Re: [Openvpn-devel] [PATCH] Specify platform and version on command line.
Am 13.04.2018 um 19:23 schrieb Micah Morton: > From 557d2e73bf21ddb9d07b43f716c7914d610e7392 Mon Sep 17 00:00:00 2001 > From: Micah Morton> > Date: Fri, 13 Apr 2018 09:55:22 -0700 > Subject: [PATCH] Specify platform and version on command line. > > Add --iv-plat and --iv-plat-rel command line args, and use the values > passed to these args to set IV_PLAT and IV_PLAT_REL info that is pushed > to the server. > > IV_PLAT (platform type) is normally inferred from the build target, but > it would be useful to be able to override this from the command line > (e.g. for client to set platform as ChromeOS instead of Linux). > > IV_PLAT_REL (platform release version) would allow for pushing the > platform (e.g. ChromeOS) release version to the server. > My Android client already uses setenv IV_PLAT_VER to send platform specific information. I think setting IV_PLAT_VER (and extend that to other platforms, might be android specific at the moment) should also work for you. E.g.. setenv IV_PLAT_VER "27 8.1.0 arm64-v8a google taimen Pixel 2 XL" Arne -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Specify platform and version on command line.
@gert: >From the help message: "--setenv name value : Set a custom environmental variable to pass to script." --setenv appears to set string values for scripts only, not for the main openvpn process (which is reading them in the push_peer_info() function). Starting a test openvpn server with `--setenv foo bar` and then running `strings` on /proc/PID/environ doesn't show "foo=bar". This suggests that getenv() calls in the main openvpn process that try to read these vars may return NULL. @jon: the mods to options.c in the patch above should take care of the help message (I tested it by running openvpn --help). Although good point if this is going in I should update the man page as well. On Fri, Apr 13, 2018 at 11:58 AM, Gert Doeringwrote: > Hi, > > On Fri, Apr 13, 2018 at 10:23:03AM -0700, Micah Morton wrote: > > From 557d2e73bf21ddb9d07b43f716c7914d610e7392 Mon Sep 17 00:00:00 2001 > > From: Micah Morton > > Date: Fri, 13 Apr 2018 09:55:22 -0700 > > Subject: [PATCH] Specify platform and version on command line. > > > > Add --iv-plat and --iv-plat-rel command line args, and use the values > > passed to these args to set IV_PLAT and IV_PLAT_REL info that is pushed > > to the server. > > > > IV_PLAT (platform type) is normally inferred from the build target, but > > it would be useful to be able to override this from the command line > > (e.g. for client to set platform as ChromeOS instead of Linux). > > > > IV_PLAT_REL (platform release version) would allow for pushing the > > platform (e.g. ChromeOS) release version to the server. > > I'm actually less than enthusiastic about "yay, two more special-case > options for OpenVPN" - and even less so to options that enable users > to override a fairly well-defined meaning of IV_PLAT with an arbitrary > string. Even if it's ChromeOS, compiled with #define TARGET_LINUX, > IV_PLAT should reflect that. > > There is already "--setenv UV_anykey=value" to send arbitrary strings > to the server, and in particular, IV_PLAT_VER can already be set by > "--setenv IV_PLAT_VER=". > > There's one catch to this, though - for some reason that escapes me right > now we have decided that IV_PLAT_VER= and the UV_ user-defined strings > are only sent if --push-peer-info is also configured on the client > (while IV_GUI_VER, also settable with --setenv, is always sent). > > So we might want to revisit that decision. > > gert > > -- > "If was one thing all people took for granted, was conviction that if you > feed honest figures into a computer, honest figures come out. Never > doubted > it myself till I met a computer with a sense of humor." > Robert A. Heinlein, The Moon is a Harsh > Mistress > > Gert Doering - Munich, Germany > g...@greenie.muc.de > -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Specify platform and version on command line.
