Signed-off-by: David Sommerseth <dazo@eurephia.org>

ifconfig_pool_netmask
This isn't always present, and only triggers some warnings. As it's not used for
anything critical, get rid of it.
Signed-off-by: David Sommerseth <dazo@eurephia.org>

This function is called also with IP addresses from networks behind clients, and
eurephia doesn't really need to process them.
Signed-off-by: David Sommerseth <dazo@eurephia.org>

If routing subnets over the VPN tunnel, OpenVPN will learn addresses
inside these subnets. As these IP addresses are not directly connected
to a eurephia session, these errors can be silenced in normal operation.
So this logging was moved to DEBUG().
Signed-off-by: David Sommerseth <dazo@eurephia.org>

The check if dbargc exceeds MAX_ARGUMENTS was done _after_ it was checked
if the array element is NULL. This was not the intention.
Signed-off-by: David Sommerseth <dazo@eurephia.org>

The uid and access profile variables had changed order, which
would cause a mismatch with the configured access profile and
user-cert link.
I'd like to thank Colin Ryan for catching this bug too.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

ENABLE_DEBUG block
It was not possible to build eurephia without --debug configured otherwise.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

- SSLAPI_OPENSSL isn't available in this version. Print a warning
during compile time that OpenVPN must be compiled against OpenSSL.
If OpenVPN is not compiled against OpenSSL, it may most likely crash.
OpenVPN 2.3.2 and below can be compiled against PolarSSL and does
not contain the needed arguments->ssl_api variable to identify
SSL implementation at runtime.
- Bug: When moving the certificate information extraction to
openvpn_plugin_func_v1(), the certificate level was not
extracted correctly. It needs to be converted to an integer.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

If the tunnel type was detected and an understandable device name
was found, the local devtype was not freed at all.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

As the X.509 certificate data isn't available when the certificate has been
validated, save the parsed certificate information in the per-client-context
OpenVPN provides in the v3 plug-in API.
When the client disconnects, the certificate information and per-client-context
buffer is released as well.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

OpenVPN
With the OpenVPN plug-in v3 API there is direct access to the X.509 certificate
data. This patch starts the adaptation to make use of that, but also to
preserve backwards compatibility.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

These changes should provide both the v1 API and the new v3 API,
depending on which OpenVPN is being used.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

This is to enable an improved logging feature in OpenVPN v2.3 and newer.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

This implements an authentication plug-in framework which can be
used to do username/password authentication against another backend
per user/certificate.
Conflicts:
database/eurephiadb.c
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

By setting this config option in the eurephia database, eurephia will
expect all user account/certificate links to be set up with an external
plug-in for username/password authentications.
Further, it is now ensured that system configuration issues or general
failures not related to the user authentication itself are not counted
as a login attempt.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

framework
This enables using an external authentication plug-in if a user
account/certification link is configured to make use of it.
This change ensures that all configured authentication plug-ins are
loaded and are available when eurephia is initialised.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

This enables run-time loadable support for other authentication
modules. This can be used to make eurephia authenticate users'
passwords against other sources than the local eurephia database
itself.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

This will now log VPN client addresses only in the vpnaddr_history table,
and lastlog will log the firewall profile the session used.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

- Only Linux has MADV_DONTFORK, so make it Linux specific
- Added a few missing include files which Linux included through their
include chains
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

This is to prepare for eDBget_uid() to also do lookups when certid
is not set.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

If OpenVPN is configured with an unknown --dev name and --dev-type is used,
eurephia would in some specific situations double-free a memory region
keeping the dev-type information. GETENV_*() functions return a pointer
to a buffer which is supposed to be freed, but pointers returned by
eGet_value() should not be freed.
And in the error situation if dev-type is not forced or detected, the
memory allocated by GETENV_DEVNAME() was not properly freed.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

This fixes a bug which appeared with newer OpenVPN versions, where
the OPENVPN_PLUGIN_LEARN_ADDRESS would be called in the end - also
in tun mode. And with the clean-up in session seed, in regards to
the netmask not being part of the session seed, this little code
made things worse. So let's get rid of it!
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

This function replaces eDBregister_vpnmacaddr(). This new function
will in addition to the MAC address (if OpenVPN is running in TAP mode)
also register the client's IPv4 VPN address. It's also prepared for
logging the client's IPv6 VPN address.
This function supports both TUN and TAP mode, while the old function
only handled TAP mode.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

This is sometimes NULL, which is noticed more often when OpenVPN is
configured in tun mode. This makes it difficult to identify the
proper session key, as the seed isn't consistent.
It does not affect much in regard to the seed itself, as the
netmask is most likely going to be the same for all clients anyhow.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

Check if we have a context available before setting ctx->tuntype.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

The functions related to dynamic loading of shared objects are a part
of the standard libc library on FreeBSD, while in Linux it is in libdl.
However, the linker on Linux seems to add the libdl linking automatically
when needed, so no need to explicitly link this library.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

Make use of the iptables conntrack module instead of the older state module
for stateful firewalling.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

Now eurephia will support both TUN and TAP configurations in
OpenVPN.
Thanks to Tavis Paquette and Matthew Gyurgyik for their willingness
to test out this patch.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

This memory leak got introduced with commit 525d75316848f79208101e48a54e2
which moves the daemonisation of the firewall thread. Two environment
variables were not freed after usage.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

The char buffer returned by eDBget_firewall_profile() must be freed after
usage.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

The current implementation uses the MAC address of the client's VPN
interface. This also restricts eurephia to use TAP mode.
This patch adds preliminary support for also accepting the client's
IP address when updating the firewall rules. But the complete support
for TUN mode is not completed yet.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

As the firewall API has changed in regards to moving away from
a string based implementation to a struct based implementation, the
older eurephia firewall module will not work any longer.
To make sure nothing bad happens, enforce that the efw-iptables
module is at least using API version 2. Also updated the module
version to reflect some changes as well.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

This will later be used to be able to support OpenVPN in tun mode
as well as the now only supported tap mode. It will first try to
detect the tunnel type based on the 'dev_type' environment variable
if available. If not, it will try to figure it out based on the
device name. If this fails, it is possible to force eurephia
to a specific device type by setting the openvpn_devtype config
variable.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

The eurephia plug-in would daemonize the OpenVPN process by calling
daemonize() too early. This patch renames daemonize() to efw_daemonize()
and calls it only in the firewall child process.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

Removed old and obsolete expressions used to reference the eurephia database driver.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

- OpenVPN would not exit gracefully due to mq_send() returning 0 on success
- On-the-fly blacklisting with new API failed due to wrong value checking
The request->rule_destination is empty when request->mode==BLACKLIST, so
the check for rule_destination was moved to the appropriate place.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

Removed some #defines which were not needed and added missing comments.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

Moved over the missing pieces to use the eFWupdateRequest struct. This is
a continuation of the work started in commit bdd956adcccd91ff553278fd73cea7
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>

On Fedora 13 and Rawhide, the sem_wait(), sem_timedwait() and sem_post() functions
are no longer available in librt, only in libpthread. Added extra CMake checks to
check if the functions are in libpthread if not found in librt.

This is related to the changes done in commit c6621d108bb8beb97ca61.

All functions calling eFW_UpdateFirewall() and the iptables driver
need to be updated as well.