Re: [Openvpn-devel] testing challenge-response

2016-08-17 Thread Jan Just Keijser
Hi Selva, Selva Nair wrote: > Hi, > > As discussed in the IRC meeting, here is a client config that connects > to a test server I run for static and dynamic challenge. Just run it as > > sudo openvpn --config cr-client.conf > > Respond with some arbitrary strings at the username, password and

[Openvpn-devel] AES-GCM & gigabit networks

2016-08-17 Thread Jan Just Keijser
hi all, just wanted to share some results with you: AES-GCM has a *very* nice impact on openvpn's performance over gigabit networks. I'm now capable of saturating a gigabit ethernet link with full AES-256-GCM encryption (Linux on both ends). Raw iperf results: - ethernet: 935 Mbps -

Re: [Openvpn-devel] Dropping Windows Vista / XP support?

2016-09-07 Thread Jan Just Keijser
On 07/09/16 14:15, Samuli Seppänen wrote: >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA1 >> >> On 07/09/16 11:43, Gert Doering wrote: >>> Hi, >>> >>> On Wed, Sep 07, 2016 at 12:18:17PM +0300, Samuli Seppänen wrote: We have already dropped XP support from OpenVPN Git "master". I

Re: [Openvpn-devel] Linux: Use /tmp for log problem ?

2016-09-22 Thread Jan Just Keijser
Hi, On 22/09/16 15:07, debbie10t wrote: > Hi > > posting in devel because I am asking for clarification of > what the source code really does. > > Re: https://forums.openvpn.net/viewtopic.php?f=30&t=22485 > > Config: > |--- > server *normal stuff* > log-append /tmp/openvpn.log > --- > > I have just

Re: [Openvpn-devel] p2p topology on Windows

2016-09-23 Thread Jan Just Keijser
Hi David, On 23/09/16 23:34, David Woodhouse wrote: > I believe I have P2P working on a Windows (8.1) client (with > OpenConnect, but I don't see why it can't work for OpenVPN). > > I configure the TAP device (with TAP_IOCTL_CONFIG_TUN) with the local > IP address, and with network and netmask

Re: [Openvpn-devel] p2p topology on Windows

2016-09-25 Thread Jan Just Keijser
Hi David, On 24/09/16 01:21, David Woodhouse wrote: > On Sat, 2016-09-24 at 00:01 +0200, Jan Just Keijser wrote: >> sorry for asking, but what's the use case for this? > The use case for point-to-point? It allows you to use a single IP > address per client instead of having to se

Re: [Openvpn-devel] p2p topology on Windows

2016-09-26 Thread Jan Just Keijser
Hi David, On 25/09/16 17:31, David Woodhouse wrote: > On Sun, 2016-09-25 at 16:40 +0200, Jan Just Keijser wrote: >> thanks for clarifying - but with OpenVPN 2.4 the default topology mode >> will be 'subnet topology', in which we also assign a single IP address >

Re: [Openvpn-devel] p2p topology on Windows

2016-09-30 Thread Jan Just Keijser
Hi David, On 26/09/16 14:08, David Woodhouse wrote: > On Mon, 2016-09-26 at 13:34 +0200, Jan Just Keijser wrote: >> this sounds like a typical use case for "assign a public IP address". >> This is already possible with topology subnet and some special config >>

Re: [Openvpn-devel] Problem with client reconnect when using username-as-common-name and username is blank

2010-11-04 Thread Jan Just Keijser
Hi Carlos, this looks like a repeat of something reported on March 1st: in multi.c the function multi_client_connect_setenv contains 1410 /* setenv incoming cert common name for script */ 1411 setenv_str (mi->context.c2.es, "common_name", tls_common_name (mi->context.c2.tls_multi,

[Openvpn-devel] VERY weird interaction between openvpn and opensc-pkcs11

2010-11-11 Thread Jan Just Keijser
that openvpn's openvpn_execve fork+waitpid function causes the program pid to change every time, triggering the reset of the pkcs11 interface ! What shall we do about this? cheers, JJK / Jan Just Keijser

[Openvpn-devel] OpenVPN (cook)book

2010-11-17 Thread Jan Just Keijser
Hi all, I just wanted to let you know that the OpenVPN 2 Cookbook, which I've been working on for the past 6 months or so, is due for publication in early 2011. A pre-release (RAW) version of the book can already be found here: https://www.packtpub.com/openvpn-2-cookbook/book cheers,

Re: [Openvpn-devel] script-security 1

2010-12-02 Thread Jan Just Keijser
Hi David, David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 02/12/10 15:53, Jan Just Keijser wrote: hi all, the openvpn 2.1 man page on script-security reads: --script-security level [method] This directive offers policy-level control over OpenVPN's usage

Re: [Openvpn-devel] Summary of the IRC meeting (9th Dec 2010)

2010-12-13 Thread Jan Just Keijser
Hi Adriaan, Adriaan de Jong wrote: -Original Message- From: Jan Just Keijser [mailto:janj...@nikhef.nl] Hi Samuli, David, list, What some people get confused about is a stacked certificate vs a certificate chain: OpenVPN only supports stacked CA certificates, meaning that any

Re: [Openvpn-devel] [Openvpn-users] Is it possible to access Windows XP shares over port 445?

