Re: [Openvpn-devel] [PATCH 2/3] netsh: Clear existing IPv6 DNS servers before configuring new ones

2020-09-28 Thread Selva Nair
Hi, On Thu, Sep 24, 2020 at 4:57 AM Lev Stipakov wrote: > Hi, > > > When there are no IPv6 DNS published, the adapter state is not > > sanitized and might contain IPv6 DNS server from a previous session. > > In this case, shouldn't the "set dns" call below overwrite the previous > value? > >

[Openvpn-devel] [PATCH] Improve documentation of --username-as-common-name

2020-09-27 Thread selva . nair
From: Selva Nair Trac #1079 Signed-off-by: Selva Nair --- doc/man-sections/server-options.rst | 12 +--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index c0b22a5..4b649b1 100644 --- a/doc/man

[Openvpn-devel] [PATCH v2] Set DNS Domain using iservice

2020-09-25 Thread selva . nair
From: Selva Nair Use wmic instead of directly editing the registry as the former does not take full effect unless the dns client service is restarted. Editing the registry appears to work erratically depending on whether it's followed with a dhcp renew or ipconfig /registerdns etc. DOMAIN

Re: [Openvpn-devel] [PATCH] Set DNS Domain using iservice

2020-09-25 Thread Selva Nair
Hi Thanks for the review. On Fri, Sep 25, 2020 at 5:24 AM Lev Stipakov wrote: > Hi, > > > Note: this will set the domain twice if both v4 and v6 DNS > > servers are defined. It cant hurt, but could be avoided by > > making the domain setting a separate call from the DNS > > server setting. > >

[Openvpn-devel] [PATCH] Set DNS Domain using iservice

2020-09-24 Thread selva . nair
From: Selva Nair Use wmic instead of directly editing the registry as the former does not take full effect unless the dns client service is restarted. Editing the registry appears to work erratically depending on whether it's followed with a dhcp renew or ipconfig /registerdns etc. DOMAIN

Re: [Openvpn-devel] [PATCH] Allow --dhcp-option in config file when windows-driver is wintun

2020-09-15 Thread Selva Nair
Hi On Tue, Sep 15, 2020 at 2:48 AM Lev Stipakov wrote: > Hi, > > > -msg(M_USAGE, "--dhcp-options requires --ip-win32 dynamic or > adaptive"); > > +msg(M_USAGE, "--dhcp-option requires --ip-win32 dynamic or > adaptive"); > > Nice, this typo has been there since at least 2005. > >

[Openvpn-devel] [PATCH] Allow --dhcp-option in config file when windows-driver is wintun

2020-09-14 Thread selva . nair
From: Selva Nair When wintun is in use we mutate ip_win32_type to NETSH and then complain that ip-win32 option should be dynamic or adaptive if any --dhcp-option directive is present in the config file. This causes a fatal error. How to reproduce: specify a --dhcp-option in the config

Re: [Openvpn-devel] problem with beta3 and wintun

2020-09-11 Thread Selva Nair
Hi On Fri, Sep 11, 2020 at 1:45 PM RafaeHil Gava wrote: > Hi Selva, > > I was wondering if it's possible to detect UAC during the installation. > What do you think? > There are many ways of running the GUI as admin and all involve some deliberate action on the part of the user. The best we can

Re: [Openvpn-devel] problem with beta3 and wintun

2020-09-11 Thread Selva Nair
Hi, On Fri, Sep 11, 2020 at 1:58 AM Gert Doering wrote: > Hi, > > On Thu, Sep 10, 2020 at 06:10:17PM -0700, Marvin wrote: > > To All 3, > > Thank you with your help I found the issue. UAC was disabled in the > > registry on this image. IIRC we had trouble updating some software by > >

Re: [Openvpn-devel] [PATCH] Fix client's poor man NCP fallback

2020-09-10 Thread Selva Nair
Hi On Thu, Sep 10, 2020 at 3:10 AM Marvin Adeff wrote: > Selva, > > Please allow me to back up a moment and restate this: > 1. I installed the beta3 msi from the web site logged in as a user that > has admin privileges. But no elevation was used to install it, just > double-click on the file.

Re: [Openvpn-devel] [PATCH] Fix client's poor man NCP fallback

2020-09-09 Thread Selva Nair
Hi, On Thu, Sep 10, 2020 at 12:19 AM Marvin wrote: > Hi Selva, > > The GUI did not have this error unless run as administrator which you >> should not and will never work. > > So you are saying that if OpenVPN is installed by a user who has admin > privileges (as our case does) that v2.5 with

Re: [Openvpn-devel] [PATCH] Fix client's poor man NCP fallback

2020-09-09 Thread Selva Nair
ate to SYSTEM. Selva > > Marvin > > On Wed, Sep 9, 2020 at 5:14 PM Selva Nair wrote: > >> Hi Marvin, >> >> This is the wrong thread, but... >> >> On Wed, Sep 9, 2020 at 7:54 PM Marvin wrote: >> >>> Hi Guys, >>> >>> I just teste

Re: [Openvpn-devel] [PATCH] Fix client's poor man NCP fallback

2020-09-09 Thread Selva Nair
Hi Marvin, This is the wrong thread, but... On Wed, Sep 9, 2020 at 7:54 PM Marvin wrote: > Hi Guys, > > I just tested beta3 on Win10. I am getting the exact same error with > wintun as before. TAP works normally. I tried with the GUI and by cli. > The GUI never generated this error even

