Re: [Openvpn-devel] Adding routes on Windows using DHCP

2015-07-03 Thread Jan Just Keijser

Hi,

On 03/07/15 15:15, Gert Doering wrote:
> On Fri, Jul 03, 2015 at 01:56:39PM +0200, JÁKÓ András wrote:
> > > yes this is possible; it's possible to push multiple gateways and
> > > multiple (classless) routes (dhcp options 121 & 249).
> > > If the metric on the tap-win adapter is set manually and is set low
> > > enough then redirecting the gateway will also work.
> > > However, changing the metric requires elevated access...
> >
> > Sorry for the noise if that has been discussed before: Instead of
> > modifying the metric, how about pushing two /1 routes (0.0.0.0/1 and
> > 128.0.0.0/1)?
>
> Would work *if* windows supports the "classless routes" option (which
> I'm not sure of) - and if it accepts DHCP on tap to provide a host
> route for the VPN server to the original gateway on the normal LAN
> interface.  Without that host route, routing would loop (we'd send
> packets *to* the VPN server into the tunnel, encapsulate, send
> to the VPN server, into the tunnel, encapsulate, ... *boom*)

AFAICT windows does support that option (that's what I was referring to
with options 121 or 249). OTOH, I am *not* sure if it allows you to set
a 0.0.0.0/1 route using that option, but I guess there's only one way to
find out.


As for IPv6: that is going to be a problem indeed, although a draft 
exists for handing out IPv6 routes over DHCP(v6); not sure how much work 
that would entail though.
I think Heiko's interactive service is "the way forward" but it does 
look like the "DHCP route" is too interesting to ignore. I will have 
more time next week to explore it, so I'll get back to the list then.


JJK
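
The encoding under discussion, as an added example that is not part of the original thread or of OpenVPN's code: a C encoder for the RFC 3442 classless static route payload (option 121; option 249 is Microsoft's code for the same layout), applied to the two /1 routes plus the host route for the VPN server. All addresses are constructed sample values; whether Windows accepts these routes on the tap adapter is the open question in the thread, not something the code answers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One route as carried in DHCP option 121 (RFC 3442). */
struct route { uint8_t dest[4]; uint8_t plen; uint8_t gw[4]; };

/* Constructed sample values: tunnel gateway, LAN gateway and VPN server. */
const struct route SAMPLE[] = {
    {{0, 0, 0, 0},      1,  {10, 8, 0, 1}},     /* lower half via tunnel */
    {{128, 0, 0, 0},    1,  {10, 8, 0, 1}},     /* upper half via tunnel */
    {{198, 51, 100, 7}, 32, {192, 168, 1, 1}},  /* VPN server via LAN gateway */
};

/* Writes the option payload to out; returns its length, or 0 on bad input
 * or if it would not fit in cap or in a single 255-byte option. */
size_t encode_classless_routes(const struct route *r, size_t n,
                               uint8_t *out, size_t cap)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        if (r[i].plen > 32) return 0;
        size_t sig = (r[i].plen + 7u) / 8u;   /* significant destination octets */
        unsigned rem = r[i].plen % 8u;
        if (off + 1 + sig + 4 > cap || off + 1 + sig + 4 > 255) return 0;
        out[off++] = r[i].plen;
        for (size_t k = 0; k < sig; k++) {
            uint8_t b = r[i].dest[k];
            if (rem && k == sig - 1)          /* zero host bits in last octet */
                b &= (uint8_t)(0xFFu << (8u - rem));
            out[off++] = b;
        }
        for (size_t k = 0; k < 4; k++) out[off++] = r[i].gw[k];
    }
    return off;
}

int main(void)
{
    uint8_t buf[255];
    size_t len = encode_classless_routes(SAMPLE, 3, buf, sizeof buf);
    for (size_t i = 0; i < len; i++) printf("%02x ", buf[i]);
    printf("\n");
    return len ? 0 : 1;
}
```

A /1 destination costs a single octet (0x00 or 0x80), while the /32 host route carries all four.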





Re: [Openvpn-devel] Adding routes on Windows using DHCP

2015-07-03 Thread Gert Doering
Hi,

On Fri, Jul 03, 2015 at 01:56:39PM +0200, JÁKÓ András wrote:
> > yes this is possible; it's possible to push multiple gateways and 
> > multiple (classless) routes (dhcp options 121 & 249).
> > If the metric on the tap-win adapter is set manually and is set low 
> > enough then redirecting the gateway will also work.
> > However, changing the metric requires elevated access...
> 
> Sorry for the noise if that has been discussed before: Instead of
> modifying the metric, how about pushing two /1 routes (0.0.0.0/1 and
> 128.0.0.0/1)?

Would work *if* windows supports the "classless routes" option (which
I'm not sure of) - and if it accepts DHCP on tap to provide a host
route for the VPN server to the original gateway on the normal LAN
interface.  Without that host route, routing would loop (we'd send
packets *to* the VPN server into the tunnel, encapsulate, send 
to the VPN server, into the tunnel, encapsulate, ... *boom*)

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] Adding routes on Windows using DHCP

2015-07-03 Thread JÁKÓ András
 Hi JJK,

> > * Can you push several routes via DHCP?  Or just a single one?
> > If you can push multiple routes, then I'd say we should look into adding
> > a check if --redirect-gateway + non-admin privileged user => provide a
> > solid warning in the logs that redirecting won't work without proper
> > privileges.
> >
> yes this is possible; it's possible to push multiple gateways and
> multiple (classless) routes (dhcp options 121 & 249).
> If the metric on the tap-win adapter is set manually and is set low
> enough then redirecting the gateway will also work.
> However, changing the metric requires elevated access...

Sorry for the noise if that has been discussed before: Instead of
modifying the metric, how about pushing two /1 routes (0.0.0.0/1 and
128.0.0.0/1)?

András



Re: [Openvpn-devel] Adding routes on Windows using DHCP

2015-07-03 Thread Gert Doering
Hi,

On Fri, Jul 03, 2015 at 01:32:32PM +0200, Jan Just Keijser wrote:
> > * What about IPv6?
> > Can you push IPv6 routes the same way?  Will that also work without 
> > privileges?
>
> How are IPv6 addresses handled by OpenVPN / tap-win32 ? 

Calling "netsh.exe" (both for addresses and routes).

> IPv6 comes with 
> DHCPv6 which also includes support for pushing routes. It needs
> further investigation, however.

DHCPv6 does *not* support routing information.  You need RA for that, and
implementing a full-featured DHCPv6+RA daemon inside OpenVPN is way more
work than just getting the (already existing!) code from Heiko for the
interactive service tested and merged...

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] Adding routes on Windows using DHCP

2015-07-03 Thread Gert Doering
Hi,

On Fri, Jul 03, 2015 at 01:02:56PM +0200, Jan Just Keijser wrote:
> It's even possible to run openvpn without admin privileges and set 
> routes this way!

singular route, unfortunately - while there is an option to advertise
specific routes ("192.168.0.0/24") in DHCP, as far as I understand, nobody
supports this - so all you can do is a default route...

> Before you get too excited: it does not seem to be possible to replace
> an existing default GW this way. The new 0.0.0.0 route has the metric of
> the tap-win32 adapter, which is better than that of a wifi adapter but
> worse (30 == higher) than that of a regular LAN Adapter (metric=10).
> 
> Before I go any deeper into this: what does the rest think about setting 
> routes on Windows this way? It could be a nice way to circumvent all 
> kinds of "route add" problems.

Won't do IPv6, won't help us installing the /32 needed for "redirect-gateway",
and (if my assumption above is true) won't give us more specific routes.

So: nice finding, but not useful enough...

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] Adding routes on Windows using DHCP

2015-07-03 Thread Jan Just Keijser

Hi David,

David Sommerseth wrote:
> On 03/07/15 13:02, Jan Just Keijser wrote:
> > hi all,
> >
> > whilst writing the TFTP/WPAD patch I stumbled upon the options to set a
> > default gateway and/or routes using DHCP options.
> > I've patched openvpn to also set DHCP option 3 ("gateway") and indeed,
> > windows picks up the route supplied to it  :)
> >
> > This might be a way to address this topic from the IRC meeting:
> >
> > Windows 8.1 DNS registration issues
> >
> > * ipconfig failing to execute during VPN connection
> >
> > * Who will fix and how?
> >
> > It's even possible to run openvpn without admin privileges and set
> > routes this way!
> > Before you get too excited: it does not seem to be possible to replace
> > an existing default GW this way. The new 0.0.0.0 route has the metric of
> > the tap-win32 adapter, which is better than that of a wifi adapter but
> > worse (30 == higher) than that of a regular LAN Adapter (metric=10).
> >
> > Before I go any deeper into this: what does the rest think about setting
> > routes on Windows this way? It could be a nice way to circumvent all
> > kinds of "route add" problems.
>
> Okay, it's bold of me to have an opinion on Windows, as someone who has
> not used Windows on his personal or work computers for the last 15 years.
>
> But I generally think this sounds like a really good idea.  I understand
> doing the routing tricks for --redirect-gateway won't work - and I can
> personally live with that.  I do like that openvpn today then can run
> without privileges,
>
> A few questions though
>
> * Can you push several routes via DHCP?  Or just a single one?
> If you can push multiple routes, then I'd say we should look into adding
> a check if --redirect-gateway + non-admin privileged user => provide a
> solid warning in the logs that redirecting won't work without proper
> privileges.

yes this is possible; it's possible to push multiple gateways and
multiple (classless) routes (dhcp options 121 & 249).
If the metric on the tap-win adapter is set manually and is set low
enough then redirecting the gateway will also work.

However, changing the metric requires elevated access...

> * What about IPv6?
> Can you push IPv6 routes the same way?  Will that also work without privileges?

How are IPv6 addresses handled by OpenVPN / tap-win32 ? IPv6 comes with
DHCPv6 which also includes support for pushing routes. It needs
further investigation, however.



JJK




Re: [Openvpn-devel] Adding routes on Windows using DHCP

2015-07-03 Thread David Sommerseth
On 03/07/15 13:02, Jan Just Keijser wrote:
> hi all,
> 
> whilst writing the TFTP/WPAD patch I stumbled upon the options to set a 
> default gateway and/or routes using DHCP options.
> I've patched openvpn to also set DHCP option 3 ("gateway") and indeed, 
> windows picks up the route supplied to it  :)
> 
> This might be a way to address this topic from the IRC meeting:
> 
> Windows 8.1 DNS registration issues
> 
> * ipconfig failing to execute during VPN connection
>   
> * Who will fix and how?
> 
> 
> It's even possible to run openvpn without admin privileges and set 
> routes this way!
> Before you get too excited: it does not seem to be possible to replace
> an existing default GW this way. The new 0.0.0.0 route has the metric of
> the tap-win32 adapter, which is better than that of a wifi adapter but
> worse (30 == higher) than that of a regular LAN Adapter (metric=10).
> 
> Before I go any deeper into this: what does the rest think about setting 
> routes on Windows this way? It could be a nice way to circumvent all 
> kinds of "route add" problems.

Okay, it's bold of me to have an opinion on Windows, as someone who has
not used Windows on his personal or work computers for the last 15 years.

But I generally think this sounds like a really good idea.  I understand
doing the routing tricks for --redirect-gateway won't work - and I can
personally live with that.  I do like that openvpn today then can run
without privileges,

A few questions though

* Can you push several routes via DHCP?  Or just a single one?
If you can push multiple routes, then I'd say we should look into adding
a check if --redirect-gateway + non-admin privileged user => provide a
solid warning in the logs that redirecting won't work without proper
privileges.

* What about IPv6?
Can you push IPv6 routes the same way?  Will that also work without
privileges?


-- 
kind regards,

David Sommerseth





[Openvpn-devel] Adding routes on Windows using DHCP

2015-07-03 Thread Jan Just Keijser

hi all,

whilst writing the TFTP/WPAD patch I stumbled upon the options to set a 
default gateway and/or routes using DHCP options.
I've patched openvpn to also set DHCP option 3 ("gateway") and indeed, 
windows picks up the route supplied to it  :)


This might be a way to address this topic from the IRC meeting:

Windows 8.1 DNS registration issues

   * ipconfig failing to execute during VPN connection
 
   * Who will fix and how?


It's even possible to run openvpn without admin privileges and set 
routes this way!
Before you get too excited: it does not seem to be possible to replace
an existing default GW this way. The new 0.0.0.0 route has the metric of
the tap-win32 adapter, which is better than that of a wifi adapter but
worse (30 == higher) than that of a regular LAN Adapter (metric=10).


Before I go any deeper into this: what does the rest think about setting 
routes on Windows this way? It could be a nice way to circumvent all 
kinds of "route add" problems.



cheers,

JJK




Re: [Openvpn-devel] [PATCH] Add TFTP and WPAD DHCP options

2015-07-03 Thread David Sommerseth
On 03/07/15 09:30, Samuli Seppänen wrote:
> 
>> Attached is the patch to add the TFTP and WPAD DHCP options. The patch
>> is based on openvpn 2.3.7 as I did not know how to do a windows mingw
>> build of the git version ...
> One way to build a git version on openvpn-build is this:
> 
> $ git clone 
> $ mv openvpn openvpn-2.3_git
> $ cd openvpn-2.3_git
> $ autoreconf -vi
> $ cd ..
> $ tar -zcf openvpn-2.3_git.tar.gz openvpn-2.3_git

Just a stupid question ... instead of the 'tar' command, why not just
run 'make dist' ?

-- 
kind regards,

David Sommerseth





Re: [Openvpn-devel] OpenVPN 2.3.7-I602-x86_64.exe download 404 Error

2015-07-03 Thread Samuli Seppänen



Hi,

On Wed, Jul 01, 2015 at 03:05:44PM +0100, debbie...@gmail.com wrote:

Resolving swupdate.openvpn.org (swupdate.openvpn.org)... 104.28.1.12,
104.28.0.12
Connecting to swupdate.openvpn.org
(swupdate.openvpn.org)|104.28.1.12|:443... connected.


Something interesting is going on.  I thought it might be related to
the two different IP addresses, and maybe one has the file and one
does not - but it works for both from here...

Connecting to swupdate.openvpn.org (swupdate.openvpn.org)|104.28.0.12|:443... 
connected.
openvpn-install-2.3 100%[=>]   1.72M  1.06MB/s   in 1.6s

Connecting to swupdate.openvpn.org (swupdate.openvpn.org)|104.28.1.12|:443... 
connected.
openvpn-install-2.3 100%[=>]   1.72M  1.04MB/s   in 1.6s

funny.

Samuli, can you investigate?

Sorry for the delay, did not check my emails yesterday.

The 404 errors typically happen if CloudFlare caches a 404 error
from one of our download servers before the release files have 
propagated to it. As usual, I tested all the download links so that 
should _not_ be the case here. Nevertheless, I cleared the caches for 
this particular file.


As for the TLS/SSL issues - I'll tell the guys at the office to have a 
look. I'm not aware of any changes at the CloudFlare end, but I'm not in 
the loop, either.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




Re: [Openvpn-devel] [PATCH] Add TFTP and WPAD DHCP options

2015-07-03 Thread Samuli Seppänen



> Attached is the patch to add the TFTP and WPAD DHCP options. The patch
> is based on openvpn 2.3.7 as I did not know how to do a windows mingw
> build of the git version ...

One way to build a git version on openvpn-build is this:

$ git clone 
$ mv openvpn openvpn-2.3_git
$ cd openvpn-2.3_git
$ autoreconf -vi
$ cd ..
$ tar -zcf openvpn-2.3_git.tar.gz openvpn-2.3_git

Then copy openvpn-2.3_git.tar.gz to a webserver and set openvpn version 
to "2.3_git" in generic/build.vars. Renaming the directory is needed due 
to how openvpn-build moves around in the build directories.


Samuli



Re: [Openvpn-devel] Compiling issue on Visual Studio 2010

2015-07-03 Thread Samuli Seppänen



Also I believe Visual Studio provides better security guarantees (like stack 
canaries, buffer checks etc.).

Just for reference: those are supported by mingw/gcc too:
-fstack-protector for canaries, -Wl,--nxcompat for DEP,
-Wl,--dynamicbase for ASLR.


Steffan: so these are the magic incantations that would solve



I'll try those with openvpn-build and see what happens.

Thanks,

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
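
A way to confirm that the two linker flags named above took effect in a built binary, as an added example that is not part of the original thread or of openvpn-build: a C reader for the PE DllCharacteristics field, where --dynamicbase and --nxcompat each set one bit. The sample header is constructed; -fstack-protector leaves no flag in this field, so the example does not cover it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DLLCHAR_DYNAMIC_BASE 0x0040u  /* ASLR: -Wl,--dynamicbase */
#define DLLCHAR_NX_COMPAT    0x0100u  /* DEP:  -Wl,--nxcompat */
#define HDR_MIN (0x40 + 24 + 72)      /* DOS header + PE/COFF header + start of optional header */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns the DllCharacteristics field of a PE image, or -1 if img is not one. */
long pe_dll_characteristics(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = (uint32_t)img[0x3c] | (uint32_t)img[0x3d] << 8 |
                  (uint32_t)img[0x3e] << 16 | (uint32_t)img[0x3f] << 24;
    if (pe > len || len - pe < 24 + 72) return -1;      /* header must fit */
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *opt = img + pe + 24;                 /* optional header */
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return -1;    /* PE32 / PE32+ */
    return rd16(opt + 70);                              /* same offset in both */
}

/* Constructed minimal PE32+ header for the demo; not a loadable image. */
size_t make_sample_header(uint8_t *buf, size_t cap, uint16_t dllchar)
{
    if (cap < HDR_MIN) return 0;
    memset(buf, 0, HDR_MIN);
    buf[0] = 'M'; buf[1] = 'Z'; buf[0x3c] = 0x40;       /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x40 + 24] = 0x0b; buf[0x40 + 25] = 0x02;       /* magic 0x20b */
    buf[0x40 + 24 + 70] = (uint8_t)(dllchar & 0xff);
    buf[0x40 + 24 + 71] = (uint8_t)(dllchar >> 8);
    return HDR_MIN;
}

int main(int argc, char **argv)
{
    uint8_t buf[4096];
    size_t len = make_sample_header(buf, sizeof buf, 0x0140);
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;   /* optional: a real .exe */
    if (f) { len = fread(buf, 1, sizeof buf, f); fclose(f); }
    long dc = pe_dll_characteristics(buf, len);
    if (dc < 0) { puts("not a PE image"); return 2; }
    printf("ASLR (dynamicbase): %s\n", (dc & DLLCHAR_DYNAMIC_BASE) ? "yes" : "NO");
    printf("DEP  (nxcompat):    %s\n", (dc & DLLCHAR_NX_COMPAT) ? "yes" : "NO");
    return 0;
}
```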