Gert Doering [Fri, 9 Jul 2010 08:24:46 +0000 (10:24 +0200)]
Fix compile problems on NetBSD and OpenBSD
Configure will not find <net/if.h> due to missing <sys/types.h> in the test program,
and thus, tun.c will fail to compile with missing symbol IFF_MULTICAST.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: krzee <jeff@doeshosting.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
This is a fix for trac ticket #20,
<https://community.openvpn.net/openvpn/ticket/20>
which was started in the sf.net bug tracker:
<http://sourceforge.net/tracker/?func=detail&aid=2078470&group_id=48978&atid=454719>
The implemented solution is to give a warning for each of the different script hooks
available. The last configured script will override any earlier configured scripts,
to ensure that the command line can override the configuration file.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
Davide Brini [Sun, 2 May 2010 09:07:38 +0000 (11:07 +0200)]
Exclude ping and control packets from activity
Problem: using --ping and --inactive together partially defeats the
point of using --inactive as periodic ping packets are counted as
activity. Here is the original discussion:
It turns out that "activity" is detected and recorded in two places
in the code, both in forward.c: in process_outgoing_tun() for received
packets, after they've been decrypted and sent to the TUN device; and
in process_outgoing_link(), after they've been encrypted and written
to the network socket.
In the first case we can be sure that packets that get so far are
really due to user activity, whereas in the second case there can be
non-user packets (like OpenVPN's internal ping packets, and TLS control
packets), and those should not be counted as activity as they are not
coming from the user.
So a need arises to detect those control packets and not count them as
activity for the purposes of --inactive. Unfortunately, at that stage
packets are already compressed and encrypted, so it's not possible to
look into them to see what they are. However, there seems to be a
convention in the code that packets whose buffer length in the context_2
structure is 0 should be ignored for certain purposes. TLS control
packets follow that convention already, so this patch makes a small
change in the code that generates the ping packets to set their buffer
length to 0 as well.
Finally, the call to register_activity() in process_outgoing_link() is
made conditional to the buffer length being > 0.
According to my tests, now --inactive behaves correctly according to
the configured parameters (time or time+bytes) even when --ping is
being used.
forward.c:
Call register_activity() in process_outgoing_link() only if the
packet is not a ping or TLS control packet.
openvpn.8:
Updated the description of --inactive to describe the new semantics.
ping.c:
Set c->c2.buf.len = 0 after the ping packet has been generated and
encrypted.
Test routine is described here:
<https://community.openvpn.net/openvpn/wiki/PingInactivePatch?version=6>
Signed-off-by: Davide Brini <dave_br@gmx.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
When the client sends PUSH_REQUESTS, it waits until the server sends PUSH_REPLY.
If the server do not have anything to push to the client nothing happens. The
client will then regularly send new PUSH_REQUESTS until it gets an answer, which
results in not completing the connection negotiation.
This patch makes the server send an empty PUSH_REPLY when it has nothing to more
to push to the client.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
chantra [Fri, 11 Jun 2010 14:23:03 +0000 (16:23 +0200)]
Handle non standard subnets in PF grammar
Allow subnets for like 192.168.100.8/28 to be understood. A warning
will be logged when subnet is incorrect and is being corrected to what
is assumed to be correct.
Signed-off-by: chantra <chantra@debuntu.org> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
James Yonan [Mon, 24 May 2010 22:51:16 +0000 (22:51 +0000)]
Implemented http-proxy-override and http-proxy-fallback directives to make it
easier for OpenVPN client UIs to start a pre-existing client config file with
proxy options, or to adaptively fall back to a proxy connection if a direct
connection fails.
David Sommerseth [Sun, 16 May 2010 17:42:40 +0000 (19:42 +0200)]
OCSP_check.sh: new check logic
contrib/OCSP_check/OCSP_check.sh:
I discovered that, quite surprisingly, the exit status of "openssl ocsp"
is 0 even if the certificate status is "revoked". This means that the
logic of the script needs to be rewritten so that it parses the output
returned by the query and explicitly looks for a
"0x<serial number>: good"
line, and exit if either the command has a non-zero exit status, or the
above line is not found.
Doing that portably without bashisms requires some juggling around, so
perhaps the code is slightly less clean now, but it does have many
comments.
