├── .git-blame-ignore-revs ├── .gitattributes ├── .github ├── ISSUE_TEMPLATE │ └── bug_report.md ├── PULL_REQUEST_TEMPLATE.md └── workflows │ ├── build.yaml │ ├── coverity-scan.yml │ └── doxygen.yml ├── .gitignore ├── .mailmap ├── .svncommitters ├── AUTHORS ├── CMakeLists.txt ├── CMakePresets.json ├── CONTRIBUTING.rst ├── COPYING ├── COPYRIGHT.GPL ├── ChangeLog ├── Changes.rst ├── INSTALL ├── Makefile.am ├── NEWS ├── PORTS ├── README ├── README.awslc ├── README.cmake.md ├── README.dco.md ├── README.ec ├── README.mbedtls ├── README.wolfssl ├── compat.m4 ├── config.h.cmake.in ├── configure.ac ├── contrib ├── OCSP_check │ └── OCSP_check.sh ├── README ├── cmake │ ├── git-version.py │ └── parse-version.m4.py ├── extract-crl │ └── extractcrl.py ├── multilevel-init.patch ├── openvpn-fwmarkroute-1.00 │ ├── README │ ├── fwmarkroute.down │ └── fwmarkroute.up ├── vcpkg-manifests │ ├── mingw │ │ └── vcpkg.json │ └── windows │ │ └── vcpkg.json ├── vcpkg-ports │ └── pkcs11-helper │ │ ├── config-w32-vc.h.in-indicate-OpenSSL.patch │ │ ├── nmake-compatibility-with-vcpkg-nmake.patch │ │ ├── pkcs11-helper-001-RFC7512.patch │ │ ├── portfile.cmake │ │ └── vcpkg.json └── vcpkg-triplets │ ├── arm64-windows-ovpn.cmake │ ├── x64-mingw-ovpn.cmake │ ├── x64-windows-ovpn.cmake │ ├── x86-mingw-ovpn.cmake │ └── x86-windows-ovpn.cmake ├── debug ├── doval ├── dovalns └── valgrind-suppress ├── dev-tools ├── gen-release-tarballs.sh ├── gerrit-send-mail.py ├── git-pre-commit-uncrustify.sh ├── reformat-all.sh ├── special-files.lst ├── uncrustify.conf └── update-copyright.sh ├── distro ├── Makefile.am ├── dns-scripts │ ├── Makefile.am │ ├── haikuos_file-dns-updown.sh │ ├── openresolv-dns-updown.sh │ ├── resolvconf_file-dns-updown.sh │ └── systemd-dns-updown.sh └── systemd │ ├── Makefile.am │ ├── README.systemd │ ├── openvpn-client@.service.in │ ├── openvpn-server@.service.in │ └── tmpfiles-openvpn.conf ├── doc ├── CMakeLists.txt ├── Makefile.am ├── README.man ├── README.plugins ├── android.txt ├── 
doxygen │ ├── Makefile.am │ ├── doc_compression.h │ ├── doc_control_processor.h │ ├── doc_control_tls.h │ ├── doc_data_control.h │ ├── doc_data_crypto.h │ ├── doc_eventloop.h │ ├── doc_external_multiplexer.h │ ├── doc_fragmentation.h │ ├── doc_internal_multiplexer.h │ ├── doc_key_generation.h │ ├── doc_mainpage.h │ ├── doc_memory_management.h │ ├── doc_protocol_overview.h │ ├── doc_reliable.h │ ├── doc_tunnel_state.h │ └── openvpn.doxyfile.in ├── gui-notes.txt ├── interactive-service-notes.rst ├── keying-material-exporter.txt ├── man-sections │ ├── advanced-options.rst │ ├── cipher-negotiation.rst │ ├── client-options.rst │ ├── connection-profiles.rst │ ├── encryption-options.rst │ ├── example-fingerprint.rst │ ├── examples.rst │ ├── generic-options.rst │ ├── inline-files.rst │ ├── link-options.rst │ ├── log-options.rst │ ├── management-options.rst │ ├── network-config.rst │ ├── pkcs11-options.rst │ ├── plugin-options.rst │ ├── protocol-options.rst │ ├── proxy-options.rst │ ├── renegotiation.rst │ ├── script-options.rst │ ├── server-options.rst │ ├── signals.rst │ ├── tls-options.rst │ ├── unsupported-options.rst │ ├── virtual-routing-and-forwarding.rst │ ├── vpn-network-options.rst │ └── windows-options.rst ├── management-notes.txt ├── openvpn-examples.5.rst ├── openvpn.8.rst ├── t_server_null.rst ├── tests │ └── authentication-plugins.md └── tls-crypt-v2.txt ├── forked-test-driver ├── include ├── Makefile.am ├── openvpn-msg.h └── openvpn-plugin.h.in ├── ltrc.inc ├── m4 ├── .keep ├── ax_socklen_t.m4 └── pkg.m4 ├── renovate.json ├── sample ├── Makefile.am ├── sample-config-files │ ├── README │ ├── client.conf │ ├── firewall.sh │ ├── loopback-client │ ├── loopback-server │ ├── openvpn-shutdown.sh │ ├── openvpn-startup.sh │ └── server.conf ├── sample-keys │ ├── README │ ├── ca.crt │ ├── ca.key │ ├── client-ec.crt │ ├── client-ec.key │ ├── client-pass.key │ ├── client.crt │ ├── client.key │ ├── client.p12 │ ├── dh2048.pem │ ├── gen-sample-keys.sh │ ├── openssl.cnf │ 
├── server-ec.crt │ ├── server-ec.key │ ├── server.crt │ ├── server.key │ └── ta.key ├── sample-plugins │ ├── Makefile.am │ ├── Makefile.plugins │ ├── README │ ├── client-connect │ │ ├── README │ │ └── sample-client-connect.c │ ├── defer │ │ ├── multi-auth.c │ │ └── winbuild │ ├── keying-material-exporter-demo │ │ ├── README │ │ ├── client.ovpn │ │ ├── http-client.py │ │ ├── http-server.py │ │ ├── keyingmaterialexporter.c │ │ └── server.ovpn │ ├── log │ │ ├── log.c │ │ ├── log_v3.c │ │ └── winbuild │ └── simple │ │ ├── base64.c │ │ ├── simple.c │ │ ├── simple.def │ │ └── winbuild └── sample-scripts │ ├── auth-pam.pl │ ├── bridge-start │ ├── bridge-stop │ ├── totpauth.py │ ├── ucn.pl │ └── verify-cn ├── src ├── Makefile.am ├── compat │ ├── Makefile.am │ ├── compat-basename.c │ ├── compat-daemon.c │ ├── compat-dirname.c │ ├── compat-gettimeofday.c │ ├── compat-strsep.c │ └── compat.h ├── openvpn │ ├── Makefile.am │ ├── argv.c │ ├── argv.h │ ├── auth_token.c │ ├── auth_token.h │ ├── base64.c │ ├── base64.h │ ├── basic.h │ ├── buffer.c │ ├── buffer.h │ ├── circ_list.h │ ├── clinat.c │ ├── clinat.h │ ├── common.h │ ├── comp-lz4.c │ ├── comp-lz4.h │ ├── comp.c │ ├── comp.h │ ├── compstub.c │ ├── console.c │ ├── console.h │ ├── console_builtin.c │ ├── console_systemd.c │ ├── crypto.c │ ├── crypto.h │ ├── crypto_backend.h │ ├── crypto_epoch.c │ ├── crypto_epoch.h │ ├── crypto_mbedtls.c │ ├── crypto_mbedtls.h │ ├── crypto_openssl.c │ ├── crypto_openssl.h │ ├── cryptoapi.c │ ├── cryptoapi.h │ ├── dco.c │ ├── dco.h │ ├── dco_freebsd.c │ ├── dco_freebsd.h │ ├── dco_internal.h │ ├── dco_linux.c │ ├── dco_linux.h │ ├── dco_win.c │ ├── dco_win.h │ ├── dhcp.c │ ├── dhcp.h │ ├── dns.c │ ├── dns.h │ ├── env_set.c │ ├── env_set.h │ ├── errlevel.h │ ├── error.c │ ├── error.h │ ├── event.c │ ├── event.h │ ├── fdmisc.c │ ├── fdmisc.h │ ├── forward.c │ ├── forward.h │ ├── fragment.c │ ├── fragment.h │ ├── gremlin.c │ ├── gremlin.h │ ├── helper.c │ ├── helper.h │ ├── httpdigest.c │ ├── 
httpdigest.h │ ├── init.c │ ├── init.h │ ├── integer.h │ ├── interval.c │ ├── interval.h │ ├── list.c │ ├── list.h │ ├── lladdr.c │ ├── lladdr.h │ ├── lzo.c │ ├── lzo.h │ ├── manage.c │ ├── manage.h │ ├── mbedtls_compat.h │ ├── mbuf.c │ ├── mbuf.h │ ├── memdbg.h │ ├── misc.c │ ├── misc.h │ ├── mroute.c │ ├── mroute.h │ ├── mss.c │ ├── mss.h │ ├── mstats.c │ ├── mstats.h │ ├── mtcp.c │ ├── mtcp.h │ ├── mtu.c │ ├── mtu.h │ ├── mudp.c │ ├── mudp.h │ ├── multi.c │ ├── multi.h │ ├── multi_io.c │ ├── multi_io.h │ ├── networking.h │ ├── networking_freebsd.c │ ├── networking_iproute2.c │ ├── networking_iproute2.h │ ├── networking_sitnl.c │ ├── networking_sitnl.h │ ├── ntlm.c │ ├── ntlm.h │ ├── occ.c │ ├── occ.h │ ├── openssl_compat.h │ ├── openvpn.c │ ├── openvpn.h │ ├── openvpn.manifest │ ├── openvpn_win32_resources.rc │ ├── options.c │ ├── options.h │ ├── options_util.c │ ├── options_util.h │ ├── otime.c │ ├── otime.h │ ├── ovpn_dco_freebsd.h │ ├── ovpn_dco_linux.h │ ├── ovpn_dco_win.h │ ├── packet_id.c │ ├── packet_id.h │ ├── perf.c │ ├── perf.h │ ├── ping.c │ ├── ping.h │ ├── pkcs11.c │ ├── pkcs11.h │ ├── pkcs11_backend.h │ ├── pkcs11_mbedtls.c │ ├── pkcs11_openssl.c │ ├── platform.c │ ├── platform.h │ ├── plugin.c │ ├── plugin.h │ ├── pool.c │ ├── pool.h │ ├── proto.c │ ├── proto.h │ ├── proxy.c │ ├── proxy.h │ ├── ps.c │ ├── ps.h │ ├── push.c │ ├── push.h │ ├── pushlist.h │ ├── reflect_filter.c │ ├── reflect_filter.h │ ├── reliable.c │ ├── reliable.h │ ├── route.c │ ├── route.h │ ├── run_command.c │ ├── run_command.h │ ├── schedule.c │ ├── schedule.h │ ├── session_id.c │ ├── session_id.h │ ├── shaper.c │ ├── shaper.h │ ├── sig.c │ ├── sig.h │ ├── socket.c │ ├── socket.h │ ├── socks.c │ ├── socks.h │ ├── ssl.c │ ├── ssl.h │ ├── ssl_backend.h │ ├── ssl_common.h │ ├── ssl_mbedtls.c │ ├── ssl_mbedtls.h │ ├── ssl_ncp.c │ ├── ssl_ncp.h │ ├── ssl_openssl.c │ ├── ssl_openssl.h │ ├── ssl_pkt.c │ ├── ssl_pkt.h │ ├── ssl_util.c │ ├── ssl_util.h │ ├── ssl_verify.c │ ├── 
ssl_verify.h │ ├── ssl_verify_backend.h │ ├── ssl_verify_mbedtls.c │ ├── ssl_verify_mbedtls.h │ ├── ssl_verify_openssl.c │ ├── ssl_verify_openssl.h │ ├── status.c │ ├── status.h │ ├── syshead.h │ ├── tls_crypt.c │ ├── tls_crypt.h │ ├── tun.c │ ├── tun.h │ ├── tun_afunix.c │ ├── tun_afunix.h │ ├── vlan.c │ ├── vlan.h │ ├── wfp_block.c │ ├── wfp_block.h │ ├── win32-util.c │ ├── win32-util.h │ ├── win32.c │ ├── win32.h │ ├── xkey_common.h │ ├── xkey_helper.c │ └── xkey_provider.c ├── openvpnmsica │ ├── CMakeLists.txt │ ├── Makefile.am │ ├── dllmain.c │ ├── msica_arg.c │ ├── msica_arg.h │ ├── msiex.c │ ├── msiex.h │ ├── openvpnmsica.c │ ├── openvpnmsica.h │ └── openvpnmsica_resources.rc ├── openvpnserv │ ├── CMakeLists.txt │ ├── Makefile.am │ ├── common.c │ ├── interactive.c │ ├── openvpnserv_resources.rc │ ├── service.c │ ├── service.h │ ├── validate.c │ └── validate.h ├── plugins │ ├── Makefile.am │ ├── auth-pam │ │ ├── Makefile.am │ │ ├── README.auth-pam │ │ ├── auth-pam.c │ │ ├── auth-pam.exports │ │ ├── pamdl.c │ │ ├── pamdl.h │ │ ├── utils.c │ │ └── utils.h │ └── down-root │ │ ├── Makefile.am │ │ ├── README.down-root │ │ ├── down-root.c │ │ └── down-root.exports └── tapctl │ ├── CMakeLists.txt │ ├── Makefile.am │ ├── basic.h │ ├── error.c │ ├── error.h │ ├── main.c │ ├── tap.c │ ├── tap.h │ ├── tapctl.exe.manifest │ └── tapctl_resources.rc ├── tests ├── Makefile.am ├── lwip_client_up.sh ├── ntlm_support.c ├── null_client_up.sh ├── t_client.rc-sample ├── t_client.sh.in ├── t_cltsrv-down.sh ├── t_cltsrv.sh ├── t_lpback.sh ├── t_net.sh ├── t_server_null.rc-sample ├── t_server_null.sh ├── t_server_null_client.sh ├── t_server_null_default.rc ├── t_server_null_server.sh ├── t_server_null_stress.sh ├── unit_tests │ ├── Makefile.am │ ├── README.md │ ├── example_test │ │ ├── Makefile.am │ │ ├── README.md │ │ ├── test.c │ │ └── test2.c │ ├── openvpn │ │ ├── Makefile.am │ │ ├── cert_data.h │ │ ├── input │ │ │ ├── user_only.txt │ │ │ └── user_pass.txt │ │ ├── 
mock_get_random.c │ │ ├── mock_management.c │ │ ├── mock_msg.c │ │ ├── mock_msg.h │ │ ├── mock_ssl_dependencies.c │ │ ├── mock_win32_execve.c │ │ ├── pkey_test_utils.c │ │ ├── test_argv.c │ │ ├── test_auth_token.c │ │ ├── test_buffer.c │ │ ├── test_common.h │ │ ├── test_crypto.c │ │ ├── test_cryptoapi.c │ │ ├── test_misc.c │ │ ├── test_ncp.c │ │ ├── test_networking.c │ │ ├── test_packet_id.c │ │ ├── test_pkcs11.c │ │ ├── test_pkt.c │ │ ├── test_provider.c │ │ ├── test_ssl.c │ │ ├── test_tls_crypt.c │ │ └── test_user_pass.c │ └── plugins │ │ ├── Makefile.am │ │ └── auth-pam │ │ ├── Makefile.am │ │ └── test_search_and_replace.c └── update_t_client_ips.sh └── version.m4 /.git-blame-ignore-revs: -------------------------------------------------------------------------------- 1 | # This FILE allows git blame to ignore reformatting changes and instead 2 | # shows the previous commit that changed the line. 3 | # 4 | # To avoid manually building the list of commits this commit 5 | # adds a file with a list of reformatting commits. TO use: 6 | # 7 | # git blame --ignore-revs-file=.git-blame-ignore-revs file 8 | # 9 | # or to automatically always use the file 10 | # 11 | # git config blame.ignoreRevsFile .git-blame-ignore-revs 12 | 13 | # Uncrustify 2020/06... (engine, pool, SSO) 14 | c1ff8f247f91c88a2df5502eeedf42857f9a6831 15 | 16 | # Uncrustify the tests/unit_tests/ part of our tree. 17 | da1574ef7826d73f01e120cbd1ba40ce39a305b7 18 | 19 | # Another round of uncrustify code cleanup. 
20 | 9cf7b4925a54d93fbea1cadcf3dc0e11f3ce358f 21 | 22 | # networking_sitnl.c: uncrustify file 23 | 2c45d268ca65c522fbabb7c4dab5e721296b4623 24 | 25 | # Uncrustify tapctl and openvpnmsica 26 | 6280d3d5536174934ee22d3840457d61896e0e3a 27 | 28 | # tun.c: uncrustify 29 | baef44fc8769bbd99f4d699ce9f63180c29a5455 30 | 31 | # networking_sitnl.c: uncrustify file 32 | 2c45d268ca65c522fbabb7c4dab5e721296b4623 33 | 34 | # uncrustify openvpn sources 35 | f57431cdc88f22fa4d7962946f0d3187fe058539 36 | 37 | # More broadly enforce Allman style and braces-around-conditionals 38 | 4cd4899e8e80efae03c584a760fd107251735723 39 | 40 | # The Great Reformatting - first phase 41 | 81d882d5302b8b647202a6893b57dfdc61fd6df2 42 | 43 | # Fix trailing-whitespace errors in last patch. 44 | 3282632d9325267c850072db7545a884a1637f51 45 | 46 | # The Great Reformatting of 2022 47 | abe49856d81f51136d543539202a0bf8fb946474 48 | 49 | # Reformat for sp_after_comma=add 50 | e51d9a73693ee742b36e19fb1718e5e27167831d 51 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | *.c eol=lf 2 | *.h eol=lf 3 | *.rc eol=lf 4 | *.txt eol=lf 5 | *.bat eol=lf 6 | *.vc*proj* eol=crlf 7 | *.sln eol=crlf 8 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **IMPORTANT NOTE** 11 | Bugs about OpenVPN Access Server, OpenVPN Connect or any other product by OpenVPN Inc. should be directly reported to OpenVPN Inc. at https://support.openvpn.net 12 | 13 | **Describe the bug** 14 | A clear and concise description of what the bug is. 15 | 16 | **To Reproduce** 17 | Steps to reproduce the behavior. 
Please make sure to not post any secrets like keys and passwords. 18 | 19 | **Expected behavior** 20 | A clear and concise description of what you expected to happen. 21 | 22 | **Version information (please complete the following information):** 23 | - OS: [e.g. Ubuntu 22.04] 24 | - OpenVPN version: [e.g. 2.5.8] 25 | - Repeat for peer if relevant 26 | 27 | **Additional context** 28 | Add any other context about the problem here. 29 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | # Thank you for your contribution 2 | 3 | You are welcome to open PR, but they are used for discussion only. All 4 | patches must eventually go to the openvpn-devel mailing list for review: 5 | 6 | * https://lists.sourceforge.net/lists/listinfo/openvpn-devel 7 | 8 | Please send your patch using [git-send-email](https://git-scm.com/docs/git-send-email). For example to send your latest commit to the list: 9 | 10 | $ git send-email --to=openvpn-devel@lists.sourceforge.net HEAD~1 11 | 12 | For details, see these Wiki articles: 13 | 14 | * https://community.openvpn.net/openvpn/wiki/DeveloperDocumentation 15 | * https://community.openvpn.net/openvpn/wiki/Contributing 16 | -------------------------------------------------------------------------------- /.github/workflows/doxygen.yml: -------------------------------------------------------------------------------- 1 | name: Deploy Doxygen documentation to Pages 2 | on: 3 | push: 4 | branches: ["master"] 5 | workflow_dispatch: 6 | concurrency: 7 | group: "pages" 8 | cancel-in-progress: false 9 | jobs: 10 | build: 11 | runs-on: ubuntu-24.04 12 | steps: 13 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 14 | with: 15 | path: openvpn 16 | 17 | - name: Install dependencies 18 | run: | 19 | sudo apt update 20 | sudo apt install -y --no-install-recommends \ 21 | 
build-essential doxygen graphviz \ 22 | liblzo2-dev libpam0g-dev liblz4-dev libcap-ng-dev libnl-genl-3-dev linux-libc-dev man2html libcmocka-dev python3-docutils libtool automake autoconf libssl-dev 23 | 24 | - name: Build Doxygen documentation 25 | id: build 26 | run: | 27 | cd openvpn 28 | autoreconf -f -i 29 | cd .. 30 | mkdir doxygen 31 | cd doxygen 32 | ../openvpn/configure 33 | make doxygen 34 | touch doc/doxygen/html/.nojekyll 35 | - name: Upload static files as artifact 36 | id: deployment 37 | uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1 38 | with: 39 | path: doxygen/doc/doxygen/html/ 40 | 41 | deploy: 42 | needs: build 43 | permissions: 44 | pages: write # to deploy to Pages 45 | id-token: write # to verify the deployment originates from an appropriate source 46 | environment: 47 | name: github-pages 48 | url: ${{ steps.deployment.outputs.page_url }} 49 | runs-on: ubuntu-24.04 50 | steps: 51 | - name: Deploy to GitHub Pages 52 | id: deployment 53 | uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5 54 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.[oa] 2 | *.l[oa] 3 | *.dll 4 | *.exe 5 | *.exe.* 6 | *.obj 7 | *.pyc 8 | *.so 9 | *~ 10 | *.idb 11 | *.suo 12 | *.ncb 13 | *.log 14 | out 15 | .vs 16 | .deps 17 | .libs 18 | Makefile 19 | Makefile.in 20 | aclocal.m4 21 | autodefs.h 22 | autom4te.cache 23 | config.guess 24 | config.h 25 | config.h.in 26 | config.log 27 | config.status 28 | config.sub 29 | configure 30 | configure.h 31 | depcomp 32 | stamp-h1 33 | install-sh 34 | missing 35 | ltmain.sh 36 | libtool 37 | m4/libtool.m4 38 | m4/ltoptions.m4 39 | m4/ltsugar.m4 40 | m4/ltversion.m4 41 | m4/lt~obsolete.m4 42 | 43 | build 44 | doc/openvpn-examples.5 45 | doc/openvpn-examples.5.html 46 | doc/openvpn.8 47 | doc/openvpn.8.html 48 | /doc/doxygen/html/ 49 | 
/doc/doxygen/latex/ 50 | /doc/doxygen/openvpn.doxyfile 51 | distro/systemd/*.service 52 | distro/dns-scripts/dns-updown 53 | sample/sample-keys/sample-ca/ 54 | vendor/cmocka_build 55 | vendor/dist 56 | 57 | tests/t_client.sh 58 | tests/t_client-*-20??????-??????/ 59 | tests/t_server_null.rc 60 | t_client.rc 61 | t_client_ips.rc 62 | tests/unit_tests/**/*_testdriver 63 | 64 | src/openvpn/openvpn 65 | include/openvpn-plugin.h 66 | config-version.h 67 | nbproject 68 | test-driver 69 | compile 70 | stamp-h2 71 | -------------------------------------------------------------------------------- /.mailmap: -------------------------------------------------------------------------------- 1 | Adriaan de Jong 2 | David Sommerseth 3 | Gert Doering 4 | Gert Doering 5 | Gert Doering 6 | Gert Doering 7 | James Yonan 8 | Jan Just Keijser 9 | JuanJo Ciarlante 10 | Karl O. Pinc 11 | Robert Fischer 12 | Samuli Seppänen 13 | Seth Mos 14 | -------------------------------------------------------------------------------- /.svncommitters: -------------------------------------------------------------------------------- 1 | james = James Yonan 2 | -------------------------------------------------------------------------------- /AUTHORS: -------------------------------------------------------------------------------- 1 | James Yonan 2 | -------------------------------------------------------------------------------- /CONTRIBUTING.rst: -------------------------------------------------------------------------------- 1 | CONTRIBUTING TO THE OPENVPN PROJECT 2 | =================================== 3 | 4 | Patches should be written against the Git "master" branch. Some patches may get 5 | backported to a release branch. 6 | 7 | The preferred procedure to send patches to the "openvpn-devel" mailing list: 8 | 9 | - https://lists.sourceforge.net/lists/listinfo/openvpn-devel 10 | 11 | While we do not merge GitHub pull requests as-is, we do allow their use for code 12 | review purposes. 
After the patch has been ACKed (reviewed and accepted), it must 13 | be sent to the mailing list. This last step does not necessarily need to be done 14 | by the patch author, although that is definitely recommended. 15 | 16 | When sending patches to "openvpn-devel" the subject line should be prefixed with 17 | [PATCH]. To avoid merging issues the patches should be generated with 18 | git-format-patch or sent using git-send-email. Try to split large patches into 19 | small, atomic pieces to make reviews easier. 20 | 21 | Please make sure that the source code formatting follows the guidelines at 22 | https://community.openvpn.net/openvpn/wiki/CodeStyle. Automated checking can be 23 | done with uncrustify (http://uncrustify.sourceforge.net/) and the configuration 24 | file which can be found in the git repository at dev-tools/uncrustify.conf. 25 | There is also a git pre-commit hook script, which runs uncrustify automatically 26 | each time you commit and lets you format your code conveniently, if needed. 27 | To install the hook simply run: dev-tools/git-pre-commit-uncrustify.sh install 28 | 29 | If you want quick feedback on a patch before sending it to openvpn-devel mailing 30 | list, you can visit the #openvpn-devel channel on irc.libera.chat. Note that 31 | you need to be logged in to Libera to join the channel: 32 | 33 | - https://libera.chat/guides/registration 34 | 35 | More detailed contribution instructions are available here: 36 | 37 | - https://community.openvpn.net/openvpn/wiki/DeveloperDocumentation 38 | 39 | Note that the process for contributing to other OpenVPN projects such as 40 | openvpn-build, openvpn-gui, tap-windows6 and easy-rsa may differ from what was 41 | described above. Please refer to the contribution instructions of each 42 | respective project. 
43 | -------------------------------------------------------------------------------- /NEWS: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OpenVPN/openvpn/9cc7c68bd8d42b9e1c02fd3f069d404b5c056b57/NEWS -------------------------------------------------------------------------------- /README.awslc: -------------------------------------------------------------------------------- 1 | This version of OpenVPN supports AWS-LC (AWS Libcrypto), AWS's open-source cryptographic library. 2 | 3 | If you encounter bugs in OpenVPN while using AWS-LC: 4 | 1. Try compiling OpenVPN with OpenSSL to determine if the issue is specific to AWS-LC 5 | 2. For AWS-LC-specific issues, please report them at: https://github.com/aws/aws-lc 6 | 7 | To build and install OpenVPN with AWS-LC: 8 | 9 | OPENSSL_CFLAGS="-I/${AWS_LC_INSTALL_FOLDER}/include" \ 10 | OPENSSL_LIBS="-L/${AWS_LC_INSTALL_FOLDER}/lib -lssl -lcrypto" \ 11 | LDFLAGS="-Wl,-rpath=${AWS_LC_INSTALL_FOLDER}/lib" \ 12 | ./configure --with-crypto-library=openssl 13 | make 14 | make install 15 | 16 | ************************************************************************* 17 | Due to limitations in AWS-LC, the following features are missing 18 | * Windows CryptoAPI support 19 | -------------------------------------------------------------------------------- /README.ec: -------------------------------------------------------------------------------- 1 | Since 2.4.0, OpenVPN has official support for elliptic curve crypto. Elliptic 2 | curves are an alternative to RSA for asymmetric encryption. 3 | 4 | Elliptic curve crypto ('ECC') can be used for the ('TLS') control channel only 5 | in OpenVPN; the data channel (encrypting the actual network traffic) uses 6 | symmetric encryption. ECC can be used in TLS for authentication (ECDSA) and key 7 | exchange (ECDH). 
8 | 9 | Key exchange (ECDH) 10 | ------------------- 11 | OpenVPN 2.4.0 and newer automatically initialize ECDH parameters. When ECDSA is 12 | used for authentication, the curve used for the server certificate will be used 13 | for ECDH too. When autodetection fails (e.g. when using RSA certificates) 14 | OpenVPN lets the crypto library decide if possible, or falls back to the 15 | secp384r1 curve. The list of groups/curves that the crypto library will choose 16 | from can be set with the --tls-groups option. 17 | 18 | An administrator can force an OpenVPN/OpenSSL server to use a specific curve 19 | using the --ecdh-curve option with one of the curves listed as 20 | available by the --show-groups option. Clients will use the same curve as 21 | selected by the server. 22 | 23 | Note that not all curves listed by --show-groups are available for use with TLS; 24 | in that case connecting will fail with a 'no shared cipher' TLS error. 25 | 26 | Authentication (ECDSA) 27 | ---------------------- 28 | Since OpenVPN 2.4.0, using ECDSA certificates works 'out of the box'. Which 29 | specific curves and cipher suites are available depends on your version and 30 | configuration of the crypto library. The crypto library will automatically 31 | select a cipher suite for the TLS control channel. 32 | 33 | Support for generating an ECDSA certificate chain is available in EasyRSA (in 34 | spite of its name) since EasyRSA 3.0. The parameters you're looking for are 35 | '--use-algo=ec' and '--curve=<curve_name>'. See the EasyRSA documentation for 36 | more details on generating ECDSA certificates. 37 | -------------------------------------------------------------------------------- /README.mbedtls: -------------------------------------------------------------------------------- 1 | This version of OpenVPN has mbed TLS support. 
To enable, follow the 2 | instructions below: 3 | 4 | To build and install, 5 | 6 | ./configure --with-crypto-library=mbedtls 7 | make 8 | make install 9 | 10 | This version requires mbed TLS version >= 2.0.0 or >= 3.2.1. 11 | 12 | ************************************************************************* 13 | 14 | Due to limitations in the mbed TLS library, the following features are missing 15 | in the mbed TLS version of OpenVPN: 16 | 17 | * PKCS#12 file support 18 | * --capath support - Loading certificate authorities from a directory 19 | * Windows CryptoAPI support 20 | * X.509 alternative username fields (must be "CN") 21 | 22 | Plugin/Script features: 23 | 24 | * X.509 subject line has a different format than the OpenSSL subject line 25 | * X.509 certificate tracking 26 | 27 | ************************************************************************* 28 | 29 | Mbed TLS 3 has implemented TLS 1.3, but support in OpenVPN requires the 30 | function mbedtls_ssl_export_keying_material() which is currently not in 31 | any released version. It is available when building mbed TLS from source 32 | (mbedtls-3.6 or development branch). 33 | 34 | Without this function, only TLS 1.2 is available. 35 | -------------------------------------------------------------------------------- /README.wolfssl: -------------------------------------------------------------------------------- 1 | Support for wolfSSL is implemented and maintained by wolfSSL Inc. The support is 2 | implemented using wolfSSL's compatibility layer. The wolfSSL support in OpenVPN 3 | receives very limited testing/support from the OpenVPN community itself. 4 | 5 | If bugs in OpenVPN when using wolfSSL are encountered, the user should try to 6 | also compile OpenVPN with OpenSSL to determine if these are bugs in the 7 | wolfSSL TLS implementation or OpenVPN itself. If bugs are caused by compiling 8 | with wolfSSL, please contact support@wolfssl.com directly. 
9 | 10 | To Build and Install, 11 | 12 | ./configure --with-crypto-library=wolfssl 13 | make 14 | make install 15 | 16 | 17 | The wolfSSL library will include the installed options.h file by default. 18 | To include a custom user_settings.h file for wolfSSL, 19 | 20 | ./configure --with-crypto-library=wolfssl --disable-wolfssl-options-h 21 | make 22 | make install 23 | 24 | ************************************************************************* 25 | Due to limitations in the wolfSSL TLS library or its compatibility layer, the 26 | following features are missing 27 | 28 | * blowfish support (BF-CBC), you must use something like 29 | cipher AES-128-CBC to avoid trying to use BF-CBC 30 | * Windows CryptoAPI support 31 | -------------------------------------------------------------------------------- /compat.m4: -------------------------------------------------------------------------------- 1 | dnl OpenVPN -- An application to securely tunnel IP networks 2 | dnl over a single UDP port, with support for SSL/TLS-based 3 | dnl session authentication and key exchange, 4 | dnl packet encryption, packet authentication, and 5 | dnl packet compression. 6 | dnl 7 | dnl Copyright (C) 2008-2012 Alon Bar-Lev 8 | dnl 9 | dnl This program is free software; you can redistribute it and/or modify 10 | dnl it under the terms of the GNU General Public License as published by 11 | dnl the Free Software Foundation; either version 2 of the License, or 12 | dnl (at your option) any later version. 13 | dnl 14 | dnl This program is distributed in the hope that it will be useful, 15 | dnl but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | dnl GNU General Public License for more details. 
18 | dnl 19 | dnl You should have received a copy of the GNU General Public License along 20 | dnl with this program; if not, write to the Free Software Foundation, Inc., 21 | dnl 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 22 | 23 | dnl Compatibility layer for 9 | # Copyright (C) 2022-2022 Lev Stipakov 10 | # 11 | # This program is free software; you can redistribute it and/or modify 12 | # it under the terms of the GNU General Public License version 2 13 | # as published by the Free Software Foundation. 14 | # 15 | # This program is distributed in the hope that it will be useful, 16 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | # GNU General Public License for more details. 19 | # 20 | # You should have received a copy of the GNU General Public License along 21 | # with this program; if not, write to the Free Software Foundation, Inc., 22 | # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | # 24 | 25 | # Usage: ./parse-version.m4.py m4file [directory] 26 | # Read , extract all lines looking like M4 define(), and translate 27 | # them into CMake style set(). Those are then written out to file 28 | # /version.cmake. 29 | # Intended to be used on top-level version.m4 file. 
30 | 31 | import os 32 | import re 33 | import sys 34 | 35 | def main(): 36 | assert len(sys.argv) > 1 37 | version_path = sys.argv[1] 38 | output = [] 39 | with open(version_path, 'r') as version_file: 40 | for line in version_file: 41 | match = re.match(r'[ \t]*define\(\[(.*)\],[ \t]*\[(.*)\]\)[ \t]*', line) 42 | if match is not None: 43 | output.append(match.expand(r'set(\1 \2)')) 44 | out_path = os.path.join("%s" % (sys.argv[2] if len(sys.argv) > 2 else "."), "version.cmake") 45 | 46 | prev_content = "" 47 | try: 48 | with open(out_path, "r") as out_file: 49 | prev_content = out_file.read() 50 | except: 51 | # file doesn't exist 52 | pass 53 | 54 | content = "\n".join(output) + "\n" 55 | if prev_content != content: 56 | print("Writing %s" % out_path) 57 | with open(out_path, "w") as out_file: 58 | out_file.write(content) 59 | else: 60 | print("Content of %s hasn't changed" % out_path) 61 | 62 | if __name__ == "__main__": 63 | main() 64 | -------------------------------------------------------------------------------- /contrib/multilevel-init.patch: -------------------------------------------------------------------------------- 1 | --- /etc/init.d/openvpn 2004-05-12 20:30:06.000000000 +0200 2 | +++ openvpn 2004-05-12 20:34:33.000000000 +0200 3 | @@ -58,13 +58,13 @@ 4 | # returning success or failure status to caller (James Yonan). 5 | 6 | # Location of openvpn binary 7 | -openvpn="/usr/sbin/openvpn" 8 | +openvpn=/usr/sbin/openvpn 9 | 10 | # Lockfile 11 | -lock="/var/lock/subsys/openvpn" 12 | +lock=/var/lock/subsys/openvpn 13 | 14 | # PID directory 15 | -piddir="/var/run/openvpn" 16 | +piddir=/var/run/openvpn 17 | 18 | # Our working directory 19 | work=/etc/openvpn 20 | 
@@ -106,7 +106,7 @@ 21 | 22 | if [ -f $lock ]; then 23 | # we were not shut down correctly 24 | - for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do 25 | + for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do 26 | if [ -s $pidf ]; then 27 | kill `cat $pidf` >/dev/null 2>&1 28 | fi 29 | @@ -116,12 +116,12 @@ 30 | sleep 2 31 | fi 32 | 33 | - rm -f $piddir/*.pid $piddir/*/*.pid 34 | + find $piddir -name "*.pid"|xargs rm -f 35 | 36 | # Start every .conf in $work and run .sh if exists 37 | errors=0 38 | successes=0 39 | - for c in `/bin/ls *.conf */*.conf 2>/dev/null`; do 40 | + for c in `find * -name "*.conf" 2>/dev/null`; do 41 | bn=${c%%.conf} 42 | if [ -f "$bn.sh" ]; then 43 | . $bn.sh 44 | @@ -147,7 +147,7 @@ 45 | ;; 46 | stop) 47 | echo -n $"Shutting down openvpn: " 48 | - for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do 49 | + for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do 50 | if [ -s $pidf ]; then 51 | kill `cat $pidf` >/dev/null 2>&1 52 | fi 53 | @@ -163,7 +163,7 @@ 54 | ;; 55 | reload) 56 | if [ -f $lock ]; then 57 | - for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do 58 | + for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do 59 | if [ -s $pidf ]; then 60 | kill -HUP `cat $pidf` >/dev/null 2>&1 61 | fi 62 | @@ -175,7 +175,7 @@ 63 | ;; 64 | reopen) 65 | if [ -f $lock ]; then 66 | - for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do 67 | + for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do 68 | if [ -s $pidf ]; then 69 | kill -USR1 `cat $pidf` >/dev/null 2>&1 70 | fi 71 | 
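Review bot: In the @@ -116,12 hunk, `find $piddir -name "*.pid"|xargs rm -f` passes find's output through whitespace splitting, so in this root-run init script a path under the PID directory that contains a space or newline reaches `rm -f` as several separate arguments; `find "$piddir" -name '*.pid' -exec rm -f {} +` avoids that. The same splitting affects the `for pidf in` loops changed in the @@ -106,7, -147,7, -163,7, -175,7 and -195,7 hunks, whose results are fed to `cat` and `kill` unquoted. find also descends to any depth where the old globs stopped at one subdirectory level, so the `*.conf` loop now starts configurations from deeper directories and, per the context line `. $bn.sh`, sources matching scripts there too; if unbounded recursion is not intended, bound it with `-maxdepth`. The surrounding case branches start and end outside these hunks.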
@@ -195,7 +195,7 @@ 72 | ;; 73 | status) 74 | if [ -f $lock ]; then 75 | - for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do 76 | + for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do 77 | if [ -s $pidf ]; then 78 | kill -USR2 `cat $pidf` >/dev/null 2>&1 79 | fi 80 | -------------------------------------------------------------------------------- /contrib/openvpn-fwmarkroute-1.00/README: -------------------------------------------------------------------------------- 1 | OpenVPN fwmark Routing 2 | Sean Reifschneider, 3 | Thursday November 27, 2003 4 | ========================== 5 | 6 | These scripts can be used with OpenVPN up and down scripts to set up 7 | routing on a Linux system such that the VPN traffic is sent via normal 8 | network connectivity, but other traffic to that network runs over the VPN. 9 | The idea is to allow encryption of data to the network the remote host is 10 | on, without interfering with the VPN traffic. You can't simply add a route 11 | to the remote network, becaues that will cause the VPN traffic to also try 12 | to run over the VPN, and breaks the VPN. 13 | 14 | These scripts use the Linux "fwmark" iptables rules to specify routing 15 | based not only on IP address, but also by port and protocol. This allows 16 | you to effectively say "if the packet is to this IP address on this port 17 | using this protocol, then use the normal default gateway, otherwise use the 18 | VPN gateway. 19 | 20 | This is set up on the client VPN system, not the VPN server. These scripts 21 | also set up all ICMP echo-responses to run across the VPN. You can 22 | comment the lines in the scripts to disable this, but I find this useful 23 | at coffee shops which have networks that block ICMP. 24 | 25 | To configure this, you need to set up these scripts as your up and down 26 | scripts in the config file. 
You will need to set these values in the 27 | config file: 28 | 29 | up /etc/openvpn/fwmarkroute.up 30 | down /etc/openvpn/fwmarkroute.down 31 | up-restart 32 | up-delay 33 | 34 | setenv remote_netmask_bits 24 35 | 36 | Note: For this to work, you can't set the "user" or "group" config options, 37 | because then the scripts will not run as root. 38 | 39 | The last setting allows you to control the size of the network the remote 40 | system is on. The remote end has to be set up to route, probably with 41 | masquerading or NAT. The network this netmask relates to is calculated 42 | using the value of "remote" in the conf file. 43 | 44 | Sean 45 | -------------------------------------------------------------------------------- /contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Bring down vpn routing. 4 | 5 | # calculate the network address 6 | remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"` 7 | remote_network="${remote_network#*=}" 8 | 9 | # clear routing via VPN 10 | ip route del "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out 11 | ip route del table vpnonly.out via "$5" 12 | iptables -D OUTPUT -t mangle -p "$proto" \ 13 | -d "$remote_network"/"$remote_netmask_bits" \ 14 | --dport "$remote_port" -j ACCEPT 15 | iptables -D OUTPUT -t mangle -d "$remote" -j MARK --set-mark 2 16 | 17 | # undo the ICMP ping tunneling 18 | iptables -D OUTPUT -t mangle --protocol icmp --icmp-type echo-request \ 19 | -j MARK --set-mark 3 20 | 21 | # flush route cache 22 | ip route flush cache 23 | -------------------------------------------------------------------------------- /contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Bring up vpn routing. 
4 | 5 | # calculate the network address 6 | remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"` 7 | remote_network="${remote_network#*=}" 8 | 9 | # add the stuff that doesn't change if it's not already there 10 | grep -q '^202 ' /etc/iproute2/rt_tables 11 | if [ "$?" -ne 0 ] 12 | then 13 | echo 202 vpn.out >> /etc/iproute2/rt_tables 14 | fi 15 | grep -q '^203 ' /etc/iproute2/rt_tables 16 | if [ "$?" -ne 0 ] 17 | then 18 | echo 203 vpnonly.out >> /etc/iproute2/rt_tables 19 | fi 20 | ip rule ls | grep -q 'lookup vpn.out *$' 21 | if [ "$?" -ne 0 ] 22 | then 23 | ip rule add fwmark 2 table vpn.out 24 | fi 25 | ip rule ls | grep -q 'lookup vpnonly.out *$' 26 | if [ "$?" -ne 0 ] 27 | then 28 | ip rule add fwmark 3 table vpnonly.out 29 | fi 30 | 31 | # route VPN traffic using the normal table 32 | iptables -A OUTPUT -t mangle -p "$proto" -d "$remote" --dport "$remote_port" \ 33 | -j ACCEPT 34 | 35 | # route all other traffic to that host via VPN 36 | iptables -A OUTPUT -t mangle -d "$remote_network"/"$remote_netmask_bits" \ 37 | -j MARK --set-mark 2 38 | 39 | # route all ICMP pings over the VPN 40 | iptables -A OUTPUT -t mangle --protocol icmp --icmp-type echo-request \ 41 | -j MARK --set-mark 3 42 | 43 | # NAT traffic going over the VPN, so it doesn't have an unknown address 44 | iptables -t nat -A POSTROUTING -o "$1" -j SNAT --to-source "$4" 45 | 46 | # add routing commands 47 | ip route add "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out 48 | ip route add table vpnonly.out via "$5" 49 | ip route flush cache 50 | -------------------------------------------------------------------------------- /contrib/vcpkg-manifests/mingw/vcpkg.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://raw.githubusercontent.com/microsoft/vcpkg/master/scripts/vcpkg.schema.json", 3 | "name": "openvpn", 4 | "version": "2.7", 5 | "dependencies": [ 6 | "openssl", 7 | "tap-windows6", 8 | "lzo", 9 | "lz4", 10 | 
"pkcs11-helper", 11 | "cmocka" 12 | ] 13 | } 14 | -------------------------------------------------------------------------------- /contrib/vcpkg-manifests/windows/vcpkg.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://raw.githubusercontent.com/microsoft/vcpkg/master/scripts/vcpkg.schema.json", 3 | "name": "openvpn", 4 | "version": "2.7", 5 | "dependencies": [ 6 | { 7 | "name": "openssl", 8 | "features": ["tools"] 9 | }, 10 | "tap-windows6", 11 | "lzo", 12 | "lz4", 13 | "pkcs11-helper", 14 | "cmocka", 15 | { 16 | "name": "pkgconf", 17 | "host": true 18 | } 19 | ] 20 | } 21 | -------------------------------------------------------------------------------- /contrib/vcpkg-ports/pkcs11-helper/config-w32-vc.h.in-indicate-OpenSSL.patch: -------------------------------------------------------------------------------- 1 | From c2293864de70fec322fe7e559055530ef56b9641 Mon Sep 17 00:00:00 2001 2 | From: Lev Stipakov 3 | Date: Tue, 11 Jan 2022 13:35:42 +0200 4 | Subject: [PATCH] config-w32-vc.h.in: indicate OpenSSL EC support 5 | 6 | Signed-off-by: Lev Stipakov 7 | --- 8 | config-w32-vc.h.in | 12 ++++++++++++ 9 | 1 file changed, 12 insertions(+) 10 | 11 | diff --git a/config-w32-vc.h b/config-w32-vc.h 12 | index 6d94841..db83825 100644 13 | --- a/config-w32-vc.h 14 | +++ b/config-w32-vc.h 15 | 
@@ -218,3 +218,15 @@ 16 | 17 | /* Define to 1 if you have the `DSA_SIG_set0' function. */ 18 | #define HAVE_DSA_SIG_SET0 1 19 | + 20 | +/* Define to 1 if you have the `ECDSA_SIG_set0' function. */ 21 | +#define HAVE_ECDSA_SIG_SET0 1 22 | + 23 | +/* Define to 1 if you have the `EC_KEY_METHOD_get_sign' function. */ 24 | +#define HAVE_EC_KEY_METHOD_GET_SIGN 1 25 | + 26 | +/* Define to 1 if you have the `EC_KEY_METHOD_set_sign' function. */ 27 | +#define HAVE_EC_KEY_METHOD_SET_SIGN 1 28 | + 29 | +/* Define to 1 if OpenSSL has EC support. */ 30 | +#define ENABLE_PKCS11H_OPENSSL_EC 1 31 | -- 32 | 2.23.0.windows.1 33 | 34 | -------------------------------------------------------------------------------- /contrib/vcpkg-ports/pkcs11-helper/nmake-compatibility-with-vcpkg-nmake.patch: -------------------------------------------------------------------------------- 1 | From 2d3a2c05383f653544b9c7194dd1349c6d5f3067 Mon Sep 17 00:00:00 2001 2 | From: Lev Stipakov 3 | Date: Tue, 11 Jan 2022 13:24:51 +0200 4 | Subject: [PATCH] nmake: compatibility with vcpkg nmake 5 | 6 | Remove options which contradict or already set 7 | by vcpkg nmake scripts. 8 | 9 | Signed-off-by: Lev Stipakov 10 | --- 11 | lib/Makefile.w32-vc | 8 ++------ 12 | 1 file changed, 2 insertions(+), 6 deletions(-) 13 | 14 | diff --git a/lib/Makefile.w32-vc b/lib/Makefile.w32-vc 15 | index 96f1f89..be68a00 100644 16 | --- a/lib/Makefile.w32-vc 17 | +++ b/lib/Makefile.w32-vc 18 | 
@@ -75,15 +75,11 @@ OPENSSL_LIBS=-LIBPATH:$(OPENSSL_LIB) user32.lib advapi32.lib $(OPENSSL_STATIC) 19 | CFLAGS = -I../include $(OPENSSL_CFLAGS) -DWIN32 -DWIN32_LEAN_AND_MEAN -D_MBCS -D_CRT_SECURE_NO_DEPRECATE -D_WIN32_WINNT=0x0400 20 | CC=cl.exe 21 | RC=rc.exe 22 | -CCPARAMS=/nologo /W3 /O2 /FD /c 23 | - 24 | -CCPARAMS=$(CCPARAMS) /MD 25 | -CFLAGS=$(CFLAGS) -DNDEBUG 26 | +CCPARAMS=/c 27 | 28 | LINK32=link.exe 29 | LIB32=lib.exe 30 | -LINK32_FLAGS=/nologo /subsystem:windows /dll /incremental:no /release 31 | -LIB32_FLAGS=/nologo 32 | +LINK32_FLAGS=/dll 33 | 34 | HEADERS = \ 35 | config.h \ 36 | -- 37 | 2.23.0.windows.1 38 | 39 | -------------------------------------------------------------------------------- /contrib/vcpkg-ports/pkcs11-helper/vcpkg.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "pkcs11-helper", 3 | "version": "1.30.0", 4 | "description": "pkcs11-helper is a library that simplifies the interaction with PKCS#11 providers for end-user applications.", 5 | "homepage": "https://github.com/OpenSC/pkcs11-helper", 6 | "license": "BSD-3-Clause OR GPL-2.0-only" 7 | } 8 | -------------------------------------------------------------------------------- /contrib/vcpkg-triplets/arm64-windows-ovpn.cmake: -------------------------------------------------------------------------------- 1 | set(VCPKG_TARGET_ARCHITECTURE arm64) 2 | set(VCPKG_CRT_LINKAGE dynamic) 3 | set(VCPKG_LIBRARY_LINKAGE dynamic) 4 | 5 | set(STATIC_PORTS lz4 lzo) 6 | if(PORT IN_LIST STATIC_PORTS) 7 | set(VCPKG_LIBRARY_LINKAGE static) 8 | endif() 9 | -------------------------------------------------------------------------------- /contrib/vcpkg-triplets/x64-mingw-ovpn.cmake: -------------------------------------------------------------------------------- 1 | set(VCPKG_TARGET_ARCHITECTURE x64) 2 | set(VCPKG_CRT_LINKAGE dynamic) 3 | set(VCPKG_LIBRARY_LINKAGE static) 4 | set(VCPKG_ENV_PASSTHROUGH PATH) 5 | 6 | set(VCPKG_CMAKE_SYSTEM_NAME MinGW) 
7 | 8 | set(VCPKG_MAKE_BUILD_TRIPLET --host=x86_64-w64-mingw32) 9 | -------------------------------------------------------------------------------- /contrib/vcpkg-triplets/x64-windows-ovpn.cmake: -------------------------------------------------------------------------------- 1 | set(VCPKG_TARGET_ARCHITECTURE x64) 2 | set(VCPKG_CRT_LINKAGE dynamic) 3 | set(VCPKG_LIBRARY_LINKAGE dynamic) 4 | 5 | set(STATIC_PORTS lz4 lzo) 6 | if(PORT IN_LIST STATIC_PORTS) 7 | set(VCPKG_LIBRARY_LINKAGE static) 8 | endif() 9 | -------------------------------------------------------------------------------- /contrib/vcpkg-triplets/x86-mingw-ovpn.cmake: -------------------------------------------------------------------------------- 1 | set(VCPKG_TARGET_ARCHITECTURE x86) 2 | set(VCPKG_CRT_LINKAGE dynamic) 3 | set(VCPKG_LIBRARY_LINKAGE static) 4 | set(VCPKG_ENV_PASSTHROUGH PATH) 5 | 6 | set(VCPKG_CMAKE_SYSTEM_NAME MinGW) 7 | 8 | set(VCPKG_MAKE_BUILD_TRIPLET --host=i686-w64-mingw32) 9 | -------------------------------------------------------------------------------- /contrib/vcpkg-triplets/x86-windows-ovpn.cmake: -------------------------------------------------------------------------------- 1 | set(VCPKG_TARGET_ARCHITECTURE x86) 2 | set(VCPKG_CRT_LINKAGE dynamic) 3 | set(VCPKG_LIBRARY_LINKAGE dynamic) 4 | 5 | set(STATIC_PORTS lz4 lzo) 6 | if(PORT IN_LIST STATIC_PORTS) 7 | set(VCPKG_LIBRARY_LINKAGE static) 8 | endif() 9 | -------------------------------------------------------------------------------- /debug/doval: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | PROGDIR=`dirname $0` 3 | unset LD_LIBRARY_PATH 4 | valgrind --tool=memcheck --error-limit=no --suppressions=$PROGDIR/debug/valgrind-suppress --gen-suppressions=all --leak-check=full --show-reachable=yes --num-callers=32 $PROGDIR/openvpn "$@" 5 | -------------------------------------------------------------------------------- /debug/dovalns: 
-------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | valgrind --tool=memcheck --error-limit=no --gen-suppressions=all --leak-check=full --show-reachable=yes --num-callers=32 $* 3 | -------------------------------------------------------------------------------- /dev-tools/special-files.lst: -------------------------------------------------------------------------------- 1 | E:doc/doxygen/doc_key_generation.h # @verbatim section gets mistreated, exclude it 2 | E:src/compat/compat-lz4.c # Preserve LZ4 upstream formatting 3 | E:src/compat/compat-lz4.h # Preserve LZ4 upstream formatting 4 | E:src/openvpn/ovpn_dco_linux.h # Preserve ovpn-dco upstream formatting 5 | E:src/openvpn/ovpn_dco_win.h # Preserve ovpn-dco-win upstream formatting 6 | -------------------------------------------------------------------------------- /dev-tools/uncrustify.conf: -------------------------------------------------------------------------------- 1 | # Use Allman-style 2 | indent_columns=4 3 | indent_braces=false 4 | indent_else_if=false 5 | indent_switch_case=4 6 | indent_label=1 7 | nl_if_brace=add 8 | nl_brace_else=add 9 | nl_elseif_brace=add 10 | nl_else_brace=add 11 | nl_else_if=remove 12 | nl_for_brace=add 13 | nl_while_brace=add 14 | nl_switch_brace=add 15 | nl_fdef_brace=add 16 | nl_do_brace=add 17 | sp_func_proto_paren=Remove 18 | sp_func_def_paren=Remove 19 | sp_func_call_paren=Remove 20 | sp_sizeof_paren=Remove 21 | 22 | # No tabs, spaces only 23 | indent_with_tabs=0 24 | align_with_tabs=false 25 | cmt_convert_tab_to_spaces=true 26 | 27 | # Do not put spaces between the # and preprocessor statements 28 | pp_space=remove 29 | 30 | # Various whitespace fiddling 31 | sp_assign=add 32 | sp_before_sparen=add 33 | sp_inside_sparen=remove 34 | sp_cond_colon=add 35 | sp_cond_question=add 36 | sp_bool=add 37 | sp_else_brace=add 38 | sp_brace_else=add 39 | sp_after_comma=add 40 | pos_arith=Lead 41 | pos_bool=Lead 42 | nl_func_type_name=add 
43 | nl_before_case=true 44 | nl_assign_leave_one_liners=true 45 | nl_enum_leave_one_liners=true 46 | nl_brace_fparen=add 47 | nl_max=4 48 | nl_after_func_proto=2 49 | nl_end_of_file_min=1 50 | nl_end_of_file=force 51 | 52 | # Always use scoping braces for conditionals 53 | mod_full_brace_if=add 54 | mod_full_brace_if_chain=false 55 | mod_full_brace_while=add 56 | mod_full_brace_for=add 57 | mod_full_brace_do=add 58 | 59 | # Annotate #else and #endif statements 60 | mod_add_long_ifdef_endif_comment=20 61 | mod_add_long_ifdef_else_comment=5 62 | 63 | # Misc cleanup 64 | mod_remove_extra_semicolon=true 65 | 66 | # leave blank at end of empty for() statements 67 | sp_after_semi_for_empty=Add 68 | 69 | # Use C-style comments (/* .. */) 70 | cmt_c_nl_end=true 71 | cmt_star_cont=true 72 | cmt_cpp_to_c=true 73 | 74 | # Use "char **a"-style pointer stars/dereferences 75 | sp_before_ptr_star=Add 76 | sp_between_ptr_star=Remove 77 | sp_after_ptr_star=Remove 78 | sp_before_byref=Add 79 | sp_after_byref=Remove 80 | -------------------------------------------------------------------------------- /dev-tools/update-copyright.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # update-copyright-sh - Simple tool to update the Copyright lines 3 | # in all files checked into git 4 | # 5 | # Copyright (C) 2016-2025 OpenVPN Inc 6 | # Copyright (C) 2016-2025 David Sommerseth 7 | # 8 | # This program is free software; you can redistribute it and/or 9 | # modify it under the terms of the GNU General Public License 10 | # as published by the Free Software Foundation; either version 2 11 | # of the License. 12 | # 13 | # This program is distributed in the hope that it will be useful, 14 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 15 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 | # GNU General Public License for more details. 
17 | # 18 | # You should have received a copy of the GNU General Public License 19 | # along with this program; if not, write to the Free Software 20 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 21 | # 22 | 23 | # Basic shell sanity 24 | set -eu 25 | 26 | # Simple argument control 27 | if [ $# -ne 1 ]; then 28 | echo "Usage: $0 " 29 | exit 1 30 | fi 31 | 32 | # Only update Copyright lines with these owners 33 | # The 'or' operator is GNU sed specific, and must be \| 34 | UPDATE_COPYRIGHT_LINES="@openvpn\.net\|@fox-it\.com\|@sophos.com\|@eurephia\.org\|@greenie\.muc\.de\|@rozman.si\|@unstable\.cc\|@rfc2549.org\|@karger\.me\|selva.nair@" 35 | COPY_YEAR="$1" 36 | 37 | cd "$(git rev-parse --show-toplevel)" 38 | for file in $(git ls-files | grep -v vendor/); 39 | do 40 | echo -n "Updating $file ..." 41 | # The first sed operation covers 20xx-20yy copyright lines, 42 | # The second sed operation changes 20xx -> 20xx-20yy 43 | sed -e "/$UPDATE_COPYRIGHT_LINES/s/\(Copyright (C) 20..-\)\(20..\)[[:blank:]]\+/\1$COPY_YEAR /" \ 44 | -e "/$UPDATE_COPYRIGHT_LINES/s/\(Copyright (C) \)\(20..\)[[:blank:]]\+/\1\2-$COPY_YEAR /" \ 45 | -i $file 46 | echo " Done" 47 | done 48 | echo 49 | echo "** All files updated with $COPY_YEAR as the ending copyright year" 50 | echo 51 | exit 0 52 | -------------------------------------------------------------------------------- /distro/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 
7 | # 8 | # Copyright (C) 2002-2025 OpenVPN Inc 9 | # Copyright (C) 2006-2012 Alon Bar-Lev 10 | # 11 | 12 | MAINTAINERCLEANFILES = \ 13 | $(srcdir)/Makefile.in 14 | 15 | SUBDIRS = systemd 16 | 17 | if ENABLE_DNS_UPDOWN 18 | SUBDIRS += dns-scripts 19 | endif 20 | -------------------------------------------------------------------------------- /distro/dns-scripts/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 7 | # 8 | # Copyright (C) 2002-2025 OpenVPN Inc 9 | # 10 | 11 | MAINTAINERCLEANFILES = \ 12 | $(srcdir)/Makefile.in 13 | 14 | EXTRA_DIST = \ 15 | systemd-dns-updown.sh \ 16 | openresolv-dns-updown.sh \ 17 | haikuos_file-dns-updown.sh \ 18 | resolvconf_file-dns-updown.sh 19 | 20 | script_SCRIPTS = \ 21 | dns-updown 22 | 23 | CLEANFILES = $(script_SCRIPTS) 24 | 25 | dns-updown: @DNS_UPDOWN_TYPE@-dns-updown.sh 26 | cp ${srcdir}/@DNS_UPDOWN_TYPE@-dns-updown.sh $@ 27 | chmod +x $@ 28 | 29 | all: $(script_SCRIPTS) 30 | -------------------------------------------------------------------------------- /distro/systemd/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 
7 | # 8 | # Copyright (C) 2017-2025 OpenVPN Inc 9 | # 10 | 11 | %.service: %.service.in Makefile 12 | $(AM_V_GEN)sed \ 13 | -e 's|\@OPENVPN_VERSION_MAJOR\@|$(OPENVPN_VERSION_MAJOR)|g' \ 14 | -e 's|\@OPENVPN_VERSION_MINOR\@|$(OPENVPN_VERSION_MINOR)|g' \ 15 | -e 's|\@sbindir\@|$(sbindir)|g' \ 16 | $< > $@.tmp && mv $@.tmp $@ 17 | 18 | EXTRA_DIST = \ 19 | tmpfiles-openvpn.conf \ 20 | openvpn-client@.service.in \ 21 | openvpn-server@.service.in 22 | 23 | if ENABLE_SYSTEMD 24 | systemdunit_DATA = \ 25 | openvpn-client@.service \ 26 | openvpn-server@.service 27 | CLEANFILES = $(systemdunit_DATA) 28 | tmpfiles_DATA = \ 29 | tmpfiles-openvpn.conf 30 | dist_doc_DATA = \ 31 | README.systemd 32 | 33 | install-data-hook: 34 | mv $(DESTDIR)$(tmpfilesdir)/tmpfiles-openvpn.conf $(DESTDIR)$(tmpfilesdir)/openvpn.conf 35 | endif 36 | 37 | MAINTAINERCLEANFILES = \ 38 | $(srcdir)/Makefile.in 39 | -------------------------------------------------------------------------------- /distro/systemd/openvpn-client@.service.in: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=OpenVPN tunnel for %I 3 | After=network-online.target 4 | Wants=network-online.target 5 | Documentation=man:openvpn(8) 6 | Documentation=https://openvpn.net/community-resources/reference-manual-for-openvpn-@OPENVPN_VERSION_MAJOR@-@OPENVPN_VERSION_MINOR@/ 7 | Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO 8 | 9 | [Service] 10 | Type=notify 11 | PrivateTmp=true 12 | WorkingDirectory=/etc/openvpn/client 13 | ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf 14 | CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE 15 | LimitNPROC=10 16 | DeviceAllow=/dev/null rw 17 | DeviceAllow=/dev/net/tun rw 18 | ProtectSystem=true 19 | ProtectHome=true 20 | KillMode=process 21 | 22 | [Install] 23 | WantedBy=multi-user.target 24 | 
-------------------------------------------------------------------------------- /distro/systemd/openvpn-server@.service.in: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=OpenVPN service for %I 3 | After=network-online.target 4 | Wants=network-online.target 5 | Documentation=man:openvpn(8) 6 | Documentation=https://openvpn.net/community-resources/reference-manual-for-openvpn-@OPENVPN_VERSION_MAJOR@-@OPENVPN_VERSION_MINOR@/ 7 | Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO 8 | 9 | [Service] 10 | Type=notify 11 | PrivateTmp=true 12 | WorkingDirectory=/etc/openvpn/server 13 | ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf 14 | CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE 15 | LimitNPROC=10 16 | DeviceAllow=/dev/null rw 17 | DeviceAllow=/dev/net/tun rw 18 | ProtectSystem=true 19 | ProtectHome=true 20 | KillMode=process 21 | RestartSec=5s 22 | Restart=on-failure 23 | 24 | [Install] 25 | WantedBy=multi-user.target 26 | -------------------------------------------------------------------------------- /distro/systemd/tmpfiles-openvpn.conf: -------------------------------------------------------------------------------- 1 | d /run/openvpn-client 0710 root root - 2 | d /run/openvpn-server 0710 root root - 3 | -------------------------------------------------------------------------------- /doc/README.man: -------------------------------------------------------------------------------- 1 | 2 | man page documentation 3 | ====================== 4 | 5 | The man page content maintained in the openvpn.8.rst file and proper man and 6 | the html version of the man page are generated using python-docutils. 
Both 7 | the man page and html file are generated during 'make dist' or 'make distcheck' 8 | and should be distributed inside the tarball by default. 9 | 10 | Users compiling OpenVPN from the tarball should not need to regenerate the 11 | man/html files unless the source file needs to be modified. 12 | 13 | Further information: 14 | 15 | * Python docutils project: 16 | https://docutils.sourceforge.io/ 17 | 18 | * Quickstart on .rst 19 | https://docutils.sourceforge.io/docs/user/rst/quickstart.html 20 | 21 | * reStructuredText Markup Specifictaion (.rst) 22 | https://docutils.sourceforge.io/docs/ref/rst/restructuredtext.html 23 | -------------------------------------------------------------------------------- /doc/README.plugins: -------------------------------------------------------------------------------- 1 | OpenVPN Plugins 2 | --------------- 3 | 4 | Starting with OpenVPN 2.0-beta17, compiled plugin modules are 5 | supported on any *nix OS which includes libdl or on Windows. 6 | One or more modules may be loaded into OpenVPN using 7 | the --plugin directive, and each plugin module is capable of 8 | intercepting any of the script callbacks which OpenVPN supports: 9 | 10 | (1) up 11 | (2) down 12 | (3) route-up 13 | (4) ipchange 14 | (5) tls-verify 15 | (6) auth-user-pass-verify 16 | (7) client-connect 17 | (8) client-disconnect 18 | (9) learn-address 19 | 20 | See the openvpn-plugin.h file in the top-level directory of the 21 | OpenVPN source distribution for more detailed information 22 | on the plugin interface. 23 | 24 | Included Plugins 25 | ---------------- 26 | 27 | auth-pam -- Authenticate using PAM and a split privilege 28 | execution model which functions even if 29 | root privileges or the execution environment 30 | have been altered with --user/--group/--chroot. 31 | Tested on Linux only. 
32 | 33 | down-root -- Enable the running of down scripts with root privileges 34 | even if --user/--group/--chroot have been used 35 | to drop root privileges or change the execution 36 | environment. Not applicable on Windows. 37 | 38 | examples -- A simple example that demonstrates a portable 39 | plugin, i.e. one which can be built for *nix 40 | or Windows from the same source. 41 | 42 | Building Plugins 43 | ---------------- 44 | 45 | cd to the top-level directory of a plugin, and use the 46 | "make" command to build it. The examples plugin is 47 | built using a build script, not a makefile. 48 | -------------------------------------------------------------------------------- /doc/doxygen/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 7 | # 8 | # Copyright (C) 2017-2021 Fox-IT B.V. 
9 | # 10 | 11 | MAINTAINERCLEANFILES = \ 12 | $(srcdir)/Makefile.in 13 | 14 | DISTCLEANFILES = openvpn.doxyfile 15 | 16 | DOXYGEN_EXTRA_FILES = \ 17 | doc_compression.h \ 18 | doc_control_processor.h \ 19 | doc_control_tls.h \ 20 | doc_data_control.h \ 21 | doc_data_crypto.h \ 22 | doc_eventloop.h \ 23 | doc_external_multiplexer.h \ 24 | doc_fragmentation.h \ 25 | doc_internal_multiplexer.h \ 26 | doc_key_generation.h \ 27 | doc_mainpage.h \ 28 | doc_memory_management.h \ 29 | doc_protocol_overview.h \ 30 | doc_reliable.h \ 31 | doc_tunnel_state.h 32 | 33 | EXTRA_DIST = $(DOXYGEN_EXTRA_FILES) 34 | 35 | .PHONY: doxygen 36 | doxygen: openvpn.doxyfile $(DOXYGEN_EXTRA_FILES) 37 | doxygen openvpn.doxyfile 38 | 39 | clean-local: 40 | -rm -rf html latex 41 | -------------------------------------------------------------------------------- /doc/doxygen/doc_external_multiplexer.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2010-2021 Fox Crypto B.V. 9 | * 10 | * 11 | * This program is free software; you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License version 2 13 | * as published by the Free Software Foundation. 14 | * 15 | * This program is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU General Public License along 21 | * with this program; if not, write to the Free Software Foundation, Inc., 22 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
23 | */ 24 | 25 | /** 26 | * @file 27 | * External Multiplexer module documentation file. 28 | */ 29 | 30 | /** 31 | * @addtogroup external_multiplexer External Multiplexer module 32 | * 33 | * The External Multiplexer is the link between the external network 34 | * interface and the other OpenVPN modules. It reads packets from the 35 | * external network interface, determines which remote OpenVPN peer and 36 | * VPN tunnel they are associated with, and whether they are data channel 37 | * or control channel packets. It then passes the packets on to the 38 | * appropriate processing module. 39 | * 40 | * This module also handles packets traveling in the reverse direction, 41 | * which have been generated by the local control channel or which have 42 | * already been processed by the \link data_control Data Channel Control 43 | * module\endlink and are destined for a remote host reachable through a 44 | * VPN tunnel. 45 | */ 46 | -------------------------------------------------------------------------------- /doc/doxygen/doc_internal_multiplexer.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2010-2021 Fox Crypto B.V. 9 | * 10 | * 11 | * This program is free software; you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License version 2 13 | * as published by the Free Software Foundation. 14 | * 15 | * This program is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU General Public License for more details. 
19 | * 20 | * You should have received a copy of the GNU General Public License along 21 | * with this program; if not, write to the Free Software Foundation, Inc., 22 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | */ 24 | 25 | /** 26 | * @file 27 | * Internal Multiplexer module documentation file. 28 | */ 29 | 30 | /** 31 | * @addtogroup internal_multiplexer Internal Multiplexer module 32 | * 33 | * The Internal Multiplexer is the link between the virtual tun/tap 34 | * network interface and the \link data_control Data Channel Control 35 | * module\endlink. It reads packets from the virtual network interface, 36 | * determines for which remote OpenVPN peer they are destined, and then 37 | * passes the packets on to the Data Channel Control module together with 38 | * information about their destination VPN tunnel instance. 39 | * 40 | * This module also handles packets traveling in the reverse direction, 41 | * which have already been processed by the Data Channel Control module 42 | * and are destined for a locally reachable host. 43 | */ 44 | -------------------------------------------------------------------------------- /doc/doxygen/doc_reliable.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2010-2021 Fox Crypto B.V. 9 | * 10 | * 11 | * This program is free software; you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License version 2 13 | * as published by the Free Software Foundation. 
14 | * 15 | * This program is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU General Public License along 21 | * with this program; if not, write to the Free Software Foundation, Inc., 22 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | */ 24 | 25 | /** 26 | * @file 27 | * Reliability Layer module documentation file. 28 | */ 29 | 30 | /** 31 | * @defgroup reliable Reliability Layer module 32 | * 33 | * The Reliability Layer is part of OpenVPN's control channel. It 34 | * provides a reliable and sequential transport mechanism for control 35 | * channel messages between OpenVPN peers. This module forms the 36 | * interface between the \link external_multiplexer External 37 | * Multiplexer\endlink and the \link control_tls Control Channel TLS 38 | * module\endlink. 39 | * 40 | * @par UDP or TCP as VPN tunnel transport 41 | * 42 | * This is especially important when OpenVPN is configured to communicate 43 | * over UDP, because UDP does not offer a reliable and sequential 44 | * transport. OpenVPN endpoints can also communicate over TCP which does 45 | * provide a reliable and sequential transport. In both cases, using UDP 46 | * or TCP as an external transport, the internal Reliability Layer is 47 | * active. 
48 | */ 49 | -------------------------------------------------------------------------------- /doc/man-sections/inline-files.rst: -------------------------------------------------------------------------------- 1 | INLINE FILE SUPPORT 2 | =================== 3 | 4 | OpenVPN allows including files in the main configuration for the ``--ca``, 5 | ``--cert``, ``--dh``, ``--extra-certs``, ``--key``, ``--pkcs12``, 6 | ``--crl-verify``, ``--http-proxy-user-pass``, ``--tls-auth``, 7 | ``--auth-gen-token-secret``, ``--peer-fingerprint``, ``--tls-crypt``, 8 | ``--tls-crypt-v2``, ``--verify-hash`` and ``--auth-user-pass`` options. 9 | 10 | Each inline file is started by the line ``<option>`` and ended by the line 11 | ``</option>`` 12 | 13 | Here is an example of an inline file usage 14 | 15 | :: 16 | 17 | <cert> 18 | -----BEGIN CERTIFICATE----- 19 | [...] 20 | -----END CERTIFICATE----- 21 | </cert> 22 | 23 | When using the inline file feature with ``--pkcs12`` the inline file has 24 | to be base64 encoded. Encoding of a .p12 file into base64 can be done 25 | for example with OpenSSL by running :code:`openssl base64 -in input.p12` 26 | -------------------------------------------------------------------------------- /doc/man-sections/network-config.rst: -------------------------------------------------------------------------------- 1 | NETWORK CONFIGURATION 2 | ===================== 3 | 4 | OpenVPN consists of two sides of network configuration. One side is the 5 | *link* between the local and remote side, the other side is the *virtual 6 | network adapter* (tun/tap device). 7 | 8 | .. include:: link-options.rst 9 | .. include:: vpn-network-options.rst 10 | ..
include:: virtual-routing-and-forwarding.rst 11 | -------------------------------------------------------------------------------- /doc/man-sections/renegotiation.rst: -------------------------------------------------------------------------------- 1 | Data Channel Renegotiation 2 | `````````````````````````` 3 | 4 | When running OpenVPN in client/server mode, the data channel will use a 5 | separate ephemeral encryption key which is rotated at regular intervals. 6 | 7 | --reneg-bytes n 8 | Renegotiate data channel key after ``n`` bytes sent or received 9 | (disabled by default with an exception, see below). OpenVPN allows the 10 | lifetime of a key to be expressed as a number of bytes 11 | encrypted/decrypted, a number of packets, or a number of seconds. A key 12 | renegotiation will be forced if any of these three criteria are met by 13 | either peer. 14 | 15 | If using ciphers with cipher block sizes less than 128 bits, 16 | ``--reneg-bytes`` is set to 64MB by default. It can be explicitly 17 | disabled by setting the value to :code:`0`, but doing so is 18 | **HIGHLY DISCOURAGED**, as the default limit is designed to add some protection against 19 | the SWEET32 attack vector. For more information see the ``--cipher`` 20 | option. 21 | 22 | --reneg-pkts n 23 | Renegotiate data channel key after **n** packets sent and received 24 | (disabled by default). 25 | 26 | --reneg-sec args 27 | Renegotiate data channel key after at most ``max`` seconds 28 | (default :code:`3600`) and at least ``min`` seconds (default is 90% of 29 | ``max`` for servers, and equal to ``max`` for clients). 30 | :: 31 | 32 | reneg-sec max [min] 33 | 34 | The effective ``--reneg-sec`` value used is per session 35 | pseudo-uniform-randomized between ``min`` and ``max``. 36 | 37 | With the default value of :code:`3600` this results in an effective per 38 | session value in the range of :code:`3240` .. :code:`3600` seconds for 39 | servers, or just 3600 for clients.
40 | 41 | When using dual-factor authentication, note that this default value may 42 | cause the end user to be challenged to reauthorize once per hour. 43 | 44 | Also, keep in mind that this option can be used on both the client and 45 | server, and whichever uses the lower value will be the one to trigger 46 | the renegotiation. A common mistake is to set ``--reneg-sec`` to a 47 | higher value on either the client or server, while the other side of the 48 | connection is still using the default value of :code:`3600` seconds, 49 | meaning that the renegotiation will still occur once per :code:`3600` 50 | seconds. The solution is to increase ``--reneg-sec`` on both the client and 51 | server, or set it to :code:`0` on one side of the connection (to 52 | disable), and to your chosen value on the other side. 53 | -------------------------------------------------------------------------------- /doc/man-sections/signals.rst: -------------------------------------------------------------------------------- 1 | SIGNALS 2 | ======= 3 | 4 | :code:`SIGHUP` 5 | Cause OpenVPN to close all TUN/TAP and network connections, restart, 6 | re-read the configuration file (if any), and reopen TUN/TAP and network 7 | connections. 8 | 9 | :code:`SIGUSR1` 10 | Like :code:`SIGHUP`, except don't re-read configuration file, and 11 | possibly don't close and reopen TUN/TAP device, re-read key files, 12 | preserve local IP address/port, or preserve most recently authenticated 13 | remote IP address/port based on ``--persist-tun``, ``--persist-local-ip`` 14 | and ``--persist-remote-ip`` options respectively (see above). 15 | 16 | This signal may also be internally generated by a timeout condition, 17 | governed by the ``--ping-restart`` option. 18 | 19 | This signal, when combined with ``--persist-remote-ip``, may be sent 20 | when the underlying parameters of the host's network interface change 21 | such as when the host is a DHCP client and is assigned a new IP address.
22 | See ``--ipchange`` for more information. 23 | 24 | :code:`SIGUSR2` 25 | Causes OpenVPN to display its current statistics (to the syslog file if 26 | ``--daemon`` is used, or stdout otherwise). 27 | 28 | :code:`SIGINT`, :code:`SIGTERM` 29 | Causes OpenVPN to exit gracefully. 30 | -------------------------------------------------------------------------------- /doc/man-sections/unsupported-options.rst: -------------------------------------------------------------------------------- 1 | 2 | UNSUPPORTED OPTIONS 3 | =================== 4 | 5 | Options listed in this section have been removed from OpenVPN and are no 6 | longer supported. 7 | 8 | --client-cert-not-required 9 | Removed in OpenVPN 2.5. This should be replaced with 10 | ``--verify-client-cert none``. 11 | 12 | --ifconfig-pool-linear 13 | Removed in OpenVPN 2.5. This should be replaced with ``--topology p2p``. 14 | 15 | --key-method 16 | Removed in OpenVPN 2.5. This option should not be used, as using the old 17 | ``key-method`` weakens the VPN tunnel security. The old ``key-method`` 18 | was also only needed when the remote side was older than OpenVPN 2.0. 19 | 20 | --management-client-pf 21 | Removed in OpenVPN 2.6. The built-in packet filtering (pf) functionality 22 | has been removed. 23 | 24 | --ncp-disable 25 | Removed in OpenVPN 2.6. This option mainly served a role as a debug option 26 | when NCP was first introduced. It should no longer be necessary. 27 | 28 | --no-iv 29 | Removed in OpenVPN 2.5. This option should not be used as it weakens the 30 | VPN tunnel security. This has been a NOOP option since OpenVPN 2.4. 31 | 32 | --no-replay 33 | Removed in OpenVPN 2.7. This option should not be used as it weakens the 34 | VPN tunnel security. Previously we claimed to have removed this in 35 | OpenVPN 2.5, but this wasn't actually the case. 36 | 37 | --ns-cert-type 38 | Removed in OpenVPN 2.5. The ``nsCertType`` field is no longer supported 39 | in recent SSL/TLS libraries.
If your certificates do not include *key 40 | usage* and *extended key usage* fields, they must be upgraded and the 41 | ``--remote-cert-tls`` option should be used instead. 42 | 43 | --prng 44 | Removed in OpenVPN 2.6. We now always use the PRNG of the SSL library. 45 | 46 | --persist-key 47 | Ignored since OpenVPN 2.7. Keys are now always persisted across restarts. -------------------------------------------------------------------------------- /doc/openvpn-examples.5.rst: -------------------------------------------------------------------------------- 1 | =============================== 2 | openvpn examples 3 | =============================== 4 | ------------------------- 5 | Secure IP tunnel daemon 6 | ------------------------- 7 | 8 | :Manual section: 5 9 | :Manual group: Configuration files 10 | 11 | 12 | INTRODUCTION 13 | ============ 14 | 15 | This man page gives a few simple examples to create OpenVPN setups and configuration files. 16 | 17 | .. include:: man-sections/example-fingerprint.rst 18 | .. include:: man-sections/examples.rst 19 | -------------------------------------------------------------------------------- /include/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression.
7 | # 8 | # Copyright (C) 2002-2025 OpenVPN Inc 9 | # Copyright (C) 2006-2012 Alon Bar-Lev 10 | # 11 | 12 | MAINTAINERCLEANFILES = \ 13 | $(srcdir)/Makefile.in \ 14 | $(srcdir)/openvpn-plugin.h.in 15 | 16 | include_HEADERS = \ 17 | openvpn-plugin.h \ 18 | openvpn-msg.h 19 | -------------------------------------------------------------------------------- /ltrc.inc: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 7 | # 8 | # Copyright (C) 2008-2012 Alon Bar-Lev 9 | # 10 | # Required to build Windows resource file 11 | 12 | RCCOMPILE = $(RC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ 13 | $(AM_CPPFLAGS) $(CPPFLAGS) 14 | LTRCCOMPILE = $(LIBTOOL) --mode=compile --tag=RC $(RCCOMPILE) 15 | 16 | .rc.lo: 17 | $(LTRCCOMPILE) -i "$<" -o "$@" 18 | 19 | .rc.o: 20 | $(RCCOMPILE) -i "$<" -o "$@" 21 | 22 | .mc.rc: 23 | $(WINDMC) "$<" 24 | -------------------------------------------------------------------------------- /m4/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OpenVPN/openvpn/9cc7c68bd8d42b9e1c02fd3f069d404b5c056b57/m4/.keep -------------------------------------------------------------------------------- /m4/ax_socklen_t.m4: -------------------------------------------------------------------------------- 1 | dnl -- The following is base of curl's acinclude.m4 -- 2 | dnl Check for socklen_t: historically on BSD it is an int, and in 3 | dnl POSIX 1g it is a type of its own, but some platforms use different 4 | dnl types for the argument to getsockopt, getpeername, etc. So we 5 | dnl have to test to find something that will work. 
6 | AC_DEFUN([AX_TYPE_SOCKLEN_T], [ 7 | AC_CHECK_TYPE( 8 | [socklen_t], 9 | , 10 | [ 11 | AS_VAR_PUSHDEF([VAR],[ax_cv_socklen_t_equiv])dnl 12 | AC_CACHE_CHECK( 13 | [for socklen_t equivalent], 14 | [VAR], 15 | [ 16 | #AS_CASE is not supported on 28 | #include 29 | int getpeername (int, $arg2 *, $t *); 30 | ]], 31 | [[ 32 | $t len; 33 | getpeername(0,0,&len); 34 | ]] 35 | )], 36 | [VAR="$t"; break] 37 | ) 38 | done 39 | test -n "$VAR" && break 40 | done 41 | ;; 42 | esac 43 | ] 44 | AS_VAR_IF( 45 | [VAR], 46 | [], 47 | [AC_MSG_ERROR([Cannot find a type to use in place of socklen_t])], 48 | [AC_DEFINE_UNQUOTED( 49 | [socklen_t], 50 | [$VAR], 51 | [type to use in place of socklen_t if not defined] 52 | )] 53 | ) 54 | ) 55 | ], 56 | [[ 57 | #include 58 | #ifdef _WIN32 59 | #include 60 | #else 61 | #include 62 | #endif 63 | ]] 64 | ) 65 | ]) 66 | -------------------------------------------------------------------------------- /renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "packageRules": [ 4 | { 5 | "matchDepTypes": [ 6 | "action" 7 | ], 8 | "groupName": "github actions", 9 | "pinDigests": true, 10 | "extends": [ 11 | "schedule:monthly" 12 | ] 13 | }, 14 | { 15 | "matchDepNames": [ 16 | "vcpkg" 17 | ], 18 | "extends": [ 19 | "schedule:monthly" 20 | ] 21 | } 22 | ], 23 | "customManagers": [ 24 | { 25 | "customType": "regex", 26 | "managerFilePatterns": [ 27 | "/^\\.github/workflows/.+\\.ya?ml$/" 28 | ], 29 | "matchStrings": [ 30 | "vcpkgGitCommitId:\\s*(?.*?)\\n" 31 | ], 32 | "currentValueTemplate": "master", 33 | "depNameTemplate": "vcpkg", 34 | "packageNameTemplate": "https://github.com/microsoft/vcpkg", 35 | "datasourceTemplate": "git-refs" 36 | }, 37 | { 38 | "customType": "regex", 39 | "managerFilePatterns": [ 40 | "/^\\.github/workflows/.+\\.ya?ml$/" 41 | ], 42 | "matchStrings": [ 43 | 
"versioning=(?.*?)\\n\\s*repository:\\s*(?.*?)\\n\\s*ref:\\s*(?.*?)\\n" 44 | ], 45 | "datasourceTemplate": "github-tags" 46 | } 47 | ] 48 | } 49 | -------------------------------------------------------------------------------- /sample/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 7 | # 8 | # Copyright (C) 2002-2025 OpenVPN Inc 9 | # Copyright (C) 2006-2012 Alon Bar-Lev 10 | # 11 | 12 | MAINTAINERCLEANFILES = \ 13 | $(srcdir)/Makefile.in 14 | 15 | DISTCLEANFILES = \ 16 | $(builddir)/sample-plugins/Makefile 17 | 18 | EXTRA_DIST = \ 19 | sample-plugins \ 20 | sample-config-files \ 21 | sample-keys \ 22 | sample-scripts 23 | -------------------------------------------------------------------------------- /sample/sample-config-files/README: -------------------------------------------------------------------------------- 1 | Sample OpenVPN Configuration Files. 2 | 3 | These files are part of the OpenVPN HOWTO 4 | which is located at: 5 | 6 | http://openvpn.net/howto.html 7 | 8 | See also the openvpn-examples man page. 9 | -------------------------------------------------------------------------------- /sample/sample-config-files/loopback-server: -------------------------------------------------------------------------------- 1 | # Perform a TLS loopback test -- server side. 2 | # 3 | # This test performs a TLS negotiation once every 10 seconds, 4 | # and will terminate after 2 minutes. 
5 | # 6 | # From the root directory of the OpenVPN distribution, 7 | # after openvpn has been built, run: 8 | # 9 | # ./openvpn --config sample-config-files/loopback-client (In one window) 10 | # ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window) 11 | 12 | rport 16001 13 | lport 16000 14 | remote localhost 15 | local localhost 16 | dev null 17 | verb 3 18 | reneg-sec 10 19 | tls-server 20 | dh sample-keys/dh2048.pem 21 | ca sample-keys/ca.crt 22 | key sample-keys/server.key 23 | cert sample-keys/server.crt 24 | tls-auth sample-keys/ta.key 0 25 | cipher AES-256-GCM 26 | ping 1 27 | inactive 120 10000000 28 | -------------------------------------------------------------------------------- /sample/sample-config-files/openvpn-shutdown.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # stop all openvpn processes 4 | 5 | killall -TERM openvpn 6 | -------------------------------------------------------------------------------- /sample/sample-config-files/openvpn-startup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # A sample OpenVPN startup script 4 | # for Linux. 5 | 6 | # openvpn config file directory 7 | dir=/etc/openvpn 8 | 9 | # load the firewall 10 | $dir/firewall.sh 11 | 12 | # load TUN/TAP kernel module 13 | modprobe tun 14 | 15 | # enable IP forwarding 16 | echo 1 > /proc/sys/net/ipv4/ip_forward 17 | 18 | # Invoke openvpn for each VPN tunnel 19 | # in daemon mode. Alternatively, 20 | # you could remove "--daemon" from 21 | # the command line and add "daemon" 22 | # to the config file. 23 | # 24 | # Each tunnel should run on a separate 25 | # UDP port. Use the "port" option 26 | # to control this. Like all of 27 | # OpenVPN's options, you can 28 | # specify "--port 8000" on the command 29 | # line or "port 8000" in the config 30 | # file. 
31 | 32 | openvpn --cd $dir --daemon --config vpn1.conf 33 | openvpn --cd $dir --daemon --config vpn2.conf 34 | openvpn --cd $dir --daemon --config vpn2.conf 35 | -------------------------------------------------------------------------------- /sample/sample-keys/README: -------------------------------------------------------------------------------- 1 | Sample RSA and EC keys. 2 | 3 | Run ./gen-sample-keys.sh to generate fresh test keys. 4 | 5 | See the examples section of the man page for usage examples. 6 | 7 | NOTE: THESE KEYS ARE FOR TESTING PURPOSES ONLY. 8 | DON'T USE THEM FOR ANY REAL WORK BECAUSE 9 | THEY ARE TOTALLY INSECURE! 10 | 11 | ca.{crt,key} -- sample CA key/cert 12 | server.{crt,key} -- sample server key/cert 13 | client.{crt,key} -- sample client key/cert 14 | client-pass.key -- sample client key with password-encrypted key 15 | password = "password" 16 | client.p12 -- sample client pkcs12 bundle 17 | password = "password" 18 | client-ec.{crt,key} -- sample elliptic curve client key/cert 19 | server-ec.{crt,key} -- sample elliptic curve server key/cert 20 | -------------------------------------------------------------------------------- /sample/sample-keys/ca.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIGPjCCBCagAwIBAgIUb1C400ZucjRZvAAz3XyuEusnRgYwDQYJKoZIhvcNAQEL 3 | BQAwZjELMAkGA1UEBhMCS0cxCzAJBgNVBAgMAk5BMRAwDgYDVQQHDAdCSVNIS0VL 4 | MRUwEwYDVQQKDAxPcGVuVlBOLVRFU1QxITAfBgkqhkiG9w0BCQEWEm1lQG15aG9z 5 | dC5teWRvbWFpbjAeFw0yMzExMDcxMjIzMzlaFw0zMzExMDQxMjIzMzlaMGYxCzAJ 6 | BgNVBAYTAktHMQswCQYDVQQIDAJOQTEQMA4GA1UEBwwHQklTSEtFSzEVMBMGA1UE 7 | CgwMT3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21h 8 | aW4wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCI+p/ZLGUHCANTTFaK 9 | nw+J3wi+ef2EKJ5WHt5PWMuBeaDpeU4Ghuaow8HlRPjG9lDRHtn+WQgZz9nUejYH 10 | +wtmN2BHwJAM4OeUVoB95tBrxd/VDCrdIvypVKldHsU3VkEbvPAl1jq68WVk+DXM 11 | 
FZqTUoafDK+irOvL7Z5j2gA3FDzRUQs0L+jCvRTl4omFSjSQwoBCoVXxNEAg9jgy 12 | lNWUHx+JHDB8dk+gEmDai20ggBWeAeThUU9dVZvwjv4E7zMRMx1skCRdWcyALJQf 13 | fjc9q6gnB9X9nPxXdWb/lYKcivJBmBRHLeirnUFL2S2IYRc2H0ZbX1d+WzDJV37+ 14 | DKYy9ehltyHFiaXmZThJ2Kg/mAD55U3NCWNBXmQ0CvzhUh6QIQiOJNQHmK0qxgnc 15 | POJeE4X55dv1nAGD/0fGeHTcuShzUoipCKAd1CZdXK2Ge3gZRH2WUvlQGd5JARd4 16 | 3zbd2wXZX0h0e1/BWQVeXx/Cg6u31B5lll7B3rWeoZHvfV9DSC7e3IEOhgzG5cyA 17 | h+wrtlCszjiMreHSSYCQh9tlyK+ACOJUFtZFGdseBsMxRgXWtHr+ypW2iJI4KsEU 18 | /MNXr1Bqg7FGxIw0Oyc2zyzjgD9aq4CKEy64MYB1ZYf41Rbc2Z+pMx1MW9orsPp7 19 | qSp6SmpTk0RTHpH0O2wNC9F26wIDAQABo4HjMIHgMB0GA1UdDgQWBBRzsbjWipVr 20 | EuB0fMVXVZiUW6x4XjCBowYDVR0jBIGbMIGYgBRzsbjWipVrEuB0fMVXVZiUW6x4 21 | XqFqpGgwZjELMAkGA1UEBhMCS0cxCzAJBgNVBAgMAk5BMRAwDgYDVQQHDAdCSVNI 22 | S0VLMRUwEwYDVQQKDAxPcGVuVlBOLVRFU1QxITAfBgkqhkiG9w0BCQEWEm1lQG15 23 | aG9zdC5teWRvbWFpboIUb1C400ZucjRZvAAz3XyuEusnRgYwDAYDVR0TBAUwAwEB 24 | /zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBABqhFuSPgqplHQtFnWwQ 25 | TKfrElQJ07gF0eaBBijQVSm2MswB2xnWF/S2NRjIpw7k5ZlmZsAbCVcGMwqJOkfJ 26 | yX3Z7gK+yNrZehzNSOCkv+H79ExsS9/HETSqZxMevIIH7O0t/pACv20f85unBzhc 27 | x+980RzufuHK17sG3Z+z+d6i9XDhaZvV/gm6bWTXft1ufRzI5R48xWVAfJd1X9Ln 28 | bZmqF9Ye1GHxka1Xna9nOCgAuYYoGxq2VkUSIjlRCMaLCHlsWEn0JbRnQXPfBts6 29 | /yQBywcEekKRutCugn5bn625kAJHWGxcb0xIXj+Rqnp2++p33lbE4J09zfIkh5hV 30 | RvCSzaE0Z3Kly9237CV+DyAqzrBJq5HHN/AT6+xFd2yGPMPKH8hKbf3jIprexNEp 31 | oG1XC/dsPFkPLUyeD++kVjzsLiDmYAn2x3Dco6cWD7FfEljb1pHkAp5CctU9TjZH 32 | 21xcAsPbfS0vrDmj8zG7eTU+BtleL4AfxEVsMBzrUB6jSdUMpJ/hRtni4RxOHLmU 33 | 0DqtHIqrDrC5Gb2KunNUIYqPp+80LSD1/Edo5Vr+k5AiFYCzZFXSab+6e4hEsLEV 34 | nQNMmcPVWATQ2najGfNftmhwQx9hU4gJaCw/rfhEmwIif5BxgG5VPUzy97T+GmOZ 35 | InB0RDylv3Lq3Hs8mBF4nRt7 36 | -----END CERTIFICATE----- 37 | -------------------------------------------------------------------------------- /sample/sample-keys/client-ec.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | 
MIGEAgEAMBAGByqGSM49AgEGBSuBBAAKBG0wawIBAQQggBG28jKEqUG3n/wcnvcr 3 | h2VP5dXkRChxqLw3ydT+HpGhRANCAAQlvT7axc01wETVghF3eiQSHkBTev8NDGcF 4 | lM5dRCZRmwxXsTgwnb0TA1kSDsg1XMq20YFBnayf7CtYBylt019c 5 | -----END PRIVATE KEY----- 6 | -------------------------------------------------------------------------------- /sample/sample-keys/client-pass.key: -------------------------------------------------------------------------------- 1 | -----BEGIN ENCRYPTED PRIVATE KEY----- 2 | MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIVDt6h9I/tNsCAggA 3 | MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBDK/DTdm5la+nBeb36XV2oxBIIE 4 | 0Elt0ly1Cwc1o6EHRs3rFT3EYqm9DMVrcQgquI0qdbbUMtAsDmMFmW9TI7wedCDR 5 | Ey3olanxK2dwz9qupSmtH25j4dFtPVxfF0moND6I4cQTmzBzTOjkK4LzgMucWfFL 6 | +J/GQxJsh0npaEu2t7HSpbKDR4uWcRiPkjxc7gFRPJH8NF51ySnF7htUODh/lmsM 7 | mRbdD5asKzIvrOJSVWBs7RLtj8GRCHttOLMq6ib3O0/8WvBDPEVXfPJMH8JRNxJc 8 | woz6CSOPoI7yd9tKnRf0YGOuPiFWc1J1LTqgvWxVuwaUGrlwRZQ3nMnKK9jfXIGr 9 | FmhkHYFqWX2tpYy1nI9i7qYqG0MdWTmf/Gng1/YA5jTDW3dpcCnm5bd2eyzgw0qG 10 | PFnjjdVlJnEKZe5phTzrffzKWW8oOBDRww63RtgnNykipPK2V+Wq3RHQ3Oach8ZB 11 | 0RqyLCG1wFLN9qA3TmvmPDDLsksLj9LiCstqo6FyHrvy1NFsCVlVqeVcOay1VCT9 12 | ApFHa5SRaW5PxTSUKfses1eIjB48Z+yplJ+6sIkv4jrTcXyjrJSmZA8GU1jVvO08 13 | O2W4PGLX3C4B6iIel2eZMyG2EHM24kIAH4Dqx+GDZBhSuRBwhTN7+c9nX3fmVs3t 14 | cTe1uPOYu73W9zHLOSIRkO8WKcyoTzf5FQqfVhVRLmb1Z0pA+qVQps6g7DyL1/da 15 | zwHYgdAk0wSK20JYlXOz+7lYUsg/o4sFKTYseHVQIhXyEfUIE5gBxTEltCc+FBlI 16 | q0wLW5axVFJZx1uaEV0/mAOLSkL8QEKd5VOlV+mT7sDk38AdyoBbk2rmmn4SeYB5 17 | tmAzNC1d8aTAANo51bvt9BL3gzzvAduwuzl/3kYGsd7ASnrYZYDMwxtObR3Ltj12 18 | Jq+Uv9lknmsbuhNWY/rXE0eQT2sT7PIW4Y3HqxzVlA3TeWc6ug7GLbabQMfeFPct 19 | OouOgj74jIvqBRYzLvyAdLKBuDadSVvCpxJddgS9mc3Ne53YPKtT8tPSuPzDVLRp 20 | rMQyHKh+C9HCEozDGAjzLbr/icE1PfmxDfKbl99C5bRG2WlSL3VNxcuRr7o09LRK 21 | Y2k/zE0WzQtgiNaV9MOykcf3NBgRhIYwpH+O1oT2kxlorAWJbh3FyFZUxZlPr+we 22 | dZSBXtrZ/6aevm76f/qsHvjqC3MfHbQ5544Z5lEvPGke2w7du7Vcu7141Oghzl0a 23 | qw1gCok/CKy4iWoTS8sfnaKB5eXhk9KFHN/ALHztDQlq2qQ6O2KEIndHzd3IAspB 
24 | NgEFW+UmSankwA5QnDCoyqgvnybaCJwRcsk189PJYOUQMKrvwzdYWQJIkA/XZDGq 25 | 3TF9+bm7hJifD4nOMI0RYU5kROPLR4nKUTkRVOaMEdV8jTCWzjPaffiYKk8IDVhy 26 | zVnKpuuiPBU6mZKIlBwMAEwUdFSUZ8huRCoa8UGqyukJmYR5JSxJVwtqwtCqHsXd 27 | 2nujp0MvGdJy7V/9TIocKCbJOgubuOYt3F+tp78fUYY0P0TAVIa94Be/P5B+tzKN 28 | /EjT+mv6RP6YnFSKSGC8CKTolPa2rKJBH+UpaHdFdbKifmY+snIMe2wzYlI62gFj 29 | uJc7ZHyi4MMbzdWSLblOP+KUhn0qKBJAS12cgOVWP5bb 30 | -----END ENCRYPTED PRIVATE KEY----- 31 | -------------------------------------------------------------------------------- /sample/sample-keys/client.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDdrrIKQObP4cGi 3 | odKDLDGY4huyhUBnAPqrv8+dFNHGt2ODql+cFKDSTQQ6SpLmkkukhkAmQr2Dt/xJ 4 | t1bSyudwhRaPizvaR56LakrI5qjermstUiIMnc9nu30eZgVTi3yurdGmUl89nmso 5 | GFfZoUItwLBN2krwKaoCNIYCqq9nCQbtRSGOjPh1Vsfq6E+IjhyLW2gtsWal5MY2 6 | 4nCN/u8Q8FL4U5a/flFw8j+uWIc40aNr9jhRmxbOZzWObXZjTWubfXfaVW8gsWZP 7 | mi2kczpSIYY886ZaZ+V9EPU2ViF+AyK9mOkYtD+ztQ3t1e9Ulm+dRmxvDrpLGvfM 8 | 1OUkutKlAgMBAAECggEANwi9ron6QzWaqtNdva7lCT1o/uLR4EB/+s99rVOT2K+C 9 | hxdu8QK2Aj+YgxgsbA15tfiWSGldPywX9/0KEv7IgkioFy7Lxx7sn1PeCQ4qck3+ 10 | 0ZuIVHWBHhGPuFI/lEQWyg7g81eTyWpg0+1nMeI02cLyggFlhUXyrOV5N4REU2GW 11 | C0KBQFyVQJPrFszomK8qsHOu/gaGC1vOwgIID3cQ3iLKXkoHNmHO4hgbeSy+SfDP 12 | Q5C0xxKQa2RUz0nLbByuGtLYOsJmbjUMWjFXyjmwBsPCcvRmFRdnxFvlnzwGEH4M 13 | ZKsw+49p1iJFyuCv7KJ/ILLJmoEuryjrSmdj3esIqQKBgQDwC24VBQLNmlug8rkG 14 | YWaRePsWRJylDlWIeHnfmGe27p7ytxOvGe6hnPu6nfg8nXHtruZCIhGya6qbuVmL 15 | vGrg94ia4MSpDVUgGiElXXQ/Pl7O9/lnSlIlxcBAgd8uggxIAzCeYI6c3r7AQcmY 16 | jARMwYNCxJjz5nLctMe2MCs4LwKBgQDsatDXb3xr6jmflCUZa8Kx8SOgBWEZTEGz 17 | KEoCQWnF2fHUCy4Bwm8Imnws3iX0198TyxkVD2rP8oGwFj2SAVtI2L8Y/g5A05TA 18 | knfmVECvGp/MN266ZdCA8G/MKbk727TxyJs+4AseAi5p6cBULqZHsJaZE74qlcEl 19 | 5gFQu35ZawKBgBBgRz9J2zoZmLyvMm48ANpVzZNkVOdxxeYMigv2AsVZHCDk2oPs 20 | mfoOkqHVmxTPjPExKGZEmr54V+hNyc0dqpD0ci5WvTPnQ/JvtektqfuSjrdB9ZLV 21 | 
YCtRhV8hPQ+YMaxMA2oankAXdh35nv44NybhYMoSTXj+NMHX13QXbytjAoGAdVKw 22 | 3yixWzB6dinjm1Dx5rJfVos024QPWqRUzfe+UPROYUdHBpKB3YgktXNs7KuwRbdV 23 | dDEZdabIGyV+WpWXwnflpbZ2Rk95k3NcUw5ep0cUJBkiNxhNt58aK/xMs1rd2dsO 24 | x84RVkwI0oCw9FXOKOeGZOL6TVHR70fMQU86bY8CgYEAqg/1AD9lXzbR57zaR/br 25 | AIn0WWU2mnU7Dc4uhmQd9+JExqrplKKHrUp8eQEOW8nij6MbPYlpgkMdatvDOJqP 26 | WrYtwZsKXGhnalvbS3ye20HqpjYpBR7co3Q9KMaaDNoQe9HtjbT80GXpQEbJN2Iu 27 | ADo3hPoX0yENIbKFccMuptM= 28 | -----END PRIVATE KEY----- 29 | -------------------------------------------------------------------------------- /sample/sample-keys/client.p12: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/OpenVPN/openvpn/9cc7c68bd8d42b9e1c02fd3f069d404b5c056b57/sample/sample-keys/client.p12 -------------------------------------------------------------------------------- /sample/sample-keys/dh2048.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN DH PARAMETERS----- 2 | MIIBCAKCAQEAgGOVdT2c3GUITi1pF9u+yo72PRBW7I7SnNIsHmXCRYibpyPMGxKM 3 | ROK6rduMllC0CjiXQZhMfqCg+GIca9xxBPKtTnwtKWD3eH5wgs24kw86mODITjJk 4 | 6lTNM8it2HY4UuIQoFCqCdt5f5Gwgh2nwU5+dy731md6pmw9x9jUEXoyh67CeZfb 5 | C45x5ttzjpSBvYe5ZIiUypYKumYhdiZhk0RLefEtlUYF9oXrUExDqfYDpSO/1/X3 6 | oHC0O0EV3Lh1boZTG7+FjcvMYLIKYUDTmxHpII6/OAHhprg7U9ui1i7GyQRv1lze 7 | QV3FGO4UwLntnv352iYy91b0ls2mwD+zTwIBAg== 8 | -----END DH PARAMETERS----- 9 | -------------------------------------------------------------------------------- /sample/sample-keys/server-ec.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIGEAgEAMBAGByqGSM49AgEGBSuBBAAKBG0wawIBAQQghKHFa1jQGnTwZbFNJoJv 3 | RABNN9RrBuBkrXPCwOdUnt6hRANCAATWNz5jYwDISK0SAVPocku1UGb8j5ql6pPP 4 | lH6ddeebxX4Ib37ltLbnxPFBqEkN8eh8EUCuoPPg5PSN1BVHOFX9 5 | -----END PRIVATE KEY----- 6 | -------------------------------------------------------------------------------- 
/sample/sample-keys/server.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCvk86dhofEirs4 3 | b1AWmylw2lq9s0xaA7jhlPU/Sz8bBep3njRZAZnegeKHOtQFGEAmf6PpglK8MoQy 4 | uTxhH2haiQEXIey5M1uWMxaRDzavww9oEETq5vkANRNhPeegsUuRMbgRAqCYzf2q 5 | 51NsMQWHNlbF5IwSltbwxFqnDZZf9nqVrVjlbYZUderaqv0dDDgZaqYkxiVgc8Sp 6 | hlGv9lJFSPGWFo4Z/z/Oe9GW9ix1EhaQJ3gnCQp3oNhuZLAJlHyVgXanw759Wgxa 7 | 5C3SFW0Au4OmrDXcHvf1Z6wvcAf9lNmx2vSPZGeS8fGocifdXNTxOKt2uE44JtRM 8 | 2YdMQmPVAgMBAAECggEAGe0W0rv4IFWRVRawGiZ0oBgeKL+TxAGjXewZABekYeEl 9 | wN647CEIZOAuYGRCGoknhTJ5NGnsvaLX/TAiclT+RnV5673ersTz/oyHWzQxPGhD 10 | 8MyLi1mVOyqbNKi8zfBgMDh0mE5trc1SaoIYwh5wVTROQTqA/zMML3v5xuEta03u 11 | BMsNWMzm/fFXRvO6ydxdpFZkQJUeNvsGizrAhtFqsm8Cba9f/yEduyAdj2DpkG8A 12 | H8KmBQcAFstWX1hcC92V8qlf8RwA1o5TN82Nu2dwa+xkCTsOFK8uVE8lBkjB3C0O 13 | H4fGlwJ4BLUZPxIYaefn38LIQr8hZ9ITstmM2+EFoQKBgQDGD1CTdbAfGv9vBSle 14 | cinxflcgXOpr6XdGWZZz5VPvdE91fMgnwHOnGVZI0pI5xxO3FvrujjZ2yzTu+yme 15 | MG5YWjMraqdWZ0speJK7/nxIPNK+frCvVzY2sA/STgUEni2XnNkiC7w0VXWnT/xP 16 | rmCuJeJ211eF2bd4rrldeg9ApwKBgQDi8MiBDJFRxlP9xCTPVdTixN88Fy7JBFJE 17 | uZNtKeLkg2ce7bvNc9QOePXCM9Fn0NOuBTLf4SMkfFybyDKn7BTznwA0Yz2muyaK 18 | rzmGeGP+gzw5MQk6nzk8NIzdMYr3G9ockrMTYBNPVoiwhbshlVWNg3Qvic7cXDoB 19 | Q1bXfrurIwKBgQDFUDiLz3E4a+MRrWi7SKz0g1M1UJvSCfLjyRiUOWFXat5GQ5v7 20 | zkTpsdo+DlnS6buAaYpv4onr6yG++8VIbSNhLetQU56F+73rgM1eMHeMV9v0H67R 21 | 3+aIsPnyH/vrz9HH+2BuBJbo5EKj/pF0qFp05BUrI/lzxaR8vES7FYDgfQKBgQDF 22 | +zWQj7w/UPx5SKKsVr7wTrxJmhfwulpjJlqdQ4tzu8c8zj2m0UPQlGoiUD6BiUcC 23 | a/qkIa8c53mLVi4LHQRyPOZazbE9Qcwv9QoEbAcgRLFHW6YnhDzUbyvs1IndZmjz 24 | wG+Fma1+64k4JpLIi5UlbebwihLzX2ojK/IY8bEbbQKBgQC81tY7mRPAYnl5QmIQ 25 | YLqvQyHf/a2bVY+3XNyLF6tWngCOyt8z4Dy3pTRVI2KMVXL9+zPWuJdabwwVlWJs 26 | 9CzR9SqYkaPP3mlbZXWt5X10OiyNU+kcCvTRNZ10OUr8XJ0tHRIuJxgBGoXdWxSF 27 | 6uIa5Vvw9DOMFGnbugLbWuMYjQ== 28 | -----END PRIVATE KEY----- 29 | 
-------------------------------------------------------------------------------- /sample/sample-keys/ta.key: -------------------------------------------------------------------------------- 1 | # 2 | # 2048 bit OpenVPN static key 3 | # 4 | -----BEGIN OpenVPN Static key V1----- 5 | 21d94830510107f8753d3b6f3145e01d 6 | ed37075115afcb0538ecdd8503ee9663 7 | 7218c9ed38d908d594231d7d143c73da 8 | 5055310f89d336da99c8b3dcb18909c7 9 | 9dd44f540670ebc0f120beb7211e9683 10 | 9cb542572c48bfa7ffaa9a22cb8304b7 11 | 869b92f4442918e598745bb78ac8877f 12 | 02b00a7cdef3f2446c130d39a7c45126 13 | 9ef399fd6029cdfc80a7c604041312ab 14 | 0a969bc906bdee6e6d707afdcbe8c7fb 15 | 97beb66049c3d328340775025433ceba 16 | 1e38008a826cf92443d903106199373b 17 | dadd9c2c735cf481e580db4e81b99f12 18 | e3f46b6159c687cd1b9e689f7712573c 19 | 0f02735a45573dfb5cd55cf464942389 20 | 2c7e91f439bdd7337a8ceebd302cfbfa 21 | -----END OpenVPN Static key V1----- 22 | -------------------------------------------------------------------------------- /sample/sample-plugins/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 7 | # 8 | # Copyright (C) 2002-2025 OpenVPN Inc 9 | # 10 | 11 | MAINTAINERCLEANFILES = \ 12 | $(srcdir)/Makefile.in 13 | 14 | AM_CPPFLAGS = -I$(top_srcdir) -I$(top_builddir) \ 15 | -I$(top_srcdir)/include -I$(top_builddir)/include 16 | 17 | # We don't want automake to pull in libtool for building these 18 | # sample-plugins. Even though this breaks the conceptual ideas 19 | # around autoconf/automake/libtools ... these sample plug-ins 20 | # are just sample code, not to be installed or distributed outside 21 | # of the source tarball. Not even built by default, by design. 
22 | # 23 | # We only add this as a simple and convenient way to build all 24 | # these plug-ins with the same build parameters as the rest 25 | # of the OpenVPN code. 26 | # 27 | # All the plugins which will be built are processed in this 28 | # separate Makefile, which disconnects everything just enough 29 | # to achieve our goal. 30 | include Makefile.plugins 31 | 32 | 33 | dist-hook : 34 | make -f Makefile.plugins clean 35 | -------------------------------------------------------------------------------- /sample/sample-plugins/Makefile.plugins: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-2.0-only 2 | # 3 | # Copyright (C) 2020-2025 OpenVPN Inc 4 | # 5 | 6 | # 7 | # Plug-ins to build - listed entries should not carry any extensions 8 | # 9 | PLUGINS = \ 10 | defer/multi-auth \ 11 | keying-material-exporter-demo/keyingmaterialexporter \ 12 | log/log log/log_v3 \ 13 | simple/base64 \ 14 | simple/simple \ 15 | client-connect/sample-client-connect 16 | 17 | # All the plugins to build - rewritten with .so extension 18 | all : $(foreach var, $(PLUGINS), $(var).so) 19 | 20 | # Do not automatically remove object files 21 | # This is a special Make setting, to avoid adding an implicit 22 | # 'rm' command on object files - due to the .c.o/%.so rules below 23 | .PRECIOUS: %.o 24 | 25 | # Compile step 26 | .c.o : 27 | test -d `dirname $@` || $(MKDIR_P) `dirname $@`; \ 28 | $(CC) -c -o $@ $(CFLAGS) $(AM_CPPFLAGS) -fPIC $< 29 | 30 | # Link step 31 | %.so : %.o 32 | $(CC) $(LDFLAGS) -shared -fPIC -o $@ $< 33 | 34 | # Clean up all build object and shared object files 35 | clean : 36 | rm -f $(foreach var, $(PLUGINS), $(var).o) \ 37 | $(foreach var, $(PLUGINS), $(var).so) 38 | -------------------------------------------------------------------------------- /sample/sample-plugins/README: -------------------------------------------------------------------------------- 1 | OpenVPN plug-in examples. 
2 | 3 | Examples provided: 4 | 5 | * authentication and logging 6 | simple/simple.c -- using the --auth-user-pass-verify callback, verify 7 | that the username/password is "foo"/"bar". 8 | defer/multi-auth.c 9 | -- using the --auth-user-pass-verify callback, 10 | test deferred authentication. Can be used to test multiple 11 | authentication plugins in the same server config. 12 | log/log.c -- Extended variant of simple/simple.c which adds more 13 | logging of what is happening inside the plug-in 14 | log/log_v3.c -- A variant of log/log.c, which makes use of the 15 | OpenVPN plug-in v3 API. This will also log even more 16 | information related to certificates in use. 17 | 18 | * client-connect (and logging) 19 | client-connect/sample-client-connect -- demonstrate how to use the 20 | CLIENT_CONNECT and CLIENT_CONNECT_V2 hooks to achieve 21 | "per client configuration / logging / ..." actions, 22 | both in synchronous and async/deferred mode 23 | 24 | * cryptography related 25 | simple/base64.c -- Example using the OpenVPN exported base64 encode/decode 26 | functions 27 | keying-material-exporter-demo/keyingmaterialexporter.c 28 | -- Example based on TLS Keying Material Exporters over HTTP [RFC-5705] 29 | (openvpn/doc/keying-material-exporter.txt). For more details, see 30 | keying-material-exporter-demo/README 31 | 32 | 33 | To build on *BSD/Linux platforms (requires GNU Make): 34 | 35 | gmake (builds a default set of plug-ins) 36 | gmake simple/simple.so 37 | 38 | To build on Windows platform (MinGW): 39 | 40 | cd simple; ./winbuild simple.so 41 | 42 | To use in OpenVPN, add to config file: 43 | 44 | plugin simple.so (Linux/BSD/etc.) 45 | plugin simple.dll 46 | -------------------------------------------------------------------------------- /sample/sample-plugins/client-connect/README: -------------------------------------------------------------------------------- 1 | OpenVPN plugin examples. 
2 | 3 | Examples provided: 4 | 5 | sample-client-connect.c 6 | 7 | - hook to all plugin hooks that openvpn offers 8 | - log which hook got called 9 | - on CLIENT_CONNECT or CLIENT_CONNECT_V2 set some config variables 10 | (controlled by "setenv plugin_cc_config ..." and "plugin_cc2_config" 11 | in openvpn's config) 12 | 13 | - if the environment variable UV_WANT_CC_FAIL is set, fail 14 | - if the environment variable UV_WANT_CC_DISABLE is set, reject ("disable") 15 | - if the environment variable UV_WANT_CC_ASYNC is set, go to 16 | asynchronous/deferred mode on CLIENT_CONNECT, and sleep for 17 | ${UV_WANT_CC_ASYNC} seconds 18 | 19 | - if the environment variable UV_WANT_CC2_FAIL is set, fail CC2 20 | - if the environment variable UV_WANT_CC2_DISABLE is set, reject ("disable") 21 | - if the environment variable UV_WANT_CC2_ASYNC is set, go to 22 | asynchronous/deferred mode on CLIENT_CONNECT_V2, and sleep for 23 | ${UV_WANT_CC2_ASYNC} seconds 24 | 25 | (this can be client-controlled with --setenv UV_WANT_CC_ASYNC nnn 26 | etc. --> for easy testing server code paths) 27 | 28 | To build for unixy platforms (not very sophisticated right now, needs gmake): 29 | 30 | .../sample-plugins$ gmake client-connect/sample-client-connect.so 31 | 32 | (This plugin has not been tested on Windows, and might not even work due 33 | to its use of fork() and wait(). Let us know if it does or needs patches) 34 | 35 | 36 | To use in OpenVPN, add to config file: 37 | 38 | plugin sample-client-connect.so (Linux/BSD/etc.) 39 | -------------------------------------------------------------------------------- /sample/sample-plugins/defer/winbuild: -------------------------------------------------------------------------------- 1 | # 2 | # Build an OpenVPN plugin module on Windows/MinGW. 3 | # The argument should be the base name of the C source file 4 | # (without the .c). 
5 | # 6 | 7 | # This directory is where we will look for openvpn-plugin.h 8 | INCLUDE="-I../../../build" 9 | 10 | CC_FLAGS="-O2 -Wall" 11 | 12 | gcc -DBUILD_DLL $CC_FLAGS $INCLUDE -c $1.c 13 | gcc --disable-stdcall-fixup -mdll -DBUILD_DLL -o junk.tmp -Wl,--base-file,base.tmp $1.o 14 | rm junk.tmp 15 | dlltool --dllname $1.dll --base-file base.tmp --output-exp temp.exp --input-def $1.def 16 | rm base.tmp 17 | gcc --enable-stdcall-fixup -mdll -DBUILD_DLL -o $1.dll $1.o -Wl,temp.exp 18 | rm temp.exp 19 | -------------------------------------------------------------------------------- /sample/sample-plugins/keying-material-exporter-demo/README: -------------------------------------------------------------------------------- 1 | OpenVPN plugin examples. Daniel Kubec 2 | 3 | Examples provided: 4 | 5 | keyingmaterialexporter.c -- Example based on TLS Keying Material Exporters over HTTP [RFC-5705] 6 | (openvpn/doc/keying-material-exporter.txt) 7 | 8 | This example demonstrates authenticating a user over HTTP who has already 9 | established an OpenVPN connection using the --keying-material-exporter 10 | feature.
11 | 12 | Requires: 13 | OpenVPN RFC-5705 Support, OpenSSL >= 1.0.1 14 | 15 | Files: 16 | http-server.py -- Example HTTP Server, listens on 0.0.0.0:8080 (all interfaces, plain HTTP -- test setups only) 17 | http-client.py -- Example HTTP Client, connects to 10.8.0.1:8080 [GET /$SESSIONID] 18 | 19 | server.ovpn -- Example HTTP SSO VPN Server configuration 20 | client.ovpn -- Example HTTP SSO VPN Client configuration 21 | 22 | keyingmaterialexporter.c, 23 | keyingmaterialexporter.so -- Example OpenVPN Client and Server plugin 24 | 25 | To build: 26 | ./build keyingmaterialexporter 27 | 28 | To use in OpenVPN: 29 | 30 | Enter the openvpn/sample/sample-plugins/keying-material-exporter-demo directory 31 | and in separate terminals, start these four processes: 32 | 33 | $ openvpn --config ./server.ovpn 34 | $ openvpn --config ./client.ovpn 35 | $ ./http-server.py 36 | $ ./http-client.py 37 | 38 | Test: 39 | 40 | openvpn --config ./server.ovpn 41 | ############################## 42 | 43 | PLUGIN SSO: app session created 44 | PLUGIN_CALL: POST ./keyingmaterialexporter.so/PLUGIN_TLS_VERIFY status=0 45 | PLUGIN SSO: app session key: a5885abc84d361803f58ede1ef9c0adf99e720cd 46 | PLUGIN SSO: app session file: /tmp/openvpn_sso_a5885abc84d361803f58ede1ef9c0adf99e720cd 47 | PLUGIN SSO: app session user: Test-Client 48 | 49 | openvpn --config ./client.ovpn 50 | ############################## 51 | PLUGIN SSO: app session created 52 | PLUGIN_CALL: POST ./keyingmaterialexporter.so/PLUGIN_TLS_VERIFY status=0 53 | PLUGIN SSO: app session key: a5885abc84d361803f58ede1ef9c0adf99e720cd 54 | PLUGIN SSO: app session file: /tmp/openvpn_sso_user 55 | PLUGIN_CALL: POST ./keyingmaterialexporter.so/PLUGIN_TLS_FINAL status=0 56 | 57 | HTTP_SERVER: 58 | http-server.py 59 | ################ 60 | http server started 61 | session file: /tmp/openvpn_sso_a5885abc84d361803f58ede1ef9c0adf99e720cd 62 | 10.8.0.1 - - [02/Apr/2015 15:03:33] "GET /a5885abc84d361803f58ede1ef9c0adf99e720cd HTTP/1.1" 200 - 63 | session user: Test-Client 64 | session key:
a5885abc84d361803f58ede1ef9c0adf99e720cd 65 | 66 | HTTP_SERVER: 67 | http-client.py 68 |

Greetings Test-Client. You are authorized

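69 | -------------------------------------------------------------------------------- /sample/sample-plugins/keying-material-exporter-demo/client.ovpn: -------------------------------------------------------------------------------- 1 | tls-client 2 | pull 3 | 4 | keying-material-exporter "EXPORTER_SSO_TEST" 16 5 | reneg-sec 0 6 | 7 | ca ../../sample-keys/ca.crt 8 | cert ../../sample-keys/client.crt 9 | key ../../sample-keys/client.key 10 | 11 | plugin ./keyingmaterialexporter.so 12 | 13 | remote 127.0.0.1 1194 14 | proto udp 15 | dev tun 16 | nobind 17 | 18 | verb 4 19 | -------------------------------------------------------------------------------- /sample/sample-plugins/keying-material-exporter-demo/http-client.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import sys 3 | import os 4 | import httplib 5 | 6 | f = '/tmp/openvpn_sso_user' 7 | with open (f, "r") as myfile: 8 | session_key = myfile.read().replace('\n', '') 9 | 10 | conn = httplib.HTTPConnection("10.8.0.1:8080") 11 | conn.request("GET", "/" + session_key) 12 | r1 = conn.getresponse() 13 | 14 | if r1.status == 200: 15 | body = r1.read().rstrip() 16 | print body 17 | elif r1.status == 404: 18 | print "Authentication failed" 19 | else: 20 | print r1.status, r1.reason 21 | -------------------------------------------------------------------------------- /sample/sample-plugins/keying-material-exporter-demo/http-server.py: --------------------------------------------------------------------------------
#!/usr/bin/python
"""Example HTTP SSO server for the keying-material-exporter demo (Python 2).

A GET for /<session key> is answered with a greeting for the user recorded in
/tmp/openvpn_sso_<session key>, or with a 404 when no such session file can
be read.
"""
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
import cgi
import os
import string

# Session files live directly under /tmp with this fixed prefix, so the
# request path is the only thing that selects which file is read.
SESSION_FILE_PREFIX = '/tmp/openvpn_sso_'


def _is_session_key(value):
    """Return True when value is a non-empty string of hex digits.

    NOTE(review): the sample output in the README shows the session key as
    lowercase hex; confirm against keyingmaterialexporter.c before relying
    on this format.
    """
    return bool(value) and all(c in string.hexdigits for c in value)


class ExampleHTTPRequestHandler(BaseHTTPRequestHandler):

    def do_GET(self):
        """Look up the session named by the request path and greet its user."""
        # basename() drops any directory part of the request path; the format
        # check keeps the lookup from resolving to other files that merely
        # share the /tmp/openvpn_sso_ prefix.
        session_key = os.path.basename(self.path)
        if not _is_session_key(session_key):
            self.send_error(404, 'authentication failed')
            return

        file = SESSION_FILE_PREFIX + session_key
        print('session file: ' + file)
        try:
            # Read the file before any response is started, so a failing
            # read still produces a clean 404 and the handle is always closed.
            with open(file) as f:
                user = f.read().rstrip()
        except IOError:
            self.send_error(404, 'authentication failed')
            return

        print('session user: ' + user)
        print('session key: ' + session_key)

        # send code 200 response
        self.send_response(200)
        # send header first ('text/html', not 'text-html')
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        # send file content to client; the user name comes from the session
        # file and is HTML-escaped before it is placed in the page.
        # NOTE(review): the HTML tags of the original literals were lost in
        # the page extraction; the wrapper below is a minimal reconstruction.
        self.wfile.write('<html><body><h1>Greetings ' + cgi.escape(user)
                         + '. You are authorized'
                         '</h1>'
                         '</body></html>')


def run():
    """Serve the example handler until the process is interrupted."""
    # ip and port of server
    # by default http server port is 80
    # '0.0.0.0' binds every interface of the host; the demo client connects
    # to 10.8.0.1:8080 (see README), so a narrower bind address is possible.
    server_address = ('0.0.0.0', 8080)
    httpd = HTTPServer(server_address, ExampleHTTPRequestHandler)
    print('http server started')
    httpd.serve_forever()
    print('http server stopped')


if __name__ == '__main__':
    run()
-------------------------------------------------------------------------------- /sample/sample-plugins/keying-material-exporter-demo/server.ovpn: -------------------------------------------------------------------------------- 1 | tls-server 2 | reneg-sec 0 3 | 4 | keying-material-exporter "EXPORTER_SSO_TEST" 16 5 | duplicate-cn 6 | 7 | plugin ./keyingmaterialexporter.so 8 | ca ../../sample-keys/ca.crt 9 | cert ../../sample-keys/server.crt 10 | key ../../sample-keys/server.key 11 | dh ../../sample-keys/dh2048.pem 12 | 13 | server 10.8.0.0 255.255.255.0 14 | port 1194 15 | proto udp 16 | dev tun 17 | 18 | verb 4 19 | -------------------------------------------------------------------------------- /sample/sample-plugins/log/winbuild: -------------------------------------------------------------------------------- 1 | # 2 | # Build an OpenVPN plugin module on Windows/MinGW. 3 | # The argument should be the base name of the C source file 4 | # (without the .c).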
5 | # 6 | 7 | # This directory is where we will look for openvpn-plugin.h 8 | INCLUDE="-I../../../include" 9 | 10 | CC_FLAGS="-O2 -Wall" 11 | 12 | gcc -DBUILD_DLL $CC_FLAGS $INCLUDE -c $1.c 13 | gcc --disable-stdcall-fixup -mdll -DBUILD_DLL -o junk.tmp -Wl,--base-file,base.tmp $1.o 14 | rm junk.tmp 15 | dlltool --dllname $1.dll --base-file base.tmp --output-exp temp.exp --input-def $1.def 16 | rm base.tmp 17 | gcc --enable-stdcall-fixup -mdll -DBUILD_DLL -o $1.dll $1.o -Wl,temp.exp 18 | rm temp.exp 19 | -------------------------------------------------------------------------------- /sample/sample-plugins/simple/simple.def: -------------------------------------------------------------------------------- 1 | LIBRARY OpenVPN_PLUGIN_SAMPLE 2 | DESCRIPTION "Sample OpenVPN plug-in module." 3 | EXPORTS 4 | openvpn_plugin_open_v1 @1 5 | openvpn_plugin_func_v1 @2 6 | openvpn_plugin_close_v1 @3 7 | -------------------------------------------------------------------------------- /sample/sample-plugins/simple/winbuild: -------------------------------------------------------------------------------- 1 | # 2 | # Build an OpenVPN plugin module on Windows/MinGW. 3 | # The argument should be the base name of the C source file 4 | # (without the .c). 
5 | # 6 | 7 | # This directory is where we will look for openvpn-plugin.h 8 | INCLUDE="-I../../../include" 9 | 10 | CC_FLAGS="-O2 -Wall" 11 | 12 | gcc -DBUILD_DLL $CC_FLAGS $INCLUDE -c $1.c 13 | gcc --disable-stdcall-fixup -mdll -DBUILD_DLL -o junk.tmp -Wl,--base-file,base.tmp $1.o 14 | rm junk.tmp 15 | dlltool --dllname $1.dll --base-file base.tmp --output-exp temp.exp --input-def $1.def 16 | rm base.tmp 17 | gcc --enable-stdcall-fixup -mdll -DBUILD_DLL -o $1.dll $1.o -Wl,temp.exp 18 | rm temp.exp 19 | -------------------------------------------------------------------------------- /sample/sample-scripts/bridge-start: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | ################################# 4 | # Set up Ethernet bridge on Linux 5 | # Requires: bridge-utils 6 | ################################# 7 | 8 | # Define Bridge Interface 9 | br="br0" 10 | 11 | # Define list of TAP interfaces to be bridged, 12 | # for example tap="tap0 tap1 tap2". 13 | tap="tap0" 14 | 15 | # Define physical ethernet interface to be bridged 16 | # with TAP interface(s) above. 
17 | eth="eth0" 18 | eth_ip="192.168.8.4" 19 | eth_netmask="255.255.255.0" 20 | eth_broadcast="192.168.8.255" 21 | 22 | for t in $tap; do 23 | openvpn --mktun --dev $t 24 | done 25 | 26 | brctl addbr $br 27 | brctl addif $br $eth 28 | 29 | for t in $tap; do 30 | brctl addif $br $t 31 | done 32 | 33 | for t in $tap; do 34 | ifconfig $t 0.0.0.0 promisc up 35 | done 36 | 37 | ifconfig $eth 0.0.0.0 promisc up 38 | 39 | ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast 40 | -------------------------------------------------------------------------------- /sample/sample-scripts/bridge-stop: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | #################################### 4 | # Tear Down Ethernet bridge on Linux 5 | #################################### 6 | 7 | # Define Bridge Interface 8 | br="br0" 9 | 10 | # Define list of TAP interfaces to be bridged together 11 | tap="tap0" 12 | 13 | ifconfig $br down 14 | brctl delbr $br 15 | 16 | for t in $tap; do 17 | openvpn --rmtun --dev $t 18 | done 19 | -------------------------------------------------------------------------------- /sample/sample-scripts/ucn.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl -t 2 | 3 | # OpenVPN --auth-user-pass-verify script. 4 | # Only authenticate if username equals common_name. 
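5 | # In OpenVPN config file: 6 | # auth-user-pass-verify ./ucn.pl via-env 7 | 8 | $username = $ENV{'username'}; 9 | $common_name = $ENV{'common_name'}; 10 | 11 | exit !(length($username) > 0 && length($common_name) > 0 && $username eq $common_name); 12 | -------------------------------------------------------------------------------- /sample/sample-scripts/verify-cn: --------------------------------------------------------------------------------
#!/usr/bin/perl

# verify-cn -- a sample OpenVPN tls-verify script
#
# Return 0 if cn matches the common name component of
# subject, 1 otherwise.
#
# For example in OpenVPN, you could use the directive:
#
#   tls-verify "./verify-cn /etc/openvpn/allowed_clients"
#
# This would cause the connection to be dropped unless
# the client common name is listed on a line in the
# allowed_clients file.

die "usage: verify-cn cnfile certificate_depth subject" if (@ARGV != 3);

# Parse out arguments:
#   cnfile -- The file containing the list of common names, one per
#             line, which the client is required to have,
#             taken from the argument to the tls-verify directive
#             in the OpenVPN config file.
#             The file can have blank lines and comment lines that begin
#             with the # character.
#   depth  -- The current certificate chain depth.  In a typical
#             bi-level chain, the root certificate will be at level
#             1 and the client certificate will be at level 0.
#             This script will be called separately for each level.
#   x509   -- the X509 subject string as extracted by OpenVPN from
#             the client's provided certificate.
my ($cnfile, $depth, $x509) = @ARGV;

if ($depth == 0) {
    # If depth is zero, we know that this is the final
    # certificate in the chain (i.e. the client certificate),
    # and the one we are interested in examining.
    # If so, parse out the common name substring in
    # the X509 subject string.
    #
    # NOTE(review): the pattern expects "CN=" to be preceded by a space and
    # the value to end at the next comma; confirm that this matches the
    # subject format your OpenVPN build passes to tls-verify.
    if ($x509 =~ / CN=([^,]+)/) {
        my $cn = $1;

        # Accept the connection if the X509 common name
        # string matches a line of the cnfile.
        open(my $fh, '<', $cnfile) or exit 1; # can't open, nobody authenticates!
        while (defined(my $line = <$fh>)) {
            # Skip blank lines and comment lines.
            next if $line =~ /^[[:space:]]*(#|$)/;

            # Strip only the line terminator.  chop() removed the last
            # character unconditionally, so an entry on a final line
            # without a trailing newline was compared in truncated form
            # and a different (shorter) common name was accepted instead.
            $line =~ s/\r?\n\z//;

            if ($line eq $cn) {
                close($fh);
                exit 0;
            }
        }
        close($fh);
    }

    # Authentication failed -- Either we could not parse
    # the X509 subject string, or the common name in the
    # subject string didn't match any line of the cnfile.
    exit 1;
}

# If depth is nonzero, tell OpenVPN to continue processing
# the certificate chain.
exit 0;
-------------------------------------------------------------------------------- /src/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 7 | # 8 | # Copyright (C) 2002-2025 OpenVPN Inc 9 | # Copyright (C) 2006-2012 Alon Bar-Lev 10 | # 11 | 12 | MAINTAINERCLEANFILES = \ 13 | $(srcdir)/Makefile.in 14 | 15 | SUBDIRS = compat openvpn openvpnmsica openvpnserv plugins tapctl 16 | -------------------------------------------------------------------------------- /src/compat/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression.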
7 | # 8 | # Copyright (C) 2002-2025 OpenVPN Inc 9 | # Copyright (C) 2006-2012 Alon Bar-Lev 10 | # 11 | 12 | MAINTAINERCLEANFILES = \ 13 | $(srcdir)/Makefile.in 14 | 15 | noinst_LTLIBRARIES = libcompat.la 16 | 17 | libcompat_la_SOURCES = \ 18 | compat.h \ 19 | compat-dirname.c \ 20 | compat-basename.c \ 21 | compat-gettimeofday.c \ 22 | compat-daemon.c \ 23 | compat-strsep.c -------------------------------------------------------------------------------- /src/compat/compat-basename.c: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2011 - David Sommerseth 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
22 | */ 23 | 24 | #ifdef HAVE_CONFIG_H 25 | #include "config.h" 26 | #endif 27 | 28 | #ifndef HAVE_BASENAME 29 | 30 | #include "compat.h" 31 | #include 32 | 33 | /* Modified version based on glibc-2.14.1 by Roland McGrath 34 | * This version is extended to handle both / and \ in path names 35 | */ 36 | char * 37 | basename(char *filename) 38 | { 39 | char *p = strrchr(filename, '/'); 40 | if (!p) 41 | { 42 | /* If NULL, check for \ instead ... might be Windows a path */ 43 | p = strrchr(filename, '\\'); 44 | } 45 | return p ? p + 1 : (char *) filename; 46 | } 47 | 48 | #endif /* HAVE_BASENAME */ 49 | -------------------------------------------------------------------------------- /src/compat/compat-strsep.c: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2019-2025 Arne Schwabe 9 | * Copyright (C) 1992-2019 Free Software Foundation, Inc. 10 | * 11 | * This program is free software; you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License version 2 13 | * as published by the Free Software Foundation. 14 | * 15 | * This program is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU General Public License along 21 | * with this program; if not, write to the Free Software Foundation, Inc., 22 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
23 | */ 24 | 25 | #ifdef HAVE_CONFIG_H 26 | #include "config.h" 27 | #endif 28 | 29 | #ifndef HAVE_STRSEP 30 | #include 31 | 32 | /* 33 | * Modified version based on the glibc 34 | */ 35 | char * 36 | strsep(char **stringp, const char *delim) 37 | { 38 | char *begin, *end; 39 | begin = *stringp; 40 | if (begin == NULL) 41 | { 42 | return NULL; 43 | } 44 | /* Find the end of the token. */ 45 | end = begin + strcspn(begin, delim); 46 | if (*end) 47 | { 48 | /* Terminate the token and set *STRINGP past NUL character. */ 49 | *end++ = '\0'; 50 | *stringp = end; 51 | } 52 | else 53 | { 54 | /* No more delimiters; this is the last token. */ 55 | *stringp = NULL; 56 | } 57 | return begin; 58 | } 59 | #endif /* ifndef HAVE_STRSEP */ 60 | -------------------------------------------------------------------------------- /src/compat/compat.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2011 - David Sommerseth 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
22 | */ 23 | 24 | #ifndef COMPAT_H 25 | #define COMPAT_H 26 | 27 | #ifdef _WIN32 28 | #include 29 | #include 30 | #endif 31 | 32 | #ifdef HAVE_SYS_TIME_H 33 | #include 34 | #endif 35 | 36 | #ifdef HAVE_SYS_SOCKET_H 37 | #include 38 | #endif 39 | 40 | #ifndef HAVE_DIRNAME 41 | char *dirname(char *str); 42 | 43 | #endif /* HAVE_DIRNAME */ 44 | 45 | #ifndef HAVE_BASENAME 46 | char *basename(char *str); 47 | 48 | #endif /* HAVE_BASENAME */ 49 | 50 | #ifndef HAVE_GETTIMEOFDAY 51 | int gettimeofday(struct timeval *tv, void *tz); 52 | 53 | #endif 54 | 55 | #ifndef HAVE_DAEMON 56 | int daemon(int nochdir, int noclose); 57 | 58 | #endif 59 | 60 | #ifndef HAVE_STRSEP 61 | char *strsep(char **stringp, const char *delim); 62 | 63 | #endif 64 | 65 | #endif /* COMPAT_H */ 66 | -------------------------------------------------------------------------------- /src/openvpn/argv.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2025 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
22 | * 23 | * 24 | * A printf-like function (that only recognizes a subset of standard printf 25 | * format operators) that prints arguments to an argv list instead 26 | * of a standard string. This is used to build up argv arrays for passing 27 | * to execve. 28 | */ 29 | 30 | #ifndef ARGV_H 31 | #define ARGV_H 32 | 33 | #include "buffer.h" 34 | 35 | struct argv { 36 | struct gc_arena gc; 37 | size_t capacity; 38 | size_t argc; 39 | char **argv; 40 | }; 41 | 42 | struct argv argv_new(void); 43 | 44 | void argv_free(struct argv *a); 45 | 46 | const char *argv_str(const struct argv *a, struct gc_arena *gc, const unsigned int flags); 47 | 48 | struct argv argv_insert_head(const struct argv *a, const char *head); 49 | 50 | void argv_msg(const int msglev, const struct argv *a); 51 | 52 | void argv_msg_prefix(const int msglev, const struct argv *a, const char *prefix); 53 | 54 | void argv_parse_cmd(struct argv *a, const char *s); 55 | 56 | bool argv_printf(struct argv *a, const char *format, ...) 57 | #ifdef __GNUC__ 58 | #if __USE_MINGW_ANSI_STDIO 59 | __attribute__ ((format(gnu_printf, 2, 3))) 60 | #else 61 | __attribute__ ((format(__printf__, 2, 3))) 62 | #endif 63 | #endif 64 | ; 65 | 66 | bool argv_printf_cat(struct argv *a, const char *format, ...) 67 | #ifdef __GNUC__ 68 | #if __USE_MINGW_ANSI_STDIO 69 | __attribute__ ((format(gnu_printf, 2, 3))) 70 | #else 71 | __attribute__ ((format(__printf__, 2, 3))) 72 | #endif 73 | #endif 74 | ; 75 | 76 | #endif /* ifndef ARGV_H */ 77 | -------------------------------------------------------------------------------- /src/openvpn/base64.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 3 | * (Royal Institute of Technology, Stockholm, Sweden). 4 | * All rights reserved. 
5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions 8 | * are met: 9 | * 10 | * 1. Redistributions of source code must retain the above copyright 11 | * notice, this list of conditions and the following disclaimer. 12 | * 13 | * 2. Redistributions in binary form must reproduce the above copyright 14 | * notice, this list of conditions and the following disclaimer in the 15 | * documentation and/or other materials provided with the distribution. 16 | * 17 | * 3. Neither the name of the Institute nor the names of its contributors 18 | * may be used to endorse or promote products derived from this software 19 | * without specific prior written permission. 20 | * 21 | * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 | * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 | * SUCH DAMAGE. 32 | */ 33 | 34 | #ifndef _BASE64_H_ 35 | #define _BASE64_H_ 36 | 37 | /** Compute resulting base64 length. 6 bits per byte, padded to 4 bytes. */ 38 | #define OPENVPN_BASE64_LENGTH(binary_length) \ 39 | ((((8 * binary_length) / 6) + 3) & ~3) 40 | 41 | /** Compute the maximal number of bytes encoded in a base64 string. 
*/ 42 | #define OPENVPN_BASE64_DECODED_LENGTH(base64_length) \ 43 | ((base64_length / 4) * 3) 44 | 45 | int openvpn_base64_encode(const void *data, int size, char **str); 46 | 47 | int openvpn_base64_decode(const char *str, void *data, int size); 48 | 49 | #endif 50 | -------------------------------------------------------------------------------- /src/openvpn/basic.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2025 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 22 | */ 23 | 24 | #ifndef BASIC_H 25 | #define BASIC_H 26 | 27 | #define BOOL_CAST(x) ((x) ? 
(true) : (false)) 28 | 29 | /* size of an array */ 30 | #define SIZE(x) (sizeof(x)/sizeof(x[0])) 31 | 32 | /* clear an object (may be optimized away, use secure_memzero() to erase secrets) */ 33 | #define CLEAR(x) memset(&(x), 0, sizeof(x)) 34 | 35 | #define IPV4_NETMASK_HOST 0xffffffffU 36 | 37 | #endif 38 | -------------------------------------------------------------------------------- /src/openvpn/clinat.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2025 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
22 | */ 23 | 24 | #if !defined(CLINAT_H) 25 | #define CLINAT_H 26 | 27 | #include "buffer.h" 28 | 29 | #define MAX_CLIENT_NAT 64 30 | 31 | #define CN_OUTGOING 0 32 | #define CN_INCOMING 1 33 | 34 | struct client_nat_entry { 35 | #define CN_SNAT 0 36 | #define CN_DNAT 1 37 | int type; 38 | in_addr_t network; 39 | in_addr_t netmask; 40 | in_addr_t foreign_network; 41 | }; 42 | 43 | struct client_nat_option_list { 44 | int n; 45 | struct client_nat_entry entries[MAX_CLIENT_NAT]; 46 | }; 47 | 48 | struct client_nat_option_list *new_client_nat_list(struct gc_arena *gc); 49 | 50 | struct client_nat_option_list *clone_client_nat_option_list(const struct client_nat_option_list *src, struct gc_arena *gc); 51 | 52 | void copy_client_nat_option_list(struct client_nat_option_list *dest, const struct client_nat_option_list *src); 53 | 54 | void print_client_nat_list(const struct client_nat_option_list *list, int msglevel); 55 | 56 | void add_client_nat_to_option_list(struct client_nat_option_list *dest, 57 | const char *type, 58 | const char *network, 59 | const char *netmask, 60 | const char *foreign_network, 61 | int msglevel); 62 | 63 | void client_nat_transform(const struct client_nat_option_list *list, 64 | struct buffer *ipbuf, 65 | const int direction); 66 | 67 | #endif /* if !defined(CLINAT_H) */ 68 | -------------------------------------------------------------------------------- /src/openvpn/comp-lz4.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 
7 | * 8 | * Copyright (C) 2002-2025 OpenVPN Inc 9 | * Copyright (C) 2013-2025 Gert Doering 10 | * 11 | * This program is free software; you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License version 2 13 | * as published by the Free Software Foundation. 14 | * 15 | * This program is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU General Public License along 21 | * with this program; if not, write to the Free Software Foundation, Inc., 22 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | */ 24 | 25 | #ifndef OPENVPN_COMP_LZ4_H 26 | #define OPENVPN_COMP_LZ4_H 27 | 28 | #if defined(ENABLE_LZ4) 29 | 30 | #include "buffer.h" 31 | 32 | extern const struct compress_alg lz4_alg; 33 | extern const struct compress_alg lz4v2_alg; 34 | 35 | struct lz4_workspace 36 | { 37 | int dummy; 38 | }; 39 | 40 | #endif /* ENABLE_LZ4 */ 41 | #endif 42 | -------------------------------------------------------------------------------- /src/openvpn/cryptoapi.h: -------------------------------------------------------------------------------- 1 | #ifndef _CRYPTOAPI_H_ 2 | #define _CRYPTOAPI_H_ 3 | 4 | int SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop); 5 | 6 | 7 | #endif /* !_CRYPTOAPI_H_ */ 8 | -------------------------------------------------------------------------------- /src/openvpn/dco_freebsd.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Interface to FreeBSD dco networking code 3 | * 4 | * Copyright (C) 2022 Rubicon Communications, LLC (Netgate). All Rights Reserved. 
5 | * 6 | * This program is free software; you can redistribute it and/or modify 7 | * it under the terms of the GNU General Public License version 2 8 | * as published by the Free Software Foundation. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program (see the file COPYING included with this 17 | * distribution); if not, write to the Free Software Foundation, Inc., 18 | * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 | */ 20 | #ifndef DCO_FREEBSD_H 21 | #define DCO_FREEBSD_H 22 | 23 | #if defined(ENABLE_DCO) && defined(TARGET_FREEBSD) 24 | 25 | #include "buffer.h" 26 | #include "event.h" 27 | 28 | #include "ovpn_dco_freebsd.h" 29 | 30 | #define DCO_IROUTE_METRIC 100 31 | 32 | typedef enum ovpn_key_slot dco_key_slot_t; 33 | typedef enum ovpn_key_cipher dco_cipher_t; 34 | 35 | enum ovpn_message_type_t { 36 | OVPN_CMD_DEL_PEER, 37 | OVPN_CMD_PACKET, 38 | OVPN_CMD_SWAP_KEYS, 39 | }; 40 | 41 | enum ovpn_del_reason_t { 42 | OVPN_DEL_PEER_REASON_EXPIRED, 43 | OVPN_DEL_PEER_REASON_TRANSPORT_ERROR, 44 | OVPN_DEL_PEER_REASON_USERSPACE, 45 | OVPN_DEL_PEER_REASON_TRANSPORT_DISCONNECT, 46 | }; 47 | 48 | typedef struct dco_context { 49 | bool open; 50 | int fd; 51 | int pipefd[2]; 52 | 53 | char ifname[IFNAMSIZ]; 54 | 55 | int dco_message_type; 56 | int dco_message_peer_id; 57 | int dco_del_peer_reason; 58 | uint64_t dco_read_bytes; 59 | uint64_t dco_write_bytes; 60 | } dco_context_t; 61 | 62 | #endif /* defined(ENABLE_DCO) && defined(TARGET_FREEBSD) */ 63 | #endif /* ifndef DCO_FREEBSD_H */ 64 | -------------------------------------------------------------------------------- /src/openvpn/dco_linux.h: 
-------------------------------------------------------------------------------- 1 | /* 2 | * Interface to linux dco networking code 3 | * 4 | * Copyright (C) 2020-2025 Antonio Quartulli 5 | * Copyright (C) 2020-2025 Arne Schwabe 6 | * Copyright (C) 2020-2025 OpenVPN Inc 7 | * 8 | * This program is free software; you can redistribute it and/or modify 9 | * it under the terms of the GNU General Public License version 2 10 | * as published by the Free Software Foundation. 11 | * 12 | * This program is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License 18 | * along with this program (see the file COPYING included with this 19 | * distribution); if not, write to the Free Software Foundation, Inc., 20 | * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 21 | */ 22 | #ifndef DCO_LINUX_H 23 | #define DCO_LINUX_H 24 | 25 | #if defined(ENABLE_DCO) && defined(TARGET_LINUX) 26 | 27 | #include "event.h" 28 | 29 | #include "ovpn_dco_linux.h" 30 | 31 | #include 32 | #include 33 | 34 | /* Defines to avoid mismatching with other platforms */ 35 | #define OVPN_CMD_DEL_PEER OVPN_CMD_PEER_DEL_NTF 36 | #define OVPN_CMD_SWAP_KEYS OVPN_CMD_KEY_SWAP_NTF 37 | 38 | typedef enum ovpn_key_slot dco_key_slot_t; 39 | typedef enum ovpn_cipher_alg dco_cipher_t; 40 | 41 | /* OVPN section */ 42 | 43 | enum ovpn_mode { 44 | OVPN_MODE_P2P, 45 | OVPN_MODE_MP, 46 | }; 47 | 48 | enum ovpn_ifla_attrs { 49 | IFLA_OVPN_UNSPEC = 0, 50 | IFLA_OVPN_MODE, 51 | 52 | __IFLA_OVPN_AFTER_LAST, 53 | IFLA_OVPN_MAX = __IFLA_OVPN_AFTER_LAST - 1, 54 | }; 55 | 56 | typedef struct 57 | { 58 | struct nl_sock *nl_sock; 59 | struct nl_cb *nl_cb; 60 | int status; 61 | 62 | enum ovpn_mode ifmode; 63 | 64 | int ovpn_dco_id; 65 | int ovpn_dco_mcast_id; 66 | 67 | 
unsigned int ifindex; 68 | 69 | int dco_message_type; 70 | int dco_message_peer_id; 71 | int dco_message_key_id; 72 | int dco_del_peer_reason; 73 | uint64_t dco_read_bytes; 74 | uint64_t dco_write_bytes; 75 | } dco_context_t; 76 | 77 | #endif /* defined(ENABLE_DCO) && defined(TARGET_LINUX) */ 78 | #endif /* ifndef DCO_LINUX_H */ 79 | -------------------------------------------------------------------------------- /src/openvpn/fdmisc.c: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2025 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
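*/

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#include "syshead.h"

#include "fdmisc.h"
#include "error.h"

#include "memdbg.h"

/*
 * Put a descriptor into non-blocking mode.
 *
 * Windows: ioctlsocket(FIONBIO) with a non-zero argument.
 * Elsewhere: fcntl(F_SETFL) with O_NONBLOCK added to the current flags.
 *
 * Returns true on success, false if the underlying call failed.
 */
bool
set_nonblock_action(socket_descriptor_t fd)
{
#ifdef _WIN32
    u_long arg = 1;
    if (ioctlsocket(fd, FIONBIO, &arg))
    {
        return false;
    }
#else /* ifdef _WIN32 */
    /* F_SETFL replaces the whole set of file status flags, so read the
     * current value first and OR O_NONBLOCK into it; passing O_NONBLOCK
     * alone would silently clear flags such as O_APPEND. */
    const int status_flags = fcntl(fd, F_GETFL);
    if (status_flags < 0 || fcntl(fd, F_SETFL, status_flags | O_NONBLOCK) < 0)
    {
        return false;
    }
#endif
    return true;
}

/*
 * Mark a descriptor close-on-exec so it is not passed across execs.
 *
 * A descriptor without FD_CLOEXEC stays open in every program this
 * process later exec()s, so the child inherits access to it.
 * On Windows this function does nothing and reports success.
 *
 * Returns true on success, false if fcntl() failed.
 */
bool
set_cloexec_action(socket_descriptor_t fd)
{
#ifndef _WIN32
    /* Read-modify-write so that any other descriptor flag is preserved. */
    const int fd_flags = fcntl(fd, F_GETFD);
    if (fd_flags < 0 || fcntl(fd, F_SETFD, fd_flags | FD_CLOEXEC) < 0)
    {
        return false;
    }
#endif
    return true;
}

/*
 * Set a file descriptor to non-blocking; a failure is reported through
 * msg(M_ERR, ...).
 * NOTE(review): M_ERR is presumably fatal (see error.h) - confirm.
 */
void
set_nonblock(socket_descriptor_t fd)
{
    if (!set_nonblock_action(fd))
    {
        msg(M_ERR, "Set socket to non-blocking mode failed");
    }
}

/*
 * Set a file descriptor to not be passed across execs; a failure is
 * reported through msg(M_ERR, ...).
 * NOTE(review): M_ERR is presumably fatal (see error.h) - confirm.
 */
void
set_cloexec(socket_descriptor_t fd)
{
    if (!set_cloexec_action(fd))
    {
        msg(M_ERR, "Set FD_CLOEXEC flag on file descriptor failed");
    }
}

--------------------------------------------------------------------------------
/src/openvpn/fdmisc.h:
--------------------------------------------------------------------------------
/*
 *  OpenVPN -- An application to securely tunnel IP networks
 *             over a single UDP port, with support for SSL/TLS-based
 *             session authentication and key exchange,
 *             packet encryption, packet authentication, and
 *             packet compression.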
*
 *  Copyright (C) 2002-2025 OpenVPN Inc
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2
 *  as published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

#ifndef FD_MISC_H
#define FD_MISC_H

#include "basic.h"
#include "error.h"
#include "syshead.h"

bool set_nonblock_action(socket_descriptor_t fd);

bool set_cloexec_action(socket_descriptor_t fd);

void set_nonblock(socket_descriptor_t fd);

void set_cloexec(socket_descriptor_t fd);

/*
 * Checked replacement for FD_SET().
 *
 * An fd_set has room for descriptors 0 .. FD_SETSIZE-1 only, and FD_SET()
 * itself does no range check, so a descriptor outside that range would be
 * written outside the set.  The ASSERT stops that before the bit is set.
 * The check is skipped on Windows, whose FD_SET() implementation does not
 * overflow.
 */
static inline void
openvpn_fd_set(socket_descriptor_t fd, fd_set *setp)
{
#if !defined(_WIN32)
    ASSERT(fd >= 0 && fd < FD_SETSIZE);
#endif
    FD_SET(fd, setp);
}
/* From here on FD_SET() is gone, so code including this header has to go
 * through openvpn_fd_set() and cannot bypass the range check. */
#undef FD_SET /* prevent direct use of FD_SET() */

#endif /* FD_MISC_H */

--------------------------------------------------------------------------------
/src/openvpn/helper.h:
--------------------------------------------------------------------------------
/*
 *  OpenVPN -- An application to securely tunnel IP networks
 *             over a single TCP/UDP port, with support for SSL/TLS-based
 *             session authentication and key exchange,
 *             packet encryption, packet authentication, and
 *             packet compression.
7 | * 8 | * Copyright (C) 2002-2025 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 22 | */ 23 | 24 | /* 25 | * Process helper directives such as server, client, and keepalive. 26 | */ 27 | 28 | #ifndef HELPER_H 29 | #define HELPER_H 30 | 31 | #include "options.h" 32 | 33 | void helper_setdefault_topology(struct options *o); 34 | 35 | void helper_keepalive(struct options *o); 36 | 37 | void helper_client_server(struct options *o); 38 | 39 | void helper_tcp_nodelay(struct options *o); 40 | 41 | #endif 42 | -------------------------------------------------------------------------------- /src/openvpn/httpdigest.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2025 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 
13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 22 | */ 23 | 24 | #if PROXY_DIGEST_AUTH 25 | 26 | #define HASHLEN 16 27 | typedef unsigned char HASH[HASHLEN]; 28 | #define HASHHEXLEN 32 29 | typedef unsigned char HASHHEX[HASHHEXLEN+1]; 30 | #undef IN 31 | #undef OUT 32 | #define IN const 33 | #define OUT 34 | 35 | /* calculate H(A1) as per HTTP Digest spec */ 36 | void DigestCalcHA1( 37 | IN char *pszAlg, 38 | IN char *pszUserName, 39 | IN char *pszRealm, 40 | IN char *pszPassword, 41 | IN char *pszNonce, 42 | IN char *pszCNonce, 43 | OUT HASHHEX SessionKey 44 | ); 45 | 46 | /* calculate request-digest/response-digest as per HTTP Digest spec */ 47 | void DigestCalcResponse( 48 | IN HASHHEX HA1, /* H(A1) */ 49 | IN char *pszNonce, /* nonce from server */ 50 | IN char *pszNonceCount, /* 8 hex digits */ 51 | IN char *pszCNonce, /* client nonce */ 52 | IN char *pszQop, /* qop-value: "", "auth", "auth-int" */ 53 | IN char *pszMethod, /* method from the request */ 54 | IN char *pszDigestUri, /* requested URL */ 55 | IN HASHHEX HEntity, /* H(entity body) if qop="auth-int" */ 56 | OUT HASHHEX Response /* request-digest or response-digest */ 57 | ); 58 | 59 | #endif /* if PROXY_DIGEST_AUTH */ 60 | -------------------------------------------------------------------------------- /src/openvpn/interval.c: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session 
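authentication and key exchange,
 *             packet encryption, packet authentication, and
 *             packet compression.
 *
 *  Copyright (C) 2002-2025 OpenVPN Inc
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2
 *  as published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#include "syshead.h"

#include "interval.h"

#include "memdbg.h"

/*
 * Zero *top and store the given horizon and refresh values in it.
 */
void
interval_init(struct interval *top, int horizon, int refresh)
{
    CLEAR(*top);
    top->refresh = refresh;
    top->horizon = horizon;
}

/*
 * Check whether the timeout et has expired and lower *tv if needed.
 *
 * et              timeout to test; if et->defined is false the function
 *                 returns false without touching tv
 * tv              optional; when non-NULL and the computed wakeup is
 *                 smaller than tv->tv_sec, tv is set to wakeup seconds
 *                 and 0 microseconds
 * et_const_retry  when negative, an expired timeout is restarted
 *                 (et->last = now, next wakeup in et->n) and true is
 *                 returned; otherwise an expired timeout is not restarted
 *                 and et_const_retry is used as the next wakeup
 *
 * Returns true only when the timeout had expired and was restarted.
 */
bool
event_timeout_trigger(struct event_timeout *et,
                      struct timeval *tv,
                      const int et_const_retry)
{
    if (!et->defined)
    {
        return false;
    }

    bool ret = false;
    time_t wakeup = event_timeout_remaining(et);

    if (wakeup <= 0)
    {
#if INTERVAL_DEBUG
        dmsg(D_INTERVAL, "EVENT event_timeout_trigger (%d) etcr=%d", et->n,
             et_const_retry);
#endif
        if (et_const_retry < 0)
        {
            et->last = now;
            wakeup = et->n;
            ret = true;
        }
        else
        {
            wakeup = et_const_retry;
        }
    }

    if (tv && wakeup < tv->tv_sec)
    {
#if INTERVAL_DEBUG
        dmsg(D_INTERVAL, "EVENT event_timeout_wakeup (%d/%d) etcr=%d",
             (int) wakeup, et->n, et_const_retry);
#endif
        tv->tv_sec = wakeup;
        tv->tv_usec = 0;
    }
    return ret;
}

--------------------------------------------------------------------------------
/src/openvpn/lladdr.c:
--------------------------------------------------------------------------------
/*
 * Support routine for configuring link layer address
 */

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#include "syshead.h"
#include "error.h"
#include "misc.h"
#include "run_command.h"
#include "lladdr.h"
#include "proto.h"

/*
 * Set the link layer (MAC) address of interface ifname to lladdr.
 *
 * Linux: lladdr is parsed into OPENVPN_ETH_ALEN bytes and handed to
 * net_addr_ll_set().  Solaris, OpenBSD, Darwin and FreeBSD: the ifconfig
 * binary at IFCONFIG_PATH is run with ifname and lladdr as arguments.
 * NOTE(review): ifname and lladdr are presumably validated where the
 * option is parsed - confirm, since they reach an external command here.
 *
 * Returns -1 when ifname or lladdr is NULL or the platform is not
 * supported; otherwise non-zero when the address was set and 0 when
 * setting it failed.
 */
int
set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr,
           const struct env_set *es)
{
    int r;

    if (!ifname || !lladdr)
    {
        return -1;
    }

#if defined(TARGET_LINUX)
    uint8_t addr[OPENVPN_ETH_ALEN] = { 0 };

    /* Only use addr when every octet was converted; an unchecked sscanf()
     * would leave part of the array unset on a malformed string and that
     * would then be programmed into the interface.
     * Assumes MAC_FMT / MAC_SCAN_ARG convert one byte per octet - confirm
     * against their definitions. */
    if (sscanf(lladdr, MAC_FMT, MAC_SCAN_ARG(addr)) == OPENVPN_ETH_ALEN)
    {
        r = (net_addr_ll_set(ctx, ifname, addr) == 0);
    }
    else
    {
        msg(M_WARN, "ERROR: Unable to parse link layer address '%s'.", lladdr);
        r = 0;
    }
#else /* if defined(TARGET_LINUX) */
    struct argv argv = argv_new();
#if defined(TARGET_SOLARIS)
    argv_printf(&argv,
                "%s %s ether %s",
                IFCONFIG_PATH,
                ifname, lladdr);
#elif defined(TARGET_OPENBSD)
    argv_printf(&argv,
                "%s %s lladdr %s",
                IFCONFIG_PATH,
                ifname, lladdr);
#elif defined(TARGET_DARWIN)
    argv_printf(&argv,
                "%s %s lladdr %s",
                IFCONFIG_PATH,
                ifname, lladdr);
#elif defined(TARGET_FREEBSD)
    argv_printf(&argv,
                "%s %s ether %s",
                IFCONFIG_PATH,
                ifname, lladdr);
#else /* if defined(TARGET_SOLARIS) */
    msg(M_WARN, "Sorry, but I don't know how to configure link layer addresses on this operating system.");
    /* release the argv created above before leaving early */
    argv_free(&argv);
    return -1;
#endif /* if defined(TARGET_SOLARIS) */
    argv_msg(M_INFO, &argv);
    r = openvpn_execve_check(&argv, es, M_WARN, "ERROR: Unable to set link layer address.");
    argv_free(&argv);
#endif /* if defined(TARGET_LINUX) */

    if (r)
    {
        msg(M_INFO, "TUN/TAP link layer address set to %s", lladdr);
    }

    return r;
}

--------------------------------------------------------------------------------
/src/openvpn/lladdr.h:
--------------------------------------------------------------------------------
/*
 * Support routine for configuring link layer address
 */

#include "misc.h"
#include "networking.h"

int set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr,
               const struct env_set *es);

--------------------------------------------------------------------------------
/src/openvpn/mss.h:
--------------------------------------------------------------------------------
/*
 *  OpenVPN -- An application to securely tunnel IP networks
 *             over a single TCP/UDP port, with support for SSL/TLS-based
 *             session authentication and key exchange,
 *             packet encryption, packet authentication, and
 *             packet compression.
 *
 *  Copyright (C) 2002-2025 OpenVPN Inc
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2
 *  as published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.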
22 | */ 23 | 24 | #ifndef MSS_H 25 | #define MSS_H 26 | 27 | #include "proto.h" 28 | #include "error.h" 29 | #include "mtu.h" 30 | #include "ssl_common.h" 31 | 32 | void mss_fixup_ipv4(struct buffer *buf, uint16_t maxmss); 33 | 34 | void mss_fixup_ipv6(struct buffer *buf, uint16_t maxmss); 35 | 36 | void mss_fixup_dowork(struct buffer *buf, uint16_t maxmss); 37 | 38 | /** Set the --mssfix option. */ 39 | void frame_calculate_dynamic(struct frame *frame, struct key_type *kt, 40 | const struct options *options, 41 | struct link_socket_info *lsi); 42 | 43 | /** 44 | * Checks and adjusts the fragment and mssfix value according to the 45 | * discovered path mtu value 46 | * @param c context to adjust 47 | */ 48 | void frame_adjust_path_mtu(struct context *c); 49 | 50 | #endif /* ifndef MSS_H */ 51 | -------------------------------------------------------------------------------- /src/openvpn/mstats.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2025 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 
18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 22 | */ 23 | 24 | /* 25 | * Maintain usage stats in a memory-mapped file 26 | */ 27 | 28 | #if !defined(OPENVPN_MEMSTATS_H) && defined(ENABLE_MEMSTATS) 29 | #define OPENVPN_MEMSTATS_H 30 | 31 | #include "basic.h" 32 | 33 | /* this struct is mapped to the file */ 34 | struct mmap_stats { 35 | counter_type link_read_bytes; /* counter_type can be assumed to be a uint64_t */ 36 | counter_type link_write_bytes; 37 | int n_clients; 38 | 39 | #define MSTATS_UNDEF 0 40 | #define MSTATS_ACTIVE 1 41 | #define MSTATS_EXPIRED 2 42 | int state; 43 | }; 44 | 45 | extern volatile struct mmap_stats *mmap_stats; /* GLOBAL */ 46 | 47 | void mstats_open(const char *fn); 48 | 49 | void mstats_close(void); 50 | 51 | #endif /* if !defined(OPENVPN_MEMSTATS_H) && defined(ENABLE_MEMSTATS) */ 52 | -------------------------------------------------------------------------------- /src/openvpn/mtcp.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2025 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 
18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 22 | */ 23 | 24 | /* 25 | * TCP specific code for --mode server 26 | */ 27 | 28 | #ifndef MTCP_H 29 | #define MTCP_H 30 | 31 | #include "event.h" 32 | 33 | struct multi_context; 34 | struct multi_instance; 35 | struct context; 36 | 37 | void multi_tcp_dereference_instance(struct multi_io *multi_io, struct multi_instance *mi); 38 | 39 | bool multi_tcp_instance_specific_init(struct multi_context *m, struct multi_instance *mi); 40 | 41 | void multi_tcp_instance_specific_free(struct multi_instance *mi); 42 | 43 | bool multi_tcp_process_outgoing_link(struct multi_context *m, bool defer, const unsigned int mpp_flags); 44 | 45 | bool multi_tcp_process_outgoing_link_ready(struct multi_context *m, struct multi_instance *mi, const unsigned int mpp_flags); 46 | 47 | struct multi_instance *multi_create_instance_tcp(struct multi_context *m, struct link_socket *sock); 48 | 49 | void multi_tcp_link_out_deferred(struct multi_context *m, struct multi_instance *mi); 50 | 51 | void multi_tcp_delete_event(struct multi_io *multi_io, event_t event); 52 | 53 | #endif /* ifndef MTCP_H */ 54 | -------------------------------------------------------------------------------- /src/openvpn/networking_iproute2.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Generic interface to platform specific networking code 3 | * 4 | * Copyright (C) 2016-2025 Antonio Quartulli 5 | * 6 | * This program is free software; you can redistribute it and/or modify 7 | * it under the terms of the GNU General Public License version 2 8 | * as published by the Free Software Foundation. 
9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program (see the file COPYING included with this 17 | * distribution); if not, write to the Free Software Foundation, Inc., 18 | * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 | */ 20 | 21 | 22 | #ifndef NETWORKING_IP_H_ 23 | #define NETWORKING_IP_H_ 24 | 25 | #include "env_set.h" 26 | 27 | typedef char openvpn_net_iface_t; 28 | 29 | struct openvpn_net_ctx 30 | { 31 | struct env_set *es; 32 | struct gc_arena gc; 33 | }; 34 | 35 | typedef struct openvpn_net_ctx openvpn_net_ctx_t; 36 | 37 | #endif /* NETWORKING_IP_H_ */ 38 | -------------------------------------------------------------------------------- /src/openvpn/networking_sitnl.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Generic interface to platform specific networking code 3 | * 4 | * Copyright (C) 2016-2025 Antonio Quartulli 5 | * 6 | * This program is free software; you can redistribute it and/or modify 7 | * it under the terms of the GNU General Public License version 2 8 | * as published by the Free Software Foundation. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 
14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program (see the file COPYING included with this 17 | * distribution); if not, write to the Free Software Foundation, Inc., 18 | * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 | */ 20 | 21 | 22 | #ifndef NETWORKING_SITNL_H_ 23 | #define NETWORKING_SITNL_H_ 24 | 25 | typedef char openvpn_net_iface_t; 26 | typedef void *openvpn_net_ctx_t; 27 | 28 | #endif /* NETWORKING_SITNL_H_ */ 29 | -------------------------------------------------------------------------------- /src/openvpn/ntlm.h: -------------------------------------------------------------------------------- 1 | #ifndef NTLM_H 2 | #define NTLM_H 3 | 4 | #if NTLM 5 | 6 | const char *ntlm_phase_1(const struct http_proxy_info *p, struct gc_arena *gc); 7 | 8 | const char *ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, struct gc_arena *gc); 9 | 10 | #endif 11 | 12 | #endif 13 | -------------------------------------------------------------------------------- /src/openvpn/openvpn.manifest: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 26 | 30 | 31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /src/openvpn/openvpn_win32_resources.rc: -------------------------------------------------------------------------------- 1 | #ifdef HAVE_CONFIG_H 2 | #include 3 | #endif 4 | #include 5 | 6 | #pragma code_page(65001) /* UTF8 */ 7 | 8 | 1 RT_MANIFEST "openvpn.manifest" 9 | 10 | LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL 11 | 12 | VS_VERSION_INFO VERSIONINFO 13 | FILEVERSION OPENVPN_VERSION_RESOURCE 14 | PRODUCTVERSION OPENVPN_VERSION_RESOURCE 15 | FILEFLAGSMASK 0x3fL 16 | #ifdef _DEBUG 17 | FILEFLAGS 0x1L 18 | #else 19 | FILEFLAGS 0x0L 20 | #endif 21 | FILEOS 0x40004L 22 | FILETYPE VFT_APP 23 | FILESUBTYPE 0x0L 24 | BEGIN 25 | 
BLOCK "StringFileInfo" 26 | BEGIN 27 | BLOCK "040904b0" 28 | BEGIN 29 | VALUE "CompanyName", "The OpenVPN Project" 30 | VALUE "FileDescription", "OpenVPN Daemon" 31 | VALUE "FileVersion", PACKAGE_VERSION ".0" 32 | VALUE "InternalName", "OpenVPN" 33 | VALUE "LegalCopyright", "Copyright © The OpenVPN Project" 34 | VALUE "OriginalFilename", "openvpn.exe" 35 | VALUE "ProductName", "OpenVPN" 36 | VALUE "ProductVersion", PACKAGE_VERSION ".0" 37 | END 38 | END 39 | BLOCK "VarFileInfo" 40 | BEGIN 41 | VALUE "Translation", 0x409, 1200 42 | END 43 | END 44 | -------------------------------------------------------------------------------- /src/openvpn/options_util.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2025 OpenVPN Inc 9 | * Copyright (C) 2010-2021 Fox Crypto B.V. 10 | * 11 | * This program is free software; you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License version 2 13 | * as published by the Free Software Foundation. 14 | * 15 | * This program is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU General Public License along 21 | * with this program; if not, write to the Free Software Foundation, Inc., 22 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
23 | */ 24 | 25 | #ifndef OPTIONS_UTIL_H_ 26 | #define OPTIONS_UTIL_H_ 27 | 28 | #include "options.h" 29 | 30 | const char * 31 | parse_auth_failed_temp(struct options *o, const char *reason); 32 | 33 | 34 | /** Checks if the string is a valid integer by checking if it can be 35 | * converted to an integer */ 36 | bool 37 | valid_integer(const char *str, bool positive); 38 | 39 | /** 40 | * Converts a str to a positive number if the string represents a positive 41 | * integer number. Otherwise print a warning with msglevel and return 0 42 | */ 43 | int 44 | positive_atoi(const char *str, int msglevel); 45 | 46 | /** 47 | * Converts a str to an integer if the string can be represented as an 48 | * integer number. Otherwise print a warning with msglevel and return 0 49 | */ 50 | int 51 | atoi_warn(const char *str, int msglevel); 52 | 53 | #endif /* ifndef OPTIONS_UTIL_H_ */ 54 | -------------------------------------------------------------------------------- /src/openvpn/pkcs11.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2025 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details.
18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 22 | */ 23 | 24 | #ifndef OPENVPN_PKCS11_H 25 | #define OPENVPN_PKCS11_H 26 | 27 | #if defined(ENABLE_PKCS11) 28 | 29 | #include "ssl_common.h" 30 | 31 | bool 32 | pkcs11_initialize( 33 | const bool fProtectedAuthentication, 34 | const int nPINCachePeriod 35 | ); 36 | 37 | void 38 | pkcs11_terminate(void); 39 | 40 | bool 41 | pkcs11_addProvider( 42 | const char *const provider, 43 | const bool fProtectedAuthentication, 44 | const unsigned private_mode, 45 | const bool fCertIsPrivate 46 | ); 47 | 48 | int 49 | pkcs11_logout(void); 50 | 51 | int 52 | pkcs11_management_id_count(void); 53 | 54 | bool 55 | pkcs11_management_id_get( 56 | const int index, 57 | char **id, 58 | char **base64 59 | ); 60 | 61 | int 62 | tls_ctx_use_pkcs11( 63 | struct tls_root_ctx *const ssl_ctx, 64 | bool pkcs11_id_management, 65 | const char *const pkcs11_id 66 | ); 67 | 68 | void 69 | show_pkcs11_ids( 70 | const char *const provider, 71 | bool cert_private 72 | ); 73 | 74 | #endif /* ENABLE_PKCS11 */ 75 | 76 | #endif /* OPENVPN_PKCS11_H */ 77 | -------------------------------------------------------------------------------- /src/openvpn/ps.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2025 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation.
13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 22 | */ 23 | 24 | #ifndef PS_H 25 | #define PS_H 26 | 27 | #if PORT_SHARE 28 | 29 | #include "basic.h" 30 | #include "buffer.h" 31 | #include "ssl.h" 32 | 33 | struct port_share { 34 | /* Foreground's socket to background process */ 35 | socket_descriptor_t foreground_fd; 36 | 37 | /* Process ID of background process */ 38 | pid_t background_pid; 39 | }; 40 | 41 | extern struct port_share *port_share; 42 | 43 | struct port_share *port_share_open(const char *host, 44 | const char *port, 45 | const int max_initial_buf, 46 | const char *journal_dir); 47 | 48 | void port_share_close(struct port_share *ps); 49 | 50 | void port_share_abort(struct port_share *ps); 51 | 52 | bool is_openvpn_protocol(const struct buffer *buf); 53 | 54 | void port_share_redirect(struct port_share *ps, const struct buffer *head, socket_descriptor_t sd); 55 | 56 | #endif /* if PORT_SHARE */ 57 | #endif /* ifndef PS_H */ 58 | -------------------------------------------------------------------------------- /src/openvpn/pushlist.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 
7 | * 8 | * Copyright (C) 2002-2025 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 22 | */ 23 | 24 | #if !defined(PUSHLIST_H) 25 | #define PUSHLIST_H 26 | 27 | /* parameters to be pushed to peer */ 28 | 29 | struct push_entry { 30 | struct push_entry *next; 31 | bool enable; 32 | const char *option; 33 | }; 34 | 35 | struct push_list { 36 | struct push_entry *head; 37 | struct push_entry *tail; 38 | }; 39 | 40 | #endif /* if !defined(PUSHLIST_H) */ 41 | -------------------------------------------------------------------------------- /src/openvpn/session_id.c: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2025 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 
13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 22 | */ 23 | 24 | /* 25 | * Each session is identified by a random 8-byte session identifier. 26 | * 27 | * For efficiency, the session id is only transmitted over the control 28 | * channel (which only sees traffic occasionally when keys are being 29 | * negotiated). The data channel sees a smaller version of the session-id -- 30 | * it is called the key_id and is currently 2 bits long. 31 | */ 32 | 33 | #ifdef HAVE_CONFIG_H 34 | #include "config.h" 35 | #endif 36 | 37 | #include "syshead.h" 38 | 39 | #include "error.h" 40 | #include "common.h" 41 | #include "crypto.h" 42 | #include "session_id.h" 43 | 44 | #include "memdbg.h" 45 | 46 | const struct session_id x_session_id_zero; 47 | 48 | /* Fill sid->id with SID_SIZE bytes obtained from prng_bytes(). NOTE(review): the unpredictability of the session id rests entirely on prng_bytes(), which is declared outside this file -- confirm which generator backs it. */ void 49 | session_id_random(struct session_id *sid) 50 | { 51 | prng_bytes(sid->id, SID_SIZE); 52 | } 53 | 54 | /* Return the SID_SIZE bytes of sid->id as rendered by format_hex(). gc is passed straight through to format_hex(); presumably the returned string is allocated from it -- TODO confirm. */ const char * 55 | session_id_print(const struct session_id *sid, struct gc_arena *gc) 56 | { 57 | return format_hex(sid->id, SID_SIZE, 0, gc); 58 | } 59 | -------------------------------------------------------------------------------- /src/openvpn/ssl_openssl.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression.
7 | * 8 | * Copyright (C) 2002-2025 OpenVPN Inc 9 | * Copyright (C) 2010-2021 Fox Crypto B.V. 10 | * 11 | * This program is free software; you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License version 2 13 | * as published by the Free Software Foundation. 14 | * 15 | * This program is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU General Public License along 21 | * with this program; if not, write to the Free Software Foundation, Inc., 22 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | */ 24 | 25 | /** 26 | * @file 27 | * Control Channel OpenSSL Backend 28 | */ 29 | 30 | #ifndef SSL_OPENSSL_H_ 31 | #define SSL_OPENSSL_H_ 32 | 33 | #include 34 | #include 35 | 36 | /** 37 | * Structure that wraps the TLS context. Contents differ depending on the 38 | * SSL library used. 39 | */ 40 | struct tls_root_ctx { 41 | SSL_CTX *ctx; 42 | time_t crl_last_mtime; 43 | off_t crl_last_size; 44 | }; 45 | 46 | struct key_state_ssl { 47 | SSL *ssl; /* SSL object -- new obj created for each new key */ 48 | BIO *ssl_bio; /* read/write plaintext from here */ 49 | BIO *ct_in; /* write ciphertext to here */ 50 | BIO *ct_out; /* read ciphertext from here */ 51 | }; 52 | 53 | /** 54 | * Allocate space in SSL objects in which to store a struct tls_session 55 | * pointer back to parent. 
56 | */ 57 | extern int mydata_index; /* GLOBAL */ 58 | 59 | static inline void 60 | tls_clear_error(void) 61 | { 62 | ERR_clear_error(); 63 | } 64 | 65 | #endif /* SSL_OPENSSL_H_ */ 66 | -------------------------------------------------------------------------------- /src/openvpn/tun_afunix.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2025 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 22 | */ 23 | 24 | #ifndef AFUNIX_TUN_H 25 | #define AFUNIX_TUN_H 26 | #include 27 | 28 | #include "tun.h" 29 | 30 | /** 31 | * Opens an AF_UNIX based tun device. This also executes the command that 32 | * the user provided taking care of implementing the actual tun 33 | * device. 34 | */ 35 | void 36 | open_tun_afunix(struct options *o, 37 | int mtu, 38 | struct tuntap *tt, 39 | struct env_set *env); 40 | 41 | 42 | /** 43 | * Closes the socket used for the AF_UNIX based device. 
Also sends a 44 | * SIGINT to the child process that was spawned to handle the tun device 45 | */ 46 | void 47 | close_tun_afunix(struct tuntap *tt); 48 | 49 | /** 50 | * Writes a packet to an AF_UNIX based tun device. 51 | */ 52 | ssize_t 53 | write_tun_afunix(struct tuntap *tt, uint8_t *buf, int len); 54 | 55 | /** 56 | * Reads a packet from an AF_UNIX based tun device. 57 | */ 58 | ssize_t 59 | read_tun_afunix(struct tuntap *tt, uint8_t *buf, int len); 60 | 61 | #endif /* AFUNIX_TUN_H */ 62 | 63 | /** 64 | * Checks whether a --dev-node parameter specifies an AF_UNIX device 65 | * @param devnode the string to check (may be NULL) 66 | * @return true if the string starts with unix:, false otherwise, including for a NULL devnode * NOTE(review): this definition sits after the #endif that closes the AFUNIX_TUN_H guard, so it is repeated on every inclusion; including the header twice in one translation unit would redefine it. Consider moving it above the #endif. 67 | */ 68 | static inline bool 69 | is_tun_afunix(const char *devnode) 70 | { 71 | return devnode && strprefix(devnode, "unix:"); 72 | } 73 | -------------------------------------------------------------------------------- /src/openvpn/vlan.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2025 OpenVPN Technologies, Inc. 9 | * Copyright (C) 2010 Fabian Knittel 10 | * 11 | * This program is free software; you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License version 2 13 | * as published by the Free Software Foundation. 14 | * 15 | * This program is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU General Public License for more details.
19 | * 20 | * You should have received a copy of the GNU General Public License along 21 | * with this program; if not, write to the Free Software Foundation, Inc., 22 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | */ 24 | 25 | #ifndef VLAN_H 26 | #define VLAN_H 27 | 28 | #include "buffer.h" 29 | #include "mroute.h" 30 | #include "openvpn.h" 31 | 32 | struct multi_context; 33 | struct multi_instance; 34 | 35 | int16_t 36 | vlan_decapsulate(const struct context *c, struct buffer *buf); 37 | 38 | bool 39 | vlan_is_tagged(const struct buffer *buf); 40 | 41 | void 42 | vlan_process_outgoing_tun(struct multi_context *m, struct multi_instance *mi); 43 | 44 | #endif /* VLAN_H */ 45 | -------------------------------------------------------------------------------- /src/openvpn/win32-util.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2025 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
22 | */ 23 | 24 | #ifdef _WIN32 25 | #ifndef OPENVPN_WIN32_UTIL_H 26 | #define OPENVPN_WIN32_UTIL_H 27 | 28 | #include 29 | 30 | #include "mtu.h" 31 | #include "openvpn-msg.h" 32 | #include "argv.h" 33 | 34 | /* Convert a string from UTF-8 to UCS-2 */ 35 | WCHAR *wide_string(const char *utf8, struct gc_arena *gc); 36 | 37 | /* Convert a string from UTF-16 to UTF-8 */ 38 | char *utf16to8(const wchar_t *utf16, struct gc_arena *gc); 39 | 40 | /* return true if filename is safe to be used on Windows */ 41 | bool win_safe_filename(const char *fn); 42 | 43 | /* Find temporary directory */ 44 | const char *win_get_tempdir(void); 45 | 46 | #endif /* OPENVPN_WIN32_UTIL_H */ 47 | #endif /* ifdef _WIN32 */ 48 | -------------------------------------------------------------------------------- /src/openvpnmsica/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | if (NOT WIN32) 2 | return () 3 | endif () 4 | 5 | project(openvpnmsica) 6 | 7 | add_library(openvpnmsica SHARED) 8 | 9 | target_include_directories(openvpnmsica PRIVATE 10 | ${CMAKE_CURRENT_BINARY_DIR}/../../ 11 | ../../include/ 12 | ../compat/ 13 | ) 14 | target_sources(openvpnmsica PRIVATE 15 | dllmain.c 16 | msiex.c msiex.h 17 | msica_arg.c msica_arg.h 18 | openvpnmsica.c openvpnmsica.h 19 | ../tapctl/basic.h 20 | ../tapctl/error.c ../tapctl/error.h 21 | ../tapctl/tap.c ../tapctl/tap.h 22 | openvpnmsica_resources.rc 23 | ) 24 | target_compile_options(openvpnmsica PRIVATE 25 | -D_UNICODE 26 | -UNTDDI_VERSION 27 | -D_WIN32_WINNT=_WIN32_WINNT_VISTA 28 | ) 29 | 30 | if (MSVC) 31 | target_compile_options(openvpnmsica PRIVATE 32 | "$<$:/MT>" 33 | "$<$:/MTd>" 34 | ) 35 | endif () 36 | 37 | target_link_libraries(openvpnmsica 38 | advapi32.lib ole32.lib msi.lib setupapi.lib iphlpapi.lib shell32.lib shlwapi.lib version.lib newdev.lib) 39 | if (MINGW) 40 | target_compile_options(openvpnmsica PRIVATE -municode) 41 | target_link_options(openvpnmsica PRIVATE -municode) 42 | 
target_link_options(openvpnmsica PRIVATE 43 | -Wl,--kill-at) 44 | endif () 45 | -------------------------------------------------------------------------------- /src/openvpnmsica/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # openvpnmsica -- Custom Action DLL to provide OpenVPN-specific support to MSI packages 3 | # 4 | # Copyright (C) 2002-2025 OpenVPN Inc 5 | # Copyright (C) 2018-2025 Simon Rozman 6 | # 7 | # This program is free software; you can redistribute it and/or modify 8 | # it under the terms of the GNU General Public License version 2 9 | # as published by the Free Software Foundation. 10 | # 11 | # This program is distributed in the hope that it will be useful, 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | # GNU General Public License for more details. 15 | # 16 | # You should have received a copy of the GNU General Public License along 17 | # with this program; if not, write to the Free Software Foundation, Inc., 18 | # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
19 | # 20 | 21 | include $(top_srcdir)/ltrc.inc 22 | 23 | MAINTAINERCLEANFILES = $(srcdir)/Makefile.in 24 | 25 | AM_CPPFLAGS = \ 26 | -I$(top_srcdir)/include -I$(top_srcdir)/src/compat 27 | 28 | AM_CFLAGS = \ 29 | $(TAP_CFLAGS) 30 | 31 | EXTRA_DIST = \ 32 | CMakeLists.txt 33 | 34 | if WIN32 35 | lib_LTLIBRARIES = libopenvpnmsica.la 36 | libopenvpnmsica_la_CFLAGS = \ 37 | -municode -D_UNICODE \ 38 | -UNTDDI_VERSION -U_WIN32_WINNT \ 39 | -D_WIN32_WINNT=_WIN32_WINNT_VISTA \ 40 | -Wl,--kill-at 41 | libopenvpnmsica_la_LDFLAGS = -ladvapi32 -lole32 -lmsi -lsetupapi -liphlpapi -lshell32 -lshlwapi -lversion -lnewdev -no-undefined -avoid-version 42 | endif 43 | 44 | libopenvpnmsica_la_SOURCES = \ 45 | dllmain.c \ 46 | msiex.c msiex.h \ 47 | msica_arg.c msica_arg.h \ 48 | openvpnmsica.c openvpnmsica.h \ 49 | $(top_srcdir)/src/tapctl/basic.h \ 50 | $(top_srcdir)/src/tapctl/error.c $(top_srcdir)/src/tapctl/error.h \ 51 | $(top_srcdir)/src/tapctl/tap.c $(top_srcdir)/src/tapctl/tap.h \ 52 | openvpnmsica_resources.rc 53 | -------------------------------------------------------------------------------- /src/openvpnmsica/openvpnmsica_resources.rc: -------------------------------------------------------------------------------- 1 | /* 2 | * openvpnmsica -- Custom Action DLL to provide OpenVPN-specific support to MSI packages 3 | * 4 | * Copyright (C) 2018-2025 Simon Rozman 5 | * 6 | * This program is free software; you can redistribute it and/or modify 7 | * it under the terms of the GNU General Public License version 2 8 | * as published by the Free Software Foundation. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 
14 | * 15 | * You should have received a copy of the GNU General Public License along 16 | * with this program; if not, write to the Free Software Foundation, Inc., 17 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 18 | */ 19 | 20 | #ifdef HAVE_CONFIG_H 21 | #include 22 | #endif 23 | #include 24 | 25 | #pragma code_page(65001) /* UTF8 */ 26 | 27 | LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL 28 | 29 | VS_VERSION_INFO VERSIONINFO 30 | FILEVERSION OPENVPN_VERSION_RESOURCE 31 | PRODUCTVERSION OPENVPN_VERSION_RESOURCE 32 | FILEFLAGSMASK VS_FF_DEBUG | VS_FF_PRERELEASE | VS_FF_PATCHED | VS_FF_PRIVATEBUILD | VS_FF_SPECIALBUILD 33 | #ifdef _DEBUG 34 | FILEFLAGS VS_FF_DEBUG 35 | #else 36 | FILEFLAGS 0x0L 37 | #endif 38 | FILEOS VOS_NT_WINDOWS32 39 | FILETYPE VFT_DLL 40 | FILESUBTYPE 0x0L 41 | BEGIN 42 | BLOCK "StringFileInfo" 43 | BEGIN 44 | BLOCK "040904b0" 45 | BEGIN 46 | VALUE "CompanyName", "The OpenVPN Project" 47 | VALUE "FileDescription", "Custom Action DLL to provide OpenVPN-specific support to MSI packages" 48 | VALUE "FileVersion", PACKAGE_VERSION ".0" 49 | VALUE "InternalName", "OpenVPN" 50 | VALUE "LegalCopyright", "Copyright © The OpenVPN Project" 51 | VALUE "OriginalFilename", "libopenvpnmsica.dll" 52 | VALUE "ProductName", "OpenVPN" 53 | VALUE "ProductVersion", PACKAGE_VERSION ".0" 54 | END 55 | END 56 | BLOCK "VarFileInfo" 57 | BEGIN 58 | VALUE "Translation", 0x409, 1200 59 | END 60 | END 61 | -------------------------------------------------------------------------------- /src/openvpnserv/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | if (NOT WIN32) 2 | return () 3 | endif () 4 | 5 | project(openvpnserv) 6 | 7 | add_executable(openvpnserv) 8 | 9 | target_include_directories(openvpnserv PRIVATE 10 | ${CMAKE_CURRENT_BINARY_DIR}/../../ 11 | ../../include/ 12 | ../openvpn/ 13 | ../compat/ 14 | ) 15 | target_sources(openvpnserv PRIVATE 16 | common.c 17 | interactive.c 18 | service.c service.h 19 | 
validate.c validate.h 20 | ../tapctl/basic.h 21 | ../openvpn/wfp_block.c ../openvpn/wfp_block.h 22 | openvpnserv_resources.rc 23 | ) 24 | target_compile_options(openvpnserv PRIVATE 25 | -D_UNICODE 26 | -UNTDDI_VERSION 27 | -D_WIN32_WINNT=_WIN32_WINNT_VISTA 28 | ) 29 | target_link_libraries(openvpnserv 30 | advapi32.lib userenv.lib iphlpapi.lib fwpuclnt.lib rpcrt4.lib 31 | shlwapi.lib netapi32.lib ws2_32.lib ntdll.lib ole32.lib) 32 | if (MINGW) 33 | target_compile_options(openvpnserv PRIVATE -municode) 34 | target_link_options(openvpnserv PRIVATE -municode) 35 | endif () 36 | -------------------------------------------------------------------------------- /src/openvpnserv/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 
7 | # 8 | # Copyright (C) 2002-2025 OpenVPN Inc 9 | # Copyright (C) 2006-2012 Alon Bar-Lev 10 | # 11 | 12 | include $(top_srcdir)/ltrc.inc 13 | 14 | MAINTAINERCLEANFILES = $(srcdir)/Makefile.in 15 | 16 | AM_CPPFLAGS = \ 17 | -I$(top_srcdir)/include -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat 18 | 19 | EXTRA_DIST = \ 20 | CMakeLists.txt 21 | 22 | if WIN32 23 | sbin_PROGRAMS = openvpnserv 24 | openvpnserv_CFLAGS = \ 25 | -municode -D_UNICODE \ 26 | -UNTDDI_VERSION -U_WIN32_WINNT \ 27 | -D_WIN32_WINNT=_WIN32_WINNT_VISTA 28 | openvpnserv_LDADD = \ 29 | -ladvapi32 -luserenv -liphlpapi -lfwpuclnt -lrpcrt4 \ 30 | -lshlwapi -lnetapi32 -lws2_32 -lntdll -lole32 31 | endif 32 | 33 | openvpnserv_SOURCES = \ 34 | common.c \ 35 | interactive.c \ 36 | service.c service.h \ 37 | validate.c validate.h \ 38 | $(top_srcdir)/src/openvpn/wfp_block.c $(top_srcdir)/src/openvpn/wfp_block.h \ 39 | openvpnserv_resources.rc 40 | -------------------------------------------------------------------------------- /src/openvpnserv/openvpnserv_resources.rc: -------------------------------------------------------------------------------- 1 | #ifdef HAVE_CONFIG_H 2 | #include 3 | #endif 4 | #include 5 | 6 | #pragma code_page(65001) /* UTF8 */ 7 | 8 | LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL 9 | 10 | VS_VERSION_INFO VERSIONINFO 11 | FILEVERSION OPENVPN_VERSION_RESOURCE 12 | PRODUCTVERSION OPENVPN_VERSION_RESOURCE 13 | FILEFLAGSMASK 0x3fL 14 | #ifdef _DEBUG 15 | FILEFLAGS 0x1L 16 | #else 17 | FILEFLAGS 0x0L 18 | #endif 19 | FILEOS 0x40004L 20 | FILETYPE VFT_APP 21 | FILESUBTYPE 0x0L 22 | BEGIN 23 | BLOCK "StringFileInfo" 24 | BEGIN 25 | BLOCK "040904b0" 26 | BEGIN 27 | VALUE "CompanyName", "The OpenVPN Project" 28 | VALUE "FileDescription", "OpenVPN Service" 29 | VALUE "FileVersion", PACKAGE_VERSION ".0" 30 | VALUE "InternalName", "OpenVPN" 31 | VALUE "LegalCopyright", "Copyright © The OpenVPN Project" 32 | VALUE "OriginalFilename", "openvpnserv.exe" 33 | VALUE "ProductName", "OpenVPN" 34 | 
VALUE "ProductVersion", PACKAGE_VERSION ".0" 35 | END 36 | END 37 | BLOCK "VarFileInfo" 38 | BEGIN 39 | VALUE "Translation", 0x409, 1200 40 | END 41 | END 42 | -------------------------------------------------------------------------------- /src/openvpnserv/validate.h: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | * OpenVPN -- An application to securely tunnel IP networks 4 | * over a single TCP/UDP port, with support for SSL/TLS-based 5 | * session authentication and key exchange, 6 | * packet encryption, packet authentication, and 7 | * packet compression. 8 | * 9 | * Copyright (C) 2016-2025 Selva Nair 10 | * 11 | * This program is free software; you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License version 2 13 | * as published by the Free Software Foundation. 14 | * 15 | * This program is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU General Public License along 21 | * with this program; if not, write to the Free Software Foundation, Inc., 22 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
23 | */ 24 | 25 | #ifndef VALIDATE_H 26 | #define VALIDATE_H 27 | 28 | #include "service.h" 29 | 30 | /* Authorized groups who can use any options and config locations. NOTE(review): the registry values named on the next two lines can replace these defaults, so whoever can write them decides who counts as authorized -- confirm that the key is writable by administrators only. */ 31 | #define SYSTEM_ADMIN_GROUP L"Administrators" 32 | #define OVPN_ADMIN_GROUP L"OpenVPN Administrators" /* may be set in HKLM\Software\OpenVPN\ovpn_admin_group */ 33 | #define OVPN_SERVICE_USER L"OpenVPNService" /* may be set in HKLM\Software\OpenVPN\ovpn_service_user */ 34 | 35 | /* 36 | * Check whether user is a member of Administrators group or 37 | * the group specified in ovpn_admin_group or 38 | * OpenVPN Virtual Service Account user 39 | */ 40 | BOOL 41 | IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group, const WCHAR *ovpn_service_user); 42 | 43 | BOOL 44 | CheckOption(const WCHAR *workdir, int narg, WCHAR *argv[], const settings_t *s); 45 | 46 | /* Return TRUE when the first two characters of o are "--" (compared with wcsncmp). o is passed to wcsncmp unchecked, so it must not be NULL. */ static inline BOOL 47 | IsOption(const WCHAR *o) 48 | { 49 | return (wcsncmp(o, L"--", 2) == 0); 50 | } 51 | 52 | #endif /* ifndef VALIDATE_H */ 53 | -------------------------------------------------------------------------------- /src/plugins/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression.
7 | # 8 | # Copyright (C) 2002-2025 OpenVPN Inc 9 | # Copyright (C) 2006-2012 Alon Bar-Lev 10 | # 11 | 12 | MAINTAINERCLEANFILES = \ 13 | $(srcdir)/Makefile.in 14 | 15 | SUBDIRS = auth-pam down-root 16 | -------------------------------------------------------------------------------- /src/plugins/auth-pam/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN (TM) PAM Auth Plugin -- OpenVPN Plugin 3 | # 4 | # Copyright (C) 2012 Alon Bar-Lev 5 | # 6 | 7 | MAINTAINERCLEANFILES = \ 8 | $(srcdir)/Makefile.in 9 | 10 | AM_CFLAGS = \ 11 | -I$(top_srcdir)/include \ 12 | $(PLUGIN_AUTH_PAM_CFLAGS) \ 13 | $(OPTIONAL_CRYPTO_CFLAGS) 14 | 15 | if ENABLE_PLUGIN_AUTH_PAM 16 | plugin_LTLIBRARIES = openvpn-plugin-auth-pam.la 17 | dist_doc_DATA = README.auth-pam 18 | endif 19 | 20 | openvpn_plugin_auth_pam_la_SOURCES = \ 21 | utils.c \ 22 | auth-pam.c \ 23 | pamdl.c pamdl.h \ 24 | auth-pam.exports 25 | openvpn_plugin_auth_pam_la_LIBADD = \ 26 | $(PLUGIN_AUTH_PAM_LIBS) 27 | openvpn_plugin_auth_pam_la_LDFLAGS = $(AM_LDFLAGS) \ 28 | -export-symbols "$(srcdir)/auth-pam.exports" \ 29 | -module -shared -avoid-version -no-undefined 30 | -------------------------------------------------------------------------------- /src/plugins/auth-pam/auth-pam.exports: -------------------------------------------------------------------------------- 1 | openvpn_plugin_open_v3 2 | openvpn_plugin_func_v1 3 | openvpn_plugin_close_v1 4 | openvpn_plugin_abort_v1 5 | -------------------------------------------------------------------------------- /src/plugins/auth-pam/pamdl.h: -------------------------------------------------------------------------------- 1 | #ifdef USE_PAM_DLOPEN 2 | /* Dynamically load and unload the PAM library */ 3 | int dlopen_pam(const char *so); 4 | 5 | void dlclose_pam(void); 6 | 7 | #endif 8 | -------------------------------------------------------------------------------- /src/plugins/down-root/Makefile.am: 
-------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN (TM) Down Root Plugin -- OpenVPN Plugin 3 | # 4 | # Copyright (C) 2012 Alon Bar-Lev 5 | # 6 | 7 | MAINTAINERCLEANFILES = \ 8 | $(srcdir)/Makefile.in 9 | 10 | AM_CFLAGS = \ 11 | -I$(top_srcdir)/include \ 12 | $(OPTIONAL_CRYPTO_CFLAGS) 13 | 14 | if ENABLE_PLUGIN_DOWN_ROOT 15 | plugin_LTLIBRARIES = openvpn-plugin-down-root.la 16 | dist_doc_DATA = README.down-root 17 | endif 18 | 19 | openvpn_plugin_down_root_la_SOURCES = \ 20 | down-root.c \ 21 | down-root.exports 22 | openvpn_plugin_down_root_la_LDFLAGS = $(AM_LDFLAGS) \ 23 | -export-symbols "$(srcdir)/down-root.exports" \ 24 | -module -shared -avoid-version -no-undefined 25 | -------------------------------------------------------------------------------- /src/plugins/down-root/README.down-root: -------------------------------------------------------------------------------- 1 | down-root -- an OpenVPN Plugin Module 2 | 3 | SYNOPSIS 4 | 5 | The down-root module allows an OpenVPN configuration to 6 | call a down script with root privileges, even when privileges 7 | have been dropped using --user/--group/--chroot. 8 | 9 | This module uses a split privilege execution model which will 10 | fork() before OpenVPN drops root privileges, at the point where 11 | the --up script is usually called. The module will then remain 12 | in a wait state until it receives a message from OpenVPN via 13 | pipe to execute the down script. Thus, the down script will be 14 | run in the same execution environment as the up script. 15 | 16 | BUILD 17 | 18 | Build this module with the "make" command. The plugin 19 | module will be named openvpn-plugin-down-root.so 20 | 21 | USAGE 22 | 23 | To use this module, add to your OpenVPN config file: 24 | 25 | plugin openvpn-plugin-down-root.so "command ..." 26 | 27 | CAVEATS 28 | 29 | This module will only work on *nix systems, not Windows. 
30 | -------------------------------------------------------------------------------- /src/plugins/down-root/down-root.exports: -------------------------------------------------------------------------------- 1 | openvpn_plugin_open_v1 2 | openvpn_plugin_func_v1 3 | openvpn_plugin_close_v1 4 | openvpn_plugin_abort_v1 5 | -------------------------------------------------------------------------------- /src/tapctl/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | if (NOT WIN32) 2 | return () 3 | endif () 4 | 5 | project(tapctl) 6 | 7 | add_executable(tapctl) 8 | 9 | target_include_directories(tapctl PRIVATE 10 | ${CMAKE_CURRENT_BINARY_DIR}/../../ 11 | ../../include/ 12 | ../compat/ 13 | ) 14 | target_sources(tapctl PRIVATE 15 | basic.h 16 | error.c error.h 17 | main.c 18 | tap.c tap.h 19 | tapctl_resources.rc 20 | ) 21 | target_compile_options(tapctl PRIVATE 22 | -D_UNICODE 23 | -UNTDDI_VERSION 24 | -D_WIN32_WINNT=_WIN32_WINNT_VISTA 25 | ) 26 | target_link_libraries(tapctl 27 | advapi32.lib ole32.lib setupapi.lib) 28 | if (MINGW) 29 | target_compile_options(tapctl PRIVATE -municode) 30 | target_link_options(tapctl PRIVATE -municode) 31 | endif () 32 | -------------------------------------------------------------------------------- /src/tapctl/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # tapctl -- Utility to manipulate TUN/TAP interfaces on Windows 3 | # 4 | # Copyright (C) 2002-2025 OpenVPN Inc 5 | # Copyright (C) 2018-2025 Simon Rozman 6 | # 7 | # This program is free software; you can redistribute it and/or modify 8 | # it under the terms of the GNU General Public License version 2 9 | # as published by the Free Software Foundation. 10 | # 11 | # This program is distributed in the hope that it will be useful, 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the 14 | # GNU General Public License for more details. 15 | # 16 | # You should have received a copy of the GNU General Public License along 17 | # with this program; if not, write to the Free Software Foundation, Inc., 18 | # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 19 | # 20 | 21 | include $(top_srcdir)/ltrc.inc 22 | 23 | MAINTAINERCLEANFILES = $(srcdir)/Makefile.in 24 | 25 | AM_CPPFLAGS = \ 26 | -I$(top_srcdir)/include -I$(top_srcdir)/src/compat 27 | 28 | AM_CFLAGS = \ 29 | $(TAP_CFLAGS) 30 | 31 | EXTRA_DIST = \ 32 | CMakeLists.txt \ 33 | tapctl.exe.manifest 34 | 35 | if WIN32 36 | sbin_PROGRAMS = tapctl 37 | tapctl_CFLAGS = \ 38 | -municode -D_UNICODE \ 39 | -UNTDDI_VERSION -U_WIN32_WINNT \ 40 | -D_WIN32_WINNT=_WIN32_WINNT_VISTA 41 | tapctl_LDADD = -ladvapi32 -lole32 -lsetupapi 42 | endif 43 | 44 | tapctl_SOURCES = \ 45 | basic.h \ 46 | error.c error.h \ 47 | main.c \ 48 | tap.c tap.h \ 49 | tapctl_resources.rc 50 | -------------------------------------------------------------------------------- /src/tapctl/basic.h: -------------------------------------------------------------------------------- 1 | /* 2 | * basic -- Basic macros 3 | * https://community.openvpn.net/openvpn/wiki/Tapctl 4 | * 5 | * Copyright (C) 2002-2025 OpenVPN Inc 6 | * Copyright (C) 2018-2025 Simon Rozman 7 | * 8 | * This program is free software; you can redistribute it and/or modify 9 | * it under the terms of the GNU General Public License version 2 10 | * as published by the Free Software Foundation. 11 | * 12 | * This program is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 
16 | * 17 | * You should have received a copy of the GNU General Public License along 18 | * with this program; if not, write to the Free Software Foundation, Inc., 19 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 20 | */ 21 | 22 | #ifndef BASIC_H 23 | #define BASIC_H 24 | 25 | /* We do not support non-unicode builds */ 26 | #ifndef UNICODE 27 | #define UNICODE 28 | #endif 29 | 30 | #define PRIXGUID "{%08lX-%04hX-%04hX-%02hhX%02hhX-%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX}" 31 | #define PRIGUID_PARAM(g) \ 32 | (g).Data1, (g).Data2, (g).Data3, (g).Data4[0], (g).Data4[1], (g).Data4[2], (g).Data4[3], (g).Data4[4], (g).Data4[5], (g).Data4[6], (g).Data4[7] 33 | #define PRIGUID_PARAM_REF(g) \ 34 | &(g).Data1, &(g).Data2, &(g).Data3, &(g).Data4[0], &(g).Data4[1], &(g).Data4[2], &(g).Data4[3], &(g).Data4[4], &(g).Data4[5], &(g).Data4[6], &(g).Data4[7] 35 | 36 | #define __L(q) L ## q 37 | #define _L(q) __L(q) 38 | 39 | #ifndef _In_ 40 | #define _In_ 41 | #endif 42 | #ifndef _In_opt_ 43 | #define _In_opt_ 44 | #endif 45 | #ifndef _In_z_ 46 | #define _In_z_ 47 | #endif 48 | #ifndef _Inout_ 49 | #define _Inout_ 50 | #endif 51 | #ifndef _Inout_opt_ 52 | #define _Inout_opt_ 53 | #endif 54 | #ifndef _Out_ 55 | #define _Out_ 56 | #endif 57 | #ifndef _Out_opt_ 58 | #define _Out_opt_ 59 | #endif 60 | #ifndef _Out_z_cap_ 61 | #define _Out_z_cap_(n) 62 | #endif 63 | 64 | #endif /* ifndef BASIC_H */ 65 | -------------------------------------------------------------------------------- /src/tapctl/error.c: -------------------------------------------------------------------------------- 1 | /* 2 | * error -- OpenVPN compatible error reporting API 3 | * https://community.openvpn.net/openvpn/wiki/Tapctl 4 | * 5 | * Copyright (C) 2002-2025 OpenVPN Inc 6 | * Copyright (C) 2018-2025 Simon Rozman 7 | * 8 | * This program is free software; you can redistribute it and/or modify 9 | * it under the terms of the GNU General Public License version 2 10 | * as published by the Free 
Software Foundation. 11 | * 12 | * This program is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License along 18 | * with this program; if not, write to the Free Software Foundation, Inc., 19 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 20 | */ 21 | 22 | #include "error.h" 23 | 24 | 25 | /* Globals */ 26 | unsigned int x_debug_level; /* GLOBAL */ 27 | 28 | 29 | void 30 | x_msg(const unsigned int flags, const char *format, ...) 31 | { 32 | va_list arglist; 33 | va_start(arglist, format); 34 | x_msg_va(flags, format, arglist); 35 | va_end(arglist); 36 | } 37 | -------------------------------------------------------------------------------- /src/tapctl/tapctl.exe.manifest: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /src/tapctl/tapctl_resources.rc: -------------------------------------------------------------------------------- 1 | /* 2 | * tapctl -- Utility to manipulate TUN/TAP adapters on Windows 3 | * 4 | * Copyright (C) 2018-2025 Simon Rozman 5 | * 6 | * This program is free software; you can redistribute it and/or modify 7 | * it under the terms of the GNU General Public License version 2 8 | * as published by the Free Software Foundation. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 
14 | * 15 | * You should have received a copy of the GNU General Public License along 16 | * with this program; if not, write to the Free Software Foundation, Inc., 17 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 18 | */ 19 | 20 | #ifdef HAVE_CONFIG_H 21 | #include 22 | #endif 23 | #include 24 | 25 | #pragma code_page(65001) /* UTF8 */ 26 | 27 | LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL 28 | 29 | VS_VERSION_INFO VERSIONINFO 30 | FILEVERSION OPENVPN_VERSION_RESOURCE 31 | PRODUCTVERSION OPENVPN_VERSION_RESOURCE 32 | FILEFLAGSMASK VS_FF_DEBUG | VS_FF_PRERELEASE | VS_FF_PATCHED | VS_FF_PRIVATEBUILD | VS_FF_SPECIALBUILD 33 | #ifdef _DEBUG 34 | FILEFLAGS VS_FF_DEBUG 35 | #else 36 | FILEFLAGS 0x0L 37 | #endif 38 | FILEOS VOS_NT_WINDOWS32 39 | FILETYPE VFT_APP 40 | FILESUBTYPE 0x0L 41 | BEGIN 42 | BLOCK "StringFileInfo" 43 | BEGIN 44 | BLOCK "040904b0" 45 | BEGIN 46 | VALUE "CompanyName", "The OpenVPN Project" 47 | VALUE "FileDescription", "Utility to manipulate TUN/TAP adapters on Windows" 48 | VALUE "FileVersion", PACKAGE_VERSION ".0" 49 | VALUE "InternalName", "OpenVPN" 50 | VALUE "LegalCopyright", "Copyright © The OpenVPN Project" 51 | VALUE "OriginalFilename", "tapctl.exe" 52 | VALUE "ProductName", "OpenVPN" 53 | VALUE "ProductVersion", PACKAGE_VERSION ".0" 54 | END 55 | END 56 | BLOCK "VarFileInfo" 57 | BEGIN 58 | VALUE "Translation", 0x409, 1200 59 | END 60 | END 61 | 62 | 1 RT_MANIFEST "tapctl.exe.manifest" 63 | -------------------------------------------------------------------------------- /tests/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 
7 | # 8 | # Copyright (C) 2002-2025 OpenVPN Inc 9 | # Copyright (C) 2006-2012 Alon Bar-Lev 10 | # 11 | 12 | MAINTAINERCLEANFILES = \ 13 | $(srcdir)/Makefile.in 14 | 15 | SUBDIRS = unit_tests 16 | 17 | AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING) System Tests' 18 | SH_LOG_DRIVER = $(SHELL) $(top_srcdir)/forked-test-driver 19 | 20 | if !WIN32 21 | test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh t_server_null.sh 22 | 23 | check_PROGRAMS = ntlm_support 24 | if HAVE_SITNL 25 | test_scripts += t_net.sh 26 | endif 27 | endif 28 | 29 | TESTS_ENVIRONMENT = top_srcdir="$(top_srcdir)" 30 | TEST_EXTENSIONS = .sh 31 | TESTS = $(test_scripts) 32 | 33 | dist_noinst_SCRIPTS = \ 34 | t_cltsrv.sh \ 35 | t_cltsrv-down.sh \ 36 | t_lpback.sh \ 37 | t_net.sh \ 38 | t_server_null.sh \ 39 | t_server_null_client.sh \ 40 | t_server_null_server.sh \ 41 | t_server_null_default.rc \ 42 | update_t_client_ips.sh 43 | 44 | t_client.log: t_server_null.log 45 | 46 | dist_noinst_DATA = \ 47 | t_client.rc-sample 48 | 49 | ntlm_support_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat -I$(top_srcdir)/tests/unit_tests/openvpn -DNO_CMOCKA @TEST_CFLAGS@ 50 | ntlm_support_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn $(OPTIONAL_CRYPTO_LIBS) 51 | ntlm_support_SOURCES = ntlm_support.c \ 52 | unit_tests/openvpn/mock_msg.c unit_tests/openvpn/mock_msg.h \ 53 | $(top_srcdir)/src/openvpn/buffer.c \ 54 | $(top_srcdir)/src/openvpn/crypto.c \ 55 | $(top_srcdir)/src/openvpn/crypto_epoch.c \ 56 | $(top_srcdir)/src/openvpn/crypto_openssl.c \ 57 | $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ 58 | $(top_srcdir)/src/openvpn/otime.c \ 59 | $(top_srcdir)/src/openvpn/packet_id.c \ 60 | $(top_srcdir)/src/openvpn/platform.c 61 | -------------------------------------------------------------------------------- /tests/lwip_client_up.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Determine the OpenVPN PID from its pid file. 
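This works reliably even when 4 | # the OpenVPN process is backgrounded for parallel tests. 5 | MY_PPID=`cat "$pid"` 6 | # $pid, $test_name and $MY_PPID are not set by this script's caller in a controlled form, so they are quoted wherever they are used as a path or an argument; spaces or glob characters in them are then not split or expanded. 7 | # Add this client's VPN IP and PID to a file. This enables 8 | # t_server_null_client.sh to kill this OpenVPN client after fping tests have 9 | # finished. 10 | echo "$ifconfig_local,$MY_PPID" >> "./$test_name.lwip" 11 | # NOTE(review): the delayed kill below signals whatever process holds this PID 15 seconds later; confirm PID reuse is not a concern on the test hosts. 12 | # Wait long enough to allow fping tests to finish. Also ensure that this 13 | # OpenVPN client is killed even if t_server_null_client.sh failed to do it. 14 | (sleep 15 15 | echo "ERROR: t_server_null_client.sh failed to kill OpenVPN client with PID $MY_PPID in test $test_name. Killing it in lwip_client_up.sh." 16 | kill -15 "$MY_PPID" 17 | ) & 18 | -------------------------------------------------------------------------------- /tests/ntlm_support.c: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2023-2025 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 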
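22 | */ 23 | 24 | #ifdef HAVE_CONFIG_H 25 | #include "config.h" 26 | #endif 27 | 28 | #include "syshead.h" 29 | 30 | #include "crypto.h" 31 | #include "error.h" 32 | /* Reports M_FATAL unless md_valid() accepts the digest names "MD4" and "MD5" (presumably the digests NTLM support relies on - confirm); in OpenSSL builds the "legacy" and "default" providers are loaded for the duration of the check. Without NTLM compiled in, it reports M_FATAL unconditionally. */ 33 | int 34 | main(void) 35 | { 36 | #ifdef NTLM 37 | #if defined(ENABLE_CRYPTO_OPENSSL) 38 | provider_t *legacy = crypto_load_provider("legacy"); 39 | provider_t *def = crypto_load_provider("default"); 40 | #endif 41 | if (!md_valid("MD4")) 42 | { 43 | msg(M_FATAL, "MD4 not supported"); 44 | } 45 | if (!md_valid("MD5")) 46 | { 47 | msg(M_FATAL, "MD5 not supported"); 48 | } 49 | #if defined(ENABLE_CRYPTO_OPENSSL) 50 | crypto_unload_provider("legacy", legacy); 51 | crypto_unload_provider("default", def); 52 | #endif 53 | #else /* ifdef NTLM */ 54 | msg(M_FATAL, "NTLM support not compiled in"); 55 | #endif 56 | } 57 | -------------------------------------------------------------------------------- /tests/null_client_up.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Stop the parent process (openvpn) gracefully after a small delay 4 | 5 | # Determine the OpenVPN PID from its pid file. This works reliably even when 6 | # the OpenVPN process is backgrounded for parallel tests. 7 | MY_PPID=`cat "$pid"` 8 | # $pid and $MY_PPID are quoted so that spaces or glob characters in them are not split or expanded. 9 | # Allow OpenVPN to finish initializing while waiting in the background and then 10 | # killing the process gracefully. 11 | (sleep 5 ; kill -15 "$MY_PPID") & 12 | -------------------------------------------------------------------------------- /tests/t_cltsrv-down.sh: -------------------------------------------------------------------------------- 1 | #! 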
/bin/sh 2 | echo "${role}:${signal}" >&3 3 | -------------------------------------------------------------------------------- /tests/t_server_null.rc-sample: -------------------------------------------------------------------------------- 1 | # Uncomment to run tests with sudo 2 | #RUN_SUDO="sudo -E" 3 | 4 | TEST_RUN_LIST="1 2 3 10 11" 5 | 6 | TEST_NAME_10="t_server_null_client.sh-openvpn_2_6_8_udp" 7 | SHOULD_PASS_10="yes" 8 | CLIENT_EXEC_10="/usr/sbin/openvpn" 9 | CLIENT_CONF_10="${CLIENT_CONF_BASE} --remote 127.0.0.1 1194 udp --proto udp" 10 | 11 | TEST_NAME_11="t_server_null_client.sh-openvpn_2_6_8_tcp" 12 | SHOULD_PASS_11="yes" 13 | CLIENT_EXEC_11="/usr/sbin/openvpn" 14 | CLIENT_CONF_11="${CLIENT_CONF_BASE} --remote 127.0.0.1 1195 tcp --proto tcp" 15 | -------------------------------------------------------------------------------- /tests/t_server_null.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | TSERVER_NULL_SKIP_RC="${TSERVER_NULL_SKIP_RC:-77}" 4 | 5 | if ! [ -r "./t_server_null.rc" ] ; then 6 | echo "${0}: cannot find './t_server_null.rc. SKIPPING TEST.'" >&2 7 | exit "${TSERVER_NULL_SKIP_RC}" 8 | fi 9 | 10 | . ./t_server_null.rc 11 | 12 | if KILL_EXEC=$(which kill); then 13 | export KILL_EXEC 14 | else 15 | echo "${0}: kill not found in \$PATH" >&2 16 | exit "${TSERVER_NULL_SKIP_RC}" 17 | fi 18 | 19 | # Ensure PREFER_KSU is in a known state 20 | PREFER_KSU="${PREFER_KSU:-0}" 21 | 22 | # make sure we have permissions to run ifconfig/route from OpenVPN 23 | # can't use "id -u" here - doesn't work on Solaris 24 | ID=$(id) 25 | if expr "$ID" : "uid=0" >/dev/null 26 | then : 27 | else 28 | if [ "${PREFER_KSU}" -eq 1 ]; 29 | then 30 | # Check if we have a valid kerberos ticket 31 | if klist -l 1>/dev/null 2>/dev/null; then 32 | RUN_SUDO="ksu -q -e" 33 | else 34 | # No kerberos ticket found, skip ksu and fallback to RUN_SUDO 35 | PREFER_KSU=0 36 | echo "${0}: No Kerberos ticket available. 
Will not use ksu." 37 | fi 38 | fi 39 | 40 | if [ -z "$RUN_SUDO" ] 41 | then 42 | echo "${0}: this test must run be as root, or RUN_SUDO=... " >&2 43 | echo " must be set correctly in 't_server_null.rc'. SKIP." >&2 44 | exit "${TSERVER_NULL_SKIP_RC}" 45 | else 46 | # Run a no-op command with privilege escalation (e.g. sudo) so that 47 | # we (hopefully) do not have to ask the users password during the test. 48 | if $RUN_SUDO "${KILL_EXEC}" -0 $$ 49 | then 50 | echo "${0}: $RUN_SUDO $KILL_EXEC -0 succeeded, good." 51 | else 52 | echo "${0}: $RUN_SUDO $KILL_EXEC -0 failed, cannot go on. SKIP." >&2 53 | exit "${TSERVER_NULL_SKIP_RC}" 54 | fi 55 | fi 56 | fi 57 | 58 | srcdir="${srcdir:-.}" 59 | export t_server_null_logdir=t_server_null-`hostname`-`date +%Y%m%d-%H%M%S` 60 | 61 | # Create directory for server and client logs 62 | mkdir $t_server_null_logdir 63 | 64 | "${srcdir}/t_server_null_server.sh" & 65 | T_SERVER_NULL_SERVER_PID=$! 66 | 67 | "${srcdir}/t_server_null_client.sh" 68 | retval=$? 69 | 70 | # When running make jobs in parallel ("make -j check") we need to ensure 71 | # that this script does not exit before all --dev null servers are dead and 72 | # their network interfaces are gone. Otherwise t_client.sh will fail because 73 | # pre and post ifconfig output does not match. 74 | wait $T_SERVER_NULL_SERVER_PID 75 | 76 | if [ $? -ne 0 ]; then 77 | exit 1 78 | else 79 | exit $retval 80 | fi 81 | -------------------------------------------------------------------------------- /tests/t_server_null_stress.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Run this stress test as root to avoid sudo authorization from timing out. 4 | 5 | ITERATIONS="${1:-100}" 6 | 7 | . 
./t_server_null_default.rc 8 | 9 | export pid_files="" 10 | for SUF in $TEST_SERVER_LIST 11 | do 12 | eval server_name=\"\$SERVER_NAME_$SUF\" 13 | pid_files="${pid_files} ./${server_name}.pid" 14 | done 15 | 16 | LOG_BASEDIR="make-check" 17 | mkdir -p "${LOG_BASEDIR}" 18 | 19 | count=0 20 | while [ $count -lt $ITERATIONS ]; do 21 | count=$(( count + 1 )) 22 | make check TESTS=t_server_null.sh SUBDIRS= > /dev/null 2>&1 23 | retval=$? 24 | 25 | echo "Iteration ${count}: return value ${retval}" >> "${LOG_BASEDIR}/make-check.log" 26 | if [ $retval -ne 0 ]; then 27 | DIR="${LOG_BASEDIR}/make-check-${count}" 28 | mkdir -p "${DIR}" 29 | cp t_server_null*.log "${DIR}/" 30 | cp test-suite.log "${DIR}/" 31 | ps aux|grep openvpn|grep -vE '(suppress|grep)' > "${DIR}/psaux" 32 | fi 33 | done 34 | -------------------------------------------------------------------------------- /tests/unit_tests/Makefile.am: -------------------------------------------------------------------------------- 1 | AUTOMAKE_OPTIONS = foreign 2 | 3 | if ENABLE_UNITTESTS 4 | SUBDIRS = example_test openvpn plugins 5 | endif 6 | -------------------------------------------------------------------------------- /tests/unit_tests/README.md: -------------------------------------------------------------------------------- 1 | Unit Tests 2 | =========== 3 | 4 | This directory contains unit tests for openvpn. New features/bugfixes should be written in a test friendly way and come with corresponding tests. 5 | 6 | Run tests 7 | ---------- 8 | 9 | Tests are run by `make check`. A failed tests stops test execution. To run all 10 | tests regardless of errors call `make -k check`. 11 | 12 | Add new tests to existing test suite 13 | ------------------------------------- 14 | 15 | Test suites are organized in directories. [example_test/](example_test/) is an example 16 | for a test suite with two test executables. Feel free to use it as a template for new tests. 
17 | 18 | Test suites 19 | -------------------- 20 | 21 | Test suites live inside a subdirectory of `$ROOT/tests/unit_tests`, e.g. `$ROOT/tests/unit_tests/my_feature`. 22 | 23 | Test suites are configured by a `Makefile.am`. Tests are executed by testdrivers. One testsuite can contain more than one testdriver. 24 | 25 | ### Hints 26 | * Name suites & testdrivers in a way that the name of the driver says something about which component/feature is tested 27 | * Name the testdriver executable `*_testdriver`. This way it gets picked up by the default `.gitignore` 28 | * If this is not feasible: Add all output to a `.gitignore` * Use descriptive test names: `coffee_brewing__with_no_beans__fails` vs. `test34` 29 | * Testing a configurable feature? Wrap test execution with a conditional (see [auth_pam](plugins/auth-pam/Makefile.am) for an example) 30 | * Add multiple test-drivers when one testdriver looks crowded with tests 31 | 32 | ### New Test Suites 33 | 1. Organize tests in folders for features. 34 | 2. Add the new test directory to `SUBDIRS` in `Makefile.am` 35 | 3. Edit `configure.ac` and add the new `Makefile` to `AC_CONFIG_FILES` 36 | 4. Run `./configure`, and *enable* the feature you'd like to test 37 | 5. Make sure that `make check` runs your tests 38 | 6. Check: Would a stranger be able to easily find your tests by looking at the test output? 39 | 7. Run `./configure`, and *disable* the feature you'd like to test 40 | 8. 
Make sure that `make check` does *not run* your tests 41 | -------------------------------------------------------------------------------- /tests/unit_tests/example_test/Makefile.am: -------------------------------------------------------------------------------- 1 | AUTOMAKE_OPTIONS = foreign 2 | 3 | AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING) example Unit-Tests' 4 | 5 | check_PROGRAMS = example_testdriver example2_testdriver 6 | 7 | if !CROSS_COMPILING 8 | TESTS = $(check_PROGRAMS) 9 | endif 10 | 11 | example_testdriver_CFLAGS = @TEST_CFLAGS@ 12 | example_testdriver_LDFLAGS = @TEST_LDFLAGS@ 13 | example_testdriver_SOURCES = test.c 14 | 15 | example2_testdriver_CFLAGS = @TEST_CFLAGS@ 16 | example2_testdriver_LDFLAGS = @TEST_LDFLAGS@ 17 | example2_testdriver_SOURCES = test2.c 18 | -------------------------------------------------------------------------------- /tests/unit_tests/example_test/README.md: -------------------------------------------------------------------------------- 1 | This test only checks that test compilation works. This example contains two test executables. 2 | 3 | These tests can be used as template for 'real' tests. 
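4 | -------------------------------------------------------------------------------- /tests/unit_tests/example_test/test.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | /* Fixture setup: allocates an int holding 42 and hands it to the test through *state; returns non-zero when the allocation fails. */ 10 | static int 11 | setup(void **state) 12 | { 13 | int *answer = malloc(sizeof(int)); 14 | if (answer == NULL) { return -1; } /* do not dereference a failed allocation */ 15 | *answer = 42; 16 | *state = answer; 17 | 18 | return 0; 19 | } 20 | /* Fixture teardown: releases the int allocated by setup(). */ 21 | static int 22 | teardown(void **state) 23 | { 24 | free(*state); 25 | 26 | return 0; 27 | } 28 | /* Passes without checking anything. */ 29 | static void 30 | null_test_success(void **state) 31 | { 32 | (void) state; 33 | } 34 | /* Checks that the value prepared by setup() reaches the test as 42. */ 35 | static void 36 | int_test_success(void **state) 37 | { 38 | int *answer = *state; 39 | assert_int_equal(*answer, 42); 40 | } 41 | /* Deliberately failing test; its registration is commented out in main() below. */ 42 | __attribute__((unused)) 43 | static void 44 | failing_test(void **state) 45 | { 46 | /* This test fails on purpose, to check that make check reports a failure */ 47 | assert_int_equal(0, 42); 48 | } 49 | /* Runs the two passing tests as the cmocka group "success_test". */ 50 | int 51 | main(void) 52 | { 53 | const struct CMUnitTest tests[] = { 54 | cmocka_unit_test(null_test_success), 55 | cmocka_unit_test_setup_teardown(int_test_success, setup, teardown), 56 | /* cmocka_unit_test(failing_test), */ 57 | }; 58 | 59 | return cmocka_run_group_tests_name("success_test", tests, NULL, NULL); 60 | } 61 | -------------------------------------------------------------------------------- /tests/unit_tests/example_test/test2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | 11 | static void 12 | test_true(void **state) 13 | { 14 | (void) state; 15 | } 16 | 17 | 18 | int 19 | main(void) 20 | { 21 | const struct CMUnitTest tests[] = { 22 | cmocka_unit_test(test_true), 23 | }; 24 | 25 | return cmocka_run_group_tests_name("success_test2", tests, NULL, NULL); 26 | } 27 | 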
-------------------------------------------------------------------------------- /tests/unit_tests/openvpn/input/user_only.txt: -------------------------------------------------------------------------------- 1 | fuser 2 | -------------------------------------------------------------------------------- /tests/unit_tests/openvpn/input/user_pass.txt: -------------------------------------------------------------------------------- 1 | fuser 2 | fpassword 3 | -------------------------------------------------------------------------------- /tests/unit_tests/openvpn/mock_get_random.c: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2017-2021 Fox Crypto B.V. 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
22 | */ 23 | 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | /* Test mock: returns the next rand() value. rand() is not seeded in this file and is predictable, so this stand-in is unsuitable wherever unpredictable values are required. */ 32 | unsigned long 33 | get_random(void) 34 | { 35 | /* rand() is not very random, but it's C99 and this is just for testing */ 36 | return rand(); 37 | } 38 | /* Test mock: fills output[0] .. output[len - 1] with successive rand() values truncated to uint8_t; writes nothing when len <= 0. The bytes are predictable and must not be treated as key, nonce or other secret material. */ 39 | void 40 | prng_bytes(uint8_t *output, int len) 41 | { 42 | for (int i = 0; i < len; i++) 43 | { 44 | output[i] = (uint8_t)rand(); 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /tests/unit_tests/openvpn/mock_management.c: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2025 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
22 | */ 23 | 24 | /* Minimal set of mocked management function/globals to get unit tests to 25 | * compile */ 26 | 27 | #ifdef HAVE_CONFIG_H 28 | #include "config.h" 29 | #endif 30 | 31 | #include "syshead.h" 32 | 33 | #include "manage.h" 34 | 35 | #ifdef ENABLE_MANAGEMENT 36 | 37 | struct management *management; /* GLOBAL */ 38 | 39 | void 40 | management_auth_failure(struct management *man, const char *type, const char *reason) 41 | { 42 | ASSERT(false); 43 | } 44 | 45 | char * 46 | management_query_pk_sig(struct management *man, const char *b64_data, 47 | const char *algorithm) 48 | { 49 | return NULL; 50 | } 51 | #endif 52 | -------------------------------------------------------------------------------- /tests/unit_tests/openvpn/mock_msg.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2016-2021 Fox Crypto B.V. 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
22 | */ 23 | 24 | #ifndef MOCK_MSG_H 25 | #define MOCK_MSG_H 26 | 27 | /** 28 | * Mock debug level defaults to 0, which gives clean(-ish) test reports. Call 29 | * this function from your test driver to increase debug output when you 30 | * need debug output. 31 | */ 32 | void mock_set_debug_level(int level); 33 | 34 | #define MOCK_MSG_BUF 2048 35 | 36 | extern bool fatal_error_triggered; 37 | extern char mock_msg_buf[MOCK_MSG_BUF]; 38 | 39 | void 40 | mock_set_debug_level(int level); 41 | 42 | int 43 | mock_get_debug_level(void); 44 | 45 | void 46 | mock_set_print_debug_level(int level); 47 | 48 | #endif /* MOCK_MSG */ 49 | -------------------------------------------------------------------------------- /tests/unit_tests/openvpn/mock_ssl_dependencies.c: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2025 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
22 |  */
23 |
24 | /* Minimal set of mocked function/globals to get unit tests to
25 |  * compile that use the ssl_* files */
26 |
27 | #ifdef HAVE_CONFIG_H
28 | #include "config.h"
29 | #endif
30 |
31 | #include "syshead.h"
32 |
33 | #include
34 | #include
35 | /* NOTE(review): the two #include lines above carry no header name in this listing; the angle-bracket text appears to have been lost. assert_true()/assert_false() below look like cmocka macros, so these are presumably the setjmp and cmocka headers -- confirm against the repository. */
36 |
37 | #include "ssl.h"
38 | #include "ssl_verify.h"
39 |
40 | int
41 | parse_line(const char *line, char **p, const int n, const char *file,
42 |            const int line_num, int msglevel, struct gc_arena *gc)
43 | {
44 |     /* Dummy function to get the linker happy, should never be called */
45 |     assert_true(false);
46 |     return 0; /* only reached if assert_true() returns */
47 | }
48 |
49 | /* Mock: always returns 0 and never writes to buf, so no passphrase reaches the caller (0 is presumably read as "no passphrase" -- confirm against the real callback). */
50 | int
51 | pem_password_callback(char *buf, int size, int rwflag, void *u)
52 | {
53 |     return 0;
54 | }
55 | /* Mock: stores nothing; assert_false(true) marks any call as a test failure. */
56 | void
57 | cert_hash_remember(struct tls_session *session, const int cert_depth,
58 |                    const struct buffer *cert_hash)
59 | {
60 |     assert_false(true);
61 | }
62 | /* Mock: returns FAILURE for every certificate, whatever session, cert and cert_depth are. The stub fails closed, so a test cannot pass certificate verification through it by accident. */
63 | result_t
64 | verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_depth)
65 | {
66 |     return FAILURE;
67 | }
68 |
--------------------------------------------------------------------------------
/tests/unit_tests/openvpn/mock_win32_execve.c:
--------------------------------------------------------------------------------
1 | /*
2 |  * OpenVPN -- An application to securely tunnel IP networks
3 |  * over a single TCP/UDP port, with support for SSL/TLS-based
4 |  * session authentication and key exchange,
5 |  * packet encryption, packet authentication, and
6 |  * packet compression.
7 |  *
8 |  * Copyright (C) 2023-2025 OpenVPN Inc
9 |  * Copyright (C) 2023-2025 Arne Schwabe
10 |  *
11 |  *
12 |  * This program is free software; you can redistribute it and/or modify
13 |  * it under the terms of the GNU General Public License version 2
14 |  * as published by the Free Software Foundation.
15 |  *
16 |  * This program is distributed in the hope that it will be useful,
17 |  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 |  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 |  * GNU General Public License for more details.
20 |  *
21 |  * You should have received a copy of the GNU General Public License along
22 |  * with this program; if not, write to the Free Software Foundation, Inc.,
23 |  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 |  */
25 |
26 | #include "config.h"
27 | #include "syshead.h"
28 |
29 | #include "win32.h"
30 | /* Mock: compiled only when _WIN32 is defined; it launches nothing, and ASSERT(0) flags any call. NOTE(review): the function is declared int but has no return statement, which is only well-defined if ASSERT(0) never returns -- confirm, or add a return after it as parse_line() in mock_ssl_dependencies.c does. */
31 | #ifdef _WIN32
32 | int
33 | openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned int flags)
34 | {
35 |     ASSERT(0);
36 | }
37 | #endif
38 |
--------------------------------------------------------------------------------
/tests/unit_tests/plugins/Makefile.am:
--------------------------------------------------------------------------------
1 | AUTOMAKE_OPTIONS = foreign
2 |
3 | SUBDIRS = auth-pam
4 |
--------------------------------------------------------------------------------
/tests/unit_tests/plugins/auth-pam/Makefile.am:
--------------------------------------------------------------------------------
1 | AUTOMAKE_OPTIONS = foreign
2 |
3 | AM_TESTSUITE_SUMMARY_HEADER = ' for $(PACKAGE_STRING) auth_pam Plugin Unit-Tests'
4 |
5 | if ENABLE_PLUGIN_AUTH_PAM
6 | check_PROGRAMS = auth_pam_testdriver
7 | TESTS = $(check_PROGRAMS)
8 | endif
9 |
10 | auth_pam_testdriver_SOURCES = test_search_and_replace.c $(top_srcdir)/src/plugins/auth-pam/utils.h $(top_srcdir)/src/plugins/auth-pam/utils.c
11 | auth_pam_testdriver_CFLAGS = @TEST_CFLAGS@ -I$(top_srcdir)/src/plugins/auth-pam
12 | auth_pam_testdriver_LDFLAGS = @TEST_LDFLAGS@
13 |
--------------------------------------------------------------------------------
/tests/update_t_client_ips.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | #
3 | # This --up
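script caches the IPs handed out by the test VPN server to a file
4 | # for later use.
5 | # Reads from the environment: TOP_BUILDDIR, TESTNUM, ifconfig_local, ifconfig_ipv6_local.
6 | RC="$TOP_BUILDDIR/t_client_ips.rc"
7 | # An entry is appended only if none exists yet for this TESTNUM. Expansions are quoted so that a build directory containing spaces or glob characters stays a single argument.
8 | grep "EXPECT_IFCONFIG4_$TESTNUM=" "$RC" > /dev/null 2>&1
9 | if [ $? -ne 0 ]; then
10 |     echo "EXPECT_IFCONFIG4_$TESTNUM=$ifconfig_local" >> "$RC"
11 | fi
12 | # NOTE(review): the recorded values originate from the VPN server. If this .rc file is later sourced by a shell, confirm that they can only be address literals before they are written here.
13 | grep "EXPECT_IFCONFIG6_$TESTNUM=" "$RC" > /dev/null 2>&1
14 | if [ $? -ne 0 ]; then
15 |     echo "EXPECT_IFCONFIG6_$TESTNUM=$ifconfig_ipv6_local" >> "$RC"
16 | fi
17 |
--------------------------------------------------------------------------------
/version.m4:
--------------------------------------------------------------------------------
1 | dnl define the OpenVPN version
2 | define([PRODUCT_NAME], [OpenVPN])
3 | define([PRODUCT_TARNAME], [openvpn])
4 | define([PRODUCT_VERSION_MAJOR], [2])
5 | define([PRODUCT_VERSION_MINOR], [7])
6 | define([PRODUCT_VERSION_PATCH], [_alpha1])
7 | m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
8 | m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
9 | m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
10 | define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
11 | define([PRODUCT_VERSION_RESOURCE], [2,7,0,0])
12 | dnl define the TAP version
13 | define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
14 | define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])
15 | define([PRODUCT_TAP_WIN_MIN_MINOR], [9])
16 |
--------------------------------------------------------------------------------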