Add dynamic loader flag feature to bundled pkcs11-helper.
Required to allow special handling for PKCS11 providers on win32.
Signed-off-by: Marc Becker <marc.becker@astos.de>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20221214143325.2604-1-marc.becker@astos.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25691.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Add vcpkg manifest file which lists
dependencies and enable manifest usage in
project file.
This simplifies build process by eliminating
separate "vcpkg install" step to install dependencies.
Since vcpkg added openssl3 port, remove ours.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220505121449.347-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24285.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This release has merged win32 support patch,
so our own patch could be removed from the port.
Upstream archive format changed back to BZIP2.
Signed-off-by: Marc Becker <becm@gmx.de>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20220423135704.88164-1-becm@gmx.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24180.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
While on it, remove deprecated vcpkg_fail_port_install().
since we don't care about UWP/Linux/OS X here.
Also bump github actions's vcpkg commit id.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220317122357.111-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23985.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
"make dist" uses 'tar -o' which breaks on long filenames:
tar:
openvpn-2.5.6/contrib/vcpkg-ports/pkcs11-helper/0003-config-w32-vc.h.in-ind
icate-OpenSSL-EC-support.patch:
file name is too long (max 99); not dumped
tar: Exiting with failure status due to previous errors
and then "make dist" continues.
Make filename shorter to make tar happy.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220316135411.217-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23977.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Having .dll for a single executable doesn't make
much sense. Static linking removes 117kb .dll
and grows .exe size by only 4kb.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220216134227.147-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23807.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Add openssl3 vcpkg port, which is slightly modified version of
openssl1.1.1 port from official vcpkg repo.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20220126123502.403-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23662.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
We always build with OpenSSL >= 1.1.1, which has EC support.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220111150647.267-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23527.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This release has merged openssl 1.1.1 support patch,
so our own patch could be removed from the port.
Remove unconditional /release flag, which is added by vcpkg
for release builds. Having this flag unconditionally breaks vcpkg
debug builds.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220111150605.208-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23526.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Starting from commit 21b2dbd3 "[scripts-audit] nmake buildsystem"
vcpkg has removed NO_DEBUG support from nmake buildsystem
and now builds debug variant unconditionally. Debug flags contradict
build options hardcoded in pkcs11 nmake script (like /O2).
Remove hardcoded release options and other options which
are (also) set by vcpkg nmake buildsystem.
Bump vcpkg commit in GitHub actions.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211124100838.861-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23253.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commits
- 92535b6 ("contrib/vcpkg-ports: add openssl port with
--no-autoload-config option set (CVE-2121-3606)")
- 447cfb4 ("crypto_openssl.c: disable explicit initialization on Windows
(CVE-2121-3606)")
disabled OpenSSL config loading functionality, which could be
exploited by loading config from untrusted locations.
This feature might be useful for some users. This brings it back
and sets OpenSSL enviroment variables
OPENSSL_CONF, OPENSSL_ENGINES, OPENSSL_MODULES
which are used to load config, engines and modules, to a trusted location.
The location is constructed based on installation path, read from registry
on startup.
If installation path cannot be read, Windows\System32 is used as a
fallback.
While on it, remove unused "bool impersonate_as_system();" declaration.
Trac: #1296
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20211119015548.687-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23248.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
MSFT has merged PR to vcpkg which
added OPENSSL_NO_AUTOLOAD_CONFIG option
https://github.com/microsoft/vcpkg/pull/18389
This means that we don't need to have our own openssl port
and instead we just add
set(OPENSSL_NO_AUTOLOAD_CONFIG ON)
to our custom triplets.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210628080832.510-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22616.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
In default configuration OpenSSL loads config from
certain location on disk, for example
c:\vcpkg\packages\openssl_x64-windows\openvpn.cnf
which may pose a security risk.
There is "no-autoload-config" config option for OpenSSL
which disables this functionality:
https://github.com/openssl/openssl/pull/5959
however it is not "exported" to vcpkg.
This adds openssl port overlay which sets "no-autoload-config"
config option. Here is the diff (indented with "!" to avoid
confusing "git am"):
! diff --git a/ports/openssl/windows/portfile.cmake
! b/ports/openssl/windows/portfile.cmake
! index 7a3bf08ed..c873eb756 100644
! --- a/ports/openssl/windows/portfile.cmake
! +++ b/ports/openssl/windows/portfile.cmake
! @@ -21,6 +21,7 @@ set(CONFIGURE_OPTIONS
! enable-capieng
! no-ssl2
! no-tests
! + no-autoload-config
! -utf-8
! ${OPENSSL_SHARED}
! )
There is also corresponsing PR to vcpkg:
https://github.com/microsoft/vcpkg/pull/18389
When above PR is merged, this port overlay can be removed.