Signed-off-by: Davide Brini <dave_br@gmx.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Mon, 26 Apr 2010 07:50:30 +0000 (09:50 +0200)]
Avoid repetition of "this config may cache passwords in memory" (v2)
For OpenVPN clients with long living connections, this message is repeated
everytime the connection is renegotiated. This patch removes this behaviour
and will only show this warning once.
Patch ACKed on the developers meeting 2009-04-29.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
contrib/OCSP_check/OCSP_check.sh:
New barebone script to demonstrate how to use $tls_serial_{n}
to perform simple OCSP queries using OpenSSL command line
"openssl ocsp". Minimal sanity checks to fail if user tries to
use it without customizing.
openvpn.8:
Added some notes about $tls_serial_{n} format and usage to the
existing description.
ssl.c:
correctly manage and export serial numbers of any size (as
parsed by OpenSSL) into the environment. Set to empty string
in case of errors, as 0 and negative numbers are all possible
(although illegal) certificate serial numbers. Use an OpenSSL
BIO object to do the job. Conforms to coding style guidelines.
In commit a9c9a89e96dc1e4e843e05ecadc4349b81606b06 the
client.{up,down} scripts where overhauled and bashism was removed.
During that process, a #! change was missing.
Signed-off-by: Davide Brini <dave_br@gmx.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
- No more bashisms (AFAICT). Should work with any POSIX-compatible shell
(which means "almost all reasonably recent shells"), though I've only tested
with bash and dash.
- Unnecessary calls to external tools (sed) removed
- Manages multiple DNS and DOMAIN options. Each DNS option becomes a
"nameserver" line in the new resolv.conf (up to a maximum of 3). If there's a
single DOMAIN option, it becomes a "domain" line in resolv.conf; otherwise,
all the domains are listed in a "search" line in resolv.conf (eg "search
foo.com example.net").
- Client.up renames the existing resolv.conf and creates a brand new one;
client.down restores it from the saved copy when the VPN terminates (the usual
rules about running as root apply). This is how Gentoo does that; the old
scripts instead added/removed some lines at the beginning of the file, which
looks a less clean approach to me. The rename approach also dramatically
simplifies and shortens client.down, as you'll see.
- Uses resolvconf if it's available (detected by the presence of
/sbin/resolvconf) rather than writing to resolv.conf directly. Not sure
whether this is a Linux-only thing or other systems use it though.
Script has been smoke tested on Fedora 12 with OpenVPN 2.1.1 without
the resolvconf package , and in addition Debian Lenny with
OpenVPN 2.1_rc11 according to the patch.
Signed-off-by: Davide Brini <dave_br@gmx.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Fri, 16 Apr 2010 20:09:48 +0000 (22:09 +0200)]
Renamed all calls to create_temp_filename()
All places where create_temp_filename() was called are now calling
create_temp_file(). Extra checks on the result of create_temp_file()
is added in addition.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Fri, 16 Apr 2010 20:02:36 +0000 (22:02 +0200)]
Harden create_temp_filename() (version 2)
By hardening the create_temp_filename() function to check if the generated
filename exists and to create the temp file with only S_IRUSR|S_IWUSR bit
files set before calling the script, it should become even more difficult to
exploit such a scenario.
After a discussion on the mailing list, Fabian Knittel provided an enhanced
version of the inital patch which is added to this patch.
This patch also renames create_temp_filename() to create_temp_file(), as this
patch also creates the temporary file. The function returns the filename of the
created file, or NULL on error.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: Fabian Knittel <fabian.knittel@avona.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Daniel Johnson [Tue, 30 Mar 2010 13:54:44 +0000 (15:54 +0200)]
When I began testing OpenVPN v2.1_rc9 I was having trouble authenticating to the MS Active Directory through auth-pam and Samba. I used the following line in my configs (without the linebreak of course):
Finally I turned on more verbose logging and found that the plugin did
not recognize "USERNAME" as something to replace, because it expected
the string to be surrounded by whitespace. I wrote the following patch
to correct this. I hope you find it useful,
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
After having disucssed this patch on IRC (#openvpn-discussions)
March 4, 2010, it was decided to accept this patch when not modifying
TARGET_* defines through out the code. Further, in a mail comment
Alon Bar-Lev had some other comments of what would be needed to be done.
