2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
8 * Copyright (C) 2002-2008 Telethra, Inc. <sales@openvpn.net>
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program (see the file COPYING included with this
21 * distribution); if not, write to the Free Software Foundation, Inc.,
22 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
/*
 * Format a prefix length as "<dotted-quad netmask> (/<netbits>)" for use in
 * usage-error text such as the "subnet must be %s or higher" message.
 *
 * netbits: prefix length; converted to a mask with netbits_to_netmask ().
 * gc:      arena that owns the 128-byte output buffer, so the returned
 *          string is valid until the caller frees the arena.
 * Returns the formatted string inside the arena-owned buffer.
 */
static const char *
print_netmask (int netbits, struct gc_arena *gc)
{
  const in_addr_t mask = netbits_to_netmask (netbits);
  struct buffer text = alloc_buf_gc (128, gc);

  buf_printf (&text, "%s (/%d)", print_in_addr_t (mask, 0, gc), netbits);

  return BSTR (&text);
}
/*
 * Build the option string "route-gateway <ip>" that the server pushes so
 * clients know which address to route through.
 *
 * route_gateway: gateway address; ASSERT () rejects an all-zero value,
 *                since pushing "route-gateway 0.0.0.0" would be a caller bug.
 * gc:            arena that owns the 128-byte output buffer.
 * Returns the formatted string inside the arena-owned buffer.
 */
static const char *
print_opt_route_gateway (const in_addr_t route_gateway, struct gc_arena *gc)
{
  struct buffer text = alloc_buf_gc (128, gc);

  ASSERT (route_gateway);
  buf_printf (&text, "route-gateway %s", print_in_addr_t (route_gateway, 0, gc));

  return BSTR (&text);
}
/*
 * Build the constant option string "route-gateway dhcp", used by the
 * server-bridge proxy-DHCP expansion.
 *
 * gc: arena that owns the 32-byte output buffer (the literal is 18 bytes).
 * Returns the formatted string inside the arena-owned buffer.
 */
static const char *
print_opt_route_gateway_dhcp (struct gc_arena *gc)
{
  struct buffer text = alloc_buf_gc (32, gc);

  buf_printf (&text, "route-gateway dhcp");

  return BSTR (&text);
}
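/*
 * Build a "route" option string for pushing to clients.
 *
 * Two forms are produced from one 128-byte buffer, selected on netmask:
 *   netmask != 0:  "route <network> <netmask>"   (network route)
 *   netmask == 0:  "route <network>"             (host route; the net30
 *                  server branch calls this with netmask 0 for the
 *                  server's own /32)
 * The two buf_printf () calls must be mutually exclusive — appending both
 * forms to the same buffer would emit a malformed directive.
 *
 * network: destination; an all-zero network is treated as a caller bug
 *          (it would push a default route) and is rejected by ASSERT ().
 * netmask: mask, or 0 to request the host-route form.
 * gc:      arena that owns the output buffer.
 * Returns the formatted string inside the arena-owned buffer.
 */
static const char *
print_opt_route (const in_addr_t network, const in_addr_t netmask, struct gc_arena *gc)
{
  struct buffer out = alloc_buf_gc (128, gc);

  ASSERT (network);

  if (netmask)
    buf_printf (&out, "route %s %s",
                print_in_addr_t (network, 0, gc),
                print_in_addr_t (netmask, 0, gc));
  else
    buf_printf (&out, "route %s",
                print_in_addr_t (network, 0, gc));

  return BSTR (&out);
}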
/*
 * Build the option string "topology <name>" that the server pushes so the
 * client uses the same addressing model as the server.
 *
 * topology: TOP_* enumerator; rendered by print_topology ().
 * gc:       arena that owns the 128-byte output buffer.
 * Returns the formatted string inside the arena-owned buffer.
 */
static const char *
print_opt_topology (const int topology, struct gc_arena *gc)
{
  struct buffer text = alloc_buf_gc (128, gc);

  buf_printf (&text, "topology %s", print_topology (topology));

  return BSTR (&text);
}
/*
 * Build a generic "<directive> <integer>" option string, e.g. "ping 10",
 * for pushing to clients.
 *
 * str: directive name; must not be NULL (used as a %s argument).
 * i:   integer parameter.
 * gc:  arena that owns the 128-byte output buffer.
 * Returns the formatted string inside the arena-owned buffer.
 */
static const char *
print_str_int (const char *str, const int i, struct gc_arena *gc)
{
  struct buffer text = alloc_buf_gc (128, gc);

  buf_printf (&text, "%s %d", str, i);

  return BSTR (&text);
}
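/*
 * Append a network route (no explicit gateway or metric) to the option
 * set's route list, as if "route <network> <netmask>" had appeared in the
 * configuration.
 *
 * o->routes is lazily allocated, so it is ensured to exist with
 * rol_check_alloc () before being passed to add_route_to_option_list ();
 * without that, a configuration whose first route comes from --server
 * would hand a NULL list to the route code.  The address strings are
 * allocated from o->gc and therefore live as long as the options.
 *
 * network, netmask: the route, as binary addresses.
 * o:                options to update in place.
 */
static void
helper_add_route (const in_addr_t network, const in_addr_t netmask, struct options *o)
{
  rol_check_alloc (o);
  add_route_to_option_list (o->routes,
                            print_in_addr_t (network, 0, &o->gc),
                            print_in_addr_t (netmask, 0, &o->gc),
                            NULL,   /* gateway: use the default route gateway */
                            NULL);  /* metric: none */
}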
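/*
 * Reject a configuration in which two addresses that must share a subnet
 * (e.g. the server-bridge IP and the pool bounds) do not.
 *
 * The message format has four conversions, so the directive name is passed
 * first, followed by the three addresses; omitting it would shift every
 * argument and read past the argument list.  A usage error is fatal, so the
 * temporary arena is only freed on the success path.
 *
 * opt:    directive name shown in the error, e.g. "--server-bridge".
 * a, b:   addresses that must fall in the same subnet.
 * subnet: netmask applied to both before comparison.
 */
static void
verify_common_subnet (const char *opt, const in_addr_t a, const in_addr_t b, const in_addr_t subnet)
{
  struct gc_arena gc = gc_new ();

  if ((a & subnet) != (b & subnet))
    msg (M_USAGE, "%s IP addresses %s and %s are not in the same %s subnet",
         opt,
         print_in_addr_t (a, 0, &gc),
         print_in_addr_t (b, 0, &gc),
         print_in_addr_t (subnet, 0, &gc));

  gc_free (&gc);
}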
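/*
 * Process server, server-bridge, and client helper
 * directives after the parameters themselves have been
 * parsed and placed in struct options.
 *
 * Each helper directive is validated and then expanded in place into the
 * lower-level options it stands for (mode, tls-server/tls-client, ifconfig,
 * ifconfig-pool, local routes and pushed directives).  All validation
 * failures go through msg (M_USAGE, ...), a fatal usage error, so the
 * expansion only ever runs on fully validated parameters.
 *
 * NOTE(review): several guard conditions and the opening #if lines were
 * not present in the excerpt this was restored from; they were recovered
 * from the messages they guard and from the matching #endif — confirm
 * against upstream helper.c.
 *
 * o: parsed options, updated in place; option strings are allocated from
 *    o->gc and live as long as the options.
 */
void
helper_client_server (struct options *o)
{
  struct gc_arena gc = gc_new ();

#if P2MP
#if P2MP_SERVER

  /*
   * HELPER DIRECTIVE for IPv4:
   *
   * server 10.8.0.0 255.255.255.0
   *
   * EXPANDS TO:
   *
   * mode server
   * tls-server
   * push "topology [topology]"
   *
   * if tun AND (topology == net30 OR topology == p2p):
   *   ifconfig 10.8.0.1 10.8.0.2
   *   if !nopool:
   *     ifconfig-pool 10.8.0.4 10.8.0.251
   *   route 10.8.0.0 255.255.255.0
   *   if client-to-client:
   *     push "route 10.8.0.0 255.255.255.0"
   *   else if topology == net30:
   *     push "route 10.8.0.1"
   *
   * if tap OR (tun AND topology == subnet):
   *   ifconfig 10.8.0.1 255.255.255.0
   *   ifconfig-pool-constraint 10.8.0.0 255.255.255.0
   *   if !nopool:
   *     ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
   *   push "route-gateway 10.8.0.1"
   */

  /*
   * Get tun/tap/null device type
   */
  const int dev = dev_type_enum (o->dev, o->dev_type);
  const int topology = o->topology;

  if (o->server_defined)
    {
      int netbits = -1;
      bool status = false;

      /* --server is a macro for a TLS server; every option it expands to
       * conflicts with the directives rejected here. */
      if (o->client)
        msg (M_USAGE, "--server and --client cannot be used together");

      if (o->server_bridge_defined || o->server_bridge_proxy_dhcp)
        msg (M_USAGE, "--server and --server-bridge cannot be used together");

      if (o->shared_secret_file)
        msg (M_USAGE, "--server and --secret cannot be used together (you must use SSL/TLS keys)");

      if (o->ifconfig_pool_defined)
        msg (M_USAGE, "--server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly");

      if (!(dev == DEV_TYPE_TAP || dev == DEV_TYPE_TUN))
        msg (M_USAGE, "--server directive only makes sense with --dev tun or --dev tap");

      /* The network/netmask pair must describe a well-formed CIDR block;
       * netbits is reused below for every size check. */
      status = netmask_to_netbits (o->server_network, o->server_netmask, &netbits);
      if (!status)
        msg (M_USAGE, "--server directive network/netmask combination is invalid");

      if (netbits < 0)
        msg (M_USAGE, "--server directive netmask is invalid");

      /* Lower bound on the prefix length: this caps how many host
       * addresses the server will manage in its address pool. */
      if (netbits < IFCONFIG_POOL_MIN_NETBITS)
        msg (M_USAGE, "--server directive netmask allows for too many host addresses (subnet must be %s or higher)",
             print_netmask (IFCONFIG_POOL_MIN_NETBITS, &gc));

      if (dev == DEV_TYPE_TUN)
        {
          /* Addresses held back at the top of the block in net30/p2p
           * mode; a /29 has no room to spare, so nothing is reserved. */
          int pool_end_reserve = 4;

          if (netbits > 29)
            msg (M_USAGE, "--server directive when used with --dev tun must define a subnet of %s or lower",
                 print_netmask (29, &gc));

          if (netbits == 29)
            pool_end_reserve = 0;

          o->mode = MODE_SERVER;
          o->tls_server = true;

          if (topology == TOP_NET30 || topology == TOP_P2P)
            {
              /* Server takes .1, with .2 as its point-to-point peer. */
              o->ifconfig_local = print_in_addr_t (o->server_network + 1, 0, &o->gc);
              o->ifconfig_remote_netmask = print_in_addr_t (o->server_network + 2, 0, &o->gc);

              if (!(o->server_flags & SF_NOPOOL))
                {
                  /* network | ~netmask is the last address of the block
                   * (assumes host byte order, as elsewhere in this file). */
                  o->ifconfig_pool_defined = true;
                  o->ifconfig_pool_start = o->server_network + 4;
                  o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - pool_end_reserve;
                  ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
                }

              helper_add_route (o->server_network, o->server_netmask, o);
              if (o->enable_c2c)
                push_option (o, print_opt_route (o->server_network, o->server_netmask, &o->gc), M_USAGE);
              else if (topology == TOP_NET30)
                push_option (o, print_opt_route (o->server_network + 1, 0, &o->gc), M_USAGE);
            }
          else if (topology == TOP_SUBNET)
            {
              o->ifconfig_local = print_in_addr_t (o->server_network + 1, 0, &o->gc);
              o->ifconfig_remote_netmask = print_in_addr_t (o->server_netmask, 0, &o->gc);

              if (!(o->server_flags & SF_NOPOOL))
                {
                  /* .2 up to the last host address (broadcast excluded). */
                  o->ifconfig_pool_defined = true;
                  o->ifconfig_pool_start = o->server_network + 2;
                  o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 2;
                  ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
                }
              o->ifconfig_pool_netmask = o->server_netmask;

              push_option (o, print_opt_route_gateway (o->server_network + 1, &o->gc), M_USAGE);
            }
          else
            ASSERT (0);

          push_option (o, print_opt_topology (topology, &o->gc), M_USAGE);
        }
      else if (dev == DEV_TYPE_TAP)
        {
          if (netbits > 30)
            msg (M_USAGE, "--server directive when used with --dev tap must define a subnet of %s or lower",
                 print_netmask (30, &gc));

          o->mode = MODE_SERVER;
          o->tls_server = true;
          o->ifconfig_local = print_in_addr_t (o->server_network + 1, 0, &o->gc);
          o->ifconfig_remote_netmask = print_in_addr_t (o->server_netmask, 0, &o->gc);

          if (!(o->server_flags & SF_NOPOOL))
            {
              o->ifconfig_pool_defined = true;
              o->ifconfig_pool_start = o->server_network + 2;
              o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 1;
              ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
            }
          o->ifconfig_pool_netmask = o->server_netmask;

          push_option (o, print_opt_route_gateway (o->server_network + 1, &o->gc), M_USAGE);
        }
      else
        {
          ASSERT (0);
        }

      /* set push-ifconfig-constraint directive:
       * any client-specific ifconfig pushed later must lie inside the
       * server block, so a bad ccd entry cannot hand out foreign addresses */
      if (dev == DEV_TYPE_TAP || topology == TOP_SUBNET)
        {
          o->push_ifconfig_constraint_defined = true;
          o->push_ifconfig_constraint_network = o->server_network;
          o->push_ifconfig_constraint_netmask = o->server_netmask;
        }
    }

  /*
   * HELPER DIRECTIVE:
   *
   * server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254
   *
   * EXPANDS TO:
   *
   * mode server
   * tls-server
   *
   * if !nopool:
   *   ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
   * push "route-gateway 10.8.0.4"
   *
   * OR
   *
   * server-bridge
   *
   * EXPANDS TO:
   *
   * mode server
   * tls-server
   * push "route-gateway dhcp"
   */
  /* logical ||, matching the same test in the --server branch above
   * (the flags are bools, so this does not change the result) */
  else if (o->server_bridge_defined || o->server_bridge_proxy_dhcp)
    {
      if (o->client)
        msg (M_USAGE, "--server-bridge and --client cannot be used together");

      if (o->ifconfig_pool_defined)
        msg (M_USAGE, "--server-bridge already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly");

      if (o->shared_secret_file)
        msg (M_USAGE, "--server-bridge and --secret cannot be used together (you must use SSL/TLS keys)");

      if (dev != DEV_TYPE_TAP)
        msg (M_USAGE, "--server-bridge directive only makes sense with --dev tap");

      if (o->server_bridge_defined)
        {
          /* The bridge IP and both pool bounds must share one subnet;
           * each pair is checked so the error names the offending pair. */
          verify_common_subnet ("--server-bridge", o->server_bridge_ip, o->server_bridge_pool_start, o->server_bridge_netmask);
          verify_common_subnet ("--server-bridge", o->server_bridge_pool_start, o->server_bridge_pool_end, o->server_bridge_netmask);
          verify_common_subnet ("--server-bridge", o->server_bridge_ip, o->server_bridge_pool_end, o->server_bridge_netmask);
        }

      o->mode = MODE_SERVER;
      o->tls_server = true;

      if (o->server_bridge_defined)
        {
          o->ifconfig_pool_defined = true;
          o->ifconfig_pool_start = o->server_bridge_pool_start;
          o->ifconfig_pool_end = o->server_bridge_pool_end;
          ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
          o->ifconfig_pool_netmask = o->server_bridge_netmask;
          push_option (o, print_opt_route_gateway (o->server_bridge_ip, &o->gc), M_USAGE);
        }
      else if (o->server_bridge_proxy_dhcp)
        {
          push_option (o, print_opt_route_gateway_dhcp (&o->gc), M_USAGE);
        }
    }
  else
#endif /* P2MP_SERVER */

  /*
   * HELPER DIRECTIVE:
   *
   * client
   *
   * EXPANDS TO:
   *
   * pull
   * tls-client
   */
  if (o->client)
    {
      /* Pulled options are only supported with the key-method 2 handshake. */
      if (o->key_method != 2)
        msg (M_USAGE, "--client requires --key-method 2");

      o->pull = true;
      o->tls_client = true;
    }

#endif /* P2MP */

  gc_free (&gc);
}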
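/*
 * HELPER DIRECTIVE:
 *
 * keepalive 10 60
 *
 * EXPANDS TO:
 *
 * if mode server:
 *   ping 10
 *   ping-restart 120
 *   push "ping 10"
 *   push "ping-restart 60"
 * else
 *   ping 10
 *   ping-restart 60
 *
 * Validate the two --keepalive parameters and expand them into the
 * --ping/--ping-restart pair for this side; in server mode the values are
 * also pushed to clients, with the server's own restart timeout doubled so
 * the server outlives a client that is merely slow to notice.
 *
 * Two changes against the earlier text: the ratio check is written as
 * keepalive_ping > keepalive_timeout / 2, which is the same test for the
 * positive values admitted by the preceding check but cannot overflow
 * (keepalive_ping * 2 is signed and could wrap for a huge ping interval,
 * silently passing the check); and the ratio message supplies both %d
 * arguments, timeout then ping, as its text requires.
 *
 * o: options updated in place; pushed strings are allocated from o->gc.
 */
void
helper_keepalive (struct options *o)
{
  if (o->keepalive_ping || o->keepalive_timeout)
    {
      /*
       * Sanity checks.  Each msg (M_USAGE, ...) is a fatal usage error.
       */
      if (o->keepalive_ping <= 0 || o->keepalive_timeout <= 0)
        msg (M_USAGE, "--keepalive parameters must be > 0");

      /* Both values are > 0 here, so p > t/2 is equivalent to 2p > t
       * without the multiplication. */
      if (o->keepalive_ping > o->keepalive_timeout / 2)
        msg (M_USAGE, "the second parameter to --keepalive (restart timeout=%d) must be at least twice the value of the first parameter (ping interval=%d). A ratio of 1:5 or 1:6 would be even better. Recommended setting is --keepalive 10 60.",
             o->keepalive_timeout,
             o->keepalive_ping);

      if (o->ping_send_timeout || o->ping_rec_timeout)
        msg (M_USAGE, "--keepalive conflicts with --ping, --ping-exit, or --ping-restart. If you use --keepalive, you don't need any of the other --ping directives.");

      /*
       * Expand.
       */
      if (o->mode == MODE_POINT_TO_POINT)
        {
          o->ping_rec_timeout_action = PING_RESTART;
          o->ping_send_timeout = o->keepalive_ping;
          o->ping_rec_timeout = o->keepalive_timeout;
        }
#if P2MP_SERVER
      else if (o->mode == MODE_SERVER)
        {
          o->ping_rec_timeout_action = PING_RESTART;
          o->ping_send_timeout = o->keepalive_ping;
          /* NOTE(review): keepalive_timeout is only bounded below, so this
           * doubling can still overflow for an absurd timeout — consider an
           * upper bound on the directive if that matters. */
          o->ping_rec_timeout = o->keepalive_timeout * 2;
          push_option (o, print_str_int ("ping", o->keepalive_ping, &o->gc), M_USAGE);
          push_option (o, print_str_int ("ping-restart", o->keepalive_timeout, &o->gc), M_USAGE);
        }
#endif
    }
}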