The psid cookie defense is designed to thwart resource exhaustion and
amplification attacks wherein a malicious client sends the server a
flood of CONTROL_HARD_RESET_CLIENT_V2 packets with spooofed source
addresses. This patch allows the server to defer client tracking
state creation until the client responds to the server's
CONTROL_HARD_RESET_SERVER_V2 message.
Signed-off-by: Mark Deric <jmark@openvpn.net>
This refactoring moves all generic methods into SendBase
that are independent of VPN protocol, while OpenVPN
protocol-specific methods will remain in Send.
Signed-off-by: James Yonan <james@openvpn.net>
The name Config is very generic and often leads to confusion which
class in particular is used in a given context. Rename Config to
ProtoConfig to give some more clue about the context.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This is the result after running 'clang-format -i' on all C++ files and
headers, with the defined formatting rules in .clang-format.
Only the openvpn/common/unicode-impl.hpp has been excluded, as that is
mostly a copy of an external project.
Signed-off-by: David Sommerseth <davids@openvpn.net>
VPN Binding Profiles (previously committed as VPN Connection
Profiles) contain information on an active VPN client session
such as local VPN IPs, gateway, and DNS resolver addresses
that can be directly used by higher-layer HTTP/REST-API
clients to (a) ensure that sessions are routed over the VPN,
and (b) privately use the VPN-server-pushed DNS resolvers
without publishing them in /etc/resolv.conf.
Signed-off-by: James Yonan <james@openvpn.net>
A VPN connection profile is basically a JSON representation
of the server-pushed parameters of a VPN session such as
VPN IPs, Gateway IPs, and DNS servers. It can be obtained
on the client via TunBuilderCapture::to_json()
This patch allows an HTTP client or server to bind to the
VPN connection profile, so that the VPN IP is used as the
local address, the Gateway IP is optionally used as the
destination address, and DNS lookups are performed using
the pushed DNS servers (without needing to overwrite
/etc/resolv.conf).
For example, suppose the VPN connection profile
is in /pg/uplink-connection-info
Then we can bind to the VPN IP addresses on the server side:
http-listen @/pg/uplink-connection-info 8443 tcp4 ssl
http-listen @/pg/uplink-connection-info 8443 tcp6 ssl
Or connect to a remote REST API using the VPN session
and VPN server-provided resolvers.
<aws-client>
host mybucket.s3.amazonaws.com
port 443
vpn-connection-info /pg/uplink-connection-info
...
</aws-client>
Signed-off-by: James Yonan <james@openvpn.net>
AllowVPNClientConnectionProfile tells us to support
special address case for WS::ViaVPN, where address
begins with '@' followed by a client connection
profile filename.
Signed-off-by: James Yonan <james@openvpn.net>
This removes the feature of allowing directive to be a
prefix, but I didn't find any users of this method that
require it.
Signed-off-by: James Yonan <james@openvpn.net>
Change method signature from
void Protocol::mod_addr_version(const IP::Addr&)
to
void Protocol::mod_addr_version(const IP::Addr::Version)
This is done in preparation for allowing to override the protocol
version of a RemoteList::Item, where mod_addr_version() will be used.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Renamed expand_ports() to expand_ports_by_n_threads() and
added expand_ports_by_unit(). Both methods extend a set
of Listen::Item entries to span a port range.
Signed-off-by: James Yonan <james@openvpn.net>
* Added schedule_auth_pending_timeout()
* Removed the throw_on_error parameter to set_acl_index()
* Forward all PUSH_REQUEST messages to the management layer,
not just the first message.
* Added enum DisconnectType for labeling the disconnect type,
since there are now several different disconnect types
including halt/restart, relay transition, and auth pending.
Signed-off-by: James Yonan <james@openvpn.net>
CoarseTime objects that track an AsioTimer must always be
reset when the AsioTimer is cancelled. Not doing so can
cause a bug if the AsioTimer is reused after cancellation.
Signed-off-by: James Yonan <james@openvpn.net>
In VPNServerNetblock::Netblock, break out IP::Range clients
and IP::Addr bcast into a separate derived class ClientNetblock,
which provides a more minimalisic Netblock for use cases that
don't need to manage client VPN IP address pools.
Signed-off-by: James Yonan <james@openvpn.net>
* renamed ManClientInstanceSend to ManClientInstance::Send
* renamed ManClientInstanceRecv to ManClientInstance::Recv
* renamed ManClientInstanceFactory to ManClientInstance::Factory
* renamed TransportClientInstanceSend to TransportClientInstance::Send
* renamed TransportClientInstanceRecv to TransportClientInstance::Recv
* renamed TransportClientInstanceFactory to TransportClientInstance::Factory
* renamed TunClientInstanceRecv to TunClientInstance::Recv
* renamed TunClientInstanceSend to TunClientInstance::Send
* renamed TunClientInstanceFactory to TunClientInstance::Factory
Other related refactorings/removals:
Changes to ManClientInstance::Send:
* Added pre_stop() method.
* Renamed set_acl_id() to set_acl_index().
Changes to ManClientInstance::Recv:
* In push_reply(), removed routes and initial_fwmark parameters.
* Removed set_fwmark() method.
* Added tun_native_handle() method to return the tun socket
file descriptor and peer_id of a client instance.
Changes to ServerProto:
* Added C++11 override attribute to overridden virtual methods
Signed-off-by: James Yonan <james@openvpn.net>