[Openvpn-devel] [PATCH] Add a remark on dropping privileges when --mlock is used

2020-09-09 Thread selva . nair
From: Selva Nair trac #1059 Signed-off-by: Selva Nair --- doc/man-sections/generic-options.rst | 7 +++ 1 file changed, 7 insertions(+) diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index a07fe7e..d5f0883 100644 --- a/doc/man-sections/generic

[Openvpn-devel] [PATCH] In tap.c use DiInstallDevice to install the driver on a new adapter

2020-09-03 Thread selva . nair
From: Selva Nair As reported in Trac 1321, additional adapter installation by tapctl.exe fails to fully setup the device node (some registry keys missing, error in setapi.dev.log etc.). Although the exact cause of this failure is unclear, letting the Plug and Play subsystem handle

Re: [Openvpn-devel] On tap-windows6 adapter installation by tapctl.exe

2020-09-03 Thread Selva Nair
Hi Lev, Thanks for confirming. What you tested is exactly what I have in mind. I suppose you tested it using MSVC. I recall when I worked on creating tap adapters on the fly (patch abandoned for lack of time) some functions in newdev.dll did not resolve with mingw and I always had to load them

[Openvpn-devel] On tap-windows6 adapter installation by tapctl.exe

2020-09-02 Thread Selva Nair
Hi, tldr: a fix for Trac 1321 Currently tapctl.exe does the following to create an adapter and install the driver on it. 1. Create a device info structure 2. Set the hardware id on it 3. Search the driver store for the latest matching driver 4. Select the driver, set it in the device info and

Re: [Openvpn-devel] [PATCH] openvpnmsica: make adapter renaming non-fatal

2020-09-02 Thread Selva Nair
Hi On Wed, Sep 2, 2020 at 9:54 AM Lev Stipakov wrote: > Hi, > > >> if (dwResult != ERROR_SUCCESS) > >> { > >> -tap_delete_adapter(NULL, , > ); > >> +/* failed renaming is not a fatal error, continue > */ > >> +

Re: [Openvpn-devel] [PATCH] openvpnmsica: make adapter renaming non-fatal

2020-09-02 Thread Selva Nair
Hi On Wed, Sep 2, 2020 at 9:39 AM Lev Stipakov wrote: > From: Lev Stipakov > > For some users renaming adapter mysteriously fails > (https://github.com/OpenVPN/openvpn-build/issues/187), > > Since renaming is just a "nice to have", make it not fatal. > > Signed-off-by: Lev Stipakov > --- >

Re: [Openvpn-devel] [PATCH] openvpnmsica: remove adapter renaming

2020-09-02 Thread Selva Nair
Hi, I would suggest to keep this renaming but make it not fatal. A descriptive name is nice to have and we could even make the name configurable at some point in future. Selva On Wed, Sep 2, 2020 at 8:40 AM Lev Stipakov wrote: > From: Lev Stipakov > > Renaming doesn't work on some machines (

Re: [Openvpn-devel] Help testing OpenVPN 2.5-beta2 driver installation?

2020-08-31 Thread Selva Nair
Hi > > > (2) At the end of install the GUI is launched as admin, not user. > > I couldn't reproduce that on my Windows 10 laptop: > I too can't reproduce it any longer. So please ignore that comment. I was installing from the command line (easier to generate logs that way) and probably used an

Re: [Openvpn-devel] Help testing OpenVPN 2.5-beta2 driver installation?

2020-08-29 Thread Selva Nair
Hi On Fri, Aug 28, 2020 at 9:10 AM Samuli Seppänen wrote: > Hi, > > It would be great if somebody would find time to test the following > installer: > > > https://build.openvpn.net/downloads/releases/OpenVPN-2.5-beta2-I601-amd64.msi > > In particular I'd like to know if anyone else has problems

Re: [Openvpn-devel] [PATCH 1/2] Send auth-fail messages to clients on renegotiation failures via auth-token or user-pass expiry

2020-08-24 Thread Selva Nair
ure, management support and deferred auth support have to be enabled but restricting the usefulness of your patch to those cases is not really a limitation. What am I missing? Selva --- > Eric Thorpe > SparkLabs > Developer https://www.sparklabs.com https://twitter.com/sparklabs supp...@spa

Re: [Openvpn-devel] [PATCH 1/2] Send auth-fail messages to clients on renegotiation failures via auth-token or user-pass expiry

2020-08-22 Thread Selva Nair
Hi, On Thu, Aug 13, 2020 at 4:37 AM Eric Thorpe wrote: > Hi Arne, > > The issue is your state is not accessible from where that boolean needs > to be used unless I am missing something? Please advise if I'm mistaken > or of another route. > I agree with Arne that duplicating a state machine

Re: [Openvpn-devel] [PATCH] tun.c: enable using wintun driver under SYSTEM

2020-08-21 Thread Selva Nair
Hi, On Wed, Aug 19, 2020 at 3:08 AM Lev Stipakov wrote: > From: Lev Stipakov > > Commit 6d19775a468 has removed SYSTEM elevation hack, > but introduced regression - inability to use wintun without interactive > service. > > Proceed with ring buffers registration even if iservice is unavailable

Re: [Openvpn-devel] 2.5-beta-1 Wintun requires SYSTEM privileges

2020-08-18 Thread Selva Nair
Hi On Tue, Aug 18, 2020 at 3:42 PM Gert Doering wrote: > Hi, > > On Tue, Aug 18, 2020 at 03:29:19PM -0400, Selva Nair wrote: > > > If you already have SYSTEM, accessing wintun from openvpn directly will > > > also work and should bring quite a bit of speed impro

