Age | Commit message | Author | Files | Lines
2011-07-28 | Added data channel fragmentation docs | David Sommerseth | 2 | -73/+460
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-07-28 | Added memory management documentation | David Sommerseth | 2 | -9/+147
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-07-28 | Added reliability layer documentation | David Sommerseth | 2 | -64/+430
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-07-28 | Added compression docs | David Sommerseth | 3 | -49/+341
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-07-28 | Added control channel crypto docs | David Sommerseth | 4 | -243/+841
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-07-28 | Doxygen: Added data channel crypto docs | David Sommerseth | 2 | -25/+218
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-07-28 | Added Doxygen doxyfile | Adriaan de Jong | 1 | -0/+279
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-07-01 | Fixes to easy-rsa/2.0 | Samuli Seppänen | 3 | -6/+309
As support for OpenSSL 1.0.0 requires a modified openssl.cnf file, it was decided to rename openssl.cnf to openssl-1.0.0.cnf for clarity and better support of different OpenSSL versions. The old openssl.cnf was renamed as openssl-0.9.8.cnf. This patch makes sure that all openssl*.cnf files are copied when running 'make install' in easy-rsa and makes the whichopensslcnf script aware of them as well. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-07-01 | Made domake-win builds to use easy-rsa/2.0/openssl-1.0.0.cnf | Samuli Seppänen | 2 | -5/+5
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-07-01 | Updated "easy-rsa" for OpenSSL 1.0.0 | Samuli Seppänen | 5 | -22/+27
This patch fixes remaining issues with Trac ticket #125. It does the following:
- Update easy-rsa/2.0/README
- Rename easy-rsa/2.0/openssl.cnf as openssl-0.9.8.cnf
- Add easy-rsa/2.0/openssl-1.0.0.cnf
- Updated vars.bat.sample to use openssl-1.0.0.cnf
- Updated win/openvpn.nsi to use openssl-1.0.0.cnf
- Add a few undefined variables to vars and vars.bat.sample: required by OpenSSL 1.0.0 (at least on Windows)
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Tested-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-06-20 | Revert "Add new openssl.cnf to easy-rsa/Windows" | David Sommerseth | 1 | -350/+0
This reverts commit 663860ad04dd4190fddbee63e724d3fdceafd937. According to Jan Just Keijser [1] there are issues with this new openssl.cnf file, so reverting this commit and wait for a new patch. [1] http://thread.gmane.org/gmane.network.openvpn.devel/4729/focus=4735
2011-06-20 | Add new openssl.cnf to easy-rsa/Windows | Samuli Seppänen | 1 | -0/+350
This is required for patch "Fix a build-ca issue on Windows" to work Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com>
2011-06-20 | Fix a build-ca issue on Windows | Samuli Seppänen | 2 | -3/+3
Fixes Trac ticket #125 Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-06-15 | Remove support for Linux 2.2 configuration fallback | David Sommerseth | 2 | -20/+3
When configuring OpenVPN nowadays, the TUN/TAP configuration can sometimes jump into the Linux 2.2 fallback code paths, which will also fail. The reason it jumps into fallback mode is that the tun/tap device already exists or that /dev/net/tun does not exist. This can be very confusing, as /dev/tunX which the fallback mode tries to use, does not exist on Linux 2.4 and newer. Considering that the last Linux 2.2 update was released 25-Feb-2004 and the first Linux 2.4 release came 04-Jan-2001, there are no reasonable reasons to help users to stay on outdated kernels. I consider this extra code path just waste of bytes ... so let's make the world simpler. Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
2011-06-14 | Documented --x509-username-field option | Robert Fischer | 2 | -1/+9
Also fixed a typo in the --help screen. Signed-off-by: Robert Fischer <ml-openvpn@trispace.org> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-06-14 | Added info about --show-proxy-settings | Robert Fischer | 2 | -0/+6
Signed-off-by: Robert Fischer <ml-openvpn@trispace.org> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-05-31 | Fix compiling issues with pkcs11 when --disable-management is configured | David Sommerseth | 1 | -0/+2
pkcs11.c seems to miss some header files which get implicitly added when the management interface is enabled. Signed-off-by: David Sommerseth <davids@redhat.com> Tested-by: Mr Dash Four <mr.dash.four@googlemail.com>
2011-05-27 | Don't define ENABLE_PUSH_PEER_INFO if SSL is not available | David Sommerseth | 1 | -0/+2
The push_peer_info feature depends on the SSL infrastructure and openvpn will fail to build if ./configure --disable-crypto --disable-ssl is used. The solution is to not define ENABLE_PUSH_PEER_INFO if we don't have crypto/ssl. Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
2011-05-23 | Merge remote-tracking branch 'cron2/feat_ipv6_payload_2.3' | David Sommerseth | 5 | -26/+109
Conflicts: options.c - version string for IPv6 payload changed Signed-off-by: David Sommerseth <davids@redhat.com>
2011-05-22 | Windows IPv6 cleanup - properly remove IPv6 routes and interface config | Gert Doering | 5 | -24/+107
after tunnel shutdown. Needs to make delete_route_ipv6() visible from tun.c (route.c, route.h) and to properly zero-out host bits from IPv6 "network" at interface route clearing. Further, add IPv6 routes with "store=active" to make sure nothing lingers after a system crash while OpenVPN was running. While at it, small Solaris cleanup - use CLEAR() to zero-out "ifr" struct. Tested on Windows XP SP3 and Win7 by Gert Doering and Tony Lim. Signed-off-by: Gert Doering <gert@greenie.muc.de>
2011-05-19 | Fix const declarations in plug-in v3 structs | David Sommerseth | 1 | -4/+4
Microsoft Visual Studio complains about const char const **ptr declarations and expects them to be const char ** const ptr. The latter is what was the intention, that neither the pointer nor the value(s) it points at can be changed. Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
2011-05-19 | Change the netsh.exe command from "add" to "set". | smos | 1 | -2/+2
This prevents the netsh.exe command from exiting with a status 1 when the address already exists. By adding store=active the address will not survive a reboot and be assigned temporarily. Tested on Windows 7 and Windows XP SP 2. Signed-off-by: smos <seth.mos@dds.nl> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: Gert Doering <gert@greenie.muc.de>
2011-05-19 | Fix 2.2.0 build failure when management interface disabled | Matthew L. Creech | 1 | -0/+2
I just upgraded to 2.2.0, and my build fails with: ps.c: In function 'port_share_open': ps.c:778:7: error: 'management' undeclared (first use in this function) ps.c:778:7: note: each undeclared identifier is reported only once for each function it appears in make[5]: *** [ps.o] Error 1 [Comment by David Sommerseth: This happens only when building with --enable-small, --disable-management and --disable-pkcs11 Also changed MANAGEMENT_ENABLED to ENABLE_MANAGEMENT from the original patch. ] Mailing-list: http://thread.gmane.org/gmane.network.openvpn.devel/4639 Signed-off-by: Matthew L. Creech <mlcreech@gmail.com> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-05-10 | Fix issues with some older GCC compilers | Simon Matter | 1 | -3/+3
Some older GCC compilers don't like that variables are declared in the middle of the code, and expect them on the top in the block/scope. Trac-ticket: 99 Signed-off-by: Simon Matter <simon.matter@invoca.ch> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-04-27 | Fix compile issues when using --enable-small and --disable-ssl/--disable-crypto | Gustavo Zacarias | 1 | -1/+2
