26 #elif defined(_MSC_VER)
33 #include <systemd/sd-daemon.h>
/*
 * Bit flags selecting which per-context state gets (re)initialised.
 * They are independent bits so callers can OR them together; each one
 * is only a request and the corresponding init code decides what to do.
 */
69 #define CF_LOAD_PERSISTED_PACKET_ID (1<<0) /* load the on-disk packet-id (replay) state; presumably only meaningful with a persist file configured -- confirm at the caller */
70 #define CF_INIT_TLS_MULTI (1<<1) /* initialise the tls_multi TLS state for this tunnel */
71 #define CF_INIT_TLS_AUTH_STANDALONE (1<<2) /* initialise the standalone TLS-auth state used to authenticate a client's initial connection attempt before a full session exists */
117 const char *dev_type,
119 const char *ifconfig_local,
120 const char *ifconfig_remote,
122 const char *signal_text,
123 const char *script_type,
147 if (!ifconfig_remote)
149 ifconfig_remote =
"";
162 arg, tun_mtu, ifconfig_local, ifconfig_remote,
context);
166 msg(
M_FATAL,
"ERROR: up/down plugin call failed");
179 ifconfig_local, ifconfig_remote,
context);
210 #ifdef ENABLE_MANAGEMENT
220 if (
streq(p[1],
"NONE"))
224 else if (p[2] && p[3])
228 msg(
M_INFO,
"Proxy set via management, disabling Data Channel Offload.");
232 if (
streq(p[1],
"HTTP"))
237 msg(
M_WARN,
"HTTP proxy support only works for TCP based connections");
246 else if (
streq(p[1],
"SOCKS"))
316 const char *parameters)
319 size_t len = strlen(command) + 1 + strlen(parameters) + 1;
367 char *out = malloc(len);
376 msg(
M_WARN,
"Out of bounds index in management query for remote entry: index = %u", index);
391 if (!strcmp(p[1],
"ACCEPT"))
396 else if (!strcmp(p[1],
"SKIP"))
402 else if (!strcmp(p[1],
"MOD") && p[2] && p[3])
435 int ce_changed =
true;
488 for (i = 0; i < l->
len; ++i)
575 int advance_count = 1;
599 msg(
M_FATAL,
"No usable connection profiles are present");
614 #ifdef ENABLE_MANAGEMENT
633 }
while (!ce_defined);
639 msg(
M_FATAL,
"All connections have been connect-retry-max (%d) times unsuccessful, exiting",
661 #ifdef ENABLE_MANAGEMENT
696 bool did_http =
false;
744 #if defined(ENABLE_PKCS11)
748 pkcs11_initialize(
true, c->
options.pkcs11_pin_cache_period);
751 pkcs11_addProvider(c->
options.pkcs11_providers[i], c->
options.pkcs11_protected_authentication[i],
752 c->
options.pkcs11_private_mode[i], c->
options.pkcs11_cert_private[i]);
764 strcpy(up.
username,
"Please insert your cryptographic token");
771 #ifdef ENABLE_SYSTEMD
776 sd_notifyf(0,
"READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
777 (
unsigned long) getpid());
793 close_port_share(
void)
797 port_share_close(port_share);
803 init_port_share(
struct context *c)
805 if (!port_share && (c->
options.port_share_host && c->
options.port_share_port))
807 port_share = port_share_open(c->
options.port_share_host,
810 c->
options.port_share_journal_dir);
811 if (port_share == NULL)
813 msg(
M_FATAL,
"Fatal error: Port sharing failed");
827 crypto_init_dmalloc();
838 if (!gettimeofday(&tv, NULL))
840 const unsigned int seed = (
unsigned int) tv.tv_sec ^ tv.tv_usec;
851 #ifdef OPENVPN_DEBUG_COMMAND_LINE
854 for (i = 0; i < argc; ++i)
875 #ifdef IFCONFIG_POOL_TEST
876 ifconfig_pool_test(0x0A010004, 0x0A0100FF);
880 #ifdef CHARACTER_CLASS_DEBUG
881 character_class_debug();
885 #ifdef EXTRACT_X509_FIELD_TEST
895 #ifdef TEST_GET_DEFAULT_GATEWAY
