2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
8 * Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program (see the file COPYING included with this
21 * distribution); if not, write to the Free Software Foundation, Inc.,
22 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
26 * 2004-01-28: Added Socks5 proxy support
27 * (Christof Meerwald, http://cmeerw.org)
41 #include "packet_id.h"
51 const char title_string
[] =
62 " [LZO" LZO_VERSION_NUM
"]"
67 #ifdef PRODUCT_TAP_DEBUG
81 static const char usage_message
[] =
85 "--config file : Read configuration options from file.\n"
86 "--help : Show options.\n"
87 "--version : Show copyright and version information.\n"
90 "--local host : Local host name or ip address. Implies --bind.\n"
91 "--remote host [port] : Remote host name or ip address.\n"
92 "--remote-random : If multiple --remote options specified, choose one randomly.\n"
93 "--remote-random-hostname : Add a random string to remote DNS name.\n"
94 "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
95 "--proto p : Use protocol p for communicating with peer.\n"
96 " p = udp (default), tcp-server, or tcp-client\n"
97 "--connect-retry n : For --proto tcp-client, number of seconds to wait\n"
98 " between connection retries (default=%d).\n"
99 "--connect-timeout n : For --proto tcp-client, connection timeout (in seconds).\n"
100 "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
101 #ifdef GENERAL_PROXY_SUPPORT
102 "--auto-proxy : Try to sense proxy settings (or lack thereof) automatically.\n"
104 #ifdef ENABLE_HTTP_PROXY
105 "--http-proxy s p [up] [auth] : Connect to remote host\n"
106 " through an HTTP proxy at address s and port p.\n"
107 " If proxy authentication is required,\n"
108 " up is a file containing username/password on 2 lines, or\n"
109 " 'stdin' to prompt from console. Add auth='ntlm' if\n"
110 " the proxy requires NTLM authentication.\n"
111 "--http-proxy s p 'auto': Like the above directive, but automatically determine\n"
112 " auth method and query for username/password if needed.\n"
113 "--http-proxy-retry : Retry indefinitely on HTTP proxy errors.\n"
114 "--http-proxy-timeout n : Proxy timeout in seconds, default=5.\n"
115 "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
116 " Repeat to set multiple options.\n"
117 " VERSION version (default=1.0)\n"
118 " AGENT user-agent\n"
121 "--socks-proxy s [p]: Connect to remote host through a Socks5 proxy at address\n"
122 " s and port p (default port = 1080).\n"
123 "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
125 "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
126 " resolve for n seconds before failing (disabled by default).\n"
127 " Set n=\"infinite\" to retry indefinitely.\n"
128 "--float : Allow remote to change its IP address/port, such as through\n"
129 " DHCP (this is the default if --remote is not used).\n"
130 "--ipchange cmd : Execute shell command cmd on remote ip address initial\n"
131 " setting or change -- execute as: cmd ip-address port#\n"
132 "--port port : TCP/UDP port # for both local and remote.\n"
133 "--lport port : TCP/UDP port # for local (default=%d). Implies --bind.\n"
134 "--rport port : TCP/UDP port # for remote (default=%d).\n"
135 "--bind : Bind to local address and port. (This is the default unless\n"
136 " --proto tcp-client"
137 #ifdef ENABLE_HTTP_PROXY
144 "--nobind : Do not bind to local address and port.\n"
145 "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
146 "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
147 " this option only if the tun/tap device used with --dev\n"
148 " does not begin with \"tun\" or \"tap\".\n"
149 "--dev-node node : Explicitly set the device node rather than using\n"
150 " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
151 "--lladdr hw : Set the link layer address of the tap device.\n"
152 "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
153 "--tun-ipv6 : Build tun link capable of forwarding IPv6 traffic.\n"
154 #ifdef CONFIG_FEATURE_IPROUTE
155 "--iproute cmd : Use this command instead of default " IPROUTE_PATH
".\n"
157 "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
158 " endpoint and rn as a remote endpoint. l & rn should be\n"
159 " swapped on the other peer. l & rn must be private\n"
160 " addresses outside of the subnets used by either peer.\n"
161 " TAP: configure device to use IP address l as a local\n"
162 " endpoint and rn as a subnet mask.\n"
163 "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
164 " pass --ifconfig parms by environment to scripts.\n"
165 "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
166 " connection doesn't match the remote side.\n"
167 "--route network [netmask] [gateway] [metric] :\n"
168 " Add route to routing table after connection\n"
169 " is established. Multiple routes can be specified.\n"
170 " netmask default: 255.255.255.255\n"
171 " gateway default: taken from --route-gateway or --ifconfig\n"
172 " Specify default by leaving blank or setting to \"nil\".\n"
173 "--max-routes n : Specify the maximum number of routes that may be defined\n"
174 " or pulled from a server.\n"
175 "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
176 "--route-metric m : Specify a default metric for use with --route.\n"
177 "--route-delay n [w] : Delay n seconds after connection initiation before\n"
178 " adding routes (may be 0). If not specified, routes will\n"
179 " be added immediately after tun/tap open. On Windows, wait\n"
180 " up to w seconds for TUN/TAP adapter to come up.\n"
181 "--route-up cmd : Execute shell cmd after routes are added.\n"
182 "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
183 " --route-up script using environmental variables.\n"
184 "--route-nopull : When used with --client or --pull, accept options pushed\n"
185 " by server EXCEPT for routes.\n"
186 "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
187 " --ifconfig, --route, and --route-gateway.\n"
188 "--redirect-gateway [flags]: Automatically execute routing\n"
189 " commands to redirect all outgoing IP traffic through the\n"
190 " VPN. Add 'local' flag if both " PACKAGE_NAME
" servers are directly\n"
191 " connected via a common subnet, such as with WiFi.\n"
192 " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
193 " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
194 " flag to add a direct route to DHCP server, bypassing tunnel.\n"
195 " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
196 "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
197 " the default gateway. Useful when pushing private subnets.\n"
198 "--setenv name value : Set a custom environmental variable to pass to script.\n"
199 "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
200 " directives for future OpenVPN versions to be ignored.\n"
201 "--script-security level mode : mode='execve' (default) or 'system', level=\n"
202 " 0 -- strictly no calling of external programs\n"
203 " 1 -- (default) only call built-ins such as ifconfig\n"
204 " 2 -- allow calling of built-ins and scripts\n"
205 " 3 -- allow password to be passed to scripts via env\n"
206 "--shaper n : Restrict output to peer to n bytes per second.\n"
207 "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
208 " ping once every n seconds, restart if ping not received\n"
210 "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
211 " produces a combined in/out byte count < bytes.\n"
212 "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
213 "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
214 "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
216 "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
217 #if ENABLE_IP_PKTINFO
218 "--multihome : Configure a multi-homed UDP server.\n"
220 "--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n"
221 "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
222 "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
223 "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
224 "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
225 "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
226 #if PASSTOS_CAPABILITY
227 "--passtos : TOS passthrough (applies to IPv4 only).\n"
229 "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
230 " TCP/UDP MTU from it (default=%d).\n"
231 "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
232 " as n bytes more than the tun-mtu size on read\n"
233 " (default TUN=0 TAP=%d).\n"
234 "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
236 "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
237 " 'no' -- Never send DF (Don't Fragment) frames\n"
238 " 'maybe' -- Use per-route hints\n"
239 " 'yes' -- Always DF (Don't Fragment)\n"
241 "--mtu-test : Empirically measure and report MTU.\n"
243 #ifdef ENABLE_FRAGMENT
244 "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
245 " datagrams are sent which are larger than max bytes.\n"
246 " Adds 4 bytes of overhead per datagram.\n"
248 "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
249 " or --fragment max value, whichever is lower.\n"
250 "--sndbuf size : Set the TCP/UDP send buffer size.\n"
251 "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
252 "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
253 "--mlock : Disable Paging -- ensures key material and tunnel\n"
254 " data will never be written to disk.\n"
255 "--up cmd : Shell cmd to execute after successful tun device open.\n"
256 " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
257 " ifconfig-local-ip ifconfig-remote-ip\n"
258 " (pre --user or --group UID/GID change)\n"
259 "--up-delay : Delay tun/tap open and possible --up script execution\n"
260 " until after TCP/UDP connection establishment with peer.\n"
261 "--down cmd : Shell cmd to run after tun device close.\n"
262 " (post --user/--group UID/GID change and/or --chroot)\n"
263 " (script parameters are same as --up option)\n"
264 "--down-pre : Call --down cmd/script before TUN/TAP close.\n"
265 "--up-restart : Run up/down scripts for all restarts including those\n"
266 " caused by --ping-restart or SIGUSR1\n"
267 "--user user : Set UID to user after initialization.\n"
268 "--group group : Set GID to group after initialization.\n"
269 "--chroot dir : Chroot to this directory after initialization.\n"
271 "--setcon context: Apply this SELinux context after initialization.\n"
273 "--cd dir : Change to this directory before initialization.\n"
274 "--daemon [name] : Become a daemon after initialization.\n"
275 " The optional 'name' parameter will be passed\n"
276 " as the program name to the system logger.\n"
277 "--syslog [name] : Output to syslog, but do not become a daemon.\n"
278 " See --daemon above for a description of the 'name' parm.\n"
279 "--inetd [name] ['wait'|'nowait'] : Run as an inetd or xinetd server.\n"
280 " See --daemon above for a description of the 'name' parm.\n"
281 "--log file : Output log to file which is created/truncated on open.\n"
282 "--log-append file : Append log to file, or create file if nonexistent.\n"
283 "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
284 "--writepid file : Write main process ID to file.\n"
285 "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
288 "--nice-work n : Change thread priority of work thread. The work\n"
289 " thread is used for background processing such as\n"
290 " RSA key number crunching.\n"
293 "--echo [parms ...] : Echo parameters to log output.\n"
294 "--verb n : Set output verbosity to n (default=%d):\n"
295 " (Level 3 is recommended if you want a good summary\n"
296 " of what's happening without being swamped by output).\n"
297 " : 0 -- no output except fatal errors\n"
298 " : 1 -- startup info + connection initiated messages +\n"
299 " non-fatal encryption & net errors\n"
300 " : 2,3 -- show TLS negotiations & route info\n"
301 " : 4 -- show parameters\n"
302 " : 5 -- show 'RrWw' chars on console for each packet sent\n"
303 " and received from TCP/UDP (caps) or tun/tap (lc)\n"
304 " : 6 to 11 -- debug messages of increasing verbosity\n"
305 "--mute n : Log at most n consecutive messages in the same category.\n"
306 "--status file n : Write operational status to file every n seconds.\n"
307 "--status-version [n] : Choose the status file format version number.\n"
308 " Currently, n can be 1, 2, or 3 (default=1).\n"
310 "--disable-occ : Disable options consistency check between peers.\n"
313 "--gremlin mask : Special stress testing mode (for debugging only).\n"
316 "--comp-lzo : Use fast LZO compression -- may add up to 1 byte per\n"
317 " packet for uncompressible data.\n"
318 "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
321 #ifdef ENABLE_MANAGEMENT
322 "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
323 " management functions. pass is a password file\n"
324 " or 'stdin' to prompt from console.\n"
325 #if UNIX_SOCK_SUPPORT
326 " To listen on a unix domain socket, specific the pathname\n"
327 " in place of ip and use 'unix' as the port number.\n"
329 "--management-client : Management interface will connect as a TCP client to\n"
330 " ip/port rather than listen as a TCP server.\n"
331 "--management-query-passwords : Query management channel for private key\n"
332 " and auth-user-pass passwords.\n"
333 "--management-hold : Start " PACKAGE_NAME
" in a hibernating state, until a client\n"
334 " of the management interface explicitly starts it.\n"
335 "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
336 "--management-forget-disconnect : Forget passwords when management disconnect\n"
338 "--management-log-cache n : Cache n lines of log file history for usage\n"
339 " by the management channel.\n"
340 #if UNIX_SOCK_SUPPORT
341 "--management-client-user u : When management interface is a unix socket, only\n"
342 " allow connections from user u.\n"
343 "--management-client-group g : When management interface is a unix socket, only\n"
344 " allow connections from group g.\n"
346 #ifdef MANAGEMENT_DEF_AUTH
347 "--management-client-auth : gives management interface client the responsibility\n"
348 " to authenticate clients after their client certificate\n"
349 " has been verified.\n"
352 "--management-client-pf : management interface clients must specify a packet\n"
353 " filter file for each connecting client.\n"
357 "--plugin m [str]: Load plug-in module m passing str as an argument\n"
358 " to its initialization function.\n"
363 "Multi-Client Server options (when --mode server is used):\n"
364 "--server network netmask : Helper option to easily configure server mode.\n"
365 "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
366 " easily configure ethernet bridging server mode.\n"
367 "--push \"option\" : Push a config file option back to the peer for remote\n"
368 " execution. Peer must specify --pull in its config file.\n"
369 "--push-reset : Don't inherit global push list for specific\n"
370 " client instance.\n"
371 "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
372 " to be dynamically allocated to connecting clients.\n"
373 "--ifconfig-pool-linear : Use individual addresses rather than /30 subnets\n"
374 " in tun mode. Not compatible with Windows clients.\n"
375 "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
376 " data to file, at seconds intervals (default=600).\n"
377 " If seconds=0, file will be treated as read-only.\n"
378 "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
379 " overrides --ifconfig-pool dynamic allocation.\n"
380 " Only valid in a client-specific config file.\n"
381 "--iroute network [netmask] : Route subnet to client.\n"
382 " Sets up internal routes only.\n"
383 " Only valid in a client-specific config file.\n"
384 "--disable : Client is disabled.\n"
385 " Only valid in a client-specific config file.\n"
386 "--client-cert-not-required : Don't require client certificate, client\n"
387 " will authenticate using username/password.\n"
388 "--username-as-common-name : For auth-user-pass authentication, use\n"
389 " the authenticated username as the common name,\n"
390 " rather than the common name from the client cert.\n"
391 "--auth-user-pass-verify cmd method: Query client for username/password and\n"
392 " run script cmd to verify. If method='via-env', pass\n"
393 " user/pass via environment, if method='via-file', pass\n"
394 " user/pass via temporary file.\n"
395 "--opt-verify : Clients that connect with options that are incompatible\n"
396 " with those of the server will be disconnected.\n"
397 "--auth-user-pass-optional : Allow connections by clients that don't\n"
398 " specify a username/password.\n"
399 "--no-name-remapping : Allow Common Name and X509 Subject to include\n"
400 " any printable character.\n"
401 "--client-to-client : Internally route client-to-client traffic.\n"
402 "--duplicate-cn : Allow multiple clients with the same common name to\n"
403 " concurrently connect.\n"
404 "--client-connect cmd : Run script cmd on client connection.\n"
405 "--client-disconnect cmd : Run script cmd on client disconnection.\n"
406 "--client-config-dir dir : Directory for custom client config files.\n"
407 "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
408 "--tmp-dir dir : Temporary directory, used for --client-connect return file.\n"
409 "--hash-size r v : Set the size of the real address hash table to r and the\n"
410 " virtual address table to v.\n"
411 "--bcast-buffers n : Allocate n broadcast buffers.\n"
412 "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
413 "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
414 " as well as pushes it to connecting clients.\n"
415 "--learn-address cmd : Run script cmd to validate client virtual addresses.\n"
416 "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
417 "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
418 "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
420 "--port-share host port : When run in TCP mode, proxy incoming HTTPS sessions\n"
421 " to a web server at host:port.\n"
425 "Client options (when connecting to a multi-client server):\n"
426 "--client : Helper option to easily configure client mode.\n"
427 "--auth-user-pass [up] : Authenticate with server using username/password.\n"
428 " up is a file containing username/password on 2 lines,\n"
429 " or omit to prompt from console.\n"
430 "--pull : Accept certain config file options from the peer as if they\n"
431 " were part of the local config file. Must be specified\n"
432 " when connecting to a '--mode server' remote host.\n"
433 "--auth-retry t : How to handle auth failures. Set t to\n"
434 " none (default), interact, or nointeract.\n"
435 "--server-poll-timeout n : when polling possible remote servers to connect to\n"
436 " in a round-robin fashion, spend no more than n seconds\n"
437 " waiting for a response before trying the next server.\n"
440 "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
441 " server/remote. n = # of retries, default=1.\n"
445 "Data Channel Encryption Options (must be compatible between peers):\n"
446 "(These options are meaningful for both Static Key & TLS-mode)\n"
447 "--secret f [d] : Enable Static Key encryption mode (non-TLS).\n"
448 " Use shared secret file f, generate with --genkey.\n"
449 " The optional d parameter controls key directionality.\n"
450 " If d is specified, use separate keys for each\n"
451 " direction, set d=0 on one side of the connection,\n"
452 " and d=1 on the other side.\n"
453 "--auth alg : Authenticate packets with HMAC using message\n"
454 " digest algorithm alg (default=%s).\n"
455 " (usually adds 16 or 20 bytes per packet)\n"
456 " Set alg=none to disable authentication.\n"
457 "--cipher alg : Encrypt packets with cipher algorithm alg\n"
459 " Set alg=none to disable encryption.\n"
460 "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
461 " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n"
462 #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
463 "--keysize n : Size of cipher key in bits (optional).\n"
464 " If unspecified, defaults to cipher-specific default.\n"
466 "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
467 "--no-replay : Disable replay protection.\n"
468 "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
469 "--replay-window n [t] : Use a replay protection sliding window of size n\n"
470 " and a time window of t seconds.\n"
471 " Default n=%d t=%d\n"
472 "--no-iv : Disable cipher IV -- only allowed with CBC mode ciphers.\n"
473 "--replay-persist file : Persist replay-protection state across sessions\n"
475 "--test-crypto : Run a self-test of crypto features enabled.\n"
476 " For debugging only.\n"
479 "TLS Key Negotiation Options:\n"
480 "(These options are meaningful only for TLS-mode)\n"
481 "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
482 "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
483 "--key-method m : Data channel key exchange method. m should be a method\n"
484 " number, such as 1 (default), 2, etc.\n"
485 "--ca file : Certificate authority file in .pem format containing\n"
486 " root certificate.\n"
487 "--capath dir : A directory of trusted certificates (CAs"
488 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
492 " WARNING: no support of CRL available with this version.\n"
494 "--dh file : File containing Diffie Hellman parameters\n"
495 " in .pem format (for --tls-server only).\n"
496 " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
497 "--cert file : Local certificate in .pem format -- must be signed\n"
498 " by a Certificate Authority in --ca file.\n"
499 "--key file : Local private key in .pem format.\n"
500 "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
501 " and optionally the root CA certificate.\n"
503 "--cryptoapicert select-string : Load the certificate and private key from the\n"
504 " Windows Certificate System Store.\n"
506 "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
507 " : Use --show-tls to see a list of supported TLS ciphers.\n"
508 "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
509 " if no ACK from remote within n seconds (default=%d).\n"
510 "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
511 "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
512 "--reneg-sec n : Renegotiate data chan. key after n seconds (default=%d).\n"
513 "--hand-window n : Data channel key exchange must finalize within n seconds\n"
514 " of handshake initiation by any peer (default=%d).\n"
515 "--tran-window n : Transition window -- old key can live this many seconds\n"
516 " after new key renegotiation begins (default=%d).\n"
517 "--single-session: Allow only one session (reset state on restart).\n"
518 "--tls-exit : Exit on TLS negotiation failure.\n"
519 "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
520 " control channel to protect against DoS attacks.\n"
521 " f (required) is a shared-secret passphrase file.\n"
522 " The optional d parameter controls key directionality,\n"
523 " see --secret option for more info.\n"
524 "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
525 "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
526 "--crl-verify crl: Check peer certificate against a CRL.\n"
527 "--tls-verify cmd: Execute shell command cmd to verify the X509 name of a\n"
528 " pending TLS connection that has otherwise passed all other\n"
529 " tests of certification. cmd should return 0 to allow\n"
530 " TLS handshake to proceed, or 1 to fail. (cmd is\n"
531 " executed as 'cmd certificate_depth X509_NAME_oneline')\n"
532 "--tls-remote x509name: Accept connections only from a host with X509 name\n"
533 " x509name. The remote host must also pass all other tests\n"
534 " of verification.\n"
535 "--ns-cert-type t: Require that peer certificate was signed with an explicit\n"
536 " nsCertType designation t = 'client' | 'server'.\n"
537 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
538 "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
539 " explicit key usage, you can specify more than one value.\n"
540 " value should be given in hex format.\n"
541 "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
542 " explicit extended key usage. Extended key usage can be encoded\n"
543 " as an object identifier or OpenSSL string representation.\n"
544 "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
545 " key usage and extended key usage based on RFC3280 TLS rules.\n"
546 " t = 'client' | 'server'.\n"
547 #endif /* OPENSSL_VERSION_NUMBER */
552 "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
553 "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
554 " path. Set for each provider.\n"
555 "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
556 " 0 : Try to determind automatically (default).\n"
558 " 2 : Use SignRecover.\n"
559 " 4 : Use Decrypt.\n"
561 "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
562 " certificate can be accessed. Set for each provider.\n"
563 "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
564 " cache until token is removed.\n"
565 "--pkcs11-id-management : Acquire identity from management interface.\n"
566 "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
567 #endif /* ENABLE_PKCS11 */
569 "SSL Library information:\n"
570 "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
571 "--show-digests : Show message digest algorithms to use with --auth option.\n"
572 "--show-engines : Show hardware crypto accelerator engines (if available).\n"
574 "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
578 "Windows Specific:\n"
579 "--win-sys path|'env' : Pathname of Windows system directory, C:\\WINDOWS by default.\n"
580 " If specified as 'env', read the pathname from SystemRoot env var.\n"
581 "--ip-win32 method : When using --ifconfig on Windows, set TAP-Win32 adapter\n"
582 " IP address using method = manual, netsh, ipapi,\n"
583 " dynamic, or adaptive (default = adaptive).\n"
584 " Dynamic method allows two optional parameters:\n"
585 " offset: DHCP server address offset (> -256 and < 256).\n"
586 " If 0, use network address, if >0, take nth\n"
587 " address forward from network address, if <0,\n"
588 " take nth address backward from broadcast\n"
591 " lease-time: Lease time in seconds.\n"
592 " Default is one year.\n"
593 "--route-method : Which method to use for adding routes on Windows?\n"
594 " adaptive (default) -- Try ipapi then fall back to exe.\n"
595 " ipapi -- Use IP helper API.\n"
596 " exe -- Call the route.exe shell command.\n"
597 "--dhcp-option type [parm] : Set extended TAP-Win32 properties, must\n"
598 " be used with --ip-win32 dynamic. For options\n"
599 " which allow multiple addresses,\n"
600 " --dhcp-option must be repeated.\n"
601 " DOMAIN name : Set DNS suffix\n"
602 " DNS addr : Set domain name server address(es)\n"
603 " NTP : Set NTP server address(es)\n"
604 " NBDD : Set NBDD server address(es)\n"
605 " WINS addr : Set WINS server address(es)\n"
606 " NBT type : Set NetBIOS over TCP/IP Node type\n"
607 " 1: B, 2: P, 4: M, 8: H\n"
608 " NBS id : Set NetBIOS scope ID\n"
609 " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
610 "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
611 "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
613 "--dhcp-release : Ask Windows to release the TAP adapter lease on shutdown.\n"
614 "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
615 " attempting to set adapter properties.\n"
616 "--pause-exit : When run from a console window, pause before exiting.\n"
617 "--service ex [0|1] : For use when " PACKAGE_NAME
" is being instantiated by a\n"
618 " service, and should not be used directly by end-users.\n"
619 " ex is the name of an event object which, when\n"
620 " signaled, will cause " PACKAGE_NAME
" to exit. A second\n"
621 " optional parameter controls the initial state of ex.\n"
622 "--show-net-up : Show " PACKAGE_NAME
"'s view of routing table and net adapter list\n"
623 " after TAP adapter is up and routes have been added.\n"
624 "Windows Standalone Options:\n"
626 "--show-adapters : Show all TAP-Win32 adapters.\n"
627 "--show-net : Show " PACKAGE_NAME
"'s view of routing table and net adapter list.\n"
628 "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
629 "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME
" running without admin privileges\n"
630 " to access TAP adapter.\n"
633 "Generate a random key (only for non-TLS static key encryption mode):\n"
634 "--genkey : Generate a random key to be used as a shared secret,\n"
635 " for use with the --secret option.\n"
636 "--secret file : Write key to file.\n"
637 #endif /* USE_CRYPTO */
640 "Tun/tap config mode (available with linux 2.4+):\n"
641 "--mktun : Create a persistent tunnel.\n"
642 "--rmtun : Remove a persistent tunnel.\n"
643 "--dev tunX|tapX : tun/tap device\n"
644 "--dev-type dt : Device type. See tunnel options above for details.\n"
645 "--user user : User to set privilege to.\n"
646 "--group group : Group to set privilege to.\n"
650 "PKCS#11 standalone options:\n"
651 "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
652 " --verb option can be added *BEFORE* this.\n"
653 #endif /* ENABLE_PKCS11 */
656 #endif /* !ENABLE_SMALL */
659 * This is where the options defaults go.
