mirror of https://github.com/OpenVPN/openvpn3.git synced 2024-09-20 20:13:05 +02:00

31 Commits

Author SHA1 Message Date
Heiko Hund
32a32cf04c
add support for dco-win to agent service
Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-04-14 22:44:50 +02:00
Heiko Hund
dbd05f2562
add TunWin::Type enum for the used driver type
This is in preparation for supporting more than two
TAP driver types on Windows.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-04-14 22:44:48 +02:00
David Sommerseth
3fbe0a2701
Update copyrights
Signed-off-by: David Sommerseth <davids@openvpn.net>
2020-03-18 19:37:32 +01:00
Lev Stipakov
7cf2e210d1
mingw: fix various warnings
- remove unused variable
- replace deprecated JsonReader with CharReader
- fix initialization order
- fix signed-unsigned comparison
- fix string constant to char* conversion
- fix unknown (to mingw) format character
- fix passing NULL to non-pointer argument
- remove unneeded #pragma once

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-03-11 19:44:40 +01:00
Lev Stipakov
a4d9989d81
Update license on files moved from common
Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-01-09 12:24:20 +02:00
Lev Stipakov
48444e5513
agent win: implement add_bypass_route
Add /add-bypass-route method, which is called
by socket_protect() call in client before opening
connection to remote.

This is needed to do reconnect to another remote
in case when force-tunneling is used and existing
VPN tunnel is broken.

OVPN3-427

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-01-09 12:23:05 +02:00
Lev Stipakov
215c6a0976
win/agent: change event.hpp include path
event.hpp was moved in core from common/ to win/

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-01-09 12:23:05 +02:00
Lev Stipakov
2d5f056b65
openvpn/win/event.hpp: move to openvpn3 repo
Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-01-09 12:23:04 +02:00
Lev Stipakov
bce60fe08b
ovpnagent/win: support for Wintun ring buffers registration
Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-01-09 12:23:04 +02:00
Lev Stipakov
15a4499a9d
agent: Wintun support for agent
This enables agent to use Wintun instead of tap-windows6
as a tun driver. We pass an optional boolean flag, based on
config setting, from client to agent. That flag is then passed
by agent to TunSetup, which selects tun driver.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-01-09 12:23:04 +02:00
Lev Stipakov
74a51815b0
win agent: properly handle timeout
Sometimes when machine wakes from sleep,
it takes too long for agent service to start. This causes
an error which core treats as fatal and stops connection.

Fix by detecting timeout and throw non-fatal error, which
makes core reconnect.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-01-09 12:23:04 +02:00
Lev Stipakov
ba99bd928c
cmdagent.hpp: Add missing io_context
Adapt to latest core changes.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-01-09 12:23:03 +02:00
James Yonan
2d78ccb803
Added i/o abstraction layer.
Created a lightweight abstraction layer so that another i/o
reactor can be dropped in place of asio.

This commit includes:

* Added ASIO=1 to many "go" scripts that require asio
* Renamed "asio::" to "openvpn_io::".

Signed-off-by: James Yonan <james@openvpn.net>
2020-01-09 12:23:03 +02:00
James Yonan
8604a87e43
copyright: updated to 2017
Signed-off-by: James Yonan <james@openvpn.net>
2020-01-09 12:23:03 +02:00
James Yonan
068cf36233
license : this branch (common) is proprietary, so remove all GPL headers.
Signed-off-by: James Yonan <james@openvpn.net>
2020-01-09 12:23:03 +02:00
James Yonan
cdf5d6c0b4
copyright : updated to 2016
2020-01-09 12:23:02 +02:00
James Yonan
d8610e5e8f
windows cmdagent : updated with new layer 2 virtual methods (none of the methods are currently implemented).
2020-01-09 12:23:02 +02:00
James Yonan
78557c54f3
In Windows cmdagent/ovpnagent, make the client exe path available to establish_tun() method.
2020-01-09 12:23:02 +02:00
James Yonan
ebc1292da8
Additional robustness fixes for Windows agent/service:
* When transmitting Windows event objects from client app to
  agent/service, duplicate the event HANDLEs before
  transmission in case the original HANDLEs are closed before
  the agent receives them.  This has a minor disadvantage in
  that the duplicated HANDLEs will leak if the agent/service
  never establishes ownership over them.

* When agent/service receives event HANDLEs, since they have
  already been duplicated in the context of the remote
  process, move (instead of copy) the HANDLEs into the local
  process context by using the DUPLICATE_CLOSE_SOURCE flag
  to DuplicateHandle.

* When agent/service receives event HANDLEs, do some basic
  sanity checks on them before calling async_wait.

* Split agent/service impersonation block into two sections,
  one that can be executed before parent()->establish_tun()
  and one after.  This is done so that any exceptions
  thrown by the pre-establish_tun() block can prevent the
  expensive establish_tun() method from starting.

