Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
Hi,

On Thu, Oct 22, 2015 at 3:58 PM, Morris, Russell wrote:
> Hi,
>
> Just checked - yep, 9.0.0.21. It seems to be from 2014 though?
>
> And to the other email I just sent (that seemed to bounce?),
>

Probably my mistake, in one of the posts I changed the address from devel to users unintentionally..

> Yes, this is a Windows 7 machine. I think the issue is standby / network
> change related. In particular, standby / resume seems to cause a lot of
> grief. I also run on a desktop, not near as many (or really any) issues.
> But standby / resume -> crash!
>
> FYI, just had this exact issue, 1 minute ago. Got an OpenVPN connection,
> but no IP address (DHCP). Killed openvpn, disable / enable TAP, start
> openvpn and reconnect -> life is good again. Pretty reliable to make this
> happen … .
>

Our home laptop goes from sleep to resume all the time without major issues. But we are not connecting to any public servers -- private servers that run on a fixed IP and port, no DHCP, so maybe that is one difference?

We have one Windows 7 laptop in a really really remote location that is set to stay connected all the time.. The local network at that site crashes at least twice a day and still the VPN comes back every time the network is back. It's set not to sleep, so more like a desktop, but it does occasionally move from one site to another. Considering the remoteness of the location and the flakiness of the remote network I have been more than impressed by the way openvpn has served us for the last 3 years.

But roaming is something I haven't tested much at all. When users travel they do get connectivity from hotels etc., so that kind of "network change" works well too.

> Perhaps some more detailed logs to debug?
>

Sure, would help.

Regards,

Selva
Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
Hi,

Just checked - yep, 9.0.0.21. It seems to be from 2014 though?

And to the other email I just sent (that seemed to bounce?),

Yes, this is a Windows 7 machine. I think the issue is standby / network change related. In particular, standby / resume seems to cause a lot of grief. I also run on a desktop, not near as many (or really any) issues. But standby / resume -> crash!

FYI, just had this exact issue, 1 minute ago. Got an OpenVPN connection, but no IP address (DHCP). Killed openvpn, disable / enable TAP, start openvpn and reconnect -> life is good again. Pretty reliable to make this happen … .

Perhaps some more detailed logs to debug?

Thanks,

... Russell

-----Original Message-----
From: Jan Just Keijser [mailto:janj...@nikhef.nl]
Sent: Thursday, October 22, 2015 2:37 PM
To: Morris, Russell; Gert Doering
Cc: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

Hi,

On 22-Oct-15 20:28, Morris, Russell wrote:
> Hi,
>
> 90% sure it's I60x ... but I installed it a little bit ago, and didn't keep
> the installer. Is there an easy way to check (to be 100% sure, so I don't
> accidentally lie to you)?
>
try looking in the list of installed programs

  Control Panel -> Programs and Features

Otherwise, look at the driver file for the tun adapter (tap0901.sys); I've got the 060x version installed and it has version 9.0.0.21 ; I am not entirely sure but I think the 010x version has a different (lower) version number.

HTH,

JJK

>
>
> -----Original Message-----
> From: Gert Doering [mailto:g...@greenie.muc.de]
> Sent: Thursday, October 22, 2015 1:25 PM
> To: Morris, Russell
> Cc: Gert Doering ; Heiko Hund ; openvpn-devel@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
>
> Hi,
>
> On Thu, Oct 22, 2015 at 06:22:02PM +, Morris, Russell wrote:
>> Actually, I already have nobind in my config file (and am running v2.3.8). I
>> tend to see 2 errors,
>> - CONNECTION, but with ERROR (TAP adapter hung, have to close openvpn.exe,
>> disable / enable TAP, restart openvpn.exe)
>> - TAP adapter exited
>
> Is this the old or new tap adapter? (Windows installers I60x or I00x?)
>
> gert
Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
Hi,

On 22-Oct-15 20:28, Morris, Russell wrote:
> Hi,
>
> 90% sure it's I60x ... but I installed it a little bit ago, and didn't keep
> the installer. Is there an easy way to check (to be 100% sure, so I don't
> accidentally lie to you)?
>
try looking in the list of installed programs

  Control Panel -> Programs and Features

Otherwise, look at the driver file for the tun adapter (tap0901.sys); I've got the 060x version installed and it has version 9.0.0.21 ; I am not entirely sure but I think the 010x version has a different (lower) version number.

HTH,

JJK

>
> -----Original Message-----
> From: Gert Doering [mailto:g...@greenie.muc.de]
> Sent: Thursday, October 22, 2015 1:25 PM
> To: Morris, Russell
> Cc: Gert Doering ; Heiko Hund ; openvpn-devel@lists.sourceforge.net
> Subject: Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
>
> Hi,
>
> On Thu, Oct 22, 2015 at 06:22:02PM +, Morris, Russell wrote:
>> Actually, I already have nobind in my config file (and am running v2.3.8). I
>> tend to see 2 errors,
>> - CONNECTION, but with ERROR (TAP adapter hung, have to close openvpn.exe,
>> disable / enable TAP, restart openvpn.exe)
>> - TAP adapter exited
>
> Is this the old or new tap adapter? (Windows installers I60x or I00x?)
>
> gert
[Openvpn-devel] Fwd: Creating a Windows team for OpenVPN?
Hi,

On Thu, Oct 22, 2015 at 1:44 AM, Heiko Hund wrote:
> On Tuesday 20 October 2015 22:12:06 Selva Nair wrote:
>
> > But a server admin would not want it in the system as it can allow any user
> > with some VPN server account to change the routes etc using the
> > service..(please correct me if I'm mistaken).
>
> If you do not make the configuration directory writable to anyone, then you're
> fine. IIRC the GUI has a command line option that would need to be changed in
> order to disable loading of arbitrary configs. Besides that the concept is
> waterproof.

If configs can be locked down by admin, I don't see how a GUI cmd line option can unprotect it. But, anyway, such details don't matter for this discussion at this stage.

> Besides that the concept is waterproof.

If it's possible to do privilege separation without unpleasant side effects, that is great news and I'll take back my remarks against the interactive service. Then one service could be made to work for both "automatic" and interactive uses.

Selva
Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
Hi,

90% sure it's I60x ... but I installed it a little bit ago, and didn't keep the installer. Is there an easy way to check (to be 100% sure, so I don't accidentally lie to you)?

Thanks!

... Russell

-----Original Message-----
From: Gert Doering [mailto:g...@greenie.muc.de]
Sent: Thursday, October 22, 2015 1:25 PM
To: Morris, Russell
Cc: Gert Doering ; Heiko Hund ; openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

Hi,

On Thu, Oct 22, 2015 at 06:22:02PM +, Morris, Russell wrote:
> Actually, I already have nobind in my config file (and am running v2.3.8). I
> tend to see 2 errors,
> - CONNECTION, but with ERROR (TAP adapter hung, have to close openvpn.exe,
> disable / enable TAP, restart openvpn.exe)
> - TAP adapter exited

Is this the old or new tap adapter? (Windows installers I60x or I00x?)

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
Hi,

On Thu, Oct 22, 2015 at 06:22:02PM +, Morris, Russell wrote:
> Actually, I already have nobind in my config file (and am running v2.3.8). I
> tend to see 2 errors,
> - CONNECTION, but with ERROR (TAP adapter hung, have to close openvpn.exe,
> disable / enable TAP, restart openvpn.exe)
> - TAP adapter exited

Is this the old or new tap adapter? (Windows installers I60x or I00x?)

gert
Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
Hi,

Actually, I already have nobind in my config file (and am running v2.3.8). I tend to see 2 errors,
- CONNECTION, but with ERROR (TAP adapter hung, have to close openvpn.exe, disable / enable TAP, restart openvpn.exe)
- TAP adapter exited

Thanks,

... Russell

-----Original Message-----
From: Gert Doering [mailto:g...@greenie.muc.de]
Sent: Thursday, October 22, 2015 12:37 PM
To: Morris, Russell
Cc: Gert Doering ; Heiko Hund ; openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

Hi,

On Thu, Oct 22, 2015 at 04:43:05PM +, Morris, Russell wrote:
> Sorry, catching up, but to the comments previously ... I do see openvpn.exe
> crash quite regularly. I run it on a laptop, sleeping / resuming and moving
> from wired to wireless (and) back quite a bit. These tend to break
> openvpn.exe, and in some cases can hang the TAP adapter also ... :-(.

Try without local bind (--nobind in the client config)... That should even give you seamless roaming without losing your tunnel if the server is new enough to support peer-id (git master, no older than about half a year).

gert
[Openvpn-devel] [PATCH applied] Re: Replace variable length array with malloc
ACK. Looks sane and is totally in line with coding conventions :-) - and very useful to actually have a gc around!

Your patch has been applied to the master branch.

commit 41e4b67a229e774ebc57a882c386e10d80e10e7e
Author: Lev Stipakov
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Wed Oct 21 10:13:26 2015 +0300

     Replace variable length array with malloc

     Signed-off-by: Lev Stipakov
     Acked-by: Gert Doering
     Message-Id: <1445411606-13369-1-git-send-email-lstipa...@gmail.com>
     URL: http://article.gmane.org/gmane.network.openvpn.devel/10344
     Signed-off-by: Gert Doering

--
kind regards,

Gert Doering
[Openvpn-devel] [PATCH applied] Re: openssl: remove usage of OPENSSL_malloc() from show_available_curves
Your patch has been applied to the master branch.

commit 470eb8b6b6a9970a68cb17a185359adffbaeabf5
Author: Steffan Karger
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Wed Oct 21 00:39:04 2015 +0200

     openssl: remove usage of OPENSSL_malloc() from show_available_curves

     Signed-off-by: Steffan Karger
     Acked-by: Lev Stipakov
     Message-Id: <1445380744-21086-1-git-send-email-stef...@karger.me>
     URL: http://article.gmane.org/gmane.network.openvpn.devel/10339
     Signed-off-by: Gert Doering

--
kind regards,

Gert Doering
[Openvpn-devel] [PATCH applied] Re: Fix memory leak in auth-pam plugin
Your patch has been applied to the master and release/2.3 branch.

commit cfc13b38bc6504b9768e4cc43311807d6b074672 (master)
commit 6a5e978085cc721bb09796ab44d77c3142b5f78b (release/2.3)
Author: Steffan Karger
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Wed Oct 21 00:38:26 2015 +0200

     Fix memory leak in auth-pam plugin

     Signed-off-by: Steffan Karger
     Acked-by: Lev Stipakov
     Message-Id: <1445380706-20864-1-git-send-email-stef...@karger.me>
     URL: http://article.gmane.org/gmane.network.openvpn.devel/10338
     Signed-off-by: Gert Doering

--
kind regards,

Gert Doering
[Openvpn-devel] [PATCH applied] Re: Generate openvpn-plugin.h for MSVC build
ACK. I have no idea what it does in particular, but as it does only touch files for MSVC build and this basically affects only you and (possibly) James, I just trust you :-)

Your patch has been applied to the master branch.

commit dd8d351dbc92ede6726b7090ed4eceb9b95318c6
Author: Lev Stipakov
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Thu Oct 22 10:51:22 2015 +0300

     Generate openvpn-plugin.h for MSVC build

     Signed-off-by: Lev Stipakov
     Acked-by: Gert Doering
     Message-Id: <1445500282-23129-1-git-send-email-lstipa...@gmail.com>
     URL: http://article.gmane.org/gmane.network.openvpn.devel/10360
     Signed-off-by: Gert Doering

--
kind regards,

Gert Doering
Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
Hi,

On Thu, Oct 22, 2015 at 04:43:05PM +, Morris, Russell wrote:
> Sorry, catching up, but to the comments previously ... I do see openvpn.exe
> crash quite regularly. I run it on a laptop, sleeping / resuming and moving
> from wired to wireless (and) back quite a bit. These tend to break
> openvpn.exe, and in some cases can hang the TAP adapter also ... :-(.

Try without local bind (--nobind in the client config)... That should even give you seamless roaming without losing your tunnel if the server is new enough to support peer-id (git master, no older than about half a year).

gert
Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
Sorry, catching up, but to the comments previously ... I do see openvpn.exe crash quite regularly. I run it on a laptop, sleeping / resuming and moving from wired to wireless (and) back quite a bit. These tend to break openvpn.exe, and in some cases can hang the TAP adapter also ... :-(.

Thanks,

... Russell

-----Original Message-----
From: Gert Doering [mailto:g...@greenie.muc.de]
Sent: Thursday, October 22, 2015 2:50 AM
To: Heiko Hund
Cc: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] Creating a Windows team for OpenVPN?

Hi,

On Thu, Oct 22, 2015 at 07:49:45AM +0200, Heiko Hund wrote:
> On Tuesday 20 October 2015 14:01:33 Samuli Seppänen wrote:
> > My NSSM-based replacement thingie aims to address all these
> > shortcomings. I believe the interactive service and NSSM are complementary.
>
> Or we extend the GUI to make it start tunnels automatically on startup, then
> the additional service is no longer needed, is it?

I've heard people ask for "we need the VPN to be up before user login so windows domain login works!" - so the GUI won't be around yet.

Now, not being a windows person and not running this domain stuff I'm not sure if there are other ways to achieve that - but this is what has been told to me...

gert
Re: [Openvpn-devel] [PATCH] Use adapter index instead of name
Hi,

On Thu, Oct 22, 2015 at 07:16:57PM +0300, ValdikSS ValdikSS wrote:
> Actually, we should have used indexes and not interface names from the
> beginning.

This particular code was out there for review and comments for a few years now...

gert
Re: [Openvpn-devel] [PATCH] Use adapter index instead of name
I like this index approach. Actually, we should have used indexes and not interface names from the beginning.

Original Message
From: Gert Doering
Sent: Thursday, 22 October 2015 18:26
To: Lev Stipakov
Cc: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] [PATCH] Use adapter index instead of name

Hi,

On Thu, Oct 22, 2015 at 05:29:54PM +0300, Lev Stipakov wrote:
> > And with interface indexes, it works all the time?
>
> We have tested it on a few machines which previously have had this
> problem and this patch has fixed that. We will test it for larger
> audience in near future and report results.

As a side note: the new IPv6 "redirect gateway ipv6" stuff also only uses adapter indexes, so I'm pretty confident that "install route and ifconfig via adapter index" is a good approach (if only to avoid spaces and national characters on the command line :-) ) - I was mainly wondering whether there is any case when the get_adapter_index() could fail on us...

Going to "ifindex only" will actually make the route.c code in master less complex, as it has to deal with name-or-index today.

gert
Re: [Openvpn-devel] [PATCH] Use adapter index instead of name
Hi,

On Thu, Oct 22, 2015 at 05:29:54PM +0300, Lev Stipakov wrote:
> > And with interface indexes, it works all the time?
>
> We have tested it on a few machines which previously have had this
> problem and this patch has fixed that. We will test it for larger
> audience in near future and report results.

As a side note: the new IPv6 "redirect gateway ipv6" stuff also only uses adapter indexes, so I'm pretty confident that "install route and ifconfig via adapter index" is a good approach (if only to avoid spaces and national characters on the command line :-) ) - I was mainly wondering whether there is any case when the get_adapter_index() could fail on us...

Going to "ifindex only" will actually make the route.c code in master less complex, as it has to deal with name-or-index today.

gert
Re: [Openvpn-devel] [PATCH] Use adapter index instead of name
Hi,

On Thu, Oct 22, 2015 at 03:24:53PM +0100, David Woodhouse wrote:
> I don't understand why you're feeding get_adapter_index_method_1() a
> GUID prefixed with \DEVICE\TCPIP_ instead of a name, either, since the
> MSDN documentation for GetAdapterIndex() suggests that it takes the
> interface name. Hey, maybe that's why it didn't work and you had to
> invent a new method? Maybe I'm best not looking at your code at all :)

I have *so* no idea... this code is all much older than my involvement here :-) - but the method_2 approach looks halfway sane.

> But still, I'm not booting Windows today. Not for all the tea in China.

Cross-compiling indeed only gets one half-way here...

gert
Re: [Openvpn-devel] [PATCH] Use adapter index instead of name
Hi *,

On 22/10/15 16:24, David Woodhouse wrote:
> On Thu, 2015-10-22 at 16:17 +0200, Gert Doering wrote:
> > Hi,
> >
> > On Thu, Oct 22, 2015 at 03:09:57PM +0100, David Woodhouse wrote:
> > > So Olli and Lev would appear to be saying. For OpenConnect I haven't
> > > actually tested this hypothesis. Unfortunately I'd need to reimplement
> > > the get_adapter_index stuff under LGPL first...
> >
> > Looking at our tun.c I wish I hadn't done that... but it seems that
> > using GetAdaptersinfo() should get you pretty far (which is what
> > get_adapter_index_method_2() uses under the hood)...
> >
> > But indeed, this direction seems to be non trivial...
>
> It's not *that* hard. But I need to properly *understand* the how to do
> it so that I can write my own version from scratch and make 100% sure
> I'm not committing any cut-and-paste crimes, even via eyes and fingers
> and keyboard.
>
> And that means I need to understand the logic behind the two different
> get_adapter_index_methods, which is notably absent from the 2005 commit
> message which added get_adapter_index_method_2().
>
> I don't understand why you're feeding get_adapter_index_method_1() a
> GUID prefixed with \DEVICE\TCPIP_ instead of a name, either, since the
> MSDN documentation for GetAdapterIndex() suggests that it takes the
> interface name. Hey, maybe that's why it didn't work and you had to
> invent a new method? Maybe I'm best not looking at your code at all :)
>
> But still, I'm not booting Windows today. Not for all the tea in China.

history, most likely. Before Vista the recommended way to develop and use a Windows driver was the TDI (Transport Driver Interface). Read e.g.
  http://codemachine.com/article_tdi.html
for some details. It might be worthwhile to investigate if we can safely drop all TDI stuff and use a more modern interface, but then again, if you read stuff like this (from the site listed):

"Starting with Windows Vista, Microsoft has made several attempts to remove the support for TDI drivers from the operating system. This would have resulted in all legacy TDI clients and TDI filters becoming non-functional on subsequent versions of Windows. Although industry pressure on Microsoft has prevented this from happening so far, it is bound to happen eventually. Since TDI is on the path of deprecation, the windows networking stack provides new technologies that replace TDI, which developers are encouraged to adopt. Drivers on Vista and later versions of Windows that need to implement TDI client functionality should use the Windows Socket Kernel (WSK) interface and drivers that need to implement TDI filtering functionality should use Windows Filtering Platform (WFP) interface. Due to the re-architecture of the networking stack in Vista, TDI is no longer the interface that AFD.sys uses to communicate with TCPIP.sys. Instead, AFD.sys uses a new undocumented interface called Transport Layer Network Provider Interface (TLNPI) to communicate with TCPIP.sys. However, in order to support legacy TDI clients and TDI filters, Microsoft provides a new driver called TDX.sys, which internally use TLNPI to communicate with TCPIP.sys. It also creates all the device objects that TCPIP used to create, in order to maintain backward compatibility with legacy TDI drivers. The figure below shows the relationship between the components mentioned above on Vista and later versions of Windows. When Windows detects the presence of TDI filter in the system, all traffic between AFD.sys and TCPIP.sys is automatically routed through the TDX driver. The TDX driver makes use of the TDI API in TDI.sys and uses the Network Module Registrar (NMR) API in NETIO.sys to implement its functionality. TDX is supported on Vista, Server 2008 and Windows 7. TDX handles TDI requests from legacy TDI drivers and maps them to TLNPI calls."

then I also no longer want to boot Windows anymore ;)

JJK
Re: [Openvpn-devel] [PATCH] Use adapter index instead of name
Hello,

> And with interface indexes, it works all the time?

We have tested it on a few machines which previously have had this problem and this patch has fixed that. We will test it for larger audience in near future and report results.

-Lev

On 22.10.2015 16.59, Gert Doering wrote:
> hi,
>
> On Thu, Oct 22, 2015 at 02:55:44PM +0100, David Woodhouse wrote:
> > > So what is the underlying issue here? Non-ASCII characters in the
> > > device name ("this *should* have been fixed a few releases ago")?
> >
> > No, and not spaces (despite the vpn.ccrypto.org link above suggesting
> > that it is).
>
> Spaces are known to not cause issues ("I do test things" :-) ).
>
> > The issue is not known. Seriously, "because Windows".
> >
> > Renaming the interface, and then renaming it back to precisely what it
> > was before, and doing registry dumps and checking that things really
> > *are* just the same as they were before, is sufficient to fix it.
>
> Urgh.
>
> And with interface indexes, it works all the time? In that case, we'll
> just change over... (the new rgi6 stuff uses interface indexes for
> routing anyway)
>
> ((meh, git master really is different from 2.3 code here...))
>
> gert
Re: [Openvpn-devel] [PATCH] Use adapter index instead of name
On Thu, 2015-10-22 at 16:17 +0200, Gert Doering wrote:
> Hi,
>
> On Thu, Oct 22, 2015 at 03:09:57PM +0100, David Woodhouse wrote:
> > So Olli and Lev would appear to be saying. For OpenConnect I haven't
> > actually tested this hypothesis. Unfortunately I'd need to reimplement
> > the get_adapter_index stuff under LGPL first...
>
> Looking at our tun.c I wish I hadn't done that... but it seems that
> using GetAdaptersinfo() should get you pretty far (which is what
> get_adapter_index_method_2() uses under the hood)...
>
> But indeed, this direction seems to be non trivial...

It's not *that* hard. But I need to properly *understand* the how to do it so that I can write my own version from scratch and make 100% sure I'm not committing any cut-and-paste crimes, even via eyes and fingers and keyboard.

And that means I need to understand the logic behind the two different get_adapter_index_methods, which is notably absent from the 2005 commit message which added get_adapter_index_method_2().

I don't understand why you're feeding get_adapter_index_method_1() a GUID prefixed with \DEVICE\TCPIP_ instead of a name, either, since the MSDN documentation for GetAdapterIndex() suggests that it takes the interface name. Hey, maybe that's why it didn't work and you had to invent a new method? Maybe I'm best not looking at your code at all :)

But still, I'm not booting Windows today. Not for all the tea in China.

--
dwmw2
Re: [Openvpn-devel] [PATCH] Use adapter index instead of name
Hi,

On Thu, Oct 22, 2015 at 03:09:57PM +0100, David Woodhouse wrote:
> So Olli and Lev would appear to be saying. For OpenConnect I haven't
> actually tested this hypothesis. Unfortunately I'd need to reimplement
> the get_adapter_index stuff under LGPL first...

Looking at our tun.c I wish I hadn't done that... but it seems that using GetAdaptersinfo() should get you pretty far (which is what get_adapter_index_method_2() uses under the hood)...

But indeed, this direction seems to be non trivial...

gert
Re: [Openvpn-devel] [PATCH] Use adapter index instead of name
On Thu, 2015-10-22 at 15:59 +0200, Gert Doering wrote:
> hi,
>
> On Thu, Oct 22, 2015 at 02:55:44PM +0100, David Woodhouse wrote:
> > > So what is the underlying issue here? Non-ASCII characters in the
> > > device name ("this *should* have been fixed a few releases ago")?
> >
> > No, and not spaces (despite the vpn.ccrypto.org link above suggesting
> > that it is).
>
> Spaces are known to not cause issues ("I do test things" :-) ).

I have a Windows VM somewhere with an interface named 'TAP ♥' :)

> > The issue is not known. Seriously, "because Windows".
> >
> > Renaming the interface, and then renaming it back to precisely what it
> > was before, and doing registry dumps and checking that things really
> > *are* just the same as they were before, is sufficient to fix it.
>
> Urgh.
>
> And with interface indexes, it works all the time?

So Olli and Lev would appear to be saying. For OpenConnect I haven't actually tested this hypothesis. Unfortunately I'd need to reimplement the get_adapter_index stuff under LGPL first...

--
dwmw2
Re: [Openvpn-devel] [PATCH] Use adapter index instead of name
hi,

On Thu, Oct 22, 2015 at 02:55:44PM +0100, David Woodhouse wrote:
> > So what is the underlying issue here? Non-ASCII characters in the
> > device name ("this *should* have been fixed a few releases ago")?
>
> No, and not spaces (despite the vpn.ccrypto.org link above suggesting
> that it is).

Spaces are known to not cause issues ("I do test things" :-) ).

> The issue is not known. Seriously, "because Windows".
>
> Renaming the interface, and then renaming it back to precisely what it
> was before, and doing registry dumps and checking that things really
> *are* just the same as they were before, is sufficient to fix it.

Urgh.

And with interface indexes, it works all the time? In that case, we'll just change over... (the new rgi6 stuff uses interface indexes for routing anyway)

((meh, git master really is different from 2.3 code here...))

gert
Re: [Openvpn-devel] [PATCH] Use adapter index instead of name
On Thu, 2015-10-22 at 15:51 +0200, Gert Doering wrote:
> Hi,
>
> On Thu, Oct 22, 2015 at 04:47:56PM +0300, Olli Männistö wrote:
> > Many VPN providers like us experience these issues and have to give users
> > workarounds to fix it. Here are couple of examples:
> > https://community.f-secure.com/t5/F-Secure/After-a-Windows-10-upgrade/ta-p/72732
> > https://forum.hidemyass.com/index.php/topic/18331-connection-problem/
> > https://vpn.ccrypto.org/page/install-windows
> >
> > There is also workaround on Microsoft Technet forum
> > (https://social.technet.microsoft.com/Forums/windowsserver/en-US/bb73aa66-34c3-49c2-8a2d-def03ee03902/element-not-found-error-when-trying-to-define-static-ipv6-route?forum=ipv6)
> > to use index instead of adapter name. If it's reliable that we always get
> > the index figured out it doesn't need to have fallback to use adapter name.
> > In our testing it seems to work well with index and fix the described issue.
>
> So what is the underlying issue here? Non-ASCII characters in the
> device name ("this *should* have been fixed a few releases ago")?

No, and not spaces (despite the vpn.ccrypto.org link above suggesting that it is).

The issue is not known. Seriously, "because Windows".

Renaming the interface, and then renaming it back to precisely what it was before, and doing registry dumps and checking that things really *are* just the same as they were before, is sufficient to fix it.

--
dwmw2
Re: [Openvpn-devel] [PATCH] Use adapter index instead of name
Hi,

On Thu, Oct 22, 2015 at 04:47:56PM +0300, Olli Männistö wrote:
> Many VPN providers like us experience these issues and have to give users
> workarounds to fix it. Here are couple of examples:
> https://community.f-secure.com/t5/F-Secure/After-a-Windows-10-upgrade/ta-p/72732
> https://forum.hidemyass.com/index.php/topic/18331-connection-problem/
> https://vpn.ccrypto.org/page/install-windows
>
> There is also workaround on Microsoft Technet forum
> (https://social.technet.microsoft.com/Forums/windowsserver/en-US/bb73aa66-34c3-49c2-8a2d-def03ee03902/element-not-found-error-when-trying-to-define-static-ipv6-route?forum=ipv6)
> to use index instead of adapter name. If it's reliable that we always get
> the index figured out it doesn't need to have fallback to use adapter name.
> In our testing it seems to work well with index and fix the described issue.

So what is the underlying issue here? Non-ASCII characters in the device name ("this *should* have been fixed a few releases ago")?

Note that the technet forum talks about ipv6 *route*, not "set address", and this is not part of your patch...

gert
Re: [Openvpn-devel] [PATCH] Use adapter index instead of name
On Thu, 2015-10-22 at 15:26 +0200, Gert Doering wrote:
>
> NAK on that - it's extra code, another "two branches that need testing"
> addition, and I have not seen any mention of these "weird issues" yet -
> so please explain the problem scenario better.
>
> (I might be happy to go for "use adapter index, always!", but I really
> *really* do not want "try this, fall back to that!" unless it's well
> understood why this is needed).
>
> Also, I wonder why this is not needed for route addition if it's needed
> for ip address setting..

Because Windows. You don't get to *understand*; you just get to work around the brokenness. And drink.

I've had reports of something similar happening with OpenConnect on a German Windows installation too. At
http://lists.infradead.org/pipermail/openconnect-devel/2015-June/003033.html
is a log showing the interface name failing for some operations, and working for others:

2015-06-17 10:48 executing: netsh interface ipv4 set subinterface "Ethernet 2" mtu=1342 store=active
2015-06-17 10:48 Element nicht gefunden.
2015-06-17 10:48 Configuring "Ethernet 2" interface for Legacy IP...
2015-06-17 10:48 executing: netsh interface ip set address "Ethernet 2" static 137.248.72.208 255.255.255.0
2015-06-17 10:48 Element nicht gefunden.
2015-06-17 10:48 executing: netsh interface ip add wins "Ethernet 2" 192.168.16.26 index=1
2015-06-17 10:48 executing: netsh interface ip add dns "Ethernet 2" 137.248.1.5 index=1
2015-06-17 10:48 executing: netsh interface ip add dns "Ethernet 2" 137.248.21.22 index=2
2015-06-17 10:48 done.

Besides, route addition doesn't use the network interface name on Windows, does it?

FWIW the reporting user said that *renaming* the interface would make the problem go away:
http://lists.infradead.org/pipermail/openconnect-devel/2015-July/003088.html

--
dwmw2
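The log quoted in the message above can be triaged mechanically, which is useful when a support report contains dozens of netsh invocations rather than five. The following is an added example, not code from this thread, from OpenConnect or from OpenVPN: it pairs every `executing: netsh ...` line with the output lines that follow it, records whether the interface argument was a double-quoted adapter name or a bare adapter index, and reports which calls produced "Element nicht gefunden." (the German-locale netsh text for "Element not found."). The sample log is the one quoted above plus one constructed `netsh interface ipv6 set address 12 ...` line so that both argument forms are exercised; the log line format, the English error string and that constructed line are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log: the lines quoted from the OpenConnect report, plus
# ONE constructed line (the ipv6 "set address 12" call) that addresses the
# adapter by index instead of by name, so both forms are exercised.
SAMPLE_LOG = """\
2015-06-17 10:48 executing: netsh interface ipv4 set subinterface "Ethernet 2" mtu=1342 store=active
2015-06-17 10:48 Element nicht gefunden.
2015-06-17 10:48 Configuring "Ethernet 2" interface for Legacy IP...
2015-06-17 10:48 executing: netsh interface ip set address "Ethernet 2" static 137.248.72.208 255.255.255.0
2015-06-17 10:48 Element nicht gefunden.
2015-06-17 10:48 executing: netsh interface ip add wins "Ethernet 2" 192.168.16.26 index=1
2015-06-17 10:48 executing: netsh interface ip add dns "Ethernet 2" 137.248.1.5 index=1
2015-06-17 10:48 executing: netsh interface ip add dns "Ethernet 2" 137.248.21.22 index=2
2015-06-17 10:48 executing: netsh interface ipv6 set address 12 2001:db8::d store=active
2015-06-17 10:48 done.
"""

# netsh prints localized error text. "Element nicht gefunden." is the German
# string seen in the report; the English form is assumed. Extend as needed.
NOT_FOUND_MARKERS = ("Element nicht gefunden.", "Element not found.")

TIMESTAMP = r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} "
EXEC_RE = re.compile(TIMESTAMP + r"executing: (?P<cmd>netsh .*)$")
# Client progress lines that are not netsh output (assumed format).
STATUS_RE = re.compile(TIMESTAMP + r"(Configuring |done\.)")
# The interface argument follows "netsh interface <ctx> <verb> <object>":
# either a double-quoted adapter name or a bare numeric adapter index.
IFACE_RE = re.compile(
    r'netsh interface \S+ (?:set|add|delete) \S+ '
    r'(?:"(?P<name>[^"]*)"|(?P<index>\d+)(?=\s|$))'
)


@dataclass
class NetshCall:
    command: str
    interface: str      # adapter name or index exactly as given on the command line
    uses_index: bool    # True when the adapter was addressed by numeric index
    output: list = field(default_factory=list)

    @property
    def failed(self) -> bool:
        return any(line.strip() in NOT_FOUND_MARKERS for line in self.output)


def parse_netsh_log(text: str) -> list:
    """Pair each 'executing: netsh ...' line with the output lines that follow it."""
    calls = []
    for line in text.splitlines():
        m = EXEC_RE.match(line)
        if m:
            cmd = m.group("cmd")
            im = IFACE_RE.search(cmd)
            if im is None:
                continue  # not an interface-addressing command; ignore it
            name, index = im.group("name"), im.group("index")
            calls.append(NetshCall(cmd, index if index is not None else name,
                                   index is not None))
        elif calls and not STATUS_RE.match(line):
            # Anything else is netsh output belonging to the most recent command.
            calls[-1].output.append(re.sub(TIMESTAMP, "", line))
    return calls


def failed_interface_names(calls) -> list:
    """Adapter *names* (not indexes) for which at least one netsh call failed."""
    return sorted({c.interface for c in calls if c.failed and not c.uses_index})


def summarize(text: str) -> dict:
    calls = parse_netsh_log(text)
    return {
        "total": len(calls),
        "failed": sum(1 for c in calls if c.failed),
        "failed_by_name": failed_interface_names(calls),
    }


if __name__ == "__main__":
    for c in parse_netsh_log(SAMPLE_LOG):
        print("FAIL" if c.failed else "ok  ",
              "index" if c.uses_index else "name ", c.command)
    print(summarize(SAMPLE_LOG))
```

On the quoted log this reports the two `set` calls as failed and the three `add` calls as successful, all addressing the adapter by name, which is exactly the "fails for some operations, works for others" pattern the message describes; a run that showed failures only for name-addressed calls and none for index-addressed ones would be the evidence Gert asks for before switching unconditionally to indexes.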
Re: [Openvpn-devel] [PATCH] Use adapter index instead of name
Hi,

On Thu, Oct 22, 2015 at 04:09:20PM +0300, Lev Stipakov wrote:
> From: Olli Mannisto
>
> Some Windows machines get weird issues with netsh when using
> adapter name on "netsh.exe interface ipv6 set address" command.
>
> Changed logic to get adapter index and use it instead of adapter
> name for netsh set address command. If unable to get adapter index,
> try with adapter name.

NAK on that - it's extra code, another "two branches that need testing"
addition, and I have not seen any mention of these "weird issues" yet -
so please explain the problem scenario better.

(I might be happy to go for "use adapter index, always!", but I really
*really* do not want "try this, fall back to that!" unless it's well
understood why this is needed).

Also, I wonder why this is not needed for route addition if it's needed
for ip address setting..

gert
-- 
USENET is *not* the non-clickable part of WWW!               //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
[Openvpn-devel] [PATCH] Use adapter index instead of name
From: Olli MannistoSome windows machines get weird issues with netsh when using adapter name on "netsh.exe interface ipv6 set address" command. Changed logic to get adapter index and use it instead of adapter name for netsh set address command. if unable to get adapter index, try with adapter name. Signed-off-by: Olli Mannisto Signed-off-by: Lev Stipakov --- src/openvpn/tun.c | 26 +++--- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 24a61ec..aa0278d 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -1301,18 +1301,30 @@ do_ifconfig (struct tuntap *tt, if ( do_ipv6 ) { char * saved_actual; + const DWORD idx = get_adapter_index_flexible(actual); if (!strcmp (actual, "NULL")) msg (M_FATAL, "Error: When using --tun-ipv6, if you have more than one TAP-Windows adapter, you must also specify --dev-node"); /* example: netsh interface ipv6 set address MyTap 2001:608:8003::d store=active */ - argv_printf (, - "%s%sc interface ipv6 set address %s %s store=active", -get_win_sys_path(), -NETSH_PATH_SUFFIX, -actual, -ifconfig_ipv6_local ); - +if (idx != TUN_ADAPTER_INDEX_INVALID) +{ +argv_printf (, +"%s%sc interface ipv6 set address %u %s store=active", + get_win_sys_path(), + NETSH_PATH_SUFFIX, + idx, + ifconfig_ipv6_local); +} +else +{ +argv_printf (, +"%s%sc interface ipv6 set address %s %s store=active", + get_win_sys_path(), + NETSH_PATH_SUFFIX, + actual, + ifconfig_ipv6_local); +} netsh_command (, 4); /* explicit route needed */ -- 1.9.1
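Review bot: in the `do_ipv6` block, `const DWORD idx = get_adapter_index_flexible(actual);` runs before the `if (!strcmp (actual, "NULL"))` check, so the lookup is attempted with the placeholder name "NULL" in exactly the case the next line rejects with M_FATAL; move the lookup below that check. The `else` branch falls back to the adapter name without any message when `idx == TUN_ADAPTER_INDEX_INVALID`, which hides the very failure this patch is meant to address; either log why the index could not be resolved before retrying, or drop the fallback and keep a single branch, as the NAK on the list asks. The two `argv_printf` calls differ only in `%u`/`%s` and `idx`/`actual`; formatting the interface argument into one string first would remove the duplicated command line. The comment above them, "netsh interface ipv6 set address MyTap 2001:608:8003::d store=active", still shows the name form, which is no longer what the primary branch issues, and the commit message should say why only the IPv6 `set address` command changes.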
[Openvpn-devel] [PATCH] Generate openvpn-plugin.h for MSVC build
openvpn-plugin.h was not generated for MSVC build since it has been removed from sources and made generated by configure script. This fix generates it for MSVC build and substitutes macros like @OPENVPN_VERSION_MAJOR@ with actual values. Signed-off-by: Lev Stipakov--- build/msvc/msvc-generate/Makefile.mak | 27 +-- build/msvc/msvc-generate/version.m4.in | 3 +++ 2 files changed, 24 insertions(+), 6 deletions(-) mode change 100755 => 100644 build/msvc/msvc-generate/Makefile.mak create mode 100644 build/msvc/msvc-generate/version.m4.in diff --git a/build/msvc/msvc-generate/Makefile.mak b/build/msvc/msvc-generate/Makefile.mak old mode 100755 new mode 100644 index 72415f1..be72643 100644 --- a/build/msvc/msvc-generate/Makefile.mak +++ b/build/msvc/msvc-generate/Makefile.mak 
@@ -1,13 +1,28 @@ # Copyright (C) 2008-2012 Alon Bar-Lev CONFIG=$(SOURCEBASE)/version.m4 -INPUT=$(SOURCEBASE)/config-msvc-version.h.in -OUTPUT=$(SOURCEBASE)/config-msvc-version.h -all: $(OUTPUT) +INPUT_MSVC_VER=$(SOURCEBASE)/config-msvc-version.h.in +OUTPUT_MSVC_VER=$(SOURCEBASE)/config-msvc-version.h -$(OUTPUT): $(INPUT) $(CONFIG) - cscript //nologo msvc-generate.js --config="$(CONFIG)" --input="$(INPUT)" --output="$(OUTPUT)" +INPUT_PLUGIN=$(SOURCEBASE)/include/openvpn-plugin.h.in +OUTPUT_PLUGIN=$(SOURCEBASE)/include/openvpn-plugin.h + +INPUT_PLUGIN_CONFIG=version.m4.in +OUTPUT_PLUGIN_CONFIG=version.m4 + +all: $(OUTPUT_MSVC_VER) $(OUTPUT_PLUGIN) + +$(OUTPUT_MSVC_VER): $(INPUT_MSVC_VER) $(CONFIG) + cscript //nologo msvc-generate.js --config="$(CONFIG)" --input="$(INPUT_MSVC_VER)" --output="$(OUTPUT_MSVC_VER)" + +$(OUTPUT_PLUGIN_CONFIG): $(INPUT_PLUGIN_CONFIG) + cscript //nologo msvc-generate.js --config="$(CONFIG)" --input="$(INPUT_PLUGIN_CONFIG)" --output="$(OUTPUT_PLUGIN_CONFIG)" + +$(OUTPUT_PLUGIN): $(INPUT_PLUGIN) $(OUTPUT_PLUGIN_CONFIG) + cscript //nologo msvc-generate.js --config="$(OUTPUT_PLUGIN_CONFIG)" --input="$(INPUT_PLUGIN)" --output="$(OUTPUT_PLUGIN)" clean: - -del "$(OUTPUT)" + -del "$(OUTPUT_MSVC_VER)" + -del "$(OUTPUT_PLUGIN)" + -del "$(OUTPUT_PLUGIN_CONFIG)" diff --git a/build/msvc/msvc-generate/version.m4.in b/build/msvc/msvc-generate/version.m4.in new file mode 100644 index 000..cbb4fef --- /dev/null +++ b/build/msvc/msvc-generate/version.m4.in @@ -0,0 +1,3 @@ +define([OPENVPN_VERSION_MAJOR], [@PRODUCT_VERSION_MAJOR@]) +define([OPENVPN_VERSION_MINOR], [@PRODUCT_VERSION_MINOR@]) +define([OPENVPN_VERSION_PATCH], [@PRODUCT_VERSION_PATCH@]) -- 1.9.1
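Review bot: in the Makefile.mak hunk, the rule `$(OUTPUT_PLUGIN_CONFIG): $(INPUT_PLUGIN_CONFIG)` does not list `$(CONFIG)` as a prerequisite even though its recipe reads it via `--config="$(CONFIG)"`, so after a version bump in `$(SOURCEBASE)/version.m4` the generated `version.m4` and with it `openvpn-plugin.h` keep stale OPENVPN_VERSION_* values until `clean` is run; add `$(CONFIG)` to that rule the way the `$(OUTPUT_MSVC_VER)` rule already does. The generated file is written next to its template under the same base name as `$(SOURCEBASE)/version.m4`, which is easy to confuse in diffs and must be kept out of version control; a distinct name such as `openvpn-plugin-version.m4` would avoid both problems. The `old mode 100755 / new mode 100644` change on Makefile.mak is not mentioned in the description and should either be noted there or split into its own commit.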
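Review bot: in the version.m4.in hunk, the three `define([OPENVPN_VERSION_...], [@PRODUCT_VERSION_...@])` lines only work because msvc-generate.js is run twice, once to substitute `@PRODUCT_VERSION_*@` from version.m4 into this file and once more with the result as `--config` for openvpn-plugin.h.in; nothing in the file or the commit message says so, and the commit message refers only to `@OPENVPN_VERSION_MAJOR@`. A short comment at the top of the template explaining the two-pass scheme, and that this is a template for a generated file rather than the project's own version.m4, would keep the next reader from editing the wrong file.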
Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
Hi,

On Thu, Oct 22, 2015 at 07:49:45AM +0200, Heiko Hund wrote:
> On Tuesday 20 October 2015 14:01:33 Samuli Seppänen wrote:
> > My NSSM-based replacement thingie aims to address all these
> > shortcomings. I believe the interactive service and NSSM are complementary.
>
> Or we extend the GUI to make it start tunnels automatically on startup, then
> the additional service is no longer needed, is it?

I've heard people ask for "we need the VPN to be up before user login so
windows domain login works!" - so the GUI won't be around yet.

Now, not being a windows person and not running this domain stuff I'm not
sure if there are other ways to achieve that - but this is what has been
told to me...

gert
-- 
USENET is *not* the non-clickable part of WWW!               //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
On Tuesday 20 October 2015 14:01:33 Samuli Seppänen wrote:
> My NSSM-based replacement thingie aims to address all these
> shortcomings. I believe the interactive service and NSSM are complementary.

Or we extend the GUI to make it start tunnels automatically on startup, then
the additional service is no longer needed, is it?

Heiko

Sophos Technology GmbH, Amalienbadstraße 41/Bau 52, D-76227 Karlsruhe, Germany
Tel +49 (0)721 25516 0 Fax +49 (0)721 25516 200 E-Mail i...@sophos.de www.sophos.de
Registered office: Karlsruhe, Amtsgericht Mannheim HRB 712658
Managing directors: Nicholas Bray, Pino von Kienlin, Wolfgang Hilpert, Jennifer Onslow.

Sophos GmbH, Gustav-Stresemann-Ring 1, 65189 Wiesbaden, Germany
Tel +49 (0) 611 5858-0 Fax +49 (0) 611 5858-1042 E-Mail i...@sophos.de www.sophos.de
Registered office: Wiesbaden, Amtsgericht Wiesbaden HRB 25915
Managing directors: Nicholas Bray, Wolfgang Hilpert, Pino von Kienlin, Jennifer Onslow
Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
On Tuesday 20 October 2015 22:12:06 Selva Nair wrote:
> The interactive service (based on a quick scan through the code) looks to
> be very useful on a desktop with a single user, allowing the GUI and openvpn
> to run with user privileges. I hope the "windows team" would soon start
> working on making the GUI work with this new service :)

See, that's the current problem with the OpenVPN Windows things. Too many
people relying on other - non-existing - people to do the work. That's why
we did not really get anywhere with the interactive service.

> But a server admin would not want it in the system as it can allow any user
> with some VPN server account to change the routes etc using the
> service.. (please correct me if I'm mistaken).

If you do not make the configuration directory writable to anyone, then
you're fine. IIRC the GUI has a command line option that would need to be
changed in order to disable loading of arbitrary configs. Besides that the
concept is waterproof.

Heiko
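The condition Heiko states above, that the configuration directory must not be writable to anyone but administrators, is something a server admin can verify rather than assume. The following is an added example, not code from the OpenVPN project or from anyone in this thread: it parses the ACL listing that `icacls <directory>` prints on Windows and reports every allow entry that grants a write-type right to a principal outside a small trusted set. The two `icacls` listings, the path `C:\Program Files\OpenVPN\config`, the trusted-principal set and the table of write-type rights are assumptions made for the example; adjust them to the installation being checked.

```python
"""Flag non-administrator write access on an OpenVPN config directory by
parsing `icacls` output. Added example; not OpenVPN project code."""

import re
import subprocess
import sys

# Constructed `icacls` listings (not captured from a real host). icacls prints
# the path and the first ACE on one line and indents the remaining ACEs.
SAMPLE_ICACLS_LOOSE = r"""C:\Program Files\OpenVPN\config NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                BUILTIN\Administrators:(OI)(CI)(F)
                                BUILTIN\Users:(OI)(CI)(RX)
                                BUILTIN\Users:(CI)(AD)
                                BUILTIN\Users:(CI)(WD)

Successfully processed 1 files; Failed processing 0 files
"""

SAMPLE_ICACLS_TIGHT = r"""C:\Program Files\OpenVPN\config NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                BUILTIN\Administrators:(OI)(CI)(F)
                                BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals allowed to hold write access on a system-owned config directory
# (assumption for the example; extend for a specific deployment).
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
           "NT SERVICE\\TrustedInstaller"}

# icacls simple rights and specific rights that allow creating, changing or
# deleting files: F/M/W and the generic forms, then the specific write bits.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW",
                "WD", "AD", "WA", "WEA", "DC", "DE", "WDAC", "WO"}

_ACE = re.compile(r"^(?P<who>.+?):(?P<rights>(?:\([^)]*\))+)\s*$")


def parse_icacls(path, output):
    """Return [(principal, rights-string), ...] for each ACE in icacls output."""
    prefix = path + " "
    aces = []
    for line in output.splitlines():
        if line.startswith(prefix):       # first line: "<path> <first ACE>"
            line = line[len(prefix):]
        m = _ACE.match(line.strip())
        if m:
            aces.append((m.group("who"), m.group("rights")))
    return aces


def writable_by_non_admins(path, output):
    """Return allow ACEs that give write-type rights to untrusted principals.

    Deny ACEs and inherit-only ACEs (IO) are skipped: the former remove
    access and the latter do not apply to the directory object itself.
    """
    findings = []
    for who, rights in parse_icacls(path, output):
        flags = set()
        for group in re.findall(r"\(([^)]*)\)", rights):
            flags.update(f.strip() for f in group.split(","))
        if who in TRUSTED or "DENY" in flags or "IO" in flags:
            continue
        if flags & WRITE_RIGHTS:
            findings.append((who, rights))
    return findings


def main():
    path = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files\OpenVPN\config"
    if sys.platform == "win32":
        output = subprocess.run(["icacls", path], capture_output=True,
                                encoding="oem", check=True).stdout
    else:
        output = SAMPLE_ICACLS_LOOSE  # offline: use the constructed listing
    findings = writable_by_non_admins(path, output)
    for who, rights in findings:
        print(f"write access for {who}: {rights}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

The loose listing is flagged for the two `BUILTIN\Users` entries that carry `(AD)` (add subdirectory) and `(WD)` (write data / add file), which is enough for an ordinary user to drop a new config into the directory; the tight listing, with `Users` limited to `(RX)`, passes. The exit status makes the check usable from a deployment script.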
Re: [Openvpn-devel] Creating a Windows team for OpenVPN?
Hi,

On Wed, Oct 21, 2015 at 7:54 AM, Morris, Russell wrote:
> Hi,
>
> Lots of discussion on this - awesome to see! Perhaps a dumb question, but
> I can see a few different ways to go on this, as I see comments about
> services, applications, etc. ... so a couple thoughts,
> - is the intention to run a service (like NSSM?) that keeps openvpn.exe
> "alive" (restarting it as necessary), so it's always up and running? I
> admit, I somewhat like this approach, one running application for each
> config file. Then control it through the management interface. Or,

All said and done, I still think this is the best approach. This is also the
current approach except that the service (non-NSSM) is "crappy" and the
"official" GUI can't do much through MI if openvpn is started by the service.
I'm saying this only based on the docs, maybe the latest code is already
capable of doing this with some coaxing.

My current work-around is to use the MI-GUI and pray/hope for the service
not to crash. I only run one server on 2008R2 and a few single user desktop
clients with MI-GUI on Windows 7. This has worked well so far, but with few
users.

> - do folks prefer to have "control application" bring openvpn.exe up and
> down? I have tried this, and it's a bit messy, but it is functional also.

Not sure how that works and what problems it would solve. For me the main
needs are (i) a reliable way of daemonizing openvpn and keeping it running on
Windows (for servers and clients) and (ii) a way to run the GUI with user
privileges. Both could be solved by NSSM + an improved GUI that speaks the MI.

> Thoughts?
>
> I do believe there may also be TAP related stability issues, but that may
> be an artifact of openvpn.exe crashing - I guess the first step is to get
> openvpn.exe stable?

I have seldom seen openvpn.exe crash -- it's more like it just exits because
of bad directives in a config file or a missing certificate/key etc.

The problem is with the service -- a single bad config can stop it from
loading others. It sometimes goes into a weird state which can be recovered
only by a restart. It also lacks features like adding new configs without
affecting running instances. I hear it doesn't work on Windows 10, but I
haven't tried.

So, a stable service (or NSSM) and an improved GUI for desktop clients are
needed. NSSM has many advantages in this regard as each instance is
independent of the other (isn't it?).

I am not that excited about the interactive service which lets openvpn.exe
run as user but lets users push configs. And it can't handle non-interactive
uses. In my view configs should be registered only with admin privilege, not
arbitrarily pushed by any user -- this applies to desktops and servers. Only
for day to day activities of starting and stopping a connection one wants to
avoid the "run as admin" requirement.. Running only the GUI as user through
the MI serves that purpose and looks a safer option than the interactive
service.

Thanks,

Selva
Re: [Openvpn-devel] Fw: Easy-RSA3.0.0 Windows Version batch file missing
Apologies for the "You must be" comment ..

- Original Message -
From:
To: "Eric Crist"
Cc:
Sent: Wednesday, October 21, 2015 11:31 PM
Subject: Re: [Openvpn-devel] Fw: Easy-RSA3.0.0 Windows Version batch file missing

Hi // You must be

- Original Message -
From: "Eric Crist"
To:
Cc:
Sent: Tuesday, September 22, 2015 1:05 PM
Subject: Re: [Openvpn-devel] Fw: Easy-RSA3.0.0 Windows Version batch file missing

http://sourceforge.net/p/openvpn/mailman/message/34480727/
https://forums.openvpn.net/topic19629.html

It has only been one month.

http://sourceforge.net/p/openvpn/mailman/message/34556607/