660 * Any option not explicitly set here
664 init_options (struct options
*o
, const bool init_gc
)
672 o
->mode
= MODE_POINT_TO_POINT
;
673 o
->topology
= TOP_NET30
;
674 o
->ce
.proto
= PROTO_UDPv4
;
675 o
->ce
.connect_retry_seconds
= 5;
676 o
->ce
.connect_timeout
= 10;
677 o
->ce
.connect_retry_max
= 0;
678 o
->ce
.local_port
= o
->ce
.remote_port
= OPENVPN_PORT
;
680 o
->status_file_update_freq
= 60;
681 o
->status_file_version
= 1;
682 o
->ce
.bind_local
= true;
683 o
->tun_mtu
= TUN_MTU_DEFAULT
;
684 o
->link_mtu
= LINK_MTU_DEFAULT
;
685 o
->mtu_discover_type
= -1;
686 o
->mssfix
= MSSFIX_DEFAULT
;
687 o
->route_delay_window
= 30;
688 o
->max_routes
= MAX_ROUTES_DEFAULT
;
689 o
->resolve_retry_seconds
= RESOLV_RETRY_INFINITE
;
693 #ifdef ENABLE_MANAGEMENT
694 o
->management_log_history_cache
= 250;
695 o
->management_echo_buffer_size
= 100;
696 o
->management_state_buffer_size
= 100;
706 o
->tuntap_options
.txqueuelen
= 100;
710 o
->tuntap_options
.ip_win32_type
= IPW32_SET_ADAPTIVE
;
712 o
->tuntap_options
.ip_win32_type
= IPW32_SET_DHCP_MASQ
;
714 o
->tuntap_options
.dhcp_lease_time
= 31536000; /* one year */
715 o
->tuntap_options
.dhcp_masq_offset
= 0; /* use network address as internal DHCP server address */
716 o
->route_method
= ROUTE_METHOD_ADAPTIVE
;
722 o
->real_hash_size
= 256;
723 o
->virtual_hash_size
= 256;
724 o
->n_bcast_buf
= 256;
725 o
->tcp_queue_limit
= 64;
726 o
->max_clients
= 1024;
727 o
->max_routes_per_client
= 256;
728 o
->ifconfig_pool_persist_refresh_freq
= 600;
731 o
->scheduled_exit_interval
= 5;
732 o
->server_poll_timeout
= 0;
735 o
->ciphername
= "BF-CBC";
736 o
->ciphername_defined
= true;
737 o
->authname
= "SHA1";
738 o
->authname_defined
= true;
739 o
->prng_hash
= "SHA1";
740 o
->prng_nonce_secret_len
= 16;
742 o
->replay_window
= DEFAULT_SEQ_BACKTRACK
;
743 o
->replay_time
= DEFAULT_TIME_BACKTRACK
;
745 o
->key_direction
= KEY_DIRECTION_BIDIRECTIONAL
;
749 o
->renegotiate_seconds
= 3600;
750 o
->handshake_window
= 60;
751 o
->transition_window
= 3600;
755 o
->pkcs11_pin_cache_period
= -1;
756 #endif /* ENABLE_PKCS11 */
760 uninit_options (struct options
*o
)
768 #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
769 #define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
770 #define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
771 #define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
772 #define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
773 #define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
778 setenv_connection_entry (struct env_set
*es
,
779 const struct connection_entry
*e
,
782 setenv_str_i (es
, "proto", proto2ascii (e
->proto
, false), i
);
783 setenv_str_i (es
, "local", e
->local
, i
);
784 setenv_int_i (es
, "local_port", e
->local_port
, i
);
785 setenv_str_i (es
, "remote", e
->remote
, i
);
786 setenv_int_i (es
, "remote_port", e
->remote_port
, i
);
788 #ifdef ENABLE_HTTP_PROXY
789 if (e
->http_proxy_options
)
791 setenv_str_i (es
, "http_proxy_server", e
->http_proxy_options
->server
, i
);
792 setenv_int_i (es
, "http_proxy_port", e
->http_proxy_options
->port
, i
);
796 if (e
->socks_proxy_server
)
798 setenv_str_i (es
, "socks_proxy_server", e
->socks_proxy_server
, i
);
799 setenv_int_i (es
, "socks_proxy_port", e
->socks_proxy_port
, i
);
805 setenv_settings (struct env_set
*es
, const struct options
*o
)
807 setenv_str (es
, "config", o
->config
);
808 setenv_int (es
, "verb", o
->verbosity
);
809 setenv_int (es
, "daemon", o
->daemon
);
810 setenv_int (es
, "daemon_log_redirect", o
->log
);
811 setenv_unsigned (es
, "daemon_start_time", time(NULL
));
812 setenv_int (es
, "daemon_pid", openvpn_getpid());
814 #ifdef ENABLE_CONNECTION
815 if (o
->connection_list
)
818 for (i
= 0; i
< o
->connection_list
->len
; ++i
)
819 setenv_connection_entry (es
, o
->connection_list
->array
[i
], i
+1);
823 setenv_connection_entry (es
, &o
->ce
, 1);
827 get_ip_addr (const char *ip_string
, int msglevel
, bool *error
)
829 unsigned int flags
= GETADDR_HOST_ORDER
;
830 bool succeeded
= false;
833 if (msglevel
& M_FATAL
)
834 flags
|= GETADDR_FATAL
;
836 ret
= getaddr (flags
, ip_string
, 0, &succeeded
, NULL
);
837 if (!succeeded
&& error
)
843 string_substitute (const char *src
, int from
, int to
, struct gc_arena
*gc
)
845 char *ret
= (char *) gc_malloc (strlen (src
) + 1, true, gc
);
861 is_persist_option (const struct options
*o
)
863 return o
->persist_tun
865 || o
->persist_local_ip
866 || o
->persist_remote_ip
874 is_stateful_restart (const struct options
*o
)
876 return is_persist_option (o
) || connection_list_defined (o
);
884 show_dhcp_option_addrs (const char *name
, const in_addr_t
*array
, int len
)
886 struct gc_arena gc
= gc_new ();
888 for (i
= 0; i
< len
; ++i
)
890 msg (D_SHOW_PARMS
, " %s[%d] = %s",
893 print_in_addr_t (array
[i
], 0, &gc
));
899 show_tuntap_options (const struct tuntap_options
*o
)
901 SHOW_BOOL (ip_win32_defined
);
902 SHOW_INT (ip_win32_type
);
903 SHOW_INT (dhcp_masq_offset
);
904 SHOW_INT (dhcp_lease_time
);
905 SHOW_INT (tap_sleep
);
906 SHOW_BOOL (dhcp_options
);
907 SHOW_BOOL (dhcp_renew
);
908 SHOW_BOOL (dhcp_pre_release
);
909 SHOW_BOOL (dhcp_release
);
911 SHOW_STR (netbios_scope
);
912 SHOW_INT (netbios_node_type
);
913 SHOW_BOOL (disable_nbt
);
915 show_dhcp_option_addrs ("DNS", o
->dns
, o
->dns_len
);
916 show_dhcp_option_addrs ("WINS", o
->wins
, o
->wins_len
);
917 show_dhcp_option_addrs ("NTP", o
->ntp
, o
->ntp_len
);
918 show_dhcp_option_addrs ("NBDD", o
->nbdd
, o
->nbdd_len
);
924 dhcp_option_address_parse (const char *name
, const char *parm
, in_addr_t
*array
, int *len
, int msglevel
)
926 if (*len
>= N_DHCP_ADDR
)
928 msg (msglevel
, "--dhcp-option %s: maximum of %d %s servers can be specified",
935 if (ip_addr_dotted_quad_safe (parm
)) /* FQDN -- IP address only */
938 const in_addr_t addr
= get_ip_addr (parm
, msglevel
, &error
);
940 array
[(*len
)++] = addr
;
944 msg (msglevel
, "dhcp-option parameter %s '%s' must be an IP address", name
, parm
);
956 show_p2mp_parms (const struct options
*o
)
958 struct gc_arena gc
= gc_new ();
961 msg (D_SHOW_PARMS
, " server_network = %s", print_in_addr_t (o
->server_network
, 0, &gc
));
962 msg (D_SHOW_PARMS
, " server_netmask = %s", print_in_addr_t (o
->server_netmask
, 0, &gc
));
963 msg (D_SHOW_PARMS
, " server_bridge_ip = %s", print_in_addr_t (o
->server_bridge_ip
, 0, &gc
));
964 msg (D_SHOW_PARMS
, " server_bridge_netmask = %s", print_in_addr_t (o
->server_bridge_netmask
, 0, &gc
));
965 msg (D_SHOW_PARMS
, " server_bridge_pool_start = %s", print_in_addr_t (o
->server_bridge_pool_start
, 0, &gc
));
966 msg (D_SHOW_PARMS
, " server_bridge_pool_end = %s", print_in_addr_t (o
->server_bridge_pool_end
, 0, &gc
));
967 if (o
->push_list
.head
)
969 const struct push_entry
*e
= o
->push_list
.head
;
973 msg (D_SHOW_PARMS
, " push_entry = '%s'", e
->option
);
977 SHOW_BOOL (ifconfig_pool_defined
);
978 msg (D_SHOW_PARMS
, " ifconfig_pool_start = %s", print_in_addr_t (o
->ifconfig_pool_start
, 0, &gc
));
979 msg (D_SHOW_PARMS
, " ifconfig_pool_end = %s", print_in_addr_t (o
->ifconfig_pool_end
, 0, &gc
));
980 msg (D_SHOW_PARMS
, " ifconfig_pool_netmask = %s", print_in_addr_t (o
->ifconfig_pool_netmask
, 0, &gc
));
981 SHOW_STR (ifconfig_pool_persist_filename
);
982 SHOW_INT (ifconfig_pool_persist_refresh_freq
);
983 SHOW_INT (n_bcast_buf
);
984 SHOW_INT (tcp_queue_limit
);
985 SHOW_INT (real_hash_size
);
986 SHOW_INT (virtual_hash_size
);
987 SHOW_STR (client_connect_script
);
988 SHOW_STR (learn_address_script
);
989 SHOW_STR (client_disconnect_script
);
990 SHOW_STR (client_config_dir
);
991 SHOW_BOOL (ccd_exclusive
);
993 SHOW_BOOL (push_ifconfig_defined
);
994 msg (D_SHOW_PARMS
, " push_ifconfig_local = %s", print_in_addr_t (o
->push_ifconfig_local
, 0, &gc
));
995 msg (D_SHOW_PARMS
, " push_ifconfig_remote_netmask = %s", print_in_addr_t (o
->push_ifconfig_remote_netmask
, 0, &gc
));
996 SHOW_BOOL (enable_c2c
);
997 SHOW_BOOL (duplicate_cn
);
1000 SHOW_INT (max_clients
);
1001 SHOW_INT (max_routes_per_client
);
1002 SHOW_STR (auth_user_pass_verify_script
);
1003 SHOW_BOOL (auth_user_pass_verify_script_via_file
);
1004 SHOW_INT (ssl_flags
);
1006 SHOW_STR (port_share_host
);
1007 SHOW_INT (port_share_port
);
1009 #endif /* P2MP_SERVER */
1013 SHOW_STR (auth_user_pass_file
);
1018 #endif /* ENABLE_DEBUG */
1023 option_iroute (struct options
*o
,
1024 const char *network_str
,
1025 const char *netmask_str
,
1030 ALLOC_OBJ_GC (ir
, struct iroute
, &o
->gc
);
1031 ir
->network
= getaddr (GETADDR_HOST_ORDER
, network_str
, 0, NULL
, NULL
);
1036 const in_addr_t netmask
= getaddr (GETADDR_HOST_ORDER
, netmask_str
, 0, NULL
, NULL
);
1037 if (!netmask_to_netbits (ir
->network
, netmask
, &ir
->netbits
))
1039 msg (msglevel
, "in --iroute %s %s : Bad network/subnet specification",
1046 ir
->next
= o
->iroutes
;
1050 #endif /* P2MP_SERVER */
1053 #if defined(ENABLE_HTTP_PROXY) && defined(ENABLE_DEBUG)
1055 show_http_proxy_options (const struct http_proxy_options
*o
)
1057 msg (D_SHOW_PARMS
, "BEGIN http_proxy");
1060 SHOW_STR (auth_method_string
);
1061 SHOW_STR (auth_file
);
1064 SHOW_STR (http_version
);
1065 SHOW_STR (user_agent
);
1066 msg (D_SHOW_PARMS
, "END http_proxy");
1071 options_detach (struct options
*o
)
1081 rol_check_alloc (struct options
*options
)
1083 if (!options
->routes
)
1084 options
->routes
= new_route_option_list (options
->max_routes
, &options
->gc
);
1089 show_connection_entry (const struct connection_entry
*o
)
1091 msg (D_SHOW_PARMS
, " proto = %s", proto2ascii (o
->proto
, false));
1093 SHOW_INT (local_port
);
1095 SHOW_INT (remote_port
);
1096 SHOW_BOOL (remote_float
);
1097 SHOW_BOOL (bind_defined
);
1098 SHOW_BOOL (bind_local
);
1099 SHOW_INT (connect_retry_seconds
);
1100 SHOW_INT (connect_timeout
);
1101 SHOW_INT (connect_retry_max
);
1103 #ifdef ENABLE_HTTP_PROXY
1104 if (o
->http_proxy_options
)
1105 show_http_proxy_options (o
->http_proxy_options
);
1108 SHOW_STR (socks_proxy_server
);
1109 SHOW_INT (socks_proxy_port
);
1110 SHOW_BOOL (socks_proxy_retry
);
1115 show_connection_entries (const struct options
*o
)
1117 msg (D_SHOW_PARMS
, "Connection profiles [default]:");
1118 show_connection_entry (&o
->ce
);
1119 #ifdef ENABLE_CONNECTION
1120 if (o
->connection_list
)
1122 const struct connection_list
*l
= o
->connection_list
;
1124 for (i
= 0; i
< l
->len
; ++i
)
1126 msg (D_SHOW_PARMS
, "Connection profiles [%d]:", i
);
1127 show_connection_entry (l
->array
[i
]);
1131 msg (D_SHOW_PARMS
, "Connection profiles END");
1137 show_settings (const struct options
*o
)
1140 msg (D_SHOW_PARMS
, "Current Parameter Settings:");
1146 #ifdef TUNSETPERSIST
1147 SHOW_BOOL (persist_config
);
1148 SHOW_INT (persist_mode
);
1152 SHOW_BOOL (show_ciphers
);
1153 SHOW_BOOL (show_digests
);
1154 SHOW_BOOL (show_engines
);
1157 SHOW_STR (key_pass_file
);
1158 SHOW_BOOL (show_tls_ciphers
);
1162 show_connection_entries (o
);
1164 SHOW_BOOL (remote_random
);
1166 SHOW_STR (ipchange
);
1168 SHOW_STR (dev_type
);
1169 SHOW_STR (dev_node
);
1171 SHOW_INT (topology
);
1172 SHOW_BOOL (tun_ipv6
);
1173 SHOW_STR (ifconfig_local
);
1174 SHOW_STR (ifconfig_remote_netmask
);
1175 SHOW_BOOL (ifconfig_noexec
);
1176 SHOW_BOOL (ifconfig_nowarn
);
1178 #ifdef HAVE_GETTIMEOFDAY
1182 SHOW_BOOL (tun_mtu_defined
);
1183 SHOW_INT (link_mtu
);
1184 SHOW_BOOL (link_mtu_defined
);
1185 SHOW_INT (tun_mtu_extra
);
1186 SHOW_BOOL (tun_mtu_extra_defined
);
1188 #ifdef ENABLE_FRAGMENT
1189 SHOW_INT (fragment
);
1192 SHOW_INT (mtu_discover_type
);
1195 SHOW_INT (mtu_test
);
1200 SHOW_INT (keepalive_ping
);
1201 SHOW_INT (keepalive_timeout
);
1202 SHOW_INT (inactivity_timeout
);
1203 SHOW_INT (ping_send_timeout
);
1204 SHOW_INT (ping_rec_timeout
);
1205 SHOW_INT (ping_rec_timeout_action
);
1206 SHOW_BOOL (ping_timer_remote
);
1207 SHOW_INT (remap_sigusr1
);
1209 SHOW_INT (explicit_exit_notification
);
1211 SHOW_BOOL (persist_tun
);
1212 SHOW_BOOL (persist_local_ip
);
1213 SHOW_BOOL (persist_remote_ip
);
1214 SHOW_BOOL (persist_key
);
1218 #if PASSTOS_CAPABILITY
1219 SHOW_BOOL (passtos
);
1222 SHOW_INT (resolve_retry_seconds
);
1224 SHOW_STR (username
);
1225 SHOW_STR (groupname
);
1226 SHOW_STR (chroot_dir
);
1229 SHOW_STR (selinux_context
);
1231 SHOW_STR (writepid
);
1232 SHOW_STR (up_script
);
1233 SHOW_STR (down_script
);
1234 SHOW_BOOL (down_pre
);
1235 SHOW_BOOL (up_restart
);
1236 SHOW_BOOL (up_delay
);
1240 SHOW_BOOL (suppress_timestamps
);
1242 SHOW_INT (verbosity
);
1247 SHOW_STR (status_file
);
1248 SHOW_INT (status_file_version
);
1249 SHOW_INT (status_file_update_freq
);
1256 SHOW_INT (sockflags
);
1258 SHOW_BOOL (fast_io
);
1264 SHOW_STR (route_script
);
1265 SHOW_STR (route_default_gateway
);
1266 SHOW_INT (route_default_metric
);
1267 SHOW_BOOL (route_noexec
);
1268 SHOW_INT (route_delay
);
1269 SHOW_INT (route_delay_window
);
1270 SHOW_BOOL (route_delay_defined
);
1271 SHOW_BOOL (route_nopull
);
1272 SHOW_BOOL (route_gateway_via_dhcp
);
1273 SHOW_INT (max_routes
);
1274 SHOW_BOOL (allow_pull_fqdn
);
1276 print_route_options (o
->routes
, D_SHOW_PARMS
);
1278 #ifdef ENABLE_MANAGEMENT
1279 SHOW_STR (management_addr
);
1280 SHOW_INT (management_port
);
1281 SHOW_STR (management_user_pass
);
1282 SHOW_INT (management_log_history_cache
);
1283 SHOW_INT (management_echo_buffer_size
);
1284 SHOW_STR (management_write_peer_info_file
);
1285 SHOW_STR (management_client_user
);
1286 SHOW_STR (management_client_group
);
1287 SHOW_INT (management_flags
);
1289 #ifdef ENABLE_PLUGIN
1291 plugin_option_list_print (o
->plugin_list
, D_SHOW_PARMS
);
1295 SHOW_STR (shared_secret_file
);
1296 SHOW_INT (key_direction
);
1297 SHOW_BOOL (ciphername_defined
);
1298 SHOW_STR (ciphername
);
1299 SHOW_BOOL (authname_defined
);
1300 SHOW_STR (authname
);
1301 SHOW_STR (prng_hash
);
1302 SHOW_INT (prng_nonce_secret_len
);
1306 SHOW_BOOL (mute_replay_warnings
);
1307 SHOW_INT (replay_window
);
1308 SHOW_INT (replay_time
);
1309 SHOW_STR (packet_id_file
);
1311 SHOW_BOOL (test_crypto
);
1314 SHOW_BOOL (tls_server
);
1315 SHOW_BOOL (tls_client
);
1316 SHOW_INT (key_method
);
1320 SHOW_STR (cert_file
);
1321 SHOW_STR (priv_key_file
);
1322 SHOW_STR (pkcs12_file
);
1324 SHOW_STR (cryptoapi_cert
);
1326 SHOW_STR (cipher_list
);
1327 SHOW_STR (tls_verify
);
1328 SHOW_STR (tls_remote
);
1329 SHOW_STR (crl_file
);
1330 SHOW_INT (ns_cert_type
);
1333 for (i
=0;i
<MAX_PARMS
;i
++)
1334 SHOW_INT (remote_cert_ku
[i
]);
1336 SHOW_STR (remote_cert_eku
);
1338 SHOW_INT (tls_timeout
);
1340 SHOW_INT (renegotiate_bytes
);
1341 SHOW_INT (renegotiate_packets
);
1342 SHOW_INT (renegotiate_seconds
);
1344 SHOW_INT (handshake_window
);
1345 SHOW_INT (transition_window
);
1347 SHOW_BOOL (single_session
);
1348 SHOW_BOOL (tls_exit
);
1350 SHOW_STR (tls_auth_file
);
1354 #ifdef ENABLE_PKCS11
1357 for (i
=0;i
<MAX_PARMS
&& o
->pkcs11_providers
[i
] != NULL
;i
++)
1358 SHOW_PARM (pkcs11_providers
, o
->pkcs11_providers
[i
], "%s");
1362 for (i
=0;i
<MAX_PARMS
;i
++)
1363 SHOW_PARM (pkcs11_protected_authentication
, o
->pkcs11_protected_authentication
[i
] ? "ENABLED" : "DISABLED", "%s");
1367 for (i
=0;i
<MAX_PARMS
;i
++)
1368 SHOW_PARM (pkcs11_private_mode
, o
->pkcs11_private_mode
[i
], "%08x");
1372 for (i
=0;i
<MAX_PARMS
;i
++)
1373 SHOW_PARM (pkcs11_cert_private
, o
->pkcs11_cert_private
[i
] ? "ENABLED" : "DISABLED", "%s");
1375 SHOW_INT (pkcs11_pin_cache_period
);
1376 SHOW_STR (pkcs11_id
);
1377 SHOW_BOOL (pkcs11_id_management
);
1378 #endif /* ENABLE_PKCS11 */
1381 show_p2mp_parms (o
);
1385 SHOW_BOOL (show_net_up
);
1386 SHOW_INT (route_method
);
1387 show_tuntap_options (&o
->tuntap_options
);
1397 #ifdef ENABLE_HTTP_PROXY
1399 struct http_proxy_options
*
1400 init_http_options_if_undefined (struct options
*o
)
1402 if (!o
->ce
.http_proxy_options
)
1404 ALLOC_OBJ_CLEAR_GC (o
->ce
.http_proxy_options
, struct http_proxy_options
, &o
->gc
);
1405 /* http proxy defaults */
1406 o
->ce
.http_proxy_options
->timeout
= 5;
1407 o
->ce
.http_proxy_options
->http_version
= "1.0";
1409 return o
->ce
.http_proxy_options
;
1414 #if ENABLE_CONNECTION
1416 static struct connection_list
*
1417 alloc_connection_list_if_undef (struct options
*options
)
1419 if (!options
->connection_list
)
1420 ALLOC_OBJ_CLEAR_GC (options
->connection_list
, struct connection_list
, &options
->gc
);
1421 return options
->connection_list
;
1424 static struct connection_entry
*
1425 alloc_connection_entry (struct options
*options
, const int msglevel
)
1427 struct connection_list
*l
= alloc_connection_list_if_undef (options
);
1428 struct connection_entry
*e
;
1430 if (l
->len
>= CONNECTION_LIST_SIZE
)
1432 msg (msglevel
, "Maximum number of 'connection' options (%d) exceeded", CONNECTION_LIST_SIZE
);
1435 ALLOC_OBJ_GC (e
, struct connection_entry
, &options
->gc
);
1436 l
->array
[l
->len
++] = e
;
1440 static struct remote_list
*
1441 alloc_remote_list_if_undef (struct options
*options
)
1443 if (!options
->remote_list
)
1444 ALLOC_OBJ_CLEAR_GC (options
->remote_list
, struct remote_list
, &options
->gc
);
1445 return options
->remote_list
;
1448 static struct remote_entry
*
1449 alloc_remote_entry (struct options
*options
, const int msglevel
)
1451 struct remote_list
*l
= alloc_remote_list_if_undef (options
);
1452 struct remote_entry
*e
;
1454 if (l
->len
>= CONNECTION_LIST_SIZE
)
1456 msg (msglevel
, "Maximum number of 'remote' options (%d) exceeded", CONNECTION_LIST_SIZE
);
1459 ALLOC_OBJ_GC (e
, struct remote_entry
, &options
->gc
);
1460 l
->array
[l
->len
++] = e
;
1467 connection_entry_load_re (struct connection_entry
*ce
, const struct remote_entry
*re
)
1470 ce
->remote
= re
->remote
;
1471 if (re
->remote_port
>= 0)
1472 ce
->remote_port
= re
->remote_port
;
1474 ce
->proto
= re
->proto
;
1478 options_postprocess_verify_ce (const struct options
*options
, const struct connection_entry
*ce
)
1480 struct options defaults
;
1481 int dev
= DEV_TYPE_UNDEF
;
1484 init_options (&defaults
, true);
1487 if (options
->test_crypto
)
1489 notnull (options
->shared_secret_file
, "key file (--secret)");
1493 notnull (options
->dev
, "TUN/TAP device (--dev)");
1496 * Get tun/tap/null device type
1498 dev
= dev_type_enum (options
->dev
, options
->dev_type
);
1501 * If "proto tcp" is specified, make sure we know whether it is
1502 * tcp-client or tcp-server.
