IPv6 pools without
relying on an IPv4 pool assignment.
Signed-off-by: Josh Cepek
---
doc/openvpn.8 | 5 +
src/openvpn/multi.c | 2 +-
2 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index f2911c0..e9d8700 100644
--- a/doc/openvpn.8
+++ b/doc
First, an overview of IPv6 pool and CIDR handling.
The handling of the --ifconfig-ipv6-pool `bits` CIDR netmask value seems to
need adjustment. Today, if this value does not exactly match the same CIDR
mask applied to --ifconfig-ipv6, client connectivity breaks in odd ways.
I am proposing that w
will
out of convention, but since an --ifconfig-ipv6-push can supply
arbitrary values, this should again be available to scripts wishing to
take advantage of it.
This fixes #230.
Signed-off-by: Josh Cepek
From 257c18edbe0c0b194f1130a842bc9306c1baee75 Mon Sep 17 00:00:00 2001
From: Josh Ce
he token?
3) How does a signed certificate get loaded back onto your token?
Remember that in the easy-rsa v3 model, it is more likely that the
request is sent to a separate CA for signing, which means this may be a
logically separate step.
Thanks for the interest!
--
Josh C
l goal for 3.1 for improved flexibility.
In light of the complexity involved with external tokens, I don't think
PKCS#11 makes sense to ship with 3.0, but as distro-specific additions
for a 3.1 release. This too will be made clear in the documentation.
--
Josh Cepek
'd rather see a pkcs11 frontend script that
is targeted to each platform, and envision this as a 3.1 release target
feature.
--
Josh Cepek
ACK. This makes the sample addressing match RFC3849 recommendations.
--
Josh Cepek
On 11/16/13 11:53, Gert Doering wrote:
> IPv6 documentation prefix is 2001:db*8*:: (not :dba:), and the second
> test stanza variables need to end in _2, of
When used with PolarSSL, OpenVPN requires a library version 1.2.x (and
not later.)
The attached patch fixes bug#343.
--
Josh Cepek
This patch adds automatic UAC elevation prompting for privileged users.
(signed patch attached)
--
Josh Cepek
-complete `--build-depcache`
..and then pass --use-depcache to build-complete on future runs.
--
Josh Cepek
ACK on this; a local build checks out with all sorts of creative UTF-8
device names I threw at it, including ones with spaces too.
--
Josh Cepek
On 10/15/13 04:23, Heiko Hund wrote:
> Currently the TAP adapter name is fetched as an OEM str
From 2b4a3b819ee2dd3d1bf1326d17b7baf8bfbf6f38 Mon Sep 17 00:00:00 2001
From: Josh Cepek
List-Post: openvpn-devel@lists.sourceforge.net
Date: Sun, 15 Sep 2013 05:12:11 -0500
Subject: [PATCH] Fix file access checks when using --chroot
This fixes bug #33
ature.
--
Josh Cepek
tand what the real problem here is.
I suspect the impact of places this will break is limited to _very_ old
server setups where they should really either upgrade their server, or
simply continue using an old client that continues to speak ancient
OpenSSL if that's "not possible."
d probably do
so as well. The code as I see will simply "not offer" this feature when
info.proto == PROTO_UDPv6, but then we need to document the distinction.
This is probably less important to address now; let's first see if the
rest of us can figure out what this feature's use-case is.
Thanks,
--
Josh Cepek
oblem for you or an archiving service (sf.net,
gmane, etc) I'd like to know about it.
--
Josh Cepek
From 24be21ea2f1d02631685a0a11bf187372cf10fa4 Mon Sep 17 00:00:00 2001
From: Josh Cepek
List-Post: openvpn-devel@lists.sourceforge.net
Date: Wed, 21 Aug 2013 16:20:30 -0500
Subject: [PATCH]
I've recently done a complete re-write of the Easy-RSA codebase and have
a beta-release (currently beta-2) available at the following project
homepage:
http://pekster.sdf.org/code/projects/easyrsa3.html
This beta is open for comment and suggestions. Still on the TODO list is
integration for P
On 5/31/2013 12:10, Dash Four wrote:
> Anyone care to clarify this?
You didn't get a reply before because the openvpn-devel list is for
development of openvpn, not support for openvpn. If you're not
submitting a source patch or discussing programming practices, you
usually get ignored. Please dire
ould probably be moved
to a better location; it sounds like that's already in the works for a
future changeset (and not required to fix this crash.)
--
Josh Cepek
Console applications under Windows, such as batch scripts, require the
CREATE_NO_WINDOW process flag when run without an actual console window
present. This change allows such scripts to execute and impact the hook
status by way of their return code.
Fixes bug #240.
Signed-off-by: Josh Cepek
This fix adds support for using tcp6 as a proto in server or non-P2MP
modes, resolving a failed ASSERT in such cases.
Signed-off-by: Josh Cepek
---
src/openvpn/options.c | 4
1 file changed, 4 insertions(+)
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 05c6da2..c86f795
On 3/26/2013 11:09, Gert Doering wrote:
> This basically brings back the previously-working metric setting for
> directly connected routes (add a "0" to the "route add" command) on
> Solaris/OpenSolaris. It was working in f0eac1a59790, and got broken
> by the route.c/route.h refactoring in 576dc96
ved another byte removing the comma.
Updated patch attached.
--
Josh
From d41a0237220f2fea6647a508a2ab07263e0f160b Mon Sep 17 00:00:00 2001
From: Josh Cepek
List-Post: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Mar 2013 22:52:12 -0500
Subject: [PATCH] Warn when using verb levels >=
message output code is omitted when built with
enable_debug=yes or enable_small=yes.
Signed-off-by: Josh Cepek
---
src/openvpn/options.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 2eb4f91..7f8940c 100644
--- a/src/openvpn/options.c
The patch is attached; a summary, and mitigating build suggestion follows:
The current official Windows builds of 2.3.0 up to I004 are built
enable_debug=no; I'm not sure about the repo builds since I build from source
on my non-Windows systems, but the same issue is present when lacking debug
sup
The Windows installer for 2.3 (both 32 and 64-bit versions) no longer installs
the TAP-Win32 utility scripts by default (addtap.bat & deltapall.bat.) These
scripts are required for end-users to manage TAP adapters, and specifically to
install more than 1 adapter if use of multiple VPNs is required.
Josh Cepek wrote:
Assuming I have read the source correctly, it seems to me that the
packet could be dropped (probably with an associated error to the log)
rather than using an ASSERT() call. This way malformed data from
internal clients behind a VPN peer won't bring down the VPN.
This message was based on a reply I made to the openvpn-users list with
some additional details of interest to developers. I apologize for any
confusion cross-posting this might cause, but feel the analysis of this
from a development perspective didn't really belong in the users list.
The ori
Sistemas wrote:
Hi:
I've a problem that I could not find using Google nor openvpn-user mailing
list. I've revoked a client certificate using revoke-full:
$ revoke-full fjr001
Using configuration from /home/sistemas/easy-rsa-2.0/openssl.cnf
Adding Entry with serial number 02 to DB
for /C=ES/S
R Mullen wrote:
Hello,
There's a hardcoded size limit in pool.h when assigning the netmask to
your VPN. It only allows you to have /16 networks or smaller, and I
think this should be increased to /8 so that you can use the whole
10.0.0.0/8 subnet as described by RFC 1918 concerning dedicated
pri
Under Windows, when run_up_down() from misc.c executes the --up script,
the position of the parameters depends on the device name of the tun/tap
adapter. For example, a default installation creates a device that may
be called "Local Area Connection 2" (number varies), but this device
name isn'
32 matches