passepartoutvpn
/
tunnelkit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
tunnelkit/TunnelKit/Sources/Protocols/OpenVPN/ConfigurationParser.swift

823 lines
34 KiB
Swift
Raw Normal View History

Parse configuration from .ovpn file
2018-11-10 09:45:00 +00:00
//
// ConfigurationParser.swift
// TunnelKit
//
// Created by Davide De Rosa on 9/5/18.
Update copyright clause
2020-01-11 08:26:41 +00:00
// Copyright (c) 2020 Davide De Rosa. All rights reserved.
Parse configuration from .ovpn file
2018-11-10 09:45:00 +00:00
//
Update GitHub URL Move to passepartoutvpn org.
2019-05-14 08:58:47 +00:00
// https://github.com/passepartoutvpn
Parse configuration from .ovpn file
2018-11-10 09:45:00 +00:00
//
// This file is part of TunnelKit.
//
// TunnelKit is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// TunnelKit is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with TunnelKit. If not, see <http://www.gnu.org/licenses/>.
//
import Foundation
import SwiftyBeaver
Split Core into Core+OpenVPN Two Obj-C modules: - __TunnelKitCore - __TunnelKitOpenVPN Seems the only way to do it in multiple module maps. Move OpenVPN specifics out of CoreConfiguration.
2019-05-19 00:05:34 +00:00
import __TunnelKitCore
Parse configuration from .ovpn file
2018-11-10 09:45:00 +00:00
private let log = SwiftyBeaver.self
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
extension OpenVPN {
Add jazzy doc to ConfigurationParser
2018-11-10 10:24:23 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
/// Provides methods to parse a `Configuration` from an .ovpn configuration file.
public class ConfigurationParser {
Parse --redirect-gateway from configuration FIXME: for now only redirects ALL traffic when the option is found in the configuration file, whatever the arguments. Also drop unnecessary base options in tests as everything was made optional recently.
2019-04-25 11:06:22 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
// XXX: parsing is very optimistic
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
struct Regex {
// MARK: General
static let cipher = NSRegularExpression("^cipher +[^,\\s]+")
static let auth = NSRegularExpression("^auth +[\\w\\-]+")
static let compLZO = NSRegularExpression("^comp-lzo.*")
static let compress = NSRegularExpression("^compress.*")
static let keyDirection = NSRegularExpression("^key-direction +\\d")
static let ping = NSRegularExpression("^ping +\\d+")
Allow keep alive timeout to be configured by the server or client
2019-09-30 18:54:29 +00:00
static let pingRestart = NSRegularExpression("^ping-restart +\\d+")
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
static let renegSec = NSRegularExpression("^reneg-sec +\\d+")
static let blockBegin = NSRegularExpression("^<[\\w\\-]+>")
static let blockEnd = NSRegularExpression("^<\\/[\\w\\-]+>")
// MARK: Client
Handle IPv4/IPv6 variants in SocketType
2020-02-29 21:47:51 +00:00
static let proto = NSRegularExpression("^proto +(udp[46]?|tcp[46]?)")
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
static let port = NSRegularExpression("^port +\\d+")
Handle IPv4/IPv6 variants in SocketType
2020-02-29 21:47:51 +00:00
static let remote = NSRegularExpression("^remote +[^ ]+( +\\d+)?( +(udp[46]?|tcp[46]?))?")
