From: stipa (C. Review) <ge...@op...> - 2025-06-26 13:00:40
Attention is currently required from: d12fk, flichtenheld, plaisthos. stipa has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1069?usp=email ) Change subject: dns: create NRPT registry key if it doesn't exist ...................................................................... Patch Set 3: Code-Review+2 (1 comment) Patchset: PS3: Tested with DnsPolicyConfig key presented and not presented, works as expected - a subkey for NRPT rule got created. -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1069?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I46132ebaf3bf3b16798b6f2416f7bf7272f5646b Gerrit-Change-Number: 1069 Gerrit-PatchSet: 3 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-Reviewer: stipa <lst...@gm...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: d12fk <he...@op...> Gerrit-Comment-Date: Thu, 26 Jun 2025 13:00:25 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
From: d12fk (C. Review) <ge...@op...> - 2025-06-26 12:29:15
Attention is currently required from: flichtenheld, plaisthos, stipa. d12fk has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1069?usp=email ) Change subject: dns: create NRPT registry key if it doesn't exist ...................................................................... Patch Set 2: (1 comment) File src/openvpnserv/interactive.c: http://gerrit.openvpn.net/c/openvpn/+/1069/comment/e370619e_43d723cb : PS2, Line 2665: err = RegCreateKeyExA(HKEY_LOCAL_MACHINE, sys_key, 0, NULL, 0, 0, NULL, &nrpt, NULL); > Doesn't work for me - the DnsPolicyConfig is created but no subkeys are present. […] MSDN being wrong again ... -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1069?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I46132ebaf3bf3b16798b6f2416f7bf7272f5646b Gerrit-Change-Number: 1069 Gerrit-PatchSet: 2 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-Reviewer: stipa <lst...@gm...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: stipa <lst...@gm...> Gerrit-Comment-Date: Thu, 26 Jun 2025 12:29:06 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: stipa <lst...@gm...> Gerrit-MessageType: comment |
From: d12fk (C. Review) <ge...@op...> - 2025-06-26 12:28:50
Attention is currently required from: d12fk, flichtenheld, plaisthos. Hello flichtenheld, plaisthos, stipa, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1069?usp=email to look at the new patch set (#3). Change subject: dns: create NRPT registry key if it doesn't exist ...................................................................... dns: create NRPT registry key if it doesn't exist Windows 2019 Server by default does not have the key where local system NRPT rules are stored. Tests have determined that NRPT is actually working when rules are created under the key. So, instead of failing if the key doesn't exist, we create it, and things will start working. Github: OpenVPN/openvpn#768 Change-Id: I46132ebaf3bf3b16798b6f2416f7bf7272f5646b Signed-off-by: Heiko Hund <he...@is...> --- M src/openvpnserv/interactive.c 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/69/1069/3 diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 3bd2722..628a96b 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c 
@@ -2662,7 +2662,7 @@ if (err == ERROR_FILE_NOT_FOUND) { *gpol = FALSE; - err = RegOpenKeyExA(HKEY_LOCAL_MACHINE, sys_key, 0, KEY_ALL_ACCESS, &nrpt); + err = RegCreateKeyExA(HKEY_LOCAL_MACHINE, sys_key, 0, NULL, 0, KEY_ALL_ACCESS, NULL, &nrpt, NULL); if (err) { nrpt = INVALID_HANDLE_VALUE; -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1069?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I46132ebaf3bf3b16798b6f2416f7bf7272f5646b Gerrit-Change-Number: 1069 Gerrit-PatchSet: 3 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-Reviewer: stipa <lst...@gm...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: d12fk <he...@op...> Gerrit-MessageType: newpatchset |
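Review bot: the final argument of the RegCreateKeyExA call in the @@ -2662 hunk is the lpdwDisposition out-parameter and is passed as NULL; supplying a DWORD and logging whether it came back as REG_CREATED_NEW_KEY or REG_OPENED_EXISTING_KEY would make the Windows Server 2019 situation described in the commit message (base key missing, created on first use) visible in the service log instead of silent. The samDesired value KEY_ALL_ACCESS matches the RegOpenKeyExA call being replaced, so the access mask on the returned handle is unchanged and the error path setting nrpt = INVALID_HANDLE_VALUE still applies when creation is refused.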
From: stipa (C. Review) <ge...@op...> - 2025-06-26 11:01:26
Attention is currently required from: d12fk, flichtenheld, plaisthos. stipa has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1069?usp=email ) Change subject: dns: create NRPT registry key if it doesn't exist ...................................................................... Patch Set 2: Code-Review-2 (1 comment) File src/openvpnserv/interactive.c: http://gerrit.openvpn.net/c/openvpn/+/1069/comment/4e9b30f4_a9c94189 : PS2, Line 2665: err = RegCreateKeyExA(HKEY_LOCAL_MACHINE, sys_key, 0, NULL, 0, 0, NULL, &nrpt, NULL); Doesn't work for me - the DnsPolicyConfig is created but no subkeys are present. Also in Event Log there is: openvpnserv error: DeleteNrptRules: could not open NRPT base key (5) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1069?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I46132ebaf3bf3b16798b6f2416f7bf7272f5646b Gerrit-Change-Number: 1069 Gerrit-PatchSet: 2 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-Reviewer: stipa <lst...@gm...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: d12fk <he...@op...> Gerrit-Comment-Date: Thu, 26 Jun 2025 11:01:11 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
From: d12fk (C. Review) <ge...@op...> - 2025-06-26 10:49:52
Attention is currently required from: flichtenheld, plaisthos. Hello flichtenheld, plaisthos, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1069?usp=email to look at the new patch set (#2). Change subject: dns: create NRPT registry key if it doesn't exist ...................................................................... dns: create NRPT registry key if it doesn't exist Windows 2019 Server by default does not have the key where local system NRPT rules are stored. Tests have determined that NRPT is actually working when rules are created under the key. So, instead of failing if the key doesn't exist, we create it, and things will start working. Github: OpenVPN/openvpn#768 Change-Id: I46132ebaf3bf3b16798b6f2416f7bf7272f5646b Signed-off-by: Heiko Hund <he...@is...> --- M src/openvpnserv/interactive.c 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/69/1069/2 diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 3bd2722..0a00a6a 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c 
@@ -2662,7 +2662,7 @@ if (err == ERROR_FILE_NOT_FOUND) { *gpol = FALSE; - err = RegOpenKeyExA(HKEY_LOCAL_MACHINE, sys_key, 0, KEY_ALL_ACCESS, &nrpt); + err = RegCreateKeyExA(HKEY_LOCAL_MACHINE, sys_key, 0, NULL, 0, 0, NULL, &nrpt, NULL); if (err) { nrpt = INVALID_HANDLE_VALUE; -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1069?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I46132ebaf3bf3b16798b6f2416f7bf7272f5646b Gerrit-Change-Number: 1069 Gerrit-PatchSet: 2 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-MessageType: newpatchset |
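Review bot: argument 6 (samDesired) of the new RegCreateKeyExA call in the @@ -2662 hunk is 0, while the removed RegOpenKeyExA line requested KEY_ALL_ACCESS; a handle opened with an empty access mask can create the base key but cannot be used to create, enumerate or delete subkeys under it, so later operations through nrpt fail with an access-denied error (5), which is the symptom reported against this patch set (DnsPolicyConfig created, no rule subkeys). Restoring KEY_ALL_ACCESS at that position is not a widening, since the call it replaces already held those rights.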
From: d12fk (C. Review) <ge...@op...> - 2025-06-26 10:37:58
Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/1069?usp=email to review the following change. Change subject: dns: create NRPT registry key if it doesn't exist ...................................................................... dns: create NRPT registry key if it doesn't exist Windows 2019 Server by default does not have the key where local system NRPT rules are stored. Tests have determined that NRPT is actually working when rules are created under the key. So, instead of failing if the key doesn't exist, we create it, and things will start working. Change-Id: I46132ebaf3bf3b16798b6f2416f7bf7272f5646b Signed-off-by: Heiko Hund <he...@is...> --- M src/openvpnserv/interactive.c 1 file changed, 1 insertion(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/69/1069/1 diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 3bd2722..0a00a6a 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -2662,7 +2662,7 @@ if (err == ERROR_FILE_NOT_FOUND) { *gpol = FALSE; - err = RegOpenKeyExA(HKEY_LOCAL_MACHINE, sys_key, 0, KEY_ALL_ACCESS, &nrpt); + err = RegCreateKeyExA(HKEY_LOCAL_MACHINE, sys_key, 0, NULL, 0, 0, NULL, &nrpt, NULL); if (err) { nrpt = INVALID_HANDLE_VALUE; -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1069?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I46132ebaf3bf3b16798b6f2416f7bf7272f5646b Gerrit-Change-Number: 1069 Gerrit-PatchSet: 1 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-MessageType: newchange |
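Review bot: in the + line of the @@ -2662 hunk the access mask has been dropped, RegCreateKeyExA(HKEY_LOCAL_MACHINE, sys_key, 0, NULL, 0, 0, NULL, &nrpt, NULL) asks for samDesired = 0 where the removed RegOpenKeyExA passed KEY_ALL_ACCESS; the call succeeds and creates the key, but the handle it returns carries no rights, so the rule subkeys written through nrpt afterwards will not appear. Pass KEY_ALL_ACCESS in position 6 so the create path yields a handle equivalent to the one the open path produced, and consider a comment on why creation is acceptable here (the ERROR_FILE_NOT_FOUND branch already established that no group-policy key exists, so *gpol = FALSE is correct).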
From: Gert D. <ge...@gr...> - 2025-06-26 09:30:22
From: Heiko Hund <he...@is...> Due to a shortcut in the `--dns-updown force' implementation, running the default dns-updown script required `--script-security 2'. This makes the forced default script run without --script-security set. Change-Id: I55940b78e35f0e3d74aa6cba14378afed97a444e Signed-off-by: Heiko Hund <he...@is...> Acked-by: Frank Lichtenheld <fr...@li...> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1065 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld <fr...@li...> diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c index 939ae09..ea3d91b 100644 --- a/src/openvpn/dns.c +++ b/src/openvpn/dns.c @@ -264,7 +264,7 @@ clone.servers = clone_dns_servers(o->servers, gc); clone.servers_prepull = clone_dns_servers(o->servers_prepull, gc); clone.updown = o->updown; - clone.user_set_updown = o->user_set_updown; + clone.updown_flags = o->updown_flags; return clone; } @@ -580,7 +580,7 @@ argv_printf(&argv, "%s", o->updown); argv_msg(M_INFO, &argv); int res; - if (o->user_set_updown) + if (dns_updown_user_set(o)) { res = openvpn_run_script(&argv, es, S_EXITCODE, "dns updown"); } @@ -692,7 +692,7 @@ run_up_down_command(bool up, struct options *o, const struct tuntap *tt, struct dns_updown_runner_info *updown_runner) { struct dns_options *dns = &o->dns_options; - if (!dns->updown || (o->up_script && !dns->user_set_updown)) + if (!dns->updown || (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns))) { return; } diff --git a/src/openvpn/dns.h b/src/openvpn/dns.h index 688daa7..d33f64e 100644 --- a/src/openvpn/dns.h +++ b/src/openvpn/dns.h 
@@ -42,13 +42,18 @@ DNS_TRANSPORT_TLS }; +enum dns_updown_flags { + DNS_UPDOWN_NO_FLAGS, + DNS_UPDOWN_USER_SET, + DNS_UPDOWN_FORCED +}; + struct dns_domain { struct dns_domain *next; const char *name; }; -struct dns_server_addr -{ +struct dns_server_addr { union { struct in_addr a4; struct in6_addr a6; @@ -103,7 +108,7 @@ struct dns_server *servers; struct gc_arena gc; const char *updown; - bool user_set_updown; + enum dns_updown_flags updown_flags; }; /** @@ -195,4 +200,26 @@ */ void show_dns_options(const struct dns_options *o); +/** + * Returns whether dns-updown is user defined + * + * @param o Pointer to the DNS options struct + */ +static inline bool +dns_updown_user_set(const struct dns_options *o) +{ + return o->updown_flags == DNS_UPDOWN_USER_SET; +} + +/** + * Returns whether dns-updown is forced to run + * + * @param o Pointer to the DNS options struct + */ +static inline bool +dns_updown_forced(const struct dns_options *o) +{ + return o->updown_flags == DNS_UPDOWN_FORCED; +} + #endif /* ifndef DNS_H */ diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 7e26069..af097f8 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3593,7 +3593,7 @@ struct gc_arena gc = gc_new(); struct dns_options *dns = &o->dns_options; - if (dns->servers || dns->user_set_updown) + if (dns->servers || dns_updown_user_set(dns) || dns_updown_forced(dns)) { /* Clean up env from --dhcp-option DNS config */ struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc); @@ -3667,7 +3667,7 @@ } } } - else if (o->up_script && !dns->user_set_updown) + else if (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns)) { /* Set foreign option env vars from --dns config */ const char *p[] = { "dhcp-option", NULL, NULL }; 
@@ -8182,15 +8182,15 @@ if (streq(p[1], "disable")) { dns->updown = NULL; - dns->user_set_updown = false; + dns->updown_flags = DNS_UPDOWN_NO_FLAGS; } else if (streq(p[1], "force")) { /* force dns-updown run, even if a --up script is defined */ - if (dns->user_set_updown == false) + if (!dns_updown_user_set(dns)) { dns->updown = DEFAULT_DNS_UPDOWN; - dns->user_set_updown = true; + dns->updown_flags = DNS_UPDOWN_FORCED; } } else @@ -8201,7 +8201,7 @@ dns->updown = NULL; } set_user_script(options, &dns->updown, p[1], p[0], false); - dns->user_set_updown = true; + dns->updown_flags = DNS_UPDOWN_USER_SET; } } else if (streq(p[0], "dns") && p[1]) |
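Review bot: enum dns_updown_flags introduced in the dns.h @@ -42 hunk holds three mutually exclusive states and every consumer (dns_updown_user_set, dns_updown_forced, the @@ -8182 assignments) compares or assigns with a single value, so the name promises a bitmask the code does not implement; naming it dns_updown_state, or adding a comment that the values are exclusive, prevents a later DNS_UPDOWN_USER_SET | DNS_UPDOWN_FORCED from compiling into a value neither inline helper recognises. The brace reformat of struct dns_server_addr in the same hunk is unrelated to the change and would be easier to bisect in its own commit.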
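Review bot: the dns.c @@ -580 hunk routes only dns_updown_user_set(o) through openvpn_run_script and therefore through the --script-security check, so the forced case now runs a script outside that policy gate; this is sound only while updown_flags == DNS_UPDOWN_FORCED implies o->updown == DEFAULT_DNS_UPDOWN, which the options.c @@ -8182 hunk guarantees today because "force" installs the default script only when no user script was set and "disable" resets the flag. An ASSERT or a one-line comment stating that invariant next to the branch would stop a future refactor from turning it into an unchecked execution of a user-supplied path. Separately, !dns_updown_user_set(dns) && !dns_updown_forced(dns) appears in dns.c @@ -692 and options.c @@ -3667, and its positive form in @@ -3593; a single helper beside the two new inline functions would keep the three call sites in sync.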
From: cron2 (C. Review) <ge...@op...> - 2025-06-26 09:26:52
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1066?usp=email ) Change subject: fix macOS dns-updown handling of parallel full redirects ...................................................................... fix macOS dns-updown handling of parallel full redirects The script didn't handle scenarios well where two or more parallel VPN connections want to replace the default DNS server. The DNS configuration has a chance to get broken by the connections going down in a different order than they came up in. Disallowing all but the first connection to modify the default DNS server will effectively prevent this issue. While it may break DNS for the latter connections, it is the best we can do without knowing specifics about the configurations. Change-Id: I7b413578a8fc0c65fca26f72b901a9f7bc34b137 Signed-off-by: Heiko Hund <he...@is...> Acked-by: Arne Schwabe <arn...@rf...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg31988.html Signed-off-by: Gert Doering <ge...@gr...> --- M distro/dns-scripts/macos-dns-updown.sh 1 file changed, 9 insertions(+), 0 deletions(-) diff --git a/distro/dns-scripts/macos-dns-updown.sh b/distro/dns-scripts/macos-dns-updown.sh index 89d6882..c15abaa 100644 --- a/distro/dns-scripts/macos-dns-updown.sh +++ b/distro/dns-scripts/macos-dns-updown.sh @@ -30,6 +30,7 @@ itf_dns_key="State:/Network/Service/openvpn-${dev}/DNS" dns_backup_key="State:/Network/Service/openvpn-${dev}/DnsBackup" +dns_backup_key_pattern="State:/Network/Service/openvpn-.*/DnsBackup" function primary_dns_key { local uuid=$(echo "show State:/Network/Global/IPv4" | /usr/sbin/scutil | grep "PrimaryService" | cut -d: -f2 | xargs) 
@@ -166,6 +167,11 @@ echo -e "${cmds}" | /usr/sbin/scutil set_search_domains "$search_domains" else + echo list ${dns_backup_key_pattern} | /usr/sbin/scutil | grep -q 'no key' || { + echo "setting DNS failed, already redirecting to another tunnel" + exit 1 + } + local cmds="" cmds+="get $(primary_dns_key)\n" cmds+="set ${dns_backup_key}\n" @@ -200,6 +206,9 @@ echo "remove ${itf_dns_key}" | /usr/sbin/scutil unset_search_domains "$search_domains" else + # Do not unset if this tunnel did not set/backup DNS before + echo list ${dns_backup_key} | /usr/sbin/scutil | grep -qv 'no key' || return + local cmds="" cmds+="get ${dns_backup_key}\n" cmds+="set $(primary_dns_key)\n" -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1066?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I7b413578a8fc0c65fca26f72b901a9f7bc34b137 Gerrit-Change-Number: 1066 Gerrit-PatchSet: 3 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: merged |
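Review bot: in the @@ -166 hunk dns_backup_key_pattern (openvpn-.*/DnsBackup) also matches this tunnel's own ${dns_backup_key}, so an up run after an unclean shutdown that left the key in the State: store, or a second up on the same dev, is refused with "already redirecting to another tunnel" although no other tunnel is involved, and that interface stays without DNS until someone removes the stale key by hand. Checking this tunnel's own key first and treating its presence as a restart (restore, then proceed), or excluding ${dev} from the pattern, would avoid that; the asymmetry between exit 1 here and the bare return in the @@ -200 hunk is deliberate per the comment there, so a matching comment on the up side would help the next reader.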
From: cron2 (C. Review) <ge...@op...> - 2025-06-26 09:26:46
cron2 has uploaded a new patch set (#3) to the change originally created by d12fk. ( http://gerrit.openvpn.net/c/openvpn/+/1066?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by plaisthos Change subject: fix macOS dns-updown handling of parallel full redirects ...................................................................... fix macOS dns-updown handling of parallel full redirects The script didn't handle scenarios well where two or more parallel VPN connections want to replace the default DNS server. The DNS configuration has a chance to get broken by the connections going down in a different order than they came up in. Disallowing all but the first connection to modify the default DNS server will effectively prevent this issue. While it may break DNS for the latter connections, it is the best we can do without knowing specifics about the configurations. Change-Id: I7b413578a8fc0c65fca26f72b901a9f7bc34b137 Signed-off-by: Heiko Hund <he...@is...> Acked-by: Arne Schwabe <arn...@rf...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg31988.html Signed-off-by: Gert Doering <ge...@gr...> --- M distro/dns-scripts/macos-dns-updown.sh 1 file changed, 9 insertions(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/66/1066/3 diff --git a/distro/dns-scripts/macos-dns-updown.sh b/distro/dns-scripts/macos-dns-updown.sh index 89d6882..c15abaa 100644 --- a/distro/dns-scripts/macos-dns-updown.sh +++ b/distro/dns-scripts/macos-dns-updown.sh @@ -30,6 +30,7 @@ itf_dns_key="State:/Network/Service/openvpn-${dev}/DNS" dns_backup_key="State:/Network/Service/openvpn-${dev}/DnsBackup" +dns_backup_key_pattern="State:/Network/Service/openvpn-.*/DnsBackup" function primary_dns_key { local uuid=$(echo "show State:/Network/Global/IPv4" | /usr/sbin/scutil | grep "PrimaryService" | cut -d: -f2 | xargs) 
@@ -166,6 +167,11 @@ echo -e "${cmds}" | /usr/sbin/scutil set_search_domains "$search_domains" else + echo list ${dns_backup_key_pattern} | /usr/sbin/scutil | grep -q 'no key' || { + echo "setting DNS failed, already redirecting to another tunnel" + exit 1 + } + local cmds="" cmds+="get $(primary_dns_key)\n" cmds+="set ${dns_backup_key}\n" @@ -200,6 +206,9 @@ echo "remove ${itf_dns_key}" | /usr/sbin/scutil unset_search_domains "$search_domains" else + # Do not unset if this tunnel did not set/backup DNS before + echo list ${dns_backup_key} | /usr/sbin/scutil | grep -qv 'no key' || return + local cmds="" cmds+="get ${dns_backup_key}\n" cmds+="set $(primary_dns_key)\n" -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1066?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I7b413578a8fc0c65fca26f72b901a9f7bc34b137 Gerrit-Change-Number: 1066 Gerrit-PatchSet: 3 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: newpatchset |
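Review bot: the guard added in the @@ -166 hunk treats any scutil output that lacks the string 'no key' as proof that another tunnel is redirecting, so if /usr/sbin/scutil fails or prints nothing the grep -q exits non-zero, the || block runs and the script reports a misleading cause before exiting 1. Checking scutil's own exit status first, or matching the positive subKey listing instead of the absence of 'no key', keeps the message accurate; the grep -qv test in the @@ -200 hunk has the same dependency, although there the failure mode (skipping the restore) is the safer direction.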
From: Gert D. <ge...@gr...> - 2025-06-26 09:26:28
I have just stared a bit at the code ("looks reasonable"), thanks to Arne for confirming that it fixes the observed problem ("two VPN connections active at the same time, both trying to redirect all DNS queries"). Basically this will do nothing but print an error for the second VPN to come up - and there is not much else we can do in this scenario. Your patch has been applied to the master branch. commit 7a2b814fee06ab1edeb5f9ad104880f0fef5b0ba Author: Heiko Hund Date: Thu Jun 26 11:19:52 2025 +0200 fix macOS dns-updown handling of parallel full redirects Signed-off-by: Heiko Hund <he...@is...> Acked-by: Arne Schwabe <arn...@rf...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg31988.html Signed-off-by: Gert Doering <ge...@gr...> -- kind regards, Gert Doering |
From: plaisthos (C. Review) <ge...@op...> - 2025-06-26 09:23:27
Attention is currently required from: d12fk, flichtenheld. plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1066?usp=email ) Change subject: fix macOS dns-updown handling of parallel full redirects ...................................................................... Patch Set 2: (1 comment) Patchset: PS2: I tested it and it worked. 2025-06-26 11:15:51 /Users/arne/oss/openvpn-git/distro/dns-scripts/macos-dns-updown.sh setting DNS failed, already redirecting to another tunnel 2025-06-26 11:15:51 dns up command exited with status 1 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1066?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I7b413578a8fc0c65fca26f72b901a9f7bc34b137 Gerrit-Change-Number: 1066 Gerrit-PatchSet: 2 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: d12fk <he...@op...> Gerrit-Comment-Date: Thu, 26 Jun 2025 09:18:07 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Gerrit-MessageType: comment |
From: flichtenheld (C. Review) <ge...@op...> - 2025-06-26 09:22:03
Attention is currently required from: d12fk, plaisthos. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1065?usp=email ) Change subject: run forced --dns-updown without --script-security ...................................................................... Patch Set 2: Code-Review+2 (1 comment) Patchset: PS2: Tested, looks good -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1065?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I55940b78e35f0e3d74aa6cba14378afed97a444e Gerrit-Change-Number: 1065 Gerrit-PatchSet: 2 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: d12fk <he...@op...> Gerrit-Comment-Date: Thu, 26 Jun 2025 09:21:48 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
From: Gert D. <ge...@gr...> - 2025-06-26 09:20:13
From: Heiko Hund <he...@is...> The script didn't handle scenarios well where two or more parallel VPN connections want to replace the default DNS server. The DNS configuration has a chance to get broken by the connections going down in a different order than they came up in. Disallowing all but the first connection to modify the default DNS server will effectively prevent this issue. While it may break DNS for the latter connections, it is the best we can do without knowing specifics about the configurations. Change-Id: I7b413578a8fc0c65fca26f72b901a9f7bc34b137 Signed-off-by: Heiko Hund <he...@is...> Acked-by: Arne Schwabe <arn...@rf...> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1066 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe <arn...@rf...> diff --git a/distro/dns-scripts/macos-dns-updown.sh b/distro/dns-scripts/macos-dns-updown.sh index 89d6882..c15abaa 100644 --- a/distro/dns-scripts/macos-dns-updown.sh +++ b/distro/dns-scripts/macos-dns-updown.sh @@ -30,6 +30,7 @@ itf_dns_key="State:/Network/Service/openvpn-${dev}/DNS" dns_backup_key="State:/Network/Service/openvpn-${dev}/DnsBackup" +dns_backup_key_pattern="State:/Network/Service/openvpn-.*/DnsBackup" function primary_dns_key { local uuid=$(echo "show State:/Network/Global/IPv4" | /usr/sbin/scutil | grep "PrimaryService" | cut -d: -f2 | xargs) @@ -166,6 +167,11 @@ echo -e "${cmds}" | /usr/sbin/scutil set_search_domains "$search_domains" else + echo list ${dns_backup_key_pattern} | /usr/sbin/scutil | grep -q 'no key' || { + echo "setting DNS failed, already redirecting to another tunnel" + exit 1 + } + local cmds="" cmds+="get $(primary_dns_key)\n" cmds+="set ${dns_backup_key}\n" 
@@ -200,6 +206,9 @@ echo "remove ${itf_dns_key}" | /usr/sbin/scutil unset_search_domains "$search_domains" else + # Do not unset if this tunnel did not set/backup DNS before + echo list ${dns_backup_key} | /usr/sbin/scutil | grep -qv 'no key' || return + local cmds="" cmds+="get ${dns_backup_key}\n" cmds+="set $(primary_dns_key)\n" |
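Review bot: both new echo list lines (@@ -166 and @@ -200) expand ${dns_backup_key_pattern} and ${dns_backup_key} unquoted, while the existing echo "remove ${itf_dns_key}" in the @@ -200 context quotes its argument; the values carry no whitespace today, but since ${dev} is interpolated into them, quoting the list command the same way costs nothing and keeps the script consistent with its surroundings.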
From: plaisthos (C. Review) <ge...@op...> - 2025-06-26 09:18:01
Attention is currently required from: d12fk, flichtenheld. plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1066?usp=email ) Change subject: fix macOS dns-updown handling of parallel full redirects ...................................................................... Patch Set 2: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1066?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I7b413578a8fc0c65fca26f72b901a9f7bc34b137 Gerrit-Change-Number: 1066 Gerrit-PatchSet: 2 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: d12fk <he...@op...> Gerrit-Comment-Date: Thu, 26 Jun 2025 09:17:52 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
From: d12fk (C. Review) <ge...@op...> - 2025-06-26 09:15:05
Attention is currently required from: flichtenheld, plaisthos. d12fk has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1065?usp=email ) Change subject: run forced --dns-updown without --script-security ...................................................................... Patch Set 2: (1 comment) File src/openvpn/dns.c: http://gerrit.openvpn.net/c/openvpn/+/1065/comment/432c3110_649da563 : PS1, Line 583: if (dns_updown_user_set(o)) > ``` […] Done -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1065?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I55940b78e35f0e3d74aa6cba14378afed97a444e Gerrit-Change-Number: 1065 Gerrit-PatchSet: 2 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Comment-Date: Thu, 26 Jun 2025 09:14:51 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: flichtenheld <fr...@li...> Gerrit-MessageType: comment |
From: d12fk (C. Review) <ge...@op...> - 2025-06-26 09:10:47
|
Attention is currently required from: d12fk, plaisthos. Hello flichtenheld, plaisthos, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1065?usp=email to look at the new patch set (#2). Change subject: run forced --dns-updown without --script-security ...................................................................... run forced --dns-updown without --script-security Due to a shortcut in the `--dns-updown force' implementation, running the default dns-updown script required `--script-security 2'. This makes the forced default script run without --script-security set. Change-Id: I55940b78e35f0e3d74aa6cba14378afed97a444e Signed-off-by: Heiko Hund <he...@is...> --- M src/openvpn/dns.c M src/openvpn/dns.h M src/openvpn/options.c 3 files changed, 39 insertions(+), 12 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/65/1065/2 diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c index 939ae09..ea3d91b 100644 --- a/src/openvpn/dns.c +++ b/src/openvpn/dns.c @@ -264,7 +264,7 @@ clone.servers = clone_dns_servers(o->servers, gc); clone.servers_prepull = clone_dns_servers(o->servers_prepull, gc); clone.updown = o->updown; - clone.user_set_updown = o->user_set_updown; + clone.updown_flags = o->updown_flags; return clone; } @@ -580,7 +580,7 @@ argv_printf(&argv, "%s", o->updown); argv_msg(M_INFO, &argv); int res; - if (o->user_set_updown) + if (dns_updown_user_set(o)) { res = openvpn_run_script(&argv, es, S_EXITCODE, "dns updown"); } @@ -692,7 +692,7 @@ run_up_down_command(bool up, struct options *o, const struct tuntap *tt, struct dns_updown_runner_info *updown_runner) { struct dns_options *dns = &o->dns_options; - if (!dns->updown || (o->up_script && !dns->user_set_updown)) + if (!dns->updown || (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns))) { return; } diff --git a/src/openvpn/dns.h b/src/openvpn/dns.h index 688daa7..d33f64e 100644 --- a/src/openvpn/dns.h +++ b/src/openvpn/dns.h 
@@ -42,13 +42,18 @@ DNS_TRANSPORT_TLS }; +enum dns_updown_flags { + DNS_UPDOWN_NO_FLAGS, + DNS_UPDOWN_USER_SET, + DNS_UPDOWN_FORCED +}; + struct dns_domain { struct dns_domain *next; const char *name; }; -struct dns_server_addr -{ +struct dns_server_addr { union { struct in_addr a4; struct in6_addr a6; @@ -103,7 +108,7 @@ struct dns_server *servers; struct gc_arena gc; const char *updown; - bool user_set_updown; + enum dns_updown_flags updown_flags; }; /** @@ -195,4 +200,26 @@ */ void show_dns_options(const struct dns_options *o); +/** + * Returns whether dns-updown is user defined + * + * @param o Pointer to the DNS options struct + */ +static inline bool +dns_updown_user_set(const struct dns_options *o) +{ + return o->updown_flags == DNS_UPDOWN_USER_SET; +} + +/** + * Returns whether dns-updown is forced to run + * + * @param o Pointer to the DNS options struct + */ +static inline bool +dns_updown_forced(const struct dns_options *o) +{ + return o->updown_flags == DNS_UPDOWN_FORCED; +} + #endif /* ifndef DNS_H */ diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 7e26069..af097f8 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3593,7 +3593,7 @@ struct gc_arena gc = gc_new(); struct dns_options *dns = &o->dns_options; - if (dns->servers || dns->user_set_updown) + if (dns->servers || dns_updown_user_set(dns) || dns_updown_forced(dns)) { /* Clean up env from --dhcp-option DNS config */ struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc); @@ -3667,7 +3667,7 @@ } } } - else if (o->up_script && !dns->user_set_updown) + else if (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns)) { /* Set foreign option env vars from --dns config */ const char *p[] = { "dhcp-option", NULL, NULL }; 
@@ -8182,15 +8182,15 @@ if (streq(p[1], "disable")) { dns->updown = NULL; - dns->user_set_updown = false; + dns->updown_flags = DNS_UPDOWN_NO_FLAGS; } else if (streq(p[1], "force")) { /* force dns-updown run, even if a --up script is defined */ - if (dns->user_set_updown == false) + if (!dns_updown_user_set(dns)) { dns->updown = DEFAULT_DNS_UPDOWN; - dns->user_set_updown = true; + dns->updown_flags = DNS_UPDOWN_FORCED; } } else @@ -8201,7 +8201,7 @@ dns->updown = NULL; } set_user_script(options, &dns->updown, p[1], p[0], false); - dns->user_set_updown = true; + dns->updown_flags = DNS_UPDOWN_USER_SET; } } else if (streq(p[0], "dns") && p[1]) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1065?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I55940b78e35f0e3d74aa6cba14378afed97a444e Gerrit-Change-Number: 1065 Gerrit-PatchSet: 2 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: d12fk <he...@op...> Gerrit-MessageType: newpatchset |
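Review bot: in the dns.c hunk at @@ -580, the branch that does not go through openvpn_run_script (and so, per the commit message, runs without any --script-security check) is now taken for both DNS_UPDOWN_NO_FLAGS and DNS_UPDOWN_FORCED, not only for the forced case; please add a comment or an assertion at that point that o->updown can only be DEFAULT_DNS_UPDOWN there, since the whole justification for skipping --script-security is that a user-supplied path always carries DNS_UPDOWN_USER_SET and keeps going through openvpn_run_script.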
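Review bot: in the dns.h hunk, `enum dns_updown_flags` and the field `updown_flags` are named like a bitmask but hold exactly one of three mutually exclusive states and are compared with `==` in dns_updown_user_set() and dns_updown_forced(); either rename them to something like `enum dns_updown_mode` / `updown_mode`, or make them real flags (`1 << 0`, `1 << 1`) and test with `&`. The re-bracing of `struct dns_server_addr` in the same hunk is unrelated whitespace churn and belongs in a separate formatting commit.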
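Review bot: the condition `dns_updown_user_set(dns) || dns_updown_forced(dns)` and its negation now appear three times (options.c @@ -3593 and @@ -3667, dns.c @@ -692); since the pair simply means `updown_flags != DNS_UPDOWN_NO_FLAGS`, one more inline helper such as dns_updown_enabled() next to the two new ones would keep the three call sites from drifting apart. In the options.c @@ -8182 hunk the precedence between repeated `--dns-updown` arguments is order dependent (`force` after a user script is ignored, a user script after `force` replaces it, `disable` resets both); that is defensible, but the man page entry should state it.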
From: flichtenheld (C. Review) <ge...@op...> - 2025-06-26 09:03:30
|
Attention is currently required from: d12fk, plaisthos. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1065?usp=email ) Change subject: run forced --dns-updown without --script-security ...................................................................... Patch Set 1: Code-Review-2 (1 comment) File src/openvpn/dns.c: http://gerrit.openvpn.net/c/openvpn/+/1065/comment/5051e657_d2d6667f : PS1, Line 583: if (dns_updown_user_set(o)) ``` dns.c: In function ‘do_run_up_down_command’: dns.c:583:29: error: passing argument 1 of ‘dns_updown_user_set’ discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers] 583 | if (dns_updown_user_set(o)) | ^ In file included from dns.c:30: dns.h:209:41: note: expected ‘struct dns_options *’ but argument is of type ‘const struct dns_options *’ 209 | dns_updown_user_set(struct dns_options *o) | ~~~~~~~~~~~~~~~~~~~~^ ``` -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1065?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I55940b78e35f0e3d74aa6cba14378afed97a444e Gerrit-Change-Number: 1065 Gerrit-PatchSet: 1 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: d12fk <he...@op...> Gerrit-Comment-Date: Thu, 26 Jun 2025 09:03:20 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
From: plaisthos (C. Review) <ge...@op...> - 2025-06-26 08:14:39
|
Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/1067?usp=email to look at the new patch set (#3). Change subject: Check message id/acked ids too when doing sessionid cookie checks ...................................................................... Check message id/acked ids too when doing sessionid cookie checks This fixes an issue where control packets from a floating client can trigger the creation of a new session in special circumstances: To trigger this circumstance a connection needs to - start on IP A - successfully float to IP B by a data packet - then have a control packet arrive from IP A before any data packet can trigger the float back to IP A and all of this needs to happen within the 60s for which the HMAC cookie is valid in the default configuration. In this scenario we would trigger a new connection as the HMAC session id would be valid. This patch also adds checking of the message-id and acked ids to discern packets from the initial three-way handshake, where these ids are 0 or 1, from any later packet. This will now trigger (at verb 4 or higher) a message like: Packet (P_ACK_V1) with invalid or missing SID instead. Reported-By: Walter Doekes <wal...@wj...> Tested-By: Walter Doekes <wal...@wj...> Change-Id: I6752dcd5aff3e5cea2b439366479e86751a1c403 Signed-off-by: Arne Schwabe <ar...@rf...> --- M src/openvpn/mudp.c M src/openvpn/ssl_pkt.c M src/openvpn/ssl_pkt.h M tests/unit_tests/openvpn/test_pkt.c 4 files changed, 112 insertions(+), 6 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/67/1067/3 diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 93e65e0..9cd667c 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -63,7 +63,6 @@ msg(D_MULTI_DEBUG, "Reset packet from client, sending HMAC based reset challenge"); } - /* Returns true if this packet should create a new session */ static bool do_pre_decrypt_check(struct multi_context *m, 
@@ -155,7 +154,8 @@ * need to contain the peer id */ struct gc_arena gc = gc_new(); - bool ret = check_session_id_hmac(state, from, hmac, handwindow); + bool pkt_is_ack = (verdict == VERDICT_VALID_ACK_V1); + bool ret = check_session_id_hmac(state, from, hmac, handwindow, pkt_is_ack); const char *peer = print_link_socket_actual(&m->top.c2.from, &gc); uint8_t pkt_firstbyte = *BPTR( &m->top.c2.buf); @@ -171,6 +171,7 @@ msg(D_MULTI_DEBUG, "Valid packet (%s) with HMAC challenge from peer (%s), " "accepting new connection.", packet_opcode_name(op), peer); } + gc_free(&gc); return ret; diff --git a/src/openvpn/ssl_pkt.c b/src/openvpn/ssl_pkt.c index bfd405f..0bbc465 100644 --- a/src/openvpn/ssl_pkt.c +++ b/src/openvpn/ssl_pkt.c @@ -293,6 +293,7 @@ } } + /* * This function is similar to tls_pre_decrypt, except it is called * when we are in server mode and receive an initial incoming @@ -530,7 +531,8 @@ check_session_id_hmac(struct tls_pre_decrypt_state *state, const struct openvpn_sockaddr *from, hmac_ctx_t *hmac, - int handwindow) + int handwindow, + bool pkt_is_ack) { if (!from) { @@ -545,6 +547,36 @@ return false; } + /* Check if the packet ID of the packet or ACKED packet is <= 1 */ + for (int i = 0; i < ack.len; i++) + { + /* This packet ACKs a packet that has a higher packet id than the + * ones expected in the three-way handshake, consider it as invalid + * for the session */ + if (ack.packet_id[i] > 1) + { + return false; + } + } + + if (!pkt_is_ack) + { + packet_id_type message_id; + /* Extract the packet ID from the packet */ + if (!reliable_ack_read_packet_id(&buf, &message_id)) + { + return false; + } + + /* similar check. Anything larger than 1 is not considered part of the + * three-way handshake */ + if (message_id > 1) + { + return false; + } + } + + /* check adjacent timestamps too */ for (int offset = -2; offset <= 1; offset++) { diff --git a/src/openvpn/ssl_pkt.h b/src/openvpn/ssl_pkt.h index 98a39d3..1b6bcc0 100644 --- a/src/openvpn/ssl_pkt.h 
+++ b/src/openvpn/ssl_pkt.h @@ -180,17 +180,24 @@ /** * Checks if a control packet has a correct HMAC server session id * + * This will also consider packets that have a packet id higher + * than 1 or ack packets higher than 1 to be invalid as they are + * not part of the initial three way handshake of OpenVPN and should + * not create a new connection. + * * @param state session information * @param from link_socket from the client * @param hmac the hmac context to use for the calculation * @param handwindow the quantisation of the current time + * @param pkt_is_ack the packet being checked is a P_ACK_V1 * @return the expected server session id */ bool check_session_id_hmac(struct tls_pre_decrypt_state *state, const struct openvpn_sockaddr *from, hmac_ctx_t *hmac, - int handwindow); + int handwindow, + bool pkt_is_ack); /* * Write a control channel authentication record. diff --git a/tests/unit_tests/openvpn/test_pkt.c b/tests/unit_tests/openvpn/test_pkt.c index ebffabe..56ed842 100644 --- a/tests/unit_tests/openvpn/test_pkt.c +++ b/tests/unit_tests/openvpn/test_pkt.c @@ -170,6 +170,27 @@ 0x85, 0xdb, 0x53, 0x56, 0x23, 0xb0, 0x2e }; +/* no tls-auth, P_ACK_V1, acks 0,1, and 2 */ +const uint8_t client_ack_123_none_random_id[] = { + 0x28, + 0xae, 0xb9, 0xaf, 0xe1, 0xf0, 0x1d, 0x79, 0xc8, + 0x03, + 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x01, + 0x00, 0x00, 0x00, 0x02, + 0xdd, 0x85, 0xdb, 0x53, 0x56, 0x23, 0xb0, 0x2e +}; + +/* no tls-auth, P_CONTROL_V1, acks 0, msg-id 2 */ +const uint8_t client_control_none_random_id[] = { + 0x20, + 0xae, 0xb9, 0xaf, 0xe1, 0xf0, 0x1d, 0x79, 0xc8, + 0x01, + 0x00, 0x00, 0x00, 0x00, + 0x02 +}; + + struct tls_auth_standalone init_tas_auth(int key_direction) { 
@@ -439,7 +460,7 @@ assert_int_equal(verdict, VERDICT_VALID_CONTROL_V1); /* This is a valid packet but containing a random id instead of an HMAC id*/ - bool valid = check_session_id_hmac(&state, &from.dest, hmac, 30); + bool valid = check_session_id_hmac(&state, &from.dest, hmac, 30, false); assert_false(valid); free_tls_pre_decrypt_state(&state); @@ -470,7 +491,7 @@ verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf); assert_int_equal(verdict, VERDICT_VALID_ACK_V1); - bool valid = check_session_id_hmac(&state, &from.dest, hmac, 30); + bool valid = check_session_id_hmac(&state, &from.dest, hmac, 30, true); assert_true(valid); free_tls_pre_decrypt_state(&state); 
@@ -479,6 +500,50 @@ hmac_ctx_free(hmac); } +static void +test_verify_hmac_none_out_of_range_ack(void **ut_state) +{ + hmac_ctx_t *hmac = session_id_hmac_init(); + + struct link_socket_actual from = { 0 }; + from.dest.addr.sa.sa_family = AF_INET; + + struct tls_auth_standalone tas = { 0 }; + struct tls_pre_decrypt_state state = { 0 }; + + struct buffer buf = alloc_buf(1024); + enum first_packet_verdict verdict; + + tas.tls_wrap.mode = TLS_WRAP_NONE; + + buf_reset_len(&buf); + buf_write(&buf, client_ack_123_none_random_id, sizeof(client_ack_123_none_random_id)); + + + verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf); + assert_int_equal(verdict, VERDICT_VALID_ACK_V1); + + /* should fail because it acks 2 */ + bool valid = check_session_id_hmac(&state, &from.dest, hmac, 30, true); + assert_false(valid); + + /* Try test with the control with a too high message id now */ + buf_reset_len(&buf); + buf_write(&buf, client_control_none_random_id, sizeof(client_control_none_random_id)); + + verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf); + assert_int_equal(verdict, VERDICT_VALID_CONTROL_V1); + + /* should fail because it has message id 2 */ + valid = check_session_id_hmac(&state, &from.dest, hmac, 30, true); + assert_false(valid); + + free_tls_pre_decrypt_state(&state); + free_buf(&buf); + hmac_ctx_cleanup(hmac); + hmac_ctx_free(hmac); +} + static hmac_ctx_t * init_static_hmac(void) { 
@@ -667,6 +732,7 @@ cmocka_unit_test(test_calc_session_id_hmac_static), cmocka_unit_test(test_verify_hmac_none), cmocka_unit_test(test_verify_hmac_tls_auth), + cmocka_unit_test(test_verify_hmac_none_out_of_range_ack), cmocka_unit_test(test_generate_reset_packet_plain), cmocka_unit_test(test_generate_reset_packet_tls_auth), cmocka_unit_test(test_extract_control_message) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1067?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I6752dcd5aff3e5cea2b439366479e86751a1c403 Gerrit-Change-Number: 1067 Gerrit-PatchSet: 3 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-MessageType: newpatchset |
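Review bot: in the ssl_pkt.c hunk at @@ -545, the new ack-id and message-id checks return false before the HMAC is verified and the caller in mudp.c only sees the bool, so a late control packet of a legitimately established session (the float case from the report) is logged with the same "Packet (P_ACK_V1) with invalid or missing SID" text as a forged or expired cookie; returning a distinct reason, or logging "not part of the handshake" at that point, would let operators tell the two apart when debugging floating clients.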
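Review bot: in the test_pkt.c hunk for test_verify_hmac_none_out_of_range_ack, the second check_session_id_hmac() call passes pkt_is_ack = true for a packet that was just asserted to be VERDICT_VALID_CONTROL_V1, so the `message_id > 1` branch the comment says it tests is skipped and the assert_false() is satisfied only because the random session id fails the HMAC; it should pass false. In addition, `client_control_none_random_id` ends in a single byte `0x02` and, unlike `client_ack_123_none_random_id`, carries no 8-byte remote session id after its one-entry ack list, so reliable_ack_read_packet_id() will most likely fail on a short buffer rather than read message id 2; encode it as `0x01, 0x00, 0x00, 0x00, 0x00, <8-byte remote session id>, 0x00, 0x00, 0x00, 0x02` so the test exercises the check it names.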
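Review bot: the ssl_pkt.h hunk extends the doc block of check_session_id_hmac() but leaves `@return the expected server session id`, which does not describe a bool; while the comment is being touched for pkt_is_ack, change it to something like `@return true if the session id matches the HMAC cookie and all packet ids belong to the handshake`.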
From: plaisthos (C. Review) <ge...@op...> - 2025-06-26 08:11:49
|
Attention is currently required from: flichtenheld. plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1067?usp=email ) Change subject: Check message id/acked ids too when doing sessionid cookie checks ...................................................................... Set Ready For Review -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1067?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I6752dcd5aff3e5cea2b439366479e86751a1c403 Gerrit-Change-Number: 1067 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Comment-Date: Thu, 26 Jun 2025 08:11:35 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: No Gerrit-MessageType: comment |
From: Arne S. <ar...@rf...> - 2025-06-25 22:43:49
|
On 25.06.25 at 15:30, Walter Doekes wrote: > Good. I backported the patch so it ran against the culprit version > (b3647114). > > I got these messages: > > > SENT CONTROL [mycommonname]: 'PUSH_REPLY,route ... 255.255.255.255 > net_gateway,route-gateway 10.x.x.1,topology subnet,ping 15,ping-restart > 55,route 10.x.x.0 255.255.0.0 vpn_gateway,ifconfig 10.x.x.3 > 255.255.255.0,peer-id 4,cipher AES-256-GCM' (status=1) > > Packet with invalid or missing SID from [AF_INET]HOME_IP:33567 > > Float requested for peer 4 to HOME_IP:33567 > > peer 4 (mycommonname) floated from VPN_IP:33567 to [AF_INET]HOME_IP:33567 > > > > The "Packet with invalid or missing SID" is new to me. But other than > that, it works. Thanks for testing and confirming that it works. > I also tried it against 2.6-latest (0169b4ad). Also works. There the > message is: > > Packet (P_ACK_V1) with invalid or missing SID from [AF_INET]HOME_IP:46088 > > I can't tell if this new message is problematic or not. It doesn't > negatively impact my connection setup. And I (now) know when to expect it. > > > > As for your patch: there's a minor typo in your patch at ssl_pkt.h in the > signature: > > "bool check_session_id_hmac" should be "bool pkt_is_ack" Thanks, will fix in the next revision. > Further, I would prefer if the commit message itself mentioned something > about "floating IPs and 60 second timeout after connect" instead of "rare > circumstances" which are not rare in 100% of my use cases. That might be > beneficial to the next person who runs into this. You need a connection that - starts on IP A - successfully floats to IP B by a data packet - then has a control packet from IP A before any data packet can trigger the float back to IP A. In this scenario we would previously trigger a new connection, while now we detect that this should not trigger a new connection as it is not a new connection attempt. 
So instead of creating a new connection, you see (at verb 4 or higher) the message Packet (P_ACK_V1) with invalid or missing SID instead with the patch. I will update the commit message when the patch is no longer in draft mode. I wanted to confirm that this is actually the problem/scenario we are fixing before finishing the patch. Arne |
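The scenario Arne describes above, worked through as an added example. This is not OpenVPN project code: it parses the plaintext header of a control-channel packet and applies the same "ids 0 or 1 only" filter that the patch puts in front of the HMAC cookie check, plus a malformed-packet case the patch does not show. The framing it assumes (opcode|key_id, session id, ack count, acked ids, remote session id only when acks are present, message packet id absent for P_ACK_V1) is my reading of the protocol and of the test vectors in the patch; the opcode values 4, 5 and 7 for P_CONTROL_V1, P_ACK_V1 and P_CONTROL_HARD_RESET_CLIENT_V2 are likewise assumptions, the HMAC cookie computation itself is not reproduced, and the sample packets are constructed with arbitrary session ids.

```c
/* Added example, not OpenVPN project code. Assumed plaintext control-channel
 * framing (no --tls-auth/--tls-crypt wrapper), matching the test vectors in
 * the patch: opcode|key_id (1), session id (8), ack count N (1), N acked ids
 * (4 each, big endian), remote session id (8, only if N > 0), message packet
 * id (4, absent for P_ACK_V1). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define P_CONTROL_V1 4
#define P_ACK_V1     5

struct ctrl_hdr {
    uint8_t  opcode;
    uint8_t  key_id;
    uint8_t  session_id[8];
    uint8_t  ack_len;
    uint32_t ack_ids[255];
    bool     has_message_id;
    uint32_t message_id;
};

static uint32_t rd32be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* 0 on success, -1 if the buffer is shorter than the fields it claims. */
int parse_ctrl_hdr(const uint8_t *buf, size_t len, struct ctrl_hdr *h)
{
    memset(h, 0, sizeof(*h));
    if (len < 10) return -1;
    h->opcode = buf[0] >> 3;
    h->key_id = buf[0] & 0x07;
    memcpy(h->session_id, buf + 1, 8);
    h->ack_len = buf[9];
    size_t off = 10;

    if (len - off < (size_t)h->ack_len * 4) return -1;
    for (unsigned i = 0; i < h->ack_len; i++)
        h->ack_ids[i] = rd32be(buf + off + 4 * i);
    off += 4 * h->ack_len;

    if (h->ack_len > 0) {           /* remote session id follows the ack list */
        if (len - off < 8) return -1;
        off += 8;
    }
    h->has_message_id = (h->opcode != P_ACK_V1);
    if (h->has_message_id) {
        if (len - off < 4) return -1;
        h->message_id = rd32be(buf + off);
    }
    return 0;
}

/* The filter the patch adds in front of the HMAC cookie check: only a packet
 * whose ids all belong to the three-way handshake (0 or 1) may create a new
 * session. A higher id is a later packet of an existing session, e.g. one
 * arriving from the old address after a float, and is rejected even though
 * its HMAC session id would still verify inside the cookie window. */
bool handshake_ids_only(const struct ctrl_hdr *h)
{
    for (unsigned i = 0; i < h->ack_len; i++)
        if (h->ack_ids[i] > 1) return false;
    return !(h->has_message_id && h->message_id > 1);
}

/* 1: may go on to the HMAC cookie check, 0: reject, -1: malformed */
int may_create_session(const uint8_t *buf, size_t len)
{
    struct ctrl_hdr h;
    if (parse_ctrl_hdr(buf, len, &h) != 0) return -1;
    return handshake_ids_only(&h) ? 1 : 0;
}

/* Constructed sample packets; the session ids are arbitrary, not captures. */
#define SID  0xae, 0xb9, 0xaf, 0xe1, 0xf0, 0x1d, 0x79, 0xc8
#define RSID 0xdd, 0x85, 0xdb, 0x53, 0x56, 0x23, 0xb0, 0x2e
/* P_CONTROL_HARD_RESET_CLIENT_V2 (opcode 7), no acks, message id 0 */
const uint8_t pkt_hard_reset[] = { 0x38, SID, 0x00, 0x00, 0x00, 0x00, 0x00 };
/* P_ACK_V1 acking 0 and 1: still the handshake */
const uint8_t pkt_ack_01[] = { 0x28, SID, 0x02, 0, 0, 0, 0, 0, 0, 0, 1, RSID };
/* P_ACK_V1 acking 0, 1 and 2: acks a post-handshake id */
const uint8_t pkt_ack_012[] = { 0x28, SID, 0x03, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 2, RSID };
/* P_CONTROL_V1 acking 0 with message id 2: a later control packet */
const uint8_t pkt_ctrl_msg2[] = { 0x20, SID, 0x01, 0, 0, 0, 0, RSID, 0, 0, 0, 2 };
/* P_CONTROL_V1 claiming one ack but cut short */
const uint8_t pkt_truncated[] = { 0x20, SID, 0x01, 0x00, 0x00 };

int main(void)
{
    printf("hard reset %d, ack 0/1 %d, ack 0/1/2 %d, ctrl msg-id 2 %d, truncated %d\n",
           may_create_session(pkt_hard_reset, sizeof pkt_hard_reset),
           may_create_session(pkt_ack_01, sizeof pkt_ack_01),
           may_create_session(pkt_ack_012, sizeof pkt_ack_012),
           may_create_session(pkt_ctrl_msg2, sizeof pkt_ctrl_msg2),
           may_create_session(pkt_truncated, sizeof pkt_truncated));
    return 0;
}
```

The point of the filter is visible in the last two constructed packets: both would pass a cookie check that only looks at the HMAC session id, but neither can be part of a fresh three-way handshake, so neither should be allowed to start a new session. The truncated case is there because the length checks are what keep the id filter from reading past the buffer when a client sends a short packet.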
From: plaisthos (C. Review) <ge...@op...> - 2025-06-25 22:23:41
|
Attention is currently required from: comododragon, flichtenheld. plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email ) Change subject: Added PQE to WolfSSL ...................................................................... Patch Set 5: Code-Review+1 (3 comments) Patchset: PS5: I tested the patch and it works and is also a lot cleaner than the first version. There are some documentation updates I would like to see (see the other comments) to ensure users don't get lost with the difference in OpenSSL vs wolfSSL names and defaults. Also wolfSSL's ML-DSA-87 seems to be a bit wacky for now. It cannot read the private key generated by OpenSSL and when connecting to a server with ml-kem and fingerprints it seems not to be able to read some of the fields with the current APIs that we use: [wolfSSL] Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: , signature: ML-DSA 87, peer signing digest/type: SHA512 ML-DSA 87 vs [OpenSSL] Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 20736 bits ML-DSA-87, signature: id-ml-dsa-87, peer signing digest/type: mldsa87 id-ml-dsa-87, key agreement: X25519MLKEM768 but that should probably be addressed in a different patch. File README.wolfssl: http://gerrit.openvpn.net/c/openvpn/+/1046/comment/19a0ea53_119798bd : PS3, Line 39: WolfSSL supports the following Quantum Safe algorithms by specifying them using the `tls-groups` > What do you mean? WolfSSL allows the definition of secp384r1 and P-384 respectively interchangeably. Okay, you are right for the *plain* P384 curve but not for the hybrid ones (see below). But what we NEED to mention is that the names of the new key agreements are different. If you try to use the names that work with OpenSSL (https://community.openvpn.net/PQCryptoOpenVPN) you only get an error Failed to set allowed TLS group list: secp384r1:X25519MLKEM768 while OpenSSL also does not like the wolfSSL names. 
It is probably good to at least mention the difference in the naming, e.g. by adding the OpenSSL (our TLS library) names in brackets in the readme. Also OpenSSL *only* accepts secp384r1MLKEM1024 and not P384MLKEM1024. So it is something more than just removing the _ from the names. So I still think it would be good to document this fact at least in the man page for tls-groups by adding a paragraph like: Please note that when OpenVPN is compiled with wolfSSL, the names of the groups might be called differently, especially the PQ groups (e.g. X25519_ML_KEM_512 instead of X25519MLKEM768 or P384_MLKEM_1024 instead of secp384r1MLKEM1024) File README.wolfssl: http://gerrit.openvpn.net/c/openvpn/+/1046/comment/41367317_be158cd2 : PS5, Line 38: option in an OpenVPN config. Add a paragraph here like: In contrast to OpenSSL, which includes X25519MLKEM768 in the default configuration, wolfSSL needs tls-groups configured explicitly to include (at least one) PQ KEM. -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1046?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ie0529c2074964b3be034f01e0ef53090a6edbd35 Gerrit-Change-Number: 1046 Gerrit-PatchSet: 5 Gerrit-Owner: comododragon <rei...@fo...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Attention: comododragon <rei...@fo...> Gerrit-Comment-Date: Wed, 25 Jun 2025 22:23:31 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Comment-In-Reply-To: plaisthos <arn...@rf...> Comment-In-Reply-To: comododragon <rei...@fo...> Gerrit-MessageType: comment |
From: cron2 (C. Review) <ge...@op...> - 2025-06-25 16:50:02
|
cron2 has uploaded a new patch set (#2) to the change originally created by ralf_lici. ( http://gerrit.openvpn.net/c/openvpn/+/1068?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by ordex Change subject: dco linux: avoid sending local port to ovpn ...................................................................... dco linux: avoid sending local port to ovpn When sending an OVPN_CMD_NEW_PEER netlink message to ovpn, we currently attempt to include the local port along with the local address. However, `dco_multi_get_localaddr()` does not record the port, so we end up sending a zero value. This zero is rejected by ovpn's netlink policy, leading to an error and aborted connection. Since openvpn does not actually need to send the local port because the module retrieves it directly from the socket, this commit ensures that only the local address is sent. Change-Id: I5d9535d46e5a5488f4a2b637a6fcb99aad668fee Signed-off-by: Ralf Lici <ra...@ma...> Acked-by: Antonio Quartulli <an...@ma...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg31971.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/dco_linux.c 1 file changed, 0 insertions(+), 2 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/68/1068/2 diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index 0345413..22a445a 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c 
@@ -265,13 +265,11 @@ { NLA_PUT(nl_msg, OVPN_A_PEER_LOCAL_IPV4, sizeof(struct in_addr), &((struct sockaddr_in *)localaddr)->sin_addr); - NLA_PUT_U16(nl_msg, OVPN_A_PEER_LOCAL_PORT, ((struct sockaddr_in *)localaddr)->sin_port); } else if (localaddr->sa_family == AF_INET6) { NLA_PUT(nl_msg, OVPN_A_PEER_LOCAL_IPV6, sizeof(struct in6_addr), &((struct sockaddr_in6 *)localaddr)->sin6_addr); - NLA_PUT_U16(nl_msg, OVPN_A_PEER_LOCAL_PORT, ((struct sockaddr_in6 *)localaddr)->sin6_port); } } -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1068?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I5d9535d46e5a5488f4a2b637a6fcb99aad668fee Gerrit-Change-Number: 1068 Gerrit-PatchSet: 2 Gerrit-Owner: ralf_lici <ra...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: newpatchset |
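Review bot: with the two NLA_PUT_U16(nl_msg, OVPN_A_PEER_LOCAL_PORT, ...) lines removed, nothing in dco_linux.c records why the local port is left out of the OVPN_CMD_NEW_PEER message; a one-line comment at the localaddr block ("port intentionally omitted: dco_multi_get_localaddr() does not fill it in and ovpn takes it from the socket") would keep the next reader from re-adding it and hitting the same netlink policy rejection the commit message describes.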
From: cron2 (C. Review) <ge...@op...> - 2025-06-25 16:50:00
|
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1068?usp=email ) Change subject: dco linux: avoid sending local port to ovpn ...................................................................... dco linux: avoid sending local port to ovpn When sending an OVPN_CMD_NEW_PEER netlink message to ovpn, we currently attempt to include the local port along with the local address. However, `dco_multi_get_localaddr()` does not record the port, so we end up sending a zero value. This zero is rejected by ovpn's netlink policy, leading to an error and aborted connection. Since openvpn does not actually need to send the local port because the module retrieves it directly from the socket, this commit ensures that only the local address is sent. Change-Id: I5d9535d46e5a5488f4a2b637a6fcb99aad668fee Signed-off-by: Ralf Lici <ra...@ma...> Acked-by: Antonio Quartulli <an...@ma...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg31971.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/dco_linux.c 1 file changed, 0 insertions(+), 2 deletions(-) diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index 0345413..22a445a 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c 
@@ -265,13 +265,11 @@ { NLA_PUT(nl_msg, OVPN_A_PEER_LOCAL_IPV4, sizeof(struct in_addr), &((struct sockaddr_in *)localaddr)->sin_addr); - NLA_PUT_U16(nl_msg, OVPN_A_PEER_LOCAL_PORT, ((struct sockaddr_in *)localaddr)->sin_port); } else if (localaddr->sa_family == AF_INET6) { NLA_PUT(nl_msg, OVPN_A_PEER_LOCAL_IPV6, sizeof(struct in6_addr), &((struct sockaddr_in6 *)localaddr)->sin6_addr); - NLA_PUT_U16(nl_msg, OVPN_A_PEER_LOCAL_PORT, ((struct sockaddr_in6 *)localaddr)->sin6_port); } } -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1068?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I5d9535d46e5a5488f4a2b637a6fcb99aad668fee Gerrit-Change-Number: 1068 Gerrit-PatchSet: 2 Gerrit-Owner: ralf_lici <ra...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: merged |
From: Gert D. <ge...@gr...> - 2025-06-25 16:49:36
|
I have tested this on Linux + DCO "client side" (which should not exercise this code path at all, so "no change") and have set up a server instance that has "--multihome" in the config - and as expected, the current code fails 2025-06-25 18:37:44 us=736543 freebsd-74-amd64/udp6:194.97.140.3:51620 peer-id=0 Cannot add peer to DCO for freebsd-74-amd64/udp6:194.97.140.3:51620 peer-id=0: Numerical result out of range (-34) .. and the fixed code succeeds. Well spotted... (I do have a --multihome server instance somewhere, but not "with DCO", meh - now I have one). Your patch has been applied to the master branch. commit 6c2bd6be4f8ac4f0b25aa05e2d5eb9bf6b736cd1 Author: Ralf Lici Date: Wed Jun 25 18:26:31 2025 +0200 dco linux: avoid sending local port to ovpn Signed-off-by: Ralf Lici <ra...@ma...> Acked-by: Antonio Quartulli <an...@ma...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg31971.html Signed-off-by: Gert Doering <ge...@gr...> -- kind regards, Gert Doering |
From: Gert D. <ge...@gr...> - 2025-06-25 16:26:47
|
From: Ralf Lici <ra...@ma...> When sending an OVPN_CMD_NEW_PEER netlink message to ovpn, we currently attempt to include the local port along with the local address. However, `dco_multi_get_localaddr()` does not record the port, so we end up sending a zero value. This zero is rejected by ovpn's netlink policy, leading to an error and aborted connection. Since openvpn does not actually need to send the local port because the module retrieves it directly from the socket, this commit ensures that only the local address is sent. Change-Id: I5d9535d46e5a5488f4a2b637a6fcb99aad668fee Signed-off-by: Ralf Lici <ra...@ma...> Acked-by: Antonio Quartulli <an...@ma...> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1068 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Antonio Quartulli <an...@ma...> diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index 0345413..22a445a 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c @@ -265,13 +265,11 @@ { NLA_PUT(nl_msg, OVPN_A_PEER_LOCAL_IPV4, sizeof(struct in_addr), &((struct sockaddr_in *)localaddr)->sin_addr); - NLA_PUT_U16(nl_msg, OVPN_A_PEER_LOCAL_PORT, ((struct sockaddr_in *)localaddr)->sin_port); } else if (localaddr->sa_family == AF_INET6) { NLA_PUT(nl_msg, OVPN_A_PEER_LOCAL_IPV6, sizeof(struct in6_addr), &((struct sockaddr_in6 *)localaddr)->sin6_addr); - NLA_PUT_U16(nl_msg, OVPN_A_PEER_LOCAL_PORT, ((struct sockaddr_in6 *)localaddr)->sin6_port); } } |