> You can break this with something like:
>
> status /etc/openvpn/client/status.log
>
> in your configuration. Writing a status file
> to /run/openvpn-{client,server}/status.log works, though. So the default
> setups should be fine. Do we have any more cases where openvpn wants write
> access for
On 10/12/16 00:19, Christian Hesse wrote:
> From: Christian Hesse
>
> sd_notify() uses a socket to communicate with systemd. Communication
> fails if the socket is not available within the chroot. So bind mount
> the socket into the chroot when started from systemd.
>
> Unsharing namespace and m
David Sommerseth on Fri, 2016/12/09 23:40:
> On 09/12/16 22:54, Christian Hesse wrote:
> > David Sommerseth on Fri, 2016/12/09 22:37:
> >> On 29/11/16 12:07, Christian Hesse wrote:
> >>> From: Christian Hesse
> >>>
> >>> Drop --with-plugindir, instead use an environment variable PLUGINDI
From: Christian Hesse
sd_notify() uses a socket to communicate with systemd. Communication
fails if the socket is not available within the chroot. So bind mount
the socket into the chroot when started from systemd.
Unsharing namespace and mounting requires extra capability CAP_SYS_ADMIN.
Signed
On 09/12/16 22:54, Christian Hesse wrote:
> David Sommerseth on Fri, 2016/12/09 22:37:
>> On 29/11/16 12:07, Christian Hesse wrote:
>>> From: Christian Hesse
>>>
>>> Drop --with-plugindir, instead use an environment variable PLUGINDIR
>>> to specify the plugin directory.
>>>
>>> This always defin
David Sommerseth on Fri, 2016/12/09 22:37:
> On 29/11/16 12:07, Christian Hesse wrote:
> > From: Christian Hesse
> >
> > Drop --with-plugindir, instead use an environment variable PLUGINDIR
> > to specify the plugin directory.
> >
> > This always defines PLUGIN_LIBDIR and enables plugin search
David Sommerseth on Fri, 2016/12/09 20:42:
> On 09/12/16 19:13, Christian Hesse wrote:
> > From: Christian Hesse
> >
> > ProtectSystem=strict mounts the entire file system hierarchy read-only,
> > except for the API file system subtrees /dev, /proc and /sys (which can
> > be protected using Priv
On Fri, Dec 9, 2016 at 4:39 PM, David Sommerseth <open...@sf.lists.topphemmelig.net> wrote:
> On 09/12/16 22:27, Steffan Karger wrote:
> >
> > Sounds like we have a final config on the CodeStyle page now. Are we
> > ready to run it on all code now, and publish a reformat branch?
> >
>
> Agreed.
Your patch has been applied to the master branch
commit 65140a3acfa42e5d42cdfcf8108f00a62d5767ff
Author: David Sommerseth
Date: Wed Dec 7 03:51:52 2016 +0100
systemd: Intermediate --chroot fix with the new sd_notify() implementation
Sign
On 09/12/16 22:27, Steffan Karger wrote:
>
> Sounds like we have a final config on the CodeStyle page now. Are we
> ready to run it on all code now, and publish a reformat branch?
>
Agreed. I can do this later this night.
--
kind regards,
David Sommerseth
OpenVPN Technologies, Inc
sign
On 29/11/16 12:07, Christian Hesse wrote:
> From: Christian Hesse
>
> Drop --with-plugindir, instead use an environment variable PLUGINDIR
> to specify the plugin directory.
>
> This always defines PLUGIN_LIBDIR and enables plugin search path.
>
> Signed-off-by: Christian Hesse
> ---
> config
On 9 December 2016 at 21:43, Selva Nair wrote:
> On Fri, Dec 9, 2016 at 8:41 AM, Steffan Karger wrote:
>> On 9 December 2016 at 00:14, David Sommerseth wrote:
>> > I just spotted in ssl.c that we need sp_assign=add.
>> >
>> > [ ssl.c, tls1_PRF() ]
>> > len = slen/2;
>> > S1 = sec;
>>
On Fri, Dec 9, 2016 at 8:41 AM, Steffan Karger wrote:
>
> On 9 December 2016 at 00:14, David Sommerseth wrote:
> > I just spotted in ssl.c that we need sp_assign=add.
> >
> > [ ssl.c, tls1_PRF() ]
> > len = slen/2;
> > S1 = sec;
> > S2 = &(sec[len]);
> > len += (slen&1); /* add
On 09/12/16 18:59, Christian Hesse wrote:
> Christian Hesse on Fri, 2016/12/09 18:37:
>> David Sommerseth on Wed, 2016/12/07 03:51:
>>> Commit c5931897ae8d663e7e introduced support for talking directly
>>> to the systemd service manager about the situation for the OpenVPN
>>> tunnel. This approac
On 09/12/16 19:13, Christian Hesse wrote:
> From: Christian Hesse
>
> ProtectSystem=strict mounts the entire file system hierarchy read-only,
> except for the API file system subtrees /dev, /proc and /sys (which can
> be protected using PrivateDevices=, ProtectKernelTunables=,
> ProtectControlGro
On 9 Dec 2016 at 22:40, user "Selva Nair" wrote:
Hi,
A comment on the GUI github page said:
"For ISO27001 certification, we are not allowed to let users save their VPN
passwords locally. Is there a way to remove or disable the 'save password'
box upon authentication ?"
Although I sugge
From: Christian Hesse
ProtectSystem=strict mounts the entire file system hierarchy read-only,
except for the API file system subtrees /dev, /proc and /sys (which can
be protected using PrivateDevices=, ProtectKernelTunables=,
ProtectControlGroups=).
ProtectHome=true makes the directories /home,
Christian Hesse on Fri, 2016/12/09 18:37:
> David Sommerseth on Wed, 2016/12/07 03:51:
> > Commit c5931897ae8d663e7e introduced support for talking directly
> > to the systemd service manager about the situation for the OpenVPN
> > tunnel. This approach makes a lot of sense and is mostly the prop
Hi,
A comment on the GUI github page said:
"For ISO27001 certification, we are not allowed to let users save their VPN
passwords locally. Is there a way to remove or disable the 'save password'
box upon authentication ?"
Although I suggested to use an up script to delete the saved password, the
David Sommerseth on Wed, 2016/12/07 03:51:
> Commit c5931897ae8d663e7e introduced support for talking directly
> to the systemd service manager about the situation for the OpenVPN
> tunnel. This approach makes a lot of sense and is mostly the proper
> way to do it. But it was discovered that it b
Your patch has been applied to the master branch. Thanks.
I have not changed the #include formatting, as The Great Reformatting
will catch it anyway.
commit c00919e8bd6a4e36d9fa009f3b1a93b262a59fc6
Author: Magnus Kroken
Date: Fri Dec 9 10:07:35 2016 +0100
mbedtls: include correct net/net
This adds a warning to the log file if --topology is configured to use
subnet or net30 and the 'subnet mask' argument of an --ifconfig-push option
is not a subnet mask.
v2 - Make use of ifconfig_sanity_check() in tun.c instead of doing the exact
same check and warning in prepare_push_reply()
- Extend ifconfig_sanity_check() to know which context it is called from,
if it is used to check --ifconfig or --ifconfig-push
- Improve error messages to also report erroneous IP address usage when
being in TOP_SUBNET
- Improve the TAP check too, providing the IP address used instead of the
This patch set is combining two separate mail threads [1] [2] as they are
related.
These patches have also been rearranged, where the first patch adds the generic
improvements and prepares for the push.c update which is in the second patch.
These patches combined will resolve the issue reported
Hi,
On 9 December 2016 at 00:14, David Sommerseth wrote:
> I just spotted in ssl.c that we need sp_assign=add.
>
> [ ssl.c, tls1_PRF() ]
> len = slen/2;
> S1 = sec;
> S2 = &(sec[len]);
> len += (slen&1); /* add for odd, make longer */
>
> I believe we've agreed on spaces around as
Hi,
On 9 December 2016 at 10:07, Magnus Kroken wrote:
> is deprecated as of mbedTLS 2.4.0, it is renamed
> . OpenVPN will fail to build with
> mbedTLS 2.4.0 with MBEDTLS_DEPRECATED_REMOVED defined.
>
> Check MBEDTLS_VERSION_NUMBER, and include net.h for < 2.4.0 and
> net_sockets.h for >= 2.4.0.
Without this commit, if the remote host cannot be reached, we get stuck in a loop
trying to connect and we cannot reload a new configuration using SIGHUP.
In this case, the only way to reload the configuration is to kill and relaunch
the daemon.
With this commit, the following use case can be done:
- Set
Hi,
On Fri, Dec 09, 2016 at 08:24:24AM -0500, Selva Nair wrote:
> On Fri, Dec 9, 2016 at 2:42 AM, Gert Doering wrote:
>
> > if (a>0)
> > { do_this(); }
> > else
> > { do_that(); }
> >
>
> In such cases I would normally skip all braces, in spite of all the
> arguments against it...
On Fri, Dec 9, 2016 at 2:42 AM, Gert Doering wrote:
> if (a>0)
> { do_this(); }
> else
> { do_that(); }
>
In such cases I would normally skip all braces, in spite of all the
arguments against it... But that's just me.
That said the proposed re-formatting looks super good to me and
Without this commit, if the remote host cannot be reached, we get stuck in a loop
trying to connect and we cannot reload a new configuration using SIGHUP.
In this case, the only way to reload the configuration is to kill and relaunch
the daemon.
With this commit, the following use case can be done:
- Set
On 09/12/16 09:15, Gert Doering wrote:
> Hi,
>
> On Fri, Dec 09, 2016 at 03:52:32AM +0100, David Sommerseth wrote:
>> - Instead of checking the complete in_addr_t (which lacked proper htonl()),
>> just do a simple peek at the last byte which contains the first octet
>> of an IP address or subn
On 09/11/16 09:51 PM, Gert Doering wrote:
> Hi,
>
> as you might know, we try to build everything we commit to git on all
> supported platforms (using buildbot). This works quite well and has
> helped us keep things consistently working across all platforms, at least
> as far as we have tests for
--
Kind regards,
Alexander Pyhalov,
programmer, Telecommunications Infrastructure Department,
Information and Communication Infrastructure Administration, Southern Federal University (ЮФУ)
From 971d1d5e66ba714fc8f74b8da0672e7da47dc557 Mon Sep 17 00:00:00 2001
From: Alexander Pyhalov
Date: Fri, 9 Dec 2016 13:16:01 +0300
Subject: [PA
This is a patch against release/2.3 branch.
--
Kind regards,
Alexander Pyhalov,
programmer, Telecommunications Infrastructure Department,
Information and Communication Infrastructure Administration, Southern Federal University (ЮФУ)
From 4dfe7d9740b2a96a8dbd5f74d43408582ebc9403 Mon Sep 17 00:00:00 2001
From: Alexander Pyhalov
Date:
is deprecated as of mbedTLS 2.4.0, it is renamed
. OpenVPN will fail to build with
mbedTLS 2.4.0 with MBEDTLS_DEPRECATED_REMOVED defined.
Check MBEDTLS_VERSION_NUMBER, and include net.h for < 2.4.0 and
net_sockets.h for >= 2.4.0.
Signed-off-by: Magnus Kroken
---
Tested, building with both mbedTL
Hi,
On Fri, Dec 09, 2016 at 09:13:19AM +0100, Gert Doering wrote:
> ... ifconfig_sanity_check() does *nothing* for TOP_SUBNET
Overlooked the second patch (since it wasn't threaded). So with the other
patch, that argument is no longer valid, of course. Apologies.
[..]
> Also we might to re-thi
Hi,
On Fri, Dec 09, 2016 at 03:52:32AM +0100, David Sommerseth wrote:
> - Instead of checking the complete in_addr_t (which lacked proper htonl()),
> just do a simple peek at the last byte which contains the first octet
> of an IP address or subnet mask.
Have you *tested* this on a non-intel
Hi,
On Fri, Dec 09, 2016 at 03:50:48AM +0100, David Sommerseth wrote:
> This adds a warning to the log file if --topology is configured to use
> subnet or net30 and the 'subnet mask' argument of an --ifconfig-push option
> is not a subnet mask.
>
> v2 - Make use of ifconfig_sanity_check() in tun