release/src/router/openvpn/helper.c

   1 /*
   2  *  OpenVPN -- An application to securely tunnel IP networks
   3  *             over a single TCP/UDP port, with support for SSL/TLS-based
   4  *             session authentication and key exchange,
   5  *             packet encryption, packet authentication, and
   6  *             packet compression.
   7  *
   8  *  Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
   9  *
  10  *  This program is free software; you can redistribute it and/or modify
  11  *  it under the terms of the GNU General Public License version 2
  12  *  as published by the Free Software Foundation.
  13  *
  14  *  This program is distributed in the hope that it will be useful,
  15  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  16  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17  *  GNU General Public License for more details.
  18  *
  19  *  You should have received a copy of the GNU General Public License
  20  *  along with this program (see the file COPYING included with this
  21  *  distribution); if not, write to the Free Software Foundation, Inc.,
  22  *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  23  */
  24
  25 #include "syshead.h"
  26
  27 #include "forward.h"
  28 #include "helper.h"
  29 #include "pool.h"
  30 #include "push.h"
  31
  32 #include "memdbg.h"
  33
  34 #if P2MP_SERVER
  35
  36 static const char *
  37 print_netmask (int netbits, struct gc_arena *gc)
  38 {
  39   struct buffer out = alloc_buf_gc (128, gc);
  40   const in_addr_t netmask = netbits_to_netmask (netbits);
  41
  42   buf_printf (&out, "%s (/%d)", print_in_addr_t (netmask, 0, gc), netbits);
  43
  44   return BSTR (&out);
  45 }
  46
  47 static const char *
  48 print_opt_route_gateway (const in_addr_t route_gateway, struct gc_arena *gc)
  49 {
  50   struct buffer out = alloc_buf_gc (128, gc);
  51   ASSERT (route_gateway);
  52   buf_printf (&out, "route-gateway %s", print_in_addr_t (route_gateway, 0, gc));
  53   return BSTR (&out);
  54 }
  55
  56 static const char *
  57 print_opt_route_gateway_dhcp (struct gc_arena *gc)
  58 {
  59   struct buffer out = alloc_buf_gc (32, gc);
  60   buf_printf (&out, "route-gateway dhcp");
  61   return BSTR (&out);
  62 }
  63
  64 static const char *
  65 print_opt_route (const in_addr_t network, const in_addr_t netmask, struct gc_arena *gc)
  66 {
  67   struct buffer out = alloc_buf_gc (128, gc);
  68   ASSERT (network);
  69
  70   if (netmask)
  71     buf_printf (&out, "route %s %s",
  72                 print_in_addr_t (network, 0, gc),
  73                 print_in_addr_t (netmask, 0, gc));
  74   else
  75     buf_printf (&out, "route %s",
  76                 print_in_addr_t (network, 0, gc));
  77
  78   return BSTR (&out);
  79 }
  80
  81 static const char *
  82 print_opt_topology (const int topology, struct gc_arena *gc)
  83 {
  84   struct buffer out = alloc_buf_gc (128, gc);
  85
  86   buf_printf (&out, "topology %s", print_topology (topology));
  87
  88   return BSTR (&out);
  89 }
  90
  91 static const char *
  92 print_str_int (const char *str, const int i, struct gc_arena *gc)
  93 {
  94   struct buffer out = alloc_buf_gc (128, gc);
  95   buf_printf (&out, "%s %d", str, i);
  96   return BSTR (&out);
  97 }
  98
  99 static const char *
 100 print_str (const char *str, struct gc_arena *gc)
 101 {
 102   struct buffer out = alloc_buf_gc (128, gc);
 103   buf_printf (&out, "%s", str);
 104   return BSTR (&out);
 105 }
 106
 107 static void
 108 helper_add_route (const in_addr_t network, const in_addr_t netmask, struct options *o)
 109 {
 110   rol_check_alloc (o);
 111   add_route_to_option_list (o->routes,
 112                             print_in_addr_t (network, 0, &o->gc),
 113                             print_in_addr_t (netmask, 0, &o->gc),
 114                             NULL,
 115                             NULL);
 116 }
 117
 118 static void
 119 verify_common_subnet (const char *opt, const in_addr_t a, const in_addr_t b, const in_addr_t subnet)
 120 {
 121   struct gc_arena gc = gc_new ();
 122   if ((a & subnet) != (b & subnet))
 123     msg (M_USAGE, "%s IP addresses %s and %s are not in the same %s subnet",
 124          opt,
 125          print_in_addr_t (a, 0, &gc),
 126          print_in_addr_t (b, 0, &gc),
 127          print_in_addr_t (subnet, 0, &gc));
 128   gc_free (&gc);
 129 }
 130
 131 #endif
 132
 133 /*
 134  * Process server, server-bridge, and client helper
 135  * directives after the parameters themselves have been
 136  * parsed and placed in struct options.
