[Openvpn-devel] Fw: Re: [Openvpn-users] Problem with service on windows server
Forwarding to openvpn-devel, as requested. CC'ing -users FTR.

--- Original Message ---
On Tuesday, June 28th, 2022 at 02:59, Selva Nair wrote:

> Hi,
>
> > > the \\config-auto folder is only created if the 'openVPN Service' is
> > > selected *manually* during installation.
> > > We need to install the automatic service without manual intervention.
>
> Is this also the behaviour on a fresh install instead of an update? The
> logic for installing the service was complicated from start because we
> wanted to detect when automatic service should be set to autostart, migrate
> configs into config-auto if required etc. during an update. But, in the
> process, it seems we have somehow ended up not installing it by default.
>
> Actually, always installing and even setting its startup to auto should be
> safe now as we have a folder exclusively meant for auto-start ones
> (config-auto). This was not the case with older versions.
>
> Selva
>
> > However, the 'Interactive-Service' *is* installed by default.
> >
> > This feels *needlessly* complicated.
> >
> > As a long-time Windows user, I am much more accustomed to turning options
> > which I do not want OFF than I am turning options which I do want ON.
> >
> > Also, the installer does not have the customary:
> > * FULL (Default)
> > * Standard - This could be renamed 'CLIENT ONLY', if that is the intention ..
> > * Custom - Debugging ..
> > * Advertiser sponsored - This is common enough.
> >
> > which I would normally "hope" to see from a well behaved .msi installer.
> >
> > my2c
> >
> > --- Original Message ---
> > On Monday, June 27th, 2022 at 22:49, tincantech wrote:
> >
> > > Correction: 2.5.7-I602 not 2.5.5
> > >
> > > --- Original Message ---
> > > On Monday, June 27th, 2022 at 22:35, tincantech via Openvpn-users
> > > openvpn-us...@lists.sourceforge.net wrote:
> > >
> > > > Hi,
> > > >
> > > > I must point this out:
> > > >
> > > > > > > > I am setting up an OpenVPN server on a windows server for a
> > > > > > > > client, but ran into the problem where the openvpn service in
> > > > > > > > services doesn't pick up the config files I placed into the
> > > > > > > > C:\Program Files\Openvpn\config folder.
> > > > > > > >
> > > > > > > > I can start the server from the command line just fine and also
> > > > > > > > from the openvpn-gui client, but when I start the openvpn service
> > > > > > > > in services, the service starts and stays running, but the server
> > > > > > > > isn't listening for incoming connections.
> > > >
> > > > It is not clear if the following point affects the OP, however ..
> > > >
> > > > The correct folder for auto-start is:
> > > > C:\Program Files\Openvpn\config-auto
> > > >
> > > > However, this directory and the README are not installed using
> > > > 2.5.5-I602.
> > > >
> > > > This could be due to recent changes.
> > > >
> > > > --
> >
> > ___
> > Openvpn-users mailing list
> > openvpn-us...@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/openvpn-users

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] New option --suppress-auth-cache-warning
Hi,

ref: https://forums.openvpn.net/viewtopic.php?t=34461

Food for thought..

R
Re: [Openvpn-devel] Possible bug?
Hi Magnus,

can you report this as an issue on github, please ?
https://github.com/OpenVPN/easy-rsa/issues

My first guess would be the version of openssl 3.0.1 is at fault.

Thanks,
Richard

Sent with Proton Mail secure email.

--- Original Message ---
On Thursday, August 18th, 2022 at 02:37, Magnus Larsson via Openvpn-devel wrote:

> Hi,
> I just moved from Ubuntu 20.04 LTS (where the exact command works fine and
> does not prompt for pass phrase) to Red Hat Enterprise Linux 9 and installed
> Easy-RSA via EPEL.
>
> When I run ./easyrsa build-ca nopass as root, it still prompts for PEM pass
> phrase:
>
> # ./easyrsa build-ca nopass
> Using SSL: openssl OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)
> Enter PEM pass phrase:
> Enter PEM pass phrase:
> Enter PEM pass phrase:
> Enter PEM pass phrase:
> 80DB8DBF7D7F:error:0480006D:PEM routines:PEM_def_callback:problems getting password:crypto/pem/pem_lib.c:62:
> 80DB8DBF7D7F:error:07880109:common libcrypto routines:do_ui_passphrase:interrupted or cancelled:crypto/passphrase.c:175:
> 80DB8DBF7D7F:error:1C80009F:Provider routines:p8info_to_encp8:unable to get passphrase:providers/implementations/encode_decode/encode_key2any.c:116:
>
> # ./easyrsa --version
> EasyRSA Version Information
> Version: 3.0.8
> Generated: Wed Sep 9 15:59:45 CDT 2020
> SSL Lib: OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)
> Git Commit: f12e00e53b4f486ce3d119ca429198780fa694ac
> Source Repo: https://github.com/OpenVPN/easy-rsa
>
> # ls -l
> total 8
> lrwxrwxrwx 1 root root   29 Aug 17 18:56 easyrsa -> /usr/share/easy-rsa/3/easyrsa
> lrwxrwxrwx 1 root root   41 Aug 17 18:56 openssl-easyrsa.cnf -> /usr/share/easy-rsa/3/openssl-easyrsa.cnf
> drwx------ 9 root root 4096 Aug 17 20:10 pki
> -rw-r--r-- 1 root root  332 Aug 17 18:56 vars
> lrwxrwxrwx 1 root root   36 Aug 17 18:56 vars.example -> /usr/share/doc/easy-rsa/vars.example
> lrwxrwxrwx 1 root root   32 Aug 17 18:56 x509-types -> /usr/share/easy-rsa/3/x509-types
>
> # cat /etc/os-release
> NAME="Red Hat Enterprise Linux"
> VERSION="9.0 (Plow)"
> ID="rhel"
> ID_LIKE="fedora"
> VERSION_ID="9.0"
> PLATFORM_ID="platform:el9"
> PRETTY_NAME="Red Hat Enterprise Linux 9.0 (Plow)"
> ANSI_COLOR="0;31"
> LOGO="fedora-logo-icon"
> CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
> HOME_URL="https://www.redhat.com/"
> DOCUMENTATION_URL="https://access.redhat.com/documentation/red_hat_enterprise_linux/9/"
> BUG_REPORT_URL="https://bugzilla.redhat.com/"
>
> REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
> REDHAT_BUGZILLA_PRODUCT_VERSION=9.0
> REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
> REDHAT_SUPPORT_PRODUCT_VERSION="9.0"
>
> # dnf repolist
> Updating Subscription Management repositories.
> repo id                                   repo name
> codeready-builder-for-rhel-9-x86_64-rpms  Red Hat CodeReady Linux Builder for RHEL 9 x86_64 (RPMs)
> epel                                      Extra Packages for Enterprise Linux 9 - x86_64
> rhel-9-for-x86_64-appstream-rpms          Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs)
> rhel-9-for-x86_64-baseos-rpms             Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)
>
> # getenforce
> Disabled
>
> # uname -a
> Linux test 5.14.0-70.22.1.el9_0.x86_64 #1 SMP PREEMPT Tue Aug 2 10:02:12 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux
>
> Let me know if you need additional information.
>
> Thanks,
> Magnus
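As an added example (this is not Easy-RSA code, and it is not a diagnosis of Magnus's report, only a way to confirm what "nopass" is supposed to produce), the following POSIX shell script builds a CA by calling openssl directly, picks the "no encryption" flag that matches the OpenSSL in use (`-noenc` on 3.x, `-nodes` before that), and then verifies from the PEM headers that the key on disk is really unencrypted. The 10-year lifetime, RSA-2048 and the pki/private layout are choices made here, not Easy-RSA's.

```shell
#!/bin/sh
# Added example, not Easy-RSA code: build a passphrase-less CA by calling
# openssl directly, choosing the "no encryption" flag for the OpenSSL in use,
# and verify afterwards that the key on disk really is unencrypted.  Any
# "Enter PEM pass phrase:" prompt means the flag did not reach openssl.
set -eu

# Exit 0 if PEM file $1 holds an encrypted private key, 1 otherwise.
# PKCS#8 encrypted keys use "BEGIN ENCRYPTED PRIVATE KEY"; legacy PEM
# encryption (RSA PRIVATE KEY with DEK-Info) carries "Proc-Type: 4,ENCRYPTED".
key_is_encrypted() {
    grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# Map an "openssl version" string to the flag that suppresses key encryption.
# OpenSSL 3.x introduced -noenc; -nodes is the older spelling and is kept by
# 3.x only as a deprecated alias.  Taking the string as an argument keeps
# the function testable without openssl installed.
noenc_flag() {
    case "$1" in
        "OpenSSL 3."*) echo '-noenc' ;;
        *)             echo '-nodes' ;;
    esac
}

# Create $1/private/ca.key and $1/ca.crt for CN "$2" without ever prompting.
# -batch suppresses the interactive DN questions; umask keeps the key 0600.
build_ca_nopass() {
    dir=$1
    cn=$2
    flag=$(noenc_flag "$(openssl version)")
    umask 077
    mkdir -p "$dir/private"
    openssl req -batch -new -x509 -days 3650 -newkey rsa:2048 "$flag" \
        -subj "/CN=$cn" -keyout "$dir/private/ca.key" -out "$dir/ca.crt"
    if key_is_encrypted "$dir/private/ca.key"; then
        echo "ERROR: $dir/private/ca.key is encrypted despite nopass" >&2
        return 1
    fi
    echo "CA written to $dir (unencrypted key in $dir/private/ca.key)"
}

# Usage: sh build-ca-nopass.sh /path/to/pki "My CA"   (needs openssl in PATH)
if [ "$#" -eq 2 ]; then
    build_ca_nopass "$1" "$2"
fi
```

The check at the end is the part worth keeping around: a CA key that silently ended up encrypted (or, worse, unencrypted when a passphrase was intended) is exactly the kind of thing a tool upgrade such as an OpenSSL major version change can produce without any error on the console.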
Re: [Openvpn-devel] [PATCH v5 2/3] Allow setting control channel packet size with max-packet-size
Hi,

Plus one more typo.

Sent with Proton Mail secure email.

--- Original Message ---
On Thursday, October 20th, 2022 at 11:05, Arne Schwabe wrote:

> diff --git a/src/openvpn/common.h b/src/openvpn/common.h
> index b94680885..dce6fd01d 100644
> --- a/src/openvpn/common.h
> +++ b/src/openvpn/common.h
> @@ -68,6 +68,19 @@ typedef unsigned long ptr_type;
>  /
>  #define TLS_CHANNEL_BUF_SIZE 2048
>
> +/ TLS control buffer minimum size. This size is not actually inherent to
> + * the OpenVPN protocol. But with our current sending window being 6 and the
> + * receive window being 8 or 12 depending on the OpenVPN version, the biggest
> + * payload we can send is 6 * min_size. And we need to support to send payloads
> + * of TLS_CHANNEL_BUF_SIZE. Splitting this into more than
> + * 6 packets (with overhead) would complicate our sending logic a lot more.
> + * Diving TLS_CHANNEL_BUF_SIZE (2048) by 6 gets us ~342 byte. Allowing for

Diving -> Dividing

> + * ~100 bytes of overhead (in OpenVPN headers + IP headers) and rounding
> + * up to the next "nice" number gives use 512.
> + *
> + * /
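Review bot: two more wording problems in the comment block this hunk adds below TLS_CHANNEL_BUF_SIZE in common.h, besides the "Diving" already noted: "And we need to support to send payloads" should read "And we need to be able to send payloads", and "gives use 512" should read "gives us 512". The arithmetic also skips its middle step; writing it out ("~342 + ~100 bytes of overhead is ~442, rounded up to 512") makes the 512 traceable without the reader redoing it. Finally, the comment delimiters appear here as a bare "/" on the opening line and as "+ * /" on the closing line; confirm the real patch carries "/**" and "*/" so the header still compiles.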
Re: [Openvpn-devel] IRC community meeting summary (Feb 14th)
Hi,

On Wednesday, 14 February 2024 at 15:22, Frank Lichtenheld wrote:

> Meeting summary for 14 February 2024:
> * New: Easy-rsa in Windows installers
> easy-rsa has included pre-built Windows binaries for a long time. But with
> Windows 11 they do not seem to work correctly anymore in some cases.

Just to clarify:

Easy-RSA works perfectly as-is on W10 & W11 but requires Windows Admin access.

Without Windows Admin Access, Easy-RSA on W11 does not work with the now
10 year old MKSH:sh.exe

This is annoying but it isn't a complete deal-breaker.

Regards
tct
--
Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.
Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Friday, 2 April 2021 19:35, Simon Matter wrote:

> > Commit 8fa8a17528c001a introduces "compress migrate" to move old clients
> > that have "compress" or "comp-lzo" in their config towards a connection
> > without compression. This is done by looking at incoming OCC strings
> > to see if the client has compression enabled, and at incoming IV_
> > strings to see whether it can do "compress stub-v2" or needs to be sent
> > "comp-lzo no".
>
> Hi,
>
> What I'm still wondering is why is compression so dangerous with OpenVPN
> but not so with things like SSH or SCP?

Simon,

I believe the detail which you have over-looked is this:

A lot of people use openvpn as a client to VPN service providers believing
things which are not true. They then surf the web with over-confidence.

In such a scenario, while pulling off such an attack on a compressed VPN
stream may seem remote, when you have such a vast number of victims to
potentially abuse, the temptation to do so and potential success rate
increase dramatically.

But I believe you need to have access to both the compressed VPN data and
the uncompressed https packets to exploit such an attack.

Still, it was shown to be a genuine attack vector nonetheless.

--
Regards
R
Re: [Openvpn-devel] [PATCH] Fix 'compress migrate' for 2.2 clients.
Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Saturday, 3 April 2021 01:43, tincantech via Openvpn-devel wrote:

> But I believe you need to have access to both the compressed VPN data
> and the uncompressed https packets to exploit such an attack.

Edit: The attacker also needs to control the https website that the victim
visits. It's a tall order .. but do you really want to argue with the sort of
people that figured out how to do it ?

> Still, it was shown to be a genuine attack vector nonetheless.
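The preconditions listed in the two messages above (attacker-controlled website, attacker can see the compressed VPN stream) are exactly the ingredients of a compression oracle. The following POSIX shell script is an added illustration, not OpenVPN code and not the published attack: gzip's DEFLATE stands in for the per-packet LZO/LZ4 that "compress migrate" is retiring, the session cookie, request layout and candidate values are all constructed, and the "observer" sees nothing but the length of the compressed output, which encryption preserves.

```shell
#!/bin/sh
# Added example, not OpenVPN code: a compression oracle in miniature, showing
# why compressing attacker-influenced data in the same packet as a secret is
# dangerous even though the packet is encrypted afterwards.  gzip (DEFLATE)
# stands in for the per-packet LZO/LZ4 that "compress migrate" turns off; the
# secret, the request layout and the candidate values are all constructed.
set -eu

# What the victim's browser adds to every request to the attacker's site
# but the attacker cannot read directly: a session cookie.
SECRET='Cookie: session=7f3a9c1e'

# Size of the compressed packet when attacker-chosen text $1 (e.g. a URL
# path the attacker's page makes the browser fetch) is compressed together
# with the secret.  Encryption preserves length, so a passive observer of
# the VPN stream learns exactly this number and nothing else.
compressed_len() {
    printf 'GET /%s HTTP/1.1\r\n%s\r\n\r\n' "$1" "$SECRET" \
        | gzip -9 -n -c | wc -c | tr -d ' '
}

# Return the candidate (arguments) whose injection shrinks the packet the
# most.  A candidate equal to the secret turns into one long DEFLATE
# back-reference instead of literals, so it wins without decrypting a byte.
best_guess() {
    best=''
    best_len=''
    for cand in "$@"; do
        len=$(compressed_len "Cookie: session=$cand")
        if [ -z "$best_len" ] || [ "$len" -lt "$best_len" ]; then
            best=$cand
            best_len=$len
        fi
    done
    printf '%s\n' "$best"
}

# The real attacks (CRIME/BREACH against TLS, VORACLE against OpenVPN) do
# this one byte at a time against a large search space; for the demo the
# candidates are known and the stream lengths alone pick out the right one.
demo() {
    for cand in deadbeef 7f3a1234 7f3a9c1e 0badf00d; do
        printf '%-10s -> %s bytes\n' "$cand" "$(compressed_len "Cookie: session=$cand")"
    done
    printf 'leaked: %s\n' "$(best_guess deadbeef 7f3a1234 7f3a9c1e 0badf00d)"
}
```

Run `demo` and the partially correct candidate (`7f3a1234`) already compresses better than the wrong ones, which is what lets the byte-at-a-time version converge. Note what the script does not need: the key, the plaintext of other packets, or any flaw in the cipher. Only the attacker's ability to put chosen bytes next to the secret before compression, which a web page can do for any browser behind the tunnel.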
Re: [Openvpn-devel] [PATCH v2] Remove P2MP mode and check for gettimeofday
Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Saturday, 3 April 2021 19:46, Arne Schwabe wrote:

> Using OpenVPN without P2MP support (pull, TLS) is unrealistic and
> building a binary without it is not something we realistically want
> to support anyway. Building P2MP support now only depends on
> HAVE_GETTIMEOFDAY or win32, which has a compat function for it.
>
> This also removes the ENABLE_SHAPER and TIME_BACKTRACK_PROTECTION
> defines, which also depend only on the HAVE_GETTIMEOFDAY or WIN32.

Is this the end of --shaper option ?
Re: [Openvpn-devel] [PATCH 11/14] Remove P2MP mode and check for gettimeofday
Before this goes any further, I doubt very much that Openvpn intends to
"Remove P2MP mode".

Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Thursday, 1 April 2021 18:27, Arne Schwabe wrote:

> On 01.04.21 at 15:13, Arne Schwabe wrote:
>
> > Using OpenVPN without P2MP support (pull, TLS) is unrealistic and
> > building a binary without it is not something we realistically want
> > to support anyway.
> > }
> >
> > - /* Check if we have forbidding options in the current mode */
> > - if (dco_enabled( &mi->context.options)
>
> Ignore this patch for now. Rebasing worked without conflicts but somehow
> still pull dco bits into it (rebase is sometimes magic )
>
> Arne
Re: [Openvpn-devel] [PATCH 2/3] Remove --ncp-disable option
Hi,

‐‐‐ Original Message ‐‐‐
On Friday, 9 April 2021 10:53, Arne Schwabe wrote:

> I am not sure how you came to that conclusion. I have written a fairly
> comprehensible documentation how NCP in 2.5 works for our manpage:
> https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/cipher-negotiation.rst
>
> That should also answer your question.

sorry for the noise but I created a quick ref. guide for cipher negotiation:
https://community.openvpn.net/openvpn/wiki/CipherNegotiation

It may be of some value to others reading this thread.

Regards
R
Re: [Openvpn-devel] make --persist-key always-on and remove "off" code path
Hi,

‐‐‐ Original Message ‐‐‐
On Friday, 9 April 2021 17:28, Gert Doering wrote:

> I do not use --persist-key, but I still restart my services after fiddling
> with configs...

Same.

To add weight here, I would estimate 95%+ of all posts on the forum, which
include a config file, have --persist-key enabled, regardless.

Regards
R
[Openvpn-devel] --tls-crypt-v2-verify env $daemon_pid
hi,

I am requesting that $daemon_pid be added to the --tls-crypt-v2-verify
environment.

FTR: $daemon_pid is currently undocumented in all three manuals.

Thanks.
R
Re: [Openvpn-devel] --tls-crypt-v2-verify env $daemon_pid
Hi,

‐‐‐ Original Message ‐‐‐
On Friday, 23 April 2021 07:13, Gert Doering wrote:

> Hi,
>
> On Thu, Apr 22, 2021 at 09:02:30PM +, tincantech via Openvpn-devel wrote:
>
> > I am requesting that $daemon_pid be added to the --tls-crypt-v2-verify
> > environment.
>
> What for?

Easy-TLS - I'll explain in more detail sometime ..

> > FTR: $daemon_pid is currently undocumented in all three manuals.
>
> It seems to be an obscure and not very useful feature.
>
> "Programs that are called from OpenVPN" can find the OpenVPN pid trivially
> by calling getppid() (or $PPID in shell).

Unfortunately, in Windows $PPID carries the PID of sh.exe being executed.
This use case is making Linux sh scripts usable in Windows.

Thanks for the PPID tip,
R
Re: [Openvpn-devel] --tls-crypt-v2-verify env $daemon_pid
Hi,

‐‐‐ Original Message ‐‐‐
On Friday, 23 April 2021 13:22, Antonio Quartulli wrote:

> Hi,
>
> On 23/04/2021 14:16, tincantech wrote:
>
> > Hi,
> >
> > ‐‐‐ Original Message ‐‐‐
> > On Friday, 23 April 2021 08:12, Antonio Quartulli a...@unstable.cc wrote:
> >
> > > Hi,
> > >
> > > On 22/04/2021 23:02, tincantech via Openvpn-devel wrote:
> > >
> > > > hi,
> > > > I am requesting that $daemon_pid be added to the --tls-crypt-v2-verify
> > > > environment.
> > >
> > > The environment for --tls-crypt-v2-verify was designed to be extremely
> > > minimal.
> > > Anything concerning tls-crypt verification was designed to be as minimal
> > > as possible.
> > >
> > > Indeed, differently from other scripts, the env for tls-crypt-v2 is
> > > created empty and then only a very few variables are added.
> > >
> > > Anything that was deemed not necessary for the metadata verification was
> > > not passed.
> >
> > I understand your reasoning, however, in the case of daemon_pid would you
> > not consider the process to be "more secure" if openvpn does provide the
> > PID in the environment, rather than have the script read the PID from a
> > file? Having to configure openvpn to write the PID and then read the PID
> > is two steps which can introduce user bound misconfiguration errors.
>
> we can't control what the user does with the script - he could do
> anything wrong and ugly, but we can't just implement shortcuts for them, no?

No. This is not a shortcut, this is OpenVPN providing a guaranteed working
environment.

I am not expecting openvpn to "control" what the user does with the script,
I am asking that ALL scripts have access to daemon_pid as an obvious and
beneficial security precaution.

All scripts ought to have access to daemon_pid for the simple reason of
ensuring the scripts run for the same server instance. Providing daemon_pid
to all scripts is the *most secure* way to do this.

There are other reasons to use --writepid, such as for completely external
processes.

> > > I can imagine you have a usecase for daemon_pid, but I am sure more
> > > people will have other arguments for other variables as well. Hence the
> > > idea to design something extremely minimal and leave more complex logics
> > > to following (post-auth) steps.
> >
> > I reviewed all the other variables for inclusion viability and, with the
> > exception of "untrusted_ip / untrusted_ip6", I came to the conclusion that
> > the only variable which does come with a genuine security bonus is
> > daemon_pid.
> > (As outlined in my previous comment)
> > As for untrusted_ip*, it definitely could be useful to --tls-crypt-v2-verify
> > but I'm not asking for that here. Perhaps on reading this other members will
> > see how it can be of benefit to the scripts versatility..
> > (The same goes for untrusted_port but that seems less useful over all)

I notice how you conveniently skipped this entire section ..

> > I would also quote that old, old expression "Security through Obscurity"
> > https://en.wikipedia.org/wiki/Security_through_obscurity
>
> It's not security through obscurity here, but it's about keeping the
> code that leads to the tls-crypt-v2-verify call as minimal as possible.

.. and went straight to this comment.

In my opinion this is security through obscurity. Withholding daemon_pid
from any script executed by openvpn is a bad decision and in the case of
--tls-crypt-v2-verify, withholding ALL other data from the script is
clearly S.T.O.

I can understand the reason to make the env minimal but this is clearly a
case of going too far.

Thus .. as above.

> This said, what is daemon_pid useful for in the tls-crypt-v2-verify
> script? Maybe a clear usecase with pro and cons could help understanding
> where this need is coming from.

You are forcing my hand:
https://github.com/TinCanTech/easy-tls

I can see absolutely no security benefit to withholding daemon_pid from
--tls-crypt-v2-verify, for the simple reason of the extra hoops a user is
forced to jump through and the security risks they are forced to take in
doing so..

As a final comment here, on the one hand openvpn chooses to enforce
cipher-negotiation "because it is more secure and helps unwary users to
configure their vpn correctly". On the other hand openvpn cannot see the
simple LOGIC of providing daemon_pid to ALL scripts launched by openvpn.

Thanks
R
Re: [Openvpn-devel] --tls-crypt-v2-verify env $daemon_pid
Hi,

‐‐‐ Original Message ‐‐‐
On Friday, 23 April 2021 08:12, Antonio Quartulli wrote:

> Hi,
>
> On 22/04/2021 23:02, tincantech via Openvpn-devel wrote:
>
> > hi,
> > I am requesting that $daemon_pid be added to the --tls-crypt-v2-verify
> > environment.
>
> The environment for --tls-crypt-v2-verify was designed to be extremely
> minimal.
> Anything concerning tls-crypt verification was designed to be as minimal
> as possible.
>
> Indeed, differently from other scripts, the env for tls-crypt-v2 is
> created empty and then only a very few variables are added.
>
> Anything that was deemed not necessary for the metadata verification was
> not passed.

I understand your reasoning, however, in the case of daemon_pid would you not
consider the process to be "more secure" if openvpn *does* provide the PID in
the environment, rather than have the script read the PID from a file?
Having to configure openvpn to write the PID and then read the PID is two
steps which can introduce user bound misconfiguration errors.

> I can imagine you have a usecase for daemon_pid, but I am sure more
> people will have other arguments for other variables as well. Hence the
> idea to design something extremely minimal and leave more complex logics
> to following (post-auth) steps.

I reviewed all the other variables for inclusion viability and, with the
exception of "untrusted_ip / untrusted_ip6", I came to the conclusion that
the *only* variable which does come with a genuine security bonus is
daemon_pid.
(As outlined in my previous comment)

As for untrusted_ip*, it definitely could be useful to --tls-crypt-v2-verify
but I'm not asking for that here. Perhaps on reading this other members will
see how it can be of benefit to the scripts versatility..
(The same goes for untrusted_port but that seems less useful over all)

I would also quote that old, old expression "Security through Obscurity"
https://en.wikipedia.org/wiki/Security_through_obscurity

> > FTR: $daemon_pid is currently undocumented in all three manuals.
>
> It'd be nice to have such documentation added :-)

I hope that you're not suggesting that I provide documentation for something
which you then refuse to allow me to use ? ;-)

Not only but also, "you give a little, you get a little" :D

In conclusion, I request that OpenVPN review their earlier decision to be so
*cruelly frugal* to --tls-crypt-v2-verify, on this one occasion.

Thanks for your informed and collective consideration,
R
[Openvpn-devel] [openvpn-devel] Feature request - Include daemon_pid in --tls-crypt-v2-verify env - V2
Hi,

I am requesting that daemon_pid be added to --tls-crypt-v2-verify env.
Version 2

Justification:

With the notable exception of --tls-crypt-v2-verify ..
daemon_pid provides a verified process ID to All scripts. This ensures that scripts which are intended to pass data along to the following scripts have an index to which they can link that data.

Example:

An example is presented in Easy-TLS:
https://github.com/TinCanTech/easy-tls

This script passes the hardware address from --tls-crypt-v2 key metadata along to --client-connect, where the pushed client variable IV_HWADDR can be matched against the fixed hardware address encrypted in the TLS Crypt V2 key metadata.

Security:

There are no known security concerns with regard to including the openvpn process ID (daemon_pid) in the --tls-crypt-v2-verify environment.

Complexity:

Ongoing support of the required code would be minimal to zero.

Code:

This patch is included for review purposes only.

diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 7b5016d3..23d93a6c 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c
@@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx, setenv_str(es, "script_type", "tls-crypt-v2-verify"); setenv_str(es, "metadata_type", metadata_type_str); setenv_str(es, "metadata_file", tmp_file); + setenv_int(es, "daemon_pid", platform_getpid()); struct argv argv = argv_new(); argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);

Conclusion:

Due to the OS in use and other environmental factors, the *nix built-in variable PPID may not always be available. Without including $daemon_pid in the --tls-crypt-v2-verify environment, openvpn is forcing the user to unnecessarily configure --writepid.

The purpose of --writepid is to advertise the openvpn process ID to external processes which do not have access to the internals of openvpn. By including daemon_pid in the --tls-crypt-v2-verify environment all processes launched by openvpn have access to this very useful identifier.

Provided there are no genuine reasons to NAK this request, I will send a correctly formatted patch.

Addendum:

I know this is something which helps me in the short term and I already have a working alternative but I would like you to reconsider your previous decision. In my opinion All scripts launched by openvpn should have immediate access to daemon_pid.
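Review bot: the hunk exports daemon_pid from tls_crypt_v2_verify_metadata() but nothing in the patch documents it, and this thread has already established that $daemon_pid is undocumented in all three manuals; the patch should carry the man page entry for daemon_pid in the script environment-variable list (stating that --tls-crypt-v2-verify now receives it as well) plus a Changes.rst note, otherwise script authors have no supported way to learn the variable exists. Since the stated goal is that every process openvpn launches sees daemon_pid, --learn-address, which the author later suspects also lacks it, should be checked and covered in the same series rather than one hook at a time.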
Thank you for your time and consideration,
R
Re: [Openvpn-devel] [openvpn-devel] Feature request - Include daemon_pid in --tls-crypt-v2-verify env - V2
Hi,

no complaints yet ?

Sent with ProtonMail Secure Email.
ProtonMail, as crap as googlemail.

‐‐‐ Original Message ‐‐‐
On Friday, 23 April 2021 22:16, tincantech via Openvpn-devel wrote:

> Hi,
>
> I am requesting that daemon_pid be added to --tls-crypt-v2-verify env.
> Version 2
>
> Justification:
>
> With the notable exception of --tls-crypt-v2-verify ..
> daemon_pid provides a verified process ID to All scripts. This ensures
> that scripts which are intended to pass data along to the following scripts
> have an index to which they can link that data.
>
> Example:
>
> An example is presented in Easy-TLS:
> https://github.com/TinCanTech/easy-tls
>
> This script passes hardware address from --tls-crypt-v2 key metadata along
> to --client-connect, where the pushed client variable IV_HWADDR can be
> matched against the fixed hardware address encrypted in the TLS Crypt V2
> key metadata.
>
> Security:
>
> There are no known security concerns with regard to including the openvpn
> process ID (daemon_pid) in the --tls-crypt-v2-verify environment.
>
> Complexity:
>
> Ongoing support of the required code would be minimal to zero.
>
> Code:
>
> This patch is included for review purposes only.
>
>
> diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c > index 7b5016d3..23d93a6c 100644 > --- a/src/openvpn/tls_crypt.c > +++ b/src/openvpn/tls_crypt.c
> @@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx > *ctx, > setenv_str(es, "script_type", "tls-crypt-v2-verify"); > setenv_str(es, "metadata_type", metadata_type_str); > setenv_str(es, "metadata_file", tmp_file); > + setenv_int(es, "daemon_pid", platform_getpid()); > > struct argv argv = argv_new(); > argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);
>
>
> Conclusion:
>
> Due to the OS in use and other environmental factors, the *nix built-in
> variable PPID may not always be available. Without including $daemon_pid in the
> --tls-crypt-v2-verify environment, openvpn is forcing the user to unnecessarily
> configure --writepid.
>
> The purpose of --writepid is to advertise the openvpn process ID to external
> processes which do not have access to the internals of openvpn. By including
> daemon_pid in the --tls-crypt-v2-verify environment all processes launched by
> openvpn have access to this very useful identifier.
>
> Provided there are no genuine reasons to NAK this request, I will send a
> correctly formatted patch.
>
> Addendum:
>
> I know this is something which helps me in the short term and I already have
> a working alternative but I would like you to reconsider your previous decision.
> In my opinion All scripts launched by openvpn should have immediate access to
> daemon_pid.
>
> Thank you for your time and consideration,
> R
[Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify script environment
Openvpn process ID (daemon_pid) provides the most secure way for scripts to verify which process they were called by.

This patch adds daemon_poid to --tls-crypt-v2-verify environment.

Tested on Linux and Windows.

diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 7b5016d3..23d93a6c 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx, setenv_str(es, "script_type", "tls-crypt-v2-verify"); setenv_str(es, "metadata_type", metadata_type_str); setenv_str(es, "metadata_file", tmp_file); +setenv_int(es, "daemon_pid", platform_getpid()); struct argv argv = argv_new(); argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script); -- git version 2.25.1

I hope my MTA has not mangled this patch but I don't currently have access to an SMTP server port. If it is borken then please ignore this and I'll find another way. Feel free to send other feedback. eg: NAK + Reason.

Thanks
R
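Review bot: the commit message's claim that daemon_pid "provides the most secure way for scripts to verify which process they were called by" does not hold for an environment variable: whatever process launches the script can set daemon_pid to any value it likes (the objection Arne raises later in this thread), so the variable tells a script which openvpn instance is calling only once the caller is already trusted. Reword it around the actual need, distinguishing the hand-off files of several daemons running on one host, and fix "daemon_poid" in the second paragraph. The submission also lacks a Signed-off-by line and any documentation change for the new variable, which the earlier discussion notes is undocumented in all three manuals.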
Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify script environment
Yeah, I forgot to apply and commit -- sorry.

I guess I'll send again if this is an acceptable patch and my MTA didn't screw it up ?
Please let me know .. thanks

‐‐‐ Original Message ‐‐‐
On Wednesday, 28 April 2021 18:44, tincantech wrote:

> Openvpn process ID (daemon_pid) provides the most secure way for
> scripts to verify which process they were called by.
>
> This patch adds daemon_poid to --tls-crypt-v2-verify environment.
>
> Tested on Linux and Windows.
>
> diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c > index 7b5016d3..23d93a6c 100644 > --- a/src/openvpn/tls_crypt.c > +++ b/src/openvpn/tls_crypt.c
> @@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx > *ctx, > setenv_str(es, "script_type", "tls-crypt-v2-verify"); > setenv_str(es, "metadata_type", metadata_type_str); > setenv_str(es, "metadata_file", tmp_file); > > - setenv_int(es, "daemon_pid", platform_getpid()); > > struct argv argv = argv_new(); > argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);
>
>
> --
>
> git version 2.25.1
>
> I hope my MTA has not mangled this patch but I don't currently have access
> to an SMTP server port. If it is borken then please ignore this and I'll find
> another way. Feel free to send other feedback. eg: NAK + Reason.
>
> Thanks
> R
Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify script environment
Looking closer, I can see that it was damaged in transit ..

Please let me know if you would be willing to accept my proposed patch and then I will persist to find a way.

If you will not accept the addition then please let me know.

Thanks
R

‐‐‐ Original Message ‐‐‐
On Wednesday, 28 April 2021 18:48, tincantech via Openvpn-devel wrote:

> Yeah, I forgot to apply and commit -- sorry.
>
> I guess I'll send again if this is an acceptable patch and my MTA didn't
> screw it up ?
> Please let me know .. thanks
>
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, 28 April 2021 18:44, tincantech tincant...@protonmail.com wrote:
>
> > Openvpn process ID (daemon_pid) provides the most secure way for
> > scripts to verify which process they were called by.
> > This patch adds daemon_poid to --tls-crypt-v2-verify environment.
> > Tested on Linux and Windows.
> > diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c > > index 7b5016d3..23d93a6c 100644 > > --- a/src/openvpn/tls_crypt.c > > +++ b/src/openvpn/tls_crypt.c
> > @@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx > > *ctx, > > setenv_str(es, "script_type", "tls-crypt-v2-verify"); > > setenv_str(es, "metadata_type", metadata_type_str); > > setenv_str(es, "metadata_file", tmp_file); > > > > - setenv_int(es, "daemon_pid", platform_getpid()); > > struct argv argv = argv_new(); > > argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);
> >
> >
> > --
> > git version 2.25.1
> > I hope my MTA has not mangled this patch but I don't currently have access
> > to an SMTP server port. If it is borken then please ignore this and I'll find
> > another way. Feel free to send other feedback. eg: NAK + Reason.
> > Thanks
> > R
Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify script environment
Not a single comment ?

‐‐‐ Original Message ‐‐‐
On Wednesday, 28 April 2021 19:03, tincantech wrote:

> Looking closer, I can see that it was damaged in transit ..
>
> Please let me know if you would be willing to accept my proposed patch and
> then I will persist to find a way.
>
> If you will not accept the addition then please let me know.
>
> Thanks
> R
>
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, 28 April 2021 18:48, tincantech via Openvpn-devel
> openvpn-devel@lists.sourceforge.net wrote:
>
> > Yeah, I forgot to apply and commit -- sorry.
> > I guess I'll send again if this is an acceptable patch and my MTA didn't
> > screw it up ?
> > Please let me know .. thanks
> > ‐‐‐ Original Message ‐‐‐
> > On Wednesday, 28 April 2021 18:44, tincantech tincant...@protonmail.com
> > wrote:
> >
> > > Openvpn process ID (daemon_pid) provides the most secure way for
> > > scripts to verify which process they were called by.
> > > This patch adds daemon_poid to --tls-crypt-v2-verify environment.
> > > Tested on Linux and Windows.
> > > diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c > > > index 7b5016d3..23d93a6c 100644 > > > --- a/src/openvpn/tls_crypt.c > > > +++ b/src/openvpn/tls_crypt.c
> > > @@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct > > > tls_wrap_ctx *ctx, > > > setenv_str(es, "script_type", "tls-crypt-v2-verify"); > > > setenv_str(es, "metadata_type", metadata_type_str); > > > setenv_str(es, "metadata_file", tmp_file); > > > > > > - setenv_int(es, "daemon_pid", platform_getpid()); > > > struct argv argv = argv_new(); > > > argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);
> > >
> > >
> > > --
> > > git version 2.25.1
> > > I hope my MTA has not mangled this patch but I don't currently have access
> > > to an SMTP server port. If it is borken then please ignore this and I'll find
> > > another way. Feel free to send other feedback. eg: NAK + Reason.
> > > Thanks
> > > R
[Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment
Under Windows, programmatically retrieving the parent process ID of the openvpn instance which called a script is practically impossible. The only sensible way, currently available, is to write a PID file.

This patch adds a single integer variable, named daemon_pid, to the script environment. The value of which is set to the openvpn process ID that called the script.

Providing this variable via the running openvpn process is more secure, faster and far less prone to user-error than using a PID file.

Signed-off-by: Richard T Bonhomme tincant...@protonmail.com

src/openvpn/tls_crypt.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 7b5016d3..23d93a6c 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx, setenv_str(es, "script_type", "tls-crypt-v2-verify"); setenv_str(es, "metadata_type", metadata_type_str); setenv_str(es, "metadata_file", tmp_file); - setenv_int(es, "daemon_pid", platform_getpid()); struct argv argv = argv_new(); argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script); -- 2.25.1

From 91baf93e62db2ed063a8c4cfdf5b6ff750ac6103 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Thu, 29 Apr 2021 16:17:06 +0100
Subject: [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment

Under Windows, programmatically retrieving the parent process ID of the openvpn instance which called a script is practically impossible. The only sensible way, currently available, is to write a PID file.

This patch adds a single integer variable, named daemon_pid, to the script environment. The value of which is set to the openvpn process ID that called the script.

Providing this variable via the running openvpn process is more secure, faster and far less prone to user-error than using a PID file.

Signed-off-by: Richard T Bonhomme
---
src/openvpn/tls_crypt.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 7b5016d3..23d93a6c 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx, setenv_str(es, "script_type", "tls-crypt-v2-verify"); setenv_str(es, "metadata_type", metadata_type_str); setenv_str(es, "metadata_file", tmp_file); +setenv_int(es, "daemon_pid", platform_getpid()); struct argv argv = argv_new(); argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script); -- 2.25.1

0001-Add-daemon_pid-to-tls-crypt-v2-verify-environment.patch.sig
Description: PGP signature
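Review bot: the inline copy of the hunk cannot be applied as shown: its only changed line reads `- setenv_int(es, "daemon_pid", platform_getpid());`, a removal, while the `@@ -537,6 +537,7 @@` header and the "1 insertion(+)" stat both describe a one-line addition; the leading `+` was lost in transit, and only the attached 0001-Add-daemon_pid-to-tls-crypt-v2-verify-environment.patch, which carries `+setenv_int(es, "daemon_pid", platform_getpid());`, is reviewable. Resend the body with git send-email, or a client that does not rewrap, so the two copies agree. On the commit message: "more secure ... than using a PID file" asserts a property an environment variable cannot provide (any caller can set it), while the concrete need that justifies the change, telling several openvpn daemons' hand-off files apart, is not stated; say that instead.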
Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment
‐‐‐ Original Message ‐‐‐
On Thursday, 29 April 2021 18:15, Richard T Bonhomme wrote:

> From: string vest stringves...@gmail.com
>
> Under Windows, programmatically retrieving the parent process ID of
> the openvpn instance which called a script is practically impossible.
> The only sensible way, currently available, is to write a PID file.
>
> This patch adds a single integer variable, named daemon_pid, to the
> script environment. The value of which is set to the openvpn process
> ID that called the script.
>
> Providing this variable via the running openvpn process is more secure,
> faster and far less prone to user-error than using a PID file.
>
> Signed-off-by: Richard T Bonhomme tincant...@protonmail.com
>
> src/openvpn/tls_crypt.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c > index 7b5016d3..23d93a6c 100644 > --- a/src/openvpn/tls_crypt.c > +++ b/src/openvpn/tls_crypt.c
> @@ -537,6 +537,7 @@ tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx > *ctx, > setenv_str(es, "script_type", "tls-crypt-v2-verify"); > setenv_str(es, "metadata_type", metadata_type_str); > setenv_str(es, "metadata_file", tmp_file); > > - setenv_int(es, "daemon_pid", platform_getpid()); > > struct argv argv = argv_new(); > argv_parse_cmd(&argv, opt->tls_crypt_v2_verify_script);
>
>
> --
> 2.25.1

Bump.
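Review bot: the author identity on this patch is inconsistent: the quoted header reads "From: string vest stringves...@gmail.com" while the trailer reads "Signed-off-by: Richard T Bonhomme tincant...@protonmail.com", so git am would record the commit under the gmail identity with a sign-off from a different person. Reset the author to match the sign-off (git commit --amend --reset-author, or --author=) before the next submission. The quoted hunk also still shows `- setenv_int(es, "daemon_pid", platform_getpid());` for what its `@@ -537,6 +537,7 @@` header says is a one-line addition, so this copy of the body is not applicable either.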
Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment
Hi,

‐‐‐ Original Message ‐‐‐
On Tuesday, 4 May 2021 11:50, Arne Schwabe wrote:

> On 29.04.21 at 19:15, Richard T Bonhomme wrote:
>
> > From: string vest stringves...@gmail.com
> > Under Windows, programmatically retrieving the parent process ID of
> > the openvpn instance which called a script is practically impossible.
> > The only sensible way, currently available, is to write a PID file.
> > This patch adds a single integer variable, named daemon_pid, to the
> > script environment. The value of which is set to the openvpn process
> > ID that called the script.
> > Providing this variable via the running openvpn process is more secure,
> > faster and far less prone to user-error than using a PID file.
>
> Could you explain why you need the process ID of the daemon? I am trying
> to figure out why that is needed. I also don't understand the secure in
> this context. What are you protecting yourself against? You are not
> protecting your script being called from a malicious program as that
> could lookup the PID of openvpn and just set the daemon_id variable.
>

The reason I am using the process ID is as follows:

When --tls-crypt-v2-verify is executed, it saves a file named:
${certificate_serial_number}.${daemon_pid}
with data from the TLS-Crypt-V2 key metadata field, which can then be read by the following scripts: --tls-verify and --client-connect.

The --tls-verify and --client-connect script have:
${certificate_serial_number} -> ${tls_serial_hex_0} and ${daemon_pid},
in their environment and can guarantee to pick-up the correct data file.

This is OK for one running server but when there are more than one server instance running, using a PID file becomes messy and cumbersome.

The "secure" in this sense is that, having openvpn provide the PID is much more reliable than relying on multiple PID files.

Also, while it is "trivial" for *nix to retrieve the Parent PID, under Windows, programmatically doing this is not "trivial" at all:

PID:
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/finding-the-process-id
PPID:
https://stackoverflow.com/questions/7486717/finding-parent-process-id-on-windows

Therefore, barring any known security reasons for not providing the openvpn PID to all scripts which it executes, it makes more sense to have openvpn provide daemon_pid. The only script currently missing this data is --tls-crypt-v2-verify (And probably --learn-address but I have not tested that).

Thanks
R
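The hand-off that the feature request (its Easy-TLS example) and the explanation to Arne above both describe is: --tls-crypt-v2-verify stashes the hardware address from the key metadata under a name built from the certificate serial and the daemon's PID, and --client-connect later compares that stash with the IV_HWADDR the client pushed. The script below is an added illustration of that flow; it is not Easy-TLS code and not part of any message in this thread. It assumes a constructed metadata layout of `serial=<hex>;hwaddr=<mac>` (Easy-TLS's real metadata format is not shown on this page), a stash directory HANDOFF_DIR of its own invention, and that --tls-crypt-v2-verify does not receive daemon_pid, in which case it falls back to $PPID, the openvpn process that spawned the script on POSIX systems, as the thread's closing messages suggest. The serial is checked to be colon-separated hex before it is used as a file name, so a hostile or corrupt metadata field cannot steer the stash out of HANDOFF_DIR.

```shell
#!/bin/sh
# Added example, not Easy-TLS code: one hook script shared by
# --tls-crypt-v2-verify and --client-connect (openvpn sets $script_type
# to say which hook is running). Assumptions not taken from the thread:
# the key metadata is the text "serial=<hex>;hwaddr=<mac>", and
# HANDOFF_DIR is our own stash directory.

HANDOFF_DIR="${HANDOFF_DIR:-/tmp/tcv2-handoff}"

# Identify the openvpn instance that launched us. Prefer the daemon_pid that
# openvpn exports to most hooks; fall back to $PPID, which on POSIX systems
# is the openvpn process that spawned this script.
daemon_key() {
    if [ -n "${daemon_pid:-}" ]; then
        printf '%s\n' "$daemon_pid"
    else
        printf '%s\n' "$PPID"
    fi
}

# Extract one "name=value" field from the ';'-separated metadata text.
# $1 = metadata text, $2 = field name
meta_field() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Accept only colon-separated hex, so the serial is safe as a file name
# (no '/', no '..', nothing empty).
valid_serial() {
    case "$1" in ""|*[!0-9a-fA-F:]*) return 1 ;; esac
}

# --tls-crypt-v2-verify hook. The client certificate has not been seen yet,
# so the only identity available is what the (server-encrypted) metadata
# carries. Stash the hardware address under <serial>.<daemon key>.
# A non-zero exit rejects the connection.
tcv2_verify() {
    [ "${metadata_type:-}" = "0" ] || return 1       # 0 = user-defined metadata
    meta=$(cat "$metadata_file") || return 1
    serial=$(meta_field "$meta" serial)
    hwaddr=$(meta_field "$meta" hwaddr | tr 'A-Z' 'a-z')
    valid_serial "$serial" || return 1
    [ -n "$hwaddr" ] || return 1
    mkdir -p "$HANDOFF_DIR" || return 1
    printf '%s\n' "$hwaddr" > "$HANDOFF_DIR/$serial.$(daemon_key)"
}

# --client-connect hook. The TLS handshake has now verified the certificate,
# so tls_serial_hex_0 is trustworthy. It must find a stash written by THIS
# daemon, and the IV_HWADDR the client pushed (--push-peer-info) must match.
client_connect() {
    valid_serial "${tls_serial_hex_0:-}" || return 1
    stash="$HANDOFF_DIR/$tls_serial_hex_0.$(daemon_key)"
    [ -f "$stash" ] || return 1
    expected=$(cat "$stash")
    rm -f "$stash"                                   # one-shot: never reuse
    pushed=$(printf '%s' "${IV_HWADDR:-}" | tr 'A-Z' 'a-z')
    [ -n "$pushed" ] && [ "$pushed" = "$expected" ]
}

case "${script_type:-}" in
    tls-crypt-v2-verify) tcv2_verify ;;
    client-connect)      client_connect ;;
esac
```

Point both hooks at the same file (`tls-crypt-v2-verify /path/hook.sh`, `client-connect /path/hook.sh`, with `script-security 2`); the script_type variable openvpn sets selects the branch. Keying the stash by the daemon's PID is what keeps two server instances on the same host from consuming each other's files, and the one-shot rm is what stops a stale stash from vouching for a later connection.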
Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment
Hi,

‐‐‐ Original Message ‐‐‐
On Tuesday, 4 May 2021 13:43, tincantech via Openvpn-devel wrote:

> Hi,
>
> ‐‐‐ Original Message ‐‐‐
> On Tuesday, 4 May 2021 11:50, Arne Schwabe a...@rfc2549.org wrote:
>
> > On 29.04.21 at 19:15, Richard T Bonhomme wrote:
> >
> > > From: string vest stringves...@gmail.com
> > > Under Windows, programmatically retrieving the parent process ID of
> > > the openvpn instance which called a script is practically impossible.
> > > The only sensible way, currently available, is to write a PID file.
> > > This patch adds a single integer variable, named daemon_pid, to the
> > > script environment. The value of which is set to the openvpn process
> > > ID that called the script.
> > > Providing this variable via the running openvpn process is more secure,
> > > faster and far less prone to user-error than using a PID file.
> >
> > Could you explain why you need the process ID of the daemon? I am trying
> > to figure out why that is needed. I also don't understand the secure in
> > this context. What are you protecting yourself against? You are not
> > protecting your script being called from a malicious program as that
> > could lookup the PID of openvpn and just set the daemon_id variable.
>
> The reason I am using the process ID is as follows:
>
> When --tls-crypt-v2-verify is executed, it saves a file named:
> ${certificate_serial_number}.${daemon_pid}
> with data from the TLS-Crypt-V2 key metadata field, which can then
> be read by the following scripts: --tls-verify and --client-connect.
>
> The --tls-verify and --client-connect script have:
> ${certificate_serial_number} -> ${tls_serial_hex_0} and ${daemon_pid},
> in their environment and can guarantee to pick-up the correct data file.
>
> This is OK for one running server but when there are more than one server
> instance running, using a PID file becomes messy and cumbersome.
>
> The "secure" in this sense is that, having openvpn provide the PID is much
> more reliable than relying on multiple PID files.
>
> Also, while it is "trivial" for *nix to retrieve the Parent PID, under
> Windows, programmatically doing this is not "trivial" at all:
>
> PID:
> https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/finding-the-process-id
> PPID:
> https://stackoverflow.com/questions/7486717/finding-parent-process-id-on-windows
>
> Therefore, barring any known security reasons for not providing the openvpn
> PID to all scripts which it executes, it makes more sense to have openvpn
> provide daemon_pid. The only script currently missing this data is
> --tls-crypt-v2-verify (And probably --learn-address but I have not tested that).
>

Due to the inordinate resistance this patch has received, consider this my official withdrawal. I hereby NACK.

Thanks
R
Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment
Hi,

‐‐‐ Original Message ‐‐‐
On Tuesday, 4 May 2021 20:41, Selva Nair wrote:

> On Tue, May 4, 2021 at 3:04 PM tincantech via Openvpn-devel
> openvpn-devel@lists.sourceforge.net wrote:
>
> > Due to the inordinate resistance this patch has received, consider this my
> > official withdrawal. I hereby NACK.
>
> Resistance is a good thing -- it means people are considering your
> patch seriously and are asking questions in earnest.
>
> I've had patches that languished for years and finally merged,
> without batting an eye.. Except for an occasional gentle nudge (say
> once a year), and some patience.

Selva, thanks for your guidance. On this occasion I have been pushed to find a better way. Thanks to Gert for reminding me about PPID and pushing my code a little further, I now realise that I don't need daemon_pid from openvpn directly.

Withdrawing this patch seems the most appropriate way to minimize the time wasted.

Sometimes it's difficult to see your own mistakes but realisation is satisfying if and when you do "break on through" ;-)

R
Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment
‐‐‐ Original Message ‐‐‐
On Tuesday, 4 May 2021 21:36, tincantech via Openvpn-devel wrote:

> Hi,
>
> ‐‐‐ Original Message ‐‐‐
> On Tuesday, 4 May 2021 20:41, Selva Nair selva.n...@gmail.com wrote:
>
> > On Tue, May 4, 2021 at 3:04 PM tincantech via Openvpn-devel
> > openvpn-devel@lists.sourceforge.net wrote:
> >
> > > Due to the inordinate resistance this patch has received, consider this
> > > my official withdrawal. I hereby NACK.
> >
> > Resistance is a good thing -- it means people are considering your
> > patch seriously and are asking questions in earnest.

And this resistance was indeed not futile.

I have discovered a flaw in my logic, which is so insidious, that it may bring my entire house of cards down ..

I just F000M'^~,.ed myself .. arse!
Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment
Hi,

‐‐‐ Original Message ‐‐‐
On Wednesday, 5 May 2021 08:51, Arne Schwabe wrote:

> > > Could you explain why you need the process ID of the daemon? I am trying
> > > to figure out why that is needed. I also don't understand the secure in
> > > this context. What are you protecting yourself against? You are not
> > > protecting your script being called from a malicious program as that
> > > could lookup the PID of openvpn and just set the daemon_id variable.
> >
> > The reason I am using the process ID is as follows:
> > When --tls-crypt-v2-verify is executed, it saves a file named:
> > ${certificate_serial_number}.${daemon_pid}
> > with data from the TLS-Crypt-V2 key metadata field, which can then
> > be read by the following scripts: --tls-verify and --client-connect.
>
> I can get behind the need of needing something daemon specific when
> running multiple daemons that scripts/plugins need something simple to
> identify a specific daemon. With management and a persistent connection
> that is easier to implicitly assign an ID but for scripts daemon_pid
> seems to be a good fit.
>
> So if we make that a bit clear in the commit message this gets an ACK
> from me.

Arne,

thanks for the feedback, I can resubmit with an improved commit message and corrected email if required.

Thanks
R
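The file hand-off described in the quoted exchange above (a --tls-crypt-v2-verify hook leaving the key metadata in a file named after the serial and the daemon pid, for --tls-verify / --client-connect to pick up later), written out as an added example; it is not code from the thread or from OpenVPN. The daemon pid is taken from $PPID, the openvpn process that spawned the hook, which is the approach the thread settled on instead of a daemon_pid variable. How the serial and the metadata reach the hook (environment variables, positional arguments) is an assumption here, so both are plain function arguments, and STATE_DIR is an assumed location:

```shell
#!/bin/sh
# Added example (not from the thread, not OpenVPN's own code): two hook
# helpers that pass tls-crypt-v2 key metadata from --tls-crypt-v2-verify
# to a later hook via a file named <serial>.<daemon pid>.

# Directory only the openvpn user can read (assumed location).
STATE_DIR="${STATE_DIR:-/tmp/tcv2-state}"

# tcv2_store <serial> <daemon pid> <metadata file>
# Writes $STATE_DIR/<serial>.<pid>; returns 1 on bad input so a caller
# cannot steer the file name out of the state directory.
tcv2_store() {
    serial="$1" daemon_pid="$2" meta_file="$3"
    # serial: hex digits and colons only; pid: digits only.
    case "$serial" in ""|*[!0-9A-Fa-f:]*) return 1 ;; esac
    case "$daemon_pid" in ""|*[!0-9]*) return 1 ;; esac
    [ -f "$meta_file" ] || return 1
    mkdir -p -m 0700 "$STATE_DIR" || return 1
    cp "$meta_file" "$STATE_DIR/$serial.$daemon_pid"
}

# tcv2_take <serial> <daemon pid>
# Prints the stored metadata and removes the file, so a stale entry is
# never reused for a later connection; returns 1 if there is none.
tcv2_take() {
    serial="$1" daemon_pid="$2"
    f="$STATE_DIR/$serial.$daemon_pid"
    [ -f "$f" ] || return 1
    cat "$f" && rm -f "$f"
}

# Inside a real --tls-crypt-v2-verify hook the pid argument would be "$PPID".
# Constructed demo run: client serial 01:AB:CD handled by daemon pid 4242.
demo=$(mktemp -d)
STATE_DIR="$demo/state"
printf 'alice,group=lab\n' > "$demo/meta"
tcv2_store 01:AB:CD 4242 "$demo/meta"
tcv2_take 01:AB:CD 4242          # prints alice,group=lab once
rm -rf "$demo"
```

The input filtering is there because of the objection quoted above: a hook that builds a path from values it receives must not let a crafted serial or pid escape the state directory, and using $PPID rather than an environment variable means the pid is the real parent, not whatever the caller chose to export.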
Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment
Hi,

‐‐‐ Original Message ‐‐‐
On Monday, 10 May 2021 18:29, Gert Doering wrote:

> Hi,
>
> On Wed, May 05, 2021 at 10:00:37PM +, tincantech via Openvpn-devel wrote:
>
> > thanks for the feedback, I can resubmit with an improved commit message
> > and corrected email if required.
>
> This is how I understand Arne - he's happy with the code change, just
> wants the commit message to explain a bit better why this is relevant.
>
> So, there is an ACK-and-merge pending :-)

well, personally.. it's complicated..

1. Antonio's initial reluctance.
   I do not believe it would be prudent to continue without his opinion.

2. Replacement method.
   This is no longer required. (Thanks given to Gert for PPID)

3. Work
   Rewriting the commit message to suit, plus resubmitting as a V2 .. and .. then jumping through Google's and git's hoops is not at the top of my list.

4. Having my user account _recently_ locked out of Trac.
   I expect that I can even ''predict'' what that is with regard to.

...

For the time being, I suggest that TLS-Crypt-V2 code be left as-is, because TLS-Crypt-V2 *has* more important issues to consider..

I would list the trac issue but #4

The impasse has been met,
R
Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment
Hi,

> 4. Having my user account recently locked out of Trac.
>
> I expect that I can even ''predict'' what that is with regard to.
>
> ...

Seems I typed my ludicrously long password incorrectly..

The rest still stands.

Sorry for the noise,
R
Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment
Hi,

‐‐‐ Original Message ‐‐‐
On Monday, 10 May 2021 23:10, Selva Nair wrote:

> On Mon, May 10, 2021 at 4:24 PM tincantech via Openvpn-devel
> openvpn-devel@lists.sourceforge.net wrote:
>
> > Hi,
> >
> > ‐‐‐ Original Message ‐‐‐
> > On Monday, 10 May 2021 18:29, Gert Doering g...@greenie.muc.de wrote:
> >
> > > Hi,
> > >
> > > On Wed, May 05, 2021 at 10:00:37PM +, tincantech via Openvpn-devel
> > > wrote:
> > >
> > > > thanks for the feedback, I can resubmit with an improved commit message
> > > > and corrected email if required.
> > >
> > > This is how I understand Arne - he's happy with the code change, just
> > > wants the commit message to explain a bit better why this is relevant.
> > >
> > > So, there is an ACK-and-merge pending :-)
> >
> > well, personally.. it's complicated..
>
> I think it's a good thing to pass daemon_pid to all scripts uniformly.
> Can't think of any downside. And, on Windows it's a pain to get the
> parent pid from a batch file. Personally, I do not have a use case
> though.
>
> Selva

Trac in question:
https://community.openvpn.net/openvpn/ticket/1310
Re: [Openvpn-devel] [PATCH] Add daemon_pid to --tls-crypt-v2-verify environment
‐‐‐ Original Message ‐‐‐
On Tuesday, 11 May 2021 07:02, Gert Doering wrote:

> Hi,
>
> On Mon, May 10, 2021 at 06:10:33PM -0400, Selva Nair wrote:
>
> > > So, there is an ACK-and-merge pending :-)
> > [..]
>
> > I think it's a good thing to pass daemon_pid to all scripts uniformly.
> > Can't think of any downside. And, on Windows it's a pain to get the
> > parent pid from a batch file. Personally, I do not have a use case
> > though.
>
> This was about the thoughts Arne and I had - if we have daemon_pid in
> some places, we should have it in all places. And, on Windows it's not
> as trivial as on Unix...
>
> (Out of interest: is there a way at all to get the ppid from a batch file?)

This is what I found for PID/PPID in batch:

PID:
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/finding-the-process-id

PPID:
https://stackoverflow.com/questions/7486717/finding-parent-process-id-on-windows

Thanks
R
Re: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hi, I was in the process of reviewing this patch when I found that protonmail had changed most of the git '+' to '-', see below. I have reported a bug to protonmail. Anyway, I can see a few typos and some other odd errors. Hopefully, protonmail will have a solution, or maybe someone here knows what I can do/try ? Finally, I wrote a simple script which generates self-signed certs, keys and inlines the fingerprint for use with Openvpn. https://github.com/TinCanTech/easy-pfp I hope it is of some use in the future. Thanks R ‐‐‐ Original Message ‐‐‐ On Wednesday, 12 May 2021 14:15, Arne Schwabe wrote: > This is meant to give new users a quickstart for a useable OpenVPN > setup. Our own documentation is lacking in this regard and many often > tutorials that can be found online are often questionable in some > aspects. > > Linking the invidiaul RST file on github also give a tutorial > in a nicely formatted way. > > Signed-off-by: Arne Schwabe a...@rfc2549.org > > Changes.rst | 4 + > doc/Makefile.am | 1 + > doc/man-sections/example-fingerprint.rst | 194 +++ > 3 files changed, 199 insertions(+) > create mode 100644 doc/man-sections/example-fingerprint.rst > > diff --git a/Changes.rst b/Changes.rst > index 9185b55f7..f1c739f99 100644 > --- a/Changes.rst > +++ b/Changes.rst > @@ -25,6 +25,10 @@ Certificate pinning/verify peer fingerprint > fingerprint of the peer. The option takes use a number of allowed > SHA256 certificate fingerprints. > > - See the man page section "Small OpenVPN setup with peer-fingerprint" > - for a tutorial how to use this feature. This is also available online > - under > https://github.com/openvpn/openvpn/blob/master/doc/man-sections/example-fingerprint.rst > - > > TLS mode with self-signed certificates > When `--peer-fingerprint` is used, the `--ca` and `--capath` option > become optional. This allows for small OpenVPN setups without setting up 
> diff --git a/doc/Makefile.am b/doc/Makefile.am > index e411f5f9d..e7022c085 100644 > --- a/doc/Makefile.am > +++ b/doc/Makefile.am > @@ -25,6 +25,7 @@ dist_noinst_DATA = \ > man-sections/connection-profiles.rst \ > man-sections/encryption-options.rst \ > man-sections/examples.rst \ > > - man-sections/examples.rst \ > man-sections/generic-options.rst \ > man-sections/inline-files.rst \ > man-sections/link-options.rst \ > diff --git a/doc/man-sections/example-fingerprint.rst > b/doc/man-sections/example-fingerprint.rst > new file mode 100644 > index 0..7d915aedb > --- /dev/null > +++ b/doc/man-sections/example-fingerprint.rst 
> @@ -0,0 +1,194 @@ > +Small OpenVPN setup with peer-fingerprint > += > +This section consists of instructions how to build a small OpenVPN setup > with the > +:code:`peer-fingerprint` option. This setup has the advantage to be easy > to setup > +and should for most small lab and home setups without the need to setup > a PKI. > +For bigger scale setup setting up a PKI (e.g. via easy-rsa) is still > recommended. > > - > > +Both server and client configuration can of course be further modified to > individualise the > +setup. > + > +Server setup > + > +1. Install openvpn > + > > - Compile from source-code (see `INSTALL` file) or install via a > distribution (apt/yum/ports) > - or via installer (Windows). > - > > +2. Generate a self-signed certificate for the server: > > - :: > - > - openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout > serverkey.pem -out server.pem -nodes -sha256 -days 3650 -subj '/CN=server' > - > > +3. Generate SHA256 fingerprint of the server certificate > + > > - Use the OpenSSL command line utility to view the fingerprint of just > - created certificate: > - :: > - > - openssl x509 -fingerprint -sha256 -in styx-win.pem -noout server.pem > - > - This output something similar to: > - :: > - > - SHA256 > Fingerprint=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff > > > - > - > > +3. Write a server configuration (`server.conf`): > +:: > + > > - The server certificate we created in step 1 > > > > - cert server.pem > > - key serverkey.pem > > - > - dh none > > - dev tun > > - > - Listen on IPv6+IPv4 simultaneously > > === > > - proto udp6 > > - > - The ip address the server will distribute > > == > > - server 192.168.234.0 255.255.255.0 > > - server-ipv6 fd00:6f76:706e::/64 > > - > - A tun-mtu of 1400 avoids problems of too big packets after VPN > encapsulation > > > = > > - tun-mtu 1400 > > - > - The fingerprints of your clients. After adding/remvoing one here rest
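Review bot: the doc/Makefile.am hunk adds a second `man-sections/examples.rst \` line directly under the existing one instead of listing the file this patch creates, so `man-sections/example-fingerprint.rst` never makes it into dist_noinst_DATA and will be missing from release tarballs; the added line should read `man-sections/example-fingerprint.rst \`.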
Re: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hi, I used sed to create my own reply .. comments inline. ‐‐‐ Original Message ‐‐‐ On Wednesday, 12 May 2021 14:15, Arne Schwabe wrote: > This is meant to give new users a quickstart for a useable OpenVPN > setup. Our own documentation is lacking in this regard and many often > tutorials that can be found online are often questionable in some > aspects. > > Linking the invidiaul RST file on github also give a tutorial invidiaul -> individual > in a nicely formatted way. > > Signed-off-by: Arne Schwabe > --- > Changes.rst | 4 + > doc/Makefile.am | 1 + > doc/man-sections/example-fingerprint.rst | 194 +++ > 3 files changed, 199 insertions(+) > create mode 100644 doc/man-sections/example-fingerprint.rst > > diff --git a/Changes.rst b/Changes.rst > index 9185b55f7..f1c739f99 100644 > --- a/Changes.rst > +++ b/Changes.rst > @@ -25,6 +25,10 @@ Certificate pinning/verify peer fingerprint > fingerprint of the peer. The option takes use a number of allowed > SHA256 certificate fingerprints. > > +See the man page section "Small OpenVPN setup with peer-fingerprint" > +for a tutorial how to use this feature. This is also available online tutorial how -> tutorial on how (just reads better) > +under > https://github.com/openvpn/openvpn/blob/master/doc/man-sections/example-fingerprint.rst > + > TLS mode with self-signed certificates > When ``--peer-fingerprint`` is used, the ``--ca`` and ``--capath`` option > become optional. This allows for small OpenVPN setups without setting up > diff --git a/doc/Makefile.am b/doc/Makefile.am > index e411f5f9d..e7022c085 100644 > --- a/doc/Makefile.am > +++ b/doc/Makefile.am > @@ -25,6 +25,7 @@ dist_noinst_DATA = \ > man-sections/connection-profiles.rst \ > man-sections/encryption-options.rst \ > man-sections/examples.rst \ > + man-sections/examples.rst \ > man-sections/generic-options.rst \ > man-sections/inline-files.rst \ > man-sections/link-options.rst \ 
> diff --git a/doc/man-sections/example-fingerprint.rst > b/doc/man-sections/example-fingerprint.rst > new file mode 100644 > index 0..7d915aedb > --- /dev/null > +++ b/doc/man-sections/example-fingerprint.rst 
> @@ -0,0 +1,194 @@ > +Small OpenVPN setup with peer-fingerprint > += > +This section consists of instructions how to build a small OpenVPN setup > with the > +:code:`peer-fingerprint` option. Reword suggestion: This setup has the advantage to be easy to setup > +and should for most small lab and home setups without the need to setup a > PKI. Using Peer-fingerprint mode has the advantage of being easy to setup without the need for a PKI. It is suitable for most small lab and home setups. > +For bigger scale setup setting up a PKI (e.g. via easy-rsa) is still > recommended. > + > +Both server and client configuration can of course be further modified to > individualise the > +setup. individualise ? - This word is odd .. how about customise ? > + > +Server setup > + > +1. Install openvpn > + > + Compile from source-code (see `INSTALL` file) or install via a > distribution (apt/yum/ports) > + or via installer (Windows). > + > +2. Generate a self-signed certificate for the server: > + :: > + > +openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout > serverkey.pem -out server.pem -nodes -sha256 -days 3650 -subj '/CN=server' Why not using .key and .crt as is the custom when files are created by Easy-RSA ? Also, it is simpler to understand what the file type is .. > + > +3. Generate SHA256 fingerprint of the server certificate > + > + Use the OpenSSL command line utility to view the fingerprint of just > + created certificate: > + :: > + > +openssl x509 -fingerprint -sha256 -in styx-win.pem -noout server.pem Why stix-win .. would it not be more suitable to use consistent names of files ? Also, this command is incorrect, the server.pem causes openssl error: x509: Unknown parameter server.pem > + > + This output something similar to: > + :: > + > + SHA256 > Fingerprint=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff > + > + > +3. 
Write a server configuration (`server.conf`): > +:: > + > +# The server certificate we created in step 1 > +cert server.pem > +key serverkey.pem > + > +dh none > +dev tun > + > +# Listen on IPv6+IPv4 simultaneously > +proto udp6 I just want this to be verified because the manual reads that: udp6 will force only udp on IPv6, at least that is how I read it. > + > +# The ip address the server will distribute > +server 192.168.234.0 255.255.255.0 > +server-ipv6 fd00:6f76:706e::/64 > + > +# A tun-mtu of 1400 avoids problems of too big packets after VPN > encapsulatio
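Review bot: the fingerprint command in step 3 of the example-fingerprint.rst hunk, `openssl x509 -fingerprint -sha256 -in styx-win.pem -noout server.pem`, reads a file (styx-win.pem) that no earlier step produces and carries a stray trailing `server.pem` argument, which is the "Unknown parameter" error reported in the comments above; it should be `openssl x509 -fingerprint -sha256 -in server.pem -noout` so the reader fingerprints the certificate created in step 2.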
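Review bot: the step numbering in the example-fingerprint.rst hunk is inconsistent: both the fingerprint step and the server.conf step are labelled `3.`, and the configuration comment `# The server certificate we created in step 1` points at the install step while the certificate is generated in step 2; renumber the server.conf step to 4 and change the comment to "step 2" so the cross-references in the tutorial line up.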
Re: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint
Hi,

missed one..

‐‐‐ Original Message ‐‐‐
On Thursday, 13 May 2021 22:48, tincantech via Openvpn-devel wrote:

> Hi,
>
> I used sed to create my own reply ..
>
> comments inline.
>
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, 12 May 2021 14:15, Arne Schwabe a...@rfc2549.org wrote:
>
> > This is meant to give new users a quickstart for a useable OpenVPN
> > setup. Our own documentation is lacking in this regard and many often
> > tutorials that can be found online are often questionable in some
> > aspects.

many often tutorials -> many tutorials (extra 'often')
[Openvpn-devel] Feature request - Allow comments inside markers
Hi,

I think it would be useful to allow comments inside the <peer-fingerprint> markers. EG:

# alice
67:1F:A5:CA:26:98:BA:40:D9:EB:6A:5B:C1:64:8C:8E:66:6E:7A:22:26:73:96:6A:5E:9B:B3:17:8F:F8:C6:9C
# bob
55:B6:3F:AD:BC:A0:8C:EF:00:B3:2F:A5:46:46:83:82:6F:34:86:8D:23:2B:AC:79:39:E2:26:0B:FC:1A:86:38

Thanks
R
Re: [Openvpn-devel] Feature request - Allow comments inside markers
Hi,

‐‐‐ Original Message ‐‐‐
On Monday, 17 May 2021 16:31, Gert Doering wrote:

> Hi,
>
> On Mon, May 17, 2021 at 02:57:32PM +, tincantech via Openvpn-devel wrote:
>
> > I think it would be useful to allow comments inside the <peer-fingerprint>
> > markers.
>
> I've run across this as well, and share that sentiment. It would be nice.
>
> That said, I'm not sure how easy it is to implement (the inline-config
> parser is used for all inline stuff, not only for peer-fingerprint).
>
> As a workaround, you can put "per user" peer-fingerprint lines into the
> config:
>
> the config option - and the inline block - can appear multiple times.

Ah nice, I should have thought of that myself !

I can't think of any other reason to allow comments in other inline sections and your workaround is perfectly suitable for small setups, consider this resolved.

Thanks
R
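Gert's workaround from the reply above, written out as an added example rather than a config taken from the thread or from OpenVPN's own documentation: one inline block per client, so the comment naming the client sits between blocks instead of inside the markers. The fingerprints are the constructed values from the request above and the file name server.conf is assumed.

```conf
# server.conf (assumed name): one <peer-fingerprint> block per client.
# A comment line outside the markers records whose fingerprint follows,
# and removing a client means deleting exactly one block.

# alice
<peer-fingerprint>
67:1F:A5:CA:26:98:BA:40:D9:EB:6A:5B:C1:64:8C:8E:66:6E:7A:22:26:73:96:6A:5E:9B:B3:17:8F:F8:C6:9C
</peer-fingerprint>

# bob
<peer-fingerprint>
55:B6:3F:AD:BC:A0:8C:EF:00:B3:2F:A5:46:46:83:82:6F:34:86:8D:23:2B:AC:79:39:E2:26:0B:FC:1A:86:38
</peer-fingerprint>
```

This relies only on what the reply states: the option and its inline block may appear more than once in a configuration, and the parser merges them into the set of allowed fingerprints.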
Re: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint
Hi,

‐‐‐ Original Message ‐‐‐
On Wednesday, 12 May 2021 14:15, Arne Schwabe wrote:

> This is meant to give new users a quickstart for a useable OpenVPN
> setup. Our own documentation is lacking in this regard and many often
> tutorials that can be found online are often questionable in some
> aspects.

I believe Openvpn in standard mode (Full PKI) would reject an expired client certificate.

Note: There is absolutely nothing in the manual to confirm this !
https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html
On that page there are eight uses of the word 'expire' and they all relate to an expired auth-token, this could also probably be improved.

However, Openvpn in peer-fingerprint mode allows an expired client certificate to connect.

The client log *does* have a 'WARNING: Your certificate has expired!'
The server log has nothing about an expired client certificate.

And, as we all know, _who reads their log files_ anyway ?

The issue here is that the server allows an expired client certificate to connect and there is no mention of this change in behaviour.

Thanks
R
Re: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint
Hi,

‐‐‐ Original Message ‐‐‐
On Monday, 17 May 2021 18:16, tincantech via Openvpn-devel wrote:

> Hi,
>
> ‐‐‐ Original Message ‐‐‐
> On Wednesday, 12 May 2021 14:15, Arne Schwabe a...@rfc2549.org wrote:
>
> > This is meant to give new users a quickstart for a useable OpenVPN
> > setup. Our own documentation is lacking in this regard and many often
> > tutorials that can be found online are often questionable in some
> > aspects.

I think it is also worth noting that, in its current form, the documentation given does not provide for a --remote-cert-tls solution.

I may be able to help with that but prefer to log it here first.

Thanks
R
Re: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint
Hi,

‐‐‐ Original Message ‐‐‐
On Tuesday, 18 May 2021 13:21, Arne Schwabe wrote:

> On 17.05.21 at 19:16, tincantech wrote:
>
> > Hi,
> >
> > ‐‐‐ Original Message ‐‐‐
> > On Wednesday, 12 May 2021 14:15, Arne Schwabe a...@rfc2549.org wrote:
> >
> > > This is meant to give new users a quickstart for a useable OpenVPN
> > > setup. Our own documentation is lacking in this regard and many often
> > > tutorials that can be found online are often questionable in some
> > > aspects.
> >
> > I believe Openvpn in standard mode (Full PKI) would reject an expired
> > client certificate.
> > Note: There is absolutely nothing in the manual to confirm this !
> > https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html
> > On that page there are eight uses of the word 'expire' and they all
> > relate to an expired auth-token, this could also probably be improved.
> > However, Openvpn in peer-fingerprint mode allows an expired client
> > certificate to connect.
> > The client log does have a 'WARNING: Your certificate has expired!'
> > The server log has nothing about an expired client certificate.
> > And, as we all know, who reads their log files anyway ?
> > The issue here is that the server allows an expired client certificate
> > to connect and there is no mention of this change in behaviour.
>
> Yes. We just trust the fingerprint of the certificate. The behaviour to
> ignore expiry is a side effect of that. It is kinda designed to be this way.
>
> Arne

The change itself is ok, I just thought it worth mentioning in this guide.

Thanks
R
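Since peer-fingerprint mode trusts the fingerprint and, as confirmed above, ignores the certificate's validity period, a server that still wants expired client certificates refused and logged can do the check itself in a --tls-verify hook. The following is an added example, not code from the thread or from OpenVPN: --tls-verify is invoked with the certificate depth and subject as its two arguments, and how the hook gets hold of the peer certificate's PEM file is an assumption here (it is passed in as a third argument).

```shell
#!/bin/sh
# Added example (not OpenVPN's own code): server-side expiry check for
# peer-fingerprint setups, meant to be wired in via --tls-verify.

# cert_valid_for <pem file> [seconds]
# Returns 0 when the certificate is still valid <seconds> from now
# (default 0, i.e. not expired yet), 1 when expired or unreadable.
cert_valid_for() {
    cert="$1"; grace="${2:-0}"
    [ -r "$cert" ] || return 1
    # openssl x509 -checkend N exits 0 only if notAfter is at least N
    # seconds in the future; output is suppressed, the status is the result.
    openssl x509 -in "$cert" -noout -checkend "$grace" >/dev/null 2>&1
}

# tls_verify_hook <depth> <subject> <pem file>
# Depth 0 is the client's own certificate, which is the only one present
# in a peer-fingerprint setup; any other depth is accepted unchanged.
# Returns non-zero to make openvpn refuse the client, and writes a line to
# stderr so the refusal shows up in the server log.
tls_verify_hook() {
    depth="$1"; subject="$2"; cert="$3"
    [ "$depth" = 0 ] || return 0
    if cert_valid_for "$cert" 0; then
        return 0
    fi
    echo "tls-verify: rejecting expired or unreadable certificate: $subject" >&2
    return 1
}
```

A positive grace value turns the same helper into an early warning: calling `cert_valid_for "$cert" 604800` from a monitoring job reports certificates that expire within a week, before a client suddenly stops working.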
Re: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint
Hi,

‐‐‐ Original Message ‐‐‐
On Monday, 17 May 2021 20:07, tincantech wrote:

> Hi,
>
> ‐‐‐ Original Message ‐‐‐
> On Monday, 17 May 2021 18:16, tincantech via Openvpn-devel
> openvpn-devel@lists.sourceforge.net wrote:
>
> > Hi,
> >
> > ‐‐‐ Original Message ‐‐‐
> > On Wednesday, 12 May 2021 14:15, Arne Schwabe a...@rfc2549.org wrote:
> >
> > > This is meant to give new users a quickstart for a useable OpenVPN
> > > setup. Our own documentation is lacking in this regard and many often
> > > tutorials that can be found online are often questionable in some
> > > aspects.
>
> I think it is also worth noting that, in its current form, the
> documentation given does not provide for a --remote-cert-tls solution.
>
> I may be able to help with that but prefer to log it here first.

If/how you choose to document this here, I leave that to you.

I have expanded easypfp to create either Server or Client certificates by adding X509v3 Extended Key Usage: TLS Web Client Authentication and TLS Web Server Authentication as optional extras.

All tests passed.

https://github.com/TinCanTech/easy-pfp

Thanks
R
Re: [Openvpn-devel] Summary of the community meeting (19th May 2021)
Hi,

‐‐‐ Original Message ‐‐‐
On Wednesday, 19 May 2021 14:31, Samuli Seppänen wrote:

> Hi,
>
> Here's the summary of the IRC meeting.
>
> COMMUNITY MEETING
>
> Place: #openvpn-meeting on irc.freenode.net
> Date: Wed 19th May 2021
> Time: 14:00 CET (12:00 UTC)
>
> Planned meeting topics for this meeting were here:
>
> https://community.openvpn.net/openvpn/wiki/Topics-2021-05-19
>
> Your local meeting time is easy to check from services such as
>
> http://www.timeanddate.com/worldclock
>
> SUMMARY
>
> cron2, dazo, d12fk, lev, mattock, ordex, plaisthos and syzzer
> participated in this meeting.
>
> Talked about removing --no-replay option. Noted that it was to be
> removed in 2.5, but we backpedaled on that decision and forgot to change
> our documentation. It was also noted that that option changes the wire
> format.
>
> Noted that --cipher none --auth none and --no-replay are quite
> intertwined. Getting rid of these options would be good from security
> perspective, but it was also noted that plain-text OpenVPN tunnels do
> have some advantages over the alternatives like GRE tunnels.
>
> Summarizing the discussion:
>
> 1. OpenVPN 2.6: reject configs where --no-replay is used without --auth
> none.
> 2. OpenVPN 2.7: remove --no-replay
> 3. Add clear warnings to 2.5 and 2.6 about 1) and 2)
>
> Noted that mattock buildbot setup is shaping up nicely. There are a ton
> of workers and code and data are quite well separated. Mattock is now
> working on limiting concurrent builds on the docker host, then moving on
> to t_client tests.

WRT --no-replay

There is also --mute-replay-warnings, which you all seem to have over-looked.

Perhaps this message could be changed (crypto.c:338):

    msg(D_REPLAY_ERRORS, "%s: bad packet ID (may be a replay): %s -- "
        "see the man page entry for --no-replay and --replay-window for "
        "more info or silence this warning with --mute-replay-warnings",
        error_prefix, packet_id_net_print(pin, true, gc));

Remove the reference to --no-replay soon.

Just a thought.
R
Re: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint
Hi,

‐‐‐ Original Message ‐‐‐
On Thursday, 20 May 2021 00:36, Arne Schwabe wrote:

> > I just want this to be verified because the manual reads that:
> > udp6 will force only udp on IPv6, at least that is how I read it.
>
> Not on the server side. It is one of the quirks that we need to fix at
> some point. See the ipv6only option of --bind for more details

I actually checked this and believe it is a reasonable decision.
It works for me and I was not expecting it to do so.

> > > -
> > > - The ip address the server will distribute
> > > - server 192.168.234.0 255.255.255.0
> > > - server-ipv6 fd00:6f76:706e::/64
> > > -
> > > - A tun-mtu of 1400 avoids problems of too big packets after VPN encapsulation
> > > - tun-mtu 1400
> > > -
> > > - The fingerprints of your clients. After adding/remvoing one here restart the
> >
> > remvoing -> removing
> >
> > > - server
> > > -
> > > -
> > > -
> > > - Notify clients when you restart the server to reconnect quickly
> > > - explicit-exit-notify 1
> > > -
> > > - Ping every 60s, restart if no data received for 5 minutes
> > > - keepalive 60 300
> >
> > I presume you are all sure that this is suitable for consumer grade routers.
>
> I think 60 300 is a good starting point but we might later modify it if
> this becomes a problem.

OK. It is a big difference from the standard setting so I just wanted to call it here.

> Thanks for spell/grammar checking it!
>
> Arne

No problem. Thanks for everything you've done too.

Richard
Re: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint
Hi,

just FYI

I was also going to question the --tun-mtu 1400 setting but decided
that was above my pay-grade. I think it is probably a good long-term
decision that will probably invade some of those less respectable blogs
and be a good thing overall. I know, it is complicated!

Cheers
R
Re: [Openvpn-devel] [PATCH 9/9] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint
Hi,

missed another one ..

‐‐‐ Original Message ‐‐‐
On Thursday, 20 May 2021 01:13, tincantech wrote:

> Hi,
>
> just FYI
>
> I was also going to question the --tun-mtu 1400 setting but decided
> that was above my pay-grade. I think it is probably a good long-term
> decision that will probably invade some of those less respectable blogs
> and be a good thing overall. I know, it is complicated!

How would that affect the default --mssfix?

Swings and roundabouts

R
Re: [Openvpn-devel] [PATCH v2 2/2] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint
Hi,

again, I do not understand why openvpn chose to switch to .pem for this
tutorial. PEM -> Private Email, which this is not. You have a certificate
and a key and every other openvpn tutorial on openvpn and probably the
entire planet uses .crt and .key. This seems to be a poor decision in my
opinion.

And I presume that --tun-mtu 1400 is not going to break --mssfix 1450

There is also another advantage of using this method which is not
documented. Each client can build its own cert/key and send the
finger-print to the server in clear text, as can the server FP be sent to
the clients.

And apologies for the plug but easy-pfp can do all this and more even
easier.

https://github.com/TinCanTech/easy-pfp

Sent with ProtonMail Secure Email. Which does not know how to reply to a
git formatted patch and has other stupid quirks too. sed formatted reply.

‐‐‐ Original Message ‐‐‐
On Thursday, 20 May 2021 16:09, Arne Schwabe wrote:

> This is meant to give new users a quickstart for a useable OpenVPN
> setup. Our own documentation is lacking in this regard and many
> tutorials that can be found online are often questionable in some
> aspects.
>
> Linking the individaul RST file on github also give a tutorial
> in a nicely formatted way.

individaul -> individual (ua)

> Patch V2: Fix grammar/spelling mistakes (thanks ticantech), move
> to openvpn-examples(5).
>
> Signed-off-by: Arne Schwabe
> ---
> Changes.rst | 4 +
> doc/Makefile.am | 1 +
> doc/man-sections/example-fingerprint.rst | 196 +++
> doc/openvpn-examples.5.rst | 1 +
> 4 files changed, 202 insertions(+)
> create mode 100644 doc/man-sections/example-fingerprint.rst
>
> diff --git a/Changes.rst b/Changes.rst
> index 9185b55f7..5ac24307f 100644
> --- a/Changes.rst
> +++ b/Changes.rst
> @@ -25,6 +25,10 @@ Certificate pinning/verify peer fingerprint > fingerprint of the peer. The option takes use a number of allowed > SHA256 certificate fingerprints. > > +See the man page section "Small OpenVPN setup with peer-fingerprint" > +for a tutorial on how to use this feature. This is also available online > +under > https://github.com/openvpn/openvpn/blob/master/doc/man-sections/example-fingerprint.rst > + > TLS mode with self-signed certificates > When ``--peer-fingerprint`` is used, the ``--ca`` and ``--capath`` option > become optional. This allows for small OpenVPN setups without setting up > diff --git a/doc/Makefile.am b/doc/Makefile.am > index 1dbbddf58..d86560174 100644 > --- a/doc/Makefile.am > +++ b/doc/Makefile.am > @@ -25,6 +25,7 @@ dist_noinst_DATA = \ > man-sections/client-options.rst \ > man-sections/connection-profiles.rst \ > man-sections/encryption-options.rst \ > + man-sections/example-fingerprint.rst \ > man-sections/examples.rst \ > man-sections/generic-options.rst \ > man-sections/inline-files.rst \ > diff --git a/doc/man-sections/example-fingerprint.rst > b/doc/man-sections/example-fingerprint.rst > new file mode 100644 > index 0..c91ca64b9 > --- /dev/null > +++ b/doc/man-sections/example-fingerprint.rst 
> @@ -0,0 +1,196 @@ > +Small OpenVPN setup with peer-fingerprint > += > +This section consists of instructions how to build a small OpenVPN setup > with the > +:code:`peer-fingerprint` option. This has the advantage of being easy to > setup > +and should be suitable for most small lab and home setups without the need > for a PKI. > +For bigger scale setup setting up a PKI (e.g. via easy-rsa) is still > recommended. > + > +Both server and client configuration can of be further modified to customise > the > +setup. > + > +Server setup > + > +1. Install openvpn > + > + Compile from source-code (see `INSTALL` file) or install via a > distribution (apt/yum/ports) > + or via installer (Windows). > + > +2. Generate a self-signed certificate for the server: > + :: > + > +openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout > serverkey.pem -out server.pem -nodes -sha256 -days 3650 -subj '/CN=server' > + > +3. Generate SHA256 fingerprint of the server certificate > + > + Use the OpenSSL command line utility to view the fingerprint of just > + created certificate: > + :: > + > +openssl x509 -fingerprint -sha256 -in server.pem -noout > + > + This output something similar to: > + :: > + > + SHA256 > Fingerprint=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff > + > + > +3. Write a server configuration (`server.conf`): > +:: > + > +# The server certificate we created in step 1 > +cert server.pem > +key serverkey.pem > + > +dh none > +dev tun > + > +# Listen on IPv6+IPv4 simultaneously > +proto udp6 > + > +# The ip address
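Review bot: In the Changes.rst hunk, the added sentence "This is also available online under" ends in a bare link to the master branch (https://github.com/openvpn/openvpn/blob/master/doc/man-sections/example-fingerprint.rst); a Changes.rst entry ships with one release, so the link will show whatever version of example-fingerprint.rst master carries at read time rather than the one the reader installed. Name the man page section instead (openvpn-examples(5), as the commit message says) or link a release tag, and end the sentence with a period. The unchanged context line just above, "The option takes use a number of allowed SHA256 certificate fingerprints", reads as a typo ("takes a number of") that could be fixed in the same patch.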
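Review bot: The step numbering in the example-fingerprint.rst hunk is off: both "Generate SHA256 fingerprint of the server certificate" and "Write a server configuration (`server.conf`)" are labelled "3.", and the server.conf comment "The server certificate we created in step 1" refers to the certificate that step 2 creates; renumber the configuration step to 4 and fix the comment. Same hunk, wording: "can of be further modified" (drop "of"), "This output something similar to" ("This outputs"), and "instructions how to build" ("instructions on how to build"). The openssl command relies on process substitution, `ec:<(openssl ecparam -name secp384r1)`, which works in bash and zsh but not in a POSIX sh; either say so or write the curve parameters to a file first. Finally, `-nodes` writes serverkey.pem unencrypted, which is what an unattended daemon needs, but the text should state that this file is the private key and must not be copied to clients, since the tutorial otherwise only talks about sharing fingerprints.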
Re: [Openvpn-devel] [PATCH v2 2/2] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint
Hi,

‐‐‐ Original Message ‐‐‐
On Thursday, 20 May 2021 19:30, Arne Schwabe wrote:

> On 20.05.2021 at 18:56, tincantech wrote:
>
> > Hi,
> >
> > again, I do not understand why openvpn chose to switch to .pem
> > for this tutorial. PEM -> Private Email, which this is not.
> > You have a certificate and a key and every other openvpn tutorial
> > on openvpn and probably the entire planet uses .crt and .key.
> > This seems to be a poor decision in my opinion.
>
> pem as extension for keys is pretty common and specifies more the
> encoding than the type. E.g. there is also the der encoding.
>
> Arne

I accept the principle but openvpn *only* uses PEM-enc, that I know of.

So, why switch to .pem when it has never been used before by openvpn?

If you are all happy to let it go that way then so be it,

Thanks
R
Re: [Openvpn-devel] [PATCH v2 2/2] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint
Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Thursday, 20 May 2021 22:05, Jan Just Keijser wrote:

> Hi,
>
> On 20/05/21 21:49, tincantech via Openvpn-devel wrote:
>
> > > > Hi,
> > > >
> > > > again, I do not understand why openvpn chose to switch to .pem
> > > > for this tutorial. PEM -> Private Email, which this is not.
> > > > You have a certificate and a key and every other openvpn tutorial
> > > > on openvpn and probably the entire planet uses .crt and .key.
> > > > This seems to be a poor decision in my opinion.
> > >
> > > pem as extension for keys is pretty common and specifies more the
> > > encoding than the type. E.g. there is also the der encoding.
> > >
> > > Arne
> >
> > I accept the principle but openvpn only uses PEM-enc, that I know of.
> >
> > So, why switch to .pem when it has never been used before by openvpn?
> > If you are all happy to let it go that way then so be it,
>
> Hopefully this clarifies things:
>
> - the default output format of OpenSSL is PEM-encoded; openssl uses the
> default extension .pem
>
> - the OpenVPN .crt and .key files are ALSO PEM-encoded by default, but
> they've just been named differently by the easy-rsa tools to ensure that
> the files can be easily loaded on Windows
>
> - FTR: nearly all webservers I have ever seen are configured to use a
> hostcert.pem and hostkey.pem and my guess is that there are (still)
> more Linux-based webservers out there than OpenVPN clients and servers.
>
> Having said that, I do agree that after using .crt/.key files left and
> right (to accommodate Windows users) for over 15 years, it does seem
> confusing to start using files named .pem for peer-fingerprinting all
> of a sudden. On the other hand, with peer-fingerprinting you don't
> HAVE a .crt file (at least, you don't need one, technically) but only
> a .key file. So choosing a different extension for peer-fingerprinting
> does have its merits.

FTR: Openvpn still exchanges the full certificates in peer-fingerprint mode.

> HTH,
>
> JJK
Re: [Openvpn-devel] [PATCH v2 2/2] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint
Hi,

‐‐‐ Original Message ‐‐‐
On Thursday, 20 May 2021 22:22, Jan Just Keijser wrote:

> On 20/05/21 23:12, tincantech wrote:
>
> > [...]
> >
> > > > So, why switch to .pem when it has never been used before by openvpn?
> > > > If you are all happy to let it go that way then so be it,
> > >
> > > Hopefully this clarifies things:
> > >
> > > - the default output format of OpenSSL is PEM-encoded; openssl uses the
> > > default extension .pem
> > >
> > > - the OpenVPN .crt and .key files are ALSO PEM-encoded by default, but
> > > they've just been named differently by the easy-rsa tools to ensure that
> > > the files can be easily loaded on Windows
> > >
> > > - FTR: nearly all webservers I have ever seen are configured to use a
> > > hostcert.pem and hostkey.pem and my guess is that there are (still)
> > > more Linux-based webservers out there than OpenVPN clients and servers.
> > >
> > > Having said that, I do agree that after using .crt/.key files left and
> > > right (to accommodate Windows users) for over 15 years, it does seem
> > > confusing to start using files named .pem for peer-fingerprinting all
> > > of a sudden. On the other hand, with peer-fingerprinting you don't
> > > HAVE a .crt file (at least, you don't need one, technically) but only
> > > a .key file. So choosing a different extension for peer-fingerprinting
> > > does have its merits.
> >
> > FTR: Openvpn still exchanges the full certificates in peer-fingerprint
> > mode.
>
> meh ... I guess it was easier to implement it that way at the TLS level...

I cannot comment on the code but there is the case of older clients which
require self-signed server".crt" (Easy-RSA) in place of the CA cert.

> IMO that does add a "+1" to using .crt/.key extensions - otherwise it
> might confuse the heck out of end users (like overwriting the private
> key with the public cert etc ... )

That is another good point.

> How do the examples distinguish between the cert and the private key in
> this case then?

Generally, the distinction between what is private and what is public
has not been very well covered. Other than the notable exception of
"Protect your Private CA key at all costs!"

I have included this Private v Public information in the easy-pfp output.
Seems like the only way to get things done sometimes is do-it-yourself ;-)

Anyway, all other points aside, the point is that: Changing to .pem (not PEM)
feels like an unnecessary complication.

Thanks for all your input
R
Re: [Openvpn-devel] [PATCH v2 2/2] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint
Hi,

‐‐‐ Original Message ‐‐‐
On Thursday, 20 May 2021 22:35, tincantech via Openvpn-devel wrote:

> Hi,
>
> ‐‐‐ Original Message ‐‐‐
> On Thursday, 20 May 2021 22:22, Jan Just Keijser janj...@nikhef.nl wrote:
>
> > On 20/05/21 23:12, tincantech wrote:
> >
> > > [...]
> > >
> > > > > So, why switch to .pem when it has never been used before by openvpn?
> > > > > If you are all happy to let it go that way then so be it,
> > > >
> > > > Hopefully this clarifies things:
> > > >
> > > > - the default output format of OpenSSL is PEM-encoded; openssl uses the
> > > > default extension .pem
> > > >
> > > > - the OpenVPN .crt and .key files are ALSO PEM-encoded by default, but
> > > > they've just been named differently by the easy-rsa tools to ensure that
> > > > the files can be easily loaded on Windows
> > > >
> > > > - FTR: nearly all webservers I have ever seen are configured to use a
> > > > hostcert.pem and hostkey.pem and my guess is that there are (still)
> > > > more Linux-based webservers out there than OpenVPN clients and servers.
> > > >
> > > > Having said that, I do agree that after using .crt/.key files left and
> > > > right (to accommodate Windows users) for over 15 years, it does seem
> > > > confusing to start using files named .pem for peer-fingerprinting all
> > > > of a sudden. On the other hand, with peer-fingerprinting you don't
> > > > HAVE a .crt file (at least, you don't need one, technically) but only
> > > > a .key file. So choosing a different extension for peer-fingerprinting
> > > > does have its merits.
> > >
> > > FTR: Openvpn still exchanges the full certificates in peer-fingerprint mode.
> >
> > meh ... I guess it was easier to implement it that way at the TLS level...
>
> I cannot comment on the code but there is the case of older clients which
> require self-signed server".crt" (Easy-RSA) in place of the CA cert.
>
> > IMO that does add a "+1" to using .crt/.key extensions - otherwise it
> > might confuse the heck out of end users (like overwriting the private
> > key with the public cert etc ... )
>
> That is another good point.
>
> > How do the examples distinguish between the cert and the private key in
> > this case then?
>
> Generally, the distinction between what is private and what is public
> has not been very well covered. Other than the notable exception of
> "Protect your Private CA key at all costs!"
>
> I have included this Private v Public information in the easy-pfp output.
> Seems like the only way to get things done sometimes is do-it-yourself ;-)
>
> Anyway, all other points aside, the point is that: Changing to .pem (not PEM)
> feels like an unnecessary complication.

I would like to hammer one final nail into this discussion.

Openvpn option names and inline tags ALL use certificate .crt and .key.

They do not use .pem or PEM and none of the Official online documentation,
to date, references use of a {name}.pem file, other than far-flung cases.

The files generated in this tutorial will all be PEM encoded regardless.

This is why I asked the question of why Openvpn suddenly chooses to change
to a .pem extension and add this unnecessary complication.

Real users may see this as another hurdle which they just don't want to jump.
Do you want to drive them away .. ?

As I am also banned from #openvpn-meeting, I leave this for you to discuss.

--
Richard
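An added example (not code from OpenVPN, easy-rsa, easy-pfp or anyone in this thread) of the point argued above: .crt, .key and .pem are file names, PEM is an encoding (base64 of DER), and the SHA256 value that --peer-fingerprint pins is computed over the DER bytes, so a PEM file and its DER equivalent fingerprint identically. The tolerant comparison (case and separators ignored) is this example's own choice, not a statement about OpenVPN's option parser, and the sample "certificate" is a constructed stand-in, not a real X.509 structure.

```python
# Added example, not OpenVPN/easy-pfp code.  Computes the SHA256 certificate
# fingerprint the way `openssl x509 -fingerprint -sha256` prints it, from
# either PEM text or raw DER, and applies a --peer-fingerprint style check.
import base64
import hashlib
import re

# One PEM CERTIFICATE block; the base64 body is usually wrapped at 64 columns.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    match = _PEM_CERT.search(pem_text)
    if match is None:
        raise ValueError("no PEM CERTIFICATE block found")
    body = "".join(match.group(1).split())      # drop the line breaks
    return base64.b64decode(body, validate=True)


def der_fingerprint(der: bytes) -> str:
    """SHA256 over DER, rendered as AA:BB:... like the openssl CLI output."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint(cert) -> str:
    """Fingerprint a certificate given as PEM text (str or bytes) or raw DER.

    DER begins with an ASN.1 SEQUENCE tag (0x30), never with PEM armour, so
    the armour marker is enough to tell the two encodings apart.  Whether the
    file was called .crt or .pem plays no role.
    """
    if isinstance(cert, bytes):
        if cert.lstrip().startswith(b"-----BEGIN"):
            return der_fingerprint(pem_to_der(cert.decode("ascii")))
        return der_fingerprint(cert)
    return der_fingerprint(pem_to_der(cert))


def _canonical(fp: str) -> str:
    """Hex digits only, upper case: this example's comparison form (an
    assumption; OpenVPN's own parsing of the option is not reproduced here)."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def peer_allowed(cert, pinned_fingerprints) -> bool:
    """--peer-fingerprint style decision: accept the peer only if its
    certificate hashes to one of the pinned SHA256 fingerprints.  A pinned
    entry that is not a full SHA256 digest is a configuration error."""
    pinned = [_canonical(p) for p in pinned_fingerprints]
    if any(len(p) != 64 for p in pinned):
        raise ValueError("pinned fingerprint is not a SHA256 digest")
    return _canonical(fingerprint(cert)) in pinned


# Constructed stand-in, NOT a real certificate: the "DER" is the three bytes
# b"abc", chosen so the expected digest is the well-known SHA256("abc").
SAMPLE_DER = b"abc"
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
EXPECTED = ("BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:"
            "B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD")

if __name__ == "__main__":
    # Same fingerprint whether the bytes came from a .crt, a .pem or raw DER.
    print(fingerprint(SAMPLE_PEM))
    print(fingerprint(SAMPLE_DER))
    print(peer_allowed(SAMPLE_PEM, [EXPECTED]))
```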
Re: [Openvpn-devel] [PATCH v2 2/2] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint
Hi,

‐‐‐ Original Message ‐‐‐
On Friday, 21 May 2021 00:40, tincantech wrote:

> I would like to hammer one final nail into this discussion.
>
> Openvpn option names and inline tags ALL use certificate .crt and
> .key.
>
> They do not use .pem or PEM and none of the Official online documentation,
> to date, references use of a {name}.pem file, other than far-flung cases.
>
> The files generated in this tutorial will all be PEM encoded regardless.

One final blow to the nail:

There is still the outstanding problem of --remote-cert-tls which this
tutorial does not discuss or solve. The user log will show a WARNING
message which they *cannot* solve by means of your documentation.

--
Thanks
R
Unfairly banned.
[Openvpn-devel] --tls-verify runs twice for a single cert in Peer-fingerprint mode
Hi,

Is this expected?

Server log:

2021-05-24 14:58:03 us=534606 10.10.201.226:60276 TLS CRYPT V2 VERIFY SCRIPT OK
2021-05-24 14:58:03 us=558066 10.10.201.226:60276 VERIFY KU OK
2021-05-24 14:58:03 us=558105 10.10.201.226:60276 Validating certificate extended key usage
2021-05-24 14:58:03 us=558120 10.10.201.226:60276 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
2021-05-24 14:58:03 us=558130 10.10.201.226:60276 VERIFY EKU OK
* EasyTLS-verify => CN: cli-arch-v21x connection allowed
2021-05-24 14:58:03 us=573751 10.10.201.226:60276 VERIFY SCRIPT OK: depth=0, CN=cli-arch-v21x
2021-05-24 14:58:03 us=573782 10.10.201.226:60276 VERIFY OK: depth=0, CN=cli-arch-v21x
2021-05-24 14:58:03 us=573911 10.10.201.226:60276 VERIFY KU OK
2021-05-24 14:58:03 us=573928 10.10.201.226:60276 Validating certificate extended key usage
2021-05-24 14:58:03 us=573939 10.10.201.226:60276 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
2021-05-24 14:58:03 us=573948 10.10.201.226:60276 VERIFY EKU OK
* EasyTLS-verify => CN: cli-arch-v21x connection allowed
2021-05-24 14:58:03 us=588472 10.10.201.226:60276 VERIFY SCRIPT OK: depth=0, CN=cli-arch-v21x
2021-05-24 14:58:03 us=588508 10.10.201.226:60276 VERIFY OK: depth=0, CN=cli-arch-v21x
2021-05-24 14:58:03 us=590929 10.10.201.226:60276 peer info: IV_VER=2.6_git

Client log:

2021-05-24 15:06:44 us=111054 TLS: Initial packet from [AF_INET]10.10.101.101:17332, sid=ae12d90b 6b413bf6
2021-05-24 15:06:44 us=120475 VERIFY KU OK
2021-05-24 15:06:44 us=121197 Validating certificate extended key usage
2021-05-24 15:06:44 us=122354 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-05-24 15:06:44 us=122737 VERIFY EKU OK
* TLS Verify Script OK
2021-05-24 15:06:44 us=130217 VERIFY SCRIPT OK: depth=0, CN=srv-wiscii-v21x
2021-05-24 15:06:44 us=130598 VERIFY OK: depth=0, CN=srv-wiscii-v21x
2021-05-24 15:06:44 us=131581 VERIFY KU OK
2021-05-24 15:06:44 us=132268 Validating certificate extended key usage
2021-05-24 15:06:44 us=132828 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-05-24 15:06:44 us=133364 VERIFY EKU OK
* TLS Verify Script OK
2021-05-24 15:06:44 us=137990 VERIFY SCRIPT OK: depth=0, CN=srv-wiscii-v21x
2021-05-24 15:06:44 us=138614 VERIFY OK: depth=0, CN=srv-wiscii-v21x

Thanks
R
Re: [Openvpn-devel] --tls-verify runs twice for a single cert in Peer-fingerprint mode
Hi,

‐‐‐ Original Message ‐‐‐
On Monday, 24 May 2021 18:39, Selva Nair wrote:

> Hi,
>
> On Mon, May 24, 2021 at 10:09 AM tincantech via Openvpn-devel
> openvpn-devel@lists.sourceforge.net wrote:
>
> > Hi,
> >
> > Is this expected?
> >
> > Server log:
> >
> > 2021-05-24 14:58:03 us=534606 10.10.201.226:60276 TLS CRYPT V2 VERIFY SCRIPT OK
> > 2021-05-24 14:58:03 us=558066 10.10.201.226:60276 VERIFY KU OK
> > 2021-05-24 14:58:03 us=558105 10.10.201.226:60276 Validating certificate extended key usage
> > 2021-05-24 14:58:03 us=558120 10.10.201.226:60276 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
> > 2021-05-24 14:58:03 us=558130 10.10.201.226:60276 VERIFY EKU OK
> > * EasyTLS-verify => CN: cli-arch-v21x connection allowed
> > 2021-05-24 14:58:03 us=573751 10.10.201.226:60276 VERIFY SCRIPT OK: depth=0, CN=cli-arch-v21x
> > 2021-05-24 14:58:03 us=573782 10.10.201.226:60276 VERIFY OK: depth=0, CN=cli-arch-v21x
> > 2021-05-24 14:58:03 us=573911 10.10.201.226:60276 VERIFY KU OK
> > 2021-05-24 14:58:03 us=573928 10.10.201.226:60276 Validating certificate extended key usage
> > 2021-05-24 14:58:03 us=573939 10.10.201.226:60276 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
> > 2021-05-24 14:58:03 us=573948 10.10.201.226:60276 VERIFY EKU OK
> > * EasyTLS-verify => CN: cli-arch-v21x connection allowed
> > 2021-05-24 14:58:03 us=588472 10.10.201.226:60276 VERIFY SCRIPT OK: depth=0, CN=cli-arch-v21x
> > 2021-05-24 14:58:03 us=588508 10.10.201.226:60276 VERIFY OK: depth=0, CN=cli-arch-v21x
> > 2021-05-24 14:58:03 us=590929 10.10.201.226:60276 peer info: IV_VER=2.6_git
>
> This looks like an unintended consequence of how and when OpenSSL
> executes the verify callback. If there are no verification errors, the
> callback is called only once for each depth with preverify_ok = 1.
> When there are errors (as is the case when CA is missing), for each
> depth and each error we get a callback. (Ref: OpenSSL docs on
> SSL_CTX_set_verify).
>
> Even for self-signed certs one would get a call with an error saying
> certificate is self-signed and then possibly another call with
> signature verification success. For a cert issued by a CA, one would
> first get an "issuer missing" error followed by a "signature
> verification" error and no success calls unless there are intermediate
> certs.
>
> This was not an issue before fingerprint support. In that case we do
> not proceed further when OpenSSL reports a verify error.
>
> The easiest option for scripts may be to be prepared to be called
> multiple times with the same cert and same depth. I think we should
> export the verification error-status to the env so that the script
> could make a more informed decision.

Note: In the logs above, the script is executed *before* Openvpn/Openssl
verification, so exporting error-status to env for script seems unlikely.

> Our internal callback is not meant to be executed multiple times with
> same depth, but the side effects appear to be benign -- like repeated
> VERIFY OK in the logs.
>
> Selva

Thanks
R
Re: [Openvpn-devel] --tls-verify runs twice for a single cert in Peer-fingerprint mode
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256
Hi,

I may be wrong but this is the order as it appears to me:

‐‐‐ Original Message ‐‐‐
On Monday, 24 May 2021 18:39, Selva Nair wrote:

> > Server log:
> > 2021-05-24 14:58:03 us=534606 10.10.201.226:60276 TLS CRYPT V2 VERIFY SCRIPT OK
--tls-crypt-v2-verify script
> > 2021-05-24 14:58:03 us=558066 10.10.201.226:60276 VERIFY KU OK
> > 2021-05-24 14:58:03 us=558105 10.10.201.226:60276 Validating certificate extended key usage
> > 2021-05-24 14:58:03 us=558120 10.10.201.226:60276 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
> > 2021-05-24 14:58:03 us=558130 10.10.201.226:60276 VERIFY EKU OK
--remote-cert-tls client
> > * EasyTLS-verify => CN: cli-arch-v21x connection allowed
--tls-verify
> > 2021-05-24 14:58:03 us=573751 10.10.201.226:60276 VERIFY SCRIPT OK: depth=0, CN=cli-arch-v21x
> > 2021-05-24 14:58:03 us=573782 10.10.201.226:60276 VERIFY OK: depth=0, CN=cli-arch-v21x
Openvpn/Openssl verify

Then it repeats.

I just wanted to clarify that and I may also be wrong in my understanding.

R
Re: [Openvpn-devel] --tls-verify runs twice for a single cert in Peer-fingerprint mode
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256
Hi,

‐‐‐ Original Message ‐‐‐
On Monday, 24 May 2021 21:43, Arne Schwabe wrote:

> Am 24.05.2021 um 16:07 schrieb tincantech via Openvpn-devel:
> > Hi,
> > Is this expected ?
>
> I might check if it is even a good idea to allow tls-verify and other
> verify options together with peer-fingerprint. (You could implement
> peer-fingerprint with tls-verify as well.) Since we haven't published 2.6
> yet we might just make the combination very limited to avoid allowing
> all kinds of crazy combinations and having to support those.
>
> Arne

Posted in -devel not -users for that very reason.
I am not questioning the code, only bringing you test data.

Thanks
R
Re: [Openvpn-devel] [PATCH 1/2] Improve documentation of AUTH_PENDING related directives
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hi, I read through it and it looks good to me. One tiny omission inserted: Scroll to end. Regards R Sent with ProtonMail Secure Email. Which still can't handle patches. ‐‐‐ Original Message ‐‐‐ On Wednesday, 2 June 2021 04:42, wrote: > From: Selva Nair selva.n...@gmail.com > > Also fix some typos. > > Signed-off-by: Selva Nair selva.n...@gmail.com > > doc/man-sections/server-options.rst | 4 ++ > doc/management-notes.txt | 101 +--- > 2 files changed, 67 insertions(+), 38 deletions(-) > > diff --git a/doc/man-sections/server-options.rst > b/doc/man-sections/server-options.rst > index 036323b9..047f2270 100644 > --- a/doc/man-sections/server-options.rst > +++ b/doc/man-sections/server-options.rst > @@ -460,6 +460,10 @@ fast hardware. SSL/TLS authentication must be used in > this mode. > The UI version of a UI if one is running, for example > :code:`de.blinkt.openvpn 0.5.47` for the Android app. > > - :code:`IV_SSO=[crtext,][openurl,][proxy_url]` > - Additional authentication methods supported by the client. > > > - This may be set by the client UI/GUI using ``--setenv`` > > > - When `--push-peer-info` is enabled the additional information consists > of the following data: > > diff --git a/doc/management-notes.txt b/doc/management-notes.txt > index 3aff6eb6..9f064764 100644 > --- a/doc/management-notes.txt > +++ b/doc/management-notes.txt > @@ -199,7 +199,7 @@ Command examples: > COMMAND -- kill > > > -In server mode, kill a particlar client instance. > +In server mode, kill a particular client instance. > > Command examples: > > @@ -407,6 +407,7 @@ RECONNECTING -- A restart has occurred. > EXITING -- A graceful exit is in progress. > RESOLVE -- (Client only) DNS lookup > TCP_CONNECT -- (Client only) Connecting to TCP server > +AUTH_PENDING -- (Client only) Authentication pending > > Command examples: 
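Review bot: the IV_SSO entry added in the server-options.rst hunk at -460 shows the value as `[crtext,][openurl,][proxy_url]` but never states that it is a comma-separated list of the method names the client supports, which is what a client has to put into `--setenv IV_SSO`; add that sentence and say who consumes it (the -624 hunk later in this patch has the server checking the IV_SSO environment variable before issuing client-pending-auth, so a pointer to management-notes.txt belongs here). The `AUTH_PENDING -- (Client only) Authentication pending` line in the -407 hunk should also say that the optional (c) field carries the timeout, or point at the paragraph that describes it, since the state list is where readers look first.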
> > @@ -437,6 +438,11 @@ Fields (e)-(h) are shown for CONNECTED state, > (e) is available starting from OpenVPN 2.1 > (f)-(i) are available starting from OpenVPN 2.4 > > +For AUTH_PENDING, if (c) is present, it would read > +as "timeout number" where number is the number of seconds > +before authentication will timeout. It is printed as an > +unsigned integer (%u). > + > Real-time state notifications will have a ">STATE:" prefix > prepended to them. > > @@ -608,7 +614,7 @@ COMMAND -- client-pending-auth (OpenVPN 2.5 or higher) > Instruct OpenVPN server to send AUTH_PENDING and INFO_PRE message > to signal a pending authenticating to the client. A pending auth means > that the connecting requires extra authentication like a one time > -password or doing a single sign one via web. > +password or doing a single sign on via web. > > client-pending-auth {CID} {EXTRA} {TIMEOUT} 
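Review bot: in the -437 hunk, `before authentication will timeout` uses the noun; write `times out`. The added paragraph should also state what is shown when the server sent no timeout, because the example later in this patch writes the field as `[timeout number]`, i.e. optional. The context line `Fields (e)-(h) are shown for CONNECTED state` followed by `(f)-(i) are available starting from OpenVPN 2.4` is internally inconsistent ((i) lies outside the range stated one line above); since this patch is about documentation accuracy, correct the range in the same hunk.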
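Review bot: the -608 hunk corrects `single sign one` to `single sign on` but leaves `A pending auth means that the connecting requires extra authentication` two lines above it; change `the connecting` to `the connecting client` while the sentence is being touched.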
> > @@ -624,22 +630,22 @@ the timeout proposed by the server, even if the timeout > is shorter. > If the client does not receive a packet from the server for hand-window the > connection times out regardless of the timeout. This ensures that the > connection > still times out relatively quickly in case of network problems. The client > will > -continously send PULL_REQUEST messages to the server until the timeout is > reached. > +continuously send PULL_REQUEST messages to the server until the timeout is > reached. > This message also triggers an ACK message from the server that resets the > hand-window based timeout. > > Both client and server limit the maximum timeout to the smaller value of half > the > --tls-reneg minimum time and --hand-window time (defaults to 60s). > > -For the format of EXTRA see below. For the OpenVPN server this is a stateless > +For the format of {EXTRA} see below. For OpenVPN server this is a stateless > operation and needs to be followed by a client-deny/client-auth[-nt] command > (that is the result of the out of band authentication). > > Before issuing a client-pending-auth to a client instead of a > client-auth/client-deny, the server should check the IV_SSO > -environment variable if the method is support. The currently > -defined method are crtext for challenge/response using text > -(e.g. TOTP), openurl and proxy_url for opening an URL in the client to > +environment variable for whether the method is supported. Currently > +defined methods are crtext for challenge/response using text > +(e.g., TOTP), openurl and proxy_url for opening a URL in the client to > continue authentication. A client supporting the first two methods would > set 
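Review bot: in the -624 hunk, `For OpenVPN server this is a stateless operation` drops the article the replaced line had; keep `For the OpenVPN server`. `check the IV_SSO environment variable for whether the method is supported` reads better as `to see whether the method is supported`. The paragraph says the operation must be followed by client-deny or client-auth[-nt] and describes the client-side timeout in detail, but not what the server does when neither command arrives before {TIMEOUT} expires; one sentence on the server-side outcome would complete the description.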
> > @@ -649,17 +655,30 @@ The variable name IV_SSO is historic as AUTH_PENDING > was first used > to signal single sign on support. To keep compatibility with existing > implementations the name IV_SSO is kept in lieu of a better name. > > +The management interface of the client receives notification of > +pending auth via > + > +>STATE:datetime,AUTH_PENDING,[timeout number] > > - > > +If {EXTRA} is present the client is informed usi
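Review bot: in the -649 hunk, the example `>STATE:datetime,AUTH_PENDING,[timeout number]` names the first field `datetime`, while the rest of this patch refers to the STATE fields as (a), (b), (c) (the -437 hunk documents the timeout as field (c)); use the same field names, or the same sample values as the other STATE examples in this file, so readers can map the two descriptions onto each other.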
Re: [Openvpn-devel] [PATCH 8/9] Document stub-v2 being basically an alias for no compression at all
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hi text corrections. Sorry about protonmail making '+' to '-' ‐‐‐ Original Message ‐‐‐ On Wednesday, May 12th, 2021 at 14:15, Arne Schwabe wrote: > Signed-off-by: Arne Schwabe a...@rfc2549.org > > doc/man-sections/protocol-options.rst | 5 + > > 1 file changed, 5 insertions(+) > > diff --git a/doc/man-sections/protocol-options.rst > b/doc/man-sections/protocol-options.rst > > index 4b6928c68..34d4255ee 100644 > > --- a/doc/man-sections/protocol-options.rst > > +++ b/doc/man-sections/protocol-options.rst 
> > @@ -96,6 +96,11 @@ configured in a compatible way between both the local and > remote side. > > other variants always add one extra framing byte compared to no > > compression framing. > > - Especially :code:`stub-v2` is essentially identical to no compression and > - no compression framing as its header indicates IP version 5 in a tun setup > - and can (ab)used to complete disable compression to clients. (See the > - :code:`migrate option below) > - If the `algorithm` parameter is :code:`stub`, :code:`stub-v2` or empty, Re-write: The :code:`stub-v2` is essentially identical to no compression and no compression framing as its header indicates IP version 5 in a tun setup and can be (ab)used to completely disable compression to clients. (See the :code:`migrate` option below) If the `algorithm` parameter is :code:`stub`, :code:`stub-v2` or empty, > > compression will be turned off, but the packet framing for compression > > will still be enabled, allowing a different setting to be pushed later. > > -- > > 2.31.1 > > > Openvpn-devel mailing list > > Openvpn-devel@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/openvpn-devel
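Review bot: the new text in the -96 hunk has an unterminated inline literal, `:code:`migrate option below)`, which breaks the RST rendering of the whole paragraph, and `can (ab)used to complete disable compression` is missing `be` and `completely`; tincantech's rewrite in this mail fixes both and can be applied as is. The sentence justifies the equivalence with "its header indicates IP version 5 in a tun setup"; say explicitly that the equivalence to no compression framing is meant for tun mode, so a tap user does not read it as universal.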
Re: [Openvpn-devel] [PATCH 8/9] Document stub-v2 being basically an alias for no compression at all
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Ignore me .. this has been applied Sent with ProtonMail Secure Email. ‐‐‐ Original Message ‐‐‐ On Sunday, June 20th, 2021 at 19:09, tincantech via Openvpn-devel wrote: > Hi > > text corrections. > > Sorry about protonmail making '+' to '-' > > ‐‐‐ Original Message ‐‐‐ > > On Wednesday, May 12th, 2021 at 14:15, Arne Schwabe a...@rfc2549.org wrote: > > > Signed-off-by: Arne Schwabe a...@rfc2549.org > > > > doc/man-sections/protocol-options.rst | 5 + > > > > 1 file changed, 5 insertions(+) > > > > diff --git a/doc/man-sections/protocol-options.rst > > b/doc/man-sections/protocol-options.rst > > > > index 4b6928c68..34d4255ee 100644 > > > > --- a/doc/man-sections/protocol-options.rst > > > > +++ b/doc/man-sections/protocol-options.rst 
> > > > @@ -96,6 +96,11 @@ configured in a compatible way between both the local > > and remote side. > > > > other variants always add one extra framing byte compared to no > > > > compression framing. > > > > - Especially :code:`stub-v2` is essentially identical to no compression > > and > > - no compression framing as its header indicates IP version 5 in a tun > > setup > > - and can (ab)used to complete disable compression to clients. (See the > > - :code:`migrate option below) > > - If the `algorithm` parameter is :code:`stub`, :code:`stub-v2` or empty, > > Re-write: > > The :code:`stub-v2` is essentially identical to no compression and > > no compression framing as its header indicates IP version 5 in a tun setup > > and can be (ab)used to completely disable compression to clients. (See the > > :code:`migrate` option below) > > If the `algorithm` parameter is :code:`stub`, :code:`stub-v2` or empty, > > > compression will be turned off, but the packet framing for compression > > > > will still be enabled, allowing a different setting to be pushed later. 
> > > > -- > > 2.31.1 > > > > > > Openvpn-devel mailing list > > > > Openvpn-devel@lists.sourceforge.net > > > > https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] --tmp-dir and systemd PrivateTmp incompatibility
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256
Hi,

the openvpn-server systemd unit file currently makes use of PrivateTmp=True,
this denies the openvpn process access to /tmp (and /var/tmp).

This setting also does not provide the systemd assigned location for
temporary files to the openvpn process.

Thus the problem is twofold:

1. It is not possible to pre-determine a temporary directory within the
   systemd PrivateTmp assigned folder within an openvpn config which needs
   to use --tmp-dir

2. Openvpn is forced to assign a non-standard temporary folder to --tmp-dir
   which lies outside of the systemd assigned private temporary folder.

Not being familiar with lib-systemd, I do not know how to approach this
problem, the only "answer" I can see is something like an "alias" for
systemd PrivateTmp.

EG: To use --tmp-dir within an openvpn config that uses the systemd assigned
temporary folder, the alias would be something like: 'tmp-dir systemd'

Otherwise, what is the recommended way to use --tmp-dir under systemd ?

Thanks
R
Re: [Openvpn-devel] --tmp-dir and systemd PrivateTmp incompatibility
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256
Hi

the problem is threefold:

3. How would I then point scripts to the systemd assigned folder ?
   (Yet another env var: systemd_private_tmp)

The most logical answer is "To take matters into my own hands"
and specify my own temporary location but that does not sound
like a "secure" approach generally .. which is the point of using
systemd to "secure" things, in the first place.

stuck in a rabbit hole ..

R
Re: [Openvpn-devel] --tmp-dir and systemd PrivateTmp incompatibility
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256
Hi David,

with your help, I was able to use systemd.PrivateTmp correctly.

thanks for this detailed explanation.

R

‐‐‐ Original Message ‐‐‐
On Thursday, July 1st, 2021 at 13:41, David Sommerseth wrote:

> On 01/07/2021 00:56, tincantech via Openvpn-devel wrote:
> > Hi
> [... copied from first mail ...]
> > Thus the problem is twofold:
> >
> > 1. It is not possible to pre-determine a temporary directory within the
> > systemd PrivateTmp assigned folder within an openvpn config which needs
> > to use --tmp-dir
> >
> > 2. Openvpn is forced to assign a non-standard temporary folder to --tmp-dir
> > which lies outside of the systemd assigned private temporary folder.
> [... second mail ...]
> > the problem is threefold:
> >
> > 3. How would I then point scripts to the systemd assigned folder ?
> > (Yet another env var: systemd_private_tmp)
> >
> > The most logical answer is "To take matters into my own hands"
> > and specify my own temporary location but that does not sound
> > like a "secure" approach generally .. which is the point of using
> > systemd to "secure" things, in the first place.
>
> First of all - what you are describing is what you are observing. But I'm
> missing the context of when you need a publicly available tmp-dir.
>
> The PrivateTmp is a security hardening. Using /tmp and /var/tmp to dump
> various data has been a well-known security issue for years. And not just
> within OpenVPN, but all kinds of running daemons have faced security
> challenges with the use of a global tmp-dir.
>
> First some background.
>
> In 2010 we added some hardening to avoid some of the potential issues with
> tmp-dir and temp-files needed for the script hooks (see commit 4e1cc5f6d for
> details). Already back then we knew this was not covering all issues, but it
> was still a good step forward to harden this issue. Those not satisfied
> with this change can use --tmp-dir to relocate this directory with
> stricter privileges. That's probably as strict as you can go.
>
> The challenge at hand was that another process could manage to create a
> tempfile with the same tempname as OpenVPN did earlier, which OpenVPN would
> pick up and read despite not having created it (it was the task of the
> plug-in/script to do so earlier). This was a perfect trap to inject data from
> outside, even from a user not privileged to configure OpenVPN. So we changed
> the model so OpenVPN always creates the temp-file before it runs the
> plug-in/script and ensures the privileges on that file are correct.
>
> And then came systemd with PrivateTmp which added further hardening.
>
> That's the background ... now to PrivateTmp
>
> When running scripts via OpenVPN's script hooks or plug-ins, they should run
> under the same confinement as the OpenVPN process, so it should share the
> same tmp-dir. So PrivateTmp should not cause any issues in regards to script
> hooks or plug-ins. They should all share the same tmp-dir. I don't recall now
> if some $TMP or $TMPDIR variables would be set as well.
>
> Now if you want your scripts to leave data after it has run, a tmp-dir is
> still the wrong location for such data - as then it isn't strictly a
> temporary file. In that case, these scripts should ideally use a different
> path which is not confined inside a private tmp-dir.
>
> Some reasonable locations:
>
> - Most Linux packaging provides /var/lib/openvpn, which should be owned
>   by openvpn:openvpn by default. Creating a subdirectory here with the
>   proper ACL would be considered appropriate.
> - If the data you want to leave for another script/process to pick up
>   (like a queue), the typical location for that would be /var/spool/openvpn
>   (which needs to be created).
> - If it is cached data, then /var/cache/openvpn would be appropriate.
> - If it is runtime related data, which may be wiped when the OpenVPN
>   process is stopped, using /run/openvpn/ would be fine - but these
>   days, /run is mostly mounted as a tmpfs filesystem so be careful with
>   the amount of data you put there.
>
> My point is, don't use tmp-dir to save data which isn't really temporary,
> where temporary means it should not live there for very long. And don't abuse
> the --tmp-dir option to relocate it to one of these more persistent
> locations. Just d
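The trap David describes, a temp-file name that another process can guess and pre-create while the script rather than the daemon is expected to create it, can be shown in a few lines. The following is an added example and not OpenVPN's code: vulnerable_flow() models the pre-2010 pattern (predictable name, hook creates the file, daemon reads whatever is there), hardened_flow() models the fix (daemon creates the file first with an unpredictable name, O_CREAT|O_EXCL and mode 0600, then verifies what it reads back). The control-file convention used here ("1" means success, nothing written on failure, as a deferred-auth script would do), the hook, the attacker and the directory standing in for --tmp-dir are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Temp-file trap versus daemon-created control file (added example, not OpenVPN code).

Both flows model a deferred-auth style control file: the hook writes "1" only
when it authenticates the user and writes nothing otherwise; the daemon treats
the content "1" as success.  Paths, hook and attacker are constructed here.
"""
import os
import stat
import tempfile


def hook(control_file: str, authenticated: bool) -> None:
    """Script hook: record success by writing '1'; on failure it writes nothing."""
    if authenticated:
        with open(control_file, "w") as f:
            f.write("1\n")


def attacker_plants(path: str) -> None:
    """A local, unprivileged process that guessed the file name pre-creates it."""
    with open(path, "w") as f:
        f.write("1\n")


def vulnerable_flow(tmp_dir: str, session_id: int, authenticated: bool, attacker: bool) -> bool:
    """Daemon picks a predictable name and relies on the hook to create the file."""
    control_file = os.path.join(tmp_dir, f"openvpn_acf_{session_id}.tmp")
    if attacker:
        attacker_plants(control_file)      # wins the race before the hook runs
    hook(control_file, authenticated)
    try:
        with open(control_file) as f:       # reads whatever is there, whoever wrote it
            return f.read().strip() == "1"
    except FileNotFoundError:
        return False


def create_control_file(tmp_dir: str) -> str:
    """Daemon creates the file itself: random name, O_CREAT|O_EXCL, mode 0600 (mkstemp)."""
    fd, path = tempfile.mkstemp(prefix="openvpn_acf_", dir=tmp_dir)
    os.close(fd)
    return path


def read_control_file(path: str) -> str:
    """Refuse anything that is not the regular, private file the daemon created."""
    st = os.lstat(path)                      # lstat: a symlink must not be followed
    if not stat.S_ISREG(st.st_mode):
        raise RuntimeError("control file is not a regular file")
    if st.st_uid != os.geteuid():
        raise RuntimeError("control file is owned by another user")
    if stat.S_IMODE(st.st_mode) & 0o077:
        raise RuntimeError("control file is accessible to other users")
    with open(path) as f:
        return f.read().strip()


def hardened_flow(tmp_dir: str, authenticated: bool, attacker: bool) -> bool:
    """Daemon creates the file before the hook runs; a planted file is never read."""
    control_file = create_control_file(tmp_dir)
    if attacker:
        # The attacker no longer knows the name; a guess cannot collide with the
        # randomly named file that mkstemp created with O_EXCL.
        attacker_plants(os.path.join(tmp_dir, "openvpn_acf_1.tmp"))
    hook(control_file, authenticated)
    try:
        return read_control_file(control_file) == "1"
    finally:
        os.unlink(control_file)


def demo() -> dict:
    """Run both flows for a failed login with an attacker present, plus a real login."""
    with tempfile.TemporaryDirectory() as tmp_dir:
        return {
            "vulnerable_grants_failed_login": vulnerable_flow(tmp_dir, 1, False, True),
            "hardened_grants_failed_login": hardened_flow(tmp_dir, False, True),
            "hardened_accepts_real_login": hardened_flow(tmp_dir, True, False),
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The vulnerable flow grants a login that the hook never approved, because the daemon trusts a file it did not create. The hardened flow is the shape David describes: create first, with an unpredictable name and restrictive mode, then run the hook, then check ownership, mode and file type before believing the content. PrivateTmp adds a second layer on top of this by taking the directory itself out of reach of other users.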
Re: [Openvpn-devel] [PATCH v3 7/9] Cleanup handling of initial auth token
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hi, this is a comment about a comment which this patch is not changing but the comment is so awful I thought it best to make a note. See below. Also, two typos. And FYI, 'anymore' ought to be 'any more' R Sent with ProtonMail Secure Email, which still cannot handle diffs. ‐‐‐ Original Message ‐‐‐ On Tuesday, July 6th, 2021 at 14:57, Arne Schwabe wrote: > This changes that auth_token_initial is set when the token is > initially generated instead when pushing the token. Even I do not know > anymore why I did it in this way in the first place. Also use > multi->auth_token_initial as source for the sesssion ID since it should sesssion -> session > now always be available. > > Since the change makes auth_token_initial always available we need to add > a check to only send a PUSH reply to update the token on renegotiations. > The old code relied on multi->auth_token not being set in this case. > > This commit also removes the workaround for old OpenVPN clients. These > were only available as commercial OpenVPN Connect client and not in use > anymore. > > Patch V2: rebase. > Patch V3: fix formatting, clarifying commit message, remove initial > token workaround for old v3. > > Signed-off-by: Arne Schwabe > --- > doc/man-sections/server-options.rst| 4 +-- > src/openvpn/auth_token.c | 34 -- > src/openvpn/push.c | 8 - > src/openvpn/ssl_common.h | 4 +-- > src/openvpn/ssl_verify.c | 6 ++-- > tests/unit_tests/openvpn/test_auth_token.c | 7 +++-- > 6 files changed, 32 insertions(+), 31 deletions(-) > > diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server= > -options.rst > index 047f2270f..1ab00e81b 100644 > --- a/doc/man-sections/server-options.rst > +++ b/doc/man-sections/server-options.rst 
> @@ -35,7 +35,7 @@ fast hardware. SSL/TLS authentication must be used in th= > is mode. >token is reached or after not being renewed for more than 2 \* >``reneg-sec`` seconds. Clients will be sent renewed tokens on every TLS >renogiation to keep the client's token updated. This is done to I know this is not in this patch but .. renogiation -> renegotiation > - invalidate a token if a client is disconnected for a sufficently long > + invalidate a token if a client is disconnected for a sufficiently long >time, while at the same time permitting much longer token lifetimes for >active clients. > > @@ -46,7 +46,7 @@ fast hardware. SSL/TLS authentication must be used in th= > is mode. >When the :code:`external-auth` keyword is present the normal >authentication method will always be called even if auth-token succeeds= > . >Normally other authentications method are skipped if auth-token > - verification suceeds or fails. > + verification succeeds or fails. > >This option postpones this decision to the external authentication >methods and checks the validity of the account and do other checks. > diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c > index 0ea6d1832..a681d726f 100644 > --- a/src/openvpn/auth_token.c > +++ b/src/openvpn/auth_token.c > @@ -109,11 +109,11 @@ add_session_token_env(struct tls_session *session, s= > truct tls_multi *multi, > /* > * No session before, generate a new session token for the new se= > ssion > */ > -if (!multi->auth_token) > +if (!multi->auth_token_initial) > { > generate_auth_token(up, multi); > } > -session_id_source =3D multi->auth_token; > +session_id_source =3D multi->auth_token_initial; > } > /* > * In the auth-token the auth token is already base64 encoded 
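Review bot: in the -46 hunk of server-options.rst, the context lines around the corrected `succeeds` still read `Normally other authentications method are skipped` and `checks the validity of the account and do other checks`; as the hunk is a spelling fix to that paragraph, change them to `authentication methods` and `does` in the same place.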
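Review bot: in the auth_token.c hunk at -109, the branch is now guarded by `if (!multi->auth_token_initial)` and then uses `multi->auth_token_initial` as session_id_source, but nothing in this hunk shows generate_auth_token() assigning auth_token_initial; if the first-generation path only sets auth_token, session_id_source is NULL here and every later call takes the generate path again. The generate_auth_token() hunk at -184 reuses the session id only when auth_token_initial is already set, so make sure the fresh-token path stores into auth_token_initial too, and add an ASSERT that it is non-NULL before it is dereferenced as the session id source.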
> @@ -184,7 +184,7 @@ generate_auth_token(const struct user_pass *up, struct= > tls_multi *multi) > > uint8_t sessid[AUTH_TOKEN_SESSION_ID_LEN]; > > -if (multi->auth_token) > +if (multi->auth_token_initial) > { > /* Just enough space to fit 8 bytes+ 1 extra to decode a non padd= > ed > * base64 string (multiple of 3 bytes). 9 bytes =3D> 12 bytes bas= > e64 > @@ -192,11 +192,14 @@ generate_auth_token(const struct user_pass *up, stru= > ct tls_multi *multi) > */ > char old_tstamp_decode[9]; > > +/* Make a copy of the string to not modify multi->auth_token_init= > ial */ > +char* initial_token_copy =3D string_alloc(multi->auth_token_initi= > al, &gc); > + > /* > * reuse the same session id and timestamp and null terminate it = > at > * for base64 decode it only decodes the session id part of it > */ For the sake of readability: /* * reuse the same session id and timestamp and null terminate it at * for base64 decode it only decodes the session id part of it */ What does this mean ? I can't decipher it .. > -char *old_sessid =3D multi->auth_
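Review bot: in the -192 hunk, `char* initial_token_copy` departs from the pointer style used two lines later (`char *old_sessid`); write `char *`. The comment tincantech flags is unreadable; from what the surrounding lines do (copy the initial token so it can be cut without modifying multi->auth_token_initial), it should say something like `Reuse the session id and timestamp of the initial token. Work on a copy and NUL-terminate it right after the session id so that the base64 decode below only decodes the session id part.` Also confirm that `gc` is a gc_arena declared and freed in this function, since `string_alloc(..., &gc)` is the only use of it visible in the hunk.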
Re: [Openvpn-devel] [PATCH v3] Add detailed man page section to setup a OpenVPN setup with peer-fingerprint
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hi, six minor improvements, could probably be made on commit. One comment: This tutorial will not work on Windows because it relies on a bashism to generate the self-signed certs. There is no mention of that anywhere, maybe it could be pointed out somewhere ? Other than that, excellent work! And for the record: Easy-TLS can create these cert/keys and share fingerprints to relevant inline files with relative ease. https://github.com/TinCanTech/easy-tls Sent with ProtonMail Secure (but still git unfriendly) Email. ‐‐‐ Original Message ‐‐‐ On Wednesday, July 28th, 2021 at 16:49, Arne Schwabe wrote: > This is meant to give new users a quickstart for a useable OpenVPN quickstart -> quick start > setup. Our own documentation is lacking in this regard and many > tutorials that can be found online are often questionable in some > aspects. > > Linking the individaul RST file on github also give a tutorial individual (au->ua) > in a nicely formatted way. > > Patch V2: Fix grammar/spelling mistakes (thanks ticantech), move tincantech > to openvpn-examples(5). > > Patch v3: use server.key and server.crt instead of server.pem/serverkey.pe= > m > > Signed-off-by: Arne Schwabe > --- > Changes.rst | 4 + > doc/Makefile.am | 1 + > doc/man-sections/example-fingerprint.rst | 196 +++ > doc/openvpn-examples.5.rst | 1 + > 4 files changed, 202 insertions(+) > create mode 100644 doc/man-sections/example-fingerprint.rst > > diff --git a/Changes.rst b/Changes.rst > index 9185b55f7..5ac24307f 100644 > --- a/Changes.rst > +++ b/Changes.rst 
> @@ -25,6 +25,10 @@ Certificate pinning/verify peer fingerprint > fingerprint of the peer. The option takes use a number of allowed > SHA256 certificate fingerprints. > > +See the man page section "Small OpenVPN setup with peer-fingerprint" > +for a tutorial on how to use this feature. This is also available onl= > ine > +under https://github.com/openvpn/openvpn/blob/master/doc/man-sections= > /example-fingerprint.rst > + > TLS mode with self-signed certificates > When ``--peer-fingerprint`` is used, the ``--ca`` and ``--capath`` op= > tion > become optional. This allows for small OpenVPN setups without setting= > up > diff --git a/doc/Makefile.am b/doc/Makefile.am > index 1e4fcdea3..1a67f7b52 100644 > --- a/doc/Makefile.am > +++ b/doc/Makefile.am > @@ -31,6 +31,7 @@ dist_noinst_DATA =3D \ > man-sections/client-options.rst \ > man-sections/connection-profiles.rst \ > man-sections/encryption-options.rst \ > + man-sections/example-fingerprint.rst \ > man-sections/examples.rst \ > man-sections/generic-options.rst \ > man-sections/inline-files.rst \ > diff --git a/doc/man-sections/example-fingerprint.rst b/doc/man-sections/e= > xample-fingerprint.rst > new file mode 100644 > index 0..ba948dd07 > --- /dev/null > +++ b/doc/man-sections/example-fingerprint.rst 
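Review bot: in the Changes.rst hunk at -25, the context line `The option takes use a number of allowed SHA256 certificate fingerprints` is broken English (`takes a number of`), and the new paragraph links the tutorial on the master branch, which will drift from what a 2.6 release ships; link a tag or say "in the openvpn source tree" instead. The Makefile.am hunk is fine: example-fingerprint.rst is added to dist_noinst_DATA in alphabetical order between encryption-options.rst and examples.rst.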
> @@ -0,0 +1,196 @@ > +Small OpenVPN setup with peer-fingerprint > +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > +This section consists of instructions how to build a small OpenVPN setup = > with the > +:code:`peer-fingerprint` option. This has the advantage of being easy to = > setup > +and should be suitable for most small lab and home setups without the nee= > d for a PKI. > +For bigger scale setup setting up a PKI (e.g. via easy-rsa) is still reco= > mmended. > + > +Both server and client configuration can of be further modified to custom= "can of be" -> can be Also, it could simply read: "can be further customised." > ise the > +setup. > + > +Server setup > + > +1. Install openvpn > + > + Compile from source-code (see `INSTALL` file) or install via a distrib= > ution (apt/yum/ports) > + or via installer (Windows). The following method does not work in Windows. > + > +2. Generate a self-signed certificate for the server: > + :: > + > +openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyo= > ut server.key -out server.crt -nodes -sha256 -days 3650 -subj '/CN=3Dserve= > r' > + > +3. Generate SHA256 fingerprint of the server certificate > + > + Use the OpenSSL command line utility to view the fingerprint of just > + created certificate: > + :: > + > +openssl x509 -fingerprint -sha256 -in server.crt -noout > + > + This output something similar to: > + :: > + > + SHA256 Fingerprint=3D00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff= > :00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff > + > + > +3. Write a server configuration (`server.conf`): > +:: > + > +# The server certificate we created in step 1 > +cert server.crt > +key server.key > + > +dh none > +dev tun > + > +# Listen on IPv6+IPv4 simultaneously > +proto udp6
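Review bot: in the new example-fingerprint.rst, the step numbering runs 1, 2, 3, 3 and the server.conf comment says `The server certificate we created in step 1` although the certificate is created in step 2; renumber and fix the reference. The `openssl req ... -newkey ec:<(openssl ecparam -name secp384r1)` command depends on bash process substitution, so it fails in POSIX sh and on Windows, which the preceding step lists as an install target; replace it with two portable commands, `openssl ecparam -name secp384r1 -genkey -noout -out server.key` followed by `openssl req -x509 -new -key server.key -out server.crt -nodes -sha256 -days 3650 -subj '/CN=server'`. `This output something similar to` should be `This outputs`, and `For bigger scale setup setting up a PKI` should be `For larger setups, setting up a PKI`. One sentence belongs next to the fingerprint step: because the clients pin this fingerprint, replacing server.crt (at the latest after the 3650 days) means updating every client configuration, which is the trade-off against a PKI where the CA stays constant.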
Re: [Openvpn-devel] [PATCH v3] Add example script demonstrating TOTP via auth-pending
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hi, Sent with ProtonMail Secure Email. ‐‐‐ Original Message ‐‐‐ On Monday, August 2nd, 2021 at 10:52, Arne Schwabe wrote: > Signed-off-by: Arne Schwabe a...@rfc2549.org > > Patch v3: Some minor cleanups in the script (rename CNs, add more comments) > > Signed-off-by: Arne Schwabe a...@rfc2549.org > > doc/man-sections/script-options.rst | 3 + > > sample/sample-scripts/totpauth.py | 111 > > 2 files changed, 114 insertions(+) > > create mode 100755 sample/sample-scripts/totpauth.py > > diff --git a/doc/man-sections/script-options.rst > b/doc/man-sections/script-options.rst > > index f48e5818d..6517f8474 100644 > > --- a/doc/man-sections/script-options.rst > > +++ b/doc/man-sections/script-options.rst > > @@ -147,6 +147,9 @@ SCRIPT HOOKS > > :code:`auth_control_file or further defer it. See `--auth-user-pass-verify` > > for details. > > - For a sample script that implement TOTP (RFC 6238) based two-factor > - authentication, see :code:`sample-scripts/totp.py`. sample-scripts/totp.py -> sample-scripts/totpauth.py Checked everything else and it all LGTM.
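Review bot: the context line `:code:`auth_control_file or further defer it.` in the -147 hunk is missing the closing backtick after `auth_control_file`, which breaks the RST inline literal; fix it in the same hunk. In the added text, `a sample script that implement TOTP` should be `implements`, and the referenced path has to match the file this patch creates, sample/sample-scripts/totpauth.py, as tincantech points out.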
Re: [Openvpn-devel] [PATCH] Modernise OpenVPN defaults and introduce '--compat-mode'
Hi,

12 minor corrections

‐‐‐ Original Message ‐‐‐
On Monday, August 2nd, 2021 at 12:46, Arne Schwabe wrote:

> TLS 1.0 should be allowed anymore in a sensible default configuration. Bump
> the default to TLS 1.2

TLS 1.0 should not be allowed -- Missing 'not'

> Also modify --cipher not to be automatically appended and default
> allow-compression to no. This also allows a default configuration to be
> compatible with DCO.
>
> Also introduce --compat-mode version to allow an easy way for UI/users
> to maximise compatibility to earlier versions at the cost of DCO and
> security.
>
> --compat-mode is only intended as an easier way to set options that
> are still present. It will not implement options that are removed
> (e.g. --keysize), so it is meant a best effort option and not as
> a mean to provide 100% compatibility.

mean -> means

> Signed-off-by: Arne Schwabe
> ---
> Changes.rst | 23 +++
> doc/man-sections/generic-options.rst | 21 ++
> src/openvpn/comp.h | 1 +
> src/openvpn/options.c| 97 +++-
> src/openvpn/options.h| 17 +
> src/openvpn/ssl_ncp.c| 13
> src/openvpn/ssl_ncp.h| 8 +++
> 7 files changed, 163 insertions(+), 17 deletions(-)
>
> diff --git a/Changes.rst b/Changes.rst
> index 0323a7f7a..cf3329486 100644
> --- a/Changes.rst
> +++ b/Changes.rst
> @@ -45,6 +45,12 @@ Pending auth support for plugins and scripts
>
> See ``sample/sample-scripts/totpauth.py`` for an example.
>
> +Compatibility mode (``--compat-mode``)
> +The modernisation of defaults can impact the compatibility of OpenVPN 2.6.0
> +with older peers. The options ``--compat-mode`` allows UIs to provide users
> +an easy way to still connect to older servers.

with an easy way - missing 'with' -- not important

> +
> +
> Deprecated features
> ---
> ``inetd`` has been removed
> @@ -65,6 +71,23 @@ Deprecated features
> This option mainly served a role as debug option when NCP was first
> introduced. It should now no longer be necessary.
>
> +TLS 1.0 and 1.1 are deprecated
> +``tls-version-min`` is set to 1.2 by default. OpenVPN 2.6.0 defaults
> +to a minimum TLS version of 1.2 as TLS 1.0 and 1.1 should be generally
> +avoided. Note that OpenVPN versions older than 2.3.7 use TLS 1.0 only.
> +
> +``--cipher`` options is no longer included in ``--data-ciphers`` by default
> +Data cipher negotiation has been introduced in 2.4.0 and been significantly
> +improved in 2.5.0. The implicit fallback to the cipher specified in
> +``--cipher`` has been removed.
> +
> +Compression no longer enabled by default
> +Unless an explicit compression option is specified in the configuration,
> +``--allow-compression`` defaults to ``no`` in OpeNVPN 2.6.0.
> +OpenVPN 2.5 still allowed by default a server to enable compression by

Maybe improved with: By default, OpenVPN 2.5 still allowed a server to enable compression

Just reads a little easier

> +pushing compression related options.
> +
> +
> Overview of changes in 2.5
> ==
>
> diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst
> index 203e35f57..739e845ac 100644
> --- a/doc/man-sections/generic-options.rst
> +++ b/doc/man-sections/generic-options.rst
> @@ -52,6 +52,27 @@ which mode OpenVPN is configured as.
> BSDs implement a getrandom() or getentropy() syscall that removes the
> need for /dev/urandom to be available.
>
> +--compat-mode version
> + This option provides a way to alter the default of OpenVPN to be more
> + compatible with the version ``version`` specified. All of the changes
> + this option does can also be achieved using invdivdiual configuration
> + option.

All of the changes this option *makes* -- does -> makes

invdivdiual -> individual

> +
> + Note: Using this options sets reverts defaults to no longer recommended
> + values and should be avoided if possible.
> +
> + The following table details what defaults are changed depending on the
> + version specified.
> +
> + - 2.5.x or lower: ``--allow-compression asym`` is automatically added
> +to the configuration if no other compression options are present.
> + - 2.4.x or lower: The cipher in ``--cipher`` is appended to
> +``--data-ciphers``
> + - 2.3.x or lower: ``--data-cipher-fallback`` is automatically added with
> +the same cipher as ``--cipher``
> + - 2.3.6 or lower: ``--tls-version-min 1.0`` is added to the configuration
> +when ``--tls-version-min`` is not explicitly set.
> +
> --config file
> Load additional config options from ``file`` where each line corresponds
> to one command line option, but with the leading '--' removed.
> diff --git a/src/openvpn/comp.h b/s
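Review bot: in the Changes.rst hunk, `The options ``--compat-mode`` allows UIs` should be `The option ``--compat-mode`` allows UIs` (singular, to agree with `allows`). In the generic-options.rst hunk, `The following table details what defaults are changed` introduces a bullet list rather than a table, so `list` is the right word, and `individual configuration option` should be plural, `options`, since several are listed. The `Note:` in the same hunk would be more useful if it named what is being given up: the `2.3.6 or lower` entry adds `--tls-version-min 1.0`, which the Changes.rst hunk says should generally be avoided, and the `2.5.x or lower` entry re-enables compression, which the same file says is no longer enabled by default; a UI that exposes `--compat-mode` needs that to warn its users.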
Re: [Openvpn-devel] [PATCH v2] Modernise OpenVPN defaults and introduce '--compat-mode'
Hi,

V2 - 13 minor corrections ;-)

‐‐‐ Original Message ‐‐‐
On Monday, August 2nd, 2021 at 12:55, Arne Schwabe wrote:

> TLS 1.0 should be allowed anymore in a sensible default configuration. Bump

TLS 1.0 should *not* be allowed

> the default to TLS 1.2
> Also modify --cipher not to be automatically appended and default
> allow-compression to no. This also allows a default configuration to be
> compatible with DCO.
>
> Also introduce --compat-mode version to allow an easy way for UI/users
> to maximise compatibility to earlier versions at the cost of DCO and
> security.
>
> --compat-mode is only intended as an easier way to set options that
> are still present. It will not implement options that are removed
> (e.g. --keysize), so it is meant a best effort option and not as
> a mean to provide 100% compatibility.

mean -> means

> Patch v2: rebase
>
> Signed-off-by: Arne Schwabe
> ---
> Changes.rst | 23 +++
> doc/man-sections/generic-options.rst | 21 ++
> src/openvpn/comp.h | 1 +
> src/openvpn/options.c| 97 +++-
> src/openvpn/options.h| 17 +
> src/openvpn/ssl_ncp.c| 13
> src/openvpn/ssl_ncp.h| 8 +++
> 7 files changed, 165 insertions(+), 15 deletions(-)
>
> diff --git a/Changes.rst b/Changes.rst
> index 0323a7f7a..cf3329486 100644
> --- a/Changes.rst
> +++ b/Changes.rst
> @@ -45,6 +45,12 @@ Pending auth support for plugins and scripts
>
> See ``sample/sample-scripts/totpauth.py`` for an example.
>
> +Compatibility mode (``--compat-mode``)
> +The modernisation of defaults can impact the compatibility of OpenVPN 2.6.0
> +with older peers. The options ``--compat-mode`` allows UIs to provide users
> +an easy way to still connect to older servers.

*with* an easy way -- not important

> +
> +
> Deprecated features
> ---
> ``inetd`` has been removed
> @@ -65,6 +71,23 @@ Deprecated features
> This option mainly served a role as debug option when NCP was first
> introduced. It should now no longer be necessary.
>
> +TLS 1.0 and 1.1 are deprecated
> +``tls-version-min`` is set to 1.2 by default. OpenVPN 2.6.0 defaults
> +to a minimum TLS version of 1.2 as TLS 1.0 and 1.1 should be generally
> +avoided. Note that OpenVPN versions older than 2.3.7 use TLS 1.0 only.
> +
> +``--cipher`` options is no longer included in ``--data-ciphers`` by default
> +Data cipher negotiation has been introduced in 2.4.0 and been significantly
> +improved in 2.5.0. The implicit fallback to the cipher specified in
> +``--cipher`` has been removed.
> +
> +Compression no longer enabled by default
> +Unless an explicit compression option is specified in the configuration,
> +``--allow-compression`` defaults to ``no`` in OpeNVPN 2.6.0.
> +OpenVPN 2.5 still allowed by default a server to enable compression by

By default, OpenVPN 2.5 still allowed a server to enable compression

> +pushing compression related options.
> +
> +
> Overview of changes in 2.5
> ==
>
> diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst
> index 203e35f57..739e845ac 100644
> --- a/doc/man-sections/generic-options.rst
> +++ b/doc/man-sections/generic-options.rst
> @@ -52,6 +52,27 @@ which mode OpenVPN is configured as.
> BSDs implement a getrandom() or getentropy() syscall that removes the
> need for /dev/urandom to be available.
>
> +--compat-mode version
> + This option provides a way to alter the default of OpenVPN to be more
> + compatible with the version ``version`` specified. All of the changes
> + this option does can also be achieved using invdivdiual configuration

does -> makes

invdivdiual -> individual

> + option.
> +
> + Note: Using this options sets reverts defaults to no longer recommended

'sets' is out of place and unnecessary

> + values and should be avoided if possible.
> +
> + The following table details what defaults are changed depending on the
> + version specified.
> +
> + - 2.5.x or lower: ``--allow-compression asym`` is automatically added
> +to the configuration if no other compression options are present.
> + - 2.4.x or lower: The cipher in ``--cipher`` is appended to
> +``--data-ciphers``
> + - 2.3.x or lower: ``--data-cipher-fallback`` is automatically added with
> +the same cipher as ``--cipher``
> + - 2.3.6 or lower: ``--tls-version-min 1.0`` is added to the configuration
> +when ``--tls-version-min`` is not explicitly set.
> +
> --config file
> Load additional config options from ``file`` where each line corresponds
> to one command line option, but with the leading '--' removed.
> diff --git a/src/openvpn/comp.h b/src/openvpn/comp.h
> index cd4f0e1a2..619a574e5 100644
> --- a/src/openvpn/comp.h
> +++ b/s
Re: [Openvpn-devel] [PATCH v3] Modernise OpenVPN defaults and introduce '--compat-mode'
Hi,

a few more wrinkles to smooth out.

‐‐‐ Original Message ‐‐‐
On Wednesday, August 11th, 2021 at 08:29, Antonio Quartulli wrote:

> Hi,
>
> On 05/08/2021 20:09, Arne Schwabe wrote:
> > TLS 1.0 should not be allowed anymore in a sensible default configuration.
> > Bump the default to TLS 1.2
> > Also modify --cipher not to be automatically appended and default
> > allow-compression to no. This also allows a default configuration to be
> > compatible with DCO.
> >
> > Also introduce --compat-mode version to allow an easy way for UI/users
> > to maximise compatibility to earlier versions at the cost of DCO and
> > security.
> >
> > --compat-mode is only intended as an easier way to set options that
> > are still present. It will not implement options that are removed
> > (e.g. --keysize), so it is meant a best effort option and not as
> > a mean to provide 100% compatibility.

mean -> means

> > Patch v2: rebase
> > Patch v3: Fix version number off by a factor of 10
> >
> > Signed-off-by: Arne Schwabe
> > ---
> > Changes.rst | 23 +++
> > doc/man-sections/generic-options.rst | 21 ++
> > src/openvpn/comp.h | 1 +
> > src/openvpn/options.c| 97 +++-
> > src/openvpn/options.h| 17 +
> > src/openvpn/ssl_ncp.c| 13
> > src/openvpn/ssl_ncp.h| 8 +++
> > 7 files changed, 165 insertions(+), 15 deletions(-)
> >
> > diff --git a/Changes.rst b/Changes.rst
> > index 0323a7f7a..56b4dd39c 100644
> > --- a/Changes.rst
> > +++ b/Changes.rst
> > @@ -45,6 +45,12 @@ Pending auth support for plugins and scripts
> >
> > See ``sample/sample-scripts/totpauth.py`` for an example.
> >
> > +Compatibility mode (``--compat-mode``)
> > +The modernisation of defaults can impact the compatibility of OpenVPN 2.6.0
> > +with older peers. The options ``--compat-mode`` allows UIs to provide users
> > +with an easy way to still connect to older servers.
> > +
> > +
> > Deprecated features
> > ---
> > ``inetd`` has been removed
> > @@ -65,6 +71,23 @@ Deprecated features
> > This option mainly served a role as debug option when NCP was first
> > introduced. It should now no longer be necessary.
> >
> > +TLS 1.0 and 1.1 are deprecated
> > +``tls-version-min`` is set to 1.2 by default. OpenVPN 2.6.0 defaults
> > +to a minimum TLS version of 1.2 as TLS 1.0 and 1.1 should be generally
> > +avoided. Note that OpenVPN versions older than 2.3.7 use TLS 1.0 only.
> > +
> > +``--cipher`` options is no longer included in ``--data-ciphers`` by default
>
> options -> argument ?
>
> > +Data cipher negotiation has been introduced in 2.4.0 and been significantly
> > +improved in 2.5.0. The implicit fallback to the cipher specified in
> > +``--cipher`` has been removed.
> > +
> > +Compression no longer enabled by default
> > +Unless an explicit compression option is specified in the configuration,
> > +``--allow-compression`` defaults to ``no`` in OpeNVPN 2.6.0.
> > +By default, OpenVPN 2.5 still allowed a server to enable compression by
> > +pushing compression related options.
> > +
> > +
> > Overview of changes in 2.5
> > ==
> >
> > diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst
> > index 203e35f57..739e845ac 100644
> > --- a/doc/man-sections/generic-options.rst
> > +++ b/doc/man-sections/generic-options.rst
> > @@ -52,6 +52,27 @@ which mode OpenVPN is configured as.
> > BSDs implement a getrandom() or getentropy() syscall that removes the
> > need for /dev/urandom to be available.
> >
> > +--compat-mode version
> > + This option provides a way to alter the default of OpenVPN to be more
> > + compatible with the version ``version`` specified. All of the changes
> > + this option does can also be achieved using invdivdiual configuration
>
> invdivdiual -> individual
>
> does -> makes
>
> > + option.
> > +
> > + Note: Using this options sets reverts defaults to no longer recommended
>
> options -> option
>
> sets reverts -> reverts
>
> > + values and should be avoided if possible.
> > +
> > + The following table details what defaults are changed depending on the
> > + version specified.
> > +
> > + - 2.5.x or lower: ``--allow-compression asym`` is automatically added
> > +to the configuration if no other compression options are present.
> > + - 2.4.x or lower: The cipher in ``--cipher`` is appended to
> > +``--data-ciphers``
> > + - 2.3.x or lower: ``--data-cipher-fallback`` is automatically added with
> > +the same cipher as ``--cipher``
> > + - 2.3.6 or lower: ``--tls-version-min 1.0`` is added to the configuration
> > +when ``--tls-version-min`` is not explicitly set.
> > +
> > --config file
>
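Review bot: `The options ``--compat-mode`` allows UIs` in the Changes.rst hunk still has the plural/singular mismatch; `The option` is intended. In the generic-options.rst hunk the version list is introduced with `The following table details`, but what follows is a bullet list, so `list` is correct, and `invdivdiual configuration option` needs both the spelling fix Antonio gave and a plural `options`. Since v3 fixes version numbers that were off by a factor of 10, the `2.3.6 or lower` boundary for `--tls-version-min 1.0` is worth checking against the `Note that OpenVPN versions older than 2.3.7 use TLS 1.0 only.` sentence in Changes.rst: the two agree (2.3.6 is the last such version), which is the consistency the fix is for.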
Re: [Openvpn-devel] [PATCH 1/7] simplify condition detecting pure P2P mode
‐‐‐ Original Message ‐‐‐
On Monday, September 6th, 2021 at 14:19, Arne Schwabe wrote:

> On 04.09.21 at 11:56, Antonio Quartulli wrote:
>
> > The new condition is equivalent to the old one, but easier to grasp.
> >
> > Also add message to inform uset that cipher negotiation, in this case,

uset -> user

> > it indeed disabled.

it -> is

> > Signed-off-by: Arne Schwabe a...@rfc2549.org
> > Signed-off-by: Antonio Quartulli a...@unstable.cc
> >
> > src/openvpn/options.c | 6 +-
> > 1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> > index 00ba6044..0d6b85cf 100644
> > --- a/src/openvpn/options.c
> > +++ b/src/openvpn/options.c
> > @@ -3076,8 +3076,12 @@ options_postprocess_verify(const struct options *o)
> > static void
> > options_postprocess_cipher(struct options *o)
> > {
> > - if (!o->pull && !(o->mode == MODE_SERVER))
> > - if (!o->tls_server && !o->tls_client)
> > {
> > - /* we are in the classic P2P mode */
> > - msg(M_WARN, "Cipher negotiation is disabled since TLS "
> > - "mode is not enabled");
> > - /* If the cipher is not set, use the old default of BF-CBC. We will
> > * warn that this is deprecated on cipher initialisation, no need
> > * to warn here as well */
>
> Yes. Makes sense. The change makes it a lot more clear. I think it is
> actually not equivalent but the new one is definitively the correct one.
>
> Acked-By: Arne Schwabe a...@rfc2549.org
>
> Arne
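Review bot: the commit message says `The new condition is equivalent to the old one`, but Arne's ack in this thread says the two are `actually not equivalent` and that the new one is the correct one; the message should say the condition is corrected, not merely simplified, so that the behaviour change is recorded where someone bisecting will look for it. The `+` markers on the new `if (!o->tls_server && !o->tls_client)` line and the `msg(M_WARN, ...)` lines have been flattened to `-` in this copy, so the hunk as shown appears to delete both conditions; read against the diffstat (`5 insertions(+), 1 deletion(-)`), only the `!o->pull && !(o->mode == MODE_SERVER)` line is removed.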
Re: [Openvpn-devel] [PATCH] Correct --client-disconnect environment variable common_name
The commit message is incorrect. Not *always* but "after a renegotiation" then *always*

I'll resubmit again after some final testing.

R

‐‐‐ Original Message ‐‐‐
On Thursday, September 16th, 2021 at 17:46, wrote:

> From: Richard T Bonhomme tincant...@protonmail.com
>
> --client-disconnect is always passed the X509 certificate common_name,
> which is incorrect when --username-as-common-name is used.
>
> Set the environment variable common_name to the correct value, prior to
> calling --client-disconnect.
>
> Resolves https://community.openvpn.net/openvpn/ticket/160
>
> Signed-off-by: Richard T Bonhomme tincant...@protonmail.com
>
> src/openvpn/multi.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
> index 22357cfb..18ee5e52 100644
> --- a/src/openvpn/multi.c
> +++ b/src/openvpn/multi.c
> @@ -557,6 +557,9 @@ setenv_stats(struct context *c)
> static void
> multi_client_disconnect_setenv(struct multi_instance *mi)
> {
> - /* setenv client current common-name */
> - setenv_str(mi->context.c2.es, "common_name", tls_common_name(mi->context.c2.tls_multi, true));
> - /* setenv client real IP address */
> setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context));
>
> 2.25.1
Re: [Openvpn-devel] [PATCH] Correct value for --client-disconnect env variable common_name
Hi,

I NAK this for the following reasons.

The original problem: "Openvpn does not set common_name for --client-disconnect", for reasons which have not been identified, no longer occurs. The code has changed enough since 2011 that a new problem occurs.

The new problem: Openvpn sets common_name to X509-CN for --client-disconnect, after a client has attempted to float, successfully or not.

If this patch is applied to current Openvpn then similar behaviour of the original problem occurs. That being, after a client attempts to float then common_name is not set at all.

I have also written Easy-TLS to work around this bug, as it stands, and Easy-TLS manages connection tracking 100% successfully.

Regards
R

‐‐‐ Original Message ‐‐‐
On Friday, September 17th, 2021 at 16:35, wrote:

> From: Richard T Bonhomme tincant...@protonmail.com
>
> A server configured with --client-disconnect and --username-as-common-name
> will pass the X509-CN not username, after the client has completed a
> renegotiation, to --client-disconnect.
>
> Explicitly set the environment variable common_name to the current value,
> which will be username in this case, prior to calling --client-disconnect.
>
> Trac: #160
>
> Signed-off-by: Richard T Bonhomme tincant...@protonmail.com
>
> src/openvpn/multi.c | 4
> 1 file changed, 4 insertions(+)
>
> diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
> index 22357cfb..c72e8e95 100644
> --- a/src/openvpn/multi.c
> +++ b/src/openvpn/multi.c
> @@ -557,6 +557,10 @@ setenv_stats(struct context *c)
> static void
> multi_client_disconnect_setenv(struct multi_instance *mi)
> {
> - /* setenv client current common-name */
> - setenv_str(mi->context.c2.es, "common_name",
> - tls_common_name(mi->context.c2.tls_multi, true));
>
> - /* setenv client real IP address */
> setenv_trusted(mi->context.c2.es, get_link_socket_info(&mi->context));
>
> 2.25.1
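Review bot: the added call passes `true` as the second argument of `tls_common_name()`, which permits a NULL return when no common name is currently locked for the instance, and the hunk feeds that result straight into `setenv_str()` with no check; the NAK above describes the resulting behaviour (after a float attempt, common_name is not set at all), so any resubmission needs to guard the NULL case and leave the existing `common_name` value in place rather than overwrite it.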
Re: [Openvpn-devel] [PATCH] Fix error in example firewall.sh script
Hi

‐‐‐ Original Message ‐‐‐
On Monday, November 8th, 2021 at 12:23, Frank Lichtenheld wrote:

> > Arne Schwabe a...@rfc2549.org wrote on 08.11.2021 12:36:
> >
> > On 07.11.21 at 18:40, Frank Lichtenheld wrote:
> >
> > > From: Adrian adrian.cre...@protonmail.com
> > >
> > > The man page says:
> > >
> > > [!] -s, --source address[/mask][,...]
> > >
> > > Signed-off-by: Frank Lichtenheld fr...@lichtenheld.com
> > > --
> > >
> > > sample/sample-config-files/firewall.sh | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > As part of an initiative to clean up the Github PR submissions, submitting
> > > this patch to the mailing list for inclusion. Looks obviously correct to
> > > me.
> > >
> > > diff --git a/sample/sample-config-files/firewall.sh b/sample/sample-config-files/firewall.sh
> > > index 19d75ee9..456700ca 100755
> > > --- a/sample/sample-config-files/firewall.sh
> > > +++ b/sample/sample-config-files/firewall.sh
> > > @@ -50,7 +50,7 @@ iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
> > > iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP
> > > Check source address validity on packets going out to internet
> > > ==
> > > -iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP
> > > +iptables -A FORWARD ! -s $PRIVATE -i eth1 -j DROP
> > > Allow local loopback
> > > iptables -A INPUT -s $LOOP -j ACCEPT
> >
> > I have a vague idea that this is actually different. Like one is that
> > condition is not fulfilled and the other is that it is not part of the
> > subnet if is different when there is different protocol but I might
> > misremember.
>
> Certainly does not work with my iptables:
>
> iptables -A OUTPUT -s ! 10.0.0.0/8 -j ACCEPT
>
> Bad argument `10.0.0.0/8' Try` iptables -h' or 'iptables --help' for more information.
>
> iptables -A OUTPUT ! -s 10.0.0.0/8 -j ACCEPT
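Review bot: the fix is correct against the man page syntax quoted in the commit message, `[!] -s, --source address[/mask][,...]`, where `!` precedes the option, and the `Bad argument `10.0.0.0/8'` error Frank reproduces shows the old `-s ! $PRIVATE` form is rejected outright rather than matching anything, so on an iptables that behaves this way the anti-spoofing rule for packets arriving on `eth1` was never installed; worth stating that in the commit message, since one rule failing to load inside a long firewall script is easy to miss, and running `iptables -S FORWARD` after the script is the cheapest way to confirm the rule is actually present.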
> > From: https://ipset.netfilter.org/iptables.man.html

[!] -s, --source address[/mask][,...]

Source specification. Address can be either a network name, a hostname, a network IP address (with /mask), or a plain IP address. Hostnames will be resolved once only, before the rule is submitted to the kernel. Please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea. The mask can be either an ipv4 network mask (for iptables) or a plain number, specifying the number of 1's at the left side of the network mask. Thus, an iptables mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is an alias for this option. Multiple addresses can be specified, but this will expand to multiple rules (when adding with -A), or will cause multiple rules to be deleted (with -D).

R
Re: [Openvpn-devel] [PATCH v4] [OSSL 3.0] Allow loading of non default providers
One tiny typo:

‐‐‐ Original Message ‐‐‐
On Thursday, November 11th, 2021 at 13:00, Arne Schwabe wrote:

> This allows OpenVPN to load non-default providers. This is mainly
> useful for loading the legacy provider with --provider legacy default
>
> Patch v4: use spaces to separate providers, unload providers.
>
> Signed-off-by: Arne Schwabe a...@rfc2549.org
>
> doc/man-sections/generic-options.rst | 10 ++
> src/openvpn/crypto_backend.h | 14 +
> src/openvpn/crypto_mbedtls.c | 13
> src/openvpn/crypto_mbedtls.h | 3 +++
> src/openvpn/crypto_openssl.c | 30
> src/openvpn/crypto_openssl.h | 9 +
> src/openvpn/openvpn.c | 13
> src/openvpn/options.c | 7 +++
> src/openvpn/options.h | 9 +
> 9 files changed, 108 insertions(+)
>
> diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst
> index e6c1fe455..f5b8a9135 100644
> --- a/doc/man-sections/generic-options.rst
> +++ b/doc/man-sections/generic-options.rst
> @@ -280,6 +280,16 @@ which mode OpenVPN is configured as.
> This option solves the problem by persisting keys across :code:`SIGUSR1`
> resets, so they don't need to be re-read.
> +--provider providers
> - Load the : separated list of (OpenSSL) providers. This is mainly useful for
> - using an external provider for key management like tpm2-openssl or to load
> - the legacy provider with
> - ::
> ---provider "legacy:default"
>
> --remap-usr1 signal
> Control whether internally or externally generated :code:`SIGUSR1` signals
> are remapped to :code:`SIGHUP` (restart without persisting state) or
> diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
> index 5aab3e1b7..40984c559 100644
> --- a/src/openvpn/crypto_backend.h
> +++ b/src/openvpn/crypto_backend.h
> @@ -78,6 +78,20 @@ void crypto_clear_error(void);
> /
> void crypto_init_lib_engine(const char engine_name);
> +
> +/
> - - Load the given (OpenSSL) providers
> - - @param provider name of providers to load
> - - @return reference to the loaded provider
> - */
> +provider_t *crypto_load_provider(const char *provider);
> +/**
> - - Unloads the given (OpneSSL) provider
> - - @param provider pointer to the provider to unload
> - /
> +void crypto_unload_provider(const char provname, provider_t *provider);
> #ifdef DMALLOC
> /*
> - OpenSSL memory debugging. If dmalloc debugging is enabled, tell
> diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
> index 08b9e004f..39dbf38a5 100644
> --- a/src/openvpn/crypto_mbedtls.c
> +++ b/src/openvpn/crypto_mbedtls.c
> @@ -69,6 +69,19 @@ crypto_init_lib_engine(const char *engine_name)
> "available");
> }
> +provider_t *crypto_load_provider(const char *provider)
> +{
> - if (provider)
> - {
> - msg(M_WARN, "Note: mbed TLS provider functionality is not available");
> - }
> - return NULL;
> +}
> +void crypto_unload_provider(const char* provname, provider_t provider)
> +{
> +}
> +
> /
> *
> - Functions related to the core crypto library
> diff --git a/src/openvpn/crypto_mbedtls.h b/src/openvpn/crypto_mbedtls.h
> index 019de01d1..758ab1b40 100644
> --- a/src/openvpn/crypto_mbedtls.h
> +++ b/src/openvpn/crypto_mbedtls.h
> @@ -48,6 +48,9 @@ typedef mbedtls_md_context_t md_ctx_t;
> /** Generic HMAC %context. /
> typedef mbedtls_md_context_t hmac_ctx_t;
> +/ Use a dummy type for the provider */
> +typedef void provider_t;
> /** Maximum length of an IV */
> #define OPENVPN_MAX_IV_LENGTH MBEDTLS_MAX_IV_LENGTH
> diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
> index cc1d62210..ab38d6e5c 100644
> --- a/src/openvpn/crypto_openssl.c
> +++ b/src/openvpn/crypto_openssl.c
> @@ -54,6 +54,9 @@
> #if (OPENSSL_VERSION_NUMBER >= 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER)
> #include
> #endif
> +#if OPENSSL_VERSION_NUMBER >= 0x3000L
> +#include
> +#endif
> #if defined(_WIN32) && defined(OPENSSL_NO_EC)
> #error Windows build with OPENSSL_NO_EC: disabling EC key is not supported.
> @@ -149,6 +152,33 @@ crypto_init_lib_engine(const char *engine_name)
> #endif
> }
> +provider_t *
> +crypto_load_provider(const char *provider)
> +{
> +#if OPENSSL_VERSION_NUMBER >= 0x3000L
> - /* Load providers into the default (NULL) library context */
> - OSSL_PROVIDER* prov = OSSL_PROVIDER_load(NULL, provider);
> - if (!prov)
> - {
> - crypto_msg(M_FATAL, "failed to load provider '%s'", provider);
> - }
> - return prov;
> +#else /* OPENSSL_VERSION_NUMBER >= 0x3000L */
> - msg(M_WARN, "No
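Review bot: the generic-options.rst hunk says `Load the : separated list of (OpenSSL) providers` and shows `--provider "legacy:default"`, while the `Patch v4:` note and the commit message's own example (`--provider legacy default`) say providers are now separated by spaces; the documentation and its example must follow the code. In the crypto_backend.h hunk, `(OpneSSL)` is a typo for `(OpenSSL)`, and the doc comment `@param provider name of providers to load` on `crypto_load_provider()` should be singular, since each call loads one provider. The documentation should also say why loading `legacy` is a deliberate choice: OpenSSL 3.0 moved deprecated algorithms out of its default provider, so `legacy` brings them back for the whole process, and `default` has to be listed explicitly next to it (as the example already does) because once any provider is loaded explicitly the default one is no longer loaded implicitly.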
Re: [Openvpn-devel] Start openvpn gui before windows login
Hi

‐‐‐ Original Message ‐‐‐
On Monday, November 15th, 2021 at 13:11, Ruben Herold wrote:

> On Mon, Nov 15, 2021 at 02:45:53PM +0200, Lev Stipakov wrote:
>
> > Are you sure your problem cannot be solved with openvpn service?
> >
> > See, for example,
> > https://openvpn.net/community-resources/running-openvpn-as-a-windows-service/
> >
> > Also this discussion might be relevant:
> > https://github.com/OpenVPN/openvpn-gui/issues/77
>
> We are using user/pass auth against AD and MFA so this is not possible.

You can save user/pass to a text file and have openvpn read it.

Regards
Re: [Openvpn-devel] [PATCH] Log message: Replace NCP ciphers with --data-ciphers (NFC)
Superseded - Due to incorrect option name.

Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐

On Tuesday, November 16th, 2021 at 14:49, Richard T Bonhomme wrote:

> Signed-off-by: Richard T Bonhomme tincant...@protonmail.com > > src/openvpn/options.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/openvpn/options.c b/src/openvpn/options.c > > index 4a5db8a6..7822f21e 100644 > > --- a/src/openvpn/options.c > > +++ b/src/openvpn/options.c > > @@ -3240,7 +3240,7 @@ options_postprocess_mutate(struct options *o) > > o->ncp_ciphers = mutate_ncp_cipher_list(o->ncp_ciphers, &o->gc); > > if (o->ncp_ciphers == NULL) > > { > > > - msg(M_USAGE, "NCP cipher list contains unsupported ciphers or is > too long."); > > > > - msg(M_USAGE, "--data-cipher list contains unsupported ciphers or > is too long."); > > > } > > if (o->remote_list && !o->connection_list) > > -- > > 2.25.1
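Review bot: the replacement message in the options_postprocess_mutate hunk names `--data-cipher`, but the option is `--data-ciphers` (the patch subject itself uses that spelling), so the new line should read `msg(M_USAGE, "--data-ciphers list contains unsupported ciphers or is too long.");`; this is the reason the follow-up marks the patch as superseded. Also, both `msg(M_USAGE, ...)` lines carry a `-` prefix in this copy, so as quoted the hunk removes two lines and adds none, which cannot match the `1 insertion(+), 1 deletion(-)` diffstat; the second line should be a `+` line and the patch should be taken from the original submission rather than this mangled quote.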
Re: [Openvpn-devel] [PATCH] Doc openvpn.8: Add deprecation notice to --compress
Seems I jumped the gun a little..

NACK, --compress is not deprecated in 2.4

Sorry
R

Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐

On Friday, November 26th, 2021 at 14:48, Antonio Quartulli wrote:

> Hi, > > On 26/11/2021 15:43, Richard T Bonhomme wrote: > > > Signed-off-by: Richard T Bonhomme tincant...@protonmail.com > > --- > > > > doc/openvpn.8 | 1 + > > > > 1 file changed, 1 insertion(+) > > > > diff --git a/doc/openvpn.8 b/doc/openvpn.8 > > > > index 598d5fce..dfe0ad10 100644 > > > > --- a/doc/openvpn.8 > > > > +++ b/doc/openvpn.8 > > > > @@ -2501,6 +2501,7 @@ limit repetitive logging of similar message types. > > > > .\"* > > > > .TP > > > > .B \-\-compress [algorithm] > > > > +.B DEPRECATED > > > > Enable a compression algorithm. > > > > The > > We already have this. Against what branch did you create this patch? > > Cheers, > > > > Antonio Quartulli
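Review bot: the inserted `.B DEPRECATED` sits inside the `.TP` body right before `Enable a compression algorithm.`, and since troff fills the paragraph the rendered text becomes `DEPRECATED Enable a compression algorithm.` with nothing separating the notice from the sentence; a short sentence of its own ("This option is deprecated.") or at least trailing punctuation would read better. More importantly, the reply states the target branch already carries this notice and the author's follow-up says --compress is not deprecated in 2.4, so the patch has to be regenerated against the branch it is actually meant for before it can be considered.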
Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.5.5 released
It seems only fair to warn the OpenVPN community that Version 2.5.5 has had bugs identified.

A new release v2.5.6 is planned for the coming week, or so..

Regards

Richard

Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐

On Wednesday, December 15th, 2021 at 09:30, Samuli Seppänen wrote:

> The OpenVPN community project team is proud to release OpenVPN 2.5.5.
>
> The most notable changes are Windows-related: use of CFG
> Spectre-mitigations in MSVC builds, bringing back of OpenSSL config
> loading and several build fixes. More details are available in Changes.rst:
>
> https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst
>
> Source code and Windows installers can be downloaded from our download page:
>
> https://openvpn.net/community-downloads/
>
> Debian and Ubuntu packages are available in the official apt repositories:
>
> https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
>
> On Red Hat derivatives we recommend using the Fedora Copr repository.
>
> https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release/
Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.5.5 released
Seems I was too hasty here.

OpenVPN 2.5.5 is the current release and there are no bugs severe enough to warrant a version 2.5.6, at this time.

Sorry for the confusion.

Regards

Richard

Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐

On Wednesday, December 15th, 2021 at 16:30, tincantech via Openvpn-users wrote:

> It seems only fair to warn the OpenVPN community that Version 2.5.5 has had
> bugs identified.
>
> A new release v2.5.6 is planned for the coming week, or so..
>
> Regards
>
> Richard
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐ Original Message ‐‐‐
>
> On Wednesday, December 15th, 2021 at 09:30, Samuli Seppänen
> sam...@openvpn.net wrote:
>
> > The OpenVPN community project team is proud to release OpenVPN 2.5.5.
> >
> > The most notable changes are Windows-related: use of CFG
> > Spectre-mitigations in MSVC builds, bringing back of OpenSSL config
> > loading and several build fixes. More details are available in Changes.rst:
> >
> > https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst
> >
> > Source code and Windows installers can be downloaded from our download page:
> >
> > https://openvpn.net/community-downloads/
> >
> > Debian and Ubuntu packages are available in the official apt repositories:
> >
> > https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
> >
> > On Red Hat derivatives we recommend using the Fedora Copr repository.
> >
> > https://copr.fedorainfracloud.org/coprs/dsommers/openvpn-release/
Re: [Openvpn-devel] [PATCH] Fix checks of SHA256 in tls-crypt and auth-token
May as well attribute this correctly.

* tincant...@protonmail.com

Protonmail, now so badly mangles mail on reply that I may have to go back to gmail.
Re: [Openvpn-devel] [PATCH] Enablement of quantum-safe key establishment
EasyRSA development is back on-track. Happy to help.

BR

--- Original Message ---

On Monday, March 28th, 2022 at 14:56, Michael Baentsch wrote:

> On 28.03.22 at 13:52 Arne Schwabe wrote:
>
> > Easyrsa has also become a separate project. Development and maintenance
> > of easyrsa have become quite slow in the last years.
Re: [Openvpn-devel] Subject: OpenVPN Client Vulnerability - TLS Key Negotiation Timeout Leading to DoS (Black Box Pentest)
Hi nsh...@gmail.com

It is common procedure to keep security concerns to the security@ mailing list. To have your concerns expertly reviewed, it is advisable to follow standard security and disclosure procedures.

While this thread is, no doubt, amusing .. it is unnecessary noise on this list.

Please ensure that you know who you are sending your emails to, in future.

Peace and light
tct

Sent with Proton Mail secure email.

On Sunday, 17 November 2024 at 03:48, נתי שטרן wrote:

> Hi, I sent the full logs:
>
> On Sunday, 17 November 2024 at 3:03, Johan Draaisma <jo...@openvpn.com> wrote:
>
> > Hello Natanel/Netanel,
> >
> > We still don't see the issue, exponential backoff is how this type of
> > situation is handled in other common protocols too, it is not a security
> > vulnerability. And just in case someone messes with the client side and
> > tries endlessly reconnecting much faster in an attempt to stress the
> > server, we also have other defenses in place.
> >
> > You also appear to be confusing server-side behavior with client-side
> > behavior. What you are writing is that when the client is having a problem
> > with the TLS handshake, the server automatically restarts, as in, the
> > process stops and is restarted. That is simply not true. If it were true it
> > would mean failed TLS handshakes from one client would affect all other
> > connected clients too, and that's something we don't see happening. But if
> > you have proof that says otherwise, show it to us with verbatim log lines,
> > and a way to reproduce it that includes version of client and server
> > software used (and please, supported versions only, not versions from 8
> > years ago), client and server configurations, and the steps to reach this
> > supposedly problematic state. My guess however is that you are
> > misinterpreting the message that the client is going to do a restart of the
> > connection, which would likely be visible in the server logs, and would be
> > expected and normal.
> >
> > Yes, there is theoretical potential to exhaust server resources from
> > repeatedly hammering the server with failing connections, as is the case
> > with many network programs. But we have various defenses in place for that.
> > Currently with the description given I don't believe you have found
> > something that broke through those defenses. But I could be wrong. But if
> > so, I want to see proof, not just a story. You write that the server is
> > automatically restarting in response to multiple failed TLS handshakes.
> > Show us the evidence please.
> >
> > Until then, we don't have anything to go on, sorry.
> >
> > Kind regards,
> > Johan Draaisma
> >
> > On 16-11-2024 17:22, נתי שטרן wrote:
> >
> > > Hi,
> > > it's the same on version 2.6:
> > >
> > > Subject: Possible DoS Vulnerability - OpenVPN Server Showing Repeated TLS
> > > Handshake Failures
> > >
> > > Dear OpenVPN Security Team,
> > >
> > > I am writing to report a potential vulnerability to Denial-of-Service
> > > (DoS) attacks that I have observed in an OpenVPN server's logs. The
> > > server is exhibiting consistent TLS handshake failures, resulting in
> > > repeated process restarts. While the exact cause isn't immediately
> > > apparent, the symptoms strongly suggest a vulnerability to an attack
> > > vector that overwhelms the server with unsuccessful connection attempts.
> > >
> > > The logs demonstrate repeated errors of the form: "TLS key negotiation
> > > failed to occur within 5 seconds (check your network connectivity)" and
> > > "TLS handshake failed," followed by automatic server restarts. The server
> > > appears to be attempting to mitigate by increasing the restart delay with
> > > each failure, but this is only a temporary workaround, and the underlying
> > > issue persists.
> > >
> > > The observed behavior is highly suggestive of a DoS attack, where an
> > > attacker is attempting to exhaust server resources by triggering multiple
> > > failed TLS handshakes. This, along with the server automatically
> > > restarting in response, suggests a DoS mitigation procedure is in place
> > > that can only temporarily avoid service outages.
> > >
> > > While I do not have direct access to the server configuration or the full
> > > scope of logs, I believe the behavior described poses a significant
> > > security risk. I have attached the partial log file demonstrating the
> > > repeated errors.
> > >
> > > I would greatly appreciate it if you could investigate this potential
> > > vulnerability and provide any guidance or recommendations for
> > > strengthening the server's resilience against this type of attack. If
> > > further information is needed, please do not hesitate to ask.
> > >
> > > Sincerely,
> > >
> > > Netanel
> > >
> > > On Friday, 15 November 2024 at 17:30, Arne Schwabe
> > > <a...@rfc2549