Re: [Openvpn-devel] OpenVPN argument parsing of most options ignores "extra" parameters

2015-05-18 Thread Steffan Karger


On 17-05-15 19:24, Gert Doering wrote:
> On Sun, May 17, 2015 at 03:13:21PM +0200, Steffan Karger wrote:
>> That sounds reasonable to me.  However, I tend to be easier in accepting
>> (potentially) breaking changes than other community members.  So I think
>> it makes sense to put this on the agenda for the next IRC meeting.
>> Iirc, the next one should be tomorrow at 20:00 CEST.
>
> +1 :-)
>
> I do not have strong feelings on whether this should be a warning or
> a hard error, but it's generally good practice to let the user know about
> "unexpected extra arguments" (or, turned around, totally annoying if
> software just ignores stuff on the command line without at least telling
> you) - so all for "doing something about it".


Quoting from Samuli's IRC meeting summary:

"Decided to make the config parser fail if erroneous extra options are 
encountered."


That is, there is agreement to get this into master / 2.4.  Patches are 
very welcome.


-Steffan
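
The behaviour change agreed in this thread, sketched as an added example (this is not OpenVPN's own parser code): a table-driven check that either silently drops extra parameters or rejects the line. The names `opt_spec`, `parse_line` and the return codes are hypothetical, the parameter counts are assumptions based on how the options appear on this page, and the sample lines are constructed.

```c
#include <stdio.h>
#include <string.h>

enum { PARSE_OK = 0, PARSE_UNKNOWN = -1, PARSE_MISSING = -2, PARSE_EXTRA = -3 };

/* Hypothetical table: option name and the number of parameters it takes. */
struct opt_spec { const char *name; int params; };
static const struct opt_spec SPECS[] = {
    { "port", 1 }, { "lport", 1 }, { "rport", 1 }, { "verb", 1 }, { "nobind", 0 },
};

/* Parse one config line. strict=0 models the old behaviour (extra
 * parameters are silently dropped); strict=1 rejects such a line. */
int parse_line(const char *line, int strict, char *value, size_t value_len)
{
    char buf[128];            /* demo limit: longer lines are truncated */
    char *tok[8];
    int n = 0;

    snprintf(buf, sizeof(buf), "%s", line);
    for (char *t = strtok(buf, " \t"); t && n < 8; t = strtok(NULL, " \t"))
        tok[n++] = t;
    if (n == 0)
        return PARSE_UNKNOWN;
    for (size_t i = 0; i < sizeof(SPECS) / sizeof(SPECS[0]); i++) {
        int given = n - 1;    /* tokens after the option name */
        if (strcmp(tok[0], SPECS[i].name) != 0)
            continue;
        if (given < SPECS[i].params)
            return PARSE_MISSING;
        if (strict && given > SPECS[i].params)
            return PARSE_EXTRA;          /* fail instead of ignoring */
        snprintf(value, value_len, "%s", SPECS[i].params ? tok[1] : "");
        return PARSE_OK;
    }
    return PARSE_UNKNOWN;
}

int main(void)
{
    /* Constructed sample lines, not taken from a real configuration. */
    const char *lines[] = { "verb 3", "lport 1194 1195", "nobind yes" };
    char v[32];
    for (int i = 0; i < 3; i++)
        printf("%-18s legacy=%d strict=%d\n", lines[i],
               parse_line(lines[i], 0, v, sizeof(v)),
               parse_line(lines[i], 1, v, sizeof(v)));
    return 0;
}
```

In the non-strict mode `lport 1194 1195` is accepted with the value `1194` and no diagnostic, which is the silent-ignore case the thread objects to.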



Re: [Openvpn-devel] Topics for today's (Monday, 18th May 2015) community meeting

2015-05-18 Thread Samuli Seppänen

Hi,

Here's the summary of today's IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-devel on irc.freenode.net
List-Post: openvpn-devel@lists.sourceforge.net
Date: Monday 18th May 2015
Time: 20:00 CEST (18:00 UTC)

Planned meeting topics for this meeting were here:



The next meeting is scheduled to two weeks from this meeting:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, krzee, jamesyonan, mattock and syzzer participated in this meeting

---

Discussed the option of creating a honeypot email address to lessen the 
amount of (clueless) support requests on the security mailing list. All 
were in favor.


---

Discussed OpenVPN argument parsing:



Decided to make the config parser fail if erroneous extra options are 
encountered.


---

Discussed the status of OpenVPN 2.3.7 release. The status of the release 
will be reviewed in next meeting in two weeks from now. We'll also try 
to push out the release later that week. If some tickets can't be 
tackled, they will be moved to 2.3.8.


---

Discussed the status of OpenVPN 2.4 release. The main missing components 
are AEAD, IPv6 (fixes) and the interactive service.


Syzzer will make the interactive service patchset less intrusive by 
providing the "move things into struct tt" patch. After this the code 
can be moved into a separate Git branch from which mattock can start 
building snapshot installers. As the patch is already in wide use 
according to its author (d12fk), basic verification of functionality 
should be good enough for moving it to Git master.


The IPv6-related changes require a few days of focused effort on cron2's 
part.


The AEAD patches need review and testing first and foremost. Syzzer will 
provide updated patches based on the feedback.


We will continue work on 2.4 after the 2.3.7 release is out.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

(21:00:07) mattock: meeting time
(21:00:52) mattock: who do we have here?
(21:01:41) krzee: o/
(21:01:42) syzzer: well, me, obviously :p
(21:03:13) cron2: \ob/
(21:03:48) mattock: hi!
(21:03:57) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2015-05-18
(21:03:59) vpnHelper: Title: Topics-2015-05-18 – OpenVPN Community (at 
community.openvpn.net)
(21:04:01) mattock: anything to add to the agenda?
(21:04:07) syzzer: will james be joining tonight?
(21:04:19) mattock: I have not explicitly asked him
(21:04:26) mattock: I can send him an email if you think we'd need him
(21:04:45) mattock: any topics in particular for James?
(21:04:46) syzzer: he usually has an opinion on config file discussions
(21:04:58) mattock: ok, I'll mention that
(21:06:18) mattock: mail sent
(21:08:08) mattock: maybe we could start from topic #2, "Support requests sent 
to the security list"
(21:08:32) mattock: any thoughts on creating a honeypot email address for 
clueless people?
(21:08:41) cron2: +1
(21:09:14) jamesyonan [~jamesy...@c-67-166-32-18.hsd1.co.comcast.net] entered 
the room.
(21:09:14) mode (+o jamesyonan) by ChanServ
(21:09:34) krzee: +1
(21:09:37) syzzer: if I get less mail from clueless people, I'm all for it :p
(21:09:40) mattock: great!
(21:09:49) krzee: we have support places
(21:09:52) mattock: I'll get it done or fail trying then
(21:09:56) krzee: no reason for them to spam you guys
(21:10:02) mattock: krzee: yeah, exactly
(21:10:05) mattock: hi james!
(21:10:12) mattock: I think we can move to topic #1 now
(21:10:19) mattock: http://thread.gmane.org/gmane.network.openvpn.devel/9599
(21:10:20) syzzer: perfect timing
(21:10:21) vpnHelper: Title: Gmane Loom (at thread.gmane.org)
(21:10:29) krzee: hey james =]
(21:10:38) jamesyonan: hi guys
(21:10:46) cron2: hi Jams
(21:10:56) cron2: argh, typing impaired
(21:11:48) krzee: did anyone show james that page that said usa people were 
banned from contributing?  lol
(21:12:32) jamesyonan: that sounds like something out of the 90s
(21:13:16) mattock: krzee: what page?
(21:14:58) syzzer: ostif.org I believe, but I never managed to actually find 
the claim on the site
(21:15:24) krzee: i saw it before, trying to find again
(21:16:00) mattock: so config parsing?
(21:16:10) mattock: syzzer, cron2: you had some discussion about this on the ml
(21:16:48) krzee: ive seen people put funny options to redirect-gateway that 
were not fatal and would have helped the user to find their own problem if they 
were
(21:16:54) syzzer: yes, I voiced my opinion. I think it is a bit harsh for 2.3, 
but we should not silently ignore extra parameters and I would be fine with 
rejecting such configs in 2.4
(21:17:23) cron2: it's a bit too intrusive for 2.3, I'd say, but I agree on 2.4
(21:17:31) mattock: sounds reasonable
(21:17:31) cron2: we just need to 

[Openvpn-devel] [PATCH applied] Re: Updated manpage for --rport and --lport

2015-05-18 Thread Gert Doering
ACK.

Your patch has been applied to the master and release/2.3 branch.

commit d3eacb2d6ebb8a42506343c54e00c72252d683f8 (master)
commit f1fa7e35cf7c7a11c27031c7eb35c3e730a450b6 (release/2.3)

Author: Robert Fischer
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Mon May 18 21:21:09 2015 +0200

 Updated manpage for --rport and --lport

 Signed-off-by: Robert Fischer 
 Signed-off-by: Steffan Karger 
 Acked-by: Gert Doering 
 Message-Id: <1431976869-4948-1-git-send-email-stef...@karger.me>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/9701
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCH] Updated manpage for --rport and --lport

2015-05-18 Thread Steffan Karger
[SK: v2, patch taken from trac #127 and updated to current master branch]

Signed-off-by: Robert Fischer 
Signed-off-by: Steffan Karger 
---
 doc/openvpn.8 | 16 +---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 23cc789..b9eee0d 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -670,18 +670,28 @@ peer on its new IP address.
 .\"*
 .TP
 .B \-\-port port
-TCP/UDP port number or port name for both local and remote.  The current
+TCP/UDP port number or port name for both local and remote (sets both
+.B \-\-lport
+and
+.B \-\-rport
+options to given port).  The current
 default of 1194 represents the official IANA port number
 assignment for OpenVPN and has been used since version 2.0-beta17.
 Previous versions used port 5000 as the default.
 .\"*
 .TP
 .B \-\-lport port
-TCP/UDP port number or name for bind.
+Set local TCP/UDP port number or name.  Cannot be used together with
+.B \-\-nobind
+option.
 .\"*
 .TP
 .B \-\-rport port
-TCP/UDP port number or name for remote.
+Set TCP/UDP port number or name used by the
+.B \-\-remote
+option. The port can also be set directly using the
+.B \-\-remote
+option.
 .\"*
 .TP
 .B \-\-bind [ipv6only]
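Review bot: The new --lport sentence "Cannot be used together with --nobind option." leaves the --port entry ambiguous, because that entry now says --port sets both --lport and --rport; a reader cannot tell whether --port combined with --nobind is rejected as well or simply applies to the remote side only. Suggest saying so in the --port paragraph. Wording nits in the added lines: "to given port" and "with --nobind option" are missing the article ("to the given port", "with the --nobind option"), and the --rport entry uses one space after the period ("option. The port") where the rest of the hunk uses two.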
-- 
2.1.4




Re: [Openvpn-devel] OpenVPN argument parsing of most options ignores "extra" parameters

2015-05-18 Thread Jonathan K. Bullard
On Mon, May 4, 2015 at 9:26 AM, Jonathan K. Bullard wrote:
> If I have a
> configuration that has worked for many years I might be more likely to
> not notice one warning among all the output in a typical log at the
> default "verb 3" setting.

Correction: the default setting is "verb 1", not "verb 3".

However, almost all of the configurations I see from people
troubleshooting Tunnelblick include "verb 3", and eight of the ten
sample configuration files in OpenVPN 2.3.6 include "verb 3". So I
think my conclusions are still valid: a typical log includes a lot of
information and warnings are easily overlooked in a configuration that
has worked for years.



Re: [Openvpn-devel] Fwd: monit alert -- Resource limit matched rootfs

2015-05-18 Thread Samuli Seppänen
Sorry for the noise. Mistyping our internal dev address was due to 
happen sooner or later :).


Samuli


Hi,

Diskspace on git.openvpn.in is running out real soon...

Samuli


Forwarded Message
Subject: monit alert -- Resource limit matched rootfs
Date:    Sun, 17 May 2015 14:03:22 GMT
From:    mo...@git.openvpn.in
To:      sta...@openvpn.in



Resource limit matched Service rootfs

Date:        Sun, 17 May 2015 14:03:22
Action:      alert
Host:        git.openvpn.in
Description: space usage 97.6% matches resource limit [space usage>90.0%]

Your faithful employee,
Monit






___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel




[Openvpn-devel] Fwd: monit alert -- Resource limit matched rootfs

2015-05-18 Thread Samuli Seppänen

Hi,

Diskspace on git.openvpn.in is running out real soon...

Samuli


Forwarded Message
Subject: monit alert -- Resource limit matched rootfs
Date:    Sun, 17 May 2015 14:03:22 GMT
From:    mo...@git.openvpn.in
To:      sta...@openvpn.in



Resource limit matched Service rootfs

Date:        Sun, 17 May 2015 14:03:22
Action:      alert
Host:        git.openvpn.in
Description: space usage 97.6% matches resource limit [space usage>90.0%]

Your faithful employee,
Monit





[Openvpn-devel] Topics for today's (Monday, 18th May 2015) community meeting

2015-05-18 Thread Samuli Seppänen

Hi,

We're going to have an IRC meeting today, 18th May, starting at 20:00 
CEST (18:00 UTC) on #openvpn-devel  irc.freenode.net. Current topic 
list along with basic information is here:




If you have any other things you'd like to bring up, respond to this 
mail, send me mail privately or add them to the list yourself.


In case you can't attend the meeting, please feel free to make comments 
on the topics by responding to this email or to the summary email sent 
after the meeting. Whenever possible, we'll also respond to existing, 
related email threads.


NOTE: It's required to use a registered Freenode IRC nickname to join 
#openvpn-devel - look here for details:




--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




Re: [Openvpn-devel] Request peer review of modified OpenVPN client software

2015-05-18 Thread Samuli Seppänen




> From: Samuli Seppänen 
> Sent: Wed May 13 15:07:03 CEST 2015
> To: Lisa Minogue , , Jonathan K. Bullard 
> Subject: Re: [Openvpn-devel] Request peer review of modified OpenVPN client software
>
>> The obfuscation guide you linked to does not have official blessing from
>> the project, but it seems to have useful content. Note that we don't
>> generally distinguish between official and unofficial documentation.
>
> Thanks Samuli for your clarification.
>
> But as that guide in question was hosted on OpenVPN.net's website and was not given the 
> "Imprimatur" by OpenVPN's project team members, it'd help surfers if the guide was 
> prefixed by the word "Unofficial Guide" or some words of similar meaning.
>
> When I first read the said guide, I was under the impression that it was 
> officially sanctioned by OpenVPN's project team.

That particular page is hosted on Trac Wiki, not on the OpenVPN website 
(http://openvpn.net). As Wikis are editable by anyone all the pages 
hosted on them can be considered unofficial by default.


Samuli