Since we now handle multiple replies from Netlink,
we need to pick the gateway with the longest route prefix
and lowest metric.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This takes into use the new TunSetup API, which enables creating bypass
routes before establishing a connection.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
When a profile contains several remotes or a single remote which
is resolved into multiple IP addresses AND all traffic is redirected
to the VPN, the client will reconnect to the next remote if the connection
is broken. Since all traffic is redirected to the VPN, except traffic to
the current remote, the reconnect fails.
Currently this problem is solved by creating bypass routes
to all remotes before establishing a connection, so that the reconnect
won't go via the broken VPN. This solution is sub-optimal, since
it leaks traffic to other remotes.
This patch implements a better approach. Before connecting to a
remote, we create a bypass route just for this remote. On reconnect
we replace the old route with a new one for the new remote.
We piggyback on the socket_protect() method of OpenVPNClient,
which is called before opening a connection to the remote.
Connection to a new remote usually means a new IP address etc.,
so to prevent traffic leakage we first create a new tun interface,
set up routes and then remove the old routes and tear down the old tun interface.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
When creating a bypass route for the server, it is better
to use the gateway for the server address instead of 0.0.0.0 or ::0.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This will be needed to exclude the gateway on the tun interface when
creating a bypass route.
Note that this is required only for sitnl, since iproute-based routines
already ignore the tun gateway.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Gateways are returned in a multipart netlink
message, so we must properly handle those
instead of bailing out after reading the first message.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
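The two Netlink points above (walking a multipart reply to the end instead of stopping after the first message, and then choosing the gateway with the longest prefix and lowest metric) as one added example. This is illustration code written for this page, not openvpn3's sitnl implementation: the nlmsghdr layout and the NLM_F_MULTI, NLMSG_DONE and RTM_NEWROUTE values follow linux/netlink.h and linux/rtnetlink.h, but the route payload is a constructed fixed struct standing in for the real rtmsg plus rtattr encoding, and the dump buffer is built inline rather than read from a socket.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Netlink message header, laid out as struct nlmsghdr in linux/netlink.h.
struct NlHdr {
    uint32_t len;    // total length of the message including this header
    uint16_t type;   // RTM_NEWROUTE for a route entry, NLMSG_DONE to end a dump
    uint16_t flags;  // NLM_F_MULTI marks one part of a multipart reply
    uint32_t seq;
    uint32_t pid;
};
static_assert(sizeof(NlHdr) == 16, "nlmsghdr is 16 bytes");

constexpr uint16_t NLMSG_DONE_T = 3;     // NLMSG_DONE
constexpr uint16_t RTM_NEWROUTE_T = 24;  // RTM_NEWROUTE
constexpr uint16_t NLM_F_MULTI_F = 2;    // NLM_F_MULTI

// Constructed stand-in for rtmsg plus RTA_DST / RTA_GATEWAY / RTA_PRIORITY.
struct RoutePayload {
    uint32_t dst;        // destination network, host byte order
    uint32_t gateway;    // next hop, host byte order
    uint32_t metric;     // route priority, lower is preferred
    uint8_t prefix_len;  // destination prefix length, 0 for the default route
    uint8_t pad[3];
};

constexpr uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return (uint32_t(a) << 24) | (uint32_t(b) << 16) | (uint32_t(c) << 8) | uint32_t(d);
}

// Append one framed message; payload is null for NLMSG_DONE.
static void append_msg(std::vector<uint8_t>& buf, uint16_t type, uint16_t flags,
                       const RoutePayload* payload)
{
    NlHdr h{};
    h.len = static_cast<uint32_t>(sizeof(NlHdr) + (payload ? sizeof(RoutePayload) : 0));
    h.type = type;
    h.flags = flags;
    h.seq = 1;
    const uint8_t* hb = reinterpret_cast<const uint8_t*>(&h);
    buf.insert(buf.end(), hb, hb + sizeof h);
    if (payload) {
        const uint8_t* pb = reinterpret_cast<const uint8_t*>(payload);
        buf.insert(buf.end(), pb, pb + sizeof *payload);
    }
}

// Constructed RTM_GETROUTE dump: two default routes with different metrics,
// a /24 and a /16, each in its own NLM_F_MULTI part, closed by NLMSG_DONE.
std::vector<uint8_t> sample_dump()
{
    const RoutePayload table[] = {
        {ip4(0, 0, 0, 0), ip4(192, 0, 2, 1), 100, 0, {}},
        {ip4(0, 0, 0, 0), ip4(192, 0, 2, 254), 50, 0, {}},
        {ip4(198, 51, 100, 0), ip4(198, 51, 100, 1), 200, 24, {}},
        {ip4(198, 51, 0, 0), ip4(203, 0, 113, 1), 10, 16, {}},
    };
    std::vector<uint8_t> buf;
    for (const RoutePayload& r : table)
        append_msg(buf, RTM_NEWROUTE_T, NLM_F_MULTI_F, &r);
    append_msg(buf, NLMSG_DONE_T, NLM_F_MULTI_F, nullptr);
    return buf;
}

// Walk every part of the reply until NLMSG_DONE (or after the only message of
// a single-part reply). Lengths are checked before each read so a truncated
// or malformed buffer stops the walk instead of reading past the end.
std::vector<RoutePayload> parse_routes(const std::vector<uint8_t>& buf)
{
    std::vector<RoutePayload> out;
    size_t off = 0;
    while (off + sizeof(NlHdr) <= buf.size()) {
        NlHdr h;
        std::memcpy(&h, buf.data() + off, sizeof h);
        if (h.len < sizeof(NlHdr) || off + h.len > buf.size())
            break;  // malformed length: stop rather than trust it
        if (h.type == NLMSG_DONE_T)
            break;
        if (h.type == RTM_NEWROUTE_T && h.len >= sizeof(NlHdr) + sizeof(RoutePayload)) {
            RoutePayload r;
            std::memcpy(&r, buf.data() + off + sizeof(NlHdr), sizeof r);
            out.push_back(r);
        }
        if (!(h.flags & NLM_F_MULTI_F))
            break;  // not multipart: this was the only message
        off += (h.len + 3) & ~size_t(3);  // NLMSG_ALIGN to 4 bytes
    }
    return out;
}

// The behaviour the commit replaces: read the first message and return.
std::vector<RoutePayload> parse_first_message_only(const std::vector<uint8_t>& buf)
{
    std::vector<RoutePayload> out;
    if (buf.size() >= sizeof(NlHdr) + sizeof(RoutePayload)) {
        RoutePayload r;
        std::memcpy(&r, buf.data() + sizeof(NlHdr), sizeof r);
        out.push_back(r);
    }
    return out;
}

// Among the routes covering target, prefer the longest prefix, then the
// lowest metric. Returns false (gw untouched) when nothing matches.
bool best_gateway(const std::vector<RoutePayload>& routes, uint32_t target, uint32_t& gw)
{
    const RoutePayload* best = nullptr;
    for (const RoutePayload& r : routes) {
        if (r.prefix_len > 32)
            continue;  // invalid entry, never a match
        uint32_t mask = r.prefix_len == 0 ? 0u : (0xFFFFFFFFu << (32 - r.prefix_len));
        if ((target & mask) != (r.dst & mask))
            continue;
        if (!best || r.prefix_len > best->prefix_len
            || (r.prefix_len == best->prefix_len && r.metric < best->metric))
            best = &r;
    }
    if (!best)
        return false;
    gw = best->gateway;
    return true;
}
```

With the constructed dump, parse_first_message_only() sees only the first default route, so a lookup for 198.51.100.7 would answer with the wrong gateway; parse_routes() collects all four parts and best_gateway() then prefers the /24 entry over the /16 and the defaults, and between the two default routes picks the one with the lower metric.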
That API was introduced in commit 5c00943
to implement persistence for macOS. That functionality
was refactored in 0609c76, but the framework was left intact.
Since socket_protect() is called almost at the
same time as ip_hole_punch() and also receives the
remote address, there is no need for this unused
API anymore.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Packaging OpenVPN 3 Linux on Debian reports this warning:
openvpn3-core/client/ovpncli.cpp:1380:27: warning: macro "__DATE__" might prevent reproducible builds [-Wdate-time]
ret += " built on " __DATE__ " " __TIME__;
Reproducible builds are something which will arrive in more
distributions, as they are a good way to verify that binary builds contain
the expected source code and have not been mangled by the packager.
This changes the current behaviour and will not provide the date/time
stamps unless the OPENVPN_DEBUG macro has been set. Enabling this
macro will re-enable the date/time stamp reporting via
OpenVPNClient::platform().
Signed-off-by: David Sommerseth <davids@openvpn.net>
There are two ways in which the Linux tun can be manipulated -
by using iproute2 or netlink. Both implementations have
defined an identical Setup class implementation.
This commit factors out the Setup class from the tun implementations
and templatizes it, which removes the need for duplicated code.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
When porting this patch I accidentally got the conflict backwards and
the resulting patch is nonsense. I am not sure how this managed to
survive a full Jenkins run.
The asio upgrade of 0.1.13 brought us over the limit of 65k
entities in a single compilation unit. /bigobj allows more
methods.
The ovpn3-core.vcxproj already uses this flag.
commit e9c0bd00be
Author: Arne Schwabe <arne@openvpn.net>
Date: Tue Oct 23 13:47:07 2018 +0200
Remove unused private field
crypto_init_ is not used at all and, since it is a private field, it is
safe to remove.
We also revert the following commit which is redundant once the above
commit is reverted.
commit d87f5bbc04
Author: Antonio Quartulli <antonio@openvpn.net>
Date: Thu Nov 15 21:03:46 2018 +1000
OpenSSL: init library
From the manpage:
"SSL_library_init() must be called before any other action takes place."
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
Signed-off-by: James Yonan <james@openvpn.net>
ASIO's code for returning error messages doesn't play well with
non-ASCII chars. This quick fix makes ASIO use English.
A proper fix, which is more invasive (use FormatMessageW and
WideCharToMultiByte with UTF-8) will be provided separately.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Without this fix, some gcc compilers will issue the warning below when
building the reference client:
../../openvpn/common/base64.hpp: In constructor
‘openvpn::Base64::UCharWrap::UCharWrap(unsigned char*, size_t)’:
../../openvpn/common/base64.hpp:77:9: warning:
‘openvpn::Base64::UCharWrap::size’ will be initialized after [-Wreorder]
size_t size;
^
../../openvpn/common/base64.hpp:76:17: warning: ‘unsigned char*
openvpn::Base64::UCharWrap::data’ [-Wreorder]
unsigned char *data;
^
../../openvpn/common/base64.hpp:63:2: warning: when initialized here
[-Wreorder]
UCharWrap(unsigned char *data, size_t size):
^
This patch fixes this issue, removes a redundant public
declaration and fixes some whitespace issues.
Signed-off-by: David Sommerseth <davids@openvpn.net>
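What -Wreorder is about, as an added example that is not the base64.hpp code from the patch: C++ always initialises members in declaration order, whatever order the constructor's initialiser list is written in, and the mismatch turns into a real bug as soon as one initialiser reads a member that is declared after it. The Probe, Mismatched, Ordered and Buffer types are constructed for this illustration; the diagnostic pragma silences the warning only around the deliberately mismatched struct so the block builds with -Werror.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Constructed helper: each Probe appends its name to the log when built, so
// the log records the order in which members were really initialised.
struct Probe {
    Probe(std::vector<std::string>& log, const char* name) { log.push_back(name); }
};

// The shape gcc warned about in base64.hpp: members declared size-then-data,
// initialiser list written data-then-size. The compiler initialises in
// declaration order and ignores the written order; -Wreorder reports the
// mismatch. The pragma silences it only for this deliberate example.
#if defined(__GNUC__)
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wreorder"
#endif
struct Mismatched {
    Probe size;
    Probe data;
    explicit Mismatched(std::vector<std::string>& log) : data(log, "data"), size(log, "size") {}
};
#if defined(__GNUC__)
#pragma GCC diagnostic pop
#endif

// The fix the patch applies: write the initialiser list in declaration order.
struct Ordered {
    Probe size;
    Probe data;
    explicit Ordered(std::vector<std::string>& log) : size(log, "size"), data(log, "data") {}
};

std::vector<std::string> order_mismatched()
{
    std::vector<std::string> log;
    Mismatched m(log);
    (void)m;
    return log;  // {"size", "data"}: the written order was ignored
}

std::vector<std::string> order_fixed()
{
    std::vector<std::string> log;
    Ordered o(log);
    (void)o;
    return log;  // {"size", "data"}: same order, now matching the source text
}

// Why the warning matters: an initialiser that reads a member declared later
// observes an uninitialised value. 'data' is constructed before 'size', so
// sizing the allocation from the member 'size' would be undefined behaviour;
// the constructor parameter n is used instead.
struct Buffer {
    unsigned char* data;
    std::size_t size;
    explicit Buffer(std::size_t n) : data(new unsigned char[n]()), size(n) {}
    ~Buffer() { delete[] data; }
    Buffer(const Buffer&) = delete;
    Buffer& operator=(const Buffer&) = delete;
};

// Allocate n zeroed bytes and report whether every byte is zero, i.e. whether
// the allocation was sized from an initialised value and value-initialised.
bool buffer_zeroed(std::size_t n)
{
    Buffer b(n);
    for (std::size_t i = 0; i < b.size; ++i)
        if (b.data[i] != 0)
            return false;
    return true;
}
```

Both order_mismatched() and order_fixed() log "size" before "data", which is the whole point: the initialiser list in Mismatched describes an order that never happens, and a reader relying on it would misjudge which members are already valid when each one is built.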
Since the Core Library doesn't really handle TAP mode, reject
configuration profiles expecting TAP mode as soon as possible.
Signed-off-by: David Sommerseth <davids@openvpn.net>
The TunWin::ClientConfig::layer_2_supported() returns true, while the
rest of the Core library does not handle TAP mode/OSI Layer 2 packets at
all. This causes a challenge on Windows as it needs to have TAP support
on the virtual network device side - the tap-windows6 driver is TAP
only. So this method must return true. Currently OpenVPN just emulates
TAP mode by encapsulating TUN packets into somewhat proper Ethernet
frames.
Signed-off-by: David Sommerseth <davids@openvpn.net>
In TLS 1.3 the RSA-PSS padding is required in addition to the
traditional PKCS1 padding used in TLS 1.2 and below. Add an
argument to the external sign function to signal what padding
is required. As a quirk, OpenSSL calls out requesting a NONE
padding instead of RSA-PSS.
We might need to move from RSA_method to EVP_PKEY_method in the
future.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
In OpenSSL 1.1 most types are opaque types that cannot be directly accessed
or initialised. Accordingly, change ctx to a pointer.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The OpenSSL manpage also points to using a function like SSL_get_ex_data().
And we already use this functionality for storing and getting the SSL
class instance.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The OpenSSL 1.1 check is a bit stricter than our own custom check but
OpenVPN 2.x uses the same (stricter) check.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The old logic was not matching and was also dubious (probably due to the
confusion of OpenSSL TLS1_method meaning TLS 1.0 only).
Signed-off-by: Arne Schwabe <arne@openvpn.net>