1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #include "forward.h"
33 #include "helper.h"
34 #include "pool.h"
35 #include "push.h"
36 
37 #include "memdbg.h"
38 
39 
/*
 * Render a prefix length as "<dotted netmask> (/<netbits>)", e.g. for
 * use in --server usage errors.  The result is allocated from gc.
 */
static const char *
print_netmask(int netbits, struct gc_arena *gc)
{
    const in_addr_t mask = netbits_to_netmask(netbits);
    const char *mask_str = print_in_addr_t(mask, 0, gc);
    struct buffer out = alloc_buf_gc(128, gc);

    buf_printf(&out, "%s (/%d)", mask_str, netbits);

    return BSTR(&out);
}
50 
/*
 * Build the option string "route-gateway <addr>" for an explicit
 * gateway address.  route_gateway must be non-zero (ASSERT).
 * The result is allocated from gc.
 */
static const char *
print_opt_route_gateway(const in_addr_t route_gateway, struct gc_arena *gc)
{
    ASSERT(route_gateway);

    struct buffer out = alloc_buf_gc(128, gc);
    const char *gw_str = print_in_addr_t(route_gateway, 0, gc);

    buf_printf(&out, "route-gateway %s", gw_str);
    return BSTR(&out);
}
59 
/*
 * Build the fixed option string "route-gateway dhcp", pushed to
 * clients of a --server-bridge without an explicit gateway.
 * The result is allocated from gc.
 */
static const char *
print_opt_route_gateway_dhcp(struct gc_arena *gc)
{
    struct buffer out;

    out = alloc_buf_gc(32, gc);
    buf_printf(&out, "route-gateway dhcp");

    return BSTR(&out);
}
67 
/*
 * Build a "route <network> [<netmask>]" option string.  A zero netmask
 * means the netmask argument is left out entirely (the caller passes 0
 * for the single-address net30 route).  network must be non-zero (ASSERT).
 * The result is allocated from gc.
 */
static const char *
print_opt_route(const in_addr_t network, const in_addr_t netmask, struct gc_arena *gc)
{
    struct buffer out = alloc_buf_gc(128, gc);
    ASSERT(network);

    const char *net_str = print_in_addr_t(network, 0, gc);

    /* host-style route: no netmask argument */
    if (!netmask)
    {
        buf_printf(&out, "route %s", net_str);
        return BSTR(&out);
    }

    const char *mask_str = print_in_addr_t(netmask, 0, gc);
    buf_printf(&out, "route %s %s", net_str, mask_str);

    return BSTR(&out);
}
88 
/*
 * Build the option string "topology <name>" using the textual name
 * print_topology() gives for the topology enum value.
 * The result is allocated from gc.
 */
static const char *
print_opt_topology(const int topology, struct gc_arena *gc)
{
    const char *topology_name = print_topology(topology);
    struct buffer out = alloc_buf_gc(128, gc);

    buf_printf(&out, "topology %s", topology_name);
    return BSTR(&out);
}
98 
/*
 * Join an option keyword and an integer argument with a single space,
 * e.g. ("ping", 10) -> "ping 10".  The result is allocated from gc.
 */
static const char *
print_str_int(const char *str, const int i, struct gc_arena *gc)
{
    struct buffer out;

    out = alloc_buf_gc(128, gc);
    buf_printf(&out, "%s %d", str, i);

    return BSTR(&out);
}
106 
/*
 * Copy a fixed option string into a gc-allocated buffer so it can be
 * handed to push_option() alongside the other generated options.
 * str is passed as a "%s" argument, never as a format string.
 */
static const char *
print_str(const char *str, struct gc_arena *gc)
{
    struct buffer out;

    out = alloc_buf_gc(128, gc);
    buf_printf(&out, "%s", str);

    return BSTR(&out);
}
114 
115 static void
116 helper_add_route(const in_addr_t network, const in_addr_t netmask, struct options *o)
117 {
118  rol_check_alloc(o);
120  print_in_addr_t(network, 0, &o->gc),
121  print_in_addr_t(netmask, 0, &o->gc),
122  NULL,
123  NULL);
124 }
125 
/*
 * Abort with a usage error (M_USAGE) unless addresses a and b fall in
 * the same subnet under mask subnet.  opt names the directive being
 * checked and is only used in the error text.
 */
static void
verify_common_subnet(const char *opt, const in_addr_t a, const in_addr_t b, const in_addr_t subnet)
{
    /* bits that differ between a and b, restricted to the network part */
    const bool same_subnet = (((a ^ b) & subnet) == 0);

    if (!same_subnet)
    {
        struct gc_arena gc = gc_new();
        msg(M_USAGE, "%s IP addresses %s and %s are not in the same %s subnet",
            opt,
            print_in_addr_t(a, 0, &gc),
            print_in_addr_t(b, 0, &gc),
            print_in_addr_t(subnet, 0, &gc));
        gc_free(&gc);
    }
}
140 
141 
142 /*
143  * Process server, server-bridge, and client helper
144  * directives after the parameters themselves have been
145  * parsed and placed in struct options.
146  */
147 void
149 {
150  struct gc_arena gc = gc_new();
151 
152  /*
153  * Get tun/tap/null device type
154  */
155  const int dev = dev_type_enum(o->dev, o->dev_type);
156  const int topology = o->topology;
157 
158  /*
159  *
160  * HELPER DIRECTIVE for IPv6
161  *
162  * server-ipv6 2001:db8::/64
163  *
164  * EXPANDS TO:
165  *
166  * tun-ipv6
167  * push "tun-ipv6"
168  * ifconfig-ipv6 2001:db8::1 2001:db8::2
169  * if !nopool:
170  * ifconfig-ipv6-pool 2001:db8::1000/64
171  *
172  */
173  if (o->server_ipv6_defined)
174  {
175  if (o->client)
176  {
177  msg(M_USAGE, "--server-ipv6 and --client cannot be used together");
178  }
179 
180  if (o->server_flags & SF_NOPOOL)
181  {
182  msg( M_USAGE, "--server-ipv6 is incompatible with 'nopool' option" );
183  }
185  {
186  msg( M_USAGE, "--server-ipv6 already defines an ifconfig-ipv6-pool, so you can't also specify --ifconfig-pool explicitly");
187  }
188 
189  o->mode = MODE_SERVER;
190  o->tls_server = true;
191 
192  /* local ifconfig is "base address + 1" and "+2" */
198 
199  /* basic sanity check */
200  ASSERT(o->server_netbits_ipv6 >= 64 && o->server_netbits_ipv6 <= 124);
201 
202  o->ifconfig_ipv6_pool_defined = true;
203  /* For large enough pools we keep the original behaviour of adding
204  * 0x1000 when computing the base.
205  *
206  * Smaller pools can't get that far, therefore we just increase by 2
207  */
209  o->server_netbits_ipv6 < 112 ? 0x1000 : 2);
211 
212  push_option( o, "tun-ipv6", M_USAGE );
213  }
214 
215  /*
216  *
217  * HELPER DIRECTIVE:
218  *
219  * server 10.8.0.0 255.255.255.0
220  *
221  * EXPANDS TO:
222  *
223  * mode server
224  * tls-server
225  * push "topology [topology]"
226  *
227  * if tun AND (topology == net30 OR topology == p2p):
228  * ifconfig 10.8.0.1 10.8.0.2
229  * if !nopool:
230  * ifconfig-pool 10.8.0.4 10.8.0.251
231  * route 10.8.0.0 255.255.255.0
232  * if client-to-client:
233  * push "route 10.8.0.0 255.255.255.0"
234  * else if topology == net30:
235  * push "route 10.8.0.1"
236  *
237  * if tap OR (tun AND topology == subnet):
238  * ifconfig 10.8.0.1 255.255.255.0
239  * if !nopool:
240  * ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0
241  * push "route-gateway 10.8.0.1"
242  * if route-gateway unset:
243  * route-gateway 10.8.0.2
244  */
245 
246  if (o->server_defined)
247  {
248  int netbits = -2;
249  bool status = false;
250 
251  if (o->client)
252  {
253  msg(M_USAGE, "--server and --client cannot be used together");
254  }
255 
257  {
258  msg(M_USAGE, "--server and --server-bridge cannot be used together");
259  }
260 
261  if (o->shared_secret_file)
262  {
263  msg(M_USAGE, "--server and --secret cannot be used together (you must use SSL/TLS keys)");
264  }
265 
266  if (!(o->server_flags & SF_NOPOOL) && o->ifconfig_pool_defined)
267  {
268  msg(M_USAGE, "--server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly");
269  }
270 
271  if (!(dev == DEV_TYPE_TAP || dev == DEV_TYPE_TUN))
272  {
273  msg(M_USAGE, "--server directive only makes sense with --dev tun or --dev tap");
274  }
275 
276  status = netmask_to_netbits(o->server_network, o->server_netmask, &netbits);
277  if (!status)
278  {
279  msg(M_USAGE, "--server directive network/netmask combination is invalid");
280  }
281 
282  if (netbits < 0)
283  {
284  msg(M_USAGE, "--server directive netmask is invalid");
285  }
286 
287  if (netbits < IFCONFIG_POOL_MIN_NETBITS)
288  {
289  msg(M_USAGE, "--server directive netmask allows for too many host addresses (subnet must be %s or higher)",
291  }
292 
293  if (dev == DEV_TYPE_TUN)
294  {
295  int pool_end_reserve = 4;
296 
297  if (netbits > 29)
298  {
299  msg(M_USAGE, "--server directive when used with --dev tun must define a subnet of %s or lower",
300  print_netmask(29, &gc));
301  }
302 
303  if (netbits == 29)
304  {
305  pool_end_reserve = 0;
306  }
307 
308  o->mode = MODE_SERVER;
309  o->tls_server = true;
310 
311  if (topology == TOP_NET30 || topology == TOP_P2P)
312  {
313  o->ifconfig_local = print_in_addr_t(o->server_network + 1, 0, &o->gc);
315 
316  if (!(o->server_flags & SF_NOPOOL))
317  {
318  o->ifconfig_pool_defined = true;
320  o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - pool_end_reserve;
322  }
323 
325  if (o->enable_c2c)
326  {
328  }
329  else if (topology == TOP_NET30)
330  {
331  push_option(o, print_opt_route(o->server_network + 1, 0, &o->gc), M_USAGE);
332  }
333  }
334  else if (topology == TOP_SUBNET)
335  {
336  o->ifconfig_local = print_in_addr_t(o->server_network + 1, 0, &o->gc);
338 
339  if (!(o->server_flags & SF_NOPOOL))
340  {
341  o->ifconfig_pool_defined = true;
343  o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 2;
345  }
347 
349  if (!o->route_default_gateway)
350  {
352  }
353  }
354  else
355  {
356  ASSERT(0);
357  }
358 
359  push_option(o, print_opt_topology(topology, &o->gc), M_USAGE);
360 
361  if (topology == TOP_NET30 && !(o->server_flags & SF_NOPOOL))
362  {
363  msg(M_WARN, "WARNING: --topology net30 support for server "
364  "configs with IPv4 pools will be removed in a future "
365  "release. Please migrate to --topology subnet as soon "
366  "as possible.");
367  }
368  }
369  else if (dev == DEV_TYPE_TAP)
370  {
371  if (netbits > 30)
372  {
373  msg(M_USAGE, "--server directive when used with --dev tap must define a subnet of %s or lower",
374  print_netmask(30, &gc));
375  }
376 
377  o->mode = MODE_SERVER;
378  o->tls_server = true;
379  o->ifconfig_local = print_in_addr_t(o->server_network + 1, 0, &o->gc);
381 
382  if (!(o->server_flags & SF_NOPOOL))
383  {
384  o->ifconfig_pool_defined = true;
386  o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 1;
388  }
390 
392  }
393  else
394  {
395  ASSERT(0);
396  }
397 
398  /* set push-ifconfig-constraint directive */
399  if ((dev == DEV_TYPE_TAP || topology == TOP_SUBNET))
400  {
404  }
405  }
406 
407  /*
408  * HELPER DIRECTIVE:
409  *
410  * server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254
411  *
412  * EXPANDS TO:
413  *
414  * mode server
415  * tls-server
416  *
417  * ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
418  * push "route-gateway 10.8.0.4"
419  *
420  * OR
421  *
422  * server-bridge
423  *
424  * EXPANDS TO:
425  *
426  * mode server
427  * tls-server
428  *
429  * if !nogw:
430  * push "route-gateway dhcp"
431  */
433  {
434  if (o->client)
435  {
436  msg(M_USAGE, "--server-bridge and --client cannot be used together");
437  }
438 
439  if (!(o->server_flags & SF_NOPOOL) && o->ifconfig_pool_defined)
440  {
441  msg(M_USAGE, "--server-bridge already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly");
442  }
443 
444  if (o->shared_secret_file)
445  {
446  msg(M_USAGE, "--server-bridge and --secret cannot be used together (you must use SSL/TLS keys)");
447  }
448 
449  if (dev != DEV_TYPE_TAP)
450  {
451  msg(M_USAGE, "--server-bridge directive only makes sense with --dev tap");
452  }
453 
454  if (o->server_bridge_defined)
455  {
459  }
460 
461  o->mode = MODE_SERVER;
462  o->tls_server = true;
463 
464  if (o->server_bridge_defined)
465  {
466  o->ifconfig_pool_defined = true;
472  }
474  {
476  }
477  }
478  else
479  /*
480  * HELPER DIRECTIVE:
481  *
482  * client
483  *
484  * EXPANDS TO:
485  *
486  * pull
487  * tls-client
488  */
489  if (o->client)
490  {
491  o->pull = true;
492  o->tls_client = true;
493  }
494 
495  gc_free(&gc);
496 }
497 
498 /*
499  *
500  * HELPER DIRECTIVE:
501  *
502  * keepalive 10 60
503  *
504  * EXPANDS TO:
505  *
506  * if mode server:
507  * ping 10
508  * ping-restart 120
509  * push "ping 10"
510  * push "ping-restart 60"
511  * else
512  * ping 10
513  * ping-restart 60
514  */
515 void
517 {
518  if (o->keepalive_ping || o->keepalive_timeout)
519  {
520  /*
521  * Sanity checks.
522  */
523  if (o->keepalive_ping <= 0 || o->keepalive_timeout <= 0)
524  {
525  msg(M_USAGE, "--keepalive parameters must be > 0");
526  }
527  if (o->keepalive_ping * 2 > o->keepalive_timeout)
528  {
529  msg(M_USAGE, "the second parameter to --keepalive (restart timeout=%d) must be at least twice the value of the first parameter (ping interval=%d). A ratio of 1:5 or 1:6 would be even better. Recommended setting is --keepalive 10 60.",
531  o->keepalive_ping);
532  }
533  if (o->ping_send_timeout || o->ping_rec_timeout)
534  {
535  msg(M_USAGE, "--keepalive conflicts with --ping, --ping-exit, or --ping-restart. If you use --keepalive, you don't need any of the other --ping directives.");
536  }
537 
538  /*
539  * Expand.
540  */
541  if (o->mode == MODE_POINT_TO_POINT)
542  {
546  }
547  else if (o->mode == MODE_SERVER)
548  {
552  push_option(o, print_str_int("ping", o->keepalive_ping, &o->gc), M_USAGE);
553  push_option(o, print_str_int("ping-restart", o->keepalive_timeout, &o->gc), M_USAGE);
554  }
555  else
556  {
557  ASSERT(0);
558  }
559  }
560 }
561 
562 /*
563  *
564  * HELPER DIRECTIVE:
565  *
566  * tcp-nodelay
567  *
568  * EXPANDS TO:
569  *
570  * if mode server:
571  * socket-flags TCP_NODELAY
572  * push "socket-flags TCP_NODELAY"
573  */
574 void
576 {
578  {
579  if (o->mode == MODE_SERVER)
580  {
582  push_option(o, print_str("socket-flags TCP_NODELAY", &o->gc), M_USAGE);
583  }
584  else
585  {
587  }
588  }
589 }