Re: [Openvpn-devel] OpenVPN version 2.1.2 released / tapinstall.exe fails

2010-08-17 Thread David Sommerseth

On 17/08/10 17:12, Pasi Kärkkäinen wrote:
> On Tue, Aug 17, 2010 at 05:51:15PM +0300, Pasi Kärkkäinen wrote:
>> On Mon, Aug 16, 2010 at 04:34:54PM +0300, Pasi Kärkkäinen wrote:
>>> On Mon, Aug 16, 2010 at 04:29:17PM +0300, Pasi Kärkkäinen wrote:
>>>>
>>>> Hello,
>>>>
>>>> When running the openvpn 2.1.2 installer on Windows 7 (x64) I noticed this
>>>> error:
>>>> http://pasik.reaktio.net/openvpn212-setup-error-opening-file-for-writing.jpg
>>>>
>>>> ie. the installer cannot overwrite the existing files from openvpn 2.1.1
>>>> installation.
>>>> I get that error for the following files:
>>>>
>>>> C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe
>>>> C:\Program Files (x86)\OpenVPN\bin\libeay32.dll
>>>>
>>>> And after finishing the installation windows "Program Compatibility
>>>> Assistant" pops up,
>>>> and asks if the program installed correctly, or if I wanted to "Reinstall
>>>> using recommended settings".
>>>>
>>>> http://pasik.reaktio.net/openvpn212-setup-might-not-have-installed-correctly.jpg
>>>>
>>>> I chose it installed OK and then rebooted the machine.
>>>>
>>>> After reboot I noticed the TAP network device is missing from Windows,
>>>> and thus openvpn connections cannot be started..
>>>>
>>>> Running the "Add a new TAP virtual ethernet adapter" doesn't seem to work
>>>> either..
>>>>
>>>
>>> And here's a screenshot of the failing tapinstall.exe:
>>> http://pasik.reaktio.net/openvpn212-tapinstall-failed.jpg
>>>
>>
>> Any tips how to troubleshoot this? 
>>
> 
> I just verified: openvpn 2.1.1 installs and works without problems on this 
> win7 (x64) laptop.
> 
> no matter what I try openvpn 2.1.2 doesn't create the tap device..
> 
> I tried running the addtap.bat in various compatibility modes
> but it just doesn't add the tap interface to windows..
> 
> executing addtap.bat with "run as administrator" makes it say it installs ok,
> but in reality the tap interface is NOT added to windows.

It sounds like there are some issues with the v2.1.2 release.  Most
probably it is related to the TAP driver not being signed correctly.
Somehow I got a feeling James is investigating this now.

I'm sure James will update us on this issue when it has been solved.


Kind regards,

David Sommerseth



Re: [Openvpn-devel] OpenVPN version 2.1.2 released / tapinstall.exe fails

2010-08-17 Thread Pasi Kärkkäinen
On Tue, Aug 17, 2010 at 05:51:15PM +0300, Pasi Kärkkäinen wrote:
> On Mon, Aug 16, 2010 at 04:34:54PM +0300, Pasi Kärkkäinen wrote:
> > On Mon, Aug 16, 2010 at 04:29:17PM +0300, Pasi Kärkkäinen wrote:
> > > 
> > > Hello,
> > > 
> > > When running the openvpn 2.1.2 installer on Windows 7 (x64) I noticed 
> > > this error:
> > > http://pasik.reaktio.net/openvpn212-setup-error-opening-file-for-writing.jpg
> > > 
> > > ie. the installer cannot overwrite the existing files from openvpn 2.1.1 
> > > installation.
> > > I get that error for the following files:
> > > 
> > > C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe
> > > C:\Program Files (x86)\OpenVPN\bin\libeay32.dll
> > > 
> > > And after finishing the installation windows "Program Compatibility 
> > > Assistant" pops up,
> > > and asks if the program installed correctly, or if I wanted to "Reinstall 
> > > using recommended settings".
> > > 
> > > http://pasik.reaktio.net/openvpn212-setup-might-not-have-installed-correctly.jpg
> > > 
> > > I chose it installed OK and then rebooted the machine.
> > > 
> > > After reboot I noticed the TAP network device is missing from Windows,
> > > and thus openvpn connections cannot be started..
> > > 
> > > Running the "Add a new TAP virtual ethernet adapter" doesn't seem to work 
> > > either..
> > > 
> > 
> > And here's a screenshot of the failing tapinstall.exe:
> > http://pasik.reaktio.net/openvpn212-tapinstall-failed.jpg
> > 
> 
> Any tips how to troubleshoot this? 
>

I just verified: openvpn 2.1.1 installs and works without problems on this win7 
(x64) laptop.

no matter what I try openvpn 2.1.2 doesn't create the tap device..

I tried running the addtap.bat in various compatibility modes
but it just doesn't add the tap interface to windows..

executing addtap.bat with "run as administrator" makes it say it installs ok,
but in reality the tap interface is NOT added to windows.

-- Pasi




Re: [Openvpn-devel] OpenVPN version 2.1.2 released / tapinstall.exe fails

2010-08-17 Thread Pasi Kärkkäinen
On Mon, Aug 16, 2010 at 04:34:54PM +0300, Pasi Kärkkäinen wrote:
> On Mon, Aug 16, 2010 at 04:29:17PM +0300, Pasi Kärkkäinen wrote:
> > 
> > Hello,
> > 
> > When running the openvpn 2.1.2 installer on Windows 7 (x64) I noticed this 
> > error:
> > http://pasik.reaktio.net/openvpn212-setup-error-opening-file-for-writing.jpg
> > 
> > ie. the installer cannot overwrite the existing files from openvpn 2.1.1 
> > installation.
> > I get that error for the following files:
> > 
> > C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe
> > C:\Program Files (x86)\OpenVPN\bin\libeay32.dll
> > 
> > And after finishing the installation windows "Program Compatibility 
> > Assistant" pops up,
> > and asks if the program installed correctly, or if I wanted to "Reinstall 
> > using recommended settings".
> > 
> > http://pasik.reaktio.net/openvpn212-setup-might-not-have-installed-correctly.jpg
> > 
> > I chose it installed OK and then rebooted the machine.
> > 
> > After reboot I noticed the TAP network device is missing from Windows,
> > and thus openvpn connections cannot be started..
> > 
> > Running the "Add a new TAP virtual ethernet adapter" doesn't seem to work 
> > either..
> > 
> 
> And here's a screenshot of the failing tapinstall.exe:
> http://pasik.reaktio.net/openvpn212-tapinstall-failed.jpg
> 

Any tips how to troubleshoot this? 

-- Pasi


> 
> > 
> > 
> > On Sun, Aug 15, 2010 at 04:27:06PM -0600, James Yonan wrote:
> > > 2010.08.09 -- Version 2.1.2
> > > 
> > > * Windows security issue:
> > >   Fixed potential local privilege escalation vulnerability in
> > >   Windows service. The Windows service did not properly quote the
> > >   executable filename passed to CreateService.  A local attacker
> > >   with write access to the root directory C:\ could create an
> > >   executable that would be run with the same privilege level as
> > >   the OpenVPN Windows service.  However, since non-Administrative
> > >   users normally lack write permission on C:\, this vulnerability
> > >   is generally not exploitable except on older versions of Windows
> > >   (such as Win2K) where the default permissions on C:\ would allow
> > >   any user to create files there.
> > >   Credit:  Scott Laurie, MWR InfoSecurity
> > >
> > > * Added Python-based alternative build system for Windows using
> > >   Visual Studio 2008 (in win directory).
> > >
> > > * When aborting in a non-graceful way, try to execute do_close_tun in
> > >   init.c prior to daemon exit to ensure that the tun/tap interface is
> > >   closed and any added routes are deleted.
> > >
> > > * Fixed an issue where AUTH_FAILED was not being properly delivered
> > >   to the client when a bad password is given for mid-session reauth,
> > >   causing the connection to fail without an error indication.
> > >
> > > * Don't advance to the next connection profile on AUTH_FAILED errors.
> > >
> > > * Fixed an issue in the Management Interface that could cause
> > >   a process hang with 100% CPU utilization in --management-client
> > >   mode if the management interface client disconnected at the
> > >   point where credentials are queried.
> > >
> > > * Fixed an issue where if reneg-sec was set to 0 on the client,
> > >   so that the server-side value would take precedence,
> > >   the auth_deferred_expire_window function would incorrectly
> > >   return a window period of 0 seconds.  In this case, the
> > >   correct window period should be the handshake window
> > >   period.
> > >
> > > * Modified ">PASSWORD:Verification Failed" management interface
> > >   notification to include a client reason string:
> > >
> > >     >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']
> > >
> > > * Enable exponential backoff in reliability layer
> > >   retransmits.
> > >
> > > * Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after
> > >   socket is created rather than waiting until after connect/listen.
> > >
> > > * Management interface performance optimizations:
> > >
> > >   1. Added env-filter MI command to perform filtering on env vars
> > >      passed through as a part of --management-client-auth
> > >
> > >   2. man_write will now try to aggregate output into larger blocks
> > >      (up to 1024 bytes) for more efficient i/o
> > >
> > > * Fixed minor issue in Windows TAP driver DEBUG builds
> > >   where non-null-terminated unicode strings were being
> > >   printed incorrectly.
> > >
> > > * Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support
> > >   was not being compiled in.
> > >
> > > * Proxy improvements:
> > >
> > >   Improved the ability of http-auth "auto" flag to dynamically detect
> > >   the auth method required by the proxy.
> > >
> > >   Added http-auth "auto-nct" flag to reject weak proxy auth methods.
> > >
> > >   Added HTTP proxy digest authentication method.
> > >
> > >   Removed extraneous openvpn_sleep calls from proxy.c.
> > > 
> > > * 

Re: [Openvpn-devel] OpenVPN version 2.1.2 released

2010-08-16 Thread Pasi Kärkkäinen
On Mon, Aug 16, 2010 at 04:29:17PM +0300, Pasi Kärkkäinen wrote:
> 
> Hello,
> 
> When running the openvpn 2.1.2 installer on Windows 7 (x64) I noticed this 
> error:
> http://pasik.reaktio.net/openvpn212-setup-error-opening-file-for-writing.jpg
> 
> ie. the installer cannot overwrite the existing files from openvpn 2.1.1 
> installation.
> I get that error for the following files:
> 
> C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe
> C:\Program Files (x86)\OpenVPN\bin\libeay32.dll
> 
> And after finishing the installation windows "Program Compatibility 
> Assistant" pops up,
> and asks if the program installed correctly, or if I wanted to "Reinstall 
> using recommended settings".
> 
> http://pasik.reaktio.net/openvpn212-setup-might-not-have-installed-correctly.jpg
> 
> I chose it installed OK and then rebooted the machine.
> 
> After reboot I noticed the TAP network device is missing from Windows,
> and thus openvpn connections cannot be started..
> 
> Running the "Add a new TAP virtual ethernet adapter" doesn't seem to work 
> either..
> 

And here's a screenshot of the failing tapinstall.exe:
http://pasik.reaktio.net/openvpn212-tapinstall-failed.jpg

-- Pasi

> 
> 
> On Sun, Aug 15, 2010 at 04:27:06PM -0600, James Yonan wrote:
> > 2010.08.09 -- Version 2.1.2
> > 
> > * Windows security issue:
> >   Fixed potential local privilege escalation vulnerability in
> >   Windows service. The Windows service did not properly quote the
> >   executable filename passed to CreateService.  A local attacker
> >   with write access to the root directory C:\ could create an
> >   executable that would be run with the same privilege level as
> >   the OpenVPN Windows service.  However, since non-Administrative
> >   users normally lack write permission on C:\, this vulnerability
> >   is generally not exploitable except on older versions of Windows
> >   (such as Win2K) where the default permissions on C:\ would allow
> >   any user to create files there.
> >   Credit:  Scott Laurie, MWR InfoSecurity
> >
> > * Added Python-based alternative build system for Windows using
> >   Visual Studio 2008 (in win directory).
> >
> > * When aborting in a non-graceful way, try to execute do_close_tun in
> >   init.c prior to daemon exit to ensure that the tun/tap interface is
> >   closed and any added routes are deleted.
> >
> > * Fixed an issue where AUTH_FAILED was not being properly delivered
> >   to the client when a bad password is given for mid-session reauth,
> >   causing the connection to fail without an error indication.
> >
> > * Don't advance to the next connection profile on AUTH_FAILED errors.
> >
> > * Fixed an issue in the Management Interface that could cause
> >   a process hang with 100% CPU utilization in --management-client
> >   mode if the management interface client disconnected at the
> >   point where credentials are queried.
> >
> > * Fixed an issue where if reneg-sec was set to 0 on the client,
> >   so that the server-side value would take precedence,
> >   the auth_deferred_expire_window function would incorrectly
> >   return a window period of 0 seconds.  In this case, the
> >   correct window period should be the handshake window
> >   period.
> >
> > * Modified ">PASSWORD:Verification Failed" management interface
> >   notification to include a client reason string:
> >
> >     >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']
> >
> > * Enable exponential backoff in reliability layer
> >   retransmits.
> >
> > * Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after
> >   socket is created rather than waiting until after connect/listen.
> >
> > * Management interface performance optimizations:
> >
> >   1. Added env-filter MI command to perform filtering on env vars
> >      passed through as a part of --management-client-auth
> >
> >   2. man_write will now try to aggregate output into larger blocks
> >      (up to 1024 bytes) for more efficient i/o
> >
> > * Fixed minor issue in Windows TAP driver DEBUG builds
> >   where non-null-terminated unicode strings were being
> >   printed incorrectly.
> >
> > * Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support
> >   was not being compiled in.
> >
> > * Proxy improvements:
> >
> >   Improved the ability of http-auth "auto" flag to dynamically detect
> >   the auth method required by the proxy.
> >
> >   Added http-auth "auto-nct" flag to reject weak proxy auth methods.
> >
> >   Added HTTP proxy digest authentication method.
> >
> >   Removed extraneous openvpn_sleep calls from proxy.c.
> >
> > * Implemented http-proxy-override and http-proxy-fallback directives to make it
> >   easier for OpenVPN client UIs to start a pre-existing client config file with
> >   proxy options, or to adaptively fall back to a proxy connection if a direct
> >   connection fails.
> > 
> > * Implemented a key/value auth channel from client 

Re: [Openvpn-devel] OpenVPN version 2.1.2 released

2010-08-16 Thread Pasi Kärkkäinen

Hello,

When running the openvpn 2.1.2 installer on Windows 7 (x64) I noticed this 
error:
http://pasik.reaktio.net/openvpn212-setup-error-opening-file-for-writing.jpg

ie. the installer cannot overwrite the existing files from openvpn 2.1.1 
installation.
I get that error for the following files:

C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe
C:\Program Files (x86)\OpenVPN\bin\libeay32.dll

And after finishing the installation windows "Program Compatibility Assistant" 
pops up,
and asks if the program installed correctly, or if I wanted to "Reinstall using 
recommended settings".

http://pasik.reaktio.net/openvpn212-setup-might-not-have-installed-correctly.jpg

I chose it installed OK and then rebooted the machine.

After reboot I noticed the TAP network device is missing from Windows,
and thus openvpn connections cannot be started..

Running the "Add a new TAP virtual ethernet adapter" doesn't seem to work 
either..

-- Pasi


On Sun, Aug 15, 2010 at 04:27:06PM -0600, James Yonan wrote:
> 2010.08.09 -- Version 2.1.2
> 
> * Windows security issue:
>   Fixed potential local privilege escalation vulnerability in
>   Windows service. The Windows service did not properly quote the
>   executable filename passed to CreateService.  A local attacker
>   with write access to the root directory C:\ could create an
>   executable that would be run with the same privilege level as
>   the OpenVPN Windows service.  However, since non-Administrative
>   users normally lack write permission on C:\, this vulnerability
>   is generally not exploitable except on older versions of Windows
>   (such as Win2K) where the default permissions on C:\ would allow
>   any user to create files there.
>   Credit:  Scott Laurie, MWR InfoSecurity
>
> * Added Python-based alternative build system for Windows using
>   Visual Studio 2008 (in win directory).
>
> * When aborting in a non-graceful way, try to execute do_close_tun in
>   init.c prior to daemon exit to ensure that the tun/tap interface is
>   closed and any added routes are deleted.
>
> * Fixed an issue where AUTH_FAILED was not being properly delivered
>   to the client when a bad password is given for mid-session reauth,
>   causing the connection to fail without an error indication.
>
> * Don't advance to the next connection profile on AUTH_FAILED errors.
>
> * Fixed an issue in the Management Interface that could cause
>   a process hang with 100% CPU utilization in --management-client
>   mode if the management interface client disconnected at the
>   point where credentials are queried.
>
> * Fixed an issue where if reneg-sec was set to 0 on the client,
>   so that the server-side value would take precedence,
>   the auth_deferred_expire_window function would incorrectly
>   return a window period of 0 seconds.  In this case, the
>   correct window period should be the handshake window
>   period.
>
> * Modified ">PASSWORD:Verification Failed" management interface
>   notification to include a client reason string:
>
>     >PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']
>
> * Enable exponential backoff in reliability layer
>   retransmits.
>
> * Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after
>   socket is created rather than waiting until after connect/listen.
>
> * Management interface performance optimizations:
>
>   1. Added env-filter MI command to perform filtering on env vars
>      passed through as a part of --management-client-auth
>
>   2. man_write will now try to aggregate output into larger blocks
>      (up to 1024 bytes) for more efficient i/o
>
> * Fixed minor issue in Windows TAP driver DEBUG builds
>   where non-null-terminated unicode strings were being
>   printed incorrectly.
>
> * Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support
>   was not being compiled in.
>
> * Proxy improvements:
>
>   Improved the ability of http-auth "auto" flag to dynamically detect
>   the auth method required by the proxy.
>
>   Added http-auth "auto-nct" flag to reject weak proxy auth methods.
>
>   Added HTTP proxy digest authentication method.
>
>   Removed extraneous openvpn_sleep calls from proxy.c.
>
> * Implemented http-proxy-override and http-proxy-fallback directives to make it
>   easier for OpenVPN client UIs to start a pre-existing client config file with
>   proxy options, or to adaptively fall back to a proxy connection if a direct
>   connection fails.
>
> * Implemented a key/value auth channel from client to server.
>
> * Fixed issue where bad creds provided by the management interface
>   for HTTP Proxy Basic Authentication would go into an infinite
>   retry-fail loop instead of requerying the management interface for
>   new creds.
>
> * Added support for MSVC debugging of openvpn.exe in settings.in:
>
>   # Build debugging version of openvpn.exe
>   !define PRODUCT_OPENVPN_DEBUG
> 
> * Implemented
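
The "Windows security issue" entry in the 2.1.2 changelog quoted above concerns an executable filename passed to CreateService without quotes. As an added example (not part of this thread and not OpenVPN's code), the following audits service ImagePath strings for that condition and reports which directories' write permissions matter. The service names and the `service.exe` file name are constructed; only the install directory is taken from the thread.

```python
"""Audit Windows service ImagePath strings for unquoted paths with spaces.

Added example: the service names and file names below are constructed samples.
"""
import ntpath
import re

# In an unquoted command line, the first executable-looking token ends the path.
EXE_RE = re.compile(r"\.(exe|com|bat|cmd)\b", re.IGNORECASE)


def split_image_path(image_path):
    """Return (executable, arguments, quoted) for a service command line."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end != -1:
            return s[1:end], s[end + 1:].strip(), True
    m = EXE_RE.search(s)
    if m:
        return s[:m.end()], s[m.end():].strip(), False
    return s, "", False


def dirs_to_protect(exe):
    """Directories in which a path cut short at a space would be looked up.

    Windows resolves an unquoted path by trying each space-delimited prefix,
    so these directories must not be writable by unprivileged users.
    """
    dirs = []
    for i, ch in enumerate(exe):
        if ch == " ":
            parent = ntpath.dirname(exe[:i])
            if parent not in dirs:
                dirs.append(parent)
    return dirs


def audit(services):
    """Return one finding per service whose executable path is ambiguous."""
    findings = []
    for name, image_path in services.items():
        exe, args, quoted = split_image_path(image_path)
        if quoted or " " not in exe:
            continue  # quoted, or no space to misparse
        findings.append({
            "service": name,
            "check_acl_on": dirs_to_protect(exe),
            "quoted_form": f'"{exe}"' + (f" {args}" if args else ""),
        })
    return findings


# Constructed sample input: service name -> ImagePath value.
SAMPLE = {
    "ExampleVpnService": r"C:\Program Files (x86)\OpenVPN\bin\service.exe",
    "ExampleQuoted": r'"C:\Program Files (x86)\OpenVPN\bin\service.exe"',
    "ExampleNoSpaces": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "ExampleArgs": r"C:\Tools\My Service\svc.exe --run",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

For the install directory reported in this thread, the only directory flagged is `C:\`, which matches the changelog's statement that exploitation requires write access to the root directory.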