mirror of https://github.com/OpenVPN/openvpn3.git synced 2024-09-20 04:02:15 +02:00
Commit Graph

134 Commits

Author SHA1 Message Date
Charlie Vigue
b6b8282d33 Addressed 2nd set of -Wconversion warnings
- Used static_cast instead of direct type conversions in places where
it's safe
- Used numeric_cast where failure is possible
- Changed types of arguments and locals when practical

Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
2023-08-21 13:51:50 +00:00
Antonio Quartulli
193468cd72
ovpn-dco: change control packets flow in order to adapt to dco-v2 logic
With ovpn-dco-v2 logic, control packets do not flow through netlink
anymore but they are sent directly via the transport socket.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2023-06-06 13:54:42 +02:00
Antonio Quartulli
9b976d6e2b
ovpn-dco: extend stats in order to retrieve both VPN and transport numbers
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2023-06-06 13:54:41 +02:00
Antonio Quartulli
37ae62143d
ovpn-dco: make netlink parsing code a bit more robust
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2023-06-06 13:54:41 +02:00
Antonio Quartulli
446558a735
ovpn-dco: include latest UAPI header in codebase
In order to avoid a useless dependency on the ovpn-dco tree, directly
include the ovpn_dco_linux.h UAPI header in the codebase.

This is the only external requirement to build core with DCO support.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2023-06-05 15:48:34 +02:00
Arne Schwabe
084e6a7e1d
Ensure members of openvpn::TunLinuxSetup::Config are initialised
Reported-By: Trail of Bits (TOB-OVPN3-13)
Signed-off-by: Arne Schwabe <arne@openvpn.net>
(cherry picked from commit da41e7cfdf)
2023-03-03 21:41:21 +01:00
David Sommerseth
dde1574596
Reformatting source code to new coding style
This is the result after running 'clang-format -i' on all C++ files and
headers, with the defined formatting rules in .clang-format.

Only the openvpn/common/unicode-impl.hpp has been excluded, as that is
mostly a copy of an external project.

Signed-off-by: David Sommerseth <davids@openvpn.net>
2023-01-18 19:24:15 +01:00
David Sommerseth
4996c38ed4
Merge latest changes from Core v3.7.2 2022-12-14 17:34:29 +01:00
Lev Stipakov
6a9b174f21
tunpersist: support for "no retain, no replace"
This is required for dco-win driver support.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2022-10-13 15:16:24 +02:00
David Sommerseth
8c94a8f774
copyright: Update to 2022
Signed-off-by: David Sommerseth <davids@openvpn.net>
2022-09-29 12:00:26 +02:00
Frank Lichtenheld
2aea7ac4b5
Merge changes from coming OpenVPN 3 Core library v3.7 bugfix update
  - test_cpu_time: fix unused variable
  - Allow GIT version to be reported as part of platform (version) string
  - Update OpenSSL to 3.0.5, build fat lib for macos, drop 32 bit on iOS
  - README.rst: some fixes for macOS instructions
  - extpki.hpp: ignore deprecated EC_KEY_* functions
  - mingw: fix OpenSSL on x86_64
  - mingw: fix broken OpenSSL checkout
  - test_ssl: fix ssl.enablelegacyProvider
  - dco/GeNL: ignore message for unrelated interfaces

Signed-off-by: David Sommerseth <davids@openvpn.net>
2022-08-25 15:32:11 +02:00
Arne Schwabe
3710fa106a Implement pushable tun-mtu and tls-mtu-max
OpenVPN 3.x has the same approach/problem for buffer allocation for the
tunnel packets that OpenVPN 2.x uses. Buffers are allocated very early
in the setup, so resizing/reacting to different frame sizes is not
really possible without major refactoring.

Therefore we use the same approach as with OpenVPN 2.x and allow a
MTU of up to 1600 by default and require setting tun-mtu-max in the
configuration file to allow larger values and allocate larger buffers.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2022-07-13 16:44:31 +02:00
Antonio Quartulli
46b13ec65e
dco/GeNL: ignore message for unrelated interfaces
Some netlink messages are sent as multicast by the kernel and will reach
all listening userspace processes. For this reason, the receiving
handler should discard non-interesting messages to avoid messing up the
local state.

Reported-by: David Sommerseth <davids@openvpn.net>
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2022-05-20 10:24:37 +02:00
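The failure mode this commit describes, a multicast notification about another tunnel being applied to our own state, is easy to reproduce in a small model. The following is an added example and not OpenVPN 3's GeNL code: the message dicts are constructed stand-ins for parsed genl attributes, the command names are modelled on the OVPN_CMD_* names elsewhere in this log, and the "ifindex" key and class names are assumptions.

```python
"""Drop generic-netlink notifications that concern another interface.

Added example, not OpenVPN 3's GeNL code. Message dicts are constructed
stand-ins for parsed genl attributes; the "ifindex" key is an assumption."""

from dataclasses import dataclass, field

CMD_DEL_PEER = "OVPN_CMD_DEL_PEER"
CMD_PACKET = "OVPN_CMD_PACKET"


@dataclass
class DcoClientState:
    ifindex: int                        # the ovpn-dco interface we own
    filter_ifindex: bool = True         # False reproduces the pre-fix behaviour
    peer_alive: bool = True
    reconnects: int = 0
    ignored: int = 0
    control_packets: list = field(default_factory=list)

    def handle(self, msg: dict) -> None:
        """Called for every message the genl socket delivers, including
        multicast notifications about tunnels owned by other processes."""
        if self.filter_ifindex and msg.get("ifindex") != self.ifindex:
            self.ignored += 1           # not ours: must not touch local state
            return
        cmd = msg["cmd"]
        if cmd == CMD_DEL_PEER:
            # Kernel removed our peer (e.g. keepalive timeout): reconnect.
            self.peer_alive = False
            self.reconnects += 1
        elif cmd == CMD_PACKET:
            self.control_packets.append(msg["payload"])


def replay(msgs, ifindex=7, filter_ifindex=True) -> DcoClientState:
    state = DcoClientState(ifindex=ifindex, filter_ifindex=filter_ifindex)
    for m in msgs:
        state.handle(m)
    return state


# Constructed sample: two control packets for our tunnel (ifindex 7) with a
# DEL_PEER multicast for an unrelated tunnel (ifindex 9) in between.
SAMPLE = [
    {"ifindex": 7, "cmd": CMD_PACKET, "payload": b"\x38\x00\x00\x00"},
    {"ifindex": 9, "cmd": CMD_DEL_PEER},
    {"ifindex": 7, "cmd": CMD_PACKET, "payload": b"\x40\x00\x00\x00"},
]

if __name__ == "__main__":
    fixed = replay(SAMPLE)
    broken = replay(SAMPLE, filter_ifindex=False)
    print("filtered:   reconnects=%d ignored=%d" % (fixed.reconnects, fixed.ignored))
    print("unfiltered: reconnects=%d ignored=%d" % (broken.reconnects, broken.ignored))
```

With the filter in place the foreign DEL_PEER is counted as ignored and the session keeps running; without it the same message tears down a healthy peer and triggers a spurious reconnect.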
James Yonan
085836cea9 ovpn3 client: support a new client event containing the data from TunBuilderCapture::to_json()
The event is of type INFO_JSON and is formatted:

  TUN_BUILDER_CAPTURE:{...}

This info is useful to determine the properties of a
VPN client session such as VPN IPs, Gateway IPs,
and DNS resolvers, and can be directly used as
a VPN Connection Profile.

This patch also adds the

  cli --tbc <file>

option to write the TunBuilderCapture JSON to a file.

Signed-off-by: James Yonan <james@openvpn.net>
2022-05-13 19:09:09 -06:00
James Yonan
6f10dfdce9 SITNL: added net_iface_addr() to return the primary address/prefix_len on a given interface
Signed-off-by: James Yonan <james@openvpn.net>
2022-05-13 19:09:09 -06:00
James Yonan
68854ea916 SITNL: added new OPENVPN_LOG_RTNL() call to better understand netlink representation of route list
Signed-off-by: James Yonan <james@openvpn.net>
2022-05-13 19:09:09 -06:00
James Yonan
2d2758b7a8 SITNL: use cleaner and more performant IP::Route construction
When constructing an IP::Route from netlink raw data, avoid
round-trip conversion to string and back.

Signed-off-by: James Yonan <james@openvpn.net>
2022-05-13 19:09:09 -06:00
James Yonan
c6e47099b7 SITNL: allow including programs to define their own version of OPENVPN_LOG_RTNL()
Signed-off-by: James Yonan <james@openvpn.net>
2022-05-13 19:09:09 -06:00
Lev Stipakov
ac15879588 support for default mssfix
Add support for default mssfix, which is calculated
based on upper bound value 1492 minus payload and
encapsulation overhead.

Payload overhead includes:

 - compression byte (except for V2, which doesn't add overhead)
 - pktid (in CBC)
 - IPv4 and TCP headers

Encapsulation overhead:

 - crypto overhead (for AEAD 16 bytes auth tag, 4 bytes pktid, 4 bytes opcode/peer-id = 24)
 - 2 bytes packet size for TCP transport

Also for CBC we must take padding [1..blocksize] into account.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2022-05-04 18:15:07 +03:00
James Yonan
7cbac69e3d Linux tun_config(): added a flags parameter to subsume add_bypass_routes and create space for new flags
This change replaces the boolean add_bypass_routes with a new
flags parameter -- set the TunConfigFlags::ADD_BYPASS_ROUTES
flag to achieve the same functionality.

We also add some new flags for finer-grained control over
actions taken by tun_config:

* TunConfigFlags::DISABLE_IFACE_UP -- disable bringing the interface up

* TunConfigFlags::DISABLE_REROUTE_GW -- disable redirect-gateway

Signed-off-by: James Yonan <james@openvpn.net>
2021-11-24 13:18:35 -07:00
Antonio Quartulli
07b85394c8
genl.hpp: implement get_peer() API to retrieve peer data from DCO
The get_peer API allows userspace to retrieve the data about a specific
peer. Implement the userspace counterpart so that OpenVPN can retrieve
the peer data when it needs to update the client statistics.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2021-06-09 17:23:03 +02:00
Antonio Quartulli
0f264b71e4
genl.hpp: avoid cast for return value of lambda expression
Explicitly specify the return type of lambda expressions
so that we can avoid casting the return value.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2021-06-08 01:42:37 +02:00
Heiko Hund
51bd6d4201 use DCO opportunistically
If DCO support is compiled in, detect if it is available (i.e. Windows driver
or Linux kernel module is loaded) and then use it, if it is.

This changes the default configuration for DCO from off to on, so users of
the library need to set ClientAPI::Config::dco to false in case they do not
want to use dco for a connection.

The change is also reflected in the reference client "ovpncli". If DCO is
enabled in a build, it will detect and use it. The previously available
"ovpncliovpndco" and "ovpncliovpndcowin" clients have thus been removed.

Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-05-27 17:20:24 +02:00
Antonio Quartulli
99f9049d1f
sitnl: move large memory block from stack to heap
It is not recommended to allocate big blocks on the stack, however
the sitnl sending routine is stacking a 16KB large buffer.

Allocate it using heap memory and avoid using the stack.

Addresses-Coverity: ("Large stack use")
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2021-05-24 21:19:57 +02:00
Antonio Quartulli
8d49172321
sitnl: properly assign prefix len of resulting route
When cycling through matching routes, the most specific (i.e. having the
longest prefix) should be selected. To achieve that, we must store the
prefix len of any selected route, so that it can be compared with the
next (if more than one is found).

As result, we return the prefix len of the matching route in the
route_res_t object.

Addresses-Coverity: ("Self assignment")
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2021-05-24 18:34:48 +02:00
Heiko Hund
5a85715946 fix potential nullptr deref with redirect-gateway
Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-05-18 06:13:31 +02:00
Heiko Hund
f228921d71 init several netlink related class members
Signed-off-by: Heiko Hund <heiko@openvpn.net>
2021-05-18 06:13:31 +02:00
Antonio Quartulli
49e1e1748f
dco: restyle source files with clang-format --style=LLVM
We are trying to adhere to the LLVM style as dictated by clang-format.
For this reason reformat all files in the dco/ subfolder with:

clang-format --style=LLVM -i $filename

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2021-02-23 01:37:43 +01:00
Antonio Quartulli
a25c4d5144
genl: update netlink API implementation to new ovpn-dco format
The ovpn-dco netlink API has been heavily rewritten to accommodate
multi-peer support.

For this reason the genl component in ovpn3-core had to be adapted to
follow the new format and logic.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2021-02-23 01:37:18 +01:00
Antonio Quartulli
8a9067b386
sitnl: fix typ0 in log message
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2021-02-23 01:06:31 +01:00
Lev Stipakov
d452518656 ovpn-dco: ipv6 support
Make GeNL code work with both IPv4 and IPv6 peers.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-11-18 18:02:00 +02:00
Lev Stipakov
9437974b60 ovpn-dco: support for TCP transport
Make client code protocol-agnostic by encapsulating UDP/TCP
differences into ProtoBase/ProtoImpl/TCP/UDP classes.

Slightly change GeNL API to accommodate the above-mentioned changes.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-11-18 18:02:00 +02:00
Antonio Quartulli
6eb1680099
ovpn-dco: add support for configuring ChaCha20Poly1305 as data channel cipher
Extend the ovpn-dco module to allow the user to specify ChaCha20Poly1305
as data channel cipher.
Same as AES-GCM, it also belongs to the AEAD family and its nonce length
is 12 bytes.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
2020-11-17 15:49:36 +01:00
Lev Stipakov
8ce41b76f8
ovpn-dco: remove cbc-hmac crypto
Since modern OpenVPN deployments negotiate AES-GCM,
there is no need to support AES-CBC / HMAC.

ovpn-dco doesn't support it, so clean up core as well.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-11-16 01:24:02 +01:00
Lev Stipakov
9574172560
ovpn-dco: change nonce_tail length to 8 bytes
AES-GCM nonce is 12 bytes. OpenVPN obtains it by concatenating 4 bytes
packet id and rest (nonce_tail) from key material generated during TLS
handshake.

For some reason ovpn-dco required userspace to provide a 12 byte
nonce_tail and generated a 16 byte nonce, even though the kernel crypto API
uses only 12 bytes. This has been fixed in ovpn-dco and therefore has to
be fixed in userspace.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-11-16 01:23:52 +01:00
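The nonce layout this commit and the ChaCha20-Poly1305 commit above rely on, a 4 byte packet id followed by an 8 byte nonce_tail giving the 96-bit nonce both AEAD ciphers expect, is shown below with the two checks a practitioner wants around it: rejecting a wrongly sized tail up front, and refusing to wrap the packet-id counter so a nonce is never repeated under one key. This is an added example, not OpenVPN 3 or ovpn-dco code; the class and function names are hypothetical.

```python
"""Data-channel AEAD nonce layout: 4-byte packet id || 8-byte nonce_tail.

Added example, not OpenVPN 3 or ovpn-dco code; names are hypothetical."""

import struct

NONCE_LEN = 12                              # AES-GCM and ChaCha20-Poly1305
PKTID_LEN = 4
NONCE_TAIL_LEN = NONCE_LEN - PKTID_LEN      # 8 bytes, as this commit sets it


class NonceSequence:
    """Sender-side nonce generator for one data-channel key."""

    def __init__(self, nonce_tail: bytes):
        if len(nonce_tail) != NONCE_TAIL_LEN:
            # A 12-byte tail would build a 16-byte nonce, which a 96-bit AEAD
            # would truncate or reject; fail loudly instead.
            raise ValueError(
                f"nonce_tail must be {NONCE_TAIL_LEN} bytes, got {len(nonce_tail)}")
        self.tail = nonce_tail
        self.next_id = 1                    # counter starts at 1, 0 is not sent

    def next(self) -> bytes:
        if self.next_id > 0xFFFFFFFF:
            # Wrapping the counter would repeat a nonce under the same key,
            # which breaks GCM and Poly1305 completely. Rekey instead.
            raise RuntimeError("packet id space exhausted, rekey required")
        nonce = struct.pack("!I", self.next_id) + self.tail
        self.next_id += 1
        return nonce


def split_nonce(nonce: bytes):
    """Receiver side: recover (packet_id, nonce_tail) from a wire nonce."""
    if len(nonce) != NONCE_LEN:
        raise ValueError(f"nonce must be {NONCE_LEN} bytes, got {len(nonce)}")
    (pktid,) = struct.unpack("!I", nonce[:PKTID_LEN])
    return pktid, nonce[PKTID_LEN:]


if __name__ == "__main__":
    seq = NonceSequence(bytes(range(8)))    # constructed tail, not key material
    for _ in range(3):
        n = seq.next()
        print(n.hex(), split_nonce(n))
```

Only the packet id travels on the wire; the receiver already holds the same nonce_tail from the key material, so it reconstructs the full 12 bytes before decrypting.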
Lev Stipakov
23d2203ff2 ovpn-dco: send START_VPN command first
ovpn-dco requires the START_VPN command to come first,
so subscribe for control channel packets after that.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-10-27 20:07:06 +02:00
Lev Stipakov
587b686159 ovpn-dco: proper support for cipher and auth 'none'
Commit cd68ae2740 ("ovpn-dco: support cipher 'none' and auth 'none'")
added initial support. This adds missing parts:

 - do not throw exception in kocrypto.hpp when using ovpn-dco
and cipher/auth are 'none'

 - set hmac alg to OVPN_HMAC_ALG_NONE if crypto alg is 'none'

 - pass hmac alg to ovpn-dco also when crypto alg is 'none'

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-10-14 11:45:55 +03:00
Lev Stipakov
f24f1fd089 ovpn-dco: handle keepalive
Since userspace doesn't know anything about data
channel traffic, keepalive should be handled in kernel.

Disable keepalive in userspace and implement
OVPN_CMD_SET_PEER ovpn-dco command, which sets
keepalive settings in kernel.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-08-26 14:59:24 +00:00
Lev Stipakov
60e43763a4 ovpn-dco: init data channel keys
Implement OvpnDcoRekey, which parses key info
into format consumed by ovpn-dco.

Use KoRekey abstractions to hook into protocol layer
and get notified about rekeying events.

Pass new key to kernel or swap keys when commanded by
protocol layer.

Implement ovpn-dco netlink commands:

 - OVPN_CMD_NEW_KEY
 - OVPN_CMD_DEL_KEY
 - OVPN_CMD_SWAP_KEYS

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-08-26 14:59:24 +00:00
Lev Stipakov
8593c41540 ovpn-dco: basic communication with kernel module
Add a dependency on libnl-genl, which is a C library
for generic netlink communication.

Implement C++ wrapper for libnl-genl, inspired by
ovpn-cli - a test client for ovpn-dco kernel module.

Implement ovpn-dco netlink commands:

  - OVPN_CMD_START_VPN - pass transport socket,
protocol (UDP) and mode (client).

  - OVPN_CMD_NEW_PEER - pass local and remote
endpoint info.

  - OVPN_CMD_PACKET - move (control channel) packets
between userspace and kernel.

  - OVPN_CMD_DEL_PEER - sent by kernel when peer is deleted
due to keepalive timeout (causes reconnect) or any other
reason (considered as fatal).

This change allows performing the OpenVPN handshake and
establishing a connection, which doesn't work yet, since data channel
keys are not passed to the kernel yet.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-08-26 14:59:24 +00:00
Lev Stipakov
67988b8883 linux/client/tunsetup.hpp: initial ovpn-dco support
ovpn-dco doesn't have a concept of "opening" nor a
file descriptor, since communication is handled
via netlink (to be added later).

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-08-26 10:53:27 +00:00
Antonio Quartulli
648234cc68 sitnl: implement net_iface_new and net_iface_del
These two new methods can be used to create and delete a tun or an
ovpn-dco interface via RTNL API.

Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-08-26 10:53:27 +00:00
David Sommerseth
3fbe0a2701
Update copyrights
Signed-off-by: David Sommerseth <davids@openvpn.net>
2020-03-18 19:37:32 +01:00
Arne Schwabe
743a525f16
Fix netlink add_bypass_route not working with IPv6
Signed-off-by: Arne Schwabe <arne@openvpn.net>
2020-02-07 21:12:57 +01:00
Arne Schwabe
3817b8072e Refactor selecting tun methods into a common header file
This fixes DCO client only including iproute and using methods of
TUN_LINUX

Signed-off-by: Arne Schwabe <arne@openvpn.net>
2019-11-27 17:11:50 +01:00
David Sommerseth
1d751ffb7d
Linux/TunMethods: Avoid adding IPv6 routes without an IPv6 config
In some situations, the local6 variable is nullptr but a default IPv6
route has been configured.  This causes a segfault later in the call
chain when add_del_route() is being called.

We already avoid a similar situation with IPv4, so implement the
same kind of safeguard for IPv6:  If no local IPv6 address has been
configured, don't attempt to add IPv6 routes.

Signed-off-by: David Sommerseth <davids@openvpn.net>
2019-11-07 16:30:03 +01:00
David Sommerseth
0833eb1f76
linux/tunsetup: Fix missing asio/errinfo declaration
When building the clinetcfg test client in openvpn3-linux with DCO support,
the building fails with the following compiler error:

    In file included from ./openvpn3-core/openvpn/common/base64.hpp:31:0,
                     from ./openvpn3-core/openvpn/init/initprocess.hpp:31,
                     from ./openvpn3-core/client/ovpncli.cpp:90,
                     from ./openvpn3-core/test/ovpncli/cli.cpp:58,
                     from src/tests/netcfg/cli.cpp:29:
    ./openvpn3-core/openvpn/tun/linux/client/tunsetup.hpp: In member function ‘int openvpn::TunLinuxSetup::Setup<TUNMETHODS>::establish(const openvpn::TunBuilderCapture&, openvpn::TunBuilderSetup::Config*, openvpn::Stop*, std::ostream&)’:
    ./openvpn3-core/openvpn/tun/linux/client/tunsetup.hpp:145:94: error: there are no arguments to ‘errinfo’ that depend on a template parameter, so a declaration of ‘errinfo’ must be available [-fpermissive]
         OPENVPN_THROW(tun_open_error, "error opening tun device " << node <<": " << errinfo(errno));
                                                                                                  ^
    ./openvpn3-core/openvpn/common/exception.hpp:130:18: note: in definition of macro ‘OPENVPN_THROW’
         _ovpn_exc << stuff; \
                      ^

By including the asioerr.hpp header file in
openvpn/tun/linux/client/tunsetup.hpp, this failure is resolved.

Signed-off-by: David Sommerseth <davids@openvpn.net>
2019-06-03 21:08:21 +02:00
David Sommerseth
e1647eb407
Fix builds with GCC 4.8 compilers
When building on RHEL 7 using the stock compiler (gcc-4.8.5), compiler
errors like this one began to appear after commit 8a502f3b61:

    core/openvpn/tun/linux/client/tunsetup.hpp:61:11: error: conversion from ‘openvpn::ActionList*’ to non-scalar type ‘openvpn::ActionList::Ptr {aka openvpn::RCPtr<openvpn::ActionList>}’ requested
         class Setup : public TunBuilderSetup::Base
               ^
On GCC 8.2 (via devtoolset-8), this error did not occur at all.  This
looks like a compiler bug, as declaring an empty Setup() constructor
resolves this issue.  But we currently want to have GCC 4.8.5 compilers
functional, as it provides native RHEL-7 support without any use of
software collections.

Signed-off-by: David Sommerseth <davids@openvpn.net>
2019-05-14 18:51:55 +02:00
Lev Stipakov
faad8454be sitnl: pick the best gw by longest prefix and lowest metric
Since we now handle multiple replies from Netlink,
we need to pick the gateway with the longest route prefix
and lowest metric.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2019-05-10 10:48:53 +03:00
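The selection rule behind this commit and the "properly assign prefix len" commit further up (longest prefix wins, ties go to the lowest metric, and the prefix length of the current best must be kept so the next reply can be compared against it) is written out below for both address families. This is an added example, not OpenVPN 3's sitnl code; the Route records are constructed stand-ins for parsed RTM_NEWROUTE replies and the field and function names are assumptions.

```python
"""Best matching route among several netlink replies: longest prefix first,
then lowest metric. Added example, not OpenVPN 3's sitnl code."""

import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Route:
    dst: Network            # destination prefix, 0.0.0.0/0 or ::/0 for default
    gw: Optional[str]       # next hop, None for on-link routes
    metric: int
    ifname: str


@dataclass
class RouteResult:
    gw: Optional[str]
    ifname: str
    prefix_len: int         # stored so the next matching reply can be compared
    metric: int


def best_route(dest: str, replies) -> Optional[RouteResult]:
    target = ipaddress.ip_address(dest)
    best: Optional[RouteResult] = None
    for r in replies:
        # Replies for the other address family, or prefixes that do not cover
        # the destination, are skipped rather than overwriting the result.
        if r.dst.version != target.version or target not in r.dst:
            continue
        cand = RouteResult(r.gw, r.ifname, r.dst.prefixlen, r.metric)
        if (best is None
                or cand.prefix_len > best.prefix_len
                or (cand.prefix_len == best.prefix_len
                    and cand.metric < best.metric)):
            best = cand
    return best


def net(s: str) -> Network:
    return ipaddress.ip_network(s)


# Constructed routing table: two default routes with different metrics, a more
# specific IPv4 prefix with a worse metric, and one IPv6 prefix.
SAMPLE_TABLE = [
    Route(net("0.0.0.0/0"), "192.0.2.1", 100, "eth0"),
    Route(net("0.0.0.0/0"), "198.51.100.1", 50, "wlan0"),
    Route(net("203.0.113.0/24"), "192.0.2.254", 600, "eth0"),
    Route(net("2001:db8::/32"), "2001:db8::1", 1024, "eth0"),
]

if __name__ == "__main__":
    for d in ("203.0.113.7", "8.8.8.8", "2001:db8::5", "fd00::1"):
        print(d, "->", best_route(d, SAMPLE_TABLE))
```

Note that the /24 route wins for 203.0.113.7 despite its metric of 600: metric only breaks ties between equally specific prefixes, which is the order the kernel itself applies.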
Lev Stipakov
8a502f3b61 [OVPN3-354] tun linux: support for round-robin DNS and redirect gw
When profile contains several remotes or single remote which
is resolved into multiple IP addresses AND all traffic is redirected
to the VPN, client will reconnect to the next remote if connection
is broken. Since all traffic is redirected to VPN, except traffic to
current remote, reconnect fails.

Currently this problem is solved by creating bypass routes
to all remotes before establishing connection, so that reconnect
won't go via broken VPN. This solution is sub-optimal, since
it leaks traffic to other remotes.

This patch implements a better approach. Before connecting to
remote, we create a bypass route just for this remote. On reconnect
we replace an old route with a new one for the new remote.
We piggyback on socket_protect() method of OpenVPNClient
which is called before opening connection to remote.

Connection to a new remote usually means a new IP address etc,
so to prevent traffic leakage we first create a new tun interface,
set up routes and then remove old routes and tear down old tun interface.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2019-05-09 16:40:24 +03:00
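The leakage argument in this commit, that bypassing every remote up front leaves host routes around the tunnel for servers that are not in use, while a single bypass route replaced from socket_protect() does not, can be checked with a small model of both strategies. This is an added example, not OpenVPN 3's tun or sitnl code; the route table is an in-memory stand-in for the kernel table and the class names are hypothetical.

```python
"""Per-remote bypass route swapped on reconnect versus bypassing all remotes.

Added example, not OpenVPN 3 code; RouteTable stands in for the kernel."""

import ipaddress


class RouteTable:
    """Stand-in for the kernel routing table: host routes that bypass the VPN."""

    def __init__(self):
        self.bypass = set()

    def add(self, host):
        self.bypass.add(ipaddress.ip_address(host))

    def delete(self, host):
        self.bypass.discard(ipaddress.ip_address(host))


class BypassAllRemotes:
    """Old behaviour: route around the VPN for every remote before connecting."""

    def __init__(self, table, remotes):
        self.table = table
        for r in remotes:
            table.add(r)

    def socket_protect(self, remote):
        pass                        # nothing to do, every remote is bypassed


class BypassCurrentRemote:
    """New behaviour: one bypass route, replaced from socket_protect()."""

    def __init__(self, table, remotes):
        self.table = table
        self.current = None

    def socket_protect(self, remote):
        remote = ipaddress.ip_address(remote)
        if remote == self.current:
            return
        # Add the new route before dropping the old one so the reconnect
        # attempt itself is never pulled into the (broken) tunnel.
        self.table.add(remote)
        if self.current is not None:
            self.table.delete(self.current)
        self.current = remote


def leaked_hosts(table, current):
    """Hosts other than the one in use whose traffic escapes the tunnel."""
    return {str(h) for h in table.bypass if h != ipaddress.ip_address(current)}


def simulate(strategy, remotes, connect_order):
    """Connect to each remote in turn; report bypass routes left for others."""
    table = RouteTable()
    policy = strategy(table, remotes)
    for r in connect_order:
        policy.socket_protect(r)
    return leaked_hosts(table, connect_order[-1])


# Constructed profile: a round-robin DNS name that resolved to three addresses.
REMOTES = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]

if __name__ == "__main__":
    order = ["192.0.2.10", "192.0.2.11"]   # first remote failed, moved on
    print("bypass all:     leaked", simulate(BypassAllRemotes, REMOTES, order))
    print("bypass current: leaked", simulate(BypassCurrentRemote, REMOTES, order))
```

After one failover the old strategy still has host routes for the two remotes not in use, so any traffic to them bypasses the tunnel; the new strategy leaves exactly one bypass route, for the remote the session is actually talking to.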