Script 'mail_helper' called by obssrc

Hello community,

here is the log from the commit of package eduvpn-client for openSUSE:Factory checked in at 2025-05-26 18:33:54

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/eduvpn-client (Old)
 and      /work/SRC/openSUSE:Factory/.eduvpn-client.new.2732 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "eduvpn-client" Mon May 26 18:33:54 2025 rev:2 rq:1279513 version:4.5.1 Changes: -------- --- /work/SRC/openSUSE:Factory/eduvpn-client/eduvpn-client.changes 2025-05-22 16:55:31.298493222 +0200 +++ /work/SRC/openSUSE:Factory/.eduvpn-client.new.2732/eduvpn-client.changes 2025-05-26 18:35:38.099669045 +0200 @@ -1,0 +2,7 @@ +Fri May 23 06:21:59 UTC 2025 - René Neumaier <[email protected]> - 4.5.1 + +- Update to 4.5.1 + * WireGuard: Add support for PresharedKey + * WireGuard: Fix allow LAN handling with split tunnel Issue: #635 + +------------------------------------------------------------------- Old: ---- linux-app-4.5.0.tar.xz linux-app-4.5.0.tar.xz.asc New: ---- linux-app-4.5.1.tar.xz linux-app-4.5.1.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ eduvpn-client.spec ++++++ --- /var/tmp/diff_new_pack.LWpr7C/_old 2025-05-26 18:35:40.343763645 +0200 +++ /var/tmp/diff_new_pack.LWpr7C/_new 2025-05-26 18:35:40.359764319 +0200 @@ -19,7 +19,7 @@ %define skip_python2 1 %define vname linux-app Name: eduvpn-client -Version: 4.5.0 +Version: 4.5.1 Release: 0 Summary: The eduVPN desktop client (CLI and GUI front-end) License: GPL-3.0-or-later ++++++ linux-app-4.5.0.tar.xz -> linux-app-4.5.1.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/linux-app-4.5.0/CHANGES.md new/linux-app-4.5.1/CHANGES.md --- old/linux-app-4.5.0/CHANGES.md 2025-04-17 15:11:50.000000000 +0200 +++ new/linux-app-4.5.1/CHANGES.md 2025-05-20 13:32:30.000000000 +0200 
@@ -1,3 +1,13 @@ +# 4.5.1 (2025-05-20) +* Docs: + - Set IPv6_rpfilter loose as WG Ipv6 workaround + - Drop Fedora 40, add Fedora 42. Drop Linux Mint 20.x +* UI: + - Point to disco.eduvpn.org +* WireGuard: + - Add support for PresharedKey + - Fix allow LAN handling with split tunnel (#635) + # 4.5.0 (2025-04-16) * UI: - Fix usage of the version flag when re-opening the UI (#623) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/linux-app-4.5.0/doc/md/installation.md new/linux-app-4.5.1/doc/md/installation.md --- old/linux-app-4.5.0/doc/md/installation.md 2025-04-17 15:11:50.000000000 +0200 +++ new/linux-app-4.5.1/doc/md/installation.md 2025-05-20 13:32:30.000000000 +0200 @@ -87,24 +87,13 @@ $ sudo apt install eduvpn-client ``` -### Ubuntu 24.10 +### Ubuntu 25.04 ``` console $ sudo apt update $ sudo apt install apt-transport-https wget $ wget -O- https://app.eduvpn.org/linux/v4/deb/[email protected] | gpg --dearmor | sudo tee /usr/share/keyrings/eduvpn-v4.gpg >/dev/null -$ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/eduvpn-v4.gpg] https://app.eduvpn.org/linux/v4/deb/ oracular main" | sudo tee /etc/apt/sources.list.d/eduvpn-v4.list -$ sudo apt update -$ sudo apt install eduvpn-client -``` - -### Linux Mint 20.x - -``` console -$ sudo apt update -$ sudo apt install apt-transport-https wget -$ wget -O- https://app.eduvpn.org/linux/v4/deb/[email protected] | gpg --dearmor | sudo tee /usr/share/keyrings/eduvpn-v4.gpg >/dev/null -$ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/eduvpn-v4.gpg] https://app.eduvpn.org/linux/v4/deb/ focal main" | sudo tee /etc/apt/sources.list.d/eduvpn-v4.list +$ echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/eduvpn-v4.gpg] https://app.eduvpn.org/linux/v4/deb/ plucky main" | sudo tee /etc/apt/sources.list.d/eduvpn-v4.list $ sudo apt update $ sudo apt install eduvpn-client ``` 
@@ -131,7 +120,7 @@ $ sudo apt install eduvpn-client ``` -### Fedora (39, 40 & 41) +### Fedora (41 & 42) ``` console $ curl -O https://app.eduvpn.org/linux/v4/rpm/[email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/linux-app-4.5.0/doc/md/support.md new/linux-app-4.5.1/doc/md/support.md --- old/linux-app-4.5.0/doc/md/support.md 2025-04-17 15:11:50.000000000 +0200 +++ new/linux-app-4.5.1/doc/md/support.md 2025-05-20 13:32:30.000000000 +0200 @@ -29,10 +29,10 @@ ### Connecting to WireGuard VPN over IPv6 blocked by firewalld -Firewalld is a firewall that is used by default on e.g. Fedora. +Firewalld is a firewall that is used by default on e.g. Fedora (<42). There is an issue with IPv6 traffic and WireGuard, see: the upstream [GitHub issue](https://github.com/firewalld/firewalld/issues/1203) and the [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=2293925). -The workaround is to set `IPv6_rpfilter=no` in `/etc/firewalld/firewalld.conf` and restarting `firewalld.service` (`systemctl restart firewalld`) or rebooting. +The workaround is to set `IPv6_rpfilter=loose` in `/etc/firewalld/firewalld.conf` and restarting `firewalld.service` (`systemctl restart firewalld`) or rebooting. This is the default in Fedora 42. ### OpenVPN <= 2.5.7 and OpenSSL 3 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/linux-app-4.5.0/eduvpn/__init__.py new/linux-app-4.5.1/eduvpn/__init__.py --- old/linux-app-4.5.0/eduvpn/__init__.py 2025-04-17 15:11:50.000000000 +0200 +++ new/linux-app-4.5.1/eduvpn/__init__.py 2025-05-20 13:32:30.000000000 +0200 
@@ -1 +1 @@ -__version__ = "4.5.0" +__version__ = "4.5.1" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/linux-app-4.5.0/eduvpn/data/share/eduvpn/builder/mainwindow.ui new/linux-app-4.5.1/eduvpn/data/share/eduvpn/builder/mainwindow.ui --- old/linux-app-4.5.0/eduvpn/data/share/eduvpn/builder/mainwindow.ui 2025-04-17 15:11:50.000000000 +0200 +++ new/linux-app-4.5.1/eduvpn/data/share/eduvpn/builder/mainwindow.ui 2025-05-20 13:32:30.000000000 +0200 @@ -1483,7 +1483,7 @@ <property name="can-focus">True</property> <property name="halign">start</property> <property name="label" translatable="yes">You can contact your organization by going to the following page: -<a href="https://status.eduvpn.org/">eduVPN contact status page</a>.</property> +<a href="https://disco.eduvpn.org/">eduVPN discovery page</a>.</property> <property name="use-markup">True</property> </object> <packing> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/linux-app-4.5.0/eduvpn/nm.py new/linux-app-4.5.1/eduvpn/nm.py --- old/linux-app-4.5.0/eduvpn/nm.py 2025-04-17 15:11:50.000000000 +0200 +++ new/linux-app-4.5.1/eduvpn/nm.py 2025-05-20 13:32:30.000000000 +0200 @@ -5,7 +5,7 @@ import uuid from configparser import ConfigParser from contextlib import closing -from ipaddress import ip_address, ip_interface +from ipaddress import ip_address, ip_interface, ip_network from pathlib import Path from shutil import rmtree from socket import AF_INET, AF_INET6, IPPROTO_TCP, SOCK_DGRAM, socket 
@@ -457,6 +457,27 @@ _logger.debug("writing wireguard configuration to Network Manager") ipv4s = [] ipv6s = [] + lan_4 = [] + lan_6 = [] + # set LANs to whitelist + # we cannot just add a ip rule that takes everything from main table except the default route + # as we have Tunnelcrack/Tunnelvision attacks to worry about + # from RFC1918: https://datatracker.ietf.org/doc/html/rfc1918#section-3 + if allow_wg_lan: + lan_4 = [ + ip_network("10.0.0.0/8"), + ip_network("172.16.0.0/12"), + ip_network("192.168.0.0/16"), + ] + # from RFC4193 https://datatracker.ietf.org/doc/html/rfc4193#section-3.1 + lan_6 = [ip_network("fc00::/7")] + # we check if traffic to the VPN ip is in one of the LAN ranges + # if so, then we need to ensure that this traffic is going to the WG routing table + # We can't just add a routing rule that it is always going to the WG routing table + # as there could be public IPs here, and then we would get a routing loop + needs_exclude_v4 = [] + needs_exclude_v6 = [] + self.wg_gateway_ip = None for ip in config["Interface"]["Address"].split(","): addr = ip_interface(ip.strip()) @@ -467,8 +488,19 @@ raise RuntimeError("common lib not available") self.wg_gateway_ip = self.common_lib.calculate_gateway(net_str) ipv4s.append(NM.IPAddress(AF_INET, str(addr.ip), addr.network.prefixlen)) + + # if this VPN v4 IP is in one of the LAN v4 ranges + # we need to exclude this from the LAN v4 allow list + for lan in lan_4: + if addr in lan: + needs_exclude_v4.append((str(addr.ip), addr.network.prefixlen)) elif addr.version == 6: ipv6s.append(NM.IPAddress(AF_INET6, str(addr.ip), addr.network.prefixlen)) + # if this VPN v6 IP is in one of the LAN v6 ranges + # we need to exclude this from the LAN v6 allow list + for lan in lan_6: + if addr in lan: + needs_exclude_v6.append((str(addr.ip), addr.network.prefixlen)) dns4 = [] dns6 = [] 
@@ -504,6 +536,13 @@ wg_endpoint = config["Peer"]["Endpoint"] peer.set_endpoint(wg_endpoint, allow_invalid=False) + psk = config["Peer"].get("PresharedKey") + if psk: + peer.set_preshared_key(psk, accept_invalid=False) + # for some reason this needs to be set + # AGENT_OWNED doesn't work + peer.set_preshared_key_flags(NM.SettingSecretFlags.NONE) + peer.set_public_key(config["Peer"]["PublicKey"], accept_invalid=False) for ip in config["Peer"]["AllowedIPs"].split(","): peer.append_allowed_ip(ip.strip(), accept_invalid=False) @@ -576,17 +615,8 @@ # We want to make this configurable # Additionally, the overlap case with split tunnel doesn't work: https://codeberg.org/eduvpn/linux-app/issues/551 - # set LANs to whitelist - # we cannot just add a ip rule that takes everything from main table except the default route - # as we have Tunnelcrack/Tunnelvision attacks to worry about - # from RFC1918: https://datatracker.ietf.org/doc/html/rfc1918#section-3 - lan_4 = [("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16)] - # from RFC4193 https://datatracker.ietf.org/doc/html/rfc4193#section-3.1 - lan_6 = [("fc00::", 7)] - rules = [(4, AF_INET, s_ip4, 32, lan_4), (6, AF_INET6, s_ip6, 128, lan_6)] - # priority 1 not fwmark fwmarknum table fwmarknum - prios = self.get_priorities(proxy is not None, allow_wg_lan) + rules = [(4, AF_INET, s_ip4, 32, lan_4), (6, AF_INET6, s_ip6, 128, lan_6)] for ipver, family, setting, subnet, lans in rules: rule = NM.IPRoutingRule.new(family) rule.set_priority(prios[0]) 
@@ -613,17 +643,20 @@ # when LAN should be allowed, we have to add a higher priority suppress prefixlength rule if allow_wg_lan: - exclude_rule = NM.IPRoutingRule.new(family) - exclude_rule.set_priority(prios[3]) - exclude_rule.set_invert(True) - # fwmask 0xffffffff is the default - exclude_rule.set_fwmark(fwmark, 0xFFFFFFFF) - exclude_rule.set_table(fwmark) - exclude_rule.set_suppress_prefixlength(0) - setting.add_routing_rule(exclude_rule) - for ipr in lans: + # make sure that traffic to the VPN ip range doesn't match the LAN rules + exclude_ips = needs_exclude_v6 + if ipver == 4: + exclude_ips = needs_exclude_v4 + for ipaddr, subnet in exclude_ips: + exclude_rule = NM.IPRoutingRule.new(family) + exclude_rule.set_priority(prios[3]) + exclude_rule.set_to(ipaddr, subnet) + exclude_rule.set_table(fwmark) + exclude_rule.set_suppress_prefixlength(0) + setting.add_routing_rule(exclude_rule) + for lan in lans: lan_rule = NM.IPRoutingRule.new(family) - lan_rule.set_to(ipr[0], ipr[1]) + lan_rule.set_to(str(lan.network_address), lan.prefixlen) lan_rule.set_priority(prios[2]) lan_rule.set_suppress_prefixlength(0) setting.add_routing_rule(lan_rule) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/linux-app-4.5.0/install.sh new/linux-app-4.5.1/install.sh --- old/linux-app-4.5.0/install.sh 2025-04-17 15:11:50.000000000 +0200 +++ new/linux-app-4.5.1/install.sh 2025-05-20 13:32:30.000000000 +0200 
@@ -66,7 +66,7 @@ case $VERSION_CODENAME in # ubuntu versions - "focal" | "jammy" | "noble" | "oracular" | "bullseye" | "bookworm") + "focal" | "jammy" | "noble" | "plucky" | "bullseye" | "bookworm") install_deb "$VERSION_CODENAME" ;; # For linux mint we need to do some redirections to ubuntu codenames diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/linux-app-4.5.0/setup.cfg new/linux-app-4.5.1/setup.cfg --- old/linux-app-4.5.0/setup.cfg 2025-04-17 15:11:50.000000000 +0200 +++ new/linux-app-4.5.1/setup.cfg 2025-05-20 13:32:30.000000000 +0200 @@ -1,6 +1,6 @@ [metadata] name = eduvpn_client -version = 4.5.0 +version = 4.5.1 author = Jeroen Wijenbergh author_email = [email protected] description = eduVPN client for Linux diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/linux-app-4.5.0/upload_release.sh new/linux-app-4.5.1/upload_release.sh --- old/linux-app-4.5.0/upload_release.sh 2025-04-17 15:11:50.000000000 +0200 +++ new/linux-app-4.5.1/upload_release.sh 2025-05-20 13:32:30.000000000 +0200 @@ -33,6 +33,9 @@ CHANGES=$(printf "These releases are signed with \`keys/[email protected]\` and \`keys/minisign-CA9409316AC93C07.pub\`\nChangelog:\n%s" "${CHANGES_TRIM}") fi +# make sure newlines are converted correctly, otherwise Codeberg API gives an error +CHANGES=${CHANGES//$'\n'/\\n} + if ! command -v "curl" &>/dev/null; then echo "please install curl for contacting the Codeberg API" exit 1
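Review bot: In the doc/md/support.md hunk (@@ -29,10 +29,10 @@), the rewritten sentence keeps the grammatical slip of the old one: "The workaround is to set `IPv6_rpfilter=loose` ... and restarting `firewalld.service`" should read "and restart `firewalld.service`". Since the same hunk adds "This is the default in Fedora 42", it would also help to say that the manual edit is only needed on the Fedora (<42) releases named in the first changed line, so readers on 42 do not touch firewalld.conf for nothing.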
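Review bot: In the eduvpn/nm.py hunk @@ -467,8 +488,19 @@, the tuples appended to `needs_exclude_v4`/`needs_exclude_v6` store the host address (`str(addr.ip)`) together with the network prefix length (`addr.network.prefixlen`); the later `exclude_rule.set_to(ipaddr, subnet)` therefore receives a `to` prefix with host bits set. Use `str(addr.network.network_address)` instead so the routing rule is expressed as a proper prefix and reads the same way it will appear in `ip rule`. The two copies of the "if this VPN v4/v6 IP is in one of the LAN ranges" block could also be collapsed by choosing `lan_4`/`needs_exclude_v4` or `lan_6`/`needs_exclude_v6` once per `addr.version`.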
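Review bot: In the eduvpn/nm.py hunk @@ -504,6 +536,13 @@, the return value of `peer.set_preshared_key(psk, accept_invalid=False)` is not checked; with `accept_invalid=False` an invalid key is rejected and the peer is left without a PSK, so the connection would be written and then fail to handshake with no indication of why. Check the result and raise, as the surrounding code does for a missing common lib. The comment "for some reason this needs to be set / AGENT_OWNED doesn't work" should also state what `NM.SettingSecretFlags.NONE` implies in practice: NetworkManager persists the PSK itself in the system connection profile rather than asking an agent for it, which is the trade-off a packager or admin will want to know about.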
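Review bot: In the eduvpn/nm.py hunk @@ -576,17 +615,8 @@, the removed comment `# priority 1 not fwmark fwmarknum table fwmarknum` was the only in-place description of the rule layout, and the retained `rules = [(4, AF_INET, s_ip4, 32, lan_4), (6, AF_INET6, s_ip6, 128, lan_6)]` now relies on `lan_4`/`lan_6` being initialised roughly 150 lines earlier (empty unless `allow_wg_lan`). A short comment here saying what `prios[0]` to `prios[3]` stand for and that `lan_4`/`lan_6` come from the LAN whitelist set up at the top of the function would keep this readable without scrolling back.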
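Review bot: In the eduvpn/nm.py hunk @@ -613,17 +643,20 @@, the inner loop `for ipaddr, subnet in exclude_ips:` rebinds `subnet`, which is also the name bound by the enclosing `for ipver, family, setting, subnet, lans in rules:` (the 32/128 prefix length for the `s_ip4`/`s_ip6` rule). Any use of `subnet` later in the outer loop body would see the last VPN prefix length instead of 32/128; rename the inner variable (e.g. `exclude_prefixlen`) to rule that out. Also worth noting in the comment: unlike the removed inverted-fwmark rule, the new per-prefix rules only fire when a VPN address lies in an RFC1918/RFC4193 range, so with a publicly addressed VPN subnet no exclude rule is added at all, which is the intended behaviour but not obvious from the code.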
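Review bot: In the install.sh hunk @@ -66,7 +66,7 @@, "oracular" is dropped from the accepted codenames in line with the doc/md/installation.md hunk that replaces the Ubuntu 24.10 section with 25.04, but "focal" is kept even though the same docs hunk removes the only focal-based entry (Linux Mint 20.x, which was mapped to the `focal` suite). Either confirm the `focal` deb suite is still published at https://app.eduvpn.org/linux/v4/deb/ or drop "focal" here as well so the script does not point users at a repository that the docs no longer list.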
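Review bot: In the upload_release.sh hunk @@ -33,6 +33,9 @@, `CHANGES=${CHANGES//$'\n'/\\n}` escapes newlines for the JSON body but nothing else: a double quote or backslash in the changelog text (the line above already embeds backticks and a literal `keys/...` path) would still break the request with the same "Codeberg API gives an error" symptom. If curl is already a hard requirement, building the payload with a JSON-aware tool, for example `jq -n --arg body "$CHANGES" '{body: $body}'`, handles all escaping cases; otherwise at least escape `\` and `"` before the newline substitution.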
