This makes sure that it is properly normalized, and
on Windows seems to prevent CMake from using
backslashes which would break the build due to "unknown escape
sequence" errors.
Change-Id: I2551edfaaf5107649398a3fa1db2009ee8644671
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250507121226.13824-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31587.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
It's 2025, and almost all clients now run on Windows 10 or newer.
Instead of displaying:
"Windows version 10.0 (Windows 10 or greater), amd64 executable"
we now show the exact build number, e.g.:
"Windows version: 10.0.22631,amd64"
Remove "pre-Win7" checks in a few places.
Change-Id: I39d660ebeec76280e4d4357192b74bf2c0980615
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250505122712.5214-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31566.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
With the patchsets to add DNS configuration on Unix+MacOS systems, and
the addition of test stanzas to exercise and verify the OS specific
"dns-updown" script, it becomes important to trace test failures
("did it not ping because the DNS was not installed, or did something
else fail?") and also verify that DNS config is properly restored at
the end of each test.
Linux is probed with "resolvectl status", if available, and
"cat resolv.conf" if not. MacOS uses scutil --dns.
All other platforms use "cat resolv.conf" for now (because even if
"a tool to maintain DNS config" is available, in the end resolv.conf
is always where the final config lands).
Include a bit of restructuring to handle Linux iproute2 testing in the
"Linux" branch, and make the control flow more amenable to having a
second case / esac block.
Change-Id: I9cae7314203424e4a604073c5445559260172477
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250505142224.24935-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31568.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When trying to reformat the code with a formatter
that actually checks line-lengths, these never
come out nice otherwise.
Change-Id: I7f0ba2261b61f6eed511cbd8bb2e880d774d1365
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250505105449.18826-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31561.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This patch updates the dco userspace API to
support communication with the new in-kernel
driver.
The main change involves updating the enums
used for Netlink messages to match the
definitions expected by the kernel module.
Change-Id: I009f4e7ad38636f1c0b78d267561194c2bb4c051
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250505085722.28761-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31554.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Mention its default (on non-Windows systems), rephrase for brevity, fix
grammar, correct the module environment variable name and remove a wrong
default mentioned in a related option.
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250426121903.67930-1-kn@openbsd.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31514.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
CMake did not check for the mbedtls_ssl_set_export_keys_cb symbol
when generating an mbed TLS configuration. This causes no actual
working key exporter to be in the binary.
Also add an explicit #error to catch this situation during compilation.
Change-Id: If38e80e268dc0ee7e57de2c175c5b4db0ce55ed0
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250425131002.21772-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31510.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fixes a potential double-free issue in tls_ctx_load_cert_uri()
by explicitly nullifying the pointer immediately after calling
OSSL_STORE_INFO_free(info).
This ensures that subsequent cleanup won't attempt to free the same
structure again.
Github: closes OpenVPN/openvpn#726
Change-Id: I4507be07cd5573b2117e837ef03187535a38a4b1
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Message-Id: <20250417134636.21279-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31478.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Since 2.7, OpenVPN service (used to start persistent connections)
runs under limited virtual service account NT SERVICE\OpenVPNService.
Since it should be able to use all command-line options
and cannot be made member of "OpenVPN Administrators" group,
it has to be handled separately.
Change-Id: I44d308301dfb7c22600d8632a553288f52b3068f
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250415155131.12458-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31435.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Do not include information for the trivial Python
scripts we have. Completely eliminates the "Namespaces"
page as well.
Change-Id: Ia7186b528773c0549748f1051c1c8d1db39a7e11
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250415155656.12963-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31433.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Fix broken links to OpenSSL documentation
- Remove some unnecessary \c for function names.
Doxygen does handle them automatically.
- Add some \c for --option since otherwise --
gets converted to one character (e.g. – in
HTML).
Change-Id: I9a27248557fabcd9f7584deb4aba16cd71fb803c
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250415155720.13034-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31434.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Because this is a part of C99 if uint8_t is available.
Change-Id: I37482a8c322680add00bab52272f9945fbb3bd09
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250415155259.12601-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31440.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Implement support for setting options from --dns. This is hugely
different from what we had so far with DNS related --dhcp-option.
The main difference is that we support split DNS and DNSSEC by making
use of NRPT (Name Resolution Policy Table). Also OpenVPN tries to keep
local DNS resolution working when DNS is redirected into the tunnel. To
prevent this from happening we have --block-outside-dns, in case you
wonder. Basically we collect domains and name server addresses from
network adapters and add so-called exclude NRPT rules in addition to the
catch all rule that is pushed by the server.
All is done via the interactive service, since modifying all this
requires the elevated privileges that the openvpn process hopefully
doesn't have.
Change-Id: I576e74f3276362606e9cbd50bb5adbebaaf209cc
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20250414180636.31936-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31426.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The recent introduction of the multisocket support
did not account for some Windows-specific DCO paths.
This patch restores correct behavior on Windows.
Key changes:
- Add WIN32 guards around DCO-specific code.
- Disable wait_signal() when running in
server mode, as it conflicts with the
event engine since Windows handles
signals as I/Os.
- Ensure correct socket handling for TCP
vs UDP.
Github: closes openvpn/OpenVPN#720
Change-Id: I719b1aa2d2f4d63dc9c18d8e313fba339e3e4b0c
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20250410215037.11878-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31419.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- update vcpkg reference to 856505bb76
This includes a general work-around for the CMake 4.0
compat. See commit
a1aebfa9d5eae7cf493e0a706b43915d687bb860.
- update lukka/get-cmake action to v4
- update dependency aws/aws-lc to v1.49.1
Change-Id: Ibabb4aa80d7786614dbd6b76bd4cd096f217acfd
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Yuriy Darnobyt <yura.uddr@gmail.com>
Message-Id: <20250409131148.18147-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31399.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
With TLS 1.0 to 1.2, the used key agreement depended on the certificates
themselves. With TLS 1.3 this is no longer the case but basically always
X25519 was used. So this information has not been very interesting so far.
With OpenSSL 3.5.0 and the new X25519MLKEM768 hybrid key agreement, the used
key agreement group actually becomes interesting information.
This commit adds printing this information for OpenSSL 3.0.0+ and uses
a compat version for OpenSSL 3.0-3.1 to avoid an additional ifdef in the
code itself.
Example output with ML-DSA-65 certificates on the server (client output):
Control Channel: TLSv1.3, cipher
TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 15616
bits ML-DSA-65, signature: id-ml-dsa-65, peer signing
digest/type: mldsa65 id-ml-dsa-65,
key agreement: X25519MLKEM768
with a secp384r1 certificate:
Control Channel: TLSv1.3, cipher
TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 384
bits ECsecp384r1, signature: ecdsa-with-SHA256, peer signing
digest/type: ecdsa_secp384r1_sha384 ECDSA,
key agreement: X25519MLKEM768
Change-Id: I90d54853fe1b1d820661cc2c099e07ec5d31ed05
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250409122409.17616-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31393.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Currently override-username is artificially restricted to the length of
TLS common-name (64) for the corner case of using username-as-common-name,
which we explicitly do not recommend to use.
Do away with that limitation and only error out on longer usernames when
username-as-common-name is actually in effect.
Change-Id: I1c2c050dd160746a0f8d9c234abe1e258bc8e48d
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250402134546.3504-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31323.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
SSL_get0_peer_signature_name returns a string instead of hardcoded NIDs.
NIDs do not work with provider provided signatures or the new PQ
signatures introduced in OpenSSL 3.5.
Remove also the comment that was added earlier that says that there
is no proper API replacement for SSL_get_peer_signature_nid yet as
OpenSSL 3.5.0 has now introduced it.
Change-Id: I2bc782ceebcc91a8dc8ada0bb72ac042be46cad6
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Message-Id: <20250402153337.5262-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31336.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fix the HTML format for --local directive
to match the manpage structure.
Change-Id: I8d981a66932a5424ed959b12ee0cdddf881de91e
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Samuli Seppänen <sasepp@proton.me>
Message-Id: <20250402140901.18218-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31321.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
FreeBSD-DCO does not support TCP as transport protocol so in order to
be able to use DCO in a multi-socket environment we need to check the
local_list entries and disable DCO if any of the listening sockets
is TCP.
While at it, removed some dead code left from Multisocket polishing.
Github: closes OpenVPN/openvpn#710
Change-Id: I9b6359076a61ae2bbb8e5cea00e33969cb5f92cf
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250402132148.18810-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31324.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This fixes an internal server error condition that can be triggered by a
malicious authenticated client, a very unlucky corruption of packets in
transit or by an attacker that is able to inject a specially created
packet at the right time and is able to observe the traffic to construct
the packet.
The error condition results in an ASSERT statement being triggered,
NOTE: due to the security sensitive nature, this patch was prepared
under embargo on the security@openvpn.net mailing list, and thus has
no publicly available "mailing list discussion before merge" URL.
CVE: 2025-2704
Change-Id: I07c1352204d308e5bde5f0b85e561a5dd0bc63c8
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <385d88f0-d7c9-4330-82ff-9f5931183afd@rfc2549.org>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The OVERLAPPED structure must remain valid for the entire duration of an
asynchronous operation. Previously, when a TCP connection was pending
inside the NEW_PEER call, the OVERLAPPED structure was defined as a
local variable within dco_p2p_new_peer().
When CancelIo() was called later from close_tun_handle(), the OVERLAPPED
structure was already out of scope, resulting in undefined behavior and
stack corruption.
This fix moves the OVERLAPPED structure to the tuntap struct, ensuring
it remains valid throughout the operation's lifetime.
Github: closes OpenVPN/openvpn#715
Change-Id: Ib1db457c42a80f6b8fc0e3ceb4a895d4cf7f0155
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250401181535.7854-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59168247/
URL: https://gerrit.openvpn.net/c/openvpn/+/928
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Fix Android build with newer vcpkg
Need to sync CMAKE_SYSTEM_VERSION with vcpkg.
- Update mbedTLS v3 builds to latest release.
Depends on commit
4897c522948c8cdb82c0325ee08f6907cfc16f57
- Update all actions to latest releases.
Change-Id: Ie9bffcc487f53a3a8ae6e59b79e654360d99902c
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250331153309.77901-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31290.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Turns out that "apt install cmake" is useless since
Github installs also CMake but not as a package. So
make sure we control which CMake we get and not
Github.
Switch to get-cmake action (which also installs ninja)
and remove the installation via apt.
Change-Id: Ief11d5d7ccae084c863b50054d4e97c71f57d6f0
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250401170420.29808-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31299.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When creating a socket to connect to a remote (this happens
in client mode) always use the protocol specified for the
remote.
The listening protocol in this case is just ignored as it
does not make any sense.
Change-Id: I6d2ec69ac7a9ef5900d8f1d8541d6a19c9cb7df9
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250325105724.1285-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31234.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
In the case where key_state_export_keying_material fails we left a
half-initialised tls_wrap_reneg structure in the tls_session.
Later calls that try to free this structure cause freeing of
invalid memory locations.
To test: make key_state_export_keying_material return false even though
HAVE_EXPORT_KEYING_MATERIAL is defined and connect to a server
supporting dynamic tls-crypt (2.6.0+)
Change-Id: I54073f8b63894a62699f6ecdc90a77f9f131205b
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: MaxF <max@max-fillinger.net>
Message-Id: <20250327153606.15282-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31267.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Trying to verify some of the negotiation parts.
Change-Id: I47d95eee8a00b9878331fd6cd6a7db12665f5537
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Samuli Seppänen <sasepp@proton.me>
Message-Id: <20250327094700.305156-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31258.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
From release notes:
In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
mbedtls_ssl_handshake() now fails with
MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
if certificate-based authentication of the server is attempted.
This is because authenticating a server without knowing what name
to expect is usually insecure. To restore the old behavior, either
call mbedtls_ssl_set_hostname() with NULL as the hostname [...]
Change-Id: I8bbb6ffdac7d0029dbf3c13e62c11b61813c15ef
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: MaxF <max@max-fillinger.net>
Message-Id: <20250327113356.11233-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31262.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
With the recent changes breaking configs that included lport 0, it became
apparent that having the address family in the error message when
resolving fails would have made diagnosis in this case and probably others
much easier.
Change-Id: I1c8fcd5bb6e1fa0020d52879eefbafdb2630e7b5
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250325195750.7899-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31237.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
'lport <anything>' used to trigger 'do socket bind', which is not
useful in itself for the 'lport 0' case (port 0 -> OS assigns a
random port, as it is done for unbound sockets) unless also binding
to a particular local IP address ('--local 192.0.2.1').
The trigger for 'lport has been used, do socket bind' is
ce.local_port_defined -> change the code to test for "0", and
only set this for non-0 ports (NOTE: this is a string match,
so if you really really want the old "lport 0" behaviour, using
"lport 00" still does that...).
The ce.local_port value is still set, so '--lport 0' together
with '--local 192.0.2.1' will give you a random port number
bound to that IP address - without 'lport 0' it would default
to 1194 or the value of '--port' (if not using '--rport').
Summary: socket bind is now only done if one of these is set
- --lport <port> with <port> not "0"
- --bind (default on the client is "--nobind")
- --local <address>
Github: schwabe/ics-openvpn#1794
Change-Id: I1976307a7643c82f31d55ca32c79cbe64b6fffc6
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250324182735.12657-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31222.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
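An illustrative model of the client-side bind decision summarised in the commit above (added example, not OpenVPN's own code): the struct, field names and the --port default handling are assumptions; the three rules and the "0" string match are the commit's.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the relevant connection-entry fields. */
struct local_opts {
    const char *lport;  /* --lport value exactly as typed, or NULL if absent */
    bool bind;          /* --bind given (client default is --nobind) */
    const char *local;  /* --local address, or NULL if absent */
    int port;           /* --port value; OpenVPN's default is 1194 */
};

/* The commit's trigger for "lport has been used, do socket bind" is a
 * string comparison against "0", so "--lport 00" still counts as defined
 * and keeps the old behaviour. */
static bool local_port_defined(const struct local_opts *o)
{
    return o->lport != NULL && strcmp(o->lport, "0") != 0;
}

/* Bind only if at least one of: --lport <non-"0">, --bind, --local <addr>. */
bool should_bind_local(const struct local_opts *o)
{
    return local_port_defined(o) || o->bind || o->local != NULL;
}

/* ce.local_port is still set from --lport even for "0" (0 = OS picks a
 * random port); without --lport the --port value applies (assumption:
 * --rport handling is left out of this model). */
int effective_local_port(const struct local_opts *o)
{
    if (o->lport != NULL)
    {
        return atoi(o->lport);
    }
    return o->port;
}

int main(void)
{
    /* Constructed sample configurations covering the cases in the commit. */
    const struct {
        const char *desc;
        struct local_opts o;
    } cases[] = {
        { "plain client (no bind)",       { NULL,   false, NULL,        1194 } },
        { "--lport 0",                    { "0",    false, NULL,        1194 } },
        { "--lport 00 (old behaviour)",   { "00",   false, NULL,        1194 } },
        { "--lport 1234",                 { "1234", false, NULL,        1194 } },
        { "--lport 0 --local 192.0.2.1",  { "0",    false, "192.0.2.1", 1194 } },
        { "--local 192.0.2.1",            { NULL,   false, "192.0.2.1", 1194 } },
        { "--bind",                       { NULL,   true,  NULL,        1194 } },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
    {
        printf("%-32s bind=%s local_port=%d\n", cases[i].desc,
               should_bind_local(&cases[i].o) ? "yes" : "no",
               effective_local_port(&cases[i].o));
    }
    return 0;
}
```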
- Mention that pushing auth-token-user only happens when OpenVPN also
generates the auth-token.
- mention that OpenVPN will only accept the original and overridden username
from a client
- suggest to use auth-token-user when a user generates the auth-token
Change-Id: Ifc7443974345042ab9945d6a10e1d1b4525e5e05
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250324135441.26725-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31210.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This fixes the build failures on MSVC cl compiler.
MSVC cl does not think of the expression of a const variable times
an integer to be compile time static. C23 introduces the constexpr
(like in C++) statement for that but we are only on C11 for now.
So directly use the _countof(msg->addr) expression in the array
initialisation.
Change-Id: Ib579c1538eb5440bb7008bc866a5cb7d74844374
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250324133759.13155-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31205.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Instead of making the string buffer statically sized for a max. of
four addresses, calculate it to hold up to the max number of addresses
a dns_cfg_message_t can hold (currently four as well). Improves the code
so that it doesn't rely on the addresses never being more than four in
the future.
Change-Id: I23710b1f5b2122ec1f14465911836c0f0afa9c64
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250324083350.4019-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31196.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit db48cea changed logic to move logic from a variable and repeated
checks to an if clause.
The old code had
const bool ccnr = (options->auth_user_pass_verify_script
|| PLUGIN_OPTION_LIST(options)
|| MAN_CLIENT_AUTH_ENABLED(options));
followed by several conditions that checked !ccnr
This commit fixes the if clause by correctly applying De Morgan's law.
Github: closes OpenVPN/openvpn#706
Change-Id: I28a8abd0ee3fa9168a716171b0a405476089c4a1
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Message-Id: <20250323211359.14117-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59164222/
URL: http://gerrit.openvpn.net/c/openvpn/+/912
Signed-off-by: Gert Doering <gert@greenie.muc.de>
These are slightly different and so not covered
by my automatic conversion script. Use __func__
to make the actual string slightly shorter.
Change-Id: If15862fe537496ac836fc443936ff8e7876a39c0
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250318173914.24425-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31161.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Reuse the MUST_BE_UNDEF macro in more places
- Add a second parameter so it actually reports the
correct option name
- Add MUST_BE_FALSE for similar cases
- Reorder the checks for cert/key options to make
more sense. Some of the checks could have never
fired due to wrong placement of the management
checks
- Some other small cleanups like missing spaces
in multiline string literal
Change-Id: I4f766fa22865eaf4466c31cf55e3d73b00008c38
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250318155320.32573-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31155.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When multihome option is enabled, OpenVPN passes ipi_addr to DCO, which
is always 0.0.0.0. It should use ipi_spec_dst instead.
Signed-off-by: Qingfang Deng <dqfext@gmail.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20250227032522.3734947-1-dqfext@gmail.com>
URL: https://sourceforge.net/p/openvpn/mailman/message/59154010/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Instead of spawning a netsh process, set the name server addresses
directly in the registry hive of the VPN interface.
This is a first step to get rid of the use of command line tools in the
service and move to a more API driven style of modifying the VPN adapter
configuration.
Change-Id: Id2bed0908e84c19b8fb6fe806376316793e550b4
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20250312101156.5756-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59159531/
URL: https://gerrit.openvpn.net/c/openvpn/+/825
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Instead of using wmic on Windows to set one (the first) DNS domain,
modify the registry directly and let the resolver know that something
changed.
This fixes that more than one search domain suffix could only be applied
when DHCP and the tap driver were used. Now this works as well in netsh
mode with the interactive service.
If possible the search domains are stored with the rest of the VPN interface
parameter values. However, a global search list and one which is
distributed via group policy have priority (in that order), so we probe
for the existence of those first. In order to be able to restore the
original list in any case we store an "initial list" as a backup of the
search list before we modify it.
Github: closes OpenVPN/openvpn#642
Change-Id: Icaffbfa6b2e8efa2bd24a05537cb74b15f4fed96
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250312092259.26487-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31108.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This allows the server to set and override the username that is assumed
for the client for interaction with the client after the authentication.
This is especially intended to allow the use of auth-gen-token in
scenarios where the clients use certificates and multi-factor
authentication.
It allows a client to successfully roam to a different server and have
a correct username and auth-token that can be accepted by that server as
fully authenticated user without requiring MFA again.
The scenario where this feature is probably most useful is
when --management-client-auth is in use, as in this mode the OpenVPN
server can accept clients without username/password but still use
--auth-gen-token with username and password to accept auth-token as
alternative authentication. A client without a username will also not
use the pushed auth-token. So setting/pushing an auth-token-user
will ensure that the client has a username.
Github: OpenVPN/openvpn#299
Change-Id: Ia4095518d5e4447992a2974e0d7a159d79ba6b6f
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250311155904.4446-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31091.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This has been #if 0 for over a decade. Let's just
remove this.
Change-Id: If570253e57371e4126b0e8aa4c349e2051cb8b00
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250309165500.21796-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31083.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
TCP connected sockets do not need any remote addr
because the destination is fixed.
For this reason we can avoid sending the remote addr
along the peer-new dco call.
This change is important on Linux because the new 'ovpn'
kernel module is stricter when it comes to accepting
netlink messages and will reject calls with TCP sockets
if a remote address is specified.
Change-Id: I76e2e616c6ffe436a9627fa71aaace74030b2f4a
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250309153017.5163-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31078.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Occasionally, CMD_DEL_PEER is not delivered to userspace, preventing the
openvpn process from registering the event. To handle this case, we
check if calls to the Linux DCO module return an error, and, if so, send
a SIGUSR1 signal to reset the session.
Most DCO commands that return an error already trigger a SIGUSR1 signal
or even call _exit(1). This commit extends that behavior to include
dco_get_peer_stats_multi() and dco_get_peer_stats().
Change-Id: Ib118426c5a69256894040c69856a4003d9f4637c
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250305171730.250444-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31022.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit renames all instances of 'struct link_socket'
from the abbreviation 'ls' to the more descriptive 'sock'
making it clearer that the variables represent
socket-related structures.
No functional changes have been introduced.
Change-Id: Iff12c4dbac84a814612aa8b5b89224be08bb9058
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250306101339.12985-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59156800/
URL: https://gerrit.openvpn.net/c/openvpn/+/874
Signed-off-by: Gert Doering <gert@greenie.muc.de>