Re: [Openvpn-devel] [PATCH 3/3] Introduce dynamic tls-crypt for secure soft_reset/session renegotiation

2022-10-17 Thread Heiko Hund
On Freitag, 9. September 2022 21:59:02 CEST Arne Schwabe wrote: > --- a/src/openvpn/multi.c > +++ b/src/openvpn/multi.c > @@ -1803,6 +1803,10 @@ multi_client_set_protocol_options(struct context *c) > { > o->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT; > } > +if

Re: [Openvpn-devel] [PATCH 1/3] Allows renegotiation only to start if session is fully established

2022-10-17 Thread Heiko Hund
On Freitag, 9. September 2022 21:59:00 CEST Arne Schwabe wrote: > This change makes the state machine more strict in terms of transation *transitions > Signed-off-by: Arne Schwabe Acked-by: Heiko Hund For those who wonder what this is/does, my take on it: basically shields the calls to

[Openvpn-devel] [PATCH applied] Re: Allow Authtoken lifetime to be shorter than renegotiation time

2022-10-17 Thread Gert Doering
Acked-by: Gert Doering The feature itself is really in the "we are a swiss army knife and can do everything" side of things. It does not introduce a new option and no new #ifdef, and the actual code change is not very intrusive. I should point out that there is potential for conflict with the

Re: [Openvpn-devel] [PATCH 1/2] FreeBSD: for topology subnet, put tun interface into IFF_BROADCAST mode

2022-10-17 Thread Kristof Provost via Openvpn-devel
Signed-off-by: Kristof Provost On 12 Oct 2022, at 16:59, Gert Doering wrote: > For reasons unknown, OpenVPN has always put FreeBSD tun(4) interfaces > into point-to-point mode (IFF_POINTOPOINT), which means "local and > remote address, no on-link subnet". > > "--topology subnet" was emulated by

Re: [Openvpn-devel] [PATCH 2/2] FreeBSD DCO: introduce real subnet mode

2022-10-17 Thread Kristof Provost via Openvpn-devel
Signed-off-by: Kristof Provost On 12 Oct 2022, at 16:59, Gert Doering wrote: > To be able to configure a FreeBSD interface to "subnet" mode > (as opposed to point-to-point mode), it needs to have its > if_iflags set to IFF_BROADCAST. For tun(4) interface this is > done with the TUNSIFMODE

Re: [Openvpn-devel] route/iroute handling on FreeBSD

2022-10-17 Thread Kristof Provost
On 12 Oct 2022, at 16:38, Gert Doering wrote: > people have already complained at me that I write so long e-mails today, > so I can write more... > > On Wed, Oct 12, 2022 at 08:39:31AM +0200, Gert Doering wrote: >> Factor 1: single-peer (client or p2p) vs. multi-peer >> >> single-peer -> DCO has

[Openvpn-devel] [PATCH v2] Allow Authtoken lifetime to be shorter than renegotiation time

2022-10-17 Thread Arne Schwabe
Currently the lifetime of the auth-token is tied to the renegotiation time. While this is fine for many setups, some setups prefer a user to be no longer authenticated when the user disconnects from the VPN for a certain amount of time. This commit allows shortening the renewal time of the

Re: [Openvpn-devel] [PATCH] Allow Authtoken lifetime to be shorter than renegotiation time

2022-10-17 Thread Gert Doering
Hi, I'm working through this, and have some questions... On Fri, Oct 07, 2022 at 05:38:23PM +0200, Arne Schwabe wrote: > diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c > index 6a45b9e91..eca4a4335 100644 > --- a/src/openvpn/forward.c > +++ b/src/openvpn/forward.c > @@ -195,9 +196,15

[Openvpn-devel] [PATCH applied] Re: Change exit signal in P2P to be a SIGUSR1 and delay CC exit in P2MP

2022-10-17 Thread Gert Doering
Acked-by: Gert Doering Tested the whole lot again. Only difference to v1 is in p2mp mode with incoming TLS EEN, which now logs 10:15:34 cron2-freebsd-tc-amd64/194.97.140.21:53341 Exit message received by peer 10:15:34 cron2-freebsd-tc-amd64/194.97.140.21:53341 Delayed exit in 5 seconds