search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add OpenVPN 2.1rc12 source (unconfigured)
[tomato.git] / release / src / router / openvpn / helper.c
blobf21d07e1d477b5d5ff9f7cece0ebe63f34f4beae
1 /*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2008 Telethra, Inc. <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program (see the file COPYING included with this
21 * distribution); if not, write to the Free Software Foundation, Inc.,
22 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23 */
24
25 #include "syshead.h"
26
27 #include "forward.h"
28 #include "helper.h"
29 #include "pool.h"
30 #include "push.h"
31
32 #include "memdbg.h"
33
34 #if P2MP_SERVER
35
36 static const char *
37 print_netmask (int netbits, struct gc_arena *gc)
38 {
39 struct buffer out = alloc_buf_gc (128, gc);
40 const in_addr_t netmask = netbits_to_netmask (netbits);
41
42 buf_printf (&out, "%s (/%d)", print_in_addr_t (netmask, 0, gc), netbits);
43
44 return BSTR (&out);
45 }
46
47 static const char *
48 print_opt_route_gateway (const in_addr_t route_gateway, struct gc_arena *gc)
49 {
50 struct buffer out = alloc_buf_gc (128, gc);
51 ASSERT (route_gateway);
52 buf_printf (&out, "route-gateway %s", print_in_addr_t (route_gateway, 0, gc));
53 return BSTR (&out);
54 }
55
56 static const char *
57 print_opt_route_gateway_dhcp (struct gc_arena *gc)
58 {
59 struct buffer out = alloc_buf_gc (32, gc);
60 buf_printf (&out, "route-gateway dhcp");
61 return BSTR (&out);
62 }
63
64 static const char *
65 print_opt_route (const in_addr_t network, const in_addr_t netmask, struct gc_arena *gc)
66 {
67 struct buffer out = alloc_buf_gc (128, gc);
68 ASSERT (network);
69
70 if (netmask)
71 buf_printf (&out, "route %s %s",
72 print_in_addr_t (network, 0, gc),
73 print_in_addr_t (netmask, 0, gc));
74 else
75 buf_printf (&out, "route %s",
76 print_in_addr_t (network, 0, gc));
77
78 return BSTR (&out);
79 }
80
81 static const char *
82 print_opt_topology (const int topology, struct gc_arena *gc)
83 {
84 struct buffer out = alloc_buf_gc (128, gc);
85
86 buf_printf (&out, "topology %s", print_topology (topology));
87
88 return BSTR (&out);
89 }
90
91 static const char *
92 print_str_int (const char *str, const int i, struct gc_arena *gc)
93 {
94 struct buffer out = alloc_buf_gc (128, gc);
95 buf_printf (&out, "%s %d", str, i);
96 return BSTR (&out);
97 }
98
99 static void
100 helper_add_route (const in_addr_t network, const in_addr_t netmask, struct options *o)
101 {
102 rol_check_alloc (o);
103 add_route_to_option_list (o->routes,
104 print_in_addr_t (network, 0, &o->gc),
105 print_in_addr_t (netmask, 0, &o->gc),
106 NULL,
107 NULL);
108 }
109
110 static void
111 verify_common_subnet (const char *opt, const in_addr_t a, const in_addr_t b, const in_addr_t subnet)
112 {
113 struct gc_arena gc = gc_new ();
114 if ((a & subnet) != (b & subnet))
115 msg (M_USAGE, "%s IP addresses %s and %s are not in the same %s subnet",
116 opt,
117 print_in_addr_t (a, 0, &gc),
118 print_in_addr_t (b, 0, &gc),
119 print_in_addr_t (subnet, 0, &gc));
120 gc_free (&gc);
121 }
122
123 #endif
124
125 /*
126 * Process server, server-bridge, and client helper
127 * directives after the parameters themselves have been
128 * parsed and placed in struct options.
