Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-22 Thread Selva Nair 
Hi,

On Thu, Oct 22, 2015 at 3:58 PM, Morris, Russell 
wrote:

> Hi,
>
> Just checked - yep, 9.0.0.21. It seems to be from 2014 though?
>
> And to the other email I just sent (that seemed to bounce?),
>

Probably my mistake, in one of the posts I changed the address from devel
to users unintentionally..


>
> Yes, this is a Windows 7 machine. I think the issue is standby / network
> change related. In particular, standby / resume seems to cause a lot of
> grief. I also run on a desktop, not near as many (or really any) issues.
> But standby / resume -> crash!
>
> FYI, just had this exact issue, 1 minute ago. Got an OpenVPN connection,
> but no IP address (DHCP). Killed openvpn, disable / enable TAP, start
> openvpn and reconnect -> life is good again. Pretty reliable to make this
> happen … .
>
>
Our home laptop goes from sleep to resume all the time without major
issues. But we are not connecting to any public servers -- private servers
that run on a fixed IP and port, no DHCP, so may be that is one difference?

We have one Windows 7 laptop in a really really remote location that is set
to stay connected all the time.. The local network at that site crashes at
least twice a day and still the VPN comes back every time the network is
back. Its set not to sleep, so more like a desktop, but it does
occasionally move from one site to another.  Considering the remoteness of
the location and the flakiness of the remote network I have been more than
impressed by the way openvpn has served us for last 3 years.

But roaming is something I haven't tested much at all. When users travel
they do get connectivity from hotels etc., so that kind of "network change"
works well too.


> Perhaps some more detailed logs to debug?
>

Sure, would help.

Regards,

Selva

Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-22 Thread Morris, Russell 
Hi,

Just checked - yep, 9.0.0.21. It seems to be from 2014 though?

And to the other email I just sent (that seemed to bounce?),

Yes, this is a Windows 7 machine. I think the issue is standby / network change 
related. In particular, standby / resume seems to cause a lot of grief. I also 
run on a desktop, not near as many (or really any) issues. But standby / resume 
-> crash!

FYI, just had this exact issue, 1 minute ago. Got an OpenVPN connection, but no 
IP address (DHCP). Killed openvpn, disable / enable TAP, start openvpn and 
reconnect -> life is good again. Pretty reliable to make this happen … .

Perhaps some more detailed logs to debug?

Thanks,
... Russell


-Original Message-
From: Jan Just Keijser [mailto:janj...@nikhef.nl] 
Sent: Thursday, October 22, 2015 2:37 PM
To: Morris, Russell ; Gert Doering 
Cc: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

Hi,


On 22-Oct-15 20:28, Morris, Russell wrote:
> Hi,
>
> 90% sure it's I60x ... but I installed it a little bit ago, and didn't keep 
> the installer. Is there an easy way to check (to be 100% sure, so I don't 
> accidentally lie to you)?
>
try looking in the list of installed programs
Control Panel -> Programs and Features

Otherwise, look at the driver file for the tun adapter (tap0901.sys); 
I've got the 060x version installed and it has version 9.0.0.21 ; I am 
not entirely sure but I think the 010x version has a different (lower) 
version number.

HTH,

JJK

>
>
> -Original Message-
> From: Gert Doering [mailto:g...@greenie.muc.de]
> Sent: Thursday, October 22, 2015 1:25 PM
> To: Morris, Russell 
> Cc: Gert Doering ; Heiko Hund ; 
> openvpn-devel@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
>
> Hi,
>
> On Thu, Oct 22, 2015 at 06:22:02PM +, Morris, Russell wrote:
>> Actually, I already have nobind in my config file (and am running v2.3.8). I 
>> tend to see 2 errors,
>> - CONNECTION, but with ERROR (TAP adapter hung, have to close openvpn.exe, 
>> disable / enable TAP, restart openvpn.exe)
>> - TAP adapter exited
> Is this the old or new tap adapter?  (Windows installers I60x or I00x?)
>
> gert

Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-22 Thread Jan Just Keijser 

Hi,


On 22-Oct-15 20:28, Morris, Russell wrote:

Hi,

90% sure it's I60x ... but I installed it a little bit ago, and didn't keep the 
installer. Is there an easy way to check (to be 100% sure, so I don't 
accidentally lie to you)?


try looking in the list of installed programs
   Control Panel -> Programs and Features

Otherwise, look at the driver file for the tun adapter (tap0901.sys); 
I've got the 060x version installed and it has version 9.0.0.21 ; I am 
not entirely sure but I think the 010x version has a different (lower) 
version number.


HTH,

JJK




-Original Message-
From: Gert Doering [mailto:g...@greenie.muc.de]
Sent: Thursday, October 22, 2015 1:25 PM
To: Morris, Russell 
Cc: Gert Doering ; Heiko Hund ; 
openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

Hi,

On Thu, Oct 22, 2015 at 06:22:02PM +, Morris, Russell wrote:

Actually, I already have nobind in my config file (and am running v2.3.8). I 
tend to see 2 errors,
- CONNECTION, but with ERROR (TAP adapter hung, have to close openvpn.exe, 
disable / enable TAP, restart openvpn.exe)
- TAP adapter exited

Is this the old or new tap adapter?  (Windows installers I60x or I00x?)

gert

[Openvpn-devel] Fwd: Creating a Windows team for OpenVPN?

2015-10-22 Thread Selva Nair 
Hi,

On Thu, Oct 22, 2015 at 1:44 AM, Heiko Hund  wrote:

> On Tuesday 20 October 2015 22:12:06 Selva Nair wrote:
>
> > But a sever admin would not want it in the system as it can allow any
> user
> > with some VPN server account to change the routes etc using the
> > service..(please correct me if I'm mistaken).
>
> If you do not make the configuration directory writable to anyone, then
> you're
> fine. IIRC the GUI has an command line option that would need to be
> changed in
> order to disable loading of arbitrary configs. Besides that the concept is
> waterproof.


