sssd_unused.git - Unnamed repository; edit this file 'description' to name the repository.

diff options

Diffstat (limited to 'src/man/po/es.po')

-rw-r--r--

217

1 files changed, 128 insertions, 89 deletions

/* * OpenVPN -- An application to securely tunnel IP networks * over a single UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. * * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> * * Additions for eurephia plugin done by: * David Sommerseth <dazo@users.sourceforge.net> Copyright (C) 2009 * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program (see the file COPYING included with this * distribution); if not, write to the Free Software Foundation, Inc., * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* * 2004-01-28: Added Socks5 proxy support * (Christof Meerwald, http://cmeerw.org) */ #ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif #ifdef HAVE_CONFIG_VERSION_H #include "config-version.h" #endif #include "syshead.h" #include "buffer.h" #include "error.h" #include "common.h" #include "shaper.h" #include "crypto.h" #include "ssl.h" #include "options.h" #include "misc.h" #include "socket.h" #include "packet_id.h" #include "pkcs11.h" #include "win32.h" #include "push.h" #include "pool.h" #include "helper.h" #include "manage.h" #include "forward.h" #include <ctype.h> #include "memdbg.h" const char title_string[] = PACKAGE_STRING " " TARGET_ALIAS #ifdef ENABLE_CRYPTO #ifdef ENABLE_SSL #if defined(ENABLE_CRYPTO_POLARSSL) " [SSL (PolarSSL)]" #elif defined(ENABLE_CRYPTO_OPENSSL) " [SSL (OpenSSL)]" #else " [SSL]" #endif /* defined(ENABLE_CRYPTO_POLARSSL) */ #else /* ! ENABLE_SSL */ #if defined(ENABLE_CRYPTO_POLARSSL) " [CRYPTO (PolarSSL)]" #elif defined(ENABLE_CRYPTO_OPENSSL) " [CRYPTO (OpenSSL)]" #else " [CRYPTO]" #endif /* defined(ENABLE_CRYPTO_POLARSSL) */ #endif /* ENABLE_SSL */ #endif /* ENABLE_CRYPTO */ #ifdef ENABLE_LZO #ifdef ENABLE_LZO_STUB " [LZO (STUB)]" #else " [LZO]" #endif #endif #if EPOLL " [EPOLL]" #endif #ifdef PRODUCT_TAP_DEBUG " [TAPDBG]" #endif #ifdef ENABLE_PKCS11 " [PKCS11]" #endif #ifdef ENABLE_EUREPHIA " [eurephia]" #endif #if ENABLE_IP_PKTINFO " [MH]" #endif " [PF_INET6]" " [IPv6 payload 20110522-1 (2.2.0)]" " built on " __DATE__ ; #ifndef ENABLE_SMALL static const char usage_message[] = "%s\n" "\n" "General Options:\n" "--config file : Read configuration options from file.\n" "--help : Show options.\n" "--version : Show copyright and version information.\n" "\n" "Tunnel Options:\n" "--local host : Local host name or ip address. Implies --bind.\n" "--remote host [port] : Remote host name or ip address.\n" "--remote-random : If multiple --remote options specified, choose one randomly.\n" "--remote-random-hostname : Add a random string to remote DNS name.\n" "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n" "--proto p : Use protocol p for communicating with peer.\n" " p = udp (default), tcp-server, or tcp-client\n" "--proto-force p : only consider protocol p in list of connection profiles.\n" " p = udp6, tcp6-server, or tcp6-client (ipv6)\n" "--connect-retry n : For --proto tcp-client, number of seconds to wait\n" " between connection retries (default=%d).\n" "--connect-timeout n : For --proto tcp-client, connection timeout (in seconds).\n" "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n" #ifdef ENABLE_HTTP_PROXY "--http-proxy s p [up] [auth] : Connect to remote host\n" " through an HTTP proxy at address s and port p.\n" " If proxy authentication is required,\n" " up is a file containing username/password on 2 lines, or\n" " 'stdin' to prompt from console. Add auth='ntlm' if\n" " the proxy requires NTLM authentication.\n" "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n" " determine auth method and query for username/password\n" " if needed. auto-nct disables weak proxy auth methods.\n" "--http-proxy-retry : Retry indefinitely on HTTP proxy errors.\n" "--http-proxy-timeout n : Proxy timeout in seconds, default=5.\n" "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n" " Repeat to set multiple options.\n" " VERSION version (default=1.0)\n" " AGENT user-agent\n" #endif #ifdef ENABLE_SOCKS "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n" " address s and port p (default port = 1080).\n" " If proxy authentication is required,\n" " up is a file containing username/password on 2 lines, or\n" " 'stdin' to prompt for console.\n" "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n" #endif "--resolv-retry n: If hostname resolve fails for --remote, retry\n" " resolve for n seconds before failing (disabled by default).\n" " Set n=\"infinite\" to retry indefinitely.\n" "--float : Allow remote to change its IP address/port, such as through\n" " DHCP (this is the default if --remote is not used).\n" "--ipchange cmd : Run command cmd on remote ip address initial\n" " setting or change -- execute as: cmd ip-address port#\n" "--port port : TCP/UDP port # for both local and remote.\n" "--lport port : TCP/UDP port # for local (default=%d). Implies --bind.\n" "--rport port : TCP/UDP port # for remote (default=%d).\n" "--bind : Bind to local address and port. (This is the default unless\n" " --proto tcp-client" #ifdef ENABLE_HTTP_PROXY " or --http-proxy" #endif #ifdef ENABLE_SOCKS " or --socks-proxy" #endif " is used).\n" "--nobind : Do not bind to local address and port.\n" "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n" "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n" " this option only if the tun/tap device used with --dev\n" " does not begin with \"tun\" or \"tap\".\n" "--dev-node node : Explicitly set the device node rather than using\n" " /dev/net/tun, /dev/tun, /dev/tap, etc.\n" "--lladdr hw : Set the link layer address of the tap device.\n" "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n" "--tun-ipv6 : Build tun link capable of forwarding IPv6 traffic.\n" #ifdef ENABLE_IPROUTE "--iproute cmd : Use this command instead of default " IPROUTE_PATH ".\n" #endif "--ifconfig l rn : TUN: configure device to use IP address l as a local\n" " endpoint and rn as a remote endpoint. l & rn should be\n" " swapped on the other peer. l & rn must be private\n" " addresses outside of the subnets used by either peer.\n" " TAP: configure device to use IP address l as a local\n" " endpoint and rn as a subnet mask.\n" "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n" " endpoint (as a /64) and r as remote endpoint\n" "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n" " pass --ifconfig parms by environment to scripts.\n" "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n" " connection doesn't match the remote side.\n" "--route network [netmask] [gateway] [metric] :\n" " Add route to routing table after connection\n" " is established. Multiple routes can be specified.\n" " netmask default: 255.255.255.255\n" " gateway default: taken from --route-gateway or --ifconfig\n" " Specify default by leaving blank or setting to \"nil\".\n" "--route-ipv6 network/bits [gateway] [metric] :\n" " Add IPv6 route to routing table after connection\n" " is established. Multiple routes can be specified.\n" " gateway default: taken from --route-ipv6-gateway or --ifconfig\n" "--max-routes n : Specify the maximum number of routes that may be defined\n" " or pulled from a server.\n" "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n" "--route-metric m : Specify a default metric for use with --route.\n" "--route-delay n [w] : Delay n seconds after connection initiation before\n" " adding routes (may be 0). If not specified, routes will\n" " be added immediately after tun/tap open. On Windows, wait\n" " up to w seconds for TUN/TAP adapter to come up.\n" "--route-up cmd : Run command cmd after routes are added.\n" "--route-pre-down cmd : Run command cmd before routes are removed.\n" "--route-noexec : Don't add routes automatically. Instead pass routes to\n" " --route-up script using environmental variables.\n" "--route-nopull : When used with --client or --pull, accept options pushed\n" " by server EXCEPT for routes and dhcp options.\n" "--allow-pull-fqdn : Allow client to pull DNS names from server for\n" " --ifconfig, --route, and --route-gateway.\n" "--redirect-gateway [flags]: Automatically execute routing\n" " commands to redirect all outgoing IP traffic through the\n" " VPN. Add 'local' flag if both " PACKAGE_NAME " servers are directly\n" " connected via a common subnet, such as with WiFi.\n" " Add 'def1' flag to set default route using using 0.0.0.0/1\n" " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n" " flag to add a direct route to DHCP server, bypassing tunnel.\n" " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n" "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n" " the default gateway. Useful when pushing private subnets.\n" #ifdef ENABLE_CLIENT_NAT "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n" #endif #ifdef ENABLE_PUSH_PEER_INFO "--push-peer-info : (client only) push client info to server.\n" #endif "--setenv name value : Set a custom environmental variable to pass to script.\n" "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n" " directives for future OpenVPN versions to be ignored.\n" "--script-security level mode : mode='execve' (default) or 'system', level=\n" " 0 -- strictly no calling of external programs\n" " 1 -- (default) only call built-ins such as ifconfig\n" " 2 -- allow calling of built-ins and scripts\n" " 3 -- allow password to be passed to scripts via env\n" "--shaper n : Restrict output to peer to n bytes per second.\n" "--keepalive n m : Helper option for setting timeouts in server mode. Send\n" " ping once every n seconds, restart if ping not received\n" " for m seconds.\n" "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n" " produces a combined in/out byte count < bytes.\n" "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n" "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n" "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n" " remote address.\n" "--ping n : Ping remote once every n seconds over TCP/UDP port.\n" #if ENABLE_IP_PKTINFO "--multihome : Configure a multi-homed UDP server.\n" #endif "--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n" "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n" "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n" "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n" "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n" "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n" #if PASSTOS_CAPABILITY "--passtos : TOS passthrough (applies to IPv4 only).