Davide De Rosa
9da7fa9667
Split Core into Core+OpenVPN
...
Two Obj-C modules:
- __TunnelKitCore
- __TunnelKitOpenVPN
Seems the only way to do it in multiple module maps.
Move OpenVPN specifics out of CoreConfiguration.
2019-05-19 12:22:32 +02:00
Davide De Rosa
491092f2a3
Drop extra header lines
2019-05-19 12:21:44 +02:00
Davide De Rosa
21b67fd9ff
Make CoreConfiguration a class for bundle lookup
2019-05-19 11:36:26 +02:00
Davide De Rosa
470c50b037
Return just <masked> when masked description
...
Why bother with useless hashes?
2019-05-19 11:36:26 +02:00
Davide De Rosa
d19e029131
Use guard
2019-05-19 11:36:26 +02:00
Davide De Rosa
713a46d817
Update GitHub URL
...
Move to passepartoutvpn org.
2019-05-14 10:58:47 +02:00
Davide De Rosa
7cbcfcd264
Fix condition for SOFT_RESET
...
May receive multiple packets while handling in progress.
2019-05-13 12:15:44 +02:00
Davide De Rosa
d06b2e1928
Shut down if no default gateway
2019-05-11 17:40:46 +02:00
Davide De Rosa
5ce49953a0
Assume empty policies to override server settings
...
Empty != nil. When nil, pull from server.
2019-05-11 16:33:49 +02:00
Davide De Rosa
43c70b2673
Refine logging of some configuration
...
Log about routing entries.
2019-05-11 14:54:25 +02:00
Davide De Rosa
ff0dfc450c
Get TLS security level via AppExtension
...
Improves #97
2019-05-08 16:16:30 +02:00
Davide De Rosa
3a136bdce9
Make TLS security level an option
...
Default level by default.
2019-05-08 16:10:35 +02:00
Davide De Rosa
82f0431303
Take optional securityLevel field in TLSBox
2019-05-08 15:54:05 +02:00
Davide De Rosa
97f178cdac
Tolerate weak certificates
...
Lower SSL security level.
Fixes #97
2019-05-05 17:51:24 +02:00
Davide De Rosa
273007cc59
Copy route.h from macOS
...
Missing on iOS.
2019-05-03 15:14:25 +02:00
Davide De Rosa
a693075e90
Block LAN when redirect-gateway block-local
...
Fixes #81
2019-05-03 15:14:25 +02:00
Davide De Rosa
13cae06a49
Add method to partition a subnet
2019-05-03 15:14:25 +02:00
Davide De Rosa
03a1eb2203
Return IPv4 network mask for a route
2019-05-03 15:14:25 +02:00
Davide De Rosa
4295e63c98
Read relevant routing table
2019-05-03 15:14:25 +02:00
Davide De Rosa
d44d08c95e
Retain self weakly for shutdown on timeout
2019-05-02 13:13:43 +02:00
Davide De Rosa
1430241b0c
Do not fake BF-CBC, pleae
2019-05-01 23:18:54 +02:00
Davide De Rosa
037f08ed62
Retry auth once without local options
...
Hack around picky server implementations.
Fixes #95
2019-05-01 11:14:52 +02:00
Davide De Rosa
14b7f08fb5
Use strict ordering in local options
...
And add TLS wrapping.
2019-05-01 11:14:38 +02:00
Davide De Rosa
7389d72f1f
Fix mutable SessionProxy.Configuration
2019-05-01 11:14:38 +02:00
Davide De Rosa
f799f47c25
Add direct routes to DNS servers
...
If VPN is not default gateway.
Further fix of #94
2019-04-28 15:51:16 +02:00
Davide De Rosa
0b72a30cdd
Add full set of CloudFlare DNS servers
2019-04-28 10:56:39 +02:00
Davide De Rosa
ebabf02eb5
Fix DNS in VPN when not default gateway
...
Awful API requires .matchDomains = [""]
Fixes #94
2019-04-28 10:39:55 +02:00
Davide De Rosa
b331e3cfe6
Mask fallback DNS servers
...
