2
* OpenVPN -- An application to securely tunnel IP networks
3
* over a single TCP/UDP port, with support for SSL/TLS-based
4
* session authentication and key exchange,
5
* packet encryption, packet authentication, and
8
* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
10
* This program is free software; you can redistribute it and/or modify
11
* it under the terms of the GNU General Public License version 2
12
* as published by the Free Software Foundation.
14
* This program is distributed in the hope that it will be useful,
15
* but WITHOUT ANY WARRANTY; without even the implied warranty of
16
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
* GNU General Public License for more details.
19
* You should have received a copy of the GNU General Public License
20
* along with this program (see the file COPYING included with this
21
* distribution); if not, write to the Free Software Foundation, Inc.,
22
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
27
#elif defined(_MSC_VER)
28
#include "config-msvc.h"
43
print_netmask (int netbits, struct gc_arena *gc)
45
struct buffer out = alloc_buf_gc (128, gc);
46
const in_addr_t netmask = netbits_to_netmask (netbits);
48
buf_printf (&out, "%s (/%d)", print_in_addr_t (netmask, 0, gc), netbits);
54
print_opt_route_gateway (const in_addr_t route_gateway, struct gc_arena *gc)
56
struct buffer out = alloc_buf_gc (128, gc);
57
ASSERT (route_gateway);
58
buf_printf (&out, "route-gateway %s", print_in_addr_t (route_gateway, 0, gc));
63
print_opt_route_gateway_dhcp (struct gc_arena *gc)
65
struct buffer out = alloc_buf_gc (32, gc);
66
buf_printf (&out, "route-gateway dhcp");
71
print_opt_route (const in_addr_t network, const in_addr_t netmask, struct gc_arena *gc)
73
struct buffer out = alloc_buf_gc (128, gc);
77
buf_printf (&out, "route %s %s",
78
print_in_addr_t (network, 0, gc),
79
print_in_addr_t (netmask, 0, gc));
81
buf_printf (&out, "route %s",
82
print_in_addr_t (network, 0, gc));
88
print_opt_topology (const int topology, struct gc_arena *gc)
90
struct buffer out = alloc_buf_gc (128, gc);
92
buf_printf (&out, "topology %s", print_topology (topology));
98
print_str_int (const char *str, const int i, struct gc_arena *gc)
100
struct buffer out = alloc_buf_gc (128, gc);
101
buf_printf (&out, "%s %d", str, i);
106
print_str (const char *str, struct gc_arena *gc)
108
struct buffer out = alloc_buf_gc (128, gc);
109
buf_printf (&out, "%s", str);
114
helper_add_route (const in_addr_t network, const in_addr_t netmask, struct options *o)
117
add_route_to_option_list (o->routes,
118
print_in_addr_t (network, 0, &o->gc),
119
print_in_addr_t (netmask, 0, &o->gc),
125
verify_common_subnet (const char *opt, const in_addr_t a, const in_addr_t b, const in_addr_t subnet)
127
struct gc_arena gc = gc_new ();
128
if ((a & subnet) != (b & subnet))
129
msg (M_USAGE, "%s IP addresses %s and %s are not in the same %s subnet",
131
print_in_addr_t (a, 0, &gc),
132
print_in_addr_t (b, 0, &gc),
133
print_in_addr_t (subnet, 0, &gc));
140
* Process server, server-bridge, and client helper
141
* directives after the parameters themselves have been
142
* parsed and placed in struct options.
