Re: [Openvpn-users] Bypassing censorship devices

[Stella Ashburne via Openvpn-users]

Hi

> Sent: Wednesday, December 13, 2023 at 2:42 AM
> From: "Peter Davis" 
> To: "Stella Ashburne" 
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] Bypassing censorship devices
>
>
>
> Hello,
> Tor and all its modes like meek and snowflake are blocked, even bridges are 
> blocked because you can easily find a list of bridges.
> Is it possible to hide OpenVPN in something like ICMP, DNS or SSH?
>
I don't know where you got the information from but my European friends living 
in China are able to use meek and snowflake to correspond securely.

There are many types of Tor bridges and not all of them are made public.

I suggest that you surf to https://tb-manual.torproject.org/zh-CN/ to read more 
about what Tor Browser can and can't do for you.

There are many talented IT people in China who are able to help you build 
secure VPN tunnels that bypass deep packet inspection and are undetectable by 
Chinese government machinery. They mostly offer their services on Weibo or 
WeChat and some of them work for the Chinese authorities in charge of 
censorship. There's no free lunch in this world and you are expected to pay for 
their service.

This will be my final reply to you on this topic.

Good luck!

Stella




___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] Bypassing censorship devices

[Stella Ashburne via Openvpn-users]

Hi Peter 

>Sent: Tuesday, December 12, 2023 at 2:03 PM
>From: "Peter Davis via Openvpn-users" 
>To: "Tincantech via Openvpn-users" 
>Subject: [Openvpn-users] Bypassing censorship devices
>
>Hello,
>How to use OpenVPN in a country that uses internet censorship devices to block 
>VPN services? Is there a way to hide OpenVPN or make it look like a normal 
>internet connection?

You might like to surf to https://airvpn.org/, register an account for free and 
ask for a free trial.

Even if you aren't a subscriber of its services, you can still post your 
questions in its various sub-forums (URL: https://airvpn.org/forums/)

If you're unable to reach AirVPN using the above URL, you can use one of the 
following:

(1) airvpn.info
(2) airvpn.eu
(3) Onion address: 
https://airvpn3epnw2fnsbx5x2ppzjs6vxtdarldas7wjyqvhscj7x43fxylqd.onion/

The second VPN vendor that you might like to try is Mullvad which is based in 
Sweden (also one of the "14 Eyes" alliance). If you use Mullvad's proprietary 
app, you may wish to connect to its servers in Japan or the USA. Again my 
friends in China have reported very good download speeds when connecting to its 
servers in Japan and the USA.

Note #1:

You must use Tor Brower with onion addresses. (If you're in a country that 
blocks Tor, you can make use of Tor Browser's built-in features such as meek or 
snowflake to bypass host governments' censorship of Tor. Or simply ask Tor 
Browser to give you a private bridge to allow you to access Tor. My friends in 
China have no problems with using Tor Browser to access the internet using 
meek, snowflake or private bridges.)

Note #2:

I am not an employee of AirVPN (one of the "14 Eyes" alliance.)

Besides AirVPN, I have tried other VPN providers/vendors as have **my friends 
in China**. They told me that AirVPN works best because you are able to use 
OpenVPN over SSL or SSH (cf. 
https://airvpn.org/forums/topic/9149-how-to-use-advanced-airvpn-services-and-features/
 and read the sub-section in which it mentions OpenVPN over SSL or SSH.)

Note #3:

My friends in China are not ethnic Chinese but Caucasians and non-Chinese 
nationals of Western countries.

Note #4 (very important note)

Using a VPN service provided by a VPN provider/vendor that isn't approved by 
the Chinese government is illegal and if you're caught, you may face severe 
punitive punishments, including jail time. So far no foreigner of a Western 
country has been caught and punished for violating this Chinese law as 
otherwise Reuters, AFP, etc. would have reported it.

Best wishes.

Stella

P.S.: If you can, avoid posting to this mailing list using HTML format. The 
traditional format for posting to mailing lists is plain text such as this 
reply of mine. Many years ago posts that were in HTML format would be 
automatically rejected or bounced by mailing lists' providers.



___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] Bypassing censorship devices

[Stella Ashburne via Openvpn-users]

Attention: Peter Davis

Hi Peter 

>Sent: Tuesday, December 12, 2023 at 3:15 PM
>From: "Hans via Openvpn-users" 
>To: peter.davis1...@proton.me, openvpn-users@lists.sourceforge.net
>Subject: Re: [Openvpn-users] Bypassing censorship devices
>
>
>
>>From: "Peter Davis via Openvpn-users" 
>>mailto:openvpn-users@lists.sourceforge.net]>
>>Date: Tuesday, 12 December 2023 at 07:08:08
>>To: "Tincantech via Openvpn-users" 
>>mailto:openvpn-users@lists.sourceforge.net]>
>>Subject: [Openvpn-users] Bypassing censorship devices 
>>Hello,
>>How to use OpenVPN in a country that uses internet censorship devices to 
>>block VPN services? Is there a way to hide OpenVPN or make it look like a 
>>normal internet connection?
>
> 
>Besides that, one might also need to use onion routing (TOR), to hide your 
>destination. (VPN-end-point)

I guess Han was referring to cascading (or double-hopping) Tor and a VPN node, 
something like this: your device --> Tor --> VPN node --> internet.

Please don't try the above method if you are in country in which there is heavy 
censorship of the internet. Do NOT try it in China; it will fail not because of 
the method but because of you. You'll find it unbearably slow to use the 
internet that you'll give up easily.

Best wishes.

Stella

P.S.: If you can, avoid posting to this mailing list using HTML format. The 
traditional format for posting to mailing lists is plain text such as this 
reply of mine. Many years ago posts that were in HTML format would be 
automatically rejected or bounced by mailing lists' providers.


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] Request: A *.deb package for OpenVPN 2.5.9 on Debian 12/Bookworm

[Stella Ashburne]

Hi Gert

> Sent: Saturday, June 24, 2023 at 3:55 PM
> From: "Gert Doering" 
> To: "Stella Ashburne" 
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] Request: A *.deb package for OpenVPN 2.5.9 on 
> Debian 12/Bookworm
>
>
> I'm aware of that, I maintain that file :-) - for Linux users, there is
> nothing really interesting in 2.6.3 -> 2.6.4.  The bugs fixed in 2.6.4
> affect Windows, MacOS/pkcs#11 and Android users.


Sorry, could you be a bit more specific? By "file" did you mean "package"? To 
the best of my knowledge, the package called "openvpn 2.6.3-1" is maintained by 
Bernhard Schmidt. Your name is not listed on the page referenced by 
https://metadata.ftp-master.debian.org/changelogs//main/o/openvpn/openvpn_2.6.3-1_changelog

> There *is* a mem leak in 2.6.4 -> 2.6.5, and I assume that Debian is
> picking up this bugfix and will do a fixed 2.6.3 re-release - by debian
> policy, they will normally not upgrade to fully new versions within a
> release, just pick relevant bugfixes and release updated packages.

Thanks for letting me know there is a mem leak in 2.6.4.

By the way, 2.6.5 was released on 13 June 2023 and till now, Debian's 
maintainer, Bernhard Schmidt, has not released said bugfix yet. Fortunately 
OpenVPN's own maintainer released 2.6.5 for Debian 12. The URL is: 
https://build.openvpn.net/debian/openvpn/release/2.6/pool/bookworm/main/o/openvpn/


> This is an interesting statement - we intentionally tried to release
> frequently, so bug fixes (that are inevitably found when doing a new
> release with new features) can be distributed quickly.
>
As you have clarified why OpenVPN releases bugfixes more frequently now, I 
would prefer more frequent bugfixes. Thank you and thanks to OpenVPN developers.

> So would you trust us more if we only did a 2.6.1 release after 5 months,
> containing all the bugfixes found, instead of 5 release, each with just
> a few commits?

No, based on your clarification, I would prefer more frequent bugfixes.

>
> "most commercial VPN service providers" just suck big time at code
> maintenance, and talking to OpenVPN upstream - they hack extra features
> into OpenVPN, sometimes breaking the protocol in incompatible ways, and
> most of them never nother to actually speak to us to ensure best results
> for their customers... and then we get to deal with the bug reports.

I totally empathize with you on this point.

I have a suggestion: If you have some time to spare, you might like to list and 
elaborate with examples

(a) on the aspects of good code maintenance;
(b) the extra features that you claim that OpenVPN providers use and as a 
result break the protocols

Your write-up could be placed in a dedicated page under openvpn.net
>
>
> But all this said - providing packages for Debian 12 needs resources on
> the side of the OpenVPN project (read: Frank needs to do that).  Since we
> think 2.6.x is better than 2.5.x, and Debian thinks that 2.6.x is stable
> enough to include into bookworm, we think this is human life time better
> spent elsewhere.  Like, on improving OpenVPN.
>
Thanks, Gert, for your explanation.

Stella

P.S.: I am just curious and if you have time, could you explain why Bernhard 
Schmidt's name is listed as the maintainer of 2.6.5-bookworm0? When it is 
obvious to everyone that Frank or Samuli, on behalf of OpenVPN Inc., is the 
real maintainer (in the sense of expending time and effort on creating 
2.6.5-bookworm0.) Bernhard's name is listed in the file called Packages 
(https://build.openvpn.net/debian/openvpn/release/2.6/dists/bookworm-20230613112628209348061/main/binary-amd64/Packages)



___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] Request: A *.deb package for OpenVPN 2.5.9 on Debian 12/Bookworm

[Stella Ashburne]

Hi Gert

> Sent: Saturday, June 24, 2023 at 3:58 PM
> From: "Gert Doering" 
> To: "Stella Ashburne" 
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] Request: A *.deb package for OpenVPN 2.5.9 on 
> Debian 12/Bookworm
>
>
> So if you do not trust DCO, just turn it off, and
> OpenVPN 2.6 will use literally the same code for data channel as 2.5
>
Maybe a year or so from now when DCO has undergone more tests or security 
vulnerabilities found and VPN service providers recommend or implement it, only 
then I will use it.

At the time of writing this email, DCO is still in its infancy.

Best regards.

Stella


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] Request: A *.deb package for OpenVPN 2.5.9 on Debian 12/Bookworm

[Stella Ashburne]

Hello Gert

> Sent: Friday, June 23, 2023 at 2:09 PM
> From: "Gert Doering" 
> To: "Stella Ashburne" 
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] Request: A *.deb package for OpenVPN 2.5.9 on 
> Debian 12/Bookworm
>
>
> Why would you want that, when bookworm ships with OpenVPN 2.6.2?
>
> gert

I just checked and found that Debian Bookworm's version of OpenVPN is 2.6.3-1. 
It is not yet updated to 2.6.4 (According to 
https://github.com/OpenVPN/openvpn/blob/v2.6.4/Changes.rst, version 2.6.4 
provides some fixes to bugs discovered in 2.6.3)

Secondly, I find that the pace with which the minor versions of 2.6 series is 
released to be too fast. It just takes about five months for 2.6.0 to reach 
2.6.5. OpenVPN is a privacy-focused software and I fear there is insufficient 
time to uncover bugs and security vulnerabilities. I know there is this novel 
technology called DCO (data channel offload). Without enough time for it to 
prove itself that it is safe and secure for us to use, we end-users might 
unwittingly offload our sensitive data to the channels operated by 
state-sponsored hackers and cyber criminals. When this happens, DCO would 
become the butt of jokes among OpenVPN users.

Let's compare the length of time taken to release 2.5.9 to that of version 
2.6.5.

Version 2.5.0 was released on 28 October 2020 and the final version 2.5.9 was 
released about two years and four months later. There was sufficient time for 
bugs and security vulnerabilities to be uncovered and patched.

Thirdly, most commercial VPN service providers might not be keen to upgrade 
their OpenVPN versions to the 2.6 series due to stability concerns and the 
impact of the latter on their businesses.

Best regards.

Stella







___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

[Openvpn-users] Request: A *.deb package for OpenVPN 2.5.9 on Debian 12/Bookworm

[Stella Ashburne]

Hi Frank.

