On 27/02/2017 18:18, David Sommerseth wrote:
> On 27/02/17 23:06, James Yonan wrote:
>> On 25/02/2017 08:40, Steffan Karger wrote:
> [...snip...]
>>> I'd say so. Something like:
>>>
>>> legacy: RSA 1024+, SHA1+, all curves
>>> default: RSA 204
On 25/02/2017 08:40, Steffan Karger wrote:
> On 25-02-17 07:04, James Yonan wrote:
>> On 24/02/2017 16:10, Steffan Karger wrote:
>>> On 24-02-17 22:28, James Yonan wrote:
>>>> On 24/02/2017 02:40, Steffan Karger wrote:
>>>>> On 23-02-17 22:41,
On 24/02/2017 16:10, Steffan Karger wrote:
> Hi,
>
> On 24-02-17 22:28, James Yonan wrote:
>> On 24/02/2017 02:40, Steffan Karger wrote:
>>> On 23-02-17 22:41, James Yonan wrote:
>>>> On 23/02/2017 01:22, Steffan Karger wrote:
>>>>> On 22-02-17 1
On 24/02/2017 02:40, Steffan Karger wrote:
> On 23-02-17 22:41, James Yonan wrote:
>> On 23/02/2017 01:22, Steffan Karger wrote:
>>> On 22-02-17 19:48, James Yonan wrote:
>>>> mbedTLS 2 has a new feature that allows rejection of certificates if the
>>>>
On 23/02/2017 01:22, Steffan Karger wrote:
> Hi James,
>
> On 22-02-17 19:48, James Yonan wrote:
>> mbedTLS 2 has a new feature that allows rejection of certificates if the
>> key size is too small or the signing hash is weak.
>>
>> The feature is controlled vi
mbedTLS 2 has a new feature that allows rejection of certificates if the
key size is too small or the signing hash is weak.
The feature is controlled via struct mbedtls_x509_crt_profile.
For example, you could specify that certificates must be at least 2048
bits and use a SHA-2 signing alg.
On 04/03/2016 02:49, Arne Schwabe wrote:
On 04.03.16 at 08:29, James Yonan wrote:
On 03/03/2016 16:48, Arne Schwabe wrote:
On 03.03.16 at 09:18, James Yonan wrote:
Define PIP_OPT_MASK to represent all flags of interest to
process_ip_header, so that it can have a fast exit path
On 03/03/2016 16:48, Arne Schwabe wrote:
On 03.03.16 at 09:18, James Yonan wrote:
Define PIP_OPT_MASK to represent all flags of interest to
process_ip_header, so that it can have a fast exit path
if no flags are set.
Basically what this patch does is to change the condition to
if (flags
Bind the local TCP/UDP socket before UID/GID downgrade,
otherwise we cannot bind to ports < 1024.
Signed-off-by: James Yonan <ja...@openvpn.net>
---
src/openvpn/init.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/openvpn/init.c b/src/openvpn/ini
The inline directive http-proxy-user-pass can be used to
specify proxy credentials in config, e.g.:
http-proxy proxy.tld 3128 auto-nct
foo
bar
This usage is already supported by OpenVPN 3.
Signed-off-by: James Yonan <ja...@openvpn.net>
---
src/openvpn/misc.c| 8
src/o
er-defined scripting */
#define ENABLE_SCRIPTS 1
or disabled by ensuring that ENABLE_SCRIPTS is undefined.
If ENABLE_SCRIPTS is undefined, OpenVPN will log "[NOSCRIPTS]"
in the initial version info line.
This patch assumes that script_security defaults to
SSEC_BUILT_IN or less.
Signed-off
Signed-off-by: James Yonan <ja...@openvpn.net>
---
src/openvpn/ssl_verify_polarssl.c | 166 ++
src/openvpn/syshead.h | 2 +-
2 files changed, 167 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/ssl_verify_polarssl.c
b/src/o
Signed-off-by: James Yonan <ja...@openvpn.net>
---
src/openvpn/ssl_verify_polarssl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/openvpn/ssl_verify_polarssl.c
b/src/openvpn/ssl_verify_polarssl.c
index e87d2e2..9d0d086 100644
--- a/src/openvpn/ssl_verify_pola
For example:
x509-track "+SHA1"
will extract the SHA1 fingerprints for all certs in the
peer chain.