Hi, On Fri, Apr 13, 2018 at 10:23:03AM -0700, Micah Morton wrote: > From 557d2e73bf21ddb9d07b43f716c7914d610e7392 Mon Sep 17 00:00:00 2001 > From: Micah Morton> Date: Fri, 13 Apr 2018 09:55:22 -0700 > Subject: [PATCH] Specify platform and version on command line. > > Add --iv-plat and --iv-plat-rel command line args, and use the values > passed to these args to set IV_PLAT and IV_PLAT_REL info that is pushed > to the server. > > IV_PLAT (platform type) is normally inferred from the build target, but > it would be useful to be able to override this from the command line > (e.g. for client to set platform as ChromeOS instead of Linux). > > IV_PLAT_REL (platform release version) would allow for pushing the > platform (e.g. ChromeOS) release version to the server. I'm actually less than enthusiastic about "yay, two more special-case options for OpenVPN" - and even less so to options that enable users to override a fairly well-defined meaning of IV_PLAT with an arbitrary string. Even if it's ChromeOS, compiled with #define TARGET_LINUX, IV_PLAT should reflect that. There is already "--setenv UV_anykey=value" to send arbitrary strings to the server, and in particular, IV_PLAT_VER can already be set by "--setenv IV_PLAT_VER=". There's one catch to this, though - for some reason that escapes me right now we have decided that IV_PLAT_VER= and the UV_ user-defined strings are only sent if --push-peer-info is also configured on the client (while IV_GUI_VER, also settable with --setenv, is always sent). So we might want to revisit that decision. gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Specify platform and version on command line.
Hi. On Fri, Apr 13, 2018 at 1:23 PM, Micah Mortonwrote: > From 557d2e73bf21ddb9d07b43f716c7914d610e7392 Mon Sep 17 00:00:00 2001 > From: Micah Morton > Date: Fri, 13 Apr 2018 09:55:22 -0700 > Subject: [PATCH] Specify platform and version on command line. > > Add --iv-plat and --iv-plat-rel command line args, and use the values > passed to these args to set IV_PLAT and IV_PLAT_REL info that is pushed > to the server. Sounds reasonable, but the new options should be documented on the man page and in the usage message that's shown to users (in options.c) and that should be included in this patch. Best regards, Jon Bullard -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Specify platform and version on command line.
>From 557d2e73bf21ddb9d07b43f716c7914d610e7392 Mon Sep 17 00:00:00 2001 From: Micah MortonDate: Fri, 13 Apr 2018 09:55:22 -0700 Subject: [PATCH] Specify platform and version on command line. Add --iv-plat and --iv-plat-rel command line args, and use the values passed to these args to set IV_PLAT and IV_PLAT_REL info that is pushed to the server. IV_PLAT (platform type) is normally inferred from the build target, but it would be useful to be able to override this from the command line (e.g. for client to set platform as ChromeOS instead of Linux). IV_PLAT_REL (platform release version) would allow for pushing the platform (e.g. ChromeOS) release version to the server. This patch is written against openvpn-2.4.4. Signed-off-by: Micah Morton --- src/openvpn/init.c | 8 src/openvpn/options.c| 18 ++ src/openvpn/options.h| 2 ++ src/openvpn/ssl.c| 9 + src/openvpn/ssl_common.h | 2 ++ 5 files changed, 39 insertions(+) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 133a9f5..1cb76ad 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2723,6 +2723,14 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) { to.push_peer_info_detail = 0; } +if (options->iv_plat) +{ +to.iv_plat = options->iv_plat; +} +if (options->iv_plat_rel) +{ +to.iv_plat_rel = options->iv_plat_rel; +} #endif /* should we not xmit any packets until we get an initial diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 8dee5d1..d9559a0 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -229,6 +229,8 @@ static const char usage_message[] = "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n" #ifdef ENABLE_PUSH_PEER_INFO "--push-peer-info : (client only) push client info to server.\n" +"--iv-plat: (client only) platform type.