By default the first enum value is 0.
But we check whether we set the flag by doing
BOOL dnssec = (msg->flags & nrpt_dnssec) != 0;
This can't ever be true.
Found by cppcheck.
Change-Id: Iff5be978817bfc0cd4d78818e7be7b90bad71f3c
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1606
Message-Id: <20260405102209.31528-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36487.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 08a19843a1)
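The flag-test bug described in the commit above, shown as an added C example (not OpenVPN's own code; the enum and function names are hypothetical reconstructions):

```c
#include <stdbool.h>
#include <stdint.h>

/* Added illustration of the bug described in the commit; not OpenVPN's own
 * header. Enumerator and function names are hypothetical. */

/* Buggy layout: the first enumerator defaults to 0, so it has no bit to test. */
enum nrpt_flags_buggy {
    nrpt_dnssec_buggy,          /* implicitly 0 */
    nrpt_other_buggy            /* implicitly 1 */
};

/* Fixed layout: every flag is an explicit, distinct single bit. */
enum nrpt_flags_fixed {
    nrpt_dnssec_fixed = 1 << 0,
    nrpt_other_fixed  = 1 << 1
};

/* The check as written against the buggy enum: (flags & 0) is always 0,
 * so this returns false no matter what flags holds. */
bool dnssec_set_buggy(uint32_t flags)
{
    return (flags & nrpt_dnssec_buggy) != 0;
}

/* The same check against the fixed enum behaves as intended. */
bool dnssec_set_fixed(uint32_t flags)
{
    return (flags & nrpt_dnssec_fixed) != 0;
}

/* Sanity check for flag enumerators: a usable bit flag must be non-zero
 * and a power of two. Running this over every enumerator in a unit test
 * catches a zero-valued flag before a static analyser has to. */
bool is_valid_bit_flag(uint32_t v)
{
    return v != 0 && (v & (v - 1)) == 0;
}
```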
Done with pre-commit run -a, so the version
defined in pre-commit config is used.
This also changes the GitHub workflow so that
there is no commit that fails GHA.
Change-Id: I2566ad493629e1f5fdfa6f6483b8973463404e3e
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250804151853.10565-1-gert@greenie.muc.de>
URL: https://gerrit.openvpn.net/c/openvpn/+/791
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This removes the postal address of the FSF and replaces
it with their URL.
Mostly generated with
sed -i -e 's@if not, write to the Free Software Foundation, Inc.,\
@if not, see <https://www.gnu.org/licenses/>.@'
sed -i -e '/51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA/d'
sed -i -e '/59 Temple Place, Suite 330, Boston, MA 02111-1307 USA/d'
With some manual fix-ups afterwards.
Change-Id: Ic3959970fa9ab993e98d4b38c025fd0efc7b92f2
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250803145126.23494-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32481.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Since DCO supports modern ciphers and server mode,
there is no reason to support Wintun anymore.
This also removes --windows-driver option support. The
default driver is DCO, as it has been since 2.6. If for
some reason one doesn't want to use it, the --disable-dco
multiplatform option will switch to tap-windows6.
Change-Id: I43ec390040bffeec05270271ea7fb54fb219c536
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20250513151006.13617-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31631.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The installer currently creates one adapter per driver. When a user tries
to start a second VPN connection while another is active, the client
fails with an unclear error message:
"All ovpn-dco adapters on this system are currently in use or disabled."
This message does not guide the user toward resolving the issue, such as by
running the shortcut "Add a new dco-win virtual network adapter."
To improve user experience, the client will now create an adapter on demand
when no available adapters exist. The client sends a command specifying
the adapter type to the interactive service, which then executes tapctl.exe
to create a new adapter.
This feature requires the interactive service, but this should not pose a
problem since even our automatic service has recently started relying on the
interactive service.
GitHub: OpenVPN/openvpn#728
Change-Id: I621d44ec6b0facc524875c15ddfd11ec47b06c15
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20250510181937.2993-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31617.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Implement support for setting options from --dns. This is hugely
different from what we had so far with the DNS-related --dhcp-option.
The main difference is that we support split DNS and DNSSEC by making
use of NRPT (Name Resolution Policy Table). Also OpenVPN tries to keep
local DNS resolution working when DNS is redirected into the tunnel. To
prevent this from happening we have --block-outside-dns, in case you
wonder. Basically we collect domains and name server addresses from
network adapters and add so-called exclude NRPT rules in addition to the
catch-all rule that is pushed by the server.
All is done via the interactive service, since modifying all this
requires the elevated privileges that the openvpn process hopefully
doesn't have.
Change-Id: I576e74f3276362606e9cbd50bb5adbebaaf209cc
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20250414180636.31936-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31426.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
In an attempt to better defend against the TunnelCrack attacks, enforce
that no traffic can pass to anything other than the VPN interface when
the 'block-local' flag is given with either --redirect-gateway or
--redirect-private.
Reuse much of the existing --block-outside-dns code, but make it more
general, so that it can also block any traffic, not just port 53.
Uses the Windows Filtering Platform for enforcement in addition to the
routes redirecting the networks into the tunnel.
Change-Id: Ic9bf797bfc7e2d471998a84cb0f071db3e4832ba
Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240605123856.26267-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28717.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
At the moment WINS servers are set either:
- via DHCP, which works only for the tap-windows6 driver
- via netsh when running without the interactive service
This means that in the 2.6 default setup (interactive service and dco)
WINS is silently ignored.
Add WINS support for non-DHCP drivers (like dco) by passing
WINS settings to the interactive service and setting them there with
a netsh call, the same approach as we use for setting DNS.
Fixes https://github.com/OpenVPN/openvpn/issues/373
Change-Id: I47c22dcb728011dcedaae47cd03a57219e9c7607
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20230728131246.694-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26903.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Manually excluded ovpn_dco_win.h because it is an
imported file. ovpn_dco_linux.h is already excluded
because it still says 2021.
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230110160531.81010-1-frank@lichtenheld.com>
URL: https://patchwork.openvpn.net/project/openvpn2/patch/20230110160531.81010-1-frank@lichtenheld.com/
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Update performed by means of: dev-tools/update-copyright.sh
Cc: David Sommerseth <davids@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220125142456.18176-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23650.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Wintun requires ring buffer registration to be
performed by a privileged process. In order to use
openvpn with wintun as a non-Administrator, we
need to use the interactive service and shared memory
to register buffers.
The openvpn process creates a memory mapping object and an event
for the send and receive rings and passes the handles to the interactive
service. There the handles are duplicated and the memory-mapped
object is mapped into the address space of the service process.
Then the address of the mapped view and the event handle are passed to
the wintun kernel driver.
After the interactive service has performed the registration, the
openvpn process maps the memory-mapped object into its
own address space. Thus the mapped views in the openvpn
and service processes represent the same memory region.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Simon Rozman <simon@rozman.si>
Message-Id: <20191217125041.207-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19244.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Currently, if dhcp on the TAP interface is disabled, OpenVPN
on Windows tries to enable it using netsh but that succeeds only when
run with admin privileges.
When interactive service is available, delegate this task to the
service.
Trac: #1111
Tested on Windows 7
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1538510474-27602-2-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17517.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
In the autumn of 2017, OpenVPN Technologies, Inc changed its name to just
OpenVPN Inc. Otherwise, extend the copyright to cover 2018 as well.
With the exception of the company name change, all changes have been
performed by the dev-tools/update-copyright.sh script.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180131140314.11103-1-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16418.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The COPYRIGHT.GPL file was slightly out-of-sync with the last GPLv2
license from Free Software Foundation, Inc.
The changes are primarily a new address, which required touching almost
all the project files.
Apart from that, it is just minor adjustments to formatting, removal of
form-feed characters and referencing "GNU Lesser General Public License"
instead of "GNU Library General Public License".
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170329093648.10156-1-davids@openvpn.net>
URL: https://www.mail-archive.com/search?l=mid&q=20170329093648.10156-1-davids@openvpn.net
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This is the first commit of the big reformatting task. This
is performed by running the ./dev-tools/reformat-all.sh script.
This is based upon the v3 reformat-all.sh/uncrustify.conf version
which is now applied to git master.
Signed-off-by: David Sommerseth <davids@openvpn.net>
- Any existing addresses are deleted before adding
- On close_tun all addresses are deleted (only if any were added)
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1479958527-29491-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13222.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The call to the service returns promptly after delegating the job to
a thread, before the task is completed. In the thread, "net stop dnscache",
"net start dnscache", "ipconfig /flushdns" and "ipconfig /register-dns"
are executed in that order.
Parallel execution of these commands is prevented by a lock that is
common to all connections started by the service.
Note: "net stop .." is used instead of "sc stop.." as the latter can
return before the service has fully stopped (in STOP_PENDING state),
causing the subsequent start to fail.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1457671646-4322-1-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11354
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Add a new message type in openvpn-msg.h
- Pass msg_channel HANDLE to win_wfp_block_dns and win_wfp_uninit
- Add a handler in interactive.c for block_dns request
The service build now depends on block_dns.[ch] in src/openvpn
v2 changes:
- Make CmpEngine non-nested (be nice with non-gcc compilers)
- Print error code in hex
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1456457091-3872-2-git-send-email-selva.nair@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11265
Signed-off-by: Gert Doering <gert@greenie.muc.de>
v1: Heiko Hund
- Message-ID: <2215306.x9ci9DhAZ9@de-gn-40970>
- extend openvpn service to provide "automatic service" and "interactive
service" (which is used by GUI and OpenVPN to run openvpn non-privileged
and still be able to install routes and configure IPv6 addresses)
- add --msg-channel <n> option to openvpn to tell it which pipe to use
to talk to the interactive service (used in tun.c for ifconfig + ARP
flush, and route.c for routing)
- add openvpn-msg.h with message definitions for talking to interactive
service
- routing in openvpn uses message-pipe automatically if --msg-channel <n>
is configured, no other option needed
- today, the integration in route.c and tun.c is windows-only, but could
be adapted to other platforms
v2: Steffan Karger
- Message-ID: <548D9046.5000600@karger.me>
- include "openvpn-msg.h" not "include/openvpn-msg.h"
- add $(top_srcdir)/include to openvpnsrv build for out-of-tree builds
v3: Gert Doering, rebasing and integrating review feedback
- rebased to 417fe4a72c
- r->metric_defined is now r->flags & RT_METRIC_DEFINED (c3ef2d2333)
- move "openvpn-msg.h" include inside #ifdef WIN32 (windows-only right now)
- hide "msg_channel" extra option inside tt->tuntap_options, so we do not
need an extra argument to all the add/del_route...() functions
- do_route_ipv6_service(): use r->adapter index (if set) for RGI6 routes
Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Selva Nair <selva.nair@gmail.com> (Service changes)
Acked-by: Arne Schwabe <arne@rfc2549.org> (OpenVPN changes)
Message-Id: <1453835508-26119-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11027
Signed-off-by: Gert Doering <gert@greenie.muc.de>