Mail reference:
<http://thread.gmane.org/gmane.network.openvpn.devel/3176>
This patch has been tested by bootstrapping the code on a RHEL4.6 box.
with the following autotools packages installed:
autoconf-2.59-5
automake-1.9.2-3
libtool-1.5.6-4.EL4.2
It builds cleanly and 'make check' passes.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net> Acked-by: Alon Bar-Lev <alon.barlev@gmail.com>
Jan Brinkmann [Sun, 28 Feb 2010 22:29:29 +0000 (23:29 +0100)]
The man page needs dash escaping in UTF-8 environments
There was a debian bugreport which was filed in 2005 . It was patched but
it seems that nobody forwarded the patch to the openvpn project itself.
The problem is quite simple:
The dashes for options (the double dashes) are not escaped. This causes
trouble in relationship with utf-8 .
Since the bugreport was closed it was patched within the debian/ubuntu
packages itself. I've attached the patch to get it atleast reviewed by the
openvpn project itself.
See <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=296133> for details.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Tested-by: Jan Just Keijser <janjust@nikhef.nl> Tested-by: Pavel Shramov <shramov@mexmat.net> Tested-by: Samuli Seppänen <samuli@openvpn.net>
Dan Nelson [Sun, 28 Feb 2010 21:09:18 +0000 (22:09 +0100)]
bash->bourne script cleanup
Many of the scripts in the openvpn source have their shell set to
/bin/bash, but only two use bash features. The attached patch (against
openvpn-2.1_rc9) sets the shell on the rest of the scripts to /bin/sh for
better portability. The only scripts that actually require bash are
contrib/pull-resolv-conf/client.{up,down} ; they use the ${!var} variable
indirection feature.
Enrico Scholz [Sun, 28 Feb 2010 13:40:57 +0000 (14:40 +0100)]
Allow 'lport 0' setup for random port binding
I am running a multihomed host where 'local <extip>' must be specified
for proper operation. Unfortunately, this implies 'lport 1194' or
another static port.
This causes problems with stateful firewalls which register the host/port
pairs in the internal connection tracking table. On ungraceful reconnects,
the new TCP connection will have same the host/port pairs but unexpected
sequence numbers. The new connection will be assumed as invalid hence and
be dropped.
It would be nice when local port can be configured to be bound to a
random port number. After reading code,
| else if (streq (p[0], "lport") && p[1])
| ...
| port = atoi (p[1]);
|- if (!legal_ipv4_port (port))
|+ if (port != 0 && !legal_ipv4_port (port))
| {
in options.c seems to be the only required change.
This has been discussed here:
<http://thread.gmane.org/gmane.network.openvpn.user/28622>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Fri, 19 Feb 2010 16:32:56 +0000 (17:32 +0100)]
verb 5 logging wrongly reports received bytes
With --verb 5, openvpn logs a single letter (rwRW) for each package
received or sent. I recently ran into a problem with the tun device on
Linux where the read from that device returned 0. Unfortunately this was
also logged as "r", which made me assume that openvpn had received
something, while it actually hadn't.
(See https://dev.openwrt.org/ticket/6650 for the bug that made me find out
about this problem with openvpn.)
I'm attaching a patch which prevents openvpn from logging "r" or "R" when
it didn't actually read anything. This is against openvpn 2.1-rc20, but
probably still applies to the most recent version.
This patch was received anonymously via the sf.net bug tracker:
<http://sourceforge.net/tracker/?func=detail&atid=454719&aid=2951003&group_id=48978>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Karl O. Pinc [Thu, 18 Feb 2010 20:30:48 +0000 (21:30 +0100)]
[PATCH] Change verify-cn so cn is no longer hardcoded in openvpn's config file
This patch should be easy to process.
A resubmission of the patch sent to this list on 04/23/2009.
The patch changes the verify-cn script sample
to be used with --tls-verify so that instead of having
to hardcode a cn to verify in the OpenVPN configuration file
the allowed cns may be written into a separate file.
This makes the process of verifying cns a whole
lot more dynamic, to the point where it is useful
in the real world.
One problem with this patch is that it is backwards
incompatible. I did not bother keeping the original
calling interface as A) it's a sample script, and B) the
original's functionality seems useless
and equalivant functionality is easily available
with the new script.
The problem with the original is that there seems
little point in verifying a client's cn when all
the clients share one cn, as would have to be
the case when the cn is hardcoded into the openvpn
config file.
This patch applies against the testing allmiscs branch,
and should apply against any of the other testing
branches as well.
It works for me. I've tested it throughly but not
used it extensively in production.
