2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
8 * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
10 * Additions for eurephia plugin done by:
11 * David Sommerseth <dazo@users.sourceforge.net> Copyright (C) 2009
13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License version 2
15 * as published by the Free Software Foundation.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program (see the file COPYING included with this
24 * distribution); if not, write to the Free Software Foundation, Inc.,
25 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
29 * 2004-01-28: Added Socks5 proxy support
30 * (Christof Meerwald, http://cmeerw.org)
35 #elif defined(_MSC_VER)
36 #include "config-msvc.h"
38 #ifdef HAVE_CONFIG_VERSION_H
39 #include "config-version.h"
53 #include "packet_id.h"
65 const char title_string
[] =
70 #if defined(ENABLE_CRYPTO_POLARSSL)
72 #elif defined(ENABLE_CRYPTO_OPENSSL)
76 #endif /* defined(ENABLE_CRYPTO_POLARSSL) */
77 #else /* ! ENABLE_SSL */
78 #if defined(ENABLE_CRYPTO_POLARSSL)
79 " [CRYPTO (PolarSSL)]"
80 #elif defined(ENABLE_CRYPTO_OPENSSL)
84 #endif /* defined(ENABLE_CRYPTO_POLARSSL) */
85 #endif /* ENABLE_SSL */
86 #endif /* ENABLE_CRYPTO */
88 #ifdef ENABLE_LZO_STUB
97 #ifdef PRODUCT_TAP_DEBUG
103 #ifdef ENABLE_EUREPHIA
106 #if ENABLE_IP_PKTINFO
110 " built on " __DATE__
115 static const char usage_message
[] =
119 "--config file : Read configuration options from file.\n"
120 "--help : Show options.\n"
121 "--version : Show copyright and version information.\n"
124 "--local host : Local host name or ip address. Implies --bind.\n"
125 "--remote host [port] : Remote host name or ip address.\n"
126 "--remote-random : If multiple --remote options specified, choose one randomly.\n"
127 "--remote-random-hostname : Add a random string to remote DNS name.\n"
128 "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
129 "--proto p : Use protocol p for communicating with peer.\n"
130 " p = udp (default), tcp-server, or tcp-client\n"
131 "--proto-force p : only consider protocol p in list of connection profiles.\n"
132 " p = udp6, tcp6-server, or tcp6-client (ipv6)\n"
133 "--connect-retry n : For --proto tcp-client, number of seconds to wait\n"
134 " between connection retries (default=%d).\n"
135 "--connect-timeout n : For --proto tcp-client, connection timeout (in seconds).\n"
136 "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
137 #ifdef ENABLE_HTTP_PROXY
138 "--http-proxy s p [up] [auth] : Connect to remote host\n"
139 " through an HTTP proxy at address s and port p.\n"
140 " If proxy authentication is required,\n"
141 " up is a file containing username/password on 2 lines, or\n"
142 " 'stdin' to prompt from console. Add auth='ntlm' if\n"
143 " the proxy requires NTLM authentication.\n"
144 "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
145 " determine auth method and query for username/password\n"
146 " if needed. auto-nct disables weak proxy auth methods.\n"
147 "--http-proxy-retry : Retry indefinitely on HTTP proxy errors.\n"
148 "--http-proxy-timeout n : Proxy timeout in seconds, default=5.\n"
149 "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
150 " Repeat to set multiple options.\n"
151 " VERSION version (default=1.0)\n"
152 " AGENT user-agent\n"
155 "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
156 " address s and port p (default port = 1080).\n"
157 " If proxy authentication is required,\n"
158 " up is a file containing username/password on 2 lines, or\n"
159 " 'stdin' to prompt for console.\n"
160 "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
162 "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
163 " resolve for n seconds before failing (disabled by default).\n"
164 " Set n=\"infinite\" to retry indefinitely.\n"
165 "--float : Allow remote to change its IP address/port, such as through\n"
166 " DHCP (this is the default if --remote is not used).\n"
167 "--ipchange cmd : Run command cmd on remote ip address initial\n"
168 " setting or change -- execute as: cmd ip-address port#\n"
169 "--port port : TCP/UDP port # for both local and remote.\n"
170 "--lport port : TCP/UDP port # for local (default=%d). Implies --bind.\n"
171 "--rport port : TCP/UDP port # for remote (default=%d).\n"
172 "--bind : Bind to local address and port. (This is the default unless\n"
173 " --proto tcp-client"
174 #ifdef ENABLE_HTTP_PROXY
181 "--nobind : Do not bind to local address and port.\n"
182 "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
183 "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
184 " this option only if the tun/tap device used with --dev\n"
185 " does not begin with \"tun\" or \"tap\".\n"
186 "--dev-node node : Explicitly set the device node rather than using\n"
187 " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
188 "--lladdr hw : Set the link layer address of the tap device.\n"
189 "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
190 "--tun-ipv6 : Build tun link capable of forwarding IPv6 traffic.\n"
191 #ifdef ENABLE_IPROUTE
192 "--iproute cmd : Use this command instead of default " IPROUTE_PATH
".\n"
194 "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
195 " endpoint and rn as a remote endpoint. l & rn should be\n"
196 " swapped on the other peer. l & rn must be private\n"
197 " addresses outside of the subnets used by either peer.\n"
198 " TAP: configure device to use IP address l as a local\n"
199 " endpoint and rn as a subnet mask.\n"
200 "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
201 " endpoint (as a /64) and r as remote endpoint\n"
202 "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
203 " pass --ifconfig parms by environment to scripts.\n"
204 "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
205 " connection doesn't match the remote side.\n"
206 "--route network [netmask] [gateway] [metric] :\n"
207 " Add route to routing table after connection\n"
208 " is established. Multiple routes can be specified.\n"
209 " netmask default: 255.255.255.255\n"
210 " gateway default: taken from --route-gateway or --ifconfig\n"
211 " Specify default by leaving blank or setting to \"nil\".\n"
212 "--route-ipv6 network/bits [gateway] [metric] :\n"
213 " Add IPv6 route to routing table after connection\n"
214 " is established. Multiple routes can be specified.\n"
215 " gateway default: taken from --route-ipv6-gateway or --ifconfig\n"
216 "--max-routes n : Specify the maximum number of routes that may be defined\n"
217 " or pulled from a server.\n"
218 "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
219 "--route-metric m : Specify a default metric for use with --route.\n"
220 "--route-delay n [w] : Delay n seconds after connection initiation before\n"
221 " adding routes (may be 0). If not specified, routes will\n"
222 " be added immediately after tun/tap open. On Windows, wait\n"
223 " up to w seconds for TUN/TAP adapter to come up.\n"
224 "--route-up cmd : Run command cmd after routes are added.\n"
225 "--route-pre-down cmd : Run command cmd before routes are removed.\n"
226 "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
227 " --route-up script using environmental variables.\n"
228 "--route-nopull : When used with --client or --pull, accept options pushed\n"
229 " by server EXCEPT for routes and dhcp options.\n"
230 "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
231 " --ifconfig, --route, and --route-gateway.\n"
232 "--redirect-gateway [flags]: Automatically execute routing\n"
233 " commands to redirect all outgoing IP traffic through the\n"
234 " VPN. Add 'local' flag if both " PACKAGE_NAME
" servers are directly\n"
235 " connected via a common subnet, such as with WiFi.\n"
236 " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
237 " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
238 " flag to add a direct route to DHCP server, bypassing tunnel.\n"
239 " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
240 "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
241 " the default gateway. Useful when pushing private subnets.\n"
242 #ifdef ENABLE_CLIENT_NAT
243 "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
245 #ifdef ENABLE_PUSH_PEER_INFO
246 "--push-peer-info : (client only) push client info to server.\n"
248 "--setenv name value : Set a custom environmental variable to pass to script.\n"
249 "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
250 " directives for future OpenVPN versions to be ignored.\n"
251 "--script-security level: Where level can be:\n"
252 " 0 -- strictly no calling of external programs\n"
253 " 1 -- (default) only call built-ins such as ifconfig\n"
254 " 2 -- allow calling of built-ins and scripts\n"
255 " 3 -- allow password to be passed to scripts via env\n"
256 "--shaper n : Restrict output to peer to n bytes per second.\n"
257 "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
258 " ping once every n seconds, restart if ping not received\n"
260 "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
261 " produces a combined in/out byte count < bytes.\n"
262 "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
263 "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
264 "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
266 "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
267 #if ENABLE_IP_PKTINFO
268 "--multihome : Configure a multi-homed UDP server.\n"
270 "--fast-io : (experimental) Optimize TUN/TAP/UDP writes.\n"
271 "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
272 "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
273 "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
274 "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
275 "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n"
276 #if PASSTOS_CAPABILITY
277 "--passtos : TOS passthrough (applies to IPv4 only).\n"
279 "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
280 " TCP/UDP MTU from it (default=%d).\n"
281 "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
282 " as n bytes more than the tun-mtu size on read\n"
283 " (default TUN=0 TAP=%d).\n"
284 "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
286 "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
287 " 'no' -- Never send DF (Don't Fragment) frames\n"
288 " 'maybe' -- Use per-route hints\n"
289 " 'yes' -- Always DF (Don't Fragment)\n"
291 "--mtu-test : Empirically measure and report MTU.\n"
293 #ifdef ENABLE_FRAGMENT
294 "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
295 " datagrams are sent which are larger than max bytes.\n"
296 " Adds 4 bytes of overhead per datagram.\n"
298 "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
299 " or --fragment max value, whichever is lower.\n"
300 "--sndbuf size : Set the TCP/UDP send buffer size.\n"
301 "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
302 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
303 "--mark value : Mark encrypted packets being sent with value. The mark value\n"
304 " can be matched in policy routing and packetfilter rules.\n"
306 "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
307 #ifdef ENABLE_MEMSTATS
308 "--memstats file : Write live usage stats to memory mapped binary file.\n"
310 "--mlock : Disable Paging -- ensures key material and tunnel\n"
311 " data will never be written to disk.\n"
312 "--up cmd : Run command cmd after successful tun device open.\n"
313 " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
314 " ifconfig-local-ip ifconfig-remote-ip\n"
315 " (pre --user or --group UID/GID change)\n"
316 "--up-delay : Delay tun/tap open and possible --up script execution\n"
317 " until after TCP/UDP connection establishment with peer.\n"
318 "--down cmd : Run command cmd after tun device close.\n"
319 " (post --user/--group UID/GID change and/or --chroot)\n"
320 " (command parameters are same as --up option)\n"
321 "--down-pre : Run --down command before TUN/TAP close.\n"
322 "--up-restart : Run up/down commands for all restarts including those\n"
323 " caused by --ping-restart or SIGUSR1\n"
324 "--user user : Set UID to user after initialization.\n"
325 "--group group : Set GID to group after initialization.\n"
326 "--chroot dir : Chroot to this directory after initialization.\n"
327 #ifdef ENABLE_SELINUX
328 "--setcon context: Apply this SELinux context after initialization.\n"
330 "--cd dir : Change to this directory before initialization.\n"
331 "--daemon [name] : Become a daemon after initialization.\n"
332 " The optional 'name' parameter will be passed\n"
333 " as the program name to the system logger.\n"
334 "--syslog [name] : Output to syslog, but do not become a daemon.\n"
335 " See --daemon above for a description of the 'name' parm.\n"
336 "--inetd [name] ['wait'|'nowait'] : Run as an inetd or xinetd server.\n"
337 " See --daemon above for a description of the 'name' parm.\n"
338 "--log file : Output log to file which is created/truncated on open.\n"
339 "--log-append file : Append log to file, or create file if nonexistent.\n"
340 "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
341 "--writepid file : Write main process ID to file.\n"
342 "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
343 "--echo [parms ...] : Echo parameters to log output.\n"
344 "--verb n : Set output verbosity to n (default=%d):\n"
345 " (Level 3 is recommended if you want a good summary\n"
346 " of what's happening without being swamped by output).\n"
347 " : 0 -- no output except fatal errors\n"
348 " : 1 -- startup info + connection initiated messages +\n"
349 " non-fatal encryption & net errors\n"
350 " : 2,3 -- show TLS negotiations & route info\n"
351 " : 4 -- show parameters\n"
352 " : 5 -- show 'RrWw' chars on console for each packet sent\n"
353 " and received from TCP/UDP (caps) or tun/tap (lc)\n"
354 " : 6 to 11 -- debug messages of increasing verbosity\n"
355 "--mute n : Log at most n consecutive messages in the same category.\n"
356 "--status file n : Write operational status to file every n seconds.\n"
357 "--status-version [n] : Choose the status file format version number.\n"
358 " Currently, n can be 1, 2, or 3 (default=1).\n"
360 "--disable-occ : Disable options consistency check between peers.\n"
363 "--gremlin mask : Special stress testing mode (for debugging only).\n"
366 "--comp-lzo : Use fast LZO compression -- may add up to 1 byte per\n"
367 " packet for uncompressible data.\n"
368 "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
371 #ifdef ENABLE_MANAGEMENT
372 "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
373 " management functions. pass is a password file\n"
374 " or 'stdin' to prompt from console.\n"
375 #if UNIX_SOCK_SUPPORT
376 " To listen on a unix domain socket, specific the pathname\n"
377 " in place of ip and use 'unix' as the port number.\n"
379 "--management-client : Management interface will connect as a TCP client to\n"
380 " ip/port rather than listen as a TCP server.\n"
381 "--management-query-passwords : Query management channel for private key\n"
382 " and auth-user-pass passwords.\n"
383 "--management-query-proxy : Query management channel for proxy information.\n"
384 "--management-query-remote : Query management channel for --remote directive.\n"
385 "--management-hold : Start " PACKAGE_NAME
" in a hibernating state, until a client\n"
386 " of the management interface explicitly starts it.\n"
387 "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
388 "--management-forget-disconnect : Forget passwords when management disconnect\n"
390 "--management-up-down : Report tunnel up/down events to management interface.\n"
391 "--management-log-cache n : Cache n lines of log file history for usage\n"
392 " by the management channel.\n"
393 #if UNIX_SOCK_SUPPORT
394 "--management-client-user u : When management interface is a unix socket, only\n"
395 " allow connections from user u.\n"
396 "--management-client-group g : When management interface is a unix socket, only\n"
397 " allow connections from group g.\n"
399 #ifdef MANAGEMENT_DEF_AUTH
400 "--management-client-auth : gives management interface client the responsibility\n"
401 " to authenticate clients after their client certificate\n"
402 " has been verified.\n"
405 "--management-client-pf : management interface clients must specify a packet\n"
406 " filter file for each connecting client.\n"
410 "--plugin m [str]: Load plug-in module m passing str as an argument\n"
411 " to its initialization function.\n"
416 "Multi-Client Server options (when --mode server is used):\n"
417 "--server network netmask : Helper option to easily configure server mode.\n"
418 "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
419 "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
420 " easily configure ethernet bridging server mode.\n"
421 "--push \"option\" : Push a config file option back to the peer for remote\n"
422 " execution. Peer must specify --pull in its config file.\n"
423 "--push-reset : Don't inherit global push list for specific\n"
424 " client instance.\n"
425 "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
426 " to be dynamically allocated to connecting clients.\n"
427 "--ifconfig-pool-linear : Use individual addresses rather than /30 subnets\n"
428 " in tun mode. Not compatible with Windows clients.\n"
429 "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
430 " data to file, at seconds intervals (default=600).\n"
431 " If seconds=0, file will be treated as read-only.\n"
432 "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
433 " to be dynamically allocated to connecting clients.\n"
434 "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
435 " overrides --ifconfig-pool dynamic allocation.\n"
436 " Only valid in a client-specific config file.\n"
437 "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
438 " remote, overrides --ifconfig-ipv6-pool allocation.\n"
439 " Only valid in a client-specific config file.\n"
440 "--iroute network [netmask] : Route subnet to client.\n"
441 "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
442 " Sets up internal routes only.\n"
443 " Only valid in a client-specific config file.\n"
444 "--disable : Client is disabled.\n"
445 " Only valid in a client-specific config file.\n"
446 "--client-cert-not-required : Don't require client certificate, client\n"
447 " will authenticate using username/password.\n"
448 "--username-as-common-name : For auth-user-pass authentication, use\n"
449 " the authenticated username as the common name,\n"
450 " rather than the common name from the client cert.\n"
451 "--auth-user-pass-verify cmd method: Query client for username/password and\n"
452 " run command cmd to verify. If method='via-env', pass\n"
453 " user/pass via environment, if method='via-file', pass\n"
454 " user/pass via temporary file.\n"
455 "--opt-verify : Clients that connect with options that are incompatible\n"
456 " with those of the server will be disconnected.\n"
457 "--auth-user-pass-optional : Allow connections by clients that don't\n"
458 " specify a username/password.\n"
459 "--no-name-remapping : Allow Common Name and X509 Subject to include\n"
460 " any printable character.\n"
461 "--client-to-client : Internally route client-to-client traffic.\n"
462 "--duplicate-cn : Allow multiple clients with the same common name to\n"
463 " concurrently connect.\n"
464 "--client-connect cmd : Run command cmd on client connection.\n"
465 "--client-disconnect cmd : Run command cmd on client disconnection.\n"
466 "--client-config-dir dir : Directory for custom client config files.\n"
467 "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
468 "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
469 "--hash-size r v : Set the size of the real address hash table to r and the\n"
470 " virtual address table to v.\n"
471 "--bcast-buffers n : Allocate n broadcast buffers.\n"
472 "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
473 "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
474 " as well as pushes it to connecting clients.\n"
475 "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
476 "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
477 "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
478 "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
479 "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
480 " older than n seconds. Run this check every t\n"
481 " seconds (defaults to n).\n"
483 "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
484 " sessions to a web server at host:port. dir specifies an\n"
485 " optional directory to write origin IP:port data.\n"
489 "Client options (when connecting to a multi-client server):\n"
490 "--client : Helper option to easily configure client mode.\n"
491 "--auth-user-pass [up] : Authenticate with server using username/password.\n"
492 " up is a file containing username/password on 2 lines,\n"
493 " or omit to prompt from console.\n"
494 "--pull : Accept certain config file options from the peer as if they\n"
495 " were part of the local config file. Must be specified\n"
496 " when connecting to a '--mode server' remote host.\n"
497 "--auth-retry t : How to handle auth failures. Set t to\n"
498 " none (default), interact, or nointeract.\n"
499 "--static-challenge t e : Enable static challenge/response protocol using\n"
500 " challenge text t, with e indicating echo flag (0|1)\n"
501 "--server-poll-timeout n : when polling possible remote servers to connect to\n"
502 " in a round-robin fashion, spend no more than n seconds\n"
503 " waiting for a response before trying the next server.\n"
506 "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
507 " server/remote. n = # of retries, default=1.\n"
511 "Data Channel Encryption Options (must be compatible between peers):\n"
512 "(These options are meaningful for both Static Key & TLS-mode)\n"
513 "--secret f [d] : Enable Static Key encryption mode (non-TLS).\n"
514 " Use shared secret file f, generate with --genkey.\n"
515 " The optional d parameter controls key directionality.\n"
516 " If d is specified, use separate keys for each\n"
517 " direction, set d=0 on one side of the connection,\n"
518 " and d=1 on the other side.\n"
519 "--auth alg : Authenticate packets with HMAC using message\n"
520 " digest algorithm alg (default=%s).\n"
521 " (usually adds 16 or 20 bytes per packet)\n"
522 " Set alg=none to disable authentication.\n"
523 "--cipher alg : Encrypt packets with cipher algorithm alg\n"
525 " Set alg=none to disable encryption.\n"
526 "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
527 " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n"
528 #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
529 "--keysize n : Size of cipher key in bits (optional).\n"
530 " If unspecified, defaults to cipher-specific default.\n"
532 #ifndef ENABLE_CRYPTO_POLARSSL
533 "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
535 "--no-replay : Disable replay protection.\n"
536 "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
537 "--replay-window n [t] : Use a replay protection sliding window of size n\n"
538 " and a time window of t seconds.\n"
539 " Default n=%d t=%d\n"
540 "--no-iv : Disable cipher IV -- only allowed with CBC mode ciphers.\n"
541 "--replay-persist file : Persist replay-protection state across sessions\n"
543 "--test-crypto : Run a self-test of crypto features enabled.\n"
544 " For debugging only.\n"
545 #ifdef ENABLE_PREDICTION_RESISTANCE
546 "--use-prediction-resistance: Enable prediction resistance on the random\n"
547 " number generator.\n"
551 "TLS Key Negotiation Options:\n"
552 "(These options are meaningful only for TLS-mode)\n"
553 "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
554 "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
555 "--key-method m : Data channel key exchange method. m should be a method\n"
556 " number, such as 1 (default), 2, etc.\n"
557 "--ca file : Certificate authority file in .pem format containing\n"
558 " root certificate.\n"
559 #ifndef ENABLE_CRYPTO_POLARSSL
560 "--capath dir : A directory of trusted certificates (CAs"
561 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
563 #else /* OPENSSL_VERSION_NUMBER >= 0x00907000L */
565 " WARNING: no support of CRL available with this version.\n"
566 #endif /* OPENSSL_VERSION_NUMBER >= 0x00907000L */
567 #endif /* ENABLE_CRYPTO_POLARSSL */
568 "--dh file : File containing Diffie Hellman parameters\n"
569 " in .pem format (for --tls-server only).\n"
570 " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
571 "--cert file : Local certificate in .pem format -- must be signed\n"
572 " by a Certificate Authority in --ca file.\n"
573 "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
574 "--key file : Local private key in .pem format.\n"
575 #ifndef ENABLE_CRYPTO_POLARSSL
576 "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
577 " and optionally the root CA certificate.\n"
579 #ifdef ENABLE_X509ALTUSERNAME
580 "--x509-username-field : Field used in x509 certificate to be username.\n"
583 "--verify-hash : Specify SHA1 fingerprint for level-1 cert.\n"
585 "--cryptoapicert select-string : Load the certificate and private key from the\n"
586 " Windows Certificate System Store.\n"
588 "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
589 " : Use --show-tls to see a list of supported TLS ciphers.\n"
590 "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
591 " if no ACK from remote within n seconds (default=%d).\n"
592 "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
593 "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
594 "--reneg-sec n : Renegotiate data chan. key after n seconds (default=%d).\n"
595 "--hand-window n : Data channel key exchange must finalize within n seconds\n"
596 " of handshake initiation by any peer (default=%d).\n"
597 "--tran-window n : Transition window -- old key can live this many seconds\n"
598 " after new key renegotiation begins (default=%d).\n"
599 "--single-session: Allow only one session (reset state on restart).\n"
600 "--tls-exit : Exit on TLS negotiation failure.\n"
601 "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
602 " control channel to protect against DoS attacks.\n"
603 " f (required) is a shared-secret passphrase file.\n"
604 " The optional d parameter controls key directionality,\n"
605 " see --secret option for more info.\n"
606 "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
607 "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
608 "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
609 "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
610 " pending TLS connection that has otherwise passed all other\n"
611 " tests of certification. cmd should return 0 to allow\n"
612 " TLS handshake to proceed, or 1 to fail. (cmd is\n"
613 " executed as 'cmd certificate_depth subject')\n"
614 "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n"
615 " in an openvpn temporary file in [directory]. Peer cert is \n"
616 " stored before tls-verify script execution and deleted after.\n"
617 "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
618 " DN name. The remote host must also pass all other tests\n"
619 " of verification.\n"
620 "--ns-cert-type t: Require that peer certificate was signed with an explicit\n"
621 " nsCertType designation t = 'client' | 'server'.\n"
622 #ifdef ENABLE_X509_TRACK
623 "--x509-track x : Save peer X509 attribute x in environment for use by\n"
624 " plugins and management interface.\n"
626 #if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL
627 "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
628 " explicit key usage, you can specify more than one value.\n"
629 " value should be given in hex format.\n"
630 "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
631 " explicit extended key usage. Extended key usage can be encoded\n"
632 " as an object identifier or OpenSSL string representation.\n"
633 "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
634 " key usage and extended key usage based on RFC3280 TLS rules.\n"
635 " t = 'client' | 'server'.\n"
636 #endif /* OPENSSL_VERSION_NUMBER || ENABLE_CRYPTO_POLARSSL */
637 #endif /* ENABLE_SSL */
641 "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
642 "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
643 " path. Set for each provider.\n"
644 "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
645 " 0 : Try to determind automatically (default).\n"
647 " 2 : Use SignRecover.\n"
648 " 4 : Use Decrypt.\n"
650 "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
651 " certificate can be accessed. Set for each provider.\n"
652 "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
653 " cache until token is removed.\n"
654 "--pkcs11-id-management : Acquire identity from management interface.\n"
655 "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
656 #endif /* ENABLE_PKCS11 */
658 "SSL Library information:\n"
659 "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
660 "--show-digests : Show message digest algorithms to use with --auth option.\n"
661 "--show-engines : Show hardware crypto accelerator engines (if available).\n"
663 "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
667 "Windows Specific:\n"
668 "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
669 " from SystemRoot environment variable.\n"
670 "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
671 " IP address using method = manual, netsh, ipapi,\n"
672 " dynamic, or adaptive (default = adaptive).\n"
673 " Dynamic method allows two optional parameters:\n"
674 " offset: DHCP server address offset (> -256 and < 256).\n"
675 " If 0, use network address, if >0, take nth\n"
676 " address forward from network address, if <0,\n"
677 " take nth address backward from broadcast\n"
680 " lease-time: Lease time in seconds.\n"
681 " Default is one year.\n"
682 "--route-method : Which method to use for adding routes on Windows?\n"
683 " adaptive (default) -- Try ipapi then fall back to exe.\n"
684 " ipapi -- Use IP helper API.\n"
685 " exe -- Call the route.exe shell command.\n"
686 "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
687 " be used with --ip-win32 dynamic. For options\n"
688 " which allow multiple addresses,\n"
689 " --dhcp-option must be repeated.\n"
690 " DOMAIN name : Set DNS suffix\n"
691 " DNS addr : Set domain name server address(es)\n"
692 " NTP : Set NTP server address(es)\n"
693 " NBDD : Set NBDD server address(es)\n"
694 " WINS addr : Set WINS server address(es)\n"
695 " NBT type : Set NetBIOS over TCP/IP Node type\n"
696 " 1: B, 2: P, 4: M, 8: H\n"
697 " NBS id : Set NetBIOS scope ID\n"
698 " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
699 "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
700 "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
702 "--dhcp-release : Ask Windows to release the TAP adapter lease on shutdown.\n"
703 "--register-dns : Run net stop dnscache, net start dnscache, ipconfig /flushdns\n"
704 " and ipconfig /registerdns on connection initiation.\n"
705 "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
706 " attempting to set adapter properties.\n"
707 "--pause-exit : When run from a console window, pause before exiting.\n"
708 "--service ex [0|1] : For use when " PACKAGE_NAME
" is being instantiated by a\n"
709 " service, and should not be used directly by end-users.\n"
710 " ex is the name of an event object which, when\n"
711 " signaled, will cause " PACKAGE_NAME
" to exit. A second\n"
712 " optional parameter controls the initial state of ex.\n"
713 "--show-net-up : Show " PACKAGE_NAME
"'s view of routing table and net adapter list\n"
714 " after TAP adapter is up and routes have been added.\n"
715 "Windows Standalone Options:\n"
717 "--show-adapters : Show all TAP-Windows adapters.\n"
718 "--show-net : Show " PACKAGE_NAME
"'s view of routing table and net adapter list.\n"
719 "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
720 "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME
" running without admin privileges\n"
721 " to access TAP adapter.\n"
724 "Generate a random key (only for non-TLS static key encryption mode):\n"
725 "--genkey : Generate a random key to be used as a shared secret,\n"
726 " for use with the --secret option.\n"
727 "--secret file : Write key to file.\n"
728 #endif /* ENABLE_CRYPTO */
729 #ifdef ENABLE_FEATURE_TUN_PERSIST
731 "Tun/tap config mode (available with linux 2.4+):\n"
732 "--mktun : Create a persistent tunnel.\n"
733 "--rmtun : Remove a persistent tunnel.\n"
734 "--dev tunX|tapX : tun/tap device\n"
735 "--dev-type dt : Device type. See tunnel options above for details.\n"
736 "--user user : User to set privilege to.\n"
737 "--group group : Group to set privilege to.\n"
741 "PKCS#11 standalone options:\n"
742 "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
743 " --verb option can be added *BEFORE* this.\n"
744 #endif /* ENABLE_PKCS11 */
746 "General Standalone Options:\n"
748 "--show-gateway : Show info about default gateway.\n"
752 #endif /* !ENABLE_SMALL */
/*
 * init_options(): establish the built-in default for every option that can
 * later be set from the command line or a config file.  Parameters:
 *   o       - options struct to initialise
 *   init_gc - whether this call also sets up o's arena (the statements
 *             that act on init_gc are not visible in this rendering)
 *
 * NOTE(review): the gutter numbering of this listing is not contiguous, so
 * some assignments and the #if/#else/#endif structure around the platform
 * and feature blocks below are missing here; confirm against the full
 * source before treating a gap as "not set".
 */
755 * This is where the options defaults go.
756 * Any option not explicitly set here
760 init_options (struct options
*o
, const bool init_gc
)
/* Transport defaults for the default connection entry: point-to-point mode,
 * net30 topology, UDP over IPv4, connect retry every 5 s with a 10 s timeout
 * and unlimited retries (0), both ports at OPENVPN_PORT. */
768 o
->mode
= MODE_POINT_TO_POINT
;
769 o
->topology
= TOP_NET30
;
770 o
->ce
.proto
= PROTO_UDPv4
;
771 o
->ce
.connect_retry_seconds
= 5;
772 o
->ce
.connect_timeout
= 10;
773 o
->ce
.connect_retry_max
= 0;
774 o
->ce
.local_port
= o
->ce
.remote_port
= OPENVPN_PORT
;
/* --status file: rewritten every 60 s, format version 1. */
776 o
->status_file_update_freq
= 60;
777 o
->status_file_version
= 1;
/* Bind the local socket by default; MTU values come from the *_DEFAULT
 * constants.  mtu_discover_type -1 presumably means "not requested" -- confirm. */
778 o
->ce
.bind_local
= true;
779 o
->ce
.tun_mtu
= TUN_MTU_DEFAULT
;
780 o
->ce
.link_mtu
= LINK_MTU_DEFAULT
;
781 o
->ce
.mtu_discover_type
= -1;
782 o
->ce
.mssfix
= MSSFIX_DEFAULT
;
/* Routing/resolver: 30 s route-delay window, MAX_ROUTES_DEFAULT routes,
 * keep retrying hostname resolution indefinitely. */
783 o
->route_delay_window
= 30;
784 o
->max_routes
= MAX_ROUTES_DEFAULT
;
785 o
->resolve_retry_seconds
= RESOLV_RETRY_INFINITE
;
/* Management interface buffer sizes (entries kept for log history, echo and
 * state queries). */
790 #ifdef ENABLE_MANAGEMENT
791 o
->management_log_history_cache
= 250;
792 o
->management_echo_buffer_size
= 100;
793 o
->management_state_buffer_size
= 100;
/* TUN/TAP device defaults.  ip_win32_type is assigned twice below; the two
 * assignments are presumably on different preprocessor branches whose
 * #if/#else lines are not shown here -- confirm. */
795 #ifdef ENABLE_FEATURE_TUN_PERSIST
803 o
->tuntap_options
.txqueuelen
= 100;
807 o
->tuntap_options
.ip_win32_type
= IPW32_SET_ADAPTIVE
;
809 o
->tuntap_options
.ip_win32_type
= IPW32_SET_DHCP_MASQ
;
811 o
->tuntap_options
.dhcp_lease_time
= 31536000; /* one year */
812 o
->tuntap_options
.dhcp_masq_offset
= 0; /* use network address as internal DHCP server address */
813 o
->route_method
= ROUTE_METHOD_ADAPTIVE
;
/* Point-to-multipoint server sizing: hash tables and broadcast buffers of
 * 256, TCP queue limit 64, at most 1024 clients and 256 routes per client,
 * stale-route checking off (0), pool persistence refreshed every 600 s. */
816 o
->real_hash_size
= 256;
817 o
->virtual_hash_size
= 256;
818 o
->n_bcast_buf
= 256;
819 o
->tcp_queue_limit
= 64;
820 o
->max_clients
= 1024;
821 o
->max_routes_per_client
= 256;
822 o
->stale_routes_check_interval
= 0;
823 o
->ifconfig_pool_persist_refresh_freq
= 600;
826 o
->scheduled_exit_interval
= 5;
827 o
->server_poll_timeout
= 0;
/* Crypto defaults used when neither --cipher nor --auth is given: Blowfish
 * in CBC mode (a 64-bit block cipher) and HMAC-SHA1.  The *_defined flags
 * are set here as well, so later code treats these as explicitly chosen;
 * deployments should pick the data-channel cipher and digest deliberately
 * rather than rely on these fallbacks. */
830 o
->ciphername
= "BF-CBC";
831 o
->ciphername_defined
= true;
832 o
->authname
= "SHA1";
833 o
->authname_defined
= true;
/* PRNG: SHA1-based with a 16-byte nonce secret. */
834 o
->prng_hash
= "SHA1";
835 o
->prng_nonce_secret_len
= 16;
/* Replay protection window (packet-id sequence backtrack / time backtrack). */
837 o
->replay_window
= DEFAULT_SEQ_BACKTRACK
;
838 o
->replay_time
= DEFAULT_TIME_BACKTRACK
;
/* Static-key mode uses the same key material in both directions unless
 * --key-direction says otherwise. */
840 o
->key_direction
= KEY_DIRECTION_BIDIRECTIONAL
;
841 #ifdef ENABLE_PREDICTION_RESISTANCE
842 o
->use_prediction_resistance
= false;
/* TLS control channel: renegotiate keys every 3600 s, allow 60 s for a
 * handshake, keep the old key usable for 3600 s across a transition. */
847 o
->renegotiate_seconds
= 3600;
848 o
->handshake_window
= 60;
849 o
->transition_window
= 3600;
850 #ifdef ENABLE_X509ALTUSERNAME
851 o
->x509_username_field
= X509_USERNAME_FIELD_DEFAULT
;
853 #endif /* ENABLE_SSL */
854 #endif /* ENABLE_CRYPTO */
/* PKCS#11: -1 caches the PIN until the token is removed (see the
 * --pkcs11-pin-cache usage text). */
856 o
->pkcs11_pin_cache_period
= -1;
857 #endif /* ENABLE_PKCS11 */
/* --tmp-dir default.  On Windows it comes from win_get_tempdir(); elsewhere
 * it is taken from the $TMPDIR environment variable, i.e. an
 * environment-supplied path.  The '/tmp' fallback mentioned in the comment
 * below is not visible in this rendering. */
859 /* tmp is only used in P2MP server context */
861 /* Set default --tmp-dir */
863 /* On Windows, find temp dir via environment variables */
864 o
->tmp_dir
= win_get_tempdir();
866 /* Non-windows platforms use $TMPDIR, and if not set, default to '/tmp' */
867 o
->tmp_dir
= getenv("TMPDIR");
872 #endif /* P2MP_SERVER */
/*
 * uninit_options(): release what init_options() set up for *o.
 * NOTE(review): only the signature is visible in this rendering; the body
 * (presumably the arena teardown counterpart of init_gc) is not shown.
 */
876 uninit_options (struct options
*o
)
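/*
 * Helpers for the show_* functions below.  Each expands to a single msg()
 * call at D_SHOW_PARMS and relies on a variable named `o` (the struct being
 * dumped) being in scope at the point of use; `name`/`var` is the field
 * name, which SHOW_PARM stringises with `#name` to build the label.
 */
#define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
/* A NULL string is printed as [UNDEF] rather than handed to %s. */
#define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
#define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
#define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
#define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
/* No trailing ';' in the expansion: the caller supplies it, as with the
 * other SHOW_* macros, so `if (c) SHOW_BOOL(x); else ...` stays well-formed. */
#define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s")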
/*
 * Export one connection profile into the environment set `es`, suffixing
 * each variable name with the profile index `i` (setenv_*_i).  Proxy
 * settings are exported only when the corresponding feature is compiled in
 * and the profile actually carries them.  These values end up in the
 * environment of any scripts OpenVPN later runs.
 */
static void
setenv_connection_entry (struct env_set *es,
                         const struct connection_entry *e,
                         const int i)
{
  setenv_str_i (es, "proto", proto2ascii (e->proto, false), i);
  setenv_str_i (es, "local", e->local, i);
  setenv_int_i (es, "local_port", e->local_port, i);
  setenv_str_i (es, "remote", e->remote, i);
  setenv_int_i (es, "remote_port", e->remote_port, i);

#ifdef ENABLE_HTTP_PROXY
  if (e->http_proxy_options)
    {
      setenv_str_i (es, "http_proxy_server", e->http_proxy_options->server, i);
      setenv_int_i (es, "http_proxy_port", e->http_proxy_options->port, i);
    }
#endif
#ifdef ENABLE_SOCKS
  if (e->socks_proxy_server)
    {
      setenv_str_i (es, "socks_proxy_server", e->socks_proxy_server, i);
      setenv_int_i (es, "socks_proxy_port", e->socks_proxy_port, i);
    }
#endif
}
/*
 * Publish the process-level settings (config path, verbosity, daemon
 * state, start time, pid) into `es`, then every connection profile: the
 * entries of o->connection_list numbered from 1, or the single default
 * profile o->ce as profile 1 when no list exists.  Scripts run later see
 * these as environment variables.
 */
void
setenv_settings (struct env_set *es, const struct options *o)
{
  setenv_str (es, "config", o->config);
  setenv_int (es, "verb", o->verbosity);
  setenv_int (es, "daemon", o->daemon);
  setenv_int (es, "daemon_log_redirect", o->log);
  setenv_unsigned (es, "daemon_start_time", time(NULL));
  setenv_int (es, "daemon_pid", platform_getpid());

  if (!o->connection_list)
    {
      setenv_connection_entry (es, &o->ce, 1);
      return;
    }

  /* Profiles are numbered from 1 in the environment, not from 0. */
  int i;
  for (i = 0; i < o->connection_list->len; ++i)
    setenv_connection_entry (es, o->connection_list->array[i], i+1);
}
/*
 * Resolve `ip_string` to a host-order IPv4 address via getaddr().
 * When `msglevel` carries M_FATAL the lookup is made fatal as well
 * (GETADDR_FATAL), so a bad address aborts instead of returning.
 * `error` is only ever set to true, never cleared: callers must initialise
 * it to false themselves (it may also be NULL to ignore failures).
 * Returns whatever getaddr() produced, which is only meaningful when
 * no error was reported.
 */
static in_addr_t
get_ip_addr (const char *ip_string, int msglevel, bool *error)
{
  bool succeeded = false;
  unsigned int flags = GETADDR_HOST_ORDER;

  if (msglevel & M_FATAL)
    flags |= GETADDR_FATAL;

  const in_addr_t ret = getaddr (flags, ip_string, 0, &succeeded, NULL);
  if (error && !succeeded)
    *error = true;
  return ret;
}
958 /* helper: parse a text string containing an IPv6 address + netbits
959 * in "standard format" (2001:dba::/32)
960 * "/nn" is optional, default to /64 if missing
962 * return true if parsing succeeded, modify *network and *netbits
963 * return address part without "/nn" in *printable_ipv6 (if != NULL)
 *
 * Parameters: prefix_str - text to parse; network/netbits - outputs, each
 * optional (NULL to skip); printable_ipv6 - optional output for a heap copy
 * of the address text; msglevel - level for the two parse-error messages.
 * Returns false on a bad "/bits" value or an address inet_pton() rejects.
 * NOTE(review): several lines of this function are not shown in this
 * rendering (the "/64" default, the early returns, *netbits assignment).
 */
966 get_ipv6_addr( const char * prefix_str
, struct in6_addr
*network
,
967 unsigned int * netbits
, char ** printable_ipv6
, int msglevel
)
972 struct in6_addr t_network
;
974 sep
= strchr( prefix_str
, '/' );
/* Only the range 0..128 is accepted and the whole suffix must be digits. */
981 bits
= strtol( sep
+1, &endp
, 10 );
982 if ( *endp
!= '\0' || bits
< 0 || bits
> 128 )
984 msg (msglevel
, "IPv6 prefix '%s': invalid '/bits' spec", prefix_str
);
989 /* temporary replace '/' in caller-provided string with '\0', otherwise
990 * inet_pton() will refuse prefix string
991 * (alternative would be to strncpy() the prefix to temporary buffer)
/* NOTE(review): this writes through `sep`, i.e. into memory the caller
 * handed us as `const char *`.  That is undefined behaviour if the caller
 * passes a string literal or other read-only storage, and it briefly
 * mutates a shared buffer; the '/' is put back below before any return.
 * Copying the address part into a local buffer would avoid both issues. */
994 if ( sep
!= NULL
) *sep
= '\0';
996 rc
= inet_pton( AF_INET6
, prefix_str
, &t_network
);
/* A NULL arena makes string_alloc() return heap memory: the caller owns
 * *printable_ipv6 and must free it. */
998 if ( rc
== 1 && printable_ipv6
!= NULL
)
1000 *printable_ipv6
= string_alloc( prefix_str
, NULL
);
/* Restore the caller's string before either the error or success path. */
1003 if ( sep
!= NULL
) *sep
= '/';
1007 msg (msglevel
, "IPv6 prefix '%s': invalid IPv6 address", prefix_str
);
/* Outputs are written only on success and only when the caller asked. */
1011 if ( netbits
!= NULL
)
1015 if ( network
!= NULL
)
1017 *network
= t_network
;
1019 return true; /* parsing OK, values set */
/*
 * Syntax check only: true when `ipv6_prefix_spec` parses as an IPv6
 * address with an optional "/bits" suffix.  The parsed values are thrown
 * away and problems are reported at M_WARN by get_ipv6_addr().
 */
static bool ipv6_addr_safe_hexplusbits( const char * ipv6_prefix_spec )
{
    unsigned int scratch_bits;
    struct in6_addr scratch_addr;

    /* No printable copy is requested (NULL), so nothing is allocated here. */
    return get_ipv6_addr( ipv6_prefix_spec, &scratch_addr, &scratch_bits, NULL, M_WARN );
}
/*
 * string_substitute(): return an arena copy of `src` with every occurrence
 * of the character `from` replaced by `to`.  Parameters: src - input;
 * from/to - characters; gc - arena that owns the result (strlen(src)+1 bytes).
 * NOTE(review): only the allocation is visible in this rendering; the copy
 * loop and the return are not shown, and src must be non-NULL for strlen().
 */
1031 string_substitute (const char *src
, int from
, int to
, struct gc_arena
*gc
)
1033 char *ret
= (char *) gc_malloc (strlen (src
) + 1, true, gc
);
/*
 * parse_hash_fingerprint(): decode a colon-separated hex fingerprint
 * ("xx:xx:...") of exactly `nbytes` bytes into an arena-allocated buffer.
 * Parameters: str - text; nbytes - expected length; msglevel - level for
 * format-error messages; gc - arena owning the returned buffer.
 * Each problem is reported with msg(msglevel, ...); with a non-fatal level
 * the returned buffer may therefore be only partially filled, so callers
 * should treat a logged error as a failed parse.
 * NOTE(review): the declarations of i, term, byte and bs, and the code
 * that advances cp, are not shown in this rendering.
 */
1050 parse_hash_fingerprint(const char *str
, int nbytes
, int msglevel
, struct gc_arena
*gc
)
1053 const char *cp
= str
;
/* nbytes is an int passed straight to the allocator; callers are expected
 * to pass a fixed digest length -- a negative value would not be caught here. */
1054 uint8_t *ret
= (uint8_t *) gc_malloc (nbytes
, true, gc
);
1059 for (i
= 0; i
< nbytes
; ++i
)
1062 msg (msglevel
, "format error in hash fingerprint: %s", str
);
/* bs presumably holds one two-character hex chunk; "%x" accepts any hex
 * form sscanf understands, the two-character width is what bounds it. */
1067 if (sscanf(bs
, "%x", &byte
) != 1)
1068 msg (msglevel
, "format error in hash fingerprint hex byte: %s", str
);
1069 ret
[i
] = (uint8_t)byte
;
/* Only ':' or the terminating NUL may follow a byte. */
1071 if (term
!= ':' && term
!= 0)
1072 msg (msglevel
, "format error in hash fingerprint delimiter: %s", str
);
/* Length check: the string must end exactly after byte nbytes-1. */
1076 if (term
!= 0 || i
!= nbytes
-1)
1077 msg (msglevel
, "hash fingerprint is different length than expected (%d bytes): %s", nbytes
, str
);
1084 #ifndef ENABLE_SMALL
/*
 * Log the `len` IPv4 addresses in `array` at D_SHOW_PARMS as
 * "name[index] = dotted-quad".  A local arena backs the printable strings
 * and is released before returning.
 */
static void
show_dhcp_option_addrs (const char *name, const in_addr_t *array, int len)
{
  int idx;
  struct gc_arena gc = gc_new ();

  for (idx = 0; idx < len; ++idx)
    msg (D_SHOW_PARMS, " %s[%d] = %s",
         name, idx, print_in_addr_t (array[idx], 0, &gc));

  gc_free (&gc);
}
/*
 * show_tuntap_options(): dump the Windows TAP-related settings (ip-win32
 * method, DHCP masquerade parameters, NetBIOS settings) and the DHCP
 * option address lists at D_SHOW_PARMS.  The SHOW_* macros read `o`.
 * NOTE(review): a few lines between the visible ones are not shown here.
 */
1102 show_tuntap_options (const struct tuntap_options
*o
)
1104 SHOW_BOOL (ip_win32_defined
);
1105 SHOW_INT (ip_win32_type
);
1106 SHOW_INT (dhcp_masq_offset
);
1107 SHOW_INT (dhcp_lease_time
);
1108 SHOW_INT (tap_sleep
);
1109 SHOW_BOOL (dhcp_options
);
1110 SHOW_BOOL (dhcp_renew
);
1111 SHOW_BOOL (dhcp_pre_release
);
1112 SHOW_BOOL (dhcp_release
);
1114 SHOW_STR (netbios_scope
);
1115 SHOW_INT (netbios_node_type
);
1116 SHOW_BOOL (disable_nbt
);
/* Each list is printed with its own length counter. */
1118 show_dhcp_option_addrs ("DNS", o
->dns
, o
->dns_len
);
1119 show_dhcp_option_addrs ("WINS", o
->wins
, o
->wins_len
);
1120 show_dhcp_option_addrs ("NTP", o
->ntp
, o
->ntp_len
);
1121 show_dhcp_option_addrs ("NBDD", o
->nbdd
, o
->nbdd_len
);
/*
 * dhcp_option_address_parse(): append the IPv4 address in `parm` to the
 * fixed-size `array` (current count in *len) for the --dhcp-option server
 * list `name`.  Parameters: name - option label for messages; parm - the
 * user-supplied text; array/len - destination list; msglevel - level for
 * errors.  Rejects a full list (N_DHCP_ADDR entries) before writing, so
 * the array cannot be overrun, and rejects anything that is not a dotted
 * quad.  NOTE(review): the declaration of `error` and the check between
 * get_ip_addr() and the store are not visible in this rendering.
 */
1127 dhcp_option_address_parse (const char *name
, const char *parm
, in_addr_t
*array
, int *len
, int msglevel
)
/* Bounds check first: never write past N_DHCP_ADDR entries. */
1129 if (*len
>= N_DHCP_ADDR
)
1131 msg (msglevel
, "--dhcp-option %s: maximum of %d %s servers can be specified",
/* Only literal addresses are accepted here; names are not resolved. */
1138 if (ip_addr_dotted_quad_safe (parm
)) /* FQDN -- IP address only */
1141 const in_addr_t addr
= get_ip_addr (parm
, msglevel
, &error
);
1143 array
[(*len
)++] = addr
;
1147 msg (msglevel
, "dhcp-option parameter %s '%s' must be an IP address", name
, parm
);
1156 #ifndef ENABLE_SMALL
/*
 * show_p2mp_parms(): dump the point-to-multipoint (server-side) settings at
 * D_SHOW_PARMS: server network/bridge ranges, the push list, address pool,
 * per-client script paths and limits.  The SHOW_* macros read `o`; a local
 * arena backs the printable addresses.
 * NOTE(review): the P2MP_SERVER #if, the push-list walk and the arena
 * release are not all visible in this rendering.
 */
1159 show_p2mp_parms (const struct options
*o
)
1161 struct gc_arena gc
= gc_new ();
1164 msg (D_SHOW_PARMS
, " server_network = %s", print_in_addr_t (o
->server_network
, 0, &gc
));
1165 msg (D_SHOW_PARMS
, " server_netmask = %s", print_in_addr_t (o
->server_netmask
, 0, &gc
));
1166 msg (D_SHOW_PARMS
, " server_network_ipv6 = %s", print_in6_addr (o
->server_network_ipv6
, 0, &gc
) );
1167 SHOW_INT (server_netbits_ipv6
);
1168 msg (D_SHOW_PARMS
, " server_bridge_ip = %s", print_in_addr_t (o
->server_bridge_ip
, 0, &gc
));
1169 msg (D_SHOW_PARMS
, " server_bridge_netmask = %s", print_in_addr_t (o
->server_bridge_netmask
, 0, &gc
));
1170 msg (D_SHOW_PARMS
, " server_bridge_pool_start = %s", print_in_addr_t (o
->server_bridge_pool_start
, 0, &gc
));
1171 msg (D_SHOW_PARMS
, " server_bridge_pool_end = %s", print_in_addr_t (o
->server_bridge_pool_end
, 0, &gc
));
/* Each --push option is printed verbatim from the push list. */
1172 if (o
->push_list
.head
)
1174 const struct push_entry
*e
= o
->push_list
.head
;
1178 msg (D_SHOW_PARMS
, " push_entry = '%s'", e
->option
);
1182 SHOW_BOOL (ifconfig_pool_defined
);
1183 msg (D_SHOW_PARMS
, " ifconfig_pool_start = %s", print_in_addr_t (o
->ifconfig_pool_start
, 0, &gc
));
1184 msg (D_SHOW_PARMS
, " ifconfig_pool_end = %s", print_in_addr_t (o
->ifconfig_pool_end
, 0, &gc
));
1185 msg (D_SHOW_PARMS
, " ifconfig_pool_netmask = %s", print_in_addr_t (o
->ifconfig_pool_netmask
, 0, &gc
));
1186 SHOW_STR (ifconfig_pool_persist_filename
);
1187 SHOW_INT (ifconfig_pool_persist_refresh_freq
);
1188 SHOW_BOOL (ifconfig_ipv6_pool_defined
);
1189 msg (D_SHOW_PARMS
, " ifconfig_ipv6_pool_base = %s", print_in6_addr (o
->ifconfig_ipv6_pool_base
, 0, &gc
));
1190 SHOW_INT (ifconfig_ipv6_pool_netbits
);
1191 SHOW_INT (n_bcast_buf
);
1192 SHOW_INT (tcp_queue_limit
);
1193 SHOW_INT (real_hash_size
);
1194 SHOW_INT (virtual_hash_size
);
/* Script hooks run by the server; these are paths, printed as given. */
1195 SHOW_STR (client_connect_script
);
1196 SHOW_STR (learn_address_script
);
1197 SHOW_STR (client_disconnect_script
);
1198 SHOW_STR (client_config_dir
);
1199 SHOW_BOOL (ccd_exclusive
);
1201 SHOW_BOOL (push_ifconfig_defined
);
1202 msg (D_SHOW_PARMS
, " push_ifconfig_local = %s", print_in_addr_t (o
->push_ifconfig_local
, 0, &gc
));
1203 msg (D_SHOW_PARMS
, " push_ifconfig_remote_netmask = %s", print_in_addr_t (o
->push_ifconfig_remote_netmask
, 0, &gc
));
1204 SHOW_BOOL (push_ifconfig_ipv6_defined
);
1205 msg (D_SHOW_PARMS
, " push_ifconfig_ipv6_local = %s/%d", print_in6_addr (o
->push_ifconfig_ipv6_local
, 0, &gc
), o
->push_ifconfig_ipv6_netbits
);
1206 msg (D_SHOW_PARMS
, " push_ifconfig_ipv6_remote = %s", print_in6_addr (o
->push_ifconfig_ipv6_remote
, 0, &gc
));
1207 SHOW_BOOL (enable_c2c
);
1208 SHOW_BOOL (duplicate_cn
);
1211 SHOW_INT (max_clients
);
1212 SHOW_INT (max_routes_per_client
);
1213 SHOW_STR (auth_user_pass_verify_script
);
1214 SHOW_BOOL (auth_user_pass_verify_script_via_file
);
1216 SHOW_STR (port_share_host
);
1217 SHOW_INT (port_share_port
);
1219 #endif /* P2MP_SERVER */
/* Path of the --auth-user-pass file, not its contents. */
1223 SHOW_STR (auth_user_pass_file
);
1228 #endif /* ! ENABLE_SMALL */
/*
 * option_iroute(): parse an "--iroute network [netmask]" pair and prepend
 * the result to o->iroutes.  Parameters: o - options being built (the entry
 * lives in o->gc); network_str/netmask_str - the option arguments;
 * msglevel - level for the error message (parameter line not shown here).
 * The netmask is validated by netmask_to_netbits() against the network
 * before the entry is linked.
 * NOTE(review): the netmask_str NULL handling and the error-path return
 * between the msg() call and the list insertion are not visible in this
 * rendering; confirm that a rejected mask does not get linked.
 */
1233 option_iroute (struct options
*o
,
1234 const char *network_str
,
1235 const char *netmask_str
,
1240 ALLOC_OBJ_GC (ir
, struct iroute
, &o
->gc
);
/* Host-order address; no success flag is requested from getaddr() here. */
1241 ir
->network
= getaddr (GETADDR_HOST_ORDER
, network_str
, 0, NULL
, NULL
);
1246 const in_addr_t netmask
= getaddr (GETADDR_HOST_ORDER
, netmask_str
, 0, NULL
, NULL
);
/* Rejects a mask that is not a valid prefix for this network. */
1247 if (!netmask_to_netbits (ir
->network
, netmask
, &ir
->netbits
))
1249 msg (msglevel
, "in --iroute %s %s : Bad network/subnet specification",
/* Prepend to the singly linked list. */
1256 ir
->next
= o
->iroutes
;
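/*
 * Parse an "--iroute-ipv6 prefix[/bits]" argument and prepend it to
 * o->iroutes_ipv6.  Parameters: o - options being built (the entry is
 * allocated from o->gc); prefix_str - the option argument; msglevel -
 * level used for the parse-error message.  On a bad prefix the message is
 * logged and nothing is linked into the list.
 */
static void
option_iroute_ipv6 (struct options *o,
                    const char *prefix_str,
                    int msglevel)
{
  struct iroute_ipv6 *ir;

  ALLOC_OBJ_GC (ir, struct iroute_ipv6, &o->gc);

  /* get_ipv6_addr() returns bool (false on a parse failure).  Comparing its
   * result with "< 0" can never be true, which silently accepted any
   * malformed prefix and linked an entry whose network/netbits were never
   * set; test the boolean directly instead. */
  if ( !get_ipv6_addr (prefix_str, &ir->network, &ir->netbits, NULL, msglevel) )
    {
      msg (msglevel, "in --iroute-ipv6 %s: Bad IPv6 prefix specification",
           prefix_str);
      return;
    }

  ir->next = o->iroutes_ipv6;
  o->iroutes_ipv6 = ir;
}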
1279 #endif /* P2MP_SERVER */
1282 #if defined(ENABLE_HTTP_PROXY) && !defined(ENABLE_SMALL)
/*
 * show_http_proxy_options(): dump one HTTP proxy configuration between
 * "BEGIN http_proxy" / "END http_proxy" markers at D_SHOW_PARMS.  The
 * SHOW_* macros read `o`.  auth_file is a path; credentials themselves are
 * not printed here.
 * NOTE(review): some fields between the visible lines are not shown.
 */
1284 show_http_proxy_options (const struct http_proxy_options
*o
)
1286 msg (D_SHOW_PARMS
, "BEGIN http_proxy");
1289 SHOW_STR (auth_method_string
);
1290 SHOW_STR (auth_file
);
1293 SHOW_STR (http_version
);
1294 SHOW_STR (user_agent
);
1295 msg (D_SHOW_PARMS
, "END http_proxy");
/*
 * options_detach(): drop references that a copied options struct must not
 * share with its source.  Only the client_nat reset is visible in this
 * rendering; the remaining body (presumably the arena detach and other
 * list pointers) is not shown.
 */
1300 options_detach (struct options
*o
)
1304 #ifdef ENABLE_CLIENT_NAT
1305 o
->client_nat
= NULL
;
/*
 * Lazily create the IPv4 route option list: allocate it from the options
 * arena, sized by options->max_routes, the first time it is needed.
 * A second call is a no-op.
 */
void
rol_check_alloc (struct options *options)
{
  if (options->routes)
    return;
  options->routes = new_route_option_list (options->max_routes, &options->gc);
}
/*
 * IPv6 counterpart of rol_check_alloc(): allocate options->routes_ipv6
 * from the options arena, sized by options->max_routes, on first use.
 */
void
rol6_check_alloc (struct options *options)
{
  if (options->routes_ipv6)
    return;
  options->routes_ipv6 = new_route_ipv6_option_list (options->max_routes, &options->gc);
}
1326 #ifdef ENABLE_CLIENT_NAT
/*
 * Lazily create the client NAT list in the options arena on first use;
 * later calls leave the existing list untouched.
 */
void
cnol_check_alloc (struct options *options)
{
  if (options->client_nat)
    return;
  options->client_nat = new_client_nat_list (&options->gc);
}
1335 #ifndef ENABLE_SMALL
/*
 * show_connection_entry(): dump one connection profile at D_SHOW_PARMS:
 * protocol, ports, bind/float flags, retry timers, proxy settings (when
 * compiled in), MTU parameters and exit notification.  The SHOW_* macros
 * read `o`, which here is the connection entry rather than the options.
 * NOTE(review): several lines (e.g. the address strings and some
 * #endif/#ifdef pairs) are not visible in this rendering.
 */
1337 show_connection_entry (const struct connection_entry
*o
)
1339 msg (D_SHOW_PARMS
, " proto = %s", proto2ascii (o
->proto
, false));
1341 SHOW_INT (local_port
);
1343 SHOW_INT (remote_port
);
1344 SHOW_BOOL (remote_float
);
1345 SHOW_BOOL (bind_defined
);
1346 SHOW_BOOL (bind_local
);
1347 SHOW_INT (connect_retry_seconds
);
1348 SHOW_INT (connect_timeout
);
1349 SHOW_INT (connect_retry_max
);
/* Proxy settings are only dumped when a proxy is configured. */
1351 #ifdef ENABLE_HTTP_PROXY
1352 if (o
->http_proxy_options
)
1353 show_http_proxy_options (o
->http_proxy_options
);
1356 SHOW_STR (socks_proxy_server
);
1357 SHOW_INT (socks_proxy_port
);
1358 SHOW_BOOL (socks_proxy_retry
);
1361 SHOW_BOOL (tun_mtu_defined
);
1362 SHOW_INT (link_mtu
);
1363 SHOW_BOOL (link_mtu_defined
);
1364 SHOW_INT (tun_mtu_extra
);
1365 SHOW_BOOL (tun_mtu_extra_defined
);
1367 SHOW_INT (mtu_discover_type
);
1369 #ifdef ENABLE_FRAGMENT
1370 SHOW_INT (fragment
);
1375 SHOW_INT (explicit_exit_notification
);
/*
 * Dump the default connection profile (o->ce) followed by every entry of
 * o->connection_list, if one exists, bracketed by "Connection profiles"
 * header and END lines at D_SHOW_PARMS.
 */
static void
show_connection_entries (const struct options *o)
{
  const struct connection_list *list = o->connection_list;

  msg (D_SHOW_PARMS, "Connection profiles [default]:");
  show_connection_entry (&o->ce);

  if (list)
    {
      int idx;
      for (idx = 0; idx < list->len; ++idx)
        {
          /* Listed profiles are numbered from 0 here, unlike the
           * environment export in setenv_settings(). */
          msg (D_SHOW_PARMS, "Connection profiles [%d]:", idx);
          show_connection_entry (list->array[idx]);
        }
    }

  msg (D_SHOW_PARMS, "Connection profiles END");
}
/*
 * show_settings(): log the complete effective configuration at
 * D_SHOW_PARMS, section by section (persist, crypto display flags,
 * connection profiles, interface, timers, privileges, scripts, status,
 * routes, management, plugins, crypto/TLS, PKCS#11, P2MP, Windows).
 * The SHOW_* macros read `o`.  File-typed options print their path, not
 * their contents.
 * NOTE(review): this rendering omits lines, including the #endif matching
 * the #ifndef ENABLE_SMALL below and several entries inside the feature
 * blocks; treat the visible set as incomplete.
 */
1401 show_settings (const struct options
*o
)
1403 #ifndef ENABLE_SMALL
1404 msg (D_SHOW_PARMS
, "Current Parameter Settings:");
1410 #ifdef ENABLE_FEATURE_TUN_PERSIST
1411 SHOW_BOOL (persist_config
);
1412 SHOW_INT (persist_mode
);
1415 #ifdef ENABLE_CRYPTO
1416 SHOW_BOOL (show_ciphers
);
1417 SHOW_BOOL (show_digests
);
1418 SHOW_BOOL (show_engines
);
/* Path of the key passphrase file, not the passphrase. */
1421 SHOW_STR (key_pass_file
);
1422 SHOW_BOOL (show_tls_ciphers
);
1426 show_connection_entries (o
);
1428 SHOW_BOOL (remote_random
);
1430 SHOW_STR (ipchange
);
1432 SHOW_STR (dev_type
);
1433 SHOW_STR (dev_node
);
1435 SHOW_INT (topology
);
1436 SHOW_BOOL (tun_ipv6
);
1437 SHOW_STR (ifconfig_local
);
1438 SHOW_STR (ifconfig_remote_netmask
);
1439 SHOW_BOOL (ifconfig_noexec
);
1440 SHOW_BOOL (ifconfig_nowarn
);
1441 SHOW_STR (ifconfig_ipv6_local
);
1442 SHOW_INT (ifconfig_ipv6_netbits
);
1443 SHOW_STR (ifconfig_ipv6_remote
);
1445 #ifdef ENABLE_FEATURE_SHAPER
1449 SHOW_INT (mtu_test
);
/* Keepalive / ping timers and the persist-* flags. */
1454 SHOW_INT (keepalive_ping
);
1455 SHOW_INT (keepalive_timeout
);
1456 SHOW_INT (inactivity_timeout
);
1457 SHOW_INT (ping_send_timeout
);
1458 SHOW_INT (ping_rec_timeout
);
1459 SHOW_INT (ping_rec_timeout_action
);
1460 SHOW_BOOL (ping_timer_remote
);
1461 SHOW_INT (remap_sigusr1
);
1462 SHOW_BOOL (persist_tun
);
1463 SHOW_BOOL (persist_local_ip
);
1464 SHOW_BOOL (persist_remote_ip
);
1465 SHOW_BOOL (persist_key
);
1467 #if PASSTOS_CAPABILITY
1468 SHOW_BOOL (passtos
);
1471 SHOW_INT (resolve_retry_seconds
);
/* Privilege-drop settings: user, group, chroot, SELinux context. */
1473 SHOW_STR (username
);
1474 SHOW_STR (groupname
);
1475 SHOW_STR (chroot_dir
);
1477 #ifdef ENABLE_SELINUX
1478 SHOW_STR (selinux_context
);
1480 SHOW_STR (writepid
);
/* Script hooks; paths printed as configured. */
1481 SHOW_STR (up_script
);
1482 SHOW_STR (down_script
);
1483 SHOW_BOOL (down_pre
);
1484 SHOW_BOOL (up_restart
);
1485 SHOW_BOOL (up_delay
);
1489 SHOW_BOOL (suppress_timestamps
);
1491 SHOW_INT (verbosity
);
1496 SHOW_STR (status_file
);
1497 SHOW_INT (status_file_version
);
1498 SHOW_INT (status_file_update_freq
);
1505 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
1508 SHOW_INT (sockflags
);
1510 SHOW_BOOL (fast_io
);
1516 SHOW_STR (route_script
);
1517 SHOW_STR (route_default_gateway
);
1518 SHOW_INT (route_default_metric
);
1519 SHOW_BOOL (route_noexec
);
1520 SHOW_INT (route_delay
);
1521 SHOW_INT (route_delay_window
);
1522 SHOW_BOOL (route_delay_defined
);
1523 SHOW_BOOL (route_nopull
);
1524 SHOW_BOOL (route_gateway_via_dhcp
);
1525 SHOW_INT (max_routes
);
1526 SHOW_BOOL (allow_pull_fqdn
);
1528 print_route_options (o
->routes
, D_SHOW_PARMS
);
1530 #ifdef ENABLE_CLIENT_NAT
1532 print_client_nat_list(o
->client_nat
, D_SHOW_PARMS
);
/* Management interface: address/port and the path of the password file. */
1535 #ifdef ENABLE_MANAGEMENT
1536 SHOW_STR (management_addr
);
1537 SHOW_INT (management_port
);
1538 SHOW_STR (management_user_pass
);
1539 SHOW_INT (management_log_history_cache
);
1540 SHOW_INT (management_echo_buffer_size
);
1541 SHOW_STR (management_write_peer_info_file
);
1542 SHOW_STR (management_client_user
);
1543 SHOW_STR (management_client_group
);
1544 SHOW_INT (management_flags
);
1546 #ifdef ENABLE_PLUGIN
1548 plugin_option_list_print (o
->plugin_list
, D_SHOW_PARMS
);
/* Data-channel crypto: key file path, cipher/digest names, PRNG and
 * replay-protection parameters. */
1551 #ifdef ENABLE_CRYPTO
1552 SHOW_STR (shared_secret_file
);
1553 SHOW_INT (key_direction
);
1554 SHOW_BOOL (ciphername_defined
);
1555 SHOW_STR (ciphername
);
1556 SHOW_BOOL (authname_defined
);
1557 SHOW_STR (authname
);
1558 SHOW_STR (prng_hash
);
1559 SHOW_INT (prng_nonce_secret_len
);
/* NOTE(review): the line guarded by this #ifndef is not shown here. */
1561 #ifndef ENABLE_CRYPTO_POLARSSL
1563 #endif /* ENABLE_CRYPTO_POLARSSL */
1565 SHOW_BOOL (mute_replay_warnings
);
1566 SHOW_INT (replay_window
);
1567 SHOW_INT (replay_time
);
1568 SHOW_STR (packet_id_file
);
1570 SHOW_BOOL (test_crypto
);
1571 #ifdef ENABLE_PREDICTION_RESISTANCE
1572 SHOW_BOOL (use_prediction_resistance
);
/* TLS settings. */
1576 SHOW_BOOL (tls_server
);
1577 SHOW_BOOL (tls_client
);
1578 SHOW_INT (key_method
);
1582 SHOW_STR (cert_file
);
/* When the private key is provided through the management interface there
 * is no key file to name, so a fixed placeholder is printed instead.  Note
 * that SHOW_PARM stringises its first argument with `#name`, so a quoted
 * literal here yields a label that includes the quote characters. */
1584 #ifdef MANAGMENT_EXTERNAL_KEY
1585 if((o
->management_flags
& MF_EXTERNAL_KEY
))
1586 SHOW_PARM ("priv_key_file","EXTERNAL_PRIVATE_KEY","%s");
1589 SHOW_STR (priv_key_file
);
1590 #ifndef ENABLE_CRYPTO_POLARSSL
1591 SHOW_STR (pkcs12_file
);
1593 #ifdef ENABLE_CRYPTOAPI
1594 SHOW_STR (cryptoapi_cert
);
1596 SHOW_STR (cipher_list
);
1597 SHOW_STR (tls_verify
);
1598 SHOW_STR (tls_export_cert
);
1599 SHOW_INT (verify_x509_type
);
1600 SHOW_STR (verify_x509_name
);
1601 SHOW_STR (crl_file
);
1602 SHOW_INT (ns_cert_type
);
/* All MAX_PARMS key-usage slots are printed, set or not. */
1605 for (i
=0;i
<MAX_PARMS
;i
++)
1606 SHOW_INT (remote_cert_ku
[i
]);
1608 SHOW_STR (remote_cert_eku
);
1609 SHOW_INT (ssl_flags
);
1611 SHOW_INT (tls_timeout
);
1613 SHOW_INT (renegotiate_bytes
);
1614 SHOW_INT (renegotiate_packets
);
1615 SHOW_INT (renegotiate_seconds
);
1617 SHOW_INT (handshake_window
);
1618 SHOW_INT (transition_window
);
1620 SHOW_BOOL (single_session
);
1621 #ifdef ENABLE_PUSH_PEER_INFO
1622 SHOW_BOOL (push_peer_info
);
1624 SHOW_BOOL (tls_exit
);
1626 SHOW_STR (tls_auth_file
);
/* PKCS#11: the provider loop stops at the first empty slot; the remaining
 * per-provider loops print all MAX_PARMS slots. */
1630 #ifdef ENABLE_PKCS11
1633 for (i
=0;i
<MAX_PARMS
&& o
->pkcs11_providers
[i
] != NULL
;i
++)
1634 SHOW_PARM (pkcs11_providers
, o
->pkcs11_providers
[i
], "%s");
1638 for (i
=0;i
<MAX_PARMS
;i
++)
1639 SHOW_PARM (pkcs11_protected_authentication
, o
->pkcs11_protected_authentication
[i
] ? "ENABLED" : "DISABLED", "%s");
1643 for (i
=0;i
<MAX_PARMS
;i
++)
1644 SHOW_PARM (pkcs11_private_mode
, o
->pkcs11_private_mode
[i
], "%08x");
1648 for (i
=0;i
<MAX_PARMS
;i
++)
1649 SHOW_PARM (pkcs11_cert_private
, o
->pkcs11_cert_private
[i
] ? "ENABLED" : "DISABLED", "%s");
1651 SHOW_INT (pkcs11_pin_cache_period
);
1652 SHOW_STR (pkcs11_id
);
1653 SHOW_BOOL (pkcs11_id_management
);
1654 #endif /* ENABLE_PKCS11 */
1657 show_p2mp_parms (o
);
/* Windows-specific section. */
1661 SHOW_BOOL (show_net_up
);
1662 SHOW_INT (route_method
);
1663 show_tuntap_options (&o
->tuntap_options
);
1673 #if HTTP_PROXY_OVERRIDE
/*
 * parse_http_proxy_override(): build an http_proxy_options from the
 * server/port/flags strings of --http-proxy-override.  Parameters:
 * server - proxy host; port and flags and msglevel - see the parameter
 * lines not shown in this rendering (port is the text port, flags the
 * optional flag word, msglevel the level for the error message);
 * gc - arena that owns the result.  Returns the new object, or NULL (not
 * visible here) after logging when the port is out of range.
 */
1675 static struct http_proxy_options
*
1676 parse_http_proxy_override (const char *server
,
1680 struct gc_arena
*gc
)
1684 struct http_proxy_options
*ho
;
/* atoi() gives 0 for non-numeric input; legal_ipv4_port() is what rejects
 * that and any value outside the valid port range. */
1685 const int int_port
= atoi(port
);
1687 if (!legal_ipv4_port (int_port
))
1689 msg (msglevel
, "Bad http-proxy port number: %s", port
);
1693 ALLOC_OBJ_CLEAR_GC (ho
, struct http_proxy_options
, gc
);
1694 ho
->server
= string_alloc(server
, gc
);
1695 ho
->port
= int_port
;
/* "nct" = no clear-text auth: restrict retries to non-cleartext methods;
 * anything else (or no flags) allows all methods. */
1698 if (flags
&& !strcmp(flags
, "nct"))
1699 ho
->auth_retry
= PAR_NCT
;
1701 ho
->auth_retry
= PAR_ALL
;
/* Fixed protocol version and User-Agent for the override proxy. */
1702 ho
->http_version
= "1.0";
1703 ho
->user_agent
= "OpenVPN-Autoproxy/1.0";
/*
 * Apply --http-proxy-override to the connection list: every TCP profile
 * (tcp-client or plain tcp) gets o->http_proxy_override attached.  If at
 * least one profile took it, the UDP profiles are disabled (CE_DISABLED)
 * since they cannot go through an HTTP proxy; if none did, a warning is
 * logged and the override is ignored.  Does nothing without a list.
 */
static void
options_postprocess_http_proxy_override (struct options *o)
{
  const struct connection_list *list = o->connection_list;
  int idx;
  bool attached = false;

  if (!list)
    return;

  for (idx = 0; idx < list->len; ++idx)
    {
      struct connection_entry *entry = list->array[idx];
      const bool is_tcp = (entry->proto == PROTO_TCPv4_CLIENT
                           || entry->proto == PROTO_TCPv4);
      if (is_tcp)
        {
          entry->http_proxy_options = o->http_proxy_override;
          attached = true;
        }
    }

  if (!attached)
    {
      msg (M_WARN, "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
      return;
    }

  /* A proxy is in use, so the UDP profiles can no longer be reached. */
  for (idx = 0; idx < list->len; ++idx)
    {
      struct connection_entry *entry = list->array[idx];
      if (entry->proto == PROTO_UDPv4)
        entry->flags |= CE_DISABLED;
    }
}
/*
 * Return options->connection_list, creating it zero-filled in the options
 * arena if it does not exist yet.
 */
static struct connection_list *
alloc_connection_list_if_undef (struct options *options)
{
  if (options->connection_list)
    return options->connection_list;

  ALLOC_OBJ_CLEAR_GC (options->connection_list, struct connection_list, &options->gc);
  return options->connection_list;
}
/*
 * Append a new connection entry to options->connection_list (created on
 * demand) and return it.  The list is a fixed array of
 * CONNECTION_LIST_SIZE slots; when it is full the overflow is reported at
 * `msglevel` and NULL is returned instead of writing past the array.
 */
static struct connection_entry *
alloc_connection_entry (struct options *options, const int msglevel)
{
  struct connection_list *list = alloc_connection_list_if_undef (options);

  /* Bounds check before the store into list->array. */
  if (list->len >= CONNECTION_LIST_SIZE)
    {
      msg (msglevel, "Maximum number of 'connection' options (%d) exceeded", CONNECTION_LIST_SIZE);
      return NULL;
    }

  struct connection_entry *entry;
  ALLOC_OBJ_GC (entry, struct connection_entry, &options->gc);
  list->array[list->len] = entry;
  list->len++;
  return entry;
}
/*
 * Return options->remote_list, creating it zero-filled in the options
 * arena if it does not exist yet.
 */
static struct remote_list *
alloc_remote_list_if_undef (struct options *options)
{
  if (options->remote_list)
    return options->remote_list;

  ALLOC_OBJ_CLEAR_GC (options->remote_list, struct remote_list, &options->gc);
  return options->remote_list;
}
/*
 * Append a new remote entry to options->remote_list (created on demand)
 * and return it.  The list shares the CONNECTION_LIST_SIZE limit; when it
 * is full the overflow is reported at `msglevel` and NULL is returned
 * instead of writing past the array.
 */
static struct remote_entry *
alloc_remote_entry (struct options *options, const int msglevel)
{
  struct remote_list *list = alloc_remote_list_if_undef (options);

  /* Bounds check before the store into list->array. */
  if (list->len >= CONNECTION_LIST_SIZE)
    {
      msg (msglevel, "Maximum number of 'remote' options (%d) exceeded", CONNECTION_LIST_SIZE);
      return NULL;
    }

  struct remote_entry *entry;
  ALLOC_OBJ_GC (entry, struct remote_entry, &options->gc);
  list->array[list->len] = entry;
  list->len++;
  return entry;
}
/*
 * connection_entry_load_re(): copy the fields of a --remote entry `re`
 * into the connection entry `ce`.  The remote port is only taken over when
 * re->remote_port is non-negative; a negative value presumably marks
 * "not given on this --remote" and leaves ce's port in place -- confirm.
 * NOTE(review): the lines preceding the remote and proto assignments are
 * not shown in this rendering, so whether those two are guarded the same
 * way cannot be seen here.
 */
1794 connection_entry_load_re (struct connection_entry
*ce
, const struct remote_entry
*re
)
1797 ce
->remote
= re
->remote
;
1798 if (re
->remote_port
>= 0)
1799 ce
->remote_port
= re
->remote_port
;
1801 ce
->proto
= re
->proto
;
1805 options_postprocess_verify_ce (const struct options
*options
, const struct connection_entry
*ce
)
1807 struct options defaults
;
1808 int dev
= DEV_TYPE_UNDEF
;
1811 init_options (&defaults
, true);
1813 #ifdef ENABLE_CRYPTO
1814 if (options
->test_crypto
)
1816 notnull (options
->shared_secret_file
, "key file (--secret)");
1820 notnull (options
->dev
, "TUN/TAP device (--dev)");
1823 * Get tun/tap/null device type
1825 dev
= dev_type_enum (options
->dev
, options
->dev_type
);
1828 * If "proto tcp" is specified, make sure we know whether it is
1829 * tcp-client or tcp-server.
1831 if (ce
->proto
== PROTO_TCPv4
)
1832 msg (M_USAGE
, "--proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client");
1833 if (ce
->proto
== PROTO_TCPv6
)
1834 msg (M_USAGE
, "--proto tcp6 is ambiguous in this context. Please specify --proto tcp6-server or --proto tcp6-client");
1837 * Sanity check on daemon/inetd modes
1840 if (options
->daemon
&& options
->inetd
)
1841 msg (M_USAGE
, "only one of --daemon or --inetd may be specified");
1843 if (options
->inetd
&& (ce
->local
|| ce
->remote
))
1844 msg (M_USAGE
, "--local or --remote cannot be used with --inetd");
1846 if (options
->inetd
&& ce
->proto
== PROTO_TCPv4_CLIENT
)
1847 msg (M_USAGE
, "--proto tcp-client cannot be used with --inetd");
1849 if (options
->inetd
== INETD_NOWAIT
&& ce
->proto
!= PROTO_TCPv4_SERVER
)
1850 msg (M_USAGE
, "--inetd nowait can only be used with --proto tcp-server");
1852 if (options
->inetd
== INETD_NOWAIT
1853 #if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
1854 && !(options
->tls_server
|| options
->tls_client
)
1857 msg (M_USAGE
, "--inetd nowait can only be used in TLS mode");
1859 if (options
->inetd
== INETD_NOWAIT
&& dev
!= DEV_TYPE_TAP
)
1860 msg (M_USAGE
, "--inetd nowait only makes sense in --dev tap mode");
1863 if (options
->lladdr
&& dev
!= DEV_TYPE_TAP
)
1864 msg (M_USAGE
, "--lladdr can only be used in --dev tap mode");
1867 * Sanity check on TCP mode options
1870 if (ce
->connect_retry_defined
&& ce
->proto
!= PROTO_TCPv4_CLIENT
1871 && ce
->proto
!= PROTO_TCPv6_CLIENT
)
1872 msg (M_USAGE
, "--connect-retry doesn't make sense unless also used with "
1873 "--proto tcp-client or tcp6-client");
1875 if (ce
->connect_timeout_defined
&& ce
->proto
!= PROTO_TCPv4_CLIENT
1876 && ce
->proto
!= PROTO_TCPv6_CLIENT
)
1877 msg (M_USAGE
, "--connect-timeout doesn't make sense unless also used with "
1878 "--proto tcp-client or tcp6-client");
1881 * Sanity check on MTU parameters
1883 if (options
->ce
.tun_mtu_defined
&& options
->ce
.link_mtu_defined
)
1884 msg (M_USAGE
, "only one of --tun-mtu or --link-mtu may be defined (note that --ifconfig implies --link-mtu %d)", LINK_MTU_DEFAULT
);
1887 if (!proto_is_udp(ce
->proto
) && options
->mtu_test
)
1888 msg (M_USAGE
, "--mtu-test only makes sense with --proto udp");
1891 /* will we be pulling options from server? */
1893 pull
= options
->pull
;
1897 * Sanity check on --local, --remote, and --ifconfig
1900 if (proto_is_net(ce
->proto
)
1901 && string_defined_equal (ce
->local
, ce
->remote
)
1902 && ce
->local_port
== ce
->remote_port
)
1903 msg (M_USAGE
, "--remote and --local addresses are the same");
1905 if (string_defined_equal (ce
->remote
, options
->ifconfig_local
)
1906 || string_defined_equal (ce
->remote
, options
->ifconfig_remote_netmask
))
1907 msg (M_USAGE
, "--local and --remote addresses must be distinct from --ifconfig addresses");
1909 if (string_defined_equal (ce
->local
, options
->ifconfig_local
)
1910 || string_defined_equal (ce
->local
, options
->ifconfig_remote_netmask
))
1911 msg (M_USAGE
, "--local addresses must be distinct from --ifconfig addresses");
1913 if (string_defined_equal (options
->ifconfig_local
, options
->ifconfig_remote_netmask
))
1914 msg (M_USAGE
, "local and remote/netmask --ifconfig addresses must be different");
1916 if (ce
->bind_defined
&& !ce
->bind_local
)
1917 msg (M_USAGE
, "--bind and --nobind can't be used together");
1919 if (ce
->local
&& !ce
->bind_local
)
1920 msg (M_USAGE
, "--local and --nobind don't make sense when used together");
1922 if (ce
->local_port_defined
&& !ce
->bind_local
)
1923 msg (M_USAGE
, "--lport and --nobind don't make sense when used together");
1925 if (!ce
->remote
&& !ce
->bind_local
)
1926 msg (M_USAGE
, "--nobind doesn't make sense unless used with --remote");
1929 * Check for consistency of management options
1931 #ifdef ENABLE_MANAGEMENT
1932 if (!options
->management_addr
&&
1933 (options
->management_flags
1934 || options
->management_write_peer_info_file
1935 || options
->management_log_history_cache
!= defaults
.management_log_history_cache
))
1936 msg (M_USAGE
, "--management is not specified, however one or more options which modify the behavior of --management were specified");
1938 if ((options
->management_client_user
|| options
->management_client_group
)
1939 && !(options
->management_flags
& MF_UNIX_SOCK
))
1940 msg (M_USAGE
, "--management-client-(user|group) can only be used on unix domain sockets");
1944 * Windows-specific options.
1948 if (dev
== DEV_TYPE_TUN
&& !(pull
|| (options
->ifconfig_local
&& options
->ifconfig_remote_netmask
)))
1949 msg (M_USAGE
, "On Windows, --ifconfig is required when --dev tun is used");
1951 if ((options
->tuntap_options
.ip_win32_defined
)
1952 && !(pull
|| (options
->ifconfig_local
&& options
->ifconfig_remote_netmask
)))
1953 msg (M_USAGE
, "On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
1955 if (options
->tuntap_options
.dhcp_options
1956 && options
->tuntap_options
.ip_win32_type
!= IPW32_SET_DHCP_MASQ
1957 && options
->tuntap_options
.ip_win32_type
!= IPW32_SET_ADAPTIVE
)
1958 msg (M_USAGE
, "--dhcp-options requires --ip-win32 dynamic or adaptive");
1962 * Check that protocol options make sense.
1965 #ifdef ENABLE_FRAGMENT
1966 if (!proto_is_udp(ce
->proto
) && ce
->fragment
)
1967 msg (M_USAGE
, "--fragment can only be used with --proto udp");
1971 if (!proto_is_udp(ce
->proto
) && ce
->explicit_exit_notification
)
1972 msg (M_USAGE
, "--explicit-exit-notify can only be used with --proto udp");
1975 if (!ce
->remote
&& (ce
->proto
== PROTO_TCPv4_CLIENT
1976 || ce
->proto
== PROTO_TCPv6_CLIENT
))
1977 msg (M_USAGE
, "--remote MUST be used in TCP Client mode");
1979 #ifdef ENABLE_HTTP_PROXY
1980 if ((ce
->http_proxy_options
) && ce
->proto
!= PROTO_TCPv4_CLIENT
)
1981 msg (M_USAGE
, "--http-proxy MUST be used in TCP Client mode (i.e. --proto tcp-client)");
1984 #if defined(ENABLE_HTTP_PROXY) && defined(ENABLE_SOCKS)
1985 if (ce
->http_proxy_options
&& ce
->socks_proxy_server
)
1986 msg (M_USAGE
, "--http-proxy can not be used together with --socks-proxy");
1990 if (ce
->socks_proxy_server
&& ce
->proto
== PROTO_TCPv4_SERVER
)
1991 msg (M_USAGE
, "--socks-proxy can not be used in TCP Server mode");
1994 if ((ce
->proto
== PROTO_TCPv4_SERVER
|| ce
->proto
== PROTO_TCPv6_SERVER
)
1995 && connection_list_defined (options
))
1996 msg (M_USAGE
, "TCP server mode allows at most one --remote address");
2001 * Check consistency of --mode server options.
2003 if (options
->mode
== MODE_SERVER
)
2005 if (!(dev
== DEV_TYPE_TUN
|| dev
== DEV_TYPE_TAP
))
2006 msg (M_USAGE
, "--mode server only works with --dev tun or --dev tap");
2008 msg (M_USAGE
, "--pull cannot be used with --mode server");
2009 if (!(proto_is_udp(ce
->proto
) || ce
->proto
== PROTO_TCPv4_SERVER
2010 || ce
->proto
== PROTO_TCPv6_SERVER
))
2011 msg (M_USAGE
, "--mode server currently only supports "
2012 "--proto udp or --proto tcp-server or proto tcp6-server");
2014 if ((options
->port_share_host
|| options
->port_share_port
) &&
2015 (ce
->proto
!= PROTO_TCPv4_SERVER
&& ce
->proto
!= PROTO_TCPv6_SERVER
))
2016 msg (M_USAGE
, "--port-share only works in TCP server mode "
2017 "(--proto tcp-server or tcp6-server)");
2019 if (!options
->tls_server
)
2020 msg (M_USAGE
, "--mode server requires --tls-server");
2022 msg (M_USAGE
, "--remote cannot be used with --mode server");
2023 if (!ce
->bind_local
)
2024 msg (M_USAGE
, "--nobind cannot be used with --mode server");
2025 #ifdef ENABLE_HTTP_PROXY
2026 if (ce
->http_proxy_options
)
2027 msg (M_USAGE
, "--http-proxy cannot be used with --mode server");
2030 if (ce
->socks_proxy_server
)
2031 msg (M_USAGE
, "--socks-proxy cannot be used with --mode server");
2033 if (options
->connection_list
)
2034 msg (M_USAGE
, "<connection> cannot be used with --mode server");
2036 if (options
->tun_ipv6
)
2037 msg (M_USAGE
, "--tun-ipv6 cannot be used with --mode server");
2039 if (options
->shaper
)
2040 msg (M_USAGE
, "--shaper cannot be used with --mode server");
2042 msg (M_USAGE
, "--inetd cannot be used with --mode server");
2043 if (options
->ipchange
)
2044 msg (M_USAGE
, "--ipchange cannot be used with --mode server (use --client-connect instead)");
2045 if (!(proto_is_dgram(ce
->proto
) || ce
->proto
== PROTO_TCPv4_SERVER
2046 || ce
->proto
== PROTO_TCPv6_SERVER
))
2047 msg (M_USAGE
, "--mode server currently only supports "
2048 "--proto udp or --proto tcp-server or --proto tcp6-server");
2049 if (!proto_is_udp(ce
->proto
) && (options
->cf_max
|| options
->cf_per
))
2050 msg (M_USAGE
, "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2051 if (!(dev
== DEV_TYPE_TAP
|| (dev
== DEV_TYPE_TUN
&& options
->topology
== TOP_SUBNET
)) && options
->ifconfig_pool_netmask
)
2052 msg (M_USAGE
, "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2054 if (ce
->explicit_exit_notification
)
2055 msg (M_USAGE
, "--explicit-exit-notify cannot be used with --mode server");
2057 if (options
->routes
&& (options
->routes
->flags
& RG_ENABLE
))
2058 msg (M_USAGE
, "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2059 if (options
->route_delay_defined
)
2060 msg (M_USAGE
, "--route-delay cannot be used with --mode server");
2061 if (options
->up_delay
)
2062 msg (M_USAGE
, "--up-delay cannot be used with --mode server");
2063 if (!options
->ifconfig_pool_defined
&& options
->ifconfig_pool_persist_filename
)
2064 msg (M_USAGE
, "--ifconfig-pool-persist must be used with --ifconfig-pool");
2065 if (options
->ifconfig_ipv6_pool_defined
&& !options
->ifconfig_ipv6_local
)
2066 msg (M_USAGE
, "--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2067 if (options
->ifconfig_ipv6_local
&& !options
->tun_ipv6
)
2068 msg (M_INFO
, "Warning: --ifconfig-ipv6 without --tun-ipv6 will not do IPv6");
2070 if (options
->auth_user_pass_file
)
2071 msg (M_USAGE
, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2072 if (options
->ccd_exclusive
&& !options
->client_config_dir
)
2073 msg (M_USAGE
, "--ccd-exclusive must be used with --client-config-dir");
2074 if (options
->key_method
!= 2)
2075 msg (M_USAGE
, "--mode server requires --key-method 2");
2078 const bool ccnr
= (options
->auth_user_pass_verify_script
2079 || PLUGIN_OPTION_LIST (options
)
2080 || MAN_CLIENT_AUTH_ENABLED (options
));
2081 const char *postfix
= "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2082 if ((options
->ssl_flags
& SSLF_CLIENT_CERT_NOT_REQUIRED
) && !ccnr
)
2083 msg (M_USAGE
, "--client-cert-not-required %s", postfix
);
2084 if ((options
->ssl_flags
& SSLF_USERNAME_AS_COMMON_NAME
) && !ccnr
)
2085 msg (M_USAGE
, "--username-as-common-name %s", postfix
);
2086 if ((options
->ssl_flags
& SSLF_AUTH_USER_PASS_OPTIONAL
) && !ccnr
)
2087 msg (M_USAGE
, "--auth-user-pass-optional %s", postfix
);
2093 * When not in server mode, err if parameters are
2094 * specified which require --mode server.
2096 if (options
->ifconfig_pool_defined
|| options
->ifconfig_pool_persist_filename
)
2097 msg (M_USAGE
, "--ifconfig-pool/--ifconfig-pool-persist requires --mode server");
2098 if (options
->ifconfig_ipv6_pool_defined
)
2099 msg (M_USAGE
, "--ifconfig-ipv6-pool requires --mode server");
2100 if (options
->real_hash_size
!= defaults
.real_hash_size
2101 || options
->virtual_hash_size
!= defaults
.virtual_hash_size
)
2102 msg (M_USAGE
, "--hash-size requires --mode server");
2103 if (options
->learn_address_script
)
2104 msg (M_USAGE
, "--learn-address requires --mode server");
2105 if (options
->client_connect_script
)
2106 msg (M_USAGE
, "--client-connect requires --mode server");
2107 if (options
->client_disconnect_script
)
2108 msg (M_USAGE
, "--client-disconnect requires --mode server");
2109 if (options
->client_config_dir
|| options
->ccd_exclusive
)
2110 msg (M_USAGE
, "--client-config-dir/--ccd-exclusive requires --mode server");
2111 if (options
->enable_c2c
)
2112 msg (M_USAGE
, "--client-to-client requires --mode server");
2113 if (options
->duplicate_cn
)
2114 msg (M_USAGE
, "--duplicate-cn requires --mode server");
2115 if (options
->cf_max
|| options
->cf_per
)
2116 msg (M_USAGE
, "--connect-freq requires --mode server");
2117 if (options
->ssl_flags
& SSLF_CLIENT_CERT_NOT_REQUIRED
)
2118 msg (M_USAGE
, "--client-cert-not-required requires --mode server");
2119 if (options
->ssl_flags
& SSLF_USERNAME_AS_COMMON_NAME
)
2120 msg (M_USAGE
, "--username-as-common-name requires --mode server");
2121 if (options
->ssl_flags
& SSLF_AUTH_USER_PASS_OPTIONAL
)
2122 msg (M_USAGE
, "--auth-user-pass-optional requires --mode server");
2123 if (options
->ssl_flags
& SSLF_OPT_VERIFY
)
2124 msg (M_USAGE
, "--opt-verify requires --mode server");
2125 if (options
->server_flags
& SF_TCP_NODELAY_HELPER
)
2126 msg (M_USAGE
, "--tcp-nodelay requires --mode server");
2127 if (options
->auth_user_pass_verify_script
)
2128 msg (M_USAGE
, "--auth-user-pass-verify requires --mode server");
2130 if (options
->port_share_host
|| options
->port_share_port
)
2131 msg (M_USAGE
, "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2134 if (options
->stale_routes_check_interval
)
2135 msg (M_USAGE
, "--stale-routes-check requires --mode server");
2136 if (compat_flag (COMPAT_FLAG_QUERY
| COMPAT_NO_NAME_REMAPPING
))
2137 msg (M_USAGE
, "--compat-x509-names no-remapping requires --mode server");
2139 #endif /* P2MP_SERVER */
2141 #ifdef ENABLE_CRYPTO
2144 * Check consistency of replay options
2146 if ((!proto_is_udp(ce
->proto
))
2147 && (options
->replay_window
!= defaults
.replay_window
2148 || options
->replay_time
!= defaults
.replay_time
))
2149 msg (M_USAGE
, "--replay-window only makes sense with --proto udp");
2151 if (!options
->replay
2152 && (options
->replay_window
!= defaults
.replay_window
2153 || options
->replay_time
!= defaults
.replay_time
))
2154 msg (M_USAGE
, "--replay-window doesn't make sense when replay protection is disabled with --no-replay");
2157 * SSL/TLS mode sanity checks.
2161 if (options
->tls_server
+ options
->tls_client
+
2162 (options
->shared_secret_file
!= NULL
) > 1)
2163 msg (M_USAGE
, "specify only one of --tls-server, --tls-client, or --secret");
2165 if (options
->tls_server
)
2167 notnull (options
->dh_file
, "DH file (--dh)");
2169 if (options
->tls_server
|| options
->tls_client
)
2171 #ifdef ENABLE_PKCS11
2172 if (options
->pkcs11_providers
[0])
2174 notnull (options
->ca_file
, "CA file (--ca)");
2176 if (options
->pkcs11_id_management
&& options
->pkcs11_id
!= NULL
)
2177 msg(M_USAGE
, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2178 if (!options
->pkcs11_id_management
&& options
->pkcs11_id
== NULL
)
2179 msg(M_USAGE
, "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2180 if (options
->cert_file
)
2181 msg(M_USAGE
, "Parameter --cert cannot be used when --pkcs11-provider is also specified.");
2182 if (options
->priv_key_file
)
2183 msg(M_USAGE
, "Parameter --key cannot be used when --pkcs11-provider is also specified.");
2184 #ifdef MANAGMENT_EXTERNAL_KEY
2185 if (options
->management_flags
& MF_EXTERNAL_KEY
)
2186 msg(M_USAGE
, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified.");
2188 if (options
->pkcs12_file
)
2189 msg(M_USAGE
, "Parameter --pkcs12 cannot be used when --pkcs11-provider is also specified.");
2190 #ifdef ENABLE_CRYPTOAPI
2191 if (options
->cryptoapi_cert
)
2192 msg(M_USAGE
, "Parameter --cryptoapicert cannot be used when --pkcs11-provider is also specified.");
2197 #ifdef MANAGMENT_EXTERNAL_KEY
2198 if((options
->management_flags
& MF_EXTERNAL_KEY
) && options
->priv_key_file
)
2200 msg (M_USAGE
, "--key and --management-external-key are mutually exclusive");
2204 #ifdef ENABLE_CRYPTOAPI
2205 if (options
->cryptoapi_cert
)
2207 if ((!(options
->ca_file
)) && (!(options
->ca_path
)))
2208 msg(M_USAGE
, "You must define CA file (--ca) or CA path (--capath)");
2209 if (options
->cert_file
)
2210 msg(M_USAGE
, "Parameter --cert cannot be used when --cryptoapicert is also specified.");
2211 if (options
->priv_key_file
)
2212 msg(M_USAGE
, "Parameter --key cannot be used when --cryptoapicert is also specified.");
2213 if (options
->pkcs12_file
)
2214 msg(M_USAGE
, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified.");
2215 #ifdef MANAGMENT_EXTERNAL_KEY
2216 if (options
->management_flags
& MF_EXTERNAL_KEY
)
2217 msg(M_USAGE
, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified.");
2222 if (options
->pkcs12_file
)
2224 #ifdef ENABLE_CRYPTO_POLARSSL
2225 msg(M_USAGE
, "Parameter --pkcs12 cannot be used with the PolarSSL version version of OpenVPN.");
2227 if (options
->ca_path
)
2228 msg(M_USAGE
, "Parameter --capath cannot be used when --pkcs12 is also specified.");
2229 if (options
->cert_file
)
2230 msg(M_USAGE
, "Parameter --cert cannot be used when --pkcs12 is also specified.");
2231 if (options
->priv_key_file
)
2232 msg(M_USAGE
, "Parameter --key cannot be used when --pkcs12 is also specified.");
2233 #ifdef MANAGMENT_EXTERNAL_KEY
2234 if (options
->management_flags
& MF_EXTERNAL_KEY
)
2235 msg(M_USAGE
, "Parameter --external-management-key cannot be used when --pkcs12 is also specified.");
2241 #ifdef ENABLE_CRYPTO_POLARSSL
2242 if (!(options
->ca_file
))
2243 msg(M_USAGE
, "You must define CA file (--ca)");
2244 if (options
->ca_path
)
2245 msg(M_USAGE
, "Parameter --capath cannot be used with the PolarSSL version version of OpenVPN.");
2247 if ((!(options
->ca_file
)) && (!(options
->ca_path
)))
2248 msg(M_USAGE
, "You must define CA file (--ca) or CA path (--capath)");
2253 const int sum
= (options
->cert_file
!= NULL
) +
2254 #ifdef MANAGMENT_EXTERNAL_KEY
2255 ((options
->priv_key_file
!= NULL
) || (options
->management_flags
& MF_EXTERNAL_KEY
));
2257 (options
->priv_key_file
!= NULL
);
2264 if (!options
->auth_user_pass_file
)
2266 msg (M_USAGE
, "No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass");
2272 msg (M_USAGE
, "If you use one of --cert or --key, you must use them both");
2277 notnull (options
->cert_file
, "certificate file (--cert) or PKCS#12 file (--pkcs12)");
2278 #ifdef MANAGMENT_EXTERNAL_KEY
2279 if (!(options
->management_flags
& MF_EXTERNAL_KEY
))
2281 notnull (options
->priv_key_file
, "private key file (--key) or PKCS#12 file (--pkcs12)");
2288 * Make sure user doesn't specify any TLS options
2289 * when in non-TLS mode.
2292 #define MUST_BE_UNDEF(parm) if (options->parm != defaults.parm) msg (M_USAGE, err, #parm);
2294 const char err
[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";
2296 MUST_BE_UNDEF (ca_file
);
2297 MUST_BE_UNDEF (ca_path
);
2298 MUST_BE_UNDEF (dh_file
);
2299 MUST_BE_UNDEF (cert_file
);
2300 MUST_BE_UNDEF (priv_key_file
);
2301 #ifndef ENABLE_CRYPTO_POLARSSL
2302 MUST_BE_UNDEF (pkcs12_file
);
2304 MUST_BE_UNDEF (cipher_list
);
2305 MUST_BE_UNDEF (tls_verify
);
2306 MUST_BE_UNDEF (tls_export_cert
);
2307 MUST_BE_UNDEF (verify_x509_name
);
2308 MUST_BE_UNDEF (tls_timeout
);
2309 MUST_BE_UNDEF (renegotiate_bytes
);
2310 MUST_BE_UNDEF (renegotiate_packets
);
2311 MUST_BE_UNDEF (renegotiate_seconds
);
2312 MUST_BE_UNDEF (handshake_window
);
2313 MUST_BE_UNDEF (transition_window
);
2314 MUST_BE_UNDEF (tls_auth_file
);
2315 MUST_BE_UNDEF (single_session
);
2316 #ifdef ENABLE_PUSH_PEER_INFO
2317 MUST_BE_UNDEF (push_peer_info
);
2319 MUST_BE_UNDEF (tls_exit
);
2320 MUST_BE_UNDEF (crl_file
);
2321 MUST_BE_UNDEF (key_method
);
2322 MUST_BE_UNDEF (ns_cert_type
);
2323 MUST_BE_UNDEF (remote_cert_ku
[0]);
2324 MUST_BE_UNDEF (remote_cert_eku
);
2325 #ifdef ENABLE_PKCS11
2326 MUST_BE_UNDEF (pkcs11_providers
[0]);
2327 MUST_BE_UNDEF (pkcs11_private_mode
[0]);
2328 MUST_BE_UNDEF (pkcs11_id
);
2329 MUST_BE_UNDEF (pkcs11_id_management
);
2333 msg (M_USAGE
, err
, "--pull");
2335 #undef MUST_BE_UNDEF
2336 #endif /* ENABLE_CRYPTO */
2337 #endif /* ENABLE_SSL */
2340 if (options
->auth_user_pass_file
&& !options
->pull
)
2341 msg (M_USAGE
, "--auth-user-pass requires --pull");
2344 uninit_options (&defaults
);
2348 options_postprocess_mutate_ce (struct options
*o
, struct connection_entry
*ce
)
2350 const int dev
= dev_type_enum (o
->dev
, o
->dev_type
);
2353 if (o
->server_defined
|| o
->server_bridge_defined
|| o
->server_bridge_proxy_dhcp
)
2355 if (ce
->proto
== PROTO_TCPv4
)
2356 ce
->proto
= PROTO_TCPv4_SERVER
;
2357 else if (ce
->proto
== PROTO_TCPv6
)
2358 ce
->proto
= PROTO_TCPv6_SERVER
;
2364 if (ce
->proto
== PROTO_TCPv4
)
2365 ce
->proto
= PROTO_TCPv4_CLIENT
;
2366 else if (ce
->proto
== PROTO_TCPv6
)
2367 ce
->proto
= PROTO_TCPv6_CLIENT
;
2371 if (ce
->proto
== PROTO_TCPv4_CLIENT
&& !ce
->local
&& !ce
->local_port_defined
&& !ce
->bind_defined
)
2372 ce
->bind_local
= false;
2375 if (ce
->proto
== PROTO_UDPv4
&& ce
->socks_proxy_server
&& !ce
->local
&& !ce
->local_port_defined
&& !ce
->bind_defined
)
2376 ce
->bind_local
= false;
2379 if (!ce
->bind_local
)
2382 /* if protocol forcing is enabled, disable all protocols except for the forced one */
2383 if (o
->proto_force
>= 0 && proto_is_tcp(o
->proto_force
) != proto_is_tcp(ce
->proto
))
2384 ce
->flags
|= CE_DISABLED
;
2387 * If --mssfix is supplied without a parameter, default
2388 * it to --fragment value, if --fragment is specified.
2390 if (o
->ce
.mssfix_default
)
2392 #ifdef ENABLE_FRAGMENT
2394 o
->ce
.mssfix
= ce
->fragment
;
2396 msg (M_USAGE
, "--mssfix must specify a parameter");
2404 if (!ce
->tun_mtu_defined
&& !ce
->link_mtu_defined
)
2406 ce
->tun_mtu_defined
= true;
2408 if ((dev
== DEV_TYPE_TAP
) && !ce
->tun_mtu_extra_defined
)
2410 ce
->tun_mtu_extra_defined
= true;
2411 ce
->tun_mtu_extra
= TAP_MTU_EXTRA_DEFAULT
;
2418 options_postprocess_mutate_invariant (struct options
*options
)
2420 const int dev
= dev_type_enum (options
->dev
, options
->dev_type
);
2423 * In forking TCP server mode, you don't need to ifconfig
2424 * the tap device (the assumption is that it will be bridged).
2426 if (options
->inetd
== INETD_NOWAIT
)
2427 options
->ifconfig_noexec
= true;
2430 if ((dev
== DEV_TYPE_TUN
|| dev
== DEV_TYPE_TAP
) && !options
->route_delay_defined
)
2432 if (options
->mode
== MODE_POINT_TO_POINT
)
2434 options
->route_delay_defined
= true;
2435 options
->route_delay
= 5; /* Vista sometimes has a race without this */
2439 if (options
->ifconfig_noexec
)
2441 options
->tuntap_options
.ip_win32_type
= IPW32_SET_MANUAL
;
2442 options
->ifconfig_noexec
= false;
2448 * Check consistency of --mode server options.
2450 if (options
->mode
== MODE_SERVER
)
2454 * We need to explicitly set --tap-sleep because
2455 * we do not schedule event timers in the top-level context.
2457 options
->tuntap_options
.tap_sleep
= 10;
2458 if (options
->route_delay_defined
&& options
->route_delay
)
2459 options
->tuntap_options
.tap_sleep
= options
->route_delay
;
2460 options
->route_delay_defined
= false;
2467 options_postprocess_verify (const struct options
*o
)
2469 if (o
->connection_list
)
2472 for (i
= 0; i
< o
->connection_list
->len
; ++i
)
2473 options_postprocess_verify_ce (o
, o
->connection_list
->array
[i
]);
2476 options_postprocess_verify_ce (o
, &o
->ce
);
2480 options_postprocess_mutate (struct options
*o
)
2483 * Process helper-type options which map to other, more complex
2484 * sequences of options.
2486 helper_client_server (o
);
2487 helper_keepalive (o
);
2488 helper_tcp_nodelay (o
);
2490 options_postprocess_mutate_invariant (o
);
2492 if (o
->remote_list
&& !o
->connection_list
)
2495 * For compatibility with 2.0.x, map multiple --remote options
2496 * into connection list (connection lists added in 2.1).
2498 if (o
->remote_list
->len
> 1 || o
->force_connection_list
)
2500 const struct remote_list
*rl
= o
->remote_list
;
2502 for (i
= 0; i
< rl
->len
; ++i
)
2504 const struct remote_entry
*re
= rl
->array
[i
];
2505 struct connection_entry ce
= o
->ce
;
2506 struct connection_entry
*ace
;
2508 ASSERT (re
->remote
);
2509 connection_entry_load_re (&ce
, re
);
2510 ace
= alloc_connection_entry (o
, M_USAGE
);
2515 else if (o
->remote_list
->len
== 1) /* one --remote option specified */
2517 connection_entry_load_re (&o
->ce
, o
->remote_list
->array
[0]);
2524 if (o
->connection_list
)
2527 for (i
= 0; i
< o
->connection_list
->len
; ++i
)
2528 options_postprocess_mutate_ce (o
, o
->connection_list
->array
[i
]);
2530 #if HTTP_PROXY_OVERRIDE
2531 if (o
->http_proxy_override
)
2532 options_postprocess_http_proxy_override(o
);
2536 options_postprocess_mutate_ce (o
, &o
->ce
);
2540 * Save certain parms before modifying options via --pull
2547 * Check file/directory sanity
2550 #ifndef ENABLE_SMALL /** Expect people using the stripped down version to know what they do */
2552 #define CHKACC_FILE (1<<0) /** Check for a file/directory precense */
2553 #define CHKACC_DIRPATH (1<<1) /** Check for directory precense where a file should reside */
2554 #define CHKACC_FILEXSTWR (1<<2) /** If file exists, is it writable? */
2555 #define CHKACC_INLINE (1<<3) /** File is present if it's an inline file */
2556 #define CHKACC_ACPTSTDIN (1<<4) /** If filename is stdin, it's allowed and "exists" */
2559 check_file_access(const int type
, const char *file
, const int mode
, const char *opt
)
2563 /* If no file configured, no errors to look for */
2567 /* If this may be an inline file, and the proper inline "filename" is set - no issues */
2568 if ((type
& CHKACC_INLINE
) && streq(file
, INLINE_FILE_TAG
) )
2571 /* If stdin is allowed and the file name is 'stdin', then do no
2572 * further checks as stdin is always available
2574 if( (type
& CHKACC_ACPTSTDIN
) && streq(file
, "stdin") )
2577 /* Is the directory path leading to the given file accessible? */
2578 if (type
& CHKACC_DIRPATH
)
2580 char *fullpath
= strdup(file
); /* POSIX dirname() implementaion may modify its arguments */
2581 char *dirpath
= dirname(fullpath
);
2583 if (platform_access (dirpath
, mode
|X_OK
) != 0)
2588 /* Is the file itself accessible? */
2589 if (!errcode
&& (type
& CHKACC_FILE
) && (platform_access (file
, mode
) != 0) )
2592 /* If the file exists and is accessible, is it writable? */
2593 if (!errcode
&& (type
& CHKACC_FILEXSTWR
) && (platform_access (file
, F_OK
) == 0) )
2594 if (platform_access (file
, W_OK
) != 0)
2597 /* Scream if an error is found */
2599 msg (M_NOPREFIX
|M_OPTERR
, "%s fails with '%s': %s",
2600 opt
, file
, strerror(errno
));
2602 /* Return true if an error occured */
2603 return (errcode
!= 0 ? true : false);
2607 * Verifies that the path in the "command" that comes after certain script options (e.g., --up) is a
2608 * valid file with appropriate permissions.
2610 * "command" consists of a path, optionally followed by a space, which may be
2611 * followed by arbitrary arguments. It is NOT a full shell command line -- shell expansion is not
2614 * The path and arguments in "command" may be single- or double-quoted or escaped.
2616 * The path is extracted from "command", then check_file_access() is called to check it. The
2617 * arguments, if any, are ignored.
2619 * Note that the type, mode, and opt arguments to this routine are the same as the corresponding
2620 * check_file_access() arguments.
2623 check_cmd_access(const char *command
, const char *opt
)
2628 /* If no command was set, there are no errors to look for */
2632 /* Extract executable path and arguments */
2634 argv_printf (&argv
, "%sc", command
);
2636 /* if an executable is specified then check it; otherwise, complain */
2638 /* Scripts requires R_OK as well, but that might fail on binaries which
2639 * only requires X_OK to function on Unix - a scenario not unlikely to
2640 * be seen on suid binaries.
2642 return_code
= check_file_access(CHKACC_FILE
, argv
.argv
[0], X_OK
, opt
);
2645 msg (M_NOPREFIX
|M_OPTERR
, "%s fails with '%s': No path to executable.",
2656 * Sanity check of all file/dir options. Checks that file/dir
2657 * is accessible by OpenVPN
2660 options_postprocess_filechecks (struct options
*options
)
2664 /* ** SSL/TLS/crypto related files ** */
2666 errs
|= check_file_access (CHKACC_FILE
|CHKACC_INLINE
, options
->dh_file
, R_OK
, "--dh");
2667 errs
|= check_file_access (CHKACC_FILE
|CHKACC_INLINE
, options
->ca_file
, R_OK
, "--ca");
2668 errs
|= check_file_access (CHKACC_FILE
, options
->ca_path
, R_OK
, "--capath");
2669 errs
|= check_file_access (CHKACC_FILE
|CHKACC_INLINE
, options
->cert_file
, R_OK
, "--cert");
2670 errs
|= check_file_access (CHKACC_FILE
|CHKACC_INLINE
, options
->extra_certs_file
, R_OK
,
2672 #ifdef MANAGMENT_EXTERNAL_KEY
2673 if(!(options
->management_flags
& MF_EXTERNAL_KEY
))
2675 errs
|= check_file_access (CHKACC_FILE
|CHKACC_INLINE
, options
->priv_key_file
, R_OK
,
2677 errs
|= check_file_access (CHKACC_FILE
|CHKACC_INLINE
, options
->pkcs12_file
, R_OK
,
2680 if (options
->ssl_flags
& SSLF_CRL_VERIFY_DIR
)
2681 errs
|= check_file_access (CHKACC_FILE
, options
->crl_file
, R_OK
|X_OK
,
2682 "--crl-verify directory");
2684 errs
|= check_file_access (CHKACC_FILE
, options
->crl_file
, R_OK
,
2687 errs
|= check_file_access (CHKACC_FILE
|CHKACC_INLINE
, options
->tls_auth_file
, R_OK
,
2689 #endif /* ENABLE_SSL */
2690 #ifdef ENABLE_CRYPTO
2691 errs
|= check_file_access (CHKACC_FILE
|CHKACC_INLINE
, options
->shared_secret_file
, R_OK
,
2693 errs
|= check_file_access (CHKACC_DIRPATH
|CHKACC_FILEXSTWR
,
2694 options
->packet_id_file
, R_OK
|W_OK
, "--replay-persist");
2695 #endif /* ENABLE_CRYPTO */
2698 /* ** Password files ** */
2700 errs
|= check_file_access (CHKACC_FILE
, options
->key_pass_file
, R_OK
,
2702 #endif /* ENABLE_SSL */
2703 #ifdef ENABLE_MANAGEMENT
2704 errs
|= check_file_access (CHKACC_FILE
|CHKACC_ACPTSTDIN
,
2705 options
->management_user_pass
, R_OK
,
2706 "--management user/password file");
2707 #endif /* ENABLE_MANAGEMENT */
2709 errs
|= check_file_access (CHKACC_FILE
|CHKACC_ACPTSTDIN
,
2710 options
->auth_user_pass_file
, R_OK
,
2711 "--auth-user-pass");
2714 /* ** System related ** */
2715 errs
|= check_file_access (CHKACC_FILE
, options
->chroot_dir
,
2716 R_OK
|X_OK
, "--chroot directory");
2717 errs
|= check_file_access (CHKACC_DIRPATH
|CHKACC_FILEXSTWR
, options
->writepid
,
2718 R_OK
|W_OK
, "--writepid");
2720 /* ** Log related ** */
2721 errs
|= check_file_access (CHKACC_DIRPATH
|CHKACC_FILEXSTWR
, options
->status_file
,
2722 R_OK
|W_OK
, "--status");
2724 /* ** Config related ** */
2726 errs
|= check_file_access (CHKACC_FILE
, options
->tls_export_cert
,
2727 R_OK
|W_OK
|X_OK
, "--tls-export-cert");
2728 #endif /* ENABLE_SSL */
2730 errs
|= check_file_access (CHKACC_FILE
, options
->client_config_dir
,
2731 R_OK
|X_OK
, "--client-config-dir");
2732 errs
|= check_file_access (CHKACC_FILE
, options
->tmp_dir
,
2733 R_OK
|W_OK
|X_OK
, "Temporary directory (--tmp-dir)");
2735 #endif /* P2MP_SERVER */
2738 msg (M_USAGE
, "Please correct these errors.");
2740 #endif /* !ENABLE_SMALL */
2743 * Sanity check on options.
2744 * Also set some options based on other
2748 options_postprocess (struct options
*options
)
2750 options_postprocess_mutate (options
);
2751 options_postprocess_verify (options
);
2752 #ifndef ENABLE_SMALL
2753 options_postprocess_filechecks (options
);
2754 #endif /* !ENABLE_SMALL */
2760 * Save/Restore certain option defaults before --pull is applied.
2764 pre_pull_save (struct options
*o
)
2768 ALLOC_OBJ_CLEAR_GC (o
->pre_pull
, struct options_pre_pull
, &o
->gc
);
2769 o
->pre_pull
->tuntap_options
= o
->tuntap_options
;
2770 o
->pre_pull
->tuntap_options_defined
= true;
2771 o
->pre_pull
->foreign_option_index
= o
->foreign_option_index
;
2774 o
->pre_pull
->routes
= clone_route_option_list(o
->routes
, &o
->gc
);
2775 o
->pre_pull
->routes_defined
= true;
2779 o
->pre_pull
->routes_ipv6
= clone_route_ipv6_option_list(o
->routes_ipv6
, &o
->gc
);
2780 o
->pre_pull
->routes_ipv6_defined
= true;
2782 #ifdef ENABLE_CLIENT_NAT
2785 o
->pre_pull
->client_nat
= clone_client_nat_option_list(o
->client_nat
, &o
->gc
);
2786 o
->pre_pull
->client_nat_defined
= true;
2793 pre_pull_restore (struct options
*o
)
2795 const struct options_pre_pull
*pp
= o
->pre_pull
;
2798 CLEAR (o
->tuntap_options
);
2799 if (pp
->tuntap_options_defined
)
2800 o
->tuntap_options
= pp
->tuntap_options
;
2802 if (pp
->routes_defined
)
2804 rol_check_alloc (o
);
2805 copy_route_option_list (o
->routes
, pp
->routes
);
2810 if (pp
->routes_ipv6_defined
)
2812 rol6_check_alloc (o
);
2813 copy_route_ipv6_option_list (o
->routes_ipv6
, pp
->routes_ipv6
);
2816 o
->routes_ipv6
= NULL
;
2818 #ifdef ENABLE_CLIENT_NAT
2819 if (pp
->client_nat_defined
)
2821 cnol_check_alloc (o
);
2822 copy_client_nat_option_list (o
->client_nat
, pp
->client_nat
);
2825 o
->client_nat
= NULL
;
2828 o
->foreign_option_index
= pp
->foreign_option_index
;
2831 o
->push_continuation
= 0;
2839 * Build an options string to represent data channel encryption options.
2840 * This string must match exactly between peers. The keysize is checked
2841 * separately by read_key().
2843 * The following options must match on both peers:
2847 * --dev tun|tap [unit number need not match]
2848 * --dev-type tun|tap
2853 * --proto tcp-client [matched with --proto tcp-server
2854 * on the other end of the connection]
2855 * --proto tcp-server [matched with --proto tcp-client on
2856 * the other end of the connection]
2858 * --ifconfig x y [matched with --ifconfig y x on
2859 * the other end of the connection]
2876 * --tls-client [matched with --tls-server on
2877 * the other end of the connection]
2878 * --tls-server [matched with --tls-client on
2879 * the other end of the connection]
2883 options_string (const struct options
*o
,
2884 const struct frame
*frame
,
2887 struct gc_arena
*gc
)
2889 struct buffer out
= alloc_buf (OPTION_LINE_SIZE
);
2890 bool tt_local
= false;
2892 buf_printf (&out
, "V4");
2898 buf_printf (&out
, ",dev-type %s", dev_type_string (o
->dev
, o
->dev_type
));
2899 buf_printf (&out
, ",link-mtu %d", EXPANDED_SIZE (frame
));
2900 buf_printf (&out
, ",tun-mtu %d", PAYLOAD_SIZE (frame
));
2901 buf_printf (&out
, ",proto %s", proto2ascii (proto_remote (o
->ce
.proto
, remote
), true));
2903 /* send tun_ipv6 only in peer2peer mode - in client/server mode, it
2904 * is usually pushed by the server, triggering a non-helpful warning
2906 if (o
->tun_ipv6
&& o
->mode
== MODE_POINT_TO_POINT
&& !PULL_DEFINED(o
))
2907 buf_printf (&out
, ",tun-ipv6");
2910 * Try to get ifconfig parameters into the options string.
2911 * If tt is undefined, make a temporary instantiation.
2915 tt
= init_tun (o
->dev
,
2919 o
->ifconfig_remote_netmask
,
2920 o
->ifconfig_ipv6_local
,
2921 o
->ifconfig_ipv6_netbits
,
2922 o
->ifconfig_ipv6_remote
,
2931 if (tt
&& o
->mode
== MODE_POINT_TO_POINT
&& !PULL_DEFINED(o
))
2933 const char *ios
= ifconfig_options_string (tt
, remote
, o
->ifconfig_nowarn
, gc
);
2934 if (ios
&& strlen (ios
))
2935 buf_printf (&out
, ",ifconfig %s", ios
);
2944 if (o
->lzo
& LZO_SELECTED
)
2945 buf_printf (&out
, ",comp-lzo");
2948 #ifdef ENABLE_FRAGMENT
2950 buf_printf (&out
, ",mtu-dynamic");
2953 #ifdef ENABLE_CRYPTO
2956 #define TLS_CLIENT (o->tls_client)
2957 #define TLS_SERVER (o->tls_server)
2959 #define TLS_CLIENT (false)
2960 #define TLS_SERVER (false)
2967 const char *kd
= keydirection2ascii (o
->key_direction
, remote
);
2969 buf_printf (&out
, ",keydir %s", kd
);
2975 if (o
->shared_secret_file
|| TLS_CLIENT
|| TLS_SERVER
)
2979 ASSERT ((o
->shared_secret_file
!= NULL
)
2980 + (TLS_CLIENT
== true)
2981 + (TLS_SERVER
== true)
2984 init_key_type (&kt
, o
->ciphername
, o
->ciphername_defined
,
2985 o
->authname
, o
->authname_defined
,
2986 o
->keysize
, true, false);
2988 buf_printf (&out
, ",cipher %s", cipher_kt_name (kt
.cipher
));
2989 buf_printf (&out
, ",auth %s", md_kt_name (kt
.digest
));
2990 buf_printf (&out
, ",keysize %d", kt
.cipher_length
* 8);
2991 if (o
->shared_secret_file
)
2992 buf_printf (&out
, ",secret");
2994 buf_printf (&out
, ",no-replay");
2996 buf_printf (&out
, ",no-iv");
2998 #ifdef ENABLE_PREDICTION_RESISTANCE
2999 if (o
->use_prediction_resistance
)
3000 buf_printf (&out
, ",use-prediction-resistance");
3009 if (TLS_CLIENT
|| TLS_SERVER
)
3011 if (o
->tls_auth_file
)
3012 buf_printf (&out
, ",tls-auth");
3014 if (o
->key_method
> 1)
3015 buf_printf (&out
, ",key-method %d", o
->key_method
);
3021 buf_printf (&out
, ",tls-server");
3022 else if (TLS_SERVER
)
3023 buf_printf (&out
, ",tls-client");
3028 buf_printf (&out
, ",tls-client");
3029 else if (TLS_SERVER
)
3030 buf_printf (&out
, ",tls-server");
3033 #endif /* ENABLE_SSL */
3038 #endif /* ENABLE_CRYPTO */
/*
 * Compare the received option string `actual` with the locally built
 * `expected` one.  When the first two characters differ the two sides
 * run different options-string versions; in that case the strings are
 * not compared at all and the check reports success.
 *
 * `actual` is writable because the bounded comparison NUL-terminates
 * it in place; the bound passed here is its own length plus the
 * terminator.
 */
bool
options_cmp_equal (char *actual, const char *expected)
{
  const size_t actual_n = strlen (actual) + 1;
  return options_cmp_equal_safe (actual, expected, actual_n);
}
/*
 * Log every difference between the received option string `actual` and
 * the locally `expected` one, bounding the scan at actual's own NUL
 * terminator.  Thin wrapper over options_warning_safe().
 */
void
options_warning (char *actual, const char *expected)
{
  const size_t actual_n = strlen (actual) + 1;
  options_warning_safe (actual, expected, actual_n);
}
/*
 * Return the first space-delimited token of option_string (the option
 * name in an "name value" entry), copied into gc_ret so it outlives the
 * private scratch arena used for the parse.
 * NOTE(review): the declaration of ret and the gc_free of the scratch
 * arena fall in the line gap after the string_alloc and are not visible
 * in this extract.
 */
3063 options_warning_extract_parm1 (const char *option_string
,
3064 struct gc_arena
*gc_ret
)
3066 struct gc_arena gc
= gc_new ();
3067 struct buffer b
= string_alloc_buf (option_string
, &gc
);
3068 char *p
= gc_malloc (OPTION_PARM_SIZE
, false, &gc
);
/* Only the first token is wanted: a single bounded buf_parse on ' '. */
3071 buf_parse (&b
, ' ', p
, OPTION_PARM_SIZE
);
3072 ret
= string_alloc (p
, gc_ret
);
/*
 * Inner half of the options-consistency check: look for the entry p1
 * (taken from one side's option string) among the delim-separated
 * entries of b2_src.  An exact match ends the search; a match on the
 * option name only (first token) is logged as "used inconsistently"
 * when report_inconsistent is set; no match at all is logged as
 * "present in X config but missing in Y config".  b1_name/b2_name are
 * the labels used in those messages.  Entries starting with "proto "
 * are ignored (see the comment below).
 * Values are passed through safe_print() before logging; presumably
 * that sanitises peer-supplied text, since one side of the comparison
 * is the remote's option string -- confirm in buffer.c.
 * NOTE(review): the delim and p1 parameters, the early returns after
 * the two strcmp matches and the gc_free sit in line gaps here.
 */
3078 options_warning_safe_scan2 (const int msglevel
,
3080 const bool report_inconsistent
,
3082 const struct buffer
*b2_src
,
3083 const char *b1_name
,
3084 const char *b2_name
)
3086 /* we will stop sending 'proto xxx' in OCC in a future version
3087 * (because it's not useful), and to reduce questions when
3088 * interoperating, we start not-printing a warning about it today
3090 if (strncmp(p1
, "proto ", 6) == 0 )
3095 if (strlen (p1
) > 0)
3097 struct gc_arena gc
= gc_new ();
/* Work on a copy of the buffer so the caller's read position is untouched. */
3098 struct buffer b2
= *b2_src
;
3099 const char *p1_prefix
= options_warning_extract_parm1 (p1
, &gc
);
3100 char *p2
= gc_malloc (OPTION_PARM_SIZE
, false, &gc
);
3102 while (buf_parse (&b2
, delim
, p2
, OPTION_PARM_SIZE
))
3106 const char *p2_prefix
= options_warning_extract_parm1 (p2
, &gc
);
/* Whole entry equal: nothing to report. */
3108 if (!strcmp (p1
, p2
))
/* Same option name, different value. */
3110 if (!strcmp (p1_prefix
, p2_prefix
))
3112 if (report_inconsistent
)
3113 msg (msglevel
, "WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
3114 safe_print (p1_prefix
, &gc
),
3116 safe_print (p1
, &gc
),
3118 safe_print (p2
, &gc
));
/* Loop exhausted without a name match. */
3124 msg (msglevel
, "WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
3125 safe_print (p1_prefix
, &gc
),
3129 safe_print (p1
, &gc
));
/*
 * Outer half of the options-consistency check: split b1_src on delim
 * (working on a copy so the caller's buffer is not consumed) and run
 * options_warning_safe_scan2() for every entry, looking it up in
 * b2_src.  b1_name/b2_name label the two sides in the warnings;
 * report_inconsistent is passed straight through.
 * NOTE(review): the delim parameter is used below but declared in the
 * gap after the first line; the gc_free of the arena is not visible.
 */
3137 options_warning_safe_scan1 (const int msglevel
,
3139 const bool report_inconsistent
,
3140 const struct buffer
*b1_src
,
3141 const struct buffer
*b2_src
,
3142 const char *b1_name
,
3143 const char *b2_name
)
3145 struct gc_arena gc
= gc_new ();
3146 struct buffer b
= *b1_src
;
3147 char *p
= gc_malloc (OPTION_PARM_SIZE
, true, &gc
);
3149 while (buf_parse (&b
, delim
, p
, OPTION_PARM_SIZE
))
3150 options_warning_safe_scan2 (msglevel
, delim
, report_inconsistent
, p
, b2_src
, b1_name
, b2_name
);
/*
 * Log, at msglevel, the differences between the received option string
 * `actual` and the locally built `expected` one.  Both are wrapped as
 * "version <string>" entries and scanned in both directions: the first
 * scan reports inconsistent values, the second only reports entries
 * missing from the other side (report_inconsistent=false, so the same
 * mismatch is not logged twice).
 * `actual` is forced NUL-terminated in place at actual_n - 1, which is
 * what makes the remaining string handling safe for peer-supplied data;
 * this requires actual_n >= 1.
 * NOTE(review): the actual_n > 0 guard (if any) and the buffer
 * arguments of the two scan1 calls fall in line gaps here -- confirm
 * the guard exists before relying on it.
 */
3156 options_warning_safe_ml (const int msglevel
, char *actual
, const char *expected
, size_t actual_n
)
3158 struct gc_arena gc
= gc_new ();
3162 struct buffer local
= alloc_buf_gc (OPTION_PARM_SIZE
+ 16, &gc
);
3163 struct buffer remote
= alloc_buf_gc (OPTION_PARM_SIZE
+ 16, &gc
);
3164 actual
[actual_n
- 1] = 0;
3166 buf_printf (&local
, "version %s", expected
);
3167 buf_printf (&remote
, "version %s", actual
);
3169 options_warning_safe_scan1 (msglevel
, ',', true,
3173 options_warning_safe_scan1 (msglevel
, ',', false,
/*
 * Bounded comparison of the received option string `actual` (at most
 * actual_n bytes, forced NUL-terminated in place) with `expected`.
 * Unless ENABLE_STRICT_OPTIONS_CHECK is defined, a difference in the
 * first two characters is treated as a version difference: it is only
 * noted at D_SHOW_OCC and the detailed warning is printed, without
 * failing the check.  Otherwise the result is a plain strcmp equality.
 * NOTE(review): the initial value of ret, the actual_n > 0 guard and
 * the gc_free/return are in line gaps here; the comment on
 * options_cmp_equal says a version mismatch compares equal -- confirm
 * against the full source.
 */
3182 options_cmp_equal_safe (char *actual
, const char *expected
, size_t actual_n
)
3184 struct gc_arena gc
= gc_new ();
3189 actual
[actual_n
- 1] = 0;
3190 #ifndef ENABLE_STRICT_OPTIONS_CHECK
3191 if (strncmp (actual
, expected
, 2))
3193 msg (D_SHOW_OCC
, "NOTE: Options consistency check may be skewed by version differences");
3194 options_warning_safe_ml (D_SHOW_OCC
, actual
, expected
, actual_n
);
3198 ret
= !strcmp (actual
, expected
);
/*
 * Report, at M_WARN, every difference between the received option
 * string `actual` (at most actual_n bytes; NUL-terminated in place by
 * the callee) and the locally expected one.
 */
void
options_warning_safe (char *actual, const char *expected, size_t actual_n)
{
  const int level = M_WARN;
  options_warning_safe_ml (level, actual, expected, actual_n);
}
/*
 * Extract the version prefix of an option string: at most the first 3
 * characters of s, copied into a 4-byte buffer from gc (room for the
 * terminator).  The "nt" copy helper presumably NUL-terminates the
 * result; the return statement is in a line gap here -- confirm.
 */
3211 options_string_version (const char* s
, struct gc_arena
*gc
)
3213 struct buffer out
= alloc_buf_gc (4, gc
);
3214 strncpynt ((char *) BPTR (&out
), s
, 3);
3218 #endif /* ENABLE_OCC */
/*
 * Export argv[0..len-1] into the environment set es as
 * foreign_option_<N>="<argv elements joined by spaces>", where N is the
 * per-options counter that is incremented on every call.  Name and
 * value are built in OPTION_PARM_SIZE buffers; every buf_printf result
 * is AND-ed into good so that an over-long value is detected and only
 * a warning is logged instead of exporting a truncated string.
 * NOTE(review): the if (good) / else around setenv_str, the skip of
 * NULL argv entries and the declarations of good/i are in line gaps.
 */
3221 foreign_option (struct options
*o
, char *argv
[], int len
, struct env_set
*es
)
3225 struct gc_arena gc
= gc_new();
3226 struct buffer name
= alloc_buf_gc (OPTION_PARM_SIZE
, &gc
);
3227 struct buffer value
= alloc_buf_gc (OPTION_PARM_SIZE
, &gc
);
3232 good
&= buf_printf (&name
, "foreign_option_%d", o
->foreign_option_index
+ 1);
3233 ++o
->foreign_option_index
;
3234 for (i
= 0; i
< len
; ++i
)
/* Separator before every element but the first (guard not visible here). */
3239 good
&= buf_printf (&value
, " ");
3240 good
&= buf_printf (&value
, "%s", argv
[i
]);
3245 setenv_str (es
, BSTR(&name
), BSTR(&value
));
3247 msg (M_WARN
, "foreign_option: name/value overflow");
3253 * parse/print topology coding
/*
 * Map a --topology argument ("net30", "p2p" or "subnet") to its
 * topology code.  Any other value is reported at msglevel.
 * NOTE(review): the return statements for each branch and for the
 * error case are in line gaps here.
 */
3257 parse_topology (const char *str
, const int msglevel
)
3259 if (streq (str
, "net30"))
3261 else if (streq (str
, "p2p"))
3263 else if (streq (str
, "subnet"))
3267 msg (msglevel
, "--topology must be net30, p2p, or subnet");
/*
 * Inverse of parse_topology(): render a topology code as its option
 * keyword.  NOTE(review): the body is not visible in this extract.
 */
3273 print_topology (const int topology
)
3293 * Manage auth-retry variable
/* Process-wide --auth-retry mode (AR_* value), set via auth_retry_set(). */
3296 static int global_auth_retry
; /* GLOBAL */
/* Current --auth-retry mode (an AR_* value); see auth_retry_set(). */
int
auth_retry_get (void)
{
  const int mode = global_auth_retry;
  return mode;
}
/*
 * Set the process-wide --auth-retry mode from its option keyword
 * ("interact", "nointeract" or "none").  Returns true on success; an
 * unknown keyword is reported at msglevel and false is returned with
 * the mode left unchanged.
 */
bool
auth_retry_set (const int msglevel, const char *option)
{
  static const struct
  {
    const char *keyword;
    int mode;
  } table[] = {
    { "interact",   AR_INTERACT },
    { "nointeract", AR_NOINTERACT },
    { "none",       AR_NONE },
  };
  size_t k;

  for (k = 0; k < sizeof table / sizeof table[0]; ++k)
    {
      if (streq (option, table[k].keyword))
        {
          global_auth_retry = table[k].mode;
          return true;
        }
    }
  msg (msglevel, "--auth-retry method must be 'interact', 'nointeract', or 'none'");
  return false;
}
/*
 * Render the current --auth-retry mode as its option keyword.
 * NOTE(review): only the "nointeract" case survives in this extract.
 */
3322 auth_retry_print (void)
3324 switch (global_auth_retry
)
3329 return "nointeract";
3340 * Print the help message.
/*
 * Print the --help text to the message stream and exit with the usage
 * status.  Defaults shown in the text come from a freshly initialised
 * options struct; the three fprintf variants exist because
 * usage_message takes a different argument list depending on whether
 * ENABLE_CRYPTO / ENABLE_SSL are compiled in.  ENABLE_SMALL builds print
 * a fixed one-line placeholder instead.
 * NOTE(review): the function header and the ENABLE_SMALL #if structure
 * are not visible in this extract.
 */
3345 FILE *fp
= msg_fp(0);
3349 fprintf (fp
, "Usage message not available\n");
3354 init_options (&o
, true);
3356 #if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
3357 fprintf (fp
, usage_message
,
3359 o
.ce
.connect_retry_seconds
,
3360 o
.ce
.local_port
, o
.ce
.remote_port
,
3361 TUN_MTU_DEFAULT
, TAP_MTU_EXTRA_DEFAULT
,
3363 o
.authname
, o
.ciphername
,
3364 o
.replay_window
, o
.replay_time
,
3365 o
.tls_timeout
, o
.renegotiate_seconds
,
3366 o
.handshake_window
, o
.transition_window
);
3367 #elif defined(ENABLE_CRYPTO)
3368 fprintf (fp
, usage_message
,
3370 o
.ce
.connect_retry_seconds
,
3371 o
.ce
.local_port
, o
.ce
.remote_port
,
3372 TUN_MTU_DEFAULT
, TAP_MTU_EXTRA_DEFAULT
,
3374 o
.authname
, o
.ciphername
,
3375 o
.replay_window
, o
.replay_time
);
3377 fprintf (fp
, usage_message
,
3379 o
.ce
.connect_retry_seconds
,
3380 o
.ce
.local_port
, o
.ce
.remote_port
,
3381 TUN_MTU_DEFAULT
, TAP_MTU_EXTRA_DEFAULT
,
3386 #endif /* ENABLE_SMALL */
3388 openvpn_exit (OPENVPN_EXIT_STATUS_USAGE
); /* exit point */
/*
 * Short usage hint printed on command-line errors, then exit with the
 * usage status.  NOTE(review): the function header is not visible here.
 */
3394 msg (M_WARN
|M_NOPREFIX
, "Use --help for more information.");
3395 openvpn_exit (OPENVPN_EXIT_STATUS_USAGE
); /* exit point */
/*
 * Print the version banner (title_string, credits and, in non-SMALL
 * builds, the compile-time defines, special-build tag and git revision
 * when those macros are defined) and exit with the usage status.
 */
3399 usage_version (void)
3401 msg (M_INFO
|M_NOPREFIX
, "%s", title_string
);
3402 msg (M_INFO
|M_NOPREFIX
, "Originally developed by James Yonan");
3403 msg (M_INFO
|M_NOPREFIX
, "Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>");
3404 #ifndef ENABLE_SMALL
3405 #ifdef CONFIGURE_DEFINES
3406 msg (M_INFO
|M_NOPREFIX
, "Compile time defines: %s", CONFIGURE_DEFINES
);
3408 #ifdef CONFIGURE_SPECIAL_BUILD
3409 msg (M_INFO
|M_NOPREFIX
, "special build: %s", CONFIGURE_SPECIAL_BUILD
);
3411 #ifdef CONFIGURE_GIT_REVISION
3412 msg (M_INFO
|M_NOPREFIX
, "git revision: %s", CONFIGURE_GIT_REVISION
);
3415 openvpn_exit (OPENVPN_EXIT_STATUS_USAGE
); /* exit point */
/*
 * Fail with a usage error naming `description` when the required option
 * value `arg` was never supplied (is NULL).  A non-NULL arg is a no-op.
 */
static void
notnull (const char *arg, const char *description)
{
  if (arg != NULL)
    return;
  msg (M_USAGE, "You must define %s", description);
}
/*
 * True when both strings are defined (non-NULL) and equal; a NULL on
 * either side compares unequal rather than dereferencing it.
 */
static inline bool
string_defined_equal (const char *s1, const char *s2)
{
  const bool both_defined = (s1 != NULL) && (s2 != NULL);
  return both_defined && strcmp (s1, s2) == 0;
}
/* Report, at msglevel, that --ping-exit and --ping-restart were both given. */
static void
ping_rec_err (int msglevel)
{
  const char *const text = "only one of --ping-exit or --ping-restart options may be specified";
  msg (msglevel, "%s", text);
}
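/*
 * Parse str as a decimal integer and clamp the result to [0, INT_MAX].
 * Negative or unparsable input yields 0 (as before); input whose value
 * does not fit an int now saturates at INT_MAX instead of going through
 * atoi(), whose behaviour on unrepresentable values is undefined.
 * Saturating rather than returning 0 keeps a "very large" setting large,
 * which matters where 0 has a special meaning for the caller.
 * Leading whitespace and trailing non-digits are tolerated exactly as
 * atoi() tolerates them ("  7x" -> 7).
 */
static int
positive_atoi (const char *str)
{
  char *end = NULL;
  /* atoi(s) is specified as (int) strtol(s, NULL, 10) minus the error handling */
  const long v = strtol (str, &end, 10);

  if (end == str || v < 0)
    return 0;             /* no digits at all, or a negative value */
  if (v > INT_MAX)
    return INT_MAX;       /* also covers strtol's LONG_MAX on overflow */
  return (int) v;
}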
3449 #ifdef WIN32 /* This function is only used when compiling on Windows */
/*
 * Parse str as an unsigned decimal with sscanf("%u"); anything that does
 * not scan leaves the result at 0.  (Windows-only helper.)
 */
static unsigned int
atou (const char *str)
{
  unsigned int parsed = 0;
  const int matched = sscanf (str, "%u", &parsed);
  (void) matched;   /* a failed scan leaves parsed at its initial 0 */
  return parsed;
}
/*
 * Parameter-delimiter test used by parse_line(): whitespace or the NUL
 * terminator.  Takes unsigned char so isspace() never sees a negative
 * value.
 */
static inline bool
space (unsigned char c)
{
  if (c == '\0')
    return true;
  return isspace (c) != 0;
}
/*
 * Tokenise one configuration line into p[] (each token allocated from
 * gc at its exact length), honouring double quotes, single quotes,
 * backslash escapes (not inside single quotes) and ';'/'#' comments.
 * Each parameter is bounded by the OPTION_PARM_SIZE scratch buffer: an
 * over-long one is truncated, NUL-terminated and reported as an error.
 * Problems are logged at msglevel (with M_OPTERR cleared here) and
 * prefixed with "ERROR: " when virtual/management output is requested.
 * NOTE(review): the parameters between line and gc (p, n_p, file,
 * line_num, msglevel), the do-loop head with the in/out/ret
 * declarations, and the final return are in line gaps in this extract;
 * the return value (number of parameters) is inferred from the ARG[]
 * debug loop at the end -- confirm.
 */
3466 parse_line (const char *line
,
3472 struct gc_arena
*gc
)
3474 const int STATE_INITIAL
= 0;
3475 const int STATE_READING_QUOTED_PARM
= 1;
3476 const int STATE_READING_UNQUOTED_PARM
= 2;
3477 const int STATE_DONE
= 3;
3478 const int STATE_READING_SQUOTED_PARM
= 4;
3480 const char *error_prefix
= "";
3483 const char *c
= line
;
3484 int state
= STATE_INITIAL
;
3485 bool backslash
= false;
3488 char parm
[OPTION_PARM_SIZE
];
3489 unsigned int parm_len
= 0;
/* Parse problems are reported through msg() below, not via M_OPTERR. */
3491 msglevel
&= ~M_OPTERR
;
3493 if (msglevel
& M_MSG_VIRT_OUT
)
3494 error_prefix
= "ERROR: ";
/* Backslash starts an escape everywhere except inside single quotes. */
3501 if (!backslash
&& in
== '\\' && state
!= STATE_READING_SQUOTED_PARM
)
3507 if (state
== STATE_INITIAL
)
3511 if (in
== ';' || in
== '#') /* comment */
3513 if (!backslash
&& in
== '\"')
3514 state
= STATE_READING_QUOTED_PARM
;
3515 else if (!backslash
&& in
== '\'')
3516 state
= STATE_READING_SQUOTED_PARM
;
3520 state
= STATE_READING_UNQUOTED_PARM
;
3524 else if (state
== STATE_READING_UNQUOTED_PARM
)
3526 if (!backslash
&& space (in
))
3531 else if (state
== STATE_READING_QUOTED_PARM
)
3533 if (!backslash
&& in
== '\"')
3538 else if (state
== STATE_READING_SQUOTED_PARM
)
/* A finished parameter is copied out at its exact length and NUL-terminated. */
3545 if (state
== STATE_DONE
)
3547 /* ASSERT (parm_len > 0); */
3548 p
[ret
] = gc_malloc (parm_len
+ 1, true, gc
);
3549 memcpy (p
[ret
], parm
, parm_len
);
3550 p
[ret
][parm_len
] = '\0';
3551 state
= STATE_INITIAL
;
/* Only \\, \" and whitespace are meaningful escapes; anything else is warned about. */
3556 if (backslash
&& out
)
3558 if (!(out
== '\\' || out
== '\"' || space (out
)))
3561 msg (msglevel
, "%sOptions warning: Bad backslash ('\\') usage in %s:%d", error_prefix
, file
, line_num
);
3563 msg (msglevel
, "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE
"\\\\static.key\"", error_prefix
, file
, line_num
);
3571 /* store parameter character */
/* Bound the scratch buffer: truncate, terminate and report instead of overrunning. */
3574 if (parm_len
>= SIZE (parm
))
3576 parm
[SIZE (parm
) - 1] = 0;
3577 msg (msglevel
, "%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
3578 error_prefix
, file
, line_num
, (int) SIZE (parm
), parm
);
3581 parm
[parm_len
++] = out
;
3584 /* avoid overflow if too many parms in one config file line */
3588 } while (*c
++ != '\0');
/* End of line reached inside a quoted parameter or mid-escape: report it. */
3590 if (state
== STATE_READING_QUOTED_PARM
)
3592 msg (msglevel
, "%sOptions error: No closing quotation (\") in %s:%d", error_prefix
, file
, line_num
);
3595 if (state
== STATE_READING_SQUOTED_PARM
)
3597 msg (msglevel
, "%sOptions error: No closing single quotation (\') in %s:%d", error_prefix
, file
, line_num
);
3600 if (state
!= STATE_INITIAL
)
3602 msg (msglevel
, "%sOptions error: Residual parse state (%d) in %s:%d", error_prefix
, state
, file
, line_num
);
/* Debug dump of the parsed arguments (guarded by a verbosity check not visible here). */
3608 for (i
= 0; i
< ret
; ++i
)
3610 msg (M_INFO
|M_NOPREFIX
, "%s:%d ARG[%d] '%s'", file
, line_num
, i
, p
[i
]);
/*
 * Advance *p past a leading "--" in place, but only when something
 * follows it (length >= 3); a bare "--" argument is left untouched.
 */
static void
bypass_doubledash (char **p)
{
  char *s = *p;
  const bool has_prefix = strlen (s) >= 3 && strncmp (s, "--", 2) == 0;

  if (has_prefix)
    *p = s + 2;
}
/*
 * Input-source discriminators for struct in_src: lines come either from
 * a FILE (IS_TYPE_FP) or from an in-memory multi-line buffer
 * (IS_TYPE_BUF).  NOTE(review): the struct header and the FILE member
 * are not visible in this extract.
 */
3625 # define IS_TYPE_FP 1
3626 # define IS_TYPE_BUF 2
3630 struct buffer
*multiline
;
/*
 * Read the next line from the input source into line[size].  For a
 * FILE source this is fgets() (newline retained).  For a buffer source
 * the next '\n'-delimited chunk is parsed out and a newline is appended
 * when it fits, so both source types hand back the same shape of line.
 * The strlen check before strcat() keeps the append within `size`.
 * NOTE(review): the return of status and the fallthrough for an
 * unknown type are in line gaps here.
 */
3635 in_src_get (const struct in_src
*is
, char *line
, const int size
)
3637 if (is
->type
== IS_TYPE_FP
)
3639 return BOOL_CAST (fgets (line
, size
, is
->u
.fp
));
3641 else if (is
->type
== IS_TYPE_BUF
)
3643 bool status
= buf_parse (is
->u
.multiline
, '\n', line
, size
);
/* Re-add the newline buf_parse consumed, only if there is room for it. */
3644 if ((int) strlen (line
) + 1 < size
)
3645 strcat (line
, "\n");
/*
 * Collect the lines of an inline file (<tag> ... </tag> block) from is
 * up to the line that starts with close_tag, and return them as one
 * string allocated from gc.
 * NOTE(review): the accumulator is a fixed 10000-byte buffer and the
 * result of buf_printf() is not checked, so an inline block larger than
 * that is silently cut short (buf_printf reports overflow through its
 * return value, as foreign_option() relies on).  The break on the close
 * tag and the free_buf/return are in line gaps here.
 */
3656 read_inline_file (struct in_src
*is
, const char *close_tag
, struct gc_arena
*gc
)
3658 char line
[OPTION_LINE_SIZE
];
3659 struct buffer buf
= alloc_buf (10000);
3661 while (in_src_get (is
, line
, sizeof (line
)))
/* Match the close tag by prefix only. */
3663 if (!strncmp (line
, close_tag
, strlen (close_tag
)))
3665 buf_printf (&buf
, "%s", line
);
3667 ret
= string_alloc (BSTR (&buf
), gc
);
/*
 * Recognise an inline-file directive: when p[0] has the form "<name>"
 * the line is rewritten as p[0]="name", p[1]=INLINE_FILE_TAG,
 * p[2]=contents read from is up to the matching "</name>" line.  The
 * '<' test runs first, so arg is known to be non-empty before the
 * strlen(arg)-1 index is used.
 * NOTE(review): the declarations of arg/ret, the p[3] terminator and
 * the return value are in line gaps in this extract.
 */
3675 check_inline_file (struct in_src
*is
, char *p
[], struct gc_arena
*gc
)
3681 if (arg
[0] == '<' && arg
[strlen(arg
)-1] == '>')
3683 struct buffer close_tag
;
/* Drop the trailing '>' then skip the leading '<' to get the bare tag name. */
3684 arg
[strlen(arg
)-1] = '\0';
3685 p
[0] = string_alloc (arg
+1, gc
);
3686 p
[1] = string_alloc (INLINE_FILE_TAG
, gc
);
/* "</" + name + ">" + NUL is exactly strlen(name) + 4 bytes. */
3687 close_tag
= alloc_buf (strlen(p
[0]) + 4);
3688 buf_printf (&close_tag
, "</%s>", p
[0]);
3689 p
[2] = read_inline_file (is
, BSTR (&close_tag
), gc
);
3691 free_buf (&close_tag
);
/*
 * check_inline_file() over a FILE source (used by read_config_file()).
 * NOTE(review): the in_src declaration and the is.u.fp assignment are
 * in a line gap here.
 */
3699 check_inline_file_via_fp (FILE *fp
, char *p
[], struct gc_arena
*gc
)
3702 is
.type
= IS_TYPE_FP
;
3704 return check_inline_file (&is
, p
, gc
);
/*
 * check_inline_file() over an in-memory multi-line buffer (used by
 * read_config_string()).  NOTE(review): the in_src declaration is in a
 * line gap here.
 */
3708 check_inline_file_via_buf (struct buffer
*multiline
, char *p
[], struct gc_arena
*gc
)
3711 is
.type
= IS_TYPE_BUF
;
3712 is
.u
.multiline
= multiline
;
3713 return check_inline_file (&is
, p
, gc
);
/*
 * Forward declaration: add_option() is defined further down but is
 * called by the config readers below.  permission_mask limits which
 * option classes the caller may set (see VERIFY_PERMISSION) and
 * option_types_found accumulates the classes actually seen.
 */
3717 add_option (struct options
*options
,
3723 const unsigned int permission_mask
,
3724 unsigned int *option_types_found
,
3725 struct env_set
*es
);
/*
 * Read configuration directives from file (or standard input when file
 * is "stdin"), parse each line with parse_line() and hand the tokens to
 * add_option() under the caller's permission_mask.  Nested --config
 * includes recurse through add_option(); level is capped at
 * max_recursive_levels so a file that includes itself is reported
 * rather than looping.  A UTF-8 BOM on the first line is skipped, and
 * "<name>" directives are expanded by check_inline_file_via_fp().
 * Lines are read with fgets() into a fixed OPTION_LINE_SIZE buffer, so
 * a longer physical line arrives split across iterations.
 * top_file/top_line identify the including location in error messages.
 * NOTE(review): the parameters between top_file and permission_mask,
 * the es parameter, the stdin/fclose handling and the declarations of
 * offset/line_num/p are in line gaps in this extract.
 */
3728 read_config_file (struct options
*options
,
3731 const char *top_file
,
3734 const unsigned int permission_mask
,
3735 unsigned int *option_types_found
,
3738 const int max_recursive_levels
= 10;
3741 char line
[OPTION_LINE_SIZE
];
3745 if (level
<= max_recursive_levels
)
3747 if (streq (file
, "stdin"))
3750 fp
= platform_fopen (file
, "r");
3754 while (fgets(line
, sizeof (line
), fp
))
3759 /* Ignore UTF-8 BOM at start of stream */
3760 if (line_num
== 1 && strncmp (line
, "\xEF\xBB\xBF", 3) == 0)
3762 if (parse_line (line
+ offset
, p
, SIZE (p
), file
, line_num
, msglevel
, &options
->gc
))
3764 bypass_doubledash (&p
[0]);
3765 check_inline_file_via_fp (fp
, p
, &options
->gc
);
3766 add_option (options
, p
, file
, line_num
, level
, msglevel
, permission_mask
, option_types_found
, es
);
3774 msg (msglevel
, "In %s:%d: Error opening configuration file: %s", top_file
, top_line
, file
);
3779 msg (msglevel
, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file
, top_line
, file
);
/*
 * Same as read_config_file() but for a configuration held in memory:
 * config is wrapped in a read-only buffer, split on '\n', and each line
 * is parsed and passed to add_option() with prefix as the "file" name
 * used in messages.  Inline "<name>" blocks are expanded from the same
 * buffer via check_inline_file_via_buf().  No include nesting level is
 * tracked here (add_option is called with level 0).
 * NOTE(review): the config/msglevel/es parameters and the declarations
 * of line_num/p are in line gaps in this extract.
 */
3786 read_config_string (const char *prefix
,
3787 struct options
*options
,
3790 const unsigned int permission_mask
,
3791 unsigned int *option_types_found
,
3794 char line
[OPTION_LINE_SIZE
];
3795 struct buffer multiline
;
3798 buf_set_read (&multiline
, (uint8_t*)config
, strlen (config
));
3800 while (buf_parse (&multiline
, '\n', line
, sizeof (line
)))
3805 if (parse_line (line
, p
, SIZE (p
), prefix
, line_num
, msglevel
, &options
->gc
))
3807 bypass_doubledash (&p
[0]);
3808 check_inline_file_via_buf (&multiline
, p
, &options
->gc
);
3809 add_option (options
, p
, NULL
, line_num
, 0, msglevel
, permission_mask
, option_types_found
, es
);
/*
 * Parse the process command line.  A single non-"--" argument is taken
 * as a config file name; otherwise each "--option" and its following
 * non-"--" arguments (at most MAX_PARMS - 1 of them) form one
 * add_option() call.  An argument without a leading "--" where an
 * option is expected is reported at msglevel.
 * NOTE(review): the argc/argv/msglevel/es parameters, the p[] setup
 * for the config-file case, the i/j declarations and the loop advance
 * are in line gaps in this extract.
 */
3817 parse_argv (struct options
*options
,
3821 const unsigned int permission_mask
,
3822 unsigned int *option_types_found
,
3831 /* config filename specified only? */
3832 if (argc
== 2 && strncmp (argv
[1], "--", 2))
3838 add_option (options
, p
, NULL
, 0, 0, msglevel
, permission_mask
, option_types_found
, es
);
3842 /* parse command line */
3843 for (i
= 1; i
< argc
; ++i
)
3848 if (strncmp(p
[0], "--", 2))
3850 msg (msglevel
, "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'", p
[0]);
/* Gather the option's parameters up to the next "--" argument. */
3855 for (j
= 1; j
< MAX_PARMS
; ++j
)
3859 char *arg
= argv
[i
+ j
];
3860 if (strncmp (arg
, "--", 2))
3866 add_option (options
, p
, NULL
, 0, 0, msglevel
, permission_mask
, option_types_found
, es
);
/*
 * Apply options pushed by the server: buf holds a comma-separated list,
 * each element of which is parsed like a config line and fed to
 * add_option() under permission_mask.  That mask is what confines a
 * server to the option classes a client is willing to accept (see
 * VERIFY_PERMISSION); errors are reported at D_PUSH_ERRORS|M_OPTERR
 * against the pseudo file name "[PUSH-OPTIONS]".
 * NOTE(review): the buf/es parameters and the line_num/p declarations
 * are in line gaps in this extract.
 */
3873 apply_push_options (struct options
*options
,
3875 unsigned int permission_mask
,
3876 unsigned int *option_types_found
,
3879 char line
[OPTION_PARM_SIZE
];
3881 const char *file
= "[PUSH-OPTIONS]";
3882 const int msglevel
= D_PUSH_ERRORS
|M_OPTERR
;
3884 while (buf_parse (buf
, ',', line
, sizeof (line
)))
3889 if (parse_line (line
, p
, SIZE (p
), file
, line_num
, msglevel
, &options
->gc
))
3891 add_option (options
, p
, file
, line_num
, 0, msglevel
, permission_mask
, option_types_found
, es
);
/*
 * Server side: load a client-specific options file (e.g. a
 * client-config-dir entry) into o via read_config_file() under
 * permission_mask, logging the file name at D_PUSH first.
 * NOTE(review): the msglevel/es parameters and the remaining
 * read_config_file() arguments are in line gaps in this extract.
 */
3898 options_server_import (struct options
*o
,
3899 const char *filename
,
3901 unsigned int permission_mask
,
3902 unsigned int *option_types_found
,
3905 msg (D_PUSH
, "OPTIONS IMPORT: reading client specific options from: %s", filename
);
3906 read_config_file (o
,
/*
 * Load an in-memory configuration string into options via
 * read_config_string(), using "[CONFIG-STRING]" as the file name in
 * messages and permission_mask to confine the option classes allowed.
 * NOTE(review): the config/msglevel/es parameters are in a line gap.
 */
3917 void options_string_import (struct options
*options
,
3920 const unsigned int permission_mask
,
3921 unsigned int *option_types_found
,
3924 read_config_string ("[CONFIG-STRING]", options
, config
, msglevel
, permission_mask
, option_types_found
, es
);
/*
 * Used inside add_option(): refuse the option p[0] unless its class
 * `mask` is allowed by the caller's permission_mask, jumping to the
 * err label after verify_permission() has logged the refusal.
 */
3929 #define VERIFY_PERMISSION(mask) { if (!verify_permission(p[0], file, (mask), permission_mask, option_types_found, msglevel)) goto err; }
/*
 * Permission check behind VERIFY_PERMISSION: the option `name` of class
 * `type` (an OPT_P_* bit) may only be set when that bit is in
 * `allowed`, the mask the current parsing context was given (command
 * line, config file, server push, ...).  A refusal is logged at
 * msglevel with the file name for context and false is returned.
 * NOTE(review): the file/msglevel parameters, the *found |= type
 * bookkeeping and the return statements are in line gaps here.
 */
3932 verify_permission (const char *name
,
3934 const unsigned int type
,
3935 const unsigned int allowed
,
3936 unsigned int *found
,
3939 if (!(type
& allowed
))
3941 msg (msglevel
, "option '%s' cannot be used in this context (%s)", name
, file
);
/* Variant of VERIFY_PERMISSION that performs no check (alternate #if branch). */
3954 #define VERIFY_PERMISSION(mask)
3959 * Check that an option doesn't have too
/* no_more_than_n_args() flag: append the double-quote hint to the error message. */
3963 #define NM_QUOTE_HINT (1<<0)
/*
 * Check that the parsed directive p[] has no more than `max` parameters
 * (name included in the count via string_array_len()).  Too many are
 * reported at msglevel, optionally with a hint (NM_QUOTE_HINT) that a
 * multi-word argument must be quoted -- typically used for script
 * options, whose arguments are passed on as a single string.
 * NOTE(review): the p/max parameters, the comparison and the return
 * values are in line gaps in this extract.
 */
3966 no_more_than_n_args (const int msglevel
,
3969 const unsigned int flags
)
3971 const int len
= string_array_len ((const char **)p
);
3978 msg (msglevel
, "the --%s directive should have at most %d parameter%s.%s",
3981 max
>= 3 ? "s" : "",
3982 (flags
& NM_QUOTE_HINT
) ? " To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")." : "");
/*
 * Message level to use for option problems: when --forward-compatible
 * is set this is a plain M_WARN (presumably so that configs written for
 * a newer version do not abort on unknown directives -- confirm at the
 * call sites); otherwise the caller's msglevel is returned unchanged.
 */
static int
msglevel_forward_compatible (struct options *options, const int msglevel)
{
  if (options->forward_compatible)
    return M_WARN;
  return msglevel;
}
/*
 * Install a user-supplied script path (--up, --down, --ipchange, ...):
 * warn when a previous `type` script is being overridden, store
 * new_script in *script and flag that user scripts are in use.  In
 * non-SMALL builds the path is then checked with check_cmd_access(),
 * and a failing check is turned into a fatal usage error -- the script
 * runs with the daemon's privileges, so an unreachable or
 * non-executable path is better rejected at parse time.
 * NOTE(review): the `type` parameter and the "already set" test around
 * the override warning are in line gaps in this extract.
 */
3996 set_user_script (struct options
*options
,
3997 const char **script
,
3998 const char *new_script
,
4002 msg (M_WARN
, "Multiple --%s scripts defined. "
4003 "The previously configured script is overridden.", type
);
4005 *script
= new_script
;
4006 options
->user_script_used
= true;
4008 #ifndef ENABLE_SMALL
4010 char script_name
[100];
4011 openvpn_snprintf (script_name
, sizeof(script_name
),
4012 "--%s script", type
);
4014 if (check_cmd_access (*script
, script_name
))
4015 msg (M_USAGE
, "Please correct this error.");
4022 add_option (struct options
*options
,
4028 const unsigned int permission_mask
,
4029 unsigned int *option_types_found
,
4032 struct gc_arena gc
= gc_new ();
4033 const bool pull_mode
= BOOL_CAST (permission_mask
& OPT_P_PULL_MODE
);
4034 int msglevel_fc
= msglevel_forward_compatible (options
, msglevel
);
4036 ASSERT (MAX_PARMS
>= 5);
4039 file
= "[CMD-LINE]";
4042 if (streq (p
[0], "help"))
4044 VERIFY_PERMISSION (OPT_P_GENERAL
);
4047 if (streq (p
[0], "version"))
4049 VERIFY_PERMISSION (OPT_P_GENERAL
);
4052 else if (streq (p
[0], "config") && p
[1])
4054 VERIFY_PERMISSION (OPT_P_CONFIG
);
4056 /* save first config file only in options */
4057 if (!options
->config
)
4058 options
->config
= p
[1];
4060 read_config_file (options
, p
[1], level
, file
, line
, msglevel
, permission_mask
, option_types_found
, es
);
4063 else if (streq (p
[0], "show-gateway"))
4065 struct route_gateway_info rgi
;
4066 VERIFY_PERMISSION (OPT_P_GENERAL
);
4067 get_default_gateway(&rgi
);
4068 print_default_gateway(M_INFO
, &rgi
);
4069 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD
); /* exit point */
4073 else if (streq (p
[0], "foreign-option") && p
[1])
4075 VERIFY_PERMISSION (OPT_P_IPWIN32
);
4076 foreign_option (options
, p
, 3, es
);
4079 else if (streq (p
[0], "echo") || streq (p
[0], "parameter"))
4081 struct buffer string
= alloc_buf_gc (OPTION_PARM_SIZE
, &gc
);
4085 VERIFY_PERMISSION (OPT_P_ECHO
);
4087 for (j
= 1; j
< MAX_PARMS
; ++j
)
4092 good
&= buf_printf (&string
, " ");
4093 good
&= buf_printf (&string
, "%s", p
[j
]);
4098 /* removed for now since ECHO can potentially include
4099 security-sensitive strings */
4100 msg (M_INFO
, "%s:%s",
4101 pull_mode
? "ECHO-PULL" : "ECHO",
4104 #ifdef ENABLE_MANAGEMENT
4106 management_echo (management
, BSTR (&string
), pull_mode
);
4110 msg (M_WARN
, "echo/parameter option overflow");
4112 #ifdef ENABLE_MANAGEMENT
4113 else if (streq (p
[0], "management") && p
[1] && p
[2])
4117 VERIFY_PERMISSION (OPT_P_GENERAL
);
4118 if (streq (p
[2], "unix"))
4120 #if UNIX_SOCK_SUPPORT
4121 options
->management_flags
|= MF_UNIX_SOCK
;
4123 msg (msglevel
, "MANAGEMENT: this platform does not support unix domain sockets");
4130 if (!legal_ipv4_port (port
))
4132 msg (msglevel
, "port number associated with --management directive is out of range");
4137 options
->management_addr
= p
[1];
4138 options
->management_port
= port
;
4141 options
->management_user_pass
= p
[3];
4144 else if (streq (p
[0], "management-client-user") && p
[1])
4146 VERIFY_PERMISSION (OPT_P_GENERAL
);
4147 options
->management_client_user
= p
[1];
4149 else if (streq (p
[0], "management-client-group") && p
[1])
4151 VERIFY_PERMISSION (OPT_P_GENERAL
);
4152 options
->management_client_group
= p
[1];
4154 else if (streq (p
[0], "management-query-passwords"))
4156 VERIFY_PERMISSION (OPT_P_GENERAL
);
4157 options
->management_flags
|= MF_QUERY_PASSWORDS
;
4159 else if (streq (p
[0], "management-query-remote"))
4161 VERIFY_PERMISSION (OPT_P_GENERAL
);
4162 options
->management_flags
|= MF_QUERY_REMOTE
;
4164 else if (streq (p
[0], "management-query-proxy"))
4166 VERIFY_PERMISSION (OPT_P_GENERAL
);
4167 options
->management_flags
|= MF_QUERY_PROXY
;
4168 options
->force_connection_list
= true;
4170 else if (streq (p
[0], "management-hold"))
4172 VERIFY_PERMISSION (OPT_P_GENERAL
);
4173 options
->management_flags
|= MF_HOLD
;
4175 else if (streq (p
[0], "management-signal"))
4177 VERIFY_PERMISSION (OPT_P_GENERAL
);
4178 options
->management_flags
|= MF_SIGNAL
;
4180 else if (streq (p
[0], "management-forget-disconnect"))
4182 VERIFY_PERMISSION (OPT_P_GENERAL
);
4183 options
->management_flags
|= MF_FORGET_DISCONNECT
;
4185 else if (streq (p
[0], "management-up-down"))
4187 VERIFY_PERMISSION (OPT_P_GENERAL
);
4188 options
->management_flags
|= MF_UP_DOWN
;
4190 else if (streq (p
[0], "management-client"))
4192 VERIFY_PERMISSION (OPT_P_GENERAL
);
4193 options
->management_flags
|= MF_CONNECT_AS_CLIENT
;
4194 options
->management_write_peer_info_file
= p
[1];
4196 #ifdef MANAGMENT_EXTERNAL_KEY
4197 else if (streq (p
[0], "management-external-key"))
4199 VERIFY_PERMISSION (OPT_P_GENERAL
);
4200 options
->management_flags
|= MF_EXTERNAL_KEY
;
4203 #ifdef MANAGEMENT_DEF_AUTH
4204 else if (streq (p
[0], "management-client-auth"))
4206 VERIFY_PERMISSION (OPT_P_GENERAL
);
4207 options
->management_flags
|= MF_CLIENT_AUTH
;
4210 #ifdef ENABLE_X509_TRACK
4211 else if (streq (p
[0], "x509-track") && p
[1])
4213 VERIFY_PERMISSION (OPT_P_GENERAL
);
4214 x509_track_add (&options
->x509_track
, p
[1], msglevel
, &options
->gc
);
4217 #ifdef MANAGEMENT_PF
4218 else if (streq (p
[0], "management-client-pf"))
4220 VERIFY_PERMISSION (OPT_P_GENERAL
);
4221 options
->management_flags
|= (MF_CLIENT_PF
| MF_CLIENT_AUTH
);
4224 else if (streq (p
[0], "management-log-cache") && p
[1])
4228 VERIFY_PERMISSION (OPT_P_GENERAL
);
4229 cache
= atoi (p
[1]);
4232 msg (msglevel
, "--management-log-cache parameter is out of range");
4235 options
->management_log_history_cache
= cache
;
4238 #ifdef ENABLE_PLUGIN
4239 else if (streq (p
[0], "plugin") && p
[1])
4241 VERIFY_PERMISSION (OPT_P_PLUGIN
);
4242 if (!options
->plugin_list
)
4243 options
->plugin_list
= plugin_option_list_new (&options
->gc
);
4244 if (!plugin_option_list_add (options
->plugin_list
, &p
[1], &options
->gc
))
4246 msg (msglevel
, "plugin add failed: %s", p
[1]);
4251 else if (streq (p
[0], "mode") && p
[1])
4253 VERIFY_PERMISSION (OPT_P_GENERAL
);
4254 if (streq (p
[1], "p2p"))
4255 options
->mode
= MODE_POINT_TO_POINT
;
4257 else if (streq (p
[1], "server"))
4258 options
->mode
= MODE_SERVER
;
4262 msg (msglevel
, "Bad --mode parameter: %s", p
[1]);
4266 else if (streq (p
[0], "dev") && p
[1])
4268 VERIFY_PERMISSION (OPT_P_GENERAL
);
4269 options
->dev
= p
[1];
4271 else if (streq (p
[0], "dev-type") && p
[1])
4273 VERIFY_PERMISSION (OPT_P_GENERAL
);
4274 options
->dev_type
= p
[1];
4276 else if (streq (p
[0], "dev-node") && p
[1])
4278 VERIFY_PERMISSION (OPT_P_GENERAL
);
4279 options
->dev_node
= p
[1];
4281 else if (streq (p
[0], "lladdr") && p
[1])
4283 VERIFY_PERMISSION (OPT_P_UP
);
4284 if (mac_addr_safe (p
[1])) /* MAC address only */
4285 options
->lladdr
= p
[1];
4288 msg (msglevel
, "lladdr parm '%s' must be a MAC address", p
[1]);
4292 else if (streq (p
[0], "topology") && p
[1])
4294 VERIFY_PERMISSION (OPT_P_UP
);
4295 options
->topology
= parse_topology (p
[1], msglevel
);
4297 else if (streq (p
[0], "tun-ipv6"))
4299 VERIFY_PERMISSION (OPT_P_UP
);
4300 options
->tun_ipv6
= true;
4302 #ifdef ENABLE_IPROUTE
4303 else if (streq (p
[0], "iproute") && p
[1])
4305 VERIFY_PERMISSION (OPT_P_GENERAL
);
4306 iproute_path
= p
[1];
4309 else if (streq (p
[0], "ifconfig") && p
[1] && p
[2])
4311 VERIFY_PERMISSION (OPT_P_UP
);
4312 if (ip_or_dns_addr_safe (p
[1], options
->allow_pull_fqdn
) && ip_or_dns_addr_safe (p
[2], options
->allow_pull_fqdn
)) /* FQDN -- may be DNS name */
4314 options
->ifconfig_local
= p
[1];
4315 options
->ifconfig_remote_netmask
= p
[2];
4319 msg (msglevel
, "ifconfig parms '%s' and '%s' must be valid addresses", p
[1], p
[2]);
4323 else if (streq (p
[0], "ifconfig-ipv6") && p
[1] && p
[2] )
4325 unsigned int netbits
;
4328 VERIFY_PERMISSION (OPT_P_UP
);
4329 if ( get_ipv6_addr( p
[1], NULL
, &netbits
, &ipv6_local
, msglevel
) &&
4330 ipv6_addr_safe( p
[2] ) )
4332 if ( netbits
< 64 || netbits
> 124 )
4334 msg( msglevel
, "ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'", netbits
);
4338 if (options
->ifconfig_ipv6_local
)
4339 /* explicitly ignoring this is a const char */
4340 free ((char *) options
->ifconfig_ipv6_local
);
4342 options
->ifconfig_ipv6_local
= ipv6_local
;
4343 options
->ifconfig_ipv6_netbits
= netbits
;
4344 options
->ifconfig_ipv6_remote
= p
[2];
4348 msg (msglevel
, "ifconfig-ipv6 parms '%s' and '%s' must be valid addresses", p
[1], p
[2]);
4352 else if (streq (p
[0], "ifconfig-noexec"))
4354 VERIFY_PERMISSION (OPT_P_UP
);
4355 options
->ifconfig_noexec
= true;
4357 else if (streq (p
[0], "ifconfig-nowarn"))
4359 VERIFY_PERMISSION (OPT_P_UP
);
4360 options
->ifconfig_nowarn
= true;
4362 else if (streq (p
[0], "local") && p
[1])
4364 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4365 options
->ce
.local
= p
[1];
4367 else if (streq (p
[0], "remote-random"))
4369 VERIFY_PERMISSION (OPT_P_GENERAL
);
4370 options
->remote_random
= true;
4372 else if (streq (p
[0], "connection") && p
[1])
4374 VERIFY_PERMISSION (OPT_P_GENERAL
);
4375 if (streq (p
[1], INLINE_FILE_TAG
) && p
[2])
4378 struct connection_entry
*e
;
4380 init_options (&sub
, true);
4381 sub
.ce
= options
->ce
;
4382 read_config_string ("[CONNECTION-OPTIONS]", &sub
, p
[2], msglevel
, OPT_P_CONNECTION
, option_types_found
, es
);
4385 msg (msglevel
, "Each 'connection' block must contain exactly one 'remote' directive");
4389 e
= alloc_connection_entry (options
, msglevel
);
4393 gc_transfer (&options
->gc
, &sub
.gc
);
4394 uninit_options (&sub
);
4397 else if (streq (p
[0], "remote-ip-hint") && p
[1])
4399 VERIFY_PERMISSION (OPT_P_GENERAL
);
4400 options
->remote_ip_hint
= p
[1];
4402 #if HTTP_PROXY_OVERRIDE
4403 else if (streq (p
[0], "http-proxy-override") && p
[1] && p
[2])
4405 VERIFY_PERMISSION (OPT_P_GENERAL
);
4406 options
->http_proxy_override
= parse_http_proxy_override(p
[1], p
[2], p
[3], msglevel
, &options
->gc
);
4407 if (!options
->http_proxy_override
)
4409 options
->force_connection_list
= true;
4412 else if (streq (p
[0], "remote") && p
[1])
4414 struct remote_entry re
;
4416 re
.remote_port
= re
.proto
= -1;
4418 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4422 const int port
= atoi (p
[2]);
4423 if (!legal_ipv4_port (port
))
4425 msg (msglevel
, "remote: port number associated with host %s is out of range", p
[1]);
4428 re
.remote_port
= port
;
4431 const int proto
= ascii2proto (p
[3]);
4434 msg (msglevel
, "remote: bad protocol associated with host %s: '%s'", p
[1], p
[3]);
4440 if (permission_mask
& OPT_P_GENERAL
)
4442 struct remote_entry
*e
= alloc_remote_entry (options
, msglevel
);
4447 else if (permission_mask
& OPT_P_CONNECTION
)
4449 connection_entry_load_re (&options
->ce
, &re
);
4452 else if (streq (p
[0], "resolv-retry") && p
[1])
4454 VERIFY_PERMISSION (OPT_P_GENERAL
);
4455 if (streq (p
[1], "infinite"))
4456 options
->resolve_retry_seconds
= RESOLV_RETRY_INFINITE
;
4458 options
->resolve_retry_seconds
= positive_atoi (p
[1]);
4460 else if (streq (p
[0], "connect-retry") && p
[1])
4462 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4463 options
->ce
.connect_retry_seconds
= positive_atoi (p
[1]);
4464 options
->ce
.connect_retry_defined
= true;
4466 else if (streq (p
[0], "connect-timeout") && p
[1])
4468 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4469 options
->ce
.connect_timeout
= positive_atoi (p
[1]);
4470 options
->ce
.connect_timeout_defined
= true;
4472 else if (streq (p
[0], "connect-retry-max") && p
[1])
4474 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4475 options
->ce
.connect_retry_max
= positive_atoi (p
[1]);
4477 else if (streq (p
[0], "ipchange") && p
[1])
4479 VERIFY_PERMISSION (OPT_P_SCRIPT
);
4480 if (!no_more_than_n_args (msglevel
, p
, 2, NM_QUOTE_HINT
))
4482 set_user_script (options
,
4484 string_substitute (p
[1], ',', ' ', &options
->gc
),
4487 else if (streq (p
[0], "float"))
4489 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4490 options
->ce
.remote_float
= true;
4493 else if (streq (p
[0], "gremlin") && p
[1])
4495 VERIFY_PERMISSION (OPT_P_GENERAL
);
4496 options
->gremlin
= positive_atoi (p
[1]);
4499 else if (streq (p
[0], "chroot") && p
[1])
4501 VERIFY_PERMISSION (OPT_P_GENERAL
);
4502 options
->chroot_dir
= p
[1];
4504 else if (streq (p
[0], "cd") && p
[1])
4506 VERIFY_PERMISSION (OPT_P_GENERAL
);
4507 if (platform_chdir (p
[1]))
4509 msg (M_ERR
, "cd to '%s' failed", p
[1]);
4512 options
->cd_dir
= p
[1];
4514 #ifdef ENABLE_SELINUX
4515 else if (streq (p
[0], "setcon") && p
[1])
4517 VERIFY_PERMISSION (OPT_P_GENERAL
);
4518 options
->selinux_context
= p
[1];
4521 else if (streq (p
[0], "writepid") && p
[1])
4523 VERIFY_PERMISSION (OPT_P_GENERAL
);
4524 options
->writepid
= p
[1];
4526 else if (streq (p
[0], "up") && p
[1])
4528 VERIFY_PERMISSION (OPT_P_SCRIPT
);
4529 if (!no_more_than_n_args (msglevel
, p
, 2, NM_QUOTE_HINT
))
4531 set_user_script (options
, &options
->up_script
, p
[1], "up");
4533 else if (streq (p
[0], "down") && p
[1])
4535 VERIFY_PERMISSION (OPT_P_SCRIPT
);
4536 if (!no_more_than_n_args (msglevel
, p
, 2, NM_QUOTE_HINT
))
4538 set_user_script (options
, &options
->down_script
, p
[1], "down");
4540 else if (streq (p
[0], "down-pre"))
4542 VERIFY_PERMISSION (OPT_P_GENERAL
);
4543 options
->down_pre
= true;
4545 else if (streq (p
[0], "up-delay"))
4547 VERIFY_PERMISSION (OPT_P_GENERAL
);
4548 options
->up_delay
= true;
4550 else if (streq (p
[0], "up-restart"))
4552 VERIFY_PERMISSION (OPT_P_GENERAL
);
4553 options
->up_restart
= true;
4555 else if (streq (p
[0], "syslog"))
4557 VERIFY_PERMISSION (OPT_P_GENERAL
);
4558 open_syslog (p
[1], false);
4560 else if (streq (p
[0], "daemon"))
4563 VERIFY_PERMISSION (OPT_P_GENERAL
);
4564 if (!options
->daemon
)
4566 options
->daemon
= didit
= true;
4567 open_syslog (p
[1], false);
4573 msg (M_WARN
, "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)", p
[1]);
4578 else if (streq (p
[0], "inetd"))
4580 VERIFY_PERMISSION (OPT_P_GENERAL
);
4581 if (!options
->inetd
)
4584 const char *name
= NULL
;
4585 const char *opterr
= "when --inetd is used with two parameters, one of them must be 'wait' or 'nowait' and the other must be a daemon name to use for system logging";
4587 options
->inetd
= -1;
4589 for (z
= 1; z
<= 2; ++z
)
4593 if (streq (p
[z
], "wait"))
4595 if (options
->inetd
!= -1)
4597 msg (msglevel
, "%s", opterr
);
4601 options
->inetd
= INETD_WAIT
;
4603 else if (streq (p
[z
], "nowait"))
4605 if (options
->inetd
!= -1)
4607 msg (msglevel
, "%s", opterr
);
4611 options
->inetd
= INETD_NOWAIT
;
4617 msg (msglevel
, "%s", opterr
);
4626 if (options
->inetd
== -1)
4627 options
->inetd
= INETD_WAIT
;
4629 save_inetd_socket_descriptor ();
4630 open_syslog (name
, true);
4633 else if (streq (p
[0], "log") && p
[1])
4635 VERIFY_PERMISSION (OPT_P_GENERAL
);
4636 options
->log
= true;
4637 redirect_stdout_stderr (p
[1], false);
4639 else if (streq (p
[0], "suppress-timestamps"))
4641 VERIFY_PERMISSION (OPT_P_GENERAL
);
4642 options
->suppress_timestamps
= true;
4643 set_suppress_timestamps(true);
4645 else if (streq (p
[0], "log-append") && p
[1])
4647 VERIFY_PERMISSION (OPT_P_GENERAL
);
4648 options
->log
= true;
4649 redirect_stdout_stderr (p
[1], true);
4651 #ifdef ENABLE_MEMSTATS
4652 else if (streq (p
[0], "memstats") && p
[1])
4654 VERIFY_PERMISSION (OPT_P_GENERAL
);
4655 options
->memstats_fn
= p
[1];
4658 else if (streq (p
[0], "mlock"))
4660 VERIFY_PERMISSION (OPT_P_GENERAL
);
4661 options
->mlock
= true;
4663 #if ENABLE_IP_PKTINFO
4664 else if (streq (p
[0], "multihome"))
4666 VERIFY_PERMISSION (OPT_P_GENERAL
);
4667 options
->sockflags
|= SF_USE_IP_PKTINFO
;
4670 else if (streq (p
[0], "verb") && p
[1])
4672 VERIFY_PERMISSION (OPT_P_MESSAGES
);
4673 options
->verbosity
= positive_atoi (p
[1]);
4674 #if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
4675 /* Warn when a debug verbosity is supplied when built without debug support */
4676 if (options
->verbosity
>= 7)
4677 msg (M_WARN
, "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
4678 options
->verbosity
);
4681 else if (streq (p
[0], "mute") && p
[1])
4683 VERIFY_PERMISSION (OPT_P_MESSAGES
);
4684 options
->mute
= positive_atoi (p
[1]);
4686 else if (streq (p
[0], "errors-to-stderr"))
4688 VERIFY_PERMISSION (OPT_P_MESSAGES
);
4691 else if (streq (p
[0], "status") && p
[1])
4693 VERIFY_PERMISSION (OPT_P_GENERAL
);
4694 options
->status_file
= p
[1];
4697 options
->status_file_update_freq
= positive_atoi (p
[2]);
4700 else if (streq (p
[0], "status-version") && p
[1])
4704 VERIFY_PERMISSION (OPT_P_GENERAL
);
4705 version
= atoi (p
[1]);
4706 if (version
< 1 || version
> 3)
4708 msg (msglevel
, "--status-version must be 1 to 3");
4711 options
->status_file_version
= version
;
4713 else if (streq (p
[0], "remap-usr1") && p
[1])
4715 VERIFY_PERMISSION (OPT_P_GENERAL
);
4716 if (streq (p
[1], "SIGHUP"))
4717 options
->remap_sigusr1
= SIGHUP
;
4718 else if (streq (p
[1], "SIGTERM"))
4719 options
->remap_sigusr1
= SIGTERM
;
4722 msg (msglevel
, "--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
4726 else if ((streq (p
[0], "link-mtu") || streq (p
[0], "udp-mtu")) && p
[1])
4728 VERIFY_PERMISSION (OPT_P_MTU
|OPT_P_CONNECTION
);
4729 options
->ce
.link_mtu
= positive_atoi (p
[1]);
4730 options
->ce
.link_mtu_defined
= true;
4732 else if (streq (p
[0], "tun-mtu") && p
[1])
4734 VERIFY_PERMISSION (OPT_P_MTU
|OPT_P_CONNECTION
);
4735 options
->ce
.tun_mtu
= positive_atoi (p
[1]);
4736 options
->ce
.tun_mtu_defined
= true;
4738 else if (streq (p
[0], "tun-mtu-extra") && p
[1])
4740 VERIFY_PERMISSION (OPT_P_MTU
|OPT_P_CONNECTION
);
4741 options
->ce
.tun_mtu_extra
= positive_atoi (p
[1]);
4742 options
->ce
.tun_mtu_extra_defined
= true;
4744 #ifdef ENABLE_FRAGMENT
4745 else if (streq (p
[0], "mtu-dynamic"))
4747 VERIFY_PERMISSION (OPT_P_MTU
|OPT_P_CONNECTION
);
4748 msg (msglevel
, "--mtu-dynamic has been replaced by --fragment");
4751 else if (streq (p
[0], "fragment") && p
[1])
4753 /* VERIFY_PERMISSION (OPT_P_MTU); */
4754 VERIFY_PERMISSION (OPT_P_MTU
|OPT_P_CONNECTION
);
4755 options
->ce
.fragment
= positive_atoi (p
[1]);
4758 else if (streq (p
[0], "mtu-disc") && p
[1])
4760 VERIFY_PERMISSION (OPT_P_MTU
|OPT_P_CONNECTION
);
4761 options
->ce
.mtu_discover_type
= translate_mtu_discover_type_name (p
[1]);
4764 else if (streq (p
[0], "mtu-test"))
4766 VERIFY_PERMISSION (OPT_P_GENERAL
);
4767 options
->mtu_test
= true;
4770 else if (streq (p
[0], "nice") && p
[1])
4772 VERIFY_PERMISSION (OPT_P_NICE
);
4773 options
->nice
= atoi (p
[1]);
4775 else if (streq (p
[0], "rcvbuf") && p
[1])
4777 VERIFY_PERMISSION (OPT_P_SOCKBUF
);
4778 options
->rcvbuf
= positive_atoi (p
[1]);
4780 else if (streq (p
[0], "sndbuf") && p
[1])
4782 VERIFY_PERMISSION (OPT_P_SOCKBUF
);
4783 options
->sndbuf
= positive_atoi (p
[1]);
4785 else if (streq (p
[0], "mark") && p
[1])
4787 #if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
4788 VERIFY_PERMISSION (OPT_P_GENERAL
);
4789 options
->mark
= atoi(p
[1]);
4792 else if (streq (p
[0], "socket-flags"))
4795 VERIFY_PERMISSION (OPT_P_SOCKFLAGS
);
4796 for (j
= 1; j
< MAX_PARMS
&& p
[j
]; ++j
)
4798 if (streq (p
[j
], "TCP_NODELAY"))
4799 options
->sockflags
|= SF_TCP_NODELAY
;
4801 msg (msglevel
, "unknown socket flag: %s", p
[j
]);
4804 else if (streq (p
[0], "txqueuelen") && p
[1])
4806 VERIFY_PERMISSION (OPT_P_GENERAL
);
4808 options
->tuntap_options
.txqueuelen
= positive_atoi (p
[1]);
4810 msg (msglevel
, "--txqueuelen not supported on this OS");
4814 else if (streq (p
[0], "shaper") && p
[1])
4816 #ifdef ENABLE_FEATURE_SHAPER
4819 VERIFY_PERMISSION (OPT_P_SHAPER
);
4820 shaper
= atoi (p
[1]);
4821 if (shaper
< SHAPER_MIN
|| shaper
> SHAPER_MAX
)
4823 msg (msglevel
, "Bad shaper value, must be between %d and %d",
4824 SHAPER_MIN
, SHAPER_MAX
);
4827 options
->shaper
= shaper
;
4828 #else /* ENABLE_FEATURE_SHAPER */
4829 VERIFY_PERMISSION (OPT_P_GENERAL
);
4830 msg (msglevel
, "--shaper requires the gettimeofday() function which is missing");
4832 #endif /* ENABLE_FEATURE_SHAPER */
4834 else if (streq (p
[0], "port") && p
[1])
4838 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4840 if (!legal_ipv4_port (port
))
4842 msg (msglevel
, "Bad port number: %s", p
[1]);
4845 options
->ce
.local_port
= options
->ce
.remote_port
= port
;
4847 else if (streq (p
[0], "lport") && p
[1])
4851 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4853 if ((port
!= 0) && !legal_ipv4_port (port
))
4855 msg (msglevel
, "Bad local port number: %s", p
[1]);
4858 options
->ce
.local_port_defined
= true;
4859 options
->ce
.local_port
= port
;
4861 else if (streq (p
[0], "rport") && p
[1])
4865 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4867 if (!legal_ipv4_port (port
))
4869 msg (msglevel
, "Bad remote port number: %s", p
[1]);
4872 options
->ce
.remote_port
= port
;
4874 else if (streq (p
[0], "bind"))
4876 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4877 options
->ce
.bind_defined
= true;
4879 else if (streq (p
[0], "nobind"))
4881 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4882 options
->ce
.bind_local
= false;
4884 else if (streq (p
[0], "fast-io"))
4886 VERIFY_PERMISSION (OPT_P_GENERAL
);
4887 options
->fast_io
= true;
4889 else if (streq (p
[0], "inactive") && p
[1])
4891 VERIFY_PERMISSION (OPT_P_TIMER
);
4892 options
->inactivity_timeout
= positive_atoi (p
[1]);
4894 options
->inactivity_minimum_bytes
= positive_atoi (p
[2]);
4896 else if (streq (p
[0], "proto") && p
[1])
4899 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4900 proto
= ascii2proto (p
[1]);
4903 msg (msglevel
, "Bad protocol: '%s'. Allowed protocols with --proto option: %s",
4905 proto2ascii_all (&gc
));
4908 options
->ce
.proto
= proto
;
4910 else if (streq (p
[0], "proto-force") && p
[1])
4913 VERIFY_PERMISSION (OPT_P_GENERAL
);
4914 proto_force
= ascii2proto (p
[1]);
4915 if (proto_force
< 0)
4917 msg (msglevel
, "Bad --proto-force protocol: '%s'", p
[1]);
4920 options
->proto_force
= proto_force
;
4921 options
->force_connection_list
= true;
4923 #ifdef ENABLE_HTTP_PROXY
4924 else if (streq (p
[0], "http-proxy") && p
[1])
4926 struct http_proxy_options
*ho
;
4928 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4934 msg (msglevel
, "http-proxy port number not defined");
4938 if (!legal_ipv4_port (port
))
4940 msg (msglevel
, "Bad http-proxy port number: %s", p
[2]);
4944 ho
= init_http_proxy_options_once (&options
->ce
.http_proxy_options
, &options
->gc
);
4952 /* auto -- try to figure out proxy addr, port, and type automatically */
4953 /* semiauto -- given proxy addr:port, try to figure out type automatically */
4954 /* (auto|semiauto)-nct -- disable proxy auth cleartext protocols (i.e. basic auth) */
4955 if (streq (p
[3], "auto"))
4956 ho
->auth_retry
= PAR_ALL
;
4957 else if (streq (p
[3], "auto-nct"))
4958 ho
->auth_retry
= PAR_NCT
;
4961 ho
->auth_method_string
= "basic";
4962 ho
->auth_file
= p
[3];
4966 ho
->auth_method_string
= p
[4];
4972 ho
->auth_method_string
= "none";
4975 else if (streq (p
[0], "http-proxy-retry"))
4977 struct http_proxy_options
*ho
;
4978 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4979 ho
= init_http_proxy_options_once (&options
->ce
.http_proxy_options
, &options
->gc
);
4982 else if (streq (p
[0], "http-proxy-timeout") && p
[1])
4984 struct http_proxy_options
*ho
;
4986 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4987 ho
= init_http_proxy_options_once (&options
->ce
.http_proxy_options
, &options
->gc
);
4988 ho
->timeout
= positive_atoi (p
[1]);
4990 else if (streq (p
[0], "http-proxy-option") && p
[1])
4992 struct http_proxy_options
*ho
;
4994 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
4995 ho
= init_http_proxy_options_once (&options
->ce
.http_proxy_options
, &options
->gc
);
4997 if (streq (p
[1], "VERSION") && p
[2])
4999 ho
->http_version
= p
[2];
5001 else if (streq (p
[1], "AGENT") && p
[2])
5003 ho
->user_agent
= p
[2];
5007 msg (msglevel
, "Bad http-proxy-option or missing parameter: '%s'", p
[1]);
5012 else if (streq (p
[0], "socks-proxy") && p
[1])
5014 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
5020 if (!legal_ipv4_port (port
))
5022 msg (msglevel
, "Bad socks-proxy port number: %s", p
[2]);
5025 options
->ce
.socks_proxy_port
= port
;
5029 options
->ce
.socks_proxy_port
= 1080;
5031 options
->ce
.socks_proxy_server
= p
[1];
5032 options
->ce
.socks_proxy_authfile
= p
[3]; /* might be NULL */
5034 else if (streq (p
[0], "socks-proxy-retry"))
5036 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
5037 options
->ce
.socks_proxy_retry
= true;
5040 else if (streq (p
[0], "keepalive") && p
[1] && p
[2])
5042 VERIFY_PERMISSION (OPT_P_GENERAL
);
5043 options
->keepalive_ping
= atoi (p
[1]);
5044 options
->keepalive_timeout
= atoi (p
[2]);
5046 else if (streq (p
[0], "ping") && p
[1])
5048 VERIFY_PERMISSION (OPT_P_TIMER
);
5049 options
->ping_send_timeout
= positive_atoi (p
[1]);
5051 else if (streq (p
[0], "ping-exit") && p
[1])
5053 VERIFY_PERMISSION (OPT_P_TIMER
);
5054 options
->ping_rec_timeout
= positive_atoi (p
[1]);
5055 options
->ping_rec_timeout_action
= PING_EXIT
;
5057 else if (streq (p
[0], "ping-restart") && p
[1])
5059 VERIFY_PERMISSION (OPT_P_TIMER
);
5060 options
->ping_rec_timeout
= positive_atoi (p
[1]);
5061 options
->ping_rec_timeout_action
= PING_RESTART
;
5063 else if (streq (p
[0], "ping-timer-rem"))
5065 VERIFY_PERMISSION (OPT_P_TIMER
);
5066 options
->ping_timer_remote
= true;
5069 else if (streq (p
[0], "explicit-exit-notify"))
5071 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
|OPT_P_EXPLICIT_NOTIFY
);
5074 options
->ce
.explicit_exit_notification
= positive_atoi (p
[1]);
5078 options
->ce
.explicit_exit_notification
= 1;
5082 else if (streq (p
[0], "persist-tun"))
5084 VERIFY_PERMISSION (OPT_P_PERSIST
);
5085 options
->persist_tun
= true;
5087 else if (streq (p
[0], "persist-key"))
5089 VERIFY_PERMISSION (OPT_P_PERSIST
);
5090 options
->persist_key
= true;
5092 else if (streq (p
[0], "persist-local-ip"))
5094 VERIFY_PERMISSION (OPT_P_PERSIST_IP
);
5095 options
->persist_local_ip
= true;
5097 else if (streq (p
[0], "persist-remote-ip"))
5099 VERIFY_PERMISSION (OPT_P_PERSIST_IP
);
5100 options
->persist_remote_ip
= true;
5102 #ifdef ENABLE_CLIENT_NAT
5103 else if (streq (p
[0], "client-nat") && p
[1] && p
[2] && p
[3] && p
[4])
5105 VERIFY_PERMISSION (OPT_P_ROUTE
);
5106 cnol_check_alloc (options
);
5107 add_client_nat_to_option_list(options
->client_nat
, p
[1], p
[2], p
[3], p
[4], msglevel
);
5110 else if (streq (p
[0], "route") && p
[1])
5112 VERIFY_PERMISSION (OPT_P_ROUTE
);
5113 rol_check_alloc (options
);
5116 if (!ip_or_dns_addr_safe (p
[1], options
->allow_pull_fqdn
) && !is_special_addr (p
[1])) /* FQDN -- may be DNS name */
5118 msg (msglevel
, "route parameter network/IP '%s' must be a valid address", p
[1]);
5121 if (p
[2] && !ip_addr_dotted_quad_safe (p
[2])) /* FQDN -- must be IP address */
5123 msg (msglevel
, "route parameter netmask '%s' must be an IP address", p
[2]);
5126 if (p
[3] && !ip_or_dns_addr_safe (p
[3], options
->allow_pull_fqdn
) && !is_special_addr (p
[3])) /* FQDN -- may be DNS name */
5128 msg (msglevel
, "route parameter gateway '%s' must be a valid address", p
[3]);
5132 add_route_to_option_list (options
->routes
, p
[1], p
[2], p
[3], p
[4]);
5134 else if (streq (p
[0], "route-ipv6") && p
[1])
5136 VERIFY_PERMISSION (OPT_P_ROUTE
);
5137 rol6_check_alloc (options
);
5140 if (!ipv6_addr_safe_hexplusbits (p
[1]))
5142 msg (msglevel
, "route-ipv6 parameter network/IP '%s' must be a valid address", p
[1]);
5145 if (p
[2] && !ipv6_addr_safe (p
[2]))
5147 msg (msglevel
, "route-ipv6 parameter gateway '%s' must be a valid address", p
[2]);
5150 /* p[3] is metric, if present */
5152 add_route_ipv6_to_option_list (options
->routes_ipv6
, p
[1], p
[2], p
[3]);
5154 else if (streq (p
[0], "max-routes") && p
[1])
5158 VERIFY_PERMISSION (OPT_P_GENERAL
);
5159 max_routes
= atoi (p
[1]);
5160 if (max_routes
< 0 || max_routes
> 100000000)
5162 msg (msglevel
, "--max-routes parameter is out of range");
5165 if (options
->routes
|| options
->routes_ipv6
)
5167 msg (msglevel
, "--max-routes must to be specifed before any route/route-ipv6/redirect-gateway option");
5170 options
->max_routes
= max_routes
;
5172 else if (streq (p
[0], "route-gateway") && p
[1])
5174 VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS
);
5175 if (streq (p
[1], "dhcp"))
5177 options
->route_gateway_via_dhcp
= true;
5181 if (ip_or_dns_addr_safe (p
[1], options
->allow_pull_fqdn
) || is_special_addr (p
[1])) /* FQDN -- may be DNS name */
5183 options
->route_default_gateway
= p
[1];
5187 msg (msglevel
, "route-gateway parm '%s' must be a valid address", p
[1]);
5192 else if (streq (p
[0], "route-metric") && p
[1])
5194 VERIFY_PERMISSION (OPT_P_ROUTE
);
5195 options
->route_default_metric
= positive_atoi (p
[1]);
5197 else if (streq (p
[0], "route-delay"))
5199 VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS
);
5200 options
->route_delay_defined
= true;
5203 options
->route_delay
= positive_atoi (p
[1]);
5206 options
->route_delay_window
= positive_atoi (p
[2]);
5211 options
->route_delay
= 0;
5214 else if (streq (p
[0], "route-up") && p
[1])
5216 VERIFY_PERMISSION (OPT_P_SCRIPT
);
5217 if (!no_more_than_n_args (msglevel
, p
, 2, NM_QUOTE_HINT
))
5219 set_user_script (options
, &options
->route_script
, p
[1], "route-up");
5221 else if (streq (p
[0], "route-pre-down") && p
[1])
5223 VERIFY_PERMISSION (OPT_P_SCRIPT
);
5224 if (!no_more_than_n_args (msglevel
, p
, 2, NM_QUOTE_HINT
))
5226 set_user_script (options
,
5227 &options
->route_predown_script
,
5231 else if (streq (p
[0], "route-noexec"))
5233 VERIFY_PERMISSION (OPT_P_SCRIPT
);
5234 options
->route_noexec
= true;
5236 else if (streq (p
[0], "route-nopull"))
5238 VERIFY_PERMISSION (OPT_P_GENERAL
);
5239 options
->route_nopull
= true;
5241 else if (streq (p
[0], "allow-pull-fqdn"))
5243 VERIFY_PERMISSION (OPT_P_GENERAL
);
5244 options
->allow_pull_fqdn
= true;
5246 else if (streq (p
[0], "redirect-gateway") || streq (p
[0], "redirect-private"))
5249 VERIFY_PERMISSION (OPT_P_ROUTE
);
5250 rol_check_alloc (options
);
5251 if (streq (p
[0], "redirect-gateway"))
5252 options
->routes
->flags
|= RG_REROUTE_GW
;
5253 for (j
= 1; j
< MAX_PARMS
&& p
[j
] != NULL
; ++j
)
5255 if (streq (p
[j
], "local"))
5256 options
->routes
->flags
|= RG_LOCAL
;
5257 else if (streq (p
[j
], "autolocal"))
5258 options
->routes
->flags
|= RG_AUTO_LOCAL
;
5259 else if (streq (p
[j
], "def1"))
5260 options
->routes
->flags
|= RG_DEF1
;
5261 else if (streq (p
[j
], "bypass-dhcp"))
5262 options
->routes
->flags
|= RG_BYPASS_DHCP
;
5263 else if (streq (p
[j
], "bypass-dns"))
5264 options
->routes
->flags
|= RG_BYPASS_DNS
;
5265 else if (streq (p
[j
], "block-local"))
5266 options
->routes
->flags
|= RG_BLOCK_LOCAL
;
5269 msg (msglevel
, "unknown --%s flag: %s", p
[0], p
[j
]);
5273 options
->routes
->flags
|= RG_ENABLE
;
5275 else if (streq (p
[0], "remote-random-hostname"))
5277 VERIFY_PERMISSION (OPT_P_GENERAL
);
5278 options
->sockflags
|= SF_HOST_RANDOMIZE
;
5280 else if (streq (p
[0], "setenv") && p
[1])
5282 VERIFY_PERMISSION (OPT_P_GENERAL
);
5283 if (streq (p
[1], "REMOTE_RANDOM_HOSTNAME"))
5285 options
->sockflags
|= SF_HOST_RANDOMIZE
;
5287 else if (streq (p
[1], "GENERIC_CONFIG"))
5289 msg (msglevel
, "this is a generic configuration and cannot directly be used");
5292 #ifdef ENABLE_PUSH_PEER_INFO
5293 else if (streq (p
[1], "PUSH_PEER_INFO"))
5295 options
->push_peer_info
= true;
5299 else if (streq (p
[1], "SERVER_POLL_TIMEOUT") && p
[2])
5301 options
->server_poll_timeout
= positive_atoi(p
[2]);
5306 if (streq (p
[1], "FORWARD_COMPATIBLE") && p
[2] && streq (p
[2], "1"))
5308 options
->forward_compatible
= true;
5309 msglevel_fc
= msglevel_forward_compatible (options
, msglevel
);
5311 setenv_str (es
, p
[1], p
[2] ? p
[2] : "");
5314 else if (streq (p
[0], "setenv-safe") && p
[1])
5316 VERIFY_PERMISSION (OPT_P_SETENV
);
5317 setenv_str_safe (es
, p
[1], p
[2] ? p
[2] : "");
5319 else if (streq (p
[0], "script-security") && p
[1])
5321 VERIFY_PERMISSION (OPT_P_GENERAL
);
5322 script_security
= atoi (p
[1]);
5324 else if (streq (p
[0], "mssfix"))
5326 VERIFY_PERMISSION (OPT_P_GENERAL
|OPT_P_CONNECTION
);
5329 options
->ce
.mssfix
= positive_atoi (p
[1]);
5332 options
->ce
.mssfix_default
= true;
5336 else if (streq (p
[0], "disable-occ"))
5338 VERIFY_PERMISSION (OPT_P_GENERAL
);
5339 options
->occ
= false;
5344 else if (streq (p
[0], "server") && p
[1] && p
[2])
5346 const int lev
= M_WARN
;
5348 in_addr_t network
, netmask
;
5350 VERIFY_PERMISSION (OPT_P_GENERAL
);
5351 network
= get_ip_addr (p
[1], lev
, &error
);
5352 netmask
= get_ip_addr (p
[2], lev
, &error
);
5353 if (error
|| !network
|| !netmask
)
5355 msg (msglevel
, "error parsing --server parameters");
5358 options
->server_defined
= true;
5359 options
->server_network
= network
;
5360 options
->server_netmask
= netmask
;
5364 if (streq (p
[3], "nopool"))
5365 options
->server_flags
|= SF_NOPOOL
;
5368 msg (msglevel
, "error parsing --server: %s is not a recognized flag", p
[3]);
5373 else if (streq (p
[0], "server-ipv6") && p
[1] )
5375 const int lev
= M_WARN
;
5376 struct in6_addr network
;
5377 unsigned int netbits
= 0;
5379 VERIFY_PERMISSION (OPT_P_GENERAL
);
5380 if ( ! get_ipv6_addr (p
[1], &network
, &netbits
, NULL
, lev
) )
5382 msg (msglevel
, "error parsing --server-ipv6 parameter");
5385 if ( netbits
< 64 || netbits
> 112 )
5387 msg( msglevel
, "--server-ipv6 settings: only /64../112 supported right now (not /%d)", netbits
);
5390 options
->server_ipv6_defined
= true;
5391 options
->server_network_ipv6
= network
;
5392 options
->server_netbits_ipv6
= netbits
;
5394 if (p
[2]) /* no "nopool" options or similar for IPv6 */
5396 msg (msglevel
, "error parsing --server-ipv6: %s is not a recognized flag", p
[3]);
5400 else if (streq (p
[0], "server-bridge") && p
[1] && p
[2] && p
[3] && p
[4])
5402 const int lev
= M_WARN
;
5404 in_addr_t ip
, netmask
, pool_start
, pool_end
;
5406 VERIFY_PERMISSION (OPT_P_GENERAL
);
5407 ip
= get_ip_addr (p
[1], lev
, &error
);
5408 netmask
= get_ip_addr (p
[2], lev
, &error
);
5409 pool_start
= get_ip_addr (p
[3], lev
, &error
);
5410 pool_end
= get_ip_addr (p
[4], lev
, &error
);
5411 if (error
|| !ip
|| !netmask
|| !pool_start
|| !pool_end
)
5413 msg (msglevel
, "error parsing --server-bridge parameters");
5416 options
->server_bridge_defined
= true;
5417 options
->server_bridge_ip
= ip
;
5418 options
->server_bridge_netmask
= netmask
;
5419 options
->server_bridge_pool_start
= pool_start
;
5420 options
->server_bridge_pool_end
= pool_end
;
5422 else if (streq (p
[0], "server-bridge") && p
[1] && streq (p
[1], "nogw"))
5424 VERIFY_PERMISSION (OPT_P_GENERAL
);
5425 options
->server_bridge_proxy_dhcp
= true;
5426 options
->server_flags
|= SF_NO_PUSH_ROUTE_GATEWAY
;
5428 else if (streq (p
[0], "server-bridge") && !p
[1])
5430 VERIFY_PERMISSION (OPT_P_GENERAL
);
5431 options
->server_bridge_proxy_dhcp
= true;
5433 else if (streq (p
[0], "push") && p
[1])
5435 VERIFY_PERMISSION (OPT_P_PUSH
);
5436 push_options (options
, &p
[1], msglevel
, &options
->gc
);
5438 else if (streq (p
[0], "push-reset"))
5440 VERIFY_PERMISSION (OPT_P_INSTANCE
);
5441 push_reset (options
);
5443 else if (streq (p
[0], "ifconfig-pool") && p
[1] && p
[2])
5445 const int lev
= M_WARN
;
5447 in_addr_t start
, end
, netmask
=0;
5449 VERIFY_PERMISSION (OPT_P_GENERAL
);
5450 start
= get_ip_addr (p
[1], lev
, &error
);
5451 end
= get_ip_addr (p
[2], lev
, &error
);
5454 netmask
= get_ip_addr (p
[3], lev
, &error
);
5458 msg (msglevel
, "error parsing --ifconfig-pool parameters");
5461 if (!ifconfig_pool_verify_range (msglevel
, start
, end
))
5464 options
->ifconfig_pool_defined
= true;
5465 options
->ifconfig_pool_start
= start
;
5466 options
->ifconfig_pool_end
= end
;
5468 options
->ifconfig_pool_netmask
= netmask
;
5470 else if (streq (p
[0], "ifconfig-pool-persist") && p
[1])
5472 VERIFY_PERMISSION (OPT_P_GENERAL
);
5473 options
->ifconfig_pool_persist_filename
= p
[1];
5476 options
->ifconfig_pool_persist_refresh_freq
= positive_atoi (p
[2]);
5479 else if (streq (p
[0], "ifconfig-pool-linear"))
5481 VERIFY_PERMISSION (OPT_P_GENERAL
);
5482 options
->topology
= TOP_P2P
;
5484 else if (streq (p
[0], "ifconfig-ipv6-pool") && p
[1] )
5486 const int lev
= M_WARN
;
5487 struct in6_addr network
;
5488 unsigned int netbits
= 0;
5490 VERIFY_PERMISSION (OPT_P_GENERAL
);
5491 if ( ! get_ipv6_addr (p
[1], &network
, &netbits
, NULL
, lev
) )
5493 msg (msglevel
, "error parsing --ifconfig-ipv6-pool parameters");
5496 if ( netbits
< 64 || netbits
> 112 )
5498 msg( msglevel
, "--ifconfig-ipv6-pool settings: only /64../112 supported right now (not /%d)", netbits
);
5502 options
->ifconfig_ipv6_pool_defined
= true;
5503 options
->ifconfig_ipv6_pool_base
= network
;
5504 options
->ifconfig_ipv6_pool_netbits
= netbits
;
5506 else if (streq (p
[0], "hash-size") && p
[1] && p
[2])
5510 VERIFY_PERMISSION (OPT_P_GENERAL
);
5512 virtual = atoi (p
[2]);
5513 if (real
< 1 || virtual < 1)
5515 msg (msglevel
, "--hash-size sizes must be >= 1 (preferably a power of 2)");
5518 options
->real_hash_size
= real
;
5519 options
->virtual_hash_size
= real
;
5521 else if (streq (p
[0], "connect-freq") && p
[1] && p
[2])
5525 VERIFY_PERMISSION (OPT_P_GENERAL
);
5526 cf_max
= atoi (p
[1]);
5527 cf_per
= atoi (p
[2]);
5528 if (cf_max
< 0 || cf_per
< 0)
5530 msg (msglevel
, "--connect-freq parms must be > 0");
5533 options
->cf_max
= cf_max
;
5534 options
->cf_per
= cf_per
;
5536 else if (streq (p
[0], "max-clients") && p
[1])
5540 VERIFY_PERMISSION (OPT_P_GENERAL
);
5541 max_clients
= atoi (p
[1]);
5542 if (max_clients
< 0)
5544 msg (msglevel
, "--max-clients must be at least 1");
5547 options
->max_clients
= max_clients
;
5549 else if (streq (p
[0], "max-routes-per-client") && p
[1])
5551 VERIFY_PERMISSION (OPT_P_INHERIT
);
5552 options
->max_routes_per_client
= max_int (atoi (p
[1]), 1);
5554 else if (streq (p
[0], "client-cert-not-required"))
5556 VERIFY_PERMISSION (OPT_P_GENERAL
);
5557 options
->ssl_flags
|= SSLF_CLIENT_CERT_NOT_REQUIRED
;
5559 else if (streq (p
[0], "username-as-common-name"))
5561 VERIFY_PERMISSION (OPT_P_GENERAL
);
5562 options
->ssl_flags
|= SSLF_USERNAME_AS_COMMON_NAME
;
5564 else if (streq (p
[0], "auth-user-pass-optional"))
5566 VERIFY_PERMISSION (OPT_P_GENERAL
);
5567 options
->ssl_flags
|= SSLF_AUTH_USER_PASS_OPTIONAL
;
5569 else if (streq (p
[0], "opt-verify"))
5571 VERIFY_PERMISSION (OPT_P_GENERAL
);
5572 options
->ssl_flags
|= SSLF_OPT_VERIFY
;
5574 else if (streq (p
[0], "auth-user-pass-verify") && p
[1])
5576 VERIFY_PERMISSION (OPT_P_SCRIPT
);
5577 if (!no_more_than_n_args (msglevel
, p
, 3, NM_QUOTE_HINT
))
5581 if (streq (p
[2], "via-env"))
5582 options
->auth_user_pass_verify_script_via_file
= false;
5583 else if (streq (p
[2], "via-file"))
5584 options
->auth_user_pass_verify_script_via_file
= true;
5587 msg (msglevel
, "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
5593 msg (msglevel
, "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
5596 set_user_script (options
,
5597 &options
->auth_user_pass_verify_script
,
5598 p
[1], "auth-user-pass-verify");
5600 else if (streq (p
[0], "client-connect") && p
[1])
5602 VERIFY_PERMISSION (OPT_P_SCRIPT
);
5603 if (!no_more_than_n_args (msglevel
, p
, 2, NM_QUOTE_HINT
))
5605 set_user_script (options
, &options
->client_connect_script
,
5606 p
[1], "client-connect");
5608 else if (streq (p
[0], "client-disconnect") && p
[1])
5610 VERIFY_PERMISSION (OPT_P_SCRIPT
);
5611 if (!no_more_than_n_args (msglevel
, p
, 2, NM_QUOTE_HINT
))
5613 set_user_script (options
, &options
->client_disconnect_script
,
5614 p
[1], "client-disconnect");
5616 else if (streq (p
[0], "learn-address") && p
[1])
5618 VERIFY_PERMISSION (OPT_P_SCRIPT
);
5619 if (!no_more_than_n_args (msglevel
, p
, 2, NM_QUOTE_HINT
))
5621 set_user_script (options
, &options
->learn_address_script
,
5622 p
[1], "learn-address");
5624 else if (streq (p
[0], "tmp-dir") && p
[1])
5626 VERIFY_PERMISSION (OPT_P_GENERAL
);
5627 options
->tmp_dir
= p
[1];
5629 else if (streq (p
[0], "client-config-dir") && p
[1])
5631 VERIFY_PERMISSION (OPT_P_GENERAL
);
5632 options
->client_config_dir
= p
[1];
5634 else if (streq (p
[0], "ccd-exclusive"))
5636 VERIFY_PERMISSION (OPT_P_GENERAL
);
5637 options
->ccd_exclusive
= true;
5639 else if (streq (p
[0], "bcast-buffers") && p
[1])
5643 VERIFY_PERMISSION (OPT_P_GENERAL
);
5644 n_bcast_buf
= atoi (p
[1]);
5645 if (n_bcast_buf
< 1)
5646 msg (msglevel
, "--bcast-buffers parameter must be > 0");
5647 options
->n_bcast_buf
= n_bcast_buf
;
5649 else if (streq (p
[0], "tcp-queue-limit") && p
[1])
5651 int tcp_queue_limit
;
5653 VERIFY_PERMISSION (OPT_P_GENERAL
);
5654 tcp_queue_limit
= atoi (p
[1]);
5655 if (tcp_queue_limit
< 1)
5656 msg (msglevel
, "--tcp-queue-limit parameter must be > 0");
5657 options
->tcp_queue_limit
= tcp_queue_limit
;
5660 else if (streq (p
[0], "port-share") && p
[1] && p
[2])
5664 VERIFY_PERMISSION (OPT_P_GENERAL
);
5666 if (!legal_ipv4_port (port
))
5668 msg (msglevel
, "port number associated with --port-share directive is out of range");
5672 options
->port_share_host
= p
[1];
5673 options
->port_share_port
= port
;
5674 options
->port_share_journal_dir
= p
[3];
5677 else if (streq (p
[0], "client-to-client"))
5679 VERIFY_PERMISSION (OPT_P_GENERAL
);
5680 options
->enable_c2c
= true;
5682 else if (streq (p
[0], "duplicate-cn"))
5684 VERIFY_PERMISSION (OPT_P_GENERAL
);
5685 options
->duplicate_cn
= true;
5687 else if (streq (p
[0], "iroute") && p
[1])
5689 const char *netmask
= NULL
;
5691 VERIFY_PERMISSION (OPT_P_INSTANCE
);
5696 option_iroute (options
, p
[1], netmask
, msglevel
);
5698 else if (streq (p
[0], "iroute-ipv6") && p
[1])
5700 VERIFY_PERMISSION (OPT_P_INSTANCE
);
5701 option_iroute_ipv6 (options
, p
[1], msglevel
);
5703 else if (streq (p
[0], "ifconfig-push") && p
[1] && p
[2])
5705 in_addr_t local
, remote_netmask
;
5707 VERIFY_PERMISSION (OPT_P_INSTANCE
);
5708 local
= getaddr (GETADDR_HOST_ORDER
|GETADDR_RESOLVE
, p
[1], 0, NULL
, NULL
);
5709 remote_netmask
= getaddr (GETADDR_HOST_ORDER
|GETADDR_RESOLVE
, p
[2], 0, NULL
, NULL
);
5710 if (local
&& remote_netmask
)
5712 options
->push_ifconfig_defined
= true;
5713 options
->push_ifconfig_local
= local
;
5714 options
->push_ifconfig_remote_netmask
= remote_netmask
;
5715 #ifdef ENABLE_CLIENT_NAT
5717 options
->push_ifconfig_local_alias
= getaddr (GETADDR_HOST_ORDER
|GETADDR_RESOLVE
, p
[3], 0, NULL
, NULL
);
5722 msg (msglevel
, "cannot parse --ifconfig-push addresses");
5726 else if (streq (p
[0], "ifconfig-push-constraint") && p
[1] && p
[2])
5728 in_addr_t network
, netmask
;
5730 VERIFY_PERMISSION (OPT_P_GENERAL
);
5731 network
= getaddr (GETADDR_HOST_ORDER
|GETADDR_RESOLVE
, p
[1], 0, NULL
, NULL
);
5732 netmask
= getaddr (GETADDR_HOST_ORDER
, p
[2], 0, NULL
, NULL
);
5733 if (network
&& netmask
)
5735 options
->push_ifconfig_constraint_defined
= true;
5736 options
->push_ifconfig_constraint_network
= network
;
5737 options
->push_ifconfig_constraint_netmask
= netmask
;
5741 msg (msglevel
, "cannot parse --ifconfig-push-constraint addresses");
5745 else if (streq (p
[0], "ifconfig-ipv6-push") && p
[1] )
5747 struct in6_addr local
, remote
;
5748 unsigned int netbits
;
5750 VERIFY_PERMISSION (OPT_P_INSTANCE
);
5752 if ( ! get_ipv6_addr( p
[1], &local
, &netbits
, NULL
, msglevel
) )
5754 msg (msglevel
, "cannot parse --ifconfig-ipv6-push addresses");
5760 if ( !get_ipv6_addr( p
[2], &remote
, NULL
, NULL
, msglevel
) )
5762 msg( msglevel
, "cannot parse --ifconfig-ipv6-push addresses");
5768 if ( ! options
->ifconfig_ipv6_local
||
5769 ! get_ipv6_addr( options
->ifconfig_ipv6_local
, &remote
,
5770 NULL
, NULL
, msglevel
) )
5772 msg( msglevel
, "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
5777 options
->push_ifconfig_ipv6_defined
= true;
5778 options
->push_ifconfig_ipv6_local
= local
;
5779 options
->push_ifconfig_ipv6_netbits
= netbits
;
5780 options
->push_ifconfig_ipv6_remote
= remote
;
5782 else if (streq (p
[0], "disable"))
5784 VERIFY_PERMISSION (OPT_P_INSTANCE
);
5785 options
->disable
= true;
5787 else if (streq (p
[0], "tcp-nodelay"))
5789 VERIFY_PERMISSION (OPT_P_GENERAL
);
5790 options
->server_flags
|= SF_TCP_NODELAY_HELPER
;
5792 else if (streq (p
[0], "stale-routes-check") && p
[1])
5794 int ageing_time
, check_interval
;
5796 VERIFY_PERMISSION (OPT_P_GENERAL
);
5797 ageing_time
= atoi (p
[1]);
5799 check_interval
= atoi (p
[2]);
5801 check_interval
= ageing_time
;
5803 if (ageing_time
< 1 || check_interval
< 1)
5805 msg (msglevel
, "--stale-routes-check aging time and check interval must be >= 1");
5808 options
->stale_routes_ageing_time
= ageing_time
;
5809 options
->stale_routes_check_interval
= check_interval
;
5811 #endif /* P2MP_SERVER */
5813 else if (streq (p
[0], "client"))
5815 VERIFY_PERMISSION (OPT_P_GENERAL
);
5816 options
->client
= true;
5818 else if (streq (p
[0], "pull"))
5820 VERIFY_PERMISSION (OPT_P_GENERAL
);
5821 options
->pull
= true;
5823 else if (streq (p
[0], "push-continuation") && p
[1])
5825 VERIFY_PERMISSION (OPT_P_PULL_MODE
);
5826 options
->push_continuation
= atoi(p
[1]);
5828 else if (streq (p
[0], "server-poll-timeout") && p
[1])
5830 VERIFY_PERMISSION (OPT_P_GENERAL
);
5831 options
->server_poll_timeout
= positive_atoi(p
[1]);
5833 else if (streq (p
[0], "auth-user-pass"))
5835 VERIFY_PERMISSION (OPT_P_GENERAL
);
5838 options
->auth_user_pass_file
= p
[1];
5841 options
->auth_user_pass_file
= "stdin";
5843 else if (streq (p
[0], "auth-retry") && p
[1])
5845 VERIFY_PERMISSION (OPT_P_GENERAL
);
5846 auth_retry_set (msglevel
, p
[1]);
5848 #ifdef ENABLE_CLIENT_CR
5849 else if (streq (p
[0], "static-challenge") && p
[1] && p
[2])
5851 VERIFY_PERMISSION (OPT_P_GENERAL
);
5852 options
->sc_info
.challenge_text
= p
[1];
5854 options
->sc_info
.flags
|= SC_ECHO
;
5859 else if (streq (p
[0], "win-sys") && p
[1])
5861 VERIFY_PERMISSION (OPT_P_GENERAL
);
5862 if (streq (p
[1], "env"))
5863 msg (M_INFO
, "NOTE: --win-sys env is default from OpenVPN v2.3. "
5864 "This entry will now be ignored. "
5865 "Please remove this entry from your configuration file.");
5867 set_win_sys_path (p
[1], es
);
5869 else if (streq (p
[0], "route-method") && p
[1])
5871 VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS
);
5872 if (streq (p
[1], "adaptive"))
5873 options
->route_method
= ROUTE_METHOD_ADAPTIVE
;
5874 else if (streq (p
[1], "ipapi"))
5875 options
->route_method
= ROUTE_METHOD_IPAPI
;
5876 else if (streq (p
[1], "exe"))
5877 options
->route_method
= ROUTE_METHOD_EXE
;
5880 msg (msglevel
, "--route method must be 'adaptive', 'ipapi', or 'exe'");
5884 else if (streq (p
[0], "ip-win32") && p
[1])
5886 const int index
= ascii2ipset (p
[1]);
5887 struct tuntap_options
*to
= &options
->tuntap_options
;
5889 VERIFY_PERMISSION (OPT_P_IPWIN32
);
5894 "Bad --ip-win32 method: '%s'. Allowed methods: %s",
5896 ipset2ascii_all (&gc
));
5900 if (index
== IPW32_SET_ADAPTIVE
)
5901 options
->route_delay_window
= IPW32_SET_ADAPTIVE_DELAY_WINDOW
;
5903 if (index
== IPW32_SET_DHCP_MASQ
)
5907 if (!streq (p
[2], "default"))
5909 int offset
= atoi (p
[2]);
5911 if (!(offset
> -256 && offset
< 256))
5913 msg (msglevel
, "--ip-win32 dynamic [offset] [lease-time]: offset (%d) must be > -256 and < 256", offset
);
5917 to
->dhcp_masq_custom_offset
= true;
5918 to
->dhcp_masq_offset
= offset
;
5923 const int min_lease
= 30;
5925 lease_time
= atoi (p
[3]);
5926 if (lease_time
< min_lease
)
5928 msg (msglevel
, "--ip-win32 dynamic [offset] [lease-time]: lease time parameter (%d) must be at least %d seconds", lease_time
, min_lease
);
5931 to
->dhcp_lease_time
= lease_time
;
5935 to
->ip_win32_type
= index
;
5936 to
->ip_win32_defined
= true;
5938 else if (streq (p
[0], "dhcp-option") && p
[1])
5940 struct tuntap_options
*o
= &options
->tuntap_options
;
5941 VERIFY_PERMISSION (OPT_P_IPWIN32
);
5943 if (streq (p
[1], "DOMAIN") && p
[2])
5947 else if (streq (p
[1], "NBS") && p
[2])
5949 o
->netbios_scope
= p
[2];
5951 else if (streq (p
[1], "NBT") && p
[2])
5955 if (!(t
== 1 || t
== 2 || t
== 4 || t
== 8))
5957 msg (msglevel
, "--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t
);
5960 o
->netbios_node_type
= t
;
5962 else if (streq (p
[1], "DNS") && p
[2])
5964 dhcp_option_address_parse ("DNS", p
[2], o
->dns
, &o
->dns_len
, msglevel
);
5966 else if (streq (p
[1], "WINS") && p
[2])
5968 dhcp_option_address_parse ("WINS", p
[2], o
->wins
, &o
->wins_len
, msglevel
);
5970 else if (streq (p
[1], "NTP") && p
[2])
5972 dhcp_option_address_parse ("NTP", p
[2], o
->ntp
, &o
->ntp_len
, msglevel
);
5974 else if (streq (p
[1], "NBDD") && p
[2])
5976 dhcp_option_address_parse ("NBDD", p
[2], o
->nbdd
, &o
->nbdd_len
, msglevel
);
5978 else if (streq (p
[1], "DISABLE-NBT"))
5984 msg (msglevel
, "--dhcp-option: unknown option type '%s' or missing parameter", p
[1]);
5987 o
->dhcp_options
= true;
5989 else if (streq (p
[0], "show-adapters"))
5991 VERIFY_PERMISSION (OPT_P_GENERAL
);
5992 show_tap_win_adapters (M_INFO
|M_NOPREFIX
, M_WARN
|M_NOPREFIX
);
5993 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD
); /* exit point */
5995 else if (streq (p
[0], "show-net"))
5997 VERIFY_PERMISSION (OPT_P_GENERAL
);
5998 show_routes (M_INFO
|M_NOPREFIX
);
5999 show_adapters (M_INFO
|M_NOPREFIX
);
6000 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD
); /* exit point */
6002 else if (streq (p
[0], "show-net-up"))
6004 VERIFY_PERMISSION (OPT_P_UP
);
6005 options
->show_net_up
= true;
6007 else if (streq (p
[0], "tap-sleep") && p
[1])
6010 VERIFY_PERMISSION (OPT_P_IPWIN32
);
6012 if (s
< 0 || s
>= 256)
6014 msg (msglevel
, "--tap-sleep parameter must be between 0 and 255");
6017 options
->tuntap_options
.tap_sleep
= s
;
6019 else if (streq (p
[0], "dhcp-renew"))
6021 VERIFY_PERMISSION (OPT_P_IPWIN32
);
6022 options
->tuntap_options
.dhcp_renew
= true;
6024 else if (streq (p
[0], "dhcp-pre-release"))
6026 VERIFY_PERMISSION (OPT_P_IPWIN32
);
6027 options
->tuntap_options
.dhcp_pre_release
= true;
6029 else if (streq (p
[0], "dhcp-release"))
6031 VERIFY_PERMISSION (OPT_P_IPWIN32
);
6032 options
->tuntap_options
.dhcp_release
= true;
6034 else if (streq (p
[0], "dhcp-internal") && p
[1]) /* standalone method for internal use */
6036 unsigned int adapter_index
;
6037 VERIFY_PERMISSION (OPT_P_GENERAL
);
6038 set_debug_level (options
->verbosity
, SDL_CONSTRAIN
);
6039 adapter_index
= atou (p
[1]);
6040 sleep (options
->tuntap_options
.tap_sleep
);
6041 if (options
->tuntap_options
.dhcp_pre_release
)
6042 dhcp_release_by_adapter_index (adapter_index
);
6043 if (options
->tuntap_options
.dhcp_renew
)
6044 dhcp_renew_by_adapter_index (adapter_index
);
6045 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD
); /* exit point */
6047 else if (streq (p
[0], "register-dns"))
6049 VERIFY_PERMISSION (OPT_P_IPWIN32
);
6050 options
->tuntap_options
.register_dns
= true;
6052 else if (streq (p
[0], "rdns-internal"))
6053 /* standalone method for internal use
6055 * (if --register-dns is set, openvpn needs to call itself in a
6056 * sub-process to execute the required functions in a non-blocking
6057 * way, and uses --rdns-internal to signal that to itself)
6060 VERIFY_PERMISSION (OPT_P_GENERAL
);
6061 set_debug_level (options
->verbosity
, SDL_CONSTRAIN
);
6062 if (options
->tuntap_options
.register_dns
)
6063 ipconfig_register_dns (NULL
);
6064 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD
); /* exit point */
6066 else if (streq (p
[0], "show-valid-subnets"))
6068 VERIFY_PERMISSION (OPT_P_GENERAL
);
6069 show_valid_win32_tun_subnets ();
6070 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD
); /* exit point */
6072 else if (streq (p
[0], "pause-exit"))
6074 VERIFY_PERMISSION (OPT_P_GENERAL
);
6075 set_pause_exit_win32 ();
6077 else if (streq (p
[0], "service") && p
[1])
6079 VERIFY_PERMISSION (OPT_P_GENERAL
);
6080 options
->exit_event_name
= p
[1];
6083 options
->exit_event_initial_state
= (atoi(p
[2]) != 0);
6086 else if (streq (p
[0], "allow-nonadmin"))
6088 VERIFY_PERMISSION (OPT_P_GENERAL
);
6089 tap_allow_nonadmin_access (p
[1]);
6090 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD
); /* exit point */
6092 else if (streq (p
[0], "user") && p
[1])
6094 VERIFY_PERMISSION (OPT_P_GENERAL
);
6095 msg (M_WARN
, "NOTE: --user option is not implemented on Windows");
6097 else if (streq (p
[0], "group") && p
[1])
6099 VERIFY_PERMISSION (OPT_P_GENERAL
);
6100 msg (M_WARN
, "NOTE: --group option is not implemented on Windows");
6103 else if (streq (p
[0], "user") && p
[1])
6105 VERIFY_PERMISSION (OPT_P_GENERAL
);
6106 options
->username
= p
[1];
6108 else if (streq (p
[0], "group") && p
[1])
6110 VERIFY_PERMISSION (OPT_P_GENERAL
);
6111 options
->groupname
= p
[1];
6113 else if (streq (p
[0], "dhcp-option") && p
[1])
6115 VERIFY_PERMISSION (OPT_P_IPWIN32
);
6116 foreign_option (options
, p
, 3, es
);
6118 else if (streq (p
[0], "route-method") && p
[1]) /* ignore when pushed to non-Windows OS */
6120 VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS
);
6123 #if PASSTOS_CAPABILITY
6124 else if (streq (p
[0], "passtos"))
6126 VERIFY_PERMISSION (OPT_P_GENERAL
);
6127 options
->passtos
= true;
6131 else if (streq (p
[0], "comp-lzo"))
6133 VERIFY_PERMISSION (OPT_P_COMP
);
6136 if (streq (p
[1], "yes"))
6137 options
->lzo
= LZO_SELECTED
|LZO_ON
;
6138 else if (streq (p
[1], "no"))
6139 options
->lzo
= LZO_SELECTED
;
6140 else if (streq (p
[1], "adaptive"))
6141 options
->lzo
= LZO_SELECTED
|LZO_ON
|LZO_ADAPTIVE
;
6144 msg (msglevel
, "bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'", p
[1]);
6149 options
->lzo
= LZO_SELECTED
|LZO_ON
|LZO_ADAPTIVE
;
6151 else if (streq (p
[0], "comp-noadapt"))
6153 VERIFY_PERMISSION (OPT_P_COMP
);
6154 options
->lzo
&= ~LZO_ADAPTIVE
;
6156 #endif /* ENABLE_LZO */
6157 #ifdef ENABLE_CRYPTO
6158 else if (streq (p
[0], "show-ciphers"))
6160 VERIFY_PERMISSION (OPT_P_GENERAL
);
6161 options
->show_ciphers
= true;
6163 else if (streq (p
[0], "show-digests"))
6165 VERIFY_PERMISSION (OPT_P_GENERAL
);
6166 options
->show_digests
= true;
6168 else if (streq (p
[0], "show-engines"))
6170 VERIFY_PERMISSION (OPT_P_GENERAL
);
6171 options
->show_engines
= true;
6173 else if (streq (p
[0], "key-direction") && p
[1])
6177 key_direction
= ascii2keydirection (msglevel
, p
[1]);
6178 if (key_direction
>= 0)
6179 options
->key_direction
= key_direction
;
6183 else if (streq (p
[0], "secret") && p
[1])
6185 VERIFY_PERMISSION (OPT_P_GENERAL
);
6186 if (streq (p
[1], INLINE_FILE_TAG
) && p
[2])
6188 options
->shared_secret_file_inline
= p
[2];
6195 key_direction
= ascii2keydirection (msglevel
, p
[2]);
6196 if (key_direction
>= 0)
6197 options
->key_direction
= key_direction
;
6201 options
->shared_secret_file
= p
[1];
6203 else if (streq (p
[0], "genkey"))
6205 VERIFY_PERMISSION (OPT_P_GENERAL
);
6206 options
->genkey
= true;
6208 else if (streq (p
[0], "auth") && p
[1])
6210 VERIFY_PERMISSION (OPT_P_CRYPTO
);
6211 options
->authname_defined
= true;
6212 options
->authname
= p
[1];
6213 if (streq (options
->authname
, "none"))
6215 options
->authname_defined
= false;
6216 options
->authname
= NULL
;
6219 else if (streq (p
[0], "auth"))
6221 VERIFY_PERMISSION (OPT_P_CRYPTO
);
6222 options
->authname_defined
= true;
6224 else if (streq (p
[0], "cipher") && p
[1])
6226 VERIFY_PERMISSION (OPT_P_CRYPTO
);
6227 options
->ciphername_defined
= true;
6228 options
->ciphername
= p
[1];
6229 if (streq (options
->ciphername
, "none"))
6231 options
->ciphername_defined
= false;
6232 options
->ciphername
= NULL
;
6235 else if (streq (p
[0], "cipher"))
6237 VERIFY_PERMISSION (OPT_P_CRYPTO
);
6238 options
->ciphername_defined
= true;
6240 else if (streq (p
[0], "prng") && p
[1])
6242 VERIFY_PERMISSION (OPT_P_CRYPTO
);
6243 if (streq (p
[1], "none"))
6244 options
->prng_hash
= NULL
;
6246 options
->prng_hash
= p
[1];
6249 const int sl
= atoi (p
[2]);
6250 if (sl
>= NONCE_SECRET_LEN_MIN
&& sl
<= NONCE_SECRET_LEN_MAX
)
6252 options
->prng_nonce_secret_len
= sl
;
6256 msg (msglevel
, "prng parameter nonce_secret_len must be between %d and %d",
6257 NONCE_SECRET_LEN_MIN
, NONCE_SECRET_LEN_MAX
);
6262 else if (streq (p
[0], "no-replay"))
6264 VERIFY_PERMISSION (OPT_P_CRYPTO
);
6265 options
->replay
= false;
6267 else if (streq (p
[0], "replay-window"))
6269 VERIFY_PERMISSION (OPT_P_CRYPTO
);
6274 replay_window
= atoi (p
[1]);
6275 if (!(MIN_SEQ_BACKTRACK
<= replay_window
&& replay_window
<= MAX_SEQ_BACKTRACK
))
6277 msg (msglevel
, "replay-window window size parameter (%d) must be between %d and %d",
6283 options
->replay_window
= replay_window
;
6289 replay_time
= atoi (p
[2]);
6290 if (!(MIN_TIME_BACKTRACK
<= replay_time
&& replay_time
<= MAX_TIME_BACKTRACK
))
6292 msg (msglevel
, "replay-window time window parameter (%d) must be between %d and %d",
6295 MAX_TIME_BACKTRACK
);
6298 options
->replay_time
= replay_time
;
6303 msg (msglevel
, "replay-window option is missing window size parameter");
6307 else if (streq (p
[0], "mute-replay-warnings"))
6309 VERIFY_PERMISSION (OPT_P_CRYPTO
);
6310 options
->mute_replay_warnings
= true;
6312 else if (streq (p
[0], "no-iv"))
6314 VERIFY_PERMISSION (OPT_P_CRYPTO
);
6315 options
->use_iv
= false;
6317 else if (streq (p
[0], "replay-persist") && p
[1])
6319 VERIFY_PERMISSION (OPT_P_GENERAL
);
6320 options
->packet_id_file
= p
[1];
6322 else if (streq (p
[0], "test-crypto"))
6324 VERIFY_PERMISSION (OPT_P_GENERAL
);
6325 options
->test_crypto
= true;
6327 #ifndef ENABLE_CRYPTO_POLARSSL
6328 else if (streq (p
[0], "engine"))
6330 VERIFY_PERMISSION (OPT_P_GENERAL
);
6333 options
->engine
= p
[1];
6336 options
->engine
= "auto";
6338 #endif /* ENABLE_CRYPTO_POLARSSL */
6339 #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
6340 else if (streq (p
[0], "keysize") && p
[1])
6344 VERIFY_PERMISSION (OPT_P_CRYPTO
);
6345 keysize
= atoi (p
[1]) / 8;
6346 if (keysize
< 0 || keysize
> MAX_CIPHER_KEY_LENGTH
)
6348 msg (msglevel
, "Bad keysize: %s", p
[1]);
6351 options
->keysize
= keysize
;
6354 #ifdef ENABLE_PREDICTION_RESISTANCE
6355 else if (streq (p
[0], "use-prediction-resistance"))
6357 VERIFY_PERMISSION (OPT_P_GENERAL
);
6358 options
->use_prediction_resistance
= true;
6362 else if (streq (p
[0], "show-tls"))
6364 VERIFY_PERMISSION (OPT_P_GENERAL
);
6365 options
->show_tls_ciphers
= true;
6367 else if (streq (p
[0], "tls-server"))
6369 VERIFY_PERMISSION (OPT_P_GENERAL
);
6370 options
->tls_server
= true;
6372 else if (streq (p
[0], "tls-client"))
6374 VERIFY_PERMISSION (OPT_P_GENERAL
);
6375 options
->tls_client
= true;
6377 else if (streq (p
[0], "ca") && p
[1])
6379 VERIFY_PERMISSION (OPT_P_GENERAL
);
6380 options
->ca_file
= p
[1];
6381 if (streq (p
[1], INLINE_FILE_TAG
) && p
[2])
6383 options
->ca_file_inline
= p
[2];
6386 #ifndef ENABLE_CRYPTO_POLARSSL
6387 else if (streq (p
[0], "capath") && p
[1])
6389 VERIFY_PERMISSION (OPT_P_GENERAL
);
6390 options
->ca_path
= p
[1];
6392 #endif /* ENABLE_CRYPTO_POLARSSL */
6393 else if (streq (p
[0], "dh") && p
[1])
6395 VERIFY_PERMISSION (OPT_P_GENERAL
);
6396 options
->dh_file
= p
[1];
6397 if (streq (p
[1], INLINE_FILE_TAG
) && p
[2])
6399 options
->dh_file_inline
= p
[2];
6402 else if (streq (p
[0], "cert") && p
[1])
6404 VERIFY_PERMISSION (OPT_P_GENERAL
);
6405 options
->cert_file
= p
[1];
6406 if (streq (p
[1], INLINE_FILE_TAG
) && p
[2])
6408 options
->cert_file_inline
= p
[2];
6411 else if (streq (p
[0], "extra-certs") && p
[1])
6413 VERIFY_PERMISSION (OPT_P_GENERAL
);
6414 options
->extra_certs_file
= p
[1];
6415 if (streq (p
[1], INLINE_FILE_TAG
) && p
[2])
6417 options
->extra_certs_file_inline
= p
[2];
6420 else if (streq (p
[0], "verify-hash") && p
[1])
6422 VERIFY_PERMISSION (OPT_P_GENERAL
);
6423 options
->verify_hash
= parse_hash_fingerprint(p
[1], SHA_DIGEST_LENGTH
, msglevel
, &options
->gc
);
6425 #ifdef ENABLE_CRYPTOAPI
6426 else if (streq (p
[0], "cryptoapicert") && p
[1])
6428 VERIFY_PERMISSION (OPT_P_GENERAL
);
6429 options
->cryptoapi_cert
= p
[1];
6432 else if (streq (p
[0], "key") && p
[1])
6434 VERIFY_PERMISSION (OPT_P_GENERAL
);
6435 options
->priv_key_file
= p
[1];
6436 if (streq (p
[1], INLINE_FILE_TAG
) && p
[2])
6438 options
->priv_key_file_inline
= p
[2];
6441 #ifndef ENABLE_CRYPTO_POLARSSL
6442 else if (streq (p
[0], "pkcs12") && p
[1])
6444 VERIFY_PERMISSION (OPT_P_GENERAL
);
6445 options
->pkcs12_file
= p
[1];
6446 if (streq (p
[1], INLINE_FILE_TAG
) && p
[2])
6448 options
->pkcs12_file_inline
= p
[2];
6451 #endif /* ENABLE_CRYPTO_POLARSSL */
6452 else if (streq (p
[0], "askpass"))
6454 VERIFY_PERMISSION (OPT_P_GENERAL
);
6457 options
->key_pass_file
= p
[1];
6460 options
->key_pass_file
= "stdin";
6462 else if (streq (p
[0], "auth-nocache"))
6464 VERIFY_PERMISSION (OPT_P_GENERAL
);
6465 ssl_set_auth_nocache ();
6467 else if (streq (p
[0], "auth-token") && p
[1])
6469 VERIFY_PERMISSION (OPT_P_ECHO
);
6470 ssl_set_auth_token(p
[1]);
6471 #ifdef ENABLE_MANAGEMENT
6473 management_auth_token (management
, p
[1]);
6476 else if (streq (p
[0], "single-session"))
6478 VERIFY_PERMISSION (OPT_P_GENERAL
);
6479 options
->single_session
= true;
6481 #ifdef ENABLE_PUSH_PEER_INFO
6482 else if (streq (p
[0], "push-peer-info"))
6484 VERIFY_PERMISSION (OPT_P_GENERAL
);
6485 options
->push_peer_info
= true;
6488 else if (streq (p
[0], "tls-exit"))
6490 VERIFY_PERMISSION (OPT_P_GENERAL
);
6491 options
->tls_exit
= true;
6493 else if (streq (p
[0], "tls-cipher") && p
[1])
6495 VERIFY_PERMISSION (OPT_P_GENERAL
);
6496 options
->cipher_list
= p
[1];
6498 else if (streq (p
[0], "crl-verify") && p
[1])
6500 VERIFY_PERMISSION (OPT_P_GENERAL
);
6501 if (p
[2] && streq(p
[2], "dir"))
6502 options
->ssl_flags
|= SSLF_CRL_VERIFY_DIR
;
6503 options
->crl_file
= p
[1];
6505 else if (streq (p
[0], "tls-verify") && p
[1])
6507 VERIFY_PERMISSION (OPT_P_SCRIPT
);
6508 if (!no_more_than_n_args (msglevel
, p
, 2, NM_QUOTE_HINT
))
6510 set_user_script (options
, &options
->tls_verify
,
6511 string_substitute (p
[1], ',', ' ', &options
->gc
),
6514 #ifndef ENABLE_CRYPTO_POLARSSL
6515 else if (streq (p
[0], "tls-export-cert") && p
[1])
6517 VERIFY_PERMISSION (OPT_P_GENERAL
);
6518 options
->tls_export_cert
= p
[1];
6521 else if (streq (p
[0], "compat-names"))
6523 VERIFY_PERMISSION (OPT_P_GENERAL
);
6524 if (options
->verify_x509_type
!= VERIFY_X509_NONE
&&
6525 options
->verify_x509_type
!= TLS_REMOTE_SUBJECT_DN
&&
6526 options
->verify_x509_type
!= TLS_REMOTE_SUBJECT_RDN_PREFIX
)
6528 msg (msglevel
, "you cannot use --compat-names with --verify-x509-name");
6531 msg (M_WARN
, "DEPRECATED OPTION: --compat-names, please update your configuration");
6532 compat_flag (COMPAT_FLAG_SET
| COMPAT_NAMES
);
6534 if (p
[1] && streq (p
[1], "no-remapping"))
6535 compat_flag (COMPAT_FLAG_SET
| COMPAT_NO_NAME_REMAPPING
);
6537 else if (streq (p
[0], "no-name-remapping"))
6539 VERIFY_PERMISSION (OPT_P_GENERAL
);
6540 if (options
->verify_x509_type
!= VERIFY_X509_NONE
&&
6541 options
->verify_x509_type
!= TLS_REMOTE_SUBJECT_DN
&&
6542 options
->verify_x509_type
!= TLS_REMOTE_SUBJECT_RDN_PREFIX
)
6544 msg (msglevel
, "you cannot use --no-name-remapping with --verify-x509-name");
6547 msg (M_WARN
, "DEPRECATED OPTION: --no-name-remapping, please update your configuration");
6548 compat_flag (COMPAT_FLAG_SET
| COMPAT_NAMES
);
6549 compat_flag (COMPAT_FLAG_SET
| COMPAT_NO_NAME_REMAPPING
);
6552 else if (streq (p
[0], "tls-remote") && p
[1])
6554 VERIFY_PERMISSION (OPT_P_GENERAL
);
6556 if (options
->verify_x509_type
!= VERIFY_X509_NONE
&&
6557 options
->verify_x509_type
!= TLS_REMOTE_SUBJECT_DN
&&
6558 options
->verify_x509_type
!= TLS_REMOTE_SUBJECT_RDN_PREFIX
)
6560 msg (msglevel
, "you cannot use --tls-remote with --verify-x509-name");
6563 msg (M_WARN
, "DEPRECATED OPTION: --tls-remote, please update your configuration");
6567 int is_username
= (!strchr (p
[1], '=') || !strstr (p
[1], ", "));
6568 int type
= TLS_REMOTE_SUBJECT_DN
;
6569 if (p
[1][0] != '/' && is_username
)
6570 type
= TLS_REMOTE_SUBJECT_RDN_PREFIX
;
6573 * Enable legacy openvpn format for DNs that have not been converted
6574 * yet and --x509-username-field (not containing an '=' or ', ')
6576 if (p
[1][0] == '/' || is_username
)
6577 compat_flag (COMPAT_FLAG_SET
| COMPAT_NAMES
);
6579 options
->verify_x509_type
= type
;
6580 options
->verify_x509_name
= p
[1];
6583 else if (streq (p
[0], "verify-x509-name") && p
[1] && strlen (p
[1]))
6585 int type
= VERIFY_X509_SUBJECT_DN
;
6586 VERIFY_PERMISSION (OPT_P_GENERAL
);
6587 if (options
->verify_x509_type
== TLS_REMOTE_SUBJECT_DN
||
6588 options
->verify_x509_type
== TLS_REMOTE_SUBJECT_RDN_PREFIX
)
6590 msg (msglevel
, "you cannot use --verify-x509-name with --tls-remote");
6593 if (compat_flag (COMPAT_FLAG_QUERY
| COMPAT_NAMES
))
6595 msg (msglevel
, "you cannot use --verify-x509-name with "
6596 "--compat-names or --no-name-remapping");
6601 if (streq (p
[2], "subject"))
6602 type
= VERIFY_X509_SUBJECT_DN
;
6603 else if (streq (p
[2], "name"))
6604 type
= VERIFY_X509_SUBJECT_RDN
;
6605 else if (streq (p
[2], "name-prefix"))
6606 type
= VERIFY_X509_SUBJECT_RDN_PREFIX
;
6609 msg (msglevel
, "unknown X.509 name type: %s", p
[2]);
6613 options
->verify_x509_type
= type
;
6614 options
->verify_x509_name
= p
[1];
6616 else if (streq (p
[0], "ns-cert-type") && p
[1])
6618 VERIFY_PERMISSION (OPT_P_GENERAL
);
6619 if (streq (p
[1], "server"))
6620 options
->ns_cert_type
= NS_CERT_CHECK_SERVER
;
6621 else if (streq (p
[1], "client"))
6622 options
->ns_cert_type
= NS_CERT_CHECK_CLIENT
;
6625 msg (msglevel
, "--ns-cert-type must be 'client' or 'server'");
6629 #if OPENSSL_VERSION_NUMBER >= 0x00907000L || ENABLE_CRYPTO_POLARSSL
6630 else if (streq (p
[0], "remote-cert-ku"))
6634 VERIFY_PERMISSION (OPT_P_GENERAL
);
6636 for (j
= 1; j
< MAX_PARMS
&& p
[j
] != NULL
; ++j
)
6637 sscanf (p
[j
], "%x", &(options
->remote_cert_ku
[j
-1]));
6639 else if (streq (p
[0], "remote-cert-eku") && p
[1])
6641 VERIFY_PERMISSION (OPT_P_GENERAL
);
6642 options
->remote_cert_eku
= p
[1];
6644 else if (streq (p
[0], "remote-cert-tls") && p
[1])
6646 VERIFY_PERMISSION (OPT_P_GENERAL
);
6648 if (streq (p
[1], "server"))
6650 options
->remote_cert_ku
[0] = 0xa0;
6651 options
->remote_cert_ku
[1] = 0x88;
6652 options
->remote_cert_eku
= "TLS Web Server Authentication";
6654 else if (streq (p
[1], "client"))
6656 options
->remote_cert_ku
[0] = 0x80;
6657 options
->remote_cert_ku
[1] = 0x08;
6658 options
->remote_cert_ku
[2] = 0x88;
6659 options
->remote_cert_eku
= "TLS Web Client Authentication";
6663 msg (msglevel
, "--remote-cert-tls must be 'client' or 'server'");
6667 #endif /* OPENSSL_VERSION_NUMBER */
6668 else if (streq (p
[0], "tls-timeout") && p
[1])
6670 VERIFY_PERMISSION (OPT_P_TLS_PARMS
);
6671 options
->tls_timeout
= positive_atoi (p
[1]);
6673 else if (streq (p
[0], "reneg-bytes") && p
[1])
6675 VERIFY_PERMISSION (OPT_P_TLS_PARMS
);
6676 options
->renegotiate_bytes
= positive_atoi (p
[1]);
6678 else if (streq (p
[0], "reneg-pkts") && p
[1])
6680 VERIFY_PERMISSION (OPT_P_TLS_PARMS
);
6681 options
->renegotiate_packets
= positive_atoi (p
[1]);
6683 else if (streq (p
[0], "reneg-sec") && p
[1])
6685 VERIFY_PERMISSION (OPT_P_TLS_PARMS
);
6686 options
->renegotiate_seconds
= positive_atoi (p
[1]);
6688 else if (streq (p
[0], "hand-window") && p
[1])
6690 VERIFY_PERMISSION (OPT_P_TLS_PARMS
);
6691 options
->handshake_window
= positive_atoi (p
[1]);
6693 else if (streq (p
[0], "tran-window") && p
[1])
6695 VERIFY_PERMISSION (OPT_P_TLS_PARMS
);
6696 options
->transition_window
= positive_atoi (p
[1]);
6698 else if (streq (p
[0], "tls-auth") && p
[1])
6700 VERIFY_PERMISSION (OPT_P_GENERAL
);
6701 if (streq (p
[1], INLINE_FILE_TAG
) && p
[2])
6703 options
->tls_auth_file_inline
= p
[2];
6710 key_direction
= ascii2keydirection (msglevel
, p
[2]);
6711 if (key_direction
>= 0)
6712 options
->key_direction
= key_direction
;
6716 options
->tls_auth_file
= p
[1];
6718 else if (streq (p
[0], "key-method") && p
[1])
6722 VERIFY_PERMISSION (OPT_P_GENERAL
);
6723 key_method
= atoi (p
[1]);
6724 if (key_method
< KEY_METHOD_MIN
|| key_method
> KEY_METHOD_MAX
)
6726 msg (msglevel
, "key_method parameter (%d) must be >= %d and <= %d",
6732 options
->key_method
= key_method
;
6734 #ifdef ENABLE_X509ALTUSERNAME
6735 else if (streq (p
[0], "x509-username-field") && p
[1])
6738 VERIFY_PERMISSION (OPT_P_GENERAL
);
6739 if( strncmp ("ext:",s
,4) != 0 )
6740 while ((*s
= toupper(*s
)) != '\0') s
++; /* Uppercase if necessary */
6741 options
->x509_username_field
= p
[1];
6743 #endif /* ENABLE_X509ALTUSERNAME */
6744 #endif /* ENABLE_SSL */
6745 #endif /* ENABLE_CRYPTO */
6746 #ifdef ENABLE_PKCS11
6747 else if (streq (p
[0], "show-pkcs11-ids") && p
[1])
6749 char *provider
= p
[1];
6750 bool cert_private
= (p
[2] == NULL
? false : ( atoi (p
[2]) != 0 ));
6752 VERIFY_PERMISSION (OPT_P_GENERAL
);
6754 set_debug_level (options
->verbosity
, SDL_CONSTRAIN
);
6755 show_pkcs11_ids (provider
, cert_private
);
6756 openvpn_exit (OPENVPN_EXIT_STATUS_GOOD
); /* exit point */
6758 else if (streq (p
[0], "pkcs11-providers") && p
[1])
6762 VERIFY_PERMISSION (OPT_P_GENERAL
);
6764 for (j
= 1; j
< MAX_PARMS
&& p
[j
] != NULL
; ++j
)
6765 options
->pkcs11_providers
[j
-1] = p
[j
];
6767 else if (streq (p
[0], "pkcs11-protected-authentication"))
6771 VERIFY_PERMISSION (OPT_P_GENERAL
);
6773 for (j
= 1; j
< MAX_PARMS
&& p
[j
] != NULL
; ++j
)
6774 options
->pkcs11_protected_authentication
[j
-1] = atoi (p
[j
]) != 0 ? 1 : 0;
6776 else if (streq (p
[0], "pkcs11-private-mode") && p
[1])
6780 VERIFY_PERMISSION (OPT_P_GENERAL
);
6782 for (j
= 1; j
< MAX_PARMS
&& p
[j
] != NULL
; ++j
)
6783 sscanf (p
[j
], "%x", &(options
->pkcs11_private_mode
[j
-1]));
6785 else if (streq (p
[0], "pkcs11-cert-private"))
6789 VERIFY_PERMISSION (OPT_P_GENERAL
);
6791 for (j
= 1; j
< MAX_PARMS
&& p
[j
] != NULL
; ++j
)
6792 options
->pkcs11_cert_private
[j
-1] = atoi (p
[j
]) != 0 ? 1 : 0;
6794 else if (streq (p
[0], "pkcs11-pin-cache") && p
[1])
6796 VERIFY_PERMISSION (OPT_P_GENERAL
);
6797 options
->pkcs11_pin_cache_period
= atoi (p
[1]);
6799 else if (streq (p
[0], "pkcs11-id") && p
[1])
6801 VERIFY_PERMISSION (OPT_P_GENERAL
);
6802 options
->pkcs11_id
= p
[1];
6804 else if (streq (p
[0], "pkcs11-id-management"))
6806 VERIFY_PERMISSION (OPT_P_GENERAL
);
6807 options
->pkcs11_id_management
= true;
6810 #ifdef ENABLE_FEATURE_TUN_PERSIST
6811 else if (streq (p
[0], "rmtun"))
6813 VERIFY_PERMISSION (OPT_P_GENERAL
);
6814 options
->persist_config
= true;
6815 options
->persist_mode
= 0;
6817 else if (streq (p
[0], "mktun"))
6819 VERIFY_PERMISSION (OPT_P_GENERAL
);
6820 options
->persist_config
= true;
6821 options
->persist_mode
= 1;
6827 msg (msglevel_fc
, "Unrecognized option or missing parameter(s) in %s:%d: %s (%s)", file
, line
, p
[0], PACKAGE_VERSION
);
6829 msg (msglevel_fc
, "Unrecognized option or missing parameter(s): --%s (%s)", p
[0], PACKAGE_VERSION
);