the RFC5705 based key material generation to the current custom
OpenVPN PRF. This feature requires OpenSSL or mbed TLS 2.18+.
+Deprecated features
+-------------------
+``inetd`` has been removed
+ This was a very limited and not-well-tested way to run OpenVPN, on TCP
+ and TAP mode only.
+
+
Overview of changes in 2.5
==========================
Persist replay-protection state across sessions using ``file`` to save
and reload the state.
- This option will strengthen protection against replay attacks,
- especially when you are using OpenVPN in a dynamic context (such as with
- ``--inetd``) when OpenVPN sessions are frequently started and stopped.
-
This option will keep a disk copy of the current replay protection state
(i.e. the most recent packet timestamp and sequence number received from
the remote peer), so that if an OpenVPN session is stopped and
Output logging messages to ``file``, including output to stdout/stderr
which is generated by called scripts. If ``file`` already exists it will
be truncated. This option takes effect immediately when it is parsed in
- the command line and will supersede syslog output if ``--daemon`` or
- ``--inetd`` is also specified. This option is persistent over the entire
+ the command line and will supersede syslog output if ``--daemon``
+ is also specified. This option is persistent over the entire
course of an OpenVPN instantiation and will not be reset by
:code:`SIGHUP`, :code:`SIGUSR1`, or ``--ping-restart``.
ifconfig-ipv6-push ipv6addr/bits ipv6remote
---inetd args
- Valid syntaxes:
- ::
-
- inetd
- inetd wait
- inetd nowait
- inetd wait progname
-
- Use this option when OpenVPN is being run from the inetd or ``xinetd``\(8)
- server.
-
- The :code:`wait` and :code:`nowait` option must match what is specified
- in the inetd/xinetd config file. The :code:`nowait` mode can only be used
- with ``--proto tcp-server`` The default is :code:`wait`. The
- :code:`nowait` mode can be used to instantiate the OpenVPN daemon as a
- classic TCP server, where client connection requests are serviced on a
- single port number. For additional information on this kind of
- configuration, see the OpenVPN FAQ:
- https://community.openvpn.net/openvpn/wiki/325-openvpn-as-a--forking-tcp-server-which-can-service-multiple-clients-over-a-single-tcp-port
-
- This option precludes the use of ``--daemon``, ``--local`` or
- ``--remote``. Note that this option causes message and error output to
- be handled in the same way as the ``--daemon`` option. The optional
- ``progname`` parameter is also handled exactly as in ``--daemon``.
-
- Also note that in ``wait`` mode, each OpenVPN tunnel requires a separate
- TCP/UDP port and a separate inetd or xinetd entry. See the OpenVPN 1.x
- HOWTO for an example on using OpenVPN with xinetd:
- https://openvpn.net/community-resources/1xhowto/
-
--multihome
Configure a multi-homed UDP server. This option needs to be used when a
server has more than one IP address (e.g. multiple interfaces, or
+++ /dev/null
-# This OpenVPN config file
-# is the client side counterpart
-# of xinetd-server-config
-
-dev tun
-ifconfig 10.4.0.1 10.4.0.2
-remote my-server
-port 1194
-user nobody
-secret /root/openvpn/key
-inactive 600
+++ /dev/null
-# An xinetd configuration file for OpenVPN.
-#
-# This file should be renamed to openvpn or something suitably
-# descriptive and copied to the /etc/xinetd.d directory.
-# xinetd can then be made aware of this file by restarting
-# it or sending it a SIGHUP signal.
-#
-# For each potential incoming client, create a separate version
-# of this configuration file on a unique port number. Also note
-# that the key file and ifconfig endpoints should be unique for
-# each client. This configuration assumes that the OpenVPN
-# executable and key live in /root/openvpn. Change this to fit
-# your environment.
