[Openvpn-devel] [PATCH 2.3 v2] Support --block-outside-dns on multiple tunnels

2016-09-16 Thread Selva Nair
v2: Simplified "add sublayer" code Currently each instance of openvpn adds WFP filters into an independent sublayer. As a block in one sublayer can override a permit in another, this causes all DNS traffic to block when --block-outside-dns is used in multiple tunnels. Fix using a common

[Openvpn-devel] [PATCH master v2] Support --block-outside-dns on multiple tunnels

2016-09-16 Thread Selva Nair
v2: Simplify the "add sublayer" code. Currently each instance of openvpn adds WFP filters into an independent sublayer. As a block in one sublayer can override a permit in another, this causes all DNS traffic to block when --block-outside-dns is used in multiple tunnels. Fix using a common

[Openvpn-devel] [PATCH] cleanup cert_hash_remember scoping

2016-09-16 Thread Steffan Karger
Add scopes for the conditional code, remove local scope that's only needed for c89 support (which we dropped). This patch should be applied after the SHA256 fingerprint support patch. Signed-off-by: Steffan Karger --- src/openvpn/ssl_verify.c | 17 ++--- 1 file

[Openvpn-devel] [PATCH] Show compile-time variant for --multihome in --version output.

2016-09-16 Thread Gert Doering
Instead of just [MH], show [MH/PKTINFO] or [MH/RECVDA], to see more easily which compile-time variant was chosen by configure and syshead.h Signed-off-by: Gert Doering --- src/openvpn/options.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git

Re: [Openvpn-devel] [PATCH] Fix IP_PKTINFO related compilation failure on NetBSD 7.0

2016-09-16 Thread Gert Doering
Hi, On Fri, Sep 16, 2016 at 09:02:42PM +0200, Gert Doering wrote: > NetBSD has introduced IP_PKTINFO and struct in_pktinfo, but does not > have the "ipi_spec_dst" structure element, causing compilation errors. > > Introduce a check for that (AC_CHECK_MEMBER) in configure.ac, and > change all

[Openvpn-devel] [PATCH] Fix IP_PKTINFO related compilation failure on NetBSD 7.0

2016-09-16 Thread Gert Doering
NetBSD has introduced IP_PKTINFO and struct in_pktinfo, but does not have the "ipi_spec_dst" structure element, causing compilation errors. Introduce a check for that (AC_CHECK_MEMBER) in configure.ac, and change all "#ifdef HAVE_IN_PKTINFO" to also check "HAVE_IPI_SPEC_DST". Patch inspired by

Re: [Openvpn-devel] [PATCH applied] Make gnu89 support explicit

2016-09-16 Thread David Sommerseth
ACK. This works well on CentOS 5, so this change makes sense as this makes the compiler behaviour more predictable with regard to C standards. This will most possibly break non-GNU compilers though (Solaris and AIX?). But as this behaviour can be

Re: [Openvpn-devel] [RFC] - Enable 2FA to be used with renegotiations

2016-09-16 Thread David Sommerseth
On 25/08/16 15:45, David Sommerseth wrote: > > Hi, > [...snip...] > > What the patch-set does is: > > - Add --auth-gen-token, and when used the following steps happen > > - After a successful normal user/password authentication, it will > generate a random token for this tunnel and keep a

[Openvpn-devel] [PATCH 2.3 v2] Make gnu89 support explicit

2016-09-16 Thread Steffan Karger
In the release/2.3 branch we support gnu89, basically to keep pre-2015 MSVC happy. Old gcc (<5) defaulted to gnu89. But gcc 5+ and clang default to gnu11/c11. This patch makes our gnu89 support explicit, such that these newer compilers will also point out gnu89 violations to developers. v2: only

Re: [Openvpn-devel] [PATCH applied] Do not abort t_client run if OpenVPN instance does not start.

2016-09-16 Thread David Sommerseth
Your patch has been applied to the following branches commit a7b02f7f660707f765881f35867b4d23d89b390f (master) commit 0043ddbbe6768ac560996e9879f47381e043a116 (release/2.3) Author: Gert Doering Date: Tue Sep 13 22:04:58 2016 +0200 Do not

[Openvpn-devel] [PATCH] Remove tun-ipv6 Option. Instead assume that IPv6 is always supported.

2016-09-16 Thread Arne Schwabe
This option was useful when IPv6 tun support was non-standard and was an internal/user-specified flag that tracked the IPv6 capability of the tun device. All supported OSes support IPv6. Also tun-ipv6 is pushable by the remote, so not putting tun-ipv6 does not forbid IPv6 addresses. This commit

Re: [Openvpn-devel] [PATCH] Do not abort t_client run if OpenVPN instance does not start.

2016-09-16 Thread David Sommerseth
On 13/09/16 22:04, Gert Doering wrote: > Basically, an oversight - if one test instance does not start at > all (due to "tap driver not loaded") the whole script would exit, > instead of logging the failing instance and proceeding to the next > test