2010-12-16 Thread Jan Just Keijser
...@greenie.muc.de <mailto:g...@greenie.muc.de>> wrote: > > On Wed, Jun 23, 2010 at 09:10:10AM +0200, Jan Just Keijser wrote: > > > assigns a 169.254 address. If this works for you as well then maybe the > > > tap-win32 developers can dive de

Re: [Openvpn-devel] [Openvpn-users] Using EasyRSA intermediate CA with OpenVPN - warning with certificate revocation list: "CRL crl.pem is from a different issuer than the issuer of certificate ..."

2011-01-11 Thread Jan Just Keijser
Hi Erich, (copying in the openvpn-devel list as this might be considered a minor bug) Erich Titl wrote: Hi JJK at 11.01.2011 15:45, Jan Just Keijser wrote: Hi, ... the "CRL crl.pem is from a different issuer" warning is actually an error: when OpenVPN go

Re: [Openvpn-devel] OpenVPN documentation (man page) review

2011-01-12 Thread Jan Just Keijser
Hi David, David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi folks! This is a little cry for help from us playing with the OpenVPN code. We have a quite good man page today with a lot of information. But maintaining it and to make sure it is up-to-date with all the

Re: [Openvpn-devel] Help testing OpenVPN 2.2-rc Windows installer?

2011-02-04 Thread Jan Just Keijser
Hi Samuli, Samuli Seppänen wrote: Hi, As some of you may be aware, I've been working on the new Python-based OpenVPN Windows buildsystem; now the first fully functional OpenVPN installer is ready: However,

Re: [Openvpn-devel] Help testing OpenVPN 2.2-rc Windows installer?

2011-02-07 Thread Jan Just Keijser
hi Samuli, Samuli Seppänen wrote: Hi Samuli, Samuli Seppänen wrote: Hi, As some of you may be aware, I've been working on the new Python-based OpenVPN Windows buildsystem; now the first fully functional OpenVPN installer is ready:

Re: [Openvpn-devel] OpenVPN 2.2-rc Windows installer ready

2011-02-10 Thread Jan Just Keijser
hi Samuli, Samuli Seppänen wrote: Hi all, The (hopefully) final preview of the OpenVPN 2.2-rc installer for Windows is available here: The main reason for this preview installer is our use of the new,

Re: [Openvpn-devel] sctp in openvpn

2011-02-28 Thread Jan Just Keijser
David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 26/02/11 12:25, Gert Doering wrote: | Hi, | | On Sat, Feb 26, 2011 at 11:19:19AM +, Olivier Van Acker wrote: |>> The code parts in question inside OpenVPN (socket.c) are somewhat |>> complicated due to lots of existing

Re: [Openvpn-devel] [PATCH] Fix the --client-cert-not-required feature

2011-03-31 Thread Jan Just Keijser
Hi David, David Sommerseth wrote: Commit 2e8337de248ef0b5b48cbb2964da0d5c3f28b15b introduced a new feature for using other SSL certificate fields for authentication than the CN field. This commit introduced a bug, which made the verify_callback() function get called even if

Re: [Openvpn-devel] [PATCH] Fix the --client-cert-not-required feature

2011-03-31 Thread Jan Just Keijser
With this explanation, I'm ACKing the patch. JJK David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 31/03/11 09:57, Jan Just Keijser wrote: Hi David, David Sommerseth wrote: Commit 2e8337de248ef0b5b48cbb2964da0d5c3f28b15b introduced a new feature for using

Re: [Openvpn-devel] [Openvpn-users] OpenVPN memory usage

2011-04-20 Thread Jan Just Keijser
Hi *, copying in the openvpn-devel list as they might be interested in this memory usage analysis as well Ralf Hildebrandt wrote: > * Ralf Hildebrandt : >> * Fredrik Kers : >>> I measure the memory usage by checking the VmRSS (Resident

Re: [Openvpn-devel] [Openvpn-users] OpenVPN memory usage

2011-04-20 Thread Jan Just Keijser
Hi David, David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 20/04/11 17:25, Jan Just Keijser wrote: Hi *, copying in the openvpn-devel list as they might be interested in this memory usage analysis as well Ralf Hildebrandt wrote: * Ralf Hildebrandt

Re: [Openvpn-devel] OpenVPN 2.2.0 released

2011-04-28 Thread Jan Just Keijser
Hi, I just would like to thank dazo, mattock and all the other developers and contributors who have put so much time into creating this release - great job guys! JJK David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 27/04/11 20:48, Samuli Seppänen wrote: | | Note

Re: [Openvpn-devel] Fwd: OpenVPN netsh.exe patch

2011-05-10 Thread Jan Just Keijser
Hi Seth, Seth Mos wrote: > Here is the tun.c patch for correction of the netsh.exe commands. > > > > I've confirmed that the patch works on Windows XP SP2 and Windows 7. > > Patch! > http://iserv.nl/files/pfsense/0001-Change-the-netsh.exe-command-from-add-to-set-.-Th.patch > > please explain

