Re: [Openvpn-devel] OpenVPN Service Flagged as Trojan

2016-12-29 Thread Morris, Russell
Yep, looks to be OK now (with definitions updated today). Thanks!

... Russell


-Original Message-
From: Magnus Kroken [mailto:mkro...@gmail.com] 
Sent: Thursday, December 29, 2016 12:34 PM
To: Morris, Russell 
Cc: openvpn-devel@lists.sourceforge.net; Samuli Seppänen 
Subject: Re: [Openvpn-devel] OpenVPN Service Flagged as Trojan

Hi

On 29.12.2016 19.07, Morris, Russell wrote:
> That's good - thanks! Not sure how to fix Windows flagging this though - I'm 
> assuming others will have the same issue.
>
> ... Russell

Most likely a definition update will fix this very soon, or already has. 
I just ran it through Virustotal [1], all scanners report it as harmless, 
including Microsoft with today's definitions. Also, Defender reports 
openvpnserv2 as clean on my computer, with definitions created today at 10:44 
AM (CET or UTC, I'm not sure which).

[1]
https://www.virustotal.com/en/file/c3970ec979ccbdb03d38c1df606fc3437a85cea2f3b56a2f03c32fde4dfe9046/analysis/1483035462/

/Magnus

--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH 1/2] move systemd specific code to platform.c

2016-12-29 Thread Gert Doering
Hi,

On Thu, Dec 29, 2016 at 07:57:26PM +0100, Christian Hesse wrote:
> From: Christian Hesse 
> 
> We have voices that do not want to "litter ENABLE_SYSTEMD all over the
> code". So move the systemd specific bits to platform_notify() in
> platform.c.

While this is better, it's still far from a proper abstraction that could
be used for cross-platform notification - like Selva said, we might want
to add windows event logging eventually (quite likely a larger user base
than Linux)...

So, for a start, passing arguments to platform_notify() that do not make
sense to anything that is not sd_notify() is a non-starter.

Then, please investigate using the existing status file / management
interface code to add this, instead of adding new calls in init.c
(I mentioned this yesterday).  If our existing status file / management
code is not up to more fine-grained notification, I'd rather see that
one improved, and then call out to systemd / windows events / ... 
than new code in parallel to the existing notification code.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] [PATCH 1/1] fix timeout in non-TLS mode with systemd

2016-12-29 Thread Gert Doering
Hi,

On Wed, Dec 28, 2016 at 11:49:24PM +0100, David Sommerseth wrote:
> On 28/12/16 22:03, Gert Doering wrote:
> > nothing else but a subset of Linux distributions use systemd today,
> 
> If including the "millions" of various Linux distributions on
> DistroWatch, you might very well be right.
> 
> But a far better measuring point would be which Linux distributions the
> majority of Linux users do use.  And in my experience, the list which is
> gathered on wikipedia [1] covers what the vast majority of Linux users
> installs.  At least the majority of users I have met on various
> conferences over the last few years.
> 
> [1] 

My point was not whether it's "many" or "few" Linux distributions, but
it's "a (large) subset of Linux-only".  Even if it reaches 99% one day, 
it's still "Linux", which makes it more of a platform-dependent thing 
for me, and not a "feature", when regarding "where do we want to have these
#ifdef".

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] Fwd: Re: [Openvpn-announce] OpenVPN 2.4.0 released

2016-12-29 Thread Selva Nair
On Thu, Dec 29, 2016 at 5:53 AM, Samuli Seppänen  wrote:

> Hi,
>
> Any comments about the forwarded email? Is our documentation regarding
> "or-highest" correct?
>
> Samuli
>
>
>  Forwarded Message 
> Subject: Re: [Openvpn-announce] OpenVPN 2.4.0 released
> Date: Tue, 27 Dec 2016 22:04:23 -0600
> From: Michael French 
> To: Samuli Seppänen 
>
>
>
> Hi Samuli,
> I installed 2.4 on a couple Windows 7x64 computers and all seems well.
> I even got tls-crypt to work using the old ta.key file on both client
> and server.
>
> However, I noticed in the documentation for 2.4 that the parameter
> tls-version-min is supposed to work with the 'or-highest' option, but it
> does not.
>
> I wish that it did work because I always want to run with the most
> secure version of TLS and the 'or-highest' option would save me the
> trouble of manually editing the TLS number every time it changes.
>

I too find this option somewhat counter-intuitive. I think you can
effectively get it set to the highest available version by specifying an
insanely large number as the first parameter. For example,

--tls-version-min 5.0 or-highest

As 5.0 is larger than any available versions, the minimum will get set to
the highest available (say 1.2).

However, that will also make it impossible to connect to a server that
doesn't support the said version.

Selva
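
The resolution behaviour discussed in this thread, as a simplified model added here (it is not OpenVPN's own code): a recognised version is taken literally, and "or-highest" only takes effect when the version string is not recognised. The names `resolve_version_min`, `peer_can_connect` and `library_max` are hypothetical, and the library maximum of 1.2 is an assumption taken from the "say 1.2" in the message above.

```c
#include <stdio.h>
#include <string.h>

/* Version codes ordered so that a larger value is a newer protocol version. */
enum { VER_BAD = -1, VER_1_0 = 1, VER_1_1 = 2, VER_1_2 = 3 };

/* Assumption: newest version the linked TLS library offers (1.2, as in the thread). */
static int library_max = VER_1_2;

/* Resolve the arguments of --tls-version-min.
 * vstr:  first argument, e.g. "1.0" or "5.0"
 * extra: second argument, "or-highest" or NULL */
int resolve_version_min(const char *vstr, const char *extra)
{
    static const struct { const char *name; int code; } known[] = {
        { "1.0", VER_1_0 }, { "1.1", VER_1_1 }, { "1.2", VER_1_2 },
    };
    size_t i;

    /* A recognised, supported version is taken literally; "or-highest" is ignored. */
    for (i = 0; i < sizeof(known) / sizeof(known[0]); i++)
        if (strcmp(vstr, known[i].name) == 0 && known[i].code <= library_max)
            return known[i].code;

    /* Only an unrecognised version falls back to the library maximum. */
    if (extra != NULL && strcmp(extra, "or-highest") == 0)
        return library_max;

    return VER_BAD; /* unrecognised and no fallback: configuration error */
}

/* The handshake can succeed only if the peer's newest version reaches our minimum. */
int peer_can_connect(int local_min, int peer_max)
{
    return local_min != VER_BAD && peer_max >= local_min;
}

int main(void)
{
    int pinned = resolve_version_min("5.0", "or-highest");

    printf("1.0 or-highest -> %d\n", resolve_version_min("1.0", "or-highest"));
    printf("5.0 or-highest -> %d\n", pinned);
    printf("1.3            -> %d\n", resolve_version_min("1.3", NULL));
    printf("peer limited to 1.0 connects: %d\n", peer_can_connect(pinned, VER_1_0));
    return 0;
}
```
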


[Openvpn-devel] [PATCH v2 2/2] fix timeout in non-TLS mode with systemd

2016-12-29 Thread Christian Hesse
From: Christian Hesse 

In non-TLS configuration we wait for the remote peer to connect
before issuing "Initialization Sequence Completed". So prevent a
timeout by telling the systemd service manager we are ready for now.
Status will be "Non-TLS mode, ready for now. Waiting for peer..."
and changes once the remote peer connects.

This fixes #801 (static key tunnels impossible to start via systemd)

v2: Rebase on "move systemd specific code to platform.c" (commit
46e647933030da848774656029c4c4a1f204e2f1).

Tested-by: Mantas Mikulėnas 
Signed-off-by: Christian Hesse 
---
 src/openvpn/openvpn.c | 12 
 1 file changed, 12 insertions(+)

diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c
index 888acda..ddcb9ed 100644
--- a/src/openvpn/openvpn.c
+++ b/src/openvpn/openvpn.c
@@ -73,6 +73,18 @@ tunnel_point_to_point(struct context *c)
 return;
 }
 
+/* In non-TLS configuration we wait for the remote peer to connect
+ * before issuing "Initialization Sequence Completed". So prevent to
+ * time out by telling systemd service manager we are ready for now.
+ * Status will be "Non-TLS mode, ready for now. Waiting for peer..."
+ * and changes once the remote peer connects. */
+if (c->options.tls_client == false
+&& c->options.tls_server == false)
+{
+platform_notify("READY=1",
+"STATUS=Non-TLS mode, ready for now. Waiting for 
peer...");
+}
+
 /* main event loop */
 while (true)
 {
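
Review bot: The `READY=1` sent from the new block in tunnel_point_to_point() is reported before any peer has connected, so the service manager treats start-up as finished while the tunnel is still down; the comment should state that this is a deliberate trade-off for static-key setups. The block also ignores the return value of platform_notify(), and the condition reads more idiomatically as `!c->options.tls_client && !c->options.tls_server`.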
-- 
2.11.0




[Openvpn-devel] [PATCH 1/2] move systemd specific code to platform.c

2016-12-29 Thread Christian Hesse
From: Christian Hesse 

We have voices that do not want to "litter ENABLE_SYSTEMD all over the
code". So move the systemd specific bits to platform_notify() in
platform.c.

Signed-off-by: Christian Hesse 
---
 src/openvpn/init.c | 23 +--
 src/openvpn/platform.c | 13 +
 src/openvpn/platform.h |  2 ++
 3 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 9a3e29d..46df8ca 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -30,10 +30,6 @@
 
 #include "syshead.h"
 
-#ifdef ENABLE_SYSTEMD
-#include 
-#endif
-
 #include "win32.h"
 #include "init.h"
 #include "sig.h"
@@ -983,13 +979,11 @@ possibly_become_daemon(const struct options *options)
 {
 bool ret = false;
 
-#ifdef ENABLE_SYSTEMD
 /* return without forking if we are running from systemd */
-if (sd_notify(0, "READY=0") > 0)
+if (platform_notify("READY=0", "STATUS=Possibly become daemon") > 0)
 {
 return ret;
 }
-#endif
 
 if (options->daemon)
 {
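
Review bot: In possibly_become_daemon() the call `platform_notify("READY=0", "STATUS=Possibly become daemon") > 0` is used as a probe for "are we running from systemd", but it now also publishes a STATUS string as a side effect, where the removed `sd_notify(0, "READY=0")` sent none. Keep the probe free of status text or give it a dedicated helper whose name says it is a detection check, and note in the comment that the call returns 0 when ENABLE_SYSTEMD is not defined, which is what keeps the non-systemd path forking.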
@@ -1026,7 +1020,6 @@ do_uid_gid_chroot(struct context *c, bool no_delay)
 {
 if (no_delay)
 {
-#ifdef ENABLE_SYSTEMD
 /* If OpenVPN is started by systemd, the OpenVPN process needs
  * to provide a preliminary status report to systemd.  This is
  * needed as $NOTIFY_SOCKET will not be available inside the
@@ -1040,10 +1033,8 @@ do_uid_gid_chroot(struct context *c, bool no_delay)
  * have a sane way to know if OpenVPN will chroot or not and to
  * which subdirectory it will chroot into.
  */
-sd_notifyf(0, "READY=1\n"
-   "STATUS=Entering chroot, most of the init completed 
successfully\n"
-   "MAINPID=%lu", (unsigned long) getpid());
-#endif
+platform_notify("READY=1",
+"STATUS=Entering chroot, most of the init 
completed successfully");
 platform_chroot(c->options.chroot_dir);
 }
 else if (c->first_time)
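
Review bot: The replacement call in do_uid_gid_chroot() drops the `MAINPID=%lu` field that the removed sd_notifyf() call sent with getpid(). If that is intentional, say so in the commit message; otherwise platform_notify() needs a way to carry it, because after this change the preliminary report before the chroot no longer includes the main PID.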
@@ -1384,17 +1375,13 @@ initialization_sequence_completed(struct context *c, 
const unsigned int flags)
 show_adapters(M_INFO|M_NOPREFIX);
 msg(M_INFO, "%s With Errors ( see 
http://openvpn.net/faq.html#dhcpclientserv )", message);
 #else
-#ifdef ENABLE_SYSTEMD
-sd_notifyf(0, "STATUS=Failed to start up: %s With Errors\nERRNO=1", 
message);
-#endif /* HAVE_SYSTEMD_SD_DAEMON_H */
+platform_notify("READY=0", "STATUS=Failed to start up");
 msg(M_INFO, "%s With Errors", message);
 #endif
 }
 else
 {
-#ifdef ENABLE_SYSTEMD
-sd_notifyf(0, "READY=1\nSTATUS=%s\nMAINPID=%lu", message, (unsigned 
long) getpid());
-#endif
+platform_notify("READY=1", "STATUS=Initialization Sequence Completed");
 msg(M_INFO, "%s", message);
 }
 
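
Review bot: Both branches of initialization_sequence_completed() lose information: the failure path no longer sends `ERRNO=1` or the contents of `message`, and the success path replaces `STATUS=%s` built from `message` with a hardcoded string and drops `MAINPID`. Pass `message` through (for example by letting platform_notify() accept a format string) so the status shown by the service manager keeps matching what msg() logs.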
diff --git a/src/openvpn/platform.c b/src/openvpn/platform.c
index 952d633..55a25b0 100644
--- a/src/openvpn/platform.c
+++ b/src/openvpn/platform.c
@@ -30,6 +30,10 @@
 
 #include "syshead.h"
 
+#ifdef ENABLE_SYSTEMD
+#include 
+#endif
+
 #include "buffer.h"
 #include "error.h"
 #include "win32.h"
@@ -336,3 +340,12 @@ platform_stat(const char *path, platform_stat_t *buf)
 #endif
 }
 
+int
+platform_notify(const char *status, const char *message)
+{
+#ifdef ENABLE_SYSTEMD
+return sd_notifyf(0, "%s\n%s", status, message);
+#endif
+
+return 0;
+}
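
Review bot: In platform_notify(), when ENABLE_SYSTEMD is defined the trailing `return 0;` is unreachable after `return sd_notifyf(0, "%s\n%s", status, message);`; move it into an `#else` branch. The two `const char *` parameters are also shaped around sd_notify's KEY=value lines, so a caller on another platform would have to pass strings such as "READY=1" that mean nothing there; an enum for the state plus a free-text message would keep the systemd formatting inside this function.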
diff --git a/src/openvpn/platform.h b/src/openvpn/platform.h
index 62396a9..94c92e4 100644
--- a/src/openvpn/platform.h
+++ b/src/openvpn/platform.h
@@ -144,4 +144,6 @@ typedef struct stat platform_stat_t;
 #endif
 int platform_stat(const char *path, platform_stat_t *buf);
 
+int platform_notify(const char *status, const char *message);
+
 #endif /* ifndef PLATFORM_H */
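
Review bot: The new prototype `int platform_notify(const char *status, const char *message);` has no comment describing what the two strings must contain or what the return value means, although possibly_become_daemon() relies on a positive return to detect systemd. Add a short doc comment here covering both, including the 0 returned when ENABLE_SYSTEMD is not defined.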
-- 
2.11.0




Re: [Openvpn-devel] OpenVPN Service Flagged as Trojan

2016-12-29 Thread Magnus Kroken
Hi

On 29.12.2016 19.07, Morris, Russell wrote:
> That's good - thanks! Not sure how to fix Windows flagging this though - I'm 
> assuming others will have the same issue.
>
> ... Russell

Most likely a definition update will fix this very soon, or already has. 
I just ran it through Virustotal [1], all scanners report it as 
harmless, including Microsoft with today's definitions. Also, Defender 
reports openvpnserv2 as clean on my computer, with definitions created 
today at 10:44 AM (CET or UTC, I'm not sure which).

[1] 
https://www.virustotal.com/en/file/c3970ec979ccbdb03d38c1df606fc3437a85cea2f3b56a2f03c32fde4dfe9046/analysis/1483035462/

/Magnus



Re: [Openvpn-devel] OpenVPN Service Flagged as Trojan

2016-12-29 Thread Morris, Russell
Hi,

Sure you bet! Had to restore it from Quarantine (was removed by Windows 
Defender). Here are the checksums - do they look right?

SHA-1: 12A92A1314394994E5493DEEDECCE1B885E88497
MD5: 4628C852B721472918C0F07C954AD11D
CRC32: BC4B4D67

Thanks,
... Russell


-Original Message-
From: Samuli Seppänen [mailto:sam...@openvpn.net] 
Sent: Thursday, December 29, 2016 3:44 AM
To: Morris, Russell ; openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] OpenVPN Service Flagged as Trojan

Hi Russell,

Interesting. Can you send me the sha1sum or md5sum of your openvpnserv2.exe?

We've typically had false positives related to the OpenVPN installers, but 
never with the bundled executables afaik.

Samuli

On 29/12/2016 05:45, Morris, Russell wrote:
> Something you may want to know about - at least on my Windows 10 
> machine, when I try to run openvpnserv2.exe … Windows Defender 
> identifies it as a Trojan - quarantines and removes it … L.
>
> Thanks,
>
> … Russell


Re: [Openvpn-devel] OpenVPN Service Flagged as Trojan

2016-12-29 Thread Morris, Russell
That's good - thanks! Not sure how to fix Windows flagging this though - I'm 
assuming others will have the same issue.

... Russell



-Original Message-
From: Samuli Seppänen [mailto:sam...@openvpn.net] 
Sent: Thursday, December 29, 2016 12:03 PM
To: Morris, Russell ; openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] OpenVPN Service Flagged as Trojan

Your sha1sum matches that of "openvpnserv2-1.3.0.0.exe" on the download server, 
which is correct. So there is nothing suspicious about your copy of 
openvpnserv2.exe.

Samuli

On 29/12/2016 18:40, Morris, Russell wrote:
> Hi,
>
> Sure you bet! Had to restore it from Quarantine (was removed by Windows 
> Defender). Here are the checksums - do they look right?
>
> SHA-1: 12A92A1314394994E5493DEEDECCE1B885E88497
> MD5: 4628C852B721472918C0F07C954AD11D
> CRC32: BC4B4D67
>
> Thanks,
> ... Russell
>
>
> -Original Message-
> From: Samuli Seppänen [mailto:sam...@openvpn.net]
> Sent: Thursday, December 29, 2016 3:44 AM
> To: Morris, Russell ; 
> openvpn-devel@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] OpenVPN Service Flagged as Trojan
>
> Hi Russell,
>
> Interesting. Can you send me the sha1sum or md5sum of your openvpnserv2.exe?
>
> We've typically had false positives related to the OpenVPN installers, but 
> never with the bundled executables afaik.
>
> Samuli
>
> On 29/12/2016 05:45, Morris, Russell wrote:
>> Something you may want to know about - at least on my Windows 10 
>> machine, when I try to run openvpnserv2.exe … Windows Defender 
>> identifies it as a Trojan - quarantines and removes it … L.
>>
>> Thanks,
>>
>> … Russell


Re: [Openvpn-devel] OpenVPN Service Flagged as Trojan

2016-12-29 Thread Samuli Seppänen
Your sha1sum matches that of "openvpnserv2-1.3.0.0.exe" on the download 
server, which is correct. So there is nothing suspicious about your copy 
of openvpnserv2.exe.

Samuli

On 29/12/2016 18:40, Morris, Russell wrote:
> Hi,
>
> Sure you bet! Had to restore it from Quarantine (was removed by Windows 
> Defender). Here are the checksums - do they look right?
>
> SHA-1: 12A92A1314394994E5493DEEDECCE1B885E88497
> MD5: 4628C852B721472918C0F07C954AD11D
> CRC32: BC4B4D67
>
> Thanks,
> ... Russell
>
>
> -Original Message-
> From: Samuli Seppänen [mailto:sam...@openvpn.net]
> Sent: Thursday, December 29, 2016 3:44 AM
> To: Morris, Russell ; openvpn-devel@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] OpenVPN Service Flagged as Trojan
>
> Hi Russell,
>
> Interesting. Can you send me the sha1sum or md5sum of your openvpnserv2.exe?
>
> We've typically had false positives related to the OpenVPN installers, but 
> never with the bundled executables afaik.
>
> Samuli
>
> On 29/12/2016 05:45, Morris, Russell wrote:
>> Something you may want to know about - at least on my Windows 10
>> machine, when I try to run openvpnserv2.exe … Windows Defender
>> identifies it as a Trojan - quarantines and removes it … L.
>>
>> Thanks,
>>
>> … Russell


Re: [Openvpn-devel] Fwd: Re: [Openvpn-announce] OpenVPN 2.4.0 released

2016-12-29 Thread Arne Schwabe
On 29.12.16 at 10:53, Samuli Seppänen wrote:
> Hi,
> 
> Any comments about the forwarded email? Is our documentation regarding 
> "or-highest" correct?
> 

Yes, should be correct. Specifying a not yet supported TLS version, e.g.
"1.3" will also give an error.

Also, this directive is not meant to be always bumped to the next version
but (as with tls-version-max) to exclude certain versions, i.e. 1.0.

Arne




[Openvpn-devel] Fwd: Re: [Openvpn-announce] OpenVPN 2.4.0 released

2016-12-29 Thread Samuli Seppänen
Hi,

Any comments about the forwarded email? Is our documentation regarding 
"or-highest" correct?

Samuli


 Forwarded Message 
Subject: Re: [Openvpn-announce] OpenVPN 2.4.0 released
Date: Tue, 27 Dec 2016 22:04:23 -0600
From: Michael French 
To: Samuli Seppänen 



Hi Samuli,
I installed 2.4 on a couple Windows 7x64 computers and all seems well. 
I even got tls-crypt to work using the old ta.key file on both client 
and server.

However, I noticed in the documentation for 2.4 that the parameter 
tls-version-min is supposed to work with the 'or-highest' option, but it 
does not.

I wish that it did work because I always want to run with the most 
secure version of TLS and the 'or-highest' option would save me the 
trouble of manually editing the TLS number every time it changes.

Thanks and keep up the good work!

Regards,
Mike



Re: [Openvpn-devel] OpenVPN Service Flagged as Trojan

2016-12-29 Thread Samuli Seppänen
Hi Russell,

Interesting. Can you send me the sha1sum or md5sum of your openvpnserv2.exe?

We've typically had false positives related to the OpenVPN installers, 
but never with the bundled executables afaik.

Samuli

On 29/12/2016 05:45, Morris, Russell wrote:
> Something you may want to know about – at least on my Windows 10
> machine, when I try to run openvpnserv2.exe … Windows Defender
> identifies it as a Trojan – quarantines and removes it … L.
>
>
>
> Thanks,
>
> … Russell