path: root/doc
Age  Commit message  Author

2023-07-17  fix typo: dhcp-options to dhcp-option in vpn-network-options.rst  (George Pchelkin)
Closes: OpenVPN/openvpn#313
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230714092557.229260-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26855.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 9d2e947e7358c7998f13b142d8bf17a2ce9eb7a3)

2022-11-11  Implement optional cipher in --data-ciphers prefixed with ?  (Arne Schwabe)
This allows using the same configuration on multiple platforms/SSL libraries and including optional algorithms that are not available on all platforms. For example "AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305" can be used to emulate the default behaviour of OpenVPN 2.6.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211201180727.2496903-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23279.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 766044507497c41f0319159c37992788ecb681e6)

2022-06-21  Update the replay-window backtrack log message  (Martin Janů)
The man pages reference a logging message which has been rephrased in ac1310528a248c99e039e7afaf48724ad1b7f10e. This commit updates the man page message to reflect the change for improved grep-ability.
Signed-off-by: Martin Janů <martin.janu@protonmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <SVrvuTydxR6Qs_mvwvG7mqT8iLV0inlcCMXoenZTMI8M0LkosV4pZsH9m_XCTwcRWAPN5H8Zdro0ubhJrnSp6v5KC2ZNAL9So0Y2SKiSe7g=@protonmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24472.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 98cbd2914cb728bfaa6ce36a968e944555c57d53)

2022-05-22  cipher-negotiation.rst missing from doc/Makefile.am  (Jan Mikkelsen)
Trac: #1461
Signed-off-by: Jan Mikkelsen <janm@transactionware.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220518183715.931-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24394.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7c8dd98ec10f61c3b014b64c24090717cd6ebf05)

2022-05-13  Allow loading of non default providers  (Arne Schwabe)
This allows OpenVPN to load non-default providers. This is mainly useful for loading the legacy provider with --providers legacy default.

Cherry-pick of 08081aa0a153 to release/2.5. Changes.rst has been adjusted to better fit the changes in 2.5.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220512121429.2096164-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24327.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

2022-05-04  Add insecure tls-cert-profile options  (Arne Schwabe)
The recent deprecation of SHA1 certificates in OpenSSL 3.0 makes it necessary to reallow them in certain deployments. Currently this works by using the hack of using tls-cipher "DEFAULT:@SECLEVEL=0". Add "insecure" as option to tls-cert-profile to allow setting a seclevel of 0.

Patch v4: fix default accidentally changed to insecure
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <20211029112407.2004234-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23076.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 23efeb7a0bd9e0a6d997ae6e77e0e04170da3e67)

2022-03-15  plug-ins: Disallow multiple deferred authentication plug-ins  (David Sommerseth)
The plug-in API in OpenVPN 2.x is not designed for running multiple deferred authentication processes in parallel. The authentication results of such configurations are not to be trusted. For now we bail out when this is discovered with an error in the log.
CVE: 2022-0547
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220313193154.9350-3-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23931.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 282ddbac54f8d4923844f69983b38dd2b813a00a)

2022-03-15  sample-plugin: New plugin for testing multiple auth plugins  (David Sommerseth)
This plugin allows setting username/passwords as well as configuring deferred authentication behaviour as part of the runtime initialization. With this plug-in it is easier to test various scenarios where multiple authentication plug-ins are active on the server side. A test documentation was also added to describe various test cases and the expected results.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220313193154.9350-2-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23932.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 79a111c7e16d157278495cb5f4c52eab2229b68e)

2022-02-16  doc/options: clean up documentation for --proto and related options  (Frank Lichtenheld)
The family specific options were generally omitted.
Cc: David Sommerseth <openvpn@sf.lists.topphemmelig.net>
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220215145425.1989-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23798.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ba9a07a69db3ddb63fceac05b92a000d9b1c805e)

2022-02-13  doc/Makefile: rebuild rst docs if input files change  (Frank Lichtenheld)
For now the dependencies are statically defined, which should be fine and is still a much better solution than to have no dependencies.

Also delete empty example-fingerprint.rst.
(cherry picked from commit 529cc6a52fc45a1a67abb5c91819ba4fb2f631e3)
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220210104445.16767-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23747.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

2022-01-27  update copyright year to 2022  (Antonio Quartulli)
Cc: David Sommerseth <davids@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220126124329.14784-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23663.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

2021-12-10  Move '--push-peer-info' documentation from 'server' to 'client options'  (Gert Doering)
While --push-peer-info can be configured on the server, it's not really intended for that, and it ended up in the "SERVER OPTIONS" section by mishap. Fix that.
Reported-by: Stella Ashburne <rewefie@gmx.com>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20211207130436.22187-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23325.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 883cd6f4031ef9920580f0862594acbb45e4b0b8)

2021-11-22  doc/man (vpn-network-options): fix foreign_option_{n} typo  (Todd Zullinger)
In 2da29362 (Improve the documentation for --dhcp-option, 2020-08-16), `foreign_option_{n}` became plural between the first and second versions of the patch. Correct it.
Signed-off-by: Todd Zullinger <tmz@pobox.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211122114104.4814-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23217.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit aee54a47142c13a29c2b59142e944fd448a406d9)

2021-11-17  doc link-options.rst: Use free open-source dynamic-DNS provider URL  (Richard T Bonhomme)
Trac: #1417
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211103202014.1121244-2-tincantech@protonmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23095.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2c2e13d9ecdd1364c6a05ad77cea2840c015aa56)

2021-11-12  Use network address for emulated DHCP server as a default  (Lev Stipakov)
This is the rebase of original Selva Nair's patch which hasn't been merged:

https://sourceforge.net/p/openvpn/mailman/message/34674818/

and documentation change to reflect code changes, which is basically a revert of another Selva's patch (which got merged):

https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13387.html

For subnet topology use "offset 0" as default for calculating DHCP server address, which makes it equal to the network address. There is no known reason why a non-zero default offset is needed. Besides, offset -1 breaks the subnet /30 case, which in some cases is pushed by OpenVPN Cloud product.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211109015927.311-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23156.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7df6583d76fc2ff485186ede75f00c9b7dc3e42c)

2021-08-23  Minor doc correction: tls-crypt-v2 key generation  (Selva Nair)
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210822152820.7072-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22747.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6ee1a272d9ce9b7863487146c3ce141a98f16773)

2021-07-09  man: Clarify IV_HWADDR  (David Sommerseth)
The IV_HWADDR description was only partially correct, as there are more implementations using other values than the MAC address of the default gateway. The intention of this value is to provide a unique identifier of the client, and on some platforms this is not possible to retrieve other than to generate this information.

The 64-byte limitation is an arbitrary value; it is not enforced by OpenVPN 2.x. But it was considered a good idea to at least have some reasonable upper limit of how long this string can be, at least for those implementing support for this information.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210709134849.161728-1-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22625.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 51d85a9d287f44c373eaa514c6a52e1078c27c43)

2021-07-02  Update Fox e-mail address in copyright notices  (Max Fillinger)
Replace openvpn@fox-it.com with openvpn@foxcrypto.com.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210701171458.8897-1-maximilian.fillinger@foxcrypto.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22608.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ccee09d1478aa69783926c208bfa235dcb055124)

2021-07-02  doc: Use generic rules for man/html generation  (David Sommerseth)
Prior to this patch, the Makefile.am needs to be modified in multiple places to add a new man or HTML page to be generated. Since it is not too often we modify this, it is easy to miss these finer details.

This changes the man and HTML generator rules to be more generic and use variables in as many places as possible. Also moved all the lines which should not need to be changed as much towards the bottom half of the file.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210630185134.144826-1-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22604.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 37cf98fa224a2ae5fc5cfa380bdb291e90d6413d)

2021-07-02  Move examples into openvpn-examples(5) man page  (Arne Schwabe)
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20210520150932.2565217-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22414.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 0c5380e906116b61ce9ed5310181291941b75227)

2021-06-15  Implement auth-token-user  (Arne Schwabe)
When not using username and password (i.e. auth-user-pass) it can still be desirable to provide the client with an auth-token, e.g. for allowing a session to continue after a reconnect without requiring 2FA again. However, without --auth-user-pass openvpn does not have a username and will ignore any pushed auth-token command.

This patch adds support for auth-token-user to set the username that should be used for auth-token. The spec of using auth-token-user base64-encoded-user is the one that OpenVPN3 already implements.

