Re: [Openvpn-devel] [Openvpn-users] "Reconnect" button in openvpn-gui

2018-02-08 Thread Arne Schwabe
On 08.02.18 at 16:31, Selva Nair wrote:
> Hi,
> 
> On Thu, Feb 8, 2018 at 7:20 AM, David Sommerseth
>  wrote:
>> On 08/02/18 04:36, Antonio Quartulli wrote:
>>>
>>>
>>> On 08/02/18 04:41, David Sommerseth wrote:
>>>> On 07/02/18 21:21, Selva Nair wrote:
>>>>
>>>>> In my view auth-token handling in openvpn.exe is broken at multiple 
>>>>> levels:
>>>>>
>>>>> Client process:
>>>>> (i) it should not remember the token after a reconnect is issued
>>>>
>>>> Agreed.  This should trigger retrieving new user input in regards to 
>>>> SIGHUP at
>>>> least.  Not sure yet about SIGUSR1 though.  SIGHUP has a cleared semantic
>>>> though (hang-up).
>>>
>>> I discussed this Arne as well as he also had users complaining about this.
>>>
>>> The conclusion we came was that it may be meaningful, upon reconnection,
>>> to try sending the token once (the token might be handled by external
>>> server side scripts and might still be alive, so one attempt is worth)
>>> and if it fails then we should dump the token, ask the user for the
>>> password and reconnect.
> 
> But this is the current behaviour, isn't it? So what's the difference?
> I think it's wrong to reuse auth-token of one "connection"  in another
> one.  A client restart leads to a new connection and that should get a
> new token. Else a stolen token could be used in a new TLS session --
> may sound far-fetched as one also has to steal the private key, but as
> far as a user is concerned token is a place holder for their password
> and OTP. It should be reused only for reneg.
> 
> I think the correct and easy fix is to wipe the token on the client
> when it restarts by SIGUSR1 or SIGHUP.  If a server side script
> doesn't like it that script is anyway broken.

No it isn't. Current behaviour is to exit with AUTH_FAILED in that case.

And always forgetting it on SIGUSR1 with normal reconnect will
absolutely annoy users with mobile devices and otp password. Every roam
between wifi and mobile will then reask for the password. Something the
auth-token is designed to avoid.

Arne

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [Openvpn-users] "Reconnect" button in openvpn-gui

2018-02-08 Thread Selva Nair
Hi,

On Thu, Feb 8, 2018 at 12:07 PM, Arne Schwabe  wrote:
> On 08.02.18 at 16:31, Selva Nair wrote:
>> Hi,
>>
>> On Thu, Feb 8, 2018 at 7:20 AM, David Sommerseth
>>  wrote:
>>> On 08/02/18 04:36, Antonio Quartulli wrote:
>>>>
>>>>
>>>> On 08/02/18 04:41, David Sommerseth wrote:
>>>>> On 07/02/18 21:21, Selva Nair wrote:
>>>>>
>>>>>> In my view auth-token handling in openvpn.exe is broken at multiple 
>>>>>> levels:
>>>>>>
>>>>>> Client process:
>>>>>> (i) it should not remember the token after a reconnect is issued
>>>>>
>>>>> Agreed.  This should trigger retrieving new user input in regards to 
>>>>> SIGHUP at
>>>>> least.  Not sure yet about SIGUSR1 though.  SIGHUP has a cleared semantic
>>>>> though (hang-up).
>>>>
>>>> I discussed this Arne as well as he also had users complaining about this.
>>>>
>>>> The conclusion we came was that it may be meaningful, upon reconnection,
>>>> to try sending the token once (the token might be handled by external
>>>> server side scripts and might still be alive, so one attempt is worth)
>>>> and if it fails then we should dump the token, ask the user for the
>>>> password and reconnect.
>>
>> But this is the current behaviour, isn't it? So what's the difference?
>> I think it's wrong to reuse auth-token of one "connection"  in another
>> one.  A client restart leads to a new connection and that should get a
>> new token. Else a stolen token could be used in a new TLS session --
>> may sound far-fetched as one also has to steal the private key, but as
>> far as a user is concerned token is a place holder for their password
>> and OTP. It should be reused only for reneg.
>>
>> I think the correct and easy fix is to wipe the token on the client
>> when it restarts by SIGUSR1 or SIGHUP.  If a server side script
>> doesn't like it that script is anyway broken.
>
> No it isn't. Current behaviour is to exit with AUTH_FAILED in that case.

It doesn't exit if auth-retry is in use (Windows GUI enforces that
option) but gets a prompt for username/password. Even then AUTH_FAILED
is bad as that has other implications like forgetting saved password
(at least on Windows GUI).

So is the proposal to change the server-side handling of auth-token?
That is, the server would try to use auth-token from the previous
connection and fall back to current behaviour if that fails, is it?
How would the server determine that the new connection is from the
same client if, say, duplicate-cn is in use? Sounds like opening up
new security holes to me..

>
> And always forgetting it on SIGUSR1 with normal reconnect will
> absolutely annoy users with mobile devices and otp password. Every roam
> between wifi and mobile will then reask for the password. Something the
> auth-token is designed to avoid.

Hmm.. auth-token is designed to avoid re-prompting for password/otp
during reneg. Not during SIGUSR1/SIGHUP restarts. Of course, it could
be made to handle such situations, but I'm not convinced that just
reusing the token set in a different context is a safe approach.

Selva
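
The two client-side policies argued over in this sub-thread (wipe the token on SIGUSR1/SIGHUP, versus try the cached token once on reconnect and fall back to a prompt), modelled as an added example. It is not OpenVPN code and not written by any poster; every name in it (struct client, authenticate, simulate_roaming, the tok-N values) is hypothetical, and the server is reduced to a single flag.

```c
/* Added illustration, not OpenVPN source: a toy model of the two client-side
 * auth-token policies debated above. Every name here is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum policy { WIPE_ON_RESTART, TRY_TOKEN_ONCE };
enum event  { EV_RENEG, EV_SIGUSR1, EV_SIGHUP };

struct client {
    enum policy policy;
    char token[32];          /* cached auth-token; empty string means none */
    int prompts;             /* times the user typed password/OTP */
    int cross_session_sends; /* times an old token was sent on a new connection */
};

/* Zero the cached token so it cannot be replayed later. */
static void wipe_token(struct client *c)
{
    volatile char *p = c->token;
    for (size_t i = 0; i < sizeof(c->token); i++) {
        p[i] = 0;
    }
}

/* Password/OTP login; the constructed server answers with a fresh token. */
static void prompt_user(struct client *c)
{
    c->prompts++;
    snprintf(c->token, sizeof(c->token), "tok-%d", c->prompts);
}

/* Authenticate after event ev. server_keeps_token models whether the server
 * side still honours a token issued on the previous connection.
 * Returns true when the cached token was accepted without prompting. */
static bool authenticate(struct client *c, enum event ev, bool server_keeps_token)
{
    bool restart = (ev == EV_SIGUSR1 || ev == EV_SIGHUP);

    if (restart && c->policy == WIPE_ON_RESTART) {
        wipe_token(c);                 /* token lives only for renegotiation */
    }
    if (c->token[0] != '\0') {
        if (!restart) {
            return true;               /* reneg inside the same connection */
        }
        c->cross_session_sends++;      /* the single attempt with the old token */
        if (server_keeps_token) {
            return true;
        }
        wipe_token(c);                 /* attempt failed: dump the token */
    }
    prompt_user(c);
    return false;
}

/* Initial login, one renegotiation, then `roams` SIGUSR1 restarts.
 * Returns the total number of prompts the user saw. */
int simulate_roaming(enum policy p, int roams, bool server_keeps_token,
                     int *cross_session_sends)
{
    struct client c = { .policy = p };
    prompt_user(&c);
    authenticate(&c, EV_RENEG, server_keeps_token);
    for (int i = 0; i < roams; i++) {
        authenticate(&c, EV_SIGUSR1, server_keeps_token);
    }
    *cross_session_sends = c.cross_session_sends;
    return c.prompts;
}

int main(void)
{
    int sends;
    int prompts = simulate_roaming(WIPE_ON_RESTART, 3, true, &sends);
    printf("wipe on restart: %d prompts, %d cross-session sends\n", prompts, sends);
    prompts = simulate_roaming(TRY_TOKEN_ONCE, 3, true, &sends);
    printf("try token once:  %d prompts, %d cross-session sends\n", prompts, sends);
    return 0;
}
```

The two counters are the two sides of the argument: prompts is the usability cost raised for roaming clients, cross_session_sends is how often a token issued in one connection is presented in another.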


Re: [Openvpn-devel] [PATCH v3] show the right string for key-direction

2018-02-08 Thread Steffan Karger
Hi,

On 31-01-18 10:53, Arne Schwabe wrote:
> V2: print also a nice string if direction is not set
> V3: really include V2 changes
> ---
>  src/openvpn/crypto.c  | 11 +--
>  src/openvpn/crypto.h  |  2 +-
>  src/openvpn/options.c |  4 ++--
>  3 files changed, 12 insertions(+), 5 deletions(-)
> 
> diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
> index 3096f3b0..b3021d4f 100644
> --- a/src/openvpn/crypto.c
> +++ b/src/openvpn/crypto.c
> @@ -1545,11 +1545,18 @@ ascii2keydirection(int msglevel, const char *str)
>  }
>  
>  const char *
> -keydirection2ascii(int kd, bool remote)
> +keydirection2ascii(int kd, bool remote, bool humanreadable)
>  {
>  if (kd == KEY_DIRECTION_BIDIRECTIONAL)
>  {
> -return NULL;
> +if (humanreadable)
> +{
> +return "not set";
> +}
> +else
> +{
> +return NULL;
> +}
>  }
>  else if (kd == KEY_DIRECTION_NORMAL)
>  {
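Review bot: the new humanreadable argument to keydirection2ascii() is undocumented and, in the lines shown, only alters the KEY_DIRECTION_BIDIRECTIONAL branch. A comment above the function stating that it selects the display string "not set" instead of NULL for that case would help, and the nested if/else could shrink to `return humanreadable ? "not set" : NULL;`.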
> diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
> index 8e8ee8f5..e1e318eb 100644
> --- a/src/openvpn/crypto.h
> +++ b/src/openvpn/crypto.h
> @@ -470,7 +470,7 @@ void must_have_n_keys(const char *filename, const char 
> *option, const struct key
>  
>  int ascii2keydirection(int msglevel, const char *str);
>  
> -const char *keydirection2ascii(int kd, bool remote);
> +const char *keydirection2ascii(int kd, bool remote, bool humanreadable);
>  
>  /* print keys */
>  void key2_print(const struct key2 *k,
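Review bot: the prototype now ends in two adjacent bool parameters (`bool remote, bool humanreadable`), which are easy to transpose at a call site without any compiler diagnostic. Add a doc comment in crypto.h describing both, or consider a small wrapper for the display case so callers do not pass bare true/false pairs.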
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index 66e1f9d1..9f5cd6ed 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -1706,7 +1706,7 @@ show_settings(const struct options *o)
>  #endif
>  
>  SHOW_STR(shared_secret_file);
> -SHOW_INT(key_direction);
> +SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, 
> true), "%s");
>  SHOW_STR(ciphername);
>  SHOW_BOOL(ncp_enabled);
>  SHOW_STR(ncp_ciphers);
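Review bot: SHOW_PARM formats the return value with "%s" here, so this call relies on keydirection2ascii() never returning NULL when humanreadable is true. The crypto.c hunk only shows the bidirectional branch gaining a string; please confirm that every other return path, including any fallback for an unexpected value, also yields a non-NULL string, or guard the argument.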
> @@ -3583,7 +3583,7 @@ options_string(const struct options *o,
>   * Key direction
>   */
>  {
> -const char *kd = keydirection2ascii(o->key_direction, remote);
> +const char *kd = keydirection2ascii(o->key_direction, remote, false);
>  if (kd)
>  {
>  buf_printf(, ",keydir %s", kd);
> 
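Review bot: a short comment at this call in options_string() saying why humanreadable is `false` would be worthwhile. The `if (kd)` check depends on the bidirectional case still returning NULL, and flipping the flag here would start emitting `,keydir not set` into the options string.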

'The right' here means 'what was in the config' instead of 'what we use
internally'.  But I agree that's better UX, so:

Acked-by: Steffan Karger 
Tested-by: Steffan Karger 

-Steffan



Re: [Openvpn-devel] [Openvpn-users] "Reconnect" button in openvpn-gui

2018-02-08 Thread Samuli Seppänen
On 07/02/2018 21:58, David Sommerseth wrote:
> On 07/02/18 20:32, Илья Шипицин wrote:
>> After auth-token were introduced, when user press "Reconnect", it leads to
>> auth fail (saved password is forgotten), we run about 1000 users, nobody
>> complains.
> 
> This is actually expected, I'd say - but smells like a bug on the server side
> authentication.
> 
> Selva may correct me if I'm wrong, but my understanding of it when clicking
> "Reconnect", the local OpenVPN process which caches the auth-token is stopped
> and a new OpenVPN process is started.  The client should in this case ask for
> username/password again.  So in this case, the server side should treat this
> connection as a fresh connection with no initial state.
> 
> The step of stopping the local client and starting a new and fresh one is
> definitely not a bad feature to have on clients.
> 
>> It looks like nobody uses that button.
>>
>> So, I asked several users, they confirmed they do not use Reconnect.
> 
> This is no good argument for me.  This is one specific setup with 1000 users.
> It would be more valuable with 50 different setups having 20 users each.  Your
> conclusion is based on a very homogeneous environment.

I agree. I also agree that the underlying problem should be fixed.

That said, Ilya's message was sent to both openvpn-users and
openvpn-devel and nobody has screamed "do not remove the Reconnect
button" :). The only additional thing we can do is post a message to the
forums. As usual, the only sure way to get feedback (read: complaints)
is to release the changes in an official build/installer.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock





Re: [Openvpn-devel] [Openvpn-users] "Reconnect" button in openvpn-gui

2018-02-08 Thread Samuli Seppänen
On 08/02/2018 10:26, Илья Шипицин wrote:
> 
> 
> 2018-02-08 13:15 GMT+05:00 Samuli Seppänen:
> 
> On 07/02/2018 21:58, David Sommerseth wrote:
> > On 07/02/18 20:32, Илья Шипицин wrote:
> >> After auth-token were introduced, when user press "Reconnect", it 
> leads to
> >> auth fail (saved password is forgotten), we run about 1000 users, 
> nobody
> >> complains.
> >
> > This is actually expected, I'd say - but smells like a bug on the 
> server side
> > authentication.
> >
> > Selva may correct me if I'm wrong, but my understanding of it when 
> clicking
> > "Reconnect", the local OpenVPN process which caches the auth-token is 
> stopped
> > and a new OpenVPN process is started.  The client should in this case 
> ask for
> > username/password again.  So in this case, the server side should treat 
> this
> > connection as a fresh connection with no initial state.
> >
> > The step of stopping the local client and starting a new and fresh one 
> is
> > definitely not a bad feature to have on clients.
> >
> >> It looks like nobody uses that button.
> >>
> >> So, I asked several users, they confirmed they do not use Reconnect.
> >
> > This is no good argument for me.  This is one specific setup with 1000 
> users.
> > It would be more valuable with 50 different setups having 20 users 
> each.  Your
> > conclusion is based on a very homogeneous environment.
> 
> I agree. I also agree that the underlying problem should be fixed.
> 
> That said, Ilya's message was sent to both openvpn-users and
> openvpn-devel and nobody has screamed "do not remove the Reconnect
> button" :). The only additional thing we can do is post a message to the
> forums. As usual, the only sure way to get feedback (read: complaints)
> is to release the changes in an official build/installer.
> 
> 
> I suggest to do that after 2.4.5 installer.
> I'll write post on the forum. I think, even a good idea to place
> snapshot installer with new feature (i.e. button removed) to forum as well.
> 
> after feedback is received we can take it into account and act.
> 
> I also noticed nobody screaming "stop!!! do not remove that button!!!"
> 
> Samuli ?
>  

Posting a message to forums does not bind us to anything, so feel free
to do it. If even one person screams then I suspect at least hundreds of
people are actually using the button.

If we remove the button it should be because next to nobody is using it
and we want to clean up the GUI and its codebase. We should not remove
it because it does not work due to lower-level issues, which should be
fixed instead.

The problem with snapshot installers is that unless we actually merge
the button-removing code into OpenVPN GUI master, people will not use
it. And by announcing the snapshot installer on the mailing lists and
forums won't reach an audience any larger than your original email has.
So just asking about this on forums is probably enough.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] [Openvpn-users] "Reconnect" button in openvpn-gui

2018-02-08 Thread Gert Doering
Hi,

On Thu, Feb 08, 2018 at 01:26:27PM +0500, Илья Шипицин wrote:
> I also noticed nobody screaming "stop!!! do not remove that button!!!"

I hear at least two developers saying "do not remove the button", which 
closes the topic for me.

No need to discuss this further.

gert

-- 
now what should I write here...

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-devel] [Openvpn-users] "Reconnect" button in openvpn-gui

2018-02-08 Thread Илья Шипицин
2018-02-08 20:40 GMT+05:00 Selva Nair :

> Hi,
>
> On Thu, Feb 8, 2018 at 3:15 AM, Samuli Seppänen 
> wrote:
> > On 07/02/2018 21:58, David Sommerseth wrote:
> >> On 07/02/18 20:32, Илья Шипицин wrote:
> >>> After auth-token were introduced, when user press "Reconnect", it
> leads to
> >>> auth fail (saved password is forgotten), we run about 1000 users,
> nobody
> >>> complains.
> >>
> >> This is actually expected, I'd say - but smells like a bug on the
> server side
> >> authentication.
> >>
> >> Selva may correct me if I'm wrong, but my understanding of it when
> clicking
> >> "Reconnect", the local OpenVPN process which caches the auth-token is
> stopped
> >> and a new OpenVPN process is started.  The client should in this case
> ask for
> >> username/password again.  So in this case, the server side should treat
> this
> >> connection as a fresh connection with no initial state.
> >>
> >> The step of stopping the local client and starting a new and fresh one
> is
> >> definitely not a bad feature to have on clients.
> >>
> >>> It looks like nobody uses that button.
> >>>
> >>> So, I asked several users, they confirmed they do not use Reconnect.
> >>
> >> This is no good argument for me.  This is one specific setup with 1000
> users.
> >> It would be more valuable with 50 different setups having 20 users
> each.  Your
> >> conclusion is based on a very homogeneous environment.
> >
> > I agree. I also agree that the underlying problem should be fixed.
> >
> > That said, Ilya's message was sent to both openvpn-users and
> > openvpn-devel and nobody has screamed "do not remove the Reconnect
> > button" :). The only additional thing we can do is post a message to the
> > forums. As usual, the only sure way to get feedback (read: complaints)
> > is to release the changes in an official build/installer.
>
> Only recently we added a reconnect item to the menu (earlier it was
> only available as a button in the status window) for ease of doing
> reconnects and based on user requests -- though I can't now find who
> asked for it.
>

it is interesting.


>
> I wouldn't take lack of response on the user's list as an indication
> that no one uses it. In fact it's very handy -- how else will you
> restart a connection after editing the config file? Disconnect and
> connect again? That would close the status window and lose all
>

yes. disconnect and connect again.



> messages in it and also takes a number of mouse clicks because of the
> way tray popup menu behaves.
>
> Anyway the purported reason to remove it is totally bogus. It's like
> auth-token can't cope with SIGHUP, so let's remove that signal.
>

no, that is wrong interpretation.
I actually meant

"it is broken" --> "users do not complain" --> "users do not care" -->
"other buttons will keep their places" --> "let us remove unused button"


>
> Finally, I'm a user too and I use that button all the time, though
> mostly for testing. If that counts as a dissenting voice.
>


yes, I also meant that. it is "designed by developers for themselves" :)
same as "edit config" menu item.
developers need edit config all the time and reconnect. but do users do
same things as well ?


as for "edit config", I'd like to keep it. its removal will change menu
order, people will click at wrong items.


>
> Selva
>


Re: [Openvpn-devel] [Openvpn-users] "Reconnect" button in openvpn-gui

2018-02-08 Thread David Sommerseth
On 08/02/18 04:36, Antonio Quartulli wrote:
> 
> 
> On 08/02/18 04:41, David Sommerseth wrote:
>> On 07/02/18 21:21, Selva Nair wrote:
>>
>>> In my view auth-token handling in openvpn.exe is broken at multiple levels:
>>>
>>> Client process:
>>> (i) it should not remember the token after a reconnect is issued
>>
>> Agreed.  This should trigger retrieving new user input in regards to SIGHUP 
>> at
>> least.  Not sure yet about SIGUSR1 though.  SIGHUP has a cleared semantic
>> though (hang-up).
> 
> I discussed this Arne as well as he also had users complaining about this.
> 
> The conclusion we came was that it may be meaningful, upon reconnection,
> to try sending the token once (the token might be handled by external
> server side scripts and might still be alive, so one attempt is worth)
> and if it fails then we should dump the token, ask the user for the
> password and reconnect.
> 
> 
> This way we still save all those setups where the token survives fast
> reconnections on the server side

This sounds reasonable to me.  But it is crucial that it is a proper
re-connect - meaning, if UDP the "--explicit-exit-notify" message must be sent
to the server to close the session on the server side.  Otherwise you'll get
into some odd back-and-forth until the session is fully closed on the server.


-- 
kind regards,

David Sommerseth
OpenVPN Inc






Re: [Openvpn-devel] [Openvpn-users] "Reconnect" button in openvpn-gui

2018-02-08 Thread Antonio Quartulli


On 08/02/18 20:20, David Sommerseth wrote:
>> This way we still save all those setups where the token survives fast
>> reconnections on the server side
> 
> This sounds reasonable to me.  But it is crucial that it is a proper
> re-connect - meaning, if UDP the "--explicit-exit-notify" message must be sent
> to the server to close the session on the server side.  Otherwise you'll get
> into some odd back-and-forth until the session is fully closed on the server.

I thought that the new CLIENT_HARD_RESET packet would still clear the
client session on the server.

No matter if we did send an exit-notify or not.


Cheers,


-- 
Antonio Quartulli





Re: [Openvpn-devel] [Openvpn-users] "Reconnect" button in openvpn-gui

2018-02-08 Thread Selva Nair
Hi,

On Thu, Feb 8, 2018 at 7:20 AM, David Sommerseth
 wrote:
> On 08/02/18 04:36, Antonio Quartulli wrote:
>>
>>
>> On 08/02/18 04:41, David Sommerseth wrote:
>>> On 07/02/18 21:21, Selva Nair wrote:
>>>
>>>> In my view auth-token handling in openvpn.exe is broken at multiple levels:
>>>>
>>>> Client process:
>>>> (i) it should not remember the token after a reconnect is issued
>>>
>>> Agreed.  This should trigger retrieving new user input in regards to SIGHUP 
>>> at
>>> least.  Not sure yet about SIGUSR1 though.  SIGHUP has a cleared semantic
>>> though (hang-up).
>>
>> I discussed this Arne as well as he also had users complaining about this.
>>
>> The conclusion we came was that it may be meaningful, upon reconnection,
>> to try sending the token once (the token might be handled by external
>> server side scripts and might still be alive, so one attempt is worth)
>> and if it fails then we should dump the token, ask the user for the
>> password and reconnect.

But this is the current behaviour, isn't it? So what's the difference?
I think it's wrong to reuse auth-token of one "connection"  in another
one.  A client restart leads to a new connection and that should get a
new token. Else a stolen token could be used in a new TLS session --
may sound far-fetched as one also has to steal the private key, but as
far as a user is concerned token is a place holder for their password
and OTP. It should be reused only for reneg.

I think the correct and easy fix is to wipe the token on the client
when it restarts by SIGUSR1 or SIGHUP.  If a server side script
doesn't like it that script is anyway broken.

>>
>>
>> This way we still save all those setups where the token survives fast
>> reconnections on the server side
>
> This sounds reasonable to me.  But it is crucial that it is a proper
> re-connect - meaning, if UDP the "--explicit-exit-notify" message must be sent
> to the server to close the session on the server side.  Otherwise you'll get
> into some odd back-and-forth until the session is fully closed on the server.

Any reason not to make explicit-exit-notify 1 as the default for UDP?

Selva



Re: [Openvpn-devel] [Openvpn-users] "Reconnect" button in openvpn-gui

2018-02-08 Thread Selva Nair
Hi,

On Thu, Feb 8, 2018 at 3:15 AM, Samuli Seppänen  wrote:
> On 07/02/2018 21:58, David Sommerseth wrote:
>> On 07/02/18 20:32, Илья Шипицин wrote:
>>> After auth-token were introduced, when user press "Reconnect", it leads to
>>> auth fail (saved password is forgotten), we run about 1000 users, nobody
>>> complains.
>>
>> This is actually expected, I'd say - but smells like a bug on the server side
>> authentication.
>>
>> Selva may correct me if I'm wrong, but my understanding of it when clicking
>> "Reconnect", the local OpenVPN process which caches the auth-token is stopped
>> and a new OpenVPN process is started.  The client should in this case ask for
>> username/password again.  So in this case, the server side should treat this
>> connection as a fresh connection with no initial state.
>>
>> The step of stopping the local client and starting a new and fresh one is
>> definitely not a bad feature to have on clients.
>>
>>> It looks like nobody uses that button.
>>>
>>> So, I asked several users, they confirmed they do not use Reconnect.
>>
>> This is no good argument for me.  This is one specific setup with 1000 users.
>> It would be more valuable with 50 different setups having 20 users each.  
>> Your
>> conclusion is based on a very homogeneous environment.
>
> I agree. I also agree that the underlying problem should be fixed.
>
> That said, Ilya's message was sent to both openvpn-users and
> openvpn-devel and nobody has screamed "do not remove the Reconnect
> button" :). The only additional thing we can do is post a message to the
> forums. As usual, the only sure way to get feedback (read: complaints)
> is to release the changes in an official build/installer.

Only recently we added a reconnect item to the menu (earlier it was
only available as a button in the status window) for ease of doing
reconnects and based on user requests -- though I can't now find who
asked for it.

I wouldn't take lack of response on the user's list as an indication
that no one uses it. In fact it's very handy -- how else will you
restart a connection after editing the config file? Disconnect and
connect again? That would close the status window and lose all
messages in it and also takes a number of mouse clicks because of the
way tray popup menu behaves.

Anyway the purported reason to remove it is totally bogus. It's like
auth-token can't cope with SIGHUP, so let's remove that signal.

Finally, I'm a user too and I use that button all the time, though
mostly for testing. If that counts as a dissenting voice.

Selva