This patch is ported from OpenVPN 2.1.
Signed-off-by: James Yonan <ja...@openvpn.net>
---
src/openvpn/ssl_verify_openssl.c | 114 +--
1
the generated hex string
in upper case.
Signed-off-by: James Yonan <ja...@openvpn.net>
---
src/openvpn/buffer.c | 11 +++
src/openvpn/buffer.h | 4 +++-
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c
index bc67d65..52c6ab9
nSSL returns decimal serial numbers.
RFC 5280, published in 2008, decrees that serial numbers can be
up to 20 bytes long, hence it is necessary to support SSL
libraries that return the serial number as a hex string.
Signed-off-by: James Yonan <ja...@openvpn.net>
---
src/openvpn/ssl_verify
Define PIP_OPT_MASK to represent all flags of interest to
process_ip_header, so that it can have a fast exit path
if no flags are set.
Merged from OpenVPN 2.1
Signed-off-by: James Yonan <ja...@openvpn.net>
---
src/openvpn/forward.c | 8 +---
src/openvpn/forward.h | 4 +++-
2 files c
remote-override -- replace the hostname in all remote
directives with alt-remote.
Merged from OpenVPN 2.1
Signed-off-by: James Yonan <ja...@openvpn.net>
---
doc/openvpn.8 | 5 +
src/openvpn/options.c | 8 +++-
src/openvpn/options.h | 2 ++
3 files changed, 14 insertions
Has anyone seen issues with --block-outside-dns speed? Because this
approach drops certain DNS packets, I'm wondering if apps will
experience lag time while waiting for dropped DNS requests to time out.
James
These may have been fixed by now, but noticed some issues in the
original patch that was discussed in the OpenVPN-devel IRC meeting
several weeks ago.
* win_adapter_index_to_luid is declared to return a
NET_LUID but not all code paths return a value.
* wcscat(svchostpath, L"\\svchost.exe")
On 09/11/2015 00:38, Samuli Seppänen wrote:
Hi,
I plan to add a control-C handler in win32.c. The handler will simply
map it to SIGTERM. Is there any particular reason why control-C is not
currently handled?
Hi,
I forwarded this email to James - he might have a clue.
Currently the
ix:
http://thread.gmane.org/gmane.network.openvpn.devel/9386
which is waiting for an ACK.
Otherwise implementation is pretty much in line with your spec.
Great, thanks.
James
-Lev
2015-01-07 2:08 GMT+02:00 James Yonan <ja...@openvpn.net>:
I've updated the OpenVPN protocol extension doc
I've updated the OpenVPN protocol extension doc with additional details,
now that more of these features have been implemented in OpenVPN 3.
If you are implementing any of these features in OpenVPN 2.x, please
review so we can ensure that OpenVPN 2.x and 3 are on the same page with
respect to
In addition to the Peer-ID/DATA_V2 protocol change proposal,
here are a couple more proposed extensions for AEAD mode and
Compression V2 that we can discuss at the upcoming Munich
hackathon.
James
OpenVPN Protocol extensions
1. DATA_V2 opcode with 24-bit peer ID
2. AEAD mode
To support
() as returning const char *,
to avoid loss of const qualifier in ssl_openssl.c.
Signed-off-by: James Yonan <ja...@openvpn.net>
---
src/openvpn/options.c | 15 +--
src/openvpn/options.h | 2 ++
src/openvpn/ssl_backend.h | 2 +-
src/openvpn/ssl_openssl.c | 2 +-
src/o
Signed-off-by: James Yonan <ja...@openvpn.net>
---
config-msvc.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/config-msvc.h b/config-msvc.h
index 9a95ae6..fa99384 100644
--- a/config-msvc.h
+++ b/config-msvc.h
@@ -76,6 +76,9 @@
#define HAVE_OPENSSL_ENGINE 1
+#define PATH_SEP
Signed-off-by: James Yonan <ja...@openvpn.net>
---
src/openvpn/ssl_openssl.c | 7 +++
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 481600a..d845fd7 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/o
Signed-off-by: James Yonan <ja...@openvpn.net>
---
src/openvpn/socket.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h
index 4e7e7f8..793cd9f 100644
--- a/src/openvpn/socket.h
+++ b/src/openvpn/socket.h
@@ -1023,7 +1023,7 @@
Signed-off-by: James Yonan <ja...@openvpn.net>
---
src/openvpn/socket.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 7ff14cc..6e68c18 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -1150,7 +
Signed-off-by: James Yonan <ja...@openvpn.net>
---
src/openvpn/init.c | 10 ++
src/openvpn/socket.c | 2 +-
src/openvpn/win32.c | 6 +++---
3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 52d370b..3fb 100644
---
This series of patches is for the 2.3 branch and fixes MSVC compile issues.
Some of these may be applicable to master as well, though I haven't checked yet.
James
On 28/04/2014 15:19, Steffan Karger wrote:
Hi,
On 27-04-14 22:10, Steffan Karger wrote:
On 27-04-14 19:53, Gert Doering wrote:
On Mon, Apr 21, 2014 at 01:10:04AM -0600, James Yonan wrote: The
attached patch is what I intend to commit to release/2.3 *only*,
not to master - as agreed at the IRC
On 23/04/2014 18:22, Timothe Litt wrote:
I don't see that cryptoapi.c has been updated to work with TLS 1.2.
Yes, just came to the same conclusion.
Long-term the key-loaders need to get updated.
Maybe short-term the options that invoke them could force NO_TLSv_1_2...
That would make things
On 23/04/2014 17:21, Timothe Litt wrote:
On 23-Apr-14 16:06, Steffan Karger wrote:
I generated a matching pair of traces of the failure (client and server)
& posted a summary.
Let me know if you would like the full traces.
Sent off-list.
I've been trying to reproduce the error. I grabbed my
On 23/04/2014 04:17, Arne Schwabe wrote:
On 21.04.14 21:26, James Yonan wrote:
On 21/04/2014 05:27, Arne Schwabe wrote:
On 21.04.2014 09:10, James Yonan wrote:
Define PIP_OPT_MASK to represent all flags of interest to
process_ip_header, so that it can have a fast exit path
if no flags
On 21/04/2014 05:33, Arne Schwabe wrote:
On 21.04.2014 09:10, James Yonan wrote:
remote-override -- replace the hostname in all remote
directives with alt-remote.
Just a question. How does remote-override differ from ip-remote-hint?
Both options seem to have the same effect aside from very
On 21/04/2014 05:27, Arne Schwabe wrote:
On 21.04.2014 09:10, James Yonan wrote:
Define PIP_OPT_MASK to represent all flags of interest to
process_ip_header, so that it can have a fast exit path
if no flags are set.
I haven't looked at the code but if I remember correctly, this method does
On 21/04/2014 05:49, Gert Doering wrote:
Hi,
On Mon, Apr 21, 2014 at 01:11:05PM +0200, Arne Schwabe wrote:
Yes. But with this patch it is always turned off, keeping OpenVPN in 99%
of installations in TLS 1.0. Is there any other known case where it
breaks aside from the Tomato OpenVPN client?
On 19/04/2014 08:33, Steffan Karger wrote:
Hi,
On 04/18/2014 02:49 PM, Steffan Karger wrote:
On 04/17/2014 09:41 PM, James Yonan wrote:
I'm not sure I understand the (SIZE_MAX - hashlen) > asn_len part.
Wouldn't this always be true for reasonable values of hashlen and asn_len?
This sho
ciphersuites.
Signed-off-by: James Yonan <ja...@openvpn.net>
---
src/openvpn/ssl.c | 4 ++--
src/openvpn/ssl_backend.h | 15 +--
src/openvpn/ssl_openssl.c | 31 ++-
src/openvpn/ssl_polarssl.c | 43 +++
4
MSVC 2013 C library now defines strtoull() function,
so use the native implementation when available.