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
static let eku = NSRegularExpression("^remote-cert-tls +server")
static let remoteRandom = NSRegularExpression("^remote-random")
// MARK: Server
static let authToken = NSRegularExpression("^auth-token +[a-zA-Z0-9/=+]+")
static let peerId = NSRegularExpression("^peer-id +[0-9]+")
// MARK: Routing
static let topology = NSRegularExpression("^topology +(net30|p2p|subnet)")
static let ifconfig = NSRegularExpression("^ifconfig +[\\d\\.]+ [\\d\\.]+")
static let ifconfig6 = NSRegularExpression("^ifconfig-ipv6 +[\\da-fA-F:]+/\\d+ [\\da-fA-F:]+")
static let route = NSRegularExpression("^route +[\\d\\.]+( +[\\d\\.]+){0,2}")
static let route6 = NSRegularExpression("^route-ipv6 +[\\da-fA-F:]+/\\d+( +[\\da-fA-F:]+){0,2}")
static let gateway = NSRegularExpression("^route-gateway +[\\d\\.]+")
static let dns = NSRegularExpression("^dhcp-option +DNS6? +[\\d\\.a-fA-F:]+")
static let domain = NSRegularExpression("^dhcp-option +DOMAIN +[^ ]+")
Add Proxy Auto-Configuration (PAC) support
2019-10-21 19:47:45 +00:00
static let proxy = NSRegularExpression("^dhcp-option +PROXY_(HTTPS? +[^ ]+ +\\d+|AUTO_CONFIG_URL +[^ ]+)")
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
static let proxyBypass = NSRegularExpression("^dhcp-option +PROXY_BYPASS +.+")
static let redirectGateway = NSRegularExpression("^redirect-gateway.*")
// MARK: Unsupported
// static let fragment = NSRegularExpression("^fragment +\\d+")
static let fragment = NSRegularExpression("^fragment")
static let connectionProxy = NSRegularExpression("^\\w+-proxy")
static let externalFiles = NSRegularExpression("^(ca|cert|key|tls-auth|tls-crypt) ")
static let connection = NSRegularExpression("^<connection>")
// MARK: Continuation
static let continuation = NSRegularExpression("^push-continuation [12]")
}
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
private enum Topology: String {
case net30
case p2p
case subnet
}
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
private enum RedirectGateway: String {
case def1 // default
Parse --redirect-gateway from configuration FIXME: for now only redirects ALL traffic when the option is found in the configuration file, whatever the arguments. Also drop unnecessary base options in tests as everything was made optional recently.
2019-04-25 11:06:22 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
case noIPv4 = "!ipv4"
case ipv6
Extend handling of redirect-gateway flags - def1 (IPv4) - ipv6 (IPv6) - !ipv4 (IPv6 only)
2019-04-27 11:43:09 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
case local
case autolocal
case blockLocal = "block-local"
Parse --redirect-gateway from configuration FIXME: for now only redirects ALL traffic when the option is found in the configuration file, whatever the arguments. Also drop unnecessary base options in tests as everything was made optional recently.
2019-04-25 11:06:22 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
case bypassDHCP = "bypass-dhcp"
case bypassDNS = "bypass-dns"
}
Parse --redirect-gateway from configuration FIXME: for now only redirects ALL traffic when the option is found in the configuration file, whatever the arguments. Also drop unnecessary base options in tests as everything was made optional recently.
2019-04-25 11:06:22 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
/// Result of the parser.
public struct Result {
Add jazzy doc to ConfigurationParser
2018-11-10 10:24:23 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
/// Original URL of the configuration file, if parsed from an URL.
public let url: URL?
Add jazzy doc to ConfigurationParser
2018-11-10 10:24:23 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
/// The overall parsed `Configuration`.
public let configuration: Configuration
Parse configuration from .ovpn file
2018-11-10 09:45:00 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
/// The lines of the configuration file stripped of any sensitive data. Lines that
/// the parser does not recognize are discarded in the first place.
///
/// - Seealso: `ConfigurationParser.parsed(...)`
public let strippedLines: [String]?
/// Holds an optional `ConfigurationError` that didn't block the parser, but it would be worth taking care of.
public let warning: ConfigurationError?
}
Parse configuration from .ovpn file
2018-11-10 09:45:00 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
/**
Parses an .ovpn file from an URL.
- Parameter url: The URL of the configuration file.
- Parameter passphrase: The optional passphrase for encrypted data.
- Parameter returnsStripped: When `true`, stores the stripped file into `Result.strippedLines`. Defaults to `false`.
- Returns: The `Result` outcome of the parsing.
- Throws: `ConfigurationError` if the configuration file is wrong or incomplete.
*/
public static func parsed(fromURL url: URL, passphrase: String? = nil, returnsStripped: Bool = false) throws -> Result {
let lines = try String(contentsOf: url).trimmedLines()
Only require --ca and --cipher from clients Not in a PUSH_REPLY, for example.