If configs can be locked down by admin, I don't see how a GUI cmd line
option can unprotect it. But, anyway, such details don't matter for this
discussion at this stage.


> Besides that the concept is waterproof.


If its posible to do privilege separation without unpleasant side effects,
that is great news and I'll take back my remarks against the interactive
service. Then one service could be made to work for both "automatic" and
interactive uses.

Selva

Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-22 Thread Morris, Russell 
Hi,

90% sure it's I60x ... but I installed it a little bit ago, and didn't keep the 
installer. Is there an easy way to check (to be 100% sure, so I don't 
accidentally lie to you)?

Thanks!

... Russell



-Original Message-
From: Gert Doering [mailto:g...@greenie.muc.de] 
Sent: Thursday, October 22, 2015 1:25 PM
To: Morris, Russell 
Cc: Gert Doering ; Heiko Hund ; 
openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

Hi,

On Thu, Oct 22, 2015 at 06:22:02PM +, Morris, Russell wrote:
> Actually, I already have nobind in my config file (and am running v2.3.8). I 
> tend to see 2 errors, 
> - CONNECTION, but with ERROR (TAP adapter hung, have to close openvpn.exe, 
> disable / enable TAP, restart openvpn.exe)
> - TAP adapter exited

Is this the old or new tap adapter?  (Windows installers I60x or I00x?)

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de

Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-22 Thread Gert Doering 
Hi,

On Thu, Oct 22, 2015 at 06:22:02PM +, Morris, Russell wrote:
> Actually, I already have nobind in my config file (and am running v2.3.8). I 
> tend to see 2 errors, 
> - CONNECTION, but with ERROR (TAP adapter hung, have to close openvpn.exe, 
> disable / enable TAP, restart openvpn.exe)
> - TAP adapter exited

Is this the old or new tap adapter?  (Windows installers I60x or I00x?)

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de


signature.asc
Description: PGP signature

Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-22 Thread Morris, Russell 
Hi,

Actually, I already have nobind in my config file (and am running v2.3.8). I 
tend to see 2 errors, 
- CONNECTION, but with ERROR (TAP adapter hung, have to close openvpn.exe, 
disable / enable TAP, restart openvpn.exe)
- TAP adapter exited

Thanks,
... Russell


-Original Message-
From: Gert Doering [mailto:g...@greenie.muc.de] 
Sent: Thursday, October 22, 2015 12:37 PM
To: Morris, Russell 
Cc: Gert Doering ; Heiko Hund ; 
openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

Hi,

On Thu, Oct 22, 2015 at 04:43:05PM +, Morris, Russell wrote:
> Sorry, catching up, but to the comments previously ... I do see openvpn.exe 
> crash quite regularly. I run it on a laptop, sleeping / resuming and moving 
> from wired to wireless (and) back quite a bit. These tend to break 
> openvpn.exe, and in some cases can hang the TAP adapter also ... :-(.

Try without local bind (--nobind in the client config)...

That should even give you seamless roaming without losing your tunnel
if the server is new enough to support peer-id (git master, no older
than about half a yaear).

gert 

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de

[Openvpn-devel] [PATCH applied] Re: Replace variable length array with malloc

2015-10-22 Thread Gert Doering 
ACK.  Looks sane and is totally in line with coding conventions :-) - and
very useful to actually have a gc around!

Your patch has been applied to the master branch.

commit 41e4b67a229e774ebc57a882c386e10d80e10e7e
Author: Lev Stipakov
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Wed Oct 21 10:13:26 2015 +0300

 Replace variable length array with malloc

 Signed-off-by: Lev Stipakov 
 Acked-by: Gert Doering 
 Message-Id: <1445411606-13369-1-git-send-email-lstipa...@gmail.com>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/10344
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering

[Openvpn-devel] [PATCH applied] Re: openssl: remove usage of OPENSSL_malloc() from show_available_curves

2015-10-22 Thread Gert Doering 
Your patch has been applied to the master branch.

commit 470eb8b6b6a9970a68cb17a185359adffbaeabf5
Author: Steffan Karger
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Wed Oct 21 00:39:04 2015 +0200

 openssl: remove usage of OPENSSL_malloc() from show_available_curves

 Signed-off-by: Steffan Karger 
 Acked-by: Lev Stipakov 
 Message-Id: <1445380744-21086-1-git-send-email-stef...@karger.me>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/10339
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering

[Openvpn-devel] [PATCH applied] Re: Fix memory leak in auth-pam plugin

2015-10-22 Thread Gert Doering 
Your patch has been applied to the master and release/2.3 branch.

commit cfc13b38bc6504b9768e4cc43311807d6b074672 (master)
commit 6a5e978085cc721bb09796ab44d77c3142b5f78b (release/2.3)

Author: Steffan Karger
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Wed Oct 21 00:38:26 2015 +0200

 Fix memory leak in auth-pam plugin

 Signed-off-by: Steffan Karger 
 Acked-by: Lev Stipakov 
 Message-Id: <1445380706-20864-1-git-send-email-stef...@karger.me>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/10338
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering

[Openvpn-devel] [PATCH applied] Re: Generate openvpn-plugin.h for MSVC build

2015-10-22 Thread Gert Doering 
ACK.  I have no idea what it does in particular, but as it does only
touch files for MSVC build and this basically affects only you and
(possibly) James, I just trust you :-)

Your patch has been applied to the master branch.

commit dd8d351dbc92ede6726b7090ed4eceb9b95318c6
Author: Lev Stipakov
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Thu Oct 22 10:51:22 2015 +0300

 Generate openvpn-plugin.h for MSVC build

 Signed-off-by: Lev Stipakov 
 Acked-by: Gert Doering 
 Message-Id: <1445500282-23129-1-git-send-email-lstipa...@gmail.com>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/10360
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering

Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-22 Thread Gert Doering 
Hi,

On Thu, Oct 22, 2015 at 04:43:05PM +, Morris, Russell wrote:
> Sorry, catching up, but to the comments previously ... I do see openvpn.exe 
> crash quite regularly. I run it on a laptop, sleeping / resuming and moving 
> from wired to wireless (and) back quite a bit. These tend to break 
> openvpn.exe, and in some cases can hang the TAP adapter also ... :-(.

