[Openvpn-devel] TAP driver & NDIS 6.3

2013-04-27 Thread Jan Just Keijser
yo list, did anybody see this post on the forum https://forums.openvpn.net/topic12455.html "Current windows TAP driver 9.9.2 uses NDIS API version 5.0. This is fine for desktop Windows including Windows 8, but the driver sources cannot be recompiled for Windows RT. Windows RT requires NDIS

[Openvpn-devel] forum topic12703: cross compile problem with crypto-library=polarssl

2013-04-22 Thread Jan Just Keijser
hi *, particularly Adriaan, can someone take a look at https://forums.openvpn.net/topic12703.html subject: cross compile problem with crypto-library=polarssl thx, JJK

Re: [Openvpn-devel] [PATCH] Add auto value to pkcs11-id parameter

2013-02-22 Thread Jan Just Keijser
Chris J Arges wrote: This patch allows one to specify --pkcs11-id auto to automatically select the first certificate on a pkcs11 device. This simplifies scripts and usage in environments where clients may only use a single certificate for connecting to a VPN. Based on a patch by Oliver

Re: [Openvpn-devel] option --crl-verify PATH dir

2013-02-05 Thread Jan Just Keijser
Adriaan de Jong wrote: -Original Message- From: David Sommerseth [mailto:openvpn.l...@topphemmelig.net] Sent: zondag 3 februari 2013 15:52 To: Jan Just Keijser Cc: openvpn-devel@lists.sourceforge.net Subject: Re: [Openvpn-devel] option --crl-verify PATH dir On 03/02/13 12:02, Jan Just

Re: [Openvpn-devel] [PATCH 1/7] refine assertion to allow other modes than CBC

2013-02-03 Thread Jan Just Keijser
Arne Schwabe wrote: Am 16.08.12 10:38, schrieb Heiko Hund: cipher_ctx_final() only returns an outlen in CBC mode. If CFB or OFB are used the assertion outlen == iv_len is always false. There's no CBC mode defined for the GOST 28147-89 block cipher. Hence this patch is needed for it to work.

[Openvpn-devel] man page patch for missing options

2013-02-03 Thread Jan Just Keijser
hi all, attached is a man page patch to include the options that were made connection-entry specific (by a patch of mine, which is included in 2.3.0). see you in a bit, JJK diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 2ed5201..829bbd2 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@

Re: [Openvpn-devel] Summary of the IRC meeting (29th Nov 2012)

2012-12-03 Thread Jan Just Keijser
Hi all, Samuli Seppänen wrote: Hi, Here's the summary of the previous IRC meeting. it's great to hear that the openvpn community is getting together again at FOSDEM 2013! One small practical remark, however: the train schedule between Amsterdam and Brussels is about to change; the

Re: [Openvpn-devel] RFC - Usage of --script-security with the 'system' flag

2012-10-17 Thread Jan Just Keijser
Hi David, David Sommerseth wrote: Hi all, I've been reviewing a bug reported to the v2.3 code base. We're in the beta phase currently, and this is a bug I'd like to get fixed before we're moving on further. The bug is related to the use of the 'system' flag in --script-security.

Re: [Openvpn-devel] Ability to send variable data from client to server

2012-10-01 Thread Jan Just Keijser
Hi Gert, Gert Doering wrote: Hi, On Mon, Oct 01, 2012 at 06:58:28AM +, f7n4ahb...@snkmail.com wrote: I believe there is ongoing development to allow a variable to be set in the client config which can be used by the client-connect or route-up scripts on the server. Specifically I need

Re: [Openvpn-devel] openvpn-gui disconnect

2012-09-13 Thread Jan Just Keijser
Hi Nelson, Nelson Teixeira wrote: Hello, Sorry for writing directly to devel list, but I'm not being able to solve this problem I'm in and thought maybe you would be so kind to take a look. Thanks in advance :) I'm having trouble in finding how to end openvpn programmatically in windows.

[Openvpn-devel] [Fwd: Re: [OpenVPN Community] #97: OpenVPN produces DCHP NAK bomb on Win 7 64bit]

2012-07-13 Thread Jan Just Keijser
did one of the tap-win32 developers see this: Seems to be a bug in the TAP driver. It's happening after you try to refresh the DHCP lease 3 times (after resume from hibernation, Windows tries to acquire a DHCP lease too). I think the reason for this is a programming error in dhcp.c in function

Re: [Openvpn-devel] [PATCH] Openvpn for Android 4.0 Changeset

2012-05-10 Thread Jan Just Keijser
Hi, Samuli Seppänen wrote: Hello, I have developed the port of openvpn for Android 4.0: https://play.google.com/store/apps/details?id=de.blinkt.openvpn and http://code.google.com/p/ics-openvpn/ The API of Android 4.0 requires that openvpn runs as completely unprivileged process. There all