Re: [Openvpn-devel] Fwd: OpenVPN netsh.exe patch

2011-05-10 Thread Jan Just Keijser
Hi, Gert Doering wrote: > Hi, > > On Tue, May 10, 2011 at 03:31:56PM +0200, Jan Just Keijser wrote: > >> Seth Mos wrote: >> >>> Here is the tun.c patch for correction of the netsh.exe commands. >>> >>> I've confirmed that the patch w

Re: [Openvpn-devel] [Openvpn-users] behavior of remote address with more than one A record

2011-05-12 Thread Jan Just Keijser
Hi William, William Cooley wrote: On 5/12/2011 1:46 PM, Jan Just Keijser wrote: William Cooley wrote: I'd like to have a remote address setting that has two A records. The client should randomly try to connect to one of the addresses and if it fails it should either try the other IP address

Re: [Openvpn-devel] [PATCH] Make '--comp-lzo no' the default behaviour if LZO is enabled

2011-05-20 Thread Jan Just Keijser
Hi *, David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 16/05/11 13:10, David Sommerseth wrote: This makes 'comp-lzo' pushable without requiring clients to have --comp-lzo defined in the client configs. To make 'comp-lzo' not pushable on the client, a new 'disabled'

Re: [Openvpn-devel] Summary of the IRC meeting (9th June 2011)

2011-06-14 Thread Jan Just Keijser
Hi *, > Discussed the possibility of arranging a "real" face-to-face meeting > between the company and community people, for example in New York. Costs > are an issue, but this might happen eventually. JM2CW: I think this would be a *very* good thing, for both the openvpn community developers

Re: [Openvpn-devel] [PATCH] Add new openssl.cnf to easy-rsa/Windows

2011-06-20 Thread Jan Just Keijser
NACK on this patch - the openssl.cnf file should be (almost) the same as the one used in easy-rsa/2.0; that way the certificates are generated in the same manner (*with* EKU=ServerAuth) JJK David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 20/06/11 09:49,

Re: [Openvpn-devel] [PATCH] Add new openssl.cnf to easy-rsa/Windows

2011-06-20 Thread Jan Just Keijser
Hi David, David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 20/06/11 11:36, Jan Just Keijser wrote: NACK on this patch - the openssl.cnf file should be (almost) the same as the one used in easy-rsa/2.0; that way the certificates are generated in the same manner

Re: [Openvpn-devel] Summary of the IRC meeting (7th July 2011)

2011-07-09 Thread Jan Just Keijser
dazo wrote: dazo 12:16:09 we need to catch up on janjust on that one ... I think he dropped the ball due to holiday season or so ... I think it's been quite quiet from him lately (esp. here on IRC) yep - I'm on holidays right now and I have not had the time to look into this further ;

Re: [Openvpn-devel] Fatal Error on XP

2011-10-10 Thread Jan Just Keijser
Hi, the log line "VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=US/ST=NewYork/L=minerals/O=certify.com/OU=R_D/CN=certify/emailAddress=cert...@server1.com" shows that the client does not trust the server certificate, or the CA certificate that signed the

Re: [Openvpn-devel] [PATCH 3/3] Changed default algorithm for PolarSSL to AES-128, as BF is not supported

2011-10-24 Thread Jan Just Keijser
I'd NACK this patch: the default behaviour of OpenVPN should be independent of the SSL implementation. JJK Adriaan de Jong wrote: > Signed-off-by: Adriaan de Jong > --- > options.c |5 + > 1 files changed, 5 insertions(+), 0 deletions(-) > > diff --git a/options.c

Re: [Openvpn-devel] Topics for today's meeting

2011-11-24 Thread Jan Just Keijser
Alon Bar-Lev wrote: > I hate CMake, it is way too complex, these guys re-invented the wheel > with no decent reuse of any methodology / language that existed > before. > I agree with Alon here: +1 autoconf, -9 CMake; esp. troubleshooting a non-working CMake setup is a nightmare. JJK > If we

Re: [Openvpn-devel] OpenVPN 2.2.2 released

2011-12-23 Thread Jan Just Keijser
Hi mattock, Samuli Seppänen wrote: The OpenVPN community project team is proud to release OpenVPN 2.2.2. It can be downloaded from here: Changes include: - Pkcs11 support built into the Windows version - Fixed a bug in the Windows

Re: [Openvpn-devel] Summary of the IRC meeting (19th Jan 2012)

2012-01-25 Thread Jan Just Keijser
Hi all, Samuli Seppänen wrote: Hi, Here's the summary of the previous IRC meeting / sprint. I've been offline for a while but am slowly getting back online; as for the chatlog attachment: Gert did ask me about bug #97 (dhcpnak storm); I have not been able to reproduce the DHCP NAK

[Openvpn-devel] Elliptic curve patch

2012-02-06 Thread Jan Just Keijser
hi all, attached is my elliptic curve patch, to add support for using ECDSA curves in combination with SHA256/SHA512 signed certificates; currently you can do either ECDSA with SHA1-signed certificates, or no ECDSA but SHA256/SHA512 signed certs. The error message seen is