\n" #endif "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n" " TCP/UDP MTU from it (default=%d).\n" "--tun-mtu-extra n : Assume that tun/tap device might return as many\n" " as n bytes more than the tun-mtu size on read\n" " (default TUN=0 TAP=%d).\n" "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n" " from it.\n" "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n" " 'no' -- Never send DF (Don't Fragment) frames\n" " 'maybe' -- Use per-route hints\n" " 'yes' -- Always DF (Don't Fragment)\n" #ifdef ENABLE_OCC "--mtu-test : Empirically measure and report MTU.\n" #endif #ifdef ENABLE_FRAGMENT "--fragment max : Enable internal datagram fragmentation so that no UDP\n" " datagrams are sent which are larger than max bytes.\n" " Adds 4 bytes of overhead per datagram.\n" #endif "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n" " or --fragment max value, whichever is lower.\n" "--sndbuf size : Set the TCP/UDP send buffer size.\n" "--rcvbuf size : Set the TCP/UDP receive buffer size.\n" #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK "--mark value : Mark encrypted packets being sent with value. The mark value\n" " can be matched in policy routing and packetfilter rules.\n" #endif "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n" #ifdef ENABLE_MEMSTATS "--memstats file : Write live usage stats to memory mapped binary file.\n" #endif "--mlock : Disable Paging -- ensures key material and tunnel\n" " data will never be written to disk.\n" "--up cmd : Run command cmd after successful tun device open.\n" " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n" " ifconfig-local-ip ifconfig-remote-ip\n" " (pre --user or --group UID/GID change)\n" "--up-delay : Delay tun/tap open and possible --up script execution\n" " until after TCP/UDP connection establishment with peer.\n" "--down cmd : Run command cmd after tun device close.\n" " (post --user/--group UID/GID change and/or --chroot)\n" " (command parameters are same as --up option)\n" "--down-pre : Run --down command before TUN/TAP close.\n" "--up-restart : Run up/down commands for all restarts including those\n" " caused by --ping-restart or SIGUSR1\n" "--user user : Set UID to user after initialization.\n" "--group group : Set GID to group after initialization.\n" "--chroot dir : Chroot to this directory after initialization.\n" #ifdef ENABLE_SELINUX "--setcon context: Apply this SELinux context after initialization.\n" #endif "--cd dir : Change to this directory before initialization.\n" "--daemon [name] : Become a daemon after initialization.\n" " The optional 'name' parameter will be passed\n" " as the program name to the system logger.\n" "--syslog [name] : Output to syslog, but do not become a daemon.\n" " See --daemon above for a description of the 'name' parm.\n" "--inetd [name] ['wait'|'nowait'] : Run as an inetd or xinetd server.\n" " See --daemon above for a description of the 'name' parm.\n" "--log file : Output log to file which is created/truncated on open.\n" "--log-append file : Append log to file, or create file if nonexistent.\n" "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n" "--writepid file : Write main process ID to file.\n" "--nice n : Change process priority (>0 = lower, <0 = higher).\n" "--echo [parms ...] : Echo parameters to log output.\n" "--verb n : Set output verbosity to n (default=%d):\n" " (Level 3 is recommended if you want a good summary\n" " of what's happening without being swamped by output).\n" " : 0 -- no output except fatal errors\n" " : 1 -- startup info + connection initiated messages +\n" " non-fatal encryption & net errors\n" " : 2,3 -- show TLS negotiations & route info\n" " : 4 -- show parameters\n" " : 5 -- show 'RrWw' chars on console for each packet sent\n" " and received from TCP/UDP (caps) or tun/tap (lc)\n" " : 6 to 11 -- debug messages of increasing verbosity\n" "--mute n : Log at most n consecutive messages in the same category.\n" "--status file n : Write operational status to file every n seconds.\n" "--status-version [n] : Choose the status file format version number.\n" " Currently, n can be 1, 2, or 3 (default=1).\n" #ifdef ENABLE_OCC "--disable-occ : Disable options consistency check between peers.\n" #endif #ifdef ENABLE_DEBUG "--gremlin mask : Special stress testing mode (for debugging only).\n" #endif #ifdef ENABLE_LZO "--comp-lzo : Use fast LZO compression -- may add up to 1 byte per\n" " packet for uncompressible data.\n" "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n" " is specified.\n" #endif #ifdef ENABLE_MANAGEMENT "--management ip port [pass] : Enable a TCP server on ip:port to handle\n" " management functions. pass is a password file\n" " or 'stdin' to prompt from console.\n" #if UNIX_SOCK_SUPPORT " To listen on a unix domain socket, specific the pathname\n" " in place of ip and use 'unix' as the port number.\n" #endif "--management-client : Management interface will connect as a TCP client to\n" " ip/port rather than listen as a TCP server.\n" "--management-query-passwords : Query management channel for private key\n" " and auth-user-pass passwords.\n" "--management-query-remote : Query management channel for --remote directive.\n" "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n" " of the management interface explicitly starts it.\n" "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n" "--management-forget-disconnect : Forget passwords when management disconnect\n" " event occurs.\n" "--management-up-down : Report tunnel up/down events to management interface.\n" "--management-log-cache n : Cache n lines of log file history for usage\n" " by the management channel.\n" #if UNIX_SOCK_SUPPORT "--management-client-user u : When management interface is a unix socket, only\n" " allow connections from user u.\n" "--management-client-group g : When management interface is a unix socket, only\n" " allow connections from group g.\n" #endif #ifdef MANAGEMENT_DEF_AUTH "--management-client-auth : gives management interface client the responsibility\n" " to authenticate clients after their client certificate\n" " has been verified.\n" #endif #ifdef MANAGEMENT_PF "--management-client-pf : management interface clients must specify a packet\n" " filter file for each connecting client.\n" #endif #endif #ifdef ENABLE_PLUGIN "--plugin m [str]: Load plug-in module m passing str as an argument\n" " to its initialization function.\n" #endif #if P2MP #if P2MP_SERVER "\n" "Multi-Client Server options (when --mode server is used):\n" "--server network netmask : Helper option to easily configure server mode.\n" "--server-ipv6 network/bits : Configure IPv6 server mode.\n" "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n" " easily configure ethernet bridging server mode.\n" "--push \"option\" : Push a config file option back to the peer for remote\n" " execution. Peer must specify --pull in its config file.\n" "--push-reset : Don't inherit global push list for specific\n" " client instance.\n" "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n" " to be dynamically allocated to connecting clients.\n" "--ifconfig-pool-linear : Use individual addresses rather than /30 subnets\n" " in tun mode. Not compatible with Windows clients.\n" "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n" " data to file, at seconds intervals (default=600).\n" " If seconds=0, file will be treated as read-only.\n" "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n" " to be dynamically allocated to connecting clients.\n" "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n" " overrides --ifconfig-pool dynamic allocation.\n" " Only valid in a client-specific config file.\n" "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n" " remote, overrides --ifconfig-ipv6-pool allocation.\n" " Only valid in a client-specific config file.\n" "--iroute network [netmask] : Route subnet to client.\n" "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n" " Sets up internal routes only.\n" " Only valid in a client-specific config file.\n" "--disable : Client is disabled.\n" " Only valid in a client-specific config file.\n" "--client-cert-not-required : Don't require client certificate, client\n" " will authenticate using username/password.\n" "--username-as-common-name : For auth-user-pass authentication, use\n" " the authenticated username as the common name,\n" " rather than the common name from the client cert.\n" "--auth-user-pass-verify cmd method: Query client for username/password and\n" " run command cmd to verify. If method='via-env', pass\n" " user/pass via environment, if method='via-file', pass\n" " user/pass via temporary file.\n" "--opt-verify : Clients that connect with options that are incompatible\n" " with those of the server will be disconnected.\n" "--auth-user-pass-optional : Allow connections by clients that don't\n" " specify a username/password.\n" "--no-name-remapping : Allow Common Name and X509 Subject to include\n" " any printable character.\n" "--client-to-client : Internally route client-to-client traffic.\n" "--duplicate-cn : Allow multiple clients with the same common name to\n" " concurrently connect.\n" "--client-connect cmd : Run command cmd on client connection.\n" "--client-disconnect cmd : Run command cmd on client disconnection.\n" "--client-config-dir dir : Directory for custom client config files.\n" "--ccd-exclusive : Refuse connection unless custom client config is found.\n" "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n" "--hash-size r v : Set the size of the real address hash table to r and the\n" " virtual address table to v.\n" "--bcast-buffers n : Allocate n broadcast buffers.\n" "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n" "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n" " as well as pushes it to connecting clients.\n" "--learn-address cmd : Run command cmd to validate client virtual addresses.\n" "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n" "--max-clients n : Allow a maximum of n simultaneously connected clients.\n" "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n" "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n" " older than n seconds. Run this check every t\n" " seconds (defaults to n).