On 01.04.21 at 15:13, Arne Schwabe wrote:
> Using OpenVPN without P2MP support (pull, TLS) is unrealistic and
> building a binary without it is not something we realistically want
> to support anyway.
> }
> +/* Check if we have forbidding options in the current mode */
> +if (dco_ena
Acked-by: Gert Doering
Moved and compacted somewhat, but "the same functions".
Having a "proto_is_dgram()" sounds a bit silly since we're not doing
"openvpn over IPX" or anything other dgram based, but who knows... maybe
we'll grow IPX/SPX support and "proto_is_stream()" one day... :-)
Client-s
Acked-by: Gert Doering
"git grep" confirms.
Your patch has been applied to the master branch.
commit 9eb285f42f73bcfb270adbae527947951615df7d
Author: Arne Schwabe
Date: Thu Apr 1 15:13:28 2021 +0200
Remove unused variable pass_config_info
Signed-off-by: Arne Schwabe
Acked-by
Acked-by: Gert Doering
"git grep" confirms
Your patch has been applied to the master branch.
commit c0b36e9f29c9849892909a7e377e13db6aa59f95
Author: Arne Schwabe
Date: Thu Apr 1 15:13:31 2021 +0200
Remove unused function tls_test_auth_deferred_interval
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
As far as I can see, only Linux uses txqueuelen at all, and that one
still compiles with this patch applied. Out it goes!
Your patch has been applied to the master branch.
commit 3667df1d668420374d91607685b67a0efbcee328
Author: Arne Schwabe
Date: Thu Apr 1 15:13:30 202
Acked-by: Gert Doering
.. indeed!
Your patch has been applied to the master branch.
commit 14061e3e06075065fba1939d3716fbd09f9adf70
Author: Arne Schwabe
Date: Thu Apr 1 15:13:29 2021 +0200
Remove pointless tun_adjust_frame_parameters function
Signed-off-by: Arne Schwabe
Acke
Acked-by: Gert Doering
I was a bit worried about this breaking existing setups, and then
Arne remarked that "this is dead code anyway" - it is only compiled if
built with --disable-lz4, which we do for testing on some buildbots,
but not for production builds. So, ripping out dead code is not goi
Acked-by: Gert Doering
"Because it makes sense". There's no threads here, and with DCO and
all the asyncness, there might never be... so, admit that fact :-)
Lightly client-side tested on linux.
Your patch has been applied to the master branch.
commit bdc11ae462d61f0cdee5f539c7f028f58513a914
Acked-by: Gert Doering
Totally untested, but stared-at-code for a bit. (This will increase
binary for "no management" by some 10-20 bytes, but makes the code
easier to understand by not getting distracted by #ifdefs all over
the place).
Your patch has been applied to the master branch.
commit
Signed-off-by: Arne Schwabe
---
src/openvpn/forward.c | 3 ++-
src/openvpn/openvpn.h | 12 +++-
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 6f7a50048..98caf6651 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/fo
This makes multi_get_create_instance_udp a bit shorter and better
structured and also prepares this method to be called from the
multi TCP context with DCO which will also need to assign unique peer
ids to instances.
Signed-off-by: Arne Schwabe
---
src/openvpn/mudp.c | 20 +---
The variables are not used without the configured options but the
ifdef around them does not help readability either.
Signed-off-by: Arne Schwabe
---
src/openvpn/mtcp.c| 5 -
src/openvpn/mudp.c| 2 --
src/openvpn/openvpn.h | 4
3 files changed, 11 deletions(-)
diff --git a/src/
These functions seem to serve no purpose other than to add confusion.
Signed-off-by: Arne Schwabe
---
src/openvpn/init.c | 2 +-
src/openvpn/tun.h | 10 --
2 files changed, 1 insertion(+), 11 deletions(-)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 1a6015452..f0ae0b7f1 1
This adds the fd to the epoll event error message and the x_check_status
message. This helps debugging when things go wrong with event handling.
Also add logging when ep_del fails to remove a socket from the structure.
In contrast to ep_ctl that has this as a FATAL message (M_ERR), we only
log here
These two functions basically just pass a number of fields of context to
the linit_socket_init1/2 functions. This wrapper adds little to no value
in understanding the code, especially since the linit_socket_init1 will
just copy them to yet another structure.
