Re: [Openvpn-devel] Feature request - Allow comments inside markers

2021-05-18 Thread Gert Doering
Hi, On Tue, May 18, 2021 at 02:19:10PM +0200, Arne Schwabe wrote: > We could implement it in the hash parser to skip the lines starting with #. Ah, right. This should be very easy, actually, without affecting anything else that does stuff. Let's see if I can find time :-) gert -- "If was on

Re: [Openvpn-devel] Feature request - Allow comments inside markers

2021-05-18 Thread Arne Schwabe
On 17.05.21 at 17:31, Gert Doering wrote: > Hi, > > On Mon, May 17, 2021 at 02:57:32PM +, tincantech via Openvpn-devel wrote: >> I think it would be useful to allow comment inside the >> markers. > > I've run across this as well, and share that sentiment. It would be nice. > > That said, I'

Re: [Openvpn-devel] Feature request - Allow comments inside markers

2021-05-17 Thread tincantech via Openvpn-devel
Hi, ‐‐‐ Original Message ‐‐‐ On Monday, 17 May 2021 16:31, Gert Doering wrote: > Hi, > > On Mon, May 17, 2021 at 02:57:32PM +, tincantech via Openvpn-devel wrote: > > > I think it would be useful to allow comment inside the > > markers.

Re: [Openvpn-devel] Feature request - Allow comments inside markers

2021-05-17 Thread Gert Doering
Hi, On Mon, May 17, 2021 at 02:57:32PM +, tincantech via Openvpn-devel wrote: > I think it would be useful to allow comment inside the > markers. I've run across this as well, and share that sentiment. It would be nice. That said, I'm not sure how easy it is to implement (the inline-config p

[Openvpn-devel] Feature request - Allow comments inside markers

2021-05-17 Thread tincantech via Openvpn-devel
Hi, I think it would be useful to allow comment inside the markers. EG: # alice 67:1F:A5:CA:26:98:BA:40:D9:EB:6A:5B:C1:64:8C:8E:66:6E:7A:22:26:73:96:6A:5E:9B:B3:17:8F:F8:C6:9C # bob 55:B6:3F:AD:BC:A0:8C:EF:00:B3:2F:A5:46:46:83:82:6F:34:86:8D:23:2B:

Re: [Openvpn-devel] [openvpn-devel] Feature request - Include daemon_pid in --tls-crypt-v2-verify env - V2

2021-04-27 Thread tincantech via Openvpn-devel
Hi, no complaints yet ? Sent with ProtonMail Secure Email. ProtonMail, as crap as googlemail. ‐‐‐ Original Message ‐‐‐ On Friday, 23 April 2021 22:16, tincantech via Openvpn-devel wrote: > Hi, > > I am requesting that daemon_pid be adde

[Openvpn-devel] [openvpn-devel] Feature request - Include daemon_pid in --tls-crypt-v2-verify env - V2

2021-04-25 Thread tincantech via Openvpn-devel
Hi, I am requesting that daemon_pid be added to --tls-crypt-v2-verify env. Version 2 Justification: With the notable exception of --tls-crypt-v2-verify .. daemon_pid provides a verified process ID to All scripts. This ensures that scripts which ar

Re: [Openvpn-devel] feature request: get openvpn to use closest server

2014-12-09 Thread Gert Doering
Hi, On Wed, Dec 10, 2014 at 08:31:27AM +1300, Jason Haar wrote: > LOL! It took Gert to spot the most obvious scenario ;-) I'm good at breaking things :-) > That really > re-enforces what I think about this needing to be an "openvpn ping" type > solution: it is irrelevant if the server is up or

Re: [Openvpn-devel] feature request: get openvpn to use closest server

2014-12-09 Thread Jason Haar
On 10/12/14 08:09, Gert Doering wrote: > In what kind of scenario would an OpenVPN server not be available, if > the server itself still responds to pings? > "The server process crashed". LOL! It took Gert to spot the most obvious scenario ;-) That really re-enforces what I think about this needin

Re: [Openvpn-devel] feature request: get openvpn to use closest server

2014-12-09 Thread Gert Doering
Hi, On Tue, Dec 09, 2014 at 10:40:01AM +0200, Samuli Seppänen wrote: > > I also think it should be done with some "openvpn-ping" instead of icmp > > ping because it confirms the server is available on the protocol/port > > combination, whereas icmp doesn't > In what kind of scenario would an OpenV

Re: [Openvpn-devel] feature request: get openvpn to use closest server

2014-12-09 Thread Jason Haar
On 09/12/14 21:40, Samuli Seppänen wrote: > Would 3 pings and ping replies adequately measure the overall > performance of OpenVPN server even for one particular VPN session? What > if there's a temporary congestion somewhere between the "best" server > and the client? I think that reliably determi

Re: [Openvpn-devel] feature request: get openvpn to use closest server

2014-12-09 Thread Samuli Seppänen
Hi, > > > So I propose openvpn itself could solve this problem - if it had some > application layer way of "pinging" all available openvpn servers and > choosing the one that responds "best". I'd suggest it only be supported > for sites using "tls-aut

[Openvpn-devel] feature request: get openvpn to use closest server

2014-12-06 Thread Jason Haar
Hi there If you have a global network with several openvpn servers, you have a problem with getting clients to connect to the "best" server(*). Typically you'd either rely on users manually choosing the best server (which they can't do well as they don't know the full story), or do something easy

Re: [Openvpn-devel] Feature request: Client-side username/password retrieval using environment variables

2009-10-13 Thread The Zep Man
David Sommerseth wrote: Am I missing something here or? openvpn does support this already, but I'm doing it via a C plug-in ... In this case, the plug-in (which needs to be compiled) gets it from the environment,

Re: [Openvpn-devel] Feature request: Client-side username/password retrieval using environment variables

2009-10-13 Thread David Sommerseth
On 13/10/09 19:28, The Zep Man wrote: > James Yonan wrote: >> The best way to programmatically supply the username/password on the >> client side is to use the OpenVPN management interface. >> >> James > > And the worst way is by using a file on a di

Re: [Openvpn-devel] Feature request: Client-side username/password retrieval using environment variables

2009-10-13 Thread The Zep Man
James Yonan wrote: The best way to programmatically supply the username/password on the client side is to use the OpenVPN management interface. James And the worst way is by using a file on a disk (which is why it is disabled by default on compilation time). How about something in between?

Re: [Openvpn-devel] Feature request: Client-side username/password retrieval using environment variables

2009-10-13 Thread James Yonan
The Zep Man wrote: Dear openvpn-devel list, OpenVPN supports verification of a username/password combination on the server-side by parsing these to a 'script' using 'auth-user-pass-verify'. With this, it is possible to use a file ('via-file') or environment variables ('via-env') to parse the g

[Openvpn-devel] Feature request: Client-side username/password retrieval using environment variables

2009-10-11 Thread The Zep Man
Dear openvpn-devel list, OpenVPN supports verification of a username/password combination on the server-side by parsing these to a 'script' using 'auth-user-pass-verify'. With this, it is possible to use a file ('via-file') or environment variables ('via-env') to parse the given username and pa

[Openvpn-devel] Feature Request: OpenVPN support for fips 140-2 validated OpenSSL.

2007-09-26 Thread Jacob Wilkins
Howdy, OpenSSL has been FIPS 140-2 validated for a few months now. The "fips mode" within OpenSSL is not automatic, and requires some invocation from within the calling app. See here for details: http://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf Running in this mode disables all ciphers bes

Re: [Openvpn-devel] feature request: ability to pass pkcs#11 PIN via command line/config

2007-06-08 Thread Alon Bar-Lev
On 6/8/07, Richard Hartmann wrote: On 6/8/07, Alon Bar-Lev wrote: > You keep forgetting that attempting to authenticate to smartcard using > invalid PIN will eventually lock it. If there is only one PIN, that is not any threat. It either authenticates correctly or times out. In neither case is

Re: [Openvpn-devel] feature request: ability to pass pkcs#11 PIN via command line/config

2007-06-08 Thread Alon Bar-Lev
Well... you keep saying that you know what you are doing... So please explain to me 1. What happens if no card is inserted at startup? 2. What happens if the card is removed? 3. What happens if the card is removed and inserted? 4. What happens if the wrong card is inserted? Smartcards are dynami

Re: [Openvpn-devel] feature request: ability to pass pkcs#11 PIN via command line/config

2007-06-08 Thread Richard Hartmann
Hi Alon, This is not wise in terms of security. This depends on the use case and the requirements. If there was a way to have the user enter their PIN before logging into Windows, I would gladly use that. Furthermore, the method I described is still more secure than any solution based on certi

Re: [Openvpn-devel] feature request: ability to pass pkcs#11 PIN via command line/config