Re: [Openvpn-devel] 2.5-beta-1 Wintun requires SYSTEM privileges

2020-08-18 Thread Selva Nair
Hi, On Tue, Aug 18, 2020 at 3:21 PM Gert Doering wrote: > Hi, > > On Tue, Aug 18, 2020 at 12:09:11PM -0700, Marvin Adeff wrote: > > I'm sorry for the confusing response. > > > > Our systems do M2M monitoring and need to run OpenVPN even without a > user logged in. In previous versions we

Re: [Openvpn-devel] 2.5-beta-1 Wintun requires SYSTEM privileges

2020-08-18 Thread Selva Nair
> > > > An additional check in openvpn.exe whether it's started as SYSTEM could be > useful as well, but less critical, IMO. > > Yes Please! We run 2500+ systems that run it this way as SYSTEM. > In most such cases (not using the GUI) one could use the automatic service which runs as SYSTEM. For

Re: [Openvpn-devel] 2.5-beta-1 Wintun requires SYSTEM privileges

2020-08-18 Thread Selva Nair
Hi On Tue, Aug 18, 2020 at 2:33 AM Gert Doering wrote: > Hi, > > On Tue, Aug 18, 2020 at 08:23:35AM +0200, Gert Doering wrote: > > This can also happen if you run the GUI with admin privs (because then > > it will not use the iservice *but* openvpn needs *more* privs than > > "just

[Openvpn-devel] [PATCH v2] Improve the documentation for --dhcp-option

2020-08-16 Thread selva . nair
From: Selva Nair - Stress that these are handled internally only on some platforms - Correct the statement about wintun - Document DOMAIN-SEARCH Signed-off-by: Selva Nair --- v2: Rebase to master and reword to match the new rst version Add doc for DOMAIN-SEARCH doc/man-sections/vpn

Re: [Openvpn-devel] [PATCH v2] Allow management to kill client instances by CN wildcard

2020-08-14 Thread Selva Nair
ement interface was missed in the previous version of the patch. Selva > > -- > Best Regards, Vladislav Grishenko > > -Original Message- > From: Selva Nair > Sent: Friday, August 14, 2020 11:22 PM > To: openvpn-devel > Subject: Re: [Openvpn-devel] [PATCH v2]

Re: [Openvpn-devel] [PATCH v2] Allow management to kill client instances by CN wildcard

2020-08-14 Thread Selva Nair
Hi On Fri, Aug 14, 2020 at 1:36 PM Arne Schwabe wrote: > > Am 14.08.20 um 19:12 schrieb Vladislav Grishenko: > > In case of some permanent part of common name (ex. domain) and/or > > long complex common name consisting of multiple x509 fields, it's > > handy to kill client instances via

Re: [Openvpn-devel] [PATCH] Improve error msg when all TAP adapters are in use "or disabled"

2020-08-06 Thread Selva Nair
Hi, This looks good but can we do better? We don't check the error (GetLastError()) after the CreateFile() failure -- can we determine whether the error was due to permissions, busy file (in use) or disabled device and print out a more specific error message? I'm not sure what errors are

Re: [Openvpn-devel] Regarding deprecation of --route-nopull

2020-07-23 Thread Selva Nair
Hi On Thu, Jul 23, 2020 at 4:50 PM Arne Schwabe wrote: > > Am 23.07.2020 um 20:14 schrieb André via Openvpn-devel: > > Hi, > > > > Regarding, > > > > https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#Option:--route-nopull > > "Openvpn devs would like to know if you use this

Re: [Openvpn-devel] [Openvpn-users] Join PC with OpenVpn to Active Directory

2020-07-19 Thread Selva Nair
Hi, If your VPN establishes a route to the domain controller(s) and the domain name resolves from the client, you can join the domain just as you would do while directly connected to the LAN. For example, if the domain name is example.local, "nslookup example.local" should return the IP addresses

Re: [Openvpn-devel] [PATCH v3] Add deferred authentication support to plugin-auth-pam

2020-07-15 Thread Selva Nair
-- > "all forwarding for all other clients" Acked-by: Selva Nair On Wed, Jul 15, 2020 at 5:02 AM Gert Doering wrote: > > If OpenVPN signals deferred authentication support (by setting > the internal environment variables "auth_control_file" and > "deferr

Re: [Openvpn-devel] [PATCH v2] Add deferred authentication support to plugin-auth-pam

2020-07-14 Thread Selva Nair
service, ) < 0) > +{ > +goto done; Do we have to abort in this case? This will exit the background process and cripple the server while this could be a temporary memory pressure causing the fork to fail. Why not just break and plough along? The core will fail to get a response via the ac_file, but that could happen if the grand-child fails as well -- the server is supposed to cope with such failures. > +} > +break; > +} > + > + > +/* non-deferred auth: wait for pam result and send > + * result back via control socketpair > + */ > if (pam_auth(service, )) /* Succeeded */ > { > if (send_control(fd, RESPONSE_VERIFY_SUCCEEDED) == -1) > -- Apart from these minor issues that could be corrected or ignored at merge time, all looks good. We should put the usage info into README.auth-pam as that seems to be the only documentation of the plugin. Also an entry in changelog? Could be a separate patch. Acked-by: Selva Nair ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-06-23 Thread Selva Nair
Hi, On Tue, Jun 23, 2020 at 3:22 AM Jan Just Keijser wrote: > > Hi, > > On 21/06/20 17:14, Selva Nair wrote: > > On Sun, Jun 21, 2020 at 7:14 AM Gert Doering wrote: > >> > >> going through OpenVPN threads that went stale - I think this is > >> actu

