[Openvpn-devel] ics-openvpn - route not added ?

2016-01-04 Thread debbie10t

Hi

Having read this about ics-openvpn:

https://github.com/schwabe/ics-openvpn/blob/master/doc/README.txt

I decided I was not in a position to add any further comments to this:

https://forums.openvpn.net/topic20654.html#p57367

So I thought to ask if Arne could add anything

The gist is that: the server & client are connecting ok
but the server LAN is not being added to the client RT
even though the route is successfully pushed.

Specific versions are:

official build 0.6.46 running on samsung SM-G900F (MSM8974), Android 5.0
(LRX21T) API 21, ABI armeabi-v7a,
(samsung/kltexx/klte:5.0/LRX21T/G900FXXU1BOJ1:user/release-keys)

and

OpenVPN 2.4-icsopenvpn [git:icsopenvpn_645-e6b5e62e37c02d5b]
android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH] [IPv6] built
on Dec  8 2015


My presumption is .. this is not a version we support ?

Thanks




[Openvpn-devel] [PATCH applied] Re: Implement the compression V2 data format for stub and lz4.

2016-01-04 Thread Gert Doering
ACK from me as well (and thanks for bearing with Steffan and me).  

I have stared at the code, and ran my test suite - I have not yet 
run end-to-end lz4v2 or stubv2, but my test server will pick up the 
change tomorrow and we'll see... :-)

Your patch has been applied to the master branch.

The {} brackets in lz4v2_compress() have been moved around as suggested 
by Steffan.  Also, I have fixed a typo ("compression schmemes") that
managed to evade earlier review.

commit a75bb2e40a431e053ea1ef328ec022aaf851ccc0 (master)

Author: Arne Schwabe
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Sun Jan 3 18:27:46 2016 +0100

 Implement the compression V2 data format for stub and lz4.

 Acked-by: Steffan Karger 
 Acked-by: Gert Doering 
 Message-Id: <1451842066-13475-1-git-send-email-a...@rfc2549.org>
 URL: http://article.gmane.org/gmane.network.openvpn.devel/10925
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




[Openvpn-devel] [PATCHv2] Update INSTALL-win32.txt for OpenVPN 2.3.10

2016-01-04 Thread samuli
From: Samuli Seppänen 

OpenVPN 2.3.10 includes an OpenVPN-GUI which automatically requests elevation of
privileges using UAC. Modified INSTALL-win32.txt to reflect this behavior.

Signed-off-by: Samuli Seppänen 
---
 INSTALL-win32.txt | 14 --
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/INSTALL-win32.txt b/INSTALL-win32.txt
index 7c05685..142f368 100644
--- a/INSTALL-win32.txt
+++ b/INSTALL-win32.txt
@@ -23,13 +23,15 @@ your configuration files and certificates, which now go to
 provided you did not install the 32-bit version on 64-bit
 Windows.
 
-IMPORTANT NOTE FOR WINDOWS VISTA/7 USERS
+IMPORTANT NOTE FOR USERS OF WINDOWS VISTA AND ABOVE
+
+Note that on Windows Vista and above, you will need to run the
+OpenVPN-GUI as a user with administrator privileges, so that
+it can add routes to the routing table. Admin privileges are
+requested automatically in OpenVPN 2.3.10 and later; older
+versions require right-clicking on the OpenVPN-GUI desktop icon
+and selecting "Run as administrator".
 
-Note that on Windows Vista, you will need to run the OpenVPN
-GUI with administrator privileges, so that it can add routes
-to the routing table that are pulled from the OpenVPN server.
-You can do this by right-clicking on the OpenVPN GUI
-desktop icon, and selecting "Run as administrator".
 
 GENERAL QUICKSTART FOR WINDOWS
 
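Review bot: the sentence "Admin privileges are requested automatically in OpenVPN 2.3.10 and later" names the wrong component. According to the commit message it is the OpenVPN-GUI bundled with 2.3.10 that asks for elevation through UAC, and "older versions" in the same sentence is then ambiguous between OpenVPN and the GUI. Suggest "requested automatically by the OpenVPN-GUI shipped with OpenVPN 2.3.10 and later". Separately, once the old paragraph is removed, the two unchanged blank lines around it become adjacent, so the file ends up with two empty lines before "GENERAL QUICKSTART FOR WINDOWS"; remove one of them.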
-- 
2.1.0




[Openvpn-devel] [PATCH] Update INSTALL-win32.txt for OpenVPN 2.3.10

2016-01-04 Thread samuli
From: Samuli Seppänen 

OpenVPN 2.3.10 includes an OpenVPN-GUI which automatically requests elevation of
privileges using UAC. Modified INSTALL-win32.txt to reflect this behavior.

Signed-off-by: Samuli Seppänen 
---
 INSTALL-win32.txt | 15 +--
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/INSTALL-win32.txt b/INSTALL-win32.txt
index 7c05685..ce08e63 100644
--- a/INSTALL-win32.txt
+++ b/INSTALL-win32.txt
@@ -1,3 +1,4 @@
+
 UPGRADING FROM 2.3-ALPHA1 AND EARLIER
 
 OpenVPN Windows installer went through major changes in
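Review bot: the empty line added at the very top of INSTALL-win32.txt, above "UPGRADING FROM 2.3-ALPHA1 AND EARLIER", is unrelated to the UAC documentation update described in the commit message and leaves the file starting with a blank line. Drop this hunk from the patch.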
@@ -23,13 +24,15 @@ your configuration files and certificates, which now go to
 provided you did not install the 32-bit version on 64-bit
 Windows.
 
-IMPORTANT NOTE FOR WINDOWS VISTA/7 USERS
+IMPORTANT NOTE FOR USERS OF WINDOWS VISTA AND ABOVE
+
+Note that on Windows Vista and above, you will need to run the
+OpenVPN-GUI as a user with administrator privileges, so that
+it can add routes to the routing table. Admin privileges are
+requested automatically in OpenVPN 2.3.10 and later; older
+versions require right-clicking on the OpenVPN-GUI desktop icon
+and selecting "Run as administrator".
 
-Note that on Windows Vista, you will need to run the OpenVPN
-GUI with administrator privileges, so that it can add routes
-to the routing table that are pulled from the OpenVPN server.
-You can do this by right-clicking on the OpenVPN GUI
-desktop icon, and selecting "Run as administrator".
 
 GENERAL QUICKSTART FOR WINDOWS
 
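Review bot: "run the OpenVPN-GUI as a user with administrator privileges" in the new paragraph changes the requirement from the old text, which only asked for the GUI to run "with administrator privileges". Since the next sentence says elevation is requested automatically, what the reader needs is an elevated GUI process, not necessarily a session logged in under an administrator account. Suggest keeping the old wording ("run the OpenVPN-GUI with administrator privileges") and stating what a standard user should expect when the elevation prompt appears.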
-- 
2.1.0




[Openvpn-devel] OpenVPN 2.3.10 released

2016-01-04 Thread Samuli Seppänen
The OpenVPN community project team is proud to release OpenVPN 2.3.10. 
It can be downloaded from here:




This release fixes IPv6 on Windows XP and warns users about expired 
certificates. A few other small fixes and improvements are included. In 
addition, PolarSSL 1.3 is now required for PolarSSL builds. The Windows 
installers now bundle OpenVPN-GUI 10, which automatically requests 
administrator privileges using UAC, instead of launching as a normal 
user and then failing at route creation time. A full list of changes is 
available here:




For generic help use these support channels:

Official documentation: 


Wiki: 
Forums: 
User mailing list: 
User IRC channel: #openvpn at irc.freenode.net

Please report bugs and ask development questions here:

Bug tracker and wiki: 
Developer mailing list: 
Developer IRC channel: #openvpn-devel at irc.freenode.net (requires 
Freenode registration)


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] [PATCH v2] Drop recursively routed packets

2016-01-04 Thread Lev Stipakov
v2: better method naming

On certain OSes (Windows, OS X) when network adapter is
disabled (ethernet cable pulled off, Wi-Fi hardware switch disabled),
operating system starts to use tun as an external interface.
Outgoing packets are routed to tun, UDP encapsulated, given to
routing table and sent to.. tun.

As a consequence, system starts talking to itself on full power,
traffic counters skyrocket and user is not happy.

To prevent that, drop packets which have gateway IP as
destination address.

Tested on Win7/10, OS X.

Trac #642

Signed-off-by: Lev Stipakov 
---
 src/openvpn/forward.c | 63 +++
 1 file changed, 63 insertions(+)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 36a99e6..af05bd0 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -973,6 +973,68 @@ read_incoming_tun (struct context *c)
   perf_pop ();
 }

+/**
+ * Drops UDP packets which OS decided to route via tun. 
+ * 
+ * On Windows and OS X when netwotk adapter is disabled or
+ * disconnected, platform starts to use tun as external interface. 
+ * When packet is sent to tun, it comes to openvpn, encapsulated
+ * and sent to routing table, which sends it again to tun.
+ */
+static void
+drop_if_recursive_routing (struct context *c, struct buffer *buf)
+{
+  bool drop = false;
+  struct openvpn_sockaddr tun_sa = c->c2.to_link_addr->dest;
+
+  if (is_ipv4 (TUNNEL_TYPE (c->c1.tuntap), buf))
+{
+  const struct openvpn_iphdr *pip;
+
+  /* make sure we got whole IP header */
+  if (BLEN (buf) < (int) sizeof (struct openvpn_iphdr))
+   return;
+
+  /* skip ipv4 packets for ipv6 tun */
+  if (tun_sa.addr.sa.sa_family != AF_INET)
+   return;
+
+  pip = (struct openvpn_iphdr *) BPTR (buf);
+
+  /* drop packets with same dest addr as gateway */
+  if (tun_sa.addr.in4.sin_addr.s_addr == pip->daddr)
+   drop = true;
+}
+  else if (is_ipv6 (TUNNEL_TYPE (c->c1.tuntap), buf))
+{
+  const struct openvpn_ipv6hdr *pip6;
+
+  /* make sure we got whole IPv6 header */
+  if (BLEN (buf) < (int) sizeof (struct openvpn_ipv6hdr))
+   return;
+
+  /* skip ipv6 packets for ipv4 tun */
+  if (tun_sa.addr.sa.sa_family != AF_INET6)
+   return;
+
+  /* drop packets with same dest addr as gateway */
+  pip6 = (struct openvpn_ipv6hdr *) BPTR(buf);
+  if (IN6_ARE_ADDR_EQUAL(_sa.addr.in6.sin6_addr, >daddr))
+   drop = true;
+}
+
+  if (drop)
+{
+  struct gc_arena gc = gc_new ();
+
+  c->c2.buf.len = 0;
+
+  msg(D_LOW, "Recursive routing detected, drop tun packet to %s",
+   print_link_socket_actual(c->c2.to_link_addr, ));
+  gc_free ();
+}
+}
+
 /*
  * Input:  c->c2.buf
  * Output: c->c2.to_link
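Review bot: the doc comment says the function "Drops UDP packets", but both branches compare only the destination address (`tun_sa.addr.in4.sin_addr.s_addr == pip->daddr` and the IN6_ARE_ADDR_EQUAL test); neither the IP protocol field nor the destination port is examined. Every tun packet addressed to the remote's IP is therefore discarded, including TCP traffic or traffic to a different port on that host. Either compare protocol and port against the link remote as well, or reword the comment and the commit message to say that all traffic to the remote address is dropped. Also, the drop path writes `c->c2.buf.len = 0` and never uses the `buf` parameter for the write; use `buf->len = 0` or remove the parameter.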
@@ -998,6 +1060,7 @@ process_incoming_tun (struct context *c)

   if (c->c2.buf.len > 0)
 {
+  drop_if_recursive_routing (c, >c2.buf);
   /*
* The --passtos and --mssfix options require
* us to examine the IP header (IPv4 or IPv6).
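Review bot: in process_incoming_tun() the outcome of the new call is not checked. drop_if_recursive_routing() returns void and signals a drop only by zeroing `c->c2.buf.len`, yet the call sits inside `if (c->c2.buf.len > 0)` and the --passtos/--mssfix header examination announced by the comment right after it still runs in the same block. Consider returning a bool from the helper and skipping the rest of the block on a drop, or re-testing the length after the call.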
-- 
1.9.1
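
The check described in the message above, as a stand-alone added example that is not part of the patch or of OpenVPN's code. It goes beyond the patch by also comparing the transport protocol and destination port with the link remote, so other traffic to the same host is not dropped; `struct remote`, `is_recursive` and the sample packets are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical description of the VPN link remote (not an OpenVPN struct). */
struct remote {
    int family;        /* 4 or 6 */
    uint8_t addr[16];  /* network order; IPv4 uses the first 4 bytes */
    uint8_t proto;     /* 17 = UDP, 6 = TCP */
    uint16_t port;     /* host order */
};

/* True when a packet read from tun is addressed to the link remote itself. */
bool is_recursive(const uint8_t *p, size_t len, const struct remote *r)
{
    size_t l4;  /* offset of the transport header */
    if (len < 1) return false;
    if ((p[0] >> 4) == 4 && r->family == 4) {
        size_t ihl = (size_t)(p[0] & 0x0f) * 4;
        if (len < 20 || ihl < 20 || len < ihl) return false;  /* truncated */
        if (p[9] != r->proto || memcmp(p + 16, r->addr, 4) != 0) return false;
        if (((p[6] & 0x1f) << 8 | p[7]) != 0) return true;  /* later fragment: no ports */
        l4 = ihl;
    } else if ((p[0] >> 4) == 6 && r->family == 6) {
        /* extension headers are not walked: next-header must be the transport */
        if (len < 40 || p[6] != r->proto || memcmp(p + 24, r->addr, 16) != 0) return false;
        l4 = 40;
    } else {
        return false;  /* address family mismatch or not an IP packet */
    }
    if (len < l4 + 4) return false;  /* ports not present */
    return (uint16_t)(p[l4 + 2] << 8 | p[l4 + 3]) == r->port;
}

/* Constructed samples: remote 203.0.113.10 UDP/1194, tun source 10.8.0.2. */
static const struct remote vpn = { 4, {203, 0, 113, 10}, 17, 1194 };
static const uint8_t pkt_loop[28] = { 0x45,0,0,28, 0,0,0,0, 64,17,0,0,
    10,8,0,2, 203,0,113,10, 0xc0,0x00,0x04,0xaa, 0,8,0,0 };
static const uint8_t pkt_https[40] = { 0x45,0,0,40, 0,0,0,0, 64,6,0,0,
    10,8,0,2, 203,0,113,10, 0xc0,0x00,0x01,0xbb };

int main(void)
{
    printf("loop=%d https=%d\n", is_recursive(pkt_loop, sizeof pkt_loop, &vpn),
           is_recursive(pkt_https, sizeof pkt_https, &vpn));
    return 0;
}
```

The second sample (TCP/443 to the same address) is the case an address-only comparison would also discard.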




[Openvpn-devel] [PATCH] Drop recursively routed packets

2016-01-04 Thread Lev Stipakov
On certain OSes (Windows, OS X) when network adapter is
disabled (ethernet cable pulled off, Wi-Fi hardware switch disabled),
operating system starts to use tun as an external interface.
Outgoing packets are routed to tun, UDP encapsulated, given to
routing table and sent to.. tun.

As a consequence, system starts talking to itself on full power,
traffic counters skyrocket and user is not happy.

To prevent that, drop packets which have gateway IP as
destination address.

Tested on Win7/10, OS X.

Trac #642

Signed-off-by: Lev Stipakov 
---
 src/openvpn/forward.c | 63 +++
 1 file changed, 63 insertions(+)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 36a99e6..05445a1 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -973,6 +973,68 @@ read_incoming_tun (struct context *c)
   perf_pop ();
 }

+/**
+ * Drops UDP packets which OS decided to route via tun. 
+ * 
+ * On Windows and OS X when netwotk adapter is disabled or
+ * disconnected, platform starts to use tun as external interface. 
+ * When packet is sent to tun, it comes to openvpn, encapsulated
+ * and sent to routing table, which sends it again to tun.
+ */
+static void
+drop_recursive (struct context *c, struct buffer *buf)
+{
+  bool drop = false;
+  struct openvpn_sockaddr tun_sa = c->c2.to_link_addr->dest;
+
+  if (is_ipv4 (TUNNEL_TYPE (c->c1.tuntap), buf))
+{
+  const struct openvpn_iphdr *pip;
+
+  /* make sure we got whole IP header */
+  if (BLEN (buf) < (int) sizeof (struct openvpn_iphdr))
+   return;
+
+  /* skip ipv4 packets for ipv6 tun */
+  if (tun_sa.addr.sa.sa_family != AF_INET)
+   return;
+
+  pip = (struct openvpn_iphdr *) BPTR (buf);
+
+  /* drop packets with same dest addr as gateway */
+  if (tun_sa.addr.in4.sin_addr.s_addr == pip->daddr)
+   drop = true;
+}
+  else if (is_ipv6 (TUNNEL_TYPE (c->c1.tuntap), buf))
+{
+  const struct openvpn_ipv6hdr *pip6;
+
+  /* make sure we got whole IPv6 header */
+  if (BLEN (buf) < (int) sizeof (struct openvpn_ipv6hdr))
+   return;
+
+  /* skip ipv6 packets for ipv4 tun */
+  if (tun_sa.addr.sa.sa_family != AF_INET6)
+   return;
+
+  /* drop packets with same dest addr as gateway */
+  pip6 = (struct openvpn_ipv6hdr *) BPTR(buf);
+  if (IN6_ARE_ADDR_EQUAL(_sa.addr.in6.sin6_addr, >daddr))
+   drop = true;
+}
+
+  if (drop)
+{
+  struct gc_arena gc = gc_new ();
+
+  c->c2.buf.len = 0;
+
+  msg(D_LOW, "Recursive routing detected, drop tun packet to %s",
+   print_link_socket_actual(c->c2.to_link_addr, ));
+  gc_free ();
+}
+}
+
 /*
  * Input:  c->c2.buf
  * Output: c->c2.to_link
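Review bot: `struct openvpn_sockaddr tun_sa = c->c2.to_link_addr->dest;` at the top of drop_recursive() dereferences `c->c2.to_link_addr` without checking that it is set, and copies the whole sockaddr for every packet read from tun. If the pointer can be NULL at this point, return early; otherwise a const pointer to `dest` avoids the per-packet copy. The name `tun_sa` is also misleading, since the value is the link destination and not a tun address; something like `link_sa` would match what is compared. Minor: "netwotk" in the doc comment should be "network".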
@@ -998,6 +1060,7 @@ process_incoming_tun (struct context *c)

   if (c->c2.buf.len > 0)
 {
+  drop_recursive (c, >c2.buf);
   /*
* The --passtos and --mssfix options require
* us to examine the IP header (IPv4 or IPv6).
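Review bot: `drop_recursive` at this call site does not tell the reader that the drop is conditional or what is recursive; a name such as drop_if_recursive_routing would make process_incoming_tun() easier to follow. The buffer argument is also redundant, because the callee already receives `c` and zeroes `c->c2.buf.len` directly.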
-- 
1.9.1