Re: [Openvpn-users] OpenVPN 2.3.9 released
> Sent: Wednesday, December 16, 2015 at 9:40 PM
> From: "Samuli Seppänen"
> To: "openvpn users list (openvpn-users@lists.sourceforge.net)", "openvpn-de...@lists.sourceforge.net", openvpn-annou...@lists.sourceforge.net
> Subject: [Openvpn-users] OpenVPN 2.3.9 released
>
> The biggest change is the addition of --block-outside-dns option, which can be
> used to fix DNS leaks in Windows 8.1 and 10.

Hi Samuli

If I understood it correctly, the option --block-outside-dns is to be applied on the server side, not on the client side.

Thanks in advance for your clarification.

Regards.
Sebastian R.

--
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] OpenVPN 2.3.9 released
Hi Sebastian,

Sebastian Rubenstein wrote:
>> Sent: Wednesday, December 16, 2015 at 9:40 PM
>> From: "Samuli Seppänen"
>> To: "openvpn users list (openvpn-users@lists.sourceforge.net)", "openvpn-de...@lists.sourceforge.net", openvpn-annou...@lists.sourceforge.net
>> Subject: [Openvpn-users] OpenVPN 2.3.9 released
>>
>> The biggest change is the addition of --block-outside-dns option, which can
>> be used to fix DNS leaks in Windows 8.1 and 10.
>>
>
> Hi Samuli
>
> If I understood it correctly, the option --block-outside-dns is to be applied
> on the server side, not on the client side.
>
> Thanks in advance for your clarification.
>

nope, this is typically a client-side option. It *is* possible, however, to push it from the server side to all clients: Windows Vista+ clients will pick it up and use it, all others will ignore it.

HTH,

JJK
Re: [Openvpn-users] OpenVPN 2.3.9 released
Sebastian Rubenstein wrote:
> Thanks Samuli for doing a great job.
>
> However, may I know why the latest community version 2.3.9 for
> Microsoft Windows OS does not include the four security fixes
> mentioned in https://openssl.org/news/secadv/20151203.txt ?

err, the fixes *are* included: openvpn 2.3.9 uses openssl 1.0.1q which addresses all issues listed in the link.

JJK
Re: [Openvpn-users] OpenVPN 2.3.9 released
Hi,

On Fri, Dec 18, 2015 at 10:55:36AM +0100, Sebastian Rubenstein wrote:
> >The biggest change is the addition of --block-outside-dns option, which can
> >be used to fix DNS leaks in Windows 8.1 and 10.
>
> If I understood it correctly, the option --block-outside-dns is to be applied
> on the server side, not on the client side.

The server can *push* it to its clients, or you can put it into the client config. Applying it to the server is not overly useful - because that would block all DNS queries coming through the tunnel towards the "protected Internet".

(And who would run a server on Windows anyway?)

gert

--
USENET is *not* the non-clickable part of WWW!
                                                  //www.muc.de/~gert/
Gert Doering - Munich, Germany                    g...@greenie.muc.de
fax: +49-89-35655025                 g...@net.informatik.tu-muenchen.de
Re: [Openvpn-users] OpenVPN 2.3.9 released
> Sent: Friday, December 18, 2015 at 6:07 PM
> From: "Jan Just Keijser" <janj...@nikhef.nl>
> To: "Sebastian Rubenstein" <asdf123...@gmx.com>
> Cc: "Samuli Seppänen" <sam...@openvpn.net>, "openvpn users list
> (openvpn-users@lists.sourceforge.net)" <openvpn-users@lists.sourceforge.net>
> Subject: Re: [Openvpn-users] OpenVPN 2.3.9 released
>
> nope, this is typically a client-side option. It *is* possible, however,
> to push it from the server side to all clients: Windows Vista+ clients
> will pick it up and use it, all others will ignore it.

Hi JJK,

Suppose I'm using Ubuntu and the contents of the sample.conf are as follows:

client
dev tun
proto tcp
remote 111.222.333.444
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
route-delay 5
verb 3
ca "ca.crt"
cert "sample.crt"
key "sample.key"
tls-auth "ta.key" 1
script-security 3
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
block-outside-dns

Please look at the last line. Is that how it should be worded in the sample.conf?

Thanks.
Sebastian R.
Re: [Openvpn-users] OpenVPN 2.3.9 released
Hi,

On Fri, Dec 18, 2015 at 01:43:34PM +0100, Sebastian Rubenstein wrote:
> Suppose I'm using Ubuntu and the contents of the sample.conf are as follows:
[..]
> block-outside-dns
>
> Please look at the last line. Is that how it should be worded in the
> sample.conf?

No, because on Ubuntu, this is an unknown option -> error.

make it

setenv opt block-outside-dns

instead

gert
Re: [Openvpn-users] OpenVPN 2.3.9 released
> Sent: Friday, December 18, 2015 at 8:54 PM
> From: "Gert Doering" <g...@greenie.muc.de>
> To: "Sebastian Rubenstein" <asdf123...@gmx.com>
> Cc: "Jan Just Keijser" <janj...@nikhef.nl>, "openvpn users list
> (openvpn-users@lists.sourceforge.net)" <openvpn-users@lists.sourceforge.net>
> Subject: Re: [Openvpn-users] OpenVPN 2.3.9 released
>
> No, because on Ubuntu, this is an unknown option -> error.
>
> make it
>
> setenv opt block-outside-dns
>
> instead

Thanks Gert for the tip.

Am I right to state that

setenv opt block-outside-dns

can appear anywhere in the *.conf file?

Regards.
Sebastian R.
Re: [Openvpn-users] OpenVPN 2.3.9 released
Hi

----- Original Message -----
From: "Gert Doering" <g...@greenie.muc.de>
To: <debbie...@gmail.com>
Cc: "Gert Doering" <g...@greenie.muc.de>; "Sebastian Rubenstein" <asdf123...@gmx.com>; <openvpn-users@lists.sourceforge.net>
Sent: Friday, December 18, 2015 9:14 PM
Subject: Re: [Openvpn-users] OpenVPN 2.3.9 released

> Hi,
>
> On Fri, Dec 18, 2015 at 09:08:20PM -, debbie...@gmail.com wrote:
> > With the proviso that there is not a subsequent line such as:
> > setenv opt something_else
>
> No. All "setenv opt" lines are totally independent.

Certainly "interpreted differently" !

FAO: man page maintainers .. for a "man page" entry, this:

--setenv name value
Set a custom environmental variable name=value to pass to script.

simply does *not* cut it.

Regards.
Re: [Openvpn-users] OpenVPN 2.3.9 released
----- Original Message -----
From: "Gert Doering" <g...@greenie.muc.de>
To: "Sebastian Rubenstein" <asdf123...@gmx.com>
Cc: <openvpn-users@lists.sourceforge.net>
Sent: Friday, December 18, 2015 1:02 PM
Subject: Re: [Openvpn-users] OpenVPN 2.3.9 released

>> Am I right to state that
>>
>> setenv opt block-outside-dns
>>
>> can appear anywhere in the *.conf file?
>
> Yes.

With the proviso that there is not a subsequent line such as:

setenv opt something_else

With that in mind, using variable name "opt" feels very generic, I would have thought a more suitable name could be chosen ?

For (dodgy) example:

setenv opt_windows_dns_leak_protect block-outside-dns

Just my 2c ..

BTW: Well done and Many thanks to All who helped solve this problem.
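An added example, not code from the thread or the OpenVPN project: a small checker for the three ways the thread discusses supplying the Windows-only option (a bare "block-outside-dns" line, "setenv opt block-outside-dns", and a server-side "push"), including the point above that a later "setenv opt something_else" line leaves an earlier "setenv opt block-outside-dns" untouched. The platform labels and the sample config are assumptions of this example.

```python
# Added example, not code from the thread: lints how the Windows-only DNS-leak
# options are written into an OpenVPN config, using the rules the thread states:
# a bare "block-outside-dns" line is an unknown option on Linux/macOS builds and
# aborts startup; "setenv opt block-outside-dns" is accepted everywhere (Windows
# Vista+ applies it, other builds only warn) and each "setenv opt" line stands
# alone; a pushed option is applied by Windows clients and warned about by others.
# The platform labels are an assumption of this demo.
WINDOWS_ONLY = {"block-outside-dns", "register-dns"}

def parse_config(text):
    """Yield (directive, args) for every non-comment line of an OpenVPN config."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        yield parts[0], parts[1:]

def check_dns_leak_options(text, platform):
    """Return (severity, option, note) findings; platform is 'windows' or 'linux'."""
    findings = []
    for directive, args in parse_config(text):
        if directive in WINDOWS_ONLY:
            if platform == "windows":
                findings.append(("ok", directive, "applied locally"))
            else:
                findings.append(("fatal", directive,
                                 f"unknown option on {platform}; write 'setenv opt {directive}'"))
        elif directive == "setenv" and len(args) >= 2 and args[0] == "opt":
            if args[1] in WINDOWS_ONLY:
                note = "applied" if platform == "windows" else "ignored with a warning"
                findings.append(("ok", args[1], f"via setenv opt, {note}"))
        elif directive == "push" and args:
            pushed = " ".join(args).strip('"').split()
            if pushed and pushed[0] in WINDOWS_ONLY:
                findings.append(("ok", pushed[0],
                                 "pushed; Windows Vista+ clients apply it, others warn and ignore"))
    return findings

# Constructed sample: the Ubuntu client config from the thread in the corrected form
SAMPLE_LINUX_CLIENT = """\
client
setenv opt block-outside-dns
setenv opt something_else
"""

if __name__ == "__main__":
    for finding in check_dns_leak_options(SAMPLE_LINUX_CLIENT, "linux"):
        print(finding)
```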
Re: [Openvpn-users] OpenVPN 2.3.9 released
* Gert Doering:

> "man openvpn" has a bit
>
> .B \-\-block\-outside\-dns
> Block DNS servers on other network adapters to prevent
> DNS leaks. This option prevents any application from accessing
> TCP or UDP port 53 except one inside the tunnel. It uses
> Windows Filtering Platform (WFP) and works on Windows Vista or
> later.

Seen that after I updated the server package...

> Yes. But you need to either push it, or configure it as
>
> setenv opt block-outside-dns
>
> which will make the "unrecognized option" bit a warning only, not a fatal
> (when pushed, it's always warning-only)
>
> Plus, it only works on Vista+, so on XP it will trigger an error (or warning,
> same rules as for the option itself on Linux/Mac)

Currently I'm pushing it. No ill side effects so far.

> It might need to be pushed along with "register-dns", or a configured --up-

We're pushing that for years now :)

> script that does "ipconfig /registerdns" to make sure that Windows really
> really understands that "hey, there is new nameservers, please USE THEM!!!"
> - otherwise some testers reported DNS latencies in the first few minutes
> of VPN usage.

A side issue there with register-dns:
https://community.openvpn.net/openvpn/ticket/570

--
Ralf Hildebrandt                    Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de         Campus Benjamin Franklin
http://www.charite.de               Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk  fon: +49-30-450.570.155
Re: [Openvpn-users] OpenVPN 2.3.9 released
I just want to check this is not an error of some sort:
https://forums.openvpn.net/topic20433.html#p56941

Note: Unpacking openvpn (2.3.9-debian0) over (2.3.2-7ubuntu3.1) ...

Debian over Ubuntu ?

I double checked my sources.list.d twice:

deb http://swupdate.openvpn.net/apt trusty main
Re: [Openvpn-users] OpenVPN 2.3.9 released
Hi,

On Wed, Dec 16, 2015 at 03:12:52PM +0100, Ralf Hildebrandt wrote:
> * Samuli Seppänen:
> >
> > This release includes many small improvements and fixes. The biggest
> > change is the addition of --block-outside-dns option, which can be used
> > to fix DNS leaks in Windows 8.1 and 10.
>
> Where's the docs for that?

"man openvpn" has a bit

.B \-\-block\-outside\-dns
Block DNS servers on other network adapters to prevent
DNS leaks. This option prevents any application from accessing
TCP or UDP port 53 except one inside the tunnel. It uses
Windows Filtering Platform (WFP) and works on Windows Vista or
later.

> What I need to know is:
>
> * does it work on Win32 only (ignoring it on osx/linux is ok)

Yes. But you need to either push it, or configure it as

setenv opt block-outside-dns

which will make the "unrecognized option" bit a warning only, not a fatal (when pushed, it's always warning-only)

Plus, it only works on Vista+, so on XP it will trigger an error (or warning, same rules as for the option itself on Linux/Mac)

> * do I need to change the config on the client or can that be pushed from the
> server?

Can be pushed.

It might need to be pushed along with "register-dns", or a configured --up-script that does "ipconfig /registerdns" to make sure that Windows really really understands that "hey, there is new nameservers, please USE THEM!!!" - otherwise some testers reported DNS latencies in the first few minutes of VPN usage.

(Lev, Valdikss, feel free to chime in and explain better)

gert