Heiko Hund [Fri, 27 Jun 2025 08:24:53 +0000 (10:24 +0200)]
dns: create NRPT registry key if it doesn't exist
Windows 2019 Server by default does not have the key where local system
NRPT rules are stored. Tests have determined that NRPT is actually
working when rules are created under the key. So, instead of failing if
the key doesn't exist, we create it, and things will start working.
Github: OpenVPN/openvpn#768
Change-Id: I46132ebaf3bf3b16798b6f2416f7bf7272f5646b
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20250627082500.17075-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32001.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Thu, 26 Jun 2025 09:30:00 +0000 (11:30 +0200)]
run forced --dns-updown without --script-security
Due to a shortcut in the `--dns-updown force' implementation, running the
default dns-updown script required `--script-security 2'. This makes the
forced default script run without --script-security set.
Change-Id: I55940b78e35f0e3d74aa6cba14378afed97a444e
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250626093006.24789-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31994.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Thu, 26 Jun 2025 09:19:52 +0000 (11:19 +0200)]
fix macOS dns-updown handling of parallel full redirects
The script didn't handle scenarios well where two or more parallel VPN
connections want to replace the default DNS server. The DNS configuration
has a chance to get broken by the connections going down in a different
order than they came up in.
Disallowing all but the first connection to modify the default DNS server
will effectively prevent this issue. While it may break DNS for the
latter connections, it is the best we can do without knowing specifics
about the configurations.
Change-Id: I7b413578a8fc0c65fca26f72b901a9f7bc34b137
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250626091959.23505-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31988.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Ralf Lici [Wed, 25 Jun 2025 16:26:31 +0000 (18:26 +0200)]
dco linux: avoid sending local port to ovpn
When sending an OVPN_CMD_NEW_PEER netlink message to ovpn, we currently
attempt to include the local port along with the local address. However,
`dco_multi_get_localaddr()` does not record the port, so we end up
sending a zero value. This zero is rejected by ovpn's netlink policy,
leading to an error and aborted connection.
Since openvpn does not actually need to send the local port because the
module retrieves it directly from the socket, this commit ensures that
only the local address is sent.
Change-Id: I5d9535d46e5a5488f4a2b637a6fcb99aad668fee
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Message-Id: <20250625162638.7769-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31971.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Ralf Lici [Mon, 23 Jun 2025 14:07:43 +0000 (16:07 +0200)]
dco linux: avoid redefining ovpn enums
Starting with Linux kernel version 6.16, a couple of ovpn-related enum
definitions were introduced in the `include/uapi/linux/if_link.h`
header. Redefining them in openvpn when they are already present in the
system headers can lead to conflicts or build issues.
This commit ensures that enum redefinitions are avoided by conditionally
using the existing definitions from the system header when available.
Add the ability for users to specify a custom
routing table where routes should be installed in.
As of now routes are always installed in the main
routing table of the operating system, however,
with the new --route-table option it is possible
to specify the ID of the default routing table
to be used by --route(-ipv6).
Please note: this feature is currently supported
only by Linux/SITNL.
Support for other platforms should be added in related backends.
Trac #1399
Change-Id: I3e4ebef484d2a04a383a65ede5617ee98bf218a7
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250622110311.1140-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31946.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Wed, 18 Jun 2025 13:37:38 +0000 (15:37 +0200)]
OpenVPN Release 2.7_alpha2
version.m4, ChangeLog
Changes.rst has not received a "2.7_alpha2" section - it has the
"highlevel" overview of what is new in 2.7, but for alpha/beta releases
it's better to look at git log to see what has been added/fixed.
The only new feature alpha1 -> alpha2 is "TLS 1.3 support with
bleeding-edge mbedTLS versions"
Optimize the current local_list implementation
by replacing the static array with a resizable
one, as the static allocation serves no real
purpose, particularly on the client side.
Github: OpenVPN/openvpn#682
Change-Id: I32effed9e273fbe8986d1f4e8da4a4d0ac216463
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250618140016.2766-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31927.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 18 Jun 2025 12:48:29 +0000 (14:48 +0200)]
dns: deal with --dhcp-options when --dns is active
Since --dns settings overrule DNS related --dhcp-options,
remove the latter when values were defined via --dns.
To stay as backward compatible as possible, we add foreign_options to
the script hook environment from the --dns values when a --up script
is defined. In that case the default --dns-updown is not run, even
when --dns values are present, to prevent double DNS configuration.
This way an existing --up script that deals with DNS can run, without
the immediate need to change after an openvpn upgrade and a server
pushing --dns options.
If you specify a custom --dns-updown, or force running the default
dns-updown that comes with openvpn, those compat env vars are not set
for --up scripts and the dns-updown command is run, even when there's
an --up script present.
Since Android uses the DNS values from tuntap_options, we always
override those with --dns stuff unconditionally. Also on Windows when
--ip-win32 is dynamic or adaptive, since DHCP relies on these as well.
Change-Id: I635c4018fb43b5976a39b6a90cb2e9cb2570cd6a
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250618124835.24737-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31922.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Ralf Lici [Tue, 17 Jun 2025 08:41:28 +0000 (10:41 +0200)]
Preserve socket protocol during float processing
During a float operation, we remove the old `mroute` object
corresponding to the current multi instance from the hash table and
insert a new one. With the introduction of the multi-socket feature, the
`mroute` structure gained a `proto` field, which must also be set in the
new instance, otherwise, hash table lookups will fail.
This commit ensures that the `proto` field is propagated from the
original to the new `mroute` object during float processing.
The ovpn netlink code reports more verbose error
strings to help userspace understand what went wrong,
rather than just returning, for example, -EINVAL.
However, userspace must instruct the kernel netlink
subsystem that it wants to receive such strings.
Code for parsing such strings has always been present,
but it was never used.
Set the socket option which enables such reporting.
Change-Id: I4457b1d7262e0a39c275d33aaef6c4bcbeae6ab3
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250609100216.3997-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31885.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Delete old sample-windows file and obsolete Windows sample handling
This file is apparently over 20 years old and
was never updated besides fixing some obvious
syntax errors with new versions.
So let's just get rid of it. AFAICT the Windows
installer does not use it. Only the
{server,client}.ovpn. And even there, it just uses
the files directly from the build directory and
does not depend on us renaming them (which is
obvious since we do not use the Makefile at all
in the Windows build, only CMake).
Github: Closes OpenVPN/openvpn#758
Change-Id: I15c730c9eb3f1338019577e7c665c0ca5b1edcd4
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250602153900.29646-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31850.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Tue, 20 May 2025 08:55:06 +0000 (10:55 +0200)]
win: fix collecting DNS exclude data
The size of the returned MULTI_SZ wide domains string was calculated
wrongly. Instead of adding the size of a WCHAR, only the size of a char
was used. As a result, the domains string was stored too short and was
missing the final string terminator.
DHCP assigned DNS server addresses are separated by space, not comma.
These spaces were not replaced by semicolon, as the spec requires.
Heiko Hund [Tue, 20 May 2025 10:51:12 +0000 (12:51 +0200)]
win: match search domains when creating exclude rules
Compare local domains for exclude rules to search domains and skip
matching ones. This prevents the creation of exclude rules when the
server indicates that the domain should be resolved via the VPN, by
pushing the search domain.
Change-Id: I4919af2b845a47787c08f454b108ef376ea5c0f6
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20250520105119.10431-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31731.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Tue, 20 May 2025 07:33:48 +0000 (09:33 +0200)]
dns: fix potential NULL pointer dereference
Fix issue reported by Coverity (CID 1646952): Dereferencing a pointer
that might be NULL dvf when calling env_set_write_file.
In addition to the fix, inline the write_dns_vars_file() helper function.
Also output a log line in case this error happens, because when it
happens it will hinder communication with the updown runner process, i.e.
setting up / tearing down DNS things will not work as expected.
Change-Id: I275bf939f43577427e14890e7093d63c5213ae5d
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250520073354.17091-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31720.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This fixes almost all of the remaining warnings in our
doxygen. Mostly about missing parameters in otherwise
documented functions (completely undocumented functions
do not cause warnings).
Other changes:
- Exclude out/ directory (used by CMakePresets.json)
- Output doxygen warnings into a separate file, which
can be used by CI systems to check for new warnings
- Increase DOT_GRAPH_MAX_NODES to avoid warnings about
some of the central header files (syshead.h and buffer.h)
Change-Id: I3bf775bbdea742575210606e174ccafe840677c9
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250519143550.21761-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31712.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
socket: don't transfer bind family to socket in case of ANY address
With the introduction of multisocket, we need to transfer the
AI family of the bound address to the socket, as it may differ
from what was set globally.
However, this operation makes sense only when getaddrinfo()
for bind is performed on a non-empty hostname.
An empty hostname (ANY) may return AF_INET which will break
following connection attempts to v6 only remotes.
Change-Id: I27f305d3ae9bf650bab409e99173688d9f88ab65
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250325090121.28813-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31235.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Sun, 18 May 2025 22:02:39 +0000 (00:02 +0200)]
Make --dh none behaviour default if not specified
Nowadays ciphers that are still using DH and not ECDH are rarely chosen
as best cipher suite. Our man page even indicates that OpenSSL 1.0.1+
supports ECDH cipher suites. So it does not feel useful to force
specifying --dh anymore.
Side note: Custom generated Diffie-Hellman parameters are also
discouraged nowadays. The newest OpenSSL FIPS libraries even flat
out reject them:
FIPS 186-4 type domain parameters no longer allowed in FIPS mode,
since the required validation routines were removed from FIPS 186-5
But instead of adding support for loading the well-known curve just make
dh none the default and the recommended option as finite field Diffie-Hellman
is being deprecated anyway
(https://datatracker.ietf.org/doc/draft-ietf-tls-deprecate-obsolete-kex/)
and not supported by TLS 1.3 at all.
Change-Id: Ica02244c9f0ac9b4690a51f940fda9d900465289
Signed-off-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250518220245.24489-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31695.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Sat, 17 May 2025 09:26:26 +0000 (11:26 +0200)]
dns: don't publish env vars to non-dns scripts
With --dns-updown in place we no longer need --dns option related vars in
the environment for other script hooks. Code for doing that is removed and
the function to set --dns stuff made static, for internal use only.
Change-Id: I3fb01ab76cf3df0874ba92e08f371d17607a8369
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250517092637.2103-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/search?l=mid&q=20250517092637.2103-1-gert@greenie.muc.de
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Sat, 17 May 2025 08:38:27 +0000 (10:38 +0200)]
dns: support running up/down command with privsep
With --user privileges are dropped after init. Unfortunately this
affects --dns-updown when undoing previous modifications.
To keep the privileges for just that, the concept of a dns updown runner
is introduced. It's basically a fork of openvpn at the time the
modifications to DNS are made. Its only capability is running the
--dns-updown command when asked to. The parent openvpn process signals
this by writing to a pipe the runner is waiting on.
Commands need to be ready to receive variables from a file instead of the
process environment. A shameless and effective workaround to keep the
protocol between the two processes simple.
Change-Id: I6b67e3a00dd84bf348b6af28115ee11138c3a111
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250517083833.28728-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31668.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Ralf Lici [Thu, 15 May 2025 15:00:31 +0000 (17:00 +0200)]
Implement ovpn version detection
Add detection of the ovpn kernel module type: if a backported
(out-of-tree) version is loaded, the MODULE_VERSION string is read from
sysfs; otherwise, for the in-tree module, the function reports the
kernel release and version.
Change-Id: I7fc033a7ffee73045316763356a95d75ef23f5ad
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250515150038.30097-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31652.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 14 May 2025 13:53:27 +0000 (15:53 +0200)]
dns: apply settings via script on unixoid systems
This introduces a new script hook, the dns-updown, and implements such a
command script for a few popular systems (and a default for the not so
popular ones). Like the name suggests this hook is solely for dealing
with modifying how names are resolved when the VPN pushes some --dns
settings.
The default dns updown command is part of the distribution and is
installed with openvpn. You can change the path the command is located
at as a compile time option; it defaults to libexecdir.
You can compile-time disable that the default dns-updown hook is
run by passing --disable-dns-updown-by-default to configure or
ccmake ENABLE_DNS_UPDOWN_BY_DEFAULT to OFF.
There's also a new runtime option --dns-updown, which can run a custom
command, force running the default when disabled or disable execution
of the dns-updown altogether.
Change-Id: Ifbe4ffb44d3bfcaa50adb38cacb3436fcdc71b10
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250514135334.14377-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31639.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Tue, 13 May 2025 15:09:59 +0000 (17:09 +0200)]
win: remove Wintun support
Since DCO supports modern ciphers and server mode,
there is no reason to support Wintun anymore.
This also removes --windows-driver option support. The
default driver is DCO, as it has been since 2.6. If for
some reason one doesn't want to use it, --disable-dco
multiplatform option will switch to tap-windows6.
Change-Id: I43ec390040bffeec05270271ea7fb54fb219c536
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250513151006.13617-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31631.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Sat, 10 May 2025 18:19:30 +0000 (20:19 +0200)]
win: create adapter on demand
The installer currently creates one adapter per driver. When a user tries
to start a second VPN connection while another is active, the client
fails with an unclear error message:
"All ovpn-dco adapters on this system are currently in use or disabled."
This message does not guide the user toward resolving the issue, such as by
running the shortcut "Add a new dco-win virtual network adapter."
To improve user experience, the client will now create an adapter on demand
when no available adapters exist. The client sends a command specifying
the adapter type to the interactive service, which then executes tapctl.exe
to create a new adapter.
This feature requires the interactive service, but this should not pose a
problem since even our automatic service has recently started relying on the
interactive service.
GitHub: OpenVPN/openvpn#728
Change-Id: I621d44ec6b0facc524875c15ddfd11ec47b06c15
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20250510181937.2993-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31617.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When we check for the header and then symbols
in that header, combine this so that the
relationship between the tests is clear and
that we do not do tests we know will fail.
Change-Id: I0c4fce76c81c5297ff5469d787114f1279bf35e5
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250508174624.7504-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31602.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
CMake: Make sure to treat UNIT_TEST_SOURCEDIR as path
This makes sure that it is properly normalized, and
on Windows seems to prevent CMake from using back
slashes which would break the build due to "unknown escape
sequence" errors.
Change-Id: I2551edfaaf5107649398a3fa1db2009ee8644671
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250507121226.13824-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31587.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Mon, 5 May 2025 14:22:16 +0000 (16:22 +0200)]
Add information-gathering about DNS resolvers configured to t_client.sh(.in)
With the patchsets to add DNS configuration on Unix+MacOS systems, and
the addition of test stanzas to exercise and verify the OS specific
"dns-updown" script, it becomes important to trace test failures
("did it not ping because the DNS was not installed, or did something
else fail?") and also verify that DNS config is properly restored at
the end of each test.
Linux is probed with "resolvectl status", if available, and
"cat resolv.conf" if not. MacOS uses scutil --dns.
All other platforms use "cat resolv.conf" for now (because even if
"a tool to maintain DNS config" is available, in the end resolv.conf
is always where the final config lands).
Include a bit of restructuring to handle linux iproute2 testing in the
"Linux" branch, and make the control flow more amenable to having a
second case / esac block.
Change-Id: I9cae7314203424e4a604073c5445559260172477
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250505142224.24935-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31568.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Mention its default (on non-Windows systems), rephrase for brevity, fix
grammar, correct the module environment variable name and remove a wrong
default mentioned in a related option.
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250426121903.67930-1-kn@openbsd.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31514.html
Arne Schwabe [Fri, 25 Apr 2025 13:09:54 +0000 (15:09 +0200)]
Fix mbed TLS key exporter functionality in 3.6.x and cmake
Cmake did not check for the mbedtls_ssl_set_export_keys_cb symbol
when generating an mbed TLS configuration. This causes no actual
working key exporter to be in the binary.
Also add an explicit #error to catch this situation during compilation.
Change-Id: If38e80e268dc0ee7e57de2c175c5b4db0ce55ed0
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250425131002.21772-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31510.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Thu, 17 Apr 2025 13:46:30 +0000 (15:46 +0200)]
ssl_openssl.c: Prevent potential double-free
Fixes a potential double-free issue in tls_ctx_load_cert_uri()
by explicitly nullifying the pointer immediately after calling
OSSL_STORE_INFO_free(info).
This ensures that subsequent cleanup won't attempt to free the same
structure again.
Github: closes OpenVPN/openvpn#726
Change-Id: I4507be07cd5573b2117e837ef03187535a38a4b1
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Message-Id: <20250417134636.21279-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31478.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Fix broken links to OpenSSL documentation
- Remove some unnecessary \c for function names.
Doxygen does handle them automatically.
- Add some \c for --option since otherwise --
gets converted to one character (e.g. – in
HTML).
Change-Id: I9a27248557fabcd9f7584deb4aba16cd71fb803c
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250415155720.13034-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31434.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Implement support for setting options from --dns. This is hugely
different than what we had so far with DNS related --dhcp-option.
The main difference is that we support split DNS and DNSSEC by making
use of NRPT (Name Resolution Policy Table). Also OpenVPN tries to keep
local DNS resolution working when DNS is redirected into the tunnel. To
prevent this from happening we have --block-outside-dns, in case you
wonder. Basically we collect domains and name server addresses from
network adapters and add so called exclude NRPT rules in addition to the
catch all rule that is pushed by the server.
All is done via the interactive service, since modifying all this
requires the elevated privileges that the openvpn process hopefully
doesn't have.
Change-Id: I576e74f3276362606e9cbd50bb5adbebaaf209cc
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20250414180636.31936-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31426.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The recent introduction of the multisocket support
did not account for some Windows-specific DCO paths.
This patch restores correct behavior on Windows.
Key changes:
- Add WIN32 guards around DCO-specific code.
- Disable wait_signal() when running in
server mode, as it conflicts with the
event engine since Windows handles
signals as I/Os.
- Ensure correct socket handling for TCP
vs UDP.
Github: closes openvpn/OpenVPN#720
Change-Id: I719b1aa2d2f4d63dc9c18d8e313fba339e3e4b0c
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20250410215037.11878-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31419.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- update vcpkg reference to 856505bb76
This includes a general work-around for the CMake 4.0
compat. See commit a1aebfa9d5eae7cf493e0a706b43915d687bb860.
- update lukka/get-cmake action to v4
- update dependency aws/aws-lc to v1.49.1
Change-Id: Ibabb4aa80d7786614dbd6b76bd4cd096f217acfd
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Yuriy Darnobyt <yura.uddr@gmail.com>
Message-Id: <20250409131148.18147-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31399.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 9 Apr 2025 12:24:03 +0000 (14:24 +0200)]
Also print key agreement when printing negotiated details
With TLS 1.0 to 1.2, the used key agreement depended on the certificates
themselves. With TLS 1.3 this is no longer the case but basically always
X25519 was used. So this information has not been very interesting so far.
With OpenSSL 3.5.0 and the new X25519MLKEM768 hybrid key agreement, the used
key agreement group actually becomes interesting information.
This commit adds printing this information for OpenSSL 3.0.0+ and uses
a compat version for OpenSSL 3.0-3.1 to avoid an additional ifdef in the
code itself.
Example output with ML-DSA-65 certificates on the server (client output):
Arne Schwabe [Wed, 2 Apr 2025 13:45:39 +0000 (15:45 +0200)]
Use USER_PASS_LEN instead of TLS_USERNAME_LEN for override-username
Currently override-username is artificially restricted to the length of
TLS common-name (64) for the corner case of using username-as-common-name,
which we explicitly do not recommend to use.
Do away with that limitation and only error out on longer usernames when
username-as-common-name is actually in effect.
Change-Id: I1c2c050dd160746a0f8d9c234abe1e258bc8e48d
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250402134546.3504-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31323.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Wed, 2 Apr 2025 15:33:28 +0000 (17:33 +0200)]
Use SSL_get0_peer_signature_name instead of SSL_get_peer_signature_nid
SSL_get0_peer_signature_name returns a string instead of hardcoded NIDs.
NIDs do not work with provider provided signatures or the new PQ
signatures introduced in OpenSSL 3.5.
Remove also the comment that was added earlier that says that there
is no proper API replacement for SSL_get_peer_signature_nid yet as
OpenSSL 3.5.0 has now introduced it.
Change-Id: I2bc782ceebcc91a8dc8ada0bb72ac042be46cad6
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Message-Id: <20250402153337.5262-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31336.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
FreeBSD-DCO does not support TCP as transport protocol so in order to
be able to use DCO in a multi-socket environment we need to check the
local_list entries and disable DCO if any of the listening sockets
is TCP.
While at it, removed some dead code left from Multisocket polishing.
Github: closes OpenVPN/openvpn#710
Change-Id: I9b6359076a61ae2bbb8e5cea00e33969cb5f92cf
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250402132148.18810-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31324.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 1 Apr 2025 17:30:37 +0000 (19:30 +0200)]
Allow tls-crypt-v2 to be setup only on initial packet of a session
This fixes an internal server error condition that can be triggered by a
malicious authenticated client, a very unlucky corruption of packets in
transit or by an attacker that is able to inject a specially created
packet at the right time and is able to observe the traffic to construct
the packet.
The error condition results in an ASSERT statement being triggered,
NOTE: due to the security sensitive nature, this patch was prepared
under embargo on the security@openvpn.net mailing list, and thus has
no publicly available "mailing list discussion before merge" URL.
CVE: 2025-2704
Change-Id: I07c1352204d308e5bde5f0b85e561a5dd0bc63c8
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <385d88f0-d7c9-4330-82ff-9f5931183afd@rfc2549.org>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Tue, 1 Apr 2025 18:15:30 +0000 (20:15 +0200)]
dco-win: Fix crash when cancelling pending operation
The OVERLAPPED structure must remain valid for the entire duration of an
asynchronous operation. Previously, when a TCP connection was pending
inside the NEW_PEER call, the OVERLAPPED structure was defined as a
local variable within dco_p2p_new_peer().
When CancelIo() was called later from close_tun_handle(), the OVERLAPPED
structure was already out of scope, resulting in undefined behavior and
stack corruption.
This fix moves the OVERLAPPED structure to the tuntap struct, ensuring
it remains valid throughout the operation's lifetime.
Github: closes OpenVPN/openvpn#715
Change-Id: Ib1db457c42a80f6b8fc0e3ceb4a895d4cf7f0155
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250401181535.7854-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59168247/
URL: https://gerrit.openvpn.net/c/openvpn/+/928
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Fix Android build with newer vcpkg
Need to sync CMAKE_SYSTEM_VERSION with vcpkg.
- Update mbedTLS v3 builds to latest release.
Depends on commit 4897c522948c8cdb82c0325ee08f6907cfc16f57
- Update all actions to latest releases.
Change-Id: Ie9bffcc487f53a3a8ae6e59b79e654360d99902c
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250331153309.77901-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31290.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Turns out that "apt install cmake" is useless since
Github also installs CMake, but not as a package. So
make sure we control which CMake we get and not
Github.
Switch to get-cmake action (which also installs ninja)
and remove the installation via apt.
Change-Id: Ief11d5d7ccae084c863b50054d4e97c71f57d6f0
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250401170420.29808-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31299.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Thu, 27 Mar 2025 15:36:00 +0000 (16:36 +0100)]
Do not leave half-initialised key wrap struct when dynamic tls-crypt fails
In the case where key_state_export_keying_material fails, we left a
half-initialised tls_wrap_reneg structure in the tls_session.
Later calls that try to free this structure cause freeing of
invalid memory locations.
To test: make key_state_export_keying_material return false even though
HAVE_EXPORT_KEYING_MATERIAL is defined and connect to a server
supporting dynamic tls-crypt (2.6.0+)
Change-Id: I54073f8b63894a62699f6ecdc90a77f9f131205b
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: MaxF <max@max-fillinger.net>
Message-Id: <20250327153606.15282-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31267.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Fix compatibility with mbedTLS 2.28.10+ and 3.6.3+
From release notes:
In TLS clients, if mbedtls_ssl_set_hostname() has not been called,
mbedtls_ssl_handshake() now fails with
MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
if certificate-based authentication of the server is attempted.
This is because authenticating a server without knowing what name
to expect is usually insecure. To restore the old behavior, either
call mbedtls_ssl_set_hostname() with NULL as the hostname [...]
Change-Id: I8bbb6ffdac7d0029dbf3c13e62c11b61813c15ef
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: MaxF <max@max-fillinger.net>
Message-Id: <20250327113356.11233-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31262.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Tue, 25 Mar 2025 19:57:43 +0000 (20:57 +0100)]
Mention address if not unspecific on DNS failure
With the recent changes breaking configs that included lport 0, it became
apparent that having the address family in the error message when
resolving fails would have made diagnosis in this case, and probably others,
much easier.
Change-Id: I1c8fcd5bb6e1fa0020d52879eefbafdb2630e7b5
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250325195750.7899-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31237.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering [Mon, 24 Mar 2025 18:27:26 +0000 (19:27 +0100)]
Make 'lport 0' no longer sufficient to do '--bind'.
'lport <anything>' used to trigger 'do socket bind', which is not
useful in itself for the 'lport 0' case (port 0 -> OS assigns a
random port, as it is done for unbound sockets) unless also binding
to a particular local IP address ('--local 192.0.2.1').
The trigger for 'lport has been used, do socket bind' is
ce.local_port_defined -> change the code to test for "0", and
only set this for non-0 ports (NOTE: this is a string match,
so if you really really want the old "lport 0" behaviour, using
"lport 00" still does that...).
The ce.local_port value is still set, so '--lport 0' together
with '--local 192.0.2.1' will give you a random port number
bound to that IP address - without 'lport 0' it would default
to 1194 or the value of '--port' (if not using '--rport').
Summary: socket bind is now only done if one of these is set
- --lport <port> with <port> not "0"
- --bind (default on the client is "--nobind")
- --local <address>
Github: schwabe/ics-openvpn#1794
Change-Id: I1976307a7643c82f31d55ca32c79cbe64b6fffc6
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Message-Id: <20250324182735.12657-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31222.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
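The bind decision described in the commit above, written out as an added example in C. This is not OpenVPN's code: `struct conn_entry` and the functions below are hypothetical stand-ins that model the three triggers from the commit's summary (a non-"0" `--lport`, `--bind`, `--local`) and the string-match quirk the commit notes, where `lport 00` still counts as a defined port. The `effective_local_port()` helper reflects the commit's remark that `--lport 0` together with `--local` still leaves the port at `0` (OS-assigned), whereas without `--lport` the configured default is used.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the connection entry; field names follow the
 * commit text (ce.local_port, ce.local_port_defined). Not OpenVPN's struct. */
struct conn_entry {
    const char *local_port;     /* value given to --lport, or NULL if unset */
    bool local_port_defined;    /* "lport has been used, do socket bind" */
    bool bind_local;            /* --bind given (clients default to --nobind) */
    const char *local_addr;     /* value given to --local, or NULL if unset */
};

/* Record --lport the way the commit describes: the value is always stored,
 * but only a value that is not the string "0" marks the port as defined.
 * Because this is a string comparison, "00" is not "0" and still triggers
 * the old behaviour, exactly as the commit points out. */
void set_lport(struct conn_entry *ce, const char *port)
{
    ce->local_port = port;
    ce->local_port_defined = (port != NULL && strcmp(port, "0") != 0);
}

/* Socket bind happens if any one of the three triggers is set. */
bool should_bind(const struct conn_entry *ce)
{
    return ce->local_port_defined || ce->bind_local || ce->local_addr != NULL;
}

/* Port the socket would be bound to: the --lport value if one was given
 * (including "0", meaning OS-assigned), otherwise the caller's default. */
const char *effective_local_port(const struct conn_entry *ce, const char *default_port)
{
    return ce->local_port != NULL ? ce->local_port : default_port;
}

/* Convenience wrapper: evaluate one option combination. */
bool bind_for(const char *lport, bool bind_opt, const char *local)
{
    struct conn_entry ce = { .bind_local = bind_opt, .local_addr = local };
    set_lport(&ce, lport);
    return should_bind(&ce);
}

int main(void)
{
    /* Constructed scenarios covering the cases named in the commit. */
    struct { const char *lport; bool bind; const char *local; } cases[] = {
        { "0",    false, NULL },          /* no bind: port 0 alone is not enough */
        { "00",   false, NULL },          /* bind: string match quirk */
        { "1194", false, NULL },          /* bind: real port */
        { "0",    false, "192.0.2.1" },   /* bind: random port on that address */
        { NULL,   true,  NULL },          /* bind: explicit --bind */
        { NULL,   false, NULL },          /* no bind: client default --nobind */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        struct conn_entry ce = { .bind_local = cases[i].bind, .local_addr = cases[i].local };
        set_lport(&ce, cases[i].lport);
        printf("lport=%-5s bind=%d local=%-10s -> bind=%d port=%s\n",
               cases[i].lport ? cases[i].lport : "-", cases[i].bind,
               cases[i].local ? cases[i].local : "-", should_bind(&ce),
               effective_local_port(&ce, "1194"));
    }
    return 0;
}
```

The default port string "1194" passed to `effective_local_port()` is the caller's choice here; in a real configuration it would be whatever `--port` (or `--rport` logic) resolves to.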
Arne Schwabe [Mon, 24 Mar 2025 13:54:33 +0000 (14:54 +0100)]
Improve documentation for override-username
- Mention that pushing auth-token-user only happens when OpenVPN also
generates the auth-token.
- Mention that OpenVPN will only accept the original and overridden username
from a client.
- Suggest to use auth-token-user when a user generates the auth-token.
Change-Id: Ifc7443974345042ab9945d6a10e1d1b4525e5e05
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250324135441.26725-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31210.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe [Mon, 24 Mar 2025 13:37:53 +0000 (14:37 +0100)]
Directly use _countof in array initialisation
This fixes the build failures on MSVC cl compiler.
MSVC cl does not consider the expression of a const variable times
an integer to be compile-time constant. C23 introduces the constexpr
(like in C++) statement for that, but we are only on C11 for now.
So directly use the _countof(msg->addr) expression in the array
initialisation.
Change-Id: Ib579c1538eb5440bb7008bc866a5cb7d74844374
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250324133759.13155-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31205.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Mon, 24 Mar 2025 08:33:44 +0000 (09:33 +0100)]
win: calculate address string buffer size
Instead of making the string buffer statically sized for a max. of
four addresses, calculate it to hold up to the max number of addresses
a dns_cfg_message_t can hold (currently four as well). Improves the code
so that it doesn't rely on the addresses never being more than four in
the future.
Change-Id: I23710b1f5b2122ec1f14465911836c0f0afa9c64
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250324083350.4019-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31196.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
options: Cleanup and simplify options_postprocess_verify_ce
- Reuse the MUST_BE_UNDEF macro in more places
- Add a second parameter so it actually reports the
correct option name
- Add MUST_BE_FALSE for similar cases
- Reorder the checks for cert/key options to make
more sense. Some of the checks could have never
fired due to wrong placement of the management
checks
- Some other small cleanups like missing spaces
in multiline string literal
Change-Id: I4f766fa22865eaf4466c31cf55e3d73b00008c38
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250318155320.32573-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31155.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 12 Mar 2025 10:11:50 +0000 (11:11 +0100)]
dns: do not use netsh to set name server addresses
Instead of spawning a netsh process, set the name server addresses
directly in the registry hive of the VPN interface.
This is a first step to get rid of the use of command line tools in the
service and move to a more API driven style of modifying the VPN adapter
configuration.
Change-Id: Id2bed0908e84c19b8fb6fe806376316793e550b4
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20250312101156.5756-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59159531/
URL: https://gerrit.openvpn.net/c/openvpn/+/825
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Heiko Hund [Wed, 12 Mar 2025 09:22:53 +0000 (10:22 +0100)]
dns: support multiple domains without DHCP
Instead of using wmic on Windows to set one (the first) DNS domain,
modify the registry directly and let the resolver know that something
changed.
This fixes that more than one search domain suffix could only be applied
when DHCP and the tap driver were used. Now this works as well in netsh
mode with the interactive service.
If possible the search domains are stored with the rest of the VPN interface
parameter values. However, a global search list and one which is
distributed via group policy have priority (in that order), so we probe
for the existence of those first. In order to be able to restore the
original list in any case we store an "initial list" as a backup of the
search list before we modify it.
Arne Schwabe [Tue, 11 Mar 2025 15:59:04 +0000 (16:59 +0100)]
Implement override-username
This allows the server to set and override the username that is assumed
for the client for interaction with the client after the authentication.
This is especially intended to allow the use of auth-gen-token in
scenarios where the clients use certificates and multi-factor
authentication.
It allows a client to successfully roam to a different server and have
a correct username and auth-token that can be accepted by that server as
fully authenticated user without requiring MFA again.
The scenario in which this feature is probably most useful is
when --management-client-auth is in use, as in this mode the OpenVPN
server can accept clients without username/password but still use
--auth-gen-token with username and password to accept auth-token as
alternative authentication. A client without a username will also not
use the pushed auth-token. So setting/pushing an auth-token-user
will ensure that the client has a username.
Github: OpenVPN/openvpn#299
Change-Id: Ia4095518d5e4447992a2974e0d7a159d79ba6b6f
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250311155904.4446-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31091.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
TCP connected sockets do not need any remote addr
because the destination is fixed.
For this reason we can avoid sending the remote addr
along the peer-new dco call.
This change is important on Linux because the new 'ovpn'
kernel module is stricter when it comes to accepting
netlink messages and will reject calls with TCP sockets
if a remote address is specified.
Change-Id: I76e2e616c6ffe436a9627fa71aaace74030b2f4a
Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250309153017.5163-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31078.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Ralf Lici [Wed, 5 Mar 2025 17:17:30 +0000 (18:17 +0100)]
Handle missing DCO peer by restarting the session
Occasionally, CMD_DEL_PEER is not delivered to userspace, preventing the
openvpn process from registering the event. To handle this case, we
check if calls to the Linux DCO module return an error, and, if so, send
a SIGUSR1 signal to reset the session.
Most DCO commands that return an error already trigger a SIGUSR1 signal
or even call _exit(1). This commit extends that behavior to include
dco_get_peer_stats_multi() and dco_get_peer_stats().
Change-Id: Ib118426c5a69256894040c69856a4003d9f4637c
Signed-off-by: Ralf Lici <ralf@mandelbit.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250305171730.250444-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31022.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Rename occurrences of 'struct link_socket' from 'ls' to 'sock'
This commit renames all instances of 'struct link_socket'
from the abbreviation 'ls' to the more descriptive 'sock'
making it clearer that the variables represent
socket-related structures.
No functional changes have been introduced.
Change-Id: Iff12c4dbac84a814612aa8b5b89224be08bb9058
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250306101339.12985-1-gert@greenie.muc.de>
URL: https://sourceforge.net/p/openvpn/mailman/message/59156800/
URL: https://gerrit.openvpn.net/c/openvpn/+/874
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Add support for simultaneous use of UDP and TCP sockets
Add all the bound sockets to the event loop.
The main server loop has been updated to handle both
TCP and UDP connections.
The hash function has also been modified to include the
protocol during the creation of new client instances.
There are also a couple of refinements to make the
whole code flow management capable of handling
different kinds of clients:
MULTI: properly remove TCP instances by checking the multi_instance
protocol instead of the global one.
TLS: set the tls_option xmit_hold bool value to true only in case of
TCP child instance to avoid checking the global protocol
value.
INIT: initialize the c->c2.event_set in the inherit_context_top()
by default and not only in case of UDP since we could have
multiple different sockets.
Change-Id: I31bbf87e4e568021445c7512ecefadfd4a69b363
Signed-off-by: Gianmarco De Gregori <gianmarco@mandelbit.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250306095928.10229-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31028.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Lev Stipakov [Thu, 20 Feb 2025 12:42:05 +0000 (13:42 +0100)]
dco-win: support for iroutes
Unlike Linux/FreeBSD, dco-win doesn't have access to a
system routing table, so we have to maintain an internal routing
table in the driver. For that, we have 4 ioctls to add/delete
IPv4/IPv6 iroutes. When adding an iroute, we pass the peer-id, so that
the driver is able to associate a subnet with a peer context.
Change-Id: I36a5442c0a5667628f419bc64efe5fb562ad3b57
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250220124205.27502-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30958.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Corubba Smith [Sat, 15 Feb 2025 19:00:33 +0000 (20:00 +0100)]
Remove x509-username-fields uppercasing
The uppercasing was first introduced together with the
x509-username-field option in commit 935c62be, and first released with
v2.2.0 in 2011. The uppercasing was later deprecated with commit f4e0ad82
and release v2.4.0 in 2016. I think it is time to finally
remove it.
This deprecated feature prevents you from using non-extension
all-lowercase fieldnames like `name`, because these are converted to
uppercase and then cause an error. The deprecation warning is also shown
in cases where there is no actual uppercasing happening, for example
with numerical forms (aka oids) like `2.5.4.41` (oid of `name`).
Signed-off-by: Corubba Smith <corubba@gmx.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <cb8317eb-bfb6-47e8-9bc3-ae5cc603ff21@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30915.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>