Commit message | Author | Age | Files | Lines
...
* Document IPv6-related environment variables. | Gert Doering | 2012-02-05 | 1 | -0/+63
  (ifconfig_ipv6_local, ifconfig_ipv6_netbits, ifconfig_ipv6_remote, route_ipv6_network_{n}, route_ipv6_gateway_{n})
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Removed support for calling gc_malloc with a NULL gc_arena struct | Adriaan de Jong | 2012-02-05 | 1 | -19/+10
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Moved out of memory prototype to error.h, as the definition is in error.c | Adriaan de Jong | 2012-02-05 | 2 | -3/+4
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Minor code cleanup: cleaned up error handling in verify_cert. | Adriaan de Jong | 2012-02-04 | 1 | -3/+3
  Removed done label and cleaned up return values.
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Enhance the error handling in _openssl_get_subject() | David Sommerseth | 2012-02-04 | 1 | -6/+7
  Avoid an extra goto label and make the code a bit simpler.
  Signed-off-by: David Sommerseth <davids@redhat.com>
  Acked-by: Heiko Hund <heiko.hund@sophos.com>
  Acked-by: Adriaan de Jong <dejong@fox-it.com>
* UTF-8 X.509 distinguished names | Heiko Hund | 2012-02-04 | 7 | -75/+55
  The UTF-8 support that came with commit 2627335 does allow international usernames and passwords. This patch introduces UTF-8 support for X.509 DNs. Additionally, instead of using the legacy openssl format, DNs are now displayed in RFC 2253 format; "/C=ru/L=\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0 \xB2\xD0\xB0/O=\xD0\x9A\xD1\x80\xD0\xB5\xD0\xBC\xD0\xBB\xD1\x8C/CN=kreml.ru" becomes "C=ru, L=Москва, O=Кремль, CN=kreml.ru".
  Since the specific character classes for X.509 names are removed, the "no-name-remapping" configuration option has no use anymore and is removed as well.
  Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
  Acked-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Fix RUN_SUDO functionality for t_client.sh | Gert Doering | 2012-02-04 | 1 | -4/+4
  Commit 9c6ee9d1ecd85535c was incomplete - while it will run openvpn with sudo, it will not use sudo for the "kill" commands needed to test whether the background process is still there, and for actually stopping openvpn after the test has finished.
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Implement IPv6 interface config with non-/64 prefix lengths. | Gert Doering | 2012-02-04 | 7 | -10/+17
  Add "ifconfig_ipv6_netbits_parm" parameter to init_tun(), use that to initialize tt->netbits_ipv6 (previously: always /64). Actual interface setup code already used tt->netbits_ipv6, so no changes needed there.
  Remove restrictions on "/netbits" value for --server-ipv6 config option (can now be /64.../112, previously had to be exactly /64). Supporting even smaller networks could cause problems with ipv6-pool handling and are only allowed for explicit "ifconfig-ipv6", not for "server-ipv6".
  Add /netbits to pushed "ifconfig-ipv6" values on server side (client side always accepted this, but ignored it so far, so this does not break compatibility).
  Tested on Linux/ifconfig, Linux/iproute2 and FreeBSD 7.4
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Windows UTF-8 input/output | Heiko Hund | 2012-02-04 | 3 | -1/+18
  This patch makes openvpn read unicode from the console and convert the input to UTF-8. And then display UTF-8 output to the console correctly.
  Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Added support for "on-link" routes on Linux client | James Yonan | 2012-01-27 | 3 | -34/+101
  These are routes where the gateway is specified as an interface rather than an address. This allows redirect-gateway to work on Linux clients whose connection to the internet is via a point-to-point link such as PPP.
  Note that at the moment, this capability is incompatible with the "redirect-gateway block-local" directive -- this is because the block-local directive blocks all traffic from the local LAN except for the local and gateway addresses. Since a PPP link is essentially a subnet of two addresses, local and remote (i.e. gateway), the set of addresses that would be blocked by block-local is empty. Therefore, the "redirect-gateway block-local" directive will be ignored on PPP links.
