Re: [Openvpn-devel] Always including tap-windows6, openvpn-gui and easy-rsa in openvpn-build -generated Windows installers?

2016-02-16 Thread Gert Doering
Hi,

On Tue, Feb 16, 2016 at 03:12:58PM +0200, Samuli Seppänen wrote:
> Currently openvpn-build allows producing installers which do not 
> _contain_ tap-windows6, openvpn-gui or easy-rsa at all. On top of this 
> one can - at install time - select which of the contained components are 
> installed.
> 
> Let me know if you have good arguments on why we should have the option 
> to generate installers without the said components. If nobody speaks up, 
> I'll remove the conditional code from openvpn.nsi while preparing for 
> the OpenVPN 2.4 release.

I do not think maintaining these options makes much sense - at install
time, yes!, but at build-time - this stuff should have what we want 
*our* installers to contain.  The rest could go to comments in the
code maybe ("if you want to make this optional, remove the following
lines") or so.

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de




Re: [Openvpn-devel] Always including tap-windows6, openvpn-gui and easy-rsa in openvpn-build -generated Windows installers?

2016-02-16 Thread Samuli Seppänen



> On Tue, 2016-02-16 at 15:12 +0200, Samuli Seppänen wrote:
> > Hi,
> > 
> > Currently openvpn-build allows producing installers which do not
> > _contain_ tap-windows6, openvpn-gui or easy-rsa at all. On top of this
> > one can - at install time - select which of the contained components are
> > installed.
> > 
> > Let me know if you have good arguments on why we should have the option
> > to generate installers without the said components. If nobody speaks up,
> > I'll remove the conditional code from openvpn.nsi while preparing for
> > the OpenVPN 2.4 release.
> 
> It's nice to have a standalone signed installer for tap-windows6
> without OpenVPN. Not sure if your question really covered that one... ?


Hi,

There is and will be a standalone tap-windows6 installer. I'm just 
suggesting we remove the option to generate installers which do not 
include tap-windows6.


So basically we have two layers here:

1) Include tap-windows6 in the installer? (yes/no)
2) Install tap-windows6 _if_ it is included in the installer? (yes/no)

I suggest we remove layer #1 to simplify things.

--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] Handling bitness (32/64) for OpenVPN Windows installers

2016-02-16 Thread Samuli Seppänen

Hi,

We currently produce four installers per OpenVPN 2.3.x release:

- 64-bit for Windows Vista+
- 32-bit for Windows Vista+
- 64-bit for Windows XP
- 32-bit for Windows XP

The latter two will be dropped in OpenVPN 2.4 alpha releases, which are 
due fairly soon[*]. That leaves us with one 32-bit and one 64-bit 
installer. While that is not too bad, things could be simpler. Here are 
a few suggestions:


1) Combine 32-bit and 64-bit installers into one

Is there a use-case for installing 32-bit OpenVPN on a 64-bit system? 
If not, we could combine both 32-bit and 64-bit binaries into a single 
installer and, at install time, select the correct ones to install. 
This would increase installer size from ~1.8MB to ~3.3MB.


2) Drop the 64-bit installer altogether

This option was brought forth earlier, and while it felt to me like a 
step back, I could not point my finger at any concrete issues. If you 
know of any pros or cons, please speak up.


3) Hide the 32-bit installers better, but keep them available

Currently both 32-bit and 64-bit installers are displayed side-by-side 
on the download page. Because of this it is difficult to tell how many 
people really _need_ the 32-bit version, and how many just download it 
out of habit, or by mistake. Making the download link for 32-bit 
installer(s) less prominent would probably give us the answer. If 
complaints started coming in we could backpedal real quickly.


Unfortunately 32-bit Windows systems are not going away anytime soon, so 
"64-bit only" is not an option[**].


4) Maintain the status quo

Do not change anything.

---

Let me know which of the options seems most reasonable. It would be good 
to reach some consensus before OpenVPN 2.4-alpha1 is released.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

[*] All the major functionality is in Git "master" or is being actively 
reviewed.
[**] E.g. 





Re: [Openvpn-devel] Always including tap-windows6, openvpn-gui and easy-rsa in openvpn-build -generated Windows installers?

2016-02-16 Thread David Woodhouse
On Tue, 2016-02-16 at 15:12 +0200, Samuli Seppänen wrote:
> Hi,
> 
> Currently openvpn-build allows producing installers which do not 
> _contain_ tap-windows6, openvpn-gui or easy-rsa at all. On top of this 
> one can - at install time - select which of the contained components are 
> installed.
> 
> Let me know if you have good arguments on why we should have the option 
> to generate installers without the said components. If nobody speaks up, 
> I'll remove the conditional code from openvpn.nsi while preparing for 
> the OpenVPN 2.4 release.

It's nice to have a standalone signed installer for tap-windows6
without OpenVPN. Not sure if your question really covered that one... ?

-- 
dwmw2





[Openvpn-devel] Always including tap-windows6, openvpn-gui and easy-rsa in openvpn-build -generated Windows installers?

2016-02-16 Thread Samuli Seppänen

Hi,

Currently openvpn-build allows producing installers which do not 
_contain_ tap-windows6, openvpn-gui or easy-rsa at all. On top of this 
one can - at install time - select which of the contained components are 
installed.


Let me know if you have good arguments on why we should have the option 
to generate installers without the said components. If nobody speaks up, 
I'll remove the conditional code from openvpn.nsi while preparing for 
the OpenVPN 2.4 release.


--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] [PATCHv2] Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.

2016-02-16 Thread Arne Schwabe
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 5a4efc6..d99aaf5 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2952,16 +2952,41 @@ configuration file.  This option will ignore
 options at the global config file level.
 .TP
 .B \-\-push\-peer\-info
-Push additional information about the client to server.  The additional 
information
-consists of the following data:
+Push additional information about the client to server. The following data is 
always pushed to
+the server.

 IV_VER= -- the client OpenVPN version

 IV_PLAT=[linux|solaris|openbsd|mac|netbsd|freebsd|win] -- the client OS 
platform

+IV_LZO_STUB=1 -- if client was built with LZO stub capability
+
+IV_LZ4=1 -- if the client supports LZ4 compressions.
+
+IV_RGI6=1 -- if the client supports
+.B \-\-redirect\-gateway
+for ipv6
+
+IV_PROTO=2 -- if the client supports peer-id floating mechansim
+
+IV_NCP=2 -- negotiable ciphers, client supports
+.B \-\-cipher
+pushed by the server, a value of 2 or greater indidactes additional
+support AES-GCM-128 and AES-GCM-256.
+
+IV_UI_VER=  -- the UI version of a UI if one is
+running, for example "de.blinkt.openvpn 0.5.47" for the
+Android app.
+
+When
+.B \-\-push\-peer\-info
+is enabled the additional information consists of the following data:
+
 IV_HWADDR= -- the MAC address of clients default gateway

-IV_LZO_STUB=1 -- if client was built with LZO stub capability
+IV_SSL= -- the ssl version used by the client, e.g. "OpenSSL 
1.0.2f 28 Jan 2016".
+
+IV_PLAT_VER=x.y - the version of the operating system, e.g. 6.1 for Windows 7.

 UV_= -- client environment variables whose names start with "UV_"
 .\"*
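Review bot: The new man page entry is spelled IV_UI_VER, but the comment and the strncmp() in the ssl.c hunk of this same patch use IV_GUI_VER=, so one of the two names is wrong and the documentation should match what the client actually sends. In the same hunk, the IV_PLAT_VER line uses a single " - " separator where every other entry uses " -- ", and "mechansim" and "indidactes" are misspelled. Since the patch lets a UI supply IV_PLAT_VER on platforms other than Windows, the entry could also say that on those platforms the value is only sent when the UI sets it in the environment, rather than giving only the Windows example.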
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index f188558..14da733 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1903,15 +1903,17 @@ push_peer_info(struct buffer *buf, struct tls_session 
*session)
 #endif
 }

-  /* push env vars that begin with UV_ and IV_GUI_VER */
+  /* push env vars that begin with UV_, IV_PLAT_VER and IV_GUI_VER */
   for (e=es->list; e != NULL; e=e->next)
{
  if (e->string)
{
- if (((strncmp(e->string, "UV_", 3)==0 && 
session->opt->push_peer_info_detail >= 2)
-  || 
(strncmp(e->string,"IV_GUI_VER=",sizeof("IV_GUI_VER=")-1)==0))
- && buf_safe(, strlen(e->string)+1))
-   buf_printf (, "%s\n", e->string);
+if strncmp(e->string, "UV_", 3)==0 ||
+   strncmp(e->string, "IV_PLAT_VER=", 
sizeof("IV_PLAT_VER=")-1)==0)
+  && session->opt->push_peer_info_detail >= 2)
+ || (strncmp(e->string,"IV_GUI_VER=", 
sizeof("IV_GUI_VER=")-1)==0))
+&& buf_safe(, strlen(e->string)+1))
+buf_printf (, "%s\n", e->string);
}
}
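Review bot: The rewritten condition in the for loop combines three strncmp() tests with mixed || and &&, and the grouping that gates "UV_" and "IV_PLAT_VER=" on push_peer_info_detail >= 2 while letting "IV_GUI_VER=" through unconditionally is easy to misread and easy to break with one misplaced parenthesis. Consider computing two named flags before the buf_safe() check (one for the detail-gated prefixes, one for IV_GUI_VER=), and extend the comment "push env vars that begin with UV_, IV_PLAT_VER and IV_GUI_VER" to state which of them depend on the detail level. Note also that an entry is silently skipped when buf_safe() fails, and that these strings come straight from the environment, so the server side should treat IV_PLAT_VER like the UV_ values, as unverified client input.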

-- 
2.5.4 (Apple Git-61)




Re: [Openvpn-devel] --block-outside-dns speed

2016-02-16 Thread Lev Stipakov

Hi James,


> Has anyone seen issues with --block-outside-dns speed?  Because this
> approach drops certain DNS packets, I'm wondering if apps will
> experience lag time while waiting for dropped DNS requests to time out.


Yes, I have experienced issues with that patch.

On the only machine where I was able to reproduce the DNS leak, this patch 
causes _all_ DNS requests to take 10 seconds to execute. According to 
Wireshark, Windows sends DNS requests to all adapters, gets a fast response 
from the "right one", but nevertheless waits for about 10 seconds before 
giving up.



-Lev





[Openvpn-devel] --block-outside-dns speed

2016-02-16 Thread James Yonan
Has anyone seen issues with --block-outside-dns speed?  Because this 
approach drops certain DNS packets, I'm wondering if apps will 
experience lag time while waiting for dropped DNS requests to time out.


James