Hi,
On Fri, Jun 24, 2022 at 5:10 AM Antonio Quartulli wrote:
> GetOverlappedResultEx is not available on ming32 therefore we must
> provide some compat layer before being able to use this function.
>
I suppose "mingw32" here refers to I mingw-w64 for 32 bit (i686) target.
This symbol has been
NACK, doesn't build:
mtu.c: In function ‘frame_calculate_default_mtu’:
mtu.c:223:31: error: too few arguments to function
‘frame_calculate_payload_overhead’
223 | size_t payload_overhead = frame_calculate_payload_overhead(0,
, );
|
Code changes look fine to me, but several documentation suggestions.
On Tue, Jun 21, 2022 at 06:16:48PM +0200, Arne Schwabe wrote:
> This changes the default MTU of the tun-mtu to 1420 to avoid MTU related
> issues that are even more prominent when DCO server or clients are involved.
>
> To
open_tun_generic already contains the logic required to find a device
name when not specified by the user. For this reason the DCO case can
easily leverage on function and avoid code duplication.
Signed-off-by: Antonio Quartulli
---
src/openvpn/init.c | 2 +-
src/openvpn/tun.c | 133
Signed-off-by: Antonio Quartulli
---
src/openvpn/options.c | 29 +
1 file changed, 29 insertions(+)
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 9a0634a5..7b450296 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -61,6 +61,7 @@
When using DCO iroutes and routes all live in the same routing table.
However, the latter should always come after the former.
For this reason assign a default metric of 200 to routes. iroutes will
later get a metric of 100.
Signed-off-by: Antonio Quartulli
---
src/openvpn/dco.h | 2 ++
Signed-off-by: Antonio Quartulli
---
configure.ac| 34 +
dev-tools/special-files.lst | 1 +
src/openvpn/Makefile.am | 3 +
src/openvpn/dco.h | 165 +
src/openvpn/dco_internal.h | 78 +++
src/openvpn/dco_linux.c
Signed-off-by: Antonio Quartulli
---
src/openvpn/options.h | 20
src/openvpn/tun.h | 1 +
2 files changed, 21 insertions(+)
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index c2937dc3..8152e755 100644
--- a/src/openvpn/options.h
+++
This patchset is *almost* the same as the previous patchset, but it got
fragmented in multiple patches for easier review.
I am not setting any version on these patches as they do not match
previous versions.
The idea behind splitting patches is that they should be mergeable and
compilable
Signed-off-by: Antonio Quartulli
---
src/openvpn/Makefile.am | 2 +-
src/openvpn/dco.c | 149
src/openvpn/openvpn.vcxproj | 1 +
src/openvpn/openvpn.vcxproj.filters | 3 +
4 files changed, 154 insertions(+), 1 deletion(-)
Signed-off-by: Antonio Quartulli
---
src/openvpn/networking_sitnl.c | 11 +++
1 file changed, 11 insertions(+)
diff --git a/src/openvpn/networking_sitnl.c b/src/openvpn/networking_sitnl.c
index bffcb067..0944ad0a 100644
--- a/src/openvpn/networking_sitnl.c
+++
On Fri, Jun 24, 2022 at 10:35:24AM +0200, Frank Lichtenheld wrote:
> Code changes look fine to me, but several documentation suggestions.
Hmm, after reading the next patch might I suggest to move the
change to push.c actually to the next patch? Both references
to IV_MTU and tun-max-mtu only make
This change introduces ovpn-dco support along the p2mp/server code path.
Some code seems to be duplicate of the p2p version, but details are
different, so it couldn't be shared.
Signed-off-by: Antonio Quartulli
---
src/openvpn/dco.c | 203 ++
Acked-By: Frank Lichtenheld
Trivial code move.
On Tue, Jun 21, 2022 at 06:16:46PM +0200, Arne Schwabe wrote:
> This allows the code later to check if the cipher is okay to use and
> update it for the calculation for the max MTU size.
>
> Signed-off-by: Arne Schwabe
> ---
> src/openvpn/ssl.c
Hi Paolo,
On 20/06/2022 14:21, Paolo Cerrito wrote:
From: paolo
Is this a new version of your previous patch having subject "Insert
client connection data into PAM environment"?
If yes, you should send it as a v2 (i.e. with subject starting with
"[PATCH v2]") instead of appending ",
With this change we introduce ovpn-dco support only along the p2p/client
code path. Server codebase is still unchanged.
Signed-off-by: Antonio Quartulli
---
src/openvpn/dco.c | 90 +++
src/openvpn/dco.h | 48 +++
GetOverlappedResultEx is not available on ming32 therefore we must
provide some compat layer before being able to use this function.
Signed-off-by: Antonio Quartulli
Signed-off-by: Lev Stipakov
---
src/compat/Makefile.am| 3 +-
Other platforms may need more complex logic to decide whether a cipher
is supported or not, therefore turn hardcoded list into a function that
can be implemented by each platform independently.
Signed-off-by: Lev Stipakov
Signed-off-by: Antonio Quartulli
---
src/openvpn/dco.c | 4 ++--
From: Arne Schwabe
This moves closing the tun handle into its own function and also prints
the adapter type we are operating on, instead of hardcoding it to
tap-windows.
While at it, set the handle to NULL after closing, to prevent a double
close due to multiple invocations of this helper.
Signed-off-by: Lev Stipakov
Signed-off-by: Antonio Quartulli
---
.github/workflows/build.yaml | 7 +--
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index b905c0d2..536dd9d6 100644
--- a/.github/workflows/build.yaml
Signed-off-by: Antonio Quartulli
---
src/openvpn/init.c | 49
src/openvpn/ssl_common.h | 23 +++
2 files changed, 63 insertions(+), 9 deletions(-)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 7099eba4..7ab2c9a2 100644
The ovpn-dco kernel module needs to be informed about the keys to be
used to encrypt/decrypt data traffic to/from a peer.
Configure keys in DCO right after they are generated by the SSL code, to
avoid keeping them in memory longer than needed.
Signed-off-by: Antonio Quartulli
---
Only skimmed this. A few small typo fixes and the like.
On Tue, Jun 21, 2022 at 06:16:49PM +0200, Arne Schwabe wrote:
> This allows tun-mtu to be pushed but only up to the size of the preallocated
> buffers. This is not a perfect solution but should allow most of the use
> cases where the mtu is
Signed-off-by: Antonio Quartulli
---
Changes.rst | 9 ++
README.dco.md | 123 ++
doc/man-sections/advanced-options.rst | 13 +++
doc/man-sections/server-options.rst | 6 ++
4 files changed, 151 insertions(+)
create
DCO will try to install keys upon generating them, however, this happens
when parsing pushed cipher options (due to NCP).
For this reason we need to postpone parsing pushed cipher options to *after*
the tunnel interface has been opened, otherwise we would have no DCO netdev
object to operate on.
Some platforms may have different constraints in terms of incompatible
options, therefore we add a function that explicitly checks those.
Also, add generic option check for when ovpn-dco-win is in use.
Signed-off-by: Antonio Quartulli
Signed-off-by: Lev Stipakov
---
src/openvpn/dco.c | 25
Signed-off-by: Arne Schwabe
Signed-off-by: Lev Stipakov
Signed-off-by: Antonio Quartulli
---
README.dco.md | 9 +
1 file changed, 9 insertions(+)
diff --git a/README.dco.md b/README.dco.md
index e73e0fc2..ef56f0fe 100644
--- a/README.dco.md
+++ b/README.dco.md
@@ -58,6 +58,13 @@ see a
Signed-off-by: Antonio Quartulli
---
.github/workflows/build.yaml | 9 -
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 6c267a61..b905c0d2 100644
--- a/.github/workflows/build.yaml
+++
Signed-off-by: Arne Schwabe
Signed-off-by: Lev Stipakov
Signed-off-by: Antonio Quartulli
---
config-msvc.h | 2 +
configure.ac| 9 +-
dev-tools/special-files.lst | 1 +
src/openvpn/Makefile.am | 4 +-
With this change it is possible to use ovpn-dco-win when running OpenVPN
in client or P2P mode.
Signed-off-by: Arne Schwabe
Signed-off-by: Lev Stipakov
Signed-off-by: Antonio Quartulli
---
src/openvpn/forward.c | 7
src/openvpn/init.c| 29 +++--
src/openvpn/options.c | 19
A server may push options that are not compatible with DCO.
In this case we should log a message and bail out.
Signed-off-by: Antonio Quartulli
---
src/openvpn/init.c | 23 +++
1 file changed, 23 insertions(+)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index
Data channel keys are periodically regenerated and installed in
ovpn-dco.
However, there is a certain moment when keys are rotated in order
to elect the new primary one.
Check the key status in userspace so that kernelspace can be informed as
well when rotations happen.
