[Openvpn-devel] bug stopping the use of mssfix/fragment in udp+tcp configs?

2010-07-13 Thread Jason Haar
Hi there

I have just looked at the current 2.2 git code and the bug blocking the
use of udp+tcp combination configs when you want to use mssfix/fragment 
is still present. See
https://community.openvpn.net/openvpn/wiki/Topics-2010-04-22 for
references.

By that I mean I cannot use fragment/mssfix even within a udp
"" profile - as the tcp profiles that follow trigger openvpn
to error.

Is that planned to be fixed? With it, an openvpn config can contain udp,
tcp and tcp-via-auto-proxy "" profiles - leading to the best
opportunity for openvpn "escaping" from almost any network imaginable -
without user intervention.

Thanks!

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

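As an added illustration (not part of Jason's message or of the OpenVPN project's own documentation) of the kind of client config his request is about, here is one file with three fallback profiles in the order they would be tried. The hostnames, port numbers and the proxy address are assumptions, and the auto-detected proxy he mentions is stood in for by an explicit http-proxy entry. With the bug described above, openvpn refuses to start on this file, because the tcp profiles that follow the udp one make it error out on the fragment/mssfix lines even though those lines apply to the udp profile only.

```text
# Client config with three <connection> profiles, tried in order.
# Hostnames, ports and the proxy address below are assumptions.
client
dev tun
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key

# 1. Plain UDP on the standard port: the fast path.  fragment/mssfix
#    only make sense for UDP, so they belong inside this profile.
<connection>
remote vpn.example.com 1194 udp
fragment 1300
mssfix 1300
</connection>

# 2. Direct TCP on 443 for networks that block UDP.
<connection>
remote vpn.example.com 443 tcp
</connection>

# 3. TCP on 443 through an HTTP proxy for networks that only allow
#    proxied web traffic.  (The message refers to an auto-detected proxy;
#    an explicit one is used here as an assumption.)
<connection>
remote vpn.example.com 443 tcp
http-proxy proxy.example.com 3128
</connection>
```

The point of keeping fragment/mssfix inside profile 1 rather than at top level is that they then never apply to the tcp profiles, which is exactly the configuration the message says the current code rejects.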



Re: [Openvpn-devel] bug stopping the use of mssfix/fragment in udp+tcp configs?

2010-07-13 Thread David Sommerseth
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 13/07/10 11:07, Jason Haar wrote:
> Hi there
> 
> I have just looked at the current 2.2 git code and the bug blocking the
> use of udp+tcp combination configs when you want to use mssfix/fragment 
> is still present. See
> https://community.openvpn.net/openvpn/wiki/Topics-2010-04-22 for
> references.
> 
> By that I mean I cannot use fragment/mssfix even within a udp
> "" profile - as the tcp profiles that follow trigger openvpn
> to error.
> 
> Is that planned to be fixed? With it, an openvpn config can contain udp,
> tcp and tcp-via-auto-proxy "" profiles - leading to the best
> opportunity for openvpn "escaping" from almost any network imaginable -
> without user intervention.
> 

Hi Jason!

Thank you for bringing this up again!  It most definitely has fallen
off our radar for a little while again.  I'll make sure to put this
into a Trac ticket so that we won't forget it so easily again.

Having said that, this feature change will most probably not hit the 2.2
release *unless* somebody is able to bring a patch to the mailing
list soon enough to get it reviewed and accepted into the -testing tree.
 We've just recently put together the beta2.2 branch (and I will need to
redo the branch once more, unfortunately) so _no doors are closed yet_.
 But I really hope we can reach a release candidate long before the end
of this year; that is the point where we most probably will put a strict
feature change policy in place.

You might be worried that this fix might not come before 2.3, and be
even more worried about when that release will come.  I can assure you
that I will work hard to get the release process going quicker *without*
jeopardising the stability OpenVPN does have.

OpenVPN is one of those few remarkable pieces of software where not
everything might work as expected - but despite that, OpenVPN is really
rock solid and reliable.  This is not something we can or will
sacrifice.  Stability is our primary goal.

But after all ... *We can use your help* ... So whoever has the
possibility to write some code, review code, test our -testing tree ...
*Please* raise your hand on the mailing list or join the #openvpn-devel
meetings[1] and tell us how you would like to help out!  With even more
participation from even more people, we can get the release cycle going
smoother - and hopefully much quicker.


kind regards,

David Sommerseth


[1] 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkw8OQYACgkQDC186MBRfrqrywCfSpXsMXyTQjuHBMNMdtiTxR6X
jp4AnjSItLWj/7Y5Q4OPjEVX3eYBN8Kp
=bS4a
-----END PGP SIGNATURE-----



[Openvpn-devel] [PATCH] Fix multiple configured scripts conflicts issue

2010-07-13 Thread David Sommerseth
This is a fix for trac ticket #20, which was started in the sf.net bug
tracker:

The implemented solution is to give a warning for each of the different
script hooks available.  The last configured script will override any
earlier configured scripts, to ensure that the command line can override
the configuration file.

Signed-off-by: David Sommerseth 
---
 options.c |   36 
 1 files changed, 36 insertions(+), 0 deletions(-)

diff --git a/options.c b/options.c
index b78158e..9bbb51e 100644
--- a/options.c
+++ b/options.c
@@ -3877,6 +3877,10 @@ add_option (struct options *options,
   VERIFY_PERMISSION (OPT_P_SCRIPT);
   if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
+  if (options->ipchange) {
+   msg (M_WARN, "Multiple --ipchange scripts defined.  "
+"The previously configured script is overridden.");
+  }
   options->ipchange = string_substitute (p[1], ',', ' ', &options->gc);
 }
   else if (streq (p[0], "float"))
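Review bot: the same four-line warn-then-overwrite block is pasted into nine option branches with only the field and the option name changed, so the next script hook added to options.c will silently miss the warning; a small helper such as `warn_multiple_script_option (const char *opt)` (or a macro) called as `if (options->ipchange) warn_multiple_script_option ("--ipchange");` keeps the nine sites to one line each and gives one place to change the wording. Also, the `if (options->ipchange) {` with the brace on the same line does not follow the brace style of the surrounding code in this file (compare the lone `}` and `else if` lines that close each branch).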
@@ -3923,6 +3927,10 @@ add_option (struct options *options,
   VERIFY_PERMISSION (OPT_P_SCRIPT);
   if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
+  if (options->up_script) {
+   msg (M_WARN, "Multiple --up scripts defined.  "
+"The previously configured script is overridden.");
+  }
   options->up_script = p[1];
 }
   else if (streq (p[0], "down") && p[1])
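Review bot: the warning fires even when the repeated value is identical, e.g. `up /etc/openvpn/up.sh` in a config file and the same path restated on the command line, which is exactly the command-line-restates-config case the commit message wants to support, so the warning will be noise there; consider `if (options->up_script && !streq (options->up_script, p[1]))` (streq is already used throughout this file) so only a real override warns. The same applies to the other eight sites in this patch.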
@@ -3930,6 +3938,10 @@ add_option (struct options *options,
   VERIFY_PERMISSION (OPT_P_SCRIPT);
   if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
+  if (options->down_script) {
+   msg (M_WARN, "Multiple --down scripts defined.  "
+"The previously configured script is overridden.");
+  }
   options->down_script = p[1];
 }
   else if (streq (p[0], "down-pre"))
@@ -4598,6 +4610,10 @@ add_option (struct options *options,
   VERIFY_PERMISSION (OPT_P_SCRIPT);
   if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
+  if (options->route_script) {
+   msg (M_WARN, "Multiple --route-up scripts defined.  "
+"The previously configured script is overridden.");
+  }
   options->route_script = p[1];
 }
   else if (streq (p[0], "route-noexec"))
@@ -4927,6 +4943,10 @@ add_option (struct options *options,
  msg (msglevel, "--auth-user-pass-verify requires a second parameter 
('via-env' or 'via-file')");
  goto err;
}
+  if (options->auth_user_pass_verify_script) {
+   msg (M_WARN, "Multiple --auth-user-pass-verify scripts defined.  "
+"The previously configured script is overridden.");
+  }
   options->auth_user_pass_verify_script = p[1];
 }
   else if (streq (p[0], "client-connect") && p[1])
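Review bot: a repeated --auth-user-pass-verify replaces the via-env/via-file mode chosen by its second parameter as well as the script path (the error text just above shows both are parsed in this branch), but the warning only says the script is overridden; say "script and mode" or print the old and new values so an operator who accidentally switched from via-file to via-env can see it in the log. The placement after the second-parameter check is right, since a malformed duplicate still errors out before any warning is printed.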
@@ -4934,6 +4954,10 @@ add_option (struct options *options,
   VERIFY_PERMISSION (OPT_P_SCRIPT);
   if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
+  if (options->client_connect_script) {
+   msg (M_WARN, "Multiple --client-connect scripts defined.  "
+"The previously configured script is overridden.");
+  }
   options->client_connect_script = p[1];
 }
   else if (streq (p[0], "client-disconnect") && p[1])
@@ -4941,6 +4965,10 @@ add_option (struct options *options,
   VERIFY_PERMISSION (OPT_P_SCRIPT);
   if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
+  if (options->client_disconnect_script) {
+   msg (M_WARN, "Multiple --client-disconnect scripts defined.  "
+"The previously configured script is overridden.");
+  }
   options->client_disconnect_script = p[1];
 }
   else if (streq (p[0], "learn-address") && p[1])
@@ -4948,6 +4976,10 @@ add_option (struct options *options,
   VERIFY_PERMISSION (OPT_P_SCRIPT);
   if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
+  if (options->learn_address_script) {
+   msg (M_WARN, "Multiple --learn-address scripts defined.  "
+"The previously configured script is overridden.");
+  }
   options->learn_address_script = p[1];
 }
   else if (streq (p[0], "tmp-dir") && p[1])
@@ -5708,6 +5740,10 @@ add_option (struct options *options,
   VERIFY_PERMISSION (OPT_P_SCRIPT);
   if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT))
goto err;
+  if (options->tls_verify) {
+   msg (M_WARN, "Multiple --tls-verify scripts defined.  "
+"The previously configured script is overridden.");
+  }
   options->tls_verify = string_substitute (p[1], ',', ' ', &options->gc);
 }
   else if (streq (p[0], "tls-remote") && p[1])
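Review bot: the warning would be far more actionable if it named the previous and the new script, e.g. `msg (M_WARN, "Multiple --tls-verify scripts defined: '%s' overrides '%s'.", p[1], options->tls_verify);` (for this branch the old value is available before the string_substitute call). Without it an operator reading a server log cannot tell which of the two hooks was dropped, and for --tls-verify that decides whether the extra certificate checks they expect are actually enforced. Applies to all nine sites.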
-- 
1.7.1.1
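As an added illustration of the "last configured script wins, with a warning" semantics the commit message describes, and not OpenVPN code or part of the patch above, the table-driven sketch below applies a constructed stream of options in config-file-then-command-line order. Only a handful of the hook names the patch touches are modelled; the struct layout, the return-code convention and the choice to stay silent when an identical value is repeated are this example's own assumptions (the patch itself warns on any repetition).

```c
/* Added example, not OpenVPN code: a minimal "last script wins, warn on
 * override" option setter over a constructed option stream. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Script hooks modelled here (assumption: a subset of the patch's nine). */
struct script_opts {
    const char *up;
    const char *down;
    const char *route_up;
    const char *tls_verify;
};

struct hook_entry {
    const char *name;   /* option name as written in a config file */
    size_t offset;      /* where the script string lives in script_opts */
};

static const struct hook_entry hooks[] = {
    { "up",         offsetof(struct script_opts, up) },
    { "down",       offsetof(struct script_opts, down) },
    { "route-up",   offsetof(struct script_opts, route_up) },
    { "tls-verify", offsetof(struct script_opts, tls_verify) },
};

/* Apply one "name value" option.  Returns 1 if an earlier, different value
 * was overridden (a warning is printed), 0 if set without a warning, and
 * -1 if name is not a script hook known to this table. */
int set_script_option(struct script_opts *o, const char *name, const char *value)
{
    size_t i;
    for (i = 0; i < sizeof hooks / sizeof hooks[0]; i++) {
        const char **slot;
        if (strcmp(hooks[i].name, name) != 0)
            continue;
        slot = (const char **)((char *)o + hooks[i].offset);
        if (*slot != NULL && strcmp(*slot, value) != 0) {
            /* Name both values: the log should show what was dropped. */
            fprintf(stderr, "WARNING: Multiple --%s scripts defined: "
                    "'%s' overrides '%s'.\n", name, value, *slot);
            *slot = value;
            return 1;
        }
        /* First definition, or an identical repetition (silent by this
         * example's assumption; the patch warns on any repetition). */
        *slot = value;
        return 0;
    }
    return -1;
}

/* Apply an ordered stream of options (config-file lines first, then the
 * command-line options that follow --config) and return the warning count. */
int apply_option_stream(struct script_opts *o, const char *const (*stream)[2], size_t n)
{
    size_t i;
    int warnings = 0;
    for (i = 0; i < n; i++) {
        if (set_script_option(o, stream[i][0], stream[i][1]) == 1)
            warnings++;
    }
    return warnings;
}

/* Constructed sample: a config file defining three hooks, followed by two
 * command-line options, one overriding --up and one repeating --down. */
static const char *const sample_stream[][2] = {
    { "up",       "/etc/openvpn/up.sh" },
    { "down",     "/etc/openvpn/down.sh" },
    { "route-up", "/etc/openvpn/route-up.sh" },
    { "up",       "/usr/local/bin/up-debug.sh" },   /* real override: warns */
    { "down",     "/etc/openvpn/down.sh" },         /* identical: silent   */
};

struct script_opts sample_result;

/* Runs the sample stream into sample_result; returns the warning count. */
int run_sample(void)
{
    memset(&sample_result, 0, sizeof sample_result);
    return apply_option_stream(&sample_result, sample_stream,
                               sizeof sample_stream / sizeof sample_stream[0]);
}

int main(void)
{
    int w = run_sample();
    printf("warnings=%d up=%s down=%s route-up=%s\n", w, sample_result.up,
           sample_result.down, sample_result.route_up);
    return 0;
}
```

Running it prints one warning (for the --up override) and shows the command-line value winning for --up while --down keeps the value both sources agreed on; the table makes adding a hook a one-line change rather than another copy of the check.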