Try without local bind (--nobind in the client config)...

That should even give you seamless roaming without losing your tunnel
if the server is new enough to support peer-id (git master, no older
than about half a yaear).

gert 

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de


signature.asc
Description: PGP signature

Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-22 Thread Morris, Russell 
Sorry, catching up, but to the comments previously ... I do see openvpn.exe 
crash quite regularly. I run it on a laptop, sleeping / resuming and moving 
from wired to wireless (and) back quite a bit. These tend to break openvpn.exe, 
and in some cases can hang the TAP adapter also ... :-(.

Thanks,
... Russell


-Original Message-
From: Gert Doering [mailto:g...@greenie.muc.de] 
Sent: Thursday, October 22, 2015 2:50 AM
To: Heiko Hund 
Cc: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

Hi,

On Thu, Oct 22, 2015 at 07:49:45AM +0200, Heiko Hund wrote:
> On Tuesday 20 October 2015 14:01:33 Samuli Seppänen wrote:
> > My NSSM-based replacement thingie aims to address all these
> > shortcomings. I believe the interactive service and NSSM are complementary.
> 
> Or we extend the GUI to make it start tunnels automatically on startup, then
> the additional service is no longer needed, is it?

I've heard people ask for "we need the VPN to be up before user login so
windows domain login works!" - so the GUI won't be around yet.

Now, not being a windows person and not running this domain stuff I'm 
not sure if there are other ways to achieve that - but this is what has
been told to me...

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de

Re: [Openvpn-devel] [PATCH] Use adapter index instead of name

2015-10-22 Thread Gert Doering 
Hi,

On Thu, Oct 22, 2015 at 07:16:57PM +0300, ValdikSS ValdikSS wrote:
> Actually, we should have used indexes and not interface names from the 
> beginning.

This particular code was out there for review and comments for a few 
years now...

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de


signature.asc
Description: PGP signature

Re: [Openvpn-devel] [PATCH] Use adapter index instead of name

2015-10-22 Thread ValdikSS ValdikSS 
If like this index approach. Actually, we should have used indexes and not 
interface names from the beginning.

  Original Message  
From: Gert Doering
Sent: Thursday, 22 October 2015 18:26
To: Lev Stipakov
Cc: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] [PATCH] Use adapter index instead of name

Hi,

On Thu, Oct 22, 2015 at 05:29:54PM +0300, Lev Stipakov wrote:
> > And with interface indexes, it works all the time?
> 
> We have tested it on a few machines which previously have had this 
> problem and this patch has fixed that. We will test it for larger 
> audience in near future and report results.

As a side note: the new IPv6 "redirect gateway ipv6" stuff also only
uses adapter indexes, so I'm pretty confident that "install route and
ifconfig via adapter index" is a good approach (if only to avoid spaces
and national characters on the command line :-) ) - I was mainly wondering
whether there is any case when the get_adapter_index() could fail on us...

Going to "ifindex only" will actually make the route.c code in master
less complex, as it has to deal with name-or-index today.

gert


-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de

Re: [Openvpn-devel] [PATCH] Use adapter index instead of name

2015-10-22 Thread Gert Doering 
Hi,

On Thu, Oct 22, 2015 at 05:29:54PM +0300, Lev Stipakov wrote:
>  > And with interface indexes, it works all the time?
> 
> We have tested it on a few machines which previously have had this 
> problem and this patch has fixed that. We will test it for larger 
> audience in near future and report results.

As a side note: the new IPv6 "redirect gateway ipv6" stuff also only
uses adapter indexes, so I'm pretty confident that "install route and
ifconfig via adapter index" is a good approach (if only to avoid spaces
and national characters on the command line :-) ) - I was mainly wondering
whether there is any case when the get_adapter_index() could fail on us...

Going to "ifindex only" will actually make the route.c code in master
less complex, as it has to deal with name-or-index today.

gert


-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de


signature.asc
Description: PGP signature

Re: [Openvpn-devel] [PATCH] Use adapter index instead of name

2015-10-22 Thread Gert Doering 
Hi,

On Thu, Oct 22, 2015 at 03:24:53PM +0100, David Woodhouse wrote:
> I don't understand why you're feeding get_adapter_index_method_1() a
> GUID prefixed with \DEVICE\TCPIP_ instead of a name, either, since the
> MSDN documentation for GetAdapterIndex() suggests that it takes the
> interface name. Hey, maybe that's why it didn't work and you had to
> invent a new method? Maybe I'm best not looking at your code at all :)

I hav *so* no idea...  this code is all much older than my involvement
here :-) - but the method_2 approach looks halfway sane.

> But still, I'm not booting Windows today. Not for all the tea in China.

Cross-compiling indeed only gets one half-way here...

gert


-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de


signature.asc
Description: PGP signature

Re: [Openvpn-devel] [PATCH] Use adapter index instead of name

2015-10-22 Thread Jan Just Keijser 

Hi *,

On 22/10/15 16:24, David Woodhouse wrote:

On Thu, 2015-10-22 at 16:17 +0200, Gert Doering wrote:

Hi,

On Thu, Oct 22, 2015 at 03:09:57PM +0100, David Woodhouse wrote:

So Olli and Lev would appear to be saying. For OpenConnect I
haven't
actually tested this hypothesis. Unfortunately I'd need to
reimplement
the get_adapter_index stuff under LGPL first...

