- Reuse the MUST_BE_UNDEF macro in more places
- Add a second parameter so it actually reports the
correct option name
- Add MUST_BE_FALSE for similar cases
- Reorder the checks for cert/key options to make
more sense. Some of the checks could have never
fired due to wrong placement of the management
checks
- Some other small cleanups like missing spaces
in multiline string literal
Change-Id: I4f766fa22865eaf4466c31cf55e3d73b00008c38
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250318155320.32573-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31155.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When multihome option is enabled, OpenVPN passes ipi_addr to DCO, which
is always 0.0.0.0. It should use ipi_spec_dst instead.
Signed-off-by: Qingfang Deng <dqfext@gmail.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20250227032522.3734947-1-dqfext@gmail.com>
URL: https://sourceforge.net/p/openvpn/mailman/message/59154010/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Instead of spawning a netsh process, set the name server addresses
directly in the registry hive of the VPN interface.
This is a first step to get rid of the use of command line tools in the
service and move to a more API driven style of modifying the VPN adapter
configuration.
Change-Id: Id2bed0908e84c19b8fb6fe806376316793e550b4
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20250312101156.5756-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59159531/
URL: https://gerrit.openvpn.net/c/openvpn/+/825
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Instead of using wmic on Windows to set one (the first) DNS domain,
modify the registry directly and let the resolver know that something
changed.
This fixes that more than one search domain suffix could only be applied
when DHCP and the tap driver was used. Now this works as well in netsh
mode with the interactive service.
If possible the search domains are stored with the rest of the VPN interface
parameter values. However, a global search list and one which is
distributed via group policy have priority (in that order), so we probe
for the existence of those first. In order to be able to restore the
original list in any case we store an "initial list" as a backup of the
search list before we modify it.
Github: closesOpenVPN/openvpn#642
Change-Id: Icaffbfa6b2e8efa2bd24a05537cb74b15f4fed96
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250312092259.26487-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31108.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This allow the server to set and override the username that is assumed
for the client for interaction with the client after the authentication.
This is especially intended to allow the of use auth-gen-token in
scenarios where the clients use certificates and multi-factor
authentication.
It allows a client to successfully roam to a different server and have
a correct username and auth-token that can be accepted by that server as
fully authenticated user without requiring MFA again.
The scenario that this feature is probably most useful
when --management-client-auth is in use as in this mode the OpenVPN
server can accept clients without username/password but still use
--auth-gen-token with username and password to accept auth-token as
alternative authentication. A client without a username will also not
use the pushed auth-token. So setting/pushing an auth-token-user
will ensure that the client has a username.
Github: OpenVPN/openvpn#299
Change-Id: Ia4095518d5e4447992a2974e0d7a159d79ba6b6f
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250311155904.4446-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31091.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This has been #if 0 for over a decade. Let's just
remove this.
Change-Id: If570253e57371e4126b0e8aa4c349e2051cb8b00
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250309165500.21796-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31083.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
TCP connected sockets do not need any remote addr
because the destination is fixed.
For this reason we can avoid sending the remote addr
along the peer-new dco call.
This change is important on Linux because the new 'ovpn'
kernel module is stricter when it comes to accepting
netlink messages and will reject calls with TCP sockets
if a remote address is specified.
Change-Id: I76e2e616c6ffe436a9627fa71aaace74030b2f4a
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250309153017.5163-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31078.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Occasionally, CMD_DEL_PEER is not delivered to userspace, preventing the
openvpn process from registering the event. To handle this case, we
check if calls to the Linux DCO module return an error, and, if so, send
a SIGUSR1 signal to reset the session.
Most DCO commands that return an error already trigger a SIGUSR1 signal
or even call _exit(1). This commit extends that behavior to include
dco_get_peer_stats_multi() and dco_get_peer_stats().
Change-Id: Ib118426c5a69256894040c69856a4003d9f4637c
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250305171730.250444-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31022.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit renames all instances of 'struct link_socket'
from the abbreviation 'ls' to the more descriptive 'sock'
making it clearer that the variables represent
socket-related structures.
