openvpn-devel Mailing List for OpenVPN

Download: http://prdownloads.sourceforge.net/openvpn/openvpn-1.2.0.tar.gz Release Notes: OpenVPN 1.2.0 adds pthread support for background processing of SSL/TLS key negotiations, allowing efficient usage of large RSA keys (i.e. 2048 bits or larger). The OpenVPN web site has been considerably expanded, including a new HOWTO page that gives detailed instructions for setting up a complete telecommuting solution with firewall, VPN, NAT, and DHCP support. OpenVPN 1.2.0 has additional feature improvements including configuration file support and running daemon statistics via SIGUSR2. Since version 1.1.1, OpenVPN has seen extensive porting activity, including ports to Solaris, OpenBSD, Mac OS X (Darwin), and 64-bit Linux. ChangeLog from 1.1.1 -> 1.2.0 * Added configuration file support via the --config option. * Added pthread support to improve latency. With pthread support, OpenVPN will offload CPU-intensive tasks such as RSA key number crunching to a background thread to improve tunnel packet forwarding latency. pthread support can be enabled with the --enable-pthread configure option. Pthread support is currently available only for Linux and Solaris. * Added --dev-type option so that tun/tap device names don't need to begin with "tun" or "tap". * Added --writepid option to write main process ID to a file. * Numerous portability fixes to ease porting to other OSes including changing all network types to uint8_t and uint32_t, and not assuming that time_t is 32 bits. * Backported to OpenSSL 0.9.5. * Ported to Solaris. * Finished OpenBSD port except for pthread support. * Added initialization script: sample-scripts/openvpn.init (Douglas Keller) * Ported to Mac OS X (Christoph Pfisterer). * Improved resilience to DoS attacks when TLS mode is used without --remote or --tls-auth, or when --float is used with --remote. Note however that the best defense against DoS attacks in TLS mode is to use --tls-auth. * Eliminated automake/autoconf dependency for non-developers. * Ported configure.in to configure.ac and autoconf 2.50+. * SIGHUP signal now causes OpenVPN to restart and re-read command line and or config file, in conformance with canonical daemon behaviour. * SIGUSR1 now does what SIGHUP did in version 1.1.1 and earlier -- close and reopen the UDP socket for use when DHCP changes host's IP address and preserve most recently authenticated peer address without rereading config file. * SIGUSR2 added -- outputs current statistics, including compression statistics. * All changes maintain protocol compatibility with 1.1.1 and 1.1.0. James 

 Douglas Keller wrote: > James Yonan writes: > > This beta can be considered an initial release candidate for 1.2.0. See > > changelog below. > > > > Things are looking good for me...built the rpm with > "rpm -ta openvpn-1.1.1.18.tar.gz", the rpm included the init > script correctly. I installed it on my machines without any problems > (I had been running 1.1.1.16 for the last couple of days without any > problems). > > doug Doug, The init scripts are only good for very recent machines; RH62, for instance, will completely hate it. It's a common mistake, I have a one-line diff later on this evening. Not sure if this is a blocker for the 1.2.0 release. - bish 

This beta can be considered an initial release candidate for 1.2.0. See changelog below. http://openvpn.sourceforge.net/beta/openvpn-1.1.1.18.tar.gz Beta web site: http://openvpn.sourceforge.net/beta/www/ Changes since 1.1.1: 2002.05.19 -- Version 1.1.1.18 * Added configuration file support via the --config option. * Added pthread support to improve latency. With pthread support, OpenVPN will offload CPU-intensive tasks such as RSA key number crunching to a background thread to improve tunnel packet forwarding latency. pthread support can be enabled with the --enable-pthread configure option. Pthread support is currently available only for Linux and Solaris. * Added --dev-type option so that tun/tap device names don't need to begin with "tun" or "tap". * Added --writepid option to write main process ID to a file. * Numerous portability fixes to ease porting to other OSes including changing all network types to uint8_t and uint32_t, and not assuming that time_t is 32 bits. * Backported to OpenSSL 0.9.5. * Ported to Solaris. * Finished OpenBSD port except for pthread support. * Added initialization script: sample-scripts/openvpn.init (Douglas Keller) * Ported to Mac OS X (Christoph Pfisterer). * Improved resilience to DoS attacks when TLS mode is used without --remote or --tls-auth, or when --float is used with --remote. Note however that the best defense against DoS attacks in TLS mode is to use --tls-auth. * Eliminated automake/autoconf dependency for non-developers. * Ported configure.in to configure.ac and autoconf 2.50+. * SIGHUP signal now causes OpenVPN to restart and re-read command line and or config file, in conformance with canonical daemon behaviour. * SIGUSR1 now does what SIGHUP did in version 1.1.1 and earlier -- close and reopen the UDP socket for use when DHCP changes host's IP address and preserve most recently authenticated peer address without rereading config file. * SIGUSR2 added -- outputs current statistics, including compression statistics. * All changes maintain protocol compatibility with 1.1.1 and 1.1.0. James 

Hi, > I made a package to us openvpn in a defined configuration, we want to do > the same as securemote from CheckPoint since there is no securemote for I had quite no feedback on autovpn. Is there any interest? If not, we'll keep it for us :-( Anyone interested? -jec 

