Re: [Openvpn-devel] [PATCH for gui] Do not disconnect on suspend by default

2015-11-09 Thread Selva Nair
Hi,

>> Requires the installer to update the registry during an upgrade of existing
>> installations, or notify the end user of the change in the default value of
>> disconnect_on_suspend (0).
>
> What does this patch *do*?  Is this the "set up registry key on first
> start" part (so we set the default differently now)?
>
> But that implies that an upgrade will not change the default, right?

You are right, the current openvpn installer does not rewrite the
registry for the GUI, so an update does not change the default and
that is not good. I left that to the package maintainer with that
comment about the installer and upgrading.

I would have preferred to completely remove the handling of
PBT_APMSUSPEND event in main.c but did not want to make pervasive
changes.

Instead, one could just modify openvpn.nsi with an added line in the
GUI install section:

DelRegKeyIfUnchanged HKLM
"SOFTWARE\${PACKAGE_NAME}_GUI}\disconnect_on_suspend" "1"


Selva



Re: [Openvpn-devel] Topics for today's (Monday, 9th Nov 2015) community meeting

2015-11-09 Thread Samuli Seppänen

Hi,

Here's the summary of today's IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-devel on irc.freenode.net
Date: Monday 9th Nov 2015
Time: 20:00 CET (19:00 UTC)

Planned meeting topics for this meeting were here:



The next meeting has not been scheduled yet, but will probably be 
arranged two weeks from now.


Your local meeting time is easy to check from services such as



SUMMARY

cron2, lev, mattock, valdikss and syzzer participated in this meeting.

---

Discussed setting up a Flattr account for receiving donations. It was 
agreed that it makes sense, but it was not clear who would take care of 
the money, and how exactly the money would be distributed. Cron2 
suggested using the money to sponsor the developer hackathons, which 
have proven quite useful. Mattock will discuss this internally at the 
company to see if the company could hold the money.



--

Discussed PolarSSL end-of-life, which is due on 31st December 2015. 
Because very few package-based Linux distributions provide "OpenVPN with 
PolarSSL" packages, we'll simply drop PolarSSL 1.2 support from OpenVPN 
when the time comes. Source-based distributions probably don't have an 
issue with us dropping PolarSSL 1.2 support, as their users can link to 
1.3 easily at compile time.


--

Discussed setting up Travis-CI and Coverity for OpenVPN. It was agreed 
that this is a good idea. Syzzer will do some testing in his own GitHub 
fork of OpenVPN and when it works, we'll migrate the configuration to 
the official GitHub repository.


--

Discussed the OpenVPN 2.3.9 release. The Windows 10 DNS fix from 
valdikss should be included. ValdikSS will provide a separate patch for 
2.3 and Git "master". We will aim at releasing 2.3.9 with PolarSSL 1.2 
at the end of this month, and 2.3.10 with PolarSSL 1.3 about two weeks 
after that.


--

Discussed the "Use adapter index instead of name" patch:



Lev will look into the correct syntax for the interface definition and 
get back.


--

Discussed the "Support for disabled peer-id" patch:



Syzzer promised to review this patch.

--

Discussed the "Notify clients about server's exit/restart" patch:



This has already been ACKed by Arne and will be merged soon.

--

Discussed the query username/password patches from dazo. Cron2 promised 
to review them tomorrow evening.


--

Discussed the "When --disable is set for a client, the server never 
replies to the client." ticket:




Mattock sent the reporter an email, asking him to test the patch dazo 
had provided.


---

Full chatlog has been attached to this email.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock
(21:06:09) mattock: hi guys!
(21:06:21) lev__: hi mattock1!
(21:07:49) mattock: everybody set?
(21:07:56) mattock: topics for today: 
https://community.openvpn.net/openvpn/wiki/Topics-2015-11-09
(21:09:20) syzzer: yes, ready!
(21:09:53) ***cron2 remarks being impressed with our news windows strategy
(21:10:04) cron2: whatever we did, people are sending windows fixes now!  woot!
(21:10:19) syzzer: yes, it is really working
(21:10:21) mattock: even without mattock doing the tasks he promised
(21:10:22) syzzer: very nice
(21:10:26) mattock: :P
(21:10:33) syzzer: yes, go fork!
(21:10:44) mattock: I will definitely need to setup the forum board, IRC 
channel and fork openvpn-gui to GitHub
(21:10:59) mattock: I'll prioritize those and start work on them tomorrow
(21:11:00) cron2: syzzer: speaking about tasks :-) - do we have a trac ticket 
or anything to remind you of the "warn if local cert is expired" wish?
(21:11:08) cron2: mattock1: tomorrow is always an option!
(21:11:27) syzzer: cron2: uh, not sure
(21:11:38) mattock: cron2: yes, and I'm speaking of a static tomorrow (10th 
Nov), not "tomorrow" that recurs every "today"
(21:11:38) syzzer: either way, I completely forgot about it
(21:11:58) cron2: mattock1: oh, the northern europe "tomorrow", not the 
southern "manana" :)
(21:12:13) cron2: syzzer: feel yourself reminded (always at your service)
(21:12:21) cron2: shall we start?
(21:12:30) mattock: syzzer: one question before we start
(21:12:34) mattock: what is your personal email?
(21:12:42) mattock: feel free to PM me or whatever
(21:12:47) ***cron2 shows mattock1 "git log" :)
(21:12:47) mattock: if you don't want it published
(21:12:53) mattock: ic
(21:12:56) mattock: let's start then
(21:13:12) mattock: do we want to discuss "moneyz" first, or will that become 
too much bikeshedding?
(21:13:18) cron2: half the patches are coming from the private address :)
(21:13:21) mattock: as a first topic I mean

Re: [Openvpn-devel] [PATCH] Fix a few typos in the Russian localization

2015-11-09 Thread Роман Донченко

Oh, OK then. I didn't know about the fork.

ValdikSS wrote in his message of Mon, 09 Nov 2015 22:28:52 +0300:


Thanks for the patch, but all these and other typos are already fixed
in mattock's repository

https://github.com/mattock/openvpn-gui/commit/b5b00c272674233c5c951c0e473f2341065a9fc4
and would be included in the next release.

On 09.11.2015 21:32, Роман Донченко wrote:

---
 res/openvpn-gui-res-ru.rc | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/res/openvpn-gui-res-ru.rc b/res/openvpn-gui-res-ru.rc
index a9f8f48..08e7f97 100644
--- a/res/openvpn-gui-res-ru.rc
+++ b/res/openvpn-gui-res-ru.rc
@@ -123,12 +123,12 @@ FONT 8, "Microsoft Sans Serif"
 LANGUAGE LANG_RUSSIAN, SUBLANG_DEFAULT
 BEGIN
 ICON ID_ICO_APP, 0, 8, 16, 21, 20
-LTEXT "OpenVPN GUI v" PACKAGE_VERSION " - графичсекий интерфейс  
Windows для OpenVPN\n" \
+LTEXT "OpenVPN GUI v" PACKAGE_VERSION " - графический интерфейс  
Windows для OpenVPN\n" \
   "Copyright (C) 2004-2005 Mathias Sundman  
\n" \

   "http://openvpn.se/;, 0, 36, 15, 206, 26
 LTEXT "OpenVPN - приложение для безопасного туннелирования  
IP-сетей " \
   "через единственный UDP-порт с поддержкой аутентификации  
сессий " \
-  "и обмена ключами на основе SSL/TLS, шифрования,  
аутенцификации " \
+  "и обмена ключами на основе SSL/TLS, шифрования,  
аутентификации " \

   "и сжатия пакетов.\n" \
   "\n" \
   "Copyright (C) 2002-2005 OpenVPN Solutions LLC  
\n" \

@@ -164,7 +164,7 @@ BEGIN
 IDS_MENU_SETTINGS "Настройки…"
 IDS_MENU_CLOSE "Выход"
 IDS_MENU_CONNECT "Подключиться"
-IDS_MENU_DISCONNECT "Отключится"
+IDS_MENU_DISCONNECT "Отключиться"
 IDS_MENU_STATUS "Отобразить состояние"
 IDS_MENU_VIEWLOG "Показать журнал"
 IDS_MENU_EDITCONFIG "Редактировать конфигурацию"
@@ -253,7 +253,7 @@ BEGIN
   "--log_dir\t\t\t: Путь к папке с файлами журнала.\n"  
\
   "--priority_string\t\t: Строка приоритета (См.  
install.txt для доп. информации).\n" \
   "--append_string\t\t: 1=Присоединять к файлу  
журнала. 0=Очищать файл журнала при соединении.\n" \
-  "--log_viewer\t\t: Путь к просмотровщику  
журналаr.\n" \
+  "--log_viewer\t\t: Путь к просмотровщику журнала.\n"  
\

   "--editor\t\t\t: Путь к редактору конфигурации.\n" \
   "--allow_edit\t\t: 1=Показать пункт меню  
Редактировать конфигурацию.\n" \
   "--allow_service\t\t: 1=Показать меню Служба  
OpenVPN.\n" \
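
Review bot: The stray Latin "r" removed after "журнала" in the --log_viewer line of the last hunk is a mixed-script slip that is almost invisible in review, so a scan of the whole openvpn-gui-res-ru.rc for Latin letters inside Cyrillic words would be worth doing before this goes in. The patch mail also starts directly at "---" with no commit body and no Signed-off-by line, which the other patches in this digest carry.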

Re: [Openvpn-devel] [PATCH for gui] Do not disconnect on suspend by default

2015-11-09 Thread Gert Doering
Hi,

On Mon, Nov 09, 2015 at 03:35:23PM -0500, Selva Nair wrote:
> With commit ea66a2b5c.. openvpn restarts instead of terminate on suspend.
> This conflicts with the stop/restart logic in the gui during windows power
> state change events. Here we change the default behaviour so that SIGTERM
> is not triggered during windows suspend.
> 
> Requires the installer to update the registry during an upgrade of existing
> installations, or notify the end user of the change in the default value of
> disconnect_on_suspend (0).

What does this patch *do*?  Is this the "set up registry key on first
start" part (so we set the default differently now)?

But that implies that an upgrade will not change the default, right?

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de




[Openvpn-devel] [PATCH for gui] Do not disconnect on suspend by default

2015-11-09 Thread Selva Nair
With commit ea66a2b5c.. openvpn restarts instead of terminate on suspend.
This conflicts with the stop/restart logic in the gui during windows power
state change events. Here we change the default behaviour so that SIGTERM
is not triggered during windows suspend.

Requires the installer to update the registry during an upgrade of existing
installations, or notify the end user of the change in the default value of
disconnect_on_suspend (0).

Signed-off-by: Selva Nair 
---
 registry.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/registry.c b/registry.c
index f96827a..16af368 100644
--- a/registry.c
+++ b/registry.c
@@ -111,7 +111,7 @@ GetRegistryKeys()

   if (!GetRegKey(_T("show_script_window"), o.show_script_window, _T("1"), 
_countof(o.show_script_window))) return(false);

-  if (!GetRegKey(_T("disconnect_on_suspend"), o.disconnect_on_suspend, 
_T("1"), 
+  if (!GetRegKey(_T("disconnect_on_suspend"), o.disconnect_on_suspend, 
_T("0"), 
   _countof(o.disconnect_on_suspend))) return(false);

   if (!GetRegKey(_T("passphrase_attempts"), o.psw_attempts_string, _T("3"), 
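
Review bot: The new _T("0") passed to GetRegKey for disconnect_on_suspend is only the fallback default, so a machine that already has the value stored as "1" from an earlier install keeps disconnecting on suspend and still runs into the conflict with the restart-on-suspend behaviour the commit message describes. The message leaves the upgrade path to the installer; the installer change (or a migration of the stored value) should land together with this hunk, and a short comment at this line saying why the default is 0 would help the next reader.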
-- 
2.6.2




Re: [Openvpn-devel] [PATCH] Fix a few typos in the Russian localization

2015-11-09 Thread ValdikSS
Thanks for the patch, but all these and other typos are already fixed in
mattock's repository
https://github.com/mattock/openvpn-gui/commit/b5b00c272674233c5c951c0e473f2341065a9fc4
and would be included in the next release.

On 09.11.2015 21:32, Роман Донченко wrote:
> ---
>  res/openvpn-gui-res-ru.rc | 8 
>  1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/res/openvpn-gui-res-ru.rc b/res/openvpn-gui-res-ru.rc
> index a9f8f48..08e7f97 100644
> --- a/res/openvpn-gui-res-ru.rc
> +++ b/res/openvpn-gui-res-ru.rc
> @@ -123,12 +123,12 @@ FONT 8, "Microsoft Sans Serif"
>  LANGUAGE LANG_RUSSIAN, SUBLANG_DEFAULT
>  BEGIN
>  ICON ID_ICO_APP, 0, 8, 16, 21, 20
> -LTEXT "OpenVPN GUI v" PACKAGE_VERSION " - графичсекий интерфейс Windows 
> для OpenVPN\n" \
> +LTEXT "OpenVPN GUI v" PACKAGE_VERSION " - графический интерфейс Windows 
> для OpenVPN\n" \
>"Copyright (C) 2004-2005 Mathias Sundman \n" \
>"http://openvpn.se/;, 0, 36, 15, 206, 26
>  LTEXT "OpenVPN - приложение для безопасного туннелирования IP-сетей " \
>"через единственный UDP-порт с поддержкой аутентификации сессий " \
> -  "и обмена ключами на основе SSL/TLS, шифрования, аутенцификации " \
> +  "и обмена ключами на основе SSL/TLS, шифрования, аутентификации " \
>"и сжатия пакетов.\n" \
>"\n" \
>"Copyright (C) 2002-2005 OpenVPN Solutions LLC 
> \n" \
> @@ -164,7 +164,7 @@ BEGIN
>  IDS_MENU_SETTINGS "Настройки…"
>  IDS_MENU_CLOSE "Выход"
>  IDS_MENU_CONNECT "Подключиться"
> -IDS_MENU_DISCONNECT "Отключится"
> +IDS_MENU_DISCONNECT "Отключиться"
>  IDS_MENU_STATUS "Отобразить состояние"
>  IDS_MENU_VIEWLOG "Показать журнал"
>  IDS_MENU_EDITCONFIG "Редактировать конфигурацию"
> @@ -253,7 +253,7 @@ BEGIN
>"--log_dir\t\t\t: Путь к папке с файлами журнала.\n" \
>"--priority_string\t\t: Строка приоритета (См. install.txt 
> для доп. информации).\n" \
>"--append_string\t\t: 1=Присоединять к файлу журнала. 
> 0=Очищать файл журнала при соединении.\n" \
> -  "--log_viewer\t\t: Путь к просмотровщику журналаr.\n" \
> +  "--log_viewer\t\t: Путь к просмотровщику журнала.\n" \
>"--editor\t\t\t: Путь к редактору конфигурации.\n" \
>"--allow_edit\t\t: 1=Показать пункт меню Редактировать 
> конфигурацию.\n" \
>"--allow_service\t\t: 1=Показать меню Служба OpenVPN.\n" \





Re: [Openvpn-devel] Adding a ctrl-C handler in windows

2015-11-09 Thread Selva Nair
Hi,

On Mon, Nov 9, 2015 at 1:04 PM, James Yonan  wrote:
>>> I plan to add a control-C handler in win32.c. The handler will simply
>>> map it to SIGTERM. Is there any particular reason why control-C is not
>>> currently handled?
>>
>> Hi,
>>
>> I forwarded this email to James - he might have a clue.
>
> Currently the Windows implementation, when running in console mode, uses
> function keys to trigger various Unix signals (see win32_signal_get()
> function in win32.c).
>
> The current code looks like this:
>
>switch (win32_keyboard_get (ws))
>  {
>  case 0x3B: /* F1 -> USR1 */
>ret = SIGUSR1;
>break;
>  case 0x3C: /* F2 -> USR2 */
>ret = SIGUSR2;
>break;
>  case 0x3D: /* F3 -> HUP */
>ret = SIGHUP;
>break;
>  case 0x3E: /* F4 -> TERM */
>ret = SIGTERM;
>break;
>  }
>
>
> It's probably okay to just make CTRL-c generate a SIGTERM as F4 is
> already doing.
>
> James

Thanks for the comment.

In the interactive mode, the console is opened with no
ENABLE_PROCESSED_INPUT so ctrl-C will be delivered as keyboard input
and could be handled just like F4.

With nssm, the console is shared with nssm, so ctrl-C is delivered as
a signal. I'll send a patch handling both cases.

Selva
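
The two delivery paths described in the message above (Ctrl-C as a key event when ENABLE_PROCESSED_INPUT is off, Ctrl-C as a console control event when the console is shared), shown as an added example that is not OpenVPN code and not the patch announced in the thread. The function names, the ascii/scan split of a key event and the fallback signal numbers are assumptions of this example.

```c
/* Added illustration, not OpenVPN source: map Ctrl-C to SIGTERM on both
 * delivery paths discussed in the thread. All names are hypothetical. */
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Console control event codes from the Windows SDK, repeated here so the
 * mapping logic also builds and can be exercised off Windows. */
#define CTRL_C_EVENT 0
#define CTRL_CLOSE_EVENT 2
#endif

/* Fallbacks for C runtimes lacking these signals; placeholder numbers. */
#ifndef SIGHUP
#define SIGHUP 1
#endif
#ifndef SIGUSR1
#define SIGUSR1 10
#endif
#ifndef SIGUSR2
#define SIGUSR2 12
#endif

/* Set by the console control handler, consumed by the main loop. */
static volatile sig_atomic_t pending_signal = 0;

/* Path 1: console opened without ENABLE_PROCESSED_INPUT, so Ctrl-C sits in
 * the input buffer as a key event carrying ASCII 0x03 (ETX). ascii is 0 for
 * function keys. Returns the signal to raise, or 0 for an unmapped key. */
int key_to_signal(unsigned char ascii, unsigned int scan)
{
    if (ascii == 0x03)
        return SIGTERM;            /* Ctrl-C -> TERM, same as F4 */
    if (ascii != 0)
        return 0;                  /* ';' has ASCII 0x3B but is not F1 */
    switch (scan) {
    case 0x3B: return SIGUSR1;     /* F1 -> USR1 */
    case 0x3C: return SIGUSR2;     /* F2 -> USR2 */
    case 0x3D: return SIGHUP;      /* F3 -> HUP */
    case 0x3E: return SIGTERM;     /* F4 -> TERM */
    default:   return 0;
    }
}

/* Path 2: console shared with a parent process (the nssm case), so Ctrl-C
 * arrives as a console control event. Returns true when it was consumed. */
bool ctrl_event_to_signal(unsigned long event)
{
    if (event == CTRL_C_EVENT) {
        pending_signal = SIGTERM;
        return true;
    }
    return false;                  /* other events keep default handling */
}

/* Main-loop side: fetch and clear the pending signal (0 if none). */
int take_pending_signal(void)
{
    int sig = pending_signal;
    pending_signal = 0;
    return sig;
}

#ifdef _WIN32
/* Windows invokes this callback on a thread of its own. */
static BOOL WINAPI console_ctrl_handler(DWORD event)
{
    return ctrl_event_to_signal(event) ? TRUE : FALSE;
}
bool install_ctrl_handler(void)
{
    return SetConsoleCtrlHandler(console_ctrl_handler, TRUE) != 0;
}
#endif

int main(void)
{
    /* Constructed key events: F4, Ctrl-C (scan code of the C key), ';'. */
    printf("F4     -> %d\n", key_to_signal(0, 0x3E));
    printf("Ctrl-C -> %d\n", key_to_signal(0x03, 0x2E));
    printf("';'    -> %d\n", key_to_signal(';', 0x27));
    ctrl_event_to_signal(CTRL_C_EVENT);
    printf("event  -> %d\n", take_pending_signal());
    return 0;
}
```

Keeping the ASCII value and the scan code apart matters here because 0x3B is both the scan code of F1 and the character ';'.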



[Openvpn-devel] [PATCH] Fix a few typos in the Russian localization

2015-11-09 Thread Роман Донченко
---
 res/openvpn-gui-res-ru.rc | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/res/openvpn-gui-res-ru.rc b/res/openvpn-gui-res-ru.rc
index a9f8f48..08e7f97 100644
--- a/res/openvpn-gui-res-ru.rc
+++ b/res/openvpn-gui-res-ru.rc
@@ -123,12 +123,12 @@ FONT 8, "Microsoft Sans Serif"
 LANGUAGE LANG_RUSSIAN, SUBLANG_DEFAULT
 BEGIN
 ICON ID_ICO_APP, 0, 8, 16, 21, 20
-LTEXT "OpenVPN GUI v" PACKAGE_VERSION " - графичсекий интерфейс Windows 
для OpenVPN\n" \
+LTEXT "OpenVPN GUI v" PACKAGE_VERSION " - графический интерфейс Windows 
для OpenVPN\n" \
   "Copyright (C) 2004-2005 Mathias Sundman \n" \
   "http://openvpn.se/;, 0, 36, 15, 206, 26
 LTEXT "OpenVPN - приложение для безопасного туннелирования IP-сетей " \
   "через единственный UDP-порт с поддержкой аутентификации сессий " \
-  "и обмена ключами на основе SSL/TLS, шифрования, аутенцификации " \
+  "и обмена ключами на основе SSL/TLS, шифрования, аутентификации " \
   "и сжатия пакетов.\n" \
   "\n" \
   "Copyright (C) 2002-2005 OpenVPN Solutions LLC \n" 
\
@@ -164,7 +164,7 @@ BEGIN
 IDS_MENU_SETTINGS "Настройки…"
 IDS_MENU_CLOSE "Выход"
 IDS_MENU_CONNECT "Подключиться"
-IDS_MENU_DISCONNECT "Отключится"
+IDS_MENU_DISCONNECT "Отключиться"
 IDS_MENU_STATUS "Отобразить состояние"
 IDS_MENU_VIEWLOG "Показать журнал"
 IDS_MENU_EDITCONFIG "Редактировать конфигурацию"
@@ -253,7 +253,7 @@ BEGIN
   "--log_dir\t\t\t: Путь к папке с файлами журнала.\n" \
   "--priority_string\t\t: Строка приоритета (См. install.txt 
для доп. информации).\n" \
   "--append_string\t\t: 1=Присоединять к файлу журнала. 
0=Очищать файл журнала при соединении.\n" \
-  "--log_viewer\t\t: Путь к просмотровщику журналаr.\n" \
+  "--log_viewer\t\t: Путь к просмотровщику журнала.\n" \
   "--editor\t\t\t: Путь к редактору конфигурации.\n" \
   "--allow_edit\t\t: 1=Показать пункт меню Редактировать 
конфигурацию.\n" \
   "--allow_service\t\t: 1=Показать меню Служба OpenVPN.\n" \
-- 
2.6.1.windows.1




Re: [Openvpn-devel] Adding a ctrl-C handler in windows

2015-11-09 Thread James Yonan

On 09/11/2015 00:38, Samuli Seppänen wrote:



Hi,

I plan to add a control-C handler in win32.c. The handler will simply
map it to SIGTERM. Is there any particular reason why control-C is not
currently handled?


Hi,

I forwarded this email to James - he might have a clue.


Currently the Windows implementation, when running in console mode, uses 
function keys to trigger various Unix signals (see win32_signal_get() 
function in win32.c).


The current code looks like this:

  switch (win32_keyboard_get (ws))
    {
    case 0x3B: /* F1 -> USR1 */
      ret = SIGUSR1;
      break;
    case 0x3C: /* F2 -> USR2 */
      ret = SIGUSR2;
      break;
    case 0x3D: /* F3 -> HUP */
      ret = SIGHUP;
      break;
    case 0x3E: /* F4 -> TERM */
      ret = SIGTERM;
      break;
    }


It's probably okay to just make CTRL-c generate a SIGTERM as F4 is 
already doing.


James



[Openvpn-devel] [PATCH applied] Re: polarssl: add --verify-client-cert optional support

2015-11-09 Thread Gert Doering
Your patch has been applied to the master branch.

commit f107c62051ebbf4a2b661fcba8703fe26485c7af
Author: Steffan Karger
Date:   Fri Oct 16 00:43:15 2015 +0200

 polarssl: add --verify-client-cert optional support

 Signed-off-by: Steffan Karger 
 Acked-by: Jan Just Keijser 
 Message-Id: <1444948995-18720-3-git-send-email-stef...@karger.me>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/10288
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCH applied] Re: Author: Jan Just Keijser <janj...@nikhef.nl>

2015-11-09 Thread Gert Doering
Your patch has been applied to the master branch.

commit b8cdb213d4fa5a56074115faceb2e0da373bab8f
Author: Jan Just Keijser
Date:   Fri Oct 9 11:39:19 2015 +0200

 Author: Jan Just Keijser 

 Signed-off-by: Jan Just Keijser 
 Acked-by: Steffan Karger 
 Message-Id: <1444383559-15788-1-git-send-email-janj...@nikhef.nl>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/10213
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




Re: [Openvpn-devel] [PATCH v2] Use adapter index instead of name

2015-11-09 Thread Gert Doering
Hi,

On Mon, Nov 09, 2015 at 04:35:09PM +0200, Lev Stipakov wrote:
> v2:
>  * Remove netsh call which uses adapter name. After thoughtful testing
> turns out that "adapter name" code branch is never used.

Not there yet :-) - but thanks for picking this up.

As I said for v1, if we change this for the "set address" part of the
code, because "it will sometimes not work otherwise", we should also
change it for the "set route" code - consistent usage of netsh, easier
to understand when reading the log, etc.

It should actually be not very hard - we should be able to set "tt->actual"
to read "interface=nnn", and then it should work automagically without even 
touching route.c at all

> - /* example: netsh interface ipv6 set address MyTap 2001:608:8003::d 
> store=active */
> + /* example: netsh interface ipv6 set address 42 2001:608:8003::d 
> store=active */

What does surprise me, though, is that it works for you with just specifying
the interface index, without "IF" or "interface=" before it.

When setting IPv6 routes for non-tun/tap gateways (route.c, line 1770, 
in git master) I use "interface=" and that is what the online
help told me to use.

  struct buffer out = alloc_buf_gc (64, );
  buf_printf (, "interface=%d", r6->adapter_index );
  device = buf_bptr();
...
  argv_printf (, "%s%sc interface ipv6 add route %s/%d %s",
   get_win_sys_path(),
   NETSH_PATH_SUFFIX,
   network,
   r6->netbits,
   device);

is the syntax different for "set address"?

(IPv4 code uses "IF "... hrmph)

gert


-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de




[Openvpn-devel] [PATCH v2] Use adapter index instead of name

2015-11-09 Thread Lev Stipakov
v2:
 * Remove netsh call which uses adapter name. After thoughtful testing
turns out that "adapter name" code branch is never used.

Some windows machines get weird issues with netsh when using
adapter name on "netsh.exe interface ipv6 set address" command.

Changed logic to get adapter index and use it instead of adapter
name for netsh set address command. if unable to get adapter index,
try with adapter name.

Signed-off-by: Olli Mannisto 
Signed-off-by: Lev Stipakov 
---
 src/openvpn/tun.c | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index 24a61ec..0347a52 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -1301,18 +1301,18 @@ do_ifconfig (struct tuntap *tt,
 if ( do_ipv6 )
   {
char * saved_actual;
+   const DWORD idx = get_adapter_index_flexible(actual);

if (!strcmp (actual, "NULL"))
  msg (M_FATAL, "Error: When using --tun-ipv6, if you have more than 
one TAP-Windows adapter, you must also specify --dev-node");

-   /* example: netsh interface ipv6 set address MyTap 2001:608:8003::d 
store=active */
+   /* example: netsh interface ipv6 set address 42 2001:608:8003::d 
store=active */
argv_printf (,
-   "%s%sc interface ipv6 set address %s %s store=active",
+"%s%sc interface ipv6 set address %u %s store=active",
 get_win_sys_path(),
 NETSH_PATH_SUFFIX,
-actual,
-ifconfig_ipv6_local );
-
+idx,
+ifconfig_ipv6_local);
netsh_command (, 4);

/* explicit route needed */
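
Review bot: idx is taken from get_adapter_index_flexible(actual) before the strcmp (actual, "NULL") check and is then formatted with %u into the netsh command without any test that the lookup succeeded. The commit message still says "if unable to get adapter index, try with adapter name", but this hunk removes the only use of actual in the command, so a failed lookup would run netsh with whatever the function returns on failure. Either check idx and stop with a clear message, or restore the name fallback, and bring the commit message in line with the code. The change from "ifconfig_ipv6_local );" to "ifconfig_ipv6_local);" and the dropped blank line are unrelated whitespace edits that could be left out.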
-- 
1.9.1




Re: [Openvpn-devel] [PATCH 2/2] polarssl: add --verify-client-cert optional support

2015-11-09 Thread Jan Just Keijser

Ack to this patch (but remember to apply my patch first :))

JJK

Steffan Karger wrote:

This adds support for the --verify-client-cert optional option in PolarSSL
builds, as was earlier added for OpenSSL builds by Jan-Just Keijser.

This patch also adds an additional sanity check that this option may only
be used in combination with some other authentication method, and changes
the warning message about this option to be displayed only once on startup,
instead of for each connecting client.

Signed-off-by: Steffan Karger 
---
 src/openvpn/options.c  | 13 ++---
 src/openvpn/ssl_openssl.c  |  8 +++-
 src/openvpn/ssl_polarssl.c | 10 --
 3 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index b2248b0..c88a180 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2053,8 +2053,8 @@ options_postprocess_verify_ce (const struct options 
*options, const struct conne
 || PLUGIN_OPTION_LIST (options)
 || MAN_CLIENT_AUTH_ENABLED (options));
  const char *postfix = "must be used with --management-client-auth, an 
--auth-user-pass-verify script, or plugin";
- if ((options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) && !ccnr)
-   msg (M_USAGE, "--client-cert-not-required %s", postfix);
+ if ((options->ssl_flags & 
(SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) && !ccnr)
+   msg (M_USAGE, "--verify-client-cert none|optional %s", postfix);
  if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
msg (M_USAGE, "--username-as-common-name %s", postfix);
  if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
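
Review bot: The M_USAGE text in this hunk now reads "--verify-client-cert none|optional ..." even when the flag was set through the legacy --client-cert-not-required option, which the old message named explicitly. A user who still has the legacy option in the config would get an error naming an option that is not in the file; the warning added later in this patch says "(or --client-cert-not-required)", and using the same wording here would keep the two messages consistent.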
@@ -2088,7 +2088,7 @@ options_postprocess_verify_ce (const struct options 
*options, const struct conne
msg (M_USAGE, "--duplicate-cn requires --mode server");
   if (options->cf_max || options->cf_per)
msg (M_USAGE, "--connect-freq requires --mode server");
-  if (options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED || options->ssl_flags 
& SSLF_CLIENT_CERT_OPTIONAL)
+  if (options->ssl_flags & 
(SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
msg (M_USAGE, "--client-cert-not-required and --verify-client-cert require 
--mode server");
   if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
msg (M_USAGE, "--username-as-common-name requires --mode server");
@@ -2136,6 +2136,13 @@ options_postprocess_verify_ce (const struct options 
*options, const struct conne
   (options->shared_secret_file != NULL) > 1)
 msg (M_USAGE, "specify only one of --tls-server, --tls-client, or 
--secret");
 
+  if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))

+{
+  msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
+ "--verify-client-cert none|optional (or --client-cert-not-required) "
+ "may accept clients which do not present a certificate");
+}
+
   if (options->tls_server || options->tls_client)
 {
 #ifdef ENABLE_PKCS11
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 3528ed4..3462d34 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -256,14 +256,12 @@ tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned 
int ssl_flags)
 #if P2MP_SERVER
   if (ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
 {
-  msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
- "--client-cert-not-required and --verify-client-cert none "
-  "may accept clients which do not present a certificate");
-
   flags = 0;
 }
   else if (ssl_flags & SSLF_CLIENT_CERT_OPTIONAL)
-flags = SSL_VERIFY_PEER;
+{
+  flags = SSL_VERIFY_PEER;
+}
 #endif
   SSL_CTX_set_verify (ctx->ctx, flags, verify_callback);
 
diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c

index 27cd735..cf38e69 100644
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
@@ -776,18 +776,16 @@ void key_state_ssl_init(struct key_state_ssl *ks_ssl,
 
   /* Initialise SSL verification */

 #if P2MP_SERVER
-  if (session->opt->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
+  if (session->opt->ssl_flags & SSLF_CLIENT_CERT_OPTIONAL)
{
- msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
-  "--client-cert-not-required may accept clients which do not present "
-  "a certificate");
+ ssl_set_authmode(ks_ssl->ctx, SSL_VERIFY_OPTIONAL);
}
-  else
+  else if (!(session->opt->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED))
 #endif
   {
ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_REQUIRED);
-   ssl_set_verify (ks_ssl->ctx, verify_callback, session);
   }
+  ssl_set_verify (ks_ssl->ctx, verify_callback, session);
 
   /* TODO: PolarSSL does not currently support sending the CA chain to the client */
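
Review bot: When SSLF_CLIENT_CERT_NOT_REQUIRED is set, neither branch in this hunk calls ssl_set_authmode, so the "no client certificate" case depends on whatever authmode the context already carries instead of being requested explicitly. A third branch that sets SSL_VERIFY_NONE would put the required, optional and none cases side by side and would not silently change meaning if the library default ever did. As a style point, the added ssl_set_authmode(ks_ssl->ctx, SSL_VERIFY_OPTIONAL) call lacks the space before the parenthesis that the neighbouring ssl_set_authmode (...) line uses.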

   

[Openvpn-devel] Topics for today's (Monday, 9th Nov 2015) community meeting

2015-11-09 Thread Samuli Seppänen

Hi,

We're going to have an IRC meeting today starting at 20:00 CET (19:00 
UTC) on #openvpn-meeting  irc.freenode.net. Note that the meeting 
channel has changed and that you do _not_ have to be logged in to 
Freenode to join the channel.


Current topic list along with basic information is here:



If you have any other things you'd like to bring up, respond to this 
mail, send me mail privately or add them to the list yourself.


In case you can't attend the meeting, please feel free to make comments 
on the topics by responding to this email or to the summary email sent 
after the meeting. Whenever possible, we'll also respond to existing, 
related email threads.


NOTE: It's required to use a registered Freenode IRC nickname to join 
#openvpn-devel - look here for details:




--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] [PATCH applied] Re: Fix termination when windows suspends/sleeps

2015-11-09 Thread Samuli Seppänen



Hi,

On Fri, Nov 6, 2015 at 4:12 PM, Gert Doering  wrote:

On Fri, Nov 06, 2015 at 10:08:59PM +0100, Gert Doering wrote:

ACK.  Explanation makes sense, logs and testers demonstrate that it indeed
fixes a significant problem, and the code is sane :-) - thanks.

Your patch has been applied to the master and release/2.3 branch.

commit ea66a2b5cdb21422139c421b4d3733e1c1c3937e (master)
commit 0d4ba251879c702b9474e26ff73a4f559d922d4f (release/2.3)


Uh, and because I forgot to mention it - Samuli's buildbot will build a
windows snapshot from git master containing this, and it will be part
of 2.3.9 when we release this (no timeline yet).


Thanks.

Speaking of the windows installer, the GUI needs a small change to
play nice with this patch. Else the GUI will end up killing openvpn on
resume.. Not sure where to send patches for the GUI.


Hi,

For now you can send the patch to this list. I'll add OpenVPN-GUI to 
OpenVPN project's GitHub page soon, after which you can just issue a 
pull request.


Samuli





Re: [Openvpn-devel] Adding a ctrl-C handler in windows

2015-11-09 Thread Samuli Seppänen



Hi,

I plan to add a control-C handler in win32.c. The handler will simply
map it to SIGTERM. Is there any particular reason why control-C is not
currently handled?


Hi,

I forwarded this email to James - he might have a clue.

Samuli