openvpn

mirror of https://github.com/OpenVPN/openvpn.git synced 2024-09-19 19:42:30 +02:00

History

Heiko Hund bf887c95e4 Windows: enforce 'block-local' with WFP filters In an attempt to better defend against the TunnelCrack attacks, enforce that no traffic can pass to anything else than the VPN interface when the 'block-local' flags is given with either --redirect-gateway or --redirect-private. Reuse much of the existing --block-outside-dns code, but make it more general, so that it can also block any traffic, not just port 53. Uses the Windows Filtering Platform for enforcement in addition to the routes redirecting the networks into the tunnel. Change-Id: Ic9bf797bfc7e2d471998a84cb0f071db3e4832ba Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Lev Stipakov <lstipakov@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20240605123856.26267-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28717.html Signed-off-by: Gert Doering <gert@greenie.muc.de>		2024-06-05 19:22:43 +02:00
..
doxygen	dist: Include all documentation in distribution	2023-06-21 14:35:19 +02:00
man-sections	Windows: enforce 'block-local' with WFP filters	2024-06-05 19:22:43 +02:00
tests	sample-plugin: New plugin for testing multiple auth plugins	2022-03-15 16:29:22 +01:00
android.txt	Update android.txt to reflect more recent changes.	2022-09-12 09:10:23 +02:00
CMakeLists.txt	CMake: Support doc builds on Windows machines that do not have .py file association	2023-07-06 13:52:24 +02:00
gui-notes.txt	Document common uses of 'echo' directive, re-enable logging for 'echo'.	2021-01-20 20:18:07 +01:00
interactive-service-notes.rst	Add Interactive Service developer documentation	2018-06-09 20:14:26 +02:00
keying-material-exporter.txt	Fix various spelling mistakes	2019-02-06 19:07:34 +01:00
Makefile.am	Update Copyright statements to 2024	2024-03-18 18:46:26 +01:00
management-notes.txt	Make sending plain text control message session aware	2023-03-20 17:15:38 +01:00
openvpn-examples.5.rst	Add detailed man page section to setup a OpenVPN setup with peer-fingerprint	2021-08-01 19:47:44 +02:00
openvpn.8.rst	Update the last sections in the man page to a be a bit less outdated	2023-02-14 14:03:45 +01:00
README.man	doc/man: convert openvpn.8 to split-up .rst files	2020-07-17 11:23:18 +02:00
README.plugins	build: integrate plugins build into core build	2012-06-26 11:29:02 +02:00
tls-crypt-v2.txt	Implement HMAC based session id for tls-crypt v2	2022-05-06 14:16:05 +02:00

README.plugins

OpenVPN Plugins
---------------

Starting with OpenVPN 2.0-beta17, compiled plugin modules are
supported on any *nix OS which includes libdl or on Windows.
One or more modules may be loaded into OpenVPN using
the --plugin directive, and each plugin module is capable of
intercepting any of the script callbacks which OpenVPN supports:

(1) up
(2) down
(3) route-up
(4) ipchange
(5) tls-verify
(6) auth-user-pass-verify
(7) client-connect
(8) client-disconnect
(9) learn-address

See the openvpn-plugin.h file in the top-level directory of the
OpenVPN source distribution for more detailed information
on the plugin interface.

Included Plugins
----------------

auth-pam -- Authenticate using PAM and a split privilege
            execution model which functions even if
            root privileges or the execution environment
            have been altered with --user/--group/--chroot.
            Tested on Linux only.

down-root -- Enable the running of down scripts with root privileges
             even if --user/--group/--chroot have been used
             to drop root privileges or change the execution
             environment.  Not applicable on Windows.

examples -- A simple example that demonstrates a portable
            plugin, i.e. one which can be built for *nix
            or Windows from the same source.

Building Plugins
----------------

cd to the top-level directory of a plugin, and use the
"make" command to build it.  The examples plugin is
built using a build script, not a makefile.