No DNS resolver currently supports this and it is not possible to
emulate the behavior without the chance of errors. Finding the
effective default system DNS server(s) to specify the exclude
DNS routes is not trivial and cannot be verified to be correct
without resolver internal knowledge. So, it i
Signed-off-by: Heiko Hund
---
doc/man-sections/client-options.rst | 7 +--
src/openvpn/dns.c | 70 -
src/openvpn/dns.h | 19 +---
src/openvpn/options.c | 30 +++--
4 files changed, 72 insertions(+), 54 dele
OpenSSL only supports SIPHASH with OpenSSL 3.1 and newer. The source code of
siphash is quite small and has a very liberal CC0 license, so include it instead
of pulling an extra library for it.
Change-Id: I1292894fe7f537049a97bee97af4419e5e854a00
Signed-off-by: Arne Schwabe
---
src/openvpn/siphash
When an OpenVPN server is used/tried to be used in a reflection attack
the protection with the simple --connect-freq-initial also blocks legitimate
clients from other networks that are not attacked by a reflection attack.
To allow a server to still reply to these clients, we need to make the counts
OpenSSL library is significantly faster than the reference implementation
(almost 2x). Prefer using this when available. The API for using the SIPHASH
MAC is different enough from using normal HMAC or Digest that we already
implement that combining them into one API does not make sense.
Change-Id: