Re: [Openvpn-devel] [ovpn-dco] How to benchmark kernel crypto performance?

2022-04-05 Thread Jan Just Keijser
in mb speed tests (defaults to 8) (uint) parm:   klen:Key length (defaults to 0) (uint) cheers, JJK Jan Just Keijser 于2022年4月5日周二 19:26写道: hi Tony, On 02/04/22 11:40, Tony He wrote: Hi Antonio, I am porting ovpn-dco to embedded ARMv8 device with hardware crypto engine. However the

Re: [Openvpn-devel] [ovpn-dco] How to benchmark kernel crypto performance?

2022-04-05 Thread Jan Just Keijser
hi Tony, On 02/04/22 11:40, Tony He wrote: Hi Antonio, I am porting ovpn-dco to embedded ARMv8 device with hardware crypto engine. However the performance is not very good. It's about 130-140Mbps. I expect more. The SDK already provides kernel CryptoAPI(CFI) interface to access the crypto engi

Re: [Openvpn-devel] [PATCH v2] Retain CAP_NET_ADMIN when dropping privileges

2022-03-30 Thread Jan Just Keijser
Hi, On 30/03/22 22:55, Timo Rothenpieler wrote: --- Using libcap-ng now sorry to butt in late, but I've got a nasty feeling about this... the whole purpose of using --user is, according to the man page --user user Change the user ID of the OpenVPN process to user after

[Openvpn-devel] Switched email addresses

2022-03-09 Thread Jan Just Keijser
e forwarded yet. cheers, JJK / Jan Just Keijser ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.5.5 released

2021-12-15 Thread Jan Just Keijser
On 15/12/21 18:01, Gert Doering wrote: Hi, On Wed, Dec 15, 2021 at 04:30:43PM +, tincantech via Openvpn-users wrote: -BEGIN PGP SIGNED MESSAGE- It seems only fair to warn the OpenVPN community that Version 2.5.5 has had bugs identified. A new release v2.5.6 is planned for the comin

Re: [Openvpn-devel] NTLMv1, NTLMv2 HTTP proxy support?

2021-12-15 Thread Jan Just Keijser
"if your local proxy is running unsupported legacy code in an insecure setup, then you will have to resort to openvpn 2.4.x " or similar. BTW, do you know who worked on the obfuscation/transport API stuff? Was that David S? cheers, JJK / Jan Ju

Re: [Openvpn-devel] [Openvpn-users] NTLMv1, NTLMv2 HTTP proxy support?

2021-11-11 Thread Jan Just Keijser
Hi Jason, On 09/11/21 09:37, Jason Haar wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 How about ditching the NTLM and adding HTTPS proxy support instead? ;-) Does the privacy aspect of talking to proxies "properly" of course (Basic is fine over HTTPS) (and accidentally makes openvpn-o

Re: [Openvpn-devel] [PATCH v2 2/2] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-20 Thread Jan Just Keijser
On 20/05/21 23:12, tincantech wrote: [...] So, why switch to .pem when it has never been used before by openvpn? If you are all happy to let it go that way then so be it, Hopefully this clarifies things: - the default output format of OpenSSL is PEM-encoded; openssl uses the default ex

Re: [Openvpn-devel] [PATCH v2 2/2] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint

2021-05-20 Thread Jan Just Keijser
Hi, On 20/05/21 21:49, tincantech via Openvpn-devel wrote: Hi, again, I do not understand why openvpn chose to switch to .pem for this tutorial. PEM -> Private Email, which this is not. You have a certificate and a key and every other openvpn tutorial on openvpn and probably the entire plane

Re: [Openvpn-devel] [PATCH] Allow PKCS#11 uri to be used as --cert and --key file names

2021-05-06 Thread Jan Just Keijser
Hi Selva, On 05/05/21 15:29, Selva Nair wrote: On Wed, May 5, 2021 at 4:00 AM Jan Just Keijser wrote: On 05/05/21 07:18, selva.n...@gmail.com wrote: From: Selva Nair If either --cert or --key is specified as a PKCS#11 uri, try to load the certificate and key from any accessible PKCS#11

Re: [Openvpn-devel] [PATCH] Allow PKCS#11 uri to be used as --cert and --key file names

2021-05-05 Thread Jan Just Keijser
Hi Selva, On 05/05/21 07:18, selva.n...@gmail.com wrote: From: Selva Nair If either --cert or --key is specified as a PKCS#11 uri, try to load the certificate and key from any accessible PKCS#11 device. This does not require linking with any pkcs11 library, but needs pkcs11 engine to be availa

Re: [Openvpn-devel] [PATCH 2/3] Remove --ncp-disable option

2021-04-09 Thread Jan Just Keijser
Hi Arne, Antonio, On 09/04/21 11:53, Arne Schwabe wrote: Am 09.04.21 um 11:24 schrieb Jan Just Keijser: On 08/04/21 17:52, Gert Doering wrote: On Thu, Apr 08, 2021 at 05:30:52PM +0200, Jan Just Keijser wrote: I don't have any evidence with 2.5 right now but this is just a matter o

Re: [Openvpn-devel] [PATCH 2/3] Remove --ncp-disable option

2021-04-09 Thread Jan Just Keijser
Hi, On 08/04/21 17:52, Gert Doering wrote: Hi, On Thu, Apr 08, 2021 at 05:30:52PM +0200, Jan Just Keijser wrote: I don't have any evidence with 2.5 right now but this is just a matter of use/principle to me: I can very well see that I would like to have a setup *without* NCP as I simp

Re: [Openvpn-devel] [PATCH 2/3] Remove --ncp-disable option

2021-04-08 Thread Jan Just Keijser
On 08/04/21 16:55, Arne Schwabe wrote: Am 08.04.21 um 16:36 schrieb Jan Just Keijser: Hi, On 08/04/21 16:02, Arne Schwabe wrote: NCP has proven to be stable and apart from the one VPN Provider doing hacky things with homebrewed NCP we have not had any reports about ncp-disable being required

Re: [Openvpn-devel] [PATCH 2/3] Remove --ncp-disable option

2021-04-08 Thread Jan Just Keijser
Hi, On 08/04/21 16:02, Arne Schwabe wrote: NCP has proven to be stable and apart from the one VPN Provider doing hacky things with homebrewed NCP we have not had any reports about ncp-disable being required. Remove ncp-disable to simplify code paths. Note: This patch breaks client without --pul

Re: [Openvpn-devel] is it possible to store saved password in tpm instead of registry ?

2021-01-14 Thread Jan Just Keijser
Hi, On 13/01/21 19:29, Илья Шипицин wrote: ср, 13 янв. 2021 г. в 22:01, Jan Just Keijser <mailto:janj...@nikhef.nl>: Hi, On 13/01/21 17:20, Илья Шипицин wrote: > Hello, > > if user save password, it might be stolen from well known location

Re: [Openvpn-devel] is it possible to store saved password in tpm instead of registry ?

2021-01-13 Thread Jan Just Keijser
Hi, On 13/01/21 17:20, Илья Шипицин wrote: Hello, if a user saves a password, it might be stolen from a well known location (there are popular password stealers). in theory, is it possible to keep the password in tpm ? will it prevent the password from being stolen ? in theory, yes, but as always, it d

Re: [Openvpn-devel] wanted: mechanism to send text messages to client

2020-12-23 Thread Jan Just Keijser
On 21/12/20 18:22, Selva Nair wrote: On Mon, Dec 21, 2020 at 2:04 AM Gert Doering wrote: Hi, On Sun, Dec 20, 2020 at 07:31:42PM -0500, Selva Nair wrote: > I thought we already went through this when we discussed the proposed "echo > msg" in c

Re: [Openvpn-devel] weird issue with server failover when *Not* using keepalive

2020-12-09 Thread Jan Just Keijser
Hi, On 04/12/20 16:24, Arne Schwabe wrote: If I change the client config to list only a single   remote 1194 udp line then this reconnect behavior does NOT occur ?!?!?!? This might be a bug in the initialisation order. That the ping timer is armed before next_connection_entry is called. If y

Re: [Openvpn-devel] [ovpn-dco] AES-CCM available for testing

2020-12-07 Thread Jan Just Keijser
Hi Antonio, On 07/12/20 10:56, Antonio Quartulli wrote: Hi Jan Just, Tony, On 07/12/2020 10:10, Jan Just Keijser wrote: Thank you very much for adding this so quickly; it won't help Tony He though, as he is stuck using a rather old AL314 + R9000 chip which does not support CCM or GCM. I

Re: [Openvpn-devel] [ovpn-dco] AES-CCM available for testing

2020-12-07 Thread Jan Just Keijser
Hi Antonio, On 06/12/20 17:09, Antonio Quartulli wrote: Hi all, Some people have expressed interest in ovpn-dco supporting AES-CBC. However, since ovpn-dco is currently using the AEAD kernel crypto API only, introducing support for CBC mode would require quite some refactoring and we do not re

Re: [Openvpn-devel] weird issue with server failover when *Not* using keepalive

2020-12-04 Thread Jan Just Keijser
Hi, On 04/12/20 15:38, Arne Schwabe wrote: Am 04.12.20 um 11:59 schrieb Jan Just Keijser: hey guys, I'm posting this on behalf of the eduVPN team. François Kooman spent a long time debugging an issue and finally managed to find the piece of code that causes the weird behavior. Let me ex

[Openvpn-devel] weird issue with server failover when *Not* using keepalive

2020-12-04 Thread Jan Just Keijser
hey guys, I'm posting this on behalf of the eduVPN team. François Kooman spent a long time debugging an issue and finally managed to find the piece of code that causes the weird behavior. Let me explain: For eduVPN, multiple openvpn instances are offered , both on UDP and TCP ports and the c

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-12-04 Thread Jan Just Keijser
penssl 1.0.x speed command is screwed up. It will be worthwhile to build openssl 1.1.1 for the AL314 just to see if aes-128-ccm is a viable option or not. JJK Jan Just Keijser <mailto:janj...@nikhef.nl> 于2020年12月4日周五 下午5:49写道: Hi Tony, On 04/12/20 08:41, Tony He wrote:

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-12-04 Thread Jan Just Keijser
sha1's in 3.00s Doing sha1 for 3s on 256 size blocks: 603090 sha1's in 3.00s Doing sha1 for 3s on 1024 size blocks: 198963 sha1's in 3.00s Doing sha1 for 3s on 8192 size blocks: 27380 sha1's in 3.00s ... type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes sha1 10013.71k 26677.

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-12-02 Thread Jan Just Keijser
Hi Tony, On 02/12/20 15:51, Jan Just Keijser wrote: On 02/12/20 15:22, Tony He wrote: Hi Jan, Welcome to join the discussion. >the second set of numbers doesn't make sense, and a much better test is to do an actual encryption test I don't compile cryptodev kernel module for

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-12-02 Thread Jan Just Keijser
blocks. Maybe for small blocks it's slower because it needs the time to push the work to the kernel and then the HW engine, and the time spent may be longer than the time it costs when OpenSSL directly does the encryption/decryption. Tony Jan Just Keijser <mailto:janj...@nikhef.nl> 于2020年12月2

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-12-02 Thread Jan Just Keijser
hi Tony, On 01/12/20 02:50, Tony He wrote: Hi Arne, openssl speed -evp aes-128-cbc type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-128-cbc 20035.60k 123261.54k 267081.60k 1094764.09k 9181370.18k openssl speed -evp aes-128-gcm type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes a

[Openvpn-devel] [PATCH] [V5] Added support for DHCP option 119 (dns search suffix, list) for Windows. As of Windows 10 1809 Windows finally supports this so it makes sense to add support to OpenVPN a

2020-07-14 Thread Jan Just Keijser
Hi, On 11/07/20 12:44, Gert Doering wrote: On Fri, Jul 10, 2020 at 06:42:18PM +0200, Jan Just Keijser wrote: On 08/07/20 10:24, Gert Doering wrote: Can I have a v4, please? :-) V4: Okay, here we go... thanks for the review, I incorporated your suggestions and comments almost verbatim

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-07-10 Thread Jan Just Keijser
Hi all, On 08-Jul-20 10:24, Gert Doering wrote: On Tue, Jul 07, 2020 at 06:14:25PM +0200, Jan Just Keijser wrote: This one works(!), so generally, Win10 accepts this DHCP option - but it seems to want "all domains in one". Can you send a v3? not sure if all went well , but

[Openvpn-devel] [PATCH] [V4] Added support for DHCP option 119 (dns search suffix, list) for Windows. As of Windows 10 1809 Windows finally supports this so it makes sense to add support to OpenVPN a

2020-07-10 Thread Jan Just Keijser
On 08/07/20 10:24, Gert Doering wrote: Can I have a v4, please? :-) V4: From fe0592df3235f3eb9bc9820586651ba8fc8bade0 Mon Sep 17 00:00:00 2001 From: Jan Just Keijser Date: Fri, 10 Jul 2020 18:40:43 +0200 Subject: [PATCH] Added support for DHCP option 119 (dns search suffix list)

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-07-07 Thread Jan Just Keijser
Hi, On 06/07/20 18:15, Gert Doering wrote: Hi, On Tue, Jun 30, 2020 at 04:15:58PM +0200, Jan Just Keijser wrote: On 30/06/20 16:11, Gert Doering wrote: On Tue, Jun 30, 2020 at 04:07:52PM +0200, Jan Just Keijser wrote: @@ -5697,6 +5740,11 @@ build_dhcp_options_string(struct buffer *buf

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-07-03 Thread Jan Just Keijser
Hi, On 03/07/20 11:18, Arne Schwabe wrote: The main purpose of that RFC is to ensure we handle DNS and --dhcp-options consistently across all OpenVPN implementations we care about, and that we document this properly. I see one as an implementation issue (can we specify a particular DHCP option

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-07-03 Thread Jan Just Keijser
Hi, On 02/07/20 23:04, David Sommerseth wrote: On 30/06/2020 16:15, Jan Just Keijser wrote: hi, On 30/06/20 16:11, Gert Doering wrote: Hi, On Tue, Jun 30, 2020 at 04:07:52PM +0200, Jan Just Keijser wrote: @@ -5697,6 +5740,11 @@ build_dhcp_options_string(struct buffer *buf, const struct

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-06-30 Thread Jan Just Keijser
hi, On 30/06/20 16:11, Gert Doering wrote: Hi, On Tue, Jun 30, 2020 at 04:07:52PM +0200, Jan Just Keijser wrote: @@ -5697,6 +5740,11 @@ build_dhcp_options_string(struct buffer *buf, const struct tuntap_options *o) write_dhcp_u32_array(buf, 42, (uint32_t *)o->ntp, o->ntp_len,

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-06-30 Thread Jan Just Keijser
31af223a574f75de48797ba76698 Mon Sep 17 00:00:00 2001 From: Jan Just Keijser Date: Tue, 30 Jun 2020 15:52:58 +0200 Subject: [PATCH] Added support for DHCP option 119 (dns search suffix list) for Windows. As of Windows 10 1809 Windows finally supports this so it makes sense to add support to OpenVPN a

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-06-23 Thread Jan Just Keijser
Just Keijser wrote: So, for what it's worth, I've dusted off the patch again and rebased it to the current openvpn master tree. See attached. Note that I did only rudimentary testing, as I don't use Windows 10 a lot and I was testing using a mingw cross-compile only. In wireshark

Re: [Openvpn-devel] [PATCH v2 4/5] Implement sending SSO challenge to clients

2020-05-15 Thread Jan Just Keijser
On 15/05/20 17:40, David Sommerseth wrote: On 15/05/2020 17:36, David Sommerseth wrote: On 09/11/2019 16:13, Arne Schwabe wrote: This implements sending AUTH_PENDING and INFO_PRE messages to clients that indicate that the clients should be continue authentication with a second factor. This can

Re: [Openvpn-devel] [Openvpn-users] new openssl = new OpenVPN release ?

2020-04-22 Thread Jan Just Keijser
Hi Arne, On 22/04/20 10:13, Arne Schwabe wrote: SSL_check_chain() function". Which we don't, I just grepped through our source tree. So, unless I misunderstand something about OpenSSL intricacies, I think we're safe - no new installers needed, and OpenVPN is not in risk. the advisory applie

Re: [Openvpn-devel] [Openvpn-users] new openssl = new OpenVPN release ?

2020-04-22 Thread Jan Just Keijser
Hi Gert, On 21/04/20 20:59, Gert Doering wrote: Hi, On Tue, Apr 21, 2020 at 08:37:35PM +0200, Gert Doering wrote: On Tue, Apr 21, 2020 at 02:15:43PM -0400, mike tancsa wrote:     Will the sec issue with OpenSSL force a new release of OpenVPN ? https://www.openssl.org/news/secadv/20200421.tx

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-03-05 Thread Jan Just Keijser
Hi all, On 05/03/20 13:53, Jan Just Keijser wrote: Hi, On 01/03/20 16:29, Selva Nair wrote: On Sun, Mar 1, 2020 at 2:17 AM Gert Doering wrote: On Sun, Mar 01, 2020 at 05:37:15AM +, Leroy Tennison via Openvpn-users wrote: Admittedly, and older server version (2.3) but is there a way to

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-03-05 Thread Jan Just Keijser
er to implement Also note that I did not fully implement the RFC3397 encoding of the search list, as that requires one to merge domain names that occur more than once - that would have made the code far more complicated. share and enjoy, JJK From a969947cd86292c881f7cc1c704ac992e8f6f

Re: [Openvpn-devel] [PATCH v2 1/7] Visual Studio: upgrade project files to VS2019

2019-11-07 Thread Jan Just Keijser
Last version of openvpn for xp/Vista is 2.3, so dropping support for it in the build system is a no brainer to me. JM2CW, JJK Gert Doering wrote: >Hi, > >On Thu, Nov 07, 2019 at 07:28:36PM +0100, Lev Stipakov wrote: >> With VS2019 you cannot build for XP, you would need to install build too

Re: [Openvpn-devel] Tap-windows6 test installer with PRs #84 and #86

2019-10-25 Thread Jan Just Keijser
Hi, On 23/10/19 13:20, Samuli Seppänen wrote: Il 23/10/19 14:19, Samuli Seppänen ha scritto: Hi, Here is a new Windows 10 / Server 2016+ tap-windows6 installer. It is based on the latest code in "master" plus two currently unmerged PRs: "Introduce TAP adapter as a virtual device"

Re: [Openvpn-devel] Wintun performance results

2019-05-16 Thread Jan Just Keijser
Hi David, On 15/05/19 19:32, David Sommerseth wrote: On 15/05/2019 16:49, Илья Шипицин wrote: it will most probably get lost in mailing list. can we add it to https://openvpn.net website ? something like "performance testing" with full configs provided ? Good idea, but maybe not the official

Re: [Openvpn-devel] Client reconnect issues

2019-04-26 Thread Jan Just Keijser
Hi Antonio, On 26/04/19 16:02, Antonio Quartulli wrote: Hi, On 26/04/2019 15:57, Jan Just Keijser wrote: I'd look into the way session tickets are configured and used in mbedtls, e.g. read up on https://tls.mbed.org/discussions/generic/what-is-the-correct-way-to-use-session-tickets

Re: [Openvpn-devel] Client reconnect issues

2019-04-26 Thread Jan Just Keijser
Hi Pieter, On 26/04/19 15:32, Pieter Hulshoff wrote: Gert, Op vr 19 apr. 2019 om 13:38 schreef Pieter Hulshoff: I've been looking at https://community.openvpn.net/openvpn/ticket/880 for a while now, and was wondering if there'd been any a

Re: [Openvpn-devel] Issue with smartcard authentication for openvpn

2019-04-19 Thread Jan Just Keijser
Hi Selva, On 17/04/19 17:52, Selva Nair wrote: On Wed, Apr 17, 2019 at 10:50 AM Jan Just Keijser <mailto:janj...@nikhef.nl> wrote: On 10/04/19 19:09, Selva Nair wrote: On Wed, Apr 10, 2019 at 12:59 PM Jan Just Keijser <mailto:janj...@nikhef.nl> wr

Re: [Openvpn-devel] Issue with smartcard authentication for openvpn

2019-04-17 Thread Jan Just Keijser
Hi Selva, On 10/04/19 19:09, Selva Nair wrote: On Wed, Apr 10, 2019 at 12:59 PM Jan Just Keijser <mailto:janj...@nikhef.nl> wrote: On 10/04/19 17:58, Selva Nair wrote: Hi, This is more relevant to OpenVPN than OpenSSL, so copying to the openvpn-devel list.

Re: [Openvpn-devel] openvpn with udp lost event.

2019-04-17 Thread Jan Just Keijser
On 15/04/19 14:29, wei wang wrote: Hi, For function multi_process_io_udp receive many events, but only process one at a time. Does it cause the event to be lost? yes it does In our test, we had created thousands of clients. When clients connect to server at a time, for the clients which already

Re: [Openvpn-devel] Why does the tun-mtu default to 1500 bytes?

2019-04-17 Thread Jan Just Keijser
Hi Marcus, On 17/04/19 00:11, Marcus Wichelmann wrote: Hello, I'm wondering what the reason is that OpenVPN Community sets the default TUN-MTU to 1500 bytes, as seen here: https://github.com/OpenVPN/openvpn/blob/ed31cf2ab718d879615dea81e6a17d26537ab43a/src/openvpn/mtu.h#L70 In my understandin

Re: [Openvpn-devel] Issue with smartcard authentication for openvpn

2019-04-10 Thread Jan Just Keijser
On 10/04/19 17:58, Selva Nair wrote: Hi, This is more relevant to OpenVPN than OpenSSL, so copying to the openvpn-devel list. On Wed, Apr 10, 2019 at 10:11 AM Francois Gelis <mailto:francois.ge...@gmail.com> wrote: Hi all, I have a working openvpn setup with client certificate and

Re: [Openvpn-devel] New tap-windows6 driver for Windows 7/8/8.1/Server 2012r2 ready for testing

2019-04-08 Thread Jan Just Keijser
Hi Samuli, On 05/04/19 16:00, Samuli Seppänen wrote: Hi, A new pre-release tap-windows6 driver (9.23.1) is available for testing. It should work on Windows 7/8/8.1/Server 2012r2. It _will not_ work on Windows 10 or Windows Server 2016/2019. The driver includes several new features such as sup

Re: [Openvpn-devel] Summary of the community meeting (Wed, 12th Mar 2019)

2019-03-13 Thread Jan Just Keijser
Hi Samuli, On 13/03/19 13:00, Samuli Seppänen wrote: Hi, Here's the summary of the IRC meeting. Talked about release OpenVPN 2.x Windows installers with OpenSSL 1.1.1. Agreed that this makes sense as people (on forums for example) already take 2.4.x and replace the OpenSSL libraries forcibly.

Re: [Openvpn-devel] Summary of the community meeting (Wed, 19th Dec 2018)

2018-12-19 Thread Jan Just Keijser
Hi list, as a follow-up to the discussion we had in the community meeting: (13:38:08) dazo: janjust: if you get a chance to verify whether using non-ncp-listed cipher works with ccd, that's a good detail to know the answer is: yes and no ;) Yes, it is possible to specify a *NEW* list of ncp

Re: [Openvpn-devel] Summary of the community meeting (Wed, 28th Nov 2018)

2018-12-04 Thread Jan Just Keijser
Hi Lev, On 29/11/18 16:18, Lev Stipakov wrote: Some background information. In openvpn3 we decided not to implement fragments, because:  - this is quite a big feature which has to be supported through the whole stack (client, server, kernel module)  - we assume that it is not used by most o

Re: [Openvpn-devel] Summary of the community meeting (Wed, 28th Nov 2018)

2018-11-30 Thread Jan Just Keijser
inside the tunnel only, and only for TCP connections. It does not depend on the outside protocol (UDP or TCP). I fully agree that having PMTUD would be nice to have, but even that has its drawbacks... JM2CW, JJK -Original Message- From: Jan Just Keijser [mailto:janj...@nikhef.nl] Sent

Re: [Openvpn-devel] Summary of the community meeting (Wed, 28th Nov 2018)

2018-11-30 Thread Jan Just Keijser
Hi Lev, Simon, On 30/11/18 07:10, Simon Matter wrote: Hi Jan Just, (forgot to add openvpn-devel in previous mail) Some background information. In openvpn3 we decided not to implement fragments, because: - this is quite a big feature which has to be supported through the whole stack (client

Re: [Openvpn-devel] Summary of the community meeting (Wed, 28th Nov 2018)

2018-11-29 Thread Jan Just Keijser
Hi, On 29/11/18 09:03, Samuli Seppänen wrote: [...] Had a discussion about --fragment. Agreed that if we can fix internal fragmentation without needing a change in frame format then we can definitely deprecate --fragment in the long-term. Also noted that lack of tun-mtu support on Windows mig

Re: [Openvpn-devel] foreign_option_2 not set in 2.4

2018-11-22 Thread Jan Just Keijser
Hi, On 22/11/18 15:43, Arne Schwabe wrote: Am 22.11.18 um 14:46 schrieb Cyril Scetbon: OpenVPN 2.4.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 8 2018 Output with --verb 4 https://pastebin.com/huQmnGaU Read your log closer. This is not a bug

Re: [Openvpn-devel] Adding Google Analytics code to Trac?

2018-10-24 Thread Jan Just Keijser
Hi, On 24/10/18 13:47, Samuli Seppänen wrote: Hi, The OpenVPN Inc. webmaster would like to add Google Analytics to community.openvpn.net, i.e. our Trac wiki/bug tracker. I said we need to consult the community first because GA can be seen as a form of spying. Here's our webmaster's view on this

Re: [Openvpn-devel] [Openvpn-users] disabling compression on the fly?

2018-10-09 Thread Jan Just Keijser
Hi Ralf, On 09/10/18 13:35, Ralf Hildebrandt wrote: Currently we're suppling our user with a charite.ovpn File containing: ... compress lzo ... In some cases, we're overriding this on the server side by using: if (defined $ENV{'IV_LZ4'}) { $logger->info("$username lz4: available"); pu

Re: [Openvpn-devel] Discussion: Moving forward with compression and voracle

2018-08-29 Thread Jan Just Keijser
On 27/08/18 14:46, David Sommerseth wrote: On 24/08/18 21:16, Gert Doering wrote: You do not need to agree with me on this, you just need to accept this as a fact of life. I will resist any change that removes useful functionality from the "swiss tool kit of VPN" side of OpenVPN just because us

Re: [Openvpn-devel] [PATCH v2] Fix typo in IPv6 address in comment.

2018-07-16 Thread Jan Just Keijser
Hi Gert, On 15/07/18 22:43, Gert Doering wrote: Comment talks about ff02::1::ff00:8, correct address is ff02::1:ff00:8, and about fe80::1 where fe80::8 is the proper magic number. thanks for this patch! What's the CVE for this? when do we get an emergency patch? will this change be backported

Re: [Openvpn-devel] Does the OpenVPN protocol itself handle windowing?

2018-06-05 Thread Jan Just Keijser
Following up on myself On 05/06/18 14:25, Jan Just Keijser wrote: On 01/06/18 02:50, Derek Zimmer wrote: I'm still working on this, as I think it is worthwhile for us to explore and get some hard data on how all of these things perform in a real world environment. I've been

Re: [Openvpn-devel] Does the OpenVPN protocol itself handle windowing?

2018-06-05 Thread Jan Just Keijser
nce. Please contact me off-list if you want to work together on this. HTH, JJK / Jan Just Keijser On Sun, May 6, 2018 at 8:04 AM, Steffan Karger <mailto:stef...@karger.me> wrote: Hi, On 04-05-18 17:45, Jan Just Keijser wrote: > On 04/05/18 16:41, Derek Zimmer

Re: [Openvpn-devel] [PATCH 1/2] make tls-auth a per-connection-block option

2018-06-04 Thread Jan Just Keijser
Hi, On 04/06/18 09:15, Gert Doering wrote: On Mon, Jun 04, 2018 at 09:10:23AM +0200, Jan Just Keijser wrote: What's the particular use case for putting tls-auth files in connection blocks? "I have one existing server that is not using tls-auth yet, and a new one that has tls-auth,

Re: [Openvpn-devel] [PATCH 1/2] make tls-auth a per-connection-block option

2018-06-04 Thread Jan Just Keijser
Hi Antonio, On 04/06/18 04:15, Antonio Quartulli wrote: Hi all, On 02/06/18 11:42, Antonio Quartulli wrote: Different VPN servers may use different tls-auth keys. For this reason it is convenient to make tls-auth a per-connection-block option so that the user is allowed to specify one key per

Re: [Openvpn-devel] [PATCH] Support fingerprint authentication

2018-05-28 Thread Jan Just Keijser
Hi all, On 25/05/18 22:56, Simon Rozman wrote: JJK, I think you are misreading this proposal. No hash is being sent as a part of the handshake -- it's still client and server certificates that are exchanged and checked during handshake. The hash is exchanged by a separate channel (say snail mail

Re: [Openvpn-devel] [PATCH] Support fingerprint authentication

2018-05-25 Thread Jan Just Keijser
Hi Selva, On 25/05/18 16:07, Selva Nair wrote: On Fri, May 25, 2018 at 9:51 AM, Jan Just Keijser wrote: On 25/05/18 03:41, Simon Rozman wrote: Private and public key are still used. The patch still uses certificates and TLS, it only replaces the check certificate of the peer's certif

Re: [Openvpn-devel] [PATCH] Support fingerprint authentication

2018-05-25 Thread Jan Just Keijser
Hi, On 25/05/18 03:41, Simon Rozman wrote: Private and public key are still used. The patch still uses certificates and TLS, it only replaces the check certificate of the peer's certificate against the CA with a hash check (certificate pinning if you want). So basically instead of saying that yo

Re: [Openvpn-devel] [PATCH] Support fingerprint authentication

2018-05-23 Thread Jan Just Keijser
Hi Arne, On 23/05/18 16:46, Arne Schwabe wrote: I have some strong thoughts on this, mostly related to:  can someone explain to me why this is safe? I've seen that OpenSSH 7.7 now implements something similar (xmss hash-based signatures, https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-bas

Re: [Openvpn-devel] [PATCH] Support fingerprint authentication

2018-05-23 Thread Jan Just Keijser
Hi Steffan, On 17/05/18 20:31, Steffan Karger wrote: Hi Jason, [ Dumping my thoughts so this doesn't remain completely unanswered for even longer. ] On 17-04-18 18:50, Jason A. Donenfeld wrote: OpenVPN traditionally works around CAs. However many TLS-based protocols also allow an alternative

Re: [Openvpn-devel] Minimum Linux Version for OpenVPN 2.4.x

2018-05-23 Thread Jan Just Keijser
Hi, On 22/05/18 22:47, Gert Doering wrote: On Tue, May 22, 2018 at 09:10:10PM +0200, David Sommerseth wrote: On 22/05/18 19:32, Marvin wrote: Can someone tell me the minimum Linux version that OpenVPN 2.4.x will build and run on? We have an older appliance that runs on an older 2.4.31 kernel

Re: [Openvpn-devel] Does the OpenVPN protocol itself handle windowing?

2018-05-04 Thread Jan Just Keijser
I was expecting something of 2% or less. cheers, JJK On Fri, May 4, 2018 at 10:45 AM, Jan Just Keijser <mailto:janj...@nikhef.nl> wrote: Hi, see some comments inline On 04/05/18 16:41, Derek Zimmer wrote: Hello everyone, Derek from OSTIF here. I

Re: [Openvpn-devel] Does the OpenVPN protocol itself handle windowing?

2018-05-04 Thread Jan Just Keijser
Hi, see some comments inline On 04/05/18 16:41, Derek Zimmer wrote: Hello everyone, Derek from OSTIF here. I've been working with OpenVPN for a few years and there are a few curious performance anomalies that I've run into that add up to a possible performance opportunity. My experience lies cl

Re: [Openvpn-devel] Viscosity patch to TAP driver

2018-04-12 Thread Jan Just Keijser
Hi, On 12/04/18 16:50, Gert Doering wrote: Hi, On Thu, Apr 12, 2018 at 10:27:08AM -0400, Selva Nair wrote: This change was made not because of any actual performance gains, but because of user reports that certain firewall or AV software tries to QoS the adapter based on its reported adapter s

Re: [Openvpn-devel] aes-gcm and iperf on Windows

2018-03-29 Thread Jan Just Keijser
Hi, (renamed the topic to reflect what it's about) On 27/03/18 01:09, fragmentux wrote: I am not convinced 'iperf -r' is reliable (bold claim maybe .. ) iperf3 have dropped -r in favour of -R "reverse mode" server sends and client receives. but not both on the same run .. After numerous hangs

Re: [Openvpn-devel] Summary of the community meeting (Wed, 21st Mar 2018)

2018-03-22 Thread Jan Just Keijser
Hi Selva, On 22/03/18 18:12, Selva Nair wrote: On Thu, Mar 22, 2018 at 12:16 PM, Jan Just Keijser wrote: Hi Eric, all, On 22/03/18 04:25, Eric Thorpe wrote: Hi All, One of the Viscosity developers here. The TAP driver used by Viscosity is based on the OpenVPN TAP-Windows driver. We

Re: [Openvpn-devel] Summary of the community meeting (Wed, 21st Mar 2018)

2018-03-22 Thread Jan Just Keijser
Hi Eric, all, On 22/03/18 04:25, Eric Thorpe wrote: Hi All, One of the Viscosity developers here. The TAP driver used by Viscosity is based on the OpenVPN TAP-Windows driver. We're surprised to hear of any performance differences, as the changes we've made are very minimal. Besides a name

Re: [Openvpn-devel] [Openvpn-users] "Reconnect" button in openvpn-gui

2018-02-08 Thread Jan Just Keijser
Hi, On 08/02/18 09:15, Samuli Seppänen wrote: Il 07/02/2018 21:58, David Sommerseth ha scritto: On 07/02/18 20:32, Илья Шипицин wrote: After auth-token were introduced, when a user presses "Reconnect", it leads to auth fail (saved password is forgotten), we run about 1000 users, nobody complains.

Re: [Openvpn-devel] [PATCH v3] Use lowest metric interface when multiple interfaces match a route

2018-01-26 Thread Jan Just Keijser
Hi, On 26/01/18 16:26, Selva Nair wrote: On Fri, Jan 26, 2018 at 10:20 AM, Jan Just Keijser wrote: On 26-Jan-18 16:08, Selva Nair wrote: arrrgh, the important line is missing: ERROR: Windows route add ipv6 command failed: returned error code 1 Gert has explained the fe80::8 magic

Re: [Openvpn-devel] [PATCH v3] Use lowest metric interface when multiple interfaces match a route

2018-01-26 Thread Jan Just Keijser
Hi Selva, On 26-Jan-18 16:08, Selva Nair wrote: On Fri, Jan 26, 2018 at 8:23 AM, Jan Just Keijser wrote: On 26/01/18 14:11, Jan Just Keijser wrote: the patch works as expected but I did notice something in the openvpn log : Fri Jan 26 14:08:09 2018 do_ifconfig, tt->did_ifconfig_ipv6_se

Re: [Openvpn-devel] [PATCH v3] Use lowest metric interface when multiple interfaces match a route

2018-01-26 Thread Jan Just Keijser
On 26/01/18 14:11, Jan Just Keijser wrote: the patch works as expected but I did notice something in the openvpn log : Fri Jan 26 14:08:09 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=1 Fri Jan 26 14:08:10 2018 NETSH: C:\Windows\system32\netsh.exe interface ipv6 set address interface=17 2

Re: [Openvpn-devel] [PATCH v3] Use lowest metric interface when multiple interfaces match a route

2018-01-26 Thread Jan Just Keijser
eturn value with TUN_ADAPTER_INDEX_INVALID in windows_route_find_if_index() if multiple interfaces match a route. (ii) Select the interface with lowest metric in adapter_index_of_ip() instead of the first one found when multiple interfaces match. Reported by Jan Just Keijser Signed-off-by: Selva Nair -

Re: [Openvpn-devel] [PATCH v3] Use lowest metric interface when multiple interfaces match a route

2018-01-26 Thread Jan Just Keijser
Works as expected. Tested-by: Jan Just Keijser On 24/01/18 18:31, selva.n...@gmail.com wrote: From: Selva Nair Currently a route addition using IPAPI or service is skipped if the route gateway is reachable by multiple interfaces. This changes that to use the interface with lowest metric

Re: [Openvpn-devel] OVPN vs IPSec performance as a transport

2018-01-06 Thread Jan Just Keijser
On 05/01/18 00:52, Tom Kunz wrote: That would explain it if it always worked that way. But I can get 400%+ wire speed from A to B with compressible data, and 102% with incompressible data. If I do the same test from B to A or A to B, I get those results. If I hop off of that to C, speed goes

Re: [Openvpn-devel] [PATCH] Implement "status 4" (JSON) for management interface

2017-11-14 Thread Jan Just Keijser
On 14/11/17 09:31, Gert Doering wrote: On Mon, Nov 13, 2017 at 01:16:46PM +0100, David Sommerseth wrote: But we should consider if we want to make use of a JSON library producing the JSON streams. The reason is to ensure the output is according to the specification and that escaping if contents

[Openvpn-devel] Possible bug: AEAD Decrypt error: cipher final failed

2017-11-03 Thread Jan Just Keijser
hi all, whilst testing some new hardware with OpenVPN I ran into the following messages which keep popping up from time to time:  AEAD Decrypt error: cipher final failed Config: server running OpenVPN 2.4.3, basic config, Ubuntu 17, kernel 4.14, openssl 1.0.2g client running OpenVPN 2.4.4,

Re: [Openvpn-devel] [PATCH 0/1] add engine keys keys

2017-10-31 Thread Jan Just Keijser
Hi James, On 30/10/17 15:09, James Bottomley wrote: On Sun, 2017-10-29 at 17:03 -0400, Selva wrote: On Sun, Oct 29, 2017 at 12:04 PM, James Bottomley wrote: On Sun, 2017-10-29 at 16:24 +0100, Gert Doering wrote: On Sat, Oct 28, 2017 at 01:02:27PM +0100, James Bottomley wrote: Engine keys

Re: [Openvpn-devel] how to roll your own OpenVPN Windows installer

2017-09-14 Thread Jan Just Keijser
Hi all, On 11/09/17 09:06, Samuli Seppänen wrote: Il 08/09/2017 13:10, Jan Just Keijser ha scritto: hi dev list, someone asked me this question: how can one roll their own Windows OpenVPN installer, including a signed TAP driver? There's no need to rebuild OpenVPN or the TAP driver, but

Re: [Openvpn-devel] proper configuring of "tls-verify"

2017-09-11 Thread Jan Just Keijser
Hi, On 11/09/17 13:22, Илья Шипицин wrote: Hello, is someone actually using "tls-verify" in production ? we tried to implement additional certificate check using tls-verify while it works in general, in case when it hits "exit 1", it look like a timeout from client point of view. it is not a
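The question above concerns what a --tls-verify hook should look like and why a rejection shows up on the client as a handshake failure rather than a clean error. The following script is an added example, not code from this thread or from the OpenVPN project. It relies only on the documented hook interface: OpenVPN runs the script once per certificate in the peer's chain with two arguments, the certificate depth (0 for the leaf) and the X.509 subject DN, and a non-zero exit aborts the TLS handshake. The allowlist of CNs and the expected CA name are constructed for the example.

```shell
#!/bin/sh
# Added example of an OpenVPN --tls-verify hook (not the project's own code).
# OpenVPN invokes it as:  <script> <depth> <x509-subject>
# Exit 0 to accept the certificate at this depth, non-zero to reject the
# whole handshake. The client only sees the TLS session fail to complete.

# Constructed policy for the example: leaf CNs we accept, and the CN the
# issuing CA is expected to carry (assumed values, not from the thread).
ALLOWED_CNS="alice bob"
EXPECTED_CA_CN="Example CA"

# Extract the CN from a subject in either format OpenVPN may hand over:
#   "C=NL, O=Example, CN=alice"     (2.4 default)
#   "/C=NL/O=Example/CN=alice"      (legacy --compat-names style)
cn_of() {
    printf '%s\n' "$1" | sed -n 's/.*CN=\([^,/]*\).*/\1/p'
}

# Decide on one certificate. depth 0 is the peer's own certificate; any
# higher depth is an issuer, which must be our expected CA.
verify_peer() {
    depth="$1"
    subject="$2"
    cn=$(cn_of "$subject")
    [ -n "$cn" ] || return 1          # no CN at all: reject
    case "$depth" in
        0)
            for allowed in $ALLOWED_CNS; do
                [ "$allowed" = "$cn" ] && return 0
            done
            return 1
            ;;
        *)
            [ "$cn" = "$EXPECTED_CA_CN" ]
            ;;
    esac
}

# Real hook entry point: only runs when OpenVPN supplies the two arguments.
if [ $# -eq 2 ]; then
    if verify_peer "$1" "$2"; then
        exit 0
    fi
    # Logging the reason is what makes the "client just times out" symptom
    # diagnosable on the server side.
    echo "tls-verify: rejecting depth=$1 subject=$2" >&2
    exit 1
fi
```

Use it as `tls-verify /etc/openvpn/tls-verify.sh` together with `script-security 2`. Keep the script fast and free of network lookups: it runs inside the handshake, so any delay or hang there is seen by the client as the handshake stalling, and a rejection is never reported to the peer as anything more specific than a failed TLS negotiation.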

[Openvpn-devel] how to roll your own OpenVPN Windows installer

2017-09-08 Thread Jan Just Keijser
hi dev list, someone asked me this question: how can one roll their own Windows OpenVPN installer, including a signed TAP driver? There's no need to rebuild OpenVPN or the TAP driver, but they do need to include other things, such as certificates, config files etc. Is there a way to repackage

Re: [Openvpn-devel] [PATCH] bash: substitute legacy `` with modern $()

2017-08-29 Thread Jan Just Keijser
Hi, On 25/08/17 03:41, Antonio Quartulli wrote: On 25/08/17 04:21, David Sommerseth wrote: On 24/08/17 21:18, Gert Doering wrote: (gen-release-tarballs.sh only needs to work on FreeBSD and Linux, and FreeBSD's /bin/sh is sufficiently modern so it's likely to work - but the test scripts n

Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-17 Thread Jan Just Keijser
On 17/07/17 14:14, Gert Doering wrote: Hi, On Mon, Jul 17, 2017 at 02:10:11PM +0200, Jan Just Keijser wrote: this problem is NOT present in OpenVPN 2.3.17; the same warning appears (route gateway is ambiguous) but the route is added anyway. This seems to be a regression in 2.4. Can we have a

Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-17 Thread Jan Just Keijser
Follow-up: this problem is NOT present in OpenVPN 2.3.17; the same warning appears (route gateway is ambiguous) but the route is added anyway. This seems to be a regression in 2.4. JJK On 17/07/17 14:01, Jan Just Keijser wrote: Hi all, On 17/07/17 12:34, Samuli Seppänen wrote: On 15/07

Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-17 Thread Jan Just Keijser
Hi all, On 17/07/17 12:34, Samuli Seppänen wrote: On 15/07/2017 00:43, Jan Just Keijser wrote: Hi Samuli, On 14/07/17 16:07, Samuli Seppänen wrote: Hi all, Those of you who use pkcs11 on Windows: could you please test this new Windows installer: <http://build.openvpn.net/downloads/relea

Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-14 Thread Jan Just Keijser
Hi Samuli, On 14/07/17 16:07, Samuli Seppänen wrote: Hi all, Those of you who use pkcs11 on Windows: could you please test this new Windows installer: The previous installer(s) had pkcs11-helper 1.11. This one has 1.

Re: [Openvpn-devel] Bug or Feature? Username in environment in auth-user-pass-verify

2017-06-16 Thread Jan Just Keijser
Hi Gert et al, On 15/06/17 09:47, Gert Doering wrote: Hi, On Thu, Jun 15, 2017 at 12:50:40PM +1000, Steven Haigh wrote: I'm just trying to figure out if its expected behaviour to have the 'username' set in the environment when using the auth-user-pass-verify script. The code in question (ssl_

Re: [Openvpn-devel] Upgrading EasyRSA 2's defaults

2017-04-04 Thread Jan Just Keijser
Hi David, On 03/04/17 22:43, David Sommerseth wrote: On 03/04/17 16:12, Jan Just Keijser wrote: On 03/04/17 15:53, Samuli Seppänen wrote: On 02/04/2017 10:57, Steffan Karger wrote: Hi, On 31-03-17 22:34, David Sommerseth wrote: On 31/03/17 10:56, Илья Шипицин wrote: 2017-03-31 13:26 GMT