Re: [Openvpn-devel] openvpn question

2012-05-10 Thread Jan Just Keijser
Hi Raj, Raj Kumar wrote: Hi all, I am new to openvpn. I am using openvpn on my linux machine. I have a basic question about openvpn. How openvpn process the incoming packets ? Is it processing incoming packets one by one, means receive one packet from the kernel, decrypt it and send it

Re: [Openvpn-devel] openssl ouch

2012-05-08 Thread Jan Just Keijser
Jan Just Keijser wrote: ouch: http://www.openssl.org/news/secadv_20120419.txt we need to investigate whether and how openvpn is affected. did somebody end up writing an 'authoritative' answer to the question if and how openvpn is affected by this bug? cheers, JJK

Re: [Openvpn-devel] [PATCH] Signed-off-by: Jan Just Keijser <janj...@nikhef.nl>

2012-05-08 Thread Jan Just Keijser
Hi Adriaan, Adriaan de Jong wrote: +void +tls_ctx_load_ecdh_params (struct tls_root_ctx *ctx, const char *curve_name +) +{ +#ifdef USE_SSL_EC + if (curve_name != NULL) + { +int nid; +EC_KEY *ecdh = NULL; + +nid = OBJ_sn2nid(curve_name); + +if (nid ==

Re: [Openvpn-devel] [PATCH] Signed-off-by: Jan Just Keijser <janj...@nikhef.nl>

2012-05-05 Thread Jan Just Keijser
Hi Adriaan, Adriaan de Jong wrote: Hi Janjust, I've finally had the time to take a look at this patch with a colleague who is more familiar with the subject at hand :). Hope this helps. Please see my comments inline. Adriaan On 02/07/2012 04:13 PM, Jan Just Keijser wrote: Added support

Re: [Openvpn-devel] [DISCUSS] much more complicated gcc invocations now

2012-03-28 Thread Jan Just Keijser
Alon Bar-Lev wrote: On Wed, Mar 28, 2012 at 11:12 AM, Jan Just Keijser <janj...@nikhef.nl> wrote: Hi, Gert Doering wrote: Hi, On Mon, Mar 26, 2012 at 07:51:01PM +0200, Alon Bar-Lev wrote: The benefit is to divide the code into libraries and core which is easier to maintain and

Re: [Openvpn-devel] [DISCUSS] much more complicated gcc invocations now

2012-03-28 Thread Jan Just Keijser
Hi, Gert Doering wrote: Hi, On Mon, Mar 26, 2012 at 07:51:01PM +0200, Alon Bar-Lev wrote: The benefit is to divide the code into libraries and core which is easier to maintain and reuse. I'm not sure I understand what's so hard about "compile stuff, use 'ar' to pack into

Re: [Openvpn-devel] two tls-auth questions

2012-03-23 Thread Jan Just Keijser
Mr Dash Four wrote: Is there a way to generate a symmetric ta.key without using "openvpn --genkey --secret ta.key"? yep, just use any freeform key that has enough entropy. For example, this ta.key file is good enough ]# cat mykey garble warble we need lots of entropy So, in

Re: [Openvpn-devel] two tls-auth questions

2012-03-23 Thread Jan Just Keijser
Mr Dash Four wrote: Is there a way to generate a symmetric ta.key without using "openvpn --genkey --secret ta.key"? yep, just use any freeform key that has enough entropy. For example, this ta.key file is good enough ]# cat mykey garble warble we need lots of entropy when openvpn starts

Re: [Openvpn-devel] openvpn windows gui

2012-02-28 Thread Jan Just Keijser
Samuli Seppänen wrote: We should probably write an installer. I'm not sure if it's the best idea to make each and every GUI project out there write its own installer, when it's mostly a single executable that needs to be replaced to package it with upstream openvpn. The pragmatic way

Re: [Openvpn-devel] [RFC][windows] gettimeofday()

2012-02-22 Thread Jan Just Keijser
Hi Alon, Alon Bar-Lev wrote: Hello all, There is an abnormality in the openvpn sources I want to resolve. In windows there is own implementation of gettimeofday(). In the past there was no gettimeofday(), so we used performance counters, then James optimized it to reduce CPU consumption.