The tmp_dir string is required in the options struct regardless of options so spin it out of #if conditionals. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-04-26 | Solved hidden merge conflicts between master and svn-branch-2.1 | David Sommerseth | 2 | -4/+7
ps.c - The feat_ipv6_transport patch set modifies struct openvpn_sockaddr by adding a union named 'addr' in commit 8335caf929f21b31. ssl.c - A needed } and #endif had been dropped by a mistake Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-04-26 | Merge branch 'svn-branch-2.1' into merge | David Sommerseth | 39 | -333/+1702
Pulling in changes from James' 2.1/openvpn branch in SVN. Conflicts: buffer.c init.c manage.h multi.c openvpn.8 options.c ssl.c version.m4 win/sign.py Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-04-26 | Fixed compile issues on Windows. | James Yonan | 4 | -4/+4
Version 2.1.3w git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7219 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26 | Added new "extra-certs" and "verify-hash" options (see man page for | James Yonan | 7 | -1/+128
details). Increase the timeout after SIGUSR1 restart when restart is not due to server_poll_timeout. Version 2.1.3v git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7215 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26 | Added 'dir' flag to "crl-verify" (see man page for info). | James Yonan | 7 | -61/+96
Don't call SSL_CTX_set_client_CA_list or SSL_CTX_set_client_CA_list if not running in server mode (these functions are only useful for TLS/SSL servers). Modified openvpn_snprintf to return false on overflow, and true otherwise. When AUTH_FAILED,... is received, log the full string. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7213 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26 | Revert r7092 and r7151, i.e. remove --enable-osxipconfig | James Yonan | 3 | -35/+1
configure option. ipconfig on Mac has certain behavior that makes it unsuitable for use by OpenVPN to configure tun/tap interface. Version 2.1.3u git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7191 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26 | Version 2.1.3t | James Yonan | 1 | -1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7152 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26 | For Mac OSX, when DARWIN_USE_IPCONFIG is defined, retry ipconfig | James Yonan | 1 | -1/+11
command on failure once every second for up to 15 seconds. This is necessary to work around an issue observed on OSX 10.5 where the ipconfig command sometimes fails if executed immediately after the tun device open. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7151 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26 | Fixed bug in port-share that could cause port share process to | James Yonan | 2 | -1/+4
crash with output like this: TCP connection established with 85.190.0.3:41781 85.190.0.3:41781 SIGTERM[soft,port-share-redirect] received, client-instance exiting MANAGEMENT: TCP recv error: Socket operation on non-socket MANAGEMENT: Client disconnected MANAGEMENT: Triggering management exit Exiting due to fatal error EVENT: epoll_ctl EPOLL_CTL_MOD failed, sd=6: Bad file descriptor (errno=9) Then an error like this for every incoming connection that should be proxied: 76.120.71.74:55302 PORT SHARE: sendmsg failed -- unable to communicate with background process (6,8,-1,-1): Connection refused (errno=111) Version 2.1.3s git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7127 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26 | Fixed bug that incorrectly placed stricter TCP packet replay rules on | James Yonan | 6 | -14/+15
UDP sessions when the client daemon was running in UDP/TCP adaptive mode, and transitioned from TCP to UDP. The bug would cause a single dropped packet in UDP mode to trigger a barrage of packet replay errors followed by a disconnect and reconnect. Version 2.1.3r git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7125 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26 | Added more packet ID debug info at debug level 3 for debugging | James Yonan | 6 | -28/+142
false positive packet replays. Version 2.1.3q. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7109 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26 | Added ./configure --enable-osxipconfig option for Mac OS X which will | James Yonan | 3 | -2/+26
enable the use of ipconfig (instead of ifconfig) for configuring the IP address and netmask of the tun/tap adapter. Version 2.1.3p git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7092 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26 | Added "auth-token" client directive, which is intended to be | James Yonan | 11 | -13/+113
pushed by server, and that is used to offer a temporary session token to clients that can be used in place of a password on subsequent credential challenges. This accomplishes the security benefit of preventing caching of the real password while offering most of the advantages of password caching, i.e. not forcing the user to re-enter credentials for every TLS renegotiation or network hiccup. auth-token does two things: 1. if password caching is enabled, the token replaces the previous password, and 2. if the management interface is active, the token is output to it: >PASSWORD:Auth-Token:<token> Also made a minor change to HALT/RESTART processing when password caching is enabled. When client receives a HALT or RESTART message, and if the message text contains a flags block (i.e. [FFF]:message), if flag 'P' (preserve auth) is present in flags, don't purge the Auth password. Otherwise do purge the Auth password. Version 2.1.3o git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7088 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26 | win/sign.py now accepts an optional tap-dir argument. | James Yonan | 1 | -4/+8
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7086 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26 | Version 2.1.3n | James Yonan | 1 | -1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7069 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26 | Client will now try to reconnect if no push reply received | James Yonan | 4 | -3/+20
within handshake-window seconds. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7066 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26 | Extended "client-kill" management interface command (server-side) | James Yonan | 7 | -19/+53
to accept an optional message string. The message string format is: RESTART|HALT,<human-readable-message> RESTART will tell the client to restart (i.e. SIGUSR1). HALT will tell the client to exit (i.e. SIGTERM). On the client, human-readable-message will be communicated via management interface: >NOTIFY,<severity>,<type>,<human-readable-message>" Version 2.1.3m git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7063 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26 | Fixed bug introduced in r7031 that might cause this error message: | James Yonan | 1 | -6/+16
PORT SHARE: sendmsg failed (unable to communicate with background process) git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7062 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26 | Fixed issue where a client might receive multiple push replies from | James Yonan | 3 | -2/+14
