[Openvpn-devel] [PATCH applied] Re: documentation: avoid recommending --user nobody

2022-12-01 Thread Gert Doering
Acked-by: Gert Doering 

"This is the new style nobody, so yes"

We might have a word with package maintainers to ensure that a user
"openvpn" is actually created... this is something inside our repo, but
actual talking to actual people ;-)

Your patch has been applied to the master branch.

commit a6664825494c482e0cbf50ac4a91c6a33874d7a7
Author: Frank Lichtenheld
Date:   Tue Nov 29 15:47:31 2022 +0100

 documentation: avoid recommending --user nobody

 Signed-off-by: Frank Lichtenheld 
 Acked-by: Gert Doering 
 Message-Id: <20221129144731.35105-1-fr...@lichtenheld.com>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25573.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [PATCH applied] Re: dco: disable dco on Windows if --remote is not defined

2022-12-01 Thread Gert Doering
Acked-by: Gert Doering 

"DCO WIN wants to do outgoing stuff", no server, no no-remote - so yes,
makes sense.

Your patch has been applied to the master branch.

commit fd1c460ccfa38ca03e40e05524e2627917c58647
Author: Lev Stipakov
Date:   Thu Dec 1 14:59:02 2022 +0200

 dco: disable dco on Windows if --remote is not defined

 Signed-off-by: Lev Stipakov 
 Acked-by: Gert Doering 
 Message-Id: <20221201125902.400-1-lstipa...@gmail.com>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25604.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





[Openvpn-devel] [PATCH applied] Re: Allow reconnecting in p2p mode work under FreeBSD

2022-12-01 Thread Gert Doering
Acked-by: Gert Doering 

Indeed, that fixes the p2p dco reconnect problem we had with FreeBSD,
and with "verb 6" debugging one can nicely see what happens:

14:28:55 P2P mode NCP negotiation result: TLS_export=1, DATA_v2=1, peer-id 10167064, cipher=AES-256-GCM

reconnect, then

14:29:17 P2P mode NCP negotiation result: TLS_export=1, DATA_v2=1, peer-id 3502029, cipher=AES-256-GCM
14:29:17 dco_del_key: peer-id 10167064, slot 0
14:29:18 dco_del_peer: peer-id 10167064
14:29:18 dco_new_peer: peer-id 3502029, fd 7
14:29:18 process_incoming_dco: received message for mismatching peer-id 10167064, expected 3502029

(and we ignore this, not killing the new 3502029 peer)


My own pokings in kernel space confirmed what I assumed - we just add
peers, and they do not expire quickly.  So after the first reconnect,
without this patch, we have 2 peers in kernel with no vpn_ip address, 
so "lookup on nexthop" is not working, and that particular ovpn(4)
interface is dead until ifdown/ifup or all the peers expire.  I did
experiment with a kernel patch that will remove all existing peers on
install of a new p2p peer - and that worked, kernel side, but confused
OpenVPN for the reasons we have a new "check the peer id!" check in this
patch... so we need this patch anyway, obsoleting the need for a
kernel patch...

Tested on 
  - FreeBSD 14 / CURRENT DCO, client and server
  - Ubuntu 20.04, Linux DCO, client and server
  - Gentoo, Linux with no DCO, client and server

Your patch has been sho(u|o)ted into the master branch.

commit 0f7c5dde1bbd23353467ebd549ae955a6a03746f
Author: Arne Schwabe
Date:   Thu Dec 1 12:01:28 2022 +0100

 Allow reconnecting in p2p mode work under FreeBSD

 Signed-off-by: Arne Schwabe 
 Acked-by: Gert Doering 
 Message-Id: <20221201110128.271064-1-a...@rfc2549.org>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25602.html
 Signed-off-by: Gert Doering 

--
kind regards,

Gert Doering





Re: [Openvpn-devel] [PATCH v14] Add DNS SRV remote host discovery support

2022-12-01 Thread Frank Lichtenheld
Smaller nitpicks:

On Wed, Nov 30, 2022 at 09:57:18PM +0100, Gert Doering wrote:
> From: Vladislav Grishenko 
[...]
> diff --git a/src/openvpn/init.c b/src/openvpn/init.c
> index c2154b8d..3a70748e 100644
> --- a/src/openvpn/init.c
> +++ b/src/openvpn/init.c
> @@ -350,7 +350,12 @@ management_callback_remote_cmd(void *arg, const char **p)
>  }
>  else if (!strcmp(p[1], "MOD") && p[2] && p[3])
>  {
> -if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN)
> +if (ce->remote_srv && ce->proto == PROTO_AUTO)
> +{
> +/* can't mutate --remote-srv into --remote without protocol 
> */
> +ret = false;
> +}
> +else if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < 
> RH_PORT_LEN)
>  {
>  struct remote_host_store *rhs = c->options.rh_store;
>  if (!rhs)
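Review bot: the new `ce->remote_srv && ce->proto == PROTO_AUTO` branch rejects the management MOD request with `ret = false` but emits no diagnostic, so an operator only sees the generic failure from the management interface; add a `msg(M_WARN, ...)` (or `D_MANAGEMENT`) line stating that a --remote-srv entry without an explicit protocol cannot be modified, mirroring the comment already in the hunk.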
> @@ -363,6 +368,7 @@ management_callback_remote_cmd(void *arg, const char **p)
>  
>  ce->remote = rhs->host;
>  ce->remote_port = rhs->port;
> +ce->remote_srv = false;
>  flags = CE_MAN_QUERY_REMOTE_MOD;
>  ret = true;
>  }
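Review bot: `ce->remote_srv = false;` deserves a one-line comment saying that the entry is now an explicit host/port and no further SRV lookups will happen for it, since later code in `next_connection_entry` branches on that flag; please also confirm whether a service list already resolved for this entry needs to be cleared at the same point, as nothing in this hunk does so.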
> @@ -462,6 +468,23 @@ clear_remote_addrlist(struct link_socket_addr *lsa, bool 
> free)
>  lsa->current_remote = NULL;
>  }
>  
> +/*
> + * Clear the remote service list
> + */
> +static void
> +clear_remote_servlist(struct link_socket_addr *lsa, bool free)
> +{
> +if (lsa->service_list && free)
> +{
> +freeservinfo(lsa->service_list);
> +}
> +lsa->service_list = NULL;
> +lsa->current_service = NULL;
> +
> +/* clear addrinfo objects as well */
> +clear_remote_addrlist(lsa, free);
> +}
> +
>  /*
>   * Increment to next connection entry
>   */
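Review bot: the parameter named `free` in `clear_remote_servlist(struct link_socket_addr *lsa, bool free)` shadows the C library `free()`; it is copied from the `clear_remote_addrlist` signature visible in the context above, but new code should not extend that pattern, so rename it (e.g. `free_list`). Also, `freeservinfo()`, `lsa->service_list` and `lsa->current_service` are not defined in any hunk of the quoted diff, so this part of the patch cannot be fully reviewed from the quoted portion.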
> @@ -491,6 +514,24 @@ next_connection_entry(struct context *c)
>  c->c1.link_socket_addr.current_remote =
>  c->c1.link_socket_addr.current_remote->ai_next;
>  }
> +/* Check if there is another resolved service to try for
> + * the current connection unless persist-remote-ip was
> + * requested and current service already has an address */
> +else if (c->c1.link_socket_addr.current_service
> + && c->c1.link_socket_addr.current_service->next
> + && !(c->options.persist_remote_ip
> +  && c->c1.link_socket_addr.remote_list))
> +{
> +c->c1.link_socket_addr.current_service =
> +c->c1.link_socket_addr.current_service->next;
> +
> +/* Clear addrinfo object of the previous service */
> +if (c->c1.link_socket_addr.remote_list)
> +{
> +clear_remote_addrlist(>c1.link_socket_addr,
> +  !c->options.resolve_in_advance);
> +}
> +}
>  else
>  {
>  c->options.advance_next_remote = false;
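Review bot: the guard `!(c->options.persist_remote_ip && c->c1.link_socket_addr.remote_list)` means that with --persist-remote-ip the remaining SRV targets of the current entry are never tried once the first one has resolved, because control falls through to the `else` branch that advances to the next connection entry; if that is intended, say so in the comment (it currently only says "unless persist-remote-ip was requested and current service already has an address"), and if not, the condition should only skip the re-resolution, not the advance to the next service.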
> @@ -500,20 +541,24 @@ next_connection_entry(struct context *c)
>   */
>  if (!c->options.persist_remote_ip)
>  {
> -/* Connection entry addrinfo objects might have been
> +/* Connection entry addr/servinfo objects might have been
>   * resolved earlier but the entry itself might have been
> - * skipped by management on the previous loop.
> - * If so, clear the addrinfo objects as close_instance 
> does
> + * skipped on the previous loop either by management or
> + * due inappropriate service protocol.
> + * Clear the addr/servinfo objects as close_instance 
> does.
>   */
> -if (c->c1.link_socket_addr.remote_list)
> +if (c->c1.link_socket_addr.remote_list
> +|| c->c1.link_socket_addr.service_list)
>  {
> -clear_remote_addrlist(>c1.link_socket_addr,
> +clear_remote_servlist(>c1.link_socket_addr,
>
> !c->options.resolve_in_advance);
>  }
>  
>  /* close_instance should have cleared the addrinfo 
> objects */
>  ASSERT(c->c1.link_socket_addr.current_remote == NULL);
>  ASSERT(c->c1.link_socket_addr.remote_list == NULL);
> +ASSERT(c->c1.link_socket_addr.current_service == NULL);
> +ASSERT(c->c1.link_socket_addr.service_list == NULL);
>  }
>  else
>  {
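Review bot: the rewritten comment reads "due inappropriate service protocol", which should be "due to an inappropriate service protocol"; otherwise the switch to `clear_remote_servlist()` plus the two new ASSERTs on `current_service`/`service_list` is consistent with the helper added above, since that helper also clears the addrinfo objects the original ASSERTs check.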
> @@ -549,6 +594,12 @@ next_connection_entry(struct context *c)
>  }
>  
>  c->options.ce = *ce;
> +if (ce_defined && 
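Review bot: the quoted diff is cut off after `+if (ce_defined && `, so the condition evaluated after `c->options.ce = *ce;` cannot be reviewed from this message; the rest of the hunk needs to be visible.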

Re: [Openvpn-devel] [PATCH applied openvpn3-linux] tests: platforminfo: skip DBus test if hostname service isn't available

2022-12-01 Thread Frans Klaver
On Thu, Dec 1, 2022 at 1:44 PM David Sommerseth
 wrote:
>
> From: David Sommerseth 
>
> Thanks a lot!  This patch was a by the book in every possible way, so
> this was really easy to review and apply.
>
> Acked-by: David Sommerseth 

The submission instructions were pretty clear. That helps.

Thanks for applying.

Frans




Re: [Openvpn-devel] [PATCH v14] Add DNS SRV remote host discovery support

2022-12-01 Thread Frank Lichtenheld
I have several nitpicks with this patch which I can enumerate later, but there
is at least one critical issue which prevents me from ACKing this:

# src/openvpn/openvpn --client --tls-cert-profile insecure --ca ../ca.crt --cert ../t_client.crt --key ../t_client.key --remote-cert-tls server --comp-lzo --verb 3 --dev tun --proto tcp4 --remote-srv lichtenheld.net --writepid ../tests/t_client-flichtenheld-TUXEDO-InfinityBook-S-15-17-Gen7-20221201-141818/openvpn-1.pid --setenv TESTNUM 1 --setenv TOP_BUILDDIR .. --script-security 2 --up ./update_t_client_ips.sh
2022-12-01 14:18:20 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-12-01 14:18:20 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2022-12-01 14:18:20 OpenVPN 2.6_git [git:master/c98fe8b90271df5c] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec  1 2022
2022-12-01 14:18:20 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2022-12-01 14:18:21 Resolved remote service host: conn-test-server.openvpn.org:51194,udp4 prio 0 weight 0
2022-12-01 14:18:21 Resolved remote service host: conn-test-server.openvpn.org:51194,tcp4-client prio 0 weight 0
2022-12-01 14:18:21 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2022-12-01 14:18:21 TCP/UDP: Preserving recently used remote address: [AF_INET]199.102.77.82:51194
2022-12-01 14:18:21 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-12-01 14:18:21 UDPv4 link local: (not bound)
2022-12-01 14:18:21 UDPv4 link remote: [AF_INET]199.102.77.82:51194

As you can see it ignores the "--proto tcp4" if no proto was specified in
--remote-srv. This is inconsistent with how --remote works. I don't think
this can be the desired behaviour.

Regards,
-- 
  Frank Lichtenheld




[Openvpn-devel] [PATCH] dco: disable dco on Windows if --remote is not defined

2022-12-01 Thread Lev Stipakov
From: Lev Stipakov 

At the moment Windows driver requires remote to work.

Signed-off-by: Lev Stipakov 
---
 src/openvpn/dco.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index 47fb0003..19a449ba 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -251,6 +251,14 @@ dco_check_option_ce(const struct connection_entry *ce, int 
msglevel)
 }
 #endif
 
+#if defined(_WIN32)
+if (!ce->remote)
+{
+msg(msglevel, "NOTE: --remote is not defined, disabling data channel 
offload.");
+return false;
+}
+#endif
+
 return true;
 }
 
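Review bot: the reason for the new `#if defined(_WIN32)` block lives only in the commit message ("Windows driver requires remote to work"); add a short comment above `if (!ce->remote)` saying this is a current driver limitation so readers of dco.c do not mistake it for a design decision. The NOTE is emitted at whatever `msglevel` the caller passes, so also consider whether a silent fallback to non-DCO is acceptable when the user explicitly requested data channel offload.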
-- 
2.38.1.windows.1





Re: [Openvpn-devel] [PATCH applied openvpn3-linux] tests: platforminfo: skip DBus test if hostname service isn't available

2022-12-01 Thread David Sommerseth
From: David Sommerseth 

Thanks a lot!  This patch was a by the book in every possible way, so
this was really easy to review and apply.

Acked-by: David Sommerseth 

-

Your patch has been applied

commit 1576e34a1f45133bd4c6df495eaef9387ecd1b4d master
Author: Frans Klaver
Date:   Thu, 01 Dec 2022 07:50:13 +

 tests: platforminfo: skip DBus test if hostname service isn't available

 Signed-off-by: Frans Klaver
 Acked-by: David Sommerseth
 Patchwork-Id: 2880
 URL: https://patchwork.openvpn.net/patch/2880/


--
kind regards,

David Sommerseth




[Openvpn-devel] [PATCH] Allow reconnecting in p2p mode work under FreeBSD

2022-12-01 Thread Arne Schwabe
This commit consists of two parts.
 - explicitly removing an existing peer in p2p mode
 - ignoring the ping timeout notification that is generated by the first part

Signed-off-by: Arne Schwabe 
---
 src/openvpn/dco.c |  9 +
 src/openvpn/dco_freebsd.c |  2 ++
 src/openvpn/forward.c | 13 +
 3 files changed, 24 insertions(+)

diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index 03ac8438a..cbd834194 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -459,6 +459,15 @@ dco_p2p_add_new_peer(struct context *c)
 
 struct sockaddr *remoteaddr = >info.lsa->actual.dest.addr.sa;
 struct tls_multi *multi = c->c2.tls_multi;
+#ifdef TARGET_FREEBSD
+/* In Linux in P2P mode the kernel automatically removes an existing peer
+ * when adding a new peer. FreeBSD needs to explicitly be told to do that 
*/
+if (c->c2.tls_multi->dco_peer_id != -1)
+{
+dco_del_peer(>c1.tuntap->dco, c->c2.tls_multi->dco_peer_id);
+c->c2.tls_multi->dco_peer_id = -1;
+}
+#endif
 int ret = dco_new_peer(>c1.tuntap->dco, multi->peer_id,
c->c2.link_socket->sd, NULL, remoteaddr, NULL, 
NULL);
 if (ret < 0)
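Review bot: the `#ifdef TARGET_FREEBSD` block dereferences `c->c2.tls_multi->dco_peer_id` three times although the alias `struct tls_multi *multi = c->c2.tls_multi;` is defined on the line directly above it; use `multi->dco_peer_id` for consistency with the following `dco_new_peer(..., multi->peer_id, ...)` call. The return value of `dco_del_peer()` is also discarded; logging a failure there would make a subsequent `dco_new_peer()` error easier to diagnose.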
diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c
index 4e03f52e9..a52ac8c1b 100644
--- a/src/openvpn/dco_freebsd.c
+++ b/src/openvpn/dco_freebsd.c
@@ -312,6 +312,8 @@ dco_del_peer(dco_context_t *dco, unsigned int peerid)
 nvlist_t *nvl;
 int ret;
 
+msg(D_DCO_DEBUG, "%s: peer-id %d", __func__, peerid);
+
 nvl = nvlist_create(0);
 nvlist_add_number(nvl, "peerid", peerid);
 
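Review bot: `peerid` is declared `unsigned int` in the `dco_del_peer(dco_context_t *dco, unsigned int peerid)` signature shown in the hunk header, but the new `msg(D_DCO_DEBUG, "%s: peer-id %d", __func__, peerid);` formats it with `%d`; use `%u`.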
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 1b418b1bc..958bf0b56 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1174,9 +1174,22 @@ process_incoming_dco(struct context *c)
 
 dco_do_read(dco);
 
+/* FreeBSD currently sends us removal notifcation with the old peer-id in
+ * p2p mode with the ping timeout reason, so ignore that one to not shout
+ * ourselves in the foot and removing the just established session */
+if (dco->dco_message_peer_id != c->c2.tls_multi->dco_peer_id)
+{
+msg(D_DCO_DEBUG, "%s: received message for mismatching peer-id %d, "
+"expected %d", __func__, dco->dco_message_peer_id,
+c->c2.tls_multi->dco_peer_id);
+return;
+}
+
 if ((dco->dco_message_type == OVPN_CMD_DEL_PEER)
 && (dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_EXPIRED))
 {
+msg(D_DCO_DEBUG, "%s: received peer expired notification of for 
peer-id "
+"%d", __func__, dco->dco_message_peer_id);
 trigger_ping_timeout_signal(c);
 return;
 }
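Review bot: the early `return` on `dco->dco_message_peer_id != c->c2.tls_multi->dco_peer_id` discards every message type for a non-current peer-id, not only the DEL_PEER/ping-timeout notification the comment describes, so either restrict the check to `OVPN_CMD_DEL_PEER` or widen the comment to say that all messages for stale peer-ids are dropped in p2p mode. Comment typos: "notifcation" should be "notification", "shout ourselves in the foot" should be "shoot ourselves in the foot", and "notification of for peer-id" should be "notification for peer-id".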
-- 
2.37.1 (Apple Git-137.1)