[Openvpn-devel] [PATCH] Made some options connection-entry specific

2012-02-07 Thread Jan Just Keijser
-by: Jan Just Keijser <janj...@nikhef.nl> --- forward.c |2 +- init.c| 38 ++- occ.c |2 +- options.c | 125 +++-- options.h | 36 +- sig.c |6 +- 6 files changed, 107 insertions(+

Re: [Openvpn-devel] [PATCH] Made some options connection-entry specific

2012-02-07 Thread Jan Just Keijser
sorry about the noise, folks; this was my second git patch attempt :) cheers, JJK Jan Just Keijser wrote: > Made some options connection-entry specific: > fragment > mssfix > tun-mtu > tun-mtu-extra > link-mtu > mtu_discover_type > explicit-exit-notificati

Re: [Openvpn-devel] [PATCH] Signed-off-by: Jan Just Keijser <janj...@nikhef.nl>

2012-02-08 Thread Jan Just Keijser
otiation phase without this patch: if the client and server are configured to use ECDSA+SHA512 certs and the 'ecdh' parameters are NOT set on the server then the initial TLS handshake fails. cheers, JJK > On Tue, Feb 7, 2012 at 5:13 PM, Jan Just Keijser <janj...@nikhef.nl > <mailto:jan

Re: [Openvpn-devel] Config question

2012-02-09 Thread Jan Just Keijser
Hi David, David Sommerseth wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 08/02/12 16:56, Jan Just Keijser wrote: Hi Paul, Paul Bakker wrote: On 8-2-2012 15:53, Jan Just Keijser wrote: Hi Paul, I can't find why the client would use 'eth0' for the 'tun0' network

Re: [Openvpn-devel] [RFC] openssl minimum supported version

2012-02-21 Thread Jan Just Keijser
Alon Bar-Lev wrote: > Hello, > > OpenVPN supports minimum openssl version of 0.9.6, while this version > is unsupported by upstream and probably a security risk. > > What would be a suitable minimum version to support? > > I think that 0.9.8 is the one. > EL5 and most SuSE distros still use

Re: [Openvpn-devel] [RFC][windows] gettimeofday()

2012-02-22 Thread Jan Just Keijser
Hi Alon, Alon Bar-Lev wrote: Hello all, There is an abnormality in the openvpn sources I want to resolve. In windows there is an own implementation of gettimeofday(). In the past there was no gettimeofday(), so we used performance counters, then James optimized it to reduce CPU consumption.

Re: [Openvpn-devel] openvpn windows gui

2012-02-28 Thread Jan Just Keijser
Samuli Seppänen wrote: We should probably write an installer. I'm not sure if it's the best idea to make each and every GUI project out there write its own installer, when it's mostly a single executable that needs to be replaced to package it with upstream openvpn. The pragmatic way

Re: [Openvpn-devel] two tls-auth questions

2012-03-23 Thread Jan Just Keijser
Mr Dash Four wrote: Is there a way to generate a symmetric ta.key without using "openvpn --genkey --secret ta.key"? yep, just use any freeform key that has enough entropy. For example, this ta.key file is good enough ]# cat mykey garble warble we need lots of entropy when openvpn starts

Re: [Openvpn-devel] two tls-auth questions

2012-03-23 Thread Jan Just Keijser
Mr Dash Four wrote: Is there a way to generate a symmetric ta.key without using "openvpn --genkey --secret ta.key"? yep, just use any freeform key that has enough entropy. For example, this ta.key file is good enough ]# cat mykey garble warble we need lots of entropy So, in

Re: [Openvpn-devel] [DISCUSS] much more complicated gcc invocations now

2012-03-28 Thread Jan Just Keijser
Hi, Gert Doering wrote: Hi, On Mon, Mar 26, 2012 at 07:51:01PM +0200, Alon Bar-Lev wrote: The benefit is to divide the code into libraries and core which is easier to maintain and reuse. I'm not sure I understand what's so hard about "compile stuff, use 'ar' to pack into

Re: [Openvpn-devel] [DISCUSS] much more complicated gcc invocations now

2012-03-28 Thread Jan Just Keijser
Alon Bar-Lev wrote: On Wed, Mar 28, 2012 at 11:12 AM, Jan Just Keijser <janj...@nikhef.nl> wrote: Hi, Gert Doering wrote: Hi, On Mon, Mar 26, 2012 at 07:51:01PM +0200, Alon Bar-Lev wrote: The benefit is to divide the code into libraries and core which is easier to maintain and

Re: [Openvpn-devel] [PATCH] Signed-off-by: Jan Just Keijser <janj...@nikhef.nl>

2012-05-05 Thread Jan Just Keijser
Hi Adriaan, Adriaan de Jong wrote: Hi Janjust, I've finally had the time to take a look at this patch with a colleague who is more familiar with the subject at hand :). Hope this helps. Please see my comments inline. Adriaan On 02/07/2012 04:13 PM, Jan Just Keijser wrote: Added support

