Age | Commit message (Collapse) | Author | Files | Lines |
|
Modified win/build_all.py so that it parses command-line options using getopt.
Added option "-u / --unsigned" which allows forcing unsigned builds and a "-h /
--help" option. By default a signed build is generated, provided that the Python
SignTool module is installed. If not, the build is interrupted.
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: Peter Stuge <peter@stuge.se>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6656 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
not free, since it is allocated by OpenSSL.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6655 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Peter Korsgaard <jacmet@sunsite.dk> reported an issue [1] when compiling
with --disable-crypto activated. He suggested a patch, which only
partly solved the issue. SVN r6568 / commit 3cf9dd88fd84108 added a
new feature which further made it impossible to compile without crypto.
This patch fixes both issues, based on Peter Korsgaard's patch.
[1] <http://sourceforge.net/mailarchive/forum.php?thread_name=87fwx08bod.fsf%40macbook.be.48ers.dk&forum_name=openvpn-devel>
Signed-off-by: James Yonan <james@openvpn.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
Signed-off-by: Jesse Young <jesse.young@gmail.com>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
|
|
Reformulated parts of this entry to clarify that the OpenVPN
will not attempt notifying the server unless this option is used.
This misunderstanding was reported anonymously to the old SF.net
tracker.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Trac-ticket: 40
|
|
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: krzee <jeff@doeshosting.com>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
OpenVPN should send a Host: header to comply with the HTTP/1.1
specification.
Full discussion of this patch can be found here:
<http://thread.gmane.org/gmane.network.openvpn.devel/4039>
Signed-off-by: Lars Hupel <hupel@in.tum.de>
Acked-by: Peter Stuge <peter@stuge.se>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Trac-ticket: 63
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6585 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
base64.c.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6569 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
where credentials are entered from stdin. This capability is
compiled when ENABLE_CLIENT_CR is defined in syshead.h (enabled
by default).
Challenge/response support was previously implemented for creds
that are queried via the management interface. In this case,
the challenge message will be returned as a custom
client-reason-text string (see management-notes.txt for more
info) on auth failure.
Also, see the comments in misc.c above get_auth_challenge()
for info on the OpenVPN challenge/response protocol.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6568 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
(Gert Doering).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6566 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
The init_route() function will leave &netlist untouched for
get_special_addr() routes ("remote_host" being one of them).
netlist is on stack, contains random garbage, and netlist.len
will not be 0 - thus, random stack data is copied from
netlist.data[] until the route_list is full.
This issue has been reported several places lately:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=600166
http://thread.gmane.org/gmane.network.openvpn.devel/4083
https://forums.openvpn.net/viewtopic.php?f=1&t=7201&p=8168
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
The warnings reported where:
--------------------------------------------------------
misc.c:158: warning: ignoring return value of ‘nice’, declared with attribute warn_unused_result
options.c:4033: warning: format not a string literal and no format arguments
options.c:4043: warning: format not a string literal and no format arguments
options.c:4053: warning: format not a string literal and no format arguments
push.c:182: warning: format not a string literal and no format arguments
push.c:199: warning: format not a string literal and no format arguments
push.c:235: warning: format not a string literal and no format arguments
status.c:171: warning: ignoring return value of ‘ftruncate’, declared with attribute warn_unused_result
--------------------------------------------------------
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Peter Stuge <peter@stuge.se>
|
|
Several places we exited with 0 instead of 77 when we want to indicate
that we should skip this test.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
|
|
This is to avoid 'make check' fail if this extra test case is not
configured.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
|
|
This is now built using "configure", knows how to find "ip", "ifconfig" and "netstat" (configure
does the work :-) ), *and* has been tested on Solaris (works!).
extend configure.ac to find "netstat" binary and to chmod +x "t_client.sh"
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
Run from "make check" if "t_client.rc" is found in workdir or srcdir
(copy t_client.rc-sample, fill in specifics for your test server)
How does it work?
- you run "sudo make check" (needs root access to configure tun if!)
- t_client.sh reads t_client.rc from current dir or ${srcdir}
- t_client.rc defines a number of "test suffixes" to run (could be
"1" "2" "3" or "p2m", "p2p", "special" or whatever you like), and
for each suffix, there's config variables to specify
- how to call OpenVPN
- which hosts to ping for IPv4 and IPv6 when OpenVPN is up
(and actually before starting OpenVPN - to make the test more
meaningful, I have decided that the test hosts must not ping
before the tests starts)
- which addresses must show up in the output of "ifconfig" after
OpenVPN has started
- all variables except OPENVPN_CONF_<x> are optional
(this should all be fairly obvious from looking at t_client.rc-sample)
- the script wants to connect to a well-defined OpenVPN server that
will assign well-known IPv4 (and IPv6) addresses, have well-defined
pingable addresse, etc. - so you need to setup the test server before
the script is useful for you. (Whether you use certificates or
username/password is up to you, you could even mix and match - run
one test with certs, and one with user/pass against different target
ports... :-) )
[we *could* run a "reference server" somewhere and ship a sample
t_client.rc + cert so that users could use this right away, but I
do not currently have the resources to run such a public server]
- whatever the script does is logged to a newly created directory
below the current directory (openvpn output, ifconfig+route before
starting OpenVPN, while running it, after ending it)
- important: at least on NetBSD and OpenBSD, the script will print
one failure, because the tun0 interface created is not destroyed
after openvpn ends. For OpenBSD, I have changed close_tun() to
do so ("ifconfig tun0 destroy"), for NetBSD I have not yet changed
anything - but I strongly believe that the output of "ifconfig+route"
should be reverted to exactly how it looked like before OpenVPN
was started, so I consider this a bug in the NetBSD-specific bits
of OpenVPN (and will look into this).
- the test framework has been tested on Linux, NetBSD and OpenBSD.
It *should* work fine on FreeBSD and Solaris.
It works on MacOS X (but the output looks funny, because /bin/sh
does not implement "echo -e" - need to add configure trickery)
It will *not* work on Windows yet - I haven't looked into what's
needed to make it work (background processes and signals in mingw
bash?), maybe it's as easy as adding the necessary "ipconfig" and
"netsh" commands to print interface + routing config...
- I have only tested "connect via IPv4 transport, use IPv4+IPv6 payload",
but the framework is generic enough that "connect via IPv6 transport"
should work just fine (just setup OPENVPN_CONF_x accordingly in the
t_client.rc).
- this is neither finished nor pretty, but it helps me a *lot* in
quickly testing whether I broke anything when fiddling system-dependent
code (tun.c, route.c) across multiple build hosts - so I hope this
is going to be fairly useful to Samuli and the buildbot :-)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
When compiling against OpenSSL v1.0.0, the following compiler warnings
appears.
ssl.c: In function ‘verify_callback’:
ssl.c:944: warning: passing argument 1 of ‘sk_num’ from incompatible
pointer type
/usr/include/openssl/stack.h:79: note: expected ‘const struct _STACK *’
but argument is of type ‘struct stack_st_X509_REVOKED *’
ssl.c:947: warning: passing argument 1 of ‘sk_value’ from incompatible
pointer type
/usr/include/openssl/stack.h:80: note: expected ‘const struct _STACK *’
but argument is of type ‘struct stack_st_X509_REVOKED *’
ssl.c: In function ‘init_ssl’:
ssl.c:1565: warning: passing argument 1 of ‘sk_num’ from incompatible
pointer type
/usr/include/openssl/stack.h:79: note: expected ‘const struct _STACK *’
but argument is of type ‘struct stack_st_X509 *’
ssl.c: In function ‘print_details’:
ssl.c:1766: warning: assignment discards qualifiers from pointer target type
Trac ticket #5
https://community.openvpn.net/openvpn/ticket/5
Signed-off-by: chantra <chantra@debuntu.org>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
Previous fix (commit eb973e055bc249948) fixed NetBSD but not OpenBSD
(include <sys/socket.h> *after* <sys/types.h>)
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: krzee <jeff@doeshosting.com>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
Configure will not find <net/if.h> due to missing <sys/types.h> in the test program,
and thus, tun.c will fail to compile with missing symbol IFF_MULTICAST.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: krzee <jeff@doeshosting.com>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
This is a fix for trac ticket #20,
<https://community.openvpn.net/openvpn/ticket/20>
which was started in the sf.net bug tracker:
<http://sourceforge.net/tracker/?func=detail&aid=2078470&group_id=48978&atid=454719>
The implemented solution is to give a warning for each of the different script hooks
available. The last configured script will override any earlier configured scripts,
to ensure that the command line can override the configuration file.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
|
|
Problem: using --ping and --inactive together partially defeats the
point of using --inactive as periodic ping packets are counted as
activity. Here is the original discussion:
http://article.gmane.org/gmane.network.openvpn.devel/3676
It turns out that "activity" is detected and recorded in two places
in the code, both in forward.c: in process_outgoing_tun() for received
packets, after they've been decrypted and sent to the TUN device; and
in process_outgoing_link(), after they've been encrypted and written
to the network socket.
In the first case we can be sure that packets that get so far are
really due to user activity, whereas in the second case there can be
non-user packets (like OpenVPN's internal ping packets, and TLS control
packets), and those should not be counted as activity as they are not
coming from the user.
