[Openvpn-devel] certificate key usage in openvpn

2012-03-25 Thread Mr Dash Four
Looking at the openvpn manual, the predefined certificate key usage for clients is "digitalSignature and/or keyAgreement" (or "80 08 88"). The same for the server is "digitalSignature and ( keyEncipherment or keyAgreement )" - "a0 88". According to Section 4.2.1.3 of RFC3280, the certificate k

Re: [Openvpn-devel] two tls-auth questions

2012-03-23 Thread Mr Dash Four
Is there a way to generate a symmetric ta.key without using "openvpn --genkey --secret ta.key"? yep, just use any freeform key that has enough entropy. For example, this ta.key file is good enough ]# cat mykey garble warble we need lots of entropy So, in theory, I could use, for example, o

[Openvpn-devel] two tls-auth questions

2012-03-23 Thread Mr Dash Four
Is there a way to generate a symmetric ta.key without using "openvpn --genkey --secret ta.key"? Is it possible to embed the contents of the above file in my openvpn config file in a similar fashion as it is done with the tag for example? If so, what tag should I use for this?

Re: [Openvpn-devel] [PATCH 35/52] build: proper selinux detection and usage

2012-03-16 Thread Mr Dash Four
However, from my experience it is not needed, people are most capable of managing this without creating noise. On the contrary, displaying meaningful error messages from configure is *never* a "noise". As Fabian pointed out - quite rightly - if make fails due to wrong/incorrect/missing depend

Re: [Openvpn-devel] [PATCH 35/52] build: proper selinux detection and usage

2012-03-16 Thread Mr Dash Four
Are you referring to the configure code? I might be missing something obvious, but AC_CHECK_LIB([selinux], [setcon], [SELINUX_LIBS="-lselinux"]) versus AC_CHECK_HEADER([selinux/selinux.h], [ AC_CHECK_LIB([selinux], [setcon], [SELINUX_LIBS="-lselinux"], [AC_MSG_RESULT([SELinux libr

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-03-02 Thread Mr Dash Four
I've used "--route-nopull" together with specific "--route" statements to work around VPN setups that didn't work under specific circumstances (the server pushes a heap of routes, some of which caused problems in my setup [*], and I only wanted to reach a specific subnet via the VPN). +1 I'

Re: [Openvpn-devel] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Mr Dash Four
For the plug-in API ... look at openvpn-plugin.h ... look for openvpn_plugin_*_v3. Especially openvpn_plugin_open_v3() and openvpn_plugin_func_v3(). In fact, most of the openvpn-plugin.h is a pretty comprehensive reference for the plugin API. For a working example, look at plugin/examples/log

Re: [Openvpn-devel] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Mr Dash Four
The one-to-one NAT feature seems to be described on the man-page in the "--client-nat" section. The new management features are James' handiwork, so they're probably described here: If not, then

Re: [Openvpn-devel] [Openvpn-users] OpenVPN 2.3-alpha1 released

2012-02-29 Thread Mr Dash Four
I disagree, open source project is not different than any other software project. OK, I'll bite. I disagree with the above entirely. Open-source project *is* different "from any other project" - vastly so - not least because it is open for scrutiny by the whole community, not just individ

Re: [Openvpn-devel] OpenVPN 2.3-alpha1 released

2012-02-28 Thread Mr Dash Four
* Improved plug-in API (v3) which can more easily be expanded in the future: includes support for direct access to X.509 certificate data in plug-ins [...] * One-to-one NAT to circumvent IP address conflicts between local and remote networks Is there any help/doc/wiki where I could

Re: [Openvpn-devel] static build

2012-02-27 Thread Mr Dash Four
Mr Dash Four: could you try following the steps Alon gave in his earlier mail to see if it works for you? The buildsystem fetches the dependencies from standard URLs, see "openvpn-build/generic/build.vars". Except that they are not "standard", at least not all of them.

