Remove the exception for the item in use when re-resolving a RemoteList.
This can be done now that Items are referred to with a smart pointer
instead of a direct reference from outside.
Instead reset the address index for that item, so that it doesn't point
to a potentially non-existent address.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Returning a reference can be harmful, since Items can potentially disappear
during lookup of hostnames. Thus, return a refcounted Ptr instead, so
that external references to internal data don't restrict RemoteList in
its daily business.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
first_item() returns a nullptr in case there's no first item in the
RemoteList. This behavior can be achieved by calling defined() before
get_item(0). In addition to that, existing code failed to check for
nullptr and dereferenced whatever was returned. Thus the method was
considered harmful and is removed.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
This is done to silence the inconsistent-missing-override warning, which
is new, since we introduced override into the files. I guess it is best
practice anyway, since C++11. So, no hard feelings.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Instead of using the quite abstract 'primary' and 'secondary', change
them to what they are actually indexing: items and item's addresses.
While at it, also rename private RemoteList methods primary_index()
and secondary_length().
This came up during code review, since it wasn't completely clear to the
uninitiated what it was indexing in the first place.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Since we're now using it to also re-lookup stale RemoteList items the
new name makes more sense. Also changed the NotifyCallback method to
bulk_resolve_done().
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Try to resolve and cache addresses again each time the tunnel is
re-negotiated. Only items which are beyond their lifetime are considered.
This is done hoping that the VPN DNS is able to resolve server addresses
correctly, so that those --remotes which have changed addresses can be
used again in the future.
The motivation for this change was slowly but steadily outdated pre-cached
remotes when --persist-tun is used. Eventually all cached addresses are
outdated, resulting in loss of connection.
While this approach is not guaranteed to work, it's probably better than
doing nothing.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Add a NotifyCallback for tunnel renegotiation. It is called whenever
a secondary KeyContext reaches the active state, i.e. is fully negotiated.
The already existing virtual active() method is extended to have a bool
parameter to signal if it was the primary (i.e. first) or a secondary
KeyContext which was negotiated, so that ClientProto can call the
callback then.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Take option value if pushed for the next round of remote address
caching.
Since the push replies are processed in Session, we need to extend the
transport slightly to process pushed options. There was no need so far,
since transport options are used before the session starts. The remote
cache timeout is currently the only exception to this rule.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
The option allows to set a lifetime in seconds after which cached
RemoteList::Item addresses are considered stale. The option is also
pushable.
It is useful in case persist-tun prevents regular lookup of hostnames
and the cached addresses need to be updated without restarting the
tunnel.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
reset() of the index is moved from start() to the c'tor, so that it is
only done once, i.e. a repeated call of start() doesn't change the
index.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Instead of reset()ing the index after potential prunes, maintain the
current index via Index::set_primary(), so that it is still valid when Items
before it are pruned.
It is mainly done, so that RemoteList::PreResolve is able to keep the
current index intact.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Add method to set the primary index. Needed when the Item list is
to be reorganized without reset()ing the index.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
If caching of addresses is disabled, reset_item() only after all resolved
addresses of an item have been tried.
Previous to this fix only the first address was tried, before RemoteList
moved on with next item's (first) address.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Previous to this, auth-tokens would only be accepted with auto-login
profiles, or when an old style dynamic challenge (CRV1) happened.
Now, the auth-token is accepted unconditionally, even if no user/pass
authentication was configured before.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
This is e.g. sent during renegotiation when the lifetime of an auth-token
on the server has expired.
Due to shortcut evaluation of the logical OR expression the call to
can_retry_auth_with_cached_password() never happened with connections
that use autologin(_session). Since the called function has side effects
on the ClientCreds object, i.e. resetting the session_id to the saved
password, an endless loop of retries with the expired auth-token
followed.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
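The short-circuit pitfall described in the message above, as a constructed illustration added here (not openvpn3 code; the Creds type, its field names and the retry simulation are assumptions):

```cpp
#include <string>

// Constructed stand-in for the credentials object; not openvpn3's ClientCreds.
struct Creds {
    std::string session_id;       // auth-token currently in use (may be expired)
    std::string cached_password;  // password saved from the original login
    bool autologin = false;
};

// Side-effecting helper: replaces the (expired) token with the saved password
// and reports whether a retry with it makes sense at all.
bool reset_to_cached_password(Creds& c) {
    if (c.cached_password.empty())
        return false;
    c.session_id = c.cached_password;
    return true;
}

// Buggy form: for autologin connections the OR short-circuits, the reset never
// runs, and the same expired token is sent on every retry.
bool buggy_should_retry(Creds& c) {
    return c.autologin || reset_to_cached_password(c);
}

// Fixed form: perform the side effect unconditionally, then combine the results.
bool fixed_should_retry(Creds& c) {
    const bool reset_ok = reset_to_cached_password(c);
    return c.autologin || reset_ok;
}

// Retry simulation: the server rejects the expired token until it changes.
// Returns the number of attempts until acceptance, -1 if the client gave up,
// or max_tries + 1 if it is still looping with the expired token.
int retries_until_accepted(Creds c, bool (*decide)(Creds&), int max_tries) {
    const std::string expired = c.session_id;
    for (int attempt = 1; attempt <= max_tries; ++attempt) {
        if (!decide(c))
            return -1;
        if (c.session_id != expired)
            return attempt;
    }
    return max_tries + 1;
}
```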
Since the method changes internal state the old name is very misleading.
Change it to ClientCreds::reset_to_cached_password() as it describes
exactly what's happening.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Local DNS resolvers, such as Umbrella Roaming Client,
change DNS settings on adapters to 127.0.0.1.
This may not work with openvpn3 because:
- NRPT rule might be created for "." zone,
which redirects all DNS requests to the server
specified in rule. This takes precedence over adapters'
DNS settings.
- DNS requests might be blocked on all adapters
except TAP (tap-windows6/wintun/ovpn-dco-win) to prevent
DNS leaks.
To enable compatibility with local DNS resolvers, add
"allowLocalDnsResolvers" core config option, which,
when enabled, makes core
- avoid creating NRPT rule for "." zone
- permit DNS requests to 127.0.0.1 / ::1
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Instead of throwing an exception with --remote-random-hostname, when
no RNG is present during construction, we treat an explicit null RNG
as a choice not to randomize the hosts. To make that choice explicit,
the default value for the RNG is removed, so that callers need to
decide which behavior they want.
Closes #53 in the openvpn3-linux issue tracker.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
DCO only supports a limited set of ciphers, currently it is
discovered quite late if an unsupported algorithm is configured
(or pushed).
This introduces CryptoAlgs::allow_dc_algs() with which the
supported set of data channel algorithms can be specified.
The DCO code makes use of this, at the time a new_controller()
is created.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
This method is called to enable connectivity to a different remote
when force-tunneling is used and the current VPN connection is broken.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This adds a watchdog thread, which wakes up when client
process exits and closes tun. Watchdog is removed
when agent process exits.
To monitor process exit, we use kqueue's NOTE_EXIT event,
to interrupt waiting on graceful exit we use self-pipe trick.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
httpcliset : when preserve_http_state is false, close out
the HTTPStateContainer before calling completion callback,
so as to improve reentrancy-safety if completion callback
tries to queue a new request.
The problem with the above commit is that it breaks
the interprocess socket-passing technique in
UnixCommandAgent::establish(), requiring that we deploy a
WS::ClientSet::SyncPersistState object to extend the
lifetime of the HTTP connection state.
If DCO support is compiled in, detect if it is available (i.e. Windows driver
or Linux kernel module is loaded) and then use it, if it is.
This changes the default configuration for DCO from off to on, so users of
the library need to set ClientAPI::Config::dco to false in case they do not
want to use dco for a connection.
The change is also reflected in the reference client "ovpncli". If DCO is
enabled in a build, it will detect and use it. The previously available
"ovpncliovpndco" and "ovpncliovpndcowin" clients have thus been removed.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
The new element ClientAPI::Config::protoVersionOverride can be set
to 4 or 6 respectively, to override the transport protocol IP version
used by RemoteList::Item entries. Clients can force all --remotes
to use IPv4 or IPv6 using this entry, if they know that only one of
the two is available in the current network.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Make it possible to enforce the protocol family by appending 4/6 to
the protocol, e.g. tcp6 or udp4. While it is already possible to
have protocol options like these in the configuration, they are not
enforced so far. Thus you could still be connected to a v6 address
even though the config requested v4 only.
Since v2.3 the openvpn 2.x series behaves like this. So, this is also
to catch up with the behavior there.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Change method signature from
void Protocol::mod_addr_version(const IP::Addr&)
to
void Protocol::mod_addr_version(const IP::Addr::Version)
This is done in preparation for allowing the protocol version of a
RemoteList::Item to be overridden, where mod_addr_version() will be used.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Extend struct ProvideCreds so that it can also hold HTTP proxy
credentials. This makes it possible to use proxy settings from
options, but provide credentials separately.
This is in contrast to the already existing struct Config::proxy*
which need to be given as a complete set to override eventual
HTTP proxy options.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Introduce explicit methods for getting default port/proto values.
Use the methods once (per block) instead of implicitly parsing the
values again for every remote option found.
Signed-off-by: Heiko Hund <heiko@openvpn.net>