> thank you very much. I just tried 1.1.1.13 and I got a working tunnel > even using my axp-box. For this the tunnel is between an 1.1.1-i386 and > an 1.1.1.13-axp. Cool. The latest beta version of OpenVPN has lots of portability fixes which make minimal assumptions about word sizes, and use uint8_t and uint32_t for all network types, while being fully protocol compatible with 1.1.0 and 1.1.1. > BTW: Is there someone building a config file for openvpn? I'm just > playing with a small set of scripts and an config file with one line per > connection. At this time I only apply on preshared secrets. Config files are supported in the current beta releases, and will be supported in the next stable release which will be 1.2.0. Right now there's also a "beta version" of the web site which will go live when 1.2.0 is released that has a new HOWTO and lots of config file examples: http://openvpn.sourceforge.net/beta/www/howto.html James 

Hello Christoph, Hey, that's great news. It looks like you were able to make it work with a very small patch. A couple comments: (1) The TYPE_SOCKLEN_T macro is cool, but we can't rely on people having autoconf 2.5 or newer (unless we start distributing configure in addition to configure.in). Is there a way the macro could be coded to eliminate this dependency? What is it in the macro that requires 2.5? (2) You might want to take a look at 1.1.1.9 which is on the CVS now. In particular, tun.c has seen a lot of work over the weekend to add support for solaris, freebsd, and openbsd. You will want to add an #ifdef TARGET_DARWIN to the mix. You might also want to add a TARGET_DARWIN case to do_ifconfig(), so OpenVPN's --ifconfig option works correctly on Mac OS X. Can you edit INSTALL with the appropriate Mac OS X info, including a URL where they can get your tun driver, and initial steps to create and configure the tun device? I will merge everything in your patch now except the TYPE_SOCKLEN_T macro pending more thought. Great Work! James ----- Original Message ----- From: "Christoph Pfisterer" <cp...@ch...> To: <ope...@li...> Sent: Monday, May 06, 2002 7:08 AM Subject: [Openvpn-devel] Mac OS X support > Hi all! > > With some tweaking, I was able to get OpenVPN running on Mac OS X and > use it happily with a Linux peer. Discussion and patches follow. > > First of all, current versions of Mac OS X don't include a tun > driver, although it is present in the source tree (publicly available > via CVS). An independent port of the FreeBSD driver as a loadable > module exists, but OpenVPN uncovered some bugs in it. I was able to > fix those bugs and effectively took over maintenance of the driver. > It is available from <http://chrisp.de/en/projects/tunnel.html>; > OpenVPN requires at least version 1.1.0. > > OpenVPN itself also needed some small patches, mostly due to Mac OS > X's customized GCC and its outdated BSD headers. There are three main > problems: > > 1. There is no in_addr_t and uint32_t is not automatically defined. > Some research revealed that uint32_t is defined in <stdint.h>, which > is not included explicitly. On Linux, it is included implicitly by > <netinet/in.h>, but not so on Mac OS X. This is easily fixed in > syshead.h. > > 2. Apple's precompiling version of cpp doesn't know about macros with > variable arguments. Passing the "--no-cpp-precomp" command line > option gets rid of this. I added a small check to configure to add it > automatically. > > 3. There is no socklen_t. Coming up with a quick workaround was easy, > but fixing it properly wasn't. I found a quite complete configure > test for this in OpenSSH, it actually originated from curl. > Unfortunately it only works with autoconf 2.50 or newer. > > The attached patch is against the current CVS version (which > identifies itself as 1.1.1.6). It compiles and runs fine on my Mac OS > X box, although I haven't tested the new features yet. > > Please let me know what you think. > > Greetings, > chrisp > > -- > chrisp a.k.a. Christoph Pfisterer "Any sufficiently advanced > cp...@ch... - http://chrisp.de bug is indistinguishable > PGP key & geek code available from a feature." 

The CVS is now updated to 1.1.1.9. Changes since 1.1.1.6 include the Solaris port and backport to OpenSSL 0.9.5. James 

> I am interested in knowing wha tyour AutoVPN project does, but I didn't=20 > understand after reading your letter. Can you explain what it does? OK. I thought I was clear... :-) We need to let some of our users access our network from their home through their Internet access (Modem or Cable or ADSL). So we need a VPN for them. There is one called SecuRemote that comes with checkpoint Firewall. But it's only for windows, not for Linux. The goal is to have a VPN that needs only an account into one machine, not a certificate. It's because it's easier to manage for a large bunch of users. So we are using OpenVPN with *shared key*, not with TLS + certificate. The way that works: - Open am SSH session to our gateway (inside the network) - The user gives its password (no RSA key) - A script is called on the server which: - generate a shared key - starts openvpn with it - returns this key to the client - Then, the client starts openvpn passing the shared key - The VPN is open. Advatage: - No need of certificates for every people - No need of pre-shared key. It'changed every time a new autovpn session is made Understand better? -jec 