Firstly I wish to thank you and all the people involved in the OpenVPN project 
for making available OpenVPN 2.5.9 to us.

Secondly, I have surfed to 
https://build.openvpn.net/debian/openvpn/release/2.5/pool/ and could not find 
version 2.5.9 for Debian 12/Bookworm.

Would it be possible for you to build a *.deb package (version 2.5.9) for 
Debian Bookworm please?

Thank you and best regards.

Stella


> Sent: Thursday, February 16, 2023 at 8:50 PM
> From: "Frank Lichtenheld" 
> To: openvpn-de...@lists.sourceforge.net, openvpn-users@lists.sourceforge.net, 
> openvpn-annou...@lists.sourceforge.net
> Subject: [Openvpn-users] OpenVPN 2.5.9 released
>
> The OpenVPN community project team is proud to release OpenVPN 2.5.9. This is
> a small bugfix release.
>
> The Windows MSI installers are now built against OpenSSL 1.1.1t which contains
> several security fixes.
>
> List of changes in OpenVPN:
>
> 
>
> Source code and Windows installers can be downloaded from our download page:
>
> 
>
> Debian and Ubuntu packages are available in the official apt repositories:
>
> 
>
> On Red Hat derivatives we recommend using the Fedora Copr repository.
>
> 
>
> Regards,
> --
>   Frank Lichtenheld
>
>
> ___
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

[Openvpn-users] What are these three *.deb packages and how do I use them? They are for version 2.6.5 and Debian 12/Bookworm

[Stella Ashburne]

Hi guys,

Firstly, I wish to thank you for giving us OpenVPN 2.6.5.

Secondly I have a few questions about the *.deb packages for Debian 12 
(bookworm). They are:

(A) After navigating to /debian/openvpn/release/2.6/pool/bookworm/main/o/, I 
found three packages. They are:

openvpn-dbgsym_2.6.5-bookworm0_amd64.deb

openvpn_2.6.5-bookworm0_amd64.deb

openvpn-dco-dkms_0.2.20230426-bookworm0_all.deb

(B) What are the differences between them?

(C) What do *dbgsym* and *dkms* stand for? I suppose *dco* stands for Data 
Channel Offload.

(D) I guess openvpn_2.6.5-bookworm0_amd64.deb uses the "normal" way of 
installing it on Debian. But do openvpn-dbgsym_2.6.5-bookworm0_amd64.deb and 
openvpn-dco-dkms_0.2.20230426-bookworm0_all.deb require additional packages 
from Debian's official repos?

(E) Does my VPN service provider/vendor need to install 
openvpn-dbgsym_2.6.5-bookworm0_amd64.deb and 
openvpn-dco-dkms_0.2.20230426-bookworm0_all.deb on their VPN servers in order 
to make full use of the new functionalities that OpenVPN 2.6.5 provides?

I look forward to hearing from you soon.

Best regards.

Stella


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] OpenVPN 2.5.9 released

[Stella Ashburne]

Hi Frank

> Sent: Thursday, February 16, 2023 at 8:50 PM
> From: "Frank Lichtenheld" 
> To: openvpn-de...@lists.sourceforge.net, openvpn-users@lists.sourceforge.net, 
> openvpn-annou...@lists.sourceforge.net
> Subject: [Openvpn-users] OpenVPN 2.5.9 released
>
> The OpenVPN community project team is proud to release OpenVPN 2.5.9. This is
> a small bugfix release.
> 

I was pleasantly surprised to receive this announcement of yours.

When OpenVPN 2.6.0 Community Edition was released a few weeks ago, I thought 
that the developers had decided to skip version 2.5.9!

For your information, I shall use version 2.6.0 on Microsoft Windows 11 and 
version 2.5.9 on Debian 11.6.0. The Linux DCO package for Debian is available 
only for the Testing branch (a.k.a. the future Debian 12). I noticed that the 
official repositories of Fedora 37 do not have the Linux DCO package as well.

As always, I wish to thank the developers, Samuli and you for the generosity 
and effort in bringing about this fine release.

Best regards.

Stella

P.S.: Thanks for updating the page at 
https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos.


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

[Openvpn-users] OpenVPN-GUI 11.36.0: There might be a bug

[Stella Ashburne]

Hi,

I have three config directories/folders, each from a different VPN provider. 
They are all in C:\Program Files\OpenVPN

Let's call the three config folders config-1, config-2 and config-3

The default config folder is simply called config

After renaming one of them to config, I notice that the names from the other 
config folders remain in "System Profiles".

In order to remove these other names, I need to uninstall OpenVPN and reinstall 
it. Only then will these other names disappear.

This is a bug, isn't it?

Best regards.

Stella

P.S.: I am using OpenVPN-2.6.0-I004-amd64.msi


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] OpenVPN-2.6.0-I004-amd64.msi still fails to work on Microsoft Windows 11 if opvpn-dco is enabled

[Stella Ashburne]

> Sent: Friday, February 10, 2023 at 5:18 AM
> From: "Gert Doering" 
> To: "Stella Ashburne" 
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] OpenVPN-2.6.0-I004-amd64.msi still fails to work 
> on Microsoft Windows 11 if opvpn-dco is enabled
>
> Hi,
> 
Hi Gert
> 
> "dco on Linux".
> 
> Unless you install and load the Linux DCO module, there won't be DCO,
> so it's not the situation Lev was talking about.

I didn't know that. Thanks for your explanation.

By the way, I am using Debian 11.6.0 and openvpn-dco-dkms (0.0+git20230125-1) 
isn't available for Debian Bullseye.

Best regards.

Stella



___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] OpenVPN-2.6.0-I004-amd64.msi still fails to work on Microsoft Windows 11 if opvpn-dco is enabled

[Stella Ashburne]

> Sent: Friday, February 10, 2023 at 5:23 AM
> From: "Gert Doering" 
> To: "Stella Ashburne" 
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] OpenVPN-2.6.0-I004-amd64.msi still fails to work 
> on Microsoft Windows 11 if opvpn-dco is enabled
>
> Hi,
> 
Hi Gert

> 
> It does, and it matters a lot.  Mullvad breaks the OpenVPN protocol
> with their server configs (they should never ever push "comp-lzo" 
> settings to a client that is not signalling it's willingness to accept
> them).
> 
Thanks for your explanation.

> This is a common theme: VPN providers not understanding the evolution
> in the OpenVPN world and doing things that might have made sense 5-10
> years ago, but are no longer the correct thing to do - and of course,
> not testing new OpenVPN client releases, and never talking to us.  Different
> providers do *different* things in wrong ways, so knowing which provider
> you have problems with is very important to us so we can reproduce,
> understand and fix the problem.

Again, thanks for your explanation.
 
> Otherwise, talk to the VPN
> vendor you are paying for, and ask them why it's not working with them
> 
Fair enough. I shall ask my VPN vendor/provider why it doesn't implement 
opvn-dco.

Best regards.

Stella


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

[Openvpn-users] Is Data Channel Offload REALLY THAT awesome? A very privacy-centered VPN vendor/provider turns off ovpn-dco

[Stella Ashburne]

Microsoft Windows 11 build 22621.1194
OpenVPN-2.6.0-I004-amd64.msi

Part 2 of 2

Below are the contents of the config file:

client
dev tun
remote [ip-address-redacted] 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
verb 4
rcvbuf 262144
sndbuf 262144
remote-cert-tls server
comp-lzo no
data-ciphers 
AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC
data-ciphers-fallback AES-256-CBC
proto tcp
auth SHA512


-BEGIN CERTIFICATE-
redacted
-END CERTIFICATE-



-BEGIN CERTIFICATE-
redacted
-END CERTIFICATE-



-BEGIN PRIVATE KEY-
redacted
-END PRIVATE KEY-



-BEGIN OpenVPN Static key V1-
redacted
-END OpenVPN Static key V1-



Below are the contents of the connection log:


2023-02-08 04:25:46 us=50 Note: --data-cipher-fallback with cipher 
'AES-256-CBC' disables data channel offload.
2023-02-08 04:25:46 us=50 Current Parameter Settings:
2023-02-08 04:25:46 us=50   config = 'us.ovpn'
2023-02-08 04:25:46 us=50   mode = 0
2023-02-08 04:25:46 us=50   show_ciphers = DISABLED
2023-02-08 04:25:46 us=50   show_digests = DISABLED
2023-02-08 04:25:46 us=50   show_engines = DISABLED
2023-02-08 04:25:46 us=50   genkey = DISABLED
2023-02-08 04:25:46 us=50   genkey_filename = '[UNDEF]'
2023-02-08 04:25:46 us=50   key_pass_file = '[UNDEF]'
2023-02-08 04:25:46 us=50   show_tls_ciphers = DISABLED
2023-02-08 04:25:46 us=50   connect_retry_max = 0
2023-02-08 04:25:46 us=50 Connection profiles [0]:
2023-02-08 04:25:46 us=50   proto = tcp-client
2023-02-08 04:25:46 us=50   local = '[UNDEF]'
2023-02-08 04:25:46 us=50   local_port = '[UNDEF]'
2023-02-08 04:25:46 us=50   remote = '[ip-address-redacted]'
2023-02-08 04:25:46 us=50   remote_port = '443'
2023-02-08 04:25:46 us=50   remote_float = DISABLED
2023-02-08 04:25:46 us=50   bind_defined = DISABLED
2023-02-08 04:25:46 us=50   bind_local = DISABLED
2023-02-08 04:25:46 us=50   bind_ipv6_only = DISABLED
2023-02-08 04:25:46 us=50   connect_retry_seconds = 1
2023-02-08 04:25:46 us=50   connect_timeout = 120
2023-02-08 04:25:46 us=50   socks_proxy_server = '[UNDEF]'
2023-02-08 04:25:46 us=50   socks_proxy_port = '[UNDEF]'
2023-02-08 04:25:46 us=50   tun_mtu = 1500
2023-02-08 04:25:46 us=50   tun_mtu_defined = ENABLED
2023-02-08 04:25:46 us=50   link_mtu = 1500
2023-02-08 04:25:46 us=50   link_mtu_defined = DISABLED
2023-02-08 04:25:46 us=50   tun_mtu_extra = 0
2023-02-08 04:25:46 us=50   tun_mtu_extra_defined = DISABLED
2023-02-08 04:25:46 us=50   tls_mtu = 1250
2023-02-08 04:25:46 us=50   mtu_discover_type = -1
2023-02-08 04:25:46 us=50   fragment = 0
2023-02-08 04:25:46 us=50   mssfix = 1492
2023-02-08 04:25:46 us=50   mssfix_encap = ENABLED
2023-02-08 04:25:46 us=50   mssfix_fixed = DISABLED
2023-02-08 04:25:46 us=50   explicit_exit_notification = 0
2023-02-08 04:25:46 us=50   tls_auth_file = '[UNDEF]'
2023-02-08 04:25:46 us=50   key_direction = not set
2023-02-08 04:25:46 us=50   tls_crypt_file = '[INLINE]'
2023-02-08 04:25:46 us=50   tls_crypt_v2_file = '[UNDEF]'
2023-02-08 04:25:46 us=50 Connection profiles END
2023-02-08 04:25:46 us=50   remote_random = DISABLED
2023-02-08 04:25:46 us=50   ipchange = '[UNDEF]'
2023-02-08 04:25:46 us=50   dev = 'tun'
2023-02-08 04:25:46 us=50   dev_type = '[UNDEF]'
2023-02-08 04:25:46 us=50   dev_node = '[UNDEF]'
2023-02-08 04:25:46 us=50   tuntap_options.disable_dco = ENABLED
2023-02-08 04:25:46 us=50   lladdr = '[UNDEF]'
2023-02-08 04:25:46 us=50   topology = 1
2023-02-08 04:25:46 us=50   ifconfig_local = '[UNDEF]'
2023-02-08 04:25:46 us=50   ifconfig_remote_netmask = '[UNDEF]'
2023-02-08 04:25:46 us=50   ifconfig_noexec = DISABLED
2023-02-08 04:25:46 us=50   ifconfig_nowarn = DISABLED
2023-02-08 04:25:46 us=50   ifconfig_ipv6_local = '[UNDEF]'
2023-02-08 04:25:46 us=50   ifconfig_ipv6_netbits = 0
2023-02-08 04:25:46 us=50   ifconfig_ipv6_remote = '[UNDEF]'
2023-02-08 04:25:46 us=50   shaper = 0
2023-02-08 04:25:46 us=50   mtu_test = 0
2023-02-08 04:25:46 us=50   mlock = DISABLED
2023-02-08 04:25:46 us=50   keepalive_ping = 0
2023-02-08 04:25:46 us=50   keepalive_timeout = 0
2023-02-08 04:25:46 us=50   inactivity_timeout = 0
2023-02-08 04:25:46 us=50   session_timeout = 0
2023-02-08 04:25:46 us=50   inactivity_minimum_bytes = 0
2023-02-08 04:25:46 us=50   ping_send_timeout = 0
2023-02-08 04:25:46 us=50   ping_rec_timeout = 0
2023-02-08 04:25:46 us=50   ping_rec_timeout_action = 0
2023-02-08 04:25:46 us=50   ping_timer_remote = DISABLED
2023-02-08 04:25:46 us=50   remap_sigusr1 = 0
2023-02-08 04:25:46 us=50   persist_tun = ENABLED
2023-02-08 04:25:46 us=50   persist_local_ip = DISABLED
2023-02-08 04:25:46 us=50   persist_remote_ip = DISABLED

[Openvpn-users] Is Data Channel Offload REALLY THAT awesome? A very privacy-centered VPN vendors turns off ovpn-dco

[Stella Ashburne]

Microsoft Windows 11 build 22621.1194
OpenVPN-2.6.0-I004-amd64.msi

Part 1 of 2

Below are the contents of the config file:

client
dev tun
remote [ip-address-redacted] 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
verb 4
rcvbuf 262144
sndbuf 262144
remote-cert-tls server
comp-lzo no
data-ciphers 
AES-256-GCM:AES-256-CBC:AES-192-GCM:AES-192-CBC:AES-128-GCM:AES-128-CBC
#data-ciphers-fallback AES-256-CBC
proto tcp
auth SHA512


-BEGIN CERTIFICATE-
[redacted]
-END CERTIFICATE-



-BEGIN CERTIFICATE-
[redacted]
-END CERTIFICATE-



-BEGIN PRIVATE KEY-
[redacted]
-END PRIVATE KEY-



-BEGIN OpenVPN Static key V1-
[redacted]
-END OpenVPN Static key V1-




Below are the contents of connection log file:


2023-02-08 04:21:36 us=625000 Note: --cipher is not set. OpenVPN versions 
before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in 
this case. If you need this fallback please add '--data-ciphers-fallback 
BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-02-08 04:21:36 us=625000 Note: '--allow-compression' is not set to 'no', 
disabling data channel offload.
2023-02-08 04:21:36 us=625000 Current Parameter Settings:
2023-02-08 04:21:36 us=625000   config = 'us.ovpn'
2023-02-08 04:21:36 us=625000   mode = 0
2023-02-08 04:21:36 us=625000   show_ciphers = DISABLED
2023-02-08 04:21:36 us=625000   show_digests = DISABLED
2023-02-08 04:21:36 us=625000   show_engines = DISABLED
2023-02-08 04:21:36 us=625000   genkey = DISABLED
2023-02-08 04:21:36 us=625000   genkey_filename = '[UNDEF]'
2023-02-08 04:21:36 us=625000   key_pass_file = '[UNDEF]'
2023-02-08 04:21:36 us=625000   show_tls_ciphers = DISABLED
2023-02-08 04:21:36 us=625000   connect_retry_max = 0
2023-02-08 04:21:36 us=625000 Connection profiles [0]:
2023-02-08 04:21:36 us=625000   proto = tcp-client
2023-02-08 04:21:36 us=625000   local = '[UNDEF]'
2023-02-08 04:21:36 us=625000   local_port = '[UNDEF]'
2023-02-08 04:21:36 us=625000   remote = '[ip-address-redacted]'
2023-02-08 04:21:36 us=625000   remote_port = '443'
2023-02-08 04:21:36 us=625000   remote_float = DISABLED
2023-02-08 04:21:36 us=625000   bind_defined = DISABLED
2023-02-08 04:21:36 us=625000   bind_local = DISABLED
2023-02-08 04:21:36 us=625000   bind_ipv6_only = DISABLED
2023-02-08 04:21:36 us=625000   connect_retry_seconds = 1
2023-02-08 04:21:36 us=625000   connect_timeout = 120
2023-02-08 04:21:36 us=625000   socks_proxy_server = '[UNDEF]'
2023-02-08 04:21:36 us=625000   socks_proxy_port = '[UNDEF]'
2023-02-08 04:21:36 us=625000   tun_mtu = 1500
2023-02-08 04:21:36 us=625000   tun_mtu_defined = ENABLED
2023-02-08 04:21:36 us=625000   link_mtu = 1500
2023-02-08 04:21:36 us=625000   link_mtu_defined = DISABLED
2023-02-08 04:21:36 us=625000   tun_mtu_extra = 0
2023-02-08 04:21:36 us=625000   tun_mtu_extra_defined = DISABLED
2023-02-08 04:21:36 us=625000   tls_mtu = 1250
2023-02-08 04:21:36 us=625000   mtu_discover_type = -1
2023-02-08 04:21:36 us=625000   fragment = 0
2023-02-08 04:21:36 us=625000   mssfix = 1492
2023-02-08 04:21:36 us=625000   mssfix_encap = ENABLED
2023-02-08 04:21:36 us=625000   mssfix_fixed = DISABLED
2023-02-08 04:21:36 us=625000   explicit_exit_notification = 0
2023-02-08 04:21:36 us=625000   tls_auth_file = '[UNDEF]'
2023-02-08 04:21:36 us=625000   key_direction = not set
2023-02-08 04:21:36 us=625000   tls_crypt_file = '[INLINE]'
2023-02-08 04:21:36 us=625000   tls_crypt_v2_file = '[UNDEF]'
2023-02-08 04:21:36 us=625000 Connection profiles END
2023-02-08 04:21:36 us=625000   remote_random = DISABLED
2023-02-08 04:21:36 us=625000   ipchange = '[UNDEF]'
2023-02-08 04:21:36 us=625000   dev = 'tun'
2023-02-08 04:21:36 us=625000   dev_type = '[UNDEF]'
2023-02-08 04:21:36 us=625000   dev_node = '[UNDEF]'
2023-02-08 04:21:36 us=625000   tuntap_options.disable_dco = ENABLED
2023-02-08 04:21:36 us=625000   lladdr = '[UNDEF]'
2023-02-08 04:21:36 us=625000   topology = 1
2023-02-08 04:21:36 us=625000   ifconfig_local = '[UNDEF]'
2023-02-08 04:21:36 us=625000   ifconfig_remote_netmask = '[UNDEF]'
2023-02-08 04:21:36 us=625000   ifconfig_noexec = DISABLED
2023-02-08 04:21:36 us=625000   ifconfig_nowarn = DISABLED
2023-02-08 04:21:36 us=625000   ifconfig_ipv6_local = '[UNDEF]'
2023-02-08 04:21:36 us=625000   ifconfig_ipv6_netbits = 0
2023-02-08 04:21:36 us=625000   ifconfig_ipv6_remote = '[UNDEF]'
2023-02-08 04:21:36 us=625000   shaper = 0
2023-02-08 04:21:36 us=625000   mtu_test = 0
2023-02-08 04:21:36 us=625000   mlock = DISABLED
2023-02-08 04:21:36 us=625000   keepalive_ping = 0
2023-02-08 04:21:36 us=625000   keepalive_timeout = 0
2023-02-08 04:21:36 us=625000   inactivity_timeout = 0
2023-02-08 04:21:36 us=625000   session_timeout = 0
2023-02-08 04:21:36 us=625000   inactivity_minimum_bytes = 0
2023-02-08 04:21:36 us=625000   ping_send_timeout = 0
2023-02-08 04:21:36 us=625000   ping_rec_timeout = 0
2023-02-08 04:21:36 us=625000   

Re: [Openvpn-users] OpenVPN-2.6.0-I004-amd64.msi still fails to work on Microsoft Windows 11 if opvpn-dco is enabled

[Stella Ashburne]

> Sent: Thursday, February 09, 2023 at 6:07 PM
> From: "Lev Stipakov" 
> To: "Stella Ashburne" 
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] OpenVPN-2.6.0-I004-amd64.msi still fails to work 
> on Microsoft Windows 11 if opvpn-dco is enabled
>
> Hi Stella,
> 
Hi Lev

> Just a heads-up. I assume you use Mullvad.

For privacy reasons, I won't confirm or deny that my VPN provider/vendor is 
Mullvad because it doesn't really matter to the issue at hand

> I downloaded mullvad ovpn
> profile and was able to reproduce this issue - no error in openvpn or
> driver log, but no traffic flow.
> 
Your above statement isn't entirely correct. I have no issues with using the 
same config files on Debian 11.6.0 (64-bit).

> I'm looking into that.
> 
On behalf of OpenVPN users, I thank you for your generous gesture.

Best regards.

Stella



___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] OpenVPN-2.6.0-I004-amd64.msi still fails to work on Microsoft Windows 11 if opvpn-dco is enabled

[Stella Ashburne]

Hi Lev

> Sent: Thursday, February 09, 2023 at 7:49 PM
> From: "Lev Stipakov" 
> To: "Stella Ashburne" , "Antonio Quartulli" 
> 
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] OpenVPN-2.6.0-I004-amd64.msi still fails to work 
> on Microsoft Windows 11 if opvpn-dco is enabled
>
> I have created a ticket
> https://github.com/OpenVPN/ovpn-dco-win/issues/35 where further
> updates will be posted.
> 
Thanks for creating a support ticket for the issue that I brought up a few days 
ago.

> Also it seems that dco on Linux has the same issue with Mullvad.
> 
Firstly, for privacy reasons, I won't confirm or deny if the VPN 
vendor/provider is Mullvad because it doesn't really matter to the issue at 
hand.

Secondly, I have no issues at all when I use the same config files on Debian 
11.6.0 (64-bit).

Best regards.

Stella

P.S.: Please read the next two posts on how another privacy-centered VPN vendor 
deals with the "data channel offload" feature. This vendor really prioritizes 
the privacy of its customers above all things; for example, payments can be 
made in XMR, no email is required during registration, it allows VPN over Tor 
and Tor over VPN, cascading/chaining of VPN servers with other VPN vendors, 
very robust SSL tunneling that defeats censorship and surveillance by 
authoritarian regimes such as Iran, China, etc.



___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

[Openvpn-users] OpenVPN-2.6.0-I004-amd64.msi still fails to work on Microsoft Windows 11 if opvpn-dco is enabled

[Stella Ashburne]

Hi

I downloaded OpenVPN-2.6.0-I004-amd64.msi and installed it on Microsoft Windows 
11.

The same problem that I have had with OpenVPN-2.6.0-I003-amd64.msi still exists.

While waiting for a fix that works, I have added the parameter "disable-dco" 
(without quotes) in my *.ovpn config files.

Best regards.

Stella


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] [ext] Re: OpenVPN-2.6.0-I003-amd64.msi does not work on Microsoft Windows 11 if ovpn-dco is enabled

[Stella Ashburne]

> Sent: Wednesday, February 01, 2023 at 3:26 PM
> From: "Ralf Hildebrandt via Openvpn-users" 
> 
> To: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] [ext] Re: OpenVPN-2.6.0-I003-amd64.msi does not 
> work on Microsoft Windows 11 if ovpn-dco is enabled
>
> 
Hi Ralf

> Shouldn't "--disable-dco" rather be "disable-dco" when used inside a
> config file?
> 

I have tested two scenarios, one in which the config file contains 
"disable-dco" and another in which the config file contains "--disabe-dco". The 
result is the same: dco is disabled.