Re: [Openvpn-devel] [PATCH] Signed-off-by: Jan Just Keijser <janj...@nikhef.nl>

2012-05-08 Thread Jan Just Keijser
Hi Adriaan, Adriaan de Jong wrote: +void +tls_ctx_load_ecdh_params (struct tls_root_ctx *ctx, const char *curve_name +) +{ +#ifdef USE_SSL_EC + if (curve_name != NULL) + { +int nid; +EC_KEY *ecdh = NULL; + +nid = OBJ_sn2nid(curve_name); + +if (nid ==

Re: [Openvpn-devel] openssl ouch

2012-05-08 Thread Jan Just Keijser
Jan Just Keijser wrote: ouch: http://www.openssl.org/news/secadv_20120419.txt we need to investigate whether and how openvpn is affected. did somebody end up writing an 'authoritative' answer to the question if and how openvpn is affected by this bug? cheers, JJK

Re: [Openvpn-devel] openvpn question

2012-05-10 Thread Jan Just Keijser
Hi Raj, Raj Kumar wrote: Hi all, I am new to openvpn. I am using openvpn on my linux machine. I have a basic question about openvpn. How does openvpn process the incoming packets? Is it processing incoming packets one by one, meaning receive one packet from the kernel, decrypt it and send it

Re: [Openvpn-devel] [PATCH] Openvpn for Android 4.0 Changeset

2012-05-10 Thread Jan Just Keijser
Hi, Samuli Seppänen wrote: Hello, I have developed the port of openvpn for Android 4.0: https://play.google.com/store/apps/details?id=de.blinkt.openvpn and http://code.google.com/p/ics-openvpn/ The API of Android 4.0 requires that openvpn runs as completely unprivileged process. There all

[Openvpn-devel] [Fwd: Re: [OpenVPN Community] #97: OpenVPN produces DCHP NAK bomb on Win 7 64bit]

2012-07-13 Thread Jan Just Keijser
did one of the tap-win32 developers see this: Seems to be a bug in the TAP driver. It's happening after you try to refresh the DHCP lease 3 times (after resume from hibernation, Windows tries to acquire a DHCP lease too). I think the reason for this is a programming error in dhcp.c in function

Re: [Openvpn-devel] openvpn-gui disconnect

2012-09-13 Thread Jan Just Keijser
Hi Nelson, Nelson Teixeira wrote: Hello, Sorry for writing directly to the devel list, but I'm not able to solve this problem I'm in and thought maybe you would be so kind to take a look. Thanks in advance :) I'm having trouble in finding how to end openvpn programmatically in windows.

Re: [Openvpn-devel] Ability to send variable data from client to server

2012-10-01 Thread Jan Just Keijser
Hi Gert, Gert Doering wrote: Hi, On Mon, Oct 01, 2012 at 06:58:28AM +, f7n4ahb...@snkmail.com wrote: I believe there is ongoing development to allow a variable to be set in the client config which can be used by the client-connect or route-up scripts on the server. Specifically I need

Re: [Openvpn-devel] RFC - Usage of --script-security with the 'system' flag

2012-10-17 Thread Jan Just Keijser
Hi David, David Sommerseth wrote: Hi all, I've been reviewing a bug reported to the v2.3 code base. We're in the beta phase currently, and this is a bug I'd like to get fixed before we're moving on further. The bug is related to the use of the 'system' flag in --script-security.

Re: [Openvpn-devel] Summary of the IRC meeting (29th Nov 2012)

2012-12-03 Thread Jan Just Keijser
Hi all, Samuli Seppänen wrote: Hi, Here's the summary of the previous IRC meeting. it's great to hear that the openvpn community is getting together again at FOSDEM 2013 ! One small practical remark, however: the train schedule between Amsterdam and Brussels is about to change; the

[Openvpn-devel] man page patch for missing options

2013-02-03 Thread Jan Just Keijser
hi all, attached is a man page patch to include the options that were made connection-entry specific (by a patch of mine, which is included in 2.3.0). see you in a bit, JJK diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 2ed5201..829bbd2 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@

Re: [Openvpn-devel] [PATCH 1/7] refine assertion to allow other modes than CBC

2013-02-03 Thread Jan Just Keijser
Arne Schwabe wrote: Am 16.08.12 10:38, schrieb Heiko Hund: cipher_ctx_final() only returns an outlen in CBC mode. If CFB or OFB are used the assertion outlen == iv_len is always false. There's no CBC mode defined for the GOST 28147-89 block cipher. Hence this patch is needed for it to work.

