Menu ▾ ▴
openvpn-devel — OpenVPN developers list
You can subscribe to this list here.
| 2002 | Jan | Feb | Mar | Apr (24) | May (14) | Jun (29) | Jul (33) | Aug (3) | Sep (8) | Oct (18) | Nov (1) | Dec (10) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2003 | Jan (3) | Feb (33) | Mar (7) | Apr (28) | May (30) | Jun (5) | Jul (10) | Aug (7) | Sep (32) | Oct (41) | Nov (20) | Dec (10) |
| 2004 | Jan (24) | Feb (18) | Mar (57) | Apr (40) | May (55) | Jun (48) | Jul (77) | Aug (15) | Sep (56) | Oct (80) | Nov (74) | Dec (52) |
| 2005 | Jan (38) | Feb (42) | Mar (39) | Apr (56) | May (79) | Jun (73) | Jul (16) | Aug (23) | Sep (68) | Oct (77) | Nov (52) | Dec (27) |
| 2006 | Jan (27) | Feb (18) | Mar (51) | Apr (62) | May (28) | Jun (50) | Jul (36) | Aug (33) | Sep (47) | Oct (50) | Nov (77) | Dec (13) |
| 2007 | Jan (15) | Feb (8) | Mar (14) | Apr (18) | May (25) | Jun (16) | Jul (16) | Aug (19) | Sep (32) | Oct (17) | Nov (5) | Dec (5) |
| 2008 | Jan (64) | Feb (25) | Mar (25) | Apr (6) | May (28) | Jun (20) | Jul (10) | Aug (27) | Sep (28) | Oct (59) | Nov (37) | Dec (43) |
| 2009 | Jan (40) | Feb (25) | Mar (12) | Apr (57) | May (46) | Jun (29) | Jul (39) | Aug (10) | Sep (20) | Oct (42) | Nov (50) | Dec (57) |
| 2010 | Jan (82) | Feb (165) | Mar (256) | Apr (260) | May (36) | Jun (87) | Jul (53) | Aug (89) | Sep (107) | Oct (51) | Nov (88) | Dec (117) |
| 2011 | Jan (69) | Feb (60) | Mar (113) | Apr (71) | May (67) | Jun (90) | Jul (88) | Aug (90) | Sep (48) | Oct (64) | Nov (69) | Dec (118) |
| 2012 | Jan (49) | Feb (528) | Mar (351) | Apr (190) | May (238) | Jun (193) | Jul (104) | Aug (100) | Sep (57) | Oct (41) | Nov (47) | Dec (51) |
| 2013 | Jan (94) | Feb (57) | Mar (96) | Apr (105) | May (77) | Jun (102) | Jul (27) | Aug (81) | Sep (32) | Oct (53) | Nov (127) | Dec (65) |
| 2014 | Jan (113) | Feb (59) | Mar (104) | Apr (259) | May (70) | Jun (70) | Jul (146) | Aug (45) | Sep (58) | Oct (149) | Nov (77) | Dec (83) |
| 2015 | Jan (53) | Feb (66) | Mar (86) | Apr (50) | May (135) | Jun (76) | Jul (151) | Aug (83) | Sep (97) | Oct (262) | Nov (245) | Dec (231) |
| 2016 | Jan (131) | Feb (233) | Mar (97) | Apr (138) | May (221) | Jun (254) | Jul (92) | Aug (248) | Sep (168) | Oct (275) | Nov (477) | Dec (445) |
| 2017 | Jan (218) | Feb (217) | Mar (146) | Apr (172) | May (216) | Jun (252) | Jul (164) | Aug (192) | Sep (190) | Oct (143) | Nov (255) | Dec (182) |
| 2018 | Jan (295) | Feb (164) | Mar (113) | Apr (147) | May (64) | Jun (262) | Jul (184) | Aug (90) | Sep (69) | Oct (364) | Nov (102) | Dec (101) |
| 2019 | Jan (119) | Feb (64) | Mar (64) | Apr (102) | May (57) | Jun (154) | Jul (84) | Aug (81) | Sep (76) | Oct (102) | Nov (233) | Dec (89) |
| 2020 | Jan (38) | Feb (170) | Mar (155) | Apr (172) | May (120) | Jun (223) | Jul (461) | Aug (227) | Sep (268) | Oct (113) | Nov (56) | Dec (124) |
| 2021 | Jan (121) | Feb (48) | Mar (334) | Apr (345) | May (207) | Jun (136) | Jul (71) | Aug (112) | Sep (122) | Oct (173) | Nov (184) | Dec (223) |
| 2022 | Jan (197) | Feb (206) | Mar (156) | Apr (212) | May (192) | Jun (170) | Jul (143) | Aug (380) | Sep (182) | Oct (148) | Nov (128) | Dec (269) |
| 2023 | Jan (248) | Feb (196) | Mar (264) | Apr (36) | May (123) | Jun (66) | Jul (120) | Aug (48) | Sep (157) | Oct (198) | Nov (300) | Dec (273) |
| 2024 | Jan (271) | Feb (147) | Mar (207) | Apr (78) | May (107) | Jun (168) | Jul (151) | Aug (51) | Sep (438) | Oct (221) | Nov (302) | Dec (357) |
| 2025 | Jan (451) | Feb (219) | Mar (326) | Apr (232) | May (306) | Jun (181) | Jul (452) | Aug (282) | Sep (620) | Oct (793) | Nov (682) | Dec |
| S | M | T | W | T | F | S |
|---|---|---|---|---|---|---|
| | | | | 1 | 2 (3) | 3 (6) |
| 4 (2) | 5 | 6 (5) | 7 (4) | 8 (10) | 9 (2) | 10 (1) |
| 11 | 12 (4) | 13 (2) | 14 | 15 | 16 (1) | 17 (1) |
| 18 (2) | 19 (3) | 20 (2) | 21 | 22 | 23 | 24 (3) |
| 25 | 26 (3) | 27 (6) | 28 (5) | 29 | 30 (3) | |
| From: James Y. <ji...@yo...> - 2005-09-24 19:34:31 |