\n" +"--iv-plat-rel: (client only) platform release version.\n" #endif "--setenv name value : Set a custom environmental variable to pass to script.\n" "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n" @@ -1781,6 +1783,8 @@ show_settings(const struct options *o) SHOW_BOOL(single_session); #ifdef ENABLE_PUSH_PEER_INFO SHOW_BOOL(push_peer_info); +SHOW_STR(iv_plat); +SHOW_STR(iv_plat_rel); #endif SHOW_BOOL(tls_exit); @@ -7837,6 +7841,20 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); options->push_peer_info = true; } + +else if (streq(p[0], "iv-plat") && p[1] && !p[2]) +{ +VERIFY_PERMISSION(OPT_P_GENERAL); +options->iv_plat = p[1]; +} + +else if (streq(p[0], "iv-plat-rel") && p[1] && !p[2]) +{ +VERIFY_PERMISSION(OPT_P_GENERAL); +options->iv_plat_rel = p[1]; +} + + #endif else if (streq(p[0], "tls-exit") && !p[1]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 01a7b26..9da4058 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -575,6 +575,8 @@ struct options #ifdef ENABLE_PUSH_PEER_INFO bool push_peer_info; +const char *iv_plat; +const char *iv_plat_rel; #endif bool tls_exit; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 0739cf7..1265177 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2245,6 +2245,7 @@ push_peer_info(struct buffer *buf, struct tls_session *session) buf_printf(, "IV_VER=%s\n", PACKAGE_VERSION); /* push platform */ +if (session->opt->iv_plat == NULL) { #if defined(TARGET_LINUX) buf_printf(, "IV_PLAT=linux\n"); #elif defined(TARGET_SOLARIS) @@ -2262,6 +2263,14 @@ push_peer_info(struct buffer *buf, struct tls_session *session) #elif defined(_WIN32) buf_printf(, "IV_PLAT=win\n"); #endif +} else { +buf_printf(, "IV_PLAT=%s\n", session->opt->iv_plat); +} + +if (session->opt->iv_plat_rel != NULL) +{ +buf_printf(, "IV_PLAT_REL=%s\n", session->opt->iv_plat_rel); +} /* support for P_DATA_V2 */ buf_printf(, "IV_PROTO=2\n"); diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 25bffd5..d95c2ef 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -251,6 +251,8 @@ struct tls_options bool pull; #ifdef ENABLE_PUSH_PEER_INFO int push_peer_info_detail; +const char *iv_plat; +const char *iv_plat_rel; #endif int transition_window; int handshake_window; -- 2.13.5 -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net
Re: [Openvpn-devel] Viscosity patch to TAP driver
>> Note: active-ftp NAT will never be merged - that is way too intrusive. Yes, we realize that. That is why we didn't pursue acceptance any further. But we still require it because we have to support a large number (currently around 3000) of legacy devices that cannot be changed away from active-ftp and client-nat is required. So for now, we are resigned to running our own build. >> The other NAT patch got lost somewhere but still has chances. Since we have to run our own build anyway, and no one seemed interested, we didn't pursue this one. Thanks for the answer re TAP-Win32, we will try it out as soon as the binary is released. Best, Marvin On Fri, Apr 13, 2018 at 10:29 AM, Gert Doeringwrote: > Hi, > > On Fri, Apr 13, 2018 at 10:24:18AM -0700, Marvin wrote: > > Only that here we need to run Gava's patches for active-ftp and > client-nat > > (submitted to openvpn-dev several years ago but not accepted). He has > not > > had time to port those patches to 2.4.x yet. So for now we are stuck at > > 2.3.18. > > If you run your own build anyway, just package with the new driver as > soon as it's released - as today, there will be a signed .exe for the > tap driver, which gets embedded into whatever installer you build, > 2.3.x or 2.4.x > > (Note: active-ftp NAT will never be merged - that is way too intrusive. > The other NAT patch got lost somewhere but still has chances) > > gert > -- > "If was one thing all people took for granted, was conviction that if you > feed honest figures into a computer, honest figures come out. Never > doubted > it myself till I met a computer with a sense of humor." > Robert A. Heinlein, The Moon is a Harsh > Mistress > > Gert Doering - Munich, Germany > g...@greenie.muc.de > -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] Viscosity patch to TAP driver