Re: [Openvpn-devel] option --crl-verify PATH dir

2013-02-05 Thread Jan Just Keijser
Adriaan de Jong wrote: -Original Message- From: David Sommerseth [mailto:openvpn.l...@topphemmelig.net] Sent: Sunday 3 February 2013 15:52 To: Jan Just Keijser Cc: openvpn-devel@lists.sourceforge.net Subject: Re: [Openvpn-devel] option --crl-verify PATH dir On 03/02/13 12:02, Jan Just

Re: [Openvpn-devel] [PATCH] Add auto value to pkcs11-id parameter

2013-02-22 Thread Jan Just Keijser
Chris J Arges wrote: This patch allows one to specify --pkcs11-id auto to automatically select the first certificate on a pkcs11 device. This simplifies scripts and usage in environments where clients may only use a single certificate for connecting to a VPN. Based on a patch by Oliver

[Openvpn-devel] forum topic12703: cross compile problem with crypto-library=polarssl

2013-04-22 Thread Jan Just Keijser
hi *, particularly Adriaan, can someone take a look at https://forums.openvpn.net/topic12703.html subject: cross compile problem with crypto-library=polarssl thx, JJK

[Openvpn-devel] TAP driver & NDIS 6.3

2013-04-27 Thread Jan Just Keijser
yo list, did anybody see this post on the forum https://forums.openvpn.net/topic12455.html "Current windows TAP driver 9.9.2 uses NDIS API version 5.0. This is fine for desktop Windows including Windows 8, but the driver sources cannot be recompiled for Windows RT. Windows RT requires NDIS

[Openvpn-devel] [PATCH] make "explicit-exit-notify" pullable again

2013-05-24 Thread Jan Just Keijser
can I revert to previous behavior? That is, indeed, a good question. "git blame" points to... commit 76809cae0eae07817160b423d3f9551df1a1d68e Author: Jan Just Keijser <janj...@nikhef.nl> Date: Tue Feb 7 16:29:47 2012 +0100 Made some options connection-entry specific

Re: [Openvpn-devel] [PATCH] Only print script warnings when a script is used. Remove stray mention of script-security system.

2013-05-30 Thread Jan Just Keijser
ACK! Arne Schwabe wrote: --- src/openvpn/common.h |2 +- src/openvpn/init.c | 19 +-- 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/src/openvpn/common.h b/src/openvpn/common.h index dd2c83f..2f85bec 100644 --- a/src/openvpn/common.h +++

Re: [Openvpn-devel] [Openvpn-users] why doesn't openvpn negotiate settings?

2013-08-01 Thread Jan Just Keijser
Hi Gert, Gert Doering wrote: Hi, On Thu, Aug 01, 2013 at 12:02:55PM +0200, Jan Just Keijser wrote: It should be possible to add negotiation without completely breaking backwards compatibility; right now, when a server pushes an option to the client that is unrecognized the client

Re: [Openvpn-devel] [Openvpn-users] why doesn't openvpn negotiate settings?

2013-08-06 Thread Jan Just Keijser
Hi David, nice answer, David, and thanks for promoting the book ;) Your basic points are correct, of course: - networking is hard - security is hard Configuring openvpn can be daunting at first, but it is not nearly as bad as configuring PPTP, or - GASP! - IPSec+L2TP. Documentation can help

Re: [Openvpn-devel] [Patch] ECDH support

2014-02-25 Thread Jan Just Keijser
Hi Steffan, On 25/02/14 09:48, Steffan Karger wrote: Hi, On Tue, Feb 25, 2014 at 9:22 AM, Gert Doering wrote: > Although there is apparently more work to do to get more cipher suites > working, this does give us a start on

Re: [Openvpn-devel] [Patch] ECDH support

2014-03-04 Thread Jan Just Keijser
On 04/03/14 23:48, Steffan Karger wrote: Hi, On Tue, Mar 4, 2014 at 10:49 PM, pietrek -- wrote: [...] I think we could add option "--dh none" or "--no-dh". It may be specified, if user knows what he's doing. I like that idea.

Re: [Openvpn-devel] [PATCH] Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.

2014-03-18 Thread Jan Just Keijser
On 18/03/14 10:39, Steffan Karger wrote: Hi, On 17/03/2014 23:23, James Yonan wrote: On 17/03/2014 14:29, Gert Doering wrote: Right now, if I read configure.ac correctly, we require 0.9.6 or later (and check this only if pkg-config is available) - but obviously, SSL_OP_NO_TICKET was added

Re: [Openvpn-devel] [PATCH] Set SSL_OP_NO_TICKET flag in SSL context for OpenSSL builds, to disable TLS stateless session resumption.

2014-03-18 Thread Jan Just Keijser
Hi David, On 18/03/14 14:12, David Sommerseth wrote: On 18/03/14 10:51, Jan Just Keijser wrote: On 18/03/14 10:39, Steffan Karger wrote: Hi, On 17/03/2014 23:23, James Yonan wrote: On 17/03/2014 14:29, Gert Doering wrote: Right now, if I read configure.ac correctly, we require 0.9.6

Re: [Openvpn-devel] [PATCH] Fix man page and OSCP script: tls_serial_{n} is decimal

2014-03-31 Thread Jan Just Keijser
On 30/03/14 15:46, Gert Doering wrote: Hi, On Sun, Mar 30, 2014 at 12:48:37AM +0100, Steffan Karger wrote: 3 - Change OpenSSL builds to use hex representation I tend toward this one - user visible behaviour shouldn't change (unless unavoidable) depending on SSL library used. So for me this

Re: [Openvpn-devel] Heartbleed

2014-04-10 Thread Jan Just Keijser
On 09/04/14 12:34, Eike Lohmann wrote: Am 09.04.2014 10:45, schrieb Gert Doering: This is not trivial to set up, and might not be worth it for every client out there - but if you're truly concerned about your data, upgrade the client, revoke the old key+certificate, reissue new keys. How does

