openvpn / openvpn-gui Goto Github PK

here's build log (5.4.0-4):

https://ci.appveyor.com/project/mattock/openvpn-gui/build/cygwin-3

good one (5.4.0-3):

https://ci.appveyor.com/project/mattock/openvpn-gui/build/cygwin-7

When you start the open vpn gui without administrator priviliges (which is the default) creating the new routes / ip forward entries, fails, but the tray icon turns green, which is suggesting that everything is fine.
I suggest turning it to red when not beeing able to create routes.

(Version openvpn-install-2.3.9-I601-x86_64)

Hi,

Currently if you attempt to run a second copy of OpenVPN GUI, you get:

OpenVPN GUI is already running.

Would be a lot nicer if instead of the error. The OpenVPN GUI simply reapears on screen.

Thanks,

Will

Currently open vpn leaks your real DNS IP according to DNS leak tests like https://browserleaks.com/ip and others.
So, can you please add the option to resolve all IPv4 and IPv6 DNS requests through the VPNs DNS instead of yours.
Thanks

Would it be possible to allow something the configuration file to override the name that is shown in the tray icon popover? Currently the file name of the OVPN file is used, but it would be nice if that name could also be specified in the configuration file itself.

Maybe this seems like a weird requirement, and may not seem like a good idea, why not simply change the filename? but when you download a file the characters are limited, e.g. UTF-8 support for offering downloads to browsers does not seem to work everywhere reliable, etc. Furthermore, when combining this with #156 the user may not have the option to rename first.

Can you add support for automatic updates, so you don't have to reinstall it every time there's a new update available.

openvpn-gui might be compiled with "password change disable" defined. in such case we do not need openssl at all

maybe we should make that check conditional?

When open vpn starts theres an option to select which vpn profile to use, can you please add an additional option to automatically select a random one.

Also, if one fails can you get it to automatically try a different one, if this isn't already the case.
Thanks

in line 262:
IDS_NFO_ASSIGN_IP "IP asseganto: %s"

should be
IDS_NFO_ASSIGN_IP "IP assegnato: %s"

we are trying to use OpenVPN with 2FA (two factor authentication), but the UI (on Windows) is a bit confusing. We have no need to ask for the user name, the CN is used on the server as the username. So only asking for a password/token makes more sense from the user's point of view.

There seem to be various ways to solve it:

• pre-fill the username field with the value of the CN, or the value of the setenv USERNAME "foo" from the config file (why else would it be there ;))
• allow a client option to only ask for a password and use the CN or setenv value as the username

(I realize you can use a file that lists only the username and specify that as parameter to --auth-user-pass, but that is not so easy for the user to configure as just grabbing this value from the config file)

Right now openvpn-gui tarball only has the major version in it, e.g. openvpn-gui-11.tar.gz. It would be good to have the full version in the tarball name for at least two reasons:

• All the components combined by openvpn-build would be identifiable exactly from a git diff. Right now we only know that a certain Windows installer bundle has some openvpn-gui-11 version, not if it has 11.4.0.0 or 11.5.0.0 or whatnot.
• Old minor version release tarballs would remain available on our download servers; right now they get overwritten on every openvpn-gui release.

I presented this idea earlier on openvpn-devel mailing list.

Our config requires usually 2 files to import:

I used the Import feature here:

Currently the .ovpn file is copied, but the certificate.p12 file is missing after import.

The config file contains e.g. the following line

pkcs12 certificatefilename123.p12

When it finds that line, it should automatically import the related file into the user's OpenVPN config folder, too.

Is there any way to create a portable version using the openvpn-gui? Because I want to create a portable version using this kind of GUI. Thank you!

I am trying to get OpenVPN working with a Radius server configured to send an access_challenge for an otp code it dynamically generates.

(server) openvpn server 2.3.2-7ubuntu3.1
(client) Openvpn-gui-cr.exe

The big question mark for me is how pam_radius_auth interacts with Openvpn.