Hi, On Fri, Apr 13, 2018 at 10:24:18AM -0700, Marvin wrote: > Only that here we need to run Gava's patches for active-ftp and client-nat > (submitted to openvpn-dev several years ago but not accepted). He has not > had time to port those patches to 2.4.x yet. So for now we are stuck at > 2.3.18. If you run your own build anyway, just package with the new driver as soon as it's released - as today, there will be a signed .exe for the tap driver, which gets embedded into whatever installer you build, 2.3.x or 2.4.x (Note: active-ftp NAT will never be merged - that is way too intrusive. The other NAT patch got lost somewhere but still has chances) gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] Viscosity patch to TAP driver
HI Gert, Only that here we need to run Gava's patches for active-ftp and client-nat (submitted to openvpn-dev several years ago but not accepted). He has not had time to port those patches to 2.4.x yet. So for now we are stuck at 2.3.18. Marvin On Fri, Apr 13, 2018 at 10:10 AM, Gert Doeringwrote: > Hi, > > On Fri, Apr 13, 2018 at 10:03:55AM -0700, Marvin wrote: > > Would there be any problem with updating the tap-windows6 to the > Viscosity > > patched version on an older openvpn build (e.g. 2.3.18 on Windows 10)? > > "Why?" > > There is nothing in 2.3.x (... that we are aware of) that makes it more > suitable than 2.4.x - and lots of goodness is missing, like being able > to run GUI and openvpn.exe without admin privileges. > > gert > > -- > "If was one thing all people took for granted, was conviction that if you > feed honest figures into a computer, honest figures come out. Never > doubted > it myself till I met a computer with a sense of humor." > Robert A. Heinlein, The Moon is a Harsh > Mistress > > Gert Doering - Munich, Germany > g...@greenie.muc.de > -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] Viscosity patch to TAP driver
Hi, On Fri, Apr 13, 2018 at 10:03:55AM -0700, Marvin wrote: > Would there be any problem with updating the tap-windows6 to the Viscosity > patched version on an older openvpn build (e.g. 2.3.18 on Windows 10)? "Why?" There is nothing in 2.3.x (... that we are aware of) that makes it more suitable than 2.4.x - and lots of goodness is missing, like being able to run GUI and openvpn.exe without admin privileges. gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] Viscosity patch to TAP driver
Hi Guys, Would there be any problem with updating the tap-windows6 to the Viscosity patched version on an older openvpn build (e.g. 2.3.18 on Windows 10)? Thanks, Marvin On Thu, Apr 12, 2018 at 8:45 PM, Eric Thorpewrote: > Hi Gert, > > PR #47 has been submitted to tap-windows6 on github. > > Regards, > Eric > > -- > Eric Thorpe > SparkLabs > Developerhttps://www.sparklabs.comhttps://twitter.com/sparklabssupp...@sparklabs.com > > On 12/04/2018 6:26 PM, Gert Doering wrote: > > Hi Eric, > > On Thu, Mar 22, 2018 at 02:25:56PM +1100, Eric Thorpe wrote: > > One of the Viscosity developers here. The TAP driver used by Viscosity > is based on the OpenVPN TAP-Windows driver. We're surprised to hear of > any performance differences, as the changes we've made are very minimal. > > Besides a name and version number change, the only other modification is > a change to the reported network adapter speed, which has Windows report > the driver as 1000 Mbit instead of 100 Mbit. > > This change was made not because of any actual performance gains, but > because of user reports that certain firewall or AV software tries to > QoS the adapter based on its reported adapter speed, which is of course > a problem if the VPN connection is capable of more than 100 Mbit. > > Please find a patch file of the changes attached. > > I think it would make sense for us to merge that patch - for two reasons, > one is "the change could indeed help performance in high-bandwidth > situtions", and the more important one is "another patch to tap-windows6 > is forthcoming, and that way we can keep the version numbers aligned > so people can know what is inside". > > Do you have the patch in git? If yes, could you please do the commit > with "-s" (so the signed-off-by: line is added) and send it as regular > git commit (git-send-email)? Alternatively a PR against tap-windows6 > on github should do as well. > > Thanks in advance, > > gert > > > > > > > -- > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > ___ > Openvpn-devel mailing list > Openvpn-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openvpn-devel > > -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Change quoted to angled form when #including external .h files
