Re: [Openvpn-devel] [PATCH v8-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-12-11 Thread Lev Stipakov
On 10.12.2015 18:49, ValdikSS wrote: I'd better go with just closing the engine without deleting everything. I don't see any drawbacks, that should be perfectly OK for a dynamic session. Is this correct, Lev? If yes, I'll push v9 today or tomorrow morning. Removing non-working FwpmSubLayerDel

Re: [Openvpn-devel] [PATCH v8-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-12-10 Thread Selva Nair
Hi,

On Thu, Dec 10, 2015 at 3:18 PM, ValdikSS wrote:
> Use dynamic sessions.
>
> Many applications add filtering policy objects at start, and then delete
> these objects at stop. By using a dynamic session, you guarantee that these
> objects are deleted even if the application crashes. Furthermo

Re: [Openvpn-devel] [PATCH v8-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-12-10 Thread ValdikSS
I'm not totally sure about that, but I suppose it shouldn't leak. Here's what Microsoft's Best Practice says:

> Use dynamic sessions.
>
> Many applications add filtering policy objects at start, and then delete
> these objects at stop. By using a dynamic session, you guarantee that these
> object

Re: [Openvpn-devel] [PATCH v8-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-12-10 Thread Selva Nair
On Thu, Dec 10, 2015 at 11:49 AM, ValdikSS wrote:
> It's very minor actually, FwpmSubLayerDeleteByKey0 indeed fails every
> time but it doesn't break anything since we close the engine right after.
> Lev suggested to use a correct way with making a filter GUID and deleting
> it before deleti

Re: [Openvpn-devel] [PATCH v8-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-12-10 Thread ValdikSS
No, I'm afraid it would fail by default since DNS queries are (usually) made from svchost.exe. Whitelisting openvpn.exe is done to not break OpenVPN on UDP port 53. I could be incorrect though.

On 12/10/2015 07:31 PM, Selva Nair wrote:
>
> On Thu, Dec 10, 2015 at 11:24 AM, ValdikSS

Re: [Openvpn-devel] [PATCH v8-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-12-10 Thread ValdikSS
It's very minor actually, FwpmSubLayerDeleteByKey0 indeed fails every time but it doesn't break anything since we close the engine right after. Lev suggested to use a correct way with making a filter GUID and deleting it before deleting sublayer, but I'd better go with just closing the engin

Re: [Openvpn-devel] [PATCH v8-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-12-10 Thread Selva Nair
On Thu, Dec 10, 2015 at 11:24 AM, ValdikSS wrote:
> That would break name resolver on reconnection if remote is a hostname.
>

Yes, I meant to leave the block all and permit openvpn.exe filters always on and delete/re-add only the filters for the tun/tap interface. Well, it's probably just a cosme

Re: [Openvpn-devel] [PATCH v8-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-12-10 Thread Gert Doering
Hi,

On Thu, Dec 10, 2015 at 11:55:16AM +0200, Lev Stipakov wrote:
> Sorry for the late response.
[..]
> FwpmSubLayerDeleteByKey0 will likely fail if there is a filter
> associated with sublayer. On the other side, FwpmEngineClose0 seems to
> be enough to remove blocking.

So, is this something t

Re: [Openvpn-devel] [PATCH v8-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-12-10 Thread ValdikSS
That would break name resolver on reconnection if remote is a hostname.

On 12/10/2015 06:53 PM, Selva Nair wrote:
>
> On Thu, Dec 10, 2015 at 4:55 AM, Lev Stipakov wrote:
>
> That sounds useful for yet another reason as well. It's only necessary to
> delete and recre

Re: [Openvpn-devel] [PATCH v8-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-12-10 Thread Selva Nair
On Thu, Dec 10, 2015 at 4:55 AM, Lev Stipakov wrote: > +bool > +win_wfp_uninit() > +{ > +dmsg (D_LOW, "Uninitializing WFP"); > +if (m_hEngineHandle) { > +FwpmSubLayerDeleteByKey0(m_hEngineHandle, &m_subLayerGUID); > +CLEAR(m_subLayerGUID); > +FwpmEngineClose0(m_hEn

Re: [Openvpn-devel] [PATCH v8-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-12-10 Thread Lev Stipakov
Hi, Sorry for the late response. +bool +win_wfp_uninit() +{ +dmsg (D_LOW, "Uninitializing WFP"); +if (m_hEngineHandle) { +FwpmSubLayerDeleteByKey0(m_hEngineHandle, &m_subLayerGUID); +CLEAR(m_subLayerGUID); +FwpmEngineClose0(m_hEngineHandle); +m_hEngineHand
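Review bot: in win_wfp_uninit() the return value of FwpmSubLayerDeleteByKey0(m_hEngineHandle, &m_subLayerGUID) is discarded, so a failed sublayer delete goes unnoticed before CLEAR(m_subLayerGUID) and FwpmEngineClose0 run. Replies in this thread report that the call fails while a filter is still associated with the sublayer. Either capture the result and log it with dmsg so the failure is visible, or drop the call and add a comment that closing the engine handle is what removes the block.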

[Openvpn-devel] [PATCH v8-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-12-09 Thread ValdikSS
This option blocks all out-of-tunnel communication on TCP/UDP port 53 (except for OpenVPN itself), preventing DNS Leaks on Windows 8.1 and 10. --- doc/openvpn.8 | 12 ++- src/openvpn/Makefile.am | 2 +- src/openvpn/init.c | 17 src/openvpn/openvpn.vcxproj | 4