2
* OpenVPN -- An application to securely tunnel IP networks
3
* over a single TCP/UDP port, with support for SSL/TLS-based
4
* session authentication and key exchange,
5
* packet encryption, packet authentication, and
8
* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
10
* This program is free software; you can redistribute it and/or modify
11
* it under the terms of the GNU General Public License version 2
12
* as published by the Free Software Foundation.
14
* This program is distributed in the hope that it will be useful,
15
* but WITHOUT ANY WARRANTY; without even the implied warranty of
16
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
* GNU General Public License for more details.
19
* You should have received a copy of the GNU General Public License
20
* along with this program (see the file COPYING included with this
21
* distribution); if not, write to the Free Software Foundation, Inc.,
22
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
26
* Support routines for configuring and accessing TUN/TAP
27
* virtual network adapters.
29
* This file is based on the TUN/TAP driver interface routines
30
* from VTun by Maxim Krasnyansky <max_mk@yahoo.com>.
35
#elif defined(_MSC_VER)
36
#include "config-msvc.h"
54
/* #define SIMULATE_DHCP_FAILED */ /* simulate bad DHCP negotiation */
56
#define NI_TEST_FIRST (1<<0)
57
#define NI_IP_NETMASK (1<<1)
58
#define NI_OPTIONS (1<<2)
60
static void netsh_ifconfig (const struct tuntap_options *to,
61
const char *flex_name,
63
const in_addr_t netmask,
64
const unsigned int flags);
65
static void netsh_command (const struct argv *a, int n);
67
static const char *netsh_get_id (const char *dev_node, struct gc_arena *gc);
72
static void solaris_error_close (struct tuntap *tt, const struct env_set *es, const char *actual, bool unplumb_inet6);
76
static void clear_tuntap (struct tuntap *tuntap);
79
is_dev_type (const char *dev, const char *dev_type, const char *match_type)
85
return !strcmp (dev_type, match_type);
87
return !strncmp (dev, match_type, strlen (match_type));
91
dev_type_enum (const char *dev, const char *dev_type)
93
if (is_dev_type (dev, dev_type, "tun"))
95
else if (is_dev_type (dev, dev_type, "tap"))
97
else if (is_dev_type (dev, dev_type, "null"))
100
return DEV_TYPE_UNDEF;
104
dev_type_string (const char *dev, const char *dev_type)
106
switch (dev_type_enum (dev, dev_type))
115
return "[unknown-dev-type]";
120
* Try to predict the actual TUN/TAP device instance name,
121
* before the device is actually opened.
124
guess_tuntap_dev (const char *dev,
125
const char *dev_type,
126
const char *dev_node,
130
const int dt = dev_type_enum (dev, dev_type);
131
if (dt == DEV_TYPE_TUN || dt == DEV_TYPE_TAP)
133
return netsh_get_id (dev_node, gc);
142
/* --ifconfig-nowarn disables some options sanity checking */
143
static const char ifconfig_warn_how_to_silence[] = "(silence this warning with --ifconfig-nowarn)";
146
* If !tun, make sure ifconfig_remote_netmask looks
149
* If tun, make sure ifconfig_remote_netmask looks
150
* like an IPv4 address.
153
ifconfig_sanity_check (bool tun, in_addr_t addr, int topology)
155
struct gc_arena gc = gc_new ();
156
const bool looks_like_netmask = ((addr & 0xFF000000) == 0xFF000000);
159
if (looks_like_netmask && (topology == TOP_NET30 || topology == TOP_P2P))
160
msg (M_WARN, "WARNING: Since you are using --dev tun with a point-to-point topology, the second argument to --ifconfig must be an IP address. You are using something (%s) that looks more like a netmask. %s",
161
print_in_addr_t (addr, 0, &gc),
162
ifconfig_warn_how_to_silence);
166
if (!looks_like_netmask)
167
msg (M_WARN, "WARNING: Since you are using --dev tap, the second argument to --ifconfig must be a netmask, for example something like 255.255.255.0. %s",
168
ifconfig_warn_how_to_silence);
174
* For TAP-style devices, generate a broadcast address.
177
generate_ifconfig_broadcast_addr (in_addr_t local,
180
return local | ~netmask;
184
* Check that --local and --remote addresses do not
185
* clash with ifconfig addresses or subnet.
188
check_addr_clash (const char *name,
192
in_addr_t remote_netmask)
194
struct gc_arena gc = gc_new ();
196
msg (M_INFO, "CHECK_ADDR_CLASH type=%d public=%s local=%s, remote_netmask=%s",
198
print_in_addr_t (public, 0, &gc),
199
print_in_addr_t (local, 0, &gc),
200
print_in_addr_t (remote_netmask, 0, &gc));
205
if (type == DEV_TYPE_TUN)
207
const in_addr_t test_netmask = 0xFFFFFF00;
208
const in_addr_t public_net = public & test_netmask;
209
const in_addr_t local_net = local & test_netmask;
210
const in_addr_t remote_net = remote_netmask & test_netmask;
212
if (public == local || public == remote_netmask)
214
"WARNING: --%s address [%s] conflicts with --ifconfig address pair [%s, %s]. %s",
216
print_in_addr_t (public, 0, &gc),
217
print_in_addr_t (local, 0, &gc),
218
print_in_addr_t (remote_netmask, 0, &gc),
219
ifconfig_warn_how_to_silence);
221
if (public_net == local_net || public_net == remote_net)
223
"WARNING: potential conflict between --%s address [%s] and --ifconfig address pair [%s, %s] -- this is a warning only that is triggered when local/remote addresses exist within the same /24 subnet as --ifconfig endpoints. %s",
225
print_in_addr_t (public, 0, &gc),
226
print_in_addr_t (local, 0, &gc),
227
print_in_addr_t (remote_netmask, 0, &gc),
228
ifconfig_warn_how_to_silence);
230
else if (type == DEV_TYPE_TAP)
232
const in_addr_t public_network = public & remote_netmask;
233
const in_addr_t virtual_network = local & remote_netmask;
234
if (public_network == virtual_network)
236
"WARNING: --%s address [%s] conflicts with --ifconfig subnet [%s, %s] -- local and remote addresses cannot be inside of the --ifconfig subnet. %s",
238
print_in_addr_t (public, 0, &gc),
239
print_in_addr_t (local, 0, &gc),
240
print_in_addr_t (remote_netmask, 0, &gc),
241
ifconfig_warn_how_to_silence);
248
* Issue a warning if ip/netmask (on the virtual IP network) conflicts with
249
* the settings on the local LAN. This is designed to flag issues where
250
* (for example) the OpenVPN server LAN is running on 192.168.1.x, but then
251
* an OpenVPN client tries to connect from a public location that is also running
252
* off of a router set to 192.168.1.x.
255
check_subnet_conflict (const in_addr_t ip,
256
const in_addr_t netmask,
259
#if 0 /* too many false positives */
260
struct gc_arena gc = gc_new ();
261
in_addr_t lan_gw = 0;
262
in_addr_t lan_netmask = 0;
264
if (get_default_gateway (&lan_gw, &lan_netmask) && lan_netmask)
266
const in_addr_t lan_network = lan_gw & lan_netmask;
267
const in_addr_t network = ip & netmask;
269
/* do the two subnets defined by network/netmask and lan_network/lan_netmask intersect? */
270
if ((network & lan_netmask) == lan_network
271
|| (lan_network & netmask) == network)
273
msg (M_WARN, "WARNING: potential %s subnet conflict between local LAN [%s/%s] and remote VPN [%s/%s]",
275
print_in_addr_t (lan_network, 0, &gc),
276
print_in_addr_t (lan_netmask, 0, &gc),
277
print_in_addr_t (network, 0, &gc),
278
print_in_addr_t (netmask, 0, &gc));
286
warn_on_use_of_common_subnets (void)
288
struct gc_arena gc = gc_new ();
289
struct route_gateway_info rgi;
290
const int needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED);
292
get_default_gateway (&rgi);
293
if ((rgi.flags & needed) == needed)
295
const in_addr_t lan_network = rgi.gateway.addr & rgi.gateway.netmask;
296
if (lan_network == 0xC0A80000 || lan_network == 0xC0A80100)
297
msg (M_WARN, "NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.");
303
* Return a string to be used for options compatibility check
307
ifconfig_options_string (const struct tuntap* tt, bool remote, bool disable, struct gc_arena *gc)
309
struct buffer out = alloc_buf_gc (256, gc);
310
if (tt->did_ifconfig_setup && !disable)
312
if (tt->type == DEV_TYPE_TAP || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET))
314
buf_printf (&out, "%s %s",
315
print_in_addr_t (tt->local & tt->remote_netmask, 0, gc),
316
print_in_addr_t (tt->remote_netmask, 0, gc));
318
else if (tt->type == DEV_TYPE_TUN)
323
r = print_in_addr_t (tt->local, 0, gc);
324
l = print_in_addr_t (tt->remote_netmask, 0, gc);
328
l = print_in_addr_t (tt->local, 0, gc);
329
r = print_in_addr_t (tt->remote_netmask, 0, gc);
331
buf_printf (&out, "%s %s", r, l);
334
buf_printf (&out, "[undef]");
340
* Return a status string describing wait state.
343
tun_stat (const struct tuntap *tt, unsigned int rwflags, struct gc_arena *gc)
345
struct buffer out = alloc_buf_gc (64, gc);
348
if (rwflags & EVENT_READ)
350
buf_printf (&out, "T%s",
351
(tt->rwflags_debug & EVENT_READ) ? "R" : "r");
353
buf_printf (&out, "%s",
354
overlapped_io_state_ascii (&tt->reads));
357
if (rwflags & EVENT_WRITE)
359
buf_printf (&out, "T%s",
360
(tt->rwflags_debug & EVENT_WRITE) ? "W" : "w");
362
buf_printf (&out, "%s",
363
overlapped_io_state_ascii (&tt->writes));
369
buf_printf (&out, "T?");
375
* Return true for point-to-point topology, false for subnet topology
378
is_tun_p2p (const struct tuntap *tt)
382
if (tt->type == DEV_TYPE_TAP || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET))
384
else if (tt->type == DEV_TYPE_TUN)
387
msg (M_FATAL, "Error: problem with tun vs. tap setting"); /* JYFIXME -- needs to be caught earlier, in init_tun? */
393
* Init tun/tap object.
395
* Set up tuntap structure for ifconfig,
396
* but don't execute yet.
399
init_tun (const char *dev, /* --dev option */
400
const char *dev_type, /* --dev-type option */
401
int topology, /* one of the TOP_x values */
402
const char *ifconfig_local_parm, /* --ifconfig parm 1 */
403
const char *ifconfig_remote_netmask_parm, /* --ifconfig parm 2 */
404
const char *ifconfig_ipv6_local_parm, /* --ifconfig parm 1 IPv6 */
405
int ifconfig_ipv6_netbits_parm,
406
const char *ifconfig_ipv6_remote_parm, /* --ifconfig parm 2 IPv6 */
407
in_addr_t local_public,
408
in_addr_t remote_public,
409
const bool strict_warn,
412
struct gc_arena gc = gc_new ();
415
ALLOC_OBJ (tt, struct tuntap);
418
tt->type = dev_type_enum (dev, dev_type);
419
tt->topology = topology;
421
if (ifconfig_local_parm && ifconfig_remote_netmask_parm)
424
const char *ifconfig_local = NULL;
425
const char *ifconfig_remote_netmask = NULL;
426
const char *ifconfig_broadcast = NULL;
429
* We only handle TUN/TAP devices here, not --dev null devices.
431
tun = is_tun_p2p (tt);
434
* Convert arguments to binary IPv4 addresses.
437
tt->local = getaddr (
440
| GETADDR_FATAL_ON_SIGNAL
447
tt->remote_netmask = getaddr (
448
(tun ? GETADDR_RESOLVE : 0)
450
| GETADDR_FATAL_ON_SIGNAL
452
ifconfig_remote_netmask_parm,
458
* Look for common errors in --ifconfig parms
462
ifconfig_sanity_check (tt->type == DEV_TYPE_TUN, tt->remote_netmask, tt->topology);
465
* If local_public or remote_public addresses are defined,
466
* make sure they do not clash with our virtual subnet.
469
check_addr_clash ("local",
475
check_addr_clash ("remote",
481
if (tt->type == DEV_TYPE_TAP || (tt->type == DEV_TYPE_TUN && tt->topology == TOP_SUBNET))
482
check_subnet_conflict (tt->local, tt->remote_netmask, "TUN/TAP adapter");
483
else if (tt->type == DEV_TYPE_TUN)
484
check_subnet_conflict (tt->local, IPV4_NETMASK_HOST, "TUN/TAP adapter");
488
* Set ifconfig parameters
490
ifconfig_local = print_in_addr_t (tt->local, 0, &gc);
491
ifconfig_remote_netmask = print_in_addr_t (tt->remote_netmask, 0, &gc);
494
* If TAP-style interface, generate broadcast address.
498
tt->broadcast = generate_ifconfig_broadcast_addr (tt->local, tt->remote_netmask);
499
ifconfig_broadcast = print_in_addr_t (tt->broadcast, 0, &gc);
503
* Set environmental variables with ifconfig parameters.
507
setenv_str (es, "ifconfig_local", ifconfig_local);
510
setenv_str (es, "ifconfig_remote", ifconfig_remote_netmask);
514
setenv_str (es, "ifconfig_netmask", ifconfig_remote_netmask);
515
setenv_str (es, "ifconfig_broadcast", ifconfig_broadcast);
519
tt->did_ifconfig_setup = true;
522
if (ifconfig_ipv6_local_parm && ifconfig_ipv6_remote_parm)
524
const char *ifconfig_ipv6_local = NULL;
525
const char *ifconfig_ipv6_remote = NULL;
528
* Convert arguments to binary IPv6 addresses.
531
if ( inet_pton( AF_INET6, ifconfig_ipv6_local_parm, &tt->local_ipv6 ) != 1 ||
532
inet_pton( AF_INET6, ifconfig_ipv6_remote_parm, &tt->remote_ipv6 ) != 1 )
534
msg( M_FATAL, "init_tun: problem converting IPv6 ifconfig addresses %s and %s to binary", ifconfig_ipv6_local_parm, ifconfig_ipv6_remote_parm );
536
tt->netbits_ipv6 = ifconfig_ipv6_netbits_parm;
539
* Set ifconfig parameters
541
ifconfig_ipv6_local = print_in6_addr (tt->local_ipv6, 0, &gc);
542
ifconfig_ipv6_remote = print_in6_addr (tt->remote_ipv6, 0, &gc);
545
* Set environmental variables with ifconfig parameters.
549
setenv_str (es, "ifconfig_ipv6_local", ifconfig_ipv6_local);
550
setenv_int (es, "ifconfig_ipv6_netbits", tt->netbits_ipv6);
551
setenv_str (es, "ifconfig_ipv6_remote", ifconfig_ipv6_remote);
553
tt->did_ifconfig_ipv6_setup = true;
561
* Platform specific tun initializations
564
init_tun_post (struct tuntap *tt,
565
const struct frame *frame,
566
const struct tuntap_options *options)
568
tt->options = *options;
570
overlapped_io_init (&tt->reads, frame, FALSE, true);
571
overlapped_io_init (&tt->writes, frame, TRUE, true);
572
tt->rw_handle.read = tt->reads.overlapped.hEvent;
573
tt->rw_handle.write = tt->writes.overlapped.hEvent;
574
tt->adapter_index = TUN_ADAPTER_INDEX_INVALID;
578
#if defined(WIN32) || \
579
defined(TARGET_DARWIN) || defined(TARGET_NETBSD) || defined(TARGET_OPENBSD)
581
/* some of the platforms will auto-add a "network route" pointing
582
* to the interface on "ifconfig tunX 2001:db8::1/64", others need
583
* an extra call to "route add..."
584
* -> helper function to simplify code below
586
void add_route_connected_v6_net(struct tuntap * tt,
587
const struct env_set *es)
589
struct route_ipv6 r6;
592
r6.network = tt->local_ipv6;
593
r6.netbits = tt->netbits_ipv6;
594
r6.gateway = tt->local_ipv6;
595
r6.metric = 0; /* connected route */
596
r6.metric_defined = true;
597
add_route_ipv6 (&r6, tt, 0, es);
600
void delete_route_connected_v6_net(struct tuntap * tt,
601
const struct env_set *es)
603
struct route_ipv6 r6;
606
r6.network = tt->local_ipv6;
607
r6.netbits = tt->netbits_ipv6;
608
r6.gateway = tt->local_ipv6;
609
r6.metric = 0; /* connected route */
610
r6.metric_defined = true;
611
delete_route_ipv6 (&r6, tt, 0, es);
616
/* execute the ifconfig command through the shell */
618
do_ifconfig (struct tuntap *tt,
619
const char *actual, /* actual device name */
621
const struct env_set *es)
623
struct gc_arena gc = gc_new ();
625
if (tt->did_ifconfig_setup)
628
const char *ifconfig_local = NULL;
629
const char *ifconfig_remote_netmask = NULL;
630
const char *ifconfig_broadcast = NULL;
631
const char *ifconfig_ipv6_local = NULL;
632
const char *ifconfig_ipv6_remote = NULL;
633
bool do_ipv6 = false;
638
msg( M_INFO, "do_ifconfig, tt->ipv6=%d, tt->did_ifconfig_ipv6_setup=%d",
639
tt->ipv6, tt->did_ifconfig_ipv6_setup );
642
* We only handle TUN/TAP devices here, not --dev null devices.
644
tun = is_tun_p2p (tt);
647
* Set ifconfig parameters
649
ifconfig_local = print_in_addr_t (tt->local, 0, &gc);
650
ifconfig_remote_netmask = print_in_addr_t (tt->remote_netmask, 0, &gc);
652
if ( tt->ipv6 && tt->did_ifconfig_ipv6_setup )
654
ifconfig_ipv6_local = print_in6_addr (tt->local_ipv6, 0, &gc);
655
ifconfig_ipv6_remote = print_in6_addr (tt->remote_ipv6, 0, &gc);
660
* If TAP-style device, generate broadcast address.
663
ifconfig_broadcast = print_in_addr_t (tt->broadcast, 0, &gc);
665
#ifdef ENABLE_MANAGEMENT
668
management_set_state (management,
669
OPENVPN_STATE_ASSIGN_IP,
677
#if defined(TARGET_LINUX)
678
#ifdef ENABLE_IPROUTE
680
* Set the MTU for the device
683
"%s link set dev %s up mtu %d",
688
argv_msg (M_INFO, &argv);
689
openvpn_execve_check (&argv, es, S_FATAL, "Linux ip link set failed");
694
* Set the address for the device
697
"%s addr add dev %s local %s peer %s",
701
ifconfig_remote_netmask
703
argv_msg (M_INFO, &argv);
704
openvpn_execve_check (&argv, es, S_FATAL, "Linux ip addr add failed");
707
"%s addr add dev %s %s/%d broadcast %s",
711
count_netmask_bits(ifconfig_remote_netmask),
714
argv_msg (M_INFO, &argv);
715
openvpn_execve_check (&argv, es, S_FATAL, "Linux ip addr add failed");
720
"%s -6 addr add %s/%d dev %s",
726
argv_msg (M_INFO, &argv);
727
openvpn_execve_check (&argv, es, S_FATAL, "Linux ip -6 addr add failed");
729
tt->did_ifconfig = true;
733
"%s %s %s pointopoint %s mtu %d",
737
ifconfig_remote_netmask,
742
"%s %s %s netmask %s mtu %d broadcast %s",
746
ifconfig_remote_netmask,
750
argv_msg (M_INFO, &argv);
751
openvpn_execve_check (&argv, es, S_FATAL, "Linux ifconfig failed");
761
argv_msg (M_INFO, &argv);
762
openvpn_execve_check (&argv, es, S_FATAL, "Linux ifconfig inet6 failed");
764
tt->did_ifconfig = true;
766
#endif /*ENABLE_IPROUTE*/
767
#elif defined(TARGET_SOLARIS)
769
/* Solaris 2.6 (and 7?) cannot set all parameters in one go...
771
* ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 up
772
* ifconfig tun2 netmask 255.255.255.255
777
"%s %s %s %s mtu %d up",
781
ifconfig_remote_netmask,
785
argv_msg (M_INFO, &argv);
786
if (!openvpn_execve_check (&argv, es, 0, "Solaris ifconfig phase-1 failed"))
787
solaris_error_close (tt, es, actual, false);
790
"%s %s netmask 255.255.255.255",
796
if (tt->topology == TOP_SUBNET)
799
"%s %s %s %s netmask %s mtu %d up",
804
ifconfig_remote_netmask,
810
" %s %s %s netmask %s broadcast + up",
814
ifconfig_remote_netmask
817
argv_msg (M_INFO, &argv);
818
if (!openvpn_execve_check (&argv, es, 0, "Solaris ifconfig phase-2 failed"))
819
solaris_error_close (tt, es, actual, false);
823
argv_printf (&argv, "%s %s inet6 unplumb",
824
IFCONFIG_PATH, actual );
825
argv_msg (M_INFO, &argv);
826
openvpn_execve_check (&argv, es, 0, NULL);
828
if ( tt->type == DEV_TYPE_TUN )
831
"%s %s inet6 plumb %s/%d %s up",
841
/* base IPv6 tap interface needs to be brought up first
843
argv_printf (&argv, "%s %s inet6 plumb up",
844
IFCONFIG_PATH, actual );
845
argv_msg (M_INFO, &argv);
846
if (!openvpn_execve_check (&argv, es, 0, "Solaris ifconfig IPv6 (prepare) failed"))
847
solaris_error_close (tt, es, actual, true);
849
/* we might need to do "ifconfig %s inet6 auto-dhcp drop"
850
* after the system has noticed the interface and fired up
851
* the DHCPv6 client - but this takes quite a while, and the
852
* server will ignore the DHCPv6 packets anyway. So we don't.
855
/* static IPv6 addresses need to go to a subinterface (tap0:1)
858
"%s %s inet6 addif %s/%d up",
859
IFCONFIG_PATH, actual,
860
ifconfig_ipv6_local, tt->netbits_ipv6 );
862
argv_msg (M_INFO, &argv);
863
if (!openvpn_execve_check (&argv, es, 0, "Solaris ifconfig IPv6 failed"))
864
solaris_error_close (tt, es, actual, true);
867
if (!tun && tt->topology == TOP_SUBNET)
869
/* Add a network route for the local tun interface */
872
r.flags = RT_DEFINED | RT_METRIC_DEFINED;
873
r.network = tt->local & tt->remote_netmask;
874
r.netmask = tt->remote_netmask;
875
r.gateway = tt->local;
877
add_route (&r, tt, 0, NULL, es);
880
tt->did_ifconfig = true;
882
#elif defined(TARGET_OPENBSD)
885
* On OpenBSD, tun interfaces are persistent if created with
886
* "ifconfig tunX create", and auto-destroyed if created by
887
* opening "/dev/tunX" (so we just use the /dev/tunX)
890
/* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */
893
"%s %s %s %s mtu %d netmask 255.255.255.255 up -link0",
897
ifconfig_remote_netmask,
901
if ( tt->topology == TOP_SUBNET )
904
"%s %s %s %s mtu %d netmask %s up -link0",
910
ifconfig_remote_netmask
915
"%s %s %s netmask %s mtu %d broadcast %s link0",
919
ifconfig_remote_netmask,
923
argv_msg (M_INFO, &argv);
924
openvpn_execve_check (&argv, es, S_FATAL, "OpenBSD ifconfig failed");
934
argv_msg (M_INFO, &argv);
935
openvpn_execve_check (&argv, es, S_FATAL, "OpenBSD ifconfig inet6 failed");
937
/* and, hooray, we explicitely need to add a route... */
938
add_route_connected_v6_net(tt, es);
940
tt->did_ifconfig = true;
942
#elif defined(TARGET_NETBSD)
944
/* whether or not NetBSD can do IPv6 can be seen by the availability of
945
* the TUNSIFHEAD ioctl() - see next TARGET_NETBSD block for more details
948
# define NETBSD_MULTI_AF
953
"%s %s %s %s mtu %d netmask 255.255.255.255 up",
957
ifconfig_remote_netmask,
961
if ( tt->topology == TOP_SUBNET )
964
"%s %s %s %s mtu %d netmask %s up",
970
ifconfig_remote_netmask
975
* NetBSD has distinct tun and tap devices
976
* so we don't need the "link0" extra parameter to specify we want to do
977
* tunneling at the ethernet level
980
"%s %s %s netmask %s mtu %d broadcast %s",
984
ifconfig_remote_netmask,
988
argv_msg (M_INFO, &argv);
989
openvpn_execve_check (&argv, es, S_FATAL, "NetBSD ifconfig failed");
993
#ifdef NETBSD_MULTI_AF
1001
argv_msg (M_INFO, &argv);
1002
openvpn_execve_check (&argv, es, S_FATAL, "NetBSD ifconfig inet6 failed");
1004
/* and, hooray, we explicitely need to add a route... */
1005
add_route_connected_v6_net(tt, es);
1007
msg( M_INFO, "no IPv6 support for tun interfaces on NetBSD before 4.0 (if your system is newer, recompile openvpn)" );
1011
tt->did_ifconfig = true;
1013
#elif defined(TARGET_DARWIN)
1015
* Darwin (i.e. Mac OS X) seems to exhibit similar behaviour to OpenBSD...
1022
argv_msg (M_INFO, &argv);
1023
openvpn_execve_check (&argv, es, 0, NULL);
1024
msg (M_INFO, "NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure");
1027
/* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */
1030
"%s %s %s %s mtu %d netmask 255.255.255.255 up",
1034
ifconfig_remote_netmask,
1039
if (tt->topology == TOP_SUBNET)
1041
"%s %s %s %s netmask %s mtu %d up",
1046
ifconfig_remote_netmask,
1051
"%s %s %s netmask %s mtu %d up",
1055
ifconfig_remote_netmask,
1060
argv_msg (M_INFO, &argv);
1061
openvpn_execve_check (&argv, es, S_FATAL, "Mac OS X ifconfig failed");
1062
tt->did_ifconfig = true;
1064
/* Add a network route for the local tun interface */
1065
if (!tun && tt->topology == TOP_SUBNET)
1069
r.flags = RT_DEFINED;
1070
r.network = tt->local & tt->remote_netmask;
1071
r.netmask = tt->remote_netmask;
1072
r.gateway = tt->local;
1073
add_route (&r, tt, 0, NULL, es);
1079
"%s %s inet6 %s/%d",
1082
ifconfig_ipv6_local,
1085
argv_msg (M_INFO, &argv);
1086
openvpn_execve_check (&argv, es, S_FATAL, "MacOS X ifconfig inet6 failed");
1088
/* and, hooray, we explicitely need to add a route... */
1089
add_route_connected_v6_net(tt, es);
1092
#elif defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)||defined(__FreeBSD_kernel__)
1094
/* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */
1097
"%s %s %s %s mtu %d netmask 255.255.255.255 up",
1101
ifconfig_remote_netmask,
1104
else if ( tt->topology == TOP_SUBNET )
1107
"%s %s %s %s mtu %d netmask %s up",
1113
ifconfig_remote_netmask
1118
"%s %s %s netmask %s mtu %d up",
1122
ifconfig_remote_netmask,
1126
argv_msg (M_INFO, &argv);
1127
openvpn_execve_check (&argv, es, S_FATAL, "FreeBSD ifconfig failed");
1128
tt->did_ifconfig = true;
1130
/* Add a network route for the local tun interface */
1131
if (!tun && tt->topology == TOP_SUBNET)
1135
r.flags = RT_DEFINED;
1136
r.network = tt->local & tt->remote_netmask;
1137
r.netmask = tt->remote_netmask;
1138
r.gateway = tt->local;
1139
add_route (&r, tt, 0, NULL, es);
1145
"%s %s inet6 %s/%d",
1148
ifconfig_ipv6_local,
1151
argv_msg (M_INFO, &argv);
1152
openvpn_execve_check (&argv, es, S_FATAL, "FreeBSD ifconfig inet6 failed");
1155
#elif defined (WIN32)
1158
* Make sure that both ifconfig addresses are part of the
1163
verify_255_255_255_252 (tt->local, tt->remote_netmask);
1164
tt->adapter_netmask = ~3;
1168
tt->adapter_netmask = tt->remote_netmask;
1171
switch (tt->options.ip_win32_type)
1173
case IPW32_SET_MANUAL:
1174
msg (M_INFO, "******** NOTE: Please manually set the IP/netmask of '%s' to %s/%s (if it is not already set)",
1177
print_in_addr_t (tt->adapter_netmask, 0, &gc));
1179
case IPW32_SET_NETSH:
1180
if (!strcmp (actual, "NULL"))
1181
msg (M_FATAL, "Error: When using --ip-win32 netsh, if you have more than one TAP-Windows adapter, you must also specify --dev-node");
1183
netsh_ifconfig (&tt->options,
1186
tt->adapter_netmask,
1187
NI_IP_NETMASK|NI_OPTIONS);
1191
tt->did_ifconfig = true;
1194
/* IPv6 always uses "netsh" interface */
1197
char * saved_actual;
1199
if (!strcmp (actual, "NULL"))
1200
msg (M_FATAL, "Error: When using --tun-ipv6, if you have more than one TAP-Windows adapter, you must also specify --dev-node");
1202
/* example: netsh interface ipv6 set address MyTap 2001:608:8003::d store=active */
1204
"%s%sc interface ipv6 set address %s %s store=active",
1208
ifconfig_ipv6_local );
1210
netsh_command (&argv, 4);
1212
/* explicit route needed */
1213
/* on windows, OpenVPN does ifconfig first, open_tun later, so
1214
* tt->actual_name might not yet be initialized, but routing code
1215
* needs to know interface name - point to "actual", restore later
1217
saved_actual = tt->actual_name;
1218
tt->actual_name = (char*) actual;
1219
add_route_connected_v6_net(tt, es);
1220
tt->actual_name = saved_actual;
1223
msg (M_FATAL, "Sorry, but I don't know how to do 'ifconfig' commands on this operating system. You should ifconfig your TUN/TAP device manually or use an --up script.");
1231
clear_tuntap (struct tuntap *tuntap)
1235
tuntap->hand = NULL;
1239
#ifdef TARGET_SOLARIS
1242
tuntap->ipv6 = false;
1246
open_null (struct tuntap *tt)
1248
tt->actual_name = string_alloc ("null", NULL);
1253
open_tun_generic (const char *dev, const char *dev_type, const char *dev_node,
1254
bool ipv6_explicitly_supported, bool dynamic,
1258
char dynamic_name[256];
1259
bool dynamic_opened = false;
1262
if ( tt->ipv6 && ! ipv6_explicitly_supported )
1263
msg (M_WARN, "NOTE: explicit support for IPv6 tun devices is not provided for this OS");
1265
if (tt->type == DEV_TYPE_NULL)
1272
* --dev-node specified, so open an explicit device node
1276
openvpn_snprintf (tunname, sizeof (tunname), "%s", dev_node);
1281
* dynamic open is indicated by --dev specified without
1282
* explicit unit number. Try opening /dev/[dev]n
1283
* where n = [0, 255].
1285
#ifdef TARGET_NETBSD
1286
/* on NetBSD, tap (but not tun) devices are opened by
1287
* opening /dev/tap and then querying the system about the
1288
* actual device name (tap0, tap1, ...) assigned
1290
if ( dynamic && strcmp( dev, "tap" ) == 0 )
1293
if ((tt->fd = open ( "/dev/tap", O_RDWR)) < 0)
1295
msg (M_FATAL, "Cannot allocate NetBSD TAP dev dynamically");
1297
if ( ioctl( tt->fd, TAPGIFNAME, (void*)&ifr ) < 0 )
1299
msg (M_FATAL, "Cannot query NetBSD TAP device name");
1301
CLEAR(dynamic_name);
1302
strncpy( dynamic_name, ifr.ifr_name, sizeof(dynamic_name)-1 );
1303
dynamic_opened = true;
1304
openvpn_snprintf (tunname, sizeof (tunname), "/dev/%s", dynamic_name );
1309
if (dynamic && !has_digit((unsigned char *)dev))
1312
for (i = 0; i < 256; ++i)
1314
openvpn_snprintf (tunname, sizeof (tunname),
1315
"/dev/%s%d", dev, i);
1316
openvpn_snprintf (dynamic_name, sizeof (dynamic_name),
1318
if ((tt->fd = open (tunname, O_RDWR)) > 0)
1320
dynamic_opened = true;
1323
msg (D_READ_WRITE | M_ERRNO, "Tried opening %s (failed)", tunname);
1325
if (!dynamic_opened)
1326
msg (M_FATAL, "Cannot allocate TUN/TAP dev dynamically");
1329
* explicit unit number specified
1333
openvpn_snprintf (tunname, sizeof (tunname), "/dev/%s", dev);
1337
if (!dynamic_opened)
1339
/* has named device existed before? if so, don't destroy at end */
1340
if ( if_nametoindex( dev ) > 0 )
1342
msg (M_INFO, "TUN/TAP device %s exists previously, keep at program end", dev );
1343
tt->persistent_if = true;
1346
if ((tt->fd = open (tunname, O_RDWR)) < 0)
1347
msg (M_ERR, "Cannot open TUN/TAP dev %s", tunname);
1350
set_nonblock (tt->fd);
1351
set_cloexec (tt->fd); /* don't pass fd to scripts */
1352
msg (M_INFO, "TUN/TAP device %s opened", tunname);
1354
/* tt->actual_name is passed to up and down scripts and used as the ifconfig dev name */
1355
tt->actual_name = string_alloc (dynamic_opened ? dynamic_name : dev, NULL);
1360
close_tun_generic (struct tuntap *tt)
1364
if (tt->actual_name)
1365
free (tt->actual_name);
1371
#if defined(TARGET_LINUX)
1373
#ifdef HAVE_LINUX_IF_TUN_H /* New driver support */
1375
#ifndef HAVE_LINUX_SOCKIOS_H
1376
#error header file linux/sockios.h required
1382
open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
1387
* We handle --dev null specially, we do not open /dev/null for this.
1389
if (tt->type == DEV_TYPE_NULL)
1396
* Process --dev-node
1398
const char *node = dev_node;
1400
node = "/dev/net/tun";
1403
* Open the interface
1405
if ((tt->fd = open (node, O_RDWR)) < 0)
1407
msg (M_ERR, "ERROR: Cannot open TUN/TAP dev %s", node);
1411
* Process --tun-ipv6
1415
ifr.ifr_flags = IFF_NO_PI;
1417
#if defined(IFF_ONE_QUEUE) && defined(SIOCSIFTXQLEN)
1418
ifr.ifr_flags |= IFF_ONE_QUEUE;
1422
* Figure out if tun or tap device
1424
if (tt->type == DEV_TYPE_TUN)
1426
ifr.ifr_flags |= IFF_TUN;
1428
else if (tt->type == DEV_TYPE_TAP)
1430
ifr.ifr_flags |= IFF_TAP;
1434
msg (M_FATAL, "I don't recognize device %s as a tun or tap device",
1439
* Set an explicit name, if --dev is not tun or tap
1441
if (strcmp(dev, "tun") && strcmp(dev, "tap"))
1442
strncpynt (ifr.ifr_name, dev, IFNAMSIZ);
1445
* Use special ioctl that configures tun/tap device with the parms
1448
if (ioctl (tt->fd, TUNSETIFF, (void *) &ifr) < 0)
1450
msg (M_ERR, "ERROR: Cannot ioctl TUNSETIFF %s", dev);
1453
msg (M_INFO, "TUN/TAP device %s opened", ifr.ifr_name);
1456
* Try making the TX send queue bigger
1458
#if defined(IFF_ONE_QUEUE) && defined(SIOCSIFTXQLEN)
1459
if (tt->options.txqueuelen) {
1460
struct ifreq netifr;
1463
if ((ctl_fd = socket (AF_INET, SOCK_DGRAM, 0)) >= 0)
1466
strncpynt (netifr.ifr_name, ifr.ifr_name, IFNAMSIZ);
1467
netifr.ifr_qlen = tt->options.txqueuelen;
1468
if (ioctl (ctl_fd, SIOCSIFTXQLEN, (void *) &netifr) >= 0)
1469
msg (D_OSBUF, "TUN/TAP TX queue length set to %d", tt->options.txqueuelen);
1471
msg (M_WARN | M_ERRNO, "Note: Cannot set tx queue length on %s", ifr.ifr_name);
1476
msg (M_WARN | M_ERRNO, "Note: Cannot open control socket on %s", ifr.ifr_name);
1481
set_nonblock (tt->fd);
1482
set_cloexec (tt->fd);
1483
tt->actual_name = string_alloc (ifr.ifr_name, NULL);
1491
open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
1501
open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
1503
open_tun_generic (dev, dev_type, dev_node, false, true, tt);
1506
#endif /* HAVE_LINUX_IF_TUN_H */
1508
#ifdef ENABLE_FEATURE_TUN_PERSIST
1511
* This can be removed in future
1512
* when all systems will use newer
1516
#define TUNSETOWNER _IOW('T', 204, int)
1519
#define TUNSETGROUP _IOW('T', 206, int)
1523
tuncfg (const char *dev, const char *dev_type, const char *dev_node, int persist_mode, const char *username, const char *groupname, const struct tuntap_options *options)
1527
ALLOC_OBJ (tt, struct tuntap);
1529
tt->type = dev_type_enum (dev, dev_type);
1530
tt->options = *options;
1531
open_tun (dev, dev_type, dev_node, tt);
1532
if (ioctl (tt->fd, TUNSETPERSIST, persist_mode) < 0)
1533
msg (M_ERR, "Cannot ioctl TUNSETPERSIST(%d) %s", persist_mode, dev);
1534
if (username != NULL)
1536
struct platform_state_user platform_state_user;
1538
if (!platform_user_get (username, &platform_state_user))
1539
msg (M_ERR, "Cannot get user entry for %s", username);
1541
if (ioctl (tt->fd, TUNSETOWNER, platform_state_user.pw->pw_uid) < 0)
1542
msg (M_ERR, "Cannot ioctl TUNSETOWNER(%s) %s", username, dev);
1544
if (groupname != NULL)
1546
struct platform_state_group platform_state_group;
1548
if (!platform_group_get (groupname, &platform_state_group))
1549
msg (M_ERR, "Cannot get group entry for %s", groupname);
1551
if (ioctl (tt->fd, TUNSETGROUP, platform_state_group.gr->gr_gid) < 0)
1552
msg (M_ERR, "Cannot ioctl TUNSETOWNER(%s) %s", groupname, dev);
1555
msg (M_INFO, "Persist state set to: %s", (persist_mode ? "ON" : "OFF"));
1558
#endif /* ENABLE_FEATURE_TUN_PERSIST */
1561
close_tun (struct tuntap *tt)
1565
if (tt->type != DEV_TYPE_NULL && tt->did_ifconfig)
1568
struct gc_arena gc = gc_new ();
1571
#ifdef ENABLE_IPROUTE
1572
if (is_tun_p2p (tt))
1575
"%s addr del dev %s local %s peer %s",
1578
print_in_addr_t (tt->local, 0, &gc),
1579
print_in_addr_t (tt->remote_netmask, 0, &gc)
1585
"%s addr del dev %s %s/%d",
1588
print_in_addr_t (tt->local, 0, &gc),
1589
count_netmask_bits(print_in_addr_t (tt->remote_netmask, 0, &gc))
1600
argv_msg (M_INFO, &argv);
1601
openvpn_execve_check (&argv, NULL, 0, "Linux ip addr del failed");
1606
close_tun_generic (tt);
1612
write_tun (struct tuntap* tt, uint8_t *buf, int len)
1618
struct iovec vect[2];
1621
iph = (struct iphdr *)buf;
1625
if(iph->version == 6)
1626
pi.proto = htons(ETH_P_IPV6);
1628
pi.proto = htons(ETH_P_IP);
1630
vect[0].iov_len = sizeof(pi);
1631
vect[0].iov_base = π
1632
vect[1].iov_len = len;
1633
vect[1].iov_base = buf;
1635
ret = writev(tt->fd, vect, 2);
1636
return(ret - sizeof(pi));
1639
return write (tt->fd, buf, len);
1643
read_tun (struct tuntap* tt, uint8_t *buf, int len)
1647
struct iovec vect[2];
1651
vect[0].iov_len = sizeof(pi);
1652
vect[0].iov_base = π
1653
vect[1].iov_len = len;
1654
vect[1].iov_base = buf;
1656
ret = readv(tt->fd, vect, 2);
1657
return(ret - sizeof(pi));
1660
return read (tt->fd, buf, len);
1663
#elif defined(TARGET_SOLARIS)
1666
#error I need the symbol TUNNEWPPA from net/if_tun.h
1670
open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
1672
int if_fd, ip_muxid, arp_muxid, arp_fd, ppa = -1;
1675
const char *ip_node, *arp_node;
1676
const char *dev_tuntap_type;
1679
struct strioctl strioc_if, strioc_ppa;
1681
/* improved generic TUN/TAP driver from
1682
* http://www.whiteboard.ne.jp/~admin2/tuntap/
1687
if (tt->type == DEV_TYPE_NULL)
1693
if (tt->type == DEV_TYPE_TUN)
1695
ip_node = "/dev/udp";
1697
dev_node = "/dev/tun";
1698
dev_tuntap_type = "tun";
1699
link_type = I_PLINK;
1702
else if (tt->type == DEV_TYPE_TAP)
1704
ip_node = "/dev/udp";
1706
dev_node = "/dev/tap";
1707
arp_node = dev_node;
1708
dev_tuntap_type = "tap";
1709
link_type = I_PLINK; /* was: I_LINK */
1714
msg (M_FATAL, "I don't recognize device %s as a tun or tap device",
1718
if ((tt->ip_fd = open (ip_node, O_RDWR, 0)) < 0)
1719
msg (M_ERR, "Can't open %s", ip_node);
1721
if ((tt->fd = open (dev_node, O_RDWR, 0)) < 0)
1722
msg (M_ERR, "Can't open %s", dev_node);
1724
/* get unit number */
1728
while (*ptr && !isdigit ((int) *ptr))
1733
/* Assign a new PPA and get its unit number. */
1734
strioc_ppa.ic_cmd = TUNNEWPPA;
1735
strioc_ppa.ic_timout = 0;
1736
strioc_ppa.ic_len = sizeof(ppa);
1737
strioc_ppa.ic_dp = (char *)&ppa;
1739
if ( *ptr == '\0' ) /* no number given, try dynamic */
1741
bool found_one = false;
1742
while( ! found_one && ppa < 64 )
1744
int new_ppa = ioctl (tt->fd, I_STR, &strioc_ppa);
1747
msg( M_INFO, "open_tun: got dynamic interface '%s%d'", dev_tuntap_type, new_ppa );
1752
if ( errno != EEXIST )
1753
msg (M_ERR, "open_tun: unexpected error trying to find free %s interface", dev_tuntap_type );
1757
msg (M_ERR, "open_tun: could not find free %s interface, give up.", dev_tuntap_type );
1759
else /* try this particular one */
1761
if ((ppa = ioctl (tt->fd, I_STR, &strioc_ppa)) < 0)
1762
msg (M_ERR, "Can't assign PPA for new interface (%s%d)", dev_tuntap_type, ppa );
1765
if ((if_fd = open (dev_node, O_RDWR, 0)) < 0)
1766
msg (M_ERR, "Can't open %s (2)", dev_node);
1768
if (ioctl (if_fd, I_PUSH, "ip") < 0)
1769
msg (M_ERR, "Can't push IP module");
1771
if (tt->type == DEV_TYPE_TUN)
1773
/* Assign ppa according to the unit number returned by tun device */
1774
if (ioctl (if_fd, IF_UNITSEL, (char *) &ppa) < 0)
1775
msg (M_ERR, "Can't set PPA %d", ppa);
1778
tt->actual_name = (char *) malloc (32);
1779
check_malloc_return (tt->actual_name);
1781
openvpn_snprintf (tt->actual_name, 32, "%s%d", dev_tuntap_type, ppa);
1783
if (tt->type == DEV_TYPE_TAP)
1785
if (ioctl(if_fd, SIOCGLIFFLAGS, &ifr) < 0)
1786
msg (M_ERR, "Can't get flags\n");
1787
strncpynt (ifr.lifr_name, tt->actual_name, sizeof (ifr.lifr_name));
1789
/* Assign ppa according to the unit number returned by tun device */
1790
if (ioctl (if_fd, SIOCSLIFNAME, &ifr) < 0)
1791
msg (M_ERR, "Can't set PPA %d", ppa);
1792
if (ioctl(if_fd, SIOCGLIFFLAGS, &ifr) <0)
1793
msg (M_ERR, "Can't get flags\n");
1794
/* Push arp module to if_fd */
1795
if (ioctl (if_fd, I_PUSH, "arp") < 0)
1796
msg (M_ERR, "Can't push ARP module");
1798
/* Pop any modules on the stream */
1801
if (ioctl (tt->ip_fd, I_POP, NULL) < 0)
1804
/* Push arp module to ip_fd */
1805
if (ioctl (tt->ip_fd, I_PUSH, "arp") < 0)
1806
msg (M_ERR, "Can't push ARP module\n");
1809
if ((arp_fd = open (arp_node, O_RDWR, 0)) < 0)
1810
msg (M_ERR, "Can't open %s\n", arp_node);
1811
/* Push arp module to arp_fd */
1812
if (ioctl (arp_fd, I_PUSH, "arp") < 0)
1813
msg (M_ERR, "Can't push ARP module\n");
1815
/* Set ifname to arp */
1816
strioc_if.ic_cmd = SIOCSLIFNAME;
1817
strioc_if.ic_timout = 0;
1818
strioc_if.ic_len = sizeof(ifr);
1819
strioc_if.ic_dp = (char *)𝔦
1820
if (ioctl(arp_fd, I_STR, &strioc_if) < 0){
1821
msg (M_ERR, "Can't set ifname to arp\n");
1825
if ((ip_muxid = ioctl (tt->ip_fd, link_type, if_fd)) < 0)
1826
msg (M_ERR, "Can't link %s device to IP", dev_tuntap_type);
1828
if (tt->type == DEV_TYPE_TAP) {
1829
if ((arp_muxid = ioctl (tt->ip_fd, link_type, arp_fd)) < 0)
1830
msg (M_ERR, "Can't link %s device to ARP", dev_tuntap_type);
1835
strncpynt (ifr.lifr_name, tt->actual_name, sizeof (ifr.lifr_name));
1836
ifr.lifr_ip_muxid = ip_muxid;
1837
if (tt->type == DEV_TYPE_TAP) {
1838
ifr.lifr_arp_muxid = arp_muxid;
1841
if (ioctl (tt->ip_fd, SIOCSLIFMUXID, &ifr) < 0)
1843
if (tt->type == DEV_TYPE_TAP)
1845
ioctl (tt->ip_fd, I_PUNLINK , arp_muxid);
1847
ioctl (tt->ip_fd, I_PUNLINK, ip_muxid);
1848
msg (M_ERR, "Can't set multiplexor id");
1851
set_nonblock (tt->fd);
1852
set_cloexec (tt->fd);
1853
set_cloexec (tt->ip_fd);
1855
msg (M_INFO, "TUN/TAP device %s opened", tt->actual_name);
1859
solaris_close_tun (struct tuntap *tt)
1863
/* IPv6 interfaces need to be 'manually' de-configured */
1864
if ( tt->ipv6 && tt->did_ifconfig_ipv6_setup )
1868
argv_printf( &argv, "%s %s inet6 unplumb",
1869
IFCONFIG_PATH, tt->actual_name );
1870
argv_msg (M_INFO, &argv);
1871
openvpn_execve_check (&argv, NULL, 0, "Solaris ifconfig inet6 unplumb failed");
1879
strncpynt (ifr.lifr_name, tt->actual_name, sizeof (ifr.lifr_name));
1881
if (ioctl (tt->ip_fd, SIOCGLIFFLAGS, &ifr) < 0)
1882
msg (M_WARN | M_ERRNO, "Can't get iface flags");
1884
if (ioctl (tt->ip_fd, SIOCGLIFMUXID, &ifr) < 0)
1885
msg (M_WARN | M_ERRNO, "Can't get multiplexor id");
1887
if (tt->type == DEV_TYPE_TAP)
1889
if (ioctl (tt->ip_fd, I_PUNLINK, ifr.lifr_arp_muxid) < 0)
1890
msg (M_WARN | M_ERRNO, "Can't unlink interface(arp)");
1893
if (ioctl (tt->ip_fd, I_PUNLINK, ifr.lifr_ip_muxid) < 0)
1894
msg (M_WARN | M_ERRNO, "Can't unlink interface(ip)");
1912
close_tun (struct tuntap *tt)
1916
solaris_close_tun (tt);
1918
if (tt->actual_name)
1919
free (tt->actual_name);
1927
solaris_error_close (struct tuntap *tt, const struct env_set *es,
1928
const char *actual, bool unplumb_inet6 )
1935
argv_printf( &argv, "%s %s inet6 unplumb",
1936
IFCONFIG_PATH, actual );
1937
argv_msg (M_INFO, &argv);
1938
openvpn_execve_check (&argv, es, 0, "Solaris ifconfig inet6 unplumb failed");
1946
argv_msg (M_INFO, &argv);
1947
openvpn_execve_check (&argv, es, 0, "Solaris ifconfig unplumb failed");
1949
msg (M_FATAL, "Solaris ifconfig failed");
1954
write_tun (struct tuntap* tt, uint8_t *buf, int len)
1958
sbuf.buf = (char *)buf;
1959
return putmsg (tt->fd, NULL, &sbuf, 0) >= 0 ? sbuf.len : -1;
1963
read_tun (struct tuntap* tt, uint8_t *buf, int len)
1969
sbuf.buf = (char *)buf;
1970
return getmsg (tt->fd, NULL, &sbuf, &f) >= 0 ? sbuf.len : -1;
1973
#elif defined(TARGET_OPENBSD)
1976
* OpenBSD has a slightly incompatible TUN device from
1977
* the rest of the world, in that it prepends a
1978
* uint32 to the beginning of the IP header
1979
* to designate the protocol (why not just
1980
* look at the version field in the IP header to
1981
* determine v4 or v6?).
1983
* We strip off this field on reads and
1984
* put it back on writes.
1986
* I have not tested TAP devices on OpenBSD,
1987
* but I have conditionalized the special
1988
* TUN handling code described above to
1989
* go away for TAP devices.
1993
open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
1995
open_tun_generic (dev, dev_type, dev_node, true, true, tt);
1997
/* Enable multicast on the interface */
2000
struct tuninfo info;
2002
if (ioctl (tt->fd, TUNGIFINFO, &info) < 0) {
2003
msg (M_WARN | M_ERRNO, "Can't get interface info: %s",
2007
#ifdef IFF_MULTICAST /* openbsd 4.x doesn't have this */
2008
info.flags |= IFF_MULTICAST;
2011
if (ioctl (tt->fd, TUNSIFINFO, &info) < 0) {
2012
msg (M_WARN | M_ERRNO, "Can't set interface info: %s",
2018
/* tun(4): "If the device was created by opening /dev/tunN, it will be
2019
* automatically destroyed. Devices created via ifconfig(8) are
2020
* only marked as not running and traffic will be dropped
2021
* returning EHOSTDOWN."
2022
* --> no special handling should be needed - *but* OpenBSD is misbehaving
2023
* here: if the interface was put in tap mode ("ifconfig tunN link0"), it
2024
* *will* stay around, and needs to be cleaned up manually
2028
close_tun (struct tuntap* tt)
2030
/* only *TAP* devices need destroying, tun devices auto-self-destruct
2032
if (tt && (tt->type == DEV_TYPE_TUN || tt->persistent_if ) )
2034
close_tun_generic (tt);
2039
struct gc_arena gc = gc_new ();
2042
/* setup command, close tun dev (clears tt->actual_name!), run command
2046
argv_printf (&argv, "%s %s destroy",
2047
IFCONFIG_PATH, tt->actual_name);
2049
close_tun_generic (tt);
2051
argv_msg (M_INFO, &argv);
2052
openvpn_execve_check (&argv, NULL, 0, "OpenBSD 'destroy tun interface' failed (non-critical)");
2059
openbsd_modify_read_write_return (int len)
2062
return len > sizeof (u_int32_t) ? len - sizeof (u_int32_t) : 0;
2068
write_tun (struct tuntap* tt, uint8_t *buf, int len)
2070
if (tt->type == DEV_TYPE_TUN)
2076
iph = (struct ip *) buf;
2078
if (tt->ipv6 && iph->ip_v == 6)
2079
type = htonl (AF_INET6);
2081
type = htonl (AF_INET);
2083
iv[0].iov_base = &type;
2084
iv[0].iov_len = sizeof (type);
2085
iv[1].iov_base = buf;
2086
iv[1].iov_len = len;
2088
return openbsd_modify_read_write_return (writev (tt->fd, iv, 2));
2091
return write (tt->fd, buf, len);
2095
read_tun (struct tuntap* tt, uint8_t *buf, int len)
2097
if (tt->type == DEV_TYPE_TUN)
2102
iv[0].iov_base = &type;
2103
iv[0].iov_len = sizeof (type);
2104
iv[1].iov_base = buf;
2105
iv[1].iov_len = len;
2107
return openbsd_modify_read_write_return (readv (tt->fd, iv, 2));
2110
return read (tt->fd, buf, len);
2113
#elif defined(TARGET_NETBSD)
2116
* NetBSD before 4.0 does not support IPv6 on tun out of the box,
2117
* but there exists a patch (sys/net/if_tun.c, 1.79->1.80, see PR 32944).
2119
* NetBSD 4.0 and up do, but we need to put the tun interface into
2120
* "multi_af" mode, which will prepend the address family to all packets
2121
* (same as OpenBSD and FreeBSD). If this is not enabled, the kernel
2122
* silently drops all IPv6 packets on output and gets confused on input.
2124
* On earlier versions, multi_af is not available at all, so we have
2125
* two different NetBSD code variants here :-(
2130
open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
2132
#ifdef NETBSD_MULTI_AF
2133
open_tun_generic (dev, dev_type, dev_node, true, true, tt);
2135
open_tun_generic (dev, dev_type, dev_node, false, true, tt);
2140
int i = IFF_POINTOPOINT|IFF_MULTICAST;
2141
ioctl (tt->fd, TUNSIFMODE, &i); /* multicast on */
2143
ioctl (tt->fd, TUNSLMODE, &i); /* link layer mode off */
2145
#ifdef NETBSD_MULTI_AF
2146
if ( tt->type == DEV_TYPE_TUN )
2149
if (ioctl (tt->fd, TUNSIFHEAD, &i) < 0) /* multi-af mode on */
2151
msg (M_WARN | M_ERRNO, "ioctl(TUNSIFHEAD): %s", strerror(errno));
2158
/* the current way OpenVPN handles tun devices on NetBSD leads to
2159
* lingering tunX interfaces after close -> for a full cleanup, they
2160
* need to be explicitely destroyed
2163
close_tun (struct tuntap *tt)
2165
/* only tun devices need destroying, tap devices auto-self-destruct
2167
if (tt && ( tt->type != DEV_TYPE_TUN || tt->persistent_if ) )
2169
close_tun_generic (tt);
2174
struct gc_arena gc = gc_new ();
2177
/* setup command, close tun dev (clears tt->actual_name!), run command
2181
argv_printf (&argv, "%s %s destroy",
2182
IFCONFIG_PATH, tt->actual_name);
2184
close_tun_generic (tt);
2186
argv_msg (M_INFO, &argv);
2187
openvpn_execve_check (&argv, NULL, 0, "NetBSD 'destroy tun interface' failed (non-critical)");
2193
#ifdef NETBSD_MULTI_AF
2196
netbsd_modify_read_write_return (int len)
2199
return len > sizeof (u_int32_t) ? len - sizeof (u_int32_t) : 0;
2205
write_tun (struct tuntap* tt, uint8_t *buf, int len)
2207
if (tt->type == DEV_TYPE_TUN)
2211
struct openvpn_iphdr *iph;
2213
iph = (struct openvpn_iphdr *) buf;
2215
if (tt->ipv6 && OPENVPN_IPH_GET_VER(iph->version_len) == 6)
2216
type = htonl (AF_INET6);
2218
type = htonl (AF_INET);
2220
iv[0].iov_base = (char *)&type;
2221
iv[0].iov_len = sizeof (type);
2222
iv[1].iov_base = buf;
2223
iv[1].iov_len = len;
2225
return netbsd_modify_read_write_return (writev (tt->fd, iv, 2));
2228
return write (tt->fd, buf, len);
2232
read_tun (struct tuntap* tt, uint8_t *buf, int len)
2234
if (tt->type == DEV_TYPE_TUN)
2239
iv[0].iov_base = (char *)&type;
2240
iv[0].iov_len = sizeof (type);
2241
iv[1].iov_base = buf;
2242
iv[1].iov_len = len;
2244
return netbsd_modify_read_write_return (readv (tt->fd, iv, 2));
2247
return read (tt->fd, buf, len);
2250
#else /* not NETBSD_MULTI_AF -> older code, IPv4 only */
2253
write_tun (struct tuntap* tt, uint8_t *buf, int len)
2255
return write (tt->fd, buf, len);
2259
read_tun (struct tuntap* tt, uint8_t *buf, int len)
2261
return read (tt->fd, buf, len);
2263
#endif /* NETBSD_MULTI_AF */
2265
#elif defined(TARGET_FREEBSD)
2268
freebsd_modify_read_write_return (int len)
2271
return len > sizeof (u_int32_t) ? len - sizeof (u_int32_t) : 0;
2277
open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
2279
open_tun_generic (dev, dev_type, dev_node, true, true, tt);
2281
if (tt->fd >= 0 && tt->type == DEV_TYPE_TUN)
2283
int i = IFF_POINTOPOINT | IFF_MULTICAST;
2285
if (ioctl (tt->fd, TUNSIFMODE, &i) < 0) {
2286
msg (M_WARN | M_ERRNO, "ioctl(TUNSIFMODE): %s", strerror(errno));
2289
if (ioctl (tt->fd, TUNSIFHEAD, &i) < 0) {
2290
msg (M_WARN | M_ERRNO, "ioctl(TUNSIFHEAD): %s", strerror(errno));
2295
/* tun(4): "These network interfaces persist until the if_tun.ko module is
2296
* unloaded, or until removed with the ifconfig(8) command."
2297
* (verified for FreeBSD 6.3, 7.4, 8.2 and 9, same for tap(4))
2299
* so, to avoid lingering tun/tap interfaces after OpenVPN quits,
2300
* we need to call "ifconfig ... destroy" for cleanup
2303
close_tun (struct tuntap *tt)
2305
if (tt && tt->persistent_if ) /* keep pre-existing if around */
2307
close_tun_generic (tt);
2310
else if (tt) /* close and destroy */
2312
struct gc_arena gc = gc_new ();
2315
/* setup command, close tun dev (clears tt->actual_name!), run command
2319
argv_printf (&argv, "%s %s destroy",
2320
IFCONFIG_PATH, tt->actual_name);
2322
close_tun_generic (tt);
2324
argv_msg (M_INFO, &argv);
2325
openvpn_execve_check (&argv, NULL, 0, "FreeBSD 'destroy tun interface' failed (non-critical)");
2332
write_tun (struct tuntap* tt, uint8_t *buf, int len)
2334
if (tt->type == DEV_TYPE_TUN)
2340
iph = (struct ip *) buf;
2342
if (tt->ipv6 && iph->ip_v == 6)
2343
type = htonl (AF_INET6);
2345
type = htonl (AF_INET);
2347
iv[0].iov_base = (char *)&type;
2348
iv[0].iov_len = sizeof (type);
2349
iv[1].iov_base = buf;
2350
iv[1].iov_len = len;
2352
return freebsd_modify_read_write_return (writev (tt->fd, iv, 2));
2355
return write (tt->fd, buf, len);
2359
read_tun (struct tuntap* tt, uint8_t *buf, int len)
2361
if (tt->type == DEV_TYPE_TUN)
2366
iv[0].iov_base = (char *)&type;
2367
iv[0].iov_len = sizeof (type);
2368
iv[1].iov_base = buf;
2369
iv[1].iov_len = len;
2371
return freebsd_modify_read_write_return (readv (tt->fd, iv, 2));
2374
return read (tt->fd, buf, len);
2377
#elif defined(TARGET_DRAGONFLY)
2380
dragonfly_modify_read_write_return (int len)
2383
return len > sizeof (u_int32_t) ? len - sizeof (u_int32_t) : 0;
2389
open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
2391
open_tun_generic (dev, dev_type, dev_node, true, true, tt);
2397
/* Disable extended modes */
2398
ioctl (tt->fd, TUNSLMODE, &i);
2400
ioctl (tt->fd, TUNSIFHEAD, &i);
2405
close_tun (struct tuntap *tt)
2409
close_tun_generic (tt);
2415
write_tun (struct tuntap* tt, uint8_t *buf, int len)
2417
if (tt->type == DEV_TYPE_TUN)
2423
iph = (struct ip *) buf;
2425
if (tt->ipv6 && iph->ip_v == 6)
2426
type = htonl (AF_INET6);
2428
type = htonl (AF_INET);
2430
iv[0].iov_base = (char *)&type;
2431
iv[0].iov_len = sizeof (type);
2432
iv[1].iov_base = buf;
2433
iv[1].iov_len = len;
2435
return dragonfly_modify_read_write_return (writev (tt->fd, iv, 2));
2438
return write (tt->fd, buf, len);
2442
read_tun (struct tuntap* tt, uint8_t *buf, int len)
2444
if (tt->type == DEV_TYPE_TUN)
2449
iv[0].iov_base = (char *)&type;
2450
iv[0].iov_len = sizeof (type);
2451
iv[1].iov_base = buf;
2452
iv[1].iov_len = len;
2454
return dragonfly_modify_read_write_return (readv (tt->fd, iv, 2));
2457
return read (tt->fd, buf, len);
2460
#elif defined(TARGET_DARWIN)
2462
/* Darwin (MacOS X) is mostly "just use the generic stuff", but there
2463
* is always one caveat...:
2465
* If IPv6 is configured, and the tun device is closed, the IPv6 address
2466
* configured to the tun interface changes to a lingering /128 route
2467
* pointing to lo0. Need to unconfigure... (observed on 10.5)
2471
open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
2473
open_tun_generic (dev, dev_type, dev_node, true, true, tt);
2477
close_tun (struct tuntap* tt)
2481
struct gc_arena gc = gc_new ();
2485
if ( tt->ipv6 && tt->did_ifconfig_ipv6_setup )
2487
const char * ifconfig_ipv6_local =
2488
print_in6_addr (tt->local_ipv6, 0, &gc);
2490
argv_printf (&argv, "%s delete -inet6 %s",
2491
ROUTE_PATH, ifconfig_ipv6_local );
2492
argv_msg (M_INFO, &argv);
2493
openvpn_execve_check (&argv, NULL, 0, "MacOS X 'remove inet6 route' failed (non-critical)");
2496
close_tun_generic (tt);
2504
write_tun (struct tuntap* tt, uint8_t *buf, int len)
2506
return write (tt->fd, buf, len);
2510
read_tun (struct tuntap* tt, uint8_t *buf, int len)
2512
return read (tt->fd, buf, len);
2515
#elif defined(WIN32)
2518
tun_read_queue (struct tuntap *tt, int maxsize)
2520
if (tt->reads.iostate == IOSTATE_INITIAL)
2526
/* reset buf to its initial state */
2527
tt->reads.buf = tt->reads.buf_init;
2529
len = maxsize ? maxsize : BLEN (&tt->reads.buf);
2530
ASSERT (len <= BLEN (&tt->reads.buf));
2532
/* the overlapped read will signal this event on I/O completion */
2533
ASSERT (ResetEvent (tt->reads.overlapped.hEvent));
2537
BPTR (&tt->reads.buf),
2540
&tt->reads.overlapped
2543
if (status) /* operation completed immediately? */
2545
/* since we got an immediate return, we must signal the event object ourselves */
2546
ASSERT (SetEvent (tt->reads.overlapped.hEvent));
2548
tt->reads.iostate = IOSTATE_IMMEDIATE_RETURN;
2549
tt->reads.status = 0;
2551
dmsg (D_WIN32_IO, "WIN32 I/O: TAP Read immediate return [%d,%d]",
2553
(int) tt->reads.size);
2557
err = GetLastError ();
2558
if (err == ERROR_IO_PENDING) /* operation queued? */
2560
tt->reads.iostate = IOSTATE_QUEUED;
2561
tt->reads.status = err;
2562
dmsg (D_WIN32_IO, "WIN32 I/O: TAP Read queued [%d]",
2565
else /* error occurred */
2567
struct gc_arena gc = gc_new ();
2568
ASSERT (SetEvent (tt->reads.overlapped.hEvent));
2569
tt->reads.iostate = IOSTATE_IMMEDIATE_RETURN;
2570
tt->reads.status = err;
2571
dmsg (D_WIN32_IO, "WIN32 I/O: TAP Read error [%d] : %s",
2573
strerror_win32 (status, &gc));
2578
return tt->reads.iostate;
2582
tun_write_queue (struct tuntap *tt, struct buffer *buf)
2584
if (tt->writes.iostate == IOSTATE_INITIAL)
2589
/* make a private copy of buf */
2590
tt->writes.buf = tt->writes.buf_init;
2591
tt->writes.buf.len = 0;
2592
ASSERT (buf_copy (&tt->writes.buf, buf));
2594
/* the overlapped write will signal this event on I/O completion */
2595
ASSERT (ResetEvent (tt->writes.overlapped.hEvent));
2599
BPTR (&tt->writes.buf),
2600
BLEN (&tt->writes.buf),
2602
&tt->writes.overlapped
2605
if (status) /* operation completed immediately? */
2607
tt->writes.iostate = IOSTATE_IMMEDIATE_RETURN;
2609
/* since we got an immediate return, we must signal the event object ourselves */
2610
ASSERT (SetEvent (tt->writes.overlapped.hEvent));
2612
tt->writes.status = 0;
2614
dmsg (D_WIN32_IO, "WIN32 I/O: TAP Write immediate return [%d,%d]",
2615
BLEN (&tt->writes.buf),
2616
(int) tt->writes.size);
2620
err = GetLastError ();
2621
if (err == ERROR_IO_PENDING) /* operation queued? */
2623
tt->writes.iostate = IOSTATE_QUEUED;
2624
tt->writes.status = err;
2625
dmsg (D_WIN32_IO, "WIN32 I/O: TAP Write queued [%d]",
2626
BLEN (&tt->writes.buf));
2628
else /* error occurred */
2630
struct gc_arena gc = gc_new ();
2631
ASSERT (SetEvent (tt->writes.overlapped.hEvent));
2632
tt->writes.iostate = IOSTATE_IMMEDIATE_RETURN;
2633
tt->writes.status = err;
2634
dmsg (D_WIN32_IO, "WIN32 I/O: TAP Write error [%d] : %s",
2635
BLEN (&tt->writes.buf),
2636
strerror_win32 (err, &gc));
2641
return tt->writes.iostate;
2647
struct overlapped_io *io,
2653
switch (io->iostate)
2655
case IOSTATE_QUEUED:
2656
status = GetOverlappedResult(
2664
/* successful return for a queued operation */
2668
io->iostate = IOSTATE_INITIAL;
2669
ASSERT (ResetEvent (io->overlapped.hEvent));
2670
dmsg (D_WIN32_IO, "WIN32 I/O: TAP Completion success [%d]", ret);
2674
/* error during a queued operation */
2676
if (GetLastError() != ERROR_IO_INCOMPLETE)
2678
/* if no error (i.e. just not finished yet),
2679
then DON'T execute this code */
2680
io->iostate = IOSTATE_INITIAL;
2681
ASSERT (ResetEvent (io->overlapped.hEvent));
2682
msg (D_WIN32_IO | M_ERRNO, "WIN32 I/O: TAP Completion error");
2687
case IOSTATE_IMMEDIATE_RETURN:
2688
io->iostate = IOSTATE_INITIAL;
2689
ASSERT (ResetEvent (io->overlapped.hEvent));
2692
/* error return for a non-queued operation */
2693
SetLastError (io->status);
2695
msg (D_WIN32_IO | M_ERRNO, "WIN32 I/O: TAP Completion non-queued error");
2699
/* successful return for a non-queued operation */
2703
dmsg (D_WIN32_IO, "WIN32 I/O: TAP Completion non-queued success [%d]", ret);
2707
case IOSTATE_INITIAL: /* were we called without proper queueing? */
2708
SetLastError (ERROR_INVALID_FUNCTION);
2710
dmsg (D_WIN32_IO, "WIN32 I/O: TAP Completion BAD STATE");
2722
const struct tap_reg *
2723
get_tap_reg (struct gc_arena *gc)
2728
struct tap_reg *first = NULL;
2729
struct tap_reg *last = NULL;
2732
status = RegOpenKeyEx(
2739
if (status != ERROR_SUCCESS)
2740
msg (M_FATAL, "Error opening registry key: %s", ADAPTER_KEY);
2744
char enum_name[256];
2745
char unit_string[256];
2747
char component_id_string[] = "ComponentId";
2748
char component_id[256];
2749
char net_cfg_instance_id_string[] = "NetCfgInstanceId";
2750
char net_cfg_instance_id[256];
2753
len = sizeof (enum_name);
2754
status = RegEnumKeyEx(
2763
if (status == ERROR_NO_MORE_ITEMS)
2765
else if (status != ERROR_SUCCESS)
2766
msg (M_FATAL, "Error enumerating registry subkeys of key: %s",
2769
openvpn_snprintf (unit_string, sizeof(unit_string), "%s\\%s",
2770
ADAPTER_KEY, enum_name);
2772
status = RegOpenKeyEx(
2779
if (status != ERROR_SUCCESS)
2780
dmsg (D_REGISTRY, "Error opening registry key: %s", unit_string);
2783
len = sizeof (component_id);
2784
status = RegQueryValueEx(
2786
component_id_string,
2792
if (status != ERROR_SUCCESS || data_type != REG_SZ)
2793
dmsg (D_REGISTRY, "Error opening registry key: %s\\%s",
2794
unit_string, component_id_string);
2797
len = sizeof (net_cfg_instance_id);
2798
status = RegQueryValueEx(
2800
net_cfg_instance_id_string,
2803
net_cfg_instance_id,
2806
if (status == ERROR_SUCCESS && data_type == REG_SZ)
2808
if (!strcmp (component_id, TAP_WIN_COMPONENT_ID))
2810
struct tap_reg *reg;
2811
ALLOC_OBJ_CLEAR_GC (reg, struct tap_reg, gc);
2812
reg->guid = string_alloc (net_cfg_instance_id, gc);
2814
/* link into return list */
2823
RegCloseKey (unit_key);
2828
RegCloseKey (adapter_key);
2832
const struct panel_reg *
2833
get_panel_reg (struct gc_arena *gc)
2836
HKEY network_connections_key;
2838
struct panel_reg *first = NULL;
2839
struct panel_reg *last = NULL;
2842
status = RegOpenKeyEx(
2844
NETWORK_CONNECTIONS_KEY,
2847
&network_connections_key);
2849
if (status != ERROR_SUCCESS)
2850
msg (M_FATAL, "Error opening registry key: %s", NETWORK_CONNECTIONS_KEY);
2854
char enum_name[256];
2855
char connection_string[256];
2856
HKEY connection_key;
2857
char name_data[256];
2859
const char name_string[] = "Name";
2861
len = sizeof (enum_name);
2862
status = RegEnumKeyEx(
2863
network_connections_key,
2871
if (status == ERROR_NO_MORE_ITEMS)
2873
else if (status != ERROR_SUCCESS)
2874
msg (M_FATAL, "Error enumerating registry subkeys of key: %s",
2875
NETWORK_CONNECTIONS_KEY);
2877
openvpn_snprintf (connection_string, sizeof(connection_string),
2878
"%s\\%s\\Connection",
2879
NETWORK_CONNECTIONS_KEY, enum_name);
2881
status = RegOpenKeyEx(
2888
if (status != ERROR_SUCCESS)
2889
dmsg (D_REGISTRY, "Error opening registry key: %s", connection_string);
2892
len = sizeof (name_data);
2893
status = RegQueryValueEx(
2901
if (status != ERROR_SUCCESS || name_type != REG_SZ)
2902
dmsg (D_REGISTRY, "Error opening registry key: %s\\%s\\%s",
2903
NETWORK_CONNECTIONS_KEY, connection_string, name_string);
2906
struct panel_reg *reg;
2908
ALLOC_OBJ_CLEAR_GC (reg, struct panel_reg, gc);
2909
reg->name = string_alloc (name_data, gc);
2910
reg->guid = string_alloc (enum_name, gc);
2912
/* link into return list */
2919
RegCloseKey (connection_key);
2924
RegCloseKey (network_connections_key);
2930
* Check that two addresses are part of the same 255.255.255.252 subnet.
2933
verify_255_255_255_252 (in_addr_t local, in_addr_t remote)
2935
struct gc_arena gc = gc_new ();
2936
const unsigned int mask = 3;
2937
const char *err = NULL;
2939
if (local == remote)
2941
err = "must be different";
2944
if ((local & (~mask)) != (remote & (~mask)))
2946
err = "must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver";
2949
if ((local & mask) == 0
2950
|| (local & mask) == 3
2951
|| (remote & mask) == 0
2952
|| (remote & mask) == 3)
2954
err = "cannot use the first or last address within a given 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver";
2962
msg (M_FATAL, "There is a problem in your selection of --ifconfig endpoints [local=%s, remote=%s]. The local and remote VPN endpoints %s. Try '" PACKAGE " --show-valid-subnets' option for more info.",
2963
print_in_addr_t (local, 0, &gc),
2964
print_in_addr_t (remote, 0, &gc),
2969
void show_valid_win32_tun_subnets (void)
2974
printf ("On Windows, point-to-point IP support (i.e. --dev tun)\n");
2975
printf ("is emulated by the TAP-Windows driver. The major limitation\n");
2976
printf ("imposed by this approach is that the --ifconfig local and\n");
2977
printf ("remote endpoints must be part of the same 255.255.255.252\n");
2978
printf ("subnet. The following list shows examples of endpoint\n");
2979
printf ("pairs which satisfy this requirement. Only the final\n");
2980
printf ("component of the IP address pairs is at issue.\n\n");
2981
printf ("As an example, the following option would be correct:\n");
2982
printf (" --ifconfig 10.7.0.5 10.7.0.6 (on host A)\n");
2983
printf (" --ifconfig 10.7.0.6 10.7.0.5 (on host B)\n");
2984
printf ("because [5,6] is part of the below list.\n\n");
2986
for (i = 0; i < 256; i += 4)
2988
printf("[%3d,%3d] ", i+1, i+2);
3000
show_tap_win_adapters (int msglev, int warnlev)
3002
struct gc_arena gc = gc_new ();
3004
bool warn_panel_null = false;
3005
bool warn_panel_dup = false;
3006
bool warn_tap_dup = false;
3010
const struct tap_reg *tr;
3011
const struct tap_reg *tr1;
3012
const struct panel_reg *pr;
3014
const struct tap_reg *tap_reg = get_tap_reg (&gc);
3015
const struct panel_reg *panel_reg = get_panel_reg (&gc);
3017
msg (msglev, "Available TAP-WIN32 adapters [name, GUID]:");
3019
/* loop through each TAP-Windows adapter registry entry */
3020
for (tr = tap_reg; tr != NULL; tr = tr->next)
3024
/* loop through each network connections entry in the control panel */
3025
for (pr = panel_reg; pr != NULL; pr = pr->next)
3027
if (!strcmp (tr->guid, pr->guid))
3029
msg (msglev, "'%s' %s", pr->name, tr->guid);
3036
warn_panel_dup = true;
3038
else if (links == 0)
3040
/* a TAP adapter exists without a link from the network
3041
connections control panel */
3042
warn_panel_null = true;
3043
msg (msglev, "[NULL] %s", tr->guid);
3047
/* check for TAP-Windows adapter duplicated GUIDs */
3048
for (tr = tap_reg; tr != NULL; tr = tr->next)
3050
for (tr1 = tap_reg; tr1 != NULL; tr1 = tr1->next)
3052
if (tr != tr1 && !strcmp (tr->guid, tr1->guid))
3053
warn_tap_dup = true;
3057
/* warn on registry inconsistencies */
3059
msg (warnlev, "WARNING: Some TAP-Windows adapters have duplicate GUIDs");
3062
msg (warnlev, "WARNING: Some TAP-Windows adapters have duplicate links from the Network Connections control panel");
3064
if (warn_panel_null)
3065
msg (warnlev, "WARNING: Some TAP-Windows adapters have no link from the Network Connections control panel");
3071
* Confirm that GUID is a TAP-Windows adapter.
3074
is_tap_win (const char *guid, const struct tap_reg *tap_reg)
3076
const struct tap_reg *tr;
3078
for (tr = tap_reg; tr != NULL; tr = tr->next)
3080
if (guid && !strcmp (tr->guid, guid))
3088
guid_to_name (const char *guid, const struct panel_reg *panel_reg)
3090
const struct panel_reg *pr;
3092
for (pr = panel_reg; pr != NULL; pr = pr->next)
3094
if (guid && !strcmp (pr->guid, guid))
3102
name_to_guid (const char *name, const struct tap_reg *tap_reg, const struct panel_reg *panel_reg)
3104
const struct panel_reg *pr;
3106
for (pr = panel_reg; pr != NULL; pr = pr->next)
3108
if (name && !strcmp (pr->name, name) && is_tap_win (pr->guid, tap_reg))
3116
at_least_one_tap_win (const struct tap_reg *tap_reg)
3119
msg (M_FATAL, "There are no TAP-Windows adapters on this system. You should be able to create a TAP-Windows adapter by going to Start -> All Programs -> " PACKAGE_NAME " -> Add a new TAP-Windows virtual ethernet adapter.");
3123
* Get an adapter GUID and optional actual_name from the
3124
* registry for the TAP device # = device_number.
3127
get_unspecified_device_guid (const int device_number,
3129
int actual_name_size,
3130
const struct tap_reg *tap_reg_src,
3131
const struct panel_reg *panel_reg_src,
3132
struct gc_arena *gc)
3134
const struct tap_reg *tap_reg = tap_reg_src;
3135
struct buffer ret = clear_buf ();
3136
struct buffer actual = clear_buf ();
3139
ASSERT (device_number >= 0);
3141
/* Make sure we have at least one TAP adapter */
3145
/* The actual_name output buffer may be NULL */
3148
ASSERT (actual_name_size > 0);
3149
buf_set_write (&actual, actual_name, actual_name_size);
3152
/* Move on to specified device number */
3153
for (i = 0; i < device_number; i++)
3155
tap_reg = tap_reg->next;
3160
/* Save Network Panel name (if exists) in actual_name */
3163
const char *act = guid_to_name (tap_reg->guid, panel_reg_src);
3165
buf_printf (&actual, "%s", act);
3167
buf_printf (&actual, "%s", tap_reg->guid);
3170
/* Save GUID for return value */
3171
ret = alloc_buf_gc (256, gc);
3172
buf_printf (&ret, "%s", tap_reg->guid);
3177
* Lookup a --dev-node adapter name in the registry
3178
* returning the GUID and optional actual_name.
3181
get_device_guid (const char *name,
3183
int actual_name_size,
3184
const struct tap_reg *tap_reg,
3185
const struct panel_reg *panel_reg,
3186
struct gc_arena *gc)
3188
struct buffer ret = alloc_buf_gc (256, gc);
3189
struct buffer actual = clear_buf ();
3191
/* Make sure we have at least one TAP adapter */
3195
/* The actual_name output buffer may be NULL */
3198
ASSERT (actual_name_size > 0);
3199
buf_set_write (&actual, actual_name, actual_name_size);
3202
/* Check if GUID was explicitly specified as --dev-node parameter */
3203
if (is_tap_win (name, tap_reg))
3205
const char *act = guid_to_name (name, panel_reg);
3206
buf_printf (&ret, "%s", name);
3208
buf_printf (&actual, "%s", act);
3210
buf_printf (&actual, "%s", name);
3214
/* Lookup TAP adapter in network connections list */
3216
const char *guid = name_to_guid (name, tap_reg, panel_reg);
3219
buf_printf (&actual, "%s", name);
3220
buf_printf (&ret, "%s", guid);
3229
* Get adapter info list
3231
const IP_ADAPTER_INFO *
3232
get_adapter_info_list (struct gc_arena *gc)
3235
IP_ADAPTER_INFO *pi = NULL;
3238
if ((status = GetAdaptersInfo (NULL, &size)) != ERROR_BUFFER_OVERFLOW)
3240
msg (M_INFO, "GetAdaptersInfo #1 failed (status=%u) : %s",
3241
(unsigned int)status,
3242
strerror_win32 (status, gc));
3246
pi = (PIP_ADAPTER_INFO) gc_malloc (size, false, gc);
3247
if ((status = GetAdaptersInfo (pi, &size)) == NO_ERROR)
3251
msg (M_INFO, "GetAdaptersInfo #2 failed (status=%u) : %s",
3252
(unsigned int)status,
3253
strerror_win32 (status, gc));
3259
const IP_PER_ADAPTER_INFO *
3260
get_per_adapter_info (const DWORD index, struct gc_arena *gc)
3263
IP_PER_ADAPTER_INFO *pi = NULL;
3266
if (index != TUN_ADAPTER_INDEX_INVALID)
3268
if ((status = GetPerAdapterInfo (index, NULL, &size)) != ERROR_BUFFER_OVERFLOW)
3270
msg (M_INFO, "GetPerAdapterInfo #1 failed (status=%u) : %s",
3271
(unsigned int)status,
3272
strerror_win32 (status, gc));
3276
pi = (PIP_PER_ADAPTER_INFO) gc_malloc (size, false, gc);
3277
if ((status = GetPerAdapterInfo ((ULONG)index, pi, &size)) == ERROR_SUCCESS)
3281
msg (M_INFO, "GetPerAdapterInfo #2 failed (status=%u) : %s",
3282
(unsigned int)status,
3283
strerror_win32 (status, gc));
3290
static const IP_INTERFACE_INFO *
3291
get_interface_info_list (struct gc_arena *gc)
3294
IP_INTERFACE_INFO *ii = NULL;
3297
if ((status = GetInterfaceInfo (NULL, &size)) != ERROR_INSUFFICIENT_BUFFER)
3299
msg (M_INFO, "GetInterfaceInfo #1 failed (status=%u) : %s",
3300
(unsigned int)status,
3301
strerror_win32 (status, gc));
3305
ii = (PIP_INTERFACE_INFO) gc_malloc (size, false, gc);
3306
if ((status = GetInterfaceInfo (ii, &size)) == NO_ERROR)
3310
msg (M_INFO, "GetInterfaceInfo #2 failed (status=%u) : %s",
3311
(unsigned int)status,
3312
strerror_win32 (status, gc));
3318
static const IP_ADAPTER_INDEX_MAP *
3319
get_interface_info (DWORD index, struct gc_arena *gc)
3321
const IP_INTERFACE_INFO *list = get_interface_info_list (gc);
3325
for (i = 0; i < list->NumAdapters; ++i)
3327
const IP_ADAPTER_INDEX_MAP *inter = &list->Adapter[i];
3328
if (index == inter->Index)
3336
* Given an adapter index, return a pointer to the
3337
* IP_ADAPTER_INFO structure for that adapter.
3340
const IP_ADAPTER_INFO *
3341
get_adapter (const IP_ADAPTER_INFO *ai, DWORD index)
3343
if (ai && index != TUN_ADAPTER_INDEX_INVALID)
3345
const IP_ADAPTER_INFO *a;
3347
/* find index in the linked list */
3348
for (a = ai; a != NULL; a = a->Next)
3350
if (a->Index == index)
3357
const IP_ADAPTER_INFO *
3358
get_adapter_info (DWORD index, struct gc_arena *gc)
3360
return get_adapter (get_adapter_info_list (gc), index);
3364
get_adapter_n_ip_netmask (const IP_ADAPTER_INFO *ai)
3369
const IP_ADDR_STRING *ip = &ai->IpAddressList;
3383
get_adapter_ip_netmask (const IP_ADAPTER_INFO *ai, const int n, in_addr_t *ip, in_addr_t *netmask)
3391
const IP_ADDR_STRING *iplist = &ai->IpAddressList;
3399
iplist = iplist->Next;
3404
const unsigned int getaddr_flags = GETADDR_HOST_ORDER;
3405
const char *ip_str = iplist->IpAddress.String;
3406
const char *netmask_str = iplist->IpMask.String;
3407
bool succeed1 = false;
3408
bool succeed2 = false;
3410
if (ip_str && netmask_str && strlen (ip_str) && strlen (netmask_str))
3412
*ip = getaddr (getaddr_flags, ip_str, 0, &succeed1, NULL);
3413
*netmask = getaddr (getaddr_flags, netmask_str, 0, &succeed2, NULL);
3414
ret = (succeed1 == true && succeed2 == true);
3423
test_adapter_ip_netmask (const IP_ADAPTER_INFO *ai, const in_addr_t ip, const in_addr_t netmask)
3427
in_addr_t ip_adapter = 0;
3428
in_addr_t netmask_adapter = 0;
3429
const bool status = get_adapter_ip_netmask (ai, 0, &ip_adapter, &netmask_adapter);
3430
return (status && ip_adapter == ip && netmask_adapter == netmask);
3436
const IP_ADAPTER_INFO *
3437
get_tun_adapter (const struct tuntap *tt, const IP_ADAPTER_INFO *list)
3440
return get_adapter (list, tt->adapter_index);
3446
is_adapter_up (const struct tuntap *tt, const IP_ADAPTER_INFO *list)
3451
const IP_ADAPTER_INFO *ai = get_tun_adapter (tt, list);
3455
const int n = get_adapter_n_ip_netmask (ai);
3457
/* loop once for every IP/netmask assigned to adapter */
3458
for (i = 0; i < n; ++i)
3460
in_addr_t ip, netmask;
3461
if (get_adapter_ip_netmask (ai, i, &ip, &netmask))
3463
if (tt->local && tt->adapter_netmask)
3465
/* wait for our --ifconfig parms to match the actual adapter parms */
3466
if (tt->local == ip && tt->adapter_netmask == netmask)
3471
/* --ifconfig was not defined, maybe using a real DHCP server */
3479
ret = true; /* this can occur when TAP adapter is bridged */
3485
is_ip_in_adapter_subnet (const IP_ADAPTER_INFO *ai, const in_addr_t ip, in_addr_t *highest_netmask)
3490
if (highest_netmask)
3491
*highest_netmask = 0;
3495
const int n = get_adapter_n_ip_netmask (ai);
3496
for (i = 0; i < n; ++i)
3498
in_addr_t adapter_ip, adapter_netmask;
3499
if (get_adapter_ip_netmask (ai, i, &adapter_ip, &adapter_netmask))
3501
if (adapter_ip && adapter_netmask && (ip & adapter_netmask) == (adapter_ip & adapter_netmask))
3503
if (highest_netmask && adapter_netmask > *highest_netmask)
3504
*highest_netmask = adapter_netmask;
3514
adapter_index_of_ip (const IP_ADAPTER_INFO *list,
3519
struct gc_arena gc = gc_new ();
3520
DWORD ret = TUN_ADAPTER_INDEX_INVALID;
3521
in_addr_t highest_netmask = 0;
3531
if (is_ip_in_adapter_subnet (list, ip, &hn))
3533
if (first || hn > highest_netmask)
3535
highest_netmask = hn;
3541
else if (hn == highest_netmask)
3550
dmsg (D_ROUTE_DEBUG, "DEBUG: IP Locate: ip=%s nm=%s index=%d count=%d",
3551
print_in_addr_t (ip, 0, &gc),
3552
print_in_addr_t (highest_netmask, 0, &gc),
3554
count ? *count : -1);
3556
if (ret == TUN_ADAPTER_INDEX_INVALID && count)
3560
*netmask = highest_netmask;
3567
* Given an adapter index, return true if the adapter
3571
#define DHCP_STATUS_UNDEF 0
3572
#define DHCP_STATUS_ENABLED 1
3573
#define DHCP_STATUS_DISABLED 2
3576
dhcp_status (DWORD index)
3578
struct gc_arena gc = gc_new ();
3579
int ret = DHCP_STATUS_UNDEF;
3580
if (index != TUN_ADAPTER_INDEX_INVALID)
3582
const IP_ADAPTER_INFO *ai = get_adapter_info (index, &gc);
3586
if (ai->DhcpEnabled)
3587
ret = DHCP_STATUS_ENABLED;
3589
ret = DHCP_STATUS_DISABLED;
3597
* Delete all temporary address/netmask pairs which were added
3598
* to adapter (given by index) by previous calls to AddIPAddress.
3601
delete_temp_addresses (DWORD index)
3603
struct gc_arena gc = gc_new ();
3604
const IP_ADAPTER_INFO *a = get_adapter_info (index, &gc);
3608
const IP_ADDR_STRING *ip = &a->IpAddressList;
3612
const DWORD context = ip->Context;
3614
if ((status = DeleteIPAddress ((ULONG) context)) == NO_ERROR)
3616
msg (M_INFO, "Successfully deleted previously set dynamic IP/netmask: %s/%s",
3617
ip->IpAddress.String,
3622
const char *empty = "0.0.0.0";
3623
if (strcmp (ip->IpAddress.String, empty)
3624
|| strcmp (ip->IpMask.String, empty))
3625
msg (M_INFO, "NOTE: could not delete previously set dynamic IP/netmask: %s/%s (status=%u)",
3626
ip->IpAddress.String,
3628
(unsigned int)status);
3637
* Get interface index for use with IP Helper API functions.
3640
get_adapter_index_method_1 (const char *guid)
3645
_snwprintf (wbuf, SIZE (wbuf), L"\\DEVICE\\TCPIP_%S", guid);
3646
wbuf [SIZE(wbuf) - 1] = 0;
3647
if (GetAdapterIndex (wbuf, &aindex) != NO_ERROR)
3648
index = TUN_ADAPTER_INDEX_INVALID;
3650
index = (DWORD)aindex;
3655
get_adapter_index_method_2 (const char *guid)
3657
struct gc_arena gc = gc_new ();
3658
DWORD index = TUN_ADAPTER_INDEX_INVALID;
3660
const IP_ADAPTER_INFO *list = get_adapter_info_list (&gc);
3664
if (!strcmp (guid, list->AdapterName))
3666
index = list->Index;
3677
get_adapter_index (const char *guid)
3680
index = get_adapter_index_method_1 (guid);
3681
if (index == TUN_ADAPTER_INDEX_INVALID)
3682
index = get_adapter_index_method_2 (guid);
3683
if (index == TUN_ADAPTER_INDEX_INVALID)
3684
msg (M_INFO, "NOTE: could not get adapter index for %s", guid);
3689
get_adapter_index_flexible (const char *name) /* actual name or GUID */
3691
struct gc_arena gc = gc_new ();
3693
index = get_adapter_index_method_1 (name);
3694
if (index == TUN_ADAPTER_INDEX_INVALID)
3695
index = get_adapter_index_method_2 (name);
3696
if (index == TUN_ADAPTER_INDEX_INVALID)
3698
const struct tap_reg *tap_reg = get_tap_reg (&gc);
3699
const struct panel_reg *panel_reg = get_panel_reg (&gc);
3700
const char *guid = name_to_guid (name, tap_reg, panel_reg);
3701
index = get_adapter_index_method_1 (guid);
3702
if (index == TUN_ADAPTER_INDEX_INVALID)
3703
index = get_adapter_index_method_2 (guid);
3705
if (index == TUN_ADAPTER_INDEX_INVALID)
3706
msg (M_INFO, "NOTE: could not get adapter index for name/GUID '%s'", name);
3712
* Return a string representing a PIP_ADDR_STRING
3715
format_ip_addr_string (const IP_ADDR_STRING *ip, struct gc_arena *gc)
3717
struct buffer out = alloc_buf_gc (256, gc);
3720
buf_printf (&out, "%s", ip->IpAddress.String);
3721
if (strlen (ip->IpMask.String))
3723
buf_printf (&out, "/");
3724
buf_printf (&out, "%s", ip->IpMask.String);
3726
buf_printf (&out, " ");
3733
* Show info for a single adapter
3736
show_adapter (int msglev, const IP_ADAPTER_INFO *a, struct gc_arena *gc)
3738
msg (msglev, "%s", a->Description);
3739
msg (msglev, " Index = %d", (int)a->Index);
3740
msg (msglev, " GUID = %s", a->AdapterName);
3741
msg (msglev, " IP = %s", format_ip_addr_string (&a->IpAddressList, gc));
3742
msg (msglev, " MAC = %s", format_hex_ex (a->Address, a->AddressLength, 0, 1, ":", gc));
3743
msg (msglev, " GATEWAY = %s", format_ip_addr_string (&a->GatewayList, gc));
3746
msg (msglev, " DHCP SERV = %s", format_ip_addr_string (&a->DhcpServer, gc));
3747
msg (msglev, " DHCP LEASE OBTAINED = %s", time_string (a->LeaseObtained, 0, false, gc));
3748
msg (msglev, " DHCP LEASE EXPIRES = %s", time_string (a->LeaseExpires, 0, false, gc));
3752
msg (msglev, " PRI WINS = %s", format_ip_addr_string (&a->PrimaryWinsServer, gc));
3753
msg (msglev, " SEC WINS = %s", format_ip_addr_string (&a->SecondaryWinsServer, gc));
3757
const IP_PER_ADAPTER_INFO *pai = get_per_adapter_info (a->Index, gc);
3760
msg (msglev, " DNS SERV = %s", format_ip_addr_string (&pai->DnsServerList, gc));
3766
* Show current adapter list
3769
show_adapters (int msglev)
3771
struct gc_arena gc = gc_new ();
3772
const IP_ADAPTER_INFO *ai = get_adapter_info_list (&gc);
3774
msg (msglev, "SYSTEM ADAPTER LIST");
3777
const IP_ADAPTER_INFO *a;
3779
/* find index in the linked list */
3780
for (a = ai; a != NULL; a = a->Next)
3782
show_adapter (msglev, a, &gc);
3789
* Set a particular TAP-Windows adapter (or all of them if
3790
* adapter_name == NULL) to allow it to be opened from
3791
* a non-admin account. This setting will only persist
3792
* for the lifetime of the device object.
3796
tap_allow_nonadmin_access_handle (const char *device_path, HANDLE hand)
3798
struct security_attributes sa;
3801
if (!init_security_attributes_allow_all (&sa))
3802
msg (M_ERR, "Error: init SA failed");
3804
status = SetKernelObjectSecurity (hand, DACL_SECURITY_INFORMATION, &sa.sd);
3807
msg (M_ERRNO, "Error: SetKernelObjectSecurity failed on %s", device_path);
3811
msg (M_INFO|M_NOPREFIX, "TAP-Windows device: %s [Non-admin access allowed]", device_path);
3816
tap_allow_nonadmin_access (const char *dev_node)
3818
struct gc_arena gc = gc_new ();
3819
const struct tap_reg *tap_reg = get_tap_reg (&gc);
3820
const struct panel_reg *panel_reg = get_panel_reg (&gc);
3821
const char *device_guid = NULL;
3823
char actual_buffer[256];
3824
char device_path[256];
3826
at_least_one_tap_win (tap_reg);
3830
/* Get the device GUID for the device specified with --dev-node. */
3831
device_guid = get_device_guid (dev_node, actual_buffer, sizeof (actual_buffer), tap_reg, panel_reg, &gc);
3834
msg (M_FATAL, "TAP-Windows adapter '%s' not found", dev_node);
3836
/* Open Windows TAP-Windows adapter */
3837
openvpn_snprintf (device_path, sizeof(device_path), "%s%s%s",
3845
0, /* was: FILE_SHARE_READ */
3848
FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED,
3852
if (hand == INVALID_HANDLE_VALUE)
3853
msg (M_ERR, "CreateFile failed on TAP device: %s", device_path);
3855
tap_allow_nonadmin_access_handle (device_path, hand);
3860
int device_number = 0;
3862
/* Try opening all TAP devices */
3865
device_guid = get_unspecified_device_guid (device_number,
3867
sizeof (actual_buffer),
3875
/* Open Windows TAP-Windows adapter */
3876
openvpn_snprintf (device_path, sizeof(device_path), "%s%s%s",
3884
0, /* was: FILE_SHARE_READ */
3887
FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED,
3891
if (hand == INVALID_HANDLE_VALUE)
3892
msg (M_WARN, "CreateFile failed on TAP device: %s", device_path);
3895
tap_allow_nonadmin_access_handle (device_path, hand);
3906
* DHCP release/renewal
3909
dhcp_release_by_adapter_index(const DWORD adapter_index)
3911
struct gc_arena gc = gc_new ();
3913
const IP_ADAPTER_INDEX_MAP *inter = get_interface_info (adapter_index, &gc);
3917
DWORD status = IpReleaseAddress ((IP_ADAPTER_INDEX_MAP *)inter);
3918
if (status == NO_ERROR)
3920
msg (D_TUNTAP_INFO, "TAP: DHCP address released");
3924
msg (M_WARN, "NOTE: Release of DHCP-assigned IP address lease on TAP-Windows adapter failed: %s (code=%u)",
3925
strerror_win32 (status, &gc),
3926
(unsigned int)status);
3934
dhcp_release (const struct tuntap *tt)
3936
if (tt && tt->options.ip_win32_type == IPW32_SET_DHCP_MASQ && tt->adapter_index != TUN_ADAPTER_INDEX_INVALID)
3937
return dhcp_release_by_adapter_index (tt->adapter_index);
3943
dhcp_renew_by_adapter_index (const DWORD adapter_index)
3945
struct gc_arena gc = gc_new ();
3947
const IP_ADAPTER_INDEX_MAP *inter = get_interface_info (adapter_index, &gc);
3951
DWORD status = IpRenewAddress ((IP_ADAPTER_INDEX_MAP *)inter);
3952
if (status == NO_ERROR)
3954
msg (D_TUNTAP_INFO, "TAP: DHCP address renewal succeeded");
3958
msg (M_WARN, "WARNING: Failed to renew DHCP IP address lease on TAP-Windows adapter: %s (code=%u)",
3959
strerror_win32 (status, &gc),
3960
(unsigned int)status);
3967
dhcp_renew (const struct tuntap *tt)
3969
if (tt && tt->options.ip_win32_type == IPW32_SET_DHCP_MASQ && tt->adapter_index != TUN_ADAPTER_INDEX_INVALID)
3970
return dhcp_renew_by_adapter_index (tt->adapter_index);
3980
netsh_command (const struct argv *a, int n)
3983
for (i = 0; i < n; ++i)
3987
netcmd_semaphore_lock ();
3988
argv_msg_prefix (M_INFO, a, "NETSH");
3989
status = openvpn_execve_check (a, NULL, 0, "ERROR: netsh command failed");
3990
netcmd_semaphore_release ();
3995
msg (M_FATAL, "NETSH: command failed");
3999
ipconfig_register_dns (const struct env_set *es)
4003
const char err[] = "ERROR: Windows ipconfig command failed";
4005
msg (D_TUNTAP_INFO, "Start net commands...");
4006
netcmd_semaphore_lock ();
4010
argv_printf (&argv, "%s%sc stop dnscache",
4012
WIN_NET_PATH_SUFFIX);
4013
argv_msg (D_TUNTAP_INFO, &argv);
4014
status = openvpn_execve_check (&argv, es, 0, err);
4017
argv_printf (&argv, "%s%sc start dnscache",
4019
WIN_NET_PATH_SUFFIX);
4020
argv_msg (D_TUNTAP_INFO, &argv);
4021
status = openvpn_execve_check (&argv, es, 0, err);
4024
argv_printf (&argv, "%s%sc /flushdns",
4026
WIN_IPCONFIG_PATH_SUFFIX);
4027
argv_msg (D_TUNTAP_INFO, &argv);
4028
status = openvpn_execve_check (&argv, es, 0, err);
4031
argv_printf (&argv, "%s%sc /registerdns",
4033
WIN_IPCONFIG_PATH_SUFFIX);
4034
argv_msg (D_TUNTAP_INFO, &argv);
4035
status = openvpn_execve_check (&argv, es, 0, err);
4038
netcmd_semaphore_release ();
4039
msg (D_TUNTAP_INFO, "End net commands...");
4043
ip_addr_string_to_array (in_addr_t *dest, int *dest_len, const IP_ADDR_STRING *src)
4048
const unsigned int getaddr_flags = GETADDR_HOST_ORDER;
4049
const char *ip_str = src->IpAddress.String;
4051
bool succeed = false;
4055
if (!ip_str || !strlen (ip_str))
4058
ip = getaddr (getaddr_flags, ip_str, 0, &succeed, NULL);
4069
struct gc_arena gc = gc_new ();
4070
msg (M_INFO, "ip_addr_string_to_array [%d]", *dest_len);
4071
for (i = 0; i < *dest_len; ++i)
4073
msg (M_INFO, "%s", print_in_addr_t (dest[i], 0, &gc));
4081
ip_addr_one_to_one (const in_addr_t *a1, const int a1len, const IP_ADDR_STRING *ias)
4084
int a2len = SIZE(a2);
4087
ip_addr_string_to_array (a2, &a2len, ias);
4088
/*msg (M_INFO, "a1len=%d a2len=%d", a1len, a2len);*/
4092
for (i = 0; i < a1len; ++i)
4101
ip_addr_member_of (const in_addr_t addr, const IP_ADDR_STRING *ias)
4107
ip_addr_string_to_array (aa, &len, ias);
4108
for (i = 0; i < len; ++i)
4117
netsh_ifconfig_options (const char *type,
4118
const in_addr_t *addr_list,
4120
const IP_ADDR_STRING *current,
4121
const char *flex_name,
4122
const bool test_first)
4124
struct gc_arena gc = gc_new ();
4125
struct argv argv = argv_new ();
4126
bool delete_first = false;
4128
/* first check if we should delete existing DNS/WINS settings from TAP interface */
4131
if (!ip_addr_one_to_one (addr_list, addr_len, current))
4132
delete_first = true;
4135
delete_first = true;
4137
/* delete existing DNS/WINS settings from TAP interface */
4140
argv_printf (&argv, "%s%sc interface ip delete %s %s all",
4145
netsh_command (&argv, 2);
4148
/* add new DNS/WINS settings to TAP interface */
4152
for (i = 0; i < addr_len; ++i)
4154
if (delete_first || !test_first || !ip_addr_member_of (addr_list[i], current))
4156
const char *fmt = count ?
4157
"%s%sc interface ip add %s %s %s"
4158
: "%s%sc interface ip set %s %s static %s";
4160
argv_printf (&argv, fmt,
4165
print_in_addr_t (addr_list[i], 0, &gc));
4166
netsh_command (&argv, 2);
4172
msg (M_INFO, "NETSH: \"%s\" %s %s [already set]",
4175
print_in_addr_t (addr_list[i], 0, &gc));
4185
init_ip_addr_string2 (IP_ADDR_STRING *dest, const IP_ADDR_STRING *src1, const IP_ADDR_STRING *src2)
4192
dest[0].Next = NULL;
4197
dest[0].Next = &dest[1];
4198
dest[1].Next = NULL;
4203
netsh_ifconfig (const struct tuntap_options *to,
4204
const char *flex_name,
4206
const in_addr_t netmask,
4207
const unsigned int flags)
4209
struct gc_arena gc = gc_new ();
4210
struct argv argv = argv_new ();
4211
const IP_ADAPTER_INFO *ai = NULL;
4212
const IP_PER_ADAPTER_INFO *pai = NULL;
4214
if (flags & NI_TEST_FIRST)
4216
const IP_ADAPTER_INFO *list = get_adapter_info_list (&gc);
4217
const int index = get_adapter_index_flexible (flex_name);
4218
ai = get_adapter (list, index);
4219
pai = get_per_adapter_info (index, &gc);
4222
if (flags & NI_IP_NETMASK)
4224
if (test_adapter_ip_netmask (ai, ip, netmask))
4226
msg (M_INFO, "NETSH: \"%s\" %s/%s [already set]",
4228
print_in_addr_t (ip, 0, &gc),
4229
print_in_addr_t (netmask, 0, &gc));
4233
/* example: netsh interface ip set address my-tap static 10.3.0.1 255.255.255.0 */
4234
argv_printf (&argv, "%s%sc interface ip set address %s static %s %s",
4238
print_in_addr_t (ip, 0, &gc),
4239
print_in_addr_t (netmask, 0, &gc));
4241
netsh_command (&argv, 4);
4245
/* set WINS/DNS options */
4246
if (flags & NI_OPTIONS)
4248
IP_ADDR_STRING wins[2];
4252
netsh_ifconfig_options ("dns",
4255
pai ? &pai->DnsServerList : NULL,
4257
BOOL_CAST (flags & NI_TEST_FIRST));
4258
if (ai && ai->HaveWins)
4259
init_ip_addr_string2 (wins, &ai->PrimaryWinsServer, &ai->SecondaryWinsServer);
4261
netsh_ifconfig_options ("wins",
4266
BOOL_CAST (flags & NI_TEST_FIRST));
4274
netsh_enable_dhcp (const struct tuntap_options *to,
4275
const char *actual_name)
4280
/* example: netsh interface ip set address my-tap dhcp */
4282
"%s%sc interface ip set address %s dhcp",
4287
netsh_command (&argv, 4);
4293
* Return a TAP name for netsh commands.
4296
netsh_get_id (const char *dev_node, struct gc_arena *gc)
4298
const struct tap_reg *tap_reg = get_tap_reg (gc);
4299
const struct panel_reg *panel_reg = get_panel_reg (gc);
4300
struct buffer actual = alloc_buf_gc (256, gc);
4303
at_least_one_tap_win (tap_reg);
4307
guid = get_device_guid (dev_node, BPTR (&actual), BCAP (&actual), tap_reg, panel_reg, gc);
4311
guid = get_unspecified_device_guid (0, BPTR (&actual), BCAP (&actual), tap_reg, panel_reg, gc);
4313
if (get_unspecified_device_guid (1, NULL, 0, tap_reg, panel_reg, gc)) /* ambiguous if more than one TAP-Windows adapter */
4318
return "NULL"; /* not found */
4319
else if (strcmp (BPTR (&actual), "NULL"))
4320
return BPTR (&actual); /* control panel name */
4322
return guid; /* no control panel name, return GUID instead */
4326
* Called iteratively on TAP-Windows wait-for-initialization polling loop
4329
tun_standby_init (struct tuntap *tt)
4331
tt->standby_iter = 0;
4335
tun_standby (struct tuntap *tt)
4339
if (tt->options.ip_win32_type == IPW32_SET_ADAPTIVE)
4341
if (tt->standby_iter == IPW32_SET_ADAPTIVE_TRY_NETSH)
4343
msg (M_INFO, "NOTE: now trying netsh (this may take some time)");
4344
netsh_ifconfig (&tt->options,
4347
tt->adapter_netmask,
4348
NI_TEST_FIRST|NI_IP_NETMASK|NI_OPTIONS);
4350
else if (tt->standby_iter >= IPW32_SET_ADAPTIVE_TRY_NETSH*2)
4359
* Convert DHCP options from the command line / config file
4360
* into a raw DHCP-format options string.
4364
write_dhcp_u8 (struct buffer *buf, const int type, const int data, bool *error)
4366
if (!buf_safe (buf, 3))
4369
msg (M_WARN, "write_dhcp_u8: buffer overflow building DHCP options");
4372
buf_write_u8 (buf, type);
4373
buf_write_u8 (buf, 1);
4374
buf_write_u8 (buf, data);
4378
write_dhcp_u32_array (struct buffer *buf, const int type, const uint32_t *data, const unsigned int len, bool *error)
4383
const int size = len * sizeof (uint32_t);
4385
if (!buf_safe (buf, 2 + size))
4388
msg (M_WARN, "write_dhcp_u32_array: buffer overflow building DHCP options");
4391
if (size < 1 || size > 255)
4394
msg (M_WARN, "write_dhcp_u32_array: size (%d) must be > 0 and <= 255", size);
4397
buf_write_u8 (buf, type);
4398
buf_write_u8 (buf, size);
4399
for (i = 0; i < len; ++i)
4400
buf_write_u32 (buf, data[i]);
4405
write_dhcp_str (struct buffer *buf, const int type, const char *str, bool *error)
4407
const int len = strlen (str);
4408
if (!buf_safe (buf, 2 + len))
4411
msg (M_WARN, "write_dhcp_str: buffer overflow building DHCP options");
4414
if (len < 1 || len > 255)
4417
msg (M_WARN, "write_dhcp_str: string '%s' must be > 0 bytes and <= 255 bytes", str);
4420
buf_write_u8 (buf, type);
4421
buf_write_u8 (buf, len);
4422
buf_write (buf, str, len);
4426
build_dhcp_options_string (struct buffer *buf, const struct tuntap_options *o)
4430
write_dhcp_str (buf, 15, o->domain, &error);
4432
if (o->netbios_scope)
4433
write_dhcp_str (buf, 47, o->netbios_scope, &error);
4435
if (o->netbios_node_type)
4436
write_dhcp_u8 (buf, 46, o->netbios_node_type, &error);
4438
write_dhcp_u32_array (buf, 6, (uint32_t*)o->dns, o->dns_len, &error);
4439
write_dhcp_u32_array (buf, 44, (uint32_t*)o->wins, o->wins_len, &error);
4440
write_dhcp_u32_array (buf, 42, (uint32_t*)o->ntp, o->ntp_len, &error);
4441
write_dhcp_u32_array (buf, 45, (uint32_t*)o->nbdd, o->nbdd_len, &error);
4443
/* the MS DHCP server option 'Disable Netbios-over-TCP/IP
4444
is implemented as vendor option 001, value 002.
4445
A value of 001 means 'leave NBT alone' which is the default */
4448
if (!buf_safe (buf, 8))
4450
msg (M_WARN, "build_dhcp_options_string: buffer overflow building DHCP options");
4453
buf_write_u8 (buf, 43);
4454
buf_write_u8 (buf, 6); /* total length field */
4455
buf_write_u8 (buf, 0x001);
4456
buf_write_u8 (buf, 4); /* length of the vendor specified field */
4457
buf_write_u32 (buf, 0x002);
4463
fork_dhcp_action (struct tuntap *tt)
4465
if (tt->options.dhcp_pre_release || tt->options.dhcp_renew)
4467
struct gc_arena gc = gc_new ();
4468
struct buffer cmd = alloc_buf_gc (256, &gc);
4470
const int pre_sleep = 1;
4472
buf_printf (&cmd, "openvpn --verb %d --tap-sleep %d", verb, pre_sleep);
4473
if (tt->options.dhcp_pre_release)
4474
buf_printf (&cmd, " --dhcp-pre-release");
4475
if (tt->options.dhcp_renew)
4476
buf_printf (&cmd, " --dhcp-renew");
4477
buf_printf (&cmd, " --dhcp-internal %u", (unsigned int)tt->adapter_index);
4479
fork_to_self (BSTR (&cmd));
4485
fork_register_dns_action (struct tuntap *tt)
4487
if (tt && tt->options.register_dns)
4489
struct gc_arena gc = gc_new ();
4490
struct buffer cmd = alloc_buf_gc (256, &gc);
4493
buf_printf (&cmd, "openvpn --verb %d --register-dns --rdns-internal", verb);
4494
fork_to_self (BSTR (&cmd));
4500
dhcp_masq_addr (const in_addr_t local, const in_addr_t netmask, const int offset)
4502
struct gc_arena gc = gc_new ();
4503
in_addr_t dsa; /* DHCP server addr */
4506
dsa = (local | (~netmask)) + offset;
4508
dsa = (local & netmask) + offset;
4511
msg (M_FATAL, "ERROR: There is a clash between the --ifconfig local address and the internal DHCP server address -- both are set to %s -- please use the --ip-win32 dynamic option to choose a different free address from the --ifconfig subnet for the internal DHCP server", print_in_addr_t (dsa, 0, &gc));
4513
if ((local & netmask) != (dsa & netmask))
4514
msg (M_FATAL, "ERROR: --ip-win32 dynamic [offset] : offset is outside of --ifconfig subnet");
4521
open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
4523
struct gc_arena gc = gc_new ();
4524
char device_path[256];
4525
const char *device_guid = NULL;
4527
bool dhcp_masq = false;
4528
bool dhcp_masq_post = false;
4530
/*netcmd_semaphore_lock ();*/
4532
msg( M_INFO, "open_tun, tt->ipv6=%d", tt->ipv6 );
4534
if (tt->type == DEV_TYPE_NULL)
4540
else if (tt->type == DEV_TYPE_TAP || tt->type == DEV_TYPE_TUN)
4546
msg (M_FATAL|M_NOPREFIX, "Unknown virtual device type: '%s'", dev);
4550
* Lookup the device name in the registry, using the --dev-node high level name.
4553
const struct tap_reg *tap_reg = get_tap_reg (&gc);
4554
const struct panel_reg *panel_reg = get_panel_reg (&gc);
4555
char actual_buffer[256];
4557
at_least_one_tap_win (tap_reg);
4561
/* Get the device GUID for the device specified with --dev-node. */
4562
device_guid = get_device_guid (dev_node, actual_buffer, sizeof (actual_buffer), tap_reg, panel_reg, &gc);
4565
msg (M_FATAL, "TAP-Windows adapter '%s' not found", dev_node);
4567
/* Open Windows TAP-Windows adapter */
4568
openvpn_snprintf (device_path, sizeof(device_path), "%s%s%s",
4573
tt->hand = CreateFile (
4575
GENERIC_READ | GENERIC_WRITE,
4576
0, /* was: FILE_SHARE_READ */
4579
FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED,
4583
if (tt->hand == INVALID_HANDLE_VALUE)
4584
msg (M_ERR, "CreateFile failed on TAP device: %s", device_path);
4588
int device_number = 0;
4590
/* Try opening all TAP devices until we find one available */
4593
device_guid = get_unspecified_device_guid (device_number,
4595
sizeof (actual_buffer),
4601
msg (M_FATAL, "All TAP-Windows adapters on this system are currently in use.");
4603
/* Open Windows TAP-Windows adapter */
4604
openvpn_snprintf (device_path, sizeof(device_path), "%s%s%s",
4609
tt->hand = CreateFile (
4611
GENERIC_READ | GENERIC_WRITE,
4612
0, /* was: FILE_SHARE_READ */
4615
FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED,
4619
if (tt->hand == INVALID_HANDLE_VALUE)
4620
msg (D_TUNTAP_INFO, "CreateFile failed on TAP device: %s", device_path);
4628
/* translate high-level device name into a device instance
4629
GUID using the registry */
4630
tt->actual_name = string_alloc (actual_buffer, NULL);
4633
msg (M_INFO, "TAP-WIN32 device [%s] opened: %s", tt->actual_name, device_path);
4634
tt->adapter_index = get_adapter_index (device_guid);
4636
/* get driver version info */
4640
if (DeviceIoControl (tt->hand, TAP_WIN_IOCTL_GET_VERSION,
4641
&info, sizeof (info),
4642
&info, sizeof (info), &len, NULL))
4644
msg (D_TUNTAP_INFO, "TAP-Windows Driver Version %d.%d %s",
4647
(info[2] ? "(DEBUG)" : ""));
4650
if (!(info[0] == TAP_WIN_MIN_MAJOR && info[1] >= TAP_WIN_MIN_MINOR))
4651
msg (M_FATAL, "ERROR: This version of " PACKAGE_NAME " requires a TAP-Windows driver that is at least version %d.%d -- If you recently upgraded your " PACKAGE_NAME " distribution, a reboot is probably required at this point to get Windows to see the new driver.",
4655
/* usage of numeric constants is ugly, but this is really tied to
4656
* *this* version of the driver
4658
if ( tt->ipv6 && tt->type == DEV_TYPE_TUN &&
4659
info[0] == 9 && info[1] < 8)
4661
msg( M_INFO, "WARNING: Tap-Win32 driver version %d.%d does not support IPv6 in TUN mode. IPv6 will be disabled. Upgrade to Tap-Win32 9.8 (2.2-beta3 release or later) or use TAP mode to get IPv6", (int) info[0], (int) info[1] );
4665
/* tap driver 9.8 (2.2.0 and 2.2.1 release) is buggy
4667
if ( tt->type == DEV_TYPE_TUN &&
4668
info[0] == 9 && info[1] == 8)
4670
msg( M_FATAL, "ERROR: Tap-Win32 driver version %d.%d is buggy regarding small IPv4 packets in TUN mode. Upgrade to Tap-Win32 9.9 (2.2.2 release or later) or use TAP mode", (int) info[0], (int) info[1] );
4674
/* get driver MTU */
4677
if (DeviceIoControl (tt->hand, TAP_WIN_IOCTL_GET_MTU,
4679
&mtu, sizeof (mtu), &len, NULL))
4681
tt->post_open_mtu = (int) mtu;
4682
msg (D_MTU_INFO, "TAP-Windows MTU=%d", (int) mtu);
4687
* Preliminaries for setting TAP-Windows adapter TCP/IP
4688
* properties via --ip-win32 dynamic or --ip-win32 adaptive.
4690
if (tt->did_ifconfig_setup)
4692
if (tt->options.ip_win32_type == IPW32_SET_DHCP_MASQ)
4695
* If adapter is set to non-DHCP, set to DHCP mode.
4697
if (dhcp_status (tt->adapter_index) == DHCP_STATUS_DISABLED)
4698
netsh_enable_dhcp (&tt->options, tt->actual_name);
4700
dhcp_masq_post = true;
4702
else if (tt->options.ip_win32_type == IPW32_SET_ADAPTIVE)
4705
* If adapter is set to non-DHCP, use netsh right away.
4707
if (dhcp_status (tt->adapter_index) != DHCP_STATUS_ENABLED)
4709
netsh_ifconfig (&tt->options,
4712
tt->adapter_netmask,
4713
NI_TEST_FIRST|NI_IP_NETMASK|NI_OPTIONS);
4722
/* set point-to-point mode if TUN device */
4724
if (tt->type == DEV_TYPE_TUN)
4726
if (!tt->did_ifconfig_setup)
4728
msg (M_FATAL, "ERROR: --dev tun also requires --ifconfig");
4731
if (tt->topology == TOP_SUBNET)
4736
ep[0] = htonl (tt->local);
4737
ep[1] = htonl (tt->local & tt->remote_netmask);
4738
ep[2] = htonl (tt->remote_netmask);
4740
status = DeviceIoControl (tt->hand, TAP_WIN_IOCTL_CONFIG_TUN,
4742
ep, sizeof (ep), &len, NULL);
4744
msg (status ? M_INFO : M_FATAL, "Set TAP-Windows TUN subnet mode network/local/netmask = %s/%s/%s [%s]",
4745
print_in_addr_t (ep[1], IA_NET_ORDER, &gc),
4746
print_in_addr_t (ep[0], IA_NET_ORDER, &gc),
4747
print_in_addr_t (ep[2], IA_NET_ORDER, &gc),
4748
status ? "SUCCEEDED" : "FAILED");
4753
ep[0] = htonl (tt->local);
4754
ep[1] = htonl (tt->remote_netmask);
4756
if (!DeviceIoControl (tt->hand, TAP_WIN_IOCTL_CONFIG_POINT_TO_POINT,
4758
ep, sizeof (ep), &len, NULL))
4759
msg (M_FATAL, "ERROR: The TAP-Windows driver rejected a DeviceIoControl call to set Point-to-Point mode, which is required for --dev tun");
4763
/* should we tell the TAP-Windows driver to masquerade as a DHCP server as a means
4764
of setting the adapter address? */
4769
/* We will answer DHCP requests with a reply to set IP/subnet to these values */
4770
ep[0] = htonl (tt->local);
4771
ep[1] = htonl (tt->adapter_netmask);
4773
/* At what IP address should the DHCP server masquerade at? */
4774
if (tt->type == DEV_TYPE_TUN)
4776
if (tt->topology == TOP_SUBNET)
4778
if (tt->options.dhcp_masq_custom_offset)
4779
ep[2] = dhcp_masq_addr (tt->local, tt->remote_netmask, tt->options.dhcp_masq_offset);
4781
ep[2] = dhcp_masq_addr (tt->local, tt->remote_netmask, -1);
4784
ep[2] = htonl (tt->remote_netmask);
4788
ASSERT (tt->type == DEV_TYPE_TAP);
4789
ep[2] = dhcp_masq_addr (tt->local, tt->adapter_netmask, tt->options.dhcp_masq_custom_offset ? tt->options.dhcp_masq_offset : 0);
4792
/* lease time in seconds */
4793
ep[3] = (uint32_t) tt->options.dhcp_lease_time;
4797
#ifndef SIMULATE_DHCP_FAILED /* this code is disabled to simulate bad DHCP negotiation */
4798
if (!DeviceIoControl (tt->hand, TAP_WIN_IOCTL_CONFIG_DHCP_MASQ,
4800
ep, sizeof (ep), &len, NULL))
4801
msg (M_FATAL, "ERROR: The TAP-Windows driver rejected a DeviceIoControl call to set TAP_WIN_IOCTL_CONFIG_DHCP_MASQ mode");
4803
msg (M_INFO, "Notified TAP-Windows driver to set a DHCP IP/netmask of %s/%s on interface %s [DHCP-serv: %s, lease-time: %d]",
4804
print_in_addr_t (tt->local, 0, &gc),
4805
print_in_addr_t (tt->adapter_netmask, 0, &gc),
4807
print_in_addr_t (ep[2], IA_NET_ORDER, &gc),
4811
/* user-supplied DHCP options capability */
4812
if (tt->options.dhcp_options)
4814
struct buffer buf = alloc_buf (256);
4815
if (build_dhcp_options_string (&buf, &tt->options))
4817
msg (D_DHCP_OPT, "DHCP option string: %s", format_hex (BPTR (&buf), BLEN (&buf), 0, &gc));
4818
if (!DeviceIoControl (tt->hand, TAP_WIN_IOCTL_CONFIG_DHCP_SET_OPT,
4819
BPTR (&buf), BLEN (&buf),
4820
BPTR (&buf), BLEN (&buf), &len, NULL))
4821
msg (M_FATAL, "ERROR: The TAP-Windows driver rejected a TAP_WIN_IOCTL_CONFIG_DHCP_SET_OPT DeviceIoControl call");
4824
msg (M_WARN, "DHCP option string not set due to error");
4830
/* set driver media status to 'connected' */
4832
ULONG status = TRUE;
4833
if (!DeviceIoControl (tt->hand, TAP_WIN_IOCTL_SET_MEDIA_STATUS,
4834
&status, sizeof (status),
4835
&status, sizeof (status), &len, NULL))
4836
msg (M_WARN, "WARNING: The TAP-Windows driver rejected a TAP_WIN_IOCTL_SET_MEDIA_STATUS DeviceIoControl call.");
4839
/* possible wait for adapter to come up */
4841
int s = tt->options.tap_sleep;
4844
msg (M_INFO, "Sleeping for %d seconds...", s);
4849
/* possibly use IP Helper API to set IP address on adapter */
4851
const DWORD index = tt->adapter_index;
4853
/* flush arp cache */
4854
if (index != TUN_ADAPTER_INDEX_INVALID)
4858
if ((status = FlushIpNetTable (index)) == NO_ERROR)
4859
msg (M_INFO, "Successful ARP Flush on interface [%u] %s",
4860
(unsigned int)index,
4863
msg (D_TUNTAP_INFO, "NOTE: FlushIpNetTable failed on interface [%u] %s (status=%u) : %s",
4864
(unsigned int)index,
4866
(unsigned int)status,
4867
strerror_win32 (status, &gc));
4871
* If the TAP-Windows driver is masquerading as a DHCP server
4872
* make sure the TCP/IP properties for the adapter are
4877
/* check dhcp enable status */
4878
if (dhcp_status (index) == DHCP_STATUS_DISABLED)
4879
msg (M_WARN, "WARNING: You have selected '--ip-win32 dynamic', which will not work unless the TAP-Windows TCP/IP properties are set to 'Obtain an IP address automatically'");
4881
/* force an explicit DHCP lease renewal on TAP adapter? */
4882
if (tt->options.dhcp_pre_release)
4884
if (tt->options.dhcp_renew)
4888
fork_dhcp_action (tt);
4890
if (tt->did_ifconfig_setup && tt->options.ip_win32_type == IPW32_SET_IPAPI)
4893
const char *error_suffix = "I am having trouble using the Windows 'IP helper API' to automatically set the IP address -- consider using other --ip-win32 methods (not 'ipapi')";
4895
/* couldn't get adapter index */
4896
if (index == TUN_ADAPTER_INDEX_INVALID)
4898
msg (M_FATAL, "ERROR: unable to get adapter index for interface %s -- %s",
4903
/* check dhcp enable status */
4904
if (dhcp_status (index) == DHCP_STATUS_DISABLED)
4905
msg (M_WARN, "NOTE: You have selected (explicitly or by default) '--ip-win32 ipapi', which has a better chance of working correctly if the TAP-Windows TCP/IP properties are set to 'Obtain an IP address automatically'");
4907
/* delete previously added IP addresses which were not
4908
correctly deleted */
4909
delete_temp_addresses (index);
4911
/* add a new IP address */
4912
if ((status = AddIPAddress (htonl(tt->local),
4913
htonl(tt->adapter_netmask),
4916
&tt->ipapi_instance)) == NO_ERROR)
4917
msg (M_INFO, "Succeeded in adding a temporary IP/netmask of %s/%s to interface %s using the Win32 IP Helper API",
4918
print_in_addr_t (tt->local, 0, &gc),
4919
print_in_addr_t (tt->adapter_netmask, 0, &gc),
4923
msg (M_FATAL, "ERROR: AddIPAddress %s/%s failed on interface %s, index=%d, status=%u (windows error: '%s') -- %s",
4924
print_in_addr_t (tt->local, 0, &gc),
4925
print_in_addr_t (tt->adapter_netmask, 0, &gc),
4928
(unsigned int)status,
4929
strerror_win32 (status, &gc),
4931
tt->ipapi_context_defined = true;
4934
/*netcmd_semaphore_release ();*/
4939
tap_win_getinfo (const struct tuntap *tt, struct gc_arena *gc)
4941
if (tt && tt->hand != NULL)
4943
struct buffer out = alloc_buf_gc (256, gc);
4945
if (DeviceIoControl (tt->hand, TAP_WIN_IOCTL_GET_INFO,
4946
BSTR (&out), BCAP (&out),
4947
BSTR (&out), BCAP (&out),
4957
tun_show_debug (struct tuntap *tt)
4959
if (tt && tt->hand != NULL)
4961
struct buffer out = alloc_buf (1024);
4963
while (DeviceIoControl (tt->hand, TAP_WIN_IOCTL_GET_LOG_LINE,
4964
BSTR (&out), BCAP (&out),
4965
BSTR (&out), BCAP (&out),
4968
msg (D_TAP_WIN_DEBUG, "TAP-Windows: %s", BSTR (&out));
4975
close_tun (struct tuntap *tt)
4977
struct gc_arena gc = gc_new ();
4981
if ( tt->ipv6 && tt->did_ifconfig_ipv6_setup )
4983
const char *ifconfig_ipv6_local;
4987
/* remove route pointing to interface */
4988
delete_route_connected_v6_net(tt, NULL);
4990
/* netsh interface ipv6 delete address \"%s\" %s */
4991
ifconfig_ipv6_local = print_in6_addr (tt->local_ipv6, 0, &gc);
4993
"%s%sc interface ipv6 delete address %s %s",
4997
ifconfig_ipv6_local );
4999
netsh_command (&argv, 1);
5003
if (tt->ipapi_context_defined)
5006
if ((status = DeleteIPAddress (tt->ipapi_context)) != NO_ERROR)
5008
msg (M_WARN, "Warning: DeleteIPAddress[%u] failed on TAP-Windows adapter, status=%u : %s",
5009
(unsigned int)tt->ipapi_context,
5010
(unsigned int)status,
5011
strerror_win32 (status, &gc));
5016
if (tt->options.dhcp_release)
5019
if (tt->hand != NULL)
5021
dmsg (D_WIN32_IO_LOW, "Attempting CancelIO on TAP-Windows adapter");
5022
if (!CancelIo (tt->hand))
5023
msg (M_WARN | M_ERRNO, "Warning: CancelIO failed on TAP-Windows adapter");
5026
dmsg (D_WIN32_IO_LOW, "Attempting close of overlapped read event on TAP-Windows adapter");
5027
overlapped_io_close (&tt->reads);
5029
dmsg (D_WIN32_IO_LOW, "Attempting close of overlapped write event on TAP-Windows adapter");
5030
overlapped_io_close (&tt->writes);
5032
if (tt->hand != NULL)
5034
dmsg (D_WIN32_IO_LOW, "Attempting CloseHandle on TAP-Windows adapter");
5035
if (!CloseHandle (tt->hand))
5036
msg (M_WARN | M_ERRNO, "Warning: CloseHandle failed on TAP-Windows adapter");
5039
if (tt->actual_name)
5040
free (tt->actual_name);
5049
* Convert --ip-win32 constants between index and ascii form.
5052
struct ipset_names {
5053
const char *short_form;
5056
/* Indexed by IPW32_SET_x */
5057
static const struct ipset_names ipset_names[] = {
5066
ascii2ipset (const char* name)
5069
ASSERT (IPW32_SET_N == SIZE (ipset_names));
5070
for (i = 0; i < IPW32_SET_N; ++i)
5071
if (!strcmp (name, ipset_names[i].short_form))
5077
ipset2ascii (int index)
5079
ASSERT (IPW32_SET_N == SIZE (ipset_names));
5080
if (index < 0 || index >= IPW32_SET_N)
5081
return "[unknown --ip-win32 type]";
5083
return ipset_names[index].short_form;
5087
ipset2ascii_all (struct gc_arena *gc)
5089
struct buffer out = alloc_buf_gc (256, gc);
5092
ASSERT (IPW32_SET_N == SIZE (ipset_names));
5093
for (i = 0; i < IPW32_SET_N; ++i)
5096
buf_printf(&out, " ");
5097
buf_printf(&out, "[%s]", ipset2ascii(i));
5105
open_tun (const char *dev, const char *dev_type, const char *dev_node, struct tuntap *tt)
5107
open_tun_generic (dev, dev_type, dev_node, false, true, tt);
5111
close_tun (struct tuntap* tt)
5115
close_tun_generic (tt);
5121
write_tun (struct tuntap* tt, uint8_t *buf, int len)
5123
return write (tt->fd, buf, len);
5127
read_tun (struct tuntap* tt, uint8_t *buf, int len)
5129
return read (tt->fd, buf, len);