This also makes most of them non-static to avoid the problem that these
functions depend on Initprocess::Init being instantiated before being
called.
Rename the local variables eval to eval_cfg to avoid shadowing the
class field of the same name.
Local DNS resolvers, such as Umbrella Roaming Client,
change DNS settings on adapters to 127.0.0.1.
This may not work with openvpn3 because:
- NRPT rule might be created for "." zone,
which redirects all DNS requests to the server
specified in rule. This takes precendence over adapters'
DNS settings.
- DNS requests might be blocked on all adapters
except TAP (tap-windows6/wintun/ovpn-dco-win) to prevent
DNS leaks.
To enable compatibility with local DNS resolvers, add
"allowLocalDnsResolvers" core config option, which,
when enabled, makes core to
- avoid creating NRPT rule for "." zone
- permit DNS requests to 127.0.0.1 / ::1
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Although the init calls were protected by a mutex more than consumer of
the API will the second one if the uninit was called too early.
While at it, move from explicit init/uninit calls to RAII.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Add tun/transport client skeleton for ovpn-dco,
which doesn't do any work except creating/removing
ovpn-dco device.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
When VPN server is in local network and
not accessible via default gateway, adding bypass route
via default gw (as we do on windows/mac) makes server
inaccessible.
This handles client-side config option "redirect-gw local"
and skips adding bypass route via agent.
Fixes OVPN3-653
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This option has been very likely been to fix some incompatibilities
between some TLS libraries. But nobody really remember what it fixes
and its usage today is questionable. So remove the option instead
of supporting an option we cannot even test anymore.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Parse --windows-driver and set corresponding
value of config properties.
Could be used by clients to replicate openvpn2
behavior - use wintun driver if config contains
"--windows-driver wintun".
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This is used to enable connectivity to a different remote
when force-tunneling is used and current VPN connection is broken.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This is used to enable connectivity to a different remote
when force-tunneling is used and current VPN connection is broken.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
socket_protect() is called before connecting to remote and this
makes sure that we will be able to (re)connect when there is
existing VPN connection and tunnel is broken.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This enables socket_protect call for all transports / platforms
with default implemenation being no-op.
This is needed for better round-robin DNS
fix for Connect clients (OVPN3-427).
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Prefix error messages with a predefined string of the form:
ERR_PROFILE_xxxxx:
This way a user can parse the prefix and get a better understanding of
the error, without relying on the sole message.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
This introduces experimental support for Wintun
as an alternative for tap-windows6.
In order to use wintun, set "ClientAPI::Config::wintun"
flag to "true" or use "-w" option in test client.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Packaging OpenVPN 3 Linux on Debian reports this warning:
openvpn3-core/client/ovpncli.cpp:1380:27: warning: macro "__DATE__" might prevent reproducible builds [-Wdate-time]
ret += " built on " __DATE__ " " __TIME__;
Reproducible builds is something which will come arrive in more
distributions, as it is a good way to verify that binary builds contains
the expected source code and has not been mangled by the packager.
This changes the current behaviour and will not provide the date/time
stamps unless the OPENVPN_DEBUG macro has been set. Enabling this
macro will re-enable the date/time stamp reporting via
OpenVPNClient::platform().
Signed-off-by: David Sommerseth <davids@openvpn.net>
In TLS 1.3 the RSA-PSS padding is required in addition to the
traditional PKCS1 padding used in TLS 1.2 and below. Add an
argument to the external sign function to signal what padding
is required. As quirkyness OpenSSL calls out requesting a NONE
padding instead of RSA-PASS.
We might need to move from RSA_method to EVP_PKEY_method in the
future.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
On Android local networks need to be excluded from the default (or any
other route) route if they should bypass the VPN. This adds a callback
to specifically bypass the local LAN networks.
On the linux client we need the information to which remote the client
is connecting to query the route information to ultimately discover the
device. On other platform that do not need these extra information we
ignore the extra arguments
The API uses std::string and bool instead of passing of passing IPAddr as
the API needs to be understand by Swig/Java and similar methods also opt in
favour of call by value and simply types.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Platforms like UWP and iOS may call core methods
from another threads. Since core is not thread-safe,
we provide OPENVPN_ASYNC_HANDLER macro which instantiates
lock guard. It follows RAII principle and locks global
mutex in constructor and unlocks in destructor. This
guarantees that code in block protected with this macro
won't be called simultaneously from different threads.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
// If true, consider AUTH_FAILED to be a non-fatal error,
// and retry the connection after a pause.
bool retryOnAuthFailed = false;
Signed-off-by: James Yonan <james@openvpn.net>
Added OPENVPN_OVPNCLI_ASYNC_SETUP flag, which causes most
of ClientAPI::OpenVPNClient::connect() setup to run as an
openvpn_io::post() handler. This is potentially useful in
i/o layer implementations to guarantee sequenced execution
of core setup and handlers.
Signed-off-by: James Yonan <james@openvpn.net>
To enable, #define OPENVPN_EXTERNAL_TUN_FACTORY
Then add override in your client class (that derives from
ClientAPI::OpenVPNClient):
virtual TunClientFactory* new_tun_factory(const ExternalTun::Config& conf, const OptionList& opt) override
{
...
}
Signed-off-by: James Yonan <james@openvpn.net>
* enabled by OPENVPN_OVPNCLI_SINGLE_THREAD compile flag.
* turns off the signal blocker.
* Adds overrideable clock_tick() virtual method with
configurable frequency that is used when processing
signals when the OpenVPN client is running in
single-thread mode.
Signed-off-by: James Yonan <james@openvpn.net>
Fixed some minor typos where state->session was used even
though a direct pointer to session was available.
Signed-off-by: James Yonan <james@openvpn.net>
Created a lightweight abstraction layer so that another i/o
reactor can be dropped in place of asio.
The basic approach is to rename all references to asio::xxx
types to openvpn_io::xxx and then make openvpn_io a
preprocessor variable that points to the top-level namespace
of the i/o reactor implementation.
All of the source files that currently include <asio.hpp> now
include <openvpn/io/io.hpp> instead:
This gives us a lightweight abstraction layer that allows us
to define openvpn_io to be something other than asio.
Other changes:
* Inclusion of asio by scripts/build is now optional, and is
enabled by passing ASIO=1 or ASIO_DIR=<dir>.
* Refactored openvpn/common/socktypes.hpp to no longer
require asio.
* Refactored openvpn/log/logthread.hpp to no longer require
asio.
* Added openvpn::get_hostname() method as alternative to
calling asio directly.
* openvpn/openssl/util/init.hpp will now #error
if USE_ASIO is undefined.
Signed-off-by: James Yonan <james@openvpn.net>
legacy -- allow 1024-bit RSA certs signed with SHA1
preferred -- require at least 2048-bit RSA certs signed
with SHA256 or higher
suiteb -- require NSA Suite-B
The current default is legacy.
The directive can be set in the profile or overridden/defaulted
in the client API via ClientAPI::Config::tlsCertProfileOverride
var.
TODO: implement for OpenSSL.