a server if it sent multiple push requests due to the server being slow to respond. This could cause the client to process pushed options twice, leading to duplicate pushed routes, among other issues. The fix, implemented server-side, is to reply only once to a push request even if multiple requests are received. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7060 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26 | env_filter_match now includes the serial number of all certs | James Yonan | 1 | -1/+1
in chain (as tls_serial_n vars), rather than only tls_serial_0. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7055 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-25 | Reduce log verbosity at level 3, with a focus on removing excessive log ↵ | James Yonan | 6 | -27/+33
verbosity generated by port-share activity. Version 2.1.3k git-svn-id: http://svn.openvpn.net/projects/branches/BETA21@7033 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-25 | Added optional journal directory argument to "port-share" directive, for ↵ | James Yonan | 8 | -33/+131
reporting client IP origins of proxied connections. git-svn-id: http://svn.openvpn.net/projects/branches/BETA21@7031 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-25 | Added --enable-lzo-stub configure option to build an OpenVPN client without ↵ | James Yonan | 7 | -14/+85
LZO, but that has limited interoperability with LZO-enabled servers. Modified "push-peer-info" option to push IV_LZO_STUB=1 to server when client was built with --enable-lzo-stub configure option. This tells the server that the client lacks LZO capabilities, so the server should turn off LZO compression for this client via "lzo no". Added "setenv PUSH_PEER_INFO" option having the same effect as "push-peer-info". Version 2.1.3j git-svn-id: http://svn.openvpn.net/projects/branches/BETA21@7023 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-25 | Merge branch 'feat_ipv6_payload' | David Sommerseth | 27 | -134/+2622
Conflicts: options.c - feat_ipv6_payload and feat_ip6_transport both update this file with presence information Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-04-25 | Merge branch 'feat_ipv6_transport' | David Sommerseth | 23 | -265/+1564
2011-04-24 | rebased to 2.2RC2 (beta 2.2 branch) | Gert Doering | 5 | -47/+95
removed mutex locking stuff (no more threading in 2.2) fixed rebase/merge artifacts in mroute.c add current ChangeLog.IPv6 and TODO.IPv6 to commit tag as ipv6-20110424-2 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2011-04-24 | Implement "ipv6 ifconfig" for TAP interfaces on Solaris | Gert Doering | 1 | -2/+40
Solaris close_tun(): add explicit "unplumb'ing" of IPv6 tun/tap interfaces, otherwise they would linger around after OpenVPN exits. Signed-off-by: Gert Doering <gert@greenie.muc.de>
2011-04-24 | bump IPv6 version number (openvpn --version) to 20100922-1 | Gert Doering | 2 | -1/+11
document Linux tun fixes and test results in ChangeLog.IPv6 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2011-04-24 | bugfix for linux/iproute2: IPv6 ifconfig code block was not called for | Gert Doering | 1 | -14/+15
"dev tun"+"topology subnet" - moved code out of "if (tun)" block, works. add more debug information to help diagnose cases where IPv6 isn't working Signed-off-by: Gert Doering <gert@greenie.muc.de>
2011-04-24 | correct URL for "more information about IPv6 patch is *here*" | Gert Doering | 1 | -1/+1
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2011-04-24 | 2.2-beta3 has a signed TAP driver with the IPv6 code, but it's not | Gert Doering | 2 | -2/+7
version 9.7 as anticipated (that's 2.1.3) but 9.8 - change test to require 9.8, and change message to point to 2.2-beta3 and up. Signed-off-by: Gert Doering <gert@greenie.muc.de>
2011-04-24 | renamed t_client.sh to t_client.sh.in | Gert Doering | 1 | -298/+0
build t_client.sh by configure at run-time, with proper paths to ip/ifconfig/netstat binaries, and (most important) with proper #!SHELL extend configure.ac to find "netstat" binary and to chmod +x "t_client.sh" Signed-off-by: Gert Doering <gert@greenie.muc.de>
2011-04-24 | full "VPN client connect" test framework for OpenVPN | Gert Doering | 1 | -0/+298
run from "make check" if "t_client.rc" is found in workdir or srcdir (copy t_client.rc-sample, fill in specifics for your test server) Signed-off-by: Gert Doering <gert@greenie.muc.de>
2011-04-24 | implement IPv6 ifconfig + route setup/deletion on OpenBSD | Gert Doering | 3 | -11/+71
destroy tunX interface on tun_close() tested on OpenBSD 4.7 Signed-off-by: Gert Doering <gert@greenie.muc.de>
2011-04-24 | revert unconditionally-enabling of setenv_es() logging (too noisy) | Gert Doering | 1 | -1/+3
replace with #ifdef DEBUG_VERBOSE_SETENV compile-time flag
2011-04-24 | tag and release as 20100307-1 | Gert Doering | 3 | -2/+37
2011-04-24 | WIN32: if IPv6 requested in TUN mode, and TUN/TAP driver version is older | Gert Doering | 1 | -0/+10
than 9.7, log warning and disable IPv6 (won't work anyway).
2011-04-24 | when deleting a route on win32, also add gateway address | Gert Doering | 1 | -0/+11
(otherwise netsh.exe will succeed, but silently ignore request)
2011-04-24 | Win32: set next-hop for IPv6 routes according to TUN/TAP mode - in TUN mode, | Gert Doering | 1 | -1/+11
use special next-hop address (fe80::8) that tapdrv will handle ND for
2011-04-24 | document recent changes and open TODOs, adapt --version info, tag release | Gert Doering | 3 | -1/+57
2011-04-24 | drop "book ipv6" from open_tun() and tuncfg() prototypes | Gert Doering | 1 | -2/+2
2011-04-24 | - Win32 IPv6 ifconfig support, using "netsh" calls | Gert Doering | 2 | -75/+157
- initialize tuntap->ipv6 in init.c::do_init_tun(), to make sure it's setup "early enough", no matter what ifconfig_order() wants
- change call convention for open_tun(): drop "ipv6" flag, because it's incompatible with windows/openbsd calling sequence (ifconfig first, open_tun later) - also affects open_tun_generic() and tuncfg().
- drop ipv6_support() helper function - has no useful purpose anymore
- introduce add_route_connected_v6_net() helper for Win32, Darwin, Netbsd (cleanup code)
- fix NetBSD tunnel setup - destroy/recreate before ifconfig'ing, to make sure no leftover configuration lingers on tunnel from previous call (NetBSD tunnels are always persistent unless explicitly destroyed)
- DARWIN (MacOS X) gets its own #ifdef section for open_tun()/close_tun() now, because close_tun() needs to cleanup IPv6 ifconfig
2011-04-24 | add IPv6 route add / route delete code for windows (using "netsh") | Gert Doering | 1 | -2/+36
- somewhat preliminary, as the next-hop setting requirements of tun/tap driver are not decided yet, and "route add" might need to be adapted
2011-04-24 | env_block(): if PATH is not set, add standard PATH setting to env so that | Gert Doering | 1 | -0/+16
"netsh.exe" can find "framedyn.dll" (needs work)
2011-04-24 | * make ipv6_payload compile under windowze | JuanJo Ciarlante | 3 | -0/+61
- create inet_ntop() and inet_pton() wrap-implementations using WSAAddressToString() and WSAStringToAddress() functions - add relevant win32-only headers to syshead.h NOTE: syshead.h changes are already included in ipv6_transport
2011-04-24 | add some TODOs to TODO.IPv6 | Gert Doering | 1 | -6/+6
--version: change printing of IPv6 payload patch version to [...] style fix "make check" regression in tun.c (unnecessary change reverted)
2011-04-24 | NetBSD fixes - on 4.0 and up, use multi-af mode. On earlier systems that | Gert Doering | 1 | -43/+0
do not have TUNSIFHEAD (and do not have IPv6 capable tunnels), fall back to old IPv4-only code without address-family prepending. (cherry picked from commit 2a57c58b185deb11b0a62c584489fff59258146c)
2011-04-24 | remove NOTES file from commit - private scribbling | Gert Doering | 1 | -180/+0
