2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
8 * Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
29 #include <tap-windows.h>
41 #include "networking.h"
42 #include "ring_buffer.h"
46 #define WINTUN_COMPONENT_ID "wintun"
47 #define DCO_WIN_REFERENCE_STRING "ovpn-dco"
49 enum windows_driver_type
{
50 WINDOWS_DRIVER_UNSPECIFIED
,
51 WINDOWS_DRIVER_TAP_WINDOWS6
,
52 WINDOWS_DRIVER_WINTUN
,
57 #if defined(_WIN32) || defined(TARGET_ANDROID)
59 #define TUN_ADAPTER_INDEX_INVALID ((DWORD)-1)
61 /* time constants for --ip-win32 adaptive */
62 #define IPW32_SET_ADAPTIVE_DELAY_WINDOW 300
63 #define IPW32_SET_ADAPTIVE_TRY_NETSH 20
65 /* bit flags for DHCP options */
66 #define DHCP_OPTIONS_DHCP_OPTIONAL (1<<0)
67 #define DHCP_OPTIONS_DHCP_REQUIRED (1<<1)
69 struct tuntap_options
{
70 /* --ip-win32 options */
71 bool ip_win32_defined
;
75 #define IPW32_SET_MANUAL 0 /* "--ip-win32 manual" */
76 #define IPW32_SET_NETSH 1 /* "--ip-win32 netsh" */
77 #define IPW32_SET_IPAPI 2 /* "--ip-win32 ipapi" */
78 #define IPW32_SET_DHCP_MASQ 3 /* "--ip-win32 dynamic" */
79 #define IPW32_SET_ADAPTIVE 4 /* "--ip-win32 adaptive" */
87 /* --ip-win32 dynamic options */
88 bool dhcp_masq_custom_offset
;
92 /* --tap-sleep option */
95 /* --dhcp-option options */
99 const char *domain
; /* DOMAIN (15) */
101 const char *netbios_scope
; /* NBS (47) */
103 int netbios_node_type
; /* NBT 1,2,4,8 (46) */
105 #define N_DHCP_ADDR 4 /* Max # of addresses allowed for
109 in_addr_t dns
[N_DHCP_ADDR
];
113 in_addr_t wins
[N_DHCP_ADDR
];
117 in_addr_t ntp
[N_DHCP_ADDR
];
121 in_addr_t nbdd
[N_DHCP_ADDR
];
124 #define N_SEARCH_LIST_LEN 10 /* Max # of entries in domin-search list */
126 /* SEARCH (119), MacOS, Linux, Win10 1809+ */
127 const char *domain_search_list
[N_SEARCH_LIST_LEN
];
128 int domain_search_list_len
;
130 /* DISABLE_NBT (43, Vendor option 001) */
134 bool dhcp_pre_release
;
138 struct in6_addr dns6
[N_DHCP_ADDR
];
140 #if defined(TARGET_ANDROID)
141 const char *http_proxy
;
146 #elif defined(TARGET_LINUX)
148 struct tuntap_options
{
153 #elif defined(TARGET_FREEBSD)
155 struct tuntap_options
{
159 #else /* if defined(_WIN32) || defined(TARGET_ANDROID) */
161 struct tuntap_options
{
162 int dummy
; /* not used */
163 bool disable_dco
; /* not used, but removes the need in #ifdefs */
166 #endif /* if defined(_WIN32) || defined(TARGET_ANDROID) */
169 * Define a TUN/TAP dev.
