[Openvpn-devel] A configuration improvement suggestion: to use "port/protocol" pair

ould be possible to avoid editing client's configs. My goal is to penetrate tightly filtered perimeters where only proxyed HTTP and HTTPS are allowed. Please comment. Tony.

[Openvpn-devel] Who develops TAP-Win32?

I'd like to ask few questions about TAP-Win32 behaviour on winXP-SP2. In particular I'd like to know how to make it fully support NetBEUI broadcasts. Tony.

[Openvpn-devel] Re: Who develops TAP-Win32?

it is possible to fix TAP-Win32 to handle that sort of a problem. Thank you in advance. Tony.

[Openvpn-devel] Re: Who develops TAP-Win32?

Stupid me, I should have stated that I run it under BRIDGED configuration. Tony.

[Openvpn-devel] Re: OpenVPN 2.0.7 and 2.1-beta13 released

After that - "TLS failure" and re-try... Summary: client(v2.1b13)<->server(2.0.7) = OK client(v2.1b13)<->server(2.1b13) = NOK Tony.

[Openvpn-devel] Re: OpenVPN 2.1-beta14 released

nd RTC is on UTC. I may test this in server configuration if needed.) Tony.

[Openvpn-devel] Configuration flexibility enhancement suggestion.

ommand). I place my connections in the order of preference. Please comment on the idea. Tony.

[Openvpn-devel] Re: Configuration flexibility enhancement suggestion.

, and a wrapper script (supervised by runit or a similar tool) could be responsible for rotating between them. The idea is based on what I see in the openssl configuration file regarding the certificate generation of different types ("client" vs "server"), for example. Tony.

[Openvpn-devel] Re: Configuration flexibility enhancement suggestion.

eed a GUI user! What a shame I did not try this simple method first... Thank you for the advise! Gone testing... Tony.

[Openvpn-devel] Re: Connection problems ports

On Fri, 26 May 2006 13:27:40 +0400, Brian J wrote: Client file start__ client dev tap proto udp remote xxx.xxx.xxx.xxx:5000 I'm sure you should remove that ":" between the address and the port number. Tony.

[Openvpn-devel] A special IP address range for exclusive VPN usage?

?! I saw a VPN system, namely Hamachi (www.hamaci.cc), which cleverly uses the 5.*.*.* range. Who's responsibility to ask IANA about that matters? Is it already implemented? If so - which IP-range is safe to be used in VPN between a server and a client? Please comment. Tony.

Re: [Openvpn-devel] A special IP address range for exclusive VPN usage?

se (2) is tough. But for vast majority of roadwarriors (like me) - it will do the trick - with 100% probability. Whereas now - I may only hope that the LAN where I land now will not collide with my OpenVPN settings... Tony.

Re: [Openvpn-devel] A special IP address range for exclusive VPN usage?

.*.*) I think that an introduction of some special IP-range for the exclusive VPN usage - as long as IPv4 is still here - a range is very welcome. Now I re-configure my server to allocate a client with 5.*.*.* addresses. Tony.

[Openvpn-devel] MULTICAST: cannot join a group across the OpenVPN connection. Why?

3|SMTP and NetBEUI - all I use for my everyday work - operate as they should. What may be the cause of this misfeature? Tony.

Re: [Openvpn-devel] MULTICAST: cannot join a group across the OpenVPN connection. Why?

Does this silence (no replyes or comments) mean that it is my own mistake in configuring the OpenVPN and that MULTICASTing across the OpenVPN link works for everybody? Tony.

Re: [Openvpn-devel] MULTICAST: cannot join a group across the OpenVPN connection. Why?

control the presense of the data - receive it or not - the sender will flood all of your LAN with it's data. Besides, in IPv6 there will be no conception of BROADCASTs any more, only MULTICASTs should be used instead. Tony.

Re: [Openvpn-devel] MULTICAST: cannot join a group across the OpenVPN connection. Why?

it was not designed to handle broadcasts and multicasts properly. That's why I posted my question here. Tony.

[Openvpn-devel] OpenVPN v2.1_rc1 on winXP-SP2: success.

ssful only if a user is a member of the "Network Configuration Operators" group also (not just a plain "User") - I believe it is not purely OpenVPN limitation, right? Again, thank you for the fine product!!! Tony.

Re: [Openvpn-devel] OpenVPN v2.1_rc1 on winXP-SP2: success.