No functional changes have been introduced.
Change-Id: Iff12c4dbac84a814612aa8b5b89224be08bb9058
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250306101339.12985-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59156800/
URL: https://gerrit.openvpn.net/c/openvpn/+/874
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Add all the bound sockets to the event loop.
The main server loop has been updated to handle both
TCP and UDP connections.
The hash function has also been modified to include the
protocol during the creation of new client instances.
There are also a couple of refinements to make the
whole code flow management capable of handling
different kind of clients:
MULTI: properly remove TCP instances by checking the multi_instance
protocol instead of the global one.
TLS: set the tls_option xmit_hold bool value to true only in case of
TCP child instance to avoid checking the global protocol
value.
INIT: initialize the c->c2.event_set in the inherit_context_top()
by default and not only in case of UDP since we could have
multiple different sockets.
Change-Id: I31bbf87e4e568021445c7512ecefadfd4a69b363
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250306095928.10229-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31028.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
To make it easier to exclude them from compiler
warnings.
Based on the existing comment in init.c
Change-Id: I925accd8267f94ecfd9ccea85bae965dc2a10208
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250228170232.322186-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30990.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
To make it more easily available to everyone.
Change-Id: I3922714972fffb3d7b1592f882d09c1fe1137241
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Yuriy Darnobyt <yura.uddr@gmail.com>
Message-Id: <20250228170045.321832-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30989.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Unlike Linux/FreeBSD, dco-win doesn't have access to a
system routing table, so we have to maintain internal routing
table in the driver. For that, we have 4 ioctls to add/delete
IPv4/IPv6 iroutes. When adding iroute, we pass peer-id, so that
the driver is able to associate a subnet with a peer context.
Change-Id: I36a5442c0a5667628f419bc64efe5fb562ad3b57
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250220124205.27502-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30958.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The uppercasing was first introduced together with the
x509-username-field option in commit 935c62be, and first released with
v2.2.0 in 2011. The uppercasing was later deprecated with commit
f4e0ad82 and release v2.4.0 in 2016. It think it is time to finally
remove it.
This deprecated feature prevents you from using non-extension
all-lowercase fieldnames like `name`, because these are converted to
uppercase and then cause an error. The deprecation warning is also shown
in cases where there is no actual uppercasing happening, for example
with numerical forms (aka oids) like `2.5.4.41` (oid of `name`).
Signed-off-by: Corubba Smith <corubba@gmx.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <cb8317eb-bfb6-47e8-9bc3-ae5cc603ff21@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30915.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When built against OpenSSL, the parameters of the x509-username-fields
option are in extract_x509_field_ssl() fed through OBJ_txt2obj() [0]
which accepts "long names and short names [...] as well as numerical
forms." Because of this, you can for example use `x509-username-field
2.5.4.41` to make OpenVPN read the `name` field [1].
x509-username-fields is currently not implemented for mbed TLS, so that
can be ignored.
[0] https://docs.openssl.org/1.1.1/man3/OBJ_nid2obj/
[1] https://oidref.com/2.5.4.41
Signed-off-by: Corubba Smith <corubba@gmx.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <eac80c73-e702-4d5c-b90a-fdaf4edd74f1@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30916.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The driver supports notifications mechanism, which
is used to notify userspace about various events,
such as peer keepalive timeout, key expire and so on.
This uses existing framework of subscribing and
receiving dco notifications, used by FreeBSD and Linux
implementations. On Windows we use overlapped IO,
which state we keep in DCO context. We create an event,
which is associated with overlapped operation,
and inject it into openvpn event loop. When event is
signalled, we read overlapped result into DCO context,
which is later used by already existing code which
handles peer deletion.
Change-Id: Iedc10616225f6769c66d3c29d4a462b622ebbc6e
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250220080907.9298-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30950.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is the main commit for dco-win multipeer
implementation.