2019-11-20 18:46:52 +00:00
return try parsed(fromLines: lines, isClient: true, passphrase: passphrase, originalURL: url, returnsStripped: returnsStripped)
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
}
Parse dhcp-option PROXY_HTTP* into Configuration
2019-04-12 05:47:27 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
/**
Parses a configuration from an array of lines.
- Parameter lines: The array of lines holding the configuration.
Only require --ca and --cipher from clients Not in a PUSH_REPLY, for example.
2019-11-20 18:46:52 +00:00
- Parameter isClient: Enables additional checks for client configurations.
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
- Parameter passphrase: The optional passphrase for encrypted data.
- Parameter originalURL: The optional original URL of the configuration file.
- Parameter returnsStripped: When `true`, stores the stripped file into `Result.strippedLines`. Defaults to `false`.
- Returns: The `Result` outcome of the parsing.
- Throws: `ConfigurationError` if the configuration file is wrong or incomplete.
*/
Only require --ca and --cipher from clients Not in a PUSH_REPLY, for example.
2019-11-20 18:46:52 +00:00
public static func parsed(fromLines lines: [String], isClient: Bool = false, passphrase: String? = nil, originalURL: URL? = nil, returnsStripped: Bool = false) throws -> Result {
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
var optStrippedLines: [String]? = returnsStripped ? [] : nil
var optWarning: ConfigurationError?
var unsupportedError: ConfigurationError?
var currentBlockName: String?
var currentBlock: [String] = []
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
var optCipher: Cipher?
var optDigest: Digest?
var optCompressionFraming: CompressionFraming?
var optCompressionAlgorithm: CompressionAlgorithm?
var optCA: CryptoContainer?
var optClientCertificate: CryptoContainer?
var optClientKey: CryptoContainer?
var optKeyDirection: StaticKey.Direction?
var optTLSKeyLines: [Substring]?
var optTLSStrategy: TLSWrap.Strategy?
var optKeepAliveSeconds: TimeInterval?
Allow keep alive timeout to be configured by the server or client
2019-09-30 18:54:29 +00:00
var optKeepAliveTimeoutSeconds: TimeInterval?
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
var optRenegotiateAfterSeconds: TimeInterval?
//
var optDefaultProto: SocketType?
var optDefaultPort: UInt16?
var optRemotes: [(String, UInt16?, SocketType?)] = [] // address, port, socket
var optChecksEKU: Bool?
var optRandomizeEndpoint: Bool?
//
var optAuthToken: String?
var optPeerId: UInt32?
//
var optTopology: String?
var optIfconfig4Arguments: [String]?
var optIfconfig6Arguments: [String]?
var optGateway4Arguments: [String]?
var optRoutes4: [(String, String, String?)] = [] // address, netmask, gateway
var optRoutes6: [(String, UInt8, String?)] = [] // destination, prefix, gateway
var optDNSServers: [String]?
Parse multiple "dhcp-option DOMAIN" lines
2019-10-25 15:21:34 +00:00
var optSearchDomains: [String]?
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
var optHTTPProxy: Proxy?
var optHTTPSProxy: Proxy?
Address review comments
2019-10-22 19:03:25 +00:00
var optProxyAutoConfigurationURL: URL?
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
var optProxyBypass: [String]?
var optRedirectGateway: Set<RedirectGateway>?
log.verbose("Configuration file:")
for line in lines {
log.verbose(line)
var isHandled = false
var strippedLine = line
defer {
if isHandled {
optStrippedLines?.append(strippedLine)
}
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
// MARK: Unsupported
// check blocks first
Regex.connection.enumerateComponents(in: line) { (_) in
unsupportedError = ConfigurationError.unsupportedConfiguration(option: "<connection> blocks")
}
Regex.fragment.enumerateComponents(in: line) { (_) in
unsupportedError = ConfigurationError.unsupportedConfiguration(option: "fragment")
}
Regex.connectionProxy.enumerateComponents(in: line) { (_) in
unsupportedError = ConfigurationError.unsupportedConfiguration(option: "proxy: \"\(line)\"")
}
Regex.externalFiles.enumerateComponents(in: line) { (_) in
unsupportedError = ConfigurationError.unsupportedConfiguration(option: "external file: \"\(line)\"")
}
if line.contains("mtu") || line.contains("mssfix") {
isHandled = true
}
// MARK: Continuation
Throw to exit PUSH_REPLY parsing on continuation
2019-03-22 10:58:30 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
var isContinuation = false
Regex.continuation.enumerateArguments(in: line) {
isContinuation = ($0.first == "2")
}
guard !isContinuation else {
Prefix top-level entities with OpenVPN*
2019-05-19 12:19:23 +00:00
throw OpenVPNError.continuationPushReply
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
}
Throw to exit PUSH_REPLY parsing on continuation
2019-03-22 10:58:30 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
// MARK: Inline content
if unsupportedError == nil {
if currentBlockName == nil {
Regex.blockBegin.enumerateComponents(in: line) {
isHandled = true
let tag = $0.first!
