Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Antonio Quartulli
On 02/04/18 10:12, Marvin Adeff wrote:
> Even on the internet I can tell country, ISP etc. Very useful for security 
> ACLs etc. Unless I’m completely mistaken, I don’t believe this is easily done 
> in ipv6. 

mostly because at this very moment Tunnel Brokers are widely used and
they act as a "proxy", effectively covering the real location of the
client host.

Many websites just show you (client) as connecting from the country
where your Tunnel Broker is located.

When using native IPv6 this problem does not exist anymore.

Therefore, the proper way to get over this "limitation" (even though I
don't think it is a real problem, but this is of course my perspective) is
to speed up the transition and move everybody over native IPv6 (which is
something we can't achieve if we continue to be "afraid" of using IPv6
in our everyday life).

Cheers,

-- 
Antonio Quartulli



--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Marvin Adeff
Gert,

Without invalidating the reason for your frustration, I am breathing a sigh of 
relief.

As a complete aside, in some ways ipv4 is actually more useful to me in my 
work. In a private network I can tell where in the network the traffic is 
coming from. Even on the internet I can tell country, ISP etc. Very useful for 
security ACLs etc. Unless I’m completely mistaken, I don’t believe this is 
easily done in ipv6. 

BTW, a big thank-you to you and all the devs in the OpenVPN project!

Marvin

> On Apr 1, 2018, at 12:34 PM, Gert Doering  wrote:
> 
> Hi,
> 
>> On Sun, Apr 01, 2018 at 12:21:53PM -0700, Marvin Adeff wrote:
>> I had not considered the extra work and code required to maintain both 
>> versions. But I get it now. Here is the unfortunate position this puts us in:
> [..]
> 
> Well, that part of my e-mail was a bit of frustration speaking - I've
> been advocating IPv6 for over 20 years now, and while large parts of
> the access networks are offering IPv6 now, other parts are still being
> *built* with IPv4 only, or stubbornly stick to IPv4 only...  thus, double
> work everywhere, not only in OpenVPN, seemingly for a lifetime.
> 
>> So if OpenVPN lost ipv4 support anytime soon, we would be in a world of hurt.
> 
> As far as OpenVPN is concerned, I am not aware of any plans to remove 
> IPv4 support.
> 
> The extra code adds some maintenance and testing effort, but since this
> is all in place now (especially the test setups with "connect over IPv4
> or IPv6" and "send IPv4 and IPv6 packets through the test VPN") it would
> be more work to rip out IPv4 now... :-)
> 
> gert
> -- 
> "If was one thing all people took for granted, was conviction that if you 
> feed honest figures into a computer, honest figures come out. Never doubted 
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
> 
> Gert Doering - Munich, Germany g...@greenie.muc.de



Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Gert Doering
Hi,

On Sun, Apr 01, 2018 at 12:21:53PM -0700, Marvin Adeff wrote:
> I had not considered the extra work and code required to maintain both 
> versions. But I get it now. Here is the unfortunate position this puts us in:
[..]

Well, that part of my e-mail was a bit of frustration speaking - I've
been advocating IPv6 for over 20 years now, and while large parts of
the access networks are offering IPv6 now, other parts are still being
*built* with IPv4 only, or stubbornly stick to IPv4 only...  thus, double
work everywhere, not only in OpenVPN, seemingly for a lifetime.

> So if OpenVPN lost ipv4 support anytime soon, we would be in a world of hurt.

As far as OpenVPN is concerned, I am not aware of any plans to remove 
IPv4 support.

The extra code adds some maintenance and testing effort, but since this
is all in place now (especially the test setups with "connect over IPv4
or IPv6" and "send IPv4 and IPv6 packets through the test VPN") it would
be more work to rip out IPv4 now... :-)

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




[Openvpn-devel] [RFC 0/3] follow-up netlink support, systemd integration

2018-04-01 Thread Christian Hesse
This series is a follow-up to 'add netlink support for Linux' by Antonio
Quartulli. It enhances integration with systemd and improves system security
by running the openvpn process with a dedicated user.

Christian Hesse (3):
  systemd: run openvpn with dedicated user
  systemd: do not downgrade UID/GID
  systemd: create configuration directories from tmpfiles

 configure.ac  | 8 
 distro/systemd/Makefile.am| 4 
 distro/systemd/openvpn-cli...@.service.in | 4 +++-
 distro/systemd/openvpn-ser...@.service.in | 4 +++-
 distro/systemd/sysusers-openvpn.conf  | 1 +
 distro/systemd/tmpfiles-openvpn.conf  | 6 --
 src/openvpn/init.c| 8 
 7 files changed, 31 insertions(+), 4 deletions(-)



[Openvpn-devel] [RFC 2/3] systemd: do not downgrade UID/GID

2018-04-01 Thread Christian Hesse
From: Christian Hesse 

Now that systemd starts the process with a dedicated user we no longer
want to downgrade privileges. Also remove CAP_SETGID and CAP_SETUID
from granted privileges.

Signed-off-by: Christian Hesse 
---
 distro/systemd/openvpn-cli...@.service.in | 2 +-
 distro/systemd/openvpn-ser...@.service.in | 2 +-
 src/openvpn/init.c| 8 
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/distro/systemd/openvpn-cli...@.service.in 
b/distro/systemd/openvpn-cli...@.service.in
index a103d751..ee7957a6 100644
--- a/distro/systemd/openvpn-cli...@.service.in
+++ b/distro/systemd/openvpn-cli...@.service.in
@@ -13,7 +13,7 @@ User=openvpn
 Group=openvpn
 WorkingDirectory=/etc/openvpn/client
 ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
-AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID 
CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_CHROOT 
CAP_DAC_OVERRIDE
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
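Review bot: CAP_DAC_OVERRIDE is still on the AmbientCapabilities line after CAP_SETGID and CAP_SETUID are dropped, and it is the one remaining capability that lets the openvpn user read and write files regardless of their mode bits, which undercuts much of the benefit of running as a dedicated user. Either document in the commit message what still needs it (for example root-owned key material), or drop it too and rely on the ownership that patch 3/3 sets on the configuration directories.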
diff --git a/distro/systemd/openvpn-ser...@.service.in 
b/distro/systemd/openvpn-ser...@.service.in
index 7275e86a..03d28a2e 100644
--- a/distro/systemd/openvpn-ser...@.service.in
+++ b/distro/systemd/openvpn-ser...@.service.in
@@ -13,7 +13,7 @@ User=openvpn
 Group=openvpn
 WorkingDirectory=/etc/openvpn/server
 ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log 
--status-version 2 --suppress-timestamps --config %i.conf
-AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE 
CAP_NET_RAW CAP_SYS_CHROOT CAP_DAC_OVERRIDE
 LimitNPROC=10
 DeviceAllow=/dev/null rw
 DeviceAllow=/dev/net/tun rw
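Review bot: the server unit keeps the same list as the client unit plus CAP_NET_BIND_SERVICE; a short comment above AmbientCapabilities noting that CAP_NET_BIND_SERVICE is only needed when the server listens on a port below 1024 would let administrators running on 1194 remove it in a drop-in without guessing.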
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 36c1a4c4..0fc60d62 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1151,6 +1151,14 @@ do_uid_gid_chroot(struct context *c, bool no_delay)
 /* set user and/or group if we want to setuid/setgid */
 if (c0->uid_gid_specified)
 {
+#ifdef ENABLE_SYSTEMD
+if (sd_notify(0, "READY=0") > 0 && getuid() != 0)
+{
+msg(M_INFO, "NOTE: Running from systemd with non-root uid, 
skipping downgrade");
+return;
+}
+#endif
+
 if (no_delay)
 {
 platform_group_set(>platform_state_group);
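Review bot: `sd_notify(0, "READY=0") > 0` only tells you that a NOTIFY_SOCKET is present, i.e. that the unit is Type=notify; under any other unit type (or when started by hand) it returns 0, the new branch is skipped, and the old setuid/setgid path runs without the CAP_SETUID/CAP_SETGID that this same patch removes from the units, so the downgrade then fails instead of being skipped. Checking `getuid() != 0` on its own, or an explicit option, is a more reliable signal than probing the notification socket, and it avoids sending a spurious READY=0 state. The bare `return;` also leaves do_uid_gid_chroot entirely, so whatever the function does after the uid/gid block (the chroot step, going by its name) is skipped as well; jumping past only the setuid/setgid calls would be narrower.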



[Openvpn-devel] [RFC 3/3] systemd: create configuration directories from tmpfiles

2018-04-01 Thread Christian Hesse
From: Christian Hesse 

We have a dedicated user created by systemd-sysusers, so create
configuration directories from systemd-tmpfiles for proper permissions.
This mitigates a race condition at packaging/install time.

Signed-off-by: Christian Hesse 
---
 distro/systemd/tmpfiles-openvpn.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/distro/systemd/tmpfiles-openvpn.conf 
b/distro/systemd/tmpfiles-openvpn.conf
index 835dc1c8..0f96baa5 100644
--- a/distro/systemd/tmpfiles-openvpn.conf
+++ b/distro/systemd/tmpfiles-openvpn.conf
@@ -1,2 +1,4 @@
 d /run/openvpn-client 0750 openvpn openvpn -
 d /run/openvpn-server 0750 openvpn openvpn -
+d /etc/openvpn/client 0750 openvpn openvpn -
+d /etc/openvpn/server 0750 openvpn openvpn -
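Review bot: `d /etc/openvpn/client 0750 openvpn openvpn -` makes the service account the owner of its own configuration directory, so anything running as that user can rewrite the .conf it was started from; keeping the directories root-owned with group openvpn (`d /etc/openvpn/client 0750 root openvpn -`, same for server) still lets the units read them while preventing writes. It would also help to state in the commit message that tmpfiles.d entries under /etc are only applied when systemd-tmpfiles --create runs (boot or package post-install), which is the point at which the packaging race is actually closed.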



Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Marvin Adeff
Ok, I’ll only discard the irate part  ;-]

I had not considered the extra work and code required to maintain both 
versions. But I get it now. Here is the unfortunate position this puts us in:

We use OpenVPN for connection from 1000’s of devices located at customer 
facilities back to us. These devices/software have a lifespan of greater than 
10 years and most are extremely expensive (not easily replaced). So a large 
quantity are incapable of ipv6 (and frankly many customer facility networks are 
not fully functional with ipv6). Also some of the devices/software at our end 
that interface with those legacy customer devices are also not ipv6 capable. 

So if OpenVPN lost ipv4 support anytime soon, we would be in a world of hurt.  
There is much more detail about all this, but I wanted to keep this a short 
email. 

Thanks for listening. 

Marvin

> On Apr 1, 2018, at 11:39 AM, Gert Doering  wrote:
> 
> Hi,
> 
>> On Sun, Apr 01, 2018 at 11:19:57AM -0700, Marvin Adeff wrote:
>> Think of us poor mail list lurkers. Practically gave this one a heart 
>> attack!  Not having seen that private reply, I hope that means I can discard 
>> the long-ass (and quite irate) reply I was working on?
> 
> Please share!
> 
>> (Sent from an ipv4 address)
> 
> Whatever journey OpenVPN takes, the Internet as a whole will need to 
> either finish the move to IPv6, or give up and return to IPv4-only -
> running dual-stack is just too expensive in the long run.  Like, twice
> the amount of code needed for routing, address parsing, firewalling, ...
> 
> gert
> -- 
> "If was one thing all people took for granted, was conviction that if you 
> feed honest figures into a computer, honest figures come out. Never doubted 
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
> 
> Gert Doering - Munich, Germany g...@greenie.muc.de



Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Gert Doering
Hi,

On Sun, Apr 01, 2018 at 11:19:57AM -0700, Marvin Adeff wrote:
> Think of us poor mail list lurkers. Practically gave this one a heart attack! 
>  Not having seen that private reply, I hope that means I can discard the 
> long-ass (and quite irate) reply I was working on?

Please share!

> (Sent from an ipv4 address)

Whatever journey OpenVPN takes, the Internet as a whole will need to 
either finish the move to IPv6, or give up and return to IPv4-only -
running dual-stack is just too expensive in the long run.  Like, twice
the amount of code needed for routing, address parsing, firewalling, ...

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Marvin Adeff
Think of us poor mail list lurkers. Practically gave this one a heart attack!  
Not having seen that private reply, I hope that means I can discard the 
long-ass (and quite irate) reply I was working on?

Marvin
(Sent from an ipv4 address)

> On Apr 1, 2018, at 8:52 AM, Jonathan K. Bullard  wrote:
> 
> Hi,
> 
>> On Sun, Apr 1, 2018 at 11:34 AM, Gert Doering  wrote:
>> Hi,
>> 
>>> On Sun, Apr 01, 2018 at 10:19:37AM -0400, Selva Nair wrote:
>>>> On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering  wrote:
>>>> 
>>>>> As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
>>>>> be IPv6-only.  Removal of IPv4-related code and options will dramatically
>>>>> reduce code complexity, confusing options, bugs and user questions.
>> [..]
>>> 
>>> Nice try :)
>> 
>> Hah, caught in the act ;-)
>> 
>> (Apologies to Jonathan for scaring you about new user support issues...)
> 
> No apologies necessary! I fell for it completely and have no excuse. I
> probably laughed as hard as anyone else when I read your private reply
> that pointed out today's date.
> 
> Best regards,
> 
> Jon
> 



Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Jonathan K. Bullard
Hi,

On Sun, Apr 1, 2018 at 11:34 AM, Gert Doering  wrote:
> Hi,
>
> On Sun, Apr 01, 2018 at 10:19:37AM -0400, Selva Nair wrote:
>> On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering  wrote:
>>
>> > As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
>> > be IPv6-only.  Removal of IPv4-related code and options will dramatically
>> > reduce code complexity, confusing options, bugs and user questions.
> [..]
>>
>> Nice try :)
>
> Hah, caught in the act ;-)
>
> (Apologies to Jonathan for scaring you about new user support issues...)

No apologies necessary! I fell for it completely and have no excuse. I
probably laughed as hard as anyone else when I read your private reply
that pointed out today's date.

Best regards,

Jon



Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Gert Doering
Hi,

On Sun, Apr 01, 2018 at 10:19:37AM -0400, Selva Nair wrote:
> On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering  wrote:
> 
> > As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
> > be IPv6-only.  Removal of IPv4-related code and options will dramatically
> > reduce code complexity, confusing options, bugs and user questions.
[..]
> 
> Nice try :)

Hah, caught in the act ;-)

(Apologies to Jonathan for scaring you about new user support issues...)

Trac #208 is really about *enabling* IPv6-only mode (which does not work
today), but not about *mandating* IPv6-only / taking away IPv4.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Selva Nair
Hi,

On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering  wrote:

> As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
> be IPv6-only.  Removal of IPv4-related code and options will dramatically
> reduce code complexity, confusing options, bugs and user questions.
>
> Add deprecation warnings for IPv4-related config options to 2.4 branch,
> so users have enough time to move their setups to work on IPv6-only
> before 2.5 will be released.
>
> This affects:
>
>   --ifconfig
>   --route
>   --server
>   --proto udp4/tcp4
>   --ifconfig-pool
>
> More IPv4-related options will be identified and depreciated later.
>

Nice try :)

Selva


[Openvpn-devel] [RFC 2/4] introduce sitnl: Simplified Interface To NetLink

2018-04-01 Thread Antonio Quartulli
This patch introduces a tiny netlink interface, optimized
for the openvpn use case.

It basically exposes all those operations that are currently
handled by directly calling the /sbin/ip command (or even
ifconfig/route, if configured).

By using netlink, openvpn won't need to spawn new processes
when configuring the tun interface or routes.
This new approach will also allow openvpn to be granted
CAP_NET_ADMIN and be able to properly work even though it
dropped the root privileges (currently handled via workarounds).

By moving this logic into the sitnl module, tun.c and route.c
also benefit from some code simplification.

Signed-off-by: Antonio Quartulli 
---
 src/openvpn/Makefile.am |3 +
 src/openvpn/errlevel.h  |1 +
 src/openvpn/sitnl.c | 1195 +++
 src/openvpn/sitnl.h |  217 +
 4 files changed, 1416 insertions(+)
 create mode 100644 src/openvpn/sitnl.c
 create mode 100644 src/openvpn/sitnl.h

diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index eda08351..8bd25049 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -131,6 +131,9 @@ openvpn_LDADD = \
$(OPTIONAL_SELINUX_LIBS) \
$(OPTIONAL_SYSTEMD_LIBS) \
$(OPTIONAL_DL_LIBS)
+if LINUX
+openvpn_SOURCES += sitnl.c sitnl.h
+endif
 if WIN32
 openvpn_SOURCES += openvpn_win32_resources.rc block_dns.c block_dns.h
 openvpn_LDADD += -lgdi32 -lws2_32 -lwininet -lcrypt32 -liphlpapi -lwinmm 
-lfwpuclnt -lrpcrt4 -lncrypt
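Review bot: `openvpn_SOURCES += sitnl.c sitnl.h` is added only under `if LINUX`, but patches 3/4 and 4/4 add an unconditional `#include "sitnl.h"` to tun.c and route.c; either guard those includes with `#if defined(TARGET_LINUX)` or make sure the body of sitnl.h compiles away on non-Linux hosts, otherwise Windows, BSD and macOS builds pick up Linux-only declarations. Listing the header in a conditional SOURCES block is fine for `make dist`, since automake distributes sources from every branch of a conditional.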
diff --git a/src/openvpn/errlevel.h b/src/openvpn/errlevel.h
index 5ca4fa8f..3f2a0f1b 100644
--- a/src/openvpn/errlevel.h
+++ b/src/openvpn/errlevel.h
@@ -109,6 +109,7 @@
 
 #define D_LOG_RW LOGLEV(5, 0,  0)/* Print 'R' or 'W' to 
stdout for read/write */
 
+#define D_RTNL   LOGLEV(6, 68, M_DEBUG)  /* show RTNL low level 
operations */
 #define D_LINK_RWLOGLEV(6, 69, M_DEBUG)  /* show TCP/UDP 
reads/writes (terse) */
 #define D_TUN_RW LOGLEV(6, 69, M_DEBUG)  /* show TUN/TAP 
reads/writes */
 #define D_TAP_WIN_DEBUG  LOGLEV(6, 69, M_DEBUG)  /* show TAP-Windows 
driver debug info */
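Review bot: D_RTNL is given mute group 68 while the neighbouring read/write debug levels all use 69; if a separate mute counter for netlink operations is intended, say so in the trailing comment, otherwise use 69 for consistency with D_LINK_RW and D_TUN_RW.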
diff --git a/src/openvpn/sitnl.c b/src/openvpn/sitnl.c
new file mode 100644
index ..e9018093
--- /dev/null
+++ b/src/openvpn/sitnl.c
@@ -0,0 +1,1195 @@
+/*
+ *  Simplified Interface To NetLink
+ *
+ *  Copyright (C) 2016-2018 Antonio Quartulli 
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program (see the file COPYING included with this
+ *  distribution); if not, write to the Free Software Foundation, Inc.,
+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#elif defined(_MSC_VER)
+#include "config-msvc.h"
+#endif
+
+#include "syshead.h"
+
+#include "errlevel.h"
+#include "buffer.h"
+#include "sitnl.h"
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#define SNDBUF_SIZE (1024 * 2)
+#define RCVBUF_SIZE (1024 * 4)
+
+/**
+ * Generic address data structure used to pass addresses and prefixes as
+ * argument to AF family agnostic functions
+ */
+typedef union {
+in_addr_t ipv4;
+struct in6_addr ipv6;
+} inet_address_t;
+
+/**
+ * Link state request message
+ */
+struct sitnl_link_req {
+struct nlmsghdr n;
+struct ifinfomsg i;
+char buf[256];
+};
+
+/**
+ * Address request message
+ */
+struct sitnl_addr_req {
+struct nlmsghdr n;
+struct ifaddrmsg i;
+char buf[256];
+};
+
+/**
+ * Route request message
+ */
+struct sitnl_route_req {
+struct nlmsghdr n;
+struct rtmsg r;
+char buf[256];
+};
+
+typedef int (*sitnl_parse_reply_cb)(struct nlmsghdr *msg, void *arg);
+
+/**
+ * Object returned by route request operation
+ */
+struct sitnl_route_data_cb {
+unsigned int iface;
+inet_address_t gw;
+};
+
+#define NLMSG_TAIL(nmsg) \
+((struct rtattr *)(((uint8_t *)(nmsg)) + NLMSG_ALIGN((nmsg)->nlmsg_len)))
+
+#define SITNL_ADDATTR(_msg, _max_size, _attr, _data, _size) \
+{   \
+if (sitnl_addattr(_msg, _max_size, _attr, _data, _size) < 0)\
+{   \
+goto err;   \
+}   \
+}
+
+/**
+ * Helper function used to easily add attributes to a rtnl message
+ */
+static int
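Review bot: SITNL_ADDATTR hides a `goto err` inside a macro, so every function that uses it must define an `err:` label and the control flow is invisible at the call site; an explicit `if (sitnl_addattr(...) < 0) { goto err; }` at each use, or a helper that returns the error code, reads more safely. The fixed `char buf[256]` in the three request structs also means the max_size check inside sitnl_addattr is the only thing standing between a long attribute list and a buffer overflow, so that check should be against the full struct size and should be one of the first cases covered by the unit tests the cover letter asks for. The posted hunk is cut off at the start of the sitnl_addattr definition.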

[Openvpn-devel] [RFC 1/4] configure: add LINUX conditional variable

2018-04-01 Thread Antonio Quartulli
This variable is helpful when the configure script
has to take actions that are strictly limited to
the LINUX platform, as required by the introduction
of netlink support.

Signed-off-by: Antonio Quartulli 
---
 configure.ac | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/configure.ac b/configure.ac
index 626b4dd4..f2e4aa47 100644
--- a/configure.ac
+++ b/configure.ac
@@ -298,6 +298,7 @@ case "$host" in
*-*-linux*)
AC_DEFINE([TARGET_LINUX], [1], [Are we running on Linux?])
AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["L"], [Target prefix])
+   LINUX=yes
;;
*-*-solaris*)
AC_DEFINE([TARGET_SOLARIS], [1], [Are we running on Solaris?])
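Review bot: `LINUX=yes` is only ever assigned inside the `*-*-linux*` case, so an exported `LINUX` variable in the caller's environment would make the `AM_CONDITIONAL([LINUX], ...)` test in the second hunk true on any host; initialise `LINUX=no` before the `case "$host"` so the conditional depends solely on $host.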
@@ -1367,6 +1368,7 @@ AC_SUBST([OPTIONAL_PKCS11_HELPER_LIBS])
 AC_SUBST([PLUGIN_AUTH_PAM_CFLAGS])
 AC_SUBST([PLUGIN_AUTH_PAM_LIBS])
 
+AM_CONDITIONAL([LINUX], [test "${LINUX}" = "yes"])
 AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"])
 AM_CONDITIONAL([GIT_CHECKOUT], [test "${GIT_CHECKOUT}" = "yes"])
 AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = 
"yes"])
-- 
2.16.3




[Openvpn-devel] [RFC 4/4] route.c: use sitnl to handle route configuration on Linux

2018-04-01 Thread Antonio Quartulli
Signed-off-by: Antonio Quartulli 
---
 src/openvpn/route.c | 364 ++--
 1 file changed, 71 insertions(+), 293 deletions(-)

diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index 8990a986..4b398366 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -41,6 +41,7 @@
 #include "manage.h"
 #include "win32.h"
 #include "options.h"
+#include "sitnl.h"
 
 #include "memdbg.h"
 
@@ -1529,13 +1530,17 @@ add_route(struct route_ipv4 *r,
 {
 struct gc_arena gc;
 struct argv argv = argv_new();
+#if !defined(TARGET_LINUX)
 const char *network;
 #if !defined(ENABLE_IPROUTE) && !defined(TARGET_AIX)
 const char *netmask;
 #endif
 const char *gateway;
+#endif
+const char *iface;
 bool status = false;
 int is_local_route;
+int metric;
 
 if (!(r->flags & RT_DEFINED))
 {
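Review bot: `iface` and `metric` are declared outside any platform guard but are only assigned and used inside the `#if defined(TARGET_LINUX)` branch later in add_route, so every other platform now gets unused-variable warnings; move both declarations under `#if defined(TARGET_LINUX)` next to the newly guarded `network`/`gateway` ones.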
@@ -1544,11 +1549,13 @@ add_route(struct route_ipv4 *r,
 
 gc_init();
 
+#if !defined(TARGET_LINUX)
 network = print_in_addr_t(r->network, 0, );
 #if !defined(ENABLE_IPROUTE) && !defined(TARGET_AIX)
 netmask = print_in_addr_t(r->netmask, 0, );
 #endif
 gateway = print_in_addr_t(r->gateway, 0, );
+#endif
 
 is_local_route = local_route(r->network, r->netmask, r->gateway, rgi);
 if (is_local_route == LR_ERROR)
@@ -1557,47 +1564,26 @@ add_route(struct route_ipv4 *r,
 }
 
 #if defined(TARGET_LINUX)
-#ifdef ENABLE_IPROUTE
-argv_printf(, "%s route add %s/%d",
-iproute_path,
-network,
-netmask_to_netbits2(r->netmask));
-
-if (r->flags & RT_METRIC_DEFINED)
-{
-argv_printf_cat(, "metric %d", r->metric);
-}
-
+iface = NULL;
 if (is_on_link(is_local_route, flags, rgi))
 {
-argv_printf_cat(, "dev %s", rgi->iface);
+iface = rgi->iface;
 }
-else
-{
-argv_printf_cat(, "via %s", gateway);
-}
-#else  /* ifdef ENABLE_IPROUTE */
-argv_printf(, "%s add -net %s netmask %s",
-ROUTE_PATH,
-network,
-netmask);
+
+metric = -1;
 if (r->flags & RT_METRIC_DEFINED)
 {
-argv_printf_cat(, "metric %d", r->metric);
-}
-if (is_on_link(is_local_route, flags, rgi))
-{
-argv_printf_cat(, "dev %s", rgi->iface);
+metric = r->metric;
 }
-else
+
+status = true;
+if (sitnl_route_v4_add(>network, netmask_to_netbits2(r->netmask),
+   >gateway, iface, 0, metric) < 0)
 {
-argv_printf_cat(, "gw %s", gateway);
+msg(M_WARN, "ERROR: Linux route add command failed");
+status = false;
 }
 
-#endif  /*ENABLE_IPROUTE*/
-argv_msg(D_ROUTE, );
-status = openvpn_execve_check(, es, 0, "ERROR: Linux route add 
command failed");
-
 #elif defined (TARGET_ANDROID)
 char out[128];
 
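Review bot: `sitnl_route_v4_add(&r->network, ..., &r->gateway, iface, 0, metric)` passes the gateway even when `iface` is set for an on-link route, whereas the removed iproute path used `dev` or `via` but never both, and the IPv6 hunk below passes NULL when no gateway is needed; either make sitnl_route_v4_add ignore the gateway when iface is non-NULL and document that in sitnl.h, or pass NULL here for consistency. The warning text "Linux route add command failed" also still talks about a command although no process is executed any more.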
@@ -1853,7 +1839,7 @@ add_route_ipv6(struct route_ipv6 *r6, const struct tuntap 
*tt, unsigned int flag
 const char *gateway;
 bool status = false;
 const char *device = tt->actual_name;
-
+int metric;
 bool gateway_needed = false;
 
 if (!(r6->flags & RT_DEFINED) )
@@ -1918,38 +1904,20 @@ add_route_ipv6(struct route_ipv6 *r6, const struct 
tuntap *tt, unsigned int flag
 }
 
 #if defined(TARGET_LINUX)
-#ifdef ENABLE_IPROUTE
-argv_printf(, "%s -6 route add %s/%d dev %s",
-iproute_path,
-network,
-r6->netbits,
-device);
-if (gateway_needed)
-{
-argv_printf_cat(, "via %s", gateway);
-}
-if ( (r6->flags & RT_METRIC_DEFINED) && r6->metric > 0)
+metric = -1;
+if ((r6->flags & RT_METRIC_DEFINED) && (r6->metric > 0))
 {
-argv_printf_cat(, " metric %d", r6->metric);
+metric = r6->metric;
 }
 
-#else  /* ifdef ENABLE_IPROUTE */
-argv_printf(, "%s -A inet6 add %s/%d dev %s",
-ROUTE_PATH,
-network,
-r6->netbits,
-device);
-if (gateway_needed)
+status = true;
+if (sitnl_route_v6_add(>network, r6->netbits,
+   gateway_needed ? >gateway : NULL, device, 0,
+   metric) < 0)
 {
-argv_printf_cat(, "gw %s", gateway);
+msg(M_WARN, "ERROR: Linux IPv6 route can't be added");
+status = false;
 }
-if ( (r6->flags & RT_METRIC_DEFINED) && r6->metric > 0)
-{
-argv_printf_cat(, " metric %d", r6->metric);
-}
-#endif  /*ENABLE_IPROUTE*/
-argv_msg(D_ROUTE, );
-status = openvpn_execve_check(, es, 0, "ERROR: Linux route -6/-A 
inet6 add command failed");
 
 #elif defined (TARGET_ANDROID)
 char out[64];
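Review bot: `metric = -1` is used here and in the v4 hunk as the "no metric" sentinel handed to sitnl_route_v6_add/sitnl_route_v4_add, but nothing in the visible hunks documents that convention; state it on the prototypes in sitnl.h so a caller cannot pass a real value of -1 by accident. The `status = true; if (... < 0) { ...; status = false; }` sequence can also be collapsed to `status = (sitnl_route_v6_add(...) >= 0);` with the warning kept in the failure branch.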
@@ -2135,6 +2103,7 @@ delete_route(struct route_ipv4 *r,
 {
 struct gc_arena gc;
 struct argv argv = argv_new();
+#if !defined(TARGET_LINUX)
 const char *network;
 #if !defined(ENABLE_IPROUTE) && !defined(TARGET_AIX)
 const char *netmask;
@@ -2142,7 +2111,8 @@ 

[Openvpn-devel] [RFC 0/4] add netlink support for Linux

2018-04-01 Thread Antonio Quartulli
Hi all,

this patchset introduces native netlink support for the Linux platform.

At the moment openvpn operates on the tun interface and on the routing
table by directly invoking the "ip" command (or ifconfig/route if
nettools is selected at compile time).

With this patchset, openvpn would not need to fork new processes to
run the "ip" binary any longer, but would directly talk to the kernel
by means of the netlink interface.
This means simpler/cleaner code and, possibly, faster execution.

Another important advantage of this change is that the openvpn
process will be in charge of directly working with the kernel, thus
it can be granted special capabilities so that interfaces/routes
operations can be carried out even when running as non-root.

Christian Hesse is working on a follow-up patch to properly allow the
above.

This patchset also offers a first step towards a refactoring
of the tun.c and route.c code.


The idea moving forward is to drop nettools support once this patchset
is merged, but to retain support for ip and the --ifconfig/route-noexec
options.


Feedback of any type is of course welcome.


This patch is posted as RFC because, as agreed during the last
Hackathon, it will be considered for merging only when unit-tests
will also be available. On top of that, several aspects (like
allowing iproute2 to be still used) have to be properly implemented.


This code can also be found on GitHub (based on latest master) at:
https://github.com/ordex/openvpn/tree/sitnl


Regards,


Antonio Quartulli (4):
  configure: add LINUX conditional variable
  introduce sitnl: Simplified Interface To NetLink
  tun.c: use sitnl to handle tun configuration on Linux
  route.c: use sitnl to handle route configuration on Linux

 configure.ac|2 +
 src/openvpn/Makefile.am |3 +
 src/openvpn/errlevel.h  |1 +
 src/openvpn/route.c |  364 +++
 src/openvpn/sitnl.c | 1195 +++
 src/openvpn/sitnl.h |  217 +
 src/openvpn/tun.c   |  199 +++-
 7 files changed, 1547 insertions(+), 434 deletions(-)
 create mode 100644 src/openvpn/sitnl.c
 create mode 100644 src/openvpn/sitnl.h

-- 
2.16.3




[Openvpn-devel] [RFC 3/4] tun.c: use sitnl to handle tun configuration on Linux

2018-04-01 Thread Antonio Quartulli
Signed-off-by: Antonio Quartulli 
---
 src/openvpn/tun.c | 199 --
 1 file changed, 58 insertions(+), 141 deletions(-)

diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c
index 263cacdf..4e0b3f90 100644
--- a/src/openvpn/tun.c
+++ b/src/openvpn/tun.c
@@ -46,6 +46,7 @@
 #include "route.h"
 #include "win32.h"
 #include "block_dns.h"
+#include "sitnl.h"
 
 #include "memdbg.h"
 
@@ -883,10 +884,12 @@ do_ifconfig(struct tuntap *tt,
 if (tt->did_ifconfig_setup)
 {
 bool tun = false;
+#if !defined(TARGET_LINUX)
 const char *ifconfig_local = NULL;
 const char *ifconfig_remote_netmask = NULL;
 const char *ifconfig_broadcast = NULL;
 const char *ifconfig_ipv6_local = NULL;
+#endif
 bool do_ipv6 = false;
 struct argv argv = argv_new();
 
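Review bot: the `#if !defined(TARGET_LINUX)` guard around the four `ifconfig_*` string variables is the first of several small preprocessor islands in do_ifconfig() (this hunk and the two that follow), each fencing off a few lines of `print_in_addr_t()` / `print_in6_addr()` formatting inside a prologue that otherwise stays common, which makes the function hard to read. Since the Linux branch now passes `tt->local` and `tt->remote_netmask` to sitnl directly, consider moving the string formatting into the non-Linux branch (or a small helper) instead of scattering guards through the shared code. Also confirm that `struct argv argv = argv_new();` still has a user on Linux once the `argv_printf()` calls in the Linux branch are removed, otherwise guard it the same way.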
@@ -898,18 +901,23 @@ do_ifconfig(struct tuntap *tt,
  */
 tun = is_tun_p2p(tt);
 
+#if !defined(TARGET_LINUX)
 /*
  * Set ifconfig parameters
  */
 ifconfig_local = print_in_addr_t(tt->local, 0, );
 ifconfig_remote_netmask = print_in_addr_t(tt->remote_netmask, 0, );
+#endif
 
 if (tt->did_ifconfig_ipv6_setup)
 {
+#if !defined(TARGET_LINUX)
 ifconfig_ipv6_local = print_in6_addr(tt->local_ipv6, 0, );
+#endif
 do_ipv6 = true;
 }
 
+#if !defined(TARGET_LINUX)
 /*
  * If TAP-style device, generate broadcast address.
  */
@@ -917,6 +925,7 @@ do_ifconfig(struct tuntap *tt,
 {
 ifconfig_broadcast = print_in_addr_t(tt->broadcast, 0, );
 }
+#endif
 
 #ifdef ENABLE_MANAGEMENT
 if (management)
@@ -933,102 +942,43 @@ do_ifconfig(struct tuntap *tt,
 
 
 #if defined(TARGET_LINUX)
-#ifdef ENABLE_IPROUTE
-/*
- * Set the MTU for the device
- */
-argv_printf(,
-"%s link set dev %s up mtu %d",
-iproute_path,
-actual,
-tun_mtu
-);
-argv_msg(M_INFO, );
-openvpn_execve_check(, es, S_FATAL, "Linux ip link set failed");
-
-if (tun)
-{
-
-/*
- * Set the address for the device
- */
-argv_printf(,
-"%s addr add dev %s local %s peer %s",
-iproute_path,
-actual,
-ifconfig_local,
-ifconfig_remote_netmask
-);
-argv_msg(M_INFO, );
-openvpn_execve_check(, es, S_FATAL, "Linux ip addr add 
failed");
-}
-else
+if (sitnl_iface_mtu_set(actual, tun_mtu) < 0)
 {
-argv_printf(,
-"%s addr add dev %s %s/%d broadcast %s",
-iproute_path,
-actual,
-ifconfig_local,
-netmask_to_netbits2(tt->remote_netmask),
-ifconfig_broadcast
-);
-argv_msg(M_INFO, );
-openvpn_execve_check(, es, S_FATAL, "Linux ip addr add 
failed");
+msg(M_FATAL, "Linux can't set mtu (%d) on %s", tun_mtu, actual);
 }
-if (do_ipv6)
+
+if (sitnl_iface_up(actual, true) < 0)
 {
-argv_printf( ,
- "%s -6 addr add %s/%d dev %s",
- iproute_path,
- ifconfig_ipv6_local,
- tt->netbits_ipv6,
- actual
- );
-argv_msg(M_INFO, );
-openvpn_execve_check(, es, S_FATAL, "Linux ip -6 addr add 
failed");
+msg(M_FATAL, "Linux can't bring %s up", actual);
 }
-tt->did_ifconfig = true;
-#else  /* ifdef ENABLE_IPROUTE */
+
 if (tun)
 {
-argv_printf(,
-"%s %s %s pointopoint %s mtu %d",
-IFCONFIG_PATH,
-actual,
-ifconfig_local,
-ifconfig_remote_netmask,
-tun_mtu
-);
+if (sitnl_addr_ptp_v4_add(actual, >local,
+  >remote_netmask) < 0)
+{
+msg(M_FATAL, "Linux can't add IP to TUN interface %s", actual);
+}
 }
 else
 {
-argv_printf(,
-"%s %s %s netmask %s mtu %d broadcast %s",
-IFCONFIG_PATH,
-actual,
-ifconfig_local,
-ifconfig_remote_netmask,
-tun_mtu,
-ifconfig_broadcast
-);
+if (sitnl_addr_v4_add(actual, >local,
+
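Review bot: the new sitnl error paths discard the return code. `sitnl_iface_mtu_set()`, `sitnl_iface_up()`, `sitnl_addr_ptp_v4_add()` and `sitnl_addr_v4_add()` are all checked with `< 0`, but each `msg(M_FATAL, ...)` reports only the interface name (and the MTU), so the netlink error that caused the failure is lost; keep the result and log it, e.g. `int ret = sitnl_iface_mtu_set(actual, tun_mtu); if (ret < 0) { msg(M_FATAL, "Linux can't set MTU (%d) on %s: %d", tun_mtu, actual, ret); }`. The hunk also removes `tt->did_ifconfig = true;` from the Linux path without re-adding it in the visible part; make sure the flag is still set once the sitnl calls succeed, since the old iproute2 path relied on it. Minor: "mtu" in the message reads better as "MTU".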

Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Samuel Thibault
Hello,

Jonathan K. Bullard, on dim. 01 avril 2018 06:17:55 -0400, wrote:
> Either way, can anyone give an approximate release date for 2.5, so we
> can have a time frame for the change? (Even a "not before" date would
> be very helpful in evaluating the impact of these proposed changes.)

I guess it'll be "not before" tomorrow.

Samuel



Re: [Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Jonathan K. Bullard
Hi,

On Sun, Apr 1, 2018 at 2:30 AM, Gert Doering  wrote:
> As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
> be IPv6-only.  Removal of IPv4-related code and options will dramatically
> reduce code complexity, confusing options, bugs and user questions.
>
> Add deprecation warnings for IPv4-related config options to 2.4 branch,
> so users have enough time to move their setups to work on IPv6-only
> before 2.5 will be released.

Are you proposing to remove all IPv4 support from OpenVPN 2.5, so that
an IPv6 connection will be required and an IPv4-only connection will
not work?

Or is this is about removing IPv4-only options and code and leaving
options and code that work for either IPv4 or IPv6, so users could
continue to have an IPv4-only setup by changing the names of a few
options in their configuration files?

Either way, can anyone give an approximate release date for 2.5, so we
can have a time frame for the change? (Even a "not before" date would
be very helpful in evaluating the impact of these proposed changes.)

Best regards,

Jon Bullard (Tunnelblick developer)



[Openvpn-devel] [PATCH] Depreciate IPv4-related options.

2018-04-01 Thread Gert Doering
As discussed in trac #208 and on IRC with Antonio, OpenVPN 2.5 will
be IPv6-only.  Removal of IPv4-related code and options will dramatically
reduce code complexity, confusing options, bugs and user questions.

Add deprecation warnings for IPv4-related config options to 2.4 branch,
so users have enough time to move their setups to work on IPv6-only
before 2.5 will be released.

This affects:

  --ifconfig
  --route
  --server
  --proto udp4/tcp4
  --ifconfig-pool

More IPv4-related options will be identified and depreciated later.

Trac: #208

Signed-off-by: Gert Doering 
---
 src/openvpn/options.c | 12 
 1 file changed, 12 insertions(+)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 9fef3945..46d33c0b 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -5258,6 +5258,7 @@ add_option(struct options *options,
 msg(msglevel, "ifconfig parms '%s' and '%s' must be valid 
addresses", p[1], p[2]);
 goto err;
 }
+msg(M_WARN, "DEPRECATED OPTION: --ifconfig, please update your 
configuration to use IPv6 (--ifconfig-ipv6). IPv4 support will be removed in 
OpenVPN v2.5.");
 }
 else if (streq(p[0], "ifconfig-ipv6") && p[1] && p[2] && !p[3])
 {
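Review bot: the warning is emitted from add_option(), which also parses options pushed by the server (see the `pull_mode` handling in the `route` hunk below), so a client that receives a pushed `ifconfig` will log this deprecation notice on every connection and renegotiation rather than once for an option in its own config file; consider gating the message on `!pull_mode` or applying the same once-only guard the `route` hunk uses.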
@@ -5928,6 +5929,10 @@ add_option(struct options *options,
 }
 options->ce.proto = proto;
 options->ce.af = af;
+   if (af == AF_INET)
+{
+msg(M_WARN, "DEPRECATED OPTION: --proto %s, please update your 
configuration to use IPv6. IPv4 support will be removed in OpenVPN v2.5.", 
p[1]);
+}
 }
 else if (streq(p[0], "proto-force") && p[1] && !p[2])
 {
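Review bot: the indentation of `+   if (af == AF_INET)` does not match the `{`, `msg()` and `}` lines added right after it or the surrounding `options->ce.af = af;`, so uncrustify will flag it; align it with the rest of the block. The check itself only fires for `udp4`/`tcp4*` (where `af` is `AF_INET`), which matches the list in the commit message, so a plain `--proto udp` stays silent even though the commit message says more IPv4-related options are to follow; worth a sentence in the commit message.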
@@ -6151,6 +6156,7 @@ add_option(struct options *options,
 }
 else if (streq(p[0], "route") && p[1] && !p[5])
 {
+   static int route_warning_printed = 0;
 VERIFY_PERMISSION(OPT_P_ROUTE);
 rol_check_alloc(options);
 if (pull_mode)
@@ -6172,6 +6178,10 @@ add_option(struct options *options,
 }
 }
 add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4]);
+if (route_warning_printed++ < 1)
+{
+msg(M_WARN, "DEPRECATED OPTION: --route, please update your 
configuration to use IPv6 (--route-ipv6). IPv4 support will be removed in 
OpenVPN v2.5.");
+}
 }
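Review bot: `route_warning_printed` is a `static int` used purely as a once-flag (`route_warning_printed++ < 1`), and its declaration in the previous hunk (`+   static int route_warning_printed = 0;`) is also mis-indented relative to `VERIFY_PERMISSION(OPT_P_ROUTE);`. A `static bool` that is tested and then set reads more clearly: `if (!route_warning_printed) { route_warning_printed = true; msg(M_WARN, ...); }`. The once-only behaviour is also inconsistent with the `--ifconfig`, `--server` and `--ifconfig-pool` hunks, which warn on every occurrence; either say in the commit message why routes are special (many per config) or apply the same rate limit to all of them.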
 else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
 {
@@ -6459,6 +6469,7 @@ add_option(struct options *options,
 goto err;
 }
 }
+msg(M_WARN, "DEPRECATED OPTION: --server, please update your 
configuration to use IPv6 (--server-ipv6). IPv4 support will be removed in 
OpenVPN v2.5.");
 }
 else if (streq(p[0], "server-ipv6") && p[1] && !p[3])
 {
@@ -6566,6 +6577,7 @@ add_option(struct options *options,
 {
 options->ifconfig_pool_netmask = netmask;
 }
+msg(M_WARN, "DEPRECATED OPTION: --ifconfig-pool, please update your 
configuration to use IPv6 (--ifconfig-ipv6-pool). IPv4 support will be removed 
in OpenVPN v2.5.");
 }
 else if (streq(p[0], "ifconfig-pool-persist") && p[1] && !p[3])
 {
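Review bot: this is the sixth copy of the literal "IPv4 support will be removed in OpenVPN v2.5." in the patch; if the release target moves, all six strings need editing and the wording can drift. Define the shared tail once in options.c (e.g. `#define IPV4_DEPRECATION_HINT " IPv4 support will be removed in OpenVPN v2.5."`) and concatenate it into each `msg()` so only the option-specific prefix (`--ifconfig-pool`, `--ifconfig-ipv6-pool`) differs per call site.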
-- 
2.16.1