-
-service openvpn_1
-{
- type = UNLISTED
- port = 1194
- socket_type = dgram
- protocol = udp
- wait = yes
- user = root
- server = /root/openvpn/openvpn
- server_args = --inetd --dev tun --ifconfig 10.4.0.2 10.4.0.1 --secret /root/openvpn/key --inactive 600 --user nobody
-}
* Output mode priorities are as follows:
*
* (1) --log-x overrides everything
- * (2) syslog is used if --daemon or --inetd is defined and not --log-x
+ * (2) syslog is used if --daemon is defined and not --log-x
* (3) if OPENVPN_DEBUG_COMMAND_LINE is defined, output
* to constant logfile name.
* (4) Output to stdout.
}
}
#else /* if SYSLOG_CAPABILITY */
- msg(M_WARN, "Warning on use of --daemon/--inetd: this operating system lacks daemon logging features, therefore when I become a daemon, I won't be able to log status or error messages");
+ msg(M_WARN, "Warning on use of --daemon: this operating system lacks daemon logging features, therefore when I become a daemon, I won't be able to log status or error messages");
#endif
}
#endif
{
/* received a disconnect from a connection-oriented protocol */
- if (c->options.inetd)
+ if (event_timeout_defined(&c->c2.explicit_exit_notification_interval))
{
- register_signal(c, SIGTERM, "connection-reset-inetd");
- msg(D_STREAM_ERRORS, "Connection reset, inetd/xinetd exit [%d]", status);
+ msg(D_STREAM_ERRORS, "Connection reset during exit notification period, ignoring [%d]", status);
+ management_sleep(1);
}
else
{
- if (event_timeout_defined(&c->c2.explicit_exit_notification_interval))
- {
- msg(D_STREAM_ERRORS, "Connection reset during exit notification period, ignoring [%d]", status);
- management_sleep(1);
- }
- else
- {
- register_signal(c, SIGUSR1, "connection-reset"); /* SOFT-SIGUSR1 -- TCP connection reset */
- msg(D_STREAM_ERRORS, "Connection reset, restarting [%d]", status);
- }
+ register_signal(c, SIGUSR1, "connection-reset"); /* SOFT-SIGUSR1 -- TCP connection reset */
+ msg(D_STREAM_ERRORS, "Connection reset, restarting [%d]", status);
}
}
perf_pop();
if (options->daemon)
{
- ASSERT(!options->inetd);
/* Don't chdir immediately, but the end of the init sequence, if needed */
#if defined(__APPLE__) && defined(__clang__)
#endif
c->options.ce.bind_local,
c->options.ce.remote_float,
- c->options.inetd,
&c->c1.link_socket_addr,
c->options.ipchange,
c->plugins,
}
}
-/*
- * If xinetd/inetd mode, don't allow restart.
- */
-static void
-do_close_check_if_restart_permitted(struct context *c)
-{
- if (c->options.inetd
- && (c->sig->signal_received == SIGHUP
- || c->sig->signal_received == SIGUSR1))
- {
- c->sig->signal_received = SIGTERM;
- msg(M_INFO,
- PACKAGE_NAME
- " started by inetd/xinetd cannot restart... Exiting.");
- }
-}
-
/*
* free buffers
*/
|| c->mode == CM_CHILD_UDP
|| c->mode == CM_TOP)
{
- /* if xinetd/inetd mode, don't allow restart */
- do_close_check_if_restart_permitted(c);
-
#ifdef USE_COMP
if (c->c2.comp_context)
{
#endif
}
-/*
- * dup inetd/xinetd socket descriptor and save
- */
-
-int inetd_socket_descriptor = SOCKET_UNDEFINED; /* GLOBAL */
-
-void
-save_inetd_socket_descriptor(void)
-{
- inetd_socket_descriptor = INETD_SOCKET_DESCRIPTOR;
-#if defined(HAVE_DUP) && defined(HAVE_DUP2)
- /* use handle passed by inetd/xinetd */
- if ((inetd_socket_descriptor = dup(INETD_SOCKET_DESCRIPTOR)) < 0)
- {
- msg(M_ERR, "INETD_SOCKET_DESCRIPTOR dup(%d) failed", INETD_SOCKET_DESCRIPTOR);
- }
- set_std_files_to_null(true);
-#endif
-}
-
/*
* Prepend a random string to hostname to prevent DNS caching.
* For example, foo.bar.gov would be modified to <random-chars>.foo.bar.gov.
#include "buffer.h"
#include "platform.h"
-/* socket descriptor passed by inetd/xinetd server to us */
-#define INETD_SOCKET_DESCRIPTOR 0
-
/* forward declarations */
struct plugin_list;
/* Set standard file descriptors to /dev/null */
void set_std_files_to_null(bool stdin_only);
-/* dup inetd/xinetd socket descriptor and save */
-extern int inetd_socket_descriptor;
-void save_inetd_socket_descriptor(void);
-
/* Make arrays of strings */
const char **make_arg_array(const char *first, const char *parms, struct gc_arena *gc);
" as the program name to the system logger.\n"
"--syslog [name] : Output to syslog, but do not become a daemon.\n"
" See --daemon above for a description of the 'name' parm.\n"
- "--inetd [name] ['wait'|'nowait'] : Run as an inetd or xinetd server.\n"
- " See --daemon above for a description of the 'name' parm.\n"
"--log file : Output log to file which is created/truncated on open.\n"
"--log-append file : Append log to file, or create file if nonexistent.\n"
"--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
SHOW_BOOL(up_restart);
SHOW_BOOL(up_delay);
SHOW_BOOL(daemon);
- SHOW_INT(inetd);
SHOW_BOOL(log);
SHOW_BOOL(suppress_timestamps);
SHOW_BOOL(machine_readable_output);
"--proto tcp-server or --proto tcp-client");
}
- /*
- * Sanity check on daemon/inetd modes
- */
-
- if (options->daemon && options->inetd)
- {
- msg(M_USAGE, "only one of --daemon or --inetd may be specified");
- }
-
- if (options->inetd && (ce->local || ce->remote))
- {
- msg(M_USAGE, "--local or --remote cannot be used with --inetd");
- }
-
- if (options->inetd && ce->proto == PROTO_TCP_CLIENT)
- {
- msg(M_USAGE, "--proto tcp-client cannot be used with --inetd");
- }
-
- if (options->inetd == INETD_NOWAIT && ce->proto != PROTO_TCP_SERVER)
- {
- msg(M_USAGE, "--inetd nowait can only be used with --proto tcp-server");
- }
-
- if (options->inetd == INETD_NOWAIT
- && !(options->tls_server || options->tls_client))
- {
- msg(M_USAGE, "--inetd nowait can only be used in TLS mode");
- }
-
- if (options->inetd == INETD_NOWAIT && dev != DEV_TYPE_TAP)
- {
- msg(M_USAGE, "--inetd nowait only makes sense in --dev tap mode");
- }
-
- if (options->inetd)
- {
- msg(M_WARN,
- "DEPRECATED OPTION: --inetd mode is deprecated and will be removed "
- "in OpenVPN 2.6");
- }
-
if (options->lladdr && dev != DEV_TYPE_TAP)
{
msg(M_USAGE, "--lladdr can only be used in --dev tap mode");
{
msg(M_USAGE, "--shaper cannot be used with --mode server");
}
- if (options->inetd)
- {
- msg(M_USAGE, "--inetd cannot be used with --mode server");
- }
if (options->ipchange)
{
msg(M_USAGE,
{
#ifdef _WIN32
const int dev = dev_type_enum(options->dev, options->dev_type);
-#endif
- /*
- * In forking TCP server mode, you don't need to ifconfig
- * the tap device (the assumption is that it will be bridged).
- */
- if (options->inetd == INETD_NOWAIT)
- {
- options->ifconfig_noexec = true;
- }
-
-#ifdef _WIN32
/* when using wintun, kernel doesn't send DHCP requests, so don't use it */
if (options->windows_driver == WINDOWS_DRIVER_WINTUN
&& (options->tuntap_options.ip_win32_type == IPW32_SET_DHCP_MASQ || options->tuntap_options.ip_win32_type == IPW32_SET_ADAPTIVE))
}
}
}
- else if (streq(p[0], "inetd") && !p[3])
- {
- VERIFY_PERMISSION(OPT_P_GENERAL);
- if (!options->inetd)
- {
- int z;
- const char *name = NULL;
- const char *opterr = "when --inetd is used with two parameters, one of them must be 'wait' or 'nowait' and the other must be a daemon name to use for system logging";
-
- options->inetd = -1;
-
- for (z = 1; z <= 2; ++z)
- {
- if (p[z])
- {
- if (streq(p[z], "wait"))
- {
- if (options->inetd != -1)
- {
- msg(msglevel, "%s", opterr);
- goto err;
- }
- else
- {
- options->inetd = INETD_WAIT;
- }
- }
- else if (streq(p[z], "nowait"))
- {
- if (options->inetd != -1)
- {
- msg(msglevel, "%s", opterr);
- goto err;
- }
- else
- {
- options->inetd = INETD_NOWAIT;
- }
- }
- else
- {
- if (name != NULL)
- {
- msg(msglevel, "%s", opterr);
- goto err;
- }
- name = p[z];
- }
- }
- }
-
- /* default */
- if (options->inetd == -1)
- {
- options->inetd = INETD_WAIT;
- }
-
- save_inetd_socket_descriptor();
- open_syslog(name, true);
- }
- }
else if (streq(p[0], "log") && p[1] && !p[2])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
int remap_sigusr1;
- /* inetd modes defined in socket.h */
- int inetd;
-
bool log;
bool suppress_timestamps;
bool machine_readable_output;
#endif
bool bind_local,
bool remote_float,
- int inetd,
struct link_socket_addr *lsa,
const char *ipchange_command,
const struct plugin_list *plugins,
sock->http_proxy = http_proxy;
sock->socks_proxy = socks_proxy;
sock->bind_local = bind_local;
- sock->inetd = inetd;
sock->resolve_retry_seconds = resolve_retry_seconds;
sock->mtu_discover_type = mtu_discover_type;
{
ASSERT(accept_from);
ASSERT(sock->info.proto == PROTO_TCP_SERVER);
- ASSERT(!sock->inetd);
sock->sd = accept_from->sd;
/* inherit (possibly guessed) info AF from parent context */
sock->info.af = accept_from->info.af;
if (sock->http_proxy)
{
ASSERT(sock->info.proto == PROTO_TCP_CLIENT);
- ASSERT(!sock->inetd);
/* the proxy server */
sock->remote_host = http_proxy->options.server;
/* or in Socks proxy mode? */
else if (sock->socks_proxy)
{
- ASSERT(!sock->inetd);
-
/* the proxy server */
sock->remote_host = socks_proxy->server;
sock->remote_port = socks_proxy->port;
}
}
- /* were we started by inetd or xinetd? */
- if (sock->inetd)
- {
- ASSERT(sock->info.proto != PROTO_TCP_CLIENT);
- ASSERT(socket_defined(inetd_socket_descriptor));
- sock->sd = inetd_socket_descriptor;
- set_cloexec(sock->sd); /* not created by create_socket*() */
- }
- else if (mode != LS_MODE_TCP_ACCEPT_FROM)
+ if (mode != LS_MODE_TCP_ACCEPT_FROM)
{
if (sock->bind_local)
{
}
}
-static
-void
-phase2_inetd(struct link_socket *sock, const struct frame *frame,
- const char *remote_dynamic, volatile int *signal_received)
-{
- bool remote_changed = false;
-
- if (sock->info.proto == PROTO_TCP_SERVER)
- {
- /* AF_INET as default (and fallback) for inetd */
- sock->info.lsa->actual.dest.addr.sa.sa_family = AF_INET;
-#ifdef HAVE_GETSOCKNAME
- {
- /* inetd: hint family type for dest = local's */
- struct openvpn_sockaddr local_addr;
- socklen_t addrlen = sizeof(local_addr);
- if (getsockname(sock->sd, &local_addr.addr.sa, &addrlen) == 0)
- {
- sock->info.lsa->actual.dest.addr.sa.sa_family = local_addr.addr.sa.sa_family;
- dmsg(D_SOCKET_DEBUG, "inetd(%s): using sa_family=%d from getsockname(%d)",
- proto2ascii(sock->info.proto, sock->info.af, false),
- local_addr.addr.sa.sa_family, (int)sock->sd);
- }
- else
- {
- int saved_errno = errno;
- msg(M_WARN|M_ERRNO, "inetd(%s): getsockname(%d) failed, using AF_INET",
- proto2ascii(sock->info.proto, sock->info.af, false), (int)sock->sd);
- /* if not called with a socket on stdin, --inetd cannot work */
- if (saved_errno == ENOTSOCK)
- {
- msg(M_FATAL, "ERROR: socket required for --inetd operation");
- }
- }
- }
-#else /* ifdef HAVE_GETSOCKNAME */
- msg(M_WARN, "inetd(%s): this OS does not provide the getsockname() "
- "function, using AF_INET",
- proto2ascii(sock->info.proto, false));
-#endif /* ifdef HAVE_GETSOCKNAME */
- sock->sd =
- socket_listen_accept(sock->sd,
- &sock->info.lsa->actual,
- remote_dynamic,
- sock->info.lsa->bind_local,
- false,
- sock->inetd == INETD_NOWAIT,
- signal_received);
- }
- ASSERT(!remote_changed);
-}
-
static void
phase2_set_socket_flags(struct link_socket *sock)
{
const int msglevel = (sock->mode == LS_MODE_TCP_ACCEPT_FROM) ? D_INIT_MEDIUM : M_INFO;
/* print local address */
- if (sock->inetd)
- {
- msg(msglevel, "%s link local: [inetd]", proto2ascii(sock->info.proto, sock->info.af, true));
- }
- else if (sock->bind_local)
+ if (sock->bind_local)
{
sa_family_t ai_family = sock->info.lsa->actual.dest.addr.sa.sa_family;
/* Socket is always bound on the first matching address,
remote_dynamic = sock->remote_host;
}
- /* were we started by inetd or xinetd? */
- if (sock->inetd)
- {
- phase2_inetd(sock, frame, remote_dynamic, &sig_info->signal_received);
- if (sig_info->signal_received)
- {
- goto done;
- }
+ /* Second chance to resolv/create socket */
+ resolve_remote(sock, 2, &remote_dynamic, &sig_info->signal_received);
- }
- else
+ /* If a valid remote has been found, create the socket with its addrinfo */
+ if (sock->info.lsa->current_remote)
{
- /* Second chance to resolv/create socket */
- resolve_remote(sock, 2, &remote_dynamic, &sig_info->signal_received);
+ create_socket(sock, sock->info.lsa->current_remote);
+ }
- /* If a valid remote has been found, create the socket with its addrinfo */
- if (sock->info.lsa->current_remote)
- {
- create_socket(sock, sock->info.lsa->current_remote);
- }
+ /* If socket has not already been created create it now */
+ if (sock->sd == SOCKET_UNDEFINED)
+ {
+ /* If we have no --remote and have still not figured out the
+ * protocol family to use we will use the first of the bind */
- /* If socket has not already been created create it now */
