Re: [Openvpn-devel] [PATCH applied] Fix commit c67acea173dc9ee37220f5b9ff14ede081181992

2015-10-15 Thread David Sommerseth

Forgot release/2.3 ... it's added there too as
commit f417db630353648a0bd1cd9d634413ce446fe900

I changed the subject line in the release/2.3 commit to match the proper
cherry picked commit in that branch.

On 15/10/15 16:50, David Sommerseth wrote:
> From: David Sommerseth 
> 
> 
> Your patch has been applied to the master branch.
> 
> commit cba33989101175ac07434b9c5cceba116bf38127
> Author: Arne Schwabe
> Date:   Wed Oct 14 15:05:56 2015 +0200
> 
>  Fix commit c67acea173dc9ee37220f5b9ff14ede081181992
> 
>  Acked-by: Lev Stipakov 
>  Message-Id: 1444827956-2169-1-git-send-email-a...@rfc2549.org
>  URL: http://article.gmane.org/gmane.network.openvpn.devel/10271
>  Signed-off-by: David Sommerseth 

-- 
kind regards,

David Sommerseth





Re: [Openvpn-devel] [PATCH applied] Refine float logging

2015-10-15 Thread David Sommerseth
From: David Sommerseth 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Your patch has been applied to the master branch.

commit 5203d8094f38a9d23d983377171c11b1d3a82ad2
Author: Lev Stipakov
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Thu Oct 15 14:39:42 2015 +0300

 Refine float logging

 Signed-off-by: Lev Stipakov 
 Acked-by: Steffan Karger 
 Message-Id: 1444909182-11785-1-git-send-email-lstipa...@gmail.com
 URL: http://article.gmane.org/gmane.network.openvpn.devel/10276
 Signed-off-by: David Sommerseth 

- --
kind regards,

David Sommerseth

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlYfvhUACgkQDC186MBRfroFDwCfbG96a12WyLwwvtUXERXnNH5m
5WcAn30rIfWxNfBfkdlxXPmDRvD07+La
=zRPD
-----END PGP SIGNATURE-----



Re: [Openvpn-devel] [PATCH applied] Fix commit c67acea173dc9ee37220f5b9ff14ede081181992

2015-10-15 Thread David Sommerseth
From: David Sommerseth 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Your patch has been applied to the master branch.

commit cba33989101175ac07434b9c5cceba116bf38127
Author: Arne Schwabe
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Wed Oct 14 15:05:56 2015 +0200

 Fix commit c67acea173dc9ee37220f5b9ff14ede081181992

 Acked-by: Lev Stipakov 
 Message-Id: 1444827956-2169-1-git-send-email-a...@rfc2549.org
 URL: http://article.gmane.org/gmane.network.openvpn.devel/10271
 Signed-off-by: David Sommerseth 

- --
kind regards,

David Sommerseth

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlYfvTsACgkQDC186MBRfrpY3gCffS0SPSnNevLssNasbI0bX00S
X5IAoJkFGC+Yvk3IBSKTpn4+ilQ6MB0X
=yV5l
-----END PGP SIGNATURE-----



[Openvpn-devel] [PATCH] Start Changes.rst that lists changes in 2.4.0

2015-10-15 Thread Arne Schwabe
This list is probably incomplete but should give a good starting point
---
 Changes.rst | 66 +
 1 file changed, 66 insertions(+)
 create mode 100644 Changes.rst

diff --git a/Changes.rst b/Changes.rst
new file mode 100644
index 000..24afb5c
--- /dev/null
+++ b/Changes.rst
@@ -0,0 +1,66 @@
+Version 2.4.0
+=
+
+
+New features
+
+
+keying-material-exporter
+Keying Material Exporter [RFC-5705] allow additional keying material to be
+derived from existing TLS channel. 
+
+redirect-gateway ipv6
+OpenVPN has now feature parity between IPv4 and IPv6 for redirect
+gateway including the handling of overlapping IPv6 routes with
+IPv6 remote VPN server address
+
+Mac OS X Keychain management client
+add contrib/keychain-mcd which allows to use Mac OS X keychain
+certificates with OpenVPN
+
+Peer ID support
+Added new packet format P_DATA_V2, which includes peer-id. If
+server and client  support it, client sends all data packets in
+the new format. When data packet arrives, server identifies peer
+by peer-id. If peer's ip/port has changed, server assumes that
+client has floated, verifies HMAC and updates ip/port in internal structs.
+
+Dualstack client connect
+Instead of only using the first address of each --remote OpenVPN
+will now try all addresses (IPv6 and IPv4) of a --remote entry.
+
+LZ4 Compression
+Additionally to LZO compression OpenVPN now also supports LZ4
+compression.
+
+Changes
+---
+- proto udp and proto tcp specify to use IPv4 and IPv6. The new
+  options proto udp4 and tcp4 specify to use IPv4 only.
+
+- connect-timeout specifies now the timeout until the first TLS packet
+  is received (identical to server-poll-timeout) and this timeout now
+  includes the removed socks proxy timeout and http proxy timeout.
+
+  In --static mode connect-timeout specifies the timeout for TCP and
+  proxy connection establishment 
+
+
+- connect-retry now specifies the maximum number of unsucessfully
+  trying all remote/connection entries before exiting.
+
+- sndbuf and recvbuf default now to OS default instead of 64k
+
+- OpenVPN exits with  an error if an option has extra parameters;
+  previously they were silently ignored
+
+- The default of tls-cipher is now "DEFAULT:!EXP:!PSK:!SRP:!kRSA"
+  instead of "DEFAULT" to always select perfect forward security
+  cipher suites
+
+- --tls-auth always requires OpenVPN static key files and will no
+  longer work with free form files
+
+- proto udp6/tcp6 in server mode will now try to always listen to
+  both IPv4 and IPv6 on platforms that allow it. Use bind ipv6only
+  to explicitly listen only on IPv6.
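Review bot: the tls-cipher entry under "Changes" says the new default "DEFAULT:!EXP:!PSK:!SRP:!kRSA" was chosen "to always select perfect forward security cipher suites"; the property is perfect forward secrecy, and the string gets it by excluding static RSA key exchange (kRSA) so that only the (EC)DHE suites left in DEFAULT remain. That is worth spelling out, because an admin who overrides --tls-cipher gives the guarantee up again. In the same hunk, the Peer ID entry should make the ordering explicit: the server "verifies HMAC and updates ip/port" only when the HMAC check passes, since a forged packet carrying a valid peer-id must not be able to move a session to the sender's address. Smaller wording fixes: "Keying Material Exporter [RFC-5705] allow" should be "allows", "unsucessfully trying" should be "unsuccessfully trying", and "Additionally to LZO compression" reads better as "In addition to LZO compression".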
-- 
2.3.8 (Apple Git-58)




[Openvpn-devel] [PATCH V2] Do not set the buffer size by default but rely on the operating system default.

2015-10-15 Thread Arne Schwabe
Also remove SOCKET_SND_RCV_BUF_MAX since limiting the buffer to 1000k is
arbitrary and all OSes impose a maximum that can be set anyway.

closes trac ticket #461

V2: SOCKET_SND_RCV_BUF_MAX removal
---
 doc/openvpn.8 |  4 ++--
 src/openvpn/options.c |  4 
 src/openvpn/socket.c  | 16 +---
 src/openvpn/socket.h  |  5 -
 4 files changed, 7 insertions(+), 22 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index b8fb2e5..f305c58 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -1418,12 +1418,12 @@ connection problems) with the following options:
 .TP
 .B \-\-sndbuf size
 Set the TCP/UDP socket send buffer size.
-Currently defaults to 65536 bytes.
+Defaults to operation system default.
 .\"*
 .TP
 .B \-\-rcvbuf size
 Set the TCP/UDP socket receive buffer size.
-Currently defaults to 65536 bytes.
+Defaults to operation system default.
 .\"*
 .TP
 .B \-\-mark value
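Review bot: "Defaults to operation system default." should read "Defaults to the operating system default." in both the --sndbuf and --rcvbuf entries. Since the value is now handed to setsockopt without the previous upper bound, the man page should also warn that the kernel may clamp it silently (on Linux SO_SNDBUF and SO_RCVBUF are capped by net.core.wmem_max and net.core.rmem_max without returning an error), so a user who configures a large buffer should check what the socket actually got rather than assume the option took effect.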
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 55db81a..086dcea 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -783,10 +783,6 @@ init_options (struct options *o, const bool init_gc)
 #ifdef ENABLE_FEATURE_TUN_PERSIST
   o->persist_mode = 1;
 #endif
-#ifndef WIN32
-  o->rcvbuf = 65536;
-  o->sndbuf = 65536;
-#endif
 #ifdef TARGET_LINUX
   o->tuntap_options.txqueuelen = 100;
 #endif
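Review bot: the removed block sits inside #ifndef WIN32, so Windows never had the 65536 default and this hunk makes the platforms consistent; the commit message should say so. It also means o->sndbuf and o->rcvbuf now start at whatever init_options leaves in the struct (presumably zero), so the behaviour depends on the call site treating that unset value as "do not touch the socket buffers". That call site is not in this diff; please confirm it still has a non-zero check before calling socket_set_sndbuf/socket_set_rcvbuf, otherwise every socket now gets a setsockopt call with size 0.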
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index b4032b8..dd8ea29 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -624,12 +624,9 @@ static void
 socket_set_sndbuf (int sd, int size)
 {
 #if defined(HAVE_SETSOCKOPT) && defined(SOL_SOCKET) && defined(SO_SNDBUF)
-  if (size > 0 && size < SOCKET_SND_RCV_BUF_MAX)
+  if (setsockopt (sd, SOL_SOCKET, SO_SNDBUF, (void *) , sizeof (size)) != 
0)
 {
-  if (setsockopt (sd, SOL_SOCKET, SO_SNDBUF, (void *) , sizeof 
(size)) != 0)
-   {
- msg (M_WARN, "NOTE: setsockopt SO_SNDBUF=%d failed", size);
-   }
+  msg (M_WARN, "NOTE: setsockopt SO_SNDBUF=%d failed", size);
 }
 #endif
 }
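Review bot: the removed condition `if (size > 0 && size < SOCKET_SND_RCV_BUF_MAX)` did two jobs and the commit message only argues against the upper bound. Without the `size > 0` part, a zero size (the unconfigured default once options.c stops setting 65536) reaches setsockopt unconditionally; on Linux SO_SNDBUF=0 does not fail but is clamped to the kernel minimum, so the socket ends up with a tiny send buffer and the "NOTE: setsockopt SO_SNDBUF=%d failed" warning never fires. Either keep `if (size > 0)` around the call here, or make sure the only caller skips this function when the option is unset.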
@@ -653,13 +650,10 @@ static bool
 socket_set_rcvbuf (int sd, int size)
 {
 #if defined(HAVE_SETSOCKOPT) && defined(SOL_SOCKET) && defined(SO_RCVBUF)
-  if (size > 0 && size < SOCKET_SND_RCV_BUF_MAX)
+  if (setsockopt (sd, SOL_SOCKET, SO_RCVBUF, (void *) , sizeof (size)) != 
0)
 {
-  if (setsockopt (sd, SOL_SOCKET, SO_RCVBUF, (void *) , sizeof 
(size)) != 0)
-   {
- msg (M_WARN, "NOTE: setsockopt SO_RCVBUF=%d failed", size);
- return false;
-   }
+  msg (M_WARN, "NOTE: setsockopt SO_RCVBUF=%d failed", size);
+  return false;
 }
   return true;
 #endif
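Review bot: the `size > 0` guard is dropped here as well, and because the kernel accepts SO_RCVBUF=0 (clamping it to its minimum) this function returns true for a size that was never meaningfully applied, so a caller that uses the return value to decide whether the receive buffer is sane cannot distinguish "applied" from "clamped to a few KB". Either keep the non-zero check in this function or, after the call, log the value getsockopt reports rather than the one that was requested.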
diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h
index 30b6ace..da224dd 100644
--- a/src/openvpn/socket.h
+++ b/src/openvpn/socket.h
@@ -42,11 +42,6 @@
 #define OPENVPN_PORT "1194"

 /*
- * Maximum size passed passed to setsockopt SNDBUF/RCVBUF
- */
-#define SOCKET_SND_RCV_BUF_MAX 100
-
-/*
  * Number of seconds that "resolv-retry infinite"
  * represents.
  */
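Review bot: with SOCKET_SND_RCV_BUF_MAX gone, the only bound left on a user-supplied --sndbuf/--rcvbuf is the kernel's own (net.core.wmem_max and net.core.rmem_max on Linux), which clamps silently instead of failing, so the "setsockopt ... failed" warning in socket.c will not fire for oversized values. The commit message's "all OSes impose a maximum that can be set anyway" is right, but it should add that the user gets no feedback when that maximum is hit. (The archive copy shows the removed value as 100; the commit message says 1000k.)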
-- 
2.3.8 (Apple Git-58)





Re: [Openvpn-devel] [PATCH v3] Notify clients about server's exit/restart

2015-10-15 Thread Arne Schwabe


Am 13.10.15 um 16:45 schrieb Lev Stipakov:
> When the server exits / restarts (gets SIGUSR1, SIGTERM, SIGHUP, SIGINT) and
> explicit-exit-notify is set, the server sends the RESTART control channel command to
> all clients and reschedules the received signal in 2 secs.
>
> When the client receives the RESTART command, it either reconnects to the same server
> or advances to the new one, depending on the parameter that comes with the RESTART
> command; the behavior is controlled by explicit-exit-notify in the server config.
>
> v3:
>  - Use control channel "RESTART" command instead of new OCC code to
> notify clients
>  - Configure on the server side (by value of explicit-exit-notify) if
> client should reconnect to the same server or advance to the next one
>  - Fix compilation when OCC is disabled (--enable-small)
>  - Update man page
>
>
This gets an ACK from me. As an additional note, we should add a follow-up so
that a server shutting down does not accept new clients. My client
reconnects in the 2s shutdown interval.

Arne
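The server-side RESTART flow that Lev's patch describes, and the gap Arne points out (a client reconnecting inside the 2-second grace window and being accepted by a server that is about to exit), can be seen in a small model. This is an added example and not code from OpenVPN or from this patch: the control message is a Python tuple rather than OpenVPN's wire format, the mapping of explicit-exit-notify value 1 to "reconnect to the same server" and 2 to "advance to the next --remote" is an assumption made for the model, and the Server.draining check is the follow-up behaviour Arne asks for, not something the patch implements.

```python
"""Toy model of a server-initiated RESTART with a drain window.

Added illustration, not OpenVPN code. Assumptions made for the model:
- the control message is a Python tuple, not OpenVPN's wire format;
- explicit-exit-notify 1 means "reconnect to the same server", 2 means
  "advance to the next --remote", 0 means the feature is off;
- while draining, the server refuses new sessions (the follow-up Arne suggests).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GRACE_SECONDS = 2.0   # the server reschedules the received signal this far ahead


@dataclass
class Client:
    name: str
    remotes: List[str]                 # ordered --remote list
    idx: int = 0                       # index of the remote currently in use
    log: List[Tuple] = field(default_factory=list)

    @property
    def remote(self) -> str:
        return self.remotes[self.idx]

    def on_restart(self, advance: bool) -> None:
        """React to a RESTART control message from the server."""
        self.log.append(("RESTART", self.remote, advance))
        if advance:
            self.idx = (self.idx + 1) % len(self.remotes)


@dataclass
class Server:
    name: str
    explicit_exit_notify: int = 0      # 0 = off, 1 = reconnect same, 2 = advance (assumed)
    sessions: Dict[str, Client] = field(default_factory=dict)
    draining: bool = False
    exit_at: Optional[float] = None
    refused: List[Tuple[str, float]] = field(default_factory=list)

    def accept(self, client: Client, now: float) -> bool:
        """Handle a new or renewed session. A server that has already exited or
        is draining refuses: accepting in the grace window would only cut the
        client off again when the rescheduled signal fires."""
        gone = self.exit_at is not None and now >= self.exit_at
        if self.draining or gone:
            self.refused.append((client.name, now))
            return False
        self.sessions[client.name] = client
        return True

    def on_signal(self, now: float) -> List[str]:
        """SIGUSR1/SIGTERM/SIGHUP/SIGINT received: notify and reschedule."""
        if not self.explicit_exit_notify:
            self.exit_at = now          # no notification, clients find out by timeout
            self.sessions.clear()
            return []
        self.draining = True
        self.exit_at = now + GRACE_SECONDS
        advance = self.explicit_exit_notify == 2
        notified = []
        for c in list(self.sessions.values()):
            c.on_restart(advance)
            notified.append(c.name)
        self.sessions.clear()
        return notified


def run_scenario(explicit_exit_notify: int) -> dict:
    """Two clients on vpn-a; the server gets a signal at t=10 and alice tries to
    reconnect at t=10.5, inside the grace window. Constructed scenario."""
    srv = Server("vpn-a", explicit_exit_notify)
    alice = Client("alice", ["vpn-a", "vpn-b"])
    bob = Client("bob", ["vpn-a", "vpn-b"])
    srv.accept(alice, now=0.0)
    srv.accept(bob, now=0.0)

    notified = srv.on_signal(now=10.0)
    # alice only comes back to vpn-a if RESTART did not tell her to advance
    reconnect = srv.accept(alice, now=10.5) if alice.remote == srv.name else None
    return {
        "notified": notified,
        "alice_remote": alice.remote,
        "bob_remote": bob.remote,
        "reconnect_in_grace_accepted": reconnect,
        "exit_at": srv.exit_at,
        "refused": [name for name, _ in srv.refused],
    }


if __name__ == "__main__":
    for mode in (0, 1, 2):
        print(f"explicit-exit-notify {mode}: {run_scenario(mode)}")
```

With explicit-exit-notify 1 the refused list shows alice's reconnect bouncing off the draining server, which is the case Arne hit: without the draining check that accept would succeed and the client would be dropped again two seconds later when the rescheduled signal fires. With value 2 she never comes back to vpn-a at all, because the RESTART told her to advance.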



Re: [Openvpn-devel] [PATCH] Refine float logging

2015-10-15 Thread Steffan Karger

On 15 Oct 2015 13:40, Lev Stipakov wrote:
> v2:
>  * Bump log level for attack attempt message
>  * More clear message for float event
> 
> v1:
>  * Decrease log level for peer float message
> 
> Signed-off-by: Lev Stipakov 
> ---
>  src/openvpn/mudp.c  | 2 +-
>  src/openvpn/multi.c | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c
> index 3aed3a0..ce67206 100644
> --- a/src/openvpn/mudp.c
> +++ b/src/openvpn/mudp.c
> @@ -79,7 +79,7 @@ multi_get_create_instance_udp (struct multi_context
> *m, bool *floated)
> {
>   /* reset prefix, since here we are not sure peer is the one
> it claims to be */
>   ungenerate_prefix(mi);
> - msg (D_MULTI_ERRORS, "Untrusted peer %" PRIu32 " wants to
> float to %s", peer_id,
> + msg (D_MULTI_MEDIUM, "Float requested for peer %" PRIu32 " to
> %s", peer_id,
>   mroute_addr_print (, ));
> }
>   }
> diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
> index 05c36db..7c3aaac 100644
> --- a/src/openvpn/multi.c
> +++ b/src/openvpn/multi.c
> @@ -2286,7 +2286,7 @@ void multi_process_float (struct multi_context* m,
> struct multi_instance* mi)
>/* do not float if target address is taken by client with another
> cert */
>if (!cert_hash_compare(m1->locked_cert_hash_set, m2-
> >locked_cert_hash_set))
>   {
> -   msg (D_MULTI_MEDIUM, "Disallow float to an address taken by
> another client %s",
> +   msg (D_MULTI_LOW, "Disallow float to an address taken by another
> client %s",
>  multi_instance_string (ex_mi, false, ));
> 
> mi->context.c2.buf.len = 0;

Even-more-ACK

-Steffan



[Openvpn-devel] [PATCH] Refine float logging

2015-10-15 Thread Lev Stipakov
v2:
 * Bump log level for attack attempt message
 * More clear message for float event

v1:
 * Decrease log level for peer float message

Signed-off-by: Lev Stipakov 
---
 src/openvpn/mudp.c  | 2 +-
 src/openvpn/multi.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c
index 3aed3a0..ce67206 100644
--- a/src/openvpn/mudp.c
+++ b/src/openvpn/mudp.c
@@ -79,7 +79,7 @@ multi_get_create_instance_udp (struct multi_context *m, bool 
*floated)
  {
/* reset prefix, since here we are not sure peer is the one it 
claims to be */
ungenerate_prefix(mi);
-   msg (D_MULTI_ERRORS, "Untrusted peer %" PRIu32 " wants to float 
to %s", peer_id,
+   msg (D_MULTI_MEDIUM, "Float requested for peer %" PRIu32 " to 
%s", peer_id,
mroute_addr_print (, ));
  }
}
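Review bot: the level drop is the right call for this line: the comment just above it says the peer is not yet verified, so anyone who can spoof a packet carrying a plausible peer_id could make the server log at D_MULTI_ERRORS once per packet, which is an unauthenticated log-flood. What the new text loses is the hint that the float is unverified at this point; "Float requested for peer %u to %s" reads like a completed event. Something like "Unverified float request for peer %u to %s" keeps the D_MULTI_MEDIUM level and still tells an operator reading logs that this line alone does not mean the session moved.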
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 05c36db..7c3aaac 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -2286,7 +2286,7 @@ void multi_process_float (struct multi_context* m, struct 
multi_instance* mi)
   /* do not float if target address is taken by client with another cert */
   if (!cert_hash_compare(m1->locked_cert_hash_set, 
m2->locked_cert_hash_set))
{
- msg (D_MULTI_MEDIUM, "Disallow float to an address taken by another 
client %s",
+ msg (D_MULTI_LOW, "Disallow float to an address taken by another 
client %s",
   multi_instance_string (ex_mi, false, ));

  mi->context.c2.buf.len = 0;
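Review bot: raising this line to D_MULTI_LOW is justified because it is a policy denial rather than noise: a peer is trying to float onto an address currently owned by a client with a different certificate, which is either a NAT collision or an attempt to take over another client's endpoint. Two things would make it more useful for triage: print the peer that attempted the float as well as the client that owns the address (multi_instance_string (ex_mi, ...) only identifies the latter), and say in the commit message that, if this path runs only after the packet has authenticated as the claimed peer, it cannot be triggered by an unauthenticated sender the way the mudp.c message can.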
-- 
1.9.1




Re: [Openvpn-devel] [PATCH] Decrease log level for peer float message

2015-10-15 Thread Steffan Karger
On 15 Oct 2015 12:39, Lev Stipakov wrote:
> Signed-off-by: Lev Stipakov 
> ---
>  src/openvpn/mudp.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c
> index 3aed3a0..9fa9f9e 100644
> --- a/src/openvpn/mudp.c
> +++ b/src/openvpn/mudp.c
> @@ -79,7 +79,7 @@ multi_get_create_instance_udp (struct multi_context
> *m, bool *floated)
> {
>   /* reset prefix, since here we are not sure peer is the one
> it claims to be */
>   ungenerate_prefix(mi);
> - msg (D_MULTI_ERRORS, "Untrusted peer %" PRIu32 " wants to
> float to %s", peer_id,
> + msg (D_MULTI_MEDIUM, "Untrusted peer %" PRIu32 " wants to
> float to %s", peer_id,
>   mroute_addr_print (, ));
> }
>   }

ACK.  No need to log this so often.

-Steffan



[Openvpn-devel] [PATCH] Decrease log level for peer float message

2015-10-15 Thread Lev Stipakov
Signed-off-by: Lev Stipakov 
---
 src/openvpn/mudp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c
index 3aed3a0..9fa9f9e 100644
--- a/src/openvpn/mudp.c
+++ b/src/openvpn/mudp.c
@@ -79,7 +79,7 @@ multi_get_create_instance_udp (struct multi_context *m, bool 
*floated)
  {
/* reset prefix, since here we are not sure peer is the one it 
claims to be */
ungenerate_prefix(mi);
-   msg (D_MULTI_ERRORS, "Untrusted peer %" PRIu32 " wants to float 
to %s", peer_id,
+   msg (D_MULTI_MEDIUM, "Untrusted peer %" PRIu32 " wants to float 
to %s", peer_id,
mroute_addr_print (, ));
  }
}
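Review bot: good that ungenerate_prefix(mi) runs before the msg, so an unverified float request is not logged under the prefix of the client the peer_id belongs to; that ordering should stay whenever the text is reworked. Lowering the level is enough to stop an unauthenticated sender from filling the log at D_MULTI_ERRORS, but the line can still be produced once per spoofed packet at D_MULTI_MEDIUM, so a rate limit on this message would be the natural next step.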
-- 
1.9.1




Re: [Openvpn-devel] [PATCH V2] Fix commit c67acea173dc9ee37220f5b9ff14ede081181992

2015-10-15 Thread David Sommerseth
On 14 October 2015 15:39:39 CEST, Lev Stipakov  wrote:
>ACK from me. Tested on ics-openvpn, problem with endtag now fixed.
>
>A nitpick. git am says:
>
>/home/stiple/Projects/ics-openvpn/.git/modules/main/openvpn/rebase-apply/patch:20:
>
>trailing whitespace.
>   char *line_ptr = line;
>warning: 1 line adds whitespace errors.

Nice catch! However, I believe git am --whitespace=fix, which our git ack-am
script uses, fixes those.


kind regards,

David Sommerseth