This adds concept of "mode" to DCO implementation,
which is peer-to-peer or multipeer. Depending on mode,
some functions use MP-specific IOCTL commands, which
include peer-id as a part of input.
The driver initialization accomodates server mode,
in which tun device is created before transport.
Since on Windows the socket is visible to the kernel only,
control channel packets have to be prepended with remote
sockaddr of the peer - this allows userspace to distinguish
among peers. Sadly there is no reliable way to get peer local
address, such as on Linux/FreeBSD, so we have to do a bit of
guesswork to figure out IP address based on remote IP and local
routing table, which may backfire if there are multiple IPs
assigned to the same network adapter. However, as for now
peer-specific local IP is not used by the driver. We use
instead the result of bind() to the listening address.
Existing sockethandle_finalize() function has been refactored
to accomodate packets with possibly prepended sockaddr.
Change-Id: Ia267276d61fa1425ba205f54ba6eb89021f32dba
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250219215417.18260-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30935.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
On some newer Android handsets, changing to a different network
often does not trigger a TCP reset but continues using the old
connection (e.g. using mobile connection when WiFi becomes available)
Force a reconnect in these situation to have a more expected beheaviour.
Change-Id: Id4febcceecab33ee5189cd67b249a15d12b84799
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250215152456.5691-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30908.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When using --redirect-gateway (IPv4) while connected to an IPv6 remote,
OpenVPN still attempts to determine the IPv4 default gateway,
so link_socket_current_remote() returns IPV4_INVALID_ADDR (0xffffffff)
as the destination, leading to unintended behavior:
- the IPv4 default gateway (rl->rgi.gateway.addr) gets wiped.
- this prevents proper restoration of the original route when needed.
To fix this, if link_socket_current_remote() returns IPV4_INVALID_ADDR,
we now pass INADDR_ANY (0x00000000) to get_default_gateway(),
ensuring the function behaves correctly.
Change-Id: I02afe6817433ca21aae76671c35151ec6a066933
Signed-off-by: Marco Baffo <marco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250214153434.18539-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30895.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
There is a mode to build with a real Android NDK that requires setting
up cmake to build with the NDK and so.
For quick&dirty compile tests that do not actually use the Android NDK
on Linux, -DFAKE_ANDROID on Linux can be used to compile a binary using
TARGET_ANDROID.
Change-Id: If6afa1108f9234f98afdbe0de7b7320403871772
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250214125238.17558-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30885.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Drop Ubuntu 20.04
GHA runners will go away in April 2025
- Change ubuntu-latest to ubuntu-24.04
to make sure we are not surprised by
future changes.
- Update vcpkg digest to latest 33e9c99
- Update github actions to latest
Change-Id: I29b68675143988c3304395d9d5ec62289cf519a7
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Yuriy Darnobyt <yura.uddr@gmail.com>
Message-Id: <20250212215151.619-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30852.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
With DCO and possible future hardware assisted OpenVPN acceleration we
are approaching the point where 32 bit IVs are not cutting it any more,
especially if we are limiting the IVs to the safe limits of AES-GCM where
the limit is more 2^29.
To illustrate the problem, some back of the envelope math here:
If we want to keep the current 3600s renegotiation interval and have
a safety margin of 25% (when we trigger renegotiation) we have about
3.2 million packets (2*32 * 0.7) to work with. That translates to
about 835k packets per second. Currently, implementation trigger the
renegotiation at 0xff00000000 or at 7/8 of the AEAD usage limit.
With 1300 Byte packets that translates into 8-9 Gbit/s. That is far
from unrealistic any more. Current DCO implementations are already in
spitting distance to that or might even reach (for a single client
connection) that if you have extremely fast
single core performance CPU.
With the AEAD usage limit, these limits are almost a factor of 8 lower
so with the limit becomes 1-2 GBit/s. This is already reached without
DCO on some platforms.
This introduces the epoch data format for AEAD data channel
ciphers in TLS mode ciphers. No effort has been made to support
larger packet counters in any other scenario since those are all legacy.