Looking at our tun.c I wish I hadn't done that... but it seems that
using GetAdaptersinfo() should get you pretty far (which is what
get_adapter_index_method_2() uses under the hood)...

But indeed, this direction seems to be non trivial...

It's not *that* hard. But I need to properly *understand* the how to do
it so that I can write my own version from scratch and make 100% sure
I'm not committing any cut-and-paste crimes, even via eyes and fingers
and keyboard.

And that means I need to understand the logic behind the two different
get_adapter_index_methods, which is notably absent from the 2005 commit
message which added get_adapter_index_method_2().

I don't understand why you're feeding get_adapter_index_method_1() a
GUID prefixed with \DEVICE\TCPIP_ instead of a name, either, since the
MSDN documentation for GetAdapterIndex() suggests that it takes the
interface name. Hey, maybe that's why it didn't work and you had to
invent a new method? Maybe I'm best not looking at your code at all :)

But still, I'm not booting Windows today. Not for all the tea in China.


history, most likely. Before Vista the recommended way to develop and 
use a Windows driver was the TDI ( Transport Driver Interface).


Read e.g. http://codemachine.com/article_tdi.html for some details.

It might be worthwhile to investigate if we can safely drop all TDI 
stuff and use a more modern interface , but the again, if you read stuff 
like this (from the site listed):


"Starting with Windows Vista, Microsoft has made several attempts to 
remove the support for TDI drivers from the operating system. This would 
have resulted in all legacy TDI clients and TDI filters becoming 
non-functional on subsequent versions of Windows. Although industry 
pressure on Microsoft has prevented this from happening so far, it is 
bound to happen eventually. Since TDI is on the path of deprecation, the 
windows networking stack provides new technologies that replace TDI, 
which developers are encouraged to adopt. Drivers on Vista and later 
versions of Windows that need to implement TDI client functionality 
should use the Windows Socket Kernel (WSK) interface and drivers that 
need to implement TDI filtering functionality should use Windows 
Filtering Platform (WFP) interface.


Due to the re-architecture of the networking stack in Vista, TDI is no 
longer the interface that AFD.sys uses to communicate with TCPIP.sys. 
Instead, AFD.sys uses a new undocumented interface called Transport 
Layer Network Provider Interface (TLNPI) to communicate with TCPIP.sys. 
However, in order to support legacy TDI clients and TDI filters, 
Microsoft provides a new driver called TDX.sys, which internally use 
TLNPI to communicate with TCPIP.sys. It also creates all the device 
objects that TCPIP used to create, in order to maintain backward 
compatibility with legacy TDI drivers. The figure below shows the 
relationship between the components mentioned above on Vista and later 
versions of Windows. When Windows detects the presence of TDI filter in 
the system, all traffic between AFD.sys and TCPIP.sys is automatically 
routed through the TDX driver. The TDX driver makes use of the TDI API 
in TDI.sys and uses the Network Module Registrar (NMR) API in NETIO.sys 
to implement its functionality. TDX is supported on Vista, Server 2008 
and Windows 7. TDX handles TDI requests from legacy TDI drivers and maps 
them to TLNPI calls."


then I also no longer want to boot Windows anymore ;)

JJK

Re: [Openvpn-devel] [PATCH] Use adapter index instead of name

2015-10-22 Thread Lev Stipakov 

Hello,

> And with interface indexes, it works all the time?

We have tested it on a few machines which previously have had this 
problem and this patch has fixed that. We will test it for larger 
audience in near future and report results.


-Lev


On 22.10.2015 16.59, Gert Doering wrote:

hi,

On Thu, Oct 22, 2015 at 02:55:44PM +0100, David Woodhouse wrote:

So what is the underlying issue here?  Non-ASCII characters in the
device name ("this *should* have been fixed a few releases ago")?


No, and not spaces (despite the vpn.ccrypto.org link above suggesting
that it is).


Spaces are known to not cause issues ("I do test things" :-) ).


The issue is not known. Seriously, "because Windows".

Renaming the interface, and then renaming it back to precisely what it
was before, and doing registry dumps and checking that things really
*are* just the same as they were before, is sufficient to fix it.


Urgh.

And with interface indexes, it works all the time?  In that case, we'll
just change over... (the new rgi6 stuff uses interface indexes for routing
anyway)  ((meh, git master really is different from 2.3 code here...))

gert



--



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] Use adapter index instead of name

2015-10-22 Thread David Woodhouse 
On Thu, 2015-10-22 at 16:17 +0200, Gert Doering wrote:
> Hi,
> 
> On Thu, Oct 22, 2015 at 03:09:57PM +0100, David Woodhouse wrote:
> > So Olli and Lev would appear to be saying. For OpenConnect I
> > haven't
> > actually tested this hypothesis. Unfortunately I'd need to
> > reimplement
> > the get_adapter_index stuff under LGPL first...
> 
> Looking at our tun.c I wish I hadn't done that... but it seems that
> using GetAdaptersinfo() should get you pretty far (which is what 
> get_adapter_index_method_2() uses under the hood)...
> 
> But indeed, this direction seems to be non trivial...

It's not *that* hard. But I need to properly *understand* the how to do
it so that I can write my own version from scratch and make 100% sure
I'm not committing any cut-and-paste crimes, even via eyes and fingers
and keyboard.

And that means I need to understand the logic behind the two different
get_adapter_index_methods, which is notably absent from the 2005 commit
message which added get_adapter_index_method_2().

