Re: [Openvpn-devel] [PATCH 2/2] Allow repeated cycles through remotes when management-query-remote is in use

2020-05-13 Thread Selva Nair
Hi,

On Wed, May 13, 2020 at 12:36 PM Gert Doering  wrote:
>
> Hi,
>
> On Sun, Jun 09, 2019 at 03:33:55PM -0400, Selva Nair wrote:
> > Ref: https://patchwork.openvpn.net/project/openvpn2/list/?series=201
> >
> > These patches were meant to help implement choosing the remote through
> > the GUI. I may not find time for that but the patches by themselves
> > are still relevant.
> >
> > If there is some interest I'll rebase to master.
>
> I'm working my way through the patch queue these days, and now I'm
> at this one :-)
>
> Can you elaborate a bit how this would work, and how much work on the
> GUI side would be needed?  (And, yes, a rebased patch :) ).

From what I can recall...

Two points to note:

(i) With multiple remotes, openvpn exits if no successful connection
could be made after two cycles through all remotes (undocumented?).
(ii) When --management-query-remote is used, the core presents one
remote at a time and the user has to make a choice to skip, accept or
replace without knowing which remotes are available.

Now, for a user-friendly implementation of selecting the remote from a
GUI dialog, the plan is to silently cycle through all remotes, make a
list and then allow the user to make a selection from the list. This
will be aided by having a safe way to cycle through all remotes
multiple times without the core exiting --- arguably, one cycle is
enough to make a list and the list building is complete when the
second cycle starts. But it would be much easier to do this without
having to worry about the core exiting unexpectedly. The GUI knows how
to restart or terminate the core exit if need be.

The behaviour is unchanged if management-query-remote is not in use.

The patch also changes the way failed connections are counted: skipped
remotes should not be counted as failed as that count is used in the
back-off logic.

Selva


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
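
The list-building plan described in the message above, as an added example that is not part of the thread or of any OpenVPN GUI code. It assumes the management interface's `>REMOTE:host,port,proto` prompt and `remote SKIP` / `remote ACCEPT` replies, and that the configured remotes are distinct; the class and function names and the sample lines are hypothetical.

```python
import re

# Management-interface prompt: >REMOTE:<host>,<port>,<protocol>
REMOTE_RE = re.compile(r"^>REMOTE:([^,\s]+),(\d{1,5}),([A-Za-z0-9-]+)$")


def parse_remote(line):
    """Return (host, port, proto) for a >REMOTE prompt, else None."""
    m = REMOTE_RE.match(line.strip())
    if not m or not 0 < int(m.group(2)) < 65536:
        return None
    return (m.group(1), int(m.group(2)), m.group(3))


class RemoteLister:
    """Answers every prompt with SKIP until the first remote comes round
    again, which marks the start of the second cycle (list complete).
    Assumes the configured remotes are distinct."""

    def __init__(self):
        self.remotes = []
        self.complete = False

    def feed(self, line):
        """Handle one management line; return the reply to send or None."""
        remote = parse_remote(line)
        if remote is None or self.complete:
            return None
        if self.remotes and remote == self.remotes[0]:
            self.complete = True   # prompt stays pending for the user
            return None
        self.remotes.append(remote)
        return "remote SKIP"


def reply_for_choice(line, chosen):
    """After the user picked `chosen`, accept it or keep cycling."""
    remote = parse_remote(line)
    if remote is None:
        return None
    return "remote ACCEPT" if remote == chosen else "remote SKIP"


# Constructed sample traffic, not captured from a real session.
SAMPLE = [">HOLD:Waiting for hold release:0",
          ">REMOTE:vpn1.example.net,1194,udp",
          ">REMOTE:vpn2.example.net,443,tcp-client",
          ">REMOTE:vpn1.example.net,1194,udp"]


def demo():
    lister = RemoteLister()
    replies = [lister.feed(line) for line in SAMPLE]
    return lister.remotes, lister.complete, replies
```

Reaching the user's choice after the list is complete can take further `remote SKIP` replies, which is where a limit on cycles in the core would get in the way.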


Re: [Openvpn-devel] [PATCH 2/2] Allow repeated cycles through remotes when management-query-remote is in use

2020-05-13 Thread Gert Doering
Hi,

On Sun, Jun 09, 2019 at 03:33:55PM -0400, Selva Nair wrote:
> Ref: https://patchwork.openvpn.net/project/openvpn2/list/?series=201
> 
> These patches were meant to help implement choosing the remote through
> the GUI. I may not find time for that but the patches by themselves
> are still relevant.
> 
> If there is some interest I'll rebase to master.

I'm working my way through the patch queue these days, and now I'm
at this one :-)

Can you elaborate a bit how this would work, and how much work on the 
GUI side would be needed?  (And, yes, a rebased patch :) ).

gert


-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




[Openvpn-devel] [PATCH applied] Re: Change client side of t_lpback.sh configs to use inline material.

2020-05-13 Thread Gert Doering
Patch has been applied to the master branch.

And I agree with Antonio here - we need a bit more test coverage in this
section, which is actually fairly easy with the t_lpback approach (because
"without IP config", openvpn can happily talk to itself on all platforms,
not needing namespaces, dummynet, whatever). 

Maybe an extra set of config files with tls-crypt-v2, or running genkey 
first, and then using this...  any takers?

commit 6001784afd89c4e9d9d15cc9f2e84cec6bbe0e39
Author: Gert Doering
Date:   Wed May 13 16:11:47 2020 +0200

 Change client side of t_lpback.sh configs to use inline material.

 Signed-off-by: Gert Doering 
 Acked-by: Antonio Quartulli 
 Message-Id: <20200513141147.17171-1-g...@greenie.muc.de>
 URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19883.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





Re: [Openvpn-devel] [PATCH] Change client side of t_lpback.sh configs to use inline material.

2020-05-13 Thread Antonio Quartulli
Hi,

On 13/05/2020 16:11, Gert Doering wrote:
> We have no real test rig for "inline" key material (key, cert, ca,
> tls-auth, tls-crypt*) yet.   This change adds the "sample" key set
> as inline config to the "loopback-client" config, while keeping
> file-based configs for "loopback-server" - that way, testing both
> methods of loading keys etc. in one go.
> 
> Signed-off-by: Gert Doering 

Very good idea - this way we should catch at least some basic inlining bugs.
We probably want to add (to the unit test) a run for checking genkey as
well.

In any case, I stared at the change and it looks good!

I did not run it myself but buildbot will immediately tell us if
something is wrong.


Acked-by: Antonio Quartulli 


-- 
Antonio Quartulli




[Openvpn-devel] [PATCH] Change client side of t_lpback.sh configs to use inline material.

2020-05-13 Thread Gert Doering
We have no real test rig for "inline" key material (key, cert, ca,
tls-auth, tls-crypt*) yet.   This change adds the "sample" key set
as inline config to the "loopback-client" config, while keeping
file-based configs for "loopback-server" - that way, testing both
methods of loading keys etc. in one go.

Signed-off-by: Gert Doering 
---
 sample/sample-config-files/loopback-client | 207 -
 1 file changed, 203 insertions(+), 4 deletions(-)

diff --git a/sample/sample-config-files/loopback-client 
b/sample/sample-config-files/loopback-client
index 1734aa8b..4bfd3694 100644
--- a/sample/sample-config-files/loopback-client
+++ b/sample/sample-config-files/loopback-client
@@ -8,6 +8,9 @@
 #
 #  ./openvpn --config sample-config-files/loopback-client  (In one window) 
 #  ./openvpn --config sample-config-files/loopback-server  (Simultaneously in 
another window) 
+#
+# this config file has the crypto material (cert, key, ..) "inlined",
+# while the "server" config has it as external reference - test both paths
 
 rport 16000
 lport 16001
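Review bot: the header comment added at the end of the usage block names the inlined material only as "(cert, key, ..)" and does not say where it came from. Listing the directives in full and stating that the inline blocks are copies of the sample-keys/ files would tell whoever regenerates the sample keys that this file has to be updated too; the diffstat shows 203 inserted lines of copied material, so a pointer such as `# inline blocks copied from sample-keys/, keep in sync` is worth adding.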
@@ -18,10 +21,206 @@ verb 3
 reneg-sec 10
 tls-client
 remote-cert-tls server
-ca sample-keys/ca.crt
-key sample-keys/client.key
-cert sample-keys/client.crt
-tls-auth sample-keys/ta.key 1
+#ca sample-keys/ca.crt
+
+-BEGIN CERTIFICATE-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=
+-END CERTIFICATE-
+
+#key sample-keys/client.key
+
+-BEGIN PRIVATE KEY-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


Re: [Openvpn-devel] [PATCH applied] Re: Persist management-query-remote and proxy prompts

2020-05-13 Thread Gert Doering
Hi,

On Wed, May 13, 2020 at 03:57:54PM +0200, Gert Doering wrote:
> Your patch has been applied to the master branch.
> 
> commit 93ba6ccddafcc87f336f50dadde144ea4f6178ad
> Author: Selva Nair
> Date:   Thu Feb 20 22:00:28 2020 -0500


*and* to release/2.4, because "bugfix".  Forgot about that comment when
I was done with review and testing...

commit 38b46e6bf65489c2c5d75da1c02a3a1c33e6da88 (HEAD -> release/2.4)
Author: Selva Nair 
Date:   Thu Feb 20 22:00:28 2020 -0500

Persist management-query-remote and proxy prompts


applies fine, tests fine.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




[Openvpn-devel] [PATCH applied] Re: Persist management-query-remote and proxy prompts

2020-05-13 Thread Gert Doering
Acked-by: Gert Doering 

I won't claim to understand management, but the patch does what it
says, and it does so in the same way as querying for >PASSWORD is
done.  Selva understands management way better than I do, so if he
says this is needed, and the code is in line with what we currently
have (manage.c, management_query_user_pass(), management_hold(),
management_query_multiline()...) and does not look like "mem leak" 
or "overflow" - which it doesn't - good enough for me.

The code *looks* as if a reference to "out" is going out of scope,
but that one is allocated in , so it's fine.  Just hard to read.

These functions could do with a bit of C99 modernizing, getting 
rid of extra nesting levels that are just there to enable local
variables... but that's for a different round of refactoring.


Your patch has been applied to the master branch.

commit 93ba6ccddafcc87f336f50dadde144ea4f6178ad
Author: Selva Nair
Date:   Thu Feb 20 22:00:28 2020 -0500

 Persist management-query-remote and proxy prompts

 Signed-off-by: Selva Nair 
 Acked-by: Gert Doering 
 Message-Id: <1582254028-7763-1-git-send-email-selva.n...@gmail.com>
 URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19497.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





[Openvpn-devel] Summary of community meeting (13th May 2020)

2020-05-13 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 13th May 2020
Time: 11:30 CEST (9:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

dazo, krzee, lev, mattock, ordex and plaisthos participated in this meeting.

---

Talked about MSI/MSM for OpenVPN and tap-windows6. Mattock is now
fighting his way through the MSI/MSM jungle.

---

Talked about improving the buildbot configuration. Agreed that it makes
sense to:

1) Upgrade buildbot to a more modern version (better webui etc)
2) Migrate lots of semi-manual testing that is currently internal to
OpenVPN Inc. to buildbot
3) Start building openvpn3 on buildbot
4) Testing latest server code through buildbot

After the meeting cron2 reminded us that he has t_server testing
framework already - it is just running outside of buildbot.

Krzee and mattock will work together on these buildbot improvements.

---

Discussed OpenVPN 2.5 patches. This week dazo will review plaisthos'
three patches and start the epic "man page struggle".

---

Full chatlog attached

(12:28:46) mattock: hello!
(12:28:56) dazo: hey!
(12:30:12) mattock: cron2 said he could not make it
(12:30:26) mattock: it would be nice if rozmansi was here by accident :)
(12:30:42) mattock: I'm working on tap-windows6 MSM and unsurprisingly there 
have been a number of issues I've had to resolve
(12:30:48) krzee [be50baf1@openvpn/corp/krzee] è entrato nella stanza.
(12:30:53) mattock: probably related to the build environment, but problems 
nevertheless
(12:31:59) ordex: ué
(12:32:25) lev__: hello
(12:33:29) plaisthos: hello
(12:34:03) krzee: heyhey
(12:35:21) mattock: hi all
(12:35:23) mattock: so
(12:35:38) mattock: I pretty much reported what I've been up to :)
(12:35:48) mattock: any topics besides openvpn 2.5?
(12:36:16) dazo: plaisthos: what's the status now on the auth-token patches?
(12:36:35) dazo: Lets have a look here: 
https://community.openvpn.net/openvpn/wiki/StatusOfOpenvpn25
(12:36:37) vpnHelper: Title: StatusOfOpenvpn25 – OpenVPN Community (at 
community.openvpn.net)
(12:37:15) dazo: I'm planning to start playing with the man page challenge this 
week
(12:37:32) mattock: \o/
(12:37:39) plaisthos: dazo: err check patchwork
(12:37:44) mattock: sounds like e-sports
(12:38:51) krzee: id like to understand a little more about our unit tests 
(using buildbot as i understand), specifically because i think ovpn3 should be 
added to it when possible and i think that maybe corp and community could use 
the same tests so that efforts are not duplicated
(12:41:19) mattock: +1
(12:42:17) mattock: basically we'd just add openvpn3 build dependencies to a 
subset of our buildslaves and add a few builders to build openvpn3
(12:42:55) dazo: plaisthos: ahh, found it ... alright, 3 patches missing formal 
acks ... I'll try to complete that this week then
(12:44:57) dazo: mattock: Hmmm ... can we also please upgrade our buildbot to 
something more up-to-date?  So that it is simpler to get an overview what is 
being run/tested, split out build errors from test errors, etc
(12:46:23) mattock: yes that is the plan
(12:46:30) mattock: after MSI stuff
(12:46:50) dazo: good!  Then I'll keep quite for a bit more :-P
(12:46:51) plaisthos: like jenkins?
(12:46:55) dazo: *quiet
(12:47:06) plaisthos: or newer buildbot?
(12:47:10) mattock: no jenkinses
(12:47:14) mattock: update buildbot
(12:47:16) mattock: :)
(12:47:20) krzee: how many tests are already implemented in buildbot?
(12:47:22) dazo: plaisthos: hehe 
(12:47:35) dazo: krzee: Only `make check`
(12:47:36) mattock: not sure as those are created programmatically
(12:47:47) plaisthos: no was a serious question. People might have more 
experience with jenkin
(12:48:12) mattock: yes, and it is still a piece of crap especially from 
management perspective
(12:48:37) ordex: :D
(12:48:51) krzee: dazo, i dont understand the answer
(12:49:44) ordex: tests are defined in t_client
(12:49:44) dazo: krzee: buildbot runs 'make check' ... so what is being run is 
defined in tests/Makefile.am via the TESTS variable
(12:50:04) ordex: the buildbot just runs make check (which executes the unit 
tests and the various t_* scripts)
(12:50:07) dazo: t_client.sh is one of the defined tests in TESTS
(12:50:31) ordex: right
(12:51:07) mattock: krzee and I also talked about extending t_client to include 
server-side tests (i.e. connect clients to a server instance built from HEAD)
(12:51:28) mattock: at the moment our servers are static (version  of 
openvpn)
(12:51:36) dazo: 
https://github.com/OpenVPN/openvpn/blob/master/tests/Makefile.am#L17   oh 
and beware of SUBDIRS too ... so this is also evaluated, recursively
(12:51:38) vpnHelper: Title: openvpn/Makefile.am at master · OpenVPN/openvpn · 
GitHub (at github.com)