Re: [Openvpn-devel] static build

2012-02-26 Thread Mr Dash Four
arm-unknown-linux-gnueabi-objdump: image-arm-static/openvpn/sbin/openvpn: Invalid operation Huh? Have you altered the sources/makefiles of openvpn or any of the dependent libraries (lzo, openssh etc) by any chance? I noticed you are applying a single patch to the lzo source, which I had t

Re: [Openvpn-devel] static build

2012-02-26 Thread Mr Dash Four
You can check if executable is static by using arm-unknown-linux-gnueabi-readelf --relocas. The fact that the archive has a lot of files does not mean the openvpn is not static. Well, I don't really know what you understand "static linking" to be, but to me it means that all external functio

Re: [Openvpn-devel] static build

2012-02-26 Thread Mr Dash Four
Reason being, I suspect, that the lzo static libraries cannot be found (strange as the compilation succeeded). I need tmp/openvpn/config.log Better to have the complete build output... This was done in mock environment (both the rpm and "normal" build). When I did this from outside,

Re: [Openvpn-devel] static build

2012-02-26 Thread Mr Dash Four
> To cross compile master to arm in static, do: > $ git clone git://github.com/alonbl/openvpn-build.git > $ cd openvpn-build/generic > $ CHOST="arm-unknown-linux-gnueabi" CBUILD="x86_64-pc-linux-gnu" > DO_STATIC=1 ./build > > It will create static dependencies, but dynamic libc, if you want > real

Re: [Openvpn-devel] static build

2012-02-24 Thread Mr Dash Four
I am working on a new build system for OpenVPN, you can check it[1] out. To cross compile master to arm in static, do: $ git clone git://github.com/alonbl/openvpn-build.git $ cd openvpn-build/generic $ CHOST="arm-unknown-linux-gnueabi" CBUILD="x86_64-pc-linux-gnu" DO_STATIC=1 ./build It will c

[Openvpn-devel] static build

2012-02-23 Thread Mr Dash Four
I would like to build a slimmed-down version of OpenVPN for armv6 - would that be easy to achieve? My aim is to deploy it on my android device (I don't trust the version in existence there, so by statically building OpenVPN I won't be dependent on the bionic toolchain). Has this been attempted

Re: [Openvpn-devel] minimalistic OpenVPN

2011-06-02 Thread Mr Dash Four
configure --enable-small --disable-management (and maybe a few others) As far as I have heard others talk about it, there already is an OpenVPN version for Android... so maybe that is an even easier approach :-) Even though the OS I use is Android-like (it uses the full source, but makes a

Re: [Openvpn-devel] minimalistic OpenVPN

2011-06-02 Thread Mr Dash Four
Cyanogenmod v7 includes working openvpn support. A co-worker of mine has it on his HTC desire to connect to his home network. Brilliant! I will have a look on the forum then and see what's on offer, thanks for the heads up, much appreciated!

Re: [Openvpn-devel] minimalistic OpenVPN

2011-06-02 Thread Mr Dash Four
OpenVPN runs under OpenWRT, which is designed for minimal devices. I suppose it depends on how minimal. As minimal as possible really - it will run in "client" mode only and will connect to a central server, using either the keypad or a usb smartcard token to log in (that needs to be decide

[Openvpn-devel] minimalistic OpenVPN

2011-06-02 Thread Mr Dash Four
Is it possible to build a minimalistic version of OpenVPN to be used on portables? As part of an in-house project I would like to be able to compile, build, install and use OpenVPN on HTC (Desire). I already have the modified OS and the toolchain is already built and sufficiently tested, though I

Re: [Openvpn-devel] OpenVPN 2.2.0 build failure with "--disable-management"

2011-05-31 Thread Mr Dash Four
If this works for you, I'll take this as an ACK from you, then this patch will get into the queue for a 2.2.1 release. Yep, the patch works without a hitch, but when I now have this: configure \ --build=x86_64-redhat-linux-gnu \ --host=i686-redhat-linux-gnu \ --enable-password-save \ --enab

Re: [Openvpn-devel] OpenVPN 2.2.0 build failure with "--disable-management"

2011-05-31 Thread Mr Dash Four
Quick fix: add --disable-pkcs11 in addition to --disable-management Can you try to apply the attached patch? I believe that might solve your compile issues. Many thanks - I think applying the patch would be easier (I'll just list it in the .spec file and include it during the rpm build) -

Re: [Openvpn-devel] OpenVPN 2.2.0 build failure with "--disable-management"

2011-05-31 Thread Mr Dash Four
Our buildslave farm reported this problem, too. It should get fixed shortly in "master" branch and in 2.2 release branch: Thanks for the swift response. I'll wait until this is fixed so that I c

[Openvpn-devel] OpenVPN 2.2.0 build failure with "--disable-management"

2011-05-31 Thread Mr Dash Four
configure \ --build=x86_64-redhat-linux-gnu \ --host=i686-redhat-linux-gnu \ --enable-password-save \ --enable-iproute2 \ --with-ifconfig-path=/sbin/ifconfig \ --with-iproute-path=/sbin/ip \ --with-route-path=/sbin/route \ --disable-port-share \ --disable-management passes through, but then I ge

[Openvpn-devel] route-up and iproute plugins

2011-04-15 Thread Mr Dash Four
Is there a plugin allowing me to run "route-up" and "iproute" (replacement) scripts taking advantage of the split privilege execution? I know there is down-root which allows a "down" script to be executed in this fashion, but I am not sure I could find a similar one for the above two scripts.

