Re: [Openvpn-devel] [PATCH] Specify platform and version on command line.

[Arne Schwabe]

Am 13.04.2018 um 19:23 schrieb Micah Morton:
> From 557d2e73bf21ddb9d07b43f716c7914d610e7392 Mon Sep 17 00:00:00 2001
> From: Micah Morton >
> Date: Fri, 13 Apr 2018 09:55:22 -0700
> Subject: [PATCH] Specify platform and version on command line.
>
> Add --iv-plat and --iv-plat-rel command line args, and use the values
> passed to these args to set IV_PLAT and IV_PLAT_REL info that is pushed
> to the server.
>
> IV_PLAT (platform type) is normally inferred from the build target, but
> it would be useful to be able to override this from the command line
> (e.g. for client to set platform as ChromeOS instead of Linux).
>
> IV_PLAT_REL (platform release version) would allow for pushing the
> platform (e.g. ChromeOS) release version to the server.
>
My Android client already uses

setenv IV_PLAT_VER to send platform specific information. I think
setting IV_PLAT_VER (and extend that to other platforms, might be
android specific at the moment) should also work for you. E.g..

setenv IV_PLAT_VER "27 8.1.0 arm64-v8a google taimen Pixel 2 XL"

Arne
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] Specify platform and version on command line.

[Micah Morton]

@gert:

>From the help message: "--setenv name value : Set a custom environmental
variable to pass to script."

--setenv appears to set string values for scripts only, not for the main
openvpn process (which is reading them in the push_peer_info() function).
Starting a test openvpn server with `--setenv foo bar` and then running
`strings` on /proc/PID/environ doesn't show "foo=bar". This suggests that
getenv() calls in the main openvpn process that try to read these vars may
return NULL.

@jon:

the mods to options.c in the patch above should take care of the help
message (I tested it by running openvpn --help). Although good point if
this is going in I should update the man page as well.

On Fri, Apr 13, 2018 at 11:58 AM, Gert Doering  wrote:

> Hi,
>
> On Fri, Apr 13, 2018 at 10:23:03AM -0700, Micah Morton wrote:
> > From 557d2e73bf21ddb9d07b43f716c7914d610e7392 Mon Sep 17 00:00:00 2001
> > From: Micah Morton 
> > Date: Fri, 13 Apr 2018 09:55:22 -0700
> > Subject: [PATCH] Specify platform and version on command line.
> >
> > Add --iv-plat and --iv-plat-rel command line args, and use the values
> > passed to these args to set IV_PLAT and IV_PLAT_REL info that is pushed
> > to the server.
> >
> > IV_PLAT (platform type) is normally inferred from the build target, but
> > it would be useful to be able to override this from the command line
> > (e.g. for client to set platform as ChromeOS instead of Linux).
> >
> > IV_PLAT_REL (platform release version) would allow for pushing the
> > platform (e.g. ChromeOS) release version to the server.
>
> I'm actually less than enthusiastic about "yay, two more special-case
> options for OpenVPN" - and even less so to options that enable users
> to override a fairly well-defined meaning of IV_PLAT with an arbitrary
> string.  Even if it's ChromeOS, compiled with #define TARGET_LINUX,
> IV_PLAT should reflect that.
>
> There is already "--setenv UV_anykey=value" to send arbitrary strings
> to the server, and in particular, IV_PLAT_VER can already be set by
> "--setenv IV_PLAT_VER=".
>
> There's one catch to this, though - for some reason that escapes me right
> now we have decided that IV_PLAT_VER= and the UV_ user-defined strings
> are only sent if --push-peer-info is also configured on the client
> (while IV_GUI_VER, also settable with --setenv, is always sent).
>
> So we might want to revisit that decision.
>
> gert
>
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never
> doubted
>  it myself till I met a computer with a sense of humor."
>  Robert A. Heinlein, The Moon is a Harsh
> Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
>
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] Specify platform and version on command line.

[Gert Doering]

Hi,

On Fri, Apr 13, 2018 at 10:23:03AM -0700, Micah Morton wrote:
> From 557d2e73bf21ddb9d07b43f716c7914d610e7392 Mon Sep 17 00:00:00 2001
> From: Micah Morton 
> Date: Fri, 13 Apr 2018 09:55:22 -0700
> Subject: [PATCH] Specify platform and version on command line.
> 
> Add --iv-plat and --iv-plat-rel command line args, and use the values
> passed to these args to set IV_PLAT and IV_PLAT_REL info that is pushed
> to the server.
> 
> IV_PLAT (platform type) is normally inferred from the build target, but
> it would be useful to be able to override this from the command line
> (e.g. for client to set platform as ChromeOS instead of Linux).
> 
> IV_PLAT_REL (platform release version) would allow for pushing the
> platform (e.g. ChromeOS) release version to the server.