This uses the same approach of epoch keys as (D)TLS 1.3 does and switches
the data channel regularly for affected AEAD ciphers when reaching the
usage limit.
For Chacha20-Poly1305, which does not suffer the same problems as AES-GCM,
the full 48 bit of packet counter are used only after that the same logic
to switch to a new key as with AES-GCM is done.
Change-Id: I00751c42cb04e30205ba8e6584530831e0d143c5
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: MaxF <max@max-fillinger.net>
Message-Id: <20250212161311.16888-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30845.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit 94b391d7ef5 changed context->link_socket to context->link_sockets
but did not change the Android code path.
Change-Id: If6a636b2099d948e249cf92ed2ba91d1698ee42f
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250212123820.19099-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30833.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is a code path that only affects Android
Change-Id: I3f05318fb6f8d9e32d07532a4f0c6ccf8fb757ce
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250212123652.18183-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30832.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
mingw complains about "old-style function definition" and since we
use explicit (void) everyhwere else...
Change-Id: I59e34058d6e0611208767fbcf39d1b91784ebcf9
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250205170232.3473-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30813.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco-win doesn't yet support multisocket, so for the time
being we have to fallback to tap-windows6.
Change-Id: I8724eda269b816dd2cfd0833d467e6d24054e96f
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250205122341.4944-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30805.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This doesn't matter for Linux and FreeBSD but matters
for dco-win, where iroute subnet is mapped to a peer
context, which means that peer has to be created before
iroute is added.
Change-Id: I1cac0f036504c87205a3c97589a94a662cf79b99
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250201121102.27395-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30780.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When having a non-existent lwipovpn binary or similar problems, the
error reporting would often only report read error that were harder to
identify the real problem. Add the openvpn_waitpid_check method
that checks for error conditions and reports a better message in cases
of problems.
Change-Id: I81cbecd19018290d85c6c77fba7769f040d66233
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250201122006.32098-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30782.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco-win requires control packets to be prepended
with sockaddr. For that, an offset value in buffer
must be kept. Doing it always doesn't harm and makes
code cleaner compared to adding "if (dco_win_server)"
condition.
Change-Id: I145573555aaace5e94774b5f977d032d3747ed72
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250121161025.37545-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30519.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When adding host route for IPv4, we use the default gateway. There are
cases, however, when this does not work - for example when remote
is not accessible via default gateway but via dedicated route.
Factor out code to look for the best gateway to reach the host from
get_default_gateway_ipv6() and generalize is for IPv4/6.
Change-Id: I6c7e1cef637fe9fb3f3bc6ff4fb2c65599cd86fb
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250131154135.32169-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30769.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Remove the old "read /proc/net/route and try to parse it" implementation
and always use the sitnl/netlink implementation of net_route_v4_best_gw().
This was kept "because we had it and it was working" but does not really
provide any benefit - netlink for route queries is there for v6 anyway,
and the main argument for keeping --enable-iproute2 is "some users want
to run non-standard 'ip' binaries to do things" - which is not affected
by this change.
Change-Id: I6f17140109106b37e6b0e690df1d87720ccf6f91
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20250131084707.24905-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30748.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This adds Linux/SITNL platform functionality to the framework started by
commit 9df51cf56 and commit 0fcfc8381f.
v2: make comment reflect reality
Change-Id: I1db72d7dca648a8ea4ec65d173290a819971305c
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20250131084651.24765-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30749.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is an old debug option, which used to print "the default routes found"
for IPv4 and IPv6, and optionally "a route to a particular IPv6 target"
if passed an argument.
With the work started in commit 0fcfc8381f60d we want this to handle
IPv4 as well, mostly to be able to easily test per-platform
get_default_gateway() implementations.
The implementation is simplistic - if <arg> can be parsed as an IPv4 or
IPv6 address, that particular protocol lookup will do "the host route"
and the other one will stick to "the default route".