let from = tag.index(after: tag.startIndex)
let to = tag.index(before: tag.endIndex)
currentBlockName = String(tag[from..<to])
currentBlock = []
}
}
Regex.blockEnd.enumerateComponents(in: line) {
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
isHandled = true
let tag = $0.first!
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
let from = tag.index(tag.startIndex, offsetBy: 2)
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
let to = tag.index(before: tag.endIndex)
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
let blockName = String(tag[from..<to])
guard blockName == currentBlockName else {
return
}
// first is opening tag
currentBlock.removeFirst()
switch blockName {
case "ca":
optCA = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
case "cert":
optClientCertificate = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
case "key":
ConfigurationParser.normalizeEncryptedPEMBlock(block: &currentBlock)
optClientKey = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
case "tls-auth":
optTLSKeyLines = currentBlock.map { Substring($0) }
optTLSStrategy = .auth
case "tls-crypt":
optTLSKeyLines = currentBlock.map { Substring($0) }
optTLSStrategy = .crypt
default:
break
}
currentBlockName = nil
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
currentBlock = []
}
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
if let _ = currentBlockName {
currentBlock.append(line)
continue
}
// MARK: General
Regex.cipher.enumerateArguments(in: line) {
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
isHandled = true
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
guard let rawValue = $0.first else {
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
return
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
optCipher = Cipher(rawValue: rawValue.uppercased())
if optCipher == nil {
unsupportedError = ConfigurationError.unsupportedConfiguration(option: "cipher \(rawValue)")
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
Regex.auth.enumerateArguments(in: line) {
isHandled = true
guard let rawValue = $0.first else {
return
}
optDigest = Digest(rawValue: rawValue.uppercased())
if optDigest == nil {
unsupportedError = ConfigurationError.unsupportedConfiguration(option: "auth \(rawValue)")
}
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
Regex.compLZO.enumerateArguments(in: line) {
isHandled = true
optCompressionFraming = .compLZO
if !LZOIsSupported() {
guard let arg = $0.first else {
optWarning = optWarning ?? .unsupportedConfiguration(option: line)
return
}
guard arg == "no" else {
unsupportedError = .unsupportedConfiguration(option: line)
return
}
} else {
let arg = $0.first
optCompressionAlgorithm = (arg == "no") ? .disabled : .LZO
}
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
Regex.compress.enumerateArguments(in: line) {
isHandled = true
optCompressionFraming = .compress
if !LZOIsSupported() {
guard $0.isEmpty else {
unsupportedError = .unsupportedConfiguration(option: line)
return
}
} else {
if let arg = $0.first {
optCompressionAlgorithm = (arg == "lzo") ? .LZO : .other
} else {
optCompressionAlgorithm = .disabled
}
}
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
Regex.keyDirection.enumerateArguments(in: line) {
isHandled = true
guard let arg = $0.first, let value = Int(arg) else {
return
}
optKeyDirection = StaticKey.Direction(rawValue: value)
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
Regex.ping.enumerateArguments(in: line) {
isHandled = true
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
guard let arg = $0.first else {
return
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
optKeepAliveSeconds = TimeInterval(arg)
}
Allow keep alive timeout to be configured by the server or client
2019-09-30 18:54:29 +00:00
Regex.pingRestart.enumerateArguments(in: line) {
isHandled = true
guard let arg = $0.first else {
return
}
optKeepAliveTimeoutSeconds = TimeInterval(arg)
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
Regex.renegSec.enumerateArguments(in: line) {
isHandled = true
guard let arg = $0.first else {
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
return
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
optRenegotiateAfterSeconds = TimeInterval(arg)
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
// MARK: Client
Regex.proto.enumerateArguments(in: line) {
isHandled = true
guard let str = $0.first else {
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
return
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
optDefaultProto = SocketType(protoString: str)
if optDefaultProto == nil {
unsupportedError = ConfigurationError.unsupportedConfiguration(option: "proto \(str)")
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
Regex.port.enumerateArguments(in: line) {
isHandled = true
guard let str = $0.first else {
return
}
optDefaultPort = UInt16(str)
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
Regex.remote.enumerateArguments(in: line) {
isHandled = true
guard let hostname = $0.first else {
return
}
var port: UInt16?