So a need arises to detect those control packets and not count them as
activity for the purposes of --inactive. Unfortunately, at that stage
packets are already compressed and encrypted, so it's not possible to
look into them to see what they are. However, there seems to be a
convention in the code that packets whose buffer length in the context_2
structure is 0 should be ignored for certain purposes. TLS control
packets follow that convention already, so this patch makes a small
change in the code that generates the ping packets to set their buffer
length to 0 as well.
Finally, the call to register_activity() in process_outgoing_link() is
made conditional to the buffer length being > 0.
According to my tests, now --inactive behaves correctly according to
the configured parameters (time or time+bytes) even when --ping is
being used.
forward.c:
Call register_activity() in process_outgoing_link() only if the
packet is not a ping or TLS control packet.
openvpn.8:
Updated the description of --inactive to describe the new semantics.
ping.c:
Set c->c2.buf.len = 0 after the ping packet has been generated and
encrypted.
Test routine is described here:
<https://community.openvpn.net/openvpn/wiki/PingInactivePatch?version=6>
Signed-off-by: Davide Brini <dave_br@gmx.com>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
Just minor updates to comments in openvpn-plugin.h
Signed-off-by: chantra <chantra@debuntu.org>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
Solves bug ticket 13
<https://community.openvpn.net/openvpn/ticket/13>
When the client sends PUSH_REQUESTS, it waits until the server sends PUSH_REPLY.
If the server do not have anything to push to the client nothing happens. The
client will then regularly send new PUSH_REQUESTS until it gets an answer, which
results in not completing the connection negotiation.
This patch makes the server send an empty PUSH_REPLY when it has nothing to more
to push to the client.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
|
|
Allow subnets for like 192.168.100.8/28 to be understood. A warning
will be logged when subnet is incorrect and is being corrected to what
is assumed to be correct.
Signed-off-by: chantra <chantra@debuntu.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
contrib/OCSP_check/OCSP_check.sh:
I discovered that, quite surprisingly, the exit status of "openssl ocsp"
is 0 even if the certificate status is "revoked". This means that the
logic of the script needs to be rewritten so that it parses the output
returned by the query and explicitly looks for a
"0x<serial number>: good"
line, and exit if either the command has a non-zero exit status, or the
above line is not found.
Doing that portably without bashisms requires some juggling around, so
perhaps the code is slightly less clean now, but it does have many
comments.
Signed-off-by: Davide Brini <dave_br@gmx.com>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
For OpenVPN clients with long living connections, this message is repeated
everytime the connection is renegotiated. This patch removes this behaviour
and will only show this warning once.
Patch ACKed on the developers meeting 2009-04-29.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
|
|
contrib/OCSP_check/OCSP_check.sh:
New barebone script to demonstrate how to use $tls_serial_{n}
to perform simple OCSP queries using OpenSSL command line
"openssl ocsp". Minimal sanity checks to fail if user tries to
use it without customizing.
openvpn.8:
Added some notes about $tls_serial_{n} format and usage to the
existing description.
ssl.c:
correctly manage and export serial numbers of any size (as
parsed by OpenSSL) into the environment. Set to empty string
in case of errors, as 0 and negative numbers are all possible
(although illegal) certificate serial numbers. Use an OpenSSL
BIO object to do the job. Conforms to coding style guidelines.
See the discussion at
http://article.gmane.org/gmane.network.openvpn.devel/3588
for more details.
Signed-off-by: Davide Brini <dave_br@gmx.com>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
In commit a9c9a89e96dc1e4e843e05ecadc4349b81606b06 the
client.{up,down} scripts where overhauled and bashism was removed.
During that process, a #! change was missing.
Signed-off-by: Davide Brini <dave_br@gmx.com>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
Patch arrived from Davide Brini:
- No more bashisms (AFAICT). Should work with any POSIX-compatible shell
(which means "almost all reasonably recent shells"), though I've only tested
with bash and dash.
- Unnecessary calls to external tools (sed) removed
- Manages multiple DNS and DOMAIN options. Each DNS option becomes a
"nameserver" line in the new resolv.conf (up to a maximum of 3). If there's a
single DOMAIN option, it becomes a "domain" line in resolv.conf; otherwise,
all the domains are listed in a "search" line in resolv.conf (eg "search
foo.com example.net").
- Client.up renames the existing resolv.conf and creates a brand new one;
client.down restores it from the saved copy when the VPN terminates (the usual
rules about running as root apply). This is how Gentoo does that; the old
scripts instead added/removed some lines at the beginning of the file, which
looks a less clean approach to me. The rename approach also dramatically
simplifies and shortens client.down, as you'll see.
- Uses resolvconf if it's available (detected by the presence of
/sbin/resolvconf) rather than writing to resolv.conf directly. Not sure
whether this is a Linux-only thing or other systems use it though.
