Re: [Openvpn-devel] Follow up on sending messages to the GUI

2017-12-14 Thread Selva Nair
Hi Jon,

Thanks for starting this process.

On Thu, Dec 14, 2017 at 10:42 AM, Jonathan K. Bullard
 wrote:
> Hi,
>
> On Sat, Dec 2, 2017 at 7:08 AM, Jonathan K. Bullard  
> wrote:
>> Hi,
>>
>> On Fri, Dec 1, 2017 at 10:58 AM, Selva Nair  wrote:

...snipped..

>> I'll be happy to try to document the protocol between OpenVPN and the
>> GUI, including the "msg*" commands and others such as
>> "forget-passwords", "setenv", etc., which we've discussed. However,
>> I'm thinking it should be a separate "doc/gui-notes.txt" document.
>>
>> In a separate document it would be easier to make it clear that it is
>> describing the protocol between the configuration and the GUIs and not
>> get lost in the complexity of the management interface itself.
>
> Below is a first draft of documentation for all of the "echo" commands
> sent from OpenVPN via the management interface (typically, to a GUI).
>
> I think it's important to include info about how each of the
> common open GUIs interpret the commands in this document, so those who
> want to use --echo will have a single place to look.
>
> I'm doing this inline in this email, not as a patch for several
> reasons: because it's easier to read that way, because I'd like to get
> it at least close to acceptance before proposing it as a patch, and
> because I'm not really proficient with OpenVPN's patching process and
> there will probably be several versions of the patch. (If someone else
> wants to do this as a patch from right now, I'm happy to have them
> take it over.)
>
> The section on quoting should be examined carefully -- I didn't test
> any of that.
>
> And I don't know which commands will be implemented on Android so I
> left that as "??".
>
> Best regards,
>
> Jon
>
>
> 
> *** New document starts after the next line ***
> 
> Management Interface "echo" protocol
>
> 
> THIS IS A PRELIMINARY VERSION OF THIS DOCUMENT. ALL INFORMATION IN IT
> IS SUBJECT TO CHANGE.
> 
>
>
> CONTENTS
> THE OPENVPN --ECHO OPTION
> ENVIRONMENT COMMAND
> MESSAGE COMMANDS
> PASSWORD COMMANDS
> QUOTING
> COMMAND DETAILS
>
>
> =
> THE OPENVPN --ECHO OPTION
> =
>
> The OpenVPN --echo option causes commands to be sent out through the
> management interface, typically to a Graphic User Interface (GUI) such
> as "OpenVPN for Android", "Tunnelblick" (for macOS), or "Windows
> OpenVPN GUI". It can be included in a configuration file or on a
> command line, or can be pushed from the server.
>
> This document describes the commands that can be sent and how they are
> interpreted by various GUIs.
>
>  * OpenVPN does not process the commands in an --echo option; it only
> sends them out through the management interface.
>
>  * "echo" commands are processed by the GUI if, as, when, and in the
> order they are received. If no GUI is present the processing of
> commands may be delayed, the commands may never be processed, or only
> some commands may be processed. (That can happen if OpenVPN discards
> commands because its buffer for the commands fills up.)
>
>  * There is no mechanism for the GUI to acknowledge the receipt,
> success, or failure of a command.
>
>  * "echo" commands are stored by OpenVPN (within limits, see the next
> point) and sent only when the GUI requests them through the management
> interface. "echo" commands in the configuration file or the command
> line are typically requested and processed at the start of a
> connection attempt. "echo" commands that are pushed by the server are
> also typically asked for at the start of a connection attempt but can
> be sent at any time. They are processed in the middle of a connection
> attempt or after a connection is established, as the "push" options
> are received by the client from the server.

This may require some clarification as what you are describing is the
result of "echo all" issued by the management client (GUI), but one
would also use "echo on" for real-time echo notification once
the mgmt interface is connected.

It may be useful to explain "echo on", "echo all", etc. as they appear in
management-notes.txt.

>
>   * OpenVPN's storage for echo commands is limited in size, so a large
> number of commands or commands with long messages may require that
> some commands be removed from the storage. If that happens, some of
> the commands may not be sent through the management interface when a
> GUI does connect to it or asks for the "echo" commands.
>
>  * On SIGUSR1 and SIGHUP connection restarts, "echo" commands that
> were sent through the management interface and have been saved by
> OpenVPN are sent again and will be re-processed by the GUI.

This is implementati
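As an added example (not code from OpenVPN, from any of the GUIs named in the draft, or from the draft itself), here is a minimal GUI-side handler for the ECHO output a management client reads. It covers the points made in this thread: commands arrive as ">ECHO:<unix-time>,<text>" lines, both in the listing returned by "echo all" (terminated by a bare "END") and as real-time notifications after "echo on"; there is no acknowledgement channel, so the GUI's own event log is the only record; unknown commands are skipped rather than treated as errors; restarts re-send saved commands; and, following Arne's request, at most one msg-notify/msg-window is shown per connection attempt, with msg-window treated like msg-notify as Selva suggests. The line format is the management interface's own; the duplicate suppression, the one-message policy and the sample session are constructed for illustration and are not the behaviour of any particular GUI.

```python
"""GUI-side handling of OpenVPN management-interface ECHO output.

Added example, not code from OpenVPN or any GUI. Assumes the
">ECHO:<unix-time>,<text>" line format used for real-time
notifications ("echo on") and for the "echo all" listing, which the
management interface terminates with a bare "END" line. The
one-message-per-connection policy and the duplicate suppression are
constructed policies illustrating the draft, not any GUI's behaviour.
"""
import re
from dataclasses import dataclass, field

# Timestamp is everything up to the first comma; the text may itself
# contain commas, so the second group is greedy.
ECHO_RE = re.compile(r"^>ECHO:(\d+),(.*)$")


@dataclass(frozen=True)
class EchoCommand:
    timestamp: int   # seconds since the epoch, stamped by OpenVPN
    text: str        # the verbatim argument of the --echo option


def parse_echo_line(line):
    """Return an EchoCommand for a '>ECHO:' line, or None for anything else
    (including the 'END' that closes an 'echo all' listing)."""
    m = ECHO_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return EchoCommand(int(m.group(1)), m.group(2))


@dataclass
class GuiEchoHandler:
    """Processes echo commands in arrival order and records what it did.

    OpenVPN offers no acknowledgement channel, so the GUI's own event
    log is the only record of which commands were acted on.
    """
    seen: set = field(default_factory=set)
    notify_shown: bool = False
    events: list = field(default_factory=list)

    def new_connection_attempt(self):
        """Reset per-connection state; a fresh attempt may show a message again."""
        self.seen.clear()
        self.notify_shown = False

    def handle_line(self, line):
        """Feed one raw management-interface line; True if it was an ECHO line."""
        cmd = parse_echo_line(line)
        if cmd is None:
            return False
        # SIGUSR1/SIGHUP restarts re-send the saved echo commands; dropping
        # exact repeats (same timestamp and text) avoids re-processing them.
        if cmd in self.seen:
            self.events.append(("duplicate", cmd.text))
            return True
        self.seen.add(cmd)
        name, _, arg = cmd.text.partition(" ")
        if name in ("msg-notify", "msg-window"):
            # Constructed policy: at most one message per connection attempt.
            if self.notify_shown:
                self.events.append(("suppressed", arg))
            else:
                self.notify_shown = True
                self.events.append(("shown", arg))
        elif name == "forget-passwords":
            self.events.append(("forget-passwords", ""))
        else:
            # Unknown commands are skipped; the GUI cannot report them back.
            self.events.append(("ignored", cmd.text))
        return True


# Constructed sample session: the reply to "echo all", then real-time
# notifications after "echo on", with the first command re-sent after a
# SIGUSR1 restart.
SAMPLE_LINES = [
    ">ECHO:1513270000,msg-notify Welcome to the corporate VPN",
    ">ECHO:1513270001,forget-passwords",
    ">ECHO:1513270002,msg-window Second message, with a comma",
    "END",
    ">ECHO:1513270003,not-a-known-command foo",
    ">ECHO:1513270000,msg-notify Welcome to the corporate VPN",
]


def run_sample(lines=SAMPLE_LINES):
    """Run the handler over the sample session and return its event log."""
    handler = GuiEchoHandler()
    handler.new_connection_attempt()
    for line in lines:
        handler.handle_line(line)
    return handler.events


if __name__ == "__main__":
    for event in run_sample():
        print(event)
```

Dropping exact repeats keyed on timestamp and text is one way to cope with the re-send on restart; a GUI that instead clears its state on every reconnect would show the message again, which the draft leaves open.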

Re: [Openvpn-devel] [PATCH] ssl_openssl: fix compiler warning by removing getbio() wrapper

2017-12-14 Thread Steffan Karger
Hi,

On 14-12-17 16:44, Gert Doering wrote:
> On Thu, Dec 14, 2017 at 11:21:37AM +0100, Steffan Karger wrote:
>> -if (!ret)
>> -{
>> -crypto_msg(M_FATAL, "Error creating %s BIO", desc);
>> -}
> 
> I'm not sure how likely these are going to fail, but the crypto_msg()
> had the benefit of actually telling us what the underlying library
> returned as error code...
> 
> If this won't ever happen except under very exceptional conditions, it
> won't matter much, though.

Fair point, but this is very unlikely to fail indeed.  We use standard
openssl-provided BIO_METHOD's, and do not do threading.  The one error I
could imagine is a malloc failure.

I still think it's fine to just go with the ASSERT().

-Steffan

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH] ssl_openssl: fix compiler warning by removing getbio() wrapper

2017-12-14 Thread Gert Doering
Hi,

On Thu, Dec 14, 2017 at 11:21:37AM +0100, Steffan Karger wrote:
> -if (!ret)
> -{
> -crypto_msg(M_FATAL, "Error creating %s BIO", desc);
> -}

I'm not sure how likely these are going to fail, but the crypto_msg()
had the benefit of actually telling us what the underlying library
returned as error code...

If this won't ever happen except under very exceptional conditions, it
won't matter much, though.

gert

-- 
now what should I write here...

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-devel] Follow up on sending messages to the GUI

2017-12-14 Thread Jonathan K. Bullard
Hi,

On Sat, Dec 2, 2017 at 7:08 AM, Jonathan K. Bullard  wrote:
> Hi,
>
> On Fri, Dec 1, 2017 at 10:58 AM, Selva Nair  wrote:
>>
>> Hi,
>>
>> On Fri, Dec 1, 2017 at 8:53 AM, Arne Schwabe  wrote:
>>>
>>> On 30.11.2017 at 03:03 Selva Nair wrote:
>>>
>>> Cross-posting to users and devel as this may be of interest to both.
>>>
>>> Hi,
>>>
>>> I have made a draft implementation of this feature that was discussed in a 
>>> previous thread. A test executable (GUI only) is in this pre-release:
>>>
>>> https://github.com/selvanair/openvpn-gui/releases/tag/v11-echo-msg
>>>
>>> It would be great if anyone can test this out[*].
>>>
>>> Thanks,
>>>
>>> Selva
>>>
>>> [*] Although virtually any text can be sent, some familiarity with openvpn 
>>> config/ccd parsing/quoting and push processing is necessary to get it right 
>>> for non-trivial messages that contain comment characters, commas, new lines 
>>> etc... Short and simple messages must be easy, though.
>>>
>>>
>>> Could we have some text stating that clients might only display one message 
>>> per connect? At the moment you can have multiple "echo msg-notify 
>>> message-title" pushed by the server. I would like to avoid in my client to 
>>> implement logic to display multiple messages. If one message allowed the 
>>> message can become just an Android notification without special logic
>>
>>
>> Yes, we can and probably should document that some clients may only
>> display one message. Do you also want to say that some clients may
>> interpret msg-window as msg-notify?
>>
>> Even in case of Windows desktop, I think it may be better to display
>> only one message per connection as otherwise it starts to get very
>> noisy. At most one message window and one notification.
>>
>> Jon, do you plan to document the proposed "echo msg" specs in management
>> notes or elsewhere?  The single message per connect limitation
>> could be specified there.
>
> I'll be happy to try to document the protocol between OpenVPN and the
> GUI, including the "msg*" commands and others such as
> "forget-passwords", "setenv", etc., which we've discussed. However,
> I'm thinking it should be a separate "doc/gui-notes.txt" document.
>
> In a separate document it would be easier to make it clear that it is
> describing the protocol between the configuration and the GUIs and not
> get lost in the complexity of the management interface itself.

Below is a first draft of documentation for all of the "echo" commands
sent from OpenVPN via the management interface (typically, to a GUI).

I think it's important to include info about how each of the
common open GUIs interpret the commands in this document, so those who
want to use --echo will have a single place to look.

I'm doing this inline in this email, not as a patch for several
reasons: because it's easier to read that way, because I'd like to get
it at least close to acceptance before proposing it as a patch, and
because I'm not really proficient with OpenVPN's patching process and
there will probably be several versions of the patch. (If someone else
wants to do this as a patch from right now, I'm happy to have them
take it over.)

The section on quoting should be examined carefully -- I didn't test
any of that.

And I don't know which commands will be implemented on Android so I
left that as "??".

Best regards,

Jon



*** New document starts after the next line ***

Management Interface "echo" protocol


THIS IS A PRELIMINARY VERSION OF THIS DOCUMENT. ALL INFORMATION IN IT
IS SUBJECT TO CHANGE.



CONTENTS
THE OPENVPN --ECHO OPTION
ENVIRONMENT COMMAND
MESSAGE COMMANDS
PASSWORD COMMANDS
QUOTING
COMMAND DETAILS


=
THE OPENVPN --ECHO OPTION
=

The OpenVPN --echo option causes commands to be sent out through the
management interface, typically to a Graphic User Interface (GUI) such
as "OpenVPN for Android", "Tunnelblick" (for macOS), or "Windows
OpenVPN GUI". It can be included in a configuration file or on a
command line, or can be pushed from the server.

This document describes the commands that can be sent and how they are
interpreted by various GUIs.

 * OpenVPN does not process the commands in an --echo option; it only
sends them out through the management interface.

 * "echo" commands are processed by the GUI if, as, when, and in the
order they are received. If no GUI is present the processing of
commands may be delayed, the commands may never be processed, or only
some commands may be processed. (That can happen if OpenVPN discards
commands because its buffer for the commands fills up.)

 * There is no mechanism for the GUI to acknowledge the receipt,
success, or f

Re: [Openvpn-devel] [PATCH] ssl_openssl: fix compiler warning by removing getbio() wrapper

2017-12-14 Thread Arne Schwabe
On 14.12.17 at 11:21 Steffan Karger wrote:
> An API change in openssl 1.1 made the BIO_METHOD * returned by BIO_f_ssl()
> and BIO_s_mem() const, as well as the BIO_METHOD * argument of BIO_new()
> const.  This meant that our getbio() function would either have an API
> inconsistent with 1.0 or 1.1.
> 
> The wrapper was basically an ASSERT, so fix this by replacing the wrapper
> with an ASSERT.
> 

Looks good. The wrapper also does not add much clarity or other
functionality.

Acked-by: Arne Schwabe



Re: [Openvpn-devel] openvpn web frontend, vpnsw

2017-12-14 Thread Borodin Oleg
On Thu, 14 Dec 2017 12:26:22 +0200
Samuli Seppänen  wrote:

> On 14/12/2017 11:53, Borodin Oleg wrote:
> > On Thu, 14 Dec 2017 11:36:46 +0200
> > Samuli Seppänen  wrote:
> >   
> >> On 14/12/2017 11:12, Borodin Oleg wrote:
> >>> On Thu, 14 Dec 2017 10:41:37 +0200
> >>> Samuli Seppänen  wrote:
> >>> 
>  On 12/12/2017 13:46, Borodin Oleg wrote:
> >
> > Hi!
> >
> > I wrote a small web interface for managing openvpn services and
> > obtaining detailed network information.
> > http://wiki.unix7.org/vpnsw
> >
> > I wrote it to replace a legacy corporate vpn-crutch.
> > It is already quite functional; we manage more than 400 tunnels/1200 workplaces.
> >
> > I have a question: how interesting is this product for continued
> > development?
> > As opensource, of course.
> >
> > [Sorry, I sent this also to openvpn-users@]
> 
>  Hi,
> 
>  What is the use-case for vpnsw? Is this meant for managing client
>  connections on an OpenVPN server?
> 
> >>>
> >>> Hi, Samuli!
> >>>
> >>> We use it to disable/enable and monitor user/workstation/branch office
> >>> groups.
> >>> One VPN service on a VPN concentrator relates to 5-30 VPN "users"; in
> >>> total one VPNc serves ~ 100-300, and in total ~ 1400 company
> >>> workstations use VPN directly or indirectly. Disconnection is used for
> >>> routine maintenance (synchronization/exchange of application/corporate
> >>> databases "into night" =), when urgently needed, etc.
> >>>
> >>> I can of course write a control for each user but so far there was no
> >>> such purpose. I can also write something to show the tail of any
> >>> service log at runtime.
> >>> That's why I'm asking if there is an interest in development.
> >>
> >> I'm sure there are others that could make use of vpnsw. I see that it is
> >> already on GitHub:
> >>
> >> 
> >>
> >> If you add a description (like what you have on your site) then people
> >> might find it when doing searches. I also noticed that there are no
> >> commit messages - is that intentional?  
> > 
> > No-no, of course =) I was developing it, with my own svn, quickly, not even
> > thinking about publishing, and only today did I export/transfer it to git repos.
> >   
> >> I can also mention vpnsw on this Trac page:
> >>
> >> 
> >>
> >> That should give vpnsw some additional visibility.  
> > 
> > I agree. This is a good idea.
> > 
> >   
> 
> Hi,
> 
> I fixed a bunch of formatting errors on the RelatedProjects page and
> added your projects there:
> 
> 

Thanks! =)

> I suggest adding links from vpnsw and minica pages to GitHub so that
> people know where they should send their contributions.

Yes, I agree, it's reasonable. I will plan to.

> Any particular reason why you chose the "Creative Commons
> Attribution-NoDerivs 3.0 Unported" license for your work? That is a fairly
> uncommon license for software projects.
> 

Yes, I know. In summer 2017 I did not think much about wide publishing
=). I am thinking of changing the license.
Thank you for noticing this.

-- 
With best regards,

Oleg Borodin
+7-952-058-72-64
boro...@unix7.org
onboro...@gmail.com



Re: [Openvpn-devel] openvpn web frontend, vpnsw

2017-12-14 Thread Samuli Seppänen
On 14/12/2017 11:53, Borodin Oleg wrote:
> On Thu, 14 Dec 2017 11:36:46 +0200
> Samuli Seppänen  wrote:
> 
>> On 14/12/2017 11:12, Borodin Oleg wrote:
>>> On Thu, 14 Dec 2017 10:41:37 +0200
>>> Samuli Seppänen  wrote:
>>>   
 On 12/12/2017 13:46, Borodin Oleg wrote:
>
> Hi!
>
> I wrote a small web interface for managing openvpn services and obtaining
> detailed network information.
> http://wiki.unix7.org/vpnsw
>
> I wrote it to replace a legacy corporate vpn-crutch.
> It is already quite functional; we manage more than 400 tunnels/1200 workplaces.
>
> I have a question: how interesting is this product for continued
> development?
> As opensource, of course.
>
> [Sorry, I sent this also to openvpn-users@]

 Hi,

 What is the use-case for vpnsw? Is this meant for managing client
 connections on an OpenVPN server?
  
>>>
>>> Hi, Samuli!
>>>
>>> We use it to disable/enable and monitor user/workstation/branch office
>>> groups.
>>> One VPN service on a VPN concentrator relates to 5-30 VPN "users"; in
>>> total one VPNc serves ~ 100-300, and in total ~ 1400 company
>>> workstations use VPN directly or indirectly. Disconnection is used for
>>> routine maintenance (synchronization/exchange of application/corporate
>>> databases "into night" =), when urgently needed, etc.
>>>
>>> I can of course write a control for each user but so far there was no
>>> such purpose. I can also write something to show the tail of any
>>> service log at runtime.
>>> That's why I'm asking if there is an interest in development.
>>
>> I'm sure there are others that could make use of vpnsw. I see that it is
>> already on GitHub:
>>
>> 
>>
>> If you add a description (like what you have on your site) then people
>> might find it when doing searches. I also noticed that there are no
>> commit messages - is that intentional?
> 
> No-no, of course =) I was developing it, with my own svn, quickly, not even
> thinking about publishing, and only today did I export/transfer it to git repos.
> 
>> I can also mention vpnsw on this Trac page:
>>
>> 
>>
>> That should give vpnsw some additional visibility.
> 
> I agree. This is a good idea.
> 
> 

Hi,

I fixed a bunch of formatting errors on the RelatedProjects page and
added your projects there:



I suggest adding links from vpnsw and minica pages to GitHub so that
people know where they should send their contributions.

Any particular reason why you chose the "Creative Commons
Attribution-NoDerivs 3.0 Unported" license for your work? That is a fairly
uncommon license for software projects.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



[Openvpn-devel] [PATCH] ssl_openssl: fix compiler warning by removing getbio() wrapper

2017-12-14 Thread Steffan Karger
An API change in openssl 1.1 made the BIO_METHOD * returned by BIO_f_ssl()
and BIO_s_mem() const, as well as the BIO_METHOD * argument of BIO_new()
const.  This meant that our getbio() function would either have an API
inconsistent with 1.0 or 1.1.

The wrapper was basically an ASSERT, so fix this by replacing the wrapper
with an ASSERT.

Signed-off-by: Steffan Karger 
---
 src/openvpn/ssl_openssl.c | 23 +++
 1 file changed, 3 insertions(+), 20 deletions(-)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 34c31b9..711bba1 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -1416,23 +1416,6 @@ bio_debug_oc(const char *mode, BIO *bio)
 #endif /* ifdef BIO_DEBUG */
 
 /*
- * OpenVPN's interface to SSL/TLS authentication,
- * encryption, and decryption is exclusively
- * through "memory BIOs".
- */
-static BIO *
-getbio(BIO_METHOD *type, const char *desc)
-{
-BIO *ret;
-ret = BIO_new(type);
-if (!ret)
-{
-crypto_msg(M_FATAL, "Error creating %s BIO", desc);
-}
-return ret;
-}
-
-/*
  * Write to an OpenSSL BIO in non-blocking mode.
  */
 static int
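Review bot: Deleting getbio() also deletes the comment above it stating that OpenVPN's SSL/TLS interface goes exclusively through memory BIOs, and nothing in the patch puts that statement anywhere else; consider moving it to key_state_ssl_init() where the BIOs are now created. The removed `crypto_msg(M_FATAL, "Error creating %s BIO", desc);` also printed the OpenSSL error queue alongside the message, which a bare ASSERT() cannot; if a BIO_new() failure is worth a fatal at all, a one-line crypto_msg before aborting keeps that diagnostic.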
@@ -1573,9 +1556,9 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl, const 
struct tls_root_ctx *ssl_
  * from verify callback*/
 SSL_set_ex_data(ks_ssl->ssl, mydata_index, session);
 
-ks_ssl->ssl_bio = getbio(BIO_f_ssl(), "ssl_bio");
-ks_ssl->ct_in = getbio(BIO_s_mem(), "ct_in");
-ks_ssl->ct_out = getbio(BIO_s_mem(), "ct_out");
+ASSERT((ks_ssl->ssl_bio = BIO_new(BIO_f_ssl(;
+ASSERT((ks_ssl->ct_in = BIO_new(BIO_s_mem(;
+ASSERT((ks_ssl->ct_out = BIO_new(BIO_s_mem(;
 
 #ifdef BIO_DEBUG
 bio_debug_oc("open ssl_bio", ks_ssl->ssl_bio);
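Review bot: The three added lines as they appear here, e.g. `ASSERT((ks_ssl->ssl_bio = BIO_new(BIO_f_ssl(;`, have unbalanced parentheses and look mangled in transit; the applied form should close all three groups, `ASSERT((ks_ssl->ssl_bio = BIO_new(BIO_f_ssl())));`. Putting the assignment inside ASSERT() also relies on ASSERT() always evaluating its argument; if it were ever defined like the standard assert(), which NDEBUG compiles out, the three BIO pointers would never be set. Assigning on one line and asserting the pointer on the next avoids that dependency and reads more clearly.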
-- 
2.7.4




Re: [Openvpn-devel] openvpn web frontend, vpnsw

2017-12-14 Thread Borodin Oleg
On Thu, 14 Dec 2017 11:36:46 +0200
Samuli Seppänen  wrote:

> On 14/12/2017 11:12, Borodin Oleg wrote:
> > On Thu, 14 Dec 2017 10:41:37 +0200
> > Samuli Seppänen  wrote:
> >   
> >> On 12/12/2017 13:46, Borodin Oleg wrote:
> >>>
> >>> Hi!
> >>>
> >>> I wrote a small web interface for managing openvpn services and obtaining
> >>> detailed network information.
> >>> http://wiki.unix7.org/vpnsw
> >>>
> >>> I wrote it to replace a legacy corporate vpn-crutch.
> >>> It is already quite functional; we manage more than 400 tunnels/1200 workplaces.
> >>>
> >>> I have a question: how interesting is this product for continued
> >>> development?
> >>> As opensource, of course.
> >>>
> >>> [Sorry, I sent this also to openvpn-users@]
> >>
> >> Hi,
> >>
> >> What is the use-case for vpnsw? Is this meant for managing client
> >> connections on an OpenVPN server?
> >>  
> > 
> > Hi, Samuli!
> > 
> > We use it to disable/enable and monitor user/workstation/branch office
> > groups.
> > One VPN service on a VPN concentrator relates to 5-30 VPN "users"; in
> > total one VPNc serves ~ 100-300, and in total ~ 1400 company
> > workstations use VPN directly or indirectly. Disconnection is used for
> > routine maintenance (synchronization/exchange of application/corporate
> > databases "into night" =), when urgently needed, etc.
> >
> > I can of course write a control for each user but so far there was no
> > such purpose. I can also write something to show the tail of any
> > service log at runtime.
> > That's why I'm asking if there is an interest in development.
> 
> I'm sure there are others that could make use of vpnsw. I see that it is
> already on GitHub:
> 
> 
> 
> If you add a description (like what you have on your site) then people
> might find it when doing searches. I also noticed that there are no
> commit messages - is that intentional?

No-no, of course =) I was developing it, with my own svn, quickly, not even
thinking about publishing, and only today did I export/transfer it to git repos.

> I can also mention vpnsw on this Trac page:
> 
> 
> 
> That should give vpnsw some additional visibility.

I agree. This is a good idea.


-- 
With best regards,
Oleg Borodin
+7-952-058-72-64
boro...@unix7.org
onboro...@gmail.com



Re: [Openvpn-devel] openvpn web frontend, vpnsw

2017-12-14 Thread Samuli Seppänen
On 14/12/2017 11:12, Borodin Oleg wrote:
> On Thu, 14 Dec 2017 10:41:37 +0200
> Samuli Seppänen  wrote:
> 
>> On 12/12/2017 13:46, Borodin Oleg wrote:
>>>
>>> Hi!
>>>
>>> I wrote a small web interface for managing openvpn services and obtaining
>>> detailed network information.
>>> http://wiki.unix7.org/vpnsw
>>>
>>> I wrote it to replace a legacy corporate vpn-crutch.
>>> It is already quite functional; we manage more than 400 tunnels/1200 workplaces.
>>>
>>> I have a question: how interesting is this product for continued development?
>>> As opensource, of course.
>>>
>>> [Sorry, I sent this also to openvpn-users@]
>>
>> Hi,
>>
>> What is the use-case for vpnsw? Is this meant for managing client
>> connections on an OpenVPN server?
>>
> 
> Hi, Samuli!
> 
> We use it to disable/enable and monitor user/workstation/branch office groups.
> One VPN service on a VPN concentrator relates to 5-30 VPN "users"; in total
> one VPNc serves ~ 100-300, and in total ~ 1400 company workstations use VPN
> directly or indirectly. Disconnection is used for routine maintenance
> (synchronization/exchange of application/corporate databases "into night" =),
> when urgently needed, etc.
>
> I can of course write a control for each user but so far there was no such
> purpose. I can also write something to show the tail of any service log at
> runtime. That's why I'm asking if there is an interest in development.

I'm sure there are others that could make use of vpnsw. I see that it is
already on GitHub:



If you add a description (like what you have on your site) then people
might find it when doing searches. I also noticed that there are no
commit messages - is that intentional?

I can also mention vpnsw on this Trac page:



That should give vpnsw some additional visibility.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] openvpn web frontend, vpnsw

2017-12-14 Thread Borodin Oleg
On Thu, 14 Dec 2017 11:12:03 +0200
Borodin Oleg  wrote:

> On Thu, 14 Dec 2017 10:41:37 +0200
> Samuli Seppänen  wrote:
> 
> > On 12/12/2017 13:46, Borodin Oleg wrote:
> > > 
> > > Hi!
> > > 
> > > I wrote a small web interface for managing openvpn services and obtaining
> > > detailed network information.
> > > http://wiki.unix7.org/vpnsw
> > >
> > > I wrote it to replace a legacy corporate vpn-crutch.
> > > It is already quite functional; we manage more than 400 tunnels/1200 workplaces.
> > >
> > > I have a question: how interesting is this product for continued
> > > development?
> > > As opensource, of course.
> > >
> > > [Sorry, I sent this also to openvpn-users@]
> > 
> > Hi,
> > 
> > What is the use-case for vpnsw? Is this meant for managing client
> > connections on an OpenVPN server?
> >   
> 
> Hi, Samuli!
> 
> We use it to disable/enable and monitor user/workstation/branch office groups.
> One VPN service on a VPN concentrator relates to 5-30 VPN "users"; in total
> one VPNc serves ~ 100-300, and in total ~ 1400 company workstations use VPN
> directly or indirectly. Disconnection is used for routine maintenance
> (synchronization/exchange of application/corporate databases "into night" =),
> when urgently needed, etc.
>
> I can of course write a control for each user but so far there was no such
> purpose. I can also write something to show the tail of any service log at
> runtime. That's why I'm asking if there is an interest in development.
> 
> 

PS

For managing certificates for OpenVPN services I wrote one more application,
MiniCA; it implements the full X.509 cycle from creating CA keys and
certificates to creating revocation lists.
It is used to manage more than 2500 certificates.
http://minica.unix7.org

Maybe we can use this project/the X.509 model of the project to manage VPN in
future.

-- 
With best regards,
Oleg Borodin
+7-952-058-72-64
boro...@unix7.org
onboro...@gmail.com



Re: [Openvpn-devel] openvpn web frontend, vpnsw

2017-12-14 Thread Borodin Oleg
On Thu, 14 Dec 2017 10:41:37 +0200
Samuli Seppänen  wrote:

> On 12/12/2017 13:46, Borodin Oleg wrote:
> > 
> > Hi!
> > 
> > I wrote a small web interface for managing openvpn services and obtaining
> > detailed network information.
> > http://wiki.unix7.org/vpnsw
> >
> > I wrote it to replace a legacy corporate vpn-crutch.
> > It is already quite functional; we manage more than 400 tunnels/1200 workplaces.
> >
> > I have a question: how interesting is this product for continued development?
> > As opensource, of course.
> >
> > [Sorry, I sent this also to openvpn-users@]
> 
> Hi,
> 
> What is the use-case for vpnsw? Is this meant for managing client
> connections on an OpenVPN server?
> 

Hi, Samuli!

We use it to disable/enable and monitor user/workstation/branch office groups.
One VPN service on a VPN concentrator relates to 5-30 VPN "users"; in total
one VPNc serves ~ 100-300, and in total ~ 1400 company workstations use VPN
directly or indirectly. Disconnection is used for routine maintenance
(synchronization/exchange of application/corporate databases "into night" =),
when urgently needed, etc.

I can of course write a control for each user but so far there was no such
purpose. I can also write something to show the tail of any service log at
runtime. That's why I'm asking if there is an interest in development.


-- 
With best regards,

Oleg Borodin
Senior IT engineer
+7-952-058-72-64
boro...@unix7.org
onboro...@gmail.com



Re: [Openvpn-devel] openvpn web frontend, vpnsw

2017-12-14 Thread Samuli Seppänen
On 12/12/2017 13:46, Borodin Oleg wrote:
> 
> Hi!
> 
> I wrote a small web interface for managing openvpn services and obtaining
> detailed network information.
> http://wiki.unix7.org/vpnsw
>
> I wrote it to replace a legacy corporate vpn-crutch.
> It is already quite functional; we manage more than 400 tunnels/1200 workplaces.
>
> I have a question: how interesting is this product for continued development?
> As opensource, of course.
>
> [Sorry, I sent this also to openvpn-users@]

Hi,

What is the use-case for vpnsw? Is this meant for managing client
connections on an OpenVPN server?

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock



Re: [Openvpn-devel] [PATCH applied] Re: Add --tls-cert-profile option for mbedtls builds

2017-12-14 Thread Steffan Karger
Hi,

On 19-11-17 23:18, Jeremie Courreges-Anglas wrote:
> Here's another diff to detect SSL_CTX_get0_certificate().
> 
> Tested against LibreSSL only; adding
> 
>   #define HAVE_SSL_CTX_GET0_CERTIFICATE 1
> 
> to config.h lets ssl_openssl.c build (with a warning), the link fails as
> expected.
>
> From 1abd6089a45260e4ce7adfae3fa619f9055edcaf Mon Sep 17 00:00:00 2001
> From: Jeremie Courreges-Anglas 
> Date: Sun, 19 Nov 2017 23:12:30 +0100
> Subject: [PATCH] Detect if SSL_CTX_get0_certificate is available
> 
> Don't rely on #ifdef OPENSSL/LIBRESSL_VERSION_NUMBER checks.
> 
> Signed-off-by: Jeremie Courreges-Anglas 
> ---
>  configure.ac  | 1 +
>  src/openvpn/ssl_openssl.c | 4 ++--
>  2 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/configure.ac b/configure.ac
> index acfddb22..ac6e7a76 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -925,6 +925,7 @@ if test "${enable_crypto}" = "yes" -a 
> "${with_crypto_library}" = "openssl"; then
>   EVP_MD_CTX_new \
>   EVP_MD_CTX_free \
>   EVP_MD_CTX_reset \
> + SSL_CTX_get0_certificate \
>   SSL_CTX_get_default_passwd_cb \
>   SSL_CTX_get_default_passwd_cb_userdata \
>   SSL_CTX_set_security_level \
> diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
> index b782946e..3df70166 100644
> --- a/src/openvpn/ssl_openssl.c
> +++ b/src/openvpn/ssl_openssl.c
> @@ -425,7 +425,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
>  
>  ASSERT(ctx);
>  
> -#if OPENSSL_VERSION_NUMBER >= 0x10002000L && 
> !defined(LIBRESSL_VERSION_NUMBER)
> +#ifdef HAVE_SSL_CTX_GET0_CERTIFICATE
>  /* OpenSSL 1.0.2 and up */
>  cert = SSL_CTX_get0_certificate(ctx->ctx);
>  #else
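Review bot: Once the guard becomes `#ifdef HAVE_SSL_CTX_GET0_CERTIFICATE`, the comment `/* OpenSSL 1.0.2 and up */` on the following line no longer describes the condition, since a configure-time symbol check says nothing about the release; reword it to say the function was detected at configure time, or drop it. As Steffan's reply notes, the version check was also serving as a marker for code to purge when 1.0/LibreSSL support is dropped, so if the feature check stays, a comment pointing that out would preserve the information.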
> @@ -460,7 +460,7 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
>  }
>  
>  cleanup:
> -#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
> +#ifndef HAVE_SSL_CTX_GET0_CERTIFICATE
>  SSL_free(ssl);
>  #endif
>  return;
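Review bot: The `#ifndef HAVE_SSL_CTX_GET0_CERTIFICATE` at cleanup must stay the exact complement of the `#ifdef` in the previous hunk, because the `SSL_free(ssl)` here only matches an SSL object created in that hunk's #else branch; a short comment tying the two guards together would make that coupling visible to the next editor.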
> -- 
> 2.15.0

NAK.

Looking at this patch again I realize I have misunderstood the
intentions when first looking at it.  I thought LibreSSL *did* have an
SSL_CTX_get0_certificate() and this patch would make us use it (instead
of the workaround in the #else).  But this is just about replacing the
version check with a configure check.  I oppose that change because it
hides information I want to have:  "what code can be purged when we drop
support for openssl 1.0 and libressl?".

-Steffan
