1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
#ifdef HAVE_CONFIG_H
#include "config.h"
#elif defined(_MSC_VER)
#include "config-msvc.h"
#endif

#include "syshead.h"

#include <limits.h>

#include "forward.h"
#include "helper.h"
#include "pool.h"
#include "push.h"

#include "memdbg.h"
38 
39 #if P2MP_SERVER
40 
/*
 * Format a prefix length as "<dotted netmask> (/<netbits>)" for use in
 * usage messages.
 *
 * @param netbits  prefix length to render
 * @param gc       arena that owns the returned string
 * @return gc-allocated text; valid as long as @p gc is.
 */
static const char *
print_netmask(int netbits, struct gc_arena *gc)
{
    const in_addr_t mask = netbits_to_netmask(netbits);
    const char *mask_str = print_in_addr_t(mask, 0, gc);
    struct buffer out = alloc_buf_gc(128, gc);

    buf_printf(&out, "%s (/%d)", mask_str, netbits);
    return BSTR(&out);
}
51 
/*
 * Build the text of a "route-gateway <addr>" directive.
 *
 * A zero gateway is treated as a programming error (ASSERT) rather than a
 * usage error: the callers in this file pass addresses derived from an
 * already-validated server network.
 *
 * @param route_gateway  gateway address, must be non-zero
 * @param gc             arena that owns the returned string
 * @return gc-allocated directive text.
 */
static const char *
print_opt_route_gateway(const in_addr_t route_gateway, struct gc_arena *gc)
{
    ASSERT(route_gateway);

    const char *gw_str = print_in_addr_t(route_gateway, 0, gc);
    struct buffer out = alloc_buf_gc(128, gc);

    buf_printf(&out, "route-gateway %s", gw_str);
    return BSTR(&out);
}
60 
/*
 * Build the fixed "route-gateway dhcp" directive text, used by the
 * address-less form of --server-bridge (see the expansion documented in
 * helper_client_server()).
 *
 * @param gc  arena that owns the returned string
 * @return gc-allocated directive text.
 */
static const char *
print_opt_route_gateway_dhcp(struct gc_arena *gc)
{
    static const char directive[] = "route-gateway dhcp";
    struct buffer out = alloc_buf_gc(32, gc);

    buf_printf(&out, "%s", directive);
    return BSTR(&out);
}
68 
/*
 * Build the text of a "route <network> [<netmask>]" directive.
 *
 * With a zero @p netmask only the network is printed, which is how the
 * --server helper pushes a host route to its own address under net30.
 * A zero network is a programming error (ASSERT).
 *
 * @param network  destination network, must be non-zero
 * @param netmask  netmask, or 0 to omit it
 * @param gc       arena that owns the returned string
 * @return gc-allocated directive text.
 */
static const char *
print_opt_route(const in_addr_t network, const in_addr_t netmask, struct gc_arena *gc)
{
    struct buffer out = alloc_buf_gc(128, gc);
    const char *net_str;

    ASSERT(network);
    net_str = print_in_addr_t(network, 0, gc);

    if (!netmask)
    {
        buf_printf(&out, "route %s", net_str);
    }
    else
    {
        buf_printf(&out, "route %s %s", net_str, print_in_addr_t(netmask, 0, gc));
    }

    return BSTR(&out);
}
89 
/*
 * Build the text of a "topology <name>" directive for the given
 * topology enum value.
 *
 * @param topology  TOP_* value, rendered via print_topology()
 * @param gc        arena that owns the returned string
 * @return gc-allocated directive text.
 */
static const char *
print_opt_topology(const int topology, struct gc_arena *gc)
{
    const char *name = print_topology(topology);
    struct buffer out = alloc_buf_gc(128, gc);

    buf_printf(&out, "topology %s", name);
    return BSTR(&out);
}
99 
/*
 * Render "<str> <i>", e.g. "ping 10", as a gc-allocated string.
 *
 * @param str  directive name
 * @param i    integer argument
 * @param gc   arena that owns the returned string
 */
static const char *
print_str_int(const char *str, const int i, struct gc_arena *gc)
{
    struct buffer line = alloc_buf_gc(128, gc);

    buf_printf(&line, "%s %d", str, i);
    return BSTR(&line);
}
107 
/*
 * Copy @p str into a gc-allocated buffer (capped at the buffer size) so
 * it can be handed to push_option() with the same lifetime as the other
 * generated directive strings.
 *
 * @param str  text to copy
 * @param gc   arena that owns the returned string
 */
static const char *
print_str(const char *str, struct gc_arena *gc)
{
    struct buffer line = alloc_buf_gc(128, gc);

    buf_printf(&line, "%s", str);
    return BSTR(&line);
}
115 
/*
 * Append a local "route <network> <netmask>" entry, with no gateway and
 * no metric, to the option set's route list.
 *
 * rol_check_alloc() is called first (presumably so that o->routes exists
 * before it is used).  The address strings are allocated in the options
 * arena so they outlive this call.
 *
 * @param network  route destination
 * @param netmask  route netmask
 * @param o        option set receiving the route
 */
static void
helper_add_route(const in_addr_t network, const in_addr_t netmask, struct options *o)
{
    const char *net_str;
    const char *mask_str;

    rol_check_alloc(o);
    net_str = print_in_addr_t(network, 0, &o->gc);
    mask_str = print_in_addr_t(netmask, 0, &o->gc);
    add_route_to_option_list(o->routes, net_str, mask_str, NULL, NULL);
}
126 
/*
 * Report a usage error unless @p a and @p b lie in the same subnet under
 * mask @p subnet.
 *
 * @param opt     directive name for the message (e.g. "--server-bridge")
 * @param a       first address
 * @param b       second address
 * @param subnet  netmask defining the subnet
 *
 * msg(M_USAGE, ...) is what this file uses for fatal configuration
 * errors; should it return, the function simply falls through.
 */
static void
verify_common_subnet(const char *opt, const in_addr_t a, const in_addr_t b, const in_addr_t subnet)
{
    /* the two addresses may differ only in the bits outside the mask */
    const bool same_subnet = (((a ^ b) & subnet) == 0);

    if (!same_subnet)
    {
        struct gc_arena gc = gc_new();
        msg(M_USAGE, "%s IP addresses %s and %s are not in the same %s subnet",
            opt,
            print_in_addr_t(a, 0, &gc),
            print_in_addr_t(b, 0, &gc),
            print_in_addr_t(subnet, 0, &gc));
        gc_free(&gc);
    }
}
141 
142 #endif /* if P2MP_SERVER */
143 
/*
 * Expand the --server, --server-ipv6, --server-bridge and --client
 * helper directives into the primitive options they stand for
 * (mode, tls-server/tls-client, ifconfig, ifconfig-pool, local routes
 * and pushed options).
 *
 * Runs after option parsing, so each directive's parameters are already
 * in @p o.  Every rejected combination is reported with msg(M_USAGE, ...),
 * which this file uses for fatal configuration errors.  The exact
 * expansion of each directive is spelled out in the comment block that
 * precedes its section below.
 *
 * NOTE(review): a number of assignment statements are absent from this
 * rendering of the file; each gap is marked inline and the expansion
 * comments describe what the missing statements set.  Confirm against
 * the upstream source before relying on those details.
 */
void
helper_client_server(struct options *o)
{
    struct gc_arena gc = gc_new();

#if P2MP
#if P2MP_SERVER

    /*
     * Get tun/tap/null device type
     */
    const int dev = dev_type_enum(o->dev, o->dev_type);
    const int topology = o->topology;

    /*
     *
     * HELPER DIRECTIVE for IPv6
     *
     * server-ipv6 2001:db8::/64
     *
     * EXPANDS TO:
     *
     * tun-ipv6
     * push "tun-ipv6"
     * ifconfig-ipv6 2001:db8::1 2001:db8::2
     * if !nopool:
     *   ifconfig-ipv6-pool 2001:db8::1000/64
     *
     */
    if (o->server_ipv6_defined)
    {
        if (!o->server_defined)
        {
            msg(M_USAGE, "--server-ipv6 must be used together with --server");
        }
        if (o->server_flags & SF_NOPOOL)
        {
            msg( M_USAGE, "--server-ipv6 is incompatible with 'nopool' option" );
        }
        /* NOTE(review): condition not rendered here; from the message it
         * rejects an explicitly configured ifconfig-ipv6-pool. */
        {
            msg( M_USAGE, "--server-ipv6 already defines an ifconfig-ipv6-pool, so you can't also specify --ifconfig-pool explicitly");
        }

        /* local ifconfig is "base address + 1" and "+2" */
        /* NOTE(review): the ifconfig-ipv6 local/remote assignments described
         * by the comment above are not rendered here. */

        /* pool starts at "base address + 0x1000" - leave enough room */
        /* NOTE(review): this ASSERT guards an operator-supplied value (the
         * --server-ipv6 prefix length).  A prefix longer than /112 therefore
         * aborts the process instead of producing a usage error like the
         * checks above; msg(M_USAGE, ...) would be the consistent treatment. */
        ASSERT( o->server_netbits_ipv6 <= 112 ); /* want 16 bits */

        o->ifconfig_ipv6_pool_defined = true;
        /* NOTE(review): the assignment target of the following expression
         * (the pool base, per the expansion above) is not rendered here. */
            add_in6_addr( o->server_network_ipv6, 0x1000 );

        /* pushed so connecting clients enable tun-ipv6 as well */
        push_option( o, "tun-ipv6", M_USAGE );
    }

    /*
     *
     * HELPER DIRECTIVE:
     *
     * server 10.8.0.0 255.255.255.0
     *
     * EXPANDS TO:
     *
     * mode server
     * tls-server
     * push "topology [topology]"
     *
     * if tun AND (topology == net30 OR topology == p2p):
     *   ifconfig 10.8.0.1 10.8.0.2
     *   if !nopool:
     *     ifconfig-pool 10.8.0.4 10.8.0.251
     *   route 10.8.0.0 255.255.255.0
     *   if client-to-client:
     *     push "route 10.8.0.0 255.255.255.0"
     *   else if topology == net30:
     *     push "route 10.8.0.1"
     *
     * if tap OR (tun AND topology == subnet):
     *   ifconfig 10.8.0.1 255.255.255.0
     *   if !nopool:
     *     ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0
     *   push "route-gateway 10.8.0.1"
     *   if route-gateway unset:
     *     route-gateway 10.8.0.2
     */

    if (o->server_defined)
    {
        int netbits = -2;       /* sentinel: never a valid prefix length */
        bool status = false;

        /* --server implies a TLS server; these directives contradict it */
        if (o->client)
        {
            msg(M_USAGE, "--server and --client cannot be used together");
        }

        /* NOTE(review): condition not rendered here; the message shows it
         * detects --server-bridge. */
        {
            msg(M_USAGE, "--server and --server-bridge cannot be used together");
        }

        /* static-key (--secret) mode is refused: server mode requires TLS */
        if (o->shared_secret_file)
        {
            msg(M_USAGE, "--server and --secret cannot be used together (you must use SSL/TLS keys)");
        }

        if (!(o->server_flags & SF_NOPOOL) && o->ifconfig_pool_defined)
        {
            msg(M_USAGE, "--server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly");
        }

        if (!(dev == DEV_TYPE_TAP || dev == DEV_TYPE_TUN))
        {
            msg(M_USAGE, "--server directive only makes sense with --dev tun or --dev tap");
        }

        /*
         * Validate the network/netmask pair before any of the address
         * arithmetic below ("+ 1", "+ 4", "| ~netmask"), all of which
         * assumes a sane prefix.
         */
        status = netmask_to_netbits(o->server_network, o->server_netmask, &netbits);
        if (!status)
        {
            msg(M_USAGE, "--server directive network/netmask combination is invalid");
        }

        if (netbits < 0)
        {
            msg(M_USAGE, "--server directive netmask is invalid");
        }

        /* a too-short prefix would make the address pool larger than supported */
        if (netbits < IFCONFIG_POOL_MIN_NETBITS)
        {
            msg(M_USAGE, "--server directive netmask allows for too many host addresses (subnet must be %s or higher)",
            /* NOTE(review): the second msg() argument (the minimum netmask,
             * presumably via print_netmask()) is not rendered here. */
        }

        if (dev == DEV_TYPE_TUN)
        {
            /* addresses held back at the top of the pool (see pool end below) */
            int pool_end_reserve = 4;

            if (netbits > 29)
            {
                msg(M_USAGE, "--server directive when used with --dev tun must define a subnet of %s or lower",
                    print_netmask(29, &gc));
            }

            /* a /29 has no room to spare, so nothing is reserved */
            if (netbits == 29)
            {
                pool_end_reserve = 0;
            }

            o->mode = MODE_SERVER;
            o->tls_server = true;

            if (topology == TOP_NET30 || topology == TOP_P2P)
            {
                /* server side of the ifconfig pair: network + 1 */
                o->ifconfig_local = print_in_addr_t(o->server_network + 1, 0, &o->gc);
                /* NOTE(review): the remote-endpoint assignment (network + 2
                 * per the expansion above) is not rendered here. */

                if (!(o->server_flags & SF_NOPOOL))
                {
                    o->ifconfig_pool_defined = true;
                    /* NOTE(review): the pool start assignment (network + 4 per
                     * the expansion above) is not rendered here. */
                    /* broadcast address minus the reserved tail */
                    o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - pool_end_reserve;
                    /* NOTE(review): a pool range verification call is not
                     * rendered here. */
                }

                /* NOTE(review): the local "route <network> <netmask>" addition
                 * from the expansion above is not rendered here. */
                if (o->enable_c2c)
                {
                    /* NOTE(review): the push of the whole-subnet route for the
                     * client-to-client case is not rendered here. */
                }
                else if (topology == TOP_NET30)
                {
                    /* netmask 0: a host route to the server's own address */
                    push_option(o, print_opt_route(o->server_network + 1, 0, &o->gc), M_USAGE);
                }
            }
            else if (topology == TOP_SUBNET)
            {
                o->ifconfig_local = print_in_addr_t(o->server_network + 1, 0, &o->gc);
                /* NOTE(review): the ifconfig netmask assignment is not rendered here. */

                if (!(o->server_flags & SF_NOPOOL))
                {
                    o->ifconfig_pool_defined = true;
                    /* NOTE(review): the pool start assignment (network + 2 per
                     * the expansion above) is not rendered here. */
                    /* the broadcast address and the one below it stay out of the pool */
                    o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 2;
                    /* NOTE(review): range verification and the pool netmask
                     * assignment are not rendered here. */
                }

                /* NOTE(review): the push of "route-gateway <network + 1>" is
                 * not rendered here. */
                if (!o->route_default_gateway)
                {
                    /* NOTE(review): the local route-gateway default (network + 2
                     * per the expansion above) is not rendered here. */
                }
            }
            else
            {
                ASSERT(0);  /* no other topology is handled for tun */
            }

            push_option(o, print_opt_topology(topology, &o->gc), M_USAGE);
        }
        else if (dev == DEV_TYPE_TAP)
        {
            if (netbits > 30)
            {
                msg(M_USAGE, "--server directive when used with --dev tap must define a subnet of %s or lower",
                    print_netmask(30, &gc));
            }

            o->mode = MODE_SERVER;
            o->tls_server = true;
            o->ifconfig_local = print_in_addr_t(o->server_network + 1, 0, &o->gc);
            /* NOTE(review): the ifconfig netmask assignment is not rendered here. */

            if (!(o->server_flags & SF_NOPOOL))
            {
                o->ifconfig_pool_defined = true;
                /* NOTE(review): the pool start assignment is not rendered here. */
                /* everything below the broadcast address */
                o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 1;
                /* NOTE(review): range verification and the pool netmask
                 * assignment are not rendered here. */
            }

            /* NOTE(review): the push of "route-gateway <network + 1>" is not
             * rendered here. */
        }
        else
        {
            ASSERT(0);  /* excluded by the dev-type check above */
        }

        /* set push-ifconfig-constraint directive */
        if ((dev == DEV_TYPE_TAP || topology == TOP_SUBNET))
        {
            /* NOTE(review): the constraint's defined/network/netmask
             * assignments are not rendered here. */
        }
    }

    /*
     * HELPER DIRECTIVE:
     *
     * server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254
     *
     * EXPANDS TO:
     *
     * mode server
     * tls-server
     *
     * ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
     * push "route-gateway 10.8.0.4"
     *
     * OR
     *
     * server-bridge
     *
     * EXPANDS TO:
     *
     * mode server
     * tls-server
     *
     * if !nogw:
     *   push "route-gateway dhcp"
     */
    /* NOTE(review): the "else if" heading this block (the server-bridge
     * condition) is not rendered here. */
    {
        if (o->client)
        {
            msg(M_USAGE, "--server-bridge and --client cannot be used together");
        }

        if (!(o->server_flags & SF_NOPOOL) && o->ifconfig_pool_defined)
        {
            msg(M_USAGE, "--server-bridge already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly");
        }

        /* as with --server: bridging mode is TLS-only */
        if (o->shared_secret_file)
        {
            msg(M_USAGE, "--server-bridge and --secret cannot be used together (you must use SSL/TLS keys)");
        }

        if (dev != DEV_TYPE_TAP)
        {
            msg(M_USAGE, "--server-bridge directive only makes sense with --dev tap");
        }

        if (o->server_bridge_defined)
        {
            /* NOTE(review): the checks on the explicit bridge addresses are
             * not rendered here; presumably verify_common_subnet() confirming
             * that the bridge IP and the pool bounds share the bridge netmask. */
        }

        o->mode = MODE_SERVER;
        o->tls_server = true;

        if (o->server_bridge_defined)
        {
            o->ifconfig_pool_defined = true;
            /* NOTE(review): the pool start/end/netmask assignments from the
             * bridge parameters and the "route-gateway <bridge ip>" push are
             * not rendered here. */
        }
        /* NOTE(review): the "else if" for the address-less form (the !nogw
         * case of the expansion) is not rendered here. */
        {
            /* NOTE(review): the push of "route-gateway dhcp" is not rendered here. */
        }
    }
    /* this 'else' binds to the if (o->client) below the #endif; without
     * P2MP_SERVER that 'if' stands on its own */
    else
#endif /* P2MP_SERVER */

    /*
     * HELPER DIRECTIVE:
     *
     * client
     *
     * EXPANDS TO:
     *
     * pull
     * tls-client
     */
    if (o->client)
    {
        /* key-method 1 is not accepted with --client */
        if (o->key_method != 2)
        {
            msg(M_USAGE, "--client requires --key-method 2");
        }

        o->pull = true;
        o->tls_client = true;
    }

#endif /* P2MP */

    gc_free(&gc);
}
494 
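/*
 *
 * HELPER DIRECTIVE:
 *
 * keepalive 10 60
 *
 * EXPANDS TO:
 *
 * if mode server:
 *   ping 10
 *   ping-restart 120
 *   push "ping 10"
 *   push "ping-restart 60"
 * else
 *   ping 10
 *   ping-restart 60
 *
 * The server keeps twice the restart timeout it pushes to clients, so a
 * client always gives up on a dead session before the server does.
 *
 * Both parameters are operator-supplied configuration.  Each violation is
 * reported with msg(M_USAGE, ...), which this file uses for fatal
 * configuration errors.
 *
 * @param o  option set to validate and expand in place
 */
void
helper_keepalive(struct options *o)
{
    if (!(o->keepalive_ping || o->keepalive_timeout))
    {
        return;
    }

    /*
     * Sanity checks.
     */
    if (o->keepalive_ping <= 0 || o->keepalive_timeout <= 0)
    {
        msg(M_USAGE, "--keepalive parameters must be > 0");
    }

    /*
     * Same condition as "ping * 2 > timeout" for the positive values
     * admitted above, but written as a division so that a huge ping
     * interval cannot overflow the signed multiplication (UB in C).
     */
    if (o->keepalive_ping > o->keepalive_timeout / 2)
    {
        msg(M_USAGE, "the second parameter to --keepalive (restart timeout=%d) must be at least twice the value of the first parameter (ping interval=%d). A ratio of 1:5 or 1:6 would be even better. Recommended setting is --keepalive 10 60.",
            o->keepalive_timeout,
            o->keepalive_ping);
    }

    if (o->ping_send_timeout || o->ping_rec_timeout)
    {
        msg(M_USAGE, "--keepalive conflicts with --ping, --ping-exit, or --ping-restart. If you use --keepalive, you don't need any of the other --ping directives.");
    }

    /*
     * Expand.
     *
     * NOTE(review): the assignments below are restored from the expansion
     * documented in the header comment; confirm them against upstream.
     */
    if (o->mode == MODE_POINT_TO_POINT)
    {
        o->ping_rec_timeout_action = PING_RESTART;
        o->ping_send_timeout = o->keepalive_ping;
        o->ping_rec_timeout = o->keepalive_timeout;
    }
#if P2MP_SERVER
    else if (o->mode == MODE_SERVER)
    {
        /* the local timeout is doubled below; refuse values where 2x overflows */
        if (o->keepalive_timeout > INT_MAX / 2)
        {
            msg(M_USAGE, "the second parameter to --keepalive (restart timeout=%d) is too large",
                o->keepalive_timeout);
        }

        o->ping_rec_timeout_action = PING_RESTART;
        o->ping_send_timeout = o->keepalive_ping;
        o->ping_rec_timeout = o->keepalive_timeout * 2;
        push_option(o, print_str_int("ping", o->keepalive_ping, &o->gc), M_USAGE);
        push_option(o, print_str_int("ping-restart", o->keepalive_timeout, &o->gc), M_USAGE);
    }
#endif
    else
    {
        ASSERT(0);  /* mode must be one of the two handled above */
    }
}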
560 
/*
 *
 * HELPER DIRECTIVE:
 *
 * tcp-nodelay
 *
 * EXPANDS TO:
 *
 * if mode server:
 *   socket-flags TCP_NODELAY
 *   push "socket-flags TCP_NODELAY"
 *
 * Whatever the mode, the local socket gets SF_TCP_NODELAY; only a server
 * additionally pushes the directive so clients set the same flag.
 *
 * @param o  option set to expand in place
 */
void
helper_tcp_nodelay(struct options *o)
{
#if P2MP_SERVER
    if (!(o->server_flags & SF_TCP_NODELAY_HELPER))
    {
        return;
    }

    /* common to server and non-server mode */
    o->sockflags |= SF_TCP_NODELAY;

    if (o->mode == MODE_SERVER)
    {
        push_option(o, print_str("socket-flags TCP_NODELAY", &o->gc), M_USAGE);
    }
#endif
}