{5} Accepted, Active Tickets by Owner (Full Description) (23 matches)

List tickets accepted, group by ticket owner. This report demonstrates the use of full-row display.

cron2 (8 matches)

Ticket Summary Component Milestone Type Created
Description
#461 Change default sndbuf and rcvbuf values Networking release 2.3.8 Bug / Defect 10/11/14

Default value of 64K for sndbuf and rcvbuf can be speed limiter for, for example, wifi. With default values, I get 25 mbit/s for download and 30 mbit/s for upload over wifi, but with 512K values I get 80/80 mbit/s (maximum for my internet connection).

I suggest removing default values and use OS default values for rcvbuf and sndbuf, or increasing default values up to 256K for example.


#500 forced invalid path in windows Generic / unclassified release 2.3.8 Bug / Defect 01/12/15

In the code openvpn forces the PATH environment to the C:\ drive. This is not correct and the OS can be installed on any drive letter.

src/openvpn/win32.c

env_block (const struct env_set *es) {

char * force_path = "PATH=C:\\Windows\\System32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem";


#562 FreeBSD 9.3-RELEASE-p16 - OpenVPN 2.3.7 :: Only the first Dialin-IP-Traffic forwarded Networking release 2.3.8 Bug / Defect 06/15/15

Since version 2.3.7 was installed via the FreeBSD Port-Build method (see below), the TUN interface setup is different from 2.3.6 and only the first IP address in this pool was forwarded to the internet. All other IP addresses are unreachable from external networks. After I copied back the old binary (version 2.3.6, without any changes to the configuration) the forwarding seems OK. What's the issue?

NOTICE: I can't select version 2.3.7 on field "Version" in this form.

Network: xx.xx.32.240/28 (Non-RFC1918) Clients: Ubuntu 14, iPhone 5-Client

[2.3.6-Output (TUN-I/F)]
tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	inet6 fe80::xxxxxxf%tun1 prefixlen 64 scopeid 0x12
	inet xx.xx.x2.241 --> xx.xx.x2.241 netmask 0xfffffff0
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	Opened by PID 1145

[netstat -rnfinet]
xx.xx.x2.240/28    xx.xx.x2.241    UGS    0    5048    tun1
xx.xx.x2.241       link#18         UH     0    0       tun1

---

[2.3.7-Output (TUN-I/F)]
tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	inet6 fe80::xxxxxxf%tun1 prefixlen 64 scopeid 0x12
	inet xx.xx.x2.241 --> xx.xx.x2.242 netmask 0xfffffff0
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	Opened by PID 1146

[netstat -rnfinet]
xx.xx.x2.240/28    xx.xx.x2.241    UGS    0    5048    tun1
xx.xx.x2.241       link#18         UH     0    0       lo0

---

[Port-Build] ./configure --enable-pkcs11 --enable-password-save --enable-x509-alt-username --with-crypto-library=openssl --prefix=/usr/local --localstatedir=/var --mandir=/usr/local/man --infodir=/usr/local/info/ --build=amd64-portbld-freebsd9.3

[Configuration]
daemon
dev tun1
proto udp
port 500
bind xx.xx.1.38
local xx.xx.1.38
topology subnet
float
tun-mtu 1500
mssfix
mute-replay-warnings
management localhost 7500

# certs ..

# TLS
tls-auth /usr/local/etc/openvpn500/server.key 0
verify-x509-name xxxxxxxxxxxxx name
cipher AES-256-CBC
tls-version-min 1.0

comp-lzo yes
keepalive 30 600

status /var/log/openvpn500-status.log 1
log-append /var/log/openvpn500.log
user root
group daemon

persist-key
persist-tun
duplicate-cn

tls-server
server xx.xx.x2.240 255.255.255.240

push "redirect-gateway"
push "dhcp-option DNS xx.xx.x2.196"
push "dhcp-option DNS xx.1xx.xx.196"
push "dhcp-option DNS xx.xx.86.xx"

plugin /usr/local/lib/radiusplugin.so

client-to-client
tmp-dir /etc/openvpn
client-config-dir /usr/local/etc/openvpn500/ccd

username-as-common-name
verb 3
script-security 2


#495 src/plugins/down-root/down-root.c should not include <err.h> directly Generic / unclassified Bug / Defect 12/29/14

The configure script will detect the existence of <err.h>; if <err.h> exists, down-root.c will include it with config.h. If err.h does not exist, it should not use err() and warn() from err.h.

This bug causes openvpn to fail to build on the AIX platform with the default configure options. Using '--disable-plugin-down-root' is a workaround.


#496 src/plugins/down-root/down-root.c should use src/compat/compat-daemon.c when daemon() not exist plug-ins / plug-in API Bug / Defect 12/29/14

When daemon() does not exist, down-root.c cannot use the daemon() function from src/compat/compat-daemon.c.

This causes the openvpn build to fail on AIX.


#545 CONTROL messages are highly fragmented Generic / unclassified alpha 2.4 Bug / Defect 04/28/15

All CONTROL messages are highly fragmented (maximum payload size is 100 bytes) and seem to require a P_ACK_V1 for every message. This introduces a huge connection delay on high-latency or lossy links.

Due to my specific configuration, I push 3000+ routes from OpenVPN server, and connection takes no less than 2 minutes.


#264 [PATCH] IPv6 p2p issues IPv6 release 2.4 Feature Wish 02/25/13

I had a couple of problems adding IPv6 to an existing IPv6 p2p tunnel configuration. I want to use:

# server
ifconfig-ipv6 2620:83:8000:3088::101/128 2620:83:3000:8088::445
# client
ifconfig-ipv6 2620:83:8000:3088::445/128 2620:83:3000:8088::101

First I ran into:

ifconfig-ipv6: /netbits must be between 64 and 124, not /128

Once I "fixed" that the ifconfig command issued was missing the remote end:

# server
openvpn_test[57456]: /sbin/ifconfig tun6 inet6 2620:83:3000:8088::101/128

Attached are patches for both changes I needed.


#498 Support dynamic IPv6 prefixes in server config rather than hardcoded prefixes. IPv6 Feature Wish 01/02/15

The use of DHCPv6-PD by many ISPs creates a headache in using IPv6 for an OpenVPN tunnel because OpenVPN currently requires the IPv6 prefix be hardcoded into the server config.

It would be nice to have OpenVPN use whatever prefix is assigned to the TUN adapter by DHCPv6.

For example, let's say the OpenVPN server machine receives a /60 prefix from the ISP: 2001:db8::/60. The DHCPv6 client on the machine then assigns a /64 to the OpenVPN tun adapter: 2001:db8:0:1::1/64. Now I want OpenVPN to assign IPv6 addresses to connecting clients using WHATEVER prefix was assigned to the tun adapter.

Seems like the way to accomplish this would be as follows:

1) Remove the "ifconfig-ipv6" command from the server config. Thus IPv6 assignment to the TUN adapter on the server could be handled by the DHCPv6 client on the machine as and when it receives a new prefix from the ISP. (In the current state, if the IPv6 address is given to the TUN adapter by DHCPv6, then OpenVPN also calls ifconfig to assign the address and produces a file-already-exists error, and OpenVPN exits as a result. However, the "ifconfig-ipv6" command cannot currently be removed from the server config because...)

2) Currently "ifconfig-ipv6-pool" also requires that "ifconfig-ipv6" is used. Remove this requirement so "ifconfig-ipv6-pool" can be used without "ifconfig-ipv6".

3) Allow syntax for "ifconfig-ipv6-pool" that only specifies the suffix. For example "ifconfig-ipv6-pool ::100/64" would assign IPv6 addresses to connecting clients starting at <prefix>::100. The <prefix> would be whatever is assigned to the TUN adapter.

4) When the IPv6 prefix assigned by DHCPv6-PD to the TUN adapter on the server changes, re-issue new IPv6 addresses to connected clients with the new prefix.

The only workaround I have come up with is to use ULA addresses, which can be hardcoded. This works for local traffic, but prevents me from redirecting all IPv6 internet-bound traffic through the tunnel (because clients do not receive a publicly routable IPv6 address).


dazo (1 match)

Ticket Summary Component Milestone Type Created
Description
#29 push-reset should not reset topology and route-gateway from global config Configuration release 2.4 Feature Wish 07/21/10

When using push-reset, all "push" options are reset (this also includes topology and route-gateway).

Considering this server conf:

route 192.168.34.0 255.255.255.0
server 10.9.0.0 255.255.255.0

Considering a client with this part of the conf in its ccd file:

push-reset
route 192.168.33.0 255.255.255.0
route 192.168.32.0 255.255.255.0

I expect the client to get an IP in the 10.9.0.0/24 range and get routes added for 192.168.33.0/24 and 192.168.32.0/24 (but not 192.168.34.0/24).

In topology net30 (the default topology) it works perfectly, but it does not in topology subnet. The reason is that in topology subnet, the following options MUST be pushed:

  • topology subnet
  • route-gateway 10.9.0.1

Without these, the client will fail to set itself up with the following message:

Wed Jul 21 21:00:01 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 21 21:00:01 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jul 21 21:00:01 2010 [server] Peer Connection Initiated with [AF_INET]192.168.51.128:1195
Wed Jul 21 21:00:03 2010 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Jul 21 21:00:03 2010 PUSH: Received control message: 'PUSH_REPLY,route 192.168.33.0 255.255.255.0,route 192.168.32.0 255.255.255.0,ifconfig 10.9.0.2 255.255.255.0'
Wed Jul 21 21:00:03 2010 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jul 21 21:00:03 2010 OPTIONS IMPORT: route options modified
Wed Jul 21 21:00:03 2010 WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address.  You are using something (255.255.255.0) that looks more like a netmask. (silence this warning with --ifconfig-nowarn)
Wed Jul 21 21:00:03 2010 ROUTE default_gateway=192.168.2.1
Wed Jul 21 21:00:03 2010 TUN/TAP device tun0 opened
Wed Jul 21 21:00:03 2010 TUN/TAP TX queue length set to 100
Wed Jul 21 21:00:03 2010 /sbin/ifconfig tun0 10.9.0.2 pointopoint 255.255.255.0 mtu 1500
SIOCSIFDSTADDR: Invalid argument

It seems to me that overriding topology and route-gateway from ccd can only break things and make the connection unusable. Also they become compulsory and redundant when using push-reset in topology subnet.

Even though it can be worked around by adding them to the ccd file, it becomes a bit more complex to handle these when the push options of the user are stored remotely, as this would involve having a specific route-gateway set up for each openvpn server that gets user configs from that remote backend.

What do you guys think? Should those options (topology/route-gateway) be reset from the push list, or just overridden when provided by the ccd file?

Tks


janjust (1 match)

Ticket Summary Component Milestone Type Created
Description
#160 openvpn sometimes doesn't provide 'common_name' env. var during client-disconnect execution. plug-ins / plug-in API release 2.4 Bug / Defect 09/12/11

Hi!

I have a client-disconnect script which gets executed when users disconnect. Although I'm pushing "explicit-exit-notify" to clients, sometimes it happens that they disconnect abruptly (because of flaky internet connections). For a long time the client-disconnect script has never failed me, and it cleaned up after the user, but to be able to do this, it needs the 'common_name' environment variable, which provides me the username (I'm using username/password auth, not key files). Unfortunately, every now and then there is a user who loses her/his internet connection, and I'm starting to get these in the server logs:

read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

Then after ten or so messages, the client-disconnect script's log entries:

client-disconnect: undefined username!

The code which produces this is simple: it just checks for the existence of the 'common_name' env. var. I've gathered additional information from the time when this happened. This information was produced by the same client-disconnect script, which couldn't find the 'common_name' env. variable:

  • ENVIRONMENT VARIABLES:
    time_ascii=Sat Sep 10 15:35:02 2011
    daemon_start_time=1315566047
    ifconfig_local=10.x.x.x
    trusted_ip=7x.x.x.x
    remote_port_1=1194
    daemon_pid=1129
    daemon_log_redirect=0
    untrusted_port=1024
    verb=3
    time_duration=416
    bytes_sent=17018
    daemon=1
    local_1=9x.x.x.x
    trusted_port=1024
    ifconfig_broadcast=10.x.x.x
    dev=tap0
    ifconfig_pool_remote_ip=10.x.x.49
    untrusted_ip=7x.x.x.x
    bytes_received=10460
    tun_mtu=1500
    ifconfig_netmask=255.255.240.0
    ifconfig_pool_netmask=255.255.240.0
    time_unix=1315661702
    proto_1=udp
    link_mtu=1574
    local_port_1=1194
    config=/etc/openvpn/openvpn-fw.conf
    script_type=client-disconnect
    script_context=init
    

You can see that 'common_name' is missing from it. All other information is present and correct.

  • ARP TABLE:
    Address       HWtype HWaddress          Flags Mask Iface
    [...]
    10.x.x.49 ether  00:ff:x:x:x:x  C          tap0
    [...]
    

The "offending" user's information is available in the arp table.

  • OPENVPN STATUS FILE:
    OpenVPN CLIENT LIST
    Updated,Sat Sep 10 15:41:58 2011
    Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
    [...]
    UNDEF,7x.x.x.x:1024,10460,17018,Sat Sep 10 15:35:02 2011
    [...]
    ROUTING TABLE
    Virtual Address,Common Name,Real Address,Last Ref
    [...]
    00:ff:x:x:x:x,UNDEF,7x.x.x.x:1024,Sat Sep 10 15:41:21 2011
    [...]
    GLOBAL STATS
    Max bcast/mcast queue length,49
    END
    

As you can see, the username is UNDEF; probably that is why the client-disconnect script won't get the env. var. The other information (IP, MAC) is present and correct.

OpenVPN server version is 2.2.1, and has been configured and compiled like this:

./configure --enable-password-save --enable-iproute2 --disable-selinux --prefix=/usr/local && make

The server config:

daemon          openvpn-fw

mode            server
tls-server
dh              /etc/openvpn/dh1024.pem
ca              /etc/ssl/certs/ca.crt
cert            /etc/ssl/certs/cert.crt
key             /etc/ssl/private/key.key

user            openvpn
group           openvpn

local           9x.x.x.x
port            1194
proto           udp

dev-type        tap
dev             tap0
ifconfig        10.x.x.1 255.255.240.0

ifconfig-pool   10.x.x.10 10.x.x.255 255.255.240.0
push            "route-gateway 10.x.x.1"

persist-key
persist-tun

replay-persist  /var/run/openvpn/openvpn-replay

comp-lzo        adaptive
push            "comp-lzo adaptive"

max-clients     150
keepalive       3 30
push            "explicit-exit-notify 3"

status          /var/run/openvpn/openvpn-fw_status 1
status-version  1

syslog          openvpn
verb            3

management      /var/run/openvpn/openvpn-fw_management unix /etc/openvpn/management_passwd
management-client-user  root
management-client-group root

client-cert-not-required
username-as-common-name

script-security 2

client-connect          /usr/local/libexec/openvpn/client-connect.pl
client-disconnect       /usr/local/libexec/openvpn/client-disconnect.pl
tmp-dir                 /dev/shm

auth-user-pass-verify   /usr/local/libexec/openvpn/auth-user-pass-verify.pl     via-file

samuli (11 matches)

Ticket Summary Component Milestone Type Created
Description
#52 No routing after restart of Win 2003 Server on 2.1 Networking release 2.4 Bug / Defect 09/09/10

I have installed OpenVPN 2.1rc4 on a Windows 2003 Server (SBS)

Every time the server is restarted, I *can* connect to the OpenVPN daemon but cannot ping anything, neither the internal net nor the tunnel endpoint itself, which is 192.168.254.1 in my case.

Then, if I simply restart the OpenVPN service, everything works as expected, e.g. ping to internal machines on the network works and the routing as well.

Tell me what information you need in addition.


#153 Add "RequestExecutionLevel admin" to tapinstall.exe manifest file Installation alpha 2.4 Bug / Defect 08/12/11

Currently the standalone tapinstall.exe does not automatically raise privileges on Windows Vista/7 as it should. This should be trivial to fix by modifying its manifest file.


#161 GET INST BY VIRT error is too obscure quiet Generic / unclassified release 2.4 Bug / Defect 09/20/11

This error means that your packets are being dropped:

Tue Sep 20 12:47:53 2011 us=236940 GET INST BY VIRT: 196.12.12.88 [failed]

Unfortunately it's very easy to miss. It's not visible at debug level 6 and it's not obvious at all. Perhaps it could be made more severe, and say something like:

"No internal route (iroute) to 196.12.12.88, dropping packet, see http://openvpn.net/index.php/open-source/faq/79-client/317-qmulti-bad-source-address-from-client--packet-droppedq-or-qget-inst-by-virt-failedq.html"

Cheers, Chris.


#252 OpenVPN-GUI (64-bit) fails after installation Windows GUI release 2.4 Bug / Defect 01/25/13

I installed OpenVPN-2.3.0 on my 64-bit Windows 7 install without uninstalling my older OpenVPN install. I install OpenVPN in a custom path. After installing, opening OpenVPN-GUI errors out with this error:

Error while creating HKLM\SOFTWARE\OpenVPN-GUI key.

I tried to remove any old OpenVPN-GUI keys I found in the Registry, but it doesn't appear to work.


#325 Windows: Lacking ASLR and DEP support Building / Compiling release 2.4 Bug / Defect 08/27/13

All exe's and dll's from OpenVPN Windows client 2.3.2 64 bit lack ASLR and DEP support, I haven't checked other versions.


#213 OpenVPN GUI on 64-bit Windows (registry issue) Generic / unclassified release 2.4 Bug / Defect 06/07/12

Hello. My name is Kirill and I apologize for my English.

Creating an installer for my own VPN, based on OpenVPN, I found a bug with 64-bit Windows systems. The registry in 64-bit versions of Windows is divided into 32-bit and 64-bit keys. (http://support.microsoft.com/kb/305097/) So, OpenVPN registry keys are created in HKLM/Software/Wow6432node/OpenVPN instead of HKLM/Software/OpenVPN. And the OpenVPN GUI application does not take this into account. If OpenVPN was installed in the default location (C:\Program Files (x86)\OpenVPN), I guess, the GUI does not find the registry keys, and it uses default values. Otherwise, it causes an error in the CreateProcess system call, because openvpn.exe does not exist in the default folder.

If you have additional questions, I am ready to answer.

Thanks in advance.


#249 Installer script bugs Installation release 2.4 Bug / Defect 01/11/13

I found two problems with the v2.3 installer:

1) '\OpenVPN' is not appended to path when install dir is changed on MUI_PAGE_INSTFILES (dir selection).

2) specifying the install dir on the command line (/D=) has no consequence, making it impossible to silently install OpenVPN to a non-default directory.

The cause of problem No.1 is that the InstallDir attribute was omitted from the script. The current script uses the following code to set the default install dir with regard to architecture:

	Function .onInit

	...

	${If} "${ARCH}" == "x86_64"
		SetRegView 64
		StrCpy $INSTDIR "$PROGRAMFILES64\${PACKAGE_NAME}"
	${Else}
		StrCpy $INSTDIR "$PROGRAMFILES\${PACKAGE_NAME}"
	${EndIf}

	...

	FunctionEnd

This works fine but it doesn't make the InstallDir attribute redundant. InstallDir shouldn't have been removed because it serves another purpose - the part of the string after the last '\' is what gets appended when the user changes the install dir.

Problem No.2 is directly tied to the above code. The current script always sets $INSTDIR to default in .onInit and thus overwrites the value possibly set by the /D switch.

And the solution to both problems is:

	InstallDir "$PROGRAMFILES\${PACKAGE_NAME}"

	...

	Function .onInit

	...

	${If} "${ARCH}" == "x86_64"
		SetRegView 64
		StrCmp $INSTDIR "$PROGRAMFILES\${PACKAGE_NAME}" 0 +2
		StrCpy $INSTDIR "$PROGRAMFILES64\${PACKAGE_NAME}"
	${EndIf}

	...

	FunctionEnd

Sorry if my report doesn't conform to standards, but better to report bugs some way than no way I suppose. Anyway, I know my NSIS and what I wrote is definitely correct.


#323 http://openvpn.net/faq.html#dhcpclientserv not working anymore Documentation Bug / Defect 08/22/13

When the initialization sequence fails, the last line of the log says:

Thu Aug 22 16:07:44 2013 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )

That link isn't really working as it should. It should point to http://openvpn.net/index.php/open-source/faq/community-software-client/259-tap-win32-adapter-is-not-coming-up-qinitialization-sequence-completed-with-errorsq.html now


#23 Integrate code security analysis tools into Buildbot Generic / unclassified TODO (General task list) 07/16/10

In the IRC meeting on 22nd Apr 2010 it was agreed that all patches should be checked with (security) auditing tools such as Valgrind and Coverity. These tools need to be integrated into our Continuous integration server app, Buildbot.


#494 OpenVPN GUI does not use file association handlers for log viewing & config editing Windows GUI Bug / Defect 12/29/14

With default file association handlers registered for .log and .ovpn set to Notepad++ when right-clicking the OpenVPN GUI system tray icon and selecting either "View Log" or "Edit Config" the standard Windows Notepad application is launched.


#219 man page could need improvements in the --keepalive section Documentation release 2.4 Feature Wish 07/12/12

I guess there's a small bug in the man page of openvpn regarding the "keepalive" example:

--keepalive n m

A helper directive designed to simplify the expression of --ping and --ping-restart in server mode configurations.

For example, --keepalive 10 60 expands as follows:

if mode server:
    ping 10
    ping-restart 120
    push "ping 10"
    push "ping-restart 60"
else
    ping 10
    ping-restart 60

Would openvpn really double the value for "ping-restart" in server mode, or shouldn't that read "ping-restart 60" instead "ping-restart 120"?


syzzer (2 matches)

Ticket Summary Component Milestone Type Created
Description
#385 Regression: 2.3.3 windows client fails with arm server 2.3.3 Generic / unclassified release 2.3.8 Bug / Defect 04/10/14

This reports a regression with 2.3.3 on the server side of a tunnel. Also, push-peer-info is not working with a build from git master.

I gave up on cross-building for RPI, put a disk on the system temporarily & native built 2.3.3. [It normally runs only from flash; logging is remote syslog.] Exact build procedure follows summary.

The linux machines got the openssl patch before the switch to 2.3.3 on the server. The server's openssl is 1.0.1e-2+rvt+deb7u6 (This has the heartbeat vulnerability patch.)

Prior to this, the RPI (server) ran 2.2.1-8+deb7u2 and successfully accepted connections from a remote linux system and a local windows system. After updating the windows system to 2.3.3, it continued to work with 2.2.1.

After updating the server to 2.3.3, it successfully accepts a connection from a remote Linux client (2.3.2, details below). The tunnel comes up, pings work both ways, data flows.

However, connections from the windows system fail. The failure is reported on the client side:

TLS_ERROR: BIO read tls_read_plaintext error: error:04066083:rsa routines:RSA_EAY_PRIVATE_ENCRYPT:invalid message length: error:14099006:SSL routines:SSL3_SEND_CLIENT_VERIFY:EVP lib TLS Error: TLS object -> incoming plaintext read error TLS Error: TLS handshake failed

It would be nice if this error was reported to the GUI, not just buried in the log.

The server side just has the usual:

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

I also built the server from git master (OpenVPN 2.3_git [git:master/60b40a58c4caaeb5] ) with no change in symptoms.

NB: With the git build, I expected to push-peer-info in the server connect script, but it does not appear in the environment. The push-peer-info directive is present in both the server and the (otherwise successful) linux client.

Let me know what I can do to help troubleshoot this. Details follow.

Thanks.

Server version:

openvpn --version

OpenVPN 2.3.3 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr 9 2014
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@…>
Compile time defines: enable_crypto=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=no enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_sysroot=no

Server built on RPI (debian raspbian wheezy). Started with an empty disk (but some tools on flash):

parted /dev/sda
mkfs -t ext4 -j -LBlackBox /dev/sda1
mount /dev/sda1 /mnt/hdd
mkdir /mnt/hdd/builds
cd /mnt/hdd/builds
wget http://swupdate.openvpn.org/community/releases/openvpn-2.3.3.zip
unzip openvpn-2.3.3.zip
cd openvpn-2.3.3/
apt-get install liblzo2-dev
apt-get install libpam-dev
apt-get install libssl-dev
apt-get install git

prefix=/usr ./configure --build=arm-linux-gnueabihf --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --libexecdir=${prefix}/lib/openvpn --disable-dependency-tracking CFLAGS="-g -O2" CPPFLAGS="" CXXFLAGS="-g -O2" FFLAGS=-"g -O2" LDFLAGS="" --enable-password-save --host=arm-linux-gnueabihf

make
make install

Client is today's windows release.

The client log - where things are XXX'd out, the length matches the live data:

Wed Apr 09 21:10:39 2014 us=68808 Current Parameter Settings:
Wed Apr 09 21:10:39 2014 us=68808 config = 'config.ovpn'
Wed Apr 09 21:10:39 2014 us=68808 mode = 0
Wed Apr 09 21:10:39 2014 us=68808 show_ciphers = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 show_digests = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 show_engines = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 genkey = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 key_pass_file = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=68808 show_tls_ciphers = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 Connection profiles [default]:
Wed Apr 09 21:10:39 2014 us=68808 proto = udp
Wed Apr 09 21:10:39 2014 us=68808 local = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=68808 local_port = 1194
Wed Apr 09 21:10:39 2014 us=68808 remote = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=68808 remote_port = 1194
Wed Apr 09 21:10:39 2014 us=68808 remote_float = ENABLED
Wed Apr 09 21:10:39 2014 us=68808 bind_defined = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 bind_local = ENABLED
Wed Apr 09 21:10:39 2014 us=68808 connect_retry_seconds = 5
Wed Apr 09 21:10:39 2014 us=68808 connect_timeout = 10
Wed Apr 09 21:10:39 2014 us=68808 connect_retry_max = 0
Wed Apr 09 21:10:39 2014 us=68808 socks_proxy_server = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=68808 socks_proxy_port = 0
Wed Apr 09 21:10:39 2014 us=68808 socks_proxy_retry = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 tun_mtu = 1500
Wed Apr 09 21:10:39 2014 us=68808 tun_mtu_defined = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 link_mtu = 1500
Wed Apr 09 21:10:39 2014 us=68808 link_mtu_defined = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 tun_mtu_extra = 0
Wed Apr 09 21:10:39 2014 us=68808 tun_mtu_extra_defined = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 mtu_discover_type = -1
Wed Apr 09 21:10:39 2014 us=68808 fragment = 0
Wed Apr 09 21:10:39 2014 us=68808 mssfix = 1450
Wed Apr 09 21:10:39 2014 us=68808 explicit_exit_notification = 0
Wed Apr 09 21:10:39 2014 us=68808 Connection profiles [0]:
Wed Apr 09 21:10:39 2014 us=68808 proto = udp
Wed Apr 09 21:10:39 2014 us=68808 local = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=68808 local_port = 1194
Wed Apr 09 21:10:39 2014 us=68808 remote = 'xxxxxxxxxxxxx'
Wed Apr 09 21:10:39 2014 us=68808 remote_port = 1194
Wed Apr 09 21:10:39 2014 us=68808 remote_float = ENABLED
Wed Apr 09 21:10:39 2014 us=68808 bind_defined = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 bind_local = ENABLED
Wed Apr 09 21:10:39 2014 us=68808 connect_retry_seconds = 5
Wed Apr 09 21:10:39 2014 us=68808 connect_timeout = 10
Wed Apr 09 21:10:39 2014 us=68808 connect_retry_max = 0
Wed Apr 09 21:10:39 2014 us=68808 socks_proxy_server = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=68808 socks_proxy_port = 0
Wed Apr 09 21:10:39 2014 us=68808 socks_proxy_retry = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 tun_mtu = 1500
Wed Apr 09 21:10:39 2014 us=68808 tun_mtu_defined = ENABLED
Wed Apr 09 21:10:39 2014 us=68808 link_mtu = 1500
Wed Apr 09 21:10:39 2014 us=68808 link_mtu_defined = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 tun_mtu_extra = 0
Wed Apr 09 21:10:39 2014 us=68808 tun_mtu_extra_defined = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 mtu_discover_type = -1
Wed Apr 09 21:10:39 2014 us=68808 fragment = 0
Wed Apr 09 21:10:39 2014 us=68808 mssfix = 1450
Wed Apr 09 21:10:39 2014 us=68808 explicit_exit_notification = 0
Wed Apr 09 21:10:39 2014 us=68808 Connection profiles END
Wed Apr 09 21:10:39 2014 us=68808 remote_random = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 ipchange = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=68808 dev = 'tun'
Wed Apr 09 21:10:39 2014 us=68808 dev_type = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=68808 dev_node = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=68808 lladdr = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=68808 topology = 1
Wed Apr 09 21:10:39 2014 us=68808 tun_ipv6 = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 ifconfig_local = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=68808 ifconfig_remote_netmask = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=68808 ifconfig_noexec = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 ifconfig_nowarn = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 ifconfig_ipv6_local = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=68808 ifconfig_ipv6_netbits = 0
Wed Apr 09 21:10:39 2014 us=68808 ifconfig_ipv6_remote = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=68808 shaper = 0
Wed Apr 09 21:10:39 2014 us=68808 mtu_test = 0
Wed Apr 09 21:10:39 2014 us=68808 mlock = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 keepalive_ping = 0
Wed Apr 09 21:10:39 2014 us=68808 keepalive_timeout = 0
Wed Apr 09 21:10:39 2014 us=68808 inactivity_timeout = 0
Wed Apr 09 21:10:39 2014 us=68808 ping_send_timeout = 0
Wed Apr 09 21:10:39 2014 us=68808 ping_rec_timeout = 0
Wed Apr 09 21:10:39 2014 us=68808 ping_rec_timeout_action = 0
Wed Apr 09 21:10:39 2014 us=68808 ping_timer_remote = ENABLED
Wed Apr 09 21:10:39 2014 us=68808 remap_sigusr1 = 0
Wed Apr 09 21:10:39 2014 us=68808 persist_tun = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 persist_local_ip = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 persist_remote_ip = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 persist_key = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 passtos = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 resolve_retry_seconds = 1000000000
Wed Apr 09 21:10:39 2014 us=68808 username = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=68808 groupname = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=68808 chroot_dir = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=68808 cd_dir = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=68808 writepid = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=68808 up_script = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=68808 down_script = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=68808 down_pre = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 up_restart = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 up_delay = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 daemon = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 inetd = 0
Wed Apr 09 21:10:39 2014 us=68808 log = ENABLED
Wed Apr 09 21:10:39 2014 us=68808 suppress_timestamps = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 nice = 0
Wed Apr 09 21:10:39 2014 us=68808 verbosity = 5
Wed Apr 09 21:10:39 2014 us=68808 mute = 0
Wed Apr 09 21:10:39 2014 us=68808 status_file = 'status.txt'
Wed Apr 09 21:10:39 2014 us=68808 status_file_version = 3
Wed Apr 09 21:10:39 2014 us=68808 status_file_update_freq = 60
Wed Apr 09 21:10:39 2014 us=68808 occ = ENABLED
Wed Apr 09 21:10:39 2014 us=68808 rcvbuf = 0
Wed Apr 09 21:10:39 2014 us=68808 sndbuf = 0
Wed Apr 09 21:10:39 2014 us=68808 sockflags = 0
Wed Apr 09 21:10:39 2014 us=68808 fast_io = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 lzo = 0
Wed Apr 09 21:10:39 2014 us=68808 route_script = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=68808 route_default_gateway = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=68808 route_default_metric = 0
Wed Apr 09 21:10:39 2014 us=68808 route_noexec = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 route_delay = 5
Wed Apr 09 21:10:39 2014 us=68808 route_delay_window = 30
Wed Apr 09 21:10:39 2014 us=68808 route_delay_defined = ENABLED
Wed Apr 09 21:10:39 2014 us=68808 route_nopull = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 route_gateway_via_dhcp = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 max_routes = 100
Wed Apr 09 21:10:39 2014 us=68808 allow_pull_fqdn = DISABLED
Wed Apr 09 21:10:39 2014 us=68808 management_addr = '127.0.0.1'
Wed Apr 09 21:10:39 2014 us=68808 management_port = 25340
Wed Apr 09 21:10:39 2014 us=68808 management_user_pass = 'stdin'
Wed Apr 09 21:10:39 2014 us=78822 management_log_history_cache = 250
Wed Apr 09 21:10:39 2014 us=78822 management_echo_buffer_size = 100
Wed Apr 09 21:10:39 2014 us=78822 management_write_peer_info_file = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 management_client_user = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 management_client_group = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 management_flags = 6
Wed Apr 09 21:10:39 2014 us=78822 shared_secret_file = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 key_direction = 0
Wed Apr 09 21:10:39 2014 us=78822 ciphername_defined = ENABLED
Wed Apr 09 21:10:39 2014 us=78822 ciphername = 'BF-CBC'
Wed Apr 09 21:10:39 2014 us=78822 authname_defined = ENABLED
Wed Apr 09 21:10:39 2014 us=78822 authname = 'sha1'
Wed Apr 09 21:10:39 2014 us=78822 prng_hash = 'SHA1'
Wed Apr 09 21:10:39 2014 us=78822 prng_nonce_secret_len = 16
Wed Apr 09 21:10:39 2014 us=78822 keysize = 0
Wed Apr 09 21:10:39 2014 us=78822 engine = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 replay = ENABLED
Wed Apr 09 21:10:39 2014 us=78822 mute_replay_warnings = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 replay_window = 64
Wed Apr 09 21:10:39 2014 us=78822 replay_time = 15
Wed Apr 09 21:10:39 2014 us=78822 packet_id_file = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 use_iv = ENABLED
Wed Apr 09 21:10:39 2014 us=78822 test_crypto = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 tls_server = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 tls_client = ENABLED
Wed Apr 09 21:10:39 2014 us=78822 key_method = 2
Wed Apr 09 21:10:39 2014 us=78822 ca_file = 'INLINE?'
Wed Apr 09 21:10:39 2014 us=78822 ca_path = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 dh_file = 'INLINE?'
Wed Apr 09 21:10:39 2014 us=78822 cert_file = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 priv_key_file = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 pkcs12_file = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 cryptoapi_cert = 'SUBJ:xxx'
Wed Apr 09 21:10:39 2014 us=78822 cipher_list = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 tls_verify = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 tls_export_cert = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 verify_x509_type = 0
Wed Apr 09 21:10:39 2014 us=78822 verify_x509_name = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 crl_file = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 ns_cert_type = 1
Wed Apr 09 21:10:39 2014 us=78822 remote_cert_ku[i] = 0
Wed Apr 09 21:10:39 2014 us=78822 remote_cert_ku[i] = 0
Wed Apr 09 21:10:39 2014 us=78822 remote_cert_ku[i] = 0
Wed Apr 09 21:10:39 2014 us=78822 remote_cert_ku[i] = 0
Wed Apr 09 21:10:39 2014 us=78822 remote_cert_ku[i] = 0
Wed Apr 09 21:10:39 2014 us=78822 remote_cert_ku[i] = 0
Wed Apr 09 21:10:39 2014 us=78822 remote_cert_ku[i] = 0
Wed Apr 09 21:10:39 2014 us=78822 remote_cert_ku[i] = 0
Wed Apr 09 21:10:39 2014 us=78822 remote_cert_ku[i] = 0
Wed Apr 09 21:10:39 2014 us=78822 remote_cert_ku[i] = 0
Wed Apr 09 21:10:39 2014 us=78822 remote_cert_ku[i] = 0
Wed Apr 09 21:10:39 2014 us=78822 remote_cert_ku[i] = 0
Wed Apr 09 21:10:39 2014 us=78822 remote_cert_ku[i] = 0
Wed Apr 09 21:10:39 2014 us=78822 remote_cert_ku[i] = 0
Wed Apr 09 21:10:39 2014 us=78822 remote_cert_ku[i] = 0
Wed Apr 09 21:10:39 2014 us=78822 remote_cert_ku[i] = 0
Wed Apr 09 21:10:39 2014 us=78822 remote_cert_eku = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 ssl_flags = 0
Wed Apr 09 21:10:39 2014 us=78822 tls_timeout = 2
Wed Apr 09 21:10:39 2014 us=78822 renegotiate_bytes = 0
Wed Apr 09 21:10:39 2014 us=78822 renegotiate_packets = 0
Wed Apr 09 21:10:39 2014 us=78822 renegotiate_seconds = 3600
Wed Apr 09 21:10:39 2014 us=78822 handshake_window = 60
Wed Apr 09 21:10:39 2014 us=78822 transition_window = 3600
Wed Apr 09 21:10:39 2014 us=78822 single_session = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 push_peer_info = ENABLED
Wed Apr 09 21:10:39 2014 us=78822 tls_exit = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 tls_auth_file = 'INLINE?'
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_protected_authentication = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_protected_authentication = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_protected_authentication = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_protected_authentication = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_protected_authentication = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_protected_authentication = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_protected_authentication = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_protected_authentication = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_protected_authentication = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_protected_authentication = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_protected_authentication = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_protected_authentication = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_protected_authentication = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_protected_authentication = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_protected_authentication = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_protected_authentication = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_private_mode = 00000000
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_private_mode = 00000000
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_private_mode = 00000000
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_private_mode = 00000000
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_private_mode = 00000000
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_private_mode = 00000000
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_private_mode = 00000000
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_private_mode = 00000000
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_private_mode = 00000000
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_private_mode = 00000000
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_private_mode = 00000000
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_private_mode = 00000000
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_private_mode = 00000000
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_private_mode = 00000000
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_private_mode = 00000000
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_private_mode = 00000000
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_cert_private = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_cert_private = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_cert_private = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_cert_private = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_cert_private = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_cert_private = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_cert_private = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_cert_private = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_cert_private = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_cert_private = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_cert_private = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_cert_private = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_cert_private = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_cert_private = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_cert_private = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_cert_private = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_pin_cache_period = -1
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_id = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 pkcs11_id_management = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 server_network = 0.0.0.0
Wed Apr 09 21:10:39 2014 us=78822 server_netmask = 0.0.0.0
Wed Apr 09 21:10:39 2014 us=78822 server_network_ipv6 = üó"
Wed Apr 09 21:10:39 2014 us=78822 server_netbits_ipv6 = 0
Wed Apr 09 21:10:39 2014 us=78822 server_bridge_ip = 0.0.0.0
Wed Apr 09 21:10:39 2014 us=78822 server_bridge_netmask = 0.0.0.0
Wed Apr 09 21:10:39 2014 us=78822 server_bridge_pool_start = 0.0.0.0
Wed Apr 09 21:10:39 2014 us=78822 server_bridge_pool_end = 0.0.0.0
Wed Apr 09 21:10:39 2014 us=78822 ifconfig_pool_defined = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 ifconfig_pool_start = 0.0.0.0
Wed Apr 09 21:10:39 2014 us=78822 ifconfig_pool_end = 0.0.0.0
Wed Apr 09 21:10:39 2014 us=78822 ifconfig_pool_netmask = 0.0.0.0
Wed Apr 09 21:10:39 2014 us=78822 ifconfig_pool_persist_filename = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 ifconfig_pool_persist_refresh_freq = 600
Wed Apr 09 21:10:39 2014 us=78822 ifconfig_ipv6_pool_defined = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 ifconfig_ipv6_pool_base = üó"
Wed Apr 09 21:10:39 2014 us=78822 ifconfig_ipv6_pool_netbits = 0
Wed Apr 09 21:10:39 2014 us=78822 n_bcast_buf = 256
Wed Apr 09 21:10:39 2014 us=78822 tcp_queue_limit = 64
Wed Apr 09 21:10:39 2014 us=78822 real_hash_size = 256
Wed Apr 09 21:10:39 2014 us=78822 virtual_hash_size = 256
Wed Apr 09 21:10:39 2014 us=78822 client_connect_script = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 learn_address_script = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 client_disconnect_script = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 client_config_dir = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 ccd_exclusive = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 tmp_dir = 'C:\DOCUME~1\Litt\LOCALS~1\Temp\'
Wed Apr 09 21:10:39 2014 us=78822 push_ifconfig_defined = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 push_ifconfig_local = 0.0.0.0
Wed Apr 09 21:10:39 2014 us=78822 push_ifconfig_remote_netmask = 0.0.0.0
Wed Apr 09 21:10:39 2014 us=78822 push_ifconfig_ipv6_defined = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 push_ifconfig_ipv6_local = üó"/0
Wed Apr 09 21:10:39 2014 us=78822 push_ifconfig_ipv6_remote = üó"
Wed Apr 09 21:10:39 2014 us=78822 enable_c2c = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 duplicate_cn = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 cf_max = 0
Wed Apr 09 21:10:39 2014 us=78822 cf_per = 0
Wed Apr 09 21:10:39 2014 us=78822 max_clients = 1024
Wed Apr 09 21:10:39 2014 us=78822 max_routes_per_client = 256
Wed Apr 09 21:10:39 2014 us=78822 auth_user_pass_verify_script = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 auth_user_pass_verify_script_via_file = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 client = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 pull = ENABLED
Wed Apr 09 21:10:39 2014 us=78822 auth_user_pass_file = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 show_net_up = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 route_method = 0
Wed Apr 09 21:10:39 2014 us=78822 ip_win32_defined = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 ip_win32_type = 3
Wed Apr 09 21:10:39 2014 us=78822 dhcp_masq_offset = 0
Wed Apr 09 21:10:39 2014 us=78822 dhcp_lease_time = 31536000
Wed Apr 09 21:10:39 2014 us=78822 tap_sleep = 0
Wed Apr 09 21:10:39 2014 us=78822 dhcp_options = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 dhcp_renew = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 dhcp_pre_release = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 dhcp_release = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 domain = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 netbios_scope = '[UNDEF]'
Wed Apr 09 21:10:39 2014 us=78822 netbios_node_type = 0
Wed Apr 09 21:10:39 2014 us=78822 disable_nbt = DISABLED
Wed Apr 09 21:10:39 2014 us=78822 OpenVPN 2.3.3 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Apr 9 2014
Enter Management Password:
Wed Apr 09 21:10:50 2014 us=985944 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Wed Apr 09 21:10:50 2014 us=985944 Need hold release from management interface, waiting...
Wed Apr 09 21:10:51 2014 us=456620 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Wed Apr 09 21:10:51 2014 us=556764 MANAGEMENT: CMD 'state on'
Wed Apr 09 21:10:51 2014 us=556764 MANAGEMENT: CMD 'log all on'
Wed Apr 09 21:10:51 2014 us=987384 MANAGEMENT: CMD 'hold off'
Wed Apr 09 21:10:51 2014 us=997398 MANAGEMENT: CMD 'hold release'
Wed Apr 09 21:10:52 2014 us=177657 Control Channel Authentication: tls-auth using INLINE static key file
Wed Apr 09 21:10:52 2014 us=177657 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 09 21:10:52 2014 us=177657 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 09 21:10:52 2014 us=177657 Control Channel MTU parms [ L:1541 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Apr 09 21:10:52 2014 us=177657 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Apr 09 21:10:52 2014 us=187672 MANAGEMENT: >STATE:1397092252,RESOLVE,
Wed Apr 09 21:10:52 2014 us=397974 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Wed Apr 09 21:10:52 2014 us=397974 Local Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Wed Apr 09 21:10:52 2014 us=397974 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Wed Apr 09 21:10:52 2014 us=397974 Local Options hash (VER=V4): 'e1cabb67'
Wed Apr 09 21:10:52 2014 us=397974 Expected Remote Options hash (VER=V4): 'f78928cd'
Wed Apr 09 21:10:52 2014 us=397974 UDPv4 link local (bound): [undef]
Wed Apr 09 21:10:52 2014 us=397974 UDPv4 link remote: [AF_INET]192.168.134.1:1194
Wed Apr 09 21:10:52 2014 us=397974 MANAGEMENT: >STATE:1397092252,WAIT,
Wed Apr 09 21:10:52 2014 us=508132 MANAGEMENT: >STATE:1397092252,AUTH,
Wed Apr 09 21:10:52 2014 us=508132 TLS: Initial packet from [AF_INET]192.168.148.43:1194, sid=6453fbcf a941847e
Wed Apr 09 21:10:52 2014 us=698406 VERIFY OK: depth=1, XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Wed Apr 09 21:10:52 2014 us=698406 VERIFY OK: nsCertType=SERVER
Wed Apr 09 21:10:52 2014 us=698406 VERIFY OK: depth=0, XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Wed Apr 09 21:10:52 2014 us=748478 TLS_ERROR: BIO read tls_read_plaintext error: error:04066083:rsa routines:RSA_EAY_PRIVATE_ENCRYPT:invalid message length: error:14099006:SSL routines:SSL3_SEND_CLIENT_VERIFY:EVP lib
Wed Apr 09 21:10:52 2014 us=748478 TLS Error: TLS object -> incoming plaintext read error
Wed Apr 09 21:10:52 2014 us=748478 TLS Error: TLS handshake failed
Wed Apr 09 21:10:52 2014 us=768507 TCP/UDP: Closing socket
Wed Apr 09 21:10:52 2014 us=778521 SIGUSR1[soft,tls-error] received, process restarting
Wed Apr 09 21:10:52 2014 us=778521 MANAGEMENT: >STATE:1397092252,RECONNECTING,tls-error
Wed Apr 09 21:10:52 2014 us=778521 Restart pause, 2 second(s)
Wed Apr 09 21:10:54 2014 us=801430 Control Channel Authentication: tls-auth using INLINE static key file
Wed Apr 09 21:10:54 2014 us=821459 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 09 21:10:54 2014 us=841488 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 09 21:10:54 2014 us=841488 Control Channel MTU parms [ L:1541 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Apr 09 21:10:54 2014 us=851502 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Apr 09 21:10:54 2014 us=851502 MANAGEMENT: >STATE:1397092254,RESOLVE,
Wed Apr 09 21:10:54 2014 us=861516 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Wed Apr 09 21:10:54 2014 us=881545 Local Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Wed Apr 09 21:10:54 2014 us=891560 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Wed Apr 09 21:10:54 2014 us=891560 Local Options hash (VER=V4): 'e1cabb67'
Wed Apr 09 21:10:54 2014 us=901574 Expected Remote Options hash (VER=V4): 'f78928cd'
Wed Apr 09 21:10:54 2014 us=901574 UDPv4 link local (bound): [undef]
Wed Apr 09 21:10:54 2014 us=911588 UDPv4 link remote: [AF_INET]192.168.134.1:1194
Wed Apr 09 21:10:54 2014 us=911588 MANAGEMENT: >STATE:1397092254,WAIT,
Wed Apr 09 21:10:54 2014 us=921603 MANAGEMENT: >STATE:1397092254,AUTH,
Wed Apr 09 21:10:54 2014 us=921603 TLS: Initial packet from [AF_INET]192.168.148.43:1194, sid=769c88e9 d986fb31
Wed Apr 09 21:10:55 2014 us=91848 TLS Error: Unroutable control packet received from [AF_INET]192.168.148.43:1194 (si=3 op=P_CONTROL_V1)
Wed Apr 09 21:10:55 2014 us=161948 VERIFY OK: <The sequence continues>

Server log for this connection:

[24014]: MULTI: multi_create_instance called
[24014]: 192.168.148.191:1194 Re-using SSL/TLS context
[24014]: 192.168.148.191:1194 Control Channel MTU parms [ L:1541 D:166 EF:66 EB:0 ET:0 EL:0 ]
[24014]: 192.168.148.191:1194 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
[24014]: 192.168.148.191:1194 Local Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
[24014]: 192.168.148.191:1194 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
[24014]: 192.168.148.191:1194 Local Options hash (VER=V4): 'f78928cd'
[24014]: 192.168.148.191:1194 Expected Remote Options hash (VER=V4): 'e1cabb67'
[24014]: 192.168.148.191:1194 TLS: Initial packet from [AF_INET]192.168.148.191:1194, sid=d6ccd910 e3e6a2f4
[24014]: 192.168.148.191:1194 TLS: new session incoming connection from [AF_INET]192.168.148.191:1194
[24014]: 192.168.148.191:1194 TLS: new session incoming connection from [AF_INET]192.168.148.191:1194
[24014]: 192.168.148.191:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
[24014]: 192.168.148.191:1194 TLS Error: TLS handshake failed
[24014]: 192.168.148.191:1194 SIGUSR1[soft,tls-error] received, client-instance restarting


Client config:


verb 1
verb 5
cryptoapicert "SUBJ:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
dev tun
proto udp
ns-cert-type server
pull
tls-client
cipher BF-CBC
reneg-sec 3600
push-peer-info
status status.txt
status-version 3
ping-timer-rem
auth sha1
float
<connection>
# Only the first one is reachable in the test
remote xxx 1194 udp
remote yyy 1194 udp
</connection>
<dh>
xx
</dh>
<tls-auth>
# 2048 bit OpenVPN static key
</tls-auth>
# Can CA come from the crypto API?
<ca>
xxx
</ca>


server config


verb 1
cd /etc/openvpn
script-security 2
dev tun
proto udp
float
port 1194
topology subnet
keepalive 300 600
ping-timer-rem
management 127.0.0.1 1195
mode server
tls-server
ca ca-cert.pem
dh dh1024.pem
cert server.0.pem
key private.pem
cipher BF-CBC
reneg-sec 3600
tls-auth tls-auth.key
#push tun-ipv6
push-peer-info
push "topology subnet"
push "persist-key"
push "persist-tun"
ifconfig 192.168.134.1 255.255.255.0
ifconfig-pool 192.168.134.50 192.168.134.254 255.255.255.0
push "route-gateway 192.168.134.1"
push "route 192.168.0.0 255.255.0.0"
push "route 172.16.0.0 255.240.0.0"
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DOMAIN xxxxxxxxxxxxxxxx."
push "dhcp-option DNS 192.168.148.6"
push "dhcp-option DNS 192.168.148.4"
push "dhcp-option DNS 192.168.134.6"
push "dhcp-option WINS 192.168.148.21"
push "dhcp-option NBT 2"
push "dhcp-option NTP 192.168.148.43"
push "dhcp-option NTP 192.168.148.10"
push "dhcp-option NTP 192.168.148.136"
client-to-client
client-config-dir clients
ccd-exclusive
client-connect client-connect
opt-verify
auth sha1


Server CCD for this client:


push "register-dns"


The server build from git:

apt-get install autoconf autoconf-doc libtool automake m4 gettext libsnappy-dev

git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/openvpn.git --depth 1

autoreconf -vi

(same configure, make, make install)
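Added example (editor's code, not part of the ticket and not OpenVPN's own): a small Python triage script for the kind of client/server log pair posted above. It cross-checks that each side's "Local Options hash" equals the other side's "Expected Remote Options hash" (here e1cabb67 and f78928cd match in both directions, so the option strings are not what differs), splits the client log into handshake attempts at each RECONNECTING state, and classifies where each attempt died from the OpenSSL error components. The reading of SSL3_SEND_CLIENT_VERIFY as the step where OpenSSL 1.0.x signs the handshake with the client's own private key (here supplied through cryptoapicert), and of "Unroutable control packet" as a packet whose session id matches no session the client currently has open, is my interpretation. The sample lines are constructed, abridged copies of the posted logs with the redacted DNs shortened to XXXX.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: abridged copies of the client and server log lines
# posted in the ticket above (DNs shortened to XXXX).
CLIENT_LOG = """\
Wed Apr 09 21:10:52 2014 us=397974 Local Options hash (VER=V4): 'e1cabb67'
Wed Apr 09 21:10:52 2014 us=397974 Expected Remote Options hash (VER=V4): 'f78928cd'
Wed Apr 09 21:10:52 2014 us=397974 MANAGEMENT: >STATE:1397092252,WAIT,
Wed Apr 09 21:10:52 2014 us=508132 MANAGEMENT: >STATE:1397092252,AUTH,
Wed Apr 09 21:10:52 2014 us=508132 TLS: Initial packet from [AF_INET]192.168.148.43:1194, sid=6453fbcf a941847e
Wed Apr 09 21:10:52 2014 us=698406 VERIFY OK: depth=1, XXXX
Wed Apr 09 21:10:52 2014 us=698406 VERIFY OK: nsCertType=SERVER
Wed Apr 09 21:10:52 2014 us=698406 VERIFY OK: depth=0, XXXX
Wed Apr 09 21:10:52 2014 us=748478 TLS_ERROR: BIO read tls_read_plaintext error: error:04066083:rsa routines:RSA_EAY_PRIVATE_ENCRYPT:invalid message length: error:14099006:SSL routines:SSL3_SEND_CLIENT_VERIFY:EVP lib
Wed Apr 09 21:10:52 2014 us=748478 TLS Error: TLS handshake failed
Wed Apr 09 21:10:52 2014 us=778521 MANAGEMENT: >STATE:1397092252,RECONNECTING,tls-error
Wed Apr 09 21:10:54 2014 us=911588 MANAGEMENT: >STATE:1397092254,WAIT,
Wed Apr 09 21:10:54 2014 us=921603 MANAGEMENT: >STATE:1397092254,AUTH,
Wed Apr 09 21:10:54 2014 us=921603 TLS: Initial packet from [AF_INET]192.168.148.43:1194, sid=769c88e9 d986fb31
Wed Apr 09 21:10:55 2014 us=91848 TLS Error: Unroutable control packet received from [AF_INET]192.168.148.43:1194 (si=3 op=P_CONTROL_V1)
"""

SERVER_LOG = """\
[24014]: 192.168.148.191:1194 Local Options hash (VER=V4): 'f78928cd'
[24014]: 192.168.148.191:1194 Expected Remote Options hash (VER=V4): 'e1cabb67'
[24014]: 192.168.148.191:1194 TLS: Initial packet from [AF_INET]192.168.148.191:1194, sid=d6ccd910 e3e6a2f4
[24014]: 192.168.148.191:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
[24014]: 192.168.148.191:1194 TLS Error: TLS handshake failed
"""

OPTS_RE = re.compile(r"(Local|Expected Remote) Options hash \(VER=V\d+\): '([0-9a-f]+)'")
STATE_RE = re.compile(r">STATE:\d+,([A-Z_]+),([^,\s]*)")
SID_RE = re.compile(r"\bsid=([0-9a-f]{8} [0-9a-f]{8})")
# OpenSSL error strings: error:<code>:<library>:<function>:<reason>, possibly chained.
OPENSSL_RE = re.compile(r"error:[0-9A-Fa-f]{8}:([^:]+):([^:]+):(.+?)(?=: error:|$)")


def options_hashes(log: str) -> Dict[str, str]:
    return {m.group(1): m.group(2) for m in OPTS_RE.finditer(log)}


def options_consistent(client_log: str, server_log: str) -> bool:
    """Each side's local options hash must equal the peer's expected hash."""
    c, s = options_hashes(client_log), options_hashes(server_log)
    return (c.get("Local") == s.get("Expected Remote")
            and s.get("Local") == c.get("Expected Remote"))


def _new_attempt() -> Dict:
    return {"states": [], "sid": None, "verify_ok": 0,
            "openssl_errors": [], "tls_errors": [], "restart_reason": None}


def split_attempts(client_log: str) -> List[Dict]:
    """Group client lines into handshake attempts; RECONNECTING closes one."""
    attempts: List[Dict] = []
    cur: Optional[Dict] = None
    for line in client_log.splitlines():
        if cur is None:
            cur = _new_attempt()
            attempts.append(cur)
        m = STATE_RE.search(line)
        if m:
            cur["states"].append(m.group(1))
            if m.group(1) == "RECONNECTING":
                cur["restart_reason"] = m.group(2)
                cur = None
            continue
        m = SID_RE.search(line)
        if m:
            cur["sid"] = m.group(1)
        elif "VERIFY OK:" in line:
            cur["verify_ok"] += 1          # peer certificate chain checks passed
        elif "TLS_ERROR:" in line:
            cur["openssl_errors"].extend(OPENSSL_RE.findall(line))
        elif "TLS Error:" in line:
            cur["tls_errors"].append(line.split("TLS Error: ", 1)[1])
    return attempts


def failure_stage(attempt: Dict) -> str:
    """Name the handshake step at which an attempt died, from its error lines."""
    funcs = {func for _lib, func, _reason in attempt["openssl_errors"]}
    if "SSL3_SEND_CLIENT_VERIFY" in funcs:
        # ssl3_send_client_verify is where OpenSSL signs the handshake with the
        # client's own private key (CertificateVerify); the server chain had
        # already verified, so this points at the local key provider.
        return "client private-key signature (CertificateVerify)"
    if any(e.startswith("Unroutable control packet") for e in attempt["tls_errors"]):
        # Packet whose session id matches no session this client has open,
        # typically a late packet belonging to the previous attempt.
        return "control packet for another TLS session"
    if any("failed to occur within" in e for e in attempt["tls_errors"]):
        return "timeout waiting for peer"
    return "unknown"


if __name__ == "__main__":
    print("options hashes consistent:", options_consistent(CLIENT_LOG, SERVER_LOG))
    for i, a in enumerate(split_attempts(CLIENT_LOG), 1):
        print(f"attempt {i}: sid={a['sid']} states={a['states']} "
              f"verify_ok={a['verify_ok']} died at: {failure_stage(a)}")
```

Running it on a real pair of logs: feed the whole client log (verb 4 or higher so the TLS_ERROR detail is present) and the server's lines for that client address; a mismatch reported by options_consistent points at cipher, auth, MTU or tls-auth differences, while a matching pair with a CertificateVerify failure points at the client's certificate/key provider rather than at the server.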


#301 Support AEAD cipher modes Crypto alpha 2.4 Patch submission 06/03/13

Add support for AEAD (Authenticated Encryption with Additional Data) modes, which obviate the need for a separate MAC step. Modes such as AES-GCM, AES-CCM, and AES-XTS are examples. Combining the encryption and authentication steps leads to a speed-up, since the library can use optimizations when it is doing both operations concurrently.


Note: See TracReports for help on using and creating reports.