[Openvpn-devel] [PATCH v3] Add documentation for PERSIST_TUN_ACTION (Android specific)

2014-10-07 Thread Arne Schwabe
---
 doc/android.txt | 18 +-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/doc/android.txt b/doc/android.txt
index 871e399..466afba 100644
--- a/doc/android.txt
+++ b/doc/android.txt
@@ -2,7 +2,7 @@ This file documents the support in OpenVPN for Android 4.0 and 
up.

 This support is primarily used in the "OpenVPN for Android" app
 (http://code.google.com/p/ics-openvpn/). For building see the developer
-README: http://code.google.com/p/ics-openvpn/source/browse/README.txt.
+README: http://code.google.com/p/ics-openvpn/source/browse/doc/README.txt.

 Android provides the VPNService API
 (http://developer.android.com/reference/android/net/VpnService.html)
@@ -55,6 +55,21 @@ To set the DNS server and search domain.
 The GUI will then respond with a "needok 'command' ok' or "needok
 'command' cancel', e.g. "needok 'IFCONFIG' ok".

+PERSIST_TUN_ACTION
+
+In Android 4.4-4.4.2 a bug exists that does not allow to open a new tun fd
+while a tun fd is still open. When OpenVPN wants to open an fd it will do
+this query. The UI should compare the last configuration of 
+the tun device with the current tun configuration and reply with either (or
+always respond with OPEN_AFTER_BEFORE/OPEN_BEFORE_CLOSE)
+
+- NOACTION: Keep using the old fd
+- OPEN_AFTER_CLOSE: First close the old fd and then open a new to workaround 
the bug
+- OPEN_BEFORE_CLOSE: the normal behaviour when the VPN configuration changed
+
+For example the UI could respond with 
+needok 'PERSIST_TUN_ACTION' OPEN_AFTER_CLOSE
+
 To protect a socket the OpenVPN will send a PROTECTFD to the UI.
 When sending the PROTECTFD command command to the UI it will send
 the fd of the socket as ancillary message over the UNIX socket.
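Review bot: the closing parenthetical of the new intro paragraph ("or always respond with OPEN_AFTER_BEFORE/OPEN_BEFORE_CLOSE") names OPEN_AFTER_BEFORE, which is not one of the three replies listed right below it; OPEN_AFTER_CLOSE is presumably meant. The sentence also says "reply with either" and then lists three options, so something like "reply with one of the following (or simply always answer OPEN_AFTER_CLOSE / OPEN_BEFORE_CLOSE)" would read better, and "does not allow to open a new tun fd" should be "does not allow opening a new tun fd".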
@@ -74,3 +89,4 @@ are not specific to Android but are rarely used on other 
platform.
 For example using SIGUSR1 and management-hold to restart, pause,
 continue the VPN on network changes or the external key management
 --management-external-key option and inline files.
+
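Review bot: this hunk only appends an empty line at the end of doc/android.txt, which git apply/am will flag as "new blank line at EOF"; drop it from the patch.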
-- 
1.8.5.2 (Apple Git-48)




[Openvpn-devel] [PATCH] Add documentation for PERSIST_TUN_ACTION (Android specific)

2014-10-07 Thread Arne Schwabe
---
 doc/android.txt | 11 ++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/doc/android.txt b/doc/android.txt
index 871e399..cf8b3c7 100644
--- a/doc/android.txt
+++ b/doc/android.txt
@@ -2,7 +2,7 @@ This file documents the support in OpenVPN for Android 4.0 and 
up.

 This support is primarily used in the "OpenVPN for Android" app
 (http://code.google.com/p/ics-openvpn/). For building see the developer
-README: http://code.google.com/p/ics-openvpn/source/browse/README.txt.
+README: http://code.google.com/p/ics-openvpn/source/browse/doc/README.txt.

 Android provides the VPNService API
 (http://developer.android.com/reference/android/net/VpnService.html)
@@ -74,3 +74,12 @@ are not specific to Android but are rarely used on other 
platform.
 For example using SIGUSR1 and management-hold to restart, pause,
 continue the VPN on network changes or the external key management
 --management-external-key option and inline files.
+
+Due to a bug in Android 4.4-4.4.2 there the Android Control will also
+query what action the daemon should take when opening the fd. The GUI
+should compare the last configuration of the tun device with the current
+tun configuration and reply with either
+
+- NOACTION: Keep using the old fd
+- OPEN_AFTER_CLOSE: First close the old fd and then open a new to workaround 
the bug
+- OPEN_BEFORE_CLOSE: the normal behaviour when the VPN configuration changed
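Review bot: the new paragraph never names the query that is sent (the subject says PERSIST_TUN_ACTION, the text only says "query what action") nor how the GUI answers it, while every other command in this file documents its needok reply; add the command name and a reply example such as needok 'PERSIST_TUN_ACTION' OPEN_AFTER_CLOSE. "Due to a bug in Android 4.4-4.4.2 there the Android Control" also has a stray "there".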
-- 
1.9.3 (Apple Git-50)




Re: [Openvpn-devel] Async OPENVPN_PLUGIN_CLIENT_CONNECT plugin support

2014-10-07 Thread Lev Stipakov
Hi Fabian & all,

Patch works great, thanks! I have rebased it a bit and added support
for client-connect plugin call.

I would like to offer a related feature (and implementation) I call async-push.

Use case: authentication / authorization takes time. I have auth/az
code in auth-user-pass-verify and client-connect calls, and sometimes
it takes more than a second to execute those. The problem is that after
auth-user-pass-verify is done, OpenVPN server won’t proceed with
client-connect unless some timeout/io event happens for that client.
Also, the server will not notify the client that client-connect returned
success unless the client sends PULL_REQUEST. The client, in turn, sends
PULL_REQUEST one second after connection initiation and after that
once every 5 seconds. So, for example, if at the moment the first pull
request arrives client-connect has not finished yet, we will have
to wait another 5 seconds for the next PULL_REQUEST.

Solution: inotify. Since OpenVPN itself creates the files (auth-control and
client-connect-deferred) whose names it passes to the plugin, we
create one inotify descriptor for the event loop and, right after creating
those files, we add an inotify watch on them. Before calling epoll (or
whatever we use) we add the inotify descriptor to the list of watched
descriptors. We also keep the watch descriptor and multi_instance in a
hashtable.

When epoll informs us that an event has happened on the inotify
descriptor, we get the multi_instance by watch descriptor (fetched from the
poll event) from our new hashtable and call multi_process_post for the
given multi_instance. This will check the result from the file and
eventually call multi_connection_established, from where we call
send_push_reply.

Since the implementation uses inotify, it will work on Linux only. The code is
under a #define, which is set at compile time (--enable-async-push=yes).

I have attached an implementation. So far it has been working nicely in
my test environment. I would love to hear feedback from the
community. Is the whole thing done more or less right? Were any bugs
introduced that someone could spot?

-Lev

2014-08-01 0:21 GMT+03:00 Fabian Knittel :
> Hi Lev,
>
> 2014-07-29 12:56 GMT+02:00 Lev Stipakov :
>>
>> I am pondering about asynchronous OPENVPN_PLUGIN_CLIENT_CONNECT
>> callback. Basically, I want _not_ to establish connection until
>> response is received and of course I don't want to block rest of traffic.
>
>
> [ Details of approach snipped. ]
>
>> What do you think about that? Does that approach sound reasonable?
>
>
> Some time ago I implemented something quite similar, but never quite managed
> to officially submit it. You can find my old git branch here [0].
> Unfortunately, to be of any use it would need to be ported to a current
> OpenVPN release / master first.
>
> The code has been in use for several years now [1], so the approach and the
> code basically work quite well. (I think my use case involved calling a
> Python script, but I might have implemented the plugin part too.)
>
> If the OpenVPN committers see a certain chance that such a change could be
> included upstream, I might even try to rebase the branch to master myself...
>
> Cheers
> Fabian
>
> 0:
> http://opensource.fsmi.uni-karlsruhe.de/gitweb/?p=openvpn.git;a=shortlog;h=refs/heads/feat_deferred_client-connect
> 1: ... in a production environment with several hundred users (together with
> the equally unofficial VLAN-tagging feature [2]). The feature is needed by a
> daemon that does asynchronous IP-configuration via a central DHCP server
> [3].
> 2:
> http://opensource.fsmi.uni-karlsruhe.de/gitweb/?p=openvpn.git;a=shortlog;h=refs/heads/feat_vlan
> 3: https://gitorious.org/odr



-- 
-Lev
diff --git a/configure.ac b/configure.ac
index ffba374..2c5c65d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -264,6 +264,13 @@ AC_ARG_ENABLE(
 	[enable_systemd="no"]
 )
 
+AC_ARG_ENABLE(
+	[async-push],
+	[AS_HELP_STRING([--enable-async-push], [enable async-push support @<:@default=no@:>@])],
+	[enable_async_push="yes"],
+	[enable_async_push="no"]
+)
+
 AC_ARG_WITH(
 	[special-build],
 	[AS_HELP_STRING([--with-special-build=STRING], [specify special build string])],
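Review bot: the action-if-given branch hard-codes [enable_async_push="yes"], so ./configure --enable-async-push=no would still turn the feature on; use [enable_async_push="$enableval"] (the autoconf default when the argument is left empty) so an explicit =no is honoured.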
@@ -1144,6 +1151,14 @@ if test "${enable_plugin_auth_pam}" = "yes"; then
 	fi
 fi
 
+if test "${enable_async_push}" = "yes"; then
+	AC_CHECK_HEADERS(
+		[sys/inotify.h],
+		AC_DEFINE([ENABLE_ASYNC_PUSH], [1], [Enable async push]),
+		AC_MSG_ERROR([inotify.h not found.])
+	)
+fi
+
 CONFIGURE_DEFINES="`set | grep '^enable_.*=' ; set | grep '^with_.*='`"
 AC_DEFINE_UNQUOTED([CONFIGURE_DEFINES], ["`echo ${CONFIGURE_DEFINES}`"], [Configuration settings])
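Review bot: ENABLE_ASYNC_PUSH is defined on the presence of sys/inotify.h alone, and the failure message "inotify.h not found." does not say which option triggered it; make it name the option and the platform limit stated in the mail (e.g. "--enable-async-push requires sys/inotify.h (Linux only)") so a user on another platform knows what to drop.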
 
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 39f66e3..940d426 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1353,6 +1353,9 @@ io_wait_dowork (struct context *c, const unsigned int flags)
 #ifdef ENABLE_MANAGEMENT
   static int management_shift = 6; /* depends on MANAGEMENT_READ and MANAGEMENT_WRITE */
 #endif
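Review bot: the hunk header announces three added lines in io_wait_dowork, but the body shown stops after the ENABLE_MANAGEMENT context with no "+" lines, so the inotify descriptor registration in the event loop cannot be reviewed from this mail; please resend the full patch inline (git send-email) rather than as an attachment.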
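As an added illustration of the approach Lev describes (not his attached patch and not OpenVPN's own code): the auth-control file is watched with inotify right after it is created, the event loop polls the inotify descriptor next to its other fds, and the event's watch descriptor is mapped back to the client instance, which then re-reads the plugin's verdict instead of waiting for the next PULL_REQUEST. struct client, the async_push_* functions, process_post and the /tmp control-file name are assumed stand-ins for OpenVPN's multi_instance, multi_process_post and its real file naming; Linux only, like the original.

```c
#define _GNU_SOURCE
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/inotify.h>
#include <unistd.h>
#define MAX_CLIENTS 8

/* Stand-in for OpenVPN's multi_instance: one connecting client. */
struct client {
    const char *path; /* auth-control file whose name OpenVPN hands to the plugin */
    int wd;           /* inotify watch descriptor on that file */
    int auth_result;  /* -1 pending, 0 plugin wrote failure, 1 plugin wrote success */
};
static struct client *by_wd[MAX_CLIENTS]; /* wd -> client; Lev keeps a hashtable */

/* Called right after OpenVPN creates the control file: watch it for the plugin's reply. */
int async_push_register(int ifd, struct client *c)
{
    c->auth_result = -1;
    c->wd = inotify_add_watch(ifd, c->path, IN_CLOSE_WRITE); /* plugin writes, then closes */
    for (int i = 0; c->wd >= 0 && i < MAX_CLIENTS; i++)
        if (!by_wd[i]) { by_wd[i] = c; return 0; }
    return -1;
}

/* Stand-in for multi_process_post: re-read the verdict ("1" = success) from the file. */
static void process_post(struct client *c)
{
    FILE *f = fopen(c->path, "r");
    int ch = f ? fgetc(f) : EOF;
    if (f) fclose(f);
    c->auth_result = (ch == '1');
}

/* Drain the inotify fd once the event loop says it is readable; returns clients handled. */
int async_push_dispatch(int ifd)
{
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    ssize_t n = read(ifd, buf, sizeof buf);
    int handled = 0;
    for (char *p = buf; n > 0 && p < buf + n; ) {
        const struct inotify_event *ev = (const struct inotify_event *)p;
        for (int i = 0; i < MAX_CLIENTS; i++) /* wd -> instance lookup, then post-process */
            if (by_wd[i] && by_wd[i]->wd == ev->wd) { process_post(by_wd[i]); handled++; }
        p += sizeof *ev + ev->len;
    }
    return handled;
}

/* End-to-end run on a constructed control file; returns the client's auth_result. */
int async_push_demo(void)
{
    char path[] = "/tmp/auth_control_XXXXXX"; /* constructed name, not OpenVPN's scheme */
    int fd = mkstemp(path), ifd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC), result = -1;
    struct client c = { .path = path };
    if (fd >= 0 && ifd >= 0 && async_push_register(ifd, &c) == 0) {
        FILE *f = fopen(path, "w"); /* the auth plugin delivers its verdict */
        if (f) { fputs("1\n", f); fclose(f); }
        struct pollfd pfd = { .fd = ifd, .events = POLLIN }; /* epoll/select in io_wait */
        if (poll(&pfd, 1, 1000) > 0 && async_push_dispatch(ifd) > 0)
            result = c.auth_result; /* known now, no wait for the next PULL_REQUEST */
    }
    for (int i = 0; i < MAX_CLIENTS; i++) if (by_wd[i] == &c) by_wd[i] = NULL;
    if (ifd >= 0) close(ifd); /* closing the inotify fd drops its watches */
    if (fd >= 0) { close(fd); unlink(path); }
    return result;
}
```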

Re: [Openvpn-devel] [PATCH 2/2] systemd: Do not mask usernames when querying for it via systemd-ask-password

2014-10-07 Thread Jon Ciesla
On Tue, Oct 7, 2014 at 8:23 AM, David Sommerseth <openvpn.l...@topphemmelig.net> wrote:

> From: David Sommerseth 
>
> In systemd after version 216, systemd-ask-password will support --echo
> which will avoid masking the user input.  As OpenVPN uses this mechanism
> collecting usernames when systemd is available, this will avoid the input
> of usernames to be masked.
>
> This patch also adds the --icon argument, which is aimed at graphical
> inputs.  For example when OpenVPN is started at system boot-time using a
> graphical boot interface such as Plymouth.
>
> Signed-off-by: David Sommerseth 
> ---
>  configure.ac  | 1 +
>  src/openvpn/console.c | 8 
>  2 files changed, 9 insertions(+)
>
> diff --git a/configure.ac b/configure.ac
> index 608ab6d..09f32d4 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -1017,6 +1017,7 @@ if test "$enable_systemd" = "yes" ; then
>  AC_CHECK_FUNCS([sd_booted], [], [AC_MSG_ERROR([systemd library is
> missing sd_booted()])])
>  OPTIONAL_SYSTEMD_LIBS="${libsystemd_LIBS}"
>  AC_DEFINE(ENABLE_SYSTEMD, 1, [Enable systemd integration])
> +AC_DEFINE_UNQUOTED(SYSTEMD_VERSION, [`echo
> ${libsystemd_MODVERSION}`], [systemd version installed])
>  LIBS="${saved_LIBS}"
>  fi
>
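Review bot: SYSTEMD_VERSION is taken from ${libsystemd_MODVERSION}, which only exists once patch 1/2's pkg.m4 change is applied; if the variable is empty the define expands to nothing and the "#if SYSTEMD_VERSION > 216" in console.c becomes a preprocessor syntax error. Check that the value is non-empty (or default it to 0) before the AC_DEFINE_UNQUOTED, and state the dependency on 1/2 in the commit message.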
> diff --git a/src/openvpn/console.c b/src/openvpn/console.c
> index d66d408..5d4d878 100644
> --- a/src/openvpn/console.c
> +++ b/src/openvpn/console.c
> @@ -167,6 +167,14 @@ get_console_input_systemd (const char *prompt, const
> bool echo, char *input, con
>
>argv_init ();
>argv_printf (, SYSTEMD_ASK_PASSWORD_PATH);
> +
> +#if SYSTEMD_VERSION > 216
> +  if( echo )
> +{
> +  argv_printf_cat(, "--echo");
> +}
> +#endif
> +  argv_printf_cat (, "--icon=network-wired");
>argv_printf_cat (, "%s", prompt);
>
>if ((std_out = openvpn_popen (, NULL)) < 0) {
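Review bot: "#if SYSTEMD_VERSION > 216" silently evaluates an undefined macro as 0 and trips -Wundef in builds where the define is absent; prefer "#if defined(SYSTEMD_VERSION) && SYSTEMD_VERSION > 216". The "if( echo )" spacing also differs from the surrounding "if (" style. The --icon=network-wired argument is added unconditionally while only --echo is version-gated; the commit message should say which systemd-ask-password versions accept --icon so the unconditional use is justified.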
> --
> 1.8.3.1

ACK.  Enables systemd features on systemd systems, and looks like a no-op
on non-systemd systems.

-- 
http://cecinestpasunefromage.wordpress.com/

in your fear, seek only peace
in your fear, seek only love

-d. bowie


Re: [Openvpn-devel] [PATCH 1/2] autotools: Add support for extracting version information from pkg-config modules

2014-10-07 Thread Jon Ciesla
On Tue, Oct 7, 2014 at 8:23 AM, David Sommerseth <openvpn.l...@topphemmelig.net> wrote:

> From: David Sommerseth 
>
> Signed-off-by: David Sommerseth 
> ---
>  m4/pkg.m4 | 7 +--
>  1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/m4/pkg.m4 b/m4/pkg.m4
> index 9a71878..f82496b 100644
> --- a/m4/pkg.m4
> +++ b/m4/pkg.m4
> @@ -107,16 +107,18 @@ AC_DEFUN([PKG_CHECK_MODULES],
>  [AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
>  AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding
> pkg-config])dnl
>  AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl
> +AC_ARG_VAR([$1][_MODVERSION], [module version])dnl
>
>  pkg_failed=no
>  AC_MSG_CHECKING([for $1])
>
>  _PKG_CONFIG([$1][_CFLAGS], [cflags], [$2])
>  _PKG_CONFIG([$1][_LIBS], [libs], [$2])
> +_PKG_CONFIG([$1][_MODVERSION], [modversion], [$2])
>
>  m4_define([_PKG_TEXT], [Alternatively, you may set the environment
> variables $1[]_CFLAGS
> -and $1[]_LIBS to avoid the need to call pkg-config.
> -See the pkg-config man page for more details.])
> +and $1[]_LIBS to avoid the need to call pkg-config.  The $1[]_MODVERSION
> provides version
> +information.  See the pkg-config man page for more details.])
>
>  if test $pkg_failed = yes; then
> AC_MSG_RESULT([no])
> @@ -153,6 +155,7 @@ To get pkg-config, see <
> http://pkg-config.freedesktop.org/>.])[]dnl
>  else
> $1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
> $1[]_LIBS=$pkg_cv_[]$1[]_LIBS
> +   $1[]_MODVERSION=$pkg_cv_[]$1[]_MODVERSION
>  AC_MSG_RESULT([yes])
> $3
>  fi[]dnl
> --
> 1.8.3.1

ACK.

-- 
http://cecinestpasunefromage.wordpress.com/

in your fear, seek only peace
in your fear, seek only love

-d. bowie


Re: [Openvpn-devel] Paid Engagement

2014-10-07 Thread Arne Schwabe
Am 07.10.14 16:32, schrieb Sio Poh Tan:
> Hi Samuli,
>
> Thanks for your reply. I've checked on the link that you provided.
> However, it does not mention whether the Windows Crypto API integration
> supports TLS 1.2 implementation. I understand that it does support TLS
> 1.0 implementation, similar to the OpenVPN community version. If the
> OpenVPN Connect client is based on the community version, then I doubt
> it supports TLS 1.2 using cryptoapicert as I've tested with the
> community version. Please correct me if I'm wrong.
>
> I hope someone will be interested to work on this implementation as my
> team is having a tight schedule implementing this for a project.

Probably it uses the management API and the external-key-management API
of the management interface. My Android client (OpenVPN for Android)
uses that API to work with the Android keystore and does TLS 1.2 just
fine. That OpenVPN Connect can use the Mac crypto store, which OpenVPN
does not support, kind of confirms that theory.

For anyone who wants to pick up this work: this probably only means replacing
the API calls which do RSA signing of the SHA1 checksum with an API call
that can do signing of SHA1 + SHA* variants (basically signing longer
bitstrings).

Arne


Re: [Openvpn-devel] Paid Engagement

2014-10-07 Thread Sio Poh Tan
Hi Samuli,

Thanks for your reply. I've checked on the link that you provided. However,
it does not mention whether the Windows Crypto API integration supports TLS
1.2 implementation. I understand that it does support TLS 1.0
implementation, similar to the OpenVPN community version. If the OpenVPN
Connect client is based on the community version, then I doubt it supports
TLS 1.2 using cryptoapicert as I've tested with the community version.
Please correct me if I'm wrong.

I hope someone will be interested to work on this implementation as my team
is having a tight schedule implementing this for a project.

Regards,
Isaac


On Tue, Oct 7, 2014 at 7:34 PM, Samuli Seppänen  wrote:

>
>
> Hi,
>
> Have you checked if the OpenVPN Connect client (bundled with the Access
> Server) meets your requirements? See section 5 in here:
>
> 
> 
>
> -- 
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
>
> irc freenode net: mattock
>
>
>
>
> > Hello OpenVPN Developers,
> >
> > I understand that the current version of OpenVPN supports implementation
> of TLS 1.2 using exported cert and key. However, I have a project that
> requires implementation of TLS 1.2 using cryptoapicert.
> >
> > If any developer is interested to work on this implementation in
> OpenVPN, please email me specifying the cost of doing this. I do respect
> the developer's time and effort and hence, this will be a paid engagement.
> >
> > Thank you.
> >
> > Best Regards,
> > Isaac
> >
> >
> >


[Openvpn-devel] [PATCH 1/2] autotools: Add support for extracting version information from pkg-config modules

2014-10-07 Thread David Sommerseth
From: David Sommerseth 

Signed-off-by: David Sommerseth 
---
 m4/pkg.m4 | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/m4/pkg.m4 b/m4/pkg.m4
index 9a71878..f82496b 100644
--- a/m4/pkg.m4
+++ b/m4/pkg.m4
@@ -107,16 +107,18 @@ AC_DEFUN([PKG_CHECK_MODULES],
 [AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
 AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl
 AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl
+AC_ARG_VAR([$1][_MODVERSION], [module version])dnl

 pkg_failed=no
 AC_MSG_CHECKING([for $1])

 _PKG_CONFIG([$1][_CFLAGS], [cflags], [$2])
 _PKG_CONFIG([$1][_LIBS], [libs], [$2])
+_PKG_CONFIG([$1][_MODVERSION], [modversion], [$2])

 m4_define([_PKG_TEXT], [Alternatively, you may set the environment variables 
$1[]_CFLAGS
-and $1[]_LIBS to avoid the need to call pkg-config.
-See the pkg-config man page for more details.])
+and $1[]_LIBS to avoid the need to call pkg-config.  The $1[]_MODVERSION 
provides version
+information.  See the pkg-config man page for more details.])

 if test $pkg_failed = yes; then
AC_MSG_RESULT([no])
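Review bot: m4/pkg.m4 is the macro file shipped by pkg-config itself, so the $1[]_MODVERSION additions (and the changed _PKG_TEXT help wording) will be silently lost the next time the file is refreshed from upstream; put the modversion lookup in a project-owned macro beside pkg.m4 that calls _PKG_CONFIG, or at least mark the local modification at the top of the file so it gets re-applied.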
@@ -153,6 +155,7 @@ To get pkg-config, see 
.])[]dnl
 else
$1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
$1[]_LIBS=$pkg_cv_[]$1[]_LIBS
+   $1[]_MODVERSION=$pkg_cv_[]$1[]_MODVERSION
 AC_MSG_RESULT([yes])
$3
 fi[]dnl
-- 
1.8.3.1




[Openvpn-devel] [PATCH applied] Re: systemd: Use systemd functions to consider systemd availability

2014-10-07 Thread Gert Doering
ACK.  "Doesn't break anything on my test system, so safe for non-systemd
users, and looks reasonable for those"

Your patch has been applied to the master branch.

commit f33ee6bcb12fdc3869b17b7c528a209f16581e2e
Author: David Sommerseth
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Fri Oct 3 19:16:07 2014 +0200

 systemd: Use systemd functions to consider systemd availability

 Signed-off-by: David Sommerseth 
 Acked-by: Gert Doering 
 Message-Id: <1412356567-27125-1-git-send-email-openvpn.l...@topphemmelig.net>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/9072
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




Re: [Openvpn-devel] Paid Engagement

2014-10-07 Thread Samuli Seppänen


Hi,

Have you checked if the OpenVPN Connect client (bundled with the Access
Server) meets your requirements? See section 5 in here:



-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




> Hello OpenVPN Developers,
>
> I understand that the current version of OpenVPN supports
implementation of TLS 1.2 using exported cert and key. However, I have a
project that requires implementation of TLS 1.2 using cryptoapicert.
>
> If any developer is interested to work on this implementation in
OpenVPN, please email me specifying the cost of doing this. I do respect
the developer's time and effort and hence, this will be a paid engagement.
>
> Thank you.
>
> Best Regards,
> Isaac
>
>
>

