Aaron LI [Sun, 13 Dec 2020 08:38:38 +0000 (16:38 +0800)]
Add DragonFly BSD support and improve FreeBSD support
Support DragonFly BSD for TUN creation and destroy in the same way as
FreeBSD.
No need to load the `if_tun` kernel module, because the `ifconfig(8)`
utility on FreeBSD and DragonFly BSD will auto load it if necessary
(the `-n` option suppresses this behavior; see man page for details).
This feature was added to `ifconfig(8)` in 1999:
https://github.com/freebsd/freebsd/commit/4d16916f800d4c5ee37fb3c93ca6981ad9b33eb3
In addition, FreeBSD 13 has merged `if_tun` and `if_tap` into a single
module named `if_tuntap`. So this change improves the FreeBSD
support.
Signed-off-by: Aaron LI <aly@aaronly.me> Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Tue, 8 Dec 2020 07:31:50 +0000 (23:31 -0800)]
fix another ifconfig syntax difference between Linux and *BSDs
See https://gitlab.com/openconnect/vpnc-scripts/-/merge_requests/9#note_466328301 :
> Thanks. I don't know how this one was missed; the [FreeBSD man
> page](https://www.freebsd.org/cgi/man.cgi?ifconfig) and [macOS man
> page](https://ss64.com/osx/ifconfig.html) clearly show that `delete` has
> to come _after_ the address.
>
> However, Linux's ifconfig [requires `del` to come
> before](https://linux.die.net/man/8/ifconfig), and _only_ works for
> removing IPv6 addresses… so this needs to be reworked a bit to not break
> on Linux.
Daniel Lenski [Tue, 8 Dec 2020 06:12:05 +0000 (22:12 -0800)]
use `ip netns` instead of ocserv `listen-netns` config option for test configs
`listen-netns` is new in ocserv 1.1.1, while iproute2's `ip netns` will work
more universally on Linux, allowing testing on older Linux distributions (see
https://gitlab.com/openconnect/vpnc-scripts/-/commit/c95a3ad0e77963fea73c185ff0308e1edabe522c#note_457425702)
Trygve Aaberge [Sun, 12 Aug 2018 09:53:31 +0000 (11:53 +0200)]
Use systemd-resolve to check if resolved is running
resolved may be included in nsswitch.conf even though systemd-resolved
is not running. E.g. Arch Linux includes resolved in nsswitch.conf by
default, but systemd-resolved is not enabled by default, which causes
this script to fail updating dns.
This patch uses the systemd-resolve command, which is included with
systemd, to check if systemd-resolved is actually running.
Signed-off-by: Trygve Aaberge <trygveaa@gmail.com> Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Fri, 27 Nov 2020 19:54:23 +0000 (11:54 -0800)]
CI: don't need to install ocserv and which
These are already included in the Centos7 build image: https://gitlab.com/openconnect/build-images/-/blob/master/openconnect-cli/centos7/Dockerfile#L11
Daniel Lenski [Sat, 28 Nov 2020 02:27:08 +0000 (18:27 -0800)]
numerous fixes for Linux IPv6 configuration using ifconfig/route/netstat
Trying to ensure that none of the commands executed change in any way on the actual non-Linux OSes which
we cannot directly test with CI currently.
- add missing $route_syntax_gw
- need new syntax variants:
- $ifconfig_syntax_add_inet6 ('add' on Linux, 'inet6' on *BSDs)
- $route_syntax_ipv6 ('-6' on Linux, '-inet6' on *BSDs)
- special handling for IPv6 route addition deletion on Linux:
- '-host'/-net' are REQUIRED on *BSDs but Linux 'route' rejects them
⇒ add $route_syntax_ipv6_{host,net} for these cases
- Linux 'route' rejects local adapter's IPv6 address as gateway with "SIOCADDRT: invalid argument"
⇒ use 'dev $DEVICE' instead of 'gw $NETGW' in this case on Linux
Daniel Lenski [Wed, 25 Nov 2020 21:48:20 +0000 (13:48 -0800)]
try running tests with *BSD-ish tools (ifconfig/route/netstat) for additional coverage
Things that should be improved:
* Need a better way to disable iproute2. Most likely the sanest way to
do this will actually be to split the vpnc-script into two versions, rather than
try to maintain its one-size-fits-all structure.