var proto: SocketType?
var strippedComponents = ["remote", "<hostname>"]
if $0.count > 1 {
port = UInt16($0[1])
strippedComponents.append($0[1])
}
if $0.count > 2 {
proto = SocketType(protoString: $0[2])
strippedComponents.append($0[2])
}
optRemotes.append((hostname, port, proto))
// replace private data
strippedLine = strippedComponents.joined(separator: " ")
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
Regex.eku.enumerateComponents(in: line) { (_) in
isHandled = true
optChecksEKU = true
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
Regex.remoteRandom.enumerateComponents(in: line) { (_) in
isHandled = true
optRandomizeEndpoint = true
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
// MARK: Server
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
Regex.authToken.enumerateArguments(in: line) {
optAuthToken = $0[0]
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
Regex.peerId.enumerateArguments(in: line) {
optPeerId = UInt32($0[0])
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
// MARK: Routing
Regex.topology.enumerateArguments(in: line) {
optTopology = $0.first
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
Regex.ifconfig.enumerateArguments(in: line) {
optIfconfig4Arguments = $0
Treat empty DNS servers as nil Empty local DNS array was pretty much hiding server-pushed DNS.
2019-04-16 22:42:07 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
Regex.ifconfig6.enumerateArguments(in: line) {
optIfconfig6Arguments = $0
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
Regex.route.enumerateArguments(in: line) {
let routeEntryArguments = $0
let address = routeEntryArguments[0]
let mask = (routeEntryArguments.count > 1) ? routeEntryArguments[1] : "255.255.255.255"
Assume VPN gateway when route gw is "vpn_gateway"
2019-10-22 11:52:24 +00:00
var gateway = (routeEntryArguments.count > 2) ? routeEntryArguments[2] : nil // defaultGateway4
if gateway == "vpn_gateway" {
gateway = nil
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
optRoutes4.append((address, mask, gateway))
Parse dhcp-option PROXY_HTTP* into Configuration
2019-04-12 05:47:27 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
Regex.route6.enumerateArguments(in: line) {
let routeEntryArguments = $0
Handle dhcp-option PROXY_BYPASS
2019-04-13 17:03:27 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
let destinationComponents = routeEntryArguments[0].components(separatedBy: "/")
guard destinationComponents.count == 2 else {
return
}
guard let prefix = UInt8(destinationComponents[1]) else {
return
}
Parse dhcp-option PROXY_HTTP* into Configuration
2019-04-12 05:47:27 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
let destination = destinationComponents[0]
Assume VPN gateway when route gw is "vpn_gateway"
2019-10-22 11:52:24 +00:00
var gateway = (routeEntryArguments.count > 1) ? routeEntryArguments[1] : nil // defaultGateway6
if gateway == "vpn_gateway" {
gateway = nil
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
optRoutes6.append((destination, prefix, gateway))
Parse dhcp-option PROXY_HTTP* into Configuration
2019-04-12 05:47:27 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
Regex.gateway.enumerateArguments(in: line) {
optGateway4Arguments = $0
Handle dhcp-option PROXY_BYPASS
2019-04-13 17:03:27 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
Regex.dns.enumerateArguments(in: line) {
guard $0.count == 2 else {
return
}
if optDNSServers == nil {
optDNSServers = []
}
optDNSServers?.append($0[1])
}
Regex.domain.enumerateArguments(in: line) {
guard $0.count == 2 else {
return
}
Parse multiple "dhcp-option DOMAIN" lines
2019-10-25 15:21:34 +00:00
if optSearchDomains == nil {
optSearchDomains = []
}
optSearchDomains?.append($0[1])
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
}
Regex.proxy.enumerateArguments(in: line) {
Add Proxy Auto-Configuration (PAC) support
2019-10-21 19:47:45 +00:00
if $0.count == 2 {
Address review comments