Signed-off-by: James Yonan <ja...@openvpn.net>
---
config-msvc.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/config-msvc.h b/config-msvc.h
index 99c00f9..9a95ae6 100644
--- a/
Define PIP_OPT_MASK to represent all flags of interest to
process_ip_header, so that it can have a fast exit path
if no flags are set.
Merged from OpenVPN 2.1
Signed-off-by: James Yonan <ja...@openvpn.net>
---
src/openvpn/forward.c | 6 +-
src/openvpn/forward.h | 4 +++-
2 files chan
remote-override -- replace the hostname in all remote
directives with alt-remote.
Merged from OpenVPN 2.1
Signed-off-by: James Yonan <ja...@openvpn.net>
---
src/openvpn/options.c | 7 ++-
src/openvpn/options.h | 2 ++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git
Just wondering if anyone has looked at implementing x509-track for PolarSSL?
James
On 27/02/2014 12:40, steffan.kar...@fox-it.com wrote:
Hi,
The attached patches add support for PolarSSL 1.3. These patches are for
master only, as they drop support for PolarSSL 1.2. Supporting both versions
would require a lot of #ifdef's, so I opted for dropping 1.2.
Along with PolarSSL 1.3
ftware can distinguish it.
This very simple patch does that.
James
From a8f0d219d4edd1e95520cc40d27a0cd79cace2c2 Mon Sep 17 00:00:00 2001
From: James Yonan <ja...@openvpn.net>
List-Post: openvpn-devel@lists.sourceforge.net
Date: Wed, 16 Apr 2014 21:29:42 -0600
Subject: [PATCH] tls_seri
Someone on the Tor lists is claiming that OpenVPN isn't implementing
SOCKSv5 authentication correctly:
https://lists.torproject.org/pipermail/tor-dev/2014-March/006427.html
Any ideas?
James
On 30/03/2014 07:46, Gert Doering wrote:
Hi,
On Sun, Mar 30, 2014 at 12:48:37AM +0100, Steffan Karger wrote:
3 - Change OpenSSL builds to use hex representation
I tend toward this one - user visible behaviour shouldn't change (unless
unavoidable) depending on SSL library used.
So for me
On 17/03/2014 14:29, Gert Doering wrote:
Hi,
On Sun, Mar 16, 2014 at 06:49:36PM -0600, James Yonan wrote:
However, even with the above code, stateless session resumption
is still possible unless explicitly disabled with the
SSL_OP_NO_TICKET flag. This patch does this.
This actually raises
OpenVPN doesn't want or need SSL session renegotiation or
resumption, as it handles renegotiation on its own.
For this reason, OpenVPN always disables the SSL session cache:
SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_OFF)
However, even with the above code, stateless session resumption
On 18/06/2013 01:23, Joachim Schipper wrote:
Joachim Schipper wrote [I'm continuing my own message here]:
-Original Message-
From: Kenny Root [mailto:ke...@the-b.org]
Sent: Tuesday 4 June 2013 2:15
To: openvpn-devel@lists.sourceforge.net
Subject: [Openvpn-devel] Adding support for AEAD
We've recently merged some patches allowing OpenVPN to negotiate certain
settings (such as compression), but unfortunately at this time neither
cipher nor auth directives can be negotiated in the 2.x branch.
The 3.0 branch has fixed this somewhat by having the client support
cipher and auth
Fixes to allow compilation with Microsoft Visual Studio 2008
* Fixed several instances of declarations after statements.
* In socket.c, fixed issue where uninitialized value (err)
is being passed to gai_strerror.
* ssl.c is trying to access multi_output_peer_info_env
function in multi.c,
This is the TLS versioning patch as discussed in last Thursday's IRC
meeting.