Many months ago, when I was using the 2.5.x versions of OpenVPN, I added 
"--data-ciphers-fallback AES-256-CBC" to my config files and the result was the 
same, which was that the warning about the deprecation of using "cipher 
AES-256-CBC" disappeared.

Best regards.

Stella




___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] OpenVPN-2.6.0-I003-amd64.msi does not work on Microsoft Windows 11 if ovpn-dco is enabled

[Stella Ashburne]

> Sent: Monday, January 30, 2023 at 6:08 PM
> From: "Lev Stipakov" 
> To: "Stella Ashburne" 
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] OpenVPN-2.6.0-I003-amd64.msi does not work on 
> Microsoft Windows 11 if ovpn-dco is enabled
>
> Hi Stella,
> 
Hi Lev

> Please post an openvpn log file with verb 4.
> 

Part 2 of 2

Please find below the config file with "verb 4" and "--disable-dco" parameters 
and the connection log.

My Mozilla Firefox is able to open websites when the dco is disabled.


client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
verb 4
remote-cert-tls server
ping 10
ping-restart 60
sndbuf 524288
rcvbuf 524288
cipher AES-256-CBC
--disable-dco
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
proto tcp4
pull-filter ignore "route-ipv6"
pull-filter ignore "ifconfig-ipv6"
auth-user-pass password.txt
auth-nocache
ca ca.crt
service vpnprovideropenvpn
block-outside-dns
remote-random
remote [ip-address-redacted] 443




2023-01-30 13:03:29 us=421000 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' 
but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). 
OpenVPN ignores --cipher for cipher negotiations. 
2023-01-30 13:03:29 us=421000 Current Parameter Settings:
2023-01-30 13:03:29 us=421000   config = 'us.ovpn'
2023-01-30 13:03:29 us=421000   mode = 0
2023-01-30 13:03:29 us=421000   show_ciphers = DISABLED
2023-01-30 13:03:29 us=421000   show_digests = DISABLED
2023-01-30 13:03:29 us=421000   show_engines = DISABLED
2023-01-30 13:03:29 us=421000   genkey = DISABLED
2023-01-30 13:03:29 us=421000   genkey_filename = '[UNDEF]'
2023-01-30 13:03:29 us=421000   key_pass_file = '[UNDEF]'
2023-01-30 13:03:29 us=421000   show_tls_ciphers = DISABLED
2023-01-30 13:03:29 us=421000   connect_retry_max = 0
2023-01-30 13:03:29 us=421000 Connection profiles [0]:
2023-01-30 13:03:29 us=421000   proto = tcp4-client
2023-01-30 13:03:29 us=421000   local = '[UNDEF]'
2023-01-30 13:03:29 us=421000   local_port = '[UNDEF]'
2023-01-30 13:03:29 us=421000   remote = 'ip-address-redacted'
2023-01-30 13:03:29 us=421000   remote_port = '443'
2023-01-30 13:03:29 us=421000   remote_float = DISABLED
2023-01-30 13:03:29 us=421000   bind_defined = DISABLED
2023-01-30 13:03:29 us=421000   bind_local = DISABLED
2023-01-30 13:03:29 us=421000   bind_ipv6_only = DISABLED
2023-01-30 13:03:29 us=421000   connect_retry_seconds = 1
2023-01-30 13:03:29 us=421000   connect_timeout = 120
2023-01-30 13:03:29 us=421000   socks_proxy_server = '[UNDEF]'
2023-01-30 13:03:29 us=421000   socks_proxy_port = '[UNDEF]'
2023-01-30 13:03:29 us=421000   tun_mtu = 1500
2023-01-30 13:03:29 us=421000   tun_mtu_defined = ENABLED
2023-01-30 13:03:29 us=421000   link_mtu = 1500
2023-01-30 13:03:29 us=421000   link_mtu_defined = DISABLED
2023-01-30 13:03:29 us=421000   tun_mtu_extra = 0
2023-01-30 13:03:29 us=421000   tun_mtu_extra_defined = DISABLED
2023-01-30 13:03:29 us=421000   tls_mtu = 1250
2023-01-30 13:03:29 us=421000   mtu_discover_type = -1
2023-01-30 13:03:29 us=421000   fragment = 0
2023-01-30 13:03:29 us=421000   mssfix = 1492
2023-01-30 13:03:29 us=421000   mssfix_encap = ENABLED
2023-01-30 13:03:29 us=421000   mssfix_fixed = DISABLED
2023-01-30 13:03:29 us=421000   explicit_exit_notification = 0
2023-01-30 13:03:29 us=421000   tls_auth_file = '[UNDEF]'
2023-01-30 13:03:29 us=421000   key_direction = not set
2023-01-30 13:03:29 us=421000   tls_crypt_file = '[UNDEF]'
2023-01-30 13:03:29 us=421000   tls_crypt_v2_file = '[UNDEF]'
```Connection profiles from [1] to [62] deleted to save space```
2023-01-30 13:03:29 us=437000 Connection profiles [63]:
2023-01-30 13:03:29 us=437000   proto = tcp4-client
2023-01-30 13:03:29 us=437000   local = '[UNDEF]'
2023-01-30 13:03:29 us=437000   local_port = '[UNDEF]'
2023-01-30 13:03:29 us=437000   remote = 'ip-address-redacted'
2023-01-30 13:03:29 us=437000   remote_port = '443'
2023-01-30 13:03:29 us=437000   remote_float = DISABLED
2023-01-30 13:03:29 us=437000   bind_defined = DISABLED
2023-01-30 13:03:29 us=437000   bind_local = DISABLED
2023-01-30 13:03:29 us=437000   bind_ipv6_only = DISABLED
2023-01-30 13:03:29 us=437000   connect_retry_seconds = 1
2023-01-30 13:03:29 us=437000   connect_timeout = 120
2023-01-30 13:03:29 us=437000   socks_proxy_server = '[UNDEF]'
2023-01-30 13:03:29 us=437000   socks_proxy_port = '[UNDEF]'
2023-01-30 13:03:29 us=437000   tun_mtu = 1500
2023-01-30 13:03:29 us=437000   tun_mtu_defined = ENABLED
2023-01-30 13:03:29 us=437000   link_mtu = 1500
2023-01-30 13:03:29 us=437000   link_mtu_defined = DISABLED
2023-01-30 13:03:29 us=437000   tun_mtu_extra = 0
2023-01-30 13:03:29 us=437000   tun_mtu_extra_defined = DISABLED
2023-01-30 13:03:29 us=437000   tls_mtu = 1250
2023-01-30 13:03:29 us=437000   mtu_discover_type = -1
2023-01-30 13:03:29 us=437000   fragment = 0
2023-01-30 13:03:29 us=437000   mssfi

Re: [Openvpn-users] OpenVPN-2.6.0-I003-amd64.msi does not work on Microsoft Windows 11 if ovpn-dco is enabled

[Stella Ashburne]

> Sent: Wednesday, February 01, 2023 at 12:11 PM
> From: "Stella Ashburne" 
> To: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] OpenVPN-2.6.0-I003-amd64.msi does not work on 
> Microsoft Windows 11 if ovpn-dco is enabled
>
> 
> Part 1 of 2
> 
> Please find below the config file with "verb 4" and without "--disable-dco" 
> parameters
> 


I forgot to add that without the "--disable-dco" parameter (that is to say, by 
allowing data channel open), my Mozilla Firefox browser is unable to open 
websites. The error message "Server Not Found" appears.

Best regards.

Stella


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] OpenVPN-2.6.0-I003-amd64.msi does not work on Microsoft Windows 11 if ovpn-dco is enabled

[Stella Ashburne]

> Sent: Monday, January 30, 2023 at 6:08 PM
> From: "Lev Stipakov" 
> To: "Stella Ashburne" 
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] OpenVPN-2.6.0-I003-amd64.msi does not work on 
> Microsoft Windows 11 if ovpn-dco is enabled
>
> Hi Stella,
> 

Hi Lev

> Please post an openvpn log file with verb 4.
> 
> You can also add --disable-dco to the config and see if it makes any 
> difference.
> 
> -Lev
> 

Part 1 of 2

Please find below the config file with "verb 4" and without "--disable-dco" 
parameters

client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
verb 4
remote-cert-tls server
ping 10
ping-restart 60
sndbuf 524288
rcvbuf 524288
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
proto tcp4
pull-filter ignore "route-ipv6"
pull-filter ignore "ifconfig-ipv6"
auth-user-pass password.txt
auth-nocache
ca ca.crt
service vpnprovideropenvpn
block-outside-dns
remote-random
remote [ip address is redacted] 443




2023-01-30 12:52:44 us=765000 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' 
but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). 
OpenVPN ignores --cipher for cipher negotiations. 
2023-01-30 12:52:44 us=781000 Current Parameter Settings:
2023-01-30 12:52:44 us=781000   config = 'us.ovpn'
2023-01-30 12:52:44 us=781000   mode = 0
2023-01-30 12:52:44 us=781000   show_ciphers = DISABLED
2023-01-30 12:52:44 us=781000   show_digests = DISABLED
2023-01-30 12:52:44 us=781000   show_engines = DISABLED
2023-01-30 12:52:44 us=781000   genkey = DISABLED
2023-01-30 12:52:44 us=781000   genkey_filename = '[UNDEF]'
2023-01-30 12:52:44 us=781000   key_pass_file = '[UNDEF]'
2023-01-30 12:52:44 us=781000   show_tls_ciphers = DISABLED
2023-01-30 12:52:44 us=781000   connect_retry_max = 0
2023-01-30 12:52:44 us=781000 Connection profiles [0]:
2023-01-30 12:52:44 us=781000   proto = tcp4-client
2023-01-30 12:52:44 us=781000   local = '[UNDEF]'
2023-01-30 12:52:44 us=781000   local_port = '[UNDEF]'
2023-01-30 12:52:44 us=781000   remote = 'ip-address-redacted'
2023-01-30 12:52:44 us=781000   remote_port = '443'
2023-01-30 12:52:44 us=781000   remote_float = DISABLED
2023-01-30 12:52:44 us=781000   bind_defined = DISABLED
2023-01-30 12:52:44 us=781000   bind_local = DISABLED
2023-01-30 12:52:44 us=781000   bind_ipv6_only = DISABLED
2023-01-30 12:52:44 us=781000   connect_retry_seconds = 1
2023-01-30 12:52:44 us=781000   connect_timeout = 120
2023-01-30 12:52:44 us=781000   socks_proxy_server = '[UNDEF]'
2023-01-30 12:52:44 us=781000   socks_proxy_port = '[UNDEF]'
2023-01-30 12:52:44 us=781000   tun_mtu = 1500
2023-01-30 12:52:44 us=781000   tun_mtu_defined = ENABLED
2023-01-30 12:52:44 us=781000   link_mtu = 1500
2023-01-30 12:52:44 us=781000   link_mtu_defined = DISABLED
2023-01-30 12:52:44 us=781000   tun_mtu_extra = 0
2023-01-30 12:52:44 us=781000   tun_mtu_extra_defined = DISABLED
2023-01-30 12:52:44 us=781000   tls_mtu = 1250
2023-01-30 12:52:44 us=781000   mtu_discover_type = -1
2023-01-30 12:52:44 us=781000   fragment = 0
2023-01-30 12:52:44 us=781000   mssfix = 1492
2023-01-30 12:52:44 us=781000   mssfix_encap = ENABLED
2023-01-30 12:52:44 us=781000   mssfix_fixed = DISABLED
2023-01-30 12:52:44 us=781000   explicit_exit_notification = 0
2023-01-30 12:52:44 us=781000   tls_auth_file = '[UNDEF]'
2023-01-30 12:52:44 us=781000   key_direction = not set
2023-01-30 12:52:44 us=781000   tls_crypt_file = '[UNDEF]'
2023-01-30 12:52:44 us=781000   tls_crypt_v2_file = '[UNDEF]'
```Connection profiles from [1] to [62] deleted to save space```
2023-01-30 12:52:44 us=796000 Connection profiles [63]:
2023-01-30 12:52:44 us=796000   proto = tcp4-client
2023-01-30 12:52:44 us=796000   local = '[UNDEF]'
2023-01-30 12:52:44 us=796000   local_port = '[UNDEF]'
2023-01-30 12:52:44 us=796000   remote = 'ip-address-redacted'
2023-01-30 12:52:44 us=796000   remote_port = '443'
2023-01-30 12:52:44 us=796000   remote_float = DISABLED
2023-01-30 12:52:44 us=796000   bind_defined = DISABLED
2023-01-30 12:52:44 us=796000   bind_local = DISABLED
2023-01-30 12:52:44 us=796000   bind_ipv6_only = DISABLED
2023-01-30 12:52:44 us=796000   connect_retry_seconds = 1
2023-01-30 12:52:44 us=796000   connect_timeout = 120
2023-01-30 12:52:44 us=796000   socks_proxy_server = '[UNDEF]'
2023-01-30 12:52:44 us=796000   socks_proxy_port = '[UNDEF]'
2023-01-30 12:52:44 us=796000   tun_mtu = 1500
2023-01-30 12:52:44 us=796000   tun_mtu_defined = ENABLED
2023-01-30 12:52:44 us=796000   link_mtu = 1500
2023-01-30 12:52:44 us=796000   link_mtu_defined = DISABLED
2023-01-30 12:52:44 us=796000   tun_mtu_extra = 0
2023-01-30 12:52:44 us=796000   tun_mtu_extra_defined = DISABLED
2023-01-30 12:52:44 us=796000   tls_mtu = 1250
2023-01-30 12:52:44 us=796000   mtu_discover_type = -1
2023-01-30 12:52:44 us=796000   fragment = 0
2023-01-30 12:52:44 us

