Menu
▾
▴
openvpn-users — OpenVPN users list
You can subscribe to this list here.
| 2002 |
Jan
|
Feb
|
Mar
(12) |
Apr
(45) |
May
(34) |
Jun
(50) |
Jul
(39) |
Aug
(39) |
Sep
(29) |
Oct
(28) |
Nov
(30) |
Dec
(28) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2003 |
Jan
(18) |
Feb
(20) |
Mar
(10) |
Apr
(19) |
May
(72) |
Jun
(42) |
Jul
(31) |
Aug
(153) |
Sep
(156) |
Oct
(233) |
Nov
(213) |
Dec
(137) |
| 2004 |
Jan
(255) |
Feb
(292) |
Mar
(449) |
Apr
(241) |
May
(412) |
Jun
(541) |
Jul
(532) |
Aug
(611) |
Sep
(689) |
Oct
(804) |
Nov
(676) |
Dec
(715) |
| 2005 |
Jan
(639) |
Feb
(695) |
Mar
(756) |
Apr
(562) |
May
(497) |
Jun
(424) |
Jul
(394) |
Aug
(427) |
Sep
(390) |
Oct
(418) |
Nov
(387) |
Dec
(494) |
| 2006 |
Jan
(503) |
Feb
(436) |
Mar
(563) |
Apr
(448) |
May
(400) |
Jun
(420) |
Jul
(240) |
Aug
(362) |
Sep
(292) |
Oct
(408) |
Nov
(318) |
Dec
(245) |
| 2007 |
Jan
(330) |
Feb
(241) |
Mar
(259) |
Apr
(216) |
May
(305) |
Jun
(277) |
Jul
(288) |
Aug
(269) |
Sep
(273) |
Oct
(248) |
Nov
(267) |
Dec
(265) |
| 2008 |
Jan
(312) |
Feb
(454) |
Mar
(358) |
Apr
(195) |
May
(352) |
Jun
(305) |
Jul
(233) |
Aug
(385) |
Sep
(441) |
Oct
(325) |
Nov
(301) |
Dec
(329) |
| 2009 |
Jan
(344) |
Feb
(263) |
Mar
(350) |
Apr
(262) |
May
(255) |
Jun
(161) |
Jul
(330) |
Aug
(281) |
Sep
(285) |
Oct
(230) |
Nov
(304) |
Dec
(284) |
| 2010 |
Jan
(353) |
Feb
(260) |
Mar
(357) |
Apr
(403) |
May
(335) |
Jun
(236) |
Jul
(199) |
Aug
(247) |
Sep
(212) |
Oct
(160) |
Nov
(118) |
Dec
(110) |
| 2011 |
Jan
(172) |
Feb
(105) |
Mar
(113) |
Apr
(120) |
May
(124) |
Jun
(88) |
Jul
(94) |
Aug
(63) |
Sep
(78) |
Oct
(42) |
Nov
(137) |
Dec
(90) |
| 2012 |
Jan
(75) |
Feb
(113) |
Mar
(90) |
Apr
(77) |
May
(68) |
Jun
(58) |
Jul
(67) |
Aug
(119) |
Sep
(56) |
Oct
(60) |
Nov
(72) |
Dec
(48) |
| 2013 |
Jan
(78) |
Feb
(93) |
Mar
(114) |
Apr
(79) |
May
(57) |
Jun
(56) |
Jul
(29) |
Aug
(84) |
Sep
(55) |
Oct
(75) |
Nov
(61) |
Dec
(40) |
| 2014 |
Jan
(42) |
Feb
(14) |
Mar
(48) |
Apr
(132) |
May
(96) |
Jun
(58) |
Jul
(90) |
Aug
(116) |
Sep
(88) |
Oct
(69) |
Nov
(97) |
Dec
(93) |
| 2015 |
Jan
(61) |
Feb
(38) |
Mar
(62) |
Apr
(63) |
May
(67) |
Jun
(124) |
Jul
(79) |
Aug
(101) |
Sep
(60) |
Oct
(109) |
Nov
(64) |
Dec
(135) |
| 2016 |
Jan
(107) |
Feb
(83) |
Mar
(90) |
Apr
(78) |
May
(125) |
Jun
(100) |
Jul
(52) |
Aug
(96) |
Sep
(23) |
Oct
(74) |
Nov
(85) |
Dec
(168) |
| 2017 |
Jan
(63) |
Feb
(75) |
Mar
(51) |
Apr
(87) |
May
(48) |
Jun
(135) |
Jul
(90) |
Aug
(72) |
Sep
(38) |
Oct
(54) |
Nov
(102) |
Dec
(42) |
| 2018 |
Jan
(25) |
Feb
(55) |
Mar
(1) |
Apr
(10) |
May
(31) |
Jun
(72) |
Jul
(61) |
Aug
(12) |
Sep
(30) |
Oct
(41) |
Nov
(33) |
Dec
(16) |
| 2019 |
Jan
(19) |
Feb
(26) |
Mar
(72) |
Apr
(32) |
May
(38) |
Jun
(26) |
Jul
(19) |
Aug
(12) |
Sep
(8) |
Oct
(19) |
Nov
(61) |
Dec
(26) |
| 2020 |
Jan
(18) |
Feb
(21) |
Mar
(26) |
Apr
(206) |
May
(59) |
Jun
(18) |
Jul
(64) |
Aug
(28) |
Sep
(22) |
Oct
(15) |
Nov
(22) |
Dec
(21) |
| 2021 |
Jan
(17) |
Feb
(46) |
Mar
(64) |
Apr
(84) |
May
(86) |
Jun
(84) |
Jul
(45) |
Aug
(12) |
Sep
(27) |
Oct
(38) |
Nov
(49) |
Dec
(42) |
| 2022 |
Jan
(37) |
Feb
(55) |
Mar
(35) |
Apr
(31) |
May
(27) |
Jun
(61) |
Jul
(15) |
Aug
(4) |
Sep
(71) |
Oct
(15) |
Nov
(14) |
Dec
(12) |
| 2023 |
Jan
(20) |
Feb
(86) |
Mar
(57) |
Apr
(3) |
May
(7) |
Jun
(28) |
Jul
(105) |
Aug
(189) |
Sep
(33) |
Oct
(63) |
Nov
(40) |
Dec
(71) |
| 2024 |
Jan
(174) |
Feb
(120) |
Mar
(5) |
Apr
(42) |
May
(39) |
Jun
(19) |
Jul
(17) |
Aug
(23) |
Sep
(16) |
Oct
(6) |
Nov
(14) |
Dec
(2) |
| 2025 |
Jan
(1) |
Feb
(11) |
Mar
(19) |
Apr
(6) |
May
(11) |
Jun
(12) |
Jul
(7) |
Aug
(25) |
Sep
(47) |
Oct
(20) |
Nov
(3) |
Dec
|
|
From: Jochen B. <Joc...@bi...> - 2025-09-29 07:48:03
|
On 29.09.25 04:18, Leroy Tennison via Openvpn-users wrote: > Other than connecting to the client, finding what ca.crt they > use and running openssl x509 -in<client ca.crt> -noout -enddate? a) Just to make sure: The *clients* need the cert of the CA issuing the *server* certs, because *that's* the cert they're checking with it. b) Your OpenSSL command will output the data for the *first* cert found in the file. Files - or, for that matter, CApath directories - accepted by OpenVPN can contain *several* CA certs. (In the case of a PKI with intermediate CAs, they *should* have the entire chains from root to server-cert-issuing intermediate.) c) I still remember the time when, while we evaluated a new platform, we found that OpenVPN would also refuse a CA with an expired *CRL*, so you might want to check that as well - *if* you're rolling out CRLs to the clients. d) Having that said, I'm not aware of a method to doublecheck any of that on the *server* side ... > My concern is accidentally overlooking a client. You might be able to change the roll-out process so that the new serverCA file and new client certs with some marker (say, OU=ImAlreadyDone) will be installed at the same time, then you could recognize unprepared clients by the missing marker as they auth ... ? (Still doesn't catch *dormant* clients, though ...) Kind regards, -- Jochen Bern Systemingenieur Binect GmbH |
|
From: Leroy T. <ler...@ve...> - 2025-09-29 02:48:54
|
Other than connecting to the client, finding what ca.crt they use and running openssl x509 -in<client ca.crt> -noout -enddate? The reason I'm asking is that we have a ca.crt which will be expiring in about a year. I know how to update ca.crt without immediately having to update all clients and how to update all clients (including their own certificates which will expire some time after the ca.crt) and we will be doing that over time. My concern is accidentally overlooking a client. Thanks for any and all help. |
|
From: Alireza F. <rad...@gm...> - 2025-09-27 18:15:45
|
https://github.com/LSPosed/.github/tree/master/profile |
|
From: Alireza F. <rad...@gm...> - 2025-09-27 14:03:54
|
https://github.com/AKP199/Spoon-Knife/actions/runs/18035755666/job/51322237718#step:2:19 |
|
From: Alireza F. <rad...@gm...> - 2025-09-27 14:02:29
|
https://github.com/AKP199/Spoon-Knife/actions/runs/18035755666/job/51322237718 |
|
From: Alireza F. <rad...@gm...> - 2025-09-27 13:05:18
|
https://github.com/pvorb/npm-stat.com/blob/develop/package-lock.json#L۲-L۳ |
|
From: Gert D. <ge...@gr...> - 2025-09-25 18:15:06
|
Hi,
On Thu, Sep 25, 2025 at 05:42:01PM +0300, Yuriy Darnobyt wrote:
> Important bug fixes since 2.7_beta1:
>
> * add proper input sanitation to DNS strings to prevent an attack coming
> from a trusted-but-malicous OpenVPN server (CVE-2025-10680, affects
> unixoid systems with --dns-updown scripts and windows using the built-in
> powershell call)
Let me emphasize this. If you followed my advice to "please go and test
2.7_beta1" and installed a --dns-updown script (for example by compiling
and then "make install"), and there is a risk that you connect to an
openvpn server that is not trustworthy -> please upgrade ASAP.
Also, do not use openvpn configs from untrusted sources with 2.7_beta1
under unixoid OSes.
If your OpenVPN server is fully trusted, and you know where the configs
are coming from, then there is no attack angle.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany ge...@gr...
|
|
From: Yuriy D. <yur...@op...> - 2025-09-25 14:42:24
|
The OpenVPN community project team is proud to release OpenVPN 2.7_beta2. This is a second beta which includes important bugfixes. Feature changes since 2.7_beta1: * greatly improved event log handling for the Windows interactive service - this brings build system changes and a new openvpnservmsg.dll Important bug fixes since 2.7_beta1: * add proper input sanitation to DNS strings to prevent an attack coming from a trusted-but-malicous OpenVPN server (CVE-2025-10680, affects unixoid systems with --dns-updown scripts and windows using the built-in powershell call) * bugfixes when using multi-socket on windows (properly recognize that TCP server mode does not work with DCO, properly handle TCP multi-socket server setups without DCO) * bring back configuring of IPv4 broadcast addresses on Linux * repair "--dhcp-option DNS" setting in combination with DHCP (TAP) or "--up" scripts (Github: OpenVPN/openvpn#839, OpenVPN/openvpn#840) More details can be found in the Changes document: <https://github.com/OpenVPN/openvpn/blob/master/Changes.rst> Source code and Windows installers can be downloaded from our download page: <https://openvpn.net/community-downloads/> Packages for Debian, Ubuntu, Fedora, RHEL, and openSUSE are available in the various official Community repositories: <https://community.openvpn.net/Pages/OpenVPN%20software%20repos> Kind regards, Yuriy Darnobyt |
|
From: Frank L. <fr...@li...> - 2025-09-24 14:52:14
|
The OpenVPN community project team is proud to release OpenVPN 2.6.15.
This is a bugfix release.
Bug fixes:
* On Windows, do not use "wmic.exe" any longer to set DNS search domain
(discontinued by Microsoft), use "powershell" fragment instead.
* On Windows, logging to the windows event log has been improved
(and logging of GetLastError() strings repaired).
To make this work, a new "openvpnmsgserv.dll" library is now installed and
registered.
* DNS domain names are now strictly validated with a positive-list of
allowed characters (including UTF-8 high-bit-set bytes) before being handed
to powershell.
* Apply more checks to incoming TLS handshake packets before creating new state
- namely, verify message ID / acked ID for "valid range for an initial packet".
This fixes a problem with clients that float very early but send control
channel packet from the pre-float IP (Github: OpenVPN/openvpn#704, backported
from 2.7_beta1).
* Backport handling of client float notifications on FreeBSD 14/STABLE DCO.
(FreeBSD: #289303)
* Update GPL license text to latest version from FSF.
* On Linux, on interfaces where applicable, OpenVPN explicitly configures the
broadcast address again. This was dropped for 2.6.0 "because computers are
smart and can do it themselves", but the kernel netlink interface isn't, and
will install "0.0.0.0". This does not normally matter, but for broadcast-based
applications that get the address to use from "ifconfig", this change repairs
functionality.
Windows MSI changes since 2.6.14-I004:
* Built against OpenSSL 3.5.3
* Included openvpn-gui updated to 11.56.0.0
* Fix "Cannot open the System Tray Menu with Keyboard"
(Github: OpenVPN/openvpn-gui#763)
More details can be found in the Changes document:
<https://github.com/OpenVPN/openvpn/blob/release/2.6/Changes.rst>
(The Changes document also contains a section with work-arounds for
common problems encountered when using OpenVPN with OpenSSL 3)
Source code and Windows installers can be downloaded from our download page:
<https://openvpn.net/community/>
Debian and Ubuntu packages are available in the official apt repositories:
<https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos#DebianUbuntu:UsingOpenVPNaptrepositories>
On Red Hat derivatives we recommend using the Fedora Copr repository.
<https://copr.fedorainfracloud.org/coprs/g/OpenVPN/openvpn-release-2.6/>
Regards,
--
Frank Lichtenheld
|
|
From: David S. <daz...@eu...> - 2025-09-24 13:15:46
|
OpenVPN 3 Linux v26 (Stable release) The v26 release is a small bugfix and enhancement release. Please notice the deprecation of openvpn3-autoload. * Enhancement: Improve user feedback when a VPN profile is not valid Since the OpenVPN 3 Linux v22_dev release, the openvpn3-service-configmgr service has provided an API to validate VPN profiles it manages. This has been used in the rest of the available tools to check if everything is in order before attempting to start a VPN session. When a configuration profile was lacking certain required options, it would fail this validation. But the feedback to the user was not much helpful and the user would need to check the configuration profile manually. With the v26 release, the end user will be provided a list of required configuration options missing. * Enhancement: Set route metric value when provided via VPN session Since the very beginning of OpenVPN 3 Linux, the route metric value has been ignored. This has been improved in the v26 release and the metric values provided in the configuration profile or pushed from the VPN server will now be respected. * FEATURE DEPRECATION: openvpn3-autoload The openvpn3-autoload feature was deprecated already in the v20 release. This feature will be removed in a coming stable release. The replacement is the openvpn3-session@.service systemd unit. Please see the openvpn3-systemd man page [1] for more details. If you depend on openvpn3-autoload today, please migrate ASAP to the systemd approach. [1] <https://codeberg.org/OpenVPN/openvpn3-linux/src/branch/master/docs/man/openvpn3-systemd.8.rst> * Bugfix: Proper parsing of <connection/> tags in OpenVPN configs The internal VPN profile configuration parser did not properly parse configuration files containing <connection>...</connection> tags to configure a remote server. This has been fixed and both the openvpn3-service-configmgr and the openvpn3 Python module has been updated to support this feature. * Bugfix: Proper parsing of semicolon (;) as comment line The openvpn3 Python module did not properly parse configuration files which used semicolon (;) as a comment separator. This has been improved and both hash (#) and semicolon can now be used for comments in configuration profiles. * Bugfix: openvpn3-service-netcfg may stop on route setup errors In some corner cases, when the openvpn3-service-client (VPN client) process called the Network Configuration service (openvpn3-service-netcfg) to establish the VPN network interface, the Network Configuration service could crash and not recover, resulting in the VPN session not being able to be established. This has been improved and this error situation is now handled and logged properly. * Bugfix: Background D-Bus calls to systemd-resolved fails On some systems the D-Bus communication between the openvpn3-service-netcfg (NetCfg) process and systemd-resolved could be too slow, resulting in the NetCfg process retrying the D-Bus call. Due to an incorrect retry logic, the parameters systemd-resolved would need had been released from memory and was no longer accessible. This has been resolved and the retry logic now behaves as expected. * Bugfix: VPN session restart triggers assertion warning in logs When an on-going VPN session is attempted restarted, for example via the openvpn3 session-manage command, the NetCfg service would log an assertion warning in the system logs. This has been resolved and VPN session restarts will now work as expected. * Bugfix: OpenVPN 3 AWS-VPC fails changing IPv6 routes Due to a typo in the parameter name used for changing IPv6 routes in the AWS VPC service, setting IPv6 routes would result in an error. This has been resolved in the OpenVPN 3 Core version 3.11.5 release, which OpenVPN 3 Linux v26 has upgraded to. * OpenVPN 3 Core Library update The OpenVPN 3 Core Library has been updated to version 3.11.5, which is contains the fix for the AWS VPC route fix. It also enables building against Linux 6.16 kernel headers. Known issues: - The openvpn3-service-netcfg service does not differentiate between --dns server X resolve-domains and --dns search-domains when using the --resolv-conf mode, which is not as this feature is intended to work. This was discovered in the v24 release and is on the schedule to be fixed in the next releases. When this gets fixed, only --dns search-domains will be considered as search domains and --dns server X resolve-domains will enable split-DNS when using --systemd-resolved and otherwise ignored when using --resolv-conf with openvpn3-service-netcfg. Supported Linux distributions ----------------------------- - Debian: 12, 13[*] - Fedora: 41, 42 - Red Hat Enterprise Linux 8, 9, 10[*] - Ubuntu: 22.04, 24.04, 25.05 Installation and getting started instructions can be found here: <https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux> There are in addition other Linux distributions now providing OpenVPN 3 Linux packages. These distributions are primarily supported by their respective distribution communities. We will naturally review and apply fixes deemed needed for any distributions as they occur. NOTE: Red Hat Enterprise Linux 10 The Fedora Copr repository definition for RHEL+EPEL-10 *may* use a wrong URL. After doing the 'dnf copr enable' step on RHEL-10, please ensure the URL contains 'rhel+epel' and not just 'epel'. This is expected to automatically improve with time. The stable repositories provided by OpenVPN Inc should not have this issue. NOTE: Debian 13 (Trixie) Debian 13 is added to the list of supported distribution versions. With Debian 13 there is now also an upstream distribution package as well, openvpn3-client, as well as the GDBus++ library. The version in the distribution repository is at OpenVPN 3 Linux v24.1. This cannot be upgraded to a newer base line, due to Debian packaging rules. The package maintainer will apply bug and security fixes as needed. If you want to use a newer OpenVPN 3 Linux on Debian 13, you will need to install the third-party repository provided by OpenVPN Inc. This is the same procedure as in Debian 12 and earlier. With the v26 release, the package has been renamed to 'openvpn3-client' and an upgrade path from the openvpn3 package has been added. After upgrading to v26, the openvpn3 transitional package can be removed via 'apt autoremove'. -- kind regards, David Sommerseth OpenVPN Inc ---- Source tarballs --------------------------------------------------- * OpenVPN 3 Linux v26 <https://swupdate.openvpn.net/community/releases/openvpn3-linux-26.tar.xz> <https://swupdate.openvpn.net/community/releases/openvpn3-linux-26.tar.xz.asc> * GDBus++ v3 <https://swupdate.openvpn.net/community/releases/gdbuspp-3.tar.xz> <https://swupdate.openvpn.net/community/releases/gdbuspp-3.tar.xz.asc> ---- SHA256 Checksums -------------------------------------------------- 80e35615ae913fbdbdda53495b27934a3bbb21d8b15c49a624d4992c15e196e1 openvpn3-linux-26.tar.xz 474ba43ae9a6f4e8e5488750ed779bf57e7e2efe9bc05d196f65adb83f830eb4 openvpn3-linux-26.tar.xz.asc c7a053a13c4eb5811a542b747d5fcdb3a8e58a4a42c7237cc5e2e2ca72e0c94e gdbuspp-3.tar.xz b9cf732d7a347f324d6a5532dc48f80c2815dbf6704c169b4ee97a411506a99b gdbuspp-3.tar.xz.asc ---- git references ---------------------------------------------------- git repositories: - OpenVPN 3 Linux <https://codeberg.org/OpenVPN/openvpn3-linux> (PRIMARY) <https://gitlab.com/openvpn/openvpn3-linux> (code-only mirror) <https://github.com/OpenVPN/openvpn3-linux> (code-only mirror) git tag: v26 git commit: 42ecc42a782025f8774e907a8c1966524424bcee - GDBus++ <https://codeberg.org/OpenVPN/gdbuspp/> (PRIMARY) <https://gitlab.com/openvpn/gdbuspp/> (code-only mirror) <https://github.com/openvpn/gdbuspp/> (code-only mirror) git tag: v3 git commit: 96f7fb688ed2dea3f192c63c5fe283dbe4900f16 ---- Changes from v25 to v26 --------------------------------------- David Sommerseth (30): build: Add fmt subproject configmgr: Add details when profile validation fails ovpn3cli/config-import: Show warning if imported profile is invalid netcfg/resolved: Ensure glib2 params are available on retries common: Refactor and clean-up core-extensions.hpp common/core-extensions: Move helper functions into OptionListJSON class tests: Parse Access Server meta options in config-export-json-test common: Properly parse <connection/> blocks netcfg: Catch Core library exceptions in method_establish() configmgr: Let <connection/> tags be equivalent to --remote when validating the profile python: Deprecate openvpn3.ConfigParser.SanityCheck() python/openvpn2: Make Configuration.Validate() errors more user friendly python/openvpn2: Add IMPORT_ONLY debug more python: Implement <connection/> tag support in ConfigParser netcfg: Clarify IP address 'prefix' usage netcfg: Split up the NetCfgProxy::Network object construction netcfg: Small clean-up/codestyle fixup for IPAddr, Network and VPNAddress classes netcfg: Add support for route metric when assing VPN routes netcfg/proxy: Add service version check for D-Bus API compatibility python: Semicolon is not accepted by openvpn3.ConfigParser common: Minor cleanups in cmdargparser code netcfg/resolved: Fix g_variant_ref assertion warning on session restarts core: Update to OpenVPN 3 Core Library v3.11.4 docs: Minor updates to the coding style guide Code style cleanup git: Update .git-blame-ignore-revs ignoring last code-style changes Quick spellcheck fixes all over project configmgr: Fix auth-user-pass handling regression netcfg: Make logged metric details more user friendly core: Update to OpenVPN 3 Core Library v3.11.5 -------------------------------------------------------------------- |