On Thu, 02 Nov 2006 13:49:42 +0300, Tony wrote: The OpenVPN v2.1_rc1 works as a client on winXP-SP2 fine. Now I report the success with OpenVPN v2.1_rc1 on winXP-SP2 as the server. Works fine, now I am able to run OpenVPN v2.1_rc1 <-> OpenVPN v2.1_rc1, i.e., on both ends of the link.

Re: [Openvpn-devel] OpenVPN Roadmap

Are there any plans to make OpenVPN multicast-friendly? Currently I seem to be unable to join to a multicasted group across the OpenVPN connection. I need such functionality real badly... Tony.

Re: [Openvpn-devel] Patch that provides unidirectional IGMP snooping in the multi-client server

OpenVPN server? ("local" == on the same LAN) My OpenVPN server is a winXP-SP2 box, I use BRIDGING, will your patch work for me? Can you send me a pre-compiled version to try? Thank you in advance. Tony.

Re: [Openvpn-devel] OpenVPN Status Log

On Wed, 03 Jan 2007 16:29:20 +0300, Alexander Littell wrote: I would guess that most OpenVPN administrators are using username/password pairs instead of certificates to authenticate their clients. Well, I do anyway. Not me! I use hardware-tokens-based (PKCS#11) authentication. Tony.

Re: [Openvpn-devel] OpenVPN Status Log

On Fri, 05 Jan 2007 00:38:44 +0300, Alexander Littell wrote: Thanks for the input, Tony. I'm sure that solution scales very well. ;-) I'm puzzled... Was that an irony or am I missled by English vs Russian language differences? Tony.

Re: [Openvpn-devel] OpenVPN 2.1_rc2 released

On Wed, 28 Feb 2007 13:24:45 +0300, James Yonan wrote: OpenVPN 2.1_rc2 has been released OpenVPN v2.1rc2 works fine on winXP-SP2 as a client to OpenVPN v2.1rc1 server (on winXP-SP2). The winXP-SP2 server update in planed for Monday, I'll report ASAP. -- Tony.

[Openvpn-devel] The "residual" traffic after a disconnect?

as always so, not just on this (v2.1-rc2) version. What could it be and how do I solve it (if at all possible)? -- Tony.

Re: [Openvpn-devel] how to resolwe host adres for each 5 minute

On Fri, 20 Jul 2007 11:03:46 +0400, feramus coban wrote: how can client computer resolve ip adres every 5 minute and reconnect There is an option for that: "resolv-retry infinite", I think. -- Tony.

[Openvpn-devel] ?????? [ovpn-dco] It seems not to compile ovpn-cli successfully

Hi Antonio, Thanks. Confirmed this issue has been fixed. Will test performance. If more issues are encountered, will report. Tony

[Openvpn-devel] [ovpn-dco] Can ovpn-dco use all cpu cores?

. So , can ovpn-dco use all cpu cores to get max performance? Thank you! Tony ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [ovpn-dco] Can ovpn-dco use all cpu cores?

Hi Antonio, I think I need to test another platform. It may give us more information. I will choose one arm board to have a try when I'm free. Tony Antonio Quartulli 于2024年1月30日周二 19:02写道： > > Hi, > > On 29/01/2024 05:25, Tony He wrote: > > Hi Antonio, > > &g

[Openvpn-devel] ovpn-dco: nestns-test.sh - fix the issue that veth is not created successfully

Hi Antonio, Have you encountered this issue? Please help to review. Tony ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] ovpn-dco: nestns-test.sh - fix the issue that veth is not created successfully

Hi Antonio, To confirm, I installed a Ubuntu 20.04 VM and saw it supports these two formates. Tony Antonio Quartulli 于2020年11月18日周三 下午11:05写道： > Hi Tony, > > On 18/11/2020 15:54, Tony He wrote: > > > > Hi Antonio, > > > > Have you encountered this issue? Plea

[Openvpn-devel] [ovpn-dco] performance issue

ation data from Ubuntu 20.04 VM to Ubuntu 18.04* tony-vm-2004% iperf3 -c 5.5.5.2 -t 15 Connecting to host 5.5.5.2, port 5201 [ 5] local 5.5.5.1 port 55342 connected to 5.5.5.2 port 5201 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 37.3 MBytes 313 Mbits/

[Openvpn-devel] [ovpn-dco] Kernel NULL point derefence

899.348798] DR3: DR6: fffe0ff0 DR7: 0400 Tony ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [ovpn-dco] Kernel NULL point derefence

