Age | Commit message (Collapse) | Author |
|
Currently the life time of the auth-token is tied to the renegotiation
time. While this is fine for many setups, some setups prefer a user
to be no longer authenticated when the user disconnects from the VPN
for a certain amount of time.
This commit allows to shorten the renewal time of the auth-token and
ensures that the server resends the auth-token often enough over the
existing control channel. This way of updating the auth token is a lot
more lightweight than the alternative (frequent renegotiations).
Patch v2: fix grammar mistakes (thanks Gert), fix unit tests
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221017095145.2580186-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25407.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
From the implemention of explicit-notify and the fact that it is a an
OCC message (basically the rudimentary predecessor to control channel),
this message is very old.
I think in the past this feature fit nicely to the weird inetd + openvpn
mode that seems to have far to many hacks still left in our code. With
inetd, it made sense that the server instance quits if you press C-c
on the client.
In our current state where inetd is no longer supported, this behaviour
to exit makes little sense and this patch changes the behaviour to SIGUSR1.
Testing this lead to a confused v2 of the patch and also finally the
insight that if a CC channel exit is triggered too early the remaining
control channel packets coming in after that can trigger the HMAC code
to open a sessions again if the whole session lasted less than two
minutes (with default settings).
Patch v2: use different signals for p2mp and p2p
Patch v3: use delayed exit for P2MP/CC exit and USR1 for everything else
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221016154953.2483509-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25403.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Make sure cipher_valid only considers these four operations as valid.
This fixes that something like --data-ciphers AES-256-GCM:AES-128-CCM
will start but later fail when trying to use the CCM cipher.
We say "a supported AEAD" mode in our error since CCM is also an AEAD mode
but one we don't support, unlike GCM.
Patch v2: add the indication if the cipher was optional into the message
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20221010155515.1687151-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25379.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
OpenVPN provides the IPv4/IPv6 address of incoming client connections
to the plugin-api by means of two environment variables, $untrusted_ip
and $untrusted_ip6. This patch adds support to plugin-auth-pam to pass
this information to the PAM stack as pam_set_item(PAM_RHOST).
v3:
- styled code as openvpn
- added check for remote, if NULL after all get_env, put to point
to empy string
Signed-off-by: Paolo Cerrito <wardragon78@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221010122745.19809-1-wardragon78@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25375.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221009140042.1560899-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25369.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
The problematic behaviour happens when starting a profile without
auth-user-pass and then connecting to a server that pushes auth-token.
When the auth token expires OpenVPN asks for auth User and password
again (but it shouldn't).
The problem is that the auth_user_pass_setup sets
auth_user_pass_enabled = true; This function is called from two places.
In ssl.c it is only called with an auth-token present or that
variable already set. The other one is init_query_passwords.
Move setting auth_user_pass_enabled to the second place to ensure it is
only set if we really want passwords.
Patch v2: Remove unrelated code change
Patch v3: Rebase to master
Patch v4: Rebase to master
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20221009130805.1556517-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25367.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Until now, when HTTP proxy user and password were specified inline,
it was assumed that both creds were specified. A missing password would
result in an empty password being stored.
This behaviour is not ideal, as we want to allow the user to store the
username, but let the password be entered via stdin.
This affects both http proxy and authentication inline'd creds.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220914185937.31423-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25215.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
--auth-user-pass is probably the only option expecting a filename as
argument that cannot be inline'd as of today.
This patch allows specifying username and password inline in the config
file within the <auth-user-pass></auth-user-pass> tag.
This logic was already implemented for --http-proxy-user-pass, therefore
it was just about applying it to this specific option as well.
Note that the current logic expects username and password to always be
specified when inline. Therefore omitting the password will result in
storing an empty password.
A later patch will change this behaviour to make it consistent with the
classic case (username writte in file), where the password is requested
via stdin when missing.
While a it, add an empty line between prototypes in init.c to make
uncrustify happy.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220917134832.16359-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25236.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Disconnect clients after session-timeout expires.
session-timeout can be defined in ccd files in order to limit
per-user connection time.