145
helper_client_server (struct options *o)
147
struct gc_arena gc = gc_new ();
153
* Get tun/tap/null device type
155
const int dev = dev_type_enum (o->dev, o->dev_type);
156
const int topology = o->topology;
160
* HELPER DIRECTIVE for IPv6
162
* server-ipv6 2001:db8::/64
168
* ifconfig-ipv6 2001:db8::1 2001:db8::2
170
* ifconfig-ipv6-pool 2001:db8::1:0/64
173
if ( o->server_ipv6_defined )
175
if ( ! o->server_defined )
177
msg (M_USAGE, "--server-ipv6 must be used together with --server");
179
if ( o->server_flags & SF_NOPOOL )
181
msg( M_USAGE, "--server-ipv6 is incompatible with 'nopool' option" );
183
if ( o->ifconfig_ipv6_pool_defined )
185
msg( M_USAGE, "--server-ipv6 already defines an ifconfig-ipv6-pool, so you can't also specify --ifconfig-pool explicitly");
188
/* local ifconfig is "base address + 1" and "+2" */
189
o->ifconfig_ipv6_local =
190
print_in6_addr( add_in6_addr( o->server_network_ipv6, 1), 0, &o->gc );
191
o->ifconfig_ipv6_remote =
192
print_in6_addr( add_in6_addr( o->server_network_ipv6, 2), 0, &o->gc );
193
o->ifconfig_ipv6_netbits = o->server_netbits_ipv6;
195
/* pool starts at "base address + 0x1000" - leave enough room */
196
ASSERT( o->server_netbits_ipv6 <= 112 ); /* want 16 bits */
198
o->ifconfig_ipv6_pool_defined = true;
199
o->ifconfig_ipv6_pool_base =
200
add_in6_addr( o->server_network_ipv6, 0x1000 );
201
o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6;
205
push_option( o, "tun-ipv6", M_USAGE );
212
* server 10.8.0.0 255.255.255.0
218
* push "topology [topology]"
220
* if tun AND (topology == net30 OR topology == p2p):
221
* ifconfig 10.8.0.1 10.8.0.2
223
* ifconfig-pool 10.8.0.4 10.8.0.251
224
* route 10.8.0.0 255.255.255.0
225
* if client-to-client:
226
* push "route 10.8.0.0 255.255.255.0"
227
* else if topology == net30:
228
* push "route 10.8.0.1"
230
* if tap OR (tun AND topology == subnet):
231
* ifconfig 10.8.0.1 255.255.255.0
233
* ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
234
* push "route-gateway 10.8.0.1"
237
if (o->server_defined)
243
msg (M_USAGE, "--server and --client cannot be used together");
245
if (o->server_bridge_defined || o->server_bridge_proxy_dhcp)
246
msg (M_USAGE, "--server and --server-bridge cannot be used together");
248
if (o->shared_secret_file)
249
msg (M_USAGE, "--server and --secret cannot be used together (you must use SSL/TLS keys)");
251
if (!(o->server_flags & SF_NOPOOL) && o->ifconfig_pool_defined)
252
msg (M_USAGE, "--server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly");
254
if (!(dev == DEV_TYPE_TAP || dev == DEV_TYPE_TUN))
255
msg (M_USAGE, "--server directive only makes sense with --dev tun or --dev tap");
257
status = netmask_to_netbits (o->server_network, o->server_netmask, &netbits);
259
msg (M_USAGE, "--server directive network/netmask combination is invalid");
262
msg (M_USAGE, "--server directive netmask is invalid");
264
if (netbits < IFCONFIG_POOL_MIN_NETBITS)
265
msg (M_USAGE, "--server directive netmask allows for too many host addresses (subnet must be %s or higher)",
266
print_netmask (IFCONFIG_POOL_MIN_NETBITS, &gc));
268
if (dev == DEV_TYPE_TUN)
270
int pool_end_reserve = 4;
273
msg (M_USAGE, "--server directive when used with --dev tun must define a subnet of %s or lower",
274
print_netmask (29, &gc));
277
pool_end_reserve = 0;
279
o->mode = MODE_SERVER;
280
o->tls_server = true;
282
if (topology == TOP_NET30 || topology == TOP_P2P)
284
o->ifconfig_local = print_in_addr_t (o->server_network + 1, 0, &o->gc);
285
o->ifconfig_remote_netmask = print_in_addr_t (o->server_network + 2, 0, &o->gc);
287
if (!(o->server_flags & SF_NOPOOL))
289
o->ifconfig_pool_defined = true;
290
o->ifconfig_pool_start = o->server_network + 4;
291
o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - pool_end_reserve;
292
ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
295
helper_add_route (o->server_network, o->server_netmask, o);
297
push_option (o, print_opt_route (o->server_network, o->server_netmask, &o->gc), M_USAGE);
298
else if (topology == TOP_NET30)
299
push_option (o, print_opt_route (o->server_network + 1, 0, &o->gc), M_USAGE);
301
else if (topology == TOP_SUBNET)
303
o->ifconfig_local = print_in_addr_t (o->server_network + 1, 0, &o->gc);
304
o->ifconfig_remote_netmask = print_in_addr_t (o->server_netmask, 0, &o->gc);
306
if (!(o->server_flags & SF_NOPOOL))
308
o->ifconfig_pool_defined = true;
309
o->ifconfig_pool_start = o->server_network + 2;
310
o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 2;
311
ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
313
o->ifconfig_pool_netmask = o->server_netmask;
315
push_option (o, print_opt_route_gateway (o->server_network + 1, &o->gc), M_USAGE);
320
push_option (o, print_opt_topology (topology, &o->gc), M_USAGE);
322
else if (dev == DEV_TYPE_TAP)
325
msg (M_USAGE, "--server directive when used with --dev tap must define a subnet of %s or lower",
326
print_netmask (30, &gc));
328
o->mode = MODE_SERVER;
329
o->tls_server = true;
330
o->ifconfig_local = print_in_addr_t (o->server_network + 1, 0, &o->gc);
331
o->ifconfig_remote_netmask = print_in_addr_t (o->server_netmask, 0, &o->gc);
333
if (!(o->server_flags & SF_NOPOOL))
335
o->ifconfig_pool_defined = true;
336
o->ifconfig_pool_start = o->server_network + 2;
337
o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 1;
338
ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
340
o->ifconfig_pool_netmask = o->server_netmask;
342
push_option (o, print_opt_route_gateway (o->server_network + 1, &o->gc), M_USAGE);
349
/* set push-ifconfig-constraint directive */
350
if ((dev == DEV_TYPE_TAP || topology == TOP_SUBNET))
352
o->push_ifconfig_constraint_defined = true;
353
o->push_ifconfig_constraint_network = o->server_network;
354
o->push_ifconfig_constraint_netmask = o->server_netmask;
361
* server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254
368
* ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
369
* push "route-gateway 10.8.0.4"
381
* push "route-gateway dhcp"
383
else if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)
386
msg (M_USAGE, "--server-bridge and --client cannot be used together");
388
if (!(o->server_flags & SF_NOPOOL) && o->ifconfig_pool_defined)
389
msg (M_USAGE, "--server-bridge already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly");
391
if (o->shared_secret_file)
392
msg (M_USAGE, "--server-bridge and --secret cannot be used together (you must use SSL/TLS keys)");
394
if (dev != DEV_TYPE_TAP)
395
msg (M_USAGE, "--server-bridge directive only makes sense with --dev tap");
397
if (o->server_bridge_defined)
399
verify_common_subnet ("--server-bridge", o->server_bridge_ip, o->server_bridge_pool_start, o->server_bridge_netmask);
400
verify_common_subnet ("--server-bridge", o->server_bridge_pool_start, o->server_bridge_pool_end, o->server_bridge_netmask);
401
verify_common_subnet ("--server-bridge", o->server_bridge_ip, o->server_bridge_pool_end, o->server_bridge_netmask);
404
o->mode = MODE_SERVER;
405
o->tls_server = true;
407
if (o->server_bridge_defined)
409
o->ifconfig_pool_defined = true;
410
o->ifconfig_pool_start = o->server_bridge_pool_start;
411
o->ifconfig_pool_end = o->server_bridge_pool_end;
412
ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end);
413
o->ifconfig_pool_netmask = o->server_bridge_netmask;
414
push_option (o, print_opt_route_gateway (o->server_bridge_ip, &o->gc), M_USAGE);
416
else if (o->server_bridge_proxy_dhcp && !(o->server_flags & SF_NO_PUSH_ROUTE_GATEWAY))
418
push_option (o, print_opt_route_gateway_dhcp (&o->gc), M_USAGE);
422
#endif /* P2MP_SERVER */
436
if (o->key_method != 2)
437
msg (M_USAGE, "--client requires --key-method 2");
440
o->tls_client = true;
460
* push "ping-restart 60"
466
helper_keepalive (struct options *o)
468
if (o->keepalive_ping || o->keepalive_timeout)
473
if (o->keepalive_ping <= 0 || o->keepalive_timeout <= 0)
474
msg (M_USAGE, "--keepalive parameters must be > 0");
475
if (o->keepalive_ping * 2 > o->keepalive_timeout)
476
msg (M_USAGE, "the second parameter to --keepalive (restart timeout=%d) must be at least twice the value of the first parameter (ping interval=%d). A ratio of 1:5 or 1:6 would be even better. Recommended setting is --keepalive 10 60.",
477
o->keepalive_timeout,
479
if (o->ping_send_timeout || o->ping_rec_timeout)
480
msg (M_USAGE, "--keepalive conflicts with --ping, --ping-exit, or --ping-restart. If you use --keepalive, you don't need any of the other --ping directives.");
485
if (o->mode == MODE_POINT_TO_POINT)
487
o->ping_rec_timeout_action = PING_RESTART;
488
o->ping_send_timeout = o->keepalive_ping;
489
o->ping_rec_timeout = o->keepalive_timeout;
492
else if (o->mode == MODE_SERVER)
494
o->ping_rec_timeout_action = PING_RESTART;
495
o->ping_send_timeout = o->keepalive_ping;
496
o->ping_rec_timeout = o->keepalive_timeout * 2;
497
push_option (o, print_str_int ("ping", o->keepalive_ping, &o->gc), M_USAGE);
498
push_option (o, print_str_int ("ping-restart", o->keepalive_timeout, &o->gc), M_USAGE);
517
* socket-flags TCP_NODELAY
518
* push "socket-flags TCP_NODELAY"
521
helper_tcp_nodelay (struct options *o)
524
if (o->server_flags & SF_TCP_NODELAY_HELPER)
526
if (o->mode == MODE_SERVER)
528
o->sockflags |= SF_TCP_NODELAY;
529
push_option (o, print_str ("socket-flags TCP_NODELAY", &o->gc), M_USAGE);