Logs show that the plugin is receiving the code 11 access_challenge from the radius server:

Nov 3 15:30:21 openvpn openvpn[10910]: pam_radius_auth: Got user name xxxxxx
Nov 3 15:30:21 openvpn openvpn[10910]: pam_radius_auth: Sending RADIUS request code 1
Nov 3 15:30:21 openvpn openvpn[10910]: pam_radius_auth: Got RADIUS response code 11
Nov 3 15:30:21 openvpn openvpn[10910]: pam_radius_auth: Got response to challenge code 11
Nov 3 15:30:21 openvpn openvpn[10910]: pam_radius_auth: Got response to challenge code 3
Nov 3 15:30:21 openvpn openvpn[10910]: pam_radius_auth: authentication failed

However I don't see any pop-up box on the OpenVPN client prompting for the OTP code.

On the radius server, for the 2nd access request message (in response to the access_challenge) - openvpn is just sending the same original access_request message. The radius server then rejects access.

Do I need to modify pam_radius_auth to send messages in a special format to openvpn? I'm using this from here: https://github.com/FreeRADIUS/pam_radius/blob/master/src/pam_radius_auth.c

Hi,

apparently OpenVPN seems to be able to establish a VPN connection before a user logs on to Windows. Apparently this is being done by having OpenVPN running as a service:

https://openvpn.net/index.php/open-source/documentation/howto.html#startup

Establishing a VPN connection before logging on to Windows is especially useful when needing to log on to a domain joined machine (i.e. having to authenticate on a domain controller).

Is OpenVPN also able to offer a prompt for the VPN credentials before logging on to Windows?

Cisco AnyConnect does have that feature, it's called "Start Before Logon" or in short "SBL", see for example:

https://youtu.be/dkwC5lXu-HQ

Windows itself also does offer a similar feature:

https://blog.lan-tech.ca/2012/04/29/connect-to-windows-vpn-at-logon/
https://blog.lan-tech.ca/2013/03/02/windows-8-connect-to-vpn-before-logon/

So, Windows does seem to have a "native" button for this on the log on screen (which is also being utilized by Cisco AnyConnect).

So, would it also be possible to have OpenVPN prompt for the VPN credentials when clicking on that button, so that a user can enter his VPN credentials (username + password) and connect via VPN before logging on to Windows?

Regards

OpenVPN: OpenVPN 2.3.11-- released on 2016.05.10
OS: Windows 10.0.10586(x64)

As shown above, the icon missing after resume from sleeping.

Ref: https://github.com/selvanair/openvpn-gui/tree/save-pass
The above link is to a cleaned up version of a feature we use locally -- option to save private key and user-auth passwords (username is always saved). If more than one person is interested in this feature I'll post a PR here. @chipitsine has already asked for it.
Thanks.

The docs mention that as of OpenVPN 2.4 (GUI 11.4.0.0), the GUI no longer needs to be run as administrator so long as the OpenVPN Interactive Service is running.

However, I am unable to test this because whenever I run C:\Program Files\OpenVPN\bin\openvpn-gui.exe, it asks permission to run as admin as it did for previous versions.

I've tried to open the EXE file properties and change this requirement, but the box "Run as admin" is checked and read-only, even when I edit properties from an Admin account (see the last checkbox in the attached image)

.
I'm using Windows 7 x64, and I upgraded in-place from 2.3.12 (GUI 10)

At the moment the description above this repo here on GitHub says it is a fork of the official repo at sourceforge. If I understand correctly the repo at sourceforge is not maintained anymore and this it official one now.

So I would suggest to change the description of the repo. And ideally adjust the README and put a message on sourceforge as well.

For ISO27001 certification, we are not allowed to let users save their VPN passwords locally. Is there a way to remove or disable the 'save password' box upon authentication ?

I am looking into simplifying user configurable parameters (registry keys, command line options) and propose to eliminate these:

• passphrase_attempts: currently limited to a single digit > 0 (i.e 1 to 9). It forces the user to restart the connection after that many attempts which doesn't appear to serve any purpose. It also complicates the code (had to be worked around to support dynamic challenge, for example) and adds another registry entry for little gain.
• allow_password: this controls whether the change-password menu is shown with no regard to whether user has write access to the key file or not. Instead, we can check the file access for each key and show the menu if appropriate for a better user experience and one less registry key.
• allow edit: let the user always view the config file (or edit if permissions allow)
• disconnect_on_suspend: not needed as we do not handle suspend/resume in the GUI anymore
• allow_proxy: always show the proxy settings tab
• editor and log_viewer: hard code to notepad.exe as a fallback and use file association to open config and log files. User keeps full control through associations.

