 * OpenVPN -- An application to securely tunnel IP networks
 * over a single UDP port, with support for SSL/TLS-based
 * session authentication and key exchange,
 * packet encryption, packet authentication, and
 * Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
 * Copyright (C) 2008-2023 David Sommerseth <dazo@eurephia.org>
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2
 * as published by the Free Software Foundation.
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 * 2004-01-28: Added Socks5 proxy support
 * (Christof Meerwald, http://cmeerw.org)
32 #elif defined(_MSC_VER)
33 #include "config-msvc.h"
35 #ifdef HAVE_CONFIG_VERSION_H
36 #include "config-version.h"
44 #include "run_command.h"
52 #include "packet_id.h"
61 #include "ssl_verify.h"
63 #include "xkey_common.h"
69 const char title_string
[] =
71 #ifdef CONFIGURE_GIT_REVISION
72 " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS
"]"
75 #if defined(ENABLE_CRYPTO_MBEDTLS)
77 #elif defined(ENABLE_CRYPTO_OPENSSL)
81 #endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
89 #ifdef ENABLE_COMP_STUB
96 #ifdef PRODUCT_TAP_DEBUG
102 #if ENABLE_IP_PKTINFO
103 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
105 #elif defined(IP_RECVDSTADDR)
113 #ifdef CONFIGURE_GIT_REVISION
114 " built on " __DATE__
120 static const char usage_message
[] =
124 "--config file : Read configuration options from file.\n"
125 "--help : Show options.\n"
126 "--version : Show copyright and version information.\n"
129 "--local host : Local host name or ip address. Implies --bind.\n"
130 "--remote host [port] : Remote host name or ip address.\n"
131 "--remote-random : If multiple --remote options specified, choose one randomly.\n"
132 "--remote-random-hostname : Add a random string to remote DNS name.\n"
133 "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
134 "--proto p : Use protocol p for communicating with peer.\n"
135 " p = udp (default), tcp-server, tcp-client\n"
136 " udp4, tcp4-server, tcp4-client\n"
137 " udp6, tcp6-server, tcp6-client\n"
138 "--proto-force p : only consider protocol p in list of connection profiles.\n"
140 "--connect-retry n [m] : For client, number of seconds to wait between\n"
141 " connection retries (default=%d). On repeated retries\n"
142 " the wait time is exponentially increased to a maximum of m\n"
144 "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
145 "--http-proxy s p [up] [auth] : Connect to remote host\n"
146 " through an HTTP proxy at address s and port p.\n"
147 " If proxy authentication is required,\n"
148 " up is a file containing username/password on 2 lines, or\n"
149 " 'stdin' to prompt from console. Add auth='ntlm' if\n"
150 " the proxy requires NTLM authentication.\n"
151 "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
152 " determine auth method and query for username/password\n"
153 " if needed. auto-nct disables weak proxy auth methods.\n"
154 "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
155 " Repeat to set multiple options.\n"
156 " VERSION version (default=1.0)\n"
157 " AGENT user-agent\n"
158 "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
159 " address s and port p (default port = 1080).\n"
160 " If proxy authentication is required,\n"
161 " up is a file containing username/password on 2 lines, or\n"
162 " 'stdin' to prompt for console.\n"
163 "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
164 "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
165 " resolve for n seconds before failing (disabled by default).\n"
166 " Set n=\"infinite\" to retry indefinitely.\n"
167 "--float : Allow remote to change its IP address/port, such as through\n"
168 " DHCP (this is the default if --remote is not used).\n"
169 "--ipchange cmd : Run command cmd on remote ip address initial\n"
170 " setting or change -- execute as: cmd ip-address port#\n"
171 "--port port : TCP/UDP port # for both local and remote.\n"
172 "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
173 "--rport port : TCP/UDP port # for remote (default=%s).\n"
174 "--bind : Bind to local address and port. (This is the default unless\n"
175 " --proto tcp-client"
179 "--nobind : Do not bind to local address and port.\n"
180 "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
181 "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
182 " this option only if the tun/tap device used with --dev\n"
183 " does not begin with \"tun\" or \"tap\".\n"
184 "--dev-node node : Explicitly set the device node rather than using\n"
185 " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
186 #if defined(ENABLE_DCO)
187 "--disable-dco : Do not attempt using Data Channel Offload.\n"
189 "--lladdr hw : Set the link layer address of the tap device.\n"
190 "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
191 #ifdef ENABLE_IPROUTE
192 "--iproute cmd : Use this command instead of default " IPROUTE_PATH
".\n"
194 "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
195 " endpoint and rn as a remote endpoint. l & rn should be\n"
196 " swapped on the other peer. l & rn must be private\n"
197 " addresses outside of the subnets used by either peer.\n"
198 " TAP: configure device to use IP address l as a local\n"
199 " endpoint and rn as a subnet mask.\n"
200 "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
201 " endpoint (as a /64) and r as remote endpoint\n"
202 "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
203 " pass --ifconfig parms by environment to scripts.\n"
204 "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
205 " connection doesn't match the remote side.\n"
206 "--route network [netmask] [gateway] [metric] :\n"
207 " Add route to routing table after connection\n"
208 " is established. Multiple routes can be specified.\n"
209 " netmask default: 255.255.255.255\n"
210 " gateway default: taken from --route-gateway or --ifconfig\n"
211 " Specify default by leaving blank or setting to \"default\".\n"
212 "--route-ipv6 network/bits [gateway] [metric] :\n"
213 " Add IPv6 route to routing table after connection\n"
214 " is established. Multiple routes can be specified.\n"
215 " gateway default: taken from --route-ipv6-gateway or 'remote'\n"
216 " in --ifconfig-ipv6\n"
217 "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
218 "--route-ipv6-gateway gw : Specify a default gateway for use with --route-ipv6.\n"
219 "--route-metric m : Specify a default metric for use with --route.\n"
220 "--route-delay n [w] : Delay n seconds after connection initiation before\n"
221 " adding routes (may be 0). If not specified, routes will\n"
222 " be added immediately after tun/tap open. On Windows, wait\n"
223 " up to w seconds for TUN/TAP adapter to come up.\n"
224 "--route-up cmd : Run command cmd after routes are added.\n"
225 "--route-pre-down cmd : Run command cmd before routes are removed.\n"
226 "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
227 " --route-up script using environmental variables.\n"
228 "--route-nopull : When used with --client or --pull, accept options pushed\n"
229 " by server EXCEPT for routes, dns, and dhcp options.\n"
230 "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
231 " --ifconfig, --route, and --route-gateway.\n"
232 "--redirect-gateway [flags]: Automatically execute routing\n"
233 " commands to redirect all outgoing IP traffic through the\n"
234 " VPN. Add 'local' flag if both " PACKAGE_NAME
" servers are directly\n"
235 " connected via a common subnet, such as with WiFi.\n"
236 " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
237 " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
238 " flag to add a direct route to DHCP server, bypassing tunnel.\n"
239 " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
240 "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
241 " the default gateway. Useful when pushing private subnets.\n"
242 "--block-ipv6 : (Client) Instead sending IPv6 to the server generate\n"
243 " ICMPv6 host unreachable messages on the client.\n"
244 " (Server) Instead of forwarding IPv6 packets send\n"
245 " ICMPv6 host unreachable packets to the client.\n"
246 "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
247 "--push-peer-info : (client only) push client info to server.\n"
248 "--setenv name value : Set a custom environmental variable to pass to script.\n"
249 "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
250 " directives for future OpenVPN versions to be ignored.\n"
251 "--ignore-unkown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
252 " these options to be ignored when unknown\n"
253 "--script-security level: Where level can be:\n"
254 " 0 -- strictly no calling of external programs\n"
255 " 1 -- (default) only call built-ins such as ifconfig\n"
256 " 2 -- allow calling of built-ins and scripts\n"
257 " 3 -- allow password to be passed to scripts via env\n"
258 "--shaper n : Restrict output to peer to n bytes per second.\n"
259 "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
260 " ping once every n seconds, restart if ping not received\n"
262 "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
263 " produces a combined in/out byte count < bytes.\n"
264 "--session-timeout n: Limit connection time to n seconds.\n"
265 "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
266 "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
267 "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
269 "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
270 #if ENABLE_IP_PKTINFO
271 "--multihome : Configure a multi-homed UDP server.\n"
273 "--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n"
274 "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
275 "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
276 "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
277 "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
278 "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
279 #if PASSTOS_CAPABILITY
280 "--passtos : TOS passthrough (applies to IPv4 only).\n"
282 "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
283 " TCP/UDP MTU from it (default=%d).\n"
284 "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
285 " as n bytes more than the tun-mtu size on read\n"
286 " (default TUN=0 TAP=%d).\n"
287 "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
289 "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
290 " 'no' -- Never send DF (Don't Fragment) frames\n"
291 " 'maybe' -- Use per-route hints\n"
292 " 'yes' -- Always DF (Don't Fragment)\n"
293 "--mtu-test : Empirically measure and report MTU.\n"
294 #ifdef ENABLE_FRAGMENT
295 "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
296 " datagrams are sent which are larger than max bytes.\n"
297 " Adds 4 bytes of overhead per datagram.\n"
299 "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
300 " or --fragment max value, whichever is lower.\n"
301 "--sndbuf size : Set the TCP/UDP send buffer size.\n"
302 "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
303 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
304 "--mark value : Mark encrypted packets being sent with value. The mark value\n"
305 " can be matched in policy routing and packetfilter rules.\n"
306 "--bind-dev dev : Bind to the given device when making connection to a peer or\n"
307 " listening for connections. This allows sending encrypted packets\n"
308 " via a VRF present on the system.\n"
310 "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
311 #ifdef ENABLE_MEMSTATS
312 "--memstats file : Write live usage stats to memory mapped binary file.\n"
314 "--mlock : Disable Paging -- ensures key material and tunnel\n"
315 " data will never be written to disk.\n"
316 "--up cmd : Run command cmd after successful tun device open.\n"
317 " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
318 " ifconfig-local-ip ifconfig-remote-ip\n"
319 " (pre --user or --group UID/GID change)\n"
320 "--up-delay : Delay tun/tap open and possible --up script execution\n"
321 " until after TCP/UDP connection establishment with peer.\n"
322 "--down cmd : Run command cmd after tun device close.\n"
323 " (post --user/--group UID/GID change and/or --chroot)\n"
324 " (command parameters are same as --up option)\n"
325 "--down-pre : Run --down command before TUN/TAP close.\n"
326 "--up-restart : Run up/down commands for all restarts including those\n"
327 " caused by --ping-restart or SIGUSR1\n"
328 "--user user : Set UID to user after initialization.\n"
329 "--group group : Set GID to group after initialization.\n"
330 "--chroot dir : Chroot to this directory after initialization.\n"
331 #ifdef ENABLE_SELINUX
332 "--setcon context: Apply this SELinux context after initialization.\n"
334 "--cd dir : Change to this directory before initialization.\n"
335 "--daemon [name] : Become a daemon after initialization.\n"
336 " The optional 'name' parameter will be passed\n"
337 " as the program name to the system logger.\n"
338 "--syslog [name] : Output to syslog, but do not become a daemon.\n"
339 " See --daemon above for a description of the 'name' parm.\n"
340 "--log file : Output log to file which is created/truncated on open.\n"
341 "--log-append file : Append log to file, or create file if nonexistent.\n"
342 "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
343 "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
344 "--writepid file : Write main process ID to file.\n"
345 "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
346 "--echo [parms ...] : Echo parameters to log output.\n"
347 "--verb n : Set output verbosity to n (default=%d):\n"
348 " (Level 3 is recommended if you want a good summary\n"
349 " of what's happening without being swamped by output).\n"
350 " : 0 -- no output except fatal errors\n"
351 " : 1 -- startup info + connection initiated messages +\n"
352 " non-fatal encryption & net errors\n"
353 " : 2,3 -- show TLS negotiations & route info\n"
354 " : 4 -- show parameters\n"
355 " : 5 -- show 'RrWw' chars on console for each packet sent\n"
356 " and received from TCP/UDP (caps) or tun/tap (lc)\n"
357 " : 6 to 11 -- debug messages of increasing verbosity\n"
358 "--mute n : Log at most n consecutive messages in the same category.\n"
359 "--status file [n] : Write operational status to file every n seconds.\n"
360 "--status-version [n] : Choose the status file format version number.\n"
361 " Currently, n can be 1, 2, or 3 (default=1).\n"
362 "--disable-occ : (DEPRECATED) Disable options consistency check between peers.\n"
364 "--gremlin mask : Special stress testing mode (for debugging only).\n"
366 #if defined(USE_COMP)
367 "--compress alg : Use compression algorithm alg\n"
368 "--allow-compression: Specify whether compression should be allowed\n"
369 #if defined(ENABLE_LZO)
370 "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
371 " packet for incompressible data.\n"
372 "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
376 #ifdef ENABLE_MANAGEMENT
377 "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
378 " management functions. pass is a password file\n"
379 " or 'stdin' to prompt from console.\n"
380 #if UNIX_SOCK_SUPPORT
381 " To listen on a unix domain socket, specific the pathname\n"
382 " in place of ip and use 'unix' as the port number.\n"
384 "--management-client : Management interface will connect as a TCP client to\n"
385 " ip/port rather than listen as a TCP server.\n"
386 "--management-query-passwords : Query management channel for private key\n"
387 " and auth-user-pass passwords.\n"
388 "--management-query-proxy : Query management channel for proxy information.\n"
389 "--management-query-remote : Query management channel for --remote directive.\n"
390 "--management-hold : Start " PACKAGE_NAME
" in a hibernating state, until a client\n"
391 " of the management interface explicitly starts it.\n"
392 "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
393 "--management-forget-disconnect : Forget passwords when management disconnect\n"
395 "--management-up-down : Report tunnel up/down events to management interface.\n"
396 "--management-log-cache n : Cache n lines of log file history for usage\n"
397 " by the management channel.\n"
398 #if UNIX_SOCK_SUPPORT
399 "--management-client-user u : When management interface is a unix socket, only\n"
400 " allow connections from user u.\n"
401 "--management-client-group g : When management interface is a unix socket, only\n"
402 " allow connections from group g.\n"
404 "--management-client-auth : gives management interface client the responsibility\n"
405 " to authenticate clients after their client certificate\n"
406 " has been verified.\n"
407 #endif /* ifdef ENABLE_MANAGEMENT */
409 "--plugin m [str]: Load plug-in module m passing str as an argument\n"
410 " to its initialization function.\n"
412 "--vlan-tagging : Enable 802.1Q-based VLAN tagging.\n"
413 "--vlan-accept tagged|untagged|all : Set VLAN tagging mode. Default is 'all'.\n"
414 "--vlan-pvid v : Sets the Port VLAN Identifier. Defaults to 1.\n"
416 "Multi-Client Server options (when --mode server is used):\n"
417 "--server network netmask : Helper option to easily configure server mode.\n"
418 "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
419 "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
420 " easily configure ethernet bridging server mode.\n"
421 "--push \"option\" : Push a config file option back to the peer for remote\n"
422 " execution. Peer must specify --pull in its config file.\n"
423 "--push-reset : Don't inherit global push list for specific\n"
424 " client instance.\n"
425 "--push-remove opt : Remove options matching 'opt' from the push list for\n"
426 " a specific client instance.\n"
427 "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
428 " to be dynamically allocated to connecting clients.\n"
429 "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
430 " data to file, at seconds intervals (default=600).\n"
431 " If seconds=0, file will be treated as read-only.\n"
432 "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
433 " to be dynamically allocated to connecting clients.\n"
434 "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
435 " overrides --ifconfig-pool dynamic allocation.\n"
436 " Only valid in a client-specific config file.\n"
437 "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
438 " remote, overrides --ifconfig-ipv6-pool allocation.\n"
439 " Only valid in a client-specific config file.\n"
440 "--iroute network [netmask] : Route subnet to client.\n"
441 "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
442 " Sets up internal routes only.\n"
443 " Only valid in a client-specific config file.\n"
444 "--disable : Client is disabled.\n"
445 " Only valid in a client-specific config file.\n"
446 "--verify-client-cert [none|optional|require] : perform no, optional or\n"
447 " mandatory client certificate verification.\n"
448 " Default is to require the client to supply a certificate.\n"
449 "--username-as-common-name : For auth-user-pass authentication, use\n"
450 " the authenticated username as the common name,\n"
451 " rather than the common name from the client cert.\n"
452 "--auth-user-pass-verify cmd method: Query client for username/password and\n"
453 " run command cmd to verify. If method='via-env', pass\n"
454 " user/pass via environment, if method='via-file', pass\n"
455 " user/pass via temporary file.\n"
456 "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
457 " to each client, replacing the password. Useful when\n"
458 " OTP based two-factor auth mechanisms are in use and\n"
459 " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
460 " for generated tokens can be set.\n"
461 "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n"
462 " with those of the server will be disconnected.\n"
463 "--auth-user-pass-optional : Allow connections by clients that don't\n"
464 " specify a username/password.\n"
465 "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
466 " any printable character.\n"
467 "--client-to-client : Internally route client-to-client traffic.\n"
468 "--duplicate-cn : Allow multiple clients with the same common name to\n"
469 " concurrently connect.\n"
470 "--client-connect cmd : Run command cmd on client connection.\n"
471 "--client-disconnect cmd : Run command cmd on client disconnection.\n"
472 "--client-config-dir dir : Directory for custom client config files.\n"
473 "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
474 "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
475 "--hash-size r v : Set the size of the real address hash table to r and the\n"
476 " virtual address table to v.\n"
477 "--bcast-buffers n : Allocate n broadcast buffers.\n"
478 "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
479 "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
480 " as well as pushes it to connecting clients.\n"
481 "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
482 "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
483 "--connect-freq-initial n s : Allow a maximum of n replies for initial connections attempts per s seconds.\n"
484 "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
485 "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
486 "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
487 " older than n seconds. Run this check every t\n"
488 " seconds (defaults to n).\n"
489 "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
490 " clients. n = 1 - reconnect to same server,\n"
491 " 2 - advance to next server, default=1.\n"
493 "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
494 " sessions to a web server at host:port. dir specifies an\n"
495 " optional directory to write origin IP:port data.\n"
498 "Client options (when connecting to a multi-client server):\n"
499 "--client : Helper option to easily configure client mode.\n"
500 "--auth-user-pass [up] : Authenticate with server using username/password.\n"
501 " up is a file containing the username on the first line,\n"
502 " and a password on the second. If either the password or both\n"
503 " the username and the password are omitted OpenVPN will prompt\n"
504 " for them from console.\n"
505 "--pull : Accept certain config file options from the peer as if they\n"
506 " were part of the local config file. Must be specified\n"
507 " when connecting to a '--mode server' remote host.\n"
508 "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
509 " server if it starts with the text t. The action flag accept,\n"
510 " ignore or reject causes the option to be allowed, removed or\n"
511 " rejected with error. May be specified multiple times, and\n"
512 " each filter is applied in the order of appearance.\n"
513 "--dns server <n> <option> <value> [value ...] : Configure option for DNS server #n\n"
514 " Valid options are :\n"
515 " address <addr[:port]> [addr[:port]] : server address 4/6\n"
516 " resolve-domains <domain> [domain ...] : split domains\n"
517 " exclude-domains <domain> [domain ...] : domains not to resolve\n"
518 " dnssec <yes|no|optional> : option to use DNSSEC\n"
519 " type <DoH|DoT> : query server over HTTPS / TLS\n"
520 " sni <domain> : DNS server name indication\n"
521 "--dns search-domains <domain> [domain ...]:\n"
522 " Add domains to DNS domain search list\n"
523 "--auth-retry t : How to handle auth failures. Set t to\n"
524 " none (default), interact, or nointeract.\n"
525 "--static-challenge t e : Enable static challenge/response protocol using\n"
526 " challenge text t, with e indicating echo flag (0|1)\n"
527 "--connect-timeout n : when polling possible remote servers to connect to\n"
528 " in a round-robin fashion, spend no more than n seconds\n"
529 " waiting for a response before trying the next server.\n"
530 "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
531 " incoming tun packets with same destination as host.\n"
532 "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
533 " server/remote. n = # of retries, default=1.\n"
535 "Data Channel Encryption Options (must be compatible between peers):\n"
536 "(These options are meaningful for both Static Key & TLS-mode)\n"
537 "--secret f [d] : (DEPRECATED) Enable Static Key encryption mode (non-TLS).\n"
538 " Use shared secret file f, generate with --genkey.\n"
539 " The optional d parameter controls key directionality.\n"
540 " If d is specified, use separate keys for each\n"
541 " direction, set d=0 on one side of the connection,\n"
542 " and d=1 on the other side.\n"
543 "--auth alg : Authenticate packets with HMAC using message\n"
544 " digest algorithm alg (default=%s).\n"
545 " (usually adds 16 or 20 bytes per packet)\n"
546 " Set alg=none to disable authentication.\n"
547 "--cipher alg : Encrypt packets with cipher algorithm alg.\n"
548 " You should usually use --data-ciphers instead.\n"
549 " Set alg=none to disable encryption.\n"
550 "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
551 #ifndef ENABLE_CRYPTO_MBEDTLS
552 "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
554 "--no-replay : (DEPRECATED) Disable replay protection.\n"
555 "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
556 "--replay-window n [t] : Use a replay protection sliding window of size n\n"
557 " and a time window of t seconds.\n"
558 " Default n=%d t=%d\n"
559 "--replay-persist file : Persist replay-protection state across sessions\n"
561 "--test-crypto : Run a self-test of crypto features enabled.\n"
562 " For debugging only.\n"
563 #ifdef ENABLE_PREDICTION_RESISTANCE
564 "--use-prediction-resistance: Enable prediction resistance on the random\n"
565 " number generator.\n"
568 "TLS Key Negotiation Options:\n"
569 "(These options are meaningful only for TLS-mode)\n"
570 "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
571 "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
572 "--key-method m : (DEPRECATED) Data channel key exchange method. m should be a method\n"
573 " number, such as 1 (default), 2, etc.\n"
574 "--ca file : Certificate authority file in .pem format containing\n"
575 " root certificate.\n"
576 #ifndef ENABLE_CRYPTO_MBEDTLS
577 "--capath dir : A directory of trusted certificates (CAs"
579 #endif /* ENABLE_CRYPTO_MBEDTLS */
580 "--dh file : File containing Diffie Hellman parameters\n"
581 " in .pem format (for --tls-server only).\n"
582 " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
583 "--cert file : Local certificate in .pem format -- must be signed\n"
584 " by a Certificate Authority in --ca file.\n"
585 "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
586 "--key file : Local private key in .pem format.\n"
587 "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
588 " will accept from the peer. If version is unrecognized and 'or-highest'\n"
589 " is specified, require max TLS version supported by SSL implementation.\n"
590 "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
591 #ifndef ENABLE_CRYPTO_MBEDTLS
592 "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
593 " and optionally the root CA certificate.\n"
595 #ifdef ENABLE_X509ALTUSERNAME
596 "--x509-username-field : Field in x509 certificate containing the username.\n"
597 " Default is CN in the Subject field.\n"
599 "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
600 " Valid algo flags are SHA1 and SHA256. \n"
602 "--cryptoapicert select-string : Load the certificate and private key from the\n"
603 " Windows Certificate System Store.\n"
605 "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
606 "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites seperated by : (optional)\n"
607 " : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
608 "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
609 " (default=legacy).\n"
610 "--providers l : A list l of OpenSSL providers to load.\n"
611 "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
612 " if no ACK from remote within n seconds (default=%d).\n"
613 "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
614 "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
615 "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n"
616 " and at least min (defaults to 90%% of max on servers and equal\n"
617 " to max on clients).\n"
618 "--hand-window n : Data channel key exchange must finalize within n seconds\n"
619 " of handshake initiation by any peer (default=%d).\n"
620 "--tran-window n : Transition window -- old key can live this many seconds\n"
621 " after new key renegotiation begins (default=%d).\n"
622 "--single-session: Allow only one session (reset state on restart).\n"
623 "--tls-exit : Exit on TLS negotiation failure.\n"
624 "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
625 " control channel to protect against attacks on the TLS stack\n"
626 " and DoS attacks.\n"
627 " f (required) is a shared-secret key file.\n"
628 " The optional d parameter controls key directionality,\n"
629 " see --secret option for more info.\n"
630 "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
631 " of the TLS control channel to hide the TLS certificate,\n"
632 " provide basic post-quantum security and protect against\n"
633 " attacks on the TLS stack and DoS attacks.\n"
634 " key (required) provides the pre-shared key file.\n"
635 " see --secret option for more info.\n"
636 "--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n"
637 " For servers: use key to decrypt client-specific keys. For\n"
638 " key generation (--genkey tls-crypt-v2-client): use key to\n"
639 " encrypt generated client-specific key. (See --tls-crypt.)\n"
640 "--genkey tls-crypt-v2-client [keyfile] [base64 metadata]: Generate a\n"
641 " fresh tls-crypt-v2 client key, and store to\n"
642 " keyfile. If supplied, include metadata in wrapped key.\n"
643 "--genkey tls-crypt-v2-server [keyfile] [base64 metadata]: Generate a\n"
644 " fresh tls-crypt-v2 server key, and store to keyfile\n"
645 "--tls-crypt-v2-verify cmd : Run command cmd to verify the metadata of the\n"
646 " client-supplied tls-crypt-v2 client key\n"
647 "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
648 "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
649 "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
650 "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
651 " pending TLS connection that has otherwise passed all other\n"
652 " tests of certification. cmd should return 0 to allow\n"
653 " TLS handshake to proceed, or 1 to fail. (cmd is\n"
654 " executed as 'cmd certificate_depth subject')\n"
655 "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
656 " in an openvpn temporary file in [directory]. Peer cert is \n"
657 " stored before tls-verify script execution and deleted after.\n"
658 "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
659 " DN name. The remote host must also pass all other tests\n"
660 " of verification.\n"
661 "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
662 " an explicit nsCertType designation t = 'client' | 'server'.\n"
663 "--x509-track x : Save peer X509 attribute x in environment for use by\n"
664 " plugins and management interface.\n"
665 #ifdef HAVE_EXPORT_KEYING_MATERIAL
666 "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
667 " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
669 "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
670 " explicit key usage, you can specify more than one value.\n"
671 " value should be given in hex format.\n"
672 "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
673 " explicit extended key usage. Extended key usage can be encoded\n"
674 " as an object identifier or OpenSSL string representation.\n"
675 "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
676 " key usage and extended key usage based on RFC3280 TLS rules.\n"
677 " t = 'client' | 'server'.\n"
681 "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
682 "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
683 " path. Set for each provider.\n"
684 "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
685 " 0 : Try to determine automatically (default).\n"
687 " 2 : Use SignRecover.\n"
688 " 4 : Use Decrypt.\n"
690 "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
691 " certificate can be accessed. Set for each provider.\n"
692 "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
693 " cache until token is removed.\n"
694 "--pkcs11-id-management : Acquire identity from management interface.\n"
695 "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
696 #endif /* ENABLE_PKCS11 */
698 "SSL Library information:\n"
699 "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
700 "--show-digests : Show message digest algorithms to use with --auth option.\n"
701 "--show-engines : Show hardware crypto accelerator engines (if available).\n"
702 "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
705 "Windows Specific:\n"
706 "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
707 " from SystemRoot environment variable.\n"
708 "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
709 " IP address using method = manual, netsh, ipapi,\n"
710 " dynamic, or adaptive (default = adaptive).\n"
711 " Dynamic method allows two optional parameters:\n"
712 " offset: DHCP server address offset (> -256 and < 256).\n"
713 " If 0, use network address, if >0, take nth\n"
714 " address forward from network address, if <0,\n"
715 " take nth address backward from broadcast\n"
718 " lease-time: Lease time in seconds.\n"
719 " Default is one year.\n"
720 "--route-method : Which method to use for adding routes on Windows?\n"
721 " adaptive (default) -- Try ipapi then fall back to exe.\n"
722 " ipapi -- Use IP helper API.\n"
723 " exe -- Call the route.exe shell command.\n"
724 "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
725 " be used with --ip-win32 dynamic. For options\n"
726 " which allow multiple addresses,\n"
727 " --dhcp-option must be repeated.\n"
728 " DOMAIN name : Set DNS suffix\n"
729 " DOMAIN-SEARCH entry : Add entry to DNS domain search list\n"
730 " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n"
731 " NTP : Set NTP server address(es)\n"
732 " NBDD : Set NBDD server address(es)\n"
733 " WINS addr : Set WINS server address(es)\n"
734 " NBT type : Set NetBIOS over TCP/IP Node type\n"
735 " 1: B, 2: P, 4: M, 8: H\n"
736 " NBS id : Set NetBIOS scope ID\n"
737 " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
738 "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
739 "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
741 "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
742 " on connection initiation.\n"
743 "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
744 " attempting to set adapter properties.\n"
745 "--pause-exit : When run from a console window, pause before exiting.\n"
746 "--service ex [0|1] : For use when " PACKAGE_NAME
" is being instantiated by a\n"
747 " service, and should not be used directly by end-users.\n"
748 " ex is the name of an event object which, when\n"
749 " signaled, will cause " PACKAGE_NAME
" to exit. A second\n"
750 " optional parameter controls the initial state of ex.\n"
751 "--show-net-up : Show " PACKAGE_NAME
"'s view of routing table and net adapter list\n"
752 " after TAP adapter is up and routes have been added.\n"
753 "--windows-driver : Which tun driver to use?\n"
754 " ovpn-dco (default)\n"
757 "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
758 "Windows Standalone Options:\n"
760 "--show-adapters : Show all TAP-Windows adapters.\n"
761 "--show-net : Show " PACKAGE_NAME
"'s view of routing table and net adapter list.\n"
762 "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
763 "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME
" running without admin privileges\n"
764 " to access TAP adapter.\n"
765 #endif /* ifdef _WIN32 */
767 "Generate a new key :\n"
768 "--genkey secret file : Generate a new random key of type and write to file\n"
769 " (for use with --secret, --tls-auth or --tls-crypt)."
770 #ifdef ENABLE_FEATURE_TUN_PERSIST
772 "Tun/tap config mode (available with linux 2.4+):\n"
773 "--mktun : Create a persistent tunnel.\n"
774 "--rmtun : Remove a persistent tunnel.\n"
775 "--dev tunX|tapX : tun/tap device\n"
776 "--dev-type dt : Device type. See tunnel options above for details.\n"
777 "--user user : User to set privilege to.\n"
778 "--group group : Group to set privilege to.\n"
782 "PKCS#11 standalone options:\n"
783 #ifdef DEFAULT_PKCS11_MODULE
784 "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
786 "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
788 " --verb option can be added *BEFORE* this.\n"
789 #endif /* ENABLE_PKCS11 */
791 "General Standalone Options:\n"
793 "--show-gateway : Show info about default gateway.\n"
797 #endif /* !ENABLE_SMALL */
/*
 * This is where the options defaults go.
 * Any option not explicitly set here starts out zeroed; every value below is
 * what a user gets without mentioning the corresponding option in the config
 * file or on the command line.
 *
 * NOTE(review): this page omits a number of the function's original lines
 * (braces, the CLEAR()/gc_init(&o->gc) calls that presumably precede the dns
 * gc init, and most of the #if/#else/#endif guards around the management,
 * persist, Windows, PKCS#11, tmp-dir and DCO groups).  Only the lines the page
 * shows are reproduced here; the unbalanced directives below are a symptom of
 * that, not of the upstream file.
 *
 * @param o        options structure to initialise in place
 * @param init_gc  whether the embedded gc arenas are to be initialised here;
 *                 the gc_init() call below presumably sits inside an
 *                 `if (init_gc)` block that the page does not show
 */
init_options(struct options *o, const bool init_gc)
    gc_init(&o->dns_options.gc);

    /* Transport / connection-entry defaults: UDP, any address family,
     * exponential reconnect back-off capped at 300 s, 120 s connect timeout. */
    o->mode = MODE_POINT_TO_POINT;
    o->topology = TOP_NET30;
    o->ce.proto = PROTO_UDP;
    o->ce.af = AF_UNSPEC;
    o->ce.bind_ipv6_only = false;
    o->ce.connect_retry_seconds = 1;
    o->ce.connect_retry_seconds_max = 300;
    o->ce.connect_timeout = 120;
    o->connect_retry_max = 0;
    o->ce.local_port = o->ce.remote_port = OPENVPN_PORT;
    o->status_file_update_freq = 60;
    o->status_file_version = 1;
    o->ce.bind_local = true;
    o->ce.tun_mtu = TUN_MTU_DEFAULT;
    o->ce.link_mtu = LINK_MTU_DEFAULT;
    o->ce.tls_mtu = TLS_MTU_DEFAULT;
    o->ce.mtu_discover_type = -1;   /* -1: leave PMTU discovery setting to the OS (presumed) */
    o->ce.mssfix_default = true;
    o->ce.mssfix_encap = true;
    o->route_delay_window = 30;
    o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
    o->resolve_in_advance = false;
#ifdef ENABLE_MANAGEMENT
    /* management interface buffer sizes (entries, not bytes — TODO confirm) */
    o->management_log_history_cache = 250;
    o->management_echo_buffer_size = 100;
    o->management_state_buffer_size = 100;
#ifdef ENABLE_FEATURE_TUN_PERSIST
    /* Windows TAP defaults.  The two ip_win32_type assignments are presumably
     * alternative preprocessor branches whose #if/#else lines the page drops. */
    o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE;
    o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ;
    o->tuntap_options.dhcp_lease_time = 31536000; /* one year */
    o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */
    o->route_method = ROUTE_METHOD_ADAPTIVE;
    o->block_outside_dns = false;
    o->windows_driver = WINDOWS_DRIVER_UNSPECIFIED;
    o->vlan_accept = VLAN_ALL;

    /* Server-mode (P2MP) sizing defaults */
    o->real_hash_size = 256;
    o->virtual_hash_size = 256;
    o->n_bcast_buf = 256;
    o->tcp_queue_limit = 64;
    o->max_clients = 1024;
    o->cf_initial_per = 10;      /* connect-freq: per-period limit on new connections */
    o->cf_initial_max = 100;     /* connect-freq: period length (see --connect-freq) */
    o->max_routes_per_client = 256;
    o->stale_routes_check_interval = 0;
    o->ifconfig_pool_persist_refresh_freq = 600;
    o->scheduled_exit_interval = 5;

    /* Crypto defaults: HMAC digest, replay protection window, key direction */
    o->authname = "SHA1";
    o->replay_window = DEFAULT_SEQ_BACKTRACK;
    o->replay_time = DEFAULT_TIME_BACKTRACK;
    o->key_direction = KEY_DIRECTION_BIDIRECTIONAL;
#ifdef ENABLE_PREDICTION_RESISTANCE
    o->use_prediction_resistance = false;

    /* Control-channel timing: no byte-count triggered rekey (-1), rekey every
     * hour, 60 s to complete a handshake, old key lives 1 h after rekey starts.
     * These are the "(default=%d)" values in the usage text above. */
    o->renegotiate_bytes = -1;
    o->renegotiate_seconds = 3600;
    o->renegotiate_seconds_min = -1;
    o->handshake_window = 60;
    o->transition_window = 3600;
    o->tls_cert_profile = NULL;   /* NULL: library/built-in profile applies (presumed) */
    o->ecdh_curve = NULL;
#ifdef ENABLE_X509ALTUSERNAME
    o->x509_username_field[0] = X509_USERNAME_FIELD_DEFAULT;
    o->pkcs11_pin_cache_period = -1;   /* -1: cache PIN until token removal (per usage text) */
#endif /* ENABLE_PKCS11 */

    /* P2MP server context features */
    o->auth_token_generate = false;

    /* Set default --tmp-dir */
    /* On Windows, find temp dir via environment variables */
    o->tmp_dir = win_get_tempdir();
    /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
    /* NOTE(review): the platform #ifdef/#else and the '/tmp' fallback are on
     * lines the page omits; both assignments cannot be active in one build. */
    o->tmp_dir = getenv("TMPDIR");

    o->allow_recursive_routing = false;
    /* Presumably the !ENABLE_DCO branch: without DCO support the kernel
     * data-channel offload is disabled by default. */
    o->tuntap_options.disable_dco = true;
#endif /* ENABLE_DCO */
/*
 * uninit_options: tear down what init_options() set up — the connection and
 * remote lists are wiped with CLEAR() and the dns_options gc arena is freed.
 *
 * NOTE(review): the page drops the braces, the `if (o->remote_list)` test that
 * presumably guards the second CLEAR(), and whatever guard and gc_free(&o->gc)
 * accompany the final gc_free(); only the shown lines are reproduced.
 *
 * @param o  options structure to clean up
 */
uninit_options(struct options *o)
    if (o->connection_list)
        CLEAR(*o->connection_list);
    CLEAR(*o->remote_list);
    gc_free(&o->dns_options.gc);
/*
 * --pull-filter entry types.  A pushed option that matches a filter is
 * accepted, silently ignored, or rejected (the latter also raising SIGUSR1,
 * i.e. a restart).  The matching order and pattern semantics are not visible
 * on this page.
 */
#define PUF_TYPE_UNDEF 0 /** undefined filter type */
#define PUF_TYPE_ACCEPT 1 /** filter type to accept a matching option */
#define PUF_TYPE_IGNORE 2 /** filter type to ignore a matching option */
#define PUF_TYPE_REJECT 3 /** filter type to reject and trigger SIGUSR1 */

/* NOTE(review): the head of `struct pull_filter` (tag, type and pattern
 * members used by show_pull_filter_list()) is on lines this page omits; only
 * its `next` link is visible. */
struct pull_filter *next;

/* Singly linked list of pull filters with head and tail pointers. */
struct pull_filter_list
    struct pull_filter *head;
    struct pull_filter *tail;
/*
 * pull_filter_type_name: map a PUF_TYPE_* value to a printable name, used by
 * show_pull_filter_list() when dumping the configured filters.
 *
 * NOTE(review): the return statements for each branch, and the fallback for an
 * unrecognised type, are on lines this page does not show.
 *
 * @param type  one of the PUF_TYPE_* constants
 */
pull_filter_type_name(int type)
    if (type == PUF_TYPE_ACCEPT)
    if (type == PUF_TYPE_IGNORE)
    if (type == PUF_TYPE_REJECT)
/*
 * Helpers for the show_*() dumps below: each logs one " name = value" line at
 * D_SHOW_PARMS verbosity through msg(), reading field `var` of a local named
 * `o`.  SHOW_STR substitutes "[UNDEF]" for a NULL string.  SHOW_STR_INLINE
 * prints "[INLINE]" when the companion `<var>_inline` flag is set, so for
 * inline key/cert blobs the log only ever records the marker, never the
 * material; otherwise it prints the configured file name.
 *
 * NOTE(review): the final line of SHOW_STR_INLINE (its format argument and
 * closing parenthesis) is on a line this page omits.
 */
#define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
#define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
#define SHOW_STR_INLINE(var) SHOW_PARM(var, \
    o->var ## _inline ? "[INLINE]" : \
    (o->var ? o->var : "[UNDEF]"), \
#define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
#define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
#define SHOW_INT64(var) SHOW_PARM(var, o->var, "%" PRIi64)
#define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
/* NOTE(review): the trailing ';' inside SHOW_BOOL means every `SHOW_BOOL(x);`
 * use expands to an extra empty statement — harmless in a plain statement
 * list, but it would break an unbraced if/else around the macro. */
#define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
990 #endif /* ifndef ENABLE_SMALL */
/*
 * setenv_connection_entry: export one connection profile into the env_set
 * handed to scripts and plugins — proto, local, local_port, remote and
 * remote_port — plus the HTTP or SOCKS proxy server/port when the profile
 * uses a proxy.  Each name is passed to setenv_str_i() together with `i`,
 * presumably the 1-based profile index used as a suffix.
 *
 * NOTE(review): the page drops the signature's last parameter (the index
 * `i`), the return type, and the braces around the two proxy blocks; the
 * second setenv_str_i() of each proxy pair belongs inside the same `if`.
 *
 * @param es  environment set to populate
 * @param e   connection entry to export
 */
setenv_connection_entry(struct env_set *es, const struct connection_entry *e,
    setenv_str_i(es, "proto", proto2ascii(e->proto, e->af, false), i);
    setenv_str_i(es, "local", e->local, i);
    setenv_str_i(es, "local_port", e->local_port, i);
    setenv_str_i(es, "remote", e->remote, i);
    setenv_str_i(es, "remote_port", e->remote_port, i);
    if (e->http_proxy_options)
        setenv_str_i(es, "http_proxy_server", e->http_proxy_options->server, i);
        setenv_str_i(es, "http_proxy_port", e->http_proxy_options->port, i);
    if (e->socks_proxy_server)
        setenv_str_i(es, "socks_proxy_server", e->socks_proxy_server, i);
        setenv_str_i(es, "socks_proxy_port", e->socks_proxy_port, i);
<doc_update>
/*
 * setenv_settings: publish the process-level settings (config path,
 * verbosity, daemon state, start time, pid) and every connection profile to
 * the env_set used for scripts and plugins.  Profile indices start at 1:
 * entries from connection_list get i+1, the single default entry gets 1.
 *
 * NOTE(review): the `int i` declaration, the braces, the `else` that makes the
 * `&o->ce` export the alternative to the list loop, and the guard around the
 * setenv_dns_options() call are on lines this page omits.
 *
 * @param es  environment set to populate
 * @param o   parsed options
 */
setenv_settings(struct env_set *es, const struct options *o)
    setenv_str(es, "config", o->config);
    setenv_int(es, "verb", o->verbosity);
    setenv_int(es, "daemon", o->daemon);
    setenv_int(es, "daemon_log_redirect", o->log);
    setenv_long_long(es, "daemon_start_time", time(NULL));
    setenv_int(es, "daemon_pid", platform_getpid());
    if (o->connection_list)
        for (i = 0; i < o->connection_list->len; ++i)
            setenv_connection_entry(es, o->connection_list->array[i], i+1);
    setenv_connection_entry(es, &o->ce, 1);
    setenv_dns_options(&o->dns_options, es);
/*
 * setenv_foreign_option: record an option that OpenVPN itself does not act
 * on (e.g. a pushed "dhcp-option …", see foreign_options_copy_dns()) as the
 * environment variable foreign_option_<N>, whose value is the argv words
 * joined by spaces, for scripts/plugins to consume.  N is taken from
 * o->foreign_option_index, which is incremented on every call.
 *
 * Name and value are built in fixed OPTION_PARM_SIZE gc buffers; every
 * buf_printf() result is ANDed into `good`, so an over-long option does not
 * get silently truncated — presumably the setenv_str() is guarded by
 * `if (good)` and the M_WARN "name/value overflow" message is its else
 * branch (those lines, `int i`, `bool good = true`, the "only between
 * words" guard on the " " separator, and the closing gc_free(&gc) are not
 * shown on this page).  The trailing `#endif` suggests this is compiled for
 * non-Windows builds only.
 *
 * @param o     options; foreign_option_index is advanced
 * @param argv  words of the option
 * @param len   number of words in argv
 * @param es    environment set to populate
 */
setenv_foreign_option(struct options *o, const char *argv[], int len, struct env_set *es)
    struct gc_arena gc = gc_new();
    struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
    struct buffer value = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
    good &= buf_printf(&name, "foreign_option_%d", o->foreign_option_index + 1);
    ++o->foreign_option_index;
    for (i = 0; i < len; ++i)
        good &= buf_printf(&value, " ");
        good &= buf_printf(&value, "%s", argv[i]);
    setenv_str(es, BSTR(&name), BSTR(&value));
    msg(M_WARN, "foreign_option: name/value overflow");
1082 #endif /* ifndef _WIN32 */
/*
 * get_ip_addr: resolve ip_string to a host-order IPv4 address via getaddr().
 * When the caller's msglevel carries M_FATAL the GETADDR_FATAL flag is added,
 * so a resolution failure terminates inside getaddr(); otherwise failure is
 * reported to the caller through *error (when a non-NULL pointer was given).
 *
 * NOTE(review): the declaration of `ret`, the `*error = true` assignment
 * under the final `if`, and the return are on lines this page omits.
 *
 * @param ip_string  address or name to resolve
 * @param msglevel   message level for errors; M_FATAL makes failure fatal
 * @param error      optional out-flag set on failure
 */
get_ip_addr(const char *ip_string, int msglevel, bool *error)
    unsigned int flags = GETADDR_HOST_ORDER;
    bool succeeded = false;
    if (msglevel & M_FATAL)
        flags |= GETADDR_FATAL;
    ret = getaddr(flags, ip_string, 0, &succeeded, NULL);
    if (!succeeded && error)
/*
 * get_ipv6_addr_no_netbits: copy the address part of an "addr/nn" prefix.
 * Returns newly allocated string containing address part without "/nn".
 * If gc != NULL, the allocated memory is registered in the supplied gc.
 *
 * Two paths are visible: with no '/' the whole string is duplicated with
 * string_alloc(); otherwise the bytes before the '/' are copied into a
 * gc_malloc()'d buffer of len + 1.  The `true` passed to gc_malloc()
 * presumably requests zeroed memory, which is what NUL-terminates the copied
 * bytes — confirm against gc_malloc().  The if/else lines, the declaration of
 * `ret` and the return are not shown on this page.
 */
get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
    const char *end = strchr(addr, '/');
    ret = string_alloc(addr, gc);
    size_t len = end - addr;
    ret = gc_malloc(len + 1, true, gc);
    memcpy(ret, addr, len);
/*
 * ipv6_addr_safe_hexplusbits: validity check for an "address/bits" IPv6
 * prefix.  The parsed address and prefix length are thrown away; only the
 * verdict of get_ipv6_addr() is returned, and parse problems are logged at
 * M_WARN.
 *
 * @param ipv6_prefix_spec  text to validate
 */
ipv6_addr_safe_hexplusbits(const char *ipv6_prefix_spec)
    struct in6_addr t_addr;
    unsigned int t_bits;
    return get_ipv6_addr(ipv6_prefix_spec, &t_addr, &t_bits, M_WARN);
/*
 * string_substitute: return a gc-owned copy of src in which character `from`
 * is replaced by `to`.  Only the allocation of the strlen(src) + 1 byte
 * result buffer is visible here; the copy/replace loop and the return are on
 * lines this page omits.
 *
 * @param src   source string (must not be NULL — strlen is applied to it)
 * @param from  character to replace
 * @param to    replacement character
 * @param gc    arena owning the returned buffer
 */
string_substitute(const char *src, int from, int to, struct gc_arena *gc)
    char *ret = (char *) gc_malloc(strlen(src) + 1, true, gc);
/**
 * Parses a hexstring and checks if the string has the correct length. Returns
 * a verify_hash_list containing the parsed hash string.
 *
 * The accepted format is colon-separated byte pairs ("aa:bb:…"); a
 * malformed segment, a fingerprint shorter than nbytes, or one with trailing
 * data after nbytes bytes is reported at msglevel rather than being padded
 * or truncated (the corresponding `return NULL`s are presumably on omitted
 * lines).
 *
 * NOTE(review): isxdigit() is given a plain `char`; on a platform with a
 * signed char a byte >= 0x80 is a negative value, which is undefined for the
 * <ctype.h> functions — it should be cast through unsigned char.  The
 * second `!isxdigit(cp[1])` test, the declarations of `i`, `byte` and
 * `term`, the advance of `cp` past each segment, and the final
 * `i != nbytes` length test are on lines this page omits.
 *
 * @param str String to check/parse
 * @param nbytes Number of bytes expected in the hexstr (e.g. 20 for SHA1)
 * @param msglevel message level to use when printing warnings/errors
 * @param gc The returned object will be allocated in this gc
 */
static struct verify_hash_list *
parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
    const char *cp = str;
    struct verify_hash_list *ret;
    ALLOC_OBJ_CLEAR_GC(ret, struct verify_hash_list, gc);
    while (*cp && i < nbytes)
        /* valid segments consist of exactly two hex digits, then ':' or EOS */
        /* because cp[2] must be ':' or NUL, "%x" can consume at most two
         * digits here, so `byte` fits the uint8_t cast below */
        if (!isxdigit(cp[0])
            || (cp[2] != ':' && cp[2] != '\0')
            || sscanf(cp, "%x", &byte) != 1)
            msg(msglevel, "format error in hash fingerprint: %s", str);
        ret->hash[i++] = (uint8_t)byte;
    msg(msglevel, "hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes, i, str);
    else if (term != '\0')
        msg(msglevel, "hash fingerprint too long - expected only %d bytes: %s", nbytes, str);
/**
 * Parses a string consisting of multiple lines of hexstrings and checks if each
 * string has the correct length. Empty lines are ignored. Returns
 * a linked list of (possibly) multiple verify_hash_list objects.
 *
 * The input is duplicated into a temporary gc first because strsep() writes
 * NULs into the buffer it tokenises.  Leading whitespace is stripped from
 * each line, and lines that are empty or begin with '#' or ';' are treated as
 * comments and skipped; every remaining line goes through
 * parse_hash_fingerprint().
 *
 * NOTE(review): isspace() is applied to a plain `char` (same <ctype.h>
 * caveat as in parse_hash_fingerprint()).  The declaration of `line`, the
 * loop body that links each parsed hash into `ret`, the handling of a failed
 * parse, the gc_free(&gc_temp) and the return are on lines this page omits.
 *
 * @param str String to check/parse
 * @param nbytes Number of bytes expected in the hexstring (e.g. 20 for SHA1)
 * @param msglevel message level to use when printing warnings/errors
 * @param gc The returned list items will be allocated in this gc
 */
static struct verify_hash_list *
parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel,
                                 struct gc_arena *gc)
    struct gc_arena gc_temp = gc_new();
    char *lines = string_alloc(str, &gc_temp);
    struct verify_hash_list *ret = NULL;
    while ((line = strsep(&lines, "\n")))
        /* ignore leading whitespace */
        while (isspace(*line))
        /* skip empty lines and comment lines */
        if (strlen(line) == 0 || *line == '#' || *line == ';')
        struct verify_hash_list *hash = parse_hash_fingerprint(line, nbytes,
1260 #ifndef ENABLE_SMALL
/*
 * show_dhcp_option_list: log each string of a --dhcp-option list as
 * " name[i] = value" at D_SHOW_PARMS.
 *
 * NOTE(review): the `int i` declaration and braces are on omitted lines.
 *
 * @param name   option name used as the log prefix
 * @param array  strings to print
 * @param len    number of entries in array
 */
show_dhcp_option_list(const char *name, const char *const *array, int len)
    for (i = 0; i < len; ++i)
        msg(D_SHOW_PARMS, " %s[%d] = %s", name, i, array[i]);
/*
 * show_dhcp_option_addrs: log each IPv4 address of a --dhcp-option list as
 * " name[i] = a.b.c.d" at D_SHOW_PARMS, formatting through a local gc arena.
 *
 * NOTE(review): the `name, i,` arguments that fill the first two conversions
 * of the format, the `int i` declaration, the braces and the closing
 * gc_free(&gc) are on lines this page omits.
 *
 * @param name   option name used as the log prefix
 * @param array  addresses to print
 * @param len    number of entries in array
 */
show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
    struct gc_arena gc = gc_new();
    for (i = 0; i < len; ++i)
        msg(D_SHOW_PARMS, " %s[%d] = %s",
            print_in_addr_t(array[i], 0, &gc));
/*
 * show_tuntap_options: dump the Windows TAP/DHCP related settings
 * (ip-win32 mode, DHCP masquerade parameters, NetBIOS settings and the
 * DNS/WINS/NTP/NBDD server and DOMAIN-SEARCH lists) at D_SHOW_PARMS.  The
 * parameter is named `o` because the SHOW_* macros read `o->var`.  The
 * surrounding directives show this is compiled only for !ENABLE_SMALL
 * Windows builds.
 *
 * @param o  TUN/TAP options to display
 */
show_tuntap_options(const struct tuntap_options *o)
    SHOW_BOOL(ip_win32_defined);
    SHOW_INT(ip_win32_type);
    SHOW_INT(dhcp_masq_offset);
    SHOW_INT(dhcp_lease_time);
    SHOW_INT(tap_sleep);
    SHOW_UNSIGNED(dhcp_options);
    SHOW_BOOL(dhcp_renew);
    SHOW_BOOL(dhcp_pre_release);
    SHOW_STR(netbios_scope);
    SHOW_INT(netbios_node_type);
    SHOW_BOOL(disable_nbt);
    show_dhcp_option_addrs("DNS", o->dns, o->dns_len);
    show_dhcp_option_addrs("WINS", o->wins, o->wins_len);
    show_dhcp_option_addrs("NTP", o->ntp, o->ntp_len);
    show_dhcp_option_addrs("NBDD", o->nbdd, o->nbdd_len);
    show_dhcp_option_list("DOMAIN-SEARCH", o->domain_search_list, o->domain_search_list_len);
1310 #endif /* ifndef ENABLE_SMALL */
1311 #endif /* ifdef _WIN32 */
1313 #if defined(_WIN32) || defined(TARGET_ANDROID)
/*
 * dhcp_option_dns6_parse: parse one "--dhcp-option DNS <ipv6>" value and
 * append it to the fixed-size dns6_list.  The capacity check against
 * N_DHCP_ADDR comes first, so a config or pushed option that repeats DNS too
 * often cannot write past the array; it is reported at msglevel instead.  An
 * unparsable address is presumably reported by get_ipv6_addr() itself at the
 * same level and simply not stored.
 *
 * NOTE(review): the remaining msg() argument (the N_DHCP_ADDR limit) and the
 * braces are on lines this page omits.
 *
 * @param parm       address text
 * @param dns6_list  destination array of N_DHCP_ADDR entries
 * @param len        in/out count of entries used
 * @param msglevel   message level for errors
 */
dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
    struct in6_addr addr;
    if (*len >= N_DHCP_ADDR)
        msg(msglevel, "--dhcp-option DNS: maximum of %d IPv6 dns servers can be specified",
    else if (get_ipv6_addr(parm, &addr, NULL, msglevel))
        dns6_list[(*len)++] = addr;
/*
 * dhcp_option_address_parse: parse one "--dhcp-option <name> <ipv4>" value
 * and append it to a fixed-size address array.  The N_DHCP_ADDR capacity
 * check comes first.  Only a dotted-quad literal passes
 * ip_addr_dotted_quad_safe(), so no name resolution is ever triggered by
 * these values; anything else is rejected with the "must be an IP address"
 * message.
 *
 * NOTE(review): the `bool error` declaration, the `if (!error)` test that
 * presumably guards the store after get_ip_addr(), the else, the remaining
 * msg() arguments and the braces are on lines this page omits.
 *
 * @param name      option keyword (e.g. "DNS", "WINS") for messages
 * @param parm      address text
 * @param array     destination array of N_DHCP_ADDR entries
 * @param len       in/out count of entries used
 * @param msglevel  message level for errors
 */
dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
    if (*len >= N_DHCP_ADDR)
        msg(msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified",
    if (ip_addr_dotted_quad_safe(parm)) /* FQDN -- IP address only */
        const in_addr_t addr = get_ip_addr(parm, msglevel, &error);
        array[(*len)++] = addr;
    msg(msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm);
/*
 * If DNS options are set use these for TUN/TAP options as well.
 * Applies to DNS, DNS6 and DOMAIN-SEARCH.
 * Existing options will be discarded.
 *
 * Search domains are copied up to N_SEARCH_LIST_LEN entries and IPv4/IPv6
 * server addresses up to N_DHCP_ADDR entries each; the bounds are checked
 * before every store, and running out of room is reported with an M_WARN
 * rather than overflowing the fixed arrays.
 *
 * NOTE(review): the page omits the braces, the resets of dns_len/dns6_len
 * that "discard" the existing server entries, the `while (server)` loop
 * header, the else branches that set `overflow`, and the `if (domain)` /
 * `if (overflow)` tests that presumably guard the two warnings.
 *
 * @param o  options whose dns_options are copied into tuntap_options
 */
tuntap_options_copy_dns(struct options *o)
    struct tuntap_options *tt = &o->tuntap_options;
    struct dns_options *dns = &o->dns_options;
    if (dns->search_domains)
        tt->domain_search_list_len = 0;
        const struct dns_domain *domain = dns->search_domains;
        while (domain && tt->domain_search_list_len < N_SEARCH_LIST_LEN)
            tt->domain_search_list[tt->domain_search_list_len++] = domain->name;
            domain = domain->next;
        /* reached only if the loop stopped with domains left over */
        msg(M_WARN, "WARNING: couldn't copy all --dns search-domains to --dhcp-option");
    bool overflow = false;
    const struct dns_server *server = dns->servers;
    if (server->addr4_defined && tt->dns_len < N_DHCP_ADDR)
        tt->dns[tt->dns_len++] = server->addr4.s_addr;
    if (server->addr6_defined && tt->dns6_len < N_DHCP_ADDR)
        tt->dns6[tt->dns6_len++] = server->addr6;
    server = server->next;
    msg(M_WARN, "WARNING: couldn't copy all --dns server addresses to --dhcp-option");
1414 #else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
/*
 * foreign_options_copy_dns: make the --dns configuration win over any
 * "dhcp-option DNS" / "dhcp-option DOMAIN-SEARCH" foreign options already in
 * the environment (non-Windows/Android builds; the Windows variant is
 * tuntap_options_copy_dns() above).
 *
 * Steps visible here:
 *  1. If neither search domains nor servers are configured there is nothing
 *     to do (the early return is on an omitted line).
 *  2. foreign_option_index is reset to 0 and the existing
 *     foreign_option_1..opt_max entries are walked: DNS / DOMAIN-SEARCH ones
 *     (when --dns configures that kind) are deleted, every other one is
 *     re-added through setenv_foreign_option(), which renumbers it from the
 *     reset index.
 *  3. One "dhcp-option … <address>" entry is added per configured IPv4 and
 *     IPv6 server, and one "dhcp-option DOMAIN-SEARCH <name>" per search
 *     domain.
 *  4. Entries numbered above the new foreign_option_index are deleted.
 *
 * NOTE(review): `strchr(env_str, '=') + 1` assumes env_set_get() found the
 * entry and that it holds a '='; a NULL or '='-less result would be a NULL
 * dereference / out-of-object pointer, and no check is visible on this page —
 * confirm that env_set entries are always "name=value" and that indices
 * 1..opt_max are always present.  `strstr(value, …) == value` is a
 * prefix test.  The `char name[…]` declaration (openvpn_snprintf bounds
 * writes to sizeof(name)), the braces, the else around the re-add, the two
 * literal words preceding each printed server address, the `while (server)`
 * / `while (domain)` loop headers and the gc_free(&gc) are on omitted lines.
 *
 * @param o   options; foreign_option_index is rewritten
 * @param es  environment set holding the foreign_option_N entries
 */
foreign_options_copy_dns(struct options *o, struct env_set *es)
    const struct dns_domain *domain = o->dns_options.search_domains;
    const struct dns_server *server = o->dns_options.servers;
    if (!domain && !server)
    /* reset the index since we're starting all over again */
    int opt_max = o->foreign_option_index;
    o->foreign_option_index = 0;
    for (int i = 1; i <= opt_max; ++i)
        openvpn_snprintf(name, sizeof(name), "foreign_option_%d", i);
        const char *env_str = env_set_get(es, name);
        const char *value = strchr(env_str, '=') + 1;
        if ((domain && strstr(value, "dhcp-option DOMAIN-SEARCH") == value)
            || (server && strstr(value, "dhcp-option DNS") == value))
            setenv_del(es, name);
        setenv_foreign_option(o, &value, 1, es);
    struct gc_arena gc = gc_new();
    if (server->addr4_defined)
        const char *argv[] = {
            print_in_addr_t(server->addr4.s_addr, 0, &gc)
        setenv_foreign_option(o, argv, 3, es);
    if (server->addr6_defined)
        const char *argv[] = {
            print_in6_addr(server->addr6, 0, &gc)
        setenv_foreign_option(o, argv, 3, es);
    server = server->next;
    const char *argv[] = { "dhcp-option", "DOMAIN-SEARCH", domain->name };
    setenv_foreign_option(o, argv, 3, es);
    domain = domain->next;
    /* remove old leftover entries */
    /* counts opt_max down to the new index, deleting from the top */
    while (o->foreign_option_index < opt_max)
        openvpn_snprintf(name, sizeof(name), "foreign_option_%d", opt_max--);
        setenv_del(es, name);
1488 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
1490 #ifndef ENABLE_SMALL
/*
 * print_vlan_accept: printable name for a --vlan-accept mode, used by
 * show_p2mp_parms().
 *
 * NOTE(review): the switch header, the VLAN_ALL case, the returned strings
 * and the default are on lines this page omits.
 *
 * @param mode  VLAN frame acceptance mode
 */
print_vlan_accept(enum vlan_acceptable_frames mode)
    case VLAN_ONLY_TAGGED:
    case VLAN_ONLY_UNTAGGED_OR_PRIORITY:
/*
 * show_p2mp_parms: dump the server-mode (point-to-multipoint) settings at
 * D_SHOW_PARMS: server network/bridge/pool ranges, the push list, the
 * client-connect/learn-address/… script paths, per-client limits, auth-token
 * settings, port-share and VLAN settings.  Addresses are formatted through a
 * local gc arena.
 *
 * Note on what reaches the log: auth_token_secret_file and
 * auth_user_pass_file go through SHOW_STR_INLINE, so an inline secret is
 * logged only as "[INLINE]" and a file-based one only as its path.
 *
 * NOTE(review): the push-list loop (`while (e)`, the per-entry enable test
 * and `e = e->next`), a few SHOW_* lines between the visible ones, the
 * braces and the closing gc_free(&gc) are on lines this page omits.
 *
 * @param o  options to display
 */
show_p2mp_parms(const struct options *o)
    struct gc_arena gc = gc_new();
    msg(D_SHOW_PARMS, " server_network = %s", print_in_addr_t(o->server_network, 0, &gc));
    msg(D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t(o->server_netmask, 0, &gc));
    msg(D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr(o->server_network_ipv6, 0, &gc));
    SHOW_INT(server_netbits_ipv6);
    msg(D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t(o->server_bridge_ip, 0, &gc));
    msg(D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t(o->server_bridge_netmask, 0, &gc));
    msg(D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t(o->server_bridge_pool_start, 0, &gc));
    msg(D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t(o->server_bridge_pool_end, 0, &gc));
    if (o->push_list.head)
        const struct push_entry *e = o->push_list.head;
        msg(D_SHOW_PARMS, " push_entry = '%s'", e->option);
    SHOW_BOOL(ifconfig_pool_defined);
    msg(D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t(o->ifconfig_pool_start, 0, &gc));
    msg(D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t(o->ifconfig_pool_end, 0, &gc));
    msg(D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t(o->ifconfig_pool_netmask, 0, &gc));
    SHOW_STR(ifconfig_pool_persist_filename);
    SHOW_INT(ifconfig_pool_persist_refresh_freq);
    SHOW_BOOL(ifconfig_ipv6_pool_defined);
    msg(D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr(o->ifconfig_ipv6_pool_base, 0, &gc));
    SHOW_INT(ifconfig_ipv6_pool_netbits);
    SHOW_INT(n_bcast_buf);
    SHOW_INT(tcp_queue_limit);
    SHOW_INT(real_hash_size);
    SHOW_INT(virtual_hash_size);
    /* script hooks run by the server; logged by path */
    SHOW_STR(client_connect_script);
    SHOW_STR(learn_address_script);
    SHOW_STR(client_disconnect_script);
    SHOW_STR(client_crresponse_script);
    SHOW_STR(client_config_dir);
    SHOW_BOOL(ccd_exclusive);
    SHOW_BOOL(push_ifconfig_defined);
    msg(D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t(o->push_ifconfig_local, 0, &gc));
    msg(D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t(o->push_ifconfig_remote_netmask, 0, &gc));
    SHOW_BOOL(push_ifconfig_ipv6_defined);
    msg(D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr(o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits);
    msg(D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr(o->push_ifconfig_ipv6_remote, 0, &gc));
    SHOW_BOOL(enable_c2c);
    SHOW_BOOL(duplicate_cn);
    SHOW_INT(cf_initial_max);
    SHOW_INT(cf_initial_per);
    SHOW_INT(max_clients);
    SHOW_INT(max_routes_per_client);
    SHOW_STR(auth_user_pass_verify_script);
    SHOW_BOOL(auth_user_pass_verify_script_via_file);
    SHOW_BOOL(auth_token_generate);
    SHOW_INT(auth_token_lifetime);
    SHOW_STR_INLINE(auth_token_secret_file);
    SHOW_STR(port_share_host);
    SHOW_STR(port_share_port);
    SHOW_BOOL(vlan_tagging);
    msg(D_SHOW_PARMS, " vlan_accept = %s", print_vlan_accept(o->vlan_accept));
    SHOW_INT(vlan_pvid);
    SHOW_STR_INLINE(auth_user_pass_file);
1587 #endif /* ! ENABLE_SMALL */
/*
 * option_iroute: add an --iroute (internal route to a client) entry.  The
 * network is resolved host-order through getaddr(); without a netmask the
 * entry is a /32 host route, otherwise the mask is converted with
 * netmask_to_netbits2(), whose negative result for a mask that is not a
 * valid prefix length is reported as a bad specification.  The new entry is
 * gc-allocated and pushed on the front of o->iroutes.
 *
 * NOTE(review): the page omits the `int msglevel` parameter, the
 * `struct iroute *ir` declaration, the `if (netmask_str)` that presumably
 * guards the netmask branch, the remaining msg() arguments and return on the
 * error path, the braces, and the `o->iroutes = ir` that completes the
 * prepend.
 *
 * @param o            options owning the iroute list and gc
 * @param network_str  network address text
 * @param netmask_str  optional netmask text
 */
option_iroute(struct options *o,
              const char *network_str,
              const char *netmask_str,
    ALLOC_OBJ_GC(ir, struct iroute, &o->gc);
    ir->network = getaddr(GETADDR_HOST_ORDER, network_str, 0, NULL, NULL);
    ir->netbits = 32; /* host route if no netmask given */
    const in_addr_t netmask = getaddr(GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL);
    ir->netbits = netmask_to_netbits2(netmask);
    if (ir->netbits < 0)
        msg(msglevel, "in --iroute %s %s : Bad network/subnet specification",
    ir->next = o->iroutes;
/*
 * option_iroute_ipv6: add an --iroute-ipv6 entry.  The prefix text is parsed
 * straight into the new gc-allocated entry by get_ipv6_addr(); on a parse
 * failure the error is reported at msglevel (the remaining msg() argument and
 * the return are on omitted lines — the entry stays owned by the gc, so
 * nothing leaks).  On success the entry is pushed on the front of
 * o->iroutes_ipv6.
 *
 * NOTE(review): the `int msglevel` parameter line and the braces are not
 * shown on this page.
 *
 * @param o           options owning the list and gc
 * @param prefix_str  "address/bits" text
 */
option_iroute_ipv6(struct options *o,
                   const char *prefix_str,
    struct iroute_ipv6 *ir;
    ALLOC_OBJ_GC(ir, struct iroute_ipv6, &o->gc);
    if (!get_ipv6_addr(prefix_str, &ir->network, &ir->netbits, msglevel))
        msg(msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
    ir->next = o->iroutes_ipv6;
    o->iroutes_ipv6 = ir;
1639 #ifndef ENABLE_SMALL
/*
 * show_http_proxy_options: dump an --http-proxy configuration at
 * D_SHOW_PARMS.  Custom headers are printed with their full content, so a
 * header that carries a credential would appear verbatim in the log at that
 * verbosity; auth_file, by contrast, is logged only as a path.
 *
 * NOTE(review): the server/port SHOW_STR lines, the `int i` declaration, the
 * else between the two custom-header messages, and the braces are on lines
 * this page omits.
 *
 * @param o  proxy options to display (named `o` for the SHOW_* macros)
 */
show_http_proxy_options(const struct http_proxy_options *o)
    msg(D_SHOW_PARMS, "BEGIN http_proxy");
    SHOW_STR(auth_method_string);
    SHOW_STR(auth_file);
    SHOW_STR(http_version);
    SHOW_STR(user_agent);
    /* the array is terminated by the first entry with a NULL name */
    for (i = 0; i < MAX_CUSTOM_HTTP_HEADER && o->custom_headers[i].name; i++)
        if (o->custom_headers[i].content)
            msg(D_SHOW_PARMS, " custom_header[%d] = %s: %s", i,
                o->custom_headers[i].name, o->custom_headers[i].content);
            msg(D_SHOW_PARMS, " custom_header[%d] = %s", i,
                o->custom_headers[i].name);
    msg(D_SHOW_PARMS, "END http_proxy");
1666 #endif /* ifndef ENABLE_SMALL */
/*
 * options_detach: drop references to gc-owned sub-structures so a copied
 * options instance does not share them.  Only the client_nat reset is
 * visible; the other detaches (and presumably a gc_detach of o->gc) are on
 * lines this page omits.
 *
 * @param o  options to detach
 */
options_detach(struct options *o)
    o->client_nat = NULL;
/*
 * rol_check_alloc: lazily create the IPv4 route option list on first use.
 * The list is allocated in the options' own gc, so it is released with it.
 *
 * @param options  options whose `routes` list is ensured
 */
rol_check_alloc(struct options *options)
    if (!options->routes)
        options->routes = new_route_option_list(&options->gc);
/*
 * rol6_check_alloc: lazily create the IPv6 route option list on first use,
 * allocated in the options' own gc (same pattern as rol_check_alloc()).
 *
 * @param options  options whose `routes_ipv6` list is ensured
 */
rol6_check_alloc(struct options *options)
    if (!options->routes_ipv6)
        options->routes_ipv6 = new_route_ipv6_option_list(&options->gc);
/*
 * cnol_check_alloc: lazily create the --client-nat list on first use,
 * allocated in the options' own gc (same pattern as rol_check_alloc()).
 *
 * @param options  options whose `client_nat` list is ensured
 */
cnol_check_alloc(struct options *options)
    if (!options->client_nat)
        options->client_nat = new_client_nat_list(&options->gc);
1704 #ifndef ENABLE_SMALL
/*
 * show_connection_entry: dump one connection profile at D_SHOW_PARMS —
 * transport, bind/retry settings, proxy settings, MTU settings and the
 * control-channel key files.  tls_auth_file, tls_crypt_file and
 * tls_crypt_v2_file go through SHOW_STR_INLINE, so inline keys are logged
 * only as "[INLINE]" and file-based ones only as a path; key bytes are never
 * printed.  The parameter is named `o` because the SHOW_* macros read
 * `o->var`.
 *
 * NOTE(review): several SHOW_* lines between the visible ones, the
 * `#endif` matching `#ifdef ENABLE_FRAGMENT`, the format argument closing
 * the key_direction SHOW_PARM, and the braces are on lines this page omits.
 *
 * @param o  connection entry to display
 */
show_connection_entry(const struct connection_entry *o)
    msg(D_SHOW_PARMS, " proto = %s", proto2ascii(o->proto, o->af, false));
    SHOW_STR(local_port);
    SHOW_STR(remote_port);
    SHOW_BOOL(remote_float);
    SHOW_BOOL(bind_defined);
    SHOW_BOOL(bind_local);
    SHOW_BOOL(bind_ipv6_only);
    SHOW_INT(connect_retry_seconds);
    SHOW_INT(connect_timeout);
    if (o->http_proxy_options)
        show_http_proxy_options(o->http_proxy_options);
    SHOW_STR(socks_proxy_server);
    SHOW_STR(socks_proxy_port);
    SHOW_BOOL(tun_mtu_defined);
    SHOW_BOOL(link_mtu_defined);
    SHOW_INT(tun_mtu_extra);
    SHOW_BOOL(tun_mtu_extra_defined);
    SHOW_INT(mtu_discover_type);
#ifdef ENABLE_FRAGMENT
    SHOW_BOOL(mssfix_encap);
    SHOW_BOOL(mssfix_fixed);
    SHOW_INT(explicit_exit_notification);
    SHOW_STR_INLINE(tls_auth_file);
    SHOW_PARM(key_direction, keydirection2ascii(o->key_direction, false, true),
    SHOW_STR_INLINE(tls_crypt_file);
    SHOW_STR_INLINE(tls_crypt_v2_file);
/*
 * show_connection_entries: dump every connection profile.  With a
 * connection_list each entry is printed under "Connection profiles [i]:";
 * otherwise (the `else` is on an omitted line) the single default entry
 * o->ce is printed under "[default]".  A trailing END marker closes the
 * section.
 *
 * NOTE(review): the `int i` declaration, the else and the braces are on
 * lines this page omits.
 *
 * @param o  options to display
 */
show_connection_entries(const struct options *o)
    if (o->connection_list)
        const struct connection_list *l = o->connection_list;
        for (i = 0; i < l->len; ++i)
            msg(D_SHOW_PARMS, "Connection profiles [%d]:", i);
            show_connection_entry(l->array[i]);
    msg(D_SHOW_PARMS, "Connection profiles [default]:");
    show_connection_entry(&o->ce);
    msg(D_SHOW_PARMS, "Connection profiles END");
/*
 * show_pull_filter_list: log every --pull-filter as `<type> "<pattern>"` at
 * D_SHOW_PARMS, walking the list from head via `next`.
 *
 * NOTE(review): show_settings() below passes o->pull_filter_list without
 * checking it, so a `if (!l) return;` guard presumably sits on the lines the
 * page omits before the header message; the braces are omitted too.
 *
 * @param l  pull filter list, possibly NULL
 */
show_pull_filter_list(const struct pull_filter_list *l)
    struct pull_filter *f;
    msg(D_SHOW_PARMS, " Pull filters:");
    for (f = l->head; f; f = f->next)
        msg(D_SHOW_PARMS, " %s \"%s\"", pull_filter_type_name(f->type), f->pattern);
1790 #endif /* ifndef ENABLE_SMALL */
1793 show_settings(const struct options
*o
)
1795 #ifndef ENABLE_SMALL
1796 msg(D_SHOW_PARMS
, "Current Parameter Settings:");
1802 #ifdef ENABLE_FEATURE_TUN_PERSIST
1803 SHOW_BOOL(persist_config
);
1804 SHOW_INT(persist_mode
);
1807 SHOW_BOOL(show_ciphers
);
1808 SHOW_BOOL(show_digests
);
1809 SHOW_BOOL(show_engines
);
1811 SHOW_STR(genkey_filename
);
1812 SHOW_STR(key_pass_file
);
1813 SHOW_BOOL(show_tls_ciphers
);
1815 SHOW_INT(connect_retry_max
);
1816 show_connection_entries(o
);
1818 SHOW_BOOL(remote_random
);
1824 #if defined(ENABLE_DCO)
1825 SHOW_BOOL(tuntap_options
.disable_dco
);
1829 SHOW_STR(ifconfig_local
);
1830 SHOW_STR(ifconfig_remote_netmask
);
1831 SHOW_BOOL(ifconfig_noexec
);
1832 SHOW_BOOL(ifconfig_nowarn
);
1833 SHOW_STR(ifconfig_ipv6_local
);
1834 SHOW_INT(ifconfig_ipv6_netbits
);
1835 SHOW_STR(ifconfig_ipv6_remote
);
1842 SHOW_INT(keepalive_ping
);
1843 SHOW_INT(keepalive_timeout
);
1844 SHOW_INT(inactivity_timeout
);
1845 SHOW_INT(session_timeout
);
1846 SHOW_INT64(inactivity_minimum_bytes
);
1847 SHOW_INT(ping_send_timeout
);
1848 SHOW_INT(ping_rec_timeout
);
1849 SHOW_INT(ping_rec_timeout_action
);
1850 SHOW_BOOL(ping_timer_remote
);
1851 SHOW_INT(remap_sigusr1
);
1852 SHOW_BOOL(persist_tun
);
1853 SHOW_BOOL(persist_local_ip
);
1854 SHOW_BOOL(persist_remote_ip
);
1855 SHOW_BOOL(persist_key
);
1857 #if PASSTOS_CAPABILITY
1861 SHOW_INT(resolve_retry_seconds
);
1862 SHOW_BOOL(resolve_in_advance
);
1865 SHOW_STR(groupname
);
1866 SHOW_STR(chroot_dir
);
1868 #ifdef ENABLE_SELINUX
1869 SHOW_STR(selinux_context
);
1872 SHOW_STR(up_script
);
1873 SHOW_STR(down_script
);
1874 SHOW_BOOL(down_pre
);
1875 SHOW_BOOL(up_restart
);
1876 SHOW_BOOL(up_delay
);
1879 SHOW_BOOL(suppress_timestamps
);
1880 SHOW_BOOL(machine_readable_output
);
1882 SHOW_INT(verbosity
);
1887 SHOW_STR(status_file
);
1888 SHOW_INT(status_file_version
);
1889 SHOW_INT(status_file_update_freq
);
1894 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
1897 SHOW_INT(sockflags
);
1903 SHOW_INT(comp
.flags
);
1906 SHOW_STR(route_script
);
1907 SHOW_STR(route_default_gateway
);
1908 SHOW_INT(route_default_metric
);
1909 SHOW_BOOL(route_noexec
);
1910 SHOW_INT(route_delay
);
1911 SHOW_INT(route_delay_window
);
1912 SHOW_BOOL(route_delay_defined
);
1913 SHOW_BOOL(route_nopull
);
1914 SHOW_BOOL(route_gateway_via_dhcp
);
1915 SHOW_BOOL(allow_pull_fqdn
);
1916 show_pull_filter_list(o
->pull_filter_list
);
1920 print_route_options(o
->routes
, D_SHOW_PARMS
);
1925 print_client_nat_list(o
->client_nat
, D_SHOW_PARMS
);
1928 show_dns_options(&o
->dns_options
);
1930 #ifdef ENABLE_MANAGEMENT
1931 SHOW_STR(management_addr
);
1932 SHOW_STR(management_port
);
1933 SHOW_STR(management_user_pass
);
1934 SHOW_INT(management_log_history_cache
);
1935 SHOW_INT(management_echo_buffer_size
);
1936 SHOW_STR(management_client_user
);
1937 SHOW_STR(management_client_group
);
1938 SHOW_INT(management_flags
);
1940 #ifdef ENABLE_PLUGIN
1943 plugin_option_list_print(o
->plugin_list
, D_SHOW_PARMS
);
1947 SHOW_STR_INLINE(shared_secret_file
);
1948 SHOW_PARM(key_direction
, keydirection2ascii(o
->key_direction
, false, true), "%s");
1949 SHOW_STR(ciphername
);
1950 SHOW_STR(ncp_ciphers
);
1952 #ifndef ENABLE_CRYPTO_MBEDTLS
1954 #endif /* ENABLE_CRYPTO_MBEDTLS */
1956 SHOW_BOOL(mute_replay_warnings
);
1957 SHOW_INT(replay_window
);
1958 SHOW_INT(replay_time
);
1959 SHOW_STR(packet_id_file
);
1960 SHOW_BOOL(test_crypto
);
1961 #ifdef ENABLE_PREDICTION_RESISTANCE
1962 SHOW_BOOL(use_prediction_resistance
);
1965 SHOW_BOOL(tls_server
);
1966 SHOW_BOOL(tls_client
);
1967 SHOW_STR_INLINE(ca_file
);
1969 SHOW_STR_INLINE(dh_file
);
1970 if ((o
->management_flags
& MF_EXTERNAL_CERT
))
1972 SHOW_PARM("cert_file", "EXTERNAL_CERT", "%s");
1976 SHOW_STR_INLINE(cert_file
);
1978 SHOW_STR_INLINE(extra_certs_file
);
1980 if ((o
->management_flags
& MF_EXTERNAL_KEY
))
1982 SHOW_PARM("priv_key_file", "EXTERNAL_PRIVATE_KEY", "%s");
1986 SHOW_STR_INLINE(priv_key_file
);
1988 #ifndef ENABLE_CRYPTO_MBEDTLS
1989 SHOW_STR_INLINE(pkcs12_file
);
1991 #ifdef ENABLE_CRYPTOAPI
1992 SHOW_STR(cryptoapi_cert
);
1994 SHOW_STR(cipher_list
);
1995 SHOW_STR(cipher_list_tls13
);
1996 SHOW_STR(tls_cert_profile
);
1997 SHOW_STR(tls_verify
);
1998 SHOW_STR(tls_export_cert
);
1999 SHOW_INT(verify_x509_type
);
2000 SHOW_STR(verify_x509_name
);
2001 SHOW_STR_INLINE(crl_file
);
2002 SHOW_INT(ns_cert_type
);
2005 for (i
= 0; i
<MAX_PARMS
; i
++)
2007 SHOW_INT(remote_cert_ku
[i
]);
2010 SHOW_STR(remote_cert_eku
);
2013 SHOW_INT(verify_hash_algo
);
2014 SHOW_INT(verify_hash_depth
);
2015 struct gc_arena gc
= gc_new();
2016 struct verify_hash_list
*hl
= o
->verify_hash
;
2017 int digest_len
= (o
->verify_hash_algo
== MD_SHA1
) ? SHA_DIGEST_LENGTH
:
2018 SHA256_DIGEST_LENGTH
;
2021 char *s
= format_hex_ex(hl
->hash
, digest_len
, 0,
2023 SHOW_PARM(verify_hash
, s
, "%s");
2028 SHOW_INT(ssl_flags
);
2030 SHOW_INT(tls_timeout
);
2032 SHOW_INT(renegotiate_bytes
);
2033 SHOW_INT(renegotiate_packets
);
2034 SHOW_INT(renegotiate_seconds
);
2036 SHOW_INT(handshake_window
);
2037 SHOW_INT(transition_window
);
2039 SHOW_BOOL(single_session
);
2040 SHOW_BOOL(push_peer_info
);
2041 SHOW_BOOL(tls_exit
);
2043 SHOW_STR(tls_crypt_v2_metadata
);
2045 #ifdef ENABLE_PKCS11
2048 for (i
= 0; i
<MAX_PARMS
&& o
->pkcs11_providers
[i
] != NULL
; i
++)
2050 SHOW_PARM(pkcs11_providers
, o
->pkcs11_providers
[i
], "%s");
2055 for (i
= 0; i
<MAX_PARMS
; i
++)
2057 SHOW_PARM(pkcs11_protected_authentication
, o
->pkcs11_protected_authentication
[i
] ? "ENABLED" : "DISABLED", "%s");
2062 for (i
= 0; i
<MAX_PARMS
; i
++)
2064 SHOW_PARM(pkcs11_private_mode
, o
->pkcs11_private_mode
[i
], "%08x");
2069 for (i
= 0; i
<MAX_PARMS
; i
++)
2071 SHOW_PARM(pkcs11_cert_private
, o
->pkcs11_cert_private
[i
] ? "ENABLED" : "DISABLED", "%s");
2074 SHOW_INT(pkcs11_pin_cache_period
);
2075 SHOW_STR(pkcs11_id
);
2076 SHOW_BOOL(pkcs11_id_management
);
2077 #endif /* ENABLE_PKCS11 */
2082 SHOW_BOOL(show_net_up
);
2083 SHOW_INT(route_method
);
2084 SHOW_BOOL(block_outside_dns
);
2085 show_tuntap_options(&o
->tuntap_options
);
2087 #endif /* ifndef ENABLE_SMALL */
2095 #ifdef ENABLE_MANAGEMENT
/*
 * Build an http_proxy_options object for the http-proxy-override
 * management directive.
 *
 * Visible behaviour:
 *  - ho is allocated with ALLOC_OBJ_CLEAR_GC from the caller-supplied
 *    gc_arena, so it shares the caller's arena lifetime and is never
 *    freed on its own.
 *  - ho->server is a gc-owned copy of `server` (string_alloc), not an
 *    alias of the caller's string.
 *  - `flags` equal to "nct" selects PAR_NCT (presumably "no clear-text"
 *    auth retry); anything else, including a NULL `flags`, selects PAR_ALL.
 *  - http_version and user_agent are fixed string literals.
 * NOTE(review): the full parameter list and the return path are not
 * shown in this section; presumably the allocated object is returned and
 * a missing server yields NULL -- confirm against the surrounding code.
 */
2097 static struct http_proxy_options
*
2098 parse_http_proxy_override(const char *server
,
2102 struct gc_arena
*gc
)
2106 struct http_proxy_options
*ho
;
2107 ALLOC_OBJ_CLEAR_GC(ho
, struct http_proxy_options
, gc
);
2108 ho
->server
= string_alloc(server
, gc
);
/* "nct" is the only recognised flag value; NULL is tolerated via the && short-circuit */
2110 if (flags
&& !strcmp(flags
, "nct"))
2112 ho
->auth_retry
= PAR_NCT
;
2116 ho
->auth_retry
= PAR_ALL
;
2118 ho
->http_version
= "1.0";
2119 ho
->user_agent
= "OpenVPN-Autoproxy/1.0";
/*
 * Apply o->http_proxy_override to every entry of o->connection_list.
 *
 * Visible behaviour: an entry whose proto is PROTO_TCP_CLIENT or PROTO_TCP
 * gets its http_proxy_options pointed at o->http_proxy_override (the
 * pointer is shared, not copied).  Entries whose proto is PROTO_UDP get
 * CE_DISABLED set, because the HTTP proxy path is TCP-only (see the
 * "--http-proxy MUST be used in TCP Client mode" check in
 * options_postprocess_verify_ce).  When no TCP-based entry exists the
 * override is reported as ignored at M_WARN.
 * NOTE(review): `succeed` is declared here but the line that sets it and
 * the branch that tests it are not shown in this section; presumably the
 * UDP-disabling loop runs only after at least one TCP entry was matched
 * and the M_WARN is the else-branch -- confirm.
 */
2129 options_postprocess_http_proxy_override(struct options
*o
)
2131 const struct connection_list
*l
= o
->connection_list
;
2133 bool succeed
= false;
/* pass 1: attach the override to every TCP-capable entry */
2134 for (i
= 0; i
< l
->len
; ++i
)
2136 struct connection_entry
*ce
= l
->array
[i
];
2137 if (ce
->proto
== PROTO_TCP_CLIENT
|| ce
->proto
== PROTO_TCP
)
2139 ce
->http_proxy_options
= o
->http_proxy_override
;
/* pass 2: UDP entries cannot go through the proxy, so take them out of rotation */
2145 for (i
= 0; i
< l
->len
; ++i
)
2147 struct connection_entry
*ce
= l
->array
[i
];
2148 if (ce
->proto
== PROTO_UDP
)
2150 ce
->flags
|= CE_DISABLED
;
2156 msg(M_WARN
, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
2160 #endif /* ifdef ENABLE_MANAGEMENT */
/*
 * Return options->connection_list, creating it on first use.
 *
 * The list object is allocated with ALLOC_OBJ_CLEAR_GC from the options'
 * own arena (&options->gc), so its lifetime follows that arena and the
 * caller never frees it.  The _CLEAR_ variant is presumably what leaves
 * len/capacity/array zeroed for the first alloc_connection_entry() call
 * (the macro definition is not in this section -- confirm).
 */
static struct connection_list *
alloc_connection_list_if_undef(struct options *options)
{
    struct connection_list *list = options->connection_list;

    if (list == NULL)
    {
        ALLOC_OBJ_CLEAR_GC(options->connection_list, struct connection_list,
                           &options->gc);
        list = options->connection_list;
    }

    return list;
}
/*
 * Append a fresh connection_entry to options->connection_list and return it.
 *
 * The list is created on demand via alloc_connection_list_if_undef().
 * When len == capacity the pointer array is grown by CONNECTION_LIST_SIZE
 * slots with gc_realloc in &options->gc; a failed grow is reported at
 * `msglevel` together with the current entry count, so callers choose
 * whether that is fatal by the level they pass.  The entry itself comes
 * from ALLOC_OBJ_GC rather than the _CLEAR_ variant, so presumably it is
 * not zero-filled -- callers should initialise every field they rely on
 * (confirm against the macro definition).
 * NOTE(review): the failure return after the msg() and the assignment of
 * the grown array back to l->array are not shown in this section.
 */
2172 static struct connection_entry
*
2173 alloc_connection_entry(struct options
*options
, const int msglevel
)
2175 struct connection_list
*l
= alloc_connection_list_if_undef(options
);
2176 struct connection_entry
*e
;
/* grow the pointer array in fixed CONNECTION_LIST_SIZE steps */
2178 if (l
->len
== l
->capacity
)
2180 int capacity
= l
->capacity
+ CONNECTION_LIST_SIZE
;
2181 struct connection_entry
**ce
= gc_realloc(l
->array
, capacity
*sizeof(struct connection_entry
*), &options
->gc
);
2184 msg(msglevel
, "Unable to process more connection options: out of memory. Number of entries = %d", l
->len
);
2188 l
->capacity
= capacity
;
2190 ALLOC_OBJ_GC(e
, struct connection_entry
, &options
->gc
);
2191 l
->array
[l
->len
++] = e
;
/*
 * Return options->remote_list, allocating it the first time it is needed.
 *
 * Storage comes from ALLOC_OBJ_CLEAR_GC in the options' own arena
 * (&options->gc); ownership stays with the arena, so callers never free
 * the result.  Parallel to alloc_connection_list_if_undef().
 */
static struct remote_list *
alloc_remote_list_if_undef(struct options *options)
{
    if (options->remote_list != NULL)
    {
        /* already created by an earlier --remote */
        return options->remote_list;
    }

    ALLOC_OBJ_CLEAR_GC(options->remote_list, struct remote_list, &options->gc);
    return options->remote_list;
}
/*
 * Append a fresh remote_entry to options->remote_list and return it.
 *
 * Mirrors alloc_connection_entry(): the list is created on demand
 * (alloc_remote_list_if_undef), the pointer array grows by
 * CONNECTION_LIST_SIZE slots through gc_realloc in &options->gc, and a
 * failed grow is reported at `msglevel` with the current entry count.
 * The entry is allocated with ALLOC_OBJ_GC (not the _CLEAR_ variant), so
 * presumably it is not zero-filled -- confirm against the macro.
 * NOTE(review): the failure return and the store of the grown array into
 * l->array are not shown in this section.
 */
2205 static struct remote_entry
*
2206 alloc_remote_entry(struct options
*options
, const int msglevel
)
2208 struct remote_list
*l
= alloc_remote_list_if_undef(options
);
2209 struct remote_entry
*e
;
/* same fixed-step growth policy as the connection list */
2211 if (l
->len
== l
->capacity
)
2213 int capacity
= l
->capacity
+ CONNECTION_LIST_SIZE
;
2214 struct remote_entry
**re
= gc_realloc(l
->array
, capacity
*sizeof(struct remote_entry
*), &options
->gc
);
2217 msg(msglevel
, "Unable to process more remote options: out of memory. Number of entries = %d", l
->len
);
2221 l
->capacity
= capacity
;
2223 ALLOC_OBJ_GC(e
, struct remote_entry
, &options
->gc
);
2224 l
->array
[l
->len
++] = e
;
/*
 * Return o->pull_filter_list, creating the (cleared) list head on first
 * use from the options' arena (&o->gc).  Arena-owned: never freed by the
 * caller.  Same pattern as alloc_connection_list_if_undef() and
 * alloc_remote_list_if_undef().
 */
static struct pull_filter_list *
alloc_pull_filter_list(struct options *o)
{
    if (o->pull_filter_list != NULL)
    {
        return o->pull_filter_list;
    }

    ALLOC_OBJ_CLEAR_GC(o->pull_filter_list, struct pull_filter_list, &o->gc);
    return o->pull_filter_list;
}
/*
 * Allocate a new, zeroed pull_filter for o->pull_filter_list.
 *
 * Visible behaviour: the list head is created on demand
 * (alloc_pull_filter_list) and the filter is allocated with
 * ALLOC_OBJ_CLEAR_GC from &o->gc, so type/pattern start out zero/NULL
 * and the object is owned by the options arena.  `msglevel` is accepted
 * for symmetry with alloc_connection_entry()/alloc_remote_entry() but is
 * not referenced in the lines shown here.
 * NOTE(review): the linking of `f` into the list and the return statement
 * are not shown in this section -- presumably it is appended at the tail;
 * confirm (show_pull_filter_list walks the list via ->next).
 */
2238 static struct pull_filter
*
2239 alloc_pull_filter(struct options
*o
, const int msglevel
)
2241 struct pull_filter_list
*l
= alloc_pull_filter_list(o
);
2242 struct pull_filter
*f
;
2244 ALLOC_OBJ_CLEAR_GC(f
, struct pull_filter
, &o
->gc
);
/*
 * Copy the per---remote settings of `re` into the connection entry `ce`.
 *
 * Visible behaviour: ce->remote takes re->remote; ce->remote_port is
 * overwritten only when re->remote_port is set, so an entry keeps its own
 * port when the --remote line did not give one; ce->proto takes re->proto.
 * NOTE(review): the guards around the remote and proto assignments (and
 * any address-family copy) are not shown in this section; presumably the
 * proto copy is conditional on re->proto being defined -- confirm.
 */
2260 connection_entry_load_re(struct connection_entry
*ce
, const struct remote_entry
*re
)
2264 ce
->remote
= re
->remote
;
/* only a port explicitly given on the --remote line overrides the entry's port */
2266 if (re
->remote_port
)
2268 ce
->remote_port
= re
->remote_port
;
2272 ce
->proto
= re
->proto
;
/*
 * Replace a key-file *path* with the file's *contents* (presumably so the
 * key material remains available after a later chroot or privilege drop
 * -- confirm with the callers).
 *
 * Acts only when key_file points at a non-NULL path and *key_inline is
 * false.  The file is read into an arena-owned buffer
 * (buffer_read_from_file with `gc`), so the loaded key lives as long as
 * that arena.  An unreadable or empty file is fatal (M_FATAL): a
 * misconfigured key path aborts startup instead of continuing without the
 * key.  On success *key_file is repointed at the buffer's data.
 * NOTE(review): *key_inline is presumably set to true afterwards so later
 * code treats the string as inline material; that line is not shown in
 * this section -- confirm.
 */
2281 connection_entry_preload_key(const char **key_file
, bool *key_inline
,
2282 struct gc_arena
*gc
)
2284 if (key_file
&& *key_file
&& !(*key_inline
))
2286 struct buffer in
= buffer_read_from_file(*key_file
, gc
);
/* fail closed: never proceed with an unreadable key file */
2287 if (!buf_valid(&in
))
2289 msg(M_FATAL
, "Cannot pre-load keyfile (%s)", *key_file
);
2292 *key_file
= (const char *) in
.data
;
/*
 * Require at least one peer-verification source in TLS mode.
 *
 * Visible accepting conditions: options->verify_hash_no_ca (peer
 * fingerprint verification without a CA) or options->pkcs12_file (a
 * PKCS#12 bundle, which can carry the CA).  The usage text also names
 * --ca and --capath; their tests sit in the lines not shown here, with
 * the --capath clause compiled in only when ENABLE_CRYPTO_MBEDTLS is not
 * defined -- consistent with the "--capath cannot be used with the mbed
 * TLS version" check in options_postprocess_verify_ce.  If nothing
 * acceptable is configured the function fails with M_USAGE, so a TLS
 * configuration can never start with no means of authenticating the peer.
 */
2298 check_ca_required(const struct options
*options
)
2300 if (options
->verify_hash_no_ca
2301 || options
->pkcs12_file
2303 #ifndef ENABLE_CRYPTO_MBEDTLS
/* the accepted-options text is assembled at compile time to match the build */
2311 const char *const str
= "You must define CA file (--ca)"
2312 #ifndef ENABLE_CRYPTO_MBEDTLS
2313 " or CA path (--capath)"
2315 " and/or peer fingerprint verification (--peer-fingerprint)";
2316 msg(M_USAGE
, "%s", str
);
2320 options_postprocess_verify_ce(const struct options
*options
,
2321 const struct connection_entry
*ce
)
2323 struct options defaults
;
2324 int dev
= DEV_TYPE_UNDEF
;
2327 init_options(&defaults
, true);
2329 if (options
->test_crypto
)
2331 notnull(options
->shared_secret_file
, "key file (--secret)");
2335 notnull(options
->dev
, "TUN/TAP device (--dev)");
2339 * Get tun/tap/null device type
2341 dev
= dev_type_enum(options
->dev
, options
->dev_type
);
2344 * If "proto tcp" is specified, make sure we know whether it is
2345 * tcp-client or tcp-server.
2347 if (ce
->proto
== PROTO_TCP
)
2350 "--proto tcp is ambiguous in this context. Please specify "
2351 "--proto tcp-server or --proto tcp-client");
2354 if (options
->lladdr
&& dev
!= DEV_TYPE_TAP
)
2356 msg(M_USAGE
, "--lladdr can only be used in --dev tap mode");
2360 * Sanity check on MTU parameters
2362 if (options
->ce
.tun_mtu_defined
&& options
->ce
.link_mtu_defined
)
2364 msg(M_USAGE
, "only one of --tun-mtu or --link-mtu may be defined");
2367 if (!proto_is_udp(ce
->proto
) && options
->mtu_test
)
2369 msg(M_USAGE
, "--mtu-test only makes sense with --proto udp");
2372 /* will we be pulling options from server? */
2373 pull
= options
->pull
;
2376 * Sanity check on --local, --remote, and --ifconfig
2379 if (proto_is_net(ce
->proto
)
2380 && string_defined_equal(ce
->local
, ce
->remote
)
2381 && string_defined_equal(ce
->local_port
, ce
->remote_port
))
2383 msg(M_USAGE
, "--remote and --local addresses are the same");
2386 if (string_defined_equal(ce
->remote
, options
->ifconfig_local
)
2387 || string_defined_equal(ce
->remote
, options
->ifconfig_remote_netmask
))
2390 "--local and --remote addresses must be distinct from --ifconfig "
2394 if (string_defined_equal(ce
->local
, options
->ifconfig_local
)
2395 || string_defined_equal(ce
->local
, options
->ifconfig_remote_netmask
))
2398 "--local addresses must be distinct from --ifconfig addresses");
2401 if (string_defined_equal(options
->ifconfig_local
,
2402 options
->ifconfig_remote_netmask
))
2405 "local and remote/netmask --ifconfig addresses must be different");
2408 if (ce
->bind_defined
&& !ce
->bind_local
)
2410 msg(M_USAGE
, "--bind and --nobind can't be used together");
2413 if (ce
->local
&& !ce
->bind_local
)
2416 "--local and --nobind don't make sense when used together");
2419 if (ce
->local_port_defined
&& !ce
->bind_local
)
2422 "--lport and --nobind don't make sense when used together");
2425 if (!ce
->remote
&& !ce
->bind_local
)
2427 msg(M_USAGE
, "--nobind doesn't make sense unless used with --remote");
2431 * Check for consistency of management options
2433 #ifdef ENABLE_MANAGEMENT
2434 if (!options
->management_addr
2435 && (options
->management_flags
2436 || options
->management_log_history_cache
!= defaults
.management_log_history_cache
))
2438 msg(M_USAGE
, "--management is not specified, however one or more options which modify the behavior of --management were specified");
2441 if ((options
->management_client_user
|| options
->management_client_group
)
2442 && !(options
->management_flags
& MF_UNIX_SOCK
))
2444 msg(M_USAGE
, "--management-client-(user|group) can only be used on unix domain sockets");
2447 if (options
->management_addr
2448 && !(options
->management_flags
& MF_UNIX_SOCK
)
2449 && (!options
->management_user_pass
))
2451 msg(M_WARN
, "WARNING: Using --management on a TCP port WITHOUT "
2452 "passwords is STRONGLY discouraged and considered insecure");
2455 #endif /* ifdef ENABLE_MANAGEMENT */
2457 #if !defined(HAVE_XKEY_PROVIDER)
2458 if ((tls_version_max() >= TLS_VER_1_3
)
2459 && (options
->management_flags
& MF_EXTERNAL_KEY
)
2460 && !(options
->management_flags
& (MF_EXTERNAL_KEY_NOPADDING
))
2463 msg(M_FATAL
, "management-external-key with TLS 1.3 or later requires "
2464 "nopadding argument/support");
2468 * Windows-specific options.
2472 if (dev
== DEV_TYPE_TUN
&& !(pull
|| (options
->ifconfig_local
&& options
->ifconfig_remote_netmask
)))
2474 msg(M_USAGE
, "On Windows, --ifconfig is required when --dev tun is used");
2477 if ((options
->tuntap_options
.ip_win32_defined
)
2478 && !(pull
|| (options
->ifconfig_local
&& options
->ifconfig_remote_netmask
)))
2480 msg(M_USAGE
, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2483 if (options
->tuntap_options
.dhcp_options
& DHCP_OPTIONS_DHCP_REQUIRED
)
2485 const char *prefix
= "Some dhcp-options require DHCP server";
2486 if (options
->windows_driver
!= WINDOWS_DRIVER_TAP_WINDOWS6
)
2488 msg(M_USAGE
, "%s, which is not supported by selected %s driver",
2489 prefix
, print_windows_driver(options
->windows_driver
));
2491 else if (options
->tuntap_options
.ip_win32_type
!= IPW32_SET_DHCP_MASQ
2492 && options
->tuntap_options
.ip_win32_type
!= IPW32_SET_ADAPTIVE
)
2494 msg(M_USAGE
, "%s, which requires --ip-win32 dynamic or adaptive",
2499 if (options
->windows_driver
== WINDOWS_DRIVER_WINTUN
&& dev
!= DEV_TYPE_TUN
)
2501 msg(M_USAGE
, "--windows-driver wintun requires --dev tun");
2503 #endif /* ifdef _WIN32 */
2506 * Check that protocol options make sense.
2509 #ifdef ENABLE_FRAGMENT
2510 if (!proto_is_udp(ce
->proto
) && ce
->fragment
)
2512 msg(M_USAGE
, "--fragment can only be used with --proto udp");
2516 if (!ce
->remote
&& ce
->proto
== PROTO_TCP_CLIENT
)
2518 msg(M_USAGE
, "--remote MUST be used in TCP Client mode");
2521 if ((ce
->http_proxy_options
) && ce
->proto
!= PROTO_TCP_CLIENT
)
2524 "--http-proxy MUST be used in TCP Client mode (i.e. --proto "
2528 if ((ce
->http_proxy_options
) && !ce
->http_proxy_options
->server
)
2531 "--http-proxy not specified but other http proxy options present");
2534 if (ce
->http_proxy_options
&& ce
->socks_proxy_server
)
2537 "--http-proxy can not be used together with --socks-proxy");
2540 if (ce
->socks_proxy_server
&& ce
->proto
== PROTO_TCP_SERVER
)
2542 msg(M_USAGE
, "--socks-proxy can not be used in TCP Server mode");
2545 if (ce
->proto
== PROTO_TCP_SERVER
&& (options
->connection_list
->len
> 1))
2547 msg(M_USAGE
, "TCP server mode allows at most one --remote address");
2551 * Check consistency of --mode server options.
2553 if (options
->mode
== MODE_SERVER
)
2555 #define USAGE_VALID_SERVER_PROTOS "--mode server currently only supports " \
2556 "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
2557 #ifdef TARGET_ANDROID
2558 msg(M_FATAL
, "--mode server not supported on Android");
2560 if (!(dev
== DEV_TYPE_TUN
|| dev
== DEV_TYPE_TAP
))
2562 msg(M_USAGE
, "--mode server only works with --dev tun or --dev tap");
2566 msg(M_USAGE
, "--pull cannot be used with --mode server");
2568 if (options
->pull_filter_list
)
2570 msg(M_WARN
, "--pull-filter ignored for --mode server");
2572 if (!(proto_is_udp(ce
->proto
) || ce
->proto
== PROTO_TCP_SERVER
))
2574 msg(M_USAGE
, USAGE_VALID_SERVER_PROTOS
);
2577 if ((options
->port_share_host
|| options
->port_share_port
)
2578 && (ce
->proto
!= PROTO_TCP_SERVER
))
2580 msg(M_USAGE
, "--port-share only works in TCP server mode "
2581 "(--proto values of tcp-server, tcp4-server, or tcp6-server)");
2584 if (!options
->tls_server
)
2586 msg(M_USAGE
, "--mode server requires --tls-server");
2590 msg(M_USAGE
, "--remote cannot be used with --mode server");
2592 if (!ce
->bind_local
)
2594 msg(M_USAGE
, "--nobind cannot be used with --mode server");
2596 if (ce
->http_proxy_options
)
2598 msg(M_USAGE
, "--http-proxy cannot be used with --mode server");
2600 if (ce
->socks_proxy_server
)
2602 msg(M_USAGE
, "--socks-proxy cannot be used with --mode server");
2604 /* <connection> blocks force to have a remote embedded, so we check
2605 * for the --remote and bail out if it is present
2607 if (options
->connection_list
->len
>1
2608 || options
->connection_list
->array
[0]->remote
)
2610 msg(M_USAGE
, "<connection> cannot be used with --mode server");
2613 if (options
->shaper
)
2615 msg(M_USAGE
, "--shaper cannot be used with --mode server");
2617 if (options
->ipchange
)
2620 "--ipchange cannot be used with --mode server (use "
2621 "--client-connect instead)");
2623 if (!(proto_is_dgram(ce
->proto
) || ce
->proto
== PROTO_TCP_SERVER
))
2625 msg(M_USAGE
, USAGE_VALID_SERVER_PROTOS
);
2627 if (!proto_is_udp(ce
->proto
) && (options
->cf_max
|| options
->cf_per
))
2629 msg(M_USAGE
, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2631 if (!(dev
== DEV_TYPE_TAP
|| (dev
== DEV_TYPE_TUN
&& options
->topology
== TOP_SUBNET
)) && options
->ifconfig_pool_netmask
)
2633 msg(M_USAGE
, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2635 if (options
->routes
&& (options
->routes
->flags
& RG_ENABLE
))
2637 msg(M_USAGE
, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2639 if (options
->route_delay_defined
)
2641 msg(M_USAGE
, "--route-delay cannot be used with --mode server");
2643 if (options
->up_delay
)
2645 msg(M_USAGE
, "--up-delay cannot be used with --mode server");
2647 if (!options
->ifconfig_pool_defined
2648 && !options
->ifconfig_ipv6_pool_defined
2649 && options
->ifconfig_pool_persist_filename
)
2652 "--ifconfig-pool-persist must be used with --ifconfig-pool or --ifconfig-ipv6-pool");
2654 if (options
->ifconfig_ipv6_pool_defined
&& !options
->ifconfig_ipv6_local
)
2656 msg(M_USAGE
, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2658 if (options
->allow_recursive_routing
)
2660 msg(M_USAGE
, "--allow-recursive-routing cannot be used with --mode server");
2662 if (options
->auth_user_pass_file
)
2664 msg(M_USAGE
, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2666 if (options
->ccd_exclusive
&& !options
->client_config_dir
)
2668 msg(M_USAGE
, "--ccd-exclusive must be used with --client-config-dir");
2670 if (options
->auth_token_generate
&& !options
->renegotiate_seconds
)
2672 msg(M_USAGE
, "--auth-gen-token needs a non-infinite "
2673 "--renegotiate_seconds setting");
2675 if (options
->auth_token_generate
&& options
->auth_token_renewal
2676 && options
->auth_token_renewal
< 2 * options
->handshake_window
)
2678 msg(M_USAGE
, "--auth-gen-token renewal time needs to be at least "
2679 " two times --hand-window (%d).",
2680 options
->handshake_window
);
2684 const bool ccnr
= (options
->auth_user_pass_verify_script
2685 || PLUGIN_OPTION_LIST(options
)
2686 || MAN_CLIENT_AUTH_ENABLED(options
));
2687 const char *postfix
= "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2688 if ((options
->ssl_flags
& (SSLF_CLIENT_CERT_NOT_REQUIRED
|SSLF_CLIENT_CERT_OPTIONAL
)) && !ccnr
)
2690 msg(M_USAGE
, "--verify-client-cert none|optional %s", postfix
);
2692 if ((options
->ssl_flags
& SSLF_USERNAME_AS_COMMON_NAME
) && !ccnr
)
2694 msg(M_USAGE
, "--username-as-common-name %s", postfix
);
2696 if ((options
->ssl_flags
& SSLF_AUTH_USER_PASS_OPTIONAL
) && !ccnr
)
2698 msg(M_USAGE
, "--auth-user-pass-optional %s", postfix
);
2702 if (options
->vlan_tagging
&& dev
!= DEV_TYPE_TAP
)
2704 msg(M_USAGE
, "--vlan-tagging must be used with --dev tap");
2706 if (!options
->vlan_tagging
)
2708 if (options
->vlan_accept
!= defaults
.vlan_accept
)
2710 msg(M_USAGE
, "--vlan-accept requires --vlan-tagging");
2712 if (options
->vlan_pvid
!= defaults
.vlan_pvid
)
2714 msg(M_USAGE
, "--vlan-pvid requires --vlan-tagging");
2721 * When not in server mode, err if parameters are
2722 * specified which require --mode server.
2724 if (options
->ifconfig_pool_defined
|| options
->ifconfig_pool_persist_filename
)
2726 msg(M_USAGE
, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
2728 if (options
->ifconfig_ipv6_pool_defined
)
2730 msg(M_USAGE
, "--ifconfig-ipv6-pool requires --mode server");
2732 if (options
->real_hash_size
!= defaults
.real_hash_size
2733 || options
->virtual_hash_size
!= defaults
.virtual_hash_size
)
2735 msg(M_USAGE
, "--hash-size requires --mode server");
2737 if (options
->learn_address_script
)
2739 msg(M_USAGE
, "--learn-address requires --mode server");
2741 if (options
->client_connect_script
)
2743 msg(M_USAGE
, "--client-connect requires --mode server");
2745 if (options
->client_crresponse_script
)
2747 msg(M_USAGE
, "--client-crresponse requires --mode server");
2749 if (options
->client_disconnect_script
)
2751 msg(M_USAGE
, "--client-disconnect requires --mode server");
2753 if (options
->client_config_dir
|| options
->ccd_exclusive
)
2755 msg(M_USAGE
, "--client-config-dir/--ccd-exclusive requires --mode server");
2757 if (options
->enable_c2c
)
2759 msg(M_USAGE
, "--client-to-client requires --mode server");
2761 if (options
->duplicate_cn
)
2763 msg(M_USAGE
, "--duplicate-cn requires --mode server");
2765 if (options
->cf_max
|| options
->cf_per
)
2767 msg(M_USAGE
, "--connect-freq requires --mode server");
2769 if (options
->ssl_flags
& (SSLF_CLIENT_CERT_NOT_REQUIRED
|SSLF_CLIENT_CERT_OPTIONAL
))
2771 msg(M_USAGE
, "--verify-client-cert requires --mode server");
2773 if (options
->ssl_flags
& SSLF_USERNAME_AS_COMMON_NAME
)
2775 msg(M_USAGE
, "--username-as-common-name requires --mode server");
2777 if (options
->ssl_flags
& SSLF_AUTH_USER_PASS_OPTIONAL
)
2779 msg(M_USAGE
, "--auth-user-pass-optional requires --mode server");
2781 if (options
->ssl_flags
& SSLF_OPT_VERIFY
)
2783 msg(M_USAGE
, "--opt-verify requires --mode server");
2785 if (options
->server_flags
& SF_TCP_NODELAY_HELPER
)
2787 msg(M_WARN
, "WARNING: setting tcp-nodelay on the client side will not "
2788 "affect the server. To have TCP_NODELAY in both direction use "
2789 "tcp-nodelay in the server configuration instead.");
2791 if (options
->auth_user_pass_verify_script
)
2793 msg(M_USAGE
, "--auth-user-pass-verify requires --mode server");
2795 if (options
->auth_token_generate
)
2797 msg(M_USAGE
, "--auth-gen-token requires --mode server");
2800 if (options
->port_share_host
|| options
->port_share_port
)
2802 msg(M_USAGE
, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2806 if (options
->stale_routes_check_interval
)
2808 msg(M_USAGE
, "--stale-routes-check requires --mode server");
2811 if (options
->vlan_tagging
)
2813 msg(M_USAGE
, "--vlan-tagging requires --mode server");
2818 * Check consistency of replay options
2820 if (!options
->replay
2821 && (options
->replay_window
!= defaults
.replay_window
2822 || options
->replay_time
!= defaults
.replay_time
))
2824 msg(M_USAGE
, "--replay-window doesn't make sense when replay protection is disabled with --no-replay");
2828 * SSL/TLS mode sanity checks.
2830 if (options
->tls_server
+ options
->tls_client
2831 +(options
->shared_secret_file
!= NULL
) > 1)
2833 msg(M_USAGE
, "specify only one of --tls-server, --tls-client, or --secret");
2836 if (!options
->tls_server
&& !options
->tls_client
)
2838 msg(M_INFO
, "DEPRECATION: No tls-client or tls-server option in "
2839 "configuration detected. OpenVPN 2.7 will remove the "
2840 "functionality to run a VPN without TLS. "
2841 "See the examples section in the manual page for "
2842 "examples of a similar quick setup with peer-fingerprint.");
2845 if (options
->ssl_flags
& (SSLF_CLIENT_CERT_NOT_REQUIRED
|SSLF_CLIENT_CERT_OPTIONAL
))
2847 msg(M_WARN
, "WARNING: POTENTIALLY DANGEROUS OPTION "
2848 "--verify-client-cert none|optional "
2849 "may accept clients which do not present a certificate");
2852 const int tls_version_max
=
2853 (options
->ssl_flags
>> SSLF_TLS_VERSION_MAX_SHIFT
)
2854 & SSLF_TLS_VERSION_MAX_MASK
;
2855 const int tls_version_min
=
2856 (options
->ssl_flags
>> SSLF_TLS_VERSION_MIN_SHIFT
)
2857 & SSLF_TLS_VERSION_MIN_MASK
;
2859 if (tls_version_max
> 0 && tls_version_max
< tls_version_min
)
2861 msg(M_USAGE
, "--tls-version-min bigger than --tls-version-max");
2864 if (options
->tls_server
|| options
->tls_client
)
2866 check_ca_required(options
);
2867 #ifdef ENABLE_PKCS11
2868 if (!options
->pkcs11_providers
[0] && options
->pkcs11_id
)
2870 msg(M_WARN
, "Option pkcs11-id is ignored as no pkcs11-providers are specified");
2872 else if (!options
->pkcs11_providers
[0] && options
->pkcs11_id_management
)
2874 msg(M_WARN
, "Option pkcs11-id-management is ignored as no pkcs11-providers are specified");
2877 if (options
->pkcs11_providers
[0])
2879 if (options
->pkcs11_id_management
&& options
->pkcs11_id
!= NULL
)
2881 msg(M_USAGE
, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2883 if (!options
->pkcs11_id_management
&& options
->pkcs11_id
== NULL
)
2885 msg(M_USAGE
, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2887 if (options
->cert_file
)
2889 msg(M_USAGE
, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
2891 if (options
->priv_key_file
)
2893 msg(M_USAGE
, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
2895 if (options
->management_flags
& MF_EXTERNAL_KEY
)
2897 msg(M_USAGE
, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
2899 if (options
->management_flags
& MF_EXTERNAL_CERT
)
2901 msg(M_USAGE
, "Parameter --management-external-cert cannot be used when --pkcs11-provider is also specified.");
2903 if (options
->pkcs12_file
)
2905 msg(M_USAGE
, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
2907 #ifdef ENABLE_CRYPTOAPI
2908 if (options
->cryptoapi_cert
)
2910 msg(M_USAGE
, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
2915 #endif /* ifdef ENABLE_PKCS11 */
2916 if ((options
->management_flags
& MF_EXTERNAL_KEY
) && options
->priv_key_file
)
2918 msg(M_USAGE
, "--key and --management-external-key are mutually exclusive");
2920 else if ((options
->management_flags
& MF_EXTERNAL_CERT
))
2922 if (options
->cert_file
)
2924 msg(M_USAGE
, "--cert and --management-external-cert are mutually exclusive");
2926 else if (!(options
->management_flags
& MF_EXTERNAL_KEY
))
2928 msg(M_USAGE
, "--management-external-cert must be used with --management-external-key");
2932 #ifdef ENABLE_CRYPTOAPI
2933 if (options
->cryptoapi_cert
)
2935 if (options
->cert_file
)
2937 msg(M_USAGE
, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
2939 if (options
->priv_key_file
)
2941 msg(M_USAGE
, "Parameter --key cannot be used when --cryptoapicert is also specified.");
2943 if (options
->pkcs12_file
)
2945 msg(M_USAGE
, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
2947 if (options
->management_flags
& MF_EXTERNAL_KEY
)
2949 msg(M_USAGE
, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified.");
2951 if (options
->management_flags
& MF_EXTERNAL_CERT
)
2953 msg(M_USAGE
, "Parameter --management-external-cert cannot be used when --cryptoapicert is also specified.");
2957 #endif /* ifdef ENABLE_CRYPTOAPI */
2958 if (options
->pkcs12_file
)
2960 #ifdef ENABLE_CRYPTO_MBEDTLS
2961 msg(M_USAGE
, "Parameter --pkcs12 cannot be used with the mbed TLS version version of OpenVPN.");
2963 if (options
->ca_path
)
2965 msg(M_USAGE
, "Parameter --capath cannot be used when --pkcs12 is also specified.");
2967 if (options
->cert_file
)
2969 msg(M_USAGE
, "Parameter --cert cannot be used when --pkcs12 is also specified.");
2971 if (options
->priv_key_file
)
2973 msg(M_USAGE
, "Parameter --key cannot be used when --pkcs12 is also specified.");
2975 if (options
->management_flags
& MF_EXTERNAL_KEY
)
2977 msg(M_USAGE
, "Parameter --management-external-key cannot be used when --pkcs12 is also specified.");
2979 if (options
->management_flags
& MF_EXTERNAL_CERT
)
2981 msg(M_USAGE
, "Parameter --management-external-cert cannot be used when --pkcs12 is also specified.");
2983 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2987 #ifdef ENABLE_CRYPTO_MBEDTLS
2988 if (options
->ca_path
)
2990 msg(M_USAGE
, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN.");
2992 #endif /* ifdef ENABLE_CRYPTO_MBEDTLS */
2997 ((options
->cert_file
!= NULL
) || (options
->management_flags
& MF_EXTERNAL_CERT
))
2998 + ((options
->priv_key_file
!= NULL
) || (options
->management_flags
& MF_EXTERNAL_KEY
));
3002 if (!options
->auth_user_pass_file
)
3004 msg(M_USAGE
, "No client-side authentication method is "
3005 "specified. You must use either "
3006 "--cert/--key, --pkcs12, or "
3007 "--auth-user-pass");
3012 msg(M_USAGE
, "If you use one of --cert or --key, you must use them both");
3017 if (!(options
->management_flags
& MF_EXTERNAL_CERT
))
3019 notnull(options
->cert_file
, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
3021 if (!(options
->management_flags
& MF_EXTERNAL_KEY
))
3023 notnull(options
->priv_key_file
, "private key file (--key) or PKCS#12 file (--pkcs12)");
3027 if (ce
->tls_auth_file
&& ce
->tls_crypt_file
)
3029 msg(M_USAGE
, "--tls-auth and --tls-crypt are mutually exclusive");
3031 if (options
->tls_client
&& ce
->tls_crypt_v2_file
3032 && (ce
->tls_auth_file
|| ce
->tls_crypt_file
))
3034 msg(M_USAGE
, "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode");
3040 * Make sure user doesn't specify any TLS options
3041 * when in non-TLS mode.
3044 #define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) {msg(M_USAGE, err, #parm); \
3047 const char err
[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
3049 MUST_BE_UNDEF(ca_file
);
3050 MUST_BE_UNDEF(ca_path
);
3051 MUST_BE_UNDEF(dh_file
);
3052 MUST_BE_UNDEF(cert_file
);
3053 MUST_BE_UNDEF(priv_key_file
);
3054 #ifndef ENABLE_CRYPTO_MBEDTLS
3055 MUST_BE_UNDEF(pkcs12_file
);
3057 MUST_BE_UNDEF(cipher_list
);
3058 MUST_BE_UNDEF(cipher_list_tls13
);
3059 MUST_BE_UNDEF(tls_cert_profile
);
3060 MUST_BE_UNDEF(tls_verify
);
3061 MUST_BE_UNDEF(tls_export_cert
);
3062 MUST_BE_UNDEF(verify_x509_name
);
3063 MUST_BE_UNDEF(tls_timeout
);
3064 MUST_BE_UNDEF(renegotiate_bytes
);
3065 MUST_BE_UNDEF(renegotiate_packets
);
3066 MUST_BE_UNDEF(renegotiate_seconds
);
3067 MUST_BE_UNDEF(handshake_window
);
3068 MUST_BE_UNDEF(transition_window
);
3069 MUST_BE_UNDEF(tls_auth_file
);
3070 MUST_BE_UNDEF(tls_crypt_file
);
3071 MUST_BE_UNDEF(tls_crypt_v2_file
);
3072 MUST_BE_UNDEF(single_session
);
3073 MUST_BE_UNDEF(push_peer_info
);
3074 MUST_BE_UNDEF(tls_exit
);
3075 MUST_BE_UNDEF(crl_file
);
3076 MUST_BE_UNDEF(ns_cert_type
);
3077 MUST_BE_UNDEF(remote_cert_ku
[0]);
3078 MUST_BE_UNDEF(remote_cert_eku
);
3079 #ifdef ENABLE_PKCS11
3080 MUST_BE_UNDEF(pkcs11_providers
[0]);
3081 MUST_BE_UNDEF(pkcs11_private_mode
[0]);
3082 MUST_BE_UNDEF(pkcs11_id
);
3083 MUST_BE_UNDEF(pkcs11_id_management
);
3088 msg(M_USAGE
, err
, "--pull");
3091 #undef MUST_BE_UNDEF
3093 if (options
->auth_user_pass_file
&& !options
->pull
)
3095 msg(M_USAGE
, "--auth-user-pass requires --pull");
3098 uninit_options(&defaults
);
/*
 * Post-process one connection entry `ce` against the global options `o`
 * (called from options_postprocess_mutate() for every entry in
 * o->connection_list):
 *  - promote a plain --proto tcp to tcp-server when server-style options
 *    (server_defined / server_bridge_defined / server_bridge_proxy_dhcp)
 *    are present, otherwise to tcp-client;
 *  - drop the local bind (and local port) for tcp-client, socks and --pull
 *    entries unless --local / local port / --bind force it;
 *  - mark entries whose protocol differs from --proto-force as CE_DISABLED;
 *  - force IPv4 for UDP through a SOCKS proxy;
 *  - derive tun-mtu / tun-mtu-extra / mssfix defaults;
 *  - inherit the global tls-auth / tls-crypt / tls-crypt-v2 key settings
 *    when the entry defines none, then preload those key files;
 *  - disable --explicit-exit-notify for non-UDP entries.
 * Note: closing braces and several `else` lines are missing from this
 * listing, so the nesting has to be read from the gutter numbers.
 */
3102 options_postprocess_mutate_ce(struct options
*o
, struct connection_entry
*ce
)
3104 const int dev
= dev_type_enum(o
->dev
, o
->dev_type
);
/* Server-style options decide which side of a TCP connection this entry is;
 * the else branch that selects PROTO_TCP_CLIENT is not shown in this listing. */
3106 if (o
->server_defined
|| o
->server_bridge_defined
|| o
->server_bridge_proxy_dhcp
)
3108 if (ce
->proto
== PROTO_TCP
)
3110 ce
->proto
= PROTO_TCP_SERVER
;
3116 if (ce
->proto
== PROTO_TCP
)
3118 ce
->proto
= PROTO_TCP_CLIENT
;
3122 /* an option is present that requires local bind to enabled */
3123 bool need_bind
= ce
->local
|| ce
->local_port_defined
|| ce
->bind_defined
;
3125 /* socks proxy is enabled */
3126 bool uses_socks
= ce
->proto
== PROTO_UDP
&& ce
->socks_proxy_server
;
3128 /* If binding is not forced by an explicit option and we have (at least)
3129 * one of --tcp-client, --pull (or --client), or socks we do not bind
3130 * locally to have "normal" IP client behaviour of a random source port */
3131 if (!need_bind
&& (ce
->proto
== PROTO_TCP_CLIENT
|| uses_socks
|| o
->pull
))
3133 ce
->bind_local
= false;
/* Without a local bind there is no local port to honour. */
3136 if (!ce
->bind_local
)
3138 ce
->local_port
= NULL
;
3141 /* if protocol forcing is enabled, disable all protocols
3142 * except for the forced one
3144 if (o
->proto_force
>= 0 && o
->proto_force
!= ce
->proto
)
3146 ce
->flags
|= CE_DISABLED
;
3149 /* our socks code is not fully IPv6 enabled yet (TCP works, UDP not)
3150 * so fall back to IPv4-only (trac #1221)
3152 if (ce
->socks_proxy_server
&& proto_is_udp(ce
->proto
) && ce
->af
!= AF_INET
)
3154 if (ce
->af
== AF_INET6
)
3156 msg(M_INFO
, "WARNING: '--proto udp6' is not compatible with "
3157 "'--socks-proxy' today. Forcing IPv4 mode." );
3161 msg(M_INFO
, "NOTICE: dual-stack mode for '--proto udp' does not "
3162 "work correctly with '--socks-proxy' today. Forcing IPv4." );
/* NOTE(review): the assignment that actually forces AF_INET, announced by
 * the two messages above, is not present in this listing. */
/* Default to tun-mtu mode when neither --tun-mtu nor --link-mtu was given. */
3171 if (!ce
->tun_mtu_defined
&& !ce
->link_mtu_defined
)
3173 ce
->tun_mtu_defined
= true;
/* TAP devices carry an extra Ethernet overhead; apply the default unless set. */
3175 if ((dev
== DEV_TYPE_TAP
) && !ce
->tun_mtu_extra_defined
)
3177 ce
->tun_mtu_extra_defined
= true;
3178 ce
->tun_mtu_extra
= TAP_MTU_EXTRA_DEFAULT
;
3183 * If --mssfix is supplied without a parameter or not specified at all,
3184 * default it to --fragment value, if --fragment is specified and otherwise
3185 * to the default if tun-mtu is 1500
3187 if (o
->ce
.mssfix_default
)
3189 #ifdef ENABLE_FRAGMENT
3192 ce
->mssfix
= ce
->fragment
;
3196 if (ce
->tun_mtu_defined
)
3198 if (o
->ce
.tun_mtu
== TUN_MTU_DEFAULT
)
3200 /* We want to only set mssfix default value if we use a default
3201 * MTU Size, otherwise the different size of tun should either
3202 * already solve the problem or mssfix might artificially make the
3203 * payload packets smaller without mssfix 0 */
3204 ce
->mssfix
= MSSFIX_DEFAULT
;
3205 ce
->mssfix_encap
= true;
3209 /* We still apply the mssfix value but only adjust it to the
3210 * size of the tun interface. */
3211 ce
->mssfix
= ce
->tun_mtu
;
3212 ce
->mssfix_fixed
= true;
3218 * Set per-connection block tls-auth/crypt/crypto-v2 fields if undefined.
3220 * At the end only one of these will be really set because the parser
3221 * logic prevents configurations where more are set.
3223 if (!ce
->tls_auth_file
&& !ce
->tls_crypt_file
&& !ce
->tls_crypt_v2_file
)
3225 ce
->tls_auth_file
= o
->tls_auth_file
;
3226 ce
->tls_auth_file_inline
= o
->tls_auth_file_inline
;
3227 ce
->key_direction
= o
->key_direction
;
3229 ce
->tls_crypt_file
= o
->tls_crypt_file
;
3230 ce
->tls_crypt_file_inline
= o
->tls_crypt_file_inline
;
3232 ce
->tls_crypt_v2_file
= o
->tls_crypt_v2_file
;
3233 ce
->tls_crypt_v2_file_inline
= o
->tls_crypt_v2_file_inline
;
3236 /* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and
3237 * keys were not already embedded in the config file.
/* NOTE(review): the --persist-key condition mentioned above is not visible
 * here; presumably it is checked inside connection_entry_preload_key() -
 * confirm. The key material is read into o->gc. */
3241 connection_entry_preload_key(&ce
->tls_auth_file
,
3242 &ce
->tls_auth_file_inline
, &o
->gc
);
3243 connection_entry_preload_key(&ce
->tls_crypt_file
,
3244 &ce
->tls_crypt_file_inline
, &o
->gc
);
3245 connection_entry_preload_key(&ce
->tls_crypt_v2_file
,
3246 &ce
->tls_crypt_v2_file_inline
, &o
->gc
);
/* Exit notification is a UDP-only mechanism. */
3249 if (!proto_is_udp(ce
->proto
) && ce
->explicit_exit_notification
)
3251 msg(M_WARN
, "NOTICE: --explicit-exit-notify ignored for --proto tcp");
3252 ce
->explicit_exit_notification
= 0;
3257 /* If iservice is in use, we need def1 method for redirect-gateway */
/*
 * When routes are installed through the interactive service
 * (ROUTE_METHOD_SERVICE) and --redirect-gateway reroutes the default
 * gateway (RG_REROUTE_GW) without the def1 flag, add RG_DEF1 and say so
 * at M_INFO.
 * NOTE(review): the opening line(s) of the if-condition - including any
 * NULL check on opt->routes that must precede the ->flags dereferences -
 * are not present in this listing.
 */
3259 remap_redirect_gateway_flags(struct options
*opt
)
3262 && opt
->route_method
== ROUTE_METHOD_SERVICE
3263 && opt
->routes
->flags
& RG_REROUTE_GW
3264 && !(opt
->routes
->flags
& RG_DEF1
))
3266 msg(M_INFO
, "Flag 'def1' added to --redirect-gateway (iservice is in use)");
3267 opt
->routes
->flags
|= RG_DEF1
;
3273 * Save/Restore certain option defaults before --pull is applied.
/*
 * Snapshot the option values that a server push (--pull) may overwrite into
 * o->pre_connect (allocated from o->gc), so that pre_connect_restore() can
 * reset them before a reconnect.  List/struct-valued options (routes,
 * routes_ipv6, client_nat, dns_options) are deep-copied with the clone_*
 * helpers into o->gc; scalar options are copied by value.
 * NOTE(review): any NULL guards around the clone_* calls are not visible in
 * this listing.
 */
3277 pre_connect_save(struct options
*o
)
3279 ALLOC_OBJ_CLEAR_GC(o
->pre_connect
, struct options_pre_connect
, &o
->gc
);
3280 o
->pre_connect
->tuntap_options
= o
->tuntap_options
;
3281 o
->pre_connect
->tuntap_options_defined
= true;
3282 o
->pre_connect
->foreign_option_index
= o
->foreign_option_index
;
/* Route lists are cloned so that pushed routes can be discarded later. */
3286 o
->pre_connect
->routes
= clone_route_option_list(o
->routes
, &o
->gc
);
3287 o
->pre_connect
->routes_defined
= true;
3291 o
->pre_connect
->routes_ipv6
= clone_route_ipv6_option_list(o
->routes_ipv6
, &o
->gc
);
3292 o
->pre_connect
->routes_ipv6_defined
= true;
3296 o
->pre_connect
->client_nat
= clone_client_nat_option_list(o
->client_nat
, &o
->gc
);
3297 o
->pre_connect
->client_nat_defined
= true;
3300 o
->pre_connect
->route_default_gateway
= o
->route_default_gateway
;
3301 o
->pre_connect
->route_ipv6_default_gateway
= o
->route_ipv6_default_gateway
;
3303 o
->pre_connect
->dns_options
= clone_dns_options(o
->dns_options
, &o
->gc
);
3305 /* NCP related options that can be overwritten by a push */
3306 o
->pre_connect
->ciphername
= o
->ciphername
;
3307 o
->pre_connect
->authname
= o
->authname
;
3309 /* Ping related options should be reset to the config values on reconnect */
3310 o
->pre_connect
->ping_rec_timeout
= o
->ping_rec_timeout
;
3311 o
->pre_connect
->ping_rec_timeout_action
= o
->ping_rec_timeout_action
;
3312 o
->pre_connect
->ping_send_timeout
= o
->ping_send_timeout
;
3314 /* Miscellaneous Options */
3316 o
->pre_connect
->comp
= o
->comp
;
/*
 * Reverse of pre_connect_save(): put the snapshot pp = o->pre_connect back
 * into `o`.  tuntap_options is cleared and then restored; the route and
 * client-nat lists are copied back into (re)allocated lists when a snapshot
 * exists, otherwise reset to NULL; the pushed DNS options are freed and
 * re-cloned into a fresh arena; the push bookkeeping fields are zeroed.
 * `gc` is the arena used for the copied route lists.
 * Note: several `else` lines and closing braces are missing from this
 * listing.
 */
3321 pre_connect_restore(struct options
*o
, struct gc_arena
*gc
)
3323 const struct options_pre_connect
*pp
= o
->pre_connect
;
3326 CLEAR(o
->tuntap_options
);
3327 if (pp
->tuntap_options_defined
)
3329 o
->tuntap_options
= pp
->tuntap_options
;
3332 if (pp
->routes_defined
)
3335 copy_route_option_list(o
->routes
, pp
->routes
, gc
);
3342 if (pp
->routes_ipv6_defined
)
3344 rol6_check_alloc(o
);
3345 copy_route_ipv6_option_list(o
->routes_ipv6
, pp
->routes_ipv6
, gc
);
3349 o
->routes_ipv6
= NULL
;
3352 o
->route_default_gateway
= pp
->route_default_gateway
;
3353 o
->route_ipv6_default_gateway
= pp
->route_ipv6_default_gateway
;
3355 /* Free DNS options and reset them to pre-pull state */
/* dns_options owns its own arena: release the one holding the pushed values,
 * then clone the saved copy into a brand-new arena that dns_options keeps. */
3356 gc_free(&o
->dns_options
.gc
);
3357 struct gc_arena dns_gc
= gc_new();
3358 o
->dns_options
= clone_dns_options(pp
->dns_options
, &dns_gc
);
3359 o
->dns_options
.gc
= dns_gc
;
3361 if (pp
->client_nat_defined
)
3363 cnol_check_alloc(o
);
3364 copy_client_nat_option_list(o
->client_nat
, pp
->client_nat
);
3368 o
->client_nat
= NULL
;
3371 o
->foreign_option_index
= pp
->foreign_option_index
;
3373 o
->ciphername
= pp
->ciphername
;
3374 o
->authname
= pp
->authname
;
3376 o
->ping_rec_timeout
= pp
->ping_rec_timeout
;
3377 o
->ping_rec_timeout_action
= pp
->ping_rec_timeout_action
;
3378 o
->ping_send_timeout
= pp
->ping_send_timeout
;
3380 /* Miscellaneous Options */
/* Reset the state accumulated from the previous push so the next one
 * starts clean. */
3386 o
->push_continuation
= 0;
3387 o
->push_option_types_found
= 0;
3388 o
->imported_protocol_flags
= 0;
/*
 * Option adjustments that do not depend on a particular connection entry.
 * The Windows part (its opening `#ifdef _WIN32` is not present in this
 * listing, only the `#endif` at 3442) handles: wintun/ovpn-dco cannot use
 * DHCP-based IP configuration, so switch to netsh; a default --route-delay
 * for DHCP-configured point-to-point setups; --ifconfig-noexec mapped to
 * manual IP setup; redirect-gateway flag remapping; and --tap-sleep for
 * --mode server.  Finally, if a default PKCS#11 module is compiled in, it
 * is used when PKCS#11 was requested without naming a provider.
 */
3392 options_postprocess_mutate_invariant(struct options
*options
)
3395 const int dev
= dev_type_enum(options
->dev
, options
->dev_type
);
3397 /* when using wintun/ovpn-dco, kernel doesn't send DHCP requests, so don't use it */
3398 if ((options
->windows_driver
== WINDOWS_DRIVER_WINTUN
3399 || options
->windows_driver
== WINDOWS_DRIVER_DCO
)
3400 && (options
->tuntap_options
.ip_win32_type
== IPW32_SET_DHCP_MASQ
3401 || options
->tuntap_options
.ip_win32_type
== IPW32_SET_ADAPTIVE
))
3403 options
->tuntap_options
.ip_win32_type
= IPW32_SET_NETSH
;
3406 if ((dev
== DEV_TYPE_TUN
|| dev
== DEV_TYPE_TAP
) && !options
->route_delay_defined
)
3408 /* delay may only be necessary when we perform DHCP handshake */
3409 const bool dhcp
= (options
->tuntap_options
.ip_win32_type
== IPW32_SET_DHCP_MASQ
)
3410 || (options
->tuntap_options
.ip_win32_type
== IPW32_SET_ADAPTIVE
);
3411 if ((options
->mode
== MODE_POINT_TO_POINT
) && dhcp
)
3413 options
->route_delay_defined
= true;
3414 options
->route_delay
= 5; /* Vista sometimes has a race without this */
/* --ifconfig-noexec: keep the addresses but let the user configure the
 * adapter, i.e. manual IP setup. */
3418 if (options
->ifconfig_noexec
)
3420 options
->tuntap_options
.ip_win32_type
= IPW32_SET_MANUAL
;
3421 options
->ifconfig_noexec
= false;
3424 remap_redirect_gateway_flags(options
);
3427 * Check consistency of --mode server options.
3429 if (options
->mode
== MODE_SERVER
)
3432 * We need to explicitly set --tap-sleep because
3433 * we do not schedule event timers in the top-level context.
3435 options
->tuntap_options
.tap_sleep
= 10;
/* A configured --route-delay replaces the 10 s default and is then
 * consumed here rather than applied as a route delay. */
3436 if (options
->route_delay_defined
&& options
->route_delay
)
3438 options
->tuntap_options
.tap_sleep
= options
->route_delay
;
3440 options
->route_delay_defined
= false;
3442 #endif /* ifdef _WIN32 */
3444 #ifdef DEFAULT_PKCS11_MODULE
3445 /* If p11-kit is present on the system then load its p11-kit-proxy.so
3446 * by default if the user asks for PKCS#11 without otherwise specifying
3447 * the module to use. */
3448 if (!options
->pkcs11_providers
[0]
3449 && (options
->pkcs11_id
|| options
->pkcs11_id_management
))
3451 options
->pkcs11_providers
[0] = DEFAULT_PKCS11_MODULE
;
/*
 * Consistency checks that do not modify `o`: run
 * options_postprocess_verify_ce() for every entry of o->connection_list
 * (or for the single default entry o->ce when no list exists), verify the
 * DNS options with M_FATAL severity, and warn that --client-to-client has
 * no effect with data channel offload.
 * NOTE(review): the declaration of the loop index `i` and the `else`
 * before the single-entry call are not present in this listing.
 */
3457 options_postprocess_verify(const struct options
*o
)
3459 if (o
->connection_list
)
3462 for (i
= 0; i
< o
->connection_list
->len
; ++i
)
3464 options_postprocess_verify_ce(o
, o
->connection_list
->array
[i
]);
3469 options_postprocess_verify_ce(o
, &o
->ce
);
/* Invalid DNS options are fatal at startup (M_FATAL). */
3472 dns_options_verify(M_FATAL
, &o
->dns_options
);
3474 if (dco_enabled(o
) && o
->enable_c2c
)
3476 msg(M_WARN
, "Note: --client-to-client has no effect when using data "
3477 "channel offload: packets are always sent to the VPN "
3478 "interface and then routed based on the system routing table");
3483 * Checks for availability of Chacha20-Poly1305 and sets
3484 * the ncp_cipher to either AES-256-GCM:AES-128-GCM or
3485 * AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305.
/*
 * Choose the default --data-ciphers list when the user did not supply one:
 * CHACHA20-POLY1305 is appended only if the crypto library reports it
 * (cipher_valid) and, when DCO is enabled, the DCO driver supports it too
 * (dco_get_supported_ciphers).
 * NOTE(review): the early return for a user-supplied list (see the comment
 * at 3492) and the if/else around the two assignments are not present in
 * this listing.
 */
3488 options_postprocess_setdefault_ncpciphers(struct options
*o
)
3492 /* custom --data-ciphers set, keep list */
3496 /* check if crypto library supports chacha */
3497 bool can_do_chacha
= cipher_valid("CHACHA20-POLY1305");
3499 if (can_do_chacha
&& dco_enabled(o
))
3501 /* also make sure that dco supports chacha */
3502 can_do_chacha
= tls_item_in_cipher_list("CHACHA20-POLY1305", dco_get_supported_ciphers());
/* Both defaults are AEAD-only; the longer list is used when chacha is
 * available everywhere it will be used. */
3507 o
->ncp_ciphers
= "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305";
3511 o
->ncp_ciphers
= "AES-256-GCM:AES-128-GCM";
/*
 * Fix up the --cipher default.
 *  - Point-to-point mode without --pull: an unset --cipher falls back to
 *    BF-CBC (deprecated; the warning is emitted at cipher initialisation)
 *    and enable_ncp_fallback is switched on.
 *  - --pull or --mode server: ciphername is still set to BF-CBC because
 *    other code asserts that it is set, but the user is told at M_INFO that
 *    the pre-2.5 BF-CBC fallback is no longer automatic.
 *  - A --cipher that is set but missing from --data-ciphers is reported as
 *    deprecated (M_WARN) unless ncp fallback is enabled.
 * NOTE(review): the `if (!o->ciphername)` tests, the `else` lines and the
 * tail of the M_WARN message are not present in this listing.
 */
3516 options_postprocess_cipher(struct options
*o
)
3518 if (!o
->pull
&& !(o
->mode
== MODE_SERVER
))
3520 /* If the cipher is not set, use the old default of BF-CBC. We will
3521 * warn that this is deprecated on cipher initialisation, no need
3522 * to warn here as well */
3525 o
->ciphername
= "BF-CBC";
3529 o
->enable_ncp_fallback
= true;
3534 /* pull or P2MP mode */
3537 /* We still need to set the ciphername to BF-CBC since various other
3538 * parts of OpenVPN assert that the ciphername is set */
3539 o
->ciphername
= "BF-CBC";
3541 msg(M_INFO
, "Note: --cipher is not set. OpenVPN versions before 2.5 "
3542 "defaulted to BF-CBC as fallback when cipher negotiation "
3543 "failed in this case. If you need this fallback please add "
3544 "'--data-ciphers-fallback BF-CBC' to your configuration "
3545 "and/or add BF-CBC to --data-ciphers.");
3547 else if (!o
->enable_ncp_fallback
3548 && !tls_item_in_cipher_list(o
->ciphername
, o
->ncp_ciphers
))
3550 msg(M_WARN
, "DEPRECATED OPTION: --cipher set to '%s' but missing in "
3551 "--data-ciphers (%s). OpenVPN ignores --cipher for cipher "
3553 o
->ciphername
, o
->ncp_ciphers
);
3558 * The option --compat-mode is used to set up default settings to values
3559 * used on the specified openvpn version and earlier.
3561 * This function is used in various "default option" paths to test if the
3562 * user requested compatibility with a version before the one specified
3563 * as argument. This way some default settings can be automatically
3564 * altered to guarantee compatibility with the version specified by the
3565 * user via --compat-mode.
3567 * @param version need compatibility with openvpn versions before the
3568 * one specified (20401 = before 2.4.1)
3569 * @return whether compatibility should be enabled
/* See the description above.  backwards_compatible == 0 means no
 * --compat-mode was given, so compatibility is never requested. */
3572 need_compatibility_before(const struct options
*o
, unsigned int version
)
3574 return o
->backwards_compatible
!= 0 && o
->backwards_compatible
< version
;
3578 * Changes default values so that OpenVPN can be compatible with the user
/*
 * Apply the defaults that --compat-mode implies (see
 * need_compatibility_before()):
 *  - TLS minimum version, only when none was configured: compat with
 *    2.3.6 and earlier pins TLS 1.0; otherwise TLS 1.2 is the floor, unless
 *    a configured maximum is lower, in which case the minimum is raised to
 *    that maximum;
 *  - compat before 2.4.0: default --cipher to BF-CBC and enable the NCP
 *    fallback (those peers have no cipher negotiation);
 *  - compat before 2.5.0: append --cipher to --data-ciphers if missing;
 *  - from 2.6.0 on, with no compression option set, only advertise and
 *    allow compression stubs.
 * Note: some closing braces, an `else` and the `if (!o->ciphername)` line
 * are missing from this listing.
 */
3582 options_set_backwards_compatible_options(struct options
*o
)
3584 /* TLS min version is not set */
3585 int tls_ver_min
= (o
->ssl_flags
>> SSLF_TLS_VERSION_MIN_SHIFT
)
3586 & SSLF_TLS_VERSION_MIN_MASK
;
/* Only derive a minimum when the user did not configure one (tls_ver_min == 0). */
3587 if (tls_ver_min
== 0)
3589 int tls_ver_max
= (o
->ssl_flags
>> SSLF_TLS_VERSION_MAX_SHIFT
)
3590 & SSLF_TLS_VERSION_MAX_MASK
;
3591 if (need_compatibility_before(o
, 20307))
3593 /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */
3594 o
->ssl_flags
|= (TLS_VER_1_0
<< SSLF_TLS_VERSION_MIN_SHIFT
);
3596 else if (tls_ver_max
== 0 || tls_ver_max
>= TLS_VER_1_2
)
3598 /* Use TLS 1.2 as proper default */
3599 o
->ssl_flags
|= (TLS_VER_1_2
<< SSLF_TLS_VERSION_MIN_SHIFT
);
3603 /* Maximize the minimum version */
3604 o
->ssl_flags
|= (tls_ver_max
<< SSLF_TLS_VERSION_MIN_SHIFT
);
/* Pre-2.4.0 peers have no cipher negotiation (NCP). */
3608 if (need_compatibility_before(o
, 20400))
3612 /* If ciphername is not set default to BF-CBC when targeting these
3613 * old versions that do not have NCP */
3614 o
->ciphername
= "BF-CBC";
3616 /* Versions < 2.4.0 additionally might be compiled with --enable-small and
3617 * not have OCC strings required for "poor man's NCP" */
3618 o
->enable_ncp_fallback
= true;
3621 /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers.
3622 * Version 2.4 probably does not need it but NCP was not so
3623 * good with 2.4 and ncp-disable might be more common on 2.4 peers.
3624 * Only do this iff --cipher is set (explicitly or by compat mode
3625 * < 2.4.0, see above). This is not 100% correct backwards compatible
3626 * behaviour but 2.5 already behaved like this */
3627 if (o
->ciphername
&& need_compatibility_before(o
, 20500)
3628 && !tls_item_in_cipher_list(o
->ciphername
, o
->ncp_ciphers
))
3630 append_cipher_to_ncp_list(o
, o
->ciphername
);
3634 /* Compression is deprecated and we do not want to announce support for it
3635 * by default anymore, additionally DCO breaks with compression.
3637 * Disable compression by default starting with 2.6.0 if no other
3638 * compression related option has been explicitly set */
3639 if (!comp_non_stub_enabled(&o
->comp
) && !need_compatibility_before(o
, 20600)
3640 && (o
->comp
.flags
== 0))
3642 o
->comp
.flags
= COMP_F_ALLOW_STUB_ONLY
|COMP_F_ADVERTISE_STUBS_ONLY
;
/*
 * Top-level mutation pass, run once after option parsing (see
 * options_postprocess()).  In order: expand helper options
 * (--client/--server, --keepalive, --tcp-nodelay); set the default
 * --data-ciphers, compat-mode defaults and --cipher; normalise the
 * --data-ciphers list (M_USAGE on failure); build o->connection_list from
 * the --remote entries, or a single default entry; post-process every
 * entry; check --dh; apply --http-proxy-override; enable fingerprint-only
 * peer verification when no CA is configured; reject 'config stdin'
 * together with 'remap-usr1 SIGHUP'; decide whether DCO may be used and
 * pick the Windows driver; run the invariant pass; prepare DNS options;
 * derive the auth-token renewal interval; and save the pre-connect state.
 * `es` is the environment set that receives the foreign DNS options.
 * NOTE(review): several control-flow lines (if/else, `#ifdef _WIN32`,
 * the loop index declaration, the copies into *ace, closing braces) are
 * not present in this listing.
 */
3648 options_postprocess_mutate(struct options
*o
, struct env_set
*es
)
3652 * Process helper-type options which map to other, more complex
3653 * sequences of options.
3655 helper_client_server(o
);
3656 helper_keepalive(o
);
3657 helper_tcp_nodelay(o
);
/* Order matters: compat-mode defaults may adjust the cipher list that
 * options_postprocess_cipher() and mutate_ncp_cipher_list() then check. */
3659 options_postprocess_setdefault_ncpciphers(o
);
3660 options_set_backwards_compatible_options(o
);
3662 options_postprocess_cipher(o
);
3663 o
->ncp_ciphers
= mutate_ncp_cipher_list(o
->ncp_ciphers
, &o
->gc
);
3664 if (o
->ncp_ciphers
== NULL
)
3666 msg(M_USAGE
, "--data-ciphers list contains unsupported ciphers or is too long.");
/* Materialise the connection list: one entry per --remote, each a copy of
 * the default entry o->ce with the remote's values loaded; or a single
 * default entry when no --remote was given. */
3669 if (o
->remote_list
&& !o
->connection_list
)
3672 * Convert remotes into connection list
3674 const struct remote_list
*rl
= o
->remote_list
;
3675 for (i
= 0; i
< rl
->len
; ++i
)
3677 const struct remote_entry
*re
= rl
->array
[i
];
3678 struct connection_entry ce
= o
->ce
;
3679 struct connection_entry
*ace
;
3682 connection_entry_load_re(&ce
, re
);
3683 ace
= alloc_connection_entry(o
, M_USAGE
);
3688 else if (!o
->remote_list
&& !o
->connection_list
)
3690 struct connection_entry
*ace
;
3691 ace
= alloc_connection_entry(o
, M_USAGE
);
3696 ASSERT(o
->connection_list
);
3697 for (i
= 0; i
< o
->connection_list
->len
; ++i
)
3699 options_postprocess_mutate_ce(o
, o
->connection_list
->array
[i
]);
/* --dh: required (or explicitly "none") on a TLS server, ignored with a
 * warning on a TLS client.  The tls_server / tls_client tests that
 * presumably guard these lines are not present in this listing. */
3704 /* Check that DH file is specified, or explicitly disabled */
3705 notnull(o
->dh_file
, "DH file (--dh)");
3706 if (streq(o
->dh_file
, "none"))
3711 else if (o
->dh_file
)
3713 /* DH file is only meaningful in a tls-server context. */
3714 msg(M_WARN
, "WARNING: Ignoring option 'dh' in tls-client mode, please only "
3715 "include this in your server configuration");
3718 #if ENABLE_MANAGEMENT
3719 if (o
->http_proxy_override
)
3721 options_postprocess_http_proxy_override(o
);
/* No --ca / --capath at all but a peer fingerprint list with depth 0:
 * the peer certificate is verified purely by its fingerprint, so the CA
 * file checks are skipped later (verify_hash_no_ca). */
3724 if (!o
->ca_file
&& !o
->ca_path
&& o
->verify_hash
3725 && o
->verify_hash_depth
== 0)
3727 msg(M_INFO
, "Using certificate fingerprint to verify peer (no CA "
3729 o
->verify_hash_no_ca
= true;
3732 if (o
->config
&& streq(o
->config
, "stdin") && o
->remap_sigusr1
== SIGHUP
)
3734 msg(M_USAGE
, "Options 'config stdin' and 'remap-usr1 SIGHUP' are "
3735 "incompatible with each other.");
/* DCO is only used when no option rules it out.  The platform #ifdefs
 * around the Windows driver selection below are not in this listing. */
3740 /* check if any option should force disabling DCO */
3741 o
->tuntap_options
.disable_dco
= !dco_check_option(D_DCO
, o
)
3742 || !dco_check_startup_option(D_DCO
, o
);
3748 o
->windows_driver
= WINDOWS_DRIVER_DCO
;
3752 if (o
->windows_driver
== WINDOWS_DRIVER_DCO
)
3754 msg(M_WARN
, "Option --windows-driver ovpn-dco is ignored because Data Channel Offload is disabled");
3755 o
->windows_driver
= WINDOWS_DRIVER_TAP_WINDOWS6
;
3757 else if (o
->windows_driver
== WINDOWS_DRIVER_UNSPECIFIED
)
3759 o
->windows_driver
= WINDOWS_DRIVER_TAP_WINDOWS6
;
3764 if (dco_enabled(o
) && o
->dev_node
)
3766 msg(M_WARN
, "Note: ignoring --dev-node as it has no effect when using "
3767 "data channel offload");
3771 /* this depends on o->windows_driver, which is set above */
3772 options_postprocess_mutate_invariant(o
);
3775 * Save certain parms before modifying options during connect, especially
3780 dns_options_preprocess_pull(&o
->dns_options
);
3784 #if defined(_WIN32) || defined(TARGET_ANDROID)
3785 tuntap_options_copy_dns(o
);
3787 foreign_options_copy_dns(o
, es
);
/* With --auth-token-generate, renew the token at the renegotiation interval
 * unless a renewal interval was configured explicitly. */
3790 if (o
->auth_token_generate
&& !o
->auth_token_renewal
)
3792 o
->auth_token_renewal
= o
->renegotiate_seconds
;
3794 pre_connect_save(o
);
3798 * Check file/directory sanity
3801 #ifndef ENABLE_SMALL /** Expect people using the stripped-down version to know what they do */
/* Bit flags for the `type` argument of check_file_access() and its
 * wrappers; they may be OR-ed together. */
3803 #define CHKACC_FILE (1<<0) /** Check for a file/directory presence */
3804 #define CHKACC_DIRPATH (1<<1) /** Check for directory presence where a file should reside */
3805 #define CHKACC_FILEXSTWR (1<<2) /** If file exists, is it writable? */
3806 #define CHKACC_ACPTSTDIN (1<<3) /** If filename is stdin, it's allowed and "exists" */
3807 #define CHKACC_PRIVATE (1<<4) /** Warn if this (private) file is group/others accessible */
/*
 * Check that the path `file` (configured by option `opt`, used in the error
 * message) is usable for the accesses in `mode` (R_OK/W_OK/X_OK bits),
 * according to the CHKACC_* bits in `type`.
 * Returns true when an error was found (reported via M_OPTERR), false
 * otherwise.  A NULL file and, with CHKACC_ACPTSTDIN, the name "stdin"
 * are accepted without any check.
 * NOTE(review): the declaration of errcode and the lines that set it, the
 * early returns, the free() of fullpath and the `if (errcode)` guarding
 * the final message are not present in this listing.
 */
3810 check_file_access(const int type
, const char *file
, const int mode
, const char *opt
)
3814 /* If no file configured, no errors to look for */
3820 /* If stdin is allowed and the file name is 'stdin', then do no
3821 * further checks as stdin is always available
3823 if ( (type
& CHKACC_ACPTSTDIN
) && streq(file
, "stdin") )
3828 /* Is the directory path leading to the given file accessible? */
3829 if (type
& CHKACC_DIRPATH
)
/* NOTE(review): fullpath is allocated with a NULL gc arena (presumably
 * heap-owned); the matching free() is not visible in this listing -
 * confirm it is released on every path. */
3831 char *fullpath
= string_alloc(file
, NULL
); /* POSIX dirname() implementation may modify its arguments */
3832 char *dirpath
= dirname(fullpath
);
/* The directory must be searchable (X_OK) in addition to the requested mode. */
3834 if (platform_access(dirpath
, mode
|X_OK
) != 0)
3841 /* Is the file itself accessible? */
3842 if (!errcode
&& (type
& CHKACC_FILE
) && (platform_access(file
, mode
) != 0) )
3847 /* If the file exists and is accessible, is it writable? */
3848 if (!errcode
&& (type
& CHKACC_FILEXSTWR
) && (platform_access(file
, F_OK
) == 0) )
3850 if (platform_access(file
, W_OK
) != 0)
3856 /* Warn if a given private file is group/others accessible. */
/* These are key material and password files.  Both a failed stat and loose
 * permissions only produce M_WARN here; as listed they do not set errcode,
 * so the option is still accepted (confirm against the full source). */
3857 if (type
& CHKACC_PRIVATE
)
3860 if (platform_stat(file
, &st
))
3862 msg(M_WARN
| M_ERRNO
, "WARNING: cannot stat file '%s'", file
);
3867 if (st
.st_mode
& (S_IRWXG
|S_IRWXO
))
3869 msg(M_WARN
, "WARNING: file '%s' is group or others accessible", file
);
3875 /* Scream if an error is found */
3878 msg(M_NOPREFIX
| M_OPTERR
| M_ERRNO
, "%s fails with '%s'", opt
, file
);
3881 /* Return true if an error occurred */
3882 return (errcode
!= 0 ? true : false);
3885 /* A wrapper for check_file_access() which also takes a chroot directory.
3886 * If chroot is NULL, behaviour is exactly the same as calling check_file_access() directly,
3887 * otherwise it will look for the file inside the given chroot directory instead.
/*
 * check_file_access() relative to a chroot directory: when `chroot` is set
 * the path is prefixed with it (prepend_dir into a local arena) before the
 * check, otherwise the core function is called directly.  Same return
 * convention as check_file_access().
 * NOTE(review): the declaration of ret, the NULL-file early return, the
 * `if (chroot)` / `else` lines, gc_free(&gc) and the final return are not
 * present in this listing.
 */
3890 check_file_access_chroot(const char *chroot
, const int type
, const char *file
, const int mode
, const char *opt
)
3894 /* If no file configured, no errors to look for */
3900 /* If chroot is set, look for the file/directory inside the chroot */
3903 struct gc_arena gc
= gc_new();
3904 struct buffer chroot_file
;
3906 chroot_file
= prepend_dir(chroot
, file
, &gc
);
3907 ret
= check_file_access(type
, BSTR(&chroot_file
), mode
, opt
);
3912 /* No chroot in play, just call core file check function */
3913 ret
= check_file_access(type
, file
, mode
, opt
);
3919 * A wrapper for check_file_access_chroot() that returns false immediately if
3920 * the file is inline (and therefore there is no access to check)
/* See the description above: inline key material has no file to check.
 * NOTE(review): the `if (is_inline) return false;` is not present in this
 * listing. */
3923 check_file_access_chroot_inline(bool is_inline
, const char *chroot
,
3924 const int type
, const char *file
,
3925 const int mode
, const char *opt
)
3932 return check_file_access_chroot(chroot
, type
, file
, mode
, opt
);
3936 * A wrapper for check_file_access() that returns false immediately if the file
3937 * is inline (and therefore there is no access to check)
/* See the description above: inline key material has no file to check.
 * NOTE(review): the `if (is_inline) return false;` is not present in this
 * listing. */
3940 check_file_access_inline(bool is_inline
, const int type
, const char *file
,
3941 const int mode
, const char *opt
)
3948 return check_file_access(type
, file
, mode
, opt
);
3952 * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
3953 * valid file with appropriate permissions.
3955 * "command" consists of a path, optionally followed by a space, which may be
3956 * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
3959 * The path and arguments in "command" may be single- or double-quoted or escaped.
3961 * The path is extracted from "command", then check_file_access() is called to check it. The
3962 * arguments, if any, are ignored.
3964 * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
3965 * check_file_access() arguments.
/*
 * Validate the executable part of a script option (see the description
 * above): argv_parse_cmd() splits `command` into argv, and argv[0] is
 * checked for X_OK (inside `chroot` when set) via
 * check_file_access_chroot(); a command without a path yields the
 * "No path to executable" error.  Only X_OK is required, not R_OK, so that
 * non-readable setuid binaries still pass.
 * NOTE(review): the argv declaration and its release, the NULL-command
 * early return, the if/else around the check, the remaining arguments of
 * the msg() call and the return are not present in this listing.
 */
3968 check_cmd_access(const char *command
, const char *opt
, const char *chroot
)
3973 /* If no command was set, there are no errors to look for */
3979 /* Extract executable path and arguments */
3981 argv_parse_cmd(&argv
, command
);
3983 /* if an executable is specified then check it; otherwise, complain */
3986 /* Scripts requires R_OK as well, but that might fail on binaries which
3987 * only requires X_OK to function on Unix - a scenario not unlikely to
3988 * be seen on suid binaries.
3990 return_code
= check_file_access_chroot(chroot
, CHKACC_FILE
, argv
.argv
[0], X_OK
, opt
);
3994 msg(M_NOPREFIX
|M_OPTERR
, "%s fails with '%s': No path to executable.",
4005 * Sanity check of all file/dir options. Checks that file/dir
4006 * is accessible by OpenVPN
/*
 * Access checks for every file/directory option, grouped as crypto files,
 * per-connection key files, password files, system, log and config
 * paths.  Each check ORs its result into `errs`; if anything failed the
 * run is aborted with M_USAGE.  Key material and password files carry
 * CHKACC_PRIVATE so that group/other-readable files are warned about;
 * paths that OpenVPN opens after chrooting use the *_chroot variants;
 * inline material is skipped via the *_inline variants.
 * NOTE(review): the declaration of errs, the `else` before the inline CRL
 * check, the option names closing some of the calls and the `if (errs)`
 * guarding the final M_USAGE are not present in this listing.
 */
4009 options_postprocess_filechecks(struct options
*options
)
4013 /* ** SSL/TLS/crypto related files ** */
4014 errs
|= check_file_access_inline(options
->dh_file_inline
, CHKACC_FILE
,
4015 options
->dh_file
, R_OK
, "--dh");
/* With fingerprint-only verification there is no --ca to check. */
4017 if (!options
->verify_hash_no_ca
)
4019 errs
|= check_file_access_inline(options
->ca_file_inline
, CHKACC_FILE
,
4020 options
->ca_file
, R_OK
, "--ca");
4023 errs
|= check_file_access_chroot(options
->chroot_dir
, CHKACC_FILE
,
4024 options
->ca_path
, R_OK
, "--capath");
4026 errs
|= check_file_access_inline(options
->cert_file_inline
, CHKACC_FILE
,
4027 options
->cert_file
, R_OK
, "--cert");
/* NOTE(review): unlike the sibling calls, the is_inline argument here is
 * options->extra_certs_file itself rather than an *_inline flag.  If the
 * source really reads this way, any configured --extra-certs path would
 * count as inline and skip the access check - confirm against the
 * repository. */
4029 errs
|= check_file_access_inline(options
->extra_certs_file
, CHKACC_FILE
,
4030 options
->extra_certs_file
, R_OK
,
/* With an external (management) key there is no --key file to check. */
4033 if (!(options
->management_flags
& MF_EXTERNAL_KEY
))
4035 errs
|= check_file_access_inline(options
->priv_key_file_inline
,
4036 CHKACC_FILE
|CHKACC_PRIVATE
,
4037 options
->priv_key_file
, R_OK
, "--key");
4040 errs
|= check_file_access_inline(options
->pkcs12_file_inline
,
4041 CHKACC_FILE
|CHKACC_PRIVATE
,
4042 options
->pkcs12_file
, R_OK
, "--pkcs12");
/* --crl-verify: a directory needs R|X, a file needs R, inline CRL needs
 * nothing. */
4044 if (options
->ssl_flags
& SSLF_CRL_VERIFY_DIR
)
4046 errs
|= check_file_access_chroot(options
->chroot_dir
, CHKACC_FILE
,
4047 options
->crl_file
, R_OK
|X_OK
,
4048 "--crl-verify directory");
4052 errs
|= check_file_access_chroot_inline(options
->crl_file_inline
,
4053 options
->chroot_dir
,
4054 CHKACC_FILE
, options
->crl_file
,
4055 R_OK
, "--crl-verify");
/* Per-connection control channel keys (tls-auth / tls-crypt / tls-crypt-v2). */
4058 ASSERT(options
->connection_list
);
4059 for (int i
= 0; i
< options
->connection_list
->len
; ++i
)
4061 struct connection_entry
*ce
= options
->connection_list
->array
[i
];
4063 errs
|= check_file_access_inline(ce
->tls_auth_file_inline
,
4064 CHKACC_FILE
|CHKACC_PRIVATE
,
4065 ce
->tls_auth_file
, R_OK
,
4067 errs
|= check_file_access_inline(ce
->tls_crypt_file_inline
,
4068 CHKACC_FILE
|CHKACC_PRIVATE
,
4069 ce
->tls_crypt_file
, R_OK
,
4071 errs
|= check_file_access_inline(ce
->tls_crypt_v2_file_inline
,
4072 CHKACC_FILE
|CHKACC_PRIVATE
,
4073 ce
->tls_crypt_v2_file
, R_OK
,
4077 errs
|= check_file_access_inline(options
->shared_secret_file_inline
,
4078 CHKACC_FILE
|CHKACC_PRIVATE
,
4079 options
->shared_secret_file
, R_OK
,
/* The replay-persist file may not exist yet: only its directory and, if
 * present, its writability are checked. */
4082 errs
|= check_file_access(CHKACC_DIRPATH
|CHKACC_FILEXSTWR
,
4083 options
->packet_id_file
, R_OK
|W_OK
, "--replay-persist");
4085 /* ** Password files ** */
4086 errs
|= check_file_access(CHKACC_FILE
|CHKACC_ACPTSTDIN
|CHKACC_PRIVATE
,
4087 options
->key_pass_file
, R_OK
, "--askpass");
4088 #ifdef ENABLE_MANAGEMENT
4089 errs
|= check_file_access(CHKACC_FILE
|CHKACC_ACPTSTDIN
|CHKACC_PRIVATE
,
4090 options
->management_user_pass
, R_OK
,
4091 "--management user/password file");
4092 #endif /* ENABLE_MANAGEMENT */
4093 errs
|= check_file_access_inline(options
->auth_user_pass_file_inline
,
4094 CHKACC_FILE
|CHKACC_ACPTSTDIN
|CHKACC_PRIVATE
,
4095 options
->auth_user_pass_file
, R_OK
,
4096 "--auth-user-pass");
4097 /* ** System related ** */
/* The chroot directory itself is checked from outside the chroot. */
4098 errs
|= check_file_access(CHKACC_FILE
, options
->chroot_dir
,
4099 R_OK
|X_OK
, "--chroot directory");
4100 errs
|= check_file_access(CHKACC_DIRPATH
|CHKACC_FILEXSTWR
, options
->writepid
,
4101 R_OK
|W_OK
, "--writepid");
4103 /* ** Log related ** */
4104 errs
|= check_file_access(CHKACC_DIRPATH
|CHKACC_FILEXSTWR
, options
->status_file
,
4105 R_OK
|W_OK
, "--status");
4107 /* ** Config related ** */
/* Directories OpenVPN writes into after chrooting need R|W|X; read-only
 * ones need R|X. */
4108 errs
|= check_file_access_chroot(options
->chroot_dir
, CHKACC_FILE
, options
->tls_export_cert
,
4109 R_OK
|W_OK
|X_OK
, "--tls-export-cert");
4110 errs
|= check_file_access_chroot(options
->chroot_dir
, CHKACC_FILE
, options
->client_config_dir
,
4111 R_OK
|X_OK
, "--client-config-dir");
4112 errs
|= check_file_access_chroot(options
->chroot_dir
, CHKACC_FILE
, options
->tmp_dir
,
4113 R_OK
|W_OK
|X_OK
, "Temporary directory (--tmp-dir)");
4117 msg(M_USAGE
, "Please correct these errors.");
4120 #endif /* !ENABLE_SMALL */
4123 * Sanity check on options.
4124 * Also set some options based on other
/*
 * Entry point for option post-processing after parsing: first the
 * mutating pass, then the read-only consistency checks, then (unless built
 * with ENABLE_SMALL) the file/directory access checks.  `es` is passed
 * through to the mutating pass.
 */
4128 options_postprocess(struct options
*options
, struct env_set
*es
)
4130 options_postprocess_mutate(options
, es
);
4131 options_postprocess_verify(options
);
4132 #ifndef ENABLE_SMALL
4133 options_postprocess_filechecks(options
);
4134 #endif /* !ENABLE_SMALL */
4138 * Sanity check on options after more options were pulled from server.
4139 * Also time to modify some options based on other options.
/*
 * Post-processing after options were pulled from the server: verify the
 * pushed DNS options (errors reported at D_PUSH_ERRORS), then finalise
 * them, export them to the environment `es` and copy them into the
 * platform-specific tuntap options (Windows/Android) or the foreign
 * options (other platforms).
 * NOTE(review): the `if (success)` guarding the DNS post-processing, the
 * `#else`/`#endif` around the copy calls and the `return success` are not
 * present in this listing.
 */
4142 options_postprocess_pull(struct options
*o
, struct env_set
*es
)
4144 bool success
= dns_options_verify(D_PUSH_ERRORS
, &o
->dns_options
);
4147 dns_options_postprocess_pull(&o
->dns_options
);
4148 setenv_dns_options(&o
->dns_options
, es
);
4149 #if defined(_WIN32) || defined(TARGET_ANDROID)
4150 tuntap_options_copy_dns(o
);
4152 foreign_options_copy_dns(o
, es
);
4159 * Build an options string to represent data channel encryption options.
4160 * This string must match exactly between peers. The keysize is checked
4161 * separately by read_key().
4163 * The following options must match on both peers:
4167 * --dev tun|tap [unit number need not match]
4168 * --dev-type tun|tap
4173 * --proto tcp-client [matched with --proto tcp-server
4174 * on the other end of the connection]
4175 * --proto tcp-server [matched with --proto tcp-client on
4176 * the other end of the connection]
4178 * --ifconfig x y [matched with --ifconfig y x on
4179 * the other end of the connection]
4195 * --tls-client [matched with --tls-server on
4196 * the other end of the connection]
4197 * --tls-server [matched with --tls-client on
4198 * the other end of the connection]
/*
 * Build the options-consistency (OCC) string described above: the format
 * tag "V4" followed by ",name value" fields (dev-type, link-mtu, tun-mtu,
 * proto, optional tun-ipv6 and ifconfig, comp-lzo, mtu-dynamic, keydir,
 * cipher/auth/keysize, secret or no-replay, tls-auth, key-method and the
 * tls-client/tls-server marker).  When built for the peer (`remote`), the
 * direction-dependent fields (proto, keydir, ifconfig, tls-client/server)
 * are emitted from the peer's point of view so that both ends produce the
 * same string for options_cmp_equal().
 * `frame` supplies the MTU values, `ctx` is the network context for the
 * temporary tun instantiation, `gc` the arena for helper strings.
 * NOTE(review): the `remote` and `tt` parameters (gutter 4203/4205), the
 * remaining init_tun() arguments, several if/else lines, the `== 1` of the
 * ASSERT, and the final return of the buffer are not present in this
 * listing.
 */
4201 options_string(const struct options
*o
,
4202 const struct frame
*frame
,
4204 openvpn_net_ctx_t
*ctx
,
4206 struct gc_arena
*gc
)
4208 struct buffer out
= alloc_buf(OPTION_LINE_SIZE
);
4209 bool tt_local
= false;
/* "V4" is the options-string format version; options_cmp_equal() skips
 * the comparison when the version prefixes differ. */
4211 buf_printf(&out
, "V4");
4217 buf_printf(&out
, ",dev-type %s", dev_type_string(o
->dev
, o
->dev_type
));
4218 /* the link-mtu that we send has only a meaning if have a fixed
4219 * cipher (p2p) or have a fallback cipher configured for older non
4220 * ncp clients. But not sending it will make even 2.4 complain
4221 * about it being missing. So still send it. */
4222 buf_printf(&out
, ",link-mtu %u",
4223 (unsigned int) calc_options_string_link_mtu(o
, frame
));
/* An explicit --tun-mtu for OCC purposes (occ_mtu) overrides the frame value. */
4225 if (o
->ce
.occ_mtu
!= 0)
4227 buf_printf(&out
, ",tun-mtu %d", o
->ce
.occ_mtu
);
4231 buf_printf(&out
, ",tun-mtu %d", frame
->tun_mtu
);
4234 buf_printf(&out
, ",proto %s", proto_remote(o
->ce
.proto
, remote
));
4236 bool p2p_nopull
= o
->mode
== MODE_POINT_TO_POINT
&& !PULL_DEFINED(o
);
4237 /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
4238 * is usually pushed by the server, triggering a non-helpful warning
4240 if (o
->ifconfig_ipv6_local
&& p2p_nopull
)
4242 buf_printf(&out
, ",tun-ipv6");
4246 * Try to get ifconfig parameters into the options string.
4247 * If tt is undefined, make a temporary instantiation.
4251 tt
= init_tun(o
->dev
,
4255 o
->ifconfig_remote_netmask
,
4256 o
->ifconfig_ipv6_local
,
4257 o
->ifconfig_ipv6_netbits
,
4258 o
->ifconfig_ipv6_remote
,
/* Like tun-ipv6, ifconfig is only announced in point-to-point mode. */
4271 if (tt
&& p2p_nopull
)
4273 const char *ios
= ifconfig_options_string(tt
, remote
, o
->ifconfig_nowarn
, gc
);
4274 if (ios
&& strlen(ios
))
4276 buf_printf(&out
, ",ifconfig %s", ios
);
4286 if (o
->comp
.alg
!= COMP_ALG_UNDEF
)
4288 buf_printf(&out
, ",comp-lzo"); /* for compatibility, this simply indicates that compression context is active, not necessarily LZO per-se */
4292 #ifdef ENABLE_FRAGMENT
4295 buf_printf(&out
, ",mtu-dynamic");
4299 #define TLS_CLIENT (o->tls_client)
4300 #define TLS_SERVER (o->tls_server)
/* keydir is rendered from the peer's perspective when `remote` is set. */
4306 const char *kd
= keydirection2ascii(o
->key_direction
, remote
, false);
4309 buf_printf(&out
, ",keydir %s", kd
);
4316 if (o
->shared_secret_file
|| TLS_CLIENT
|| TLS_SERVER
)
/* Exactly one of --secret, --tls-client and --tls-server may be in
 * effect; the comparison of this sum is cut off in this listing. */
4320 ASSERT((o
->shared_secret_file
!= NULL
)
4321 + (TLS_CLIENT
== true)
4322 + (TLS_SERVER
== true)
4325 /* Skip resolving BF-CBC to allow SSL libraries without BF-CBC
4326 * to work here in the default configuration */
4327 const char *ciphername
= o
->ciphername
;
4330 if (strcmp(o
->ciphername
, "BF-CBC") == 0)
4332 init_key_type(&kt
, "none", o
->authname
, true, false);
4337 init_key_type(&kt
, o
->ciphername
, o
->authname
, true, false);
/* Use the crypto library's canonical cipher name and its key size in bits. */
4338 ciphername
= cipher_kt_name(kt
.cipher
);
4339 if (cipher_defined(o
->ciphername
))
4341 keysize
= cipher_kt_key_size(kt
.cipher
) * 8;
4344 /* Only announce the cipher to our peer if we are willing to
4346 if (p2p_nopull
|| tls_item_in_cipher_list(ciphername
, o
->ncp_ciphers
))
4348 buf_printf(&out
, ",cipher %s", ciphername
);
4350 buf_printf(&out
, ",auth %s", md_kt_name(kt
.digest
));
4351 buf_printf(&out
, ",keysize %d", keysize
);
4352 if (o
->shared_secret_file
)
4354 buf_printf(&out
, ",secret");
4358 buf_printf(&out
, ",no-replay");
4361 #ifdef ENABLE_PREDICTION_RESISTANCE
4362 if (o
->use_prediction_resistance
)
4364 buf_printf(&out
, ",use-prediction-resistance");
/* TLS mode markers.  Only tls-auth is announced (see below for why
 * tls-crypt is not).  The side marker is swapped in one of the two
 * branches below, presumably the `remote` one, so that both peers compute
 * the same string. */
4373 if (TLS_CLIENT
|| TLS_SERVER
)
4375 if (o
->ce
.tls_auth_file
)
4377 buf_printf(&out
, ",tls-auth");
4379 /* Not adding tls-crypt here, because we won't reach this code if
4380 * tls-auth/tls-crypt does not match. Removing tls-auth here would
4381 * break stuff, so leaving that in place. */
4383 buf_printf(&out
, ",key-method %d", KEY_METHOD_2
);
4390 buf_printf(&out
, ",tls-server");
4392 else if (TLS_SERVER
)
4394 buf_printf(&out
, ",tls-client");
4401 buf_printf(&out
, ",tls-client");
4403 else if (TLS_SERVER
)
4405 buf_printf(&out
, ",tls-server");
/*
 * Compare option strings for equality.
 * If the first two chars of the strings differ, it means that
 * we are looking at different versions of the options string,
 * therefore don't compare them and return true.
 *
 * 'actual' must be NUL-terminated; its full length including the
 * terminator is handed to the bounded variant, which re-terminates
 * the string in place before comparing.
 */
bool
options_cmp_equal(char *actual, const char *expected)
{
    const size_t actual_n = strlen(actual) + 1; /* count the terminator */
    return options_cmp_equal_safe(actual, expected, actual_n);
}
/*
 * Log the differences between the local ('expected') and the peer's
 * ('actual') option strings.  Convenience wrapper passing the full
 * NUL-terminated length of 'actual' to the bounded variant.
 */
void
options_warning(char *actual, const char *expected)
{
    const size_t actual_n = strlen(actual) + 1; /* count the terminator */
    options_warning_safe(actual, expected, actual_n);
}
/*
 * Return the first space-delimited word of an option directive
 * (the directive name), allocated from 'gc_ret'.  A temporary arena
 * holds the working copy so only the result outlives this call.
 */
static const char *
options_warning_extract_parm1(const char *option_string,
                              struct gc_arena *gc_ret)
{
    struct gc_arena tmp = gc_new();
    struct buffer src = string_alloc_buf(option_string, &tmp);
    char *word = gc_malloc(OPTION_PARM_SIZE, false, &tmp);

    buf_parse(&src, ' ', word, OPTION_PARM_SIZE);
    /* copy out before the temporary arena is released */
    const char *first = string_alloc(word, gc_ret);

    gc_free(&tmp);
    return first;
}
/*
 * Check one directive 'p1' (taken from the options string named
 * 'b1_name') against every directive in 'b2_src' (named 'b2_name').
 * Warns when the directive is missing on the other side, or -- only
 * if 'report_inconsistent' is set -- when the same directive name
 * carries a different value there.
 */
static void
options_warning_safe_scan2(const int msglevel,
                           const int delim,
                           const bool report_inconsistent,
                           const char *p1,
                           const struct buffer *b2_src,
                           const char *b1_name,
                           const char *b2_name)
{
    /* We will stop sending 'key-method', 'keydir', 'proto' and 'tls-auth' in
     * OCC in a future version (because it's not useful). To reduce questions
     * when interoperating, we no longer print a warning about it.
     */
    if (strprefix(p1, "key-method ")
        || strprefix(p1, "keydir ")
        || strprefix(p1, "proto ")
        || streq(p1, "tls-auth")
        || strprefix(p1, "tun-ipv6")
        || strprefix(p1, "cipher "))
    {
        return;
    }

    if (strlen(p1) == 0)
    {
        return;
    }

    struct gc_arena gc = gc_new();
    struct buffer b2 = *b2_src; /* by-value cursor: b2_src itself is not advanced */
    const char *p1_prefix = options_warning_extract_parm1(p1, &gc);
    char *p2 = gc_malloc(OPTION_PARM_SIZE, false, &gc);
    bool matched = false;

    while (!matched && buf_parse(&b2, delim, p2, OPTION_PARM_SIZE))
    {
        if (strlen(p2) == 0)
        {
            continue;
        }
        const char *p2_prefix = options_warning_extract_parm1(p2, &gc);

        if (!strcmp(p1, p2))
        {
            matched = true; /* identical directive on both sides */
        }
        else if (!strcmp(p1_prefix, p2_prefix))
        {
            /* same directive name, different value */
            if (report_inconsistent)
            {
                msg(msglevel, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
                    safe_print(p1_prefix, &gc),
                    b1_name,
                    safe_print(p1, &gc),
                    b2_name,
                    safe_print(p2, &gc));
            }
            matched = true;
        }
    }

    if (!matched)
    {
        msg(msglevel, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
            safe_print(p1_prefix, &gc),
            b1_name,
            b2_name,
            b1_name,
            safe_print(p1, &gc));
    }

    gc_free(&gc);
}
/*
 * Split the 'b1_src' options string on 'delim' and check each
 * directive against 'b2_src' via options_warning_safe_scan2().
 */
static void
options_warning_safe_scan1(const int msglevel,
                           const int delim,
                           const bool report_inconsistent,
                           const struct buffer *b1_src,
                           const struct buffer *b2_src,
                           const char *b1_name,
                           const char *b2_name)
{
    struct gc_arena gc = gc_new();
    struct buffer cursor = *b1_src; /* by-value copy: b1_src is left untouched */
    char *directive = gc_malloc(OPTION_PARM_SIZE, true, &gc);

    for (;;)
    {
        if (!buf_parse(&cursor, delim, directive, OPTION_PARM_SIZE))
        {
            break;
        }
        options_warning_safe_scan2(msglevel, delim, report_inconsistent,
                                   directive, b2_src, b1_name, b2_name);
    }

    gc_free(&gc);
}
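/*
 * Emit the option-mismatch warnings in both directions:
 * local-vs-remote reports directives whose values differ, and
 * remote-vs-local only reports directives the local side lacks, so
 * each mismatch is logged once.
 *
 * 'actual' is the peer-supplied string bounded by 'actual_n' bytes;
 * it is forcibly NUL-terminated at actual_n - 1 before use.
 * actual_n == 0 is a no-op (nothing to terminate or compare) rather
 * than an out-of-bounds write to actual[-1].
 */
static void
options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
{
    if (actual_n == 0)
    {
        return;
    }

    struct gc_arena gc = gc_new();
    struct buffer local = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);
    struct buffer remote = alloc_buf_gc(OPTION_PARM_SIZE + 16, &gc);

    actual[actual_n - 1] = 0; /* never rely on the peer's terminator */
    buf_printf(&local, "version %s", expected);
    buf_printf(&remote, "version %s", actual);

    /* local -> remote: report differing values */
    options_warning_safe_scan1(msglevel, ',', true,
                               &local, &remote,
                               "local", "remote");

    /* remote -> local: only report what the local side is missing */
    options_warning_safe_scan1(msglevel, ',', false,
                               &remote, &local,
                               "remote", "local");

    gc_free(&gc);
}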
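/*
 * Bounded comparison of the peer's options string ('actual', at most
 * actual_n bytes, forcibly NUL-terminated here) against ours.
 *
 * Returns false only when both strings share a version prefix (the
 * first two characters) and still differ.  A version-prefix mismatch
 * means the strings are not comparable: it is logged, the
 * differences are shown, and the result is true.  actual_n == 0
 * leaves 'actual' untouched and returns true instead of writing to
 * actual[-1].
 */
bool
options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
{
    bool ret = true;

    if (actual_n == 0)
    {
        return ret;
    }

    actual[actual_n - 1] = 0; /* never rely on the peer's terminator */

    if (strncmp(actual, expected, 2))
    {
        /* different options-string versions: skip the comparison
         * but still show where the two sides diverge */
        msg(D_SHOW_OCC, "NOTE: Options consistency check may be skewed by version differences");
        options_warning_safe_ml(D_SHOW_OCC, actual, expected, actual_n);
    }
    else
    {
        ret = !strcmp(actual, expected);
    }
    return ret;
}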
/*
 * Log option-string differences at D_SHOW_OCC, with the peer's string
 * 'actual' bounded to 'actual_n' bytes (it is NUL-terminated in place).
 */
void
options_warning_safe(char *actual, const char *expected, size_t actual_n)
{
    const int level = D_SHOW_OCC;
    options_warning_safe_ml(level, actual, expected, actual_n);
}
/*
 * Return the version tag of an options string -- its first two
 * characters -- as a NUL-terminated string allocated from 'gc'.
 * strncpynt() is the bounded copy that forces a terminator, so with a
 * limit of 3 at most two characters are kept.
 */
const char *
options_string_version(const char *s, struct gc_arena *gc)
{
    struct buffer version = alloc_buf_gc(4, gc);
    char *dst = (char *) BPTR(&version);

    strncpynt(dst, s, 3);
    return BSTR(&version);
}
/*
 * Look up 'opt_name' in a comma-separated options string and return a
 * gc-allocated copy of its value, or NULL when the option is absent.
 * A match requires the name to be followed by a single space and at
 * least one value character; the value runs to the next ',' or to
 * the end of the string.
 */
char *
options_string_extract_option(const char *options_string, const char *opt_name,
                              struct gc_arena *gc)
{
    const size_t opt_name_len = strlen(opt_name);

    for (const char *p = options_string; p; )
    {
        const bool name_matches = strncmp(p, opt_name, opt_name_len) == 0
                                  && strlen(p) > (opt_name_len + 1)
                                  && p[opt_name_len] == ' ';
        if (name_matches)
        {
            /* option found, extract value */
            const char *start = &p[opt_name_len + 1];
            const char *end = strchr(p, ',');
            const size_t val_len = end ? (size_t) (end - start) : strlen(start);
            /* zero-filled allocation, so the copy is NUL-terminated */
            char *value = gc_malloc(val_len + 1, true, gc);
            memcpy(value, start, val_len);
            return value;
        }

        /* advance past the next delimiter, or stop at end of string */
        p = strchr(p, ',');
        if (p)
        {
            p++;
        }
    }
    return NULL;
}
/**
 * Parses --windows-driver config option
 *
 * @param str       value of --windows-driver option
 * @param msglevel  msglevel to report parsing error
 * @return enum windows_driver_type driver type, WINDOWS_DRIVER_UNSPECIFIED on unknown --windows-driver value
 */
static enum windows_driver_type
parse_windows_driver(const char *str, const int msglevel)
{
    static const struct
    {
        const char *name;
        enum windows_driver_type type;
    } drivers[] = {
        { "tap-windows6", WINDOWS_DRIVER_TAP_WINDOWS6 },
        { "wintun",       WINDOWS_DRIVER_WINTUN },
        { "ovpn-dco",     WINDOWS_DRIVER_DCO },
    };

    for (size_t i = 0; i < SIZE(drivers); ++i)
    {
        if (streq(str, drivers[i].name))
        {
            return drivers[i].type;
        }
    }

    msg(msglevel, "--windows-driver must be tap-windows6, wintun "
        "or ovpn-dco");
    return WINDOWS_DRIVER_UNSPECIFIED;
}
4663 #endif /* ifdef _WIN32 */
/*
 * parse/print topology coding
 */

/*
 * Map a --topology name to its TOP_* code.  Unknown names are
 * reported at 'msglevel' and yield TOP_UNDEF.
 */
int
parse_topology(const char *str, const int msglevel)
{
    static const struct
    {
        const char *name;
        int topology;
    } modes[] = {
        { "net30",  TOP_NET30 },
        { "p2p",    TOP_P2P },
        { "subnet", TOP_SUBNET },
    };

    for (size_t i = 0; i < SIZE(modes); ++i)
    {
        if (streq(str, modes[i].name))
        {
            return modes[i].topology;
        }
    }

    msg(msglevel, "--topology must be net30, p2p, or subnet");
    return TOP_UNDEF;
}
4692 print_topology(const int topology
)
/*
 * Manage auth-retry variable
 */

/* GLOBAL: zero until auth_retry_set() stores one of the AR_* values */
static int global_auth_retry;

/*
 * Current --auth-retry mode as stored by auth_retry_set().
 */
int
auth_retry_get(void)
{
    const int current = global_auth_retry;
    return current;
}
/*
 * Select the --auth-retry behaviour by name.
 * Returns true when 'option' was recognised and stored; otherwise the
 * error is reported at 'msglevel', the setting is left unchanged and
 * false is returned.
 */
bool
auth_retry_set(const int msglevel, const char *option)
{
    int mode;

    if (streq(option, "interact"))
    {
        mode = AR_INTERACT;
    }
    else if (streq(option, "nointeract"))
    {
        mode = AR_NOINTERACT;
    }
    else if (streq(option, "none"))
    {
        mode = AR_NONE;
    }
    else
    {
        msg(msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
        return false;
    }

    global_auth_retry = mode;
    return true;
}
4749 auth_retry_print(void)
4751 switch (global_auth_retry
)
4757 return "nointeract";
4768 * Print the help message.
4773 FILE *fp
= msg_fp(0);
4777 fprintf(fp
, "Usage message not available\n");
4782 init_options(&o
, true);
4784 fprintf(fp
, usage_message
,
4786 o
.ce
.connect_retry_seconds
,
4787 o
.ce
.connect_retry_seconds_max
,
4788 o
.ce
.local_port
, o
.ce
.remote_port
,
4789 TUN_MTU_DEFAULT
, TAP_MTU_EXTRA_DEFAULT
,
4792 o
.replay_window
, o
.replay_time
,
4793 o
.tls_timeout
, o
.renegotiate_seconds
,
4794 o
.handshake_window
, o
.transition_window
);
4797 #endif /* ENABLE_SMALL */
4799 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE
); /* exit point */
4805 msg(M_WARN
|M_NOPREFIX
, "Use --help for more information.");
4806 openvpn_exit(OPENVPN_EXIT_STATUS_USAGE
); /* exit point */
/*
 * Log the Windows version string at the given msg() flags.
 */
static void
show_windows_version(const unsigned int flags)
{
    struct gc_arena gc = gc_new();
    const char *version = win32_version_string(&gc, true);

    msg(flags, "Windows version %s", version);
    gc_free(&gc);
}
/*
 * Log the SSL library version, followed by the LZO version when LZO
 * support is compiled in.  LZO_LIB_VER_STR expands to the two extra
 * format arguments and is undefined again at the end.
 */
static void
show_library_versions(const unsigned int flags)
{
#ifdef ENABLE_LZO
#define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
#else
#define LZO_LIB_VER_STR "", ""
#endif

    const char *ssl_version = get_ssl_library_version();
    msg(flags, "library versions: %s%s%s", ssl_version,
        LZO_LIB_VER_STR);

#undef LZO_LIB_VER_STR
}
4837 msg(M_INFO
|M_NOPREFIX
, "%s", title_string
);
4838 show_library_versions( M_INFO
|M_NOPREFIX
);
4840 show_windows_version( M_INFO
|M_NOPREFIX
);
4842 msg(M_INFO
|M_NOPREFIX
, "Originally developed by James Yonan");
4843 msg(M_INFO
|M_NOPREFIX
, "Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>");
4844 #ifndef ENABLE_SMALL
4845 #ifdef CONFIGURE_DEFINES
4846 msg(M_INFO
|M_NOPREFIX
, "Compile time defines: %s", CONFIGURE_DEFINES
);
4848 #ifdef CONFIGURE_SPECIAL_BUILD
4849 msg(M_INFO
|M_NOPREFIX
, "special build: %s", CONFIGURE_SPECIAL_BUILD
);
4852 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD
);
/*
 * Report a usage error via msg(M_USAGE, ...) unless 'arg' is set.
 * 'description' names the missing option in the message.
 */
void
notnull(const char *arg, const char *description)
{
    if (arg)
    {
        return;
    }
    msg(M_USAGE, "You must define %s", description);
}
/*
 * True only when both strings are non-NULL and compare equal;
 * a NULL on either side never matches anything.
 */
bool
string_defined_equal(const char *s1, const char *s2)
{
    if (!s1 || !s2)
    {
        return false;
    }
    return strcmp(s1, s2) == 0;
}
/*
 * Report that --ping-exit and --ping-restart were both given.
 */
static void
ping_rec_err(int msglevel)
{
    const int level = msglevel;
    msg(level, "only one of --ping-exit or --ping-restart options may be specified");
}
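/*
 * Parse a non-negative decimal integer from option text.
 * Negative, non-numeric and out-of-int-range inputs all yield 0, so
 * the caller never sees a negative value.  strtol() replaces atoi()
 * because atoi() has undefined behaviour when the value does not fit
 * in an int, and option text is not necessarily well-formed.
 */
int
positive_atoi(const char *str)
{
    const long v = strtol(str, NULL, 10);
    const int i = (int) v;

    /* (long) i != v catches values that the int conversion truncated */
    if (v < 0 || (long) i != v)
    {
        return 0;
    }
    return i;
}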
4892 #ifdef _WIN32 /* This function is only used when compiling on Windows */
/*
 * Parse an unsigned decimal value with sscanf(); any input that does
 * not convert yields 0.
 */
static unsigned int
atou(const char *str)
{
    unsigned int parsed = 0;
    const int matched = sscanf(str, "%u", &parsed);

    return matched == 1 ? parsed : 0;
}
/*
 * Parameter delimiter test used by parse_line(): whitespace and the
 * terminating NUL both end an unquoted parameter.
 */
static bool
space(unsigned char c)
{
    if (c == '\0')
    {
        return true;
    }
    return isspace(c) != 0;
}
4909 parse_line(const char *line
,
4915 struct gc_arena
*gc
)
4917 const int STATE_INITIAL
= 0;
4918 const int STATE_READING_QUOTED_PARM
= 1;
4919 const int STATE_READING_UNQUOTED_PARM
= 2;
4920 const int STATE_DONE
= 3;
4921 const int STATE_READING_SQUOTED_PARM
= 4;
4923 const char *error_prefix
= "";
4926 const char *c
= line
;
4927 int state
= STATE_INITIAL
;
4928 bool backslash
= false;
4931 char parm
[OPTION_PARM_SIZE
];
4932 unsigned int parm_len
= 0;
4934 msglevel
&= ~M_OPTERR
;
4936 if (msglevel
& M_MSG_VIRT_OUT
)
4938 error_prefix
= "ERROR: ";
4946 if (!backslash
&& in
== '\\' && state
!= STATE_READING_SQUOTED_PARM
)
4952 if (state
== STATE_INITIAL
)
4956 if (in
== ';' || in
== '#') /* comment */
4960 if (!backslash
&& in
== '\"')
4962 state
= STATE_READING_QUOTED_PARM
;
4964 else if (!backslash
&& in
== '\'')
4966 state
= STATE_READING_SQUOTED_PARM
;
4971 state
= STATE_READING_UNQUOTED_PARM
;
4975 else if (state
== STATE_READING_UNQUOTED_PARM
)
4977 if (!backslash
&& space(in
))
4986 else if (state
== STATE_READING_QUOTED_PARM
)
4988 if (!backslash
&& in
== '\"')
4997 else if (state
== STATE_READING_SQUOTED_PARM
)
5008 if (state
== STATE_DONE
)
5010 /* ASSERT (parm_len > 0); */
5011 p
[ret
] = gc_malloc(parm_len
+ 1, true, gc
);
5012 memcpy(p
[ret
], parm
, parm_len
);
5013 p
[ret
][parm_len
] = '\0';
5014 state
= STATE_INITIAL
;
5019 if (backslash
&& out
)
5021 if (!(out
== '\\' || out
== '\"' || space(out
)))
5024 msg(msglevel
, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix
, file
, line_num
);
5026 msg(msglevel
, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE
"\\\\static.key\"", error_prefix
, file
, line_num
);
5034 /* store parameter character */
5037 if (parm_len
>= SIZE(parm
))
5039 parm
[SIZE(parm
) - 1] = 0;
5040 msg(msglevel
, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
5041 error_prefix
, file
, line_num
, (int) SIZE(parm
), parm
);
5044 parm
[parm_len
++] = out
;
5047 /* avoid overflow if too many parms in one config file line */
5053 } while (*c
++ != '\0');
5055 if (state
== STATE_READING_QUOTED_PARM
)
5057 msg(msglevel
, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix
, file
, line_num
);
5060 if (state
== STATE_READING_SQUOTED_PARM
)
5062 msg(msglevel
, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix
, file
, line_num
);
5065 if (state
!= STATE_INITIAL
)
5067 msg(msglevel
, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix
, state
, file
, line_num
);
5073 for (i
= 0; i
< ret
; ++i
)
5075 msg(M_INFO
|M_NOPREFIX
, "%s:%d ARG[%d] '%s'", file
, line_num
, i
, p
[i
]);
/*
 * Skip a leading "--" by advancing *p two characters, so "--remote"
 * and "remote" are treated alike.  A bare "--" or anything shorter
 * than three characters is left untouched.
 */
static void
bypass_doubledash(char **p)
{
    const char *s = *p;
    const bool has_prefix = strlen(s) >= 3 && strncmp(s, "--", 2) == 0;

    if (has_prefix)
    {
        *p += 2;
    }
}
5092 #define IS_TYPE_FP 1
5093 #define IS_TYPE_BUF 2
5097 struct buffer
*multiline
;
/*
 * Read the next line from an input source into 'line' (at most 'size'
 * bytes).  A FILE source is read with fgets(); a buffer source is
 * split on '\n' and a newline is re-appended when it fits, so both
 * sources present the same fgets()-style text to the caller.
 * Returns the read status of the underlying source.
 */
static bool
in_src_get(const struct in_src *is, char *line, const int size)
{
    switch (is->type)
    {
        case IS_TYPE_FP:
            return BOOL_CAST(fgets(line, size, is->u.fp));

        case IS_TYPE_BUF:
        {
            const bool status = buf_parse(is->u.multiline, '\n', line, size);
            const size_t len = strlen(line);

            if ((int) len + 1 < size)
            {
                /* room for the newline plus the terminator */
                line[len] = '\n';
                line[len + 1] = '\0';
            }
            return status;
        }

        default:
            ASSERT(0);
            return false;
    }
}
5125 read_inline_file(struct in_src
*is
, const char *close_tag
,
5126 int *num_lines
, struct gc_arena
*gc
)
5128 char line
[OPTION_LINE_SIZE
];
5129 struct buffer buf
= alloc_buf(8*OPTION_LINE_SIZE
);
5131 bool endtagfound
= false;
5133 while (in_src_get(is
, line
, sizeof(line
)))
5136 char *line_ptr
= line
;
5137 /* Remove leading spaces */
5138 while (isspace(*line_ptr
))
5142 if (!strncmp(line_ptr
, close_tag
, strlen(close_tag
)))
5147 if (!buf_safe(&buf
, strlen(line
)+1))
5149 /* Increase buffer size */
5150 struct buffer buf2
= alloc_buf(buf
.capacity
* 2);
5151 ASSERT(buf_copy(&buf2
, &buf
));
5156 buf_printf(&buf
, "%s", line
);
5160 msg(M_FATAL
, "ERROR: Endtag %s missing", close_tag
);
5162 ret
= string_alloc(BSTR(&buf
), gc
);
5165 secure_memzero(line
, sizeof(line
));
/*
 * Detect an inline file block.  When the only parameter is "<tag>",
 * p[0] becomes "tag", p[1] receives the block contents read from 'is'
 * up to the matching "</tag>" line, and p[2] is cleared.
 * Returns the number of lines consumed from 'is' (0 when no inline
 * block was present).
 */
static int
check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
{
    int num_inline_lines = 0;
    char *arg = p[0];

    if (!arg || p[1])
    {
        return num_inline_lines;
    }

    const size_t arg_len = strlen(arg);
    if (arg[0] == '<' && arg[arg_len - 1] == '>')
    {
        /* drop the closing '>' and skip the opening '<' to get the bare tag */
        arg[arg_len - 1] = '\0';
        p[0] = string_alloc(arg + 1, gc);

        struct buffer close_tag = alloc_buf(strlen(p[0]) + 4);
        buf_printf(&close_tag, "</%s>", p[0]);
        p[1] = read_inline_file(is, BSTR(&close_tag), &num_inline_lines, gc);
        p[2] = NULL;
        free_buf(&close_tag);
    }
    return num_inline_lines;
}
/*
 * check_inline_file() over a stdio stream.
 */
static int
check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
{
    struct in_src is = { .type = IS_TYPE_FP, .u.fp = fp };
    return check_inline_file(&is, p, gc);
}
/*
 * check_inline_file() over an in-memory multi-line buffer.
 */
static int
check_inline_file_via_buf(struct buffer *multiline, char *p[],
                          struct gc_arena *gc)
{
    struct in_src is = { .type = IS_TYPE_BUF, .u.multiline = multiline };
    return check_inline_file(&is, p, gc);
}
5213 add_option(struct options
*options
,
5220 const unsigned int permission_mask
,
5221 unsigned int *option_types_found
,
5222 struct env_set
*es
);
5225 read_config_file(struct options
*options
,
5228 const char *top_file
,
5231 const unsigned int permission_mask
,
5232 unsigned int *option_types_found
,
5235 const int max_recursive_levels
= 10;
5238 char line
[OPTION_LINE_SIZE
+1];
5239 char *p
[MAX_PARMS
+1];
5242 if (level
<= max_recursive_levels
)
5244 if (streq(file
, "stdin"))
5250 fp
= platform_fopen(file
, "r");
5255 while (fgets(line
, sizeof(line
), fp
))
5260 if (strlen(line
) == OPTION_LINE_SIZE
)
5262 msg(msglevel
, "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
5263 file
, line_num
, OPTION_LINE_SIZE
, line
);
5266 /* Ignore UTF-8 BOM at start of stream */
5267 if (line_num
== 1 && strncmp(line
, "\xEF\xBB\xBF", 3) == 0)
5271 if (parse_line(line
+ offset
, p
, SIZE(p
)-1, file
, line_num
, msglevel
, &options
->gc
))
5273 bypass_doubledash(&p
[0]);
5274 int lines_inline
= check_inline_file_via_fp(fp
, p
, &options
->gc
);
5275 add_option(options
, p
, lines_inline
, file
, line_num
, level
,
5276 msglevel
, permission_mask
, option_types_found
,
5278 line_num
+= lines_inline
;
5288 msg(msglevel
, "In %s:%d: Error opening configuration file: %s", top_file
, top_line
, file
);
5293 msg(msglevel
, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file
, top_line
, file
);
5295 secure_memzero(line
, sizeof(line
));
5300 read_config_string(const char *prefix
,
5301 struct options
*options
,
5304 const unsigned int permission_mask
,
5305 unsigned int *option_types_found
,
5308 char line
[OPTION_LINE_SIZE
];
5309 struct buffer multiline
;
5312 buf_set_read(&multiline
, (uint8_t *)config
, strlen(config
));
5314 while (buf_parse(&multiline
, '\n', line
, sizeof(line
)))
5316 char *p
[MAX_PARMS
+1];
5319 if (parse_line(line
, p
, SIZE(p
)-1, prefix
, line_num
, msglevel
, &options
->gc
))
5321 bypass_doubledash(&p
[0]);
5322 int lines_inline
= check_inline_file_via_buf(&multiline
, p
, &options
->gc
);
5323 add_option(options
, p
, lines_inline
, prefix
, line_num
, 0, msglevel
,
5324 permission_mask
, option_types_found
, es
);
5325 line_num
+= lines_inline
;
5329 secure_memzero(line
, sizeof(line
));
5333 parse_argv(struct options
*options
,
5337 const unsigned int permission_mask
,
5338 unsigned int *option_types_found
,
5347 /* config filename specified only? */
5348 if (argc
== 2 && strncmp(argv
[1], "--", 2))
5350 char *p
[MAX_PARMS
+1];
5354 add_option(options
, p
, false, NULL
, 0, 0, msglevel
, permission_mask
,
5355 option_types_found
, es
);
5359 /* parse command line */
5360 for (int i
= 1; i
< argc
; ++i
)
5362 char *p
[MAX_PARMS
+1];
5365 if (strncmp(p
[0], "--", 2))
5367 msg(msglevel
, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p
[0]);
5375 for (j
= 1; j
< MAX_PARMS
; ++j
)
5379 char *arg
= argv
[i
+ j
];
5380 if (strncmp(arg
, "--", 2))
5390 add_option(options
, p
, false, NULL
, 0, 0, msglevel
, permission_mask
,
5391 option_types_found
, es
);
/*
 * Filter an option line by all pull filters.
 *
 * If a match is found, the line is modified depending on
 * the filter type, and returns true. If the filter type is
 * reject, SIGUSR1 is triggered and the return value is false.
 * In that case the caller must end the push processing.
 *
 * Filters are prefix matches (the first f->size bytes of f->pattern)
 * and the first matching filter wins.  Ignored and rejected lines are
 * emptied in place so the subsequent parse yields nothing.
 */
static bool
apply_pull_filter(const struct options *o, char *line)
{
    if (!o->pull_filter_list)
    {
        return true;
    }

    /* skip leading spaces matching the behaviour of parse_line */
    while (isspace(*line))
    {
        line++;
    }

    for (const struct pull_filter *f = o->pull_filter_list->head; f; f = f->next)
    {
        if (strncmp(line, f->pattern, f->size) != 0)
        {
            continue;
        }

        switch (f->type)
        {
            case PUF_TYPE_ACCEPT:
                msg(D_LOW, "Pushed option accepted by filter: '%s'", line);
                return true;

            case PUF_TYPE_IGNORE:
                msg(D_PUSH, "Pushed option removed by filter: '%s'", line);
                *line = '\0';
                return true;

            case PUF_TYPE_REJECT:
                msg(M_WARN, "Pushed option rejected by filter: '%s'. Restarting.", line);
                *line = '\0';
                throw_signal_soft(SIGUSR1, "Offending option received from server");
                return false;

            default:
                break; /* pattern matched but unknown type: keep scanning */
        }
    }
    return true;
}
5446 apply_push_options(struct options
*options
,
5448 unsigned int permission_mask
,
5449 unsigned int *option_types_found
,
5452 char line
[OPTION_PARM_SIZE
];
5454 const char *file
= "[PUSH-OPTIONS]";
5455 const int msglevel
= D_PUSH_ERRORS
|M_OPTERR
;
5457 while (buf_parse(buf
, ',', line
, sizeof(line
)))
5459 char *p
[MAX_PARMS
+1];
5462 if (!apply_pull_filter(options
, line
))
5464 return false; /* Cause push/pull error and stop push processing */
5466 if (parse_line(line
, p
, SIZE(p
)-1, file
, line_num
, msglevel
, &options
->gc
))
5468 add_option(options
, p
, false, file
, line_num
, 0, msglevel
,
5469 permission_mask
, option_types_found
, es
);
5476 options_server_import(struct options
*o
,
5477 const char *filename
,
5479 unsigned int permission_mask
,
5480 unsigned int *option_types_found
,
5483 msg(D_PUSH
, "OPTIONS IMPORT: reading client specific options from: %s", filename
);
5496 options_string_import(struct options
*options
,
5499 const unsigned int permission_mask
,
5500 unsigned int *option_types_found
,
5503 read_config_string("[CONFIG-STRING]", options
, config
, msglevel
, permission_mask
, option_types_found
, es
);
5506 #define VERIFY_PERMISSION(mask) { \
5507 if (!verify_permission(p[0], file, line, (mask), permission_mask, \
5508 option_types_found, msglevel, options, is_inline)) \
5515 verify_permission(const char *name
,
5518 const unsigned int type
,
5519 const unsigned int allowed
,
5520 unsigned int *found
,
5522 struct options
*options
,
5525 if (!(type
& allowed
))
5527 msg(msglevel
, "option '%s' cannot be used in this context (%s)", name
, file
);
5531 if (is_inline
&& !(type
& OPT_P_INLINE
))
5533 msg(msglevel
, "option '%s' is not expected to be inline (%s:%d)", name
,
5543 #ifndef ENABLE_SMALL
5544 /* Check if this option is allowed in a connection block,
5545 * but we are currently not in a connection block
5546 * unless this is a pushed option.
5547 * Parsing a connection block uses a temporary options struct without
5551 if ((type
& OPT_P_CONNECTION
) && options
->connection_list
5552 && !(allowed
& OPT_P_PULL_MODE
))
5556 msg(M_WARN
, "Option '%s' in %s:%d is ignored by previous <connection> blocks ", name
, file
, line
);
5560 msg(M_WARN
, "Option '%s' is ignored by previous <connection> blocks", name
);
5568 * Check that an option doesn't have too
5572 #define NM_QUOTE_HINT (1<<0)
5575 no_more_than_n_args(const int msglevel
,
5578 const unsigned int flags
)
5580 const int len
= string_array_len((const char **)p
);
5589 msg(msglevel
, "the --%s directive should have at most %d parameter%s.%s",
5592 max
>= 3 ? "s" : "",
5593 (flags
& NM_QUOTE_HINT
) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
/*
 * Return the message level to use for an option-parsing problem:
 * M_WARN when --forward-compatible is set, otherwise 'msglevel' as is.
 */
static int
msglevel_forward_compatible(struct options *options, const int msglevel)
{
    if (options->forward_compatible)
    {
        return M_WARN;
    }
    return msglevel;
}
5609 set_user_script(struct options
*options
,
5610 const char **script
,
5611 const char *new_script
,
5617 msg(M_WARN
, "Multiple --%s scripts defined. "
5618 "The previously configured script is overridden.", type
);
5620 *script
= new_script
;
5621 options
->user_script_used
= true;
5623 #ifndef ENABLE_SMALL
5625 char script_name
[100];
5626 openvpn_snprintf(script_name
, sizeof(script_name
),
5627 "--%s script", type
);
5629 if (check_cmd_access(*script
, script_name
, (in_chroot
? options
->chroot_dir
: NULL
)))
5631 msg(M_USAGE
, "Please correct this error.");
5640 show_compression_warning(struct compress_options
*info
)
5642 if (comp_non_stub_enabled(info
))
5645 * Check if already displayed the strong warning and enabled full
5648 if (!(info
->flags
& COMP_F_ALLOW_COMPRESS
))
5650 msg(M_WARN
, "WARNING: Compression for receiving enabled. "
5651 "Compression has been used in the past to break encryption. "
5652 "Sent packets are not compressed unless \"allow-compression yes\" "
/*
 * True when the private key is supplied by an external provider:
 * --management-external-key (MF_EXTERNAL_KEY), a PKCS#11 provider,
 * or a CryptoAPI certificate, whichever are compiled in.
 */
static bool
key_is_external(const struct options *options)
{
    if (options->management_flags & MF_EXTERNAL_KEY)
    {
        return true;
    }
#ifdef ENABLE_PKCS11
    if (options->pkcs11_providers[0] != NULL)
    {
        return true;
    }
#endif
#ifdef ENABLE_CRYPTOAPI
    if (options->cryptoapi_cert)
    {
        return true;
    }
#endif
    return false;
}
5675 add_option(struct options
*options
,
5682 const unsigned int permission_mask
,
5683 unsigned int *option_types_found
,
5686 struct gc_arena gc
= gc_new();
5687 const bool pull_mode
= BOOL_CAST(permission_mask
& OPT_P_PULL_MODE
);
5688 int msglevel_fc
= msglevel_forward_compatible(options
, msglevel
);
5690 ASSERT(MAX_PARMS
>= 7);
5693 * If directive begins with "setenv opt" prefix, don't raise an error if
5694 * directive is unrecognized.
5696 if (streq(p
[0], "setenv") && p
[1] && streq(p
[1], "opt") && !(permission_mask
& OPT_P_PULL_MODE
))
5700 p
[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
5703 msglevel_fc
= M_WARN
;
5708 file
= "[CMD-LINE]";
5711 if (streq(p
[0], "help"))
5713 VERIFY_PERMISSION(OPT_P_GENERAL
);
5717 msg(msglevel
, "--help does not accept any parameters");
5721 if (streq(p
[0], "version") && !p
[1])
5723 VERIFY_PERMISSION(OPT_P_GENERAL
);
5726 else if (streq(p
[0], "config") && p
[1] && !p
[2])
5728 VERIFY_PERMISSION(OPT_P_CONFIG
);
5730 /* save first config file only in options */
5731 if (!options
->config
)
5733 options
->config
= p
[1];
5736 read_config_file(options
, p
[1], level
, file
, line
, msglevel
, permission_mask
, option_types_found
, es
);
5738 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
5739 else if (streq(p
[0], "show-gateway") && !p
[2])
5741 struct route_gateway_info rgi
;
5742 struct route_ipv6_gateway_info rgi6
;
5743 struct in6_addr remote
= IN6ADDR_ANY_INIT
;
5744 openvpn_net_ctx_t net_ctx
;
5745 VERIFY_PERMISSION(OPT_P_GENERAL
);
5748 get_ipv6_addr(p
[1], &remote
, NULL
, M_WARN
);
5750 net_ctx_init(NULL
, &net_ctx
);
5751 get_default_gateway(&rgi
, &net_ctx
);
5752 get_default_gateway_ipv6(&rgi6
, &remote
, &net_ctx
);
5753 print_default_gateway(M_INFO
, &rgi
, &rgi6
);
5754 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD
); /* exit point */
5757 else if (streq(p
[0], "echo") || streq(p
[0], "parameter"))
5759 struct buffer string
= alloc_buf_gc(OPTION_PARM_SIZE
, &gc
);
5763 VERIFY_PERMISSION(OPT_P_ECHO
);
5765 for (j
= 1; j
< MAX_PARMS
; ++j
)
5773 good
&= buf_printf(&string
, " ");
5775 good
&= buf_printf(&string
, "%s", p
[j
]);
5779 /* only message-related ECHO are logged, since other ECHOs
5780 * can potentially include security-sensitive strings */
5781 if (p
[1] && strncmp(p
[1], "msg", 3) == 0)
5783 msg(M_INFO
, "%s:%s",
5784 pull_mode
? "ECHO-PULL" : "ECHO",
5787 #ifdef ENABLE_MANAGEMENT
5790 management_echo(management
, BSTR(&string
), pull_mode
);
5796 msg(M_WARN
, "echo/parameter option overflow");
5799 #ifdef ENABLE_MANAGEMENT
5800 else if (streq(p
[0], "management") && p
[1] && p
[2] && !p
[4])
5802 VERIFY_PERMISSION(OPT_P_GENERAL
);
5803 if (streq(p
[2], "unix"))
5805 #if UNIX_SOCK_SUPPORT
5806 options
->management_flags
|= MF_UNIX_SOCK
;
5808 msg(msglevel
, "MANAGEMENT: this platform does not support unix domain sockets");
5813 options
->management_addr
= p
[1];
5814 options
->management_port
= p
[2];
5817 options
->management_user_pass
= p
[3];
5820 else if (streq(p
[0], "management-client-user") && p
[1] && !p
[2])
5822 VERIFY_PERMISSION(OPT_P_GENERAL
);
5823 options
->management_client_user
= p
[1];
5825 else if (streq(p
[0], "management-client-group") && p
[1] && !p
[2])
5827 VERIFY_PERMISSION(OPT_P_GENERAL
);
5828 options
->management_client_group
= p
[1];
5830 else if (streq(p
[0], "management-query-passwords") && !p
[1])
5832 VERIFY_PERMISSION(OPT_P_GENERAL
);
5833 options
->management_flags
|= MF_QUERY_PASSWORDS
;
5835 else if (streq(p
[0], "management-query-remote") && !p
[1])
5837 VERIFY_PERMISSION(OPT_P_GENERAL
);
5838 options
->management_flags
|= MF_QUERY_REMOTE
;
5840 else if (streq(p
[0], "management-query-proxy") && !p
[1])
5842 VERIFY_PERMISSION(OPT_P_GENERAL
);
5843 options
->management_flags
|= MF_QUERY_PROXY
;
5845 else if (streq(p
[0], "management-hold") && !p
[1])
5847 VERIFY_PERMISSION(OPT_P_GENERAL
);
5848 options
->management_flags
|= MF_HOLD
;
5850 else if (streq(p
[0], "management-signal") && !p
[1])
5852 VERIFY_PERMISSION(OPT_P_GENERAL
);
5853 options
->management_flags
|= MF_SIGNAL
;
5855 else if (streq(p
[0], "management-forget-disconnect") && !p
[1])
5857 VERIFY_PERMISSION(OPT_P_GENERAL
);
5858 options
->management_flags
|= MF_FORGET_DISCONNECT
;
5860 else if (streq(p
[0], "management-up-down") && !p
[1])
5862 VERIFY_PERMISSION(OPT_P_GENERAL
);
5863 options
->management_flags
|= MF_UP_DOWN
;
5865 else if (streq(p
[0], "management-client") && !p
[1])
5867 VERIFY_PERMISSION(OPT_P_GENERAL
);
5868 options
->management_flags
|= MF_CONNECT_AS_CLIENT
;
5870 else if (streq(p
[0], "management-external-key"))
5872 VERIFY_PERMISSION(OPT_P_GENERAL
);
5873 for (int j
= 1; j
< MAX_PARMS
&& p
[j
] != NULL
; ++j
)
5875 if (streq(p
[j
], "nopadding"))
5877 options
->management_flags
|= MF_EXTERNAL_KEY_NOPADDING
;
5879 else if (streq(p
[j
], "pkcs1"))
5881 options
->management_flags
|= MF_EXTERNAL_KEY_PKCS1PAD
;
5883 else if (streq(p
[j
], "pss"))
5885 options
->management_flags
|= MF_EXTERNAL_KEY_PSSPAD
;
5887 else if (streq(p
[j
], "digest"))
5889 options
->management_flags
|= MF_EXTERNAL_KEY_DIGEST
;
5893 msg(msglevel
, "Unknown management-external-key flag: %s", p
[j
]);
5897 * When no option is present, assume that only PKCS1
5898 * padding is supported
5900 if (!(options
->management_flags
5901 &(MF_EXTERNAL_KEY_NOPADDING
| MF_EXTERNAL_KEY_PKCS1PAD
)))
5903 options
->management_flags
|= MF_EXTERNAL_KEY_PKCS1PAD
;
5905 options
->management_flags
|= MF_EXTERNAL_KEY
;
5907 else if (streq(p
[0], "management-external-cert") && p
[1] && !p
[2])
5909 VERIFY_PERMISSION(OPT_P_GENERAL
);
5910 options
->management_flags
|= MF_EXTERNAL_CERT
;
5911 options
->management_certificate
= p
[1];
5913 else if (streq(p
[0], "management-client-auth") && !p
[1])
5915 VERIFY_PERMISSION(OPT_P_GENERAL
);
5916 options
->management_flags
|= MF_CLIENT_AUTH
;
5918 else if (streq(p
[0], "management-log-cache") && p
[1] && !p
[2])
5922 VERIFY_PERMISSION(OPT_P_GENERAL
);
5926 msg(msglevel
, "--management-log-cache parameter is out of range");
5929 options
->management_log_history_cache
= cache
;
5931 #endif /* ifdef ENABLE_MANAGEMENT */
5932 #ifdef ENABLE_PLUGIN
5933 else if (streq(p
[0], "plugin") && p
[1])
5935 VERIFY_PERMISSION(OPT_P_PLUGIN
);
5936 if (!options
->plugin_list
)
5938 options
->plugin_list
= plugin_option_list_new(&options
->gc
);
5940 if (!plugin_option_list_add(options
->plugin_list
, &p
[1], &options
->gc
))
5942 msg(msglevel
, "plugin add failed: %s", p
[1]);
5947 else if (streq(p
[0], "mode") && p
[1] && !p
[2])
5949 VERIFY_PERMISSION(OPT_P_GENERAL
);
5950 if (streq(p
[1], "p2p"))
5952 options
->mode
= MODE_POINT_TO_POINT
;
5954 else if (streq(p
[1], "server"))
5956 options
->mode
= MODE_SERVER
;
5960 msg(msglevel
, "Bad --mode parameter: %s", p
[1]);
5964 else if (streq(p
[0], "dev") && p
[1] && !p
[2])
5966 VERIFY_PERMISSION(OPT_P_GENERAL
);
5967 options
->dev
= p
[1];
5969 else if (streq(p
[0], "dev-type") && p
[1] && !p
[2])
5971 VERIFY_PERMISSION(OPT_P_GENERAL
);
5972 options
->dev_type
= p
[1];
5975 else if (streq(p
[0], "windows-driver") && p
[1] && !p
[2])
5977 VERIFY_PERMISSION(OPT_P_GENERAL
);
5978 options
->windows_driver
= parse_windows_driver(p
[1], M_FATAL
);
5981 else if (streq(p
[0], "disable-dco"))
5983 options
->tuntap_options
.disable_dco
= true;
5985 else if (streq(p
[0], "dev-node") && p
[1] && !p
[2])
5987 VERIFY_PERMISSION(OPT_P_GENERAL
);
5988 options
->dev_node
= p
[1];
5990 else if (streq(p
[0], "lladdr") && p
[1] && !p
[2])
5992 VERIFY_PERMISSION(OPT_P_UP
);
5993 if (mac_addr_safe(p
[1])) /* MAC address only */
5995 options
->lladdr
= p
[1];
5999 msg(msglevel
, "lladdr parm '%s' must be a MAC address", p
[1]);
6003 else if (streq(p
[0], "topology") && p
[1] && !p
[2])
6005 VERIFY_PERMISSION(OPT_P_UP
);
6006 options
->topology
= parse_topology(p
[1], msglevel
);
6008 else if (streq(p
[0], "tun-ipv6") && !p
[1])
6012 msg(M_WARN
, "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
6015 #ifdef ENABLE_IPROUTE
6016 else if (streq(p
[0], "iproute") && p
[1] && !p
[2])
6018 VERIFY_PERMISSION(OPT_P_GENERAL
);
6019 iproute_path
= p
[1];
6022 else if (streq(p
[0], "ifconfig") && p
[1] && p
[2] && !p
[3])
6024 VERIFY_PERMISSION(OPT_P_UP
);
6025 if (ip_or_dns_addr_safe(p
[1], options
->allow_pull_fqdn
) && ip_or_dns_addr_safe(p
[2], options
->allow_pull_fqdn
)) /* FQDN -- may be DNS name */
6027 options
->ifconfig_local
= p
[1];
6028 options
->ifconfig_remote_netmask
= p
[2];
6032 msg(msglevel
, "ifconfig parms '%s' and '%s' must be valid addresses", p
[1], p
[2]);
6036 else if (streq(p
[0], "ifconfig-ipv6") && p
[1] && p
[2] && !p
[3])
6038 unsigned int netbits
;
6040 VERIFY_PERMISSION(OPT_P_UP
);
6041 if (get_ipv6_addr( p
[1], NULL
, &netbits
, msglevel
)
6042 && ipv6_addr_safe( p
[2] ) )
6044 if (netbits
< 64 || netbits
> 124)
6046 msg( msglevel
, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits
);
6050 options
->ifconfig_ipv6_local
= get_ipv6_addr_no_netbits(p
[1], &options
->gc
);
6051 options
->ifconfig_ipv6_netbits
= netbits
;
6052 options
->ifconfig_ipv6_remote
= p
[2];
6056 msg(msglevel
, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p
[1], p
[2]);
6060 else if (streq(p
[0], "ifconfig-noexec") && !p
[1])
6062 VERIFY_PERMISSION(OPT_P_UP
);
6063 options
->ifconfig_noexec
= true;
6065 else if (streq(p
[0], "ifconfig-nowarn") && !p
[1])
6067 VERIFY_PERMISSION(OPT_P_UP
);
6068 options
->ifconfig_nowarn
= true;
6070 else if (streq(p
[0], "local") && p
[1] && !p
[2])
6072 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_CONNECTION
);
6073 options
->ce
.local
= p
[1];
6075 else if (streq(p
[0], "remote-random") && !p
[1])
6077 VERIFY_PERMISSION(OPT_P_GENERAL
);
6078 options
->remote_random
= true;
6080 else if (streq(p
[0], "connection") && p
[1] && !p
[3])
6082 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_INLINE
);
6086 struct connection_entry
*e
;
6088 init_options(&sub
, true);
6089 sub
.ce
= options
->ce
;
6090 read_config_string("[CONNECTION-OPTIONS]", &sub
, p
[1], msglevel
,
6091 OPT_P_CONNECTION
, option_types_found
, es
);
6094 msg(msglevel
, "Each 'connection' block must contain exactly one 'remote' directive");
6095 uninit_options(&sub
);
6099 e
= alloc_connection_entry(options
, msglevel
);
6102 uninit_options(&sub
);
6106 gc_transfer(&options
->gc
, &sub
.gc
);
6107 uninit_options(&sub
);
6110 else if (streq(p
[0], "ignore-unknown-option") && p
[1])
6115 const char **ignore
;
6117 VERIFY_PERMISSION(OPT_P_GENERAL
);
6118 /* Find out how many options to be ignored */
6119 for (i
= 1; p
[i
]; i
++)
6124 /* add number of options already ignored */
6125 for (i
= 0; options
->ignore_unknown_option
6126 && options
->ignore_unknown_option
[i
]; i
++)
6131 /* Allocate array */
6132 ALLOC_ARRAY_GC(ignore
, const char *, numignored
+1, &options
->gc
);
6133 for (i
= 0; options
->ignore_unknown_option
6134 && options
->ignore_unknown_option
[i
]; i
++)
6136 ignore
[i
] = options
->ignore_unknown_option
[i
];
6139 options
->ignore_unknown_option
= ignore
;
6141 for (j
= 1; p
[j
]; j
++)
6143 /* Allow the user to specify ignore-unknown-option --opt too */
6144 if (p
[j
][0]=='-' && p
[j
][1]=='-')
6146 options
->ignore_unknown_option
[i
] = (p
[j
]+2);
6150 options
->ignore_unknown_option
[i
] = p
[j
];
6155 options
->ignore_unknown_option
[i
] = NULL
;
6157 #if ENABLE_MANAGEMENT
6158 else if (streq(p
[0], "http-proxy-override") && p
[1] && p
[2] && !p
[4])
6160 VERIFY_PERMISSION(OPT_P_GENERAL
);
6161 options
->http_proxy_override
= parse_http_proxy_override(p
[1], p
[2], p
[3], msglevel
, &options
->gc
);
6162 if (!options
->http_proxy_override
)
6168 else if (streq(p
[0], "remote") && p
[1] && !p
[4])
6170 struct remote_entry re
;
6171 re
.remote
= re
.remote_port
= NULL
;
6175 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_CONNECTION
);
6179 re
.remote_port
= p
[2];
6182 const int proto
= ascii2proto(p
[3]);
6183 const sa_family_t af
= ascii2af(p
[3]);
6187 "remote: bad protocol associated with host %s: '%s'",
6195 if (permission_mask
& OPT_P_GENERAL
)
6197 struct remote_entry
*e
= alloc_remote_entry(options
, msglevel
);
6204 else if (permission_mask
& OPT_P_CONNECTION
)
6206 connection_entry_load_re(&options
->ce
, &re
);
6209 else if (streq(p
[0], "resolv-retry") && p
[1] && !p
[2])
6211 VERIFY_PERMISSION(OPT_P_GENERAL
);
6212 if (streq(p
[1], "infinite"))
6214 options
->resolve_retry_seconds
= RESOLV_RETRY_INFINITE
;
6218 options
->resolve_retry_seconds
= positive_atoi(p
[1]);
6221 else if ((streq(p
[0], "preresolve") || streq(p
[0], "ip-remote-hint")) && !p
[2])
6223 VERIFY_PERMISSION(OPT_P_GENERAL
);
6224 options
->resolve_in_advance
= true;
6225 /* Note the ip-remote-hint and the argument p[1] are for
6226 * backward compatibility */
6229 options
->ip_remote_hint
= p
[1];
6232 else if (streq(p
[0], "connect-retry") && p
[1] && !p
[3])
6234 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_CONNECTION
);
6235 options
->ce
.connect_retry_seconds
= positive_atoi(p
[1]);
6237 * Limit the base value of retry wait interval to 16 bits to avoid
6238 * overflow when scaled up for exponential backoff
6240 if (options
->ce
.connect_retry_seconds
> 0xFFFF)
6242 options
->ce
.connect_retry_seconds
= 0xFFFF;
6243 msg(M_WARN
, "connect retry wait interval truncated to %d",
6244 options
->ce
.connect_retry_seconds
);
6249 options
->ce
.connect_retry_seconds_max
=
6250 max_int(positive_atoi(p
[2]), options
->ce
.connect_retry_seconds
);
6253 else if ((streq(p
[0], "connect-timeout") || streq(p
[0], "server-poll-timeout"))
6256 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_CONNECTION
);
6257 options
->ce
.connect_timeout
= positive_atoi(p
[1]);
6259 else if (streq(p
[0], "connect-retry-max") && p
[1] && !p
[2])
6261 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_CONNECTION
);
6262 options
->connect_retry_max
= positive_atoi(p
[1]);
6264 else if (streq(p
[0], "ipchange") && p
[1])
6266 VERIFY_PERMISSION(OPT_P_SCRIPT
);
6267 if (!no_more_than_n_args(msglevel
, p
, 2, NM_QUOTE_HINT
))
6271 set_user_script(options
,
6273 string_substitute(p
[1], ',', ' ', &options
->gc
),
6276 else if (streq(p
[0], "float") && !p
[1])
6278 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_CONNECTION
);
6279 options
->ce
.remote_float
= true;
6282 else if (streq(p
[0], "gremlin") && p
[1] && !p
[2])
6284 VERIFY_PERMISSION(OPT_P_GENERAL
);
6285 options
->gremlin
= positive_atoi(p
[1]);
6288 else if (streq(p
[0], "chroot") && p
[1] && !p
[2])
6290 VERIFY_PERMISSION(OPT_P_GENERAL
);
6291 options
->chroot_dir
= p
[1];
6293 else if (streq(p
[0], "cd") && p
[1] && !p
[2])
6295 VERIFY_PERMISSION(OPT_P_GENERAL
);
6296 if (platform_chdir(p
[1]))
6298 msg(M_ERR
, "cd to '%s' failed", p
[1]);
6301 options
->cd_dir
= p
[1];
6303 #ifdef ENABLE_SELINUX
6304 else if (streq(p
[0], "setcon") && p
[1] && !p
[2])
6306 VERIFY_PERMISSION(OPT_P_GENERAL
);
6307 options
->selinux_context
= p
[1];
6310 else if (streq(p
[0], "writepid") && p
[1] && !p
[2])
6312 VERIFY_PERMISSION(OPT_P_GENERAL
);
6313 options
->writepid
= p
[1];
6315 else if (streq(p
[0], "up") && p
[1])
6317 VERIFY_PERMISSION(OPT_P_SCRIPT
);
6318 if (!no_more_than_n_args(msglevel
, p
, 2, NM_QUOTE_HINT
))
6322 set_user_script(options
, &options
->up_script
, p
[1], "up", false);
6324 else if (streq(p
[0], "down") && p
[1])
6326 VERIFY_PERMISSION(OPT_P_SCRIPT
);
6327 if (!no_more_than_n_args(msglevel
, p
, 2, NM_QUOTE_HINT
))
6331 set_user_script(options
, &options
->down_script
, p
[1], "down", true);
6333 else if (streq(p
[0], "down-pre") && !p
[1])
6335 VERIFY_PERMISSION(OPT_P_GENERAL
);
6336 options
->down_pre
= true;
6338 else if (streq(p
[0], "up-delay") && !p
[1])
6340 VERIFY_PERMISSION(OPT_P_GENERAL
);
6341 options
->up_delay
= true;
6343 else if (streq(p
[0], "up-restart") && !p
[1])
6345 VERIFY_PERMISSION(OPT_P_GENERAL
);
6346 options
->up_restart
= true;
6348 else if (streq(p
[0], "syslog") && !p
[2])
6350 VERIFY_PERMISSION(OPT_P_GENERAL
);
6351 open_syslog(p
[1], false);
6353 else if (streq(p
[0], "daemon") && !p
[2])
6356 VERIFY_PERMISSION(OPT_P_GENERAL
);
6357 if (!options
->daemon
)
6359 options
->daemon
= didit
= true;
6360 open_syslog(p
[1], false);
6366 msg(M_WARN
, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p
[1]);
6371 else if (streq(p
[0], "log") && p
[1] && !p
[2])
6373 VERIFY_PERMISSION(OPT_P_GENERAL
);
6374 options
->log
= true;
6375 redirect_stdout_stderr(p
[1], false);
6377 else if (streq(p
[0], "suppress-timestamps") && !p
[1])
6379 VERIFY_PERMISSION(OPT_P_GENERAL
);
6380 options
->suppress_timestamps
= true;
6381 set_suppress_timestamps(true);
6383 else if (streq(p
[0], "machine-readable-output") && !p
[1])
6385 VERIFY_PERMISSION(OPT_P_GENERAL
);
6386 options
->machine_readable_output
= true;
6387 set_machine_readable_output(true);
6389 else if (streq(p
[0], "log-append") && p
[1] && !p
[2])
6391 VERIFY_PERMISSION(OPT_P_GENERAL
);
6392 options
->log
= true;
6393 redirect_stdout_stderr(p
[1], true);
6395 #ifdef ENABLE_MEMSTATS
6396 else if (streq(p
[0], "memstats") && p
[1] && !p
[2])
6398 VERIFY_PERMISSION(OPT_P_GENERAL
);
6399 options
->memstats_fn
= p
[1];
6402 else if (streq(p
[0], "mlock") && !p
[1])
6404 VERIFY_PERMISSION(OPT_P_GENERAL
);
6405 options
->mlock
= true;
6407 #if ENABLE_IP_PKTINFO
6408 else if (streq(p
[0], "multihome") && !p
[1])
6410 VERIFY_PERMISSION(OPT_P_GENERAL
);
6411 options
->sockflags
|= SF_USE_IP_PKTINFO
;
6414 else if (streq(p
[0], "verb") && p
[1] && !p
[2])
6416 VERIFY_PERMISSION(OPT_P_MESSAGES
);
6417 options
->verbosity
= positive_atoi(p
[1]);
6418 if (options
->verbosity
>= (D_TLS_DEBUG_MED
& M_DEBUG_LEVEL
))
6420 /* We pass this flag to the SSL library to avoid
6421 * mbed TLS always generating debug level logging */
6422 options
->ssl_flags
|= SSLF_TLS_DEBUG_ENABLED
;
6424 #if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
6425 /* Warn when a debug verbosity is supplied when built without debug support */
6426 if (options
->verbosity
>= 7)
6428 msg(M_WARN
, "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
6429 options
->verbosity
);
6433 else if (streq(p
[0], "mute") && p
[1] && !p
[2])
6435 VERIFY_PERMISSION(OPT_P_MESSAGES
);
6436 options
->mute
= positive_atoi(p
[1]);
6438 else if (streq(p
[0], "errors-to-stderr") && !p
[1])
6440 VERIFY_PERMISSION(OPT_P_MESSAGES
);
6443 else if (streq(p
[0], "status") && p
[1] && !p
[3])
6445 VERIFY_PERMISSION(OPT_P_GENERAL
);
6446 options
->status_file
= p
[1];
6449 options
->status_file_update_freq
= positive_atoi(p
[2]);
6452 else if (streq(p
[0], "status-version") && p
[1] && !p
[2])
6456 VERIFY_PERMISSION(OPT_P_GENERAL
);
6457 version
= atoi(p
[1]);
6458 if (version
< 1 || version
> 3)
6460 msg(msglevel
, "--status-version must be 1 to 3");
6463 options
->status_file_version
= version
;
6465 else if (streq(p
[0], "remap-usr1") && p
[1] && !p
[2])
6467 VERIFY_PERMISSION(OPT_P_GENERAL
);
6468 if (streq(p
[1], "SIGHUP"))
6470 options
->remap_sigusr1
= SIGHUP
;
6472 else if (streq(p
[1], "SIGTERM"))
6474 options
->remap_sigusr1
= SIGTERM
;
6478 msg(msglevel
, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
6482 else if ((streq(p
[0], "link-mtu") || streq(p
[0], "udp-mtu")) && p
[1] && !p
[2])
6484 VERIFY_PERMISSION(OPT_P_MTU
|OPT_P_CONNECTION
);
6485 options
->ce
.link_mtu
= positive_atoi(p
[1]);
6486 options
->ce
.link_mtu_defined
= true;
6488 else if (streq(p
[0], "tun-mtu") && p
[1] && !p
[3])
6490 VERIFY_PERMISSION(OPT_P_PUSH_MTU
|OPT_P_CONNECTION
);
6491 options
->ce
.tun_mtu
= positive_atoi(p
[1]);
6492 options
->ce
.tun_mtu_defined
= true;
6495 options
->ce
.occ_mtu
= positive_atoi(p
[2]);
6499 options
->ce
.occ_mtu
= 0;
6502 else if (streq(p
[0], "tun-mtu-max") && p
[1] && !p
[3])
6504 VERIFY_PERMISSION(OPT_P_MTU
|OPT_P_CONNECTION
);
6505 int max_mtu
= positive_atoi(p
[1]);
6506 if (max_mtu
< 68 || max_mtu
> 65536)
6508 msg(msglevel
, "--tun-mtu-max value '%s' is invalid", p
[1]);
6512 options
->ce
.tun_mtu_max
= max_mtu
;
6515 else if (streq(p
[0], "tun-mtu-extra") && p
[1] && !p
[2])
6517 VERIFY_PERMISSION(OPT_P_MTU
|OPT_P_CONNECTION
);
6518 options
->ce
.tun_mtu_extra
= positive_atoi(p
[1]);
6519 options
->ce
.tun_mtu_extra_defined
= true;
6521 else if (streq(p
[0], "max-packet-size") && p
[1] && !p
[2])
6523 VERIFY_PERMISSION(OPT_P_MTU
|OPT_P_CONNECTION
);
6524 int maxmtu
= positive_atoi(p
[1]);
6525 options
->ce
.tls_mtu
= constrain_int(maxmtu
, TLS_CHANNEL_MTU_MIN
, TLS_CHANNEL_BUF_SIZE
);
6527 if (maxmtu
< TLS_CHANNEL_MTU_MIN
|| maxmtu
> TLS_CHANNEL_BUF_SIZE
)
6529 msg(M_WARN
, "Note: max-packet-size value outside of allowed "
6530 "control channel packet size (%d to %d), will use %d "
6531 "instead.", TLS_CHANNEL_MTU_MIN
, TLS_CHANNEL_BUF_SIZE
,
6532 options
->ce
.tls_mtu
);
6535 /* also set mssfix maxmtu mtu */
6536 options
->ce
.mssfix
= maxmtu
;
6537 options
->ce
.mssfix_default
= false;
6538 options
->ce
.mssfix_encap
= true;
6540 #ifdef ENABLE_FRAGMENT
6541 else if (streq(p
[0], "mtu-dynamic"))
6543 VERIFY_PERMISSION(OPT_P_MTU
|OPT_P_CONNECTION
);
6544 msg(msglevel
, "--mtu-dynamic has been replaced by --fragment");
6547 else if (streq(p
[0], "fragment") && p
[1] && !p
[3])
6549 VERIFY_PERMISSION(OPT_P_MTU
|OPT_P_CONNECTION
);
6550 options
->ce
.fragment
= positive_atoi(p
[1]);
6552 if (p
[2] && streq(p
[2], "mtu"))
6554 options
->ce
.fragment_encap
= true;
6558 msg(msglevel
, "Unknown parameter to --fragment: %s", p
[2]);
6561 #endif /* ifdef ENABLE_FRAGMENT */
6562 else if (streq(p
[0], "mtu-disc") && p
[1] && !p
[2])
6564 VERIFY_PERMISSION(OPT_P_MTU
|OPT_P_CONNECTION
);
6565 options
->ce
.mtu_discover_type
= translate_mtu_discover_type_name(p
[1]);
6567 else if (streq(p
[0], "mtu-test") && !p
[1])
6569 VERIFY_PERMISSION(OPT_P_GENERAL
);
6570 options
->mtu_test
= true;
6572 else if (streq(p
[0], "nice") && p
[1] && !p
[2])
6574 VERIFY_PERMISSION(OPT_P_NICE
);
6575 options
->nice
= atoi(p
[1]);
6577 else if (streq(p
[0], "rcvbuf") && p
[1] && !p
[2])
6579 VERIFY_PERMISSION(OPT_P_SOCKBUF
);
6580 options
->rcvbuf
= positive_atoi(p
[1]);
6582 else if (streq(p
[0], "sndbuf") && p
[1] && !p
[2])
6584 VERIFY_PERMISSION(OPT_P_SOCKBUF
);
6585 options
->sndbuf
= positive_atoi(p
[1]);
6587 else if (streq(p
[0], "mark") && p
[1] && !p
[2])
6589 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
6590 VERIFY_PERMISSION(OPT_P_GENERAL
);
6591 options
->mark
= atoi(p
[1]);
6594 else if (streq(p
[0], "socket-flags"))
6597 VERIFY_PERMISSION(OPT_P_SOCKFLAGS
);
6598 for (j
= 1; j
< MAX_PARMS
&& p
[j
]; ++j
)
6600 if (streq(p
[j
], "TCP_NODELAY"))
6602 options
->sockflags
|= SF_TCP_NODELAY
;
6606 msg(msglevel
, "unknown socket flag: %s", p
[j
]);
6611 else if (streq(p
[0], "bind-dev") && p
[1])
6613 VERIFY_PERMISSION(OPT_P_SOCKFLAGS
);
6614 options
->bind_dev
= p
[1];
6617 else if (streq(p
[0], "txqueuelen") && p
[1] && !p
[2])
6619 VERIFY_PERMISSION(OPT_P_GENERAL
);
6621 options
->tuntap_options
.txqueuelen
= positive_atoi(p
[1]);
6623 msg(msglevel
, "--txqueuelen not supported on this OS");
6627 else if (streq(p
[0], "shaper") && p
[1] && !p
[2])
6631 VERIFY_PERMISSION(OPT_P_SHAPER
);
6632 shaper
= atoi(p
[1]);
6633 if (shaper
< SHAPER_MIN
|| shaper
> SHAPER_MAX
)
6635 msg(msglevel
, "Bad shaper value, must be between %d and %d",
6636 SHAPER_MIN
, SHAPER_MAX
);
6639 options
->shaper
= shaper
;
6641 else if (streq(p
[0], "port") && p
[1] && !p
[2])
6643 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_CONNECTION
);
6644 options
->ce
.local_port
= options
->ce
.remote_port
= p
[1];
6646 else if (streq(p
[0], "lport") && p
[1] && !p
[2])
6648 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_CONNECTION
);
6649 options
->ce
.local_port_defined
= true;
6650 options
->ce
.local_port
= p
[1];
6652 else if (streq(p
[0], "rport") && p
[1] && !p
[2])
6654 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_CONNECTION
);
6655 options
->ce
.remote_port
= p
[1];
6657 else if (streq(p
[0], "bind") && !p
[2])
6659 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_CONNECTION
);
6660 options
->ce
.bind_defined
= true;
6661 if (p
[1] && streq(p
[1], "ipv6only"))
6663 options
->ce
.bind_ipv6_only
= true;
6667 else if (streq(p
[0], "nobind") && !p
[1])
6669 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_CONNECTION
);
6670 options
->ce
.bind_local
= false;
6672 else if (streq(p
[0], "fast-io") && !p
[1])
6674 VERIFY_PERMISSION(OPT_P_GENERAL
);
6675 options
->fast_io
= true;
6677 else if (streq(p
[0], "inactive") && p
[1] && !p
[3])
6679 VERIFY_PERMISSION(OPT_P_TIMER
);
6680 options
->inactivity_timeout
= positive_atoi(p
[1]);
6683 int64_t val
= atoll(p
[2]);
6684 options
->inactivity_minimum_bytes
= (val
< 0) ? 0 : val
;
6685 if (options
->inactivity_minimum_bytes
> INT_MAX
)
6687 msg(M_WARN
, "WARNING: '--inactive' with a 'bytes' value"
6688 " >2 Gbyte was silently ignored in older versions. If "
6689 " your VPN exits unexpectedly with 'Inactivity timeout'"
6690 " in %d seconds, revisit this value.",
6691 options
->inactivity_timeout
);
6695 else if (streq(p
[0], "session-timeout") && p
[1] && !p
[2])
6697 VERIFY_PERMISSION(OPT_P_TIMER
);
6698 options
->session_timeout
= positive_atoi(p
[1]);
6700 else if (streq(p
[0], "proto") && p
[1] && !p
[2])
6704 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_CONNECTION
);
6705 proto
= ascii2proto(p
[1]);
6706 af
= ascii2af(p
[1]);
6710 "Bad protocol: '%s'. Allowed protocols with --proto option: %s",
6712 proto2ascii_all(&gc
));
6715 options
->ce
.proto
= proto
;
6716 options
->ce
.af
= af
;
6718 else if (streq(p
[0], "proto-force") && p
[1] && !p
[2])
6721 VERIFY_PERMISSION(OPT_P_GENERAL
);
6722 proto_force
= ascii2proto(p
[1]);
6723 if (proto_force
< 0)
6725 msg(msglevel
, "Bad --proto-force protocol: '%s'", p
[1]);
6728 options
->proto_force
= proto_force
;
6730 else if (streq(p
[0], "http-proxy") && p
[1] && !p
[5])
6732 struct http_proxy_options
*ho
;
6734 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_CONNECTION
);
6739 msg(msglevel
, "http-proxy port number not defined");
6743 ho
= init_http_proxy_options_once(&options
->ce
.http_proxy_options
, &options
->gc
);
6751 /* auto -- try to figure out proxy addr, port, and type automatically */
6752 /* semiauto -- given proxy addr:port, try to figure out type automatically */
6753 /* (auto|semiauto)-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
6754 if (streq(p
[3], "auto"))
6756 ho
->auth_retry
= PAR_ALL
;
6758 else if (streq(p
[3], "auto-nct"))
6760 ho
->auth_retry
= PAR_NCT
;
6764 ho
->auth_method_string
= "basic";
6765 ho
->auth_file
= p
[3];
6769 ho
->auth_method_string
= p
[4];
6775 ho
->auth_method_string
= "none";
6778 else if (streq(p
[0], "http-proxy-user-pass") && p
[1])
6780 struct http_proxy_options
*ho
;
6781 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_INLINE
);
6782 ho
= init_http_proxy_options_once(&options
->ce
.http_proxy_options
, &options
->gc
);
6783 ho
->auth_file
= p
[1];
6784 ho
->inline_creds
= is_inline
;
6786 else if (streq(p
[0], "http-proxy-retry") || streq(p
[0], "socks-proxy-retry"))
6788 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_CONNECTION
);
6789 msg(M_WARN
, "DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: "
6790 "In OpenVPN 2.4 proxy connection retries are handled like regular connections. "
6791 "Use connect-retry-max 1 to get a similar behavior as before.");
6793 else if (streq(p
[0], "http-proxy-timeout") && p
[1] && !p
[2])
6795 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_CONNECTION
);
6796 msg(M_WARN
, "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a "
6797 "server is established is managed with a single timeout set by connect-timeout");
6799 else if (streq(p
[0], "http-proxy-option") && p
[1] && !p
[4])
6801 struct http_proxy_options
*ho
;
6803 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_CONNECTION
);
6804 ho
= init_http_proxy_options_once(&options
->ce
.http_proxy_options
, &options
->gc
);
6806 if (streq(p
[1], "VERSION") && p
[2] && !p
[3])
6808 ho
->http_version
= p
[2];
6810 else if (streq(p
[1], "AGENT") && p
[2] && !p
[3])
6812 ho
->user_agent
= p
[2];
6814 else if ((streq(p
[1], "EXT1") || streq(p
[1], "EXT2") || streq(p
[1], "CUSTOM-HEADER"))
6817 /* In the wild patched versions use both EXT1/2 and CUSTOM-HEADER
6818 * with either two argument or one */
6820 struct http_custom_header
*custom_header
= NULL
;
6822 /* Find the first free header */
6823 for (i
= 0; i
< MAX_CUSTOM_HTTP_HEADER
; i
++)
6825 if (!ho
->custom_headers
[i
].name
)
6827 custom_header
= &ho
->custom_headers
[i
];
6833 msg(msglevel
, "Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'", MAX_CUSTOM_HTTP_HEADER
, p
[1]);
6837 /* We will save p[2] and p[3], the proxy code will detect if
6839 custom_header
->name
= p
[2];
6840 custom_header
->content
= p
[3];
6845 msg(msglevel
, "Bad http-proxy-option or missing or extra parameter: '%s'", p
[1]);
6848 else if (streq(p
[0], "socks-proxy") && p
[1] && !p
[4])
6850 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_CONNECTION
);
6854 options
->ce
.socks_proxy_port
= p
[2];
6858 options
->ce
.socks_proxy_port
= "1080";
6860 options
->ce
.socks_proxy_server
= p
[1];
6861 options
->ce
.socks_proxy_authfile
= p
[3]; /* might be NULL */
6863 else if (streq(p
[0], "keepalive") && p
[1] && p
[2] && !p
[3])
6865 VERIFY_PERMISSION(OPT_P_GENERAL
);
6866 options
->keepalive_ping
= atoi(p
[1]);
6867 options
->keepalive_timeout
= atoi(p
[2]);
6869 else if (streq(p
[0], "ping") && p
[1] && !p
[2])
6871 VERIFY_PERMISSION(OPT_P_TIMER
);
6872 options
->ping_send_timeout
= positive_atoi(p
[1]);
6874 else if (streq(p
[0], "ping-exit") && p
[1] && !p
[2])
6876 VERIFY_PERMISSION(OPT_P_TIMER
);
6877 options
->ping_rec_timeout
= positive_atoi(p
[1]);
6878 options
->ping_rec_timeout_action
= PING_EXIT
;
6880 else if (streq(p
[0], "ping-restart") && p
[1] && !p
[2])
6882 VERIFY_PERMISSION(OPT_P_TIMER
);
6883 options
->ping_rec_timeout
= positive_atoi(p
[1]);
6884 options
->ping_rec_timeout_action
= PING_RESTART
;
6886 else if (streq(p
[0], "ping-timer-rem") && !p
[1])
6888 VERIFY_PERMISSION(OPT_P_TIMER
);
6889 options
->ping_timer_remote
= true;
6891 else if (streq(p
[0], "explicit-exit-notify") && !p
[2])
6893 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_CONNECTION
|OPT_P_EXPLICIT_NOTIFY
);
6896 options
->ce
.explicit_exit_notification
= positive_atoi(p
[1]);
6900 options
->ce
.explicit_exit_notification
= 1;
6903 else if (streq(p
[0], "persist-tun") && !p
[1])
6905 VERIFY_PERMISSION(OPT_P_PERSIST
);
6906 options
->persist_tun
= true;
6908 else if (streq(p
[0], "persist-key") && !p
[1])
6910 VERIFY_PERMISSION(OPT_P_PERSIST
);
6911 options
->persist_key
= true;
6913 else if (streq(p
[0], "persist-local-ip") && !p
[1])
6915 VERIFY_PERMISSION(OPT_P_PERSIST_IP
);
6916 options
->persist_local_ip
= true;
6918 else if (streq(p
[0], "persist-remote-ip") && !p
[1])
6920 VERIFY_PERMISSION(OPT_P_PERSIST_IP
);
6921 options
->persist_remote_ip
= true;
6923 else if (streq(p
[0], "client-nat") && p
[1] && p
[2] && p
[3] && p
[4] && !p
[5])
6925 VERIFY_PERMISSION(OPT_P_ROUTE
);
6926 cnol_check_alloc(options
);
6927 add_client_nat_to_option_list(options
->client_nat
, p
[1], p
[2], p
[3], p
[4], msglevel
);
6929 else if (streq(p
[0], "route") && p
[1] && !p
[5])
6931 VERIFY_PERMISSION(OPT_P_ROUTE
);
6932 rol_check_alloc(options
);
6935 if (!ip_or_dns_addr_safe(p
[1], options
->allow_pull_fqdn
) && !is_special_addr(p
[1])) /* FQDN -- may be DNS name */
6937 msg(msglevel
, "route parameter network/IP '%s' must be a valid address", p
[1]);
6940 if (p
[2] && !ip_addr_dotted_quad_safe(p
[2])) /* FQDN -- must be IP address */
6942 msg(msglevel
, "route parameter netmask '%s' must be an IP address", p
[2]);
6945 if (p
[3] && !ip_or_dns_addr_safe(p
[3], options
->allow_pull_fqdn
) && !is_special_addr(p
[3])) /* FQDN -- may be DNS name */
6947 msg(msglevel
, "route parameter gateway '%s' must be a valid address", p
[3]);
6951 add_route_to_option_list(options
->routes
, p
[1], p
[2], p
[3], p
[4]);
6953 else if (streq(p
[0], "route-ipv6") && p
[1] && !p
[4])
6955 VERIFY_PERMISSION(OPT_P_ROUTE
);
6956 rol6_check_alloc(options
);
6959 if (!ipv6_addr_safe_hexplusbits(p
[1]))
6961 msg(msglevel
, "route-ipv6 parameter network/IP '%s' must be a valid address", p
[1]);
6964 if (p
[2] && !ipv6_addr_safe(p
[2]))
6966 msg(msglevel
, "route-ipv6 parameter gateway '%s' must be a valid address", p
[2]);
6969 /* p[3] is metric, if present */
6971 add_route_ipv6_to_option_list(options
->routes_ipv6
, p
[1], p
[2], p
[3]);
6973 else if (streq(p
[0], "max-routes") && !p
[2])
6975 msg(M_WARN
, "DEPRECATED OPTION: --max-routes option ignored."
6976 "The number of routes is unlimited as of OpenVPN 2.4. "
6977 "This option will be removed in a future version, "
6978 "please remove it from your configuration.");
6980 else if (streq(p
[0], "route-gateway") && p
[1] && !p
[2])
6982 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS
);
6983 if (streq(p
[1], "dhcp"))
6985 options
->route_gateway_via_dhcp
= true;
6989 if (ip_or_dns_addr_safe(p
[1], options
->allow_pull_fqdn
) || is_special_addr(p
[1])) /* FQDN -- may be DNS name */
6991 options
->route_default_gateway
= p
[1];
6995 msg(msglevel
, "route-gateway parm '%s' must be a valid address", p
[1]);
7000 else if (streq(p
[0], "route-ipv6-gateway") && p
[1] && !p
[2])
7002 if (ipv6_addr_safe(p
[1]))
7004 options
->route_ipv6_default_gateway
= p
[1];
7008 msg(msglevel
, "route-ipv6-gateway parm '%s' must be a valid address", p
[1]);
7012 else if (streq(p
[0], "route-metric") && p
[1] && !p
[2])
7014 VERIFY_PERMISSION(OPT_P_ROUTE
);
7015 options
->route_default_metric
= positive_atoi(p
[1]);
7017 else if (streq(p
[0], "route-delay") && !p
[3])
7019 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS
);
7020 options
->route_delay_defined
= true;
7023 options
->route_delay
= positive_atoi(p
[1]);
7026 options
->route_delay_window
= positive_atoi(p
[2]);
7031 options
->route_delay
= 0;
7034 else if (streq(p
[0], "route-up") && p
[1])
7036 VERIFY_PERMISSION(OPT_P_SCRIPT
);
7037 if (!no_more_than_n_args(msglevel
, p
, 2, NM_QUOTE_HINT
))
7041 set_user_script(options
, &options
->route_script
, p
[1], "route-up", false);
7043 else if (streq(p
[0], "route-pre-down") && p
[1])
7045 VERIFY_PERMISSION(OPT_P_SCRIPT
);
7046 if (!no_more_than_n_args(msglevel
, p
, 2, NM_QUOTE_HINT
))
7050 set_user_script(options
,
7051 &options
->route_predown_script
,
7053 "route-pre-down", true);
7055 else if (streq(p
[0], "route-noexec") && !p
[1])
7057 VERIFY_PERMISSION(OPT_P_SCRIPT
);
7058 options
->route_noexec
= true;
7060 else if (streq(p
[0], "route-nopull") && !p
[1])
7062 VERIFY_PERMISSION(OPT_P_GENERAL
);
7063 options
->route_nopull
= true;
7065 else if (streq(p
[0], "pull-filter") && p
[1] && p
[2] && !p
[3])
7067 struct pull_filter
*f
;
7068 VERIFY_PERMISSION(OPT_P_GENERAL
)
7069 f
= alloc_pull_filter(options
, msglevel
);
7071 if (strcmp("accept", p
[1]) == 0)
7073 f
->type
= PUF_TYPE_ACCEPT
;
7075 else if (strcmp("ignore", p
[1]) == 0)
7077 f
->type
= PUF_TYPE_IGNORE
;
7079 else if (strcmp("reject", p
[1]) == 0)
7081 f
->type
= PUF_TYPE_REJECT
;
7085 msg(msglevel
, "Unknown --pull-filter type: %s", p
[1]);
7089 f
->size
= strlen(p
[2]);
7091 else if (streq(p
[0], "allow-pull-fqdn") && !p
[1])
7093 VERIFY_PERMISSION(OPT_P_GENERAL
);
7094 options
->allow_pull_fqdn
= true;
7096 else if (streq(p
[0], "redirect-gateway") || streq(p
[0], "redirect-private"))
7099 VERIFY_PERMISSION(OPT_P_ROUTE
);
7100 rol_check_alloc(options
);
7102 if (options
->routes
->flags
& RG_ENABLE
)
7105 "WARNING: You have specified redirect-gateway and "
7106 "redirect-private at the same time (or the same option "
7107 "multiple times). This is not well supported and may lead to "
7108 "unexpected results");
7111 options
->routes
->flags
|= RG_ENABLE
;
7113 if (streq(p
[0], "redirect-gateway"))
7115 options
->routes
->flags
|= RG_REROUTE_GW
;
7117 for (j
= 1; j
< MAX_PARMS
&& p
[j
] != NULL
; ++j
)
7119 if (streq(p
[j
], "local"))
7121 options
->routes
->flags
|= RG_LOCAL
;
7123 else if (streq(p
[j
], "autolocal"))
7125 options
->routes
->flags
|= RG_AUTO_LOCAL
;
7127 else if (streq(p
[j
], "def1"))
7129 options
->routes
->flags
|= RG_DEF1
;
7131 else if (streq(p
[j
], "bypass-dhcp"))
7133 options
->routes
->flags
|= RG_BYPASS_DHCP
;
7135 else if (streq(p
[j
], "bypass-dns"))
7137 options
->routes
->flags
|= RG_BYPASS_DNS
;
7139 else if (streq(p
[j
], "block-local"))
7141 options
->routes
->flags
|= RG_BLOCK_LOCAL
;
7143 else if (streq(p
[j
], "ipv6"))
7145 rol6_check_alloc(options
);
7146 options
->routes_ipv6
->flags
|= RG_REROUTE_GW
;
7148 else if (streq(p
[j
], "!ipv4"))
7150 options
->routes
->flags
&= ~(RG_REROUTE_GW
| RG_ENABLE
);
7154 msg(msglevel
, "unknown --%s flag: %s", p
[0], p
[j
]);
7159 /* we need this here to handle pushed --redirect-gateway */
7160 remap_redirect_gateway_flags(options
);
7163 else if (streq(p
[0], "block-ipv6") && !p
[1])
7165 VERIFY_PERMISSION(OPT_P_ROUTE
);
7166 options
->block_ipv6
= true;
7168 else if (streq(p
[0], "remote-random-hostname") && !p
[1])
7170 VERIFY_PERMISSION(OPT_P_GENERAL
);
7171 options
->sockflags
|= SF_HOST_RANDOMIZE
;
7173 else if (streq(p
[0], "setenv") && p
[1] && !p
[3])
7175 VERIFY_PERMISSION(OPT_P_GENERAL
);
7176 if (streq(p
[1], "REMOTE_RANDOM_HOSTNAME") && !p
[2])
7178 options
->sockflags
|= SF_HOST_RANDOMIZE
;
7180 else if (streq(p
[1], "GENERIC_CONFIG"))
7182 msg(msglevel
, "this is a generic configuration and cannot directly be used");
7185 else if (streq(p
[1], "PUSH_PEER_INFO") && !p
[2])
7187 options
->push_peer_info
= true;
7189 else if (streq(p
[1], "SERVER_POLL_TIMEOUT") && p
[2])
7191 options
->ce
.connect_timeout
= positive_atoi(p
[2]);
7195 if (streq(p
[1], "FORWARD_COMPATIBLE") && p
[2] && streq(p
[2], "1"))
7197 options
->forward_compatible
= true;
7198 msglevel_fc
= msglevel_forward_compatible(options
, msglevel
);
7200 setenv_str(es
, p
[1], p
[2] ? p
[2] : "");
7203 else if (streq(p
[0], "compat-mode") && p
[1] && !p
[3])
7205 unsigned int major
, minor
, patch
;
7206 if (!(sscanf(p
[1], "%u.%u.%u", &major
, &minor
, &patch
) == 3))
7208 msg(msglevel
, "cannot parse version number for --compat-mode: %s",
7213 options
->backwards_compatible
= major
* 10000 + minor
* 100 + patch
;
7215 else if (streq(p
[0], "setenv-safe") && p
[1] && !p
[3])
7217 VERIFY_PERMISSION(OPT_P_SETENV
);
7218 setenv_str_safe(es
, p
[1], p
[2] ? p
[2] : "");
7220 else if (streq(p
[0], "script-security") && p
[1] && !p
[2])
7222 VERIFY_PERMISSION(OPT_P_GENERAL
);
7223 script_security_set(atoi(p
[1]));
7225 else if (streq(p
[0], "mssfix") && !p
[3])
7227 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_CONNECTION
);
7230 /* value specified, assume encapsulation is not
7231 * included unless "mtu" follows later */
7232 options
->ce
.mssfix
= positive_atoi(p
[1]);
7233 options
->ce
.mssfix_encap
= false;
7234 options
->ce
.mssfix_default
= false;
7238 /* Set MTU to default values */
7239 options
->ce
.mssfix_default
= true;
7240 options
->ce
.mssfix_encap
= true;
7241 options
->ce
.mssfix_fixed
= false;
7244 if (p
[2] && streq(p
[2], "mtu"))
7246 options
->ce
.mssfix_encap
= true;
7248 else if (p
[2] && streq(p
[2], "fixed"))
7250 options
->ce
.mssfix_fixed
= true;
7254 msg(msglevel
, "Unknown parameter to --mssfix: %s", p
[2]);
7257 else if (streq(p
[0], "disable-occ") && !p
[1])
7259 VERIFY_PERMISSION(OPT_P_GENERAL
);
7260 options
->occ
= false;
7262 else if (streq(p
[0], "server") && p
[1] && p
[2] && !p
[4])
7264 const int lev
= M_WARN
;
7266 in_addr_t network
, netmask
;
7268 VERIFY_PERMISSION(OPT_P_GENERAL
);
7269 network
= get_ip_addr(p
[1], lev
, &error
);
7270 netmask
= get_ip_addr(p
[2], lev
, &error
);
7271 if (error
|| !network
|| !netmask
)
7273 msg(msglevel
, "error parsing --server parameters");
7276 options
->server_defined
= true;
7277 options
->server_network
= network
;
7278 options
->server_netmask
= netmask
;
7282 if (streq(p
[3], "nopool"))
7284 options
->server_flags
|= SF_NOPOOL
;
7288 msg(msglevel
, "error parsing --server: %s is not a recognized flag", p
[3]);
7293 else if (streq(p
[0], "server-ipv6") && p
[1] && !p
[2])
7295 const int lev
= M_WARN
;
7296 struct in6_addr network
;
7297 unsigned int netbits
= 0;
7299 VERIFY_PERMISSION(OPT_P_GENERAL
);
7300 if (!get_ipv6_addr(p
[1], &network
, &netbits
, lev
) )
7302 msg(msglevel
, "error parsing --server-ipv6 parameter");
7305 if (netbits
< 64 || netbits
> 124)
7308 "--server-ipv6 settings: network must be between /64 and /124 (not /%d)",
7313 options
->server_ipv6_defined
= true;
7314 options
->server_network_ipv6
= network
;
7315 options
->server_netbits_ipv6
= netbits
;
7317 else if (streq(p
[0], "server-bridge") && p
[1] && p
[2] && p
[3] && p
[4] && !p
[5])
7319 const int lev
= M_WARN
;
7321 in_addr_t ip
, netmask
, pool_start
, pool_end
;
7323 VERIFY_PERMISSION(OPT_P_GENERAL
);
7324 ip
= get_ip_addr(p
[1], lev
, &error
);
7325 netmask
= get_ip_addr(p
[2], lev
, &error
);
7326 pool_start
= get_ip_addr(p
[3], lev
, &error
);
7327 pool_end
= get_ip_addr(p
[4], lev
, &error
);
7328 if (error
|| !ip
|| !netmask
|| !pool_start
|| !pool_end
)
7330 msg(msglevel
, "error parsing --server-bridge parameters");
7333 options
->server_bridge_defined
= true;
7334 options
->server_bridge_ip
= ip
;
7335 options
->server_bridge_netmask
= netmask
;
7336 options
->server_bridge_pool_start
= pool_start
;
7337 options
->server_bridge_pool_end
= pool_end
;
7339 else if (streq(p
[0], "server-bridge") && p
[1] && streq(p
[1], "nogw") && !p
[2])
7341 VERIFY_PERMISSION(OPT_P_GENERAL
);
7342 options
->server_bridge_proxy_dhcp
= true;
7343 options
->server_flags
|= SF_NO_PUSH_ROUTE_GATEWAY
;
7345 else if (streq(p
[0], "server-bridge") && !p
[1])
7347 VERIFY_PERMISSION(OPT_P_GENERAL
);
7348 options
->server_bridge_proxy_dhcp
= true;
7350 else if (streq(p
[0], "push") && p
[1] && !p
[2])
7352 VERIFY_PERMISSION(OPT_P_PUSH
);
7353 push_options(options
, &p
[1], msglevel
, &options
->gc
);
7355 else if (streq(p
[0], "push-reset") && !p
[1])
7357 VERIFY_PERMISSION(OPT_P_INSTANCE
);
7358 push_reset(options
);
7360 else if (streq(p
[0], "push-remove") && p
[1] && !p
[2])
7362 VERIFY_PERMISSION(OPT_P_INSTANCE
);
7363 msg(D_PUSH
, "PUSH_REMOVE '%s'", p
[1]);
7364 push_remove_option(options
, p
[1]);
7366 else if (streq(p
[0], "ifconfig-pool") && p
[1] && p
[2] && !p
[4])
7368 const int lev
= M_WARN
;
7370 in_addr_t start
, end
, netmask
= 0;
7372 VERIFY_PERMISSION(OPT_P_GENERAL
);
7373 start
= get_ip_addr(p
[1], lev
, &error
);
7374 end
= get_ip_addr(p
[2], lev
, &error
);
7377 netmask
= get_ip_addr(p
[3], lev
, &error
);
7381 msg(msglevel
, "error parsing --ifconfig-pool parameters");
7384 if (!ifconfig_pool_verify_range(msglevel
, start
, end
))
7389 options
->ifconfig_pool_defined
= true;
7390 options
->ifconfig_pool_start
= start
;
7391 options
->ifconfig_pool_end
= end
;
7394 options
->ifconfig_pool_netmask
= netmask
;
7397 else if (streq(p
[0], "ifconfig-pool-persist") && p
[1] && !p
[3])
7399 VERIFY_PERMISSION(OPT_P_GENERAL
);
7400 options
->ifconfig_pool_persist_filename
= p
[1];
7403 options
->ifconfig_pool_persist_refresh_freq
= positive_atoi(p
[2]);
7406 else if (streq(p
[0], "ifconfig-ipv6-pool") && p
[1] && !p
[2])
7408 const int lev
= M_WARN
;
7409 struct in6_addr network
;
7410 unsigned int netbits
= 0;
7412 VERIFY_PERMISSION(OPT_P_GENERAL
);
7413 if (!get_ipv6_addr(p
[1], &network
, &netbits
, lev
) )
7415 msg(msglevel
, "error parsing --ifconfig-ipv6-pool parameters");
7418 if (netbits
< 64 || netbits
> 124)
7421 "--ifconfig-ipv6-pool settings: network must be between /64 and /124 (not /%d)",
7426 options
->ifconfig_ipv6_pool_defined
= true;
7427 options
->ifconfig_ipv6_pool_base
= network
;
7428 options
->ifconfig_ipv6_pool_netbits
= netbits
;
7430 else if (streq(p
[0], "hash-size") && p
[1] && p
[2] && !p
[3])
7434 VERIFY_PERMISSION(OPT_P_GENERAL
);
7436 virtual = atoi(p
[2]);
7437 if (real
< 1 || virtual < 1)
7439 msg(msglevel
, "--hash-size sizes must be >= 1 (preferably a power of 2)");
7442 options
->real_hash_size
= real
;
7443 options
->virtual_hash_size
= real
;
7445 else if (streq(p
[0], "connect-freq") && p
[1] && p
[2] && !p
[3])
7449 VERIFY_PERMISSION(OPT_P_GENERAL
);
7450 cf_max
= atoi(p
[1]);
7451 cf_per
= atoi(p
[2]);
7452 if (cf_max
< 0 || cf_per
< 0)
7454 msg(msglevel
, "--connect-freq parms must be > 0");
7457 options
->cf_max
= cf_max
;
7458 options
->cf_per
= cf_per
;
7460 else if (streq(p
[0], "connect-freq-initial") && p
[1] && p
[2] && !p
[3])
7462 long cf_max
, cf_per
;
7464 VERIFY_PERMISSION(OPT_P_GENERAL
);
7466 cf_max
= strtol(p
[1], &e1
, 10);
7467 cf_per
= strtol(p
[2], &e2
, 10);
7468 if (cf_max
< 0 || cf_per
< 0 || *e1
!= '\0' || *e2
!= '\0')
7470 msg(msglevel
, "--connect-freq-initial parameters must be integers and >= 0");
7473 options
->cf_initial_max
= cf_max
;
7474 options
->cf_initial_per
= cf_per
;
7476 else if (streq(p
[0], "max-clients") && p
[1] && !p
[2])
7480 VERIFY_PERMISSION(OPT_P_GENERAL
);
7481 max_clients
= atoi(p
[1]);
7482 if (max_clients
< 0)
7484 msg(msglevel
, "--max-clients must be at least 1");
7487 if (max_clients
>= MAX_PEER_ID
) /* max peer-id value */
7489 msg(msglevel
, "--max-clients must be less than %d", MAX_PEER_ID
);
7492 options
->max_clients
= max_clients
;
7494 else if (streq(p
[0], "max-routes-per-client") && p
[1] && !p
[2])
7496 VERIFY_PERMISSION(OPT_P_INHERIT
);
7497 options
->max_routes_per_client
= max_int(atoi(p
[1]), 1);
7499 else if (streq(p
[0], "client-cert-not-required") && !p
[1])
7501 VERIFY_PERMISSION(OPT_P_GENERAL
);
7502 msg(M_FATAL
, "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead");
7504 else if (streq(p
[0], "verify-client-cert") && !p
[2])
7506 VERIFY_PERMISSION(OPT_P_GENERAL
);
7508 /* Reset any existing flags */
7509 options
->ssl_flags
&= ~SSLF_CLIENT_CERT_OPTIONAL
;
7510 options
->ssl_flags
&= ~SSLF_CLIENT_CERT_NOT_REQUIRED
;
7513 if (streq(p
[1], "none"))
7515 options
->ssl_flags
|= SSLF_CLIENT_CERT_NOT_REQUIRED
;
7517 else if (streq(p
[1], "optional"))
7519 options
->ssl_flags
|= SSLF_CLIENT_CERT_OPTIONAL
;
7521 else if (!streq(p
[1], "require"))
7523 msg(msglevel
, "parameter to --verify-client-cert must be 'none', 'optional' or 'require'");
7528 else if (streq(p
[0], "username-as-common-name") && !p
[1])
7530 VERIFY_PERMISSION(OPT_P_GENERAL
);
7531 options
->ssl_flags
|= SSLF_USERNAME_AS_COMMON_NAME
;
7533 else if (streq(p
[0], "auth-user-pass-optional") && !p
[1])
7535 VERIFY_PERMISSION(OPT_P_GENERAL
);
7536 options
->ssl_flags
|= SSLF_AUTH_USER_PASS_OPTIONAL
;
7538 else if (streq(p
[0], "opt-verify") && !p
[1])
7540 VERIFY_PERMISSION(OPT_P_GENERAL
);
7541 msg(M_INFO
, "DEPRECATION: opt-verify is deprecated and will be removed "
7543 options
->ssl_flags
|= SSLF_OPT_VERIFY
;
7545 else if (streq(p
[0], "auth-user-pass-verify") && p
[1])
7547 VERIFY_PERMISSION(OPT_P_SCRIPT
);
7548 if (!no_more_than_n_args(msglevel
, p
, 3, NM_QUOTE_HINT
))
7554 if (streq(p
[2], "via-env"))
7556 options
->auth_user_pass_verify_script_via_file
= false;
7558 else if (streq(p
[2], "via-file"))
7560 options
->auth_user_pass_verify_script_via_file
= true;
7564 msg(msglevel
, "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
7570 msg(msglevel
, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
7573 set_user_script(options
,
7574 &options
->auth_user_pass_verify_script
,
7575 p
[1], "auth-user-pass-verify", true);
7577 else if (streq(p
[0], "auth-gen-token"))
7579 VERIFY_PERMISSION(OPT_P_GENERAL
);
7580 options
->auth_token_generate
= true;
7581 options
->auth_token_lifetime
= p
[1] ? positive_atoi(p
[1]) : 0;
7583 for (int i
= 2; i
< MAX_PARMS
&& p
[i
] != NULL
; i
++)
7585 /* the second parameter can be the renewal time */
7586 if (i
== 2 && positive_atoi(p
[i
]))
7588 options
->auth_token_renewal
= positive_atoi(p
[i
]);
7590 else if (streq(p
[i
], "external-auth"))
7592 options
->auth_token_call_auth
= true;
7596 msg(msglevel
, "Invalid argument to auth-gen-token: %s (%d)", p
[i
], i
);
7601 else if (streq(p
[0], "auth-gen-token-secret") && p
[1] && !p
[2])
7603 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_INLINE
);
7604 options
->auth_token_secret_file
= p
[1];
7605 options
->auth_token_secret_file_inline
= is_inline
;
7608 else if (streq(p
[0], "client-connect") && p
[1])
7610 VERIFY_PERMISSION(OPT_P_SCRIPT
);
7611 if (!no_more_than_n_args(msglevel
, p
, 2, NM_QUOTE_HINT
))
7615 set_user_script(options
, &options
->client_connect_script
,
7616 p
[1], "client-connect", true);
7618 else if (streq(p
[0], "client-crresponse") && p
[1])
7620 VERIFY_PERMISSION(OPT_P_SCRIPT
);
7621 if (!no_more_than_n_args(msglevel
, p
, 2, NM_QUOTE_HINT
))
7625 set_user_script(options
, &options
->client_crresponse_script
,
7626 p
[1], "client-crresponse", true);
7628 else if (streq(p
[0], "client-disconnect") && p
[1])
7630 VERIFY_PERMISSION(OPT_P_SCRIPT
);
7631 if (!no_more_than_n_args(msglevel
, p
, 2, NM_QUOTE_HINT
))
7635 set_user_script(options
, &options
->client_disconnect_script
,
7636 p
[1], "client-disconnect", true);
7638 else if (streq(p
[0], "learn-address") && p
[1])
7640 VERIFY_PERMISSION(OPT_P_SCRIPT
);
7641 if (!no_more_than_n_args(msglevel
, p
, 2, NM_QUOTE_HINT
))
7645 set_user_script(options
, &options
->learn_address_script
,
7646 p
[1], "learn-address", true);
7648 else if (streq(p
[0], "tmp-dir") && p
[1] && !p
[2])
7650 VERIFY_PERMISSION(OPT_P_GENERAL
);
7651 options
->tmp_dir
= p
[1];
7653 else if (streq(p
[0], "client-config-dir") && p
[1] && !p
[2])
7655 VERIFY_PERMISSION(OPT_P_GENERAL
);
7656 options
->client_config_dir
= p
[1];
7658 else if (streq(p
[0], "ccd-exclusive") && !p
[1])
7660 VERIFY_PERMISSION(OPT_P_GENERAL
);
7661 options
->ccd_exclusive
= true;
7663 else if (streq(p
[0], "bcast-buffers") && p
[1] && !p
[2])
7667 VERIFY_PERMISSION(OPT_P_GENERAL
);
7668 n_bcast_buf
= atoi(p
[1]);
7669 if (n_bcast_buf
< 1)
7671 msg(msglevel
, "--bcast-buffers parameter must be > 0");
7673 options
->n_bcast_buf
= n_bcast_buf
;
7675 else if (streq(p
[0], "tcp-queue-limit") && p
[1] && !p
[2])
7677 int tcp_queue_limit
;
7679 VERIFY_PERMISSION(OPT_P_GENERAL
);
7680 tcp_queue_limit
= atoi(p
[1]);
7681 if (tcp_queue_limit
< 1)
7683 msg(msglevel
, "--tcp-queue-limit parameter must be > 0");
7685 options
->tcp_queue_limit
= tcp_queue_limit
;
7688 else if (streq(p
[0], "port-share") && p
[1] && p
[2] && !p
[4])
7690 VERIFY_PERMISSION(OPT_P_GENERAL
);
7691 options
->port_share_host
= p
[1];
7692 options
->port_share_port
= p
[2];
7693 options
->port_share_journal_dir
= p
[3];
7696 else if (streq(p
[0], "client-to-client") && !p
[1])
7698 VERIFY_PERMISSION(OPT_P_GENERAL
);
7699 options
->enable_c2c
= true;
7701 else if (streq(p
[0], "duplicate-cn") && !p
[1])
7703 VERIFY_PERMISSION(OPT_P_GENERAL
);
7704 options
->duplicate_cn
= true;
7706 else if (streq(p
[0], "iroute") && p
[1] && !p
[3])
7708 VERIFY_PERMISSION(OPT_P_INSTANCE
);
7709 option_iroute(options
, p
[1], p
[2], msglevel
);
7711 else if (streq(p
[0], "iroute-ipv6") && p
[1] && !p
[2])
7713 VERIFY_PERMISSION(OPT_P_INSTANCE
);
7714 option_iroute_ipv6(options
, p
[1], msglevel
);
7716 else if (streq(p
[0], "ifconfig-push") && p
[1] && p
[2] && !p
[4])
7718 in_addr_t local
, remote_netmask
;
7720 VERIFY_PERMISSION(OPT_P_INSTANCE
);
7721 local
= getaddr(GETADDR_HOST_ORDER
|GETADDR_RESOLVE
, p
[1], 0, NULL
, NULL
);
7722 remote_netmask
= getaddr(GETADDR_HOST_ORDER
|GETADDR_RESOLVE
, p
[2], 0, NULL
, NULL
);
7723 if (local
&& remote_netmask
)
7725 options
->push_ifconfig_defined
= true;
7726 options
->push_ifconfig_local
= local
;
7727 options
->push_ifconfig_remote_netmask
= remote_netmask
;
7730 options
->push_ifconfig_local_alias
= getaddr(GETADDR_HOST_ORDER
|GETADDR_RESOLVE
, p
[3], 0, NULL
, NULL
);
7735 msg(msglevel
, "cannot parse --ifconfig-push addresses");
7739 else if (streq(p
[0], "ifconfig-push-constraint") && p
[1] && p
[2] && !p
[3])
7741 in_addr_t network
, netmask
;
7743 VERIFY_PERMISSION(OPT_P_GENERAL
);
7744 network
= getaddr(GETADDR_HOST_ORDER
|GETADDR_RESOLVE
, p
[1], 0, NULL
, NULL
);
7745 netmask
= getaddr(GETADDR_HOST_ORDER
, p
[2], 0, NULL
, NULL
);
7746 if (network
&& netmask
)
7748 options
->push_ifconfig_constraint_defined
= true;
7749 options
->push_ifconfig_constraint_network
= network
;
7750 options
->push_ifconfig_constraint_netmask
= netmask
;
7754 msg(msglevel
, "cannot parse --ifconfig-push-constraint addresses");
7758 else if (streq(p
[0], "ifconfig-ipv6-push") && p
[1] && !p
[3])
7760 struct in6_addr local
, remote
;
7761 unsigned int netbits
;
7763 VERIFY_PERMISSION(OPT_P_INSTANCE
);
7765 if (!get_ipv6_addr( p
[1], &local
, &netbits
, msglevel
) )
7767 msg(msglevel
, "cannot parse --ifconfig-ipv6-push addresses");
7773 if (!get_ipv6_addr( p
[2], &remote
, NULL
, msglevel
) )
7775 msg( msglevel
, "cannot parse --ifconfig-ipv6-push addresses");
7781 if (!options
->ifconfig_ipv6_local
7782 || !get_ipv6_addr( options
->ifconfig_ipv6_local
, &remote
,
7785 msg( msglevel
, "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
7790 options
->push_ifconfig_ipv6_defined
= true;
7791 options
->push_ifconfig_ipv6_local
= local
;
7792 options
->push_ifconfig_ipv6_netbits
= netbits
;
7793 options
->push_ifconfig_ipv6_remote
= remote
;
7794 options
->push_ifconfig_ipv6_blocked
= false;
7796 else if (streq(p
[0], "disable") && !p
[1])
7798 VERIFY_PERMISSION(OPT_P_INSTANCE
);
7799 options
->disable
= true;
7801 else if (streq(p
[0], "tcp-nodelay") && !p
[1])
7803 VERIFY_PERMISSION(OPT_P_GENERAL
);
7804 options
->server_flags
|= SF_TCP_NODELAY_HELPER
;
7806 else if (streq(p
[0], "stale-routes-check") && p
[1] && !p
[3])
7808 int ageing_time
, check_interval
;
7810 VERIFY_PERMISSION(OPT_P_GENERAL
);
7811 ageing_time
= atoi(p
[1]);
7814 check_interval
= atoi(p
[2]);
7818 check_interval
= ageing_time
;
7821 if (ageing_time
< 1 || check_interval
< 1)
7823 msg(msglevel
, "--stale-routes-check aging time and check interval must be >= 1");
7826 options
->stale_routes_ageing_time
= ageing_time
;
7827 options
->stale_routes_check_interval
= check_interval
;
7830 else if (streq(p
[0], "client") && !p
[1])
7832 VERIFY_PERMISSION(OPT_P_GENERAL
);
7833 options
->client
= true;
7835 else if (streq(p
[0], "pull") && !p
[1])
7837 VERIFY_PERMISSION(OPT_P_GENERAL
);
7838 options
->pull
= true;
7840 else if (streq(p
[0], "push-continuation") && p
[1] && !p
[2])
7842 VERIFY_PERMISSION(OPT_P_PULL_MODE
);
7843 options
->push_continuation
= atoi(p
[1]);
7845 else if (streq(p
[0], "auth-user-pass") && !p
[2])
7847 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_INLINE
);
7850 options
->auth_user_pass_file
= p
[1];
7851 options
->auth_user_pass_file_inline
= is_inline
;
7855 options
->auth_user_pass_file
= "stdin";
7858 else if (streq(p
[0], "auth-retry") && p
[1] && !p
[2])
7860 VERIFY_PERMISSION(OPT_P_GENERAL
);
7861 auth_retry_set(msglevel
, p
[1]);
7863 #ifdef ENABLE_MANAGEMENT
7864 else if (streq(p
[0], "static-challenge") && p
[1] && p
[2] && !p
[3])
7866 VERIFY_PERMISSION(OPT_P_GENERAL
);
7867 options
->sc_info
.challenge_text
= p
[1];
7870 options
->sc_info
.flags
|= SC_ECHO
;
7874 else if (streq(p
[0], "msg-channel") && p
[1])
7877 VERIFY_PERMISSION(OPT_P_GENERAL
);
7878 HANDLE process
= GetCurrentProcess();
7879 HANDLE handle
= (HANDLE
) atoll(p
[1]);
7880 if (!DuplicateHandle(process
, handle
, process
, &options
->msg_channel
, 0,
7881 FALSE
, DUPLICATE_CLOSE_SOURCE
| DUPLICATE_SAME_ACCESS
))
7883 msg(msglevel
, "could not duplicate service pipe handle");
7886 options
->route_method
= ROUTE_METHOD_SERVICE
;
7887 #else /* ifdef _WIN32 */
7888 msg(msglevel
, "--msg-channel is only supported on Windows");
7893 else if (streq(p
[0], "win-sys") && p
[1] && !p
[2])
7895 VERIFY_PERMISSION(OPT_P_GENERAL
);
7896 if (streq(p
[1], "env"))
7898 msg(M_INFO
, "NOTE: --win-sys env is default from OpenVPN 2.3. "
7899 "This entry will now be ignored. "
7900 "Please remove this entry from your configuration file.");
7904 set_win_sys_path(p
[1], es
);
7907 else if (streq(p
[0], "route-method") && p
[1] && !p
[2])
7909 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS
);
7910 if (streq(p
[1], "adaptive"))
7912 options
->route_method
= ROUTE_METHOD_ADAPTIVE
;
7914 else if (streq(p
[1], "ipapi"))
7916 options
->route_method
= ROUTE_METHOD_IPAPI
;
7918 else if (streq(p
[1], "exe"))
7920 options
->route_method
= ROUTE_METHOD_EXE
;
7924 msg(msglevel
, "--route method must be 'adaptive', 'ipapi', or 'exe'");
7928 else if (streq(p
[0], "ip-win32") && p
[1] && !p
[4])
7930 const int index
= ascii2ipset(p
[1]);
7931 struct tuntap_options
*to
= &options
->tuntap_options
;
7933 VERIFY_PERMISSION(OPT_P_DHCPDNS
);
7938 "Bad --ip-win32 method: '%s'. Allowed methods: %s",
7940 ipset2ascii_all(&gc
));
7944 if (index
== IPW32_SET_ADAPTIVE
)
7946 options
->route_delay_window
= IPW32_SET_ADAPTIVE_DELAY_WINDOW
;
7949 if (index
== IPW32_SET_DHCP_MASQ
)
7953 if (!streq(p
[2], "default"))
7955 int offset
= atoi(p
[2]);
7957 if (!(offset
> -256 && offset
< 256))
7959 msg(msglevel
, "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", offset
);
7963 to
->dhcp_masq_custom_offset
= true;
7964 to
->dhcp_masq_offset
= offset
;
7969 const int min_lease
= 30;
7971 lease_time
= atoi(p
[3]);
7972 if (lease_time
< min_lease
)
7974 msg(msglevel
, "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", lease_time
, min_lease
);
7977 to
->dhcp_lease_time
= lease_time
;
7981 to
->ip_win32_type
= index
;
7982 to
->ip_win32_defined
= true;
7984 #endif /* ifdef _WIN32 */
7985 else if (streq(p
[0], "dns") && p
[1])
7987 VERIFY_PERMISSION(OPT_P_DHCPDNS
);
7989 if (streq(p
[1], "search-domains") && p
[2])
7991 dns_domain_list_append(&options
->dns_options
.search_domains
, &p
[2], &options
->dns_options
.gc
);
7993 else if (streq(p
[1], "server") && p
[2] && p
[3] && p
[4])
7996 if (!dns_server_priority_parse(&priority
, p
[2], pull_mode
))
7998 msg(msglevel
, "--dns server: invalid priority value '%s'", p
[2]);
8002 struct dns_server
*server
= dns_server_get(&options
->dns_options
.servers
, priority
, &options
->dns_options
.gc
);
8004 if (streq(p
[3], "address") && !p
[6])
8006 for (int i
= 4; p
[i
]; i
++)
8008 if (!dns_server_addr_parse(server
, p
[i
]))
8010 msg(msglevel
, "--dns server %ld: malformed or duplicate address '%s'", priority
, p
[i
]);
8015 else if (streq(p
[3], "resolve-domains"))
8017 if (server
->domain_type
== DNS_EXCLUDE_DOMAINS
)
8019 msg(msglevel
, "--dns server %ld: cannot use resolve-domains and exclude-domains", priority
);
8022 server
->domain_type
= DNS_RESOLVE_DOMAINS
;
8023 dns_domain_list_append(&server
->domains
, &p
[4], &options
->dns_options
.gc
);
8025 else if (streq(p
[3], "exclude-domains"))
8027 if (server
->domain_type
== DNS_RESOLVE_DOMAINS
)
8029 msg(msglevel
, "--dns server %ld: cannot use exclude-domains and resolve-domains", priority
);
8032 server
->domain_type
= DNS_EXCLUDE_DOMAINS
;
8033 dns_domain_list_append(&server
->domains
, &p
[4], &options
->dns_options
.gc
);
8035 else if (streq(p
[3], "dnssec") && !p
[5])
8037 if (streq(p
[4], "yes"))
8039 server
->dnssec
= DNS_SECURITY_YES
;
8041 else if (streq(p
[4], "no"))
8043 server
->dnssec
= DNS_SECURITY_NO
;
8045 else if (streq(p
[4], "optional"))
8047 server
->dnssec
= DNS_SECURITY_OPTIONAL
;
8051 msg(msglevel
, "--dns server %ld: malformed dnssec value '%s'", priority
, p
[4]);
8055 else if (streq(p
[3], "transport") && !p
[5])
8057 if (streq(p
[4], "plain"))
8059 server
->transport
= DNS_TRANSPORT_PLAIN
;
8061 else if (streq(p
[4], "DoH"))
8063 server
->transport
= DNS_TRANSPORT_HTTPS
;
8065 else if (streq(p
[4], "DoT"))
8067 server
->transport
= DNS_TRANSPORT_TLS
;
8071 msg(msglevel
, "--dns server %ld: malformed transport value '%s'", priority
, p
[4]);
8075 else if (streq(p
[3], "sni") && !p
[5])
8081 msg(msglevel
, "--dns server %ld: unknown option type '%s' or missing or unknown parameter", priority
, p
[3]);
8087 msg(msglevel
, "--dns: unknown option type '%s' or missing or unknown parameter", p
[1]);
8091 #if defined(_WIN32) || defined(TARGET_ANDROID)
8092 else if (streq(p
[0], "dhcp-option") && p
[1])
8094 struct tuntap_options
*o
= &options
->tuntap_options
;
8095 VERIFY_PERMISSION(OPT_P_DHCPDNS
);
8097 if ((streq(p
[1], "DOMAIN") || streq(p
[1], "ADAPTER_DOMAIN_SUFFIX"))
8101 o
->dhcp_options
|= DHCP_OPTIONS_DHCP_OPTIONAL
;
8103 else if (streq(p
[1], "NBS") && p
[2] && !p
[3])
8105 o
->netbios_scope
= p
[2];
8106 o
->dhcp_options
|= DHCP_OPTIONS_DHCP_REQUIRED
;
8108 else if (streq(p
[1], "NBT") && p
[2] && !p
[3])
8112 if (!(t
== 1 || t
== 2 || t
== 4 || t
== 8))
8114 msg(msglevel
, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t
);
8117 o
->netbios_node_type
= t
;
8118 o
->dhcp_options
|= DHCP_OPTIONS_DHCP_REQUIRED
;
8120 else if ((streq(p
[1], "DNS") || streq(p
[1], "DNS6")) && p
[2] && !p
[3]
8121 && (!strstr(p
[2], ":") || ipv6_addr_safe(p
[2])))
8123 if (strstr(p
[2], ":"))
8125 dhcp_option_dns6_parse(p
[2], o
->dns6
, &o
->dns6_len
, msglevel
);
8129 dhcp_option_address_parse("DNS", p
[2], o
->dns
, &o
->dns_len
, msglevel
);
8130 o
->dhcp_options
|= DHCP_OPTIONS_DHCP_OPTIONAL
;
8133 else if (streq(p
[1], "WINS") && p
[2] && !p
[3])
8135 dhcp_option_address_parse("WINS", p
[2], o
->wins
, &o
->wins_len
, msglevel
);
8136 o
->dhcp_options
|= DHCP_OPTIONS_DHCP_OPTIONAL
;
8138 else if (streq(p
[1], "NTP") && p
[2] && !p
[3])
8140 dhcp_option_address_parse("NTP", p
[2], o
->ntp
, &o
->ntp_len
, msglevel
);
8141 o
->dhcp_options
|= DHCP_OPTIONS_DHCP_REQUIRED
;
8143 else if (streq(p
[1], "NBDD") && p
[2] && !p
[3])
8145 dhcp_option_address_parse("NBDD", p
[2], o
->nbdd
, &o
->nbdd_len
, msglevel
);
8146 o
->dhcp_options
|= DHCP_OPTIONS_DHCP_REQUIRED
;
8148 else if (streq(p
[1], "DOMAIN-SEARCH") && p
[2] && !p
[3])
8150 if (o
->domain_search_list_len
< N_SEARCH_LIST_LEN
)
8152 o
->domain_search_list
[o
->domain_search_list_len
++] = p
[2];
8156 msg(msglevel
, "--dhcp-option %s: maximum of %d search entries can be specified",
8157 p
[1], N_SEARCH_LIST_LEN
);
8159 o
->dhcp_options
|= DHCP_OPTIONS_DHCP_REQUIRED
;
8161 else if (streq(p
[1], "DISABLE-NBT") && !p
[2])
8164 o
->dhcp_options
|= DHCP_OPTIONS_DHCP_REQUIRED
;
8166 #if defined(TARGET_ANDROID)
8167 else if (streq(p
[1], "PROXY_HTTP") && p
[3] && !p
[4])
8169 o
->http_proxy_port
= atoi(p
[3]);
8170 o
->http_proxy
= p
[2];
8175 msg(msglevel
, "--dhcp-option: unknown option type '%s' or missing or unknown parameter", p
[1]);
8179 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
8181 else if (streq(p
[0], "show-adapters") && !p
[1])
8183 VERIFY_PERMISSION(OPT_P_GENERAL
);
8184 show_tap_win_adapters(M_INFO
|M_NOPREFIX
, M_WARN
|M_NOPREFIX
);
8185 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD
); /* exit point */
8187 else if (streq(p
[0], "show-net") && !p
[1])
8189 VERIFY_PERMISSION(OPT_P_GENERAL
);
8190 show_routes(M_INFO
|M_NOPREFIX
);
8191 show_adapters(M_INFO
|M_NOPREFIX
);
8192 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD
); /* exit point */
8194 else if (streq(p
[0], "show-net-up") && !p
[1])
8196 VERIFY_PERMISSION(OPT_P_UP
);
8197 options
->show_net_up
= true;
8199 else if (streq(p
[0], "tap-sleep") && p
[1] && !p
[2])
8202 VERIFY_PERMISSION(OPT_P_DHCPDNS
);
8204 if (s
< 0 || s
>= 256)
8206 msg(msglevel
, "--tap-sleep parameter must be between 0 and 255");
8209 options
->tuntap_options
.tap_sleep
= s
;
8211 else if (streq(p
[0], "dhcp-renew") && !p
[1])
8213 VERIFY_PERMISSION(OPT_P_DHCPDNS
);
8214 options
->tuntap_options
.dhcp_renew
= true;
8216 else if (streq(p
[0], "dhcp-pre-release") && !p
[1])
8218 VERIFY_PERMISSION(OPT_P_DHCPDNS
);
8219 options
->tuntap_options
.dhcp_pre_release
= true;
8220 options
->tuntap_options
.dhcp_renew
= true;
8222 else if (streq(p
[0], "dhcp-release") && !p
[1])
8224 msg(M_WARN
, "Obsolete option --dhcp-release detected. This is now on by default");
8226 else if (streq(p
[0], "dhcp-internal") && p
[1] && !p
[2]) /* standalone method for internal use */
8228 unsigned int adapter_index
;
8229 VERIFY_PERMISSION(OPT_P_GENERAL
);
8230 set_debug_level(options
->verbosity
, SDL_CONSTRAIN
);
8231 adapter_index
= atou(p
[1]);
8232 sleep(options
->tuntap_options
.tap_sleep
);
8233 if (options
->tuntap_options
.dhcp_pre_release
)
8235 dhcp_release_by_adapter_index(adapter_index
);
8237 if (options
->tuntap_options
.dhcp_renew
)
8239 dhcp_renew_by_adapter_index(adapter_index
);
8241 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD
); /* exit point */
8243 else if (streq(p
[0], "register-dns") && !p
[1])
8245 VERIFY_PERMISSION(OPT_P_DHCPDNS
);
8246 options
->tuntap_options
.register_dns
= true;
8248 else if (streq(p
[0], "block-outside-dns") && !p
[1])
8250 VERIFY_PERMISSION(OPT_P_DHCPDNS
);
8251 options
->block_outside_dns
= true;
8253 else if (streq(p
[0], "rdns-internal") && !p
[1])
8254 /* standalone method for internal use
8256 * (if --register-dns is set, openvpn needs to call itself in a
8257 * sub-process to execute the required functions in a non-blocking
8258 * way, and uses --rdns-internal to signal that to itself)
8261 VERIFY_PERMISSION(OPT_P_GENERAL
);
8262 set_debug_level(options
->verbosity
, SDL_CONSTRAIN
);
8263 if (options
->tuntap_options
.register_dns
)
8265 ipconfig_register_dns(NULL
);
8267 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD
); /* exit point */
8269 else if (streq(p
[0], "show-valid-subnets") && !p
[1])
8271 VERIFY_PERMISSION(OPT_P_GENERAL
);
8272 show_valid_win32_tun_subnets();
8273 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD
); /* exit point */
8275 else if (streq(p
[0], "pause-exit") && !p
[1])
8277 VERIFY_PERMISSION(OPT_P_GENERAL
);
8278 set_pause_exit_win32();
8280 else if (streq(p
[0], "service") && p
[1] && !p
[3])
8282 VERIFY_PERMISSION(OPT_P_GENERAL
);
8283 options
->exit_event_name
= p
[1];
8286 options
->exit_event_initial_state
= (atoi(p
[2]) != 0);
8289 else if (streq(p
[0], "allow-nonadmin") && !p
[2])
8291 VERIFY_PERMISSION(OPT_P_GENERAL
);
8292 tap_allow_nonadmin_access(p
[1]);
8293 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD
); /* exit point */
8295 else if (streq(p
[0], "user") && p
[1] && !p
[2])
8297 VERIFY_PERMISSION(OPT_P_GENERAL
);
8298 msg(M_WARN
, "NOTE: --user option is not implemented on Windows");
8300 else if (streq(p
[0], "group") && p
[1] && !p
[2])
8302 VERIFY_PERMISSION(OPT_P_GENERAL
);
8303 msg(M_WARN
, "NOTE: --group option is not implemented on Windows");
8305 #else /* ifdef _WIN32 */
8306 else if (streq(p
[0], "user") && p
[1] && !p
[2])
8308 VERIFY_PERMISSION(OPT_P_GENERAL
);
8309 options
->username
= p
[1];
8311 else if (streq(p
[0], "group") && p
[1] && !p
[2])
8313 VERIFY_PERMISSION(OPT_P_GENERAL
);
8314 options
->groupname
= p
[1];
8316 else if (streq(p
[0], "dhcp-option") && p
[1] && !p
[3])
8318 VERIFY_PERMISSION(OPT_P_DHCPDNS
);
8319 setenv_foreign_option(options
, (const char **)p
, 3, es
);
8321 else if (streq(p
[0], "route-method") && p
[1] && !p
[2]) /* ignore when pushed to non-Windows OS */
8323 VERIFY_PERMISSION(OPT_P_ROUTE_EXTRAS
);
8325 #endif /* ifdef _WIN32 */
8326 #if PASSTOS_CAPABILITY
8327 else if (streq(p
[0], "passtos") && !p
[1])
8329 VERIFY_PERMISSION(OPT_P_GENERAL
);
8330 options
->passtos
= true;
8333 #if defined(USE_COMP)
8334 else if (streq(p
[0], "allow-compression") && p
[1] && !p
[2])
8336 VERIFY_PERMISSION(OPT_P_GENERAL
);
8338 if (streq(p
[1], "no"))
8340 options
->comp
.flags
=
8341 COMP_F_ALLOW_STUB_ONLY
|COMP_F_ADVERTISE_STUBS_ONLY
;
8342 if (comp_non_stub_enabled(&options
->comp
))
8344 msg(msglevel
, "'--allow-compression no' conflicts with "
8345 " enabling compression");
8348 else if (options
->comp
.flags
& COMP_F_ALLOW_STUB_ONLY
)
8350 /* Also printed on a push to hint at configuration problems */
8351 msg(msglevel
, "Cannot set allow-compression to '%s' "
8352 "after set to 'no'", p
[1]);
8355 else if (streq(p
[1], "asym"))
8357 options
->comp
.flags
&= ~COMP_F_ALLOW_COMPRESS
;
8358 options
->comp
.flags
|= COMP_F_ALLOW_ASYM
;
8360 else if (streq(p
[1], "yes"))
8362 msg(M_WARN
, "WARNING: Compression for sending and receiving enabled. Compression has "
8363 "been used in the past to break encryption. Allowing compression allows "
8364 "attacks that break encryption. Using \"--allow-compression yes\" is "
8365 "strongly discouraged for common usage. See --compress in the manual "
8366 "page for more information ");
8368 options
->comp
.flags
|= COMP_F_ALLOW_COMPRESS
;
8372 msg(msglevel
, "bad allow-compression option: %s -- "
8373 "must be 'yes', 'no', or 'asym'", p
[1]);
8377 else if (streq(p
[0], "comp-lzo") && !p
[2])
8379 VERIFY_PERMISSION(OPT_P_COMP
);
8381 /* All lzo variants do not use swap */
8382 options
->comp
.flags
&= ~COMP_F_SWAP
;
8383 #if defined(ENABLE_LZO)
8384 if (p
[1] && streq(p
[1], "no"))
8387 options
->comp
.alg
= COMP_ALG_STUB
;
8388 options
->comp
.flags
&= ~COMP_F_ADAPTIVE
;
8390 #if defined(ENABLE_LZO)
8391 else if (options
->comp
.flags
& COMP_F_ALLOW_STUB_ONLY
)
8393 /* Also printed on a push to hint at configuration problems */
8394 msg(msglevel
, "Cannot set comp-lzo to '%s', "
8395 "allow-compression is set to 'no'", p
[1]);
8400 if (streq(p
[1], "yes"))
8402 options
->comp
.alg
= COMP_ALG_LZO
;
8403 options
->comp
.flags
&= ~COMP_F_ADAPTIVE
;
8405 else if (streq(p
[1], "adaptive"))
8407 options
->comp
.alg
= COMP_ALG_LZO
;
8408 options
->comp
.flags
|= COMP_F_ADAPTIVE
;
8412 msg(msglevel
, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p
[1]);
8418 options
->comp
.alg
= COMP_ALG_LZO
;
8419 options
->comp
.flags
|= COMP_F_ADAPTIVE
;
8421 show_compression_warning(&options
->comp
);
8422 #endif /* if defined(ENABLE_LZO) */
8424 else if (streq(p
[0], "comp-noadapt") && !p
[1])
8427 * We do not need to check here if we allow compression since
8428 * it only modifies a flag if compression is enabled
8430 VERIFY_PERMISSION(OPT_P_COMP
);
8431 options
->comp
.flags
&= ~COMP_F_ADAPTIVE
;
8433 else if (streq(p
[0], "compress") && !p
[2])
8435 VERIFY_PERMISSION(OPT_P_COMP
);
8438 if (streq(p
[1], "stub"))
8440 options
->comp
.alg
= COMP_ALG_STUB
;
8441 options
->comp
.flags
|= (COMP_F_SWAP
|COMP_F_ADVERTISE_STUBS_ONLY
);
8443 else if (streq(p
[1], "stub-v2"))
8445 options
->comp
.alg
= COMP_ALGV2_UNCOMPRESSED
;
8446 options
->comp
.flags
|= COMP_F_ADVERTISE_STUBS_ONLY
;
8448 else if (streq(p
[1], "migrate"))
8450 options
->comp
.alg
= COMP_ALG_UNDEF
;
8451 options
->comp
.flags
= COMP_F_MIGRATE
;
8454 else if (options
->comp
.flags
& COMP_F_ALLOW_STUB_ONLY
)
8456 /* Also printed on a push to hint at configuration problems */
8457 msg(msglevel
, "Cannot set compress to '%s', "
8458 "allow-compression is set to 'no'", p
[1]);
8461 #if defined(ENABLE_LZO)
8462 else if (streq(p
[1], "lzo"))
8464 options
->comp
.alg
= COMP_ALG_LZO
;
8465 options
->comp
.flags
&= ~(COMP_F_ADAPTIVE
| COMP_F_SWAP
);
8468 #if defined(ENABLE_LZ4)
8469 else if (streq(p
[1], "lz4"))
8471 options
->comp
.alg
= COMP_ALG_LZ4
;
8472 options
->comp
.flags
|= COMP_F_SWAP
;
8474 else if (streq(p
[1], "lz4-v2"))
8476 options
->comp
.alg
= COMP_ALGV2_LZ4
;
8481 msg(msglevel
, "bad comp option: %s", p
[1]);
8487 options
->comp
.alg
= COMP_ALG_STUB
;
8488 options
->comp
.flags
|= COMP_F_SWAP
;
8490 show_compression_warning(&options
->comp
);
8492 #endif /* USE_COMP */
8493 else if (streq(p
[0], "show-ciphers") && !p
[1])
8495 VERIFY_PERMISSION(OPT_P_GENERAL
);
8496 options
->show_ciphers
= true;
8498 else if (streq(p
[0], "show-digests") && !p
[1])
8500 VERIFY_PERMISSION(OPT_P_GENERAL
);
8501 options
->show_digests
= true;
8503 else if (streq(p
[0], "show-engines") && !p
[1])
8505 VERIFY_PERMISSION(OPT_P_GENERAL
);
8506 options
->show_engines
= true;
8508 else if (streq(p
[0], "key-direction") && p
[1] && !p
[2])
8512 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_CONNECTION
);
8514 key_direction
= ascii2keydirection(msglevel
, p
[1]);
8515 if (key_direction
>= 0)
8517 if (permission_mask
& OPT_P_GENERAL
)
8519 options
->key_direction
= key_direction
;
8521 else if (permission_mask
& OPT_P_CONNECTION
)
8523 options
->ce
.key_direction
= key_direction
;
8531 else if (streq(p
[0], "secret") && p
[1] && !p
[3])
8533 msg(M_WARN
, "DEPRECATED OPTION: The option --secret is deprecated.");
8534 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_INLINE
);
8535 options
->shared_secret_file
= p
[1];
8536 options
->shared_secret_file_inline
= is_inline
;
8537 if (!is_inline
&& p
[2])
8541 key_direction
= ascii2keydirection(msglevel
, p
[2]);
8542 if (key_direction
>= 0)
8544 options
->key_direction
= key_direction
;
8552 else if (streq(p
[0], "genkey") && !p
[4])
8554 VERIFY_PERMISSION(OPT_P_GENERAL
);
8555 options
->genkey
= true;
8558 options
->genkey_type
= GENKEY_SECRET
;
8562 if (streq(p
[1], "secret") || streq(p
[1], "tls-auth")
8563 || streq(p
[1], "tls-crypt"))
8565 options
->genkey_type
= GENKEY_SECRET
;
8567 else if (streq(p
[1], "tls-crypt-v2-server"))
8569 options
->genkey_type
= GENKEY_TLS_CRYPTV2_SERVER
;
8571 else if (streq(p
[1], "tls-crypt-v2-client"))
8573 options
->genkey_type
= GENKEY_TLS_CRYPTV2_CLIENT
;
8576 options
->genkey_extra_data
= p
[3];
8579 else if (streq(p
[1], "auth-token"))
8581 options
->genkey_type
= GENKEY_AUTH_TOKEN
;
8585 msg(msglevel
, "unknown --genkey type: %s", p
[1]);
8591 options
->genkey_filename
= p
[2];
8594 else if (streq(p
[0], "auth") && p
[1] && !p
[2])
8596 VERIFY_PERMISSION(OPT_P_GENERAL
);
8597 options
->authname
= p
[1];
8599 else if (streq(p
[0], "cipher") && p
[1] && !p
[2])
8601 VERIFY_PERMISSION(OPT_P_NCP
|OPT_P_INSTANCE
);
8602 options
->ciphername
= p
[1];
8604 else if (streq(p
[0], "data-ciphers-fallback") && p
[1] && !p
[2])
8606 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_INSTANCE
);
8607 options
->ciphername
= p
[1];
8608 options
->enable_ncp_fallback
= true;
8610 else if ((streq(p
[0], "data-ciphers") || streq(p
[0], "ncp-ciphers"))
8613 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_INSTANCE
);
8614 if (streq(p
[0], "ncp-ciphers"))
8616 msg(M_INFO
, "Note: Treating option '--ncp-ciphers' as "
8617 " '--data-ciphers' (renamed in OpenVPN 2.5).");
8619 options
->ncp_ciphers
= p
[1];
8621 else if (streq(p
[0], "key-derivation") && p
[1])
8623 /* NCP only option that is pushed by the server to enable EKM,
8624 * should not be used by normal users in config files*/
8625 VERIFY_PERMISSION(OPT_P_NCP
)
8626 #ifdef HAVE_EXPORT_KEYING_MATERIAL
8627 if (streq(p
[1], "tls-ekm"))
8629 options
->imported_protocol_flags
|= CO_USE_TLS_KEY_MATERIAL_EXPORT
;
8634 msg(msglevel
, "Unknown key-derivation method %s", p
[1]);
8637 else if (streq(p
[0], "protocol-flags") && p
[1])
8639 /* NCP only option that is pushed by the server to enable protocol
8640 * features that are negotiated, should not be used by normal users
8641 * in config files */
8642 VERIFY_PERMISSION(OPT_P_NCP
)
8643 for (size_t j
= 1; j
< MAX_PARMS
&& p
[j
] != NULL
; j
++)
8645 if (streq(p
[j
], "cc-exit"))
8647 options
->imported_protocol_flags
|= CO_USE_CC_EXIT_NOTIFY
;
8649 #ifdef HAVE_EXPORT_KEYING_MATERIAL
8650 else if (streq(p
[j
], "tls-ekm"))
8652 options
->imported_protocol_flags
|= CO_USE_TLS_KEY_MATERIAL_EXPORT
;
8657 msg(msglevel
, "Unknown protocol-flags flag: %s", p
[j
]);
8661 else if (streq(p
[0], "prng") && p
[1] && !p
[3])
8663 msg(M_WARN
, "NOTICE: --prng option ignored (SSL library PRNG is used)");
8665 else if (streq(p
[0], "no-replay") && !p
[1])
8667 VERIFY_PERMISSION(OPT_P_GENERAL
);
8668 options
->replay
= false;
8670 else if (streq(p
[0], "replay-window") && !p
[3])
8672 VERIFY_PERMISSION(OPT_P_GENERAL
);
8677 replay_window
= atoi(p
[1]);
8678 if (!(MIN_SEQ_BACKTRACK
<= replay_window
&& replay_window
<= MAX_SEQ_BACKTRACK
))
8680 msg(msglevel
, "replay-window window size parameter (%d) must be between %d and %d",
8686 options
->replay_window
= replay_window
;
8692 replay_time
= atoi(p
[2]);
8693 if (!(MIN_TIME_BACKTRACK
<= replay_time
&& replay_time
<= MAX_TIME_BACKTRACK
))
8695 msg(msglevel
, "replay-window time window parameter (%d) must be between %d and %d",
8698 MAX_TIME_BACKTRACK
);
8701 options
->replay_time
= replay_time
;
8706 msg(msglevel
, "replay-window option is missing window size parameter");
8710 else if (streq(p
[0], "mute-replay-warnings") && !p
[1])
8712 VERIFY_PERMISSION(OPT_P_GENERAL
);
8713 options
->mute_replay_warnings
= true;
8715 else if (streq(p
[0], "replay-persist") && p
[1] && !p
[2])
8717 VERIFY_PERMISSION(OPT_P_GENERAL
);
8718 options
->packet_id_file
= p
[1];
8720 else if (streq(p
[0], "test-crypto") && !p
[1])
8722 VERIFY_PERMISSION(OPT_P_GENERAL
);
8723 options
->test_crypto
= true;
8725 #ifndef ENABLE_CRYPTO_MBEDTLS
8726 else if (streq(p
[0], "engine") && !p
[2])
8728 VERIFY_PERMISSION(OPT_P_GENERAL
);
8731 options
->engine
= p
[1];
8735 options
->engine
= "auto";
8738 #endif /* ENABLE_CRYPTO_MBEDTLS */
8739 else if (streq(p
[0], "providers") && p
[1])
8741 for (size_t j
= 1; j
< MAX_PARMS
&& p
[j
] != NULL
; j
++)
8743 options
->providers
.names
[j
] = p
[j
];
8746 #ifdef ENABLE_PREDICTION_RESISTANCE
8747 else if (streq(p
[0], "use-prediction-resistance") && !p
[1])
8749 VERIFY_PERMISSION(OPT_P_GENERAL
);
8750 options
->use_prediction_resistance
= true;
8753 else if (streq(p
[0], "show-tls") && !p
[1])
8755 VERIFY_PERMISSION(OPT_P_GENERAL
);
8756 options
->show_tls_ciphers
= true;
8758 else if ((streq(p
[0], "show-curves") || streq(p
[0], "show-groups")) && !p
[1])
8760 VERIFY_PERMISSION(OPT_P_GENERAL
);
8761 options
->show_curves
= true;
8763 else if (streq(p
[0], "ecdh-curve") && p
[1] && !p
[2])
8765 VERIFY_PERMISSION(OPT_P_GENERAL
);
8766 msg(M_WARN
, "Consider setting groups/curves preference with "
8767 "tls-groups instead of forcing a specific curve with "
8769 options
->ecdh_curve
= p
[1];
8771 else if (streq(p
[0], "tls-server") && !p
[1])
8773 VERIFY_PERMISSION(OPT_P_GENERAL
);
8774 options
->tls_server
= true;
8776 else if (streq(p
[0], "tls-client") && !p
[1])
8778 VERIFY_PERMISSION(OPT_P_GENERAL
);
8779 options
->tls_client
= true;
8781 else if (streq(p
[0], "ca") && p
[1] && !p
[2])
8783 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_INLINE
);
8784 options
->ca_file
= p
[1];
8785 options
->ca_file_inline
= is_inline
;
8787 #ifndef ENABLE_CRYPTO_MBEDTLS
8788 else if (streq(p
[0], "capath") && p
[1] && !p
[2])
8790 VERIFY_PERMISSION(OPT_P_GENERAL
);
8791 options
->ca_path
= p
[1];
8793 #endif /* ENABLE_CRYPTO_MBEDTLS */
8794 else if (streq(p
[0], "dh") && p
[1] && !p
[2])
8796 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_INLINE
);
8797 options
->dh_file
= p
[1];
8798 options
->dh_file_inline
= is_inline
;
8800 else if (streq(p
[0], "cert") && p
[1] && !p
[2])
8802 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_INLINE
);
8803 options
->cert_file
= p
[1];
8804 options
->cert_file_inline
= is_inline
;
8806 else if (streq(p
[0], "extra-certs") && p
[1] && !p
[2])
8808 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_INLINE
);
8809 options
->extra_certs_file
= p
[1];
8810 options
->extra_certs_file_inline
= is_inline
;
8812 else if ((streq(p
[0], "verify-hash") && p
[1] && !p
[3])
8813 || (streq(p
[0], "peer-fingerprint") && p
[1] && !p
[2]))
8815 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_INLINE
);
8817 int verify_hash_depth
= 0;
8818 if (streq(p
[0], "verify-hash"))
8820 msg(M_WARN
, "DEPRECATED OPTION: The option --verify-hash is deprecated. "
8821 "You should switch to the either use the level 1 certificate as "
8822 "--ca option, use --tls-verify or use --peer-fingerprint");
8823 /* verify level 1 cert, i.e. the CA that signed the leaf cert */
8824 verify_hash_depth
= 1;
8827 options
->verify_hash_algo
= MD_SHA256
;
8829 int digest_len
= SHA256_DIGEST_LENGTH
;
8831 if (options
->verify_hash
&& options
->verify_hash_depth
!= verify_hash_depth
)
8833 msg(msglevel
, "ERROR: Setting %s not allowed. --verify-hash and"
8834 " --peer-fingerprint are mutually exclusive", p
[0]);
8838 if (streq(p
[0], "verify-hash"))
8840 if ((!p
[2] && !is_inline
) || (p
[2] && streq(p
[2], "SHA1")))
8842 options
->verify_hash_algo
= MD_SHA1
;
8843 digest_len
= SHA_DIGEST_LENGTH
;
8845 else if (p
[2] && !streq(p
[2], "SHA256"))
8847 msg(msglevel
, "invalid or unsupported hashing algorithm: %s "
8848 "(only SHA1 and SHA256 are supported)", p
[2]);
8853 struct verify_hash_list
*newlist
;
8854 newlist
= parse_hash_fingerprint_multiline(p
[1], digest_len
,
8855 msglevel
, &options
->gc
);
8857 /* Append the new list to the end of our current list */
8858 if (!options
->verify_hash
)
8860 options
->verify_hash
= newlist
;
8861 options
->verify_hash_depth
= verify_hash_depth
;
8865 /* since both the old and new list can have multiple entries
8866 * we need to go to the end of one of them to concatenate them */
8867 struct verify_hash_list
*listend
= options
->verify_hash
;
8868 while (listend
->next
)
8870 listend
= listend
->next
;
8872 listend
->next
= newlist
;
8875 #ifdef ENABLE_CRYPTOAPI
8876 else if (streq(p
[0], "cryptoapicert") && p
[1] && !p
[2])
8878 VERIFY_PERMISSION(OPT_P_GENERAL
);
8879 options
->cryptoapi_cert
= p
[1];
8882 else if (streq(p
[0], "key") && p
[1] && !p
[2])
8884 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_INLINE
);
8885 options
->priv_key_file
= p
[1];
8886 options
->priv_key_file_inline
= is_inline
;
8888 else if (streq(p
[0], "tls-version-min") && p
[1] && !p
[3])
8891 VERIFY_PERMISSION(OPT_P_GENERAL
);
8892 ver
= tls_version_parse(p
[1], p
[2]);
8893 if (ver
== TLS_VER_BAD
)
8895 msg(msglevel
, "unknown tls-version-min parameter: %s", p
[1]);
8898 options
->ssl_flags
&=
8899 ~(SSLF_TLS_VERSION_MIN_MASK
<< SSLF_TLS_VERSION_MIN_SHIFT
);
8900 options
->ssl_flags
|= (ver
<< SSLF_TLS_VERSION_MIN_SHIFT
);
8902 else if (streq(p
[0], "tls-version-max") && p
[1] && !p
[2])
8905 VERIFY_PERMISSION(OPT_P_GENERAL
);
8906 ver
= tls_version_parse(p
[1], NULL
);
8907 if (ver
== TLS_VER_BAD
)
8909 msg(msglevel
, "unknown tls-version-max parameter: %s", p
[1]);
8912 options
->ssl_flags
&=
8913 ~(SSLF_TLS_VERSION_MAX_MASK
<< SSLF_TLS_VERSION_MAX_SHIFT
);
8914 options
->ssl_flags
|= (ver
<< SSLF_TLS_VERSION_MAX_SHIFT
);
8916 #ifndef ENABLE_CRYPTO_MBEDTLS
8917 else if (streq(p
[0], "pkcs12") && p
[1] && !p
[2])
8919 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_INLINE
);
8920 options
->pkcs12_file
= p
[1];
8921 options
->pkcs12_file_inline
= is_inline
;
8923 #endif /* ENABLE_CRYPTO_MBEDTLS */
8924 else if (streq(p
[0], "askpass") && !p
[2])
8926 VERIFY_PERMISSION(OPT_P_GENERAL
);
8929 options
->key_pass_file
= p
[1];
8933 options
->key_pass_file
= "stdin";
8936 else if (streq(p
[0], "auth-nocache") && !p
[1])
8938 VERIFY_PERMISSION(OPT_P_GENERAL
);
8939 ssl_set_auth_nocache();
8941 else if (streq(p
[0], "auth-token") && p
[1] && !p
[2])
8943 VERIFY_PERMISSION(OPT_P_ECHO
);
8944 ssl_set_auth_token(p
[1]);
8945 #ifdef ENABLE_MANAGEMENT
8948 management_auth_token(management
, p
[1]);
8952 else if (streq(p
[0], "auth-token-user") && p
[1] && !p
[2])
8954 VERIFY_PERMISSION(OPT_P_ECHO
);
8955 ssl_set_auth_token_user(p
[1]);
8957 else if (streq(p
[0], "single-session") && !p
[1])
8959 VERIFY_PERMISSION(OPT_P_GENERAL
);
8960 options
->single_session
= true;
8962 else if (streq(p
[0], "push-peer-info") && !p
[1])
8964 VERIFY_PERMISSION(OPT_P_GENERAL
);
8965 options
->push_peer_info
= true;
8967 else if (streq(p
[0], "tls-exit") && !p
[1])
8969 VERIFY_PERMISSION(OPT_P_GENERAL
);
8970 options
->tls_exit
= true;
8972 else if (streq(p
[0], "tls-cipher") && p
[1] && !p
[2])
8974 VERIFY_PERMISSION(OPT_P_GENERAL
);
8975 options
->cipher_list
= p
[1];
8977 else if (streq(p
[0], "tls-cert-profile") && p
[1] && !p
[2])
8979 VERIFY_PERMISSION(OPT_P_GENERAL
);
8980 options
->tls_cert_profile
= p
[1];
8982 else if (streq(p
[0], "tls-ciphersuites") && p
[1] && !p
[2])
8984 VERIFY_PERMISSION(OPT_P_GENERAL
);
8985 options
->cipher_list_tls13
= p
[1];
8987 else if (streq(p
[0], "tls-groups") && p
[1] && !p
[2])
8989 VERIFY_PERMISSION(OPT_P_GENERAL
);
8990 options
->tls_groups
= p
[1];
8992 else if (streq(p
[0], "crl-verify") && p
[1] && ((p
[2] && streq(p
[2], "dir"))
8995 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_INLINE
);
8996 if (p
[2] && streq(p
[2], "dir"))
8998 options
->ssl_flags
|= SSLF_CRL_VERIFY_DIR
;
9000 options
->crl_file
= p
[1];
9001 options
->crl_file_inline
= is_inline
;
9003 else if (streq(p
[0], "tls-verify") && p
[1])
9005 VERIFY_PERMISSION(OPT_P_SCRIPT
);
9006 if (!no_more_than_n_args(msglevel
, p
, 2, NM_QUOTE_HINT
))
9010 set_user_script(options
, &options
->tls_verify
,
9011 string_substitute(p
[1], ',', ' ', &options
->gc
),
9012 "tls-verify", true);
9014 #ifndef ENABLE_CRYPTO_MBEDTLS
9015 else if (streq(p
[0], "tls-export-cert") && p
[1] && !p
[2])
9017 VERIFY_PERMISSION(OPT_P_GENERAL
);
9018 options
->tls_export_cert
= p
[1];
9021 else if (streq(p
[0], "compat-names"))
9023 VERIFY_PERMISSION(OPT_P_GENERAL
);
9024 msg(msglevel
, "--compat-names was removed in OpenVPN 2.5. "
9025 "Update your configuration.");
9028 else if (streq(p
[0], "no-name-remapping") && !p
[1])
9030 VERIFY_PERMISSION(OPT_P_GENERAL
);
9031 msg(msglevel
, "--no-name-remapping was removed in OpenVPN 2.5. "
9032 "Update your configuration.");
9035 else if (streq(p
[0], "verify-x509-name") && p
[1] && strlen(p
[1]) && !p
[3])
9037 int type
= VERIFY_X509_SUBJECT_DN
;
9038 VERIFY_PERMISSION(OPT_P_GENERAL
);
9041 if (streq(p
[2], "subject"))
9043 type
= VERIFY_X509_SUBJECT_DN
;
9045 else if (streq(p
[2], "name"))
9047 type
= VERIFY_X509_SUBJECT_RDN
;
9049 else if (streq(p
[2], "name-prefix"))
9051 type
= VERIFY_X509_SUBJECT_RDN_PREFIX
;
9055 msg(msglevel
, "unknown X.509 name type: %s", p
[2]);
9059 options
->verify_x509_type
= type
;
9060 options
->verify_x509_name
= p
[1];
9062 else if (streq(p
[0], "ns-cert-type") && p
[1] && !p
[2])
9064 VERIFY_PERMISSION(OPT_P_GENERAL
);
9065 if (streq(p
[1], "server"))
9067 options
->ns_cert_type
= NS_CERT_CHECK_SERVER
;
9069 else if (streq(p
[1], "client"))
9071 options
->ns_cert_type
= NS_CERT_CHECK_CLIENT
;
9075 msg(msglevel
, "--ns-cert-type must be 'client' or 'server'");
9079 else if (streq(p
[0], "remote-cert-ku"))
9081 VERIFY_PERMISSION(OPT_P_GENERAL
);
9084 for (j
= 1; j
< MAX_PARMS
&& p
[j
] != NULL
; ++j
)
9086 sscanf(p
[j
], "%x", &(options
->remote_cert_ku
[j
-1]));
9090 /* No specific KU required, but require KU to be present */
9091 options
->remote_cert_ku
[0] = OPENVPN_KU_REQUIRED
;
9094 else if (streq(p
[0], "remote-cert-eku") && p
[1] && !p
[2])
9096 VERIFY_PERMISSION(OPT_P_GENERAL
);
9097 options
->remote_cert_eku
= p
[1];
9099 else if (streq(p
[0], "remote-cert-tls") && p
[1] && !p
[2])
9101 VERIFY_PERMISSION(OPT_P_GENERAL
);
9103 if (streq(p
[1], "server"))
9105 options
->remote_cert_ku
[0] = OPENVPN_KU_REQUIRED
;
9106 options
->remote_cert_eku
= "TLS Web Server Authentication";
9108 else if (streq(p
[1], "client"))
9110 options
->remote_cert_ku
[0] = OPENVPN_KU_REQUIRED
;
9111 options
->remote_cert_eku
= "TLS Web Client Authentication";
9115 msg(msglevel
, "--remote-cert-tls must be 'client' or 'server'");
9119 else if (streq(p
[0], "tls-timeout") && p
[1] && !p
[2])
9121 VERIFY_PERMISSION(OPT_P_TLS_PARMS
);
9122 options
->tls_timeout
= positive_atoi(p
[1]);
9124 else if (streq(p
[0], "reneg-bytes") && p
[1] && !p
[2])
9126 VERIFY_PERMISSION(OPT_P_TLS_PARMS
);
9127 options
->renegotiate_bytes
= positive_atoi(p
[1]);
9129 else if (streq(p
[0], "reneg-pkts") && p
[1] && !p
[2])
9131 VERIFY_PERMISSION(OPT_P_TLS_PARMS
);
9132 options
->renegotiate_packets
= positive_atoi(p
[1]);
9134 else if (streq(p
[0], "reneg-sec") && p
[1] && !p
[3])
9136 VERIFY_PERMISSION(OPT_P_TLS_PARMS
);
9137 options
->renegotiate_seconds
= positive_atoi(p
[1]);
9140 options
->renegotiate_seconds_min
= positive_atoi(p
[2]);
9143 else if (streq(p
[0], "hand-window") && p
[1] && !p
[2])
9145 VERIFY_PERMISSION(OPT_P_TLS_PARMS
);
9146 options
->handshake_window
= positive_atoi(p
[1]);
9148 else if (streq(p
[0], "tran-window") && p
[1] && !p
[2])
9150 VERIFY_PERMISSION(OPT_P_TLS_PARMS
);
9151 options
->transition_window
= positive_atoi(p
[1]);
9153 else if (streq(p
[0], "tls-auth") && p
[1] && !p
[3])
9155 int key_direction
= -1;
9157 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_CONNECTION
|OPT_P_INLINE
);
9159 if (permission_mask
& OPT_P_GENERAL
)
9161 options
->tls_auth_file
= p
[1];
9162 options
->tls_auth_file_inline
= is_inline
;
9164 if (!is_inline
&& p
[2])
9166 key_direction
= ascii2keydirection(msglevel
, p
[2]);
9167 if (key_direction
< 0)
9171 options
->key_direction
= key_direction
;
9175 else if (permission_mask
& OPT_P_CONNECTION
)
9177 options
->ce
.tls_auth_file
= p
[1];
9178 options
->ce
.tls_auth_file_inline
= is_inline
;
9179 options
->ce
.key_direction
= KEY_DIRECTION_BIDIRECTIONAL
;
9181 if (!is_inline
&& p
[2])
9183 key_direction
= ascii2keydirection(msglevel
, p
[2]);
9184 if (key_direction
< 0)
9188 options
->ce
.key_direction
= key_direction
;
9192 else if (streq(p
[0], "tls-crypt") && p
[1] && !p
[3])
9194 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_CONNECTION
|OPT_P_INLINE
);
9195 if (permission_mask
& OPT_P_GENERAL
)
9197 options
->tls_crypt_file
= p
[1];
9198 options
->tls_crypt_file_inline
= is_inline
;
9200 else if (permission_mask
& OPT_P_CONNECTION
)
9202 options
->ce
.tls_crypt_file
= p
[1];
9203 options
->ce
.tls_crypt_file_inline
= is_inline
;
9206 else if (streq(p
[0], "tls-crypt-v2") && p
[1] && !p
[3])
9208 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_CONNECTION
|OPT_P_INLINE
);
9209 if (permission_mask
& OPT_P_GENERAL
)
9211 options
->tls_crypt_v2_file
= p
[1];
9212 options
->tls_crypt_v2_file_inline
= is_inline
;
9214 else if (permission_mask
& OPT_P_CONNECTION
)
9216 options
->ce
.tls_crypt_v2_file
= p
[1];
9217 options
->ce
.tls_crypt_v2_file_inline
= is_inline
;
9220 if (p
[2] && streq(p
[2], "force-cookie"))
9222 options
->ce
.tls_crypt_v2_force_cookie
= true;
9224 else if (p
[2] && streq(p
[2], "allow-noncookie"))
9226 options
->ce
.tls_crypt_v2_force_cookie
= false;
9230 msg(msglevel
, "Unsupported tls-crypt-v2 argument: %s", p
[2]);
9233 else if (streq(p
[0], "tls-crypt-v2-verify") && p
[1] && !p
[2])
9235 VERIFY_PERMISSION(OPT_P_GENERAL
);
9236 options
->tls_crypt_v2_verify_script
= p
[1];
9238 else if (streq(p
[0], "x509-track") && p
[1] && !p
[2])
9240 VERIFY_PERMISSION(OPT_P_GENERAL
);
9241 x509_track_add(&options
->x509_track
, p
[1], msglevel
, &options
->gc
);
9243 #ifdef ENABLE_X509ALTUSERNAME
9244 else if (streq(p
[0], "x509-username-field") && p
[1])
9246 /* This option used to automatically upcase the fieldnames passed as the
9247 * option arguments, e.g., "ou" became "OU". Now, this "helpfulness" is
9248 * fine-tuned by only upcasing Subject field attribute names which consist
9249 * of all lower-case characters. Mixed-case attributes such as
9250 * "emailAddress" are left as-is. An option parameter having the "ext:"
9251 * prefix for matching X.509v3 extended fields will also remain unchanged.
9253 VERIFY_PERMISSION(OPT_P_GENERAL
);
9254 for (size_t j
= 1; j
< MAX_PARMS
&& p
[j
] != NULL
; ++j
)
9258 if (strncmp("ext:", s
, 4) != 0)
9261 while (s
[i
] && !isupper(s
[i
]))
9267 while ((*s
= toupper(*s
)) != '\0')
9271 msg(M_WARN
, "DEPRECATED FEATURE: automatically upcased the "
9272 "--x509-username-field parameter to '%s'; please update your"
9273 "configuration", p
[j
]);
9276 else if (!x509_username_field_ext_supported(s
+4))
9278 msg(msglevel
, "Unsupported x509-username-field extension: %s", s
);
9280 options
->x509_username_field
[j
-1] = p
[j
];
9283 #endif /* ENABLE_X509ALTUSERNAME */
9284 #ifdef ENABLE_PKCS11
9285 else if (streq(p
[0], "show-pkcs11-ids") && !p
[3])
9287 char *provider
= p
[1];
9288 bool cert_private
= (p
[2] == NULL
? false : ( atoi(p
[2]) != 0 ));
9290 #ifdef DEFAULT_PKCS11_MODULE
9293 provider
= DEFAULT_PKCS11_MODULE
;
9298 int i
= strtol(provider
, &endp
, 10);
9302 /* There was one argument, and it was purely numeric.
9303 * Interpret it as the cert_private argument */
9304 provider
= DEFAULT_PKCS11_MODULE
;
9308 #else /* ifdef DEFAULT_PKCS11_MODULE */
9311 msg(msglevel
, "--show-pkcs11-ids requires a provider parameter");
9314 #endif /* ifdef DEFAULT_PKCS11_MODULE */
9315 VERIFY_PERMISSION(OPT_P_GENERAL
);
9317 set_debug_level(options
->verbosity
, SDL_CONSTRAIN
);
9318 show_pkcs11_ids(provider
, cert_private
);
9319 openvpn_exit(OPENVPN_EXIT_STATUS_GOOD
); /* exit point */
9321 else if (streq(p
[0], "pkcs11-providers") && p
[1])
9325 VERIFY_PERMISSION(OPT_P_GENERAL
);
9327 for (j
= 1; j
< MAX_PARMS
&& p
[j
] != NULL
; ++j
)
9329 options
->pkcs11_providers
[j
-1] = p
[j
];
9332 else if (streq(p
[0], "pkcs11-protected-authentication"))
9336 VERIFY_PERMISSION(OPT_P_GENERAL
);
9338 for (j
= 1; j
< MAX_PARMS
&& p
[j
] != NULL
; ++j
)
9340 options
->pkcs11_protected_authentication
[j
-1] = atoi(p
[j
]) != 0 ? 1 : 0;
9343 else if (streq(p
[0], "pkcs11-private-mode") && p
[1])
9347 VERIFY_PERMISSION(OPT_P_GENERAL
);
9349 for (j
= 1; j
< MAX_PARMS
&& p
[j
] != NULL
; ++j
)
9351 sscanf(p
[j
], "%x", &(options
->pkcs11_private_mode
[j
-1]));
9354 else if (streq(p
[0], "pkcs11-cert-private"))
9358 VERIFY_PERMISSION(OPT_P_GENERAL
);
9360 for (j
= 1; j
< MAX_PARMS
&& p
[j
] != NULL
; ++j
)
9362 options
->pkcs11_cert_private
[j
-1] = atoi(p
[j
]) != 0 ? 1 : 0;
9365 else if (streq(p
[0], "pkcs11-pin-cache") && p
[1] && !p
[2])
9367 VERIFY_PERMISSION(OPT_P_GENERAL
);
9368 options
->pkcs11_pin_cache_period
= atoi(p
[1]);
9370 else if (streq(p
[0], "pkcs11-id") && p
[1] && !p
[2])
9372 VERIFY_PERMISSION(OPT_P_GENERAL
);
9373 options
->pkcs11_id
= p
[1];
9375 else if (streq(p
[0], "pkcs11-id-management") && !p
[1])
9377 VERIFY_PERMISSION(OPT_P_GENERAL
);
9378 options
->pkcs11_id_management
= true;
9380 #endif /* ifdef ENABLE_PKCS11 */
9381 else if (streq(p
[0], "rmtun") && !p
[1])
9383 VERIFY_PERMISSION(OPT_P_GENERAL
);
9384 options
->persist_config
= true;
9385 options
->persist_mode
= 0;
9387 else if (streq(p
[0], "mktun") && !p
[1])
9389 VERIFY_PERMISSION(OPT_P_GENERAL
);
9390 options
->persist_config
= true;
9391 options
->persist_mode
= 1;
9393 else if (streq(p
[0], "peer-id") && p
[1] && !p
[2])
9395 VERIFY_PERMISSION(OPT_P_PEER_ID
);
9396 options
->use_peer_id
= true;
9397 options
->peer_id
= atoi(p
[1]);
9399 #ifdef HAVE_EXPORT_KEYING_MATERIAL
9400 else if (streq(p
[0], "keying-material-exporter") && p
[1] && p
[2])
9402 int ekm_length
= positive_atoi(p
[2]);
9404 VERIFY_PERMISSION(OPT_P_GENERAL
);
9406 if (strncmp(p
[1], "EXPORTER", 8))
9408 msg(msglevel
, "Keying material exporter label must begin with "
9412 if (streq(p
[1], EXPORT_KEY_DATA_LABEL
))
9414 msg(msglevel
, "Keying material exporter label must not be '"
9415 EXPORT_KEY_DATA_LABEL
"'.");
9417 if (ekm_length
< 16 || ekm_length
> 4095)
9419 msg(msglevel
, "Invalid keying material exporter length");
9423 options
->keying_material_exporter_label
= p
[1];
9424 options
->keying_material_exporter_length
= ekm_length
;
9426 #endif /* HAVE_EXPORT_KEYING_MATERIAL */
9427 else if (streq(p
[0], "allow-recursive-routing") && !p
[1])
9429 VERIFY_PERMISSION(OPT_P_GENERAL
);
9430 options
->allow_recursive_routing
= true;
9432 else if (streq(p
[0], "vlan-tagging") && !p
[1])
9434 VERIFY_PERMISSION(OPT_P_GENERAL
);
9435 options
->vlan_tagging
= true;
9437 else if (streq(p
[0], "vlan-accept") && p
[1] && !p
[2])
9439 VERIFY_PERMISSION(OPT_P_GENERAL
);
9440 if (streq(p
[1], "tagged"))
9442 options
->vlan_accept
= VLAN_ONLY_TAGGED
;
9444 else if (streq(p
[1], "untagged"))
9446 options
->vlan_accept
= VLAN_ONLY_UNTAGGED_OR_PRIORITY
;
9448 else if (streq(p
[1], "all"))
9450 options
->vlan_accept
= VLAN_ALL
;
9454 msg(msglevel
, "--vlan-accept must be 'tagged', 'untagged' or 'all'");
9458 else if (streq(p
[0], "vlan-pvid") && p
[1] && !p
[2])
9460 VERIFY_PERMISSION(OPT_P_GENERAL
|OPT_P_INSTANCE
);
9461 options
->vlan_pvid
= positive_atoi(p
[1]);
9462 if (options
->vlan_pvid
< OPENVPN_8021Q_MIN_VID
9463 || options
->vlan_pvid
> OPENVPN_8021Q_MAX_VID
)
9466 "the parameter of --vlan-pvid parameters must be >= %u and <= %u",
9467 OPENVPN_8021Q_MIN_VID
, OPENVPN_8021Q_MAX_VID
);
9474 int msglevel
= msglevel_fc
;
9475 /* Check if an option is in --ignore-unknown-option and
9476 * set warning level to non fatal */
9477 for (i
= 0; options
->ignore_unknown_option
&& options
->ignore_unknown_option
[i
]; i
++)
9479 if (streq(p
[0], options
->ignore_unknown_option
[i
]))
9487 msg(msglevel
, "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file
, line
, p
[0], PACKAGE_VERSION
);
9491 msg(msglevel
, "Unrecognized option or missing or extra parameter(s): --%s (%s)", p
[0], PACKAGE_VERSION
);