Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

2020-12-02 Thread Jan Just Keijser
hi Tony, On 01/12/20 02:50, Tony He wrote: Hi Arne, openssl speed -evp aes-128-cbc type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes aes-128-cbc 20035.60k 123261.54k 267081.60k 1094764.09k 9181370.18k openssl speed -evp aes-128-gcm type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes

[Openvpn-devel] [PATCH] [V5] Added support for DHCP option 119 (dns search suffix, list) for Windows. As of Windows 10 1809 Windows finally supports this so it makes sense to add support to OpenVPN a

2020-07-14 Thread Jan Just Keijser
Hi, On 11/07/20 12:44, Gert Doering wrote: On Fri, Jul 10, 2020 at 06:42:18PM +0200, Jan Just Keijser wrote: On 08/07/20 10:24, Gert Doering wrote: Can I have a v4, please? :-) V4: Okay, here we go... thanks for the review, I incorporated your suggestions and comments almost verbatim

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-07-10 Thread Jan Just Keijser
Hi all, On 08-Jul-20 10:24, Gert Doering wrote: On Tue, Jul 07, 2020 at 06:14:25PM +0200, Jan Just Keijser wrote: This one works(!), so generally, Win10 accepts this DHCP option - but it seems to want "all domains in one". Can you send a v3? not sure if all went well , but

[Openvpn-devel] [PATCH] [V4] Added support for DHCP option 119 (dns search suffix, list) for Windows. As of Windows 10 1809 Windows finally supports this so it makes sense to add support to OpenVPN a

2020-07-10 Thread Jan Just Keijser
On 08/07/20 10:24, Gert Doering wrote: Can I have a v4, please? :-) V4: From fe0592df3235f3eb9bc9820586651ba8fc8bade0 Mon Sep 17 00:00:00 2001 From: Jan Just Keijser Date: Fri, 10 Jul 2020 18:40:43 +0200 Subject: [PATCH] Added support for DHCP option 119 (dns search suffix l

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-07-07 Thread Jan Just Keijser
Hi, On 06/07/20 18:15, Gert Doering wrote: Hi, On Tue, Jun 30, 2020 at 04:15:58PM +0200, Jan Just Keijser wrote: On 30/06/20 16:11, Gert Doering wrote: On Tue, Jun 30, 2020 at 04:07:52PM +0200, Jan Just Keijser wrote: @@ -5697,6 +5740,11 @@ build_dhcp_options_string(struct buffer *buf

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-07-03 Thread Jan Just Keijser
Hi, On 03/07/20 11:18, Arne Schwabe wrote: The main purpose of that RFC is to ensure we handle DNS and --dhcp-options consistently across all OpenVPN implementations we care about, and that we document this properly. I see one as an implementation issue (can we specify a particular DHCP

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-07-03 Thread Jan Just Keijser
Hi, On 02/07/20 23:04, David Sommerseth wrote: On 30/06/2020 16:15, Jan Just Keijser wrote: hi, On 30/06/20 16:11, Gert Doering wrote: Hi, On Tue, Jun 30, 2020 at 04:07:52PM +0200, Jan Just Keijser wrote: @@ -5697,6 +5740,11 @@ build_dhcp_options_string(struct buffer *buf, const struct

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-06-30 Thread Jan Just Keijser
hi, On 30/06/20 16:11, Gert Doering wrote: Hi, On Tue, Jun 30, 2020 at 04:07:52PM +0200, Jan Just Keijser wrote: @@ -5697,6 +5740,11 @@ build_dhcp_options_string(struct buffer *buf, const struct tuntap_options *o) write_dhcp_u32_array(buf, 42, (uint32_t *)o->ntp, o->n

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-06-30 Thread Jan Just Keijser
e48797ba76698 Mon Sep 17 00:00:00 2001 From: Jan Just Keijser Date: Tue, 30 Jun 2020 15:52:58 +0200 Subject: [PATCH] Added support for DHCP option 119 (dns search suffix list) for Windows. As of Windows 10 1809 Windows finally supports this so it makes sense to add support to OpenVPN as well. Signed

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-06-23 Thread Jan Just Keijser
Just Keijser wrote: So, for what it's worth, I've dusted off the patch again and rebased it to the current openvpn master tree. See attached. Note that I did only rudimentary testing, as I don't use Windows 10 a lot and I was testing using a mingw cross-compile only. In wireshark I *do* see

Re: [Openvpn-devel] [PATCH v2 4/5] Implement sending SSO challenge to clients

2020-05-15 Thread Jan Just Keijser
On 15/05/20 17:40, David Sommerseth wrote: On 15/05/2020 17:36, David Sommerseth wrote: On 09/11/2019 16:13, Arne Schwabe wrote: This implements sending AUTH_PENDING and INFO_PRE messages to clients that indicate that the clients should be continue authentication with a second factor. This can

Re: [Openvpn-devel] [Openvpn-users] new openssl = new OpenVPN release ?

2020-04-22 Thread Jan Just Keijser
Hi Arne, On 22/04/20 10:13, Arne Schwabe wrote: SSL_check_chain() function". Which we don't, I just grepped through our source tree. So, unless I misunderstand something about OpenSSL intricacies, I think we're safe - no new installers needed, and OpenVPN is not in risk. the advisory

Re: [Openvpn-devel] [Openvpn-users] new openssl = new OpenVPN release ?