If these keys will be missed by anyone please comment.

Hello, I'm using the latest version of OpenVPN v2.4.0 just released a few days ago. I've enabled the option "Launch on Windows startup" in OpenVPN GUI. Once I restart my computer I get the a messagebox

"OpenVPNInteractiveService" is not started.
Tasks requiring administrative access may not work.

Everything is working fine though...
I checked the mentioned service and it gets automatically started. Maybe Windows is starting the GUI and service in the wrong order. Is there any way to fix?

Hi dev-team!

I'm playing around with OpenVPN 2.4_rc1 on Windows and with the feature of connecting to servers without having admin permissions. It works great and I wanted to use that in my scripts.

The command openvpn-gui.exe --connect <configfile>.ovpn works fine but I can't find a scriptable method to disconnect (optional: and exit gui) from the server.

Is there any recommended/implemented way how to do that?
If not, please interpret this issue as feature request.

on line \openvpn-gui\res\openvpn-gui-res-en.rc(115 and line 116):
LTEXT "", ID_TXT_KEYFORMAT, 0, 0, 0, 0
LTEXT "", ID_TXT_KEYFILE, 0, 0, 0, 0

and in
\openvpn-gui\passphrase.c(162): GetDlgItemText(hwndDlg, ID_TXT_KEYFILE, keyfile, _countof(keyfile) - 1);
\openvpn-gui\passphrase.c(266): GetDlgItemText(hwndDlg, ID_TXT_KEYFILE, keyfile, _countof(keyfile) - 1);
\openvpn-2.4.0\openvpn-gui\passphrase.c(405): GetDlgItemText(hwndDlg, ID_TXT_KEYFILE, keyfile, _countof(keyfile) - 1);
\openvpn-gui\passphrase.c(699): SetDlgItemText(hwndChangePSW, ID_TXT_KEYFILE, keyfilename);
so my question is: how can we get or set the dialog item text?

and GetDlgItemText and GetDlgItemTextW mixed, not consistant

people usually do not understand what does mean

"Thu Sep 15 19:18:04 2016 All TAP-Windows adapters on this system are currently in use."

we should rework UI here

I wish to design and develop a web enabled configuration(cross-browser) for openVPN setup for both server and client . Any guide/idea on how to proceed?

Building with openvpn-build fails because openvpn-gui-res-cs.rc is not packaged into the release tarballs:

--- snip ---
i686-w64-mingw32-windres -DHAVE_CONFIG_H -I.  -I/home/samuli/buildtest/openvpn-build/windows-nsis/tmp/image-i686/openvpn/include -D_UNICODE -DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=_WIN32_WINNT_VISTA -DWINVER=_WIN32_WINNT -i res/openvpn-gui-res.rc -o openvpn-gui-res.o
res/openvpn-gui-res.rc:41:33: fatal error: openvpn-gui-res-cs.rc: No such file or directory
 #include "openvpn-gui-res-cs.rc"
                                 ^
compilation terminated.
i686-w64-mingw32-windres: preprocessing failed.
make[1]: *** [openvpn-gui-res.o] Error 1
make[1]: Leaving directory `/home/samuli/buildtest/openvpn-build/windows-nsis/tmp/build-i686/openvpn-gui-11'
make: *** [install-strip] Error 2
FATAL: make openvpn-gui
FATAL: build i686 >&2
FATAL: build-complete >&2

This is because the said resource file is missing from Makefile.am. I will issue a PR to fix this.

Hi,

I am having some issues on my Windows 7 when I do ./configure.

Here are the errors I get:

Thanks in advance for any help.

I use openVPN GUI in my windows 10 computer. There is a problem with it, I am trying to use multiple HTTP proxies using connection tags , our connections are limited by TCP 80 , 443 ports so I used same remote host for all my connections , then i had 5 -6 http proxies through which i wanted the OPENVPN to iterate, but the problem is that it is not iterating the credentials as well while iterating the connection . HTTP proxy Credentials are somehow cached and not iterated through. . I believe that this is not an intended behaviour and caused while trying to Cache Credentials of the openvpn-gui .

https://drive.google.com/file/d/0BwlvQ0O2HFzzVUVZYjZSQ05FY3pnb0U0VUNrUUpLTnN5bG1J/view?usp=sharing here is the typical config.