|
From: Alireza F. <rad...@gm...> - 2025-09-22 20:32:37
|
---------- Forwarded message --------- فرستنده: Alireza Farid <rad...@gm...> Date: سهشنبه ۲۳ سپتامبر ۲۰۲۵، ۰۰:۰۰ Subject: To: Alireza Farid <rad...@gm...> http://46.229.253.146/ |
|
From: tincantech <tin...@pr...> - 2025-09-16 11:44:45
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi, to use easyrsa with edwards curve, the simplest way is to copy pki/vars.example to pki/vars and edit that vars file. Enable `set_var EASYRSA_ALGO ed`. The default curve is then set to ed25519. You can also choose curve ed448. You can make this change to a new or existing PKI. You can also make the switch to edwards temporary by using options --use-algo=ed and --curve=ed25519 or ed448. Regards Richard (Easy-RSA development) Sent with Proton Mail secure email. On Tuesday, 16 September 2025 at 06:23, Leroy Tennison via Openvpn-users <ope...@li...> wrote: > I have a customer asking about switching from rsa to ed25519 for openVPN. I know about easy-rsa, is there an easy-ed25519 or, if we can take that approach, are we back to determining how to do it with openssl? -----BEGIN PGP SIGNATURE----- Version: ProtonMail wsC5BAEBCgBtBYJoyU2MCZBPl5z2a5C4nUUUAAAAAAAcACBzYWx0QG5vdGF0 aW9ucy5vcGVucGdwanMub3JnhxRoyaQtioPss6C5qVBzXxPyr14KYAD20++Y 9w0iRPkWIQQJvD1EZ6ONcnnFVVVPl5z2a5C4nQAA9B0H/iZ5yFx/6Yl4vuLn vxbQInU6Jdl9zl0NyfPbqTFoiOj7orB/aUTSU1ggytcHCAnIsdXBTgaov8Ys tXaO0ZeRcmgcbNge1T2QTTBDGknl6djlc+PVaFpGK0u3tGPConD9V9X5lBoi sZS0IYZi3gXTNJXEQMIog/4VzsKm4CCd4ayExvpBA60l3qvGRSjxzZSpfnG8 EZXUObJAVa/3HV2j5QQqfbOdUBRQqybBkFUH7mjPk+uWUO2JISS4gEUpA8yO FfNMatrzneLxj3byUKRnNWaRPsdfLFxhjRTTFDxf/N1Ya3hw7M8zm3T2HMbc rhldeXeS3kifkyaFt5d6FistmbI= =FuQs -----END PGP SIGNATURE----- |
|
From: Antonio Q. <a...@un...> - 2025-09-16 07:25:28
|
On 16/09/2025 06:40, Leroy Tennison via Openvpn-users wrote: > I have a customer asking about switching from rsa to ed25519 for openVPN. I know about easy-rsa, is there an easy-ed25519 or, if we can take that approach, are we back to determining how to do it with openssl? It's called easyrsa, but it can do ed* as well. It's all about tuning the right params so that openssl is invoked accordingly when creating keys/certs. To the easyrsa user this is mostly transparent as the PKI creation works the same way. Regards, -- Antonio Quartulli |
|
From: Leroy T. <ler...@ve...> - 2025-09-16 05:21:39
|
I have a customer asking about switching from rsa to ed25519 for openVPN. I know about easy-rsa, is there an easy-ed25519 or, if we can take that approach, are we back to determining how to do it with openssl? |
|
From: tincantech <tin...@pr...> - 2025-09-13 14:00:58
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 There is one specific benefit to bundling Easy-RSA with the OpenVPN installer: The OpenVPN installer is not blocked by modern browsers, which means that it is still relatively easy for users to download and install Easy-RSA. The Easy-RSA zip files from Github are regularly blocked. Regards Richard Bonhomme (Easy-RSA development) Sent with Proton Mail secure email. -----BEGIN PGP SIGNATURE----- Version: ProtonMail wsC5BAEBCgBtBYJoxXj7CZBPl5z2a5C4nUUUAAAAAAAcACBzYWx0QG5vdGF0 aW9ucy5vcGVucGdwanMub3Jnocr8hQVqrFMeYb1dBdSn2ZnXWrjYJbisN60e MHFk1OMWIQQJvD1EZ6ONcnnFVVVPl5z2a5C4nQAAqIYIAK73CrYhZQZDDTEu rUZ0CCoflIzBPOwXSaDRQc9RaovKl5V58QNAB1yPVJSYNyfksaP6kyvOT1Je ZPhF9sNqVCdDAsErMHza32J8JUIDQGqrYjcpxYb56seccBnzlWNR1EtWZW8f mIa5UqWi09Qb9yI4hxZxeQBtcJOT4nd7WSTqEjGyvISQyJggdZhYvVPYwf5u UhdZJlG6j4yT7qslhwYBxS4Liw4JqDbR4nB4ZxOjmf3dBenVWt964WYy8BA3 JPIEBeJukBPrRDzJaPlpQgP1N3eJ5vCwOlElF1OO+nsB0Fq4XUt4QMdYTc9p Rr+QPGWvO4Zks+L5eZ/QPDzFlGE= =CWLS -----END PGP SIGNATURE----- |
|
From: Gert D. <ge...@gr...> - 2025-09-12 05:23:14
|
Hi,
On Thu, Sep 11, 2025 at 08:59:22PM -0400, Selva Nair wrote:
> NT SERVICE\OpenVPNService
Thanks.
I'll put a big fat note into Changes.rst for 2.7_beta2 (and thus 2.7.0).
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany ge...@gr...
|
|
From: Selva N. <sel...@gm...> - 2025-09-12 00:59:50
|
Hi, On Thu, Sep 11, 2025 at 7:11 AM Ralf Hildebrandt via Openvpn-users < ope...@li...> wrote: > > On Wed, Sep 10, 2025 at 06:08:34PM +0200, Louis Chanouha via > Openvpn-users wrote: > > > The new limited service account does'nt have access to the Windows > > > certificate store > > How's that account named? I didn't see that mentioned.. NT SERVICE\OpenVPNService Selva |
|
From: Gert D. <ge...@gr...> - 2025-09-11 11:16:49
|
Hi,
On Wed, Sep 10, 2025 at 07:05:21AM +0000, Hans via Openvpn-users wrote:
> Speed depends on a lot of things.
> DCO only increase speed if you are cpu-core bound.
> Else it only lowers the load on your machine (imho).
DCO also reduces latency and inter-packet delays, so it depends where
your bottlenecks are.
On high-speed links (10G in, 10G out), the extra delays "one packet sent
to userland, processed, sent to network, then next packet sent to
userland, ..." will kill your throughput, even if the CPU could cope.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany ge...@gr...
|
|
From: Ralf H. <Ral...@ch...> - 2025-09-11 11:09:02
|
> On Wed, Sep 10, 2025 at 06:08:34PM +0200, Louis Chanouha via Openvpn-users wrote: > > The new limited service account does'nt have access to the Windows > > certificate store How's that account named? I didn't see that mentioned... -- Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration Invalidenstraße 120/121 | D-10115 Berlin Tel. +49 30 450 570 155 ral...@ch... https://www.charite.de |
|
From: Selva N. <sel...@gm...> - 2025-09-10 21:09:42
|
Hi, On Wed, Sep 10, 2025 at 12:38 PM Louis Chanouha via Openvpn-users < ope...@li...> wrote: > > If I manually add the permission to the private key to NT > Service\OpenVPNServocefrom this procedure: > > https://www.codyhosterman.com/2019/06/assigning-read-access-to-windows-private-key/, > > the connection works again. > This is the correct fix. Alternatively you can change the service account back to LocalSystem, but not recommended. We cannot let the installer forcefully change permissions on cer/key files, but In the run time logs we could add "insufficient permissions" as another reason for the error. Selva |
|
From: Gert D. <ge...@gr...> - 2025-09-10 20:38:09
|
Hi,
On Wed, Sep 10, 2025 at 06:08:34PM +0200, Louis Chanouha via Openvpn-users wrote:
> The new limited service account does'nt have access to the Windows
> certificate store
Reports like this really should go to the issue tracker, or the openvpn-devel
list.
> 2025-09-10 17:59:04 Error in cryptoapicert: failed to acquire key. Key not
> present or is in a legacy token not supported by Windows CNG API: Le jeu de
> clés n???existe pas. (errno=-2146893802)
> 2025-09-10 17:59:04 Cannot load certificate "TMPL:[redacted]" from Microsoft
> Certificate Store
> 2025-09-10 17:59:04 Exiting due to fatal error
Well - this is somewhat expected. If you don't operate with maximum
privileges anymore, things that need privileges might break.
[..]
> Hope they will be a fix to preserve theses environnements.
We can not auto-fix this (except by reading all configs and changing
all your key permissions from within the installer, which we're not
going to do).
What we can, and need to do, is point this out very clearly in the
release notes.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany ge...@gr...
|
|
From: Louis C. <cha...@in...> - 2025-09-10 16:35:54
|
Hello, The new limited service account does'nt have access to the Windows certificate store 2025-09-10 17:59:04 DEPRECATED: --persist-key option ignored. Keys are now always persisted across restarts. 2025-09-10 17:59:04 WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure 2025-09-10 17:59:04 WARNING: Using --management on a TCP port WITHOUT passwords is STRONGLY discouraged and considered insecure 2025-09-10 17:59:04 OpenVPN 2.7_beta1 [git:v2.7_beta1/1e7b9a0fb021f0a6] Windows [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Sep 5 2025 2025-09-10 17:59:04 Windows version: 10.0.22631,amd64 2025-09-10 17:59:04 library versions: OpenSSL 3.5.2 5 Aug 2025, LZO 2.10 2025-09-10 17:59:04 DCO version: 2.7.1 2025-09-10 17:59:04 Error in cryptoapicert: failed to acquire key. Key not present or is in a legacy token not supported by Windows CNG API: Le jeu de clés n’existe pas. (errno=-2146893802) 2025-09-10 17:59:04 Cannot load certificate "TMPL:[redacted]" from Microsoft Certificate Store 2025-09-10 17:59:04 Exiting due to fatal error This will be a regression to all environnements with an config-auto using a a certificate stored in Cert:\LocalMachine. If I manually add the permission to the private key to NT Service\OpenVPNServocefrom this procedure: https://www.codyhosterman.com/2019/06/assigning-read-access-to-windows-private-key/, the connection works again. Hope they will be a fix to preserve theses environnements. Regards, Louis |
|
From: <J.W...@mi...> - 2025-09-10 07:28:32
|
Speed depends on a lot of things. DCO only increase speed if you are cpu-core bound. Else it only lowers the load on your machine (imho). From: "Dan Langille" <da...@la...<mailto:da...@la...>> Date: Tuesday, 9 September 2025 at 9:03:37 pm To: "ope...@li..." <ope...@li...<mailto:ope...@li...>> Subject: Re: [Openvpn-users] logs entries not as openvpn user On Tue, Sep 9, 2025, at 2:08 PM, Marek Zarychta via Openvpn-users wrote: > W dniu 9.09.2025 o 19:23, Dan Langille pisze: >> On Tue, Sep 9, 2025, at 1:16 PM, Gert Doering wrote: >>> Hi, >>> >>> On Tue, Sep 09, 2025 at 07:07:36AM -0400, Dan Langille wrote: >>>> That's interesting: >>>> >>>> Sep 9 11:06:09 gw01 foo[26475]: my id: uid=0(root) gid=0(wheel) groups=0(wheel),5(operator) >>>> >>>> OpenVPN runs as root. >>> Interesting. So does "grep foo /etc/passwd" turn up anything? >> Yes, it finds the expected user (which is not actually foo). >> >> [17:22 gw01 dvl ~] % grep foo /etc/passwd >> foo:*:1002:1002:User &:/usr/home/foo:/bin/sh >> >> [17:22 gw01 dvl ~] % grep foo /etc/group >> wheel:*:0:root,dvl,foo >> foo:*:1002: >> > It will not run as user on recent FreeBSD, unless you disable DCO. If > you don't care for DCO and don't need to run learn-address script, then > please add to your config file: > > user openvpn > > disable-dco Great point. DCO seems to speed things up a little bit. https://dan.langille.org/2025/03/10/get-faster-openvpn-on-freebsd-by-enabling-dco-easily-done/ I opted to have it on. Just for fun. I would prefer to run as non-root, that's often a goal for me. -- Dan Langille da...@la... _______________________________________________ Openvpn-users mailing list Ope...@li... https://lists.sourceforge.net/lists/listinfo/openvpn-users Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten. This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages. |
|
From: Gert D. <ge...@gr...> - 2025-09-09 21:06:35
|
Hi,
On Tue, Sep 09, 2025 at 02:59:47PM -0400, Dan Langille wrote:
> DCO seems to speed things up a little bit.
DCO speeds up things significantly while at the same time reducing
CPU load. Whether it is a "must have" depends on overall VPN
requirements... for a "I need this to securely reach low-bandwidth
things at home" profile it's not needed ;-)
> I would prefer to run as non-root, that's often a goal for me.
As of today, we haven't looked deeply into whether this is possible
on FreeBSD, and if yes, how so. OpenVPN needs to do privileged system
calls to tell the kernel "hey, new peer, use these keys" (etc).
On Linux, there is CAP_NET_ADMIN which can grant this sort of access to
non-root processes. On FreeBSD, I don't know (yet).
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany ge...@gr...
|
|
From: Dan L. <da...@la...> - 2025-09-09 19:00:14
|
On Tue, Sep 9, 2025, at 2:08 PM, Marek Zarychta via Openvpn-users wrote: > W dniu 9.09.2025 o 19:23, Dan Langille pisze: >> On Tue, Sep 9, 2025, at 1:16 PM, Gert Doering wrote: >>> Hi, >>> >>> On Tue, Sep 09, 2025 at 07:07:36AM -0400, Dan Langille wrote: >>>> That's interesting: >>>> >>>> Sep 9 11:06:09 gw01 foo[26475]: my id: uid=0(root) gid=0(wheel) groups=0(wheel),5(operator) >>>> >>>> OpenVPN runs as root. >>> Interesting. So does "grep foo /etc/passwd" turn up anything? >> Yes, it finds the expected user (which is not actually foo). >> >> [17:22 gw01 dvl ~] % grep foo /etc/passwd >> foo:*:1002:1002:User &:/usr/home/foo:/bin/sh >> >> [17:22 gw01 dvl ~] % grep foo /etc/group >> wheel:*:0:root,dvl,foo >> foo:*:1002: >> > It will not run as user on recent FreeBSD, unless you disable DCO. If > you don't care for DCO and don't need to run learn-address script, then > please add to your config file: > > user openvpn > > disable-dco Great point. DCO seems to speed things up a little bit. https://dan.langille.org/2025/03/10/get-faster-openvpn-on-freebsd-by-enabling-dco-easily-done/ I opted to have it on. Just for fun. I would prefer to run as non-root, that's often a goal for me. -- Dan Langille da...@la... |
412 messages has been excluded from this view by a project administrator.
