* Delegate network settings to ad-hoc builder
- Assert network settings nil or non-empty, NOT precondition
- Fix log about local DNS, only if not gateway
- Remove non-working block-local code
Fixes#289, fixes#290
* Unmask safe and helpful network settings
No need to duplicate a well-written API.
- Offer convenience accessors in Configuration[Builder]
- Make Configuration init non-optional
Sanity checks are done in Builder with throws and decoded object
is always deemed valid.
In order to avoid chaos from multiple profiles, retain the
profile to be installed and remove all the other ones. Also,
make sure to do the removal AFTER install, as doing it
before would trigger the VPN permission alert again.
XXX: there is some weird behavior from NetworkExtension
occasionally sending notifications with a bogus NEVPNManager
object having a nil .localizedDescription and other properties set
to nonsensical values. Discard the notification when such an object
is identified.
Encapsulate extra NetworkExtension settings:
- passwordReference
- onDemandRules
- disconnectsOnSleep
Also:
- Only set on-demand if any rules are set
- Assume VPN is enabled even with on-demand disabled
- Use DataCount instead of raw Int pair
Attach useful information to VPN notifications:
- VPN isEnabled
- VPN status
- VPN command error
- Tunnel bundle identifier (if available)
Expose specific OpenVPN/WireGuard shared data via extensions in
UserDefaults/FileManager.
Finally, drop incomplete IKE support. No fit.
* Verify CA from on-disk file
Revert part of #213 again, because `SSL_CTX_load_verify_locations`
is just more reliable at setting up the trust store.
It looks like it's able to reference the .pem multiple times in
those cases where the root issuer of the CA is also embedded in
the file (which is the case with e.g. Let's Encrypt).
This is better than the current implementation, and I couldn't
easily find a way to do the same in-memory. I'd rather use the
standard API here.
See 7a85d3cac7
Minimize target dependency on OpenSSL (easier to drop later).
Outside of OpenVPN tunnel extension, OpenSSL is only used to
decrypt encrypted private keys in CryptoContainer (found in
TunnelKitOpenVPNCore, therefore "temporarily" dependent on
CTunnelKitOpenVPNAppExtension for TLSBox/CryptoBox).