[Openvpn-devel] [PATCH v4-master] Add Windows DNS Leak fix using WFP ('block-outside-dns')

2015-11-19 Thread ValdikSS

This option blocks all out-of-tunnel communication on TCP/UDP port 53 (except
for OpenVPN itself), preventing DNS Leaks on Windows 8.1 and 10.
---
 doc/openvpn.8   |  12 +++-
 src/openvpn/Makefile.am |   2 +-
 src/openvpn/init.c  |  22 ++
 src/openvpn/openvpn.vcxproj |   4 +-
 src/openvpn/options.c   |  14 
 src/openvpn/options.h   |   1 +
 src/openvpn/win32.c | 166 
 src/openvpn/win32.h |  56 +++
 8 files changed, 272 insertions(+), 5 deletions(-)
 mode change 100755 => 100644 src/openvpn/openvpn.vcxproj

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 2978b7f..dc7eea1 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -1129,8 +1129,8 @@ When used with
 .B \-\-client
 or
 .B \-\-pull,
-accept options pushed by server EXCEPT for routes and dhcp options
-like DNS servers.
+accept options pushed by server EXCEPT for routes, block-outside-dns and dhcp
+options like DNS servers.
  When used on the client, this option effectively bars the
 server from adding routes to the client's routing table,
@@ -5562,6 +5562,14 @@ adapter list to the syslog or log file after the TUN/TAP 
adapter
 has been brought up and any routes have been added.
 .\"*
 .TP
+.B \-\-block\-outside\-dns
+Block DNS servers on other network adapters to prevent
+DNS leaks. This option prevents any application from accessing
+TCP or UDP port 53 except one inside the tunnel. It uses +Windows Filtering 
Platform (WFP) and works on Windows Vista or
+later.
+.\"*
+.TP
 .B \-\-dhcp\-renew
 Ask Windows to renew the TAP adapter lease on startup.
 This option is normally unnecessary, as Windows automatically
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index c840f16..c55a520 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -127,5 +127,5 @@ openvpn_LDADD = \
$(OPTIONAL_DL_LIBS)
 if WIN32
 openvpn_SOURCES += openvpn_win32_resources.rc
-openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm
+openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm 
-lfwpuclnt -lrpcrt4
 endif
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index c5c0ab6..dfc1314 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1468,6 +1468,20 @@ do_open_tun (struct context *c)
   "up",
   c->c2.es);
 
+#if defined(WIN32)
+  if (c->options.block_outside_dns)
+  {
+  if (!win_wfp_init())
+msg (M_FATAL, "Initialising WFP failed!");
+else
+{
+dmsg (D_LOW, "Blocking outside DNS");
+if (!win_wfp_block_dns(c->c1.tuntap->adapter_index))
+msg (M_FATAL, "Blocking DNS failed!");
+}
+  }
+#endif
+
   /* possibly add routes */
   if ((route_order() == ROUTE_AFTER_TUN) && 
(!c->options.route_delay_defined))
do_route (>options, c->c1.route_list, c->c1.route_ipv6_list,
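Review bot: The `else` following `msg (M_FATAL, "Initialising WFP failed!")` is dead structure, since M_FATAL never returns; the `dmsg` and `win_wfp_block_dns` lines can sit unnested at the same level as the init check. More importantly, when `win_wfp_block_dns` fails the WFP engine session opened by `win_wfp_init` is left open before the fatal exit; if win_wfp_init (not visible in this hunk) opens a dynamic session the OS drops the filters at process exit, otherwise a `win_wfp_uninit();` immediately before `msg (M_FATAL, "Blocking DNS failed!")` keeps setup and teardown symmetric. Failing hard in both cases is the right choice for a leak-prevention option, because continuing would silently run without the filter; a comment such as `/* fail closed: a missing filter would silently leak DNS */` above the block would record that intent for the next maintainer. do_open_tun starts before this hunk.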
@@ -1596,6 +1610,14 @@ do_close_tun (struct context *c, bool force)
   "down",
   c->c2.es);
 
+#if defined(WIN32)
+if (c->options.block_outside_dns)
+{
+if (!win_wfp_uninit())
+msg (M_FATAL, "Uninitialising WFP failed!");
+}
+#endif
+
  /* actually close tun/tap device based on --down-pre flag */
  if (c->options.down_pre)
do_close_tun_simple (c);
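Review bot: `msg (M_FATAL, "Uninitialising WFP failed!")` inside do_close_tun aborts the rest of the shutdown: the `do_close_tun_simple (c)` call just below it, and whatever route and adapter cleanup follows outside this hunk, never runs, so a WFP teardown error also leaves the adapter open. Exiting does not improve the filter state, which is already whatever the failed uninit left behind, so `msg (M_WARN, "Uninitialising WFP failed!");` and falling through preserves the remaining teardown. The call is also gated on `c->options.block_outside_dns` rather than on whether the engine was actually opened in do_open_tun; if do_close_tun can be reached before that point, win_wfp_uninit would have to tolerate a never-opened session (its implementation is not in this hunk). do_close_tun begins before this hunk.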
diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj
old mode 100755
new mode 100644
index b117b0b..821c46c
--- a/src/openvpn/openvpn.vcxproj
+++ b/src/openvpn/openvpn.vcxproj
@@ -64,7 +64,7 @@
   
$(SOURCEBASE);%(AdditionalIncludeDirectories)
 
 
- 
libeay32.lib;ssleay32.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;%(AdditionalDependencies)
+ 
libeay32.lib;ssleay32.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;%(AdditionalDependencies)

   
$(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories)
   true
   Console
@@ -89,7 +89,7 @@
   
$(SOURCEBASE);%(AdditionalIncludeDirectories)
 
 
- 
libeay32.lib;ssleay32.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;%(AdditionalDependencies)
+ 
libeay32.lib;ssleay32.lib;lzo2.lib;pkcs11-helper.dll.lib;gdi32.lib;ws2_32.lib;wininet.lib;crypt32.lib;iphlpapi.lib;winmm.lib;Fwpuclnt.lib;Rpcrt4.lib;%(AdditionalDependencies)

   
$(OPENSSL_HOME)/lib;$(LZO_HOME)/lib;$(PKCS11H_HOME)/lib;%(AdditionalLibraryDirectories)
   true
   Console
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 901d710..9cd83a7 100644
--- a/src/openvpn/options.c
+++ 

[Openvpn-devel] [PATCH] Adjust server-ipv6 documentation

2015-11-19 Thread Christos Trochalakis

ifconfig-ipv6-pool starts at 0x1000 and not 0x1 since v2.3
c55e9562: Implement IPv6 interface config with non-/64 prefix lengths

Signed-off-by: Christos Trochalakis 
---

You were right about nopool, I assumed that it was about a server-ipv6
nopool option.

src/openvpn/helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index 339e2ae..62f88ec 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
@@ -167,7 +167,7 @@ helper_client_server (struct options *o)
   * push "tun-ipv6"
   * ifconfig-ipv6 2001:db8::1 2001:db8::2
   * if !nopool: 
-   *   ifconfig-ipv6-pool 2001:db8::1:0/64

+   *   ifconfig-ipv6-pool 2001:db8::1000/64
   * 
   */

   if ( o->server_ipv6_defined )
--
2.6.2