Re: [Openvpn-devel] [PATCH] systemd: Change the default cipher to AES-256-GCM for server configs

2020-06-22 Thread Selva Nair
On Mon, Jun 22, 2020 at 7:31 AM David Sommerseth wrote: > > This change makes the server use AES-256-GCM instead of BF-CBC as the > default cipher for the VPN tunnel when starting OpenVPN via systemd > and the openvpn-server@.service unit file. > > To avoid breaking existing running

Re: [Openvpn-devel] [PATCH] Convert plugin/auth-pam.c from stderr logging to plugin_log().

2020-06-21 Thread Selva Nair
Hi, This was long overdue after patches after patches sprinkling fprintf() all over the place.. mea culpa too.. Acked-by: Selva Nair On Sat, Jun 20, 2020 at 11:18 AM Gert Doering wrote: > > More recent OpenVPN APIs pass a function pointer for a logging function > (plugin_log()) t

Re: [Openvpn-devel] [PATCH] Add deferred authentication support to plugin-auth-pam

2020-06-21 Thread Selva Nair
Hi, On Sat, Jun 20, 2020 at 12:23 PM Gert Doering wrote: > > If OpenVPN signals deferred authentication support (by setting the > internal environment variable "auth_control_file"), do not wait > for PAM stack to finish. Instead, the privileged PAM process > returns RESPONSE_DEFER via the

Re: [Openvpn-devel] [Openvpn-users] Multiple DNS search suffixes on Windows

2020-06-21 Thread Selva Nair
Hi, On Sun, Jun 21, 2020 at 7:14 AM Gert Doering wrote: > > Hi, > > going through OpenVPN threads that went stale - I think this is > actually a nice addition (read: other people have already asked > me if this can be done). > > On Thu, Mar 05, 2020 at 01:53:12PM +0100, Jan Just Keijser wrote: >

Re: [Openvpn-devel] async plugin-auth-pam

2020-06-12 Thread Selva Nair
On Tue, Jun 9, 2020 at 1:55 PM Gert Doering wrote: > Hi, > > I ran into a problem at a customer installation recently, where > plugin-auth-pam was blocking for some extended time (~30 seconds?) > due to pam_radius not receiving answers due to problems in the backend. > > Now, maybe I should use

[Openvpn-devel] [PATCH v2] Allow repeated cycles through remotes when management-query-remote is in use

2020-05-15 Thread selva . nair
From: Selva Nair (i) Let the management-client predictably cycle through remote entries. This is done by not aborting after two cycles. The client can abort or restart the connection using signals (USR/HUP/TERM) as necessary. In the current behaviour, the daemon can unexpectedly exit when

Re: [Openvpn-devel] [PATCH 2/2] Allow repeated cycles through remotes when management-query-remote is in use

2020-05-13 Thread Selva Nair
Hi, On Wed, May 13, 2020 at 12:36 PM Gert Doering wrote: > > Hi, > > On Sun, Jun 09, 2019 at 03:33:55PM -0400, Selva Nair wrote: > > Ref: https://patchwork.openvpn.net/project/openvpn2/list/?series=201 > > > > These patches were meant to help implement choosing the

Re: [Openvpn-devel] [PATCH applied] Re: Parse static challenge response in auth-pam plugin

2020-04-23 Thread Selva Nair
Hi, On Tue, Aug 7, 2018 at 3:01 PM Gert Doering wrote: > > Your patch has been applied to the master branch. > > (I'm a bit undecided about release/2.4 - this is in "new feature!" land, > and all the challenge stuff is "master" territory. OTOH, it's not openvpn > main code, and the code is sane

Re: [Openvpn-devel] [PATCH applied] Re: Skip expired certificates in Windows certificate store

2020-04-15 Thread Selva Nair
Hi, > is this one and aa6affe6df811db11577847366a569def0a3e314 also material > for release/2.4? So "feature" or "bug" category? Yes it would be good to get this one and aa6affe into 2.4. This one will cherry-pick with a minor conflict in cryptoapicert.c, easily resolved. aa6affe should

[Openvpn-devel] [PATCH 2/2] When auth-user-pass file has no password query the management interface (if available).

2020-04-03 Thread selva . nair
From: Selva Nair When only username is found in the file, redirect the auth-user-pass query to the management interface if management-query-passwords is enabled. Otherwise the user is prompted on console, if available, as before. This changes the behaviour for those who run from the command

[Openvpn-devel] [PATCH for-2.4 1/2] Move querying username/password from management interface to a function

2020-04-03 Thread selva . nair
From: Selva Nair This helps the next patch. No functionality changes, only refactoring. Same as commit 461e566fb274d6f7647dc3aa81c02e4fbf362a23 in master except for additional ifdef ENABLE_CLIENT_CR Signed-off-by: Selva Nair --- src/openvpn/misc.c | 61

Re: [Openvpn-devel] [PATCH v2 2/2] When auth-user-pass file has no password, query the management