May I ask what the rationale is for this change? Use of angled and quoted form of #include filenames is mostly consistent across the OpenVPN source (src/openvpn) with those few exceptions fixed by this proposed patch. The rationale for this change is unification of #include sentences. Regards, Simon -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Change quoted to angled form when #including external .h files
On 13/04/18 17:55, Simon Rozman wrote: > --- > src/openvpn/comp-lz4.c | 2 +- > src/openvpn/lzo.h | 8 > src/openvpn/memdbg.h | 4 ++-- > 3 files changed, 7 insertions(+), 7 deletions(-) > > diff --git a/src/openvpn/comp-lz4.c b/src/openvpn/comp-lz4.c > index f2916bdd..f52fdbfb 100644 > --- a/src/openvpn/comp-lz4.c > +++ b/src/openvpn/comp-lz4.c > @@ -35,7 +35,7 @@ > #if defined(NEED_COMPAT_LZ4) > #include "compat-lz4.h" > #else > -#include "lz4.h" > +#include > #endif May I ask what the rationale is for this change? -- kind regards, David Sommerseth OpenVPN Inc -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Change quoted to angled form when #including external .h files
--- src/openvpn/comp-lz4.c | 2 +- src/openvpn/lzo.h | 8 src/openvpn/memdbg.h | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/openvpn/comp-lz4.c b/src/openvpn/comp-lz4.c index f2916bdd..f52fdbfb 100644 --- a/src/openvpn/comp-lz4.c +++ b/src/openvpn/comp-lz4.c @@ -35,7 +35,7 @@ #if defined(NEED_COMPAT_LZ4) #include "compat-lz4.h" #else -#include "lz4.h" +#include #endif #include "comp.h" diff --git a/src/openvpn/lzo.h b/src/openvpn/lzo.h index 11e1c39f..453cd8ee 100644 --- a/src/openvpn/lzo.h +++ b/src/openvpn/lzo.h @@ -39,14 +39,14 @@ */ #if defined(HAVE_LZO_LZOUTIL_H) -#include "lzo/lzoutil.h" +#include #elif defined(HAVE_LZOUTIL_H) -#include "lzoutil.h" +#include #endif #if defined(HAVE_LZO_LZO1X_H) -#include "lzo/lzo1x.h" +#include #elif defined(HAVE_LZO1X_H) -#include "lzo1x.h" +#include #endif #include "buffer.h" diff --git a/src/openvpn/memdbg.h b/src/openvpn/memdbg.h index 70c6365d..6da9712b 100644 --- a/src/openvpn/memdbg.h +++ b/src/openvpn/memdbg.h @@ -44,7 +44,7 @@ #ifdef USE_VALGRIND -#include "valgrind/memcheck.h" +#include #define VALGRIND_MAKE_READABLE(addr, len) @@ -84,7 +84,7 @@ * #define INTERNAL_MEMORY_SPACE (1024 * 1024 * 50) */ -#include "dmalloc.h" +#include #define openvpn_dmalloc(file, line, size) dmalloc_malloc((file), (line), (size), DMALLOC_FUNC_MALLOC, 0, 0) -- 2.15.1 (Apple Git-101) -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Add missing (but optional) escape backslash to sed replace string
Hi, On Fri, Apr 13, 2018 at 05:29:15PM +0200, Simon Rozman wrote: > #ifdef NEED_COMPAT_LZ4 > EOF > -sed 's/\"lz4\.h\"/\"compat-lz4.h"/' "$LZ4_C" > +sed 's/\"lz4\.h\"/\"compat-lz4.h\"/' "$LZ4_C" TBH, I think all the backslashes before a double quote (") should *go*. Nothing special about a " inside(!) ''... - neither the shell cares nor sed (unlike '.'). So, NAK. gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Add missing (but optional) escape backslash to sed replace string
--- dev-tools/lz4-rebaser.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dev-tools/lz4-rebaser.sh b/dev-tools/lz4-rebaser.sh index 03debcb..3771639 100755 --- a/dev-tools/lz4-rebaser.sh +++ b/dev-tools/lz4-rebaser.sh @@ -58,7 +58,7 @@ echo "* Porting upstream lz4.c to compat-lz4.c" #ifdef NEED_COMPAT_LZ4 EOF -sed 's/\"lz4\.h\"/\"compat-lz4.h"/' "$LZ4_C" +sed 's/\"lz4\.h\"/\"compat-lz4.h\"/' "$LZ4_C" cat
[Openvpn-devel] [PATCH v4] Add Interactive Service developer documentation