Remove these wrapper functions and pass c
This also eliminates the confusing name and eliminates
tunnel_server_udp as wrapper that only calls
tunnel_server_udp_single_threaded
Signed-off-by: Arne Schwabe
---
doc/doxygen/doc_eventloop.h| 2 +-
doc/doxygen/doc_tunnel_state.h | 2 +-
src/openvpn/mudp.c | 21 ++
These are a number of patches that do various cleanups that
I did as part of implementing DCO but are good on their own.
Arne Schwabe (14):
Remove code for aligning non-swapped compression
Remove superfluous ifdefs around enum like defines
Rename tunnel_server_udp_single_threaded to tunnel_se
This is a leftover of a never functional multi threaded openvpn
implementation attempt. It serves no purpose anymore.
Signed-off-by: Arne Schwabe
---
src/openvpn/mtcp.c | 2 +-
src/openvpn/mudp.c | 2 +-
src/openvpn/multi.c | 67 +++--
src/openvpn/multi
These functions are small enough to be inlined and also avoid
dependency on socket.c from unit_tests using those functions.
Signed-off-by: Arne Schwabe
---
src/openvpn/socket.c | 36 ---
src/openvpn/socket.h | 50 +---
2 files
Using OpenVPN without P2MP support (pull, TLS) is unrealistic and
building a binary without it is not something we realistically want
to support anyway.
Signed-off-by: Arne Schwabe
---
src/compat/compat-gettimeofday.c | 2 +-
src/openvpn/forward.c| 23 ++---
src/openvpn/forw
This function appears to be completely unused and has not been touched
since 2008.
Signed-off-by: Arne Schwabe
---
src/openvpn/ssl.h | 11 ---
1 file changed, 11 deletions(-)
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index 8c8cbe028..300a70d35 100644
--- a/src/openvpn/ssl.h
+++ b/
Signed-off-by: Arne Schwabe
---
src/openvpn/ssl_common.h | 4
1 file changed, 4 deletions(-)
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 4e1ff6c84..18bce403a 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -293,10 +293,6 @@ struct tls_optio
The code uses tuntap->options.txqueuelen instead.
Signed-off-by: Arne Schwabe
---
src/openvpn/tun.h | 3 ---
1 file changed, 3 deletions(-)
diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h
index 7e8fb7647..60ebfdcba 100644
--- a/src/openvpn/tun.h
+++ b/src/openvpn/tun.h
@@ -165,9 +165,6 @@ st
This is an optimisation for memory alignment for lzo. Compression is
deprecated so this optimisation is not very important anymore.
Furthermore it is conditionally compiled on !defined(ENABLE_LZ4), which
makes the code not compiled in by default anyway.
Signed-off-by: Arne Schwabe
---
src/openv
On 01.04.21 at 14:37, Gert Doering wrote:
> Hi,
>
> On Thu, Apr 01, 2021 at 02:16:25PM +0200, Antonio Quartulli wrote:
>>> (Of course it makes lots of sense to defer this to iptables etc. on
>>> all platforms that have DCO *and* a reasonable firewall layer... dco-win
>>> will be interesting)
>>
>
Hi,
On 01/04/2021 14:37, Gert Doering wrote:
> Which is actually interesting for mssfix, as that is "on by default",
> so "all configs are incompatible with DCO", by that definition :-)
hehe Arne can confirm, but I think defaults are adapted to what DCO
expects, so mssfix is just disabled by defa
This option has been deprecated in OpenVPN 2.4 and the ciphers that allow
using this option all fall into the SWEET32 category of ciphers with
64 bit block size.
Patch V2: Remove superfluous check in OpenSSL codepath to check keysize
Signed-off-by: Arne Schwabe
---
config-msvc.h|
Hi,
On Thu, Apr 01, 2021 at 02:16:25PM +0200, Antonio Quartulli wrote:
> > (Of course it makes lots of sense to defer this to iptables etc. on
> > all platforms that have DCO *and* a reasonable firewall layer... dco-win
> > will be interesting)
>
> Features that are not compatible with DCO are be
Hi,
On 01/04/2021 14:10, Gert Doering wrote:
> Hi,
>
> On Thu, Apr 01, 2021 at 12:47:46PM +0200, Arne Schwabe wrote:
>> In your dco to dco setup you probably
>> don't have mssfix on either side unless you explicitly added iptables
>> rules for that.