174 #define TUNNEL_TYPE(tt) ((tt) ? ((tt)->type) : DEV_TYPE_UNDEF)
175 int type
; /* DEV_TYPE_x as defined in proto.h */
177 #define TUNNEL_TOPOLOGY(tt) ((tt) ? ((tt)->topology) : TOP_UNDEF)
178 int topology
; /* one of the TOP_x values */
180 bool did_ifconfig_setup
;
181 bool did_ifconfig_ipv6_setup
;
183 bool persistent_if
; /* if existed before, keep on program end */
185 struct tuntap_options options
; /* options set on command line */
187 char *actual_name
; /* actual name of TUN/TAP dev, usually including unit number */
189 /* ifconfig parameters */
191 in_addr_t remote_netmask
;
193 struct in6_addr local_ipv6
;
194 struct in6_addr remote_ipv6
;
199 struct overlapped_io reads
;
200 struct overlapped_io writes
;
201 struct rw_handle rw_handle
;
203 /* used for setting interface address via IP Helper API
204 * or DHCP masquerade */
205 bool ipapi_context_defined
;
207 ULONG ipapi_instance
;
208 in_addr_t adapter_netmask
;
210 /* Windows adapter index for TAP-Windows adapter,
214 enum windows_driver_type windows_driver
;
217 HANDLE wintun_send_ring_handle
;
218 HANDLE wintun_receive_ring_handle
;
219 struct tun_ring
*wintun_send_ring
;
220 struct tun_ring
*wintun_receive_ring
;
221 #else /* ifdef _WIN32 */
222 int fd
; /* file descriptor for TUN/TAP dev */
223 #endif /* ifdef _WIN32 */
225 #ifdef TARGET_SOLARIS
229 #ifdef HAVE_NET_IF_UTUN_H
232 /* used for printing status info only */
233 unsigned int rwflags_debug
;
239 tuntap_defined(const struct tuntap
*tt
)
242 return tt
&& tt
->hand
!= NULL
;
244 return tt
&& tt
->fd
>= 0;
250 tuntap_is_wintun(struct tuntap
*tt
)
252 return tt
&& tt
->windows_driver
== WINDOWS_DRIVER_WINTUN
;
256 tuntap_ring_empty(struct tuntap
*tt
)
258 return tuntap_is_wintun(tt
) && (tt
->wintun_send_ring
->head
== tt
->wintun_send_ring
->tail
);
263 * Function prototypes
266 void open_tun(const char *dev
, const char *dev_type
, const char *dev_node
,
267 struct tuntap
*tt
, openvpn_net_ctx_t
*ctx
);
269 void close_tun(struct tuntap
*tt
, openvpn_net_ctx_t
*ctx
);
271 void tun_open_device(struct tuntap
*tt
, const char *dev_node
,
272 const char **device_guid
, struct gc_arena
*gc
);
274 void close_tun_handle(struct tuntap
*tt
);
276 int write_tun(struct tuntap
*tt
, uint8_t *buf
, int len
);
278 int read_tun(struct tuntap
*tt
, uint8_t *buf
, int len
);
280 void tuncfg(const char *dev
, const char *dev_type
, const char *dev_node
,
281 int persist_mode
, const char *username
,
282 const char *groupname
, const struct tuntap_options
*options
,
283 openvpn_net_ctx_t
*ctx
);
285 const char *guess_tuntap_dev(const char *dev
,
286 const char *dev_type
,
287 const char *dev_node
,
288 struct gc_arena
*gc
);
290 struct tuntap
*init_tun(const char *dev
, /* --dev option */
291 const char *dev_type
, /* --dev-type option */
292 int topology
, /* one of the TOP_x values */
293 const char *ifconfig_local_parm
, /* --ifconfig parm 1 */
294 const char *ifconfig_remote_netmask_parm
, /* --ifconfig parm 2 */
295 const char *ifconfig_ipv6_local_parm
, /* --ifconfig parm 1 / IPv6 */
296 int ifconfig_ipv6_netbits_parm
, /* --ifconfig parm 1 / bits */
297 const char *ifconfig_ipv6_remote_parm
, /* --ifconfig parm 2 / IPv6 */
298 struct addrinfo
*local_public
,
299 struct addrinfo
*remote_public
,
300 const bool strict_warn
,
302 openvpn_net_ctx_t
*ctx
,
305 void init_tun_post(struct tuntap
*tt
,
306 const struct frame
*frame
,
307 const struct tuntap_options
*options
);
309 void do_ifconfig_setenv(const struct tuntap
*tt
,
313 * do_ifconfig - configure the tunnel interface
315 * @param tt the tuntap interface context
316 * @param ifname the human readable interface name
317 * @param mtu the MTU value to set the interface to
318 * @param es the environment to be used when executing the commands
319 * @param ctx the networking API opaque context
321 void do_ifconfig(struct tuntap
*tt
, const char *ifname
, int tun_mtu
,
322 const struct env_set
*es
, openvpn_net_ctx_t
*ctx
);
325 * undo_ifconfig - undo configuration of the tunnel interface
327 * @param tt the tuntap interface context
328 * @param ctx the networking API opaque context
330 void undo_ifconfig(struct tuntap
*tt
, openvpn_net_ctx_t
*ctx
);
332 bool is_dev_type(const char *dev
, const char *dev_type
, const char *match_type
);
334 int dev_type_enum(const char *dev
, const char *dev_type
);
336 const char *dev_type_string(const char *dev
, const char *dev_type
);
338 const char *ifconfig_options_string(const struct tuntap
*tt
, bool remote
, bool disable
, struct gc_arena
*gc
);
340 bool is_tun_p2p(const struct tuntap
*tt
);
342 void check_subnet_conflict(const in_addr_t ip
,
343 const in_addr_t netmask
,
346 void warn_on_use_of_common_subnets(openvpn_net_ctx_t
*ctx
);
349 * Should ifconfig be called before or after
353 #define IFCONFIG_BEFORE_TUN_OPEN 0
354 #define IFCONFIG_AFTER_TUN_OPEN 1
356 #define IFCONFIG_DEFAULT IFCONFIG_AFTER_TUN_OPEN
361 #if defined(TARGET_LINUX)
362 return IFCONFIG_AFTER_TUN_OPEN
;
363 #elif defined(TARGET_SOLARIS)
364 return IFCONFIG_AFTER_TUN_OPEN
;
365 #elif defined(TARGET_OPENBSD)
366 return IFCONFIG_AFTER_TUN_OPEN
;
367 #elif defined(TARGET_DARWIN)
368 return IFCONFIG_AFTER_TUN_OPEN
;
369 #elif defined(TARGET_NETBSD)
370 return IFCONFIG_AFTER_TUN_OPEN
;
371 #elif defined(_WIN32)
372 return IFCONFIG_AFTER_TUN_OPEN
;
373 #elif defined(TARGET_ANDROID)
374 return IFCONFIG_BEFORE_TUN_OPEN
;
375 #else /* if defined(TARGET_LINUX) */
376 return IFCONFIG_DEFAULT
;
380 #define ROUTE_BEFORE_TUN 0
381 #define ROUTE_AFTER_TUN 1
382 #define ROUTE_ORDER_DEFAULT ROUTE_AFTER_TUN
387 #if defined(TARGET_ANDROID)
388 return ROUTE_BEFORE_TUN
;
390 return ROUTE_ORDER_DEFAULT
;
400 enum windows_driver_type windows_driver
;
401 struct tap_reg
*next
;
408 struct panel_reg
*next
;
411 struct device_instance_id_interface
413 LPBYTE net_cfg_instance_id
;
414 const char *device_interface
;
415 struct device_instance_id_interface
*next
;
418 int ascii2ipset(const char *name
);
420 const char *ipset2ascii(int index
);
422 const char *ipset2ascii_all(struct gc_arena
*gc
);
424 void verify_255_255_255_252(in_addr_t local
, in_addr_t remote
);
426 const IP_ADAPTER_INFO
*get_adapter_info_list(struct gc_arena
*gc
);
428 const IP_ADAPTER_INFO
