Tim De Baets [Wed, 12 Jan 2022 17:20:09 +0000 (18:20 +0100)]
Issue OC_CMD_DETACH instead of OC_CMD_CANCEL on Ctrl+Break
If the user terminates OpenConnect with Ctrl+C, the session will be
logged off (OC_CMD_CANCEL), and with Ctrl+Break the session will NOT
be logged off (OC_CMD_DETACH). Either way, the vpnc-script
will still be invoked with reason=disconnect.
Signed-off-by: Tim De Baets <10608063-tdebaets@users.noreply.gitlab.com>
Tim De Baets [Tue, 11 Jan 2022 17:40:28 +0000 (18:40 +0100)]
Install a custom signal handler on Windows using SetConsoleCtrlHandler()
This fixes the longstanding bug
https://gitlab.com/openconnect/openconnect/-/issues/362, wherein the
vpnc-script never gets called to do any routing cleanup on Windows.
Also added checking for the number of characters returned by ReadConsole() so
that we still exit when receiving a control signal while waiting for user
input.
Signed-off-by: Tim De Baets <10608063-tdebaets@users.noreply.gitlab.com>
Daniel Lenski [Mon, 3 Jan 2022 16:23:18 +0000 (11:23 -0500)]
dumb_socketpair(): fallback from AF_UNIX to AF_INET if AF_UNIX fails
1) If bind() fails with an AF_UNIX socket, we should retry with
AF_INET socket
Because we have to used named paths for AF_UNIX sockets on Windows, a
likely point of failure is that the temporary directory in
nonexistent/non-writable, or even that we somehow have a collision in the
filename.
2) If any of the other AF_UNIX operations (listen, socket, connect, accept)
fail, we might as well also retry with AF_INET.
We don't know of any expected points-of-failure, but all indications are
that AF_UNIX support in Windows is incomplete, undocumented, and
potentially buggy.
Daniel Lenski [Sat, 1 Jan 2022 03:22:54 +0000 (22:22 -0500)]
dumb_socketpair(): generate named socket path more carefully
Windows forces us to use named-path Unix sockets. Generating a path in the
temporary directory, combining current high-res time and PID, seems like a
less-bad option.
On GitHub, a commenter
[suggested](https://github.com/microsoft/WSL/issues/4240#issuecomment-1010545442)
that it would be better to use
[GetTempFileName](https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-gettempfilenamea)
here. However, that function:
- Only adds 16 bits of time-based random bits,
- Will currently fail if there aren't 14 characters available for the filename,
- Might conceivably generate paths longer than UNIX_PATH_MAX, and
- Offers no other apparent offsetting advantages
Daniel Lenski [Fri, 31 Dec 2021 17:25:43 +0000 (12:25 -0500)]
dumb_socketpair(): try to use AF_UNIX socketpair on Windows 10 and newer
As a workaround for the lack of socketpair() on Windows, we use
dumb_socketpair() from https://github.com/ncm/selectable-socketpair/blob/master/socketpair.c,
which uses a pair of IPv4 local sockets (listening on 127.0.0.1).
Unfortunately, and maddeningly, it's possible for the local IPv4 routes
(127.0.0.0/8) to be deleted on Windows; this will prevent dumb_socketpair()
from working in its current form.
See https://gitlab.com/openconnect/openconnect/-/issues/228 and
https://gitlab.com/openconnect/openconnect/-/issues/361 for examples of how
to trigger this condition. The simplest way to do it is with `route /f`.
Fortunately, Windows 10+ supports AF_UNIX sockets, which we should be able
to use to sidestep this issue.
This feature was announced in December 2017 in
https://devblogs.microsoft.com/commandline/af_unix-comes-to-windows.
It is evidently incomplete, and also buggy:
1) "Abstract" sockets don't actually seem to work, and this is probably why
the socketpair() function still isn't implemented, even though AF_UNIX
support would naturally enable it:
https://github.com/microsoft/WSL/issues/4240#issuecomment-506437851
2) Actual MSDN documentation for this feature is seemingly nonexistent.
3) MinGW lacks the expected <afunix.h> header, but other FLOSS projects show
how to embed the needed `struct sockaddr_un` definition:
- https://github.com/MisterDA/ocaml/commit/5855ce5ffd931a2802d5b9a5b2987ab0b276fd0a
- https://github.com/curl/curl/blob/curl-7_74_0/lib/config-win32.h#L725-L734
Nevertheless, it works well enough that we can use it in OpenConnect. The
modified version of dumb_socketpair() in this patch tries to create an AF_UNIX
socketpair, and only uses IPv4 local sockets as a fallback. With this modified
version, I confirm that I can do the following on Windows 10:
1) Nuke routes with `route /f`.