 137  */
 138 void
 139 helper_client_server (struct options *o)
 140 {
 141   struct gc_arena gc = gc_new ();
 142
 143 #if P2MP
 144 #if P2MP_SERVER
 145   /*
 146    *
 147    * HELPER DIRECTIVE:
 148    *
 149    * server 10.8.0.0 255.255.255.0
 150    *
 151    * EXPANDS TO:
 152    *
 153    * mode server
 154    * tls-server
 155    * push "topology [topology]"
 156    *
 157    * if tun AND (topology == net30 OR topology == p2p):
 158    *   ifconfig 10.8.0.1 10.8.0.2
 159    *   if !nopool:
 160    *     ifconfig-pool 10.8.0.4 10.8.0.251
 161    *   route 10.8.0.0 255.255.255.0
 162    *   if client-to-client:
 163    *     push "route 10.8.0.0 255.255.255.0"
 164    *   else if topology == net30:
 165    *     push "route 10.8.0.1"
 166    *
 167    * if tap OR (tun AND topology == subnet):
 168    *   ifconfig 10.8.0.1 255.255.255.0
 169    *   if !nopool:
 170    *     ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
 171    *   push "route-gateway 10.8.0.1"
 172    */
 173
 174   /*
 175    * Get tun/tap/null device type
 176    */
 177   const int dev = dev_type_enum (o->dev, o->dev_type);
 178   const int topology = o->topology;
 179
 180   if (o->server_defined)
 181     {
 182       int netbits = -2;
 183       bool status = false;
 184
 185       if (o->client)
 186         msg (M_USAGE, "--server and --client cannot be used together");
 187
 188       if (o->server_bridge_defined || o->server_bridge_proxy_dhcp)
 189         msg (M_USAGE, "--server and --server-bridge cannot be used together");
 190
 191       if (o->shared_secret_file)
 192         msg (M_USAGE, "--server and --secret cannot be used together (you must use SSL/TLS keys)");
 193
 194       if (!(o->server_flags & SF_NOPOOL) && o->ifconfig_pool_defined)
 195         msg (M_USAGE, "--server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly");
 196
 197       if (!(dev == DEV_TYPE_TAP || dev == DEV_TYPE_TUN))
 198         msg (M_USAGE, "--server directive only makes sense with --dev tun or --dev tap");
 199
 200       status = netmask_to_netbits (o->server_network, o->server_netmask, &netbits);
 201       if (!status)
 202         msg (M_USAGE, "--server directive network/netmask combination is invalid");
 203
 204       if (netbits < 0)
 205         msg (M_USAGE, "--server directive netmask is invalid");
 206
 207       if (netbits < IFCONFIG_POOL_MIN_NETBITS)
 208         msg (M_USAGE, "--server directive netmask allows for too many host addresses (subnet must be %s or higher)",
 209              print_netmask (IFCONFIG_POOL_MIN_NETBITS, &gc));
 210
 211       if (dev == DEV_TYPE_TUN)
 212         {
 213           int pool_end_reserve = 4;
 214
 215           if (netbits > 29)
 216             msg (M_USAGE, "--server directive when used with --dev tun must define a subnet of %s or lower",
 217                  print_netmask (29, &gc));
 218
 219           if (netbits == 29)
 220             pool_end_reserve = 0;
 221
 222           o->mode = MODE_SERVER;
 223           o->tls_server = true;
 224
 225           if (topology == TOP_NET30 || topology == TOP_P2P)
 226             {
 227               o->ifconfig_local = print_in_addr_t (o->server_network + 1, 0, &o->gc);
 228               o->ifconfig_remote_netmask = print_in_addr_t (o->server_network + 2, 0, &o->gc);
 229
 230               if (!(o->server_flags & SF_NOPOOL))
 231                 {
 232                   o->ifconfig_pool_defined = true;
 233                   o->ifconfig_pool_start = o->server_network + 4;
 234                   o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - pool_end_reserve;
 235                   ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
 236                 }
 237
 238               helper_add_route (o->server_network, o->server_netmask, o);
 239               if (o->enable_c2c)
 240                 push_option (o, print_opt_route (o->server_network, o->server_netmask, &o->gc), M_USAGE);
 241               else if (topology == TOP_NET30)
 242                 push_option (o, print_opt_route (o->server_network + 1, 0, &o->gc), M_USAGE);
