aboutsummaryrefslogtreecommitdiff
path: root/forward.c (follow)
AgeCommit message (Collapse)AuthorFilesLines
2011-04-26Merge branch 'svn-branch-2.1' into mergeDavid Sommerseth1-8/+24
Pulling in changes from James' 2.1/openvpn branch in SVN. Conflicts: buffer.c init.c manage.h multi.c openvpn.8 options.c ssl.c version.m4 win/sign.py Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2011-04-26Added "auth-token" client directive, which is intended to beJames Yonan1-2/+3
pushed by server, and that is used to offer a temporary session token to clients that can be used in place of a password on subsequent credential challenges. This accomplishes the security benefit of preventing caching of the real password while offering most of the advantages of password caching, i.e. not forcing the user to re-enter credentials for every TLS renegotiation or network hiccup. auth-token does two things: 1. if password caching is enabled, the token replaces the previous password, and 2. if the management interface is active, the token is output to it: >PASSWORD:Auth-Token:<token> Also made a minor change to HALT/RESTART processing when password caching is enabled. When client receives a HALT or RESTART message, and if the message text contains a flags block (i.e. [FFF]:message), if flag 'P' (preserve auth) is present in flags, don't purge the Auth password. Otherwise do purge the Auth password. Version 2.1.3o git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7088 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26Client will now try to reconnect if no push reply receivedJames Yonan1-2/+2
within handshake-window seconds. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7066 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-26Extended "client-kill" management interface command (server-side)James Yonan1-2/+9
to accept an optional message string. The message string format is: RESTART|HALT,<human-readable-message> RESTART will tell the client to restart (i.e. SIGUSR1). HALT will tell the client to exit (i.e. SIGTERM). On the client, human-readable-message will be communicated via management interface: >NOTIFY,<severity>,<type>,<human-readable-message>" Version 2.1.3m git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@7063 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-04-24Enable IPv6 Payload in OpenVPN p2mp tun server mode. 20100104-1 release.Gert Doering1-1/+2
(cherry picked from commit ec9dce6387afd198881493bfebf13bb121e8a56b)
2011-03-25Misc fixes to r6708.James Yonan1-24/+12
Fixed issue where "signal SIGTERM" entered from the management interface might get subsequently downgraded to a SIGUSR1. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6716 e7ae566f-a301-0410-adde-c780ea21d3b5
2011-02-18Added "client-nat" option for stateless, one-to-oneJames Yonan1-2/+10
NAT on the client side. Version 2.1.3i. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6944 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-12-13Misc fixes to r6708.James Yonan1-24/+12
Fixed issue where "signal SIGTERM" entered from the management interface might get subsequently downgraded to a SIGUSR1. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6716 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-11-18Merge branch 'feat_misc' into beta2.2David Sommerseth1-10/+0
Conflicts: acinclude.m4 config-win32.h configure.ac misc.c thread.c thread.h - These conflicts was mainly due to feat_misc getting old and mostly caused by the pthread clean-up patches in feat_misc Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-11-14Clean-up: Remove more dead and inactive code pathsDavid Sommerseth1-10/+0
These code paths was practically not needed with no locking mechanisms enabled and was just bloating the source code. Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: James Yonan <james@openvpn.net>
2010-10-21Exclude ping and control packets from activityDavide Brini1-2/+3
Problem: using --ping and --inactive together partially defeats the point of using --inactive as periodic ping packets are counted as activity. Here is the original discussion: http://article.gmane.org/gmane.network.openvpn.devel/3676 It turns out that "activity" is detected and recorded in two places in the code, both in forward.c: in process_outgoing_tun() for received packets, after they've been decrypted and sent to the TUN device; and in process_outgoing_link(), after they've been encrypted and written to the network socket. In the first case we can be sure that packets that get so far are really due to user activity, whereas in the second case there can be non-user packets (like OpenVPN's internal ping packets, and TLS control packets), and those should not be counted as activity as they are not coming from the user. So a need arises to detect those control packets and not count them as activity for the purposes of --inactive. Unfortunately, at that stage packets are already compressed and encrypted, so it's not possible to look into them to see what they are. However, there seems to be a convention in the code that packets whose buffer length in the context_2 structure is 0 should be ignored for certain purposes. TLS control packets follow that convention already, so this patch makes a small change in the code that generates the ping packets to set their buffer length to 0 as well. Finally, the call to register_activity() in process_outgoing_link() is made conditional to the buffer length being > 0. According to my tests, now --inactive behaves correctly according to the configured parameters (time or time+bytes) even when --ping is being used. forward.c: Call register_activity() in process_outgoing_link() only if the packet is not a ping or TLS control packet. openvpn.8: Updated the description of --inactive to describe the new semantics. ping.c: Set c->c2.buf.len = 0 after the ping packet has been generated and encrypted. Test routine is described here: <https://community.openvpn.net/openvpn/wiki/PingInactivePatch?version=6> Signed-off-by: Davide Brini <dave_br@gmx.com> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