* Need a better way to enable tracing in vpnc-script. This really should be added
to OpenConnect itself (in part, by adding `-x` to the `sh /path/to/vpnc-script`
exec) since we're frequently requesting it of real users for real issues.
James Hennessy [Sun, 17 Feb 2019 19:18:05 +0000 (14:18 -0500)]
Don't use /sbin/resolvconf if it just points to resolvectl.
On Fedora 29 systems, resolvconf is a symbolic link to resolvectl, but
using resolvectl won't work unless "resolve" appears on the "hosts" line
of /etc/nsswitch. If we reach the point of considering resolvconf, then
"resolve" is not enabled and resolvectl should be avoided.
Daniel Lenski [Wed, 25 Nov 2020 16:37:05 +0000 (08:37 -0800)]
include calling process ID in DEFAULT_ROUTE_FILE{,_IPV6}
This should allow multiple "stacked" VPNs to run concurrently while
preserving the default route(s). There is still a race condition if they
aren't terminated in the correct order.
Ignatios Souvatzis [Thu, 14 May 2020 12:02:08 +0000 (14:02 +0200)]
Patch: make ipv6 in ipv4 and ipv6 in ipv6 tunnels work on (Net)BSD
Hello all,
since my uni's computing centre added inside ipv6 to their tunnel two
days ago I found that OpenConnect hat problems tearing down and
often, setting up the routes.
Three items I had to fix or enhance:
a) an ifconfig ... del ... somewhere. Correct syntax on all BSD's
I've been in touch with over the last decades is ifconifg ... delete ...
b) route handling for the default route was not really there - it wasn't
restored on shutting down the tunnel.
I've done a ::/1 + 8000::1 instead of default (== ::/0) trick here,
in concept what OpenVPN does for IPv4 (0.0.0.0/1 + 128.0.0.0/1)
(has higher priority as more-specific than default due to the shorter
mask, and is unlikely to be more specific than any real local route).
c) protection of the ipv6 transport route didn't work, as it implicitly
assumed always going via ipv4.
This wasn't a problem as long as the inner addresses were
IPv4-only, but broke the tunnel once the effective ipv6 default
route kicked in via the tunnel.
Daniel Lenski [Wed, 30 Sep 2020 19:22:43 +0000 (12:22 -0700)]
preserve metric in fix_ip_get_output
This will allow us to keep, for example, both a lower-metric route to the
VPN gateway through an Ethernet interface, and a higher-metric route to the
VPN gateway through a WiFi interface.
Daniel Lenski [Fri, 25 Sep 2020 00:16:00 +0000 (17:16 -0700)]
make do_attempt_reconnect work with route/ifconfig
Unlike with iproute2, there is no way to determine which interface(s)
have routes that actually match the VPN gateway, so we simply try
finding a default-route gateway, as upon initial connection.
For this to work properly, we need to ensure that get_default_gw excludes
TUNDEV (since the goal is to prevent loopback), and only uses the first
match.
Daniel Lenski [Fri, 25 Sep 2020 00:14:00 +0000 (17:14 -0700)]
add working do_attempt_reconnect
This initial implementation requires iproute2. It find all routes that match
the VPN gateway (excluding those matching "dev $TUNDEV", since the goal is
to prevent loopback), and simply tries adding them one-by-one.
See https://gitlab.com/openconnect/openconnect/-/issues/17 for the original
motivation for adding `reason=attempt-reconnect`.
See https://github.com/dlenski/vpn-slice/pull/14#issuecomment-489293114 for
a discussion of the complexities of implementing it correctly.
