openvpn-devel Mailing List for OpenVPN

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi David, I replied to you directly, maybe it got caught in your spam filter? Anyone else has some thoughts about developing an obfsproxy-style component for OpenVPN? Best, Jun. On 13/02/2012 13:09, David Sommerseth wrote: > On 13/02/12 13:59, Jun Matsushita wrote: >> This is my first post in this list. As probably a lot of you >> heard, Iran has stepped up its filtering by apparently blocking >> SSL/TLS using DPI. This is a good read about what's happening >> http://news.ycombinator.com/item?id=3575029. As these statistics >> from TOR attest >> https://metrics.torproject.org/users.html?graph=direct-users&start=2012-01-12&end=2012-02-12&country=ir&events=on&dpi=72#direct-users > >> > > the impact has been immediate and surely concerns the majority of > tools >> out there. > >> Does OpenVPN allow the use of some form of Obfuscation (such as >> the one TOR is testing now and seem to work from within Iran >> https://www.torproject.org/projects/obfsproxy-instructions.html.en)? > >> Anyone has thoughts about this or would be interested in >> discussing the matter? > > > Hi Jun, > > OpenVPN uses SSL under the hood. But it does some tricks to allow > SSL over UDP (SSL is strictly designed for TCP). This however > makes some changes that many DPI firewalls *might* not identify > OpenVPN traffic as SSL traffic. But as it's not really an > obfuscation which changes over time, it might still be possible to > block it if this kind of traffic is detected. > > However, the obfsproxy project sounds very interesting. And it > should be possible to use obfsproxy (as it can talk like a SOCKS > proxy) with OpenVPN, by using the --socks-proxy argument. But I'm > not aware of any openvpn services providing obfsproxy services in > conjunction with OpenVPN. > > > kind regards, > > David Sommerseth -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJPOXDCAAoJECoH9wygNueS5mMH/Rx1IKVJ57Zc5n0l+GVxzdgm KvS0yt2Su2jD8pyzTujH3CSlCj4n8k7P+NMIN3vTtOfeBWfGhedgi8bQRgEkUB05 oPW/nCK18eRM1uIdBXw/EEudqoHVkBUXzISl04LFLmux7mh7ifGj9sFw/0S2q7mn Md+qywN0m8+Af5jbQkVkak61lv5H7QK7JNYrFe20+PsV5JhrlZ4xCpJDef3hhGXH Xl+OGzjv5fqgILOZYbcIWl+tlgNXQP/p/PFi8cmZUvyNV+hq+ACjySn2bDrPzD47 xNF6vXg8wKjYumCZTO2QxVbFPq6oM+3GVxyu6YQCpocPOYACn3ijIrzXUWxzMaM= =w9je -----END PGP SIGNATURE----- 

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/02/12 19:40, ig...@no... wrote: > When building a very minimal OpenVPN for OpenWRT with > --disable-management among others, the compilaton fails due to > ENABLE_CLIENT_CR being defined, although the management interface, > which makes use of it, has been disabled. > > The attached simple patch checks for ENABLE_MANAGEMENT before defining > ENABLE_CLIENT_CR. > I've already ACKed this patch in another response in this mail thread. But here is the complete overview of all patches pushed out on the master branch for the -testing and -stable source trees. commit 2ee0dc2bd72ec318fcc227af54e5ca7e1384a6cc Author: Igor Novgorodov <ig...@no...> Date: Sun Feb 12 22:40:02 2012 +0400 The code blocks enabled by ENABLE_CLIENT_CR depends on management If the management interface is not enabled, it makes no sense in including the ENABLE_CLIENT_CR #ifdef blocks. This will also in some configurations cause build issues if these blocks are enabled. Signed-off-by: Igor Novgorodov <ig...@no...> Acked-by: David Sommerseth <da...@re...> Signed-off-by: David Sommerseth <da...@re...> commit ecede953d6366e9fbfecea62cc1f61fd2347dab7 Author: David Sommerseth <da...@re...> Date: Mon Feb 13 16:03:46 2012 +0100 Remove --show-gateway if debug info is not enabled (--disable-debug) The --show-gateway feature depends on functions only being enabled when --disable-debug is _not_ used. As this I consider --show-gateway more a handy function for debugging, removing this feature when - --disable-debug is used seems like the proper approach. Signed-off-by: David Sommerseth <da...@re...> Acked-by: Gert Doering <ge...@gr...> commit 22277ec675847f73203bf908144f9903d13e2869 Author: David Sommerseth <da...@re...> Date: Mon Feb 13 15:52:00 2012 +0100 Fix compile issues when plug-ins are disabled. Commit 1876ccd012e9e2ca6f8e1cd9e7e9bb4bf24ccecb modified plugin_call() and introduced plugin_call_ssl(). But the similar approach was missing for situations without plug-ins. Solution: Rename plugin_call() in the #else !ENABLE_PLUGIN section to plugin_call_ssl(). Then move the plugin_ssl() function inside the #ifdef ENABLE_PLUGIN section outside the #ifdef, making it available for builds with and without plug-ins enabled. Signed-off-by: David Sommerseth <da...@re...> Acked-by: Gert Doering <ge...@gr...> kind regards, David Sommerseth -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk85aukACgkQDC186MBRfrq0tACgojflVPWaBkrac+epuuk5Je2n 5NwAn3wyj5omLMZ1CtsGM3XpJBIyV/MU =oXDO -----END PGP SIGNATURE----- 

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/02/12 16:29, Jan Just Keijser wrote: > Made some options connection-entry specific: fragment mssfix tun-mtu > tun-mtu-extra link-mtu mtu_discover_type explicit-exit-notification > in order to support stuff like <connection> remote host proto udp > fragment explicit-exit-notification 3 </connection> <connection> > remote host proto tcp </connection> > > Signed-off-by: Jan Just Keijser <ja...@ni...> --- forward.c | 2 > +- init.c | 38 ++++++++++--------- occ.c | 2 +- options.c > | 125 +++++++++++++++++++++++++++++++------------------------------ > options.h | 36 +++++++++--------- sig.c | 6 +- 6 files > changed, 107 insertions(+), 102 deletions(-) ACK. Applied to the master branch for -stable and -testing trees. commit 76809cae0eae07817160b423d3f9551df1a1d68e Author: Jan Just Keijser <ja...@ni...> Date: Tue Feb 7 16:29:47 2012 +0100 Made some options connection-entry specific Signed-off-by: Jan Just Keijser <ja...@ni...> Acked-by: David Sommerseth <da...@re...> Signed-off-by: David Sommerseth <da...@re...> kind regards, David Sommerseth -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk85atQACgkQDC186MBRfrpRcACeOAUc3CWM1ORg2hWBDSwwS4hQ 4B8AoK8lWaZQKO5m589P3TgjUB2IE9/v =meS6 -----END PGP SIGNATURE----- 

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 23/11/11 19:08, Heiko Hund wrote: > This patch makes openvpn read unicode from the console and convert > the input to UTF-8. And then display UTF-8 output to the console > correctly. > > Signed-off-by: Heiko Hund <hei...@so...> --- configure.ac | 1 > + openvpn.c | 4 ++++ win32.c | 14 +++++++++++++- 3 files > changed, 18 insertions(+), 1 deletions(-) > ACKed and applied to master branch on -testing and -stable. commit 6ba68180b89e0290855f70832243fc9b4370e4d2 Author: Heiko Hund <hei...@so...> Date: Wed Nov 23 19:08:34 2011 +0100 Windows UTF-8 input/output Signed-off-by: Heiko Hund <hei...@so...> Acked-by: David Sommerseth <da...@re...> Signed-off-by: David Sommerseth <da...@re...> kind regards, David Sommerseth -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk85asMACgkQDC186MBRfroynACfQNt0I34bvNV6r5VBmqkmFF/k /LYAniC/Ch7k86CBGPRCRm284oaxuoaA =qiCa -----END PGP SIGNATURE----- 

-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (FreeBSD) iQEcBAABAgAGBQJPOWk/AAoJEHKWQhk5DQ0OU5gH/iNsoquLkbD+2fE37heOeV3c oGQ8O+CMLydUBxUGHTnGKTaxnSOEfP1gU7Bdmueoxyeozt/2ETMBXOTLzXNiO2TW BjLZx4k1xHPuzR9k+ug3mMui/YwxDy+KL+tZPxIJZpHMHwvMO59YBTBTl/jylVqZ W6Vhaz6k2plzsWvwpJO1GSttGLkCHBPO/34qvgsl0bUNITW19ek+LjeH1gM7EMrf G1wxI+dqfTvEp4JLVcY4Fcnm3mREc8UbP1ZuY5gsR07TIfQXQ0/SgI2Qdhl5VjYM cWuDMEhmnBdOCEnDptgzm1knjA3RVQVp74KPpzHUGPexidgcan5p2LL/rQAmLlw= =1n8J -----END PGP SIGNATURE----- ----- Eric F Crist Secure Computing Networks Certified in ABC by Sesame Street Brought to you by the number 4 Certified Winner by Charlie Sheen I can do it better than you, nanna nanna boo boo (School of Tosh.0) 

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/02/12 15:13, Heiko Hund wrote: > Openvpn for Windows is not compiled as a Unicode binary and thus > cannot handle paths which contain non-ASCII characters using the argv > vector. Characters that are not present in the system codepage are > simply replaced with a question mark, e.g. if started as 'openvpn > --config домой.ovpn' the file '?????.ovpn' is tried to be opened as > configuration. > > The same applies to paths in config files which need to be UTF-8 > encoded if they contain non ASCII characters. The option line 'key > лев.pem' will lead to openvpn trying to open 'лев.pem' on a system > with codepage 1252. > > This patch makes openvpn read the command line in UCS-2 and convert it > to UTF-8 internally. Windows stores names in the filesystem in UCS-2. > When using a paths openvpn converts it from UTF-8 to UCS-2 and uses > the wide character Windows API function. > > Signed-off-by: Heiko Hund <hei...@so...> --- > > This version of the patch was rebased to current master. It also > handles the access(2) calls introduced in commit 0f2bc0dd by David > correctly. > > buffer.c | 3 +- crypto.c | 6 +- error.c > | 17 +- manage.c | 2 +- misc.c | 41 > ++++- misc.h | 31 ++++ options.c | 37 > ++++- packet_id.c | 6 +- pf.c | 2 +- > plugin.c | 3 +- ps.c | 2 +- > ssl_openssl.c | 459 > +++++++++++++++++++------------------------------- ssl_verify.c > | 2 +- ssl_verify_openssl.c | 6 +- status.c | 48 > ++---- syshead.h | 1 + win32.c | 60 > ++++++-- win32.h | 3 + 18 files changed, 367 > insertions(+), 362 deletions(-) > ACK and applied to master for -stable and -testing trees. commit 71bbbd76c62630c88441237d72fe5b61f0b45b2a Author: Heiko Hund <hei...@so...> Date: Fri Feb 10 15:13:42 2012 +0100 handle Windows unicode paths Signed-off-by: Heiko Hund <hei...@so...> Acked-by: David Sommerseth <da...@re...> Signed-off-by: David Sommerseth <da...@re...> kind regards, David Sommerseth -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk85ZCwACgkQDC186MBRfrqGJQCdHMudYYgOM/ZT9trN4eNimO6i yeMAoIijsO70hmkaq+OeAWXV7Xn7cv2o =68zX -----END PGP SIGNATURE----- 

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/02/12 19:40, ig...@no... wrote: > When building a very minimal OpenVPN for OpenWRT with > --disable-management among others, the compilaton fails due to > ENABLE_CLIENT_CR being defined, although the management interface, > which makes use of it, has been disabled. > > The attached simple patch checks for ENABLE_MANAGEMENT before defining > ENABLE_CLIENT_CR. > I've already ACKed this patch in another response in this mail thread. But here is the complete overview of all patches pushed out on the master branch for the -testing and -stable source trees. commit 2ee0dc2bd72ec318fcc227af54e5ca7e1384a6cc Author: Igor Novgorodov <ig...@no...> Date: Sun Feb 12 22:40:02 2012 +0400 The code blocks enabled by ENABLE_CLIENT_CR depends on management If the management interface is not enabled, it makes no sense in including the ENABLE_CLIENT_CR #ifdef blocks. This will also in some configurations cause build issues if these blocks are enabled. Signed-off-by: Igor Novgorodov <ig...@no...> Acked-by: David Sommerseth <da...@re...> Signed-off-by: David Sommerseth <da...@re...> commit ecede953d6366e9fbfecea62cc1f61fd2347dab7 Author: David Sommerseth <da...@re...> Date: Mon Feb 13 16:03:46 2012 +0100 Remove --show-gateway if debug info is not enabled (--disable-debug) The --show-gateway feature depends on functions only being enabled when --disable-debug is _not_ used. As this I consider --show-gateway more a handy function for debugging, removing this feature when - --disable-debug is used seems like the proper approach. Signed-off-by: David Sommerseth <da...@re...> Acked-by: Gert Doering <ge...@gr...> commit 22277ec675847f73203bf908144f9903d13e2869 Author: David Sommerseth <da...@re...> Date: Mon Feb 13 15:52:00 2012 +0100 Fix compile issues when plug-ins are disabled. Commit 1876ccd012e9e2ca6f8e1cd9e7e9bb4bf24ccecb modified plugin_call() and introduced plugin_call_ssl(). But the similar approach was missing for situations without plug-ins. Solution: Rename plugin_call() in the #else !ENABLE_PLUGIN section to plugin_call_ssl(). Then move the plugin_ssl() function inside the #ifdef ENABLE_PLUGIN section outside the #ifdef, making it available for builds with and without plug-ins enabled. Signed-off-by: David Sommerseth <da...@re...> Acked-by: Gert Doering <ge...@gr...> kind regards, David Sommerseth -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk85Y4EACgkQDC186MBRfrpXCQCfbm+HLw3OwXQb3lcXXs1QWE3q g5AAn0NvBrUZbEMryUQgVQaX+yNrUuk3 =TeUL -----END PGP SIGNATURE----- 

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 13/02/12 18:36, ig...@no... wrote: > Thanks! > > Well, i'm no OpenWRT developer, just customizing some packages for my > needs, but i thought that they are sending patches upstream :) > > Anyway, if i happen to find anything, i'll post here. Thanks a lot!!! That's wonderful! We'll do our best to get these things into the source tree as soon as possible too :) > What's for the second patch (gateway/debug stuff), it has been patched > in OpenWRT too, i just forgot to mention it: > https://dev.openwrt.org/browser/packages/net/openvpn-polarssl/patches/400-fix-undefined-print_default.gateway.patch Ahh, > yeah, I didn't think about checking the other patches. Even though, the change in init.c gave me a wtf!? moment ... but it turns out wrapping that one isn't needed either. As TEST_GET_DEFAULT_GATEWAY isn't defined anywhere. I'm guessing it's James Yonan testing out some code paths here. And it's been latent in the code tree for so long I'm wondering if we need it at all. And it seems like that there were no more patches in the openwrt tree even. :) kind regards, David Sommerseth -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk85YmsACgkQDC186MBRfrrVRACfWwJ5OTa9GZ2GP3We0lKYyTNx MHsAnRVgLjLuenIfDW7whLjWChdMddw/ =QkuB -----END PGP SIGNATURE----- 

 Thanks! Well, i'm no OpenWRT developer, just customizing some packages for my needs, but i thought that they are sending patches upstream :) Anyway, if i happen to find anything, i'll post here. What's for the second patch (gateway/debug stuff), it has been patched in OpenWRT too, i just forgot to mention it: https://dev.openwrt.org/browser/packages/net/openvpn-polarssl/patches/400-fix-undefined-print_default.gateway.patch On Mon, 13 Feb 2012 16:07:04 +0100, David Sommerseth wrote: > On 13/02/12 14:00, Igor Novgorodov wrote: >> I'm building latest GIT with: >> >> ./configure \ >> --disable-debug \ >> --disable-plugins \ >> --disable-management \ >> --disable-socks \ >> --disable-password-save \ >> --disable-multi \ >> --disable-server \ >> --disable-pkcs11 \ >> --disable-http \ >> --disable-port-share \ >> --disable-def-auth \ >> --disable-pf \ >> --disable-lzo \ >> --disable-selinux \ >> --disable-iproute2 \ >> --enable-small >> >> (effectively, the version that supports only static keys and no >> fancy stuff) >> >> Build fails with: >> ... >> gcc -DHAVE_CONFIG_H -I. -I. -g -O2 -MT init.o -MD -MP -MF >> .deps/init.Tpo >> -c -o init.o init.c >> init.c: In function ‘do_route’: >> init.c:1364:7: error: too few arguments to function ‘plugin_call’ >> plugin.h:196:1: note: declared here >> init.c: In function ‘do_init_crypto_tls’: >> init.c:2286:20: error: ‘const struct options’ has no member named >> ‘sc_info’ >> make[2]: *** [init.o] Error 1 >> ... >> >> Here are even two errors, one of which (plugin_call) function is >> addressed in OpenWRT patchset: >> >> https://dev.openwrt.org/browser/packages/net/openvpn-polarssl/patches/300-fix-plugin_call-with-ssl.patch > > I would love the OpenWRT guys o give us a heads up directly when > something > like this is noticed. Such things we really want to fix ASAP. > > However, I didn't particular like the approach in that patch, so I've > attached another patch for review. If this is acked, please consider > using > this one instead (patch 0001). > >> And another is that i'm talking about. > > I'm giving your patch an ACK, so that will go into the tree. But > even one > more fix is needed, which is in the second patch I attached. > > > kind regards, > > David Sommerseth > > >> On 13.02.2012 16:32, David Sommerseth wrote: >> On 12/02/12 19:40, ig...@no... wrote: >>>>> When building a very minimal OpenVPN for OpenWRT with >>>>> --disable-management among others, the compilaton fails due to >>>>> ENABLE_CLIENT_CR being defined, although the management >>>>> interface, >>>>> which makes use of it, has been disabled. >>>>> >>>>> The attached simple patch checks for ENABLE_MANAGEMENT before >>>>> defining >>>>> ENABLE_CLIENT_CR. >> Which version are you compiling? I tried a couple of compile with >> the >> latest version in git (master branch) in combination with >> --disable-management and --enable-small ... And I could not manage >> to >> trigger this one. Our buildbot (even though, not testing all >> combinations) have also not triggered this one. >> >> Could you provide more version information and the configure >> arguments >> you use? >> >> >> kind regards, >> >> David Sommerseth >> >> >> >> >> ------------------------------------------------------------------------------ >> Try before you buy = See our experts in action! >> The most comprehensive online learning library for Microsoft >> developers >> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, >> MVC3, >> Metro Style Apps, more. Free future releases when you subscribe now! >> http://p.sf.net/sfu/learndevnow-dev2 >> _______________________________________________ >> Openvpn-devel mailing list >> Ope...@li... >> https://lists.sourceforge.net/lists/listinfo/openvpn-devel >> 

Hi, On Mon, Feb 13, 2012 at 04:07:04PM +0100, David Sommerseth wrote: > I would love the OpenWRT guys o give us a heads up directly when something > like this is noticed. Such things we really want to fix ASAP. Seconded :-) > However, I didn't particular like the approach in that patch, so I've > attached another patch for review. If this is acked, please consider using > this one instead (patch 0001). > > > And another is that i'm talking about. > > I'm giving your patch an ACK, so that will go into the tree. But even one > more fix is needed, which is in the second patch I attached. ACK. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany ge...@gr... fax: +49-89-35655025 ge...@ne... 

On 13/02/12 14:00, Igor Novgorodov wrote: > I'm building latest GIT with: > > ./configure \ > --disable-debug \ > --disable-plugins \ > --disable-management \ > --disable-socks \ > --disable-password-save \ > --disable-multi \ > --disable-server \ > --disable-pkcs11 \ > --disable-http \ > --disable-port-share \ > --disable-def-auth \ > --disable-pf \ > --disable-lzo \ > --disable-selinux \ > --disable-iproute2 \ > --enable-small > > (effectively, the version that supports only static keys and no fancy stuff) > > Build fails with: > ... > gcc -DHAVE_CONFIG_H -I. -I. -g -O2 -MT init.o -MD -MP -MF .deps/init.Tpo > -c -o init.o init.c > init.c: In function ‘do_route’: > init.c:1364:7: error: too few arguments to function ‘plugin_call’ > plugin.h:196:1: note: declared here > init.c: In function ‘do_init_crypto_tls’: > init.c:2286:20: error: ‘const struct options’ has no member named ‘sc_info’ > make[2]: *** [init.o] Error 1 > ... > > Here are even two errors, one of which (plugin_call) function is > addressed in OpenWRT patchset: > https://dev.openwrt.org/browser/packages/net/openvpn-polarssl/patches/300-fix-plugin_call-with-ssl.patch I would love the OpenWRT guys o give us a heads up directly when something like this is noticed. Such things we really want to fix ASAP. However, I didn't particular like the approach in that patch, so I've attached another patch for review. If this is acked, please consider using this one instead (patch 0001). > And another is that i'm talking about. I'm giving your patch an ACK, so that will go into the tree. But even one more fix is needed, which is in the second patch I attached. kind regards, David Sommerseth > On 13.02.2012 16:32, David Sommerseth wrote: > On 12/02/12 19:40, ig...@no... wrote: >>>> When building a very minimal OpenVPN for OpenWRT with >>>> --disable-management among others, the compilaton fails due to >>>> ENABLE_CLIENT_CR being defined, although the management interface, >>>> which makes use of it, has been disabled. >>>> >>>> The attached simple patch checks for ENABLE_MANAGEMENT before defining >>>> ENABLE_CLIENT_CR. > Which version are you compiling? I tried a couple of compile with the > latest version in git (master branch) in combination with > --disable-management and --enable-small ... And I could not manage to > trigger this one. Our buildbot (even though, not testing all > combinations) have also not triggered this one. > > Could you provide more version information and the configure arguments > you use? > > > kind regards, > > David Sommerseth > > > > ------------------------------------------------------------------------------ > Try before you buy = See our experts in action! > The most comprehensive online learning library for Microsoft developers > is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, > Metro Style Apps, more. Free future releases when you subscribe now! > http://p.sf.net/sfu/learndevnow-dev2 > _______________________________________________ > Openvpn-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/openvpn-devel > 

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 13/02/12 13:59, Jun Matsushita wrote: > This is my first post in this list. As probably a lot of you heard, > Iran has stepped up its filtering by apparently blocking SSL/TLS using > DPI. This is a good read about what's happening > http://news.ycombinator.com/item?id=3575029. As these statistics from > TOR attest > https://metrics.torproject.org/users.html?graph=direct-users&start=2012-01-12&end=2012-02-12&country=ir&events=on&dpi=72#direct-users > > the impact has been immediate and surely concerns the majority of tools > out there. > > Does OpenVPN allow the use of some form of Obfuscation (such as the > one TOR is testing now and seem to work from within Iran > https://www.torproject.org/projects/obfsproxy-instructions.html.en)? > > Anyone has thoughts about this or would be interested in discussing > the matter? > Hi Jun, OpenVPN uses SSL under the hood. But it does some tricks to allow SSL over UDP (SSL is strictly designed for TCP). This however makes some changes that many DPI firewalls *might* not identify OpenVPN traffic as SSL traffic. But as it's not really an obfuscation which changes over time, it might still be possible to block it if this kind of traffic is detected. However, the obfsproxy project sounds very interesting. And it should be possible to use obfsproxy (as it can talk like a SOCKS proxy) with OpenVPN, by using the --socks-proxy argument. But I'm not aware of any openvpn services providing obfsproxy services in conjunction with OpenVPN. kind regards, David Sommerseth -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk85C5gACgkQDC186MBRfro25ACfVYHhArEonjCmWalM9aUx4/av Xc4AniLaPP0au8uXWCav9r0+2g/bB1F8 =WeLG -----END PGP SIGNATURE----- 

