helper.c
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #include "forward.h"
33 #include "helper.h"
34 #include "pool.h"
35 #include "push.h"
36 
37 #include "memdbg.h"
38 
39 
/**
 * Render a prefix length as "a.b.c.d (/n)" for use in usage messages.
 *
 * @param netbits  prefix length; converted with netbits_to_netmask()
 * @param gc       arena the returned string is allocated from
 * @return         NUL-terminated string owned by @p gc
 */
static const char *
print_netmask(int netbits, struct gc_arena *gc)
{
    struct buffer text = alloc_buf_gc(128, gc);
    const in_addr_t mask = netbits_to_netmask(netbits);
    const char *mask_str = print_in_addr_t(mask, 0, gc);

    buf_printf(&text, "%s (/%d)", mask_str, netbits);
    return BSTR(&text);
}
50 
/**
 * Build the "route-gateway <ip>" directive text.
 *
 * @param route_gateway  gateway address; zero is a caller bug (ASSERT)
 * @param gc             arena the returned string is allocated from
 * @return               NUL-terminated directive string owned by @p gc
 */
static const char *
print_opt_route_gateway(const in_addr_t route_gateway, struct gc_arena *gc)
{
    struct buffer line = alloc_buf_gc(128, gc);
    const char *gw_str;

    ASSERT(route_gateway);
    gw_str = print_in_addr_t(route_gateway, 0, gc);
    buf_printf(&line, "route-gateway %s", gw_str);

    return BSTR(&line);
}
59 
/**
 * Build the fixed "route-gateway dhcp" directive text.
 *
 * Takes only the arena; the returned string is owned by it.
 */
static const char *
/* NOTE(review): the signature line (helper.c:61) is not rendered on this page */
{
    /* 32 bytes is enough for the constant text below */
    struct buffer out = alloc_buf_gc(32, gc);
    buf_printf(&out, "route-gateway dhcp");
    return BSTR(&out);
}
67 
/**
 * Build a "route <network> [<netmask>]" directive text.
 *
 * @param network  route destination; zero is a caller bug (ASSERT)
 * @param netmask  netmask to append, or 0 to emit "route <network>" only
 * @param gc       arena the returned string is allocated from
 * @return         NUL-terminated directive string owned by @p gc
 */
static const char *
print_opt_route(const in_addr_t network, const in_addr_t netmask, struct gc_arena *gc)
{
    struct buffer line = alloc_buf_gc(128, gc);
    const char *net_str;

    ASSERT(network);
    net_str = print_in_addr_t(network, 0, gc);

    if (!netmask)
    {
        /* no netmask given: the directive carries the network alone */
        buf_printf(&line, "route %s", net_str);
    }
    else
    {
        buf_printf(&line, "route %s %s",
                   net_str,
                   print_in_addr_t(netmask, 0, gc));
    }

    return BSTR(&line);
}
88 
/**
 * Build the "topology <name>" directive text.
 *
 * @param topology  topology enum value, rendered with print_topology()
 * @param gc        arena the returned string is allocated from
 * @return          NUL-terminated directive string owned by @p gc
 */
static const char *
print_opt_topology(const int topology, struct gc_arena *gc)
{
    const char *name = print_topology(topology);
    struct buffer line = alloc_buf_gc(128, gc);

    buf_printf(&line, "topology %s", name);
    return BSTR(&line);
}
98 
/**
 * Build "<str> <i>" — a directive name followed by one integer argument.
 *
 * @param str  directive name, copied verbatim
 * @param i    integer argument
 * @param gc   arena the returned string is allocated from
 * @return     NUL-terminated string owned by @p gc
 */
static const char *
print_str_int(const char *str, const int i, struct gc_arena *gc)
{
    struct buffer line = alloc_buf_gc(128, gc);

    buf_printf(&line, "%s %d", str, i);

    return BSTR(&line);
}
106 
/**
 * Copy a constant directive string into the arena.
 *
 * Using "%s" rather than passing @p str as the format keeps any '%' in the
 * text from being interpreted by buf_printf().
 *
 * @param str  text to copy
 * @param gc   arena the returned string is allocated from
 * @return     NUL-terminated copy owned by @p gc
 */
static const char *
print_str(const char *str, struct gc_arena *gc)
{
    struct buffer copy = alloc_buf_gc(128, gc);