I'm actually less than enthusiastic about "yay, two more special-case
options for OpenVPN" - and even less so to options that enable users
to override a fairly well-defined meaning of IV_PLAT with an arbitrary 
string.  Even if it's ChromeOS, compiled with #define TARGET_LINUX, 
IV_PLAT should reflect that.

There is already "--setenv UV_anykey=value" to send arbitrary strings
to the server, and in particular, IV_PLAT_VER can already be set by
"--setenv IV_PLAT_VER=".

There's one catch to this, though - for some reason that escapes me right 
now we have decided that IV_PLAT_VER= and the UV_ user-defined strings 
are only sent if --push-peer-info is also configured on the client
(while IV_GUI_VER, also settable with --setenv, is always sent).

So we might want to revisit that decision.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


signature.asc
Description: PGP signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] Specify platform and version on command line.

[Jonathan K. Bullard]

Hi.

On Fri, Apr 13, 2018 at 1:23 PM, Micah Morton  wrote:
> From 557d2e73bf21ddb9d07b43f716c7914d610e7392 Mon Sep 17 00:00:00 2001
> From: Micah Morton 
> Date: Fri, 13 Apr 2018 09:55:22 -0700
> Subject: [PATCH] Specify platform and version on command line.
>
> Add --iv-plat and --iv-plat-rel command line args, and use the values
> passed to these args to set IV_PLAT and IV_PLAT_REL info that is pushed
> to the server.

Sounds reasonable, but the new options should be documented on the man
page and in the usage message that's shown to users (in options.c) and
that should be included in this patch.

Best regards,

Jon Bullard

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH] Specify platform and version on command line.

[Micah Morton]

>From 557d2e73bf21ddb9d07b43f716c7914d610e7392 Mon Sep 17 00:00:00 2001
From: Micah Morton 
Date: Fri, 13 Apr 2018 09:55:22 -0700
Subject: [PATCH] Specify platform and version on command line.

Add --iv-plat and --iv-plat-rel command line args, and use the values
passed to these args to set IV_PLAT and IV_PLAT_REL info that is pushed
to the server.

IV_PLAT (platform type) is normally inferred from the build target, but
it would be useful to be able to override this from the command line
(e.g. for client to set platform as ChromeOS instead of Linux).

IV_PLAT_REL (platform release version) would allow for pushing the
platform (e.g. ChromeOS) release version to the server.

This patch is written against openvpn-2.4.4.

Signed-off-by: Micah Morton 
---
 src/openvpn/init.c   |  8 
 src/openvpn/options.c| 18 ++
 src/openvpn/options.h|  2 ++
 src/openvpn/ssl.c|  9 +
 src/openvpn/ssl_common.h |  2 ++
 5 files changed, 39 insertions(+)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 133a9f5..1cb76ad 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2723,6 +2723,14 @@ do_init_crypto_tls(struct context *c, const unsigned
int flags)
 {
 to.push_peer_info_detail = 0;
 }
+if (options->iv_plat)
+{
+to.iv_plat = options->iv_plat;
+}
+if (options->iv_plat_rel)
+{
+to.iv_plat_rel = options->iv_plat_rel;
+}
 #endif

 /* should we not xmit any packets until we get an initial
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 8dee5d1..d9559a0 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -229,6 +229,8 @@ static const char usage_message[] =
 "--client-nat snat|dnat network netmask alias : on client add 1-to-1
NAT rule.\n"
 #ifdef ENABLE_PUSH_PEER_INFO
 "--push-peer-info : (client only) push client info to server.\n"
+"--iv-plat: (client only) platform type.\n"
+"--iv-plat-rel: (client only) platform release version.\n"
 #endif
 "--setenv name value : Set a custom environmental variable to pass to
script.\n"
 "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to
allow\n"
@@ -1781,6 +1783,8 @@ show_settings(const struct options *o)
 SHOW_BOOL(single_session);
 #ifdef ENABLE_PUSH_PEER_INFO
 SHOW_BOOL(push_peer_info);
+SHOW_STR(iv_plat);
+SHOW_STR(iv_plat_rel);
 #endif
 SHOW_BOOL(tls_exit);