 243             }
 244           else if (topology == TOP_SUBNET)
 245             {
 246               o->ifconfig_local = print_in_addr_t (o->server_network + 1, 0, &o->gc);
 247               o->ifconfig_remote_netmask = print_in_addr_t (o->server_netmask, 0, &o->gc);
 248
 249               if (!(o->server_flags & SF_NOPOOL))
 250                 {
 251                   o->ifconfig_pool_defined = true;
 252                   o->ifconfig_pool_start = o->server_network + 2;
 253                   o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 2;
 254                   ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
 255                 }
 256               o->ifconfig_pool_netmask = o->server_netmask;
 257
 258               push_option (o, print_opt_route_gateway (o->server_network + 1, &o->gc), M_USAGE);
 259             }
 260           else
 261             ASSERT (0);
 262
 263           push_option (o, print_opt_topology (topology, &o->gc), M_USAGE);
 264         }
 265       else if (dev == DEV_TYPE_TAP)
 266         {
 267           if (netbits > 30)
 268             msg (M_USAGE, "--server directive when used with --dev tap must define a subnet of %s or lower",
 269                  print_netmask (30, &gc));
 270
 271           o->mode = MODE_SERVER;
 272           o->tls_server = true;
 273           o->ifconfig_local = print_in_addr_t (o->server_network + 1, 0, &o->gc);
 274           o->ifconfig_remote_netmask = print_in_addr_t (o->server_netmask, 0, &o->gc);
 275
 276           if (!(o->server_flags & SF_NOPOOL))
 277             {
 278               o->ifconfig_pool_defined = true;
 279               o->ifconfig_pool_start = o->server_network + 2;
 280               o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 1;
 281               ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
 282             }
 283           o->ifconfig_pool_netmask = o->server_netmask;
 284
 285           push_option (o, print_opt_route_gateway (o->server_network + 1, &o->gc), M_USAGE);
 286         }
 287       else
 288         {
 289           ASSERT (0);
 290         }
 291
 292       /* set push-ifconfig-constraint directive */
 293       if ((dev == DEV_TYPE_TAP || topology == TOP_SUBNET))
 294         {
 295           o->push_ifconfig_constraint_defined = true;
 296           o->push_ifconfig_constraint_network = o->server_network;
 297           o->push_ifconfig_constraint_netmask = o->server_netmask;
 298         }
 299     }
 300
 301   /*
 302    * HELPER DIRECTIVE:
 303    *
 304    * server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254
 305    *
 306    * EXPANDS TO:
 307    *
 308    * mode server
 309    * tls-server
 310    *
 311    * ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
 312    * push "route-gateway 10.8.0.4"
 313    *
 314    * OR
 315    *
 316    * server-bridge
 317    *
 318    * EXPANDS TO:
 319    *
 320    * mode server
 321    * tls-server
 322    *
 323    * if !nogw:
 324    *   push "route-gateway dhcp"
 325    */
 326   else if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
 327     {
 328       if (o->client)
 329         msg (M_USAGE, "--server-bridge and --client cannot be used together");
 330
 331       if (!(o->server_flags & SF_NOPOOL) && o->ifconfig_pool_defined)
 332         msg (M_USAGE, "--server-bridge already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly");
 333
 334       if (o->shared_secret_file)
 335         msg (M_USAGE, "--server-bridge and --secret cannot be used together (you must use SSL/TLS keys)");
 336
 337       if (dev != DEV_TYPE_TAP)
 338         msg (M_USAGE, "--server-bridge directive only makes sense with --dev tap");
 339
 340       if (o->server_bridge_defined)
 341         {
 342           verify_common_subnet ("--server-bridge", o->server_bridge_ip, o->server_bridge_pool_start, o->server_bridge_netmask);
 343           verify_common_subnet ("--server-bridge", o->server_bridge_pool_start, o->server_bridge_pool_end, o->server_bridge_netmask);
 344           verify_common_subnet ("--server-bridge", o->server_bridge_ip, o->server_bridge_pool_end, o->server_bridge_netmask);
 345         }
 346
 347       o->mode = MODE_SERVER;
 348       o->tls_server = true;
 349
 350       if (o->server_bridge_defined)
 351         {
 352           o->ifconfig_pool_defined = true;
 353           o->ifconfig_pool_start = o->server_bridge_pool_start;
 354           o->ifconfig_pool_end = o->server_bridge_pool_end;
 355           ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
 356           o->ifconfig_pool_netmask = o->server_bridge_netmask;
 357           push_option (o, print_opt_route_gateway (o->server_bridge_ip, &o->gc), M_USAGE);
 358         }
 359       else if (o->server_bridge_proxy_dhcp && !(o->server_flags & SF_NO_PUSH_ROUTE_GATEWAY))
 360         {
 361           push_option (o, print_opt_route_gateway_dhcp (&o->gc), M_USAGE);
 362         }
 363     }
 364   else
 365 #endif /* P2MP_SERVER */
 366
 367   /*
 368    * HELPER DIRECTIVE:
 369    *
 370    * client
 371    *
 372    * EXPANDS TO:
 373    *
 374    * pull
 375    * tls-client
 376    */
 377   if (o->client)
 378     {
 379       if (o->key_method != 2)
 380         msg (M_USAGE, "--client requires --key-method 2");
 381
 382       o->pull = true;
 383       o->tls_client = true;
 384     }
 385
 386 #endif /* P2MP */
 387
 388   gc_free (&gc);
 389 }
 390
 391 /*
 392  *
 393  * HELPER DIRECTIVE:
 394  *
 395  * keepalive 10 60
 396  *
 397  * EXPANDS TO:
 398  *
 399  * if mode server:
 400  *   ping 10
 401  *   ping-restart 120
 402  *   push "ping 10"
 403  *   push "ping-restart 60"
 404  * else
 405  *   ping 10
 406  *   ping-restart 60
 407  */
 408 void
 409 helper_keepalive (struct options *o)
 410 {
 411   if (o->keepalive_ping || o->keepalive_timeout)
 412     {
 413       /*
 414        * Sanity checks.
 415        */
 416       if (o->keepalive_ping <= 0 || o->keepalive_timeout <= 0)
 417         msg (M_USAGE, "--keepalive parameters must be > 0");
 418       if (o->keepalive_ping * 2 > o->keepalive_timeout)
 419         msg (M_USAGE, "the second parameter to --keepalive (restart timeout=%d) must be at least twice the value of the first parameter (ping interval=%d).  A ratio of 1:5 or 1:6 would be even better.  Recommended setting is --keepalive 10 60.",
 420              o->keepalive_timeout,
 421              o->keepalive_ping);
 422       if (o->ping_send_timeout || o->ping_rec_timeout)
 423         msg (M_USAGE, "--keepalive conflicts with --ping, --ping-exit, or --ping-restart.  If you use --keepalive, you don't need any of the other --ping directives.");
 424
 425       /*
 426        * Expand.
 427        */
 428       if (o->mode == MODE_POINT_TO_POINT)
 429         {
 430           o->ping_rec_timeout_action = PING_RESTART;
 431           o->ping_send_timeout = o->keepalive_ping;
 432           o->ping_rec_timeout = o->keepalive_timeout;
 433         }
 434 #if P2MP_SERVER
 435       else if (o->mode == MODE_SERVER)
 436         {
 437           o->ping_rec_timeout_action = PING_RESTART;
 438           o->ping_send_timeout = o->keepalive_ping;
 439           o->ping_rec_timeout = o->keepalive_timeout * 2;
 440           push_option (o, print_str_int ("ping", o->keepalive_ping, &o->gc), M_USAGE);
 441           push_option (o, print_str_int ("ping-restart", o->keepalive_timeout, &o->gc), M_USAGE);
 442         }
 443 #endif
 444       else
 445         {
 446           ASSERT (0);
 447         }
 448     }
 449 }
 450
 451 /*
 452  *
 453  * HELPER DIRECTIVE:
 454  *
 455  * tcp-nodelay
 456  *
 457  * EXPANDS TO:
 458  *
 459  * if mode server:
 460  *   socket-flags TCP_NODELAY
 461  *   push "socket-flags TCP_NODELAY"
 462  */
 463 void
 464 helper_tcp_nodelay (struct options *o)
 465 {
 466 #if P2MP_SERVER
 467   if (o->server_flags & SF_TCP_NODELAY_HELPER)
 468     {
 469       if (o->mode == MODE_SERVER)
 470         {
 471           o->sockflags |= SF_TCP_NODELAY;
 472           push_option (o, print_str ("socket-flags TCP_NODELAY", &o->gc), M_USAGE);
 473         }
 474       else
 475         {
 476           ASSERT (0);
 477         }
 478     }
 479 #endif
 480 }