    buf_printf(&copy, "%s", str);

    return BSTR(&copy);
}
114 
/**
 * Append a network route (no gateway, no metric) to the option's route list.
 *
 * @param network  route destination
 * @param netmask  route netmask
 * @param o        options whose route list receives the entry; the address
 *                 strings are allocated from o->gc
 */
static void
helper_add_route(const in_addr_t network, const in_addr_t netmask, struct gc_arena *o)
{
    /* make sure o->routes exists before appending */
    rol_check_alloc(o);
    /* NOTE(review): source line 119 (the start of the call whose arguments
     * follow) is not rendered on this page */
    print_in_addr_t(network, 0, &o->gc),
    print_in_addr_t(netmask, 0, &o->gc),
    NULL,      /* gateway: none */
    NULL);     /* metric: none */
}
125 
/**
 * Fail with a usage error unless @p a and @p b share the subnet @p subnet.
 *
 * @param opt     option name quoted in the error message
 * @param a       first address
 * @param b       second address
 * @param subnet  netmask both addresses are compared under
 *
 * The local arena only backs the message text; it is released before return.
 */
static void
verify_common_subnet(const char *opt, const in_addr_t a, const in_addr_t b, const in_addr_t subnet)
{
    struct gc_arena gc = gc_new();
    const bool same_subnet = ((a & subnet) == (b & subnet));

    if (!same_subnet)
    {
        msg(M_USAGE, "%s IP addresses %s and %s are not in the same %s subnet",
            opt,
            print_in_addr_t(a, 0, &gc),
            print_in_addr_t(b, 0, &gc),
            print_in_addr_t(subnet, 0, &gc));
    }

    gc_free(&gc);
}
140 
141 
142 /*
143  * Process server, server-bridge, and client helper
144  * directives after the parameters themselves have been
145  * parsed and placed in struct options.
146  */
/**
 * Expand the --server-ipv6, --server, --server-bridge and --client helper
 * directives into the plain options they stand for (see the per-directive
 * comments inside), rejecting contradictory combinations with M_USAGE.
 *
 * @param o  options being post-processed; expanded values are written back
 *           into it, and strings kept in @p o are allocated from o->gc.
 *
 * Only the local arena is touched when not built with P2MP.
 */
void
/* NOTE(review): the signature line (helper.c:148) is not rendered on this page */
{
    /* local arena for strings that only live in usage messages */
    struct gc_arena gc = gc_new();

#if P2MP

    /*
     * Get tun/tap/null device type
     */
    const int dev = dev_type_enum(o->dev, o->dev_type);
    const int topology = o->topology;

    /*
     *
     * HELPER DIRECTIVE for IPv6
     *
     * server-ipv6 2001:db8::/64
     *
     * EXPANDS TO:
     *
     * tun-ipv6
     * push "tun-ipv6"
     * ifconfig-ipv6 2001:db8::1 2001:db8::2
     * if !nopool:
     * ifconfig-ipv6-pool 2001:db8::1000/64
     *
     */
    if (o->server_ipv6_defined)
    {
        if (o->client)
        {
            msg(M_USAGE, "--server-ipv6 and --client cannot be used together");
        }

        if (o->server_flags & SF_NOPOOL)
        {
            msg( M_USAGE, "--server-ipv6 is incompatible with 'nopool' option" );
        }
        /* NOTE(review): source line 186 (the condition of this block) is not
         * rendered on this page */
        {
            msg( M_USAGE, "--server-ipv6 already defines an ifconfig-ipv6-pool, so you can't also specify --ifconfig-pool explicitly");
        }

        o->mode = MODE_SERVER;
        o->tls_server = true;

        /* local ifconfig is "base address + 1" and "+2" */
        /* NOTE(review): source lines 195-199 are not rendered on this page */

        /* basic sanity check */
        /* NOTE(review): an out-of-range prefix aborts via ASSERT instead of
         * producing an M_USAGE message; presumably the option parser has
         * already rejected such values — confirm against the parser */
        ASSERT(o->server_netbits_ipv6 >= 64 && o->server_netbits_ipv6 <= 124);

        o->ifconfig_ipv6_pool_defined = true;
        /* For large enough pools we keep the original behaviour of adding
         * 0x1000 when computing the base.
         *
         * Smaller pools can't get that far, therefore we just increase by 2
         */
        /* NOTE(review): source line 210 (start of the pool-base computation
         * whose last argument follows) is not rendered on this page */
        o->server_netbits_ipv6 < 112 ? 0x1000 : 2);
        /* NOTE(review): source line 212 is not rendered on this page */

        push_option( o, "tun-ipv6", M_USAGE );
    }

    /*
     *
     * HELPER DIRECTIVE:
     *
     * server 10.8.0.0 255.255.255.0
     *
     * EXPANDS TO:
     *
     * mode server
     * tls-server
     * push "topology [topology]"
     *
     * if tun AND (topology == net30 OR topology == p2p):
     * ifconfig 10.8.0.1 10.8.0.2
     * if !nopool:
     * ifconfig-pool 10.8.0.4 10.8.0.251
     * route 10.8.0.0 255.255.255.0
     * if client-to-client:
     * push "route 10.8.0.0 255.255.255.0"
     * else if topology == net30:
     * push "route 10.8.0.1"
     *
     * if tap OR (tun AND topology == subnet):
     * ifconfig 10.8.0.1 255.255.255.0
     * if !nopool:
     * ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0
     * push "route-gateway 10.8.0.1"
     * if route-gateway unset:
     * route-gateway 10.8.0.2
     */

    if (o->server_defined)
    {
        /* netbits is filled in by netmask_to_netbits() below; -2 marks "unset" */
        int netbits = -2;
        bool status = false;

        if (o->client)
        {
            msg(M_USAGE, "--server and --client cannot be used together");
        }

        /* NOTE(review): source line 258 (the condition of this block) is not
         * rendered on this page */
        {
            msg(M_USAGE, "--server and --server-bridge cannot be used together");
        }

        /* server mode is TLS-only: a static --secret is rejected outright */
        if (o->shared_secret_file)
        {
            msg(M_USAGE, "--server and --secret cannot be used together (you must use SSL/TLS keys)");
        }

        if (!(o->server_flags & SF_NOPOOL) && o->ifconfig_pool_defined)
        {
            msg(M_USAGE, "--server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly");
        }

        if (!(dev == DEV_TYPE_TAP || dev == DEV_TYPE_TUN))
        {
            msg(M_USAGE, "--server directive only makes sense with --dev tun or --dev tap");
        }

        /* reject a netmask that is not a contiguous prefix, or one that does
         * not cover the given network */
        status = netmask_to_netbits(o->server_network, o->server_netmask, &netbits);
        if (!status)
        {
            msg(M_USAGE, "--server directive network/netmask combination is invalid");
        }

        if (netbits < 0)
        {
            msg(M_USAGE, "--server directive netmask is invalid");
        }

        /* an upper bound on pool size lives in pool.h */
        if (netbits < IFCONFIG_POOL_MIN_NETBITS)
        {
            msg(M_USAGE, "--server directive netmask allows for too many host addresses (subnet must be %s or higher)",
            /* NOTE(review): source line 292 (the %s argument) is not rendered
             * on this page */
        }

        if (dev == DEV_TYPE_TUN)
        {
            /* addresses held back at the top of the pool for net30/p2p */
            int pool_end_reserve = 4;

            if (netbits > 29)
            {
                msg(M_USAGE, "--server directive when used with --dev tun must define a subnet of %s or lower",
                    print_netmask(29, &gc));
            }

            /* a /29 has no room to reserve anything */
            if (netbits == 29)
            {
                pool_end_reserve = 0;
            }

            o->mode = MODE_SERVER;
            o->tls_server = true;

            if (topology == TOP_NET30 || topology == TOP_P2P)
            {
                /* arithmetic on in_addr_t values; assumes host byte order
                 * here — confirm against print_in_addr_t()'s contract */
                o->ifconfig_local = print_in_addr_t(o->server_network + 1, 0, &o->gc);
                /* NOTE(review): source line 316 is not rendered on this page */

                if (!(o->server_flags & SF_NOPOOL))
                {
                    o->ifconfig_pool_defined = true;
                    /* NOTE(review): source line 321 is not rendered on this page */
                    /* broadcast address minus the reserve */
                    o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - pool_end_reserve;
                    /* NOTE(review): source line 323 is not rendered on this page */
                }