Daniel Lenski [Thu, 8 Oct 2020 00:51:29 +0000 (17:51 -0700)]
don't try to set an explicit route to VPN gateway if localhost, and ignore bogus non-forwardable exclude routes
This should fix confusing errors (see https://gitlab.com/openconnect/openconnect/-/issues/172 and
https://gitlab.com/openconnect/openconnect/-/issues/173) and close #8.
Per IANA (https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml#note1),
there are other IPv4 blocks which are effectively unrouteable (not "Forwardable"), but the ones included here
(0.*, 127.*, 169.254.*) are the ones we've actually seen in real VPNs in the wild.
Daniel Lenski [Fri, 25 Sep 2020 16:14:02 +0000 (16:14 +0000)]
Ignore link-local routes in set_default_route
See https://gitlab.com/openconnect/openconnect/-/issues/180#note_418673102, and https://superuser.com/a/1067742 for an explanation of what these routes mean on macOS.
Florian Domain [Mon, 10 Aug 2020 12:13:26 +0000 (14:13 +0200)]
Use resolvectl for systemd-resolved
- resolvectl is embedded in systemd-resolved and is more simpler
to use than calling directly busctl as we don't have to format IPs or
specify which address family it belongs.
- fix IPv6 nameserver, address family was previously hardcoded to IPv4
so the call to the busctl was failing.
Daniel Lenski [Fri, 7 Aug 2020 00:49:35 +0000 (17:49 -0700)]
cleanup whitespace in vpnc-script-win.js
Current indentation is a mixture of 4×space and TAB, which is bad practice
and very confusing when browsing in GitLab's web UI (defaults to
TAB=8×space. Cleaned up indentation with `wtf -i -sx4`
(https://github.com/dlenski/wtf/)
In order to set up routing exclusions properly, we now ask for routes without
specified prefixlen and later add it manually before calling `ip route add`.
Older versions of `ip` silently ignored the prefixlen -- as confirmed in:
https://www.spinics.net/lists/netdev/msg570803.html.
Reproduction:
$ ip route get 1.2.0.0/24
Error: ipv4: Invalid values in header for route get request.
Daniel Lenski [Thu, 6 Jun 2019 00:31:38 +0000 (17:31 -0700)]
iproute2 is Linux only; don't try to set IPROUTE on another OS
If `which ip` returns something on another OS, it's an unrelated tool that
won't work for routing configuration. This should fix the macOS issue
discovered at:
https://github.com/dlenski/openconnect/issues/132#issuecomment-470475009
Signed-off-by: Daniel Lenski <daniel.lenski@finalphasesystems.com>
Robin H. Johnson [Wed, 20 Jun 2018 06:26:37 +0000 (06:26 +0000)]
resolvconf: set search instead of domain
Some vpn clients pass multiple domains for DNS search scope, which
requires that we use search rather than domain. The generic path was
already using search, so just switch the resolvconf path to also use
search.
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Gernot Hillier [Wed, 21 Feb 2018 16:46:43 +0000 (17:46 +0100)]
Revive route cleanup for /sbin/route code
Cleanup our routes upon disconnect also when using /sbin/route command - even
if OS will do it for us when TUNDEV gets removed. That's the same what the
ip-route code already does.
Additionally, we obviously didn't need route deletion in set_network_route for
/sbin/route mode - this function didn't do anything until now. So remove this
call -- it's a bad idea to call del_network_route inside set_network_route
anyways because both modify the same global variables.
Signed-off-by: Gernot Hillier <gernot.hillier@siemens.com> Tested-by: Thomas Zander <thomas.zander@siemens.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Gernot Hillier [Wed, 21 Feb 2018 16:46:42 +0000 (17:46 +0100)]
Support split-exclude rules from Pulse gateway
The vpnc-script used by OpenConnect only supports "split include" rules (default
route unchanged, specific VPN routes added). We add support for Pulse's "split
exclude" rules (default route to VPN, exclude rules for targets to be connected
via normal uplink).
For targets specified as split-exclude by the gateway, we add additional routes
which keep traffic as-is (i.e. separate from tunnel). On platforms only
providing /sbin/route, we guess that those are reached via default gateway.