It would be nice to add the directory the user is expected to place config files, especially with the new per user config file directory.

Can u add a network lock option where if enabled and open vpn is running, it blocks all network and internet access, when its not connected to a vpn.
Thanks

I'm using OpenVPN GUI connecting to a OpenVPN server. The server uses Google Authenticator OTP.

The client software never prompts me to enter the generated code.

Logging:
Sun Sep 17 21:06:11 2016 AUTH: Received control message: AUTH_FAILED,CRV1:R,E:F/xxxxxx+xxxxxxxxxxxxxxxxxxxxxxxx:Enter Google Authenticator Code
Sun Sep 17 21:06:11 2016 SIGUSR1[soft,auth-failure] received, process restarting
Sun Sep 17 21:06:11 2016 MANAGEMENT: >STATE:1474225571,RECONNECTING,auth-failure,,
Sun Sep 17 21:06:11 2016 Restart pause, 2 second(s)

do you guys have any idea in building the app for windows 10 mobiles and workstations.

It seems an OVPN file is somehow associated with OpenVPN, but probably not in the most helpful way:

1. Double click: opens it in notepad;
2. Right click: "Start OpenVPN on this config file" which launches OpenVPN in a terminal...

Would it be possible to associate it in such a way that either/and:

1. Double click is actually the "import" action (as manually with right click on OpenVPN icon, Import...)
2. Right click: add the option to "import".

Not sure if this is related, but what would also be nice is that if you download an OVPN file in your browser, it would offer to open/import it in OpenVPN right away without the need to download it first and search for it in your download folder.

at least the german text shown by the gui in the "about" tab is really 10 years old, talking about copyright up to 2005... didn't check other languages

It is not possible to use the "%USERPROFILE%\OpenVPN\config" folder for openvpn, if the user/computer is a member of a domain. But if the config is stored in the Program-Folder everything is ok.

Following Errors in EventLog:

openvpnserv error:
0x20000001
You have specified a config file location (xxxxxxx_VPN1.ovpn relative to C:\Users\alexander.weber\OpenVPN\config) that requires admin approval. This error may be avoided by adding your account to the "OpenVPN Administrators" group

openvpnserv error: Der Benutzername konnte nicht gefunden werden. (0x8ad)
NetUserGetLocalGroups

But I allready added the user to the "OpenVPN Administrators" group. A Test with a local user
does not have a problem.

PS:
Tested on Windows 7 X64 Pro

I was trying to get the latest openvpn client 2.3.11 and the included GUI to work with user+password + duo (two factor) and somehow failed.

I have managed to run openvpn.exe by hand with --auth-retry interact and that worked, so it's something specific to the GUI.

The OpenVPN-GUI shows v10 version. Not sure what else I am missing.

I use iphone6 ios 10.2.1 updated at the appstore openvpn 1.1.1, not provide prompt project? Why is this?

Since updating to 2.4.0 using a NTML proxy doesn't seem to work anymore. Is this a GUI or OpenVPN (configuration) issue?

OpenVPN GUI setting use proxy settings from config file

Config:
http-proxy 10.0.0.1 8080 credentials ntlm
(Also using stdin doesn't work.)

