Rename BufferAllocated --> BufferAllocatedRc
Buffer: split RC from BufferAllocated
Also make changes as needed where BufferAllocated is used
Buffer: Split allocation flags into own struct
Leaving flags in template causes each alias to have identical flags
by different names, which requires each type to pointlessly use
the nested name.
Make RC: Clean up headers buffer.hpp, make_rc.hpp
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
In the code base three different syntaxes for overriding virtual member
functions could be found:
1) virtual ... override
2) virtual ...
3) ... override
This converts all of them to the third syntax, as recommended by the ISO
C++ core guidelines in C.128
Signed-off-by: Heiko Hund <heiko@openvpn.net>
The host route to the VPN server disappeared when a mac client, using
the agent, was reconnecting. That was causing --redirect-gateway tunnels
to break because no traffic could be sent anymore. Cause for this was
some internal state in the agent not being reset when the utun device
is temporarily removed during the restart.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Previous to this --dns and DNS related --dhcp-options shared the same
code to apply the settings to Windows and macOS systems. So, both
options were pretty much just aliases, with --dns offering more and
finer grained settings that were mostly ignored.
Now --dhcp-options are applied the way they have always been and --dns
does it its own - the new - way. Reason for this behavioral change is
foremost that we want it to be the same between openvpn version 2 and
version 3. But there are also a few new features (e.g. DNSSEC), previously
not present with the --dhcp-options.
The name server and split-domain configuration is exclusively set via
NRPT on Windows, since it overrules any other resolver setting. If there
is no split DNS configured and all domains are resolved using the pushed
name server, we make sure that local domain names are still resolvable by
adding so called exclude NRPT rules, that make sure local domains get
resolved by their local DNS resolvers.
Since Windows does not know about alternative secure transports, the
'transport' and 'sni' settings are ignored.
For macOS the 'dnssec' setting is ignored in addition to that. Besides
that not much does change on that platform. In case of --dns options the
explicit values are used now. The API in use may be changed at a later time.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Setting ADAPTER_DOMAIN_SUFFIX for non-DHCP adapters requires
registry modification. For that, we need adapter GUID.
This passes adapter GUID from agent to client via /tun-open call
and then from client to agent via /tun-setup call, when adapter
domain suffix is set.
Github: #304
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Signed-off-by: Krasovskiy Saveliy Igorevich <skrasovskiy@ozon.ru>
This allows the test_proto.cpp to supress all the logging of this
class. This is also the only place in our project that actually uses
a non-default loglevel for this class. A lot of files were defining the
OPENVPN_LOG_SSL(x) macro to be what the also remove ssllog.hpp would do
anyway if it were not defined.
The removed debug_level field only controlled the mssfix
logging and is now controlled by the general protocol logging instead.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The current implementation of "get best gateway"
is completely unaware of IPv6. Because of that
agent-enabled client is not able to connect to IPv6
server. This happens because the first call to agent
(add-bypass-route) fails, since we pass IPv6 address,
which agent tries to intrepret as IPv4 and fails.
Moreover, "add bypass route" logic looks for the best gateway
for the given remote, and the API we use (GetIpForwardTable and
GetBestGateway) doesn't work with IPv6.
This adds IPv6 support to BestGateway class and "add bypass route"
logic. For that we use IPv6-aware API such as GetIpForwardTable2
and own IP::Addr/4/6 absactions.
Fixes OVPN3-959.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
When agent-enabled client disconnects, it signals
destroy_tun event, which signals to agent that tun
has to be teared down. For dco-win, event handle is passed
to agent with /tun-open request.
Before sending /establish request, client closes previous
tun instance. Closing tun involves signaling destroy_tun event.
Event handle is closed after signaling, and here we have a problem:
- client calls /tun-open and passes event handle to agent
- client calls /establish, and before that it signals destroy_tun
event, which handle is now closed
- at some point client disconnects and signals tun_destroy event
Since event was already signaled and its handle is closed, nothing
happens and agent doesn't tear tun down. As a consequence, DNS
resolution might not work if DNS is overriden by VPN.
When client exits, agent tears tun down by failsafe logic. This doesn't
work for Connect client, which obviously doesn't exit on disconnect.
Fix this problem by avoiding signaling event between /tun-open
and /establish requests. This is done by not adding tun_setup
destructor (which signals event) to tun_persist right after /tun-open
call. There is nothing to tear down at that point yet since tun is
opened later by /establish call.