The OpenVPN Interactive Service documentation from https://community.openvpn.net/openvpn/wiki/OpenVPNInteractiveService was upgraded with a description of the client-service communication flow, service registry configuration, and non-default instance installation. --- doc/interactive-service-notes.txt | 329 ++ 1 file changed, 329 insertions(+) create mode 100644 doc/interactive-service-notes.txt diff --git a/doc/interactive-service-notes.txt b/doc/interactive-service-notes.txt new file mode 100644 index ..6f716800 --- /dev/null +++ b/doc/interactive-service-notes.txt @@ -0,0 +1,329 @@ += +OpenVPN Interactive Service Notes += + + +Introduction + + +OpenVPN Interactive Service, also known as "iservice" or +"OpenVPNServiceInteractive", is a Windows system service which allows +unprivileged openvpn.exe process to do certain privileged operations, such as +adding routes. This removes the need to always run OpenVPN as administrator, +which was the case for a long time, and continues to be the case for OpenVPN +2.3.x. + +The 2.4.x release and git "master" versions of OpenVPN contain the Interactive +Service code and OpenVPN-GUI is setup to use it by default. Starting from +version 2.4.0, OpenVPN-GUI is expected to be started as user (do not right-click +and "run as administrator" or do not set the shortcut to run as administrator). +This ensures that OpenVPN and the GUI run with limited privileges. + + +How It Works + + +Here is a brief explanation of how the Interactive Service works, based on +`Gert's email`_ to openvpn-devel mailing list. The example user, *joe*, is not +an administrator, and does not have any other extra privileges. + +- OpenVPN-GUI runs as user *joe*. + +- Interactive Service runs as a local Windows service with maximum privileges. + +- OpenVPN-GUI connects to the Interactive Service and asks it to "run + openvpn.exe with the given command line options". + +- Interactive Service starts openvpn.exe process as user *joe*, and keeps a + service pipe between Interactive Service and openvpn.exe. + +- When openvpn.exe wants to perform any operation that require elevation (e.g. + ipconfig, route, configure DNS), it sends a request over the service pipe to + the Interactive Service, which will then execute it (and clean up should + openvpn.exe crash). + +- ``--up`` scripts are run by openvpn.exe itself, which is running as user + *joe*, all privileges are nicely in place. + +- Scripts run by the GUI will run as user *joe*, so that automated tasks like + mapping of drives work as expected. + +This avoids the use of scripts for privilege escalation (as was possible by +running an ``--up`` script from openvpn.exe which is run as administrator). + + +Client-Service Communication + + +Connecting +-- + +The client (OpenVPN GUI) and the Interactive Service communicate using a named +message pipe. By default, the service provides the ``\\.\pipe\openvpn\service`` +named pipe. + +The client connects to the pipe for read/write and sets the pipe state to +``PIPE_READMODE_MESSAGE``:: + + HANDLE pipe = CreateFile(_T(".\\pipe\\openvpn\\service"), + GENERIC_READ | GENERIC_WRITE, + 0, + NULL, + OPEN_EXISTING, + FILE_FLAG_OVERLAPPED, + NULL); + + if (pipe == INVALID_HANDLE_VALUE) + { + // Error + } + + DWORD dwMode = PIPE_READMODE_MESSAGE; + if (!SetNamedPipeHandleState(pipe, , NULL, NULL) + { + // Error + } + + +openvpn.exe Startup +--- + +After the client is connected to the service, the client must send a startup +message to have the service start the openvpn.exe process. The startup message +is comprised of three UTF-16 strings delimited by U zero characters:: + + startupmsg = workingdir WZERO openvpnoptions WZERO stdin WZERO + + workingdir = WSTRING + openvpnoptions = WSTRING + stdin = WSTRING + + WSTRING= *WCHAR + WCHAR = %x0001- + WZERO = %x + +``workingdir`` + Represents the folder openvpn.exe process should be started in. + +``openvpnoptions`` + String contains ``--config`` and other OpenVPN command line options, without + the ``argv[0]`` executable name ("openvpn" or "openvpn.exe"). When there is + only one option specified, the ``--config`` option is assumed and the option + is the configuration filename. + + Note that the interactive service validates the options. OpenVPN + configuration file must reside in the configuration folder defined by + ``config_dir`` registry value. The configuration file can also reside in any + subfolder of the configuration folder. For all other folders the invoking + user must be a member of local Administrators group, or a member of the group + defined by ``ovpn_admin_group`` registry value ("OpenVPN Administrators" by +
[Openvpn-devel] [PATCH v2 09/13] Signed/unsigned warnings of MSVC resolved
This patch fixes the signed/unsigned comparison warnings discovered when compiling openvpnserv using MSVC. Wherever possible, it changes iterator and/or size variables to a more appropriate type, or uses type-casting when it is safe to do so. --- src/openvpnserv/automatic.c | 2 +- src/openvpnserv/common.c | 2 +- src/openvpnserv/interactive.c | 7 +++ src/openvpnserv/validate.c| 2 +- 4 files changed, 6 insertions(+), 7 deletions(-) diff --git a/src/openvpnserv/automatic.c b/src/openvpnserv/automatic.c index 1f98283..89367fc 100644 --- a/src/openvpnserv/automatic.c +++ b/src/openvpnserv/automatic.c @@ -135,7 +135,7 @@ match(const WIN32_FIND_DATA *find, LPCTSTR ext) * Modify the extension on a filename. */ static bool -modext(LPTSTR dest, int size, LPCTSTR src, LPCTSTR newext) +modext(LPTSTR dest, size_t size, LPCTSTR src, LPCTSTR newext) { size_t i; diff --git a/src/openvpnserv/common.c b/src/openvpnserv/common.c index dc47666..59f73bd 100644 --- a/src/openvpnserv/common.c +++ b/src/openvpnserv/common.c @@ -40,7 +40,7 @@ openvpn_vsntprintf(LPTSTR str, size_t size, LPCTSTR format, va_list arglist) len = _vsntprintf(str, size, format, arglist); str[size - 1] = 0; } -return (len >= 0 && len < size); +return (len >= 0 && (size_t)len < size); } int openvpn_sntprintf(LPTSTR str, size_t size, LPCTSTR format, ...) diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index fbc32f9..66ffeec 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -188,7 +188,7 @@ typedef enum { static DWORD AsyncPipeOp(async_op_t op, HANDLE pipe, LPVOID buffer, DWORD size, DWORD count, LPHANDLE events) { -int i; +DWORD i; BOOL success; HANDLE io_event; DWORD res, bytes = 0; @@ -934,7 +934,7 @@ static DWORD WINAPI RegisterDNS(LPVOID unused) { DWORD err; -DWORD i; +size_t i; WCHAR sys_path[MAX_PATH]; DWORD timeout = RDNS_TIMEOUT * 1000; /* in milliseconds */ @@ -950,7 +950,6 @@ RegisterDNS(LPVOID unused) { ipcfg, L"ipconfig /flushdns",timeout }, { ipcfg, L"ipconfig /registerdns", timeout }, }; -int ncmds = sizeof(cmds) / sizeof(cmds[0]); HANDLE wait_handles[2] = {rdns_semaphore, exit_event}; @@ -963,7 +962,7 @@ RegisterDNS(LPVOID unused) if (WaitForMultipleObjects(2, wait_handles, FALSE, timeout) == WAIT_OBJECT_0) { /* Semaphore locked */ -for (i = 0; i < ncmds; ++i) +for (i = 0; i < _countof(cmds); ++i) { ExecCommand(cmds[i].argv0, cmds[i].cmdline, cmds[i].timeout); } diff --git a/src/openvpnserv/validate.c b/src/openvpnserv/validate.c index 653bd12..26ffa8f 100644 --- a/src/openvpnserv/validate.c +++ b/src/openvpnserv/validate.c @@ -298,7 +298,7 @@ IsUserInGroup(PSID sid, const PTOKEN_GROUPS token_groups, const WCHAR *group_nam break; } /* If a match is already found, ret == TRUE and the loop is skipped */ -for (int i = 0; i < nread && !ret; ++i) +for (DWORD i = 0; i < nread && !ret; ++i) { ret = EqualSid(members[i].lgrmi0_sid, sid); } -- 2.9.0.windows.1 -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v3] Add Interactive Service developer documentation
