mirror of https://github.com/OpenVPN/openvpn.git synced 2024-09-20 12:02:28 +02:00
Commit Graph

2712 Commits

Author SHA1 Message Date
Gert Doering
5e19cc2c1b Workaround FreeBSD 12+ race condition on tun/tap open with IPv6.
On FreeBSD 12 (tested and verified on 12.1-RELEASE-p2), after "ifconfig
inet6" for a tun/tap interface, there sometimes is a race condition
where the "IFDISABLED" flag shows up after a short time frame, under
a second, and never clears itself.  This disables use of the configured
IPv6 address on the interface, breaking IPv6 over tun/tap operation.

This only happens if ipv6_activate_all_interfaces="YES" is not
set in /etc/rc.conf - but there might be reasons why this is not so.

As a workaround until this can be fixed on the FreeBSD side (or a
better workaround is found), sleep(1) after ifconfig, then call
"ifconfig $dev inet6 -ifdisable".

Yes, this is massively ugly but makes the problem completely go
away for my test systems.

(The same effect can be achieved with an --up script that does this,
but it's even less pretty - see trac ticket)

FreeBSD: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248172

v2: reword text, refer to FreeBSD bug with much more details

Trac: 1226
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200723121949.78223-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20553.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-23 22:09:45 +02:00
Arne Schwabe
10abd656a3 Refactor key_state_export_keying_material functions
This refactors the common code between mbed SSL and OpenSSL into
export_user_keying_material and also prepares the backend functions
to export more than one key.

Also fix checking the return value of SSL_export_keying_material:
only 1 is a success, -1 is also an error.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>

Patch V2: Cache secrets for mbed TLS instead of generating all ekms
          in the callback function

Patch V3: comment is no longer a lie. (fixed doxygen)

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20200814145153.12895-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20739.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-23 21:49:21 +02:00
Eric Thorpe
62560e2a29 Fixes a bug in management_callback_send_cc_message, should be strlen instead of sizeof
Signed-off-by: Eric Thorpe <eric@sparklabs.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200820014258.38377-1-eric@sparklabs.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20783.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-23 21:32:12 +02:00
Arne Schwabe
2ab0a92442 Fix client's poor man NCP fallback
This commit fixes two separate issues which are closely linked.

First, a 2.5 client cannot connect to a server which does not support NCP
and is not using one of the default --data-ciphers (AES-*-GCM).

This is because the 2.5 client does not use its configured --data-ciphers
cipher in the "fall back to OCC based cipher negotiation" case.  Fix this.

Second, do not allow the 2.5 client to use --data-ciphers-fallback in the
above situation because that is not its intended use (only to be used if
there is no pushed cipher [NCP] and no OCC provided cipher).

To reproduce the error use a client with only --data-ciphers set against
a server without NCP.

        OPTIONS ERROR: failed to negotiate cipher with server.
        Add the server's cipher ('AES-256-CBC') to --data-ciphers
        (currently 'AES-256-CBC') if you want to connect to this server.

Reported by: Richard Bonhomme <tincanteksup@gmail.com>

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20200814080619.2108-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20734.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-23 21:02:29 +02:00
Lev Stipakov
ed47c097db tun.c: enable using wintun driver under SYSTEM
Commit 6d19775a46 removed the SYSTEM elevation hack,
but introduced a regression: inability to use wintun without
the interactive service.

Proceed with ring buffer registration even if iservice is unavailable
and display a relevant error message.

Trac: #1318

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20200819070746.197-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20780.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-23 14:31:39 +02:00
Selva Nair
2da29362cc Improve the documentation for --dhcp-option
- Stress that these are handled internally only on some platforms
- Correct the statement about wintun
- Document DOMAIN-SEARCH

Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1597604799-23135-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20759.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-17 07:36:25 +02:00
Magnus Kroken
bf91188253 Changes.rst: fix mistyped option names
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200815120522.1404-2-mkroken@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20749.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-16 12:47:48 +02:00
Magnus Kroken
e33f44754a doc: fix typos in cipher-negotiation.rst
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200815120522.1404-3-mkroken@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20748.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-16 12:43:49 +02:00
Gert Doering
7e65483d12 Fix stack overflow in OpenSolaris NEXTADDR()
Commit 5fde831c58 fixed NEXTADDR() for all *BSDs and MacOS.

OpenSolaris has to use a slightly different macro due to lack of
sockaddr->sa_len - but it has the same problem, first rounding up,
then memmove()'ing.  Switch order.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200813101301.12720-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20731.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-14 14:37:09 +02:00
Gert Doering
f7432a97fe Change version.m4 to 2.6_git
2.5 has been branched off as release/2.5 now (2.5_beta1),
so this is what will become 2.6.0 one day.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-12 13:00:21 +02:00
Arne Schwabe
c1c43d46ee Improve sections about older OpenVPN clients in cipher-negotiation.rst
- Explain the IV_NCP=2 client situation in 2.4 a bit better.
- Make more clear what exact versions are meant in the old client section
- Add a missing - in a heading

Thanks to Richard Bonhomme for initial proof reading.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200812085412.19178-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20714.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-12 13:00:21 +02:00
Gert Doering
26b658ea10 Changes.rst updates in preparation to 2.5_beta1
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-12 12:21:09 +02:00
Gert Doering
079fca54b4 Add deprecation notice for --ncp-disable to protocol-options.rst
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-12 12:21:09 +02:00
Arne Schwabe
162499591d Cleanup tls_pre_decrypt_lite and tls_pre_encrypt
Mostly C90 -> C99 cleanups and "return immediately" instead of
wrapping function body into if.

(Review with ignore whitespace)

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200810143707.5834-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20676.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-11 22:24:55 +02:00
Arne Schwabe
a6a15f7030 Refactor/Reformat tls_pre_decrypt
- Extract data packet handling to its own function
- Replace two instances of
          if (x) { code }
  with
          if (!x) return; code

- Remove extra curly braces that were used for pre C99 code style
  to be able to declare variables in the middle of a block

This patch is easier to review with "ignore white space" as the
diff is then a lot smaller in that case and the changes more obvious.

Patch V2: Fix function name spelling, cleanup goto code in the new
          handle_data_channel_packet function

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200811105541.2543-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20707.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-11 22:15:56 +02:00
Arne Schwabe
e02616d821 Document comp-lzo no and compress being incompatible
Most of the new compress formats (but not the v2 versions) do use the swap
operation. For 'compress lzo' the swap option is not used for backwards
compatibility. For lz4 the swap option is also not a problem since there
is no version without swap. Unfortunately, compress introduced a second
stub format with swap, contrary to the one in 'comp-lzo no' that does not
use swap.

Document this weirdness so that others do not fall into this trap.

v2: redo patch for rst man pages

Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200811110248.3396-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20708.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-11 13:06:39 +02:00
Arne Schwabe
c13d20fae3 Remove S_OP_NORMAL key state.
The key state is virtually identical to S_ACTIVE and we only did the
state transition from S_ACTIVE to S_OP_NORMAL at the point where we
normally would have timed out the TLS negotiation. This is not very
useful information to have and indeed we never use it anywhere.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200810143707.5834-14-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20674.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-11 10:44:45 +02:00
Arne Schwabe
4b4f5fe22f Move parsing IV_PROTO to separate function
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200810143707.5834-17-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20679.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-11 10:12:01 +02:00
Arne Schwabe
4edcf5710d Skip existing interfaces on opening the first available utun on macOS
This avoids the error messages trying to open already used utuns.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20200810143707.5834-15-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20665.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-10 20:48:55 +02:00
Arne Schwabe
42b39e987d Merge check_coarse_timers and check_coarse_timers_dowork
This simplifies the code a bit and makes the code flow clearer as
it only adds three curly brackets in check_coarse_timers. Merging the
resulting check_coarse_timers_dowork function into the caller and
called function, as with the other functions, does not make sense here
since it does more than the similar functions.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200810143707.5834-13-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20671.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-10 20:34:19 +02:00
Arne Schwabe
cd88d947b1 Eliminate check_tls wrapper function
Move check into caller.

Remove two in function forward declarations that are not needed from
check_tls_errors.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200810143707.5834-12-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20670.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-10 20:16:20 +02:00
Arne Schwabe
eed645b347 Eliminate check_incoming_control_channel wrapper function
Move the check that calls this function into the calling function.
Also eliminate the if (len) check in the
check_incoming_control_channel_dowork function as it is only called
if len is > 0 anyway and replace it with an ASSERT.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200810143707.5834-11-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20680.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-10 20:07:22 +02:00
Arne Schwabe
b7aebba256 Eliminate check_fragment function
This is another of the small wrapper functions where the check is
better moved into the calling function.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200810143707.5834-10-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20672.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-10 19:50:49 +02:00
Arne Schwabe
76ea0859c5 Rename check_ping_restart_dowork to trigger_ping_timeout_signal
Rename the function to better capture its actual function.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200810143707.5834-9-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20675.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-10 19:41:45 +02:00
Arne Schwabe
ce7ddaaf31 Split pf_check_reload check and check timer in process_coarse_timers
This moves the timer check into process_coarse_timers and makes it
in line with the other functions. The pf.enabled check is also moved
into process_coarse_timers to make it more clear this is only used if
pf is enabled at all.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200810143707.5834-8-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20664.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-10 18:35:37 +02:00
Antonio Quartulli
feacd01c58 travis: don't run t_net.sh test
Not all travis instances are fit for running the t_net.sh test due to
various configuration knobs that we have no access to.

Prevent failures by not running t_net.sh on travis at all.
The t_net.sh test is executed by other test rigs over which we have
more control.

The test is skipped by specifying RUN_SUDO=false which will make any
pre-test fail, forcing the Makefile to skip that particular test.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200810161723.25576-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20684.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-10 18:34:19 +02:00
Arne Schwabe
e963904474 Remove a number of check/do_work wrapper calls from coarse_timers
This indirection is not very helpful in understanding the code
flow.  Move the check to process_coarse_timers, remove the
check function, rename the do_work function to the "real" thing
and then drop the do_work wrapper as it does no longer serve a
purpose.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200810143707.5834-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20668.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-10 18:31:30 +02:00
Arne Schwabe
60200b9e1a Remove buf argument from link_socket_set_outgoing_addr
This was only used in a check that is better suited in the calling
functions. This also removes passing the buf argument to
link_socket_connection_initiated that also does not use that
parameter at all.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200810143707.5834-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20677.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-10 17:45:23 +02:00
Arne Schwabe
33773a0208 Clean up a number of leftover C89 initialisations in ssl.c
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200810143707.5834-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20666.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-10 17:28:51 +02:00
Arne Schwabe
2fdd332979 Minor cleanup in push.c
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200810143707.5834-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20678.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-10 17:08:49 +02:00
Arne Schwabe
bf42466dd0 Document different behaviour of dynamic cipher negotiation
This adds a section in the man page that details the various behaviours
of older clients/servers when using OpenVPN 2.5.

Patch V2: Include grammar/spelling fixes from
          Richard Bonhomme <tincanteksup@gmail.com>

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200810090032.4220-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20660.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-10 14:47:28 +02:00
Arne Schwabe
2c1d8c33d9 Rework NCP compatibility logic and drop BF-CBC support by default
This reworks the NCP logic to be more strict about what is
considered an acceptable result of an NCP negotiation. It also
allows us to finally drop support for BF-CBC as default cipher.

All new behaviour is currently limited to server/client
mode with pull enabled. P2p mode without pull does not change.

New Server behaviour:
- when a client announces its supported ciphers through either
  OCC or IV_CIPHER/IV_NCP we reject the client with an
  AUTH_FAILED message if we have no common cipher.

- When a client does not announce any cipher in either
  OCC or NCP we reject it unless data-ciphers-fallback is
  specified in either ccd/ or config.

New client behaviour:
- When no cipher is pushed (or a cipher we refused to support)
  and we also cannot support the server's cipher announced in
  OCC we fail the connection and log why

- If there is no cipher in OCC but data-ciphers-fallback is
  specified we will use the fallback cipher instead of failing the
  connection

Both client and server behaviour:
- We only announce --cipher xyz in occ if we are willing
  to support that cipher (always announce the cipher if
  NCP is disabled or not in --client mode)

  It means that we only announce the fallback-cipher if
  it is also contained in --data-ciphers

Compatibility behaviour:

In 2.5 both client and server will use a --cipher xyz present
in the config to automatically set --data-ciphers-fallback xyz
and also append this cipher to the end of data-ciphers.

We log a warning about this and point to --data-ciphers and
--data-ciphers-fallback. This also happens if the configuration
contains an explicit --cipher BF-CBC.

If --cipher is not set, we only warn that previous versions
allowed BF-CBC and point out how to re-enable BF-CBC. This will
break configs where someone connects a 2.3 client (or older)
to a 2.5 server AND has no explicit --cipher setting in the
server config.  We still do it, because at some point we need
to drop the BF-CBC default - and affected users already had the
scary SWEET32 warning in their logs for a long time.

In short: If --cipher is explicitly set then 2.5 will work the
same as 2.4 did. When --cipher is not set, BF-CBC support is
dropped and we warn about it.

Examples of how breaking the default BF-CBC will be logged:

Client side:
 - Client connecting to a server that does not push a cipher but
   has --cipher in OCC

    OPTIONS ERROR: failed to negotiate cipher with server.  Add the
            server's cipher ('BF-CBC') to --data-ciphers (currently
            'AES-256-GCM:AES-128-CBC') if you want to connect to this server.

 - Client connecting to a server that does not support OCC:

    OPTIONS ERROR: failed to negotiate cipher with server. Configure
            --data-ciphers-fallback if you want connect to this server.

Server Side:
- Server has a client only supporting BF-CBC connecting:

  styx/IP PUSH: No common cipher between server and client. Server
          data-ciphers: 'CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM:AES-256-CBC:AES-128-CBC', client supports cipher 'BF-CBC'.

 - Client without OCC:

   styx/IP PUSH:No NCP or OCC cipher data received from peer.
   styx/IP Use --data-ciphers-fallback with the cipher the client is using
           if you want to allow the client to connect

In all cases the client is rejected with this message:

   AUTH: Received control message: AUTH_FAILED,Data channel cipher
         negotiation failed (no shared cipher)

Signed-off-by: Arne Schwabe <arne@rfc2549.org>

Patch V2: rename fallback-cipher to data-ciphers-fallback
          add all corrections from Steffan
          Ignore occ cipher for clients sending IV_CIPHERS
          move client side ncp in its own function
          do not print INSECURE cipher warning if BF-CBC is not allowed

Patch V3: fix minor style, add null check when client sends no peerinfo at
          all

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200809141922.7853-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20656.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-10 13:41:57 +02:00
Lev Stipakov
dab34fdd06 Fix compilation with --disable-lzo and --disable-lz4
struct compress_options is defined under USE_COMP, therefore
compilation fails when it is referenced without that define.

Since the function show_compression_warning, which uses the aforementioned
struct, is only called under USE_COMP, it is safe to wrap its definition
under USE_COMP, which fixes the compilation issue.

Trac: #1308

Signed-off-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200805062548.38082-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20637.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-05 15:37:54 +02:00
Vladislav Grishenko
992e9cec40 Log serial number of revoked certificate
As it appears, commit 767e4c56be "Log
serial number of revoked certificate" hasn't survived the refactoring
of CRL handling.

In most situations the admin of an OpenVPN server needs to know which
particular certificate is used by a client.
In the case when the certificate is valid, an environment variable can be
used for that, but once it is revoked, no user scripts are invoked,
so there is no way to get the serial number; only the subject is logged.

Let's log the certificate serial in case it is revoked and additionally
log certificate depth & subject in crl-verify "dir" mode for better
consistency with crl file (non-dir) mode.

v2: log if serial is not available, require it in crl-verify dir mode

Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20200805102333.3109-1-themiron@yandex-team.ru>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20642.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-05 13:52:24 +02:00
Arne Schwabe
71d56aea89 client-connect: Add documentation for the deferred client connect feature
Signed-off-by: David Sommerseth <davids@openvpn.net>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>

Patch V5: Fix typos, clarify man page section about deferred client-connect
          script. Add section to Changes.rst

Patch V6: Convert manpage to rst

          It also incorporates suggested changes from Richard Bonhomme
          <tincanteksup@gmail.com> [0]

[0] Message-ID: <82c2d70f-e2f9-f810-2c55-788358a0cb08@gmail.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20331.html

Patch V7: Re-include the changes of Changes.rst and openvpn-plugin.h
          Clarify some parts of the documentation.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200720142703.3324-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20511.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-08-04 21:30:27 +02:00
Gert Doering
20b394746a Abort client-connect handler loop after first handler sets 'disable'.
The old code would run all (succeeding) handlers, then discover "one of
them set the 'disable' flag for this client", and then unroll all the
handlers.

Moving the 'disable' check into the loop makes it stop after the first
handler that fails (or succeeds and sets 'disable').  This is a bit
more logical in the log files, and has fewer potential side effects
due to running "later" client-connect handlers when we already know
they will have to be unrolled.

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200727183436.6625-2-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20612.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-28 09:46:04 +02:00
Gert Doering
08f3c1cab7 Fix sequence of events for async plugin v1 handler.
If multi_client_connect_call_plugin_v1() goes to "deferred mode",
*and* there is no OPENVPN_CLIENT_CONNECT_DEFER handler, we
would read the "client specific options" file after every
(succeeded-because-not-present) call to plugin_call().

Move this to "after we have checked the deferred-cc file, and we
know for sure that we have CC_RET_SUCCEEDED".

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200727183436.6625-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20613.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-28 09:45:10 +02:00
Steffan Karger
0a7af784c9 Gently push users towards --data-ciphers in --show-ciphers output
Also:
 * fix a typo in the openssl output ("may be use*d*")
 * mention GCM before CBC (we prefer AEAD modes)

Signed-off-by: Steffan Karger <steffan.karger@foxcrypto.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <E1k011A-0002yw-8S@sfs-ml-2.v29.lw.sourceforge.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20608.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-28 09:08:20 +02:00
Matthias Andree
5fde831c58 Fix stack buffer overruns in NEXTADDR() macro:
copy first, then round up the length when adding padding
to the advance.

Found by: GCC 9.3.0 (FreeBSD)

Signed-off-by: Matthias Andree <matthias.andree@gmx.de>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200717171818.230371-1-matthias.andree@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20461.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-27 11:06:02 +02:00
Arne Schwabe
342f9b78f1 Add a note that ncp-ciphers is replaced by data-ciphers
This patch adds a message that informs the user that ncp-ciphers
is renamed to data-ciphers. This should address the following concerns:

 - Users being confused by old options.
 - Nudge users to use the modern variant of an option

The man page already documents ncp-ciphers as an old name for
data-ciphers, so looking it up in the man page will also work.

Note that I did not add "deprecated old option" to this message
since I still think that eventually removing the option will only
break configs and we gain almost nothing from that.

Still accepting the option even though we do not recommend its usage
also follows the robustness principle of:
"be strict in what you send and tolerant in what you receive"

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200724142557.25204-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20573.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-27 10:17:30 +02:00
Arne Schwabe
30d19c6ebe Rename ncp-ciphers to data-ciphers
The change in name signals that data-ciphers is the preferred way to
configure the data channel (and not --cipher). The data prefix is chosen
to avoid ambiguity and make it distinct from tls-cipher for the TLS
ciphers.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
Message-Id: <20200717134739.21168-8-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20444.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-27 10:02:54 +02:00
Arne Schwabe
a3b21a76b8 Avoid sending push request after receiving push reply
The introduction of IV_PROTO_REQUEST_PUSH (c290df55) sometimes causes the
server to reply before we set up the push timer. The push reply will then
clear a timer that has not been set up yet. We then start sending push
requests after we have gone through the whole initialisation already.

This patch also clears the connection_established timer that sets up the
push request timer. This led to the

  management_set_state(management,  OPENVPN_STATE_GET_CONFIG, ...)

function not being called. But to display "waiting for configuration..." or
sending a "getting config state" after "initialisation" does not make sense
anyway.

Also add the IV_PROTO_REQUEST_PUSH feature as new feature in Changes.rst

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200725234803.22058-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20589.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-26 18:52:57 +02:00
Arne Schwabe
7cadbe24b6 Simplify calling logic of check_connection_established_dowork
The check event_timeout_defined in check_connection_established is
completely redundant as event_timeout_trigger will do the very same
check as its first action. Removing this check makes the function
superfluous. To further improve the code, move the check whether the
time has expired into process_coarse_timers.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200725234803.22058-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20588.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-26 16:51:42 +02:00
Arne Schwabe
1d86fae874 Include utun device number in utun error messages
For lack of a better API (or knowledge about a better API) we try to
open utun devices on macOS by trying utun0 to utun255 and use the
first one that works. On my Mac I already have 4 devices that
do nothing but are just there, and another VPN connection, resulting in a
number of error messages. This explicitly shows in the log which devices
we tried instead of some unspecific error.

This changes the log from:

Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
Opened utun device utun5

to

Opening utun0 failed (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
Opening utun1 failed (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
Opening utun2 failed (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
Opening utun3 failed (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
Opening utun4 failed (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
Opened utun device utun5

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Feature-ACK-by: "Jonathan K. Bullard" <jkbullard@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200725235023.22441-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20590.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-26 14:47:06 +02:00
Lev Stipakov
6d19775a46 wintun: remove SYSTEM elevation hack
As discussed a while ago on the mailing list and
community meetings, having the SYSTEM elevation hack
inside openvpn code is considered harmful.

Since interactive service is the recommended way
of using openvpn on Windows, limiting wintun usage to
interactive service should not be an issue.

Remove elevation hack code and provide an error message
telling the user to use interactive service or do SYSTEM
elevation himself via psexec.

Move implementation of register_ring_buffers() to header
and delete ring_buffer.c.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200724104841.89-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20567.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-25 10:10:38 +02:00
Gert Doering
96d57b0fc5 Repair --inetd
commit 25a422cc60 deprecated --inetd, which is still something we want.

Unlike all "usual" deprecated option warnings, we cannot print this at
option parsing time, because we need logging to be set up first - otherwise
the deprecation warning is sent via the socket (on stdin/stdout)
towards the connecting client, totally breaking this mode.

(Which is why we want to deprecate it: too special even for us)

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200724181324.19037-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20574.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-25 10:03:50 +02:00
Lev Stipakov
a7d6977e6e Improve Windows version detection with manifest
Add manifest file to detect Windows versions greater than Windows 8.

Below is example output on Windows 10.

Before:
        Windows version 6.2 (Windows 8 or greater) 64bit

After:
        Windows version 10.0 (Windows 10 or greater) 64bit

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200724195634.493-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20580.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-24 22:24:56 +02:00
Arne Schwabe
25a422cc60 Deprecate --inetd
This is a corner case of a corner case option. It only works with tcp,
tap and needs special configuration.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200723155937.1867-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20554.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-23 19:03:03 +02:00
Arne Schwabe
c290df558f Indicate that a client is in pull mode in IV_PROTO
This allows us to skip waiting for the first PUSH_REQUEST message from
the client to send the response.

This changes the interpretation of IV_PROTO from a scalar to a bitfield.
Since we only have IV_PROTO=2 defined so far and will support DATA_V2,
this should not cause any problem. This avoids adding another IV_xxx variable
that takes valuable space in the protocol frame.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>

Patch V2: Use bitmask for IV_PROTO_DATA_V2 and add more documentation.

Patch V3: Rewrite IV_PROTO paragraph in man page, incorporate spelling fixes
          by Richard Bonhomme <tincanteksup@gmail.com>

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200721163811.22745-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20525.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-22 11:00:09 +02:00
Arne Schwabe
4b59e2644a Avoid sending --cipher to clients not supporting NCP
The NCP rework introduced a regression of sending a --cipher
command as part of the push message when the client does not
support NCP. This is more a cosmetic issue since the client
will log that as a warning in the log and ignore it.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200717134739.21168-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20437.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2020-07-22 08:58:59 +02:00