* In agent/service, call parent()->destroy_tun(os) if any
  exceptions are thrown from http_request_received().
2020-01-09 12:23:02 +02:00
James Yonan
c3e8b60b89
Windows agent/service changes for better robustness:
* Avoid TAP HANDLE leakage on named pipe comm link errors
  when the agent has duplicated the HANDLE but before the
  app has received it by using a Windows Event object
  ("confirm_event") that the agent client can use to assert
  ownership over the HANDLE.  If confirm_event never
  signals, the agent will take responsibility for closing
  the duplicated HANDLE.

* Trigger tun destroy through a Windows Event
  ("destroy_event") instead of a separate API method
  ("/tun-destroy") for better robustness since the Event
  can easily be signaled by the app-side tuncli instance
  destructor without any potential for exceptions.

* Agent client will now detect unexpected agent/service
  process termination and immediately disconnect any
  active session via this error:

    self->parent.tun_error(Error::TUN_IFACE_DISABLED,
                           "service failure");

* /tun-setup API method will now explicitly close any
  pre-existing tun instance before establishing a new
  instance.

* Increased agent client API timeout from 10 to 30 seconds.

* Increased verbosity of agent/service logging in
  agent.log.
2020-01-09 12:23:01 +02:00
James Yonan
c731d2395d
For jsoncpp usage, rename deprecated misspelled method name:
getFormatedErrorMessages -> getFormattedErrorMessages
2020-01-09 12:23:01 +02:00
James Yonan
447868cf44
Implemented Stop support for Windows cmdagent.hpp (via TunWin::SetupBase interface).
Also updated Windows ovpnagent.cpp with Stop hooks
but without implementation.
2020-01-09 12:23:01 +02:00
James Yonan
920ca44c29
In Windows cmdagent.hpp, when parsing returned TAP handle, catch the error case where service is 64 bits and client is 32 bits.
2020-01-09 12:23:01 +02:00
James Yonan
7943a1007b
Windows OpenVPN agent : refactored internal named-pipe API (between non-privileged client and privileged service) to be based on TunBuilderCapture instead of ActionList:
* TAP interface is now opened from the service and
  the TAP HANDLE is communicated back to the client.
  This allows us to configure the TAP driver to
  reject open requests from non-privileged users.

* Old ActionList approach required us to validate and
  execute command lines sent from client to service.
  The new API approach is higher-level and communicates
  at the TunBuilderCapture level instead of using
  lists of command lines (ActionList objects) that must
  be sanity-checked.

* ovpnagent service can now detect client crashes and
  close out an active tun session, preventing network
  lockout.
2020-01-09 12:23:00 +02:00
James Yonan
7f7873d81d
Windows client: added privilege separation layer, including:
1. OpenVPN Agent service -- ovpnagent/win/ovpnagent.cpp
2. OpenVPN agent client -- openvpn/client/win/cmdagent.hpp

Common configuration in openvpn/client/win/agentconfig.hpp

The client and service communicate over a named pipe, and
Windows Vista+ platforms will verify that both client and
server .exe files are running from the same directory.

Build OpenVPN 3 Windows client with OPENVPN_COMMAND_AGENT
to enable the privilege separation layer.
2020-01-09 12:23:00 +02:00
Lev Stipakov
de5662221c
ovpnagent/win: add Visual Studio project files
Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-01-09 12:23:00 +02:00
Yuriy Barnovych
586e8cc8a8
ovpnagent: Enable pipe name build-time customization
We need to support customization of pipe name in case when few
clients based on ovpnagent running at the same time. Name of
pipe is defined by build-time variable “OVPNAGENT_NAME” (we
already use it as name of Windows service).

Signed-off-by: Yuriy Barnovych <yuriy@openvpn.net>
Jira: UCONNECT-1151
2020-01-09 12:23:00 +02:00
James Yonan
a2962be74e
copyright: updated to 2017
Signed-off-by: James Yonan <james@openvpn.net>
2020-01-09 12:22:59 +02:00
James Yonan
1d974645b4
license : this branch (common) is proprietary, so remove all GPL headers.
Signed-off-by: James Yonan <james@openvpn.net>
2020-01-09 12:22:59 +02:00
James Yonan
3fd389586b
copyright : updated to 2016
2020-01-09 12:22:59 +02:00
James Yonan
08f8563be5
Windows client: added privilege separation layer, including:
1. OpenVPN Agent service -- ovpnagent/win/ovpnagent.cpp
2. OpenVPN agent client -- openvpn/client/win/cmdagent.hpp

Common configuration in openvpn/client/win/agentconfig.hpp

The client and service communicate over a named pipe, and
Windows Vista+ platforms will verify that both client and
server .exe files are running from the same directory.

Build OpenVPN 3 Windows client with OPENVPN_COMMAND_AGENT
to enable the privilege separation layer.
2020-01-09 12:22:59 +02:00