I don't understand why you're feeding get_adapter_index_method_1() a
GUID prefixed with \DEVICE\TCPIP_ instead of a name, either, since the
MSDN documentation for GetAdapterIndex() suggests that it takes the
interface name. Hey, maybe that's why it didn't work and you had to
invent a new method? Maybe I'm best not looking at your code at all :)

But still, I'm not booting Windows today. Not for all the tea in China.

-- 
dwmw2



smime.p7s
Description: S/MIME cryptographic signature

Re: [Openvpn-devel] [PATCH] Use adapter index instead of name

2015-10-22 Thread Gert Doering 
Hi,

On Thu, Oct 22, 2015 at 03:09:57PM +0100, David Woodhouse wrote:
> So Olli and Lev would appear to be saying. For OpenConnect I haven't
> actually tested this hypothesis. Unfortunately I'd need to reimplement
> the get_adapter_index stuff under LGPL first...

Looking at our tun.c I wish I hadn't done that... but it seems that
using GetAdaptersinfo() should get you pretty far (which is what 
get_adapter_index_method_2() uses under the hood)...

But indeed, this direction seems to be non trivial...

get

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de


signature.asc
Description: PGP signature

Re: [Openvpn-devel] [PATCH] Use adapter index instead of name

2015-10-22 Thread David Woodhouse 
On Thu, 2015-10-22 at 15:59 +0200, Gert Doering wrote:
> hi,
> 
> On Thu, Oct 22, 2015 at 02:55:44PM +0100, David Woodhouse wrote:
> > > So what is the underlying issue here?  Non-ASCII characters in the 
> > > device name ("this *should* have been fixed a few releases ago")?
> > 
> > No, and not spaces (despite the vpn.ccrypto.org link above suggesting
> > that it is).
> 
> Spaces are known to not cause issues ("I do test things" :-) ).

I have a Windows VM somewhere with an interface named 'TAP ♥' :)

> > The issue is not known. Seriously, "because Windows".
> > 
> > Renaming the interface, and then renaming it back to precisely what it
> > was before, and doing registry dumps and checking that things really
> > *are* just the same as they were before, is sufficient to fix it.
> 
> Urgh.
> 
> And with interface indexes, it works all the time? 

So Olli and Lev would appear to be saying. For OpenConnect I haven't
actually tested this hypothesis. Unfortunately I'd need to reimplement
the get_adapter_index stuff under LGPL first...

-- 
dwmw2



smime.p7s
Description: S/MIME cryptographic signature

Re: [Openvpn-devel] [PATCH] Use adapter index instead of name

2015-10-22 Thread Gert Doering 
hi,

On Thu, Oct 22, 2015 at 02:55:44PM +0100, David Woodhouse wrote:
> > So what is the underlying issue here?  Non-ASCII characters in the 
> > device name ("this *should* have been fixed a few releases ago")?
> 
> No, and not spaces (despite the vpn.ccrypto.org link above suggesting
> that it is).

Spaces are known to not cause issues ("I do test things" :-) ).

> The issue is not known. Seriously, "because Windows".
> 
> Renaming the interface, and then renaming it back to precisely what it
> was before, and doing registry dumps and checking that things really
> *are* just the same as they were before, is sufficient to fix it.

Urgh.

And with interface indexes, it works all the time?  In that case, we'll
just change over... (the new rgi6 stuff uses interface indexes for routing
anyway)  ((meh, git master really is different from 2.3 code here...))

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de


signature.asc
Description: PGP signature

Re: [Openvpn-devel] [PATCH] Use adapter index instead of name

2015-10-22 Thread David Woodhouse 
On Thu, 2015-10-22 at 15:51 +0200, Gert Doering wrote:
> Hi,
> 
> On Thu, Oct 22, 2015 at 04:47:56PM +0300, Olli Männistö wrote:
> > Many VPN providers like us experience these issues and have to give users
> > workarounds to fix it. Here are couple of examples:
> > https://community.f-secure.com/t5/F-Secure/After-a-Windows-10-upgrade/ta-p/72732
> > https://forum.hidemyass.com/index.php/topic/18331-connection-problem/
> > https://vpn.ccrypto.org/page/install-windows
> > 
> > There is also workaround on Microsoft Technet forum
> > (
> > https://social.technet.microsoft.com/Forums/windowsserver/en-US/bb73aa66-34c3-49c2-8a2d-def03ee03902/element-not-found-error-when-trying-to-define-static-ipv6-route?forum=ipv6)
> > to use index instead of adapter name. If it's reliable that we always get
> > the index figured out it doesn't need to have fallback to use adapter name.
> > In our testing it seems to work well with index and fix the described issue.
> 
> So what is the underlying issue here?  Non-ASCII characters in the 
> device name ("this *should* have been fixed a few releases ago")?

No, and not spaces (despite the vpn.ccrypto.org link above suggesting
that it is).

The issue is not known. Seriously, "because Windows".

Renaming the interface, and then renaming it back to precisely what it
was before, and doing registry dumps and checking that things really
*are* just the same as they were before, is sufficient to fix it.


-- 
dwmw2



smime.p7s
Description: S/MIME cryptographic signature

Re: [Openvpn-devel] [PATCH] Use adapter index instead of name

2015-10-22 Thread Gert Doering 
Hi,

On Thu, Oct 22, 2015 at 04:47:56PM +0300, Olli Männistö wrote:
> Many VPN providers like us experience these issues and have to give users
> workarounds to fix it. Here are couple of examples:
> https://community.f-secure.com/t5/F-Secure/After-a-Windows-10-upgrade/ta-p/72732
> https://forum.hidemyass.com/index.php/topic/18331-connection-problem/
> https://vpn.ccrypto.org/page/install-windows
> 
> There is also workaround on Microsoft Technet forum
> (
> https://social.technet.microsoft.com/Forums/windowsserver/en-US/bb73aa66-34c3-49c2-8a2d-def03ee03902/element-not-found-error-when-trying-to-define-static-ipv6-route?forum=ipv6)
> to use index instead of adapter name. If it's reliable that we always get
> the index figured out it doesn't need to have fallback to use adapter name.
> In our testing it seems to work well with index and fix the described issue.