CVE: 2121-3606
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210617061259.297-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22569.html
Commit 36b9aa "contrib/vcpkg-ports: add pkcs11-helper port"
has trimmed trailing white space in .patch files and thus corrupted them.
Restore trailing whitespaces to "uncorrupt" patches.
** applied with git am --whitespace=nowarn **
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-By: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210615104331.210-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22553.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
pkcs11-helper is a dependency library used by OpenVPN.
So far it has been built only by mingw.
Since we're making MSVC build system a first class citizen,
we need to build depencencies with MSVC, which we do with vcpkg.
All dependencies are in vcpkg official repo, expect pkcs11-helper.
This provides vcpkg port for building pkcs11-helper.
Example usage:
vcpkg --overlay-ports=<openvpn>\contrib\vcpkg-ports install pkcs11-helper
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210607104213.216-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22503.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This finally enables standalone MSVC building, without
dependency on openvpn-build/msvc. This makes MSVC build
process much simpler.
Dependencies are managed by vcpkg. To install dependencies, run:
> vcpkg --overlay-ports=<openvpn>\contrib\vcpkg-ports
--overlay-triplets=<openvpn>\contrib\vcpkg-triplets install
lz4:x64-windows-ovpn lzo:x64-windows-ovpn
openssl-windows:x64-windows-ovpn pkcs11-helper:x64-windows-ovpn
tap-windows6:x64-windows-ovpn
To build for other arch, use x86-windows-ovpn or arm64-windows-ovpn.
Custom triplets are defines so that lz4 is linked statically and
other libraries dynamically.
Since we don't have CMake support yet, we cannot use vcpkg manifest
mode, since it doesn't work with overlay ports
(https://github.com/microsoft/vcpkg/issues/12289),
therefore this one-time manual dependency installation is required.
While on it, bump msvc-generate project target version to VS2019 and
cleanup leftovers from compat.vcxproj.filters.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210514045704.686-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22389.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When --crl-verify is enabled, specified CRL file gets reloaded on
every client connection. With huge CRL files it may take a significant
amount of time - seconds and tens of seconds, during which OpenVPN is
blocked and can't serve existing and/or incoming connections due its
singlethread nature.
In alternative mode --crl-verify option takes directory containing
files named as decimal serial numbers of the revoked certificates and
'dir' flag, revoked certificate check is being done by checking the
presence of client's certificate number in that directory.
This script allow to perform incremental extraction of revoked serial
numbers from CRL by adding absent ones and removing excess ones.
Usage example:
extractcrl.py -f pem /path/to/crl.pem /path/to/outdir
extractcrl.py -f der /path/to/crl.crl /path/to/outdir
cat /path/to/crl.pem | extractcrl.py -f pem - /path/to/outdir
cat /path/to/crl.crl | extractcrl.py -f der - /path/to/outdir
Output example:
Loaded: 309797 revoked certs in 4.136s
Scanned: 312006 files in 0.61s
Created: 475 files in 0.05s
Removed: 2684 files in 0.116s
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20201002215146.31324-1-themiron@yandex-team.ru>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21154.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The autumn of 2017, OpenVPN Technologies, Inc changed name to just
OpenVPN Inc. Otherwise, extend the copyright to cover 2018 as well.
With the exception of the company name change, all changes have been
performed by the dev-tools/update-copyright.sh script.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180131140314.11103-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16418.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This makes the down script work both as regular down script as well as
with the
down-root plugin. The up script is just changed for consistency.
Signed-off-by: Conrad Hoffmann <ch@bitfehler.net>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20170802181435.14549-2-ch@bitfehler.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15165.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
After the security audits performed by Cryptography Engineering the
spring of 2017 [1], there were several concerns about the contrib code
for the macOS keychain support. After more careful review of this
code base, it was considered to be in such a bad shape that it will
need a massive overhaul. There were more issues than what the security
audit revealed.
It was attempted several times to get in touch with the contributor
of this code; with no response at all [2]. There has however
been some discussions with the Tunnelblick project [3]. There is one
person there willing to go through this and improve the situation.
The main Tunnelblick maintainer is also willing to include the improved
code to their project instead of having this as a contrib code in
the upstream OpenVPN project.
So this patch just removes the code which we will no longer
ship as part of OpenVPN - and the Tunnelblick project will take
over the responsibility for this code base on their own. And since
this code base is purely macOS specific, this seems to be a far
better place for this code to reside.
Signed-off-by: David Sommerseth <davids@openvpn.net>
[1]
<http://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineer
Audits#OVPN-04-1:PossibleNULLpointerderefenceincontribkeychain-mcdcert_data
.c>
[2]
<https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14559.
html>
[3] <https://github.com/Tunnelblick/Tunnelblick/pull/369>
Acked-by: Jonathan K. Bullard <jkbullard@gmail.com>
Message-Id: <20170725130314.12919-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15130.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
The COPYRIGHT.GPL file was slightly out-of-sync with the last GPLv2
license from Free Software Foundation, Inc.
The changes are primarily a new address, which required touching almost
all the project files.
Except of that, it is just minor adjustments to formatting, removal of
form-feed characters and referencing "GNU Lesser General Public License"
instead of "GNU Library General Public License".
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170329093648.10156-1-davids@openvpn.net>
URL: https://www.mail-archive.com/search?l=mid&q=20170329093648.10156-1-davids@openvpn.net
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is the first commit of the big reformatting task. This
is performed by running the ./dev-tools/reformat-all.sh script.
This is based upon the v3 reformat-all.sh/uncrustify.conf version
which is now applied to git master.
Signed-off-by: David Sommerseth <davids@openvpn.net>
When no DOMAIN is received from push/pull, do not add either domain or
search to the resolv.conf. Fix typo in comment resolv.con[f]. Only add
new line when using domain or search.
URL: https://github.com/OpenVPN/openvpn/pull/34
Acked-by: Steffan Karger <steffan@karger.me>
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <1463736310-17846-1-git-send-email-samuli@openvpn.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11682
Signed-off-by: David Sommerseth <dazo@privateinternetaccess.com>
As reported in trac #582, the OCSP_check.sh script should use grep -E,
instead of grep -F when it uses ^ in the expression.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1456409434-14784-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11254
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This patch adds support for using certificates stored in the Mac OSX
Keychain to authenticate with the OpenVPN server. This works with
certificates stored on the computer as well as certificates on hardware
tokens that support Apple's tokend interface. The patch is based on
the Windows Crypto API certificate functionality that currently exists
in OpenVPN.
This patch version implements management client which handles RSA-SIGN
command for RSA offloading. Also it handles new 'NEED-CERTIFICATE'
request to pass a certificate from the keychain to OpenVPN.
OpenVPN itself gets new 'NEED-CERTIFICATE" command which is called when
--management-external-cert is used. It is implemented as a multiline
command very similar to an existing 'RSA-SIGN' command.
The patch is against commit 3341a98c28.
v4:
- added '--management-external-cert' argument
- keychain-mcd now parses NEED-CERTIFICATE argument if 'auto' is passed
as cmdline's identity template
- fixed typo in help output option name
- added '--management-external-cert' info in openvpn(8) manpage
- added 'certificate' command documentation into doc/management-notes.txt
v3:
- used new 'NEED-CERTIFICATE' command for certificate data request
instead of 'NEED-OK'
- improved option checking
- improved invalid certificate selection string handling
- added man page for keychain-mcd
- handle INFO, FATAL commands from openvpn and show them to user
* ACK from Arne Schwabe for OpenVPN part
* ACK from James based on Arne's testing
v2 (http://sourceforge.net/p/openvpn/mailman/message/33225603/):
- used management interface to communicate with OpenVPN process
v1 (http://sourceforge.net/p/openvpn/mailman/message/33125844/):
- used RSA_METHOD to extend openvpn itself
Signed-off-by: Vasily Kulikov <segoon@openwall.com>
--
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20150225160718.GA6306@cachalot>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9486
Signed-off-by: Gert Doering <gert@greenie.muc.de>
in case the reposnses are too old, ocsp tool can return text like this:
Response verify OK
ca/cert.pem: WARNING: Status times invalid.