2) Reconnect network adapter via GUI.
3) Confirm that IPv4 local route (127.0.0.0/8) still hasn't been recreated.
4) Run OpenConnect and successfully create the cmd pipe.
So this appears to fix https://gitlab.com/openconnect/openconnect/-/issues/228 and
https://gitlab.com/openconnect/openconnect/-/issues/361, at least on Windows 10
and newer.
Dimitri Papadopoulos [Tue, 23 Nov 2021 09:56:32 +0000 (10:56 +0100)]
Windows: fix instability with Wintun as tunnel device driver
In https://gitlab.com/openconnect/openconnect/-/issues/338, multiple users
reported that connections using Wintun as the tunnel device driver become
non-functional after 20-30 minutes of operation, without
any message from OpenConnect at all.
We analyzed this issue as follows:
1. There was an off-by-one error in the check of outgoing packet size
against the tunnel device's MTU (`tun_len < pkt->len`). Outgoing packets
of exactly the MTU size would be considered errors and silently discarded
by OpenConnect.
2. However, OpenConnect failed to instruct the driver to release these
discarded packets. They would accumulate in the Wintun driver buffer and
probably cause an out-of-memory condition, eventually freezing the
driver.
We fixed the issued as follows:
1. Fix the off-by-one error, changing to `tun_len <= pkt->len`.
2. Always release outgoing packets, even if discarded.
3. Print extended debugging messages when receiving/sending packets. Such
messages would have helped us diagnose the error much sooner.
Developers and users have confirmed that, with these changes, Wintun
connections run stably for at least 60 minutes. (See
https://gitlab.com/openconnect/openconnect/-/merge_requests/306#note_745393731).
Also, in
https://gitlab.com/openconnect/openconnect/-/merge_requests/300?commit_id=b5ff6f3fb1b8d06cf56426b13c7af96e25cd922b,
we reverted to TAP-Windows as the default driver on Windows due to the
aforementioned stability issues. Although Wintun connections now appear to
be stable, we are not quite ready yet to un/re-revert, and make Wintun the
default driver again.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com> Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Dimitri Papadopoulos [Tue, 23 Nov 2021 16:08:37 +0000 (17:08 +0100)]
Follow Wintun example to the letter (versions 0.10.2 or 0.13)
* Call WintunFreeAdapter() after WintunDeleteAdapter()
* Optional argument of WintunFreeAdapter() argument can be NULL
* Call WintunGetRunningDriverVersion() before WintunStartSession()
This does not actually fix anything. However, by following the Wintun
example to the letter, we make sure there are no other hidden isues.
Daniel Lenski [Wed, 15 Dec 2021 01:06:50 +0000 (17:06 -0800)]
When running on Windows, the default OS value should be 'win'
This makes the behavior on Windows consistent with other platforms.
Also attempt to detect iOS, and set the default OS value to 'apple-ios'
there. As far as we know, no one has built LibOpenConnect on iOS (see
https://gitlab.com/openconnect/openconnect/-/issues/163), but this should
help future-proof it.
Daniel Lenski [Wed, 15 Dec 2021 00:54:34 +0000 (16:54 -0800)]
openconnect_set_reported_os should reject illegal values
The OS values ('vpninfo->platname') that OpenConnect accepts are
historically derived from the Cisco AnyConnect protocol:
linux, linux-64, win, mac-intel, android, apple-ios.
In the Cisco AnyConnect protocol, the platname was sometimes sent verbatim
on the wire (see auth.c), and could perhaps be thought of as a potentially
free-form string.
However:
(a) The platname value is now used in other protocols, requiring lookups to
convert to the correct forms for those protocols (e.g., see
auth-globalprotect.c).
(b) Even in the Cisco AnyConnect protocol, the platname value has
has to be handled with switch/if statements which can only correctly
handle the limited set of known values.
Since only a limited set of values are actually *understood* by OpenConnect,
allowing arbitrary values to be provided—but silently ignored or
mishandled—leads to confusing errors, such as in
https://lists.infradead.org/pipermail/openconnect-devel/2021-December/005079.html.
In that case, a user specified '--os=windows' (incorrect) instead of
'--os=win' (correct). This likely led to incorrect server behavior, but
OpenConnect silently accepted the incorrect value.