2020-04-02 Thread Selva Nair
Hi, On Thu, Apr 2, 2020 at 12:56 PM Jonathan K. Bullard wrote: > Hi, > > On Mon, Mar 30, 2020 at 2:06 PM wrote: > > > > From: Selva Nair > > > > When only username is found in the file, redirect the auth-user-pass > > query to the management i

Re: [Openvpn-devel] [PATCH] [PATCH v5] Insert client connection data into PAM environment

2020-03-30 Thread Selva Nair
Hi, On Mon, Mar 30, 2020 at 8:59 AM Paolo Cerrito wrote: > 1) so remote was set to the max length of ipv6 address defined into > arpa/inet.h + 1 for string terminator > > 2) I refactored the call to get_env to take first ipv6 address, then >only if it is NULL, I make a call for ipv4 > --- >

[Openvpn-devel] [PATCH v2 1/2] Move querying username/password from management to a function

2020-03-30 Thread selva . nair
From: Selva Nair This helps the next patch. No functionality changes, only refactoring. Signed-off-by: Selva Nair --- No changes from v1 src/openvpn/misc.c | 54 ++ 1 file changed, 34 insertions(+), 20 deletions(-) diff --git a/src/openvpn

[Openvpn-devel] [PATCH v2 2/2] When auth-user-pass file has no password, query the management

2020-03-30 Thread selva . nair
From: Selva Nair When only username is found in the file, redirect the auth-user-pass query to the management if management-query-passwords is enabled. Otherwise the user is prompted on console, if available, as before. This changes the behaviour for those who run from the command line

Re: [Openvpn-devel] [PATCH 2/2] When auth-user-pass file has no password, query the management

2020-03-30 Thread Selva Nair
Hi, On Mon, Mar 30, 2020 at 12:11 PM Jonathan K. Bullard wrote: > Hi, > > On Mon, Mar 30, 2020 at 11:12 AM Selva Nair wrote: > > Jonathan K. Bullard wrote: > > > > > > If the OS X command line user was using --management-query-passwords > > >

Re: [Openvpn-devel] [PATCH 2/2] When auth-user-pass file has no password, query the management

2020-03-30 Thread Selva Nair
Hi, On Mon, Mar 30, 2020 at 2:07 AM Gert Doering wrote: > > Hi, > > On Sun, Mar 29, 2020 at 07:58:15PM -0400, Selva Nair wrote: > > Yes, that's right. However, that logic won't be proper on OS-X, would it? > > Command line users who use --log can still see password >

Re: [Openvpn-devel] [PATCH 2/2] When auth-user-pass file has no password, query the management

2020-03-29 Thread Selva Nair
Hi, On Sun, Mar 29, 2020 at 7:13 PM Jonathan K. Bullard wrote: > > Hi, > > On Sun, Mar 29, 2020 at 4:34 PM wrote: > > > > From: Selva Nair > > > > If only username is found in the file, redirect the auth-user-pass > > query to the management on

Re: [Openvpn-devel] [PATCH] Document some limitations of --auth-user-pass

2020-03-29 Thread Selva Nair
Hi, On Tue, Mar 17, 2020 at 6:25 AM Gert Doering wrote: > > Hi, > > On Tue, Mar 17, 2020 at 11:06:53AM +0100, David Sommerseth wrote: > > On 16/03/2020 14:48, Selva Nair wrote: > > [...snip...] > > >> I would just rephrase it to say: > > >>

[Openvpn-devel] [PATCH 2/2] When auth-user-pass file has no password, query the management

2020-03-29 Thread selva . nair
From: Selva Nair If only username is found in the file, redirect the auth-user-pass query to the management on Windows if (i) management-query-passwords is enabled and (ii) stdout is redirected to a log file. These restrictions avoid regressive behaviour: those running from the command line

[Openvpn-devel] [PATCH 1/2] Move querying username/password from management to a function

2020-03-29 Thread selva . nair
From: Selva Nair This helps the next patch. No functionality changes, only refactoring. Signed-off-by: Selva Nair --- src/openvpn/misc.c | 54 ++ 1 file changed, 34 insertions(+), 20 deletions(-) diff --git a/src/openvpn/misc.c b/src

Re: [Openvpn-devel] Summary of the community meeting (26th March 2020)

2020-03-26 Thread Selva Nair
Hi, Quoting from the 26th March meeting summary > Noted that the combination of a username-only --auth-user-pass and > --management-query-passwords does not work. Dazo will take a stab at > fixing the actual problem. There is already a > GET_USER_PASS_PASSWORD_ONLY flag which just needs to be

Re: [Openvpn-devel] [PATCH] Document some limitations of --auth-user-pass

2020-03-16 Thread Selva Nair
Hi, On Mon, Mar 16, 2020 at 8:39 AM David Sommerseth wrote: > > On 13/03/2020 14:01, sam...@openvpn.net wrote: > > From: Samuli Seppänen > > > > URL: https://community.openvpn.net/openvpn/ticket/757 > > Signed-off-by: Samuli Seppänen > > --- > > doc/openvpn.8 | 6 ++ > > 1 file changed, 6

Re: [Openvpn-devel] [PATCH] interactive.c: remove unused function

2020-02-29 Thread Selva Nair
Hi, On Sat, Feb 29, 2020 at 7:36 AM Lev Stipakov wrote: > > From: Lev Stipakov > > Function ReturnOpenvpnOutput was used to read > openvpn process output and write it to openvpn-gui. > > Commit 852f1e4 has directed stdout/stderr streams of openvpn > process to NUL, after which

