Re: [Openvpn-devel] [PATCH] Add option --push-suppress-ipv6 to stop sending IPv6 info to clients.

2015-10-20 Thread David Sommerseth
On 20/10/15 23:28, Gert Doering wrote:
> Hi,
> 
> On Tue, Oct 20, 2015 at 10:45:23AM +0200, Arne Schwabe wrote:
>> Am 19.10.15 um 20:06 schrieb Gert Doering:
>>> Workaround option for servers that have IPv6 working just fine, but
>>> need to turn it off for individual clients - in that case, set this
>>> option in the --client-config-dir file for a particular user, or
>>> via --client-connect script/plugin hook for a particular platform
>>> (like IOS 9.0.2)
>>>
>> ACK from me. 
> 
> Heh :-) - this was more thought of an "here, what do you think?" patch
> (plus "fix valdikss' headache in #614 quickly"), and I didn't expect an
> ACK so quickly...
> 
> ... and then a discussion on IRC later.
> 
> But Arne actually had a very good idea which I'm going to implement and
> send "soon":
> 
>  --push-filter 
> 
> like,
> 
>  --push-filter ifconfig-ipv6 tun-ipv6 route-ipv6
> 
> which would do exactly what the current patch did, but is much more flexible
> depending on what exactly needs to be worked around with *this* client...
> 
> (There's a trac ticket about "--push-reset", which we might resolve with
> this as well :-) )

I agree with the intention.  Just not sure 'filter' is a clever word.  As it
can be understood both as "remove these options" or "only include these
options".  Both interpretations are results of a filter.


-- 
kind regards,

David Sommerseth



[Openvpn-devel] [PATCH] openssl: remove usage of OPENSSL_malloc() from show_available_curves

2015-10-20 Thread Steffan Karger
There is no need to use OPENSSL_malloc(), so use our own functions that
automatically check for NULL and remove the now redundant NULL check.

Signed-off-by: Steffan Karger 
---
 src/openvpn/ssl_openssl.c | 33 +
 1 file changed, 13 insertions(+), 20 deletions(-)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index c08d4fe..c5543fe 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -1447,31 +1447,24 @@ show_available_curves()
   size_t n = 0;

   crv_len = EC_get_builtin_curves(NULL, 0);
-
-  curves = OPENSSL_malloc((int)(sizeof(EC_builtin_curve) * crv_len));
-
-  if (curves == NULL)
-crypto_msg (M_FATAL, "Cannot create EC_builtin_curve object");
-  else
+  ALLOC_ARRAY(curves, EC_builtin_curve, crv_len);
+  if (EC_get_builtin_curves(curves, crv_len))
   {
-if (EC_get_builtin_curves(curves, crv_len))
+printf ("Available Elliptic curves:\n");
+for (n = 0; n < crv_len; n++)
 {
-  printf ("Available Elliptic curves:\n");
-  for (n = 0; n < crv_len; n++)
-  {
-const char *sname;
-sname   = OBJ_nid2sn(curves[n].nid);
-if (sname == NULL) sname = "";
+  const char *sname;
+  sname   = OBJ_nid2sn(curves[n].nid);
+  if (sname == NULL) sname = "";

-printf("%s\n", sname);
-  }
+  printf("%s\n", sname);
 }
-else
-{
-  crypto_msg (M_FATAL, "Cannot get list of builtin curves");
-}
-OPENSSL_free(curves);
   }
+  else
+  {
+crypto_msg (M_FATAL, "Cannot get list of builtin curves");
+  }
+  free(curves);
 #else
   msg (M_WARN, "Your OpenSSL library was built without elliptic curve support. 
"
   "No curves available.");
-- 
2.1.4




[Openvpn-devel] [PATCH] Fix memory leak in auth-pam plugin

2015-10-20 Thread Steffan Karger
As it says on the tin.  aresp would not be free'd nor returned by
my_conv() on errors.  Note that we never reach this code if allocation
of aresp failed.

Found with the Clang static analyzer.

Signed-off-by: Steffan Karger 
---
 src/plugins/auth-pam/auth-pam.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index bd71792..95692ab 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ b/src/plugins/auth-pam/auth-pam.c
@@ -642,6 +642,9 @@ my_conv (int n, const struct pam_message **msg_array,

   if (ret == PAM_SUCCESS)
 *response_array = aresp;
+  else
+free(aresp);
+
   return ret;
 }
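
Review bot: free(aresp) in the new else branch releases only the response array, not the resp strings that individual entries may already own when ret becomes an error partway through the n messages. The hunk does not show those being released; if earlier iterations can fill aresp[i].resp, free each one before freeing the array, and clear them first, since PAM responses can carry the password.
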

-- 
2.1.4




[Openvpn-devel] [PATCH] hardening: add insurance to exit on a failed ASSERT()

2015-10-20 Thread Steffan Karger
The code behind our ASSERT() macro is pretty complex.  Although it seems
to be correct, make it trivially clear we will never return from a failed
assert by adding an _exit(1) call.  As was suggested by Sebastian Krahmer
of the SuSE security team.

A secondary benefit is that tools like clang static analyzer and coverity
can now understand our ASSERT() macros too.  To make sure they do, change
assert_failed() to a static inline function.

Signed-off-by: Steffan Karger 
---
 src/openvpn/error.c | 6 --
 src/openvpn/error.h | 7 ++-
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/openvpn/error.c b/src/openvpn/error.c
index 77b6cec..3f6254d 100644
--- a/src/openvpn/error.c
+++ b/src/openvpn/error.c
@@ -393,12 +393,6 @@ dont_mute (unsigned int flags)
   return ret;
 }

-void
-assert_failed (const char *filename, int line)
-{
-  msg (M_FATAL, "Assertion failed at %s:%d", filename, line);
-}
-
 /*
  * Fail memory allocation.  Don't use msg() because it tries
  * to allocate memory as part of its operation.
diff --git a/src/openvpn/error.h b/src/openvpn/error.h
index d5204f3..6db7b59 100644
--- a/src/openvpn/error.h
+++ b/src/openvpn/error.h
@@ -210,7 +210,12 @@ FILE *msg_fp(const unsigned int flags);
 /* Fatal logic errors */
 #define ASSERT(x) do { if (!(x)) assert_failed(__FILE__, __LINE__); } while 
(false)

-void assert_failed (const char *filename, int line);
+static inline void
+assert_failed (const char *filename, int line)
+{
+  msg (M_FATAL, "Assertion failed at %s:%d", filename, line);
+  _exit(1); /* Just insurance; M_FATAL should trigger a clean exit. */
+}

 #ifdef ENABLE_DEBUG
 void crash (void); /* force a segfault (debugging only) */
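
Review bot: the new static inline assert_failed() calls _exit() from error.h, but this hunk adds no #include for it, so every file that expands ASSERT() depends on the declaration (unistd.h on POSIX, process.h or stdlib.h on MSVC) already being visible at that point. Suggest confirming error.h gets it on all supported toolchains, or including it here. Since the stated aim is to let static analyzers see that the function never returns, declaring it with a noreturn attribute would state that directly.
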
-- 
2.1.4




Re: [Openvpn-devel] [PATCH] Add option --push-suppress-ipv6 to stop sending IPv6 info to clients.

2015-10-20 Thread Gert Doering
Hi,

On Tue, Oct 20, 2015 at 10:45:23AM +0200, Arne Schwabe wrote:
> Am 19.10.15 um 20:06 schrieb Gert Doering:
> > Workaround option for servers that have IPv6 working just fine, but
> > need to turn it off for individual clients - in that case, set this
> > option in the --client-config-dir file for a particular user, or
> > via --client-connect script/plugin hook for a particular platform
> > (like IOS 9.0.2)
> >
> ACK from me. 

Heh :-) - this was more thought of an "here, what do you think?" patch
(plus "fix valdikss' headache in #614 quickly"), and I didn't expect an
ACK so quickly...

... and then a discussion on IRC later.

But Arne actually had a very good idea which I'm going to implement and
send "soon":

 --push-filter 

like,

 --push-filter ifconfig-ipv6 tun-ipv6 route-ipv6

which would do exactly what the current patch did, but is much more flexible
depending on what exactly needs to be worked around with *this* client...

(There's a trac ticket about "--push-reset", which we might resolve with
this as well :-) )

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-20 Thread debbie10t

ho hum


-Original Message-
From: David Sommerseth [mailto:openvpn.l...@topphemmelig.net]
Sent: Monday, October 19, 2015 3:01 PM
To: Morris, Russell ; Heiko Hund ; sam...@openvpn.net
Cc: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

> My point is that nobody really expects anyone to be a fully experienced
> OpenVPN developer to get involved.  Not at all.  We are a community, which
> help each other.
>
> Don't be afraid, take that chance and share your thoughts and ideas.  Hang
> out on the #openvpn-devel IRC channel if you can, share your opinions on
> the mailing list ...


I Disagree

If past experience is anything to go by ..
Don't expect help !

I have always considered myself a cynic ..
The OpenVPN "community" cemented my opinion quite firmly.

(with a few exceptions)

regards




Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-20 Thread ValdikSS
By the way, there is an open-source SecurePoint VPN client 
(https://sourceforge.net/projects/securepoint/) which handles current versions 
of Windows very well.
And here is my list of available open-source OpenVPN GUIs: 
https://gist.github.com/ValdikSS/9d7b13b5ef510c6b6d45#file-openvpn-guis-md

On 19.10.2015 23:14, Fish Wang wrote:
> Regarding Windows OpenVPN GUI: I have an internal fork of this OpenVPN GUI 
> (https://github.com/jochenwierum/openvpn-manager) from jochenwierum, with 
> many bug fixes and improvements, and it works fairly well on Windows. Maybe I 
> should tidy my patches and open source it on github?
>
> Best,
> Fish
>
> -Original Message-
> From: Morris, Russell [mailto:rmor...@rkmorris.us] 
> Sent: Monday, October 19, 2015 7:59 AM
> To: Heiko Hund ; sam...@openvpn.net
> Cc: openvpn-devel@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
>
> Hi,
>
> Just a couple thoughts here, from a (absolutely!) non-expert ... :-(.
>
> I have been trying to develop my own "GUI" - not because the current one 
> doesn't work (not at all!), but because I want a bit of an extended feature 
> set ... to be able to change Tray Icon color with traffic (Tx/Rx), and plot 
> ping timing to a remote machine over the link, and as well traffic and bit 
> rate plots in the UL and DL.
>
> That all said, I can definitely see that the network adapter (TAP) and 
> openvpn.exe really are up and down (a lot!) on Windows ... :-(. I am trying 
> to use NSSM to at least keep openvpn.exe up (i.e. restart it), but the 
> network connection is a challenge also - often having to be reset (disabled 
> and enabled). So to the question below ... yes, Windows does need some work.
>
> I'd be happy to help out - but as above, I'm not an expert. So definitely 
> willing, but usefulness may be questionable unfortunately ... ;-).
>
> Thanks!
>
> ... Russell
>
>
>
> -Original Message-
> From: Heiko Hund [mailto:heiko.h...@sophos.com] 
> Sent: Monday, October 19, 2015 9:16 AM
> To: sam...@openvpn.net
> Cc: openvpn-devel@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
>
> On Monday 19 October 2015 10:20:23 sam...@openvpn.net wrote:
> Ok, I think here is the main misunderstanding. My understanding was that you
> want a Windows development team. That I think would be counter productive. For
> the other topics I do not have a opinion.
>
> No, and I do not think that the service should take care of that. That's
> rather things that can be handled by the GUI.
>
> Hehe nice turn demanding proof, that'll shut up ppl. =)
>
> Heiko
>
>
> Sophos Technology GmbH, Amalienbadstraẞe 41/Bau 52, D-76227 Karlsruhe, 
> Deutschland
> Tel +49 (0)721 25516 0 Fax +49 (0)721 25516 200 E-Mail i...@sophos.de 
> www.sophos.de
> Sitz der Gesellschaft: Karlsruhe, Amtsgericht Mannheim HRB 712658
> Geschäftsführer: Nicholas Bray, Pino von Kienlin, Wolfgang Hilpert, Jennifer 
> Onslow.
> Sophos GmbH, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Deutschland
> Tel +49 (0) 611 5858-0 Fax +49 (0) 611 5858-1042 E-Mail i...@sophos.de 
> www.sophos.de
> Sitz der Gesellschaft: Wiesbaden, Amtsgericht Wiesbaden HRB 25915 
> Geschäftsführer: Nicholas Bray, Wolfgang Hilpert, Pino von Kienlin, Jennifer 
> Onslow
>
> --
> ___
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel






Re: [Openvpn-devel] Interactive windows service

2015-10-20 Thread Selva Nair
On Tue, Oct 20, 2015 at 1:23 PM, Heiko Hund  wrote:

> On Tuesday 20 October 2015 13:11:44 Selva Nair wrote:
> > Thanks for the link. I cloned it, but it appears to be the same as a late
> > 2014 (early  2.3.x ?) version. In particular, the src directory has just
> > the same two subdirectories openvpn and openvpnserv, and the latter is the
> > same as in the official repo. No sign of any new service related sources.
> >
> > Am I looking at the wrong place?
>
> Probably. The changes are on branch interactive_service. Hope that helps.
>

Yes it does... Thanks.

Selva


Re: [Openvpn-devel] Interactive windows service

2015-10-20 Thread Heiko Hund
On Tuesday 20 October 2015 13:11:44 Selva Nair wrote:
> Thanks for the link. I cloned it, but it appears to be the same as a late
> 2014 (early  2.3.x ?) version. In particular, the src directory has just
> the same two subdirectories openvpn and openvpnserv, and the latter is the
> same as in the official repo. No sign of any new service related sources.
>
> Am I looking at the wrong place?

Probably. The changes are on branch interactive_service. Hope that helps.

Heiko





Re: [Openvpn-devel] Interactive windows service

2015-10-20 Thread Selva Nair
On Tue, Oct 20, 2015 at 6:30 AM, Heiko Hund  wrote:

> On Saturday 17 October 2015 11:44:07 Selva Nair wrote:
> > Is there a public repo where I can access this?  I have been using a
> > patched MI-GUI to avoid needing admin priv on windows  but working towards
> > a solution that could come bundled with "official" releases would be great.
>
> Currently it is still on sourceforge, but I've got myself a Github account on
> the weekend and will move the openvpn and GUI code as I noticed sf.net went
> uncool. For now you can clone: git://git.code.sf.net/p/openvpn-gui/openvpn
>
>
Thanks for the link. I cloned it, but it appears to be the same as a late
2014 (early  2.3.x ?) version. In particular, the src directory has just
the same two subdirectories openvpn and openvpnserv, and the latter is the
same as in the official repo. No sign of any new service related sources.

Am I looking at the wrong place?

Thanks


> Heiko


Re: [Openvpn-devel] [PATCH] Replace variable length array with malloc

2015-10-20 Thread Lev Stipakov

> Why OPENSSL_malloc() in particular?

I looked for other malloc calls in that file and only example I've found 
was OPENSSL_malloc in show_available_curves().


On the other side Dr. Stephen Henson says (quote unedited):

http://permalink.gmane.org/gmane.comp.encryption.openssl.user/11291

> You don't have to use OPENSSL_malloc() in an application but you do
> you can make use of OpenSSLs memory leak checking routines if you do.


-Lev

On 20.10.2015 16:52, Gert Doering wrote:
> Hi,
>
> On Tue, Oct 20, 2015 at 04:22:59PM +0300, Lev Stipakov wrote:
>> Commit
>> https://github.com/OpenVPN/openvpn/commit/685e486e8b8f70c25f09590c24762ff734f94a51
>> introduced a variable length array. Although C99 supports that, MSVS 2013
>> still requires
>> size of array to be compiler time constant. As a fix, use OPENSSL_malloc/free.
>
> Why OPENSSL_malloc() in particular?
>
> (As I have no clue about the intricacies of openssl-interfacing code, this
> might be a stupid question, but it looks like "normal gc_malloc() should
> be perfectly fine")
>
> gert










Re: [Openvpn-devel] [PATCH] Replace variable length array with malloc

2015-10-20 Thread Gert Doering
Hi,

On Tue, Oct 20, 2015 at 04:22:59PM +0300, Lev Stipakov wrote:
> Commit 
> https://github.com/OpenVPN/openvpn/commit/685e486e8b8f70c25f09590c24762ff734f94a51
> introduced a variable length array. Although C99 supports that, MSVS 2013 
> still requires
> size of array to be compiler time constant. As a fix, use OPENSSL_malloc/free.

Why OPENSSL_malloc() in particular?

(As I have no clue about the intricacies of openssl-interfacing code, this
might be a stupid question, but it looks like "normal gc_malloc() should
be perfectly fine")

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de




[Openvpn-devel] [PATCH] Replace variable length array with malloc

2015-10-20 Thread Lev Stipakov
Commit 
https://github.com/OpenVPN/openvpn/commit/685e486e8b8f70c25f09590c24762ff734f94a51
introduced a variable length array. Although C99 supports that, MSVS 2013 still 
requires
size of array to be compiler time constant. As a fix, use OPENSSL_malloc/free.

Signed-off-by: Lev Stipakov 
---
 src/openvpn/ssl_openssl.c | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index c08d4fe..1b4b1da 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -141,7 +141,10 @@ key_state_export_keying_material(struct key_state_ssl *ssl,
 {
 #if (OPENSSL_VERSION_NUMBER >= 0x10001000)
   unsigned int size = session->opt->ekm_size;
-  unsigned char ekm[size];
+  unsigned char* ekm = OPENSSL_malloc(size);
+
+  if (ekm == NULL)
+   crypto_msg (M_FATAL, "Failed to allocate memory for export key 
material.");

   if (SSL_export_keying_material(ssl->ssl, ekm, sizeof(ekm),
   session->opt->ekm_label, session->opt->ekm_label_size, NULL, 0, 0))
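
Review bot: the unchanged call still passes sizeof(ekm) to SSL_export_keying_material(), and with ekm now declared as unsigned char* that is the size of a pointer rather than the ekm_size bytes it gave for the array. Pass size instead, and check any other sizeof(ekm) use between this hunk and the next.
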
@@ -162,6 +165,8 @@ key_state_export_keying_material(struct key_state_ssl *ssl,
  msg (M_WARN, "WARNING: Export keying material failed!");
  setenv_del (session->opt->es, "exported_keying_material");
}
+
+  OPENSSL_free(ekm);
 #endif
 }
 }
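
Review bot: OPENSSL_free(ekm) hands the buffer back with the exported keying material still in it; add OPENSSL_cleanse(ekm, size) before the free. The free also sits only at the end of the #if block, so it is worth checking that no path between the allocation and this point returns early.
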
-- 
1.9.1




[Openvpn-devel] Interesting link related to OpenVPN on Windows

2015-10-20 Thread Jan Just Keijser

Hi,

just read this post:
http://www.theregister.co.uk/2015/10/19/microsoft_openssh_code_release/

Here's Redmond's rough road map for the OpenSSH port:

  * Update NoMachine port to OpenSSH 7.1 [Done]
  * Leverage Windows crypto api’s instead of OpenSSL/LibreSSL and
    run as Windows Service

[...]
esp the second bullet is interesting - if Microsoft created an 
(opensource) patch for OpenSSH to use Windows crypto api's then we can 
leverage this for OpenVPN-on-Windows as well.


share and enjoy,

JJK




Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-20 Thread Samuli Seppänen



> On Tuesday 20 October 2015 10:15:22 Samuli Seppänen wrote:
>>>> Are you saying that the interactive service also doubles as a Windows
>>>> system service? If so, can it be  configured to autostart selected
>>>> openvpn connections on boot and restart them if they crash/stop?
>>>
>>> No, and I do not think that the service should take care of that. That's
>>> rather things that can be handled by the GUI.
>>
>> What about persistent connections, especially on Windows servers?
>
> The interactive service patch doesn't remove the currently available service.
> So, you still can fire up any connections the way it was before. I personally
> do not care about the original service though, it may very well be that it
> lacks decent functionality.


The original openvpnserv.exe is truly crappy. It will not quit if all 
connections have died. It will not restart a connection should it crash. 
A single non-functional OpenVPN connection prevents it from launching 
the others (afaik). It will not work on Windows 10 in any reasonable 
fashion and works badly on anything post-Windows 7. It also does not 
handle resuming from suspend/hibernate properly.


My NSSM-based replacement thingie aims to address all these 
shortcomings. I believe the interactive service and NSSM are complementary.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-20 Thread Heiko Hund
On Tuesday 20 October 2015 11:51:16 Samuli Seppänen wrote:
> 3) Adding OpenVPN-GUI to OpenVPN's GitHub page
>
> This was proposed by someone else earlier. If nothing else, it would
> allow sharing responsibility of OpenVPN-GUI development among more
> people, like what happened with easy-rsa, openvpn-build, etc. earlier. I
> actually created my own GitHub fork a while back to make my work easier,
> as well as to be able to merge trivial patches (e.g. language fixes)
> more easily. The versioning in my OpenVPN-GUI tree had diverged from the
> "official" one a long time before that.

That was me. Let's do that then.

Heiko





Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-20 Thread Heiko Hund
On Monday 19 October 2015 16:57:02 Selva Nair wrote:
> I feel a framework such as the "interactive service" -- which is now and
> again mentioned in the mailing lists but no idea what it is --- with new
> GUI or a partial rewrite of the current one to effectively use the
> management interface plus a stable service is needed. Alternatively the
> current GUI could be adapted to use the "interactive service" if its ready
> for prime time.

The fun part is that the GUI already is capable of working with the
interactive service and our customers use it for a couple of years without
complaints. So, this is actually stable enough. The code just needs some
eyeballs from Windows people so the maintainers are sufficiently convinced to
merge it. Chances are also higher that things happen if more than one person
understands the code and could fix things in case I get hit by a bus.

Heiko





Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-20 Thread Heiko Hund
On Tuesday 20 October 2015 10:15:22 Samuli Seppänen wrote:
> >> Are you saying that the interactive service also doubles as a Windows
> >> system service? If so, can it be  configured to autostart selected
> >> openvpn connections on boot and restart them if they crash/stop?
> >
> > No, and I do not think that the service should take care of that. That's
> > rather things that can be handled by the GUI.
>
> What about persistent connections, especially on Windows servers?

The interactive service patch doesn't remove the currently available service.
So, you still can fire up any connections the way it was before. I personally
do not care about the original service though, it may very well be that it
lacks decent functionality.

Heiko





Re: [Openvpn-devel] Interactive windows service

2015-10-20 Thread Heiko Hund
On Saturday 17 October 2015 11:44:07 Selva Nair wrote:
> Is there a public repo where I can access this?  I have been using a
> patched MI-GUI to avoid needing admin priv on windows  but working towards
> a solution that could come bundled with "official" releases would be great.

Currently it is still on sourceforge, but I've got myself a Github account on
the weekend and will move the openvpn and GUI code as I noticed sf.net went
uncool. For now you can clone: git://git.code.sf.net/p/openvpn-gui/openvpn

Heiko





Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-20 Thread Samuli Seppänen



> On 19/10/15 16:58, Morris, Russell wrote:
>> I'd be happy to help out - but as above, I'm not an expert. So definitely
>> willing, but usefulness may be questionable unfortunately ... ;-).
>
> That isn't too far away from where I started and got involved into the OpenVPN
> core dev-team.  I was far from an OpenVPN expert.  I had very little OpenVPN
> development experience but had worked on a patch for OpenVPN to solve an issue
> for I had with a plug-in I was working on for OpenVPN.
>
> But I took the risk of stepping up, saying "I can help" ... and some months
> later I had gained enough trust in the community to be one of the first
> gatekeepers of the newly established git repository for OpenVPN.
>
> My point is that nobody really expects anyone to be a fully experienced
> OpenVPN developer to get involved.  Not at all.  We are a community, which
> help each other.  If you have some basic skills (for my part, I know C fairly
> well but by no means an expert) and interest to help ... I mean, what else can
> we ask for if you are willing to help out? :)
>
> Don't be afraid, take that chance and share your thoughts and ideas.  Hang out
> on the #openvpn-devel IRC channel if you can, share your opinions on the
> mailing list ... review and test patches you think are valuable for OpenVPN,
> submit your own patches of which you believe improve OpenVPN ... that's how
> this open source game works.  And this is exactly how Gert, Heiko, Steffan,
> Arne, and many many more also got involved.


+1. Also, if you're definitely not a developer, there are plenty of 
spaces where you can help. For example, I work on packaging (Windows, 
Debian/Ubuntu), build systems (tap-windows6, openvpn-build), continuous 
integration (buildslaves) and documentation, among other things. You 
don't actually need to send patches to the OpenVPN _core_ to be able to 
contribute.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-20 Thread Samuli Seppänen

Hi all,

This response is not really a response - please bear with me.

Regarding Windows GUIs... The situation with them is similar to the 
situation we had with OpenVPN back in 2009. Back then, the main 
repository (SVN) was managed by James, but he did not have time to 
review or merge community patches. This had created several "islands" of 
activity, for example IPv6 patchsets from Gert and Juanjo and Eurephia 
from David. The OpenVPN forums were also "external", i.e. not managed by 
the main OpenVPN project. There was also little to no coordination 
between these islands. We merged these islands and slowly took over 
project's responsibilities from James. By 2.3-alpha/beta-something the 
takeover was complete. The OpenVPN project had become our playground, 
something which we as a community owned and shared responsibility of.


However, the Windows part has always remained "external" to the main 
project. There is a fairly large number of people working on various 
aspects of Windows - here's a crude list of the top of my hat:


- Me (openvpn-build, "the buildslave", openvpnserv.exe replacement)
- Heiko (OpenVPN-GUI, cygwin builds?, interactive service)
- Steffan (openvpn-build)
- Lev (msvc builds)
- ValdikSS (msvc builds?, Win10 DNS fix)
- James (msvc builds, OpenVPN Connect, fixes here and there)
- People interested in joining the Windows team (a few already)
- All the "other" GUI authors and their contributors

We've had #openvpn-devel and this development mailing list for ages, and 
we're still struggling to get people to work on Windows. There are 
basically two explanations for this:


a) The current model is not working
b) There simply are no people who want to work on Windows

The meat of my proposal is to create a (semi)separate playground for all 
those who want to help OpenVPN for Windows to be as pleasant an 
experience as possible. If a "Windows team" eventually emerges, fine. If 
it does not, we can scrap the idea and go on as if nothing had happened.


The actual steps towards enabling the "Windows team" to emerge would be:

1) #openvpn-windows IRC channel

A Windows-specific IRC channel would attract people who run OpenVPN on 
Windows. This exact thing happened when we created the #openvpn-as chat: 
two of the current OpenVPN Tech employees were actually recruited from 
this channel. So the model itself is highly likely to work. It probably 
makes sense to keep #openvpn the official support channel, but forward 
the more tricky Windows questions to #openvpn-windows.


2) Windows-specific forum board

A quick look at the forums shows that about 1/5 of topics are related to 
Windows, just based on the topic name. Obviously people will post 
non-Windows questions to a Windows board, but moving threads from one 
board to another happens all the time anyways. Moreover, now people post 
their Windows client TAP-Windows questions to "Server administration" 
board, so the current situation is unlikely to get any worse.


3) Adding OpenVPN-GUI to OpenVPN's GitHub page

This was proposed by someone else earlier. If nothing else, it would 
allow sharing responsibility of OpenVPN-GUI development among more 
people, like what happened with easy-rsa, openvpn-build, etc. earlier. I 
actually created my own GitHub fork a while back to make my work easier, 
as well as to be able to merge trivial patches (e.g. language fixes) 
more easily. The versioning in my OpenVPN-GUI tree had diverged from the 
"official" one a long time before that.


---

All of the three above are proposals, which probably help us get more 
people working on the Windows part of OpenVPN _in the long run_. I 
obviously have to present the proposals to the people who actually get 
affected by them, i.e. people on #openvpn and the forums.


The way I see it, none of the above can actually harm the project, so 
trying this out should be safe. If you disagree or have constructive 
suggestions, please speak now or forever hold your peace :).


Thanks,

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Hi,

Just a couple thoughts here, from an (absolutely!) non-expert ... :-(.

I have been trying to develop my own "GUI" - not because the current one 
doesn't work (not at all!), but because I want a bit of an extended feature set ... to be 
able to change Tray Icon color with traffic (Tx/Rx), and plot ping timing to a remote 
machine over the link, and as well traffic and bit rate plots in the UL and DL.

That all said, I can definitely see that the network adapter (TAP) and 
openvpn.exe really are up and down (a lot!) on Windows ... :-(. I am trying to 
use NSSM to at least keep openvpn.exe up (i.e. restart it), but the network 
connection is a challenge also - often having to be reset (disabled and 
enabled). So to the question below ... yes, Windows does need some work.

I'd be happy to help out - but as above, I'm not an expert. So definitely 
willing, but usefulness may be questionable 

Re: [Openvpn-devel] [PATCH] Add option --push-suppress-ipv6 to stop sending IPv6 info to clients.

2015-10-20 Thread Arne Schwabe


Am 19.10.15 um 20:06 schrieb Gert Doering:
> Workaround option for servers that have IPv6 working just fine, but
> need to turn it off for individual clients - in that case, set this
> option in the --client-config-dir file for a particular user, or
> via --client-connect script/plugin hook for a particular platform
> (like IOS 9.0.2)
>
ACK from me. Patch looks good and is small enough not to cause
headaches. Ideally, this would be solved on the client (not accepting
these variables). The client still complains about other options like
redirect-gateway ipv6 but since this is a workaround anyway, it should
be fine.

Arne



Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-20 Thread Samuli Seppänen

Hi,


Are you saying that the interactive service also doubles as a Windows system
service? If so, can it be configured to autostart selected openvpn
connections on boot and restart them if they crash/stop?


No, and I do not think that the service should take care of that. That's
rather things that can be handled by the GUI.


What about persistent connections, especially on Windows servers?

I've already done a proof of concept "openvpnserv.exe" replacement using 
NSSM:




I also started writing a small C# program that can manage OpenVPN 
connections in NSSM in a user-friendly fashion, because the standard 
NSSM GUI is way too complex and generic for our well-specified use-case.



Now, can anyone provide proof that having a Windows team would actually
_hurt_ the project? If not, what does it matter if it fails? We could just
scrap the idea retroactively.


Hehe nice turn demanding proof, that'll shut up ppl. =)


Yes, that was the idea, because I know you guys don't have any proof. It 
seemed to have worked fine :).


That said, I don't have any proof either, but I think we all can agree 
that the situation with Windows in OpenVPN is not optimal, and that we 
should try to do something about it.


Best regards,

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock