This flag was introduced to allow clients to decide if they want to
ignore non-split DNS option pushed to them. So, to be compatible with
the previous behavior with --dhcp-option, we act on the flag as well
when there are no resolve-domains specified.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
The option is only enforced with the --dns option, since DNS settings
coming in via --dhcp-option have always voluntarily blocked port 53.
This behavior is kept for backwards compatibility.
Since the --dns option allows local name servers to continue to work,
even though no split DNS is pushed, supporting the option makes sense.
If admins do not want any DNS queries outside the tunnel, this is the
option to push alongside the --dns options.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Incompatible changes to the --dns server address and --dns server
exclude-domains options were introduced after the code for handling them
was released. Add and send a new IV_PROTO flag, so servers which act on
the flags set can differentiate between clients which have implemented
--dns and those which just support the new option. This enables them to
decide which variant of options to send to the client.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Prior to this, --dns and DNS-related --dhcp-options shared the same
code to apply the settings to Windows and macOS systems. So, both
options were pretty much just aliases, with --dns offering more and
finer-grained settings that were mostly ignored.
Now --dhcp-options are applied the way they have always been and --dns
does it its own - the new - way. The reason for this behavioral change is
foremost that we want it to be the same between openvpn version 2 and
version 3. But there are also a few new features (e.g. DNSSEC), previously
not present with the --dhcp-options.
The name server and split-domain configuration is exclusively set via
NRPT on Windows, since it overrules any other resolver setting. If there
is no split DNS configured and all domains are resolved using the pushed
name server, we make sure that local domain names are still resolvable by
adding so-called exclude NRPT rules that make sure local domains get
resolved by their local DNS resolvers.
Since Windows does not know about alternative secure transports, the
'transport' and 'sni' settings are ignored.
For macOS the 'dnssec' setting is ignored in addition to that. Besides
that, not much changes on that platform. In case of --dns options the
explicit values are used now. The API in use may be changed at a later time.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Create a struct NetApi, which contains various network related functions
that will be used. This is done so that these operations can be injected
as a dependency and thus replaced with mock operations for the purpose of
testing.
There are also functions which operate solely on the Registry; those are
left out of the NetApi since they can already be abstracted by struct Reg.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Create a struct Reg, which contains various setter and getter functions
for different registry types and other operations that will be used.
This is done so that these operations can be injected as a dependency
and thus replaced with mock operations for the purpose of testing.
Besides that, it makes the code more brief and less error-prone, since
there's now one implementation for converting C <-> C++ for each operation.
Move existing class RegKey and class RegKeyEnumerator into struct Reg as
well, so they are now known as Reg::Key and Reg::KeyEnumerator.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Functions from_utf8() and to_utf8() added one extra '\0' glyph to the
output string, i.e. if the input basic_string::size() was 8 the output
was 9. Normally this would not make a difference for most string
usage, as the extra NUL at the end would mostly be ignored. However, if
you used the output string to append to another string the extra NULs
were actually also appended, resulting in a string with embedded NUL
characters, which is a problem with the next use case.
The pack_string_vector() function failed to produce a wide MULTI_SZ
string from a vector of strings, contrary to what was advertised. The extra NUL
actually led to the MULTI_SZ string always being terminated after the
first string. Besides that, the function actually never terminated the
MULTI_SZ in the first place and also failed to handle empty vectors
gracefully.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
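The two defects described in this commit message, reproduced as an added example that is not openvpn3 code: the pre-fix converter and packer (`from_utf8_buggy`, `pack_string_vector_buggy`, names assumed here) beside a corrected `pack_string_vector`, plus a small MULTI_SZ reader to show how the embedded NUL truncates the list.

```cpp
#include <string>
#include <vector>
// Added example, not openvpn3 code: a REG_MULTI_SZ value is a run of
// NUL-terminated wide strings followed by one more NUL, so a valid buffer
// ends in L"\0\0". Widening is ASCII-only here; real code converts UTF-8.

// Behaviour before the fix: the converter appended a redundant terminator.
std::wstring from_utf8_buggy(const std::string &s) {
    std::wstring out(s.begin(), s.end());
    out.push_back(L'\0'); // the extra glyph the commit removes
    return out;
}

// Before the fix: the embedded NUL ends the list after the first string,
// and no final list terminator is ever written.
std::wstring pack_string_vector_buggy(const std::vector<std::string> &v) {
    std::wstring out;
    for (const auto &s : v) {
        out += from_utf8_buggy(s);
        out.push_back(L'\0');
    }
    return out;
}

// After the fix: each string NUL-terminated, the list NUL-terminated, and
// an empty vector yields the valid empty MULTI_SZ of a single NUL.
std::wstring pack_string_vector(const std::vector<std::string> &v) {
    std::wstring out;
    for (const auto &s : v) {
        out.append(s.begin(), s.end());
        out.push_back(L'\0');
    }
    out.push_back(L'\0');
    return out;
}

// Reads a MULTI_SZ back the way the registry API does: an empty string
// (two NULs in a row) ends the list, so a buggy buffer yields one entry.
std::vector<std::wstring> unpack_multi_sz(const std::wstring &buf) {
    std::vector<std::wstring> out;
    for (std::size_t pos = 0; pos < buf.size();) {
        std::size_t end = buf.find(L'\0', pos);
        if (end == std::wstring::npos || end == pos)
            break;
        out.emplace_back(buf, pos, end - pos);
        pos = end + 1;
    }
    return out;
}
```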
Since C++17 the codecvt header is deprecated and scheduled for removal
in C++26. MSVC warns about use of the deprecated API already, others will
follow soon. It was decided to deprecate and remove it since it does not
support the current UNICODE standard anymore.
Also test for the _WIN32 define, instead of WIN32, so that this keeps
working with MinGW headers, when cross-compiling.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
MinGW's g++ displays this warning when compiling:
warning: the address of ‘IP_ADDRESS_STRING::String’ will never be NULL [-Waddress]
Since String is defined as a C array, it can never be nullptr, so the
warning is correct and the check can be removed.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Instead of using nullptr for uninitialized RegKey, use the value defined
in the WIN32 API for that. We need to check for it anyway, so unifying this
makes the checks more straightforward.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
OpenVPN has the idiosyncrasy that all ciphers are uppercase and none is
spelt lowercase, and expects this idiosyncrasy also in IV_CIPHERS.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The reauthentication logic differs from openvpn2
and the code is a bit hard to follow. Simplify
the code and make it behave like in openvpn2.
- password is cached by default
- password is purged when auth-nocache is present in a local config or pushed
- when AUTH_FAILED is received and we have no session-id, throw a fatal error
- when AUTH_FAILED is received and user interaction is required for
authentication (MFA), throw a fatal error
- when AUTH_FAILED is received, user interaction is not required
for authentication and either we have a cached password OR password is not
needed, we reconnect.
Password is "needed" when a non-empty password is provided.
User interaction is required for static/dynamic challenge and SAML.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
In openvpn2 WFP block filters are added when the 'block-local' flag is
pushed to clients together with --redirect-{gateway|private}. That is
done in addition to adding routes to harden defense against attacks
collectively known as Tunnelcrack on Windows systems.
Since the openvpn3 library did not deal with the block-local flag at all
before this commit, on Windows it is sufficient to simply block traffic
to local interfaces by placing firewall rules. Traffic will only be
allowed originating from the OpenVPN process, on the VPN interface, and
loopback.
Note that previously WFP rules were already added to prevent access to
local DNS servers, when DNS servers were pushed. These are contained
within the ones added with 'block-local' and need not be set
additionally in that case.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Some classes are moved to subclasses of class WFP. Other things just got
a more descriptive name. Here is what this commit changes effectively:
* class WFPContext -> class WFP::Context
* class WFP::WFPEngine -> class WFP::EngineHandle (private)
* class ActionWFP is split into ActionBase and two derived classes
ActionBlock and ActionUnblock, so that the purpose is more visible
to the uninitiated observer (instead of just a bool making the
difference)
* instead of the 'tap_' prefix to names, use 'itf_' now, since we're
not only dealing with tap interfaces anymore
* INVALID_HANDLE_VALUE is used instead of NULL to mark a WIN32 handle
as uninitialized
Signed-off-by: Heiko Hund <heiko@openvpn.net>
We currently accept cipher none as pushed cipher when legacy ciphers are
enabled but do not announce support for it in IV_CIPHERS. This means we
currently display inconsistent behaviour. Servers that ignore IV_CIPHERS
can use none but servers that are working correctly cannot.
Setting ADAPTER_DOMAIN_SUFFIX for non-DHCP adapters requires
registry modification. For that, we need the adapter GUID.
This passes the adapter GUID from agent to client via the /tun-open call
and then from client to agent via /tun-setup call, when adapter
domain suffix is set.
Github: #304
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Signed-off-by: Krasovskiy Saveliy Igorevich <skrasovskiy@ozon.ru>
With the compression logic now tunable at runtime, the separate
executable that allowed a different define for the compression
log level is no longer needed.
Prefix the defines of test_proto.cpp with PROTO_ to avoid collisions of
these very generically named defines.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This allows test_proto.cpp to suppress all the logging of this
class. This is also the only place in our project that actually uses
a non-default loglevel for this class. A lot of files were defining the
OPENVPN_LOG_SSL(x) macro to be what the also removed ssllog.hpp would do
anyway if it were not defined.
The removed debug_level field only controlled the mssfix
logging and is now controlled by the general protocol logging instead.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This template base class allows specifying a maximum log level that
can be used to make the logging function empty above that level.
This allows us to make our logging more structured and move to a more
standard logging approach. The use of if constexpr ensures that logging at a
very high level does not emit code.
This also adds a few macros (LOG_VERBOSE, LOG_INFO, LOG_TRACE) that are drop-in
replacements for the old OPENVPN_xx_LOG and OPENVPN_xx_LOG_VERBOSE macros
and also ensure not to do string construction if logging at a certain level
is already disabled at compile time.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The openvpn3-linux ships with a netcfg-cli client, which is essentially
the same code as test/ovpncli/cli.cpp but it uses the
net.openvpn.v3.netcfg D-Bus service to create the virtual network
adapter and the related network and DNS configuration. This is a useful
test client when only wanting to test the Network Configuration service
openvpn3-linux ships with.
As part of the refactoring of the D-Bus implementation in
openvpn3-linux, the supporting D-Bus setup needs to be adjusted to the
new D-Bus API.
It has been considered to support both types of APIs, but the legacy
D-Bus API is deprecated and will not be used any more after the release
of OpenVPN 3 Linux v22_dev. Prior releases will depend on an older
OpenVPN 3 Core library version, which contains the old API.
Signed-off-by: David Sommerseth <davids@openvpn.net>
The code in dco/dcocli.hpp used #if ENABLE_KOVPN, which will
fail on newer compilers if the macro is defined in a source
file. Compilers may not complain if the macro is defined on
the command line, via -D.
This type of check should use either #ifdef or #if defined(...).
The #if conditional expects a boolean expression.
Since these code blocks also depended on #elif (which also expects
a boolean expression), the defined(...) approach was chosen
throughout this file.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Currently the ProtoContext is used as a kind of composition, but not really,
and this makes following the code harder, since this inheritance not only serves
composition but also provides callbacks through virtual method inheritance.
Making ProtoContext a normal field and defining a callback interface makes
the class relationship easier to understand.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
By resetting the timer on each incoming packet, we can capture more gaps.
Consider the following examples:
Old logic:
0 seconds: openvpn3 starts with an inactive timeout of 60 seconds.
30 seconds: An ICMP packet was received with 48 bytes.
60 seconds: 48 bytes received for the last 60 seconds, continue...
90 seconds: An ICMP packet was received with 48 bytes.
120 seconds: 48 bytes received...
New logic:
0 seconds: openvpn3 starts with an inactive timeout of 60 seconds.
30 seconds: An ICMP packet was received with 48 bytes.
Inactive timeout reset!
90 seconds: Inactive timeout triggered. Terminating session...
Signed-off-by: illia.polishchuk <illia.polishchuk@openvpn.com>
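A simulation of the two inactivity policies contrasted above, added here as an example and not taken from openvpn3: `old_inactive_trigger` checks each fixed window for any traffic, `new_inactive_trigger` restarts the timer on every packet (function names, the arrival-time list and the `horizon` bound are assumptions of this demo).

```cpp
#include <vector>

// Added example, not openvpn3 code: a simulation of the two inactivity
// policies. 'arrivals' lists packet arrival times in seconds since session
// start; both functions return the second at which the session would be
// terminated, or -1 if it survives until 'horizon'.

// Old logic: at every multiple of 'timeout', check whether any traffic
// arrived in the window that just closed. One packet per window is enough
// to keep the session alive, so a gap of nearly 2*timeout goes unnoticed.
int old_inactive_trigger(const std::vector<int> &arrivals, int timeout, int horizon) {
    for (int t = timeout; t <= horizon; t += timeout) {
        bool seen = false;
        for (int a : arrivals)
            if (a > t - timeout && a <= t) { seen = true; break; }
        if (!seen)
            return t;
    }
    return -1;
}

// New logic: every incoming packet restarts the timer, so any gap of
// 'timeout' seconds between packets (or after the last one) is caught.
int new_inactive_trigger(const std::vector<int> &arrivals, int timeout, int horizon) {
    int last = 0; // the timer is armed at session start
    for (int a : arrivals) {
        if (a - last >= timeout)
            return last + timeout;
        last = a;
    }
    if (horizon - last >= timeout)
        return last + timeout;
    return -1;
}
```

With packets at 30 s and 90 s and a 60 s timeout, the old logic keeps the session up through 120 s while the new logic terminates at 90 s, matching the timelines in the commit message.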
When correcting conversion issues in RouteBase a to_string bug was
introduced which caused some characters to be escaped when inserted
into the string, for example a prefix_len of 0 would render as "\0"
rather than inserting '0'. The std::ios::binary flag does not seem
to prevent this for std::ostringstream so I have cast the data member
up to uint16_t which should be safe, and solves the issue.
Added a unit test to demonstrate the issue. Old code output was
"0.0.0.0/\0", now outputs "0.0.0.0/0" as expected.
Signed-off-by: Charlie Vigue <charlie.vigue@openvpn.com>
A refactoring of the logging code in commit 9ffa263b removed
conventional #ifndef header guards and replaced them with #pragma
once. Some consumers of the code used the header #defines to guide
their behavior. The missing guards caused the consumers to log
incorrectly. The fix was to still rely on the #pragma once for
guarding, but to reinstate the #defines from the original headers.
Signed-off-by: Mark Deric <jmark@openvpn.net>
So that we override values from the global Ops
configuration we do not like.
While here change rebaseWhen. Since we do rebase
everything before merge anyway, let Renovate
do it for us.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
The previous commit restructured the way how peer info was built and
accidentally moved those into its own method without calling the method.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The sys/socket.h header is not available on Windows. This issue was
introduced in commit 1b4f736bb9, so the same fencing used in
that commit was also added around the #include statement.
Signed-off-by: David Sommerseth <davids@openvpn.net>
In commit 1b4f736bb9, an additional parenthesis was added to
the MacGatewayInfo constructor. This results in code which cannot be
compiled.
Signed-off-by: David Sommerseth <davids@openvpn.net>
A few minor changes:
- add ORGANIZATION meta option to ignore list
- remove excessive OVPN_ACCESS_SERVER_ prefix from NO_WEB meta option
- Increase status message length from 256 to 2048 to be able to show
the full list of unsupported options
Signed-off-by: Lev Stipakov <lev@openvpn.net>
ERR_INVALID_OPTION_DNS -- invalid value for some of the DNS\Domain options
ERR_INVALID_OPTION_CRYPTO -- invalid value for some of the SSL\Crypto options
ERR_INVALID_CONFIG -- missing option or not supported option
ERR_INVALID_OPTION_PUSHED -- pushed to server option error
ERR_INVALID_OPTION_VAL -- invalid value for some general option
Signed-off-by: Illia Polishchuk <illia.polishchuk@openvpn.com>
The OPENVPN_EXCEPTION_WITH_CODE(C, DEFAULT_CODE, ...)
macro creates an enum C_code with the __VA_ARGS__ codes
and a constructor with C_code as the first argument, which
adds a label at the beginning of the error message; other
constructors add the DEFAULT_CODE label.
Signed-off-by: Illia Polishchuk <illia.polishchuk@openvpn.com>