139990703290240:error:2707307D:OCSP routines:OCSP_check_validity:status
expired:ocsp_cl.c:358:
good
This Update: Sep 21 12:12:48 2014 GMT
Next Update: Sep 22 12:12:48 2014 GMT
light change in buffering can cause "verify OK" and "ca/cert.pem: good"
to be placed in a way that matching will be valid
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1411727041-11884-2-git-send-email-hkario@redhat.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9055
Signed-off-by: Gert Doering <gert@greenie.muc.de>
when openssl returns result of parsing and verification of the
OCSP response, the signature verification is separate from the certificate
status, as such it's necessary to check both of them.
Otherwise results like:
Response Verify Failure
140170966779776:error:27069076:OCSP routines:OCSP_basic_verify:signer
certificate not found:ocsp_vfy.c:85:
ca/cert.pem: good
This Update: Sep 23 12:12:28 2014 GMT
will be accepted as being trustworthy.
Note that "Response verify OK" is printed on stderr, so it can't
be discarded.
Signed-off-by: Hubert Kario <hkario@redhat.com>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1411727041-11884-1-git-send-email-hkario@redhat.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9054
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is an extra fix needed on top of 959d607, which already changes the
serial parameter to correctly use decimal representation.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1398588561-18964-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8650
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Commit 7d5e26cbb5 fixed extracting serial but did not change the format,
which always has been decimal. This patch fixes the manpage and
OSCP.sh script to conform with the implementation.
Acked-by: James Yonan <james@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1396001222-5033-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8409
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Jesse Young <jesse.young@gmail.com>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
contrib/OCSP_check/OCSP_check.sh:
I discovered that, quite surprisingly, the exit status of "openssl ocsp"
is 0 even if the certificate status is "revoked". This means that the
logic of the script needs to be rewritten so that it parses the output
returned by the query and explicitly looks for a
"0x<serial number>: good"
line, and exit if either the command has a non-zero exit status, or the
above line is not found.
Doing that portably without bashisms requires some juggling around, so
perhaps the code is slightly less clean now, but it does have many
comments.
Signed-off-by: Davide Brini <dave_br@gmx.com>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
contrib/OCSP_check/OCSP_check.sh:
New barebone script to demonstrate how to use $tls_serial_{n}
to perform simple OCSP queries using OpenSSL command line
"openssl ocsp". Minimal sanity checks to fail if user tries to
use it without customizing.
openvpn.8:
Added some notes about $tls_serial_{n} format and usage to the
existing description.
ssl.c:
correctly manage and export serial numbers of any size (as
parsed by OpenSSL) into the environment. Set to empty string
in case of errors, as 0 and negative numbers are all possible
(although illegal) certificate serial numbers. Use an OpenSSL
BIO object to do the job. Conforms to coding style guidelines.
See the discussion at
http://article.gmane.org/gmane.network.openvpn.devel/3588
for more details.
Signed-off-by: Davide Brini <dave_br@gmx.com>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
In commit a9c9a89e96 the
client.{up,down} scripts where overhauled and bashism was removed.
During that process, a #! change was missing.
Signed-off-by: Davide Brini <dave_br@gmx.com>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Patch arrived from Davide Brini:
- No more bashisms (AFAICT). Should work with any POSIX-compatible shell
(which means "almost all reasonably recent shells"), though I've only tested
with bash and dash.
- Unnecessary calls to external tools (sed) removed
- Manages multiple DNS and DOMAIN options. Each DNS option becomes a
"nameserver" line in the new resolv.conf (up to a maximum of 3). If there's a
single DOMAIN option, it becomes a "domain" line in resolv.conf; otherwise,
all the domains are listed in a "search" line in resolv.conf (eg "search
foo.com example.net").
- Client.up renames the existing resolv.conf and creates a brand new one;
client.down restores it from the saved copy when the VPN terminates (the usual
rules about running as root apply). This is how Gentoo does that; the old
scripts instead added/removed some lines at the beginning of the file, which
looks a less clean approach to me. The rename approach also dramatically
simplifies and shortens client.down, as you'll see.
- Uses resolvconf if it's available (detected by the presence of
/sbin/resolvconf) rather than writing to resolv.conf directly. Not sure
whether this is a Linux-only thing or other systems use it though.
Script has been smoke tested on Fedora 12 with OpenVPN 2.1.1 without
the resolvconf package , and in addition Debian Lenny with
OpenVPN 2.1_rc11 according to the patch.
Signed-off-by: Davide Brini <dave_br@gmx.com>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>