.exe -c server -P 8 -i 1 -p 5001 -f m -t 10
> ...results removed

So what you're saying is that on a ~70Mbs network you sometimes see ~70Mbs via "openvpn-via-proxy-server" and sometimes you don't?

As the performance of openvpn varies - and I assume you know the client and server aren't the bottleneck - then that leaves? The proxy! :-)

See how it's running. Does it have inline AV? Does it do content filtering/rate shaping/etc. Could it be simply overloaded? When you're nailing 70Mbs through it, how does it look?

-- 
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-devel] [Openvpn-users] how to disable firewall for openvpn interface under Vista/Win7
I've discovered another issue - but found a fix. Apparently Windows 7 cannot identify what kind of link an openvpn TAP interface is, and marks it as "Unidentified network", and it couldn't be reclassified. As such it always gets pushed into the "public" profile, which means firewall-up/etc.

I found this article to do with this happening for other network interfaces - with a regedit hack fix

http://social.technet.microsoft.com/Forums/en-US/w7itpronetworking/thread/e404cb1f-4f60-4d00-abaa-3b2e61415652

that enables Win7 to be able to recheck that interface, and when I created the key and restarted openvpn, Win7 recategorized the interface as "domain" - which is exactly right!

Shouldn't openvpn ensure it sets the same registry keys during install - so that this always happens?

Thanks

Jason

On 02/25/2010 10:10 PM, Jason Haar wrote:
> Thanks Leonard - your instructions were spot-on. However, I need to find
> out how to do the same thing using netsh as I want to add it to the "up"
> script on the clients - so that no matter what the user renames their
> openvpn interface to, it will always have the firewall disabled (also
> expecting users - even IS helpdesk - to manage 4-6 gui clicks without
> ever getting it wrong is too much to ask).
>
> Now that I know it can be done, I only need to find out how to do it
> using netsh - halfway there!
>
> Thanks again, I'll post my results back if/when I figure it out
>
> Jason
>
> On 02/25/2010 05:39 AM, Leonard Parker wrote:
>
>> Hello Jason,
>>
>> It's entirely possible to do per-interface disabling of the Firewall
>> in Win7, I haven't attempted this by the NETSH command line as yet,
>> but there is a fairly powerful GUI for firewall control, if not a
>> little difficult to navigate at first.
>>
>> So Control Panel > Windows Firewall > (Sidebar) Advanced Settings
>>
>> Now that we have the "Windows Firewall with Advanced Security" window
>> open, click on the "Windows Firewall Properties" Hyperlink.
>>
>> Now with the Properties dialog open you'll notice the tabs are "Domain
>> Profile", "Private Profile", "Public Profile" and "IPSec Settings"
>>
>> In each of the first three profile tabs you'll want to do as follows:
>>
>> Locate the "Customize" Button next to the line "Protected network
>> connections:"
>>
>> In the "Customize" Dialog you will find a list of your Network
>> Interfaces with a series of check boxes. Take the Checkbox out of your
>> Tap adapter's connection and press OK.
>>
>> You're set.
>>
>> I haven't failed! I've only found 10,000 ways that don't work.
>>
>>> Date: Tue, 23 Feb 2010 16:53:04 +1300
>>> From: jason.h...@trimble.co.nz
>>> To: openvpn-us...@lists.sourceforge.net
>>> Subject: [Openvpn-users] how to disable firewall for openvpn
>>> interface under Vista/Win7
>>>
>>> Hi there
>>>
>>> In our trials of Openvpn under XP, we've managed to reconfigure the
>>> firewall to disable itself on just the openvpn TAP interface via:
>>>
>>> echo firewall set opmode mode = DISABLE interface = %dev% | netsh
>>>
>>> This is great: it means an XP box on the Internet (eg hotel) has its
>>> firewall up, but any incoming traffic on the openvpn interface is
>>> accepted: which means helpdesk, vulnerability scanners, etc still have
>>> full access to the XP box. Happiness abounds :-)
>>>
>>> However, I cannot manage it under Vista+ (actually Win7). For one thing
>>> "netsh firewall" is deprecated (it's now "advfirewall"), and there
>>> isn't an "interface" option any more - it's now "interfacetype" and that
>>> means "lan", "wireless", "ras". I really wonder what kinds of... people
>>> they hire at Microsoft... A more tin-hat impression is that they are
>>> deliberately trying to break third-party VPNs...
>>>
>>> So I had a splendid situation under XP and would like to do the same
>>> under Win7. Any ideas? To recap: I want the firewall to remain up - but
>>> down for just the OpenVPN interface.
>>>
>>> Thanks!
>>>
>>> --
>>> Cheers
>>>
>>> Jason Haar
>>> Information Security Manager, Trimble Navigation Ltd.
>>> Phone: +64 3 9635 377 Fax: +64 3 9635 417
>>> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>>>

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
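The per-interface exclusion Leonard walks through in the GUI, and the scriptable equivalent Jason was after for the client "up" script, can be done on Windows 8 / Server 2012 and later with the NetSecurity cmdlets. This is an added example, not code from the thread or from the OpenVPN project; the adapter alias "OpenVPN TAP" is an assumption, and the script verifies the result on every profile rather than trusting the set call.

```powershell
# Added example: exclude one adapter from Windows Firewall enforcement on
# the Domain, Private and Public profiles, then verify. Needs an elevated
# shell and the NetSecurity module (Windows 8 / Server 2012 or later).
# The alias is an assumption; use Get-NetAdapter to find the real TAP name.
param([string]$TapAlias = "OpenVPN TAP")

# Fail early if the adapter does not exist rather than excluding nothing.
$adapter = Get-NetAdapter -Name $TapAlias -ErrorAction Stop

# Same effect as unticking the adapter under "Protected network
# connections" > Customize on each of the three profile tabs.
# Note: this replaces the existing exclusion list on each profile.
Set-NetFirewallProfile -Name Domain, Private, Public `
    -DisabledInterfaceAliases $adapter.Name

# Verify: every profile must now list the adapter as excluded; a profile
# that still enforces the firewall on it is a configuration failure.
$missing = Get-NetFirewallProfile | Where-Object {
    $_.DisabledInterfaceAliases -notcontains $adapter.Name
}
if ($missing) {
    throw "Firewall still enforced on '$($adapter.Name)' for profile(s): " +
          ($missing.Name -join ', ')
}

# Show which network category Windows put the adapter in (the
# "Unidentified network" -> Public problem from the thread); the
# exclusion above applies regardless of category.
Get-NetConnectionProfile -InterfaceAlias $adapter.Name -ErrorAction SilentlyContinue |
    Select-Object Name, NetworkCategory
```

Because the exclusion is keyed on the alias, renaming the adapter (Jason's concern) silently re-enables enforcement, so run the script from the "up" script each connect, or resolve the alias from the OpenVPN %dev% variable instead of a fixed name.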
Re: [Openvpn-devel] is there an official bug reporting mechanism?
On 02/03/2010 10:09 PM, Samuli Seppänen wrote:
> Hi Jason,
>
> You can file bugs to our SF.net bug tracker:
>

Thanks! Done it: 2945154 and 2945147

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
[Openvpn-devel] is there an official bug reporting mechanism?
Hi there

I think I've found bugs in openvpn (nobind doesn't work with UDP) and in the openvpnserv.exe for Windows (sometimes doesn't fully close down - meaning you can't restart openvpn.exe). Is there an official channel for reporting bugs?

Thanks

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-devel] win32 openvpn-2.1.1 has bug with "nobind"?
On 01/27/2010 09:17 PM, Gert Doering wrote:
> Is this a single server listening on both ports, or is this two independent
> servers?
>

server running openvpn on tcp:1195 and udp:1195

client running openvpn with "nobind".

client connects to server via "remote server.name 1195 tcp", "lsof -ni" on client shows openvpn is associated with "*:" - ie "nobind" is working

client connects to server via "remote server.name 1195 udp", "lsof -ni" on client shows openvpn is associated with "*:1194" - ie "nobind" is NOT working

> (For a customer installation, I need a single server to listen on UDP/1194
> and TCP/443, and as far as I understood so far, this was not possible)
>

Yeah - can't be done. However, my problem is a client problem - you sound like having a server problem. "nobind" only works in client mode.

If you're using tun interfaces, you'll need to split your pool range between the two instances.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-devel] win32 openvpn-2.1.1 has bug with "nobind"?
I have been googling around and others reported this back in 2005! Looking at the code (I'm no programmer), there seems to be a hint that the "nobind" option only works for TCP - not UDP? Is this true? There's no reason for it that I can think of, but it would explain what I'm seeing: in UDP mode, openvpn ignores "nobind". Even on my Linux box, I have "nobind" set and yet it's using 1194 for lport...

Confirmed. I have a server running on 1194 tcp and udp and if I toggle between tcp and udp on the client (ie nobind remains the same), I see lport=1194 for udp and lport=>1023 for tcp

Jason

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: [Openvpn-devel] win32 openvpn-2.1.1 has bug with "nobind"?
On 01/27/2010 05:35 AM, Karl O. Pinc wrote:
>
> Sounds like the 2MSL problem described in this thread:
> http://sourceforge.net/mailarchive/forum.php?thread_name=1263527105.29484.1%40mofo_name=openvpn-devel
>

I see what you mean - not the same issue - but the same cause (and affecting UDP as well as TCP).

I don't get it - what does "nobind" actually do then? The manpage states

    Do not bind to local address and port. The IP stack will allocate a
    dynamic port for returning packets

That just seems to be totally not the case. With "nobind" set, openvpn still explicitly binds to 1194. I always read the manpage as meaning "nobind" meant "let the OS decide what port to use". In fact, I just tried "lport 2" and that didn't work either! It still used 1194.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1