\n" #if PORT_SHARE "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n" " sessions to a web server at host:port. dir specifies an\n" " optional directory to write origin IP:port data.\n" #endif #endif "\n" "Client options (when connecting to a multi-client server):\n" "--client : Helper option to easily configure client mode.\n" "--auth-user-pass [up] : Authenticate with server using username/password.\n" " up is a file containing username/password on 2 lines,\n" " or omit to prompt from console.\n" "--pull : Accept certain config file options from the peer as if they\n" " were part of the local config file. Must be specified\n" " when connecting to a '--mode server' remote host.\n" "--auth-retry t : How to handle auth failures. Set t to\n" " none (default), interact, or nointeract.\n" "--static-challenge t e : Enable static challenge/response protocol using\n" " challenge text t, with e indicating echo flag (0|1)\n" "--server-poll-timeout n : when polling possible remote servers to connect to\n" " in a round-robin fashion, spend no more than n seconds\n" " waiting for a response before trying the next server.\n" #endif #ifdef ENABLE_OCC "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n" " server/remote. n = # of retries, default=1.\n" #endif #ifdef ENABLE_CRYPTO "\n" "Data Channel Encryption Options (must be compatible between peers):\n" "(These options are meaningful for both Static Key & TLS-mode)\n" "--secret f [d] : Enable Static Key encryption mode (non-TLS).\n" " Use shared secret file f, generate with --genkey.\n" " The optional d parameter controls key directionality.\n" " If d is specified, use separate keys for each\n" " direction, set d=0 on one side of the connection,\n" " and d=1 on the other side.\n" "--auth alg : Authenticate packets with HMAC using message\n" " digest algorithm alg (default=%s).\n" " (usually adds 16 or 20 bytes per packet)\n" " Set alg=none to disable authentication.\n" "--cipher alg : Encrypt packets with cipher algorithm alg\n" " (default=%s).\n" " Set alg=none to disable encryption.\n" "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n" " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n" #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH "--keysize n : Size of cipher key in bits (optional).\n" " If unspecified, defaults to cipher-specific default.\n" #endif #ifndef ENABLE_CRYPTO_POLARSSL "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n" #endif "--no-replay : Disable replay protection.\n" "--mute-replay-warnings : Silence the output of replay warnings to log file.\n" "--replay-window n [t] : Use a replay protection sliding window of size n\n" " and a time window of t seconds.\n" " Default n=%d t=%d\n" "--no-iv : Disable cipher IV -- only allowed with CBC mode ciphers.\n" "--replay-persist file : Persist replay-protection state across sessions\n" " using file.\n" "--test-crypto : Run a self-test of crypto features enabled.\n" " For debugging only.\n" #ifdef ENABLE_PREDICTION_RESISTANCE "--use-prediction-resistance: Enable prediction resistance on the random\n" " number generator.\n" #endif #ifdef ENABLE_SSL "\n" "TLS Key Negotiation Options:\n" "(These options are meaningful only for TLS-mode)\n" "--tls-server : Enable TLS and assume server role during TLS handshake.\n" "--tls-client : Enable TLS and assume client role during TLS handshake.\n" "--key-method m : Data channel key exchange method. m should be a method\n" " number, such as 1 (default), 2, etc.\n" "--ca file : Certificate authority file in .pem format containing\n" " root certificate.\n" #ifndef ENABLE_CRYPTO_POLARSSL "--capath dir : A directory of trusted certificates (CAs" #if OPENSSL_VERSION_NUMBER >= 0x00907000L " and CRLs).\n" #else /* OPENSSL_VERSION_NUMBER >= 0x00907000L */ ").\n" " WARNING: no support of CRL available with this version.\n" #endif /* OPENSSL_VERSION_NUMBER >= 0x00907000L */ #endif /* ENABLE_CRYPTO_POLARSSL */ "--dh file : File containing Diffie Hellman parameters\n" " in .pem format (for --tls-server only).\n" " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n" "--cert file : Local certificate in .pem format -- must be signed\n" " by a Certificate Authority in --ca file.\n" "--extra-certs file : one or more PEM certs that complete the cert chain.\n" "--key file : Local private key in .pem format.\n" #ifndef ENABLE_CRYPTO_POLARSSL "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n" " and optionally the root CA certificate.\n" #endif #ifdef ENABLE_X509ALTUSERNAME "--x509-username-field : Field used in x509 certificate to be username.\n" " Default is CN.\n" #endif "--verify-hash : Specify SHA1 fingerprint for level-1 cert.\n" #ifdef WIN32 "--cryptoapicert select-string : Load the certificate and private key from the\n" " Windows Certificate System Store.\n" #endif "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n" " : Use --show-tls to see a list of supported TLS ciphers.\n" "--tls-timeout n : Packet retransmit timeout on TLS control channel\n" " if no ACK from remote within n seconds (default=%d).\n" "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n" "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n" "--reneg-sec n : Renegotiate data chan. key after n seconds (default=%d).\n" "--hand-window n : Data channel key exchange must finalize within n seconds\n" " of handshake initiation by any peer (default=%d).\n" "--tran-window n : Transition window -- old key can live this many seconds\n" " after new key renegotiation begins (default=%d).\n" "--single-session: Allow only one session (reset state on restart).\n" "--tls-exit : Exit on TLS negotiation failure.\n" "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n" " control channel to protect against DoS attacks.\n" " f (required) is a shared-secret passphrase file.\n" " The optional d parameter controls key directionality,\n" " see --secret option for more info.\n" "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n" "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n" "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n" "--tls-verify cmd: Run command cmd to verify the X509 name of a\n" " pending TLS connection that has otherwise passed all other\n" " tests of certification. cmd should return 0 to allow\n" " TLS handshake to proceed, or 1 to fail. (cmd is\n" " executed as 'cmd certificate_depth subject')\n" "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n" " in an openvpn temporary file in [directory]. Peer cert is \n" " stored before tls-verify script execution and deleted after.\n" "--tls-remote x509name: Accept connections only from a host with X509 name\n" " x509name. The remote host must also pass all other tests\n" " of verification.\n" "--ns-cert-type t: Require that peer certificate was signed with an explicit\n" " nsCertType designation t = 'client' | 'server'.\n" #ifdef ENABLE_X509_TRACK "--x509-track x : Save peer X509 attribute x in environment for use by\n" " plugins and management interface.\n" #endif #if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL "--remote-cert-ku v ... : Require that the peer certificate was signed with\n" " explicit key usage, you can specify more than one value.\n" " value should be given in hex format.\n" "--remote-cert-eku oid : Require that the peer certificate was signed with\n" " explicit extended key usage. Extended key usage can be encoded\n" " as an object identifier or OpenSSL string representation.\n" "--remote-cert-tls t: Require that peer certificate was signed with explicit\n" " key usage and extended key usage based on RFC3280 TLS rules.\n" " t = 'client' | 'server'.\n" #endif /* OPENSSL_VERSION_NUMBER || ENABLE_CRYPTO_POLARSSL */ #endif /* ENABLE_SSL */ #ifdef ENABLE_PKCS11 "\n" "PKCS#11 Options:\n" "--pkcs11-providers provider ... : PKCS#11 provider to load.\n" "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n" " path. Set for each provider.\n" "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n" " 0 : Try to determind automatically (default).\n" " 1 : Use Sign.\n" " 2 : Use SignRecover.\n" " 4 : Use Decrypt.\n" " 8 : Use Unwrap.\n" "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n" " certificate can be accessed. Set for each provider.\n" "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n" " cache until token is removed.\n" "--pkcs11-id-management : Acquire identity from management interface.\n" "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n" #endif /* ENABLE_PKCS11 */ "\n" "SSL Library information:\n" "--show-ciphers : Show cipher algorithms to use with --cipher option.\n" "--show-digests : Show message digest algorithms to use with --auth option.\n" "--show-engines : Show hardware crypto accelerator engines (if available).\n" #ifdef ENABLE_SSL "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n" #endif #ifdef WIN32 "\n" "Windows Specific:\n" "--win-sys path : Pathname of Windows system directory. Default is the pathname\n" " from SystemRoot environment variable.\n" "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n" " IP address using method = manual, netsh, ipapi,\n" " dynamic, or adaptive (default = adaptive).\n" " Dynamic method allows two optional parameters:\n" " offset: DHCP server address offset (> -256 and < 256).\n" " If 0, use network address, if >0, take nth\n" " address forward from network address, if <0,\n" " take nth address backward from broadcast\n" " address.\n" " Default is 0.\n" " lease-time: Lease time in seconds.\n" " Default is one year.\n" "--route-method : Which method to use for adding routes on Windows?\n" " adaptive (default) -- Try ipapi then fall back to exe.\n" " ipapi -- Use IP helper API.\n" " exe -- Call the route.exe shell command.\n" "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n" " be used with --ip-win32 dynamic. For options\n" " which allow multiple addresses,\n" " --dhcp-option must be repeated.\n" " DOMAIN name : Set DNS suffix\n" " DNS addr : Set domain name server address(es)\n" " NTP : Set NTP server address(es)\n" " NBDD : Set NBDD server address(es)\n" " WINS addr : Set WINS server address(es)\n" " NBT type : Set NetBIOS over TCP/IP Node type\n" " 1: B, 2: P, 4: M, 8: H\n" " NBS id : Set NetBIOS scope ID\n" " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n" "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n" "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n" " startup.