  To view the OpenVPN client's current determination of the default gateway, use this command:
    ./openvpn --show-gateway
  git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7794 e7ae566f-a301-0410-adde-c780ea21d3b5
  Signed-off-by: James Yonan <james@openvpn.net>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Add --route-pre-down/OPENVPN_PLUGIN_ROUTE_PREDOWN script/plug-in hook | David Sommerseth | 2012-01-25 | 5 | -3/+37
  This patch adds a script/plug-in hook which is called right before the network routes are taken down. This gives external processes a possibility to tear down communication over the VPN before the VPN disappears.
  One use case can be to mount a networked file system over the VPN via --route-up. And then to unmount this file system via --route-pre-down
  Signed-off-by: David Sommerseth <davids@redhat.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
* Platform cleanup for FreeBSD | Gert Doering | 2012-01-23 | 1 | -3/+34
  - cleanup TUN/TAP devices at program end ("ifconfig ... destroy")
  - make TUN device setup for "topology subnet" work together with IPv6 (setup correct netmask and route, but do not use IFF_BROADCAST)
  There's one catch for FreeBSD 8.2 if you use pf(4): it will block IPv6 fragments by default, so the standard t_client.sh test sets fail unless you specifically add "pass in on tun1 fragment" rules - but there's nothing OpenVPN can do about it.
  Tested with IPv4 and IPv6 on 7.4-RELEASE/amd64 and 8.2-RELEASE/amd64
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  URL: http://thread.gmane.org/gmane.network.openvpn.devel/5303
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* add "print test titles" and "use sudo" functionality to t_client.rc | Gert Doering | 2012-01-23 | 2 | -9/+23
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Don't check for file presence on inline files | David Sommerseth | 2012-01-16 | 1 | -8/+15
  The configuration file supports inline files for --ca, --cert, --dh, --extra-certs, --key, --pkcs12, --secret and --tls-auth. When this is used, the filename is set to [[INLINE]] (defined by INLINE_FILE_TAG). If the filename is set to INLINE_FILE_TAG for these options, don't call check_file_access().
  [v2 Simplify the code, using a flag to check_file_access()]
  Signed-off-by: David Sommerseth <davids@redhat.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
* Fix pool logging when IPv6 is not enabled | David Sommerseth | 2012-01-14 | 1 | -2/+5
  If IPv6 tunnelling is not enabled, a bogus IPv6 address would be printed in the log, like this:
    MULTI_sva: pool returned IPv4=10.8.0.4, IPv6=2180:8:2100:0:d4b4:f11d:18bf:2f00
  It turns out that the remote_ipv6 buffer was not cleared. Added an extra check to also replace a "IPv6=::" log message with information that the IPv6 feature is disabled in these cases.
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
  Acked-by: Gert Doering <gert@greenie.muc.de>
* autotools ./configure don't like compat.h | David Sommerseth | 2012-01-11 | 1 | -1/+1
  The compat.h include file cannot be loaded when ./configure runs, as many of the HAVE_* declarations are not set. This makes test compilations when looking for features fail. As ./configure will load syshead.h, it pulls in compat.h this way.
  Looking more carefully at syshead.h, there's a #ifndef PACKAGE_NAME check if config.h should be included. This looks like a check if syshead.h is loaded via ./configure or if it is a more normal compilation. Moving the compat.h inclusion into this #ifndef block.
  Signed-off-by: David Sommerseth <davids@redhat.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
* Fix compilation errors on Linux platforms without SO_MARK | David Sommerseth | 2012-01-11 | 3 | -5/+8
  When trying to compile OpenVPN on RHEL5/CentOS5, it would fail due to missing declaration of SO_MARK. SO_MARK is a feature which first arrived in 2.6.26, and was never backported to RHEL5's 2.6.18 kernel base.
  This patch adds a check at configure time, to see if SO_MARK is available or not.
  Signed-off-by: David Sommerseth <davids@redhat.com>
* New Windows build fixes | David Sommerseth | 2012-01-11 | 2 | -3/+2
  compat.c: In basename() a typo had gone undetected through the review process, and also that the declaration was a little bit different from what's defined in compat.h
  misc.c: commit 9449e6a9eba30c9ed054f57d630a88c9f087080f adds #include <unistd.h>. This breaks building on Windows. As unistd.h is already loaded via syshead.h on systems where unistd.h exists, we don't need it here.