2020-04-22 Thread Jan Just Keijser
Hi Gert, On 21/04/20 20:59, Gert Doering wrote: Hi, On Tue, Apr 21, 2020 at 08:37:35PM +0200, Gert Doering wrote: On Tue, Apr 21, 2020 at 02:15:43PM -0400, mike tancsa wrote: Will the sec issue with OpenSSL force a new release of OpenVPN ?

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-03-05 Thread Jan Just Keijser
Hi all, On 05/03/20 13:53, Jan Just Keijser wrote: Hi, On 01/03/20 16:29, Selva Nair wrote: On Sun, Mar 1, 2020 at 2:17 AM Gert Doering wrote: On Sun, Mar 01, 2020 at 05:37:15AM +, Leroy Tennison via Openvpn-users wrote: Admittedly, and older server version (2.3) but is there a way

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-03-05 Thread Jan Just Keijser
that I did not fully implement the RFC3397 encoding of the search list, as that requires one to merge domain names that occur more than once - that would have made the code far more complicated. share and enjoy, JJK From a969947cd86292c881f7cc1c704ac992e8f6f0d6 Mon Sep 17 00:00:00 2001 F

Re: [Openvpn-devel] [PATCH v2 1/7] Visual Studio: upgrade project files to VS2019

2019-11-07 Thread Jan Just Keijser
Last version of openvpn for xp/Vista is 2.3, so dropping support for it in the build system is a no brainer to me. JM2CW, JJK Gert Doering wrote: >Hi, > >On Thu, Nov 07, 2019 at 07:28:36PM +0100, Lev Stipakov wrote: >> With VS2019 you cannot build for XP, you would need to install build

Re: [Openvpn-devel] Tap-windows6 test installer with PRs #84 and #86

2019-10-25 Thread Jan Just Keijser
Hi, On 23/10/19 13:20, Samuli Seppänen wrote: Il 23/10/19 14:19, Samuli Seppänen ha scritto: Hi, Here is a new Windows 10 / Server 2016+ tap-windows6 installer. It is based on the latest code in "master" plus two currently unmerged PRs: "Introduce TAP adapter as a virtual device"

Re: [Openvpn-devel] Wintun performance results

2019-05-16 Thread Jan Just Keijser
Hi David, * On 15/05/19 19:32, David Sommerseth wrote: On 15/05/2019 16:49, Илья Шипицин wrote: it will most probably get lost in mailing list. can we add it to https://openvpn.net website ? something like "performance testing" with full configs provided ? Good idea, but maybe not the

Re: [Openvpn-devel] Client reconnect issues

2019-04-26 Thread Jan Just Keijser
Hi Antonio, On 26/04/19 16:02, Antonio Quartulli wrote: Hi, On 26/04/2019 15:57, Jan Just Keijser wrote: I'd look into the way session tickets are configured and used in mbedtls, e.g. read up on https://tls.mbed.org/discussions/generic/what-is-the-correct-way-to-use-session-tickets

Re: [Openvpn-devel] Client reconnect issues

2019-04-26 Thread Jan Just Keijser
Hi Pieter, On 26/04/19 15:32, Pieter Hulshoff wrote: Gert, Op vr 19 apr. 2019 om 13:38 schreef Pieter Hulshoff: I've been looking at https://community.openvpn.net/openvpn/ticket/880 for a while now, and was wondering if there'd been any

Re: [Openvpn-devel] Issue with smartcard authentication for openvpn

2019-04-19 Thread Jan Just Keijser
Hi Selva, On 17/04/19 17:52, Selva Nair wrote: On Wed, Apr 17, 2019 at 10:50 AM Jan Just Keijser wrote: On 10/04/19 19:09, Selva Nair wrote: On Wed, Apr 10, 2019 at 12:59 PM Jan Just Keijser wr

Re: [Openvpn-devel] Issue with smartcard authentication for openvpn

2019-04-17 Thread Jan Just Keijser
Hi Selva, On 10/04/19 19:09, Selva Nair wrote: On Wed, Apr 10, 2019 at 12:59 PM Jan Just Keijser wrote: On 10/04/19 17:58, Selva Nair wrote: Hi, This is more relevant to OpenVPN than OpenSSL, so copying to the openvpn-devel list.

Re: [Openvpn-devel] openvpn with udp lost event.

2019-04-17 Thread Jan Just Keijser
On 15/04/19 14:29, wei wang wrote: Hi, For function multi_process_io_udp receive many events, but only process one at a time. Doest it cause the event to be lost? yes it does In our test, we had create thousands of client. When clients connect to server at a time, for the clients which

Re: [Openvpn-devel] Why does the tun-mtu default to 1500 bytes?