@@ -7837,6 +7841,20 @@ add_option(struct options *options,
 VERIFY_PERMISSION(OPT_P_GENERAL);
 options->push_peer_info = true;
 }
+
+else if (streq(p[0], "iv-plat") && p[1] && !p[2])
+{
+VERIFY_PERMISSION(OPT_P_GENERAL);
+options->iv_plat = p[1];
+}
+
+else if (streq(p[0], "iv-plat-rel") && p[1] && !p[2])
+{
+VERIFY_PERMISSION(OPT_P_GENERAL);
+options->iv_plat_rel = p[1];
+}
+
+
 #endif
 else if (streq(p[0], "tls-exit") && !p[1])
 {
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 01a7b26..9da4058 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -575,6 +575,8 @@ struct options

 #ifdef ENABLE_PUSH_PEER_INFO
 bool push_peer_info;
+const char *iv_plat;
+const char *iv_plat_rel;
 #endif

 bool tls_exit;
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 0739cf7..1265177 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -2245,6 +2245,7 @@ push_peer_info(struct buffer *buf, struct tls_session
*session)
 buf_printf(, "IV_VER=%s\n", PACKAGE_VERSION);

 /* push platform */
+if (session->opt->iv_plat == NULL) {
 #if defined(TARGET_LINUX)
 buf_printf(, "IV_PLAT=linux\n");
 #elif defined(TARGET_SOLARIS)
@@ -2262,6 +2263,14 @@ push_peer_info(struct buffer *buf, struct
tls_session *session)
 #elif defined(_WIN32)
 buf_printf(, "IV_PLAT=win\n");
 #endif
+} else {
+buf_printf(, "IV_PLAT=%s\n", session->opt->iv_plat);
+}
+
+if (session->opt->iv_plat_rel != NULL)
+{
+buf_printf(, "IV_PLAT_REL=%s\n",
session->opt->iv_plat_rel);
+}

 /* support for P_DATA_V2 */
 buf_printf(, "IV_PROTO=2\n");
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 25bffd5..d95c2ef 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -251,6 +251,8 @@ struct tls_options
 bool pull;
 #ifdef ENABLE_PUSH_PEER_INFO
 int push_peer_info_detail;
+const char *iv_plat;
+const char *iv_plat_rel;
 #endif
 int transition_window;
 int handshake_window;
-- 
2.13.5
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net

Re: [Openvpn-devel] Viscosity patch to TAP driver

[Marvin]

>> Note: active-ftp NAT will never be merged - that is way too intrusive.
Yes, we realize that.  That is why we didn't pursue acceptance any
further.  But we still require it because we have to support a large number
(currently around 3000) of legacy devices that cannot be changed away from
active-ftp and client-nat is required.  So for now, we are resigned to
running our own build.

>>  The other NAT patch got lost somewhere but still has chances.
Since we have to run our own build anyway, and no one seemed interested, we
didn't pursue this one.

Thanks for the answer re TAP-Win32, we will try it out as soon as the
binary is released.

Best,
Marvin


On Fri, Apr 13, 2018 at 10:29 AM, Gert Doering  wrote:

> Hi,
>
> On Fri, Apr 13, 2018 at 10:24:18AM -0700, Marvin wrote:
> > Only that here we need to run Gava's patches for active-ftp and
> client-nat
> > (submitted to openvpn-dev several years ago but not accepted).  He has
> not
> > had time to port those patches to 2.4.x yet.  So for now we are stuck at
> > 2.3.18.
>
> If you run your own build anyway, just package with the new driver as
> soon as it's released - as today, there will be a signed .exe for the
> tap driver, which gets embedded into whatever installer you build,
> 2.3.x or 2.4.x
>
> (Note: active-ftp NAT will never be merged - that is way too intrusive.
> The other NAT patch got lost somewhere but still has chances)
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never
> doubted
>  it myself till I met a computer with a sense of humor."
>  Robert A. Heinlein, The Moon is a Harsh
> Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
>
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] Viscosity patch to TAP driver

[Gert Doering]

Hi,

On Fri, Apr 13, 2018 at 10:24:18AM -0700, Marvin wrote:
> Only that here we need to run Gava's patches for active-ftp and client-nat
> (submitted to openvpn-dev several years ago but not accepted).  He has not
> had time to port those patches to 2.4.x yet.  So for now we are stuck at
> 2.3.18.

If you run your own build anyway, just package with the new driver as
soon as it's released - as today, there will be a signed .exe for the
tap driver, which gets embedded into whatever installer you build,
2.3.x or 2.4.x

(Note: active-ftp NAT will never be merged - that is way too intrusive.
The other NAT patch got lost somewhere but still has chances)

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


signature.asc
Description: PGP signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] Viscosity patch to TAP driver

[Marvin]

HI Gert,

Only that here we need to run Gava's patches for active-ftp and client-nat
(submitted to openvpn-dev several years ago but not accepted).  He has not
had time to port those patches to 2.4.x yet.  So for now we are stuck at
2.3.18.