Patch V2: Improve style, fix comments and commit message
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210520151148.2565578-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22417.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b398aa37ca309948b481401adf0074ea5589eb2d)

2021-06-15  Improve documentation of AUTH_PENDING related directives  (Selva Nair)
Also fix some typos.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210602034253.19984-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22475.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e0f860f4b38e60c2e1ce7b069f7c6c923c52e5ca)

2021-06-15  Update copyrights  (David Sommerseth)
- Update the update-copyright script to include more contributors as well as correcting a few typos
- Correct a copyright address in the source code to the now used address (dazo)
- Update copyright year to 2021
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210609213231.22576-1-openvpn@sf.lists.topphemmelig.net>
URL: https://www.mail-archive.com/search?l=mid&q=20210609213231.22576-1-openvpn@sf.lists.topphemmelig.net
URL: https://sourceforge.net/p/openvpn/mailman/message/37299719/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 05271322e7b5f453fe9d85310e500d3460ac8ca4)

2021-04-20  Move auth_token_state from multi to key_state  (Arne Schwabe)
The auth-token check is tied to the username/password that is coming via a specific SSL session, so keep the state also in the key_state structure. This also ensures the auth_token_state is always set to 0 on a new session since we clear the key_state object at the start of a new SSL session.

This is a prerequisite patch to fix 2020-15078 in the following two commits.

2nd patch, squashed into the first one:

This also applies the changes to the auth_token_test.c. The change of tls_session to a pointer is necessary since before that we had tls_session not tied to the multi and had two tls_session used in the test. One implicitly in tls_multi and one explicit one. Merge these to one.
CVE: 2020-15078
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <d25ec73f-2ab0-31df-8cb6-7778000f4822@openvpn.net>
URL: non-public, embargoed
Signed-off-by: Gert Doering <gert@greenie.muc.de>

2021-01-20  Document common uses of 'echo' directive, re-enable logging for 'echo'.  (Gert Doering)
The 'echo' command can be used to signal information to an OpenVPN GUI driving the openvpn core via management interface. Which commands exist and their syntax have so far been mostly undocumented.

Condense the long and good discussion between Selva Nair and Jonathan K. Bullard into doc/gui-notes.txt (initial draft from Jonathan, comments from Selva and Arne), with a pointer added to doc/management-notes.txt.

See:

https://sourceforge.net/p/openvpn/mailman/openvpn-users/thread/CAEsd45T%2Bd6FUJ9Po0KHwtHjfuL9Q2D-poG8yFtY45Qyh%2BtHjkg%40mail.gmail.com/#msg36136236

and

https://sourceforge.net/p/openvpn/mailman/openvpn-devel/thread/CAKuzo_jPThhvXTJAtzhqVUVOLPW1VGu6h2jQhVsHicY8P2WRqA%40mail.gmail.com/#msg36141193

for the details.

Re-enable logging of 'echo' statements, but only for the particular class of messages starting with 'echo msg...'.

v2: incorporate feedback from Selva Nair, correct >ECHO examples
v3: add "msg*" support status for Windows GUI (11.22.0) and Android (Planned)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20210118162850.24214-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21443.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit ef2405a6bf5e8159d2e51e45107bc280fd6d0bd3)

2021-01-20  Man page sections corrections  (Richard Bonhomme)
Signed-off-by: Richard Bonhomme <tincanteksup@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210119215617.116886-1-tincanteksup@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21451.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3b1ded3902b051b3c25f6e77da834ecd1b9f7eca)

2021-01-18  Clarify --block-ipv6 intent and direction.  (Gert Doering)
--block-ipv6 is a fairly special-purpose option, and only blocks packets in the client->server direction. This is implied by not ever mentioning the other direction in the existing documentation, but not written down. Make this explicit, avoid confusion.

Also, point out why this option exists (avoid IPv6 leakage from dual-stacked clients around IPv4-only VPN offerings).
Trac: #1351
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Richard Bonhomme <tincanteksup@gmail.com>
Message-Id: <20201225164214.22771-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21407.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 8a8ee283aa7a4b409a9dafc082a6c65b5539308b)

2020-11-24  build: Fix missing install of man page in certain environments  (David Sommerseth)
It turns out the logic for dist_man_MANS was incorrectly put inside the HAVE_PYDOCUTILS block. This results in the man page being installed only if python-docutils is installed and available.