Comment about fallback DNS being public
2019-04-28 10:39:25 +02:00
Davide De Rosa
7978398e1e
Fix logging of routing policies
2019-04-27 22:55:20 +02:00
Davide De Rosa
0ee39c8fb0
Extend handling of redirect-gateway flags
...
- def1 (IPv4)
- ipv6 (IPv6)
- !ipv4 (IPv6 only)
2019-04-27 22:55:20 +02:00
Davide De Rosa
155bd5f1e7
Revert def1 trick
...
Not needed, routes are not persistent.
Revert 7d26323d3f
2019-04-27 22:55:19 +02:00
Davide De Rosa
7d26323d3f
Use OpenVPN trick to retain default gateway
...
Override default gateway with 2 split routes.
- IPv4: 0.0.0.0/1, 128.0.0.0/1
- IPv6: 2000::/4, 3000::/4
2019-04-27 22:29:51 +02:00
Davide De Rosa
3505f68b04
Revert DNS merge
...
Revert 1d3660459e
2019-04-27 18:25:08 +02:00
Davide De Rosa
a48bcc7261
Decrypt generic EVP private key
...
Why PKCS#8?
2019-04-27 10:54:32 +02:00
Davide De Rosa
e0c06ece18
Drop extra EVP_PKEY_free call
2019-04-27 10:44:08 +02:00
Davide De Rosa
6fb409b112
Drop UDP packets on no buffer space available
...
Tolerate only on data channel. Control channel should never reach
high speeds.
Fixes #87
2019-04-25 17:29:10 +02:00
Davide De Rosa
b8cd969a1a
Fall back to configurable preset DNS servers
...
Default to CloudFlare 1.1.1.1
Hard time making it work with system DNS servers. Retry later.
2019-04-25 17:18:28 +02:00
Davide De Rosa
31d9019f1a
Read system-wide DNS servers
...
Add libresolv to podspec.
2019-04-25 16:36:16 +02:00
Davide De Rosa
1d3660459e
Merge local and remote DNS servers
...
- Local first
- Remote last
2019-04-25 16:18:54 +02:00
Davide De Rosa
82394e0433
Skip DNS settings if no servers are provided
2019-04-25 16:18:54 +02:00
Davide De Rosa
4ce2d78c5a
Adjust log of routing policies
...
Consistent with print configuration.
2019-04-25 16:18:52 +02:00
Davide De Rosa
1b0c9979ce
Log "default" DNS when servers are empty
2019-04-25 16:09:04 +02:00
Davide De Rosa
3f37489c13
Handle pushed routing policies
2019-04-25 16:02:19 +02:00
Davide De Rosa
7382616e8b
Parse routing policies for TunnelKitProvider
2019-04-25 14:39:47 +02:00
Davide De Rosa
f9f642b64e
Set as default gateway based on routing policies
...
Also fix IPv6 routes not properly set.
2019-04-25 14:39:40 +02:00
Davide De Rosa
224a76ac58
Parse --redirect-gateway from configuration
...
FIXME: for now only redirects ALL traffic when the option is found
in the configuration file, whatever the arguments.
Also drop unnecessary base options in tests as everything was made
optional recently.
2019-04-25 14:39:23 +02:00
Davide De Rosa
1b8647bcac
Convert PacketSteram to Obj-C
...
For better TCP efficiency.
2019-04-25 12:42:29 +02:00
Davide De Rosa
ef5180a4ed
Set tls-auth/crypt timestamp once
...
Packets rejected due to replay protection.
Fixes #88
Fixes #61
2019-04-23 23:07:32 +02:00
Davide De Rosa
65af163aeb
Do not resend non-acked packets if reliable
...
In control channel.
2019-04-23 23:06:39 +02:00
Davide De Rosa
707db2c6de
Add keydir to local options
2019-04-20 17:20:45 +02:00
Davide De Rosa
9b8be02c2a
Shut down when no IPv4/6 routing available
...
Would fake-connect without VPN icon otherwise.
2019-04-19 09:45:15 +02:00
Davide De Rosa
c565e32dcd
Add "dev-type tun" to local options
...