This patch modifies openconnect_set_reported_os to return -EINVAL if
any OS name other than one of the 6 legal values is specified.
Future improvements:
1. Replace the numerous repetitions of the literal OS values with something
saner, like an enum type.
2. Consider retiring the Cisco-specific values altogether as part of the
"Great Renaming"
(https://gitlab.com/openconnect/openconnect/-/merge_requests/151).
Dimitri Papadopoulos [Wed, 8 Dec 2021 08:21:06 +0000 (09:21 +0100)]
Load wintun.dll from the application directory only
Do not attempt to load it from the System32 directory.
Different versions of `wintun.dll` or `wintun.sys` float around in system
directories. In my case, a `C:\Windows\System32\wintun.sys` had been left
behind for some reason, and was being loaded at startup, taking precedence
over the `wintun.dll` bundled with OpenConnect. Unfortunately, different
versions are not compatible, at least not entirely, while OpenConnect is
being tested with the bundled `wintun.dll` only.
To avoid this DLL hell, we shall load exclusively the bundled version of
`wintun.dll` from the application directory, and disregard any `wintun.dll`
or `wintun.sys` installed in system directories by other software.
Dimitri Papadopoulos [Wed, 1 Dec 2021 16:43:55 +0000 (17:43 +0100)]
Fix Windows installer so that it uninstalls cleanly
The "Online Documentation.url" web-link was added in
https://gitlab.com/openconnect/openconnect/-/commit/44c8038707c06897588aa75ef02a38793387b86e.
It needs to be deleted upon uninstallation.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com> Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Dimitri Papadopoulos [Sat, 28 Aug 2021 06:08:08 +0000 (09:08 +0300)]
AC_PROG_LIBTOOL → LT_INIT
Run autopudate on configure.ac.
According to the Libtool manual, AC_PROG_LIBTOOL and AM_PROG_LIBTOOL are
deprecated names for older versions of LT_INIT:
https://www.gnu.org/software/libtool/manual/html_node/LT_005fINIT.html
Dimitri Papadopoulos [Sun, 8 Aug 2021 09:45:06 +0000 (11:45 +0200)]
AC_LANG_C → AC_LANG([C])
Run autopudate on configure.ac.
According to the Autoconf 2.69 manual, AC_LANG_C is obsolete:
https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Obsolete-Macros.html
Dimitri Papadopoulos [Sun, 8 Aug 2021 08:03:51 +0000 (10:03 +0200)]
AC_CONFIG_MACRO_DIRS
According to the Automake manual, we should declare the 'm4' directory
explicitly:
https://www.gnu.org/software/automake/manual/html_node/Local-Macros.html
André Draszik [Tue, 23 Nov 2021 12:16:43 +0000 (12:16 +0000)]
csd-wrapper: make it work again if binaries are compressed
CSD binaries can be uncompressed or .gz compressed, and the
csd-wrapper.sh script here tries to support both cases,
but actually doesn't work in the compressed case.
It just ends up specifying incorrect URLs and destination
file names, making this miserably fail:
+ curl -s -k https://xx.xxx.xxx.xx/CACHE/sdesktop/hostscan/linux_x64/cscan -o /home/xxx/.cisco/hostscan/bin/cscan.tmp
+ [[ ! -f /home/xxx/.cisco/hostscan/bin/cscan.tmp ]]
+ [[ ! -s /home/xxx/.cisco/hostscan/bin/cscan.tmp ]]
+ [[ ! -s /home/xxx/.cisco/hostscan/bin/cscan.tmp ]]
+ rm /home/xxx/.cisco/hostscan/bin/cscan.tmp
+ echo 'Failure on cscan, trying gz'
Failure on cscan, trying gz
+ FILE_GZ=/home/xxx/.cisco/hostscan/bin/cscan.tmp.gz
+ curl -s -k --pinnedpubkey sha256//vI158z4H4BLBZKv927uWmvsJbFZzGEilTkI36lKv5BM= https://xx.xxx.xxx.xx/CACHE/sdesktop/hostscan/linux_x64//home/xxx/.cisco/hostscan/bin/cscan.tmp.gz -o /home/xxx/.cisco/hostscan/bin/cscan.tmp.gz
+ gunzip --verbose --decompress /home/xxx/.cisco/hostscan/bin/cscan.tmp.gz
gzip: /home/xxx/.cisco/hostscan/bin/cscan.tmp.gz: unexpected end of file
As can be seen the 2nd curl call has my local path appended to the
URL, which of course can not work ($TMPFILE contains the full local
path).