1504 if (ce
->proto
== PROTO_TCPv4
)
1505 msg (M_USAGE
, "--proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client");
1508 * Sanity check on daemon/inetd modes
1511 if (options
->daemon
&& options
->inetd
)
1512 msg (M_USAGE
, "only one of --daemon or --inetd may be specified");
1514 if (options
->inetd
&& (ce
->local
|| ce
->remote
))
1515 msg (M_USAGE
, "--local or --remote cannot be used with --inetd");
1517 if (options
->inetd
&& ce
->proto
== PROTO_TCPv4_CLIENT
)
1518 msg (M_USAGE
, "--proto tcp-client cannot be used with --inetd");
1520 if (options
->inetd
== INETD_NOWAIT
&& ce
->proto
!= PROTO_TCPv4_SERVER
)
1521 msg (M_USAGE
, "--inetd nowait can only be used with --proto tcp-server");
1523 if (options
->inetd
== INETD_NOWAIT
1524 #if defined(USE_CRYPTO) && defined(USE_SSL)
1525 && !(options
->tls_server
|| options
->tls_client
)
1528 msg (M_USAGE
, "--inetd nowait can only be used in TLS mode");
1530 if (options
->inetd
== INETD_NOWAIT
&& dev
!= DEV_TYPE_TAP
)
1531 msg (M_USAGE
, "--inetd nowait only makes sense in --dev tap mode");
1534 if (options
->lladdr
&& dev
!= DEV_TYPE_TAP
)
1535 msg (M_USAGE
, "--lladdr can only be used in --dev tap mode");
1538 * Sanity check on TCP mode options
1541 if (ce
->connect_retry_defined
&& ce
->proto
!= PROTO_TCPv4_CLIENT
)
1542 msg (M_USAGE
, "--connect-retry doesn't make sense unless also used with --proto tcp-client");
1544 if (ce
->connect_timeout_defined
&& ce
->proto
!= PROTO_TCPv4_CLIENT
)
1545 msg (M_USAGE
, "--connect-timeout doesn't make sense unless also used with --proto tcp-client");
1548 * Sanity check on MTU parameters
1550 if (options
->tun_mtu_defined
&& options
->link_mtu_defined
)
1551 msg (M_USAGE
, "only one of --tun-mtu or --link-mtu may be defined (note that --ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT
);
1554 if (ce
->proto
!= PROTO_UDPv4
&& options
->mtu_test
)
1555 msg (M_USAGE
, "--mtu-test only makes sense with --proto udp");
1558 /* will we be pulling options from server? */
1560 pull
= options
->pull
;
1564 * Sanity check on --local, --remote, and --ifconfig
1567 if (string_defined_equal (ce
->local
, ce
->remote
)
1568 && ce
->local_port
== ce
->remote_port
)
1569 msg (M_USAGE
, "--remote and --local addresses are the same");
1571 if (string_defined_equal (ce
->remote
, options
->ifconfig_local
)
1572 || string_defined_equal (ce
->remote
, options
->ifconfig_remote_netmask
))
1573 msg (M_USAGE
, "--local and --remote addresses must be distinct from --ifconfig addresses");
1575 if (string_defined_equal (ce
->local
, options
->ifconfig_local
)
1576 || string_defined_equal (ce
->local
, options
->ifconfig_remote_netmask
))
1577 msg (M_USAGE
, "--local addresses must be distinct from --ifconfig addresses");
1579 if (string_defined_equal (options
->ifconfig_local
, options
->ifconfig_remote_netmask
))
1580 msg (M_USAGE
, "local and remote/netmask --ifconfig addresses must be different");
1582 if (ce
->bind_defined
&& !ce
->bind_local
)
1583 msg (M_USAGE
, "--bind and --nobind can't be used together");
1585 if (ce
->local
&& !ce
->bind_local
)
1586 msg (M_USAGE
, "--local and --nobind don't make sense when used together");
1588 if (ce
->local_port_defined
&& !ce
->bind_local
)
1589 msg (M_USAGE
, "--lport and --nobind don't make sense when used together");
1591 if (!ce
->remote
&& !ce
->bind_local
)
1592 msg (M_USAGE
, "--nobind doesn't make sense unless used with --remote");
1595 * Check for consistency of management options
1597 #ifdef ENABLE_MANAGEMENT
1598 if (!options
->management_addr
&&
1599 (options
->management_flags
1600 || options
->management_write_peer_info_file
1601 || options
->management_log_history_cache
!= defaults
.management_log_history_cache
))
1602 msg (M_USAGE
, "--management is not specified, however one or more options which modify the behavior of --management were specified");
1604 if ((options
->management_client_user
|| options
->management_client_group
)
1605 && !(options
->management_flags
& MF_UNIX_SOCK
))
1606 msg (M_USAGE
, "--management-client-(user|group) can only be used on unix domain sockets");
1610 * Windows-specific options.
1614 if (dev
== DEV_TYPE_TUN
&& !(pull
|| (options
->ifconfig_local
&& options
->ifconfig_remote_netmask
)))
1615 msg (M_USAGE
, "On Windows, --ifconfig is required when --dev tun is used");
1617 if ((options
->tuntap_options
.ip_win32_defined
)
1618 && !(pull
|| (options
->ifconfig_local
&& options
->ifconfig_remote_netmask
)))
1619 msg (M_USAGE
, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
1621 if (options
->tuntap_options
.dhcp_options
1622 && options
->tuntap_options
.ip_win32_type
!= IPW32_SET_DHCP_MASQ
1623 && options
->tuntap_options
.ip_win32_type
!= IPW32_SET_ADAPTIVE
)
1624 msg (M_USAGE
, "--dhcp-options requires --ip-win32 dynamic or adaptive");
1628 * Check that protocol options make sense.
1631 #ifdef ENABLE_FRAGMENT
1632 if (ce
->proto
!= PROTO_UDPv4
&& options
->fragment
)
1633 msg (M_USAGE
, "--fragment can only be used with --proto udp");
1637 if (ce
->proto
!= PROTO_UDPv4
&& options
->explicit_exit_notification
)
1638 msg (M_USAGE
, "--explicit-exit-notify can only be used with --proto udp");
1641 if (!ce
->remote
&& ce
->proto
== PROTO_TCPv4_CLIENT
)
1642 msg (M_USAGE
, "--remote MUST be used in TCP Client mode");
1644 #ifdef ENABLE_HTTP_PROXY
1645 if ((ce
->http_proxy_options
|| options
->auto_proxy_info
) && ce
->proto
!= PROTO_TCPv4_CLIENT
)
1646 msg (M_USAGE
, "--http-proxy or --auto-proxy MUST be used in TCP Client mode (i.e. --proto tcp-client)");
1649 #if defined(ENABLE_HTTP_PROXY) && defined(ENABLE_SOCKS)
1650 if (ce
->http_proxy_options
&& ce
->socks_proxy_server
)
1651 msg (M_USAGE
, "--http-proxy can not be used together with --socks-proxy");
1655 if (ce
->socks_proxy_server
&& ce
->proto
== PROTO_TCPv4_SERVER
)
1656 msg (M_USAGE
, "--socks-proxy can not be used in TCP Server mode");
1659 if (ce
->proto
== PROTO_TCPv4_SERVER
&& connection_list_defined (options
))
1660 msg (M_USAGE
, "TCP server mode allows at most one --remote address");
1665 * Check consistency of --mode server options.
1667 if (options
->mode
== MODE_SERVER
)
1669 if (!(dev
== DEV_TYPE_TUN
|| dev
== DEV_TYPE_TAP
))
1670 msg (M_USAGE
, "--mode server only works with --dev tun or --dev tap");
1672 msg (M_USAGE
, "--pull cannot be used with --mode server");
1673 if (!(ce
->proto
== PROTO_UDPv4
|| ce
->proto
== PROTO_TCPv4_SERVER
))
1674 msg (M_USAGE
, "--mode server currently only supports --proto udp or --proto tcp-server");
1676 if ((options
->port_share_host
|| options
->port_share_port
) && ce
->proto
!= PROTO_TCPv4_SERVER
)
1677 msg (M_USAGE
, "--port-share only works in TCP server mode (--proto tcp-server)");
1679 if (!options
->tls_server
)
1680 msg (M_USAGE
, "--mode server requires --tls-server");
1682 msg (M_USAGE
, "--remote cannot be used with --mode server");
1683 if (!ce
->bind_local
)
1684 msg (M_USAGE
, "--nobind cannot be used with --mode server");
1685 #ifdef ENABLE_HTTP_PROXY
1686 if (ce
->http_proxy_options
)
1687 msg (M_USAGE
, "--http-proxy cannot be used with --mode server");
1690 if (ce
->socks_proxy_server
)
1691 msg (M_USAGE
, "--socks-proxy cannot be used with --mode server");
1693 #ifdef ENABLE_CONNECTION
1694 if (options
->connection_list
)
1695 msg (M_USAGE
, "<connection> cannot be used with --mode server");
1697 if (options
->tun_ipv6
)
1698 msg (M_USAGE
, "--tun-ipv6 cannot be used with --mode server");
1699 if (options
->shaper
)
1700 msg (M_USAGE
, "--shaper cannot be used with --mode server");
1702 msg (M_USAGE
, "--inetd cannot be used with --mode server");
1703 if (options
->ipchange
)
1704 msg (M_USAGE
, "--ipchange cannot be used with --mode server (use --client-connect instead)");
1705 if (!(ce
->proto
== PROTO_UDPv4
|| ce
->proto
== PROTO_TCPv4_SERVER
))
1706 msg (M_USAGE
, "--mode server currently only supports --proto udp or --proto tcp-server");
1707 if (ce
->proto
!= PROTO_UDPv4
&& (options
->cf_max
|| options
->cf_per
))
1708 msg (M_USAGE
, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
1709 if (!(dev
== DEV_TYPE_TAP
|| (dev
== DEV_TYPE_TUN
&& options
->topology
== TOP_SUBNET
)) && options
->ifconfig_pool_netmask
)
1710 msg (M_USAGE
, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
1712 if (options
->explicit_exit_notification
)
1713 msg (M_USAGE
, "--explicit-exit-notify cannot be used with --mode server");
1715 if (options
->routes
&& (options
->routes
->flags
& RG_ENABLE
))
1716 msg (M_USAGE
, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
1717 if (options
->route_delay_defined
)
1718 msg (M_USAGE
, "--route-delay cannot be used with --mode server");
1719 if (options
->up_delay
)
1720 msg (M_USAGE
, "--up-delay cannot be used with --mode server");
1721 if (!options
->ifconfig_pool_defined
&& options
->ifconfig_pool_persist_filename
)
1722 msg (M_USAGE
, "--ifconfig-pool-persist must be used with --ifconfig-pool");
1723 if (options
->auth_user_pass_file
)
1724 msg (M_USAGE
, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
1725 if (options
->ccd_exclusive
&& !options
->client_config_dir
)
1726 msg (M_USAGE
, "--ccd-exclusive must be used with --client-config-dir");
1727 if (options
->key_method
!= 2)
1728 msg (M_USAGE
, "--mode server requires --key-method 2");
1731 const bool ccnr
= (options
->auth_user_pass_verify_script
1732 || PLUGIN_OPTION_LIST (options
)
1733 || MAN_CLIENT_AUTH_ENABLED (options
));
1734 const char *postfix
= "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
1735 if ((options
->ssl_flags
& SSLF_CLIENT_CERT_NOT_REQUIRED
) && !ccnr
)
1736 msg (M_USAGE
, "--client-cert-not-required %s", postfix
);
1737 if ((options
->ssl_flags
& SSLF_USERNAME_AS_COMMON_NAME
) && !ccnr
)
1738 msg (M_USAGE
, "--username-as-common-name %s", postfix
);
1739 if ((options
->ssl_flags
& SSLF_AUTH_USER_PASS_OPTIONAL
) && !ccnr
)
1740 msg (M_USAGE
, "--auth-user-pass-optional %s", postfix
);
1743 if ((options
->ssl_flags
& SSLF_NO_NAME_REMAPPING
) && script_method
== SM_SYSTEM
)
1744 msg (M_USAGE
, "--script-security method='system' cannot be combined with --no-name-remapping");
1749 * When not in server mode, err if parameters are
1750 * specified which require --mode server.
1752 if (options
->ifconfig_pool_defined
|| options
->ifconfig_pool_persist_filename
)
1753 msg (M_USAGE
, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
1754 if (options
->real_hash_size
!= defaults
.real_hash_size
1755 || options
->virtual_hash_size
!= defaults
.virtual_hash_size
)
1756 msg (M_USAGE
, "--hash-size requires --mode server");
1757 if (options
->learn_address_script
)
1758 msg (M_USAGE
, "--learn-address requires --mode server");
1759 if (options
->client_connect_script
)
1760 msg (M_USAGE
, "--client-connect requires --mode server");
1761 if (options
->client_disconnect_script
)
1762 msg (M_USAGE
, "--client-disconnect requires --mode server");
1763 if (options
->tmp_dir
)
1764 msg (M_USAGE
, "--tmp-dir requires --mode server");
1765 if (options
->client_config_dir
|| options
->ccd_exclusive
)
1766 msg (M_USAGE
, "--client-config-dir/--ccd-exclusive requires --mode server");
1767 if (options
->enable_c2c
)
1768 msg (M_USAGE
, "--client-to-client requires --mode server");
1769 if (options
->duplicate_cn
)
1770 msg (M_USAGE
, "--duplicate-cn requires --mode server");
1771 if (options
->cf_max
|| options
->cf_per
)
1772 msg (M_USAGE
, "--connect-freq requires --mode server");
1773 if (options
->ssl_flags
& SSLF_CLIENT_CERT_NOT_REQUIRED
)
1774 msg (M_USAGE
, "--client-cert-not-required requires --mode server");
1775 if (options
->ssl_flags
& SSLF_USERNAME_AS_COMMON_NAME
)
1776 msg (M_USAGE
, "--username-as-common-name requires --mode server");
1777 if (options
->ssl_flags
& SSLF_AUTH_USER_PASS_OPTIONAL
)
1778 msg (M_USAGE
, "--auth-user-pass-optional requires --mode server");
1779 if (options
->ssl_flags
& SSLF_NO_NAME_REMAPPING
)
1780 msg (M_USAGE
, "--no-name-remapping requires --mode server");
1781 if (options
->ssl_flags
& SSLF_OPT_VERIFY
)
1782 msg (M_USAGE
, "--opt-verify requires --mode server");
1783 if (options
->server_flags
& SF_TCP_NODELAY_HELPER
)
1784 msg (M_USAGE
, "--tcp-nodelay requires --mode server");
1785 if (options
->auth_user_pass_verify_script
)
1786 msg (M_USAGE
, "--auth-user-pass-verify requires --mode server");
1788 if (options
->port_share_host
|| options
->port_share_port
)
1789 msg (M_USAGE
, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
1793 #endif /* P2MP_SERVER */
1798 * Check consistency of replay options
1800 if ((ce
->proto
!= PROTO_UDPv4
)
1801 && (options
->replay_window
!= defaults
.replay_window
1802 || options
->replay_time
!= defaults
.replay_time
))
1803 msg (M_USAGE
, "--replay-window only makes sense with --proto udp");
1805 if (!options
->replay
1806 && (options
->replay_window
!= defaults
.replay_window
1807 || options
->replay_time
!= defaults
.replay_time
))
1808 msg (M_USAGE
, "--replay-window doesn't make sense when replay protection is disabled with --no-replay");
1811 * SSL/TLS mode sanity checks.
