[Openvpn-devel] [PATCH applied] Re: documentation: avoid recommending --user nobody
Acked-by: Gert Doering

"This is the new style nobody, so yes"

We might have a word with package maintainers to ensure that a user "openvpn" is actually created... this is something inside our repo, but actual talking to actual people ;-)

Your patch has been applied to the master branch.

commit a6664825494c482e0cbf50ac4a91c6a33874d7a7
Author: Frank Lichtenheld
Date: Tue Nov 29 15:47:31 2022 +0100

documentation: avoid recommending --user nobody

Signed-off-by: Frank Lichtenheld
Acked-by: Gert Doering
Message-Id: <20221129144731.35105-1-fr...@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25573.html
Signed-off-by: Gert Doering

-- 
kind regards,
Gert Doering

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH applied] Re: dco: disable dco on Windows if --remote is not defined
Acked-by: Gert Doering

"DCO WIN wants to do outgoing stuff", no server, no no-remote - so yes, makes sense.

Your patch has been applied to the master branch.

commit fd1c460ccfa38ca03e40e05524e2627917c58647
Author: Lev Stipakov
Date: Thu Dec 1 14:59:02 2022 +0200

dco: disable dco on Windows if --remote is not defined

Signed-off-by: Lev Stipakov
Acked-by: Gert Doering
Message-Id: <20221201125902.400-1-lstipa...@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25604.html
Signed-off-by: Gert Doering

-- 
kind regards,
Gert Doering
[Openvpn-devel] [PATCH applied] Re: Allow reconnecting in p2p mode work under FreeBSD
Acked-by: Gert Doering

Indeed, that fixes the p2p dco reconnect problem we had with FreeBSD, and with "verb 6" debugging one can nicely see what happens:

14:28:55 P2P mode NCP negotiation result: TLS_export=1, DATA_v2=1, peer-id 10167064, cipher=AES-256-GCM

reconnect, then

14:29:17 P2P mode NCP negotiation result: TLS_export=1, DATA_v2=1, peer-id 3502029, cipher=AES-256-GCM
14:29:17 dco_del_key: peer-id 10167064, slot 0
14:29:18 dco_del_peer: peer-id 10167064
14:29:18 dco_new_peer: peer-id 3502029, fd 7
14:29:18 process_incoming_dco: received message for mismatching peer-id 10167064, expected 3502029

(and we ignore this, not killing the new 3502029 peer)

My own pokings in kernel space confirmed what I assumed - we just add peers, and they do not expire quickly. So after the first reconnect, without this patch, we have 2 peers in kernel with no vpn_ip address, so "lookup on nexthop" is not working, and that particular ovpn(4) interface is dead until ifdown/ifup or all the peers expire.

I did experiment with a kernel patch that will remove all existing peers on install of a new p2p peer - and that worked, kernel side, but confused OpenVPN for the reasons we have a new "check the peer id!" check in this patch... so we need this patch anyway, obsoleting the need for a kernel patch...

Tested on
- FreeBSD 14 / CURRENT DCO, client and server
- Ubuntu 20.04, Linux DCO, client and server
- Gentoo, Linux with no DCO, client and server

Your patch has been sho(u|o)ted into the master branch.

commit 0f7c5dde1bbd23353467ebd549ae955a6a03746f
Author: Arne Schwabe
Date: Thu Dec 1 12:01:28 2022 +0100

Allow reconnecting in p2p mode work under FreeBSD

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
Message-Id: <20221201110128.271064-1-a...@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25602.html
Signed-off-by: Gert Doering

-- 
kind regards,
Gert Doering
Re: [Openvpn-devel] [PATCH v14] Add DNS SRV remote host discovery support
Smaller nitpicks: On Wed, Nov 30, 2022 at 09:57:18PM +0100, Gert Doering wrote: > From: Vladislav Grishenko [...] > diff --git a/src/openvpn/init.c b/src/openvpn/init.c > index c2154b8d..3a70748e 100644 > --- a/src/openvpn/init.c > +++ b/src/openvpn/init.c > @@ -350,7 +350,12 @@ management_callback_remote_cmd(void *arg, const char **p) > } > else if (!strcmp(p[1], "MOD") && p[2] && p[3]) > { > -if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < RH_PORT_LEN) > +if (ce->remote_srv && ce->proto == PROTO_AUTO) > +{ > +/* can't mutate --remote-srv into --remote without protocol > */ > +ret = false; > +} > +else if (strlen(p[2]) < RH_HOST_LEN && strlen(p[3]) < > RH_PORT_LEN) > { > struct remote_host_store *rhs = c->options.rh_store; > if (!rhs) > @@ -363,6 +368,7 @@ management_callback_remote_cmd(void *arg, const char **p) > > ce->remote = rhs->host; > ce->remote_port = rhs->port; > +ce->remote_srv = false; > flags = CE_MAN_QUERY_REMOTE_MOD; > ret = true; > } > @@ -462,6 +468,23 @@ clear_remote_addrlist(struct link_socket_addr *lsa, bool > free) > lsa->current_remote = NULL; > } > > +/* > + * Clear the remote service list > + */ > +static void > +clear_remote_servlist(struct link_socket_addr *lsa, bool free) > +{ > +if (lsa->service_list && free) > +{ > +freeservinfo(lsa->service_list); > +} > +lsa->service_list = NULL; > +lsa->current_service = NULL; > + > +/* clear addrinfo objects as well */ > +clear_remote_addrlist(lsa, free); > +} > + > /* > * Increment to next connection entry > */ 
> @@ -491,6 +514,24 @@ next_connection_entry(struct context *c) > c->c1.link_socket_addr.current_remote = > c->c1.link_socket_addr.current_remote->ai_next; > } > +/* Check if there is another resolved service to try for > + * the current connection unless persist-remote-ip was > + * requested and current service already has an address */ > +else if (c->c1.link_socket_addr.current_service > + && c->c1.link_socket_addr.current_service->next > + && !(c->options.persist_remote_ip > + && c->c1.link_socket_addr.remote_list)) > +{ > +c->c1.link_socket_addr.current_service = > +c->c1.link_socket_addr.current_service->next; > + > +/* Clear addrinfo object of the previous service */ > +if (c->c1.link_socket_addr.remote_list) > +{ > +clear_remote_addrlist(>c1.link_socket_addr, > + !c->options.resolve_in_advance); > +} > +} > else > { > c->options.advance_next_remote = false; 
> @@ -500,20 +541,24 @@ next_connection_entry(struct context *c) > */ > if (!c->options.persist_remote_ip) > { > -/* Connection entry addrinfo objects might have been > +/* Connection entry addr/servinfo objects might have been > * resolved earlier but the entry itself might have been > - * skipped by management on the previous loop. > - * If so, clear the addrinfo objects as close_instance > does > + * skipped on the previous loop either by management or > + * due inappropriate service protocol. > + * Clear the addr/servinfo objects as close_instance > does. > */ > -if (c->c1.link_socket_addr.remote_list) > +if (c->c1.link_socket_addr.remote_list > +|| c->c1.link_socket_addr.service_list) > { > -clear_remote_addrlist(>c1.link_socket_addr, > +clear_remote_servlist(>c1.link_socket_addr, > > !c->options.resolve_in_advance); > } > > /* close_instance should have cleared the addrinfo > objects */ > ASSERT(c->c1.link_socket_addr.current_remote == NULL); > ASSERT(c->c1.link_socket_addr.remote_list == NULL); > +ASSERT(c->c1.link_socket_addr.current_service == NULL); > +ASSERT(c->c1.link_socket_addr.service_list == NULL); > } > else > { > @@ -549,6 +594,12 @@ next_connection_entry(struct context *c) > } > > c->options.ce = *ce; > +if (ce_defined &&
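Review bot: in the management_callback_remote_cmd() MOD branch (first hunk), the new `ce->remote_srv && ce->proto == PROTO_AUTO` case sets `ret = false` and returns nothing else, so a management client that tries to MOD a --remote-srv entry gets a bare failure and the reason (`/* can't mutate --remote-srv into --remote without protocol */`) exists only as a source comment. Suggest logging the rejection with msg() at a debug level and documenting in the management interface notes that MOD is refused for a --remote-srv entry without an explicit protocol, so the failure is diagnosable from the log.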
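Review bot: in the @@ -491,6 +514,24 @@ hunk of next_connection_entry(), the guard `!(c->options.persist_remote_ip && c->c1.link_socket_addr.remote_list)` means that once persist-remote-ip is set and the current SRV target has a resolved address, the remaining targets in the service list are never advanced to; that matches what the comment says, but it is a user-visible interaction between --persist-remote-ip and SRV priority/weight ordering and should be spelled out in the --remote-srv documentation.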
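Review bot: in the @@ -500,20 +541,24 @@ hunk, the rewritten comment line `* due inappropriate service protocol.` should read `due to an inappropriate service protocol.`, and the unchanged comment just below it (`/* close_instance should have cleared the addrinfo objects */`) now sits above two new ASSERTs on current_service/service_list, so it should mention the servinfo objects as well. The ASSERTs themselves are consistent with clear_remote_servlist() clearing both lists.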
Re: [Openvpn-devel] [PATCH applied openvpn3-linux] tests: platforminfo: skip DBus test if hostname service isn't available
On Thu, Dec 1, 2022 at 1:44 PM David Sommerseth wrote:
>
> From: David Sommerseth
>
> Thanks a lot! This patch was by the book in every possible way, so
> this was really easy to review and apply.
>
> Acked-by: David Sommerseth

The submission instructions were pretty clear. That helps. Thanks for applying.

Frans
Re: [Openvpn-devel] [PATCH v14] Add DNS SRV remote host discovery support
I have several nitpicks with this patch which I can enumerate later, but there is at least one critical issue which prevents me from ACKing this:

# src/openvpn/openvpn --client --tls-cert-profile insecure --ca ../ca.crt --cert ../t_client.crt --key ../t_client.key --remote-cert-tls server --comp-lzo --verb 3 --dev tun --proto tcp4 --remote-srv lichtenheld.net --writepid ../tests/t_client-flichtenheld-TUXEDO-InfinityBook-S-15-17-Gen7-20221201-141818/openvpn-1.pid --setenv TESTNUM 1 --setenv TOP_BUILDDIR .. --script-security 2 --up ./update_t_client_ips.sh
2022-12-01 14:18:20 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-12-01 14:18:20 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2022-12-01 14:18:20 OpenVPN 2.6_git [git:master/c98fe8b90271df5c] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Dec 1 2022
2022-12-01 14:18:20 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2022-12-01 14:18:21 Resolved remote service host: conn-test-server.openvpn.org:51194,udp4 prio 0 weight 0
2022-12-01 14:18:21 Resolved remote service host: conn-test-server.openvpn.org:51194,tcp4-client prio 0 weight 0
2022-12-01 14:18:21 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2022-12-01 14:18:21 TCP/UDP: Preserving recently used remote address: [AF_INET]199.102.77.82:51194
2022-12-01 14:18:21 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-12-01 14:18:21 UDPv4 link local: (not bound)
2022-12-01 14:18:21 UDPv4 link remote: [AF_INET]199.102.77.82:51194

As you can see it ignores the "--proto tcp4" if no proto was specified in --remote-srv. This is inconsistent with how --remote works. I don't think this can be the desired behaviour.

Regards,
-- 
Frank Lichtenheld
[Openvpn-devel] [PATCH] dco: disable dco on Windows if --remote is not defined
From: Lev Stipakov At the moment Windows driver requires remote to work. Signed-off-by: Lev Stipakov --- src/openvpn/dco.c | 8 1 file changed, 8 insertions(+) diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 47fb0003..19a449ba 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -251,6 +251,14 @@ dco_check_option_ce(const struct connection_entry *ce, int msglevel) } #endif +#if defined(_WIN32) +if (!ce->remote) +{ +msg(msglevel, "NOTE: --remote is not defined, disabling data channel offload."); +return false; +} +#endif + return true; } -- 2.38.1.windows.1 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
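Review bot: the new `#if defined(_WIN32)` block in dco_check_option_ce() carries no comment saying why --remote is mandatory; the reason (`At the moment Windows driver requires remote to work`) lives only in the commit message, so add a one-line comment naming the driver limitation, otherwise nobody will know when the check can be dropped. Also double-check that the message wording matches the other `NOTE: ... disabling data channel offload.` cases in this function so the user-facing DCO fallback messages stay consistent.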
Re: [Openvpn-devel] [PATCH applied openvpn3-linux] tests: platforminfo: skip DBus test if hostname service isn't available
From: David Sommerseth

Thanks a lot! This patch was by the book in every possible way, so this was really easy to review and apply.

Acked-by: David Sommerseth

-
Your patch has been applied

commit 1576e34a1f45133bd4c6df495eaef9387ecd1b4d master
Author: Frans Klaver
Date: Thu, 01 Dec 2022 07:50:13 +

tests: platforminfo: skip DBus test if hostname service isn't available

Signed-off-by: Frans Klaver
Acked-by: David Sommerseth
Patchwork-Id: 2880
URL: https://patchwork.openvpn.net/patch/2880/

-- 
kind regards,
David Sommerseth
[Openvpn-devel] [PATCH] Allow reconnecting in p2p mode work under FreeBSD
This commit consists of two parts. - explicitly removing an existing peer in p2p mode - ignoring the ping timeout notification that is generated by the first part Signed-off-by: Arne Schwabe --- src/openvpn/dco.c | 9 + src/openvpn/dco_freebsd.c | 2 ++ src/openvpn/forward.c | 13 + 3 files changed, 24 insertions(+) diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 03ac8438a..cbd834194 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -459,6 +459,15 @@ dco_p2p_add_new_peer(struct context *c) struct sockaddr *remoteaddr = >info.lsa->actual.dest.addr.sa; struct tls_multi *multi = c->c2.tls_multi; +#ifdef TARGET_FREEBSD +/* In Linux in P2P mode the kernel automatically removes an existing peer + * when adding a new peer. FreeBSD needs to explicitly be told to do that */ +if (c->c2.tls_multi->dco_peer_id != -1) +{ +dco_del_peer(>c1.tuntap->dco, c->c2.tls_multi->dco_peer_id); +c->c2.tls_multi->dco_peer_id = -1; +} +#endif int ret = dco_new_peer(>c1.tuntap->dco, multi->peer_id, c->c2.link_socket->sd, NULL, remoteaddr, NULL, NULL); if (ret < 0) diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c index 4e03f52e9..a52ac8c1b 100644 --- a/src/openvpn/dco_freebsd.c +++ b/src/openvpn/dco_freebsd.c @@ -312,6 +312,8 @@ dco_del_peer(dco_context_t *dco, unsigned int peerid) nvlist_t *nvl; int ret; +msg(D_DCO_DEBUG, "%s: peer-id %d", __func__, peerid); + nvl = nvlist_create(0); nvlist_add_number(nvl, "peerid", peerid); diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 1b418b1bc..958bf0b56 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c 
@@ -1174,9 +1174,22 @@ process_incoming_dco(struct context *c) dco_do_read(dco); +/* FreeBSD currently sends us removal notifcation with the old peer-id in + * p2p mode with the ping timeout reason, so ignore that one to not shout + * ourselves in the foot and removing the just established session */ +if (dco->dco_message_peer_id != c->c2.tls_multi->dco_peer_id) +{ +msg(D_DCO_DEBUG, "%s: received message for mismatching peer-id %d, " +"expected %d", __func__, dco->dco_message_peer_id, +c->c2.tls_multi->dco_peer_id); +return; +} + if ((dco->dco_message_type == OVPN_CMD_DEL_PEER) && (dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_EXPIRED)) { +msg(D_DCO_DEBUG, "%s: received peer expired notification of for peer-id " +"%d", __func__, dco->dco_message_peer_id); trigger_ping_timeout_signal(c); return; } -- 2.37.1 (Apple Git-137.1) ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
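Review bot: in the dco_p2p_add_new_peer() hunk in dco.c, the `#ifdef TARGET_FREEBSD` block dereferences `c->c2.tls_multi->dco_peer_id` three times although `struct tls_multi *multi = c->c2.tls_multi;` is already in scope just above; use `multi->dco_peer_id`. More importantly the return value of dco_del_peer() is discarded, so a failed removal of the stale peer is silent and the following dco_new_peer() then leaves two peers in the kernel, which is exactly the state this patch is meant to avoid; at least log a failure at D_DCO_DEBUG.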
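Review bot: in the dco_del_peer() hunk in dco_freebsd.c, `peerid` is declared `unsigned int` but the added `msg(D_DCO_DEBUG, "%s: peer-id %d", __func__, peerid);` formats it with `%d`; use `%u` so the format matches the type.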
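Review bot: the comment added in the process_incoming_dco() hunk in forward.c has two typos (`notifcation` should be `notification`, `shout ourselves in the foot` should be `shoot ourselves in the foot`), and the new log string `received peer expired notification of for peer-id` has a stray `of`. On the logic: the mismatch check returns before the message-type switch, so every message whose peer-id differs from `c->c2.tls_multi->dco_peer_id` is dropped with only a D_DCO_DEBUG line, including anything that arrives while dco_peer_id is still -1; that is the intended behaviour for the stale FreeBSD removal notification, but state it in the comment so the ordering is not "fixed" later.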