I'm building latest GIT with: ./configure \ --disable-debug \ --disable-plugins \ --disable-management \ --disable-socks \ --disable-password-save \ --disable-multi \ --disable-server \ --disable-pkcs11 \ --disable-http \ --disable-port-share \ --disable-def-auth \ --disable-pf \ --disable-lzo \ --disable-selinux \ --disable-iproute2 \ --enable-small (effectively, the version that supports only static keys and no fancy stuff) Build fails with: ... gcc -DHAVE_CONFIG_H -I. -I. -g -O2 -MT init.o -MD -MP -MF .deps/init.Tpo -c -o init.o init.c init.c: In function ‘do_route’: init.c:1364:7: error: too few arguments to function ‘plugin_call’ plugin.h:196:1: note: declared here init.c: In function ‘do_init_crypto_tls’: init.c:2286:20: error: ‘const struct options’ has no member named ‘sc_info’ make[2]: *** [init.o] Error 1 ... Here are even two errors, one of which (plugin_call) function is addressed in OpenWRT patchset: https://dev.openwrt.org/browser/packages/net/openvpn-polarssl/patches/300-fix-plugin_call-with-ssl.patch And another is that i'm talking about. On 13.02.2012 16:32, David Sommerseth wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/02/12 19:40, ig...@no... wrote: >> When building a very minimal OpenVPN for OpenWRT with >> --disable-management among others, the compilaton fails due to >> ENABLE_CLIENT_CR being defined, although the management interface, >> which makes use of it, has been disabled. >> >> The attached simple patch checks for ENABLE_MANAGEMENT before defining >> ENABLE_CLIENT_CR. > Which version are you compiling? I tried a couple of compile with the > latest version in git (master branch) in combination with > - --disable-management and --enable-small ... And I could not manage to > trigger this one. Our buildbot (even though, not testing all > combinations) have also not triggered this one. > > Could you provide more version information and the configure arguments > you use? > > > kind regards, > > David Sommerseth > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.11 (GNU/Linux) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iEYEARECAAYFAk85AuIACgkQDC186MBRfroHEACfbJfdxCqMM0rp+wqlWx6yxc6F > T+UAnAkQ1T7n0vb4F1cOqxaLTmQyQ4Zh > =Gwvf > -----END PGP SIGNATURE----- 

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This is my first post in this list. As probably a lot of you heard, Iran has stepped up its filtering by apparently blocking SSL/TLS using DPI. This is a good read about what's happening http://news.ycombinator.com/item?id=3575029. As these statistics from TOR attest https://metrics.torproject.org/users.html?graph=direct-users&start=2012-01-12&end=2012-02-12&country=ir&events=on&dpi=72#direct-users the impact has been immediate and surely concerns the majority of tools out there. Does OpenVPN allow the use of some form of Obfuscation (such as the one TOR is testing now and seem to work from within Iran https://www.torproject.org/projects/obfsproxy-instructions.html.en)? Anyone has thoughts about this or would be interested in discussing the matter? Best, Jun. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJPOQlLAAoJECoH9wygNueS81AH/0a56HP4YQb8ZSGFuU/isLz1 0ujlkOHYxssHxVYZ6UV0O0p9C7lHIxlEj/ymPlb3FbB2rE1qzrCjwCGj2idYAnCb r+m/8QMI6Tei1U8+iVEsZn8wP5ZmoG8QsacwE8gat5rc0o7HuNCK7GKoXX6H2nvz pKdakP3gR8J4dRP/uOFWU/jxIhGZagIf5kSKSFFH7J+CuI5a1rese0TOQKg2lz95 NoT1loaMdh7LOMnPLyM0aiR1h4kKn1pJ68PSj23ggrWcZB4o/uDMzrBpIsX1q/D0 +hdxlKki44CjwaHbFTeKIK0tyC/aiSEN1bOvdidURcHEVObSgPYt+Xhi9wHflqE= =ryUY -----END PGP SIGNATURE----- 

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/02/12 19:40, ig...@no... wrote: > When building a very minimal OpenVPN for OpenWRT with > --disable-management among others, the compilaton fails due to > ENABLE_CLIENT_CR being defined, although the management interface, > which makes use of it, has been disabled. > > The attached simple patch checks for ENABLE_MANAGEMENT before defining > ENABLE_CLIENT_CR. Which version are you compiling? I tried a couple of compile with the latest version in git (master branch) in combination with - --disable-management and --enable-small ... And I could not manage to trigger this one. Our buildbot (even though, not testing all combinations) have also not triggered this one. Could you provide more version information and the configure arguments you use? kind regards, David Sommerseth -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk85AuIACgkQDC186MBRfroHEACfbJfdxCqMM0rp+wqlWx6yxc6F T+UAnAkQ1T7n0vb4F1cOqxaLTmQyQ4Zh =Gwvf -----END PGP SIGNATURE-----