Hi all! With some tweaking, I was able to get OpenVPN running on Mac OS X and use it happily with a Linux peer. Discussion and patches follow. First of all, current versions of Mac OS X don't include a tun driver, although it is present in the source tree (publicly available via CVS). An independent port of the FreeBSD driver as a loadable module exists, but OpenVPN uncovered some bugs in it. I was able to fix those bugs and effectively took over maintenance of the driver. It is available from <http://chrisp.de/en/projects/tunnel.html>; OpenVPN requires at least version 1.1.0. OpenVPN itself also needed some small patches, mostly due to Mac OS X's customized GCC and its outdated BSD headers. There are three main problems: 1. There is no in_addr_t and uint32_t is not automatically defined. Some research revealed that uint32_t is defined in <stdint.h>, which is not included explicitly. On Linux, it is included implicitly by <netinet/in.h>, but not so on Mac OS X. This is easily fixed in syshead.h. 2. Apple's precompiling version of cpp doesn't know about macros with variable arguments. Passing the "--no-cpp-precomp" command line option gets rid of this. I added a small check to configure to add it automatically. 3. There is no socklen_t. Coming up with a quick workaround was easy, but fixing it properly wasn't. I found a quite complete configure test for this in OpenSSH, it actually originated from curl. Unfortunately it only works with autoconf 2.50 or newer. The attached patch is against the current CVS version (which identifies itself as 1.1.1.6). It compiles and runs fine on my Mac OS X box, although I haven't tested the new features yet. Please let me know what you think. Greetings, chrisp -- chrisp a.k.a. Christoph Pfisterer "Any sufficiently advanced cp...@ch... - http://chrisp.de bug is indistinguishable PGP key & geek code available from a feature."

Hi, I made a package to us openvpn in a defined configuration, we want to do the same as securemote from CheckPoint since there is no securemote for Linux Need to make it working: - A Linux machine with access to the entire netowk (the gateway in fact. - It must have openvpn-1.1.1 + autovpn installed - An SSH access on this machine for each user that want remote access to the network. - autovpn installed on the client too. Autovpn is written in Perl. It's made of 6-7 simple scripts. To install: On the client and the server: - untar autovpn.tar in /usr/local (not configuarble at the moment) - check that autovpn-server.pl is setuid root (has rws for user and that user is root) Then on the client (as root), issue: /usr/local/autovpn.pl It should ask for your password on the gateway. Then the terminal is blocked until you type ENTER to close the VPN. That's all! It's 0.1 version, so there is probably some problems. The config file is in ~/.autovpn It's a simple text file. The needed Perl modules are (on the client only): - Config::IniFiles - Data::Dumper Good luck! -jec -- Jean-Eric Cuendet Linkvest SA Av des Baumettes 19, 1020 Renens Switzerland Tel +41 21 632 9043 Fax +41 21 632 9090 E-mail: jea...@li... http://www.linkvest.com -------------------------------------------------------- 

Release Notes: http://openvpn.sourceforge.net/beta/www/relnotes.html Download: http://openvpn.sourceforge.net/beta/openvpn-1.1.1.9.tar.gz This release also has a "beta" version of the web site to go along with it: http://openvpn.sourceforge.net/beta/www/ As you will notice, this release has been ported to Solaris, while ports to OpenBSD and FreeBSD are ongoing. If you use OpenBSD or FreeBSD and would like to test OpenVPN on your platform, please email me. This release of OpenVPN is protocol compatible with 1.1.1. Enjoy, James 

James, For the moment I will be using the patch but will move to official 0.9.7 as soon as it is ready. Thank you very much. Ildar. ----- Original Message ----- From: "James Yonan" <ji...@nt...> To: "Ildar Gabdulline" <il...@nn...> Cc: <ope...@li...> Sent: Friday, May 03, 2002 10:10 PM Subject: Re: OpenVPN and OpenSSL 0.9.7 was: Re: Integration of AES algorith to OpenSSL Crypto library > > I'll be glad to receive such patch because I need to integrate AES > algorithm > > to openvpn > > (my boss requested this). > > If you can wait a few days, I would recommend waiting for the official 0.9.7 > openssl beta which will probably solve the problem. If you can't wait, > here's a patch: > > http://openvpn.sourceforge.net/patch/openssl097.patch > > Remember, 0.9.7 is pre-beta at this point so you're on your own. I have not > extensively tested this patch other than a brief test to confirm that it > fixed the EVP incompatibility. > > James > > > > > > 

> I'll be glad to receive such patch because I need to integrate AES algorithm > to openvpn > (my boss requested this). If you can wait a few days, I would recommend waiting for the official 0.9.7 openssl beta which will probably solve the problem. If you can't wait, here's a patch: http://openvpn.sourceforge.net/patch/openssl097.patch Remember, 0.9.7 is pre-beta at this point so you're on your own. I have not extensively tested this patch other than a brief test to confirm that it fixed the EVP incompatibility. James 

Hi, Is anybody here who uses openvpn with openssl version 0.9.7 (latest = snapshots) with AES encryption algorithm ? The problem is that I've tried to compile openvpn with snapshot from 1st = May and it crashed. Thanks, Ildar.