Re: [Openvpn-devel] [PATCH applied] Fix commit c67acea173dc9ee37220f5b9ff14ede081181992
Forgot release/2.3 ... it's added there too as commit f417db630353648a0bd1cd9d634413ce446fe900. I changed the subject line in the release/2.3 commit to match the proper cherry-picked commit in that branch.

On 15/10/15 16:50, David Sommerseth wrote:
> From: David Sommerseth
>
> Your patch has been applied to the master branch.
>
> commit cba33989101175ac07434b9c5cceba116bf38127
> Author: Arne Schwabe
> Date: Wed Oct 14 15:05:56 2015 +0200
>
> Fix commit c67acea173dc9ee37220f5b9ff14ede081181992
>
> Acked-by: Lev Stipakov
> Message-Id: 1444827956-2169-1-git-send-email-a...@rfc2549.org
> URL: http://article.gmane.org/gmane.network.openvpn.devel/10271
> Signed-off-by: David Sommerseth

--
kind regards,
David Sommerseth
Re: [Openvpn-devel] [PATCH applied] Refine float logging
From: David Sommerseth

Your patch has been applied to the master branch.

commit 5203d8094f38a9d23d983377171c11b1d3a82ad2
Author: Lev Stipakov
List-Post: openvpn-devel@lists.sourceforge.net
Date: Thu Oct 15 14:39:42 2015 +0300

Refine float logging

Signed-off-by: Lev Stipakov
Acked-by: Steffan Karger
Message-Id: 1444909182-11785-1-git-send-email-lstipa...@gmail.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/10276
Signed-off-by: David Sommerseth

--
kind regards,
David Sommerseth
Re: [Openvpn-devel] [PATCH applied] Fix commit c67acea173dc9ee37220f5b9ff14ede081181992
From: David Sommerseth

Your patch has been applied to the master branch.

commit cba33989101175ac07434b9c5cceba116bf38127
Author: Arne Schwabe
List-Post: openvpn-devel@lists.sourceforge.net
Date: Wed Oct 14 15:05:56 2015 +0200

Fix commit c67acea173dc9ee37220f5b9ff14ede081181992

Acked-by: Lev Stipakov
Message-Id: 1444827956-2169-1-git-send-email-a...@rfc2549.org
URL: http://article.gmane.org/gmane.network.openvpn.devel/10271
Signed-off-by: David Sommerseth

--
kind regards,
David Sommerseth
[Openvpn-devel] [PATCH] Start Changes.rst that lists changes in 2.4.0
This list is probably incomplete but should give a good starting point --- Changes.rst | 66 + 1 file changed, 66 insertions(+) create mode 100644 Changes.rst diff --git a/Changes.rst b/Changes.rst new file mode 100644 index 000..24afb5c --- /dev/null +++ b/Changes.rst 
@@ -0,0 +1,66 @@ +Version 2.4.0 += + + +New features + + +keying-material-exporter +Keying Material Exporter [RFC-5705] allow additional keying material to be +derived from existing TLS channel. + +redirect-gateway ipv6 +OpenVPN has now feature parity between IPv4 and IPv6 for redirect +gateway including the handling of overlapping IPv6 routes with +IPv6 remote VPN server address + +Mac OS X Keychain management client +add contrib/keychain-mcd which allows to use Mac OS X keychain +certificates with OpenVPN + +Peer ID support +Added new packet format P_DATA_V2, which includes peer-id. If +server and client support it, client sends all data packets in +the new format. When data packet arrives, server identifies peer +by peer-id. If peer's ip/port has changed, server assumes that +client has floated, verifies HMAC and updates ip/port in internal structs. + +Dualstack client connect +Instead of only using the first address of each --remote OpenVPN +will now try all addresses (IPv6 and IPv4) of a --remote entry. + +LZ4 Compression +Additionally to LZO compression OpenVPN now also supports LZ4 +compression. + +Changes +--- +- proto udp and proto tcp specify to use IPv4 and IPv6. The new + options proto udp4 and tcp4 specify to use IPv4 only. + +- connect-timeout specifies now the timeout until the first TLS packet + is received (identical to server-poll-timeout) and this timeout now + includes the removed socks proxy timeout and http proxy timeout. + + In --static mode connect-timeout specifies the timeout for TCP and + proxy connection establishment + + +- connect-retry now specifies the maximum number of unsucessfully + trying all remote/connection entries before exiting. 
+ +- sndbuf and recvbuf default now to OS default instead of 64k + +- OpenVPN exits with an error if an option has extra parameters; + previously they were silently ignored + +- The default of tls-cipher is now "DEFAULT:!EXP:!PSK:!SRP:!kRSA" + instead of "DEFAULT" to always select perfect forward security + cipher suites + +- --tls-auth always requires OpenVPN static key files and will no + longer work with free form files + +- proto udp6/tcp6 in server mode will now try to always listen to + both IPv4 and IPv6 on platforms that allow it. Use bind ipv6only + to explicitly listen only on IPv6. -- 2.3.8 (Apple Git-58)
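Review bot: a few wording fixes are needed in this hunk before it lands. "to always select perfect forward security cipher suites" should read "perfect forward secrecy": excluding kRSA drops static RSA key exchange so that every remaining suite provides forward secrecy, and that is the term readers will search for. "unsucessfully" is misspelled, and "the maximum number of unsucessfully trying all remote/connection entries before exiting" reads better as "how many times all remote/connection entries are tried unsuccessfully before exiting". "Additionally to LZO compression" should be "In addition to LZO compression", and "Keying Material Exporter [RFC-5705] allow additional keying material" needs "allows".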
[Openvpn-devel] [PATCH V2] Do not set the buffer size by default but rely on the operating system default.
Also remove SOCKET_SND_RCV_BUF_MAX since limiting the buffer to 1000k is arbitrary and all OSes impose a maximum that can be set anyway. closes trac ticket #461 V2: SOCKET_SND_RCV_BUF_MAX removal --- doc/openvpn.8 | 4 ++-- src/openvpn/options.c | 4 src/openvpn/socket.c | 16 +--- src/openvpn/socket.h | 5 - 4 files changed, 7 insertions(+), 22 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index b8fb2e5..f305c58 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -1418,12 +1418,12 @@ connection problems) with the following options: .TP .B \-\-sndbuf size Set the TCP/UDP socket send buffer size. -Currently defaults to 65536 bytes. +Defaults to operation system default. .\"* .TP .B \-\-rcvbuf size Set the TCP/UDP socket receive buffer size. -Currently defaults to 65536 bytes. +Defaults to operation system default. .\"* .TP .B \-\-mark value diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 55db81a..086dcea 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -783,10 +783,6 @@ init_options (struct options *o, const bool init_gc) #ifdef ENABLE_FEATURE_TUN_PERSIST o->persist_mode = 1; #endif -#ifndef WIN32 - o->rcvbuf = 65536; - o->sndbuf = 65536; -#endif #ifdef TARGET_LINUX o->tuntap_options.txqueuelen = 100; #endif diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index b4032b8..dd8ea29 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -624,12 +624,9 @@ static void socket_set_sndbuf (int sd, int size) { #if defined(HAVE_SETSOCKOPT) && defined(SOL_SOCKET) && defined(SO_SNDBUF) - if (size > 0 && size < SOCKET_SND_RCV_BUF_MAX) + if (setsockopt (sd, SOL_SOCKET, SO_SNDBUF, (void *) , sizeof (size)) != 0) { - if (setsockopt (sd, SOL_SOCKET, SO_SNDBUF, (void *) , sizeof (size)) != 0) - { - msg (M_WARN, "NOTE: setsockopt SO_SNDBUF=%d failed", size); - } + msg (M_WARN, "NOTE: setsockopt SO_SNDBUF=%d failed", size); } #endif } 
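Review bot: in the doc/openvpn.8 hunk, "Defaults to operation system default." should be "Defaults to the operating system default." in both the --sndbuf and --rcvbuf entries; the patch subject carries the same typo.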
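Review bot: in the socket_set_sndbuf hunk, removing the whole `if (size > 0 && size < SOCKET_SND_RCV_BUF_MAX)` guard lets a size of 0, which the options.c hunk now makes the default on every platform, reach setsockopt. Unless every caller already skips socket_set_sndbuf when --sndbuf is unset, SO_SNDBUF=0 will either shrink the buffer to the kernel's minimum or fail with the "setsockopt SO_SNDBUF=0 failed" warning on each connect, instead of leaving the OS default in place. Keep `if (size > 0)` around the setsockopt call and drop only the arbitrary upper bound.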
@@ -653,13 +650,10 @@ static bool socket_set_rcvbuf (int sd, int size) { #if defined(HAVE_SETSOCKOPT) && defined(SOL_SOCKET) && defined(SO_RCVBUF) - if (size > 0 && size < SOCKET_SND_RCV_BUF_MAX) + if (setsockopt (sd, SOL_SOCKET, SO_RCVBUF, (void *) , sizeof (size)) != 0) { - if (setsockopt (sd, SOL_SOCKET, SO_RCVBUF, (void *) , sizeof (size)) != 0) - { - msg (M_WARN, "NOTE: setsockopt SO_RCVBUF=%d failed", size); - return false; - } + msg (M_WARN, "NOTE: setsockopt SO_RCVBUF=%d failed", size); + return false; } return true; #endif diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index 30b6ace..da224dd 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h @@ -42,11 +42,6 @@ #define OPENVPN_PORT "1194" /* - * Maximum size passed passed to setsockopt SNDBUF/RCVBUF - */ -#define SOCKET_SND_RCV_BUF_MAX 100 - -/* * Number of seconds that "resolv-retry infinite" * represents. */ -- 2.3.8 (Apple Git-58)
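Review bot: the socket_set_rcvbuf hunk has the same problem as socket_set_sndbuf: with the `size > 0` check gone, the new default of 0 triggers setsockopt(SO_RCVBUF, 0), and because this function returns false on failure the caller also sees a failed buffer setup on platforms that reject 0. Keep `if (size > 0)` and remove only the SOCKET_SND_RCV_BUF_MAX comparison, which is what the commit text actually argues against.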
Re: [Openvpn-devel] [PATCH v3] Notify clients about server's exit/restart
On 13.10.15 at 16:45, Lev Stipakov wrote:
> When server exits / restarts (gets SIGUSR1, SIGTERM, SIGHUP, SIGINT) and
> explicit-exit-notify is set, server sends RESTART control channel command to
> all clients and reschedules received signal in 2 secs.
>
> When client receives RESTART command, it either reconnects to the same server or
> advances to the new one, depending on the parameter that comes with the RESTART
> command - behavior is controlled by explicit-exit-notify in the server config.
>
> v3:
> - Use control channel "RESTART" command instead of new OCC code to
>   notify clients
> - Configure on the server side (by value of explicit-exit-notify) if
>   client should reconnect to the same server or advance to the next one
> - Fix compilation when OCC is disabled (--enable-small)
> - Update man page

This gets an ACK from me. As an additional note, we should add a follow-up: a server shutting down should not accept new clients. My client reconnects in the 2s shutdown interval.

Arne
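As an added illustration of the flow quoted above (a constructed model, not OpenVPN's code or Lev's patch): the server pushes RESTART to its clients and defers its own signal by 2 s, and each client either reconnects to the same server or advances to its next --remote. The `RESTART,[N]` spelling of the advance flag, the `refuse_new_while_exiting` switch that models Arne's proposed follow-up, and the server names are assumptions.

```python
from dataclasses import dataclass, field

RESCHEDULE_DELAY = 2.0  # seconds the server defers the received signal (patch text)

@dataclass
class Server:
    explicit_exit_notify: int
    refuse_new_while_exiting: bool = False  # Arne's proposed follow-up, off by default
    clients: list = field(default_factory=list)
    signal_due: float = None                # when the deferred signal will fire
    def accept(self, client):
        if self.signal_due is not None and self.refuse_new_while_exiting:
            return False  # shutting down: take no new connections
        self.clients.append(client)
        return True
    def on_signal(self, now):
        # Assumed wire form: 1 -> "RESTART" (same server), 2 -> "RESTART,[N]" (advance)
        cmd = "RESTART,[N]" if self.explicit_exit_notify == 2 else "RESTART"
        self.signal_due = now + RESCHEDULE_DELAY
        pushed, self.clients = [(c, cmd) for c in self.clients], []
        return pushed

@dataclass
class Client:
    remotes: list
    idx: int = 0
    connected_to: str = None
    def connect(self, servers):
        for _ in self.remotes:  # try each remote once, advancing on refusal
            name = self.remotes[self.idx]
            if servers[name].accept(self):
                self.connected_to = name
                return name
            self.idx = (self.idx + 1) % len(self.remotes)
        self.connected_to = None
        return None
    def on_control(self, cmd, servers):
        if "N" in cmd.partition(",")[2]:  # server asked us to advance
            self.idx = (self.idx + 1) % len(self.remotes)
        return self.connect(servers)

def simulate(explicit_exit_notify, refuse_new=False):
    servers = {n: Server(explicit_exit_notify, refuse_new and n == "srv-a")
               for n in ("srv-a", "srv-b")}
    cli = Client(["srv-a", "srv-b"])
    cli.connect(servers)
    for c, cmd in servers["srv-a"].on_signal(now=0.0):
        c.on_control(cmd, servers)  # the reconnect lands inside the 2 s window
    return cli.connected_to, servers["srv-a"].signal_due
```

`simulate(1)` reproduces Arne's observation: the client is back on srv-a while the deferred signal is still pending; `simulate(1, refuse_new=True)` shows the follow-up pushing it to srv-b instead.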
Re: [Openvpn-devel] [PATCH] Refine float logging
On 15 Oct 2015 13:40, Lev Stipakov wrote: > v2: > * Bump log level for attack attempt message > * More clear message for float event > > v1: > * Decrease log level for peer float message > > Signed-off-by: Lev Stipakov> --- > src/openvpn/mudp.c | 2 +- > src/openvpn/multi.c | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c > index 3aed3a0..ce67206 100644 > --- a/src/openvpn/mudp.c > +++ b/src/openvpn/mudp.c > @@ -79,7 +79,7 @@ multi_get_create_instance_udp (struct multi_context > *m, bool *floated) > { > /* reset prefix, since here we are not sure peer is the one > it claims to be */ > ungenerate_prefix(mi); > - msg (D_MULTI_ERRORS, "Untrusted peer %" PRIu32 " wants to > float to %s", peer_id, > + msg (D_MULTI_MEDIUM, "Float requested for peer %" PRIu32 " to > %s", peer_id, > mroute_addr_print (, )); > } > } > diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c > index 05c36db..7c3aaac 100644 > --- a/src/openvpn/multi.c > +++ b/src/openvpn/multi.c > @@ -2286,7 +2286,7 @@ void multi_process_float (struct multi_context* m, > struct multi_instance* mi) >/* do not float if target address is taken by client with another > cert */ >if (!cert_hash_compare(m1->locked_cert_hash_set, m2- > >locked_cert_hash_set)) > { > - msg (D_MULTI_MEDIUM, "Disallow float to an address taken by > another client %s", > + msg (D_MULTI_LOW, "Disallow float to an address taken by another > client %s", > multi_instance_string (ex_mi, false, )); > > mi->context.c2.buf.len = 0; Even-more-ACK -Steffan
[Openvpn-devel] [PATCH] Refine float logging
v2: * Bump log level for attack attempt message * More clear message for float event v1: * Decrease log level for peer float message Signed-off-by: Lev Stipakov--- src/openvpn/mudp.c | 2 +- src/openvpn/multi.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 3aed3a0..ce67206 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -79,7 +79,7 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated) { /* reset prefix, since here we are not sure peer is the one it claims to be */ ungenerate_prefix(mi); - msg (D_MULTI_ERRORS, "Untrusted peer %" PRIu32 " wants to float to %s", peer_id, + msg (D_MULTI_MEDIUM, "Float requested for peer %" PRIu32 " to %s", peer_id, mroute_addr_print (, )); } } diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 05c36db..7c3aaac 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2286,7 +2286,7 @@ void multi_process_float (struct multi_context* m, struct multi_instance* mi) /* do not float if target address is taken by client with another cert */ if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set)) { - msg (D_MULTI_MEDIUM, "Disallow float to an address taken by another client %s", + msg (D_MULTI_LOW, "Disallow float to an address taken by another client %s", multi_instance_string (ex_mi, false, )); mi->context.c2.buf.len = 0; -- 1.9.1
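Review bot: the new text in the mudp.c hunk, "Float requested for peer %u to %s", drops any hint that the peer is not yet verified, although the comment right above the msg() call says exactly that and ungenerate_prefix() is called for that reason. Keep the status explicit, e.g. "Float requested by unverified peer ...", so an operator can tell a request logged at this point apart from a float the server actually accepted after the HMAC check.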
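Review bot: raising "Disallow float to an address taken by another client" to D_MULTI_LOW fits its role as the attack-attempt message named in the commit text, but the line still prints only ex_mi, the client already holding the address. Add the requesting instance (mi) to the message as well; otherwise the log records the client that was targeted but not the source of the attempt, which is what an operator needs in order to act on it.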
Re: [Openvpn-devel] [PATCH] Decrease log level for peer float message
On 15 Oct 2015 12:39, Lev Stipakov wrote: > Signed-off-by: Lev Stipakov> --- > src/openvpn/mudp.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c > index 3aed3a0..9fa9f9e 100644 > --- a/src/openvpn/mudp.c > +++ b/src/openvpn/mudp.c > @@ -79,7 +79,7 @@ multi_get_create_instance_udp (struct multi_context > *m, bool *floated) > { > /* reset prefix, since here we are not sure peer is the one > it claims to be */ > ungenerate_prefix(mi); > - msg (D_MULTI_ERRORS, "Untrusted peer %" PRIu32 " wants to > float to %s", peer_id, > + msg (D_MULTI_MEDIUM, "Untrusted peer %" PRIu32 " wants to > float to %s", peer_id, > mroute_addr_print (, )); > } > } ACK. No need to log this so often. -Steffan
[Openvpn-devel] [PATCH] Decrease log level for peer float message
Signed-off-by: Lev Stipakov--- src/openvpn/mudp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 3aed3a0..9fa9f9e 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -79,7 +79,7 @@ multi_get_create_instance_udp (struct multi_context *m, bool *floated) { /* reset prefix, since here we are not sure peer is the one it claims to be */ ungenerate_prefix(mi); - msg (D_MULTI_ERRORS, "Untrusted peer %" PRIu32 " wants to float to %s", peer_id, + msg (D_MULTI_MEDIUM, "Untrusted peer %" PRIu32 " wants to float to %s", peer_id, mroute_addr_print (, )); } } -- 1.9.1
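Review bot: dropping this line to D_MULTI_MEDIUM is reasonable since it fires for every legitimate float request, but the text "Untrusted peer ... wants to float" still reads like an alert at what is now a routine level. Reword it to describe the event while keeping the unverified status visible (the v2 of this patch in the thread reworks the wording).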
Re: [Openvpn-devel] [PATCH V2] Fix commit c67acea173dc9ee37220f5b9ff14ede081181992
On 14 October 2015 15:39:39 CEST, Lev Stipakov wrote:
> ACK from me. Tested on ics-openvpn, problem with endtag now fixed.
>
> A nitpick. git am says:
>
> /home/stiple/Projects/ics-openvpn/.git/modules/main/openvpn/rebase-apply/patch:20: trailing whitespace.
>         char *line_ptr = line;
> warning: 1 line adds whitespace errors.

Nice catch! However, I believe git am --whitespace=fix fixes those, which our git ack-am script uses.

kind regards,
David Sommerseth