Marvin

On Fri, Apr 13, 2018 at 10:10 AM, Gert Doering  wrote:

> Hi,
>
> On Fri, Apr 13, 2018 at 10:03:55AM -0700, Marvin wrote:
> > Would there be any problem with updating the tap-windows6 to the
> Viscosity
> > patched version on an older openvpn build (e.g. 2.3.18 on Windows 10)?
>
> "Why?"
>
> There is nothing in 2.3.x (... that we are aware of) that makes it more
> suitable than 2.4.x - and lots of goodness is missing, like being able
> to run GUI and openvpn.exe without admin privileges.
>
> gert
>
> --
> "If was one thing all people took for granted, was conviction that if you
>  feed honest figures into a computer, honest figures come out. Never
> doubted
>  it myself till I met a computer with a sense of humor."
>  Robert A. Heinlein, The Moon is a Harsh
> Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
>
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] Viscosity patch to TAP driver

[Gert Doering]

Hi,

On Fri, Apr 13, 2018 at 10:03:55AM -0700, Marvin wrote:
> Would there be any problem with updating the tap-windows6 to the Viscosity
> patched version on an older openvpn build (e.g. 2.3.18 on Windows 10)?

"Why?"

There is nothing in 2.3.x (... that we are aware of) that makes it more
suitable than 2.4.x - and lots of goodness is missing, like being able
to run GUI and openvpn.exe without admin privileges.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


signature.asc
Description: PGP signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] Viscosity patch to TAP driver

[Marvin]

Hi Guys,

Would there be any problem with updating the tap-windows6 to the Viscosity
patched version on an older openvpn build (e.g. 2.3.18 on Windows 10)?

Thanks,
Marvin

On Thu, Apr 12, 2018 at 8:45 PM, Eric Thorpe  wrote:

> Hi Gert,
>
> PR #47 has been submitted to tap-windows6 on github.
>
> Regards,
> Eric
>
> --
> Eric Thorpe
> SparkLabs 
> Developerhttps://www.sparklabs.comhttps://twitter.com/sparklabssupp...@sparklabs.com
>
> On 12/04/2018 6:26 PM, Gert Doering wrote:
>
> Hi Eric,
>
> On Thu, Mar 22, 2018 at 02:25:56PM +1100, Eric Thorpe wrote:
>
> One of the Viscosity developers here. The TAP driver used by Viscosity
> is based on the OpenVPN TAP-Windows driver. We're surprised to hear of
> any performance differences, as the changes we've made are very minimal.
>
> Besides a name and version number change, the only other modification is
> a change to the reported network adapter speed, which has Windows report
> the driver as 1000 Mbit instead of 100 Mbit.
>
> This change was made not because of any actual performance gains, but
> because of user reports that certain firewall or AV software tries to
> QoS the adapter based on its reported adapter speed, which is of course
> a problem if the VPN connection is capable of more than 100 Mbit.
>
> Please find a patch file of the changes attached.
>
> I think it would make sense for us to merge that patch - for two reasons,
> one is "the change could indeed help performance in high-bandwidth
> situtions", and the more important one is "another patch to tap-windows6
> is forthcoming, and that way we can keep the version numbers aligned
> so people can know what is inside".
>
> Do you have the patch in git?  If yes, could you please do the commit
> with "-s" (so the signed-off-by: line is added) and send it as regular
> git commit (git-send-email)?  Alternatively a PR against tap-windows6
> on github should do as well.
>
> Thanks in advance,
>
> gert
>
>
>
>
>
> 
> --
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> ___
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>
>
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] Change quoted to angled form when #including external .h files

[Simon Rozman]

May I ask what the rationale is for this change?


Use of angled and quoted form of #include filenames is mostly consistent across 
the OpenVPN source (src/openvpn) with those few exceptions fixed by this 
proposed patch.

The rationale for this change is unification of #include sentences.

Regards,
Simon
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] Change quoted to angled form when #including external .h files

[David Sommerseth]

On 13/04/18 17:55, Simon Rozman wrote:
> ---
>  src/openvpn/comp-lz4.c | 2 +-
>  src/openvpn/lzo.h  | 8 
>  src/openvpn/memdbg.h   | 4 ++--
>  3 files changed, 7 insertions(+), 7 deletions(-)
> 
> diff --git a/src/openvpn/comp-lz4.c b/src/openvpn/comp-lz4.c
> index f2916bdd..f52fdbfb 100644
> --- a/src/openvpn/comp-lz4.c
> +++ b/src/openvpn/comp-lz4.c
> @@ -35,7 +35,7 @@
>  #if defined(NEED_COMPAT_LZ4)
>  #include "compat-lz4.h"
>  #else
> -#include "lz4.h"
> +#include 
>  #endif

May I ask what the rationale is for this change?