NOTE: as of this commit, there is no backend functionality for IPv4, so
it will not actually print anything interesting. This will be added in
further platform dependent commits.
v2: amend --help output
v3: uncrustify (#ifdef block too long, comments at #endif required now)
Change-Id: Ic438c583a782035ecb9b5ea65702a768ae2585f5
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20250129173007.3280-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30728.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The current persist-tun section has no mention of
retaining IP/routes and its potential usage in traffic
leaking protection.
Spell this out to allow the user to better understand
when this option can play an important role.
Change-Id: I6816f61b308ca9f6d1f9f687a6dc8e0aa2d044e0
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250129094125.13420-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30684.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fix issue reported by Coverity:
CID 1641564: Uninitialized variables (UNINIT)
Using unitialized value "maddr.proto" when
calling "mroute_addr_equal()".
Due to changes at the mroute structure
which now includes the protocol, the mgmt
iface client-kill-by-addr feature has been
updated to include this new value along
with IP:port.
While at it, changed the
mroute_addr_print_ex() format to display
the protocol only in case of MR_WITH_PROTO
avoid doing it on virtual addresses when
MR_WITH_PORT is not specified.
Change-Id: I4be0ff4d308213d2ef8ba66bd3178eee1f60fff1
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250129161609.19202-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30716.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Additional context from PR on Github about changes in ssl_openssl.c
around line 1900:
This change addresses a subtle behavioral difference between AWS-LC
and OpenSSL regarding object ownership semantics in
SSL_CTX_set_client_CA_list(ctx->ctx, cert_names).
OpenSSL Behavior:
Stores a reference to the provided cert_names stack
cert_names remains valid after SSL_CTX_set_client_CA_list
AWS-LC Behavior:
Creates a copy of the parameter cert_names (which is a stack of type
X509_NAME) and converts it to a stack of CRYPTO_BUFFER (how we internally
represent X509_NAME, it's an opaque byte string). Then frees the original
passed in cert_names.
After SSL_CTX_set_client_CA_list, cert_names no longer points to valid
memory.
The proposed changes reorder operations to getting the size of the
stack before the set operation as opposed to after the set operation.
No operations between the setter and stack size check modify
cert_names. Therefore, the logical outcome should remain the same
- and this would also handle the subtle behavioral difference in
AWS-LC.
Github: closesOpenVPN/openvpn#672
Signed-off-by: Shubham Mittal <smittals@amazon.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20250128220932.2113-1-smittals@amazon.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30682.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
As a preparation of an upcoming refactoring of
get_default_gateway(), add `dest` parameter to
specify destination address to which we are looking
the best route.
Change-Id: I58735fb24bc4a94c803b7dfcd6de87af0f75522a
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250129095038.19056-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30685.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Change-Id: Ieca0f8aa07413682d39e73dd3ed21a0038d41f49
Signed-off-by: Alexander von Gluck <alex@terarocket.io>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250128124129.109647-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30655.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
A netlink error may contain more specific attributes: i.e.
missing attributes or missing neted objects.
Parse and print this information too.
Note that we are re-defining some enum entries that exist
in netlink.h starting with linux-6.1.
Since we do support distros not shipping an up-to-date
netlink.h, we had to re-define the entries we need for
this patch.
Change-Id: I9e27ff335d892429334137d028f8503da4e4ca5b
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250128134454.2888-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30658.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Using the atoi method is a best effort method that parses as much of the
input string as possible as integer and ignores the rest or return 0
if the string cannot be parsed. This is lead to unexpected results.
Change the behaviour by printing a warning in these cases instead. When
parsing a configuration, these warnings will error out since the msglevel
is M_USAGE in this case. Example:
./src/openvpn/openvpn --resolv-retry 198jj
Options error: Cannot parse argument '198jj' as non-negative integer
Reported-By: Anqi Chen <chen.anqi3@northeastern.edu>
Reported-By: Cristina Nita-Rotaru <c.nitarotaru@northeastern.edu>
Change-Id: Ie1e2eb54d516b3ae87c5ca56fe8edd77ee2be4de
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250127122531.13105-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30627.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