Re: [Openvpn-devel] [RFC] openssl minimum supported version

2012-02-21 Thread Jan Just Keijser
Alon Bar-Lev wrote: > Hello, > > OpenVPN supports minimum openssl version of 0.9.6, while this version > is unsupported by upstream and probably a security risk. > > What would be a suitable minimum version to support? > > I think that 0.9.8 is the one. > EL5 and most SuSE distro's still use

Re: [Openvpn-devel] Config question

2012-02-09 Thread Jan Just Keijser
Hi David, David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 08/02/12 16:56, Jan Just Keijser wrote: Hi Paul, Paul Bakker wrote: On 8-2-2012 15:53, Jan Just Keijser wrote: Hi Paul, I can't find why the client would use 'eth0' for the 'tun0' network

Re: [Openvpn-devel] [PATCH] Signed-off-by: Jan Just Keijser <janj...@nikhef.nl>

2012-02-08 Thread Jan Just Keijser
otiation phase without this patch: if the client and server are configured to use ECDSA+SHA512 certs and the 'ecdh' parameters are NOT set on the server then the initial TLS handshake fails. cheers, JJK > On Tue, Feb 7, 2012 at 5:13 PM, Jan Just Keijser <janj...@nikhef.nl > <mailto:jan

Re: [Openvpn-devel] [PATCH] Made some options connection-entry specific

2012-02-07 Thread Jan Just Keijser
sorry about the noise, folks; this was my second git patch attempt :) cheers, JJK Jan Just Keijser wrote: > Made some options connection-entry specific: > fragment > mssfix > tun-mtu > tun-mtu-extra > link-mtu > mtu_discover_type > explicit-exit-notificati

[Openvpn-devel] [PATCH] Made some options connection-entry specific

2012-02-07 Thread Jan Just Keijser
-by: Jan Just Keijser <janj...@nikhef.nl> --- forward.c |2 +- init.c| 38 ++- occ.c |2 +- options.c | 125 +++-- options.h | 36 +- sig.c |6 +- 6 files changed, 107 insertions(+

[Openvpn-devel] Elliptic curve patch

2012-02-06 Thread Jan Just Keijser
hi all, attached is my elliptic curve patch, to add support for using ECDSA curves in combination with SHA256/SHA512 signed certificates; currently you can do either ECDSA with SHA1-signed certificates, or no ECDSA but SHA256/SHA512 signed certs . The error message seen is

Re: [Openvpn-devel] Summary of the IRC meeting (19th Jan 2012)

2012-01-25 Thread Jan Just Keijser
Hi all, Samuli Seppänen wrote: Hi, Here's the summary of the previous IRC meeting / sprint. I've been offline for a while but am slowly getting back online ; as for the chatlog attachment: Gert did ask me about bug #97 (dhcpnak storm) ; I have not been able to reproduce the DHCP NAK

Re: [Openvpn-devel] OpenVPN 2.2.2 released

2011-12-23 Thread Jan Just Keijser
Hi mattock, Samuli Seppänen wrote: The OpenVPN community project team is proud to release OpenVPN 2.2.2. It can be downloaded from here: Changes include: - Pkcs11 support built into the Windows version - Fixed a bug in the Windows

Re: [Openvpn-devel] Topics for today's meeting

2011-11-24 Thread Jan Just Keijser
Alon Bar-Lev wrote: > I hate CMake, it is way too complex, these guys re-invented the wheel > with no decent reuse of any methodology / language that existed > before. > I agree with Alon here : +1 autoconf -9 CMake esp troubleshooting a non-working CMake setup is a nightmare. JJK > If we

Re: [Openvpn-devel] [PATCH 3/3] Changed default algorithm for PolarSSL to AES-128, as BF is not supported

2011-10-24 Thread Jan Just Keijser
I'd NACK this patch : the default behaviour of OpenVPN should be independent of the SSL implementation. JJK Adriaan de Jong wrote: > Signed-off-by: Adriaan de Jong > --- > options.c |5 + > 1 files changed, 5 insertions(+), 0 deletions(-) > > diff --git a/options.c

Re: [Openvpn-devel] Fatal Error on XP

2011-10-10 Thread Jan Just Keijser
Hi, the log line "VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=US/ST=NewYork/L=minerals/O=certify.com/OU=R_D/CN=certify/emailAddress=cert...@server1.com" shows that the client does not trust the server certificate, or the CA certificate that signed the

Re: [Openvpn-devel] Summary of the IRC meeting (7th July 2011)

2011-07-09 Thread Jan Just Keijser
dazo wrote: dazo 12:16:09 we need to catch up on janjust on that one ... I think he dropped the ball due to holiday season or so ... I think it's been quite quiet from him lately (esp. here on IRC) yep - I'm on holidays right now and I have not had the time to look into this further ;

Re: [Openvpn-devel] [PATCH] Add new openssl.cnf to easy-rsa/Windows

2011-06-20 Thread Jan Just Keijser
Hi David, David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 20/06/11 11:36, Jan Just Keijser wrote: NACK on this patch - the openssl.cnf file should be (almost) the same as the one used in easy-rsa/2.0 that way the certificates are generated in the same manner

Re: [Openvpn-devel] [PATCH] Add new openssl.cnf to easy-rsa/Windows

2011-06-20 Thread Jan Just Keijser
NACK on this patch - the openssl.cnf file should be (almost) the same as the one used in easy-rsa/2.0 that way the certificates are generated in the same manner (*with* EKU=ServerAuth) JJK David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 20/06/11 09:49,