It combines these two patches:
https://github.com/jamesyonan/openvpn/commit/03a5599202bdc3ba07983dc4efdae387fb8fb436
https://github.com/jamesyonan/openvpn/commit/d23005413b0e0f28a3c48a6342f494763d5c9b40
James
diff
On 18/06/2013 01:41, Joachim Schipper wrote:
From: James Yonan <ja...@openvpn.net>:
On 14/06/2013 02:47, Joachim Schipper wrote:
From James Yonan <ja...@openvpn.net>:
TLS Protocol
Since day 1, OpenVPN has used TLS 1.0 as a control channel and key
exchange mechani
On 17/06/2013 01:58, Steffan Karger wrote:
On 06/14/2013 09:53 PM, James Yonan wrote:
To get the adaptive versioning behavior in OpenSSL, you have to use
SSLv23_server_method() or SSLv23_client_method() and then explicitly
disable the versions you don't want to consider, i.e. SSL_OP_NO_SSLv2
On 12/06/2013 15:08, Arne Schwabe wrote:
On 12.06.13 21:38, James Yonan wrote:
About finding out which cipher client and server use. I am not really
familiar with this code so forgive my stupid question. TLS somehow also
does this "select the best cipher to use" dance. Why ca
On 18/01/2013 15:31, Marcel Pennewiß wrote:
On Wed, 16 Jan 2013 21:48:23 -0700
James Yonan <ja...@openvpn.net> wrote:
The client is based on the new C++ OpenVPN core that is also used in
the OpenVPN Connect client for Android. The C++ core is a portable,
lightweight class library for bu
Just wanted to let everyone know that the OpenVPN Connect client for iOS
has just been released and is now available in the app store.
This is an official Apple-sanctioned OpenVPN client developed by OpenVPN
Technologies in collaboration with Apple.
The client is based on the new C++ OpenVPN
We've gotten some questions about whether OpenVPN is vulnerable to the
"BEAST" exploit.
At the time of this writing, the details of the "BEAST" exploit haven't
been released yet, but the general consensus is that it exploits the
known-IV weakness in SSL and TLS 1.0 that is discussed by Bard
Regarding the recently discovered SSL vulnerability CVE-2010-3864,
OpenVPN should not be affected because it is single-threaded.
James
I would be interested to know if anyone has succeeded in using
alternative approaches to install the windows TAP driver (other than
using tapinstall/devcon).
In particular, has anyone tried using the Difx API? This posting seems
to indicate that people have succeeded along these lines, but I
2010.08.09 -- Version 2.1.2
* Windows security issue:
Fixed potential local privilege escalation vulnerability in
Windows service. The Windows service did not properly quote the
executable filename passed to CreateService. A local attacker
with write access to the root directory C:\
I've observed a case on Windows Server 2008R2 where an antivirus product
called ESET Smart Security prevents install of the TAP driver.
The net effect in tapinstall (devcon) is that
UpdateDriverForPlugAndPlayDevices returns error code 1450
(ERROR_NO_SYSTEM_RESOURCES).
Apparently ESET
r 08, 2010 at 08:21:35AM -0700, James Yonan wrote:
(2) Complex method: Write code in OpenVPN to simulate a DHCP client,
then translate the settings received in the DHCP reply to OpenVPN
push-style directives (such as ifconfig, route, etc.) as if they had
been pushed by the OpenVPN server.
...
- how does one debug Windows drivers? Is there a printf() as in Linux
that goes to console / syslog?
I have not yet figured out that part. I did my debugging with Wireshark
("see what packets move back and forth and stare at the packet details").
While Windows doesn't support "printf"
I believe this has been discussed before, but I noticed recently that a
Linux-based OpenVPN client (Linux 2.6.24, OpenVPN 2.1.1) spends a lot
more CPU time in kernel space than in user space. This is surprising,
given the fact that all of the CPU-intensive cryptographic operations
are being
OpenVPN 2.1 has a relatively recent feature that allows a TAP-based
OpenVPN session to be established where the client gets its IP address
assignment and other attributes from the server-side DHCP server.
The feature is enabled by the "route-gateway dhcp" directive on the client.
It's a
Davide Brini wrote:
On Friday 11 December 2009, James Yonan wrote:
Try adding the "nobind" directive to your client config file. I think
this will solve the problem.
That seems indeed to do it. Thank you very much!