[Openvpn-devel] [PATCH v2] Persist management-query-remote and proxy prompts

2020-02-20 Thread selva . nair
From: Selva Nair Currently this prompt is only output once, not re-written to the management interface when the management client connects. It is thus not seen by a client that connects after the prompt is output or one that disconnects and reconnects. This leads to a deadlock: the daemon

Re: [Openvpn-devel] [PATCH applied] Fix possible access of uninitialized pipe handles

2020-02-20 Thread Selva Nair
Hi On Thu, Feb 20, 2020 at 1:20 PM David Sommerseth wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Your patch has been applied to the master branch > > commit 32723d29b2775d63d3fe329d017e7a08e0cdcb72 > Author: Selva Nair > Date: Wed Feb 19 2

Re: [Openvpn-devel] [PATCH] Fix possible access of uninitialized pipe handles

2020-02-20 Thread Selva Nair
Hi On Thu, Feb 20, 2020 at 4:24 AM Lev Stipakov wrote: > > Strangely, I do not see this warning (unlike another one about error > in common.c) > with GCC 7.3 despite adding -O1 and -Wmaybe-uninitialized. I saw it on the travis build. With gcc 7.3, for some reason, -O1 doesn't show it but -O2 or

[Openvpn-devel] [PATCH] Fix possible access of uninitialized pipe handles

2020-02-19 Thread selva . nair
From: Selva Nair Compile time warning for openvpnserv.exe interactive.c: In function ‘RunOpenvpn’: interactive.c:160:27: warning: ‘svc_pipe’ may be used uninitialized in this function [-Wmaybe-uninitialized] When RunOpenvpn exits early due to errors, uninitialized svc_pipe and ovpn_pipe vars

[Openvpn-devel] [PATCH] Fix possibly uninitialized return value in GetOpenvpnSettings()

2020-02-19 Thread selva . nair
From: Selva Nair Compile time warning for openvpnserv.exe common.c:90:11: warning: ‘error’ may be used uninitialized in this function [-Wmaybe-uninitialized]; Uninitialized value gets returned if install-path is not found in the registry. Fix by setting it to the return value of GetRegString

[Openvpn-devel] [PATCH 2.4 v3] Swap the order of checks for validating interactive service user

2020-02-18 Thread selva . nair
From: Selva Nair Check the config file location and command line options first and membership in OpenVPNAdministrators group after that as the latter could be a slow process for active directory users. When connection to domain controllers is poor or unavailable, checking the group membership

Re: [Openvpn-devel] [PATCH] cryptoapi.c: fix run-time check failure in msvc debugger

2020-02-13 Thread Selva Nair
_CTX_get0_pkey(ctx); > if (pkey) Yeah, technically it may be "undefined behaviour" to pass an uninitialized var to a function even when it's not used there. Acked-by: Selva Nair Selva

[Openvpn-devel] [PATCH v4 2/2] Allow unicode search string in --cryptoapicert option

2020-02-12 Thread selva . nair
From: Selva Nair Currently when the certificate is specified as "SUBJ:foo", the string foo is assumed to be ascii. Change that and interpret it as utf-8, convert to a wide string, and flag it as unicode in CertFindCertificateInStore(). Signed-off-by: Selva Nair --- v4: matched to

[Openvpn-devel] [PATCH v4 1/2] Skip expired certificates in Windows certificate store

2020-02-12 Thread selva . nair
From: Selva Nair Have the cryptoapicert option find the first matching certificate in store that is valid at the present time. Currently the first found item, even if expired, is returned. This makes it possible to update certificates in store without having to delete old ones. As a side effect

Re: [Openvpn-devel] [PATCH 1/2 v3] Skip expired certificates in Windows certificate store

2020-02-11 Thread Selva Nair
Hi, Thanks for reviewing this. On Tue, Feb 11, 2020 at 4:52 AM Lev Stipakov wrote: > > Hi, > >> +DWORD find_type; >> +const void *find_param; >> >> >> >> if (!strncmp(cert_prop, "SUBJ:", 5)) >> { >> >> +find_param = cert_prop + 5; >> +find_type =

[Openvpn-devel] [PATCH 1/2 v3] Skip expired certificates in Windows certificate store

2020-02-10 Thread selva . nair
From: Selva Nair Have the cryptoapicert option find the first matching certificate in store that is valid at the present time. Currently the first found item, even if expired, is returned. This makes it possible to update certificates in store without having to delete old ones. As a side effect

[Openvpn-devel] [PATCH 2/2 v3] Allow unicode search string in --cryptoapicert option

2020-02-10 Thread selva . nair
From: Selva Nair Currently when the certificate is specified as "SUBJ:foo", the string foo is assumed to be ascii. Change that and interpret it as utf-8, convert to a wide string, and flag it as unicode in CertFindCertificateInStore(). Signed-off-by: Selva Nair --- v3: nud

[Openvpn-devel] [PATCH v3] Swap the order of checks for validating interactive service user

2020-02-09 Thread selva . nair
From: Selva Nair Check the config file location and command line options first and membership in OpenVPNAdministrators group after that as the latter could be a slow process for active directory users. When connection to domain controllers is poor or unavailable, checking the group membership

Re: [Openvpn-devel] [PATCH 1/2] Skip DNS address validation

2020-02-05 Thread Selva Nair
Hi, On Wed, Feb 5, 2020 at 10:28 AM Lev Stipakov wrote: > > Hi, > > Built and tested with msvc, works as expected - "validate=no" is added to > netsh command line. > > There is a similar commit in Simon's repo (not yet sent to ml) : >

