Re: [Openvpn-devel] [PATCH v2 3/7] wintun: implement opening wintun device
Hi,

> -----Original Message-----
> From: Lev Stipakov [mailto:lstipa...@gmail.com]
> Sent: Thursday, November 7, 2019 6:45 PM
> To: openvpn-devel@lists.sourceforge.net
> Cc: Lev Stipakov
> Subject: [Openvpn-devel] [PATCH v2 3/7] wintun: implement opening wintun device
>
> +const static GUID GUID_DEVCLASS_NET = { 0x4d36e972L, 0xe325, 0x11ce, {
> +0xbf, 0xc1, 0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18 } }; const static GUID
> +GUID_DEVINTERFACE_NET = { 0xcac88484, 0x7 515, 0x4c03, { 0x82, 0xe6,
> +0x71, 0xa8, 0x7a, 0xba, 0xc3, 0x61 } };
> +

GUID_DEVCLASS_NET is declared in devguid.h, GUID_DEVINTERFACE_NET in ndisguid.h... No need to redefine them.

However, while one could include those SDK files, one needs to add the appropriate .lib files too. It's not worth complicating for just a couple of GUIDs that will never ever change. So, ACK.

The rest LGTM.

Acked-by: Simon Rozman

Best regards,
Simon

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
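Review bot: the two GUID definitions in the quoted hunk are written `const static GUID ...`; the usual order is `static const GUID ...`, and `static` here also matters because without it each translation unit that includes the header would export its own copy. If the goal is to avoid an import library, an alternative to redefining the constants is to `#include <initguid.h>` before <devguid.h> and <ndisguid.h> in exactly one .c file: with INITGUID set, DEFINE_GUID emits the definitions locally, so no .lib is needed and the values cannot drift from the SDK's.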
[Openvpn-devel] [PATCH v3] wintun: add --windows-driver config option
From: Lev Stipakov This allows to specify which tun driver openvpn should use, tap-windows6 (default) or wintun. Note than wintun support will be added in follow-up patches. Signed-off-by: Lev Stipakov --- v3: - added man page - removed unneccesary assignment - make method static - removed unneeded _WIN32 define v2: - rebased on top of latest master doc/openvpn.8 | 8 src/openvpn/init.c| 4 src/openvpn/options.c | 46 -- src/openvpn/options.h | 1 + src/openvpn/tun.h | 1 + 5 files changed, 58 insertions(+), 2 deletions(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 11daa92..8a7e70f 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -6147,6 +6147,14 @@ Note that pushing unknown options from server does not trigger fatal errors. .\"* .TP +.B \-\-windows\-driver +Specifies which tun driver to use. Values are +.B tap-windows6 +(default) and +.B wintun. +This is Windows-only option. +.\"* +.TP .B \-\-dhcp\-renew Ask Windows to renew the TAP adapter lease on startup. This option is normally unnecessary, as Windows automatically diff --git a/src/openvpn/init.c b/src/openvpn/init.c index ae7bd63..0bdb0a9 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -1733,6 +1733,10 @@ do_init_tun(struct context *c) c->c2.es, >net_ctx); +#ifdef _WIN32 +c->c1.tuntap->wintun = c->options.wintun; +#endif + init_tun_post(c->c1.tuntap, >c2.frame, >options.tuntap_options); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 1838a69..a70a822 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -747,9 +747,10 @@ static const char usage_message[] = " optional parameter controls the initial state of ex.\n" "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net adapter list\n" " after TAP adapter is up and routes have been added.\n" -#ifdef _WIN32 +"--windows-driver : Which tun driver to use?\n" +" tap-windows6 (default)\n" +" wintun\n" "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n" -#endif "Windows Standalone Options:\n" "\n" "--show-adapters : Show all TAP-Windows adapters.\n" @@ -851,6 +852,7 @@ init_options(struct options *o, const bool init_gc) o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */ o->route_method = ROUTE_METHOD_ADAPTIVE; o->block_outside_dns = false; +o->wintun = false; #endif o->vlan_accept = VLAN_ONLY_UNTAGGED_OR_PRIORITY; o->vlan_pvid = 1; @@ -2994,6 +2996,12 @@ options_postprocess_mutate_invariant(struct options *options) options->ifconfig_noexec = false; } +/* for wintun kernel doesn't send DHCP requests, so use ipapi to set IP address and netmask */ +if (options->wintun) +{ +options->tuntap_options.ip_win32_type = IPW32_SET_IPAPI; +} + remap_redirect_gateway_flags(options); #endif @@ -4039,6 +4047,33 @@ foreign_option(struct options *o, char *argv[], int len, struct env_set *es) } } +#ifdef _WIN32 +/** + * Parses --windows-driver config option + * + * @param str value of --windows-driver option + * @param msglevel msglevel to report parsing error + * @return bool true if --windows-driver is wintun, false otherwise + */ +static bool +parse_windows_driver(const char *str, const int msglevel) +{ +if (streq(str, "tap-windows6")) +{ +return false; +} +else if (streq(str, "wintun")) +{ +return true; +} +else +{ +msg(msglevel, "--windows-driver must be tap-windows6 or wintun"); +return false; +} +} +#endif + /* * parse/print topology coding */ 
@@ -5281,6 +5316,13 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); options->dev_type = p[1]; } +#ifdef _WIN32 +else if (streq(p[0], "windows-driver") && p[1] && !p[2]) +{ +VERIFY_PERMISSION(OPT_P_GENERAL); +options->wintun = parse_windows_driver(p[1], M_FATAL); +} +#endif else if (streq(p[0], "dev-node") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index ff7a5bb..0a24e5e 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -632,6 +632,7 @@ struct options bool show_net_up; int route_method; bool block_outside_dns; +bool wintun; #endif bool use_peer_id; diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h index 5a0a933..df935f6 100644 --- a/src/openvpn/tun.h +++ b/src/openvpn/tun.h @@ -175,6 +175,7 @@ struct tuntap
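Review bot: in the options_postprocess_mutate_invariant() hunk, `options->tuntap_options.ip_win32_type = IPW32_SET_IPAPI;` is applied unconditionally whenever `options->wintun` is set, so an --ip-win32 method the user configured explicitly is replaced without notice. Emit a warning when ip_win32_type already holds a different, explicitly chosen value (or reject the incompatible combination during option verification), so the operator learns why their setting had no effect, and reword the comment to say that this is a hard requirement of wintun (the driver does not do DHCP) rather than a preference.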
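Review bot: in the doc/openvpn.8 hunk, `.B wintun.` renders the trailing full stop in bold; use `.BR wintun .` or move the period onto the next line. "This is Windows-only option." is missing an article ("This is a Windows-only option."). The entry would also be more useful if it mentioned the operational consequence visible in the options.c hunk, namely that selecting wintun forces the IP helper API method for address assignment, so readers know why --ip-win32 behaves differently.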
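Review bot: the usage_message hunk deletes the `#ifdef _WIN32` / `#endif` pair around --block-outside-dns and adds the --windows-driver lines without a guard of their own. That is only correct if the surrounding lines (--show-net-up and neighbours) are already inside an enclosing `#ifdef _WIN32`, which lies outside the diff context; please confirm, since an unguarded entry would advertise a Windows-only option in the help text on every platform.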
Re: [Openvpn-devel] [PATCH v2 2/7] wintun: add --windows-driver config option
Hi,

> Should there not be a manpage entry in this commit too?

Indeed. Added to manpage.

> Why do we have to set c->c2.tuntap->wintun in both do_init_tun and
> do_open_tun? Should one of them not suffice?

Just to be sure that it is assigned :) Removed unneeded second assignment.

> Should this --windows-driver option not be inside the #ifdef _WIN32 ?

In fact it is already in _WIN32, but the next option has #ifdef _WIN32 again, so I removed it.

> > +#ifdef _WIN32
> > +bool
> > +parse_windows_driver(const char *str, const int msglevel)
>
> I think this should be a static function. Also a short (doxygen) comment
> explaining what the return value means would be nice.

Done.

> > +bool wintun;
>
> Did you consider using an enum instead? I think it would make the code
> easier to read.

Honestly I do not see too much value in converting bool to enum, it is unlikely that we'll have more tun drivers in the near future. Also changing it here would break follow-up patches. As verbally agreed, I'll look into it afterwards.

v3 is on its way.

--
-Lev
Re: [Openvpn-devel] [PATCH v2 1/7] Visual Studio: upgrade project files to VS2019
Acked-by: Simon Rozman Note, the OpenSSL and other dependencies should also be built using the same version of MSVC. Best regards, Simon -Original Message- From: Lev Stipakov [mailto:lstipa...@gmail.com] Sent: Thursday, November 7, 2019 6:45 PM To: openvpn-devel@lists.sourceforge.net Cc: Lev Stipakov Subject: [Openvpn-devel] [PATCH v2 1/7] Visual Studio: upgrade project files to VS2019 From: Lev Stipakov Signed-off-by: Lev Stipakov --- src/compat/compat.vcxproj | 12 ++-- src/openvpn/openvpn.vcxproj | 12 ++-- src/openvpnmsica/openvpnmsica.vcxproj | 14 +++--- src/openvpnserv/openvpnserv.vcxproj | 12 ++-- src/tapctl/tapctl.vcxproj | 14 +++--- 5 files changed, 32 insertions(+), 32 deletions(-) diff --git a/src/compat/compat.vcxproj b/src/compat/compat.vcxproj index 111dacd..e388008 100644 --- a/src/compat/compat.vcxproj +++ b/src/compat/compat.vcxproj @@ -22,30 +22,30 @@ {4B2E2719-E661-45D7-9203-F6F456B22F19} compat Win32Proj - 10.0.17134.0 +10.0 StaticLibrary MultiByte true -v141 +v142 StaticLibrary MultiByte true -v141 +v142 StaticLibrary MultiByte -v141 +v142 StaticLibrary MultiByte -v141 +v142 @@ -115,4 +115,4 @@ - + \ No newline at end of file diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj index 42b..e77f026 100644 --- a/src/openvpn/openvpn.vcxproj +++ b/src/openvpn/openvpn.vcxproj @@ -22,30 +22,30 @@ {29DF226E-4D4E-440F-ADAF-5829CFD4CA94} openvpn Win32Proj - 10.0.17134.0 +10.0 Application true Unicode -v141 +v142 Application true Unicode -v141 +v142 Application Unicode -v141 +v142 Application Unicode -v141 +v142 @@ -301,4 +301,4 @@ - + \ No newline at end of file diff --git a/src/openvpnmsica/openvpnmsica.vcxproj b/src/openvpnmsica/openvpnmsica.vcxproj index 5f1d699..afa4fae 100644 --- a/src/openvpnmsica/openvpnmsica.vcxproj +++ b/src/openvpnmsica/openvpnmsica.vcxproj 
@@ -31,32 +31,32 @@ {D41AA9D6-B818-476E-992E-0E16EB86BEE2} Win32Proj openvpnmsica - 10.0.17134.0 +10.0 DynamicLibrary true -v141 +v142 Unicode true DynamicLibrary true -v141 +v142 Unicode DynamicLibrary true -v141 +v142 Unicode DynamicLibrary false -v141 +v142 true Unicode true @@ -64,14 +64,14 @@ DynamicLibrary false -v141 +v142 true Unicode DynamicLibrary false -v141 +v142 true Unicode diff --git a/src/openvpnserv/openvpnserv.vcxproj b/src/openvpnserv/openvpnserv.vcxproj index 7407757..7061b7b 100644 --- a/src/openvpnserv/openvpnserv.vcxproj +++ b/src/openvpnserv/openvpnserv.vcxproj @@ -22,30 +22,30 @@ {9C91EE0B-817D-420A-A1E6-15A5A9D98BAD} openvpnserv Win32Proj - 10.0.17134.0 +10.0 Application Unicode true -v141 +v142 Application Unicode true -v141 +v142 Application Unicode -v141 +v142 Application Unicode -v141 +v142 @@ -139,4 +139,4 @@ - + \ No newline at end of file diff --git a/src/tapctl/tapctl.vcxproj b/src/tapctl/tapctl.vcxproj index 5c1983b..1d593fc 100644 --- a/src/tapctl/tapctl.vcxproj +++ b/src/tapctl/tapctl.vcxproj @@ -31,32 +31,32 @@ {A06436E7-D576-490D-8BA0-0751D920334A} Win32Proj tapctl - 10.0.17134.0 +10.0 Application true -v141 +v142 Unicode true Application true -v141 +v142 Unicode Application true -v141 +v142 Unicode Application false -v141 +v142 true Unicode true @@ -64,14 +64,14 @@ Application false -v141 +v142 true Unicode Application false -v141 +v142 true Unicode -- 2.7.4 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel smime.p7s Description: S/MIME cryptographic signature ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
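Review bot: every .vcxproj hunk replaces the pinned WindowsTargetPlatformVersion `10.0.17134.0` with `10.0`, which Visual Studio resolves to the newest Windows 10 SDK installed on the build machine. Together with the v141 to v142 toolset bump, this makes the produced binaries depend on whatever SDK the builder happens to have, so two builds of the same commit on different machines can differ; consider keeping an explicit SDK version, or at least documenting the expected one next to the note that OpenSSL and the other dependencies must be built with the same MSVC.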
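Review bot: the final hunks of compat.vcxproj, openvpn.vcxproj and openvpnserv.vcxproj replace the closing tag with a version that has no trailing newline ("\ No newline at end of file"). That is unrelated to the toolset change and will show up again in every future diff of these files; keep the terminating newline.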
Re: [Openvpn-devel] [PATCH v2 2/7] wintun: add --windows-driver config option
Hi, Thanks for looking into wintun support. Definitely feature-ack. On 07-11-2019 18:45, Lev Stipakov wrote: > From: Lev Stipakov > > This allows to specify which tun driver openvpn should use, > tap-windows6 (default) or wintun. > > Note than wintun support will be added in follow-up patches. > > Signed-off-by: Lev Stipakov > --- > src/openvpn/init.c| 7 +++ > src/openvpn/options.c | 37 + > src/openvpn/options.h | 1 + > src/openvpn/tun.h | 1 + > 4 files changed, 46 insertions(+) Should there not be a manpage entry in this commit too? > > diff --git a/src/openvpn/init.c b/src/openvpn/init.c > index ae7bd63..c6d4953 100644 > --- a/src/openvpn/init.c > +++ b/src/openvpn/init.c > @@ -1733,6 +1733,10 @@ do_init_tun(struct context *c) > c->c2.es, > >net_ctx); > > +#ifdef _WIN32 > +c->c1.tuntap->wintun = c->options.wintun; > +#endif > + > init_tun_post(c->c1.tuntap, >>c2.frame, >>options.tuntap_options); > @@ -1775,6 +1779,9 @@ do_open_tun(struct context *c) > /* store (hide) interactive service handle in tuntap_options */ > c->c1.tuntap->options.msg_channel = c->options.msg_channel; > msg(D_ROUTE, "interactive service msg_channel=%u", (unsigned int) > c->options.msg_channel); > + > +c->c1.tuntap->wintun = c->options.wintun; > + Why do we have to set c->c2.tuntap->wintun in both do_init_tun and do_open_tun? Should one of them not suffice? > #endif > > /* allocate route list structure */ > diff --git a/src/openvpn/options.c b/src/openvpn/options.c > index 1838a69..5c5033e 100644 > --- a/src/openvpn/options.c > +++ b/src/openvpn/options.c 
> @@ -747,6 +747,9 @@ static const char usage_message[] = > " optional parameter controls the initial state of > ex.\n" > "--show-net-up : Show " PACKAGE_NAME "'s view of routing table and net > adapter list\n" > " after TAP adapter is up and routes have been added.\n" > +"--windows-driver : Which tun driver to use?\n" > +" tap-windows6 (default)\n" > +" wintun\n" > #ifdef _WIN32 Should this --windows-driver option not be inside the #ifdef _WIN32 ? > "--block-outside-dns : Block DNS on other network adapters to prevent > DNS leaks\n" > #endif > @@ -851,6 +854,7 @@ init_options(struct options *o, const bool init_gc) > o->tuntap_options.dhcp_masq_offset = 0; /* use network address as > internal DHCP server address */ > o->route_method = ROUTE_METHOD_ADAPTIVE; > o->block_outside_dns = false; > +o->wintun = false; > #endif > o->vlan_accept = VLAN_ONLY_UNTAGGED_OR_PRIORITY; > o->vlan_pvid = 1; > @@ -2994,6 +2998,12 @@ options_postprocess_mutate_invariant(struct options > *options) > options->ifconfig_noexec = false; > } > > +/* for wintun kernel doesn't send DHCP requests, so use ipapi to set IP > address and netmask */ > +if (options->wintun) > +{ > +options->tuntap_options.ip_win32_type = IPW32_SET_IPAPI; > +} > + > remap_redirect_gateway_flags(options); > #endif > > @@ -4039,6 +4049,26 @@ foreign_option(struct options *o, char *argv[], int > len, struct env_set *es) > } > } > > +#ifdef _WIN32 > +bool > +parse_windows_driver(const char *str, const int msglevel) I think this should be a static function. Also a short (doxygen) comment explaining what the return value means would be nice. > +{ > +if (streq(str, "tap-windows6")) > +{ > +return false; > +} > +else if (streq(str, "wintun")) > +{ > +return true; > +} > +else > +{ > +msg(msglevel, "--windows-driver must be tap-windows6 or wintun"); > +return false; > +} > +} > +#endif > + > /* > * parse/print topology coding > */ 
> @@ -5281,6 +5311,13 @@ add_option(struct options *options, > VERIFY_PERMISSION(OPT_P_GENERAL); > options->dev_type = p[1]; > } > +#ifdef _WIN32 > +else if (streq(p[0], "windows-driver") && p[1] && !p[2]) > +{ > +VERIFY_PERMISSION(OPT_P_GENERAL); > +options->wintun = parse_windows_driver(p[1], M_FATAL); > +} > +#endif > else if (streq(p[0], "dev-node") && p[1] && !p[2]) > { > VERIFY_PERMISSION(OPT_P_GENERAL); > diff --git a/src/openvpn/options.h b/src/openvpn/options.h > index ff7a5bb..0a24e5e 100644 > --- a/src/openvpn/options.h > +++ b/src/openvpn/options.h > @@ -632,6 +632,7 @@ struct options > bool show_net_up; > int route_method; > bool block_outside_dns; > +bool wintun; Did you consider using an enum instead? I think it would make the code easier to read. E.g. with typedef enum { WINDRV_TAP6, WINDRV_WINTUN } windrv_t; in tun.h or so, we'd get options->windrv = WINDRV_TAP6 instead of options->wintun = false. >
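Review bot: parse_windows_driver() returns false (tap-windows6) for an unrecognised value after calling `msg(msglevel, ...)`. With the only caller passing M_FATAL the function never returns on that path, but the signature invites a non-fatal msglevel, in which case a typo such as `--windows-driver wintunn` would silently select the other driver. Either drop the msglevel parameter and always fail with M_FATAL, or document that the false return on the error path is only reachable with a non-fatal level and have the caller treat it as an error.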
Re: [Openvpn-devel] using arm64 on travis ?
Fri, 8 Nov 2019 at 14:02, Gert Doering :

> Hi,
>
> On Fri, Nov 08, 2019 at 12:39:00PM +0500, ?? wrote:
> > https://docs.travis-ci.com/user/multi-cpu-architectures
> >
> > we can switch some builds to arm64. any suggestions ?
>
> Sounds good. Right now we only have i386 and amd64 builds (since my
> SPARC machine is going away and my Pi3 slave is still not operational).

not as good as it could be :)

travis-ci uses the same cache key for amd64 and arm64 builds, so (currently) openssl build caches are messed up. but it is easy to resolve

> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany
> g...@greenie.muc.de
[Openvpn-devel] [PATCH applied] Re: travis: add Visual Studio build
Acked-by: Gert Doering

Thanks. Looks reasonable, let's see what Travis has to say about it :)

Your patch has been applied to the master branch.

commit 633fe5185d063a1d1a1bce4170b283ab4273d95d
Author: Lev Stipakov
Date:   Thu Nov 7 23:29:34 2019 +0200

    travis: add Visual Studio build

    Signed-off-by: Lev Stipakov
    Acked-by: Gert Doering
    Message-Id: <1573162174-28461-1-git-send-email-lstipa...@gmail.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19035.html
    Signed-off-by: Gert Doering

--
kind regards,

Gert Doering
[Openvpn-devel] [PATCH v2 8/9] VLAN: add documentation to manpage
This patch adds documentation for all the VLAN related knobs. Signed-off-by: Fabian Knittel Signed-off-by: Antonio Quartulli --- Changes from v1: - slight rewording of some sentences, as suggested by Arne doc/openvpn.8 | 99 ++- 1 file changed, 98 insertions(+), 1 deletion(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 11daa92a..b6ab478b 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -3440,7 +3440,8 @@ without needing to restart the server. The following options are legal in a client\-specific context: -.B \-\-push, \-\-push\-reset, \-\-push\-remove, \-\-iroute, \-\-ifconfig\-push, +.B \-\-push, \-\-push\-reset, \-\-push\-remove, \-\-iroute, +.B \-\-ifconfig\-push, \-\-vlan\-pvid and .B \-\-config. .\"* 
@@ -3908,6 +3909,102 @@ connection is torn down. Not implemented on Windows. .\"* +.TP +.B \-\-vlan\-tagging +Server-only option. Turns the OpenVPN server instance into a switch that +understands VLAN\-tagging, based on IEEE 802.1Q. + +The server TAP device and each of the connecting clients is seen as a port of the +switch. All client ports are in untagged mode and the server TAP device is +VLAN-tagged, untagged or accepts both, depending on the +.B \-\-vlan\-accept setting. + +Ethernet frames with a prepended 802.1Q tag are called "tagged". If the VLAN +Identifier (VID) field in such a tag is non-zero, the frame is called +"VLAN\-tagged". If the VID is zero, but the Priority Control Point (PCP) field +is non\-zero, the frame is called "prio\-tagged". If there is no 802.1Q tag, the +frame is "untagged". + +Using the +.B \-\-vlan\-pvid v +option once per client (see \-\-client\-config\-dir), each port can be associated +with a certain VID. Packets +can only be forwarded between ports having the same VID. Therefore, clients +with differing VIDs are completely separated from one\-another, even if +.B \-\-client\-to\-client +is activated. + +The packet filtering takes place in the OpenVPN server. Clients should not +have any VLAN tagging configuration applied. + +The +.B \-\-vlan\-tagging +option is off by default. While turned off, OpenVPN +accepts any Ethernet frame and does not perform any special processing +for VLAN\-tagged packets. + +The option can only be activated in +.B \-\-dev tap mode. + +.\"* +.TP +.B \-\-vlan\-accept all | tagged | untagged +Configure the VLAN tagging policy for the server TAP device. The following modes +are available: + +.B tagged +\-\- Admit only VLAN\-tagged frames. +Only VLAN\-tagged packets are accepted, while untagged or priority\-tagged +packets are dropped when entering the server TAP device. + +.br +.B untagged +\-\- Admit only untagged and prio\-tagged frames. 
+.br +VLAN\-tagged packets are not accepted, while untagged or priority\-tagged +packets entering the server TAP device are tagged with the value configured +for the global +.B \-\-vlan\-pvid +setting. +.br +.B all +(default) \-\- Admit all frames. +.br +All packets are admitted and then treated like untagged or tagged mode +respectively. + +(Note: Some vendors refer to switch ports running in +.B tagged +mode as "trunk ports" and switch ports running in +.B untagged +mode as "access ports".) + +Packets forwarded from clients to the server are VLAN\-tagged +with the originating client's PVID, unless the VID matches the +global \-\-vlan\-pvid, in which case the tag is removed. + +If no PVID is configured for a given client (see \-\-vlan\-pvid) packets +are tagged with 1 by default. +.\"* +.TP +.B \-\-vlan\-pvid v +Specifies which VLAN identifier a "port" is associated with. Only valid when +\fB\-\-vlan\-tagging\fR is speficied. + +In the client context, the setting specifies which VLAN ID a client is +associated with. In the global context, the VLAN ID of the server TAP device is set. +The latter only makes sense for +.B \-\-vlan\-accept untagged +and +.B \-\-vlan\-accept all +modes. + +Valid values for +.B v +go from 1 through to 4094. Defaults to 1. + +In some switch implementations, the PVID is also referred to as "Native VLAN". +.\"* .SS Client Mode Use client mode when connecting to an OpenVPN server which has -- 2.24.0 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
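Review bot: the --vlan-tagging text in the large doc/openvpn.8 hunk says "All client ports are in untagged mode" and that "Clients should not have any VLAN tagging configuration applied", but it never states what the server does with an 802.1Q-tagged frame that a client sends anyway. Clients are the untrusted side of this switch, and the isolation promised by --vlan-pvid only holds if such frames are dropped rather than honoured, so the manpage should spell out the actual behaviour. Two smaller points in the same hunk: 802.1Q calls the PCP field the "Priority Code Point", not "Priority Control Point", and "speficied" under --vlan-pvid should read "specified".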
Re: [Openvpn-devel] using arm64 on travis ?
Hi,

On Fri, Nov 08, 2019 at 12:39:00PM +0500, ?? wrote:
> https://docs.travis-ci.com/user/multi-cpu-architectures
>
> we can switch some builds to arm64. any suggestions ?

Sounds good. Right now we only have i386 and amd64 builds (since my SPARC machine is going away and my Pi3 slave is still not operational).

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany
g...@greenie.muc.de