On Sat, 24 Sep 2005, Mathias Sundman wrote: > On Sat, 24 Sep 2005, James Yonan wrote: > > > One of the interesting ramifications of this feature, is that it sets the > > stage for non-admin accounts to be able to run OpenVPN directly, without > > using the service wrapper. > > > > With OpenVPN 2.0, this couldn't happen for two reasons: (a) opening the > > TAP-Win32 device object required administrative privileges, and (b) if the > > server pushed routes, the client couldn't add them because adding routes > > on Windows requires privilege. > > > > This new release addresses (a). (b) is still an issue if the server is > > pushing routes. However (b) is less of an issue now since the "topology > > subnet" feature was added, because it allows a tun-based tunnel to operate > > without requiring any mandatory route pushes in order to function. Of > > course, if you are pushing custom routes, or are pushing > > "redirect-gateway" to clients, then those routes cannot be added if the > > user lacks administrative privileges (is there a finer-grained > > privilege that allows route modification without full admin privileges?). > > You're awesome! How did you solve it? Last time it was discussed on the > list I remember there was another way to open the TAP driver but it was a > non supported way and would probably not pass WHQL Driver tests so you > didn't want to use that method. Did you come up with an other solution, or > did you chose this way after all? Well as it goes, trying to solve intractable windows driver problems usually starts with the requisite tearing out of hair, followed by the transmission of a distress signal to microsoft.public.development.device.drivers: http://groups.google.com/group/microsoft.public.development.device.drivers/browse_thread/thread/f5baddd33208d68e/ff903d776234414c That gave me some ideas, such as using the ZwSetSecurityObject call on the device object after it has already been created with admin-only permissions. While the code for this seems reasonable, the ZwSetSecurityObject kernel call is not officially documented in the DDK, though I believe it's documented in another MS toolkit. I think the bottom line is that MS didn't really think this through, and we're going to have to wait until NDIS 6.0 (vista) to get an elegant solution. So while I'm not sure that using ZwSetSecurityObject would pass muster with the WHQL fashion police, my current sense is that it's a stable workaround. > Could we perhaps solve (b) in the TAP driver as well. I mean implement an > interface between userspace and the TAP driver that allows us to tell the > TAP driver to add/delete routes? That's tricky -- I'm sure that kernel space has some kind of API for route manipulation, I'm just not sure that it's documented. > Or do you still think the final solution is to run the whole openvpn > process via a service wrapper? > > The good thing with using the TAP driver also for adding routes is that > openvpn could continue running as a non-admin userspace application and > give us all the benefits of a potential security voulnerability found in > the openvpn code only beeing executed as non-admin. > > Of cource the same thing could be implemented in a seperate service module > only used for route additions and perhaps script execution. Right -- one could have a sort of "route" service. But when you start talking about script execution, then there's going to be a lot of security concerns, and I think you would end up with something that looks more like sudo. > The tricky part of cource would be how to control that only the openvpn > process is able to control the TAP driver or service module so we don't > allow normal users to execute arbitrary code as admin. I think making the TAP device object accessible from non-admin is reasonable from a security perspective. In fact, would argue that it actually improves security, in the same way that user/group nobody on *nix does. James |
| From: Mathias S. <ma...@op...> - 2005-09-24 12:04:37 |
On Sat, 24 Sep 2005, James Yonan wrote: > One of the interesting ramifications of this feature, is that it sets the > stage for non-admin accounts to be able to run OpenVPN directly, without > using the service wrapper. > > With OpenVPN 2.0, this couldn't happen for two reasons: (a) opening the > TAP-Win32 device object required administrative privileges, and (b) if the > server pushed routes, the client couldn't add them because adding routes > on Windows requires privilege. > > This new release addresses (a). (b) is still an issue if the server is > pushing routes. However (b) is less of an issue now since the "topology > subnet" feature was added, because it allows a tun-based tunnel to operate > without requiring any mandatory route pushes in order to function. Of > course, if you are pushing custom routes, or are pushing > "redirect-gateway" to clients, then those routes cannot be added if the > user lacks administrative privileges (is there a finer-grained > privilege that allows route modification without full admin privileges?). You're awesome! How did you solve it? Last time it was discussed on the list I remember there was another way to open the TAP driver but it was a non supported way and would probably not pass WHQL Driver tests so you didn't want to use that method. Did you come up with an other