Currently PG only allows to either send or withhold the reason to the
client but there are certain circumstances where you want to have more
detailed internal reason but still want to send some reason to the
client.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
-- disambiguate new_obj(): new_man_obj(), new_tun_obj
-- remove obfuscatory typedef <class> Base; use <class>
-- in servproto.hpp typedef ProtoContext::ProtoConfig to ProtoConfig
since Arne's already disambiguated Config
-- disambiguate Link<>: TCPLink<>, UDPLink<>
Added TODO comment on unneeded version of control_net_recv()
Signed-off-by: Mark Deric <jmark@openvpn.net>
This is the result after running 'clang-format -i' on all C++ files and
headers, with the defined formatting rules in .clang-format.
Only the openvpn/common/unicode-impl.hpp has been excluded, as that is
mostly a copy of an external project.
Signed-off-by: David Sommerseth <davids@openvpn.net>
This change replaces the boolean add_bypass_routes with a new
flags parameter -- set the TunConfigFlags::ADD_BYPASS_ROUTES
flag to achieve the same functionality.
We also add some new flags for finer-grained control over
actions taken by tun_config:
* TunConfigFlags::DISABLE_IFACE_UP -- disable bringing the interface up
* TunConfigFlags::DISABLE_REROUTE_GW -- disable redirect-gateway
Signed-off-by: James Yonan <james@openvpn.net>
* renamed ManClientInstanceSend to ManClientInstance::Send
* renamed ManClientInstanceRecv to ManClientInstance::Recv
* renamed ManClientInstanceFactory to ManClientInstance::Factory
* renamed TransportClientInstanceSend to TransportClientInstance::Send
* renamed TransportClientInstanceRecv to TransportClientInstance::Recv
* renamed TransportClientInstanceFactory to TransportClientInstance::Factory
* renamed TunClientInstanceRecv to TunClientInstance::Recv
* renamed TunClientInstanceSend to TunClientInstance::Send
* renamed TunClientInstanceFactory to TunClientInstance::Factory
Other related refactorings/removals:
Changes to ManClientInstance::Send:
* Added pre_stop() method.
* Renamed set_acl_id() to set_acl_index().
Changes to ManClientInstance::Recv:
* In push_reply(), removed routes and initial_fwmark parameters.
* Removed set_fwmark() method.
* Added tun_native_handle() method to return the tun socket
file descriptor and peer_id of a client instance.
Changes to ServerProto:
* Added C++11 override attribute to overridden virtual methods
Signed-off-by: James Yonan <james@openvpn.net>
to HTTP CONNECT but implemented over the OpenVPN protocol.
1. Client connects to relay server as if it were connecting
to an ordinary OpenVPN server.
2. Client authenticates to relay server using its client
certificate.
3. Client sends a PUSH_REQUEST method to relay server which
then replies with a RELAY message instead of PUSH_REPLY.
4. On receiving the RELAY message, the client attempts to
reconnect using the existing transport socket. The
server will proxy this new connection (at the transport
layer) to a second server (chosen by the relay server)
that is the target of proxy.
5. The client must establish and authenticate a new session
from scratch with the target server, only reusing the
transport layer socket from the original connection to
the relay server.
6. The relay acts as a man-in-the-middle only at the
transport layer (like most proxies), i.e. it forwards
the encrypted session between client and target server
without decrypting or having the capability to decrypt
the session.
7. The client is designed to protect against potentially
untrusted or malicious relays:
(a) The client never transmits the target server
username/password credentials to the relay server.
(b) The relay forwards the encrypted OpenVPN session
between client and target server without having
access to the session keys.
(c) The client configuration has a special directive
for relay server CA (<relay-extra-ca>) and relay
server tls-auth key (<relay-tls-auth>) to allow
for separation of TLS/crypto configuration between
relay and target servers.
(d) The client will reject any PUSH_REPLY messages
from the relay itself to prevent the relay from
trying to establish a tunnel directly with the
client.
Example configuring a client for relay:
# remote addresses point to the relay server
remote ... 1194 udp
remote ... 443 tcp
# include all other directives for connecting
# to the target server
# enable relay mode
relay-mode
# constrain the relay server's cert type
relay-ns-cert-type server
# include extra CAs that validate the relay
# server cert (optional).
<relay-extra-ca>
-----BEGIN CERTIFICATE-----
. . .
-----END CERTIFICATE-----
</relay-extra-ca>
# specify the TLS auth key for the relay server
relay-key-direction 1
<relay-tls-auth>
-----BEGIN OpenVPN Static key V1-----
. . .
-----END OpenVPN Static key V1-----
</relay-tls-auth>
* Make class Route standalone, moving it out of namespace
CIDRMap.
CryptoAlgs:
* Added comments
* For type-safety, mode() now returns a Mode rather than an
int.
CryptoDC:
* Added CRYPTO_DEFINED flag to indicate when encrypt() and
decrypt() methods are implemented by a data channel
provider.
Manage:
* Implemented skeleton management API for server-side client
authentication and managing client-instance properties.
Proto:
* Added Config::update_dc_factory() method.
* Support new CryptoDCInstance::CRYPTO_DEFINED flag.
* Updated server_auth() method to support SafeString transit
of client-provided auth-user-pass password to management
layer.
* control_send now does a reset() on the provided
Ptr reference before returning to reflect the
transfer-of-ownership of the underlying buffer.
* Implemented disable_keepalive() and override_dc_factory
methods.
Transbase (server) new methods:
// disable keepalive for rest of session
virtual void disable_keepalive() = 0;
// override the data channel factory
virtual void override_dc_factory(const CryptoDCFactory::Ptr& dc_factory) = 0;
// override the tun provider
virtual TunClientInstanceRecv* override_tun(TunClientInstanceSend* tun) = 0;
ServProto:
* Added abstract base classes for Tun factories and client instance
sender/receivers.
* Added Tun and Management linkages.
* Added new receiver methods for overriding the data channel
factory, Tun factory, and keepalive config.
* Added AuthCreds support.