So what is the underlying issue here?  Non-ASCII characters in the device
name ("this *should* have been fixed a few releases ago")?

Note that the technet forum talks about ipv6 *route*, not "set address", and
this is not part of your patch...

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de


signature.asc
Description: PGP signature

Re: [Openvpn-devel] [PATCH] Use adapter index instead of name

2015-10-22 Thread David Woodhouse 
On Thu, 2015-10-22 at 15:26 +0200, Gert Doering wrote:
> 
> NAK on that - it's extra code, another "two branches that need testing"
> addition, and I have not seen any mention of these "weird issues" yet -
> so please explain the problem scenario better.
> 
> (I might be happy to go for "use adapter index, always!", but I really 
> *really* do not want "try this, fall back to that!" unless it's well 
> understood why this is needed).
> 
> Also, I wonder why this is not needed for route addition if it's needed
> for ip address setting..

Because Windows. You don't get to *understand*; you just get to work
around the brokenness. And drink.

I've had reports of something similar happening with OpenConnect on a
German Windows installation too. At
http://lists.infradead.org/pipermail/openconnect-devel/2015-June/003033.html
is a log showing the interface name failing for some operations, and
working for others:

2015-06-17 10:48 executing: netsh interface ipv4 set subinterface "Ethernet 2" 
mtu=1342 store=active
2015-06-17 10:48 Element nicht gefunden.
2015-06-17 10:48 Configuring "Ethernet 2" interface for Legacy IP...
2015-06-17 10:48 executing: netsh interface ip set address "Ethernet 2" static 
137.248.72.208 255.255.255.0
2015-06-17 10:48 Element nicht gefunden.
2015-06-17 10:48 executing: netsh interface ip add wins "Ethernet 2" 
192.168.16.26 index=1
2015-06-17 10:48 executing: netsh interface ip add dns "Ethernet 2" 137.248.1.5 
index=1
2015-06-17 10:48 executing: netsh interface ip add dns "Ethernet 2" 
137.248.21.22 index=2
2015-06-17 10:48 done.

Besides, route addition doesn't use the network interface name on
Windows, does it?

FWIW the reporting user said that *renaming* the interface would make
the problem go away:
http://lists.infradead.org/pipermail/openconnect-devel/2015-July/003088.html

-- 
dwmw2



smime.p7s
Description: S/MIME cryptographic signature

Re: [Openvpn-devel] [PATCH] Use adapter index instead of name

2015-10-22 Thread Gert Doering 
Hi,

On Thu, Oct 22, 2015 at 04:09:20PM +0300, Lev Stipakov wrote:
> From: Olli Mannisto 
> 
> Some windows machines get weird issues with netsh when using
> adapter name on "netsh.exe interface ipv6 set address" command.
> 
> Changed logic to get adapter index and use it instead of adapter
> name for netsh set address command. if unable to get adapter index,
> try with adapter name.

NAK on that - it's extra code, another "two branches that need testing"
addition, and I have not seen any mention of these "weird issues" yet -
so please explain the problem scenario better.

(I might be happy to go for "use adapter index, always!", but I really 
*really* do not want "try this, fall back to that!" unless it's well 
understood why this is needed).

Also, I wonder why this is not needed for route addition if it's needed
for ip address setting..

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de


signature.asc
Description: PGP signature

[Openvpn-devel] [PATCH] Use adapter index instead of name

2015-10-22 Thread Lev Stipakov 
From: Olli Mannisto 

Some windows machines get weird issues with netsh when using
adapter name on "netsh.exe interface ipv6 set address" command.

Changed logic to get adapter index and use it instead of adapter
name for netsh set address command. if unable to get adapter index,
try with adapter name.

Signed-off-by: Olli Mannisto 
Signed-off-by: Lev Stipakov 
---
 src/openvpn/tun.c | 26 +++---
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index 24a61ec..aa0278d 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -1301,18 +1301,30 @@ do_ifconfig (struct tuntap *tt,
 if ( do_ipv6 )
   {
char * saved_actual;
+   const DWORD idx = get_adapter_index_flexible(actual);

if (!strcmp (actual, "NULL"))
  msg (M_FATAL, "Error: When using --tun-ipv6, if you have more than 
one TAP-Windows adapter, you must also specify --dev-node");

/* example: netsh interface ipv6 set address MyTap 2001:608:8003::d 
store=active */
-   argv_printf (,
-   "%s%sc interface ipv6 set address %s %s store=active",
-get_win_sys_path(),
-NETSH_PATH_SUFFIX,
-actual,
-ifconfig_ipv6_local );
-
+if (idx != TUN_ADAPTER_INDEX_INVALID)
+{
+argv_printf (,
+"%s%sc interface ipv6 set address %u %s store=active",
+ get_win_sys_path(),
+ NETSH_PATH_SUFFIX,
+ idx,
+ ifconfig_ipv6_local);
+}
+else
+{
+argv_printf (,
+"%s%sc interface ipv6 set address %s %s store=active",
+ get_win_sys_path(),
+ NETSH_PATH_SUFFIX,
+ actual,
+ ifconfig_ipv6_local);
+}
netsh_command (, 4);

/* explicit route needed */
-- 
1.9.1

[Openvpn-devel] [PATCH] Generate openvpn-plugin.h for MSVC build

2015-10-22 Thread Lev Stipakov 
openvpn-plugin.h was not generated for MSVC build since it has been
removed from sources and made generated by configure script.

This fix generates it for MSVC build and substitutes macroses like
@OPENVPN_VERSION_MAJOR@ with actual values.

Signed-off-by: Lev Stipakov 
---
 build/msvc/msvc-generate/Makefile.mak  | 27 +--
 build/msvc/msvc-generate/version.m4.in |  3 +++
 2 files changed, 24 insertions(+), 6 deletions(-)
 mode change 100755 => 100644 build/msvc/msvc-generate/Makefile.mak
 create mode 100644 build/msvc/msvc-generate/version.m4.in

diff --git a/build/msvc/msvc-generate/Makefile.mak 
b/build/msvc/msvc-generate/Makefile.mak
old mode 100755
new mode 100644
index 72415f1..be72643
--- a/build/msvc/msvc-generate/Makefile.mak
+++ b/build/msvc/msvc-generate/Makefile.mak
@@ -1,13 +1,28 @@
 # Copyright (C) 2008-2012 Alon Bar-Lev 

 CONFIG=$(SOURCEBASE)/version.m4
-INPUT=$(SOURCEBASE)/config-msvc-version.h.in
-OUTPUT=$(SOURCEBASE)/config-msvc-version.h

-all:   $(OUTPUT)
+INPUT_MSVC_VER=$(SOURCEBASE)/config-msvc-version.h.in
+OUTPUT_MSVC_VER=$(SOURCEBASE)/config-msvc-version.h

-$(OUTPUT): $(INPUT) $(CONFIG)
-   cscript //nologo msvc-generate.js --config="$(CONFIG)" 
--input="$(INPUT)" --output="$(OUTPUT)"
+INPUT_PLUGIN=$(SOURCEBASE)/include/openvpn-plugin.h.in
+OUTPUT_PLUGIN=$(SOURCEBASE)/include/openvpn-plugin.h
+
+INPUT_PLUGIN_CONFIG=version.m4.in
+OUTPUT_PLUGIN_CONFIG=version.m4
+
+all:   $(OUTPUT_MSVC_VER) $(OUTPUT_PLUGIN)
+
+$(OUTPUT_MSVC_VER): $(INPUT_MSVC_VER) $(CONFIG) 
+   cscript //nologo msvc-generate.js --config="$(CONFIG)" 
--input="$(INPUT_MSVC_VER)" --output="$(OUTPUT_MSVC_VER)"
+
+$(OUTPUT_PLUGIN_CONFIG): $(INPUT_PLUGIN_CONFIG)
+   cscript //nologo msvc-generate.js --config="$(CONFIG)" 
--input="$(INPUT_PLUGIN_CONFIG)" --output="$(OUTPUT_PLUGIN_CONFIG)"  
+
+$(OUTPUT_PLUGIN): $(INPUT_PLUGIN) $(OUTPUT_PLUGIN_CONFIG)
+   cscript //nologo msvc-generate.js --config="$(OUTPUT_PLUGIN_CONFIG)" 
--input="$(INPUT_PLUGIN)" --output="$(OUTPUT_PLUGIN)"

 clean:
-   -del "$(OUTPUT)"
+   -del "$(OUTPUT_MSVC_VER)"
+   -del "$(OUTPUT_PLUGIN)"
+   -del "$(OUTPUT_PLUGIN_CONFIG)"
diff --git a/build/msvc/msvc-generate/version.m4.in 
b/build/msvc/msvc-generate/version.m4.in
new file mode 100644
index 000..cbb4fef
--- /dev/null
+++ b/build/msvc/msvc-generate/version.m4.in
@@ -0,0 +1,3 @@
+define([OPENVPN_VERSION_MAJOR], [@PRODUCT_VERSION_MAJOR@])
+define([OPENVPN_VERSION_MINOR], [@PRODUCT_VERSION_MINOR@])
+define([OPENVPN_VERSION_PATCH], [@PRODUCT_VERSION_PATCH@])
-- 
1.9.1

Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-22 Thread Gert Doering 
Hi,

On Thu, Oct 22, 2015 at 07:49:45AM +0200, Heiko Hund wrote:
> On Tuesday 20 October 2015 14:01:33 Samuli Seppänen wrote:
> > My NSSM-based replacement thingie aims to address all these
> > shortcomings. I believe the interactive service and NSSM are complementary.
> 
> Or we extend the GUI to make it start tunnels automatically on startup, then
> the additional service is no longer needed, is it?

I've heard people ask for "we need the VPN to be up before user login so
windows domain login works!" - so the GUI won't be around yet.

Now, not being a windows person and not running this domain stuff I'm 
not sure if there are other ways to achieve that - but this is what has
been told to me...

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025g...@net.informatik.tu-muenchen.de


signature.asc
Description: PGP signature

Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-22 Thread Heiko Hund 
On Tuesday 20 October 2015 14:01:33 Samuli Seppänen wrote:
> My NSSM-based replacement thingie aims to address all these
> shortcomings. I believe the interactive service and NSSM are complementary.

Or we extend the GUI to make it start tunnels automatically on startup, then
the additional service is no longer needed, is it?