1815 if (options
->tls_server
+ options
->tls_client
+
1816 (options
->shared_secret_file
!= NULL
) > 1)
1817 msg (M_USAGE
, "specify only one of --tls-server, --tls-client, or --secret");
1819 if (options
->tls_server
)
1821 notnull (options
->dh_file
, "DH file (--dh)");
1823 if (options
->tls_server
|| options
->tls_client
)
1825 #ifdef ENABLE_PKCS11
1826 if (options
->pkcs11_providers
[0])
1828 notnull (options
->ca_file
, "CA file (--ca)");
1830 if (options
->pkcs11_id_management
&& options
->pkcs11_id
!= NULL
)
1831 msg(M_USAGE
, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
1832 if (!options
->pkcs11_id_management
&& options
->pkcs11_id
== NULL
)
1833 msg(M_USAGE
, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
1834 if (options
->cert_file
)
1835 msg(M_USAGE
, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
1836 if (options
->priv_key_file
)
1837 msg(M_USAGE
, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
1838 if (options
->pkcs12_file
)
1839 msg(M_USAGE
, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
1841 if (options
->cryptoapi_cert
)
1842 msg(M_USAGE
, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
1848 if (options
->cryptoapi_cert
)
1850 if ((!(options
->ca_file
)) && (!(options
->ca_path
)))
1851 msg(M_USAGE
, "You must define CA file (--ca) or CA path (--capath)");
1852 if (options
->cert_file
)
1853 msg(M_USAGE
, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
1854 if (options
->priv_key_file
)
1855 msg(M_USAGE
, "Parameter --key cannot be used when --cryptoapicert is also specified.");
1856 if (options
->pkcs12_file
)
1857 msg(M_USAGE
, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
1861 if (options
->pkcs12_file
)
1863 if (options
->ca_path
)
1864 msg(M_USAGE
, "Parameter --capath cannot be used when --pkcs12 is also specified.");
1865 if (options
->cert_file
)
1866 msg(M_USAGE
, "Parameter --cert cannot be used when --pkcs12 is also specified.");
1867 if (options
->priv_key_file
)
1868 msg(M_USAGE
, "Parameter --key cannot be used when --pkcs12 is also specified.");
1872 if ((!(options
->ca_file
)) && (!(options
->ca_path
)))
1873 msg(M_USAGE
, "You must define CA file (--ca) or CA path (--capath)");
1876 const int sum
= (options
->cert_file
!= NULL
) + (options
->priv_key_file
!= NULL
);
1880 if (!options
->auth_user_pass_file
)
1882 msg (M_USAGE
, "No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass");
1888 msg (M_USAGE
, "If you use one of --cert or --key, you must use them both");
1893 notnull (options
->cert_file
, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
1894 notnull (options
->priv_key_file
, "private key file (--key) or PKCS#12 file (--pkcs12)");
1901 * Make sure user doesn't specify any TLS options
1902 * when in non-TLS mode.
1905 #define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) msg (M_USAGE, err, #parm);
1907 const char err
[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
1909 MUST_BE_UNDEF (ca_file
);
1910 MUST_BE_UNDEF (ca_path
);
1911 MUST_BE_UNDEF (dh_file
);
1912 MUST_BE_UNDEF (cert_file
);
1913 MUST_BE_UNDEF (priv_key_file
);
1914 MUST_BE_UNDEF (pkcs12_file
);
1915 MUST_BE_UNDEF (cipher_list
);
1916 MUST_BE_UNDEF (tls_verify
);
1917 MUST_BE_UNDEF (tls_remote
);
1918 MUST_BE_UNDEF (tls_timeout
);
1919 MUST_BE_UNDEF (renegotiate_bytes
);
1920 MUST_BE_UNDEF (renegotiate_packets
);
1921 MUST_BE_UNDEF (renegotiate_seconds
);
1922 MUST_BE_UNDEF (handshake_window
);
1923 MUST_BE_UNDEF (transition_window
);
1924 MUST_BE_UNDEF (tls_auth_file
);
1925 MUST_BE_UNDEF (single_session
);
1926 MUST_BE_UNDEF (tls_exit
);
1927 MUST_BE_UNDEF (crl_file
);
1928 MUST_BE_UNDEF (key_method
);
1929 MUST_BE_UNDEF (ns_cert_type
);
1930 MUST_BE_UNDEF (remote_cert_ku
[0]);
1931 MUST_BE_UNDEF (remote_cert_eku
);
1932 #ifdef ENABLE_PKCS11
1933 MUST_BE_UNDEF (pkcs11_providers
[0]);
1934 MUST_BE_UNDEF (pkcs11_private_mode
[0]);
1935 MUST_BE_UNDEF (pkcs11_id
);
1936 MUST_BE_UNDEF (pkcs11_id_management
);
1940 msg (M_USAGE
, err
, "--pull");
1942 #undef MUST_BE_UNDEF
1943 #endif /* USE_CRYPTO */
1944 #endif /* USE_SSL */
1947 if (options
->auth_user_pass_file
&& !options
->pull
)
1948 msg (M_USAGE
, "--auth-user-pass requires --pull");
1951 uninit_options (&defaults
);
1955 options_postprocess_mutate_ce (struct options
*o
, struct connection_entry
*ce
)
1958 if (o
->server_defined
|| o
->server_bridge_defined
|| o
->server_bridge_proxy_dhcp
)
1960 if (ce
->proto
== PROTO_TCPv4
)
1961 ce
->proto
= PROTO_TCPv4_SERVER
;
1967 if (ce
->proto
== PROTO_TCPv4
)
1968 ce
->proto
= PROTO_TCPv4_CLIENT
;
1972 if (ce
->proto
== PROTO_TCPv4_CLIENT
&& !ce
->local
&& !ce
->local_port_defined
&& !ce
->bind_defined
)
1973 ce
->bind_local
= false;
1976 if (ce
->proto
== PROTO_UDPv4
&& ce
->socks_proxy_server
&& !ce
->local
&& !ce
->local_port_defined
&& !ce
->bind_defined
)
1977 ce
->bind_local
= false;
1980 if (!ce
->bind_local
)
1985 options_postprocess_mutate_invariant (struct options
*options
)
1987 const int dev
= dev_type_enum (options
->dev
, options
->dev_type
);
1990 * If --mssfix is supplied without a parameter, default
1991 * it to --fragment value, if --fragment is specified.
1993 if (options
->mssfix_default
)
1995 #ifdef ENABLE_FRAGMENT
1996 if (options
->fragment
)
1997 options
->mssfix
= options
->fragment
;
1999 msg (M_USAGE
, "--mssfix must specify a parameter");
2004 * In forking TCP server mode, you don't need to ifconfig
2005 * the tap device (the assumption is that it will be bridged).
2007 if (options
->inetd
== INETD_NOWAIT
)
2008 options
->ifconfig_noexec
= true;
2014 if (!options
->tun_mtu_defined
&& !options
->link_mtu_defined
)
2016 options
->tun_mtu_defined
= true;
2018 if ((dev
== DEV_TYPE_TAP
) && !options
->tun_mtu_extra_defined
)
2020 options
->tun_mtu_extra_defined
= true;
2021 options
->tun_mtu_extra
= TAP_MTU_EXTRA_DEFAULT
;
2026 if ((dev
== DEV_TYPE_TUN
|| dev
== DEV_TYPE_TAP
) && !options
->route_delay_defined
)
2028 if (options
->mode
== MODE_POINT_TO_POINT
)
2030 options
->route_delay_defined
= true;
2031 options
->route_delay
= 5; /* Vista sometimes has a race without this */
2035 if (options
->ifconfig_noexec
)
2037 options
->tuntap_options
.ip_win32_type
= IPW32_SET_MANUAL
;
2038 options
->ifconfig_noexec
= false;
2044 * Check consistency of --mode server options.
2046 if (options
->mode
== MODE_SERVER
)
2050 * We need to explicitly set --tap-sleep because
2051 * we do not schedule event timers in the top-level context.
2053 options
->tuntap_options
.tap_sleep
= 10;
2054 if (options
->route_delay_defined
&& options
->route_delay
)
2055 options
->tuntap_options
.tap_sleep
= options
->route_delay
;
2056 options
->route_delay_defined
= false;
2063 options_postprocess_verify (const struct options
*o
)
2065 #ifdef ENABLE_CONNECTION
2066 if (o
->connection_list
)
2069 for (i
= 0; i
< o
->connection_list
->len
; ++i
)
2070 options_postprocess_verify_ce (o
, o
->connection_list
->array
[i
]);
2074 options_postprocess_verify_ce (o
, &o
->ce
);
2078 options_postprocess_mutate (struct options
*o
)
2081 * Process helper-type options which map to other, more complex
2082 * sequences of options.
2084 helper_client_server (o
);
2085 helper_keepalive (o
);
2086 helper_tcp_nodelay (o
);
2088 options_postprocess_mutate_invariant (o
);
2090 #ifdef ENABLE_CONNECTION
2091 if (o
->remote_list
&& !o
->connection_list
)
2094 * For compatibility with 2.0.x, map multiple --remote options
2095 * into connection list (connection lists added in 2.1).
2097 if (o
->remote_list
->len
> 1)
2099 const struct remote_list
*rl
= o
->remote_list
;
2101 for (i
= 0; i
< rl
->len
; ++i
)
2103 const struct remote_entry
*re
= rl
->array
[i
];
2104 struct connection_entry ce
= o
->ce
;
2105 struct connection_entry
*ace
;
2107 ASSERT (re
->remote
);
2108 connection_entry_load_re (&ce
, re
);
2109 ace
= alloc_connection_entry (o
, M_USAGE
);
2114 else if (o
->remote_list
->len
== 1) /* one --remote option specfied */
2116 connection_entry_load_re (&o
->ce
, o
->remote_list
->array
[0]);
2123 if (o
->connection_list
)
2126 for (i
= 0; i
< o
->connection_list
->len
; ++i
)
2127 options_postprocess_mutate_ce (o
, o
->connection_list
->array
[i
]);
2131 options_postprocess_mutate_ce (o
, &o
->ce
);
2135 * Save certain parms before modifying options via --pull
2142 * Sanity check on options.
2143 * Also set some options based on other
2147 options_postprocess (struct options
*options
)
2149 options_postprocess_mutate (options
);
2150 options_postprocess_verify (options
);
2156 * Save/Restore certain option defaults before --pull is applied.
2160 pre_pull_save (struct options
*o
)
2164 ALLOC_OBJ_CLEAR_GC (o
->pre_pull
, struct options_pre_pull
, &o
->gc
);
2165 o
->pre_pull
->tuntap_options
= o
->tuntap_options
;
2166 o
->pre_pull
->tuntap_options_defined
= true;
2167 o
->pre_pull
->foreign_option_index
= o
->foreign_option_index
;
2170 o
->pre_pull
->routes
= clone_route_option_list(o
->routes
, &o
->gc
);
2171 o
->pre_pull
->routes_defined
= true;
2177 pre_pull_restore (struct options
*o
)
2179 const struct options_pre_pull
*pp
= o
->pre_pull
;
2182 CLEAR (o
->tuntap_options
);
2183 if (pp
->tuntap_options_defined
)
2184 o
->tuntap_options
= pp
->tuntap_options
;
2186 if (pp
->routes_defined
)
2188 rol_check_alloc (o
);
2189 copy_route_option_list (o
->routes
, pp
->routes
);
2194 o
->foreign_option_index
= pp
->foreign_option_index
;
2197 o
->push_continuation
= 0;
2205 * Build an options string to represent data channel encryption options.
2206 * This string must match exactly between peers. The keysize is checked
2207 * separately by read_key().
2209 * The following options must match on both peers:
2213 * --dev tun|tap [unit number need not match]
2214 * --dev-type tun|tap
2219 * --proto tcp-client [matched with --proto tcp-server
2220 * on the other end of the connection]
2221 * --proto tcp-server [matched with --proto tcp-client on
2222 * the other end of the connection]
2224 * --ifconfig x y [matched with --ifconfig y x on
2225 * the other end of the connection]
2242 * --tls-client [matched with --tls-server on
2243 * the other end of the connection]
2244 * --tls-server [matched with --tls-client on
2245 * the other end of the connection]
2249 options_string (const struct options
*o
,
2250 const struct frame
*frame
,
2253 struct gc_arena
*gc
)
2255 struct buffer out
= alloc_buf (OPTION_LINE_SIZE
);
2256 bool tt_local
= false;
2258 buf_printf (&out
, "V4");
2264 buf_printf (&out
, ",dev-type %s", dev_type_string (o
->dev
, o
->dev_type
));
2265 buf_printf (&out
, ",link-mtu %d", EXPANDED_SIZE (frame
));
2266 buf_printf (&out
, ",tun-mtu %d", PAYLOAD_SIZE (frame
));
2267 buf_printf (&out
, ",proto %s", proto2ascii (proto_remote (o
->ce
.proto
, remote
), true));
2269 buf_printf (&out
, ",tun-ipv6");
2272 * Try to get ifconfig parameters into the options string.
2273 * If tt is undefined, make a temporary instantiation.
2277 tt
= init_tun (o
->dev
,
2281 o
->ifconfig_remote_netmask
,
2290 if (tt
&& o
->mode
== MODE_POINT_TO_POINT
&& !PULL_DEFINED(o
))
2292 const char *ios
= ifconfig_options_string (tt
, remote
, o
->ifconfig_nowarn
, gc
);
2293 if (ios
&& strlen (ios
))
2294 buf_printf (&out
, ",ifconfig %s", ios
);
2303 if (o
->lzo
& LZO_SELECTED
)
2304 buf_printf (&out
, ",comp-lzo");
2307 #ifdef ENABLE_FRAGMENT
2309 buf_printf (&out
, ",mtu-dynamic");
2315 #define TLS_CLIENT (o->tls_client)
2316 #define TLS_SERVER (o->tls_server)
2318 #define TLS_CLIENT (false)
2319 #define TLS_SERVER (false)
2326 const char *kd
= keydirection2ascii (o
->key_direction
, remote
);
2328 buf_printf (&out
, ",keydir %s", kd
);
2334 if (o
->shared_secret_file
|| TLS_CLIENT
|| TLS_SERVER
)
2338 ASSERT ((o
->shared_secret_file
!= NULL
)
2339 + (TLS_CLIENT
== true)
2340 + (TLS_SERVER
== true)
2343 init_key_type (&kt
, o
->ciphername
, o
->ciphername_defined
,
2344 o
->authname
, o
->authname_defined
,
2345 o
->keysize
, true, false);
2347 buf_printf (&out
, ",cipher %s", kt_cipher_name (&kt
));
2348 buf_printf (&out
, ",auth %s", kt_digest_name (&kt
));
2349 buf_printf (&out
, ",keysize %d", kt_key_size (&kt
));
2350 if (o
->shared_secret_file
)
2351 buf_printf (&out
, ",secret");
2353 buf_printf (&out
, ",no-replay");
2355 buf_printf (&out
, ",no-iv");
2363 if (TLS_CLIENT
|| TLS_SERVER
)
2365 if (o
->tls_auth_file
)
2366 buf_printf (&out
, ",tls-auth");
2368 if (o
->key_method
> 1)
2369 buf_printf (&out
, ",key-method %d", o
->key_method
);
2375 buf_printf (&out
, ",tls-server");
2376 else if (TLS_SERVER
)
2377 buf_printf (&out
, ",tls-client");
2382 buf_printf (&out
, ",tls-client");
2383 else if (TLS_SERVER
)
2384 buf_printf (&out
, ",tls-server");
2387 #endif /* USE_SSL */
2392 #endif /* USE_CRYPTO */
2398 * Compare option strings for equality.
2399 * If the first two chars of the strings differ, it means that
2400 * we are looking at different versions of the options string,
2401 * therefore don't compare them and return true.
2405 options_cmp_equal (char *actual
, const char *expected
)
2407 return options_cmp_equal_safe (actual
, expected
, strlen (actual
) + 1);
2411 options_warning (char *actual
, const char *expected
)
2413 options_warning_safe (actual
, expected
, strlen (actual
) + 1);
2417 options_warning_extract_parm1 (const char *option_string
,
2418 struct gc_arena
*gc_ret
)
2420 struct gc_arena gc
= gc_new ();
2421 struct buffer b
= string_alloc_buf (option_string
, &gc
);
2422 char *p
= gc_malloc (OPTION_PARM_SIZE
, false, &gc
);
2425 buf_parse (&b
, ' ', p
, OPTION_PARM_SIZE
);
2426 ret
= string_alloc (p
, gc_ret
);
2432 options_warning_safe_scan2 (const int msglevel
,
2434 const bool report_inconsistent
,
2436 const struct buffer
*b2_src
,
2437 const char *b1_name
,
2438 const char *b2_name
)
2440 if (strlen (p1
) > 0)
2442 struct gc_arena gc
= gc_new ();
2443 struct buffer b2
= *b2_src
;
2444 const char *p1_prefix
= options_warning_extract_parm1 (p1
, &gc
);
2445 char *p2
= gc_malloc (OPTION_PARM_SIZE
, false, &gc
);
2447 while (buf_parse (&b2
, delim
, p2
, OPTION_PARM_SIZE
))
2451 const char *p2_prefix
= options_warning_extract_parm1 (p2
, &gc
);
2453 if (!strcmp (p1
, p2
))
2455 if (!strcmp (p1_prefix
, p2_prefix
))
2457 if (report_inconsistent
)
2458 msg (msglevel
, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
2459 safe_print (p1_prefix
, &gc
),
2461 safe_print (p1
, &gc
),
2463 safe_print (p2
, &gc
));
2469 msg (msglevel
, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
2470 safe_print (p1_prefix
, &gc
),
2474 safe_print (p1
, &gc
));
2482 options_warning_safe_scan1 (const int msglevel
,
2484 const bool report_inconsistent
,
2485 const struct buffer
*b1_src
,
2486 const struct buffer
*b2_src
,
2487 const char *b1_name
,
2488 const char *b2_name
)
2490 struct gc_arena gc
= gc_new ();
2491 struct buffer b
= *b1_src
;
2492 char *p
= gc_malloc (OPTION_PARM_SIZE
, true, &gc
);
2494 while (buf_parse (&b
, delim
, p
, OPTION_PARM_SIZE
))
2495 options_warning_safe_scan2 (msglevel
, delim
, report_inconsistent
, p
, b2_src
, b1_name
, b2_name
);
2501 options_warning_safe_ml (const int msglevel
, char *actual
, const char *expected
, size_t actual_n
)
2503 struct gc_arena gc
= gc_new ();
2507 struct buffer local
= alloc_buf_gc (OPTION_PARM_SIZE
+ 16, &gc
);
2508 struct buffer remote
= alloc_buf_gc (OPTION_PARM_SIZE
+ 16, &gc
);
2509 actual
[actual_n
- 1] = 0;
2511 buf_printf (&local
, "version %s", expected
);
2512 buf_printf (&remote
, "version %s", actual
);
2514 options_warning_safe_scan1 (msglevel
, ',', true,
2518 options_warning_safe_scan1 (msglevel
, ',', false,
2527 options_cmp_equal_safe (char *actual
, const char *expected
, size_t actual_n
)
2529 struct gc_arena gc
= gc_new ();
2534 actual
[actual_n
- 1] = 0;
2535 #ifndef STRICT_OPTIONS_CHECK
2536 if (strncmp (actual
, expected
, 2))
2538 msg (D_SHOW_OCC
, "NOTE: Options consistency check may be skewed by version differences");
2539 options_warning_safe_ml (D_SHOW_OCC
, actual
, expected
, actual_n
);
2543 ret
= !strcmp (actual
, expected
);
2550 options_warning_safe (char *actual
, const char *expected
, size_t actual_n
)
2552 options_warning_safe_ml (M_WARN
, actual
, expected
, actual_n
);
2556 options_string_version (const char* s
, struct gc_arena
*gc
)
2558 struct buffer out
= alloc_buf_gc (4, gc
);
2559 strncpynt ((char *) BPTR (&out
), s
, 3);
2563 #endif /* ENABLE_OCC */
2566 foreign_option (struct options
*o
, char *argv
[], int len
, struct env_set
*es
)
2570 struct gc_arena gc
= gc_new();
2571 struct buffer name
= alloc_buf_gc (OPTION_PARM_SIZE
, &gc
);
2572 struct buffer value
= alloc_buf_gc (OPTION_PARM_SIZE
, &gc
);
2577 good
&= buf_printf (&name
, "foreign_option_%d", o
->foreign_option_index
+ 1);
2578 ++o
->foreign_option_index
;
2579 for (i
= 0; i
< len
; ++i
)
2584 good
&= buf_printf (&value
, " ");
2585 good
&= buf_printf (&value
, "%s", argv
[i
]);
2590 setenv_str (es
, BSTR(&name
), BSTR(&value
));
2592 msg (M_WARN
, "foreign_option: name/value overflow");
2598 * parse/print topology coding
2602 parse_topology (const char *str
, const int msglevel
)
2604 if (streq (str
, "net30"))
2606 else if (streq (str
, "p2p"))
2608 else if (streq (str
, "subnet"))
2612 msg (msglevel
, "--topology must be net30, p2p, or subnet");
2618 print_topology (const int topology
)
2638 * Manage auth-retry variable
2641 static int global_auth_retry
; /* GLOBAL */
2644 auth_retry_get (void)
2646 return global_auth_retry
;
2650 auth_retry_set (const int msglevel
, const char *option
)
2652 if (streq (option
, "interact"))
2653 global_auth_retry
= AR_INTERACT
;
2654 else if (streq (option
, "nointeract"))
2655 global_auth_retry
= AR_NOINTERACT
;
2656 else if (streq (option
, "none"))
2657 global_auth_retry
= AR_NONE
;
2660 msg (msglevel
, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
2667 auth_retry_print (void)
2669 switch (global_auth_retry
)
2674 return "nointeract";
2685 * Print the help message.