-- 
kind regards,

David Sommerseth
OpenVPN Inc


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH] Change quoted to angled form when #including external .h files

[Simon Rozman]

---
 src/openvpn/comp-lz4.c | 2 +-
 src/openvpn/lzo.h  | 8 
 src/openvpn/memdbg.h   | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/openvpn/comp-lz4.c b/src/openvpn/comp-lz4.c
index f2916bdd..f52fdbfb 100644
--- a/src/openvpn/comp-lz4.c
+++ b/src/openvpn/comp-lz4.c
@@ -35,7 +35,7 @@
 #if defined(NEED_COMPAT_LZ4)
 #include "compat-lz4.h"
 #else
-#include "lz4.h"
+#include 
 #endif
 
 #include "comp.h"
diff --git a/src/openvpn/lzo.h b/src/openvpn/lzo.h
index 11e1c39f..453cd8ee 100644
--- a/src/openvpn/lzo.h
+++ b/src/openvpn/lzo.h
@@ -39,14 +39,14 @@
  */
 
 #if defined(HAVE_LZO_LZOUTIL_H)
-#include "lzo/lzoutil.h"
+#include 
 #elif defined(HAVE_LZOUTIL_H)
-#include "lzoutil.h"
+#include 
 #endif
 #if defined(HAVE_LZO_LZO1X_H)
-#include "lzo/lzo1x.h"
+#include 
 #elif defined(HAVE_LZO1X_H)
-#include "lzo1x.h"
+#include 
 #endif
 
 #include "buffer.h"
diff --git a/src/openvpn/memdbg.h b/src/openvpn/memdbg.h
index 70c6365d..6da9712b 100644
--- a/src/openvpn/memdbg.h
+++ b/src/openvpn/memdbg.h
@@ -44,7 +44,7 @@
 
 #ifdef USE_VALGRIND
 
-#include "valgrind/memcheck.h"
+#include 
 
 #define VALGRIND_MAKE_READABLE(addr, len)
 
@@ -84,7 +84,7 @@
  *  #define INTERNAL_MEMORY_SPACE (1024 * 1024 * 50)
  */
 
-#include "dmalloc.h"
+#include 
 
 #define openvpn_dmalloc(file, line, size) dmalloc_malloc((file), (line), 
(size), DMALLOC_FUNC_MALLOC, 0, 0)
 
-- 
2.15.1 (Apple Git-101)


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] Add missing (but optional) escape backslash to sed replace string

[Gert Doering]

Hi,

On Fri, Apr 13, 2018 at 05:29:15PM +0200, Simon Rozman wrote:
>  #ifdef NEED_COMPAT_LZ4
>  EOF
> -sed 's/\"lz4\.h\"/\"compat-lz4.h"/' "$LZ4_C"
> +sed 's/\"lz4\.h\"/\"compat-lz4.h\"/' "$LZ4_C"

TBH, I think all the backslashes before a double quote (") should *go*.

Nothing special about a " inside(!) ''... - neither the shell cares
nor sed (unlike '.').

So, NAK.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de


signature.asc
Description: PGP signature
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH] Add missing (but optional) escape backslash to sed replace string

[Simon Rozman]

---
 dev-tools/lz4-rebaser.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dev-tools/lz4-rebaser.sh b/dev-tools/lz4-rebaser.sh
index 03debcb..3771639 100755
--- a/dev-tools/lz4-rebaser.sh
+++ b/dev-tools/lz4-rebaser.sh
@@ -58,7 +58,7 @@ echo "* Porting upstream lz4.c to compat-lz4.c"
 
 #ifdef NEED_COMPAT_LZ4
 EOF
-sed 's/\"lz4\.h\"/\"compat-lz4.h"/' "$LZ4_C"
+sed 's/\"lz4\.h\"/\"compat-lz4.h\"/' "$LZ4_C"
 cat 

[Openvpn-devel] [PATCH v4] Add Interactive Service developer documentation

[Simon Rozman]