  Signed-off-by: David Sommerseth <davids@redhat.com>
  Tested-by: Samuli Seppänen <samuli@openvpn.net>
* Enable access() when building in Visual Studio | David Sommerseth | 2012-01-10 | 4 | -3/+30
  Visual Studio does not enable certain standard Unix functions, such as access(). By defining _CRT_NONSTDC_NO_WARNINGS and _CRT_SECURE_NO_WARNINGS, these functions are enabled.
  This patch also adds a ./configure check for access() as well, in case this needs to be implemented on other platforms lacking this feature. Which is why HAVE_ACCESS is defined in win/config.h.in
  Thanks to Alon Bar-Lev for helping solving this.
  Signed-off-by: David Sommerseth <davids@redhat.com>
  Acked-by: Alon Bar-Lev <alon.barlev@gmail.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  URL: http://thread.gmane.org/gmane.network.openvpn.devel/5179/focus=5200
* Move away from openvpn_basename() over to platform provided basename() | David Sommerseth | 2012-01-10 | 9 | -27/+182
  This kicks out the openvpn_basename() function from misc.[ch] and puts glibc equivalents into compat.[ch]. This is to provide the same functionality on platforms not having a native basename() function available.
  In addition this patch adds dirname() which commit 0f2bc0dd92f43c91e depends on. Without dirname(), openvpn won't build in Visual Studio.
  v2: Move all functions from compat.h to compat.c
  v3: Use glibc versions of basename() and dirname() instead
  Signed-off-by: David Sommerseth <davids@redhat.com>
  Acked-by: Alon Bar-Lev <alon.barlev@gmail.com>
  URL: http://thread.gmane.org/gmane.network.openvpn.devel/5178/focus=5215
* Fix a couple of issues in openvpn_execve() | David Sommerseth | 2012-01-10 | 1 | -2/+2
  If openvpn_execve() is not able to fork(), it would not make any noise about it. So this patch adds a log notification if this happens.
  In addition, if openvpn_execve() is called with an empty argv array, it should exit instantly. This is not expected to happen at all and might indicate a much more serious issue (or programming error) somewhere else in the code. Thus, abort execution to get these issues flushed out as quickly as possible.
  Signed-off-by: David Sommerseth <davids@redhat.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
* Add support to forward console query to systemd | Frederic Crozat | 2012-01-09 | 2 | -0/+134
  Systemd requires console query to be forwarded using its own tool.
  Signed-off-by: Frederic Crozat <fcrozat@suse.com>
  Acked-by: David Sommerseth <davids@redhat.com>
  URL: http://thread.gmane.org/gmane.network.openvpn.devel/5073/focus=5277
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Fix list-overrun checks in copy_route_[ipv6_]option_list() | Gert Doering | 2012-01-04 | 1 | -4/+4
  The old code checks how many items are in use(!) in the source list, but then copies the full list over the destination memory arena. Check the source list *capacity*.
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Fix build-up of duplicate IPv6 routes on reconnect. | Gert Doering | 2012-01-04 | 4 | -0/+38
  options.c: extend pre_pull_save() and pre_pull_restore() to save/restore options->routes_ipv6 as well
  options.h: add routes_ipv6 to "struct options_pre_pull"
  route.h, route.c: add clone_route_ipv6_option_list() and copy_route_ipv6_option_list() helper functions
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Fix compiling with --disable-crypto and/or --disable-ssl | David Sommerseth | 2011-12-15 | 1 | -5/+5
  The checks introduced in commit 0f2bc0dd92f43c91e33bba8a66b06b98f281efc1 didn't properly remove checks if crypto or SSL was disabled at compile time.
  Signed-off-by: David Sommerseth <davids@redhat.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
* Allow "tap-win32 dynamic <offset>" to be used in topology | James Yonan | 2011-12-14 | 1 | -20/+26
  subnet mode.
  Version 2.1.18
  git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7706 e7ae566f-a301-0410-adde-c780ea21d3b5
* Fixed client issues with DHCP Router option extraction/deletion when | James Yonan | 2011-12-14 | 2 | -29/+52
  using layer 2 with DHCP proxy:
  * Extract/delete Router option from both DHCPOFFER and DHCPACK messages. Previously we only considered DHCPACK messages. With DHCPACK messages, we extract the Router IP for use as the vpn_gateway, as well as delete the Router option from the DHCP message. For DHCPOFFER, we only delete the Router message.