Signed-off-by: Antonio
The current condition checking if the TUN interface was preserved is
dependant on the platform being Android or not. This makes the code
reasonably ugly, especially because uncrustify can't indent properly.
On top of that, we will require an extra condition only for windows+DCO,
which will make
Hi,
do we still need this patch after having merged Arne's HMAC feature?
Regards,
--
Antonio Quartulli
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Hi,
On Tue, Jun 21, 2022 at 06:16:48PM +0200, Arne Schwabe wrote:
> This changes the default MTU of the tun-mtu to 1420 to avoid MTU related
> issues that are even more prominent when DCO server or clients are involved.
I'm not convinced that this change "by default" is a desirable change.
On Fri, Jun 24, 2022 at 01:13:16PM +0200, Arne Schwabe wrote:
> We could also just hardcode this value to 1420 but this approach does
> not add much (complicated) code and it is a bit better than to have
> a magic number to just be there.
>
[...]
> +/**
> + * Function to calculate the default MTU
Doesn't make sense to test with fragment, if the code
ignores it.
Signed-off-by: Frank Lichtenheld
---
tests/unit_tests/openvpn/test_crypto.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/tests/unit_tests/openvpn/test_crypto.c
This allows the code later to check if the cipher is okay to use and
update it for the calculation for the max MTU size.
Signed-off-by: Arne Schwabe
---
src/openvpn/ssl.c | 11 +--
src/openvpn/ssl_ncp.c | 22 ++
src/openvpn/ssl_ncp.h | 8
3 files
We could also just hardcode this value to 1420 but this approach does
not add much (complicated) code and it is a bit better than to have
a magic number to just be there.
Signed-off-by: Arne Schwabe
---
src/openvpn/mtu.c | 22 ++
src/openvpn/mtu.h
This changes the default MTU of the tun-mtu to 1420 to avoid MTU related
issues that are even more prominent when DCO server or clients are involved.
To maximise compatibility to lie our MTU in the default OCC message and also
push the real MTU to clients that support pushing the MTU.
Patch v2:
This allows tun-mtu to be pushed but only up to the size of the preallocated
buffers. This is not a perfect solution but should allow most of the use
cases where the mtu is close enough to 1500.
Signed-off-by: Arne Schwabe
---
Changes.rst | 8
On 24.06.22 at 12:26, Gert Doering wrote:
Hi,
On Fri, Jun 24, 2022 at 11:13:40AM +0200, Antonio Quartulli wrote:
do we still need this patch after having merged Arne's HMAC feature?
Yes and no.
*This* patch won't apply anymore, but Arne said "we're now much faster
in replying to packets
Hi,
On Fri, Jun 24, 2022 at 12:52:23PM +0200, Arne Schwabe wrote:
> I still think this is a reasonable change. Yes, it might break in some
> very obscure setups but for those setups, people can still set the MTU
> back to 1500. Tap still uses the 1500 default anyway.
It will break all setups
Hi,
On Fri, Jun 24, 2022 at 01:15:05PM +0200, Arne Schwabe wrote:
> > *This* patch won't apply anymore, but Arne said "we're now much faster
> > in replying to packets than ever before" so we might indeed need a
> > per-source-ip rate-limiter, to something like "10 per 10 seconds" or
> > so
On 24.06.22 at 10:38, Frank Lichtenheld wrote:
On Fri, Jun 24, 2022 at 10:35:24AM +0200, Frank Lichtenheld wrote:
Code changes look fine to me, but several documentation suggestions.
Hmm, after reading the next patch might I suggest to move the
change to push.c actually to the next patch?
Hi,
On Fri, Jun 24, 2022 at 11:13:40AM +0200, Antonio Quartulli wrote:
> do we still need this patch after having merged Arne's HMAC feature?
Yes and no.
*This* patch won't apply anymore, but Arne said "we're now much faster
in replying to packets than ever before" so we might indeed need a
On 24.06.22 at 12:35, Gert Doering wrote:
Hi,
On Tue, Jun 21, 2022 at 06:16:48PM +0200, Arne Schwabe wrote:
This changes the default MTU of the tun-mtu to 1420 to avoid MTU related
issues that are even more prominent when DCO server or clients are involved.
I'm not convinced that this
From: paolo
"Changes from v1:
changed sprintf for logging to plugin_log
"
change to reflect current head openvpn repository
this patch puts remote host ip into pam environment, so this makes pam
module able to use it.
in simple, this patch gets ip (ipv4 and ipv6) from openvpn, put into pam