Lev Stipakov [Wed, 17 Sep 2025 09:05:48 +0000 (11:05 +0200)]
openvpnserv: Fix writing messages to the event log
There are two problems with the current implementation:
- due to a code bug, we never display the actual error message
corresponding to the Windows error code. We use
FORMAT_MESSAGE_ALLOCATE_BUFFER, in which case we must pass
a pointer to the LPTSTR, not the LPTSTR itself.
- The error is not displayed in the "General" tab, which is very confusing.
One needs to go to the "Details" tab to see what is wrong.
This commit solves both problems. We now display a proper error
message in addition to the text provided by the service ("what went wrong").
While on it, remove trailing symbols in a safer way.
To display the message in the "General" tab, we create a registered message file
(openvpnservmsg.dll), which contains the message template. Note that this requires
changes to the installer - we need to install the new DLL and
add a registry entry.
Gert Doering [Wed, 17 Sep 2025 12:07:15 +0000 (14:07 +0200)]
dev-tools/gerrit-send-mail.py: include Gerrit URL into the commit message
We used to reference one of the mailing list archives as the formal
reference for the patch and the review discussions. With the problematic
reliability of the archives, I've started to manually add the URLs in
the OpenVPN Gerrit to the commits because they give a better reference
and (usually) all the feedback is there in a useful format.
So, enhance this dev-tool script to do this automatically.
Change-Id: Idb137ecbade4b0584a4d74aee34978062e247bc5
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1196
Message-Id: <20250917120720.30738-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59234672/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The dco_check_option_ce(), for dco_win, checked only
the global protocol of the current connection entry,
but now it should be extended to the local_list
and since dco_win does not support more than 1
socket, checking the first entry of the local_list
will be enough.
Change-Id: I74e2b6aed3c7454e897db57f777e6a191be3d87f
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20250912131056.42342-1-frank@lichtenheld.com>
URL: https://sourceforge.net/p/openvpn/mailman/message/59232442/
URL: https://gerrit.openvpn.net/c/openvpn/+/1173
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Fri, 12 Sep 2025 13:22:35 +0000 (15:22 +0200)]
Preserve --dhcp-option values from local config
Commit
2dfc4f8 ("dns: deal with --dhcp-options when --dns is active")
has changed how --dhcp-option values are stored. Instead of
storing them directly in tuntap_options, they are now stored in
dns_options->from_dhcp.
Before connect, we save options before --pull is applied, and for that
we call clone_dns_options(). However, this failed to clone the
"from_dhcp" struct, and as a result, the values of --dhcp-option from
the local config have been lost.
Fix by adding shallow-copying of dhcp_options to clone_dns_options(). It
is safe to do because it only contains fixed-size arrays, scalar types
and pointers to the strings which this struct doesn't own.
dco: add standard mi prefix handling to multi_process_incoming_dco()
Our code generally expects functions that deal with a multi instance
to set up a log prefix at the beginning with set_prefix(mi) and clear
it at the end with clear_prefix().
Add the calls to multi_process_incoming_dco() in a similar way to
what is done for multi_process_incoming_link() - handling "link
events" and "dco events" the same, with correct prefix in the
function and no leftover prefix afterwards.
Github: closes OpenVPN/openvpn#799
Change-Id: I1ad5df0f6785ffe9becd9f83329a9335d1a36f24
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250911201222.25382-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32859.html
URL: https://gerrit.openvpn.net/c/openvpn/+/1116
Signed-off-by: Gert Doering <gert@greenie.muc.de>
On Windows, multi-socket support failed with mixed protocols due
to repeated socket_set() calls, which caused accept() to be triggered
before having an event to process. This fix skips socket_set()
calls for non-UDP sockets in MODE_SERVER inside multi_io_process_flags().
Change-Id: Ia389fcec50fb2bbc0aa5ad41a2c23c17c04e6e9b
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20250912131207.42597-1-frank@lichtenheld.com>
URL: https://sourceforge.net/p/openvpn/mailman/message/59232443/
URL: https://gerrit.openvpn.net/c/openvpn/+/1174
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Sun, 7 Sep 2025 21:12:46 +0000 (23:12 +0200)]
replace assert() calls with ASSERT()
OpenVPN's ASSERT() macro will do a bit more than the standard-libc
assert() call, namely print out which function and what expression
failed, before calling _exit(1). Also, it can not be accidentally
compiled-away (-DNDEBUG).
Use of ASSERT() is generally only advised in cases of "this must not
happen, but if it does, it's a programming or state corruption error
that we must know about". Use of assert() lacks the extra debug
info, and as such, is not advised at all.
Change-Id: I6480d6f741c2368a0d951004b91167d5943f8f9d
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: mandree <matthias.andree@gmx.de>
Message-Id: <20250907211252.23924-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32824.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 3 Sep 2025 17:03:39 +0000 (19:03 +0200)]
OpenVPN Release 2.7_beta1
version.m4, ChangeLog, Changes.rst
Changes.rst has not received a "2.7_beta1" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta releases
it's better to look at git log to see what has been added/fixed.
New features alpha3 -> beta1 are
- a large number of signed/unsigned related warnings have been fixed
- bugfixes in --dns-updown script for linux systems using resolvconf
- rewrite of the management interface "bytecount" infrastructure to better
interact with DCO
- PUSH_UPDATE server support (via management interface)
- introduction of route_redirect_gateway_ipv4 and _ipv6 env variables
- speeding up t_client tests by reducing per-test startup delay 3s -> 1s
The biggest noticeable difference in beta1 is the reformatting using
clang-format, leaving uncrustify as that wasn't stable across versions.
Marco Baffo [Wed, 3 Sep 2025 16:48:20 +0000 (18:48 +0200)]
PUSH_UPDATE message sender: enabling the server to send PUSH_UPDATE control messages
Using the management interface you can now target one or more clients
(via broadcast or via cid) and send a PUSH_UPDATE control message
to update some options. See doc/management-notes.txt for details.
Change-Id: Ie82bcc7a8e583de9156b185d71d1a323ed8df3fc
Signed-off-by: Marco Baffo <marco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250903164826.13284-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32807.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
management: stop bytecount on client disconnection
When a management interface client requests periodic bytecount
notifications, openvpn continues to emit them even after the client has
disconnected. Additionally, upon reconnecting, the client starts
receiving these notifications without having issued a new bytecount
command.
Stop the periodic bytecount operation when the management interface
client disconnects, preventing unnecessary stats polling when using DCO
and ensuring that clients only receive notifications they have
explicitly requested.
Change-Id: I1474d232278433d097baf85352dfc9a79853bad1
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250902163514.22339-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32765.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco_linux: validate tun interface before fetching stats
If dco_get_peer_stats() is called with an uninitialized c->c1.tuntap it
results in a segfault. This issue happens when a client that has not
connected to any server:
- has --management and exits,
- has --management and a management interface client issues either
`bytecount` or `status` or
- if SIGUSR2 is sent to it.
Add a check to ensure the tun interface was set up before attempting to
retrieve peer statistics.
Change-Id: I40c11864745cc1619cb9cbf490b168f90feb5eac
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250902164521.23145-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32768.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
On messages printed for async DCO events, the currently-set mi prefix
does not (always) belong to the peer that the async messages refer to,
creating confusion.
To avoid this, the M_NOIPREFIX flag is now used along with msglevel.
Change-Id: I84a73d625c79d6a6a19122e48c91960dbe01ec49
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250902115954.29021-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59228149/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
management: resync timer on bytecount interval change
coarse_timer_wakeup tracks when the next timer-driven task will occur.
If a user issues `bytecount n` via the management interface, but the
next scheduled wakeup is more than n seconds away, bandwidth logging
will be delayed until that timer fires.
To ensure timely logging, reset the timer whenever a new `bytecount`
command is received. This guarantees that logging begins exactly n
seconds after the command, matching the user-defined interval.
Change-Id: Ic0035d52e0ea123398318870d2f4d21af927a602
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250902160050.18640-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59228306/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Tue, 2 Sep 2025 10:36:01 +0000 (12:36 +0200)]
Refactor management bytecount tracking
There are a few issues with it:
- when using DCO, the server part doesn't output BYTECOUNT_CLI since
process_incoming_link_part1/process_outgoing_link are not called
- when using DCO, the server part applies the bytecount timer to each
connection, unnecessarily making too many calls to the kernel and also
uses incorrect BYTECOUNT output.
- client part outputs counters using timer, server part utilizes
traffic activity -> inconsistency
The following changes have been made:
- Use a timer to output counters in client and server mode. Code which
deals with bytecount on traffic activity has been removed. This unifies
DCO and non-DCO, as well as client and server mode
- In server mode, peer stats are fetched with a single ioctl call
- Per-packet stats are not persisted anymore in the client mode during
traffic activity. Instead cumulative stats (including DCO stats) are
persisted when the session closes.
GitHub: closes OpenVPN/openvpn#820
Change-Id: I43a93f0d84f01fd808a64115e1b8c3b806706491
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250902103606.22181-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59228150/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Tue, 2 Sep 2025 12:25:36 +0000 (14:25 +0200)]
dco-win: add support for multipeer stats
Use the new driver API to fetch per-peer link and VPN byte counters
in both client and server modes.
Two usage modes are supported:
- Single peer: pass the peer ID and a fixed-size output buffer. If the
IOCTL is not supported (old driver), fall back to the legacy API.
- All peers: first call the IOCTL with a small output buffer to get
the required size, then allocate a buffer and call again to fetch
stats for all peers.
Change-Id: I525d7300e49f9a5a18e7146ee35ccc2af8184b8a
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250902122542.31023-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32744.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Tue, 26 Aug 2025 18:40:38 +0000 (20:40 +0200)]
Introduce env variables to communicate desired gateway redirection to NM.
When run under Network Manager control, OpenVPN is not allowed to
control routing. Instead, NM uses the OpenVPN-set environment variables
("route_network_1" etc) to set up routes as requested. This method never
worked properly for "redirect-gateway", as the information was not made
available in environment variables.
<not set> = no gateway redirection desired
1 = "redirect-gateway for that protocol in question"
2 = "include block-local to redirect the local LAN as well"
We intentionally do not expose all the IPv4 flags ("local", "def1", ...)
as this is really internal OpenVPN historical cruft.
Change-Id: I1e623b4a836f7216750867243299c7e4d0bd32d0
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250826184046.21434-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32686.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 19 Aug 2025 21:22:09 +0000 (23:22 +0200)]
Check message id/acked ids too when doing sessionid cookie checks
This fixes an issue where control packets from a floating client can
trigger the creation of a new session in special circumstances:
To trigger this circumstance a connection needs to
- start on IP A
- successfully float to IP B by data packet
- then have a control packet from IP A before any
data packet can trigger the float back to IP A
and all of this needs to happen within the 60s
that the hmac cookie is valid in the default
configuration.
In this scenario we would trigger a new connection as the HMAC
session id would be valid.
This patch adds checking also of the message-id and acked ids to
discern packets from the initial three-way handshake where these
ids are 0 or 1 from any later packet.
This will now trigger (at verb 4 or higher) a message like:
Packet (P_ACK_V1) with invalid or missing SID
instead.
Also remove a few duplicated free_tls_pre_decrypt_state in test_ssl.
Reported-By: Walter Doekes <walter.openvpn@wjd.nu>
Tested-By: Walter Doekes <walter.openvpn@wjd.nu>
Change-Id: I6752dcd5aff3e5cea2b439366479e86751a1c403
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: MaxF <max@max-fillinger.net>
Message-Id: <20250819212214.16218-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32626.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Previously we ignored the second argument to --hash-size.
This bug is older than the openvpn git repository, but
clearly this is not an option often used (or at all).
Change-Id: Ibec7ffb9085503f72e79514776042bc310384f13
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250822205223.3492-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32658.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 20 Aug 2025 17:54:53 +0000 (19:54 +0200)]
Remove use of 'dh dh2048.pem' from sample configs, remove 'dh2048.pem' file
Since commit bd9aa06feb41 (Jan 2015) OpenVPN has allowed using
'--dh none' to disable traditional Diffie Hellman, since more secure
ECDH algorithms are available that do not use explicit DH parameters.
If configured with a sufficiently high securelevel (3+), or if running in
FIPS mode, OpenSSL 3.5 will refuse 2048 bit DH files, making our tests
fail.
Thus, remove all the DH2048 stuff from our sample configs.
Github: triggered by OpenVPN/openvpn#819
Change-Id: If66438662bd862a195b2a69c4fa45f63838982b7 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250820175459.11227-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32632.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Mon, 18 Aug 2025 16:46:08 +0000 (18:46 +0200)]
dns: fix systemd dns-updown script
In the resolvconf part of the script there was one instance of a dynamic
variable using _* left. The _* ones do not work like the regular ones, but
only when you directly place them within ${!}, not indirectly using a
variable.
Convert the code to use a loop and a check, like in all the other places
in the script.
Change-Id: Id800cad0e92e0abc0d96079fdb5a9d57578e1446
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250818164608.39836-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32621.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
t_client.sh: Do not wait 3 seconds for OpenVPN to come up
On most machines 1 second should be quite enough. Given
that we currently run 23 tests on most t_client runs, this
makes over 40 seconds difference. Not nothing.
We keep the existing 30s maximum wait-time since sometimes
we want to do tests with intentionally slow servers.
Change-Id: Ice8c7ff4d8118a9e6465a4724207a355138360b8
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250807203741.31359-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32585.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
In some cases an actual ColumnLimit leads to unfortunate
formatting. So leave the decision to developers after all.
This commit contains:
- changes that clang-format did as reaction to the config
change
- manual cleanups of these changes
- manual cleanup of some previous changes done
with ColumnLimit 100
Change-Id: Ibd900adfc775b7f785f1d5630184a124f5d8ff4b
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250805132706.27619-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32523.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Sun, 3 Aug 2025 14:49:45 +0000 (16:49 +0200)]
Log setting DNS via NRPT
Unlike other ways of setting DNS, we don't log anything
when we use NRPT. Since dco-win/--dns is the recommended
configuration and it uses NRPT to set DNS, let's log it.
Change-Id: Ib2f30fe69cb676e347e4d59cd2db68db7568ba5b
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250803144950.21034-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32480.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Update GPL header in all source files to current recommended version
This removes the postal address of the FSF and replaces
it with their URL.
Mostly generated with
sed -i -e 's@if not, write to the Free Software Foundation, Inc.,\
@if not, see <https://www.gnu.org/licenses/>.@'
sed -i -e '/51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA/d'
sed -i -e '/59 Temple Place, Suite 330, Boston, MA 02111-1307 USA/d'
With some manual fix-ups afterwards.
Change-Id: Ic3959970fa9ab993e98d4b38c025fd0efc7b92f2
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250803145126.23494-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32481.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Thu, 31 Jul 2025 06:51:26 +0000 (08:51 +0200)]
OpenVPN Release 2.7_alpha3
version.m4, ChangeLog, Changes.rst
Changes.rst has not received a "2.7_alpha3" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta releases
it's better to look at git log to see what has been added/fixed.
New features alpha2 -> alpha3 are
- --dns-updown script for macOS
- client-side support for PUSH_UPDATE handling
- support for floating TLS clients when DCO is active
(handling float notifications sent from kernel to userland)
- use of user-defined routing tables on Linux
- PQE support for WolfSSL
Besides new features, alpha3 sees a rewrite of the way kernel events
are handled by the linux DCO module, because under certain circumstances
notifications could get lost, leading to problems later.
Lev Stipakov [Thu, 31 Jul 2025 12:24:05 +0000 (14:24 +0200)]
Fix DNS options duplication on PUSH_UPDATE
Commit
2dfc4f ("dns: deal with --dhcp-options when --dns is active")
has removed reset of tuntap DNS options. Due to that, incoming --dns
options are added to existing ones instead of overwriting them.
It has also added a new storage for --dhcp-option. The push-update
code didn't clear it and as a result, incoming --dhcp-option options
were added to existing ones instead of overwriting them.
Fixed by:
- resetting tuntap DNS options (regression from the above-mentioned commit)
- clearing dhcp options storage in push-update code
GitHub: fixes OpenVPN/openvpn#804
Change-Id: Ife4d8fc5f8e2183e61226d66a76bbaa02c06f787
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Heiko Hund <heiko@openvpn.net>
Message-Id: <20250731122410.12200-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32448.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Update systemd service name param to match command
The service name displays `%I` which invokes systemd's path mangling
(notably, converting `-` to `/`), suggesting you need to provide an
encoded parameter (via e.g. `systemd-escape`), but the start command
itself uses `%i` which doesn't do the conversion.
This updates the service name to match the start command.
Signed-off-by: Terrance <git@terrance.allofti.me>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250729180014.11550-2-sourceforge@terrance.allofti.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32423.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Thu, 31 Jul 2025 10:48:27 +0000 (12:48 +0200)]
Fix --dns options for TAP adapter
Commit
2dfc4f ("dns: deal with --dhcp-options when --dns is active")
has accidentally removed setting of the DHCP_OPTIONS_DHCP_OPTIONAL
flag when copying --dns options. This flag is required to apply options
via DHCP string, which we do for TAP adapter. As a result, --dns options
stopped working for TAP.
Fix by setting this flag when copying --dns options to tuntap_options.
Change-Id: Id95cd14095a03afb3140a03ae96e9f5679e4fe89
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250731104833.23305-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32436.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Wed, 30 Jul 2025 18:04:26 +0000 (20:04 +0200)]
Fix broken DHCP options
Commit
2dfc4f ("dns: deal with --dhcp-options when --dns is active")
broke support for --dhcp-options. It removed the setting of the
DHCP_OPTIONS_DHCP_OPTIONAL flag for some DHCP options. This flag is
required for those options to be applied correctly, as it is used
when building the DHCP options string that is passed to the TAP driver.
This commit fixes the issue by restoring the setting of this flag.
GitHub: fixes OpenVPN/openvpn#791
Change-Id: I0d75efcceb826d06e74abd003d5377468ff9fe3b
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250730180527.25339-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32427.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
To support link-local (IPv6) addresses we must pass the scope to the kernel as
well. We should also extract it from the kernel notification for float events.
Signed-off-by: Kristof Provost <kprovost@netgate.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250729093857.37832-1-kprovost@netgate.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32401.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Marco Baffo [Tue, 29 Jul 2025 10:41:01 +0000 (12:41 +0200)]
PUSH_UPDATE: Added update_option() function.
When the function receives an option to update, it first checks whether it has
already received an option of the same type within the same update message.
If it has already received it, it simply calls add_option(), otherwise it
deletes all the values already present for that option first.
Change-Id: Ia45c99e6df7b3ad24020c10b8a9b3577984ecdc2
Signed-off-by: Marco Baffo <marco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250729104110.27704-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32408.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Marco Baffo [Tue, 29 Jul 2025 10:40:50 +0000 (12:40 +0200)]
PUSH_UPDATE: Added remove_option() and do_update().
* Added remove_option() function and some utility functions to remove options at
runtime following the push-update logic.
* Added do_update() function to close and reopen the tun and apply option updates.
Change-Id: I507180d7397b6959844a30908010132bc3411067
Signed-off-by: Marco Baffo <marco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250729104056.27634-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32407.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Marco Baffo [Tue, 29 Jul 2025 10:40:39 +0000 (12:40 +0200)]
PUSH_UPDATE: Allow OpenVPN in client mode to receive and handle PUSH UPDATE control messages to allow options updating at runtime.
* Added IV_PROTO_PUSH_UPDATE flag bit to support push-updates.
* Added process_incoming_push_update(), in a separate file to create tests more easily.
* Modified incoming_push_message(), process_incoming_push_msg(), apply_push_options(),
apply_pull_filter() to process also push-update messages.
* Added the check_push_update_option_flags() function used in apply_pull_filter() to
check options formatting inside push-update messages, whether the options are updatable
and to check for '?' and '-' flags that may be present in front of the options.
The '-' flag is used to indicate that the option in question should be removed,
while the '?' indicates that the option is optional and not to generate
errors if the client cannot update that option.
For more info you can read the RFC at https://github.com/OpenVPN/openvpn-rfc .
* Created some unit tests for the push-update message handling in test_push_update_msg.c.
Change-Id: I6ecd4cb47571cc8c20e46de8595c742aeec6064a
Signed-off-by: Marco Baffo <marco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250729104045.27582-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32406.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco-freebsd: always enable float notification support
If the kernel doesn't support it we'll simply never get the notification. In
other words, there's no downside to always enabling this, so let's do that.
Signed-off-by: Kristof Provost <kprovost@netgate.com>
Message-Id: <20250729093907.37849-1-kprovost@netgate.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32402.html
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This was relatively complex for the actual usage.
Looked at the code because of -Wconversion warnings
related to the len argument. So this should also be
gone.
Change-Id: I7efc77f63734501dfa8a8f5bed17b1a1b4e9e201
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250728125647.26992-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32396.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Mon, 28 Jul 2025 08:42:49 +0000 (10:42 +0200)]
mudp.c, multi.c, multi_io.c: get rid of 'all three DCO platforms' #ifdefs
With commit b66b80b2a all three platforms with DCO support have DCO float
notifications now, so the #ifdef inside multi_process_incoming_dco() is
no longer needed.
Also, the whole notification block (process_incoming_del_peer() and
multi_process_incoming_dco()) was surrounded by an
#ifdef ENABLE_DCO "and all 3 platforms"
which is also not making sense anymore (if we add a fourth DCO platform,
we need to aim for having "all notifications from day 1", at least having
the stubs and defines).
Last but not least, the event stuff in mudp.c and multi_io.c had grown the
same construct - and we'll need events for any future DCO platform, too.
So, fix those #ifdefs as well, while at it.
Change-Id: I6977d23b5289eba5db436608e0500216e0e689ec
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Message-Id: <20250728084255.1824-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32377.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This patch is intended to reduce code duplication and
clean up the DCO code around the PEER_GET command.
Specifically it:
* unified PEER_GET reply parser for `multi` and
`non-multi` case
* unified PEER_GET request trigger for `multi` and
`non-multi` case
* dropped struct multi_context from the argument list of
dco_get_peer_stats_multi()
Github: closes OpenVPN/openvpn#800
Change-Id: Icbc70225d53ca678b8c22ed437b424c16e199d66
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250727102245.24931-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32361.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
add flag to print addresses in a consistent format during float
Introduce the MAPF_SHOW_FAMILY flag to prepend the address family to the
address when printing an mroute_addr object, similar to
print_sockaddr_ex(). This ensures that when logging a float operation,
both the old and new addresses are printed in the same format:
$proto:[$family]$address:$port.
Note: when using this flag with an IPv4-mapped IPv6 address, the output
will appear as: [AF_INET6]a.b.c.d
Change-Id: I43cd3d564d8c6ad4e41de5a38130d90cb6778395
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250725194147.17517-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32345.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Currently whenever we send a PEER_GET request to ovpn, we also
set the CB that is supposed to parse the reply.
However, due to the async nature of netlink messages, we could
get an unrelated notification, sent by ovpn (kernel) upon some event,
after userland has set the CB, but before parsing the awaited reply.
When this happens, the notification is then parsed with the
configured CB instead of the notification parser, thus effectively
rejecting the notification and losing the event.
To fix this inconsistency, make ovpn_handle_msg() the default and
only netlink parser CB. It is configured upon DCO initialization
and is never removed.
ovpn_handle_msg() will check the message type and will call the
corresponding handler. This way, no matter what message we get at
what time, we'll always parse it correctly.
As a bonus we can also simplify the nl_sendmsg() API as we
don't need to pass the cb and its argument anymore.
The ID of the NLCTRL family is now also stored in the DCO
context as we need it to check when we receive a mcast ID
lookup message.
Change-Id: I23ad79e14844aefde9ece34dadef0b75ff267201
Github: closes OpenVPN/openvpn#793
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250725172708.19456-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32339.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
ovpn_handle_msg() is soon becoming the main entry point for parsing
*all* incoming netlink messages. For this reason it is essential
that this function is kept simple and slim.
Move all code parsing netlink multicast notifications to their own
helpers and then invoke them.
This patch does not introduce any functional change.
It is intended in preparation for extending ovpn_handle_msg() to
become a generic netlink message parser.
Change-Id: I7bbc40b7b66f6e0512cd2cf9791766bcc4970461
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250723153224.13708-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32298.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Future DCO code will require accessing the `multi` member of the
context object.
For this reason a pointer to the context has to be stored in the
DCO context along with the rest.
At this point, rather than making the call to ovpn_dco_init()
longer with more and more parameters, pass the struct context
only and let the implementation extract the needed fields.
Change-Id: I673a17f8c5dec66cc6c28c1ed44780a7a63927d7
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250723133918.19431-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32293.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
In preparation for the implementation of a generic netlink
message parser, move all parsing functions above ovpn_handle_msg().
The latter is soon going to become a generic message parser which
will invoke specific handlers, thus they are required to be defined
earlier in the file.
No functional change is intended.
This patch is only meant to reduce entropy in the patch which will do
the real netlink parser change.
Better reviewed with: git show --color-moved
Change-Id: I94004579aef4a1ccccdbcf8edd7b722e5a611c72
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250723060747.19524-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32263.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
dco_linux: use M_FATAL instead of M_ERR in netlink error code paths
Netlink code doesn't set errno upon error (with the exception of
any *alloc() function which probably inherits the errno=ENOMEM
from the underlying malloc call), therefore we should not print
error messages with M_ERR, but rather rely on M_FATAL.
M_ERR is equivalent to M_FATAL with the addition of appending
": $errno" to the error string.
Since errno is not meaningful in this context, we can just opt
for the less confusing M_FATAL.
Change-Id: Ifc442b4426c02de7282d0f69629e8a10b679c589
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250723063039.25449-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32271.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Extend the log message printed when an instance floats to an address
already taken by another instance with the same certificate. The updated
message now includes the instance being closed, the reason it's being
closed, and the new instance taking over that address.
Change-Id: I217cfb319b85fd75a88f7d4d50c374d28771df28
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250718191702.9451-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32226.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Multi-socket: Fix assert triggered by stale peer-id reuse
Fixed a bug where clients using different transport
protocols (UDP, TCP) could interfere with each other
after a server restart.
The issue occurred when a client reused a previously
assigned peer-id that was now associated with a
different client using a different transport protocol.
For example, a UDP client could send packets with a
peer-id now assigned to a TCP client, which lacks
a valid context->c2.from which is filled by the
recvfrom(), causing an assert to be triggered.
A protocol check has been added to prevent packets
from different protocols from hijacking active
connections.
Github: OpenVPN/openvpn#773
Change-Id: Iecbbcf32c0059f2b16a05333b3794599060d7d6a
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250718185559.4515-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32220.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When a peer changes its UDP endpoint, the DCO module emits a
notification to userspace. The message is parsed and the relevant
information is extracted in order to process the floating operation.
Note that we preserve IPv4-mapped IPv6 addresses in userspace when
receiving a pure IPv4 address from the module, otherwise openvpn
wouldn't be able to retrieve the multi_instance using the transport
address hash table lookup.
It may happen that a netlink notification gets lost, causing us to skip
a float step. If the peer then floats back to its previous address,
userspace closes the only valid instance while trying to process the
float, leading to a segfault. To prevent this, we ignore float attempts
to an address already taken by a peer with the same peer ID.
Change-Id: I33e9272b4196c7634db2fb33a75ae4261660867f
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20250718122230.14008-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32210.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
configure.ac: Remove use of PKCS11_HELPER_LIBS in mbedTLS checks
This code was copied over and over for many years,
since commit 9a3f670248d6f519a399e65a7232e2196b5115db
("Fixed autoconf script to properly detect missing pkcs11
with polarssl"). It is unclear what exact purpose it
served back then but probably it is obsolete. It is
definitely wrong since it means that you get
PKCS11_HELPER_LIBS even if you do not specify
--enable-pkcs11.
Change-Id: I317be5253d6563906dd3826421dc81f737beba76
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250716151857.385959-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32187.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
In case more than one openvpn connection is coming up or going down at
the same time, there is potential for breakage, since the operations
performed are not atomic.
Introduce a locking mechanism, which lets scripts run in sequence, to
prevent races between them.
Change-Id: I7adfaa08df6a17545cca8264d7230b5e65e49719
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250711100700.241668-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32108.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
In case anything changed the global DNS server addresses, while the
tunnel was connected, do not restore the backup of the global DNS
configuration we made when connecting. Doing so would likely change
DNS to something unexpected. Instead just clear the backup and leave
a message in the log.
Change-Id: I1aabd62e60dd18408a57baccbb0f4ebd6d2f8d67
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250711152309.286177-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32110.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 15 Jul 2025 12:29:49 +0000 (14:29 +0200)]
Cleanup/simplify mbed TLS related define from autoconf
Instead of a custom logic using 0/1 to be defined when the functions
are present or not, use the standard check and adjust the source code
accordingly.
Also do not compile the mbed key helper with MBEDTLS_SSL_KEYING_MATERIAL_EXPORT.
The helper methods are only used when we don't have
MBEDTLS_SSL_KEYING_MATERIAL_EXPORT and mbedtls_ssl_export_keying_material.
Remove AEAD check that tests for presence of mbedtls_cipher_write_tag
and mbedtls_cipher_check_tag. Having an mbed TLS version that does not
support that is highly unlikely. It might have been a good check in
PolarSSL's time but is no longer today.
This also adds some missing support for mbed 2.x related defines to
cmake based build.
Change-Id: I0f325800ebeb20bd5ef3ff78e5c5fcf0f6f74efd
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250715122957.22311-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32145.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When connections go up and down there are situations where search
domains of a split DNS connection are either lost, or survive the
lifetime of the connection. This can happen when there is also a
connection that modifies the global DNS setting. When it backs up the
global settings before modifying them, or when it restores the backup,
the search domains could contain or miss VPN domains from other
connections, leading to misconfiguration.
The fix is to also update the backed-up search domains when a split DNS
connection comes up or goes down. That way the backup is always up to
date and restoring it will keep the global search domains as expected.
Change-Id: Ide2cddad193c636eb440c9752751176dae0a6897
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250714160903.7479-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32127.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
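The backup policy described in the two DNS commits above (refuse to restore a backup once something else has changed global DNS, and keep the backed-up search domains in step with split-DNS connections), modelled as an added Python example; this is not the project's own DNS script code, and the class, method names and addresses are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class DnsConfig:
    servers: list  # resolver addresses
    search: list   # search domains


class GlobalDns:
    """Simulated system-wide DNS state plus the backup taken by a full-tunnel connection.
    Constructed model of the policy, not the project's implementation."""

    def __init__(self, servers, search):
        self.current = DnsConfig(list(servers), list(search))
        self.backup = None      # original global config, while a full tunnel is up
        self.applied = None     # the servers we set, to detect outside changes later
        self.log = []

    def global_up(self, servers, search):
        # A connection replacing global DNS: back up the current config first.
        if self.backup is None:
            self.backup = DnsConfig(list(self.current.servers), list(self.current.search))
        self.current = DnsConfig(list(servers), list(self.backup.search) + list(search))
        self.applied = list(servers)

    def global_down(self):
        if self.backup is None:
            return
        if self.current.servers != self.applied:
            # Someone else changed global DNS while the tunnel was connected:
            # restoring the stale backup would set DNS to something unexpected.
            self.log.append("global DNS changed while connected, not restoring backup")
            self.backup = None
            return
        self.current = self.backup
        self.backup = None

    def split_up(self, domains):
        # Split DNS only adds search domains; mirror the change into the backup
        # so a later restore does not drop them.
        self.current.search += list(domains)
        if self.backup is not None:
            self.backup.search += list(domains)

    def split_down(self, domains):
        # Remove from the backup as well, or the domains would outlive the connection.
        self.current.search = [d for d in self.current.search if d not in domains]
        if self.backup is not None:
            self.backup.search = [d for d in self.backup.search if d not in domains]
```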