Script has been smoke tested on Fedora 12 with OpenVPN 2.1.1 without
the resolvconf package , and in addition Debian Lenny with
OpenVPN 2.1_rc11 according to the patch.
Signed-off-by: Davide Brini <dave_br@gmx.com>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
Signed-off-by: Davide Brini <dave_br@gmx.com>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
If create_temp_file() returns NULL, this strlen() check would cause
a SEGV.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
|
|
Fabian Knittel noticed that this delete_file() calls should have been
removed in commit 5d30273a8741d2c1410bfdbc08b341398bf39b40
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
|
|
As this function now creates the temp file, it is no longer
'not-yet-created', but 'freshly created'.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
|
|
All places where create_temp_filename() was called are now calling
create_temp_file(). Extra checks on the result of create_temp_file()
is added in addition.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
|
|
By hardening the create_temp_filename() function to check if the generated
filename exists and to create the temp file with only S_IRUSR|S_IWUSR bit
files set before calling the script, it should become even more difficult to
exploit such a scenario.
After a discussion on the mailing list, Fabian Knittel provided an enhanced
version of the inital patch which is added to this patch.
This patch also renames create_temp_filename() to create_temp_file(), as this
patch also creates the temporary file. The function returns the filename of the
created file, or NULL on error.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: Fabian Knittel <fabian.knittel@avona.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
|
|
This is in response to a reported Debian bug, where the connection counter overflows.
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=576827>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
|
|
There was a debian bugreport which was filed in 2005 . It was patched but
it seems that nobody forwarded the patch to the openvpn project itself.
The problem is quite simple:
The dashes for options (the double dashes) are not escaped. This causes
trouble in relationship with utf-8 .
Since the bugreport was closed it was patched within the debian/ubuntu
packages itself. I've attached the patch to get it atleast reviewed by the
openvpn project itself.
See <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=296133> for details.
sf.net tracker:
<https://sourceforge.net/tracker/?func=detail&aid=2935611&group_id=48978&atid=454721>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Tested-by: Jan Just Keijser <janjust@nikhef.nl>
Tested-by: Pavel Shramov <shramov@mexmat.net>
Tested-by: Samuli Seppänen <samuli@openvpn.net>
|
|
the MS Active Directory through auth-pam and Samba. I used the following line in my configs (without the linebreak of course):
plugin /opt/openvpn/openvpn-auth-pam.so
"openvpn login OURDOMAIN+USERNAME password PASSWORD"
Finally I turned on more verbose logging and found that the plugin did
not recognize "USERNAME" as something to replace, because it expected
the string to be surrounded by whitespace. I wrote the following patch
to correct this. I hope you find it useful,
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
|
|
This is a modified version of a patch sent to the sf.net
patch tracker:
<http://sourceforge.net/tracker/?func=detail&aid=2491190&group_id=48978&atid=454721>
After having disucssed this patch on IRC (#openvpn-discussions)
March 4, 2010, it was decided to accept this patch when not modifying
TARGET_* defines through out the code. Further, in a mail comment
Alon Bar-Lev had some other comments of what would be needed to be done.
Mail reference:
<http://thread.gmane.org/gmane.network.openvpn.devel/3176>
This patch has been tested by bootstrapping the code on a RHEL4.6 box.
with the following autotools packages installed:
autoconf-2.59-5
automake-1.9.2-3
libtool-1.5.6-4.EL4.2
It builds cleanly and 'make check' passes.
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
Acked-by: Alon Bar-Lev <alon.barlev@gmail.com>
|
|
This is to include peercred support on hosts where _GNU_SOURCE is not
defined by default. This issue has been found on Gentoo with glibc-2.8.
The solution was discussed on the IRC meeting March 4, 2010
in #openvpn-discussions.
<http://thread.gmane.org/gmane.network.openvpn.devel/3242>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
|
|
There was a debian bugreport which was filed in 2005 . It was patched but
it seems that nobody forwarded the patch to the openvpn project itself.
The problem is quite simple:
The dashes for options (the double dashes) are not escaped. This causes
trouble in relationship with utf-8 .
Since the bugreport was closed it was patched within the debian/ubuntu
packages itself. I've attached the patch to get it atleast reviewed by the
openvpn project itself.
See <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=296133> for details.
sf.net tracker:
<https://sourceforge.net/tracker/?func=detail&aid=2935611&group_id=48978&atid=454721>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Tested-by: Jan Just Keijser <janjust@nikhef.nl>
Tested-by: Pavel Shramov <shramov@mexmat.net>
Tested-by: Samuli Seppänen <samuli@openvpn.net>
|
|
Many of the scripts in the openvpn source have their shell set to
/bin/bash, but only two use bash features. The attached patch (against
openvpn-2.1_rc9) sets the shell on the rest of the scripts to /bin/sh for
better portability. The only scripts that actually require bash are
contrib/pull-resolv-conf/client.{up,down} ; they use the ${!var} variable
indirection feature.
sf.net tracker:
<https://sourceforge.net/tracker/?func=detail&aid=2040296&group_id=48978&atid=454721>
Discussed on the IRC meeting March 4, 2010 in #openvpn-discussions.
<http://thread.gmane.org/gmane.network.openvpn.devel/3242>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
|
|
I am running a multihomed host where 'local <extip>' must be specified
for proper operation. Unfortunately, this implies 'lport 1194' or
another static port.
This causes problems with stateful firewalls which register the host/port
pairs in the internal connection tracking table. On ungraceful reconnects,
the new TCP connection will have same the host/port pairs but unexpected
sequence numbers. The new connection will be assumed as invalid hence and
be dropped.
It would be nice when local port can be configured to be bound to a
random port number. After reading code,
| else if (streq (p[0], "lport") && p[1])
| ...
| port = atoi (p[1]);
|- if (!legal_ipv4_port (port))
|+ if (port != 0 && !legal_ipv4_port (port))
| {
in options.c seems to be the only required change.
This has been discussed here:
<http://thread.gmane.org/gmane.network.openvpn.user/28622>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
|
|
(ACKed by Eric F Crist and David Sommerseth)
(cherry picked from commit dd66b12647852e3f1267be70b0fb3b11deedf377)
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
With --verb 5, openvpn logs a single letter (rwRW) for each package
received or sent. I recently ran into a problem with the tun device on
Linux where the read from that device returned 0. Unfortunately this was
also logged as "r", which made me assume that openvpn had received
something, while it actually hadn't.
(See https://dev.openwrt.org/ticket/6650 for the bug that made me find out
about this problem with openvpn.)
I'm attaching a patch which prevents openvpn from logging "r" or "R" when
it didn't actually read anything. This is against openvpn 2.1-rc20, but
probably still applies to the most recent version.
This patch was received anonymously via the sf.net bug tracker:
<http://sourceforge.net/tracker/?func=detail&atid=454719&aid=2951003&group_id=48978>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
|
|
This patch should be easy to process.
A resubmission of the patch sent to this list on 04/23/2009.
The patch changes the verify-cn script sample
to be used with --tls-verify so that instead of having
to hardcode a cn to verify in the OpenVPN configuration file
the allowed cns may be written into a separate file.
This makes the process of verifying cns a whole
lot more dynamic, to the point where it is useful
in the real world.
One problem with this patch is that it is backwards
incompatible. I did not bother keeping the original
calling interface as A) it's a sample script, and B) the
original's functionality seems useless
and equalivant functionality is easily available
with the new script.
The problem with the original is that there seems
little point in verifying a client's cn when all
the clients share one cn, as would have to be
the case when the cn is hardcoded into the openvpn
config file.
This patch applies against the testing allmiscs branch,
and should apply against any of the other testing
branches as well.
It works for me. I've tested it throughly but not
used it extensively in production.
Regards,
Karl <kop@meme.com>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Eric F Crist <ecrist@secure-computing.net>
|
|
Unfortunately, this will not rewrite the commit history. So all commits
done by james@e7ae566f-a301-0410-adde-c780ea21d3b5 is James Yonans commits.
It was considered to risky to use git tools to rewrite the commit history, as
it could influence those already using this git tree.
|
|
Version 2.1.3a
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6424 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
txqueuelen directive is set to 0.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6420 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
rendered as base64.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6412 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
signing drivers and .exe files.
Added win/tap_span.py for building multiple versions of the TAP driver
and tapinstall binaries using different DDK versions to span from Win2K
to Win7 and beyond.
Version 2.1.3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6404 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Fixed potential local privilege escalation vulnerability in
Windows service. The Windows service did not properly quote the
executable filename passed to CreateService. A local attacker
with write access to the root directory C:\ could create an
executable that would be run with the same privilege level as
the OpenVPN Windows service. However, since non-Administrative
users normally lack write permission on C:\, this vulnerability
is generally not exploitable except on older versions of Windows
(such as Win2K) where the default permissions on C:\ would allow
any user to create files there.
Credit: Scott Laurie, MWR InfoSecurity
Version 2.1.2
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6400 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6384 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
in "make dist" tarball.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6382 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
of existing --register-dns commands.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6352 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
TLS control channel (such as AUTH_FAILED) that occur during
or immediately after a TLS renegotiation might be dropped.
Version 2.1.1n
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6350 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6347 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
win/build_all.py except that it doesn't build the
TAP drivers or tapinstall.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6306 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Fixed some issues on Windows with --log, subprocess creation
for command execution, and stdout/stderr redirection.
Version 2.1.1m.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6304 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
commands.
When only a single IP address is desired from a multi-address DNS
expansion, use the first address rather than a random selection.
Version 2.1.1l
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6291 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6285 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
core dump if http-proxy-fallback-disable command was issued in
response to ">PROXY:NEED_NOW management" interface notification.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6284 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
# Build debugging version of openvpn.exe
!define PRODUCT_OPENVPN_DEBUG
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6283 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
for HTTP Proxy Basic Authentication would go into an infinite
retry-fail loop instead of requerying the management interface for
new creds.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5701 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Version 2.1.1i
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5668 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
easier for OpenVPN client UIs to start a pre-existing client config file with
proxy options, or to adaptively fall back to a proxy connection if a direct
connection fails.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5652 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
* use strcasecmp instead of stricmp
* define HASH and HASHHEX as unsigned char to avoid compiler
warnings
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5629 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Improved the ability of http-auth "auto" flag to dynamically detect
the auth method required by the proxy.
Added http-auth "auto-nct" flag to reject weak proxy auth methods.
Added HTTP proxy digest authentication method.
Removed extraneous openvpn_sleep calls from proxy.c.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5628 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
was not being compiled in.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5620 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5599 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
win directory.
Fixed minor issue in TAP driver DEBUG builds where
non-null-terminated unicode strings were being
printed incorrectly.
Version 2.1.1g
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5577 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Don't delete config-win32.h, because this is now a true source file
and no longer a generated file.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5558 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
* Added env-filter MI command to perform filtering on env vars
passed through as a part of --management-client-auth
* man_write will now try to aggregate output into larger blocks
(up to 1024 bytes) for more efficient i/o
Version 2.1.1f
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5557 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
python msvc\config.py
nmake /f msvc\msvc.mak
Version 2.1.1e
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5516 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
socket is created rather than waiting until after connect/listen.
Version 2.1.1d
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5514 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Enable exponential backoff in reliability layer
retransmits.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5490 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
notification to include a client reason string:
>PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5468 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5467 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5466 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
so that the server-side value would take precedence,
the auth_deferred_expire_window function would incorrectly
return a window period of 0 seconds. In this case, the
correct window period should be the handshake window
period.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5464 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
a process hang with 100% CPU utilization in --management-client
mode if the management interface client disconnected at the
point where credentials are queried.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5458 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5371 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5370 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
to the client when a bad password is given for mid-session reauth.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5369 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
init.c prior to daemon exit to ensure that the tun/tap interface is
closed and any added routes are deleted.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5367 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
RPM distribution) where it was referencing a non-existent
subdirectory in the tarball, causing it to fail (patch from
David Sommerseth).
Version 2.1.1.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5269 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
* Updated ChangeLog.
* Note in man page that clients connecting to a --multihome server
should always use the --nobind option.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5266 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5265 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5264 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
1. Fail gracefully rather than segfault if calloc returns NULL.
2. The openvpn_plugin_abort_v1 function can potentially be called
with handle == NULL. Add code to detect this case, and if
so, avoid dereferencing pointers derived from handle.
(Thanks to David Sommerseth for finding this bug).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5261 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5169 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
or "dhcp-renew" options were combined with "route-gateway dhcp".
The problem is that the IP Helper functions for DHCP release and
renew are blocking, and so calling them from a single-threaded
client stops tunnel traffic forwarding, and hence breaks
"route-gateway dhcp" which requires an active tunnel. The fix is
to call the IP Helper functions for DHCP release and renew from
another process.
Version 2.1_rc21b.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5164 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
make it a hard failure, rather than just a warning.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5159 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5152 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5106 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
renegotiations -- this is similer to how the common name is also
locked.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5105 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
implied, so new usage is:
./doval [openvpn parms]
instead of:
./doval ./openvpn [openvpn parms]
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5104 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
renegotiations -- this is similer to how the common name is also
locked.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5098 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
that cannot directly be used as a config file. The directive
will simply cause OpenVPN to exit with an error if a generic
config file is used.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5077 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
included in the .tar.gz file built by make dist.
Re-released as Version 2.1_rc20
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5058 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5023 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
now send a RESTART message to client.
This feature is intended to make UDP clients respond the same as TCP
clients in the case where the server issues a RESTART message in
order to force the client to reconnect and pull a new options/route
list.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5021 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
log file.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5020 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
when an AUTH_FAILED message is returned to the client. This
string can be set by the server-side managment interface and read
by the client-side management interface.
For more info, see management/management-notes.txt, and look for
references to "client-reason-text".
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5012 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
redirect-gateway option by itself, without any extra parameters,
would cause the option to be ignored.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5011 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
servers to connect to in a round-robin fashion, spend no more than
n seconds waiting for a response before trying the next server.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5010 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
to clients, including routes. Previously, all pushed options needed
to fit within a 1024 byte options string.