  * Monitor all DHCPOFFER and DHCPACK messages for possible Router options needing to be extracted/deleted. Previously, we turned off monitoring after the first successful extraction/deletion from a DHCPACK message.
  * Previously, we deleted Router options by padding them with DHCP PAD options. This has proven not to work with some DHCP clients, so we now delete the message entirely, and add PADs to the end of the message so as not to change its length.
  * In some cases, UDP checksum was not being correctly updated for modified DHCP packets.
  To properly use this feature on Linux, after tunnel comes up, run these commands:
    ifconfig tap0 up
    dhclient tap0
  Version 2.1.17
  git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7682 e7ae566f-a301-0410-adde-c780ea21d3b5
* Added "memstats" option to maintain real-time operating stats | James Yonan | 2011-12-14 | 10 | -0/+237
  in a memory-mapped file.
  Version 2.1.16
  git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7653 e7ae566f-a301-0410-adde-c780ea21d3b5
* Raised D_PID_DEBUG_LOW from level 3 to 4 to reduce replay error | James Yonan | 2011-12-14 | 1 | -2/+2
  verbosity at level 3.
  git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7645 e7ae566f-a301-0410-adde-c780ea21d3b5
* Don't look for 'stdin' file when using --auth-user-pass | David Sommerseth | 2011-12-05 | 1 | -2/+3
  This argument allows the keyword 'stdin' to indicate that the input is to be read from the stdin. Don't check for file existence if the file name is set to 'stdin'
  Signed-off-by: David Sommerseth <davids@redhat.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
* Fix bug after removing Linux 2.2 support | David Sommerseth | 2011-11-25 | 1 | -4/+2
  In commit ce637abdafdc19547fc97192033a4d1703ecaf23 the Linux 2.2 support was removed. When this happened an extra error check was avoided which would normally have kicked in if the tun/tap device would not be available. Instead the following line was filling the log continuously:
    Thu Nov 24 22:33:15 2011 read from TUN/TAP : File descriptor in bad state (code=77)
  This patch changes the msg() declarations to use the M_FATAL *) flag, which will halt the execution of the program in these error situations. As the program will really halt, the return declarations were also removed.
  *) #define M_ERR (M_FATAL | M_ERRNO) (from error.h)
  Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
  Acked-by: Gert Doering <gert@greenie.muc.de>
* work around inet_ntop/inet_pton problems for MSVC builds on WinXP | Gert Doering | 2011-11-25 | 2 | -9/+10
  always use our built-in replacement functions now, even if building on Win7 (which has inet_ntop/inet_pton in the system libraries) because the resulting binary will then fail on WinXP.
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Do some file/directory tests before really starting openvpn | David Sommerseth | 2011-11-25 | 1 | -0/+151
  OpenVPN can handle over 30 different files and directories, and it is easy to misconfigure some of them. In many situations OpenVPN will even start running, even with a wrong file path or without the proper permissions, and then it will complain much later on. In some cases the error being seen at this late point might even be difficult to relate to a configuration option.
  This patch tries to catch as many of these files as soon as possible, kind of to "smoke-test" the files and directories to avoid the most likely errors.
  Trac-ticket: 73
  Signed-off-by: David Sommerseth <davids@redhat.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
* log error message and exit for "win32, tun mode, tap driver version 9.8" | Gert Doering | 2011-11-23 | 1 | -0/+8
  (driver is known-buggy for small IPv4 packets in tun mode)
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* bump tap driver version from 9.8 to 9.9 | Gert Doering | 2011-11-23 | 1 | -1/+1
  (bugfixed tapdrvr.c regarding small IPv4 packets)
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Make '--win-sys env' default | David Sommerseth | 2011-11-23 | 5 | -20/+17
  Without this patch, the default path used by OpenVPN is hard coded to C:\WINDOWS. As users might install Windows in a different directory, this approach will cause OpenVPN to malfunction in some configurations.
  OpenVPN has supported using the system path, by adding --win-sys env. This patch removes the hard coded approach and uses the --win-sys env approach by default instead.
