2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
8 * Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program (see the file COPYING included with this
21 * distribution); if not, write to the Free Software Foundation, Inc.,
22 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
26 * 2004-01-28: Added Socks5 proxy support
27 * (Christof Meerwald, http://cmeerw.org)
46 * Maximum number of parameters associated with an option,
47 * including the option name itself.
52 * Max size of options line and parameter.
54 #define OPTION_PARM_SIZE 256
55 #define OPTION_LINE_SIZE 256
57 extern const char title_string
[];
61 /* certain options are saved before --pull modifications are applied */
62 struct options_pre_pull
64 bool tuntap_options_defined
;
65 struct tuntap_options tuntap_options
;
68 struct route_option_list
*routes
;
70 int foreign_option_index
;
75 struct connection_entry
79 bool local_port_defined
;
81 bool port_option_used
;
87 int connect_retry_seconds
;
88 bool connect_retry_defined
;
89 int connect_retry_max
;
91 bool connect_timeout_defined
;
92 #ifdef ENABLE_HTTP_PROXY
93 struct http_proxy_options
*http_proxy_options
;
96 const char *socks_proxy_server
;
98 bool socks_proxy_retry
;
109 #ifdef ENABLE_CONNECTION
111 #define CONNECTION_LIST_SIZE 64
113 struct connection_list
118 struct connection_entry
*array
[CONNECTION_LIST_SIZE
];
124 struct remote_entry
*array
[CONNECTION_LIST_SIZE
];
129 /* Command line options */
135 /* first config file */
139 # define MODE_POINT_TO_POINT 0
140 # define MODE_SERVER 1
143 /* enable forward compatibility for post-2.1 features */
144 bool forward_compatible
;
151 const char *key_pass_file
;
156 bool show_tls_ciphers
;
161 /* Networking parms */
162 struct connection_entry ce
;
164 #ifdef ENABLE_CONNECTION
165 struct connection_list
*connection_list
;
166 struct remote_list
*remote_list
;
169 #ifdef GENERAL_PROXY_SUPPORT
170 struct auto_proxy_info
*auto_proxy_info
;
174 const char *ipchange
;
176 const char *dev_type
;
177 const char *dev_node
;
179 int topology
; /* one of the TOP_x values from proto.h */
180 const char *ifconfig_local
;
181 const char *ifconfig_remote_netmask
;
182 bool ifconfig_noexec
;
183 bool ifconfig_nowarn
;
184 #ifdef HAVE_GETTIMEOFDAY
187 int tun_mtu
; /* MTU of tun device */
189 bool tun_mtu_extra_defined
;
190 int link_mtu
; /* MTU of device over which tunnel packets pass via TCP/UDP */
191 bool tun_mtu_defined
; /* true if user overriding parm with command line option */
192 bool link_mtu_defined
; /* true if user overriding parm with command line option */
194 /* Advanced MTU negotiation and datagram fragmentation options */
195 int mtu_discover_type
; /* used if OS supports setting Path MTU discovery options on socket */
201 int fragment
; /* internal fragmentation size */
205 int keepalive_ping
; /* a proxy for ping/ping-restart */
206 int keepalive_timeout
;
208 int inactivity_timeout
; /* --inactive */
209 int inactivity_minimum_bytes
;
211 int ping_send_timeout
; /* Send a TCP/UDP ping to remote every n seconds */
212 int ping_rec_timeout
; /* Expect a TCP/UDP ping from remote at least once every n seconds */
213 bool ping_timer_remote
; /* Run ping timer only if we have a remote address */
214 bool tun_ipv6
; /* Build tun dev that supports IPv6 */
216 # define PING_UNDEF 0
218 # define PING_RESTART 2
219 int ping_rec_timeout_action