2019-04-17 Thread Jan Just Keijser
Hi Marcus, On 17/04/19 00:11, Marcus Wichelmann wrote: Hello, I'm wondering what the reason is that OpenVPN Community sets the default TUN-MTU to 1500 bytes, as seen here: https://github.com/OpenVPN/openvpn/blob/ed31cf2ab718d879615dea81e6a17d26537ab43a/src/openvpn/mtu.h#L70 In my

Re: [Openvpn-devel] Issue with smartcard authentication for openvpn

2019-04-10 Thread Jan Just Keijser
On 10/04/19 17:58, Selva Nair wrote: Hi, This is more relevant to OpenVPN than OpenSSL, so copying to the openvpn-devel list. On Wed, Apr 10, 2019 at 10:11 AM Francois Gelis wrote: Hi all, I have a working openvpn setup with client certificate

Re: [Openvpn-devel] New tap-windows6 driver for Windows 7/8/8.1/Server 2012r2 ready for testing

2019-04-08 Thread Jan Just Keijser
Hi Samuli, On 05/04/19 16:00, Samuli Seppänen wrote: Hi, A new pre-release tap-windows6 driver (9.23.1) is available for testing. It should work on Windows 7/8/8.1/Server 2012r2. It _will not_ work on Windows 10 or Windows Server 2016/2019. The driver includes several new features such as

Re: [Openvpn-devel] Summary of the community meeting (Wed, 12th Mar 2019)

2019-03-13 Thread Jan Just Keijser
Hi Samuli, On 13/03/19 13:00, Samuli Seppänen wrote: Hi, Here's the summary of the IRC meeting. Talked about release OpenVPN 2.x Windows installers with OpenSSL 1.1.1. Agreed that this makes sense as people (on forums for example) already take 2.4.x and replace the OpenSSL libraries

Re: [Openvpn-devel] Summary of the community meeting (Wed, 19th Dec 2018)

2018-12-19 Thread Jan Just Keijser
Hi list, as a follow-up to the discussion we had in the community meeting: (13:38:08) dazo: janjust: if you get a chance to verify whether using non-ncp-listed cipher works with ccd, that's a good detail to know the answer is: yes and no ;) Yes, it is possible to specify a *NEW* list of ncp

Re: [Openvpn-devel] Summary of the community meeting (Wed, 28th Nov 2018)

2018-12-04 Thread Jan Just Keijser
Hi Lev, On 29/11/18 16:18, Lev Stipakov wrote: Some background information. In openvpn3 we decided not to implement fragments, because:  - this is quite a big feature which has to be supported through the whole stack (client, server, kernel module)  - we assume that it is not used by most

Re: [Openvpn-devel] Summary of the community meeting (Wed, 28th Nov 2018)

2018-11-30 Thread Jan Just Keijser
inside the tunnel only, and only for TCP connections. It does not depend on the outside protocol (UDP or TCP). I fully agree that having PMTUD would be nice to have, but even that has its drawbacks... JM2CW, JJK -Original Message- From: Jan Just Keijser [mailto:janj...@nikhef.nl] Sent

Re: [Openvpn-devel] Summary of the community meeting (Wed, 28th Nov 2018)

2018-11-30 Thread Jan Just Keijser
Hi Lev, Simon, On 30/11/18 07:10, Simon Matter wrote: Hi Jan Just, (forgot to add openvpn-devel in previous mail) Some background information. In openvpn3 we decided not to implement fragments, because: - this is quite a big feature which has to be supported through the whole stack

Re: [Openvpn-devel] Summary of the community meeting (Wed, 28th Nov 2018)

2018-11-29 Thread Jan Just Keijser
Hi, On 29/11/18 09:03, Samuli Seppänen wrote: [...] Had a discussion about --fragment. Agreed that if we can fix internal fragmentation without needing a change in frame format then we can definitely deprecate --fragment in the long-term. Also noted that lack of tun-mtu support on Windows

Re: [Openvpn-devel] foreign_option_2 not set in 2.4

2018-11-22 Thread Jan Just Keijser
Hi, On 22/11/18 15:43, Arne Schwabe wrote: Am 22.11.18 um 14:46 schrieb Cyril Scetbon: OpenVPN 2.4.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul  8 2018 Output with —verb 4 https://pastebin.com/huQmnGaU Read your log closer. This is not a

Re: [Openvpn-devel] Adding Google Analytics code to Trac?

2018-10-24 Thread Jan Just Keijser
Hi, On 24/10/18 13:47, Samuli Seppänen wrote: Hi, The OpenVPN Inc. webmaster would like to add Google Analytics to community.openvpn.net, i.e. our Trac wiki/bug tracker. I said we need to consult the community first because GA can be seen as a form of spying. Here's our webmaster's view on

Re: [Openvpn-devel] [Openvpn-users] disabling compression on the fly?

2018-10-09 Thread Jan Just Keijser
Hi Ralf, On 09/10/18 13:35, Ralf Hildebrandt wrote: Currently we're suppling our user with a charite.ovpn File containing: ... compress lzo ... In some cases, we're overriding this on the server side by using: if (defined $ENV{'IV_LZ4'}) { $logger->info("$username lz4: available");

Re: [Openvpn-devel] [PATCH v2] Fix typo in IPv6 address in comment.

2018-07-16 Thread Jan Just Keijser
Hi Gert, On 15/07/18 22:43, Gert Doering wrote: Comment talks about ff02::1::ff00:8, correct address is ff02::1:ff00:8, and about fe80::1 where fe80::8 is the proper magic number. thanks for this patch! What's the CVE for this? when do we get an emergency patch? will this change be

Re: [Openvpn-devel] Does the OpenVPN protocol itself handle windowing?