909 const char *fn = gen_path(
"foo",
918 #ifdef STATUS_PRINTF_TEST
927 msg(
M_WARN,
"STATUS_PRINTF_TEST: %s: write error", tmp_file);
937 mstats_open(
"/dev/shm/mstats.dat");
938 for (i = 0; i < 30; ++i)
940 mmap_stats->n_clients += 1;
941 mmap_stats->link_write_bytes += 8;
942 mmap_stats->link_read_bytes += 16;
966 #if defined(MEASURE_TLS_HANDSHAKE_STATS)
967 show_tls_performance_stats();
1059 msg(
M_USAGE,
"Using --genkey type with --secret filename is "
1060 "not supported. Use --genkey type filename instead.");
1068 msg(
M_USAGE,
"You must provide a filename to either --genkey "
1069 "or --secret, not both");
1078 msg(
M_WARN,
"WARNING: Using --genkey --secret filename is "
1079 "DEPRECATED. Use --genkey secret filename instead.");
1084 if (nbits_written < 0)
1090 "Randomly generated %d bit key written to %s", nbits_written,
1104 "--genkey tls-crypt-v2-client requires a server key to be set via --tls-crypt-v2 to create a client key");
1143 "options --mktun or --rmtun should only be used together with --dev");
1146 #if defined(ENABLE_DCO)
1158 msg(
M_WARN,
"Note: --mktun does not support DCO. Creating TUN interface.");
1165 #ifdef ENABLE_FEATURE_TUN_PERSIST
1177 "options --mktun and --rmtun are not available on your operating "
1178 "system. Please check 'man tun' (or 'tap'), whether your system "
1179 "supports using 'ifconfig %s create' / 'destroy' to create/remove "
1180 "persistent tunnel interfaces.",
options->
dev );
1194 #ifdef ENABLE_SYSTEMD
1196 if (sd_notify(0,
"READY=0") > 0)
1206 #if defined(__APPLE__) && defined(__clang__)
1207 #pragma clang diagnostic push
1208 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
1212 msg(
M_ERR,
"daemon() failed or unsupported");
1214 #if defined(__APPLE__) && defined(__clang__)
1215 #pragma clang diagnostic pop
1234 static const char why_not[] =
"will be delayed because of --client, --pull, or --up-delay";
1248 msg(
M_INFO,
"NOTE: chroot %s", why_not);
1263 msg(
M_INFO,
"NOTE: UID/GID downgrade %s", why_not);
1267 #ifdef ENABLE_MEMSTATS
1270 mstats_open(c->
options.memstats_fn);
1274 #ifdef ENABLE_SELINUX
1281 if (c->
options.selinux_context)
1285 if (-1 == setcon(c->
options.selinux_context))
1287 msg(
M_ERR,
"setcon to '%s' failed; is /proc accessible?", c->
options.selinux_context);
1296 msg(
M_INFO,
"NOTE: setcon %s", why_not);
1504 const char *gw = NULL;
1550 const char *gw = NULL;
1574 char *opt_list[] = {
"::/3",
"2000::/4",
"3000::/4",
"fc00::/7", NULL };
1577 for (i = 0; opt_list[i]; i++)
1605 static const char message[] =
"Initialization Sequence Completed";
1619 msg(
M_INFO,
"%s With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )", message);
1621 #ifdef ENABLE_SYSTEMD
1622 sd_notifyf(0,
"STATUS=Failed to start up: %s With Errors\nERRNO=1", message);
1629 #ifdef ENABLE_SYSTEMD
1630 sd_notifyf(0,
"STATUS=%s", message);
1645 #ifdef ENABLE_MANAGEMENT
1650 struct in6_addr *tun_local6 = NULL;
1653 socklen_t sa_len =
sizeof(local);
1654 const char *detail =
"SUCCESS";
1662 #if defined(_WIN32) || defined(ENABLE_SITNL)
1665 detail =
"ROUTE_ERROR";
1671 remote = actual->
dest;
1673 #if ENABLE_IP_PKTINFO
1676 switch (local.
addr.
sa.sa_family)
1679 #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
1680 local.
addr.
in4.sin_addr = actual->pi.in4.ipi_spec_dst;
1682 local.
addr.
in4.sin_addr = actual->pi.in4;
1687 local.
addr.
in6.sin6_addr = actual->pi.in6.ipi6_addr;
1733 #ifdef ENABLE_MANAGEMENT
1744 msg(
M_WARN,
"WARNING: route-up plugin call failed");
1812 #ifdef TARGET_ANDROID
1828 #ifdef TARGET_ANDROID
1853 msg(
D_ROUTE,
"interactive service msg_channel=%" PRIuPTR,
1896 #ifdef TARGET_ANDROID
1965 msg(
M_INFO,
"Preserving previous TUN/TAP instance: %s",
2059 #ifdef ENABLE_MANAGEMENT
2212 msg(
D_DCO,
"Cannot set parameters for DCO peer (id=%u): %s",
2228 if (
buf_len(buf) > strlen(header))
2245 uint8_t line[1024] = { 0 };
2251 buf_printf(&out,
"Data Channel: cipher '%s'",
2256 buf_printf(&out,
"Data Channel: cipher '%s', auth '%s'",
2266 if (c->
c2.comp_context)
2268 buf_printf(&out,
", compression: '%s'", c->
c2.comp_context->alg.name);
2276 const char *header =
"Timers: ";
2317 if (
buf_len(&out) > strlen(header))
2323 header =
"Protocol options: ";
2351 if (
buf_len(&out) > strlen(header))
2368 struct frame *frame_fragment = NULL;
2369 #ifdef ENABLE_FRAGMENT
2390 do_up(
struct context *c,
bool pulled_options,
unsigned int option_types_found)
2392 int error_flags = 0;
2423 msg(
M_INFO,
"NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
2430 msg(
M_NONFATAL,
"dco-win doesn't yet support reopening TUN device");
2459 msg(
D_DCO,
"Cannot add peer to DCO: %s (%d)", strerror(-ret), ret);
2483 msg(
D_TLS_ERRORS,
"ERROR: Failed to apply P2P negotiated protocol options");
2491 msg(
D_TLS_ERRORS,
"ERROR: Failed to apply DCO keepalive or MSS fix parameters");
2536 unsigned int flags =
2584 "--data-ciphers-fallback not enabled. No usable "
2585 "data channel cipher");
2589 struct frame *frame_fragment = NULL;
2590 #ifdef ENABLE_FRAGMENT
2616 msg(
D_PUSH,
"OPTIONS IMPORT: --verb and/or --mute level changed");
2628 msg(
D_PUSH,
"OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp");
2633 msg(
D_PUSH_DEBUG,
"OPTIONS IMPORT: explicit notify parm(s) modified");
2641 comp_uninit(c->
c2.comp_context);
2642 c->
c2.comp_context = comp_init(&c->
options.comp);
2648 msg(
D_PUSH,
"OPTIONS IMPORT: traffic shaper enabled");
2654 msg(
D_PUSH,
"OPTIONS IMPORT: --sndbuf/--rcvbuf options modified");
2660 msg(
D_PUSH,
"OPTIONS IMPORT: --socket-flags option modified");
2666 msg(
D_PUSH,
"OPTIONS IMPORT: --persist options modified");
2670 msg(
D_PUSH,
"OPTIONS IMPORT: --ifconfig/up options modified");
2674 msg(
D_PUSH,
"OPTIONS IMPORT: route options modified");
2678 msg(
D_PUSH,
"OPTIONS IMPORT: route-related options modified");
2682 msg(
D_PUSH,
"OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified");
2686 msg(
D_PUSH,
"OPTIONS IMPORT: environment modified");
2709 "with data channel offload. Use --disable-dco to connect to "
2726 "tun-mtu-max %d in the client configuration",
2742 #ifdef ENABLE_MANAGEMENT
2777 if (GREMLIN_CONNECTION_FLOOD_LEVEL(c->
options.gremlin))
2947 msg(
D_MTU_DEBUG,
"MTU: adding %zu buffer tailroom for compression for %zu "
2990 #ifdef ENABLE_PREDICTION_RESISTANCE
2991 if (c->
options.use_prediction_resistance)
2993 rand_ctx_enable_prediction_resistance();
3043 msg(
M_INFO,
"Re-using pre-shared static key");
3070 msg(
M_FATAL,
"ERROR: tls-auth enabled, but no valid --auth "
3079 "Control Channel Authentication",
"tls-auth",
3119 msg(
M_WARN,
"ERROR: tls-crypt-v2 client key too large to work with "
3120 "requested --max-packet-size %d, requires at least "
3121 "--max-packet-size %d. Packets will ignore requested "
3151 msg(
M_FATAL,
"Error: private key password verification failed");
3236 bool packet_id_long_form;
3268 if (packet_id_long_form)
3343 #ifdef ENABLE_X509ALTUSERNAME
3357 #ifdef ENABLE_MANAGEMENT
3379 #ifdef ENABLE_MANAGEMENT
3384 to.comp_options =
options->comp;
3387 #ifdef HAVE_EXPORT_KEYING_MATERIAL
3388 if (
options->keying_material_exporter_label)
3474 "Control Channel MTU parms");
3484 "TLS-Auth MTU parms");
3504 "******* WARNING *******: All encryption and authentication features "
3505 "disabled -- All data will be tunnelled as clear text and will not be "
3506 "protected against man-in-the-middle changes. "
3507 "PLEASE DO RECONSIDER THIS CONFIGURATION!");
3544 #ifdef ENABLE_FRAGMENT
3554 #if defined(ENABLE_FRAGMENT)
3561 "WARNING: using --fragment and --mtu-test together may produce an inaccurate MTU test result");
3565 #ifdef ENABLE_FRAGMENT
3568 msg(
M_WARN,
"WARNING: if you use --mssfix and --fragment, you should "
3569 "set --fragment (%d) larger or equal than --mssfix (%d)",
3575 msg(
M_WARN,
"WARNING: if you use --mssfix and --fragment, you should "
3576 "use the \"mtu\" flag for both or none of of them.");
3588 msg(
M_WARN,
"WARNING: --ping should normally be used with --ping-restart or --ping-exit");
3592 #ifdef ENABLE_SELINUX
3593 || o->selinux_context
3599 msg(
M_WARN,
"WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail");
3607 msg(
M_WARN,
"WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail");
3613 msg(
M_WARN,
"WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure");
3618 msg(
M_WARN,
"WARNING: using --pull/--client and --ifconfig together is probably not what you want");
3623 msg(
M_WARN,
"NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to");
3630 msg(
M_WARN,
"WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want");
3634 msg(
M_WARN,
"WARNING: --ifconfig-pool-persist will not work with --duplicate-cn");
3638 msg(
M_WARN,
"WARNING: --keepalive option is missing from server config");
3644 msg(
M_WARN,
"WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure");
3657 msg(
M_WARN,
"WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.");
3661 msg(
M_WARN,
"WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.");
3669 msg(
M_WARN,
"NOTE: the current --script-security setting may allow this configuration to call user-defined scripts");
3673 msg(
M_WARN,
"WARNING: the current --script-security setting may allow passwords to be passed to scripts via environmental variables");
3677 msg(
M_WARN,
"NOTE: starting with " PACKAGE_NAME " 2.1, '--script-security 2' or higher is required to call user-defined scripts or executables");
3701 b->decompress_buf =
alloc_buf(buf_size);
3739 #ifdef ENABLE_FRAGMENT
3772 #ifdef ENABLE_FRAGMENT
3776 "Fragmentation MTU parms");
3799 msg(
D_SHOW_OCC,
"Expected Remote Options String (VER=%s): '%s'",
3978 #ifdef ENABLE_FRAGMENT
3999 bool need_us_timeout)
4001 unsigned int flags = 0;
4007 if (need_us_timeout)
4124 msg(
M_INFO,
"NOTE: --fast-io is disabled since we are running on Windows");
4128 msg(
M_INFO,
"NOTE: --fast-io is disabled since we are not using UDP");
4134 msg(
M_INFO,
"NOTE: --fast-io is disabled since we are using --shaper");
4158 #ifdef ENABLE_PLUGIN
4184 for (i = 0; i < config.
n; ++i)
4186 unsigned int option_types_found = 0;
4193 &option_types_found,
4230 #ifdef ENABLE_MANAGEMENT
4245 msg(msglevel,
"END");
4247 msg(msglevel,
"ERROR: Sorry, this command is currently only implemented on Windows");
4251 #ifdef TARGET_ANDROID
4253 management_callback_network_change(
void *arg,
bool samenetwork)
4295 #ifdef ENABLE_MANAGEMENT
4306 #ifdef TARGET_ANDROID
4307 cb.network_change = management_callback_network_change;
4316 #ifdef ENABLE_MANAGEMENT
4365 msg(
M_WARN,
"Signal received from management interface, exiting");
4393 #ifdef ENABLE_MANAGEMENT
4404 #ifdef ENABLE_MANAGEMENT
4529 #ifdef ENABLE_PLUGIN
4583 #ifdef ENABLE_FRAGMENT
4593 unsigned int crypto_flags = 0;
4617 c->
c2.comp_context = comp_init(&
options->comp);
4633 #ifdef ENABLE_FRAGMENT
4651 int error_flags = 0;
4675 #ifdef ENABLE_PLUGIN
4711 #ifdef ENABLE_PLUGIN
4759 if (c->
c2.comp_context)
4761 comp_uninit(c->
c2.comp_context);
4762 c->
c2.comp_context = NULL;
4785 #ifdef ENABLE_MANAGEMENT
4792 #ifdef ENABLE_PLUGIN
4803 #ifdef ENABLE_FRAGMENT
4864 #ifdef ENABLE_PLUGIN
4946 dest->
c2.comp_context = NULL;
4987 unsigned int pid = 0;
4991 msg(
M_ERR,
"Open error on pid file %s", filename);
4996 fprintf(fp,
"%u\n", pid);
4999 msg(
M_ERR,
"Close error on pid file %s", filename);
const char * tls_crypt_file
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
struct tuntap * init_tun(const char *dev, const char *dev_type, int topology, const char *ifconfig_local_parm, const char *ifconfig_remote_netmask_parm, const char *ifconfig_ipv6_local_parm, int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn, struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt)
static void do_close_ifconfig_pool_persist(struct context *c)
unsigned int pull_permission_mask(const struct context *c)
struct event_timeout route_wakeup
void tun_standby_init(struct tuntap *tt)
bool do_test_crypto(const struct options *o)
struct tls_auth_standalone * tls_auth_standalone
TLS state structure required for the initial authentication of a client's connection attempt.
