Hi,
On Mon, Dec 11, 2017 at 08:08:41AM -0800, Tunnelblick developer wrote:
> Thanks for your work looking into this.
No problem.
That’s the reason why I love free software: if I have a problem, I can
(try to) fix it myself.
> I would consider a patch. I have two concerns, though:
>
> - I'm not sure how to detect that OpenVPN failed before actually trying
> to connect a VPN -- for example, if there are bad options in the
> configuration file. I don't think that launchd provides such
> feedback. Currently, Tunnelblick just waits until OpenVPN returns, which
> always happens quickly: either when an error occurs and it can't proceed,
> or no error occurs and it has forked a new process to connect the VPN.
To be honnest, I share your concern. I think the traditional UNIX way to
launch daemons is simple and efficient. I don’t really understand why
Apple decided to make simple things complex with launchd. (And most
linux distros follow the same route with systemd…)
> It might work to wait for some period of time for OpenVPN to process its
> arguments and if it hasn't exited by that time, assume that it is running
> and trying to connect the VPN. Setting such a time limit so it works
> properly on both quiet and busy systems (and with fast and slow processors)
> might be tricky.
>
> An alternative might be to assume it failed and rely on feedback (or the
> lack thereof) via OpenVPN's management interface to indicate a problem (or
> lack of a problem).
I think that might be the best option.
> - I don't know what (if any) other side effects there might be if we
> don't use the OpenVPN --daemon option. I don't trust that the OpenVPN
> documentation fully lists what --deamon does I probably wouldn't want to
> make such a change without providing a way to run OpenVPN either way (that
> is, as it is done now with --deamon, and the new way using launchd).
I had a look at the OpenVPN code, and I did not see anything besides the
code in the daemon function, that does fork(), setsid(), chdir("/") and
replace STDIN_FILENO, STDOUT_FILENO and STDERR_FILENO with /dev/null.
> I think such a patch would involve replacing line 2665 of
> tunnelblick-helper.m:
>
> * status = runAsRoot(openvpnPath, arguments, 0755);*
>
> with a call to a new "runAsRootUsingLaunchd" function. That function would
> need to do all the checking that runAsRoot does, of course. (Which probably
> means that the checking should be put into a routine that both runAsRoot()
> and runAsRootUsingLaunchd() would use.)
>
> Before you spend a lot of time on this, let me think about it some more and
> maybe do some experiments.
No problem. If you wish to experiment with it, I may send you the
quick&dirty script I wrote to replace the openvpn binary.
On Mon, Dec 11, 2017 at 09:18:51AM -0800, Tunnelblick developer wrote:
> OK, I've thought about it : )
That was fast! :-)
> I have another idea: perhaps the problem (issue with
> TunnelBlick + OpenVPN + PKCS#11 + PC/SC + Smartcard) is really that
> Tunnelblick is ignoring some message from OpenVPN's management interface.
I don’t think so: I tried to capture the traffic on the management
interface with tcpdump, and I did not see any unexpected message from
OpenVPN to TunnelBlick.
> To check that, use the following Terminal command to have Tunnelblick do
> some extra logging:
>
> *defaults write net.tunnelblick.tunnelblick DB-AU -bool yes*
>
>
> and then try to connect. The Console log should contain a lot more info,
> including all the commands that OpenVPN sends Tunnelblick. You can filter
> in Console using "tunnelblick", and then post the entries for the time that
> you tried to connect.
>
> When done, you can disable the extra logging with
>
> *defaults delete net.tunnelblick.tunnelblick DB-AU*
Anyway, I’ll give it a try tomorrow.
Cheers,
--
Nicolas