Re: [Openvpn-devel] Summary of the IRC meeting (9th June 2011)

2011-06-14 Thread Jan Just Keijser
Hi *, > Discussed the possibility of arranging a "real" face-to-face meeting > between the company and community people, for example in New York. Costs > are an issue, but this might happen eventually. JM2CW: I think this would be a *very* good thing , for both the openvpn community developers

Re: [Openvpn-devel] [PATCH] Make '--comp-lzo no' the default behaviour if LZO is enabled

2011-05-20 Thread Jan Just Keijser
Hi *, David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 16/05/11 13:10, David Sommerseth wrote: This makes 'comp-lzo' pushable without requiring clients to have --comp-lzo defined in the client configs. To make 'comp-lzo' not pushable on the client, a new 'disabled'

Re: [Openvpn-devel] [Openvpn-users] behavior of remote address with more than one A record

2011-05-12 Thread Jan Just Keijser
Hi William, William Cooley wrote: On 5/12/2011 1:46 PM, Jan Just Keijser wrote: William Cooley wrote: I'd like to have a remote address setting that has two A records. The client should randomly try to connect to one of the addresses and if it fails it should either try the other IP address

Re: [Openvpn-devel] Fwd: OpenVPN netsh.exe patch

2011-05-10 Thread Jan Just Keijser
Hi, Gert Doering wrote: > Hi, > > On Tue, May 10, 2011 at 03:31:56PM +0200, Jan Just Keijser wrote: > >> Seth Mos wrote: >> >>> Here is the tun.c patch for correction of the netsh.exe commands. >>> >>> I've confirmed that the patch w

Re: [Openvpn-devel] Fwd: OpenVPN netsh.exe patch

2011-05-10 Thread Jan Just Keijser
Hi Seth, Seth Mos wrote: > Here is the tun.c patch for correction of the netsh.exe commands. > > > > I've confirmed that the patch works on Windows XP SP2 and Windows 7. > > Patch! > http://iserv.nl/files/pfsense/0001-Change-the-netsh.exe-command-from-add-to-set-.-Th.patch > > please explain

Re: [Openvpn-devel] OpenVPN 2.2.0 released

2011-04-28 Thread Jan Just Keijser
Hi, I just would like to thank dazo, mattock and all the other developers and contributors who have put so much time into creating this release - great job guys! JJK David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 27/04/11 20:48, Samuli Seppänen wrote: | | Note

Re: [Openvpn-devel] [Openvpn-users] OpenVPN memory usage

2011-04-20 Thread Jan Just Keijser
Hi David, David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 20/04/11 17:25, Jan Just Keijser wrote: Hi *, copying in the openvpn-devel list as they might be interested in this memory usage analysis as well Ralf Hildebrandt wrote: * Ralf Hildebrandt

Re: [Openvpn-devel] [Openvpn-users] OpenVPN memory usage

2011-04-20 Thread Jan Just Keijser
Hi *, copying in the openvpn-devel list as they might be interested in this memory usage analysis as well Ralf Hildebrandt wrote: > * Ralf Hildebrandt : >> * Fredrik Kers : >>> I measure the memory usage by checking the VmRSS (Resident

Re: [Openvpn-devel] [PATCH] Fix the --client-cert-not-required feature

2011-03-31 Thread Jan Just Keijser
With this explanation, I'm ACKing the patch. JJK David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 31/03/11 09:57, Jan Just Keijser wrote: Hi David, David Sommerseth wrote: Commit 2e8337de248ef0b5b48cbb2964da0d5c3f28b15b introduced a new feature for using

Re: [Openvpn-devel] [PATCH] Fix the --client-cert-not-required feature

2011-03-31 Thread Jan Just Keijser
Hi David, David Sommerseth wrote: Commit 2e8337de248ef0b5b48cbb2964da0d5c3f28b15b introduced a new feature for using other SSL certificate fields for authentication than the CN field. This commit introduced a bug, which made the verify_callback() function getting called even if

Re: [Openvpn-devel] sctp in openvpn

2011-02-28 Thread Jan Just Keijser
David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 26/02/11 12:25, Gert Doering wrote: | Hi, | | On Sat, Feb 26, 2011 at 11:19:19AM +, Olivier Van Acker wrote: |>> The code parts in question inside OpenVPN (socket.c) are somewhat |>> complicated due to lots of existing

Re: [Openvpn-devel] OpenVPN 2.2-rc Windows installer ready

2011-02-10 Thread Jan Just Keijser
hi Samuli, Samuli Seppänen wrote: Hi all, The (hopefully) final preview of the OpenVPN 2.2-rc installer for Windows is available here: The main reason for this preview installer is our use of the new,

Re: [Openvpn-devel] Help testing OpenVPN 2.2-rc Windows installer?