Hi Antonio, Did more test. Just FYI. ba109be633f bad. 6eb6292a9d3 ? 0989291e816 good Tony Tony He 于2020年11月24日周二 上午9:19写道： > Hi Antonio, > > I'm using the latest commit 4b104be to test and encountered following > issue. I saw multi times in both peers. I never encountered th

Re: [Openvpn-devel] [ovpn-dco] Kernel NULL point derefence

Hi Antonio, Yeah, this patch fixes this issue. Tony Antonio Quartulli 于2020年11月24日周二 下午3:44写道： > Hi Tony, > > Thanks a lot for all your tests. > The faulty commit is: > > commit ba109be633fd802b856d6a125f47e2d0ff7ad749 > Author: Antonio Quartulli > Date: Sun No

[Openvpn-devel] [ovpn-dco] question about the comment about AEAD nonce

005 521c3b01 4308c041 83ba3099" wrong? Its size is 16 bytes, but you also comment "12-byte full IV" after two lines of it. Tony ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

ver exposes to userspace. "cryptodev engine" is NOT the "HW engine" chip vendor provides. It's a common interface and its source is not from chip vendor. Please refer to: https://github.com/cryptodev-linux/cryptodev-linux https://openwrt.org/docs/techref/hardware/cryptographi

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

Hi Antonio, Understood. We have dicussed this in the OpenWRT forum. Maybe some kind OpenWRT guys will implement aead hmac-sha256-cbc-aes for ovpn-dco module in the future. https://forum.openwrt.org/t/ipq806x-nss-drivers/12613/2180?u=tony.he Tony Antonio Quartulli 于2020年11月26日周四 下午3:49写道

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

Hi Gert, Because there is HW crypto engine in some embedded devices, the crypto engine maybe only supports hmac-sha256-cbc-aes. Tony Gert Doering 于2020年11月26日周四 下午4:56写道： > Hi, > > On Thu, Nov 26, 2020 at 04:53:14PM +0800, Tony He wrote: > > Understood. We have dicussed this

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

t result, it's still not fast(about 60Mbps). The bottleneck is not encryption operation any more. It comes from the switch of user space and kernel space in the OpenVPN2, which makes the poor CPU of embedded device very busy. That's why we need OpenVPN3 running in the kernel space. Tony T

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

1207364.27k openssl speed -evp chacha20-poly1305 chacha20-poly1305 is an unknown cipher or digest Using old openssl, so chacha20-poly1305 is not supported. Tony Arne Schwabe 于2020年11月26日周四 下午6:40写道： > Am 26.11.20 um 10:41 schrieb Tony He: > > Hi Arne, > > > >>Since the origin

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

peed is much faster at least for big blocks. Maybe for small blocks it's slower because it needs the time to push the work to kernel and then HW engine and the time spent is may longer than the time costed by OpenSSL directly does the encryption/decryption. Tony Jan Just Keijser 于2020年12月2日周三 下午

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

ocks: 198963 sha1's in 3.00s Doing sha1 for 3s on 8192 size blocks: 27380 sha1's in 3.00s ... type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes sha1 10013.71k 26677.82k 51463.68k 67912.70k 74765.65k Tony Jan Just Keijser 于2020年12月2日周三 下午11:24写道： > Hi Tony, > > O

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

ee the CCM performance is almost same. Tony Jan Just Keijser 于2020年12月4日周五 下午5:49写道： > Hi Tony, > > On 04/12/20 08:41, Tony He wrote: > > Hi Jan, > Yeah, need option " -elapsed" because OpenSSL counts user time instead of > total time(user+sys time) without this

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

will implement this. > > > -- 原始邮件 -- > *发件人:* "Jan Just Keijser" ; > *发送时间:* 2020年12月4日(星期五) 晚上6:19 > *收件人:* "Tony He"; > *抄送:* "lev";"Antonio Quartulli" >;"openvpn-devel"; > *主题:* Re: [Openvpn-de

Re: [Openvpn-devel] [ovpn-dco] Is cbc-hmac supported?