Signed-off-by: Dmitry Zelenkovsky <dmitry@zelenkovsky.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221006203731.13529-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25352.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Remove function event_timeout_clear_ret as it is unused.
Cleanup event_timeout_trigger a bit. Do an instant return false if the
timeout is not defined and inline local_now and use
event_timeout_remaining instead of local duplicated code.
Add doxygen comments for all timeout function, especially for the
event_timeout_trigger function that is hard to understand otherwise.
Patch v2: add many fixes/correction suggested by Frank
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20221006122940.1202712-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25348.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
A server should push a route to a client only if there is no matching
iroute for the same client.
While this logic works fine for IPv4, there is no IPv6 counterpart.
Implement the same check for IPv6 routes and discard matching ones
from the push list.
Trac: #354
Cc: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20220628082024.19059-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24577.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Introduce V=<nn> levels to t_lpback.sh self test
V=0 - do not print any output at all
V=1 - print intro line, summary at end, and "FAIL"+Log for failing tests
V=99 - print everything + summary
code-wise, introduce test_start() / test_end() functions which do
the $? check as well, so the actual testing code is streamlined.
v2:
replace indent tabs with spaces
change [ $V == 1 ] expression to [ $V = 1 ] (POSIXly correct)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20221004131403.95597-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25332.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
FreeBSD 14 clang complains about this:
init.c:3530:13: warning: use of bitwise '|' with boolean operands
[-Wbitwise-instead-of-logical]
platform_group_get(c->options.groupname,
&c0->platform_state_group)
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
init.c:3530:13: note: cast one or both operands to int to silence this
warning
1 warning generated.
.. so do what it wants us to do.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20221004145142.19091-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25333.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This commit needs a somewhat longer background story to explain the
problem...
undo_ifconfig_ipv4()/_ipv6() started their life as part of the
TARGET_LINUX (only) close_tun() function.
In commit 611fcbc48, these functions were created, to decouple IPv4/IPv6
dependency, still TARGET_LINUX only, with an #ifdef ENABLE_IPROUTE
inside, to differenciate iproute2 vs. old-style ifconfig.
Commit dc7fcd714 changed this to "the new linux API" (sitnl), calling
net_addr_ptp_v4_del() etc. - in the first branch of the #ifdef,
changing from ENABLE_IPROUTE to TARGET_LINUX, inside a TARGET_LINUX,
so the #else branch was never looked at for any platform. The code
in that #else branch was still "the old linux ifconfig" style to
undo IPv4/IPv6 address config on the tun interface.
Now, commit 0c4d40cb8 comes along and makes undo_ifconfig_ipvX() a
global function, during the bugfix to "don't undo ifconfig if
--ifconfig-noexec is in effect". Due to "it makes the code a lot
cleaner" undo_ifconfig*() is now called from do_close_tun_simple()
and no longer from (Linux-) close_tun().
*This* now enables the old "linux ifconfig" code to be run on
"all non-windows platforms" - running commands like
ifconfig tun0 0.0.0.0
to remove the IPv4 address - which plain doesn't work on the BSDs
(and has not been tested anywhere else).
This all said, it's debatable whether any platforms actually NEED
this - all unixoid platforms remove IPv4/IPv6 addresses on interface
destroy time, so for non-persistant tun/tap interfaces, there is no
hard requirement to remove IP addresses on program exit. For
persistent tun/tap (pre-create with "ifconfig tun7 create") this is
indeed useful to restore the pre-openvpn state by removing anything
OpenVPN configured.
OpenVPN up to 2.5 did not do this IP address removal on any non-Linux
platform, which is better than exec'ing an ifconfig command that does
nothing but print an error message (very annoying in t_client.sh V=1 runs).
