Re: [Openvpn-devel] [PATCH v4-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-29 Thread Gert Doering
Hi,

On Wed, Nov 25, 2015 at 08:52:09AM -0800, Fish Wang wrote:
> Just a small suggestion: I think the following will work:
> 
> - Check the version of the current operating system.
> - Dynamically load related DLLs (in this case, should be WFP-related
> libraries) using LoadLibrary() only if OpenVPN is running on Windows Vista+,
> and pop a warning for XP users who have that option enabled.
> - On Vista+, get addresses of those APIs that we want to call (via
> GetProcAddress() ), and then use them as function pointers.
> 
> Pros: one binary works for all Windows.
> Cons: the code is a bit messier. 
> 
> I've done this before for my own projects that must be running on both XP
> and later versions of Windows, and it works reliably. I can look into this
> later this week (if ValdikSS doesn't have cycles).

This would definitely be something I'd like to have a look at.

Depending how *much* messier the code gets (especially: what settings does
it need to get built?  WINXP or VISTA?) this might be a good way to avoid
having to build two different openvpn.exe executables.

OTOH, we need two installers anyway as the NDIS6 tap driver does not work
on XP - so if we bundle openvpn-xp.exe with the old tap driver and
openvpn-vista+.exe with the ndis6 tap driver, it's not that much worse than
what we have now...

And yes, time to get 2.4 out :-)

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] [PATCH v4-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-25 Thread Fish Wang
Just a small suggestion: I think the following will work:

- Check the version of the current operating system.
- Dynamically load related DLLs (in this case, should be WFP-related
libraries) using LoadLibrary() only if OpenVPN is running on Windows Vista+,
and pop a warning for XP users who have that option enabled.
- On Vista+, get addresses of those APIs that we want to call (via
GetProcAddress() ), and then use them as function pointers.

Pros: one binary works for all Windows.
Cons: the code is a bit messier. 

I've done this before for my own projects that must be running on both XP
and later versions of Windows, and it works reliably. I can look into this
later this week (if ValdikSS doesn't have cycles).

Best,
Fish

-Original Message-
From: Gert Doering [mailto:g...@greenie.muc.de] 
Sent: Wednesday, November 25, 2015 6:55 AM
To: Arne Schwabe <a...@rfc2549.org>
Cc: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Subject: Re: [Openvpn-devel] [PATCH v4-master] Add Windows DNS Leak fix
using WFP ('block-outside-dns')

Hi,

On Wed, Nov 25, 2015 at 03:19:51PM +0100, Arne Schwabe wrote:
> I am not sure if we want to ship separate WIN XP and Vista+ versions.

We are in agreement that we do *not* want that :-) - but we *do* want this 
patch to work around Win10 DNS brokenness, and that binary won't run on XP.

Which of the options do we want less...?

gert

-- 
USENET is *not* the non-clickable part of WWW!

//www.muc.de/~gert/
Gert Doering - Munich, Germany
g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de
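The runtime-detection approach Fish Wang describes above (check the OS version, LoadLibrary() the DLL only on Vista+, GetProcAddress() the entry points, call them through function pointers, warn and carry on otherwise) written out as an added example. This is not code from the OpenVPN patch under discussion nor from Fish's own projects. The DLL and export names used are the real WFP user-mode ones (fwpuclnt.dll, FwpmEngineOpen0, FwpmEngineClose0); the struct, function and resolver names are this example's own, and the two table-backed resolvers at the bottom are constructed stand-ins so the decision logic can be exercised without Windows.

```c
/*
 * Runtime binding of a Vista-and-later API so that one binary runs on XP too.
 * Added example, not code from the OpenVPN patch. DLL/symbol names are the
 * real WFP user-mode exports; everything else is this example's own naming.
 */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Opaque function pointer: callers cast to the real prototype before
 * invoking, so no Vista-only header is needed to compile the binary. */
typedef void (*generic_fn)(void);

/* A resolver maps (dll, symbol) to an address or NULL. On Windows it wraps
 * LoadLibrary()/GetProcAddress(); the offline test substitutes a
 * constructed lookup table with the same signature. */
typedef generic_fn (*symbol_resolver)(const char *dll, const char *symbol);

struct wfp_api {
    int available;           /* 1 once every required symbol was bound */
    generic_fn engine_open;  /* FwpmEngineOpen0  */
    generic_fn engine_close; /* FwpmEngineClose0 */
};

/* The WFP user-mode API first shipped with Vista, i.e. NT 6.0. */
int os_supports_wfp(unsigned major, unsigned minor)
{
    (void)minor;             /* any 6.x or later qualifies */
    return major >= 6;
}

/* Bind the WFP entry points at runtime. Returns 1 on success and 0 when the
 * OS is too old or a symbol is missing; in both failure cases the option is
 * reported as unusable instead of aborting, which is what lets the same
 * executable start on XP and on Vista+. */
int wfp_api_load(struct wfp_api *api, unsigned os_major, unsigned os_minor,
                 symbol_resolver resolve)
{
    memset(api, 0, sizeof(*api));
    if (!os_supports_wfp(os_major, os_minor)) {
        fprintf(stderr, "block-outside-dns needs Windows Vista or later; "
                        "option ignored on %u.%u\n", os_major, os_minor);
        return 0;
    }
    api->engine_open  = resolve("fwpuclnt.dll", "FwpmEngineOpen0");
    api->engine_close = resolve("fwpuclnt.dll", "FwpmEngineClose0");
    if (!api->engine_open || !api->engine_close) {
        fprintf(stderr, "block-outside-dns: WFP entry points not found; "
                        "option ignored\n");
        memset(api, 0, sizeof(*api));
        return 0;
    }
    api->available = 1;
    return 1;
}

#ifdef _WIN32
/* Real resolver: LoadLibraryA() the DLL, then GetProcAddress() the symbol. */
static generic_fn win_resolve(const char *dll, const char *symbol)
{
    HMODULE h = LoadLibraryA(dll);
    return h ? (generic_fn)GetProcAddress(h, symbol) : NULL;
}
#endif

/* Constructed stand-in resolvers (not real libraries): one behaves like a
 * Vista+ box whose fwpuclnt.dll exports both symbols, the other like a box
 * where the DLL does not exist at all. */
static void fake_engine_open(void)  {}
static void fake_engine_close(void) {}

generic_fn resolve_vista_like(const char *dll, const char *symbol)
{
    if (strcmp(dll, "fwpuclnt.dll") != 0)          return NULL;
    if (strcmp(symbol, "FwpmEngineOpen0") == 0)    return fake_engine_open;
    if (strcmp(symbol, "FwpmEngineClose0") == 0)   return fake_engine_close;
    return NULL;
}

generic_fn resolve_xp_like(const char *dll, const char *symbol)
{
    (void)dll; (void)symbol;
    return NULL;
}

struct wfp_api g_api;    /* global so a test can inspect the bound pointers */

int main(void)
{
#ifdef _WIN32
    /* GetVersion() is deprecated but enough to tell XP (5.x) from 6.x+. */
    DWORD v = GetVersion();
    int ok = wfp_api_load(&g_api, LOBYTE(LOWORD(v)), HIBYTE(LOWORD(v)),
                          win_resolve);
#else
    int ok = wfp_api_load(&g_api, 6, 0, resolve_vista_like);
#endif
    printf("WFP available: %s\n", ok ? "yes" : "no");
    return 0;
}
```

Built against a Windows XP target (no Vista headers or fwpuclnt import library needed), this still starts on XP and only reports the option as unavailable there; on Vista+ the real resolver binds the exports and the pointers in `g_api` are the ones to cast and call.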




Re: [Openvpn-devel] [PATCH v4-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-25 Thread David Sommerseth
On 24/11/15 18:49, ValdikSS wrote:
> I can't figure out why Thunderbird corrupts my patches.
> Please use the attached version.
> I still need help with 2.3 build system. If somebody is willing to help me, 
> please use the attached version.

Thunderbird works great in many areas, but my experience with patches
is poor.  It often does some odd mangling with line lengths and other
things.  I've even heard rumours of Linux kernel developers rejecting
patches when Thunderbird is the MUA, as it will "always" be wrong (but
that's 5-6 years ago, might have improved).

And in particular if you use Enigmail with inline signatures, then
enigmail makes a really big mess.  It will do a select-all -> reformat
-> copy -> send clipboard to gpg -> gpg result to clipboard -> paste.
Less bad is to use PGP/MIME ... which I had to do for all
these ML discussions, as it even messed up the '>' blocks completely and
other git log messages when replying.

As others have said already ... For patches, configure git send-email,
it is fairly simple and you won't have so many complaints from us :)


-- 
kind regards,

David Sommerseth





Re: [Openvpn-devel] [PATCH v4-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-25 Thread Gert Doering
Hi,

On Wed, Nov 25, 2015 at 03:19:51PM +0100, Arne Schwabe wrote:
> I am not sure if we want to ship separate WIN XP and Vista+ versions.

We are in agreement that we do *not* want that :-) - but we *do* want this 
patch to work around Win10 DNS brokenness, and that binary won't run on XP.

Which of the options do we want less...?

gert



Re: [Openvpn-devel] [PATCH v4-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-25 Thread Arne Schwabe


Am 25.11.15 um 15:15 schrieb Selva Nair:
> Hi,
>
> On Wed, Nov 25, 2015 at 2:54 AM, Gert Doering wrote:
>
> Hi,
>
> On Wed, Nov 25, 2015 at 08:31:23AM +0300, ValdikSS wrote:
> > I need help with 2.3 build system. While the code itself would
> compile fine, it won't link because I can't figure out how to link
> libraries available in vista+
> > only for vista+ build and do not link it for XP.
>
> Cross-build using ubuntu 14.04 and mingw64, and run configure with
> "configure ... LIBS='-lwhatyouneed'" for the vista+ build.
>
> For 2.3, that should be good enough.
>
>
> Aha, so the original question about building for winxp is probably related
> to the extra libs added to Makefile.am?  I think it should not be
> there in the patch for 2.3 so that the code builds cleanly for XP+
> with the current 2.3 build setup. Then build specially for vista+ as
> Gert wrote above.

I am not sure if we want to ship separate WIN XP and Vista+ versions.

Arne


Re: [Openvpn-devel] [PATCH v4-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-25 Thread Selva Nair
Hi,

On Wed, Nov 25, 2015 at 2:54 AM, Gert Doering wrote:

> Hi,
>
> On Wed, Nov 25, 2015 at 08:31:23AM +0300, ValdikSS wrote:
> > I need help with 2.3 build system. While the code itself would compile
> fine, it won't link because I can't figure out how to link libraries
> available in vista+
> > only for vista+ build and do not link it for XP.
>
> Cross-build using ubuntu 14.04 and mingw64, and run configure with
> "configure ... LIBS='-lwhatyouneed'" for the vista+ build.
>
> For 2.3, that should be good enough.
>

Aha, so the original question about building for winxp is probably related to
the extra libs added to Makefile.am?  I think it should not be there in the
patch for 2.3 so that the code builds cleanly for XP+ with the current 2.3
build setup. Then build specially for vista+ as Gert wrote above.

Selva


Re: [Openvpn-devel] [PATCH v4-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-25 Thread Gert Doering
Hi,

On Tue, Nov 24, 2015 at 08:49:08PM +0300, ValdikSS wrote:
> I can't figure out why Thunderbird corrupts my patches.
> Please use the attached version.
> I still need help with 2.3 build system. If somebody is willing to help me, 
> please use the attached version.

Thanks for the attachments, this should work out nicely.

There is something I'd ask you to change, though - all these new
additions to win32.h are really only needed for the benefit of win32.c
(the DEFINE_GUID stuff), but win32.h is included from a LOT of places
- so it would be much cleaner to have this inside win32.c, and only
export the function prototypes

> +bool win_wfp_block_dns(const NET_IFINDEX index);
> +bool win_wfp_uninit();
> +bool win_wfp_init();

towards users.

Another thing I wonder - why have two functions for _init() and _block_dns(),
which in the end is either called both, or not at all.  Couldn't this be
just folded into one function (_block_dns()) which calls _init() internally?

This would reduce the impact on other code paths even further...


Lastly, not all of the new #include files are #ifdef'ed for _WIN32_WINNT 
- are these all available on XP already, even if the libraries are not?

thanks,

gert




Re: [Openvpn-devel] [PATCH v4-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-25 Thread Gert Doering
Hi,

On Wed, Nov 25, 2015 at 01:32:38AM -0500, Selva Nair wrote:
> On Wed, Nov 25, 2015 at 12:31 AM, ValdikSS wrote:
> 
> > It's cron2 who wanted clear ifdefs for master, because there's no WinXP
> > support there.
> 
> If WinXP support is really going away in 2.4, 

It already is - the GetBestRoute2() stuff is not available on XP, and since
we decided long ago that we'll stop XP support in 2.4 if it becomes too
painful, this was the point of no return.

Theoretically, this could be handled at runtime (try to open the right
library and find the symbol, and if the library is not there, just disable
the functionality) but this is something we did not consider important - we
do not care about XP in 2.4, period :-)

If someone really *really* cares about XP support in 2.4 and submits clean
patches that do not cause extra build work for Samuli, we might reconsider
- but hey, XP is really dead (and who wants XP can still just stick to 2.3.x
which we'll continue supporting for a while)

gert


Re: [Openvpn-devel] [PATCH v4-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-25 Thread Gert Doering
Hi,

On Wed, Nov 25, 2015 at 08:31:23AM +0300, ValdikSS wrote:
> I need help with 2.3 build system. While the code itself would compile fine, 
> it won't link because I can't figure out how to link libraries available in 
> vista+
> only for vista+ build and do not link it for XP.

Cross-build using ubuntu 14.04 and mingw64, and run configure with 
"configure ... LIBS='-lwhatyouneed'" for the vista+ build.

For 2.3, that should be good enough.

gert


Re: [Openvpn-devel] [PATCH v4-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-25 Thread Gert Doering
Hi,

On Tue, Nov 24, 2015 at 07:13:17PM -0500, Selva Nair wrote:
> Not sure I understand this.  The patch I had tested all along had ifdef
> _WINNT_WIN32 >= 0x0600 around everything. So the code nicely silences
> itself when built for XP (I did not try this though). I built only 64 bit
> version for vista+.

That was the v3 patch, and we decided that we always build master with 
VISTA+, and do not want extra #ifdef's if we can avoid them.

> And this was against the master. Now the new sets of patches have different
> ifdefs: _WINNT_WIN32 >= 0x600 for 2.3, and if defined(WIN32) for master.
> This appears unnecessary. Two patches are still needed as some context
> lines have changed between 2.3 and master, but the code could be the same,
> and, in particular, the ifdefs could be just _WINNT_WIN32 >= 0x600.

No #ifdef if they are not needed.

In 2.3 they are needed, because we need to build for XP and Vista+ - in
master, XP support has been dropped and we always build Vista+, so we do 
not need the #ifdef bits for _WINNT_WIN32

I'm not sure why we grew #if defined(WIN32) though...  that might be due
to "other platforms do not have the functionality at all, so we should
not pretend to understand the option" (comment from Arne).  But maybe
these should be #ifdef HAVE_BLOCK_EXTERNAL_DNS which itself is 
conditionalized on WIN32 today - it might appear for other platforms,
who knows.  No really strong opinion there yet.

gert



Re: [Openvpn-devel] [PATCH v4-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-25 Thread Selva Nair
On Wed, Nov 25, 2015 at 12:31 AM, ValdikSS wrote:

> It's cron2 who wanted clear ifdefs for master, because there's no WinXP
> support there.


If WinXP support is really going away in 2.4, agreed, ifdef WIN32 is
cleaner. That apart, the patch doesn't apply to 2.3, please send in if you
have an updated one.

For the build issue, maybe Samuli can help. I built only for Vista+, but
will try building on XP.

Selva


Re: [Openvpn-devel] [PATCH v4-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-25 Thread ValdikSS
It's cron2 who wanted clear ifdefs for master, because there's no WinXP support 
there.
I need help with 2.3 build system. While the code itself would compile fine, it 
won't link because I can't figure out how to link libraries available in vista+
only for vista+ build and do not link it for XP.

On 25.11.2015 03:13, Selva Nair wrote:
> Hi,
>
> On Tue, Nov 24, 2015 at 3:11 PM, Gert Doering wrote:
>
> Not sure I understand this.  The patch I had tested all along had ifdef 
> _WINNT_WIN32 >= 0x0600 around everything. So the code nicely silences itself 
> when
> built for XP (I did not try this though). I built only 64 bit version for 
> vista+. 
>
> And this was against the master. Now the new sets of patches have different 
> ifdefs: _WINNT_WIN32 >= 0x600 for 2.3, and if defined(WIN32) for master. This
> appears unnecessary. Two patches are still needed as some context lines have 
> changed between 2.3 and master, but the code could be the same, and, in
> particular, the ifdefs could be just _WINNT_WIN32 >= 0x600.
>
> Maybe you mean the same?
>  
> Selva
>  





Re: [Openvpn-devel] [PATCH v4-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-25 Thread Selva Nair
Hi,

On Tue, Nov 24, 2015 at 12:49 PM, ValdikSS wrote:

> I can't figure out why Thunderbird corrupts my patches.
>

It's not a Thunderbird-specific malady, almost every mail client messes up
line breaks, adds extra spaces etc. As Gert suggested please use git
send-email. That makes it easy for everyone..


> Please use the attached version.
> I still need help with 2.3 build system. If somebody is willing to help me,
> please use the attached version.
>

The patch for 2.3 doesn't apply. Hope it's not just me.. In fact both
patches apply to the master (after some coaxing and with different offsets,
of course). That shows something is wrong, as some contexts have to be
different in 2.3 and master. For example:

Checking patch src/openvpn/init.c...
error: while searching for:
  "up",
  c->c2.es);

  /* possibly add routes */
  if ((route_order() == ROUTE_AFTER_TUN) &&
(!c->options.route_delay_defined))
do_route (>options, c->c1.route_list, c->c1.route_ipv6_list,

error: patch failed: src/openvpn/init.c:1468

The problem is route_order() == ROUTE_AFTER_TUN is not in 2.3, it's in
master.

Similarly in options.c

error: while searching for:
  VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
}
#endif
#if PASSTOS_CAPABILITY
  else if (streq (p[0], "passtos") && !p[1]) <--- this line doesn't
match the one in 2.3
{

Could you please check whether the patch is really against 2.3?

Also please see why the code has to be different for 2.3 and master -- why
not just use ifdef _WINNT_WIN32 ?

Selva

P.S.
There are tons of whitespace errors as well, but that could be worked
around..


Re: [Openvpn-devel] [PATCH v4-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-25 Thread Selva Nair
Hi,

On Tue, Nov 24, 2015 at 3:11 PM, Gert Doering wrote:

> > I still need help with 2.3 build system. If somebody is willing to help me,
> please use the attached version.
>
> Well, the 2.3 version would need all the #ifdefs around the code if not
> running at VISTA level, and *no* changes to the build system part (so,
> 2.3 out of the box would simply not "see" this code at all).
>
> Samuli would then have to change part of his build system to enable VISTA
> API level and add these extra libraries - but that would have to be an
> out-of-tree patch applied only to the Vista-and-up installers.


Not sure I understand this.  The patch I had tested all along had ifdef
_WINNT_WIN32 >= 0x0600 around everything. So the code nicely silences
itself when built for XP (I did not try this though). I built only 64 bit
version for vista+.

And this was against the master. Now the new sets of patches have different
ifdefs: _WINNT_WIN32 >= 0x600 for 2.3, and if defined(WIN32) for master.
This appears unnecessary. Two patches are still needed as some context
lines have changed between 2.3 and master, but the code could be the same,
and, in particular, the ifdefs could be just _WINNT_WIN32 >= 0x600.

Maybe you mean the same?

Selva


Re: [Openvpn-devel] [PATCH v4-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-24 Thread Gert Doering
Hi,

On Tue, Nov 24, 2015 at 08:49:08PM +0300, ValdikSS wrote:
> I can't figure out why Thunderbird corrupts my patches.

Because you're not using git send-email :)

 $ git send-email --to=openvpn-devel@lists.sourceforge.net -1

will magically do everything perfectly (added options available to set 
in-reply-to: to make threading work, etc., and you can configure it via 
.git/config to use the right SMTP server with authentication etc).

It's mostly there because clients are just too brain damaged to leave
patches alone.  *Attachment* sometimes works, and sometimes not
(supposedly thunderbird gets that part right, but gmail for example
fails even this)

> Please use the attached version.

I'll see if that applies...

> I still need help with 2.3 build system. If somebody is willing to help me, 
> please use the attached version.

Well, the 2.3 version would need all the #ifdefs around the code if not
running at VISTA level, and *no* changes to the build system part (so,
2.3 out of the box would simply not "see" this code at all).  

Samuli would then have to change part of his build system to enable VISTA 
API level and add these extra libraries - but that would have to be an 
out-of-tree patch applied only to the Vista-and-up installers.

gert



Re: [Openvpn-devel] [PATCH v4-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-24 Thread debbie10t
Now that I can build OpenVPN-Windows I will help, although it will take me a 
while to work out how ..
I only have access to W7 but from what I have read that is the only Windows 
you do *not* have.


BTW: Many thanks for your exceptional efforts on this problem :)

Regards



- Original Message - 
From: "ValdikSS" <i...@valdikss.org.ru>

To: "Gert Doering" <g...@greenie.muc.de>
Cc: "openvpn-devel" <openvpn-devel@lists.sourceforge.net>
Sent: Tuesday, November 24, 2015 5:49 PM
Subject: Re: [Openvpn-devel] [PATCH v4-master] Add Windows DNS Leak fix 
using WFP ('block-outside-dns')



I can't figure out why Thunderbird corrupts my patches.
Please use the attached version.
I still need help with 2.3 build system. If somebody is willing to help me, 
please use the attached version.


On 24.11.2015 11:39, Gert Doering wrote:

Hi,

On Thu, Nov 19, 2015 at 06:20:19PM +0300, ValdikSS wrote:
Indeed, what Selva said - the patch is whitespace-mangled.  Valdikss,
could you please send it with "git-send-email"?

these extra blanks should not be there...  thus it won't apply without
force.

gert

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH v4-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-24 Thread ValdikSS
I can't figure out why Thunderbird corrupts my patches.
Please use the attached version.
I still need help with 2.3 build system. If somebody is willing to help me, please 
use the attached version.

On 24.11.2015 11:39, Gert Doering wrote:
> Hi,
>
> On Thu, Nov 19, 2015 at 06:20:19PM +0300, ValdikSS wrote:
> Indeed, what Selva said - the patch is whitespace-mangled.  Valdikss, 
> could you please send it with "git-send-email"?
>
> these extra blanks should not be there...  thus it won't apply without
> force.
>
> gert

From b248fe9e956b389eb8e4b9bbb091848060f71b98 Mon Sep 17 00:00:00 2001
In-Reply-To: <564ba6db.4070...@valdikss.org.ru>
References: <564ba6db.4070...@valdikss.org.ru>
From: ValdikSS 
List-Post: openvpn-devel@lists.sourceforge.net
Date: Tue, 24 Nov 2015 20:41:42 +0300
Subject: [PATCH v4-master] Add Windows DNS Leak fix using WFP
 ('block-outside-dns')

This option blocks all out-of-tunnel communication on TCP/UDP port 53 (except
for OpenVPN itself), preventing DNS Leaks on Windows 8.1 and 10.
---
 doc/openvpn.8   |  12 +++-
 src/openvpn/Makefile.am |   2 +-
 src/openvpn/init.c  |  22 ++
 src/openvpn/openvpn.vcxproj |   4 +-
 src/openvpn/options.c   |  16 +
 src/openvpn/options.h   |   1 +
 src/openvpn/win32.c | 168 
 src/openvpn/win32.h |  60 
 8 files changed, 280 insertions(+), 5 deletions(-)
 mode change 100755 => 100644 src/openvpn/openvpn.vcxproj

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index b6d5aed..c60ce00 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -1129,8 +1129,8 @@ When used with
 .B \-\-client
 or
 .B \-\-pull,
-accept options pushed by server EXCEPT for routes and dhcp options
-like DNS servers.
+accept options pushed by server EXCEPT for routes, block-outside-dns and dhcp
+options like DNS servers.
 
 When used on the client, this option effectively bars the
 server from adding routes to the client's routing table,
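Review bot: the option name on the changed lines is set in plain text while the surrounding man page renders option names in bold (`.B \-\-client`, `.B \-\-pull` a few lines up); use `\fB\-\-block\-outside\-dns\fR` inline so the reference is typeset like the other options and the hyphens are escaped the same way.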
@@ -5517,6 +5517,14 @@ adapter list to the syslog or log file after the TUN/TAP adapter
 has been brought up and any routes have been added.
 .\"*
 .TP
+.B \-\-block\-outside\-dns
+Block DNS servers on other network adapters to prevent
+DNS leaks. This option prevents any application from accessing
+TCP or UDP port 53 except one inside the tunnel. It uses 
+Windows Filtering Platform (WFP) and works on Windows Vista or
+later.
+.\"*
+.TP
 .B \-\-dhcp\-renew
 Ask Windows to renew the TAP adapter lease on startup.
 This option is normally unnecessary, as Windows automatically
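Review bot: the new entry should state the scope of the block and the failure behaviour, since both matter to anyone relying on it for leak prevention. "Block DNS servers on other network adapters" understates what the commit message says the code does, namely block TCP and UDP port 53 for every process except OpenVPN itself; suggest "Block all DNS traffic (TCP and UDP port 53) from all processes except OpenVPN itself, so that name resolution can only reach servers through the tunnel." Per the init.c hunk in this same patch, OpenVPN exits with a fatal error if the filter cannot be installed and removes the filter again in do_close_tun; both facts belong here. There is also trailing whitespace after "It uses".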
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index c840f16..c55a520 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -127,5 +127,5 @@ openvpn_LDADD = \
 	$(OPTIONAL_DL_LIBS)
 if WIN32
 openvpn_SOURCES += openvpn_win32_resources.rc
-openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm
+openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm -lfwpuclnt -lrpcrt4
 endif
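Review bot: `-lfwpuclnt -lrpcrt4` are added unconditionally under `if WIN32`, while the code that calls into them (the init.c hunk) is compiled only for `_WIN32_WINNT >= 0x0600`; an XP-level build therefore links against libraries it never uses and fails to link wherever the toolchain has no fwpuclnt import library, which is the 2.3 linking problem raised in this thread. Either gate the LDADD addition on the same API level as the code, or resolve the WFP entry points at runtime with LoadLibrary()/GetProcAddress() as proposed further up the thread so the link-time dependency disappears.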
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index c5c0ab6..36ebc8d 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1468,6 +1468,20 @@ do_open_tun (struct context *c)
 		   "up",
 		   c->c2.es);
 
+#if _WIN32_WINNT >= 0x0600
+  if (c->options.block_outside_dns)
+  {
+  if (!win_wfp_init())
+msg (M_FATAL, "Initialising WFP failed!");
+else
+{
+dmsg (D_LOW, "Blocking outside DNS");
+if (!win_wfp_block_dns(c->c1.tuntap->adapter_index))
+msg (M_FATAL, "Blocking DNS failed!");
+}
+  }
+#endif
+
   /* possibly add routes */
   if ((route_order() == ROUTE_AFTER_TUN) && (!c->options.route_delay_defined))
 	do_route (>options, c->c1.route_list, c->c1.route_ipv6_list,
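Review bot: if `win_wfp_init()` succeeds but `win_wfp_block_dns()` fails, the `msg (M_FATAL, "Blocking DNS failed!")` terminates the process without `win_wfp_uninit()` ever running, so whatever `win_wfp_init()` set up is never released by the code that created it; folding `_init()` into `_block_dns()`, as suggested elsewhere in this thread, lets one function clean up after itself on the error path before returning false. Treating both failures as fatal is the right call for a leak-prevention option (continuing silently would leave DNS reachable outside the tunnel), and that fail-closed behaviour deserves a sentence in the man page. The added lines are also mis-indented: the `if`/`else` bodies sit at column 0 instead of following the GNU-style indentation of the surrounding code.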
@@ -1596,6 +1610,14 @@ do_close_tun (struct context *c, bool force)
 		   "down",
 		   c->c2.es);
 
+#if _WIN32_WINNT >= 0x0600
+if (c->options.block_outside_dns)
+{
+if (!win_wfp_uninit())
+msg (M_FATAL, "Uninitialising WFP failed!");
+}
+#endif
+
 	  /* actually close tun/tap device based on --down-pre flag */
 	  if (c->options.down_pre)
 	do_close_tun_simple (c);
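Review bot: `msg (M_FATAL, "Uninitialising WFP failed!")` in do_close_tun aborts the process in the middle of teardown, before the tun/tap device is closed on the lines immediately following; a failure to remove the filter at shutdown should be logged with `M_WARN` and the rest of do_close_tun allowed to run. The added block is also at column 0, out of step with the tab-indented code around it.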
diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj
old mode 100755
new mode 100644
index b117b0b..821c46c
--- a/src/openvpn/openvpn.vcxproj
+++ b/src/openvpn/openvpn.vcxproj
@@ -64,7 +64,7 @@
   $(SOURCEBASE);%(AdditionalIncludeDirectories)
 
 
-  libeay32.lib;ssleay32.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;%(AdditionalDependencies)
+  
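Review bot: this hunk bundles an unrelated file-mode change (`old mode 100755` / `new mode 100644` on openvpn.vcxproj, also listed in the diffstat) with the feature; keep that in a separate commit so the functional change stays reviewable on its own. The replacement `AdditionalDependencies` line also arrived truncated to a bare `+` in this copy, so the MSVC link settings cannot be reviewed; it is expected to mirror the Makefile.am change by appending `fwpuclnt.lib;rpcrt4.lib` to the existing list, and a resend via git send-email would show that.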

Re: [Openvpn-devel] [PATCH v4-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-24 Thread Gert Doering
Hi,

On Thu, Nov 19, 2015 at 06:20:19PM +0300, ValdikSS wrote:
> This option blocks all out-of-tunnel communication on TCP/UDP port 53 (except
> for OpenVPN itself), preventing DNS Leaks on Windows 8.1 and 10.

Indeed, what Selva said - the patch is whitespace-mangled.  Valdikss, 
could you please send it with "git-send-email"?

> --- a/src/openvpn/init.c
> +++ b/src/openvpn/init.c
> @@ -1468,6 +1468,20 @@ do_open_tun (struct context *c)
>  "up",
>  c->c2.es);
>   +#if defined(WIN32)
> +  if (c->options.block_outside_dns)
> +  {

these extra blanks should not be there...  thus it won't apply without
force.

gert


Re: [Openvpn-devel] [PATCH v4-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-24 Thread Selva Nair
Hi,

On Thu, Nov 19, 2015 at 10:20 AM, ValdikSS wrote:

> This option blocks all out-of-tunnel communication on TCP/UDP port 53
> (except
> for OpenVPN itself), preventing DNS Leaks on Windows 8.1 and 10.
>

This version looks fine and works as promised (tested on Win 7 and 10).

I'm told many win10 users badly need this, so ACK from me.

Note: The patch appears damaged by the mailer. To test I had to pull the
block-external-dns-master branch (with last
commit 76dddc52cc3da95a0681ca660d264e297bf39039)
from https://github.com/ValdikSS/openvpn-with-patches

Selva