2018-06-05 Thread Jan Just Keijser
Following up on myself On 05/06/18 14:25, Jan Just Keijser wrote: On 01/06/18 02:50, Derek Zimmer wrote: I'm still working on this, as I think it is worthwhile for us to explore and get some hard data on how all of these things perform in a real world environment. I've been stalled

Re: [Openvpn-devel] Does the OpenVPN protocol itself handle windowing?

2018-06-05 Thread Jan Just Keijser
if you want to work together on this. HTH, JJK / Jan Just Keijser On Sun, May 6, 2018 at 8:04 AM, Steffan Karger wrote: Hi, On 04-05-18 17:45, Jan Just Keijser wrote: > On 04/05/18 16:41, Derek Zimmer wrote: >> What conclusio

Re: [Openvpn-devel] [PATCH 1/2] make tls-auth a per-connection-block option

2018-06-04 Thread Jan Just Keijser
Hi, On 04/06/18 09:15, Gert Doering wrote: On Mon, Jun 04, 2018 at 09:10:23AM +0200, Jan Just Keijser wrote: What's the particular use case for putting tls-auth files in connection blocks? "I have one existing server that is not using tls-auth yet, and a new one that has tls-auth, and I

Re: [Openvpn-devel] [PATCH 1/2] make tls-auth a per-connection-block option

2018-06-04 Thread Jan Just Keijser
Hi Antonio, On 04/06/18 04:15, Antonio Quartulli wrote: Hi all, On 02/06/18 11:42, Antonio Quartulli wrote: Different VPN servers may use different tls-auth keys. For this reason it is convenient to make tls-auth a per-connection-block option so that the user is allowed to specify one key per

Re: [Openvpn-devel] [PATCH] Support fingerprint authentication

2018-05-28 Thread Jan Just Keijser
Hi all, On 25/05/18 22:56, Simon Rozman wrote: JJK, I think you are misreading this proposal. No hash is being sent as a part of the handshake -- its still client and server certificates that are exchanged and checked during handshake. The hash is exchanged by a separate channel (say snail

Re: [Openvpn-devel] [PATCH] Support fingerprint authentication

2018-05-25 Thread Jan Just Keijser
Hi Selva, On 25/05/18 16:07, Selva Nair wrote: On Fri, May 25, 2018 at 9:51 AM, Jan Just Keijser <janj...@nikhef.nl> wrote: On 25/05/18 03:41, Simon Rozman wrote: Private and public key are still used. The patch stil uses certificates and TLS, it only replaces the check certi

Re: [Openvpn-devel] [PATCH] Support fingerprint authentication

2018-05-25 Thread Jan Just Keijser
Hi, On 25/05/18 03:41, Simon Rozman wrote: Private and public key are still used. The patch stil uses certificates and TLS, it only replaces the check certificate of the peer's certificate against the CA with a hash check (certificate pinning if you want). So basically instead of saying that

Re: [Openvpn-devel] [PATCH] Support fingerprint authentication

2018-05-23 Thread Jan Just Keijser
Hi Arne, On 23/05/18 16:46, Arne Schwabe wrote: I have some strong thoughts on this, mostly related to:  can someone explain to me why this is safe? I've seen that OpenSSH 7.7 now implements something similar (xmss hash-based signatures,

Re: [Openvpn-devel] [PATCH] Support fingerprint authentication

2018-05-23 Thread Jan Just Keijser
Hi Steffan, On 17/05/18 20:31, Steffan Karger wrote: Hi Jason, [ Dumping my thoughts so this doesn't remain completely unanswered for even longer. ] On 17-04-18 18:50, Jason A. Donenfeld wrote: OpenVPN traditionally works around CAs. However many TLS-based protocols also allow an alternative

Re: [Openvpn-devel] Minimum Linux Version for OpenVPN 2.4.x

2018-05-23 Thread Jan Just Keijser
Hi, On 22/05/18 22:47, Gert Doering wrote: On Tue, May 22, 2018 at 09:10:10PM +0200, David Sommerseth wrote: On 22/05/18 19:32, Marvin wrote: Can someone tell me the minimum Linux version that OpenVPN 2.4.x will build and run on?  We have an older appliance the runs on an older 2.4.31 kernel

Re: [Openvpn-devel] Does the OpenVPN protocol itself handle windowing?

2018-05-04 Thread Jan Just Keijser
% or less. cheers, JJK On Fri, May 4, 2018 at 10:45 AM, Jan Just Keijser <janj...@nikhef.nl> wrote: Hi, see some comments inline On 04/05/18 16:41, Derek Zimmer wrote: Hello everyone, Derek from OSTIF here. I've been working

Re: [Openvpn-devel] Does the OpenVPN protocol itself handle windowing?