2007-06-08 Thread Alon Bar-Lev
As you figured it out... This is not wise in terms of security. So I am sorry, but I don't think this should be supported. Especially when you can achieve the same via the management interface. Best Regards, Alon Bar-Lev. On 6/8/07, Richard Hartmann wrote: Hi all, I am setting up a test case

[Openvpn-devel] feature request: ability to pass pkcs#11 PIN via command line/config

2007-06-08 Thread Richard Hartmann
Hi all, I am setting up a test case where the user is supposed to plug in his USB token before booting. Once he boots up and prior to him logging in to Windows, I need to establish an OpenVPN connection to our aggregator. To do this, I am using a 'solution' where I abuse a netcat connection to

[Openvpn-devel] Feature Request for UDP connect-retry

2006-08-25 Thread Louis
First my concern: When openvpn is not connected, the client continually sends udp packets every 2 seconds (tls-timeout). This traffic is unnecessary/wasteful if the server is unreachable. Ideally there would be a setting to allow udp connections to take a break. I don't know why this has been imp

[Openvpn-devel] feature request

2006-06-25 Thread Denis dos Santos Silva |̲̅<̲̅Θ̲̅>̲̅|
* motd --- like message of day, performed by client (in case, openvpn gui) * message based on common name --- a custom message, like ''last connected'' or a custom message ccd or push-based ... this is just an idea

Re: [Openvpn-devel] Feature request : connect to non-SSL HTTP proxy

2006-02-08 Thread Giancarlo Razzolini
Philippe Lemesle wrote: > Hello, all. > > At work, the admins are so paranoid that the policy is to block all internet > access to ensure security. > The only way to go to the Internet is by the way of an HTTP-proxy which > offers > SSL functionality. > The admins are aware that some employees

[Openvpn-devel] Feature request : connect to non-SSL HTTP proxy

2006-02-08 Thread Philippe Lemesle
Hello, all. At work, the admins are so paranoid that the policy is to block all internet access to ensure security. The only way to go to the Internet is by the way of an HTTP-proxy which offers SSL functionality. The admins are aware that some employees use VPN over SSL. In fact, they are cur

Re: [Openvpn-devel] feature request: "tcp-nodelay" option

2006-01-09 Thread UMEZAWA Takeshi
On Fri, 06 Jan 2006 14:08:11 -0700 James Yonan wrote: > TCP_NODELAY is supported in 2.1 -- see man page. Oops, sorry. But I cannot find any description of TCP_NODELAY in man page (openvpn.8). I looked into openvpn-2.1_beta8.tar.gz, CVS repository (BETA21 branch) and http://openvpn.net/man-beta.

Re: [Openvpn-devel] feature request: "tcp-nodelay" option

2006-01-06 Thread James Yonan
UMEZAWA Takeshi wrote: Hello, all. It would be nice if we can set TCP_NODELAY socket option for tunnel connection when OpenVPN uses TCP transport, in order to achieve smaller latency rather than higher throughput. I think that it is not a good way to set this option in create_socket_tcp() (in

[Openvpn-devel] feature request: "tcp-nodelay" option

2006-01-04 Thread UMEZAWA Takeshi
Hello, all. It would be nice if we can set TCP_NODELAY socket option for tunnel connection when OpenVPN uses TCP transport, in order to achieve smaller latency rather than higher throughput. I think that it is not a good way to set this option in create_socket_tcp() (in socket.c), because it also

[Openvpn-devel] feature request: demand connection

2005-12-18 Thread Ulf Dambacher
Hi I need a feature "connection on demand" including a "callback" script for a tls-client. why? I want to connect two servers via internet and establish a tunnel. Both servers use ADSL to connect to the internet on demand. Now if one server wants to connect to the other, he has to initiate a

[Openvpn-devel] Feature request: Management via Unix domain socket?

2005-09-12 Thread Piet Delport
At the moment, OpenVPN's management interface can only listen on a TCP port. Support for listening on a Unix domain socket should be easy, and would be simpler and more secure for some setups. The configuration file format would not even need significant change; the "management" option could sim

[Openvpn-devel] feature request

2004-08-22 Thread Julien TOUCHE
is there any plan to have the following functions (mainly for windows, but other os could): - on server request, block all traffic except vpn (by route, firewall, or else ?) - on connection, execute some programs on clients: maybe with integrity check (md5+sha1+rmd160). example: launch ant