The OpenVPN Interactive Service documentation from
https://community.openvpn.net/openvpn/wiki/OpenVPNInteractiveService was
upgraded with a description of the client-service communication flow,
service registry configuration, and non-default instance installation.
---
 doc/interactive-service-notes.txt | 329 ++
 1 file changed, 329 insertions(+)
 create mode 100644 doc/interactive-service-notes.txt

diff --git a/doc/interactive-service-notes.txt 
b/doc/interactive-service-notes.txt
new file mode 100644
index ..6f716800
--- /dev/null
+++ b/doc/interactive-service-notes.txt
@@ -0,0 +1,329 @@
+=
+OpenVPN Interactive Service Notes
+=
+
+
+Introduction
+
+
+OpenVPN Interactive Service, also known as "iservice" or
+"OpenVPNServiceInteractive", is a Windows system service which allows
+unprivileged openvpn.exe process to do certain privileged operations, such as
+adding routes. This removes the need to always run OpenVPN as administrator,
+which was the case for a long time, and continues to be the case for OpenVPN
+2.3.x.
+
+The 2.4.x release and git "master" versions of OpenVPN contain the Interactive
+Service code and OpenVPN-GUI is setup to use it by default. Starting from
+version 2.4.0, OpenVPN-GUI is expected to be started as user (do not 
right-click
+and "run as administrator" or do not set the shortcut to run as administrator).
+This ensures that OpenVPN and the GUI run with limited privileges.
+
+
+How It Works
+
+
+Here is a brief explanation of how the Interactive Service works, based on
+`Gert's email`_ to openvpn-devel mailing list. The example user, *joe*, is not
+an administrator, and does not have any other extra privileges.
+
+- OpenVPN-GUI runs as user *joe*.
+
+- Interactive Service runs as a local Windows service with maximum privileges.
+
+- OpenVPN-GUI connects to the Interactive Service and asks it to "run
+  openvpn.exe with the given command line options".
+
+- Interactive Service starts openvpn.exe process as user *joe*, and keeps a
+  service pipe between Interactive Service and openvpn.exe.
+
+- When openvpn.exe wants to perform any operation that require elevation (e.g.
+  ipconfig, route, configure DNS), it sends a request over the service pipe to
+  the Interactive Service, which will then execute it (and clean up should
+  openvpn.exe crash).
+
+- ``--up`` scripts are run by openvpn.exe itself, which is running as user
+  *joe*, all privileges are nicely in place.
+
+- Scripts run by the GUI will run as user *joe*, so that automated tasks like
+  mapping of drives work as expected.
+
+This avoids the use of scripts for privilege escalation (as was possible by
+running an ``--up`` script from openvpn.exe which is run as administrator).
+
+
+Client-Service Communication
+
+
+Connecting
+--
+
+The client (OpenVPN GUI) and the Interactive Service communicate using a named
+message pipe. By default, the service provides the ``\\.\pipe\openvpn\service``
+named pipe.
+
+The client connects to the pipe for read/write and sets the pipe state to
+``PIPE_READMODE_MESSAGE``::
+
+   HANDLE pipe = CreateFile(_T(".\\pipe\\openvpn\\service"),
+   GENERIC_READ | GENERIC_WRITE,
+   0,
+   NULL,
+   OPEN_EXISTING,
+   FILE_FLAG_OVERLAPPED,
+   NULL);
+
+   if (pipe == INVALID_HANDLE_VALUE)
+   {
+   // Error
+   }
+
+   DWORD dwMode = PIPE_READMODE_MESSAGE;
+   if (!SetNamedPipeHandleState(pipe, , NULL, NULL)
+   {
+   // Error
+   }
+
+
+openvpn.exe Startup
+---
+
+After the client is connected to the service, the client must send a startup
+message to have the service start the openvpn.exe process. The startup message
+is comprised of three UTF-16 strings delimited by U zero characters::
+
+   startupmsg = workingdir WZERO openvpnoptions WZERO stdin WZERO
+
+   workingdir = WSTRING
+   openvpnoptions = WSTRING
+   stdin  = WSTRING
+
+   WSTRING= *WCHAR
+   WCHAR  = %x0001-
+   WZERO  = %x
+
+``workingdir``
+   Represents the folder openvpn.exe process should be started in.
+
+``openvpnoptions``
+   String contains ``--config`` and other OpenVPN command line options, without
+   the ``argv[0]`` executable name ("openvpn" or "openvpn.exe"). When there is
+   only one option specified, the ``--config`` option is assumed and the option
+   is the configuration filename.
+
+   Note that the interactive service validates the options. OpenVPN
+   configuration file must reside in the configuration folder defined by
+   ``config_dir`` registry value. The configuration file can also reside in any
+   subfolder of the configuration folder. For all other folders the invoking
+   user must be a member of local Administrators group, or a member of the 
group
+   defined by ``ovpn_admin_group`` registry value ("OpenVPN Administrators" by
+   

[Openvpn-devel] [PATCH v2 09/13] Signed/unsigned warnings of MSVC resolved

[Simon Rozman]

This patch fixes the signed/unsigned comparison warnings discovered when
compiling openvpnserv using MSVC.