2019-10-22 19:03:25 +00:00
guard let url = URL(string: $0[1]) else {
Add Proxy Auto-Configuration (PAC) support
2019-10-21 19:47:45 +00:00
unsupportedError = ConfigurationError.malformed(option: "dhcp-option PROXY_AUTO_CONFIG_URL has malformed URL")
Address review comments
2019-10-22 19:03:25 +00:00
return
Add Proxy Auto-Configuration (PAC) support
2019-10-21 19:47:45 +00:00
}
Address review comments
2019-10-22 19:03:25 +00:00
optProxyAutoConfigurationURL = url
Add Proxy Auto-Configuration (PAC) support
2019-10-21 19:47:45 +00:00
return
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
guard $0.count == 3, let port = UInt16($0[2]) else {
return
}
switch $0[0] {
case "PROXY_HTTPS":
optHTTPSProxy = Proxy($0[1], port)
case "PROXY_HTTP":
optHTTPProxy = Proxy($0[1], port)
Add Proxy Auto-Configuration (PAC) support
2019-10-21 19:47:45 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
default:
break
}
}
Regex.proxyBypass.enumerateArguments(in: line) {
guard !$0.isEmpty else {
return
}
optProxyBypass = $0
optProxyBypass?.removeFirst()
}
Regex.redirectGateway.enumerateArguments(in: line) {
Parse --redirect-gateway from configuration FIXME: for now only redirects ALL traffic when the option is found in the configuration file, whatever the arguments. Also drop unnecessary base options in tests as everything was made optional recently.
2019-04-25 11:06:22 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
// redirect IPv4 by default
optRedirectGateway = [.def1]
Parse --redirect-gateway from configuration FIXME: for now only redirects ALL traffic when the option is found in the configuration file, whatever the arguments. Also drop unnecessary base options in tests as everything was made optional recently.
2019-04-25 11:06:22 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
for arg in $0 {
guard let opt = RedirectGateway(rawValue: arg) else {
continue
}
optRedirectGateway?.insert(opt)
Parse --redirect-gateway from configuration FIXME: for now only redirects ALL traffic when the option is found in the configuration file, whatever the arguments. Also drop unnecessary base options in tests as everything was made optional recently.
2019-04-25 11:06:22 +00:00
}
}
Handle dhcp-option PROXY_BYPASS
2019-04-13 17:03:27 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
//
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
if let error = unsupportedError {
throw error
}
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
Only require --ca and --cipher from clients Not in a PUSH_REPLY, for example.
2019-11-20 18:46:52 +00:00
if isClient {
guard let _ = optCA else {
throw ConfigurationError.missingConfiguration(option: "ca")
}
guard let _ = optCipher else {
throw ConfigurationError.missingConfiguration(option: "cipher")
}
Make --ca and --cipher non-optional in .ovpn Dodge those annoying scenarios where server cipher is not set and defaults to BF-CBC, whereas default TunnelKit cipher is AES-128-CBC. And data channel stalls.
2019-11-20 00:03:50 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
//
var sessionBuilder = ConfigurationBuilder()
// MARK: General
sessionBuilder.cipher = optCipher
sessionBuilder.digest = optDigest
sessionBuilder.compressionFraming = optCompressionFraming
sessionBuilder.compressionAlgorithm = optCompressionAlgorithm
sessionBuilder.ca = optCA
sessionBuilder.clientCertificate = optClientCertificate
if let clientKey = optClientKey, clientKey.isEncrypted {
guard let passphrase = passphrase else {
throw ConfigurationError.encryptionPassphrase
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
do {
sessionBuilder.clientKey = try clientKey.decrypted(with: passphrase)
} catch let e {
throw ConfigurationError.unableToDecrypt(error: e)
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
} else {
sessionBuilder.clientKey = optClientKey
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
if let keyLines = optTLSKeyLines, let strategy = optTLSStrategy {
let optKey: StaticKey?
