Re: [Openvpn-devel] [PATCH] ssh_util: fix prototype style

2022-08-18 Thread Simon Matter
Hi, Typo, subject should probably be s/ssh_util/ssl_util Regards, Simon > Function prototypes should have the return type on the same line as the > function name itself. Fix this in ssl_util.h. > > Signed-off-by: Antonio Quartulli > --- > src/openvpn/ssl_util.h | 13 + > 1 file

Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.

2021-04-05 Thread Simon Matter
> Hi, > > On Mon, Apr 05, 2021 at 10:16:07AM +0200, Simon Matter wrote: >> Then I misunderstood what is written here? >> >> https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#Option:--compress >> >> "Compression is not recommended

Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.

2021-04-05 Thread Simon Matter
> Hi Simon > > On 05/04/2021 09:38, Simon Matter wrote: >>> Hi, >>> >>> On Sat, Apr 03, 2021 at 03:07:11PM +0200, Simon Matter wrote: >>>> Apr 3 15:00:30 gw-X1 openvpn[1477]: pre-compress bytes,833300152 >>>> Apr 3 15:00:30 gw-X1 openv

Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.

2021-04-05 Thread Simon Matter
> Hi, > > On Sat, Apr 03, 2021 at 03:07:11PM +0200, Simon Matter wrote: >> Apr 3 15:00:30 gw-X1 openvpn[1477]: pre-compress bytes,833300152 >> Apr 3 15:00:30 gw-X1 openvpn[1477]: post-compress bytes,796650159 >> Apr 3 15:00:30 gw-X1 openvpn[1477]: pre-decompress byte

Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.

2021-04-03 Thread Simon Matter
> Hi, > > On 03/04/2021 12:06, Simon Matter wrote: >> Our use case is simple, we don't want ANY application in our company to >> consume more WAN bandwidth than is absolutely needed. Of course we're >> using compression like in rsync where it's possible, but that's

Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.

2021-04-03 Thread Simon Matter
> Hi, > > On Sat, Apr 03, 2021 at 11:52:59AM +0200, Simon Matter wrote: >> > It sounds like there is no answer to this? >> > Then why are we even discussing further? >> >> It could be at least one feature to prevent people from moving over to >> WireG

Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.

2021-04-03 Thread Simon Matter
> Hi, > > On 03/04/2021 11:18, Simon Matter wrote: >>> If you have a use case that you think can benefit big time by having >>> compression, please feel free to describe it in details. Therefore >>> might >>> be saner ways to address

Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.

2021-04-03 Thread Simon Matter
> Hi, > > On 03/04/2021 10:32, Simon Matter wrote: >> I'm not asking to enable it by default or even compile it by default. >> I'm >> only asking to keep the code in so those who know what they are doing >> can >> enable it as a compile time option or

Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.

2021-04-03 Thread Simon Matter
> >> >> To me it seems like you can of course build a scenario where compression >> _could_ be a problem somehow, but there are certainly many use cases >> where it can be considered almost impossible to have your security >> weakened by compression. I mean, there is also the SSH VPN mode with c>

Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.

2021-04-02 Thread Simon Matter
> Hi, > > On Fri, Apr 02, 2021 at 08:35:36PM +0200, Simon Matter wrote: >> What I'm still wondering is why is compression so dangerous with OpenVPN >> but not so with things like SSH or SCP? > > The problem is adversary-controlled traffic in a VPN tunnel, lik
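The point made in the reply above (adversary-controlled traffic sharing a compression context with a victim's secret inside the tunnel) is the mechanism behind the VORACLE discussion elsewhere on this page. The following is an added example, not part of the mailing-list thread and not OpenVPN code: it uses Python's zlib as a stand-in for the tunnel's per-packet compressor, and the HTTP request layout, the cookie value "session=7f3a9c" and the hex alphabet are all constructed for the demonstration. The attacker is assumed to control the URL path the victim requests and to observe only the sizes of the resulting encrypted packets.

```python
"""Added example: recovering a secret byte by byte through a compression oracle.

Constructed model, not OpenVPN code: a VPN compresses each inner packet before
encrypting it.  The attacker makes the victim send requests whose URL path the
attacker chooses, and observes only the *encrypted* packet sizes on the wire.
Because the path and the victim's cookie are compressed together, a path that
correctly extends the cookie compresses better, and that size difference
survives encryption.
"""
import zlib

HEX = "0123456789abcdef"          # assumed alphabet of the unknown cookie value


def compressed_packet_len(attacker_path: bytes, cookie: bytes, filler: int) -> int:
    """Size of one compressed inner packet carrying both attacker bytes and the secret.

    `filler` distinct bytes >= 0x90 are appended to the attacker-controlled part.
    As DEFLATE fixed-Huffman literals they cost 9 bits each, so sweeping filler
    over 0..7 walks the stream through every bit alignment and lets the caller
    cancel the byte rounding of the output length.
    """
    pad = bytes(range(0xF0, 0xF0 + filler))
    inner = (b"GET /" + attacker_path + pad + b" HTTP/1.1\r\n"
             b"Cookie: " + cookie + b"\r\n")
    return len(zlib.compress(inner, 9))


def oracle_score(attacker_path: bytes, cookie: bytes) -> int:
    """Summed packet size over eight filler lengths; lower means 'compressed better'."""
    return sum(compressed_packet_len(attacker_path, cookie, f) for f in range(8))


def recover_secret(cookie: bytes, known_prefix: bytes, unknown_len: int,
                   alphabet: str = HEX) -> bytes:
    """Extend `known_prefix` one character at a time using only packet sizes.

    `cookie` is passed in only so the simulated victim can build its packet;
    the recovery logic never reads it, it only compares compressed lengths.
    """
    guess = known_prefix
    for _ in range(unknown_len):
        scores = {c: oracle_score(guess + c.encode(), cookie) for c in alphabet}
        ranked = sorted(scores.items(), key=lambda kv: kv[1])
        if ranked[0][1] == ranked[1][1]:
            raise RuntimeError("oracle gave no unique minimum; cannot extend guess")
        guess += ranked[0][0].encode()
    return guess


if __name__ == "__main__":
    secret = b"session=7f3a9c"     # constructed; the attacker knows only "session="
    print(recover_secret(secret, b"session=", len(secret) - len(b"session=")))
```

Every wrong guess leaves one extra literal in the DEFLATE stream, so the correct candidate is the unique minimum at each step and the whole value is recovered in 16 guesses per character. Nothing about the cipher matters here, which is why the thread's answer is to stop compressing mixed traffic (the "compress migrate" / stub approach) rather than to tune the crypto.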

Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.

2021-04-02 Thread Simon Matter
> Commit 8fa8a17528c001a introduces "compress migrate" to move old clients > that have "compress" or "comp-lzo" in their config towards a connection > without compression. This is done by looking at incoming OCC strings > to see if the client has compression enabled, and at incoming IV_ > strings

Re: [Openvpn-devel] [PATCH 0/1] reliable: retransmit if 3 follow-up ACKs are received

2021-04-01 Thread Simon Matter
> Hi, > > On Thu, Apr 01, 2021 at 08:20:48AM +0200, Simon Matter wrote: >> > Yes. But it only affects the control channel. For data channel we >> never >> > do retransmits. >> >> OK, but it still could help in case of things like VoIP UDP over OpenVPN

Re: [Openvpn-devel] [PATCH 0/1] reliable: retransmit if 3 follow-up ACKs are received

2021-04-01 Thread Simon Matter
> > On 31.03.2021 at 21:39 Simon Matter wrote: >>> This is my second attempt at sending this patch, this time without >>> mixing up commit message and cover letter, and from an account that >>> (I hope) doesn't hate mailing lists. >>> >>> Th

Re: [Openvpn-devel] [PATCH 0/1] reliable: retransmit if 3 follow-up ACKs are received

2021-03-31 Thread Simon Matter
> This is my second attempt at sending this patch, this time without > mixing up commit message and cover letter, and from an account that > (I hope) doesn't hate mailing lists. > > This patch changes reliable_send() to resend a packet if at least three > later packets have been ACKed. This

Re: [Openvpn-devel] [ovpn-dco] sudden network disconnection

2021-03-30 Thread Simon Matter
> Hi Antonio, > > As you know I am porting ovpn-dco to my router whose kernel is V4.14.76. > After solving AF_NETLINK group issue we discussed > yesterday. It finally works. But I encounter another issue :-( . When > testing the performance with iperf3, disconnection occurs > and recovers after

Re: [Openvpn-devel] Add --up-pre with the same functionality as --down-pre

2020-10-01 Thread Simon Matter
> On 01/10/2020 17:03, Simon Matter wrote: >> I really can't understand why this small patch was refused for years and >> I >> still feel nobody ever really looked at it. > > Perhaps this is also an indication of the corner case this patch is covering? > > This patc

Re: [Openvpn-devel] Add --up-pre with the same functionality as --down-pre

2020-10-01 Thread Simon Matter
Hi Arne, > On 22.11.17 at 17:58 Simon Matter wrote: >> Hi, >> >> In our situation we have the requirement to run scripts before tun/tap >> is >> opened, not after. While this could be hacked into the init script, the >> proper way seems to add i

Re: [Openvpn-devel] is anybody running tests on Fedora ?

2020-05-04 Thread Simon Matter via Openvpn-devel
> Mon, 4 May 2020 at 16:41, Samuli Seppänen : > >> Hi, >> >> We do have a Fedora 30 buildslave and run fping tests there. It also >> seems to run t_client IPv6 ping tests. >> > > can you please run the following > > > dnf whatprovides fping6 I don't know about the EPEL packages but with recent

Re: [Openvpn-devel] OpenVPN 2.4.9 released

2020-04-18 Thread Simon Matter via Openvpn-devel
> Hi, > > On Fri, Apr 17, 2020 at 5:35 PM Gert Doering wrote: >> >> ... the new subkeys are just a few weeks old, so we need to publish >> a new key bundle with the new subkeys. > > So until a new security-keys-2020.asc (or whatever you will call it) > is published on the OpenVPN website, I can't

Re: [Openvpn-devel] [PATCH] Fix various spelling mistakes

2019-01-22 Thread Simon Matter via Openvpn-devel
Hi, > diff --git a/src/openvpn/console.h b/src/openvpn/console.h > index 0ffd6683..62beacae 100644 > --- a/src/openvpn/console.h > +++ b/src/openvpn/console.h > @@ -33,9 +33,9 @@ > */ > struct _query_user { > char *prompt; /**< Prompt to present to the user */ > -size_t

Re: [Openvpn-devel] Summary of the community meeting (Wed, 28th Nov 2018)

2018-11-29 Thread Simon Matter
> Hi Jan Just, > > (forgot to add openvpn-devel in previous mail) > > Some background information. > > In openvpn3 we decided not to implement fragments, because: > > - this is quite a big feature which has to be supported through the whole > stack (client, server, kernel module) > - we assume

Re: [Openvpn-devel] Discussion: Moving forward with compression and voracle

2018-08-29 Thread Simon Matter
> On 29-08-18 17:18, Jan Just Keijser wrote: >> Since when can I not type in >>   rm -rf / >> any more ?  did someone build in a flag into the "rm" command to stop me >> from doing so? I sure hope not. > > $ sudo docker run --rm debian rm -rf / > rm: it is dangerous to operate recursively on '/' >

Re: [Openvpn-devel] Summary of the community meeting (Wed, 18th Apr 2018)

2018-04-24 Thread Simon Matter
Hi, I'm just wondering what happened to the proposed 2.4.6 release? Will it come anytime soon? Regards, Simon > Hi, > > Here's the summary of the IRC meeting. > --- > > COMMUNITY MEETING > > Place: #openvpn-meeting on irc.freenode.net > Date: Wednesday 18th Apr 2018 > Time: 11:30 CET (10:30

[Openvpn-devel] tls fix for upcoming 2.4.5

2018-03-01 Thread Simon Matter
Hi, I've just done some test builds with 2.4.5 tagged version. Attached patch makes it build with older systems. Do you see any issue with the change? Regards, Simon--- openvpn-2.4.5/src/openvpn/openssl_compat.h.orig 2018-02-28 21:56:54.0 +0100 +++

Re: [Openvpn-devel] On testing with openssl 0.9.8

2018-01-22 Thread Simon Matter
> On 20/01/18 18:22, Selva Nair wrote: >> Hi, >> >> Does openvpn-vagrant include any VM provisioning with openssl-0.9.8? >> Until recently I had access to a few old debian boxes but now all >> updated and 0.9.8 testing is getting harder. > > Let me rather twist this question around ... Do we want

Re: [Openvpn-devel] OVPN vs IPSec performance as a transport

2018-01-06 Thread Simon Matter
> -SNIP- > I haven't taken the time to fully understand the tests you've done etc. > [And it does seem you are not some neophyte blindly hacking your way > through this...] > > However, I will tell you that it's *very* common for people to do things > that appear very similarly as you describe,

Re: [Openvpn-devel] OVPN vs IPSec performance as a transport

2018-01-04 Thread Simon Matter
Hi, > That would explain it if it always worked that way. > But I can get 400%+ wire speed from A to B with compressible data, and > 102% with incompressible data.  If I do the same test from B to A or A > to B, I get those results.  If I hop off of that to C, speed goes from >>1Gbps to

[Openvpn-devel] Add --up-pre with the same functionality as --down-pre

2017-11-22 Thread Simon Matter
Hi, In our situation we have the requirement to run scripts before tun/tap is opened, not after. While this could be hacked into the init script, the proper way seems to add it to openvpn as --up-pre option. That's independent from any init scripts / systemd service file and works the same way as

Re: [Openvpn-devel] [PATCH v4] Add per session pseudo-random jitter to --reneg-sec intervals

2017-11-16 Thread Simon Matter
Hi, > From: Simon Matter <simon.mat...@invoca.ch> > > While we were suffering from the "TLS Renegotiation Slowdown" bug here > https://community.openvpn.net/openvpn/ticket/854 we realized that there is > still room for improvement in our use case. > > It appe

Re: [Openvpn-devel] [PATCH v3] Add per session pseudo-random jitter to --reneg-sec intervals

2017-11-14 Thread Simon Matter
eset sec=%d/%d bytes=" counter_format "/%d pkts=" counter_format "/%d", +(int)(now - ks->established), session->opt->renegotiate_seconds, ks->n_bytes, session->opt->renegotiate_bytes, I'm not a developer and not a git user,

Re: [Openvpn-devel] [PATCH v3] Add per session pseudo-random jitter to --reneg-sec intervals

2017-11-12 Thread Simon Matter
Hi Steffan, Thanks for taking the time to improve this! Regards, Simon > From: Simon Matter <simon.mat...@invoca.ch> > > While we were suffering from the "TLS Renegotiation Slowdown" bug here > https://community.openvpn.net/openvpn/ticket/854 we realize

Re: [Openvpn-devel] [PATCH v2] lz4: Move towards a newer LZ4 API

2017-09-07 Thread Simon Matter
Hi, While we are at it, I found it useful to see the used LZ4 version at runtime as it is done with LZO and other libraries. I've patched my rpms with the patch attached. Regards, Simon > We are using a deprecated function, LZ4_compress_limitedOutput(), which > will be removed with time. The

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Simon Matter
> Hi, > > On Wed, Jun 21, 2017 at 04:18:41PM +0200, Simon Matter wrote: >> An additional source of confusion seems that the tarball of the .gz and >> .xz files don't match. Maybe this could easily be fixed in the build >> process. > > .gz is built with "

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Simon Matter
>>> I believe it is Cloudflare playing tricks on us again. >>> >>> Attached are the proper signature files and below a list of the SHA256 >>> checksums: >>> >>> 7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571 >>> openvpn-2.4.3.tar.xz >>> >>> This is based on the files I've already

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Simon Matter
> On 21/06/17 13:48, Jonathan K. Bullard wrote: >> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen >> wrote: >>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. >>> It >>> can be downloaded from here: >>> >>>

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Simon Matter
>> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen >> wrote: >>> The OpenVPN community project team is proud to release OpenVPN 2.4.3. >>> It >>> can be downloaded from here: >>> >>> >> >> Hi. Thanks for this release.

Re: [Openvpn-devel] OpenVPN 2.4.3 released (with security fixes)

2017-06-21 Thread Simon Matter
> On Wed, Jun 21, 2017 at 6:47 AM, Samuli Seppänen > wrote: >> The OpenVPN community project team is proud to release OpenVPN 2.4.3. It >> can be downloaded from here: >> >> > > Hi. Thanks for this release. > >

Re: [Openvpn-devel] [PATCH release/2.4] configure.ac: fix building against static openssl

2017-05-31 Thread Simon Matter
> On 31/05/17 15:51, Simon Matter wrote: >>> Hi, >>> >>> On Wed, May 31, 2017 at 11:14:33AM +0200, David Sommerseth wrote: >>>> On 31/05/17 09:02, Gert Doering wrote: >>>>> Hi, >>>>> >>>>> On Wed, May 31, 2017

Re: [Openvpn-devel] [PATCH release/2.4] configure.ac: fix building against static openssl

2017-05-31 Thread Simon Matter
> Hi, > > On Wed, May 31, 2017 at 11:14:33AM +0200, David Sommerseth wrote: >> On 31/05/17 09:02, Gert Doering wrote: >> > Hi, >> > >> > On Wed, May 31, 2017 at 02:31:40AM +0200, David Sommerseth wrote: >> >> If we really do care for supporting 0.9.8, in release/2.4 - I can >> give >> >> this an

[Openvpn-devel] Please check the 2.3.15 downloads

2017-05-19 Thread Simon Matter
Hi, I'm not sure what the correct 2.3.15 tarball is. The one available from https://openvpn.net/index.php/open-source/downloads.html doesn't have the CVE-2017-7478 included. Isn't there still something wrong there? Thanks, Simon

Re: [Openvpn-devel] [PATCH] Require minimum OpenSSL 1.0.1

2017-04-11 Thread Simon Matter
> Hi, > > On 11-04-17 19:31, David Sommerseth wrote: >> As RHEL 5 has reached EOL, we no longer need to support OpenSSL v0.9.8. >> This also makes it possible to remove a few workarounds which were >> needed earlier, as well as some leftovers from v0.9.6. >> >> This also makes ./configure really

Re: [Openvpn-devel] [PATCH] Make --cipher/--auth none more explicit on the risks

2017-04-10 Thread Simon Matter
> The warning provided to --cipher and --auth using the 'none' setting may > not have been too clearly understandable to non-developers or people not > fully understanding encryption and cryptography. This tries to improve > that. > > While at it, also break up the long source lines. > >

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread Simon Matter
> > > On 06/04/17 12:52, Steffan Karger wrote: >> Hi, >> >> On 6 April 2017 at 12:26, David Sommerseth >> <open...@sf.lists.topphemmelig.net> wrote: >>> On 06/04/17 11:45, Simon Matter wrote: >>>> >>>>> I like Arne's and

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread Simon Matter
> Web servers these days are also multi-threaded (or "multi-forked"), so > they can utilize multiple cores more efficiently. OpenVPN is *single > threaded*. So when one client starts a TLS renegotiation, it blocks all > the other connected clients until the renegotiation has completed. > When
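The single-threaded argument above is the reason the --reneg-sec jitter patch discussed in this thread exists: clients that connected together renegotiate together, and each renegotiation holds the one thread. The following is an added simulation, not part of the thread and not OpenVPN code, that quantifies that. How the jitter is applied (one uniformly drawn interval per session, shortened by up to a fraction of --reneg-sec) and the numbers for client count, connect burst, renegotiation cost and jitter fraction are assumptions chosen for the illustration.

```python
"""Added example: queueing delay on a single-threaded server with and without
a per-session random component in the renegotiation interval.  Simulation
only; the jitter model and all parameters are assumptions, not OpenVPN's.
"""
import random


def renegotiation_times(n_clients: int, reneg_sec: float, connect_window: float,
                        horizon: float, jitter: float, seed: int = 1) -> list:
    """Timestamps (seconds) at which each client's TLS renegotiation fires.

    Every client draws one interval at session start,
        reneg_sec * (1 - jitter * U[0,1)),
    and then renegotiates at that fixed period (assumed model; jitter=0
    reproduces a plain, unjittered --reneg-sec).
    """
    rng = random.Random(seed)
    times = []
    for _ in range(n_clients):
        t = rng.uniform(0.0, connect_window)           # clients connect in a burst
        interval = reneg_sec * (1.0 - jitter * rng.random())
        t += interval
        while t < horizon:
            times.append(t)
            t += interval
    return sorted(times)


def worst_queue_delay(times: list, reneg_cost: float) -> float:
    """Longest time any renegotiation waits because the single thread is busy.

    Each renegotiation occupies the only thread for `reneg_cost` seconds; while
    it does, every other client's renegotiation (and its data) waits behind it.
    """
    busy_until = 0.0
    worst = 0.0
    for t in times:
        start = max(t, busy_until)
        worst = max(worst, start - t)
        busy_until = start + reneg_cost
    return worst


def compare(n_clients: int = 200, reneg_sec: float = 3600.0, connect_window: float = 2.0,
            horizon: float = 4 * 3600.0, reneg_cost: float = 0.05, jitter: float = 0.25):
    """Worst queueing delay (s) for a fixed interval vs. a per-session jittered one."""
    fixed = worst_queue_delay(
        renegotiation_times(n_clients, reneg_sec, connect_window, horizon, 0.0), reneg_cost)
    spread = worst_queue_delay(
        renegotiation_times(n_clients, reneg_sec, connect_window, horizon, jitter), reneg_cost)
    return fixed, spread


if __name__ == "__main__":
    fixed_delay, jittered_delay = compare()
    print(f"fixed --reneg-sec: worst wait {fixed_delay:.1f}s; "
          f"per-session jitter: worst wait {jittered_delay:.2f}s")
```

With 200 clients that connected within two seconds, a fixed hourly interval replays that two-second burst every hour: at 50 ms per renegotiation the last client in the burst waits roughly eight seconds, and so does everyone's traffic. Drawing the interval once per session spreads the same work over a quarter of an hour, and the worst wait collapses to a fraction of a second without touching the cryptographic lifetime of any key.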

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-06 Thread Simon Matter
> Hi, > > On Wed, Apr 05, 2017 at 07:00:54PM +0100, debbie10t wrote: >> > Optional option does not mean that it is disabled by default. If you >> > don't want the randomness you would need to do: >> > >> > reneg-sec 3600 3600 >> > >> > the optional argument also allows it to fine tune it to your needs.

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread Simon Matter
> > > On 05/04/17 17:13, debbie10t wrote: >> >> >> On 05/04/17 16:58, David Sommerseth wrote: >>> On 05/04/17 17:53, David Sommerseth wrote: On 05/04/17 16:42, debbie10t wrote: > >> > > A different approach could be like so: > > --reneg-sec 3600 >

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-05 Thread Simon Matter
> On 05/04/17 09:31, Steffan Karger wrote: >> Hi, >> >> On 05-04-17 08:57, Gert Doering wrote: >>> On Wed, Apr 05, 2017 at 06:34:34AM +0200, Simon Matter wrote: >>>> I've attached v2 now which works without any config change: >>> [..] >>

Re: [Openvpn-devel] [PATCH v2] Add per session pseudo-random component to --reneg-sec intervals

2017-04-04 Thread Simon Matter
>> Hi, >> >> On Tue, Apr 04, 2017 at 08:29:49AM +0200, Simon Matter wrote: >>> Interesting to see that there is zero interest in this patch here. >> >> This is a misinterpretation. >> > > Hi Gert, > > Thanks for the explanation, I'll be pa

Re: [Openvpn-devel] [PATCH] Add per session pseudo-random component to --reneg-sec intervals

2017-04-04 Thread Simon Matter
> Hi, > > On Tue, Apr 04, 2017 at 08:29:49AM +0200, Simon Matter wrote: >> Interesting to see that there is zero interest in this patch here. > > This is a misinterpretation. > Hi Gert, Thanks for the explanation, I'll be patient then :) If it's preferred for the patch

Re: [Openvpn-devel] [PATCH] Add per session pseudo-random component to --reneg-sec intervals

2017-04-04 Thread Simon Matter
Hi, >> Hi, >> >> Initially I've created this RFE but have been told to send it to >> the devel list instead: >> >> https://community.openvpn.net/openvpn/ticket/865 >> >> Unfortunately I'm not a developer and have never used git so please bear >> with me as I send a classic patch to the list. >>

Re: [Openvpn-devel] [PATCH] Add per session pseudo-random component to --reneg-sec intervals

2017-04-03 Thread Simon Matter
> Hi, > > Initially I've created this RFE but have been told to send it to > the devel list instead: > > https://community.openvpn.net/openvpn/ticket/865 > > Unfortunately I'm not a developer and have never used git so please bear > with me as I send a classic patch to the list. > > As suggested

[Openvpn-devel] [PATCH] Add per session pseudo-random component to --reneg-sec intervals

2017-03-30 Thread Simon Matter
Hi, Initially I've created this RFE but have been told to send it to the devel list instead: https://community.openvpn.net/openvpn/ticket/865 Unfortunately I'm not a developer and have never used git so please bear with me as I send a classic patch to the list. As suggested by user "syzzer" I