Fixes: 9da32db08ba4 ("Clean up csd-wrapper.sh") Signed-off-by: André Draszik <git@andred.net>
Daniel Lenski [Sat, 20 Nov 2021 21:12:34 +0000 (13:12 -0800)]
Refuse to handle forms without ->auth_id (but do it in the right place, and noisily)
In 0b47ea1882346fdedfcd8a315f51aeb39e13459e ("Refuse to handle forms without
->auth_id"), the process_auth_form_cb for the OpenConnect CLI was modified
to silently reject forms with auth_id unset.
Issues with this:
1. If a form doesn't have its auth_id set, it'll fail *silently*, which
makes it confusingly difficult to identify the root cause. (See #351.)
2. As that commit message says, GUIs/front-ends need the auth_id to be set,
but it didn't do anything to enforce it other than for the CLI.
The solution is to reject forms with auth_id unset in process_auth_form()
itself, rather than expecting the front-ends’ callback functions to check
this, and to do so with an error message explaining that this is a bug in
OpenConnect.
Daniel Lenski [Fri, 19 Nov 2021 19:26:59 +0000 (11:26 -0800)]
Bugfix F5 'plain' login form
Fixes #351.
It turns out that the "plain auth form" for F5 has been broken since 0b47ea1882346fdedfcd8a315f51aeb39e13459e. (This form is used as a stand-in
when the server fails to provide a real HTML login form, and only gives a
JavaScript mess that dynamically creates a form.)
DW probably didn't notice this when making that commit, because a07bbbcd711c6fc4ef20fd9719e0e5da40f141f9 had previously fixed the other
places where a form with no `auth_id` could be created.
This ensures that the "plain auth form" has its `auth_id` set, and adds test
coverage of this form to `f5-auth-and-config`.
Daniel Lenski [Mon, 15 Nov 2021 05:27:12 +0000 (21:27 -0800)]
The option '--force-dpd' should be followed even if the server specifies a lesser DPD interval
The `openconnect_set_dpd()` API function, and the command-line option
`--force-dpd=SEC`, specify an exact DPD (Dead Peer Detection) interval for
the client, which is intended to override the server-specified value.
However, several protocols
would simply *ignore* the specified interval, and accept the
server's interval, if the server's interval was *less* than the one
specified via API or command-line.
- AnyConnect/ocserv has behaved this way since the `--force-dpd` option was
first added in 2012 (see 54784befa190a670a7c33661e505415eaaab8dd1)
- ESP support, added for oNCP/Pulse, copied this behavior
- Fortinet copied this behavior
- Array copied this behavior
This behavior can cause problems for protocols where DPD, or reconnection in
general, is broken, and where a user wishes to specify a long interval (e.g.
`--force-dpd=99999`) to effectively disable DPD. Specifically, Fortinet is
affected by this; see
https://gitlab.com/openconnect/openconnect/-/issues/334#note_732774445.
The straightforward solution here is just to make the `--force-dpd` option
do what it says, and set the client's DPD interval unconditionally.
Daniel Lenski [Wed, 13 Oct 2021 01:25:40 +0000 (18:25 -0700)]
Juniper/NC ESP rekey fix
This should fix https://gitlab.com/openconnect/openconnect/-/issues/322.
This was an immensely tricky issue to identify and solve. Many thanks to
@john508 for his patient logging, testing, and bisecting.
This came down to a subtle combination of 2 problems, described further in
https://gitlab.com/openconnect/openconnect/-/issues/322#note_702122197.
First, a bug:
The code for Juniper/Pulse 'dontsend' added in
https://gitlab.com/openconnect/openconnect/-/commit/b4f50f8bd5da7e6ac926ddd5095501edbc204cd0
caused IPv6 packets to get sent over the Juniper oNCP/TLS channel in a
completely mangled form, thereby confusing the server and making it not
respond to subsequent ESP rekey packets sent over the oNCP/TLS channel.
The fix is to use this code path *only* for the Pulse protocol, not for the
Juniper protocol. Juniper cannot do ESP-over-IPv6 at all, and cannot send
tunneled IPv6 packets at all (neither via ESP-over-IPv4, nor via oNCP/TLS).
Second, we introduced a subtle regression against a Juniper server behavior
which we weren't previously aware of:
Juniper servers apparently don't always resend the IP address in a
configuration packet, if that configuration packet is for
rekey/reconnection only.
