OpenVPN: All TAP-Windows adapters on this system are currently in use


Working with several clients or partners might be an interesting challenge sometimes. While adding a new connection to an existing OpenVPN infrastructure I came across the following error message in the client log file: All TAP-Windows adapters on this system are currently in use.

Depending on how you installed your VPN client software, you might run into this issue when adding a client configuration for another connection. This is especially likely when the client software comes from a third-party provider, e.g. WatchGuard Mobile VPN or Sophos, and you may then struggle to resolve it.

Get the TAP-Windows driver

Check whether you have the full installation of the OpenVPN software. If so, you can skip the following steps and move directly on to adding another TAP adapter to your Windows system.

Otherwise, navigate to the Community Downloads of OpenVPN and either get the latest OpenVPN package or, if you suspect the driver itself is the issue, scroll down a little on the same page and get the Tap-windows package for your system. After the download is complete, run the installation routine and make sure to select TAP Virtual Ethernet Adapter like so:

[Screenshots: component selection in the TAP-Windows installer]

You might have to reboot Windows to complete the network driver installation.

Add a new TAP virtual ethernet adapter

Now you should be able to add an additional TAP interface to your system and make it available for your new OpenVPN connection. Hit the Start button or press the Win key, then type tap and wait for Windows to show its matches found on the system. Here is how it looks on my Windows 10:

[Screenshot: Start menu search results for "tap" on Windows 10]

Click on the entry Add a new TAP virtual ethernet adapter and confirm the User Account Control (UAC) dialog with Yes. You then see an administrative command prompt that adds another network interface to Windows.

C:\WINDOWS\system32>rem Add a new TAP virtual ethernet adapter

C:\WINDOWS\system32>"C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
Device node created. Install is complete when drivers are installed...
Updating drivers for tap0901 from C:\Program Files\TAP-Windows\driver\OemVista.inf.
Drivers installed successfully.

C:\WINDOWS\system32>pause
Press any key to continue . . .

And your OpenVPN client is ready to roll.

The shortcut in the Windows Start menu is linked to a batch file which you can also access and launch directly from %ProgramFiles%\TAP-Windows\bin.

[Screenshot: the batch file in %ProgramFiles%\TAP-Windows\bin]

Note: Make sure to run the batch file with administrative permissions. Otherwise, the driver installation will fail.

Review your existing Network Connections

Perhaps you would like to inspect the existing TAP-Windows adapters? You find them in the Control Panel under Network Connections.

[Screenshot: Network Connections in the Control Panel]

The adapters are classified as TAP-Windows Adapter V9. Here you can enable, disable or even delete an existing network interface.

Some readers might prefer interacting with a command line interface (CLI). Even on Windows there is nothing to worry about: the Network Shell (Netsh) has you covered, although it is recommended to use PowerShell to manage networking technologies:

PS C:\> Get-NetAdapter

Name                      InterfaceDescription                    ifIndex Status       
----                      --------------------                    ------- ------       
vEthernet (Default Swi... Hyper-V Virtual Ethernet Adapter             30 Up           
Wi-Fi                     Killer Wireless-n/a/ac 1535 Wireless...      28 Up           
Ethernet                  Killer E2500 Gigabit Ethernet Contro...      19 Disconnected 
Ethernet 4                TAP-Windows Adapter V9 #2                    15 Disconnected 
VMware Network Adapte...8 VMware Virtual Ethernet Adapter for ...      14 Up           
VMware Network Adapte...1 VMware Virtual Ethernet Adapter for ...      13 Up           
Ethernet 2                ThinkPad USB-C Dock Ethernet                  8 Disconnected 
Ethernet 5                TAP-Windows Adapter V9 #3                    52 Up           
VirtualBox Host-Only ...2 VirtualBox Host-Only Ethernet Adap...#2       6 Up           
Ethernet 3                TAP-Windows Adapter V9                        5 Up           

The information provided is identical to the visual representation in Windows Explorer.
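The check from the previous two sections, as an added PowerShell example that is not part of the original post: it lists every TAP-Windows Adapter V9 interface, counts how many are already in use versus free, and only when none is free runs the same tapinstall.exe command the Start-menu batch file runs. The tapinstall.exe and OemVista.inf paths and the tap0901 hardware id are the ones shown in the batch output above; the script assumes an elevated PowerShell session.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell.
#Requires -RunAsAdministrator

# Paths and hardware id as printed by the "Add a new TAP virtual ethernet adapter" batch file
$TapInstall = "C:\Program Files\TAP-Windows\bin\tapinstall.exe"
$TapInf     = "C:\Program Files\TAP-Windows\driver\OemVista.inf"
$TapHwId    = "tap0901"

# Collect all TAP-Windows V9 adapters, whatever "Ethernet N" name Windows gave them.
$tapAdapters = @(Get-NetAdapter | Where-Object {
    $_.InterfaceDescription -like "TAP-Windows Adapter V9*"
})

if ($tapAdapters.Count -eq 0) {
    Write-Warning "No TAP-Windows adapter found. Install the TAP-Windows driver package first."
    return
}

# An adapter that an OpenVPN tunnel is bound to shows Status 'Up';
# 'Disconnected' means it is free for a new connection.
$inUse = @($tapAdapters | Where-Object Status -eq 'Up')
$free  = @($tapAdapters | Where-Object Status -eq 'Disconnected')

$tapAdapters | Format-Table Name, InterfaceDescription, ifIndex, Status -AutoSize
"TAP adapters: {0} total, {1} in use, {2} free" -f $tapAdapters.Count, $inUse.Count, $free.Count

if ($free.Count -eq 0) {
    if (-not (Test-Path $TapInstall) -or -not (Test-Path $TapInf)) {
        throw "tapinstall.exe or OemVista.inf not found; is the TAP-Windows package installed?"
    }
    # Same command the batch file runs; fails without administrative permissions.
    & $TapInstall install $TapInf $TapHwId
    if ($LASTEXITCODE -ne 0) {
        throw "tapinstall.exe failed with exit code $LASTEXITCODE"
    }
    # Show the adapter list again so the new "TAP-Windows Adapter V9 #N" is visible.
    Get-NetAdapter | Where-Object InterfaceDescription -like "TAP-Windows Adapter V9*" |
        Format-Table Name, InterfaceDescription, ifIndex, Status -AutoSize
}
```

A disabled TAP adapter is counted as neither in use nor free; enable it in Network Connections before running the script if you would rather reuse it than add another one.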

Informative and Restrained as opposed to Superficial and Flashy

Infotech 2017 has started.

And I am happy to notice that, except for one or two stands, things are much more “Informative and Restrained” compared to previous editions where things tended to be “Superficial and Flashy”.

Allow me to explain.

In Mauritius, for the past few years, we have become a nation of seminars, workshops, conferences and exhibitions and, unfortunately, many of them are quite superficial and very very flashy indeed. For the past six months, I have been to many such events where the venue was beautiful (a nice hotel with a beautiful view of the lagoon), the food was excellent, the hostesses out of this world but where, personally, I felt that there was not much to listen to and learn from, except from a minority of the speakers. This is what I call “Superficial and Flashy”.

What I would prefer to have, from a personal point of view, is the kind of chaotic geekish meetup as pictured above. An event where intelligent people of all horizons can meet, exchange views, share ideas and move forward together. Of course, there is a need for a venue and some food but nothing ostentatious. This is what I call “Informative and Restrained”.

The thing is that it is easier to do “Superficial and Flashy” than “Informative and Restrained”. The reason for that is that to be informative, the speakers need to be of high-caliber and need to be properly prepared.

This is your typical Googler. Similar people are changing our world every day at Google, Facebook, Amazon, Apple, etc., but also in the IT division of most companies in the world. And, before you laugh, let me remind you that they run the world.

Pictured above are some of the people who have basically built the world as it is known today. Without them, we would still be waiting for The A-Team to be shown on TV on Saturday night. They are Steve Jobs (Apple), Sergey Brin (Google), Bill Gates (Microsoft), Larry Page (Google), Mark Zuckerberg (Facebook) and Jeff Bezos (Amazon). The missing ones being Linus Torvalds (Linux) and Richard Stallman (Free Software Foundation).

Of course, we won’t have Steve (RIP), Sergey, Bill, Larry, Mark, Jeff, Linus or Richard at Infotech. Maybe next year…

But we’ll have the 2nd best thing: the (real) innovators of Mauritius, each on his/her respective “Informative and Restrained” stand and willing to share his/her passion with you.

You just have to put aside your tendency to value the “Superficial and Flashy”, walk toward them and talk to them.

Enjoy 🙂

(First photo, courtesy of Le Méridien. Second photo, courtesy of Concept7. Third photo, courtesy of Business Insider. Fourth photo, courtesy of Youth Connect. Fifth photo, courtesy of PC Risk).

How to reduce the amount of disk space used by the systemd journal

We, Linux people, generally use systemd now and one of its components is the journal controlled by the journalctl command line tool.

As explained on the Arch wiki,

systemd has its own logging system called the journal. The /var/log/journal/ directory is a part of the systemd package and the journal will write to /var/log/journal/

The journal is always appended and therefore grows in size. On my laptop, the journal was taking 1.8Gb of space and was full of details which, I believe, I’ll never need. So I decided to clear all old contents (which the systemd people call a vacuum). I issued:

journalctl --disk-usage
journalctl --vacuum-size=64M
journalctl --disk-usage

And the journal immediately became smaller. I then issued a

journalctl --verify

which made me realise that some of the remaining journal files were corrupted (for some reason). There is no journal repair tool in systemd so I simply removed the offending files (with rm).

Now, I can easily check my journal entries for today and I know everything will be all fine:

journalctl --since today

Open and not extract .docx, .xlsx and .pptx files in the latest Gnome 3

In the latest version of Gnome 3, a subtle change was made to Nautilus, the file manager: when a ZIP file is double-clicked, its content is automatically extracted into a new folder instead of opening an application to do so. The problem is that Microsoft Office files (.docx, .xlsx, .pptx, etc.) are ZIP files. This means that double-clicking on a .pptx file extracts its content instead of opening the file in, say, LibreOffice Impress!

This makes life miserable for all those who need to open Microsoft Office files on a regular basis and, of course, this is a bug (as acknowledged by the Gnome people and the Red Hat / Fedora people).

Fortunately, it is quite easy to make Nautilus become sane again. Open Preferences and in the Behavior tab, unselect “Extract the files on open” in the Compressed Files section.

Phew!

World Creativity and Innovation Day

[Photo: the panelists]

Every 21 April, we celebrate the World Creativity and Innovation Day in Mauritius.

This year, the Mauritius Research Council organised a workshop on Creativity and Innovation and the ICT Advisory Council, which I preside, was given a slot of 30 minutes. I quickly prepared a few slides the way I like them to be (beautiful, memorable and witty) and I asked Logan Velvindron and Ish Sookun, both members of the ICT Advisory Council, to join me in a panel on Creativity and Innovation among Youth.

[Photo: Albert Einstein]

The first topic was about having fun when learning and creating. I mentioned that school and teachers can be boring, especially in our age of having Wikipedia and YouTube in our pockets. I said that it was time for our education system to become fun again, where young people can enjoy creating and learning a lot of new things in the process. Both Ish and Logan explained how much fun they have every day at work and how important this is for them.

[Photo: Steve Jobs]

The second topic was about not being afraid to be different. In Mauritius, we have a culture of conformism. Women have specific roles to play. Kids also. And, of course, everyone should remain in his place. This is bullshit! Our world is created by people who think differently and who are not afraid to take risks and disrupt existing establishments… Logan and Ish told the audience how they discovered computers, decided to become geeks and do things differently from others. They were very thankful to have supportive parents who didn’t try to impose anything on them.

[Photo: Linus Torvalds]

The third topic was about being a geek and the value of open source software for a country like Mauritius. I explained that open source software is free and this is very important for Mauritius, which is not a very rich country. But I also explained how having access to the source code of software is essential for Computer Science teachers like me to create the new generation of top programmers which Mauritius will need in the future. Young people cannot learn complex programming just by reading a book or listening to a teacher: they need to see real source code of real complex software. Logan and Ish explained how they got involved in open source software and how we all now form part of organisations such as the Linux User Group of Mauritius and Hackers.mu, and the value those organisations have.

[Photo: Sheryl Sandberg]

The last topic was about being a doer rather than a talker and that aiming for perfection, while sometimes a good thing, can sometimes prevent us from achieving. This is something I have noticed over the years in Mauritius: we love our committees. Doers are not revered though. This mentality has to change. I told the audience that we are as good as anyone from anywhere, whether it is the USA or France or India. But we should stop focusing on doing speeches. We should identify small but important problems and find feasible solutions for them.

After the panel, I got a question from Anibal Martinez who is collaborating with the Government to set up an incubator. He asked me how we can solve the Computer Science education issue in Mauritius.

I told him that in the short term, a lot can be done with ad-hoc training courses, such as the ones that I provide at Knowledge Seven. But this is not a viable model for the country. In the medium to long term, state-funded universities should find a way to revamp their Computer Science departments, which are absolutely substandard at this moment, to produce an adequate number of very competent computer scientists every year. The industry is ready to move up a level but there are not enough competencies.

Thanks to Ish and Logan for participating in the panel.

LUGM Statement on Ish Sookun

The Managing Committee of The Linux User Group Meta (Mauritius) notes that one of its members, Ish Sookun, is currently being detained under The Prevention of Terrorism Act. Ish Sookun is a valued member of the LUGM and has actively participated in the promotion of open source software and technology in general in Mauritius. The Association appeals to the authorities for the investigation to be conducted in accordance with all laws, taking into consideration the rights of all parties while safeguarding the public interest.

Tell your SSL vendor to randomize the serial number of your certificate!

Are you using SSL for your business?

Like many of you, we rely on SSL for checking our mails and doing bank transfers. As I said previously, local banks reduce the amount of money spent on paper by actively encouraging clients to use Internet Banking. I have the latest Android on my mobile phone, and I can connect to Internet Banking using the latest security technologies. However, not everybody can afford the latest Android smartphone. A lot of people are still using Android KitKat in Mauritius. If tomorrow MCB or SBM decide to deprecate SHA-1 for their SSL certificates (a hash algorithm which is getting dangerously weak) and go with SHA-256 (a more secure hash algorithm) only, a lot of clients might not be able to connect to Internet Banking. Why? Because much widely used software does not support SHA-256 very well.

What can we do with certificates with a SHA-1 hash?

CloudFlare proposed here that, when generating certificates with a SHA-1 hash, the serial number should be randomized to make it more difficult to forge those digital certificates and impersonate your business. Note that this does not mean that you can relax and stop advising your clients to upgrade their hardware and software. It buys your clients more time to properly budget for the upgrade costs of their hardware and software to be SHA-256 ready.

For example, hackers.mu uses SSL. We asked on our SSL vendor's forum about randomizing the serial number. We recommend that banks such as MCB and SBM ask their SSL vendors about the possibility of randomizing the serial number, with 20-bit entropy. Any other business that relies on SSL should consider making the same request to its SSL vendor. If your SSL vendor flatly refuses, then you have a reasonable argument for moving to another SSL vendor.

Wrong advice on Tor Usage from hacklog.mu

Hacklog.mu presentation on Tor

Hacklog.mu has a presentation on Tor on the following page. On the same page, SM mentions that HTML5 elements could be used to leak information about an Internet user even with Tor. This is correct. Several developers were aware of the problem, and there were plans to fix this in Orweb. See this URL for details. This vulnerability was reported in 2013 and fixed in the same year. The presentation by hacklog.mu took place in 2014.

Firefox as the solution?

Hacklog.mu uses Firefox from the Google Play Store and configures it to work with Tor. From a security perspective, Firefox leaks more metadata than Orweb or Tor Browser, because it lacks the patches that Orweb has. In fact, if you look at Tor Browser, you will realize that it is a modified version of Firefox with a number of patches added to protect the privacy of its users. Those patches are not in Firefox. They provide several additional layers of protection that Firefox on Android DOES NOT provide. The Tor Project constantly reworks the patches for Tor Browser and applies the same design principles in Orweb/Orfox. See the design requirements for Orweb, Orfox and Tor Browser here. We tested with Orweb and Orfox, and neither leaks, according to browserleaks.org. It is highly questionable to use Firefox, even with a mobile proxy, as by default Firefox is not designed to be as secure as Orweb, Orfox and Tor Browser.

Conclusion

We recommend that Internet users who want to remain anonymous use Orweb/Orfox on Android and Tor Browser on their PCs instead of Firefox, and avoid the example presented on hacklog.mu. ^-^

Juniper backdoor explanation

A simple explanation of a backdoor

Irshaad Abdool contacted hackers.mu concerning the Juniper vulnerability here. Unfortunately, reverse engineering a firmware image and explaining assembly code doesn't cut it for a lot of the young IT folks :)

The vulnerability

A strcmp() call was inserted. strcmp() is used for string comparisons: if the comparison succeeds, you can proceed; if not, you are denied. In this particular case, the call was inserted right before the normal authentication for SSH (or telnet). So you had your normal login, which went through the normal SSH (and telnet) code, but right before that, you had a special user that could log in and bypass the normal SSH and telnet login. That, in summary, is how this vulnerability works.

If you have any questions, please send them to us :)