Regards,
Karl <kop@meme.com>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Eric F Crist <ecrist@secure-computing.net>
David Sommerseth [Thu, 18 Feb 2010 20:20:14 +0000 (21:20 +0100)]
Do not randomize resolving of IP addresses in getaddr()
Based on a discussion on the mailing list and in the IRC meeting Feb 18,
it was decided to remove get_random() from the getaddr() function as that
can conflict with round-robin/randomization done by DNS servers.
This change must be documented in the release notes.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
contrib/OCSP_check/OCSP_check.sh:
New barebone script to demonstrate how to use $tls_serial_{n}
to perform simple OCSP queries using OpenSSL command line
"openssl ocsp". Minimal sanity checks to fail if user tries to
use it without customizing.
openvpn.8:
Added some notes about $tls_serial_{n} format and usage to the
existing description.
ssl.c:
correctly manage and export serial numbers of any size (as
parsed by OpenSSL) into the environment. Set to empty string
in case of errors, as 0 and negative numbers are all possible
(although illegal) certificate serial numbers. Use an OpenSSL
BIO object to do the job. Conforms to coding style guidelines.
In commit a9c9a89e96dc1e4e843e05ecadc4349b81606b06 the
client.{up,down} scripts where overhauled and bashism was removed.
During that process, a #! change was missing.
Signed-off-by: Davide Brini <dave_br@gmx.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
- No more bashisms (AFAICT). Should work with any POSIX-compatible shell
(which means "almost all reasonably recent shells"), though I've only tested
with bash and dash.
- Unnecessary calls to external tools (sed) removed
- Manages multiple DNS and DOMAIN options. Each DNS option becomes a
"nameserver" line in the new resolv.conf (up to a maximum of 3). If there's a
single DOMAIN option, it becomes a "domain" line in resolv.conf; otherwise,
all the domains are listed in a "search" line in resolv.conf (eg "search
foo.com example.net").
- Client.up renames the existing resolv.conf and creates a brand new one;
client.down restores it from the saved copy when the VPN terminates (the usual
rules about running as root apply). This is how Gentoo does that; the old
scripts instead added/removed some lines at the beginning of the file, which
looks a less clean approach to me. The rename approach also dramatically
simplifies and shortens client.down, as you'll see.
- Uses resolvconf if it's available (detected by the presence of
/sbin/resolvconf) rather than writing to resolv.conf directly. Not sure
whether this is a Linux-only thing or other systems use it though.
Script has been smoke tested on Fedora 12 with OpenVPN 2.1.1 without
the resolvconf package , and in addition Debian Lenny with
OpenVPN 2.1_rc11 according to the patch.
Signed-off-by: Davide Brini <dave_br@gmx.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Fri, 16 Apr 2010 20:09:48 +0000 (22:09 +0200)]
Renamed all calls to create_temp_filename()
All places where create_temp_filename() was called are now calling
create_temp_file(). Extra checks on the result of create_temp_file()
is added in addition.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Fri, 16 Apr 2010 20:02:36 +0000 (22:02 +0200)]
Harden create_temp_filename() (version 2)
By hardening the create_temp_filename() function to check if the generated
filename exists and to create the temp file with only S_IRUSR|S_IWUSR bit
files set before calling the script, it should become even more difficult to
exploit such a scenario.
After a discussion on the mailing list, Fabian Knittel provided an enhanced
version of the inital patch which is added to this patch.
This patch also renames create_temp_filename() to create_temp_file(), as this
patch also creates the temporary file. The function returns the filename of the
created file, or NULL on error.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: Fabian Knittel <fabian.knittel@avona.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Daniel Johnson [Tue, 30 Mar 2010 13:54:44 +0000 (15:54 +0200)]
When I began testing OpenVPN v2.1_rc9 I was having trouble authenticating to the MS Active Directory through auth-pam and Samba. I used the following line in my configs (without the linebreak of course):
Finally I turned on more verbose logging and found that the plugin did
not recognize "USERNAME" as something to replace, because it expected
the string to be surrounded by whitespace. I wrote the following patch
to correct this. I hope you find it useful,
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
After having disucssed this patch on IRC (#openvpn-discussions)
March 4, 2010, it was decided to accept this patch when not modifying
TARGET_* defines through out the code. Further, in a mail comment
Alon Bar-Lev had some other comments of what would be needed to be done.