(cherry picked from commit 5df8fe6b0eb3c0f351f322b4690e4d9388980aba)
2011-04-24 | Enable IPv6 Payload in OpenVPN p2mp tun server mode. 20100104-1 release. | Gert Doering | 4 | -6/+269
(cherry picked from commit ec9dce6387afd198881493bfebf13bb121e8a56b)
2011-04-24 | basic documentation of IPv6 related options and their syntax | Gert Doering | 1 | -0/+53
2011-04-24 | undo accidental duplication of existing "--iroute" line in the help text | Gert Doering | 1 | -1/+0
2011-04-24 | add some TODOs to TODO.IPv6 | Gert Doering | 4 | -6/+31
--version: change printing of IPv6 payload patch version to [...] style fix "make check" regression in tun.c (unnecessary change reverted)
2011-04-24 | new feature: "ifconfig-ipv6-push" (from ccd/ config) | Gert Doering | 6 | -32/+212
affects options.h, options.c, multi.c benefit: static IPv6 address assignment from radiusplugin (etc) rewritten get_ipv6_addr() to handle IPv6 addresses with and without "/bits" affects route.c and mainly options.c benefit: ifconfig-ipv6, ifconfig-ipv6-pool can now accept configurations with networks != /64 (the rest of the implementation is not yet completely there, but this is important preparation work to be able to add /bits to "push 'ifconfig-ipv6 ...'" later on without breaking clients) do not try to add/delete IPv6 routes if no IPv6 on tunnel affects: route.c benefit: avoid error messages, and make IPv6 troubleshooting easier flag as "config error" if --ifconfig-ipv6-pool used without --ifconfig-ipv6 flag as "config error" if --ifconfig-ipv6-pool used without --server print warning if --ifconfig-ipv6 is used without --tun-ipv6 changes documented in more detail in ChangeLog.IPv6 * release patch set 20100114-1 (cherry picked from commit c04f774c7e9bed602818b1fe2ff4e83cf913d471)
2011-04-24 | 4a, 9, 10, 11, 12 added - and 11. done right away :-) | Gert Doering | 1 | -0/+34
(cherry picked from commit ea382a1d550ac100d27c8118777e3160c85d06d2)
2011-04-24 | NetBSD fixes - on 4.0 and up, use multi-af mode. On earlier systems that | Gert Doering | 1 | -21/+52
do not have TUNSIFHEAD (and do not have IPv6 capable tunnels), fall back to old IPv4-only code without address-family prepending. (cherry picked from commit 2a57c58b185deb11b0a62c584489fff59258146c)
2011-04-24 | remove NOTES file from commit - private scribbling | Gert Doering | 1 | -180/+0
(cherry picked from commit 5df8fe6b0eb3c0f351f322b4690e4d9388980aba)
2011-04-24 | Enable IPv6 Payload in OpenVPN p2mp tun server mode. 20100104-1 release. | Gert Doering | 25 | -81/+1915
(cherry picked from commit ec9dce6387afd198881493bfebf13bb121e8a56b)
2011-04-21 | Update man page with info about --connect-timeout | Robert Fischer | 1 | -0/+8
Signed-off-by: Robert Fischer <ml-openvpn@trispace.org> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-04-21 | Update man page with info about --capath | Robert Fischer | 1 | -0/+5
Signed-off-by: Robert Fischer <ml-openvpn@trispace.org> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-04-21 | Add a simple comment regarding openvpn_snprintf() is duplicated | David Sommerseth | 1 | -0/+3
Commit df5a4380c3931520d5fae2b18f0fc2e67a883aae copies this function from buffer.c to service-win32/openvpnserv.c. Any changes on either places should be done in both implementations. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-04-21 | Improve the mysprintf() issue in openvpnserv.c | David Sommerseth | 1 | -11/+28
A quick and dirty compile fix was introduced in commit 77d244050964525417, and was accepted under the condition that it would be a temporary fix. As the usage of _snprintf() is really not ideal on Windows, this patch uses the same well tested openvpn_snprintf() function from buffer.c. It was a longer discussion of several possibilities to re-use that code, but in the end it seemed easier to just copy-paste this function to openvpnserv.c for now. The reason for this conclusion was that the function is really simple, well defined and will most likely not be changed much in the future. It is also added a comment in openvpnserv.c where this function has its origins. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2011-04-15 | Fixed a bug with GUI icon deletion on upgrade from 2.2-RC or earlier | Samuli Seppänen | 1 | -0/+6
This bug was introduced in commit 110e42d199e735ab1a31388c5678f59d0fa9510c. Trac-ticket: 120 Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-04-14 | Avoid re-defining uint32_t when using mingw compiler | Gisle Vanem | 1 | -0/+7
Since MingW for quite a long time (since 3.2 in 2008?) has defined 'uint32_t' etc. in its <stdint.h>, we need to guard against defining them again. Ideally we should figure out in what version of MingW this happened. But for now: Signed-off-by: Gisle Vanem <gvanem@broadpark.no> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-04-14 | Added man page entry for --management-client | rf | 1 | -0/+7
Track-ticket: 114 Signed-off-by: rf <ml-openvpn@trispace.org> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-04-14 | Update man page with info about --remote-random-hostname | rf | 1 | -0/+6
Trac-ticket: 115 Signed-off-by: rf <ml-openvpn@trispace.org> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-04-14 | Fixed copying of tapinstall.exe to dist/bin when using prebuilt TAP-drivers | Samuli Seppänen | 1 | -1/+1
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-04-14 | Removed Win2k from supported platforms list in INSTALL and win/openvpn.nsi | Samuli Seppänen | 2 | -5/+3
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-04-14 | Fix a bug in devcon source code handling | Samuli Seppänen | 1 | -1/+1
The win/config_ti.py build script assumes to find ../tapinstall/7600/sources.in which does not exist in devcon.exe source code directory. This makes config_ti.py look for ../tapinstall/7600/sources instead. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-04-14 | Change the default --tmp-dir path to a more suitable path | David Sommerseth | 3 | -4/+36
In commit 4e1cc5f6dda22e9 the create_temp_filename() function was reviewed and hardened, which in the end renamed this function to create_temp_file() in commit 495e3cec5d156. With these changes it became more evident that OpenVPN needs a directory where it can create temporary files. The create_temp_file() will create such files f.ex. if --client-connect or --plugin which makes use of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook, such as openvpn-auth-pam.so. When this happens, OpenVPN will normally create these files in the directory OpenVPN was started. In many cases, this will fail due to restricted access. By using --tmp-dir and pointing it to a directory writeable to the user running OpenVPN, it works again. This patch makes OpenVPN use a more suitable temporary directory by default, instead of the current working directory. On non-Windows platforms this default value is set to '/tmp', but can be modified at compile-time by running ./configure --with-tmp-dir-path=<TEMP DIR PATH>. On Windows, it will use GetTempPath() to find temporary paths recommended by the OS. If this fails, it will fallback to the old behaviour, using the directory where OpenVPN was started. In any case, this default value can be overridden in the configuration file by using the --tmp-dir option, as before. To check what the default is at runtime, you can see this easily by doing this: $ ./openvpn --verb 4 --dev tun | grep tmp_dir Signed-off-by: David Sommerseth <davids@redhat.com> Tested-by: Jan Just Keijser <janjust@nikhef.nl> Acked-by: Gert Doering <gert@greenie.muc.de>
2011-04-14Fixed bug in port-share that could cause port share process to crashJames Yonan1-0/+3
with output like this:

    TCP connection established with 85.190.0.3:41781
    85.190.0.3:41781 SIGTERM[soft,port-share-redirect] received, client-instance exiting
    MANAGEMENT: TCP recv error: Socket operation on non-socket
    MANAGEMENT: Client disconnected
    MANAGEMENT: Triggering management exit
    Exiting due to fatal error
    EVENT: epoll_ctl EPOLL_CTL_MOD failed, sd=6: Bad file descriptor (errno=9)

Then an error like this for every incoming connection that should be proxied:

    76.120.71.74:55302 PORT SHARE: sendmsg failed -- unable to communicate with background process (6,8,-1,-1): Connection refused (errno=111)

Version 2.1.3s
2011-04-14Add more detailed explanation regarding the function of "--rdns-internal"Gert Doering1-1/+7
As agreed in last Thursday's IRC meeting [1], I've added a comment to the code explaining "--rdns-internal". It's really very much an internal option, so it does not need to go to the man page. [1] http://thread.gmane.org/gmane.network.openvpn.devel/4573 Signed-off-by: Gert Doering <gert@greenie.muc.de> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-04-14Change all CRLF linefeeds to LF linefeedsSamuli Seppänen24-1013/+1013
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-04-05Add man page entry for --redirect-privateSamuli Seppänen1-0/+5
Trac-ticket: 107 Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-03-31Fix the --client-cert-not-required featureDavid Sommerseth1-4/+6
Commit 2e8337de248ef0b5b48cbb2964da0d5c3f28b15b introduced a new feature for using other SSL certificate fields for authentication than the CN field. This commit introduced a bug, which made the verify_callback() function get called even if --client-cert-not-required was enabled in the config. The reason for this was that an 'else' statement was lacking a couple of curly braces. The offending commit in reality moved the setup of the verify_callback() function out of the 'else' statement. Report-URL: https://community.openvpn.net/openvpn/ticket/108 Report-URL: https://forums.openvpn.net/topic7751.html Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Jan Just Keijser <janjust@nikhef.nl>
2011-03-27* ipv6-0.4.16: fix mingw32 buildJuanJo Ciarlante4-27/+45
2011-03-27* ipv6-0.4.15b: rebase over openvpn-testing-masterJuanJo Ciarlante3-14/+17
2011-03-25* ipv6-0.4.15: add --multihome support to xBSDJuanJo Ciarlante3-3/+57
- _both_ for IPv4 (which was missing) and for IPv6 - tested on OpenBSD 4.7, FreeBSD 8.1
2011-03-25* ipv6-0.4.14: fix xinetd usage:JuanJo Ciarlante1-2/+34
- closes http://bugs.debian.org/574164 - also needed for --disable-ipv6 builds - supports IPv6 from xinetd
2011-03-25* fix --multihome for ipv6: IPV6_RECVPKTINFOJuanJo Ciarlante1-10/+17
- setsockopt IPV6_RECVPKTINFO (not IPV6_PKTINFO!) - do check for setsockopt() failures - append %<iface> in INFO msg
2011-03-25* fix --multihome for ipv4: cmsg_len must compare against in_pktinfoJuanJo Ciarlante1-13/+14
size, not the full 4+6 union, also use saner variable names.
2011-03-25* undo mroute.c changes related to ipv6 payload,JuanJo Ciarlante1-30/+0
nothing to do w/ipv6 transport after all.
2011-03-25* rebased to v2.1.1 releaseJuanJo Ciarlante1-2/+8
* document {un,}trusted_ip6 in manpage
2011-03-25* doc updatesJuanJo Ciarlante1-2/+4
2011-03-25* fix --disable-ipv6 buildJuanJo Ciarlante1-0/+6
2011-03-25* updated docJuanJo Ciarlante2-3/+3
2011-03-25* polished redirect-gateway (ipv4 on ipv6 endpoints) supportJuanJo Ciarlante3-2/+8
2011-03-25* (prototype) fix for supporting "redirect-gateway" for tunneled ipv4 over ipv6 endpointsJuanJo Ciarlante2-8/+12
2011-03-25* no new functionality, just small cleanups:JuanJo Ciarlante4-42/+41
- cmdline options help: add tcp6/udp6 missing messages - win32: expand usage of proto_is_udp(), proto_is_tcp() - replace some memset(&obj, 0, sizeof obj) by openvpn's CLEAR(obj)
2011-03-25* openbsd: no IFF_MULTICAST, #ifdef around itJuanJo Ciarlante1-0/+2
2011-03-25* doc updatesJuanJo Ciarlante1-18/+23
2011-03-25* fixed segfault for undef address family in print_sockaddr_ex (thanks Marcel!)JuanJo Ciarlante1-4/+4
2011-03-25* socket.c: better buf logic in print_sockaddr_exJuanJo Ciarlante1-3/+3
2011-03-25* TODO.ipv6 updateJuanJo Ciarlante1-0/+4
2011-03-25* fix multi-tcp crash (corrected assertion)JuanJo Ciarlante2-2/+10
2011-03-25* init.c: small in-doc tweaksJuanJo Ciarlante1-1/+4
2011-03-25* init.c: document the ENABLE_MANAGEMENT place to work onJuanJo Ciarlante2-0/+5
2011-03-25* updated {README,TODO}.ipv6 from feedback at openvpn-devel mlistJuanJo Ciarlante2-20/+32
2011-03-25* renamed README.ipv6{.txt,}JuanJo Ciarlante1-0/+0
2011-03-25* correctly setup hints.ai_socktype for getaddrinfo(),JuanJo Ciarlante4-15/+28
although sorta hacky, see TODO.ipv6.
2011-03-25* make possible to x-compile openvpn/win32 in LinuxJuanJo Ciarlante1-6/+26
2011-03-25* doc update w/unittests resultsJuanJo Ciarlante1-2/+10
2011-03-25* document ipv6 milestone statusJuanJo Ciarlante1-3/+6
2011-03-25* ipv6 on win32 "milestone": 1st snapshot that passes all unittestsJuanJo Ciarlante4-11/+98
2011-03-25* fixed win32 non-ipv6 buildJuanJo Ciarlante4-9/+21
2011-03-25* added README.ipv6.txtJuanJo Ciarlante1-0/+67
2011-03-25* important fix for tcp6 reconnectionJuanJo Ciarlante1-1/+14
was incorrectly creating a PF_INET socket
2011-03-25* support --disable-ipv6 build properly:JuanJo Ciarlante6-61/+86
- tests now pass (and fail) properly for ipv6/4 builds * more GNU indenting
2011-03-25* socket.c: use USE_PF_INET6 in switch constructs to actually toss them out,JuanJo Ciarlante1-206/+226
GNU indentation for my deltas
2011-03-25* migrated all getaddrinfo() to getaddr6JuanJo Ciarlante1-133/+101
* tests Ok: {loopback,remote}{udp,tcp}{4,6}
2011-03-25* created getaddr6(), use it from resolve_remote()JuanJo Ciarlante1-15/+265
next: merge ipv{4,6} signal logic into one inside resolve_remote() * passes {loopback,remote}{udp,tcp}{4,6} tests
2011-03-25* rebased openvpn-2.1_rc1b.jjo.20061206.d.patchJuanJo Ciarlante13-190/+856
* passes {udp,tcp}x{v4,v6} loopback tests * passes {udp,tcp}x{v6} remote tests
2011-03-25Clarify --tmp-dir optionchantra2-1/+18
Signed-off-by: chantra <chantra@debuntu.org> Acked-By: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-03-25Use a version-less version identifier on the master branchDavid Sommerseth1-1/+1
Signed-off-by: David Sommerseth <davids@redhat.com>
2011-03-25common_name passing in auth_pam pluginJoe Patterson2-3/+10
Added the ability to have "COMMONNAME" replaced with certificate common name in pam conversation. Signed-off-by: Joe Patterson <j.m.patterson@gmail.com> Acked-By: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-03-25Fixed typo in plugin.hStefan Hellermann1-1/+1
An additional ';' had sneaked in commit 4c4b8cedfa98e8892a53. Let's kick it out again. Signed-off-by: Stefan Hellermann <stefan@the2masters.de> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-03-25plugin.h: update prototype of plugin_call dummy in !ENABLE_PLUGIN caseStefan Hellermann1-1/+3
Commit 2db5a0ac3e053857d97e468de53e70a605f54561 adds two arguments to plugin_call(...), but missed the !ENABLE_PLUGIN case. With !ENABLE_PLUGIN, plugin_call(...) is only a dummy, so add these two parameters there too. Signed-off-by: Stefan Hellermann <stefan@the2masters.de> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-03-25Separate the general plug-in version constant and v3 plug-in structs versionDavid Sommerseth3-4/+18
After a review of the second round of the v3 plug-in implementation, it was decided to use a separate constant defining the version of the structs used for argument and return value passing, instead of OPENVPN_PLUGIN_VERSION. To not make it too complex, this patch uses a shared version constant for all the v3 structures. It is not expected that these structures will change too much and too often. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2011-03-25Added a simple plug-in demonstrating the v3 plug-in API.David Sommerseth1-0/+245
To build the plug-in, do ./build log_v3 in the plugin/examples directory.