; /* What action to take on ping_rec_timeout (exit or restart)? */
222 int explicit_exit_notification
; /* Explicitly tell peer when we are exiting via OCC_EXIT message */
225 bool persist_tun
; /* Don't close/reopen TUN/TAP dev on SIGUSR1 or PING_RESTART */
226 bool persist_local_ip
; /* Don't re-resolve local address on SIGUSR1 or PING_RESTART */
227 bool persist_remote_ip
; /* Don't re-resolve remote address on SIGUSR1 or PING_RESTART */
228 bool persist_key
; /* Don't re-read key files on SIGUSR1 or PING_RESTART */
230 int mssfix
; /* Upper bound on TCP MSS */
231 bool mssfix_default
; /* true if --mssfix was supplied without a parameter */
233 #if PASSTOS_CAPABILITY
237 int resolve_retry_seconds
; /* If hostname resolve fails, retry for n seconds */
239 struct tuntap_options tuntap_options
;
242 const char *username
;
243 const char *groupname
;
244 const char *chroot_dir
;
247 char *selinux_context
;
249 const char *writepid
;
250 const char *up_script
;
251 const char *down_script
;
259 /* inetd modes defined in socket.h */
263 bool suppress_timestamps
;
272 const char *status_file
;
273 int status_file_version
;
274 int status_file_update_freq
;
276 /* optimize TUN/TAP/UDP writes */
280 /* LZO_x flags from lzo.h */
289 unsigned int sockflags
;
291 /* route management */
292 const char *route_script
;
293 const char *route_default_gateway
;
294 int route_default_metric
;
297 int route_delay_window
;
298 bool route_delay_defined
;
300 struct route_option_list
*routes
;
302 bool route_gateway_via_dhcp
;
303 bool allow_pull_fqdn
; /* as a client, allow server to push a FQDN for certain parameters */
306 /* Enable options consistency check between peers */
310 #ifdef ENABLE_MANAGEMENT
311 const char *management_addr
;
313 const char *management_user_pass
;
314 int management_log_history_cache
;
315 int management_echo_buffer_size
;
316 int management_state_buffer_size
;
317 const char *management_write_peer_info_file
;
319 const char *management_client_user
;
320 const char *management_client_group
;
322 /* Mask of MF_ values of manage.h */
323 unsigned int management_flags
;
327 struct plugin_option_list
*plugin_list
;
339 in_addr_t server_network
;
340 in_addr_t server_netmask
;
342 # define SF_NOPOOL (1<<0)
343 # define SF_TCP_NODELAY_HELPER (1<<1)
344 # define SF_NO_PUSH_ROUTE_GATEWAY (1<<2)
345 unsigned int server_flags
;
347 bool server_bridge_proxy_dhcp
;
349 bool server_bridge_defined
;
350 in_addr_t server_bridge_ip
;
351 in_addr_t server_bridge_netmask
;
352 in_addr_t server_bridge_pool_start
;
353 in_addr_t server_bridge_pool_end
;
355 struct push_list push_list
;
356 bool ifconfig_pool_defined
;
357 in_addr_t ifconfig_pool_start
;
358 in_addr_t ifconfig_pool_end
;
359 in_addr_t ifconfig_pool_netmask
;
360 const char *ifconfig_pool_persist_filename
;
361 int ifconfig_pool_persist_refresh_freq
;
363 int virtual_hash_size
;
364 const char *client_connect_script
;
365 const char *client_disconnect_script
;
366 const char *learn_address_script
;
368 const char *client_config_dir
;
373 struct iroute
*iroutes
;
374 bool push_ifconfig_defined
;
375 in_addr_t push_ifconfig_local
;
376 in_addr_t push_ifconfig_remote_netmask
;
377 bool push_ifconfig_constraint_defined
;
378 in_addr_t push_ifconfig_constraint_network
;
379 in_addr_t push_ifconfig_constraint_netmask
;
385 int max_routes_per_client
;
387 const char *auth_user_pass_verify_script
;
388 bool auth_user_pass_verify_script_via_file
;
389 unsigned int ssl_flags
; /* set to SSLF_x flags from ssl.h */
391 char *port_share_host
;
397 bool pull
; /* client pull of config options from server */
398 int push_continuation
;
399 const char *auth_user_pass_file
;
400 struct options_pre_pull
*pre_pull
;
402 int server_poll_timeout
;
404 int scheduled_exit_interval
;
410 const char *shared_secret_file
;
411 #if ENABLE_INLINE_FILES
412 const char *shared_secret_file_inline
;
415 bool ciphername_defined
;
416 const char *ciphername
;
417 bool authname_defined
;
418 const char *authname
;
420 const char *prng_hash
;
421 int prng_nonce_secret_len
;
424 bool mute_replay_warnings
;
427 const char *packet_id_file
;
432 /* TLS (control channel) parms */
438 const char *cert_file
;
439 const char *priv_key_file
;
440 const char *pkcs12_file
;
441 const char *cipher_list
;
442 const char *tls_verify
;
443 const char *tls_remote
;
444 const char *crl_file
;
446 #if ENABLE_INLINE_FILES
447 const char *ca_file_inline
;
448 const char *cert_file_inline
;
449 char *priv_key_file_inline
;
450 const char *dh_file_inline
;
453 int ns_cert_type
; /* set to 0, NS_SSL_SERVER, or NS_SSL_CLIENT */
454 unsigned remote_cert_ku
[MAX_PARMS
];
455 const char *remote_cert_eku
;
458 const char *pkcs11_providers
[MAX_PARMS
];
459 unsigned pkcs11_private_mode
[MAX_PARMS
];
460 bool pkcs11_protected_authentication
[MAX_PARMS
];
461 bool pkcs11_cert_private
[MAX_PARMS
];
462 int pkcs11_pin_cache_period
;
463 const char *pkcs11_id
;
464 bool pkcs11_id_management
;
468 const char *cryptoapi_cert
;
471 /* data channel key exchange method */
474 /* Per-packet timeout on control channel */
477 /* Data channel key renegotiation parameters */
478 int renegotiate_bytes
;
479 int renegotiate_packets
;
480 int renegotiate_seconds
;
482 /* Data channel key handshake must finalize
483 within n seconds of handshake initiation. */
484 int handshake_window
;
486 /* Old key allowed to live n seconds after new key goes active */
487 int transition_window
;
489 /* Special authentication MAC for TLS control channel */
490 const char *tls_auth_file
; /* shared secret */
491 #if ENABLE_INLINE_FILES
492 const char *tls_auth_file_inline
;
495 /* Allow only one session */
501 #endif /* USE_CRYPTO */
503 /* special state parms */
504 int foreign_option_index
;
507 const char *exit_event_name
;
508 bool exit_event_initial_state
;
514 #define streq(x, y) (!strcmp((x), (y)))
519 #define OPT_P_GENERAL (1<<0)
520 #define OPT_P_UP (1<<1)
521 #define OPT_P_ROUTE (1<<2)
522 #define OPT_P_IPWIN32 (1<<3)
523 #define OPT_P_SCRIPT (1<<4)
524 #define OPT_P_SETENV (1<<5)
525 #define OPT_P_SHAPER (1<<6)
526 #define OPT_P_TIMER (1<<7)
527 #define OPT_P_PERSIST (1<<8)
528 #define OPT_P_PERSIST_IP (1<<9)
529 #define OPT_P_COMP (1<<10) /* TODO */
530 #define OPT_P_MESSAGES (1<<11)
531 #define OPT_P_CRYPTO (1<<12) /* TODO */
532 #define OPT_P_TLS_PARMS (1<<13) /* TODO */
533 #define OPT_P_MTU (1<<14) /* TODO */
534 #define OPT_P_NICE (1<<15)
535 #define OPT_P_PUSH (1<<16)
536 #define OPT_P_INSTANCE (1<<17)
537 #define OPT_P_CONFIG (1<<18)
538 #define OPT_P_EXPLICIT_NOTIFY (1<<19)
539 #define OPT_P_ECHO (1<<20)
540 #define OPT_P_INHERIT (1<<21)
541 #define OPT_P_ROUTE_EXTRAS (1<<22)
542 #define OPT_P_PULL_MODE (1<<23)
543 #define OPT_P_PLUGIN (1<<24)
544 #define OPT_P_SOCKBUF (1<<25)
545 #define OPT_P_SOCKFLAGS (1<<26)
546 #define OPT_P_CONNECTION (1<<27)
548 #define OPT_P_DEFAULT (~(OPT_P_INSTANCE|OPT_P_PULL_MODE))
551 #define PULL_DEFINED(opt) ((opt)->pull)
553 #define PUSH_DEFINED(opt) ((opt)->push_list)
558 #define PULL_DEFINED(opt) (false)
562 #define PUSH_DEFINED(opt) (false)
566 #define ROUTE_OPTION_FLAGS(o) ((o)->route_method & ROUTE_METHOD_MASK)
568 #define ROUTE_OPTION_FLAGS(o) (0)
571 #ifdef HAVE_GETTIMEOFDAY
572 #define SHAPER_DEFINED(opt) ((opt)->shaper)
574 #define SHAPER_DEFINED(opt) (false)
578 #define PLUGIN_OPTION_LIST(opt) ((opt)->plugin_list)
580 #define PLUGIN_OPTION_LIST(opt) (NULL)
583 #ifdef MANAGEMENT_DEF_AUTH
584 #define MAN_CLIENT_AUTH_ENABLED(opt) ((opt)->management_flags & MF_CLIENT_AUTH)
586 #define MAN_CLIENT_AUTH_ENABLED(opt) (false)
589 void parse_argv (struct options
*options
,
593 const unsigned int permission_mask
,
594 unsigned int *option_types_found
,
597 void notnull (const char *arg
, const char *description
);
599 void usage_small (void);
601 void init_options (struct options
*o
, const bool init_gc
);
602 void uninit_options (struct options
*o
);
604 void setenv_settings (struct env_set
*es
, const struct options
*o
);
605 void show_settings (const struct options
*o
);
607 bool string_defined_equal (const char *s1
, const char *s2
);
611 const char *options_string_version (const char* s
, struct gc_arena
*gc
);
613 char *options_string (const struct options
*o
,
614 const struct frame
*frame
,
617 struct gc_arena
*gc
);
619 bool options_cmp_equal_safe (char *actual
, const char *expected
, size_t actual_n
);
620 void options_warning_safe (char *actual
, const char *expected
, size_t actual_n
);
621 bool options_cmp_equal (char *actual
, const char *expected
);
622 void options_warning (char *actual
, const char *expected
);
626 void options_postprocess (struct options
*options
);
628 void pre_pull_save (struct options
*o
);
629 void pre_pull_restore (struct options
*o
);
631 bool apply_push_options (struct options
*options
,
633 unsigned int permission_mask
,
634 unsigned int *option_types_found
,
637 bool is_persist_option (const struct options
*o
);
638 bool is_stateful_restart (const struct options
*o
);
640 void options_detach (struct options
*o
);
642 void options_server_import (struct options
*o
,
643 const char *filename
,
645 unsigned int permission_mask
,
646 unsigned int *option_types_found
,
649 void pre_pull_default (struct options
*o
);
651 void rol_check_alloc (struct options
*options
);
653 int parse_line (const char *line
,
659 struct gc_arena
*gc
);
662 * parse/print topology coding
665 int parse_topology (const char *str
, const int msglevel
);
666 const char *print_topology (const int topology
);
669 * Manage auth-retry variable
675 #define AR_INTERACT 1
676 #define AR_NOINTERACT 2
678 int auth_retry_get (void);
679 bool auth_retry_set (const int msglevel
, const char *option
);
680 const char *auth_retry_print (void);
684 void options_string_import (struct options
*options
,
687 const unsigned int permission_mask
,
688 unsigned int *option_types_found
,
695 connection_list_defined (const struct options
*o
)
697 #ifdef ENABLE_CONNECTION
698 return o
->connection_list
!= NULL
;
705 connection_list_set_no_advance (struct options
*o
)
707 #ifdef ENABLE_CONNECTION
708 if (o
->connection_list
)
709 o
->connection_list
->no_advance
= true;