Plus other hardcoded options like key-method and tls-client.
Seems that older OpenVPN servers didn't send routing info in
PUSH_REPLY if dev-type is not specified explicitly.
Fixes #86
2019-04-18 13:10:57 +02:00
Davide De Rosa
95ba9dacdb
Fix typo
2019-04-18 12:02:23 +02:00
Davide De Rosa
887e2ae55d
Consider stale if HARD_RESET while connected
...
Was disconnecting when more than one HARD_RESET_SERVER was
received during negotiation.
2019-04-17 09:24:16 +02:00
Davide De Rosa
233aa02169
Add FIXME for default DNS from network interface
2019-04-17 00:50:53 +02:00
Davide De Rosa
b199064b94
Only override domain if non-nil
2019-04-17 00:50:53 +02:00
Davide De Rosa
28fd80f4e0
Treat empty DNS servers as nil
...
Empty local DNS array was pretty much hiding server-pushed DNS.
2019-04-17 00:50:53 +02:00
Davide De Rosa
6fd6d228bf
Loop pulling plain text from TLS
...
There might be more data to read.
Fixes #71 , #73
2019-04-17 00:18:02 +02:00
Davide De Rosa
88cd62064a
Handle continuation in PUSH_REPLY
2019-04-16 23:59:56 +02:00
Davide De Rosa
380ac2beac
Throw to exit PUSH_REPLY parsing on continuation
2019-04-16 23:59:56 +02:00
Davide De Rosa
23b6e3b98e
Relax negotiation timeouts
2019-04-16 23:59:56 +02:00
Davide De Rosa
d097afccdc
Resend PUSH_REQUEST every 2 seconds
...
Regardless of link reliability.
2019-04-16 23:43:33 +02:00
Davide De Rosa
ad964e2041
Send local options with authentication
...
Fixes some obsolete servers requiring cipher keysize.
2019-04-15 17:37:57 +02:00
Davide De Rosa
322242de5c
Fix malformed key generation message
...
Make nullTerminated argument explicit, easier to debug.
Fixes #67
2019-04-13 23:55:18 +02:00
Davide De Rosa
0a956f5b9f
Handle dhcp-option PROXY_BYPASS
2019-04-13 19:23:02 +02:00
Davide De Rosa
b118030d43
Enable both HTTP and HTTPS proxies
2019-04-13 17:55:08 +02:00
Davide De Rosa
904e7bae21
Apply proxy settings if present
...
Fixes #74
2019-04-12 08:21:04 +02:00
Davide De Rosa
ef9f3c6d0a
Parse proxies into AppExtension configuration
2019-04-12 08:21:04 +02:00
Davide De Rosa
5fb70b5bab
Parse dhcp-option PROXY_HTTP* into Configuration
2019-04-12 08:10:47 +02:00
Davide De Rosa
26cec205a7
Move builder() to extension
2019-04-11 16:46:52 +02:00
Davide De Rosa
5df614b5e2
Fix incomplete builder() from Configuration
...
Adding a Configuration field is error-prone beyond reason...
2019-04-11 15:30:14 +02:00
Davide De Rosa
914864c31a
Infer serverAddress from sessionConfiguration
2019-04-09 20:45:28 +02:00
Davide De Rosa
3fe9c6de6d
Make hostname optional in ConnectionStrategy
...
Assume preferring resolved addresses.
2019-04-09 20:34:03 +02:00
Davide De Rosa
9f358d6326
Accept nil cipher/digest in AppExtension
...
Reorganize code for clarity.
2019-04-07 08:35:40 +02:00
Davide De Rosa
3717136bd9
Move EndpointProtocol Codable to Core spec
2019-04-05 00:46:45 +02:00
Davide De Rosa
5e2f9b59f1
Rename ParsingResult to Result
...
No need to prefix an inner class.
2019-04-04 19:22:22 +02:00
Davide De Rosa
7333ea226c
Document ignored settings client-side
2019-04-04 18:51:06 +02:00
Davide De Rosa
8394fd0676
Rely on default ConfigurationBuilder.init()
2019-04-04 18:51:06 +02:00
Davide De Rosa
55534df6fa
Work around cipher/digest/framing issues
...