[Openvpn-devel] Fwd: [PATCH 2/2] Fix linking issues on MinGW

2020-02-05 Thread Selva Nair
-- Forwarded message - From: Selva Nair Date: Wed, Feb 5, 2020 at 10:16 AM Subject: Re: [Openvpn-devel] [PATCH 2/2] Fix linking issues on MinGW To: Domagoj Pensa Cc: Gert Doering Hi, On Wed, Feb 5, 2020 at 8:31 AM Domagoj Pensa wrote: > > Hi! > > On Wed, Feb 05

Re: [Openvpn-devel] [PATCH v2] Swap the order of checks for validating interactive service user

2020-02-03 Thread Selva Nair
Hi, On Mon, Feb 3, 2020 at 3:49 AM Lev Stipakov wrote: > > I am sorry, I have to retract my ACK. > > When ValidateOptions is called first and config is not located in global > directory (Program Files), > service replies to gui via pipe with error message: > > 0x2001 > You have specified a

[Openvpn-devel] [PATCH v2] Swap the order of checks for validating interactive service user

2020-01-31 Thread selva . nair
From: Selva Nair Check the config file location and command line options first and membership in OpenVPNAdministrators group after that as the latter could be a slow process for active directory users. When connection to domain controllers is poor or unavailable, checking the group membership

Re: [Openvpn-devel] [PATCH] Swap the order of checks for validating interactive service user

2020-01-31 Thread Selva Nair
Hi, On Fri, Jan 31, 2020 at 5:29 AM Lev Stipakov wrote: > > Hi, > >> +if (!ValidateOptions(pipe, sud.directory, sud.options) >> +&& !IsAuthorizedUser(ovpn_user->User.Sid, imp_token, >> settings.ovpn_admin_group) >> { > > > Closing parenthesis is missing: That is embarrassing..

[Openvpn-devel] [PATCH] Swap the order of checks for validating interactive service user

2020-01-30 Thread selva . nair
From: Selva Nair Check the config file location and command line options first and membership in OpenVPNAdministrators group after that as the latter could be a slow process for active directory users. When connection to domain controllers is poor or unavailable, checking the group membership

Re: [Openvpn-devel] [PATCH v3 7/7] wintun: clear adapter settings on tun close

2019-12-17 Thread Selva Nair
Hi, Probably this is the only one in the series without an ACK. v2 was reviewed by Simon and suggested changes are in here. This looks good to me. On Tue, Nov 12, 2019 at 9:44 AM Lev Stipakov wrote: > > From: Lev Stipakov > > With tap-windows6 we clear adapter settings with DHCP, > but since

Re: [Openvpn-devel] [PATCH v6 4/7] wintun: ring buffers based I/O

2019-12-17 Thread Selva Nair
Hi On Tue, Dec 17, 2019 at 6:09 AM Simon Rozman wrote: > > I have been playing with Lev's patches for the past few days. Tested them, > debugged them, did some fixes. There are things to be desired like > netsh=>ipcfg, remove or #ifdef the SYSTEM token hack... But those are design > choices

Re: [Openvpn-devel] [PATCH v6 4/7] wintun: ring buffers based I/O

2019-12-17 Thread Selva Nair
Hi Simon, A quick reply: > > IMO, the right approach on Windows is to run a bare minimal code as a > > service to get SYSTEM rights and the rest with limited privileges. > > Selva, those are two different use-cases. And none is "right" or "wrong". > OpenVPN can or should have both. :) > > 1. I

Re: [Openvpn-devel] [PATCH v6 4/7] wintun: ring buffers based I/O

2019-12-16 Thread Selva Nair
Hi, On Mon, Dec 16, 2019 at 5:18 PM Simon Rozman wrote: > > Hi, > > TLDR: > (i) stealing SYSTEM access from winlogon.exe is not a good thing to do > > > > This doesn't happen for the majority of use cases - only when iservice is not > used. We also > elevate only for the single DeviceIOControl

Re: [Openvpn-devel] [PATCH v6 4/7] wintun: ring buffers based I/O

2019-12-16 Thread Selva Nair
Hi On Mon, Dec 16, 2019 at 4:31 PM Lev Stipakov wrote: >> >> I have already said what I think of it. As an admin I wouldn't like to see >> users running processes that elevate to SYSTEM like this. > > > Would it be too much if > > - openvpn.exe process detects that it is not started by

Re: [Openvpn-devel] [PATCH v6 4/7] wintun: ring buffers based I/O

2019-12-16 Thread Selva Nair
Hi On Mon, Dec 16, 2019 at 3:01 PM Lev Stipakov wrote: > > Hi, > > Thanks for looking into this. See my comments below. > >> TLDR: >> (i) stealing SYSTEM access from winlogon.exe is not a good thing to do > > > This doesn't happen for the majority of use cases - only when iservice is not >

Re: [Openvpn-devel] [PATCH v6 4/7] wintun: ring buffers based I/O

2019-12-16 Thread Selva Nair
Hi, I was reluctant to review this as I do not understand the event processing in OpenVPN well enough. Now that Stefann has reviewed those bits and given an Ack, here are some comments on the rest of the code. TLDR: (i) stealing SYSTEM access from winlogon.exe is not a good thing to do (ii) with