This all said: this patch brings an implementation of undo_ifconfig_*()
for TARGET_FREEBSD ("ifconfig tunX $ip -alias"), and brings back the
old "do nothing" behaviour for all other unixoid platforms. Tested
on FreeBSD 7.4, 12.3, 14.0.
v2: use #elif defined(TARGET_FREEBSD), otherwise it breaks other platforms
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20221004153127.527-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25337.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
If t_client.sh is run interactively, more verbose output is useful
to quickly see what it is doing. If run from a CI environment, going
through lots of output for successful tests just to find the one that
failed is non-useful.
Introduce V=<n> environment variable to control output verbosity
V=0 - do not print any per-test output at all, just overall summary
V=1 - print single header line for each successful test
print full output for failing tests
V=99 - print full output, always, as before
default is V=1 now
Signed-off-by: Gert Doering <gert@greenie.muc.de>
v2:
fix erroneous test on "-n"
do not accumulate extra "\n" in outbuf (V=1)
fix missing "-e" at "test failures. FAIL." message
fix missing "\n" when including "diff" output
fix missing "-n" when printing outbuf (= extra newline)
(and more newlines being shuffled around)
v3:
fix quoting on inclusion of "ifconfig/route diff", with newlines...
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220920132351.27718-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25285.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
In addition to global FPING_EXTRA_ARGS now also evaluate
FPING_ARGGS_<suffix>.
This can be used, for example, for a test instance for "will ToS-tagged
packets be sent properly?" by setting FPING_ARGS_2="-O 0x10".
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220926081158.40640-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25315.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Add a simple python script which generates header with
branch name and commit hash #defines.
While on it, fix filename in msvc-generate.vcxproj
and add proper copyright header to Makefile.mak.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220926064310.688-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25311.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This was originally reported on GH, but never dealt with.
Make sure 'ptr' is always initialized to prevent derefence of null
pointer in case of empty dev string.
While at it, change the if condition to use ptr instead of dev, since
dev is not used anymore in the logic.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220917125811.13549-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25235.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Since version 0.8.0, dco-win driver added support for
DEL_PEER command, which enabled --persist-tun
implementation on client side.
Add real implementation for dco_del_peer on Windows,
which calls DEL_PEER, which clears peer state
on the driver without tearing tunnel down.
When pulled options are changed on restart,
we need to close and reopen tun device. This
is not yes supported for dco-win, so we close
tun and trigger reconnect.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220830104958.91-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25136.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This allows a server to indicate a temporary problem on the server and
allows the server to indicate how to proceed (i.e. move to the next server,
retry the same server, wait a certain time,...)
This adds options_utils.c/h to be able to unit test the new function.
Patch v2: Improve documentation, format man page better, comment that
protocol-flags is not a user usable option.
Patch v3: cleanup parse_auth_failed_temp to use a simple const string
instead of a buffer
Patch v4: move message + strlen(TEMP) to caller
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20220914170134.2659433-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25210.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Current exit notification relies on data channel messages with specific
prefix. Adding these to new data channel modules (DCO) adds unncessary
complexity for the data for messages that from their idea belong to the
control channel anyway.
This patch adds announcing support for control channel and sending/receving
it. We use the simple EXIT message for this.
Patch v2: add comment about protocol-flags to be not a user visible option,
fix various grammar mistakes, remove unused argument to
receive_exit_message
Patch v3: rename data_channel_crypto_flags to imported_protocol_flags
add tls-ekm to protocol-flags.
Patch v4: rebase, use a buffer for the code that prepares the push reply
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220914165041.2658423-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25209.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
In this case the function would exit without releasing the argv object
initialized via argv_new().
Move initialization of argv after thic check is performed.
While at it, also move the declaration of gc and initizlize it with
gc_new().
Reported-by: Camille Guérin <guerincamille56@gmail.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220917224227.16988-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25245.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
While on it, remove redundant sentence
and quotation mark from --windows-driver man
description.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220917163425.351-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25240.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This is currently only possible when using the management interface
and the client-deny functionality.