Remember that to make use of this feature to allow many routes to
be pushed to clients, the client config file must specify the
max-routes option, and the number of pushed routes cannot exceed
this limit. Also, both server and client must include this commit.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4991 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
file or pulled from a server) can now be configured via the new
"max-routes" directive.
Previously, the limit was set to 100 and fixed by a compile-time
constant. Now the limit is dynamic and can be modified by the
"max-routes" directive. If max-routes is not specified, the default
limit is 100.
Note that this change does not address the maximum size of the
pushed options string sent from server to client, which is still
controlled by the TLS_CHANNEL_BUF_SIZE compile-time constant.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4967 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
after connection initiation rather than 0 seconds after.
Successive PUSH_REQUEST messages after the first will continue to be
sent at 5 second intervals until a response is received. This tends
to speed up the client connection sequence by 4 seconds because the
first PUSH_REQUEST message is usually sent too soon and is dropped,
causing a wait of 5 seconds until the next PUSH_REQUEST message is
sent.
Version 2.1_rc19d
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4965 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4946 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
(Sebastien Raveau).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4932 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
--disable-def-auth Disable deferred authentication
--disable-pf Disable internal packet filter
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4852 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
in route.c to make it easier to spot them.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4851 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
server load statistics.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4844 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4843 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4837 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4836 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4712 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
use a DPC (deferred procedure call) to defer packet injection until
IRQL < DISPATCH_LEVEL, rather than calling NdisMEthIndicateReceive
in the context of AdapterTransmit. This is an attempt to reduce kernel
stack usage, and prevent EXCEPTION_DOUBLE_FAULT BSODs that have been
observed on Vista. Updated TAP driver version number to 9.6.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4606 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
building for multiple architectures causes the previous tapdrvr.cod to
be overwritten.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4604 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
with <autoconf-2.60.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4539 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4526 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
does not build on Windows on non-MINGW32.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4525 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4501 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4500 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4477 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
set correctly when the 'local' option is specifed.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4476 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
functionality (Alon Bar-Lev).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4475 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
client will examine the routing table and determine whether (a) the
OpenVPN server is reachable via a locally connected interface, or (b)
traffic to the server must be forwarded through the default router.
Only add a special bypass route for the OpenVPN server if (b) is true.
If (a) is true, behave as if the 'local' flag is specified, and do not
add a bypass route.
The new 'autolocal' flag depends on the non-portable test_local_addr()
function in route.c, which is currently only implemented for Windows.
The 'autolocal' flag will act as a no-op on platforms that have not
yet defined a test_local_addr() function.
Increased TLS_CHANNEL_BUF_SIZE to 2048 from 1024 (this will allow for
more option content to be pushed from server to client).
Raised D_MULTI_DROPPED debug level to 4 from 3.
Version 2.1_rc16b.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4446 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
to be pushed to the client in such a way that they don't accidently
obscure critical local addresses such as the DHCP server address and
DNS server addresses.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4436 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Windows, where sending a set of several commands to the
management interface in quick succession might cause the
latter commands in the set to be ignored.
Increased management interface input command buffer size
from 256 to 1024 bytes.
Minor tweaks to Windows build system.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4414 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
commands are echoed from 7 to 3. Passwords will be filtered.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4413 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4363 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
and to use the Server 2008 WDK (6001.18002).
In cryptoapi.c, renamed CryptAcquireCertificatePrivateKey to
OpenVPNCryptAcquireCertificatePrivateKey to work around
a symbol conflict in MinGW-5.1.4.exe.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4318 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
that result in the termination of the daemon will be written
to stderr.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4131 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
with unix domain sockets.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4128 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
from stdin, when "stdin" is given as the config
file name.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4127 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
if SIGNTOOL is defined, even if EXTRACT_FILES is enabled.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3976 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
compilers.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3903 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3902 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3901 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3900 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3899 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Windows installer changes:
* ifdefed out the check Windows version code which is causing
problems on Windows 7
* don't define SF_SELECTED if it is already defined
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3855 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
if EXTRACT_FILES is defined in settings.in.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3791 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
In management interface, added new ">CLIENT:ESTABLISHED" notification.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3763 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
key was specified as an inline file.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3743 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3729 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
to management interface client when management-client-auth
is enabled.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3718 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
display the current number of authenticated clients
connected to the server.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3717 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3620 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Changed Windows installer to use LZMA instead of BZIP2 compression.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3616 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
process ID of the current OpenVPN process (Angelo Laub).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3552 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
to inhibit the pushing of the route-gateway parameter to
clients.