Re: [Openvpn-devel] RFD: ssl library version numbers

2014-04-14 Thread Jan Just Keijser
Hi Gert, Gert Doering wrote: Hi, OpenVPN does not currently report the version of the SSL library it is using - which I'm not sure whether it's by design or just because nobody ever added it. Anyway, right now I think we need it, to help future cases. There are a few questions that go along

Re: [Openvpn-devel] [PATCH 0/3] Support non-root operation using ocproxy

2014-04-14 Thread Jan Just Keijser
Hi, Kevin Cernekee wrote: On Sun, Apr 13, 2014 at 8:19 AM, Arne Schwabe wrote: You could look at the TARGET_ANDROID. That uses the management interface and fds over unix socket to achieve something similar. Do you think it would be feasible to enable TARGET_ANDROID

Re: [Openvpn-devel] Fixes for HTTP proxy authentication with NTLM

2014-04-19 Thread Jan Just Keijser
Hi, On 18/04/14 23:05, Gert Doering wrote: Hi, On Wed, Apr 16, 2014 at 12:48:35PM +0200, Holger Kummert wrote: Any opinions? Any easy way to test this, without having a Windows domain around? (I already run a number of test cases from my t_client test sets using socks proxy, http proxy,

Re: [Openvpn-devel] Questionable restriction in --x509-username-field

2014-05-08 Thread Jan Just Keijser
Hi Andris, On 08/05/14 03:32, Andris Kalnozols wrote: The X.509 user certificates in our organization have Subject fields that appear as in the following example: Subject: O=Hewlett-Packard Company, OU=WEB, CN=GivenName Surname/emailAddress=u...@hp.com Since the Common Name (CN)

Re: [Openvpn-devel] Questionable restriction in --x509-username-field

2014-05-08 Thread Jan Just Keijser
Hi Andris, Kalnozols, Andris wrote: On 5/7/2014 10:06 PM, Jan Just Keijser wrote: On 08/05/14 03:32, Andris Kalnozols wrote: The X.509 user certificates in our organization have Subject fields that appear as in the following example: Subject: O=Hewlett-Packard Company, OU=WEB

Re: [Openvpn-devel] [PATCH] Add topology in sample server configuration file

2014-07-11 Thread Jan Just Keijser
On 11/07/14 10:00, Philipp Hagemeister wrote: On modern systems, topology subnet should always be set, but it's missing in the configuration file. Add it with a short explanation. NACK There are a few annoying issues with topology subnet esp. when using server side things like route that

Re: [Openvpn-devel] [PATCH] Add topology in sample server configuration file

2014-07-11 Thread Jan Just Keijser
Hi Arne, Arne Schwabe wrote: Am 11.07.14 10:51, schrieb Jan Just Keijser: On 11/07/14 10:00, Philipp Hagemeister wrote: On modern systems, topology subnet should always be set, but it's missing in the configuration file. Add it with a short explanation. NACK There are a few annoying

Re: [Openvpn-devel] [PATCH] Add topology in sample server configuration file

2014-07-11 Thread Jan Just Keijser
Arne Schwabe wrote: Fri Jul 11 11:31:28 2014 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options Fri Jul 11 11:31:28 2014 OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.4.0 Fri

Re: [Openvpn-devel] [PATCH] Add topology in sample server configuration file

2014-07-11 Thread Jan Just Keijser
Hi, Gert Doering wrote: On Fri, Jul 11, 2014 at 10:51:54AM +0200, Jan Just Keijser wrote: On 11/07/14 10:00, Philipp Hagemeister wrote: On modern systems, topology subnet should always be set, but it's missing in the configuration file. Add it with a short explanation. NACK

Re: [Openvpn-devel] [PATCH] Add topology in sample server configuration file

2014-07-11 Thread Jan Just Keijser
Hi, On 11/07/14 20:07, Gert Doering wrote: Hi, On Fri, Jul 11, 2014 at 04:50:38PM +0200, Jan Just Keijser wrote: the master branch (from openvpn-testing) currently does not build on either CentOS 5 and 6. Install snappy(-dev) or run configure with --disable-snappy :-) - besides

Re: [Openvpn-devel] [PATCH] Add topology in sample server configuration file

2014-07-12 Thread Jan Just Keijser
Hi, On 11/07/14 20:35, Steffan Karger wrote: Hi, On 11-07-14 20:17, Jan Just Keijser wrote: on CentOS 5 I get checking for SSL_OP_NO_TICKET flag in OpenSSL... no configure: error: OpenVPN 2.4+ requires SSL_OP_NO_TICKET in OpenSSL which is logical as the "stock" openssl lib o

Re: [Openvpn-devel] Openvpn 2.3.2: "Could not create temporary file" ....Too many open files

2014-07-23 Thread Jan Just Keijser
Hi, On 23/07/14 08:19, arno.oderm...@ch.schindler.com wrote: Dear both, thank you for your reply. Yes, we are using the "--client-connect" and according to 2.3 OpenVPN manual (see section below) it does create files by writing to "file named by $1." Gert, we are sure, there was not a

Re: [Openvpn-devel] [Openvpn-users] OpenVPN and Multi-Core processor

2014-08-07 Thread Jan Just Keijser
On 07/08/14 16:15, Les Mikesell wrote: On Thu, Aug 7, 2014 at 4:56 AM, David Sommerseth wrote: However, that is most likely less intrusive and complex than to basically needing to re-write the event handler which schedules that each client gets their "time slice"

Re: [Openvpn-devel] Any Windows-based OpenVPN servers available for fixing bug #432?