                /* NOTE(review): source line 326 is not rendered on this page */
                if (o->enable_c2c)
                {
                    /* NOTE(review): source line 329 is not rendered on this page */
                }
                else if (topology == TOP_NET30)
                {
                    push_option(o, print_opt_route(o->server_network + 1, 0, &o->gc), M_USAGE);
                }
            }
            else if (topology == TOP_SUBNET)
            {
                o->ifconfig_local = print_in_addr_t(o->server_network + 1, 0, &o->gc);
                /* NOTE(review): source line 339 is not rendered on this page */

                if (!(o->server_flags & SF_NOPOOL))
                {
                    o->ifconfig_pool_defined = true;
                    /* NOTE(review): source line 344 is not rendered on this page */
                    /* broadcast address minus 2 */
                    o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 2;
                    /* NOTE(review): source line 346 is not rendered on this page */
                }
                /* NOTE(review): source line 348 is not rendered on this page */

                /* NOTE(review): source line 350 is not rendered on this page */
                if (!o->route_default_gateway)
                {
                    /* NOTE(review): source line 353 is not rendered on this page */
                }
            }
            else
            {
                /* every tun topology is handled above */
                ASSERT(0);
            }

            push_option(o, print_opt_topology(topology, &o->gc), M_USAGE);

            if (topology == TOP_NET30 && !(o->server_flags & SF_NOPOOL))
            {
                msg(M_WARN, "WARNING: --topology net30 support for server "
                    "configs with IPv4 pools will be removed in a future "
                    "release. Please migrate to --topology subnet as soon "
                    "as possible.");
            }
        }
        else if (dev == DEV_TYPE_TAP)
        {
            if (netbits > 30)
            {
                msg(M_USAGE, "--server directive when used with --dev tap must define a subnet of %s or lower",
                    print_netmask(30, &gc));
            }

            o->mode = MODE_SERVER;
            o->tls_server = true;
            o->ifconfig_local = print_in_addr_t(o->server_network + 1, 0, &o->gc);
            /* NOTE(review): source line 382 is not rendered on this page */

            if (!(o->server_flags & SF_NOPOOL))
            {
                o->ifconfig_pool_defined = true;
                /* NOTE(review): source line 387 is not rendered on this page */
                /* broadcast address minus 1 */
                o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 1;
                /* NOTE(review): source line 389 is not rendered on this page */
            }
            /* NOTE(review): source line 391 is not rendered on this page */

            /* NOTE(review): source line 393 is not rendered on this page */
        }
        else
        {
            /* dev was restricted to tun/tap above */
            ASSERT(0);
        }

        /* set push-ifconfig-constraint directive */
        if ((dev == DEV_TYPE_TAP || topology == TOP_SUBNET))
        {
            /* NOTE(review): source lines 403-405 are not rendered on this page */
        }
    }

    /*
     * HELPER DIRECTIVE:
     *
     * server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254
     *
     * EXPANDS TO:
     *
     * mode server
     * tls-server
     *
     * ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
     * push "route-gateway 10.8.0.4"
     *
     * OR
     *
     * server-bridge
     *
     * EXPANDS TO:
     *
     * mode server
     * tls-server
     *
     * if !nogw:
     * push "route-gateway dhcp"
     */
    /* NOTE(review): source line 434 (the condition of this block) is not
     * rendered on this page */
    {
        if (o->client)
        {
            msg(M_USAGE, "--server-bridge and --client cannot be used together");
        }

        if (!(o->server_flags & SF_NOPOOL) && o->ifconfig_pool_defined)
        {
            msg(M_USAGE, "--server-bridge already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly");
        }

        /* server mode is TLS-only: a static --secret is rejected outright */
        if (o->shared_secret_file)
        {
            msg(M_USAGE, "--server-bridge and --secret cannot be used together (you must use SSL/TLS keys)");
        }

        if (dev != DEV_TYPE_TAP)
        {
            msg(M_USAGE, "--server-bridge directive only makes sense with --dev tap");
        }

        if (o->server_bridge_defined)
        {
            /* NOTE(review): source lines 458-460 are not rendered on this page */
        }

        o->mode = MODE_SERVER;
        o->tls_server = true;

        if (o->server_bridge_defined)
        {
            o->ifconfig_pool_defined = true;
            /* NOTE(review): source lines 469-473 are not rendered on this page */
        }
        /* NOTE(review): source line 475 (the condition of the next block) is
         * not rendered on this page */
        {
            /* NOTE(review): source line 477 is not rendered on this page */
        }
    }
    else
    /*
     * HELPER DIRECTIVE:
     *
     * client
     *
     * EXPANDS TO:
     *
     * pull
     * tls-client
     */
    if (o->client)
    {
        o->pull = true;
        o->tls_client = true;
    }