The solution is simple: move the dist_man_MANS part outside the python-docutils block. The openvpn.8 file is prebuilt in source tarballs and will thus be available.
Reported-By: Philip Brown <philip@pbdigital.org>
Tested-By: Philip Brown <philip@pbdigital.org>
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20201029213259.1636-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21236.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit fc25ca3a7cf720fbb53889fdba6ac0154c7c9c1a)

2020-10-04  Added 'route_ipv6_metric_NN' environment variable for IPv6 route metric.  (Jan Seeger)
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200930064845.28022-1-jan.seeger@thenybble.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21110.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit bfb288454aa43f8c2d0131bc87b48a37e4ab01b4)

2020-09-29  Alias ADAPTER_DOMAIN_SUFFIX to DOMAIN  (Lev Stipakov)
ADAPTER_DOMAIN_SUFFIX is an openvpn3 replacement for DOMAIN, which is used there for split-dns. This option is pushed by modern Access Server. This change improves compatibility between OpenVPN community client and Access Server.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200922100021.20329-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21107.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit d6720203fa9ba446497798a284c17093b92de1dc)

2020-09-29  Improve documentation of --username-as-common-name  (Selva Nair)
Trac: #1079
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1601232360-14096-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21098.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 66ad8727935a371e237a5bada142c9f5f467c3f8)

2020-09-17  If IPv6 pool specification sets pool start to ::0 address, increment.  (Gert Doering)
The first IPv6 address in a subnet is not usable (IPv6 anycast address), but our pool code ignored this. Instead of assigning an unusable address or erroring out, just log the fact, and increment the pool start to <pool_base>::1

NOTE: this is a bit simplistic. A pool that is larger than /96 and has non-0 bits in the "uppermost bits" will still get the increment as we only look at the lowermost 32 bits.

NOTE2: if the pool is specified with "--server-ipv6 $base/$bits", this is a non-issue, as the address for the pool start will be incremented anyway.

v2: make comment more explicit about "we're only talking about the host part here" and "base sees only 32 bit of the host part"
Reported-by: NicolaF_ in Trac
Trac: #1282
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20200917085941.20972-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21039.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 4dff236811a1ec9c97a27ad93182ad4beb12377f)

2020-09-14  man: Improve --remote entry  (David Sommerseth)
The --remote entry had a syntax mistake in the argument examples, which was introduced during the .rst conversion. In addition this section did not have a good flow. So the text was regrouped and re-organized a bit so related text pieces are now gathered in the same context instead of being more spread out.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200909183012.7504-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20935.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 97ff64360745d27004e97043507ac788db23799c)

2020-09-11  man: Add missing --server-ipv6  (David Sommerseth)
During the conversion from .8 to .rst and further reorganizing of the content into separate files, the --server-ipv6 entry got lost. This resurrects it again.
Trac: #1324
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200911154259.13837-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20970.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 8120e1ad4f20d4ec1fa9e191f3b15740c4aec448)

2020-09-11  Fix description of --client-disconnect calling convention in manpage.  (Gert Doering)
The man page claimed that --client-disconnect "is passed the same pathname as the corresponding --client-connect command", which is not what the code does. Fix.
Reported-By: hvenev in Trac
Trac: #884
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20200909122926.9523-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20929.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 50c7700da09a1f83474e18f8709d59dbc4b509e2)

2020-09-11  Add a remark on dropping privileges when --mlock is used  (Selva Nair)
Trac: #1059
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1599689729-25906-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20937.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5b815eb449314a43e2b73325948edea8a4cfb215)

2020-09-10  Fix best gateway selection over netlink  (Vladislav Grishenko)
Netlink route request with NLM_F_DUMP flag set means to return all entries matching criteria passed in message content - matching supplied family & dst address in our case. So, gateway from the first ipv4 route was always used.

On kernels earlier than 2.6.38 default routes are the last ones, so an arbitrary host/net route w/o gateway is likely to be returned as first, causing gateway to be invalid or empty. After refactoring in 2.6.38 kernel default routes are on top, so the problem with older kernels was hidden.

Fix this behavior by selecting first 0.0.0.0/0 if dst was not set or empty. For IPv6, no behavior is changed - request ::/128 route, so just clarify the sizes via netlink route api.

Tested on 5.4.0, 4.1.51, 2.6.36 and 2.6.22 kernels.
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20200908123625.23179-1-themiron@yandex-team.ru>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20900.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 505d5ad8fadcdc56bae07f4b95c05acd93a47c24)

2020-09-09  Document that --push-remove is generally more suitable than --push-reset  (Gert Doering)
It's a long-standing and well-known problem that --push-reset removes "critical" options from the push list (like "topology subnet") which will then lead to non-working client configs.