solution, or did you chose this way after all? Could we perhaps solve (b) in the TAP driver as well. I mean implement an interface between userspace and the TAP driver that allows us to tell the TAP driver to add/delete routes? Or do you still think the final solution is to run the whole openvpn process via a service wrapper? The good thing with using the TAP driver also for adding routes is that openvpn could continue running as a non-admin userspace application and give us all the benefits of a potential security voulnerability found in the openvpn code only beeing executed as non-admin. Of cource the same thing could be implemented in a seperate service module only used for route additions and perhaps script execution. The tricky part of cource would be how to control that only the openvpn process is able to control the TAP driver or service module so we don't allow normal users to execute arbitrary code as admin. Cheers - Mathias PS: Testing will come as well as a GUI version installation package! -- _____________________________________________________________ Mathias Sundman (^) ASCII Ribbon Campaign OpenVPN GUI for Windows X NO HTML/RTF in e-mail http://openvpn.se/ / \ NO Word docs in e-mail |
| From: James Y. <ji...@yo...> - 2005-09-24 10:30:31 |
This release is the latest in the topology branch which was first discussed here: http://openvpn.net/archive/openvpn-users/2005-09/msg00079.html Included in the Windows version of this release is a long-sought-after feature: The ability for OpenVPN to open the TAP-Win32 adapter from accounts other than administrator. Two methods of setting non-admin access are provided. The first method is implemented in the TAP-Win32 driver itself. By default, non-admin access is now allowed, however this can be turned off in the adapter advanced properties dialog, or in the OemWin2k.inf file. The second method configures non-admin access from userspace, using the new --allow-nonadmin standalone flag to the openvpn command. This method was more of a proof-of-concept, before I ported the code to the TAP-Win32 driver. I need people to test this new TAP-Win32 driver on as many Windows versions as possible (it is included in the pre-built Windows installer for this release). Of course, you should treat it as an early beta release, and not use it in production yet. I've tested the driver on XP SP2 only, and more testing is needed on Win2K and Server 2003. One of the interesting ramifications of this feature, is that it sets the stage for non-admin accounts to be able to run OpenVPN directly, without using the service wrapper. With OpenVPN 2.0, this couldn't happen for two reasons: (a) opening the TAP-Win32 device object required administrative privileges, and (b) if the server pushed routes, the client couldn't add them because adding routes on Windows requires privilege. This new release addresses (a). (b) is still an issue if the server is pushing routes. However (b) is less of an issue now since the "topology subnet" feature was added, because it allows a tun-based tunnel to operate without requiring any mandatory route pushes in order to function. Of course, if you are pushing custom routes, or are pushing "redirect-gateway" to clients, then those routes cannot be added if the user lacks administrative privileges (is there a finer-grained privilege that allows route modification without full admin privileges?). Testing is quite easy. Simply add this line to your "dev tun" based server config: topology subnet Download: http://openvpn.net/beta/to/ Change Log: 2005.09.23 -- Version 2.0.2-TO4 * Added feature to TAP-Win32 adapter to allow it to be opened from non-administrator mode. This feature is enabled by default, and can be enabled/disabled in the adapter advanced properties dialog. * Added --allow-nonadmin standalone option for Windows to set TAP adapter to allow non-admin access. This is a user-mode version of the code, and duplicates the same feature as the above entry. * Added fix that attempts to solve corner case of tunnel not forwarding packets when system clock is reset to an earlier time. * Added --redirect-gateway bypass-dns option. (Developers: To add bypass-dhcp or bypass-dns support to other OSes, add a get_bypass_addresses function to route.c for your OS.) * Added OPENVPN_PLUGIN_CLIENT_CONNECT_V2 plugin callback, which allows a client-connect plugin to return configuration text in memory, rather than via a file. * Fixed a bug where --mode server --proto tcp-server --cipher none operation could cause tunnel packet truncation. * openvpn --version will show [LZO1] or [LZO2], depending on version that was linked. James |