2010-10-21verb 5 logging wrongly reports received bytesDavid Sommerseth1-2/+2
With --verb 5, openvpn logs a single letter (rwRW) for each package received or sent. I recently ran into a problem with the tun device on Linux where the read from that device returned 0. Unfortunately this was also logged as "r", which made me assume that openvpn had received something, while it actually hadn't. (See https://dev.openwrt.org/ticket/6650 for the bug that made me find out about this problem with openvpn.) I'm attaching a patch which prevents openvpn from logging "r" or "R" when it didn't actually read anything. This is against openvpn 2.1-rc20, but probably still applies to the most recent version. This patch was received anonymously via the sf.net bug tracker: <http://sourceforge.net/tracker/?func=detail&atid=454719&aid=2951003&group_id=48978> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2010-05-24Implemented http-proxy-override and http-proxy-fallback directives to make itJames Yonan1-3/+14
easier for OpenVPN client UIs to start a pre-existing client config file with proxy options, or to adaptively fall back to a proxy connection if a direct connection fails. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5652 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-04-28Updated copyright date to 2010.James Yonan1-1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5599 e7ae566f-a301-0410-adde-c780ea21d3b5
2010-02-19verb 5 logging wrongly reports received bytesDavid Sommerseth1-2/+2
With --verb 5, openvpn logs a single letter (rwRW) for each package received or sent. I recently ran into a problem with the tun device on Linux where the read from that device returned 0. Unfortunately this was also logged as "r", which made me assume that openvpn had received something, while it actually hadn't. (See https://dev.openwrt.org/ticket/6650 for the bug that made me find out about this problem with openvpn.) I'm attaching a patch which prevents openvpn from logging "r" or "R" when it didn't actually read anything. This is against openvpn 2.1-rc20, but probably still applies to the most recent version. This patch was received anonymously via the sf.net bug tracker: <http://sourceforge.net/tracker/?func=detail&atid=454719&aid=2951003&group_id=48978> Signed-off-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: David Sommerseth <dazo@users.sourceforge.net> Acked-by: Gert Doering <gert@greenie.muc.de>
2009-11-19Fixed a client-side bug that occurred when the "dhcp-pre-release"james1-1/+2
or "dhcp-renew" options were combined with "route-gateway dhcp". The problem is that the IP Helper functions for DHCP release and renew are blocking, and so calling them from a single-threaded client stops tunnel traffic forwarding, and hence breaks "route-gateway dhcp" which requires an active tunnel. The fix is to call the IP Helper functions for DHCP release and renew from another process. Version 2.1_rc21b. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5164 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-10-01client-kill management interface command, when issued on server, willjames1-4/+7
now send a RESTART message to client. This feature is intended to make UDP clients respond the same as TCP clients in the case where the server issues a RESTART message in order to force the client to reconnect and pull a new options/route list. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5021 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-09-28Added --server-poll-timeout option : when polling possible remotejames1-0/+17
servers to connect to in a round-robin fashion, spend no more than n seconds waiting for a response before trying the next server. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5010 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-09-16Modified client to send a PUSH_REQUEST message to server 1 secondjames1-4/+5
after connection initiation rather than 0 seconds after. Successive PUSH_REQUEST messages after the first will continue to be sent at 5 second intervals until a response is received. This tends to speed up the client connection sequence by 4 seconds because the first PUSH_REQUEST message is usually sent too soon and is dropped, causing a wait of 5 seconds until the next PUSH_REQUEST message is sent. Version 2.1_rc19d git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4965 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-08-23Added "load-stats" management interface command to get globaljames1-0/+6
server load statistics. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4844 e7ae566f-a301-0410-adde-c780ea21d3b5
2009-05-30Update copyright to 2009.james1-1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@4477 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-24Extended Management Interface "bytecount" commandjames1-3/+13
to work when OpenVPN is running as a server. Documented Management Interface "bytecount" command in management/management-notes.txt. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3452 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-10-06Copyright notice changed to reflect change in name ofjames1-1/+1
Telethra to OpenVPN Technologies. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3409 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-09-30Management interface can now listen on a unixjames1-4/+4
domain socket, for example: management /tmp/openvpn unix Also added management-client-user and management-client-group directives to control which processes are allowed to connect to the socket. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3396 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-08-02Added "--server-bridge" (without parameters) to enablejames1-1/+11