enum genkey_type genkey_type
struct plugin_list * plugin_list_init(const struct plugin_option_list *list)
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
static void do_close_plugins(struct context *c)
int write_key_file(const int nkeys, const char *filename)
Write nkeys 1024-bit keys to the file named by filename.
volatile int signal_received
void do_ifconfig_setenv(const struct tuntap *tt, struct env_set *es)
static void do_init_server_poll_timeout(struct context *c)
void tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu)
static void next_connection_entry(struct context *c)
#define CE_MAN_QUERY_REMOTE_MOD
struct verify_hash_list * verify_hash
#define OPENVPN_PLUGIN_UP
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
unsigned int mss_fix
The actual MSS value that should be written to the payload packets.
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
const char * config_ncp_ciphers
void management_post_tunnel_open(struct management *man, const in_addr_t tun_local_ip)
static void do_close_tls(struct context *c)
void fragment_frame_init(struct fragment_master *f, const struct frame *frame)
Allocate internal packet buffers for a fragment_master structure.
void notnull(const char *arg, const char *description)
const char * verify_x509_name
struct static_challenge_info sc_info
#define OPENVPN_PLUGIN_DOWN
struct key2 original_wrap_keydata
Original key data that is XORed into the key for dynamic tls-crypt.
const struct link_socket * accept_from
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
static struct gc_arena gc_new(void)
struct fragment_master * fragment_init(struct frame *frame)
Allocate and initialize a fragment_master structure.
void do_ifconfig(struct tuntap *tt, const char *ifname, int tun_mtu, const struct env_set *es, openvpn_net_ctx_t *ctx)
do_ifconfig - configure the tunnel interface
int connect_retry_seconds
int explicit_exit_notification
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
bool open_management(struct context *c)
struct frame frame_initial
void fragment_free(struct fragment_master *f)
Free a fragment_master structure and its internal packet buffers.
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
struct context_persist persist
Persistent context.
int len
Length in bytes of the actual content within the allocated memory.
void restore_signal_state(void)
void frame_print(const struct frame *frame, int level, const char *prefix)
void signal_reset(struct signal_info *si)
const char * socks_proxy_server
int set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr, const struct env_set *es)
void open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt, openvpn_net_ctx_t *ctx)
static void init_connection_list(struct context *c)
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
bool management_hold(struct management *man, int holdtime)
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true if and only if item is present in the colon-separated, zero-terminated cipher list.
void init_query_passwords(const struct context *c)
Query for private key and auth-user-pass username/passwords.
void env_set_destroy(struct env_set *es)
const char * auth_token_secret_file
#define EVENT_METHOD_US_TIMEOUT
enum windows_driver_type windows_driver
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
struct tuntap * tuntap
Tun/tap virtual network interface.
bool tls_crypt_file_inline
static void set_check_status_error_delay(unsigned int milliseconds)
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
int64_t inactivity_minimum_bytes
void packet_id_persist_load(struct packet_id_persist *p, const char *filename)
static void do_close_free_buf(struct context *c)
const struct buffer * tls_crypt_v2_wkc
Wrapped client key, sent to server.
static int occ_reset_op(void)
void management_sleep(const int n)
A sleep function that services the management layer for n seconds rather than doing nothing.
bool tuntap_owned
Whether the tun/tap interface should be cleaned up when this context is cleaned up.
static void do_open_status_output(struct context *c)
Contains all state information for one tunnel.
static void do_setup_fast_io(struct context *c)