Re: [Openvpn-devel] Adding Google Analytics code to Trac?

2018-10-25 Thread Eric Crist
> On Oct 24, 2018, at 06:47:58, Samuli Seppänen wrote:
> 
> Hi,
> 
> The OpenVPN Inc. webmaster would like to add Google Analytics to
> community.openvpn.net, i.e. our Trac wiki/bug tracker. I said we need to
> consult the community first because GA can be seen as a form of spying.
> Here's our webmaster's view on this subject:
> 
> ---
> 
> "The goal of this would be to understand what information first-time
> users are finding the most valuable on community.openvpn.net."
> 
> "As this is a publicly accessible community without the requirement to
> join to read the articles, it would be advantageous for all to
> understand which pieces of content the public are finding the most
> useful, what encourages them to become a part of the community, and what
> potentially persuaded them to start using a commercial product."
> 
> "As openvpn.net links to community.openvpn.net and vice versa this will
> also help us to understand the complete journey of a user and help to
> improve the website experience, which can only be seen as a positive."
> 
> ---
> 
> In today's community meeting there was some concern about the spying
> aspect of Google Analytics, but nobody was strongly opposed. This was I
> believe, in part, because it is fairly easy to block Google Analytics if
> one so wishes.
> 
> So, what do _you_ think?



We have had Google Analytics built in to the forum for years.  I think since 
their inception.  Not a single person has made a complaint (I’m sure I’ll get 
some now).

I’m not opposed to adding GA to the community site.


Eric


Eric F Crist
Sr Integration Engineer
Desk: 651-242-5305
Mobile: 612-998-3588



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] Discussion: Moving forward with compression and voracle

2018-08-27 Thread Eric Crist
I agree with Arne on this one.  I’m OK with a warning, but I don’t think we 
should make it impossible.  This is where nasty forks start to show up because 
we broke something upstream (recall the days of the lack of password-save in 
our Windows client).

Eric F Crist


> On Aug 27, 2018, at 03:10:31, Derek Zimmer  wrote:
> 
>> That is a terrible idea. The intention is good but users will then opt
>> out of encryption because they want compression or build stacked VPNs.
> 
> That was the point of the idea though. If you want to go that far to
> go around security, you are very aware of the consequences of what
> you're doing. If we don't want to force the users hand, a big and ugly
> warning that shows up when compression + encryption is enabled may
> lead to the same end result.
> 
> In my opinion as long as the user is acutely aware of the risks and we
> make the documentation and warnings very clear, the project is as safe
> as it can be from user error driven security suicide.
> Derek Zimmer
> Chief Executive Officer
> Open Source Technology Improvement Fund
> 
> 
> On Mon, Aug 27, 2018 at 2:25 AM, Arne Schwabe  wrote:
>> Am 27.08.18 um 00:55 schrieb Derek Zimmer:
>>> There's always the option of not allowing encryption to be enabled
>>> with compression enabled. This keeps things like using OpenVPN as
>>> fancy proxy working without endangering the privacy VPN use-case.
>> 
>> That is a terrible idea. The intention is good but users will then opt
>> out of encryption because they want compression or build stacked VPNs.
>> 
>> Arne


Re: [Openvpn-devel] [openvpn-devel] Forum upgrade problems

2017-09-20 Thread Eric Crist
I’m not going to make that change. 

Eric Crist

> On Sep 20, 2017, at 5:39 AM, fragmentux <fragmen...@gmail.com> wrote:
> 
> Another suggestion:
> Can you please change [oconf=x] to simply [oconf]
> There is enough remaining information to be able to determine what
> the config is used for .. and if there isn't then a simple question
> can be asked to clarify.
> 
> Otherwise, people just use it blindly and assume it does not work.
> eg: https://forums.openvpn.net/viewtopic.php?f=4=24913
> 
> 
>> On 19/09/17 15:39, Eric F Crist wrote:
>> Switching the forum back from our custom style to the prosilver default 
>> resolves at least the [code] BBCode.  I'll look at the differences tonight.
>> ---
>> Eric F Crist
>>> On 2017-09-19 09:34, Eric F Crist wrote:
>>> I've uploaded the [oconf] BBcode to github: https://github.com/ecrist/oconf
>>> 
>>> There may be style/template issues on the forum, and I will look into
>>> those based on your other messages.
>>> 
>>> ---
>>> Eric F Crist
>>> 
>>> 
>>>> On 2017-09-18 16:29, Eric Crist wrote:
>>>> The oconf stuff is something I can share. I’ll post to github this
>>>> afternoon. This white space problem appears to be a known
>>>> “feature”.
>>>> 
>>>> Eric Crist
>>>> 
>>>>> On Sep 18, 2017, at 4:26 PM, fragmentux <fragmen...@gmail.com> wrote:
>>>>> 
>>>>> Any update ?
>>>>> 
>>>>> here is a good example of the problem:
>>>>> https://forums.openvpn.net/viewtopic.php?f=6=24907
>>>>> 
>>>>>> On 14/09/17 17:29, Eric Crist wrote:
>>>>>> 
>>>>>> I will look into these. I'm surprised [oconf] is broken, since I
>>>>>> wrote that myself and it is not a normal part of phpBB.
>>>>>> 
>>>>>> Eric Crist
>>>>>> 
>>>>>>> On Sep 14, 2017, at 6:36 AM, fragmentux <fragmen...@gmail.com> wrote:
>>>>>>> 
>>>>>>> The forum upgrade has broken the following BBCodes.
>>>>>>> 
>>>>>>> 1. [quote="Name"]
>>>>>>> "Name" is no longer shown.
>>>>>>> 
>>>>>>> 2. [code]
>>>>>>> Appears to strip out all newline / CRLF.


Re: [Openvpn-devel] [openvpn-devel] Forum upgrade problems

2017-09-14 Thread Eric Crist
I will look into these. I'm surprised [oconf] is broken, since I wrote that 
myself and it is not a normal part of phpBB. 

Eric Crist

> On Sep 14, 2017, at 6:36 AM, fragmentux <fragmen...@gmail.com> wrote:
> 
> The forum upgrade has broken the following BBCodes.
> 
> 1. [quote="Name"]
> "Name" is no longer shown.
> 
> 2. [code]
> Appears to strip out all newline / CRLF.
> 
> 3. [oconf=x]
> Appears to strip off last line.
> 
> 4. [list]
> Always inserts a bullet point even if no [*] is used.
> 


Re: [Openvpn-devel] Reviewer for French openvpn-gui localization patch?

2017-08-28 Thread Eric Crist
I have a few comments I'll share later when I'm back home. This mostly looks 
OK, but can be improved with a few clarifications and additions. 

Eric Crist

> On Aug 28, 2017, at 7:08 AM, Samuli Seppänen <sam...@openvpn.net> wrote:
> 
> Hi,
> 
> Could a French-speaker review this openvpn-gui pull request?
> 
> <https://github.com/OpenVPN/openvpn-gui/pull/184/files>
> 
> It would be good to have these changes in the next OpenVPN GUI version.
> 
> -- 
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
> 
> irc freenode net: mattock


Re: [Openvpn-devel] Question regarding easy-rsa

2017-05-19 Thread Eric Crist
Since this was sent to three separate lists:

I am active and review the reported bugs. I recently completed my second book 
on OpenVPN and should shortly have an opportunity to work more actively on the 
project. 

Eric Crist

> On May 19, 2017, at 5:52 PM, Mahawar, Sunil <sunil.maha...@intel.com> wrote:
> 
> Hello Eric,
>  I loved easy-rsa tool and its user friendly interface. I 
> am using this utility for one of my project for OpenHPC 
> (http://openhpc.community ). However one of my colleague pointed out that 
> easy-rsa project is not an active project, its last release was 2 year back, 
> last commit was June 2016, and there are multiple open issues on git hub 
> (40), which are not yet addressed. So there was concern that any security 
> related vulnerability (if found) will not be fixed in timely manner. Because 
> of that I was asked to reevaluate easy-rsa utility for my use.
>  
> I am assuming you are an active maintainer/developer for easy-rsa, can you 
> please confirm? I am also assuming if there is any security related issue 
> comes in, you will drive those issue to closure, however so far I have not 
> seen any vulnerability in this project. Though I am not the expert, but I can 
> also provide my help if needed. Could you please confirm your involvement in 
> easy-rsa utility?
>  
> If you are not the right person then I am sorry for this email.
>  
>  
> Thanks & Regards
> -Sunil Mahawar


Re: [Openvpn-devel] [Openvpn-users] question about easy-rsa

2017-05-19 Thread Eric Crist
Thrice:

I am active and review the reported bugs. I recently completed my second book 
on OpenVPN and should shortly have an opportunity to work more actively on the 
project. 

Eric Crist

> On May 19, 2017, at 5:41 PM, Mahawar, Sunil <sunil.maha...@intel.com> wrote:
> 
> Hi,
>  I loved easy-rsa tool and its user friendly interface. I am using this 
> tool for one of my project for OpenHPC (http://openhpc.community ). However 
> one my colleague pointed out that easy-rsa project is not an active project, 
> its last release was 2 year back, last commit was June 2016, and there are 
> multiple open issues on git hub (40), which are not yet addressed. So there 
> was concern that any security related vulnerability (if found) will not be 
> fixed in timely manner. Because of that I was asked to reevaluate easy-rsa 
> utility for my use.
> As per the documentation, easy-rsa development co-exists with OpenVPN, I am 
> assuming that openvpn community will take care of any vulnerability in 
> easy-rsa (if found). I will appreciate if someone on community confirm my 
> assumption that openvpn community will also be maintain easy-rsa any 
> vulnerability in this utility?
>  
>  
> Thanks & Regards
> -Sunil Mahawar


Re: [Openvpn-devel] SPAM on trac

2016-04-30 Thread Eric Crist
I think I’ve cleaned everything up.  Users will need to ask for permission to 
update the wiki.

Eric


> On Apr 29, 2016, at 13:51:07, debbie10t  wrote:
> 
> The lamest spam I ever did see :D
> 
> Is this a complaint ?
> http://postimg.org/image/fre81b9zl/
> 
> this guy knows about spam filters
> today has been a torrent of spam ..
> (No more on this list .. time to resume development)


Re: [Openvpn-devel] Fw: Easy-RSA3.0.0 Windows Version batch file missing

2015-09-22 Thread Eric Crist
I’ll publish corrected zip files today.

-
Eric F Crist



> On Sep 22, 2015, at 06:39:35,   
> wrote:
> 
> See also:
> 
> https://forums.openvpn.net/topic19770.html#p54980
> 
> The Windows .zip file is missing the entire /bin directory as well.
> 
> Windows zip file download size v3.0.0 = 42kb
> Windows zip file download size v3.0.0-rc2 = 606kb
> 
> 
> - Original Message -
> From: 
> To: 
> Sent: Monday, September 21, 2015 12:49 PM
> Subject: Easy-RSA3.0.0 Windows Version batch file missing
> 
> 
>> Source:
>> https://github.com/OpenVPN/easy-rsa/releases
>> 
>> Version:
>> https://github.com/OpenVPN/easy-rsa/releases/download/3.0.0/EasyRSA-3.0.0.zip
>> 
>> * Downloaded today *
>> 
>> EasyRSA-Readme.md:
>>  Running Easy-RSA
>> 
>> Invoking Easy-RSA is done through your preferred shell. Under Windows,
>> you
>> will use the `EasyRSA Start.bat`
>> 
>> Problem:
>> EasyRSA Start.bat is missing from archive.
>> 
>> Regards
>> 
> 


Re: [Openvpn-devel] vpn server's IP is not the same as the result given by https://www.whatismyip.com.

2015-09-20 Thread Eric Crist
You need to enable default gateway in the server config. See redirect-gateway 
in the man page. 



> On Sep 20, 2015, at 12:01 AM, Hongyi Zhao  wrote:
> 
> Hi all,
> 
> I use openvpn client to connect to the vpn server 139.226.101.101, after 
> I have connected to the server, I use https://www.whatismyip.com to 
> inspect my IP address, and find the following result:
> 
> Your IP Address Is:
> 103.41.63.9
> 
> As you can see, the vpn server's IP is not the same as the result given 
> by https://www.whatismyip.com, could you please give me some hints on 
> this thing?
> 
> Regards
> -- 
> .: Hongyi Zhao [ hongyi.zhao AT gmail.com ] Free as in Freedom :.
> 



Re: [Openvpn-devel] Questions/Comments about EasyRSA

2014-09-23 Thread Eric Crist
Hi Greg,

I've seen your comments, but haven't had the time to reply to them.  You're not 
being ignored, but I've been busy.  IRC in #openvpn, #openvpn-devel, or here is 
fine.  I'd prefer GitHub, as you've been doing, or IRC, myself.

-
Eric F Crist



On Sep 23, 2014, at 10:50:33, Gregory Sloop  wrote:

> I have some comments/issues related to EasyRSA - and I'm glad to assist as I 
> can. 
> 
> However, I've made comments over at GitHub and haven't seen any response - so 
> perhaps this is a better place to make them. Yet, I'm not sure how open this 
> list is to discussion about EasyRSA when, almost certainly, the majority of 
> the traffic is for "real" dev work on the main product, OpenVPN.
> 
> So, is this the place to discuss EasyRSA, or does someone have some 
> alternative suggestions.
> [I'm glad to get into the heart of the discussion, but want to be sure this 
> is the right forum and that I'm not committing some faux-pas.]
> 
> -Greg


Re: [Openvpn-devel] Openvpn 2.3.2: "Could not create temporary file" ....Too many open files

2014-07-22 Thread Eric Crist
This isn't an OpenVPN problem, directly.  It appears you have a client connect 
script, or are storing connection information in temp files.  You can increase 
the maximum allowed open files in Fedora (you'll have to research that 
yourself).  Alternatively, stop storing connection data in a temp file for new 
connections.  OpenVPN, by itself, does not create these temporary files.

-
Eric F Crist



On Jul 22, 2014, at 11:24:54, arno.oderm...@ch.schindler.com wrote:

> Dear all, 
> 
> we are driving O-VPN 2.3.2 on Fedora20. 
> Since we have quite many permanently connected O-VPN clients, we have started 
> three O-VPN processes, listening on three different ports and setting up 
> three different tap interfaces:
> 
> Today, all three O-VPN processes crashed suddenly, whereas we found following 
> error:
> 
> ip-172-16-128-101 openvpn[654]: /172.16.253.10:44214 Could not create 
> temporary file '/var/tmp/openvpn_cc_1bd37815cbacd70936015e40e25198aa.tmp': 
> Too many open files
> 
> We did not find any helpful information, neither in the mail-archives, 
> nor in other forums/panels, beside something related to user/password 
> authentication (openvpn-auth-pam), which we are not using (using TLS-server) 
> and also lsof did not provide any helpful information to correlate this error 
> to a (file-) resource problem 
> https://forums.openvpn.net/topic13474.html 
> https://community.openvpn.net/openvpn/ticket/201
> 
> 
> 
> After this happened, we found: 
> 
> - in /tmp:-rw-r--r--.  1 root0 Jul 18 10:51 vpn3_sema_15198   
>  #sema files laying around 
> 
> - in /var/tmp-rw---.  1 root0 Jul 18 10:51 
> openvpn_cc_0e211df697b9f5620da89bd05f44ef48.tmp 
> 
> 
> Deleting of the sema-files and restarting O-VPN brought back everything to 
> life. 
> 
> Has anybody ever experienced something similar, can this be a bug and what 
> could be the corrective action to overcome, this to repeat again? 
> 
> Thank you for any help in this 
> 
> Ar
> 

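A check for the condition discussed in this thread, added here as an example and not code from the thread or from the OpenVPN project: it compares the descriptors a process holds with its soft "Max open files" limit and counts leftover `openvpn_cc_*.tmp` files. The function names, the `PROC_ROOT` override and the 80 percent threshold are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): descriptor usage vs. RLIMIT_NOFILE for OpenVPN.
# PROC_ROOT and the function names are assumptions made for this sketch.
PROC_ROOT=${PROC_ROOT:-/proc}

# Soft "Max open files" limit of PID, read from $PROC_ROOT/PID/limits.
nofile_soft_limit() {
    awk '/^Max open files/ { print $4 }' "$PROC_ROOT/$1/limits" 2>/dev/null
}

# Number of descriptors PID holds: one entry per fd in $PROC_ROOT/PID/fd.
open_fd_count() {
    ls -1 "$PROC_ROOT/$1/fd" 2>/dev/null | wc -l | tr -d ' '
}

# Print usage for PID; exit status 1 once usage reaches THRESHOLD percent.
# The body runs in a subshell so its variables stay local in plain POSIX sh.
fd_usage() (
    pid=$1
    threshold=${2:-80}
    limit=$(nofile_soft_limit "$pid")
    used=$(open_fd_count "$pid")
    case $limit in
        ''|0|*[!0-9]*)
            # Limit missing or not numeric: report what is known, raise no alarm.
            echo "pid=$pid used=$used limit=${limit:-unknown}"
            exit 0 ;;
    esac
    pct=$(( used * 100 / limit ))
    echo "pid=$pid used=$used limit=$limit pct=$pct"
    [ "$pct" -lt "$threshold" ]
)

# Leftover openvpn_cc_*.tmp files in DIR (the log above shows them in /var/tmp).
stale_cc_files() {
    find "${1:-/var/tmp}" -maxdepth 1 -type f -name 'openvpn_cc_*.tmp' 2>/dev/null \
        | wc -l | tr -d ' '
}

# Check every running openvpn process; reading another user's fd list needs root.
check_openvpn() {
    for pid in $(pgrep -x openvpn 2>/dev/null); do
        fd_usage "$pid" || echo "WARNING: pid $pid is close to its open-file limit"
    done
    echo "stale client-connect temp files: $(stale_cc_files /var/tmp)"
}

check_openvpn
```

Run periodically, this shows whether descriptor usage climbs toward the limit before the daemon fails. On a systemd host the limit for a service is raised with `LimitNOFILE=` in its unit file.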

Re: [Openvpn-devel] Easy-RSA v3 release planning

2014-07-15 Thread Eric Crist
Josh and I spoke on this today and we're going to push to close a couple bugs 
and try to get an RC-2 published some time this week.

-
Eric F Crist



On Jul 14, 2014, at 22:57:29, Jonathan K. Bullard  wrote:

> On Tue, Dec 17, 2013 at 9:05 PM, Josh Cepek  wrote:
> The notable fix since -rc1 has been support for OpenSSL-0.9.8 (commit
> 8b1fe01.) While I hope this isn't a common need, the fix was simple
> enough, and this is still a supported OpenSSL version.
> 
> Any update on the availability of an -rc2 with this fix?
> 


Re: [Openvpn-devel] IRC & Community...

2014-05-02 Thread Eric Crist
Sorry about the logs, I'll update the wiki.  My cronjob was putting the files 
in the wrong location.  It's better, so I'm going to leave them where they are 
now.

#openvpn: http://secure-computing.net/logs/openvpn.log
#openvpn-devel: http://secure-computing.net/logs/openvpn-devel.log

-
Eric F Crist



On May 1, 2014, at 17:37:04, David Sommerseth  
wrote:

> On 01/05/14 21:15, Gert Doering wrote:
>> Hi,
>> 
>> On Thu, May 01, 2014 at 08:06:46PM +0300, Samuli Seppänen wrote:
>>> A few notes about where we get our patches from... in the documentation
>>> we do say that "post the patch to openvpn-devel list". That was a
>>> decision that was reached some years ago. However, we, in practice, do
>>> accept patches from Trac, GitHub and IRC. We should probably change the
>>> documentation to reflect this.
>> 
>> Actually, openvpn-devel *is* the way, with trac being second (due to
>> the way we reference every commit to a mail on openvpn-devel, trac
>> patches basically need someone re-sending them to the list).
>> 
>> Github and IRC are *not* a welcome input for patches, because it doesn't
>> match the agreed-upon workflow ("ack or nack on the list, reference that
>> message in the commit"), and doesn't have the benefit of trac to be
>> tied to a ticket that can be set to a given milestone, etc.
>> 
>> IRC is very welcome to bounce around ideas ("should we fix this?  if
>> yes, in which way?") but it needs to result in a patch being sent to
>> openvpn-devel.  Actually, this is often the reason why some patches get
>> ACKed much quicker than others - they have been discussed, the reason
>> for the change is well-understood, and for complicated stuff, the details
>> how to tackle it might have been agreed-upon beforehand.
> 
> +1
> 
> [...snip...]
> 
> On 01/05/14 19:06, Samuli Seppänen wrote:
>> Lack of developer time is the biggest issue for us, and that lack of
>> time results in unnecessary work having to be done later; like having
>> and maintaining a patch tracking page instead of just handling the
>> patches immediately as they are sent to the list.
> 
> +1 ... For some more info to Timothe, I used to be quite active for a long 
> time.  But I almost "hit the wall" late last summer, and had to pull the 
> emergency brake and reduce my workload.  I simply did too much and OpenVPN 
> was one of the things which took quite some time for me.  I've not resigned 
> completely, but I'm incredibly grateful Gert was able to pick up where I had 
> to drop.  Gert has done an amazing job, far better than I could ever do!  
> I'll come back somehow, and I even have a few patches on the ML which linger 
> too - but I need to step carefully forward.  But these patches which already 
> are on the ML do need help to get tested and reviewed.
> 
> We're really lacking developer time.  And developers often need to also try 
> to keep track of what happens a few places too.  So this is a bad circle, as 
> to where to put the efforts today.  So I'm open to discuss a way to move this 
> patch tracking and some of the administrative work "away" from the 
> developers, if anyone is available and has time and energy.  That's not 
> something which requires really deep developer skills, but interest and 
> somewhat knowledge about development is always good.  And it can be a good 
> starting point to get more involved in more core development with time as 
> well, as it's a perfect way to gain more knowledge about OpenVPN and how it 
> works ... And if no-one chimes in, things won't change all too much.
> 
> So the key point is probably: Do you dare to get your hands dirty?  Then 
> there might absolutely be a possibility to join in :)
> 
> 
> -- 
> kind regards,
> 
> David Sommerseth
> 


Re: [Openvpn-devel] possible socks authentication issue?

2014-04-17 Thread Eric Crist
There are recent patches on the devel list. 

> On Apr 16, 2014, at 6:37 PM, James Yonan  wrote:
> 
> Someone on the Tor lists is claiming that OpenVPN isn't implementing 
> SOCKSv5 authentication correctly:
> 
> https://lists.torproject.org/pipermail/tor-dev/2014-March/006427.html
> 
> Any ideas?
> 
> James
> 



Re: [Openvpn-devel] RFD: ssl library version numbers

2014-04-13 Thread Eric Crist
Love it. Report always 

> On Apr 13, 2014, at 10:26 AM, Gert Doering  wrote:
> 
> Hi,
> 
> OpenVPN does not currently report the version of the SSL library it is
> using - which I'm not sure whether it's by design or just because nobody
> ever added it.  Anyway, right now I think we need it, to help future
> cases.
> 
> There are a few questions that go along with that, which I want to discuss
> here :-)
> 
> - shall we report compile-time versions as well, or only run-time version?
> 
>  Like:
> 
>OpenSSL compile version='OpenSSL 1.0.1f 6 Jan 2014'
>library version='OpenSSL 1.0.1g 7 Apr 2014'
> 
>  (this is on one of my test systems where I discovered an old OpenSSL
>  installation, and upgraded *after* I built the OpenVPN binary)
> 
>  While I always like seeing numbers, I think the compile-time version is
>  not actually that useful - if the ABI is not compatible, it will break,
>  and if it is, the library version is what is relevant.
> 
> - how do I get the library version for PolarSSL?
> 
> - shall we report the library version to the server, e.g. in the form of
> 
>   IV_SSL=OpenSSL 1.0.1f
>   IV_SSL=PolarSSL 1.2.8
> 
>  as a sysadmin on the server side, I'd welcome this ("show me what my
>  users are running").  From a security geek side, I'm not sure whether
>  there is potential for abuse, so "please give me your input"
> 
> - if we report it, do we want to report it always (as IV_VER) or only
>  if --push-peer-info is set?
> 
> feedback, please! :-)
> 
> gert
> -- 
> USENET is *not* the non-clickable part of WWW!
>   //www.muc.de/~gert/
> Gert Doering - Munich, Germany g...@greenie.muc.de
> fax: +49-89-35655025g...@net.informatik.tu-muenchen.de



Re: [Openvpn-devel] Remove from list

2014-02-18 Thread Eric Crist
You'll need to remove yourself.

-
Eric F Crist



On Feb 18, 2014, at 07:53:45, Jeffrey Malkoff  wrote:

> Please remove me from the distribution list.  Thank you!
> 


Re: [Openvpn-devel] Bug Handling

2013-07-08 Thread Eric Crist
On Jul 8, 2013, at 08:20:05, Samuli Seppänen  wrote:

> 
>> Hi,
>> 
>> On Sun, Jun 30, 2013 at 10:32:31PM +0200, Max Muster wrote:
>>> So maybe it would be a simple idea to think of a switch in "bug
>>> handling". Why not simply use this list as "#1 input" for bug reports.
>> This list isn't always working better or quicker...  it really comes down
>> to whoever has time to go through open issues.  (We *do* have plans to
>> improve the ticket handling...)
>> 
>> So - as I said before, things have improved as far as community involvement
>> and feedback goes, but still have quite a way to go.  Working on it.
>> 
>> gert
> 
> I think it would probably make sense to configure Trac to send
> notifications of new tickets to this list. Although it would not
> increase the time at our hands, it would at the very least keep us
> updated on new issues. I'm also hoping that it would encourage others
> outside the current core developer team to review the new bug reports.
> I've reviewed quite a few bug reports in the past, and many of them seem
> to be simple configuration errors or based on misunderstandings. These
> non-valid bug reports could fairly easily be filtered out by people
> who would not normally participate in writing OpenVPN code.
> 
> Looking at the past record of new bug reports[1] we could expect maybe
> 0-3 new tickets each week. Would this amount of extra mails be acceptable?


I think it's more than acceptable.  Anyone interested in working on bug reports 
is welcome to do so.  Either Samuli or myself can grant them the needed 
permissions in Trac.

-
Eric F Crist





Re: [Openvpn-devel] Topics for next weeks meeting

2013-04-18 Thread Eric Crist
1800UTC

-
Eric F Crist



On Apr 18, 2013, at 02:01:24, Matthias Andree  wrote:

> On 10.04.2013 13:47, Samuli Seppänen wrote:
>> Hi all,
>> 
>> After a fairly long pause, the community meetings are starting again.
>> Next one is on Thursday 18th Apr 2013. The preliminary agenda is here:
>> 
>> 
>> 
>> Best regards,
>> 
> 
> Would you care to send the exact time of the meeting?
> The generic Wiki page is ambiguous, mentioning two distinct points in
> time. 
> 




Re: [Openvpn-devel] option --crl-verify PATH dir

2013-02-05 Thread Eric Crist
I think this option should remain.  This is useful for temporarily disabling 
users for VPNs that don't incorporate user/pass authentication.  I am opposed 
to deprecating this function.


-
Eric F Crist



On Feb 4, 2013, at 01:43:10, Adriaan de Jong  wrote:

>> -Original Message-
>> From: David Sommerseth [mailto:openvpn.l...@topphemmelig.net]
>> Sent: Sunday 3 February 2013 15:52
>> To: Jan Just Keijser
>> Cc: openvpn-devel@lists.sourceforge.net
>> Subject: Re: [Openvpn-devel] option --crl-verify PATH dir
>> 
>> On 03/02/13 12:02, Jan Just Keijser wrote:
>>> hi,
>>> 
>>> what is the second option to '--crl-verify' supposed to do? in
>>> options.c it sets a flag SSLF_CRL_VERIFY_DIR which then triggers the
>>> function 'verify_check_crl_dir'. However, this function does not seem
>>> to do anything
>> 
>> Quickly looked at the code ... with the 'dir' flag (which sets
>> SSLF_CRL_VERIFY_DIR), it's no longer a typical CRL file validation.  If
>> you create (touch) a file in the defined directory with the file name
>> matching a particular client's serial number; the connection will be
>> denied.
>> 
> 
> Confirmed, with the footnote that this is a weird way of going about things. 
> 
> I would like to suggest deprecating this option from 2.4 (or 2.3.1?) onwards, 
> and forcing people to either:
> 
> - Create an actual CRL file. This is not difficult. In general, people using 
> OpenVPN should be managing their own CA in the OpenVPN world.
> - Failing that, create a custom script to do this.
> 
> I'm always open for discussion, but imho this should not be core 
> functionality in OpenVPN.
> 
> Kind regards,
> Adriaan
> 
> 




Re: [Openvpn-devel] Correct Man Page: client-to-client

2013-01-08 Thread Eric Crist
I'm certain this is the behavior for TAP, but I'll do some due diligence and 
generate a few different scenarios and verify.  It's entirely possible this 
behavior is only present with the TAP adapter.  I'll post my findings later 
this week.
 
-
Eric F Crist



On Jan 8, 2013, at 02:52:01, Gert Doering  wrote:

> Hi,
> 
> On Mon, Jan 07, 2013 at 09:38:02PM +0100, Davide Brini wrote:
>> The current documentation looks correct to me. When using client-to-client,
>> traffic is not exposed on the tun interface; when not using
>> client-to-client, traffic shows up on the tun interface and can be
>> firewalled (eg with iptables).
> 
> +1
> 
> gert
> -- 
> USENET is *not* the non-clickable part of WWW!
>   //www.muc.de/~gert/
> Gert Doering - Munich, Germany g...@greenie.muc.de
> fax: +49-89-35655025g...@net.informatik.tu-muenchen.de




[Openvpn-devel] Correct Man Page: client-to-client

2013-01-07 Thread Eric Crist
This is something I've been meaning to address for quite some time, since the 
documentation is very, very wrong.  I'm not very good at reading the code 
(yet), so please correct me if I'm wrong.  This update is based on behavior 
I've seen and not as much on my ability to read our source.

The human-readable difference:

=== OLD ===
Because the OpenVPN server mode handles multiple clients
through a single tun or tap interface, it is effectively
a router.  The --client-to-client flag tells OpenVPN
to internally route client-to-client traffic rather than
pushing all client-originating traffic to the TUN/TAP interface.

When this option is used, each client will "see" the other 
clients which are currently connected.  Otherwise, each client
will only see the server.  Don't use this option if you want
to firewall tunnel traffic using custom, per-client rules.

=== NEW ===
Because the OpenVPN server mode handles multiple clients
through a single tun or tap interface, it is effectively
a router.  The --client-to-client flag tells OpenVPN
to allow traffic between clients connected to the VPN.  This
also exposes the traffic between clients to the TUN/TAP
interface, allowing for firewalling on a per-client basis.

When this option is used, each client will "see" the other 
clients which are currently connected.




diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 2ed5201..009aeda 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -2987,15 +2987,13 @@ Because the OpenVPN server mode handles multiple clients
 through a single tun or tap interface, it is effectively
 a router.  The
 .B \-\-client-to-client
-flag tells OpenVPN to internally route client-to-client
-traffic rather than pushing all client-originating traffic
-to the TUN/TAP interface.
+flag tells OpenVPN to allow traffic between clients
+connected to the VPN.  This also exposes the traffic between
+clients to the TUN/TAP inteface, allowing for firewalling
+on a per-client basis.
 
 When this option is used, each client will "see" the other
-clients which are currently connected.  Otherwise, each
-client will only see the server.  Don't use this option
-if you want to firewall tunnel traffic using
-custom, per-client rules.
+clients which are currently connected.  
 .\"*
 .TP
 .B \-\-duplicate-cn
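
Review bot: The added lines "+connected to the VPN.  This also exposes the traffic between" / "+clients to the TUN/TAP inteface" state the opposite of the text they replace, and the hunk also drops the warning "Don't use this option if you want to firewall tunnel traffic using custom, per-client rules". The accompanying message says the change rests on observed behaviour rather than on the source, and a reply in this thread says that with client-to-client the traffic is not exposed on the tun interface, so please confirm the behaviour against the code for both tun and tap before removing a warning that administrators rely on when deciding where per-client firewall rules can take effect. Separately, "inteface" should be "interface", and the new "+clients which are currently connected.  " line ends in trailing whitespace.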



-
Eric F Crist






Re: [Openvpn-devel] Looking to hire consultant - help us disguise OpenVPN traffic from Chinese firewall

2012-12-14 Thread Eric Crist
This isn't really the correct list for this.  You should have posted to -users, 
instead.  Check out obfsproxy: 
https://www.torproject.org/projects/obfsproxy.html.en

Cheers
-
Eric F Crist



On Dec 14, 2012, at 09:10:49, Ben  wrote:

> To whom it may concern,
> 
> I am running a VPN service and have customers located in China who cannot 
> connect via OpenVPN due to recent changes in their firewall. We are looking 
> for solutions to disguise the traffic so the connections won't be reset by 
> the Chinese firewall.
> If you are interested in working with us as a consultant on this project, 
> please reply to this email.
> 
> Thanks
> Ben




Re: [Openvpn-devel] Bug in program, bug in documentation, or something else?

2012-10-22 Thread Eric Crist
Well, I guess that puts a stopper in my attempt to pass the buck!

-
Eric F Crist



On Oct 21, 2012, at 18:21:51, Jonathan K. Bullard <jkbull...@gmail.com> wrote:

> On Sun, Oct 21, 2012 at 7:03 PM, Eric Crist wrote:
>> This sounds like a Tunnelblick failure.  I'd suggest checking with them 
>> first, they do all sorts of things with scripts and such.
> 
> Thanks, but I'm the current Tunnelblick developer!
> 
> You're correct that Tunnelblick does a lot in its scripts, but as far as I 
> can tell, this behavior has nothing to do with the scripts or Tunnelblick.
> 
> It has to do with what OpenVPN does -- the Tunnelblick scripts are not 
> involved. The behavior takes place completely within OpenVPN.
> 




Re: [Openvpn-devel] Bug in program, bug in documentation, or something else?

2012-10-22 Thread Eric Crist
This sounds like a Tunnelblick failure.  I'd suggest checking with them first, 
they do all sorts of things with scripts and such.

Cheers
-
Eric F Crist



On Oct 21, 2012, at 17:40:08, Jonathan K. Bullard  wrote:

> A Tunnelblick user has reported odd behavior with name resolution failures. I 
> can't tell if it is a bug in OpenVPN, a bug in the documentation, or 
> something else. The behavior is apparently the same in OpenVPN 2.2.1 and 
> 2.3alpha1.
> 
> The 2.3 man page says:
> --resolv-retry n
>  If hostname resolve fails for --remote, retry resolve for n seconds 
> before failing.
>  Set n to "infinite" to retry indefinitely.
>  By default, --resolv-retry infinite is enabled.  You can disable by 
> setting n=0.
> 
> But the behavior seems very different:
> 
> If a name resolution failure (caused, for example, by losing the network 
> connection) occurs
> and --resolv-retry is:
> 1, the first resolution failure terminates the connection;
> 5, resolution attempts are made dozens of times per second, seemingly 
> forever; or
> 10, resolution attempts are made every five seconds, seemingly forever.
> 
> Any ideas if this is a program bug, a documentation bug, or something else, 
> for example, a problem that only occurs on OS X?




Re: [Openvpn-devel] Using --mlock and --user makes openvpn "run out of memory"

2012-10-11 Thread Eric Crist
If this is of importance to you, there are two courses of action.  First, 
please create a ticket on the OpenVPN community trac.  Please be as detailed as 
possible.  Another option is to fix this in the source tree, based off 
git-master, and submit a working patch.  This second option is going to be the 
quickest way to get a resolution.

Cheers
-
Eric F Crist



On Oct 11, 2012, at 10:21:35, Alberto Gonzalez Iniesta  wrote:

> Hi,
> 
> There's an open bug in Debian [1] since 2007, that seems to be quite
> documented right now. To sum up, when you run openvpn with --mlock and
> --user, the daemon will die with "out of memory", possibly due to
> mlock(2):
> 
> BUGS
> Since  kernel  2.6.9, if a privileged process calls mlockall(MCL_FUTURE)
> and later drops privileges (loses the CAP_IPC_LOCK capability by, for
> example,  setting  its effective  UID  to  a  nonzero  value),  then
> subsequent memory allocations (e.g., mmap(2), brk(2)) will fail if the
> RLIMIT_MEMLOCK resource limit is encountered.
> 
> The bug report contains a workaround (editing PAM limits) and a plea to
> document this behaviour. I guess it's better to document this (after
> verification of the facts) in OpenVPN's man page rather than just
> Debian's package.
> 
> Regards,
> 
> Alberto
> 
> 
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=406895
> -- 
> Alberto Gonzalez Iniesta| Training, consulting and technical support
> agi@(inittab.org|debian.org)| for GNU/Linux and free software
> Encrypted mail preferred| http://inittab.com
> 
> Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3
> 




Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir

2012-08-27 Thread Eric Crist
On Aug 27, 2012, at 08:11:53, Amm Vpn  wrote:

> With my idea of simple textarea HTML field, local admin himself (without 
> needing me)
> can enable a feature or remove deprecated feature by simply adding/removing
> related line. All I have to make sure that disallow word "script-dir" in 
> frontend.
> And may be few other keywords like "chroot".

All of this can be solved with sed.  No need for an OpenVPN patch that simply 
makes your life a little easier.  This hasn't been requested by 'many' users, 
like you claim.  It's only been requested by you.

-
Eric F Crist






Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir

2012-08-23 Thread Eric Crist
On Aug 23, 2012, at 10:30:51, Amm Vpn <ammdispose-...@yahoo.com> wrote:

> - Original Message -
>> From: Eric Crist <ecr...@secure-computing.net>
>> To: Amm Vpn <ammdispose-...@yahoo.com>
>> Cc: Heiko Hund <heiko.h...@sophos.com>; 
>> "openvpn-devel@lists.sourceforge.net" <openvpn-devel@lists.sourceforge.net>
>> Sent: Thursday, 23 August 2012 8:19 PM
>> Subject: Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir
>  
>>> So best is to make OpenVPN itself secure. And run only scripts from 
>>> particular directory. (script-dir)
> 
> 
>> I don't really see how this adds any security.  Perhaps it makes it easier 
>> to code your front-end, but it doesn't offer anything in the way of 
>> security, since it's an option passed in the config or on the command line, 
>> it can be changed at-will by whomever runs the program.
> 
> Umm, same applies for script-security parameter as well. How does that add 
> security?
> If person has access to config file he can change script-security level as 
> well and then
> run any RANDOM command at his will.
> 
> So why was such an option added too? Please do not assume that it will be 
> only you who would
> be modifying config file. In my case I have to allow access to subordinate.
> 
> My point here is script-security does not really give you TRUE security.
> 
> Script-dir makes sure that ONLY script from particular directory (say 
> /etc/openvpn/scripts)
> are run. This should in fact be hardcoded in openvpn at compile time. (which 
> my patch
> does not do yet but instead made it a config option)
> 
> Any script NOT in that directory should not be run at all.
> 
> Currently openvpn BLINDLY runs any script which in my opinion is too 
> dangerous. One
> breach and intruder can simply erase your whole harddisk.
> 
> My idea of script-dir is taken from sendmail concept of smrsh.
> http://www.faqs.org/docs/securing/chap22sec182.html
> 
> In my case person does not have direct access to machine. But only to config 
> file.
> Now if I make sure that he can't change script-dir, it secures my whole 
> machine.
> 
> Otherwise there is no way I can give access to config file to him without 
> worrying
> about him running "rm -rf /"
> 
> Hope I am able to convey my idea. Just trying to patch a flaw in openvpn, in 
> my opinion

I still think this doesn't help anything that can't be solved in your own GUI.  
Simply make sure that you prepend the full path on any scripts setup from your 
front-end and you help your own cause.  Additionally, strip any pathing from 
the supplied arguments.  script-security was added by James before the 
community got heavily involved in development, so I can't say as to the real 
reasons for that change.  I am still thinking this is an unneeded patch with 
too-narrow a scope.

-
Eric F Crist
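
The front-end check suggested in the reply above (prepend the full path to every script, strip any supplied pathing), written out as an added example; it is not code from the thread or from OpenVPN. The `/etc/openvpn/scripts` directory is the one named in the thread; the function names, the reserved-option list and the strict argument character set are assumptions of this example.

```python
import posixpath
import re
import shlex

SCRIPT_DIR = "/etc/openvpn/scripts"  # directory named in the thread

# OpenVPN options whose first parameter is a command OpenVPN executes.
# Extend this set to match the options of the OpenVPN version you deploy.
SCRIPT_DIRECTIVES = frozenset({
    "up", "down", "ipchange", "route-up", "route-pre-down", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address",
})

# Options reserved for the operator (policy assumption of this example): they
# change script handling or load code/config that this filter never sees.
FORBIDDEN_DIRECTIVES = frozenset({"script-security", "chroot", "plugin", "config"})

SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")  # bare script file name
SAFE_ARG = re.compile(r"[A-Za-z0-9._/:=@%+-]+")        # strict on purpose


class ConfigRejected(ValueError):
    """The submitted config must not be deployed."""


def _pinned_command(cmd, allowed, lineno):
    """Drop any directory from the script name and pin it to SCRIPT_DIR."""
    parts = shlex.split(cmd)
    name = posixpath.basename(parts[0]) if parts else ""
    if not SAFE_NAME.fullmatch(name):
        raise ConfigRejected(f"line {lineno}: no usable script name in {cmd!r}")
    if allowed is not None and name not in allowed:
        raise ConfigRejected(f"line {lineno}: {name!r} is not an installed script")
    for arg in parts[1:]:
        if not SAFE_ARG.fullmatch(arg):
            raise ConfigRejected(f"line {lineno}: unsafe script argument {arg!r}")
    return " ".join([posixpath.join(SCRIPT_DIR, name)] + parts[1:])


def sanitize_config(text, allowed=None):
    """Return the config with every script option pinned to SCRIPT_DIR.

    allowed: optional set of script file names present in SCRIPT_DIR.
    Raises ConfigRejected for reserved options or anything unparseable.
    """
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            out.append(raw)
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError as exc:              # e.g. unbalanced quote: fail closed
            raise ConfigRejected(f"line {lineno}: {exc}") from None
        if not tokens:
            out.append(raw)
            continue
        # Strip a leading "--" so "--up" cannot slip past the name checks.
        option = tokens[0][2:] if tokens[0].startswith("--") else tokens[0]
        if option in FORBIDDEN_DIRECTIVES:
            raise ConfigRejected(f"line {lineno}: option {option!r} is reserved")
        if option not in SCRIPT_DIRECTIVES:
            out.append(raw)                    # not a script option: keep as is
            continue
        if len(tokens) < 2:
            raise ConfigRejected(f"line {lineno}: {option} needs a command")
        cmd = _pinned_command(tokens[1], allowed, lineno)
        extra = tokens[2:]                     # e.g. "via-env"
        if not all(SAFE_ARG.fullmatch(tok) for tok in extra):
            raise ConfigRejected(f"line {lineno}: unsafe parameter after command")
        out.append(" ".join([option, f'"{cmd}"'] + extra))
    return "\n".join(out) + "\n"


# Constructed sample input, as an admin might paste it into the front-end.
SAMPLE = """\
# site config
dev tun
up /tmp/evil/up.sh
--down "../../home/admin/down.sh tun0"
auth-user-pass-verify /usr/local/bin/check.sh via-env
keepalive 10 60
"""

if __name__ == "__main__":
    print(sanitize_config(SAMPLE, allowed={"up.sh", "down.sh", "check.sh"}), end="")
```

Tokenizing each line, rather than matching keywords in the raw text, is what lets the filter catch quoted or `--`-prefixed option names; anything it cannot parse is rejected instead of passed through.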





Re: [Openvpn-devel] patch for 2.2.2 to include --script-dir

2012-08-23 Thread Eric Crist
On Aug 23, 2012, at 09:45:14, Amm Vpn  wrote:

>> Hi
>> 
>> On Thu 23 08 2012 21:09:49 ammdispose-...@yahoo.com wrote:
>>> So my idea was
>>> 1) Add a new option called script-dir
>>> 2) Frontend will not allow word "script-dir" in config file (so admin cant
>>> change it) 
>>> 3) script-dir will be passed on command line
>>> 
>>> This way admin can not run anything other than what I have put in
>>> script-dir. This also helps prevent accidentally run script in some other
>>> path.
>> 
>> As this is very specific to your frontend, why doesn't your frontend simply 
>> check the path names in the config for correctness before deploying it?
> 
> Umm, I suppose this feature may be useful for other purposes. At least adds a 
> level of security.
> 
> Regarding my frontend, frontend is very basic, Simple textarea in a form.
> I do not want to complicate it by parsing each line, each type of config 
> value and verifying them for
> correctness and secureness.
> 
> Also want it to be forward compatible, in a sense, let's say tomorrow some 
> other config is
> introduced which runs some other script. Then I do not want to re-code my 
> frontend to
> check for new config entry.
> 
> So best is to make OpenVPN itself secure. And run only scripts from 
> particular directory. (script-dir)


I don't really see how this adds any security.  Perhaps it makes it easier to 
code your front-end, but it doesn't offer anything in the way of security, 
since it's an option passed in the config or on the command line, it can be 
changed at-will by whomever runs the program.

-
Eric F Crist



Re: [Openvpn-devel] RFC: tun/tap cleanup at program end

2012-08-16 Thread Eric Crist
On Aug 15, 2012, at 05:53:40, Gert Doering  wrote:

> Hi,
> 
> On Wed, Aug 15, 2012 at 12:00:12PM +0200, Gert Doering wrote:
>>  3 - check for the existence of "--dev tap3" and remember, not cleaning
>>  if it existed previously, doing this with RT_NETLINK which should
>>  be sufficiently portable across all BSDs.  Same advantage as "2",
>>  hopefully much nicer implementation.
> 
> Here we go.  I discovered if_nametoindex(), which is really handy for
> this :-)
> 
> Eric, please test whether this solves your issues.
> 
> David, please do *not yet* commit, even if someone ACKs - I need to test
> this on OpenBSD, NetBSD and FreeBSD 9 as well.  So far, only tested on 
> FreeBSD 7.4 (and works).

I'm comfortable giving my ACK to this patch.

-
Eric F Crist







Re: [Openvpn-devel] StrongVPN.com - Account config

2012-08-14 Thread Eric Crist
This is not appropriate content for the developers mailing list.  Please remove 
the openvpn-devel address from this thread on future mailings.

-
Eric F Crist



On Aug 14, 2012, at 14:08:00, jassim almaamary  wrote:

> i am doing this because i lost all configuration of strong VPN 
> so if i get them back i will keep in 
> 
> regards
> 
> jassim 
> 
> > Date: Tue, 14 Aug 2012 11:46:02 +0200
> > From: openvpn.l...@topphemmelig.net
> > To: al_mam...@hotmail.com
> > CC: openvpn-devel@lists.sourceforge.net
> > Subject: Re: [Openvpn-devel] StrongVPN.com - Account config
> > 
> > On 13/08/12 20:30, jassim almaamary wrote:
> > > please cancel my account as i am still facing same problem please
> > > stop invoicing me
> > 
> > This is the OpenVPN developers mailing list. This list is not in any
> > way related to StrongVPN at all. Please contact StrongVPN directly,
> > people on this mailing list cannot help you.
> > 
> > I would guess this might be a good starting point to look for help:
> > 
> > 
> > 
> > 
> > kind regards,
> > 
> > David Sommerseth
> > 
> > 
> > > 
> > >
> > > 
> > Date: Mon, 13 Aug 2012 10:55:09 -0700
> > > To: al_mam...@hotmail.com From:
> > > do_not_re...@intranet.reliablehosting.com Subject: StrongVPN.com -
> > > Account config
> > > 
> > >  *Hello jassim almamary,*
> > > 
> > > Config for your Open VPN Account ovpn141-vpn-in109 account in
> > > attachment.
> > > 
> > > Below you will find your StrongVPN account information. Please log
> > > into customer area
> > >  to
> > > familiarize yourself with our services and features. Instructions
> > > for all devices and operating systems can be found on this page 
> > > http://strongvpn.com/setup.shtml. We are also available on our Live
> > > Help 24 hours a day should you need any assistance. If for some
> > > reason our live help does not work for you, please contact us via
> > > Skype at user account "reliablehosting". *Follow us*
> > > 
> > > 
> > >  
> > > 
> > > 
> > > 
> > > *Support Help*
> > > 
> > > *If you are unable to connect, please review our top reasons for
> > > failed connection  before
> > > contacting support:*
> > > 
> > > * *Live Help -* Remember if you have any problems during the 
> > > installation, we are available 24hours a day, 7 days a week on via 
> > > Live Help. Just click  and we can 
> > > help you with the installation, or even do it for you remotely via 
> > > Teamviewer.
> > > 
> > > * *Support Desk -* If you have any questions, please use our
> > > helpdesk at: http://secure.reliablehosting.com/esupport/ 
> > >  Skype
> > > - Skype contacts at http://www.strongvpn.com/contacts.shtml Phone -
> > > 1-877-402-9532 - voicemail box call back
> > > 
> > > * *Mirror Sites -* If you are unable to see StrongVPN.com to get
> > > live help, you can reach us on our mirror site here: 
> > > http://strongvpn.mobi http://strongvpn.mx http://strongvpn.name
> > > 
> > > 
> > > *Billing Area Help*
> > > 
> > > * Pay invoices online here: https://whm.reliablehosting.com/whmcs/ 
> > > * Cancel Account or individual packages here: 
> > > https://intranet.reliablehosting.com/services/cancellation_request/
> > >
> > > * Refund Policy - We guarantee your 100% satisfaction with our
> > > services. If for any reason you are not satisfied within 7 days of
> > > receiving access we will grant you a 100% refund. Just place your
> > > cancellation below within that time frame for the full refund.
> > > 
> > > Please note when we do process your order, the charge will appear
> > > on your statement as: *Black Oak Computers, Inc. /
> > > Reliablehosting.com*
> > > 
> > > 
> > > Thanks from Reliablehosting.com / StrongVPN.com Accounting
> > > Department
> > > 
> > > 
> > > 

Re: [Openvpn-devel] [RFC] Split plugins into their own repositories

2012-05-13 Thread Eric Crist
David,

You misrepresent my opinion.  I do NOT want a split, but will deal with one (as 
a packager) if it becomes necessary.  I would much prefer there to never be a 
split, and for everything to be handled with configure args or ifdefs in the 
make file.

-
Eric F Crist



On May 13, 2012, at 15:42:10, Eric Crist wrote:

> What I had mentioned might be a good alternative in IRC was to have an 
> openvpn package, and an openvpn-contrib.  Two isn't hard, 17 or 500 is.  
> This, still, didn't seem to be liked by Alon (not calling you out, per se, 
> but stating fact).
> 
> Not sure where we should go from here other than to stay where we are.  No 
> point in moving until we're all ready to move in the same direction.  If need 
> be, we can enforce a dev-team sack race when we next get together. ;)
> 
> -
> Eric F Crist
> 
> 
> 
> On May 13, 2012, at 07:40:07, Seth Mos wrote:
> 
>> Chiming in here,
>> 
>> Although pfSense is basically a giant tarball, it has the benefit of being 
>> sure that all parts of it fit together. We also have installable packages 
>> and we frequently see issues with that. We are trying to solve some of them 
>> using PBI packages just so that each "package" always has its dependencies 
>> in check.
>> 
>> Although we are just a "consumer", we'd rather have a single FreeBSD port 
>> that we build than 5 ports we need to update, with all the required 
>> dependencies.
>> 
>> Our github repo is split into one for packages, tools and pfSense. But each 
>> is really a standalone thing, because there is no overlap. Which is probably my 
>> point, the plugin is useless without the main.
>> 
>> The one git repo for pfSense is pretty manageable, even more so through git 
>> with Pull requests. The single biggest jump in commits and patches from the 
>> community is moving to GitHub. It makes contributions so much easier. That 
>> said, even for us the amount of simultaneous active coders is about 5, 
>> although we do see small patches and pull requests from about 30 or so 
>> people a year.
>> 
>> I see nagios using nagios-plugins, that has separate releases from the main 
>> nagios. So there's that too.
>> 
>> Just a few thoughts from the other end.
>> 
>> Really, really, _really_ looking forward to Viscosity and Tunnelblick 
>> shipping IPv6 enabled clients. Pretty please.
>> 
>> Cheers,
>> 
>> Seth
>> pfSense developer
>> 
>> On 13 May 2012, at 13:12, Gert Doering wrote:
>> 
>>> Hi,
>>> 
>>> On Sun, May 13, 2012 at 02:00:32PM +0300, Alon Bar-Lev wrote:
>>>>>> Can't we progress?
>>>>> 
>>>>> Why is that progress?
>>>>> 
>>>>> Change always has drawbacks.  If the plus sides outweighs the drawbacks,
>>>>> change is good.  Change for change's sake, "just because you can change
>>>>> it", is not.
>>>> 
>>>> Yes, but still from your responses I don't see any drawback... maybe I
>>>> am slow learner...
>>> 
>>> Drawback to maintainers and sysadmins has already been mentioned by
>>> ecrist and me.  Try being a sysadmin for a few weeks and figure out
>>> which bits of xorg you need to download to install xinit, assuming
>>> you have a system without any X libraries and headers yet (in the xorg
>>> example: splitting off "xinit" might actually make sense, but splitting
>>> the basic infrastructure to build anything into about 50 different
>>> "xyz-library" and "xyz-headers" packages is craziness).
>>> 
>>> But the onus is not particularly on me: you have not put forward 
>>> convincing arguments why splitting off a very small number of files 
>>> that only make use in the context of OpenVPN into their own repository 
>>> has any *advantage*.
>>> 
>>> The handwavy argument "it will attract more users!" can be countered by
>>> similarly handwaving "I, as a user, hate to download multiple packages
>>> to figure out how to start contributing, and so it will scare *away*
>>> users".
>>> 
>>> 
>>> As a counterexample, look at Apache.  They have heaps of modules in
>>> the main tarball, and have no issues with frequent release and with
>>> attracting developers.  And still, modules maintained by non-apache
>>> developers can be developed externally, without having to split off
>>> all existing modules beforehand.

Re: [Openvpn-devel] [RFC] Split plugins into their own repositories

2012-05-13 Thread Eric Crist
What I had mentioned might be a good alternative in IRC was to have an openvpn 
package, and an openvpn-contrib.  Two isn't hard, 17 or 500 is.  This, still, 
didn't seem to be liked by Alon (not calling you out, per se, but stating fact).

Not sure where we should go from here other than to stay where we are.  No 
point in moving until we're all ready to move in the same direction.  If need 
be, we can enforce a dev-team sack race when we next get together. ;)

-
Eric F Crist



On May 13, 2012, at 07:40:07, Seth Mos wrote:

> Chiming in here,
> 
> Although pfSense is basically a giant tarball, it has the benefit of being 
> sure that all parts of it fit together. We also have installable packages and 
> we frequently see issues with that. We are trying to solve some of them using 
> PBI packages just so that each "package" always has its dependencies in 
> check.
> 
> Although we are just a "consumer", we'd rather have a single FreeBSD port 
> that we build than 5 ports we need to update, with all the required 
> dependencies.
> 
> Our github repo is split into one for packages, tools and pfSense. But each 
> is really a standalone thing, because there is no overlap. Which is probably my 
> point, the plugin is useless without the main.
> 
> The one git repo for pfSense is pretty manageable, even more so through git 
> with Pull requests. The single biggest jump in commits and patches from the 
> community is moving to GitHub. It makes contributions so much easier. That 
> said, even for us the amount of simultaneous active coders is about 5, 
> although we do see small patches and pull requests from about 30 or so people 
> a year.
> 
> I see nagios using nagios-plugins, that has separate releases from the main 
> nagios. So there's that too.
> 
> Just a few thoughts from the other end.
> 
> Really, really, _really_ looking forward to Viscosity and Tunnelblick 
> shipping IPv6 enabled clients. Pretty please.
> 
> Cheers,
> 
> Seth
> pfSense developer
> 
> On 13 May 2012, at 13:12, Gert Doering wrote:
> 
>> Hi,
>> 
>> On Sun, May 13, 2012 at 02:00:32PM +0300, Alon Bar-Lev wrote:
>>>>> Can't we progress?
>>>> 
>>>> Why is that progress?
>>>> 
>>>> Change always has drawbacks.  If the plus sides outweighs the drawbacks,
>>>> change is good.  Change for change's sake, "just because you can change
>>>> it", is not.
>>> 
>>> Yes, but still from your responses I don't see any drawback... maybe I
>>> am slow learner...
>> 
>> Drawback to maintainers and sysadmins has already been mentioned by
>> ecrist and me.  Try being a sysadmin for a few weeks and figure out
>> which bits of xorg you need to download to install xinit, assuming
>> you have a system without any X libraries and headers yet (in the xorg
>> example: splitting off "xinit" might actually make sense, but splitting
>> the basic infrastructure to build anything into about 50 different
>> "xyz-library" and "xyz-headers" packages is craziness).
>> 
>> But the onus is not particularly on me: you have not put forward 
>> convincing arguments why splitting off a very small number of files 
>> that only make use in the context of OpenVPN into their own repository 
>> has any *advantage*.
>> 
>> The handwavy argument "it will attract more users!" can be countered by
>> similarly handwaving "I, as a user, hate to download multiple packages
>> to figure out how to start contributing, and so it will scare *away*
>> users".
>> 
>> 
>> As a counterexample, look at Apache.  They have heaps of modules in
>> the main tarball, and have no issues with frequent release and with
>> attracting developers.  And still, modules maintained by non-apache
>> developers can be developed externally, without having to split off
>> all existing modules beforehand.
>> 
>> gert
>> -- 
>> USENET is *not* the non-clickable part of WWW!
>>  //www.muc.de/~gert/
>> Gert Doering - Munich, Germany 
>> g...@greenie.muc.de
>> fax: +49-89-35655025
>> g...@net.informatik.tu-muenchen.de

Re: [Openvpn-devel] [RFC] Split plugins into their own repositories

2012-05-12 Thread Eric Crist
My two cents on this is as follows:

As a package maintainer, I think this is going to prove to be a lot of work.  
It means there are more packages to maintain, over the one I need to now.  
HOWEVER, from the OpenVPN development process, I think it's best to split 
things out, as Alon suggests, with one caveat.  Let's wait for 3.0.  That's 
already going to be a massive change to our source tree and overall build 
process, and I think it would be the right time to push that out.

Hope this helps.
-
Eric F Crist





[Openvpn-devel] 2012-17 Snapshot Signature

2012-04-29 Thread Eric Crist
Here's the GPG signature for the week 17, 2012 source snapshot.  If this block 
of text doesn't work for you, it's also been attached to this email.

Cheers.




-
Eric F Crist





[Openvpn-devel] 2012-08 Snapshot Signature

2012-02-27 Thread Eric Crist


-
Eric F Crist




[Openvpn-devel] 2012-07 Snapshot Signature

2012-02-13 Thread Eric Crist


-
Eric F Crist
Secure Computing Networks
Certified in ABC by Sesame Street
Brought to you by the number 4
Certified Winner by Charlie Sheen
I can do it better than you, nanna nanna boo boo (School of Tosh.0)





[Openvpn-devel] 2012-04 Snapshot Signature

2012-01-23 Thread Eric Crist


-
Eric F Crist
Secure Computing Networks
Certified in ABC by Sesame Street
Brought to you by the number 4
Certified Winner by Charlie Sheen
I can do it better than you, nanna nanna boo boo (School of Tosh.0)





[Openvpn-devel] 2012-01 Snapshot Signature

2012-01-02 Thread Eric Crist
Weekly snapshots of the openvpn source tree are built every Sunday at midnight 
CST/CDT.  The snapshot for week 1 of 2012 is as follows:


Happy New Year!
-
Eric F Crist
Secure Computing Networks







[Openvpn-devel] 2011-51 Snapshot Signature

2011-12-18 Thread Eric Crist
The signature for openvpn-201151.tar.gz weekly snapshot is below:



Cheers
-
Eric F Crist
Secure Computing Networks






[Openvpn-devel] Weekly Snapshots

2011-12-09 Thread Eric Crist
Beginning with this past week, I plan to sign the weekly snapshots and post a 
message to the list with the signature.  I believe it'll prove more difficult 
to doctor everyone's email than a single file on my FTP servers.  These tar 
balls are generated every Sunday at 00:00 CST if there have been new commits.  
There is also a brief change log that can be found in revision.log.  You may 
use ftp.secure-computing.net or ftp2.secure-computing.net in pub/openvpn.

Without further ado, the signature for week 49 of 2011:



-
Eric F Crist
Secure Computing Networks
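
One way to use the scheme described in the message above (tarball from FTP, signature from the list mail), as an added example that is not part of the original post or of the project's tooling. `PINNED_FPR` is a placeholder because the page does not give the signing key's fingerprint; the function names and file arguments are assumptions.

```shell
#!/bin/sh
# Added example: check a weekly snapshot against the signature posted to the list.
# PINNED_FPR is a placeholder; the page does not state the signing key's fingerprint.
# Obtain the real one out of band and import that key before running this.
PINNED_FPR="0000000000000000000000000000000000000000"

# Print the first ASCII-armored detached signature found in a saved mail (stdin).
extract_sig() {
    awk '/^-----BEGIN PGP SIGNATURE-----/      { on = 1 }
         on                                    { print }
         on && /^-----END PGP SIGNATURE-----/  { exit }'
}

# Succeed only if gpg status output ($1) reports a cryptographically valid
# signature whose signing-key or primary-key fingerprint equals $2.
# GOODSIG alone is not enough: it carries a key ID, not the full fingerprint.
signed_by_pinned() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit(ok ? 0 : 1) }'
}

# verify_snapshot MAIL TARBALL: mail saved from the list, tarball fetched from FTP.
verify_snapshot() {
    sig=$(mktemp) || return 1
    extract_sig < "$1" > "$sig"
    if [ ! -s "$sig" ]; then rm -f "$sig"; return 1; fi   # no signature in the mail
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$2" 2>/dev/null) || true
    rm -f "$sig"
    signed_by_pinned "$status" "$PINNED_FPR"
}

# Runs only when called with both arguments, e.g.:
#   sh verify-snapshot.sh saved-list-mail.eml snapshot.tar.gz
if [ "$#" -eq 2 ]; then
    if verify_snapshot "$1" "$2"; then
        echo "OK: signed by pinned key"
    else
        echo "FAIL: do not use this tarball" >&2
        exit 1
    fi
fi
```

The pinned fingerprint is what makes the list copy of the signature useful: a signature that verifies under some other key in the local keyring is rejected.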







Re: [Openvpn-devel] Build issues on OSX Lion

2011-09-20 Thread Eric Crist
On Sep 19, 2011, at 16:05:27, JuanJo wrote:

> On Mon, Sep 19, 2011 at 5:56 PM, JuanJo Ciarlante <jjo...@google.com> wrote:
>> On Mon, Sep 19, 2011 at 4:46 PM, Eric Crist <ecr...@secure-computing.net> 
>> wrote:
>>> After testing, this appears to compile and function, with David's 
>>> tun-stuff.patch, which was attached to the first message.
> 
> FYI indeed had to add tun-stuff.patch to compile under freebsd, quickly
> tested ok also.
> 
>> 
>> Great! ... thanks Eric for testing this (fwiw checked building+test under
>> openbsd ok - just to assert that I didn't break any BSDism).
>> 
>> Cheers,


JuanJo,

I forgot to mention the FreeBSD bit, that was something I already knew, sorry 
for wasting your time by not saying something.  For posterity, I've attached 
the patches here, and added the openvpn-devel list as a CC.

Eric Crist

From f11d7ddb965c6bd65d7dd02cc57539ea4f1c5598 Mon Sep 17 00:00:00 2001
From: JuanJo Ciarlante <jjo...@google.com>
List-Post: openvpn-devel@lists.sourceforge.net
Date: Mon, 19 Sep 2011 16:07:14 +0200
Subject: [PATCH] fix ipv6 compilation under macosx >= 1070 - v3
 - use __APPLE_USE_RFC_3542 for macosx build environment >= 1070
 - define SOL_IP from IPPROTO_IP if it's missing
   In Linux man 7 ip says:
   "Using SOL_IP socket options level isn't portable, BSD-based
   stacks use IPPROTO_IP level."

Signed-off-by: JuanJo Ciarlante <jjo...@google.com>
---
 socket.c  |3 +--
 socket.h  |6 ++
 syshead.h |   14 ++
 3 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/socket.c b/socket.c
index a2f9511..47e44ed 100644
--- a/socket.c
+++ b/socket.c
@@ -2878,8 +2878,7 @@ struct openvpn_in4_pktinfo
   struct cmsghdr cmsghdr;
 #ifdef HAVE_IN_PKTINFO
   struct in_pktinfo pi4;
-#endif
-#ifdef IP_RECVDSTADDR
+#elif defined(IP_RECVDSTADDR)
   struct in_addr pi4;
 #endif
 };
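Review bot: the new `#elif defined(IP_RECVDSTADDR)` in struct openvpn_in4_pktinfo makes HAVE_IN_PKTINFO silently win when a platform defines both macros, and that precedence is not stated anywhere in the hunk. Every place that sets the socket option or reads the control message has to select the same branch, otherwise `pi4` is interpreted with the wrong type, so I would add a one-line comment here saying in_pktinfo is preferred, or derive a single selector macro once and test that everywhere. The commit message should mention this change too; it currently lists only the __APPLE_USE_RFC_3542 and SOL_IP items.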
diff --git a/socket.h b/socket.h
index a9a29c5..4a4f75d 100644
--- a/socket.h
+++ b/socket.h
@@ -86,8 +86,7 @@ struct link_socket_actual
   union {
 #ifdef HAVE_IN_PKTINFO
 struct in_pktinfo in4;
-#endif
-#ifdef IP_RECVDSTADDR
+#elif defined(IP_RECVDSTADDR)
 struct in_addr in4;
 #endif
 struct in6_pktinfo in6;
@@ -589,8 +588,7 @@ addr_defined_ipi (const struct link_socket_actual *lsa)
   switch (lsa->dest.addr.sa.sa_family) {
 #ifdef HAVE_IN_PKTINFO
 case AF_INET: return lsa->pi.in4.ipi_spec_dst.s_addr != 0;
-#endif
-#ifdef IP_RECVDSTADDR
+#elif defined(IP_RECVDSTADDR)
 case AF_INET: return lsa->pi.in4.s_addr != 0;
 #endif
 case AF_INET6: return !IN6_IS_ADDR_UNSPECIFIED(>pi.in6.ipi6_addr);
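Review bot: in addr_defined_ipi the AF_INET label exists only under one of the two macros, so if neither HAVE_IN_PKTINFO nor IP_RECVDSTADDR is defined the switch has no AF_INET case at all. The hunk does not show a default branch; please confirm the function returns a defined value for AF_INET on such a platform, or add an explicit `#else` arm that returns false.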
diff --git a/syshead.h b/syshead.h
index e208d4c..66a2538 100644
--- a/syshead.h
+++ b/syshead.h
@@ -57,6 +57,12 @@
 #define srandom srand
 #endif
 
+#if defined(__APPLE__)
+#if __ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__ >= 1070
+#define __APPLE_USE_RFC_3542  1
+#endif
+#endif
+
 #ifdef HAVE_SYS_TYPES_H
 #include 
 #endif
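Review bot: the `__APPLE_USE_RFC_3542` block has no comment explaining why it is needed or that it must stay above the first system include, which is the only reason its position before the `HAVE_SYS_TYPES_H` include matters. Please add a short comment to that effect so a later reshuffle of syshead.h does not move it below the headers. Also note that if `__ENVIRONMENT_MAC_OS_X_VERSION_MIN_REQUIRED__` is not defined by the compiler, the `#if` evaluates it as 0 and the define is skipped without any diagnostic; the comment should say whether that is intended.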
@@ -401,6 +407,14 @@
 #endif
 
 /*
+ * Does this platform define SOL_IP
+ * or only bsd-style IPPROTO_IP ?
+ */
+#ifndef SOL_IP
+#define SOL_IP IPPROTO_IP
+#endif
+
+/*
  * Disable ESEC
  */
 #if 0
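Review bot: the `#ifndef SOL_IP` fallback only works if it is evaluated after the system headers that would define SOL_IP and IPPROTO_IP, and the comment above it does not say so. The rationale quoted in the commit message (man 7 ip: SOL_IP is not portable, BSD-based stacks use IPPROTO_IP) would be more useful in this comment than the question it currently asks.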
-- 
1.7.3.1

diff --git a/tun.c b/tun.c
index aa17c36..5185f73 100644
--- a/tun.c
+++ b/tun.c
@@ -865,13 +865,13 @@ do_ifconfig (struct tuntap *tt,
 	  /* Add a network route for the local tun interface */
 	  struct route r;
 	  CLEAR (r);  
-	  r.defined = true;   
+	  r.flags = RT_DEFINED
 	  r.network = tt->local & tt->remote_netmask;
 	  r.netmask = tt->remote_netmask;
 	  r.gateway = tt->local;  
 	  r.metric_defined = true;
 	  r.metric = 0;
-	  add_route (, tt, 0, es);
+	  add_route (, tt, 0, NULL, es);
 	}

   tt->did_ifconfig = true;
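Review bot: the added line `r.flags = RT_DEFINED` in this first do_ifconfig hunk is missing its terminating semicolon, so it runs into the following `r.network = ...` statement and this branch will not compile; the other two hunks have `r.flags = RT_DEFINED;`. The untouched `r.metric_defined = true;` a few lines below is worth a second look as well: if `defined` has moved into `flags`, check whether `metric_defined` is still a member of struct route.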
@@ -1061,11 +1061,11 @@ do_ifconfig (struct tuntap *tt,
 	{
 	  struct route r;
 	  CLEAR (r);
-	  r.defined = true;
+	  r.flags = RT_DEFINED;
 	  r.network = tt->local & tt->remote_netmask;
 	  r.netmask = tt->remote_netmask;
 	  r.gateway = tt->local;
-	  add_route (, tt, 0, es);
+	  add_route (, tt, 0, NULL, es);
 	}

   if ( do_ipv6 )
@@ -1105,21 +1105,21 @@ do_ifconfig (struct tuntap *tt,
   ifconfig_remote_netmask,
   tun_mtu
   );
-	
+
   argv_msg (M_INFO, );
   openvpn_execve_check (, es, S_FATAL, "FreeBSD ifconfig failed");
   tt->did_ifconfig = true;

 	/* Add a network route for the local tun interface */
   if (!tun && tt->topology == TOP_SUBNET)
-{   
+{
   struct route r;
-  CLEAR (r);  
-  r.defined = true;   
+  CLEAR (r);
+  r.flags = RT_DEFINED;
   r.network = tt->local & tt->remote_netmask;
   r.netmask = tt->remote_netmask;
-  r.gateway = tt->local;  
-  add_route (, tt, 0, es);
+  r.gateway = tt->local;
+  add_route (, tt, 0, NULL, es);
 }

   if ( do_ipv6 )
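Review bot: this hunk mixes trailing-whitespace cleanup (the `{`, `CLEAR (r);` and `r.gateway` lines, and the blank line after the ifconfig arguments) with the two functional changes, which makes the real edit harder to spot; please split the whitespace changes into a separate patch. The new fourth argument to add_route is a bare NULL at all three call sites with no indication of what it stands for, and this patch carries no commit message, so a short description of the new parameter would help.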


[Openvpn-devel] tun.c patch breaks compile on FreeBSD

2011-09-15 Thread Eric Crist
James,

It would appear a patch you committed breaks compile on FreeBSD.  Part of this 
removes r.defined, which is looked for during compile on FreeBSD, and 
specifically stops things during compile of tun.c.  The commit in question is 
7fb0e07ec3f7c5f65 visible here:

http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=commitdiff;h=7fb0e07ec3f7c5f6514523085dbe02ea6b8933e2

The configure line used is as follows:

$ ./configure --with-lzo-lib=/usr/local/lib 
--with-lzo-headers=/usr/local/include --disable-depr-random-resolv 
--enable-password-save --disable-pkcs11 --prefix=/usr/local 
--mandir=/usr/local/man --infodir=/usr/local/info/ 
--build=amd64-portbld-freebsd9.0

Feel free to talk to me here or, easier for me, on IRC if you'd like to test.

Eric Crist


Re: [Openvpn-devel] IRC meeting regarding OpenVPN development model

2010-01-08 Thread Eric Crist
I agree with David.

Sent via BlackBerry from T-Mobile

-Original Message-
From: David Sommerseth 
Date: Fri, 08 Jan 2010 12:04:39 
To: Samuli Seppänen
Cc: openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] IRC meeting regarding OpenVPN development model


On 08/01/10 09:40, Samuli Seppänen wrote:
> These are very valid concerns... even if all else goes smoothly, there's
> probably lots of "noise" on the #openvpn channel. Any objections against
> moving the meeting(s) to #openvpn-discussion?

Right now, I'm not sure what's the best.  I really think we're being a
bit unstructured, unclear and maybe a bit too flexible - changing things
constantly just a few days before the meeting, may cause some confusion
to what's really going to happen.  That will not benefit anything.

Samuli, I would say you should take this decision, but rather asap.  If
nothing is changed, we can move the meeting from #openvpn to another
channel after the meeting has really started.  But if it really changes, it
should be decided *now* and be communicated immediately.

There are pro and contra points to both staying in #openvpn and to move
to #openvpn-discussion.  For me what is chosen, is less important. It is
much more important to me that we actually do have these discussions.


kind regards,

David Sommerseth