129 */
130 void
131 helper_client_server (struct options *o)
132 {
133 struct gc_arena gc = gc_new ();
134
135 #if P2MP
136 #if P2MP_SERVER
137 /*
138 *
139 * HELPER DIRECTIVE:
140 *
141 * server 10.8.0.0 255.255.255.0
142 *
143 * EXPANDS TO:
144 *
145 * mode server
146 * tls-server
147 * push "topology [topology]"
148 *
149 * if tun AND (topology == net30 OR topology == p2p):
150 * ifconfig 10.8.0.1 10.8.0.2
151 * if !nopool:
152 * ifconfig-pool 10.8.0.4 10.8.0.251
153 * route 10.8.0.0 255.255.255.0
154 * if client-to-client:
155 * push "route 10.8.0.0 255.255.255.0"
156 * else if topology == net30:
157 * push "route 10.8.0.1"
158 *
159 * if tap OR (tun AND topology == subnet):
160 * ifconfig 10.8.0.1 255.255.255.0
161 * ifconfig-pool-constraint 10.8.0.0 255.255.255.0
162 * if !nopool:
163 * ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
164 * push "route-gateway 10.8.0.1"
165 */
166
167 /*
168 * Get tun/tap/null device type
169 */
170 const int dev = dev_type_enum (o->dev, o->dev_type);
171 const int topology = o->topology;
172
173 if (o->server_defined)
174 {
175 int netbits = -2;
176 bool status = false;
177
178 if (o->client)
179 msg (M_USAGE, "--server and --client cannot be used together");
180
181 if (o->server_bridge_defined || o->server_bridge_proxy_dhcp)
182 msg (M_USAGE, "--server and --server-bridge cannot be used together");
183
184 if (o->shared_secret_file)
185 msg (M_USAGE, "--server and --secret cannot be used together (you must use SSL/TLS keys)");
186
187 if (o->ifconfig_pool_defined)
188 msg (M_USAGE, "--server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly");
189
190 if (!(dev == DEV_TYPE_TAP || dev == DEV_TYPE_TUN))
191 msg (M_USAGE, "--server directive only makes sense with --dev tun or --dev tap");
192
193 status = netmask_to_netbits (o->server_network, o->server_netmask, &netbits);
194 if (!status)
195 msg (M_USAGE, "--server directive network/netmask combination is invalid");
196
197 if (netbits < 0)
198 msg (M_USAGE, "--server directive netmask is invalid");
199
200 if (netbits < IFCONFIG_POOL_MIN_NETBITS)
201 msg (M_USAGE, "--server directive netmask allows for too many host addresses (subnet must be %s or higher)",
202 print_netmask (IFCONFIG_POOL_MIN_NETBITS, &gc));
203
204 if (dev == DEV_TYPE_TUN)
205 {
206 int pool_end_reserve = 4;
207
208 if (netbits > 29)
209 msg (M_USAGE, "--server directive when used with --dev tun must define a subnet of %s or lower",
210 print_netmask (29, &gc));
211
212 if (netbits == 29)
213 pool_end_reserve = 0;
214
215 o->mode = MODE_SERVER;
216 o->tls_server = true;
217
218 if (topology == TOP_NET30 || topology == TOP_P2P)
219 {
220 o->ifconfig_local = print_in_addr_t (o->server_network + 1, 0, &o->gc);
221 o->ifconfig_remote_netmask = print_in_addr_t (o->server_network + 2, 0, &o->gc);
222
223 if (!(o->server_flags & SF_NOPOOL))
224 {
225 o->ifconfig_pool_defined = true;
226 o->ifconfig_pool_start = o->server_network + 4;
227 o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - pool_end_reserve;
228 ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
229 }
230
231 helper_add_route (o->server_network, o->server_netmask, o);
232 if (o->enable_c2c)
233 push_option (o, print_opt_route (o->server_network, o->server_netmask, &o->gc), M_USAGE);
234 else if (topology == TOP_NET30)
235 push_option (o, print_opt_route (o->server_network + 1, 0, &o->gc), M_USAGE);
236 }
237 else if (topology == TOP_SUBNET)
238 {
239 o->ifconfig_local = print_in_addr_t (o->server_network + 1, 0, &o->gc);
240 o->ifconfig_remote_netmask = print_in_addr_t (o->server_netmask, 0, &o->gc);
241
242 if (!(o->server_flags & SF_NOPOOL))
243 {
244 o->ifconfig_pool_defined = true;
245 o->ifconfig_pool_start = o->server_network + 2;
246 o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 2;
247 ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
248 o->ifconfig_pool_netmask = o->server_netmask;
249 }
250
251 push_option (o, print_opt_route_gateway (o->server_network + 1, &o->gc), M_USAGE);
252 }
253 else
254 ASSERT (0);
255
256 push_option (o, print_opt_topology (topology, &o->gc), M_USAGE);
257 }
258 else if (dev == DEV_TYPE_TAP)
259 {
260 if (netbits > 30)
261 msg (M_USAGE, "--server directive when used with --dev tap must define a subnet of %s or lower",
262 print_netmask (30, &gc));
263
264 o->mode = MODE_SERVER;
265 o->tls_server = true;
266 o->ifconfig_local = print_in_addr_t (o->server_network + 1, 0, &o->gc);
267 o->ifconfig_remote_netmask = print_in_addr_t (o->server_netmask, 0, &o->gc);
268
269 if (!(o->server_flags & SF_NOPOOL))
270 {
271 o->ifconfig_pool_defined = true;
272 o->ifconfig_pool_start = o->server_network + 2;
273 o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 1;
274 ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
275 o->ifconfig_pool_netmask = o->server_netmask;
276 }
277
278 push_option (o, print_opt_route_gateway (o->server_network + 1, &o->gc), M_USAGE);
279 }
280 else
281 {
282 ASSERT (0);
283 }
284
285 /* set push-ifconfig-constraint directive */
286 if ((dev == DEV_TYPE_TAP || topology == TOP_SUBNET))
287 {
288 o->push_ifconfig_constraint_defined = true;
289 o->push_ifconfig_constraint_network = o->server_network;
290 o->push_ifconfig_constraint_netmask = o->server_netmask;
291 }
292 }
293
294 /*
295 * HELPER DIRECTIVE:
296 *
297 * server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254
298 *
299 * EXPANDS TO:
300 *
301 * mode server
302 * tls-server
303 *
304 * ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
305 * push "route-gateway 10.8.0.4"
306 *
307 * OR
308 *
309 * server-bridge
310 *
311 * EXPANDS TO:
312 *
313 * mode server
314 * tls-server
315 *
316 * push "route-gateway dhcp"
317 */
318 else if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
319 {
320 if (o->client)
321 msg (M_USAGE, "--server-bridge and --client cannot be used together");
322
323 if (o->ifconfig_pool_defined)
324 msg (M_USAGE, "--server-bridge already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly");
325
326 if (o->shared_secret_file)
327 msg (M_USAGE, "--server-bridge and --secret cannot be used together (you must use SSL/TLS keys)");
328
329 if (dev != DEV_TYPE_TAP)
330 msg (M_USAGE, "--server-bridge directive only makes sense with --dev tap");
331
332 if (o->server_bridge_defined)
333 {
334 verify_common_subnet ("--server-bridge", o->server_bridge_ip, o->server_bridge_pool_start, o->server_bridge_netmask);
335 verify_common_subnet ("--server-bridge", o->server_bridge_pool_start, o->server_bridge_pool_end, o->server_bridge_netmask);
336 verify_common_subnet ("--server-bridge", o->server_bridge_ip, o->server_bridge_pool_end, o->server_bridge_netmask);
337 }
338
339 o->mode = MODE_SERVER;
340 o->tls_server = true;
341
342 if (o->server_bridge_defined)
343 {
344 o->ifconfig_pool_defined = true;
345 o->ifconfig_pool_start = o->server_bridge_pool_start;
346 o->ifconfig_pool_end = o->server_bridge_pool_end;
347 ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
348 o->ifconfig_pool_netmask = o->server_bridge_netmask;
349 push_option (o, print_opt_route_gateway (o->server_bridge_ip, &o->gc), M_USAGE);
350 }
351 else if (o->server_bridge_proxy_dhcp)
352 {
353 push_option (o, print_opt_route_gateway_dhcp (&o->gc), M_USAGE);
354 }
355 }
356 else
357 #endif /* P2MP_SERVER */
358
359 /*
360 * HELPER DIRECTIVE:
361 *
362 * client
363 *
364 * EXPANDS TO:
365 *
366 * pull
367 * tls-client
368 */
369 if (o->client)
370 {
371 if (o->key_method != 2)
372 msg (M_USAGE, "--client requires --key-method 2");
373
374 o->pull = true;
375 o->tls_client = true;
376 }
377
378 #endif /* P2MP */
379
380 gc_free (&gc);
381 }
382
383 /*
384 *
385 * HELPER DIRECTIVE:
386 *
387 * keepalive 10 60
388 *
389 * EXPANDS TO:
390 *
391 * if mode server:
392 * ping 10
393 * ping-restart 120
394 * push "ping 10"
395 * push "ping-restart 60"
396 * else
397 * ping 10
398 * ping-restart 60
399 */
400 void
401 helper_keepalive (struct options *o)
402 {
403 if (o->keepalive_ping || o->keepalive_timeout)
404 {
405 /*
406 * Sanity checks.
407 */
408 if (o->keepalive_ping <= 0 || o->keepalive_timeout <= 0)
409 msg (M_USAGE, "--keepalive parameters must be > 0");
410 if (o->keepalive_ping * 2 > o->keepalive_timeout)
411 msg (M_USAGE, "the second parameter to --keepalive (restart timeout=%d) must be at least twice the value of the first parameter (ping interval=%d). A ratio of 1:5 or 1:6 would be even better. Recommended setting is --keepalive 10 60.",
412 o->keepalive_timeout,
413 o->keepalive_ping);
414 if (o->ping_send_timeout || o->ping_rec_timeout)
415 msg (M_USAGE, "--keepalive conflicts with --ping, --ping-exit, or --ping-restart. If you use --keepalive, you don't need any of the other --ping directives.");
416
417 /*
418 * Expand.
419 */
420 if (o->mode == MODE_POINT_TO_POINT)
421 {
422 o->ping_rec_timeout_action = PING_RESTART;
423 o->ping_send_timeout = o->keepalive_ping;
424 o->ping_rec_timeout = o->keepalive_timeout;
425 }
426 #if P2MP_SERVER
427 else if (o->mode == MODE_SERVER)
428 {
429 o->ping_rec_timeout_action = PING_RESTART;
430 o->ping_send_timeout = o->keepalive_ping;
431 o->ping_rec_timeout = o->keepalive_timeout * 2;
432 push_option (o, print_str_int ("ping", o->keepalive_ping, &o->gc), M_USAGE);
433 push_option (o, print_str_int ("ping-restart", o->keepalive_timeout, &o->gc), M_USAGE);
434 }
435 #endif
436 else
437 {
438 ASSERT (0);
439 }
440 }
441 }
Tomato firmware and modifications.