Commit Graph

433 Commits

Author SHA1 Message Date
Davide De Rosa 13027b8932 Only require --ca and --cipher from clients
Not in a PUSH_REPLY, for example.
2019-11-20 19:48:40 +01:00
Davide De Rosa b1c11e3e56 Make --ca and --cipher non-optional in .ovpn
Dodge those annoying scenarios where server cipher is not set
and defaults to BF-CBC, whereas default TunnelKit cipher
is AES-128-CBC. And data channel stalls.
2019-11-20 01:07:39 +01:00
Davide De Rosa 4ced1c499d Use modern structure for notifications 2019-11-02 11:32:16 +01:00
Davide De Rosa 3a38b0da15 Log effective search domains 2019-10-25 19:08:44 +02:00
Davide De Rosa 4e77f5b6b3 Parse multiple "dhcp-option DOMAIN" lines 2019-10-25 17:21:44 +02:00
Davide De Rosa 645f65ccd0 Adjust Configuration.searchDomain to searchDomains
XXX: "breaks" search domains in existing VPN profiles. Reinstall
to fix.
2019-10-25 17:17:48 +02:00
Davide De Rosa 495944297c
Merge pull request #126 from ThinkChaos/fix_pac_logging
Fix logging for Proxy Auto-Configuration (PAC)
2019-10-23 13:07:03 +02:00
Davide De Rosa e5a7a09b7f Parse PAC from provider configuration
Not propagated to AppExtension.
2019-10-23 13:02:29 +02:00
Davide De Rosa dcac7cb2d4 Fix hidden IPv4Settings fields 2019-10-23 10:55:37 +02:00
Davide De Rosa 7608ae2e3c Expose server configuration via provider message 2019-10-23 10:27:51 +02:00
ThinkChaos 907bbe20ae Fix logging for Proxy Auto-Configuration (PAC) 2019-10-23 01:08:39 +02:00
Davide De Rosa 7d0cba8df8
Merge pull request #125 from ThinkChaos/proxy_auto_conf
Add Proxy Auto-Configuration (PAC) support
2019-10-22 21:55:29 +02:00
ThinkChaos 26d7b9fe0f Address review comments 2019-10-22 21:03:25 +02:00
Davide De Rosa 98b9d71eb3 Assume VPN gateway when route gw is "vpn_gateway" 2019-10-22 13:53:36 +02:00
Davide De Rosa eb09493882
Merge pull request #122 from rob-patchett/ping-timeout
Allow keep-alive timeout to be configured by the server or client
2019-10-22 10:51:27 +02:00
Robert Patchett 87cb448d12 Fix comment typo 2019-10-22 10:43:57 +02:00
ThinkChaos c6cb5a646a Add Proxy Auto-Configuration (PAC) support 2019-10-21 21:47:45 +02:00
Robert Patchett bdf34f8882 Set tunnel provider's reasserting to false after the system starts using the tunnel 2019-10-17 14:23:16 +02:00
Robert Patchett 55f7e64f19 Allow keep alive timeout to be configured by the server or client 2019-09-30 11:54:29 -07:00
Davide De Rosa d22f40f7e9 Fix potential OOB in memcmp() 2019-09-17 23:41:35 +02:00
Davide De Rosa d815f5222f Change var to let
Xcode no more signals wrong side-effect in withUnsafeBytes.
2019-09-17 16:09:09 +02:00
Davide De Rosa e0ab2a1ddb Disconnect if HARD_RESET received while SOFT_RESET
Bad condition for .staleSession

Fixes #120

See 0f2234f1d1
2019-09-03 00:27:54 +02:00
Davide De Rosa de21adfef6 Beware of execution queue in write callbacks
self.link was not checked against in tunnel queue.
2019-08-23 09:15:59 +02:00
Davide De Rosa 6b281711c7 Ignore errors from outdated link writes
Prevents async delegation after cleanup.
2019-08-23 09:15:57 +02:00
Davide De Rosa a4333eaafe Revert ENOBUFS mitigation, do disconnect instead
Reverts #87 "fix"
2019-07-26 21:14:57 +02:00
Davide De Rosa aefeb252b3 Do not defer stop more than once
May cause multiple delegation and queue deadlock when a
reconnection is scheduled to trigger.

Fixes #106
2019-07-09 14:09:02 +02:00
Davide De Rosa 2c56a8ea95 Send PUSH_REQUEST immediately after auth
First call would always fail otherwise.
2019-07-09 12:40:10 +02:00
Davide De Rosa 40139cbef0 Replace key flag with session-wide isRenegotiating
Prevent new if one in progress.

Fixes #105
2019-07-09 12:17:12 +02:00
Davide De Rosa 0f2234f1d1 Assume stale session if server sends HARD_RESET
When unsolicited.
2019-07-09 11:42:12 +02:00
Davide De Rosa 1dcf4d7745 Shut down abruptly to work around macOS bug
Fixes #111
2019-07-07 23:36:06 +02:00
Davide De Rosa b04f7f20d4 Log info about DNS servers in use 2019-07-03 19:04:53 +02:00
Davide De Rosa eb56a9a56c Optimize [Data].flatCount 2019-06-05 14:14:15 +02:00
Davide De Rosa 2ddf712176 Update jazzy YAML 2019-05-24 16:04:19 +02:00
Davide De Rosa be1081aad6 Nest subspecs by purpose
- Protocols
- Extra
2019-05-24 16:02:59 +02:00
Davide De Rosa 21eee24e7c Add missing documentation 2019-05-24 16:02:06 +02:00
Davide De Rosa 72ce14b676 Make AppExtension entities public 2019-05-24 16:02:06 +02:00
Davide De Rosa 3edd00b2da Drop deprecated endpointProtocols 2019-05-24 10:59:20 +02:00
Davide De Rosa 185f0707cf Move OpenVPN configuration part on top 2019-05-24 10:59:20 +02:00
Davide De Rosa 1f8c51c126 Parse OpenVPN.Configuration from defaults 2019-05-24 10:59:20 +02:00
Davide De Rosa 5561c7adc6 Group OpenVPN.Configuration funcs into extension
- with (creation)
- store (convert to dict)
- print (log)
2019-05-24 10:54:25 +02:00
Davide De Rosa a85404e951 Rename provider class to OpenVPNTunnelProvider 2019-05-24 10:41:30 +02:00
Davide De Rosa 9445b825d0 Make AppExtension generic
- Make AppExtension a standalone util subspec
- Move OpenVPN tunnel provider to OpenVPN subspec
- Move Utils to Core subspec
- Depend OpenVPN on Core + AppExtension
2019-05-24 10:41:26 +02:00
Davide De Rosa b6da3f2d13 Rename proxy to session
According to SessionProxy -> OpenVPNSession.
2019-05-19 15:56:44 +02:00
Davide De Rosa 8be0f14aa9 Move PRNG initialization to namespace level 2019-05-19 15:52:55 +02:00
Davide De Rosa d057e9645b Restore AppExtension with recent changes 2019-05-19 15:50:12 +02:00
Davide De Rosa 6ebf025859 Take Session protocol out of OpenVPNSession
Fix some doc.
2019-05-19 15:08:43 +02:00
Davide De Rosa 313d076ddf Move Error extension to Core 2019-05-19 14:34:27 +02:00
Davide De Rosa c4a84a5ade Prefix top-level entities with OpenVPN* 2019-05-19 14:34:23 +02:00
Davide De Rosa 9c7ae47679 Make SessionProxy* top level
Drop redundant SessionReply.
2019-05-19 14:17:18 +02:00
Davide De Rosa 465e08e42f Wrap OpenVPN entities in pseudonamespace
Temporarily exclude AppExtension and tests.
2019-05-19 14:05:02 +02:00
Davide De Rosa 50d492096f Move a few generic entities to Core
- IPv4Settings
- IPv6Settings
- Proxy
- EndpointProtocol (Codable)
2019-05-19 12:40:20 +02:00
Davide De Rosa 930f05c984 Move OpenVPN timeouts out of Core 2019-05-19 12:39:51 +02:00
Davide De Rosa 5b81aa6a78 Drop "Box" from error codes 2019-05-19 12:22:32 +02:00
Davide De Rosa 9da7fa9667 Split Core into Core+OpenVPN
Two Obj-C modules:

- __TunnelKitCore
- __TunnelKitOpenVPN

Seems the only way to do it in multiple module maps.

Move OpenVPN specifics out of CoreConfiguration.
2019-05-19 12:22:32 +02:00
Davide De Rosa 491092f2a3 Drop extra header lines 2019-05-19 12:21:44 +02:00
Davide De Rosa 21b67fd9ff Make CoreConfiguration a class for bundle lookup 2019-05-19 11:36:26 +02:00
Davide De Rosa 470c50b037 Return just <masked> when masked description
Why bother with useless hashes?
2019-05-19 11:36:26 +02:00
Davide De Rosa d19e029131 Use guard 2019-05-19 11:36:26 +02:00
Davide De Rosa 713a46d817 Update GitHub URL
Move to passepartoutvpn org.
2019-05-14 10:58:47 +02:00
Davide De Rosa 7cbcfcd264 Fix condition for SOFT_RESET
May receive multiple packets while handling in progress.
2019-05-13 12:15:44 +02:00
Davide De Rosa d06b2e1928 Shut down if no default gateway 2019-05-11 17:40:46 +02:00
Davide De Rosa 5ce49953a0 Assume empty policies to override server settings
Empty != nil. When nil, pull from server.
2019-05-11 16:33:49 +02:00
Davide De Rosa 43c70b2673 Refine logging of some configuration
Log about routing entries.
2019-05-11 14:54:25 +02:00
Davide De Rosa ff0dfc450c Get TLS security level via AppExtension
Improves #97
2019-05-08 16:16:30 +02:00
Davide De Rosa 3a136bdce9 Make TLS security level an option
Default level by default.
2019-05-08 16:10:35 +02:00
Davide De Rosa 82f0431303 Take optional securityLevel field in TLSBox 2019-05-08 15:54:05 +02:00
Davide De Rosa 97f178cdac Tolerate weak certificates
Lower SSL security level.

Fixes #97
2019-05-05 17:51:24 +02:00
Davide De Rosa 273007cc59 Copy route.h from macOS
Missing on iOS.
2019-05-03 15:14:25 +02:00
Davide De Rosa a693075e90 Block LAN when redirect-gateway block-local
Fixes #81
2019-05-03 15:14:25 +02:00
Davide De Rosa 13cae06a49 Add method to partition a subnet 2019-05-03 15:14:25 +02:00
Davide De Rosa 03a1eb2203 Return IPv4 network mask for a route 2019-05-03 15:14:25 +02:00
Davide De Rosa 4295e63c98 Read relevant routing table 2019-05-03 15:14:25 +02:00
Davide De Rosa d44d08c95e Retain self weakly for shutdown on timeout 2019-05-02 13:13:43 +02:00
Davide De Rosa 1430241b0c Do not fake BF-CBC, pleae 2019-05-01 23:18:54 +02:00
Davide De Rosa 037f08ed62 Retry auth once without local options
Hack around picky server implementations.

Fixes #95
2019-05-01 11:14:52 +02:00
Davide De Rosa 14b7f08fb5 Use strict ordering in local options
And add TLS wrapping.
2019-05-01 11:14:38 +02:00
Davide De Rosa 7389d72f1f Fix mutable SessionProxy.Configuration 2019-05-01 11:14:38 +02:00
Davide De Rosa f799f47c25 Add direct routes to DNS servers
If VPN is not default gateway.

Further fix of #94
2019-04-28 15:51:16 +02:00
Davide De Rosa 0b72a30cdd Add full set of CloudFlare DNS servers 2019-04-28 10:56:39 +02:00
Davide De Rosa ebabf02eb5 Fix DNS in VPN when not default gateway
Awful API requires .matchDomains = [""]

Fixes #94
2019-04-28 10:39:55 +02:00
Davide De Rosa b331e3cfe6 Mask fallback DNS servers
Comment about fallback DNS being public
2019-04-28 10:39:25 +02:00
Davide De Rosa 7978398e1e Fix logging of routing policies 2019-04-27 22:55:20 +02:00
Davide De Rosa 0ee39c8fb0 Extend handling of redirect-gateway flags
- def1 (IPv4)
- ipv6 (IPv6)
- !ipv4 (IPv6 only)
2019-04-27 22:55:20 +02:00
Davide De Rosa 155bd5f1e7 Revert def1 trick
Not needed, routes are not persistent.

Revert 7d26323d3f
2019-04-27 22:55:19 +02:00
Davide De Rosa 7d26323d3f Use OpenVPN trick to retain default gateway
Override default gateway with 2 split routes.

- IPv4: 0.0.0.0/1, 128.0.0.0/1
- IPv6: 2000::/4, 3000::/4
2019-04-27 22:29:51 +02:00
Davide De Rosa 3505f68b04 Revert DNS merge
Revert 1d3660459e
2019-04-27 18:25:08 +02:00
Davide De Rosa a48bcc7261 Decrypt generic EVP private key
Why PKCS#8?
2019-04-27 10:54:32 +02:00
Davide De Rosa e0c06ece18 Drop extra EVP_PKEY_free call 2019-04-27 10:44:08 +02:00
Davide De Rosa 6fb409b112 Drop UDP packets on no buffer space available
Tolerate only on data channel. Control channel should never reach
high speeds.

Fixes #87
2019-04-25 17:29:10 +02:00
Davide De Rosa b8cd969a1a Fall back to configurable preset DNS servers
Default to CloudFlare 1.1.1.1

Hard time making it work with system DNS servers. Retry later.
2019-04-25 17:18:28 +02:00
Davide De Rosa 31d9019f1a Read system-wide DNS servers
Add libresolv to podspec.
2019-04-25 16:36:16 +02:00
Davide De Rosa 1d3660459e Merge local and remote DNS servers
- Local first
- Remote last
2019-04-25 16:18:54 +02:00
Davide De Rosa 82394e0433 Skip DNS settings if no servers are provided 2019-04-25 16:18:54 +02:00
Davide De Rosa 4ce2d78c5a Adjust log of routing policies
Consistent with print configuration.
2019-04-25 16:18:52 +02:00
Davide De Rosa 1b0c9979ce Log "default" DNS when servers are empty 2019-04-25 16:09:04 +02:00
Davide De Rosa 3f37489c13 Handle pushed routing policies 2019-04-25 16:02:19 +02:00
Davide De Rosa 7382616e8b Parse routing policies for TunnelKitProvider 2019-04-25 14:39:47 +02:00
Davide De Rosa f9f642b64e Set as default gateway based on routing policies
Also fix IPv6 routes not properly set.
2019-04-25 14:39:40 +02:00
Davide De Rosa 224a76ac58 Parse --redirect-gateway from configuration
FIXME: for now only redirects ALL traffic when the option is found
in the configuration file, whatever the arguments.

Also drop unnecessary base options in tests as everything was made
optional recently.
2019-04-25 14:39:23 +02:00
Davide De Rosa 1b8647bcac Convert PacketSteram to Obj-C
For better TCP efficiency.
2019-04-25 12:42:29 +02:00