- Make them optional
- Set default values inside SessionProxy
Fallback is not needed anywhere else.
2019-04-04 18:51:06 +02:00
Davide De Rosa
0d86bd20b6
Expose ConfigurationBuilder.init()
2019-04-04 18:51:06 +02:00
Davide De Rosa
4dc9539260
Rename OptionsError to ConfigurationError
2019-04-04 18:51:06 +02:00
Davide De Rosa
a2250686b6
Merge OptionsBundle into Configuration
...
FIXME: issues with non-optional .cipher and .compressionFraming
Because:
- No pushed cipher (nil) is NOT .aes128cbc
- No pushed framing (nil) is NOT .disabled
Breaks conditions on pushed cipher/framing via PUSH_REPLY.
2019-04-04 18:51:06 +02:00
Davide De Rosa
cfe61d5d40
Retain .endpointProtocols for migration
...
For deserialization of old format.
2019-04-04 13:10:33 +02:00
Davide De Rosa
7aec0637b2
Move endpoints inside SessionProxy.Configuration
...
Make optional.
TunnelKitProvider still gets hostname from .serverAddress rather
than SessionProxy.Configuration
Also drop useless Equatable implementations.
2019-04-04 13:09:50 +02:00
Davide De Rosa
e8396ec2cd
Parse search domain from configuration
...
Fixes #77
2019-04-03 14:29:09 +02:00
Davide De Rosa
370e68aa3f
Parse search domain from dhcp-option DOMAIN
2019-04-03 14:29:09 +02:00
Davide De Rosa
fe2ad52df0
Document OptionsBundle
...
Move most from SessionProxy.Configuration.
2019-04-03 13:34:08 +02:00
Davide De Rosa
f9ae3412a5
Move malformed error out of unrelated SessionError
...
Also give more detail about the reason.
2019-04-03 13:20:49 +02:00
Davide De Rosa
42232804ca
Rename file to public entity
2019-04-03 13:19:47 +02:00
Davide De Rosa
49c805af52
Fix a few isHandled
...
Skip to exclude from strippedLines.
2019-04-03 13:19:47 +02:00
Davide De Rosa
9876c81de5
Parse PUSH_REPLY options in OptionsBundle
...
- auth-token
- peer-id
- Routing
Reorganize options by semantic.
Reuse OptionsBundle in PushReply.
2019-04-03 13:19:21 +02:00
Davide De Rosa
b9b9c4db60
Parse basic options in OptionsBundle
...
- Handle isEncrypted inside CryptoContainer
- Rename ParsingError to OptionsError
Reuse OptionsBundle in ConfigurationParser.
2019-04-03 13:19:16 +02:00
Davide De Rosa
e7dadefabb
Generalize cipher regex
2019-04-03 12:20:53 +02:00
Davide De Rosa
d72b583900
Improve parsing of PUSH_REPLY prefix
2019-04-03 12:20:53 +02:00
Davide De Rosa
27901c991b
Skip deinit documentation
2019-04-02 19:18:23 +02:00
Davide De Rosa
ccb6329f05
Don't parse a block begin while inside a block
...
If a PEM contained anything like <foobar>, the parser was doomed.
Fixes #78
2019-04-02 19:07:48 +02:00
Davide De Rosa
11fd418f82
Extend encrypted private key quick test
...
Test .ovpn didn't use an PKCS#8 key due to a slip-up. Fixing it
unveiled that isEncrypted returned false for PKCS#8 keys.
Fixes #80
2019-04-02 11:41:18 +02:00
Davide De Rosa
22f80735ca
Strip certificate preamble
...
Fixes #78
2019-04-02 00:55:58 +02:00
Davide De Rosa
def622506b
Check PKCS#1 via "Proc-Type" presence instead
2019-04-02 00:37:52 +02:00
Davide De Rosa
47b80d5361
Refactor to decrypt generic key
2019-04-02 00:31:54 +02:00