Wherever possible, it changes iterator and/or size variables to a more
appropriate type, or uses type-casting when it is safe to do so.
---
 src/openvpnserv/automatic.c   | 2 +-
 src/openvpnserv/common.c  | 2 +-
 src/openvpnserv/interactive.c | 7 +++
 src/openvpnserv/validate.c| 2 +-
 4 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/openvpnserv/automatic.c b/src/openvpnserv/automatic.c
index 1f98283..89367fc 100644
--- a/src/openvpnserv/automatic.c
+++ b/src/openvpnserv/automatic.c
@@ -135,7 +135,7 @@ match(const WIN32_FIND_DATA *find, LPCTSTR ext)
  * Modify the extension on a filename.
  */
 static bool
-modext(LPTSTR dest, int size, LPCTSTR src, LPCTSTR newext)
+modext(LPTSTR dest, size_t size, LPCTSTR src, LPCTSTR newext)
 {
 size_t i;
 
diff --git a/src/openvpnserv/common.c b/src/openvpnserv/common.c
index dc47666..59f73bd 100644
--- a/src/openvpnserv/common.c
+++ b/src/openvpnserv/common.c
@@ -40,7 +40,7 @@ openvpn_vsntprintf(LPTSTR str, size_t size, LPCTSTR format, 
va_list arglist)
 len = _vsntprintf(str, size, format, arglist);
 str[size - 1] = 0;
 }
-return (len >= 0 && len < size);
+return (len >= 0 && (size_t)len < size);
 }
 int
 openvpn_sntprintf(LPTSTR str, size_t size, LPCTSTR format, ...)
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index fbc32f9..66ffeec 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -188,7 +188,7 @@ typedef enum {
 static DWORD
 AsyncPipeOp(async_op_t op, HANDLE pipe, LPVOID buffer, DWORD size, DWORD 
count, LPHANDLE events)
 {
-int i;
+DWORD i;
 BOOL success;
 HANDLE io_event;
 DWORD res, bytes = 0;
@@ -934,7 +934,7 @@ static DWORD WINAPI
 RegisterDNS(LPVOID unused)
 {
 DWORD err;
-DWORD i;
+size_t i;
 WCHAR sys_path[MAX_PATH];
 DWORD timeout = RDNS_TIMEOUT * 1000; /* in milliseconds */
 
@@ -950,7 +950,6 @@ RegisterDNS(LPVOID unused)
 { ipcfg, L"ipconfig /flushdns",timeout },
 { ipcfg, L"ipconfig /registerdns", timeout },
 };
-int ncmds = sizeof(cmds) / sizeof(cmds[0]);
 
 HANDLE wait_handles[2] = {rdns_semaphore, exit_event};
 
@@ -963,7 +962,7 @@ RegisterDNS(LPVOID unused)
 if (WaitForMultipleObjects(2, wait_handles, FALSE, timeout) == 
WAIT_OBJECT_0)
 {
 /* Semaphore locked */
-for (i = 0; i < ncmds; ++i)
+for (i = 0; i < _countof(cmds); ++i)
 {
 ExecCommand(cmds[i].argv0, cmds[i].cmdline, cmds[i].timeout);
 }
diff --git a/src/openvpnserv/validate.c b/src/openvpnserv/validate.c
index 653bd12..26ffa8f 100644
--- a/src/openvpnserv/validate.c
+++ b/src/openvpnserv/validate.c
@@ -298,7 +298,7 @@ IsUserInGroup(PSID sid, const PTOKEN_GROUPS token_groups, 
const WCHAR *group_nam
 break;
 }
 /* If a match is already found, ret == TRUE and the loop is skipped */
-for (int i = 0; i < nread && !ret; ++i)
+for (DWORD i = 0; i < nread && !ret; ++i)
 {
 ret = EqualSid(members[i].lgrmi0_sid, sid);
 }
-- 
2.9.0.windows.1

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH v3] Add Interactive Service developer documentation

[Simon Rozman]

