Commit Graph

40 Commits

Author SHA1 Message Date
Davide De Rosa 729e8973cf
Hide errors behind façade TunnelKit*Error (#325) 2023-07-02 11:56:40 +02:00
Davide De Rosa 0c77062add
Add SwiftLint (#318) 2023-04-20 21:52:45 +02:00
Davide De Rosa c62fc4adaa
Drop #available(iOS 14) (#317) 2023-04-20 21:44:32 +02:00
Davide De Rosa e0c0cc137f
Split DNS domain and search domains (#313) 2023-03-17 20:22:21 +01:00
Davide De Rosa 11ae9e4141
Delay tunnel disposal (#311)
Postpone reconnection due to on-demand trigger.
2023-03-17 20:20:44 +01:00
Davide De Rosa d7fbeb0d90 Update copyright 2023-03-17 16:58:36 +01:00
Tejas Mehta 5ecd732cc2
Add Complete XOR Patch Functionality (#255)
Co-authored-by: Davide De Rosa <keeshux@gmail.com>
2022-11-06 17:46:10 +01:00
Davide De Rosa a3b85430fd Unmask more safe things
- IPv4/6 address and default gateway within VPN

- Route destination and gateway
2022-10-29 20:29:36 +02:00
Davide De Rosa cae371bb40
Split IPv4/6 settings and routes (#298)
* Postpone setting route gateway

Resolve in NetworkSettingsBuilder.

* Store routes separately from IP*Settings

Parse as optionals to avoid empty arrays.

* Deprecate routes stored in IP*Settings

* Apply routes from new fields

* Update CHANGELOG
2022-10-29 12:24:28 +02:00
Davide De Rosa 703d1416ad
Deal with remote options properly (#297)
Some take over, some are merged.

Also:

- Drop non-existing DOMAIN-SEARCH dhcp-option

- Only first DNS domain was parsed
2022-10-29 11:00:39 +02:00
Davide De Rosa 8ac21771e3 Fix default gateway not set when --route-nopull
The "no pull" flag is already accounted for when routingPolicies is
computed (e.g. default gateway). Evaluate it properly for routes
instead.

See 31db8ebb9d
2022-10-28 15:38:29 +02:00
Davide De Rosa 65c41c257b
Unify logging of local/remote options (#295) 2022-10-27 00:40:46 +02:00
Davide De Rosa 5913b801a9 Simplify hasGateway check 2022-10-27 00:23:57 +02:00
Davide De Rosa 31db8ebb9d
Delegate network settings to ad-hoc builder (#292)
* Delegate network settings to ad-hoc builder

- Assert network settings nil or non-empty, NOT precondition

- Fix log about local DNS, only if not gateway

- Remove non-working block-local code

Fixes #289, fixes #290

* Unmask safe and helpful network settings
2022-10-25 08:58:34 +02:00
Davide De Rosa 17c272d733
Support --remote-random-hostname (#286) 2022-10-17 09:00:23 +02:00
Davide De Rosa 36f0b2c03d Extend description of link remote with protocol 2022-10-14 08:23:23 +02:00
Davide De Rosa f17bb110c2 Adjust log of DNS settings according to gateway 2022-10-13 18:34:31 +02:00
Davide De Rosa a3822678cf
Support --route-nopull (#280)
* Parse --route-no-pull

When provided, pull everything except:

- Routes
- DNS
- Proxy

Implement with higher granularity compared to OpenVPN.

* Apply no-pull mask in tunnel settings

Pull server settings by default to match standard OpenVPN
behavior. Library was prioritizing client over server.

* Add link in CHANGELOG
2022-10-08 08:54:55 +02:00
Davide De Rosa 5c84c15416 Use localOptions to clarify context
localOptions = cfg.configuration
2022-09-25 17:23:13 +02:00
Davide De Rosa 83a2842214 Customize app extension log path
Store path into App Group. Do not read it from UserDefaults in
app extension because value is immediately available in provider
configuration.
2022-06-17 09:19:54 +02:00
Davide De Rosa 4eb9a92c2e Hide setters of shared provider defaults
Tunnel values were overwritable by app.

Instead:

- Write from app extension with "private" setter (_appexSet*)

- Read from app with public getter
2022-06-17 09:18:28 +02:00
Davide De Rosa 178dda56ac Simplify .configureLogging() in app extensions 2022-06-17 09:16:41 +02:00
Davide De Rosa e075ba6a76 Make DNS servers optional in DoT like in DoH
Domain name can actually by an IP address and not require a DNS
server to resolve.
2022-04-25 21:46:16 +02:00
Davide De Rosa f0a5557cfb Fix previous commit further (my bad) 2022-04-13 22:55:43 +02:00
Davide De Rosa 07e94b2d5c Fix target name in import 2022-04-13 22:40:05 +02:00
Davide De Rosa f046bcd629 Add options to explicitly enable/disable DNS/proxy
DNS/proxy settings, when missing from configuration, fall back to
whatever the server pushes.

With isDNSEnabled/isProxyEnabled it's now possible to override this
behavior.
2022-03-26 17:22:45 +01:00
Davide De Rosa 4bfa0b4e74 Make sure MTU is positive 2022-03-26 17:08:45 +01:00
Davide De Rosa 3bdff1ee8b Customize WireGuard debug log format 2022-03-25 18:02:39 +01:00
Davide De Rosa ff235e2b96 Log OpenVPN tunnel via SwiftyBeaver file
This way debug log is updated without manual flush.

Useful for immediate access.
2022-03-12 10:35:39 +01:00
Davide De Rosa 3807b4754b Review some Core/OpenVPN entities
- Drop redundant Equatable (automatic in structs)
- Make IPv4/6 routes Hashable
- Expose StaticKey as hex String
- Mask PAC URL
2022-03-12 10:35:39 +01:00
Davide De Rosa 3741a17c20 Rewrite Manager package to make it stateless
In order to avoid chaos from multiple profiles, retain the
profile to be installed and remove all the other ones. Also,
make sure to do the removal AFTER install, as doing it
before would trigger the VPN permission alert again.

XXX: there is some weird behavior from NetworkExtension
occasionally sending notifications with a bogus NEVPNManager
object having a nil .localizedDescription and other properties set
to nonsensical values. Discard the notification when such an object
is identified.

Encapsulate extra NetworkExtension settings:

- passwordReference
- onDemandRules
- disconnectsOnSleep

Also:

- Only set on-demand if any rules are set
- Assume VPN is enabled even with on-demand disabled
- Use DataCount instead of raw Int pair

Attach useful information to VPN notifications:

- VPN isEnabled
- VPN status
- VPN command error
- Tunnel bundle identifier (if available)

Expose specific OpenVPN/WireGuard shared data via extensions in
UserDefaults/FileManager.

Finally, drop incomplete IKE support. No fit.
2022-03-12 10:35:39 +01:00
Davide De Rosa 133b4b2337 Replace hostname/endpointProtocols with remotes
Like official OpenVPN options.
2022-03-05 14:20:29 +01:00
Davide De Rosa 2646762bb4 [ci skip] Update copyright 2022-02-04 12:57:40 +01:00
Davide De Rosa 9c63b856cb
Verify CA from on-disk file (#237)
* Verify CA from on-disk file

Revert part of #213 again, because `SSL_CTX_load_verify_locations`
is just more reliable at setting up the trust store.

It looks like it's able to reference the .pem multiple times in
those cases where the root issuer of the CA is also embedded in
the file (which is the case with e.g. Let's Encrypt).

This is better than the current implementation, and I couldn't
easily find a way to do the same in-memory. I'd rather use the
standard API here.

See 7a85d3cac7
2021-11-27 12:32:30 +01:00
Davide De Rosa 7a85d3cac7
Restore and fix former PEM caching PR (#235)
This reverts commit 995009121a.

* Improve error handling

* Trust intermediate CA

* Update CHANGELOG
2021-11-25 12:36:17 +01:00
Davide De Rosa 74f38d335b Move TunnelKit errors specific to OpenVPN
Use local error domain in LZO to not depend on anything.
2021-11-23 19:17:43 +01:00
Davide De Rosa bb5cd1e1ab Return password reference at the time of setting
Simplifies app/extension IPC.
2021-11-23 19:17:43 +01:00
Davide De Rosa 995009121a Revert "Avoid caching PEMs on disk (#213)"
This reverts commit 00d908cc89.
2021-11-18 12:05:06 +01:00
Davide De Rosa 9e14f33235 Drop jazzy, will use DocC 2021-11-12 10:00:55 +01:00
Davide De Rosa 50064fc3d0 Increase components granularity
Minimize target dependency on OpenSSL (easier to drop later).

Outside of OpenVPN tunnel extension, OpenSSL is only used to
decrypt encrypted private keys in CryptoContainer (found in
TunnelKitOpenVPNCore, therefore "temporarily" dependent on
CTunnelKitOpenVPNAppExtension for TLSBox/CryptoBox).
2021-11-11 15:18:03 +01:00