- if (sock->sd == SOCKET_UNDEFINED)
+ if (sock->bind_local && !sock->remote_host && sock->info.lsa->bind_local)
{
- /* If we have no --remote and have still not figured out the
- * protocol family to use we will use the first of the bind */
-
- if (sock->bind_local && !sock->remote_host && sock->info.lsa->bind_local)
+ /* Warn if this is because neither v4 or v6 was specified
+ * and we should not connect a remote */
+ if (sock->info.af == AF_UNSPEC)
{
- /* Warn if this is because neither v4 or v6 was specified
- * and we should not connect a remote */
- if (sock->info.af == AF_UNSPEC)
- {
- msg(M_WARN, "Could not determine IPv4/IPv6 protocol. Using %s",
- addr_family_name(sock->info.lsa->bind_local->ai_family));
- sock->info.af = sock->info.lsa->bind_local->ai_family;
- }
-
- create_socket(sock, sock->info.lsa->bind_local);
+ msg(M_WARN, "Could not determine IPv4/IPv6 protocol. Using %s",
+ addr_family_name(sock->info.lsa->bind_local->ai_family));
+ sock->info.af = sock->info.lsa->bind_local->ai_family;
}
- }
- /* Socket still undefined, give a warning and abort connection */
- if (sock->sd == SOCKET_UNDEFINED)
- {
- msg(M_WARN, "Could not determine IPv4/IPv6 protocol");
- sig_info->signal_received = SIGUSR1;
- goto done;
+ create_socket(sock, sock->info.lsa->bind_local);
}
+ }
- if (sig_info->signal_received)
- {
- goto done;
- }
+ /* Socket still undefined, give a warning and abort connection */
+ if (sock->sd == SOCKET_UNDEFINED)
+ {
+ msg(M_WARN, "Could not determine IPv4/IPv6 protocol");
+ sig_info->signal_received = SIGUSR1;
+ goto done;
+ }
- if (sock->info.proto == PROTO_TCP_SERVER)
- {
- phase2_tcp_server(sock, remote_dynamic,
- &sig_info->signal_received);
- }
- else if (sock->info.proto == PROTO_TCP_CLIENT)
- {
- phase2_tcp_client(sock, sig_info);
+ if (sig_info->signal_received)
+ {
+ goto done;
+ }
- }
- else if (sock->info.proto == PROTO_UDP && sock->socks_proxy)
- {
- phase2_socks_client(sock, sig_info);
- }
+ if (sock->info.proto == PROTO_TCP_SERVER)
+ {
+ phase2_tcp_server(sock, remote_dynamic,
+ &sig_info->signal_received);
+ }
+ else if (sock->info.proto == PROTO_TCP_CLIENT)
+ {
+ phase2_tcp_client(sock, sig_info);
+
+ }
+ else if (sock->info.proto == PROTO_UDP && sock->socks_proxy)
+ {
+ phase2_socks_client(sock, sig_info);
+ }
#ifdef TARGET_ANDROID
- if (sock->sd != -1)
- {
- protect_fd_nonlocal(sock->sd, &sock->info.lsa->actual.dest.addr.sa);
- }
+ if (sock->sd != -1)
+ {
+ protect_fd_nonlocal(sock->sd, &sock->info.lsa->actual.dest.addr.sa);
+ }
#endif
- if (sig_info->signal_received)
- {
- goto done;
- }
+ if (sig_info->signal_received)
+ {
+ goto done;
}
phase2_set_socket_flags(sock);
struct cached_dns_entry *dns_cache;
bool bind_local;
-#define INETD_NONE 0
-#define INETD_WAIT 1
-#define INETD_NOWAIT 2
- int inetd;
-
#define LS_MODE_DEFAULT 0
#define LS_MODE_TCP_LISTEN 1
#define LS_MODE_TCP_ACCEPT_FROM 2
#endif
bool bind_local,
bool remote_float,
- int inetd,
struct link_socket_addr *lsa,
const char *ipchange_command,
const struct plugin_list *plugins,
projects / thirdparty / openvpn.git / commitdiff