2014-09-29 Thread Jan Just Keijser
Hi Samuli, Samuli Seppänen wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, Does someone have a spare (=non-production) Windows-based OpenVPN server (e.g. on EC2) which could be used to debug and fix #432? I can set up a (semi

Re: [Openvpn-devel] New OpenVPN Windows installers (I004 and I604) released

2014-10-21 Thread Jan Just Keijser
Hi Samuli, Samuli Seppänen wrote: New Windows installers with OpenSSL 1.0.1j have been released: Two of the issues fixed in OpenSSL may impact OpenVPN. More details here:

Re: [Openvpn-devel] New OpenVPN Windows installers (I004 and I604) released

2014-10-21 Thread Jan Just Keijser
Hi, Gert Doering wrote: Hi, On Tue, Oct 21, 2014 at 10:53:52AM +0200, Jan Just Keijser wrote: Running the gui with elevated privileges fixes this issue. Shouldn't the installer have created this registry key? The GUI need to run with elevated privileges anyway, because otherwise

Re: [Openvpn-devel] statistics file format not respected in point-to-point?

2015-02-20 Thread Jan Just Keijser
Hi, On 19/02/15 21:52, Reinoud Koornstra wrote: Hi Everyone, I have a side to side (point to point) configuration. Meaning no client or server involved. It comes up fine. I did set this as well in the config file: status /tmp/openvpn_hello_status.log 5 status-version 3 When i look at the

[Openvpn-devel] patch for bug #93: up-restart env vars

2015-05-20 Thread Jan Just Keijser
hi all, here's my patch for bug #93: missing ifconfig_* env vars after up-restart. Tested with both IPv4, IPv6, topology subnet and topology net30 cheers, JJK diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 42cb3e2..a4b5e05 100644 --- a/src/openvpn/init.c +++

Re: [Openvpn-devel] patch for bug #93: up-restart env vars

2015-05-21 Thread Jan Just Keijser
Hi Gert, On 21/05/15 20:14, Gert Doering wrote: Hi, On Wed, May 20, 2015 at 04:33:20AM +0200, Jan Just Keijser wrote: here's my patch for bug #93: missing ifconfig_* env vars after up-restart. Tested with both IPv4, IPv6, topology subnet and topology net30 Reading through #93, I'm wondering

Re: [Openvpn-devel] patch for bug #93: up-restart env vars

2015-05-21 Thread Jan Just Keijser
Hi, On 21/05/15 20:31, Gert Doering wrote: On Thu, May 21, 2015 at 08:20:39PM +0200, Jan Just Keijser wrote: On 21/05/15 20:14, Gert Doering wrote: On Wed, May 20, 2015 at 04:33:20AM +0200, Jan Just Keijser wrote: here's my patch for bug #93: missing ifconfig_* env vars after up-restart

Re: [Openvpn-devel] patch for bug #93: up-restart env vars

2015-05-22 Thread Jan Just Keijser
Gert Doering wrote: Hi, On Fri, May 22, 2015 at 12:01:24AM +0200, Jan Just Keijser wrote: I'm not sure what the best path forward is, TBH... --up-restart *is* different from --up in several ways: - runs as the user+group that is specified in the config file - the 'tun' device

Re: [Openvpn-devel] [PATCH] Document differences between --up-restart and --up in openvpn.8

2015-05-22 Thread Jan Just Keijser
On 22/05/15 20:36, Gert Doering wrote: See trac #93 and the discussion starting with <555bf270.3090...@nikhef.nl> on the openvpn-devel mailing list. Signed-off-by: Gert Doering --- doc/openvpn.8 | 6 ++ 1 file changed, 6 insertions(+) diff --git a/doc/openvpn.8

Re: [Openvpn-devel] [PATCH] Clarify --capath option in manpage

2015-05-24 Thread Jan Just Keijser
Hi, On 24/05/15 11:45, Steffan Karger wrote: Prevent confusion as described in trac #422 by better explaining the behaviour of --capath, and providing pointers to relevant openssl man pages. Attached are patches for the master and release/2.3 branches. The only difference is that in the

Re: [Openvpn-devel] [PATCH] Clarify --capath option in manpage

2015-05-26 Thread Jan Just Keijser
Hi Stefan, On 24/05/15 22:47, Steffan Karger wrote: Hi Jan Just, On 24-05-15 22:14, Jan Just Keijser wrote: On 24/05/15 11:45, Steffan Karger wrote: Prevent confusion as described in trac #422 by better explaining the behaviour of --capath, and providing pointers to relevant openssl man
