Re: [Openvpn-devel] [ovpn-dco] How to benchmark kernel crypto performance?

2022-04-05 Thread Jan Just Keijser
ests (defaults to 8) (uint) parm: klen:Key length (defaults to 0) (uint) cheers, JJK Jan Just Keijser wrote on Tue, 5 Apr 2022 at 19:26: hi Tony, On 02/04/22 11:40, Tony He wrote: Hi Antonio, I am porting ovpn-dco to an embedded ARMv8 device with a hardware crypto engine. However the perform

Re: [Openvpn-devel] [ovpn-dco] How to benchmark kernel crypto performance?

2022-04-05 Thread Jan Just Keijser
hi Tony, On 02/04/22 11:40, Tony He wrote: Hi Antonio, I am porting ovpn-dco to an embedded ARMv8 device with a hardware crypto engine. However the performance is not very good. It's about 130-140Mbps. I expect more. The SDK already provides a kernel CryptoAPI (CFI) interface to access the crypto
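For the question this thread asks, an added example (not code from the thread, from ovpn-dco, or from the kernel's tcrypt module whose parameters are quoted above): Python driving the kernel's gcm(aes) AEAD through AF_ALG and timing it per packet size, so the figure reflects whichever driver the kernel actually selects for that transform on the board (the driver and priority fields in /proc/crypto tell you which one). Assumed: Linux with CONFIG_CRYPTO_USER_API_AEAD and Python 3.6 or later; the key, nonce counter and 4-byte header are constructed test values, and the packet sizes are the ones openssl speed reports plus 1400 bytes for a typical tunnel MTU.

```python
"""Time the Linux kernel's AEAD path from user space through AF_ALG.

Added example for the benchmarking question in this thread; not code from
ovpn-dco or from the thread. Assumes Linux with CONFIG_CRYPTO_USER_API_AEAD
and Python >= 3.6. Key, nonce counter and header are constructed test values.
"""
import os
import socket
import time

ALG_TYPE = 'aead'
ALG_NAME = 'gcm(aes)'       # assumption: the transform whose driver you want to measure
KEY = bytes(range(16))      # constructed AES-128 test key; never use a fixed key for real traffic
TAG_LEN = 16
IV_LEN = 12                 # GCM nonce length
AAD = b'\x00\x00\x00\x01'   # constructed 4-byte stand-in for an authenticated packet header


def afalg_available():
    """True if this kernel lets us bind the AEAD transform over AF_ALG."""
    if not hasattr(socket, 'AF_ALG'):
        return False
    try:
        with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0) as sock:
            sock.bind((ALG_TYPE, ALG_NAME))
        return True
    except OSError:
        return False


def open_aead(key, tag_len=TAG_LEN):
    """Bind the transform, set key and tag length, return (listen_sock, op_sock)."""
    algo = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
    algo.bind((ALG_TYPE, ALG_NAME))
    algo.setsockopt(socket.SOL_ALG, socket.ALG_SET_AEAD_AUTHSIZE, None, tag_len)
    algo.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, key)
    op, _ = algo.accept()
    return algo, op


def aead_encrypt(op, iv, aad, plaintext):
    """Kernel input is aad||plaintext, output aad||ciphertext||tag; return ciphertext||tag."""
    op.sendmsg_afalg([aad + plaintext], op=socket.ALG_OP_ENCRYPT, iv=iv, assoclen=len(aad))
    out = op.recv(len(aad) + len(plaintext) + TAG_LEN)
    return out[len(aad):]


def aead_decrypt(op, iv, aad, ct_and_tag):
    """Kernel input is aad||ciphertext||tag; a bad tag raises OSError (EBADMSG)."""
    op.sendmsg_afalg([aad + ct_and_tag], op=socket.ALG_OP_DECRYPT, iv=iv, assoclen=len(aad))
    out = op.recv(len(aad) + len(ct_and_tag))
    return out[len(aad):len(aad) + len(ct_and_tag) - TAG_LEN]


def throughput_mbps(nbytes, seconds):
    """Plaintext bits per second in Mbit/s, the unit the thread quotes VPN rates in."""
    return nbytes * 8 / seconds / 1e6


def benchmark(sizes=(16, 64, 256, 1024, 1400, 8192), seconds=1.0):
    """Encrypt packets of each size for `seconds`; return {size: Mbit/s}.

    Every packet is one sendmsg plus one recv, so the figure includes a
    user/kernel transition per packet that an in-kernel caller does not pay.
    """
    results = {}
    algo, op = open_aead(KEY)
    with algo, op:
        for size in sizes:
            pkt = os.urandom(size)
            counter, done = 0, 0
            t0 = time.perf_counter()
            while time.perf_counter() - t0 < seconds:
                iv = counter.to_bytes(IV_LEN, 'big')   # AEAD needs a fresh nonce per packet
                aead_encrypt(op, iv, AAD, pkt)
                counter += 1
                done += size
            results[size] = throughput_mbps(done, time.perf_counter() - t0)
    return results


def aead_selftest():
    """Round-trip one packet and reject a tampered tag; None if AF_ALG is unusable here."""
    if not afalg_available():
        return None
    try:
        algo, op = open_aead(KEY)
        with algo, op:
            iv = (1).to_bytes(IV_LEN, 'big')
            pt = b'constructed payload ' * 4
            ct = aead_encrypt(op, iv, AAD, pt)
            if len(ct) != len(pt) + TAG_LEN:
                return False
            try:
                aead_decrypt(op, iv, AAD, ct[:-1] + bytes([ct[-1] ^ 0x01]))
                return False                       # a flipped tag bit must not decrypt
            except OSError:
                pass
            return aead_decrypt(op, iv, AAD, ct) == pt
    except OSError:
        return None


if __name__ == '__main__':
    if aead_selftest():
        for size, mbps in benchmark().items():
            print('%5d-byte packets: %8.1f Mbit/s' % (size, mbps))
    else:
        print('AF_ALG %s not usable here' % ALG_NAME)
```

Read the result as a lower bound on what the driver itself can do rather than as a prediction of tunnel throughput: the per-packet syscall pair is overhead ovpn-dco avoids by calling the same transform in-kernel, while the tunnel adds its own packet handling on top. The self-test also confirms that the tag is enforced on the decrypt path, since a flipped tag bit has to fail before any plaintext comes back.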

Re: [Openvpn-devel] [PATCH v2] Retain CAP_NET_ADMIN when dropping privileges

2022-03-31 Thread Jan Just Keijser
Hi, On 30/03/22 22:55, Timo Rothenpieler wrote: --- Using libcap-ng now sorry to butt in late, but I've got a nasty feeling about this... the whole purpose of using --user is, according to the man page --user user Change the user ID of the OpenVPN process to user after

[Openvpn-devel] Switched email addresses

2022-03-09 Thread Jan Just Keijser
warded yet. cheers, JJK / Jan Just Keijser

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.5.5 released

2021-12-15 Thread Jan Just Keijser
On 15/12/21 18:01, Gert Doering wrote: Hi, On Wed, Dec 15, 2021 at 04:30:43PM +, tincantech via Openvpn-users wrote: It seems only fair to warn the OpenVPN community that Version 2.5.5 has had bugs identified. A new release v2.5.6 is planned for the

Re: [Openvpn-devel] NTLMv1, NTLMv2 HTTP proxy support?

2021-12-15 Thread Jan Just Keijser
  "if your local proxy is running unsupported legacy code in an unsecure setup,    then you will have to resort to openvpn 2.4.x " or similar. BTW, do you know who worked on the obfuscation/transport API stuff? Was that David S? cheers, JJK / Jan Ju

Re: [Openvpn-devel] [Openvpn-users] NTLMv1, NTLMv2 HTTP proxy support?

2021-11-11 Thread Jan Just Keijser
Hi Jason, On 09/11/21 09:37, Jason Haar wrote: How about ditching the NTLM and adding HTTPS proxy support instead? ;-) Does the privacy aspect of talking to proxies "properly" of course (Basic is fine over HTTPS) (and accidentally makes

Re: [Openvpn-devel] [PATCH v2 2/2] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-20 Thread Jan Just Keijser
On 20/05/21 23:12, tincantech wrote: [...] So, why switch to .pem when it has never been used before by openvpn? If you are all happy to let it go that way then so-be-it, Hopefully this clarifies things: - the default output format of OpenSSL is PEM-encoded ; openssl uses the default

Re: [Openvpn-devel] [PATCH v2 2/2] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-20 Thread Jan Just Keijser
Hi, On 20/05/21 21:49, tincantech via Openvpn-devel wrote: Hi, again, I do not understand why openvpn choose to switch to .pem for this tutorial.  PEM -> Private Email, which this is not. You have a certificate and a key and every other openvpn tutorial on openvpn and probably the entire

Re: [Openvpn-devel] [PATCH] Allow PKCS#11 uri to be used as --cert and --key file names

2021-05-06 Thread Jan Just Keijser
Hi Selva, On 05/05/21 15:29, Selva Nair wrote: On Wed, May 5, 2021 at 4:00 AM Jan Just Keijser wrote: On 05/05/21 07:18, selva.n...@gmail.com wrote: From: Selva Nair If either --cert or --key is specified as a PKCS#11 uri, try to load the certificate and key from any accessible PKCS#11

Re: [Openvpn-devel] [PATCH] Allow PKCS#11 uri to be used as --cert and --key file names

2021-05-05 Thread Jan Just Keijser
Hi Selva, On 05/05/21 07:18, selva.n...@gmail.com wrote: From: Selva Nair If either --cert or --key is specified as a PKCS#11 uri, try to load the certificate and key from any accessible PKCS#11 device. This does not require linking with any pkcs11 library, but needs pkcs11 engine to be

Re: [Openvpn-devel] [PATCH 2/3] Remove --ncp-disable option

2021-04-09 Thread Jan Just Keijser
Hi Arne, Antonio, On 09/04/21 11:53, Arne Schwabe wrote: On 09.04.21 at 11:24, Jan Just Keijser wrote: On 08/04/21 17:52, Gert Doering wrote: On Thu, Apr 08, 2021 at 05:30:52PM +0200, Jan Just Keijser wrote: I don't have any evidence with 2.5 right now but this is just a matter of use

Re: [Openvpn-devel] [PATCH 2/3] Remove --ncp-disable option

2021-04-09 Thread Jan Just Keijser
Hi, On 08/04/21 17:52, Gert Doering wrote: Hi, On Thu, Apr 08, 2021 at 05:30:52PM +0200, Jan Just Keijser wrote: I don't have any evidence with 2.5 right now but this is just a matter of use/principle to me: I can very well see that I would like to have a setup *without* NCP as I simply do

Re: [Openvpn-devel] [PATCH 2/3] Remove --ncp-disable option

2021-04-08 Thread Jan Just Keijser
On 08/04/21 16:55, Arne Schwabe wrote: On 08.04.21 at 16:36, Jan Just Keijser wrote: Hi, On 08/04/21 16:02, Arne Schwabe wrote: NCP has proven to be stable and apart from the one VPN Provider doing hacky things with homebrewed NCP we have not had any reports about ncp-disable being required

Re: [Openvpn-devel] [PATCH 2/3] Remove --ncp-disable option

2021-04-08 Thread Jan Just Keijser
Hi, On 08/04/21 16:02, Arne Schwabe wrote: NCP has proven to be stable and apart from the one VPN Provider doing hacky things with homebrewed NCP we have not had any reports about ncp-disable being required. Remove ncp-disable to simplify code paths. Note: This patch breaks client without

Re: [Openvpn-devel] is it possible to store saved password in tpm instead of registry ?

2021-01-14 Thread Jan Just Keijser
Hi, On 13/01/21 19:29, Илья Шипицин wrote: Wed, 13 Jan 2021 at 22:01, Jan Just Keijser <janj...@nikhef.nl>: Hi, On 13/01/21 17:20, Илья Шипицин wrote: > Hello, > > if the user saves the password, it might be stolen from a well-known location

Re: [Openvpn-devel] is it possible to store saved password in tpm instead of registry ?

2021-01-13 Thread Jan Just Keijser
Hi, On 13/01/21 17:20, Илья Шипицин wrote: Hello, if the user saves the password, it might be stolen from a well-known location (there are popular password stealers). in theory, is it possible to keep the password in a tpm? will it prevent the password from being stolen? in theory, yes, but as always, it

Re: [Openvpn-devel] wanted: mechanism to send text messages to client

2020-12-23 Thread Jan Just Keijser
On 21/12/20 18:22, Selva Nair wrote: On Mon, Dec 21, 2020 at 2:04 AM Gert Doering wrote: Hi, On Sun, Dec 20, 2020 at 07:31:42PM -0500, Selva Nair wrote: > I thought we already went through this when we discussed the proposed "echo > msg" in

Re: [Openvpn-devel] weird issue with server failover when *Not* using keepalive

2020-12-09 Thread Jan Just Keijser
Hi, On 04/12/20 16:24, Arne Schwabe wrote: If I change the client config to list only a single   remote 1194 udp line then this reconnect behavior does NOT occur ?!?!?!? This might be a bug in the initialisation order. That the ping timer is armed before next_connection_entry is called. If

Re: [Openvpn-devel] [ovpn-dco] AES-CCM available for testing

2020-12-07 Thread Jan Just Keijser
Hi Antonio, On 07/12/20 10:56, Antonio Quartulli wrote: Hi Jan Just, Tony, On 07/12/2020 10:10, Jan Just Keijser wrote: Thank you very much for adding this so quickly; it won't help Tony He though, as he is stuck using a rather old AL314 + R9000 chip which does not support CCM or GCM. I just

Re: [Openvpn-devel] [ovpn-dco] AES-CCM available for testing

2020-12-07 Thread Jan Just Keijser
Hi Antonio, On 06/12/20 17:09, Antonio Quartulli wrote: Hi all, Some people have expressed interest in ovpn-dco supporting AES-CBC. However, since ovpn-dco is currently using the AEAD kernel crypto API only, introducing support for CBC mode would require quite some refactoring and we do not

Re: [Openvpn-devel] weird issue with server failover when *Not* using keepalive

2020-12-04 Thread Jan Just Keijser
Hi, On 04/12/20 15:38, Arne Schwabe wrote: On 04.12.20 at 11:59, Jan Just Keijser wrote: hey guys, I'm posting this on behalf of the eduVPN team. François Kooman spent a long time debugging an issue and finally managed to find the piece of code that causes the weird behavior. Let me explain

[Openvpn-devel] weird issue with server failover when *Not* using keepalive

2020-12-04 Thread Jan Just Keijser
hey guys, I'm posting this on behalf of the eduVPN team. François Kooman spent a long time debugging an issue and finally managed to find the piece of code that causes the weird behavior. Let me explain: For eduVPN, multiple openvpn instances are offered , both on UDP and TCP ports and the

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-12-04 Thread Jan Just Keijser
penssl 1.0.x speed command is screwed up. It will be worthwhile to build openssl 1.1.1 for the AL314 just to see if aes-128-ccm is a viable option or not. JJK Jan Just Keijser <janj...@nikhef.nl> wrote on Fri, 4 Dec 2020 at 17:49: Hi Tony, On 04/12/20 08:41, Tony He wrote:

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-12-04 Thread Jan Just Keijser
sha1's in 3.00s ... type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes sha1 10013.71k 26677.82k 51463.68k 67912.70k 74765.65k Tony Jan Just Keijser <janj...@nikhef.nl> wrote on Wed, 2 Dec 2020 at 23:24: Hi Tony, On 02/12/20 15:51, Jan Just Keijser wrote: On 02/12/20 15:22,

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-12-02 Thread Jan Just Keijser
Hi Tony, On 02/12/20 15:51, Jan Just Keijser wrote: On 02/12/20 15:22, Tony He wrote: Hi Jan, Welcome to join the discussion. >the second set of numbers doesn't make sense, and a much better test is to do an actual encryption test I don't compile cryptodev kernel module for my PC and

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-12-02 Thread Jan Just Keijser
the time to push the work to the kernel and then the HW engine, and the time spent may be longer than the time it takes OpenSSL to do the encryption/decryption directly. Tony Jan Just Keijser <janj...@nikhef.nl> wrote on Wed, 2 Dec 2020 at 19:24: hi Tony, On 01/12/20 02:50, Tony He wrote: Hi

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-12-02 Thread Jan Just Keijser
hi Tony, On 01/12/20 02:50, Tony He wrote: Hi Arne, openssl speed -evp aes-128-cbc type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-128-cbc 20035.60k 123261.54k 267081.60k 1094764.09k 9181370.18k openssl speed -evp aes-128-gcm type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes

[Openvpn-devel] [PATCH] [V5] Added support for DHCP option 119 (dns search suffix, list) for Windows. As of Windows 10 1809 Windows finally supports this so it, makes sense to add support to OpenVPN a

2020-07-14 Thread Jan Just Keijser
Hi, On 11/07/20 12:44, Gert Doering wrote: On Fri, Jul 10, 2020 at 06:42:18PM +0200, Jan Just Keijser wrote: On 08/07/20 10:24, Gert Doering wrote: Can I have a v4, please? :-) V4: Okay, here we go... thanks for the review, I incorporated your suggestions and comments almost verbatim

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-07-10 Thread Jan Just Keijser
Hi all, On 08-Jul-20 10:24, Gert Doering wrote: On Tue, Jul 07, 2020 at 06:14:25PM +0200, Jan Just Keijser wrote: This one works(!), so generally, Win10 accepts this DHCP option - but it seems to want "all domains in one". Can you send a v3? not sure if all went well , but

[Openvpn-devel] [PATCH] [V4] Added support for DHCP option 119 (dns search suffix, list) for Windows. As of Windows 10 1809 Windows finally supports this so it, makes sense to add support to OpenVPN a

2020-07-10 Thread Jan Just Keijser
On 08/07/20 10:24, Gert Doering wrote: Can I have a v4, please? :-) V4: From fe0592df3235f3eb9bc9820586651ba8fc8bade0 Mon Sep 17 00:00:00 2001 From: Jan Just Keijser Date: Fri, 10 Jul 2020 18:40:43 +0200 Subject: [PATCH] Added support for DHCP option 119 (dns search suffix l

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-07-07 Thread Jan Just Keijser
Hi, On 06/07/20 18:15, Gert Doering wrote: Hi, On Tue, Jun 30, 2020 at 04:15:58PM +0200, Jan Just Keijser wrote: On 30/06/20 16:11, Gert Doering wrote: On Tue, Jun 30, 2020 at 04:07:52PM +0200, Jan Just Keijser wrote: @@ -5697,6 +5740,11 @@ build_dhcp_options_string(struct buffer *buf

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-07-03 Thread Jan Just Keijser
Hi, On 03/07/20 11:18, Arne Schwabe wrote: The main purpose of that RFC is to ensure we handle DNS and --dhcp-options consistently across all OpenVPN implementations we care about, and that we document this properly. I see one as an implementation issue (can we specify a particular DHCP

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-07-03 Thread Jan Just Keijser
Hi, On 02/07/20 23:04, David Sommerseth wrote: On 30/06/2020 16:15, Jan Just Keijser wrote: hi, On 30/06/20 16:11, Gert Doering wrote: Hi, On Tue, Jun 30, 2020 at 04:07:52PM +0200, Jan Just Keijser wrote: @@ -5697,6 +5740,11 @@ build_dhcp_options_string(struct buffer *buf, const struct

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-06-30 Thread Jan Just Keijser
hi, On 30/06/20 16:11, Gert Doering wrote: Hi, On Tue, Jun 30, 2020 at 04:07:52PM +0200, Jan Just Keijser wrote: @@ -5697,6 +5740,11 @@ build_dhcp_options_string(struct buffer *buf, const struct tuntap_options *o) write_dhcp_u32_array(buf, 42, (uint32_t *)o->ntp, o->n

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-06-30 Thread Jan Just Keijser
e48797ba76698 Mon Sep 17 00:00:00 2001 From: Jan Just Keijser Date: Tue, 30 Jun 2020 15:52:58 +0200 Subject: [PATCH] Added support for DHCP option 119 (dns search suffix list) for Windows. As of Windows 10 1809 Windows finally supports this so it makes sense to add support to OpenVPN as well. Signed

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-06-23 Thread Jan Just Keijser
Just Keijser wrote: So, for what it's worth, I've dusted off the patch again and rebased it to the current openvpn master tree. See attached. Note that I did only rudimentary testing, as I don't use Windows 10 a lot and I was testing using a mingw cross-compile only. In wireshark I *do* see

Re: [Openvpn-devel] [PATCH v2 4/5] Implement sending SSO challenge to clients

2020-05-15 Thread Jan Just Keijser
On 15/05/20 17:40, David Sommerseth wrote: On 15/05/2020 17:36, David Sommerseth wrote: On 09/11/2019 16:13, Arne Schwabe wrote: This implements sending AUTH_PENDING and INFO_PRE messages to clients that indicate that the clients should be continue authentication with a second factor. This can

Re: [Openvpn-devel] [Openvpn-users] new openssl = new OpenVPN release ?

2020-04-22 Thread Jan Just Keijser
Hi Arne, On 22/04/20 10:13, Arne Schwabe wrote: SSL_check_chain() function". Which we don't, I just grepped through our source tree. So, unless I misunderstand something about OpenSSL intricacies, I think we're safe - no new installers needed, and OpenVPN is not in risk. the advisory

Re: [Openvpn-devel] [Openvpn-users] new openssl = new OpenVPN release ?

2020-04-22 Thread Jan Just Keijser
Hi Gert, On 21/04/20 20:59, Gert Doering wrote: Hi, On Tue, Apr 21, 2020 at 08:37:35PM +0200, Gert Doering wrote: On Tue, Apr 21, 2020 at 02:15:43PM -0400, mike tancsa wrote:     Will the sec issue with OpenSSL force a new release of OpenVPN ?

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-03-05 Thread Jan Just Keijser
Hi all, On 05/03/20 13:53, Jan Just Keijser wrote: Hi, On 01/03/20 16:29, Selva Nair wrote: On Sun, Mar 1, 2020 at 2:17 AM Gert Doering wrote: On Sun, Mar 01, 2020 at 05:37:15AM +, Leroy Tennison via Openvpn-users wrote: Admittedly, and older server version (2.3) but is there a way

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-03-05 Thread Jan Just Keijser
that I did not fully implement the RFC3397 encoding of the search list, as that requires one to merge domain names that occur more than once - that would have made the code far more complicated. share and enjoy, JJK From a969947cd86292c881f7cc1c704ac992e8f6f0d6 Mon Sep 17 00:00:00 2001 F
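The message says the patch leaves out the RFC 3397 step that merges domain names sharing a suffix. As an added example (not the patch's code and not OpenVPN's), here is the complete option 119 encoding in Python: names in RFC 1035 wire form, a 2-byte pointer replacing any suffix already emitted earlier in the list, the result split into DHCP TLVs of at most 255 bytes, and a decoder that refuses forward pointers so a hostile option cannot send it into a loop. `compress=False` yields the uncompressed form a patch without the merge step would send. The two domains in the test are the worked example from RFC 3397 itself; the `d0..d49` list is constructed to force a split across two TLVs.

```python
"""RFC 3397 DHCP option 119 (Domain Search) encoder/decoder with name compression.

Added example, not code from the OpenVPN patch discussed in this thread.
"""
import struct

OPTION_DOMAIN_SEARCH = 119
MAX_OPTION_LEN = 255       # one DHCP option carries at most 255 payload bytes
MAX_LABEL_LEN = 63


def encode_search_list(domains, compress=True):
    """Encode search domains in RFC 1035 wire format.

    With compress=True a suffix already emitted earlier in the list is replaced
    by a pointer (0xC000 | offset); compress=False always spells names out.
    """
    out = bytearray()
    suffix_offsets = {}
    for domain in domains:
        labels = tuple(domain.strip('.').lower().split('.'))
        if labels == ('',):
            continue
        i = 0
        while i < len(labels):
            suffix = labels[i:]
            if compress and suffix in suffix_offsets:
                out += struct.pack('!H', 0xC000 | suffix_offsets[suffix])
                break                       # a pointer ends the name, no root label follows
            if len(out) < 0x4000:           # pointers address 14 bits
                suffix_offsets[suffix] = len(out)
            label = labels[i].encode('ascii')
            if not 1 <= len(label) <= MAX_LABEL_LEN:
                raise ValueError('bad label %r in %r' % (labels[i], domain))
            out.append(len(label))
            out += label
            i += 1
        else:
            out.append(0)                   # root label ends an uncompressed name
    return bytes(out)


def decode_search_list(data):
    """Inverse of encode_search_list; rejects forward pointers, so it cannot loop."""
    domains = []
    pos = 0
    while pos < len(data):
        labels = []
        p = pos
        next_pos = None                     # start of the next name, fixed at first pointer/terminator
        while True:
            if p >= len(data):
                raise ValueError('truncated name at offset %d' % p)
            length = data[p]
            if length & 0xC0 == 0xC0:
                if p + 1 >= len(data):
                    raise ValueError('truncated pointer at offset %d' % p)
                target = struct.unpack('!H', data[p:p + 2])[0] & 0x3FFF
                if target >= p:
                    raise ValueError('pointer at %d does not point backwards' % p)
                if next_pos is None:
                    next_pos = p + 2
                p = target                  # strictly decreasing, hence guaranteed to terminate
                continue
            if length & 0xC0:
                raise ValueError('reserved label type at offset %d' % p)
            if length == 0:
                if next_pos is None:
                    next_pos = p + 1
                break
            if p + 1 + length > len(data):
                raise ValueError('label overruns option at offset %d' % p)
            labels.append(data[p + 1:p + 1 + length].decode('ascii'))
            p += 1 + length
        domains.append('.'.join(labels))
        pos = next_pos
    return domains


def build_option_119(domains):
    """Split the encoded list into option-119 TLVs of at most 255 payload bytes each."""
    payload = encode_search_list(domains)
    tlvs = bytearray()
    for i in range(0, len(payload), MAX_OPTION_LEN):
        chunk = payload[i:i + MAX_OPTION_LEN]
        tlvs += bytes([OPTION_DOMAIN_SEARCH, len(chunk)]) + chunk
    return bytes(tlvs)


def parse_option_119(tlvs):
    """Concatenate the payloads of every option-119 TLV (RFC 3397 s.2), then decode."""
    payload = bytearray()
    i = 0
    while i + 1 < len(tlvs):
        code, length = tlvs[i], tlvs[i + 1]
        if code == OPTION_DOMAIN_SEARCH:
            payload += tlvs[i + 2:i + 2 + length]
        i += 2 + length
    return decode_search_list(bytes(payload))
```

The receive side is where care matters: a pointer that points forward or at itself is the classic way to make a naive RFC 1035 decoder spin, so the decoder only follows pointers to earlier offsets, which makes the walk strictly decreasing and therefore finite.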

Re: [Openvpn-devel] [PATCH v2 1/7] Visual Studio: upgrade project files to VS2019

2019-11-07 Thread Jan Just Keijser
Last version of openvpn for xp/Vista is 2.3, so dropping support for it in the build system is a no brainer to me. JM2CW, JJK Gert Doering wrote: >Hi, > >On Thu, Nov 07, 2019 at 07:28:36PM +0100, Lev Stipakov wrote: >> With VS2019 you cannot build for XP, you would need to install build

Re: [Openvpn-devel] Tap-windows6 test installer with PRs #84 and #86

2019-10-25 Thread Jan Just Keijser
Hi, On 23/10/19 13:20, Samuli Seppänen wrote: On 23/10/19 14:19, Samuli Seppänen wrote: Hi, Here is a new Windows 10 / Server 2016+ tap-windows6 installer. It is based on the latest code in "master" plus two currently unmerged PRs: "Introduce TAP adapter as a virtual device"

Re: [Openvpn-devel] Wintun performance results

2019-05-16 Thread Jan Just Keijser
Hi David, On 15/05/19 19:32, David Sommerseth wrote: On 15/05/2019 16:49, Илья Шипицин wrote: it will most probably get lost in mailing list. can we add it to https://openvpn.net website ? something like "performance testing" with full configs provided ? Good idea, but maybe not the

Re: [Openvpn-devel] Client reconnect issues

2019-04-26 Thread Jan Just Keijser
Hi Antonio, On 26/04/19 16:02, Antonio Quartulli wrote: Hi, On 26/04/2019 15:57, Jan Just Keijser wrote: I'd look into the way session tickets are configured and used in mbedtls, e.g. read up on https://tls.mbed.org/discussions/generic/what-is-the-correct-way-to-use-session-tickets

Re: [Openvpn-devel] Client reconnect issues

2019-04-26 Thread Jan Just Keijser
Hi Pieter, On 26/04/19 15:32, Pieter Hulshoff wrote: Gert, On Fri 19 Apr 2019 at 13:38, Pieter Hulshoff wrote: I've been looking at https://community.openvpn.net/openvpn/ticket/880 for a while now, and was wondering if there'd been any

Re: [Openvpn-devel] Issue with smartcard authentication for openvpn

2019-04-19 Thread Jan Just Keijser
Hi Selva, On 17/04/19 17:52, Selva Nair wrote: On Wed, Apr 17, 2019 at 10:50 AM Jan Just Keijser <janj...@nikhef.nl> wrote: On 10/04/19 19:09, Selva Nair wrote: On Wed, Apr 10, 2019 at 12:59 PM Jan Just Keijser <janj...@nikhef.nl> wr

Re: [Openvpn-devel] Issue with smartcard authentication for openvpn

2019-04-17 Thread Jan Just Keijser
Hi Selva, On 10/04/19 19:09, Selva Nair wrote: On Wed, Apr 10, 2019 at 12:59 PM Jan Just Keijser <janj...@nikhef.nl> wrote: On 10/04/19 17:58, Selva Nair wrote: Hi, This is more relevant to OpenVPN than OpenSSL, so copying to the openvpn-devel list.

Re: [Openvpn-devel] openvpn with udp lost event.

2019-04-17 Thread Jan Just Keijser
On 15/04/19 14:29, wei wang wrote: Hi, The function multi_process_io_udp receives many events, but only processes one at a time. Does it cause the event to be lost? yes it does. In our test, we had created thousands of clients. When clients connect to the server at the same time, for the clients which

Re: [Openvpn-devel] Why does the tun-mtu default to 1500 bytes?

2019-04-17 Thread Jan Just Keijser
Hi Marcus, On 17/04/19 00:11, Marcus Wichelmann wrote: Hello, I'm wondering what the reason is that OpenVPN Community sets the default TUN-MTU to 1500 bytes, as seen here: https://github.com/OpenVPN/openvpn/blob/ed31cf2ab718d879615dea81e6a17d26537ab43a/src/openvpn/mtu.h#L70 In my

Re: [Openvpn-devel] Issue with smartcard authentication for openvpn

2019-04-10 Thread Jan Just Keijser
On 10/04/19 17:58, Selva Nair wrote: Hi, This is more relevant to OpenVPN than OpenSSL, so copying to the openvpn-devel list. On Wed, Apr 10, 2019 at 10:11 AM Francois Gelis <francois.ge...@gmail.com> wrote: Hi all, I have a working openvpn setup with client certificate

Re: [Openvpn-devel] New tap-windows6 driver for Windows 7/8/8.1/Server 2012r2 ready for testing

2019-04-08 Thread Jan Just Keijser
Hi Samuli, On 05/04/19 16:00, Samuli Seppänen wrote: Hi, A new pre-release tap-windows6 driver (9.23.1) is available for testing. It should work on Windows 7/8/8.1/Server 2012r2. It _will not_ work on Windows 10 or Windows Server 2016/2019. The driver includes several new features such as

Re: [Openvpn-devel] Summary of the community meeting (Wed, 12th Mar 2019)

2019-03-13 Thread Jan Just Keijser
Hi Samuli, On 13/03/19 13:00, Samuli Seppänen wrote: Hi, Here's the summary of the IRC meeting. Talked about release OpenVPN 2.x Windows installers with OpenSSL 1.1.1. Agreed that this makes sense as people (on forums for example) already take 2.4.x and replace the OpenSSL libraries

Re: [Openvpn-devel] Summary of the community meeting (Wed, 19th Dec 2018)

2018-12-19 Thread Jan Just Keijser
Hi list, as a follow-up to the discussion we had in the community meeting: (13:38:08) dazo: janjust: if you get a chance to verify whether using non-ncp-listed cipher works with ccd, that's a good detail to know the answer is: yes and no ;) Yes, it is possible to specify a *NEW* list of ncp

Re: [Openvpn-devel] Summary of the community meeting (Wed, 28th Nov 2018)

2018-12-04 Thread Jan Just Keijser
Hi Lev, On 29/11/18 16:18, Lev Stipakov wrote: Some background information. In openvpn3 we decided not to implement fragments, because:  - this is quite a big feature which has to be supported through the whole stack (client, server, kernel module)  - we assume that it is not used by most

Re: [Openvpn-devel] Summary of the community meeting (Wed, 28th Nov 2018)

2018-11-30 Thread Jan Just Keijser
inside the tunnel only, and only for TCP connections. It does not depend on the outside protocol (UDP or TCP). I fully agree that having PMTUD would be nice to have, but even that has its drawbacks... JM2CW, JJK -Original Message- From: Jan Just Keijser [mailto:janj...@nikhef.nl] Sent

Re: [Openvpn-devel] Summary of the community meeting (Wed, 28th Nov 2018)

2018-11-30 Thread Jan Just Keijser
Hi Lev, Simon, On 30/11/18 07:10, Simon Matter wrote: Hi Jan Just, (forgot to add openvpn-devel in previous mail) Some background information. In openvpn3 we decided not to implement fragments, because: - this is quite a big feature which has to be supported through the whole stack

Re: [Openvpn-devel] Summary of the community meeting (Wed, 28th Nov 2018)

2018-11-29 Thread Jan Just Keijser
Hi, On 29/11/18 09:03, Samuli Seppänen wrote: [...] Had a discussion about --fragment. Agreed that if we can fix internal fragmentation without needing a change in frame format then we can definitely deprecate --fragment in the long-term. Also noted that lack of tun-mtu support on Windows

Re: [Openvpn-devel] foreign_option_2 not set in 2.4

2018-11-22 Thread Jan Just Keijser
Hi, On 22/11/18 15:43, Arne Schwabe wrote: On 22.11.18 at 14:46, Cyril Scetbon wrote: OpenVPN 2.4.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 8 2018 Output with --verb 4 https://pastebin.com/huQmnGaU Read your log closer. This is not a

Re: [Openvpn-devel] Adding Google Analytics code to Trac?

2018-10-24 Thread Jan Just Keijser
Hi, On 24/10/18 13:47, Samuli Seppänen wrote: Hi, The OpenVPN Inc. webmaster would like to add Google Analytics to community.openvpn.net, i.e. our Trac wiki/bug tracker. I said we need to consult the community first because GA can be seen as a form of spying. Here's our webmaster's view on

Re: [Openvpn-devel] [Openvpn-users] disabling compression on the fly?

2018-10-09 Thread Jan Just Keijser
Hi Ralf, On 09/10/18 13:35, Ralf Hildebrandt wrote: Currently we're suppling our user with a charite.ovpn File containing: ... compress lzo ... In some cases, we're overriding this on the server side by using: if (defined $ENV{'IV_LZ4'}) { $logger->info("$username lz4: available");

Re: [Openvpn-devel] [PATCH v2] Fix typo in IPv6 address in comment.

2018-07-16 Thread Jan Just Keijser
Hi Gert, On 15/07/18 22:43, Gert Doering wrote: Comment talks about ff02::1::ff00:8, correct address is ff02::1:ff00:8, and about fe80::1 where fe80::8 is the proper magic number. thanks for this patch! What the CVE for this ?  when do we get an emergency patch? will this change be

Re: [Openvpn-devel] Does the OpenVPN protocol itself handle windowing?

2018-06-05 Thread Jan Just Keijser
Following up on myself On 05/06/18 14:25, Jan Just Keijser wrote: On 01/06/18 02:50, Derek Zimmer wrote: I'm still working on this, as I think it is worthwhile for us to explore and get some hard data on how all of these things perform in a real world environment. I've been stalled

Re: [Openvpn-devel] Does the OpenVPN protocol itself handle windowing?

2018-06-05 Thread Jan Just Keijser
if you want to work together on this. HTH, JJK / Jan Just Keijser On Sun, May 6, 2018 at 8:04 AM, Steffan Karger <stef...@karger.me> wrote: Hi, On 04-05-18 17:45, Jan Just Keijser wrote: > On 04/05/18 16:41, Derek Zimmer wrote: >> What conclusio

Re: [Openvpn-devel] [PATCH 1/2] make tls-auth a per-connection-block option

2018-06-04 Thread Jan Just Keijser
Hi, On 04/06/18 09:15, Gert Doering wrote: On Mon, Jun 04, 2018 at 09:10:23AM +0200, Jan Just Keijser wrote: What's the particular use case for putting tls-auth files in connection blocks? "I have one existing server that is not using tls-auth yet, and a new one that has tls-auth, and I

Re: [Openvpn-devel] [PATCH 1/2] make tls-auth a per-connection-block option

2018-06-04 Thread Jan Just Keijser
Hi Antonio, On 04/06/18 04:15, Antonio Quartulli wrote: Hi all, On 02/06/18 11:42, Antonio Quartulli wrote: Different VPN servers may use different tls-auth keys. For this reason it is convenient to make tls-auth a per-connection-block option so that the user is allowed to specify one key per

Re: [Openvpn-devel] [PATCH] Support fingerprint authentication

2018-05-28 Thread Jan Just Keijser
Hi all, On 25/05/18 22:56, Simon Rozman wrote: JJK, I think you are misreading this proposal. No hash is being sent as a part of the handshake -- it's still client and server certificates that are exchanged and checked during handshake. The hash is exchanged by a separate channel (say snail

Re: [Openvpn-devel] [PATCH] Support fingerprint authentication

2018-05-25 Thread Jan Just Keijser
Hi Selva, On 25/05/18 16:07, Selva Nair wrote: On Fri, May 25, 2018 at 9:51 AM, Jan Just Keijser <janj...@nikhef.nl> wrote: On 25/05/18 03:41, Simon Rozman wrote: Private and public key are still used. The patch stil uses certificates and TLS, it only replaces the check certi

Re: [Openvpn-devel] [PATCH] Support fingerprint authentication

2018-05-25 Thread Jan Just Keijser
Hi, On 25/05/18 03:41, Simon Rozman wrote: Private and public key are still used. The patch stil uses certificates and TLS, it only replaces the check certificate of the peer's certificate against the CA with a hash check (certificate pinning if you want). So basically instead of saying that
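Simon describes the proposal as replacing the CA check with a hash check on the peer certificate. As an added example (not the patch's code and not OpenVPN's), here is what that check amounts to in Python: SHA-256 over the DER encoding of the certificate, written in the colon-separated form that `openssl x509 -noout -fingerprint -sha256` prints (and that OpenVPN's later `--peer-fingerprint` option takes), compared in constant time against a pinned list. The PEM blob is a constructed stand-in whose body is the three bytes "abc", chosen so the expected digest is the published SHA-256 test vector; it is not a real certificate, but the fingerprint computation is the same for one.

```python
"""SHA-256 certificate fingerprint check: the "hash check" that stands in for
CA verification in the fingerprint-authentication proposal.

Added example; not code from the patch or from OpenVPN. SAMPLE_PEM is a
constructed stand-in whose DER body is b"abc", so its digest is the published
SHA-256 test vector; it is not a real certificate.
"""
import base64
import hashlib
import hmac
import re

_PEM_BLOCK = re.compile(r'-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', re.S)

# Constructed: base64("abc") in PEM armour, standing in for a peer certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""
# SHA-256("abc"), in the layout `openssl x509 -noout -fingerprint -sha256` prints.
SAMPLE_FINGERPRINT = ('BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:'
                      'B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD')


def pem_to_der(pem):
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = _PEM_BLOCK.search(pem)
    if not match:
        raise ValueError('no CERTIFICATE block found')
    return base64.b64decode(''.join(match.group(1).split()), validate=True)


def sha256_fingerprint(der):
    """Colon-separated upper-case hex of SHA-256 over the DER encoding."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ':'.join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint):
    """Accept 'SHA256 Fingerprint=AB:CD..', 'ab:cd..' or bare hex; return 64 upper hex chars."""
    value = fingerprint.strip().upper()
    if '=' in value:
        value = value.split('=', 1)[1]
    value = value.replace(':', '').replace(' ', '')
    if len(value) != 64 or value.strip('0123456789ABCDEF'):
        raise ValueError('not a SHA-256 fingerprint: %r' % fingerprint)
    return value


def peer_allowed(peer_pem, pinned):
    """True iff the peer certificate's SHA-256 matches one pinned fingerprint.

    Every pin is compared in constant time and the loop never short-circuits,
    so timing does not reveal which pin (if any) matched. Nothing else about
    the certificate (validity period, chain, revocation) is checked here;
    that is the trade-off of pinning: rotating the peer certificate means
    updating every pinned copy.
    """
    actual = normalize(sha256_fingerprint(pem_to_der(peer_pem)))
    matched = False
    for pin in pinned:
        matched |= hmac.compare_digest(actual, normalize(pin))
    return matched
```

Pinning the hash of the whole certificate, rather than of the public key, means the pin changes whenever the certificate is reissued even if the key stays the same; that is what makes the "separate channel" Simon mentions an operational cost at every renewal.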

Re: [Openvpn-devel] [PATCH] Support fingerprint authentication

2018-05-23 Thread Jan Just Keijser
Hi Arne, On 23/05/18 16:46, Arne Schwabe wrote: I have some strong thoughts on this, mostly related to:  can someone explain to me why this is safe? I've seen that OpenSSH 7.7 now implements something similar (xmss hash-based signatures,

Re: [Openvpn-devel] [PATCH] Support fingerprint authentication

2018-05-23 Thread Jan Just Keijser
Hi Steffan, On 17/05/18 20:31, Steffan Karger wrote: Hi Jason, [ Dumping my thoughts so this doesn't remain completely unanswered for even longer. ] On 17-04-18 18:50, Jason A. Donenfeld wrote: OpenVPN traditionally works around CAs. However many TLS-based protocols also allow an alternative

Re: [Openvpn-devel] Minimum Linux Version for OpenVPN 2.4.x

2018-05-23 Thread Jan Just Keijser
Hi, On 22/05/18 22:47, Gert Doering wrote: On Tue, May 22, 2018 at 09:10:10PM +0200, David Sommerseth wrote: On 22/05/18 19:32, Marvin wrote: Can someone tell me the minimum Linux version that OpenVPN 2.4.x will build and run on?  We have an older appliance the runs on an older 2.4.31 kernel

Re: [Openvpn-devel] Does the OpenVPN protocol itself handle windowing?

2018-05-04 Thread Jan Just Keijser
% or less. cheers, JJK On Fri, May 4, 2018 at 10:45 AM, Jan Just Keijser <janj...@nikhef.nl> wrote: Hi, see some comments inline On 04/05/18 16:41, Derek Zimmer wrote: Hello everyone, Derek from OSTIF here. I've been working

Re: [Openvpn-devel] Does the OpenVPN protocol itself handle windowing?

2018-05-04 Thread Jan Just Keijser
Hi, see some comments inline On 04/05/18 16:41, Derek Zimmer wrote: Hello everyone, Derek from OSTIF here. I've been working with OpenVPN for a few years and there's a few curious performance anomalies that i've ran into that add up to a possible performance opportunity. My experience lies

Re: [Openvpn-devel] aes-gcm and iperf on Windows

2018-03-29 Thread Jan Just Keijser
Hi, (renamed the topic to reflect what it's about) On 27/03/18 01:09, fragmentux wrote: I am not convinced 'iperf -r' is reliable (bold claim maybe .. ) iperf3 have dropped -r in favour of -R "reverse mode" server sends and client receives. but not both on the same run .. After numerous

Re: [Openvpn-devel] Summary of the community meeting (Wed, 21st Mar 2018)

2018-03-22 Thread Jan Just Keijser
Hi Selva, On 22/03/18 18:12, Selva Nair wrote: On Thu, Mar 22, 2018 at 12:16 PM, Jan Just Keijser <janj...@nikhef.nl> wrote: Hi Eric, all, On 22/03/18 04:25, Eric Thorpe wrote: Hi All, One of the Viscosity developers here. The TAP driver used by Viscosity is based on the OpenVPN TAP-W

Re: [Openvpn-devel] [PATCH v3] Use lowest metric interface when multiple interfaces match a route

2018-01-26 Thread Jan Just Keijser
Hi, On 26/01/18 16:26, Selva Nair wrote: On Fri, Jan 26, 2018 at 10:20 AM, Jan Just Keijser <janj...@nikhef.nl> wrote: On 26-Jan-18 16:08, Selva Nair wrote: arrrgh, the important line is missing: ERROR: Windows route add ipv6 command failed: returned error code 1 Gert has exp

Re: [Openvpn-devel] [PATCH v3] Use lowest metric interface when multiple interfaces match a route

2018-01-26 Thread Jan Just Keijser
Hi Selva, On 26-Jan-18 16:08, Selva Nair wrote: On Fri, Jan 26, 2018 at 8:23 AM, Jan Just Keijser <janj...@nikhef.nl> wrote: On 26/01/18 14:11, Jan Just Keijser wrote: the patch works as expected but I did notice something in the openvpn log : Fri Jan 26 14:08:09 2018 do_ifconf

Re: [Openvpn-devel] [PATCH v3] Use lowest metric interface when multiple interfaces match a route

2018-01-26 Thread Jan Just Keijser
On 26/01/18 14:11, Jan Just Keijser wrote: the patch works as expected but I did notice something in the openvpn log : Fri Jan 26 14:08:09 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=1 Fri Jan 26 14:08:10 2018 NETSH: C:\Windows\system32\netsh.exe interface ipv6 set address interface=17 2

Re: [Openvpn-devel] [PATCH v3] Use lowest metric interface when multiple interfaces match a route

2018-01-26 Thread Jan Just Keijser
return value with TUN_ADAPTER_INDEX_INVALID in windows_route_find_if_index() if multiple interfaces match a route. (ii) Select the interface with lowest metric in adapter_index_of_ip() instead of the first one found when multiple interfaces match. Reported by Jan Just Keijser <janj...@nik

Re: [Openvpn-devel] [PATCH v3] Use lowest metric interface when multiple interfaces match a route

2018-01-26 Thread Jan Just Keijser
Works as expected. Tested-by: Jan Just Keijser <janj...@nikhef.nl> On 24/01/18 18:31, selva.n...@gmail.com wrote: From: Selva Nair <selva.n...@gmail.com> Currently a route addition using IPAPI or service is skipped if the route gateway is reachable by multiple interfaces.

Re: [Openvpn-devel] OVPN vs IPSec performance as a transport

2018-01-06 Thread Jan Just Keijser
On 05/01/18 00:52, Tom Kunz wrote: That would explain it if it always worked that way. But I can get 400%+ wire speed from A to B with compressible data, and 102% with incompressible data. If I do the same test from B to A or A to B, I get those results. If I hop off of that to C, speed goes

[Openvpn-devel] Possible bug: AEAD Decrypt error: cipher final failed

2017-11-03 Thread Jan Just Keijser
hi all, whilst testing some new hardware with OpenVPN I ran into the following messages which keep popping up from time to time:  AEAD Decrypt error: cipher final failed Config: server running OpenVPN 2.4.3, basic config, Ubuntu 17, kernel 4.14, openssl 1.0.2g client running OpenVPN 2.4.4,

Re: [Openvpn-devel] [PATCH 0/1] add engine keys keys

2017-10-31 Thread Jan Just Keijser
Hi James, On 30/10/17 15:09, James Bottomley wrote: On Sun, 2017-10-29 at 17:03 -0400, Selva wrote: On Sun, Oct 29, 2017 at 12:04 PM, James Bottomley wrote: On Sun, 2017-10-29 at 16:24 +0100, Gert Doering wrote: On Sat, Oct 28, 2017 at 01:02:27PM

Re: [Openvpn-devel] proper configuring of "tls-verify"

2017-09-11 Thread Jan Just Keijser
Hi, On 11/09/17 13:22, Илья Шипицин wrote: Hello, is someone actually using "tls-verify" in production ? we tried to implement an additional certificate check using tls-verify. while it works in general, in the case when it hits "exit 1", it looks like a timeout from the client's point of view. it is not

[Openvpn-devel] how to roll your own OpenVPN Windows installer

2017-09-08 Thread Jan Just Keijser
hi dev list, someone asked me this question: how can one roll their own Windows OpenVPN installer, including a signed TAP driver? There's no need to rebuild OpenVPN or the TAP driver, but they do need to include other things, such as certificates, config files etc. Is there a way to

Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-17 Thread Jan Just Keijser
On 17/07/17 14:14, Gert Doering wrote: Hi, On Mon, Jul 17, 2017 at 02:10:11PM +0200, Jan Just Keijser wrote: this problem is NOT present in OpenVPN 2.3.17; the same warning appears (route gateway is ambiguous) but the route is added anyway. This seems to be a regression in 2.4. Can we have

Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-17 Thread Jan Just Keijser
Follow-up: this problem is NOT present in OpenVPN 2.3.17; the same warning appears (route gateway is ambiguous) but the route is added anyway. This seems to be a regression in 2.4. JJK On 17/07/17 14:01, Jan Just Keijser wrote: Hi all, On 17/07/17 12:34, Samuli Seppänen wrote: On 15/07

Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-17 Thread Jan Just Keijser
Hi all, On 17/07/17 12:34, Samuli Seppänen wrote: On 15/07/2017 00:43, Jan Just Keijser wrote: Hi Samuli, On 14/07/17 16:07, Samuli Seppänen wrote: Hi all, Those of you who use pkcs11 on Windows: could you please test this new Windows installer: <http://build.openvpn.net/downloads/relea

Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-14 Thread Jan Just Keijser
Hi Samuli, On 14/07/17 16:07, Samuli Seppänen wrote: Hi all, Those of you who use pkcs11 on Windows: could you please test this new Windows installer: The previous installer(s) had pkcs11-helper 1.11. This one has

Re: [Openvpn-devel] Bug or Feature? Username in environment in auth-user-pass-verify

2017-06-16 Thread Jan Just Keijser
Hi Gert et al, On 15/06/17 09:47, Gert Doering wrote: Hi, On Thu, Jun 15, 2017 at 12:50:40PM +1000, Steven Haigh wrote: I'm just trying to figure out if its expected behaviour to have the 'username' set in the environment when using the auth-user-pass-verify script. The code in question

Re: [Openvpn-devel] Upgrading EasyRSA 2's defaults

2017-04-04 Thread Jan Just Keijser
Hi David, On 03/04/17 22:43, David Sommerseth wrote: On 03/04/17 16:12, Jan Just Keijser wrote: On 03/04/17 15:53, Samuli Seppänen wrote: On 02/04/2017 10:57, Steffan Karger wrote: Hi, On 31-03-17 22:34, David Sommerseth wrote: On 31/03/17 10:56, Илья Шипицин wrote: 2017-03-31 13:26 GMT

Re: [Openvpn-devel] Upgrading EasyRSA 2's defaults

2017-04-03 Thread Jan Just Keijser
Hi Samuli, On 03/04/17 15:53, Samuli Seppänen wrote: > On 02/04/2017 10:57, Steffan Karger wrote: >> Hi, >> >> On 31-03-17 22:34, David Sommerseth wrote: >>> On 31/03/17 10:56, Илья Шипицин wrote: 2017-03-31 13:26 GMT+05:00 Samuli Seppänen

Re: [Openvpn-devel] [PATCH] Allow "setenv opt" to be pushed from server to client

2016-10-29 Thread Jan Just Keijser
Hi, On 28/10/16 19:50, Selva Nair wrote: Hi, On Fri, Oct 28, 2016 at 6:27 AM, Jan Just Keijser <janj...@nikhef.nl> wrote: --- src/openvpn/options.c | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) As Arne pointed out

Re: [Openvpn-devel] [PATCH] Allow "setenv opt" to be pushed from server to client

2016-10-28 Thread Jan Just Keijser
Hi Arne, On 28/10/16 13:08, Arne Schwabe wrote: > Hm, > > > I would like to see a rationale why this is needed. The client will > already only warn on unsupported options. Your patch would make push > "setenv opt unsupported" similar to "push unsupported". the rationale behind this is based on an

[Openvpn-devel] [PATCH] Allow "setenv opt" to be pushed from server to client

2016-10-28 Thread Jan Just Keijser
--- src/openvpn/options.c | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 281ef0b..dbb926d 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -5616,7 +5616,14 @@ add_option (struct options *options,

Re: [Openvpn-devel] p2p topology on Windows

2016-09-30 Thread Jan Just Keijser
Hi David, On 26/09/16 14:08, David Woodhouse wrote: > On Mon, 2016-09-26 at 13:34 +0200, Jan Just Keijser wrote: >> this sounds like a typical use case for "assign a public IP address". >> This is already possible with topology subnet and some special config >>

Re: [Openvpn-devel] p2p topology on Windows

2016-09-26 Thread Jan Just Keijser
Hi David, On 25/09/16 17:31, David Woodhouse wrote: > On Sun, 2016-09-25 at 16:40 +0200, Jan Just Keijser wrote: >> thanks for clarifying - but with OpenVPN 2.4 the default topology mode >> will be 'subnet topology', in which we also assign a single IP address &g

Re: [Openvpn-devel] p2p topology on Windows

2016-09-25 Thread Jan Just Keijser
Hi David, On 24/09/16 01:21, David Woodhouse wrote: > On Sat, 2016-09-24 at 00:01 +0200, Jan Just Keijser wrote: >> sorry for asking, but what's the use case for this? > The use case for point-to-point? It allows you to use a single IP > address per client instead of having to se