Re: [Openvpn-devel] OpenVPN 2.2-RC released

2011-03-05 Thread Mr Dash Four
Speaking of which, I also proposed a (rather trivial) patch which enables cross compilation of a number of OpenVPN plugins (that patch is attached again) as in the 2.1.4 version that was not possible. I think you should leave the -O2 as default to CFLAGS. CFLAGS=-O2 Can be overridden by

Re: [Openvpn-devel] OpenVPN 2.2-RC released

2011-03-05 Thread Mr Dash Four
Any reason why the windows cross compile fix we discussed [1] did not make it into mainline? This is a trivial patch, which resumes the ability to build openvpn using cross compiler and autotools. Please apply so we don't need to maintain this out of tree. You can test build at [2]. I'm so

Re: [Openvpn-devel] bugfix2.1: automake support for plugin build

2011-01-06 Thread Mr Dash Four
Can you toss your .spec file around? Just sent privately!

Re: [Openvpn-devel] bugfix2.1: automake support for plugin build

2011-01-06 Thread Mr Dash Four
If the patch is applied, the libtoolize tool has populated m4/* and you've regenerated the aclocal.m4 with aclocal, the configure and Makefile.in, then it should suffice, yes. I am more than willing to send you my spec file for you to look at and can also attach instructions on how to try to

Re: [Openvpn-devel] bugfix2.1: automake support for plugin build

2011-01-06 Thread Mr Dash Four
This has gone wrong. The plugins should be built from the top-level directory instead (see below how it works for me), with the regular "make" that also builds openvpn, so the "for plugin in ... make -C $plugin ..." is no longer needed for these two guys. I just removed the loop to see if it

Re: [Openvpn-devel] bugfix2.1: automake support for plugin build

2011-01-06 Thread Mr Dash Four
This has gone wrong. The plugins should be built from the top-level directory instead (see below how it works for me), with the regular "make" that also builds openvpn, so the "for plugin in ... make -C $plugin ..." is no longer needed for these two guys. "make install" should load the materia

Re: [Openvpn-devel] bugfix2.1: automake support for plugin build

2011-01-06 Thread Mr Dash Four
I suppose you need to modify the .spec file to make sure you're running autoreconf twice up front (or libtoolize, aclocal, autoconf, automake, possibly autoheader). Note you'll want to remove the .la files from the destdir, and list the .so files in the %files section, /usr/lib/openvpn/*.so mig

Re: [Openvpn-devel] bugfix2.1: automake support for plugin build

2011-01-06 Thread Mr Dash Four
This is the patch series for the bugfix2.1 branch. I will send a separate patch pair for beta 2.2 soon. Looking for feedback, review, and ACK or NAK :-) I take it that these patches could be applied to the 2.1.4 version tree, right? If so, I would be able to test this tonight (including c

Re: [Openvpn-devel] [OpenVPN 2.1.4 BUG]: hard-coded values in Makefiles for down-root and auth-pam plugins prevent cross compilation

2010-12-30 Thread Mr Dash Four
I think it would be good to integrate this with automake if the whole setup is to be integrated and these plugins are supposed to be built more or less officially. Yep, that's what I meant. Better still, autogen can be utilised to do the same thing, but automake is a good start.

Re: [Openvpn-devel] [OpenVPN 2.1.4 BUG]: hard-coded values in Makefiles for down-root and auth-pam plugins prevent cross compilation

2010-12-30 Thread Mr Dash Four
Your patch removes -Wall completely. No, it doesn't! "-Wall" is (normally) part of CFLAGS and is included "by default", so there is no need to be specified again here. If anything needs to be added, it has to be compile/link flags specific for this module and/or objects (like DLOPEN_PAM for e

[Openvpn-devel] [OpenVPN 2.1.4 BUG]: hard-coded values in Makefiles for down-root and auth-pam plugins prevent cross compilation

2010-12-26 Thread Mr Dash Four
Due to the fact that I have spent the last two and a half hours trying to find a place where to submit a bug report via the Trac system (https://community.openvpn.net/openvpn) - and failing, miserably so - I am submitting it here! In this version of OpenVPN, the Makefiles for the above plugins