Please note that IPv6 variant is completely untested as I have no
access to according testbeds.
Tested on Linux (using ip and route command) in a IPv4 environment, "ip"
case also tested in a IPv6 dialup config (gateway is IPv4 only).
Signed-off-by: Gernot Hillier <gernot.hillier@siemens.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Thiago Padilha [Thu, 20 Oct 2016 05:03:50 +0000 (02:03 -0300)]
Add support for systemd-resolved
Add support for modifying DNS information on systems using systemd-resolved.
The communication with systemd-resolved is done through dbus, which is
possible with the `busctl` program that comes with systemd version 229
and later.
Signed-off-by: Thiago de Arruda <tpadilha84@gmail.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Corey Hickey [Sun, 28 Aug 2016 05:45:14 +0000 (22:45 -0700)]
rewrite resolv.conf parsing
This patch simplifies parsing and changes behavior in two ways:
1. Domains for searching are now parsed from "search" and "domain"
lines. Only a "search" line is outputted, since "search" supports
multiple domains and is mutually exclusive with "domain". The motivation
for this is to make vpnc-script behave sanely when there are existing
resolv.conf files with only "domain" or with both "domain" and "search".
2. All original "nameserver" lines are discarded and replaced rather
than only the number of nameservers from $INTERNAL_IP4_DNS. The
rationale here is that vpnc-script should be consistent and either
retain all original nameservers or overwrite all of them. Retaining them
is problematic because there is a limit of three, and overwriting is
closer to the original behavior.
The Darwin changes are untested, but are a simple search/replace and
thus should work fine.
Signed-off-by: Corey Hickey <bugfood-ml@fatooh.org> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Björn Ketelaars [Sat, 14 Mar 2015 18:31:38 +0000 (19:31 +0100)]
OSX - Fix split DNS when doing split routing
Currently one can choose between two scenarios:
- overriding the default gateway, which breaks split routing, and honoring the
DNS server as proposed by the server
- not overriding the default gateway, which enables split routing, but without
honoring the DNS server as proposed by the server
446 # next line overrides the default gateway and breaks split routing
447 # d.add Router $INTERNAL_IP4_ADDRESS
Split DNS, when doing split routing, is enabled by adding INTERNAL_IP4_DNS to
the list of DNS servers.
Signed-off-by: Björn Ketelaars <bjorn.ketelaars@hydroxide.nl> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
John Baldwin [Thu, 12 Mar 2015 15:28:51 +0000 (15:28 +0000)]
Enable resolvconf on FreeBSD too
According to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195359
this should work fine. I've no idea why it wasn't enable for FreeBSD
in the first place; perhaps just lack of testing and conservatism.
Signed-off-by: John Baldwin <jhb@FreeBSD.org> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Antonio Borneo [Sun, 1 Dec 2013 07:06:41 +0000 (15:06 +0800)]
Add support for "unbound" DNS resolver
Original patch from Erinn Looney-Triggs <erinn.looneytriggs@gmail.com>
posted at Red Hat Bugzilla - Bug #865092
https://bugzilla.redhat.com/show_bug.cgi?id=865092
Removed bashism, removed trailing spaces, use tab for indentation.
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Emanuel Haupt [Mon, 28 Jan 2013 15:33:38 +0000 (15:33 +0000)]
Fix various issues on FreeBSD
- duplicate creation of tun devices
- cleanup of created tun device
- deadlock of vpnc holding an open file descriptor on /dev/tunN
- properly restoring /etc/resolv.conf
Signed-off-by: Emanuel Haupt <ehaupt@FreeBSD.org> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 23 Apr 2012 00:20:34 +0000 (01:20 +0100)]
Add script hooks
This is based loosely in concept on the Debian patch, and is also needed for
OpenWrt unless we want to add a bunch of OpenWrt-specific stuff in here too.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
projects / users / dwmw2 / vpnc-scripts.git / log