2011-02-07 Thread Jan Just Keijser
hi Samuli, Samuli Seppänen wrote: Hi Samuli, Samuli Seppänen wrote: Hi, As some of you may be aware, I've been working on the new Python-based OpenVPN Windows buildsystem; now the first fully functional OpenVPN installer is ready:

Re: [Openvpn-devel] Help testing OpenVPN 2.2-rc Windows installer?

2011-02-04 Thread Jan Just Keijser
Hi Samuli, Samuli Seppänen wrote: Hi, As some of you may be aware, I've been working on the new Python-based OpenVPN Windows buildsystem; now the first fully functional OpenVPN installer is ready: However,

Re: [Openvpn-devel] OpenVPN documentation (man page) review

2011-01-12 Thread Jan Just Keijser
Hi David, David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi folks! This is a little cry for help from us playing with the OpenVPN code. We have a quite good man page today with a lot of information. But maintaining it and to make sure it is up-to-date with all the

Re: [Openvpn-devel] [Openvpn-users] Using EasyRSA intermediate CA with OpenVPN - warning with certificate revocation list: "CRL crl.pem is from a different issuer than the issuer of certificate ..."

2011-01-11 Thread Jan Just Keijser
Hi Erich, (copying in the openvpn-devel list as this might be considered a minor bug) Erich Titl wrote: Hi JJK at 11.01.2011 15:45, Jan Just Keijser wrote: Hi, ... the "CRL crl.pem is from a different issuer" warning is actually an error: when OpenVPN go

Re: [Openvpn-devel] [Openvpn-users] Is it possible to access Windows XP shares over port 445?

2010-12-16 Thread Jan Just Keijser
...@greenie.muc.de <mailto:g...@greenie.muc.de>> wrote: > > On Wed, Jun 23, 2010 at 09:10:10AM +0200, Jan Just Keijser wrote: > > > assigns a 169.254 address. If this works for you as well then maybe the > > > tap-win32 developers can dive de

Re: [Openvpn-devel] Summary of the IRC meeting (9th Dec 2010)

2010-12-13 Thread Jan Just Keijser
Hi Adriaan, Adriaan de Jong wrote: -Original Message- From: Jan Just Keijser [mailto:janj...@nikhef.nl] Hi Samuli, David, list, What some people get confused about is a stacked certificate vs a certificate chain: OpenVPN only supports stacked CA certificates, meaning that any

Re: [Openvpn-devel] script-security 1

2010-12-02 Thread Jan Just Keijser
Hi David, David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 02/12/10 15:53, Jan Just Keijser wrote: hi all, the openvpn 2.1 man page on script-security reads: --script-security level [method] This directive offers policy-level control over OpenVPN's usage

[Openvpn-devel] OpenVPN (cook)book

2010-11-17 Thread Jan Just Keijser
Hi all, I just wanted to let you know that the OpenVPN 2 Cookbook , which I've been working on for the past 6 months or so, is due for publication in early 2011. A pre-release (RAW) version of the book can already be found here: https://www.packtpub.com/openvpn-2-cookbook/book cheers,

[Openvpn-devel] VERY weird interaction between openvpn and opensc-pkcs11

2010-11-11 Thread Jan Just Keijser
that openvpn's openvpn_execve fork+waitpid function causes the program pid to change every time, triggering the reset of the pkcs11 interface ! What shall we do about this? cheers, JJK / Jan Just Keijser

Re: [Openvpn-devel] Problem with client reconnect when using username-as-common-name and username is blank

2010-11-04 Thread Jan Just Keijser
Hi Carlos, this looks like a repeat of something reported on March 1st : in multi.c the function multi_client_connect_setenv contains 1410 /* setenv incoming cert common name for script */ 1411 setenv_str (mi->context.c2.es, "common_name", tls_common_name (mi->context.c2.tls_multi,

Re: [Openvpn-devel] [Openvpn-users] Variable-Expansion withon *.ovpn files?

2010-11-03 Thread Jan Just Keijser
Ralf Hildebrandt wrote: * Jan Just Keijser <janj...@nikhef.nl>: Does openvpn handle Variable-Expansion within its config files? e.g. pkcs12 %HOMEPATH%\\client.p12 not that I am aware of and not that I can find in the OpenVPN sources ; the word 'getenv' appears n

Re: [Openvpn-devel] Enhancements.

