[Openvpn-devel] [PATCH v2] Send push reply right after async auth complete

2015-10-07 Thread Lev Stipakov
v2:
More careful inotify_watchers handling
* Ensure that same multi_instance is added only once
* Ensure that multi_instance is always removed

v1:
This feature speeds up connection establishment in cases where the async
authentication result is not ready when the first push request arrives. At
the moment the server sends the push reply only when it receives the next
push request, which comes 5 seconds later.

Implementation overview.

Add a new configure option, ENABLE_ASYNC_PUSH, which can be enabled if the
system supports inotify.

Add the inotify descriptor to the event loop. Add an inotify watch for the
authentication control file. Store the mapping between watch descriptor and
multi_instance in a dictionary. When the file is closed, inotify fires an
event and we continue with connection establishment: call client-connect
etc. and send the push reply.

The inotify watch descriptor gets automatically deleted after the file is
closed or when the file is removed. We catch that event and remove it from
the dictionary.

The feature is easily tested with the sample "defer" plugin and the following settings:

auth-user-pass-optional
setenv test_deferred_auth 3
plugin simple.so

Signed-off-by: Lev Stipakov 
---
 configure.ac  |  15 +
 src/openvpn/forward.c |   8 +++
 src/openvpn/mtcp.c|  28 ++
 src/openvpn/mudp.c|  27 +
 src/openvpn/multi.c   | 152 +-
 src/openvpn/multi.h   |  14 +
 src/openvpn/openvpn.h |  11 
 src/openvpn/push.c|  69 +--
 src/openvpn/push.h|   2 +
 9 files changed, 295 insertions(+), 31 deletions(-)

diff --git a/configure.ac b/configure.ac
index 2e651d8..32620c6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -277,6 +277,13 @@ AC_ARG_ENABLE(
[enable_systemd="no"]
 )

+AC_ARG_ENABLE(
+   [async-push],
+   [AS_HELP_STRING([--enable-async-push], [enable async-push support 
@<:@default=no@:>@])],
+   [enable_async_push="yes"],
+   [enable_async_push="no"]
+)
+
 AC_ARG_WITH(
[special-build],
[AS_HELP_STRING([--with-special-build=STRING], [specify special build 
string])],
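Review bot: the AS_HELP_STRING for `[--enable-async-push]` does not tell the user that the option depends on inotify and therefore only works on Linux, so anyone else discovers that only when configure aborts much later; suggest `[enable async-push support (requires inotify) @<:@default=no@:>@]` so the dependency is visible in `./configure --help`.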
@@ -1201,6 +1208,14 @@ if test "${enable_plugin_auth_pam}" = "yes"; then
fi
 fi

+if test "${enable_async_push}" = "yes"; then
+   AC_CHECK_HEADERS(
+   [sys/inotify.h],
+   AC_DEFINE([ENABLE_ASYNC_PUSH], [1], [Enable async push]),
+   AC_MSG_ERROR([inotify.h not found.])
+   )
+fi
+
 CONFIGURE_DEFINES="`set | grep '^enable_.*=' ; set | grep '^with_.*='`"
 AC_DEFINE_UNQUOTED([CONFIGURE_DEFINES], ["`echo ${CONFIGURE_DEFINES}`"], 
[Configuration settings])
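Review bot: the failure branch `AC_MSG_ERROR([inotify.h not found.])` is only reached because the user explicitly asked for `--enable-async-push`, but the message does not say so; `AC_MSG_ERROR([--enable-async-push requires sys/inotify.h (Linux inotify)])` tells them which option to drop. Also, `AC_CHECK_HEADERS` with a single header is normally written `AC_CHECK_HEADER`; the plural form additionally defines HAVE_SYS_INOTIFY_H, which nothing in this patch uses.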

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 7a5d383..134905c 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1371,6 +1371,9 @@ io_wait_dowork (struct context *c, const unsigned int 
flags)
 #ifdef ENABLE_MANAGEMENT
   static int management_shift = 6; /* depends on MANAGEMENT_READ and 
MANAGEMENT_WRITE */
 #endif
+#ifdef ENABLE_ASYNC_PUSH
+  static int file_shift = 8;
+#endif

   /*
* Decide what kind of events we want to wait for.
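Review bot: `static int file_shift = 8;` is an undocumented magic number, whereas the neighbouring `management_shift` carries a comment saying which event bits it depends on. Please add the same kind of comment (which event bit the inotify descriptor is mapped to and what it must not collide with), or define the bit alongside the other event bit constants so a later change to the bit layout cannot silently make the two shifts overlap.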
@@ -1465,6 +1468,11 @@ io_wait_dowork (struct context *c, const unsigned int 
flags)
 management_socket_set (management, c->c2.event_set, 
(void*)_shift, NULL);
 #endif

+#ifdef ENABLE_ASYNC_PUSH
+  /* arm inotify watcher */
+  event_ctl (c->c2.event_set, c->c2.inotify_fd, EVENT_READ, 
(void*)_shift);
+#endif
+
   /*
* Possible scenarios:
*  (1) tcp/udp port has data available to read
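Review bot: `event_ctl (c->c2.event_set, c->c2.inotify_fd, EVENT_READ, ...)` arms the descriptor unconditionally whenever ENABLE_ASYNC_PUSH is compiled in; nothing here checks that inotify_fd was actually set up, so a context in which inotify_init() failed (or was never called) would register -1 with the event set on every pass through io_wait_dowork. Suggest wrapping the call in `if (c->c2.inotify_fd >= 0)` and initialising inotify_fd to -1 where the context is set up.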
diff --git a/src/openvpn/mtcp.c b/src/openvpn/mtcp.c
index dc15f09..b27c5eb 100644
--- a/src/openvpn/mtcp.c
+++ b/src/openvpn/mtcp.c
@@ -62,6 +62,10 @@
 # define MTCP_MANAGEMENT ((void*)4)
 #endif

+#ifdef ENABLE_ASYNC_PUSH
+#define MTCP_FILE_CLOSE_WRITE ((void*)5)
+#endif
+
 #define MTCP_N   ((void*)16) /* upper bound on MTCP_x */

 struct ta_iow_flags
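Review bot: the new `#define MTCP_FILE_CLOSE_WRITE ((void*)5)` does not follow the indented `# define` style of the surrounding MTCP_x constants (see `# define MTCP_MANAGEMENT ((void*)4)` directly above), and the name narrows the event to close-after-write although the description says the watch also fires when the control file is removed; a neutral name such as `MTCP_FILE_EVENT` would match what the handler deals with.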
@@ -245,6 +249,12 @@ multi_tcp_wait (const struct context *c,
   if (management)
 management_socket_set (management, mtcp->es, MTCP_MANAGEMENT, 
>management_persist_flags);
 #endif
+
+#ifdef ENABLE_ASYNC_PUSH
+  /* arm inotify watcher */
+  event_ctl (mtcp->es, c->c2.inotify_fd, EVENT_READ, MTCP_FILE_CLOSE_WRITE);
+#endif
+
   status = event_wait (mtcp->es, >c2.timeval, mtcp->esr, mtcp->maxevents);
   update_time ();
   mtcp->n_esr = 0;
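Review bot: `event_ctl (mtcp->es, c->c2.inotify_fd, EVENT_READ, MTCP_FILE_CLOSE_WRITE);` is issued without checking that inotify_fd is valid, the same as in forward.c's io_wait_dowork; a failed inotify_init() would push -1 into the event set on every call of multi_tcp_wait. Guard it with `if (c->c2.inotify_fd >= 0)`.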
@@ -636,6 +646,12 @@ multi_tcp_process_io (struct multi_context *m)
{
  get_signal (>top.sig->signal_received);
}
+#ifdef ENABLE_ASYNC_PUSH
+ else if (e->arg == MTCP_FILE_CLOSE_WRITE)
+   {
+ multi_process_file_closed (m, MPP_PRE_SELECT | MPP_RECORD_TOUCH);
+   }
+#endif
}
   if (IS_SIG (>top))
break;
@@ -684,6 +700,14 @@ tunnel_server_tcp (struct context *top)
   /* finished with initialization */
   initialization_sequence_completed (top, ISC_SERVER); /* --mode server 
--proto tcp-server */

+#ifdef ENABLE_ASYNC_PUSH
+  multi.top.c2.inotify_fd = inotify_init();
+  if 
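Review bot: `multi.top.c2.inotify_fd = inotify_init();` creates the descriptor without close-on-exec. This process execs client-connect and other scripts, so every child would inherit the inotify fd and could read the authentication events meant for the server. Prefer `inotify_init1(IN_CLOEXEC | IN_NONBLOCK)` (Linux 2.6.27+); non-blocking mode also keeps a read() on the descriptor from ever stalling the event loop. The error handling that follows the `if` is not visible in this copy of the hunk.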
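The bookkeeping the cover letter describes (watch descriptor mapped to a client instance, a watch added only once per instance, the mapping always removed when the control file is closed or deleted) can be shown in isolation. The following is an added example written for this page, not code from the patch or from OpenVPN: `client_instance`, `watch_table`, `watch_add`, `watch_remove` and `process_events` are hypothetical names, the control-file paths are constructed under /tmp, and a real server would read the authenticator's verdict from the file and send the push reply where this code only marks the instance complete. Linux only, since it uses inotify.

```c
/* Added example, not code from the patch: a stand-alone model of the cover
 * letter's watch bookkeeping (wd -> client instance, armed once per instance,
 * always dropped on close-after-write or deletion).  Names hypothetical. Linux only. */
#define _GNU_SOURCE
#include <sys/inotify.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#define MAX_WATCHES 16

struct client_instance { int wd; int auth_done; char control_file[64]; }; /* wd == -1: no watch */
struct watch_entry { int wd; struct client_instance *inst; };
struct watch_table { struct watch_entry e[MAX_WATCHES]; int n; };

static struct client_instance *watch_lookup(const struct watch_table *t, int wd)
{
    for (int i = 0; i < t->n; i++)
        if (t->e[i].wd == wd) return t->e[i].inst;
    return NULL;
}

/* Arm a watch; a repeat call for the same instance returns the existing wd. */
static int watch_add(struct watch_table *t, int ifd, struct client_instance *inst)
{
    if (inst->wd >= 0) return inst->wd;
    if (t->n >= MAX_WATCHES) return -1;
    int wd = inotify_add_watch(ifd, inst->control_file, IN_CLOSE_WRITE | IN_DELETE_SELF);
    if (wd < 0) return -1;
    t->e[t->n].wd = wd;
    t->e[t->n++].inst = inst;
    return inst->wd = wd;
}

/* Drop the mapping for wd.  rm_kernel is 0 when the kernel already removed the
 * watch (file deleted), so inotify_rm_watch never runs on a dead descriptor. */
static void watch_remove(struct watch_table *t, int ifd, int wd, int rm_kernel)
{
    for (int i = 0; i < t->n; i++) {
        if (t->e[i].wd != wd) continue;
        t->e[i].inst->wd = -1;
        if (rm_kernel) inotify_rm_watch(ifd, wd);
        t->e[i] = t->e[--t->n];           /* swap-remove */
        return;
    }
}

/* Drain the non-blocking inotify queue.  IN_CLOSE_WRITE completes the instance
 * (a real server would now read the verdict and send the push reply); deletion
 * only tears the mapping down.  Returns the number of instances completed. */
static int process_events(struct watch_table *t, int ifd)
{
    union { struct inotify_event ev; char buf[4096]; } u;   /* keeps buf aligned */
    int completed = 0;
    ssize_t len;
    while ((len = read(ifd, u.buf, sizeof u.buf)) > 0) {
        for (char *p = u.buf; p < u.buf + len;) {
            const struct inotify_event *ev = (const struct inotify_event *)p;
            struct client_instance *inst = watch_lookup(t, ev->wd);
            if (inst && (ev->mask & IN_CLOSE_WRITE)) {
                inst->auth_done = 1;
                watch_remove(t, ifd, ev->wd, 1);
                completed++;
            } else if (inst && (ev->mask & (IN_DELETE_SELF | IN_IGNORED))) {
                watch_remove(t, ifd, ev->wd, 0);
            }
            p += sizeof *ev + ev->len;
        }
    }
    return completed;
}

/* Create an empty control file (the fd is closed before any watch exists). */
static int create_empty(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    return fd < 0 ? -1 : close(fd);
}

/* Constructed scenario: a's authenticator writes "1" and closes, b's file is
 * deleted.  Returns 10 + completed if every invariant held, else the bare count. */
static int run_demo(void)
{
    struct watch_table t = { .n = 0 };
    struct client_instance a = { .wd = -1 }, b = { .wd = -1 };
    snprintf(a.control_file, sizeof a.control_file, "/tmp/async_push_a_%ld", (long)getpid());
    snprintf(b.control_file, sizeof b.control_file, "/tmp/async_push_b_%ld", (long)getpid());
    int ifd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC); /* CLOEXEC: exec'd scripts must not inherit it */
    if (ifd < 0 || create_empty(a.control_file) || create_empty(b.control_file)) return -1;

    int wd1 = watch_add(&t, ifd, &a), wd2 = watch_add(&t, ifd, &a); /* repeat: same wd */
    watch_add(&t, ifd, &b);
    int ok = wd1 >= 0 && wd1 == wd2 && t.n == 2;

    int fd = open(a.control_file, O_WRONLY | O_TRUNC);
    if (fd < 0 || write(fd, "1\n", 2) != 2 || close(fd)) ok = 0;   /* close -> IN_CLOSE_WRITE for a */
    unlink(b.control_file);                /* -> IN_DELETE_SELF, then IN_IGNORED for b */

    int completed = process_events(&t, ifd);
    ok = ok && a.auth_done && !b.auth_done && t.n == 0 && a.wd == -1 && b.wd == -1;
    unlink(a.control_file);
    close(ifd);
    return ok ? 10 + completed : completed;
}

int main(void) { printf("run_demo() = %d (11 expected)\n", run_demo()); return 0; }
```

The two v2 points from the cover letter are the two invariants `run_demo` checks: the second `watch_add` for the same instance returns the same descriptor without a second table entry, and after the events are drained both instances have `wd == -1` and the table is empty, whether the file was closed (where the code removes the kernel watch itself) or deleted (where the kernel has already dropped it and only the mapping needs to go). The descriptor is created with IN_CLOEXEC so scripts the daemon execs cannot inherit it.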

Re: [Openvpn-devel] russian language fixes

2015-10-07 Thread Anatoly Pugachev
On Wed, Oct 7, 2015 at 10:27 AM, Samuli Seppänen wrote:

> Hi,
>
> It seems that openvpn-gui development has stalled for quite a while, and
> I've had my own share of issues with getting patches in. To simplify the
> OpenVPN release process at my end I forked openvpn-gui a while back:
>
> 
>
> We may want to use my private openvpn-gui fork for now - the official
> openvpn-gui tarballs[1] are already built from my own Git repo. If
> something happens in the official SF.net openvpn-gui Git repo we can always
> merge those changes back to my fork.
>
>
please, commit/pull/push https://github.com/mattock/openvpn-gui/pull/1
Thanks.


Re: [Openvpn-devel] Topics for today's (Monday, 5th Oct 2015) community meeting (note: 30 mins early)

2015-10-07 Thread Samuli Seppänen

Hi,

Here's the summary of today's IRC meeting. Better late than never.

---

COMMUNITY MEETING

Place: #openvpn-devel on irc.freenode.net
List-Post: openvpn-devel@lists.sourceforge.net
Date: Monday 5th Oct 2015
Time: 20:00 CEST (18:00 UTC)

Planned meeting topics for this meeting were here:



The next meeting has not been scheduled yet.

Your local meeting time is easy to check from services such as



SUMMARY

cron2, ecrist, krzee, lev, mattock, syzzer, TimSmall and ValdikSS 
participated in this meeting.


---

Discussed CloudFlare HTTPS caching, which was recently enabled on 
community.openvpn.net due to a DoS attack. As CloudFlare had the private 
key even before this incident, disabling caching again does not make 
much sense from a security perspective.


---

Discussed the arrival schedules and made plans for the Delft hackathon. 
All important details are on the Trac DelftHackathon2015 page:




---

Discussed Windows building. Cron2 gave lev's MSVC patches an ACK and 
will merge them.


---

Discussed the option of bundling some other OpenVPN Windows GUI with 
OpenVPN Windows installers. The problem with current one (OpenVPN-GUI) 
is that it has not been maintained actively in two years. According to 
ValdikSS there are several actively maintained, featureful and stable 
GUIs for Windows. Mattock will ask ValdikSS to compile a list of options.


---

Discussed the Windows 10 DNS leak issue:



It was agreed that integrating the code into win32.c is reasonable. It 
was also agreed to get some feedback from James during the hackathon 
before moving forward with this.


---

Discussed the "Expired server cert not shown as error message" issue:



It was agreed that warning about certificate expiration makes perfect 
sense on the client side.


---

Discussed the "Privileges not being dropped if the first connection is 
not successful" patch:




The latest incarnation of the patch got an ACK from cron2 and syzzer, 
but the patch was mangled and did not merge. Syzzer promised to ask for 
a properly formatted version.


---

Discussed the "RFC changes to the auth-pam plugin" patch:



Dazo had promised to review the patch at the hackathon the upcoming Friday. 
TimSmall will try to be mostly available that day for discussion.


---

Full chatlog has been attached to this email.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
(20:30:49) mattock: howdy
(20:31:09) lev__: good evening!
(20:31:17) mattock: good evening lev!
(20:32:08) lev__: it is -0.4°C outside here
(20:32:39) mattock: oh, that cold already, here it is 5 degrees
(20:33:18) lev__: mattock1: you live way too south 
(20:33:31) mattock: yes :)
(20:33:40) mattock: james just informed me that he'll be on plane today, so he 
won't make it
(20:33:47) mattock: I assume he's flying to Europe already
(20:33:58) syzzer: ah, probably yes
(20:34:06) syzzer: makes sense for such a long flight
(20:34:30) mattock: yep, and he likes to travel, so he probably wants a few 
days off the hackathon
(20:34:32) mattock: ok, let's see
(20:34:38) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2015-10-05
(20:34:40) vpnHelper: Title: Topics-2015-10-05 – OpenVPN Community (at 
community.openvpn.net)
(20:34:49) cron2: howdy!
(20:34:56) mattock: hi cron2!
(20:35:11) mattock: I have about 40 minutes of effective meeting time
(20:35:15) ***ecrist is here.
(20:35:18) mattock: hi ecrist!
(20:35:19) cron2: ok, so get your T-Shirts organized!
(20:35:31) mattock: no way, too late already :P
(20:35:31) syzzer: :')
(20:36:04) ***cron2 thinks mattock1 will need to sponsor one of the evening's 
drinks then...!
(20:36:22) mattock: what if we cover "my topics" first? topic #5 for example, 
and topic #1
(20:36:25) ecrist: I'll only be here another 15 minutes or so.
(20:36:26) cron2: anyway - mattock1: since you're time-constrained, 
(20:36:28) mattock: cron2: we'll see
(20:36:33) cron2: yah, that's what I wanted to suggest :)
(20:36:35) cron2: go for it
(20:36:46) cron2: ok, what about #1?
(20:36:57) mattock: let's do #5 first, it's small
(20:37:02) mattock: cloudflare on community.openvpn.net
(20:37:22) mattock: so raidz turned cloudflare on there, because there was a 
DoS there a few days back
(20:37:37) ecrist: yes.
(20:37:38) mattock: how opposed to CloudFlare + SSL are we?
(20:37:47) mattock: shall I ask him to turn cloudflare caching off?
(20:37:49) cron2: how easy is it to turn it on and off?
(20:37:56) mattock: not sure, but it's probably quite doable
(20:38:04) syzzer: I guess they have the pubkey now anyway?
(20:38:10) syzzer: uh, private key ofc

Re: [Openvpn-devel] russian language fixes

2015-10-07 Thread Samuli Seppänen

Hi,

It seems that openvpn-gui development has stalled for quite a while, and 
I've had my own share of issues with getting patches in. To simplify the 
OpenVPN release process at my end I forked openvpn-gui a while back:




We may want to use my private openvpn-gui fork for now - the official 
openvpn-gui tarballs[1] are already built from my own Git repo. If 
something happens in the official SF.net openvpn-gui Git repo we can 
always merge those changes back to my fork.


As discussed in the previous community meeting we also need to consider the 
option of replacing openvpn-gui with something that's more actively 
maintained.


Thoughts?

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

[1] 



I posted a similar patch a year ago directly to the openvpn-gui
sourceforge page and it seems to be gone.
So please apply this.

On 06.10.2015 11:45, Anatoly Pugachev wrote:


Hello!

Can you please apply patch from trac ticket 446. Thanks.

https://community.openvpn.net/openvpn/ticket/446



--


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel







Re: [Openvpn-devel] Help with build-testing a patched OpenVPN tree with Cygwin and Visual Studio?

2015-10-07 Thread Samuli Seppänen

I also updated information on these pages:




Both had some pretty badly outdated information.

Samuli



I added this as a Trac "volunteer" task:



We have not advertised the "[needs] volunteer" tasks much, so here they are:



Samuli



Hi,

jftr...

On Fri, Sep 25, 2015 at 03:01:01PM +0300, Samuli Seppänen wrote:

We'd need some help build-testing a patched[*] OpenVPN version with
Cygwin and Visual Studio:



This tree already builds fine on mingw_w64 which is enough for doing the
official builds.


Heiko tested on Cygwin, Lev made it work on MSVC2013 (and the necessary
changes for that have been merged).

So, now this needs people to actually run IPv6-over-IPv6 to *use* the
functionality and report whether it breaks in their setup.

What you need: IPv6 connectivity between OpenVPN client and server, and
IPv6 routing *into* the tunnel, with a route that overlaps the IPv6 address
of the server - either using "redirect-gateway ipv6", or pushing things
like "route-ipv6 2000::/3" with a server inside 2000::/3...  if you do
this, you should see something like this in the log:

Tue Oct  6 13:28:57 2015 GDG6: remote_host_ipv6=2607:fc50:1001:5200::4
Tue Oct  6 13:28:57 2015 ROUTE6_GATEWAY 2001:608:4::1 IFACE=eth0
Tue Oct  6 13:28:57 2015 ROUTE6: 2607:fc50:1001::/48 overlaps IPv6 remote 
2607:fc50:1001:5200::4, adding host route to VPN endpoint
Tue Oct  6 13:28:57 2015 add_route_ipv6(2607:fc50:1001:5200::4/128 -> 
2001:608:4::1 metric 1) dev eth0
Tue Oct  6 13:28:57 2015 /bin/route -A inet6 add 2607:fc50:1001:5200::4/128 dev 
eth0 gw 2001:608:4::1 metric 1

the first line is "this is the IPv6 address of the VPN server", the
"ROUTE6_GATEWAY" line is "this is the gateway and interface we have
discovered!".  The "overlap" notice means the feature will actually
kick in - it won't, if you have no overlapping routes into the tunnel,
or connect over IPv4 - and the last two lines are the installing of
the /128 host route, which better should work as well :-)

I tested this for 6 scenarios on 9 (!) platforms, so I'm reasonably sure
it works for the common case - but there will be unexpected cases...

gert










Re: [Openvpn-devel] Help with build-testing a patched OpenVPN tree with Cygwin and Visual Studio?

2015-10-07 Thread Samuli Seppänen

I added this as a Trac "volunteer" task:



We have not advertised the "[needs] volunteer" tasks much, so here they are:



Samuli



Hi,

jftr...

On Fri, Sep 25, 2015 at 03:01:01PM +0300, Samuli Seppänen wrote:

We'd need some help build-testing a patched[*] OpenVPN version with
Cygwin and Visual Studio:



This tree already builds fine on mingw_w64 which is enough for doing the
official builds.


Heiko tested on Cygwin, Lev made it work on MSVC2013 (and the necessary
changes for that have been merged).

So, now this needs people to actually run IPv6-over-IPv6 to *use* the
functionality and report whether it breaks in their setup.

What you need: IPv6 connectivity between OpenVPN client and server, and
IPv6 routing *into* the tunnel, with a route that overlaps the IPv6 address
of the server - either using "redirect-gateway ipv6", or pushing things
like "route-ipv6 2000::/3" with a server inside 2000::/3...  if you do
this, you should see something like this in the log:

Tue Oct  6 13:28:57 2015 GDG6: remote_host_ipv6=2607:fc50:1001:5200::4
Tue Oct  6 13:28:57 2015 ROUTE6_GATEWAY 2001:608:4::1 IFACE=eth0
Tue Oct  6 13:28:57 2015 ROUTE6: 2607:fc50:1001::/48 overlaps IPv6 remote 
2607:fc50:1001:5200::4, adding host route to VPN endpoint
Tue Oct  6 13:28:57 2015 add_route_ipv6(2607:fc50:1001:5200::4/128 -> 
2001:608:4::1 metric 1) dev eth0
Tue Oct  6 13:28:57 2015 /bin/route -A inet6 add 2607:fc50:1001:5200::4/128 dev 
eth0 gw 2001:608:4::1 metric 1

the first line is "this is the IPv6 address of the VPN server", the
"ROUTE6_GATEWAY" line is "this is the gateway and interface we have
discovered!".  The "overlap" notice means the feature will actually
kick in - it won't, if you have no overlapping routes into the tunnel,
or connect over IPv4 - and the last two lines are the installing of
the /128 host route, which better should work as well :-)

I tested this for 6 scenarios on 9 (!) platforms, so I'm reasonably sure
it works for the common case - but there will be unexpected cases...

gert




--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
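The check gert's mail describes, a pushed IPv6 route that "overlaps" the server's own IPv6 address and therefore needs a /128 host route through the discovered gateway, can be written out in a few lines. The following is an added example for this page and is not OpenVPN's route.c code: `route_overlaps_remote` and `host_route_for` are hypothetical names, the addresses and the gateway are taken from the log lines quoted above, and the 2001:db8::/32 and IPv4 cases are constructed to show when the feature stays idle (no overlap, or the client connected over IPv4).

```c
/* Added example, not OpenVPN code: the IPv6 route/remote overlap test that
 * decides whether a /128 host route to the VPN server is needed. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* 1 if remote is an IPv6 address inside net/prefix_len, 0 otherwise
 * (including an IPv4 or unparsable remote, or a bad prefix length). */
static int route_overlaps_remote(const char *net, int prefix_len, const char *remote)
{
    struct in6_addr n, r;
    if (prefix_len < 0 || prefix_len > 128) return 0;
    if (inet_pton(AF_INET6, net, &n) != 1 || inet_pton(AF_INET6, remote, &r) != 1) return 0;
    int full = prefix_len / 8, rem = prefix_len % 8;   /* whole bytes, then leftover bits */
    if (memcmp(n.s6_addr, r.s6_addr, (size_t)full) != 0) return 0;
    if (rem) {
        unsigned char mask = (unsigned char)(0xffu << (8 - rem));
        if ((n.s6_addr[full] & mask) != (r.s6_addr[full] & mask)) return 0;
    }
    return 1;
}

/* Format the host route the log shows when the overlap applies.  Returns 1 and
 * fills out, or 0 and empties out when no host route is needed. */
static int host_route_for(const char *net, int prefix_len, const char *remote,
                          const char *gw, const char *iface, char *out, size_t outlen)
{
    if (!route_overlaps_remote(net, prefix_len, remote)) {
        if (outlen) out[0] = '\0';
        return 0;
    }
    snprintf(out, outlen, "add_route_ipv6(%s/128 -> %s metric 1) dev %s", remote, gw, iface);
    return 1;
}

int main(void)
{
    /* server address, gateway and interface from the log lines in the mail above */
    const char *remote = "2607:fc50:1001:5200::4", *gw = "2001:608:4::1", *dev = "eth0";
    char route[160];
    struct { const char *net; int len; } cases[] = {
        { "2607:fc50:1001::", 48 },   /* the logged ROUTE6 overlap */
        { "2000::", 3 },              /* route-ipv6 2000::/3 also covers the server */
        { "2001:db8::", 32 },         /* constructed: no overlap, nothing to add */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int need = host_route_for(cases[i].net, cases[i].len, remote, gw, dev, route, sizeof route);
        printf("%s/%d: %s\n", cases[i].net, cases[i].len, need ? route : "no overlap, nothing to add");
    }
    return 0;
}
```

The prefix comparison is done on the raw 16 bytes rather than on text, which is what makes "2000::/3 with a server inside 2000::/3" work: only the top three bits of the first byte are compared. An IPv4 remote fails `inet_pton(AF_INET6, ...)` and so never produces a host route, matching the note in the mail that the feature does not kick in when the client connects over IPv4.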