However, never in my life could I have imagined that th
Jon Onstott wrote:
Hello,
I am compiling OpenVPN and the TAP driver from source and would like the
TAP driver to be signed so that it installs correctly on Vista (and
doesn't pop-up warning dialog boxes). I noticed that the configure
scripts attempt to do that if "signtool" is defined. Is
Karl O. Pinc wrote:
On 12/10/2009 04:39:57 AM, Samuli Seppänen wrote:
David Sommerseth wrote:
I believe James has received several patches in the past from
people on
the mailing list - or directly.
They will either include patches into their own source
trees, or
kick them back
2 at 04:15 -0700, James Yonan wrote:
Are you using the --multihome option?
Sorry to jump in here, but I've run into a weird behavior when using multihome
in all versions, up to rc15 (I haven't tried later versions, but I guess that
it would be the same thing since I don't see anythi
where I found it (after
you let me know about it) was with openvpn --help.
Thank you, I'll try it.
BTW, why is it not by default?
Regards,
Olaf
On Thu, 2009-11-12 at 04:15 -0700, James Yonan wrote:
Are you using the --multihome option?
James, this option is not documented in the man pages
http://openvpn.net/prebuilt/2.1_rc22-prebuilt.tbz
Victor Wagner wrote:
> On 2009.10.24 at 13:39:56 -0600, James Yonan wrote:
>
>> Can you submit a patch (as an email attachment) with this fix?
> Attached
>
> This patch also contains X509_NAME_oneline replacement, which handles
> MSB characters.
>
> I've not checked
thought I must be missing something.
So if OpenVPN always uses a new session, what would be the point of
adding an option to disable renegotiation at the server side?
Cheers,
Dunc
James Yonan wrote:
OpenVPN uses a fresh SSL/TLS session for each of its mid-session
renegotiations. This means
This release is to respond to the OpenSSL vulnerability CVE-2009-3555.
Some people have worried that the fix made to OpenSSL to address this
vulnerability (ban all SSL/TLS renegotiations) would break OpenVPN's
session renegotiation capability. This is not the case. OpenVPN does
not rely on
OpenVPN uses a fresh SSL/TLS session for each of its mid-session
renegotiations. This means that when you see:
TLS: soft reset sec=0 bytes=314/0 pkts=6/0
OpenVPN is actually creating a brand new SSL/TLS session. So the
important point here is that OpenVPN does not rely on the session
The Zep Man wrote:
Dear openvpn-devel list,
OpenVPN supports verification of a username/password combination on the
server-side by parsing these to a 'script' using 'auth-user-pass-verify'.
With this, it is possible to use a file ('via-file') or environment
variables ('via-env') to parse the
2009.10.01 -- Version 2.1_rc20
* Fixed a bug introduced in 2.1_rc17 (svn r4436) where using the
redirect-gateway option by itself, without any extra parameters,
would cause the option to be ignored.
* Fixed build problem when ./configure --disable-server is used.
* Fixed ifconfig command
Sebastien Raveau wrote:
Hi everybody!
OpenVPN already has support for dropping privileges and confining
itself to a directory *after* startup (thanks to calls like setgid,
setuid and chroot) which makes for much better management than if you
had to respectively start OpenVPN unprivileged and
Thanks Stefan and Matthias. I've committed the patch.
James
Matthias Andree wrote:
Hi Jim,
there has been a recent change in FreeBSD 8 BETA that will break OpenVPN
2.1's "topology subnet" mode by (rightfully!) rejecting the ifconfig
command we're currently using (which incorrectly sets the
Matthias Andree wrote:
James Yonan wrote:
2009.07.16 -- Version 2.1_rc19
...
* In configure.ac, use datadir instead of datarootdir for compatibility
with
Dear Jim,
This is backwards. Please don't do that, but revert that change and
instead update the argument of AC_PREREQ
This release fixes an issue with the Windows TAP driver that can cause
BSODs on Vista (normally seen in the OpenVPN client). The problem is
that Windows has always restricted kernel threads to a very small stack
size (12KB on x86 32-bit). If they go over this limit, Windows will
crash with a
Arne Schwabe wrote:
Hello,
I am at the moment looking to integrating packet filtering into OpenVPN. My
reason to do so, are the following:
- Windows own Firewall does not work when routing/bridging is used
- I am not aware of a OpenSource Firewall for windows
- Being able to do NAT without
David Sommerseth wrote:
James Yonan wrote:
Change Log:
2009.05.30 -- Version 2.1_rc17
* Reduce the debug level (--verb) at which received management interface
commands are echoed from 7 to 3. Passwords will be filtered.