Patch v3: add missing gc_free
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20220824140848.88013-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25099.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
On startup, check following conditions:
- ovpn-dco-win driver is installed. Perform this check
by trying to open adapter by symbolic name.
- options are compatible with dco. Same checks as on
Linux and FreeBSD. In addition, check that --mode server
is not used and --windows-driver is not set to tap-windows6/wintun.
If both checks are passed, use DCO.
Move options_postprocess_mutate_invariant() call
below since it depends on selected windows driver.
dco_check_option() has side effect on Windows -
if dco is not used, it might complain "cipher chachapoly
not supported by dco, disabling dco" if chachapoly
support is missing system-wide. To not to see this,
check dco options only if dco is enabled. This means
moving dco_enabled() from dco_check_startup_option()
to one level above. We do similar thing in
multi_connection_established() before checking ccd options.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220915104028.188-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25221.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
- Fix various formatting inconsistencies
- Remove outdated (as of 2.6) information from
--data-ciphers and instead add a link to
cipher negotiation chapter.
- Some drive-by fixes in related code comments
and log messages as I was reading them.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220628080814.745-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24575.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
- NetBSD "dynamic tap" (--dev tap -> tap<number>) handling had special
#ifdef'ed code inside open_tun_generic() - pull out, move to NetBSD
open_tun(). Roughly the same amount of code, less #ifdef, code flow
is more clear.
- fix one spurious warning about "remote" not being initialized
- adjust NetBSD do_open() comments to actual code - the "pre NetBSD 4.0"
code has long be removed, but the comment was still there.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220808152344.17539-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24849.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Address a few minor code review remarks:
- use constants for the inet_ntop() buffers
- replace argv_printf() + argv_printf_cat() with a single argv_printf()
- net_route_v4/6 both add and remove, so adjust the error message to
reflect that.
Signed-off-by: Kristof Provost <kprovost@netgate.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220822092834.14231-2-kprovost@netgate.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25054.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220911144834.2220049-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25165.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This also updates the host system to ubuntu 22.04 and remove the
ovpn-dco-win checkout as we now include the required headers in
our own repository.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch v2: rebase
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220826153026.337899-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25131.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch v3: Some minor cleanups in the script (rename CNs, add more comments)
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20210304114018.8442-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21603.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Following options are set on startup and cannot be changed later:
- dev
- dev-type
- connections list
- mode
- topology
Same for system-wide availability of dco.
dco_check_option_conflict(), where those options
were checked, is also called in server mode when
client is connected. Move those checks to
dco_check_startup_option_conflict() which is only
called at startup.
Since we moved dco_enabled() check to startup,
dco_check_option_conflict() might now trigger exit
on Windows if system lacks chachapoly support.
Since dco checks only need to be performed for
dco, wrap those into "if (dco_enabled) {}".
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220909121841.646-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25158.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
DEL_PEER events can be sent by ovpn-dco to userspace for various reasons.
We should trigger the ping timeout reaction only if the reason was
"peer has expired".
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220818144431.208337-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25000.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This allows scripts and plugins to parse/react to a CR_RESPONSE message
Patch V2: doc fixes, do not put script under ENABLE_PLUGIN
Patch V3: rebase
Patch V4: fix else branch of the verify_crresponse_script function
Patch V5: unify message when unable to create/write crresponse file
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20220824110930.73009-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25089.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Filters file defines custom logical folders in
Solution Explorer. We don't use this functionality
and it requires maintenance, so let's remove those.
While on it, remove dco linux files from VS project.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220905115639.379-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25149.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Reverse if condition - this allows us to get rid of
indentation level, which makes code easier to read.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220909064126.482-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25153.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220908161435.327109-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25151.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
On Linux, tun devices are created according to the following algorithm
--dev tun -> try tun0, tun1, ... tun255, use first free
--dev anything -> create a TUN device named "anything"
(as long as "anything" is not "null" or "tap[N]")
DCO was following the "other platform convention", where everything
not having a digit was iterated ("--dev tun-home" -> "tun-home0") -
which does not work for classic tun/tap devices on the BSDs anyway,
so is not the best model.