2690 FILE *fp
= msg_fp(0);
2694 fprintf (fp
, "Usage message not available\n");
2699 init_options (&o
, true);
2701 #if defined(USE_CRYPTO) && defined(USE_SSL)
2702 fprintf (fp
, usage_message
,
2704 o
.ce
.connect_retry_seconds
,
2705 o
.ce
.local_port
, o
.ce
.remote_port
,
2706 TUN_MTU_DEFAULT
, TAP_MTU_EXTRA_DEFAULT
,
2708 o
.authname
, o
.ciphername
,
2709 o
.replay_window
, o
.replay_time
,
2710 o
.tls_timeout
, o
.renegotiate_seconds
,
2711 o
.handshake_window
, o
.transition_window
);
2712 #elif defined(USE_CRYPTO)
2713 fprintf (fp
, usage_message
,
2715 o
.ce
.connect_retry_seconds
,
2716 o
.ce
.local_port
, o
.ce
.remote_port
,
2717 TUN_MTU_DEFAULT
, TAP_MTU_EXTRA_DEFAULT
,
2719 o
.authname
, o
.ciphername
,
2720 o
.replay_window
, o
.replay_time
);
2722 fprintf (fp
, usage_message
,
2724 o
.ce
.connect_retry_seconds
,
2725 o
.ce
.local_port
, o
.ce
.remote_port
,
2726 TUN_MTU_DEFAULT
, TAP_MTU_EXTRA_DEFAULT
,
2731 #endif /* ENABLE_SMALL */
2733 openvpn_exit (OPENVPN_EXIT_STATUS_USAGE
); /* exit point */
2739 msg (M_WARN
|M_NOPREFIX
, "Use --help for more information.");
2740 openvpn_exit (OPENVPN_EXIT_STATUS_USAGE
); /* exit point */
2744 usage_version (void)
2746 msg (M_INFO
|M_NOPREFIX
, "%s", title_string
);
2747 msg (M_INFO
|M_NOPREFIX
, "Originally developed by James Yonan");
2748 msg (M_INFO
|M_NOPREFIX
, "Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>");
2749 openvpn_exit (OPENVPN_EXIT_STATUS_USAGE
); /* exit point */
2753 notnull (const char *arg
, const char *description
)
2756 msg (M_USAGE
, "You must define %s", description
);
2760 string_defined_equal (const char *s1
, const char *s2
)
2763 return !strcmp (s1
, s2
);
2770 ping_rec_err (int msglevel
)
2772 msg (msglevel
, "only one of --ping-exit or --ping-restart options may be specified");
2777 positive_atoi (const char *str
)
2779 const int i
= atoi (str
);
2780 return i
< 0 ? 0 : i
;
2784 atou (const char *str
)
2786 unsigned int val
= 0;
2787 sscanf (str
, "%u", &val
);
2792 space (unsigned char c
)
2794 return c
== '\0' || isspace (c
);
2798 parse_line (const char *line
,
2804 struct gc_arena
*gc
)
2806 const int STATE_INITIAL
= 0;
2807 const int STATE_READING_QUOTED_PARM
= 1;
2808 const int STATE_READING_UNQUOTED_PARM
= 2;
2809 const int STATE_DONE
= 3;
2810 const int STATE_READING_SQUOTED_PARM
= 4;
2812 const char *error_prefix
= "";
2815 const char *c
= line
;
2816 int state
= STATE_INITIAL
;
2817 bool backslash
= false;
2820 char parm
[OPTION_PARM_SIZE
];
2821 unsigned int parm_len
= 0;
2823 msglevel
&= ~M_OPTERR
;
2825 if (msglevel
& M_MSG_VIRT_OUT
)
2826 error_prefix
= "ERROR: ";
2833 if (!backslash
&& in
== '\\' && state
!= STATE_READING_SQUOTED_PARM
)
2839 if (state
== STATE_INITIAL
)
2843 if (in
== ';' || in
== '#') /* comment */
2845 if (!backslash
&& in
== '\"')
2846 state
= STATE_READING_QUOTED_PARM
;
2847 else if (!backslash
&& in
== '\'')
2848 state
= STATE_READING_SQUOTED_PARM
;
2852 state
= STATE_READING_UNQUOTED_PARM
;
2856 else if (state
== STATE_READING_UNQUOTED_PARM
)
2858 if (!backslash
&& space (in
))
2863 else if (state
== STATE_READING_QUOTED_PARM
)
2865 if (!backslash
&& in
== '\"')
2870 else if (state
== STATE_READING_SQUOTED_PARM
)
2877 if (state
== STATE_DONE
)
2879 /* ASSERT (parm_len > 0); */
2880 p
[ret
] = gc_malloc (parm_len
+ 1, true, gc
);
2881 memcpy (p
[ret
], parm
, parm_len
);
2882 p
[ret
][parm_len
] = '\0';
2883 state
= STATE_INITIAL
;
2888 if (backslash
&& out
)
2890 if (!(out
== '\\' || out
== '\"' || space (out
)))
2893 msg (msglevel
, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix
, file
, line_num
);
2895 msg (msglevel
, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE
"\\\\static.key\"", error_prefix
, file
, line_num
);
2903 /* store parameter character */
2906 if (parm_len
>= SIZE (parm
))
2908 parm
[SIZE (parm
) - 1] = 0;
2909 msg (msglevel
, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
2910 error_prefix
, file
, line_num
, (int) SIZE (parm
), parm
);
2913 parm
[parm_len
++] = out
;
2916 /* avoid overflow if too many parms in one config file line */
2920 } while (*c
++ != '\0');
2922 if (state
== STATE_READING_QUOTED_PARM
)
2924 msg (msglevel
, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix
, file
, line_num
);
2927 if (state
== STATE_READING_SQUOTED_PARM
)
2929 msg (msglevel
, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix
, file
, line_num
);
2932 if (state
!= STATE_INITIAL
)
2934 msg (msglevel
, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix
, state
, file
, line_num
);
2940 for (i
= 0; i
< ret
; ++i
)
2942 msg (M_INFO
|M_NOPREFIX
, "%s:%d ARG[%d] '%s'", file
, line_num
, i
, p
[i
]);
2950 bypass_doubledash (char **p
)
2952 if (strlen (*p
) >= 3 && !strncmp (*p
, "--", 2))
2956 #if ENABLE_INLINE_FILES
2959 # define IS_TYPE_FP 1
2960 # define IS_TYPE_BUF 2
2964 struct buffer
*multiline
;
2969 in_src_get (const struct in_src
*is
, char *line
, const int size
)
2971 if (is
->type
== IS_TYPE_FP
)
2973 return BOOL_CAST (fgets (line
, size
, is
->u
.fp
));
2975 else if (is
->type
== IS_TYPE_BUF
)
2977 bool status
= buf_parse (is
->u
.multiline
, '\n', line
, size
);
2978 if ((int) strlen (line
) + 1 < size
)
2979 strcat (line
, "\n");
2990 read_inline_file (struct in_src
*is
, const char *close_tag
, struct gc_arena
*gc
)
2992 char line
[OPTION_LINE_SIZE
];
2993 struct buffer buf
= alloc_buf (10000);
2995 while (in_src_get (is
, line
, sizeof (line
)))
2997 if (!strncmp (line
, close_tag
, strlen (close_tag
)))
2999 buf_printf (&buf
, "%s", line
);
3001 ret
= string_alloc (BSTR (&buf
), gc
);
3009 check_inline_file (struct in_src
*is
, char *p
[], struct gc_arena
*gc
)
3015 if (arg
[0] == '<' && arg
[strlen(arg
)-1] == '>')
3017 struct buffer close_tag
;
3018 arg
[strlen(arg
)-1] = '\0';
3019 p
[0] = string_alloc (arg
+1, gc
);
3020 p
[1] = string_alloc (INLINE_FILE_TAG
, gc
);
3021 close_tag
= alloc_buf (strlen(p
[0]) + 4);
3022 buf_printf (&close_tag
, "</%s>", p
[0]);
3023 p
[2] = read_inline_file (is
, BSTR (&close_tag
), gc
);
3025 free_buf (&close_tag
);
3033 check_inline_file_via_fp (FILE *fp
, char *p
[], struct gc_arena
*gc
)
3036 is
.type
= IS_TYPE_FP
;
3038 return check_inline_file (&is
, p
, gc
);
3042 check_inline_file_via_buf (struct buffer
*multiline
, char *p
[], struct gc_arena
*gc
)
3045 is
.type
= IS_TYPE_BUF
;
3046 is
.u
.multiline
= multiline
;
3047 return check_inline_file (&is
, p
, gc
);
3053 add_option (struct options
*options
,
3059 const unsigned int permission_mask
,
3060 unsigned int *option_types_found
,
3061 struct env_set
*es
);
3064 read_config_file (struct options
*options
,
3067 const char *top_file
,
3070 const unsigned int permission_mask
,
3071 unsigned int *option_types_found
,
3074 const int max_recursive_levels
= 10;
3077 char line
[OPTION_LINE_SIZE
];
3081 if (level
<= max_recursive_levels
)
3083 if (streq (file
, "stdin"))
3086 fp
= fopen (file
, "r");
3090 while (fgets(line
, sizeof (line
), fp
))
3094 if (parse_line (line
, p
, SIZE (p
), file
, line_num
, msglevel
, &options
->gc
))
3096 bypass_doubledash (&p
[0]);
3097 #if ENABLE_INLINE_FILES
3098 check_inline_file_via_fp (fp
, p
, &options
->gc
);
3100 add_option (options
, p
, file
, line_num
, level
, msglevel
, permission_mask
, option_types_found
, es
);
3108 msg (msglevel
, "In %s:%d: Error opening configuration file: %s", top_file
, top_line
, file
);
3113 msg (msglevel
, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file
, top_line
, file
);
3120 read_config_string (const char *prefix
,
3121 struct options
*options
,
3124 const unsigned int permission_mask
,
3125 unsigned int *option_types_found
,
3128 char line
[OPTION_LINE_SIZE
];
3129 struct buffer multiline
;
3132 buf_set_read (&multiline
, (uint8_t*)config
, strlen (config
));
3134 while (buf_parse (&multiline
, '\n', line
, sizeof (line
)))
3139 if (parse_line (line
, p
, SIZE (p
), prefix
, line_num
, msglevel
, &options
->gc
))
3141 bypass_doubledash (&p
[0]);
3142 #if ENABLE_INLINE_FILES
3143 check_inline_file_via_buf (&multiline
, p
, &options
->gc
);
3145 add_option (options
, p
, NULL
, line_num
, 0, msglevel
, permission_mask
, option_types_found
, es
);
3153 parse_argv (struct options
*options
,
3157 const unsigned int permission_mask
,
3158 unsigned int *option_types_found
,
3167 /* config filename specified only? */
3168 if (argc
== 2 && strncmp (argv
[1], "--", 2))
3174 add_option (options
, p
, NULL
, 0, 0, msglevel
, permission_mask
, option_types_found
, es
);
3178 /* parse command line */
3179 for (i
= 1; i
< argc
; ++i
)
3184 if (strncmp(p
[0], "--", 2))
3186 msg (msglevel
, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p
[0]);
3191 for (j
= 1; j
< MAX_PARMS
; ++j
)
3195 char *arg
= argv
[i
+ j
];
3196 if (strncmp (arg
, "--", 2))
3202 add_option (options
, p
, NULL
, 0, 0, msglevel
, permission_mask
, option_types_found
, es
);
3209 apply_push_options (struct options
*options
,
3211 unsigned int permission_mask
,
3212 unsigned int *option_types_found
,
3215 char line
[OPTION_PARM_SIZE
];
3217 const char *file
= "[PUSH-OPTIONS]";
3218 const int msglevel
= D_PUSH_ERRORS
|M_OPTERR
;
3220 while (buf_parse (buf
, ',', line
, sizeof (line
)))
3225 if (parse_line (line
, p
, SIZE (p
), file
, line_num
, msglevel
, &options
->gc
))
3227 add_option (options
, p
, file
, line_num
, 0, msglevel
, permission_mask
, option_types_found
, es
);
3234 options_server_import (struct options
*o
,
3235 const char *filename
,
3237 unsigned int permission_mask
,
3238 unsigned int *option_types_found
,
3241 msg (D_PUSH
, "OPTIONS IMPORT: reading client specific options from: %s", filename
);
3242 read_config_file (o
,
3253 void options_string_import (struct options
*options
,
3256 const unsigned int permission_mask
,
3257 unsigned int *option_types_found
,
3260 read_config_string ("[CONFIG-STRING]", options
, config
, msglevel
, permission_mask
, option_types_found
, es
);
3265 #define VERIFY_PERMISSION(mask) { if (!verify_permission(p[0], (mask), permission_mask, option_types_found, msglevel)) goto err; }
3268 verify_permission (const char *name
,
3269 const unsigned int type
,
3270 const unsigned int allowed
,
3271 unsigned int *found
,
3274 if (!(type
& allowed
))
3276 msg (msglevel
, "option '%s' cannot be used in this context", name
);
3289 #define VERIFY_PERMISSION(mask)
3294 * Check that an option doesn't have too
3298 #define NM_QUOTE_HINT (1<<0)
3301 no_more_than_n_args (const int msglevel
,
3304 const unsigned int flags
)
3306 const int len
= string_array_len ((const char **)p
);
3313 msg (msglevel
, "the --%s directive should have at most %d parameter%s.%s",
3316 max
>= 3 ? "s" : "",
3317 (flags
& NM_QUOTE_HINT
) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
3325 msglevel_forward_compatible (struct options
*options
, const int msglevel
)
3327 return options
->forward_compatible
? M_WARN
: msglevel
;
3331 add_option (struct options
*options
,
3337 const unsigned int permission_mask
,
3338 unsigned int *option_types_found
,
3341 struct gc_arena gc
= gc_new ();
3342 const bool pull_mode
= BOOL_CAST (permission_mask
& OPT_P_PULL_MODE
);
3343 int msglevel_fc
= msglevel_forward_compatible (options
, msglevel
);
3345 ASSERT (MAX_PARMS
>= 5);
3348 file
= "[CMD-LINE]";
3351 if (streq (p
[0], "help"))
3353 VERIFY_PERMISSION (OPT_P_GENERAL
);
3356 if (streq (p
[0], "version"))
3358 VERIFY_PERMISSION (OPT_P_GENERAL
);
3361 else if (streq (p
[0], "config") && p
[1])
3363 VERIFY_PERMISSION (OPT_P_CONFIG
);
3365 /* save first config file only in options */
3366 if (!options
->config
)
3367 options
->config
= p
[1];
3369 read_config_file (options
, p
[1], level
, file
, line
, msglevel
, permission_mask
, option_types_found
, es
);
3372 else if (streq (p
[0], "foreign-option") && p
[1])
3374 VERIFY_PERMISSION (OPT_P_IPWIN32
);
3375 foreign_option (options
, p
, 3, es
);
3378 else if (streq (p
[0], "echo") || streq (p
[0], "parameter"))
3380 struct buffer string
= alloc_buf_gc (OPTION_PARM_SIZE
, &gc
);
3384 VERIFY_PERMISSION (OPT_P_ECHO
);
3386 for (j
= 1; j
< MAX_PARMS
; ++j
)
3391 good
&= buf_printf (&string
, " ");
3392 good
&= buf_printf (&string
, "%s", p
[j
]);
3396 msg (M_INFO
, "%s:%s",
3397 pull_mode
? "ECHO-PULL" : "ECHO",
3399 #ifdef ENABLE_MANAGEMENT
3401 management_echo (management
, BSTR (&string
), pull_mode
);
3405 msg (M_WARN
, "echo/parameter option overflow");
3407 #ifdef ENABLE_MANAGEMENT
3408 else if (streq (p
[0], "management") && p
[1] && p
[2])
3412 VERIFY_PERMISSION (OPT_P_GENERAL
);
3413 if (streq (p
[2], "unix"))
3415 #if UNIX_SOCK_SUPPORT
3416 options
->management_flags
|= MF_UNIX_SOCK
;
3418 msg (msglevel
, "MANAGEMENT: this platform does not support unix domain sockets");
3425 if (!legal_ipv4_port (port
))
3427 msg (msglevel
, "port number associated with --management directive is out of range");
3432 options
->management_addr
= p
[1];
3433 options
->management_port
= port
;
3436 options
->management_user_pass
= p
[3];
3439 else if (streq (p
[0], "management-client-user") && p
[1])
3441 VERIFY_PERMISSION (OPT_P_GENERAL
);
3442 options
->management_client_user
= p
[1];
3444 else if (streq (p
[0], "management-client-group") && p
[1])
3446 VERIFY_PERMISSION (OPT_P_GENERAL
);
3447 options
->management_client_group
= p
[1];
3449 else if (streq (p
[0], "management-query-passwords"))
3451 VERIFY_PERMISSION (OPT_P_GENERAL
);
3452 options
->management_flags
|= MF_QUERY_PASSWORDS
;
3454 else if (streq (p
[0], "management-hold"))
3456 VERIFY_PERMISSION (OPT_P_GENERAL
);
3457 options
->management_flags
|= MF_HOLD
;
3459 else if (streq (p
[0], "management-signal"))
3461 VERIFY_PERMISSION (OPT_P_GENERAL
);
3462 options
->management_flags
|= MF_SIGNAL
;
3464 else if (streq (p
[0], "management-forget-disconnect"))
3466 VERIFY_PERMISSION (OPT_P_GENERAL
);
3467 options
->management_flags
|= MF_FORGET_DISCONNECT
;
3469 else if (streq (p
[0], "management-client"))
3471 VERIFY_PERMISSION (OPT_P_GENERAL
);
3472 options
->management_flags
|= MF_CONNECT_AS_CLIENT
;
3473 options
->management_write_peer_info_file
= p
[1];
3475 #ifdef MANAGEMENT_DEF_AUTH
3476 else if (streq (p
[0], "management-client-auth"))
3478 VERIFY_PERMISSION (OPT_P_GENERAL
);
3479 options
->management_flags
|= MF_CLIENT_AUTH
;
3482 #ifdef MANAGEMENT_PF
3483 else if (streq (p
[0], "management-client-pf"))
3485 VERIFY_PERMISSION (OPT_P_GENERAL
);
3486 options
->management_flags
|= (MF_CLIENT_PF
| MF_CLIENT_AUTH
);
3489 else if (streq (p
[0], "management-log-cache") && p
[1])
3493 VERIFY_PERMISSION (OPT_P_GENERAL
);
3494 cache
= atoi (p
[1]);
3497 msg (msglevel
, "--management-log-cache parameter is out of range");
3500 options
->management_log_history_cache
= cache
;
3503 #ifdef ENABLE_PLUGIN
3504 else if (streq (p
[0], "plugin") && p
[1])
3506 VERIFY_PERMISSION (OPT_P_PLUGIN
);
3507 if (!options
->plugin_list
)
3508 options
->plugin_list
= plugin_option_list_new (&options
->gc
);
3509 if (!plugin_option_list_add (options
->plugin_list
, &p
[1], &options
->gc
))
3511 msg (msglevel
, "plugin add failed: %s", p
[1]);
3516 else if (streq (p
[0], "mode") && p
[1])
3518 VERIFY_PERMISSION (OPT_P_GENERAL
);
3519 if (streq (p
[1], "p2p"))
3520 options
->mode
= MODE_POINT_TO_POINT
;
3522 else if (streq (p
[1], "server"))
3523 options
->mode
= MODE_SERVER
;
3527 msg (msglevel
, "Bad --mode parameter: %s", p
[1]);
3531 else if (streq (p
[0], "dev") && p
[1])
3533 VERIFY_PERMISSION (OPT_P_GENERAL
);
3534 options
->dev
= p
[1];
3536 else if (streq (p
[0], "dev-type") && p
[1])
3538 VERIFY_PERMISSION (OPT_P_GENERAL
);
3539 options
->dev_type
= p
[1];
3541 else if (streq (p
[0], "dev-node") && p
[1])
3543 VERIFY_PERMISSION (OPT_P_GENERAL
);
3544 options
->dev_node
= p
[1];
3546 else if (streq (p
[0], "lladdr") && p
[1])
3548 VERIFY_PERMISSION (OPT_P_UP
);
3549 if (mac_addr_safe (p
[1])) /* MAC address only */
3550 options
->lladdr
= p
[1];
3553 msg (msglevel
, "lladdr parm '%s' must be a MAC address", p
[1]);
3557 else if (streq (p
[0], "topology") && p
[1])
3559 VERIFY_PERMISSION (OPT_P_UP
);
3560 options
->topology
= parse_topology (p
[1], msglevel
);
3562 else if (streq (p
[0], "tun-ipv6"))
3564 VERIFY_PERMISSION (OPT_P_UP
);
3565 options
->tun_ipv6
= true;
3567 #ifdef CONFIG_FEATURE_IPROUTE
3568 else if (streq (p
[0], "iproute") && p
[1])
3570 VERIFY_PERMISSION (OPT_P_GENERAL
);
3571 iproute_path
= p
[1];
3574 else if (streq (p
[0], "ifconfig") && p
[1] && p
[2])
3576 VERIFY_PERMISSION (OPT_P_UP
);
3577 if (ip_or_dns_addr_safe (p
[1], options
->allow_pull_fqdn
) && ip_or_dns_addr_safe (p
[2], options
->allow_pull_fqdn
)) /* FQDN -- may be DNS name */
3579 options
->ifconfig_local
= p
[1];
3580 options
->ifconfig_remote_netmask
= p
[2];
3584 msg (msglevel
, "ifconfig parms '%s' and '%s' must be valid addresses", p
[1], p
[2]);
3588 else if (streq (p
[0], "ifconfig-noexec"))
3590 VERIFY_PERMISSION (OPT_P_UP
);
3591 options
->ifconfig_noexec
= true;
3593 else if (streq (p
[0], "ifconfig-nowarn"))
3595 VERIFY_PERMISSION (OPT_P_UP
);
3596 options
->ifconfig_nowarn
= true;
3598 else if (streq (p
[0], "local") && p
[1])
3600 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
3601 options
->ce
.local
= p
[1];
3603 else if (streq (p
[0], "remote-random"))
3605 VERIFY_PERMISSION (OPT_P_GENERAL
);
3606 options
->remote_random
= true;
3608 #if ENABLE_CONNECTION
3609 else if (streq (p
[0], "connection") && p
[1])
3611 VERIFY_PERMISSION (OPT_P_GENERAL
);
3612 if (streq (p
[1], INLINE_FILE_TAG
) && p
[2])
3615 struct connection_entry
*e
;
3617 init_options (&sub
, true);
3618 sub
.ce
= options
->ce
;
3619 read_config_string ("[CONNECTION-OPTIONS]", &sub
, p
[2], msglevel
, OPT_P_CONNECTION
, option_types_found
, es
);
3622 msg (msglevel
, "Each 'connection' block must contain exactly one 'remote' directive");
3626 e
= alloc_connection_entry (options
, msglevel
);
3630 gc_transfer (&options
->gc
, &sub
.gc
);
3631 uninit_options (&sub
);
3635 else if (streq (p
[0], "remote") && p
[1])
3637 struct remote_entry re
;
3639 re
.remote_port
= re
.proto
= -1;
3641 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
3645 const int port
= atoi (p
[2]);
3646 if (!legal_ipv4_port (port
))
3648 msg (msglevel
, "remote: port number associated with host %s is out of range", p
[1]);
3651 re
.remote_port
= port
;
3654 const int proto
= ascii2proto (p
[3]);
3657 msg (msglevel
, "remote: bad protocol associated with host %s: '%s'", p
[1], p
[3]);
3663 #ifdef ENABLE_CONNECTION
3664 if (permission_mask
& OPT_P_GENERAL
)
3666 struct remote_entry
*e
= alloc_remote_entry (options
, msglevel
);
3671 else if (permission_mask
& OPT_P_CONNECTION
)
3674 connection_entry_load_re (&options
->ce
, &re
);
3677 else if (streq (p
[0], "resolv-retry") && p
[1])
3679 VERIFY_PERMISSION (OPT_P_GENERAL
);
3680 if (streq (p
[1], "infinite"))
3681 options
->resolve_retry_seconds
= RESOLV_RETRY_INFINITE
;
3683 options
->resolve_retry_seconds
= positive_atoi (p
[1]);
3685 else if (streq (p
[0], "connect-retry") && p
[1])
3687 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
3688 options
->ce
.connect_retry_seconds
= positive_atoi (p
[1]);
3689 options
->ce
.connect_retry_defined
= true;
3691 else if (streq (p
[0], "connect-timeout") && p
[1])
3693 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
3694 options
->ce
.connect_timeout
= positive_atoi (p
[1]);
3695 options
->ce
.connect_timeout_defined
= true;
3697 else if (streq (p
[0], "connect-retry-max") && p
[1])
3699 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
3700 options
->ce
.connect_retry_max
= positive_atoi (p
[1]);
3702 else if (streq (p
[0], "ipchange") && p
[1])
3704 VERIFY_PERMISSION (OPT_P_SCRIPT
);
3705 if (!no_more_than_n_args (msglevel
, p
, 2, NM_QUOTE_HINT
))
3707 options
->ipchange
= string_substitute (p
[1], ',', ' ', &options
->gc
);
3709 else if (streq (p
[0], "float"))
3711 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
3712 options
->ce
.remote_float
= true;
3715 else if (streq (p
[0], "gremlin") && p
[1])
3717 VERIFY_PERMISSION (OPT_P_GENERAL
);
3718 options
->gremlin
= positive_atoi (p
[1]);
3721 else if (streq (p
[0], "chroot") && p
[1])
3723 VERIFY_PERMISSION (OPT_P_GENERAL
);
3724 options
->chroot_dir
= p
[1];
3726 else if (streq (p
[0], "cd") && p
[1])
3728 VERIFY_PERMISSION (OPT_P_GENERAL
);
3729 if (openvpn_chdir (p
[1]))
3731 msg (M_ERR
, "cd to '%s' failed", p
[1]);
3734 options
->cd_dir
= p
[1];
3737 else if (streq (p
[0], "setcon") && p
[1])
3739 VERIFY_PERMISSION (OPT_P_GENERAL
);
3740 options
->selinux_context
= p
[1];
3743 else if (streq (p
[0], "writepid") && p
[1])
3745 VERIFY_PERMISSION (OPT_P_GENERAL
);
3746 options
->writepid
= p
[1];
3748 else if (streq (p
[0], "up") && p
[1])
3750 VERIFY_PERMISSION (OPT_P_SCRIPT
);
3751 if (!no_more_than_n_args (msglevel
, p
, 2, NM_QUOTE_HINT
))
3753 options
->up_script
= p
[1];
3755 else if (streq (p
[0], "down") && p
[1])
3757 VERIFY_PERMISSION (OPT_P_SCRIPT
);
3758 if (!no_more_than_n_args (msglevel
, p
, 2, NM_QUOTE_HINT
))
3760 options
->down_script
= p
[1];
3762 else if (streq (p
[0], "down-pre"))
3764 VERIFY_PERMISSION (OPT_P_GENERAL
);
3765 options
->down_pre
= true;
3767 else if (streq (p
[0], "up-delay"))
3769 VERIFY_PERMISSION (OPT_P_GENERAL
);
3770 options
->up_delay
= true;
3772 else if (streq (p
[0], "up-restart"))
3774 VERIFY_PERMISSION (OPT_P_GENERAL
);
3775 options
->up_restart
= true;
3777 else if (streq (p
[0], "syslog"))
3779 VERIFY_PERMISSION (OPT_P_GENERAL
);
3780 open_syslog (p
[1], false);
3782 else if (streq (p
[0], "daemon"))
3785 VERIFY_PERMISSION (OPT_P_GENERAL
);
3786 if (!options
->daemon
)
3788 options
->daemon
= didit
= true;
3789 open_syslog (p
[1], false);
3795 msg (M_WARN
, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p
[1]);
3800 else if (streq (p
[0], "inetd"))
3802 VERIFY_PERMISSION (OPT_P_GENERAL
);
3803 if (!options
->inetd
)
3806 const char *name
= NULL
;
3807 const char *opterr
= "when --inetd is used with two parameters, one of them must be 'wait' or 'nowait' and the other must be a daemon name to use for system logging";
3809 options
->inetd
= -1;
3811 for (z
= 1; z
<= 2; ++z
)
3815 if (streq (p
[z
], "wait"))
3817 if (options
->inetd
!= -1)
3819 msg (msglevel
, opterr
);
3823 options
->inetd
= INETD_WAIT
;
3825 else if (streq (p
[z
], "nowait"))
3827 if (options
->inetd
!= -1)
3829 msg (msglevel
, opterr
);
3833 options
->inetd
= INETD_NOWAIT
;
3839 msg (msglevel
, opterr
);
3848 if (options
->inetd
== -1)
3849 options
->inetd
= INETD_WAIT
;
3851 save_inetd_socket_descriptor ();
3852 open_syslog (name
, true);
3855 else if (streq (p
[0], "log") && p
[1])
3857 VERIFY_PERMISSION (OPT_P_GENERAL
);
3858 options
->log
= true;
3859 redirect_stdout_stderr (p
[1], false);
3861 else if (streq (p
[0], "suppress-timestamps"))
3863 VERIFY_PERMISSION (OPT_P_GENERAL
);
3864 options
->suppress_timestamps
= true;
3865 set_suppress_timestamps(true);
3867 else if (streq (p
[0], "log-append") && p
[1])
3869 VERIFY_PERMISSION (OPT_P_GENERAL
);
3870 options
->log
= true;
3871 redirect_stdout_stderr (p
[1], true);
3873 else if (streq (p
[0], "mlock"))
3875 VERIFY_PERMISSION (OPT_P_GENERAL
);
3876 options
->mlock
= true;
3878 #if ENABLE_IP_PKTINFO
3879 else if (streq (p
[0], "multihome"))
3881 VERIFY_PERMISSION (OPT_P_GENERAL
);
3882 options
->sockflags
|= SF_USE_IP_PKTINFO
;
3885 else if (streq (p
[0], "verb") && p
[1])
3887 VERIFY_PERMISSION (OPT_P_MESSAGES
);
3888 options
->verbosity
= positive_atoi (p
[1]);
3890 else if (streq (p
[0], "mute") && p
[1])
3892 VERIFY_PERMISSION (OPT_P_MESSAGES
);
3893 options
->mute
= positive_atoi (p
[1]);
3895 else if (streq (p
[0], "errors-to-stderr"))
3897 VERIFY_PERMISSION (OPT_P_MESSAGES
);
3900 else if (streq (p
[0], "status") && p
[1])
3902 VERIFY_PERMISSION (OPT_P_GENERAL
);
3903 options
->status_file
= p
[1];
3906 options
->status_file_update_freq
= positive_atoi (p
[2]);
3909 else if (streq (p
[0], "status-version") && p
[1])
3913 VERIFY_PERMISSION (OPT_P_GENERAL
);
3914 version
= atoi (p
[1]);
3915 if (version
< 1 || version
> 3)
3917 msg (msglevel
, "--status-version must be 1 to 3");
3920 options
->status_file_version
= version
;
3922 else if (streq (p
[0], "remap-usr1") && p
[1])
3924 VERIFY_PERMISSION (OPT_P_GENERAL
);
3925 if (streq (p
[1], "SIGHUP"))
3926 options
->remap_sigusr1
= SIGHUP
;
3927 else if (streq (p
[1], "SIGTERM"))
3928 options
->remap_sigusr1
= SIGTERM
;
3931 msg (msglevel
, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
3935 else if ((streq (p
[0], "link-mtu") || streq (p
[0], "udp-mtu")) && p
[1])
3937 VERIFY_PERMISSION (OPT_P_MTU
);
3938 options
->link_mtu
= positive_atoi (p
[1]);
3939 options
->link_mtu_defined
= true;
3941 else if (streq (p
[0], "tun-mtu") && p
[1])
3943 VERIFY_PERMISSION (OPT_P_MTU
);
3944 options
->tun_mtu
= positive_atoi (p
[1]);
3945 options
->tun_mtu_defined
= true;
3947 else if (streq (p
[0], "tun-mtu-extra") && p
[1])
3949 VERIFY_PERMISSION (OPT_P_MTU
);
3950 options
->tun_mtu_extra
= positive_atoi (p
[1]);
3951 options
->tun_mtu_extra_defined
= true;
3953 #ifdef ENABLE_FRAGMENT
3954 else if (streq (p
[0], "mtu-dynamic"))
3956 VERIFY_PERMISSION (OPT_P_GENERAL
);
3957 msg (msglevel
, "--mtu-dynamic has been replaced by --fragment");
3960 else if (streq (p
[0], "fragment") && p
[1])
3962 VERIFY_PERMISSION (OPT_P_MTU
);
3963 options
->fragment
= positive_atoi (p
[1]);
3966 else if (streq (p
[0], "mtu-disc") && p
[1])
3968 VERIFY_PERMISSION (OPT_P_MTU
);
3969 options
->mtu_discover_type
= translate_mtu_discover_type_name (p
[1]);
3972 else if (streq (p
[0], "mtu-test"))
3974 VERIFY_PERMISSION (OPT_P_GENERAL
);
3975 options
->mtu_test
= true;
3978 else if (streq (p
[0], "nice") && p
[1])
3980 VERIFY_PERMISSION (OPT_P_NICE
);
3981 options
->nice
= atoi (p
[1]);
3983 else if (streq (p
[0], "rcvbuf") && p
[1])
3985 VERIFY_PERMISSION (OPT_P_SOCKBUF
);
3986 options
->rcvbuf
= positive_atoi (p
[1]);
3988 else if (streq (p
[0], "sndbuf") && p
[1])
3990 VERIFY_PERMISSION (OPT_P_SOCKBUF
);
3991 options
->sndbuf
= positive_atoi (p
[1]);
3993 else if (streq (p
[0], "socket-flags"))
3996 VERIFY_PERMISSION (OPT_P_SOCKFLAGS
);
3997 for (j
= 1; j
< MAX_PARMS
&& p
[j
]; ++j
)
3999 if (streq (p
[j
], "TCP_NODELAY"))
4000 options
->sockflags
|= SF_TCP_NODELAY
;
4002 msg (msglevel
, "unknown socket flag: %s", p
[j
]);
4005 else if (streq (p
[0], "txqueuelen") && p
[1])
4007 VERIFY_PERMISSION (OPT_P_GENERAL
);
4009 options
->tuntap_options
.txqueuelen
= positive_atoi (p
[1]);
4011 msg (msglevel
, "--txqueuelen not supported on this OS");
4016 else if (streq (p
[0], "nice-work") && p
[1])
4018 VERIFY_PERMISSION (OPT_P_NICE
);
4019 options
->nice_work
= atoi (p
[1]);
4021 else if (streq (p
[0], "threads") && p
[1])
4025 VERIFY_PERMISSION (OPT_P_GENERAL
);
4026 n_threads
= positive_atoi (p
[1]);
4029 msg (msglevel
, "--threads parameter must be at least 1");
4032 options
->n_threads
= n_threads
;
4035 else if (streq (p
[0], "shaper") && p
[1])
4037 #ifdef HAVE_GETTIMEOFDAY
4040 VERIFY_PERMISSION (OPT_P_SHAPER
);
4041 shaper
= atoi (p
[1]);
4042 if (shaper
< SHAPER_MIN
|| shaper
> SHAPER_MAX
)
4044 msg (msglevel
, "Bad shaper value, must be between %d and %d",
4045 SHAPER_MIN
, SHAPER_MAX
);
4048 options
->shaper
= shaper
;
4049 #else /* HAVE_GETTIMEOFDAY */
4050 VERIFY_PERMISSION (OPT_P_GENERAL
);
4051 msg (msglevel
, "--shaper requires the gettimeofday() function which is missing");
4053 #endif /* HAVE_GETTIMEOFDAY */
4055 else if (streq (p
[0], "port") && p
[1])
4059 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4061 if (!legal_ipv4_port (port
))
4063 msg (msglevel
, "Bad port number: %s", p
[1]);
4066 options
->ce
.port_option_used
= true;
4067 options
->ce
.local_port
= options
->ce
.remote_port
= port
;
4069 else if (streq (p
[0], "lport") && p
[1])
4073 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4075 if (!legal_ipv4_port (port
))
4077 msg (msglevel
, "Bad local port number: %s", p
[1]);
4080 options
->ce
.local_port_defined
= true;
4081 options
->ce
.port_option_used
= true;
4082 options
->ce
.local_port
= port
;
4084 else if (streq (p
[0], "rport") && p
[1])
4088 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4090 if (!legal_ipv4_port (port
))
4092 msg (msglevel
, "Bad remote port number: %s", p
[1]);
4095 options
->ce
.port_option_used
= true;
4096 options
->ce
.remote_port
= port
;
4098 else if (streq (p
[0], "bind"))
4100 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4101 options
->ce
.bind_defined
= true;
4103 else if (streq (p
[0], "nobind"))
4105 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4106 options
->ce
.bind_local
= false;
4108 else if (streq (p
[0], "fast-io"))
4110 VERIFY_PERMISSION (OPT_P_GENERAL
);
4111 options
->fast_io
= true;
4113 else if (streq (p
[0], "inactive") && p
[1])
4115 VERIFY_PERMISSION (OPT_P_TIMER
);
4116 options
->inactivity_timeout
= positive_atoi (p
[1]);
4118 options
->inactivity_minimum_bytes
= positive_atoi (p
[2]);
4120 else if (streq (p
[0], "proto") && p
[1])
4123 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4124 proto
= ascii2proto (p
[1]);
4127 msg (msglevel
, "Bad protocol: '%s'. Allowed protocols with --proto option: %s",
4129 proto2ascii_all (&gc
));
4132 options
->ce
.proto
= proto
;
4134 #ifdef GENERAL_PROXY_SUPPORT
4135 else if (streq (p
[0], "auto-proxy"))
4139 VERIFY_PERMISSION (OPT_P_GENERAL
);
4140 options
->auto_proxy_info
= get_proxy_settings (&error
, &options
->gc
);
4142 msg (M_WARN
, "PROXY: %s", error
);
4144 else if (streq (p
[0], "show-proxy-settings"))
4146 struct auto_proxy_info
*pi
;
4149 VERIFY_PERMISSION (OPT_P_GENERAL
);
4150 pi
= get_proxy_settings (&error
, &options
->gc
);
4153 msg (M_INFO
|M_NOPREFIX
, "HTTP Server: %s", np(pi
->http
.server
));
4154 msg (M_INFO
|M_NOPREFIX
, "HTTP Port: %d", pi
->http
.port
);
4155 msg (M_INFO
|M_NOPREFIX
, "SOCKS Server: %s", np(pi
->socks
.server
));
4156 msg (M_INFO
|M_NOPREFIX
, "SOCKS Port: %d", pi
->socks
.port
);
4159 msg (msglevel
, "Proxy error: %s", error
);
4161 show_win_proxy_settings (M_INFO
|M_NOPREFIX
);
4163 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD
); /* exit point */
4165 #endif /* GENERAL_PROXY_SUPPORT */
4166 #ifdef ENABLE_HTTP_PROXY
4167 else if (streq (p
[0], "http-proxy") && p
[1])
4169 struct http_proxy_options
*ho
;
4171 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4177 msg (msglevel
, "http-proxy port number not defined");
4181 if (!legal_ipv4_port (port
))
4183 msg (msglevel
, "Bad http-proxy port number: %s", p
[2]);
4187 ho
= init_http_options_if_undefined (options
);
4195 if (streq (p
[3], "auto"))
4196 ho
->auth_retry
= true;
4199 ho
->auth_method_string
= "basic";
4200 ho
->auth_file
= p
[3];
4204 ho
->auth_method_string
= p
[4];
4210 ho
->auth_method_string
= "none";
4213 else if (streq (p
[0], "http-proxy-retry"))
4215 struct http_proxy_options
*ho
;
4216 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4217 ho
= init_http_options_if_undefined (options
);
4220 else if (streq (p
[0], "http-proxy-timeout") && p
[1])
4222 struct http_proxy_options
*ho
;
4224 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4225 ho
= init_http_options_if_undefined (options
);
4226 ho
->timeout
= positive_atoi (p
[1]);
4228 else if (streq (p
[0], "http-proxy-option") && p
[1])
4230 struct http_proxy_options
*ho
;
4232 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4233 ho
= init_http_options_if_undefined (options
);
4235 if (streq (p
[1], "VERSION") && p
[2])
4237 ho
->http_version
= p
[2];
4239 else if (streq (p
[1], "AGENT") && p
[2])
4241 ho
->user_agent
= p
[2];
4245 msg (msglevel
, "Bad http-proxy-option or missing parameter: '%s'", p
[1]);
4250 else if (streq (p
[0], "socks-proxy") && p
[1])
4252 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4258 if (!legal_ipv4_port (port
))
4260 msg (msglevel
, "Bad socks-proxy port number: %s", p
[2]);
4263 options
->ce
.socks_proxy_port
= port
;
4267 options
->ce
.socks_proxy_port
= 1080;
4269 options
->ce
.socks_proxy_server
= p
[1];
4271 else if (streq (p
[0], "socks-proxy-retry"))
4273 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4274 options
->ce
.socks_proxy_retry
= true;
4277 else if (streq (p
[0], "keepalive") && p
[1] && p
[2])
4279 VERIFY_PERMISSION (OPT_P_GENERAL
);
4280 options
->keepalive_ping
= atoi (p
[1]);
4281 options
->keepalive_timeout
= atoi (p
[2]);
4283 else if (streq (p
[0], "ping") && p
[1])
4285 VERIFY_PERMISSION (OPT_P_TIMER
);
4286 options
->ping_send_timeout
= positive_atoi (p
[1]);
4288 else if (streq (p
[0], "ping-exit") && p
[1])
4290 VERIFY_PERMISSION (OPT_P_TIMER
);
4291 options
->ping_rec_timeout
= positive_atoi (p
[1]);
4292 options
->ping_rec_timeout_action
= PING_EXIT
;
4294 else if (streq (p
[0], "ping-restart") && p
[1])
4296 VERIFY_PERMISSION (OPT_P_TIMER
);
4297 options
->ping_rec_timeout
= positive_atoi (p
[1]);
4298 options
->ping_rec_timeout_action
= PING_RESTART
;
4300 else if (streq (p
[0], "ping-timer-rem"))
4302 VERIFY_PERMISSION (OPT_P_TIMER
);
4303 options
->ping_timer_remote
= true;
4306 else if (streq (p
[0], "explicit-exit-notify"))
4308 VERIFY_PERMISSION (OPT_P_EXPLICIT_NOTIFY
);
4311 options
->explicit_exit_notification
= positive_atoi (p
[1]);
4315 options
->explicit_exit_notification
= 1;
4319 else if (streq (p
[0], "persist-tun"))
4321 VERIFY_PERMISSION (OPT_P_PERSIST
);
4322 options
->persist_tun
= true;
4324 else if (streq (p
[0], "persist-key"))
4326 VERIFY_PERMISSION (OPT_P_PERSIST
);
4327 options
->persist_key
= true;
4329 else if (streq (p
[0], "persist-local-ip"))
4331 VERIFY_PERMISSION (OPT_P_PERSIST_IP
);
4332 options
->persist_local_ip
= true;
4334 else if (streq (p
[0], "persist-remote-ip"))
4336 VERIFY_PERMISSION (OPT_P_PERSIST_IP
);
4337 options
->persist_remote_ip
= true;
4339 else if (streq (p
[0], "route") && p
[1])
4341 VERIFY_PERMISSION (OPT_P_ROUTE
);
4342 rol_check_alloc (options
);
4345 if (!ip_or_dns_addr_safe (p
[1], options
->allow_pull_fqdn
) && !is_special_addr (p
[1])) /* FQDN -- may be DNS name */
4347 msg (msglevel
, "route parameter network/IP '%s' must be a valid address", p
[1]);
4350 if (p
[2] && !ip_addr_dotted_quad_safe (p
[2])) /* FQDN -- must be IP address */
4352 msg (msglevel
, "route parameter netmask '%s' must be an IP address", p
[2]);
4355 if (p
[3] && !ip_or_dns_addr_safe (p
[3], options
->allow_pull_fqdn
) && !is_special_addr (p
[3])) /* FQDN -- may be DNS name */
4357 msg (msglevel
, "route parameter gateway '%s' must be a valid address", p
[3]);
4361 add_route_to_option_list (options
->routes
, p
[1], p
[2], p
[3], p
[4]);
4363 else if (streq (p
[0], "max-routes") && p
[1])
4367 VERIFY_PERMISSION (OPT_P_GENERAL
);
4368 max_routes
= atoi (p
[1]);
4369 if (max_routes
< 0 || max_routes
> 100000000)
4371 msg (msglevel
, "--max-routes parameter is out of range");
4374 options
->max_routes
= max_routes
;
4376 else if (streq (p
[0], "route-gateway") && p
[1])
4378 VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS
);
4379 if (streq (p
[1], "dhcp"))
4381 options
->route_gateway_via_dhcp
= true;
4385 if (ip_or_dns_addr_safe (p
[1], options
->allow_pull_fqdn
) || is_special_addr (p
[1])) /* FQDN -- may be DNS name */
4387 options
->route_default_gateway
= p
[1];
4391 msg (msglevel
, "route-gateway parm '%s' must be a valid address", p
[1]);
4396 else if (streq (p
[0], "route-metric") && p
[1])
4398 VERIFY_PERMISSION (OPT_P_ROUTE
);
4399 options
->route_default_metric
= positive_atoi (p
[1]);
4401 else if (streq (p
[0], "route-delay"))
4403 VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS
);
4404 options
->route_delay_defined
= true;
4407 options
->route_delay
= positive_atoi (p
[1]);
4410 options
->route_delay_window
= positive_atoi (p
[2]);
4415 options
->route_delay
= 0;
4418 else if (streq (p
[0], "route-up") && p
[1])
4420 VERIFY_PERMISSION (OPT_P_SCRIPT
);
4421 if (!no_more_than_n_args (msglevel
, p
, 2, NM_QUOTE_HINT
))
4423 options
->route_script
= p
[1];
4425 else if (streq (p
[0], "route-noexec"))
4427 VERIFY_PERMISSION (OPT_P_SCRIPT
);
4428 options
->route_noexec
= true;
4430 else if (streq (p
[0], "route-nopull"))
4432 VERIFY_PERMISSION (OPT_P_GENERAL
);
4433 options
->route_nopull
= true;
4435 else if (streq (p
[0], "allow-pull-fqdn"))
4437 VERIFY_PERMISSION (OPT_P_GENERAL
);
4438 options
->allow_pull_fqdn
= true;
4440 else if (streq (p
[0], "redirect-gateway") || streq (p
[0], "redirect-private"))
4443 VERIFY_PERMISSION (OPT_P_ROUTE
);
4444 rol_check_alloc (options
);
4445 if (streq (p
[0], "redirect-gateway"))
4446 options
->routes
->flags
|= RG_REROUTE_GW
;
4447 for (j
= 1; j
< MAX_PARMS
&& p
[j
] != NULL
; ++j
)
4449 if (streq (p
[j
], "local"))
4450 options
->routes
->flags
|= RG_LOCAL
;
4451 else if (streq (p
[j
], "autolocal"))
4452 options
->routes
->flags
|= RG_AUTO_LOCAL
;
4453 else if (streq (p
[j
], "def1"))
4454 options
->routes
->flags
|= RG_DEF1
;
4455 else if (streq (p
[j
], "bypass-dhcp"))
4456 options
->routes
->flags
|= RG_BYPASS_DHCP
;
4457 else if (streq (p
[j
], "bypass-dns"))
4458 options
->routes
->flags
|= RG_BYPASS_DNS
;
4461 msg (msglevel
, "unknown --%s flag: %s", p
[0], p
[j
]);
4465 options
->routes
->flags
|= RG_ENABLE
;
4467 else if (streq (p
[0], "remote-random-hostname"))
4469 VERIFY_PERMISSION (OPT_P_GENERAL
);
4470 options
->sockflags
|= SF_HOST_RANDOMIZE
;
4472 else if (streq (p
[0], "setenv") && p
[1])
4474 VERIFY_PERMISSION (OPT_P_GENERAL
);
4475 if (streq (p
[1], "REMOTE_RANDOM_HOSTNAME"))
4477 options
->sockflags
|= SF_HOST_RANDOMIZE
;
4479 else if (streq (p
[1], "GENERIC_CONFIG"))
4481 msg (msglevel
, "this is a generic configuration and cannot directly be used");
4485 else if (streq (p
[1], "SERVER_POLL_TIMEOUT") && p
[2])
4487 options
->server_poll_timeout
= positive_atoi(p
[2]);
4492 if (streq (p
[1], "FORWARD_COMPATIBLE") && p
[2] && streq (p
[2], "1"))
4494 options
->forward_compatible
= true;
4495 msglevel_fc
= msglevel_forward_compatible (options
, msglevel
);
4497 setenv_str (es
, p
[1], p
[2] ? p
[2] : "");
4500 else if (streq (p
[0], "setenv-safe") && p
[1])
4502 VERIFY_PERMISSION (OPT_P_SETENV
);
4503 setenv_str_safe (es
, p
[1], p
[2] ? p
[2] : "");
4505 else if (streq (p
[0], "script-security") && p
[1])
4507 VERIFY_PERMISSION (OPT_P_GENERAL
);
4508 script_security
= atoi (p
[1]);
4511 if (streq (p
[2], "execve"))
4512 script_method
= SM_EXECVE
;
4513 else if (streq (p
[2], "system"))
4514 script_method
= SM_SYSTEM
;
4517 msg (msglevel
, "unknown --script-security method: %s", p
[2]);
4522 script_method
= SM_EXECVE
;
4524 else if (streq (p
[0], "mssfix"))
4526 VERIFY_PERMISSION (OPT_P_GENERAL
);
4529 options
->mssfix
= positive_atoi (p
[1]);
4532 options
->mssfix_default
= true;
4536 else if (streq (p
[0], "disable-occ"))
4538 VERIFY_PERMISSION (OPT_P_GENERAL
);
4539 options
->occ
= false;
4544 else if (streq (p
[0], "server") && p
[1] && p
[2])
4546 const int lev
= M_WARN
;
4548 in_addr_t network
, netmask
;
4550 VERIFY_PERMISSION (OPT_P_GENERAL
);
4551 network
= get_ip_addr (p
[1], lev
, &error
);
4552 netmask
= get_ip_addr (p
[2], lev
, &error
);
4553 if (error
|| !network
|| !netmask
)
4555 msg (msglevel
, "error parsing --server parameters");
4558 options
->server_defined
= true;
4559 options
->server_network
= network
;
4560 options
->server_netmask
= netmask
;
4564 if (streq (p
[3], "nopool"))
4565 options
->server_flags
|= SF_NOPOOL
;
4568 msg (msglevel
, "error parsing --server: %s is not a recognized flag", p
[3]);
4573 else if (streq (p
[0], "server-bridge") && p
[1] && p
[2] && p
[3] && p
[4])
4575 const int lev
= M_WARN
;
4577 in_addr_t ip
, netmask
, pool_start
, pool_end
;
4579 VERIFY_PERMISSION (OPT_P_GENERAL
);
4580 ip
= get_ip_addr (p
[1], lev
, &error
);
4581 netmask
= get_ip_addr (p
[2], lev
, &error
);
4582 pool_start
= get_ip_addr (p
[3], lev
, &error
);
4583 pool_end
= get_ip_addr (p
[4], lev
, &error
);
4584 if (error
|| !ip
|| !netmask
|| !pool_start
|| !pool_end
)
4586 msg (msglevel
, "error parsing --server-bridge parameters");
4589 options
->server_bridge_defined
= true;
4590 options
->server_bridge_ip
= ip
;
4591 options
->server_bridge_netmask
= netmask
;
4592 options
->server_bridge_pool_start
= pool_start
;
4593 options
->server_bridge_pool_end
= pool_end
;
4595 else if (streq (p
[0], "server-bridge") && p
[1] && streq (p
[1], "nogw"))
4597 VERIFY_PERMISSION (OPT_P_GENERAL
);
4598 options
->server_bridge_proxy_dhcp
= true;
4599 options
->server_flags
|= SF_NO_PUSH_ROUTE_GATEWAY
;
4601 else if (streq (p
[0], "server-bridge") && !p
[1])
4603 VERIFY_PERMISSION (OPT_P_GENERAL
);
4604 options
->server_bridge_proxy_dhcp
= true;
4606 else if (streq (p
[0], "push") && p
[1])
4608 VERIFY_PERMISSION (OPT_P_PUSH
);
4609 push_options (options
, &p
[1], msglevel
, &options
->gc
);
4611 else if (streq (p
[0], "push-reset"))
4613 VERIFY_PERMISSION (OPT_P_INSTANCE
);
4614 push_reset (options
);
4616 else if (streq (p
[0], "ifconfig-pool") && p
[1] && p
[2])
4618 const int lev
= M_WARN
;
4620 in_addr_t start
, end
, netmask
=0;
4622 VERIFY_PERMISSION (OPT_P_GENERAL
);
4623 start
= get_ip_addr (p
[1], lev
, &error
);
4624 end
= get_ip_addr (p
[2], lev
, &error
);
4627 netmask
= get_ip_addr (p
[3], lev
, &error
);
4631 msg (msglevel
, "error parsing --ifconfig-pool parameters");
4634 if (!ifconfig_pool_verify_range (msglevel
, start
, end
))
4637 options
->ifconfig_pool_defined
= true;
4638 options
->ifconfig_pool_start
= start
;
4639 options
->ifconfig_pool_end
= end
;
4641 options
->ifconfig_pool_netmask
= netmask
;
4643 else if (streq (p
[0], "ifconfig-pool-persist") && p
[1])
4645 VERIFY_PERMISSION (OPT_P_GENERAL
);
4646 options
->ifconfig_pool_persist_filename
= p
[1];
4649 options
->ifconfig_pool_persist_refresh_freq
= positive_atoi (p
[2]);
4652 else if (streq (p
[0], "ifconfig-pool-linear"))
4654 VERIFY_PERMISSION (OPT_P_GENERAL
);
4655 options
->topology
= TOP_P2P
;
4657 else if (streq (p
[0], "hash-size") && p
[1] && p
[2])
4661 VERIFY_PERMISSION (OPT_P_GENERAL
);
4663 virtual = atoi (p
[2]);
4664 if (real
< 1 || virtual < 1)
4666 msg (msglevel
, "--hash-size sizes must be >= 1 (preferably a power of 2)");
4669 options
->real_hash_size
= real
;
4670 options
->virtual_hash_size
= real
;
4672 else if (streq (p
[0], "connect-freq") && p
[1] && p
[2])
4676 VERIFY_PERMISSION (OPT_P_GENERAL
);
4677 cf_max
= atoi (p
[1]);
4678 cf_per
= atoi (p
[2]);
4679 if (cf_max
< 0 || cf_per
< 0)
4681 msg (msglevel
, "--connect-freq parms must be > 0");
4684 options
->cf_max
= cf_max
;
4685 options
->cf_per
= cf_per
;
4687 else if (streq (p
[0], "max-clients") && p
[1])
4691 VERIFY_PERMISSION (OPT_P_GENERAL
);
4692 max_clients
= atoi (p
[1]);
4693 if (max_clients
< 0)
4695 msg (msglevel
, "--max-clients must be at least 1");
4698 options
->max_clients
= max_clients
;
4700 else if (streq (p
[0], "max-routes-per-client") && p
[1])
4702 VERIFY_PERMISSION (OPT_P_INHERIT
);
4703 options
->max_routes_per_client
= max_int (atoi (p
[1]), 1);
4705 else if (streq (p
[0], "client-cert-not-required"))
4707 VERIFY_PERMISSION (OPT_P_GENERAL
);
4708 options
->ssl_flags
|= SSLF_CLIENT_CERT_NOT_REQUIRED
;
4710 else if (streq (p
[0], "username-as-common-name"))
4712 VERIFY_PERMISSION (OPT_P_GENERAL
);
4713 options
->ssl_flags
|= SSLF_USERNAME_AS_COMMON_NAME
;
4715 else if (streq (p
[0], "auth-user-pass-optional"))
4717 VERIFY_PERMISSION (OPT_P_GENERAL
);
4718 options
->ssl_flags
|= SSLF_AUTH_USER_PASS_OPTIONAL
;
4720 else if (streq (p
[0], "no-name-remapping"))
4722 VERIFY_PERMISSION (OPT_P_GENERAL
);
4723 options
->ssl_flags
|= SSLF_NO_NAME_REMAPPING
;
4725 else if (streq (p
[0], "opt-verify"))
4727 VERIFY_PERMISSION (OPT_P_GENERAL
);
4728 options
->ssl_flags
|= SSLF_OPT_VERIFY
;
4730 else if (streq (p
[0], "auth-user-pass-verify") && p
[1])
4732 VERIFY_PERMISSION (OPT_P_SCRIPT
);
4733 if (!no_more_than_n_args (msglevel
, p
, 3, NM_QUOTE_HINT
))
4737 if (streq (p
[2], "via-env"))
4738 options
->auth_user_pass_verify_script_via_file
= false;
4739 else if (streq (p
[2], "via-file"))
4740 options
->auth_user_pass_verify_script_via_file
= true;
4743 msg (msglevel
, "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
4749 msg (msglevel
, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
4752 options
->auth_user_pass_verify_script
= p
[1];
4754 else if (streq (p
[0], "client-connect") && p
[1])
4756 VERIFY_PERMISSION (OPT_P_SCRIPT
);
4757 if (!no_more_than_n_args (msglevel
, p
, 2, NM_QUOTE_HINT
))
4759 options
->client_connect_script
= p
[1];
4761 else if (streq (p
[0], "client-disconnect") && p
[1])
4763 VERIFY_PERMISSION (OPT_P_SCRIPT
);
4764 if (!no_more_than_n_args (msglevel
, p
, 2, NM_QUOTE_HINT
))
4766 options
->client_disconnect_script
= p
[1];
4768 else if (streq (p
[0], "learn-address") && p
[1])
4770 VERIFY_PERMISSION (OPT_P_SCRIPT
);
4771 if (!no_more_than_n_args (msglevel
, p
, 2, NM_QUOTE_HINT
))
4773 options
->learn_address_script
= p
[1];
4775 else if (streq (p
[0], "tmp-dir") && p
[1])
4777 VERIFY_PERMISSION (OPT_P_GENERAL
);
4778 options
->tmp_dir
= p
[1];
4780 else if (streq (p
[0], "client-config-dir") && p
[1])
4782 VERIFY_PERMISSION (OPT_P_GENERAL
);
4783 options
->client_config_dir
= p
[1];
4785 else if (streq (p
[0], "ccd-exclusive"))
4787 VERIFY_PERMISSION (OPT_P_GENERAL
);
4788 options
->ccd_exclusive
= true;
4790 else if (streq (p
[0], "bcast-buffers") && p
[1])
4794 VERIFY_PERMISSION (OPT_P_GENERAL
);
4795 n_bcast_buf
= atoi (p
[1]);
4796 if (n_bcast_buf
< 1)
4797 msg (msglevel
, "--bcast-buffers parameter must be > 0");
4798 options
->n_bcast_buf
= n_bcast_buf
;
4800 else if (streq (p
[0], "tcp-queue-limit") && p
[1])
4802 int tcp_queue_limit
;
4804 VERIFY_PERMISSION (OPT_P_GENERAL
);
4805 tcp_queue_limit
= atoi (p
[1]);
4806 if (tcp_queue_limit
< 1)
4807 msg (msglevel
, "--tcp-queue-limit parameter must be > 0");
4808 options
->tcp_queue_limit
= tcp_queue_limit
;
4811 else if (streq (p
[0], "port-share") && p
[1] && p
[2])
4815 VERIFY_PERMISSION (OPT_P_GENERAL
);
4817 if (!legal_ipv4_port (port
))
4819 msg (msglevel
, "port number associated with --port-share directive is out of range");
4823 options
->port_share_host
= p
[1];
4824 options
->port_share_port
= port
;
4827 else if (streq (p
[0], "client-to-client"))
4829 VERIFY_PERMISSION (OPT_P_GENERAL
);
4830 options
->enable_c2c
= true;
4832 else if (streq (p
[0], "duplicate-cn"))
4834 VERIFY_PERMISSION (OPT_P_GENERAL
);
4835 options
->duplicate_cn
= true;
4837 else if (streq (p
[0], "iroute") && p
[1])
4839 const char *netmask
= NULL
;
4841 VERIFY_PERMISSION (OPT_P_INSTANCE
);
4846 option_iroute (options
, p
[1], netmask
, msglevel
);
4848 else if (streq (p
[0], "ifconfig-push") && p
[1] && p
[2])
4850 in_addr_t local
, remote_netmask
;
4852 VERIFY_PERMISSION (OPT_P_INSTANCE
);
4853 local
= getaddr (GETADDR_HOST_ORDER
|GETADDR_RESOLVE
, p
[1], 0, NULL
, NULL
);
4854 remote_netmask
= getaddr (GETADDR_HOST_ORDER
|GETADDR_RESOLVE
, p
[2], 0, NULL
, NULL
);
4855 if (local
&& remote_netmask
)
4857 options
->push_ifconfig_defined
= true;
4858 options
->push_ifconfig_local
= local
;
4859 options
->push_ifconfig_remote_netmask
= remote_netmask
;
4863 msg (msglevel
, "cannot parse --ifconfig-push addresses");
4867 else if (streq (p
[0], "ifconfig-push-constraint") && p
[1] && p
[2])
4869 in_addr_t network
, netmask
;
4871 VERIFY_PERMISSION (OPT_P_GENERAL
);
4872 network
= getaddr (GETADDR_HOST_ORDER
|GETADDR_RESOLVE
, p
[1], 0, NULL
, NULL
);
4873 netmask
= getaddr (GETADDR_HOST_ORDER
, p
[2], 0, NULL
, NULL
);
4874 if (network
&& netmask
)
4876 options
->push_ifconfig_constraint_defined
= true;
4877 options
->push_ifconfig_constraint_network
= network
;
4878 options
->push_ifconfig_constraint_netmask
= netmask
;
4882 msg (msglevel
, "cannot parse --ifconfig-push-constraint addresses");
4886 else if (streq (p
[0], "disable"))
4888 VERIFY_PERMISSION (OPT_P_INSTANCE
);
4889 options
->disable
= true;
4891 else if (streq (p
[0], "tcp-nodelay"))
4893 VERIFY_PERMISSION (OPT_P_GENERAL
);
4894 options
->server_flags
|= SF_TCP_NODELAY_HELPER
;
4896 #endif /* P2MP_SERVER */
4898 else if (streq (p
[0], "client"))
4900 VERIFY_PERMISSION (OPT_P_GENERAL
);
4901 options
->client
= true;
4903 else if (streq (p
[0], "pull"))
4905 VERIFY_PERMISSION (OPT_P_GENERAL
);
4906 options
->pull
= true;
4908 else if (streq (p
[0], "push-continuation") && p
[1])
4910 VERIFY_PERMISSION (OPT_P_PULL_MODE
);
4911 options
->push_continuation
= atoi(p
[1]);
4913 else if (streq (p
[0], "server-poll-timeout") && p
[1])
4915 VERIFY_PERMISSION (OPT_P_GENERAL
);
4916 options
->server_poll_timeout
= positive_atoi(p
[1]);
4918 else if (streq (p
[0], "auth-user-pass"))
4920 VERIFY_PERMISSION (OPT_P_GENERAL
);
4923 options
->auth_user_pass_file
= p
[1];
4926 options
->auth_user_pass_file
= "stdin";
4928 else if (streq (p
[0], "auth-retry") && p
[1])
4930 VERIFY_PERMISSION (OPT_P_GENERAL
);
4931 auth_retry_set (msglevel
, p
[1]);
4935 else if (streq (p
[0], "win-sys") && p
[1])
4937 VERIFY_PERMISSION (OPT_P_GENERAL
);
4938 if (streq (p
[1], "env"))
4939 set_win_sys_path_via_env (es
);
4941 set_win_sys_path (p
[1], es
);
4943 else if (streq (p
[0], "route-method") && p
[1])
4945 VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS
);
4946 if (streq (p
[1], "adaptive"))
4947 options
->route_method
= ROUTE_METHOD_ADAPTIVE
;
4948 else if (streq (p
[1], "ipapi"))
4949 options
->route_method
= ROUTE_METHOD_IPAPI
;
4950 else if (streq (p
[1], "exe"))
4951 options
->route_method
= ROUTE_METHOD_EXE
;
4954 msg (msglevel
, "--route method must be 'adaptive', 'ipapi', or 'exe'");
4958 else if (streq (p
[0], "ip-win32") && p
[1])
4960 const int index
= ascii2ipset (p
[1]);
4961 struct tuntap_options
*to
= &options
->tuntap_options
;
4963 VERIFY_PERMISSION (OPT_P_IPWIN32
);
4968 "Bad --ip-win32 method: '%s'. Allowed methods: %s",
4970 ipset2ascii_all (&gc
));
4974 if (index
== IPW32_SET_ADAPTIVE
)
4975 options
->route_delay_window
= IPW32_SET_ADAPTIVE_DELAY_WINDOW
;
4977 if (index
== IPW32_SET_DHCP_MASQ
)
4981 if (!streq (p
[2], "default"))
4983 int offset
= atoi (p
[2]);
4985 if (!(offset
> -256 && offset
< 256))
4987 msg (msglevel
, "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", offset
);
4991 to
->dhcp_masq_custom_offset
= true;
4992 to
->dhcp_masq_offset
= offset
;
4997 const int min_lease
= 30;
4999 lease_time
= atoi (p
[3]);
5000 if (lease_time
< min_lease
)
5002 msg (msglevel
, "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", lease_time
, min_lease
);
5005 to
->dhcp_lease_time
= lease_time
;
5009 to
->ip_win32_type
= index
;
5010 to
->ip_win32_defined
= true;
5012 else if (streq (p
[0], "dhcp-option") && p
[1])
5014 struct tuntap_options
*o
= &options
->tuntap_options
;
5015 VERIFY_PERMISSION (OPT_P_IPWIN32
);
5017 if (streq (p
[1], "DOMAIN") && p
[2])
5021 else if (streq (p
[1], "NBS") && p
[2])
5023 o
->netbios_scope
= p
[2];
5025 else if (streq (p
[1], "NBT") && p
[2])
5029 if (!(t
== 1 || t
== 2 || t
== 4 || t
== 8))
5031 msg (msglevel
, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t
);
5034 o
->netbios_node_type
= t
;
5036 else if (streq (p
[1], "DNS") && p
[2])
5038 dhcp_option_address_parse ("DNS", p
[2], o
->dns
, &o
->dns_len
, msglevel
);
5040 else if (streq (p
[1], "WINS") && p
[2])
5042 dhcp_option_address_parse ("WINS", p
[2], o
->wins
, &o
->wins_len
, msglevel
);
5044 else if (streq (p
[1], "NTP") && p
[2])
5046 dhcp_option_address_parse ("NTP", p
[2], o
->ntp
, &o
->ntp_len
, msglevel
);
5048 else if (streq (p
[1], "NBDD") && p
[2])
5050 dhcp_option_address_parse ("NBDD", p
[2], o
->nbdd
, &o
->nbdd_len
, msglevel
);
5052 else if (streq (p
[1], "DISABLE-NBT"))
5058 msg (msglevel
, "--dhcp-option: unknown option type '%s' or missing parameter", p
[1]);
5061 o
->dhcp_options
= true;
5063 else if (streq (p
[0], "show-adapters"))
5065 VERIFY_PERMISSION (OPT_P_GENERAL
);
5066 show_tap_win32_adapters (M_INFO
|M_NOPREFIX
, M_WARN
|M_NOPREFIX
);
5067 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD
); /* exit point */
5069 else if (streq (p
[0], "show-net"))
5071 VERIFY_PERMISSION (OPT_P_GENERAL
);
5072 show_routes (M_INFO
|M_NOPREFIX
);
5073 show_adapters (M_INFO
|M_NOPREFIX
);
5074 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD
); /* exit point */
5076 else if (streq (p
[0], "show-net-up"))
5078 VERIFY_PERMISSION (OPT_P_UP
);
5079 options
->show_net_up
= true;
5081 else if (streq (p
[0], "tap-sleep") && p
[1])
5084 VERIFY_PERMISSION (OPT_P_IPWIN32
);
5086 if (s
< 0 || s
>= 256)
5088 msg (msglevel
, "--tap-sleep parameter must be between 0 and 255");
5091 options
->tuntap_options
.tap_sleep
= s
;
5093 else if (streq (p
[0], "dhcp-renew"))
5095 VERIFY_PERMISSION (OPT_P_IPWIN32
);
5096 options
->tuntap_options
.dhcp_renew
= true;
5098 else if (streq (p
[0], "dhcp-pre-release"))
5100 VERIFY_PERMISSION (OPT_P_IPWIN32
);
5101 options
->tuntap_options
.dhcp_pre_release
= true;
5103 else if (streq (p
[0], "dhcp-release"))
5105 VERIFY_PERMISSION (OPT_P_IPWIN32
);
5106 options
->tuntap_options
.dhcp_release
= true;
5108 else if (streq (p
[0], "dhcp-rr") && p
[1]) /* standalone method for internal use */
5110 unsigned int adapter_index
;
5111 VERIFY_PERMISSION (OPT_P_GENERAL
);
5112 set_debug_level (options
->verbosity
, SDL_CONSTRAIN
);
5113 adapter_index
= atou (p
[1]);
5114 sleep (options
->tuntap_options
.tap_sleep
);
5115 if (options
->tuntap_options
.dhcp_pre_release
)
5116 dhcp_release_by_adapter_index (adapter_index
);
5117 if (options
->tuntap_options
.dhcp_renew
)
5118 dhcp_renew_by_adapter_index (adapter_index
);
5119 openvpn_exit (OPENVPN_EXIT_STATUS_USAGE
); /* exit point */
5121 else if (streq (p
[0], "show-valid-subnets"))
5123 VERIFY_PERMISSION (OPT_P_GENERAL
);
5124 show_valid_win32_tun_subnets ();
5125 openvpn_exit (OPENVPN_EXIT_STATUS_USAGE
); /* exit point */
5127 else if (streq (p
[0], "pause-exit"))
5129 VERIFY_PERMISSION (OPT_P_GENERAL
);
5130 set_pause_exit_win32 ();
5132 else if (streq (p
[0], "service") && p
[1])
5134 VERIFY_PERMISSION (OPT_P_GENERAL
);
5135 options
->exit_event_name
= p
[1];
5138 options
->exit_event_initial_state
= (atoi(p
[2]) != 0);
5141 else if (streq (p
[0], "allow-nonadmin"))
5143 VERIFY_PERMISSION (OPT_P_GENERAL
);
5144 tap_allow_nonadmin_access (p
[1]);
5145 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD
); /* exit point */
5147 else if (streq (p
[0], "user") && p
[1])
5149 VERIFY_PERMISSION (OPT_P_GENERAL
);
5150 msg (M_WARN
, "NOTE: --user option is not implemented on Windows");
5152 else if (streq (p
[0], "group") && p
[1])
5154 VERIFY_PERMISSION (OPT_P_GENERAL
);
5155 msg (M_WARN
, "NOTE: --group option is not implemented on Windows");
5158 else if (streq (p
[0], "user") && p
[1])
5160 VERIFY_PERMISSION (OPT_P_GENERAL
);
5161 options
->username
= p
[1];
5163 else if (streq (p
[0], "group") && p
[1])
5165 VERIFY_PERMISSION (OPT_P_GENERAL
);
5166 options
->groupname
= p
[1];
5168 else if (streq (p
[0], "dhcp-option") && p
[1])
5170 VERIFY_PERMISSION (OPT_P_IPWIN32
);
5171 foreign_option (options
, p
, 3, es
);
5173 else if (streq (p
[0], "route-method") && p
[1]) /* ignore when pushed to non-Windows OS */
5175 VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS
);
5178 #if PASSTOS_CAPABILITY
5179 else if (streq (p
[0], "passtos"))
5181 VERIFY_PERMISSION (OPT_P_GENERAL
);
5182 options
->passtos
= true;
5186 else if (streq (p
[0], "comp-lzo"))
5188 VERIFY_PERMISSION (OPT_P_COMP
);
5191 if (streq (p
[1], "yes"))
5192 options
->lzo
= LZO_SELECTED
|LZO_ON
;
5193 else if (streq (p
[1], "no"))
5194 options
->lzo
= LZO_SELECTED
;
5195 else if (streq (p
[1], "adaptive"))
5196 options
->lzo
= LZO_SELECTED
|LZO_ON
|LZO_ADAPTIVE
;
5199 msg (msglevel
, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p
[1]);
5204 options
->lzo
= LZO_SELECTED
|LZO_ON
|LZO_ADAPTIVE
;
5206 else if (streq (p
[0], "comp-noadapt"))
5208 VERIFY_PERMISSION (OPT_P_COMP
);
5209 options
->lzo
&= ~LZO_ADAPTIVE
;
5211 #endif /* USE_LZO */
5213 else if (streq (p
[0], "show-ciphers"))
5215 VERIFY_PERMISSION (OPT_P_GENERAL
);
5216 options
->show_ciphers
= true;
5218 else if (streq (p
[0], "show-digests"))
5220 VERIFY_PERMISSION (OPT_P_GENERAL
);
5221 options
->show_digests
= true;
5223 else if (streq (p
[0], "show-engines"))
5225 VERIFY_PERMISSION (OPT_P_GENERAL
);
5226 options
->show_engines
= true;
5228 else if (streq (p
[0], "key-direction") && p
[1])
5232 key_direction
= ascii2keydirection (msglevel
, p
[1]);
5233 if (key_direction
>= 0)
5234 options
->key_direction
= key_direction
;
5238 else if (streq (p
[0], "secret") && p
[1])
5240 VERIFY_PERMISSION (OPT_P_GENERAL
);
5241 #if ENABLE_INLINE_FILES
5242 if (streq (p
[1], INLINE_FILE_TAG
) && p
[2])
5244 options
->shared_secret_file_inline
= p
[2];
5252 key_direction
= ascii2keydirection (msglevel
, p
[2]);
5253 if (key_direction
>= 0)
5254 options
->key_direction
= key_direction
;
5258 options
->shared_secret_file
= p
[1];
5260 else if (streq (p
[0], "genkey"))
5262 VERIFY_PERMISSION (OPT_P_GENERAL
);
5263 options
->genkey
= true;
5265 else if (streq (p
[0], "auth") && p
[1])
5267 VERIFY_PERMISSION (OPT_P_CRYPTO
);
5268 options
->authname_defined
= true;
5269 options
->authname
= p
[1];
5270 if (streq (options
->authname
, "none"))
5272 options
->authname_defined
= false;
5273 options
->authname
= NULL
;
5276 else if (streq (p
[0], "auth"))
5278 VERIFY_PERMISSION (OPT_P_CRYPTO
);
5279 options
->authname_defined
= true;
5281 else if (streq (p
[0], "cipher") && p
[1])
5283 VERIFY_PERMISSION (OPT_P_CRYPTO
);
5284 options
->ciphername_defined
= true;
5285 options
->ciphername
= p
[1];
5286 if (streq (options
->ciphername
, "none"))
5288 options
->ciphername_defined
= false;
5289 options
->ciphername
= NULL
;
5292 else if (streq (p
[0], "cipher"))
5294 VERIFY_PERMISSION (OPT_P_CRYPTO
);
5295 options
->ciphername_defined
= true;
5297 else if (streq (p
[0], "prng") && p
[1])
5299 VERIFY_PERMISSION (OPT_P_CRYPTO
);
5300 if (streq (p
[1], "none"))
5301 options
->prng_hash
= NULL
;
5303 options
->prng_hash
= p
[1];
5306 const int sl
= atoi (p
[2]);
5307 if (sl
>= NONCE_SECRET_LEN_MIN
&& sl
<= NONCE_SECRET_LEN_MAX
)
5309 options
->prng_nonce_secret_len
= sl
;
5313 msg (msglevel
, "prng parameter nonce_secret_len must be between %d and %d",
5314 NONCE_SECRET_LEN_MIN
, NONCE_SECRET_LEN_MAX
);
5319 else if (streq (p
[0], "no-replay"))
5321 VERIFY_PERMISSION (OPT_P_CRYPTO
);
5322 options
->replay
= false;
5324 else if (streq (p
[0], "replay-window"))
5326 VERIFY_PERMISSION (OPT_P_CRYPTO
);
5331 replay_window
= atoi (p
[1]);
5332 if (!(MIN_SEQ_BACKTRACK
<= replay_window
&& replay_window
<= MAX_SEQ_BACKTRACK
))
5334 msg (msglevel
, "replay-window window size parameter (%d) must be between %d and %d",
5340 options
->replay_window
= replay_window
;
5346 replay_time
= atoi (p
[2]);
5347 if (!(MIN_TIME_BACKTRACK
<= replay_time
&& replay_time
<= MAX_TIME_BACKTRACK
))
5349 msg (msglevel
, "replay-window time window parameter (%d) must be between %d and %d",
5352 MAX_TIME_BACKTRACK
);
5355 options
->replay_time
= replay_time
;
5360 msg (msglevel
, "replay-window option is missing window size parameter");
5364 else if (streq (p
[0], "mute-replay-warnings"))
5366 VERIFY_PERMISSION (OPT_P_CRYPTO
);
5367 options
->mute_replay_warnings
= true;
5369 else if (streq (p
[0], "no-iv"))
5371 VERIFY_PERMISSION (OPT_P_CRYPTO
);
5372 options
->use_iv
= false;
5374 else if (streq (p
[0], "replay-persist") && p
[1])
5376 VERIFY_PERMISSION (OPT_P_GENERAL
);
5377 options
->packet_id_file
= p
[1];
5379 else if (streq (p
[0], "test-crypto"))
5381 VERIFY_PERMISSION (OPT_P_GENERAL
);
5382 options
->test_crypto
= true;
5384 else if (streq (p
[0], "engine"))
5386 VERIFY_PERMISSION (OPT_P_GENERAL
);
5389 options
->engine
= p
[1];
5392 options
->engine
= "auto";
5394 #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
5395 else if (streq (p
[0], "keysize") && p
[1])
5399 VERIFY_PERMISSION (OPT_P_CRYPTO
);
5400 keysize
= atoi (p
[1]) / 8;
5401 if (keysize
< 0 || keysize
> MAX_CIPHER_KEY_LENGTH
)
5403 msg (msglevel
, "Bad keysize: %s", p
[1]);
5406 options
->keysize
= keysize
;
5410 else if (streq (p
[0], "show-tls"))
5412 VERIFY_PERMISSION (OPT_P_GENERAL
);
5413 options
->show_tls_ciphers
= true;
5415 else if (streq (p
[0], "tls-server"))
5417 VERIFY_PERMISSION (OPT_P_GENERAL
);
5418 options
->tls_server
= true;
5420 else if (streq (p
[0], "tls-client"))
5422 VERIFY_PERMISSION (OPT_P_GENERAL
);
5423 options
->tls_client
= true;
5425 else if (streq (p
[0], "ca") && p
[1])
5427 VERIFY_PERMISSION (OPT_P_GENERAL
);
5428 options
->ca_file
= p
[1];
5429 #if ENABLE_INLINE_FILES
5430 if (streq (p
[1], INLINE_FILE_TAG
) && p
[2])
5432 options
->ca_file_inline
= p
[2];
5436 else if (streq (p
[0], "capath") && p
[1])
5438 VERIFY_PERMISSION (OPT_P_GENERAL
);
5439 options
->ca_path
= p
[1];
5441 else if (streq (p
[0], "dh") && p
[1])
5443 VERIFY_PERMISSION (OPT_P_GENERAL
);
5444 options
->dh_file
= p
[1];
5445 #if ENABLE_INLINE_FILES
5446 if (streq (p
[1], INLINE_FILE_TAG
) && p
[2])
5448 options
->dh_file_inline
= p
[2];
5452 else if (streq (p
[0], "cert") && p
[1])
5454 VERIFY_PERMISSION (OPT_P_GENERAL
);
5455 options
->cert_file
= p
[1];
5456 #if ENABLE_INLINE_FILES
5457 if (streq (p
[1], INLINE_FILE_TAG
) && p
[2])
5459 options
->cert_file_inline
= p
[2];
5464 else if (streq (p
[0], "cryptoapicert") && p
[1])
5466 VERIFY_PERMISSION (OPT_P_GENERAL
);
5467 options
->cryptoapi_cert
= p
[1];
5470 else if (streq (p
[0], "key") && p
[1])
5472 VERIFY_PERMISSION (OPT_P_GENERAL
);
5473 options
->priv_key_file
= p
[1];
5474 #if ENABLE_INLINE_FILES
5475 if (streq (p
[1], INLINE_FILE_TAG
) && p
[2])
5477 options
->priv_key_file_inline
= p
[2];
5481 else if (streq (p
[0], "pkcs12") && p
[1])
5483 VERIFY_PERMISSION (OPT_P_GENERAL
);
5484 options
->pkcs12_file
= p
[1];
5486 else if (streq (p
[0], "askpass"))
5488 VERIFY_PERMISSION (OPT_P_GENERAL
);
5491 options
->key_pass_file
= p
[1];
5494 options
->key_pass_file
= "stdin";
5496 else if (streq (p
[0], "auth-nocache"))
5498 VERIFY_PERMISSION (OPT_P_GENERAL
);
5499 ssl_set_auth_nocache ();
5501 else if (streq (p
[0], "single-session"))
5503 VERIFY_PERMISSION (OPT_P_GENERAL
);
5504 options
->single_session
= true;
5506 else if (streq (p
[0], "tls-exit"))
5508 VERIFY_PERMISSION (OPT_P_GENERAL
);
5509 options
->tls_exit
= true;
5511 else if (streq (p
[0], "tls-cipher") && p
[1])
5513 VERIFY_PERMISSION (OPT_P_GENERAL
);
5514 options
->cipher_list
= p
[1];
5516 else if (streq (p
[0], "crl-verify") && p
[1])
5518 VERIFY_PERMISSION (OPT_P_GENERAL
);
5519 options
->crl_file
= p
[1];
5521 else if (streq (p
[0], "tls-verify") && p
[1])
5523 VERIFY_PERMISSION (OPT_P_SCRIPT
);
5524 if (!no_more_than_n_args (msglevel
, p
, 2, NM_QUOTE_HINT
))
5526 options
->tls_verify
= string_substitute (p
[1], ',', ' ', &options
->gc
);
5528 else if (streq (p
[0], "tls-remote") && p
[1])
5530 VERIFY_PERMISSION (OPT_P_GENERAL
);
5531 options
->tls_remote
= p
[1];
5533 else if (streq (p
[0], "ns-cert-type") && p
[1])
5535 VERIFY_PERMISSION (OPT_P_GENERAL
);
5536 if (streq (p
[1], "server"))
5537 options
->ns_cert_type
= NS_SSL_SERVER
;
5538 else if (streq (p
[1], "client"))
5539 options
->ns_cert_type
= NS_SSL_CLIENT
;
5542 msg (msglevel
, "--ns-cert-type must be 'client' or 'server'");
5546 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
5547 else if (streq (p
[0], "remote-cert-ku"))
5551 VERIFY_PERMISSION (OPT_P_GENERAL
);
5553 for (j
= 1; j
< MAX_PARMS
&& p
[j
] != NULL
; ++j
)
5554 sscanf (p
[j
], "%x", &(options
->remote_cert_ku
[j
-1]));
5556 else if (streq (p
[0], "remote-cert-eku") && p
[1])
5558 VERIFY_PERMISSION (OPT_P_GENERAL
);
5559 options
->remote_cert_eku
= p
[1];
5561 else if (streq (p
[0], "remote-cert-tls") && p
[1])
5563 VERIFY_PERMISSION (OPT_P_GENERAL
);
5565 if (streq (p
[1], "server"))
5567 options
->remote_cert_ku
[0] = 0xa0;
5568 options
->remote_cert_ku
[1] = 0x88;
5569 options
->remote_cert_eku
= "TLS Web Server Authentication";
5571 else if (streq (p
[1], "client"))
5573 options
->remote_cert_ku
[0] = 0x80;
5574 options
->remote_cert_ku
[1] = 0x08;
5575 options
->remote_cert_ku
[2] = 0x88;
5576 options
->remote_cert_eku
= "TLS Web Client Authentication";
5580 msg (msglevel
, "--remote-cert-tls must be 'client' or 'server'");
5584 #endif /* OPENSSL_VERSION_NUMBER */
5585 else if (streq (p
[0], "tls-timeout") && p
[1])
5587 VERIFY_PERMISSION (OPT_P_TLS_PARMS
);
5588 options
->tls_timeout
= positive_atoi (p
[1]);
5590 else if (streq (p
[0], "reneg-bytes") && p
[1])
5592 VERIFY_PERMISSION (OPT_P_TLS_PARMS
);
5593 options
->renegotiate_bytes
= positive_atoi (p
[1]);
5595 else if (streq (p
[0], "reneg-pkts") && p
[1])
5597 VERIFY_PERMISSION (OPT_P_TLS_PARMS
);
5598 options
->renegotiate_packets
= positive_atoi (p
[1]);
5600 else if (streq (p
[0], "reneg-sec") && p
[1])
5602 VERIFY_PERMISSION (OPT_P_TLS_PARMS
);
5603 options
->renegotiate_seconds
= positive_atoi (p
[1]);
5605 else if (streq (p
[0], "hand-window") && p
[1])
5607 VERIFY_PERMISSION (OPT_P_TLS_PARMS
);
5608 options
->handshake_window
= positive_atoi (p
[1]);
5610 else if (streq (p
[0], "tran-window") && p
[1])
5612 VERIFY_PERMISSION (OPT_P_TLS_PARMS
);
5613 options
->transition_window
= positive_atoi (p
[1]);
5615 else if (streq (p
[0], "tls-auth") && p
[1])
5617 VERIFY_PERMISSION (OPT_P_GENERAL
);
5618 #if ENABLE_INLINE_FILES
5619 if (streq (p
[1], INLINE_FILE_TAG
) && p
[2])
5621 options
->tls_auth_file_inline
= p
[2];
5629 key_direction
= ascii2keydirection (msglevel
, p
[2]);
5630 if (key_direction
>= 0)
5631 options
->key_direction
= key_direction
;
5635 options
->tls_auth_file
= p
[1];
5637 else if (streq (p
[0], "key-method") && p
[1])
5641 VERIFY_PERMISSION (OPT_P_GENERAL
);
5642 key_method
= atoi (p
[1]);
5643 if (key_method
< KEY_METHOD_MIN
|| key_method
> KEY_METHOD_MAX
)
5645 msg (msglevel
, "key_method parameter (%d) must be >= %d and <= %d",
5651 options
->key_method
= key_method
;
5653 #endif /* USE_SSL */
5654 #endif /* USE_CRYPTO */
5655 #ifdef ENABLE_PKCS11
5656 else if (streq (p
[0], "show-pkcs11-ids") && p
[1])
5658 char *provider
= p
[1];
5659 bool cert_private
= (p
[2] == NULL
? false : ( atoi (p
[2]) != 0 ));
5661 VERIFY_PERMISSION (OPT_P_GENERAL
);
5663 set_debug_level (options
->verbosity
, SDL_CONSTRAIN
);
5664 show_pkcs11_ids (provider
, cert_private
);
5665 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD
); /* exit point */
5667 else if (streq (p
[0], "pkcs11-providers") && p
[1])
5671 VERIFY_PERMISSION (OPT_P_GENERAL
);
5673 for (j
= 1; j
< MAX_PARMS
&& p
[j
] != NULL
; ++j
)
5674 options
->pkcs11_providers
[j
-1] = p
[j
];
5676 else if (streq (p
[0], "pkcs11-protected-authentication"))
5680 VERIFY_PERMISSION (OPT_P_GENERAL
);
5682 for (j
= 1; j
< MAX_PARMS
&& p
[j
] != NULL
; ++j
)
5683 options
->pkcs11_protected_authentication
[j
-1] = atoi (p
[j
]) != 0 ? 1 : 0;
5685 else if (streq (p
[0], "pkcs11-private-mode") && p
[1])
5689 VERIFY_PERMISSION (OPT_P_GENERAL
);
5691 for (j
= 1; j
< MAX_PARMS
&& p
[j
] != NULL
; ++j
)
5692 sscanf (p
[j
], "%x", &(options
->pkcs11_private_mode
[j
-1]));
5694 else if (streq (p
[0], "pkcs11-cert-private"))
5698 VERIFY_PERMISSION (OPT_P_GENERAL
);
5700 for (j
= 1; j
< MAX_PARMS
&& p
[j
] != NULL
; ++j
)
5701 options
->pkcs11_cert_private
[j
-1] = atoi (p
[j
]) != 0 ? 1 : 0;
5703 else if (streq (p
[0], "pkcs11-pin-cache") && p
[1])
5705 VERIFY_PERMISSION (OPT_P_GENERAL
);
5706 options
->pkcs11_pin_cache_period
= atoi (p
[1]);
5708 else if (streq (p
[0], "pkcs11-id") && p
[1])
5710 VERIFY_PERMISSION (OPT_P_GENERAL
);
5711 options
->pkcs11_id
= p
[1];
5713 else if (streq (p
[0], "pkcs11-id-management"))
5715 VERIFY_PERMISSION (OPT_P_GENERAL
);
5716 options
->pkcs11_id_management
= true;
5719 #ifdef TUNSETPERSIST
5720 else if (streq (p
[0], "rmtun"))
5722 VERIFY_PERMISSION (OPT_P_GENERAL
);
5723 options
->persist_config
= true;
5724 options
->persist_mode
= 0;
5726 else if (streq (p
[0], "mktun"))
5728 VERIFY_PERMISSION (OPT_P_GENERAL
);
5729 options
->persist_config
= true;
5730 options
->persist_mode
= 1;
5736 msg (msglevel_fc
, "Unrecognized option or missing parameter(s) in %s:%d: %s (%s)", file
, line
, p
[0], PACKAGE_VERSION
);
5738 msg (msglevel_fc
, "Unrecognized option or missing parameter(s): --%s (%s)", p
[0], PACKAGE_VERSION
);