DHCP proxy mode: Configure server mode for ethernet bridging using a DHCP-proxy, where clients talk to the OpenVPN server-side DHCP server to receive their IP address allocation and DNS server addresses. Added "--route-gateway dhcp", to enable the extraction of the gateway address from a DHCP negotiation with the OpenVPN server-side LAN. Modified client.conf and server.conf to reflect new option modes. Incremented version to 2.1_rc9a. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3164 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-07-14Copyright change OpenVPN Solutions LLC -> Telethra, Inc.james1-1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3048 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-06-11Updated copyright notice to 2008.james1-1/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2995 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-06-11Merged connection profiles fromjames1-2/+2
http://svn.openvpn.net/projects/openvpn/test/conn git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2993 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-06-11Updated version to 2.1_rc7e.james1-1/+1
Added client authentication and packet filtering capability to management interface. Extended packet filtering capability to work on both --dev tun and --dev tap tunnels. Updated valgrind-suppress file. Made "Linux ip addr del failed" error nonfatal. Amplified --client-cert-not-required warning. Added #pragma pack to proto.h. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2991 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-06-04Incremented version to 2.1_rc7d.james1-0/+4
Support asynchronous authentication by plugins by allowing OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY to return OPENVPN_PLUGIN_FUNC_DEFERRED. See comments in openvpn-plugin.h for documentation. Enabled by ENABLE_DEF_AUTH. Added a simple packet filter functionality that can be driven by a plugin. See comments in openvpn-plugin.h for documentation. Enabled by ENABLE_PF. See openvpn/plugin/defer/simple.c for examples of ENABLE_DEF_AUTH and ENABLE_PF. "TLS Error: local/remote TLS keys are out of sync" is no longer a fatal error for TCP-based sessions, since the error can arise normally in the course of deferred authentication. In a related change, allow packet-id sequence to begin at some number n > 0 for TCP sessions, rather than strictly requiring sequence to begin at 1. Added a test to configure.ac for LoadLibrary function on Windows. Modified "make dist" function to include all files from install-win32 so that ./domake-win can be run from a tarball-expanded directory. setenv and setenv-safe directives may now omit a value argument which defaults to "". git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2978 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-05-24Support asynchronous/deferred authentication injames1-3/+9
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY plugin handler. See documentation in openvpn-plugin.h and example usage in plugin/defer/simple.c. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2969 e7ae566f-a301-0410-adde-c780ea21d3b5
2008-05-12Moved branch into official BETA21 position.james1-6/+0
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2959 e7ae566f-a301-0410-adde-c780ea21d3b5
2006-06-11Added optional minimum-number-of-bytesjames1-7/+6
parameter to --inactive directive. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@1036 e7ae566f-a301-0410-adde-c780ea21d3b5
2006-02-16Added --port-share option for allowing OpenVPN and HTTPSjames1-8/+22
server to share the same port number. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@893 e7ae566f-a301-0410-adde-c780ea21d3b5
2006-02-10Added "bytecount" command to management interface.james1-0/+8
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@887 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-12-22--ip-win32 adaptive is now the default.james1-1/+12
--ip-win32 netsh (or --ip-win32 adaptive when in netsh mode) can now set DNS/WINS addresses on the TAP-Win32 adapter. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@857 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-12-14svn merge -r 845:854 $SO/trunk/openvpn .james1-0/+1
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@855 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-10-31Windows reliability changes:james1-3/+7
* Added code to make sure that the local PATH environmental variable points to the Windows system32 directory. * Added new --ip-win32 adaptive mode which tries 'dynamic' and then fails over to 'netsh' if the DHCP negotiation fails. * Made --ip-win32 adaptive the default. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@739 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-10-26svn merge -r 672:731 $SO/trunk/openvpnjames1-8/+9
Merged multi.c:1586 assertion fix attempt from trunk. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@732 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-10-20Added actual remote address used to the ">STATE" alertjames1-0/+1
in the management interface (Rolf Fokkens). git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@701 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-10-19svn merge -r 670:672 $SO/trunk/openvpnjames1-8/+2
Brought up-to-date with 2.0.x branch. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@673 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-10-15Minor style cleanup for --enable-pedantic.james1-2/+2
Still need some pedantic cleanup in pkcs11.c. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@624 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-10-15svn merge -r 618:619 $SO/patches/openvpn-2-0_rc16-mh/openvpnjames1-10/+15
Merged --multihome patch + aggregated sockflags. Pre-2.1_beta3 git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@622 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-10-02version 2.1_beta1james1-2/+2
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@588 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-09-26version 2.1_beta1james1-2/+39
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@581 e7ae566f-a301-0410-adde-c780ea21d3b5
2005-09-26This is the start of the BETA21 branch.james1-0/+1402
It includes the --topology feature, and TAP-Win32 driver changes to allow non-admin access. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@580 e7ae566f-a301-0410-adde-c780ea21d3b5