Re: [Openvpn-devel] Ubuntu 18.04 packages available for testing
On 30/12/2018 13:37, Samuli Seppänen wrote:
> On 28/12/18 16:21, tincanteksup wrote:
>> Hi,
>>
>> On 27/12/2018 18:11, Samuli Seppänen wrote:
>>> Hi,
>>>
>>> I've produced OpenVPN 2.4.6 packages for Ubuntu 18.04 and they're now
>>> available here:
>>>
>>> https://build.openvpn.net/downloads/temp/
>>>
>>> The Debian packaging files are taken from Ubuntu's own 18.04 openvpn
>>> package. They already used our openvpn-client@.service and
>>> openvpn-server@.service so I only need to make a few enhancements:
>>>
>>> - Restart active VPN client and server instances on upgrade
>>> - Stop active VPN client and server instances on uninstall
>>>
>>> I also tested upgrading from Ubuntu's own openvpn package and that
>>> worked fine.
>>>
>>> Let me know if these packages work for you or if they don't. I'd like to
>>> get them to our official apt repositories soon.
>>>
>>
>> Successfully installed openvpn_2.4.6-bionic0_amd64.deb in Ubuntu 18.04,
>> tested newly installed openvpn-client@.service which worked correctly.
>
> Excellent! The openvpn-client@ and openvpn-server@ unit file templates
> "sneak in" to the Debian package from our upstream tarball. When looking
> at the Debian packaging files there's absolutely no sign of them. But
> they get installed and seem to work, including the tmpfiles configuration.

Those new service files are the ones everyone should use. In our own packaging, we should abandon the b0rken unit files from the old-days Debian packages. This is especially true for OpenVPN 2.4+ when built with --enable-systemd (which should be mandatory on systemd systems!). The reason is that it uses much better systemd integration which allows systemd to understand better what openvpn is doing and when it fails. Plus, the openvpn process is being run with lesser privileges as well and for openvpn-server@ it will even attempt to restart automatically the server instance if it dies unexpectedly.

And IIRC, we managed to get the new unit files into the Debian openvpn 2.4 package. And I just hope that they are updated with whatever we provide in our tarballs; if not - it might be considered broken packaging. The reason you'll find the b0rken unit files in the upstream Debian packages is to not break old existing installs. Which is nice, just that it behaves broken regardless.

So if anyone is in doubt ... UPGRADE to the openvpn-{server,client}@.service unit files ASAP.

--
kind regards,

David Sommerseth
OpenVPN Inc

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] Ubuntu 18.04 packages available for testing
Hi,

On 30/12/2018 14:56, Samuli Seppänen wrote:
> Hi,
>
> On 29/12/18 22:06, tincanteksup wrote:
>> debian/rules clean
>> dh clean
>> make: dh: Command not found
>
> Package "debhelper" is missing. When using Vagrant debhelper gets installed
> in the provisioning script:
>
> https://github.com/mattock/openvpn-vagrant/blob/sbuild/sbuild.sh
>
> That provisioning script should run fine on any Ubuntu 18.04 VM, not just
> inside Vagrant/Virtualbox.

Yes, it all works now.
Re: [Openvpn-devel] Ubuntu 18.04 packages available for testing
Hi,

On 29/12/18 22:06, tincanteksup wrote:
>
>
> On 28/12/2018 14:21, tincanteksup wrote:
>> Hi,
>>
>> On 27/12/2018 18:11, Samuli Seppänen wrote:
>>>
>
>>> Also, if you can, please review these PRs which enable anyone to build
>>> the Ubuntu/Debian packages, including ones for Ubuntu 18.04:
>>>
>>> https://github.com/OpenVPN/sbuild_wrapper/pull/1
>>> https://github.com/OpenVPN/openvpn-vagrant/pull/6
>>>
>>
>> Working on it ..
>>
>
> Tested and working but with one note.
>
> scripts/prepare-all.sh
> ```
> dpkg-buildpackage -d -S -uc -us
> ```
> does not work.
>
> The failure is:
> ```
> tct@home:~/openvpn/pkg-bsys$ sudo scripts/prepare-all.sh
> --2018-12-29 16:04:53--  http://build.openvpn.net/downloads/releases/openvpn-2.4.6.tar.gz
> Resolving build.openvpn.net (build.openvpn.net)... 52.52.118.245, 2600:1f1c:702:ae00:f27c:d805:3b80:a45d
> Connecting to build.openvpn.net (build.openvpn.net)|52.52.118.245|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 1431971 (1.4M) [application/octet-stream]
> Saving to: ‘openvpn-2.4.6.tar.gz’
>
> openvpn-2.4.6.tar.gz    100%[>]    1.37M   159KB/s   in 7.4s
>
> 2018-12-29 16:05:00 (190 KB/s) - ‘openvpn-2.4.6.tar.gz’ saved [1431971/1431971]
>
> cp: 'debian/patches/series' and 'debian/patches/series' are the same file
> dpkg-buildpackage: info: source package openvpn
> dpkg-buildpackage: info: source version 2.4.6-bionic0
> dpkg-buildpackage: info: source distribution stable
> dpkg-buildpackage: info: source changed by Samuli Seppänen
>
> dpkg-source --before-build openvpn-2.4.6
> dpkg-source: info: applying move_log_dir.patch
> dpkg-source: info: applying auth-pam_libpam_so_filename.patch
> dpkg-source: info: applying debian_nogroup_for_sample_files.patch
> dpkg-source: info: applying openvpn-pkcs11warn.patch
> dpkg-source: info: applying kfreebsd_support.patch
> dpkg-source: info: applying match-manpage-and-command-help.patch
> debian/rules clean
> dh clean
> make: dh: Command not found

Package "debhelper" is missing. When using Vagrant debhelper gets installed
in the provisioning script:

https://github.com/mattock/openvpn-vagrant/blob/sbuild/sbuild.sh

That provisioning script should run fine on any Ubuntu 18.04 VM, not just
inside Vagrant/Virtualbox.

> debian/rules:16: recipe for target 'clean' failed
> make: *** [clean] Error 127
> dpkg-buildpackage: error: debian/rules clean subprocess returned exit status 2
>
> ```
>
> Change scripts/prepare-all.sh
> ```
> dpkg-buildpackage -nc -d -S -uc -us
> ```
> Works, tested on two independent systems.
>
> The output is now:
> ```
> tct@home:~/openvpn/pkg-bsys$ sudo scripts/prepare-all.sh
> --2018-12-29 19:25:52--  http://build.openvpn.net/downloads/releases/openvpn-2.4.6.tar.gz
> Resolving build.openvpn.net (build.openvpn.net)... 52.52.118.245, 2600:1f1c:702:ae00:f27c:d805:3b80:a45d
> Connecting to build.openvpn.net (build.openvpn.net)|52.52.118.245|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 1431971 (1.4M) [application/octet-stream]
> Saving to: ‘openvpn-2.4.6.tar.gz’
>
> openvpn-2.4.6.tar.gz    100%[>]    1.37M   308KB/s   in 5.0s
>
> 2018-12-29 19:25:57 (282 KB/s) - ‘openvpn-2.4.6.tar.gz’ saved [1431971/1431971]
>
> cp: 'debian/patches/series' and 'debian/patches/series' are the same file
> dpkg-buildpackage: info: source package openvpn
> dpkg-buildpackage: info: source version 2.4.6-bionic0
> dpkg-buildpackage: info: source distribution stable
> dpkg-buildpackage: info: source changed by Samuli Seppänen
>
> dpkg-source --before-build openvpn-2.4.6
> dpkg-source: info: applying move_log_dir.patch
> dpkg-source: info: applying auth-pam_libpam_so_filename.patch
> dpkg-source: info: applying debian_nogroup_for_sample_files.patch
> dpkg-source: info: applying openvpn-pkcs11warn.patch
> dpkg-source: info: applying kfreebsd_support.patch
> dpkg-source: info: applying match-manpage-and-command-help.patch
> dpkg-buildpackage: warning: building a source package without cleaning up as you asked; it might contain undesired files
> dpkg-source -b openvpn-2.4.6
> dpkg-source: info: using source format '3.0 (quilt)'
> dpkg-source: info: building openvpn using existing ./openvpn_2.4.6.orig.tar.gz
> dpkg-source: info: building openvpn in openvpn_2.4.6-bionic0.debian.tar.xz
> dpkg-source: info: building openvpn in openvpn_2.4.6-bionic0.dsc
> dpkg-genbuildinfo --build=source
> dpkg-genchanges --build=source >../openvpn_2.4.6-bionic0_source.changes
> dpkg-genchanges: info: including full source code in upload
> dpkg-source --after-build openvpn-2.4.6
> dpkg-source: info: unapplying match-manpage-and-command-help.patch
> dpkg-source: info: unapplying kfreebsd_support.patch
> dpkg-source: info: unapplying openvpn-pkcs11warn.patch
> dpkg-source: info: unapplying
[Openvpn-devel] [PATCH 1/4] transport: introduce transport API plugin codebase
From: Robin Tarsiger

This API will allow plugins to provide virtual socket implementations with their own table of functions for operations on these sockets, with limited but functional integration with the main OpenVPN event loop.

This new mechanism can be used to implement alternative transport protocols via external plugins, without interfering with the OpenVPN core codebase.

A sample user of this API might be an obfuscation scheme which manipulates the traffic before sending/receiving it.

Signed-off-by: Robin Tarsiger
[anto...@openvpn.net: refactored commits, restyled code]

--- include/Makefile.am | 1 + include/openvpn-plugin.h.in | 31 +++- include/openvpn-transport.h | 240 src/openvpn/Makefile.am | 1 + src/openvpn/plugin.c| 4 + src/openvpn/plugin.h| 1 + src/openvpn/socket.h| 3 + src/openvpn/transport.c | 303 src/openvpn/transport.h | 94 +++ 9 files changed, 677 insertions(+), 1 deletion(-) create mode 100644 include/openvpn-transport.h create mode 100644 src/openvpn/transport.c create mode 100644 src/openvpn/transport.h diff --git a/include/Makefile.am b/include/Makefile.am index 484e4e12..5c0ffcc4 100644 --- a/include/Makefile.am +++ b/include/Makefile.am @@ -15,4 +15,5 @@ MAINTAINERCLEANFILES = \ include_HEADERS = \ openvpn-plugin.h \ + openvpn-transport.h \ openvpn-msg.h diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in index 103844f7..3539e534 100644 --- a/include/openvpn-plugin.h.in +++ b/include/openvpn-plugin.h.in @@ -129,7 +129,8 @@ extern "C" { #define OPENVPN_PLUGIN_TLS_FINAL 10 #define OPENVPN_PLUGIN_ENABLE_PF 11 #define OPENVPN_PLUGIN_ROUTE_PREDOWN 12 -#define OPENVPN_PLUGIN_N 13 +#define OPENVPN_PLUGIN_TRANSPORT 13 +#define OPENVPN_PLUGIN_N 14 /* * Build a mask out of a set of plug-in types. 
@@ -852,6 +853,34 @@ OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_select_initialization_ OPENVPN_PLUGIN_DEF int OPENVPN_PLUGIN_FUNC(openvpn_plugin_min_version_required_v1) (void); +/* + * FUNCTION: openvpn_plugin_get_vtab_v1 + * + * This is only used for TRANSPORT plugins presently. It is called to + * retrieve a vtable structure to be used for binding virtual sockets + * which use the transport provided by the plugin. The selector is an + * OPENVPN_VTAB constant. *size_out must be set to the size of the + * structure returned. + * + * REQUIRED: only for TRANSPORT plugins + * + * RETURN VALUE + * + * A pointer to a vtable of the requested type, or NULL if no + * such vtable is provided by this plugin. + */ + +enum { +/* Return type: struct openvpn_transport_bind_vtab1 * + Plugin should provide OPENVPN_PLUGIN_TRANSPORT at open time. + */ +OPENVPN_VTAB_TRANSPORT_BIND_V1 = 0x54726e31 /* 'Trn1' */ +}; + + +OPENVPN_PLUGIN_DEF void *OPENVPN_PLUGIN_FUNC(openvpn_plugin_get_vtab_v1) +(int selector, size_t *size_out); + /* * Deprecated functions which are still supported for backward compatibility. */ diff --git a/include/openvpn-transport.h b/include/openvpn-transport.h new file mode 100644 index ..72872d9c --- /dev/null +++ b/include/openvpn-transport.h 
@@ -0,0 +1,240 @@ +/* + * Transport API handling code + * + * Copyright (C) 2018 Robin Tarsiger + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + + +#ifndef OPENVPN_TRANSPORT_H_ +#define OPENVPN_TRANSPORT_H_ + +/* PLATFORM: only POSIX-y platforms or Win32 here */ + +#ifdef _WIN32 + +/* Win32 */ +#define OPENVPN_TRANSPORT_PLATFORM_WIN32 +#include +#include +#include + +/* On Windows, platform-native events to wait on are provided to OpenVPN core as + * pairs of system events, normally corresponding to one potentially queued I/O + * operation in each direction. The read event is waited on if read events are + * requested, and the write event is waited on if write events are + * requested. Events need not be distinct, but usually will be. Two event + * handles must always be provided; neither is permitted to be NULL. */ +typedef const struct openvpn_transport_win32_event_pair { +HANDLE read; +HANDLE write; +}
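Review bot: the openvpn_plugin_get_vtab_v1 contract in the second openvpn-plugin.h.in hunk says "*size_out must be set to the size of the structure returned" but not what happens to *size_out on the NULL path, and it leaves the core's obligation implicit. Since the vtable comes from a separately built module, the core should treat the returned size as untrusted: compare it against sizeof(struct openvpn_transport_bind_vtab1) and refuse a vtable that is smaller (a plugin built against an earlier header) rather than dereference function pointers that may lie past the end of the plugin's struct. Suggest adding two sentences to the comment, one stating that *size_out is left unchanged when NULL is returned, and one stating that the core rejects any vtable whose size does not match the version it asked for, so plugin authors know the check exists.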
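Review bot: the first openvpn-plugin.h.in hunk bumps OPENVPN_PLUGIN_N from 13 to 14 and adds OPENVPN_PLUGIN_TRANSPORT, while the enum comment further down says a plugin "should provide OPENVPN_PLUGIN_TRANSPORT at open time" and the get_vtab comment marks that function as REQUIRED for transport plugins. The loader (plugin.c, 4 lines in the diffstat, not visible in this excerpt) is the natural place to enforce that pairing: when a plugin's open-time mask includes OPENVPN_PLUGIN_TRANSPORT, fail the load with a clear message if openvpn_plugin_get_vtab_v1 is not exported, instead of discovering the missing symbol at first bind. A line in the commit message saying that existing plugins are unaffected by the OPENVPN_PLUGIN_N change (they only OR together constants they already know) would also help distro maintainers reading the ABI diff.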
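Review bot: in the openvpn-transport.h hunk, the comment on openvpn_transport_win32_event_pair states that two event handles must always be provided and neither may be NULL, but that is a promise the plugin makes, not one the core checks. Suggest that the core validate both handles when it accepts the pair from a plugin and refuse the bind on a NULL handle, since registering a NULL HANDLE with the event loop would otherwise surface later as an opaque wait failure far from the plugin that caused it. The typedef of a const struct is also unusual enough to deserve a short comment saying the pair is meant to be read-only to the core.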
[Openvpn-devel] [PATCH 0/4] Transport API: offload traffic manipulation to plugins
From: Antonio Quartulli

Dear all,

This patchset implements a new API called "Transport API" which allows the core codebase to offload traffic/socket manipulations to an external plugin.

To understand its potential, imagine you want to apply a specific "mutation" on any packet going out and apply its inverse, on the receiver side, for any incoming packet. Without this patchset, achieving this result would require a big surgery through the OpenVPN code, and it would be the same for any new mutation one wants to implement. Thanks to this new API the deemed effort is drastically reduced.

In a few words, OpenVPN becomes extendible on a new front, by cutting the need to touch the core codebase any longer.

An easy to imagine use case for this new API would be any "traffic obfuscation technique": instead of patching the core code (like the famous "xor patch"), a developer is now allowed to implement an external obfuscation plugin and distribute/maintain it independently.

This patchset comes with a sample plugin (obfs-test) which can be used as starting point for new implementations.

Any feedback is welcome!

Note: the code has gone through the following tests with positive outcome:
- uncrustify
- GitLab-CI (with my configs)
- openvpn community buildbots

Since it is quite a change (even though most of the new code is fairly isolated in its own module - transport.c/h), I expect more comments/discussion/bugs to spark from here. In any case, please consider myself as direct contact point to discuss further changes and improvements (even though I am not the signer of the patches). I'll be responsible for ensuring this code gets merged sooner rather than later.

Thanks a lot!!

== Credits ==

This code has been developed by the Operator Foundation[1], under the umbrella project called "Jigsaw"[2], mainly promoted/sponsored by Google, Inc. Brandon, reading this email in CC, has been the contact point on the Operator Foundation's side, while Justin (in CC as well), managed the task on Google's behalf.

OpenVPN, Inc. has offered its support to the cause by allowing its devs to allocate a number of hours to follow the project and ensure it could get all the guidance it required.

[1] https://operatorfoundation.org/
[2] https://jigsaw.google.com/

Best Regards,

Robin Tarsiger (4):
  transport: introduce transport API plugin codebase
  socket: introduce INDIRECT transport protocol abstraction
  options: add support for --transport-plugin
  transport-plugin: add sample obfs-test plugin

 configure.ac                              |   9 +
 doc/openvpn.8                             |  40 ++
 include/Makefile.am                       |   1 +
 include/openvpn-plugin.h.in               |  31 +-
 include/openvpn-transport.h               | 240 +
 src/openvpn/Makefile.am                   |   1 +
 src/openvpn/forward.c                     |   5 +
 src/openvpn/init.c                        |   1 +
 src/openvpn/options.c                     |  31 ++
 src/openvpn/options.h                     |   1 +
 src/openvpn/plugin.c                      |   4 +
 src/openvpn/plugin.h                      |   1 +
 src/openvpn/socket.c                      | 148 +-
 src/openvpn/socket.h                      |  74 +++
 src/openvpn/transport.c                   | 303 +++
 src/openvpn/transport.h                   |  99
 src/plugins/Makefile.am                   |   2 +-
 src/plugins/obfs-test/Makefile.am         |  29 ++
 src/plugins/obfs-test/README.obfs-test    |  26 +
 src/plugins/obfs-test/obfs-test-args.c    |  60 +++
 src/plugins/obfs-test/obfs-test-munging.c | 129 +
 src/plugins/obfs-test/obfs-test-posix.c   | 207
 src/plugins/obfs-test/obfs-test-win32.c   | 579 ++
 src/plugins/obfs-test/obfs-test.c         |  94
 src/plugins/obfs-test/obfs-test.exports   |   4 +
 src/plugins/obfs-test/obfs-test.h         |  42 ++
 26 files changed, 2155 insertions(+), 6 deletions(-)
 create mode 100644 include/openvpn-transport.h
 create mode 100644 src/openvpn/transport.c
 create mode 100644 src/openvpn/transport.h
 create mode 100644 src/plugins/obfs-test/Makefile.am
 create mode 100644 src/plugins/obfs-test/README.obfs-test
 create mode 100644 src/plugins/obfs-test/obfs-test-args.c
 create mode 100644 src/plugins/obfs-test/obfs-test-munging.c
 create mode 100644 src/plugins/obfs-test/obfs-test-posix.c
 create mode 100644 src/plugins/obfs-test/obfs-test-win32.c
 create mode 100644 src/plugins/obfs-test/obfs-test.c
 create mode 100644 src/plugins/obfs-test/obfs-test.exports
 create mode 100644 src/plugins/obfs-test/obfs-test.h

--
2.19.2
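The cover letter describes the split in words: the core talks to a transport only through a table of functions, and a plugin applies a mutation on the way out and its inverse on the way in. The following is an added example, not code from this patchset or from OpenVPN, that shows that shape in miniature. The core binds a transport through a get_vtab-style call (the 'Trn1' selector value is borrowed from patch 1/4), checks the vtable's size and function pointers before trusting it, and then sends and receives with no knowledge of the transform; the plugin side applies a toy reversible byte rotation. Every name (xport_vtab, core_bind, example_get_vtab, bad_get_vtab, the one-slot "wire") is invented here, and the transform is a test fixture that hides nothing from an observer, exactly like the sample plugin's "very basic content transformation".

```c
/* Added example, not OpenVPN or patchset code: a miniature vtable-based
 * transport split. The core knows only struct xport_vtab; the plugin side
 * supplies send/recv that apply a reversible byte transform outbound and
 * its inverse inbound. All names are invented; the "wire" is a one-slot
 * in-memory loopback standing in for a UDP socket. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XPORT_VTAB_V1 0x54726e31 /* 'Trn1', the selector value used in 1/4 */
#define MAX_PKT 1500

struct xport; /* opaque to the core apart from the vtable pointer */

struct xport_vtab {
    size_t size; /* the core checks this before calling anything below */
    int (*send)(struct xport *x, const uint8_t *buf, size_t len);
    int (*recv)(struct xport *x, uint8_t *buf, size_t cap);
    void (*close)(struct xport *x);
};

struct xport {
    const struct xport_vtab *vtab;
    uint8_t wire[MAX_PKT]; /* constructed loopback: what a sniffer would see */
    size_t wire_len;
};

/* "native" path: bytes go to the wire untouched */
static int plain_send(struct xport *x, const uint8_t *buf, size_t len)
{
    if (len > MAX_PKT) return -1;
    memcpy(x->wire, buf, len);
    x->wire_len = len;
    return (int)len;
}
static int plain_recv(struct xport *x, uint8_t *buf, size_t cap)
{
    if (x->wire_len > cap) return -1;
    memcpy(buf, x->wire, x->wire_len);
    return (int)x->wire_len;
}
static void plain_close(struct xport *x) { x->wire_len = 0; }

/* plugin path: rotate each byte left by 3 outbound, right by 3 inbound.
 * Test fixture only; an observer recovers the payload trivially. */
static uint8_t rotl8(uint8_t v) { return (uint8_t)((v << 3) | (v >> 5)); }
static uint8_t rotr8(uint8_t v) { return (uint8_t)((v >> 3) | (v << 5)); }

static int obfs_send(struct xport *x, const uint8_t *buf, size_t len)
{
    uint8_t tmp[MAX_PKT];
    if (len > MAX_PKT) return -1;
    for (size_t i = 0; i < len; i++) tmp[i] = rotl8(buf[i]);
    return plain_send(x, tmp, len);
}
static int obfs_recv(struct xport *x, uint8_t *buf, size_t cap)
{
    int n = plain_recv(x, buf, cap);
    for (int i = 0; i < n; i++) buf[i] = rotr8(buf[i]);
    return n;
}
static const struct xport_vtab obfs_vtab = {
    sizeof(struct xport_vtab), obfs_send, obfs_recv, plain_close
};

/* plugin entry point, in the shape of openvpn_plugin_get_vtab_v1 */
const void *example_get_vtab(int selector, size_t *size_out)
{
    if (selector != XPORT_VTAB_V1) return NULL;
    *size_out = sizeof(struct xport_vtab);
    return &obfs_vtab;
}
/* hypothetical plugin built against an older, shorter vtable layout */
const void *bad_get_vtab(int selector, size_t *size_out)
{
    (void)selector;
    *size_out = sizeof(struct xport_vtab) - sizeof(void *);
    return &obfs_vtab;
}

/* core side: refuse the vtable unless size and every pointer check out */
int core_bind(struct xport *x, const void *(*get_vtab)(int, size_t *))
{
    size_t sz = 0;
    const struct xport_vtab *v = get_vtab(XPORT_VTAB_V1, &sz);
    if (!v || sz != sizeof(*v) || v->size != sz
        || !v->send || !v->recv || !v->close) return -1;
    x->vtab = v;
    x->wire_len = 0;
    return 0;
}

/* core side round trip; the transform is never mentioned here. 1 = intact */
int core_roundtrip(struct xport *x, const uint8_t *payload, size_t len)
{
    uint8_t out[MAX_PKT];
    if (x->vtab->send(x, payload, len) != (int)len) return 0;
    int n = x->vtab->recv(x, out, sizeof out);
    return n == (int)len && memcmp(out, payload, len) == 0;
}

/* 1 if the bytes left on the wire differ from the payload that was sent */
int wire_differs(const struct xport *x, const uint8_t *payload, size_t len)
{
    return x->wire_len == len && memcmp(x->wire, payload, len) != 0;
}

int main(void)
{
    struct xport x;
    static const uint8_t pkt[] = "constructed sample datagram";
    if (core_bind(&x, example_get_vtab) != 0) return 1;
    int ok = core_roundtrip(&x, pkt, sizeof pkt);
    int differs = wire_differs(&x, pkt, sizeof pkt);
    int rejected = core_bind(&x, bad_get_vtab) == -1;
    printf("roundtrip=%d wire_differs=%d bad_vtab_rejected=%d\n", ok, differs, rejected);
    x.vtab->close(&x);
    return 0;
}
```

The point of core_bind is the part a reviewer of patch 1/4 would want to see in transport.c: the size handed back through size_out is compared against the size the core compiled with, and a NULL function pointer fails the bind, so an out-of-date or buggy plugin is refused before the event loop ever calls into it. Everything after that line of the core is transport-agnostic, which is the property the cover letter is selling.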
[Openvpn-devel] [PATCH 3/4] options: add support for --transport-plugin
From: Robin Tarsiger

Add a new config option to allow the user to specify a transport plugin implementing the new API. This plugin can be used to manipulate traffic in any way, as designed by the plugin developer. The fundamental advantage of this plugin is that the core codebase does not need to know anything about its implementation, as soon as it implements the transport API properly.

A plugin specified with --transport-plugin must be already loaded via --plugin. --transport-plugin is a per-connection-block option and specifies which plugin to use for this particular connection. It can take additional arguments, if required by the specific plugin.

The manpage has been extended accordingly.

Signed-off-by: Robin Tarsiger
[anto...@openvpn.net: refactored commits, restyled code]

--- doc/openvpn.8 | 40 src/openvpn/init.c| 1 + src/openvpn/options.c | 31 +++ src/openvpn/options.h | 1 + src/openvpn/socket.c | 2 ++ src/openvpn/socket.h | 1 + 6 files changed, 76 insertions(+) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 7abcaf1e..9325dabd 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 
@@ -2847,6 +2847,46 @@ every module and script must return success (0) in order for the connection to be authenticated. .\"* .TP +.B \-\-transport-plugin module-pathname [connection-args] +Use the loaded plugin module identified by +.B module-pathname +to provide a transport layer for the connection. The +.B module-pathname +must be exactly equivalent to a pathname supplied to a +.B \-\-plugin +option. The same transport plugin may be used for +multiple connections, in which case the +.B \-\-plugin +option which loads it should only occur once. However, +only one transport plugin may be specified per +connection. + +If +.B connection-args +are present, these arguments are passed to the transport +plugin when establishing this connection specifically; this +is distinct from any per-plugin arguments which may have +been specified using the +.B \-\-plugin +option. Documentation for possible +.B connection-args +may be provided along with the plugin in use. + +When a transport plugin is in use, the +.B \-\-proto +option should not normally be used and will usually result in +an error, as the transport plugin takes over from the native +transport protocol that would otherwise be specified. The +rest of OpenVPN will operate in a manner similar to that of +UDP mode, using the pseudo-protocol "indirect". There is one +remaining rare use for +.B \-\-proto +in this case, which is to force a specific address family for +transport plugins for which this is still meaningful. This can +be done by specifying "indirect4" or "indirect6" as the +protocol. +.\"* +.TP .B \-\-keying\-material\-exporter label len Save Exported Keying Material [RFC5705] of len bytes (must be between 16 and 4095 bytes) using label in environment diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 560d87db..9f7b5fdd 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -3335,6 +3335,7 @@ do_init_socket_1(struct context *c, const int mode) >c1.link_socket_addr, c->options.ipchange, c->plugins, +c->options.ce.transport_plugin_argv, c->options.resolve_retry_seconds, c->options.ce.mtu_discover_type, c->options.rcvbuf, diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 0cf8db76..7e905532 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -403,6 +403,9 @@ static const char usage_message[] = #ifdef ENABLE_PLUGIN "--plugin m [str]: Load plug-in module m passing str as an argument\n" " to its initialization function.\n" +"--transport-plugin m [args]: Use plug-in module m to provide the transport\n" +" layer, with optional per-connection args. The\n" +" module must already be loaded with --plugin.\n" #endif #if P2MP #if P2MP_SERVER @@ -2005,6 +2008,22 @@ options_postprocess_verify_ce(const struct options *options, const struct connec msg(M_USAGE, "--proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client"); } +#ifdef ENABLE_PLUGIN +/* + * "proto indirect" may not be specified directly without a + * transport-plugin, and vice versa. + */ +if (ce->proto == PROTO_INDIRECT && !ce->transport_plugin_argv) +{ +msg(M_USAGE, "--proto indirect may not be used without a transport-plugin line"); +} + +if (ce->transport_plugin_argv && ce->proto != PROTO_INDIRECT) +{ +msg(M_USAGE, "--transport-plugin must be used with --proto
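Review bot: in the doc/openvpn.8 hunk, "will usually result in an error" undersells what the options.c hunk in this same patch enforces, which is an unconditional M_USAGE failure in both directions (proto indirect without a transport-plugin line, and --transport-plugin without proto indirect). Suggest stating the rule rather than a tendency, along the lines of: when --transport-plugin is given, --proto must be omitted or set to indirect, indirect4 or indirect6, and any other value is rejected. That spares users a search for a tcp/udp combination that does not exist and makes the manpage match the code.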
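Review bot: the usage string and the manpage both say the module named by --transport-plugin "must already be loaded with --plugin", yet the visible options.c hunk only cross-checks ce->proto against ce->transport_plugin_argv; nothing here verifies that module-pathname matches an entry from a --plugin line. Suggest adding that check in options_postprocess_verify_ce (or wherever the plugin list is resolved, before socket creation) with an M_USAGE message that names the offending path, so a mistyped path fails at option parsing with a clear reason instead of surfacing at bind time. The check should compare the exact pathname string, since the manpage requires the two to be "exactly equivalent".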
[Openvpn-devel] [PATCH 2/4] socket: introduce INDIRECT transport protocol abstraction
From: Robin Tarsiger

This new transport protocol is used to tell the core code that traffic should not be directly processed, but should rather be rerouted to a transport plugin. It is basically an abstraction as it does not tell the code how to process the data, but simply forces its redirection to the external code.

Signed-off-by: Robin Tarsiger
[anto...@openvpn.net: refactored commits, restyled code]

--- src/openvpn/forward.c | 5 ++ src/openvpn/socket.c| 146 ++-- src/openvpn/socket.h| 70 +++ src/openvpn/transport.h | 5 ++ 4 files changed, 222 insertions(+), 4 deletions(-) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 0a90fff0..a7092c7e 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -2150,6 +2150,11 @@ io_wait_dowork(struct context *c, const unsigned int flags) { int i; c->c2.event_set_status = 0; +#ifdef ENABLE_PLUGIN +c->c2.event_set_status |= +(socket_indirect_pump(c->c2.link_socket, esr, ) & 3) +<< socket_shift; +#endif for (i = 0; i < status; ++i) { const struct event_set_return *e = [i]; diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index db944245..b548ab7a 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -41,6 +41,7 @@ #include "manage.h" #include "openvpn.h" #include "forward.h" +#include "transport.h" #include "memdbg.h" @@ -49,6 +50,9 @@ const int proto_overhead[] = { /* indexed by PROTO_x */ IPv4_UDP_HEADER_SIZE, /* IPv4 */ IPv4_TCP_HEADER_SIZE, IPv4_TCP_HEADER_SIZE, +#ifdef ENABLE_PLUGIN +INDIRECT_HEADER_SIZE, +#endif IPv6_UDP_HEADER_SIZE, /* IPv6 */ IPv6_TCP_HEADER_SIZE, IPv6_TCP_HEADER_SIZE, 
@@ -1103,9 +1107,46 @@ bind_local(struct link_socket *sock, const sa_family_t ai_family) } } +#ifdef ENABLE_PLUGIN + +static void +create_socket_indirect(struct link_socket *sock, sa_family_t ai_family) +{ +struct addrinfo *bind_addresses = NULL; +if (sock->bind_local) +{ +bind_addresses = sock->info.lsa->bind_local; +} + +sock->indirect = transport_bind(sock->info.plugins, +sock->info.transport_plugin_argv, +ai_family, +bind_addresses); +} + +bool +proto_is_indirect(int proto) +{ +return proto == PROTO_INDIRECT; +} + +#else /* ifdef ENABLE_PLUGIN */ + +static void +create_socket_indirect(struct link_socket *sock, sa_family_t ai_family) +{ +} + +#endif /* ENABLE_PLUGIN */ + static void create_socket(struct link_socket *sock, struct addrinfo *addr) { +if (proto_is_indirect(sock->info.proto)) +{ +create_socket_indirect(sock, addr->ai_family); +} + if (addr->ai_protocol == IPPROTO_UDP || addr->ai_socktype == SOCK_DGRAM) { sock->sd = create_socket_udp(addr, sock->sockflags); @@ -2279,7 +2320,11 @@ link_socket_init_phase2(struct link_socket *sock, } /* If socket has not already been created create it now */ -if (sock->sd == SOCKET_UNDEFINED) +if (sock->sd == SOCKET_UNDEFINED +#ifdef ENABLE_PLUGIN +&& !sock->indirect +#endif +) { /* If we have no --remote and have still not figured out the * protocol family to use we will use the first of the bind */ @@ -2300,7 +2345,11 @@ link_socket_init_phase2(struct link_socket *sock, } /* Socket still undefined, give a warning and abort connection */ -if (sock->sd == SOCKET_UNDEFINED) +if (sock->sd == SOCKET_UNDEFINED +#ifdef ENABLE_PLUGIN +&& !sock->indirect +#endif +) { msg(M_WARN, "Could not determine IPv4/IPv6 protocol"); sig_info->signal_received = SIGUSR1; @@ -2338,7 +2387,10 @@ link_socket_init_phase2(struct link_socket *sock, } } -phase2_set_socket_flags(sock); +if (sock->sd != SOCKET_UNDEFINED) +{ +phase2_set_socket_flags(sock); +} linksock_print_addr(sock); done: 
@@ -2362,6 +2414,14 @@ link_socket_close(struct link_socket *sock) const int gremlin = 0; #endif +#ifdef ENABLE_PLUGIN +if (sock->indirect) +{ +sock->indirect->vtab->close(sock->indirect); +sock->indirect = NULL; +} +#endif + if (socket_defined(sock->sd)) { #ifdef _WIN32 @@ -3143,16 +3203,25 @@ static const struct proto_names proto_names[] = { {"tcp-server", "TCP_SERVER", AF_UNSPEC, PROTO_TCP_SERVER}, {"tcp-client", "TCP_CLIENT", AF_UNSPEC, PROTO_TCP_CLIENT}, {"tcp","TCP", AF_UNSPEC, PROTO_TCP}, +#ifdef ENABLE_PLUGIN +{"indirect", "INDIRECT", AF_UNSPEC, PROTO_INDIRECT}, +#endif /* force IPv4 */ {"udp4", "UDPv4",
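Review bot: in the forward.c hunk, `& 3` is a magic number for the read/write bits of socket_indirect_pump's return value, and `<< socket_shift` silently couples that encoding to the layout of event_set_status. Use the event flag names from event.h (EVENT_READ | EVENT_WRITE) or a named mask exported by transport.h so the dependency is explicit, and add a one-line comment saying the pump runs before the returned events are folded in, and why, since the placement at the top of the loop is not self-explanatory.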
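Review bot: proto_overhead[] is documented as "indexed by PROTO_x", and the first socket.c hunk inserts INDIRECT_HEADER_SIZE between the IPv4 TCP entries and the IPv6 UDP entry under #ifdef ENABLE_PLUGIN. That is only correct if PROTO_INDIRECT is added to the proto enum in socket.h at exactly that position and under the same #ifdef; otherwise every IPv6 entry is off by one in one of the two build configurations. Suggest a compile-time assertion that the array has PROTO_N entries, or at minimum a comment at both sites cross-referencing each other.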
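Review bot: in the create_socket hunk, the new indirect branch calls create_socket_indirect() and then falls through into the existing UDP/TCP branches, so an indirect link socket also gets a native sd created from addr. The link_socket_init_phase2 hunks in this same patch assume an indirect socket leaves sock->sd == SOCKET_UNDEFINED (they test `sd == SOCKET_UNDEFINED && !sock->indirect` and only call phase2_set_socket_flags when sd is defined), so this reads as a missing `return;` after create_socket_indirect(). Also, proto_is_indirect() is defined only in the ENABLE_PLUGIN half of the hunk while the call site is unconditional; if the non-plugin definition lives in socket.h, a comment in the #else branch pointing there would save the reader a grep.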
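Review bot: the two link_socket_init_phase2 hunks repeat the same `#ifdef ENABLE_PLUGIN ... && !sock->indirect #endif` fragment inside an if-condition. A small inline helper in socket.h (a hypothetical name: link_socket_needs_native_fd(sock), returning sock->sd == SOCKET_UNDEFINED and, under ENABLE_PLUGIN, !sock->indirect) would take the preprocessor out of the conditions and keep both sites, plus the guarded phase2_set_socket_flags() call, from drifting apart.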
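Review bot: link_socket_close now calls sock->indirect->vtab->close() directly, which is fine only if the vtable was validated at bind time (non-NULL close pointer); worth a comment here naming where that validation happens. In the proto_names hunk, only the AF_UNSPEC "indirect" entry is visible before the table is cut off; since the manpage in 3/4 documents indirect4 and indirect6, make sure the force-IPv4 and force-IPv6 sections of this table carry matching entries under the same #ifdef, or the option parser will reject names the manpage advertises.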
[Openvpn-devel] [PATCH 4/4] transport-plugin: add sample obfs-test plugin
From: Robin Tarsiger Add a sample plugin to explain how the new transport API is expected to be implemented and work. It can be used for testing. Signed-off-by: Robin Tarsiger [anto...@openvpn.net: refactored commits, restyled code] --- configure.ac | 9 + src/plugins/Makefile.am | 2 +- src/plugins/obfs-test/Makefile.am | 29 ++ src/plugins/obfs-test/README.obfs-test| 26 + src/plugins/obfs-test/obfs-test-args.c| 60 +++ src/plugins/obfs-test/obfs-test-munging.c | 129 + src/plugins/obfs-test/obfs-test-posix.c | 207 src/plugins/obfs-test/obfs-test-win32.c | 579 ++ src/plugins/obfs-test/obfs-test.c | 94 src/plugins/obfs-test/obfs-test.exports | 4 + src/plugins/obfs-test/obfs-test.h | 42 ++ 11 files changed, 1180 insertions(+), 1 deletion(-) create mode 100644 src/plugins/obfs-test/Makefile.am create mode 100644 src/plugins/obfs-test/README.obfs-test create mode 100644 src/plugins/obfs-test/obfs-test-args.c create mode 100644 src/plugins/obfs-test/obfs-test-munging.c create mode 100644 src/plugins/obfs-test/obfs-test-posix.c create mode 100644 src/plugins/obfs-test/obfs-test-win32.c create mode 100644 src/plugins/obfs-test/obfs-test.c create mode 100644 src/plugins/obfs-test/obfs-test.exports create mode 100644 src/plugins/obfs-test/obfs-test.h diff --git a/configure.ac b/configure.ac index 1e6891b1..b4196812 100644 --- a/configure.ac +++ b/configure.ac @@ -200,6 +200,13 @@ AC_ARG_ENABLE( ] ) +AC_ARG_ENABLE( + [plugin-obfs-test], + [AS_HELP_STRING([--disable-plugin-obfs-test], [disable obfs-test plugin @<:@default=platform specific@:>@])], + , + [enable_plugin_obfs_test="no"] +) + AC_ARG_ENABLE( [pam-dlopen], [AS_HELP_STRING([--enable-pam-dlopen], [dlopen libpam @<:@default=no@:>@])], 
@@ -1344,6 +1351,7 @@ AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"]) AM_CONDITIONAL([GIT_CHECKOUT], [test "${GIT_CHECKOUT}" = "yes"]) AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = "yes"]) AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = "yes"]) +AM_CONDITIONAL([ENABLE_PLUGIN_OBFS_TEST], [test "${enable_plugin_obfs_test}" = "yes"]) AM_CONDITIONAL([HAVE_LD_WRAP_SUPPORT], [test "${have_ld_wrap_support}" = "yes"]) sampledir="\$(docdir)/sample" @@ -1403,6 +1411,7 @@ AC_CONFIG_FILES([ src/plugins/Makefile src/plugins/auth-pam/Makefile src/plugins/down-root/Makefile + src/plugins/obfs-test/Makefile tests/Makefile tests/unit_tests/Makefile tests/unit_tests/example_test/Makefile diff --git a/src/plugins/Makefile.am b/src/plugins/Makefile.am index f3461786..848bac03 100644 --- a/src/plugins/Makefile.am +++ b/src/plugins/Makefile.am @@ -12,4 +12,4 @@ MAINTAINERCLEANFILES = \ $(srcdir)/Makefile.in -SUBDIRS = auth-pam down-root +SUBDIRS = auth-pam down-root obfs-test diff --git a/src/plugins/obfs-test/Makefile.am b/src/plugins/obfs-test/Makefile.am new file mode 100644 index ..4cc8d183 --- /dev/null +++ b/src/plugins/obfs-test/Makefile.am 
@@ -0,0 +1,29 @@ +MAINTAINERCLEANFILES = \ + $(srcdir)/Makefile.in + +AM_CFLAGS = \ + -I$(top_srcdir)/include \ + $(OPTIONAL_CRYPTO_CFLAGS) + +if ENABLE_PLUGIN_OBFS_TEST +plugin_LTLIBRARIES = openvpn-plugin-obfs-test.la +endif + +openvpn_plugin_obfs_test_la_SOURCES = \ + obfs-test.c \ + obfs-test-munging.c \ + obfs-test-args.c \ + obfs-test.exports + +if WIN32 +openvpn_plugin_obfs_test_la_SOURCES += obfs-test-win32.c +openvpn_plugin_obfs_test_la_LIBADD = -lws2_32 -lwininet +else !WIN32 +openvpn_plugin_obfs_test_la_SOURCES += obfs-test-posix.c +# No LIBADD necessary; we assume we can access the global symbol space, +# and core OpenVPN will already link with everything needed for sockets. +endif + +openvpn_plugin_obfs_test_la_LDFLAGS = $(AM_LDFLAGS) \ + -export-symbols "$(srcdir)/obfs-test.exports" \ + -module -shared -avoid-version -no-undefined diff --git a/src/plugins/obfs-test/README.obfs-test b/src/plugins/obfs-test/README.obfs-test new file mode 100644 index ..5492ee02 --- /dev/null +++ b/src/plugins/obfs-test/README.obfs-test @@ -0,0 +1,26 @@ +obfs-test + +SYNOPSIS + +The obfs-test plugin is a proof of concept for supporting protocol +obfuscation for OpenVPN via a socket intercept plugin. + +BUILD + +You must specify --enable-plugin-obfs-test at configure time to +trigger building this plugin. It should function on POSIX-y platforms +and Windows. + +USAGE + +To invoke this plugin, load it via an appropriate plugin line in the +configuration file, and then specify 'proto indirect' rather than any +other protocol. Packets will then be passed via UDP, but they will +also undergo a very basic content transformation, and the bind port +will be altered (see obfs-test-munging.c for details).
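Review bot: the configure.ac hunk advertises `--disable-plugin-obfs-test` with "default=platform specific", but the action-if-not-given branch hard-codes enable_plugin_obfs_test="no" and the README in this same patch says "You must specify --enable-plugin-obfs-test". The help string should match: `--enable-plugin-obfs-test` with "default=no". As written, someone reading ./configure --help would expect the plugin to build on its own.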
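Review bot: the README.obfs-test USAGE section tells the user to load the plugin and "specify 'proto indirect' rather than any other protocol", but patch 3/4's options.c rejects proto indirect without a --transport-plugin line ("--proto indirect may not be used without a transport-plugin line"). Suggest the README show the two lines together (a --plugin line naming the module and a --transport-plugin line with the same pathname, with proto indirect) so the documented steps actually start. It would also help to say explicitly in SYNOPSIS that the "very basic content transformation" is a test fixture with no confidentiality or integrity properties of its own, so nobody mistakes the sample for a usable obfuscation layer.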