The OpenVPN Interactive Service documentation from
https://community.openvpn.net/openvpn/wiki/OpenVPNInteractiveService was
upgraded with a description of the client-service communication flow,
service registry configuration, and non-default instance installation.
---
 doc/Makefile.am   |   1 -
 doc/interactive-service-notes.txt | 329 ++
 2 files changed, 329 insertions(+), 1 deletion(-)
 create mode 100644 doc/interactive-service-notes.txt

diff --git a/doc/Makefile.am b/doc/Makefile.am
index cd1bcfdf..7113ab87 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -30,4 +30,3 @@ openvpn.8.html: $(srcdir)/openvpn.8
 else
 dist_man_MANS = openvpn.8
 endif
-
diff --git a/doc/interactive-service-notes.txt 
b/doc/interactive-service-notes.txt
new file mode 100644
index ..6f716800
--- /dev/null
+++ b/doc/interactive-service-notes.txt
@@ -0,0 +1,329 @@
+=
+OpenVPN Interactive Service Notes
+=
+
+
+Introduction
+
+
+OpenVPN Interactive Service, also known as "iservice" or
+"OpenVPNServiceInteractive", is a Windows system service which allows
+unprivileged openvpn.exe process to do certain privileged operations, such as
+adding routes. This removes the need to always run OpenVPN as administrator,
+which was the case for a long time, and continues to be the case for OpenVPN
+2.3.x.
+
+The 2.4.x release and git "master" versions of OpenVPN contain the Interactive
+Service code and OpenVPN-GUI is setup to use it by default. Starting from
+version 2.4.0, OpenVPN-GUI is expected to be started as user (do not 
right-click
+and "run as administrator" or do not set the shortcut to run as administrator).
+This ensures that OpenVPN and the GUI run with limited privileges.
+
+
+How It Works
+
+
+Here is a brief explanation of how the Interactive Service works, based on
+`Gert's email`_ to openvpn-devel mailing list. The example user, *joe*, is not
+an administrator, and does not have any other extra privileges.
+
+- OpenVPN-GUI runs as user *joe*.
+
+- Interactive Service runs as a local Windows service with maximum privileges.
+
+- OpenVPN-GUI connects to the Interactive Service and asks it to "run
+  openvpn.exe with the given command line options".
+
+- Interactive Service starts openvpn.exe process as user *joe*, and keeps a
+  service pipe between Interactive Service and openvpn.exe.
+
+- When openvpn.exe wants to perform any operation that require elevation (e.g.
+  ipconfig, route, configure DNS), it sends a request over the service pipe to
+  the Interactive Service, which will then execute it (and clean up should
+  openvpn.exe crash).
+
+- ``--up`` scripts are run by openvpn.exe itself, which is running as user
+  *joe*, all privileges are nicely in place.
+
+- Scripts run by the GUI will run as user *joe*, so that automated tasks like
+  mapping of drives work as expected.
+
+This avoids the use of scripts for privilege escalation (as was possible by
+running an ``--up`` script from openvpn.exe which is run as administrator).
+
+
+Client-Service Communication
+
+
+Connecting
+--
+
+The client (OpenVPN GUI) and the Interactive Service communicate using a named
+message pipe. By default, the service provides the ``\\.\pipe\openvpn\service``
+named pipe.
+
+The client connects to the pipe for read/write and sets the pipe state to
+``PIPE_READMODE_MESSAGE``::
+
+   HANDLE pipe = CreateFile(_T(".\\pipe\\openvpn\\service"),
+   GENERIC_READ | GENERIC_WRITE,
+   0,
+   NULL,
+   OPEN_EXISTING,
+   FILE_FLAG_OVERLAPPED,
+   NULL);
+
+   if (pipe == INVALID_HANDLE_VALUE)
+   {
+   // Error
+   }
+
+   DWORD dwMode = PIPE_READMODE_MESSAGE;
+   if (!SetNamedPipeHandleState(pipe, , NULL, NULL)
+   {
+   // Error
+   }
+
+
+openvpn.exe Startup
+---
+
+After the client is connected to the service, the client must send a startup
+message to have the service start the openvpn.exe process. The startup message
+is comprised of three UTF-16 strings delimited by U zero characters::
+
+   startupmsg = workingdir WZERO openvpnoptions WZERO stdin WZERO
+
+   workingdir = WSTRING
+   openvpnoptions = WSTRING
+   stdin  = WSTRING
+
+   WSTRING= *WCHAR
+   WCHAR  = %x0001-
+   WZERO  = %x
+
+``workingdir``
+   Represents the folder openvpn.exe process should be started in.
+
+``openvpnoptions``
+   String contains ``--config`` and other OpenVPN command line options, without
+   the ``argv[0]`` executable name ("openvpn" or "openvpn.exe"). When there is
+   only one option specified, the ``--config`` option is assumed and the option
+   is the configuration filename.
+
+   Note that the interactive service validates the options. OpenVPN
+   configuration file must reside in the configuration folder defined by
+   ``config_dir`` registry value. The