This plug-in can be tested by running an OpenVPN server like this:

    # ./openvpn --plugin plugin/examples/log_v3.so --dev tun \
        --server 192.168.240.0 255.255.255.0 --ca sample-keys/ca.crt \
        --cert sample-keys/server.crt --key sample-keys/server.key \
        --dh sample-keys/dh1024.pem

The client can be started like this:

    # ./openvpn --client --remote localhost --ca sample-keys/ca.crt \
        --cert sample-keys/client.crt --key sample-keys/client.key \
        --dev tun --nobind --auth-user-pass

This plug-in will only log arguments and environment variables it receives during all the different plug-in phases OpenVPN currently supports. It will also parse the X509 certificate information given during the TLS_VERIFY phase.

Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Acked-by: James Yonan <james@openvpn.net>
2011-03-25Extend the v3 plug-in API to send over X509 certificatesDavid Sommerseth9-16/+32
The certificates sent to the plug-in API will only happen during the OPENVPN_PLUGIN_TLS_VERIFY phase and will contain a pointer to the OpenSSL X509 certificate data. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2011-03-25Implement the core v3 plug-in function calls.David Sommerseth1-2/+27
Let OpenVPN call the openvpn_plugin_open_v3() and openvpn_plugin_func_v3() plug-in functions if they exist in the plug-in. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2011-03-25Define the new openvpn_plugin_{open,func}_v3() APIDavid Sommerseth3-3/+227
This just implements the basic API changes needed for the newer and more flexible plug-in API. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2011-03-25Provide 'dev_type' environment variable to plug-ins and script hooksDavid Sommerseth3-0/+8
Normally OpenVPN is configured with --dev {tun,tap}, but it is also possible to use --dev myvpn instead. In these situations, OpenVPN will request --dev-type as well to be able to set up a tun or tap device properly. The 'dev' environment variable will contain the value provided by --dev. In those cases where the plug-in/script need to behave differently when using a tun device versus using a tap device, there are no possibilities for it to know what kind of device --dev myvpn would be. This patch adds a 'dev_type' environment variable which contains a string of the device type, either automatically discovered based on the --dev name, or set using the --dev-type option. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2011-03-25Misc fixes to r6708.James Yonan8-51/+72
Fixed issue where "signal SIGTERM" entered from the management interface might get subsequently downgraded to a SIGUSR1. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6716 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-03-25Added "management-external-key" option. This option can be usedJames Yonan10-59/+433
instead of "key" in client mode, and allows the client to run without the need to load the actual private key. When the SSL protocol needs to perform an RSA sign operation, the data to be signed will be sent to the management interface via a notification as follows:

    >RSA_SIGN:[BASE64_DATA]

The management interface client should then sign BASE64_DATA using the private key and return the signature as follows:

    rsa-sig
    [BASE64_SIG_LINE]
    .
    .
    .
    END

This capability is intended to allow the use of arbitrary cryptographic service providers with OpenVPN via the management interface.

