OpenVPN
Arne Schwabe b520c68c67 Add connect-freq-initial option to limit initial connection responses
This limits the number of packets OpenVPN will respond to. This avoids
OpenVPN servers being abused for reflection attacks on a large scale
as we have gotten a lot more efficient with the cookie approach in our
initial connection handling.

The defaults of 100 attempts per 10s should work for most people,
especially since completed three way handshakes are not counted. So
the default will throttle connection attempts on servers with high packet
loss or that are actually under a DoS.

The 100 per 10s are similar in size to the old 2.5 and earlier behaviour
where every initial connection attempt would take up a slot of the
max-clients sessions and those would only expire after the TLS timeout.
This roughly translates to 1024 connection attempts in 60s on an
empty server.

OpenVPN will announce once per period when starting to drop packets and
ultimately how many packets it dropped:

    Connection Attempt Note: --connect-freq-initial 100 10 rate limit
    exceeded, dropping initial handshake packets for the next 10 seconds

    Connection Attempt Dropped 217 initial handshake packets due to
    --connect-freq-initial 100 10

to inform an admin about the consequences of this feature.

Patch v2: use strtol instead of atoi to be able to differentiate between
          an error parsing and parsing 0. Use int64_t instead of int to
          avoid overflow errors.

Patch v3: Add message when we start dropping. Add a few fixes to the logic.
          Improve docs.

Patch v4: missing return statement.
Patch v5: add build files for msvc build

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230110015901.933522-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25938.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
2023-01-10 08:04:05 +01:00
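The fixed-window behaviour the commit message describes (a budget of N initial handshake packets per P seconds, packets of completed handshakes not counted, one notice when dropping starts and a summary of how many packets were dropped, and strtol-style option parsing that rejects 0 and garbage instead of silently accepting them), written out as an added example for this page. This is illustrative code written here, not OpenVPN's implementation: the struct, function names and the replayed burst are assumptions, and the log lines are copied from the commit message above.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of --connect-freq-initial (not OpenVPN's own code). */
struct initial_limiter {
    int64_t limit;        /* initial handshake packets answered per period */
    int64_t period;       /* period length in seconds */
    int64_t window_start; /* start of the current fixed window */
    int64_t seen;         /* initial packets answered in this window */
    int64_t dropped;      /* initial packets dropped in this window */
};

/* strtol-style parsing, as the v2 note motivates: "0", "abc" and "10x"
 * are rejected instead of becoming 0 as they would with atoi. */
static bool parse_positive_int64(const char *s, int64_t *out)
{
    char *end;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v <= 0) {
        return false;
    }
    *out = (int64_t)v;
    return true;
}

/* Hypothetical option handler: both arguments must be positive integers. */
static bool parse_connect_freq_initial(const char *limit_s, const char *period_s,
                                       struct initial_limiter *l, int64_t now)
{
    int64_t limit, period;
    if (!parse_positive_int64(limit_s, &limit)
        || !parse_positive_int64(period_s, &period)) {
        return false;
    }
    l->limit = limit;
    l->period = period;
    l->window_start = now;
    l->seen = 0;
    l->dropped = 0;
    return true;
}

/* Move to the window containing `now`; when a window with drops is left
 * behind, emit the summary line from the commit message. */
static void limiter_roll(struct initial_limiter *l, int64_t now)
{
    if (now - l->window_start < l->period) {
        return;
    }
    if (l->dropped > 0) {
        printf("Connection Attempt Dropped %lld initial handshake packets due to "
               "--connect-freq-initial %lld %lld\n", (long long)l->dropped,
               (long long)l->limit, (long long)l->period);
    }
    l->window_start += ((now - l->window_start) / l->period) * l->period;
    l->seen = 0;
    l->dropped = 0;
}

/* Packets of a session whose three-way handshake already completed are
 * never counted; only unauthenticated initial handshake packets are. */
static bool limiter_accept(struct initial_limiter *l, int64_t now, bool initial_handshake)
{
    limiter_roll(l, now);
    if (!initial_handshake) {
        return true;
    }
    if (l->seen < l->limit) {
        l->seen++;
        return true;
    }
    if (l->dropped == 0) {
        printf("Connection Attempt Note: --connect-freq-initial %lld %lld rate limit "
               "exceeded, dropping initial handshake packets for the next %lld seconds\n",
               (long long)l->limit, (long long)l->period, (long long)l->period);
    }
    l->dropped++;
    return false;
}

/* Replay a constructed burst at time `start`: `attempts` initial packets
 * followed by `established` packets of a completed session. Returns how
 * many initial packets were dropped. */
static int64_t replay_burst(struct initial_limiter *l, int64_t start,
                            int64_t attempts, int64_t established)
{
    int64_t dropped = 0;
    for (int64_t i = 0; i < attempts; i++) {
        if (!limiter_accept(l, start, true)) {
            dropped++;
        }
    }
    for (int64_t i = 0; i < established; i++) {
        limiter_accept(l, start, false); /* never counted, never dropped */
    }
    return dropped;
}

int main(void)
{
    struct initial_limiter l;
    if (!parse_connect_freq_initial("100", "10", &l, 0)) {
        return 1;
    }
    /* Constructed scenario: 317 attempts in one window, then a calm window. */
    printf("dropped in window 1: %lld\n", (long long)replay_burst(&l, 0, 317, 50));
    printf("dropped in window 2: %lld\n", (long long)replay_burst(&l, 10, 50, 0));
    return 0;
}
```

With the default 100/10 the constructed 317-packet burst drops 217 packets, the number used in the commit message's sample log line, and the 50 established-session packets in the same window are passed through without touching the budget.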
.github GitHub Issues: Create first issue template (Bug) 2022-11-30 15:47:11 +01:00
.travis Change travis build scripts to use https when fetching prerequisites. 2020-11-24 18:01:46 +01:00
build msvc: upgrade to Visual Studio 2022 2022-12-22 18:28:24 +01:00
contrib vcpkg-ports/pkcs11-helper: support loader flags 2022-12-15 09:26:00 +01:00
debug build: standard directory layout 2012-03-22 22:07:08 +01:00
dev-tools dco-win: introduce low-level code for handling ovpn-dco-win in Windows 2022-08-18 20:16:48 +02:00
distro Linux: Retain CAP_NET_ADMIN when dropping privileges 2022-08-11 11:59:08 +02:00
doc Add connect-freq-initial option to limit initial connection responses 2023-01-10 08:04:05 +01:00
include Implement --client-crresponse script options and plugin interface 2022-09-11 11:04:44 +02:00
m4 Remove support for non ISO C99 vararg support 2021-03-28 16:34:42 +02:00
sample documentation: avoid recommending --user nobody 2022-12-01 16:20:12 +01:00
src Add connect-freq-initial option to limit initial connection responses 2023-01-10 08:04:05 +01:00
tests Replace realloc with new gc_realloc function 2022-12-27 18:31:53 +01:00
.git-blame-ignore-revs uncrustify: add sp_after_comma=add 2022-05-22 13:10:22 +02:00
.gitattributes cleanup: add .gitattributes to control eol style explicitly 2012-04-26 20:54:26 +02:00
.gitignore vcpkg: switch to manifest 2022-05-05 15:41:23 +02:00
.mailmap Update .mailmap to unify and clean up odd names and e-mail addresses 2016-10-18 13:46:04 +02:00
.svncommitters Added mapping files from SVN commit ID to more descriptive commit IDs. 2010-10-21 11:31:26 +02:00
.travis.yml travis: don't run t_net.sh test 2020-08-10 18:34:19 +02:00
AUTHORS This is the start of the BETA21 branch. 2005-09-26 05:28:27 +00:00
ChangeLog Remove outdated information from ChangeLog, point at release branches. 2022-08-10 19:01:12 +02:00
Changes.rst Add connect-freq-initial option to limit initial connection responses 2023-01-10 08:04:05 +01:00
compat.m4 Remove checks for uint* types that are part of C99 2021-04-07 08:30:34 +02:00
config-msvc-version.h.in msvc: fix product version display 2021-10-14 16:29:35 +02:00
config-msvc.h msvc: add branch name and commit hash to version output 2022-09-26 11:21:44 +02:00
configure.ac dco-win: introduce low-level code for handling ovpn-dco-win in Windows 2022-08-18 20:16:48 +02:00
CONTRIBUTING.rst Add git pre-commit hook script to uncrustify 2022-04-22 09:25:55 +02:00
COPYING update copyright year to 2022 2022-01-26 13:38:41 +01:00
COPYRIGHT.GPL copyright: Update GPLv2 license texts 2017-06-16 10:38:03 +02:00
INSTALL GitHub Issues: add new links to INSTALL and README 2022-11-30 15:46:35 +01:00
Makefile.am Get rid of README.IPv6 and TODO.IPv6 2022-02-13 11:40:20 +01:00
NEWS This is the start of the BETA21 branch. 2005-09-26 05:28:27 +00:00
openvpn.sln msvc: add ARM64 configuration 2021-05-10 17:54:57 +02:00
PORTS Update PORTS 2022-11-28 12:39:09 +01:00
README GitHub Issues: add new links to INSTALL and README 2022-11-30 15:46:35 +01:00
README.dco.md dco-win: add documentation to README.dco.md 2022-08-25 22:17:50 +02:00
README.ec Implement tls-groups option to specify eliptic curves/groups 2020-07-21 22:33:58 +02:00
README.mbedtls Add warning about mbed TLS licensing problem 2022-02-17 16:13:53 +01:00
README.wolfssl README.wolfssl Update 2021-03-19 15:19:31 +01:00
version.m4 Change version.m4 to 2.7_git 2022-12-01 16:33:25 +01:00
version.sh.in build: windows: install version.sh to allow installer read version 2012-03-24 00:14:23 +01:00

OpenVPN -- A Secure tunneling daemon

Copyright (C) 2002-2022 OpenVPN Inc. This program is free software;
you can redistribute it and/or modify
it under the terms of the GNU General Public License version 2
as published by the Free Software Foundation.

*************************************************************************

To get the latest release of OpenVPN, go to:

	https://openvpn.net/community-downloads/

To Build and Install,

	tar -zxf openvpn-<version>.tar.gz
	cd openvpn-<version>
	./configure
	make
	make install

or see the file INSTALL for more info.

*************************************************************************

For detailed information on OpenVPN, including examples, see the man page
  http://openvpn.net/man.html

For a sample VPN configuration, see
  http://openvpn.net/howto.html

To report an issue, see
  https://github.com/OpenVPN/openvpn/issues/new
  (Note: We recently switched to GitHub for reporting new issues,
   old issues can be found at:
   https://community.openvpn.net/openvpn/report)

For a description of OpenVPN's underlying protocol,
  see the file ssl.h included in the source distribution.

*************************************************************************

Other Files & Directories:

* configure.ac -- script to rebuild our configure
  script and makefile.

* sample/sample-scripts/verify-cn

  A sample perl script which can be used with OpenVPN's
  --tls-verify option to provide a customized authentication
  test on embedded X509 certificate fields.

* sample/sample-keys/

  Sample RSA keys and certificates.  DON'T USE THESE FILES
  FOR ANYTHING OTHER THAN TESTING BECAUSE THEY ARE TOTALLY INSECURE.

* sample/sample-config-files/

  A collection of OpenVPN config files and scripts from
  the HOWTO at http://openvpn.net/howto.html

*************************************************************************

Note that easy-rsa and tap-windows are now maintained in their own subprojects.
Their source code is available here:

  https://github.com/OpenVPN/easy-rsa
  https://github.com/OpenVPN/tap-windows6

The old cross-compilation environment (domake-win) and the Python-based
buildsystem have been replaced with openvpn-build:

  https://github.com/OpenVPN/openvpn-build

See the INSTALL file for usage information.