2010-11-02 Thread Jan Just Keijser
Gert Doering wrote: Hi, On Fri, Sep 24, 2010 at 12:01:08PM +0200, Jan Just Keijser wrote: 3385 #ifdef ENABLE_PUSH_PEER_INFO [..] just toyed with it for about an hour or so and I can't get it to work - I even ran openvpn --cipher none --auth none to see if I could see

[Openvpn-devel] openvpn 2.2 --x509-username-field

2010-10-27 Thread Jan Just Keijser
hi all, I was just playing with the new 2.2 option --x509-username-field why is the field "uppercased" ? There are quite a few X509 fields that are case sensitive: emailAddress name dnQualifier etc (all from /usr/include/openssl/objects.h) It should also be noted that only the objects

Re: [Openvpn-devel] With route-noexec openvpn still adds routes automatically

2010-10-21 Thread Jan Just Keijser
Ansis Atteka wrote: Hello, I have OpenVPN configuration where I want to add all routes from up.sh and down.sh scripts manually. My setup also has route-noexec option in config file, so according to man pages I would expect that OpenVPN should not add any routes on its own: /

Re: [Openvpn-devel] openvpn, NTLM and McAfee Web Gateway

2010-10-18 Thread Jan Just Keijser
openvpn wrote: dear all, a few days ago I deployed an ovpn solution in a medium sized company. One of the two ends of the vpn network is passing through a proxy with NTLM authentication. ovpn has problems to recognize the authentication because immediately after sending the message type 1,

Re: [Openvpn-devel] [Openvpn-users] TAP installation Problem (2.1.3) on Windows 2000

2010-10-07 Thread Jan Just Keijser
Hi Gert (and David), Gert Doering wrote: Hi, On Thu, Oct 07, 2010 at 05:47:40PM +0200, Gert Doering wrote: On Thu, Oct 07, 2010 at 05:28:13PM +0200, Jan Just Keijser wrote: Why is that? it's a (minor) mistake in how openvpn 2.1.3 is packaged: This is not a mistake

Re: [Openvpn-devel] [Openvpn-users] TAP installation Problem (2.1.3) on Windows 2000

2010-10-07 Thread Jan Just Keijser
Ralf Hildebrandt wrote: During installation, no TAP32 adapter is being installed and the addtap.bat returns an error: d:\program files\openvpn\bin\tapinstall.exe is not a valid Win32 application. Why is that? it's a (minor) mistake in how openvpn 2.1.3 is packaged: openvpn 2.1.1 comes

Re: [Openvpn-devel] HTTP/1.1 Host header

2010-09-27 Thread Jan Just Keijser
Lars Hupel wrote: I'm not sure if I understand the question ; openvpn already has the option to use http/1.1 headers using --http-proxy-option VERSION 1.1 which should send HTTP/1.1 type messages - doesn't that work? The problem is that (at least Apache) rejects these requests because

Re: [Openvpn-devel] HTTP/1.1 Host header

2010-09-27 Thread Jan Just Keijser
Lars Hupel wrote: Hi, as the subject states, I would like that OpenVPN sends an appropriate Host header, because my server configuration relies on Apache's VirtualHosts. Because OpenVPN doesn't send this header, I patched it myself. Recently, I found the discussion on openvpn-devel from 10/2008

Re: [Openvpn-devel] Enhancements.

2010-09-24 Thread Jan Just Keijser
Hi David, David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 24/09/10 09:15, Jan Just Keijser wrote: Yo all, [...snip...] I was just browsing through the 2.1.3 source tree and found this in ssl.c: 3379 static bool 3380 push_peer_info(struct buffer *buf

Re: [Openvpn-devel] Enhancements.

2010-09-24 Thread Jan Just Keijser
Yo all, David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 14/09/10 13:37, Gert Doering wrote: Hi, On Tue, Sep 14, 2010 at 11:10:28AM +0200, Jan Just Keijser wrote: if (buf_string_match_head_str (, "AUTH_FAILED")) receive_auth

Re: [Openvpn-devel] proper "logout" support for the server?

2010-09-24 Thread Jan Just Keijser
Jason Haar wrote: Hi there Minor feature request. When a user ends their openvpn client session, shouldn't it be possible to send one last command to the server - a "logout" command? That way the server can clean up the session much faster than waiting for a keepalive timeout cycle... (the

[Openvpn-devel] comp-lzo & push "comp-lzo"

2010-09-15 Thread Jan Just Keijser
hi all, just noticed something odd with openvpn 2.1 (.1 & .3): in the server config I specify comp-lzo push "comp-lzo" if the client config does NOT have a line comp-lzo then this "push" is not picked up by the client. If the client has a line comp-lzo no (or 'yes' or 'adaptive' ) then

Re: [Openvpn-devel] Enhancements.

2010-09-14 Thread Jan Just Keijser
Hi, Gert Doering wrote: Hi, On Tue, Sep 14, 2010 at 09:58:19AM +1200, Jason Haar wrote: On 09/14/2010 08:52 AM, Brad Dameron wrote: Also can there be reporting added for the server side to show what version the client is connecting with? I agree. I have previously asked for

[Openvpn-devel] shaper broken in openvpn 2.1.1 linux clients?