Miscellaneous man page edits, fixed some formatting issues.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3550 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3525 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
segfault when a --plugin module is used.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3524 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
flag on the server as well as pushes it to connecting clients.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3513 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3507 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
server-only option and should therefore generate an
error when used on the client.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3506 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
with options that are incompatible with those of the server
will be disconnected.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3505 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
number generator) parameters. In previous OpenVPN
versions, the PRNG was hardcoded to use the SHA1
hash. Now any OpenSSL hash may be used. This is
part of an effort to remove hardcoded references to
a specific cipher or cryptographic hash algorithm.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3503 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3496 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
backward compatibility with system() call semantics used in OpenVPN
2.1_rc8 and earlier. To preserve backward compatibility use:
script-security 3 system
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3495 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Version 2.1_rc13b
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3494 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3477 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
config file syntax checking to allow directives for future OpenVPN
versions to be ignored.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3476 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
of KEY_NAME environmental variable parameter to openssl.cnf
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3472 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
it from being combined with --server directive.
Now, for example, we can configure thusly:
server 10.8.0.0 255.255.255.0 nopool
ifconfig-pool 10.8.0.2 10.8.0.99 255.255.255.0
to have ifconfig-pool manage only a subset
of the VPN subnet.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3471 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
--status-version 3.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3468 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
and username strings to include any printable character including
space, but excluding control characters such as tab, newline, and
carriage-return.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3467 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
except tabs are used as delimiters instead of commas.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3466 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
the Common Name convention from the cert/key filename
convention.
For example:
KEY_CN="James's Laptop" KEY_NAME="james" ./pkitool james
will crete a client certificate/key pair of james.crt/james.key
having a Common Name of "James's Laptop" and a Name of "james".
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3463 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
X509_{n}_{subject_field}.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3462 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
connections by clients that do not specify a username/password, when a
user-defined authentication script/module is in place (via
--auth-user-pass-verify, --management-client-auth, or a plugin module).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3461 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
set the KEY_NAME environmental variable to set the "name"
X509 subject field in generated certificates.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3460 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
X509_{cert_depth}_{name}={value}
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3459 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
deferred authentication.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3457 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
to work when OpenVPN is running as a server.
Documented Management Interface "bytecount" command in
management/management-notes.txt.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3452 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
file) and SAMPCONF_DH (Diffie-Helman parameters) to Windows
build system, and may be defined in settings.in.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3450 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
input files to gen, so that gen can be disconnected from
the rest of the source tree and makensis openvpn.nsi will
still function correctly.
Added additional SAMPCONF_(CA|CRT|KEY) macros to settings.in
(commented out by default).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3439 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
or higher being required to execute user-defined scripts or
executables.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3436 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
with the goal of fixing a build issue on Fedora 9 that was
introduced in 2.1_rc13.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3434 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Minor fixes to Windows build scripts.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3417 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Telethra to OpenVPN Technologies.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3409 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
domain socket, for example:
management /tmp/openvpn unix
Also added management-client-user and management-client-group
directives to control which processes are allowed to connect
to the socket.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3396 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3349 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
was incorrectly expecting the lladdr parameter to be an IP address
when it is actually a MAC address (HoverHell).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3339 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
part of the tarball (Matthias Andree).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3332 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
Fixed a bug that can cause SSL/TLS negotiations in UDP mode
to fail if UDP packets are dropped.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3330 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3323 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3318 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
deferred authentication features in 2.1_rc8.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3316 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
to more closely conform to RFC 3696:
* DNS name length must not exceed 255 characters
* DNS name characters must be limited to alphanumeric,
dash ('-'), and dot ('.')
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3312 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
arguments since all scripts were called by system().
The security hardening changes made to 2.1_rc9 no longer
use system(), but rather use the safer execve or CreateProcess
system calls. The security hardening also introduced a
backward incompatibility with 2.1_rc8 and earlier in that
script parameters were no longer shell-expanded, so
for example:
client-connect "docc CLIENT-CONNECT"
would fail to work because execve would try to execute
a script called "docc CLIENT-CONNECT" instead of "docc"
with "CLIENT-CONNECT" as the first argument.
This patch fixes the issue, bringing the script argument
semantics back to pre 2.1_rc9 behavior in order to preserve
backward compatibility while still using execve or CreateProcess
to execute the script/executable.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3311 e7ae566f-a301-0410-adde-c780ea21d3b5
|
|
from server (rather than only IP address) for --ifconfig, --route, and
--route-gateway. OpenVPN versions 2.1_rc7 and earlier allowed DNS names
for these options to be pulled and translated to IP addresses by default.
Now --allow-pull-fqdn will be explicitly required on the client to enable
DNS-name-to-IP-address translation of pulled options.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3307 e7ae566f-a301-0410-adde-c780ea21d3b5
|