switch strategy {
case .auth:
optKey = StaticKey(lines: keyLines, direction: optKeyDirection)
case .crypt:
optKey = StaticKey(lines: keyLines, direction: .client)
}
if let key = optKey {
sessionBuilder.tlsWrap = TLSWrap(strategy: strategy, key: key)
}
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
sessionBuilder.keepAliveInterval = optKeepAliveSeconds
Allow keep alive timeout to be configured by the server or client
2019-09-30 18:54:29 +00:00
sessionBuilder.keepAliveTimeout = optKeepAliveTimeoutSeconds
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
sessionBuilder.renegotiatesAfter = optRenegotiateAfterSeconds
// MARK: Client
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
optDefaultProto = optDefaultProto ?? .udp
optDefaultPort = optDefaultPort ?? 1194
if !optRemotes.isEmpty {
sessionBuilder.hostname = optRemotes[0].0
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
var fullRemotes: [(String, UInt16, SocketType)] = []
let hostname = optRemotes[0].0
optRemotes.forEach {
guard $0.0 == hostname else {
return
}
guard let port = $0.1 ?? optDefaultPort else {
return
}
guard let socketType = $0.2 ?? optDefaultProto else {
return
}
fullRemotes.append((hostname, port, socketType))
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
sessionBuilder.endpointProtocols = fullRemotes.map { EndpointProtocol($0.2, $0.1) }
} else {
sessionBuilder.hostname = nil
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
sessionBuilder.checksEKU = optChecksEKU
sessionBuilder.randomizeEndpoint = optRandomizeEndpoint
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
// MARK: Server
sessionBuilder.authToken = optAuthToken
sessionBuilder.peerId = optPeerId
// MARK: Routing
//
// excerpts from OpenVPN manpage
//
// "--ifconfig l rn":
//
// Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices in point-to-point mode, rn is the IP address of
// the remote VPN endpoint. For TAP devices, or TUN devices used with --topology subnet, rn is the subnet mask of the virtual network segment which
// is being created or connected to.
//
// "--topology mode":
//
// Note: Using --topology subnet changes the interpretation of the arguments of --ifconfig to mean "address netmask", no longer "local remote".
//
if let ifconfig4Arguments = optIfconfig4Arguments {
guard ifconfig4Arguments.count == 2 else {
throw ConfigurationError.malformed(option: "ifconfig takes 2 arguments")
}
let address4: String
let addressMask4: String
let defaultGateway4: String
let topology = Topology(rawValue: optTopology ?? "") ?? .net30
switch topology {
case .subnet:
Extend handling of redirect-gateway flags - def1 (IPv4) - ipv6 (IPv6) - !ipv4 (IPv6 only)
2019-04-27 11:43:09 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
// default gateway required when topology is subnet
guard let gateway4Arguments = optGateway4Arguments, gateway4Arguments.count == 1 else {
throw ConfigurationError.malformed(option: "route-gateway takes 1 argument")
}
address4 = ifconfig4Arguments[0]
addressMask4 = ifconfig4Arguments[1]
defaultGateway4 = gateway4Arguments[0]
Block LAN when redirect-gateway block-local Fixes #81
2019-05-01 15:15:41 +00:00
Extend handling of redirect-gateway flags - def1 (IPv4) - ipv6 (IPv6) - !ipv4 (IPv6 only)
2019-04-27 11:43:09 +00:00
default:
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
address4 = ifconfig4Arguments[0]
addressMask4 = "255.255.255.255"
defaultGateway4 = ifconfig4Arguments[1]
}
let routes4 = optRoutes4.map { IPv4Settings.Route($0.0, $0.1, $0.2 ?? defaultGateway4) }
sessionBuilder.ipv4 = IPv4Settings(
address: address4,
addressMask: addressMask4,
defaultGateway: defaultGateway4,
routes: routes4
)
}
if let ifconfig6Arguments = optIfconfig6Arguments {
guard ifconfig6Arguments.count == 2 else {
throw ConfigurationError.malformed(option: "ifconfig-ipv6 takes 2 arguments")
}
let address6Components = ifconfig6Arguments[0].components(separatedBy: "/")