Mail reference:
<http://thread.gmane.org/gmane.network.openvpn.devel/3176>
This patch has been tested by bootstrapping the code on a RHEL4.6 box.
with the following autotools packages installed:
autoconf-2.59-5
automake-1.9.2-3
libtool-1.5.6-4.EL4.2
It builds cleanly and 'make check' passes.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net> Acked-by: Alon Bar-Lev <alon.barlev@gmail.com>
Jan Brinkmann [Sun, 28 Feb 2010 22:29:29 +0000 (23:29 +0100)]
The man page needs dash escaping in UTF-8 environments
There was a debian bugreport which was filed in 2005 . It was patched but
it seems that nobody forwarded the patch to the openvpn project itself.
The problem is quite simple:
The dashes for options (the double dashes) are not escaped. This causes
trouble in relationship with utf-8 .
Since the bugreport was closed it was patched within the debian/ubuntu
packages itself. I've attached the patch to get it atleast reviewed by the
openvpn project itself.
See <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=296133> for details.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Tested-by: Jan Just Keijser <janjust@nikhef.nl> Tested-by: Pavel Shramov <shramov@mexmat.net> Tested-by: Samuli Seppänen <samuli@openvpn.net>
Dan Nelson [Sun, 28 Feb 2010 21:09:18 +0000 (22:09 +0100)]
bash->bourne script cleanup
Many of the scripts in the openvpn source have their shell set to
/bin/bash, but only two use bash features. The attached patch (against
openvpn-2.1_rc9) sets the shell on the rest of the scripts to /bin/sh for
better portability. The only scripts that actually require bash are
contrib/pull-resolv-conf/client.{up,down} ; they use the ${!var} variable
indirection feature.
Enrico Scholz [Sun, 28 Feb 2010 13:40:57 +0000 (14:40 +0100)]
Allow 'lport 0' setup for random port binding
I am running a multihomed host where 'local <extip>' must be specified
for proper operation. Unfortunately, this implies 'lport 1194' or
another static port.
This causes problems with stateful firewalls which register the host/port
pairs in the internal connection tracking table. On ungraceful reconnects,
the new TCP connection will have same the host/port pairs but unexpected
sequence numbers. The new connection will be assumed as invalid hence and
be dropped.
It would be nice when local port can be configured to be bound to a
random port number. After reading code,
| else if (streq (p[0], "lport") && p[1])
| ...
| port = atoi (p[1]);
|- if (!legal_ipv4_port (port))
|+ if (port != 0 && !legal_ipv4_port (port))
| {
in options.c seems to be the only required change.
This has been discussed here:
<http://thread.gmane.org/gmane.network.openvpn.user/28622>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Fri, 19 Feb 2010 16:32:56 +0000 (17:32 +0100)]
verb 5 logging wrongly reports received bytes
With --verb 5, openvpn logs a single letter (rwRW) for each package
received or sent. I recently ran into a problem with the tun device on
Linux where the read from that device returned 0. Unfortunately this was
also logged as "r", which made me assume that openvpn had received
something, while it actually hadn't.
(See https://dev.openwrt.org/ticket/6650 for the bug that made me find out
about this problem with openvpn.)
I'm attaching a patch which prevents openvpn from logging "r" or "R" when
it didn't actually read anything. This is against openvpn 2.1-rc20, but
probably still applies to the most recent version.
This patch was received anonymously via the sf.net bug tracker:
<http://sourceforge.net/tracker/?func=detail&atid=454719&aid=2951003&group_id=48978>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
Karl O. Pinc [Thu, 18 Feb 2010 20:30:48 +0000 (21:30 +0100)]
[PATCH] Change verify-cn so cn is no longer hardcoded in openvpn's config file
This patch should be easy to process.
A resubmission of the patch sent to this list on 04/23/2009.
The patch changes the verify-cn script sample
to be used with --tls-verify so that instead of having
to hardcode a cn to verify in the OpenVPN configuration file
the allowed cns may be written into a separate file.
This makes the process of verifying cns a whole
lot more dynamic, to the point where it is useful
in the real world.
One problem with this patch is that it is backwards
incompatible. I did not bother keeping the original
calling interface as A) it's a sample script, and B) the
original's functionality seems useless
and equalivant functionality is easily available
with the new script.
The problem with the original is that there seems
little point in verifying a client's cn when all
the clients share one cn, as would have to be
the case when the cn is hardcoded into the openvpn
config file.
This patch applies against the testing allmiscs branch,
and should apply against any of the other testing
branches as well.
It works for me. I've tested it throughly but not
used it extensively in production.
Regards,
Karl <kop@meme.com>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: Eric F Crist <ecrist@secure-computing.net>
David Sommerseth [Thu, 18 Feb 2010 20:20:14 +0000 (21:20 +0100)]
Do not randomize resolving of IP addresses in getaddr()
Based on a discussion on the mailing list and in the IRC meeting Feb 18,
it was decided to remove get_random() from the getaddr() function as that
can conflict with round-robin/randomization done by DNS servers.
This change must be documented in the release notes.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
In commit a9c9a89e96dc1e4e843e05ecadc4349b81606b06 the
client.{up,down} scripts where overhauled and bashism was removed.
During that process, a #! change was missing.
Signed-off-by: Davide Brini <dave_br@gmx.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
- No more bashisms (AFAICT). Should work with any POSIX-compatible shell
(which means "almost all reasonably recent shells"), though I've only tested
with bash and dash.
- Unnecessary calls to external tools (sed) removed
- Manages multiple DNS and DOMAIN options. Each DNS option becomes a
"nameserver" line in the new resolv.conf (up to a maximum of 3). If there's a
single DOMAIN option, it becomes a "domain" line in resolv.conf; otherwise,
all the domains are listed in a "search" line in resolv.conf (eg "search
foo.com example.net").
- Client.up renames the existing resolv.conf and creates a brand new one;
client.down restores it from the saved copy when the VPN terminates (the usual
rules about running as root apply). This is how Gentoo does that; the old
scripts instead added/removed some lines at the beginning of the file, which
looks a less clean approach to me. The rename approach also dramatically
simplifies and shortens client.down, as you'll see.
- Uses resolvconf if it's available (detected by the presence of
/sbin/resolvconf) rather than writing to resolv.conf directly. Not sure
whether this is a Linux-only thing or other systems use it though.
Script has been smoke tested on Fedora 12 with OpenVPN 2.1.1 without
the resolvconf package , and in addition Debian Lenny with
OpenVPN 2.1_rc11 according to the patch.
Signed-off-by: Davide Brini <dave_br@gmx.com> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net>
David Sommerseth [Fri, 16 Apr 2010 20:09:48 +0000 (22:09 +0200)]
Renamed all calls to create_temp_filename()
All places where create_temp_filename() was called are now calling
create_temp_file(). Extra checks on the result of create_temp_file()
is added in addition.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Fri, 16 Apr 2010 20:02:36 +0000 (22:02 +0200)]
Harden create_temp_filename() (version 2)
By hardening the create_temp_filename() function to check if the generated
filename exists and to create the temp file with only S_IRUSR|S_IWUSR bit
files set before calling the script, it should become even more difficult to
exploit such a scenario.
After a discussion on the mailing list, Fabian Knittel provided an enhanced
version of the inital patch which is added to this patch.
This patch also renames create_temp_filename() to create_temp_file(), as this
patch also creates the temporary file. The function returns the filename of the
created file, or NULL on error.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: Fabian Knittel <fabian.knittel@avona.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Daniel Johnson [Tue, 30 Mar 2010 13:54:44 +0000 (15:54 +0200)]
When I began testing OpenVPN v2.1_rc9 I was having trouble authenticating to the MS Active Directory through auth-pam and Samba. I used the following line in my configs (without the linebreak of course):
Finally I turned on more verbose logging and found that the plugin did
not recognize "USERNAME" as something to replace, because it expected
the string to be surrounded by whitespace. I wrote the following patch
to correct this. I hope you find it useful,
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
After having disucssed this patch on IRC (#openvpn-discussions)
March 4, 2010, it was decided to accept this patch when not modifying
TARGET_* defines through out the code. Further, in a mail comment
Alon Bar-Lev had some other comments of what would be needed to be done.
Mail reference:
<http://thread.gmane.org/gmane.network.openvpn.devel/3176>
This patch has been tested by bootstrapping the code on a RHEL4.6 box.
with the following autotools packages installed:
autoconf-2.59-5
automake-1.9.2-3
libtool-1.5.6-4.EL4.2
It builds cleanly and 'make check' passes.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net> Acked-by: Alon Bar-Lev <alon.barlev@gmail.com>
projects / thirdparty / openvpn.git / log
