authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2008-08-05 04:44:31 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2008-08-05 04:44:31 +0000
commitf77c60d3d6a7567eb82d5856921b13eefef747b7 (patch)
treec3e0d0a44074bca5c4df15f28c4978ea00957f81 /tun.c
parent36ee894646a8898368c2311a140cef7cd25c4b07 (diff)
Added additional warnings to flag common gotchas:
* Warn when ethernet bridging that the IP address of the bridge adapter is probably not the same address that the LAN adapter was set to previously. * When running as a server, warn if the LAN network address is the all-popular 192.168.[0|1].x, since this condition commonly leads to subnet conflicts down the road. * Primarily on the client, check for subnet conflicts between the local LAN and the VPN subnet. Added a 'netmask' parameter to get_default_gateway, to return the netmask of the adapter containing the default gateway. Only implemented on Windows so far. Other platforms will return 255.255.255.0. Currently the netmask information is only used to warn about subnet conflicts. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3179 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'tun.c')
-rw-r--r--tun.c65
1 files changed, 64 insertions, 1 deletions
diff --git a/tun.c b/tun.c
index 22debbe..3c0e1ea 100644
--- a/tun.c
+++ b/tun.c
@@ -278,6 +278,58 @@ check_addr_clash (const char *name,
}
/*
+ * Issue a warning if ip/netmask (on the virtual IP network) conflicts with
+ * the settings on the local LAN. This is designed to flag issues where
+ * (for example) the OpenVPN server LAN is running on 192.168.1.x, but then
+ * an OpenVPN client tries to connect from a public location that is also running
+ * off of a router set to 192.168.1.x.
+ */
+void
+check_subnet_conflict (const in_addr_t ip,
+ const in_addr_t netmask,
+ const char *prefix)
+{
+ struct gc_arena gc = gc_new ();
+ in_addr_t lan_gw = 0;
+ in_addr_t lan_netmask = 0;
+
+ if (get_default_gateway (&lan_gw, &lan_netmask))
+ {
+ const in_addr_t lan_network = lan_gw & lan_netmask;
+ const in_addr_t network = ip & netmask;
+
+ /* do the two subnets defined by network/netmask and lan_network/lan_netmask intersect? */
+ if ((network & lan_netmask) == lan_network
+ || (lan_network & netmask) == network)
+ {
+ msg (M_WARN, "WARNING: potential %s subnet conflict between local LAN [%s/%s] and remote VPN [%s/%s]",
+ prefix,
+ print_in_addr_t (lan_network, 0, &gc),
+ print_in_addr_t (lan_netmask, 0, &gc),
+ print_in_addr_t (network, 0, &gc),
+ print_in_addr_t (netmask, 0, &gc));
+ }
+ }
+ gc_free (&gc);
+}
+
+void
+warn_on_use_of_common_subnets (void)
+{
+ struct gc_arena gc = gc_new ();
+ in_addr_t lan_gw = 0;
+ in_addr_t lan_netmask = 0;
+
+ if (get_default_gateway (&lan_gw, &lan_netmask))
+ {
+ const in_addr_t lan_network = lan_gw & lan_netmask;
+ if (lan_network == 0xC0A80000 || lan_network == 0xC0A80100)
+ msg (M_WARN, "NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.");
+ }
+ gc_free (&gc);
+}
+
+/*
* Complain if --dev tap and --ifconfig is used on an OS for which
* we don't have a custom tap ifconfig template below.
*/
@@ -462,6 +514,11 @@ init_tun (const char *dev, /* --dev option */
remote_public,
tt->local,
tt->remote_netmask);
+
+ if (tt->type == DEV_TYPE_TAP || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET))
+ check_subnet_conflict (tt->local, tt->remote_netmask, "TUN/TAP adapter");
+ else if (tt->type == DEV_TYPE_TUN)
+ check_subnet_conflict (tt->local, ~0, "TUN/TAP adapter");
}
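Review bot: The `~0` passed as the netmask in the plain `DEV_TYPE_TUN` branch is an unexplained magic value; it only reads as "host mask" once you know `check_subnet_conflict` masks `ip` with it before intersecting with the LAN prefix. A comment on that line would help, e.g. `/* point-to-point tun: tt->remote_netmask is not a mask here, so test tt->local alone as a single host */` — the point-to-point meaning of `tt->remote_netmask` is inferred from this branch not passing it, not shown in the hunk, so confirm against the tuntap struct before wording it that way. `init_tun` begins and ends outside the hunk.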
/*
@@ -2856,7 +2913,10 @@ is_ip_in_adapter_subnet (const IP_ADAPTER_INFO *ai, const in_addr_t ip, in_addr_
}
DWORD
-adapter_index_of_ip (const IP_ADAPTER_INFO *list, const in_addr_t ip, int *count)
+adapter_index_of_ip (const IP_ADAPTER_INFO *list,
+ const in_addr_t ip,
+ int *count,
+ in_addr_t *netmask)
{
struct gc_arena gc = gc_new ();
DWORD ret = ~0;
@@ -2898,6 +2958,9 @@ adapter_index_of_ip (const IP_ADAPTER_INFO *list, const in_addr_t ip, int *count
if (ret == ~0 && count)
*count = 0;
+ if (netmask)
+ *netmask = highest_netmask;
+
gc_free (&gc);
return ret;
}
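Review bot: `*netmask` is stored unconditionally, including on the not-found path where `ret == ~0` and `*count` has just been cleared, so a caller that checks only the returned index is handed whatever `highest_netmask` currently holds (its initialiser is outside this hunk). Either guard the store, `if (netmask && ret != ~0) *netmask = highest_netmask;`, or document on the new parameter added in the signature hunk above that its value is only meaningful when a valid adapter index is returned. The consumer of this out-parameter is presumably `get_default_gateway`, per the commit description, but it is not in the visible hunks, so which behaviour it relies on cannot be confirmed here. The body of `adapter_index_of_ip` begins outside the hunk.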