As a downside of this approach, we lose callback in client code
if agent process dies in between /tun-setup and /establish. This is
not a big problem IMO and can be fixed later.
In addition to that, send destroy_tun event also in /establish
request when using dco. This is needed to cover persist-tun case
when we reconnect and get new tun options. In this case we instantiate
new tun_setup instance, but don't call /tun-open since we keep tun
handle. Hence we have to pass destroy_tun event via /establish request.
Fixes https://github.com/OpenVPN/openvpn3/issues/257
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This is the result after running 'clang-format -i' on all C++ files and
headers, with the defined formatting rules in .clang-format.
Only the openvpn/common/unicode-impl.hpp has been excluded, as that is
mostly a copy of an external project.
Signed-off-by: David Sommerseth <davids@openvpn.net>
In case of dco-win persist tun, adapter state (index and name)
persists over lifetime on TunSetup object. Add setter/getter
for adapter state to TunSetup.
While on it, ensure that TunSetup::establish() doesn't
acquire adapter handle for dco - this is done by another
dco-specific "get_handle" method. The handle is not
really used by establish() method when using dco-win.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Signed-off-by: Christopher Ng <facboy@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Patchwork-Id: 2510
URL: https://patchwork.openvpn.net/patch/2510/
Message-Id: <20220607163049.10056-1-facboy@gmail.com>
Signed-off-by: David Sommerseth <davids@openvpn.net>
Remove the vars-osx64 and vars-iossim files which are no longer used.
The IOS simulator does not support the VPN API and builds for the
IOS simulator have not been done in a very long time nor are they
particular useful.
Also switch to pkg-config for jsoncpp by default.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Local DNS resolvers, such as Umbrella Roaming Client,
change DNS settings on adapters to 127.0.0.1.
This may not work with openvpn3 because:
- NRPT rule might be created for "." zone,
which redirects all DNS requests to the server
specified in rule. This takes precendence over adapters'
DNS settings.
- DNS requests might be blocked on all adapters
except TAP (tap-windows6/wintun/ovpn-dco-win) to prevent
DNS leaks.
To enable compatibility with local DNS resolvers, add
"allowLocalDnsResolvers" core config option, which,
when enabled, makes core to
- avoid creating NRPT rule for "." zone
- permit DNS requests to 127.0.0.1 / ::1
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Windows agent has been moved from common to core,
so for consistency move mac agent too.
Since agent and agent-enabled client depend on jsoncpp,
also move jsoncpp build scripts.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
The CMakeLists.txt settings from the project root directory are
inherited by the defined subdirectories automatically.
Also switch to a simpler way of setting the CMAKE_MODULE_PATH.
According to the CMake documentation, this variable is empty by
default [1] and should not need to pull in existing settings.
Finally remove the comment regarding CMake's use case, as we are
moving towards full CMake support for OpenVPN 3.
Signed-off-by: David Sommerseth <davids@openvpn.net>
We skipped bypass route installation if new host address is the same
as previous one. This didin't take into account case when network
has changed and gateway for the host could change.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
When adding bypass route to remote we always use
default gateway. This doesn't work when remote is not
reachable via default gateway (local network,
custom route - OVPN3-653).
Implement "get best gateway" logic by traversing routing
table and find gateway with longest prefix match and
highest metric.
In case of seamless tunnel and redirect-gw "get best gateway"
will return VPN gateway when adding bypass route during reconnect
to another remote. VPN tunnel is likely broken at this point
and bypass route via VPN make reconnect impossible.
Fix that by storing VPN interface index and, when finding best gateway,
filter routes which use VPN interface.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Although the init calls were protected by a mutex more than consumer of
the API will the second one if the uninit was called too early.
While at it, move from explicit init/uninit calls to RAII.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This is needed to make openvpn-gui client work with openpvn3.
openvpn-gui passes all information, required to start vpn session,
to agent via named pipe. Agent impersonates another end of pipe,
which is gui process, running under user privileges, and starts
openvpn process.
openvpn-gui generates a random password, which is written by agent
into openvpn process's stdin. That password is used by openvpn-gui to
connect to openvpn's management interface.
openvpn-gui creates an event with unique name, which it is passed
to openvpn via command line. When user disconnects VPN session, gui
sets event into signalled state. openvpn waits on event and, when it is signalled, quits.
Signed-off-by: Lev Stipakov <lev@openvpn.net>