* Fixed race condition in management interface recv code
2009.06.07 -- Version 2.1_rc18
* Fixed compile error on ./configure --enable-small
* Fixed issue introduced in r4475 (2.1-rc17) where cryptoapi.c change
does not build on Windows on non-MINGW32.
James
Daniel Johnson wrote:
Karl O. Pinc wrote:
Openvpn does not do DNS at all. You can use it to push DNS related
DHCP options to the "clients" so that they are directed to a DNS
server that does the right thing. (There may be a way to do
something
Change Log:
2009.05.30 -- Version 2.1_rc17
* Reduce the debug level (--verb) at which received management interface
commands are echoed from 7 to 3. Passwords will be filtered.
* Fixed race condition in management interface recv code on
Windows, where sending a set of several commands to
David Sommerseth wrote:
M. G. wrote:
Hello,
I recently changed my VPN-tunnel from TCP to UDP for the sake of better
performance. It generally works very well but I noticed that I can't
connect to my server from some networks when using UDP, e.g. at work.
This may be an issue with the
Victor Wagner wrote:
On 2009.05.27 at 10:48:30 -0700, Frank Yellin wrote:
I posted the following onto the OpenVPN forum, but it was suggested
that I would be better off mailing directly to this list.
=
I seem to have found a bug in 2.1_rc16 that is also
We will be releasing a new Windows GUI for 2.1 that properly uses the
management interface, and can be run by a user without administrator
privileges. The GUI has already been developed and is available now
with our Access Server product. We will be open-sourcing this Windows
client GUI as part
age does not configure the system so that the
openvpnas service starts during system startup.
Best Regards,
James Yonan & the OpenVPN Technologies Team
Alon Bar-Lev wrote:
On Tuesday 10 February 2009 13:35:35 David Balazic wrote:
Ping ?
Should I resend the patch without the end-of-line-spaces change ?
James has his own response times.
I suggest you have much patience :)
Alon.
I apologize for not having the bandwidth to focus as much
Marcel Pennewiß wrote:
On Thursday 13 November 2008 01:23:46 Marcel Pennewiß wrote:
Hi,
Hi again,
a long time ago Juanjo Ciarlante wrote a patch for openvpn to create a
tunnel via ipv6 [1]. Later i fixed the patch to work with openvpn-2.0 and
2.1 which i use on OpenWRT and Gentoo. Roy (from
David,
A couple issues with the patch:
* sscanf usage doesn't check for buffer overflow.
* You use gw_if_name in some places and gw_ifname in other places. To
eliminate confusion it would be best to use a consistent form.
Also, to reiterate, try submitting the patch as an attachment to
Matthias Andree wrote:
On Tue, 27 Jan 2009, Alon Bar-Lev wrote:
Sent this to James.
Did not apply.
My queue is at:
http://svn.openvpn.net/projects/openvpn/contrib/alon
Perhaps the choice of version control system used for OpenVPN could
deserve a second thought -- Mercurial or better Git
I've patched the NSIS installer to omit the Windows version check.
Try this installer:
http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe
James
István Szukács wrote:
Hi folks!
I am wondering if you have ever had success to run openvpn on windows 7.
The problem is the latest
I don't believe this issue significantly affects OpenVPN. OpenVPN does
not use the EVP_VerifyFinal function. The issue is that some internal
OpenSSL functions do not properly check the return value of this
function. The issue is primarily of concern if you are using DSA or
ECDSA
Nikola Ciprich wrote:
Hello,
we are experiencing openvpn crashes from time to time, usually few times a week.
It happens with both 2.0.9 and 2.1rc13.
I've enabled coredumps, and backtrace looks always the same:
Core was generated by `/usr/sbin/openvpn --daemon --writepid