Gert Doering [Fri, 3 Feb 2012 16:11:03 +0000 (17:11 +0100)]
Implement IPv6 interface config with non-/64 prefix lengths.
Add "ifconfig_ipv6_netbits_parm" parameter to init_tun(), use that to
initialize tt->netbits_ipv6 (previously: always /64). Actual interface
setup code already used tt->netbits_ipv6, so no changes needed there.
Remove restrictions on "/netbits" value for --server-ipv6 config option
(can now be /64.../112, previously had to be exactly /64). Supporting
even smaller networks could cause problems with ipv6-pool handling and
are only allowed for explicit "ifconfig-ipv6", not for "server-ipv6".
Add /netbits to pushed "ifconfig-ipv6" values on server side (client
side always accepted this, but ignored it so far, so this does not
break compatibility).
Tested on Linux/ifconfig, Linux/iproute2 and FreeBSD 7.4
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
James Yonan [Mon, 26 Dec 2011 00:18:50 +0000 (00:18 +0000)]
Added support for "on-link" routes on Linux client
These are routes where the gateway is specified as an interface rather
than an address. This allows redirect-gateway to work on Linux clients
whose connection to the internet is via a point-to-point link such as
PPP.
Note that at the moment, this capability is incompatible with
the "redirect-gateway block-local" directive -- this is because
the block-local directive blocks all traffic from the local LAN
except for the local and gateway addresses. Since a PPP link
is essentially a subnet of two addresses, local and remote (i.e.
gateway), the set of addresses that would be blocked by block-local
is empty. Therefore, the "redirect-gateway block-local" directive
will be ignored on PPP links.
To view the OpenVPN client's current determination of the default
gateway, use this command:
./openvpn --show-gateway
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7794 e7ae566f-a301-0410-adde-c780ea21d3b5 Signed-off-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
This patchs adds a script/plug-in hook which is called right before the
network routes are taken down. This gives external processes a
possibility to tear down communication over the VPN before the VPN
disappears.
One use case can be to mount a networked file system over the VPN via
--route-up. And then to unmount this file system via --route-pre-down
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sun, 22 Jan 2012 21:21:22 +0000 (23:21 +0200)]
Platform cleanup for FreeBSD
- cleanup TUN/TAP devices at program end ("ifconfig ... destroy")
- make TUN device setup for "topology subnet" work together with IPv6
(setup correct netmask and route, but do not use IFF_BROADCAST)
There's one catch for FreeBSD 8.2 if you use pf(4): it will block IPv6
fragments by default, so the standard t_client.sh test sets fail unless
you specifically add "pass in on tun1 fragment" rules - but there's
nothing OpenVPN can do about it.
Tested with IPv4 and IPv6 on 7.4-RELEASE/amd64 and 8.2-RELEASE/amd64
Signed-off-by: Gert Doering <gert@greenie.muc.de>
URL: http://thread.gmane.org/gmane.network.openvpn.devel/5303 Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
David Sommerseth [Mon, 16 Jan 2012 11:00:33 +0000 (12:00 +0100)]
Don't check for file presence on inline files
The configuration file supports inline files for --ca, --cert, --dh,
--extra-certs, --key, --pkcs12, --secret and --tls-auth. When this
is used, the filename is set to [[INLINE]] (defined by INLINE_FILE_TAG).
If the filename is set to INLINE_FILE_TAG for these options, don't
call check_file_access().
[v2 Simplify the code, using a flag to check_file_access()]
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Sat, 14 Jan 2012 11:34:59 +0000 (12:34 +0100)]
Fix pool logging when IPv6 is not enabled
If IPv6 tunnelling is not enabled, a bogus IPv6 address would be
printed in the log, like this:
MULTI_sva: pool returned IPv4=10.8.0.4, IPv6=2180:8:2100:0:d4b4:f11d:18bf:2f00
It turns out that the remote_ipv6 buffer was not cleared. Added
an extra check to also replace a "IPv6=::" log message with
information that the IPv6 feature is disabled in these cases.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Wed, 11 Jan 2012 13:52:21 +0000 (14:52 +0100)]
autotools ./configure don't like compat.h
The compat.h include file cannot be loaded when ./configure runs,
as many of the HAVE_* declarations are not set. This makes test
compilations when looking for features fail.
As ./configure will load syshead.h, it pulls in compat.h this way.
Looking more carefully at syshead.h, there's a #ifndef PACKAGE_NAME
check if config.h should be included. This looks like a check if
syshead.h is loaded via ./configure or if it is a more normal
compilation. Moving the compat.h inclusion into this #ifndef block.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Mon, 21 Nov 2011 15:17:44 +0000 (16:17 +0100)]
Fix compilation errors on Linux platforms without SO_MARK
When trying to compile OpenVPN on RHEL5/CentOS5, it would fail
due to missing declaration of SO_MARK. SO_MARK is a feature which
first arrived in 2.6.26, and was never backported to RHEL5's 2.6.18
kernel base.
This patch adds a check at configure time, to see if SO_MARK is
available or not.
Signed-off-by: David Sommerseth <davids@redhat.com>
David Sommerseth [Wed, 11 Jan 2012 14:30:28 +0000 (15:30 +0100)]
New Windows build fixes
compat.c: In basename() a typo had gone undetected through the review process,
and also that the declaration was a little bit different from what's defined in
compat.h
misc.c: commit 9449e6a9eba30c9ed054f57d630a88c9f087080f adds #include <unistd.h>.
This breaks building on Windows. As unistd.h is already loaded via syshead.h on
systems where unistd.h exists, we don't need it here.
Signed-off-by: David Sommerseth <davids@redhat.com> Tested-by: Samuli Seppänen <samuli@openvpn.net>
Visual Studio does not enable certiain standard Unix functions,
such as access(). By defining _CRT_NONSTDC_NO_WARNINGS and
_CRT_SECURE_NO_WARNINGS, these functions are enabled.
This patch also adds a ./configure check for access() as well,
in case this needs to be implemented on other platforms lacking
this feature. Which is why HAVE_ACCESS is defined in win/config.h.in
Thanks to Alon Bar-Lev for helping solving this.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de>
URL: http://thread.gmane.org/gmane.network.openvpn.devel/5179/focus=5200
Move away from openvpn_basename() over to platform provided basename()
This kicks out the openvpn_basename() function from misc.[ch] and puts
glibc equivalents into compat.[ch]. This is to provide the same
functionality on platforms not having a native basename() function
available.
In addition this patch adds dirname() which commit 0f2bc0dd92f43c91e
depends. Without dirname(), openvpn won't build in Visual Studio.
v2: Move all functions from compat.h to compat.c
v3: Use glibc versions of basename() and dirname() instead
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Alon Bar-Lev <alon.barlev@gmail.com>
URL: http://thread.gmane.org/gmane.network.openvpn.devel/5178/focus=5215
If openvpn_execve() is not able to fork(), it would not make any noise
about it. So this patch adds a log notification if this happens.
In addition, if openvpn_execve() is called with an empty argv array,
it should exit instantly. This is not expected to happen at all and
might indicate a much more serious issue (or programming error)
somewhere else in the code. Thus, abort execution to get these issues
flushed out as quickly as possible.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Fri, 30 Dec 2011 20:42:13 +0000 (21:42 +0100)]
Fix list-overrun checks in copy_route_[ipv6_]option_list()
The old code checks how many items are in use(!) in the source
list, but then copies the full list over the destination memory
arena. Check the source list *capacity*.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Gert Doering [Fri, 30 Dec 2011 20:08:49 +0000 (21:08 +0100)]
Fix build-up of duplicate IPv6 routes on reconnect.
options.c: extend pre_pull_save() and pre_pull_restore() to
save/restore options->routes_ipv6 as well
options.h: add routes_ipv6 to "struct options_pre_pull"
route.h, route.c: add clone_route_ipv6_option_list() and
copy_route_ipv6_option_list() helper functions
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
James Yonan [Thu, 3 Nov 2011 02:03:35 +0000 (02:03 +0000)]
Fixed client issues with DHCP Router option extraction/deletion when
using layer 2 with DHCP proxy:
* Extract/delete Router option from both DHCPOFFER and DHCPACK
messages. Prevously we only considered DHCPACK messages.
With DHCPACK messages, we extract the Router IP for
use as the vpn_gateway, as well as delete the Router option from
the DHCP message. For DHCPOFFER, we only delete the Router
message.
* Monitor all DHCPOFFER and DHCPACK messages for possible Router
options needing to be extracted/deleted. Previously, we turned
off monitoring after the first successful extraction/deletion
from a DHCPACK message.
* Previously, we deleted Router options by padding them with DHCP
PAD options. This has proven not to work with some DHCP clients,
so we now delete the message entirely, and add PADs to the end of
the message so as not to change its length.
* In some cases, UDP checksum was not being correctly updated for
modified DHCP packets.
To properly use this feature on Linux, after tunnel comes up,
run these commands:
Don't look for 'stdin' file when using --auth-user-pass
This argument allows the keyword 'stdin' to indicate that the input
is to be read from the stdin. Don't check for file existence if the
file name is set to 'stdin'
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Thu, 24 Nov 2011 21:45:21 +0000 (22:45 +0100)]
Fix bug after removing Linux 2.2 support
In commit ce637abdafdc19547fc97192033a4d1703ecaf23 the Linux 2.2 support
was removed. When this happened an extra error check was avoided which
would normally kicked in if the tun/tap device would not be available.
Instead the following line was filling the log continously:
Thu Nov 24 22:33:15 2011 read from TUN/TAP : File descriptor in bad state (code=77)
This patch changes the msg() declarations to use the M_FATAL *) flag,
which will halt the execution of the program in these error sitauations.
As the program will really halt, the return declarations was also removed.
Gert Doering [Thu, 24 Nov 2011 20:09:36 +0000 (21:09 +0100)]
work around inet_ntop/inet_pton problems for MSVC builds on WinXP
always use our built-in replacement functions now, even if building
on Win7 (which has inet_ntop/inet_pton in the system libraries) because
the resulting binary will then fail on WinXP.
Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
David Sommerseth [Thu, 16 Jun 2011 15:27:06 +0000 (17:27 +0200)]
Do some file/directory tests before really starting openvpn
OpenVPN can handle over 30 different files and directories, and it is easy
to misconfigure some of them. In many situations OpenVPN will even start
running, even with a wrong file path or without the proper permissions, and
then it will complain much later on. In some cases the error being seen at
this late point might even be difficult to relate to a configuration option.
This patch tries to catch as many of these files as soon as possible, kind of
to "smoke-test" the files and directories to avoid the most likely errors.
Trac-ticket: 73 Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Fri, 18 Nov 2011 12:21:43 +0000 (13:21 +0100)]
Make '--win-sys env' default
Without this patch, the default path used by OpenVPN is hard coded
to C:\WINDOWS. As users might install Windows in a different directory,
this approach will cause OpenVPN to malfunction in some configurations.
OpenVPN have supported using the system path, by adding --win-sys env.
This patch removes the hard coded approach and uses the --win-sys env
approach by default instead.
Trac-ticket: 66
URL: http://thread.gmane.org/gmane.network.openvpn.user/32508 Signed-off-by: David Sommerseth <davids@redhat.com> Tested-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth [Mon, 21 Nov 2011 11:49:33 +0000 (12:49 +0100)]
Fix FreeBSD/OpenBSD/NetBSD compiler warnings in get_default_gateway()
On these platforms (including DragonFly), get_default_gateway() would in some
cases return false. As get_default_gateway() is defined as a void function, and
none of the callers expect a return value -> just return without any value.
Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
Samuli Seppänen [Wed, 9 Nov 2011 09:49:36 +0000 (11:49 +0200)]
Fixed a regression causing VS2008/Python build failure
Patch "Added options to switch between OpenSSL and PolarSSL and PKCS11" caused a
regression when building OpenVPN with Visual Studio 2008/Python build system.
The underlying cause was a wrong path to lzo2.lib.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: Adriaan de Jong <dejong@fox-it.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Mon, 31 Oct 2011 15:29:20 +0000 (16:29 +0100)]
Minor cleanup to enable warning-free Windows build:
- Changed int32_t to size_t
- Removed some unused variables
- Added missing include files
- changed ordering to ensure variable declarations are before asserts
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Tested-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Gert Doering [Thu, 10 Nov 2011 19:15:44 +0000 (20:15 +0100)]
add missing break between "case IPv4" and "case IPv6", leading to the
minimum-size for IPv6 being applied to IPv4 packets, subsequently
leading to drop of small-sized IPv4 packets.
Bug found & fixed by Christian Niessner.
Signed-off-by: Christian Niessner <bug-report@secadm.de> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Mon, 24 Oct 2011 08:46:00 +0000 (10:46 +0200)]
Got rid of a few magic numbers in ntlm.c
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Sun, 16 Oct 2011 13:56:31 +0000 (15:56 +0200)]
Moved to PolarSSL 1.0.0:
- Reversed des_key_check_weak output check, as the library changed this
- Changed POLARSSL_MODE_CFB to POLARSSL_MODE_CFB128
- Changed the bio write function to accept const input
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Thu, 7 Jul 2011 08:05:32 +0000 (10:05 +0200)]
Further improvements to plugin support:
- Renamed struct entries to explicitly show them as disabled
- Added a warning if USE_SSL is enabled, but neither ssl_verify_openssl.h or ssl_verify_polarssl.h is included
- If neither of those files is included, disable ssl support for a plugin including openvpn-plugin.h
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Tue, 5 Jul 2011 10:46:33 +0000 (12:46 +0200)]
Added SSL library to title string
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Tue, 5 Jul 2011 08:32:09 +0000 (10:32 +0200)]
Removed support for management external keys in PolarSSL
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Tue, 5 Jul 2011 08:16:46 +0000 (10:16 +0200)]
Disable CryptoAPI when not using OpenSSL, and document that fact.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Tue, 5 Jul 2011 08:05:32 +0000 (10:05 +0200)]
Added warning that --capath is not available with PolarSSL
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Tue, 5 Jul 2011 08:02:40 +0000 (10:02 +0200)]
Added a warning that the PolarSSL library does not support pkcs12 files.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Sat, 2 Jul 2011 12:28:56 +0000 (14:28 +0200)]
Updated ssl_polarssl.c to work with 0.99-pre5
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Sat, 2 Jul 2011 12:28:17 +0000 (14:28 +0200)]
Changed PolarSSL crypto backend to support v0.99-pre5
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Sat, 2 Jul 2011 09:00:49 +0000 (11:00 +0200)]
Added SHA_DIGEST_SIZE definition
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Fri, 1 Jul 2011 15:31:44 +0000 (17:31 +0200)]
Fixed a bug in the hash generation in ssl_verify_openssl.c
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong [Fri, 1 Jul 2011 12:15:11 +0000 (14:15 +0200)]
Added PolarSSL support:
- Crypto library
- SSL library
- PKCS#11 support
For missing features, please see README.polarssl
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com>
projects / thirdparty / openvpn.git / log