Re: [Openvpn-users] OpenVPN-2.6.0-I003-amd64.msi does not work on Microsoft Windows 11 if ovpn-dco is enabled

[Stella Ashburne]

> Sent: Monday, January 30, 2023 at 6:08 PM
> From: "Lev Stipakov" 
> To: "Stella Ashburne" 
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] OpenVPN-2.6.0-I003-amd64.msi does not work on 
> Microsoft Windows 11 if ovpn-dco is enabled
>
> Hi Stella,
> 

Hi Lev

> Please post an openvpn log file with verb 4.
> 

My reply is being held up by the moderator of this list. Please see below the 
message from openvpn-users-ow...@lists.sourceforge.net

[quote]

Your mail to 'Openvpn-users' with the subject

Re: [Openvpn-users] OpenVPN-2.6.0-I003-amd64.msi does not work on
Microsoft Windows 11 if ovpn-dco is enabled

Is being held until the list moderator can review it for approval.

The reason it is being held:

Message body is too big: 55406 bytes with a limit of 40 KB

Either the message will get posted to the list, or you will receive
notification of the moderator's decision. If you would like to cancel
this posting, please visit the following URL:

https://lists.sourceforge.net/lists/confirm/openvpn-users/639ee1bd36df2f2e95ae111b4036c34e23c81e21

[end quote]


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

[Openvpn-users] OpenVPN-2.6.0-I003-amd64.msi does not work on Microsoft Windows 11 if ovpn-dco is enabled

[Stella Ashburne]

Hi guys

I've just installed OpenVPN-2.6.0-I003-amd64.msi on Microsoft Windows 11 (build 
22621.1105).

The contents of a sample config file from my commercial VPN vendor/provider are 
as follows:

client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
remote-cert-tls server
ping 10
ping-restart 60
sndbuf 524288
rcvbuf 524288
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
proto tcp4
pull-filter ignore "route-ipv6"
pull-filter ignore "ifconfig-ipv6"
auth-user-pass password.txt
auth-nocache
ca ca.crt
service xyzopenvpn
block-outside-dns
remote 11.22.33.44 443

My computer was able to connect to the VPN vendor's server. According to the 
connection log, the data channel offload (ovpn-dco) was opened.

However, I was unable to surf the internet. The error "Server Not Found" 
appeared in my Firefox browser.

What I did next was to add the following line to the config file:

--data-ciphers-fallback AES-256-CBC

The contents of the config file have changed as follows:

client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
remote-cert-tls server
ping 10
ping-restart 60
sndbuf 524288
rcvbuf 524288
cipher AES-256-CBC
--data-ciphers-fallback AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
proto tcp4
pull-filter ignore "route-ipv6"
pull-filter ignore "ifconfig-ipv6"
auth-user-pass password.txt
auth-nocache
ca ca.crt
service xyzopenvpn
block-outside-dns
remote 11.22.33.44 443

My computer is able to connect to the VPN provider's server. This time, 
however, ovpn-dco is disabled according to the first line in my connection log:

Note: cipher 'AES-256-CBC' in --data-ciphers is not supported by ovpn-dco, 
disabling data channel offload.

With ovpn-dco disabled, I can surf the internet and browse websites without 
issues.

It appears that the kernel of Microsoft Windows 11 rejects and prevents 
ovpn-dco from working.

What do you guys think?

Best regards.

Stella


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] OpenVPN 2.6.0 released

[Stella Ashburne]

Congratulations Frank

> Sent: Thursday, January 26, 2023 at 3:50 AM
> From: "Frank Lichtenheld" 
> To: openvpn-de...@lists.sourceforge.net, openvpn-users@lists.sourceforge.net, 
> openvpn-annou...@lists.sourceforge.net
> Subject: [Openvpn-users] OpenVPN 2.6.0 released
>
> The OpenVPN community project team is proud to release OpenVPN 2.6.0.
> This is the new stable version of OpenVPN with some major new features.
> 

I wish to thank all who contributed to the latest release of OpenVPN Community 
Edition.

In particular, I wish to thank Samuli for making 
openvpn_2.6.0-bullseye0_amd64.deb available to all who use Debian or 
Debian-based distros.

Best regards.

Stella

P.S.: I'm unable to use OpenVPN-2.6.0-I003-amd64.msi on Microsoft Windows 11 
(build 22621.1105). Please see my feedback in an upcoming post.


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] Debian 11 ("Bullseye") OpenVPN 2.5.7 packages also available

[Stella Ashburne]

Dear Samuli

I just learned today that OpenVPN 2.5.7 has been released.

My kind compliments to you and your team of fellow developers.

I wish to take this opportunity to thank you for making available the Debian 
package (Bullseye) of OpenVPN 2.5.7.

Best regards.

Stella


>Hi,
>
>OpenVPN 2.5.7 has been packaged for Debian 11 and is available in our
>Debian/Ubuntu apt repos:
>
>
>
>If you have any issues with please let me know.
>
>Ubuntu 22.04 package is also available for testing, but due to (current)
>technical limitations not available in the apt repository. If you want
>to give it a spin, let me know and I'll put it online somewhere.
>
>Samuli



___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] How do I prevent IPv6 routes from being added to my connection?

[Stella Ashburne]

Hi Gert

> Sent: Saturday, April 30, 2022 at 10:14 PM
> From: "Gert Doering" 
> To: "Stella Ashburne" 
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] How do I prevent IPv6 routes from being added to 
> my connection?
>
> If you compare the log before/after closely, you can see that most of
> the routers have not been installed.
>
Thank you for telling me that. I really appreciate it.

Best regards.

Stella


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] How do I prevent IPv6 routes from being added to my connection?

[Stella Ashburne]

Hi Gert

> Sent: Saturday, April 30, 2022 at 2:13 AM
> From: "Gert Doering" 
> To: "Jordan Hayes" 
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] How do I prevent IPv6 routes from being added to 
> my connection?
>
> *I* have spent very much time to implement and improve the IPv6 support
> (*and* to provide the tools to ignore server-pushed options, if someone
> would bother to read the manuals)

Your contributions to the development of OpenVPN cannot be overestimated. I 
really thank you from the bottom of my heart.

> - and it pains me if people spread the
> lore that "disabling IPv6 is a good way forward".
>
>
OpenVPN developers are human and they are unable to foresee some unexpected 
security vulnerabilities. A good case in point is the VORACLE attack 
(https://www.bleepingcomputer.com/news/security/voracle-attack-can-recover-http-data-from-vpn-connections/)

> Half of the "you need to disable IPv6 to achieve..." is bullshit, and the
> other half is misunderstood lore.
>
> Like, "with IPv6 in my VPN I can be tracked" - no, you can't,

All VPN vendors/providers which are serious about security and privacy will 
invariably advise their customers to disable IPv6 support in Linux or to 
configure Microsoft Windows in such a way that IPv4 is preferred to IPv6.

These serious VPN vendors/providers have been in the business for more than a 
decade and they do know what they are saying when they give such advice. You 
may be surprised that some of them may be contributors to the development of 
OpenVPN.

>
> There is reliable measurement data that performance from mobile networks
> to dual-stacked servers is *better* using IPv6 than using IPv4, due to
> the avoidance of CGNAT boxes, leading to better routing and less issues
> due to CGNAT state overflow.
>
Thanks for this piece of information. What is the source of this "reliable 
measurement data"?

However, in my opinion, performance cannot and should not trump security.

Below is the quote from "VORACLE Attack Can Recover HTTP Data From VPN 
Connections" 
(https://www.bleepingcomputer.com/news/security/voracle-attack-can-recover-http-data-from-vpn-connections/)

[quote]

But despite this, the OpenVPN project did not modify its default setting of 
compressing data before encrypting it as part of the VPN tunnel. This is 
because compressing data before the TLS encryption has performance benefits and 
a good reason why most VPN services/clients will continue to use this option.

[end quote]

If the above quote is factually correct, it shows that the folks at OpenVPN 
prioritize performance over security, which is a big NO for me.

Best regards.

Stella

P.S.: This is off-topic but I hope you can satisfy my curiosity. What do you 
think of The Tor Project? Would you contribute to the project if you had the 
time?





___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] How do I prevent IPv6 routes from being added to my connection?

[Stella Ashburne]

Hi

Thanks for your tip.

>-BEGIN PGP SIGNED MESSAGE-
>Hash: SHA256
>
>Hi,
>
>Sent with ProtonMail secure email.
>--- Original Message ---
>On Friday, April 29th, 2022 at 16:52, Stella Ashburne  wrote:
>
>
>
>> Any tips as to how I can configure my client-side config file to prevent 
>> IPv6 routes from being added during the connections?
>
>You could try --pull-filter-ignore 'route-ipv6 '
>It could break everything though ..
>
>See the docs for details.
>
>tct


Below is the connection log when I included the following option

pull-filter ignore route-ipv6

in my client configuration file.



2022-04-28 20:23:17 Successful ARP Flush on interface [20] 
{FB1A746D-116A-471A-A0B3-6017A1BF137A}
2022-04-28 20:23:17 MANAGEMENT: 
>STATE:1651321397,ASSIGN_IP,,10.5.0.3,fdda:d0d0:cafe:443::1001
2022-04-28 20:23:17 IPv4 MTU set to 1500 on interface 20 using service
2022-04-28 20:23:17 INET6 address service: add fdda:d0d0:cafe:443::1001/128
2022-04-28 20:23:17 add_route_ipv6(fdda:d0d0:cafe:443::/64 -> 
fdda:d0d0:cafe:443::1001 metric 0) dev OpenVPN TAP-Windows6
2022-04-28 20:23:17 IPv6 route addition via service succeeded
2022-04-28 20:23:17 IPv6 MTU set to 1500 on interface 20 using service
2022-04-28 20:23:17 Blocking outside dns using service succeeded.
2022-04-28 20:23:22 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
2022-04-28 20:23:22 C:\Windows\system32\route.exe ADD 69.4.234.134 MASK 
255.255.255.255 192.168.1.1
2022-04-28 20:23:22 Route addition via service succeeded
2022-04-28 20:23:22 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 
10.5.0.1
2022-04-28 20:23:22 Route addition via service succeeded
2022-04-28 20:23:22 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 
10.5.0.1
2022-04-28 20:23:22 Route addition via service succeeded
2022-04-28 20:23:22 WARNING: this configuration may cache passwords in memory 
-- use the auth-nocache option to prevent this
2022-04-28 20:23:22 Initialization Sequence Completed
2022-04-28 20:23:22 MANAGEMENT: 
>STATE:1651321402,CONNECTED,SUCCESS,10.5.0.3,69.4.234.134,443,192.168.10.93,50072,fdda:d0d0:cafe:443::1001


It appears that the option, pull-filter ignore route-ipv6, fails to prevent 
IPv6 routes from being added based on the following lines in the connection log:

add_route_ipv6(fdda:d0d0:cafe:443::/64 -> fdda:d0d0:cafe:443::1001 metric 0) 
dev OpenVPN TAP-Windows6
IPv6 route addition via service succeeded
IPv6 MTU set to 1500 on interface 20 using service

It seems that the tip provided by Jordan Hayes does prevent IPv6 routes from 
being added.

Best regards.

Stella



___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] How do I prevent IPv6 routes from being added to my connection?

[Stella Ashburne]

Hi Jordan

Thanks for your tip.
 

Sent: Saturday, April 30, 2022 at 1:13 AM
From: "Jordan Hayes" 
To: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] How do I prevent IPv6 routes from being added to 
my connection?
> Any tips as to how I can configure my client-side config file to prevent IPv6 
> routes from being added during the connections?
One trick to doing this on a Windows client is to open the adapter and deselect 
IPv6 support.
___ Openvpn-users mailing list 
Openvpn-users@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Firstly, based on your tip, I deselected IPv6 support of OpenVPN TAP-Windows6 
adapter.

Below is the connection log:


2022-04-30 19:11:24 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but 
missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version 
will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to 
--data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 
'AES-256-CBC' to silence this warning.
2022-04-30 19:11:24 OpenVPN 2.5.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] 
[PKCS11] [AEAD] built on Mar 16 2022
2022-04-30 19:11:24 Windows version 10.0 (Windows 10 or greater) 64bit
2022-04-30 19:11:24 library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
2022-04-30 19:11:24 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25374
2022-04-30 19:11:24 Need hold release from management interface, waiting...
2022-04-30 19:11:25 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25374
2022-04-30 19:11:25 MANAGEMENT: CMD 'state on'
2022-04-30 19:11:25 MANAGEMENT: CMD 'log all on'
2022-04-30 19:11:25 MANAGEMENT: CMD 'echo all on'
2022-04-30 19:11:25 MANAGEMENT: CMD 'bytecount 5'
2022-04-30 19:11:25 MANAGEMENT: CMD 'hold off'
2022-04-30 19:11:25 MANAGEMENT: CMD 'hold release'
2022-04-30 19:11:25 TCP/UDP: Preserving recently used remote address: 
[AF_INET]aa.bb.cc.dd:443
2022-04-30 19:11:25 Socket Buffers: R=[65536->524288] S=[65536->524288]
2022-04-30 19:11:25 Attempting to establish TCP connection with 
[AF_INET]aa.bb.cc.dd:443 [nonblock]
2022-04-30 19:11:25 MANAGEMENT: >STATE:1651317085,TCP_CONNECT,,
2022-04-30 19:11:25 TCP connection established with [AF_INET]aa.bb.cc.dd:443
2022-04-30 19:11:25 TCP_CLIENT link local: (not bound)
2022-04-30 19:11:25 TCP_CLIENT link remote: [AF_INET]aa.bb.cc.dd:443
2022-04-30 19:11:25 MANAGEMENT: >STATE:1651317085,WAIT,,
2022-04-30 19:11:25 MANAGEMENT: >STATE:1651317085,AUTH,,
2022-04-30 19:11:25 TLS: Initial packet from [AF_INET]aa.bb.cc.dd:443, 
sid=22a213c3 9443bc90
2022-04-30 19:11:26 VERIFY OK: depth=2, C=XX, ST=Somewhere, L=Somecity, 
O=Verizon AB, OU=somevpn, CN=somevpn Root CA v2, 
emailAddress=secur...@somevpn.net
2022-04-30 19:11:26 VERIFY OK: depth=1, C=XX, ST=Somewhere, O=Verizon AB, 
OU=somevpn, CN=somevpn Intermediate CA v4, emailAddress=secur...@somevpn.net
2022-04-30 19:11:26 VERIFY KU OK
2022-04-30 19:11:26 Validating certificate extended key usage
2022-04-30 19:11:26 ++ Certificate has EKU (str) TLS Web Server Authentication, 
expects TLS Web Server Authentication
2022-04-30 19:11:26 VERIFY EKU OK
2022-04-30 19:11:26 VERIFY OK: depth=0, C=XX, ST=Somewhere, O=Verizon AB, 
OU=somevpn, CN=us-dal-105.somevpn.net, emailAddress=secur...@somevpn.net
2022-04-30 19:11:26 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 
1559', remote='link-mtu 1560'
2022-04-30 19:11:26 WARNING: 'comp-lzo' is present in remote config but missing 
in local config, remote='comp-lzo'
2022-04-30 19:11:26 Control Channel: TLSv1.3, cipher TLSv1.3 
TLS_CHACHA20_POLY1305_SHA256, peer certificate: 4096 bit RSA, signature: 
RSA-SHA256
2022-04-30 19:11:26 [us-dal-105.somevpn.net] Peer Connection Initiated with 
[AF_INET]aa.bb.cc.dd:443
2022-04-30 19:11:28 MANAGEMENT: >STATE:1651317088,GET_CONFIG,,
2022-04-30 19:11:28 SENT CONTROL [us-dal-105.somevpn.net]: 'PUSH_REQUEST' 
(status=1)
2022-04-30 19:11:33 SENT CONTROL [us-dal-105.somevpn.net]: 'PUSH_REQUEST' 
(status=1)
2022-04-30 19:11:34 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 
10.5.0.1,redirect-gateway def1 bypass-dhcp,route-ipv6 ::/2,route-ipv6 
4000::/2,route-ipv6 8000::/2,route-ipv6 C000::/2,comp-lzo no,route-gateway 
10.5.0.1,topology subnet,socket-flags TCP_NODELAY,ifconfig-ipv6 
fdda:d0d0:cafe:443::1001/64 fdda:d0d0:cafe:443::,ifconfig 10.5.0.3 
255.255.0.0,peer-id 0,cipher AES-256-GCM'
2022-04-30 19:11:34 OPTIONS IMPORT: compression parms modified
2022-04-30 19:11:34 OPTIONS IMPORT: --socket-flags option modified
2022-04-30 19:11:34 OPTIONS IMPORT: --ifconfig/up options modified
2022-04-30 19:11:34 OPTIONS IMPORT: route options modified
2022-04-30 19:11:34 OPTIONS IMPORT: route-related options modified
2022-04-30 19:11:34 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options 
modified
2022-04-30 19:11:34 OPTIONS IMPORT: peer-id set
2022-04-30 19:11:34 OPTIONS IMPORT: adjusting link_mtu to 1626
2022-04-30 19:11:34 

Re: [Openvpn-users] How do I prevent IPv6 routes from being added to my connection?

[Stella Ashburne]

Hi Marek

Thanks for your reply.

> Sent: Friday, April 29, 2022 at 11:49 PM
> From: "Marek Zarychta" 
> To: "Gert Doering" , "Stella Ashburne" 
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] How do I prevent IPv6 routes from being added to 
> my connection?
>
> IPv6 support in OpenVPN is decent since a longer while.
>
> This support is so good that some people think they have a native ip6
> from ISP (but they don't)!
>
> I am kidding you not, that's my experience, have received some feedback
> related to this issue.

Any tips as to how I can configure my client-side config file to prevent IPv6 
routes from being added during the connections?

Best regards.

Stella


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] How do I prevent IPv6 routes from being added to my connection?

[Stella Ashburne]

Hi Gert

Thanks for your reply.

> Sent: Friday, April 29, 2022 at 10:03 PM
> From: "Gert Doering" 
> To: "Stella Ashburne" 
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] How do I prevent IPv6 routes from being added to 
> my connection?
>
> Why would anyone want that?
> 

Firstly I define privacy ≠ anonymity

Secondly using IPv6 in VPN connections decreases privacy.

Best regards.

Stella




___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

[Openvpn-users] How do I prevent IPv6 routes from being added to my connection?

[Stella Ashburne]

Hi

Below are some details that are relevant to my question:

Operating system: Microsoft Windows 11 Pro, 64bit
OpenVPN version: 2.5.6

I have configured my system to prefer IPv4 over IPv6 using the guide: 
https://kb.firedaemon.com/support/solutions/articles/4000160803-prioritising-ipv4-over-ipv6-on-windows-10-and-11

Below are the contents of my configuration file (client config file):

client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
remote-cert-tls server
ping 10
ping-restart 60
sndbuf 524288
rcvbuf 524288
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
proto tcp
auth-user-pass password.txt
ca ca.crt
service somevpnopenvpn
block-outside-dns
remote-random
{list of resolved IP addresses redacted for privacy}

Below are the contents of the log after a successful connection to the VPN 
server:

2022-04-28 21:36:47 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but 
missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version 
will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to 
--data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 
'AES-256-CBC' to silence this warning.
2022-04-28 21:36:47 OpenVPN 2.5.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] 
[PKCS11] [AEAD] built on Mar 16 2022
2022-04-28 21:36:47 Windows version 10.0 (Windows 10 or greater) 64bit
2022-04-28 21:36:47 library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
2022-04-28 21:36:47 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25374
2022-04-28 21:36:47 Need hold release from management interface, waiting...
2022-04-28 21:36:47 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25374
2022-04-28 21:36:47 MANAGEMENT: CMD 'state on'
2022-04-28 21:36:47 MANAGEMENT: CMD 'log all on'
2022-04-28 21:36:47 MANAGEMENT: CMD 'echo all on'
2022-04-28 21:36:47 MANAGEMENT: CMD 'bytecount 5'
2022-04-28 21:36:47 MANAGEMENT: CMD 'hold off'
2022-04-28 21:36:47 MANAGEMENT: CMD 'hold release'
2022-04-28 21:36:47 TCP/UDP: Preserving recently used remote address: 
[AF_INET]aa.bb.cc.dd:443 **the actual IP address has been redacted**
2022-04-28 21:36:47 Socket Buffers: R=[65536->524288] S=[65536->524288]
2022-04-28 21:36:47 Attempting to establish TCP connection with 
[AF_INET]aa.bb.cc.dd:443 [nonblock]
2022-04-28 21:36:47 MANAGEMENT: >STATE:1651153007,TCP_CONNECT,,
2022-04-28 21:36:48 TCP connection established with [AF_INET]aa.bb.cc.dd:443
2022-04-28 21:36:48 TCP_CLIENT link local: (not bound)
2022-04-28 21:36:48 TCP_CLIENT link remote: [AF_INET]aa.bb.cc.dd:443
2022-04-28 21:36:48 MANAGEMENT: >STATE:1651153008,WAIT,,
2022-04-28 21:36:48 MANAGEMENT: >STATE:1651153008,AUTH,,
2022-04-28 21:36:48 TLS: Initial packet from [AF_INET]aa.bb.cc.dd:443, 
sid=3903cca7 3d802dd1
2022-04-28 21:36:48 VERIFY OK: depth=2, C=XX, ST=Somewhere, L=Somecity, 
O=Verizon, OU=somevpn, CN=somevpn Root CA v2, emailAddress=secur...@somevpn.com
2022-04-28 21:36:48 VERIFY OK: depth=1, C=XX, ST=Somewhere, O=Verizon, 
OU=somevpn, CN=somevpn Intermediate CA v4, emailAddress=secur...@somevpn.com
2022-04-28 21:36:48 VERIFY KU OK
2022-04-28 21:36:48 Validating certificate extended key usage
2022-04-28 21:36:48 ++ Certificate has EKU (str) TLS Web Server Authentication, 
expects TLS Web Server Authentication
2022-04-28 21:36:48 VERIFY EKU OK
2022-04-28 21:36:48 VERIFY OK: depth=0, C=XX, ST=Somewhere, O=Verizon, 
OU=somevpn, CN=us-slc-102.somevpn.com, emailAddress=secur...@somevpn.com
2022-04-28 21:36:49 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 
1559', remote='link-mtu 1560'
2022-04-28 21:36:49 WARNING: 'comp-lzo' is present in remote config but missing 
in local config, remote='comp-lzo'
2022-04-28 21:36:49 Control Channel: TLSv1.3, cipher TLSv1.3 
TLS_CHACHA20_POLY1305_SHA256, peer certificate: 4096 bit RSA, signature: 
RSA-SHA256
2022-04-28 21:36:49 [us-slc-102.somevpn.org] Peer Connection Initiated with 
[AF_INET]aa.bb.cc.dd:443
2022-04-28 21:36:50 MANAGEMENT: >STATE:1651153010,GET_CONFIG,,
2022-04-28 21:36:50 SENT CONTROL [us-slc-102.somevpn.com]: 'PUSH_REQUEST' 
(status=1)
2022-04-28 21:36:51 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 
10.5.0.1,redirect-gateway def1 bypass-dhcp,route-ipv6 ::/2,route-ipv6 
4000::/2,route-ipv6 8000::/2,route-ipv6 C000::/2,comp-lzo no,route-gateway 
10.5.0.1,topology subnet,socket-flags TCP_NODELAY,ifconfig-ipv6 
fdda:d0d0:cafe:443::1001/64 fdda:d0d0:cafe:443::,ifconfig 10.5.0.3 
255.255.0.0,peer-id 0,cipher AES-256-GCM'
2022-04-28 21:36:51 OPTIONS IMPORT: compression parms modified
2022-04-28 21:36:51 OPTIONS IMPORT: --socket-flags option modified
2022-04-28 21:36:51 OPTIONS IMPORT: --ifconfig/up options modified
2022-04-28 21:36:51 OPTIONS IMPORT: route options modified
2022-04-28 21:36:51 OPTIONS IMPORT: route-related options modified
2022-04-28 21:36:51 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options 
modified
2022-04-28 21:36:51 OPTIONS IMPORT: peer-id set

Re: [Openvpn-users] Request .deb package of OpenVPN 2.5.6

[Stella Ashburne]

Hi David

> Sent: Thursday, March 24, 2022 at 12:58 AM
> From: "David Sommerseth" 
> To: "Stella Ashburne" 
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] Request .deb package of OpenVPN 2.5.6
>
> So you got my attention ;-)  Both as an OpenVPN Inc employee, working on
> the open source projects, and as the official Fedora openvpn package
> maintainer.
>
I was looking around for a Linux distro that has the most up-to-date OpenVPN 
version and stumbled on Fedora. My first choice was Manjaro; however as it 
doesn't support UEFI Secure Boot, I ditched it in favor of Fedora.

> The Fedora build you point at uses the standard upstream distro
> repository build system.  And a similar infrastructure is also used for
> the Fedora Copr builds.  Btw. openvpn-2.5.6 builds are already in all
> the Fedora pipes.

>From January 1, 2022 to February 28, 2022, whenever I installed  
>openvpn-2.5.5-1.fc35, openvpn-2.5.5-2.fc35 and openvpn-2.5.5-3.fc35 onto 
>Fedora 35, there were warnings about "globs" not being supported; nevertheless 
>I continued with the installation of OpenVPN.

> The .deb package repositories hosted on
> <http://build.openvpn.net/debian/openvpn/> is a different story, as
> that's based on infrastructure managed by the OpenVPN project.  This
> infrastructure has been through some massive overhaul, and it seems
> Samuli hit some dark corners there causing issues with the builds for
> this repository.
>
According to Gert Doering, Samuli's problems with building a .deb package of 
OpenVPN were caused by: (sic) I guess that Samuli's build machine (which is a 
VM in some AWS VPC)
has issues unrelated to Debian or OpenVPN - but fixing takes time, so won't 
always be possible "right the same day".

Anyway, it would be good if Samuli could elaborate the types of "esoteric 
technical problems" that prevented him from building packages of OpenVPN for 
Debian distro.

> That said, comparing upstream Fedora 3x repos with the OpenVPN project
> provided repos is not really a fair reference point.  The Fedora
> repositories are similar to the upstream Debian repositories - but
> version wise, they are probably much closer to Fedora EPEL repositories.

That's correct and I've known about it some years ago.

> And in regards to upstream distribution repositories, the package
> maintainers there ensure that the OpenVPN versions distributed from
> there are up-to-date in regards to important bug and security fixes.
> They are typically back-ported from newer versions.  The version number
> in these repositories may not be completely accurate.  But very seldom
> are features back-ported.  This is due to repository polices, where
> major version updates are not allowed and minor updates are attempted
> kept at a minimum for the distribution - to ensure the package stays
> stable and have a predictable behavior.
>
Thanks for the reminder.

> The Fedora Copr repos is somewhat similar to Ubuntu PPA.  These
> repositories does not have the same strict version upgrade policy, but
> also does not carry the same types of stability guarantees.
>
> The project provided apt repository is also a best-effort repository.
> There are no guarantees it won't break, but we try to fix things as soon
> as possible.  On the other hand, the official OpenVPN 2.x releases from
> the project are generally very stable. But it does not go through the
> same set of testing which many distributions does before shipping it.
>
>
> I hope this could clarify a bit of the differences and align some of the
> expectations better.
>
Yes, your clarification helps a lot for folks like us. Could someone upload 
such clarification to the OpenVPN's wiki for Debian packages please?

Best regards.

Stella


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] Request .deb package of OpenVPN 2.5.6

[Stella Ashburne]

Hi Samuli

> Sent: Wednesday, March 23, 2022 at 6:04 PM
> From: "Samuli Seppänen" 
> To: "Stella Ashburne" , openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] Request .deb package of OpenVPN 2.5.6
>
> There are esoteric technical reasons for that.

Would you like to elaborate what those "esoteric technical reasons" are with 
regards to building the .deb package? Are the "esoteric technical reasons" 
confined to Debian only? I ask because David Sommerseth produced the openvpn 
package, version 2.5.5 and now 2.5.6,  for Fedora 35, such as 
openvpn-2.5.6-1.fc35 (URL: 
https://packages.fedoraproject.org/pkgs/openvpn/openvpn/fedora-35-updates.html)

Best regards.

Stella


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] Request .deb package of OpenVPN 2.5.6

[Stella Ashburne]

Hi Andre

> Sent: Friday, March 18, 2022 at 2:32 PM
> From: "André" 
> To: "Stella Ashburne" , "openvpn-users" 
> 
> Subject: Re: [Openvpn-users] Request .deb package of OpenVPN 2.5.6
>
> Hi Stella Ashburne,
> 
> Regarding the link:
> https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
> 
> 
Thanks for the correct URL. However I can't find the .deb package of OpenVPN 
2.5.6 in the links provided in that page.

Best regards.

Stella


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

[Openvpn-users] Request .deb package of OpenVPN 2.5.6

[Stella Ashburne]

Hi Samuli

Thank you, Samuli and all the people who contributed to the release of OpenVPN 
2.5.6

Is it possible for you to release a Debian package of the current version 
please?

By the way, the link that you provided in your post, viz.

https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos%3E

leads to nowhere.

Best regards.

Stella


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] OpenVPN 2.5.5 released

[Stella Ashburne]

I forgot to add that I am using Debian 11.


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] OpenVPN 2.5.5 released

[Stella Ashburne]

Hi Samuli

> Sent: Wednesday, December 15, 2021 at 5:30 PM
> From: "Samuli Seppänen" 
> To: openvpn-de...@lists.sourceforge.net, openvpn-users@lists.sourceforge.net, 
> openvpn-annou...@lists.sourceforge.net
> Subject: [Openvpn-users] OpenVPN 2.5.5 released
>
> The OpenVPN community project team is proud to release OpenVPN 2.5.5. 
> The most notable changes are Windows-related: use of CFG 
> Spectre-mitigations in MSVC builds, bringing back of OpenSSL config 
> loading and several build fixes. More details are available in Changes.rst:
>

Thanks to you and all the selfless folks for the wonderful acts of generosity 
in bringing out this latest version of OpenVPN (Community Edition). 

> 
> Debian and Ubuntu packages are available in the official apt repositories:
> 
> 
> 
At the time of writing this reply, version 2.5.5 is unavailable in your Debian 
repos. On behalf of Debian users, I thank you in advance for uploading said 
version.

Best wishes for Christmas and the New Year!

Stella

P.S. It is interesting to note that version 2.5.5 is available as a package in 
OpenBSD's snapshot repo at least two days before the official announcement by 
Samuli.


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] (no subject)

[Stella Ashburne]

Hi Gert

Thanks for your reply.

> Sent: Friday, December 03, 2021 at 2:14 AM
> From: "Gert Doering" 
> To: "Stella Ashburne" 
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] (no subject)
>
> (I think we have a patch somewhere to clarify that - it might even be
> in the current man page.  You looked at the 2.4 man page, which is OLD)
>
> gert
> --

OK. I surfed to https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html which 
I guess is the latest version of man page of OpenVPN 2.5, right? According to 
it, "push-peer-info" is a server option.

Regards.

Stella




___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] (no subject)

[Stella Ashburne]

Hi Gert

Thanks for your reply.

> Sent: Friday, December 03, 2021 at 12:09 AM
> From: "Gert Doering" 
> To: "Stella Ashburne" 
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] (no subject)
>
>
> It is not sent by default, so nothing to do here.
>
Thanks for your clarification, Gert.

> (It will only be sent if you have "push-peer-info" in your client config,
> see "man openvpn" for what is always sent and what needs to be enabled)
>
>
About "push-peer-info":

I surfed to 
https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage?__cf_chl_jschl_tk__=JSUulbKidOapkzFKpsRhInXslT2sBquL7BK.lhuMS1s-1638461653-0-gaNycGzNCOU
 and learned that "push-peer-info" is an option in the server's configuration 
file and not in the client's. If that's the case, can we specify an option in 
the client's configuration file to refuse to give to the server such details 
such as IFACE and HWADDR?

And since we are on the subject of "push-peer-info", I would appreciate it if 
you could clarify the following that is written in man openvpn:

IV_HWADDR= -- the MAC address of clients default gateway

By "default gateway", does the author of the man page refer to the router's MAC 
address or to the MAC address of the network interface card in my machine?

>
> Thus: DO NOT USE A VPN PROVIDER THAT YOU DO NOT TRUST.
>
Thanks for your warning, Gert.

Regards.

Stella


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] [ext] (no subject)

[Stella Ashburne]

Hi Ralf

Thanks for your reply.

> Sent: Thursday, December 02, 2021 at 11:41 PM
> From: "Ralf Hildebrandt" 
> To: "Stella Ashburne" 
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] [ext]  (no subject)
>
>
> The log of the opevpn server you're connecting to.
> Both sides have a log. They look differently.
>
No, I don't have access to the server's logs as my VPN provider is a commercial 
one.

>
> No, that's your client's log.
>
Thanks, Ralf, for your clarification and reassurance.

Regards.

Stella


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] [ext] (no subject)

[Stella Ashburne]

Hi Ralf

Thanks for your reply.

> Sent: Thursday, December 02, 2021 at 11:39 PM
> From: "Ralf Hildebrandt" 
> To: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] [ext]  (no subject)
>
>
>
> BUT if you care about fingerprinting, check the IV_* variables, example:
>
> ip.add.re.ss:49786 peer info: IV_VER=3.git::58b92569
> ip.add.re.ss:49786 peer info: IV_PLAT=ios
> ip.add.re.ss:49786 peer info: IV_NCP=2
> ip.add.re.ss:49786 peer info: IV_TCPNL=1
> ip.add.re.ss:49786 peer info: IV_PROTO=2
> ip.add.re.ss:49786 peer info: IV_LZO_STUB=1
> ip.add.re.ss:49786 peer info: IV_COMP_STUB=1
> ip.add.re.ss:49786 peer info: IV_COMP_STUBv2=1
> ip.add.re.ss:49786 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
> ip.add.re.ss:49786 peer info: IV_SSO=openurl
>

I'm a bit lost. Where do I check the IV_* variables? How do I check them, i.e. 
what commands do I need to type in a terminal?

Regards.

Stella


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] [ext] (no subject)

[Stella Ashburne]

Hi Ralf

Thanks for your reply.

> Sent: Thursday, December 02, 2021 at 11:27 PM
> From: "Ralf Hildebrandt" 
> To: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] [ext]  (no subject)
>
>
> That's your log or the server's log?
>
What do you mean by server's log please?

I use Debian 11 distro as my operating system.

In a terminal, I connect my machine to a server provided by my VPN provider. As 
a connection is being made, many lines of text flash across the terminal. 
Please tell me if the lines of text that I see belong to the server's log?

> > To mitigate the fingerprinting, is it possible to prevent the details of 
> > IFACE and HWADDR from being transmitted to my VPN provider?
>
> Are they REALLY transmitted to your VPN provider?
>
I honestly don't know because I don't have the requisite IT skills to do it.
>
Regards.

Stella


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

[Openvpn-users] (no subject)

[Stella Ashburne]

Hi

Below is a partial log after my machine has connected successfully to my VPN 
provider's server:

2021-11-20 09:18:08 us=74921 Outgoing Data Channel: Cipher 'AES-256-GCM' 
initialized with 256 bit key
2021-11-20 09:18:08 us=74956 Incoming Data Channel: Cipher 'AES-256-GCM' 
initialized with 256 bit key
2021-11-20 09:18:08 us=75010 net_route_v4_best_gw query: dst 0.0.0.0
2021-11-20 09:18:08 us=75225 net_route_v4_best_gw result: via 192.168.0.1 dev 
enp850kd
2021-11-20 09:18:08 us=75299 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 
IFACE=enp850kd HWADDR=25:d3:a1:0e:6c:13

Am I correct to say that my VPN provider can store personally identifiable 
information such as IFACE and HWADDR to fingerprint me?

To mitigate the fingerprinting, is it possible to prevent the details of IFACE 
and HWADDR from being transmitted to my VPN provider?

Regards.

Stella


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] Unable to locate the .deb package of OpenVPN 2.5.4 for Debian 11/Bullseye

[Stella Ashburne]

Hello David

Thanks for your clarification.

> Sent: Wednesday, October 13, 2021 at 4:37 PM
> From: "David Sommerseth" 
> To: "Mathias Jeschke" 
> Cc: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] Unable to locate the .deb package of OpenVPN 
> 2.5.4 for Debian 11/Bullseye
>
>
> OpenVPN 2.x, OpenVPN 3.x are "generations".  OpenVPN 2.x is written in
> C, OpenVPN 3 is a "brand new" (it's been available for about 10 years)
> implementation written in C++.
>
> OpenVPN 2.4, 2.5 as well as OpenVPN 3.5, 3.6 are major releases.  This
> is where new features and more intrusive internal code changes happens.
>
> OpenVPN 2.5.1, 2.5.2, 2.5.3 as well as OpenVPN 3.6.1, 3.6.2 are minor
> releases.  This is where security and bugfixes typically happens in
> released versions.  Occasionally we might add minor features or other
> related improvements to ensure better backwards compatibility with newer
> OpenVPN major releases.
>
>
> To summarize:  OpenVPN X.Y.Z
>
>  X = Generation(implementation platform)
>  Y = Major version (feature releases)
>  Z = Minor version (bug/security fixes)
>
>
May I suggest that your clarification in your reply be included in the web page 
(URL: 
https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos?_ga=2.190564834.834709539.1634296076-1437631519.1634296076&__cf_chl_jschl_tk__=pmd_SqElzWxjXmYdlsS3WCW.lfJQh4qDowmIRmK4X27I1dE-1634296100-0-gqNtZGzNAmWjcnBszQhR).
 Said page is awfully out of date. There is no mention of Debian Bullseye 
whatsoever. Mentions of "Wheezy" and "Jessie" should be erased.

Best regards.

Stella




___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] Unable to locate the .deb package of OpenVPN 2.5.4 for Debian 11/Bullseye

[Stella Ashburne]

Hello David

Thanks for your detailed explanation. I really appreciate it.

> Sent: Wednesday, October 13, 2021 at 4:26 PM
> From: "David Sommerseth" 
> To: "Stella Ashburne" , openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] Unable to locate the .deb package of OpenVPN 
> 2.5.4 for Debian 11/Bullseye
>
>
> - Major updates of a package (for OpenVPN, that means 2.4->2.5,
> 2.5->2.6, etc), these happens in the major distribution releases (like
> Debian 10 to Debian 11)
>
> - Minor updates of a package (for OpenVPN: 2.5.1->2.5.2->2.5.3, etc) can
> be handled in two ways.
>
> a) Update to the upstream minor release; which is what I do for
>Fedora/Fedora EPEL/Fedora Copr repositories.  This updates the
>package version number in the package.
>
> b) Backport important fixes from newer releases to the current one in
>the distribution.  This keeps the upstream version but updates the
>"build" number.  This is very common for Debian/Ubuntu, as well as
>for enterprise distributions such as Red Hat Enterprise
>Linux and CentOS.
>
> Both these approaches gives you a reliable and up-to-date version.
> Method b) often results in smaller changes being applied, so the
> stability can often be more predictable - but it depends on how good
> the package maintainer is.  The OpenVPN package maintainer for Debian
> packages (which ends up in Ubuntu too) are well maintained.
>
>
> Using the OpenVPN community provided packages is commonly more useful
> when the distro provided version is based on an older OpenVPN major
> release.  If there are no new features you require in the community
> provided repository, using the standard distro repository might be more
> than good enough.
>
> On the other hand, it might take a bit longer for a distribution
> repository to get an updated package compared to using the community
> provided packages.
>
Debian gets a major release about once every two years and the OpenVPN package 
is somewhat outdated.


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] Unable to locate the .deb package of OpenVPN 2.5.4 for Debian 11/Bullseye

[Stella Ashburne]

Hi Mathias

> Sent: Sunday, October 10, 2021 at 11:20 PM
> From: "Mathias Jeschke" 
> To: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] Unable to locate the .deb package of OpenVPN 
> 2.5.4 for Debian 11/Bullseye
>
> As this mailing list indicates I'm just an openvpn *user*

There are some developers here who answer questions posed by users.


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] Unable to locate the .deb package of OpenVPN 2.5.4 for Debian 11/Bullseye

[Stella Ashburne]

Hi Mathias

Thanks for your clarification.

> Sent: Sunday, October 10, 2021 at 12:42 AM
> From: "Mathias Jeschke" 
> To: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] Unable to locate the .deb package of OpenVPN 
> 2.5.4 for Debian 11/Bullseye
>
>
> That might not work, if the package dependencies (libc, libssl, etc.)
> differed of those for bullseye. Anyways, the differences between 2.5.4
> (openvpn community) and 2.5.1 (debian) are small - see:
> https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25
>
I am just curious: are you an OpenVPN developer on Microsoft Windows OS? Linux 
distro?

Best regards.

Stella


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] Unable to locate the .deb package of OpenVPN 2.5.4 for Debian 11/Bullseye

[Stella Ashburne]

Hi Mathias

> Sent: Friday, October 08, 2021 at 3:00 PM
> From: "Mathias Jeschke" 
> To: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] Unable to locate the .deb package of OpenVPN 
> 2.5.4 for Debian 11/Bullseye
>
>
> What is wrong with the Debian package from the official repo?
> https://packages.debian.org/bullseye/openvpn
>
> Do you really need 2.5.4 instead of 2.5.1?
>
Your questions are really pertinent.

For as long as I can remember, the person who built and released the community 
versions of OpenVPN also released them for Debian. That person preceded our 
friend, Samuli. I just went with whatever was offered by that person and then 
Samuli.

You asked me: "Do you really need 2.5.4 instead of 2.5.1?" I myself am unable 
to answer it.

Perhaps you can help me to understand what I do by answering my questions. They 
are:

1. What do I stand to lose/gain if I use 2.5.1 (from Debian's official repos)?

2. What do I stand to lose/gain if I use 2.5.3 (from Samuli's repos)?

In the meantime, while I wait for Samuli to offer the 2.5.4 version for Debian, 
can I use version 2.5.3 for buster on Debian 11? (For your info, I am using 
version 2.5.3 for Debian Buster/10 on my Debian Bullseye/11).

Best regards.

Stella




___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] Unable to locate the .deb package of OpenVPN 2.5.4 for Debian 11/Bullseye

[Stella Ashburne]

Hi Samuli

> Sent: Friday, October 08, 2021 at 3:40 PM
> From: "Samuli Seppänen" 
> To: "Marc-Christian Petersen" , 
> "openvpn-users@lists.sourceforge.net" 
> Subject: Re: [Openvpn-users] Unable to locate the .deb package of OpenVPN 
> 2.5.4 for Debian 11/Bullseye
>
> Hi,
> 
> Please try this one out:
> 
> https://build.openvpn.net/downloads/temp/openvpn_2.5.4-bullseye0_amd64.deb
> 
> It is completely untested right now, but "it should work".
>

How should I test it? What bugs should I look for?

> Something between 2.5.3 and 2.5.4 apparently broke our builds. 
> 

Were you referring to the Debian 10 build? The Debian 11 build is OK except 
that it's completely untested, is that right?



___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] Unable to locate the .deb package of OpenVPN 2.5.4 for Debian 11/Bullseye

[Stella Ashburne]

Hi Samuli

> Sent: Friday, October 08, 2021 at 2:38 PM
> From: "Samuli Seppänen" 
> To: "Marc-Christian Petersen" , 
> "openvpn-users@lists.sourceforge.net" 
> Subject: Re: [Openvpn-users] Unable to locate the .deb package of OpenVPN 
> 2.5.4 for Debian 11/Bullseye
>
> There are no Debian 11 packages yet. I'll try to create them now. 
> Usually the process is smooth, but sometimes there are challenges.
> 
> Samuli
> 
> 
My intention when I wrote my original post was not to rush you. I hope you do 
not take it the wrong way.

I know that you are doing your best for the OpenVPN community and I appreciate 
your time and effort.

Stella


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] Unable to locate the .deb package of OpenVPN 2.5.4 for Debian 11/Bullseye

[Stella Ashburne]

Hi Marc

> Sent: Friday, October 08, 2021 at 2:35 PM
> From: "Marc-Christian Petersen" 
> To: "openvpn-users@lists.sourceforge.net" 
> 
> Subject: Re: [Openvpn-users] Unable to locate the .deb package of OpenVPN 
> 2.5.4 for Debian 11/Bullseye
>
> I think the packages are not there, neither for Bullseye nor Buster. Packages 
> file is missing 2.5.4
>
> Stretch is there ...
>
Stretch is so old-schoolAs the subject line states, I use Debian 11.


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Re: [Openvpn-users] [SPAM] [ext] Unable to locate the .deb package of OpenVPN 2.5.4 for Debian 11/Bullseye

[Stella Ashburne]

Hi Ralf

> Sent: Friday, October 08, 2021 at 1:38 PM
> From: "Ralf Hildebrandt" 
> To: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] [SPAM] [ext] Unable to locate the .deb package 
> of OpenVPN 2.5.4 for Debian 11/Bullseye
>
>
> Use https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
>
> Ralf Hildebrandt

After clicking the link that you provided in your reply, there's no repo for 
Debian Bullseye/11.

Stella


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

[Openvpn-users] Unable to locate the .deb package of OpenVPN 2.5.4 for Debian 11/Bullseye

[Stella Ashburne]

Hi

After I clicked the link 
https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos%3E mentioned in 
Samuli's post 
https://sourceforge.net/p/openvpn/mailman/openvpn-users/?viewmonth=202110, an 
error message Trac Error appeared.

I wish to download and install the Debian package of OpenVPN 2.5.4 
(11/Bullseye).

Could someone point me to a link that works please? Thanks.


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users