This cannot be reasonably fixed, because the list of "critical" options depends on overall server config. So just document the fact, and point people towards --push-remove as a more selective tool.
Trac: #29
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200908111511.9271-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20899.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 5fd66510dfdef628fa95f156c5f9d80af9ae1531)

2020-08-17  Improve the documentation for --dhcp-option  (Selva Nair)
- Stress that these are handled internally only on some platforms
- Correct the statement about wintun
- Document DOMAIN-SEARCH
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1597604799-23135-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20759.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 2da29362cc93aa1b8c24386e162b9cdd3b55c3b1)

2020-08-16  doc: fix typos in cipher-negotiation.rst  (Magnus Kroken)
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200815120522.1404-3-mkroken@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20748.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit e33f44754a5f81ea013070dba3cdc162f41d1257)

2020-08-12  Improve sections about older OpenVPN clients in cipher-negotiation.rst  (Arne Schwabe)
- Explain the IV_NCP=2 client situation in 2.4 a bit better.
- Make more clear what exact versions are meant in the old client section
- add a missing - in a heading

Thanks to Richard Bonhomme for initial proof reading.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200812085412.19178-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20714.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

2020-08-12  Add deprecation notice for --ncp-disable to protocol-options.rst  (Gert Doering)
Signed-off-by: Gert Doering <gert@greenie.muc.de>

2020-08-11  Document comp-lzo no and compress being incompatible  (Arne Schwabe)
Most of the new compress (but not v2) versions do use the swap operation. For 'compress lzo' the swap option is not used for backwards compatibility. For lz4 the swap option is also not a problem since there is no version without swap.

Unfortunately, compress introduced a second stub format with swap, contrary to the one in 'comp-lzo no' that does not use swap. Document this weirdness so that others do not fall into this trap.

v2: redo patch for rst man pages
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200811110248.3396-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20708.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

2020-08-10  Document different behaviour of dynamic cipher negotiation  (Arne Schwabe)
This adds a section in the man page that details the various behaviour of older client/servers when using OpenVPN 2.5.

Patch V2: Include grammar/spelling fixes from Richard Bonhomme <tincanteksup@gmail.com>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200810090032.4220-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20660.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

2020-08-10  Rework NCP compatibility logic and drop BF-CBC support by default  (Arne Schwabe)
This reworks the NCP logic to be more strict about what is considered an acceptable result of an NCP negotiation. It also allows us to finally drop support for BF-CBC as default cipher.

All new behaviour is currently limited to server/client mode with pull enabled. P2p mode without pull does not change.

New Server behaviour:

- when a client announces its supported ciphers through either OCC or IV_CIPHER/IV_NCP we reject the client with an AUTH_FAILED message if we have no common cipher.
- When a client does not announce any cipher in either OCC or NCP we reject it unless data-ciphers-fallback is specified in either ccd/ or config.

New client behaviour:

- When no cipher is pushed (or a cipher we refused to support) and we also cannot support the server's cipher announced in OCC we fail the connection and log why
- If there is no cipher in OCC but data-ciphers-fallback is specified we will use the fallback cipher instead of failing the connection

Both client and server behaviour:

- We only announce --cipher xyz in occ if we are willing to support that cipher (always announce the cipher if NCP is disabled or not in --client mode). It means that we only announce the fallback-cipher if it is also contained in --data-ciphers

Compatibility behaviour:

In 2.5 both client and server will use a --cipher xyz present in the config to automatically set --data-ciphers-fallback xyz and also append this cipher to the end of data-ciphers. We log a warning about this and point to --data-ciphers and --data-ciphers-fallback. This also happens if the configuration contains an explicit --cipher BF-CBC.

If --cipher is not set, we only warn that previous versions allowed BF-CBC and point out how to re-enable BF-CBC.

This will break configs where someone connects a 2.3 client (or older) to a 2.5 server AND has no explicit --cipher setting in the server config. We still do it, because at some point we need to drop the BF-CBC default - and affected users already had the scary SWEET32 warning in their logs for a long time.

In short: If --cipher is explicitly set then 2.5 will work the same as 2.4 did. When --cipher is not set, BF-CBC support is dropped and we warn about it.