UTC ... type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes aes-128-ccm 18304.68k 32283.75k 40139.86k 42916.18k 43660.63k 43745.28k Tony Tony He 于2020年12月6日周日 上午10:57写道： > Hi Jan, > > The driver is open source. > https://github.com/SVoxel/R9000/tree/mas

Re: [Openvpn-devel] [ovpn-dco] AES-CCM available for testing

yeah, also looking forward to add support authenc-hmac-sha256-cbc-aes because I have another IPQ806x device which support this mode but not CCM or GCM. IPQ806x devices are widely used for router users. Tony Jan Just Keijser 于2020年12月7日周一 下午5:12写道： > Hi Antonio, > > On 06/12/20 17:09

Re: [Openvpn-devel] [ovpn-dco]

Sorry, clicked "send" button before adding subject and CC Openvpn-dev. I will send a new mail. Tony He 于2021年1月13日周三 下午4:57写道： > Hi Antonio, > > I see you have pushed new commits to support multiple link to peers. So I > tried compiling, but encounter below error. My kern

Re: [Openvpn-devel] [ovpn-dco] compilation error in function ‘ovpn_peer_lookup_transp_addr’

change the subject. Tony He 于2021年1月13日周三 下午5:03写道： > Sorry, clicked "send" button before adding subject and CC Openvpn-dev. I > will send a new mail. > > Tony He 于2021年1月13日周三 下午4:57写道： > >> Hi Antonio, >> >> I see you have pushed new commits to su

Re: [Openvpn-devel] [ovpn-dco]compilation error in function ‘ovpn_peer_lookup_transp_addr’

ranch :-) > > > > The object pointed by sa6 is not large enough, hence triggering that > error. > > > > Will come up with a fix. > > > > Thanks! > > > > On 13/01/2021 11:17, Tony He wrote: > >> Hi Antonio, > >> > >> Yes, I

Re: [Openvpn-devel] compiling issue in openvpn 2.6.0+ supporting ovpn-dco

No, same error. This error happens on my Ubuntu 20.04 VM. Another Ubuntu 18.04 is fine. Checking. What's your Linux distribution? Tony Arne Schwabe 于2021年3月2日周二 下午4:18写道： > Am 02.03.21 um 05:12 schrieb Tony He: > > Hi Arne, > > > > I'm trying your working branch

[Openvpn-devel] Segmentation fault in OpenVPN 2.6_git [git:dco/fcc852a9b2ea832c]

SPEC] Program received signal SIGSEGV, Segmentation fault. encrypt_sign (c=c@entry=0x7fffd2b0, comp_frag=comp_frag@entry=true) at forward.c:567 567 if (c->c2.tls_multi->context_auth != CAS_SUCCEEDED) Tony ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] Segmentation fault in OpenVPN 2.6_git [git:dco/fcc852a9b2ea832c]

Arne Schwabe 于2021年3月3日周三 下午7:56写道： > Am 03.03.21 um 08:46 schrieb Tony He: > > Hi Arne, > > > > I encountered segmentation fault in your dco branch. Master branch is > > OK. I reverted the commit "Linux data-channel offload support", but it > >

Re: [Openvpn-devel] Segmentation fault in OpenVPN 2.6_git [git:dco/fcc852a9b2ea832c]

Antonio Quartulli 于2021年3月4日周四 下午3:48写道： > Hi Tony, > > On 04/03/2021 03:10, Tony He wrote: > > > > Arne Schwabe mailto:a...@rfc2549.org>> 于2021年3月3日 > > 周三 下午7:56写道： > > > > Am 03.03.21 um 08:46 schrieb Tony He: > > > Hi Arne, > &

[Openvpn-devel] [ovpn-dco] try to port to kernel 4.14.76, but can not join AF_NETLINK group

nk/af_netlink.c#L1631 The value of err is -2, which means No such file or directory. according to https://elixir.bootlin.com/linux/v4.14.76/source/include/uapi/asm-generic/errno-base.h#L6 If only join RTNLGRP_NOTIFY group, it's OK. Do you have any idea? Any input is ver

Re: [Openvpn-devel] [ovpn-dco] try to port to kernel 4.14.76, but can not join AF_NETLINK group

just pushed new code: int ret = nl_socket_add_membership(dco->nl_sock, dco->ovpn_dco_mcast_id); Had a quick test, it's fine. I'm not sure why the old code in my X86-64 PC is OK while it doesn't work in this MIPS64 router. Maybe it's not related with the kernel version. T

[Openvpn-devel] [ovpn-dco] sudden network disconnection

r hardware. Maybe I should test in more platforms and kernel versions to compare. If you have any idea, please let me know. Thanks a lot. Tony ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [ovpn-dco] sudden network disconnection