\n" "--dhcp-release : Ask Windows to release the TAP adapter lease on shutdown.\n" "--register-dns : Run net stop dnscache, net start dnscache, ipconfig /flushdns\n" " and ipconfig /registerdns on connection initiation.\n" "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n" " attempting to set adapter properties.\n" "--pause-exit : When run from a console window, pause before exiting.\n" "--service ex [0|1] : For use when " PACKAGE_NAME " is being instantiated by a\n" " service, and should not be used directly by end-users.\n" " ex is the name of an event object which, when\n" " signaled, will cause " PACKAGE_NAME " to exit. A second\n" " optional parameter controls the initial state of ex.\n" "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n" " after TAP adapter is up and routes have been added.\n" "Windows Standalone Options:\n" "\n" "--show-adapters : Show all TAP-Windows adapters.\n" "--show-net : Show " PACKAGE_NAME "'s view of routing table and net adapter list.\n" "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n" "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME " running without admin privileges\n" " to access TAP adapter.\n" #endif "\n" "Generate a random key (only for non-TLS static key encryption mode):\n" "--genkey : Generate a random key to be used as a shared secret,\n" " for use with the --secret option.\n" "--secret file : Write key to file.\n" #endif /* ENABLE_CRYPTO */ #ifdef ENABLE_FEATURE_TUN_PERSIST "\n" "Tun/tap config mode (available with linux 2.4+):\n" "--mktun : Create a persistent tunnel.\n" "--rmtun : Remove a persistent tunnel.\n" "--dev tunX|tapX : tun/tap device\n" "--dev-type dt : Device type. See tunnel options above for details.\n" "--user user : User to set privilege to.\n" "--group group : Group to set privilege to.\n" #endif #ifdef ENABLE_PKCS11 "\n" "PKCS#11 standalone options:\n" "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n" " --verb option can be added *BEFORE* this.\n" #endif /* ENABLE_PKCS11 */ "\n" "General Standalone Options:\n" #ifdef ENABLE_DEBUG "--show-gateway : Show info about default gateway.\n" #endif ; #endif /* !ENABLE_SMALL */ /* * This is where the options defaults go. * Any option not explicitly set here * will be set to 0. */ void init_options (struct options *o, const bool init_gc) { CLEAR (*o); if (init_gc) { gc_init (&o->gc); o->gc_owned = true; } o->mode = MODE_POINT_TO_POINT; o->topology = TOP_NET30; o->ce.proto = PROTO_UDPv4; o->ce.connect_retry_seconds = 5; o->ce.connect_timeout = 10; o->ce.connect_retry_max = 0; o->ce.local_port = o->ce.remote_port = OPENVPN_PORT; o->verbosity = 1; o->status_file_update_freq = 60; o->status_file_version = 1; o->ce.bind_local = true; o->ce.tun_mtu = TUN_MTU_DEFAULT; o->ce.link_mtu = LINK_MTU_DEFAULT; o->ce.mtu_discover_type = -1; o->ce.mssfix = MSSFIX_DEFAULT; o->route_delay_window = 30; o->max_routes = MAX_ROUTES_DEFAULT; o->resolve_retry_seconds = RESOLV_RETRY_INFINITE; o->proto_force = -1; #ifdef ENABLE_OCC o->occ = true; #endif #ifdef ENABLE_MANAGEMENT o->management_log_history_cache = 250; o->management_echo_buffer_size = 100; o->management_state_buffer_size = 100; #endif #ifdef ENABLE_FEATURE_TUN_PERSIST o->persist_mode = 1; #endif #ifndef WIN32 o->rcvbuf = 65536; o->sndbuf = 65536; #endif #ifdef TARGET_LINUX o->tuntap_options.txqueuelen = 100; #endif #ifdef WIN32 #if 0 o->tuntap_options.ip_win32_type = IPW32_SET_ADAPTIVE; #else o->tuntap_options.ip_win32_type = IPW32_SET_DHCP_MASQ; #endif o->tuntap_options.dhcp_lease_time = 31536000; /* one year */ o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */ o->route_method = ROUTE_METHOD_ADAPTIVE; #endif #if P2MP_SERVER o->real_hash_size = 256; o->virtual_hash_size = 256; o->n_bcast_buf = 256; o->tcp_queue_limit = 64; o->max_clients = 1024; o->max_routes_per_client = 256; o->stale_routes_check_interval = 0; o->ifconfig_pool_persist_refresh_freq = 600; #endif #if P2MP o->scheduled_exit_interval = 5; o->server_poll_timeout = 0; #endif #ifdef ENABLE_CRYPTO o->ciphername = "BF-CBC"; o->ciphername_defined = true; o->authname = "SHA1"; o->authname_defined = true; o->prng_hash = "SHA1"; o->prng_nonce_secret_len = 16; o->replay = true; o->replay_window = DEFAULT_SEQ_BACKTRACK; o->replay_time = DEFAULT_TIME_BACKTRACK; o->use_iv = true; o->key_direction = KEY_DIRECTION_BIDIRECTIONAL; #ifdef ENABLE_PREDICTION_RESISTANCE o->use_prediction_resistance = false; #endif #ifdef ENABLE_SSL o->key_method = 2; o->tls_timeout = 2; o->renegotiate_seconds = 3600; o->handshake_window = 60; o->transition_window = 3600; #ifdef ENABLE_X509ALTUSERNAME o->x509_username_field = X509_USERNAME_FIELD_DEFAULT; #endif #endif /* ENABLE_SSL */ #endif /* ENABLE_CRYPTO */ #ifdef ENABLE_PKCS11 o->pkcs11_pin_cache_period = -1; #endif /* ENABLE_PKCS11 */ /* tmp is only used in P2MP server context */ #if P2MP_SERVER /* Set default --tmp-dir */ #ifdef WIN32 /* On Windows, find temp dir via enviroment variables */ o->tmp_dir = win_get_tempdir(); #else /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */ o->tmp_dir = getenv("TMPDIR"); if( !o->tmp_dir ) { o->tmp_dir = "/tmp"; } #endif /* WIN32 */ #endif /* P2MP_SERVER */ } void uninit_options (struct options *o) { if (o->gc_owned) { gc_free (&o->gc); } } #ifdef ENABLE_DEBUG #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value)) #define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'") #define SHOW_INT(var) SHOW_PARM(var, o->var, "%d") #define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u") #define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x") #define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s"); #endif void setenv_connection_entry (struct env_set *es, const struct connection_entry *e, const int i) { setenv_str_i (es, "proto", proto2ascii (e->proto, false), i); setenv_str_i (es, "local", e->local, i); setenv_int_i (es, "local_port", e->local_port, i); setenv_str_i (es, "remote", e->remote, i); setenv_int_i (es, "remote_port", e->remote_port, i); #ifdef ENABLE_HTTP_PROXY if (e->http_proxy_options) { setenv_str_i (es, "http_proxy_server", e->http_proxy_options->server, i); setenv_int_i (es, "http_proxy_port", e->http_proxy_options->port, i); } #endif #ifdef ENABLE_SOCKS if (e->socks_proxy_server) { setenv_str_i (es, "socks_proxy_server", e->socks_proxy_server, i); setenv_int_i (es, "socks_proxy_port", e->socks_proxy_port, i); } #endif } void setenv_settings (struct env_set *es, const struct options *o) { setenv_str (es, "config", o->config); setenv_int (es, "verb", o->verbosity); setenv_int (es, "daemon", o->daemon); setenv_int (es, "daemon_log_redirect", o->log); setenv_unsigned (es, "daemon_start_time", time(NULL)); setenv_int (es, "daemon_pid", platform_getpid()); if (o->connection_list) { int i; for (i = 0; i < o->connection_list->len; ++i) setenv_connection_entry (es, o->connection_list->array[i], i+1); } else setenv_connection_entry (es, &o->ce, 1); } static in_addr_t get_ip_addr (const char *ip_string, int msglevel, bool *error) { unsigned int flags = GETADDR_HOST_ORDER; bool succeeded = false; in_addr_t ret; if (msglevel & M_FATAL) flags |= GETADDR_FATAL; ret = getaddr (flags, ip_string, 0, &succeeded, NULL); if (!succeeded && error) *error = true; return ret; } /* helper: parse a text string containing an IPv6 address + netbits * in "standard format" (2001:dba::/32) * "/nn" is optional, default to /64 if missing * * return true if parsing succeeded, modify *network and *netbits * return address part without "/nn" in *printable_ipv6 (if != NULL) */ bool get_ipv6_addr( const char * prefix_str, struct in6_addr *network, unsigned int * netbits, char ** printable_ipv6, int msglevel ) { int rc; char * sep, * endp; int bits; struct in6_addr t_network; sep = strchr( prefix_str, '/' ); if ( sep == NULL ) { bits = 64; } else { bits = strtol( sep+1, &endp, 10 ); if ( *endp != '\0' || bits < 0 || bits > 128 ) { msg (msglevel, "IPv6 prefix '%s': invalid '/bits' spec", prefix_str); return false; } } /* temporary replace '/' in caller-provided string with '\0', otherwise * inet_pton() will refuse prefix string * (alternative would be to strncpy() the prefix to temporary buffer) */ if ( sep != NULL ) *sep = '\0'; rc = inet_pton( AF_INET6, prefix_str, &t_network ); if ( rc == 1 && printable_ipv6 != NULL ) { *printable_ipv6 = string_alloc( prefix_str, NULL ); } if ( sep != NULL ) *sep = '/'; if ( rc != 1 ) { msg (msglevel, "IPv6 prefix '%s': invalid IPv6 address", prefix_str); return false; } if ( netbits != NULL ) { *netbits = bits; } if ( network != NULL ) { *network = t_network; } return true; /* parsing OK, values set */ } static bool ipv6_addr_safe_hexplusbits( const char * ipv6_prefix_spec ) { struct in6_addr t_addr; unsigned int t_bits; return get_ipv6_addr( ipv6_prefix_spec, &t_addr, &t_bits, NULL, M_WARN ); } static char * string_substitute (const char *src, int from, int to, struct gc_arena *gc) { char *ret = (char *) gc_malloc (strlen (src) + 1, true, gc); char *dest = ret; char c; do { c = *src++; if (c == from) c = to; *dest++ = c; } while (c); return ret; } #ifdef ENABLE_SSL static uint8_t * parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc) { int i; const char *cp = str; uint8_t *ret = (uint8_t *) gc_malloc (nbytes, true, gc); char term = 1; int byte; char bs[3]; for (i = 0; i < nbytes; ++i) { if (strlen(cp) < 2) msg (msglevel, "format error in hash fingerprint: %s", str); bs[0] = *cp++; bs[1] = *cp++; bs[2] = 0; byte = 0; if (sscanf(bs, "%x", &byte) != 1) msg (msglevel, "format error in hash fingerprint hex byte: %s", str); ret[i] = (uint8_t)byte; term = *cp++; if (term != ':' && term != 0) msg (msglevel, "format error in hash fingerprint delimiter: %s", str); if (term == 0) break; } if (term != 0 || i != nbytes-1) msg (msglevel, "hash fingerprint is different length than expected (%d bytes): %s", nbytes, str); return ret; } #endif #ifdef WIN32 #ifdef ENABLE_DEBUG static void show_dhcp_option_addrs (const char *name, const in_addr_t *array, int len) { struct gc_arena gc = gc_new (); int i; for (i = 0; i < len; ++i) { msg (D_SHOW_PARMS, " %s[%d] = %s", name, i, print_in_addr_t (array[i], 0, &gc)); } gc_free (&gc); } static void show_tuntap_options (const struct tuntap_options *o) { SHOW_BOOL (ip_win32_defined); SHOW_INT (ip_win32_type); SHOW_INT (dhcp_masq_offset); SHOW_INT (dhcp_lease_time); SHOW_INT (tap_sleep); SHOW_BOOL (dhcp_options); SHOW_BOOL (dhcp_renew); SHOW_BOOL (dhcp_pre_release); SHOW_BOOL (dhcp_release); SHOW_STR (domain); SHOW_STR (netbios_scope); SHOW_INT (netbios_node_type); SHOW_BOOL (disable_nbt); show_dhcp_option_addrs ("DNS", o->dns, o->dns_len); show_dhcp_option_addrs ("WINS", o->wins, o->wins_len); show_dhcp_option_addrs ("NTP", o->ntp, o->ntp_len); show_dhcp_option_addrs ("NBDD", o->nbdd, o->nbdd_len); } #endif static void dhcp_option_address_parse (const char *name, const char *parm, in_addr_t *array, int *len, int msglevel) { if (*len >= N_DHCP_ADDR) { msg (msglevel, "--dhcp-option %s: maximum of %d %s servers can be specified", name, N_DHCP_ADDR, name); } else { if (ip_addr_dotted_quad_safe (parm)) /* FQDN -- IP address only */ { bool error = false; const in_addr_t addr = get_ip_addr (parm, msglevel, &error); if (!error) array[(*len)++] = addr; } else { msg (msglevel, "dhcp-option parameter %s '%s' must be an IP address", name, parm); } } } #endif #if P2MP #ifdef ENABLE_DEBUG static void show_p2mp_parms (const struct options *o) { struct gc_arena gc = gc_new (); #if P2MP_SERVER msg (D_SHOW_PARMS, " server_network = %s", print_in_addr_t (o->server_network, 0, &gc)); msg (D_SHOW_PARMS, " server_netmask = %s", print_in_addr_t (o->server_netmask, 0, &gc)); msg (D_SHOW_PARMS, " server_network_ipv6 = %s", print_in6_addr (o->server_network_ipv6, 0, &gc) ); SHOW_INT (server_netbits_ipv6); msg (D_SHOW_PARMS, " server_bridge_ip = %s", print_in_addr_t (o->server_bridge_ip, 0, &gc)); msg (D_SHOW_PARMS, " server_bridge_netmask = %s", print_in_addr_t (o->server_bridge_netmask, 0, &gc)); msg (D_SHOW_PARMS, " server_bridge_pool_start = %s", print_in_addr_t (o->server_bridge_pool_start, 0, &gc)); msg (D_SHOW_PARMS, " server_bridge_pool_end = %s", print_in_addr_t (o->server_bridge_pool_end, 0, &gc)); if (o->push_list.head) { const struct push_entry *e = o->push_list.head; while (e) { if (e->enable) msg (D_SHOW_PARMS, " push_entry = '%s'", e->option); e = e->next; } } SHOW_BOOL (ifconfig_pool_defined); msg (D_SHOW_PARMS, " ifconfig_pool_start = %s", print_in_addr_t (o->ifconfig_pool_start, 0, &gc)); msg (D_SHOW_PARMS, " ifconfig_pool_end = %s", print_in_addr_t (o->ifconfig_pool_end, 0, &gc)); msg (D_SHOW_PARMS, " ifconfig_pool_netmask = %s", print_in_addr_t (o->ifconfig_pool_netmask, 0, &gc)); SHOW_STR (ifconfig_pool_persist_filename); SHOW_INT (ifconfig_pool_persist_refresh_freq); SHOW_BOOL (ifconfig_ipv6_pool_defined); msg (D_SHOW_PARMS, " ifconfig_ipv6_pool_base = %s", print_in6_addr (o->ifconfig_ipv6_pool_base, 0, &gc)); SHOW_INT (ifconfig_ipv6_pool_netbits); SHOW_INT (n_bcast_buf); SHOW_INT (tcp_queue_limit); SHOW_INT (real_hash_size); SHOW_INT (virtual_hash_size); SHOW_STR (client_connect_script); SHOW_STR (learn_address_script); SHOW_STR (client_disconnect_script); SHOW_STR (client_config_dir); SHOW_BOOL (ccd_exclusive); SHOW_STR (tmp_dir); SHOW_BOOL (push_ifconfig_defined); msg (D_SHOW_PARMS, " push_ifconfig_local = %s", print_in_addr_t (o->push_ifconfig_local, 0, &gc)); msg (D_SHOW_PARMS, " push_ifconfig_remote_netmask = %s", print_in_addr_t (o->push_ifconfig_remote_netmask, 0, &gc)); SHOW_BOOL (push_ifconfig_ipv6_defined); msg (D_SHOW_PARMS, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr (o->push_ifconfig_ipv6_local, 0, &gc), o->push_ifconfig_ipv6_netbits ); msg (D_SHOW_PARMS, " push_ifconfig_ipv6_remote = %s", print_in6_addr (o->push_ifconfig_ipv6_remote, 0, &gc)); SHOW_BOOL (enable_c2c); SHOW_BOOL (duplicate_cn); SHOW_INT (cf_max); SHOW_INT (cf_per); SHOW_INT (max_clients); SHOW_INT (max_routes_per_client); SHOW_STR (auth_user_pass_verify_script); SHOW_BOOL (auth_user_pass_verify_script_via_file); #if PORT_SHARE SHOW_STR (port_share_host); SHOW_INT (port_share_port); #endif #endif /* P2MP_SERVER */ SHOW_BOOL (client); SHOW_BOOL (pull); SHOW_STR (auth_user_pass_file); gc_free (&gc); } #endif /* ENABLE_DEBUG */ #if P2MP_SERVER static void option_iroute (struct options *o, const char *network_str, const char *netmask_str, int msglevel) { struct iroute *ir; ALLOC_OBJ_GC (ir, struct iroute, &o->gc); ir->network = getaddr (GETADDR_HOST_ORDER, network_str, 0, NULL, NULL); ir->netbits = -1; if (netmask_str) { const in_addr_t netmask = getaddr (GETADDR_HOST_ORDER, netmask_str, 0, NULL, NULL); if (!netmask_to_netbits (ir->network, netmask, &ir->netbits)) { msg (msglevel, "in --iroute %s %s : Bad network/subnet specification", network_str, netmask_str); return; } } ir->next = o->iroutes; o->iroutes = ir; } static void option_iroute_ipv6 (struct options *o, const char *prefix_str, int msglevel) { struct iroute_ipv6 *ir; ALLOC_OBJ_GC (ir, struct iroute_ipv6, &o->gc); if ( get_ipv6_addr (prefix_str, &ir->network, &ir->netbits, NULL, msglevel ) < 0 ) { msg (msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification", prefix_str); return; } ir->next = o->iroutes_ipv6; o->iroutes_ipv6 = ir; } #endif /* P2MP_SERVER */ #endif /* P2MP */ #if defined(ENABLE_HTTP_PROXY) && defined(ENABLE_DEBUG) static void show_http_proxy_options (const struct http_proxy_options *o) { msg (D_SHOW_PARMS, "BEGIN http_proxy"); SHOW_STR (server); SHOW_INT (port); SHOW_STR (auth_method_string); SHOW_STR (auth_file); SHOW_BOOL (retry); SHOW_INT (timeout); SHOW_STR (http_version); SHOW_STR (user_agent); msg (D_SHOW_PARMS, "END http_proxy"); } #endif void options_detach (struct options *o) { gc_detach (&o->gc); o->routes = NULL; #ifdef ENABLE_CLIENT_NAT o->client_nat = NULL; #endif #if P2MP_SERVER clone_push_list(o); #endif } void rol_check_alloc (struct options *options) { if (!options->routes) options->routes = new_route_option_list (options->max_routes, &options->gc); } void rol6_check_alloc (struct options *options) { if (!options->routes_ipv6) options->routes_ipv6 = new_route_ipv6_option_list (options->max_routes, &options->gc); } #ifdef ENABLE_CLIENT_NAT static void cnol_check_alloc (struct options *options) { if (!options->client_nat) options->client_nat = new_client_nat_list (&options->gc); } #endif #ifdef ENABLE_DEBUG static void show_connection_entry (const struct connection_entry *o) { msg (D_SHOW_PARMS, " proto = %s", proto2ascii (o->proto, false)); SHOW_STR (local); SHOW_INT (local_port); SHOW_STR (remote); SHOW_INT (remote_port); SHOW_BOOL (remote_float); SHOW_BOOL (bind_defined); SHOW_BOOL (bind_local); SHOW_INT (connect_retry_seconds); SHOW_INT (connect_timeout); SHOW_INT (connect_retry_max); #ifdef ENABLE_HTTP_PROXY if (o->http_proxy_options) show_http_proxy_options (o->http_proxy_options); #endif #ifdef ENABLE_SOCKS SHOW_STR (socks_proxy_server); SHOW_INT (socks_proxy_port); SHOW_BOOL (socks_proxy_retry); #endif SHOW_INT (tun_mtu); SHOW_BOOL (tun_mtu_defined); SHOW_INT (link_mtu); SHOW_BOOL (link_mtu_defined); SHOW_INT (tun_mtu_extra); SHOW_BOOL (tun_mtu_extra_defined); SHOW_INT (mtu_discover_type); #ifdef ENABLE_FRAGMENT SHOW_INT (fragment); #endif SHOW_INT (mssfix); #ifdef ENABLE_OCC SHOW_INT (explicit_exit_notification); #endif } static void show_connection_entries (const struct options *o) { msg (D_SHOW_PARMS, "Connection profiles [default]:"); show_connection_entry (&o->ce); if (o->connection_list) { const struct connection_list *l = o->connection_list; int i; for (i = 0; i < l->len; ++i) { msg (D_SHOW_PARMS, "Connection profiles [%d]:", i); show_connection_entry (l->array[i]); } } msg (D_SHOW_PARMS, "Connection profiles END"); } #endif void show_settings (const struct options *o) { #ifdef ENABLE_DEBUG msg (D_SHOW_PARMS, "Current Parameter Settings:"); SHOW_STR (config); SHOW_INT (mode); #ifdef ENABLE_FEATURE_TUN_PERSIST SHOW_BOOL (persist_config); SHOW_INT (persist_mode); #endif #ifdef ENABLE_CRYPTO SHOW_BOOL (show_ciphers); SHOW_BOOL (show_digests); SHOW_BOOL (show_engines); SHOW_BOOL (genkey); #ifdef ENABLE_SSL SHOW_STR (key_pass_file); SHOW_BOOL (show_tls_ciphers); #endif #endif show_connection_entries (o); SHOW_BOOL (remote_random); SHOW_STR (ipchange); SHOW_STR (dev); SHOW_STR (dev_type); SHOW_STR (dev_node); SHOW_STR (lladdr); SHOW_INT (topology); SHOW_BOOL (tun_ipv6); SHOW_STR (ifconfig_local); SHOW_STR (ifconfig_remote_netmask); SHOW_BOOL (ifconfig_noexec); SHOW_BOOL (ifconfig_nowarn); SHOW_STR (ifconfig_ipv6_local); SHOW_INT (ifconfig_ipv6_netbits); SHOW_STR (ifconfig_ipv6_remote); #ifdef ENABLE_FEATURE_SHAPER SHOW_INT (shaper); #endif #ifdef ENABLE_OCC SHOW_INT (mtu_test); #endif SHOW_BOOL (mlock); SHOW_INT (keepalive_ping); SHOW_INT (keepalive_timeout); SHOW_INT (inactivity_timeout); SHOW_INT (ping_send_timeout); SHOW_INT (ping_rec_timeout); SHOW_INT (ping_rec_timeout_action); SHOW_BOOL (ping_timer_remote); SHOW_INT (remap_sigusr1); SHOW_BOOL (persist_tun); SHOW_BOOL (persist_local_ip); SHOW_BOOL (persist_remote_ip); SHOW_BOOL (persist_key); #if PASSTOS_CAPABILITY SHOW_BOOL (passtos); #endif SHOW_INT (resolve_retry_seconds); SHOW_STR (username); SHOW_STR (groupname); SHOW_STR (chroot_dir); SHOW_STR (cd_dir); #ifdef ENABLE_SELINUX SHOW_STR (selinux_context); #endif SHOW_STR (writepid); SHOW_STR (up_script); SHOW_STR (down_script); SHOW_BOOL (down_pre); SHOW_BOOL (up_restart); SHOW_BOOL (up_delay); SHOW_BOOL (daemon); SHOW_INT (inetd); SHOW_BOOL (log); SHOW_BOOL (suppress_timestamps); SHOW_INT (nice); SHOW_INT (verbosity); SHOW_INT (mute); #ifdef ENABLE_DEBUG SHOW_INT (gremlin); #endif SHOW_STR (status_file); SHOW_INT (status_file_version); SHOW_INT (status_file_update_freq); #ifdef ENABLE_OCC SHOW_BOOL (occ); #endif SHOW_INT (rcvbuf); SHOW_INT (sndbuf); #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK SHOW_INT (mark); #endif SHOW_INT (sockflags); SHOW_BOOL (fast_io); #ifdef ENABLE_LZO SHOW_INT (lzo); #endif SHOW_STR (route_script); SHOW_STR (route_default_gateway); SHOW_INT (route_default_metric); SHOW_BOOL (route_noexec); SHOW_INT (route_delay); SHOW_INT (route_delay_window); SHOW_BOOL (route_delay_defined); SHOW_BOOL (route_nopull); SHOW_BOOL (route_gateway_via_dhcp); SHOW_INT (max_routes); SHOW_BOOL (allow_pull_fqdn); if (o->routes) print_route_options (o->routes, D_SHOW_PARMS); #ifdef ENABLE_CLIENT_NAT if (o->client_nat) print_client_nat_list(o->client_nat, D_SHOW_PARMS); #endif #ifdef ENABLE_MANAGEMENT SHOW_STR (management_addr); SHOW_INT (management_port); SHOW_STR (management_user_pass); SHOW_INT (management_log_history_cache); SHOW_INT (management_echo_buffer_size); SHOW_STR (management_write_peer_info_file); SHOW_STR (management_client_user); SHOW_STR (management_client_group); SHOW_INT (management_flags); #endif #ifdef ENABLE_PLUGIN if (o->plugin_list) plugin_option_list_print (o->plugin_list, D_SHOW_PARMS); #endif #ifdef ENABLE_CRYPTO SHOW_STR (shared_secret_file); SHOW_INT (key_direction); SHOW_BOOL (ciphername_defined); SHOW_STR (ciphername); SHOW_BOOL (authname_defined); SHOW_STR (authname); SHOW_STR (prng_hash); SHOW_INT (prng_nonce_secret_len); SHOW_INT (keysize); #ifndef ENABLE_CRYPTO_POLARSSL SHOW_BOOL (engine); #endif /* ENABLE_CRYPTO_POLARSSL */ SHOW_BOOL (replay); SHOW_BOOL (mute_replay_warnings); SHOW_INT (replay_window); SHOW_INT (replay_time); SHOW_STR (packet_id_file); SHOW_BOOL (use_iv); SHOW_BOOL (test_crypto); #ifdef ENABLE_PREDICTION_RESISTANCE SHOW_BOOL (use_prediction_resistance); #endif #ifdef ENABLE_SSL SHOW_BOOL (tls_server); SHOW_BOOL (tls_client); SHOW_INT (key_method); SHOW_STR (ca_file); SHOW_STR (ca_path); SHOW_STR (dh_file); SHOW_STR (cert_file); SHOW_STR (priv_key_file); #ifndef ENABLE_CRYPTO_POLARSSL SHOW_STR (pkcs12_file); #endif #ifdef ENABLE_CRYPTOAPI SHOW_STR (cryptoapi_cert); #endif SHOW_STR (cipher_list); SHOW_STR (tls_verify); SHOW_STR (tls_export_cert); SHOW_STR (tls_remote); SHOW_STR (crl_file); SHOW_INT (ns_cert_type); { int i; for (i=0;i<MAX_PARMS;i++) SHOW_INT (remote_cert_ku[i]); } SHOW_STR (remote_cert_eku); SHOW_INT (ssl_flags); SHOW_INT (tls_timeout); SHOW_INT (renegotiate_bytes); SHOW_INT (renegotiate_packets); SHOW_INT (renegotiate_seconds); SHOW_INT (handshake_window); SHOW_INT (transition_window); SHOW_BOOL (single_session); #ifdef ENABLE_PUSH_PEER_INFO SHOW_BOOL (push_peer_info); #endif SHOW_BOOL (tls_exit); SHOW_STR (tls_auth_file); #endif #endif #ifdef ENABLE_PKCS11 { int i; for (i=0;i<MAX_PARMS && o->pkcs11_providers[i] != NULL;i++) SHOW_PARM (pkcs11_providers, o->pkcs11_providers[i], "%s"); } { int i; for (i=0;i<MAX_PARMS;i++) SHOW_PARM (pkcs11_protected_authentication, o->pkcs11_protected_authentication[i] ? "ENABLED" : "DISABLED", "%s"); } { int i; for (i=0;i<MAX_PARMS;i++) SHOW_PARM (pkcs11_private_mode, o->pkcs11_private_mode[i], "%08x"); } { int i; for (i=0;i<MAX_PARMS;i++) SHOW_PARM (pkcs11_cert_private, o->pkcs11_cert_private[i] ? "ENABLED" : "DISABLED", "%s"); } SHOW_INT (pkcs11_pin_cache_period); SHOW_STR (pkcs11_id); SHOW_BOOL (pkcs11_id_management); #endif /* ENABLE_PKCS11 */ #if P2MP show_p2mp_parms (o); #endif #ifdef WIN32 SHOW_BOOL (show_net_up); SHOW_INT (route_method); show_tuntap_options (&o->tuntap_options); #endif #endif } #undef SHOW_PARM #undef SHOW_STR #undef SHOW_INT #undef SHOW_BOOL #ifdef ENABLE_HTTP_PROXY struct http_proxy_options * init_http_options_if_undefined (struct options *o) { if (!o->ce.http_proxy_options) { ALLOC_OBJ_CLEAR_GC (o->ce.http_proxy_options, struct http_proxy_options, &o->gc); /* http proxy defaults */ o->ce.http_proxy_options->timeout = 5; o->ce.http_proxy_options->http_version = "1.0"; } return o->ce.http_proxy_options; } #endif #if HTTP_PROXY_FALLBACK static struct http_proxy_options * parse_http_proxy_override (const char *server, const char *port, const char *flags, const int msglevel, struct gc_arena *gc) { if (server && port) { struct http_proxy_options *ho; const int int_port = atoi(port); if (!legal_ipv4_port (int_port)) { msg (msglevel, "Bad http-proxy port number: %s", port); return NULL; } ALLOC_OBJ_CLEAR_GC (ho, struct http_proxy_options, gc); ho->server = string_alloc(server, gc); ho->port = int_port; ho->retry = true; ho->timeout = 5; if (flags && !strcmp(flags, "nct")) ho->auth_retry = PAR_NCT; else ho->auth_retry = PAR_ALL; ho->http_version = "1.0"; ho->user_agent = "OpenVPN-Autoproxy/1.0"; return ho; } else return NULL; } struct http_proxy_options * parse_http_proxy_fallback (struct context *c, const char *server, const char *port, const char *flags, const int msglevel) { struct gc_arena gc = gc_new (); struct http_proxy_options *ret = NULL; struct http_proxy_options *hp = parse_http_proxy_override(server, port, flags, msglevel, &gc); if (hp) { struct hpo_store *hpos = c->options.hpo_store; if (!hpos) { ALLOC_OBJ_CLEAR_GC (hpos, struct hpo_store, &c->options.gc); c->options.hpo_store = hpos; } hpos->hpo = *hp; hpos->hpo.server = hpos->server; strncpynt(hpos->server, hp->server, sizeof(hpos->server)); ret = &hpos->hpo; } gc_free (&gc); return ret; } static void http_proxy_warn(const char *name) { msg (M_WARN, "Note: option %s ignored because no TCP-based connection profiles are defined", name); } void options_postprocess_http_proxy_fallback (struct options *o) { struct connection_list *l = o->connection_list; if (l) { int i; for (i = 0; i < l->len; ++i) { struct connection_entry *ce = l->array[i]; if (ce->proto == PROTO_TCPv4_CLIENT || ce->proto == PROTO_TCPv4) { if (l->len < CONNECTION_LIST_SIZE) { struct connection_entry *newce; ALLOC_OBJ_GC (newce, struct connection_entry, &o->gc); *newce = *ce; newce->flags |= CE_HTTP_PROXY_FALLBACK; newce->http_proxy_options = NULL; newce->ce_http_proxy_fallback_timestamp = 0; l->array[l->len++] = newce; } return; } } } http_proxy_warn("http-proxy-fallback"); } void options_postprocess_http_proxy_override (struct options *o) { const struct connection_list *l = o->connection_list; if (l) { int i; bool succeed = false; for (i = 0; i < l->len; ++i) { struct connection_entry *ce = l->array[i]; if (ce->proto == PROTO_TCPv4_CLIENT || ce->proto == PROTO_TCPv4) { ce->http_proxy_options = o->http_proxy_override; succeed = true; } } if (succeed) { for (i = 0; i < l->len; ++i) { struct connection_entry *ce = l->array[i]; if (ce->proto == PROTO_UDPv4) { ce->flags |= CE_DISABLED; } } } else { http_proxy_warn("http-proxy-override"); } } } #endif static struct connection_list * alloc_connection_list_if_undef (struct options *options) { if (!options->connection_list) ALLOC_OBJ_CLEAR_GC (options->connection_list, struct connection_list, &options->gc); return options->connection_list; } static struct connection_entry * alloc_connection_entry (struct options *options, const int msglevel) { struct connection_list *l = alloc_connection_list_if_undef (options); struct connection_entry *e; if (l->len >= CONNECTION_LIST_SIZE) { msg (msglevel, "Maximum number of 'connection' options (%d) exceeded", CONNECTION_LIST_SIZE); return NULL; } ALLOC_OBJ_GC (e, struct connection_entry, &options->gc); l->array[l->len++] = e; return e; } static struct remote_list * alloc_remote_list_if_undef (struct options *options) { if (!options->remote_list) ALLOC_OBJ_CLEAR_GC (options->remote_list, struct remote_list, &options->gc); return options->remote_list; } static struct remote_entry * alloc_remote_entry (struct options *options, const int msglevel) { struct remote_list *l = alloc_remote_list_if_undef (options); struct remote_entry *e; if (l->len >= CONNECTION_LIST_SIZE) { msg (msglevel, "Maximum number of 'remote' options (%d) exceeded", CONNECTION_LIST_SIZE); return NULL; } ALLOC_OBJ_GC (e, struct remote_entry, &options->gc); l->array[l->len++] = e; return e; } void connection_entry_load_re (struct connection_entry *ce, const struct remote_entry *re) { if (re->remote) ce->remote = re->remote; if (re->remote_port >= 0) ce->remote_port = re->remote_port; if (re->proto >= 0) ce->proto = re->proto; } static void options_postprocess_verify_ce (const struct options *options, const struct connection_entry *ce) { struct options defaults; int dev = DEV_TYPE_UNDEF; bool pull = false; init_options (&defaults, true); #ifdef ENABLE_CRYPTO if (options->test_crypto) { notnull (options->shared_secret_file, "key file (--secret)"); } else #endif notnull (options->dev, "TUN/TAP device (--dev)"); /* * Get tun/tap/null device type */ dev = dev_type_enum (options->dev, options->dev_type); /* * If "proto tcp" is specified, make sure we know whether it is * tcp-client or tcp-server. */ if (ce->proto == PROTO_TCPv4) msg (M_USAGE, "--proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client"); /* * Sanity check on daemon/inetd modes */ if (options->daemon && options->inetd) msg (M_USAGE, "only one of --daemon or --inetd may be specified"); if (options->inetd && (ce->local || ce->remote)) msg (M_USAGE, "--local or --remote cannot be used with --inetd"); if (options->inetd && ce->proto == PROTO_TCPv4_CLIENT) msg (M_USAGE, "--proto tcp-client cannot be used with --inetd"); if (options->inetd == INETD_NOWAIT && ce->proto != PROTO_TCPv4_SERVER) msg (M_USAGE, "--inetd nowait can only be used with --proto tcp-server"); if (options->inetd == INETD_NOWAIT #if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL) && !(options->tls_server || options->tls_client) #endif ) msg (M_USAGE, "--inetd nowait can only be used in TLS mode"); if (options->inetd == INETD_NOWAIT && dev != DEV_TYPE_TAP) msg (M_USAGE, "--inetd nowait only makes sense in --dev tap mode"); if (options->lladdr && dev != DEV_TYPE_TAP) msg (M_USAGE, "--lladdr can only be used in --dev tap mode"); /* * Sanity check on TCP mode options */ if (ce->connect_retry_defined && ce->proto != PROTO_TCPv4_CLIENT && ce->proto != PROTO_TCPv6_CLIENT) msg (M_USAGE, "--connect-retry doesn't make sense unless also used with " "--proto tcp-client or tcp6-client"); if (ce->connect_timeout_defined && ce->proto != PROTO_TCPv4_CLIENT && ce->proto != PROTO_TCPv6_CLIENT) msg (M_USAGE, "--connect-timeout doesn't make sense unless also used with " "--proto tcp-client or tcp6-client"); /* * Sanity check on MTU parameters */ if (options->ce.tun_mtu_defined && options->ce.link_mtu_defined) msg (M_USAGE, "only one of --tun-mtu or --link-mtu may be defined (note that --ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT); #ifdef ENABLE_OCC if (!proto_is_udp(ce->proto) && options->mtu_test) msg (M_USAGE, "--mtu-test only makes sense with --proto udp"); #endif /* will we be pulling options from server? */ #if P2MP pull = options->pull; #endif /* * Sanity check on --local, --remote, and --ifconfig */ if (proto_is_net(ce->proto) && string_defined_equal (ce->local, ce->remote) && ce->local_port == ce->remote_port) msg (M_USAGE, "--remote and --local addresses are the same"); if (string_defined_equal (ce->remote, options->ifconfig_local) || string_defined_equal (ce->remote, options->ifconfig_remote_netmask)) msg (M_USAGE, "--local and --remote addresses must be distinct from --ifconfig addresses"); if (string_defined_equal (ce->local, options->ifconfig_local) || string_defined_equal (ce->local, options->ifconfig_remote_netmask)) msg (M_USAGE, "--local addresses must be distinct from --ifconfig addresses"); if (string_defined_equal (options->ifconfig_local, options->ifconfig_remote_netmask)) msg (M_USAGE, "local and remote/netmask --ifconfig addresses must be different"); if (ce->bind_defined && !ce->bind_local) msg (M_USAGE, "--bind and --nobind can't be used together"); if (ce->local && !ce->bind_local) msg (M_USAGE, "--local and --nobind don't make sense when used together"); if (ce->local_port_defined && !ce->bind_local) msg (M_USAGE, "--lport and --nobind don't make sense when used together"); if (!ce->remote && !ce->bind_local) msg (M_USAGE, "--nobind doesn't make sense unless used with --remote"); /* * Check for consistency of management options */ #ifdef ENABLE_MANAGEMENT if (!options->management_addr && (options->management_flags || options->management_write_peer_info_file || options->management_log_history_cache != defaults.management_log_history_cache)) msg (M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified"); if ((options->management_client_user || options->management_client_group) && !