#endif /* P2MP */

    gc_free(&gc);
}
501 
502 /*
503  *
504  * HELPER DIRECTIVE:
505  *
506  * keepalive 10 60
507  *
508  * EXPANDS TO:
509  *
510  * if mode server:
511  * ping 10
512  * ping-restart 120
513  * push "ping 10"
514  * push "ping-restart 60"
515  * else
516  * ping 10
517  * ping-restart 60
518  */
/**
 * Expand the --keepalive helper directive (see the comment above) into
 * ping/ping-restart settings, and in server mode also push them to clients.
 *
 * @param o  options being post-processed; a nonzero keepalive_ping or
 *           keepalive_timeout enables the expansion
 */
void
/* NOTE(review): the signature line (helper.c:520) is not rendered on this page */
{
    if (o->keepalive_ping || o->keepalive_timeout)
    {
        /*
         * Sanity checks.
         */
        if (o->keepalive_ping <= 0 || o->keepalive_timeout <= 0)
        {
            msg(M_USAGE, "--keepalive parameters must be > 0");
        }
        /* NOTE(review): keepalive_ping * 2 is signed arithmetic and would
         * overflow for values above INT_MAX/2; keepalive_ping > keepalive_timeout / 2
         * expresses the same check without that risk — confirm the parser
         * bounds the value before relying on this */
        if (o->keepalive_ping * 2 > o->keepalive_timeout)
        {
            msg(M_USAGE, "the second parameter to --keepalive (restart timeout=%d) must be at least twice the value of the first parameter (ping interval=%d). A ratio of 1:5 or 1:6 would be even better. Recommended setting is --keepalive 10 60.",
                /* NOTE(review): source line 534 (the first %d argument) is not
                 * rendered on this page */
                o->keepalive_ping);
        }
        /* --keepalive replaces the individual --ping* directives entirely */
        if (o->ping_send_timeout || o->ping_rec_timeout)
        {
            msg(M_USAGE, "--keepalive conflicts with --ping, --ping-exit, or --ping-restart. If you use --keepalive, you don't need any of the other --ping directives.");
        }

        /*
         * Expand.
         */
        if (o->mode == MODE_POINT_TO_POINT)
        {
            /* NOTE(review): source lines 547-549 are not rendered on this page */
        }
        else if (o->mode == MODE_SERVER)
        {
            /* NOTE(review): source lines 553-555 are not rendered on this page */
            /* clients get the same ping interval and the unscaled timeout */
            push_option(o, print_str_int("ping", o->keepalive_ping, &o->gc), M_USAGE);
            push_option(o, print_str_int("ping-restart", o->keepalive_timeout, &o->gc), M_USAGE);
        }
        else
        {
            /* only the two modes above exist */
            ASSERT(0);
        }
    }
}
565 
566 /*
567  *
568  * HELPER DIRECTIVE:
569  *
570  * tcp-nodelay
571  *
572  * EXPANDS TO:
573  *
574  * if mode server:
575  * socket-flags TCP_NODELAY
576  * push "socket-flags TCP_NODELAY"
577  */
/**
 * Expand the --tcp-nodelay helper directive (see the comment above); in
 * server mode the socket flag is also pushed to clients.
 *
 * @param o  options being post-processed
 */
void
/* NOTE(review): the signature line (helper.c:579) is not rendered on this page */
{
    /* NOTE(review): source line 581 (the condition of this block) is not
     * rendered on this page */
    {
        if (o->mode == MODE_SERVER)
        {
            /* NOTE(review): source line 585 is not rendered on this page */
            push_option(o, print_str("socket-flags TCP_NODELAY", &o->gc), M_USAGE);
        }
        else
        {
            /* NOTE(review): source line 590 is not rendered on this page */
        }
    }
}