The OpenVPN Interactive Service documentation from https://community.openvpn.net/openvpn/wiki/OpenVPNInteractiveService was upgraded with a description of the client-service communication flow, service registry configuration, and non-default instance installation. --- doc/Makefile.am | 1 - doc/interactive-service-notes.txt | 329 ++ 2 files changed, 329 insertions(+), 1 deletion(-) create mode 100644 doc/interactive-service-notes.txt diff --git a/doc/Makefile.am b/doc/Makefile.am index cd1bcfdf..7113ab87 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -30,4 +30,3 @@ openvpn.8.html: $(srcdir)/openvpn.8 else dist_man_MANS = openvpn.8 endif - diff --git a/doc/interactive-service-notes.txt b/doc/interactive-service-notes.txt new file mode 100644 index ..6f716800 --- /dev/null +++ b/doc/interactive-service-notes.txt @@ -0,0 +1,329 @@ += +OpenVPN Interactive Service Notes += + + +Introduction + + +OpenVPN Interactive Service, also known as "iservice" or +"OpenVPNServiceInteractive", is a Windows system service which allows +unprivileged openvpn.exe process to do certain privileged operations, such as +adding routes. This removes the need to always run OpenVPN as administrator, +which was the case for a long time, and continues to be the case for OpenVPN +2.3.x. + +The 2.4.x release and git "master" versions of OpenVPN contain the Interactive +Service code and OpenVPN-GUI is setup to use it by default. Starting from +version 2.4.0, OpenVPN-GUI is expected to be started as user (do not right-click +and "run as administrator" or do not set the shortcut to run as administrator). +This ensures that OpenVPN and the GUI run with limited privileges. + + +How It Works + + +Here is a brief explanation of how the Interactive Service works, based on +`Gert's email`_ to openvpn-devel mailing list. The example user, *joe*, is not +an administrator, and does not have any other extra privileges. + +- OpenVPN-GUI runs as user *joe*. + +- Interactive Service runs as a local Windows service with maximum privileges. + +- OpenVPN-GUI connects to the Interactive Service and asks it to "run + openvpn.exe with the given command line options". + +- Interactive Service starts openvpn.exe process as user *joe*, and keeps a + service pipe between Interactive Service and openvpn.exe. + +- When openvpn.exe wants to perform any operation that require elevation (e.g. + ipconfig, route, configure DNS), it sends a request over the service pipe to + the Interactive Service, which will then execute it (and clean up should + openvpn.exe crash). + +- ``--up`` scripts are run by openvpn.exe itself, which is running as user + *joe*, all privileges are nicely in place. + +- Scripts run by the GUI will run as user *joe*, so that automated tasks like + mapping of drives work as expected. + +This avoids the use of scripts for privilege escalation (as was possible by +running an ``--up`` script from openvpn.exe which is run as administrator). + + +Client-Service Communication + + +Connecting +-- + +The client (OpenVPN GUI) and the Interactive Service communicate using a named +message pipe. By default, the service provides the ``\\.\pipe\openvpn\service`` +named pipe. + +The client connects to the pipe for read/write and sets the pipe state to +``PIPE_READMODE_MESSAGE``:: + + HANDLE pipe = CreateFile(_T(".\\pipe\\openvpn\\service"), + GENERIC_READ | GENERIC_WRITE, + 0, + NULL, + OPEN_EXISTING, + FILE_FLAG_OVERLAPPED, + NULL); + + if (pipe == INVALID_HANDLE_VALUE) + { + // Error + } + + DWORD dwMode = PIPE_READMODE_MESSAGE; + if (!SetNamedPipeHandleState(pipe, , NULL, NULL) + { + // Error + } + + +openvpn.exe Startup +--- + +After the client is connected to the service, the client must send a startup +message to have the service start the openvpn.exe process. The startup message +is comprised of three UTF-16 strings delimited by U zero characters:: + + startupmsg = workingdir WZERO openvpnoptions WZERO stdin WZERO + + workingdir = WSTRING + openvpnoptions = WSTRING + stdin = WSTRING + + WSTRING= *WCHAR + WCHAR = %x0001- + WZERO = %x + +``workingdir`` + Represents the folder openvpn.exe process should be started in. + +``openvpnoptions`` + String contains ``--config`` and other OpenVPN command line options, without + the ``argv[0]`` executable name ("openvpn" or "openvpn.exe"). When there is + only one option specified, the ``--config`` option is assumed and the option + is the configuration filename. + + Note that the interactive service validates the options. OpenVPN + configuration file must reside in the configuration folder defined by + ``config_dir`` registry value. The