Re: [Openvpn-devel] [PATCH] fix clang warning about missing braces

2019-11-28 Thread Selva Nair
Hi On Thu, Nov 28, 2019 at 10:23 AM Steffan Karger < steffan.kar...@foxcrypto.com> wrote: > On 28-11-2019 09:06, Lev Stipakov wrote: > > A struct with subobjects should be initialized > > with double braces. > > This is not true. {0} is a valid initializer for structs in C. Both > clang and gcc

Re: [Openvpn-devel] [PATCH v2 3/7] wintun: implement opening wintun device

2019-11-25 Thread Selva Nair
Hi On Mon, Nov 25, 2019 at 4:03 AM Lev Stipakov wrote: > Hi, > > (cc:ed to -devel) > > >> I would vote for B and not the combination. >> >> With wintun there is no backwards compatibility requirements, so we could >> use a cleaner, consistent and simpler approach (i.e B). Do not create any >>

Re: [Openvpn-devel] [PATCH v7 2/2] Add support for OpenSSL TLS 1.3 when using management-external-key

2019-11-22 Thread Selva Nair
Hi, Thanks for the updates. In spite of several nits below, I'm ACKing this. All remarks are typos or grammar, important only for docs and some comments. I suggest to handle these as a minor follow up patch. I'm also ignoring most typos in commit message except a few that could be corrected

Re: [Openvpn-devel] [PATCH v7 1/2] Make tls_version_max return the actual maximum version

2019-11-22 Thread Selva Nair
Hi, On Fri, Nov 22, 2019 at 9:34 AM Arne Schwabe wrote: > Before OpenSSL 1.1.1 there could be no mismatch between > compiled and actual OpenSSL version. With OpenSSL 1.1.1 we need > runtime detection to detect the actual best TLS version supported. > > Allowing this runtime detection also

Re: [Openvpn-devel] [PATCH v2 3/7] wintun: implement opening wintun device

2019-11-19 Thread Selva Nair
Hi Lev, On Tue, Nov 19, 2019 at 12:23 PM Lev Stipakov wrote: > Hi, > > Apart from the error message, there is a larger issue especially when we >> use iservice. In that case, we have to preserve privilege separation and >> allowing a user to open a device handle in use by another has to be

Re: [Openvpn-devel] [PATCH] Fix ACL_CHECK_ADD_COMPILE_FLAGS to work with clang

2019-11-19 Thread Selva Nair
Hi, On Tue, Nov 19, 2019 at 9:09 AM David Sommerseth < open...@sf.lists.topphemmelig.net> wrote: > On 14/11/2019 22:58, Selva Nair wrote: > > Hi David > > > > Thanks for the comments > > > > My idea was just to add -Werror ri

Re: [Openvpn-devel] [PATCH v3] wintun: add --windows-driver config option

2019-11-19 Thread Selva Nair
Hi, On Tue, Nov 19, 2019 at 3:29 AM Lev Stipakov wrote: > Hello, > > ti 19. marrask. 2019 klo 9.37 Gert Doering (g...@greenie.muc.de) > kirjoitti: > > > Looks like this will most likely break any dhcp-related options >> > in the client config.. Say "dhcp-option DNS xxx". > > > Oops, indeed.

Re: [Openvpn-devel] [PATCH v2 3/7] wintun: implement opening wintun device

2019-11-19 Thread Selva Nair
Hi, On Tue, Nov 19, 2019 at 3:50 AM Lev Stipakov wrote: > Hi, > > Doesn't this mean that if --dev-node is specified, we'll open tapwindows >> adapter >> with that name even if "--window-driver wintun" is specified? The open >> may succeed >> but subsequent wintun-specific processing will

Re: [Openvpn-devel] [PATCH v2 3/7] wintun: implement opening wintun device

2019-11-18 Thread Selva Nair
Hi, On Thu, Nov 7, 2019 at 12:49 PM Lev Stipakov wrote: > From: Lev Stipakov > > To open wintun device, we cannot use "\\.\Global\Wintun" > path as before. To get device path which we supply to CreateFile, > we have to use SetupAPI to: > > - enumerate network adapters with "wintun" as

Re: [Openvpn-devel] [PATCH v3] wintun: add --windows-driver config option

2019-11-18 Thread Selva Nair
Hi, I have been late to this wintun party (no time for anything fun, these days) and this has already been committed, it seems. But some concerns below.. > +/* for wintun kernel doesn't send DHCP requests, so use ipapi to set > IP address and netmask */ > +if (options->wintun) > +{

Re: [Openvpn-devel] [PATCH] Fix ACL_CHECK_ADD_COMPILE_FLAGS to work with clang

2019-11-14 Thread Selva Nair
Hi, On Thu, Nov 14, 2019 at 3:16 PM Илья Шипицин wrote: > Thank you for your efforts. > As you are touching this, can you try "dist: bionic" ? It might bring > newer compilers > I don't expect newer compilers on bionic break this patch. But fwiw, I've started a travis build with dist: bionic.

Re: [Openvpn-devel] [PATCH] Fix ACL_CHECK_ADD_COMPILE_FLAGS to work with clang

2019-11-14 Thread Selva Nair
Hi David Thanks for the comments My idea was just to add -Werror right in the line above, and not extend the > ACL_CHECK_ADD_COMPILE_FLAGS macro with another argument. > I'm fine with that approach as well. Let me know if you want a v2. > I think you said it pretty well in your mail: > > >