Hi Arne, I'm going to test encryption "none" to narrow down this issue, but I found your dco branch doesn't support this. Can you support? Tony Antonio Quartulli 于2021年3月31日周三 下午2:32写道： > Hi, > > On 31/03/2021 08:29, Antonio Quartulli wrote: > > A packet

Re: [Openvpn-devel] [ovpn-dco] sudden network disconnection

Antonio Quartulli 于2021年3月31日周三 下午3:32写道： > Hi, > > On 31/03/2021 09:29, Tony He wrote: > > Hi Arne, > > > > I'm going to test encryption "none" to narrow down this issue, but I > > found your dco branch doesn't support this. > > Can yo

Re: [Openvpn-devel] [ovpn-dco] sudden network disconnection

ng on at all levels. (Assuming the problem > will still appear) > Some issue. Will provide dump or more log when I am free. Tony ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [ovpn-dco] sudden network disconnection

in the low-end devices. It also consumes more CPU resource in low-end and high-end devices. If I'm not mistaken, we don't need to set link-mtu without dco. Is this a bug? Can you reproduce? Do I still need to upload my dump? If so, maybe I need to provide a link. Tony Tony He 于2021年3月31日周三

[Openvpn-devel] [PATCH] ovpn-dco: ovpn-cli: properly set socket options

;. Refer to https://stackoverflow.com/questions/58599070/socket-programming-setsockopt-protocol-not-available Signed-off-by: Tony He --- tests/ovpn-cli.c | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/tests/ovpn-cli.c b/tests/ovpn-cli.c index c1cf3b4..68d28b4 100644 --- a/tests/ovpn-

Re: [Openvpn-devel] [ovpn-dco] sudden network disconnection

Antonio Quartulli 于2021年4月1日周四 下午2:35写道： > Hi Tony, > > On 01/04/2021 04:38, Tony He wrote: > > Hi Antonio, Arne, > > > > According to the dump, this issue is caused by fragment. If I set > > link-mtu to 1472 in the condition of encryption "none", it&#x

Re: [Openvpn-devel] [ovpn-dco] sudden network disconnection

(Ethernet) RX packets 10365932 bytes 6963820421 (6.9 GB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 11883693 bytes 11887431595 (11.8 GB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 Tony He 于2021年4月1日周四 下午3:01写道： > > > Antonio Qua

[Openvpn-devel] [ovpn-dco] When will openvpn 2.6 be released

Hi Antonio, I am looking forward to official openvpn 2.6 which supports DCO. May I know what issues are blocking us? From Linux side or Windows side? Thank you! Tony ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https

[Openvpn-devel] [ovpn-dco] can not delete tun interface automatically if option "user nobody" is used

2022-03-29 18:12:45 sitnl_send: rtnl: generic error (-1): Operation not permitted 2022-03-29 18:12:45 Linux can't del IP from iface tun0 2022-03-29 18:12:45 net_iface_del: delete tun0 2022-03-29 18:12:45 sitnl_send: rtnl: generic error (-1): Operation not permitted 2022-03-29 18:12:45 SIGINT[ha

Re: [Openvpn-devel] [ovpn-dco] can not delete tun interface automatically if option "user nobody" is used

Timo Rothenpieler 于2022年3月29日周二 18:45写道： > > On 29.03.2022 12:21, Tony He wrote: > > Hi, > > > > 1. Add option "user nobody" to test ovpn-dco. > > 2. Start openvpn, below is the log. Then we will see tun0 is still > > there after openvpn exit. We

[Openvpn-devel] [ovpn-dco] How to benchmark kernel crypto performance?

on is the bottleneck. Do you know how to benchmark crypto performance in the kernel space? Any advice is welcome. Thank you! Tony ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [ovpn-dco] How to benchmark kernel crypto performance?

ta_usecs, mbits/delta_usecs); total_size = 0; delta_usecs = 0; } .. .. Tony Tony He 于2022年4月2日周六 17:40写道： > > Hi Antonio, > > I am porting ovpn-dco to embedded ARMv8 device with hardware crypto > engine. However the performance is not very go

Re: [Openvpn-devel] [ovpn-dco] How to benchmark kernel crypto performance?

exit automatically) Tony Jan Just Keijser 于2022年4月5日周二 19:26写道： > > hi Tony, > > On 02/04/22 11:40, Tony He wrote: > > Hi Antonio, > > > > I am porting ovpn-dco to embedded ARMv8 device with hardware crypto > > engine. However the performance is not very good. > >