  Trac-ticket: 66
  URL: http://thread.gmane.org/gmane.network.openvpn.user/32508
  Signed-off-by: David Sommerseth <davids@redhat.com>
  Tested-by: Samuli Seppänen <samuli@openvpn.net>
  Acked-by: Gert Doering <gert@greenie.muc.de>
* Fix FreeBSD/OpenBSD/NetBSD compiler warnings in get_default_gateway() | David Sommerseth | 2011-11-21 | 1 | -4/+4
  On these platforms (including DragonFly), get_default_gateway() would in some cases return false. As get_default_gateway() is defined as a void function, and none of the callers expect a return value -> just return without any value.
  Signed-off-by: David Sommerseth <davids@redhat.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
* Fixed a regression causing VS2008/Python build failure | Samuli Seppänen | 2011-11-21 | 1 | -1/+1
  Patch "Added options to switch between OpenSSL and PolarSSL and PKCS11" caused a regression when building OpenVPN with Visual Studio 2008/Python build system. The underlying cause was a wrong path to lzo2.lib.
  Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
  Acked-by: Adriaan de Jong <dejong@fox-it.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Fixed a typo when initialising cryptoapi certs | Adriaan de Jong | 2011-11-21 | 1 | -1/+1
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: Heiko Hund <heiko.hund@sophos.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Minor cleanup to enable warning-free Windows build: | Adriaan de Jong | 2011-11-21 | 6 | -9/+6
  - Changed int32_t to size_t
  - Removed some unused variables
  - Added missing include files
  - changed ordering to ensure variable declarations are before asserts
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Tested-by: Samuli Seppänen <samuli@openvpn.net>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Moved from strsep to strtok, for Windows compatibility | Adriaan de Jong | 2011-11-21 | 1 | -5/+9
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Added options to switch between OpenSSL and PolarSSL and PKCS11... | Adriaan de Jong | 2011-11-21 | 3 | -6/+43
  at compile time. Also included the option to enable/disable PKCS11.
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: Samuli Seppänen <samuli@openvpn.net>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Reordered functions to ensure warning-free Windows build | Adriaan de Jong | 2011-11-21 | 1 | -11/+10
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: Samuli Seppänen <samuli@openvpn.net>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Moved CryptoAPI header include to the ssl_openssl.c | Adriaan de Jong | 2011-11-21 | 2 | -4/+4
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Moved prng_uninit out of crypto_uninit_lib | Adriaan de Jong | 2011-11-21 | 4 | -5/+3
  Since prng_uninit is SSL-library agnostic, but crypto_uninit_lib isn't, the function was moved up a level.
  Also removed one unused variable (j) in tls1_P_hash().
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* add missing break between "case IPv4" and "case IPv6", leading to the | Gert Doering | 2011-11-10 | 1 | -0/+1
  minimum-size for IPv6 being applied to IPv4 packets, subsequently leading to drop of small-sized IPv4 packets.
  Bug found & fixed by Christian Niessner.
  Signed-off-by: Christian Niessner <bug-report@secadm.de>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Signed-off-by: Gert Doering <gert@greenie.muc.de>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Fix PolarSSL and --pkcs12 option issues | David Sommerseth | 2011-11-08 | 1 | -1/+7
  PolarSSL does not support PKCS#12 certificate/key bundles, but had a typo where #ifdef USE_POLARSSL was used, and it should have been #ifndef instead.
  Also added a few extra exclusions of PKCS#12 messages where appropriate, to avoid confusing users.
  Signed-off-by: David Sommerseth <davids@redhat.com>
  Acked-by: Adriaan de Jong <dejong@fox-it.com>
* Fixed missing comma in plugin.h | Adriaan de Jong | 2011-11-07 | 1 | -1/+1
  Fixed a bug where the wrong value was being passed to plugin_call_ssl, due to a missing comma.
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Further removal of des_old.h based calls | Adriaan de Jong | 2011-10-25 | 1 | -2/+2
  Replaced des_set_key_unchecked and des_ecb_encrypt functions in cipher_des_encrypt_ecb
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Removed obsolete des_cblock and des_keyschedule | Adriaan de Jong | 2011-10-24 | 1 | -3/+3
  This is to allow building on NetBSD which does not install <des_old.h> anymore
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Signed-off-by: David Sommerseth <davids@redhat.com>