The GitHub rendering was not optimal and commit fa2919b27c added a few
more changes disabling HTML rendering completely. This moves the
formatting closer to the .rst format GitHub supports.
Also fix a few various typ0s and a slight sentence improvement in the
new ovpn-dco section.
Signed-off-by: David Sommerseth <davids@openvpn.net>
The case when server is in local network and pushes
redirect-gw wasn't properly handled - gw.defined() is false,
but gw.localroute() is true. We threw an exception
because we weren't able to get a gateway for bypass route.
Since in "server in local network" case bypass route
is not needed, fix it by skipping code branch which
checks for the gateway and installs bypass route.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
When adding bypass route to remote we always use
default gateway. This doesn't work when remote is not
reachable via default gateway (local network,
custom route - OVPN3-653).
Implement "get best gateway" logic by traversing routing
table and find gateway with longest prefix match and
highest metric.
In case of seamless tunnel and redirect-gw "get best gateway"
will return VPN gateway when adding bypass route during reconnect
to another remote. VPN tunnel is likely broken at this point
and bypass route via VPN makes reconnect impossible.
Fix that by storing VPN interface index and, when finding best gateway,
filter routes which use VPN interface.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
When adding bypass route to remote we always use
default gateway. This doesn't work when remote is not
reachable via default gateway (local network,
custom route - OVPN3-653).
Implement "get best gateway" logic by traversing routing
table and find gateway with longest prefix match and
highest metric.
In case of seamless tunnel and redirect-gw "get best gateway"
will return VPN gateway when adding bypass route during reconnect
to another remote. VPN tunnel is likely broken at this point
and bypass route via VPN makes reconnect impossible.
Fix that by storing VPN interface index and, when finding best gateway,
filter routes which use VPN interface.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
(cherry picked from commit e8030c2a421390a10506ec5dbfc6034f949aaf07)
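The two routing fixes above (skip the bypass route when the server is on-link, and never pick a gateway that sits behind the VPN interface when selecting the best gateway) as an added C++ example. This is not openvpn3's code: the routing table, addresses and interface indices are constructed, and ties between equal-length prefixes are broken here by the lower metric, which is an assumption of mine (the commit text says highest metric; the comparison is a single line to change if your platform orders routes the other way).

```cpp
#include <cstdint>
#include <iostream>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// One entry of a constructed IPv4 routing table (addresses in host byte order).
struct Route {
    uint32_t prefix;      // network address of the destination prefix
    int      prefix_len;  // 0..32
    uint32_t gateway;     // 0 = on-link: destination is in a local network, no next hop
    int      ifindex;     // interface the route uses
    int      metric;      // route metric; lower treated as better (assumption)
};

uint32_t parse_ipv4(const std::string& s) {
    unsigned a = 0, b = 0, c = 0, d = 0;
    char dot = 0;
    std::istringstream in(s);
    in >> a >> dot >> b >> dot >> c >> dot >> d;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

uint32_t prefix_mask(int prefix_len) {
    return prefix_len == 0 ? 0u : (0xFFFFFFFFu << (32 - prefix_len));
}

enum class BypassAction { AddViaGateway, SkipLocal, NoRoute };

struct BypassPlan {
    BypassAction action;
    uint32_t     gateway;  // meaningful only for AddViaGateway
    int          ifindex;  // -1 for NoRoute
};

// "Get best gateway": longest prefix match, ties broken by metric, ignoring every
// route that points into the VPN interface so a bypass route is never installed
// through the (possibly already broken) tunnel during a reconnect.
const Route* find_best_route(uint32_t dest, const std::vector<Route>& table, int vpn_ifindex) {
    const Route* best = nullptr;
    for (const Route& r : table) {
        if (r.ifindex == vpn_ifindex) continue;                       // filter VPN routes
        if ((dest & prefix_mask(r.prefix_len)) != r.prefix) continue; // no match
        bool longer = !best || r.prefix_len > best->prefix_len;
        bool same_len_better_metric =
            best && r.prefix_len == best->prefix_len && r.metric < best->metric;
        if (longer || same_len_better_metric) best = &r;
    }
    return best;
}

// Decide what to do for the bypass route to `remote`: an on-link match means the
// server is in the local network and no bypass route is needed at all.
BypassPlan plan_bypass_route(uint32_t remote, const std::vector<Route>& table, int vpn_ifindex) {
    const Route* r = find_best_route(remote, table, vpn_ifindex);
    if (!r) return {BypassAction::NoRoute, 0, -1};
    if (r->gateway == 0) return {BypassAction::SkipLocal, 0, r->ifindex};
    return {BypassAction::AddViaGateway, r->gateway, r->ifindex};
}

const int kPhysIf = 3;  // constructed: physical NIC
const int kVpnIf  = 7;  // constructed: VPN adapter

// Constructed table: LAN, a custom route, a default via the router, and a
// redirect-gw style default with a better metric through the VPN adapter.
std::vector<Route> sample_table() {
    return {
        {parse_ipv4("0.0.0.0"),     0,  parse_ipv4("192.168.1.1"),   kPhysIf, 25},
        {parse_ipv4("192.168.1.0"), 24, 0,                           kPhysIf, 281},
        {parse_ipv4("172.16.0.0"),  16, parse_ipv4("192.168.1.254"), kPhysIf, 10},
        {parse_ipv4("0.0.0.0"),     0,  parse_ipv4("10.8.0.1"),      kVpnIf,  1},
        {parse_ipv4("10.8.0.0"),    24, 0,                           kVpnIf,  5},
    };
}

int main() {
    const BypassPlan p = plan_bypass_route(parse_ipv4("203.0.113.5"), sample_table(), kVpnIf);
    std::cout << "add via gateway: " << (p.action == BypassAction::AddViaGateway)
              << ", ifindex " << p.ifindex << "\n";
    return 0;
}
```

Passing -1 as the VPN interface index disables the filter and reproduces the problem the commit describes: the lower-metric default route through the tunnel wins the tie and the bypass route would point back into the VPN.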
Example with ovpncli:
EVENT: WARN Proto: Using a 64-bit block cipher that is vulnerable to the SWEET32 attack. Please inform your admin to upgrade to a stronger algorithm. Support for 64-bit block cipher will be dropped in the future.
EVENT: WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This code was originally used in the Connect clients to allow PKIs that
use the (not commonly used) Name constraints feature. This is a
potential security risk but was done to allow PKIs that used that
feature. OpenSSL natively supports Name constraints and will check these.
Remove this hacky feature as it also breaks compiling with
an unpatched mbed TLS and is not used by code anymore.
Use ::CreateIpForwardEntry2() to add route instead of
expensive netsh call. Make it the default choice.
Add unit test.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Commit 941104cf4 refactored the way how test files are added, but
broke (disabled) execution of sitnl and cputime tests. Fix that.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Since userspace and kernel are different build environments,
it probably makes more sense to move includes in <kovpn/kovpn.h>
out to their enclosing scopes.
Signed-off-by: James Yonan <james@openvpn.net>
Linux 5.4 is much more strict about validation of RPS CPU
bits, so we now need to count the number of CPUs and create
an exact mask rather than simply setting ffffffff.
Signed-off-by: James Yonan <james@openvpn.net>
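Building the exact RPS mask from the CPU count, as an added C++ example (not the project's code). It assumes the sysfs rps_cpus format of comma-separated 32-bit hex words with the most significant word first, and pads every word below the top one to eight digits.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <unistd.h>

// Mask with exactly `ncpus` low bits set, formatted for
// /sys/class/net/<dev>/queues/rx-<n>/rps_cpus: comma-separated 32-bit
// hex words, most significant first (format assumed, see lead-in).
std::string rps_cpus_mask(int ncpus) {
    if (ncpus <= 0) return "0";
    const int words = (ncpus + 31) / 32;
    std::string out;
    for (int w = words - 1; w >= 0; --w) {
        // The top word may be partial; all lower words are full.
        const int bits = (w == words - 1) ? ncpus - 32 * w : 32;
        const uint32_t word = (bits == 32) ? 0xFFFFFFFFu : ((1u << bits) - 1u);
        char buf[16];
        if (w == words - 1)
            std::snprintf(buf, sizeof buf, "%x", word);    // top word unpadded
        else
            std::snprintf(buf, sizeof buf, ",%08x", word); // lower words padded
        out += buf;
    }
    return out;
}

int main() {
    // Count online CPUs instead of writing a blanket ffffffff that newer
    // kernels reject when it sets bits beyond the CPUs that exist.
    const long n = sysconf(_SC_NPROCESSORS_ONLN);
    std::printf("%ld CPUs -> rps_cpus %s\n", n, rps_cpus_mask(static_cast<int>(n)).c_str());
    return 0;
}
```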
Although the init calls were protected by a mutex, more than one consumer of
the API will the second one if the uninit was called too early.
While at it, move from explicit init/uninit calls to RAII.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
- add tunbuilder support to OvpnDcoClient
Linux client uses core library in non-privileged
process which cannot modify routing, add/remove interfaces etc.
Those operations are executed in separate privileged
process via tunbuilder API.
- pass data between userspace/kernel via pipe
In Linux client, control channel packets are handled by
unprivileged process, which doesn't have direct access to netlink
socket to talk directly to kernel module. In order to enable
communication with kernel by unprivileged process, receiving side
of tunbuilder API, which itself is run in privileged process,
creates socketpair and connects netlink socket with another socket,
which is passed back to unprivileged process. Unprivileged process
uses that socket to communicate with kernel module instead of GeNL
object.
- remove remnants of kovpn support from tunbuilder and tunbuilder
support from kovpn tun/transport client.
Kovpn doesn't need tunbuilder support, so relevant code is removed.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Since userspace doesn't know anything about data
channel traffic, keepalive should be handled in kernel.
Disable keepalive in userspace and implement
OVPN_CMD_SET_PEER ovpn-dco command, which sets
keepalive settings in kernel.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Implement OvpnDcoRekey, which parses key info
into format consumed by ovpn-dco.
Use KoRekey abstractions to hook into protocol layer
and get notified about rekeying events.
Pass new key to kernel or swap keys when commanded by
protocol layer.
Implement ovpn-dco netlink commands:
- OVPN_CMD_NEW_KEY
- OVPN_CMD_DEL_KEY
- OVPN_CMD_SWAP_KEYS
Signed-off-by: Lev Stipakov <lev@openvpn.net>
In preparation for ovpn-dco support, move kovpn-specific code
out of KoRekey::Key into own Korekey::KovpnKey class.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Add dependency to libnl-genl, which is a C library
for generic netlink communication.
Implement C++ wrapper for libnl-genl, inspired by
ovpn-cli - a test client for ovpn-dco kernel module.
Implement ovpn-dco netlink commands:
- OVPN_CMD_START_VPN - pass transport socket,
protocol (UDP) and mode (client).
- OVPN_CMD_NEW_PEER - pass local and remote
endpoint info.
- OVPN_CMD_PACKET - move (control channel) packets
between userspace and kernel.
- OVPN_CMD_DEL_PEER - sent by kernel when peer is deleted
due to keepalive timeout (causes reconnect) or any other
reason (considered as fatal).
This change allows to perform openvpn handshake and
establish connection which doesn't work, since data channel
keys are not passed to kernel yet.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
ovpn-dco doesn't have concept of "opening" nor
file descriptor, since communication is handled
via netlink (to be added later).
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Add tun/transport client skeleton for ovpn-dco,
which doesn't do any work except creating/removing
ovpn-dco device.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
As other transport clients, call socket_protect()
before establishing connection.
This gives ability to create bypass route.
Signed-off-by: Lev Stipakov <lev@openvpn.net>