2010-09-08 Thread Jan Just Keijser
hi all, is the option shaper 10 broken in openvpn 2.1.1 on linux? If I add this option to a client config I get very erratic behaviour when running iperf: - performance is absolute crap - after iperf has finished the link remains active doing something but is not responding; after about

Re: [Openvpn-devel] My results of OpenVPN Benchmarking

2010-09-02 Thread Jan Just Keijser
nts to a single VPN server try increasing the txqueuelen: --txqueuelen 1000 (default is 100) HTH, JJK 4. lsof shows mostly sockets to the clients (almost all are in Established state). Ansis On Tue, Aug 31, 2010 at 3:16 AM, Jan Just Keijser <janj...@nikhef.nl <mailto:janj...@

Re: [Openvpn-devel] Netmask OpenVPN Server

2010-09-01 Thread Jan Just Keijser
Hi Eike, Eike Lohmann wrote: We are working with static assignments and if the 2 networks are side by side I can recompile the code and define a larger mask. Is this also working if I have 2 networks far away from each other (10.x and 192.168.x), with defining a 'all your base belong to us'

Re: [Openvpn-devel] Netmask OpenVPN Server

2010-08-31 Thread Jan Just Keijser
Gert Doering wrote: Hi, On Tue, Aug 31, 2010 at 12:35:03PM +0200, Eike Lohmann wrote: In the past only /16 networks were possible per openvpn instance. Is it now possible to define larger networks or define 2x /16 networks on one openvpn instance? I assume that you're talking about

Re: [Openvpn-devel] My results of OpenVPN Benchmarking

2010-08-31 Thread Jan Just Keijser
Hi Ansis, very interesting results, it's been on my TODO list to do some extensive benchmarking for some time, especially in a 1 Gbps and 10 Gbps network environment. See some comments below Ansis Atteka wrote: Hello I have done some benchmarking of OpenVPN and wanted to share my numbers

Re: [Openvpn-devel] openvpn-2.1.0-r1: easy-rsa tools creates broken client CERTs unusable for TLS

2010-08-25 Thread Jan Just Keijser
somehow fallen deeply in your email boxes. ;-) The text below show that the two certificates Jan Just Keijser generated the days before could not be used on my Gentoo box. Clearly, the problem is with Gentoo install/my binaries and has nothing to do with the key and certificate creation. Thanks, Martin

Re: [Openvpn-devel] [Openvpn-users] Problem with installation on Windows7 (64bit)

2010-07-21 Thread Jan Just Keijser
Hi Ralf, Ralf Hildebrandt wrote: After installation of openvpn-2.1.1, I was able to start openvpn-gui as NORMAL user (not admin). No problems there. But in order to actually *use* openvpn, I have to start openvpn-gui via "run as admin". When I would do that, openvpn gui would report:

Re: [Openvpn-devel] [Openvpn-users] OpenVPN server listening both on udp and tcp?

2010-07-02 Thread Jan Just Keijser
Hi Henno, Henno Täht wrote: Hello! 2010/7/2 David Sommerseth > On 02/07/10 19:38, Henno Täht wrote: > Hello! > > Can anyone experienced and helpful scribble a little guide how to have > the same

Re: [Openvpn-devel] [Openvpn-users] Is it possible to access Windows XP shares over port 445?

2010-06-24 Thread Jan Just Keijser
Gert Doering wrote: Hi, On Wed, Jun 23, 2010 at 09:10:10AM +0200, Jan Just Keijser wrote: assigns a 169.254 address. If this works for you as well then maybe the tap-win32 developers can dive deeper into this and find out why windows treats the 'always connected' adapter differently from

Re: [Openvpn-devel] [Openvpn-users] Is it possible to access Windows XP shares over port 445?

2010-06-22 Thread Jan Just Keijser
Hi Henno, Henno Täht wrote: Is it possible to share files from Windows XP using port 445 over OpenVPN tunnel? Everything works within the LAN but from the other side of OpenVPN connection I'm getting "No network provider accepted the given network path." error while trying to access XP's

Re: [Openvpn-devel] openvpn-2.1.0-r1: easy-rsa tools creates broken client CERTs unusable for TLS

2010-06-09 Thread Jan Just Keijser
Hi, Martin Mokrejs wrote: Hi, David Sommerseth wrote: On 08/06/10 18:24, Martin Mokrejs wrote: Hi, I had a look into the original bug report I sent and the summary is this: at some version openvpn implemented a more strict check for certificate values and if the check fails one

Re: [Openvpn-devel] [PATCH-fixed] revocation

2010-04-22 Thread Jan Just Keijser
Davide Brini wrote: On Thursday 22 April 2010, Davide Brini wrote: (moving to -devel as this obviously pertains there more than -users) Sorry, too quick! I posted an incomplete version of the patch. The attached one should be better. The only doubt I have is about error

Re: [Openvpn-devel] man page patch

2010-04-19 Thread Jan Just Keijser
Hi, David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 16/04/10 19:48, Jan Just Keijser wrote: man page patch to fix (based on the git page). - explicit-exit-notify text is misleading : parameter [n] is the number of attempts not the number of retries - I would

