INFO,<payload>
Payload can be any UTF-8 printable string under 64 KB
(multiple lines are okay).
INFO notifications can be sent from server to client
in real-time, on any active client connection.
The client will attach the payload to an INFO event and
forward it to the controlling app via the event callback:
virtual void event(const Event&) = 0;
receive path to reassemble messages fragmented by the
SSL layer up to a max message size of 64 KB.
Ramifications:
* Peer info data and pushed options can be significantly
larger (i.e. approaching 64 KB).
* Less need for the options continuation feature.
Limitations:
* While this patch doesn't change the underlying OpenVPN
protocol, it can result in messages being sent that are
fragmented by the receiving SSL implementation into
multiple buffers. Implementations that lack reassembly
capabilities (such as OpenVPN 2.x at this point in time)
would see each buffer fragment as a separate message.
* This patch running on the server will break negotiation
with pre-peer-info clients. Basically this means it will
interoperate with any OpenVPN 3 version or OpenVPN 2.x
version that includes the June 2010 commit "Implemented a
key/value auth channel from client to server.
Version 2.1.1i".
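A client-side check for the INFO message format described above, added here as an example (it is not code from the OpenVPN 3 core): it splits off the INFO, prefix, rejects payloads that are not under 64 KB, and rejects anything that is not printable UTF-8 before the payload reaches the app's event callback. The namespace, function names, and the decision to admit newline, carriage return and tab as "printable" are assumptions of the example.

```cpp
// Added example, not OpenVPN 3 code: validate an "INFO,<payload>" control
// message before handing the payload to the app's event callback.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

namespace info_example {

// Payload must be printable UTF-8 under 64 KB (multiple lines allowed).
constexpr std::size_t kMaxPayload = 64 * 1024;

struct ParsedInfo {
    bool ok = false;
    std::string payload;
    std::string error;
};

// Assumption: "printable" admits newline, carriage return and tab (the page
// says multi-line payloads are okay) and rejects other C0 controls, DEL and
// the C1 range U+0080..U+009F.
static bool is_printable_cp(uint32_t cp) {
    if (cp == '\n' || cp == '\r' || cp == '\t') return true;
    if (cp < 0x20 || cp == 0x7F) return false;
    if (cp >= 0x80 && cp <= 0x9F) return false;
    return true;
}

// Strict UTF-8 check: rejects stray continuation bytes, truncated sequences,
// overlong encodings, UTF-16 surrogates, code points above U+10FFFF and
// anything is_printable_cp() refuses.
bool valid_printable_utf8(const std::string& s) {
    const std::size_t n = s.size();
    std::size_t i = 0;
    while (i < n) {
        const unsigned char b0 = static_cast<unsigned char>(s[i]);
        uint32_t cp = 0;
        std::size_t len = 0;
        if (b0 < 0x80)                { cp = b0;        len = 1; }
        else if ((b0 & 0xE0) == 0xC0) { cp = b0 & 0x1F; len = 2; }
        else if ((b0 & 0xF0) == 0xE0) { cp = b0 & 0x0F; len = 3; }
        else if ((b0 & 0xF8) == 0xF0) { cp = b0 & 0x07; len = 4; }
        else return false;                       // continuation byte or 0xF8+ lead
        if (i + len > n) return false;           // truncated sequence
        for (std::size_t k = 1; k < len; ++k) {
            const unsigned char b = static_cast<unsigned char>(s[i + k]);
            if ((b & 0xC0) != 0x80) return false;
            cp = (cp << 6) | (b & 0x3F);
        }
        if ((len == 2 && cp < 0x80) || (len == 3 && cp < 0x800) ||
            (len == 4 && cp < 0x10000)) return false;     // overlong form
        if (cp >= 0xD800 && cp <= 0xDFFF) return false;  // surrogate
        if (cp > 0x10FFFF) return false;
        if (!is_printable_cp(cp)) return false;
        i += len;
    }
    return true;
}

// Splits "INFO,<payload>" and applies the size and character checks.
ParsedInfo parse_info_message(const std::string& msg) {
    ParsedInfo r;
    static const std::string prefix = "INFO,";
    if (msg.compare(0, prefix.size(), prefix) != 0) {
        r.error = "not an INFO message";
        return r;
    }
    std::string payload = msg.substr(prefix.size());
    if (payload.size() >= kMaxPayload) {        // "under 64 KB"
        r.error = "payload too large";
        return r;
    }
    if (!valid_printable_utf8(payload)) {
        r.error = "payload is not printable UTF-8";
        return r;
    }
    r.ok = true;
    r.payload = payload;
    return r;
}

} // namespace info_example

int main() {
    // Constructed sample messages, including a 0xC0 0xAF overlong '/'.
    const char* samples[] = {"INFO,hello\nworld", "INFO,caf\xC3\xA9",
                             "INFO,\xC0\xAF", "PUSH_REPLY,x"};
    for (const char* s : samples) {
        info_example::ParsedInfo r = info_example::parse_info_message(s);
        std::printf("%s %s\n", r.ok ? "accepted" : "rejected", r.error.c_str());
    }
    return 0;
}
```

The same validator can sit in front of any text the server pushes to the UI; a reassembled 64 KB buffer is exactly the kind of input that should not reach a display layer unchecked.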
(instead of 2):
(a) ordinary events such as CONNECTING, CONNECTED,
(b) nonfatal errors such as TRANSPORT_ERROR that will
automatically trigger a reconnect, and
(c) fatal errors such as AUTH_FAILED, that will be followed
by a DISCONNECT
In ClientAPI::Event, added a new "fatal" boolean to indicate
when errors are fatal.
Added a new non-fatal event TUN_ERROR that triggers a
reconnect when errors are indicated in tunio.hpp.
ClientAPI::Config::ipv6 string:
IPv6 preference
no -- disable IPv6, so tunnel will be IPv4-only
yes -- request combined IPv4/IPv6 tunnel
default (or empty string) -- leave decision to server
bool ClientAPI::Config::autologinSessions and default
to false. Previously, the logic was hardcoded to true.
Autologin Sessions can be enabled in the cli.cpp wrapper
using the -a flag.
ClientAPI::Config::gremlinConfig string.
The gremlin option allows extra packet latency
or unreliability to be added to the tunnel.
The format of the option is a comma-separated list
of numerical parameters:
send_delay_ms, recv_delay_ms, send_drop_prob, recv_drop_prob
Parameter description:
send_delay_ms : delay packets by n milliseconds before
transmission (UDP/TCP).
recv_delay_ms : delay received packets by n milliseconds
before processing them (UDP/TCP).
send_drop_prob : drop sent packets with probability 1/n
(UDP only).
recv_drop_prob : drop received packets with probability
1/n (UDP only).
Set any parameter to 0 to disable.
Gremlin parameters currently work with UDP and TCP
transport as documented above, but not for proxy transport.
Client must be built with the OPENVPN_GREMLIN flag to compile
gremlin functionality.
Command-line client can set the gremlin config
string using --gremlin or -G, for example:
--gremlin=250,250,64,64
When using the above parameters, an extra 500 milliseconds
will be added to round-trip latency, and 1/64 sent or
received packets will be dropped.
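An added example (not OpenVPN 3 code) of parsing a gremlin string and applying the 1/n drop semantics; the namespace and function names are the example's own. It rejects anything but exactly four non-negative integers, treats 0 as disabled, gates drops to UDP and delays to UDP/TCP as described above, and measures the drop rate with a seeded generator so the 1/n behaviour can be checked.

```cpp
// Added example, not OpenVPN 3 code: parse and apply a gremlin config string.
#include <cstdio>
#include <exception>
#include <random>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

namespace gremlin_example {

struct Gremlin {
    int send_delay_ms = 0;   // 0 = disabled
    int recv_delay_ms = 0;   // 0 = disabled
    int send_drop_prob = 0;  // drop 1/n sent packets; 0 = disabled (UDP only)
    int recv_drop_prob = 0;  // drop 1/n received packets; 0 = disabled (UDP only)
};

enum class Transport { UDP, TCP, Proxy };

// Parses "send_delay_ms,recv_delay_ms,send_drop_prob,recv_drop_prob".
// Throws std::invalid_argument for anything but exactly four non-negative integers.
Gremlin parse_gremlin(const std::string& spec) {
    std::vector<int> v;
    std::stringstream ss(spec);
    std::string field;
    while (std::getline(ss, field, ',')) {
        std::size_t consumed = 0;
        int n = 0;
        try {
            n = std::stoi(field, &consumed);
        } catch (const std::exception&) {
            throw std::invalid_argument("gremlin: non-numeric field '" + field + "'");
        }
        if (consumed != field.size() || n < 0)
            throw std::invalid_argument("gremlin: bad field '" + field + "'");
        v.push_back(n);
    }
    if (v.size() != 4)
        throw std::invalid_argument("gremlin: expected exactly 4 comma-separated parameters");
    Gremlin g;
    g.send_delay_ms = v[0];
    g.recv_delay_ms = v[1];
    g.send_drop_prob = v[2];
    g.recv_drop_prob = v[3];
    return g;
}

// Accept/reject wrapper for callers that do not need the parsed values.
bool parse_ok(const std::string& spec) {
    try { parse_gremlin(spec); return true; } catch (const std::exception&) { return false; }
}

// Extra round-trip latency the two delays add together.
int extra_rtt_ms(const Gremlin& g) { return g.send_delay_ms + g.recv_delay_ms; }

// Delays apply to UDP and TCP; drops are UDP only; proxy transport gets neither.
bool delay_applies(Transport t) { return t == Transport::UDP || t == Transport::TCP; }
bool drop_applies(Transport t)  { return t == Transport::UDP; }

// Per-packet decision: drop with probability 1/n; n == 0 disables dropping.
template <class Rng>
bool should_drop(int n, Rng& rng) {
    if (n <= 0) return false;
    std::uniform_int_distribution<int> dist(0, n - 1);
    return dist(rng) == 0;
}

// Empirical drop rate over `packets` packets with a seeded generator, so the
// 1/n semantics can be checked deterministically.
double measured_drop_rate(int n, int packets, unsigned seed) {
    std::mt19937 rng(seed);
    int dropped = 0;
    for (int i = 0; i < packets; ++i)
        if (should_drop(n, rng)) ++dropped;
    return packets > 0 ? static_cast<double>(dropped) / packets : 0.0;
}

} // namespace gremlin_example

int main() {
    using namespace gremlin_example;
    Gremlin g = parse_gremlin("250,250,64,64");   // the --gremlin example above
    std::printf("extra RTT: %d ms\n", extra_rtt_ms(g));
    std::printf("measured drop rate for 1/%d: %.4f\n", g.send_drop_prob,
                measured_drop_rate(g.send_drop_prob, 200000, 42));
    return 0;
}
```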
unless both logthread.hpp was included and logbase.hpp was NOT
included.
This change allows loggers other than
ClientAPI::OpenVPNClient::log() to be used with ovpn3 core.
interface management code into TunMac::Setup()
(tunsetup.hpp).
Added TunBuilderSetup::Config, Base, and Factory for use
as a unix-portable abstraction layer for tun interface
management code.
Added Stop object pointer to Mac OS X tun config
(TunMac::ClientConfig), so that tun management code can
detect stop commands if it's blocking outside of outer
asio::io_context.
data to the OpenVPN handshake (peer-info is a client -> server
key/value list that is part of the OpenVPN protocol). To
add peer-info key/value pairs, use ClientAPI::Config::peerInfo.
Incremented core OPENVPN_VERSION to "3.0.6".
* Performance degradation from recent commit was occurring
in PRNG.
* Allow RNG to be used in place of PRNG. For PolarSSL
at least, this change completely reverses the
polymorphic ProtoContext performance degradation
and turns it into a net performance gain.
* Added bool prng to RNG constructors to allow
the implementation to optimize for PRNG
(only PolarSSL currently supports this).
Documented different use-cases for RNG vs. PRNG
in ProtoContext:
RNG -- Random number generator.
Use-cases demand highest cryptographic strength
such as key generation.
PRNG -- Pseudo-random number generator.
Use-cases demand cryptographic strength
combined with high performance. Used for
IV and ProtoSessionID generation.
(MacLifeCycle).
Monitor connection lifecycle notifications, such as sleep, wakeup,
network-unavailable, and network-available.
Note that not all platforms define a lifecycle object. Some
platforms such as Android and iOS manage lifecycle notifications at
the service level, and they call pause(), resume(), reconnect(),
etc. as needed using the main ovpncli API.
Also, added a reason string to Pause event.
Implemented full TunClient class for Windows with TAP driver
support. For now, we use netsh (rather than TAP driver DHCP)
to set all tunnel adapter properties, as this appears to work
great on Windows 7.
IPv6 is fully supported.
Known issues:
* netsh doesn't have a command for adding DNS search domains, so
we don't support them yet.
* While we always try to remove routes and added properties from
TAP adapter instance when we close out the session, for robustness,
when we bring up TAP adapter, we should try to delete any stale
routes on interface left over from previous session.
* Right now we call netsh with system(), which runs the command line
through the cmd.exe shell. For security (no shell interpretation of
the arguments) and compatibility with Windows apps (not only console
apps), we should use CreateProcess instead.
* Added better API documentation in ovpncli.hpp about the meaning
of replacePasswordWithSessionID and cachePassword.
* Log when creds are passed to server, including info about
whether creds are blank and whether a Session ID was used
in place of a password. Also indicate when creds are a
response to a static or dynamic challenge.
* Changed RESTART handling. When receiving a RESTART, always
attempt a restart, never halt. When receiving a RESTART with
psid==0, clear out any cached Session ID (if one exists) before
doing the restart.
* If can_retry_auth_with_cached_password() is called and modifies
the password, make sure to clear the
did_replace_password_with_session_id flag.
Core: Added forceAesCbcCiphersuites config flag. When enabled,
the TLS implementation will not set a minimum TLS version for
peer negotiation (even if tls-version-min is specified), but
will instead force one of these two ciphersuites:
1. TLS_DHE_RSA_WITH_AES_256_CBC_SHA, or
2. TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Note that enabling the flag therefore discards any tls-version-min
floor the profile asked for.
When forceAesCbcCiphersuites is disabled, no explicit set of
ciphersuites will be forced, but the TLS minimum version will
be set to 1.0 (or higher if tls-version-min is specified).
Also added iOS preference and cli.cpp option to control the
forceAesCbcCiphersuites flag.
Ported iOS client and OpenVPN 3 core to ARM-64.
Now building a "fat binary" with Xcode 5.0.1 that
targets arm7, arm7s, and arm64.
Outstanding issues:
* IPv6 doesn't route through tunnel on iOS7
* Client doesn't install on iOS 5.1.1.
unrecognized, ignored, or unused.
This behavior differs (by design) from the 2.x branch, which
will raise a fatal exception if an unrecognized option is
encountered.
will build the app as if it was running on the simulator, i.e. with
null tun device, but will build for an actual iOS device.
OPENVPN_SSL_DEBUG defined in ovpncli.cpp is now a debug level and
can be set to an integer value (or 0 to disable).
like the rest of the core.
Added verbose() method to class SessionStats so that clients can
know whether to pass extra text data to error() virtual method.
multiple addresses will be treated as if each address was an
individual remote directive.
Fixed issue where UDP transport driver was calling socket
connect method synchronously. This can cause exceptions
to be thrown in corner cases, such as "No route to host"
on OSX/iOS for connections to IPv6 addresses when no default
IPv6 route exists on system. Refactoring UDP connect
operation to be asynchronous fixes the issue.
Implemented remote-random.
Separated the functionality of replacePasswordWithSessionID
and cachePassword, and allow them to be used together,
in which case the session ID will be used as the password
until it expires or is invalidated, then the cached
password will be used to reauth.
Android: 1.1.9 build 31
* Reverted key-direction back to a default of 1.
* Raise fatal error if "fragment" option is used.
* Made TunBuilderCapture more useful as a base class for
tun construction on various platforms.
* Added disableClientCert flag at ovpncli.hpp API.
* Updated help FAQ with more details on how to
properly set key-direction, and notes about
possible network disconnect during voice calls.
* VoD profiles can be defined using the iPhone Configuration utility:
1. Connection Type should be set to Custom SSL
2. Identifier should be set to net.openvpn.OpenVPN-Connect.vpnplugin
3. Server can be set to a hostname, or "DEFAULT" to use the
hostname(s) from the OpenVPN configuration.
4. User Authentication should be set to Certificate, and the client
certificate+key should be attached as a PKCS#12 file.
5. VPN On Demand should be enabled and match entries should be
defined.
In addition, the OpenVPN client configuration file may be defined
via key/value pairs:
1. VoD requires an autologin profile.
2. Define each OpenVPN directive as a key, with arguments
specified as the value.
3. For Access server meta-directives such as
OVPN_ACCESS_SERVER_USERNAME, remove the "OVPN_ACCESS_SERVER_"
prefix, giving USERNAME as the directive.
4. If no arguments are present, use "NOARGS" as the value.
5. If multiple instances of the same directive are present,
number the directives in the order they should be processed by
appending .<n> to the directive, where n is an integer,
such as remote.1 or remote.2
6. For multi-line directives such as <ca> and <tls-auth>, you must
convert the multi-line argument to a single line by specifying
line breaks as \n -- also note that because of
this escaping model, you must use \\ to pass backslash itself.
* VoD profiles are recognized and listed by the app.
* The app can disconnect but not connect a VoD profile.
* Most app-level functionality such as logging and preferences
work correctly for VoD profiles.
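An added example (not code from the iOS app or the OpenVPN 3 core) that converts a set of VoD key/value pairs into config text following rules 2 through 6 above. Input is a std::map of the plist's key/value strings. Two points the list above leaves open are handled as assumptions: all-uppercase keys are taken to be Access Server meta-directives and emitted as "# OVPN_ACCESS_SERVER_<NAME>=<value>" comment lines, and a value that contains a line break after unescaping is emitted as a multi-line <name>...</name> block. Function and namespace names are the example's own.

```cpp
// Added example, not OpenVPN 3 code: turn the VoD key/value directives
// described above into an OpenVPN config, handling NOARGS, the ".<n>"
// ordering suffix, the \n / \\ escaping model and Access Server meta-directives.
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <map>
#include <string>
#include <utility>
#include <vector>

namespace vod_example {

// Reverse the escaping model: "\n" becomes a line break, "\\" a backslash.
// Any other backslash sequence is passed through untouched.
std::string unescape(const std::string& v) {
    std::string out;
    for (std::size_t i = 0; i < v.size(); ++i) {
        if (v[i] == '\\' && i + 1 < v.size()) {
            if (v[i + 1] == 'n')  { out += '\n'; ++i; continue; }
            if (v[i + 1] == '\\') { out += '\\'; ++i; continue; }
        }
        out += v[i];
    }
    return out;
}

// "remote.2" -> ("remote", 2); a key without a numeric suffix gets index 0.
static std::pair<std::string, int> split_key(const std::string& key) {
    const std::size_t dot = key.rfind('.');
    if (dot == std::string::npos || dot + 1 >= key.size()) return std::make_pair(key, 0);
    const std::string suffix = key.substr(dot + 1);
    if (!std::all_of(suffix.begin(), suffix.end(),
                     [](unsigned char c) { return std::isdigit(c) != 0; }))
        return std::make_pair(key, 0);
    return std::make_pair(key.substr(0, dot), std::stoi(suffix));
}

// Assumption: an all-uppercase key (USERNAME, AUTOLOGIN, ...) is an Access
// Server meta-directive with the OVPN_ACCESS_SERVER_ prefix stripped.
static bool is_meta_key(const std::string& k) {
    return !k.empty() && std::all_of(k.begin(), k.end(), [](unsigned char c) {
        return std::isupper(c) != 0 || std::isdigit(c) != 0 || c == '_';
    });
}

// One directive -> one config fragment. Assumptions: meta-directives are
// emitted in the "# OVPN_ACCESS_SERVER_NAME=value" comment form, and a value
// containing a line break after unescaping is a multi-line <name>...</name> block.
std::string render_directive(const std::string& name, const std::string& raw) {
    if (is_meta_key(name)) return "# OVPN_ACCESS_SERVER_" + name + "=" + raw + "\n";
    if (raw == "NOARGS") return name + "\n";
    std::string v = unescape(raw);
    if (v.find('\n') != std::string::npos) {
        if (v.back() != '\n') v += '\n';
        return "<" + name + ">\n" + v + "</" + name + ">\n";
    }
    return name + " " + v + "\n";
}

// Orders same-named directives by their numeric suffix (so remote.10 follows
// remote.2, which plain string order would not do) and renders them all.
std::string vod_to_config(const std::map<std::string, std::string>& kv) {
    struct Item { std::string name; int index; std::string value; };
    std::vector<Item> items;
    for (const auto& e : kv) {
        std::pair<std::string, int> k = split_key(e.first);
        Item it; it.name = k.first; it.index = k.second; it.value = e.second;
        items.push_back(it);
    }
    std::stable_sort(items.begin(), items.end(), [](const Item& a, const Item& b) {
        return a.name == b.name ? a.index < b.index : a.name < b.name;
    });
    std::string out;
    for (const Item& it : items) out += render_directive(it.name, it.value);
    return out;
}

} // namespace vod_example

int main() {
    // Constructed VoD key/value profile.
    std::map<std::string, std::string> kv = {
        {"client", "NOARGS"},
        {"remote.1", "a.example.com 1194 udp"},
        {"remote.2", "b.example.com 443 tcp"},
        {"remote.10", "c.example.com"},
        {"ca", "-----BEGIN CERTIFICATE-----\\nMIIB...\\n-----END CERTIFICATE-----"},
        {"USERNAME", "alice"}};
    std::printf("%s", vod_example::vod_to_config(kv).c_str());
    return 0;
}
```

The numeric sort matters: a plist iterated in string order would put remote.10 before remote.2, which is the wrong order for a remote list.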
Core changes:
* Added support for key-direction parameter in core.
DNS Fallback (enabled by default) -- Use Google DNS servers as a
fallback for connections that route all internet traffic through
the VPN tunnel but don't define any VPN DNS servers.
* Implement a simple DNS cache to work around issue with
Seamless Tunnel -- When Seamless Tunnel is enabled,
reconnections are unable to send DNS requests because
the internet is blocked. This fix caches the IP address
used for the initial connection, then reuses it
over the lifetime of the Seamless Tunnel.
* Try to ensure that connections properly pause on device
sleep (when sleep on screen blanking is NOT enabled) so
that they will survive until wakeup.
iOS:
* Don't choke on foreign profiles (such as VPN On Demand) that are
imported onto the device but lack critical info such as a
config file.
Android:
* Added a preference item tun_persist -- in the UI it is
described as "Seamless Tunnel -- Block internet while VPN
is paused or reconnecting"
* If tun_persist is enabled, hold onto tun socket during
reconnects or pauses, and don't rebuild the tunnel
on reconnect unless its controlling parameters have changed.
cert chain to the core, rather than only the leaf cert.
This allows profiles to be used that lack "ca", "cert",
or "key" directives -- instead, these values are read from the
KeyChain.
If "ca" IS NOT defined in the profile, it will be set to
the chain of supporting certs associated with the Keychain
leaf cert.
If "ca" IS defined by the profile, then the chain of supporting
certs will go into the "extra-certs" list, meaning that it
will support the client cert but not serve as an authority
to verify the server cert.
* Fixed core segfault that would occur if external_pki_cert_request
returned an error status.
* More robust handling of External PKI alias invalidation.
* Minor fixes to allow jellybean_hack.cpp to build in
debug mode.
* Fix attempt for java.lang.NullPointerException in
net.openvpn.openvpn.OpenVPNService.onStartCommand(OpenVPNService.java:838)
* Allow non-unified profiles (i.e. profiles containing directives that
reference other files) to be imported from SD card, as long
as all referenced files are present in the same directory on the
SD card as the profile.
* Relaxed parsing of "remote" directive to allow the port and/or
protocol parameters to be omitted. The port defaults to 1194
and the protocol to UDP. Either default can be changed with
the "port" or "proto" directive.
* Fixed issue where profile parser was choking on files containing
Windows-style line-endings.
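The relaxed remote parsing and the CRLF tolerance from the two items above, as an added example (not the app's own profile parser): omitted port and protocol fall back to the file's "port"/"proto" directives and otherwise to 1194/udp, and a trailing carriage return on each line is stripped before tokenizing. The example assumes that "port" and "proto" apply file-wide regardless of where they appear, so defaults are resolved after the whole file has been read; that ordering rule and the function names are assumptions.

```cpp
// Added example, not OpenVPN 3 code: the relaxed "remote" parsing described
// above, with the port/proto defaults and Windows line endings handled.
#include <cstdio>
#include <exception>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

namespace remote_example {

struct Remote {
    std::string host;
    int port = 0;          // 0 = omitted, filled from the default later
    std::string proto;     // "" = omitted
};

// Whitespace-split one line; a trailing '\r' from CRLF files is dropped first.
static std::vector<std::string> tokenize(std::string line) {
    if (!line.empty() && line.back() == '\r') line.pop_back();
    std::vector<std::string> out;
    std::istringstream is(line);
    std::string tok;
    while (is >> tok) out.push_back(tok);
    return out;
}

// Strict port parse: whole token must be digits and fall in 1..65535.
static int parse_port(const std::string& s) {
    std::size_t consumed = 0;
    int p = 0;
    try { p = std::stoi(s, &consumed); } catch (const std::exception&) { consumed = 0; }
    if (consumed != s.size() || p < 1 || p > 65535)
        throw std::invalid_argument("bad port '" + s + "'");
    return p;
}

// Returns every "remote" with port and proto filled in. Omitted values take
// the file-wide "port"/"proto" directives, else 1194/udp. Assumption (not
// stated on the page): "port"/"proto" apply to all remotes wherever they
// appear in the file, so defaults are resolved after the whole file is read.
// Blank lines and '#'/';' comments are skipped.
std::vector<Remote> parse_remotes(const std::string& profile) {
    int default_port = 1194;
    std::string default_proto = "udp";
    std::vector<Remote> remotes;
    std::istringstream in(profile);
    std::string line;
    while (std::getline(in, line)) {
        std::vector<std::string> t = tokenize(line);
        if (t.empty() || t[0][0] == '#' || t[0][0] == ';') continue;
        if (t[0] == "port" && t.size() >= 2) {
            default_port = parse_port(t[1]);
        } else if (t[0] == "proto" && t.size() >= 2) {
            default_proto = t[1];
        } else if (t[0] == "remote" && t.size() >= 2) {
            Remote r;
            r.host = t[1];
            if (t.size() >= 3) r.port = parse_port(t[2]);
            if (t.size() >= 4) r.proto = t[3];
            remotes.push_back(r);
        }
    }
    for (Remote& r : remotes) {
        if (r.port == 0) r.port = default_port;
        if (r.proto.empty()) r.proto = default_proto;
    }
    return remotes;
}

} // namespace remote_example

int main() {
    // Constructed profile fragment with CRLF line endings.
    const std::string profile =
        "client\r\nport 443\r\nproto tcp\r\n"
        "remote a.example.com\r\n"
        "remote b.example.com 8443\r\n"
        "remote c.example.com 1194 udp\r\n";
    for (const auto& r : remote_example::parse_remotes(profile))
        std::printf("%s %d %s\n", r.host.c_str(), r.port, r.proto.c_str());
    return 0;
}
```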
Implemented IPv6 in iOS client.
Added new flags to redirect-gateway to control whether redirection
occurs at IPv4 or IPv6 levels (or both):
* ipv4 (default)
* !ipv4
* ipv6
* !ipv6
Added new directive "redirect-dns yes|no". If yes, all DNS requests
will be forwarded through pushed DNS servers. If no, only DNS
requests that match domains enumerated in "dhcp-option DOMAIN"
directives will be forwarded. If redirect-dns is omitted, it will
default to yes if redirect-gateway is specified at the IPv4 level
(this is the normal pre-existing behavior).
Allow the following aggregated options that are normally pushed by
the server to be defined in the config file as well. These options
will be combined with server-pushed options:
* route
* route-ipv6
* redirect-gateway
* redirect-private
* dhcp-option
Allow the following singleton options (i.e. options that don't
aggregate), that are normally pushed, to be defined in the config
file (note that server-pushed singleton options will override the
config file setting):
* redirect-dns
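An added example (not OpenVPN 3 code) that applies the aggregated/singleton merge rules above to a config-file option list and a server-pushed list, then derives the redirect-gateway address-family flags (ipv4 by default, !ipv4, ipv6, !ipv6) and the redirect-dns default from the merged result. Options are plain token vectors. What happens to options outside the two sets listed above is not specified on the page; the example keeps config options and appends pushed ones unchanged, and notes that as an assumption in the code, as are the names.

```cpp
// Added example, not OpenVPN 3 code: combine config-file and server-pushed
// options under the aggregated/singleton rules above, then evaluate the
// redirect-gateway address-family flags and the redirect-dns default.
#include <cstddef>
#include <cstdio>
#include <set>
#include <string>
#include <vector>

namespace redirect_example {

using Option = std::vector<std::string>;   // tokens: directive name, then args
using OptionList = std::vector<Option>;

// Aggregated: instances from the file and from the server are all kept.
static const std::set<std::string> kAggregated = {
    "route", "route-ipv6", "redirect-gateway", "redirect-private", "dhcp-option"};
// Singleton: a pushed instance replaces the config-file one.
static const std::set<std::string> kSingleton = {"redirect-dns"};

static bool pushed_has(const OptionList& pushed, const std::string& name) {
    for (const Option& p : pushed)
        if (!p.empty() && p[0] == name) return true;
    return false;
}

// Assumption (not from the page): pushed options that are neither aggregated
// nor singleton are appended unchanged, and config options outside both sets
// are kept as-is.
OptionList merge_options(const OptionList& config, const OptionList& pushed) {
    OptionList out;
    for (const Option& o : config) {
        if (o.empty()) continue;
        if (kSingleton.count(o[0]) && pushed_has(pushed, o[0])) continue;  // server wins
        out.push_back(o);
    }
    for (const Option& p : pushed)
        if (!p.empty()) out.push_back(p);
    return out;
}

std::size_t count_option(const OptionList& list, const std::string& name) {
    std::size_t n = 0;
    for (const Option& o : list)
        if (!o.empty() && o[0] == name) ++n;
    return n;
}

struct Redirect {
    bool ipv4 = false;
    bool ipv6 = false;
    bool dns = false;
};

// Walks every redirect-gateway instance: ipv4 is on by default, "!ipv4" turns
// it off, "ipv6" turns IPv6 redirection on, "!ipv6" turns it off (later flags
// win). redirect-dns yes|no is honoured if present; otherwise it defaults to
// the IPv4 redirect decision, as the text above specifies.
Redirect evaluate_redirect(const OptionList& merged) {
    Redirect r;
    bool saw_redirect_gateway = false;
    bool dns_explicit = false, dns_value = false;
    for (const Option& o : merged) {
        if (o.empty()) continue;
        if (o[0] == "redirect-gateway") {
            if (!saw_redirect_gateway) { saw_redirect_gateway = true; r.ipv4 = true; }
            for (std::size_t i = 1; i < o.size(); ++i) {
                if (o[i] == "ipv4") r.ipv4 = true;
                else if (o[i] == "!ipv4") r.ipv4 = false;
                else if (o[i] == "ipv6") r.ipv6 = true;
                else if (o[i] == "!ipv6") r.ipv6 = false;
                // other flags (def1, bypass-dhcp, ...) leave the address-family decision alone
            }
        } else if (o[0] == "redirect-dns" && o.size() >= 2) {
            dns_explicit = true;
            dns_value = (o[1] == "yes");
        }
    }
    r.dns = dns_explicit ? dns_value : r.ipv4;
    return r;
}

// Merge then evaluate in one step.
Redirect redirect_for(const OptionList& config, const OptionList& pushed) {
    return evaluate_redirect(merge_options(config, pushed));
}

} // namespace redirect_example

int main() {
    using namespace redirect_example;
    // Constructed config-file and pushed option lists.
    OptionList config = {{"redirect-gateway", "ipv6"}, {"redirect-dns", "no"},
                         {"route", "10.0.0.0", "255.0.0.0"}};
    OptionList pushed = {{"redirect-dns", "yes"}, {"dhcp-option", "DNS", "10.8.0.1"},
                         {"route", "192.168.1.0", "255.255.255.0"}};
    OptionList merged = merge_options(config, pushed);
    Redirect r = evaluate_redirect(merged);
    std::printf("routes=%zu redirect-dns entries=%zu ipv4=%d ipv6=%d dns=%d\n",
                count_option(merged, "route"), count_option(merged, "redirect-dns"),
                r.ipv4, r.ipv6, r.dns);
    return 0;
}
```

In the constructed input the file says redirect-dns no and the server pushes redirect-dns yes; because redirect-dns is a singleton the pushed value wins, while both route entries survive because route aggregates.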
The Connection Details section of the UI now displays VPN IP
addresses for IPv4 and IPv6.
Added new pushable option "client-ip IP_ADDR" that can be pushed
by the server with the client's IP address as seen by the server.
The client will then show the address in the Connection Details
section of the UI.
yes -- support compression on both uplink and downlink
asym -- support compression on downlink only
no (default) -- no compression (stubs only)
Added our own internal LZO decompressor, which is enabled when
HAVE_LZO is undefined and the standard LZO library is not linked.
This allows clients to support LZO in downlink mode only
if the library isn't available.
Android version: 1.1 beta 1
More alignment of iOS and Android clients:
* Normalized building of dependencies for Android and iOS:
This build adds some new library dependencies:
The library versions required are enumerated in
ovpn3/lib-versions, currently:
export BOOST_VERSION=boost_1_51_0
export OPENSSL_VERSION=openssl-1.0.1c
export POLARSSL_VERSION=polarssl-1.1.4
export LZO_VERSION=lzo-2.06
To build, first mkdir ~/src/android and ~/src/mac if they don't
already exist. Set the env var O3 to point to the ovpn3 dir,
usually ~/src/ovpn3.
Build on iOS:
[set PATH to include NDK]
cd ~/src/android
$O3/scripts/android/build-boost
$O3/scripts/android/build-minicrypto
$O3/scripts/android/build-polarssl
$O3/scripts/android/build-lzo
Build on Android:
[set PATH to include NDK]
cd ~/src/android
$O3/scripts/android/build-boost
$O3/scripts/android/build-minicrypto
$O3/scripts/android/build-polarssl
$O3/scripts/android/build-lzo
* Integrated Minicrypto library (an assembly language library
of low-level crypto functions adapted from OpenSSL).
* Added LZO compression with a preference/settings item
to enable or disable.
* Added special compression handling to support older servers
that ignore compression handshake -- this will handle receiving
compressed packets even if we didn't ask for them.
* Normalized profile naming conventions.
iOS changes:
* Log tunnel performance stats immediately on disconnection
of tunnel.
Android changes:
* Client now supports loading profiles as attachments
opened from other apps.
* Added Import Private Tunnel menu item, however current
Private Tunnel download page needs to be adapted to fit
requirements of Android download manager.
* Enter key should advance to the next input field,
or connect if entered from the last field.
* Import from Access Server now provides the option to
download autologin vs. userlogin profiles.
* "About" page now shows copyright text for included
libraries/content (except for LZO and PolarSSL
which will presumably be commercially licensed).