2018-05-04 Thread Jan Just Keijser
Hi, see some comments inline On 04/05/18 16:41, Derek Zimmer wrote: Hello everyone, Derek from OSTIF here. I've been working with OpenVPN for a few years and there's a few curious performance anomalies that i've ran into that add up to a possible performance opportunity. My experience lies

Re: [Openvpn-devel] Viscosity patch to TAP driver

2018-04-12 Thread Jan Just Keijser
Hi, On 12/04/18 16:50, Gert Doering wrote: Hi, On Thu, Apr 12, 2018 at 10:27:08AM -0400, Selva Nair wrote: This change was made not because of any actual performance gains, but because of user reports that certain firewall or AV software tries to QoS the adapter based on its reported adapter

Re: [Openvpn-devel] aes-gcm and iperf on Windows

2018-03-29 Thread Jan Just Keijser
Hi, (renamed the topic to reflect what it's about) On 27/03/18 01:09, fragmentux wrote: I am not convinced 'iperf -r' is reliable (bold claim maybe .. ) iperf3 have dropped -r in favour of -R "reverse mode" server sends and client receives. but not both on the same run .. After numerous

Re: [Openvpn-devel] Summary of the community meeting (Wed, 21st Mar 2018)

2018-03-22 Thread Jan Just Keijser
Hi Selva, On 22/03/18 18:12, Selva Nair wrote: On Thu, Mar 22, 2018 at 12:16 PM, Jan Just Keijser <janj...@nikhef.nl> wrote: Hi Eric, all, On 22/03/18 04:25, Eric Thorpe wrote: Hi All, One of the Viscosity developers here. The TAP driver used by Viscosity is based on the OpenVPN TAP-W

Re: [Openvpn-devel] Summary of the community meeting (Wed, 21st Mar 2018)

2018-03-22 Thread Jan Just Keijser
Hi Eric, all, On 22/03/18 04:25, Eric Thorpe wrote: Hi All, One of the Viscosity developers here. The TAP driver used by Viscosity is based on the OpenVPN TAP-Windows driver. We're surprised to hear of any performance differences, as the changes we've made are very minimal. Besides a name

Re: [Openvpn-devel] [PATCH v3] Use lowest metric interface when multiple interfaces match a route

2018-01-26 Thread Jan Just Keijser
Hi, On 26/01/18 16:26, Selva Nair wrote: On Fri, Jan 26, 2018 at 10:20 AM, Jan Just Keijser <janj...@nikhef.nl> wrote: On 26-Jan-18 16:08, Selva Nair wrote: arrrgh, the important line is missing: ERROR: Windows route add ipv6 command failed: returned error code 1 Gert has exp

Re: [Openvpn-devel] [PATCH v3] Use lowest metric interface when multiple interfaces match a route

2018-01-26 Thread Jan Just Keijser
Hi Selva, On 26-Jan-18 16:08, Selva Nair wrote: On Fri, Jan 26, 2018 at 8:23 AM, Jan Just Keijser <janj...@nikhef.nl> wrote: On 26/01/18 14:11, Jan Just Keijser wrote: the patch works as expected but I did notice something in the openvpn log : Fri Jan 26 14:08:09 2018 do_ifconf

Re: [Openvpn-devel] [PATCH v3] Use lowest metric interface when multiple interfaces match a route

2018-01-26 Thread Jan Just Keijser
On 26/01/18 14:11, Jan Just Keijser wrote: the patch works as expected but I did notice something in the openvpn log : Fri Jan 26 14:08:09 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=1 Fri Jan 26 14:08:10 2018 NETSH: C:\Windows\system32\netsh.exe interface ipv6 set address interface=17 2

Re: [Openvpn-devel] [PATCH v3] Use lowest metric interface when multiple interfaces match a route

2018-01-26 Thread Jan Just Keijser
return value with TUN_ADAPTER_INDEX_INVALID in windows_route_find_if_index() if multiple interfaces match a route. (ii) Select the interface with lowest metric in adapter_index_of_ip() instead of the first one found when multiple interfaces match. Reported by Jan Just Keijser <janj...@nik

Re: [Openvpn-devel] [PATCH v3] Use lowest metric interface when multiple interfaces match a route

2018-01-26 Thread Jan Just Keijser
Works as expected. Tested-by: Jan Just Keijser <janj...@nikhef.nl> On 24/01/18 18:31, selva.n...@gmail.com wrote: From: Selva Nair <selva.n...@gmail.com> Currently a route addition using IPAPI or service is skipped if the route gateway is reachable by multiple interfaces.

Re: [Openvpn-devel] OVPN vs IPSec performance as a transport

2018-01-06 Thread Jan Just Keijser
On 05/01/18 00:52, Tom Kunz wrote: That would explain it if it always worked that way. But I can get 400%+ wire speed from A to B with compressible data, and 102% with incompressible data. If I do the same test from B to A or A to B, I get those results. If I hop off of that to C, speed goes

Re: [Openvpn-devel] [PATCH] Implement "status 4" (JSON) for management interface

2017-11-14 Thread Jan Just Keijser
On 14/11/17 09:31, Gert Doering wrote: On Mon, Nov 13, 2017 at 01:16:46PM +0100, David Sommerseth wrote: But we should consider if we want to make use of a JSON library producing the JSON streams. The reason is to ensure the output is according to the specification and that escaping if