Re: [Openvpn-devel] DNS problems with openvpn 2.1 on Windows

2010-04-07 Thread Jan Just Keijser
Heiko Hund wrote: Hi, On Tuesday 06 April 2010 22:36:31 Johan Ymerson wrote: > I have tested on 3 PC's with Windows XP, all 3 show the same problem, at > almost 100% of my connection attempts. OpenVPN 2.0.9 does not have this > issue (ie. reverting back to 2.0.9 on the same machines with the

Re: [Openvpn-devel] Auto-Proxy

2010-04-06 Thread Jan Just Keijser
open...@rkmorris.us wrote: Hi, I have been using two different config files to connect to my OpenVPN server - as I am sometimes behind a proxy server, and sometimes not. So to fix this I tried using auto-proxy ... but it didn't work (in the proxy case) ... :-(. I am running the

Re: [Openvpn-devel] [PATCH 4/9] vlan: Prepend and remove VLAN identifiers on outgoing and incoming frames

2010-04-01 Thread Jan Just Keijser
Peter Stuge wrote: Jan Just Keijser wrote: FYI: 802.1Q defines VLAN 1 as the 'native' LAN: all packets on VLAN 1 are *by definition* not encapsulated (according to my CCNA guide ;-)) 802.1Q != CCNA.. Look at the spec, Table 9-2 on page 86. (100 in PDF) VID Use 0 "no

Re: [Openvpn-devel] [PATCH 4/9] vlan: Prepend and remove VLAN identifiers on outgoing and incoming frames

2010-04-01 Thread Jan Just Keijser
Fabian Knittel wrote: Peter Stuge schrieb: Fabian Knittel wrote: + if (ntohs (vlanhdr.tpid) != OPENVPN_ETH_P_8021Q) +{ + /* Drop untagged frames */ + goto err; +} It would be nice to be able to use VID 0 to mean untagged packets. Hm, nice idea. I'll

Re: [Openvpn-devel] [Fwd: Re: Clarifications to "OpenVPN will not connect through certain HTTP proxies" bug report]

2010-03-22 Thread Jan Just Keijser
David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 22/03/10 14:57, Samuli Seppänen wrote: I somehow managed to miss the attached response earlier today. So the proxy server error was encountered on T-mobile t-zones web proxy only. Should we close the bug report or make

Re: [Openvpn-devel] Summary of the IRC meeting (18th Mar 2010)

2010-03-19 Thread Jan Just Keijser
Hi Samuli, (I'd prefer to be referred to as JJK in minutes ;-) ) see comments below Samuli Seppänen wrote: Hi, Here's the summary of the previous community meeting. --- COMMUNITY MEETING Place: #openvpn-discussion on irc.freenode.net Date: Thursday, 18th March 2010 Time: 18:00 UTC

Re: [Openvpn-devel] Windows, OpenVPN-GUI, disconnect

2010-03-18 Thread Jan Just Keijser
Hi Gert, Gert Doering wrote: Hi, can one of you tell me what happens "under the hood" if I click the "disconnect" button of the openvpn-gui under Windows XP? Why am I asking? I managed to get my windows build environment working well enough that I can now build a complete installer package

Re: [Openvpn-devel] Linux tun/tap performance issues

2010-03-16 Thread Jan Just Keijser
Hi David, David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 15/03/10 16:29, Jan Just Keijser wrote: More tests, this time with 'oprofile' : here's a recap: - nothing changed on the server side: openvpn --ifconfig 10.222.0.1 10.222.0.2 --dev tun --secret secret.key

Re: [Openvpn-devel] Linux tun/tap performance issues

2010-03-15 Thread Jan Just Keijser
ing bottlenecks. If anybody else has more experience with 'oprofile' then please let me know how I can rerun these tests more effectively. share and enjoy, JJK / Jan Just Keijser

Re: [Openvpn-devel] Supporting "route-gateway dhcp" on non-Windows

2010-03-11 Thread Jan Just Keijser
be nice/fun to be able to use a ppp adapter as well, provided that I provide the right interface between what openvpn expects and what ppp expects) JM2CW, JJK / Jan Just Keijser

Re: [Openvpn-devel] Linux tun/tap performance issues

2010-03-11 Thread Jan Just Keijser
space was different, i.e. older CPUs had more trouble with the encryption/decryption, hence you'd see a larger difference between user vs sys. cheers, JJK / Jan Just Keijser David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 08/03/10 15:47, James Yonan wrote: I

Re: [Openvpn-devel] Erratic TCP Throughput

2010-03-05 Thread Jan Just Keijser
open...@rkmorris.us wrote: Hi, This is more my bet, because my question wasn't very clear ... I require a proxy server during "normal" operation, but for this data throughput test I had no proxy server, rather a "direct" connection. without config files it's impossible to tell - is