*get_tun_adapter(const struct tuntap
*tt
, const IP_ADAPTER_INFO
*list
);
430 const IP_ADAPTER_INFO
*get_adapter_info(DWORD index
, struct gc_arena
*gc
);
432 const IP_PER_ADAPTER_INFO
*get_per_adapter_info(const DWORD index
, struct gc_arena
*gc
);
434 const IP_ADAPTER_INFO
*get_adapter(const IP_ADAPTER_INFO
*ai
, DWORD index
);
436 bool is_adapter_up(const struct tuntap
*tt
, const IP_ADAPTER_INFO
*list
);
438 bool is_ip_in_adapter_subnet(const IP_ADAPTER_INFO
*ai
, const in_addr_t ip
, in_addr_t
*highest_netmask
);
440 DWORD
adapter_index_of_ip(const IP_ADAPTER_INFO
*list
,
445 void show_tap_win_adapters(int msglev
, int warnlev
);
447 void show_adapters(int msglev
);
449 void tap_allow_nonadmin_access(const char *dev_node
);
451 void show_valid_win32_tun_subnets(void);
453 const char *tap_win_getinfo(const struct tuntap
*tt
, struct gc_arena
*gc
);
455 void tun_show_debug(struct tuntap
*tt
);
457 bool dhcp_release_by_adapter_index(const DWORD adapter_index
);
459 bool dhcp_renew_by_adapter_index(const DWORD adapter_index
);
461 void fork_register_dns_action(struct tuntap
*tt
);
463 void ipconfig_register_dns(const struct env_set
*es
);
465 void tun_standby_init(struct tuntap
*tt
);
467 bool tun_standby(struct tuntap
*tt
);
469 int tun_read_queue(struct tuntap
*tt
, int maxsize
);
471 int tun_write_queue(struct tuntap
*tt
, struct buffer
*buf
);
474 tuntap_stop(int status
)
477 * This corresponds to the STATUS_NO_SUCH_DEVICE
478 * error in tapdrvr.c.
482 return GetLastError() == ERROR_FILE_NOT_FOUND
;
488 tuntap_abort(int status
)
491 * Typically generated when driver is halted.
495 return GetLastError() == ERROR_OPERATION_ABORTED
;
500 int tun_write_win32(struct tuntap
*tt
, struct buffer
*buf
);
503 wintun_ring_packet_align(ULONG size
)
505 return (size
+ (WINTUN_PACKET_ALIGN
- 1)) & ~(WINTUN_PACKET_ALIGN
- 1);
509 wintun_ring_wrap(ULONG value
)
511 return value
& (WINTUN_RING_CAPACITY
- 1);
515 read_wintun(struct tuntap
*tt
, struct buffer
*buf
)
517 struct tun_ring
*ring
= tt
->wintun_send_ring
;
518 ULONG head
= ring
->head
;
519 ULONG tail
= ring
->tail
;
521 struct TUN_PACKET
*packet
;
522 ULONG aligned_packet_size
;
524 *buf
= tt
->reads
.buf_init
;
527 if ((head
>= WINTUN_RING_CAPACITY
) || (tail
>= WINTUN_RING_CAPACITY
))
529 msg(M_INFO
, "Wintun: ring capacity exceeded");
536 /* nothing to read */
540 content_len
= wintun_ring_wrap(tail
- head
);
541 if (content_len
< sizeof(struct TUN_PACKET_HEADER
))
543 msg(M_INFO
, "Wintun: incomplete packet header in send ring");
548 packet
= (struct TUN_PACKET
*) &ring
->data
[head
];
549 if (packet
->size
> WINTUN_MAX_PACKET_SIZE
)
551 msg(M_INFO
, "Wintun: packet too big in send ring");
556 aligned_packet_size
= wintun_ring_packet_align(sizeof(struct TUN_PACKET_HEADER
) + packet
->size
);
557 if (aligned_packet_size
> content_len
)
559 msg(M_INFO
, "Wintun: incomplete packet in send ring");
564 buf_write(buf
, packet
->data
, packet
->size
);
566 head
= wintun_ring_wrap(head
+ aligned_packet_size
);
571 is_ip_packet_valid(const struct buffer
*buf
)
573 const struct openvpn_iphdr
*ih
= (const struct openvpn_iphdr
*)BPTR(buf