[Openvpn-devel] Possible bug: AEAD Decrypt error: cipher final failed

2017-11-03 Thread Jan Just Keijser
hi all, whilst testing some new hardware with OpenVPN I ran into the following messages which keep popping up from time to time:  AEAD Decrypt error: cipher final failed Config: server running OpenVPN 2.4.3, basic config, Ubuntu 17, kernel 4.14, openssl 1.0.2g client running OpenVPN 2.4.4,

Re: [Openvpn-devel] [PATCH 0/1] add engine keys keys

2017-10-31 Thread Jan Just Keijser
Hi James, On 30/10/17 15:09, James Bottomley wrote: On Sun, 2017-10-29 at 17:03 -0400, Selva wrote: On Sun, Oct 29, 2017 at 12:04 PM, James Bottomley wrote: On Sun, 2017-10-29 at 16:24 +0100, Gert Doering wrote: On Sat, Oct 28, 2017 at 01:02:27PM

Re: [Openvpn-devel] proper configuring of "tls-verify"

2017-09-11 Thread Jan Just Keijser
Hi, On 11/09/17 13:22, Илья Шипицин wrote: Hello, is someone actually using "tls-verify" in production ? we tried to implement additional certificate check using tls-verify while it works in general, in case when it hits "exit 1", it look like a timeout from client point of view. it is not

[Openvpn-devel] how to roll your own OpenVPN Windows installer

2017-09-08 Thread Jan Just Keijser
hi dev list, someone asked me this question: how can one roll their own Windows OpenVPN installer, including a signed TAP driver? There's no need to rebuild OpenVPN or the TAP driver, but they do need to include other things, such as certificates, config files etc. Is there a way to

Re: [Openvpn-devel] [PATCH] bash: substitute legacy `` with modern $()

2017-08-29 Thread Jan Just Keijser
Hi, On 25/08/17 03:41, Antonio Quartulli wrote: On 25/08/17 04:21, David Sommerseth wrote: On 24/08/17 21:18, Gert Doering wrote: (gen-release-tarballs.sh only needs to work on FreeBSD and Linux, and FreeBSD's /bin/sh is sufficiently modern so so it's likely to work - but the test scripts

Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-17 Thread Jan Just Keijser
On 17/07/17 14:14, Gert Doering wrote: Hi, On Mon, Jul 17, 2017 at 02:10:11PM +0200, Jan Just Keijser wrote: this problem is NOT present in OpenVPN 2.3.17; the same warning appears (route gateway is ambiguous) but the route is added anyway. This seems to be a regression in 2.4. Can we have

Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-17 Thread Jan Just Keijser
Follow-up: this problem is NOT present in OpenVPN 2.3.17; the same warning appears (route gateway is ambiguous) but the route is added anyway. This seems to be a regression in 2.4. JJK On 17/07/17 14:01, Jan Just Keijser wrote: Hi all, On 17/07/17 12:34, Samuli Seppänen wrote: On 15/07

Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-17 Thread Jan Just Keijser
Hi all, On 17/07/17 12:34, Samuli Seppänen wrote: On 15/07/2017 00:43, Jan Just Keijser wrote: Hi Samuli, On 14/07/17 16:07, Samuli Seppänen wrote: Hi all, Those of you who use pkcs11 on Windows: could you please test this new Windows installer: <http://build.openvpn.net/downloads/relea

Re: [Openvpn-devel] Windows installer with updated pkcs11-helper (1.22) available for testing

2017-07-14 Thread Jan Just Keijser
Hi Samuli, On 14/07/17 16:07, Samuli Seppänen wrote: Hi all, Those of you who use pkcs11 on Windows: could you please test this new Windows installer: The previous installer(s) had pkcs11-helper 1.11. This one has

Re: [Openvpn-devel] Bug or Feature? Username in environment in auth-user-pass-verify

2017-06-16 Thread Jan Just Keijser
Hi Gert et al, On 15/06/17 09:47, Gert Doering wrote: Hi, On Thu, Jun 15, 2017 at 12:50:40PM +1000, Steven Haigh wrote: I'm just trying to figure out if its expected behaviour to have the 'username' set in the environment when using the auth-user-pass-verify script. The code in question

Re: [Openvpn-devel] Upgrading EasyRSA 2's defaults

2017-04-04 Thread Jan Just Keijser
Hi David, On 03/04/17 22:43, David Sommerseth wrote: On 03/04/17 16:12, Jan Just Keijser wrote: On 03/04/17 15:53, Samuli Seppänen wrote: On 02/04/2017 10:57, Steffan Karger wrote: Hi, On 31-03-17 22:34, David Sommerseth wrote: On 31/03/17 10:56, Илья Шипицин wrote: 2017-03-31 13:26 GMT

Re: [Openvpn-devel] Upgrading EasyRSA 2's defaults

2017-04-03 Thread Jan Just Keijser
Hi Samuli, On 03/04/17 15:53, Samuli Seppänen wrote: > On 02/04/2017 10:57, Steffan Karger wrote: >> Hi, >> >> On 31-03-17 22:34, David Sommerseth wrote: >>> On 31/03/17 10:56, Илья Шипицин wrote: 2017-03-31 13:26 GMT+05:00 Samuli Seppänen

Re: [Openvpn-devel] [PATCH] Allow "setenv opt" to be pushed from server to client