guard address6Components.count == 2 else {
throw ConfigurationError.malformed(option: "ifconfig-ipv6 address must have a /prefix")
}
guard let addressPrefix6 = UInt8(address6Components[1]) else {
throw ConfigurationError.malformed(option: "ifconfig-ipv6 address prefix must be a 8-bit number")
Extend handling of redirect-gateway flags - def1 (IPv4) - ipv6 (IPv6) - !ipv4 (IPv6 only)
2019-04-27 11:43:09 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
let address6 = address6Components[0]
let defaultGateway6 = ifconfig6Arguments[1]
let routes6 = optRoutes6.map { IPv6Settings.Route($0.0, $0.1, $0.2 ?? defaultGateway6) }
sessionBuilder.ipv6 = IPv6Settings(
address: address6,
addressPrefixLength: addressPrefix6,
defaultGateway: defaultGateway6,
routes: routes6
)
Extend handling of redirect-gateway flags - def1 (IPv4) - ipv6 (IPv6) - !ipv4 (IPv6 only)
2019-04-27 11:43:09 +00:00
}
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
sessionBuilder.dnsServers = optDNSServers
Parse multiple "dhcp-option DOMAIN" lines
2019-10-25 15:21:34 +00:00
sessionBuilder.searchDomains = optSearchDomains
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
sessionBuilder.httpProxy = optHTTPProxy
sessionBuilder.httpsProxy = optHTTPSProxy
Address review comments
2019-10-22 19:03:25 +00:00
sessionBuilder.proxyAutoConfigurationURL = optProxyAutoConfigurationURL
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
sessionBuilder.proxyBypassDomains = optProxyBypass
if let flags = optRedirectGateway {
var policies: Set<RoutingPolicy> = []
for opt in flags {
switch opt {
case .def1:
policies.insert(.IPv4)
case .ipv6:
policies.insert(.IPv6)
case .blockLocal:
policies.insert(.blockLocal)
default:
// TODO: handle [auto]local and block-*
continue
}
}
if flags.contains(.noIPv4) {
policies.remove(.IPv4)
}
sessionBuilder.routingPolicies = [RoutingPolicy](policies)
Extend handling of redirect-gateway flags - def1 (IPv4) - ipv6 (IPv6) - !ipv4 (IPv6 only)
2019-04-27 11:43:09 +00:00
}
Parse --redirect-gateway from configuration FIXME: for now only redirects ALL traffic when the option is found in the configuration file, whatever the arguments. Also drop unnecessary base options in tests as everything was made optional recently.
2019-04-25 11:06:22 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
//
return Result(
url: originalURL,
configuration: sessionBuilder.build(),
strippedLines: optStrippedLines,
warning: optWarning
)
}
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
Wrap OpenVPN entities in pseudonamespace Temporarily exclude AppExtension and tests.
2019-05-19 12:04:41 +00:00
private static func normalizeEncryptedPEMBlock(block: inout [String]) {
// if block.count >= 1 && block[0].contains("ENCRYPTED") {
// return true
// }
// XXX: restore blank line after encryption header (easier than tweaking trimmedLines)
if block.count >= 3 && block[1].contains("Proc-Type") {
block.insert("", at: 3)
// return true
}
// return false
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
}
Parse configuration from .ovpn file
2018-11-10 09:45:00 +00:00
}
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
private extension String {
Parse configuration from .ovpn file
2018-11-10 09:45:00 +00:00
func trimmedLines() -> [String] {
return components(separatedBy: .newlines).map {
$0.trimmingCharacters(in: .whitespacesAndNewlines)
}.filter {
!$0.isEmpty
}
}
}
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
private extension SocketType {
init?(protoString: String) {
Handle IPv4/IPv6 variants in SocketType
2020-02-29 21:47:51 +00:00
self.init(rawValue: protoString.uppercased())
Merge OptionsBundle into Configuration FIXME: issues with non-optional .cipher and .compressionFraming Because: - No pushed cipher (nil) is NOT .aes128cbc - No pushed framing (nil) is NOT .disabled Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 10:40:28 +00:00
}
}