Examples how breaking the default BF-CBC will be logged:

Client side:

- Client connecting to server that does not push cipher but has --cipher in OCC

  OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('BF-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-CBC') if you want to connect to this server.

- Client connecting to a server that does not support OCC:

  OPTIONS ERROR: failed to negotiate cipher with server. Configure --data-ciphers-fallback if you want connect to this server.

Server Side:

- Server has a client only supporting BF-CBC connecting:

  styx/IP PUSH: No common cipher between server and client. Server data-ciphers: 'CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM:AES-256-CBC:AES-128-CBC', client supports cipher 'BF-CBC'.

- Client without OCC:

  styx/IP PUSH:No NCP or OCC cipher data received from peer.
  styx/IP Use --data-ciphers-fallback with the cipher the client is using if you want to allow the client to connect

In all cases the client is rejected with this message:

  AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)

Signed-off-by: Arne Schwabe <arne@rfc2549.org>

Patch V2: rename fallback-cipher to data-ciphers-fallback
          add all corrections from Steffan
          Ignore occ cipher for clients sending IV_CIPHERS
          move client side ncp in its own function
          do not print INSECURE cipher warning if BF-CBC is not allowed

Patch V3: fix minor style, add null check when client sends no peerinfo at all
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200809141922.7853-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20656.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

2020-08-04  client-connect: Add documentation for the deferred client connect feature  (Arne Schwabe)

Signed-off-by: David Sommerseth <davids@openvpn.net>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>

Patch V5: Fix typos, clarify man page section about deferred client-connect script. Add section to Changes.rst

Patch V6: Convert manpage to rst. It also incorporates suggested changes from Richard Bonhomme <tincanteksup@gmail.com> [0]

[0] Message-ID: <82c2d70f-e2f9-f810-2c55-788358a0cb08@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20331.html

Patch V7: Re-include the changes of Changes.rst and openvpn-plugin.h. Clarify some parts of the documentation.

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200720142703.3324-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20511.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-27  Rename ncp-ciphers to data-ciphers  (Arne Schwabe)

The change in name signals that data-ciphers is the preferred way to configure the data channel (and not --cipher). The data prefix is chosen to avoid ambiguity and make it distinct from tls-cipher for the TLS ciphers.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
Message-Id: <20200717134739.21168-8-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20444.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-22  Indicate that a client is in pull mode in IV_PROTO  (Arne Schwabe)

This allows us to skip waiting for the first PUSH_REQUEST message from the client to send the response.

This changes the interpretation of IV_PROTO from a scalar to a bitfield. Since we only have IV_PROTO=2 defined so far and will support DATA_V2, this should not cause any problems. This avoids adding another IV_xxx variable that takes valuable space in the protocol frame.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>

Patch V2: Use bitmask for IV_PROTO_DATA_V2 and add more documentation.

Patch V3: Rewrite IV_PROTO paragraph in man page, incorporate spelling fixes by Richard Bonhomme <tincanteksup@gmail.com>

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200721163811.22745-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20525.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-21  Implement tls-groups option to specify elliptic curves/groups  (Arne Schwabe)

By default OpenSSL 1.1+ only allows signatures and ecdh/ecdhx from the default list of X25519:secp256r1:X448:secp521r1:secp384r1. In TLS 1.3 the key exchange is independent of the signature/key of the certificates, so allowing all groups per default is not a sensible choice anymore and instead a shorter list is reasonable. However, when using certificates with exotic curves that are not on the group list, the signatures of these certificates will no longer be accepted. The tls-groups option allows modifying the group list to account for these corner cases.

Patch V2: Uses local gc_arena instead of malloc/free, reword commit message. Fix other typos/clarify messages

Patch V3: Style fixes, adjust code to changes from mbedTLS session fix

Patch V5: Fix compilation with OpenSSL 1.0.2

Patch V6: Redo the 'while((token = strsep(&tmp_groups, ":"))' change which accidentally got lost.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20200721154922.17144-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20521.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-21  Remove key-method 1  (Arne Schwabe)

Key-method 1 is only needed to talk to pre OpenVPN 2.0 clients.

Patch V2: Fix style. Make V1 op codes illegal, remove all code handling v1 op codes and give a good warning message if we encounter them in the legal op codes pre-check.

Patch V3: Add a bit more comments in the existing methods.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20200721100128.9850-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20516.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>