(options->management_flags & MF_UNIX_SOCK)) msg (M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets"); #endif /* * Windows-specific options. */ #ifdef WIN32 if (dev == DEV_TYPE_TUN && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask))) msg (M_USAGE, "On Windows, --ifconfig is required when --dev tun is used"); if ((options->tuntap_options.ip_win32_defined) && !(pull || (options->ifconfig_local && options->ifconfig_remote_netmask))) msg (M_USAGE, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used"); if (options->tuntap_options.dhcp_options && options->tuntap_options.ip_win32_type != IPW32_SET_DHCP_MASQ && options->tuntap_options.ip_win32_type != IPW32_SET_ADAPTIVE) msg (M_USAGE, "--dhcp-options requires --ip-win32 dynamic or adaptive"); #endif /* * Check that protocol options make sense. */ #ifdef ENABLE_FRAGMENT if (!proto_is_udp(ce->proto) && ce->fragment) msg (M_USAGE, "--fragment can only be used with --proto udp"); #endif #ifdef ENABLE_OCC if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification) msg (M_USAGE, "--explicit-exit-notify can only be used with --proto udp"); #endif if (!ce->remote && (ce->proto == PROTO_TCPv4_CLIENT || ce->proto == PROTO_TCPv6_CLIENT)) msg (M_USAGE, "--remote MUST be used in TCP Client mode"); #ifdef ENABLE_HTTP_PROXY if ((ce->http_proxy_options) && ce->proto != PROTO_TCPv4_CLIENT) msg (M_USAGE, "--http-proxy MUST be used in TCP Client mode (i.e. --proto tcp-client)"); #endif #if defined(ENABLE_HTTP_PROXY) && defined(ENABLE_SOCKS) if (ce->http_proxy_options && ce->socks_proxy_server) msg (M_USAGE, "--http-proxy can not be used together with --socks-proxy"); #endif #ifdef ENABLE_SOCKS if (ce->socks_proxy_server && ce->proto == PROTO_TCPv4_SERVER) msg (M_USAGE, "--socks-proxy can not be used in TCP Server mode"); #endif if ((ce->proto == PROTO_TCPv4_SERVER || ce->proto == PROTO_TCPv6_SERVER) && connection_list_defined (options)) msg (M_USAGE, "TCP server mode allows at most one --remote address"); #if P2MP_SERVER /* * Check consistency of --mode server options. */ if (options->mode == MODE_SERVER) { if (!(dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP)) msg (M_USAGE, "--mode server only works with --dev tun or --dev tap"); if (options->pull) msg (M_USAGE, "--pull cannot be used with --mode server"); if (!(proto_is_udp(ce->proto) || ce->proto == PROTO_TCPv4_SERVER || ce->proto == PROTO_TCPv6_SERVER)) msg (M_USAGE, "--mode server currently only supports " "--proto udp or --proto tcp-server or proto tcp6-server"); #if PORT_SHARE if ((options->port_share_host || options->port_share_port) && (ce->proto != PROTO_TCPv4_SERVER && ce->proto != PROTO_TCPv6_SERVER)) msg (M_USAGE, "--port-share only works in TCP server mode " "(--proto tcp-server or tcp6-server)"); #endif if (!options->tls_server) msg (M_USAGE, "--mode server requires --tls-server"); if (ce->remote) msg (M_USAGE, "--remote cannot be used with --mode server"); if (!ce->bind_local) msg (M_USAGE, "--nobind cannot be used with --mode server"); #ifdef ENABLE_HTTP_PROXY if (ce->http_proxy_options) msg (M_USAGE, "--http-proxy cannot be used with --mode server"); #endif #ifdef ENABLE_SOCKS if (ce->socks_proxy_server) msg (M_USAGE, "--socks-proxy cannot be used with --mode server"); #endif if (options->connection_list) msg (M_USAGE, "<connection> cannot be used with --mode server"); #if 0 if (options->tun_ipv6) msg (M_USAGE, "--tun-ipv6 cannot be used with --mode server"); #endif if (options->shaper) msg (M_USAGE, "--shaper cannot be used with --mode server"); if (options->inetd) msg (M_USAGE, "--inetd cannot be used with --mode server"); if (options->ipchange) msg (M_USAGE, "--ipchange cannot be used with --mode server (use --client-connect instead)"); if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCPv4_SERVER || ce->proto == PROTO_TCPv6_SERVER)) msg (M_USAGE, "--mode server currently only supports " "--proto udp or --proto tcp-server or --proto tcp6-server"); if (!proto_is_udp(ce->proto) && (options->cf_max || options->cf_per)) msg (M_USAGE, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead."); if (!(dev == DEV_TYPE_TAP || (dev == DEV_TYPE_TUN && options->topology == TOP_SUBNET)) && options->ifconfig_pool_netmask) msg (M_USAGE, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode"); #ifdef ENABLE_OCC if (ce->explicit_exit_notification) msg (M_USAGE, "--explicit-exit-notify cannot be used with --mode server"); #endif if (options->routes && (options->routes->flags & RG_ENABLE)) msg (M_USAGE, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)"); if (options->route_delay_defined) msg (M_USAGE, "--route-delay cannot be used with --mode server"); if (options->up_delay) msg (M_USAGE, "--up-delay cannot be used with --mode server"); if (!options->ifconfig_pool_defined && options->ifconfig_pool_persist_filename) msg (M_USAGE, "--ifconfig-pool-persist must be used with --ifconfig-pool"); if (options->ifconfig_ipv6_pool_defined && !options->ifconfig_ipv6_local ) msg (M_USAGE, "--ifconfig-ipv6-pool needs --ifconfig-ipv6"); if (options->ifconfig_ipv6_local && !options->tun_ipv6 ) msg (M_INFO, "Warning: --ifconfig-ipv6 without --tun-ipv6 will not do IPv6"); if (options->auth_user_pass_file) msg (M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)"); if (options->ccd_exclusive && !options->client_config_dir) msg (M_USAGE, "--ccd-exclusive must be used with --client-config-dir"); if (options->key_method != 2) msg (M_USAGE, "--mode server requires --key-method 2"); { const bool ccnr = (options->auth_user_pass_verify_script || PLUGIN_OPTION_LIST (options) || MAN_CLIENT_AUTH_ENABLED (options)); const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin"; if ((options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) && !ccnr) msg (M_USAGE, "--client-cert-not-required %s", postfix); if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr) msg (M_USAGE, "--username-as-common-name %s", postfix); if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr) msg (M_USAGE, "--auth-user-pass-optional %s", postfix); } } else { /* * When not in server mode, err if parameters are * specified which require --mode server. */ if (options->ifconfig_pool_defined || options->ifconfig_pool_persist_filename) msg (M_USAGE, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server"); if (options->ifconfig_ipv6_pool_defined) msg (M_USAGE, "--ifconfig-ipv6-pool requires --mode server"); if (options->real_hash_size != defaults.real_hash_size || options->virtual_hash_size != defaults.virtual_hash_size) msg (M_USAGE, "--hash-size requires --mode server"); if (options->learn_address_script) msg (M_USAGE, "--learn-address requires --mode server"); if (options->client_connect_script) msg (M_USAGE, "--client-connect requires --mode server"); if (options->client_disconnect_script) msg (M_USAGE, "--client-disconnect requires --mode server"); if (options->client_config_dir || options->ccd_exclusive) msg (M_USAGE, "--client-config-dir/--ccd-exclusive requires --mode server"); if (options->enable_c2c) msg (M_USAGE, "--client-to-client requires --mode server"); if (options->duplicate_cn) msg (M_USAGE, "--duplicate-cn requires --mode server"); if (options->cf_max || options->cf_per) msg (M_USAGE, "--connect-freq requires --mode server"); if (options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) msg (M_USAGE, "--client-cert-not-required requires --mode server"); if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) msg (M_USAGE, "--username-as-common-name requires --mode server"); if (options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) msg (M_USAGE, "--auth-user-pass-optional requires --mode server"); if (options->ssl_flags & SSLF_OPT_VERIFY) msg (M_USAGE, "--opt-verify requires --mode server"); if (options->server_flags & SF_TCP_NODELAY_HELPER) msg (M_USAGE, "--tcp-nodelay requires --mode server"); if (options->auth_user_pass_verify_script) msg (M_USAGE, "--auth-user-pass-verify requires --mode server"); #if PORT_SHARE if (options->port_share_host || options->port_share_port) msg (M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)"); #endif if (options->stale_routes_check_interval) msg (M_USAGE, "--stale-routes-check requires --mode server"); } #endif /* P2MP_SERVER */ #ifdef ENABLE_CRYPTO /* * Check consistency of replay options */ if ((!proto_is_udp(ce->proto)) && (options->replay_window != defaults.replay_window || options->replay_time != defaults.replay_time)) msg (M_USAGE, "--replay-window only makes sense with --proto udp"); if (!options->replay && (options->replay_window != defaults.replay_window || options->replay_time != defaults.replay_time)) msg (M_USAGE, "--replay-window doesn't make sense when replay protection is disabled with --no-replay"); /* * SSL/TLS mode sanity checks. */ #ifdef ENABLE_SSL if (options->tls_server + options->tls_client + (options->shared_secret_file != NULL) > 1) msg (M_USAGE, "specify only one of --tls-server, --tls-client, or --secret"); if (options->tls_server) { notnull (options->dh_file, "DH file (--dh)"); } if (options->tls_server || options->tls_client) { #ifdef ENABLE_PKCS11 if (options->pkcs11_providers[0]) { notnull (options->ca_file, "CA file (--ca)"); if (options->pkcs11_id_management && options->pkcs11_id != NULL) msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified."); if (!options->pkcs11_id_management && options->pkcs11_id == NULL) msg(M_USAGE, "Parameter --pkcs11-id or --pkcs11-id-management should be specified."); if (options->cert_file) msg(M_USAGE, "Parameter --cert cannot be used when --pkcs11-provider is also specified."); if (options->priv_key_file) msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified."); if (options->pkcs12_file) msg(M_USAGE, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified."); #ifdef ENABLE_CRYPTOAPI if (options->cryptoapi_cert) msg(M_USAGE, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified."); #endif } else #endif #ifdef ENABLE_CRYPTOAPI if (options->cryptoapi_cert) { if ((!