);
575 if (OPENVPN_IPH_GET_VER(ih
->version_len
) == 4)
577 if (BLEN(buf
) < sizeof(struct openvpn_iphdr
))
582 else if (OPENVPN_IPH_GET_VER(ih
->version_len
) == 6)
584 if (BLEN(buf
) < sizeof(struct openvpn_ipv6hdr
))
598 write_wintun(struct tuntap
*tt
, struct buffer
*buf
)
600 struct tun_ring
*ring
= tt
->wintun_receive_ring
;
601 ULONG head
= ring
->head
;
602 ULONG tail
= ring
->tail
;
603 ULONG aligned_packet_size
;
605 struct TUN_PACKET
*packet
;
607 /* wintun marks ring as corrupted (overcapacity) if it receives invalid IP packet */
608 if (!is_ip_packet_valid(buf
))
610 msg(D_LOW
, "write_wintun(): drop invalid IP packet");
614 if ((head
>= WINTUN_RING_CAPACITY
) || (tail
>= WINTUN_RING_CAPACITY
))
616 msg(M_INFO
, "write_wintun(): head/tail value is over capacity");
620 aligned_packet_size
= wintun_ring_packet_align(sizeof(struct TUN_PACKET_HEADER
) + BLEN(buf
));
621 buf_space
= wintun_ring_wrap(head
- tail
- WINTUN_PACKET_ALIGN
);
622 if (aligned_packet_size
> buf_space
)
624 msg(M_INFO
, "write_wintun(): ring is full");
628 /* copy packet size and data into ring */
629 packet
= (struct TUN_PACKET
* )&ring
->data
[tail
];
630 packet
->size
= BLEN(buf
);
631 memcpy(packet
->data
, BPTR(buf
), BLEN(buf
));
634 ring
->tail
= wintun_ring_wrap(tail
+ aligned_packet_size
);
635 if (ring
->alertable
!= 0)
637 SetEvent(tt
->rw_handle
.write
);
644 write_tun_buffered(struct tuntap
*tt
, struct buffer
*buf
)
646 if (tt
->windows_driver
== WINDOWS_DRIVER_WINTUN
)
648 return write_wintun(tt
, buf
);
652 return tun_write_win32(tt
, buf
);
657 tuntap_is_dco_win(struct tuntap
*tt
)
659 return tt
&& tt
->windows_driver
== WINDOWS_DRIVER_DCO
;
663 tuntap_is_dco_win_timeout(struct tuntap
*tt
, int status
)
665 return tuntap_is_dco_win(tt
) && (status
< 0) && (openvpn_errno() == ERROR_NETNAME_DELETED
);
669 print_windows_driver(enum windows_driver_type windows_driver
);
671 #else /* ifdef _WIN32 */
674 tuntap_stop(int status
)
680 tuntap_abort(int status
)
686 tun_standby_init(struct tuntap
*tt
)
691 tun_standby(struct tuntap
*tt
)
698 tuntap_is_dco_win(struct tuntap
*tt
)
704 tuntap_is_dco_win_timeout(struct tuntap
*tt
, int status
)
709 #endif /* ifdef _WIN32 */
712 * TUN/TAP I/O wait functions
715 static inline event_t
716 tun_event_handle(const struct tuntap
*tt
)
719 return &tt
->rw_handle
;
726 tun_set(struct tuntap
*tt
,
727 struct event_set
*es
,
728 unsigned int rwflags
,
730 unsigned int *persistent
)
732 if (!tuntap_defined(tt
) || tuntap_is_dco_win(tt
))
737 /* if persistent is defined, call event_ctl only if rwflags has changed since last call */
738 if (!persistent
|| *persistent
!= rwflags
)
740 event_ctl(es
, tun_event_handle(tt
), rwflags
, arg
);
743 *persistent
= rwflags
;
747 if (tt
->windows_driver
== WINDOWS_DRIVER_TAP_WINDOWS6
&& (rwflags
& EVENT_READ
))
749 tun_read_queue(tt
, 0);
752 tt
->rwflags_debug
= rwflags
;
756 const char *tun_stat(const struct tuntap
*tt
, unsigned int rwflags
, struct gc_arena
*gc
);
757 bool tun_name_is_fixed(const char *dev
);
760 is_tun_type_set(const struct tuntap
*tt
)
762 return tt
&& tt
->type
!= DEV_TYPE_UNDEF
;