├── .git-blame-ignore-revs ├── .gitattributes ├── .github ├── ISSUE_TEMPLATE │ └── bug_report.md ├── PULL_REQUEST_TEMPLATE.md └── workflows │ └── build.yaml ├── .gitignore ├── .mailmap ├── .svncommitters ├── .travis.yml ├── .travis ├── build-check.sh ├── build-deps.sh └── coverity.sh ├── AUTHORS ├── CONTRIBUTING.rst ├── COPYING ├── COPYRIGHT.GPL ├── ChangeLog ├── Changes.rst ├── INSTALL ├── Makefile.am ├── NEWS ├── PORTS ├── README ├── README.dco.md ├── README.ec ├── README.mbedtls ├── README.wolfssl ├── build ├── Makefile.am ├── ltrc.inc └── msvc │ ├── Makefile.am │ └── msvc-generate │ ├── Makefile.am │ ├── Makefile.mak │ ├── git-version.py │ ├── msvc-generate.js │ ├── msvc-generate.vcxproj │ └── version.m4.in ├── compat.m4 ├── config-msvc-version.h.in ├── config-msvc.h ├── configure.ac ├── contrib ├── OCSP_check │ └── OCSP_check.sh ├── README ├── extract-crl │ └── extractcrl.py ├── multilevel-init.patch ├── openvpn-fwmarkroute-1.00 │ ├── README │ ├── fwmarkroute.down │ └── fwmarkroute.up ├── pull-resolv-conf │ ├── client.down │ └── client.up ├── vcpkg-ports │ └── pkcs11-helper │ │ ├── 0001-nmake-compatibility-with-vcpkg-nmake.patch │ │ ├── 0002-config-w32-vc.h.in-indicate-OpenSSL.patch │ │ ├── CONTROL │ │ ├── pkcs11-helper-001-RFC7512.patch │ │ ├── pkcs11-helper-002-dynamic_loader_flags.patch │ │ └── portfile.cmake └── vcpkg-triplets │ ├── arm64-windows-ovpn.cmake │ ├── x64-windows-ovpn.cmake │ └── x86-windows-ovpn.cmake ├── debug ├── doval ├── dovalns └── valgrind-suppress ├── dev-tools ├── gen-release-tarballs.sh ├── git-pre-commit-uncrustify.sh ├── reformat-all.sh ├── special-files.lst ├── uncrustify.conf └── update-copyright.sh ├── distro ├── Makefile.am └── systemd │ ├── Makefile.am │ ├── README.systemd │ ├── openvpn-client@.service.in │ ├── openvpn-server@.service.in │ └── tmpfiles-openvpn.conf ├── doc ├── Makefile.am ├── README.man ├── README.plugins ├── android.txt ├── doxygen │ ├── Makefile.am │ ├── doc_compression.h │ ├── doc_control_processor.h │ ├── 
doc_control_tls.h │ ├── doc_data_control.h │ ├── doc_data_crypto.h │ ├── doc_eventloop.h │ ├── doc_external_multiplexer.h │ ├── doc_fragmentation.h │ ├── doc_internal_multiplexer.h │ ├── doc_key_generation.h │ ├── doc_mainpage.h │ ├── doc_memory_management.h │ ├── doc_protocol_overview.h │ ├── doc_reliable.h │ ├── doc_tunnel_state.h │ └── openvpn.doxyfile.in ├── gui-notes.txt ├── interactive-service-notes.rst ├── keying-material-exporter.txt ├── man-sections │ ├── advanced-options.rst │ ├── cipher-negotiation.rst │ ├── client-options.rst │ ├── connection-profiles.rst │ ├── encryption-options.rst │ ├── example-fingerprint.rst │ ├── examples.rst │ ├── generic-options.rst │ ├── inline-files.rst │ ├── link-options.rst │ ├── log-options.rst │ ├── management-options.rst │ ├── network-config.rst │ ├── pkcs11-options.rst │ ├── plugin-options.rst │ ├── protocol-options.rst │ ├── proxy-options.rst │ ├── renegotiation.rst │ ├── script-options.rst │ ├── server-options.rst │ ├── signals.rst │ ├── tls-options.rst │ ├── unsupported-options.rst │ ├── virtual-routing-and-forwarding.rst │ ├── vpn-network-options.rst │ └── windows-options.rst ├── management-notes.txt ├── openvpn-examples.5.rst ├── openvpn.8.rst ├── tests │ └── authentication-plugins.md └── tls-crypt-v2.txt ├── include ├── Makefile.am ├── openvpn-msg.h └── openvpn-plugin.h.in ├── m4 ├── .keep ├── ax_socklen_t.m4 └── pkg.m4 ├── openvpn.sln ├── sample ├── Makefile.am ├── sample-config-files │ ├── README │ ├── client.conf │ ├── firewall.sh │ ├── home.up │ ├── loopback-client │ ├── loopback-server │ ├── office.up │ ├── openvpn-shutdown.sh │ ├── openvpn-startup.sh │ ├── server.conf │ ├── tls-home.conf │ └── tls-office.conf ├── sample-keys │ ├── README │ ├── ca.crt │ ├── ca.key │ ├── client-ec.crt │ ├── client-ec.key │ ├── client-pass.key │ ├── client.crt │ ├── client.key │ ├── client.p12 │ ├── dh2048.pem │ ├── gen-sample-keys.sh │ ├── openssl.cnf │ ├── server-ec.crt │ ├── server-ec.key │ ├── server.crt │ ├── server.key │ 
└── ta.key ├── sample-plugins │ ├── Makefile.am │ ├── Makefile.plugins │ ├── README │ ├── client-connect │ │ ├── README │ │ └── sample-client-connect.c │ ├── defer │ │ ├── multi-auth.c │ │ └── winbuild │ ├── keying-material-exporter-demo │ │ ├── README │ │ ├── client.ovpn │ │ ├── http-client.py │ │ ├── http-server.py │ │ ├── keyingmaterialexporter.c │ │ └── server.ovpn │ ├── log │ │ ├── log.c │ │ ├── log_v3.c │ │ └── winbuild │ └── simple │ │ ├── base64.c │ │ ├── simple.c │ │ ├── simple.def │ │ └── winbuild ├── sample-scripts │ ├── auth-pam.pl │ ├── bridge-start │ ├── bridge-stop │ ├── totpauth.py │ ├── ucn.pl │ └── verify-cn └── sample-windows │ └── sample.ovpn ├── src ├── Makefile.am ├── compat │ ├── Debug.props │ ├── Makefile.am │ ├── PropertySheet.props │ ├── Release.props │ ├── compat-basename.c │ ├── compat-daemon.c │ ├── compat-dirname.c │ ├── compat-gettimeofday.c │ ├── compat-strsep.c │ ├── compat-versionhelpers.h │ ├── compat.h │ └── compat.vcxproj ├── openvpn │ ├── Makefile.am │ ├── argv.c │ ├── argv.h │ ├── auth_token.c │ ├── auth_token.h │ ├── base64.c │ ├── base64.h │ ├── basic.h │ ├── block_dns.c │ ├── block_dns.h │ ├── buffer.c │ ├── buffer.h │ ├── circ_list.h │ ├── clinat.c │ ├── clinat.h │ ├── common.h │ ├── comp-lz4.c │ ├── comp-lz4.h │ ├── comp.c │ ├── comp.h │ ├── compstub.c │ ├── console.c │ ├── console.h │ ├── console_builtin.c │ ├── console_systemd.c │ ├── crypto.c │ ├── crypto.h │ ├── crypto_backend.h │ ├── crypto_mbedtls.c │ ├── crypto_mbedtls.h │ ├── crypto_openssl.c │ ├── crypto_openssl.h │ ├── cryptoapi.c │ ├── cryptoapi.h │ ├── dco.c │ ├── dco.h │ ├── dco_freebsd.c │ ├── dco_freebsd.h │ ├── dco_internal.h │ ├── dco_linux.c │ ├── dco_linux.h │ ├── dco_win.c │ ├── dco_win.h │ ├── dhcp.c │ ├── dhcp.h │ ├── dns.c │ ├── dns.h │ ├── env_set.c │ ├── env_set.h │ ├── errlevel.h │ ├── error.c │ ├── error.h │ ├── event.c │ ├── event.h │ ├── fdmisc.c │ ├── fdmisc.h │ ├── forward.c │ ├── forward.h │ ├── fragment.c │ ├── fragment.h │ ├── gremlin.c │ 
├── gremlin.h │ ├── helper.c │ ├── helper.h │ ├── httpdigest.c │ ├── httpdigest.h │ ├── init.c │ ├── init.h │ ├── integer.h │ ├── interval.c │ ├── interval.h │ ├── list.c │ ├── list.h │ ├── lladdr.c │ ├── lladdr.h │ ├── lzo.c │ ├── lzo.h │ ├── manage.c │ ├── manage.h │ ├── mbuf.c │ ├── mbuf.h │ ├── memdbg.h │ ├── misc.c │ ├── misc.h │ ├── mroute.c │ ├── mroute.h │ ├── mss.c │ ├── mss.h │ ├── mstats.c │ ├── mstats.h │ ├── mtcp.c │ ├── mtcp.h │ ├── mtu.c │ ├── mtu.h │ ├── mudp.c │ ├── mudp.h │ ├── multi.c │ ├── multi.h │ ├── networking.h │ ├── networking_freebsd.c │ ├── networking_iproute2.c │ ├── networking_iproute2.h │ ├── networking_sitnl.c │ ├── networking_sitnl.h │ ├── ntlm.c │ ├── ntlm.h │ ├── occ.c │ ├── occ.h │ ├── openssl_compat.h │ ├── openvpn.c │ ├── openvpn.h │ ├── openvpn.manifest │ ├── openvpn.vcxproj │ ├── openvpn_win32_resources.rc │ ├── options.c │ ├── options.h │ ├── options_util.c │ ├── options_util.h │ ├── otime.c │ ├── otime.h │ ├── ovpn_dco_freebsd.h │ ├── ovpn_dco_linux.h │ ├── ovpn_dco_win.h │ ├── packet_id.c │ ├── packet_id.h │ ├── perf.c │ ├── perf.h │ ├── ping.c │ ├── ping.h │ ├── pkcs11.c │ ├── pkcs11.h │ ├── pkcs11_backend.h │ ├── pkcs11_mbedtls.c │ ├── pkcs11_openssl.c │ ├── platform.c │ ├── platform.h │ ├── plugin.c │ ├── plugin.h │ ├── pool.c │ ├── pool.h │ ├── proto.c │ ├── proto.h │ ├── proxy.c │ ├── proxy.h │ ├── ps.c │ ├── ps.h │ ├── push.c │ ├── push.h │ ├── pushlist.h │ ├── reflect_filter.c │ ├── reflect_filter.h │ ├── reliable.c │ ├── reliable.h │ ├── ring_buffer.h │ ├── route.c │ ├── route.h │ ├── run_command.c │ ├── run_command.h │ ├── schedule.c │ ├── schedule.h │ ├── session_id.c │ ├── session_id.h │ ├── shaper.c │ ├── shaper.h │ ├── sig.c │ ├── sig.h │ ├── socket.c │ ├── socket.h │ ├── socks.c │ ├── socks.h │ ├── ssl.c │ ├── ssl.h │ ├── ssl_backend.h │ ├── ssl_common.h │ ├── ssl_mbedtls.c │ ├── ssl_mbedtls.h │ ├── ssl_ncp.c │ ├── ssl_ncp.h │ ├── ssl_openssl.c │ ├── ssl_openssl.h │ ├── ssl_pkt.c │ ├── ssl_pkt.h │ ├── 
ssl_util.c │ ├── ssl_util.h │ ├── ssl_verify.c │ ├── ssl_verify.h │ ├── ssl_verify_backend.h │ ├── ssl_verify_mbedtls.c │ ├── ssl_verify_mbedtls.h │ ├── ssl_verify_openssl.c │ ├── ssl_verify_openssl.h │ ├── status.c │ ├── status.h │ ├── syshead.h │ ├── tls_crypt.c │ ├── tls_crypt.h │ ├── tun.c │ ├── tun.h │ ├── vcpkg.json │ ├── vlan.c │ ├── vlan.h │ ├── win32-util.c │ ├── win32-util.h │ ├── win32.c │ ├── win32.h │ ├── xkey_common.h │ ├── xkey_helper.c │ └── xkey_provider.c ├── openvpnmsica │ ├── Makefile.am │ ├── dllmain.c │ ├── msica_arg.c │ ├── msica_arg.h │ ├── msiex.c │ ├── msiex.h │ ├── openvpnmsica-Debug.props │ ├── openvpnmsica-Release.props │ ├── openvpnmsica.c │ ├── openvpnmsica.h │ ├── openvpnmsica.props │ ├── openvpnmsica.vcxproj │ └── openvpnmsica_resources.rc ├── openvpnserv │ ├── Makefile.am │ ├── common.c │ ├── interactive.c │ ├── openvpnserv.vcxproj │ ├── openvpnserv_resources.rc │ ├── service.c │ ├── service.h │ ├── validate.c │ └── validate.h ├── plugins │ ├── Makefile.am │ ├── auth-pam │ │ ├── Makefile.am │ │ ├── README.auth-pam │ │ ├── auth-pam.c │ │ ├── auth-pam.exports │ │ ├── pamdl.c │ │ ├── pamdl.h │ │ ├── utils.c │ │ └── utils.h │ └── down-root │ │ ├── Makefile.am │ │ ├── README.down-root │ │ ├── down-root.c │ │ └── down-root.exports └── tapctl │ ├── Makefile.am │ ├── basic.h │ ├── error.c │ ├── error.h │ ├── main.c │ ├── tap.c │ ├── tap.h │ ├── tapctl.exe.manifest │ ├── tapctl.props │ ├── tapctl.vcxproj │ └── tapctl_resources.rc ├── tests ├── Makefile.am ├── t_client.rc-sample ├── t_client.sh.in ├── t_cltsrv-down.sh ├── t_cltsrv.sh ├── t_lpback.sh ├── t_net.sh ├── unit_tests │ ├── Makefile.am │ ├── README.md │ ├── engine-key │ │ ├── Makefile.am │ │ ├── check_engine_keys.sh │ │ ├── libtestengine.c │ │ └── openssl.cnf.in │ ├── example_test │ │ ├── Makefile.am │ │ ├── README.md │ │ ├── test.c │ │ └── test2.c │ ├── openvpn │ │ ├── Makefile.am │ │ ├── mock_get_random.c │ │ ├── mock_msg.c │ │ ├── mock_msg.h │ │ ├── test_argv.c │ │ ├── 
test_auth_token.c │ │ ├── test_buffer.c │ │ ├── test_crypto.c │ │ ├── test_misc.c │ │ ├── test_ncp.c │ │ ├── test_networking.c │ │ ├── test_packet_id.c │ │ ├── test_pkt.c │ │ ├── test_provider.c │ │ └── test_tls_crypt.c │ └── plugins │ │ ├── Makefile.am │ │ └── auth-pam │ │ ├── Makefile.am │ │ └── test_search_and_replace.c └── update_t_client_ips.sh ├── version.m4 └── version.sh.in /.git-blame-ignore-revs: -------------------------------------------------------------------------------- 1 | # This FILE allows git blame to ignore reformatting changes and instead 2 | # shows the previous commit that changed the line. 3 | # 4 | # To avoid manually building the list of commits this commit 5 | # adds a file with a list of reformatting commits. TO use: 6 | # 7 | # git blame --ignore-revs-file=.git-blame-ignore-revs file 8 | # 9 | # or to automatically always use the file 10 | # 11 | # git config blame.ignoreRevsFile .git-blame-ignore-revs 12 | 13 | # Uncrustify 2020/06... (engine, pool, SSO) 14 | c1ff8f247f91c88a2df5502eeedf42857f9a6831 15 | 16 | # Uncrustify the tests/unit_tests/ part of our tree. 17 | da1574ef7826d73f01e120cbd1ba40ce39a305b7 18 | 19 | # Another round of uncrustify code cleanup. 20 | 9cf7b4925a54d93fbea1cadcf3dc0e11f3ce358f 21 | 22 | # networking_sitnl.c: uncrustify file 23 | 2c45d268ca65c522fbabb7c4dab5e721296b4623 24 | 25 | # Uncrustify tapctl and openvpnmsica 26 | 6280d3d5536174934ee22d3840457d61896e0e3a 27 | 28 | # tun.c: uncrustify 29 | baef44fc8769bbd99f4d699ce9f63180c29a5455 30 | 31 | # networking_sitnl.c: uncrustify file 32 | 2c45d268ca65c522fbabb7c4dab5e721296b4623 33 | 34 | # uncrustify openvpn sources 35 | f57431cdc88f22fa4d7962946f0d3187fe058539 36 | 37 | # More broadly enforce Allman style and braces-around-conditionals 38 | 4cd4899e8e80efae03c584a760fd107251735723 39 | 40 | # The Great Reformatting - first phase 41 | 81d882d5302b8b647202a6893b57dfdc61fd6df2 42 | 43 | # Fix trailing-whitespace errors in last patch. 
44 | 3282632d9325267c850072db7545a884a1637f51 45 | 46 | # The Great Reformatting of 2022 47 | abe49856d81f51136d543539202a0bf8fb946474 48 | 49 | # Reformat for sp_after_comma=add 50 | e51d9a73693ee742b36e19fb1718e5e27167831d 51 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | *.c eol=lf 2 | *.h eol=lf 3 | *.rc eol=lf 4 | *.txt eol=lf 5 | *.bat eol=lf 6 | *.vc*proj* eol=crlf 7 | *.sln eol=crlf 8 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: '' 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Describe the bug** 11 | A clear and concise description of what the bug is. 12 | 13 | **To Reproduce** 14 | Steps to reproduce the behavior. Please make sure to not post any secrets like keys and passwords. 15 | 16 | **Expected behavior** 17 | A clear and concise description of what you expected to happen. 18 | 19 | **Version information (please complete the following information):** 20 | - OS: [e.g. Ubuntu 22.04] 21 | - OpenVPN version: [e.g. 2.5.8] 22 | - Repeat for peer if relevant 23 | 24 | **Additional context** 25 | Add any other context about the problem here. 26 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | # Thank you for your contribution 2 | 3 | You are welcome to open PR, but they are used for discussion only. 
All 4 | patches must eventually go to the openvpn-devel mailing list for review: 5 | 6 | * https://lists.sourceforge.net/lists/listinfo/openvpn-devel 7 | 8 | Please send your patch using [git-send-email](https://git-scm.com/docs/git-send-email). For example to send your latest commit to the list: 9 | 10 | $ git send-email --to=openvpn-devel@lists.sourceforge.net HEAD~1 11 | 12 | For details, see these Wiki articles: 13 | 14 | * https://community.openvpn.net/openvpn/wiki/DeveloperDocumentation 15 | * https://community.openvpn.net/openvpn/wiki/Contributing 16 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.[oa] 2 | *.l[oa] 3 | *.dll 4 | *.exe 5 | *.exe.* 6 | *.obj 7 | *.pyc 8 | *.so 9 | *~ 10 | *.idb 11 | *.suo 12 | *.ncb 13 | *.vcproj.* 14 | *.vcxproj.user 15 | *.sln.cache 16 | *.log 17 | Release 18 | Debug 19 | Win32-Output 20 | .vs 21 | .deps 22 | .libs 23 | Makefile 24 | Makefile.in 25 | aclocal.m4 26 | autodefs.h 27 | autom4te.cache 28 | config.guess 29 | config.h 30 | config.h.in 31 | config.log 32 | config.status 33 | config.sub 34 | configure 35 | configure.h 36 | depcomp 37 | stamp-h1 38 | install-sh 39 | missing 40 | ltmain.sh 41 | libtool 42 | m4/libtool.m4 43 | m4/ltoptions.m4 44 | m4/ltsugar.m4 45 | m4/ltversion.m4 46 | m4/lt~obsolete.m4 47 | vcpkg_installed 48 | 49 | version.sh 50 | msvc-env-local.bat 51 | config-msvc-local.h 52 | config-msvc-version.h 53 | doc/openvpn-examples.5 54 | doc/openvpn-examples.5.html 55 | doc/openvpn.8 56 | doc/openvpn.8.html 57 | /doc/doxygen/html/ 58 | /doc/doxygen/latex/ 59 | /doc/doxygen/openvpn.doxyfile 60 | distro/systemd/*.service 61 | sample/sample-keys/sample-ca/ 62 | vendor/cmocka_build 63 | vendor/dist 64 | build/msvc/msvc-generate/version.m4 65 | 66 | tests/t_client.sh 67 | tests/t_client-*-20??????-??????/ 68 | t_client.rc 69 | t_client_ips.rc 70 | 
tests/unit_tests/**/*_testdriver 71 | tests/unit_tests/engine-key/client.key 72 | tests/unit_tests/engine-key/log.txt 73 | tests/unit_tests/engine-key/openssl.cnf 74 | tests/unit_tests/engine-key/passwd 75 | 76 | src/openvpn/openvpn 77 | include/openvpn-plugin.h 78 | config-version.h 79 | nbproject 80 | test-driver 81 | compile 82 | stamp-h2 83 | -------------------------------------------------------------------------------- /.mailmap: -------------------------------------------------------------------------------- 1 | Adriaan de Jong 2 | David Sommerseth 3 | Gert Doering 4 | Gert Doering 5 | Gert Doering 6 | Gert Doering 7 | James Yonan 8 | Jan Just Keijser 9 | JuanJo Ciarlante 10 | Karl O. Pinc 11 | Robert Fischer 12 | Samuli Seppänen 13 | Seth Mos 14 | -------------------------------------------------------------------------------- /.svncommitters: -------------------------------------------------------------------------------- 1 | james = James Yonan 2 | -------------------------------------------------------------------------------- /.travis/build-check.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -eux 3 | 4 | if [ "${TRAVIS_OS_NAME}" = "windows" ]; then 5 | PATH="/c/Program Files (x86)/Microsoft Visual Studio/2019/BuildTools/MSBuild/Current/Bin/":$PATH 6 | MSBuild.exe openvpn.sln //p:Platform=x64 && exit 0 7 | fi 8 | 9 | autoreconf -vi 10 | 11 | if [ -z ${CHOST+x} ]; then 12 | if [ "${TRAVIS_OS_NAME}" = "linux" ]; then 13 | export EXTRA_CONFIG="${EXTRA_CONFIG:-} --enable-werror" 14 | fi 15 | ./configure --with-crypto-library="${SSLLIB}" ${EXTRA_CONFIG:-} || (cat config.log && exit 1) 16 | make LDFLAGS="-Wl,-rpath,${PREFIX}/lib" -j$JOBS 17 | src/openvpn/openvpn --version || true 18 | if [ "${TRAVIS_OS_NAME}" = "linux" ]; then 19 | ldd src/openvpn/openvpn; 20 | fi 21 | if [ "${TRAVIS_OS_NAME}" = "osx" ]; then otool -L src/openvpn/openvpn; fi 22 | make check 23 | ${EXTRA_SCRIPT:-} 24 | else 25 | 
export TAP_CFLAGS="-I${PWD}/tap-windows-${TAP_WINDOWS_VERSION}/include" 26 | export LZO_CFLAGS="-I${PREFIX}/include" 27 | export LZO_LIBS="-L${PREFIX}/lib -llzo2" 28 | export PKCS11_HELPER_LIBS="-L${PREFIX}/lib -lpkcs11-helper" 29 | export PKCS11_HELPER_CFLAGS="-I${PREFIX}/include" 30 | ./configure --with-crypto-library="${SSLLIB}" --host=${CHOST} --build=x86_64-pc-linux-gnu --enable-pkcs11 --disable-plugins || (cat config.log && exit 1) 31 | make -j${JOBS} 32 | fi 33 | -------------------------------------------------------------------------------- /.travis/coverity.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | set -eu 3 | 4 | RUN_COVERITY="${RUN_COVERITY:-0}" 5 | 6 | export COVERITY_SCAN_PROJECT_NAME="OpenVPN/openvpn" 7 | export COVERITY_SCAN_BRANCH_PATTERN="release\/2.4" 8 | export COVERITY_SCAN_NOTIFICATION_EMAIL="scan-reports@openvpn.net" 9 | export COVERITY_SCAN_BUILD_COMMAND_PREPEND="autoreconf -vi && ./configure --enable-iproute2 && make clean" 10 | export COVERITY_SCAN_BUILD_COMMAND="make" 11 | 12 | if [ "${RUN_COVERITY}" = "1" ]; then 13 | # Ignore exit code, script exits with 1 if we're not on the right branch 14 | curl -s "https://scan.coverity.com/scripts/travisci_build_coverity_scan.sh" | bash || true 15 | else 16 | echo "Skipping coverity scan because \$RUN_COVERITY != \"1\"" 17 | fi 18 | -------------------------------------------------------------------------------- /AUTHORS: -------------------------------------------------------------------------------- 1 | James Yonan 2 | -------------------------------------------------------------------------------- /CONTRIBUTING.rst: -------------------------------------------------------------------------------- 1 | CONTRIBUTING TO THE OPENVPN PROJECT 2 | =================================== 3 | 4 | Patches should be written against the Git "master" branch. Some patches may get 5 | backported to a release branch. 
6 | 7 | The preferred procedure is to send patches to the "openvpn-devel" mailing list: 8 | 9 | - https://lists.sourceforge.net/lists/listinfo/openvpn-devel 10 | 11 | While we do not merge GitHub pull requests as-is, we do allow their use for code 12 | review purposes. After the patch has been ACKed (reviewed and accepted), it must 13 | be sent to the mailing list. This last step does not necessarily need to be done 14 | by the patch author, although that is definitely recommended. 15 | 16 | When sending patches to "openvpn-devel" the subject line should be prefixed with 17 | [PATCH]. To avoid merging issues the patches should be generated with 18 | git-format-patch or sent using git-send-email. Try to split large patches into 19 | small, atomic pieces to make reviews easier. 20 | 21 | Please make sure that the source code formatting follows the guidelines at 22 | https://community.openvpn.net/openvpn/wiki/CodeStyle. Automated checking can be 23 | done with uncrustify (http://uncrustify.sourceforge.net/) and the configuration 24 | file which can be found in the git repository at dev-tools/uncrustify.conf. 25 | There is also a git pre-commit hook script, which runs uncrustify automatically 26 | each time you commit and lets you format your code conveniently, if needed. 27 | To install the hook simply run: dev-tools/git-pre-commit-uncrustify.sh install 28 | 29 | If you want quick feedback on a patch before sending it to the openvpn-devel mailing 30 | list, you can visit the #openvpn-devel channel on irc.libera.chat. Note that 31 | you need to be logged in to Libera to join the channel: 32 | 33 | - https://libera.chat/guides/registration 34 | 35 | More detailed contribution instructions are available here: 36 | 37 | - https://community.openvpn.net/openvpn/wiki/DeveloperDocumentation 38 | 39 | Note that the process for contributing to other OpenVPN projects such as 40 | openvpn-build, openvpn-gui, tap-windows6 and easy-rsa may differ from what was 41 | described above. 
Please refer to the contribution instructions of each 42 | respective project. 43 | -------------------------------------------------------------------------------- /ChangeLog: -------------------------------------------------------------------------------- 1 | OpenVPN ChangeLog 2 | Copyright (C) 2002-2023 OpenVPN Inc 3 | 4 | This file is not maintained in this branch of the OpenVPN git repository. 5 | 6 | Release branches (release/2.5, release/2.4, etc) have individual ChangeLog 7 | files with all changes relevant for these releases. 8 | -------------------------------------------------------------------------------- /NEWS: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mullvad/openvpn/589cca156357e05c6c3f07517184157585c8e9fc/NEWS -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | OpenVPN -- A Secure tunneling daemon 2 | 3 | Copyright (C) 2002-2022 OpenVPN Inc. This program is free software; 4 | you can redistribute it and/or modify 5 | it under the terms of the GNU General Public License version 2 6 | as published by the Free Software Foundation. 7 | 8 | ************************************************************************* 9 | 10 | To get the latest release of OpenVPN, go to: 11 | 12 | https://openvpn.net/community-downloads/ 13 | 14 | To Build and Install, 15 | 16 | tar -zxf openvpn-.tar.gz 17 | cd openvpn- 18 | ./configure 19 | make 20 | make install 21 | 22 | or see the file INSTALL for more info. 
23 | 24 | ************************************************************************* 25 | 26 | For detailed information on OpenVPN, including examples, see the man page 27 | http://openvpn.net/man.html 28 | 29 | For a sample VPN configuration, see 30 | http://openvpn.net/howto.html 31 | 32 | To report an issue, see 33 | https://github.com/OpenVPN/openvpn/issues/new 34 | (Note: We recently switched to GitHub for reporting new issues, 35 | old issues can be found at: 36 | https://community.openvpn.net/openvpn/report) 37 | 38 | For a description of OpenVPN's underlying protocol, 39 | see the file ssl.h included in the source distribution. 40 | 41 | ************************************************************************* 42 | 43 | Other Files & Directories: 44 | 45 | * configure.ac -- script to rebuild our configure 46 | script and makefile. 47 | 48 | * sample/sample-scripts/verify-cn 49 | 50 | A sample perl script which can be used with OpenVPN's 51 | --tls-verify option to provide a customized authentication 52 | test on embedded X509 certificate fields. 53 | 54 | * sample/sample-keys/ 55 | 56 | Sample RSA keys and certificates. DON'T USE THESE FILES 57 | FOR ANYTHING OTHER THAN TESTING BECAUSE THEY ARE TOTALLY INSECURE. 58 | 59 | * sample/sample-config-files/ 60 | 61 | A collection of OpenVPN config files and scripts from 62 | the HOWTO at http://openvpn.net/howto.html 63 | 64 | ************************************************************************* 65 | 66 | Note that easy-rsa and tap-windows are now maintained in their own subprojects. 67 | Their source code is available here: 68 | 69 | https://github.com/OpenVPN/easy-rsa 70 | https://github.com/OpenVPN/tap-windows6 71 | 72 | The old cross-compilation environment (domake-win) and the Python-based 73 | buildsystem have been replaced with openvpn-build: 74 | 75 | https://github.com/OpenVPN/openvpn-build 76 | 77 | See the INSTALL file for usage information. 
78 | -------------------------------------------------------------------------------- /README.ec: -------------------------------------------------------------------------------- 1 | Since 2.4.0, OpenVPN has official support for elliptic curve crypto. Elliptic 2 | curves are an alternative to RSA for asymmetric encryption. 3 | 4 | Elliptic curve crypto ('ECC') can be used for the ('TLS') control channel only 5 | in OpenVPN; the data channel (encrypting the actual network traffic) uses 6 | symmetric encryption. ECC can be used in TLS for authentication (ECDSA) and key 7 | exchange (ECDH). 8 | 9 | Key exchange (ECDH) 10 | ------------------- 11 | OpenVPN 2.4.0 and newer automatically initialize ECDH parameters. When ECDSA is 12 | used for authentication, the curve used for the server certificate will be used 13 | for ECDH too. When autodetection fails (e.g. when using RSA certificates) 14 | OpenVPN lets the crypto library decide if possible, or falls back to the 15 | secp384r1 curve. The list of groups/curves that the crypto library will choose 16 | from can be set with the --tls-groups option. 17 | 18 | An administrator can force an OpenVPN/OpenSSL server to use a specific curve 19 | using the --ecdh-curve option with one of the curves listed as 20 | available by the --show-groups option. Clients will use the same curve as 21 | selected by the server. 22 | 23 | Note that not all curves listed by --show-groups are available for use with TLS; 24 | in that case connecting will fail with a 'no shared cipher' TLS error. 25 | 26 | Authentication (ECDSA) 27 | ---------------------- 28 | Since OpenVPN 2.4.0, using ECDSA certificates works 'out of the box'. Which 29 | specific curves and cipher suites are available depends on your version and 30 | configuration of the crypto library. The crypto library will automatically 31 | select a cipher suite for the TLS control channel. 
32 | 33 | Support for generating an ECDSA certificate chain is available in EasyRSA (in 34 | spite of its name) since EasyRSA 3.0. The parameters you're looking for are 35 | '--use-algo=ec' and '--curve='. See the EasyRSA documentation for 36 | more details on generating ECDSA certificates. 37 | -------------------------------------------------------------------------------- /README.mbedtls: -------------------------------------------------------------------------------- 1 | This version of OpenVPN has mbed TLS support. To enable it, follow these 2 | instructions: 3 | 4 | To Build and Install, 5 | 6 | ./configure --with-crypto-library=mbedtls 7 | make 8 | make install 9 | 10 | This version depends on mbed TLS 2.0 (and requires at least 2.0.0). 11 | 12 | ************************************************************************* 13 | 14 | Warning: 15 | 16 | As of mbed TLS 2.17, it can be licensed *only* under the Apache v2.0 license. 17 | That license is incompatible with OpenVPN's GPLv2. 18 | 19 | If you wish to distribute OpenVPN linked with mbed TLS, there are two options: 20 | 21 | * Ensure that your case falls under the system library exception in GPLv2, or 22 | 23 | * Use an earlier version of mbed TLS. Version 2.16.12 is the last release 24 | that may be licensed under GPLv2. Unfortunately, this version is 25 | unsupported and won't receive any more updates. 26 | 27 | If nothing changes about the license situation, mbed TLS support may be 28 | deprecated in a future release of OpenVPN. 
29 | 30 | ************************************************************************* 31 | 32 | Due to limitations in the mbed TLS library, the following features are missing 33 | in the mbed TLS version of OpenVPN: 34 | 35 | * PKCS#12 file support 36 | * --capath support - Loading certificate authorities from a directory 37 | * Windows CryptoAPI support 38 | * X.509 alternative username fields (must be "CN") 39 | 40 | Plugin/Script features: 41 | 42 | * X.509 subject line has a different format than the OpenSSL subject line 43 | * X.509 certificate export does not work 44 | * X.509 certificate tracking 45 | -------------------------------------------------------------------------------- /README.wolfssl: -------------------------------------------------------------------------------- 1 | Support for wolfSSL is implemented and maintained by wolfSSL Inc. The support is 2 | implemented using wolfSSL's compatibility layer. The wolfSSL support in OpenVPN 3 | receives very limited testing/support from the OpenVPN community itself. 4 | 5 | If bugs in OpenVPN when using wolfSSL are encountered, the user should try to 6 | also compile OpenVPN with OpenSSL to determine if these are bugs in the 7 | wolfSSL TLS implementation or OpenVPN itself. If bugs are caused by compiling 8 | with wolfSSL, please contact support@wolfssl.com directly. 9 | 10 | To Build and Install, 11 | 12 | ./configure --with-crypto-library=wolfssl 13 | make 14 | make install 15 | 16 | 17 | The wolfSSL library will include the installed options.h file by default. 
18 | To include a custom user_settings.h file for wolfSSL, 19 | 20 | ./configure --with-crypto-library=wolfssl --disable-wolfssl-options-h 21 | make 22 | make install 23 | 24 | ************************************************************************* 25 | Due to limitations in the wolfSSL TLS library or its compatibility layer, the 26 | following features are missing 27 | 28 | * blowfish support (BF-CBC), you must use something like 29 | cipher AES-128-CBC to avoid trying to use BF-CBC 30 | * Windows CryptoAPI support 31 | -------------------------------------------------------------------------------- /build/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 7 | # 8 | # Copyright (C) 2002-2023 OpenVPN Inc 9 | # 10 | 11 | MAINTAINERCLEANFILES = \ 12 | $(srcdir)/Makefile.in 13 | 14 | EXTRA_DIST = \ 15 | ltrc.inc 16 | 17 | SUBDIRS = msvc 18 | -------------------------------------------------------------------------------- /build/ltrc.inc: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 
7 | # 8 | # Copyright (C) 2008-2012 Alon Bar-Lev 9 | # 10 | # Required to build Windows resource file 11 | 12 | RCCOMPILE = $(RC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ 13 | $(AM_CPPFLAGS) $(CPPFLAGS) 14 | LTRCCOMPILE = $(LIBTOOL) --mode=compile --tag=RC $(RCCOMPILE) 15 | 16 | .rc.lo: 17 | $(LTRCCOMPILE) -i "$<" -o "$@" 18 | 19 | .rc.o: 20 | $(RCCOMPILE) -i "$<" -o "$@" 21 | 22 | .mc.rc: 23 | $(WINDMC) "$<" 24 | -------------------------------------------------------------------------------- /build/msvc/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 7 | # 8 | # Copyright (C) 2002-2023 OpenVPN Inc 9 | # Copyright (C) 2006-2012 Alon Bar-Lev 10 | # 11 | 12 | MAINTAINERCLEANFILES = \ 13 | $(srcdir)/Makefile.in 14 | 15 | SUBDIRS = msvc-generate 16 | -------------------------------------------------------------------------------- /build/msvc/msvc-generate/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 
7 | # 8 | # Copyright (C) 2002-2023 OpenVPN Inc 9 | # Copyright (C) 2006-2012 Alon Bar-Lev 10 | # 11 | 12 | MAINTAINERCLEANFILES = \ 13 | $(srcdir)/Makefile.in 14 | 15 | dist_noinst_DATA = \ 16 | msvc-generate.vcxproj \ 17 | Makefile.mak \ 18 | msvc-generate.js 19 | -------------------------------------------------------------------------------- /build/msvc/msvc-generate/version.m4.in: -------------------------------------------------------------------------------- 1 | define([OPENVPN_VERSION_MAJOR], [@PRODUCT_VERSION_MAJOR@]) 2 | define([OPENVPN_VERSION_MINOR], [@PRODUCT_VERSION_MINOR@]) 3 | define([OPENVPN_VERSION_PATCH], [@PRODUCT_VERSION_PATCH@]) 4 | -------------------------------------------------------------------------------- /compat.m4: -------------------------------------------------------------------------------- 1 | dnl OpenVPN -- An application to securely tunnel IP networks 2 | dnl over a single UDP port, with support for SSL/TLS-based 3 | dnl session authentication and key exchange, 4 | dnl packet encryption, packet authentication, and 5 | dnl packet compression. 6 | dnl 7 | dnl Copyright (C) 2008-2012 Alon Bar-Lev 8 | dnl 9 | dnl This program is free software; you can redistribute it and/or modify 10 | dnl it under the terms of the GNU General Public License as published by 11 | dnl the Free Software Foundation; either version 2 of the License, or 12 | dnl (at your option) any later version. 13 | dnl 14 | dnl This program is distributed in the hope that it will be useful, 15 | dnl but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | dnl GNU General Public License for more details. 18 | dnl 19 | dnl You should have received a copy of the GNU General Public License along 20 | dnl with this program; if not, write to the Free Software Foundation, Inc., 21 | dnl 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
22 | 23 | dnl Compatibility layer for 2 | 3 | #define CONFIGURE_DEFINES "N/A" 4 | 5 | #define ENABLE_PF 1 6 | #define ENABLE_CRYPTO_OPENSSL 1 7 | #define ENABLE_FRAGMENT 1 8 | #define ENABLE_HTTP_PROXY 1 9 | #define ENABLE_LZO 1 10 | #define ENABLE_LZ4 1 11 | #define ENABLE_MANAGEMENT 1 12 | #define ENABLE_PKCS11 1 13 | #define ENABLE_PLUGIN 1 14 | #define ENABLE_PORT_SHARE 1 15 | #define ENABLE_SOCKS 1 16 | 17 | #define HAVE_FCNTL_H 1 18 | #define HAVE_STDIO_H 1 19 | #define HAVE_STDLIB_H 1 20 | #define HAVE_STRERROR 1 21 | #define HAVE_STRINGS_H 1 22 | #define HAVE_STRING_H 1 23 | #define HAVE_LIMITS_H 1 24 | #define HAVE_SYSTEM 1 25 | #define HAVE_TIME 1 26 | #define HAVE_TIME_H 1 27 | #define HAVE_WINDOWS_H 1 28 | #define HAVE_WINSOCK2_H 1 29 | #define HAVE_WS2TCPIP_H 1 30 | #define HAVE_IO_H 1 31 | #define HAVE_SYS_TYPES_H 1 32 | #define HAVE_SYS_STAT_H 1 33 | #define HAVE_LZO_LZO1X_H 1 34 | #define HAVE_LZO_LZOUTIL_H 1 35 | #define HAVE_VERSIONHELPERS_H 1 36 | 37 | #define HAVE_ACCESS 1 38 | #define HAVE_CHDIR 1 39 | #define HAVE_CHSIZE 1 40 | #define HAVE_IN_PKTINFO 1 41 | 42 | #define HAVE_OPENSSL_ENGINE 1 43 | #define HAVE_EXPORT_KEYING_MATERIAL 1 44 | 45 | #define HAVE_DIINSTALLDEVICE 1 46 | 47 | #ifndef __cplusplus 48 | #define inline __inline 49 | #endif 50 | 51 | #define TARGET_WIN32 1 52 | #define TARGET_ALIAS "Windows-MSVC" 53 | 54 | #define HAVE_DECL_SO_MARK 0 55 | 56 | #define strncasecmp strnicmp 57 | #define strcasecmp _stricmp 58 | 59 | #if _MSC_VER<1900 60 | #define snprintf _snprintf 61 | #endif 62 | 63 | #if _MSC_VER < 1800 64 | #define strtoull strtoul 65 | #endif 66 | 67 | #define in_addr_t uint32_t 68 | #define ssize_t SSIZE_T 69 | 70 | #define S_IRUSR _S_IREAD 71 | #define S_IWUSR _S_IWRITE 72 | #define S_IRGRP (S_IRUSR >> 3) 73 | #define R_OK 4 74 | #define W_OK 2 75 | #define X_OK 1 76 | #define F_OK 0 77 | 78 | #define SIGHUP 1 79 | #define SIGINT 2 80 | #define SIGUSR1 10 81 | #define SIGUSR2 12 82 | #define SIGTERM 15 83 | 84 | 
#include 85 | typedef uint16_t in_port_t; 86 | 87 | #ifdef HAVE_CONFIG_MSVC_LOCAL_H 88 | #include 89 | #endif 90 | 91 | #define ENABLE_DCO 1 92 | 93 | #define HAVE_CONFIG_VERSION_H 1 94 | -------------------------------------------------------------------------------- /contrib/README: -------------------------------------------------------------------------------- 1 | This directory contains scripts and patches contributed 2 | by users. 3 | -------------------------------------------------------------------------------- /contrib/multilevel-init.patch: -------------------------------------------------------------------------------- 1 | --- /etc/init.d/openvpn 2004-05-12 20:30:06.000000000 +0200 2 | +++ openvpn 2004-05-12 20:34:33.000000000 +0200 3 | @@ -58,13 +58,13 @@ 4 | # returning success or failure status to caller (James Yonan). 5 | 6 | # Location of openvpn binary 7 | -openvpn="/usr/sbin/openvpn" 8 | +openvpn=/usr/sbin/openvpn 9 | 10 | # Lockfile 11 | -lock="/var/lock/subsys/openvpn" 12 | +lock=/var/lock/subsys/openvpn 13 | 14 | # PID directory 15 | -piddir="/var/run/openvpn" 16 | +piddir=/var/run/openvpn 17 | 18 | # Our working directory 19 | work=/etc/openvpn 20 | @@ -106,7 +106,7 @@ 21 | 22 | if [ -f $lock ]; then 23 | # we were not shut down correctly 24 | - for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do 25 | + for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do 26 | if [ -s $pidf ]; then 27 | kill `cat $pidf` >/dev/null 2>&1 28 | fi 29 | @@ -116,12 +116,12 @@ 30 | sleep 2 31 | fi 32 | 33 | - rm -f $piddir/*.pid $piddir/*/*.pid 34 | + find $piddir -name "*.pid"|xargs rm -f 35 | 36 | # Start every .conf in $work and run .sh if exists 37 | errors=0 38 | successes=0 39 | - for c in `/bin/ls *.conf */*.conf 2>/dev/null`; do 40 | + for c in `find * -name "*.conf" 2>/dev/null`; do 41 | bn=${c%%.conf} 42 | if [ -f "$bn.sh" ]; then 43 | . $bn.sh 44 | 
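Review bot: The new `find $piddir -name "*.pid"` loop descends to any depth and matches any file type, where the old `/bin/ls` glob stopped one directory below $piddir, and the content of every match still goes unchecked to `kill` from an init script that normally runs as root. Keeping the old scope and quoting the path would look like `for pidf in $(find "$piddir" -maxdepth 2 -type f -name "*.pid" 2>/dev/null); do`; -maxdepth is a GNU/BSD extension, so confirm it exists on the target systems. A check that the file holds only digits before signalling would stop a stray or corrupted pid file from addressing an unrelated process. The same loop is added in the stop, reload, reopen and status hunks (-147, -163, -175, -195), and the enclosing branch starts and ends outside this hunk.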
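Review bot: In the -116 hunk, `find * -name "*.conf"` now returns .conf files at any depth below $work, and the context line `. $bn.sh` sources the sibling script of each one, so the set of files executed at start grows from two directory levels to the whole tree. The unquoted `*` is expanded by the shell before find runs, so an entry whose name begins with `-` would be parsed as a find expression; `find . -maxdepth 2 -type f -name "*.conf"` avoids both problems, though the `./` prefix it puts on $c needs checking against the code outside the hunk. For the cleanup line, `find "$piddir" -type f -name "*.pid" -exec rm -f {} +` drops the word-splitting that `|xargs rm -f` applies to names containing whitespace.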
@@ -147,7 +147,7 @@
45 | ;;
46 | stop)
47 | echo -n $"Shutting down openvpn: "
48 | - for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do
49 | + for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do
50 | if [ -s $pidf ]; then
51 | kill `cat $pidf` >/dev/null 2>&1
52 | fi
53 | @@ -163,7 +163,7 @@
54 | ;;
55 | reload)
56 | if [ -f $lock ]; then
57 | - for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do
58 | + for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do
59 | if [ -s $pidf ]; then
60 | kill -HUP `cat $pidf` >/dev/null 2>&1
61 | fi
62 | @@ -175,7 +175,7 @@
63 | ;;
64 | reopen)
65 | if [ -f $lock ]; then
66 | - for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do
67 | + for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do
68 | if [ -s $pidf ]; then
69 | kill -USR1 `cat $pidf` >/dev/null 2>&1
70 | fi
71 | 
@@ -195,7 +195,7 @@ 72 | ;; 73 | status) 74 | if [ -f $lock ]; then 75 | - for pidf in `/bin/ls $piddir/*.pid $piddir/*/*.pid 2>/dev/null`; do 76 | + for pidf in `find $piddir -name "*.pid" 2>/dev/null`; do 77 | if [ -s $pidf ]; then 78 | kill -USR2 `cat $pidf` >/dev/null 2>&1 79 | fi 80 | -------------------------------------------------------------------------------- /contrib/openvpn-fwmarkroute-1.00/README: -------------------------------------------------------------------------------- 1 | OpenVPN fwmark Routing 2 | Sean Reifschneider, 3 | Thursday November 27, 2003 4 | ========================== 5 | 6 | These scripts can be used with OpenVPN up and down scripts to set up 7 | routing on a Linux system such that the VPN traffic is sent via normal 8 | network connectivity, but other traffic to that network runs over the VPN. 9 | The idea is to allow encryption of data to the network the remote host is 10 | on, without interfering with the VPN traffic. You can't simply add a route 11 | to the remote network, becaues that will cause the VPN traffic to also try 12 | to run over the VPN, and breaks the VPN. 13 | 14 | These scripts use the Linux "fwmark" iptables rules to specify routing 15 | based not only on IP address, but also by port and protocol. This allows 16 | you to effectively say "if the packet is to this IP address on this port 17 | using this protocol, then use the normal default gateway, otherwise use the 18 | VPN gateway. 19 | 20 | This is set up on the client VPN system, not the VPN server. These scripts 21 | also set up all ICMP echo-responses to run across the VPN. You can 22 | comment the lines in the scripts to disable this, but I find this useful 23 | at coffee shops which have networks that block ICMP. 24 | 25 | To configure this, you need to set up these scripts as your up and down 26 | scripts in the config file. 
You will need to set these values in the 27 | config file: 28 | 29 | up /etc/openvpn/fwmarkroute.up 30 | down /etc/openvpn/fwmarkroute.down 31 | up-restart 32 | up-delay 33 | 34 | setenv remote_netmask_bits 24 35 | 36 | Note: For this to work, you can't set the "user" or "group" config options, 37 | because then the scripts will not run as root. 38 | 39 | The last setting allows you to control the size of the network the remote 40 | system is on. The remote end has to be set up to route, probably with 41 | masquerading or NAT. The network this netmask relates to is calculated 42 | using the value of "remote" in the conf file. 43 | 44 | Sean 45 | -------------------------------------------------------------------------------- /contrib/openvpn-fwmarkroute-1.00/fwmarkroute.down: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Bring down vpn routing. 4 | 5 | # calculate the network address 6 | remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"` 7 | remote_network="${remote_network#*=}" 8 | 9 | # clear routing via VPN 10 | ip route del "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out 11 | ip route del table vpnonly.out via "$5" 12 | iptables -D OUTPUT -t mangle -p "$proto" \ 13 | -d "$remote_network"/"$remote_netmask_bits" \ 14 | --dport "$remote_port" -j ACCEPT 15 | iptables -D OUTPUT -t mangle -d "$remote" -j MARK --set-mark 2 16 | 17 | # undo the ICMP ping tunneling 18 | iptables -D OUTPUT -t mangle --protocol icmp --icmp-type echo-request \ 19 | -j MARK --set-mark 3 20 | 21 | # flush route cache 22 | ip route flush cache 23 | -------------------------------------------------------------------------------- /contrib/openvpn-fwmarkroute-1.00/fwmarkroute.up: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # Bring up vpn routing. 
4 | 5 | # calculate the network address 6 | remote_network=`ipcalc -n "$remote"/"$remote_netmask_bits"` 7 | remote_network="${remote_network#*=}" 8 | 9 | # add the stuff that doesn't change if it's not already there 10 | grep -q '^202 ' /etc/iproute2/rt_tables 11 | if [ "$?" -ne 0 ] 12 | then 13 | echo 202 vpn.out >> /etc/iproute2/rt_tables 14 | fi 15 | grep -q '^203 ' /etc/iproute2/rt_tables 16 | if [ "$?" -ne 0 ] 17 | then 18 | echo 203 vpnonly.out >> /etc/iproute2/rt_tables 19 | fi 20 | ip rule ls | grep -q 'lookup vpn.out *$' 21 | if [ "$?" -ne 0 ] 22 | then 23 | ip rule add fwmark 2 table vpn.out 24 | fi 25 | ip rule ls | grep -q 'lookup vpnonly.out *$' 26 | if [ "$?" -ne 0 ] 27 | then 28 | ip rule add fwmark 3 table vpnonly.out 29 | fi 30 | 31 | # route VPN traffic using the normal table 32 | iptables -A OUTPUT -t mangle -p "$proto" -d "$remote" --dport "$remote_port" \ 33 | -j ACCEPT 34 | 35 | # route all other traffic to that host via VPN 36 | iptables -A OUTPUT -t mangle -d "$remote_network"/"$remote_netmask_bits" \ 37 | -j MARK --set-mark 2 38 | 39 | # route all ICMP pings over the VPN 40 | iptables -A OUTPUT -t mangle --protocol icmp --icmp-type echo-request \ 41 | -j MARK --set-mark 3 42 | 43 | # NAT traffic going over the VPN, so it doesn't have an unknown address 44 | iptables -t nat -A POSTROUTING -o "$1" -j SNAT --to-source "$4" 45 | 46 | # add routing commands 47 | ip route add "$remote_network"/"$remote_netmask_bits" via "$5" table vpn.out 48 | ip route add table vpnonly.out via "$5" 49 | ip route flush cache 50 | -------------------------------------------------------------------------------- /contrib/pull-resolv-conf/client.down: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Copyright (c) 2005-2018 OpenVPN Inc 4 | # Licensed under the GPL version 2 5 | 6 | # First version by Jesse Adelman 7 | # someone at boldandbusted dink com 8 | # http://www.boldandbusted.com/ 9 | 10 | # PURPOSE: This 
script automatically removes the /etc/resolv.conf entries previously 11 | # set by the companion script "client.up". 12 | 13 | # INSTALL NOTES: 14 | # Place this in /etc/openvpn/client.down 15 | # Then, add the following to your /etc/openvpn/.conf: 16 | # client 17 | # up /etc/openvpn/client.up 18 | # down /etc/openvpn/client.down 19 | # Next, "chmod a+x /etc/openvpn/client.down" 20 | 21 | # USAGE NOTES: 22 | # Note that this script is best served with the companion "client.up" 23 | # script. 24 | 25 | # Tested under Debian lenny with OpenVPN 2.1_rc11 26 | # It should work with any UNIX with a POSIX sh, /etc/resolv.conf or resolvconf 27 | 28 | # This runs with the context of the OpenVPN UID/GID 29 | # at the time of execution. This generally means that 30 | # the client "up" script will run fine, but the "down" script 31 | # will require the use of the OpenVPN "down-root" plugin 32 | # which is in the plugins/ directory of the OpenVPN source tree 33 | # The config example above would have to be changed to: 34 | # client 35 | # up /etc/openvpn/client.up 36 | # plugin openvpn-plugin-down-root.so "/etc/openvpn/client.down" 37 | 38 | # A horrid work around, from a security perspective, 39 | # is to run OpenVPN as root. THIS IS NOT RECOMMENDED. You have 40 | # been WARNED. 41 | PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin 42 | 43 | if type resolvconf >/dev/null 2>&1; then 44 | resolvconf -d "${dev}" -f 45 | elif [ -e /etc/resolv.conf.ovpnsave ] ; then 46 | # cp + rm rather than mv in case it's a symlink 47 | cp /etc/resolv.conf.ovpnsave /etc/resolv.conf 48 | rm -f /etc/resolv.conf.ovpnsave 49 | fi 50 | 51 | exit 0 52 | -------------------------------------------------------------------------------- /contrib/vcpkg-ports/pkcs11-helper/0001-nmake-compatibility-with-vcpkg-nmake.patch: -------------------------------------------------------------------------------- 1 | From 2d3a2c05383f653544b9c7194dd1349c6d5f3067 Mon Sep 17 00:00:00 2001 2 | 
From: Lev Stipakov 3 | Date: Tue, 11 Jan 2022 13:24:51 +0200 4 | Subject: [PATCH] nmake: compatibility with vcpkg nmake 5 | 6 | Remove options which contradict or already set 7 | by vcpkg nmake scripts. 8 | 9 | Signed-off-by: Lev Stipakov 10 | --- 11 | lib/Makefile.w32-vc | 8 ++------ 12 | 1 file changed, 2 insertions(+), 6 deletions(-) 13 | 14 | diff --git a/lib/Makefile.w32-vc b/lib/Makefile.w32-vc 15 | index 96f1f89..be68a00 100644 16 | --- a/lib/Makefile.w32-vc 17 | +++ b/lib/Makefile.w32-vc 18 | @@ -75,15 +75,11 @@ OPENSSL_LIBS=-LIBPATH:$(OPENSSL_LIB) user32.lib advapi32.lib $(OPENSSL_STATIC) 19 | CFLAGS = -I../include $(OPENSSL_CFLAGS) -DWIN32 -DWIN32_LEAN_AND_MEAN -D_MBCS -D_CRT_SECURE_NO_DEPRECATE -D_WIN32_WINNT=0x0400 20 | CC=cl.exe 21 | RC=rc.exe 22 | -CCPARAMS=/nologo /W3 /O2 /FD /c 23 | - 24 | -CCPARAMS=$(CCPARAMS) /MD 25 | -CFLAGS=$(CFLAGS) -DNDEBUG 26 | +CCPARAMS=/c 27 | 28 | LINK32=link.exe 29 | LIB32=lib.exe 30 | -LINK32_FLAGS=/nologo /subsystem:windows /dll /incremental:no /release 31 | -LIB32_FLAGS=/nologo 32 | +LINK32_FLAGS=/dll 33 | 34 | HEADERS = \ 35 | config.h \ 36 | -- 37 | 2.23.0.windows.1 38 | 39 | -------------------------------------------------------------------------------- /contrib/vcpkg-ports/pkcs11-helper/0002-config-w32-vc.h.in-indicate-OpenSSL.patch: -------------------------------------------------------------------------------- 1 | From c2293864de70fec322fe7e559055530ef56b9641 Mon Sep 17 00:00:00 2001 2 | From: Lev Stipakov 3 | Date: Tue, 11 Jan 2022 13:35:42 +0200 4 | Subject: [PATCH] config-w32-vc.h.in: indicate OpenSSL EC support 5 | 6 | Signed-off-by: Lev Stipakov 7 | --- 8 | config-w32-vc.h.in | 12 ++++++++++++ 9 | 1 file changed, 12 insertions(+) 10 | 11 | diff --git a/config-w32-vc.h b/config-w32-vc.h 12 | index 6d94841..db83825 100644 13 | --- a/config-w32-vc.h 14 | +++ b/config-w32-vc.h 15 | 
@@ -218,3 +218,15 @@ 16 | 17 | /* Define to 1 if you have the `DSA_SIG_set0' function. */ 18 | #define HAVE_DSA_SIG_SET0 1 19 | + 20 | +/* Define to 1 if you have the `ECDSA_SIG_set0' function. */ 21 | +#define HAVE_ECDSA_SIG_SET0 1 22 | + 23 | +/* Define to 1 if you have the `EC_KEY_METHOD_get_sign' function. */ 24 | +#define HAVE_EC_KEY_METHOD_GET_SIGN 1 25 | + 26 | +/* Define to 1 if you have the `EC_KEY_METHOD_set_sign' function. */ 27 | +#define HAVE_EC_KEY_METHOD_SET_SIGN 1 28 | + 29 | +/* Define to 1 if OpenSSL has EC support. */ 30 | +#define ENABLE_PKCS11H_OPENSSL_EC 1 31 | -- 32 | 2.23.0.windows.1 33 | 34 | -------------------------------------------------------------------------------- /contrib/vcpkg-ports/pkcs11-helper/CONTROL: -------------------------------------------------------------------------------- 1 | Source: pkcs11-helper 2 | Version: 1.29-1 3 | Homepage: https://github.com/OpenSC/pkcs11-helper 4 | Description: pkcs11-helper is a library that simplifies the interaction with PKCS#11 providers for end-user applications. 
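Review bot: The subject and diffstat of this patch name `config-w32-vc.h.in`, but the `diff --git`, `---` and `+++` headers all target `config-w32-vc.h`, so the patch does not say unambiguously which file receives the new defines; regenerating it so that header and diffstat agree would remove the doubt. The four added defines are unconditional, which presumably assumes the OpenSSL supplied by the port always provides `ECDSA_SIG_set0` and the `EC_KEY_METHOD` accessors. A short comment above them, for example `/* Set unconditionally: this port assumes OpenSSL 1.1.0 or later */`, would record that assumption next to `ENABLE_PKCS11H_OPENSSL_EC`.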
5 | -------------------------------------------------------------------------------- /contrib/vcpkg-ports/pkcs11-helper/portfile.cmake: -------------------------------------------------------------------------------- 1 | set(VERSION 1.29.0) 2 | 3 | vcpkg_download_distfile(ARCHIVE 4 | URLS "https://github.com/OpenSC/pkcs11-helper/releases/download/pkcs11-helper-${VERSION}/pkcs11-helper-${VERSION}.tar.bz2" 5 | FILENAME "pkcs11-helper-${VERSION}.tar.bz2" 6 | SHA512 c530f5a4b5826a02bfe787a1293a7595d5a0d6348daa16675bd10c6d6734b1f24a3cc73b5b89433cf1edf8815f8b7298fdfd1ed686f096bb5edfb425e9430eb2 7 | ) 8 | 9 | vcpkg_extract_source_archive_ex( 10 | OUT_SOURCE_PATH SOURCE_PATH 11 | ARCHIVE ${ARCHIVE} 12 | REF ${VERSION} 13 | PATCHES 14 | 0001-nmake-compatibility-with-vcpkg-nmake.patch 15 | 0002-config-w32-vc.h.in-indicate-OpenSSL.patch 16 | pkcs11-helper-001-RFC7512.patch 17 | pkcs11-helper-002-dynamic_loader_flags.patch 18 | ) 19 | 20 | vcpkg_build_nmake( 21 | SOURCE_PATH ${SOURCE_PATH} 22 | PROJECT_SUBPATH lib 23 | PROJECT_NAME Makefile.w32-vc 24 | OPTIONS 25 | OPENSSL=1 26 | OPENSSL_HOME=${CURRENT_PACKAGES_DIR}/../openssl_${TARGET_TRIPLET} 27 | ) 28 | 29 | file(INSTALL ${SOURCE_PATH}/include/pkcs11-helper-1.0 DESTINATION ${CURRENT_PACKAGES_DIR}/include/) 30 | file(INSTALL ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel/lib/pkcs11-helper.dll.lib DESTINATION ${CURRENT_PACKAGES_DIR}/lib) 31 | file(INSTALL ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg/lib/pkcs11-helper.dll.lib DESTINATION ${CURRENT_PACKAGES_DIR}/debug/lib) 32 | 33 | file(INSTALL ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel/lib/libpkcs11-helper-1.dll DESTINATION ${CURRENT_PACKAGES_DIR}/bin) 34 | file(INSTALL ${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg/lib/libpkcs11-helper-1.dll DESTINATION ${CURRENT_PACKAGES_DIR}/debug/bin) 35 | 36 | file(INSTALL ${SOURCE_PATH}/COPYING DESTINATION ${CURRENT_PACKAGES_DIR}/share/${PORT} RENAME copyright) 37 | 
-------------------------------------------------------------------------------- /contrib/vcpkg-triplets/arm64-windows-ovpn.cmake: -------------------------------------------------------------------------------- 1 | set(VCPKG_TARGET_ARCHITECTURE arm64) 2 | set(VCPKG_CRT_LINKAGE dynamic) 3 | set(VCPKG_LIBRARY_LINKAGE dynamic) 4 | 5 | set(STATIC_PORTS lz4 lzo) 6 | if(PORT IN_LIST STATIC_PORTS) 7 | set(VCPKG_LIBRARY_LINKAGE static) 8 | endif() 9 | -------------------------------------------------------------------------------- /contrib/vcpkg-triplets/x64-windows-ovpn.cmake: -------------------------------------------------------------------------------- 1 | set(VCPKG_TARGET_ARCHITECTURE x64) 2 | set(VCPKG_CRT_LINKAGE dynamic) 3 | set(VCPKG_LIBRARY_LINKAGE dynamic) 4 | 5 | set(STATIC_PORTS lz4 lzo) 6 | if(PORT IN_LIST STATIC_PORTS) 7 | set(VCPKG_LIBRARY_LINKAGE static) 8 | endif() 9 | -------------------------------------------------------------------------------- /contrib/vcpkg-triplets/x86-windows-ovpn.cmake: -------------------------------------------------------------------------------- 1 | set(VCPKG_TARGET_ARCHITECTURE x86) 2 | set(VCPKG_CRT_LINKAGE dynamic) 3 | set(VCPKG_LIBRARY_LINKAGE dynamic) 4 | 5 | set(STATIC_PORTS lz4 lzo) 6 | if(PORT IN_LIST STATIC_PORTS) 7 | set(VCPKG_LIBRARY_LINKAGE static) 8 | endif() 9 | -------------------------------------------------------------------------------- /debug/doval: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | PROGDIR=`dirname $0` 3 | unset LD_LIBRARY_PATH 4 | valgrind --tool=memcheck --error-limit=no --suppressions=$PROGDIR/debug/valgrind-suppress --gen-suppressions=all --leak-check=full --show-reachable=yes --num-callers=32 $PROGDIR/openvpn "$@" 5 | -------------------------------------------------------------------------------- /debug/dovalns: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | valgrind 
--tool=memcheck --error-limit=no --gen-suppressions=all --leak-check=full --show-reachable=yes --num-callers=32 $* 3 | -------------------------------------------------------------------------------- /dev-tools/special-files.lst: -------------------------------------------------------------------------------- 1 | E:doc/doxygen/doc_key_generation.h # @verbatim section gets mistreated, exclude it 2 | E:src/compat/compat-lz4.c # Preserve LZ4 upstream formatting 3 | E:src/compat/compat-lz4.h # Preserve LZ4 upstream formatting 4 | E:src/openvpn/ovpn_dco_linux.h # Preserve ovpn-dco upstream formatting 5 | E:src/openvpn/ovpn_dco_win.h # Preserve ovpn-dco-win upstream formatting 6 | -------------------------------------------------------------------------------- /dev-tools/uncrustify.conf: -------------------------------------------------------------------------------- 1 | # Use Allman-style 2 | indent_columns=4 3 | indent_braces=false 4 | indent_else_if=false 5 | indent_switch_case=4 6 | indent_label=1 7 | nl_if_brace=add 8 | nl_brace_else=add 9 | nl_elseif_brace=add 10 | nl_else_brace=add 11 | nl_else_if=remove 12 | nl_for_brace=add 13 | nl_while_brace=add 14 | nl_switch_brace=add 15 | nl_fdef_brace=add 16 | nl_do_brace=add 17 | sp_func_proto_paren=Remove 18 | sp_func_def_paren=Remove 19 | sp_func_call_paren=Remove 20 | sp_sizeof_paren=Remove 21 | 22 | # No tabs, spaces only 23 | indent_with_tabs=0 24 | align_with_tabs=false 25 | cmt_convert_tab_to_spaces=true 26 | 27 | # Do not put spaces between the # and preprocessor statements 28 | pp_space=remove 29 | 30 | # Various whitespace fiddling 31 | sp_assign=add 32 | sp_before_sparen=add 33 | sp_inside_sparen=remove 34 | sp_cond_colon=add 35 | sp_cond_question=add 36 | sp_bool=add 37 | sp_else_brace=add 38 | sp_brace_else=add 39 | sp_after_comma=add 40 | pos_arith=Lead 41 | pos_bool=Lead 42 | nl_func_type_name=add 43 | nl_before_case=true 44 | nl_assign_leave_one_liners=true 45 | nl_enum_leave_one_liners=true 46 | 
nl_brace_fparen=add 47 | nl_max=4 48 | nl_after_func_proto=2 49 | nl_end_of_file_min=1 50 | nl_end_of_file=force 51 | 52 | # Always use scoping braces for conditionals 53 | mod_full_brace_if=add 54 | mod_full_brace_if_chain=false 55 | mod_full_brace_while=add 56 | mod_full_brace_for=add 57 | mod_full_brace_do=add 58 | 59 | # Annotate #else and #endif statements 60 | mod_add_long_ifdef_endif_comment=20 61 | mod_add_long_ifdef_else_comment=5 62 | 63 | # Misc cleanup 64 | mod_remove_extra_semicolon=true 65 | 66 | # leave blank at end of empty for() statements 67 | sp_after_semi_for_empty=Add 68 | 69 | # Use C-style comments (/* .. */) 70 | cmt_c_nl_end=true 71 | cmt_star_cont=true 72 | cmt_cpp_to_c=true 73 | 74 | # Use "char **a"-style pointer stars/dereferences 75 | sp_before_ptr_star=Add 76 | sp_between_ptr_star=Remove 77 | sp_after_ptr_star=Remove 78 | sp_before_byref=Add 79 | sp_after_byref=Remove 80 | -------------------------------------------------------------------------------- /dev-tools/update-copyright.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # update-copyright-sh - Simple tool to update the Copyright lines 3 | # in all files checked into git 4 | # 5 | # Copyright (C) 2016-2023 OpenVPN Inc 6 | # Copyright (C) 2016-2023 David Sommerseth 7 | # 8 | # This program is free software; you can redistribute it and/or 9 | # modify it under the terms of the GNU General Public License 10 | # as published by the Free Software Foundation; either version 2 11 | # of the License. 12 | # 13 | # This program is distributed in the hope that it will be useful, 14 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 15 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 | # GNU General Public License for more details. 
17 | # 18 | # You should have received a copy of the GNU General Public License 19 | # along with this program; if not, write to the Free Software 20 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 21 | # 22 | 23 | # Basic shell sanity 24 | set -eu 25 | 26 | # Simple argument control 27 | if [ $# -ne 1 ]; then 28 | echo "Usage: $0 " 29 | exit 1 30 | fi 31 | 32 | # Only update Copyright lines with these owners 33 | # The 'or' operator is GNU sed specific, and must be \| 34 | UPDATE_COPYRIGHT_LINES="@openvpn\.net\|@fox-it\.com\|@sophos.com\|@eurephia\.org\|@greenie\.muc\.de\|@rozman.si\|@unstable\.cc\|@rfc2549.org\|@karger\.me\|selva.nair@" 35 | COPY_YEAR="$1" 36 | 37 | cd "$(git rev-parse --show-toplevel)" 38 | for file in $(git ls-files | grep -v vendor/); 39 | do 40 | echo -n "Updating $file ..." 41 | # The first sed operation covers 20xx-20yy copyright lines, 42 | # The second sed operation changes 20xx -> 20xx-20yy 43 | sed -e "/$UPDATE_COPYRIGHT_LINES/s/\(Copyright (C) 20..-\)\(20..\)[[:blank:]]\+/\1$COPY_YEAR /" \ 44 | -e "/$UPDATE_COPYRIGHT_LINES/s/\(Copyright (C) \)\(20..\)[[:blank:]]\+/\1\2-$COPY_YEAR /" \ 45 | -i $file 46 | echo " Done" 47 | done 48 | echo 49 | echo "** All files updated with $COPY_YEAR as the ending copyright year" 50 | echo 51 | exit 0 52 | -------------------------------------------------------------------------------- /distro/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 
7 | # 8 | # Copyright (C) 2002-2023 OpenVPN Inc 9 | # Copyright (C) 2006-2012 Alon Bar-Lev 10 | # 11 | 12 | MAINTAINERCLEANFILES = \ 13 | $(srcdir)/Makefile.in 14 | 15 | SUBDIRS = systemd 16 | -------------------------------------------------------------------------------- /distro/systemd/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 7 | # 8 | # Copyright (C) 2017-2023 OpenVPN Inc 9 | # 10 | 11 | %.service: %.service.in Makefile 12 | $(AM_V_GEN)sed -e 's|\@sbindir\@|$(sbindir)|' \ 13 | $< > $@.tmp && mv $@.tmp $@ 14 | 15 | EXTRA_DIST = \ 16 | tmpfiles-openvpn.conf \ 17 | openvpn-client@.service.in \ 18 | openvpn-server@.service.in 19 | 20 | if ENABLE_SYSTEMD 21 | systemdunit_DATA = \ 22 | openvpn-client@.service \ 23 | openvpn-server@.service 24 | CLEANFILES = $(systemdunit_DATA) 25 | tmpfiles_DATA = \ 26 | tmpfiles-openvpn.conf 27 | dist_doc_DATA = \ 28 | README.systemd 29 | 30 | install-data-hook: 31 | mv $(DESTDIR)$(tmpfilesdir)/tmpfiles-openvpn.conf $(DESTDIR)$(tmpfilesdir)/openvpn.conf 32 | endif 33 | 34 | MAINTAINERCLEANFILES = \ 35 | $(srcdir)/Makefile.in 36 | -------------------------------------------------------------------------------- /distro/systemd/openvpn-client@.service.in: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=OpenVPN tunnel for %I 3 | After=syslog.target network-online.target 4 | Wants=network-online.target 5 | Documentation=man:openvpn(8) 6 | Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage 7 | Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO 8 | 9 | [Service] 10 | Type=notify 11 | PrivateTmp=true 12 | WorkingDirectory=/etc/openvpn/client 13 
| ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf 14 | CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE 15 | LimitNPROC=10 16 | DeviceAllow=/dev/null rw 17 | DeviceAllow=/dev/net/tun rw 18 | ProtectSystem=true 19 | ProtectHome=true 20 | KillMode=process 21 | 22 | [Install] 23 | WantedBy=multi-user.target 24 | -------------------------------------------------------------------------------- /distro/systemd/openvpn-server@.service.in: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=OpenVPN service for %I 3 | After=syslog.target network-online.target 4 | Wants=network-online.target 5 | Documentation=man:openvpn(8) 6 | Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage 7 | Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO 8 | 9 | [Service] 10 | Type=notify 11 | PrivateTmp=true 12 | WorkingDirectory=/etc/openvpn/server 13 | ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf 14 | CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE 15 | LimitNPROC=10 16 | DeviceAllow=/dev/null rw 17 | DeviceAllow=/dev/net/tun rw 18 | ProtectSystem=true 19 | ProtectHome=true 20 | KillMode=process 21 | RestartSec=5s 22 | Restart=on-failure 23 | 24 | [Install] 25 | WantedBy=multi-user.target 26 | -------------------------------------------------------------------------------- /distro/systemd/tmpfiles-openvpn.conf: -------------------------------------------------------------------------------- 1 | d /run/openvpn-client 0710 root root - 2 | d /run/openvpn-server 0710 root root - 3 | -------------------------------------------------------------------------------- /doc/README.man: 
-------------------------------------------------------------------------------- 1 | 2 | man page documentation 3 | ====================== 4 | 5 | The man page content is maintained in the openvpn.8.rst file, and the man page 6 | proper and its html version are generated using python-docutils. Both 7 | the man page and html file are generated during 'make dist' or 'make distcheck' 8 | and should be distributed inside the tarball by default. 9 | 10 | Users compiling OpenVPN from the tarball should not need to regenerate the 11 | man/html files unless the source file needs to be modified. 12 | 13 | Further information: 14 | 15 | * Python docutils project: 16 | https://docutils.sourceforge.io/ 17 | 18 | * Quickstart on .rst 19 | https://docutils.sourceforge.io/docs/user/rst/quickstart.html 20 | 21 | * reStructuredText Markup Specification (.rst) 22 | https://docutils.sourceforge.io/docs/ref/rst/restructuredtext.html 23 | -------------------------------------------------------------------------------- /doc/README.plugins: -------------------------------------------------------------------------------- 1 | OpenVPN Plugins 2 | --------------- 3 | 4 | Starting with OpenVPN 2.0-beta17, compiled plugin modules are 5 | supported on any *nix OS which includes libdl or on Windows. 6 | One or more modules may be loaded into OpenVPN using 7 | the --plugin directive, and each plugin module is capable of 8 | intercepting any of the script callbacks which OpenVPN supports: 9 | 10 | (1) up 11 | (2) down 12 | (3) route-up 13 | (4) ipchange 14 | (5) tls-verify 15 | (6) auth-user-pass-verify 16 | (7) client-connect 17 | (8) client-disconnect 18 | (9) learn-address 19 | 20 | See the openvpn-plugin.h file in the top-level directory of the 21 | OpenVPN source distribution for more detailed information 22 | on the plugin interface.
23 | 24 | Included Plugins 25 | ---------------- 26 | 27 | auth-pam -- Authenticate using PAM and a split privilege 28 | execution model which functions even if 29 | root privileges or the execution environment 30 | have been altered with --user/--group/--chroot. 31 | Tested on Linux only. 32 | 33 | down-root -- Enable the running of down scripts with root privileges 34 | even if --user/--group/--chroot have been used 35 | to drop root privileges or change the execution 36 | environment. Not applicable on Windows. 37 | 38 | examples -- A simple example that demonstrates a portable 39 | plugin, i.e. one which can be built for *nix 40 | or Windows from the same source. 41 | 42 | Building Plugins 43 | ---------------- 44 | 45 | cd to the top-level directory of a plugin, and use the 46 | "make" command to build it. The examples plugin is 47 | built using a build script, not a makefile. 48 | -------------------------------------------------------------------------------- /doc/doxygen/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 7 | # 8 | # Copyright (C) 2017-2021 Fox-IT B.V. 
9 | # 10 | 11 | MAINTAINERCLEANFILES = \ 12 | $(srcdir)/Makefile.in 13 | 14 | DISTCLEANFILES = openvpn.doxyfile 15 | 16 | .PHONY: doxygen 17 | doxygen: openvpn.doxyfile 18 | doxygen openvpn.doxyfile 19 | 20 | clean-local: 21 | -rm -rf html latex 22 | -------------------------------------------------------------------------------- /doc/doxygen/doc_external_multiplexer.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2010-2021 Fox Crypto B.V. 9 | * 10 | * 11 | * This program is free software; you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License version 2 13 | * as published by the Free Software Foundation. 14 | * 15 | * This program is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU General Public License along 21 | * with this program; if not, write to the Free Software Foundation, Inc., 22 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | */ 24 | 25 | /** 26 | * @file 27 | * External Multiplexer module documentation file. 28 | */ 29 | 30 | /** 31 | * @addtogroup external_multiplexer External Multiplexer module 32 | * 33 | * The External Multiplexer is the link between the external network 34 | * interface and the other OpenVPN modules. 
It reads packets from the 35 | * external network interface, determines which remote OpenVPN peer and 36 | * VPN tunnel they are associated with, and whether they are data channel 37 | * or control channel packets. It then passes the packets on to the 38 | * appropriate processing module. 39 | * 40 | * This module also handles packets traveling in the reverse direction, 41 | * which have been generated by the local control channel or which have 42 | * already been processed by the \link data_control Data Channel Control 43 | * module\endlink and are destined for a remote host reachable through a 44 | * VPN tunnel. 45 | */ 46 | -------------------------------------------------------------------------------- /doc/doxygen/doc_internal_multiplexer.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2010-2021 Fox Crypto B.V. 9 | * 10 | * 11 | * This program is free software; you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License version 2 13 | * as published by the Free Software Foundation. 14 | * 15 | * This program is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU General Public License along 21 | * with this program; if not, write to the Free Software Foundation, Inc., 22 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | */ 24 | 25 | /** 26 | * @file 27 | * Internal Multiplexer module documentation file. 
28 | */ 29 | 30 | /** 31 | * @addtogroup internal_multiplexer Internal Multiplexer module 32 | * 33 | * The Internal Multiplexer is the link between the virtual tun/tap 34 | * network interface and the \link data_control Data Channel Control 35 | * module\endlink. It reads packets from the virtual network interface, 36 | * determines for which remote OpenVPN peer they are destined, and then 37 | * passes the packets on to the Data Channel Control module together with 38 | * information about their destination VPN tunnel instance. 39 | * 40 | * This module also handles packets traveling in the reverse direction, 41 | * which have already been processed by the Data Channel Control module 42 | * and are destined for a locally reachable host. 43 | */ 44 | -------------------------------------------------------------------------------- /doc/doxygen/doc_reliable.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2010-2021 Fox Crypto B.V. 9 | * 10 | * 11 | * This program is free software; you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License version 2 13 | * as published by the Free Software Foundation. 14 | * 15 | * This program is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU General Public License along 21 | * with this program; if not, write to the Free Software Foundation, Inc., 22 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
23 | */ 24 | 25 | /** 26 | * @file 27 | * Reliability Layer module documentation file. 28 | */ 29 | 30 | /** 31 | * @defgroup reliable Reliability Layer module 32 | * 33 | * The Reliability Layer is part of OpenVPN's control channel. It 34 | * provides a reliable and sequential transport mechanism for control 35 | * channel messages between OpenVPN peers. This module forms the 36 | * interface between the \link external_multiplexer External 37 | * Multiplexer\endlink and the \link control_tls Control Channel TLS 38 | * module\endlink. 39 | * 40 | * @par UDP or TCP as VPN tunnel transport 41 | * 42 | * This is especially important when OpenVPN is configured to communicate 43 | * over UDP, because UDP does not offer a reliable and sequential 44 | * transport. OpenVPN endpoints can also communicate over TCP which does 45 | * provide a reliable and sequential transport. In both cases, using UDP 46 | * or TCP as an external transport, the internal Reliability Layer is 47 | * active. 48 | */ 49 | -------------------------------------------------------------------------------- /doc/man-sections/inline-files.rst: -------------------------------------------------------------------------------- 1 | INLINE FILE SUPPORT 2 | =================== 3 | 4 | OpenVPN allows including files in the main configuration for the ``--ca``, 5 | ``--cert``, ``--dh``, ``--extra-certs``, ``--key``, ``--pkcs12``, 6 | ``--secret``, ``--crl-verify``, ``--http-proxy-user-pass``, ``--tls-auth``, 7 | ``--auth-gen-token-secret``, ``--peer-fingerprint``, ``--tls-crypt``, 8 | ``--tls-crypt-v2`` and ``--verify-hash`` options. 9 | 10 | Each inline file is started by the line ``<option>`` and ended by the line 11 | ``</option>`` 12 | 13 | Here is an example of an inline file usage 14 | 15 | :: 16 | 17 | <cert> 18 | -----BEGIN CERTIFICATE----- 19 | [...] 20 | -----END CERTIFICATE----- 21 | </cert> 22 | 23 | When using the inline file feature with ``--pkcs12`` the inline file has 24 | to be base64 encoded.
Encoding of a .p12 file into base64 can be done 25 | for example with OpenSSL by running :code:`openssl base64 -in input.p12` 26 | -------------------------------------------------------------------------------- /doc/man-sections/network-config.rst: -------------------------------------------------------------------------------- 1 | NETWORK CONFIGURATION 2 | ===================== 3 | 4 | OpenVPN consists of two sides of network configuration. One side is the 5 | *link* between the local and remote side, the other side is the *virtual 6 | network adapter* (tun/tap device). 7 | 8 | .. include:: link-options.rst 9 | .. include:: vpn-network-options.rst 10 | .. include:: virtual-routing-and-forwarding.rst 11 | -------------------------------------------------------------------------------- /doc/man-sections/renegotiation.rst: -------------------------------------------------------------------------------- 1 | Data Channel Renegotiation 2 | -------------------------- 3 | 4 | When running OpenVPN in client/server mode, the data channel will use a 5 | separate ephemeral encryption key which is rotated at regular intervals. 6 | 7 | --reneg-bytes n 8 | Renegotiate data channel key after ``n`` bytes sent or received 9 | (disabled by default with an exception, see below). OpenVPN allows the 10 | lifetime of a key to be expressed as a number of bytes 11 | encrypted/decrypted, a number of packets, or a number of seconds. A key 12 | renegotiation will be forced if any of these three criteria are met by 13 | either peer. 14 | 15 | If using ciphers with cipher block sizes less than 128-bits, 16 | ``--reneg-bytes`` is set to 64MB by default, unless it is explicitly 17 | disabled by setting the value to :code:`0`, but this is 18 | **HIGHLY DISCOURAGED** as this is designed to add some protection against 19 | the SWEET32 attack vector. For more information see the ``--cipher`` 20 | option. 
21 | 22 | --reneg-pkts n 23 | Renegotiate data channel key after **n** packets sent and received 24 | (disabled by default). 25 | 26 | --reneg-sec args 27 | Renegotiate data channel key after at most ``max`` seconds 28 | (default :code:`3600`) and at least ``min`` seconds (default is 90% of 29 | ``max`` for servers, and equal to ``max`` for clients). 30 | :: 31 | 32 | reneg-sec max [min] 33 | 34 | The effective ``--reneg-sec`` value used is per session 35 | pseudo-uniform-randomized between ``min`` and ``max``. 36 | 37 | With the default value of :code:`3600` this results in an effective per 38 | session value in the range of :code:`3240` .. :code:`3600` seconds for 39 | servers, or just 3600 for clients. 40 | 41 | When using dual-factor authentication, note that this default value may 42 | cause the end user to be challenged to reauthorize once per hour. 43 | 44 | Also, keep in mind that this option can be used on both the client and 45 | server, and whichever uses the lower value will be the one to trigger 46 | the renegotiation. A common mistake is to set ``--reneg-sec`` to a 47 | higher value on either the client or server, while the other side of the 48 | connection is still using the default value of :code:`3600` seconds, 49 | meaning that the renegotiation will still occur once per :code:`3600` 50 | seconds. The solution is to increase --reneg-sec on both the client and 51 | server, or set it to :code:`0` on one side of the connection (to 52 | disable), and to your chosen value on the other side. 53 | -------------------------------------------------------------------------------- /doc/man-sections/signals.rst: -------------------------------------------------------------------------------- 1 | SIGNALS 2 | ======= 3 | 4 | :code:`SIGHUP` 5 | Cause OpenVPN to close all TUN/TAP and network connections, restart, 6 | re-read the configuration file (if any), and reopen TUN/TAP and network 7 | connections. 
8 | 9 | :code:`SIGUSR1` 10 | Like :code:`SIGHUP`, except don't re-read configuration file, and 11 | possibly don't close and reopen TUN/TAP device, re-read key files, 12 | preserve local IP address/port, or preserve most recently authenticated 13 | remote IP address/port based on ``--persist-tun``, ``--persist-key``, 14 | ``--persist-local-ip`` and ``--persist-remote-ip`` options respectively 15 | (see above). 16 | 17 | This signal may also be internally generated by a timeout condition, 18 | governed by the ``--ping-restart`` option. 19 | 20 | This signal, when combined with ``--persist-remote-ip``, may be sent 21 | when the underlying parameters of the host's network interface change 22 | such as when the host is a DHCP client and is assigned a new IP address. 23 | See ``--ipchange`` for more information. 24 | 25 | :code:`SIGUSR2` 26 | Causes OpenVPN to display its current statistics (to the syslog file if 27 | ``--daemon`` is used, or stdout otherwise). 28 | 29 | :code:`SIGINT`, :code:`SIGTERM` 30 | Causes OpenVPN to exit gracefully. 31 | -------------------------------------------------------------------------------- /doc/man-sections/unsupported-options.rst: -------------------------------------------------------------------------------- 1 | 2 | UNSUPPORTED OPTIONS 3 | =================== 4 | 5 | Options listed in this section have been removed from OpenVPN and are no 6 | longer supported. 7 | 8 | --client-cert-not-required 9 | Removed in OpenVPN 2.5. This should be replaced with 10 | ``--verify-client-cert none``. 11 | 12 | --ifconfig-pool-linear 13 | Removed in OpenVPN 2.5. This should be replaced with ``--topology p2p``. 14 | 15 | --key-method 16 | Removed in OpenVPN 2.5. This option should not be used, as using the old 17 | ``key-method`` weakens the VPN tunnel security. The old ``key-method`` 18 | was also only needed when the remote side was older than OpenVPN 2.0. 19 | 20 | --management-client-pf 21 | Removed in OpenVPN 2.6.
The built-in packet filtering (pf) functionality 22 | has been removed. 23 | 24 | --ncp-disable 25 | Removed in OpenVPN 2.6. This option mainly served as a debug option 26 | when NCP was first introduced. It should no longer be necessary. 27 | 28 | --no-iv 29 | Removed in OpenVPN 2.5. This option should not be used as it weakens the 30 | VPN tunnel security. This has been a NOOP option since OpenVPN 2.4. 31 | 32 | --no-replay 33 | Removed in OpenVPN 2.5. This option should not be used as it weakens the 34 | VPN tunnel security. 35 | 36 | --ns-cert-type 37 | Removed in OpenVPN 2.5. The ``nsCertType`` field is no longer supported 38 | in recent SSL/TLS libraries. If your certificates do not include *key 39 | usage* and *extended key usage* fields, they must be upgraded and the 40 | ``--remote-cert-tls`` option should be used instead. 41 | 42 | --prng 43 | Removed in OpenVPN 2.6. We now always use the PRNG of the SSL library. 44 | -------------------------------------------------------------------------------- /doc/openvpn-examples.5.rst: -------------------------------------------------------------------------------- 1 | =============================== 2 | openvpn examples 3 | =============================== 4 | ------------------------- 5 | Secure IP tunnel daemon 6 | ------------------------- 7 | 8 | :Manual section: 5 9 | :Manual group: Configuration files 10 | 11 | 12 | INTRODUCTION 13 | ============ 14 | 15 | This man page gives a few simple examples to create OpenVPN setups and configuration files. 16 | 17 | .. include:: man-sections/example-fingerprint.rst 18 | ..
include:: man-sections/examples.rst 19 | -------------------------------------------------------------------------------- /include/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 7 | # 8 | # Copyright (C) 2002-2023 OpenVPN Inc 9 | # Copyright (C) 2006-2012 Alon Bar-Lev 10 | # 11 | 12 | MAINTAINERCLEANFILES = \ 13 | $(srcdir)/Makefile.in \ 14 | $(srcdir)/openvpn-plugin.h.in 15 | 16 | include_HEADERS = \ 17 | openvpn-plugin.h \ 18 | openvpn-msg.h 19 | -------------------------------------------------------------------------------- /m4/.keep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mullvad/openvpn/589cca156357e05c6c3f07517184157585c8e9fc/m4/.keep -------------------------------------------------------------------------------- /m4/ax_socklen_t.m4: -------------------------------------------------------------------------------- 1 | dnl -- The following is base of curl's acinclude.m4 -- 2 | dnl Check for socklen_t: historically on BSD it is an int, and in 3 | dnl POSIX 1g it is a type of its own, but some platforms use different 4 | dnl types for the argument to getsockopt, getpeername, etc. So we 5 | dnl have to test to find something that will work. 
6 | AC_DEFUN([AX_TYPE_SOCKLEN_T], [ 7 | AC_CHECK_TYPE( 8 | [socklen_t], 9 | , 10 | [ 11 | AS_VAR_PUSHDEF([VAR],[ax_cv_socklen_t_equiv])dnl 12 | AC_CACHE_CHECK( 13 | [for socklen_t equivalent], 14 | [VAR], 15 | [ 16 | #AS_CASE is not supported on 28 | #include 29 | int getpeername (int, $arg2 *, $t *); 30 | ]], 31 | [[ 32 | $t len; 33 | getpeername(0,0,&len); 34 | ]] 35 | )], 36 | [VAR="$t"; break] 37 | ) 38 | done 39 | test -n "$VAR" && break 40 | done 41 | ;; 42 | esac 43 | ] 44 | AS_VAR_IF( 45 | [VAR], 46 | [], 47 | [AC_MSG_ERROR([Cannot find a type to use in place of socklen_t])], 48 | [AC_DEFINE_UNQUOTED( 49 | [socklen_t], 50 | [$VAR], 51 | [type to use in place of socklen_t if not defined] 52 | )] 53 | ) 54 | ) 55 | ], 56 | [[ 57 | #include 58 | #ifdef _WIN32 59 | #include 60 | #else 61 | #include 62 | #endif 63 | ]] 64 | ) 65 | ]) 66 | -------------------------------------------------------------------------------- /sample/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 
7 | # 8 | # Copyright (C) 2002-2023 OpenVPN Inc 9 | # Copyright (C) 2006-2012 Alon Bar-Lev 10 | # 11 | 12 | MAINTAINERCLEANFILES = \ 13 | $(srcdir)/Makefile.in 14 | 15 | DISTCLEANFILES = \ 16 | $(builddir)/sample-plugins/Makefile 17 | 18 | EXTRA_DIST = \ 19 | sample-plugins \ 20 | sample-config-files \ 21 | sample-windows \ 22 | sample-keys \ 23 | sample-scripts 24 | 25 | if WIN32 26 | sample_DATA = \ 27 | client.ovpn \ 28 | server.ovpn \ 29 | sample-windows/sample.ovpn 30 | 31 | client.ovpn: sample-config-files/client.conf 32 | -rm -f client.ovpn 33 | cp "$(srcdir)/sample-config-files/client.conf" client.ovpn 34 | server.ovpn: sample-config-files/server.conf 35 | -rm -f server.ovpn 36 | cp "$(srcdir)/sample-config-files/server.conf" server.ovpn 37 | endif 38 | -------------------------------------------------------------------------------- /sample/sample-config-files/README: -------------------------------------------------------------------------------- 1 | Sample OpenVPN Configuration Files. 2 | 3 | These files are part of the OpenVPN HOWTO 4 | which is located at: 5 | 6 | http://openvpn.net/howto.html 7 | -------------------------------------------------------------------------------- /sample/sample-config-files/home.up: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | route add -net 10.0.0.0 netmask 255.255.255.0 gw $5 3 | -------------------------------------------------------------------------------- /sample/sample-config-files/loopback-server: -------------------------------------------------------------------------------- 1 | # Perform a TLS loopback test -- server side. 2 | # 3 | # This test performs a TLS negotiation once every 10 seconds, 4 | # and will terminate after 2 minutes. 
5 | # 6 | # From the root directory of the OpenVPN distribution, 7 | # after openvpn has been built, run: 8 | # 9 | # ./openvpn --config sample-config-files/loopback-client (In one window) 10 | # ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window) 11 | 12 | rport 16001 13 | lport 16000 14 | remote localhost 15 | local localhost 16 | dev null 17 | verb 3 18 | reneg-sec 10 19 | tls-server 20 | dh sample-keys/dh2048.pem 21 | ca sample-keys/ca.crt 22 | key sample-keys/server.key 23 | cert sample-keys/server.crt 24 | tls-auth sample-keys/ta.key 0 25 | cipher AES-256-GCM 26 | ping 1 27 | inactive 120 10000000 28 | -------------------------------------------------------------------------------- /sample/sample-config-files/office.up: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | route add -net 10.0.1.0 netmask 255.255.255.0 gw $5 3 | -------------------------------------------------------------------------------- /sample/sample-config-files/openvpn-shutdown.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # stop all openvpn processes 4 | 5 | killall -TERM openvpn 6 | -------------------------------------------------------------------------------- /sample/sample-config-files/openvpn-startup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # A sample OpenVPN startup script 4 | # for Linux. 5 | 6 | # openvpn config file directory 7 | dir=/etc/openvpn 8 | 9 | # load the firewall 10 | $dir/firewall.sh 11 | 12 | # load TUN/TAP kernel module 13 | modprobe tun 14 | 15 | # enable IP forwarding 16 | echo 1 > /proc/sys/net/ipv4/ip_forward 17 | 18 | # Invoke openvpn for each VPN tunnel 19 | # in daemon mode. Alternatively, 20 | # you could remove "--daemon" from 21 | # the command line and add "daemon" 22 | # to the config file. 
23 | # 24 | # Each tunnel should run on a separate 25 | # UDP port. Use the "port" option 26 | # to control this. Like all of 27 | # OpenVPN's options, you can 28 | # specify "--port 8000" on the command 29 | # line or "port 8000" in the config 30 | # file. 31 | 32 | openvpn --cd $dir --daemon --config vpn1.conf 33 | openvpn --cd $dir --daemon --config vpn2.conf 34 | openvpn --cd $dir --daemon --config vpn2.conf 35 | -------------------------------------------------------------------------------- /sample/sample-config-files/tls-home.conf: -------------------------------------------------------------------------------- 1 | # 2 | # Sample OpenVPN configuration file for 3 | # home using SSL/TLS mode and RSA certificates/keys. 4 | # 5 | # '#' or ';' may be used to delimit comments. 6 | 7 | # Use a dynamic tun device. For non-Linux OSes, you may want to use an 8 | # explicit unit number such as "tun1". 9 | # OpenVPN also supports virtual ethernet "tap" devices. 10 | dev tun 11 | 12 | # Our OpenVPN peer is the office gateway. 13 | remote 1.2.3.4 14 | 15 | # 10.1.0.2 is our local VPN endpoint (home). 16 | # 10.1.0.1 is our remote VPN endpoint (office). 17 | ifconfig 10.1.0.2 10.1.0.1 18 | 19 | # Our up script will establish routes 20 | # once the VPN is alive. 21 | up ./home.up 22 | 23 | # In SSL/TLS key exchange, Office will 24 | # assume server role and Home 25 | # will assume client role. 26 | tls-client 27 | 28 | # Certificate Authority file 29 | ca my-ca.crt 30 | 31 | # Our certificate/public key 32 | cert home.crt 33 | 34 | # Our private key 35 | key home.key 36 | 37 | # Our data channel cipher (must match peer config) 38 | cipher AES-256-GCM 39 | 40 | # OpenVPN 2.0 uses UDP port 1194 by default 41 | # (official port assignment by iana.org 11/04). 42 | # OpenVPN 1.x uses UDP port 5000 by default. 43 | # Each OpenVPN tunnel must use 44 | # a different port number. 45 | # lport or rport can be used 46 | # to denote different ports 47 | # for local and remote. 
48 | ; port 1194 49 | 50 | # Downgrade UID and GID to an 51 | # unprivileged user after initialization 52 | # for extra security. 53 | ; user openvpn 54 | ; group openvpn 55 | 56 | # If you built OpenVPN with 57 | # LZO compression, uncomment 58 | # out the following line. 59 | ; comp-lzo 60 | 61 | # Send a UDP ping to remote once 62 | # every 15 seconds to keep 63 | # stateful firewall connection 64 | # alive. Uncomment this 65 | # out if you are using a stateful 66 | # firewall. 67 | ; ping 15 68 | 69 | # Uncomment this section for a more reliable detection when a system 70 | # loses its connection. For example, dial-ups or laptops that 71 | # travel to other locations. 72 | ; ping 15 73 | ; ping-restart 45 74 | ; ping-timer-rem 75 | ; persist-tun 76 | ; persist-key 77 | 78 | # Verbosity level. 79 | # 0 -- quiet except for fatal errors. 80 | # 1 -- mostly quiet, but display non-fatal network errors. 81 | # 3 -- medium output, good for normal operation. 82 | # 9 -- verbose, good for troubleshooting 83 | verb 3 84 | -------------------------------------------------------------------------------- /sample/sample-config-files/tls-office.conf: -------------------------------------------------------------------------------- 1 | # 2 | # Sample OpenVPN configuration file for 3 | # office using SSL/TLS mode and RSA certificates/keys. 4 | # 5 | # '#' or ';' may be used to delimit comments. 6 | 7 | # Use a dynamic tun device. 8 | # For Linux 2.2 or non-Linux OSes, 9 | # you may want to use an explicit 10 | # unit number such as "tun1". 11 | # OpenVPN also supports virtual 12 | # ethernet "tap" devices. 13 | dev tun 14 | 15 | # 10.1.0.1 is our local VPN endpoint (office). 16 | # 10.1.0.2 is our remote VPN endpoint (home). 17 | ifconfig 10.1.0.1 10.1.0.2 18 | 19 | # Our up script will establish routes 20 | # once the VPN is alive. 21 | up ./office.up 22 | 23 | # In SSL/TLS key exchange, Office will 24 | # assume server role and Home 25 | # will assume client role.
26 | tls-server 27 | 28 | # Diffie-Hellman Parameters (tls-server only) 29 | dh dh2048.pem 30 | 31 | # Certificate Authority file 32 | ca my-ca.crt 33 | 34 | # Our certificate/public key 35 | cert office.crt 36 | 37 | # Our private key 38 | key office.key 39 | 40 | # Our data channel cipher (must match peer config) 41 | cipher AES-256-GCM 42 | 43 | # OpenVPN 2.0 uses UDP port 1194 by default 44 | # (official port assignment by iana.org 11/04). 45 | # OpenVPN 1.x uses UDP port 5000 by default. 46 | # Each OpenVPN tunnel must use 47 | # a different port number. 48 | # lport or rport can be used 49 | # to denote different ports 50 | # for local and remote. 51 | ; port 1194 52 | 53 | # Downgrade UID and GID to an 54 | # unprivileged user after initialization 55 | # for extra security. 56 | ; user openvpn 57 | ; group openvpn 58 | 59 | # If you built OpenVPN with 60 | # LZO compression, uncomment 61 | # out the following line. 62 | ; comp-lzo 63 | 64 | # Send a UDP ping to remote once 65 | # every 15 seconds to keep 66 | # stateful firewall connection 67 | # alive. Uncomment this 68 | # out if you are using a stateful 69 | # firewall. 70 | ; ping 15 71 | 72 | # Uncomment this section for a more reliable detection when a system 73 | # loses its connection. For example, dial-ups or laptops that 74 | # travel to other locations. 75 | ; ping 15 76 | ; ping-restart 45 77 | ; ping-timer-rem 78 | ; persist-tun 79 | ; persist-key 80 | 81 | # Verbosity level. 82 | # 0 -- quiet except for fatal errors. 83 | # 1 -- mostly quiet, but display non-fatal network errors. 84 | # 3 -- medium output, good for normal operation. 85 | # 9 -- verbose, good for troubleshooting 86 | verb 3 87 | -------------------------------------------------------------------------------- /sample/sample-keys/README: -------------------------------------------------------------------------------- 1 | Sample RSA and EC keys. 2 | 3 | Run ./gen-sample-keys.sh to generate fresh test keys.
4 | 5 | See the examples section of the man page for usage examples. 6 | 7 | NOTE: THESE KEYS ARE FOR TESTING PURPOSES ONLY. 8 | DON'T USE THEM FOR ANY REAL WORK BECAUSE 9 | THEY ARE TOTALLY INSECURE! 10 | 11 | ca.{crt,key} -- sample CA key/cert 12 | server.{crt,key} -- sample server key/cert 13 | client.{crt,key} -- sample client key/cert 14 | client-pass.key -- sample client key with password-encrypted key 15 | password = "password" 16 | client.p12 -- sample client pkcs12 bundle 17 | password = "password" 18 | client-ec.{crt,key} -- sample elliptic curve client key/cert 19 | server-ec.{crt,key} -- sample elliptic curve server key/cert 20 | -------------------------------------------------------------------------------- /sample/sample-keys/ca.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIGKDCCBBCgAwIBAgIJAKFO3vqQ8q6BMA0GCSqGSIb3DQEBCwUAMGYxCzAJBgNV 3 | BAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UEChMM 4 | T3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21haW4w 5 | HhcNMTQxMDIyMjE1OTUyWhcNMjQxMDE5MjE1OTUyWjBmMQswCQYDVQQGEwJLRzEL 6 | MAkGA1UECBMCTkExEDAOBgNVBAcTB0JJU0hLRUsxFTATBgNVBAoTDE9wZW5WUE4t 7 | VEVTVDEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0Lm15ZG9tYWluMIICIjANBgkq 8 | hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsJVPCqt3vtoDW2U0DII1QIh2Qs0dqh88 9 | 8nivxAIm2LTq93e9fJhsq3P/UVYAYSeCIrekXypR0EQgSgcNTvGBMe20BoHO5yvb 10 | GjKPmjfLj6XRotCOGy8EDl/hLgRY9efiA8wsVfuvF2q/FblyJQPR/gPiDtTmUiqF 11 | qXa7AJmMrqFsnWppOuGd7Qc6aTsae4TF1e/gUTCTraa7NeHowDaKhdyFmEEnCYR5 12 | CeUsx2JlFWAH8PCrxBpHYbmGyvS0kH3+rQkaSM/Pzc2bS4ayHaOYRK5XsGq8XiNG 13 | KTTLnSaCdPeHsI+3xMHmEh+u5Og2DFGgvyD22gde6W2ezvEKCUDrzR7bsnYqqyUy 14 | n7LxnkPXGyvR52T06G8KzLKQRmDlPIXhzKMO07qkHmIonXTdF7YI1azwHpAtN4dS 15 | rUe1bvjiTSoEsQPfOAyvD0RMK/CBfgEZUzAB50e/IlbZ84c0DJfUMOm4xCyft1HF 16 | YpYeyCf5dxoIjweCPOoP426+aTXM7kqq0ieIr6YxnKV6OGGLKEY+VNZh1DS7enqV 17 | HP5i8eimyuUYPoQhbK9xtDGMgghnc6Hn8BldPMcvz98HdTEH4rBfA3yNuCxLSNow 18 | 
4jJuLjNXh2QeiUtWtkXja7ec+P7VqKTduJoRaX7cs+8E3ImigiRnvmK+npk7Nt1y 19 | YE9hBRhSoLsCAwEAAaOB2DCB1TAdBgNVHQ4EFgQUK0DlyX319JY46S/jL9lAZMmO 20 | BZswgZgGA1UdIwSBkDCBjYAUK0DlyX319JY46S/jL9lAZMmOBZuhaqRoMGYxCzAJ 21 | BgNVBAYTAktHMQswCQYDVQQIEwJOQTEQMA4GA1UEBxMHQklTSEtFSzEVMBMGA1UE 22 | ChMMT3BlblZQTi1URVNUMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhvc3QubXlkb21h 23 | aW6CCQChTt76kPKugTAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG 24 | 9w0BAQsFAAOCAgEABc77f4C4P8fIS+V8qCJmVNSDU44UZBc+D+J6ZTgW8JeOHUIj 25 | Bh++XDg3gwat7pIWQ8AU5R7h+fpBI9n3dadyIsMHGwSogHY9Gw7di2RVtSFajEth 26 | rvrq0JbzpwoYedMh84sJ2qI/DGKW9/Is9+O52fR+3z3dY3gNRDPQ5675BQ5CQW9I 27 | AJgLOqzD8Q0qrXYi7HaEqzNx6p7RDTuhFgvTd+vS5d5+28Z5fm2umnq+GKHF8W5P 28 | ylp2Js119FTVO7brusAMKPe5emc7tC2ov8OFFemQvfHR41PLryap2VD81IOgmt/J 29 | kX/j/y5KGux5HZ3lxXqdJbKcAq4NKYQT0mCkRD4l6szaCEJ+k0SiM9DdTcBDefhR 30 | 9q+pCOyMh7d8QjQ1075mF7T+PGkZQUW1DUjEfrZhICnKgq+iEoUmM0Ee5WtRqcnu 31 | 5BTGQ2mSfc6rV+Vr+eYXqcg7Nxb3vFXYSTod1UhefonVqwdmyJ2sC79zp36Tbo2+ 32 | 65NW2WJK7KzPUyOJU0U9bcu0utvDOvGWmG+aHbymJgcoFzvZmlXqMXn97pSFn4jV 33 | y3SLRgJXOw1QLXL2Y5abcuoBVr4gCOxxk2vBeVxOMRXNqSWZOFIF1bu/PxuDA+Sa 34 | hEi44aHbPXt9opdssz/hdGfd8Wo7vEJrbg7c6zR6C/Akav1Rzy9oohIdgOw= 35 | -----END CERTIFICATE----- 36 | -------------------------------------------------------------------------------- /sample/sample-keys/client-ec.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIGEAgEAMBAGByqGSM49AgEGBSuBBAAKBG0wawIBAQQg2RVk/d0yok086M9bLPIi 3 | eu4DfcBUwphOnkje1/7VSY+hRANCAAQ7zmJdb4eCdSTCWPUOiE1XDQaycYiHWBm7 4 | 3l9/UmJRokiRg0iRkD6HAg8VUflolxIK/dI8h4NLZVQARI0odkkF 5 | -----END PRIVATE KEY----- 6 | -------------------------------------------------------------------------------- /sample/sample-keys/client-pass.key: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | Proc-Type: 4,ENCRYPTED 3 | DEK-Info: AES-256-CBC,ECC1F209896FC2621233FFF6F1FFD045 4 | 
5 | i6t7VKTyNNELTvrBO464e02nFg9rvYwumxd0sfqcPtaKmRK2mrZmEd/Xh0Nv1WyB 6 | PyuJo78qQixAtxObRbkSNINzTr5C8IDrE6+wQYCJinvO54U0o+ksv0tsyLngz1cb 7 | is8ZqHXrRgJ3qGFQWmFRtFKFQvSXOTDX3fLkEB53HfeblQCxBCnJ82Sp7ivnVR/j 8 | Q8qQRy1RMbzIN0trEGf0Zi4tHEvXL1u7Y+olQzSlmWWaQt20hhXUOMLhMtlRsAo7 9 | AwjlE94JjAfJ1q1dwIcRN4c9Lk8GkiX6w7nDpRACDpk2S8ifCqi69eGe4+g7owhL 10 | 74bgs64PmM9a2sNXy1v6WE3c/t6sSrZiMvrGsqMo4sBlrQ9WXe0Naon7heBkPcdS 11 | px0YJjnyBXHMIH+ASmALSJ5JXq9vt2xRFf0dOsGapxhP+7bZJ5Pwyk/yUu5uHFbM 12 | /aBemlrZJzlKeYiiwpwx2whQAtDwN41zMG+r27EzSU/AaDV40NPiwwycpWt/Bp1e 13 | z1ag0JuS0an+PK4jmREtzT5U5BeAVM91x8YttOPpmUIpahAa1zwdYPRAIkbmPJ4z 14 | ZH+9YoPH4hoBQKdIhshYktjdI++xNiKXAUGUz5YoX8S68SsLdmKvhnQ7fu5VvOkA 15 | 2pb7taXGy7zfn+a/fWauhuceV9HPlAXMIu3GsssODoNly3vpcFeiMySKppygJ3Eg 16 | A3o9n8UepD+jXflKG/R/t7U3hT6LqSIvQWqBqYMEVFMCNzSsJ/ce/4veFvx343zT 17 | qdxuzYqyiXM74cynpfqHdVa9SFICTesNdVDI0FdOXhSQ4bHJc7Xp9FFJdS0lMRw4 18 | ACwKxvs8lo4Gx1WFyCqH5OxosKtDHQYzdUJfSWVJlhhOFR3GncR9qSe3O5fkhJfs 19 | TALnC+xTJyCkSB2k0/bxVLIhlkPdCwzsrN/B6X2CDBdg0mQIo0LaPzGF8VneM20d 20 | XebYn751XSiL3HKyq8G5AEFwj9AO3Q8gKuP2fPoWdngJ2GT+mt1m2fIw9Igu39J0 21 | ZMegyUN0wSIiA5AkgryK9U+PJEiJmLzOJ/NGr7E5tPF18eZWapK4KZ8TXC4RNiye 22 | g+apGa+xZJz2VQp/Mrcdj9D4UDJFQjrvKaS0PXJDoYUXFBoMv3rxijzRVxlhhuJY 23 | yZ0At+UqZD5wpuWW6DRrgJIpy0HNhbaLmgsU0Co0HKviB0x8hvMJbi/uCoPTOdPz 24 | sPB7CN2i3oXe7xw1HfSTSFWb4leqjlKwNgfV42ox0QUjkkADeeuY+56g/B2+QmdE 25 | vXrc6sDwfNUwRUzeMn8yfum/aW1y/wrqF/qPTBQqFd85vlzS+NfXIKDg04cAljTu 26 | +2BLzvizh9Bb68iG4PykNXbjbAir1EbQG1tCzq1eKhERjgrxdv6+XqAmvchMCeL5 27 | L6hvfQFBPCo/4xnMpU5wooFarO/kGdKlGr5rXOydgfL618Td18BIX+FHQFb3zzVU 28 | y2NR4++DslJAZgAU+512zzpW1m3JtaRoyqyoLE2YFPlW804Xc1PBB3Ix6Wyzcegy 29 | D4qMk5qxjBkXEsBBSCYfVbWoMBeMhnvxkz0b9wkPtAW/jEJCB2Kkn/5yMC0DkePO 30 | -----END RSA PRIVATE KEY----- 31 | -------------------------------------------------------------------------------- /sample/sample-keys/client.key: -------------------------------------------------------------------------------- 1 | -----BEGIN 
PRIVATE KEY----- 2 | MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDsZY/pEsIaW+ZW 3 | KgipgjotRHijADuwn+cnEECT7/HMPqCqBKKAGxOp5v6B1nCQqNjU3jDYNQDSvmLw 4 | SNr8FY3Exm0LmfErgwAK0yojC+XN+TXfQ2EVcq2VmPZzIUFeoN1HJ6DVmtRBqBwd 5 | VyBxF4/3KJ4+B87s1Q5CTx50R45HndIUKCcsFBD10Za1k3SE7/kE3o1Kb993q+rR 6 | WNNE/loEAf8Gepf3/eNXSOHw30ATn2YjWuNVVD1UOe4A+RLx0t90LrrX8I3G3RhY 7 | HJMiC3X6qNbgtS8tudT+uU+G4nVIFmD7P8m0MEIp+zuzK7lZgWpG80WDv/3VGv83 8 | DG9b/WHxAgMBAAECggEBAIOdaCpUD02trOh8LqZxowJhBOl7z7/ex0uweMPk67LT 9 | i5AdVHwOlzwZJ8oSIknoOBEMRBWcLQEojt1JMuL2/R95emzjIKshHHzqZKNulFvB 10 | TIUpdnwChTKtH0mqUkLlPU3Ienty4IpNlpmfUKimfbkWHERdBJBHbtDsTABhdo3X 11 | 9pCF/yRKqJS2Fy/Mkl3gv1y/NB1OL4Jhl7vQbf+kmgfQN2qdOVe2BOKQ8NlPUDmE 12 | /1XNIDaE3s6uvUaoFfwowzsCCwN2/8QrRMMKkjvV+lEVtNmQdYxj5Xj5IwS0vkK0 13 | 6icsngW87cpZxxc1zsRWcSTloy5ohub4FgKhlolmigECgYEA+cBlxzLvaMzMlBQY 14 | kCac9KQMvVL+DIFHlZA5i5L/9pRVp4JJwj3GUoehFJoFhsxnKr8HZyLwBKlCmUVm 15 | VxnshRWiAU18emUmeAtSGawlAS3QXhikVZDdd/L20YusLT+DXV81wlKR97/r9+17 16 | klQOLkSdPm9wcMDOWMNHX8bUg8kCgYEA8k+hQv6+TR/+Beao2IIctFtw/EauaJiJ 17 | wW5ql1cpCLPMAOQUvjs0Km3zqctfBF8mUjdkcyJ4uhL9FZtfywY22EtRIXOJ/8VR 18 | we65mVo6RLR8YVM54sihanuFOnlyF9LIBWB+9pUfh1/Y7DSebh7W73uxhAxQhi3Y 19 | QwfIQIFd8OkCgYBalH4VXhLYhpaYCiXSej6ot6rrK2N6c5Tb2MAWMA1nh+r84tMP 20 | gMoh+pDgYPAqMI4mQbxUmqZEeoLuBe6VHpDav7rPECRaW781AJ4ZM4cEQ3Jz/inz 21 | 4qOAMn10CF081/Ez9ykPPlU0bsYNWHNd4eB2xWnmUBKOwk7UgJatVPaUiQKBgQCI 22 | f18CVGpzG9CHFnaK8FCnMNOm6VIaTcNcGY0mD81nv5Dt943P054BQMsAHTY7SjZW 23 | HioRyZtkhonXAB2oSqnekh7zzxgv4sG5k3ct8evdBCcE1FNJc2eqikZ0uDETRoOy 24 | s7cRxNNr+QxDkyikM+80HOPU1PMPgwfOSrX90GJQ8QKBgEBKohGMV/sNa4t14Iau 25 | qO8aagoqh/68K9GFXljsl3/iCSa964HIEREtW09Qz1w3dotEgp2w8bsDa+OwWrLy 26 | 0SY7T5jRViM3cDWRlUBLrGGiL0FiwsfqiRiji60y19erJgrgyGVIb1kIgIBRkgFM 27 | 2MMweASzTmZcri4PA/5C0HYb 28 | -----END PRIVATE KEY----- 29 | -------------------------------------------------------------------------------- /sample/sample-keys/client.p12: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mullvad/openvpn/589cca156357e05c6c3f07517184157585c8e9fc/sample/sample-keys/client.p12 -------------------------------------------------------------------------------- /sample/sample-keys/dh2048.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN DH PARAMETERS----- 2 | MIIBCAKCAQEArdnA32xujHPlPI+jPffHSoMUZ+b5gRz1H1Lw9//Gugm5TAsRiYrB 3 | t2BDSsMKvAjyqN+i5SJv4TOk98kRRKB27iPvyXmiL945VaDQl/UehCySjYlGFUjW 4 | 9nuo+JwQxeSbw0TLiSYoYJZQ8X1CxPl9mgJl277O4cW1Gc8I/bWa+ipU/4K5wv3h 5 | GI8nt+6A0jN3M/KebotMP101G4k0l0qsY4oRMTmP+z3oAP0qU9NZ1jiuMFVzRlNp 6 | 5FdYF7ctrH+tBF+QmyT4SRKSED4wE4oX6gp420NaBhIEQifIj75wlMDtxQlpkN+x 7 | QkjsEbPlaPKHGQ4uupssChVUi8IM2yq5EwIBAg== 8 | -----END DH PARAMETERS----- 9 | -------------------------------------------------------------------------------- /sample/sample-keys/server-ec.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIGEAgEAMBAGByqGSM49AgEGBSuBBAAKBG0wawIBAQQgLHGYqSlzoRaogmJfrC+E 3 | ozTothB9bORaQ1C/3FmeQ6ehRANCAAQhCawn5gA6V/T2x3ipsfTX10VZOeSj0yyU 4 | +WFK5rnph1fID4gDoFbuNOfkTiBjbMFuwQSsuS+pdmnTfUn/8TTL 5 | -----END PRIVATE KEY----- 6 | -------------------------------------------------------------------------------- /sample/sample-keys/server.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCluKLuzrGmD2qy 3 | n9MiF3neCZhxePqnzjZRVFfHMZlW0YrWxf1S5ogOe/nqJ3q/PxTsqtL/i1ZYrMpR 4 | d8U8tuSDbyIGLVvr51nUq0LI1amHc7NzNlEvpdCQoodkVGwS07h2R2mvro8As3C5 5 | 52c/jGo9eV+BJ6MOqqc9gUgQsRhsOC6PenvFPSHI+aB/FyuIT7ry7G0kjmzxClzZ 6 | W7Gw/EnLStJYxiolsJeEw57/NIwQRn8P+zxZeqYpDK6OUDryU4RALdWRewo3joJ3 7 | zmYvNHdcpUU7ABmnB9GS5ma5O07pY/wzmBquewh9Ct96uqpZbYaCCmQr2lmnTE7v 8 | 
Pb0EoksxAgMBAAECggEAPMOMin+jR75TYxeTNObiunVOPh0b2zeTVxLT9KfND7ZZ 9 | cBK8pg79SEJRCnhbW5BnvbeNEkIm8PC6ZlDCM1bkRwUStq0fDUqQ95esLzOYq5/S 10 | 5qW98viblszhU/pYfja/Zi8dI1uf96PT63Zbt0NnGQ9N42+DLDeKhtTGdchZqiQA 11 | LeSR0bQanY4tUUtCNYvBT8E3pzhoIsUzVwzIK53oovRpcOX3pMXVYZsmNhXdFFRy 12 | YkjMXpj7fGyaAJK0QsC+PsgrKuhXDzDttsG2lI/mq9+7RXB3d/pzhmBVWynVH2lw 13 | iQ7ONkSz7akDz/4I4WmxJep+FfQJYgK6rnLAlQqauQKBgQDammSAprnvDvNhSEp8 14 | W+xt7jQnFqaENbGgP0/D/OZMXc4khgexqlKFmSnBCRDmQ6JvLTWqDXC4+aqAbFQz 15 | zAIjiKaT+so8xvFRob+rBMJY5JLYKNa+zUUanfORUNYLFJPvFqnrWGaJ9uufdaM7 16 | 0a5bu95PN74NXee3DBbpBv8HLwKBgQDCEk+IjNbjMT+Neq0ywUeM5rFrUKi92abe 17 | AgsVpjbighRV+6jA2lZFJcize+xYJ9wiOR1/TEI9PZ2OtBkqpwVdvTEHTagRLcvd 18 | NfGcptREDnNLoNWA22buQpztiEduutACWQsrd+JQmqbUicUdW4zw86/oCMbYCW3V 19 | QmYOLns7nwKBgHHUX20WZE91S4pmqFKlUzHTDdkk1ESX6Qx2q0R01j8BwawHFs6O 20 | 0DW9EZ7w55nfsh+OPRl1sjK/3ubMgfQO0TZLm+IGf3Sya0qEnVeiPMkpDMX+TgRA 21 | wzEe+ou6uho+9uFSvdxMxeglaYA5M2ycvNwLsbEyZ4ZyVYxdgTiKahYFAoGAcIfP 22 | iD0qKQiYcj/tB94cz+3AeJqHjbYT1O1YYhBECOkmQ4kuG80+cs/q5W/45lEOiuWV 23 | Xgfo7Lu6jVGOujWoneci87oqtvNYH4e09oGh2WiLoBG9Wv9dWtBTUERSLzmxfXsG 24 | SAk2uEhEbj8IhfJc8iZLHH9iVUh6YEslBBodqL8CgYEAlAhvcqAvw5SzsfBR5Mcu 25 | 4Nql6mXEVhHCvS4hdFCGaNF0z9A6eBORKJpdLWnqhpquDQDsghWE+Ga4QKSNFIi1 26 | fnAaykmZuY3ToqNOIaVlYM6HpMEz0wHQbTWfDLGcTFcElLZgMAk7VlDyiYVOco+E 27 | QX9lXOO1PGpLzXhlDxSe63Y= 28 | -----END PRIVATE KEY----- 29 | -------------------------------------------------------------------------------- /sample/sample-keys/ta.key: -------------------------------------------------------------------------------- 1 | # 2 | # 2048 bit OpenVPN static key 3 | # 4 | -----BEGIN OpenVPN Static key V1----- 5 | a863b1cbdb911ff4ef3360ce135157e7 6 | 241a465f5045f51cf9a92ebc24da34fd 7 | 5fc48456778c977e374d55a8a7298aef 8 | 40d0ab0c60b5e09838510526b73473a0 9 | 8da46a8c352572dd86d4a871700a915b 10 | 6aaa58a9dac560db2dfdd7ef15a202e1 11 | fca6913d7ee79c678c5798fbf7bd920c 12 | caa7a64720908da7254598b052d07f55 13 | 
5e31dc5721932cffbdd8965d04107415 14 | 46c86823da18b66aab347e4522cc05ff 15 | 634968889209c96b1024909cd4ce574c 16 | f829aa9c17d5df4a66043182ee23635d 17 | 8cabf5a7ba02345ad94a3aa25a63d55c 18 | e13f4ad235a0825e3fe17f9419baff1c 19 | e73ad1dd652f1e48c7102fe8ee181e54 20 | 10a160ae255f63fd01db1f29e6efcb8e 21 | -----END OpenVPN Static key V1----- 22 | -------------------------------------------------------------------------------- /sample/sample-plugins/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 7 | # 8 | # Copyright (C) 2002-2023 OpenVPN Inc 9 | # 10 | 11 | MAINTAINERCLEANFILES = \ 12 | $(srcdir)/Makefile.in 13 | 14 | AM_CPPFLAGS = -I$(top_srcdir) -I$(top_builddir) \ 15 | -I$(top_srcdir)/include -I$(top_builddir)/include 16 | 17 | # We don't want automake to pull in libtool for building these 18 | # sample-plugins. Even though this breaks the conceptual ideas 19 | # around autoconf/automake/libtools ... these sample plug-ins 20 | # are just sample code, not to be installed or distributed outside 21 | # of the source tarball. Not even built by default, by design. 22 | # 23 | # We only add this as a simple and convenient way to build all 24 | # these plug-ins with the same build parameters as the rest 25 | # of the OpenVPN code. 26 | # 27 | # All the plugins which will be built are processed in this 28 | # separate Makefile, which disconnects everything just enough 29 | # to achieve our goal. 
30 | include Makefile.plugins 31 | 32 | 33 | dist-hook : 34 | make -f Makefile.plugins clean 35 | -------------------------------------------------------------------------------- /sample/sample-plugins/Makefile.plugins: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-2.0-only 2 | # 3 | # Copyright (C) 2020-2023 OpenVPN Inc 4 | # 5 | 6 | # 7 | # Plug-ins to build - listed entries should not carry any extensions 8 | # 9 | PLUGINS = \ 10 | defer/multi-auth \ 11 | keying-material-exporter-demo/keyingmaterialexporter \ 12 | log/log log/log_v3 \ 13 | simple/base64 \ 14 | simple/simple \ 15 | client-connect/sample-client-connect 16 | 17 | # All the plugins to build - rewritten with .so extension 18 | all : $(foreach var, $(PLUGINS), $(var).so) 19 | 20 | # Do not automatically remove object files 21 | # This is a special Make setting, to avoid adding an implicit 22 | # 'rm' command on object files - due to the .c.o/%.so rules below 23 | .PRECIOUS: %.o 24 | 25 | # Compile step 26 | .c.o : 27 | test -d `dirname $@` || $(MKDIR_P) `dirname $@`; \ 28 | $(CC) -c -o $@ $(CFLAGS) $(AM_CPPFLAGS) -fPIC $< 29 | 30 | # Link step 31 | %.so : %.o 32 | $(CC) $(LDFLAGS) -shared -fPIC -o $@ $< 33 | 34 | # Clean up all build object and shared object files 35 | clean : 36 | rm -f $(foreach var, $(PLUGINS), $(var).o) \ 37 | $(foreach var, $(PLUGINS), $(var).so) 38 | -------------------------------------------------------------------------------- /sample/sample-plugins/README: -------------------------------------------------------------------------------- 1 | OpenVPN plug-in examples. 2 | 3 | Examples provided: 4 | 5 | * authentication and logging 6 | simple/simple.c -- using the --auth-user-pass-verify callback, verify 7 | that the username/password is "foo"/"bar". 8 | defer/multi-auth.c 9 | -- using the --auth-user-pass-verify callback, 10 | test deferred authentication. 
Can be used to test multiple 11 | authentication plugins in the same server config. 12 | log/log.c -- Extended variant of simple/simple.c which adds more 13 | logging of what is happening inside the plug-in 14 | log/log_v3.c -- A variant of log/log.c, which makes use of the 15 | OpenVPN plug-in v3 API. This will also log even more 16 | information related to certificates in use. 17 | 18 | * client-connect (and logging) 19 | client-connect/sample-client-connect -- demonstrate how to use the 20 | CLIENT_CONNECT and CLIENT_CONNECT_V2 hooks to achieve 21 | "per client configuration / logging / ..." actions, 22 | both in synchronous and async/deferred mode 23 | 24 | * cryptography related 25 | simple/base64.c -- Example using the OpenVPN exported base64 encode/decode 26 | functions 27 | keying-material-exporter-demo/keyingmaterialexporter.c 28 | -- Example based on TLS Keying Material Exporters over HTTP [RFC-5705] 29 | (openvpn/doc/keying-material-exporter.txt). For more details, see 30 | keying-material-exporter-demo/README 31 | 32 | 33 | To build on *BSD/Linux platforms (requires GNU Make): 34 | 35 | gmake (builds a default set of plug-ins) 36 | gmake simple/simple.so 37 | 38 | To build on Windows platform (MinGW): 39 | 40 | cd simple; ./winbuild simple.so 41 | 42 | To use in OpenVPN, add to config file: 43 | 44 | plugin simple.so (Linux/BSD/etc.) 45 | plugin simple.dll 46 | -------------------------------------------------------------------------------- /sample/sample-plugins/client-connect/README: -------------------------------------------------------------------------------- 1 | OpenVPN plugin examples. 2 | 3 | Examples provided: 4 | 5 | sample-client-connect.c 6 | 7 | - hook to all plugin hooks that openvpn offers 8 | - log which hook got called 9 | - on CLIENT_CONNECT or CLIENT_CONNECT_V2 set some config variables 10 | (controlled by "setenv plugin_cc_config ..." 
and "plugin_cc2_config" 11 | in openvpn's config) 12 | 13 | - if the environment variable UV_WANT_CC_FAIL is set, fail 14 | - if the environment variable UV_WANT_CC_DISABLE is set, reject ("disable") 15 | - if the environment variable UV_WANT_CC_ASYNC is set, go to 16 | asynchronous/deferred mode on CLIENT_CONNECT, and sleep for 17 | ${UV_WANT_CC_ASYNC} seconds 18 | 19 | - if the environment variable UV_WANT_CC2_FAIL is set, fail CC2 20 | - if the environment variable UV_WANT_CC2_DISABLE is set, reject ("disable") 21 | - if the environment variable UV_WANT_CC2_ASYNC is set, go to 22 | asynchronous/deferred mode on CLIENT_CONNECT_V2, and sleep for 23 | ${UV_WANT_CC2_ASYNC} seconds 24 | 25 | (this can be client-controlled with --setenv UV_WANT_CC_ASYNC nnn 26 | etc. --> for easy testing server code paths) 27 | 28 | To build for unixy platforms (not very sophisticated right now, needs gmake): 29 | 30 | .../sample-plugins$ gmake client-connect/sample-client-connect.so 31 | 32 | (This plugin has not been tested on Windows, and might not even work due 33 | to its use of fork() and wait(). Let us know if it does or needs patches) 34 | 35 | 36 | To use in OpenVPN, add to config file: 37 | 38 | plugin sample-client-connect.so (Linux/BSD/etc.) 39 | -------------------------------------------------------------------------------- /sample/sample-plugins/defer/winbuild: -------------------------------------------------------------------------------- 1 | # 2 | # Build an OpenVPN plugin module on Windows/MinGW. 3 | # The argument should be the base name of the C source file 4 | # (without the .c). 
5 | # 6 | 7 | # This directory is where we will look for openvpn-plugin.h 8 | INCLUDE="-I../../../build" 9 | 10 | CC_FLAGS="-O2 -Wall" 11 | 12 | gcc -DBUILD_DLL $CC_FLAGS $INCLUDE -c $1.c 13 | gcc --disable-stdcall-fixup -mdll -DBUILD_DLL -o junk.tmp -Wl,--base-file,base.tmp $1.o 14 | rm junk.tmp 15 | dlltool --dllname $1.dll --base-file base.tmp --output-exp temp.exp --input-def $1.def 16 | rm base.tmp 17 | gcc --enable-stdcall-fixup -mdll -DBUILD_DLL -o $1.dll $1.o -Wl,temp.exp 18 | rm temp.exp 19 | -------------------------------------------------------------------------------- /sample/sample-plugins/keying-material-exporter-demo/client.ovpn: -------------------------------------------------------------------------------- 1 | tls-client 2 | pull 3 | 4 | keying-material-exporter "EXPORTER_SSO_TEST" 16 5 | reneg-sec 0 6 | 7 | ca ../../sample-keys/ca.crt 8 | cert ../../sample-keys/client.crt 9 | key ../../sample-keys/client.key 10 | 11 | plugin ./keyingmaterialexporter.so 12 | 13 | remote 127.0.0.1 1194 14 | proto udp 15 | dev tun 16 | nobind 17 | 18 | verb 4 19 | -------------------------------------------------------------------------------- /sample/sample-plugins/keying-material-exporter-demo/http-client.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import sys 3 | import os 4 | import httplib 5 | 6 | f = '/tmp/openvpn_sso_user' 7 | with open (f, "r") as myfile: 8 | session_key = myfile.read().replace('\n', '') 9 | 10 | conn = httplib.HTTPConnection("10.8.0.1:8080") 11 | conn.request("GET", "/" + session_key) 12 | r1 = conn.getresponse() 13 | 14 | if r1.status == 200: 15 | body = r1.read().rstrip() 16 | print body 17 | elif r1.status == 404: 18 | print "Authentication failed" 19 | else: 20 | print r1.status, r1.reason 21 | -------------------------------------------------------------------------------- /sample/sample-plugins/keying-material-exporter-demo/http-server.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer 3 | import os 4 | 5 | class ExampleHTTPRequestHandler(BaseHTTPRequestHandler): 6 | 7 | def do_GET(self): 8 | session_key = os.path.basename(self.path) 9 | file = '/tmp/openvpn_sso_' + session_key 10 | print 'session file: ' + file 11 | try: 12 | f = open(file) 13 | #send code 200 response 14 | self.send_response(200) 15 | #send header first 16 | self.send_header('Content-type','text-html') 17 | self.end_headers() 18 | #send file content to client 19 | user = f.read().rstrip() 20 | print 'session user: ' + user 21 | print 'session key: ' + session_key 22 | self.wfile.write('

Greetings ' + user \ 23 | + '. You are authorized' \ 24 | '

' \ 25 | '') 26 | f.close() 27 | return 28 | except IOError: 29 | self.send_error(404, 'authentication failed') 30 | 31 | def run(): 32 | #ip and port of servr 33 | #by default http server port is 80 34 | server_address = ('0.0.0.0', 8080) 35 | httpd = HTTPServer(server_address, ExampleHTTPRequestHandler) 36 | print('http server started') 37 | httpd.serve_forever() 38 | print('http server stopped') 39 | 40 | if __name__ == '__main__': 41 | run() 42 | -------------------------------------------------------------------------------- /sample/sample-plugins/keying-material-exporter-demo/server.ovpn: -------------------------------------------------------------------------------- 1 | tls-server 2 | reneg-sec 0 3 | 4 | keying-material-exporter "EXPORTER_SSO_TEST" 16 5 | duplicate-cn 6 | 7 | plugin ./keyingmaterialexporter.so 8 | ca ../../sample-keys/ca.crt 9 | cert ../../sample-keys/server.crt 10 | key ../../sample-keys/server.key 11 | dh ../../sample-keys/dh2048.pem 12 | 13 | server 10.8.0.0 255.255.255.0 14 | port 1194 15 | proto udp 16 | dev tun 17 | 18 | verb 4 19 | -------------------------------------------------------------------------------- /sample/sample-plugins/log/winbuild: -------------------------------------------------------------------------------- 1 | # 2 | # Build an OpenVPN plugin module on Windows/MinGW. 3 | # The argument should be the base name of the C source file 4 | # (without the .c). 
5 | # 6 | 7 | # This directory is where we will look for openvpn-plugin.h 8 | INCLUDE="-I../../../include" 9 | 10 | CC_FLAGS="-O2 -Wall" 11 | 12 | gcc -DBUILD_DLL $CC_FLAGS $INCLUDE -c $1.c 13 | gcc --disable-stdcall-fixup -mdll -DBUILD_DLL -o junk.tmp -Wl,--base-file,base.tmp $1.o 14 | rm junk.tmp 15 | dlltool --dllname $1.dll --base-file base.tmp --output-exp temp.exp --input-def $1.def 16 | rm base.tmp 17 | gcc --enable-stdcall-fixup -mdll -DBUILD_DLL -o $1.dll $1.o -Wl,temp.exp 18 | rm temp.exp 19 | -------------------------------------------------------------------------------- /sample/sample-plugins/simple/simple.def: -------------------------------------------------------------------------------- 1 | LIBRARY OpenVPN_PLUGIN_SAMPLE 2 | DESCRIPTION "Sample OpenVPN plug-in module." 3 | EXPORTS 4 | openvpn_plugin_open_v1 @1 5 | openvpn_plugin_func_v1 @2 6 | openvpn_plugin_close_v1 @3 7 | -------------------------------------------------------------------------------- /sample/sample-plugins/simple/winbuild: -------------------------------------------------------------------------------- 1 | # 2 | # Build an OpenVPN plugin module on Windows/MinGW. 3 | # The argument should be the base name of the C source file 4 | # (without the .c). 
5 | # 6 | 7 | # This directory is where we will look for openvpn-plugin.h 8 | INCLUDE="-I../../../include" 9 | 10 | CC_FLAGS="-O2 -Wall" 11 | 12 | gcc -DBUILD_DLL $CC_FLAGS $INCLUDE -c $1.c 13 | gcc --disable-stdcall-fixup -mdll -DBUILD_DLL -o junk.tmp -Wl,--base-file,base.tmp $1.o 14 | rm junk.tmp 15 | dlltool --dllname $1.dll --base-file base.tmp --output-exp temp.exp --input-def $1.def 16 | rm base.tmp 17 | gcc --enable-stdcall-fixup -mdll -DBUILD_DLL -o $1.dll $1.o -Wl,temp.exp 18 | rm temp.exp 19 | -------------------------------------------------------------------------------- /sample/sample-scripts/bridge-start: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | ################################# 4 | # Set up Ethernet bridge on Linux 5 | # Requires: bridge-utils 6 | ################################# 7 | 8 | # Define Bridge Interface 9 | br="br0" 10 | 11 | # Define list of TAP interfaces to be bridged, 12 | # for example tap="tap0 tap1 tap2". 13 | tap="tap0" 14 | 15 | # Define physical ethernet interface to be bridged 16 | # with TAP interface(s) above. 
17 | eth="eth0" 18 | eth_ip="192.168.8.4" 19 | eth_netmask="255.255.255.0" 20 | eth_broadcast="192.168.8.255" 21 | 22 | for t in $tap; do 23 | openvpn --mktun --dev $t 24 | done 25 | 26 | brctl addbr $br 27 | brctl addif $br $eth 28 | 29 | for t in $tap; do 30 | brctl addif $br $t 31 | done 32 | 33 | for t in $tap; do 34 | ifconfig $t 0.0.0.0 promisc up 35 | done 36 | 37 | ifconfig $eth 0.0.0.0 promisc up 38 | 39 | ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast 40 | -------------------------------------------------------------------------------- /sample/sample-scripts/bridge-stop: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | #################################### 4 | # Tear Down Ethernet bridge on Linux 5 | #################################### 6 | 7 | # Define Bridge Interface 8 | br="br0" 9 | 10 | # Define list of TAP interfaces to be bridged together 11 | tap="tap0" 12 | 13 | ifconfig $br down 14 | brctl delbr $br 15 | 16 | for t in $tap; do 17 | openvpn --rmtun --dev $t 18 | done 19 | -------------------------------------------------------------------------------- /sample/sample-scripts/ucn.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl -t 2 | 3 | # OpenVPN --auth-user-pass-verify script. 4 | # Only authenticate if username equals common_name. 
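5 | # In OpenVPN config file: 6 | # auth-user-pass-verify ./ucn.pl via-env 7 | 8 | $username = $ENV{'username'}; 9 | $common_name = $ENV{'common_name'}; 10 | 11 | exit !(length($username) > 0 && length($common_name) > 0 && $username eq $common_name); 12 | -------------------------------------------------------------------------------- /sample/sample-scripts/verify-cn: --------------------------------------------------------------------------------
#!/usr/bin/perl

# verify-cn -- a sample OpenVPN tls-verify script
#
# Return 0 if cn matches the common name component of
# subject, 1 otherwise.
#
# For example in OpenVPN, you could use the directive:
#
#   tls-verify "./verify-cn /etc/openvpn/allowed_clients"
#
# This would cause the connection to be dropped unless
# the client common name is listed on a line in the
# allowed_clients file.
#
# NOTE(review): the common name is taken from the first " CN=" that
# appears in the subject string, so the decision depends on how the
# subject is formatted and on the CA not issuing certificates whose
# other fields contain that text -- confirm against your CA policy.
# OpenVPN also exports the parsed subject fields to tls-verify scripts
# (X509_0_CN for the client certificate), which avoids pattern-matching
# the subject string.

die "usage: verify-cn cnfile certificate_depth subject" if (@ARGV != 3);

# Parse out arguments:
#   cnfile -- The file containing the list of common names, one per
#             line, which the client is required to have,
#             taken from the argument to the tls-verify directive
#             in the OpenVPN config file.
#             The file can have blank lines and comment lines that begin
#             with the # character.
#   depth  -- The current certificate chain depth.  In a typical
#             bi-level chain, the root certificate will be at level
#             1 and the client certificate will be at level 0.
#             This script will be called separately for each level.
#   x509   -- the X509 subject string as extracted by OpenVPN from
#             the client's provided certificate.
($cnfile, $depth, $x509) = @ARGV;

if ($depth == 0) {
    # If depth is zero, we know that this is the final
    # certificate in the chain (i.e. the client certificate),
    # and the one we are interested in examining.
    # If so, parse out the common name substring in
    # the X509 subject string.

    if ($x509 =~ / CN=([^,]+)/) {
        $cn = $1;
        # Accept the connection if the X509 common name
        # string matches a line of the cnfile.
        open(FH, '<', $cnfile) or exit 1; # can't open, nobody authenticates!
        while (defined($line = <FH>)) {
            if ($line !~ /^[[:space:]]*(#|$)/o) {
                # chomp, not chop: chop removes the last character
                # whatever it is, so a final entry without a trailing
                # newline (say "alice2") was compared as "alice" and
                # admitted a client that is not on the list.
                chomp($line);
                if ($line eq $cn) {
                    exit 0;
                }
            }
        }
        close(FH);
    }

    # Authentication failed -- Either we could not parse
    # the X509 subject string, or the common name in the
    # subject string didn't match any entry of the cnfile.
    exit 1;
}

# If depth is nonzero, tell OpenVPN to continue processing
# the certificate chain.
exit 0;
65 | -------------------------------------------------------------------------------- /src/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression.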
7 | # 8 | # Copyright (C) 2002-2023 OpenVPN Inc 9 | # Copyright (C) 2006-2012 Alon Bar-Lev 10 | # 11 | 12 | MAINTAINERCLEANFILES = \ 13 | $(srcdir)/Makefile.in 14 | 15 | SUBDIRS = compat openvpn openvpnmsica openvpnserv plugins tapctl 16 | -------------------------------------------------------------------------------- /src/compat/Debug.props: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | <_PropertySheetDisplayName>compat-Debug 9 | true 10 | 11 | 12 | 13 | EnableFastChecks 14 | Disabled 15 | _DEBUG;%(PreprocessorDefinitions) 16 | MultiThreadedDebugDLL 17 | EditAndContinue 18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- /src/compat/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 
7 | # 8 | # Copyright (C) 2002-2023 OpenVPN Inc 9 | # Copyright (C) 2006-2012 Alon Bar-Lev 10 | # 11 | 12 | MAINTAINERCLEANFILES = \ 13 | $(srcdir)/Makefile.in 14 | 15 | EXTRA_DIST = \ 16 | compat.vcxproj \ 17 | PropertySheet.props \ 18 | Debug.props \ 19 | Release.props 20 | 21 | noinst_LTLIBRARIES = libcompat.la 22 | 23 | libcompat_la_SOURCES = \ 24 | compat.h \ 25 | compat-dirname.c \ 26 | compat-basename.c \ 27 | compat-gettimeofday.c \ 28 | compat-daemon.c \ 29 | compat-strsep.c \ 30 | compat-versionhelpers.h 31 | -------------------------------------------------------------------------------- /src/compat/PropertySheet.props: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | $(SolutionDir)$(Platform)-Output\$(Configuration)\ 7 | <_PropertySheetDisplayName>compat 8 | 9 | 10 | 11 | Level3 12 | WIN32;$(CPPFLAGS);%(PreprocessorDefinitions) 13 | $(SolutionDir);$(SolutionDir)include;%(AdditionalIncludeDirectories) 14 | 15 | 16 | true 17 | 18 | 19 | 20 | $(SOLUTIONDIR) 21 | 22 | 23 | 24 | 25 | $(SOLUTIONDIR) 26 | true 27 | 28 | 29 | -------------------------------------------------------------------------------- /src/compat/Release.props: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | <_PropertySheetDisplayName>compat-Release 9 | false 10 | 11 | 12 | 13 | true 14 | true 15 | MultiThreadedDLL 16 | ProgramDatabase 17 | NDEBUG;%(PreprocessorDefinitions) 18 | Guard 19 | 20 | 21 | true 22 | true 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /src/compat/compat-basename.c: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet 
compression. 7 | * 8 | * Copyright (C) 2011 - David Sommerseth 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 22 | */ 23 | 24 | #ifdef HAVE_CONFIG_H 25 | #include "config.h" 26 | #elif defined(_MSC_VER) 27 | #include "config-msvc.h" 28 | #endif 29 | 30 | #ifndef HAVE_BASENAME 31 | 32 | #include "compat.h" 33 | #include 34 |
/*
 * Modified version based on glibc-2.14.1 by Roland McGrath
 * This version is extended to handle both / and \ in path names.
 *
 * Returns a pointer into filename, just past its last '/'.  Only when
 * filename holds no '/' at all is the last '\' used instead; when it
 * holds neither, filename itself is returned.  Nothing is copied or
 * modified.
 *
 * Because '\' is only the fallback, a path that mixes both separators
 * yields everything after the last '/', which can still contain a '\'.
 * Callers that use the result to keep a name inside one directory
 * should not assume it is free of separators.
 */
char *
basename(char *filename)
{
    char *last_sep = strrchr(filename, '/');

    if (last_sep == NULL)
    {
        /* No forward slash: this might be a Windows path */
        last_sep = strrchr(filename, '\\');
        if (last_sep == NULL)
        {
            return filename;
        }
    }
    return last_sep + 1;
}
49 | 50 | #endif /* HAVE_BASENAME */ 51 | -------------------------------------------------------------------------------- /src/compat/compat-strsep.c: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2019-2023 Arne Schwabe 9 | * Copyright (C) 1992-2019 Free Software Foundation, Inc.
10 | * 11 | * This program is free software; you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License version 2 13 | * as published by the Free Software Foundation. 14 | * 15 | * This program is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU General Public License along 21 | * with this program; if not, write to the Free Software Foundation, Inc., 22 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | */ 24 | 25 | #ifdef HAVE_CONFIG_H 26 | #include "config.h" 27 | #elif defined(_MSC_VER) 28 | #include "config-msvc.h" 29 | #endif 30 | 31 | #ifndef HAVE_STRSEP 32 | #include 33 |
/*
 * Modified version based on the glibc
 *
 * Splits the next token off *stringp.  The token ends at the first
 * character that occurs in delim; that character is overwritten with
 * NUL and *stringp is moved just past it.  When no delimiter is left,
 * the rest of the string is the token and *stringp becomes NULL.
 *
 * Returns the start of the token, or NULL when *stringp is already
 * NULL.  The input buffer is modified in place, so it must be writable.
 */
char *
strsep(char **stringp, const char *delim)
{
    char *token = *stringp;

    if (token != NULL)
    {
        /* strcspn() gives the length of the run free of delimiters */
        char *stop = token + strcspn(token, delim);

        if (*stop == '\0')
        {
            /* No more delimiters; this is the last token. */
            *stringp = NULL;
        }
        else
        {
            /* Terminate the token and continue after the delimiter. */
            *stop = '\0';
            *stringp = stop + 1;
        }
    }
    return token;
}
61 | #endif /* ifndef HAVE_STRSEP */ 62 | -------------------------------------------------------------------------------- /src/compat/compat.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression.
7 | * 8 | * Copyright (C) 2011 - David Sommerseth 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 22 | */ 23 | 24 | #ifndef COMPAT_H 25 | #define COMPAT_H 26 | 27 | #ifdef _WIN32 28 | #include 29 | #include 30 | #endif 31 | 32 | #ifdef HAVE_SYS_TIME_H 33 | #include 34 | #endif 35 | 36 | #ifdef HAVE_SYS_SOCKET_H 37 | #include 38 | #endif 39 | 40 | #ifndef HAVE_DIRNAME 41 | char *dirname(char *str); 42 | 43 | #endif /* HAVE_DIRNAME */ 44 | 45 | #ifndef HAVE_BASENAME 46 | char *basename(char *str); 47 | 48 | #endif /* HAVE_BASENAME */ 49 | 50 | #ifndef HAVE_GETTIMEOFDAY 51 | int gettimeofday(struct timeval *tv, void *tz); 52 | 53 | #endif 54 | 55 | #ifndef HAVE_DAEMON 56 | int daemon(int nochdir, int noclose); 57 | 58 | #endif 59 | 60 | #ifndef HAVE_STRSEP 61 | char *strsep(char **stringp, const char *delim); 62 | 63 | #endif 64 | 65 | #endif /* COMPAT_H */ 66 | -------------------------------------------------------------------------------- /src/openvpn/argv.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 
7 | * 8 | * Copyright (C) 2002-2023 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 22 | * 23 | * 24 | * A printf-like function (that only recognizes a subset of standard printf 25 | * format operators) that prints arguments to an argv list instead 26 | * of a standard string. This is used to build up argv arrays for passing 27 | * to execve. 28 | */ 29 | 30 | #ifndef ARGV_H 31 | #define ARGV_H 32 | 33 | #include "buffer.h" 34 | 35 | struct argv { 36 | struct gc_arena gc; 37 | size_t capacity; 38 | size_t argc; 39 | char **argv; 40 | }; 41 | 42 | struct argv argv_new(void); 43 | 44 | void argv_free(struct argv *a); 45 | 46 | const char *argv_str(const struct argv *a, struct gc_arena *gc, const unsigned int flags); 47 | 48 | struct argv argv_insert_head(const struct argv *a, const char *head); 49 | 50 | void argv_msg(const int msglev, const struct argv *a); 51 | 52 | void argv_msg_prefix(const int msglev, const struct argv *a, const char *prefix); 53 | 54 | void argv_parse_cmd(struct argv *a, const char *s); 55 | 56 | bool argv_printf(struct argv *a, const char *format, ...) 
57 | #ifdef __GNUC__ 58 | #if __USE_MINGW_ANSI_STDIO 59 | __attribute__ ((format(gnu_printf, 2, 3))) 60 | #else 61 | __attribute__ ((format(__printf__, 2, 3))) 62 | #endif 63 | #endif 64 | ; 65 | 66 | bool argv_printf_cat(struct argv *a, const char *format, ...) 67 | #ifdef __GNUC__ 68 | #if __USE_MINGW_ANSI_STDIO 69 | __attribute__ ((format(gnu_printf, 2, 3))) 70 | #else 71 | __attribute__ ((format(__printf__, 2, 3))) 72 | #endif 73 | #endif 74 | ; 75 | 76 | #endif /* ifndef ARGV_H */ 77 | -------------------------------------------------------------------------------- /src/openvpn/base64.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan 3 | * (Royal Institute of Technology, Stockholm, Sweden). 4 | * All rights reserved. 5 | * 6 | * Redistribution and use in source and binary forms, with or without 7 | * modification, are permitted provided that the following conditions 8 | * are met: 9 | * 10 | * 1. Redistributions of source code must retain the above copyright 11 | * notice, this list of conditions and the following disclaimer. 12 | * 13 | * 2. Redistributions in binary form must reproduce the above copyright 14 | * notice, this list of conditions and the following disclaimer in the 15 | * documentation and/or other materials provided with the distribution. 16 | * 17 | * 3. Neither the name of the Institute nor the names of its contributors 18 | * may be used to endorse or promote products derived from this software 19 | * without specific prior written permission. 20 | * 21 | * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 | * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 | * SUCH DAMAGE. 32 | */ 33 | 34 | #ifndef _BASE64_H_ 35 | #define _BASE64_H_ 36 | 37 | /** Compute resulting base64 length. 6 bits per byte, padded to 4 bytes. The result does not count a terminating NUL, so a buffer sized with it needs one more byte for a C string. The argument is expanded without parentheses: pass a plain identifier or literal, not an expression such as a + b. */ 38 | #define OPENVPN_BASE64_LENGTH(binary_length) \ 39 | ((((8 * binary_length) / 6) + 3) & ~3) 40 | 41 | /** Compute the maximal number of bytes encoded in a base64 string. This is an upper bound (3 bytes per 4 characters, padding not subtracted). The argument is expanded without parentheses: pass a plain identifier or literal. */ 42 | #define OPENVPN_BASE64_DECODED_LENGTH(base64_length) \ 43 | ((base64_length / 4) * 3) 44 | 45 | int openvpn_base64_encode(const void *data, int size, char **str); 46 | 47 | int openvpn_base64_decode(const char *str, void *data, int size); 48 | 49 | #endif 50 | -------------------------------------------------------------------------------- /src/openvpn/basic.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2023 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 
13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 22 | */ 23 | 24 | #ifndef BASIC_H 25 | #define BASIC_H 26 | 27 | #define BOOL_CAST(x) ((x) ? (true) : (false)) 28 | 29 | /* size of an array */ 30 | #define SIZE(x) (sizeof(x)/sizeof(x[0])) 31 | 32 | /* clear an object (may be optimized away, use secure_memzero() to erase secrets) */ 33 | #define CLEAR(x) memset(&(x), 0, sizeof(x)) 34 | 35 | #define IPV4_NETMASK_HOST 0xffffffffU 36 | 37 | #endif 38 | -------------------------------------------------------------------------------- /src/openvpn/comp-lz4.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2023 OpenVPN Inc 9 | * Copyright (C) 2013-2023 Gert Doering 10 | * 11 | * This program is free software; you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License version 2 13 | * as published by the Free Software Foundation. 14 | * 15 | * This program is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU General Public License for more details. 
19 | * 20 | * You should have received a copy of the GNU General Public License along 21 | * with this program; if not, write to the Free Software Foundation, Inc., 22 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | */ 24 | 25 | #ifndef OPENVPN_COMP_LZ4_H 26 | #define OPENVPN_COMP_LZ4_H 27 | 28 | #if defined(ENABLE_LZ4) 29 | 30 | #include "buffer.h" 31 | 32 | extern const struct compress_alg lz4_alg; 33 | extern const struct compress_alg lz4v2_alg; 34 | 35 | struct lz4_workspace 36 | { 37 | int dummy; 38 | }; 39 | 40 | #endif /* ENABLE_LZ4 */ 41 | #endif 42 | -------------------------------------------------------------------------------- /src/openvpn/cryptoapi.h: -------------------------------------------------------------------------------- 1 | #ifndef _CRYPTOAPI_H_ 2 | #define _CRYPTOAPI_H_ 3 | 4 | int SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop); 5 | 6 | 7 | #endif /* !_CRYPTOAPI_H_ */ 8 | -------------------------------------------------------------------------------- /src/openvpn/dco_freebsd.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Interface to FreeBSD dco networking code 3 | * 4 | * Copyright (C) 2022 Rubicon Communications, LLC (Netgate). All Rights Reserved. 5 | * 6 | * This program is free software; you can redistribute it and/or modify 7 | * it under the terms of the GNU General Public License version 2 8 | * as published by the Free Software Foundation. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 
14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program (see the file COPYING included with this 17 | * distribution); if not, write to the Free Software Foundation, Inc., 18 | * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 | */ 20 | #ifndef DCO_FREEBSD_H 21 | #define DCO_FREEBSD_H 22 | 23 | #if defined(ENABLE_DCO) && defined(TARGET_FREEBSD) 24 | 25 | #include "buffer.h" 26 | #include "event.h" 27 | 28 | #include "ovpn_dco_freebsd.h" 29 | 30 | #define DCO_IROUTE_METRIC 100 31 | 32 | typedef enum ovpn_key_slot dco_key_slot_t; 33 | typedef enum ovpn_key_cipher dco_cipher_t; 34 | 35 | enum ovpn_message_type_t { 36 | OVPN_CMD_DEL_PEER, 37 | OVPN_CMD_PACKET, 38 | }; 39 | 40 | enum ovpn_del_reason_t { 41 | OVPN_DEL_PEER_REASON_EXPIRED, 42 | OVPN_DEL_PEER_REASON_TRANSPORT_ERROR, 43 | OVPN_DEL_PEER_REASON_USERSPACE, 44 | }; 45 | 46 | typedef struct dco_context { 47 | bool open; 48 | int fd; 49 | int pipefd[2]; 50 | 51 | char ifname[IFNAMSIZ]; 52 | 53 | struct buffer dco_packet_in; 54 | 55 | int dco_message_type; 56 | int dco_message_peer_id; 57 | int dco_del_peer_reason; 58 | uint64_t dco_read_bytes; 59 | uint64_t dco_write_bytes; 60 | } dco_context_t; 61 | 62 | #endif /* defined(ENABLE_DCO) && defined(TARGET_FREEBSD) */ 63 | #endif /* ifndef DCO_FREEBSD_H */ 64 | -------------------------------------------------------------------------------- /src/openvpn/dco_linux.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Interface to linux dco networking code 3 | * 4 | * Copyright (C) 2020-2023 Antonio Quartulli 5 | * Copyright (C) 2020-2023 Arne Schwabe 6 | * Copyright (C) 2020-2023 OpenVPN Inc 7 | * 8 | * This program is free software; you can redistribute it and/or modify 9 | * it under the terms of the GNU General Public License version 2 10 | * as published by the Free Software Foundation. 
11 | * 12 | * This program is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License 18 | * along with this program (see the file COPYING included with this 19 | * distribution); if not, write to the Free Software Foundation, Inc., 20 | * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 21 | */ 22 | #ifndef DCO_LINUX_H 23 | #define DCO_LINUX_H 24 | 25 | #if defined(ENABLE_DCO) && defined(TARGET_LINUX) 26 | 27 | #include "event.h" 28 | 29 | #include "ovpn_dco_linux.h" 30 | 31 | #include 32 | #include 33 | 34 | typedef enum ovpn_key_slot dco_key_slot_t; 35 | typedef enum ovpn_cipher_alg dco_cipher_t; 36 | 37 | 38 | typedef struct 39 | { 40 | struct nl_sock *nl_sock; 41 | struct nl_cb *nl_cb; 42 | int status; 43 | 44 | enum ovpn_mode ifmode; 45 | 46 | int ovpn_dco_id; 47 | int ovpn_dco_mcast_id; 48 | 49 | unsigned int ifindex; 50 | 51 | struct buffer dco_packet_in; 52 | 53 | int dco_message_type; 54 | int dco_message_peer_id; 55 | int dco_del_peer_reason; 56 | uint64_t dco_read_bytes; 57 | uint64_t dco_write_bytes; 58 | } dco_context_t; 59 | 60 | #endif /* defined(ENABLE_DCO) && defined(TARGET_LINUX) */ 61 | #endif /* ifndef DCO_LINUX_H */ 62 | -------------------------------------------------------------------------------- /src/openvpn/dco_win.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Interface to ovpn-win-dco networking code 3 | * 4 | * Copyright (C) 2020-2023 Arne Schwabe 5 | * Copyright (C) 2020-2023 OpenVPN Inc 6 | * 7 | * This program is free software; you can redistribute it and/or modify 8 | * it under the terms of the GNU General Public License version 2 9 | * as published by the Free Software Foundation. 
10 | * 11 | * This program is distributed in the hope that it will be useful, 12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | * GNU General Public License for more details. 15 | * 16 | * You should have received a copy of the GNU General Public License 17 | * along with this program (see the file COPYING included with this 18 | * distribution); if not, write to the Free Software Foundation, Inc., 19 | * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 | */ 21 | 22 | #ifndef DCO_WIN_H 23 | #define DCO_WIN_H 24 | 25 | #if defined(ENABLE_DCO) && defined(_WIN32) 26 | 27 | #include "buffer.h" 28 | #include "ovpn_dco_win.h" 29 | #include "sig.h" 30 | 31 | typedef OVPN_KEY_SLOT dco_key_slot_t; 32 | typedef OVPN_CIPHER_ALG dco_cipher_t; 33 | 34 | struct dco_context { 35 | struct tuntap *tt; 36 | }; 37 | 38 | typedef struct dco_context dco_context_t; 39 | 40 | struct tuntap 41 | create_dco_handle(const char *devname, struct gc_arena *gc); 42 | 43 | void 44 | dco_create_socket(HANDLE handle, struct addrinfo *remoteaddr, bool bind_local, 45 | struct addrinfo *bind, int timeout, 46 | struct signal_info *sig_info); 47 | 48 | void 49 | dco_start_tun(struct tuntap *tt); 50 | 51 | #else /* if defined(ENABLE_DCO) && defined(_WIN32) */ 52 | 53 | static inline void 54 | dco_start_tun(struct tuntap *tt) 55 | { 56 | ASSERT(false); 57 | } 58 | 59 | #endif /* defined(_WIN32) */ 60 | #endif /* ifndef DCO_H */ 61 | -------------------------------------------------------------------------------- /src/openvpn/fdmisc.c: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 
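 *
 * Copyright (C) 2002-2023 OpenVPN Inc
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

#ifdef HAVE_CONFIG_H
#include "config.h"
#elif defined(_MSC_VER)
#include "config-msvc.h"
#endif

#include "syshead.h"

#include "fdmisc.h"
#include "error.h"

#include "memdbg.h"

/*
 * Set a file descriptor to non-blocking.
 *
 * Returns true on success and false if the underlying call fails; nothing
 * is logged here, see set_nonblock() for the variant that reports errors.
 */
bool
set_nonblock_action(socket_descriptor_t fd)
{
#ifdef _WIN32
    u_long arg = 1;
    if (ioctlsocket(fd, FIONBIO, &arg))
    {
        return false;
    }
#else  /* ifdef _WIN32 */
    /* F_SETFL replaces the whole set of file status flags, so read the
     * current flags first and add O_NONBLOCK to them instead of silently
     * clearing whatever else was set on the descriptor. */
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags < 0 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0)
    {
        return false;
    }
#endif
    return true;
}

/*
 * Set a file descriptor to not be passed across execs.
 *
 * Returns true on success and false if fcntl() fails.  On _WIN32 builds
 * this function does nothing and always returns true.
 */
bool
set_cloexec_action(socket_descriptor_t fd)
{
#ifndef _WIN32
    if (fcntl(fd, F_SETFD, FD_CLOEXEC) < 0)
    {
        return false;
    }
#endif
    return true;
}

/*
 * Set a file descriptor to non-blocking and report a failure through
 * msg(M_ERR, ...).
 * NOTE(review): M_ERR is presumably fatal - confirm in error.h.
 */
void
set_nonblock(socket_descriptor_t fd)
{
    if (!set_nonblock_action(fd))
    {
        msg(M_ERR, "Set socket to non-blocking mode failed");
    }
}

/*
 * Set a file descriptor to not be passed across execs and report a failure
 * through msg(M_ERR, ...).  Descriptors that miss this flag stay open in
 * every program the process later execs.
 */
void
set_cloexec(socket_descriptor_t fd)
{
    if (!set_cloexec_action(fd))
    {
        msg(M_ERR, "Set FD_CLOEXEC flag on file descriptor failed");
    }
}
--------------------------------------------------------------------------------
/src/openvpn/fdmisc.h:
--------------------------------------------------------------------------------
/*
 * OpenVPN -- An application to securely tunnel IP networks
 * over a single UDP port, with support for SSL/TLS-based
 * session authentication and key exchange,
 * packet encryption, packet authentication, and
 * packet compression.
 *
 * Copyright (C) 2002-2023 OpenVPN Inc
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.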
22 | */ 23 | 24 | #ifndef FD_MISC_H 25 | #define FD_MISC_H 26 | 27 | #include "basic.h" 28 | #include "error.h" 29 | #include "syshead.h" 30 | 31 | bool set_nonblock_action(socket_descriptor_t fd); 32 | 33 | bool set_cloexec_action(socket_descriptor_t fd); 34 | 35 | void set_nonblock(socket_descriptor_t fd); 36 | 37 | void set_cloexec(socket_descriptor_t fd); 38 | /* Bounds-checked wrapper around FD_SET(): adds fd to *setp. On non-Windows builds it first asserts 0 <= fd < FD_SETSIZE, since FD_SET() on a descriptor outside that range would write outside the fd_set. */ 39 | static inline void 40 | openvpn_fd_set(socket_descriptor_t fd, fd_set *setp) 41 | { 42 | #ifndef _WIN32 /* The Windows FD_SET() implementation does not overflow, so the range check is only needed elsewhere */ 43 | ASSERT(fd >= 0 && fd < FD_SETSIZE); 44 | #endif 45 | FD_SET(fd, setp); 46 | } 47 | #undef FD_SET /* prevent direct use of FD_SET(): code that includes this header has to call openvpn_fd_set() and so gets the range check */ 48 | 49 | #endif /* FD_MISC_H */ 50 | -------------------------------------------------------------------------------- /src/openvpn/helper.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2023 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
22 | */ 23 | 24 | /* 25 | * Process helper directives such as server, client, and keepalive. 26 | */ 27 | 28 | #ifndef HELPER_H 29 | #define HELPER_H 30 | 31 | #include "options.h" 32 | 33 | void helper_keepalive(struct options *o); 34 | 35 | void helper_client_server(struct options *o); 36 | 37 | void helper_tcp_nodelay(struct options *o); 38 | 39 | #endif 40 | -------------------------------------------------------------------------------- /src/openvpn/httpdigest.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2023 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
22 | */ 23 | 24 | #if PROXY_DIGEST_AUTH 25 | 26 | #define HASHLEN 16 27 | typedef unsigned char HASH[HASHLEN]; 28 | #define HASHHEXLEN 32 29 | typedef unsigned char HASHHEX[HASHHEXLEN+1]; 30 | #undef IN 31 | #undef OUT 32 | #define IN const 33 | #define OUT 34 | 35 | /* calculate H(A1) as per HTTP Digest spec */ 36 | void DigestCalcHA1( 37 | IN char *pszAlg, 38 | IN char *pszUserName, 39 | IN char *pszRealm, 40 | IN char *pszPassword, 41 | IN char *pszNonce, 42 | IN char *pszCNonce, 43 | OUT HASHHEX SessionKey 44 | ); 45 | 46 | /* calculate request-digest/response-digest as per HTTP Digest spec */ 47 | void DigestCalcResponse( 48 | IN HASHHEX HA1, /* H(A1) */ 49 | IN char *pszNonce, /* nonce from server */ 50 | IN char *pszNonceCount, /* 8 hex digits */ 51 | IN char *pszCNonce, /* client nonce */ 52 | IN char *pszQop, /* qop-value: "", "auth", "auth-int" */ 53 | IN char *pszMethod, /* method from the request */ 54 | IN char *pszDigestUri, /* requested URL */ 55 | IN HASHHEX HEntity, /* H(entity body) if qop="auth-int" */ 56 | OUT HASHHEX Response /* request-digest or response-digest */ 57 | ); 58 | 59 | #endif /* if PROXY_DIGEST_AUTH */ 60 | -------------------------------------------------------------------------------- /src/openvpn/interval.c: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2023 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 
13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 22 | */ 23 | 24 | #ifdef HAVE_CONFIG_H 25 | #include "config.h" 26 | #elif defined(_MSC_VER) 27 | #include "config-msvc.h" 28 | #endif 29 | 30 | #include "syshead.h" 31 | 32 | #include "interval.h" 33 | 34 | #include "memdbg.h" 35 | /* Zero *top with CLEAR() and then store the given refresh and horizon values in it. */ 36 | void 37 | interval_init(struct interval *top, int horizon, int refresh) 38 | { 39 | CLEAR(*top); 40 | top->refresh = refresh; 41 | top->horizon = horizon; 42 | } 43 | /* Check whether the timeout et has expired and optionally shorten the wait in *tv. Returns false at once when et is not defined. When event_timeout_remaining(et) is <= 0: with et_const_retry < 0 the timer is restarted (et->last = now), the next wakeup is et->n and true is returned; otherwise the next wakeup is et_const_retry and false is returned without restarting the timer. If tv is non-NULL and the wakeup is sooner than tv->tv_sec, tv is set to that many seconds and 0 microseconds. */ 44 | bool 45 | event_timeout_trigger(struct event_timeout *et, 46 | struct timeval *tv, 47 | const int et_const_retry) 48 | { 49 | if (!et->defined) 50 | { 51 | return false; 52 | } 53 | 54 | bool ret = false; 55 | time_t wakeup = event_timeout_remaining(et); 56 | 57 | if (wakeup <= 0) 58 | { 59 | #if INTERVAL_DEBUG 60 | dmsg(D_INTERVAL, "EVENT event_timeout_trigger (%d) etcr=%d", et->n, 61 | et_const_retry); 62 | #endif 63 | if (et_const_retry < 0) 64 | { 65 | et->last = now; 66 | wakeup = et->n; 67 | ret = true; 68 | } 69 | else 70 | { 71 | wakeup = et_const_retry; 72 | } 73 | } 74 | 75 | if (tv && wakeup < tv->tv_sec) 76 | { 77 | #if INTERVAL_DEBUG 78 | dmsg(D_INTERVAL, "EVENT event_timeout_wakeup (%d/%d) etcr=%d", 79 | (int) wakeup, et->n, et_const_retry); 80 | #endif 81 | tv->tv_sec = wakeup; 82 | tv->tv_usec = 0; 83 | } 84 | return ret; 85 | } 86 | -------------------------------------------------------------------------------- /src/openvpn/lladdr.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Support routine for
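configuring link layer address
 */

#ifdef HAVE_CONFIG_H
#include "config.h"
#elif defined(_MSC_VER)
#include "config-msvc.h"
#endif

#include "syshead.h"
#include "error.h"
#include "misc.h"
#include "run_command.h"
#include "lladdr.h"
#include "proto.h"

/**
 * Set the link layer (MAC) address of a network interface.
 *
 * On TARGET_LINUX the textual address is parsed with MAC_FMT and applied
 * through net_addr_ll_set(); on Solaris, OpenBSD, Darwin and FreeBSD the
 * command at IFCONFIG_PATH is run with the interface name and the address
 * as arguments.
 *
 * @param ctx     networking context, passed to net_addr_ll_set() (Linux only)
 * @param ifname  interface name; NULL is rejected
 * @param lladdr  link layer address as text; NULL is rejected
 * @param es      environment set handed to openvpn_execve_check()
 *
 * @return -1 if ifname or lladdr is NULL or the operating system is not
 *         supported.  Otherwise non-zero on success and 0 on failure; an
 *         address that cannot be parsed counts as a failure.
 */
int
set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr,
           const struct env_set *es)
{
    int r;

    if (!ifname || !lladdr)
    {
        return -1;
    }

#if defined(TARGET_LINUX)
    uint8_t addr[OPENVPN_ETH_ALEN];

    /* sscanf() returns the number of fields it converted.  Anything short
     * of a full address would leave part of addr[] uninitialised and hand
     * stack garbage to net_addr_ll_set(), so treat it as a failure.
     * NOTE(review): assumes MAC_FMT holds one conversion per address byte
     * (OPENVPN_ETH_ALEN of them) - confirm against its definition.
     * Trailing characters after the address are not detected here. */
    if (sscanf(lladdr, MAC_FMT, MAC_SCAN_ARG(addr)) == OPENVPN_ETH_ALEN)
    {
        r = (net_addr_ll_set(ctx, ifname, addr) == 0);
    }
    else
    {
        msg(M_WARN, "ERROR: Unable to parse link layer address '%s'", lladdr);
        r = 0;
    }
#else /* if defined(TARGET_LINUX) */
    /* The command is assembled as an argument vector, not as a shell
     * string.
     * NOTE(review): presumably each %s becomes exactly one argv entry, so
     * ifname and lladdr cannot add arguments - confirm in argv.c. */
    struct argv argv = argv_new();
#if defined(TARGET_SOLARIS)
    argv_printf(&argv,
                "%s %s ether %s",
                IFCONFIG_PATH,
                ifname, lladdr);
#elif defined(TARGET_OPENBSD)
    argv_printf(&argv,
                "%s %s lladdr %s",
                IFCONFIG_PATH,
                ifname, lladdr);
#elif defined(TARGET_DARWIN)
    argv_printf(&argv,
                "%s %s lladdr %s",
                IFCONFIG_PATH,
                ifname, lladdr);
#elif defined(TARGET_FREEBSD)
    argv_printf(&argv,
                "%s %s ether %s",
                IFCONFIG_PATH,
                ifname, lladdr);
#else /* if defined(TARGET_SOLARIS) */
    msg(M_WARN, "Sorry, but I don't know how to configure link layer addresses on this operating system.");
    /* release what argv_new() set up before leaving early */
    argv_free(&argv);
    return -1;
#endif /* if defined(TARGET_SOLARIS) */
    argv_msg(M_INFO, &argv);
    r = openvpn_execve_check(&argv, es, M_WARN, "ERROR: Unable to set link layer address.");
    argv_free(&argv);
#endif /* if defined(TARGET_LINUX) */

    if (r)
    {
        msg(M_INFO, "TUN/TAP link layer address set to %s", lladdr);
    }

    return r;
}
--------------------------------------------------------------------------------
/src/openvpn/lladdr.h:
--------------------------------------------------------------------------------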
/* 2 | * Support routine for configuring link layer address 3 | */ 4 | 5 | #include "misc.h" 6 | #include "networking.h" 7 | 8 | int set_lladdr(openvpn_net_ctx_t *ctx, const char *ifname, const char *lladdr, 9 | const struct env_set *es); 10 | -------------------------------------------------------------------------------- /src/openvpn/mss.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2023 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 22 | */ 23 | 24 | #ifndef MSS_H 25 | #define MSS_H 26 | 27 | #include "proto.h" 28 | #include "error.h" 29 | #include "mtu.h" 30 | #include "ssl_common.h" 31 | 32 | void mss_fixup_ipv4(struct buffer *buf, int maxmss); 33 | 34 | void mss_fixup_ipv6(struct buffer *buf, int maxmss); 35 | 36 | void mss_fixup_dowork(struct buffer *buf, uint16_t maxmss); 37 | 38 | /** Set the --mssfix option. 
*/ 39 | void frame_calculate_dynamic(struct frame *frame, struct key_type *kt, 40 | const struct options *options, 41 | struct link_socket_info *lsi); 42 | 43 | /** 44 | * Checks and adjusts the fragment and mssfix value according to the 45 | * discovered path mtu value 46 | * @param c context to adjust 47 | */ 48 | void frame_adjust_path_mtu(struct context *c); 49 | 50 | #endif /* ifndef MSS_H */ 51 | -------------------------------------------------------------------------------- /src/openvpn/mstats.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2023 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
22 | */ 23 | 24 | /* 25 | * Maintain usage stats in a memory-mapped file 26 | */ 27 | 28 | #if !defined(OPENVPN_MEMSTATS_H) && defined(ENABLE_MEMSTATS) 29 | #define OPENVPN_MEMSTATS_H 30 | 31 | #include "basic.h" 32 | 33 | /* this struct is mapped to the file */ 34 | struct mmap_stats { 35 | counter_type link_read_bytes; /* counter_type can be assumed to be a uint64_t */ 36 | counter_type link_write_bytes; 37 | int n_clients; 38 | 39 | #define MSTATS_UNDEF 0 40 | #define MSTATS_ACTIVE 1 41 | #define MSTATS_EXPIRED 2 42 | int state; 43 | }; 44 | 45 | extern volatile struct mmap_stats *mmap_stats; /* GLOBAL */ 46 | 47 | void mstats_open(const char *fn); 48 | 49 | void mstats_close(void); 50 | 51 | #endif /* if !defined(OPENVPN_MEMSTATS_H) && defined(ENABLE_MEMSTATS) */ 52 | -------------------------------------------------------------------------------- /src/openvpn/mtcp.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2023 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
22 | */ 23 | 24 | /* 25 | * TCP specific code for --mode server 26 | */ 27 | 28 | #ifndef MTCP_H 29 | #define MTCP_H 30 | 31 | #include "event.h" 32 | 33 | /* 34 | * Extra state info needed for TCP mode 35 | */ 36 | struct multi_tcp 37 | { 38 | struct event_set *es; 39 | struct event_set_return *esr; 40 | int n_esr; 41 | int maxevents; 42 | unsigned int tun_rwflags; 43 | #ifdef ENABLE_MANAGEMENT 44 | unsigned int management_persist_flags; 45 | #endif 46 | }; 47 | 48 | struct multi_instance; 49 | struct context; 50 | 51 | struct multi_tcp *multi_tcp_init(int maxevents, int *maxclients); 52 | 53 | void multi_tcp_free(struct multi_tcp *mtcp); 54 | 55 | void multi_tcp_dereference_instance(struct multi_tcp *mtcp, struct multi_instance *mi); 56 | 57 | bool multi_tcp_instance_specific_init(struct multi_context *m, struct multi_instance *mi); 58 | 59 | void multi_tcp_instance_specific_free(struct multi_instance *mi); 60 | 61 | void multi_tcp_link_out_deferred(struct multi_context *m, struct multi_instance *mi); 62 | 63 | 64 | /**************************************************************************/ 65 | /** 66 | * Main event loop for OpenVPN in TCP server mode. 67 | * @ingroup eventloop 68 | * 69 | * @param top - Top-level context structure. 70 | */ 71 | void tunnel_server_tcp(struct context *top); 72 | 73 | 74 | void multi_tcp_delete_event(struct multi_tcp *mtcp, event_t event); 75 | 76 | #endif /* ifndef MTCP_H */ 77 | -------------------------------------------------------------------------------- /src/openvpn/mudp.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 
7 | * 8 | * Copyright (C) 2002-2023 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 22 | */ 23 | 24 | /* 25 | * UDP specific code for --mode server 26 | */ 27 | 28 | #ifndef MUDP_H 29 | #define MUDP_H 30 | 31 | struct context; 32 | struct multi_context; 33 | 34 | 35 | /** 36 | * Main event loop for OpenVPN in UDP server mode. 37 | * @ingroup eventloop 38 | * 39 | * This function implements OpenVPN's main event loop for UDP server mode. 40 | * 41 | * @param top - Top-level context structure. 42 | */ 43 | void tunnel_server_udp(struct context *top); 44 | 45 | 46 | /**************************************************************************/ 47 | /** 48 | * Get, and if necessary create, the multi_instance associated with a 49 | * packet's source address. 50 | * @ingroup external_multiplexer 51 | * 52 | * This function extracts the source address of a recently read packet 53 | * from \c m->top.c2.from and uses that source address as a hash key for 54 | * the hash table \c m->hash. If an entry exists, this function returns 55 | * it. If no entry exists, this function handles its creation, and if 56 | * successful, returns the newly created instance. 57 | * 58 | * @param m - The single multi_context structure. 
59 | * 60 | * @return A pointer to a multi_instance if one already existed for the 61 | * packet's source address or if one was newly created successfully. 62 | * NULL if one did not yet exist and a new one was not created. 63 | */ 64 | struct multi_instance *multi_get_create_instance_udp(struct multi_context *m, bool *floated); 65 | 66 | #endif /* ifndef MUDP_H */ 67 | -------------------------------------------------------------------------------- /src/openvpn/networking_iproute2.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Generic interface to platform specific networking code 3 | * 4 | * Copyright (C) 2016-2023 Antonio Quartulli 5 | * 6 | * This program is free software; you can redistribute it and/or modify 7 | * it under the terms of the GNU General Public License version 2 8 | * as published by the Free Software Foundation. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details.
14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program (see the file COPYING included with this 17 | * distribution); if not, write to the Free Software Foundation, Inc., 18 | * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 | */ 20 | 21 | 22 | #ifndef NETWORKING_IP_H_ 23 | #define NETWORKING_IP_H_ 24 | 25 | #include "env_set.h" 26 | 27 | typedef char openvpn_net_iface_t; 28 | 29 | struct openvpn_net_ctx 30 | { 31 | struct env_set *es; 32 | struct gc_arena gc; 33 | }; 34 | 35 | typedef struct openvpn_net_ctx openvpn_net_ctx_t; 36 | 37 | #endif /* NETWORKING_IP_H_ */ 38 | -------------------------------------------------------------------------------- /src/openvpn/networking_sitnl.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Generic interface to platform specific networking code 3 | * 4 | * Copyright (C) 2016-2023 Antonio Quartulli 5 | * 6 | * This program is free software; you can redistribute it and/or modify 7 | * it under the terms of the GNU General Public License version 2 8 | * as published by the Free Software Foundation. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 
14 | * 15 | * You should have received a copy of the GNU General Public License 16 | * along with this program (see the file COPYING included with this 17 | * distribution); if not, write to the Free Software Foundation, Inc., 18 | * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 19 | */ 20 | 21 | 22 | #ifndef NETWORKING_SITNL_H_ 23 | #define NETWORKING_SITNL_H_ 24 | 25 | typedef char openvpn_net_iface_t; 26 | typedef void *openvpn_net_ctx_t; 27 | 28 | #endif /* NETWORKING_SITNL_H_ */ 29 | -------------------------------------------------------------------------------- /src/openvpn/ntlm.h: -------------------------------------------------------------------------------- 1 | #ifndef NTLM_H 2 | #define NTLM_H 3 | 4 | #if NTLM 5 | 6 | const char *ntlm_phase_1(const struct http_proxy_info *p, struct gc_arena *gc); 7 | 8 | const char *ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, struct gc_arena *gc); 9 | 10 | #endif 11 | 12 | #endif 13 | -------------------------------------------------------------------------------- /src/openvpn/openvpn.manifest: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 26 | 30 | 31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /src/openvpn/openvpn_win32_resources.rc: -------------------------------------------------------------------------------- 1 | #ifdef HAVE_CONFIG_H 2 | #include 3 | #else 4 | #include 5 | #endif 6 | #include 7 | 8 | #pragma code_page(65001) /* UTF8 */ 9 | 10 | 1 RT_MANIFEST "openvpn.manifest" 11 | 12 | LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL 13 | 14 | VS_VERSION_INFO VERSIONINFO 15 | FILEVERSION OPENVPN_VERSION_RESOURCE 16 | PRODUCTVERSION OPENVPN_VERSION_RESOURCE 17 | FILEFLAGSMASK 0x3fL 18 | #ifdef _DEBUG 19 | FILEFLAGS 0x1L 20 | #else 21 | FILEFLAGS 0x0L 22 | #endif 23 | FILEOS 0x40004L 24 | FILETYPE VFT_APP 25 | 
FILESUBTYPE 0x0L 26 | BEGIN 27 | BLOCK "StringFileInfo" 28 | BEGIN 29 | BLOCK "040904b0" 30 | BEGIN 31 | VALUE "CompanyName", "The OpenVPN Project" 32 | VALUE "FileDescription", "OpenVPN Daemon" 33 | VALUE "FileVersion", PACKAGE_VERSION ".0" 34 | VALUE "InternalName", "OpenVPN" 35 | VALUE "LegalCopyright", "Copyright © The OpenVPN Project" 36 | VALUE "OriginalFilename", "openvpn.exe" 37 | VALUE "ProductName", "OpenVPN" 38 | VALUE "ProductVersion", PACKAGE_VERSION ".0" 39 | END 40 | END 41 | BLOCK "VarFileInfo" 42 | BEGIN 43 | VALUE "Translation", 0x409, 1200 44 | END 45 | END 46 | -------------------------------------------------------------------------------- /src/openvpn/options_util.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2023 OpenVPN Inc 9 | * Copyright (C) 2010-2021 Fox Crypto B.V. 10 | * 11 | * This program is free software; you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License version 2 13 | * as published by the Free Software Foundation. 14 | * 15 | * This program is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU General Public License along 21 | * with this program; if not, write to the Free Software Foundation, Inc., 22 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
23 | */ 24 | 25 | #ifndef OPTIONS_UTIL_H_ 26 | #define OPTIONS_UTIL_H_ 27 | 28 | #include "options.h" 29 | 30 | const char * 31 | parse_auth_failed_temp(struct options *o, const char *reason); 32 | 33 | #endif 34 | -------------------------------------------------------------------------------- /src/openvpn/pkcs11.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2023 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
22 | */ 23 | 24 | #ifndef OPENVPN_PKCS11_H 25 | #define OPENVPN_PKCS11_H 26 | 27 | #if defined(ENABLE_PKCS11) 28 | 29 | #include "ssl_common.h" 30 | 31 | bool 32 | pkcs11_initialize( 33 | const bool fProtectedAuthentication, 34 | const int nPINCachePeriod 35 | ); 36 | 37 | void 38 | pkcs11_terminate(); 39 | 40 | bool 41 | pkcs11_addProvider( 42 | const char *const provider, 43 | const bool fProtectedAuthentication, 44 | const unsigned private_mode, 45 | const bool fCertIsPrivate 46 | ); 47 | 48 | int 49 | pkcs11_logout(); 50 | 51 | int 52 | pkcs11_management_id_count(); 53 | 54 | bool 55 | pkcs11_management_id_get( 56 | const int index, 57 | char **id, 58 | char **base64 59 | ); 60 | 61 | int 62 | tls_ctx_use_pkcs11( 63 | struct tls_root_ctx *const ssl_ctx, 64 | bool pkcs11_id_management, 65 | const char *const pkcs11_id 66 | ); 67 | 68 | void 69 | show_pkcs11_ids( 70 | const char *const provider, 71 | bool cert_private 72 | ); 73 | 74 | #endif /* ENABLE_PKCS11 */ 75 | 76 | #endif /* OPENVPN_PKCS11H_H */ 77 | -------------------------------------------------------------------------------- /src/openvpn/ps.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2023 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 
18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 22 | */ 23 | 24 | #ifndef PS_H 25 | #define PS_H 26 | 27 | #if PORT_SHARE 28 | 29 | #include "basic.h" 30 | #include "buffer.h" 31 | #include "ssl.h" 32 | 33 | typedef void (*post_fork_cleanup_func_t)(void *arg); 34 | 35 | struct port_share { 36 | /* Foreground's socket to background process */ 37 | socket_descriptor_t foreground_fd; 38 | 39 | /* Process ID of background process */ 40 | pid_t background_pid; 41 | }; 42 | 43 | extern struct port_share *port_share; 44 | 45 | struct port_share *port_share_open(const char *host, 46 | const char *port, 47 | const int max_initial_buf, 48 | const char *journal_dir); 49 | 50 | void port_share_close(struct port_share *ps); 51 | 52 | void port_share_abort(struct port_share *ps); 53 | 54 | bool is_openvpn_protocol(const struct buffer *buf); 55 | 56 | void port_share_redirect(struct port_share *ps, const struct buffer *head, socket_descriptor_t sd); 57 | 58 | #endif /* if PORT_SHARE */ 59 | #endif /* ifndef PS_H */ 60 | -------------------------------------------------------------------------------- /src/openvpn/pushlist.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2023 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 
13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 22 | */ 23 | 24 | #if !defined(PUSHLIST_H) 25 | #define PUSHLIST_H 26 | 27 | /* parameters to be pushed to peer */ 28 | 29 | struct push_entry { 30 | struct push_entry *next; 31 | bool enable; 32 | const char *option; 33 | }; 34 | 35 | struct push_list { 36 | struct push_entry *head; 37 | struct push_entry *tail; 38 | }; 39 | 40 | #endif /* if !defined(PUSHLIST_H) */ 41 | -------------------------------------------------------------------------------- /src/openvpn/session_id.c: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2023 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 
18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 22 | */ 23 | 24 | /* 25 | * Each session is identified by a random 8-byte session identifier. 26 | * 27 | * For efficiency, the session id is only transmitted over the control 28 | * channel (which only sees traffic occasionally when keys are being 29 | * negotiated). The data channel sees a smaller version of the session-id -- 30 | * it is called the key_id and is currently 2 bits long. 31 | */ 32 | 33 | #ifdef HAVE_CONFIG_H 34 | #include "config.h" 35 | #elif defined(_MSC_VER) 36 | #include "config-msvc.h" 37 | #endif 38 | 39 | #include "syshead.h" 40 | 41 | #include "error.h" 42 | #include "common.h" 43 | #include "crypto.h" 44 | #include "session_id.h" 45 | 46 | #include "memdbg.h" 47 | 48 | const struct session_id x_session_id_zero; 49 | /* Fill sid->id with SID_SIZE bytes from prng_bytes(). NOTE(review): prng_bytes() is defined outside this file; the header comment calls the session id random, so confirm that generator is cryptographically strong. */ 50 | void 51 | session_id_random(struct session_id *sid) 52 | { 53 | prng_bytes(sid->id, SID_SIZE); 54 | } 55 | /* Return the SID_SIZE bytes of sid->id formatted by format_hex(); presumably the string is allocated from gc -- confirm against format_hex(). */ 56 | const char * 57 | session_id_print(const struct session_id *sid, struct gc_arena *gc) 58 | { 59 | return format_hex(sid->id, SID_SIZE, 0, gc); 60 | } 61 | -------------------------------------------------------------------------------- /src/openvpn/ssl_openssl.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2023 OpenVPN Inc 9 | * Copyright (C) 2010-2021 Fox Crypto B.V.
10 | * 11 | * This program is free software; you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License version 2 13 | * as published by the Free Software Foundation. 14 | * 15 | * This program is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU General Public License along 21 | * with this program; if not, write to the Free Software Foundation, Inc., 22 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 23 | */ 24 | 25 | /** 26 | * @file Control Channel OpenSSL Backend 27 | */ 28 | 29 | #ifndef SSL_OPENSSL_H_ 30 | #define SSL_OPENSSL_H_ 31 | 32 | #include 33 | #include 34 | 35 | /** 36 | * Structure that wraps the TLS context. Contents differ depending on the 37 | * SSL library used. 38 | */ 39 | struct tls_root_ctx { 40 | SSL_CTX *ctx; 41 | time_t crl_last_mtime; 42 | off_t crl_last_size; 43 | }; 44 | 45 | struct key_state_ssl { 46 | SSL *ssl; /* SSL object -- new obj created for each new key */ 47 | BIO *ssl_bio; /* read/write plaintext from here */ 48 | BIO *ct_in; /* write ciphertext to here */ 49 | BIO *ct_out; /* read ciphertext from here */ 50 | }; 51 | 52 | /** 53 | * Allocate space in SSL objects in which to store a struct tls_session 54 | * pointer back to parent. 
55 | */ 56 | extern int mydata_index; /* GLOBAL */ 57 | /* Calls ERR_clear_error(), which empties the calling thread's OpenSSL error queue. */ 58 | static inline void 59 | tls_clear_error(void) 60 | { 61 | ERR_clear_error(); 62 | } 63 | 64 | #endif /* SSL_OPENSSL_H_ */ 65 | -------------------------------------------------------------------------------- /src/openvpn/vcpkg.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://raw.githubusercontent.com/microsoft/vcpkg/master/scripts/vcpkg.schema.json", 3 | "name": "openvpn", 4 | "version": "2.6", 5 | "dependencies": [ 6 | "openssl", 7 | "tap-windows6", 8 | "lzo", 9 | "lz4", 10 | "pkcs11-helper" 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /src/openvpn/vlan.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single TCP/UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2023 OpenVPN Technologies, Inc. 9 | * Copyright (C) 2010 Fabian Knittel 10 | * 11 | * This program is free software; you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License version 2 13 | * as published by the Free Software Foundation. 14 | * 15 | * This program is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU General Public License along 21 | * with this program; if not, write to the Free Software Foundation, Inc., 22 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 | */ 24 | 25 | #ifndef VLAN_H 26 | #define VLAN_H 27 | 28 | #include "buffer.h" 29 | #include "mroute.h" 30 | #include "openvpn.h" 31 | 32 | struct multi_context; 33 | struct multi_instance; 34 | 35 | int16_t 36 | vlan_decapsulate(const struct context *c, struct buffer *buf); 37 | 38 | bool 39 | vlan_is_tagged(const struct buffer *buf); 40 | 41 | void 42 | vlan_process_outgoing_tun(struct multi_context *m, struct multi_instance *mi); 43 | 44 | #endif /* VLAN_H */ 45 | -------------------------------------------------------------------------------- /src/openvpn/win32-util.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2002-2023 OpenVPN Inc 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
22 | */ 23 | 24 | #ifdef _WIN32 25 | #ifndef OPENVPN_WIN32_UTIL_H 26 | #define OPENVPN_WIN32_UTIL_H 27 | 28 | #include 29 | 30 | #include "mtu.h" 31 | #include "openvpn-msg.h" 32 | #include "argv.h" 33 | 34 | /* Convert a string from UTF-8 to UCS-2 */ 35 | WCHAR *wide_string(const char *utf8, struct gc_arena *gc); 36 | 37 | /* return true if filename is safe to be used on Windows */ 38 | bool win_safe_filename(const char *fn); 39 | 40 | #endif /* OPENVPN_WIN32_UTIL_H */ 41 | #endif /* ifdef _WIN32 */ 42 | -------------------------------------------------------------------------------- /src/openvpnmsica/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # openvpnmsica -- Custom Action DLL to provide OpenVPN-specific support to MSI packages 3 | # 4 | # Copyright (C) 2002-2023 OpenVPN Inc 5 | # Copyright (C) 2018-2023 Simon Rozman 6 | # 7 | # This program is free software; you can redistribute it and/or modify 8 | # it under the terms of the GNU General Public License version 2 9 | # as published by the Free Software Foundation. 10 | # 11 | # This program is distributed in the hope that it will be useful, 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | # GNU General Public License for more details. 15 | # 16 | # You should have received a copy of the GNU General Public License along 17 | # with this program; if not, write to the Free Software Foundation, Inc., 18 | # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
19 | # 20 | 21 | include $(top_srcdir)/build/ltrc.inc 22 | 23 | MAINTAINERCLEANFILES = $(srcdir)/Makefile.in 24 | 25 | EXTRA_DIST = \ 26 | openvpnmsica.vcxproj \ 27 | openvpnmsica.props \ 28 | openvpnmsica-Debug.props \ 29 | openvpnmsica-Release.props 30 | 31 | AM_CPPFLAGS = \ 32 | -I$(top_srcdir)/include -I$(top_srcdir)/src/compat 33 | 34 | AM_CFLAGS = \ 35 | $(TAP_CFLAGS) 36 | 37 | if WIN32 38 | lib_LTLIBRARIES = libopenvpnmsica.la 39 | libopenvpnmsica_la_CFLAGS = \ 40 | -municode -D_UNICODE \ 41 | -UNTDDI_VERSION -U_WIN32_WINNT \ 42 | -D_WIN32_WINNT=_WIN32_WINNT_VISTA \ 43 | -Wl,--kill-at 44 | libopenvpnmsica_la_LDFLAGS = -ladvapi32 -lole32 -lmsi -lsetupapi -liphlpapi -lshell32 -lshlwapi -lversion -lnewdev -no-undefined -avoid-version 45 | endif 46 | 47 | libopenvpnmsica_la_SOURCES = \ 48 | dllmain.c \ 49 | msiex.c msiex.h \ 50 | msica_arg.c msica_arg.h \ 51 | openvpnmsica.c openvpnmsica.h \ 52 | $(top_srcdir)/src/tapctl/basic.h \ 53 | $(top_srcdir)/src/tapctl/error.c $(top_srcdir)/src/tapctl/error.h \ 54 | $(top_srcdir)/src/tapctl/tap.c $(top_srcdir)/src/tapctl/tap.h \ 55 | openvpnmsica_resources.rc 56 | -------------------------------------------------------------------------------- /src/openvpnmsica/openvpnmsica-Debug.props: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | MultiThreadedDebug 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /src/openvpnmsica/openvpnmsica-Release.props: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | MultiThreaded 11 | Guard 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /src/openvpnmsica/openvpnmsica.props: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | lib$(ProjectName) 7 | 8 | 9 | 10 | 
_WIN32_WINNT=_WIN32_WINNT_VISTA;%(PreprocessorDefinitions) 11 | 12 | 13 | Windows 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /src/openvpnmsica/openvpnmsica_resources.rc: -------------------------------------------------------------------------------- 1 | /* 2 | * openvpnmsica -- Custom Action DLL to provide OpenVPN-specific support to MSI packages 3 | * 4 | * Copyright (C) 2018-2023 Simon Rozman 5 | * 6 | * This program is free software; you can redistribute it and/or modify 7 | * it under the terms of the GNU General Public License version 2 8 | * as published by the Free Software Foundation. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | * 15 | * You should have received a copy of the GNU General Public License along 16 | * with this program; if not, write to the Free Software Foundation, Inc., 17 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
18 | */ 19 | 20 | #ifdef HAVE_CONFIG_H 21 | #include 22 | #else 23 | #include 24 | #endif 25 | #include 26 | 27 | #pragma code_page(65001) /* UTF8 */ 28 | 29 | LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL 30 | 31 | VS_VERSION_INFO VERSIONINFO 32 | FILEVERSION OPENVPN_VERSION_RESOURCE 33 | PRODUCTVERSION OPENVPN_VERSION_RESOURCE 34 | FILEFLAGSMASK VS_FF_DEBUG | VS_FF_PRERELEASE | VS_FF_PATCHED | VS_FF_PRIVATEBUILD | VS_FF_SPECIALBUILD 35 | #ifdef _DEBUG 36 | FILEFLAGS VS_FF_DEBUG 37 | #else 38 | FILEFLAGS 0x0L 39 | #endif 40 | FILEOS VOS_NT_WINDOWS32 41 | FILETYPE VFT_DLL 42 | FILESUBTYPE 0x0L 43 | BEGIN 44 | BLOCK "StringFileInfo" 45 | BEGIN 46 | BLOCK "040904b0" 47 | BEGIN 48 | VALUE "CompanyName", "The OpenVPN Project" 49 | VALUE "FileDescription", "Custom Action DLL to provide OpenVPN-specific support to MSI packages" 50 | VALUE "FileVersion", PACKAGE_VERSION ".0" 51 | VALUE "InternalName", "OpenVPN" 52 | VALUE "LegalCopyright", "Copyright © The OpenVPN Project" 53 | VALUE "OriginalFilename", "libopenvpnmsica.dll" 54 | VALUE "ProductName", "OpenVPN" 55 | VALUE "ProductVersion", PACKAGE_VERSION ".0" 56 | END 57 | END 58 | BLOCK "VarFileInfo" 59 | BEGIN 60 | VALUE "Translation", 0x409, 1200 61 | END 62 | END 63 | -------------------------------------------------------------------------------- /src/openvpnserv/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 
7 | # 8 | # Copyright (C) 2002-2023 OpenVPN Inc 9 | # Copyright (C) 2006-2012 Alon Bar-Lev 10 | # 11 | 12 | include $(top_srcdir)/build/ltrc.inc 13 | 14 | MAINTAINERCLEANFILES = $(srcdir)/Makefile.in 15 | 16 | EXTRA_DIST = \ 17 | openvpnserv.vcxproj 18 | 19 | AM_CPPFLAGS = \ 20 | -I$(top_srcdir)/include -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat 21 | 22 | if WIN32 23 | sbin_PROGRAMS = openvpnserv 24 | openvpnserv_CFLAGS = \ 25 | -municode -D_UNICODE \ 26 | -UNTDDI_VERSION -U_WIN32_WINNT \ 27 | -D_WIN32_WINNT=_WIN32_WINNT_VISTA 28 | openvpnserv_LDADD = -ladvapi32 -luserenv -liphlpapi -lfwpuclnt -lrpcrt4 -lshlwapi -lnetapi32 -lws2_32 -lntdll 29 | endif 30 | 31 | openvpnserv_SOURCES = \ 32 | common.c \ 33 | interactive.c \ 34 | service.c service.h \ 35 | validate.c validate.h \ 36 | $(top_srcdir)/src/openvpn/block_dns.c $(top_srcdir)/src/openvpn/block_dns.h \ 37 | openvpnserv_resources.rc \ 38 | $(top_srcdir)/src/openvpn/ring_buffer.h 39 | -------------------------------------------------------------------------------- /src/openvpnserv/openvpnserv_resources.rc: -------------------------------------------------------------------------------- 1 | #ifdef HAVE_CONFIG_H 2 | #include 3 | #else 4 | #include 5 | #endif 6 | #include 7 | 8 | #pragma code_page(65001) /* UTF8 */ 9 | 10 | LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL 11 | 12 | VS_VERSION_INFO VERSIONINFO 13 | FILEVERSION OPENVPN_VERSION_RESOURCE 14 | PRODUCTVERSION OPENVPN_VERSION_RESOURCE 15 | FILEFLAGSMASK 0x3fL 16 | #ifdef _DEBUG 17 | FILEFLAGS 0x1L 18 | #else 19 | FILEFLAGS 0x0L 20 | #endif 21 | FILEOS 0x40004L 22 | FILETYPE VFT_APP 23 | FILESUBTYPE 0x0L 24 | BEGIN 25 | BLOCK "StringFileInfo" 26 | BEGIN 27 | BLOCK "040904b0" 28 | BEGIN 29 | VALUE "CompanyName", "The OpenVPN Project" 30 | VALUE "FileDescription", "OpenVPN Service" 31 | VALUE "FileVersion", PACKAGE_VERSION ".0" 32 | VALUE "InternalName", "OpenVPN" 33 | VALUE "LegalCopyright", "Copyright © The OpenVPN Project" 34 | VALUE "OriginalFilename", 
"openvpnserv.exe" 35 | VALUE "ProductName", "OpenVPN" 36 | VALUE "ProductVersion", PACKAGE_VERSION ".0" 37 | END 38 | END 39 | BLOCK "VarFileInfo" 40 | BEGIN 41 | VALUE "Translation", 0x409, 1200 42 | END 43 | END 44 | -------------------------------------------------------------------------------- /src/openvpnserv/validate.h: -------------------------------------------------------------------------------- 1 | 2 | /* 3 | * OpenVPN -- An application to securely tunnel IP networks 4 | * over a single TCP/UDP port, with support for SSL/TLS-based 5 | * session authentication and key exchange, 6 | * packet encryption, packet authentication, and 7 | * packet compression. 8 | * 9 | * Copyright (C) 2016-2023 Selva Nair 10 | * 11 | * This program is free software; you can redistribute it and/or modify 12 | * it under the terms of the GNU General Public License version 2 13 | * as published by the Free Software Foundation. 14 | * 15 | * This program is distributed in the hope that it will be useful, 16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 18 | * GNU General Public License for more details. 19 | * 20 | * You should have received a copy of the GNU General Public License along 21 | * with this program; if not, write to the Free Software Foundation, Inc., 22 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
23 | */ 24 | 25 | #ifndef VALIDATE_H 26 | #define VALIDATE_H 27 | 28 | #include "service.h" 29 | 30 | /* Groups whose members may use any option and any config location */ 31 | #define SYSTEM_ADMIN_GROUP TEXT("Administrators") 32 | #define OVPN_ADMIN_GROUP TEXT("OpenVPN Administrators") 33 | /* OVPN_ADMIN_GROUP is only the default name; it may be changed in the registry: HKLM\Software\OpenVPN\ovpn_admin_group. NOTE(review): that value names a group with unrestricted option access, so the key should stay writable by administrators only -- confirm. */ 34 | 35 | BOOL 36 | IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group); 37 | 38 | BOOL 39 | CheckOption(const WCHAR *workdir, int narg, WCHAR *argv[], const settings_t *s); 40 | /* Returns nonzero when o starts with "--". o is handed to wcsncmp() unchecked, so it must not be NULL. */ 41 | static inline BOOL 42 | IsOption(const WCHAR *o) 43 | { 44 | return (wcsncmp(o, L"--", 2) == 0); 45 | } 46 | 47 | #endif /* ifndef VALIDATE_H */ 48 | -------------------------------------------------------------------------------- /src/plugins/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 
7 | # 8 | # Copyright (C) 2002-2023 OpenVPN Inc 9 | # Copyright (C) 2006-2012 Alon Bar-Lev 10 | # 11 | 12 | MAINTAINERCLEANFILES = \ 13 | $(srcdir)/Makefile.in 14 | 15 | SUBDIRS = auth-pam down-root 16 | -------------------------------------------------------------------------------- /src/plugins/auth-pam/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN (TM) PAM Auth Plugin -- OpenVPN Plugin 3 | # 4 | # Copyright (C) 2012 Alon Bar-Lev 5 | # 6 | 7 | MAINTAINERCLEANFILES = \ 8 | $(srcdir)/Makefile.in 9 | 10 | AM_CFLAGS = \ 11 | -I$(top_srcdir)/include \ 12 | $(PLUGIN_AUTH_PAM_CFLAGS) \ 13 | $(OPTIONAL_CRYPTO_CFLAGS) 14 | 15 | if ENABLE_PLUGIN_AUTH_PAM 16 | plugin_LTLIBRARIES = openvpn-plugin-auth-pam.la 17 | dist_doc_DATA = README.auth-pam 18 | endif 19 | 20 | openvpn_plugin_auth_pam_la_SOURCES = \ 21 | utils.c \ 22 | auth-pam.c \ 23 | pamdl.c pamdl.h \ 24 | auth-pam.exports 25 | openvpn_plugin_auth_pam_la_LIBADD = \ 26 | $(PLUGIN_AUTH_PAM_LIBS) 27 | openvpn_plugin_auth_pam_la_LDFLAGS = $(AM_LDFLAGS) \ 28 | -export-symbols "$(srcdir)/auth-pam.exports" \ 29 | -module -shared -avoid-version -no-undefined 30 | -------------------------------------------------------------------------------- /src/plugins/auth-pam/auth-pam.exports: -------------------------------------------------------------------------------- 1 | openvpn_plugin_open_v3 2 | openvpn_plugin_func_v1 3 | openvpn_plugin_close_v1 4 | openvpn_plugin_abort_v1 5 | -------------------------------------------------------------------------------- /src/plugins/auth-pam/pamdl.h: -------------------------------------------------------------------------------- 1 | #ifdef USE_PAM_DLOPEN 2 | /* Dynamically load and unload the PAM library */ 3 | int dlopen_pam(const char *so); 4 | 5 | void dlclose_pam(void); 6 | 7 | #endif 8 | -------------------------------------------------------------------------------- /src/plugins/down-root/Makefile.am: 
-------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN (TM) Down Root Plugin -- OpenVPN Plugin 3 | # 4 | # Copyright (C) 2012 Alon Bar-Lev 5 | # 6 | 7 | MAINTAINERCLEANFILES = \ 8 | $(srcdir)/Makefile.in 9 | 10 | AM_CFLAGS = \ 11 | -I$(top_srcdir)/include \ 12 | $(OPTIONAL_CRYPTO_CFLAGS) 13 | 14 | if ENABLE_PLUGIN_DOWN_ROOT 15 | plugin_LTLIBRARIES = openvpn-plugin-down-root.la 16 | dist_doc_DATA = README.down-root 17 | endif 18 | 19 | openvpn_plugin_down_root_la_SOURCES = \ 20 | down-root.c \ 21 | down-root.exports 22 | openvpn_plugin_down_root_la_LDFLAGS = $(AM_LDFLAGS) \ 23 | -export-symbols "$(srcdir)/down-root.exports" \ 24 | -module -shared -avoid-version -no-undefined 25 | -------------------------------------------------------------------------------- /src/plugins/down-root/README.down-root: -------------------------------------------------------------------------------- 1 | down-root -- an OpenVPN Plugin Module 2 | 3 | SYNOPSIS 4 | 5 | The down-root module allows an OpenVPN configuration to 6 | call a down script with root privileges, even when privileges 7 | have been dropped using --user/--group/--chroot. 8 | 9 | This module uses a split privilege execution model which will 10 | fork() before OpenVPN drops root privileges, at the point where 11 | the --up script is usually called. The module will then remain 12 | in a wait state until it receives a message from OpenVPN via 13 | pipe to execute the down script. Thus, the down script will be 14 | run in the same execution environment as the up script. 15 | 16 | BUILD 17 | 18 | Build this module with the "make" command. The plugin 19 | module will be named openvpn-plugin-down-root.so 20 | 21 | USAGE 22 | 23 | To use this module, add to your OpenVPN config file: 24 | 25 | plugin openvpn-plugin-down-root.so "command ..." 26 | 27 | CAVEATS 28 | 29 | This module will only work on *nix systems, not Windows. Because the command runs with root privileges, the script and the directories leading to it should be writable only by root. 
30 | -------------------------------------------------------------------------------- /src/plugins/down-root/down-root.exports: -------------------------------------------------------------------------------- 1 | openvpn_plugin_open_v1 2 | openvpn_plugin_func_v1 3 | openvpn_plugin_close_v1 4 | openvpn_plugin_abort_v1 5 | -------------------------------------------------------------------------------- /src/tapctl/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # tapctl -- Utility to manipulate TUN/TAP interfaces on Windows 3 | # 4 | # Copyright (C) 2002-2023 OpenVPN Inc 5 | # Copyright (C) 2018-2023 Simon Rozman 6 | # 7 | # This program is free software; you can redistribute it and/or modify 8 | # it under the terms of the GNU General Public License version 2 9 | # as published by the Free Software Foundation. 10 | # 11 | # This program is distributed in the hope that it will be useful, 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | # GNU General Public License for more details. 15 | # 16 | # You should have received a copy of the GNU General Public License along 17 | # with this program; if not, write to the Free Software Foundation, Inc., 18 | # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
19 | # 20 | 21 | include $(top_srcdir)/build/ltrc.inc 22 | 23 | MAINTAINERCLEANFILES = $(srcdir)/Makefile.in 24 | 25 | EXTRA_DIST = \ 26 | tapctl.vcxproj \ 27 | tapctl.props \ 28 | tapctl.exe.manifest 29 | 30 | AM_CPPFLAGS = \ 31 | -I$(top_srcdir)/include -I$(top_srcdir)/src/compat 32 | 33 | AM_CFLAGS = \ 34 | $(TAP_CFLAGS) 35 | 36 | if WIN32 37 | sbin_PROGRAMS = tapctl 38 | tapctl_CFLAGS = \ 39 | -municode -D_UNICODE \ 40 | -UNTDDI_VERSION -U_WIN32_WINNT \ 41 | -D_WIN32_WINNT=_WIN32_WINNT_VISTA 42 | tapctl_LDADD = -ladvapi32 -lole32 -lsetupapi 43 | endif 44 | 45 | tapctl_SOURCES = \ 46 | basic.h \ 47 | error.c error.h \ 48 | main.c \ 49 | tap.c tap.h \ 50 | tapctl_resources.rc 51 | -------------------------------------------------------------------------------- /src/tapctl/basic.h: -------------------------------------------------------------------------------- 1 | /* 2 | * basic -- Basic macros 3 | * https://community.openvpn.net/openvpn/wiki/Tapctl 4 | * 5 | * Copyright (C) 2002-2023 OpenVPN Inc 6 | * Copyright (C) 2018-2023 Simon Rozman 7 | * 8 | * This program is free software; you can redistribute it and/or modify 9 | * it under the terms of the GNU General Public License version 2 10 | * as published by the Free Software Foundation. 11 | * 12 | * This program is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License along 18 | * with this program; if not, write to the Free Software Foundation, Inc., 19 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
20 | */ 21 | 22 | #ifndef BASIC_H 23 | #define BASIC_H 24 | 25 | #ifdef _UNICODE 26 | #define PRIsLPTSTR "ls" 27 | #define PRIsLPOLESTR "ls" 28 | #else 29 | #define PRIsLPTSTR "s" 30 | #define PRIsLPOLESTR "ls" 31 | #endif 32 | #define PRIXGUID "{%08lX-%04hX-%04hX-%02hhX%02hhX-%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX}" 33 | #define PRIGUID_PARAM(g) \ 34 | (g).Data1, (g).Data2, (g).Data3, (g).Data4[0], (g).Data4[1], (g).Data4[2], (g).Data4[3], (g).Data4[4], (g).Data4[5], (g).Data4[6], (g).Data4[7] 35 | #define PRIGUID_PARAM_REF(g) \ 36 | &(g).Data1, &(g).Data2, &(g).Data3, &(g).Data4[0], &(g).Data4[1], &(g).Data4[2], &(g).Data4[3], &(g).Data4[4], &(g).Data4[5], &(g).Data4[6], &(g).Data4[7] 37 | 38 | #define __L(q) L ## q 39 | #define _L(q) __L(q) 40 | 41 | #ifndef _In_ 42 | #define _In_ 43 | #endif 44 | #ifndef _In_opt_ 45 | #define _In_opt_ 46 | #endif 47 | #ifndef _In_z_ 48 | #define _In_z_ 49 | #endif 50 | #ifndef _Inout_ 51 | #define _Inout_ 52 | #endif 53 | #ifndef _Inout_opt_ 54 | #define _Inout_opt_ 55 | #endif 56 | #ifndef _Out_ 57 | #define _Out_ 58 | #endif 59 | #ifndef _Out_opt_ 60 | #define _Out_opt_ 61 | #endif 62 | #ifndef _Out_z_cap_ 63 | #define _Out_z_cap_(n) 64 | #endif 65 | 66 | #endif /* ifndef BASIC_H */ 67 | -------------------------------------------------------------------------------- /src/tapctl/error.c: -------------------------------------------------------------------------------- 1 | /* 2 | * error -- OpenVPN compatible error reporting API 3 | * https://community.openvpn.net/openvpn/wiki/Tapctl 4 | * 5 | * Copyright (C) 2002-2023 OpenVPN Inc 6 | * Copyright (C) 2018-2023 Simon Rozman 7 | * 8 | * This program is free software; you can redistribute it and/or modify 9 | * it under the terms of the GNU General Public License version 2 10 | * as published by the Free Software Foundation. 
11 | * 12 | * This program is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License along 18 | * with this program; if not, write to the Free Software Foundation, Inc., 19 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 20 | */ 21 | 22 | #include "error.h" 23 | 24 | 25 | /* Globals */ 26 | unsigned int x_debug_level; /* GLOBAL */ 27 | 28 | 29 | void 30 | x_msg(const unsigned int flags, const char *format, ...) 31 | { 32 | va_list arglist; 33 | va_start(arglist, format); 34 | x_msg_va(flags, format, arglist); 35 | va_end(arglist); 36 | } 37 | -------------------------------------------------------------------------------- /src/tapctl/tapctl.exe.manifest: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /src/tapctl/tapctl.props: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | false 7 | 8 | 9 | 10 | _CONSOLE;_WIN32_WINNT=_WIN32_WINNT_VISTA;%(PreprocessorDefinitions) 11 | ..\compat;$(TAP_WINDOWS_HOME)/include;%(AdditionalIncludeDirectories) 12 | 13 | 14 | Console 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /src/tapctl/tapctl_resources.rc: -------------------------------------------------------------------------------- 1 | /* 2 | * tapctl -- Utility to manipulate TUN/TAP adapters on Windows 3 | * 4 | * Copyright (C) 2018-2023 Simon Rozman 5 | * 6 | * This program is free software; you can redistribute it and/or modify 7 | * it under the terms of the GNU General Public License version 2 8 | * as published by the Free Software 
Foundation. 9 | * 10 | * This program is distributed in the hope that it will be useful, 11 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | * 15 | * You should have received a copy of the GNU General Public License along 16 | * with this program; if not, write to the Free Software Foundation, Inc., 17 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 18 | */ 19 | 20 | #ifdef HAVE_CONFIG_H 21 | #include 22 | #else 23 | #include 24 | #endif 25 | #include 26 | 27 | #pragma code_page(65001) /* UTF8 */ 28 | 29 | LANGUAGE LANG_NEUTRAL, SUBLANG_NEUTRAL 30 | 31 | VS_VERSION_INFO VERSIONINFO 32 | FILEVERSION OPENVPN_VERSION_RESOURCE 33 | PRODUCTVERSION OPENVPN_VERSION_RESOURCE 34 | FILEFLAGSMASK VS_FF_DEBUG | VS_FF_PRERELEASE | VS_FF_PATCHED | VS_FF_PRIVATEBUILD | VS_FF_SPECIALBUILD 35 | #ifdef _DEBUG 36 | FILEFLAGS VS_FF_DEBUG 37 | #else 38 | FILEFLAGS 0x0L 39 | #endif 40 | FILEOS VOS_NT_WINDOWS32 41 | FILETYPE VFT_APP 42 | FILESUBTYPE 0x0L 43 | BEGIN 44 | BLOCK "StringFileInfo" 45 | BEGIN 46 | BLOCK "040904b0" 47 | BEGIN 48 | VALUE "CompanyName", "The OpenVPN Project" 49 | VALUE "FileDescription", "Utility to manipulate TUN/TAP adapters on Windows" 50 | VALUE "FileVersion", PACKAGE_VERSION ".0" 51 | VALUE "InternalName", "OpenVPN" 52 | VALUE "LegalCopyright", "Copyright © The OpenVPN Project" 53 | VALUE "OriginalFilename", "tapctl.exe" 54 | VALUE "ProductName", "OpenVPN" 55 | VALUE "ProductVersion", PACKAGE_VERSION ".0" 56 | END 57 | END 58 | BLOCK "VarFileInfo" 59 | BEGIN 60 | VALUE "Translation", 0x409, 1200 61 | END 62 | END 63 | 64 | 1 RT_MANIFEST "tapctl.exe.manifest" 65 | -------------------------------------------------------------------------------- /tests/Makefile.am: -------------------------------------------------------------------------------- 1 | # 2 | # OpenVPN -- An application to securely tunnel IP 
networks 3 | # over a single UDP port, with support for SSL/TLS-based 4 | # session authentication and key exchange, 5 | # packet encryption, packet authentication, and 6 | # packet compression. 7 | # 8 | # Copyright (C) 2002-2023 OpenVPN Inc 9 | # Copyright (C) 2006-2012 Alon Bar-Lev 10 | # 11 | 12 | MAINTAINERCLEANFILES = \ 13 | $(srcdir)/Makefile.in 14 | 15 | SUBDIRS = unit_tests 16 | 17 | test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh 18 | if HAVE_SITNL 19 | test_scripts += t_net.sh 20 | endif 21 | 22 | TESTS_ENVIRONMENT = top_srcdir="$(top_srcdir)" 23 | TESTS = $(test_scripts) 24 | 25 | dist_noinst_SCRIPTS = \ 26 | $(test_scripts) \ 27 | t_cltsrv-down.sh \ 28 | update_t_client_ips.sh 29 | 30 | dist_noinst_DATA = \ 31 | t_client.rc-sample 32 | -------------------------------------------------------------------------------- /tests/t_cltsrv-down.sh: -------------------------------------------------------------------------------- 1 | #! /bin/sh 2 | echo "${role}:${signal}" >&3 3 | -------------------------------------------------------------------------------- /tests/unit_tests/Makefile.am: -------------------------------------------------------------------------------- 1 | AUTOMAKE_OPTIONS = foreign 2 | 3 | if ENABLE_UNITTESTS 4 | SUBDIRS = example_test openvpn plugins 5 | if OPENSSL_ENGINE 6 | SUBDIRS += engine-key 7 | endif 8 | endif 9 | -------------------------------------------------------------------------------- /tests/unit_tests/README.md: -------------------------------------------------------------------------------- 1 | Unit Tests 2 | =========== 3 | 4 | This directory contains unit tests for openvpn. New features/bugfixes should be written in a test-friendly way and come with corresponding tests. 5 | 6 | Run tests 7 | ---------- 8 | 9 | Tests are run by `make check`. A failed test stops test execution. To run all 10 | tests regardless of errors, call `make -k check`. 
11 | 12 | Add new tests to existing test suite 13 | ------------------------------------- 14 | 15 | Test suites are organized in directories. [example_test/](example_test/) is an example 16 | for a test suite with two test executables. Feel free to use it as a template for new tests. 17 | 18 | Test suites 19 | -------------------- 20 | 21 | Test suites live inside a subdirectory of `$ROOT/tests/unit_tests`, e.g. `$ROOT/tests/unit_tests/my_feature`. 22 | 23 | Test suites are configured by a `Makefile.am`. Tests are executed by testdrivers. One testsuite can contain more than one testdriver. 24 | 25 | ### Hints 26 | * Name suites & testdrivers in a way that the name of the driver says something about which component/feature is tested 27 | * Name the testdriver executable `*_testdriver`. This way it gets picked up by the default `.gitignore` 28 | * If this is not feasible: Add all output to a `.gitignore`
* Use descriptive test names: `coffee_brewing__with_no_beans__fails` vs. `test34` 29 | * Testing a configurable feature? Wrap test execution with a conditional (see [auth_pam](plugins/auth-pam/Makefile.am) for an example) 30 | * Add multiple test-drivers when one testdriver looks crowded with tests 31 | 32 | ### New Test Suites 33 | 1. Organize tests in folders for features. 34 | 2. Add the new test directory to `SUBDIRS` in `Makefile.am` 35 | 3. Edit `configure.ac` and add the new `Makefile` to `AC_CONFIG_FILES` 36 | 4. Run `./configure`, and *enable* the feature you'd like to test 37 | 5. Make sure that `make check` runs your tests 38 | 6. Check: Would a stranger be able to easily find your tests by looking at the test output? 39 | 7. Run `./configure`, and *disable* the feature you'd like to test 40 | 8. 
Make sure that `make check` does *not run* your tests 41 | -------------------------------------------------------------------------------- /tests/unit_tests/engine-key/Makefile.am: -------------------------------------------------------------------------------- 1 | AUTOMAKE_OPTIONS = foreign 2 | 3 | check_LTLIBRARIES = libtestengine.la 4 | conffiles = openssl.cnf 5 | EXTRA_DIST = \ 6 | openssl.cnf.in \ 7 | check_engine_keys.sh 8 | 9 | TESTS_ENVIRONMENT = srcdir="$(abs_srcdir)"; \ 10 | builddir="$(abs_builddir)"; \ 11 | top_builddir="$(top_builddir)"; \ 12 | top_srcdir="$(top_srcdir)"; \ 13 | export srcdir builddir top_builddir top_srcdir; 14 | 15 | TESTS = check_engine_keys.sh 16 | check_engine_keys.sh: $(conffiles) 17 | 18 | CLEANFILES = \ 19 | client.key \ 20 | passwd \ 21 | log.txt \ 22 | $(conffiles) 23 | 24 | openssl.cnf: $(srcdir)/openssl.cnf.in 25 | sed "s|ABSBUILDDIR|$(abs_builddir)|" < $(srcdir)/openssl.cnf.in > $@ 26 | 27 | libtestengine_la_SOURCES = libtestengine.c 28 | libtestengine_la_LDFLAGS = @TEST_LDFLAGS@ -rpath /lib -shrext .so 29 | libtestengine_la_CFLAGS = @TEST_CFLAGS@ -I$(openvpn_srcdir) -I$(compat_srcdir) 30 | -------------------------------------------------------------------------------- /tests/unit_tests/engine-key/check_engine_keys.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | OPENSSL_CONF="${builddir}/openssl.cnf" 4 | export OPENSSL_CONF 5 | # fixed test password, not a secret: it is written to ${pwdfile}, passed via --askpass, and the last check below expects it in log.txt 6 | password='AT3S4PASSWD' 7 | 8 | key="${builddir}/client.key" 9 | pwdfile="${builddir}/passwd" 10 | # NOTE(review): ${top_srcdir}, ${key} and $pwdfile are expanded unquoted below; a build path containing spaces would break these commands 11 | # create an engine key for us from the sample client key 12 | sed 's/PRIVATE KEY/TEST ENGINE KEY/' < ${top_srcdir}/sample/sample-keys/client.key > ${key} 13 | echo "$password" > $pwdfile 14 | # usage: loggrep REGEX -- only $1 is read; the file searched is always log.txt 15 | # our version of grep to output log.txt on failure in case it's an openssl 16 | # error mismatch and the grep expression needs updating 17 | loggrep() { 18 | egrep -q "$1" log.txt || { echo '---- begin log.txt ----'; cat log.txt; echo '--- end log.txt ---'; return 1; 
} 19 | } 20 | 21 | # note here we've induced a mismatch in the client key and the server 22 | # cert which openvpn should report and die. Check that it does. Note 23 | # also that this mismatch depends on openssl not openvpn, so it is 24 | # somewhat fragile 25 | ${top_builddir}/src/openvpn/openvpn --cd ${top_srcdir}/sample --config sample-config-files/loopback-server --engine testengine --key ${key} --askpass $pwdfile > log.txt 2>&1 26 | 27 | # first off check we died because of a key mismatch. If this doesn't 28 | # pass, suspect openssl of returning different messages and update the 29 | # test accordingly (the trailing log.txt argument is ignored by loggrep) 30 | loggrep '(x509 certificate routines:(X509_check_private_key)?:key values mismatch|func\(128\):reason\(116\))' log.txt || { echo "Key mismatch not detected"; exit 1; } 31 | 32 | # now look for the engine prints (these are under our control); the last one expects the test password in the log 33 | loggrep 'ENGINE: engine_init called' || { echo "Engine initialization not detected"; exit 1; } 34 | loggrep 'ENGINE: engine_load_key called' || { echo "Key was not loaded from engine"; exit 1; } 35 | loggrep "ENGINE: engine_load_key got password ${password}" || { echo "Key password was not retrieved by the engine"; exit 1; } 36 | exit 0 37 | -------------------------------------------------------------------------------- /tests/unit_tests/engine-key/openssl.cnf.in: -------------------------------------------------------------------------------- 1 | HOME = . 
2 | openssl_conf = openssl_init 3 | 4 | [req] 5 | [openssl_init] 6 | engines = engines_section 7 | 8 | [engines_section] 9 | testengine = testengine_section 10 | 11 | [testengine_section] 12 | dynamic_path = ABSBUILDDIR/.libs/libtestengine.so 13 | -------------------------------------------------------------------------------- /tests/unit_tests/example_test/Makefile.am: -------------------------------------------------------------------------------- 1 | AUTOMAKE_OPTIONS = foreign 2 | 3 | check_PROGRAMS = example_testdriver example2_testdriver 4 | 5 | TESTS = $(check_PROGRAMS) 6 | 7 | example_testdriver_CFLAGS = @TEST_CFLAGS@ 8 | example_testdriver_LDFLAGS = @TEST_LDFLAGS@ 9 | example_testdriver_SOURCES = test.c 10 | 11 | example2_testdriver_CFLAGS = @TEST_CFLAGS@ 12 | example2_testdriver_LDFLAGS = @TEST_LDFLAGS@ 13 | example2_testdriver_SOURCES = test2.c 14 | -------------------------------------------------------------------------------- /tests/unit_tests/example_test/README.md: -------------------------------------------------------------------------------- 1 | This test only checks that test compilation works. This example contains two test executables. 2 | 3 | These tests can be used as template for 'real' tests. 
4 | -------------------------------------------------------------------------------- /tests/unit_tests/example_test/test.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | /* Per-test fixture: allocates an int holding 42 and hands it to the test through *state. */ 9 | static int 10 | setup(void **state) 11 | { 12 | int *answer = malloc(sizeof(int)); 13 | /* NOTE(review): the malloc() result is written to below without a NULL check */ 14 | *answer = 42; 15 | *state = answer; 16 | 17 | return 0; 18 | } 19 | /* Frees the int that setup() stored in *state. */ 20 | static int 21 | teardown(void **state) 22 | { 23 | free(*state); 24 | 25 | return 0; 26 | } 27 | 28 | static void 29 | null_test_success(void **state) 30 | { 31 | (void) state; 32 | } 33 | /* Checks that the value stored by setup() arrives through *state. */ 34 | static void 35 | int_test_success(void **state) 36 | { 37 | int *answer = *state; 38 | assert_int_equal(*answer, 42); 39 | } 40 | 41 | __attribute__((unused)) 42 | static void 43 | failing_test(void **state) 44 | { 45 | /* This test fails on purpose; enable it in main() to confirm that make check reports the failure */ 46 | assert_int_equal(0, 42); 47 | } 48 | 49 | int 50 | main(void) 51 | { 52 | const struct CMUnitTest tests[] = { 53 | cmocka_unit_test(null_test_success), 54 | cmocka_unit_test_setup_teardown(int_test_success, setup, teardown), 55 | /* cmocka_unit_test(failing_test), */ 56 | }; 57 | 58 | return cmocka_run_group_tests_name("success_test", tests, NULL, NULL); 59 | } 60 | -------------------------------------------------------------------------------- /tests/unit_tests/example_test/test2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | 10 | static void 11 | test_true(void **state) 12 | { 13 | (void) state; 14 | } 15 | 16 | 17 | int 18 | main(void) 19 | { 20 | const struct CMUnitTest tests[] = { 21 | cmocka_unit_test(test_true), 22 | }; 23 | 24 | return cmocka_run_group_tests_name("success_test2", tests, NULL, NULL); 25 | } 26 | -------------------------------------------------------------------------------- 
/tests/unit_tests/openvpn/mock_get_random.c: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2017-2021 Fox Crypto B.V. 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
22 | */ 23 | 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | /* Test mock of get_random(): returns the next rand() value. */ 32 | unsigned long 33 | get_random(void) 34 | { 35 | /* rand() is predictable and not a cryptographic RNG, but it's C99 and this mock is only used for testing */ 36 | return rand(); 37 | } 38 | /* Test mock of prng_bytes(): stores one rand() value, truncated to uint8_t, in each of the len bytes of output. Not a substitute for a real PRNG. */ 39 | void 40 | prng_bytes(uint8_t *output, int len) 41 | { 42 | for (int i = 0; i < len; i++) 43 | { 44 | output[i] = rand(); 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /tests/unit_tests/openvpn/mock_msg.h: -------------------------------------------------------------------------------- 1 | /* 2 | * OpenVPN -- An application to securely tunnel IP networks 3 | * over a single UDP port, with support for SSL/TLS-based 4 | * session authentication and key exchange, 5 | * packet encryption, packet authentication, and 6 | * packet compression. 7 | * 8 | * Copyright (C) 2016-2021 Fox Crypto B.V. 9 | * 10 | * This program is free software; you can redistribute it and/or modify 11 | * it under the terms of the GNU General Public License version 2 12 | * as published by the Free Software Foundation. 13 | * 14 | * This program is distributed in the hope that it will be useful, 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | * GNU General Public License for more details. 18 | * 19 | * You should have received a copy of the GNU General Public License along 20 | * with this program; if not, write to the Free Software Foundation, Inc., 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 22 | */ 23 | 24 | #ifndef MOCK_MSG_H 25 | #define MOCK_MSG_H 26 | 27 | /** 28 | * Mock debug level defaults to 0, which gives clean(-ish) test reports. Call 29 | * this function from your test driver to increase debug output when you 30 | * need debug output. 
31 | */ 32 | void mock_set_debug_level(int level); 33 | 34 | #endif /* MOCK_MSG */ 35 | -------------------------------------------------------------------------------- /tests/unit_tests/plugins/Makefile.am: -------------------------------------------------------------------------------- 1 | AUTOMAKE_OPTIONS = foreign 2 | 3 | SUBDIRS = auth-pam 4 | -------------------------------------------------------------------------------- /tests/unit_tests/plugins/auth-pam/Makefile.am: -------------------------------------------------------------------------------- 1 | AUTOMAKE_OPTIONS = foreign 2 | 3 | if ENABLE_PLUGIN_AUTH_PAM 4 | check_PROGRAMS = auth_pam_testdriver 5 | TESTS = $(check_PROGRAMS) 6 | endif 7 | 8 | sut_sourcedir = $(top_srcdir)/src/plugins/auth-pam 9 | 10 | auth_pam_testdriver_SOURCES = test_search_and_replace.c $(sut_sourcedir)/utils.h $(sut_sourcedir)/utils.c 11 | auth_pam_testdriver_CFLAGS = @TEST_CFLAGS@ -I$(sut_sourcedir) 12 | auth_pam_testdriver_LDFLAGS = @TEST_LDFLAGS@ 13 | -------------------------------------------------------------------------------- /tests/unit_tests/plugins/auth-pam/test_search_and_replace.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | #include "utils.h" 10 | 11 | static void 12 | pass_any_null_param__returns_null() 13 | { 14 | 15 | char DUMMY[] = "DUMMY"; 16 | 17 | assert_null(searchandreplace(NULL, DUMMY, DUMMY)); 18 | assert_null(searchandreplace(DUMMY, NULL, DUMMY)); 19 | assert_null(searchandreplace(DUMMY, DUMMY, NULL)); 20 | } 21 | 22 | static void 23 | pass_any_empty_string__returns_null() 24 | { 25 | 26 | char DUMMY[] = "DUMMY"; 27 | char EMPTY[] = ""; 28 | 29 | assert_null(searchandreplace(EMPTY, DUMMY, DUMMY)); 30 | assert_null(searchandreplace(DUMMY, EMPTY, DUMMY)); 31 | assert_null(searchandreplace(DUMMY, DUMMY, EMPTY)); 32 | } 33 | 34 | static void 35 | 
replace_single_char__one_time__match_is_replaced() 36 | { 37 | char *replaced = searchandreplace("X", "X", "Y"); 38 | 39 | assert_non_null(replaced); 40 | assert_string_equal("Y", replaced); 41 | 42 | free(replaced); 43 | } 44 | /* Two single-character matches separated by other text are both replaced. */ 45 | static void 46 | replace_single_char__multiple_times__match_all_matches_are_replaced() 47 | { 48 | char *replaced = searchandreplace("XaX", "X", "Y"); 49 | 50 | assert_non_null(replaced); 51 | assert_string_equal("YaY", replaced); 52 | 53 | free(replaced); 54 | } 55 | /* Two occurrences of a two-character pattern are both replaced. */ 56 | static void 57 | replace_longer_text__multiple_times__match_all_matches_are_replaced() 58 | { 59 | char *replaced = searchandreplace("XXaXX", "XX", "YY"); 60 | 61 | assert_non_null(replaced); 62 | assert_string_equal("YYaYY", replaced); 63 | 64 | free(replaced); 65 | } 66 | /* With no match the result equals the input text. It is still passed to free(), so the function is presumably expected to return a fresh allocation rather than its argument; confirm against utils.c. */ 67 | static void 68 | pattern_not_found__returns_original() 69 | { 70 | char *replaced = searchandreplace("abc", "X", "Y"); 71 | 72 | assert_non_null(replaced); 73 | assert_string_equal("abc", replaced); 74 | 75 | free(replaced); 76 | } 77 | /* NOTE(review): every case above uses a replacement of the same length as the pattern; a case with a longer and a shorter replacement would also cover how the result buffer is sized. */ 78 | /* Registers the six cases above and runs them as the cmocka group "searchandreplace"; the group result is the exit status. */ 79 | int 80 | main(void) 81 | { 82 | const struct CMUnitTest tests[] = { 83 | cmocka_unit_test(pass_any_null_param__returns_null), 84 | cmocka_unit_test(pass_any_empty_string__returns_null), 85 | cmocka_unit_test(replace_single_char__one_time__match_is_replaced), 86 | cmocka_unit_test(replace_single_char__multiple_times__match_all_matches_are_replaced), 87 | cmocka_unit_test(replace_longer_text__multiple_times__match_all_matches_are_replaced), 88 | cmocka_unit_test(pattern_not_found__returns_original), 89 | }; 90 | 91 | return cmocka_run_group_tests_name("searchandreplace", tests, NULL, NULL); 92 | } 93 | -------------------------------------------------------------------------------- /tests/update_t_client_ips.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # This --up script caches the IPs handed out by the test VPN server to a file 4 | # for later use.
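5 | # Appends EXPECT_IFCONFIG4_/EXPECT_IFCONFIG6_ entries for $TESTNUM to $RC unless a matching line is already there. Expansions are quoted so a build directory containing whitespace does not split the grep arguments or the redirect target. NOTE(review): $ifconfig_local and $ifconfig_ipv6_local are appended unescaped; if the rc file is later sourced by a shell (consumer not visible here), treat them as untrusted, server-supplied input. 6 | RC="$TOP_BUILDDIR/t_client_ips.rc" 7 | 8 | grep "EXPECT_IFCONFIG4_$TESTNUM=" "$RC" > /dev/null 2>&1 9 | if [ $? -ne 0 ]; then 10 | echo "EXPECT_IFCONFIG4_$TESTNUM=$ifconfig_local" >> "$RC" 11 | fi 12 | 13 | grep "EXPECT_IFCONFIG6_$TESTNUM=" "$RC" > /dev/null 2>&1 14 | if [ $? -ne 0 ]; then 15 | echo "EXPECT_IFCONFIG6_$TESTNUM=$ifconfig_ipv6_local" >> "$RC" 16 | fi 17 | -------------------------------------------------------------------------------- /version.m4: -------------------------------------------------------------------------------- 1 | dnl define the OpenVPN version 2 | define([PRODUCT_NAME], [OpenVPN]) 3 | define([PRODUCT_TARNAME], [openvpn]) 4 | define([PRODUCT_VERSION_MAJOR], [2]) 5 | define([PRODUCT_VERSION_MINOR], [7]) 6 | define([PRODUCT_VERSION_PATCH], [_git]) 7 | m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) 8 | m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) 9 | m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) 10 | define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net]) 11 | define([PRODUCT_VERSION_RESOURCE], [2,7,0,0]) 12 | dnl define the TAP version 13 | define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901]) 14 | define([PRODUCT_TAP_WIN_MIN_MAJOR], [9]) 15 | define([PRODUCT_TAP_WIN_MIN_MINOR], [9]) 16 | -------------------------------------------------------------------------------- /version.sh.in: -------------------------------------------------------------------------------- 1 | OPENVPN_PACKAGE_NAME="@PACKAGE_NAME@" 2 | OPENVPN_PACKAGE_TARNAME="@PACKAGE_TARNAME@" 3 | OPENVPN_PACKAGE_VERSION="@PACKAGE_VERSION@" 4 | OPENVPN_PACKAGE_HOST="@host@" 5 | --------------------------------------------------------------------------------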