Heiko


Sophos Technology GmbH, Amalienbadstraẞe 41/Bau 52, D-76227 Karlsruhe, 
Deutschland
Tel +49 (0)721 25516 0 Fax +49 (0)721 25516 200 E-Mail i...@sophos.de 
www.sophos.de
Sitz der Gesellschaft: Karlsruhe, Amtsgericht Mannheim HRB 712658
Geschäftsführer: Nicholas Bray, Pino von Kienlin, Wolfgang Hilpert, Jennifer 
Onslow.
Sophos GmbH, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Deutschland
Tel +49 (0) 611 5858-0 Fax +49 (0) 611 5858-1042 E-Mail i...@sophos.de 
www.sophos.de
Sitz der Gesellschaft: Wiesbaden, Amtsgericht Wiesbaden HRB 25915 
Geschäftsführer: Nicholas Bray, Wolfgang Hilpert, Pino von Kienlin, Jennifer 
Onslow

Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-22 Thread Heiko Hund 
On Tuesday 20 October 2015 22:12:06 Selva Nair wrote:
> The interactive service (based on a quick scan through the code) looks to
> be very useful on a desktop with a single user, allowing the GUI and openvpn
> to run with user privileges. I hope the "windows team" would soon start
> working on making the GUI to work with this new service :)

See, that's the current problem with the OpenVPN Windows things. Too many
people relying on other - non existing - people to do the work. That's why we
did not really get anywhere with the interactive service.

> But a sever admin would not want it in the system as it can allow any user
> with some VPN server account to change the routes etc using the
> service..(please correct me if I'm mistaken).

If you do not make the configuration directory writable to anyone, then you're
fine. IIRC the GUI has an command line option that would need to be changed in
order to disable loading of arbitrary configs. Besides that the concept is
waterproof.

Heiko


Sophos Technology GmbH, Amalienbadstraẞe 41/Bau 52, D-76227 Karlsruhe, 
Deutschland
Tel +49 (0)721 25516 0 Fax +49 (0)721 25516 200 E-Mail i...@sophos.de 
www.sophos.de
Sitz der Gesellschaft: Karlsruhe, Amtsgericht Mannheim HRB 712658
Geschäftsführer: Nicholas Bray, Pino von Kienlin, Wolfgang Hilpert, Jennifer 
Onslow.
Sophos GmbH, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Deutschland
Tel +49 (0) 611 5858-0 Fax +49 (0) 611 5858-1042 E-Mail i...@sophos.de 
www.sophos.de
Sitz der Gesellschaft: Wiesbaden, Amtsgericht Wiesbaden HRB 25915 
Geschäftsführer: Nicholas Bray, Wolfgang Hilpert, Pino von Kienlin, Jennifer 
Onslow

Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

2015-10-22 Thread Selva Nair 
Hi,

On Wed, Oct 21, 2015 at 7:54 AM, Morris, Russell 
wrote:

> Hi,
>
> Lots of discussion on this - awesome to see! Perhaps a dumb question, but
> I can see a few different ways to go on this, as I see comments about
> services, applications, etc. ... so a couple thoughts,
> - is the intention to run a service (like NSSM?) that keeps openvpn.exe
> "alive" (restarting it as necessary), so it's always up and running? I
> admit, I somewhat like this approach, one running application for each
> config file. Then control it through the management interface. Or,
>

All said and done, I still think this is the best approach. This is also
the current approach except that the service (non-NSSM) is "crappy" and the
"official" GUI cant do much through MI if openvpn is started by the
service.  I'm saying this only based on the docs, may be the latest code is
already capable of doing this with some coaxing.

My current work-around is to use the MI-GUI and pray/hope for the service
not to crash. I only run one server on 2008R2 and a few single user desktop
clients with MI-GUI on Windows 7. This has worked well so far, but with few
users.


> - do folks prefer to have "control application" bring openvpn.exe up and
> down? I have tried this, and it's a bit messy, but it is functional also.
>

Not sure how that works and what problems it would solve. For me the main
needs are (i) a reliable way of daemonizing openvpn and keep it running on
Windows (for servers and clients) and (ii) a way to run the GUI with user
privileges. Both could be solved by NSSM + an improved GUI that speaks the
MI.


>
> Thoughts?
>
> I do believe there may also be TAP related stability issues, but that may
> be an artifact of openvpn.exe crashing - I guess the first step is to get
> openvpn.exe stable?
>

I have seldom seen openvpn.exe crash -- its more like it just exits because
of bad directives in a config file or a missing certificate/key etc.  The
problem is with the service -- a single bad config can stop it from loading
others. It sometimes goes into a weird state which can be recovered only by
a restart. It also lacks features like adding a new configs without
affecting running instances. I hear it doesn't work on Windows 10, but I
haven't tried.

So, a stable service (or NSSM) and an improved GUI for desktop clients are
needed. NSSM has many advantages in this regard as each instance is
independent of the other (is n't it?). I am not that excited about the
interactive service which lets openvpn.exe run as user but lets users push
configs. And it cant handle non-interactive uses.

In my view configs should be registered only with admin privilege, not
arbitrarily pushed by any user -- this applies to desktops and servers.
Only for day to day activities of starting and stopping a connection one
wants to avoid the "run as admin" requirement.. Running only the GUI as
user through the MI serves that purpose and looks a safer option than the
interactive service.

Thanks,

Selva

Re: [Openvpn-devel] Fw: Easy-RSA3.0.0 Windows Version batch file missing

2015-10-22 Thread debbie10t 

Apologies for the "You must be" comment ..

- Original Message - 
From: 

To: "Eric Crist" 
Cc: 
Sent: Wednesday, October 21, 2015 11:31 PM
Subject: Re: [Openvpn-devel] Fw: Easy-RSA3.0.0 Windows Version batch file 
missing




Hi // You must be

- Original Message - 
From: "Eric Crist" 

To: 
Cc: 
Sent: Tuesday, September 22, 2015 1:05 PM
Subject: Re: [Openvpn-devel] Fw: Easy-RSA3.0.0 Windows Version batch file 
missing


http://sourceforge.net/p/openvpn/mailman/message/34480727/

https://forums.openvpn.net/topic19629.html

It has only been one month.

http://sourceforge.net/p/openvpn/mailman/message/34556607/