>
> Ah, this is interesting and needs to be do
Hi,
On Thu, Apr 01, 2021 at 12:47:46PM +0200, Arne Schwabe wrote:
> In your dco to dco setup you probably
> don't have mssfix on either side unless you explicitly added iptables
> rules for that.
Ah, this is interesting and needs to be documented - "if you want feature
, , together with DCO, it
Renegotiations have been troublesome in the past and also the recent OpenSSL
security problem (CVE-2021-3449) is only exploitable if TLS renegotiation
is enabled.
mbed TLS disables it by default and says in the documentation:
Warning: It is recommended to always disable renegotiation unless you kn
On 01.04.21 at 04:38, Tony He wrote:
> Hi Antonio, Arne,
>
> According to the dump, this issue is caused by fragment. If I set
> link-mtu to 1472 in the condition of encryption "none", it's gone.
> I also can reproduce the fragment in my Linux x86-64 PC and Linux VM .
> They use kernel 5.4. Fragm
On 31.03.21 at 20:03, Max Fillinger wrote:
> From: Steffan Karger
>
> To improve the control channel performance under packet loss conditions,
> add a more aggressive retransmit policy similar to what many TCP
> implementations do: retransmit a packet if the ACK timeout expires (like
> we alread
Patch has been applied to the master branch.
commit 997b006a266145c2797f7625eccb6f3623b7a59c
Author: Gert Doering
Date: Thu Apr 1 10:29:34 2021 +0200
Get rid of last PLUGIN_DEF_AUTH #ifdef
Signed-off-by: Gert Doering
Acked-by: Antonio Quartulli
Message-Id: <20210401082934
Hi,
On 01/04/2021 10:29, Gert Doering wrote:
> Commit 99d217b200 attempted to get rid of all #ifdef related to
> --disable-def-auth but one of them managed to hide. Remove.
>
> The effect of this is that the "openvpn_acf_...tmp" files do not get
> removed when an async auth plugin is in use.
Commit 99d217b200 attempted to get rid of all #ifdef related to
--disable-def-auth but one of them managed to hide. Remove.
The effect of this is that the "openvpn_acf_...tmp" files do not get
removed when an async auth plugin is in use. This can
get very annoying on a busy server.
Trac:
Hi,
On Mon, Mar 22, 2021 at 09:43:31AM +0100, Gert Doering wrote:
> commit 24596b258aa3a removed the bundled compat-lz4 from OpenVPN, thus
> breaking windows/nsis builds with default config ("--enable-lz4").
>
> Add download URLs and build invocation. Since LZ4 has no "configure"
> script, we pa
Thanks!
Your patch has been applied with commit id:
0048aac81c3e4dc3046121a7124da77233656e99
Regards,
On 01/04/2021 08:44, Tony He wrote:
> Actually we cannot set two options at the same time.
> Old code:
>
> setsockopt(s, SOL_SOCKET, SO_REUSEADDR | SO_REUSEPORT, &opt, sizeof(opt))
>
> If you
On 01/04/2021 09:07, Antonio Quartulli wrote:
> Tony, in the meantime, setting the link-mtu to something lower than 1500
> is the proper workaround.
Sorry I take this last sentence back.
What I was talking about all along was the "tun-mtu".
To fix the MTU issue when there is encapsulation, it's
Hi,
Thanks for providing the info.
On 01/04/2021 09:01, Tony He wrote:
> % ifconfig ovpn-dco0
> ovpn-dco0: flags=81 mtu 1500
> % ifconfig ovpn-dco0
> ovpn-dco0: flags=81 mtu 1500
These values are not what ovpn-dco would set by default.
> log from openvpn client:
> 2021-04-01 14:57:31 net_if
sorry, update transport interface.
% ifconfig enx00e04c680a44
enx00e04c680a44: flags=4163 mtu 1500
inet 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::ec9b:2258:82ec:3cdb prefixlen 64 scopeid 0x20
ether 00:e0:4c:68:0a:44 txqueuelen 1000 (Ether
Antonio Quartulli wrote on Thu, Apr 1, 2021 at 2:35 PM:
> Hi Tony,
>
> On 01/04/2021 04:38, Tony He wrote:
> > Hi Antonio, Arne,
> >
> > According to the dump, this issue is caused by fragment. If I set
> > link-mtu to 1472 in the condition of encryption "none", it's gone.
> > I also can reproduce the fragment