Re: [Openvpn-users] OpenVPN 2.3.9 released

2015-12-18 Thread Sebastian Rubenstein
>Sent: Wednesday, December 16, 2015 at 9:40 PM
>From: "Samuli Seppänen" 
>To: "openvpn users list (openvpn-users@lists.sourceforge.net)" 
>, "openvpn-de...@lists.sourceforge.net" 
>, openvpn-annou...@lists.sourceforge.net
>Subject: [Openvpn-users] OpenVPN 2.3.9 released
>
>The biggest change is the addition of --block-outside-dns option, which can be 
>used to fix DNS leaks in Windows 8.1 and 10.

Hi Samuli

If I understood it correctly, the option --block-outside-dns is to be applied 
on the server side, not on the client side.

Thanks in advance for your clarification.

Regards.

Sebastian R.

--
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] OpenVPN 2.3.9 released

2015-12-18 Thread Jan Just Keijser
Hi Sebastian,

Sebastian Rubenstein wrote:
>> Sent: Wednesday, December 16, 2015 at 9:40 PM
>> From: "Samuli Seppänen" 
>> To: "openvpn users list (openvpn-users@lists.sourceforge.net)" 
>> , "openvpn-de...@lists.sourceforge.net" 
>> , openvpn-annou...@lists.sourceforge.net
>> Subject: [Openvpn-users] OpenVPN 2.3.9 released
>>
>> The biggest change is the addition of --block-outside-dns option, which can 
>> be used to fix DNS leaks in Windows 8.1 and 10.
>> 
>
> Hi Samuli
>
> If I understood it correctly, the option --block-outside-dns is to be applied 
> on the server side, not on the client side.
>
> Thanks in advance for your clarification.
>
>   
nope, this is typically a client-side option. It *is* possible, however, 
to push it from the server side to all clients: Windows Vista+ clients 
will pick it up and use it, all others will ignore it.

HTH,

JJK





Re: [Openvpn-users] OpenVPN 2.3.9 released

2015-12-18 Thread Jan Just Keijser
Sebastian Rubenstein wrote:
> Thanks Samuli for doing a great job.
>  
> However, may I know why the latest community version 2.3.9 for 
> Microsoft Windows OS does not include the four security fixes 
> mentioned in https://openssl.org/news/secadv/20151203.txt ?

err, the fixes *are* included: openvpn 2.3.9 uses openssl 1.0.1q which 
addresses all issues listed in the link.

JJK




Re: [Openvpn-users] OpenVPN 2.3.9 released

2015-12-18 Thread Gert Doering
Hi,

On Fri, Dec 18, 2015 at 10:55:36AM +0100, Sebastian Rubenstein wrote:
> >The biggest change is the addition of --block-outside-dns option, which can 
> >be used to fix DNS leaks in Windows 8.1 and 10.
> 
> If I understood it correctly, the option --block-outside-dns is to be applied 
> on the server side, not on the client side.

The server can *push* it to its clients, or you can put it into the client
config.

Applying it to the server is not overly useful - because that would block
all DNS queries coming through the tunnel towards the "protected Internet".

(And who would run a server on Windows anyway?)

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de




Re: [Openvpn-users] OpenVPN 2.3.9 released

2015-12-18 Thread Sebastian Rubenstein
> Sent: Friday, December 18, 2015 at 6:07 PM
> From: "Jan Just Keijser" <janj...@nikhef.nl>
> To: "Sebastian Rubenstein" <asdf123...@gmx.com>
> Cc: "Samuli Seppänen" <sam...@openvpn.net>, "openvpn users list 
> (openvpn-users@lists.sourceforge.net)" <openvpn-users@lists.sourceforge.net>
> Subject: Re: [Openvpn-users] OpenVPN 2.3.9 released
>
> nope, this is typically a client-side option. It *is* possible, however, 
> to push it from the server side to all clients: Windows Vista+ clients 
> will pick it up and use it, all others will ignore it.

Hi JJK,

Suppose I'm using Ubuntu and the contents of the sample.conf are as follows:

client
dev tun
proto tcp
remote 111.222.333.444
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
route-delay 5
verb 3
ca "ca.crt"
cert "sample.crt"
key "sample.key"
tls-auth "ta.key" 1
script-security 3
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
block-outside-dns

Please look at the last line. Is that how it should be worded in the 
sample.conf?

Thanks.

Sebastian R.



Re: [Openvpn-users] OpenVPN 2.3.9 released

2015-12-18 Thread Gert Doering
Hi,

On Fri, Dec 18, 2015 at 01:43:34PM +0100, Sebastian Rubenstein wrote:
> Suppose I'm using Ubuntu and the contents of the sample.conf are as follows:
[..]
> block-outside-dns
> 
> Please look at the last line. Is that how it should be worded in the 
> sample.conf?

No, because on Ubuntu, this is an unknown option -> error.

make it

  setenv opt block-outside-dns

instead

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de




Re: [Openvpn-users] OpenVPN 2.3.9 released

2015-12-18 Thread Sebastian Rubenstein
> Sent: Friday, December 18, 2015 at 8:54 PM
> From: "Gert Doering" <g...@greenie.muc.de>
> To: "Sebastian Rubenstein" <asdf123...@gmx.com>
> Cc: "Jan Just Keijser" <janj...@nikhef.nl>, "openvpn users list 
> (openvpn-users@lists.sourceforge.net)" <openvpn-users@lists.sourceforge.net>
> Subject: Re: [Openvpn-users] OpenVPN 2.3.9 released
> 
> No, because on Ubuntu, this is an unknown option -> error.
> 
> make it
> 
>   setenv opt block-outside-dns
> 
> instead

Thanks Gert for the tip.

Am I right to state that

setenv opt block-outside-dns

can appear anywhere in the *.conf file?

Regards.

Sebastian R.



Re: [Openvpn-users] OpenVPN 2.3.9 released

2015-12-18 Thread debbie10t
Hi
- Original Message - 
From: "Gert Doering" <g...@greenie.muc.de>
To: <debbie...@gmail.com>
Cc: "Gert Doering" <g...@greenie.muc.de>; "Sebastian Rubenstein" 
<asdf123...@gmx.com>; <openvpn-users@lists.sourceforge.net>
Sent: Friday, December 18, 2015 9:14 PM
Subject: Re: [Openvpn-users] OpenVPN 2.3.9 released

> Hi,
>
> On Fri, Dec 18, 2015 at 09:08:20PM -, debbie...@gmail.com wrote:
> > With the proviso that there is not a subsequent line such as:
> > setenv opt something_else
>
> No.   All "setenv opt" lines are totally independent.

Certainly "interpreted differently"!



FAO: man page maintainers .. for a "man page" entry, this:

--setenv name value
Set a custom environmental variable name=value to pass to script.

simply does *not* cut it.

Regards.




Re: [Openvpn-users] OpenVPN 2.3.9 released

2015-12-18 Thread debbie10t

- Original Message - 
From: "Gert Doering" <g...@greenie.muc.de>
To: "Sebastian Rubenstein" <asdf123...@gmx.com>
Cc: <openvpn-users@lists.sourceforge.net>
Sent: Friday, December 18, 2015 1:02 PM
Subject: Re: [Openvpn-users] OpenVPN 2.3.9 released


>> Am I right to state that
>>
>> setenv opt block-outside-dns
>>
>> can appear anywhere in the *.conf file?
>
>Yes.

With the proviso that there is not a subsequent line such as:
setenv opt something_else

With that in mind, using the variable name "opt" feels very generic;
I would have thought a more suitable name could be chosen?

For (dodgy) example:
setenv  opt_windows_dns_leak_protect  block-outside-dns

Just my 2c .. 

BTW: 
Well done and Many thanks to All who helped solve this problem.




Re: [Openvpn-users] OpenVPN 2.3.9 released

2015-12-17 Thread Ralf Hildebrandt
* Gert Doering :

> "man openvpn" has a bit 
> 
> .B \-\-block\-outside\-dns
> Block DNS servers on other network adapters to prevent
> DNS leaks. This option prevents any application from accessing
> TCP or UDP port 53 except one inside the tunnel. It uses
> Windows Filtering Platform (WFP) and works on Windows Vista or
> later.

Seen that after I updated the server package...

> Yes.  But you need to either push it, or configure it as
> 
>   setenv opt block-outside-dns
> 
> which will make the "unrecognized option" bit a warning only, not a fatal
> error (when pushed, it's always warning-only)
> 
> Plus, it only works on Vista+, so on XP it will trigger an error (or warning,
> same rules as for the option itself on Linux/Mac)

Currently I'm pushing it. No ill side effects so far.
 
> It might need to be pushed along with "register-dns", or a configured --up-

We're pushing that for years now :)

> script that does "ipconfig /registerdns" to make sure that Windows really
> really understands that "hey, there are new nameservers, please USE THEM!!!"
> - otherwise some testers reported DNS latencies in the first few minutes
> of VPN usage.

A side issue there with register-dns:
https://community.openvpn.net/openvpn/ticket/570

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de    Campus Benjamin Franklin
http://www.charite.de  Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155



Re: [Openvpn-users] OpenVPN 2.3.9 released

2015-12-16 Thread debbie10t
I just want to check this is not an error of some sort:
https://forums.openvpn.net/topic20433.html#p56941

Note: 
Unpacking openvpn (2.3.9-debian0) over (2.3.2-7ubuntu3.1) ...

Debian over Ubuntu ?

I double checked my sources.list.d twice:
deb http://swupdate.openvpn.net/apt trusty main





Re: [Openvpn-users] OpenVPN 2.3.9 released

2015-12-16 Thread Gert Doering
Hi,

On Wed, Dec 16, 2015 at 03:12:52PM +0100, Ralf Hildebrandt wrote:
> * Samuli Seppänen :
> 
> > This release includes many small improvements and fixes. The biggest 
> > change is the addition of --block-outside-dns option, which can be used 
> > to fix DNS leaks in Windows 8.1 and 10. 
> 
> Where's the docs for that?

"man openvpn" has a bit 

.B \-\-block\-outside\-dns
Block DNS servers on other network adapters to prevent
DNS leaks. This option prevents any application from accessing
TCP or UDP port 53 except one inside the tunnel. It uses
Windows Filtering Platform (WFP) and works on Windows Vista or
later.

> What I need to know is:
> 
> * does it work on Win32 only (ignoring it on osx/linux is ok)

Yes.  But you need to either push it, or configure it as

  setenv opt block-outside-dns

which will make the "unrecognized option" bit a warning only, not a fatal
error (when pushed, it's always warning-only)

Plus, it only works on Vista+, so on XP it will trigger an error (or warning,
same rules as for the option itself on Linux/Mac)

> * do I need to change the config on the client or can that be pushed from the 
> server?

Can be pushed.

It might need to be pushed along with "register-dns", or a configured --up-
script that does "ipconfig /registerdns" to make sure that Windows really
really understands that "hey, there are new nameservers, please USE THEM!!!"
- otherwise some testers reported DNS latencies in the first few minutes
of VPN usage.

(Lev, Valdikss, feel free to chime in and explain better)

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de
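As an added example (not code from OpenVPN or from anyone in this thread), the Python below models the option-handling rules Gert describes here and in his earlier "setenv opt block-outside-dns" reply, plus the point raised later that each "setenv opt" line stands on its own. The platform names, the small set of portable options and the sample config are assumptions constructed for the example.

```python
# Added example, not OpenVPN's own code: a model of how an OpenVPN 2.3.9
# client treats the Windows-only `block-outside-dns` option under the rules
# stated in the thread. A bare unknown option is a fatal config error; behind
# `setenv opt`, or when pushed from the server, it is a warning only; on
# Windows Vista or later it is applied. Platform names are assumptions.

# Small subset of portable options, enough for the constructed sample below.
PORTABLE_OPTIONS = {"client", "dev", "proto", "remote", "nobind", "verb",
                    "persist-key", "persist-tun", "cipher", "ca", "cert", "key"}
WINDOWS_ONLY_OPTIONS = {"block-outside-dns"}      # needs WFP, per the man page
WFP_PLATFORMS = {"windows-vista", "windows-7", "windows-8.1", "windows-10"}


def classify(line, platform, pushed=False):
    """Return (severity, option) for one config line.

    severity: "ignored" (blank/comment), "applied", "warning" or "error".
    pushed=True marks an option received from the server via push.
    """
    tokens = line.split()
    if not tokens or tokens[0][0] in "#;":
        return ("ignored", None)
    soft = False
    # `setenv opt <option> [args]`: a parse failure of <option> becomes a
    # warning. Each such line stands on its own; later ones do not override it.
    if tokens[0] == "setenv" and len(tokens) >= 3 and tokens[1] == "opt":
        soft, tokens = True, tokens[2:]
    option = tokens[0]
    usable = option in PORTABLE_OPTIONS or (
        option in WINDOWS_ONLY_OPTIONS and platform in WFP_PLATFORMS)
    if usable:
        return ("applied", option)
    if soft or pushed:            # unknown here, but tolerated
        return ("warning", option)
    return ("error", option)      # unknown and fatal: the client refuses to start


def lint_config(text, platform):
    """Classify every non-empty line of a client config on the given platform."""
    results = [classify(line, platform) for line in text.splitlines()]
    return [r for r in results if r[0] != "ignored"]


# Constructed client config, cut down from the one quoted in the thread.
SAMPLE_CONF = """\
client
dev tun
block-outside-dns
setenv opt block-outside-dns
setenv opt something_else
"""
```

Running `lint_config(SAMPLE_CONF, "linux")` flags the bare line as an error and both `setenv opt` lines as warnings; on "windows-10" the bare line is applied instead.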