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6708 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-03-25Fixed compiling issues when using --disable-cryptoJames Yonan1-0/+1
Peter Korsgaard <jacmet@sunsite.dk> reported an issue [1] when compiling with --disable-crypto activated. He suggested a patch, which only partly solved the issue. SVN r6568 / commit 3cf9dd88fd84108 added a new feature which further made it impossible to compile without crypto. This patch fixes both issues, based on Peter Korsgaard's patch. [1] <http://sourceforge.net/mailarchive/forum.php?thread_name=87fwx08bod.fsf%40macbook.be.48ers.dk&forum_name=openvpn-devel> Signed-off-by: James Yonan <james@openvpn.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-03-25Add extv3 X509 field support to --x509-username-fieldMarkus Koetter2-1/+71
This allows using other X509 certificate fields for the certificate authentication. To use altSubjectName, use --x509-username-field ext:altSubjectName This feature requires OpenVPN to be built with --enable-x509-alt-username This patch is slightly modified, to honour --enable-x509-alt-username compile time configuration. Two #ifdef's are added. Signed-off-by: Markus Koetter <koetter@rrzn-hiwi.uni-hannover.de> Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-03-24Preparing for the v2.2-RC2 releasev2.2-RC2David Sommerseth2-2/+24
Signed-off-by: David Sommerseth <davids@redhat.com>
2011-03-24Windows cross-compile cleanupAlon Bar-Lev4-26/+26
It should be sufficient to just try to see if socklen_t is defined. Next, on all platforms it would be int in all other platforms. And, there is no need to check for the type in monolithic environment like Windows, as it will be always the same. Currently it fails cross compile windows in mingw-w64 compiler, as winsock.h is as follows: """ /* define WINSOCK_API_LINKAGE and WSAAPI for less * diff output between winsock.h and winsock2.h, but * remember to undefine them at the end of file */ """ And the macro uses these macros which are internal winsock macros and should not be used anyway. Also, when did the autodefs.h go mandatory? Why is it in tap-win32/common.h while no constant is actually used? The use of WSA_IO_INCOMPLETE without including winsock2.h is invalid! Look at http://msdn.microsoft.com/en-us/library/aa921087.aspx Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-03-24Clarified --client-config-dir section on the man-page.Samuli Seppänen1-1/+3
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-03-24Clarify default value for the --inactive option.David Sommerseth1-1/+1
It is not clear in the manual that this feature is disabled by default. Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
2011-03-24Open log files as text files on WindowsDavid Sommerseth1-1/+1
By giving the "t" flag to _fdopen() on Windows, the file will be opened in a "translate mode", where it will take care of converting \n to \r\n, and also look for the CTRL-Z mark when opening the log file in append mode. Reference: <http://msdn.microsoft.com/en-us/library/dye30d82%28VS.80%29.aspx> Thanks to Alon Bar-Lev for pointing out this solution. Reported-by: Thomas Reifferscheid Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de>
2011-03-23Fixes to Makefile.amSamuli Seppänen1-2/+2
Removed reference to config-win32.h, which has been removed. Added management-notes.txt to dist_doc_DATA. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-03-21Updated INSTALL-win32.txtSamuli Seppänen1-11/+12
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-03-21Replaced config-win32.h with win/config.h.inSamuli Seppänen8-358/+372
The original config-win32.h - a static header file - has been superseded by both "domake-win" script and the new Python-based buildsystem. Transformed it into a template file, win/config.h.in, which obtains the most commonly used build parameters from win/settings.in. Added support code to win/config.py and win/wb.py to preprocess win/config.h.in and copy it to config.h, from where source and header files can find it. Removed all references to config-win32.h. Also removed obsolete PACKAGE_BUGREPORT and USE_PTHREAD variables from the win/config.h.in file. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-03-21Fixes to win/openvpn.nsiSamuli Seppänen1-2/+17
Added support for generating installer with unsigned TAP drivers. Fixed Windows Vista/7 Start menu shortcut uninstall failure. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-03-21Added support for prebuilt TAP-drivers. Automated embedding manifests.Samuli Seppänen6-79/+111
Removed win/make_dist.py's dependency on TAP-driver and tapinstall.exe building. Also added manifest embedding commands to win/make_dist.py. To avoid duplicate code moved the "build_vc" method from win/build.py to win/wb.py and renamed it "run_in_vs_shell". Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-03-10Implement IPv6 in TUN mode for Windows TAP driver.Gert Doering3-4/+254
* install-win32/settings.in: bump version to 9.7, TAP_RELDATE to "07/03/2010". * tap-win32/proto.h: add data types and definitions needed for IPv6 * tap-win32/types.h: add m_UserToTap_IPv6 ethernet header for IPv6 packets * tap-win32/tapdrvr.c: implement support for IPv6 in TUN mode: - IPv6 packets User->OS need correct ether type - IPv6 packets OS->User get correctly forwarded - IPv6 neighbour discovery packets for "fe80::8" (magic address installed as route-nexthop by OpenVPN.exe) get answered locally (cherry picked from commit 175e17a5abd5969f6803a9cc9587b7959e1100ae) Signed-off-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-03-01Fix line continuation in chkconfig init script description.Ville Skyttä1-4/+4
See the chkconfig(8) man page for details. Signed-off-by: Ville Skyttä <ville.skytta@iki.fi> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-02-28Fix packaging of config-win32.h and service-win32/msvc.makv2.2-RCDavid Sommerseth2-3/+6
The config-win32.h and service-win32/msvc.mak were not included into the final source balls when using 'make dist', which is crucial for Windows building. Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Samuli Seppänen <samuli@openvpn.net>
2011-02-28Preparing for the OpenVPN 2.2-RC releaseDavid Sommerseth2-2/+30
Signed-off-by: David Sommerseth <davids@redhat.com>
2011-02-28Temporary snprintf-related fix to service-win32/openvpnserv.cSamuli Seppänen1-2/+1
This is intended just as a TEMPORARY solution to get the 2.2-RC released. The intention is to get this fixed with a better solution for the final 2.2 release. This patch has also been discussed here: http://thread.gmane.org/gmane.network.openvpn.devel/4325/ The only reason for this patch to be accepted in its current shape, is that it will be fixed before the final 2.2 release. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
2011-02-27Changes to buildsystem patchsetSamuli Seppänen4-26/+34
Implemented changes to the buildsystem patchset suggested by jamesyonan in IRC meeting on 17th Feb 2010: 1) Remove variables added to version.m4 and use win/settings.in instead 2) Add ENABLE_<FEATURE> configuration to win/settings.in instead of parsing config-win32.h for them This patch applies on top of the previous 13 patches. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-02-27Added first version of NSI installer script to win/openvpn.nsiSamuli Seppänen1-0/+802
This win/openvpn.nsi file is a heavily cleaned-up version of the install-win32/openvpn.nsi file. The key differences: - paths have been adapted to new buildsystem's requirements - obsolete XGUI support has been removed - unused Windows version detection has been removed - variables specific to new build system (win/settings.in, version.m4) are imported - a few new installer options have been introduced: - install lzo2.dll - install msvcr90.dll (a requirement from VS2008 builds) Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-02-27Copied install-win32/setpath.nsi to win/setpath.nsiSamuli Seppänen1-0/+231
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-02-27Several modifications to win/make_dist.py to allow building the NSI installerSamuli Seppänen1-3/+25
Added copying of all remaining openvpn dependencies to dist directory so that the NSI installer script (win/openvpn.nsi) can find and use them more easily. This includes openvpn.exe, openvpnserv.exe, libpkcs11-helper-1.dll, openssl.exe, and example files. The associated, external DDL/manifest files are copied also, so that embedding them with mt.exe is easier. This is a temporary solution until nmake makefiles are modified to automate this process, except for a few of the library dependencies (lzo2.dll and libpkcs11-helper-1.dll). Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-02-27Added comments to win/build_ddk.pySamuli Seppänen1-0/+1
Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-02-27Added openvpnserv.exe building to win/build.pySamuli Seppänen1-1/+8
Made win/build.py call nmake in service-win32 directory to build openvpnserv.exe after main build (openvpn.exe) has finished. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-02-27Added configure.h and version.m4 variable parsing to win/config.pySamuli Seppänen1-1/+3
Python-based buildsystem uses win/config.py to obtain global build parameters from various sources. Added parsing of the (fake) configure.h and version.m4 to it so that other Python build files can use them. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-02-27Added command-line switch to win/build_all.py to skip TAP driver buildingSamuli Seppänen1-7/+16
Modified win/build_all.py so that by giving -n or --notap switch the TAP driver is not built. This is useful if using prebuilt TAP drivers, or when WinDDK is not installed. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-02-27Added comments and made small modifications to win/msvc.mak.inSamuli Seppänen1-16/+16
The win/msvc.mak.in file is used as basis for msvc.mak file which drives openvpn.exe building. This change separates output file from LINK32_FLAGS and adds helpful comments to the win/msvc.mak.in file. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-02-27Added support for viewing config-win32.h parameters to win/show.pySamuli Seppänen1-3/+3
The win/show.py tool is used to view build parameters interactively. This changes it so that it displays parameters parsed from config-win32.h in addition to those from win/settings.in. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-02-27Added helper functionality to win/wb.pySamuli Seppänen1-0/+99
This change adds several helper functions to win/wb.py: - config-win32.h parser (to read build configuration options) - helper function to cd to service-win32 for openvpnserv.exe building - code to dynamically generate TAP-driver -related variables from version.m4, required by tap-win32/tapdrv.c - configure.h generator to allow viewing build options using openvpn --version - creation of temporary version.m4-based file to allow importing its variables to the NSI installer script (win/openvpn.nsi) - helper function to rename files (used in win/make_dist.py) Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-02-27Moved TAP-driver version info to version.m4. Cleaned up win/settings.in.Samuli Seppänen2-17/+13
Previously parts of TAP-driver version information were stored in win/settings.in. This patch moves all of it to version.m4. This patch also cleans up and adds comments to win/settings.in Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-02-27Added a nmake makefile for openvpnserv.exe buildingSamuli Seppänen1-0/+30
This change adds a nmake makefile (service-win32/msvc.mak) which allows building openvpnserv.exe using the new Python-based buildsystem. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-02-27Added ENABLE_PASSWORD_SAVE to config-win32.hSamuli Seppänen1-0/+3
This change adds ENABLE_PASSWORD_SAVE to config-win32.h. This option is also defined in win/settings.in, but it does not have any effect there. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-02-18Added "client-nat" option for stateless, one-to-oneJames Yonan15-17/+490
NAT on the client side. Version 2.1.3i. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6944 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-02-14Properly handle certificate serial numbers > 32 bits.James Yonan2-4/+12
Version 2.1.3h git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6931 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-02-14Fixes to r6925.James Yonan1-3/+3
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6927 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-02-14Implemented get_default_gateway_mac_addr for Mac OS X (previously,James Yonan3-59/+125
was only defined for Windows and Linux). This enables OS X to report the MAC address of the default gateway to the server for ID purposes when client-side --push-peer-info option is specified. Also, minor fix to OS X get_default_gateway function: * include net/route.h directly rather than selectively paste stuff from it into route.c git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6925 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-01-18Fixed minor compile issue triggered on builds whereJames Yonan1-1/+1
MANAGEMENT_DEF_AUTH is not enabled. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6830 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-01-10* added --management-up-down option to allow management interfaceJames Yonan6-21/+55
to be notified of tunnel up/down events. * pulled --ip-win32 options will be suppressed on the client if --route-nopull option is specified. Version 2.1.3f git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6813 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-01-06Fix compiler warning when compiling against OpenSSL 1.0.0David Sommerseth1-1/+1
The declaration of SSL_get_current_cipher() has changed to return a const value. And this makes compilers a little bit grumpy. gcc: ssl.c: In function ‘print_details’: ssl.c:1918: warning: assignment discards qualifiers from pointer target type Visual C: ssl.c (1918): warning C4019: '=' : different 'const' qualifiers Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 7bd3cea4c2f2aa8ed1bf548a3233ae2c3619d47d)
2011-01-05Added --x509-track option.James Yonan10-4/+186
Version 2.1.3e git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6780 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-12-20Minor addition of logging info before and afterJames Yonan1-0/+2
execution of Windows net commands. Version 2.1.3d git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6712 e7ae566f-a301-0410-adde-c780ea21d3b5 Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> (cherry picked from commit 7621741b480f93411928c66735d2ee9c7f69de3b)
2010-12-17Make the --x509-username-field feature an opt-in featureDavid Sommerseth4-0/+23
After some discussion [1] regarding an extension of this feature, James Yonan wanted this extension to be an opt-in feature. However, as it does not make sense to opt-in on an extension of a feature which was discussed, this patch makes the base feature an opt-in instead. The base feature comes from commit 2e8337de248ef0b5b48cbb2964 (beta2.2) and commit 935c62be9c0c8a256112 (feat_misc). [1] http://thread.gmane.org/gmane.network.openvpn.devel/4266 Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: James Yonan <james@openvpn.net> (cherry picked from commit 024972e2ced84c6e5cabc43620ab510e5693d1d4)
2010-12-13Misc fixes to r6708.James Yonan8-51/+72
Fixed issue where "signal SIGTERM" entered from the management interface might get subsequently downgraded to a SIGUSR1. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6716 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-12-10Minor addition of logging info before and afterJames Yonan2-1/+3
execution of Windows net commands. Version 2.1.3d git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6712 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-12-09Added "management-external-key" option. This option can be usedJames Yonan10-59/+433
instead of "key" in client mode, and allows the client to run without the need to load the actual private key. When the SSL protocol needs to perform an RSA sign operation, the data to be signed will be sent to the management interface via a notification as follows:

    >RSA_SIGN:[BASE64_DATA]

The management interface client should then sign BASE64_DATA using the private key and return the signature as follows:

    rsa-sig
    [BASE64_SIG_LINE]
    .
    .
    .
    END

This capability is intended to allow the use of arbitrary cryptographic service providers with OpenVPN via the management interface.

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6708 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-12-04Change variadic macros to C99 style.Matthias Andree1-4/+4
The macros used GCC's pre-C99 syntax, which could not be compiled with Microsoft Visual Studio 2008. Note this breaks compatibility with GCC versions before 3.0, which is deemed safe in a discussion on IRC with David Sommerseth and Samuli Seppänen on #openvpn-devel (RHEL 3 uses GCC 3.2 already). Compile tested on VS2008 by Samuli, on Cygwin GCC 3.4 and GCC 4.3 by myself. Signed-off-by: Matthias Andree <matthias.andree@gmx.de> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> (cherry picked from commit 9469168e3abb09bd78297208a917ee4d9c025041)
2010-11-25Prepared v2.2-beta5 for releasev2.2-beta5David Sommerseth2-1/+6
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-11-25Merge branch 'feat_misc' into beta2.2David Sommerseth1-1/+1
2010-11-25Fixed an issue causing a build failure with MS Visual Studio 2008.Samuli Seppänen1-1/+1
The new SOCKS auth code in socks.c contained a call to sprintf instead of openvpn_sprintf. This caused build to fail if MS Visual Studio 2008 C compiler was used. This change fixes that issue. Signed-off-by: Samuli Seppänen <samuli@openvpn.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-11-21Prepared for v2.2-beta4 for releasev2.2-beta4David Sommerseth2-2/+2
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-11-18Updated ChangeLog with info about last mergesDavid Sommerseth1-0/+39
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-11-18Merge branch 'feat_misc' into beta2.2David Sommerseth46-1064/+60
Conflicts: acinclude.m4 config-win32.h configure.ac misc.c thread.c thread.h - These conflicts were mainly due to feat_misc getting old and mostly caused by the pthread clean-up patches in feat_misc Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>