Log:
Wed Jan 04 08:48:55 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 04 08:48:55 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jan 04 08:48:55 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]10.58.243.1:8080
Wed Jan 04 08:48:55 2017 Socket Buffers: R=[8192->100000] S=[64512->100000]
Wed Jan 04 08:48:55 2017 Attempting to establish TCP connection with [AF_INET]10.0.0.1:8080 [nonblock]
Wed Jan 04 08:48:55 2017 MANAGEMENT: >STATE:1483516135,TCP_CONNECT,,,,,,
Wed Jan 04 08:48:56 2017 TCP connection established with [AF_INET]10.58.243.1:8080
Wed Jan 04 08:48:56 2017 Send to HTTP proxy: 'CONNECT example.com:443 HTTP/1.0'
Wed Jan 04 08:48:56 2017 Send to HTTP proxy: 'Host: example.com'
Wed Jan 04 08:48:56 2017 Attempting NTLM Proxy-Authorization phase 1
Wed Jan 04 08:48:56 2017 HTTP proxy returned: 'HTTP/1.1 407 Proxy Authentication Required ( Access is denied. )'
Wed Jan 04 08:48:56 2017 Proxy requires authentication
Wed Jan 04 08:48:56 2017 HTTP proxy returned: 'Via: 1.1 Sxxxxxx'
Wed Jan 04 08:48:56 2017 HTTP proxy returned: 'Proxy-Authenticate: NTLM xxxxxxxx='
Wed Jan 04 08:48:56 2017 auth string: 'xxxxxxxx
Wed Jan 04 08:48:56 2017 Received NTLM Proxy-Authorization phase 2 response
Wed Jan 04 08:48:58 2017 recv_line: TCP port read timeout expired
Wed Jan 04 08:48:58 2017 Send to HTTP proxy: 'CONNECT example.com:443 HTTP/1.0'
Wed Jan 04 08:48:58 2017 Send to HTTP proxy: 'Host: example.com'
Wed Jan 04 08:48:58 2017 Attempting NTLM Proxy-Authorization phase 3
Wed Jan 04 08:48:58 2017 Send to HTTP proxy: 'Proxy-Authorization: NTLM xxxxxxx=='
Wed Jan 04 08:48:59 2017 HTTP proxy returned: 'HTTP/1.1 200 Connection established'
Wed Jan 04 08:49:01 2017 TCP_CLIENT link local: (not bound)
Wed Jan 04 08:49:01 2017 TCP_CLIENT link remote: [AF_INET]10.0.0.1:8080
Wed Jan 04 08:49:01 2017 Server poll timeout, restarting

Currently OpenVPN gui is only provided as a system tray icon which only reads the values from config directory. I think it will be nice to have a GUI letting users configure simple parameters such as remote server and its port using a sample file.

OpenVPN for Android is a perfect example what could be done in terms of UI actually: https://github.com/schwabe/ics-openvpn

https://play.google.com/store/apps/details?id=de.blinkt.openvpn

I do not lnow any case when openvpn-gui is compiled with that feature defined.
do we really need it?

and, if we do, should I add couple of configuration to travis-ci?

Hi folks!
Are there any plans to implement "pkcs11-id-management" feature?

With latest 11.5 version i get "GUI> Error: Received NEED-STR message -- not implemented"

I suggest the following approach:

• one time is enough, no need to show that error more than once
• change text and add "Import" button to make this window looks like friendly welcome screen (e.g. https://docs.fedoraproject.org/en-US/Fedora//html/Installation_Guide/sect-installation-graphical-mode.html )

do we still need separate nsis installer for openvpn-gui?

D_UNICODE -i res/openvpn-gui-res.rc -o openvpn-gui-res.o
make: D_UNICODE: Command not found
please help me with this error

Please enable ASLR & DEP support on Windows.

The scripts run by the GUI (pre-connect, connect and disconnect) have associated timeout values in the registry. Out of these only the connect script timeout is used in any real sense (to report a timeout error that is ambiguous), the rest are just used for sleeping for that many seconds for no apparent reason.

I would like to clean up these, and run the scripts in their own threads, but wonder why the timeouts are there in the first place. The wait in worker thread just causes the status window to go non-responsive, especially for scripts that may take several seconds to complete. None of the scripts are force-terminated after timeout so it seems we can get rid of those waits altogether. Or increase those to fairly large values to be used to terminate run-away scripts...

Any thoughs?

In my organization we do not want the user to be able to save his password because we are never very sure of his environment. For example, who has access to his machine and what happens if he loses it or if someone steals it. In these cases it is easy to open the GUI to have directly access to the network of the establishment. This is why we want the connection to be made only if a secret (password) has been explicitly provided.
The disable-save-passwords option or scripts that remove the auth-data key are fine but a user can quite easily bypass this.
For me the best and simple solution would be for the server to know if the "save password" box has been checked and accept or decline the connection according to its state.
It seems to me that this information could go back to the server via a variable UV_ .… usable with peer-info
Is this implementation feasible?

OpenVPN GUI bundled with pre-2.4.0 version of OpenVPN (e.g. GUI v10) has the option in context menu to set/change password of the private key. The one with OpenVPN 2.4.0 (GUI v11.4.0.0) does not have this option anymore, although it properly prompts for password of encrypted private keys.
Can the "Change Password" option be restored please?