2016-10-29 Thread Jan Just Keijser
Hi, On 28/10/16 19:50, Selva Nair wrote: Hi, On Fri, Oct 28, 2016 at 6:27 AM, Jan Just Keijser <janj...@nikhef.nl> wrote: --- src/openvpn/options.c | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) As Arne pointed out

Re: [Openvpn-devel] [PATCH] Allow "setenv opt" to be pushed from server to client

2016-10-28 Thread Jan Just Keijser
Hi Arne, On 28/10/16 13:08, Arne Schwabe wrote: > Hm, > > > I would like to see a rationale why this is needed. The client will > already only warn on unsupported options. Your patch would make push > "setenv opt unsupported" similar to "push unsupported". the rationale behind this is based on an

[Openvpn-devel] [PATCH] Allow "setenv opt" to be pushed from server to client

2016-10-28 Thread Jan Just Keijser
--- src/openvpn/options.c | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 281ef0b..dbb926d 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -5616,7 +5616,14 @@ add_option (struct options *options,

Re: [Openvpn-devel] p2p topology on Windows

2016-09-30 Thread Jan Just Keijser
Hi David, On 26/09/16 14:08, David Woodhouse wrote: > On Mon, 2016-09-26 at 13:34 +0200, Jan Just Keijser wrote: >> this sounds like a typical use case for "assign a public IP address". >> This is already possible with topology subnet and some special config >>

Re: [Openvpn-devel] p2p topology on Windows

2016-09-26 Thread Jan Just Keijser
Hi David, On 25/09/16 17:31, David Woodhouse wrote: > On Sun, 2016-09-25 at 16:40 +0200, Jan Just Keijser wrote: >> thanks for clarifying - but with OpenVPN 2.4 the default topology mode >> will be 'subnet topology', in which we also assign a single IP address

Re: [Openvpn-devel] p2p topology on Windows

2016-09-25 Thread Jan Just Keijser
Hi David, On 24/09/16 01:21, David Woodhouse wrote: > On Sat, 2016-09-24 at 00:01 +0200, Jan Just Keijser wrote: >> sorry for asking, but what's the use case for this? > The use case for point-to-point? It allows you to use a single IP > address per client instead of having to se

Re: [Openvpn-devel] p2p topology on Windows

2016-09-23 Thread Jan Just Keijser
Hi David, On 23/09/16 23:34, David Woodhouse wrote: > I believe I have P2P working on a Windows (8.1) client (with > OpenConnect, but I don't see why it can't work for OpenVPN). > > I configure the TAP device (with TAP_IOCTL_CONFIG_TUN) with the local > IP address, and with network and netmask

Re: [Openvpn-devel] Linux: Use /tmp for log problem ?

2016-09-22 Thread Jan Just Keijser
Hi, On 22/09/16 15:07, debbie10t wrote: > Hi > > posting in devel because I am asking for clarification of > what the source code really does. > > Re: https://forums.openvpn.net/viewtopic.php?f=30=22485 > > Config: > |--- > server *normal stuff* > log-append /tmp/openvpn.log > --- > > I have just

Re: [Openvpn-devel] Dropping Windows Vista / XP support?

2016-09-07 Thread Jan Just Keijser
On 07/09/16 14:15, Samuli Seppänen wrote: >> On 07/09/16 11:43, Gert Doering wrote: >>> Hi, >>> >>> On Wed, Sep 07, 2016 at 12:18:17PM +0300, Samuli Seppänen wrote: We have already dropped XP support from OpenVPN Git "master". I

[Openvpn-devel] AES-GCM & gigabit networks

2016-08-17 Thread Jan Just Keijser
hi all, just wanted to share some results with you: AES-GCM has a *very* nice impact on openvpn's performance over gigabit networks. I'm now capable of saturating a gigabit ethernet link with full AES-256-GCM encryption (Linux on both ends). Raw iperf results: - ethernet: 935 Mbps -

Re: [Openvpn-devel] testing challenge-response

2016-08-17 Thread Jan Just Keijser
Hi Selva, Selva Nair wrote: > Hi, > > As discussed in the IRC meeting, here is a client config that connects > to a test server I run for static and dynamic challenge. Just run it as > > sudo openvpn --config cr-client.conf > > Respond with some arbitrary strings at the username, password and

Re: [Openvpn-devel] [PATCH] Allow ncp-disable and ncp-ciphers to be specified in ccd files

2016-07-29 Thread Jan Just Keijser
Hi, On 25/07/16 20:52, Steffan Karger wrote: This allows the ncp-disable and ncp-ciphers options to be used in 'client config dir' files, to disable or change the negotiable crypto parameter settings for specific clients. Signed-off-by: Steffan Karger ---

Re: [Openvpn-devel] [PATCH] Allow ncp-disable and ncp-ciphers to be specified in ccd files

2016-07-26 Thread Jan Just Keijser
ACK from me, but just to nitpick: we now have an option 'disable-occ' and an option 'ncp-disable' - wouldn't it make more sense to make it "disable-ncp" as well? JJK On 25/07/16 20:52, Steffan Karger wrote: This allows the ncp-disable and ncp-ciphers options to be used in 'client config

Re: [Openvpn-devel] use of --cipher with no arguments?