Adjust open_tun_dco_generic() to document expected behaviour and
do the thing.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Kristof Provost <kprovost@netgate.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220829190124.2636045-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25134.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
In order to build OpenVPN with DCO support on Windows there is no need
to pull the full ovpn-dco-win source code, because we now ship the
UAPI header within OpenVPN directly. This also eliminates the need
to specify the DCO_SOURCEDIR var.
At the same time, DCO is always enabled therefore passing --enable-dco
at configure time is not needed anymore.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220826084111.239523-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25120.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
The existing DCO code had extra logic for "if this is not
MR_WITH_NETBITS, set 32/128 as address length", but only for
iroute addition. For iroute deletion, this was missing, and
subsequently iroute deletion for IPv4 host routes failed on
FreeBSD DCO (commit 3433577a99).
Iroute handling differenciates between "primary" iroutes (coming
from anm IP pool or ccd/ifconfig-push), and "non-primary" iroutes,
coming from --iroute and --iroute-ipv6 statements in per-client config.
"Primary" iroutes always use "-1" for their netbits, but since these
are not installed via DCO, this is of no concern here. Whether these
can and should be changed needs further study on internal route
learning and cleanup.
Refactor options.c and multi.c to ensure that netbits is always set
for non-primary iroutes - and ASSERT() on this in the DCO path, so we can
find out if there might be other code violating this.
Change options.c::option_iroute() to always set netbits=32 for IPv4
host routes (options_iroute_ipv6() never differenciated). Since
netmask_to_netbits() also insists on "-1" for host routes, change
to netmask_to_netbits2().
Remove all the extra MR_WITH_NETBITS logic from dco.c, where it should
have never appeared.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Kristof Provost <kprovost@netgate.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220820140124.11325-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25044.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Error: test_provider.c(74): error C2099: initializer is not a constant
Fix this issue by making the const char* to const char[]. This is probably
of one the weird array decay corner cases
I could not find another/better way around this issue.
This error only occurs when building unit tests with windows which our
normal build system does not do but my out of tree cmake build script
tries and fails.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220824165718.102002-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25102.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
fping and fping6 were merged in version 4.0,
released in 2017. Many recent distributions do
not include the compatibility symlink anymore.
So if we find fping but not fping6 do not error
out but assume that fping is capable of IPv6.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20220822141806.39406-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25058.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220813204224.22576-4-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24921.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
With this change it is possible to use ovpn-dco-win when running OpenVPN
in client or P2P mode.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220825131449.260-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25108.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220822184147.281142-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25065.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Also we don't officially support it, it is nice to know when we break it.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220822184147.281142-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25064.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Building OpenVPN on the latest OpenBSD snapshot failed because EVP_MD_CTX
is an opaque struct in LibreSSL now. Therefore, call md_ctx_new() instead
of declaring them on the stack. When they're not on the stack anymore, we
don't have to call EVP_MD_CTX_init() anymore, but we need to call
EVP_MD_CTX_free() instead of cleanup.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220811120722.29168-2-maximilian.fillinger@foxcrypto.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24873.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
LibreSSL has added some of the functions that are defined here. However,
we still need RSA_F_RSA_OSSL_PRIVATE_ENCRYPT.
v2: Change ifdef condition for RSA_F_RSA_OSSL_PRIVATE_ENCRYPT.
v3: Don't break WolfSSL.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220822154037.44320-1-maximilian.fillinger@foxcrypto.com>
URL: https://www.mail-archive.com/search?l=mid&q=20220822154037.44320-1-maximilian.fillinger@foxcrypto.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
This allows us to use newer versions of
dependencies, such as openssl 3.0.2 -> 3.0.5.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220820112755.285-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25042.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
Signed-off-by: Kristof Provost <kprovost@netgate.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220812134154.16729-3-kprovost@netgate.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24895.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|