(options->ca_file)) && (!(options->ca_path))) msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)"); if (options->cert_file) msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified."); if (options->priv_key_file) msg(M_USAGE, "Parameter --key cannot be used when --cryptoapicert is also specified."); if (options->pkcs12_file) msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified."); } else #endif if (options->pkcs12_file) { #ifdef ENABLE_CRYPTO_POLARSSL msg(M_USAGE, "Parameter --pkcs12 cannot be used with the PolarSSL version version of OpenVPN."); #else if (options->ca_path) msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified."); if (options->cert_file) msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified."); if (options->priv_key_file) msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified."); #endif } else { #ifdef ENABLE_CRYPTO_POLARSSL if (!(options->ca_file)) msg(M_USAGE, "You must define CA file (--ca)"); if (options->ca_path) msg(M_USAGE, "Parameter --capath cannot be used with the PolarSSL version version of OpenVPN."); #else if ((!(options->ca_file)) && (!(options->ca_path))) msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)"); #endif if (pull) { const int sum = (options->cert_file != NULL) + (options->priv_key_file != NULL); if (sum == 0) { #if P2MP if (!options->auth_user_pass_file) #endif msg (M_USAGE, "No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass"); } else if (sum == 2) ; else { msg (M_USAGE, "If you use one of --cert or --key, you must use them both"); } } else { notnull (options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)"); notnull (options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)"); } } } else { /* * Make sure user doesn't specify any TLS options * when in non-TLS mode. */ #define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) msg (M_USAGE, err, #parm); const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified."; MUST_BE_UNDEF (ca_file); MUST_BE_UNDEF (ca_path); MUST_BE_UNDEF (dh_file); MUST_BE_UNDEF (cert_file); MUST_BE_UNDEF (priv_key_file); #ifndef ENABLE_CRYPTO_POLARSSL MUST_BE_UNDEF (pkcs12_file); #endif MUST_BE_UNDEF (cipher_list); MUST_BE_UNDEF (tls_verify); MUST_BE_UNDEF (tls_export_cert); MUST_BE_UNDEF (tls_remote); MUST_BE_UNDEF (tls_timeout); MUST_BE_UNDEF (renegotiate_bytes); MUST_BE_UNDEF (renegotiate_packets); MUST_BE_UNDEF (renegotiate_seconds); MUST_BE_UNDEF (handshake_window); MUST_BE_UNDEF (transition_window); MUST_BE_UNDEF (tls_auth_file); MUST_BE_UNDEF (single_session); #ifdef ENABLE_PUSH_PEER_INFO MUST_BE_UNDEF (push_peer_info); #endif MUST_BE_UNDEF (tls_exit); MUST_BE_UNDEF (crl_file); MUST_BE_UNDEF (key_method); MUST_BE_UNDEF (ns_cert_type); MUST_BE_UNDEF (remote_cert_ku[0]); MUST_BE_UNDEF (remote_cert_eku); #ifdef ENABLE_PKCS11 MUST_BE_UNDEF (pkcs11_providers[0]); MUST_BE_UNDEF (pkcs11_private_mode[0]); MUST_BE_UNDEF (pkcs11_id); MUST_BE_UNDEF (pkcs11_id_management); #endif if (pull) msg (M_USAGE, err, "--pull"); } #undef MUST_BE_UNDEF #endif /* ENABLE_CRYPTO */ #endif /* ENABLE_SSL */ #if P2MP if (options->auth_user_pass_file && !options->pull) msg (M_USAGE, "--auth-user-pass requires --pull"); #endif uninit_options (&defaults); } static void options_postprocess_mutate_ce (struct options *o, struct connection_entry *ce) { const int dev = dev_type_enum (o->dev, o->dev_type); #if P2MP_SERVER if (o->server_defined || o->server_bridge_defined || o->server_bridge_proxy_dhcp) { if (ce->proto == PROTO_TCPv4) ce->proto = PROTO_TCPv4_SERVER; } #endif #if P2MP if (o->client) { if (ce->proto == PROTO_TCPv4) ce->proto = PROTO_TCPv4_CLIENT; else if (ce->proto == PROTO_TCPv6) ce->proto = PROTO_TCPv6_CLIENT; } #endif if (ce->proto == PROTO_TCPv4_CLIENT && !ce->local && !ce->local_port_defined && !ce->bind_defined) ce->bind_local = false; #ifdef ENABLE_SOCKS if (ce->proto == PROTO_UDPv4 && ce->socks_proxy_server && !ce->local && !ce->local_port_defined && !ce->bind_defined) ce->bind_local = false; #endif if (!ce->bind_local) ce->local_port = 0; /* if protocol forcing is enabled, disable all protocols except for the forced one */ if (o->proto_force >= 0 && proto_is_tcp(o->proto_force) != proto_is_tcp(ce->proto)) ce->flags |= CE_DISABLED; /* * If --mssfix is supplied without a parameter, default * it to --fragment value, if --fragment is specified. */ if (o->ce.mssfix_default) { #ifdef ENABLE_FRAGMENT if (ce->fragment) o->ce.mssfix = ce->fragment; #else msg (M_USAGE, "--mssfix must specify a parameter"); #endif } /* * Set MTU defaults */ { if (!ce->tun_mtu_defined && !ce->link_mtu_defined) { ce->tun_mtu_defined = true; } if ((dev == DEV_TYPE_TAP) && !ce->tun_mtu_extra_defined) { ce->tun_mtu_extra_defined = true; ce->tun_mtu_extra = TAP_MTU_EXTRA_DEFAULT; } } } static void options_postprocess_mutate_invariant (struct options *options) { const int dev = dev_type_enum (options->dev, options->dev_type); /* * In forking TCP server mode, you don't need to ifconfig * the tap device (the assumption is that it will be bridged). */ if (options->inetd == INETD_NOWAIT) options->ifconfig_noexec = true; #ifdef WIN32 if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined) { if (options->mode == MODE_POINT_TO_POINT) { options->route_delay_defined = true; options->route_delay = 5; /* Vista sometimes has a race without this */ } } if (options->ifconfig_noexec) { options->tuntap_options.ip_win32_type = IPW32_SET_MANUAL; options->ifconfig_noexec = false; } #endif #if P2MP_SERVER /* * Check consistency of --mode server options. */ if (options->mode == MODE_SERVER) { #ifdef WIN32 /* * We need to explicitly set --tap-sleep because * we do not schedule event timers in the top-level context. */ options->tuntap_options.tap_sleep = 10; if (options->route_delay_defined && options->route_delay) options->tuntap_options.tap_sleep = options->route_delay; options->route_delay_defined = false; #endif } #endif } static void options_postprocess_verify (const struct options *o) { if (o->connection_list) { int i; for (i = 0; i < o->connection_list->len; ++i) options_postprocess_verify_ce (o, o->connection_list->array[i]); } else options_postprocess_verify_ce (o, &o->ce); } static void options_postprocess_mutate (struct options *o) { /* * Process helper-type options which map to other, more complex * sequences of options. */ helper_client_server (o); helper_keepalive (o); helper_tcp_nodelay (o); options_postprocess_mutate_invariant (o); if (o->remote_list && !o->connection_list) { /* * For compatibility with 2.0.x, map multiple --remote options * into connection list (connection lists added in 2.1). */ if (o->remote_list->len > 1 || o->force_connection_list) { const struct remote_list *rl = o->remote_list; int i; for (i = 0; i < rl->len; ++i) { const struct remote_entry *re = rl->array[i]; struct connection_entry ce = o->ce; struct connection_entry *ace; ASSERT (re->remote); connection_entry_load_re (&ce, re); ace = alloc_connection_entry (o, M_USAGE); ASSERT (ace); *ace = ce; } } else if (o->remote_list->len == 1) /* one --remote option specified */ { connection_entry_load_re (&o->ce, o->remote_list->array[0]); } else { ASSERT (0); } } if (o->connection_list) { int i; for (i = 0; i < o->connection_list->len; ++i) options_postprocess_mutate_ce (o, o->connection_list->array[i]); #if HTTP_PROXY_FALLBACK if (o->http_proxy_override) options_postprocess_http_proxy_override(o); else if (o->http_proxy_fallback) options_postprocess_http_proxy_fallback(o); #endif } else options_postprocess_mutate_ce (o, &o->ce); #if P2MP /* * Save certain parms before modifying options via --pull */ pre_pull_save (o); #endif } /* * Check file/directory sanity * */ #ifndef ENABLE_SMALL /** Expect people using the stripped down version to know what they do */ #define CHKACC_FILE (1<<0) /** Check for a file/directory precense */ #define CHKACC_DIRPATH (1<<1) /** Check for directory precense where a file should reside */ #define CHKACC_FILEXSTWR (1<<2) /** If file exists, is it writable? */ #define CHKACC_INLINE (1<<3) /** File is present if it's an inline file */ #define CHKACC_ACPTSTDIN (1<<4) /** If filename is stdin, it's allowed and "exists" */ static bool check_file_access(const int type, const char *file, const int mode, const char *opt) { int errcode = 0; /* If no file configured, no errors to look for */ if (!file) return false; /* If this may be an inline file, and the proper inline "filename" is set - no issues */ if ((type & CHKACC_INLINE) && streq(file, INLINE_FILE_TAG) ) return false; /* If stdin is allowed and the file name is 'stdin', then do no * further checks as stdin is always available */ if( (type & CHKACC_ACPTSTDIN) && streq(file, "stdin") ) return false; /* Is the directory path leading to the given file accessible? */ if (type & CHKACC_DIRPATH) { char *fullpath = strdup(file); /* POSIX dirname() implementaion may modify its arguments */ char *dirpath = dirname(fullpath); if (platform_access (dirpath, mode|X_OK) != 0) errcode = errno; free(fullpath); } /* Is the file itself accessible? */ if (!errcode && (type & CHKACC_FILE) && (platform_access (file, mode) != 0) ) errcode = errno; /* If the file exists and is accessible, is it writable? */ if (!errcode && (type & CHKACC_FILEXSTWR) && (platform_access (file, F_OK) == 0) ) if (platform_access (file, W_OK) != 0) errcode = errno; /* Scream if an error is found */ if( errcode > 0 ) msg (M_NOPREFIX|M_OPTERR, "%s fails with '%s': %s", opt, file, strerror(errno));


context:
space:
mode: