[Openvpn-devel] Windows 10 Creators Update broke --block-outside-dns

2017-04-15 Thread ValdikSS
I hope this message will finally reach everyone. Sorry for spamming the mailing 
list.


Windows 10 Creators Update changed the way DNS works. It used to resolve DNS 
addresses using all available adapters and IP addresses in parallel; now it still 
resolves addresses using all available adapters, but in sequence, beginning with a 
random adapter.
This interferes with how --block-outside-dns currently works. Sometimes the OS 
chooses the VPN TAP adapter and things work as intended; sometimes it chooses the 
other adapter and the user has to wait until the DNS request times out and DNS 
resolution goes via the VPN.
This behaviour introduces significant lag for web browsing.

Another thing is that Windows always prefers IPv6, just like any other OS. Some 
home routers hand out an IPv6 Unique Local Address together with a DNS server to 
computers using DHCPv6, even if there's no IPv6 connectivity from the provider.

More importantly, the DisableSmartNameResolution switch, which didn't work in 
previous Windows 10 versions, now works correctly.

*Workaround #1*, if the VPN infrastructure is IPv6-enabled and pushes an IPv6 
address, DNS and route to the client:

 1. Apply DisableSmartNameResolution registry patch: 
https://files.catbox.moe/vng9wm.reg



*Workaround #2*, if the VPN infrastructure is not IPv6-enabled:

 1. Apply DisableSmartNameResolution registry patch: 
https://files.catbox.moe/vng9wm.reg
 2. If there's IPv6 DNS from the router, set a static IPv6 DNS of ::2 
(the IPv6 counterpart of 127.0.0.2) or just disable IPv6 completely on the 
internet interface.



*Workaround #3*, if neither the VPN infrastructure nor the client's 
infrastructure is IPv6-enabled:

 1. Apply DisableSmartNameResolution registry patch: 
https://files.catbox.moe/vng9wm.reg
 2. Push an IPv6 Unique Local Address and DNS server to the client, but do not 
push any routes. The client would use DNS over IPv6 but would not route anything 
else.

*Note*: it would route IPv6 traffic over the internet interface (not via the VPN) 
if the client's ISP is IPv6-enabled.



*Question*: Fixing the registry with --block-outside-dns is simple, but what 
should we do with IPv6 in OpenVPN? Should we introduce an option to disable IPv6 
DNS on other interfaces if there's no IPv6 DNS pushed from the VPN?

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] devel mailing list

2017-04-15 Thread ValdikSS
Sorry, I totally forgot that the OpenVPN mailing list does not support DMARC. My 
domain has a strict DMARC policy; that's why some of you didn't get and won't get 
my emails.

On 16.04.2017 00:06, Christian Hesse wrote:
> Selva Nair  on Sat, 2017/04/15 16:08:
> I did receive the mail. Possibly something blocked the 7z attachment for you?



[Openvpn-devel] Windows 10 Creators Update broke --block-outside-dns

2017-04-15 Thread ValdikSS
Windows 10 Creators Update changed the way DNS works. It used to resolve DNS 
addresses using all available adapters and IP addresses in parallel; now it still 
resolves addresses using all available adapters, but in sequence, beginning with a 
random adapter.
This interferes with how --block-outside-dns currently works. Sometimes the OS 
chooses the VPN TAP adapter and things work as intended; sometimes it chooses the 
other adapter and the user has to wait until the DNS request times out and DNS 
resolution goes via the VPN.
This behaviour introduces significant lag for web browsing.

Another thing is that Windows always prefers IPv6, just like any other OS. Some 
home routers hand out an IPv6 Unique Local Address together with a DNS server to 
computers using DHCPv6, even if there's no IPv6 connectivity from the provider.

More importantly, the DisableSmartNameResolution switch, which didn't work in 
previous Windows 10 versions, now works correctly.

*Workaround #1*, if the VPN infrastructure is IPv6-enabled and pushes an IPv6 
address, DNS and route to the client:

 1. Apply DisableSmartNameResolution registry patch: 
https://files.catbox.moe/vng9wm.reg



*Workaround #2*, if the VPN infrastructure is not IPv6-enabled:

 1. Apply DisableSmartNameResolution registry patch: 
https://files.catbox.moe/vng9wm.reg
 2. If there's IPv6 DNS from the router, set a static IPv6 DNS of ::2 
(the IPv6 counterpart of 127.0.0.2) or just disable IPv6 completely on the 
internet interface.



*Workaround #3*, if neither the VPN infrastructure nor the client's 
infrastructure is IPv6-enabled:

 1. Apply DisableSmartNameResolution registry patch: 
https://files.catbox.moe/vng9wm.reg
 2. Push an IPv6 Unique Local Address and DNS server to the client, but do not 
push any routes. The client would use DNS over IPv6 but would not route anything 
else.

*Note*: it would route IPv6 traffic over the internet interface (not via the VPN) 
if the client's ISP is IPv6-enabled.



*Question*: Fixing the registry with --block-outside-dns is simple, but what 
should we do with IPv6 in OpenVPN? Should we introduce an option to disable IPv6 
DNS on other interfaces if there's no IPv6 DNS pushed from the VPN?



[Openvpn-devel] Windows 10 Creators Update broke --block-outside-dns

2017-04-15 Thread ValdikSS
Windows 10 Creators Update changed the way DNS works. It used to resolve DNS 
addresses using all available adapters and IP addresses in parallel; now it still 
resolves addresses using all available adapters, but in sequence, beginning with a 
random adapter.
This interferes with how --block-outside-dns currently works. Sometimes the OS 
chooses the VPN TAP adapter and things work as intended; sometimes it chooses the 
other adapter and the user has to wait until the DNS request times out and DNS 
resolution goes via the VPN.
This behaviour introduces significant lag for web browsing.

Another thing is that Windows always prefers IPv6, just like any other OS. Some 
home routers hand out an IPv6 Unique Local Address together with a DNS server to 
computers using DHCPv6, even if there's no IPv6 connectivity from the provider.

More importantly, the DisableSmartNameResolution switch, which didn't work in 
previous Windows 10 versions, now works correctly (see below).

*Workaround #1*, if the VPN infrastructure is IPv6-enabled and pushes an IPv6 
address, DNS and route to the client:

 1. Apply DisableSmartNameResolution registry patch.



*Workaround #2*, if the VPN infrastructure is not IPv6-enabled:

 1. Apply DisableSmartNameResolution registry patch.
 2. If there's IPv6 DNS from the router, set a static IPv6 DNS of ::2 
(the IPv6 counterpart of 127.0.0.2) or just disable IPv6 completely on the 
internet interface.



*Workaround #3*, if neither the VPN infrastructure nor the client's 
infrastructure is IPv6-enabled:

 1. Apply DisableSmartNameResolution registry patch.
 2. Push an IPv6 Unique Local Address and DNS server to the client, but do not 
push any routes. The client would use DNS over IPv6 but would not route anything 
else.

*Note*: it would route IPv6 traffic over the internet interface (not via the VPN) 
if the client's ISP is IPv6-enabled.



*Question*: Fixing the registry with --block-outside-dns is simple, but what 
should we do with IPv6 in OpenVPN? Should we introduce an option to disable IPv6 
DNS on other interfaces if there's no IPv6 DNS pushed from the VPN?


=== DisableSmartNameResolution.reg ===

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"DisableSmartNameResolution"=dword:0001




Re: [Openvpn-devel] devel mailing list

2017-04-15 Thread Christian Hesse
Selva Nair  on Sat, 2017/04/15 16:08:
> I did not get this mail
> 
> https://sourceforge.net/p/openvpn/mailman/message/35789733/
> 
> Something up with the list or is it only me?

I did receive the mail. Possibly something blocked the 7z attachment for you?
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}




Re: [Openvpn-devel] devel mailing list

2017-04-15 Thread ValdikSS
It's not just gmail. I didn't get any bounce back and I can't see this message 
over gmane NNTP. I don't know what has happened. Reposting again.

On 16.04.2017 00:19, Selva Nair wrote:
>
> On Sat, Apr 15, 2017 at 5:17 PM, ValdikSS wrote:
>
> Possibly gmail blocked it in my case -- I thought 7z will be blocked only if 
> contained an executable (.exe, .bat etc..)
>
> Please do post again -- the registry entry may be added as a foot note in 
> plain text ?
>
> Thanks,
>
> Selva



Re: [Openvpn-devel] devel mailing list

2017-04-15 Thread Selva Nair
On Sat, Apr 15, 2017 at 5:17 PM, ValdikSS  wrote:

> Should I try to re-post it? Could it be because of 7z archive?


Possibly gmail blocked it in my case -- I thought 7z would be blocked only
if it contained an executable (.exe, .bat etc.)

Please do post again -- the registry entry may be added as a foot note in
plain text ?

Thanks,

Selva


Re: [Openvpn-devel] devel mailing list

2017-04-15 Thread ValdikSS
Should I try to re-post it? Could it be because of 7z archive?

On 15.04.2017 23:38, debbie10t wrote:
>
> On 15/04/17 21:08, Selva Nair wrote:
> It is not only you :(


Re: [Openvpn-devel] devel mailing list

2017-04-15 Thread debbie10t


On 15/04/17 21:08, Selva Nair wrote:
> I did not get this mail
>
> https://sourceforge.net/p/openvpn/mailman/message/35789733/
>
> Something up with the list or is it only me?
>
> Selva
>

It is not only you :(





[Openvpn-devel] devel mailing list

2017-04-15 Thread Selva Nair
I did not get this mail

https://sourceforge.net/p/openvpn/mailman/message/35789733/

Something up with the list or is it only me?

Selva


Re: [Openvpn-devel] [PATCH v2] Delete the IPv6 route to the "connected" network on tun close

2017-04-15 Thread Selva Nair
While cleaning up my local branches this one came up..

Any comments? -- a NAK will do as well so that I can delete it :)

Selva

On Fri, Nov 25, 2016 at 12:21 AM, Selva Nair  wrote:

> This was missing on Windows when interactive service is in use.
>
> - Added route_ipv6_clear_host_bits(r6) to delete_route_ipv6: this is
>   required for Windows IP-helper API. Won't hurt other platforms (?)
>
> v2: Be const correct: route in delete_route_ipv6() made non-const.
> None of the existing calls are affected.
>
> Signed-off-by: Selva Nair 
> ---
>  src/openvpn/route.c | 4 +++-
>  src/openvpn/route.h | 2 +-
>  src/openvpn/tun.c   | 3 +++
>  3 files changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/src/openvpn/route.c b/src/openvpn/route.c
> index fec12c1..34b1196 100644
> --- a/src/openvpn/route.c
> +++ b/src/openvpn/route.c
> @@ -2102,7 +2102,7 @@ delete_route (struct route_ipv4 *r,
>  }
>
>  void
> -delete_route_ipv6 (const struct route_ipv6 *r6, const struct tuntap *tt,
> unsigned int flags, const struct env_set *es)
> +delete_route_ipv6 (struct route_ipv6 *r6, const struct tuntap *tt,
> unsigned int flags, const struct env_set *es)
>  {
>struct gc_arena gc;
>struct argv argv = argv_new ();
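Review bot: dropping `const` from `r6` here (with the matching prototype change in route.h) turns a route deletion into an operation that rewrites the caller's route struct; if the only reason is the `route_ipv6_clear_host_bits (r6);` added below, consider copying `*r6` into a local `struct route_ipv6` and clearing the host bits on the copy, which keeps the prototype const and avoids surprising callers that reuse the struct afterwards.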
> @@ -2124,6 +2124,8 @@ delete_route_ipv6 (const struct route_ipv6 *r6,
> const struct tuntap *tt, unsigne
>
>gc_init ();
>
> +  route_ipv6_clear_host_bits (r6);
> +
>network = print_in6_addr( r6->network, 0, );
>gateway = print_in6_addr( r6->gateway, 0, );
>
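Review bot: `route_ipv6_clear_host_bits (r6);` is added with no comment saying why the Windows IP-helper API needs a prefix with the host bits cleared, and the commit message itself leaves the effect on other platforms as a question mark; add a short comment at the call site stating the reason, and confirm that the add path normalizes the prefix the same way so that the route being deleted is exactly the route that was installed.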
> diff --git a/src/openvpn/route.h b/src/openvpn/route.h
> index c358681..70aeb65 100644
> --- a/src/openvpn/route.h
> +++ b/src/openvpn/route.h
> @@ -252,7 +252,7 @@ void copy_route_ipv6_option_list (struct
> route_ipv6_option_list *dest,
>struct gc_arena *a);
>
>  void add_route_ipv6 (struct route_ipv6 *r, const struct tuntap *tt,
> unsigned int flags, const struct env_set *es);
> -void delete_route_ipv6 (const struct route_ipv6 *r, const struct tuntap
> *tt, unsigned int flags, const struct env_set *es);
> +void delete_route_ipv6 (struct route_ipv6 *r, const struct tuntap *tt,
> unsigned int flags, const struct env_set *es);
>
>  void add_route (struct route_ipv4 *r,
> const struct tuntap *tt,
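Review bot: the prototype change in route.h carries no note that `delete_route_ipv6()` now modifies `r->network` in place; add a one-line comment above the declaration so callers know the struct they pass is normalized as a side effect.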
> diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
> index 560b1a8..40ce202 100644
> --- a/src/openvpn/tun.c
> +++ b/src/openvpn/tun.c
> @@ -5663,6 +5663,9 @@ close_tun (struct tuntap *tt)
>  {
>if (tt->options.msg_channel)
>  {
> +  /* remove route pointing to interface */
> +  delete_route_connected_v6_net(tt, NULL);
> +
>do_address_service (false, AF_INET6, tt);
>   if (tt->options.dns6_len > 0)
>   do_dns6_service (false, tt);
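Review bot: `delete_route_connected_v6_net(tt, NULL);` runs unconditionally inside the `msg_channel` branch, while the neighbouring `do_dns6_service (false, tt);` is guarded by `if (tt->options.dns6_len > 0)`; guard the new call on IPv6 actually having been configured on the interface, otherwise a tun that never got an IPv6 address will ask the service to remove a route that was never added, and say in the comment what the `NULL` second argument selects.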
> --
> 2.1.4
>
>


Re: [Openvpn-devel] [PATCH] Fix broken ./configure on systems without openssl.pc

2017-04-15 Thread Gert Doering
Hi,

On Sat, Apr 15, 2017 at 11:42:30AM +0200, David Sommerseth wrote:
> So reviewing this now, this 12 bit shift may actually fail on big endian
> machines.  It would probably be better to do a full 16 bit shift.
> 
> But if we don't want to reduce the match set to only version numbers,
> I'm fine with skipping the shifts all together.

Since this is a nice number, comparing with "<" or ">" will just ignore
those lower bits anyway.

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] [PATCH] Fix broken ./configure on systems without openssl.pc

2017-04-15 Thread David Sommerseth
On 15/04/17 11:16, Gert Doering wrote:
> Hi,
> 
> On Thu, Apr 13, 2017 at 07:26:09PM +0200, David Sommerseth wrote:
>> +/* Strip out some of the version information we don't care about */
>> +#define OSSLVER OPENSSL_VERSION_NUMBER >> 12
>> +#if OSSLVER < 0x10001
>> +#error OpneSSL too old
>> +#endif
> 
> While this works (except for the typo) - why not just do full-length math, 
> as in
> 
> #if OPENSSL_VERSION_NUMBER < 0x10001000L
> #error OpneSSL too old
> #endif
> 
> (note the L prefix, as in the opensslv.h #define)

Basically it was just to make the matching more similar to the matching
we do with pkg-config, which does not care about the letter in the version.

The OPENSSL_VERSION_NUMBER is also fairly complex, and also provides
"flags" telling whether it is a beta release or a final release.  So by
stripping out the 12 LSBs, the whole check gets a bit more "understandable"
without having to understand the whole version formatting.

What is also a bit confusing to me is that the version spec they have
documented says the last nibble (4 bits) is the status flag (dev, beta
or release), while it seems to be encoded as a byte.  So the shift
operation considers 4 bits and not 8 bits.  The next 8 bits are the
"letter" in the version string.  Hence the shift is 12 bits.

So reviewing this now, this 12 bit shift may actually fail on big endian
machines.  It would probably be better to do a full 16 bit shift.

But if we don't want to reduce the match set to only version numbers,
I'm fine with skipping the shifts altogether.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc






Re: [Openvpn-devel] [PATCH] Fix broken ./configure on systems without openssl.pc

2017-04-15 Thread Gert Doering
Hi,

On Thu, Apr 13, 2017 at 07:26:09PM +0200, David Sommerseth wrote:
> +/* Strip out some of the version information we don't care about */
> +#define OSSLVER OPENSSL_VERSION_NUMBER >> 12
> +#if OSSLVER < 0x10001
> +#error OpneSSL too old
> +#endif

While this works (except for the typo) - why not just do full-length math, 
as in

#if OPENSSL_VERSION_NUMBER < 0x10001000L
#error OpneSSL too old
#endif

(note the L prefix, as in the opensslv.h #define)

?

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de


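As an added example (not code from OpenVPN or OpenSSL), the following C program decodes the 0xMNNFFPPS layout that OpenSSL 1.x documents for OPENSSL_VERSION_NUMBER (major nibble, minor byte, fix byte, patch-letter byte, status nibble) and runs the three gates discussed in this thread side by side: the 12-bit shift from the patch, the full compare Gert suggests, and the 16-bit shift floated as an alternative. All function names and the sample numbers are constructed for this example. Two things it makes visible: the threshold 0x10001000L has zero low 12 bits, so the shifted and full compares accept and reject exactly the same numbers; and a 16-bit shift also drops the low nibble of the fix field, so it cannot tell 1.0.0 from 1.0.1. Shifts act on the integer value rather than on bytes in memory, so none of the gates behave differently on big-endian hosts.

```c
/* Added example, not OpenVPN or OpenSSL code: decode the 0xMNNFFPPS layout of
 * OPENSSL_VERSION_NUMBER used by OpenSSL 1.x and compare the version gates
 * discussed in the thread. All sample numbers below are constructed. */
#include <stdio.h>
#include <string.h>

struct ossl_ver {
    unsigned major;  /* M  : 4 bits */
    unsigned minor;  /* NN : 8 bits */
    unsigned fix;    /* FF : 8 bits */
    unsigned patch;  /* PP : 8 bits, the letter: 1 = a, 2 = b, ... */
    unsigned status; /* S  : 4 bits, 0 = dev, 1..14 = beta, 15 = release */
};

/* Split the number into its five fields. Shifts work on the integer value,
 * so the result does not depend on the machine's byte order. */
struct ossl_ver ossl_decode(unsigned long v)
{
    struct ossl_ver r;
    r.major  = (unsigned)((v >> 28) & 0xF);
    r.minor  = (unsigned)((v >> 20) & 0xFF);
    r.fix    = (unsigned)((v >> 12) & 0xFF);
    r.patch  = (unsigned)((v >> 4) & 0xFF);
    r.status = (unsigned)(v & 0xF);
    return r;
}

/* Render as "1.0.1e", "1.1.0-dev" or "1.0.2-beta3". Returns buf. */
const char *ossl_format(unsigned long v, char *buf, size_t n)
{
    struct ossl_ver r = ossl_decode(v);
    char letter[2] = {0, 0};
    char suffix[16] = "";
    if (r.patch > 0 && r.patch <= 26)
        letter[0] = (char)('a' + r.patch - 1);
    if (r.status == 0)
        strcpy(suffix, "-dev");
    else if (r.status < 15)
        snprintf(suffix, sizeof suffix, "-beta%u", r.status);
    snprintf(buf, n, "%u.%u.%u%s%s", r.major, r.minor, r.fix, letter, suffix);
    return buf;
}

/* Gate as posted in the patch: drop letter and status (12 bits), then compare. */
int gate_shift12(unsigned long v) { return (v >> 12) >= 0x10001UL; }

/* Gate as Gert suggests: compare the full number against 0x10001000L. */
int gate_full(unsigned long v) { return v >= 0x10001000UL; }

/* The "full 16 bit shift" floated in the thread. It also drops the low nibble
 * of the fix field, so 1.0.0 and 1.0.1 become indistinguishable. */
int gate_shift16(unsigned long v) { return (v >> 16) >= (0x10001000UL >> 16); }

/* General form of the full compare: is v at least major.minor.fix, whatever
 * the letter or status? The threshold has zero low 12 bits, so this is
 * exactly equivalent to comparing (v >> 12) against the shifted threshold. */
int ossl_at_least(unsigned long v, unsigned major, unsigned minor, unsigned fix)
{
    unsigned long threshold = ((unsigned long)major << 28)
                            | ((unsigned long)minor << 20)
                            | ((unsigned long)fix << 12);
    return v >= threshold;
}

int main(void)
{
    /* Constructed sample numbers following the documented layout. */
    const unsigned long samples[] = {
        0x0090818fUL, /* 0.9.8x release */
        0x1000004fUL, /* 1.0.0d release: only the 16-bit shift lets it through */
        0x10001000UL, /* 1.0.1-dev, the threshold itself */
        0x1000105fUL, /* 1.0.1e release */
        0x10002003UL, /* 1.0.2-beta3 */
        0x10100000UL, /* 1.1.0-dev */
    };
    char buf[32];
    size_t i;
    printf("%-14s %-12s shift12 full shift16\n", "number", "version");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long v = samples[i];
        printf("0x%08lxL    %-12s %7d %4d %7d\n", v,
               ossl_format(v, buf, sizeof buf),
               gate_shift12(v), gate_full(v), gate_shift16(v));
    }
    return 0;
}
```

Compile with `cc -o osslver osslver.c && ./osslver`; the 1.0.0d row is the one where the 16-bit shift disagrees with the other two gates.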


[Openvpn-devel] Reviewing Korean translation of OpenVPN-GUI?

2017-04-15 Thread Samuli Seppänen
Hi all,

Do we have any Korean speakers here who could review this PR?



-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