2016-07-26 Thread Jan Just Keijser
Hi Gert, On 25/07/16 22:04, Gert Doering wrote: Hi, has anyone ever used "--cipher" without an argument? If yes, what is the intended usage? It sort of "tells openvpn we want crypto!" but does not go into detail about it... Normally, this would just be a random weird option, but I ran

Re: [Openvpn-devel] [Openvpn-users] Segmentation Fault

2016-07-08 Thread Jan Just Keijser
Hi, On 08/07/16 16:55, pbar...@netprotec.com wrote: Please run the OpenVPN instance which core dumps via gdb. When it segfaults, type the command 'bt' (backtrace) and provide us with the complete backtrace. Then we can have an idea where in the code it crashed. Another

Re: [Openvpn-devel] [PATCH] V3:Add support for pushable encryption. Now properly supports AEAD as well

2016-04-22 Thread Jan Just Keijser
On 22/04/16 05:55, Jan Just Keijser wrote: This patch adds support for pushing encryption and HMAC ciphers to the client - it works when pushing both --cipher and/or --auth - works by re-doing part of the encryption setup (you'll see some messages fly by twice ) - pushing an HMAC (e.g. push

Re: [Openvpn-devel] OpenSSL connect and disconnect calls

2016-04-22 Thread Jan Just Keijser
Hi, On 22/04/16 10:16, Shubham Chauhan wrote: Hello, I was going through the codebase, and found myself a bit confused. I wanted to customize some functionalities and run some tests I was specifically looking for the methods where we start (performing the handshake) and end an OpenSSL

[Openvpn-devel] [PATCH] V3:Add support for pushable encryption. Now properly supports AEAD as well

2016-04-22 Thread Jan Just Keijser
This patch adds support for pushing encryption and HMAC ciphers to the client - it works when pushing both --cipher and/or --auth - works by re-doing part of the encryption setup (you'll see some messages fly by twice ) - pushing an HMAC (e.g. push "auth SHA256"") does **not** work in

[Openvpn-devel] [PATCH] V2: Add compression support. Now properly supports AEAD as well

2016-04-22 Thread Jan Just Keijser
--- src/openvpn/init.c | 74 ++ src/openvpn/mtu.h | 18 + 2 files changed, 82 insertions(+), 10 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 84fac07..0566b5b 100644 --- a/src/openvpn/init.c +++

Re: [Openvpn-devel] Add support for pushable encryption.

2016-04-21 Thread Jan Just Keijser
"auth SHA256"") does **not** work in combination with --tls-auth: when tls-auth is used all incoming packets are signed using the "original" HMAC cipher and you won't even get to the "push" stage to get the correct cipher. share and enjoy, JJK On 21/

[Openvpn-devel] Add support for pushable encryption.

2016-04-21 Thread Jan Just Keijser
--- src/openvpn/init.c | 128 + 1 file changed, 91 insertions(+), 37 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 2beec72..d21a862 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -60,6 +60,13 @@ static

Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-05 Thread Jan Just Keijser
Hi, On 04/03/16 22:58, ValdikSS wrote: I have good news and bad news: Good news: * OpenVPN sends all certificates from the server supplied for --server directive (although with a small bug that a certificate which you have private key for must be supplied on the top) * OpenVPN

Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-04 Thread Jan Just Keijser
Hi, On 04/03/16 14:24, Arne Schwabe wrote: Am 04.03.16 um 14:18 schrieb ValdikSS: On 03/04/2016 04:12 PM, Arne Schwabe wrote: Am 03.03.16 um 22:04 schrieb ValdikSS: Shouldn't sending the new CA chain only be enough? Since it is (cross)signed by the old CA, the client will accept it. For the

Re: [Openvpn-devel] Pushing multiple certificates from server

2016-03-04 Thread Jan Just Keijser
Hi, On 03/03/16 22:04, ValdikSS wrote: Hello everyone, I'm trying to leisurely move from an old existing 1024 bit CA to a new 4096 bit one without a hassle for clients. From an X.509 perspective it shouldn't be a problem, and I already have the new CA self-signed and cross-signed with the old CA,

[Openvpn-devel] manpage oddity

2016-03-03 Thread Jan Just Keijser
hi, the openvpn man page section on environment variables lists local The --local parameter. Set on program initiation and reset on SIGHUP. local_port The local port number, specified by --port or --lport. Set on program initiation and reset on SIGHUP. and

Re: [Openvpn-devel] Need help testing installers on Windows XP

2016-02-17 Thread Jan Just Keijser
On 17/02/16 13:39, Samuli Seppänen wrote: Hi, Could someone quickly test these installers on Windows XP?

Re: [Openvpn-devel] route / route-ipv6 can not be used in ccd

2016-02-09 Thread Jan Just Keijser
Hi, On 09/02/16 11:46, Gert Doering wrote: On Tue, Feb 09, 2016 at 11:15:33AM +0100, Samuel Thibault wrote: Gert Doering, on Tue 09 Feb 2016 10:28:21 +0100, wrote: On Mon, Feb 08, 2016 at 10:39:29PM +0100, Samuel Thibault wrote: Is there a reason for not being allowed to set route /