To address this, we need to add a special case for Juniper to the
install_vpn_opts() function, which was added in
https://gitlab.com/openconnect/openconnect/-/commit/3d845bc9bf62b3e816e0d2fd72970ef33964a191.
Daniel Lenski [Sat, 13 Nov 2021 18:35:36 +0000 (10:35 -0800)]
Fix/update comments in fake-*-server.py scripts
Also adds a stub to make sure that 'fake-juniper-server.py' rejects attempts
to start speaking the Junos/Pulse protocol, rather than the Juniper/oNCP
protocol.
Daniel Lenski [Fri, 12 Nov 2021 01:16:01 +0000 (17:16 -0800)]
Re-add TAP-Windows driver to installer, and update docs to reference its inclusion
This mostly reverts commit 8c1d2de09829d0930d1a7642b0729cd6cbf5ab67 ("Remove
TAP-Windows driver from installer, and update docs to reference Wintun's
default inclusion").
It appears that Wintun is not fully stable yet for OpenConnect VPN connections.
See #338 for two reports of instability (with #324 as a possible third), including
one where switching to TAP-Windows clearly resolved the issue.
Per https://gitlab.com/openconnect/openconnect/-/issues/338#note_731175712,
we should revert to installing and using TAP-Windows by default until we can figure out why.
OpenConnect will continue to use Wintun if TAP-Windows is unavailable, but will
issue a loud warning to the log.
Daniel Lenski [Thu, 21 Oct 2021 00:48:12 +0000 (17:48 -0700)]
Add support for Fortinet's HTML-type multi-factor authentication
Fortinet is known to support *two* different types of MFA/2FA challenges
(see details in
https://gitlab.com/openconnect/openconnect/-/issues/332#note_709413011):
1. HTTP 200 response to initial login with plain-text body
(`ret=...,reqid=...,polid=...,...tokeninfo=,chal_msg=...`) containing
prompt and fields to be parroted back.
2. HTTP 401 response to initial login with HTML body containing a "normal"
HTML form to be filled out and sent back.
Daniel Lenski [Mon, 18 Oct 2021 03:03:23 +0000 (20:03 -0700)]
Enable Fortinet DPD even if server doesn't say that reconnect-after-drop is allowed
Even if we can't automatically reconnect, disabling DPD doesn't seem like a
good idea. This will just recapitulate the poor behavior of official
Fortinet clients, which don't provide useful signals about dropped
connection.
Instead, let's just tell users explicitly that reconnect probably won't work
in the logging messages.
Daniel Lenski [Fri, 24 Sep 2021 22:50:53 +0000 (22:50 +0000)]
Annotate vpnc-script-win.js with a header documenting its exact source revision
By annotating the vpnc-script-win.js included in the Windows installers
with information about the exact source revision, we will ease reporting
and reduce confusion about problems resulting from interactions between
OpenConnect and vpnc-script.
Example of the header added to vpnc-script-win.js:
// This script matches the version found at https://gitlab.com/openconnect/vpnc-scripts/-/blob/b749c2cadc2f32e2efffa69302861f9a7d4a4e5f/vpnc-script-win.js
// Updated on 2021-09-24 by Daniel Lenski <dlenski@gmail.com> ("Ensure that vpnc-script-win.js works even if INTERNAL_IP4_{NETADDR,NETMASK} are unset")
//
The logging statement has the call of the form
logging.(format_string % (format_args...))
For such calls, it is recommended to leave string interpolation to the
logging method itself and be written as
logging.(format_string, format_args...)
so that the program may avoid incurring the cost of the interpolation
in those cases in which no message will be logged. For more details, see
PEP 282.
Do not use a mutable like `list` or `dictionary` as a default value to an
argument. Python’s default arguments are evaluated once when the function
is defined. Using a mutable default argument and mutating it will mutate
that object for all future calls to the function as well.
Consider using literal syntax to create the data structure
Using the literal syntax can give minor performance bumps compared to
using function calls to create `dict`, `list` and `tuple`.
This is because here, the name `dict` must be looked up in the global
scope in case it has been rebound. Same goes for the other two types
`list()` and `tuple()`.
Using the `len` function to check if a sequence is empty is not idiomatic
and can be less performant than checking the truthiness of the object.
`len` doesn't know the context in which it is called, so if computing the
length means traversing the entire sequence, it must; it doesn't know
that the result is just being compared to 0. Computing the boolean value
can stop after it sees the first element, regardless of how long the
sequence actually is.
Daniel Lenski [Thu, 16 Sep 2021 19:51:43 +0000 (12:51 -0700)]
Provide the vpnc-script with our PID (as $VPNPID)
This will enable a vpnc-script to more easily identify which VPN connection
is calling it, in the case of multiple concurrent or "stacked" VPN
connections.
Because OpenConnect (and vpnc) invoke the vpnc-script via an intermediate
shell process, the vpnc-script would otherwise need to determine its
GRANDparent PID, which is an error-prone, and not easily portable, process.
See https://gitlab.com/openconnect/vpnc-scripts/-/issues/28 and
https://gitlab.com/openconnect/vpnc-scripts/-/merge_requests/36 for issues
with the current approaches.
Daniel Lenski [Fri, 2 Apr 2021 07:16:59 +0000 (00:16 -0700)]
Try to delete-and-reclaim IP addresses from down interfaces
As mentioned previously, Windows will not allow us to set an IP address on
the tunnel interface (using 'netsh' in vpnc-script-win.js) if that address
is assigned to another interface, *even if* that interface is not currently
up.
In order to figure out if our interface's desired IP address(es) are
assigned to any other interface(s), we have to iterate over the results of
`GetAdaptersAddresses`. This retrieves a list of all IP addresses (both
Legacy and IPv6) by interface, along with up/down status thereof.
If we find another interface that is assigned our desired IP address, but is
not up, we should attempt to unassign/delete/reclaim the address from this
interface. In order to do that, we need to use a completely separate API
(`GetUnicastIpAddressTable`) to get a list of all assigned IP addresses in a
form that can be used to delete them (with `DeleteUnicastIpAddressEntry`).
The simplest way to structure the code to do this is to use two nested
loops:
- The outer loop iterates over the adapters and addresses returned by
`GetAdaptersAddresses`
- The inner loop — which runs only in the case of a conflicting address —
iterates over the addresses as returned by `GetUnicastIpAddressTables`.
- Perhaps this could be optimized, but because this runs only once per VPN
connection, and a typical client system will have <<N=100 adapters and IP
addresses… it doesn't seem worth it.
NB: I had previously tried avoiding the use of `GetUnicastIpAddressTable`
altogether by creating a fake/synthetic `MIB_UNICASTIPADDRESS_ROW` with
most of the fields filled in using information returned by
`GetAdaptersAddresses`, and passing this directly to
`DeleteUnicastIpAddressEntry`. It simply did not work, perhaps due to
the absence of one or two seemingly-unimportant fields whose values
couldn't be determined. (See 4acc773c69d8b06da2983fd5fe70cca357822503)
Daniel Lenski [Fri, 2 Apr 2021 05:57:02 +0000 (22:57 -0700)]
Add check_address_conflicts() to tun-win32.c
If other adapters have conflicting IPv4/IPv6 addresses, vpnc-script-win.js
will fail to configure the tunnel addresses correctly.
For now, check_address_conflicts() only checks and fails; it doesn't try to
delete/reclaim the conflicting addresses.
[ Yay, Windows, for persisting a value we don't need or want persisted, and
not allowing us to override this with 'netsh interface ipvX set address'.
This appears to be a limitation of the Windows 'netsh' configuration
utility. ]
Daniel Lenski [Thu, 1 Apr 2021 00:21:41 +0000 (17:21 -0700)]
Don't set Legacy IP address on Windows tunnel interface within OpenConnect itself
The pre-existing Windows routing connection script (vpnc-script-win.js) was
not able to reliably set the Legacy IP address of the tunnel interface, so
we've been setting it in OpenConnect itself since 60d1f092e35f05217f1c96823c4f1b86c7915bbd.
As of https://gitlab.com/openconnect/vpnc-scripts/-/merge_requests/26, we've
got vpnc-script-win.js setting the Legacy IP address correctly, and IPv6 as
well. We should leave this as the script's responsibility for
cross-platform consistency.
Daniel Lenski [Wed, 31 Mar 2021 01:08:00 +0000 (18:08 -0700)]
Use hostname as Wintun ifname (if ifname not specified)
Without this change, OpenConnect will *only* attempt to use the Wintun
driver if `-i InterfaceName`, and will require TAP-Windows driver otherwise.
That seems like a surprising and hard-to-discover behavior.
Instead, we should use the VPN server's hostname as a sane default interface
name with Wintun, and only attempt to use TAP-Windows as a fallback in the
case where Wintun can't be initialized.
projects / users / dwmw2 / openconnect.git / log