Tag v24 (protected, commit 92c63ad9)
OpenVPN 3 Linux v24 (Stable release)

The v24 release is another stable release. It resolves issues reported in several earlier releases and improves OpenVPN 3 Linux in several areas.

* Improvement: Add --dns option support

  DNS resolver settings have been troublesome for many years, since the slightly different implementations handle the possible pushed DNS options differently between OS platforms, and even across client implementations on a single platform. This is being addressed by a new --dns option which can be used instead of the various --dhcp-option settings related to DNS.

  The --dns option has been available since OpenVPN 2.6. The OpenVPN 3 Core Library has had this support since v3.7, but the needed processing of this option has been lacking in OpenVPN 3 Linux until now.

  The --dns option makes it possible to configure more modern DNS features such as split-DNS, DNS-over-TLS and DNSSEC. This will in most cases work out of the box when using systemd-resolved as the local DNS resolver, but it also depends on the features available in systemd-resolved in the Linux distribution being used. Currently, systemd-resolved does not support DNS-over-HTTPS [1]. If this is attempted, the connection will disconnect.

  For users only using /etc/resolv.conf, only the traditional DNS server and search domain settings will be configured. All the additional DNS features will be ignored.

  [1] <https://github.com/systemd/systemd/issues/8639>

* Improvement: Provide better details about the remote server

  The openvpn3 sessions-list command would list a "Session name" once a client session had successfully connected to a remote server. This information was static and did not change after the initial connection. If the VPN configuration profile had more and different --remote lines, only the first connection would be reflected in this "Session name".

  In v24 this has been changed by querying the VPN client process about the server it is currently connected to. The "Session name" line has thus been replaced with a "Connected to" line, which will also include details about the connection protocol, DCO mode and port number in use.

  Note: Due to an issue in the OpenVPN 3 Core Library, the port number is currently not provided on DCO connections.

* Improvement: Provide better messages to end-user on session start issues

  When starting a VPN session, it could fail for various reasons. The reason itself was never provided to the end-user starting the session, and it was necessary to dig into the log files to figure out why it was failing. With this release, the openvpn3 session-start command will present an end-user friendly reason when the client process provides a reason for the failure. This reduces the need to search the logs for an initial understanding of why it failed.

* Improvement: Better error message when modifying sealed configurations

  When attempting to modify a sealed VPN configuration profile (which is read-only), a fairly verbose, debug-like error message was provided to the user. This has been improved to give a more end-user friendly error message instead.

* Improvement: Upgrade to OpenVPN 3 Core Library v3.10.4

  This resolves an issue where a configuration profile using --pull-filter with single quotes instead of double quotes would be incorrectly parsed. VPN sessions with DCO enabled could also fail if --inactive was used. Both have been fixed in this Core Library release.

* Bugfix: Starting VPN sessions could fail on slower systems

  In some cases, openvpn3-service-backendstart would not start quickly enough. The Session Manager would then not get a response back soon enough confirming that the VPN client process had been started, and it would fail the VPN session start. With the updated GDBus++ and further improvements in the Session Manager, it is now more graceful towards slower starting services and does not fail as quickly. This allows the supporting helper services to start properly before interacting with them.

* Bugfix: Add support for dhcp-option ADAPTER_DOMAIN_SUFFIX

  ADAPTER_DOMAIN_SUFFIX is one of the ambiguous --dhcp-option settings which are treated differently across client implementations. This setting had been ignored in OpenVPN 3 Linux until this release. The best user experience seemed to be achieved by parsing this as an alias to the DOMAIN-SEARCH feature. This seems to align best with common user expectations.

* Bugfix: DNS search domains might not be removed from /etc/resolv.conf

  Under some unclear circumstances, the DNS search domains were not always removed from /etc/resolv.conf. This has been an open issue for a long time, but it seems to have improved since v22_dev with GDBus++. We still see this occasionally on a few Linux distributions with systemd-resolved. But since we also see systemd-resolved accepting the DNS updates and removals, we believe this might be more of an issue in systemd-resolved at this point. This issue now appears only with systemd-resolved and is not reproducible in all environments.

* Bugfix: Duplicated name servers or search domains in /etc/resolv.conf

  In prior releases, when the Network Configuration service was configured to use /etc/resolv.conf for DNS resolving, it could append duplicated DNS name servers and search domains if duplicates were pushed or added by other VPN connections, or were present prior to starting the VPN session. In v24, duplicated name servers and search domains are filtered out so that each appears only once in /etc/resolv.conf.

* Bugfix: openvpn3 sessions-list does not reflect the correct DCO status

  When running the openvpn3 sessions-list and openvpn3-admin sessionmgr-service --list-sessions commands, the DCO status did not necessarily reflect reality. Typically, if the VPN client process failed to activate and use the DCO kernel module, it would still be listed as DCO enabled while in reality being a normal tun interface. This has been resolved in v24, where the VPN client process is now queried for the actual DCO status, not just the configured and requested DCO mode.

* Bugfix: Stray VPN sessions not cleaned up

  In cases where a VPN session has had a log forwarder enabled (such as via the openvpn3 log command) and that log forwarder has been stopped, the VPN session would linger in the Session Manager as a stray session with no available session details. This is also visible via openvpn3 sessions-list. Attempting to remove the session using openvpn3 session-manage would fail with an error. This has been resolved in v24, where the error situations which might appear if a previous log forwarder could not be identified are now properly handled and no longer block the internal session clean-up in the Session Manager.

* Bugfix: Spurious CreateVirtualInterface() errors when re-starting failing sessions

  In some special situations where a running VPN session stopped and a restart was attempted after an openvpn3 session-manage --cleanup, the tunnel would fail with various CreateVirtualInterface() and TUN_SETUP_FAILED errors. The session management code has been gradually improved since v22_dev, v23 and now v24, where stopped and failing sessions are handled better and removed correctly in the Session Manager.

* Bugfix: openvpn3 log with --session-path does not work

  In some scenarios, using openvpn3 log --session-path did not work and did not report any log events. This has been under investigation for a long time, and the issue has not been seen since the v22_dev release with GDBus++. We consider this issue resolved with the updated openvpn3-service-log service in the v22_dev release.
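The two DNS-related bugfixes above (ADAPTER_DOMAIN_SUFFIX handled as an alias of DOMAIN-SEARCH, and duplicate-free updates to /etc/resolv.conf) as an added Python example written for this page; it is not code from openvpn3-linux. The dhcp-option parser, the resolv.conf handling and the sample push are constructed assumptions, and the entries a session adds are tracked so that a disconnect removes only what that session contributed.

```python
"""Illustrative re-implementation (not openvpn3-linux code) of the v24 DNS
fixes: ADAPTER_DOMAIN_SUFFIX treated as an alias of DOMAIN-SEARCH, and a
duplicate-free merge of pushed resolvers into an /etc/resolv.conf body."""
from dataclasses import dataclass, field


@dataclass
class DnsSettings:
    nameservers: list[str] = field(default_factory=list)
    search_domains: list[str] = field(default_factory=list)


# dhcp-option keywords this toy parser maps to search domains. The alias for
# ADAPTER_DOMAIN_SUFFIX follows the v24 release notes; everything else here
# is an assumption made for the example.
_SEARCH_KEYS = {"DOMAIN-SEARCH", "ADAPTER_DOMAIN_SUFFIX"}


def _add_unique(items: list[str], value: str) -> bool:
    """Append value unless already present; returns True when it was added."""
    if value in items:
        return False
    items.append(value)
    return True


def parse_pushed_options(lines: list[str]) -> DnsSettings:
    """Extract DNS settings from pushed 'dhcp-option ...' lines.

    Non-DNS dhcp-option keys are ignored and duplicates inside the push
    itself are dropped, so the result never carries a value twice.
    """
    settings = DnsSettings()
    for raw in lines:
        parts = raw.split()
        if len(parts) < 3 or parts[0] != "dhcp-option":
            continue
        key, value = parts[1].upper(), parts[2]
        if key == "DNS":
            _add_unique(settings.nameservers, value)
        elif key in _SEARCH_KEYS:
            _add_unique(settings.search_domains, value)
    return settings


def parse_resolv_conf(text: str) -> tuple[DnsSettings, list[str]]:
    """Split a resolv.conf body into DNS settings and the other lines (kept verbatim)."""
    settings = DnsSettings()
    other: list[str] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            _add_unique(settings.nameservers, parts[1])
        elif parts and parts[0] == "search":
            for dom in parts[1:]:
                _add_unique(settings.search_domains, dom)
        else:
            other.append(line)
    return settings, other


def render_resolv_conf(settings: DnsSettings, other: list[str]) -> str:
    out = list(other)
    if settings.search_domains:
        out.append("search " + " ".join(settings.search_domains))
    out.extend(f"nameserver {ns}" for ns in settings.nameservers)
    return "\n".join(out) + "\n"


def apply_vpn_dns(resolv_conf: str, pushed: DnsSettings) -> tuple[str, DnsSettings]:
    """Put the pushed settings in front of the existing ones without duplicates.

    Returns the new resolv.conf body plus the entries this session actually
    added; values that were already present locally are not claimed, so a
    later revert leaves them in place.
    """
    existing, other = parse_resolv_conf(resolv_conf)
    merged, added = DnsSettings(), DnsSettings()
    for ns in pushed.nameservers:  # VPN resolvers take precedence
        if _add_unique(merged.nameservers, ns) and ns not in existing.nameservers:
            added.nameservers.append(ns)
    for ns in existing.nameservers:
        _add_unique(merged.nameservers, ns)
    for dom in pushed.search_domains:
        if _add_unique(merged.search_domains, dom) and dom not in existing.search_domains:
            added.search_domains.append(dom)
    for dom in existing.search_domains:
        _add_unique(merged.search_domains, dom)
    return render_resolv_conf(merged, other), added


def revert_vpn_dns(resolv_conf: str, added: DnsSettings) -> str:
    """Remove only the entries a session added, keeping pre-existing ones."""
    current, other = parse_resolv_conf(resolv_conf)
    current.nameservers = [ns for ns in current.nameservers if ns not in added.nameservers]
    current.search_domains = [d for d in current.search_domains if d not in added.search_domains]
    return render_resolv_conf(current, other)


# Constructed sample input: a pre-existing resolv.conf and a server push that
# repeats a local resolver, duplicates itself and uses the ADAPTER_DOMAIN_SUFFIX alias.
SAMPLE_RESOLV_CONF = "# Generated by NetworkManager\nsearch home.lan\nnameserver 192.0.2.53\n"
SAMPLE_PUSH = [
    "dhcp-option DNS 10.8.0.1",
    "dhcp-option DNS 192.0.2.53",                       # already present locally
    "dhcp-option DNS 10.8.0.1",                         # duplicate within the push
    "dhcp-option DOMAIN-SEARCH corp.example",
    "dhcp-option ADAPTER_DOMAIN_SUFFIX corp.example",   # alias of DOMAIN-SEARCH
    "dhcp-option NBT 2",                                # not DNS related, ignored
]


def demo() -> tuple[str, str]:
    """Return the resolv.conf body while connected and after the session ends."""
    pushed = parse_pushed_options(SAMPLE_PUSH)
    connected, added = apply_vpn_dns(SAMPLE_RESOLV_CONF, pushed)
    return connected, revert_vpn_dns(connected, added)


if __name__ == "__main__":
    up, down = demo()
    print("--- while connected ---\n" + up + "--- after disconnect ---\n" + down)
```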
* Bugfix: openvpn3 session-start fails with only 2FA authentication

  The openvpn3 session-start command would fail to start a session if the configuration profile only required 2FA authentication. This has also been fixed since the v22_dev release with GDBus++, which included a refactoring of how VPN sessions are established.

* Bugfix: Spurious GLib error messages

  The shell completion (with bash-completion installed) could often produce disturbing and confusing GLib-GObject-CRITICAL errors in the output. This has most likely been fixed since v22_dev and the migration to the GDBus++ library. Since this did not happen every time, and it varied a bit which Linux distributions it happened on, we have kept this on our radar for some time. We now feel more confident that this type of error is being handled properly and should not disturb the user any more.

Known issues:

- openvpn3-admin journal --since has a time zone related issue and may not list all log events within the closest hours.

---- Changes from v23 to v24 ---------------------------------------

David Sommerseth (56):
      configmgr: Improve error message on sealed config profiles
      configmgr: Switch to std::set<> for target lists for ACL checks
      docs: Re-enable doxygen build target
      client: Add support for --dhcp-option ADAPTER_DOMAIN_SUFFIX
      client: Stop running VPN clients in client destructor
      client: Properly plug-in DBus::MainLoop handling in BackendClientObject
      client: Make BackendSignals::LogFATAL() thread safe
      client: Extend BackendSignals to have access to a DBus::MainLoop object
      client: Improve exception handling when starting client worker thread
      client: Handle COMPRESS_ERROR events
      ovpn3cli/session-start: Retrieve more status details when throwing SessionException
      client: Fix incorrect error message in NetCfgTunBuilder::socket_protect()
      client: Move DNS scope logging from LOG_DEBUG to LOG_VERB2
      cleanup: Remove pointless local scope ovpn3cli::session::start_session()
      configmgr: Add debug option --use-session-bus
      log: Rework the tear-down of ProxyLogEvents objects
      netcfg: Cleanup NetCfgException
      dbus/signals: Add Signals::StatusChange::LastEvent()
      client: Add BackendSignals::LastStatusEvent()
      client: Add new property: connection
      sessionmgr: Implement extraction of connection details from client
      client: Extract DCO status from ConnectionInfo when available
      ovpn3cli/sessions-list: Improve session information with connection details
      build: Minor tweaks to D-Bus/systemd/state-dir build options
      netcfg/proxy: Make all proxy methods const methods
      netcfg/proxy: Extend NetCfgProxy::Device with openvpn::DnsOptions parsing
      client: Enable --dns option parsing in the VPN client
      netcfg/resolved: Extend systemd-resolved proxy with DNSSEC support
      policy/netcfg: Grant privilege to set DNSSEC on systemd-resolved
      netcfg/systemd-resolved: Implement support for setting the DNSSEC mode
      netcfg: Extend NetCfgDevice with D-Bus APIs for DNSSEC
      netcfg/proxy: Extend NetCfgProxy::Device with DNSSEC support
      netcfg/proxy: Extend NetCfgProxy::Device::AddDnsOptions() with DNSSEC support
      netcfg/resolved: Extend systemd-resolved proxy with SetDNSOverTLS()
      policy/netcfg: Grant privilege to set DNS-overTLS in systemd-resolved
      netcfg/systemd-resolved: Implement support for setting the DNS transport mode
      netcfg/systemd-resolved: Refactor and simplify the code
      netcfg: Extend NetCfgDevice with D-Bus APIs for setting DNS transport
      netcfg/proxy: Extend NetCfgProxy::Device with DNS transport support
      netcfg/proxy: Extend NetCfgProxy::Device::AddDnsOptions() with DNS transport support
      codestyle: Fix misc deviating code style to conform with .clang-format
      dbus/signals: Include iostream
      client: Improve debugging in openvpn3-service-backendstart
      client/backendstart: Move LogServiceProxy inside the service object
      sessionmgr: Add RegistrationRequest debug logging
      sessionmgr: Allow net.openvpn.v3.backends to settle before accessing it
      ovpn3cli: Start a glib2 MainLoop in the command line tools
      sessionmgr/proxy: Replace sleep with waiting for SESS_CREATED signal
      ovpn3cli/sessions-list: Don't show "Connected to" without any details
      netcfg/proxy: Disable support for DoH
      core: Update to latest OpenVPN 3 Core Library v3.10.4
      vendor: Update to ASIO 1.32.0
      client: Fix missing handling of the delayed shutdown thread in BackendSignals
      sessionmgr: Fix misbehaviour if GetUID() fails in Session::helper_stop_log_forwards()
      client: Add support for a couple more TLS error events
      ovpn3cli: Improve mainloop start synchronisation

Petr Portnov (2):
      build: reduce hardcoded 'asio_path'
      build: allow installation directories' customization

Razvan Cojocaru (7):
      cleanup: Remove stray semicolons
      configmgr/overrides: Remove OverrideType::invalid
      configmgr/overrides: Use glib2::DataType::Extract(value)
      configmgr/overrides: Remove struct OverrideValue
      configmgr/overrides: Rename ValidOverride -> Override
      sessionmgr: Remove unused Session::connection_started bool
      netcfg/resolvconf-file: Don't add nameservers that already exist

--------------------------------------------------------------------
Tag v23 (protected, commit d8239ede)
OpenVPN 3 Linux v23 (Stable release)

The v23 release is a stable release which expands the distribution targets compared to the v22_dev release. The goal for this step was to stabilize the codebase which was migrated to GDBus++ and the new Meson build system.

This release brings back the OpenVPN 3 AWS-VPC Add-on which was not ready for the v22_dev release. This service has also been migrated to use GDBus++. The behaviour of this add-on should otherwise be identical to the service shipped in v21 and older releases.

In addition, a new add-on is included in this release. The Cloud Connexa service is being extended with new functionality, referred to as Device Posture Checks (DPC). This feature will enable the VPN server to request certain checks to be performed on the client side and reported back to the server. These checks are restricted to what the new OpenVPN 3 Device Posture Service (openvpn3-service-devposture) provides. To enable the client-side functionality, the VPN client configuration must be pre-imported and an Enterprise ID must be assigned to the configuration profile. That will allow the server to request Device Posture Checks to be performed.

The currently implemented DPC tests only provide platform information, like Linux distribution name and version, kernel version, CPU architecture and the client's local time. In future releases, more tests may be implemented.

Known issues:

- Shell completion may list duplicated options in some cases
- openvpn3-admin journal --since has a time zone related issue and may not list all log events within the closest hours.

Other changes:

* Improvement: Upgrade to OpenVPN 3 Core Library v3.10.1

  This library update provides the functionality needed for the Device Posture Check feature in the OpenVPN wire protocol. A fix to resolve compilation errors when the -Wnon-virtual-dtor compiler flag is enabled is included too.

* Bugfix: Report client and version correctly in IV_GUI_VER

  The v22_dev release unfortunately changed the format of the IV_GUI_VER. It would report 'openvpn3-linux/v22:dev' when it should have been 'OpenVPN3/Linux/v22_dev'. This has been corrected.

* Bugfix: --tag option not working with config-import or config-manage

  A regression introduced in v22_dev handled the tracking of available Configuration Manager features incorrectly and ended up disabling this feature in the openvpn3 config-import and openvpn3 config-manage commands. This has been fixed.

* Bugfix: systemd-resolved support rejected IPv6 DNS resolver address

  An oversight in the systemd-resolved implementation refused to accept pushed DNS resolver addresses when they were IPv6 addresses. This has been fixed, and both IPv4 and IPv6 addresses are now fully supported.

* Improvement: Python configuration parser support for --connect-retry{,-max}

  The Python configuration parser in the openvpn3 module did not provide a pass-through for the --connect-retry and --connect-retry-max options. As a result, configuration profiles containing these options would not function when using the Python based tools, while they would work using the 'openvpn3' command.

Credits
-------

Thanks go to those who continue testing and reporting issues. A special thanks to Grzegorz Gutowski who provided the fix to the Python module. He is also the project lead behind the openvpn3-indicator project, which provides a tray icon for OpenVPN 3 Linux. If you use a graphical desktop, that's a project worth checking out!

Many thanks also go to Razvan Cojocaru, who has stepped in providing many great improvements and done all the work for the Device Posture support in OpenVPN 3 Linux, and to Lev Stipakov, who migrated the OpenVPN 3 AWS-VPC add-on service to GDBus++.

---- Changes from v22_dev to v23 ---------------------------------------

David Sommerseth (24):
      configmgr: Load configuration profiles before starting the D-Bus service
      netcfg: Make NetCfgNotifSubscriptions use uint32_t as filter bit mask
      codestyle: Fix minor code style deviations
      build: Enable overriding OpenVPN 3 Core Library version string
      scripts: Modify the output of the --gui-version
      addons/devposture: Fix compilation error with older JsonCpp libraries
      addons/devposture: Make devposture-proxy test program more generic
      addons/devposture: Document the Enterprise Profile file format
      build: Install some additional documentation by default
      docs: Clarify a GDBus++ and mbed TLS build dependencies better
      build: Set PACKAGE_NAME to 'OpenVPN3/Linux'
      Some minor #include clean-ups
      configmgr: Cleaning up #include files
      configmgr: Use CoreLog for logging events from the Core library.
      client: Don't stop if devposture service is unavailable
      devposture/test: Improve argument parsing in devposture-proxy
      addon/devposture/proxy: Properly re-throw DevPosture::Proxy::Handler exceptions
      netcfg/resolved: Factor out resolved::Exception to a separate file
      tests/resolved: Extend systemd-resolved proxy test client with IPv6 support
      netcfg/resolved: Add new D-Bus IP Address parser class
      netcfg/resolved: Use GDBus++ glib2 helpers extracting data in SearchDomains::GetGVariant
      netcfg/resolved: Plug-in resolved::IPAddress into ResolverRecord
      netcfg/resolved: Refactor out resolved::ResolverRecord
      core: Update to OpenVPN 3 Core Library v3.10.1

Grzegorz Gutowski (1):
      python: Pass through --connect-retry and --connect-retry-max

Lev Stipakov (5):
      netcfg: use proper C++ base type for NetCfgChangeType
      netcfg/proxy: Check non-response call for nullptr before freeing
      configmgr: remove unused class members
      addons/aws: Switch to GDBus++
      addons/aws: adapt to core RandomAPI changes

Razvan Cojocaru (10):
      core: Update to OpenVPN 3 Core Library releaseprep/3.10
      addons/devposture: Add openvpn3-linux-devposture
      configmgr: Add the enterprise-profile override
      ovpn3cli/config: Add openvpn3 config-manage --enterprise-profile
      client: Plug in Device Posture support
      configmgr: Use a regular expression to determine version number
      configmgr: Accumulate proxy feature flags instead of overwriting
      netcfg: Check stub-resolv.conf before giving up on systemd-resolved
      common: give SingleCommand a virtual destructor
      addons/devposture: Add core_ver and extra_ver to client_info
Tag v22_dev (protected, commit 2ec1ebce)
OpenVPN 3 Linux v22_dev (Limited Release)

This is a limited release primarily targeting Fedora 39 and newer plus Ubuntu 24.04. Other Linux distributions shipping glib2 version 2.76 or newer will also benefit from this release.

This release contains a massive refactoring of the D-Bus integration layer with glib2. The glib2 2.76 and newer releases contain several internal changes which broke the D-Bus implementation layer in OpenVPN 3 Linux v21 and older releases [1]. To fix this, it was decided to split out the base D-Bus integration into a new standalone library which OpenVPN 3 Linux will depend on. This new project is called GDBus++.

[1] <https://github.com/OpenVPN/openvpn3-linux/issues/171>

This change brings in a vastly improved D-Bus integration which now makes extended use of multi-threading when processing D-Bus method calls and implements modern C++17 approaches when handling requests to registered D-Bus objects. There has also been a strong focus on getting rid of as many as possible of the various glib2 warnings which could occasionally appear in prior OpenVPN 3 Linux releases.

There is most likely still a lot more room for improvements to both the new GDBus++ and the upgraded OpenVPN 3 Linux code, which is why this release targets a more limited release scope. That said, this new code can be made available for all the officially supported RPM distributions by enabling a "development snapshots" repository. But this repository will not have the same QA guarantees as the official stable repositories. This release has only been through the full QA validation on Fedora 39, Fedora 40 and Ubuntu 24.04.

On a development note, this project has now migrated to use Meson [2] as the build system. The autoconf/automake build system is now completely removed. The Meson build system has turned out to be way simpler to use and configure than autotools ever was, especially from a developer's point of view.

[2] <https://mesonbuild.com/>

There are unfortunately a few known issues which are targeted for the coming v23 release:

- AWS VPC integration is not yet ready, so this add-on is currently not available in this v22_dev release.
- Shell completion may list duplicated options in some cases
- openvpn3-admin journal --since has a time zone related issue and may not list all log events within the closest hours.

Other changes worth mentioning with this release:

* Improvement: Upgrade to OpenVPN 3 Core library v3.8.5

  This upgrade contains several bug fixes related to the option parser, mostly issues reported by a wide range of users, in addition to incorrect behaviour with the stub compression when the --compress option was used.

* Improvement: openvpn3-admin journal --since argument

  The --since argument can now use the keywords 'today' and 'yesterday'.

* Bug fix: openvpn3-admin log-service would not change some settings

  On some distributions, the --dbus-details and other boolean flags were not properly changed when requested. This has been improved.

Credits
-------

Finally, it is necessary to give a HUGE THANK YOU to all the community testers who installed and tested rolling development snapshots during the development of this release. Without all this testing, we would not have the same confidence in this release as we have now. All your help and feedback has been really valuable and helpful during this development phase.
---- Changes from v21 to v22_dev ---------------------------------------

David Sommerseth (324):
      ovpn3cli/admin: log-service lacked initial state and init
      ovpn3cli/admin: Add today/yesterday to journal --since
      codestyle: Use default lambda scope indentation
      processwatch: Remove the processwatch.hpp feature
      idlecheck: Remove IdleChecker implementation for GDBus++ refactoring
      build: Add bare meson build setup
      GDBus++: First step in migrating to the new D-Bus implementation
      GDBus++: Rework constants setup for OpenVPN 3 Linux
      GDBus++: Migrate the log/proxy-log.hpp implementation
      build: Add bare meson setup for generating man pages
      build: Install the base D-Bus policy
      build: Replace individual D-Bus auto-start service files with a template
      GDBus++: Migrate openvpn3-service-backendstart
      build: Add some log handling into the internal shared common library
      GDBus++: Migrate D-Bus proxy code for net.openvpn.v3.config
      client: Simplify StatusEvent() constructors
      build: Extend version extraction to include a few git flags
      build: Build and install SELinux policies via Meson
      GDBus++: Partial migration of netcfg code required to build VPN client backend
      common: Extend RequiresQueue with callback functionality
      GDBus++: Complete migration of StatusEvent()
      GDBus++: Kick out THROW_LOGEXCEPTION() macro
      GDBus++: GDBus++: Complete migration of LogEvent()
      GDBus++/LogSender: Use SignalDeclaration() methods setting up signals
      GDBus++/common: Improve RequiresQueue, avoid static_cast<>()
      GDBus++: First stab at migrating openvpn3-service-client
      build/selinux: Fix wrongly behaving SELinux build detection
      build: Fix issues with missing sd_id128 variable in meson
      build: Prepare the ground for building dco-keyconfig.proto
      GDBus++/common: Migrate PlatformInfo
      GDBUs++/sessionmgr: Initial migration of SessionManager::Event()
      GDBus++/netcfg: Initial migration of NetCfg:DNS::ResolverSettings()
      netcfg: Enforce smart-pointer usage for NetCfg::DNS::ResolverSettings()
      GDBus++/netcfg: Extend NetCfgChangeType with GDBus++ glib2 helpers
      GDBus++: Migrate the unit tests
      client/log: Rewrite the Core library D-Bus log implementation
      client: Fix minor coding style issues in ConnectionStatDetails
      common: Refactor build-config.h inclusion in MachineID
      Avoid including build-config.h in header files
      GDBus++: Complete migration of NetCfg::DNS::SettingsManager
      common: Add missing sstream include file in configfileparser.hpp
      GDBus++: Migrated NetCfgSubscriptions
      client: Minor code cleanup in core-client.hpp
      GDBus++: Migrate NetCfgSignals
      GDBus++: Extend NetCfgProxy::Device with DCO support
      GDBus++/client: Fix dco and log_level property handling
      client: Remove pointless debug logging of the current run status
      client: Add debug logging when validate_sender() rejects a caller
      build: Use --prod-version as Meson project version
      build: Replace hard-coded -Werror with werror option
      client/core: Rename 'signal' object to 'signals'
      client/core: Reorder and fix #include file related challenges
      client/core: Relocate statistics.hpp include
      client/core: Clean up some #include hierarchy in core-client/core-client-netcfg
      build: Add libnl-3.0 as a dependency
      build: Add debug_internal build configuration flag
      client: Add BackendSignals::Create() static helper function
      log/proxy: Use DBus::Object::Path instead of std::string
      configmgr/proxy: Use DBus::Object::Path instead of std::string
      client: Use DBus::Object::Path in NetCfgTunBuilder::netcfg_get_device_path()
      client: Cleanup leftovers in NetCfgTunBuilder for ovpncli-netcfg
      client: Add debug logging when requesting NetCfg Cleanup()
      netcfg/proxy: Use DBus::Object::Path instead of std::string
      tests/netcfg: Migrate netcfg-changeevent-selftest to GDBus++/meson
      netcfg: Migrate NetCfgChangeEvent fully to GDBus++
      tests/netcfg: Migrate netcfg-proxy-unit to GDBus++/Meson
      tests/netcfg: List D-Bus paths if the "Re-fetching" fails
      core: Update to OpenVPN 3 Core Library v3.8.4
      netcfg/dns: Migrate NetCfg::DNS::resolved proxy to GDBus++
      netcfg/dns: Refactor the SettingsManager and ResolverBackendInterface
      netcfg/dns: Refactor NetCfg::DNS::ResolvConfFile
      netcfg/dns: Fix NetCfg::DNS::ResolverSettings::operator<<() behaviour
      netcfg/dns: Refactor NetCfg::DNS::SystemdResolved
      netcfg/build: Include NetCfgChangeType into the static netcfg library
      build: Move some netcfg components out of the static libnetcfg library
      GDBus++: Migrate openvpn3-service-netcfg (non-DCO)
      selinux: Allow openvpn3-service-netcfg to use syslog
      client: Fix incorrect empty session_path property
      client: Explicitly set the scope on a few Core library types
      netcfg/dns: Fix glib2 GVariant ref counting issues
      netcfg: Preserve a pointer to the LogWriter object in NetCfgDevice
      netcfg: Return the proper data type in DcoAvailable
      netcfg: GDBus++: Complete migration of openvpn3-service-netcfg
      vendor: Remove googletest as a git submodule
      netcfg: Check the results when preserving capabilities
      netcfg/dns: systemd-resolved SetDefaultRoute is a method
      netcfg/dns: Detect unsupported SetDefaultRoute feature in systemd-resolved
      sessionmgr: Replace GetIntrospection() with SessionManager::Event::SignalDeclaration()
      sessionmgr: Minor cleanups of SessionManager::Event
      log: Make the StatusChange signal optional in LogSender
      log: Make LogWriter::Ptr a std::shared_ptr
      netcfg: Use DBus::Object::Path in method_fetch_interface_list()
      client: Add AttentionReq class
      GDBus++/tests: Migrate signal-listener
      configmgr/proxy: Do an extra object existence check in ctor
      dbus: Add a GDBus++ DBus::Object extension - Object::ACL
      core: Update to OpenVPN 3 Core Library v3.8.5
      Provide operator<<() function for OpenVPN 3 Linux specific types
      log: Fix incorrect data type in LogProxy::ProxyLogEvents()
      python: Migrate openvpn3.constants generator to Meson
      sessionmgr: Remove not needed arg in SessionManager::Event::SignalDeclaration()
      build: Include dbus/path.cpp into the common static library
      sessionmgr: Adding SessionManager::NewTunnelQueue infrastructure
      sessionmgr: Add generic code for sending session and manager signals
      sessionmgr: GDBus++ migration of the openvpn3-service-sessionmgr
      Codestyle refresh of migrated code
      docs: Update openvpn3-service-sessionmgr man page
      docs: Update D-Bus documentation for net.openvpn.v3.sessions
      vendor: Upgrade ASIO to v1.30.2
      build: Relocate build-version.h for dist packaging
      build: Fix scripts/get-version, use proper path for build-version.h
      build: Generate and install openvpn3/constants.h
      netcfg/dns: Fix missing virtual destructor compiler warnings
      configmgr: Fix warnings about dangling references
      gdbus++: Simplified DBus::Service API
      tests: Extend request-queue-service with file logging
      tests: Add request-queue-test
      tests: Make PlatformInfo unit-test run without D-Bus
      tests: Add more Meson test cases
      tests: Classify already declared Meson test cases
      events: Relocate AttentionReq and StatusEvent
      events: Relocate LogEvent into Events::Log
      dbus: Codestyle cleanup in GDBusPP::Object::Extension::ACL
      dbus/signals: Refactor AttentionRequired and StatusChange signals
      sessionmgr: Cleanup in sessionmgr-events.hpp
      log: Refactor LogFilter to Log::EventFilter
      dbus/signals: Implement ::Signals::Log
      dbus: Clean up minor issues in DBusRequiresQueueProxy
      dbus: Extend DBusRequiresQueueProxy to allow proxy assignment later on
      sessionmgr: Migrate the Session Manager D-Bus proxy client to GDBus++
      dbus/signals: Implement Signals::ReceiveLog
      log: Clarify DBus::Signal::Group::Create() call destination
      signals/statuschange: Harden StatusChange::GetLastStatusChange() in empty cases
      client/backendstart: Rework how StatusChange signals are sent
      client: Rework how backend VPN client sends StatusChange/AttentionRequired
      client: Rework RegistrationRequest signal sending
      sessionmgr: Refactor out StatusChange calls via LogSender
      sessionmgr: Fix a few minor codestyle related issues
      log: Remove StatusChange signal handling from LogSender
      log: Remove classes and features which is no longer needed
      tests: Migrate logservice1 debug/test tool to GDBus++
      tests: Extend logservice1 with logtag settings support
      build: Refactor ENABLE_DEBUG macro in netcfg-dns-direct-file-selftest
      build: Remove debug_internal setting
      common: Add a '[DCO]' tag in get_version() string when DCO enabled
      build: Redo the ENABLE_OVPNDCO macro setup
      log: Clean up LogTag
      log: Extend Log::EventFilter with a smart-pointer creator
      log: Cleanup LogMetaData and LogMetaDataValue
      events: Extend Events::Log() to also carry signal sender details
      signals: Extend Signals::ReceiveLog() to pass signal sender details
      log: Simplify the LogWriter API slightly
      log: LogWriter::Write() implementations must check if metadata is valid
      log/proxy: LogServiceProxy::Detach() must wait for a reply
      log: Make more Log::EventFilter methods publicly available
      log: Improve misleading Log::EventFilter error message
      client: Signals sent should not change the D-Bus path
      client: Backendstarter can use a bit longer idle-exit
      sessionmgr: Improve retrieve sessions helper method
      dbus/signals: std::move() the callback lambda to the signal handler
      events/log: Extend Events::Log to carry a LogTag::Ptr
      log: Simplify LogWriter API - remove PrependMeta() + AddLogTag()
      log: Rework passing of LogTag to the LogWriter backend
      signals/statuschange: Implement Signals::ReceiveStatusChange
      sessionmgr: Disable log forwarding for sessions closing
      GDBus++/log: Migration of net.openvpn.v3.log / openvpn3-service-log
      sessionmgr: Add missing session_name property in Session objects
      log: Initialize logstream pointer properly
      docs: Create, build and install man pages
      log: Remove unused namespace in openvpn3-service-log.cpp
      build/tests: Build the cmdparser-test program
      common: Remove RCPtr from cmdargparser.[ch]pp
      common/cmdargparser: Pass std::string by reference
      common/cmdargparser: Replace typedef with using for consistency
      GDBus++/ovpn3cli: Start migration of openvpn3 and openvpn3-admin cli tools
      policy: Allow access to GetAll property method in backends and log services
      tests: Migrate dbus/get-service-version-prop to Meson and GDBus++
      GDBus++/ovpn3cli: Migrate 'openvpn3-admin version'
      build: Move DNS configuration code from netcfg service to netcfgmgr_lib
      GDBus++/ovpn3cli: Migrate 'openvpn3-admin init-config'
      log/journald: Add O3_LOG_SENDER meta data for log service
      log/journald: Update the journald log parser to new Events::Log location
      log/journald: Extend the journald parser to include the updated log service
      GDBus++/ovpn3cli: Migrate 'openvpn3-admin journal'
      sessionmgr/proxy: Add Session::GetConfigName()
      GDBus++/ovpn3cli: Migrate argument helper functions
      GDBus++/ovpn3cli: Migrate 'openvpn3-admin log-service'
      netcfg/proxy: Enforce NetCfgProxy::Manager to be a smart-pointer
      log: Add additional mutex around log subscription changes
      netcfg: Catch errors sending signals
      netcfg/dns: Preserve device name in systemd-resolved D-Bus proxy
      netcfg/dns: Retrieve values set in NetCfg::DNS::resolved::Link setters
      netcfg/dns-resolved: Implement sending NetworkChange DNS added/removed signals
      netcfg/dns: Provide device name when sending DNS_*_REMOVED signals
      netcfg: Fix incorrect signal subscription D-Bus API
      netcfg: Don't try to send NetworkChange signals without subscribers
      netcfg/NetworkChange: Implement crude subscription ownership tracking
      netcfg: Activate the missing NetworkChange subscription feature
      netcfg/proxy: Fix typo in D-Bus data type subscription retrival
      netcfg: Fix type inconsistency in NetCfgChangeType
      netcfg/proxy: Use DBus::Exception::GetRawError() instead of what()
      netcfg/proxy: Use synchronous call for NotificationUnsubscribe
      netcfg: Base NetCfg exceptions on DBus::Exception
      GDBus++/ovpn3cli: Migrate 'openvpn3-admin netcfg-service'
      sessionmgr/proxy: Don't call StartServiceByName() in the constructor
      build: Add workaround for tinyxml2 macro bug in OpenVPN 3 Core
      sessionmgr/proxy: Implement SessionManager::Proxy::Manager::Introspect()
      sessionmgr/proxy: Implement methods for a few Session object properties
      GDBus++/ovpn3cli:
Migrate 'openvpn3-admin sessionmgr-service' sessionmgr: Remove superfluous check in helper_retrieve_sessions() utils: Add a global time_t to local date/time string converter configmgr/proxy: Extend the configmgr proxy with property getters GDBus++/ovpn3cli: Migrate 'openvpn3 configs-list' configmgr/proxy: Extend the configmgr proxy with CheckObjectExists() configmgr/proxy: Add helper code for using smart-pointers ovpn3cli/arghelpers: Add optional DBus::Connection to retrieve_config_path() GDBus++/ovpn3cli: Migrate 'openvpn3 config-manage' GDBus++/ovpn3cli: Migrate 'openvpn3 config-acl' GDBus++/ovpn3cli: Migrate 'openvpn3 config-dump' GDBus++/ovpn3cli: Migrate 'openvpn3 config-remove' GDBus++/ovpn3cli: Migrate 'openvpn3 config-import' configmgr/proxy: Improve error message on config object not found sessionmgr/proxy: Add GetConfigPath() method GDBus++/ovpn3cli: Migrate 'openvpn3 sessions-list' GDBus++/ovpn3cli: Migrate 'openvpn3 session-stats' sessionmgr/proxy: Add CheckSessionExists() method GDBus++/ovpn3cli: Migrate 'openvpn3 session-acl' client: Use StatusMinor::SESS_AUTH_URL for pending web authentications common/cmdargparser: Add missing #include <sstream> dbus: Improve object ownership GetUID/GetPID call error scenarios common: Add missing #include<string> in open-uri.hpp events: Fix typ0 in the Status method - Get/SetPrintMode log/proxy: Harden the LogProxy::Remove() method sessionmgr: Improve log_forwarders access across multiple threads configmgr/proxy: Update DBus::Proxy::Exception throw APIs sessionmgr: Session::method_ready() uses wrong exception string for parsing sessionmgr/proxy: Use *::List where possible for handling known std::vector<> types sessionmgr/proxy: Session::Ready() cannot use simple_call() sessionmgr/proxy: Session::GetLastStatus() should not return a const object GDBus++/ovpn3cli: Migrate 'openvpn3 session-auth' sessionmgr/proxy: Base SessionManager::Proxy::Exception on DBus::Exception ovpn3cli: retrieve_config_path() should return 
DBus::Object::Path sessionmgr/proxy: Provide all details when Proxy::Session::Ready() fallback throws configmgr/proxy: OpenVPN3ConfigurationProxy::Import() should return DBus::Object::Path ovpn3cli/GDBus++: Migrate 'openvpn3 session-start' ovpn3cli/session: Move statistics_plain() helper function to helpers.cpp ovpn3cli/GDBus++: Migrate 'openvpn3 session-manage' sessionmgr: Don't wipe the log_forwarders map until we're done log/logwriter: Extend the API to handle Events::Status common/utils: Add is_colour_terminal() helper function tests/GDBus++: Migrate the logfwd-listener test program sessionmgr/proxy: Move local exceptions to SessionManager::Proxy::Exception ovpn3cli/GDBus++: Migrate 'openvpn3 log' ovpn3cli: Make main() provide argv[0] details in exceptions GDBus++: Remove left overs from the old DBus implementation policy: Be more generous with access to Ping methods sessionmgr/proxy: Add extra check at setup to check availability in Manager configmgr/proxy: Replace Ping in ctor with CheckObjectExists() ovpn3cli/log: Fix signal setup errors with fresh starts ovpn3cli/log: LogAttach::lookup_config_name() does not always need iterations build: Remove autoconf/automake build configuration docs: Update README and BUILD documentation codestyle: Do a complete reformat for consistency docs/man: The logger service is renamed - openvpn3-service-log docs: Update the renamed openvpn3-service-log in misc documentation src: Update to the renamed openvpn3-service-log in the sources docs/man: Generalize the generation and installation of man pages build: Move finding 'cp' from dco to main meson.build build: Install the Python code via Meson docs: Minor style cleanup in dbus-overview.md build: Install the distro/systemd files if systemd is enabled build: Remove the '-dev' extension to binaries build: Split out the openvpn3/ Python module to a separate meson.build build: Prepare and install bash-completion files when enabled build: Generate and install polkit and PolicyKit 
rules build: Install the persistent configurations directory build: Migrate profilemerge-optionlist test program to Meson tests: Build config JSON import/export test programs tests: Build open-uri-test common: Get rid of glib-unix.h from cmdargparser.hpp build: Reduce linking deps for test programs build: Don't build unit-tests unless enabled ovpn3cli: Fix failing shell-completion for 'openvpn3 log' configmgr: Adjust ACLs for Fetch/FetchJSON and public_access rights configmgr: Grant read access to more config object properties configmgr: Provide better user-error when Authorize() rejects access log: Don't duplicate Events::Log() prefix in the log writes ovpn3cli/log: Remove duplicated Events::Log details in log output configmgr/proxy: Add/Remove tag methods provided odd errors ovpn3cli/config-manage: Remove not needed details in errors from --tag and --remove-tag ovpn3cli/config-manage: Extract all profile before displaying it configmgr/proxy: Add method to retrieve the D-Bus path of the object ovpn3cli/config-acl: Add some air around the output and show D-Bus path ovpn3cli/config-manage: Add D-Bus path to --show configmgr: Fix properties via add_persistent_property() not working code style: Use BreakBeforeBinaryOperators: NonAssignment code style clean-up ovpn3cli/config-manage: Better message on profile objects not found ovpn3cli: Improve overall error extraction for the command line ovpn3cli/log: Improve error message when LogForward() call fails netcfg/proxy: Fix incorrect data type for Device::SetMtu() netcfg: Implement missing device object properties configmgr: Fix mixed up Log Attach() API usage sessionmgr: Generalize the check if the backend VPN proxy is valid sessionmgr: Remove the backend VPN proxy if session closing fails sessionmgr: Catch errors if DBus::Object::Manager::RemoveObject() fails sessionmgr: Fail Authorization() if VPN backend is dead configmgr/proxy: Calling CheckObjectExists() should not happen in ctor sessionmgr/proxy: Improve the 
SessionManager::Proxy::Manager setup configmgr: Ensure log service is available on config import configmgr: Improve error message to user on import errors client: Check vpnclient object exists in 'Ready' callback ovpn3cli/session-start: Improve stability starting sessions from file tests: Don't run config-override-selftest if Config Manager is inaccessible configmgr: Extend configuration objects with a Validate() D-Bus method ovpn3cli/session-start: Validate config profiles before starting a new VPN session python: Add config profile validation in openvpn2 and openvpn3-systemd ovpn3cli/config: Add profile validity check in config-manage and configs-list github: Add issue template - migration to codeberg.org configmgr/proxy: Add feature check for Validate method ovpn3cli/session-start: Always refresh feature set setting up configmgr proxy netcfg/proxy: Check non-response calls for nullptr before freeing client: Catch exceptions from NetCfgProxy::Device method calls netcfg: Return when no DNS resolver is configured in method_add_dns_search() Frank Lichtenheld (1): build-selinux-policy: make sure to use bash Razvan Cojocaru (4): GDBus++: Migrate openvpn3-service-configmgr build: Use version_compare(), not lexicographical comparisons Use get_option('sbindir') instead of hardcoded 'sbin' log/syslog: Don't assign NULL to const std::string& parameter
-
v21 (edf113b8)
OpenVPN 3 Linux v21 (stable)

This is primarily a maintenance release with several minor bug fixes and general improvements.

* Improvement: Upgrade OpenVPN 3 Core Library to v3.8.2
  This is an upgrade from Core Library 3.7, which brings more enhancements and adds support for the newer ovpn-dco-v2 kernel module.

* Bugfix: OpenVPN 3 Linux AWS VPC lacks support for IMDSv2
  mattjbyrd reported that the AWS VPC integration was not working on EC2 instances where IMDSv2 was enforced. This issue is resolved with the OpenVPN 3 Core Library upgrade.
  Details: <https://github.com/OpenVPN/openvpn3-linux/issues/192>

* Bugfix: Python StatusCallback did not work without LogCallback enabled
  Jeremy Fleischman reported that the openvpn3 Python module did not work when only a SessionManager.StatusCallback() method was set up, without a LogCallback. He provided a fix which is now included in v21. Thanks a lot, Jeremy!
  Details: <https://github.com/OpenVPN/openvpn3-linux/commit/ba6fe37e7e28d1e633b56052383da3072f03c11e>

* Bugfix: openvpn3 config-manage override may not always work
  The openvpn3 config-manage override options would in some cases not work, due to a programming error in the internal set_override() method and the SetOverride() D-Bus method. The result was that string values typically ended up empty. All the overrides can now be configured again.

* Bugfix: OpenVPN 3 Python based configuration parser issues
  Several options and --profile-overrides did not work or were missing completely, such as the dns-scope and allow-compression overrides. This has been improved, and the list of overrides should now match openvpn3 config-manage. The Python based option parser also did not properly support overrides with a boolean true/false setting. This has also been fixed.

* Improvement: Detect needed host specific settings during package install
  OpenVPN 3 Linux v20 introduced the openvpn3-admin init-config command. This has been further improved and will now be run automatically during package installation. The command probes the system for important features, such as which kind of system logging is in use and which DNS resolver approach is available (systemd-resolved, /etc/resolv.conf), and performs other sanity checks: that the needed openvpn user/group is present, that important directories are configured correctly, and that SELinux based systems have the proper file contexts set up. The default behaviour is that existing configuration changes will NOT be overwritten; only if no settings have been set will it generate configuration files matching the running system.

* Improvements: OpenVPN 3 Log Service
  The OpenVPN 3 Log Service (openvpn3-service-logger) made it hard to track where Attached: and Detached: log events came from. These events now carry a PID reference, which can be traced more easily in the logs.

* Improvements: OpenVPN 3 Configuration Manager feature support tracking
  When upgrading OpenVPN 3 Linux, there may be situations where an older OpenVPN 3 Configuration Manager is still running while the openvpn3 command line tool is newer. When the command line tool attempted to access features not available in the Configuration Manager backend, the result was an error and a poorer user experience. The glue code on the calling side (openvpn3) has been extended with a feature/version mapping, so it can filter out operations the running backend version does not support. In most cases the openvpn3 config commands will then continue to work as before, just without access to the features available in newer backends. Similar functionality is planned for the Session Manager and is being considered for the OpenVPN 3 Python module.

* Improvements: OpenVPN 3 Python module
  Configuration profiles from OpenVPN Access Server, and sometimes OpenVPN Cloud Connexa, often contain "meta options", typically prefixed with "# OVPN_". The Python parser would not accept several of the deprecated meta options. The parser has now been extended to filter out the options not needed, used or supported by the OpenVPN 3 Core Library.

* Improvements: Adjustments needed to satisfy Debian packaging
  Several minor changes have been made to satisfy the Debian package linter utility. Some issues remain; some cannot be resolved before Debian ships a newer dbus-daemon, as we need functionality only present in a newer release. The dbus-broker currently lacks the same functionality. This work is done in collaboration with Marc Leeman, who is working on providing a native Debian repository package for OpenVPN 3 Linux. Thanks a lot, Marc!
  Details: <https://github.com/OpenVPN/openvpn3-linux/issues/193>

* Feature: Label/tag support for imported OpenVPN configuration profiles
  The OpenVPN 3 Configuration Manager and the openvpn3 config-manage and configs-list commands have been extended with the ability to add one or more text labels (tags) to configuration profiles. The openvpn3 config-import command can also assign tags at import time. Users with many imported configuration profiles can then more easily filter which configurations are shown by openvpn3 configs-list. Other tools (openvpn3-as, openvpn-connector-setup) will also make use of this feature as they are updated, to make it easier to see where a configuration profile came from.

* Feature: JSON formatted output with openvpn3 configs-list and config-dump
  The list of configurations can now be retrieved as a JSON formatted list via openvpn3 configs-list --json. The openvpn3 config-dump command normally dumps the configuration in the standard OpenVPN configuration file format; its JSON output (config-dump --json) also contains all the additional meta options, overrides and access control lists which cannot be expressed in the standard file format. This is the same format used internally for persistent configuration profiles.

* Feature: Filtering options when retrieving available configurations
  The openvpn3 configs-list command has been extended with several filter arguments (--filter-tag, --filter-owner and --filter-config), to list only profiles with a specific tag or owner, or matching a simple prefix filter on the configuration name. The OpenVPN 3 Configuration Manager also exposes two new D-Bus methods to retrieve available configuration profiles by tag or by owner.

* Feature: Simple and verbose list formats in openvpn3 configs-list
  The default listing in openvpn3 configs-list has been simplified and now lists only one configuration profile per line. The more comprehensive list can be retrieved using the --verbose argument; the verbose list also includes the configuration tags.

---- Changes from v20 to v21 -------------------------------------------

Antonio Quartulli (2):
      ovpn3cli/init-config: use namespace NetCfg::DNS also if no systemd is available
      netcfg-dco: remove code made obsolete by ovpn-dco-v2

David Sommerseth (128):
      Update GitHub pull-req template
      configmgr: Add override caching to OpenVPN3ConfigurationProxy::GetOverrides()
      configmgr: Extend Configuration Proxy with GetOverrideValue()
      ovpn3cli/config: Explicitly provide DNS Resolver Scope setting
      netcfg/dns: Enable default DNS routing when scope is global
      netcfg/dns: Document the NetCfg::DNS::systemdResolved::updateQueueEntry properties
      build: Fix improper cleanup
      aws: Remove execute flag on systemd unit file
      log: Save a flag for changed properties in LogServiceProxy
      log: Extend LogServiceProxy to track what the original value was
      ovpn3cli/admin: Refactor log-service command
      docs: Improve doxygen setup
      common: Add missing header file in lookup.hpp
      netcfg/dns: New method - ResolvConfFile::GetNameServers()
      ovpn3cli: Extend init-config to also consider /etc/resolv.conf
      log: Extend LogMetaDataValue to handle integers
      log: Parse the O3_INTERNAL_METHOD meta data
      log: Extend Logger with GetLogTagPtr() method
      log/service: Refactor out log detaching logic to separate method
      log/service: Enable automatic cleanup of stray subscriptions
      python: Fix ConfigParser.ReadConfigFile not removing semicolon comments
      Update to OpenVPN 3 Core library v3.8 baseline
      client: Check if the configuration is DCO compliant before start
      vendor: Update to ASIO 1.28.0
      log: Add caller PID to Attach/Detach calls
      docs: Remove Linux distributions which is no longer supported
      log: Strip double {tag:...} references in openvpn3-admin journal output
      core: Update to latest OpenVPN 3 Core 3.8 related changes
      ovpn3cli: Add --exists and --quiet to config-manage
      configmgr: Add missing #include<dbus/path.hpp>
      docs: Add missing configmgr description: SetOverride/UnsetOverride
      configmgr: Add support for assigning tags to config profiles
      configmgr: Preserve configuration profile tags on disk
      configmgr: Return gracefully if a method call is not processed
      configmgr: Expose C++ method for checking config profile tags
      configmgr: Add D-Bus method to search for config profile tags
      configmgr/proxy: Extend proxy object with tag management
      ovpn3cli: Show config profile tags in config-manage
      configmgr/proxy: Improve tag management error handling in proxy object
      ovpn3cli: Add tag management to config-manage
      ovpn3cli/config-manage: Consider --quiet in all informational output
      configmgr/proxy: Make tag prefix 'system:' reserved
      python: Extend Configuration implementation with tag management
      python: Implement SearchByTag() in ConfigurationManager object
      python: Extend ConfigurationManager.Import() to add system tags
      python/openvpn3-as: Add an openvpn3-as specific system tag on import
      configmgr: Refactor ConfigManagerObject D-Bus method call handler
      configmgr: Refactor ConfigurationObject D-Bus method call handler
      configmgr: Rework the config profile usage counter check logic
      configmgr: Replace __FUNCTION__ macro in GLibUtils calls
      core: Switch to OpenVPN 3 Core version 3.8
      configmgr: Reorder #include files
      configmgr: Remove stray handler_fetch_json() method
      configmgr: Refactor g_variant_get() calls, use GLibUtils instead
      dbus/glib: Extend GVariantBuilder helpers with type override
      configmgr: Refactor std::vector D-Bus return values to use GLibUtils
      configmgr/proxy: Refactor g_variant_get() calls, use GLibUtils instead
      dbus: Extend GLibUtils with ParseGVariantList()
      configmgr/proxy: Refactor proxy code retrieving D-Bus arrays
      ovpn3cli: Add --filter-config to configs-list command
      configmgr/proxy: Extend proxy object with tag search
      ovpn3cli: Add --filter-tag to configs-list command
      configmgr: Add D-Bus method to search for profiles by specific owner
      configmgr/proxy: Extend proxy object with SearchByOwner()
      ovpn3cli: Add --filter-owner to configs-list
      ovpn3cli: Add --count to configs-list
      ovpn3cli: Improve configs-list output
      client: Do not reset empty env array in backendstart
      core: Update to OpenVPN 3 Core library v3.8.1
      dbus: Clean up odd init booleans in DBusProxy
      dbus: Cleaning up improper DBusProxy internal proxy pointers freeing
      dbus: Remove the DBusProxy() constructor accepting DBus() objects
      dbus: Protect DBusProxy::proxy pointers changes better
      ovpn3cli: Fix signedness comparison issue in cmd_config_manage()
      netcfg: Fix improper use of std::move() variables in NetCfgProxyException
      dbus: Fix copy-paste error in DBusProxy destructor
      configmgr: Use a better data type for timestamps in JSON Export()
      netcfg/unit: Add DNSResolverSettings.AddNameServer_multiple test
      netcfg/dns: Replace RC/RCPtr with std::shared_ptr in ResolverSettings
      netcfg/dns: Be consistent with for-iterators in SettingsManager
      dbus: Add more details when dbus_proxy_call() fails
      dbus: Fix incorrect use of proxy object in DBusProxy::GetNameOwner()
      build: Add a few missing #include files
      netcfg/dns: Improve details on file removal in FileGenerator::Write()
      netcfg/dns: Catch and report errors in ResolvConfFile::~ResolvConfFile()
      netcfg: Check fd properly before close() in NetCfgServiceObject::protect_socket()
      common: Fix potential memleak in SingleCommand::parse_commandline()
      common: Fix incorrect arg passing in Configuration::OptionMapEntry
      common: Fix incorrect lambda arg passing in Configuration::File
      docs: Fix incorrect signal signature for netcfg.NetworkChange
      ovpn3cli/configs-list: Add --json output format
      build: Do not distribute ovpn-dco header as part of openvpn3-linux
      configmgr: Use Json::Value::UInt64 instead of uint64_t
      dbus/glibutils: Don't initialize std::stringstream
      configmgr: Check override type as well as D-Bus type in set_override()
      configmgr: Add missing #include in overrides.hpp
      configmgr: Fix incorrect set_override() declaration
      configmgr: Fix lacking config override value extraction
      configmgr/tests: Update config-override-selftest exception checks
      python: Add support for --ignore-unknown-option in openvpn2
      core/config: Extend OpenVPN Access Server configuration support
      core/config: Filter out meta-options in OptionListJSON::json_export()
      tests: Add unit test for OptionsJSON string and JSON export methods
      common: Extend ParsedArgs::Present(std::vector<>) to optionally return empty string
      ovpn3cli: Don't throw an exception in config-manage if operation is not found
      python: Fix typ0 in error message with incorrect override key
      python: Move supported profile overrides definition
      python: Ensure --profile-overrides is not put into generated config
      python: Add support for allow-compression profile override setting
      ovpn3cli/config: Move openvpn3 config-import into a separate compilation unit
      ovpn3cli/config: Extend JSON schema used by config-dump --json
      python: ConfigParser does not process boolean overrides correctly
      python: Add support for dns-scope profile override in ConfigParser
      core: Update to OpenVPN 3 Core library v3.8.2
      configmgr/proxy: Add framework for backend feature checking
      configmgr/proxy: Add CfgMgrFeatures::TAGS checking
      ovpn3cli/config: Add feature check for configs-list and config-manage
      configmgr/proxy: Add forcing feature loading in the OpenVPN3ConfigurationProxy
      ovpn3cli/config: Add --tag support to config-import
      ovpn3cli/config: Fix typo in JSON key for transfer_owner_session
      ovpn3cli/config: Add missing feature check in config-dump
      proxy: Fix incorrect version extraction logic with non-service root paths
      build: Rework the OpenVPN 3 Core library version macro (OPENVPN_VERSION)
      python: ConfigParser does not accept --bind
      python: ConfigParser did not accept dns-fallback-google and persist-tun overrides
      docs/man: Use the proper section tag in openvpn3-systemd.8
      misc: Fixing several typ0s all over the code base
      docs: Minor touches to README and BUILD docs

Frank Lichtenheld (1):
      docs/man: Fix description in openvpn3-config-manage man page

Jeremy Fleischman (1):
      python: Fix StatusChangeCallback() so it works without a LogCallback
-
v20 (e7531f45)
OpenVPN 3 Linux v20 (stable)

This is the first stable release of OpenVPN 3 Linux. This release mostly adds minor improvements and a few bug fixes, and adds two more helper tools.

* Feature: openvpn3-admin journal
  This helper retrieves log events from the OpenVPN 3 Linux stack logged to systemd-journald. It can be considered a lightweight journalctl, targeting the filters which are useful for OpenVPN 3 Linux.

* Feature: openvpn3-admin init-config
  This is another helper for configuring OpenVPN 3 Linux in an automated fashion, based on the current runtime environment. It ensures the proper state directories are present with the proper ownership and access, as well as SELinux context labels where SELinux is available. It checks whether the needed user/group accounts are present and whether to use systemd-journald and systemd-resolved. In the next release, this feature will also be used in the packaging scripts for Debian/Ubuntu and Fedora/Red Hat Enterprise Linux.

* Improvement: Full support for CR_TEXT based multi-factor authentication
  Prior releases did not fully support CR_TEXT/crtext based authentication, which resulted in disconnecting from the server while querying the user for the additional credentials. The new mode is more efficient and keeps the connection to the server alive.

* Improvement: Improved behaviour with an incorrect private key passphrase
  Prior releases would dump an error message which was not very end-user friendly when the connection failed due to an incorrect passphrase for the encrypted private key. This has been improved, and the error handling should be clearer for non-technical users.

* Improvement: Run resume and restart operations in the background
  Until now, the openvpn3 session-manage --resume and --restart operations ran in the foreground, which would stop the VPN session if the operation was interrupted. These operations can typically run in the background. If re-authentication is needed, the openvpn3 session-auth command is available to complete it. It is still possible to run these operations in the foreground by adding the --timeout argument with a value reasonable for the operation to complete.

* Improvement: Install the openvpn3/constants.h header file
  This adds a header file containing all the constants used by the OpenVPN 3 Linux stack, suitable for C programs. The constants listed here correspond to those found when importing the Python 3 openvpn3.constants module. These constants are typically used in D-Bus signals issued by the OpenVPN 3 Linux stack.

* Bugfix: Don't hardcode use of --journald in openvpn3-service-logger
  Not all Linux distributions ship with the systemd stack. Systemd support is now auto-detected at build time, with fallback to syslog if systemd support is lacking.

* Bugfix: Don't hard-fail if systemd-resolved is unreachable
  If openvpn3-service-netcfg could not reach or access the systemd-resolved service, it would hard-fail, which in turn caused the VPN session to fail to start. This has been changed so that the VPN session succeeds, but without the DNS configuration being applied; DNS queries then keep going to the resolver configured before the session started. This situation is duly logged in the system logs.

* Documentation: Highlight deprecation of openvpn3-autoload
  The openvpn3-autoload feature is being deprecated in favour of the systemd openvpn3-session@.service feature. The openvpn3-autoload feature will still be around until there is a suitable alternative for Linux distributions not capable of using the more native systemd approach.

* Documentation: Generic overhaul
  Many of the man pages, as well as the README.md file, have been reviewed and updated. Many details have been clarified, and README.md has been split into several files, as it had grown quite large and some of the information is better kept in other files to avoid duplication.

* Code: Coding style
  There is now a .clang-format coding style definition, and all C++ source code and headers should now use this style.

* Copyright: Switch to SPDX license tags
  To ease maintenance of the copyright blocks, all files with an AGPL copyright block have been switched to the SPDX license tag.
-
v19_beta (33da965f)
OpenVPN 3 Linux v19 (beta)

This release does another round of improvements to the logging system, in addition to bug fixes and other improvements.

* Log system changes
  The net.openvpn.v3.log service has been extended to support logging directly to systemd-journald as an alternative to syslog. The default log destination has been changed from syslog to journald.

  Using systemd-journald as the log destination allows attaching more meta data variables to the log events, which can be used when querying the journal with journalctl. These additional meta data variables can be observed when using the 'verbose', 'json', 'json-pretty' or 'export' output modes (journalctl --output). The OpenVPN 3 Linux specific meta data variables are prefixed with "O3_". The meta variables OpenVPN 3 Linux may make use of are:

  - O3_LOG_GROUP / O3_LOG_CATEGORY
    These map directly to the logging classification described here:
    <https://github.com/OpenVPN/openvpn3-linux/blob/master/docs/dbus/dbus-logging.md>

  - O3_LOGTAG
    This tag is unique per openvpn3-service-* process and changes if the process restarts. So far this information has been added to the beginning of the log lines as the '{tag:....}' prefix. This prefix can now be removed from the log lines by running:

      # openvpn3-admin log-service --enable-log-prefix false

    O3_LOGTAG carries the same identifier as the prefix, without the '{tag:...}' encapsulation. The log tags currently active can be listed by running:

      # openvpn3-admin log-service --list-subscriptions

  - O3_SENDER, O3_INTERFACE, O3_OBJECT_PATH
    These are added if the D-Bus log details are enabled by running:

      # openvpn3-admin log-service --dbus-details true

  - O3_SESSION_TOKEN
    This is used by the openvpn3-service-client process, where the session token has the same value as the argument the process is started with.

  To list only these OpenVPN 3 Linux meta variables, run:

      # journalctl -o verbose --since today \
          --output-fields=O3_SENDER,O3_INTERFACE,O3_METHOD,O3_OBJECT_PATH,O3_LOGTAG,O3_SESSION_TOKEN,O3_LOG_GROUP,O3_LOG_CATEGORY,MESSAGE \
          _PID=$(pidof openvpn3-service-logger)

  This query can be narrowed further. To list only client process log events, add this to the command above:

      O3_LOG_GROUP=Client

* Enhancement: IV_PLAT_VER sent to server
  This field provides OS details of the platform the OpenVPN 3 client is running on. It contains an arbitrary string provided by the systemd-hostnamed service or, if that is unavailable, more generic information extracted using the uname() system call. The IV_GUI_VER string has also been slimmed down to only provide information about the OpenVPN 3 Linux client itself. IV_VER contains the version of the OpenVPN 3 Core library which OpenVPN 3 Linux is compiled against.

* Update to OpenVPN 3 Core Library v3.7.1
  This update of the OpenVPN 3 Core library is a maintenance release. The changes which touch OpenVPN 3 Linux are related to the ovpn-dco kernel module support. On systems running several VPN sessions in parallel with DCO (Data Channel Offload) enabled, the Core library could in some situations perform operations on the wrong DCO interface.

* Bugfix: Web based authentication with OpenVPN Access Server
  When connecting to an OpenVPN Access Server configured with web based authentication (i.e. SAML), the authentication could fail on renegotiations. The fix currently applied requires importing the Access Server profile once again. This will be improved further in the next release.
  <https://github.com/OpenVPN/openvpn3-linux/issues/154>

* Bugfix: Python warning with openvpn3-as on Ubuntu 22.04
  When running the openvpn3-as utility on Ubuntu 22.04, it would complain about using a deprecated ssl.SSLContext() mode. This has been updated to use the preferred mode.

* Bugfix: openvpn3 command line bash-completion
  The bash-completion support has been changed to avoid adding an additional space after file and directory names.

The complete list of changes:

David Sommerseth (74):
      tests: Improve MachineIDTest::get_systemd_api test
      build: Split up proxy-netcfg into a manager and device compilation unit
      core: Update to latest OpenVPN 3 Core Library 3.7 development
      shell: Fix proposing more options to --config shell completion
      shell: Fix trailing spaces in bash-completion
      build: Generate C compatible header file
      dbus: Add missing #include in glibutils.hpp
      log: Move LogTag into its own compilation unit
      log: Extend LogTag to enable/disable the tag mark encapsulation
      log: Extend LogTag with copy constructor
      log: Add new helper classes for log meta data
      log: Implement the new meta data log handling
      log: Extend LogMetaDataValue to process LogTag objects
      log: Extend LogMetaData with GetMetaDataRecords() method
      log: Use LogTag in Logger class instead of std::string
      common: Allow setting default filename in Configuration::File ctor
      common: Extend Configuration::File with Get/Set for more data types
      log: Re-implement configuration state saving
      log: Switch to GLibUtils::ExtractValue in LogEvent
      log: Implement LogTag prefix configuration setting
      log: Extend LogEvent with LogGroup/Category string extraction
      log: Add support for native systemd-journald logging
      log: Implement systemd-journald support in openvpn3-service-logger
      log: Split logwriter.hpp into its own compilation unit
      log: Split out StreamLogWriter and ColourStreamWriter
      log: Split out SyslogWriter to its own compilation unit
      log: Split out JournaldWriter to its own compilation unit
      log: Final change of the logwriter.hpp split-up refactoring
      log: Extend LogWriter API to provide backend info
      log: Extend net.openvpn.v3.log interface with log_method property
      cli/log: Provide information about logging method in use
      cli/log: Add admin --enable-log-prefix config setting
      log: Fix memory corruption with syslog/openlog()
      log: Rework initial opening information in logger service
      common: Extend Configuration::File with GetFilename()
      log: Extend state/config file option coverage
      log/logger: Simplify exclusive option check
      log/logger: Rework configuration/state loading
      log/logger: Extend with D-Bus property for config_file
      common: Add missing include files in cmdparser-exceptions.hpp
      cli/log: Add new options for logger config file management
      logger: Enable --journald as default log method
      build: Don't use space in PACKAGE_NAME
      docs/man: Add missing --auth-req option in openvpn3 session-auth
      docs: Added GitHub pull-request template
      log: Avoid halting logger startup on missing log-service.json
      dbus: Make bus_name and interface protected members in DBusProxy
      dbus/proxy: Check if property proxy is configured
      dbus/connection: Add extra connection tests in DBus constructors
      common: Add PlatformInfo API
      client: Send platform OS/distro peer information to server
      client: Simplify IV_GUI_VER string
      utils: Fix incorrect string concat in get_guiversion()
      tests/unit: Handle PlatformInfo::DBus error gracefully
      python: Use ssl.PROTOCOL_TLS_CLIENT in openvpn3-as
      configmgr: Initialise all members of ConfigurationObject class
      common: inline optparser_mkline function in core-extensions
      build: Fix clang++ warnings related to __LINE__ usage
      sessionmgr: Remove not needed namespace reference
      build: Fix missing override issues in logging and netcfg-signals.hpp
      log: Remove not used class variable in LoggerProxy
      log:
Add virtual destructor in LogTag log: Pass the LogTag objects as smart pointers tests: Extend LogMetaData unit tests (LogMetaData, LogMetaDataValue) client: Add workaround for OpenVPN Access Server web authentication tests/core: Extend profilemerge-optionlist with dump functionality ovpn-dco: Update to latest headers docs: Add details about nscd and sssd log: Fix lacking LogWriter::AddMeta() doxy doc log: Fix missing O3_LOGTAG meta data variable cli/log-service: Fix incorrect change detection for log prefixing cli/log-service: Correct the behaviour with journald and D-Bus details distro: Improve openvpn3-session@.service unit core: Update to OpenVPN 3 Core Library v3.7.1 Jagadeesh Kotra (1): docs/client: fix typo in net.openvpn.v3.client docs Raphael Mader (1): log: Fix non-systemd build
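The two context modes matter more than the deprecation warning itself: an ssl.SSLContext() built without a protocol argument does no certificate or hostname verification unless the caller turns it on, whereas ssl.PROTOCOL_TLS_CLIENT verifies by default. The following Python is an added example, not openvpn3-as code or any other part of the project. It builds the hardened context, shows the opt-out that corresponds to the --insecure-certs option introduced in v17_beta (see that release below), and reproduces the deprecation warning on Python 3.10 or newer. The cafile parameter and the helper names are assumptions made for the example.

```python
import ssl
import warnings
from typing import List, Optional


def build_https_context(insecure_certs: bool = False,
                        cafile: Optional[str] = None) -> ssl.SSLContext:
    """Return an SSLContext for an HTTPS client talking to an Access Server.

    ssl.SSLContext() with no protocol argument (what the old code did) is
    reported as deprecated by Python 3.10 and, worse, defaults to
    verify_mode=CERT_NONE and check_hostname=False.  PROTOCOL_TLS_CLIENT
    turns certificate verification and hostname checking on by default, so
    a forgotten setting fails closed rather than open.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile is not None:
        # Assumed extra: trust an additional (e.g. internal) CA in addition
        # to, not instead of, the default trust store.
        ctx.load_verify_locations(cafile=cafile)
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    if insecure_certs:
        # Equivalent of openvpn3-as --insecure-certs: no chain or name check.
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies_server(ctx: ssl.SSLContext) -> bool:
    """True only if the context both validates the chain and checks the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def legacy_context_warnings() -> List[str]:
    """Reproduce the Ubuntu 22.04 complaint: DeprecationWarning messages emitted
    by ssl.SSLContext() without a protocol argument (empty before Python 3.10)."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        ssl.SSLContext()
    return [str(w.message) for w in caught
            if issubclass(w.category, DeprecationWarning)]


if __name__ == "__main__":
    print("deprecated-call warnings:", legacy_context_warnings())
    print("hardened context verifies server:",
          context_verifies_server(build_https_context()))
    print("--insecure-certs context verifies server:",
          context_verifies_server(build_https_context(insecure_certs=True)))
```

The point of the opt-out branch is that it is explicit and visible at the call site; with the old default-protocol context, the same weak state was the silent default.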
v18_beta (5c47318f)
OpenVPN 3 Linux v18 (beta)

This release does a larger overhaul of the logging system, with a few additional bug fixes and other improvements.

* Log system changes

In prior releases, the backend VPN client (openvpn3-service-client processes) sent Log signals (events) to the log service (openvpn3-service-logger process). If a user wanted to receive real-time log events, it could do so by flipping a boolean flag in the VPN session, managed by the session manager (openvpn3-service-sessionmgr process). In that case the session manager would also pick up Log events from the VPN client and forward them.

This architecture had a flaw: once log forwarding in the session manager was enabled for a session, anyone could pick up these log events. And if one of these log listeners turned off the log forwarding, it was turned off for all other listeners at once. This design also meant that the VPN client process had to send Log events to two different destinations, both the logger and the session manager.

With the change introduced in v18_beta, the VPN client process only sends Log events to the logger service. A user who wants to receive log events now calls the net.openvpn.v3.sessions.LogForward() method with the enable flag set, instead of flipping the receive_log_events boolean property directly. The session manager performs proper access control on the caller and then tells the log service to forward Log events directly to the program that wants to receive them. To disable the forwarding, the program calls the same method with the enable flag unset.

This new architecture also allows multiple log forwarders to run in parallel without impacting the other listeners; each forwarding is handled independently. Forwarding Log events no longer impacts the session manager at all.

* Enhancement: openvpn3-as profiles can be started via systemd

In v16_beta a new systemd unit file was introduced to make it possible to manage VPN sessions via systemd. With v18_beta this integration has been extended to the openvpn3-as utility, which can download a VPN profile directly from an OpenVPN Access Server. When run as root, two new options can be used: --systemd-start and --owner. The first instructs openvpn3-as to enable the imported configuration profile to be started automatically during boot. The --owner option takes a username argument which, when run as root, transfers the ownership of this VPN profile to the given user. When the VPN session is then started as root, the session will automatically be owned by that user as well.

* Bugfix: openvpn3 session-start with web based authentication

The instructions to help continue with web based authentication were misleading and no longer correct. This has been improved, and the console now shows the correct instructions.

* Bugfix: Configuration manager could mangle --verify-x509-name

When importing a configuration file with the --verify-x509-name option, it would often be misinterpreted when imported as a persistent configuration profile. This has been resolved, and the internal on-disk storage format for persistent configuration profiles has been upgraded to correctly handle this class of option, with quoted strings.
<https://github.com/OpenVPN/openvpn3-linux/issues/90>

* Bugfix: openvpn3-service-configmgr could segfault

If openvpn3-service-configmgr could not reach the net.openvpn.v3.log service (openvpn3-service-logger), it would segfault, needlessly resulting in a core dump. This has been resolved by adding proper error handling; it now exits gracefully with a more reasonable error message.

* Bugfix: Network Configuration state saving failing silently

When the Network Configuration service (openvpn3-service-netcfg) failed to write its configuration to disk, the prior implementation ignored the error. This has been improved: the error is now presented to the user if saving the configuration file fails.

* Bugfix: Python based config parser can now handle legacy algorithms

The v17_beta release introduced an --enable-legacy-algorithms flag to be set on a configuration profile. This worked fine via the openvpn3 config-manage interface, but the Python parser lacked the parsing of this option. This has now been implemented, via the --profile-override option.

* Bugfix: Python based config parser did not accept --auth-nocache

The --auth-nocache option is not a feature directly available in the OpenVPN 3 Core library. But it does not prevent a configuration file from working, so it has been put on the internal "ignore list".

* Bugfix: openvpn2 could sometimes dump spurious error messages

If CTRL-C was pressed during the shutdown phase of a VPN session, where it typically waits for statistics data to be collected, it could print various errors about local variables being unavailable. This has now been improved.
The complete list of changes:

David Schneider (1):
      docs: Fix incorrect doc paths in net.openvpn.v3.sessions docs

David Sommerseth (79):
      core-extension: Revamp the whole OptionListJSON class
      core-extension: Remove the ProfileMergeJSON class
      ovpn3cli: Improve session-start tip with URL auth
      python: Add support for enable-legacy-algorithms in config parser
      python: Extend openvpn3.Configuration class with GetConfigName()
      python: Extend openvpn3.Configuration class with SetOwnershipTransfer()
      python: Extend openvpn3-as with systemd integration
      python: Extend openvpn3-as with --owner
      log/proxy: Switch over from RCPtr to std::shared_ptr
      log/proxy: Add LogServiceProxyException exception class
      log/proxy: Add LogServiceProxy::AttachInterface() helper function
      configmgr: Switch over to LogServiceProxy::AttachInterface()
      sessionmgr: Switch over to LogServiceProxy::AttachInterface()
      netcfg: Switch over to LogServiceProxy::AttachInterface()
      client: Switch over to LogServiceProxy::AttachInterface()
      addons/aws: Switch over to LogServiceProxy::AttachInterface()
      python: Add --auth-nocache to ConfigParser's ignore list
      python: Fix spurious errors during disconnect in openvpn2
      common: Add error handling to Configuration::File::Save()
      dbus: Fix various warnings in connection.hpp
      dbus: Fix/improve header inclusion in signal.hpp
      client: Add missing include dbus-log.hpp in backend-signal.hpp
      log: Fix several spelling errors in comments in logwriter.hpp
      log: Remove the openvpn namespace and improve includes in dbus-log.hpp
      build: Rework distro/systemd EXTRA_DIST file list
      python: Allow --auth-retry to be passed on
      tests: Fix incorrect namespace closing in machine-id test
      build: Disallow AWS addon builds without OpenSSL
      build: Remove hard-coded gio-unix-2.0 include paths
      common: Fix missing header include for UID/GID lookups
      dbus: Remove the openvpn namespace from DBus related classes
      dbus: Extend DBus class with GetUniqueBusName()
      dbus: Ensure the D-Bus connection is valid
      dbus: Make path.hpp a separate compilation unit
      dbus: Free some GError structures in DBusProxy calls
      log: Refactor service.hpp to be a separate compilation unit
      log: Replace RC/RCPtr based smart pointers with standard C++
      log: Make dbus-log.hpp a separate compilation unit
      log: Don't log or proxy empty log events
      dbus: Extend with DBusSignalProducer::set_object_path()
      client: Extend with BackendSignals::SetSessionPath()
      client: Extend RegistrationConfirmation D-Bus method with session path
      client: Extend BackendSignals with GetSessionPath() method
      client: Provide related session path as a property
      log: Implement net.openvpn.v3.log.AssignSession
      client: Provide session path details to log service
      log: Extend D-Bus logging with path filtering
      log: Extend LogSender with ProxyStatusChange() method
      log: Extend Logger class with LogSender forwarding support
      log: Extend log forwarding to also include StatusChange signals
      log: Implement base LoggerProxy class
      log: Implement ProxyLogEvent method and D-Bus proxy helper class
      log: Implement the LogForwardBase helper class
      sessionmgr: Tear out the current SessionLogEvent implementation
      log: Implement proper access control in LoggerProxy
      sessionmgr: Re-implement log forwarding to end-users
      log: Re-implement LogForwardBase to request forwarding via session manager
      sessionmgr: Fix incorrect #include fencing
      ovpn3cli: Re-implement log command with new logging infrastructure
      log: Implement LogEvent::RemoveToken()
      log: Remove session token from forwarded log events
      python: Rework openvpn3.SessionManager for the new logging infrastructure
      python: Update openvpn2 to properly disable logging on shutdown
      distro/systemd: Disable log forwarding properly on shutdown
      build: Install D-Bus policies in ${datadir}/system.d
      dbus: Extend DBusSignalProducer with SendTarget() method
      log: Extend LogSender::Log() with an optional target address
      client: Rework BackendSignals to avoid Log signal duplication
      dbus: Extend GLibUtils with CreateEmptyBuilderFromType()
      log: Extend LogSender with GetLastLogEvent()
      client: Extend internal session object with last_log_line property
      sessionmgr: Re-implement last_log session object property
      vendor: Upgrade ASIO to 1.22.1
      dco: Upgrade to latest ovpn-dco git master
      policy: Add a mandatory D-Bus policy for Log and StatusChange signals
      docs: Update README with dependencies and distro changes
      docs: Improve the net.openvpn.v3.log docs slightly
      docs/README: Add info about systemd unit file
      docs/README: Fix a few minor details

Jagadeesh Kotra (1):
      docs: Fix missing information for net.openvpn.v3.configuration.Import
v17_betaUb2204 (67bba720)
OpenVPN 3 Linux v17 (beta, Ubuntu 22.04)

This release is the v17_beta release with an additional backport of a patch from the development branch. This change is required to make OpenVPN 3 Linux build on Ubuntu 22.04. This release is therefore only prepared for this particular distribution and version.

David Sommerseth (1):
      build: Remove hard-coded gio-unix-2.0 include paths
v17_beta (079e9da7)
OpenVPN 3 Linux v17 (beta)

This release consists mostly of several enhancements of various sizes.

* Behavior change: Only AEAD ciphers available for data channel by default

As part of the OpenSSL 3 support, non-AEAD ciphers are no longer enabled by default for the data channel. That essentially leaves only AES-GCM and, if the TLS library supports it, ChaCha20-Poly1305. To restore the previous behaviour, the configuration profile must be imported via 'openvpn3 config-import' and then given an override setting:

    $ openvpn3 config-manage --enable-legacy-algorithms true --config $CONFIG_NAME

* Command line: openvpn3 config-dump

The openvpn3 config-show command has been deprecated in favour of openvpn3 config-dump. This avoids ambiguity with commands supporting --show and more clearly indicates that it is the configuration _file_, not the configuration profile, being displayed.

* Feature: openvpn3 session-auth command

This is a new command which can be used to interact with VPN sessions requiring user authentication. It is useful if the initial connection did not complete properly or the server requires the user to re-authenticate.

* Enhancement: Log level improvements on client log data

In prior releases, the default log level in the backend process was 6, which is a debug level. With this release, the default log level is 3, and it is now more easily configurable:

- The OpenVPN 3 VPN client process now parses and respects the --verb option.
- The configuration profile can set a log-level override.
- Running VPN sessions can be adjusted on-the-fly using the new --log-level option in openvpn3 session-manage. Changes made this way take effect instantly.
- The default log level can also be changed by editing /usr/share/dbus-1/system-services/net.openvpn.v3.backends.service. Add '--client-log-level 6' to the program in the Exec= line to restore the previous default log level.

* Enhancement: Full support for --static-challenge

Both the OpenVPN 3 client implementation and the Python interface have gained full support for the --static-challenge option.

* Enhancement: systemd user credential passing

When starting a VPN session via the openvpn3-session@.service unit file, the systemd-ask-password mechanism is used to retrieve the requested user credentials.

* Enhancement: VPN session ownership transfer

For configuration profiles shared with more users, the session owner is the user who started the VPN session. With this release, the configuration owner can set the --transfer-owner-session flag via openvpn3 config-acl. This makes the configuration profile owner the session owner as well, regardless of which user starts the session. The user starting the session is automatically granted ACL entries to manage the session and access the VPN log events. This is useful for VPN profiles started automatically during boot via the systemd openvpn3-session@.service unit file: these sessions are typically started as root, but the session owner can end up being a different user on the system. The profile owner must grant the root user access to the profile for this to work.

* Extend openvpn3-as with an --insecure-certs option

In v16_beta, the openvpn3-as utility was extended to validate the https server certificate of the OpenVPN Access Server. For servers using self-signed certificates or certificates signed by an unknown CA, this tool would no longer work. With this option, the user instructs the tool to ignore such issues. Note that this also removes the protection the certificate check gives against a forged server certificate, so it should only be used when the server's identity has been verified by other means.

* Bugfix: Fix --tls-crypt-v2 in the Python parser

In prior releases, configurations started via the Python interface would fail with an error if --tls-crypt-v2 was used. This is now fixed.

* Bugfix: Fix Python file loading of files with spaces in file names

In prior releases, the configuration parser incorrectly parsed file names containing spaces. This has been improved.

* Bugfix: Non-functional shell completion for config files

The prior release regressed on shell completion for OpenVPN configuration files via the openvpn3 config-import and session-start commands. This has been resolved in this release.

* Distro: Builds on distributions using musl instead of glibc

Building OpenVPN 3 Linux on Alpine did not work well, as several aspects were not compatible with the development stack on this distribution. Both the OpenVPN 3 Core library and the Linux client have been modified to build successfully.

* Distro: Python 3.6 or newer is now required

As of this release, any Linux distribution with Python older than version 3.6 is no longer supported. This removes the support for Debian 9.
The complete list of changes:

David Sommerseth (61):
      cli/session-start: Add --background support
      log: Improve LogEvent formatting
      log: Use the LogEvent GVariant generator in LogSender
      log: Extend the LogSender::Log() with duplicate check
      client: Simplify BackendSignals::Log()
      client: Remove some not needed log duplication
      client: Don't switch to Reconnecting state on initial connect
      python: Remove aenum workaround for Python 3.5 or older
      python: Remove spurious import line from openvpn2
      python: Ignore --mute-replay-warnings option
      python: Add --insecure-certs option to openvpn3-as
      git: Switch to https for submodules
      python: Extend ConfigParser to understand --tls-crypt-v2
      python: Fix a few errors in ConfigParser
      sessionmgr: Fix incorrect LogEvent proxy format
      core-ext: Properly parse options which may be used more times
      common: Extend MachineID to support systemd API for machine-id
      python: Fix incorrect parsing of filenames with spaces
      client: Add support for static-challenge configurations
      common: Extend command line parser with alias command support
      ovpn3cli: Deprecate config-show in favour of config-dump
      core: Update to latest OpenVPN 3 Core library
      build: Avoid GNUism in Makefile.am
      configmgr/client: Remove support for forcing AES-CBC cipher
      configmgr: Extend with session ownership transfer flag
      ovpn3cli: Extend config-acl to support --transfer-owner-session
      sessionmgr: Respect the configuration profile transfer-ownership flag
      client: Parse the --verb option to set log-level
      client: Add support for 'log-level' override
      sessionmgr: Retrieve the client log-level for the session log-level
      sessionmgr: Proxy log-level settings in session to backend
      tests: Extend config-export-json-test to process files too
      core-ext: Fix incorrect handling of --static-challenge in JSON export
      systemd: Fix incorrect access to mainloop object in status handler
      systemd: Fix incorrect sd_notify() behaviour
      systemd: Add support for profiles needing user credentials
      common/shell: Fix bash-completion for options with optional arguments
      common: Don't throw an exception in ParsedArgs::GetValueLen()
      ovpn3cli/session: Extend session-manage to set session log-level
      core: Update to latest OpenVPN 3 Core library
      dbus: Change the proxy call timeout to 5 seconds
      log: Don't throw exception on invalid LogGroup/LogCategory
      client: Use the proper index value to retrieve the --verb value
      client: Change default log-level to 3
      systemd: Do not change the log level at startup by default
      client: Extend StatusEvent with stringstream formatting control
      cli/session: Extend the session module with session-auth
      cli/session: Extend session-auth to also list URL based auth
      cli/session: Implement completing on-going auth in session-auth
      cli/session: Add shell-completion support for session-auth
      cli/session: Remove "Auth URL" from sessions-list
      man: Add missing --log-level entry in openvpn3-config-manage
      client: Set proper status when needing user credentials
      ovpn-dco: Update to latest git master
      client: Configuration file --verb must not override profile log-level
      sessionmgr: Always change the SessionObject log level
      dbus/creds: Use creds specific exception for user lookup issues
      sessionmgr: Add more debug details of credentials check fails
      core: Update to latest OpenVPN 3 Core library
      client/cli: Add --enable-legacy-algorithms override
      shell: Fix bash completion for file/directory names

Samuli Seppänen (2):
      docs: Remove redundant package from Fedora build deps command-line
      docs: Fix setup instructions for CentOS 8
v16_beta (713b35e9)
OpenVPN 3 Linux v16 (beta)

This release is mostly a bug-fix release, with several known issues resolved and a few minor feature additions.

* Bug: Incompatible OCC strings sent to server

v15_beta updated the OpenVPN 3 Core library, leading to an incompatibility. This issue has now been resolved in a later update of the Core library.

- OCC strings sent over the wire to the server are now always prefixed with TCPv4 or UDPv4.
  <https://github.com/OpenVPN/openvpn3/commit/dee1b625c3>

* Bug: DNS caching issues for long-running VPN client sessions

Before v16_beta, the client would do a DNS lookup before connecting and preserve those lookups if --persist-tun was used. This works fine until a configured server changes IP address and is no longer reachable. The client then goes into a reconnect loop trying to connect, but no further DNS lookups are done. The Core library has implemented an improved approach which triggers a new DNS lookup in cases where it can no longer get a connection established.

Important related changes:
<https://github.com/OpenVPN/openvpn3/commit/e365c44b08658>
<https://github.com/OpenVPN/openvpn3/commit/2e3774c059705>

NOTE: This is not a perfect solution. Clients on networks utilizing NAT64 are expected to fail when connecting to a server on an IPv4 address which changes during the runtime of the client. The best way to resolve this is to make the server available via IPv6 as well.

* Bug: Pushed DNS search domains didn't work well

Several reports indicated that pushing DOMAIN or DOMAIN-SEARCH didn't enable them as search domains properly when using systemd-resolved. This has been fixed by no longer tagging each domain as a routing domain. For some users this may change the lookup behaviour so that DNS queries are sent to multiple DNS servers instead of just the VPN provided DNS server. We will investigate further how to reduce these side-effects when utilizing systemd-resolved.

* Improvement: Do not use connection timeout by default

Both 'openvpn3 session-start' and 'openvpn3-autoload' had a timeout behaviour where they would stop running if a connection was not established within approx. 30 seconds. If the server is unavailable or the client is on a network with temporary connection issues, this is a drawback. The solution is to remove the current timeout behaviour. The 'openvpn3 session-start' command has been extended with a --timeout argument which can be used to restore the previous behaviour.

* Improvement: openvpn3-as now requires properly signed https server certificates

Prior versions of openvpn3-as didn't verify the https server certificate. This has now been fixed.

* Improvement: Add better systemd integration for sessions

This release introduces a Python based systemd integration, which starts a pre-imported (openvpn3 config-import) configuration profile using the openvpn3-session@.service unit file. This can also be used to start connections automatically during boot. The advantage this has over openvpn3-autoload is that it manages VPN sessions one by one, while openvpn3-autoload just loaded and started everything configured without any real session management. Using openvpn3-session@.service, the session status is now also available via 'systemctl', and log events are easily found via 'journalctl'. If a session is stopped via 'openvpn3 session-manage', this is also reflected in 'systemctl'.

See the openvpn3-systemd(8) man page for details:
<https://github.com/OpenVPN/openvpn3-linux/blob/master/docs/man/openvpn3-systemd.8.rst>

This support is not complete yet, and will be extended in coming releases.

* Improvement: Support for the newer WEB_AUTH pending authentication method

* Improvement: Extend openvpn3-admin with a sessionmgr-service command

This new command currently only supports listing all running VPN sessions on the host, with the owner of each session and the tun/DCO interface in use.
See the openvpn3-admin-sessionmgr-service(8) man page for details:
<https://github.com/OpenVPN/openvpn3-linux/blob/master/docs/man/openvpn3-admin-sessionmgr-service.8.rst>

* Improvement: Python based configuration parser updates

The configuration parser used by openvpn2, openvpn3-autoload and the new openvpn3-systemd integration now ignores --ncp-ciphers, --data-ciphers and --data-ciphers-fallback. These options were added in OpenVPN 2.4 and 2.5 to help migrate from the prior default ciphers to better ones. Connecting to some servers could require a more specific cipher to be set. This is believed not to be needed in OpenVPN 3, so these options are simply ignored if found.

Complete list of changes:

Arne Schwabe (1):
      Implement WEB_AUTH auth pending method

David Sommerseth (39):
      vendor: Upgrade to googletest 1.11
      python: Harden openvpn3-as HTTPS connect
      ovpn3cli: Add --timeout support to session connect operations
      python: Remove connection attempt counting in openvpn3-autoload
      python: Add SessionManagerEventType constants
      python: Add SessionManagerEvent callback
      systemd: Add support for VPN session management via systemd
      sessionmgr: Grammar fix in an error message
      sessionmgr: Split out pure manager functions from OpenVPN3SessionProxy
      python: Use std namespace explicitly
      dbus: Add DBusProxy::Introspect() method
      tests: Make netcfg-proxy-unit test aware of other devices
      dbus/creds: Add new DBusCredentials::CheckACL_allowRoot() method
      sessionmgr: Grant root user access to read all session properties
      ovpn3cli/admin: Add sessionmgr-service command
      common: Fix duplicated imports of config.h
      sessionmgr: Simplify the ACL check for properties
      cli/sessionmgr: Simplify property extraction
      core: Update OpenVPN 3 Core library (DNS cache fix)
      common: Improve the OptionValueType::Present implementation
      common: Extend Configuration::File with an UnsetOption() method
      common: Configuration::File - Add backwards compat parsing for present opts
      cli/admin: Call instead Config::File::UnsetOption() on --config-unset
      common: Add private ParsedArgs::remove_arg() method
      common: Simplify ParsedArgs::ImportConfigFile()
      common: Don't throw on missing key in ParsedArgs::GetAllValues()
      cli/openvpn3: Fix missing space in config-remove warning
      cli/config: Fix incorrect spelling
      python: Handle CTRL-C in openvpn3-as gracefully
      python/openvpn3-as: Improve profile download error handling
      python/openvpn3-as: Fix incorrect exception type
      ovpn3cli: Fix session-start with dynamic challenge auth
      python: Fix dyn-challenge auth in openvpn2
      cli/session: Not all connection failures are timeout related
      cli/session: Fix never ending session with failed 2FA
      lookup: Add error checking to sysconf() lookups
      common: Fix typo with MachineID::SourceType::NONE
      netcfg/resolved: Don't configure --dhcp-option DOMAIN as routing domains
      python: Add --data-ciphers and related options to the ignore list.

Frank Lichtenheld (3):
      build: make gen-openvpn2-completion.py output reproducible on old Python
      build: Use timestamp of the constant.py source file
      build: Avoid generating broken bash-completion file

Heiko Hund (1):
      netcfg: Move check for DCO availability to NetCfg
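What the v16_beta search-domain change above amounts to, in terms of the systemd-resolved D-Bus API, is the boolean in each (domain, route_only) pair handed to org.freedesktop.resolve1.Manager.SetLinkDomains. The Python below is an added example, not code from openvpn3-service-netcfg: it builds that list for the pre-v16 behaviour (every pushed domain routing-only), for the fixed behaviour (pushed domains as search domains), and for the global/tunnel dns-scope setting described in the v14_beta notes further down. How the project maps dns-scope onto resolved entries is not stated on this page, so the mapping used here (global scope adds the root routing domain "~." so that all queries may use the VPN link) is an assumption, as are the helper names. The routing and search-list helpers approximate resolved's behaviour only far enough to make the difference visible; they are not its implementation.

```python
from typing import List, Tuple

# One (domain, route_only) pair per entry: the a(sb) argument of
# org.freedesktop.resolve1.Manager.SetLinkDomains(ifindex, domains).
DomainEntry = Tuple[str, bool]


def _normalise(domain: str) -> str:
    """Lower-case, strip a trailing dot and a leading '~' (resolvectl's
    routing-domain marker); an empty result means the root domain "."."""
    d = domain.strip().lower().rstrip(".")
    return d.lstrip("~") or "."


def link_domains_for(pushed_domains: List[str], dns_scope: str = "global",
                     route_only_pushed: bool = False) -> List[DomainEntry]:
    """Build the SetLinkDomains list for a VPN link.

    pushed_domains     -- values pushed via DOMAIN / DOMAIN-SEARCH
    dns_scope          -- "global" or "tunnel" (assumed mapping, see lead-in)
    route_only_pushed  -- True reproduces the pre-v16_beta behaviour of
                          tagging every pushed domain as a routing domain
    """
    if dns_scope not in ("global", "tunnel"):
        raise ValueError("dns_scope must be 'global' or 'tunnel'")
    entries = [(_normalise(d), route_only_pushed)
               for d in pushed_domains if d.strip()]
    if dns_scope == "global":
        # Assumption: the root routing domain ("~." in resolvectl terms) is
        # what makes this link a candidate for every query.
        entries.append((".", True))
    return entries


def search_suffixes(entries: List[DomainEntry]) -> List[str]:
    """Domains resolved appends to single-label names. Routing-only domains
    steer queries to a link but are never used for this expansion, which is
    why the pre-v16 tagging broke 'ping wiki'-style lookups."""
    return [d for d, route_only in entries if not route_only and d != "."]


def link_routes_query(entries: List[DomainEntry], name: str) -> bool:
    """Approximation of resolved's per-link routing: the link is a candidate
    for a query if one of its domains (routing or search) matches the name,
    or if it carries the root domain."""
    n = _normalise(name)
    for domain, _route_only in entries:
        if domain == "." or n == domain or n.endswith("." + domain):
            return True
    return False


def candidate_names(entries: List[DomainEntry], name: str) -> List[str]:
    """Names that will be tried for 'name': the name itself plus, for a
    single-label name, one expansion per search suffix."""
    if "." in name.rstrip("."):
        return [name]
    return [name] + [f"{name}.{suffix}" for suffix in search_suffixes(entries)]


if __name__ == "__main__":
    pushed = ["corp.example"]            # constructed: what the server pushed
    before = link_domains_for(pushed, "tunnel", route_only_pushed=True)
    after = link_domains_for(pushed, "tunnel")
    everything = link_domains_for(pushed, "global")
    print("pre-v16 entries:", before, "search:", search_suffixes(before))
    print("fixed entries:  ", after, "search:", search_suffixes(after))
    print("global scope routes example.org via VPN:",
          link_routes_query(everything, "example.org"))
```

The side-effect the release note warns about follows from the same booleans: once "corp.example" is a search domain rather than a routing-only domain, resolved may also consult other links for names under it, whereas a routing-only entry restricted those names to the VPN link.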
v15_beta (6c9bbc9e)
OpenVPN 3 Linux v15 (beta)

The highlights of this release include:

* Bugfix: 2FA authentication with dynamic challenge protocol

Servers (most commonly OpenVPN Access Server) deployed with 2FA based authentication would fail when the dynamic challenge protocol was utilized. The result would be a client disconnecting with a timeout error, and in some cases 'openvpn3 sessions-list' would list "ghost" sessions not responding. This command would also wait for a long time before reporting the complete list of sessions when such ghost sessions were present.
Reported: <https://github.com/OpenVPN/openvpn3-linux/issues/55>

* Bugfix: Fix misbehaviours with --tls-crypt-v2

This feature has been a known issue for a long time, but newer OpenVPN Access Servers now push tls-crypt-v2 profiles, resulting in connections failing with NETWORK_EOF_ERROR errors in the log.
Reported: <https://github.com/OpenVPN/openvpn3-linux/issues/55>

* Feature: Added openvpn3-admin variables command

The "openvpn3-admin variables" command provides runtime information used by openvpn3-linux. The first variable accessible is the value reported in the IV_HWADDR field sent to the VPN server. This can be seen using:

    # openvpn3-admin variables --machine-id

David Sommerseth (5):
      docs: Update README.md with new DCO and SELinux info
      common: Extend MachineID to provide source information
      ovpn3cli/admin: Add a new 'variables' admin command
      Revert "client/core: Improve fatal exception handling in event()"
      core-ext: Add support for inline --tls-crypt-v2
v14_beta (6ae8c77f)
OpenVPN 3 Linux v14 (beta)

The highlights of this release include:

* Security: [CVE-2021-3547] --verify-x509-name overrides certificate checks

The OpenVPN 3 Core library got support for --verify-x509-name in commit 583986920236f7e (committed 2019-11-08). This implementation would reset prior certificate checks: if a prior certificate check failed and the --verify-x509-name check passed, the connection would be accepted as valid. This has been fixed in the Core library as of commit febf01ef68b84f.

* systemd-resolved - support for DNS zones

This is the first step towards better split-DNS support. It implements the configuration settings needed to properly set up the global or tunnel DNS resolver scopes in systemd-resolved. For the resolv-conf based mode, this setting will be ignored (and logged as a warning), as resolv-conf only supports a single DNS resolver.

Currently, the tunnel scope is very simplistic and will only result in systemd-resolved not querying anything other than the pushed DOMAIN/DOMAIN-SEARCH domains via the DNS servers for the VPN session. It is more a reverse filter than an explicit filter: all other "global" scopes will also be queried, and domains *not* matching the DOMAIN/DOMAIN-SEARCH settings will *not* be queried via this VPN link. This behaviour is closer to how systemd-resolved is designed, and will hopefully be further improved later on.

* Improved SELinux policies

OpenVPN 3 Linux can now run on CentOS, Fedora and Red Hat Enterprise Linux with DCO enabled on VPN profiles and with SELinux policies being enforced. The openvpn3-service-netcfg and openvpn3-service-client processes now run in their own confined environment with further restricted access.

* The OpenVPN 3 client will report IV_HWADDR

When connecting, the client reports some peer information to the server. Until now, IV_HWADDR has not been provided. This value is supposed to be a fixed value per connecting host.
The reported information is a SHA256 hash of /etc/machine-id and some more OpenVPN 3 Linux specific values. If this machine-id file is not readable, it will generate its own value and store it under /var/lib/openvpn3 for a persistent value. * Support for querying the user for HTTP proxy credentials during connection * Support for inline --http-user-pass values in configuration files * Support for inline --auth-user-pass values in configuration files * DCO support can now be activated with openvpn3 session-start and openvpn2 command line front-ends * DCO device names will now carry the name of --dev in the configuration In addition to several bug fixes and other improvements. Antonio Quartulli (1): ovpn-dco: adapt interfaces to new API format Arne Schwabe (1): Add Coverity to jenkins build David Sommerseth (67): build: Fix out-of-tree builds from git checkouts dbus/signals: Kick out the poor char */std::string "converters" netcfg: Fix incorrect return string in DNS::ResolverSettings::AddNameServers() log: Fix incorrect unsigned int logic log: Clean-up a switch statement client: Add exception safe-guard in BackendClientDBus d'tor netcfg: Fix incorrect IPv6 default gw setup submodules: Update OpenVPN 3 Core and ovpn-dco glib: Improve error message when GLibUtils::checkParams() fails configmgr: Prepare for --dns-scope in configuration profiles netcfg: Implement DNS resolver scope support client: Propagate VPN profile dns-scope setting to netcfg python: Add support for dns-scope setting via openvpn3-autoload client: Delay the forced shutdown on LogFATAL() client: Add ClientException to start improving client error handling cli: Be more friendly with ERR_PROFILE_SERVER_LOCKED_UNSUPPORTED tests/signal_listener: Add support for Log() with session tokens client: Enable DCO configuration override via D-Bus property sessionmgr: Provide access to the DCO flag in a VPN session docs/sessions: Update net.openvpn.v3.sessions D-Bus documentation docs/client: Update 
net.openvpn.v3.backends.be* D-Bus documentation ovpn3cli: Add --dco support to session-start python: Extend SessionManager.Session with DCO capabilities python: Extend ConfigParser with DCO support python/openvpn2: Add support for enabling/disabling DCO python/openvpn2: Fix stray verb debug print() ovpn3cli/session: Display an indicator on DCO enabled sessions Revert "configmgr: Add DCO device naming hack" ovpn3cli/session-start: Fix incorrect console input truncation dco: Update to latest ovpn-dco vendor: Update to ASIO 1.18.1 core-ext: Fix improper processing of potential inline options selinux: Add policies for netcfg and client processes selinux: Rework the policy build Makefile build: Make netcfg DNS resolver configurable build: Detect Linux distro to configure DNS resolver build: Fix missing distribution of SELinux policy files python: Fix incorrect JSON parsing error message (filename) netcfg: Add method to extract only error message in NetCfgProxyException netcfg/proxy: Try to ensure net.openvpn.v3.netcfg is available cli: Properly catch if net.openvpn.v3.netcfg is unavailable configfile: Add "true" as a valid "present" value build: Save the OpenVPN 3 statedir into config.h common: Implement MachineID for uniquely identifying a host client: Implement passing IV_HWADDR vendor: Update to ASIO 1.18.2 dco: Update to latest ovpn-dco core: Update to latest OpenVPN 3 Core library common: Add missing sstream include in machineid.cpp common,core: Fix compat issues with older OpenSSL common: Use proper OpenSSL EVP SHA256 APIs in MachineID related code netcfg: Only LogCritical when DNS resolver changes failed client: Properly handle device disabling exceptions selinux: Add missing file context transition for resolv.conf client: Improve error handling when interacting with the NetCfg service netcfg: Disable DNS::ResolverSettings for failing resolved updates netcfg/resolved: Catch more error situations client/core: Fix incorrect bool logic for TUN_SETUP/TUN_IFACE events 
client/core: Improve fatal exception handling in event() netcfg: Use the proper capng_select_t when dropping capabilities dbus: Extend DBusProxy with GetNameOwner() method dbus: Extend DBusProxy with StartServiceByName() method netcfg/resolved: Check if org.freedesktop.PolicyKit1 is available docs: Update README with polkit/policykit dependency requirement netcfg: Catch exceptions related to SystemdResolved init issues netcfg: Catch more exceptions when establishing a virtual interface selinux: Fix proper privileges for netcfg netlink_generic_socket Heiko Hund (4): update .gitignore core-extension: Add support for inline auth-user-pass core-extension: Add support for inline http-proxy-user-pass client: Allow querying HTTP proxy credentials dynamically Romain Loutrel (1): python: Add --mute, --route-delay and --route-method to ignored options
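As an added illustration of the IV_HWADDR derivation described in the v14 note (this is not the openvpn3-linux MachineID code), the Python below hashes the machine-id together with a project label and falls back to a persisted random value when the machine-id cannot be read. The label, the fallback file name and the temporary state directory used by demo() are constructed assumptions; the note only says that "some more OpenVPN 3 Linux specific values" are mixed in and that the fallback lives under /var/lib/openvpn3.

```python
"""Illustrative per-host identifier in the spirit of IV_HWADDR.

Not the openvpn3-linux implementation. The release note states that the
value is a SHA256 over /etc/machine-id plus project-specific values, and
that a generated value is persisted when machine-id is unreadable.
"""
import hashlib
import os
import secrets
import tempfile
from pathlib import Path

# Assumption: a fixed project label is mixed into the hash, so the result
# is not a bare SHA256 of /etc/machine-id (constructed placeholder value).
PROJECT_LABEL = b"openvpn3-linux-example"
# Assumption: name of the fallback file kept in the state directory.
FALLBACK_FILE = "machine-id-fallback"


def derive_hwaddr(machine_id: bytes, label: bytes = PROJECT_LABEL) -> str:
    """Return hex SHA256(label || NUL || machine_id) with whitespace stripped.

    Stable for a given host (what a per-host IV_HWADDR needs) without
    sending the raw machine-id to the server.
    """
    digest = hashlib.sha256()
    digest.update(label)
    digest.update(b"\0")  # separator so label/id boundaries are unambiguous
    digest.update(machine_id.strip())
    return digest.hexdigest()


def load_or_create_fallback(state_dir: Path) -> bytes:
    """Return a persistent random id stored under state_dir.

    Generated once and reused so the host keeps reporting the same value
    across connections and reboots, mirroring the /var/lib/openvpn3 fallback.
    """
    path = state_dir / FALLBACK_FILE
    if path.is_file():
        return path.read_bytes().strip()
    state_dir.mkdir(parents=True, exist_ok=True)
    value = secrets.token_hex(16).encode()
    # O_EXCL + 0600: never overwrite an existing id, keep it private to root.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(value + b"\n")
    return value


def machine_hwaddr(machine_id_path: Path, state_dir: Path) -> str:
    """Derive the identifier from machine_id_path, or from the fallback."""
    try:
        machine_id = machine_id_path.read_bytes()
    except OSError:
        machine_id = b""
    if not machine_id.strip():  # unreadable or empty: use persisted fallback
        machine_id = load_or_create_fallback(state_dir)
    return derive_hwaddr(machine_id)


def demo() -> tuple[str, str, bytes]:
    """Exercise the unreadable-machine-id path twice against a temp state dir.

    Returns the two derived identifiers (which must match) and the fallback
    value that was persisted on the first call.
    """
    state_dir = Path(tempfile.mkdtemp(prefix="ovpn3-hwaddr-"))
    missing = state_dir / "no-such-machine-id"  # constructed: does not exist
    first = machine_hwaddr(missing, state_dir)
    second = machine_hwaddr(missing, state_dir)
    return first, second, load_or_create_fallback(state_dir)


if __name__ == "__main__":
    print(derive_hwaddr(b"0123456789abcdef0123456789abcdef\n"))
    print(demo())
```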
-
v13_beta (20319752)
OpenVPN 3 Linux v13 (beta)

The highlights of this release include:

* Feature: IPv6 and TCP protocol support in OpenVPN Data Channel Off-load (DCO)

  The DCO feature is currently a tech-preview feature. It is not
  targeted for production usage in its current shape. As this is still
  under heavy development, we currently only support the latest Fedora
  releases (Fedora 32 and newer) and Ubuntu 20.04. This currently
  requires Linux kernel 5.4 and newer.

  This release includes an updated ovpn-dco implementation which adds
  both TCP and IPv6 as transport protocols between client and server.
  If you are testing the DCO feature, also be sure you use the updated
  kmod-ovpn-dco package, or build the ovpn-dco module based on git
  commit 8f04ed862539f0.

* Bugfix: Misleading argument count when options are missing arguments

  If an option requiring a certain minimum number of arguments was
  missing one or more arguments, for example using just --keepalive 30,
  the error would be:

      ERR_PROFILE_OPTION: option_error: option 'keepalive' must have at least 3 arguments

  This is incorrect. The correct number should be "2 arguments". This
  has been fixed in the OpenVPN 3 Core library, which generated this
  error string.

* Bugfix: Multi-factor authentication broke with v12_beta

  With the v12_beta release, web based authentication was added. This
  also added signalling support for the CR_TEXT authentication method,
  which was not intended to be added. This resulted in many
  multi-factor authentication configurations failing, in particular
  those connecting to OpenVPN Access Server. This has been corrected
  and openvpn3-linux no longer signals support for the CR_TEXT
  authentication method.

David Sommerseth (1):
      client: Don't signal support for crtext authentication

Lev Stipakov (5):
      ovpn-dco: support for various transport protocols
      core: Update to Core library with ovpn-dco transport improvements
      ovpn-dco: Update to latest git master
      ovpn-dco: truncate nonce_tail length
      ovpn-dco: remove cbc-hmac support
-
v12_beta (be651516)
OpenVPN 3 Linux v12 (beta)

The highlights of this release include:

* Feature: Web-based authentication

  For servers allowing web based authentication, OpenVPN 3 Linux will
  now pick up this authentication type request and handle it. If the
  openvpn2 or openvpn3 user front-end applications are able to open a
  browser window with the given URL, they will do so. If not, they
  will present the URL needed for the further authentication process.
  In addition, any VPN sessions awaiting web based authentication are
  also presented via the `openvpn3 sessions-list` command together
  with the authentication URL.

* Bugfix: OpenVPN 3 Linux configuration manager could crash

  If the openvpn3-service-configmgr program was started with the
  --state-dir argument pointing at an unreadable or non-existing
  directory, it would crash. This has been fixed to provide a better
  error message and exit gracefully.

* Bugfix: Properly handle restart of paused sessions

  VPN sessions being paused (like via `openvpn3 session-manage
  --pause`) would not recover properly if they were recovered by using
  the `restart` method instead of `resume`. When trying to pause the
  session again, it would not do so, as the session was considered
  paused already. Resuming a VPN session via both the `resume` and the
  `restart` method is considered appropriate and is now handled
  correctly.

* Bugfix: openvpn2 running in the foreground could exit with an error

  If the openvpn2 front-end was used to start a VPN session and it was
  running in the foreground (no use of --daemon), it would present an
  error message when closing the session *if* the VPN session was
  closed via another channel (such as `openvpn3 session-manage`). This
  has been fixed and it will now exit properly in this situation,
  without any additional error messages.

* Bugfix: openvpn2 would misinterpret --keepalive

  The OpenVPN option parser in the Python 3 openvpn module would not
  properly parse a few options which take multiple arguments, such as
  --keepalive. This has been fixed.

* Enhancements: openvpn2 now understands --tls-version-{min,max}

  In prior releases, the Python 3 openvpn module did not understand the
  --tls-version-min and --tls-version-max options. This has been
  resolved and these options are forwarded properly to the
  configuration manager.

David Sommerseth (11):
      client: Properly reset the paused flag on session restart
      python: Improve parsing of options with multiple arguments
      python: Extend argument parser with support for --tls-version-min/max
      dbus: Add web-auth constant to ClientAttentionGroup
      client: Enable web-auth support and URL extraction
      python: Add support for handling web-auth in openvpn2
      python: Resolve error in openvpn2 on disconnect with pre-closed sessions
      common: Implement function for opening up URIs on the host
      ovpn3cli: Add support web auth via openvpn3
      ovpn3cli: Improve 'sessions-list' for sessions awaiting web auth
      configmgr: Abort properly if --state-dir processing fails
-
v11_beta (087393e7)
OpenVPN 3 Linux v11 (beta)

The highlights of this release include:

* Feature: OpenVPN Data Channel Off-load (DCO)

  This feature is currently a tech-preview feature. It is not targeted
  for production usage in its current shape. As this is still under
  heavy development, we currently only support the latest Fedora
  releases (Fedora 32 and newer) and Ubuntu 20.04. This currently
  requires Linux kernel 5.4 and newer.

  This facilitates a brand new kernel module, ovpn-dco, where all the
  crypto operations related to the OpenVPN data channel happen directly
  inside the kernel. The data channel operations are related to the
  tunnelled network traffic. This has the advantage of reducing the
  network packet processing overhead compared to the traditional tun
  devices.

  When using tun interfaces with OpenVPN, the remote side sends
  encrypted network traffic to a UDP or TCP socket. The Linux kernel
  forwards these packets from kernel space to the OpenVPN user space
  process, which decrypts the packet and extracts the unencrypted
  network traffic. This unencrypted data is then passed to a tun
  interface, which sends the traffic back to kernel space for further
  processing.

  The ovpn-dco module changes this packet route. When the remote side
  sends data channel packets, the ovpn-dco kernel module receives the
  packet, already has the encryption keys needed to decrypt it directly
  in kernel space, and then passes it directly to the virtual interface
  ovpn-dco manages. If the OpenVPN packet from the remote side is a
  control channel packet, the ovpn-dco kernel module passes this
  traffic up to the OpenVPN user space process. Control channel packets
  are used to pass authentication credentials, configuration setup,
  data channel key exchanges, etc.

  To make use of this feature, the kmod-ovpn-dco kernel module must be
  installed on the system. The OpenVPN 3 Linux project provides
  kmod-ovpn-dco packages for Fedora 32, 33 and Rawhide in addition to
  Ubuntu 20.04.

  On Fedora, with the openvpn3 Copr repository enabled:

      # yum install kmod-ovpn-dco

  On Ubuntu, with the openvpn3 apt repository configured:

      # apt install kmod-ovpn-dco

  With the kernel module installed, the configuration file must be
  imported:

      $ openvpn3 config-import --config CONFIG_FILENAME --name CFGNAME

  Then the imported configuration profile must get the DCO feature
  enabled:

      $ openvpn3 config-manage --show --name CFGNAME --dco true

  To preserve this setting through reboots, consider adding
  --persistent when importing the configuration file via 'openvpn3
  config-import'.

  Now everything is ready and a VPN session can be started:

      $ openvpn3 session-start --config CFGNAME

  The ovpn-dco kernel module from the openvpn3 repositories has some
  limitations:

  - No TCP support
    ovpn-dco will require a UDP connection to the server.

  - No IPv6 support
    ovpn-dco only supports IPv4 for the connection to the remote server.

  - Limited data channel cipher support
    ovpn-dco only supports the AES-GCM ciphers. Support for more
    ciphers will arrive later.

  - No interface statistics available
    The ovpn-dco module has not yet implemented traffic statistics.

  All of these limitations will be resolved in future releases. A more
  comprehensive list of what ovpn-dco is working on and will support
  can be found in the ovpn-dco project.

  WARNING: The ovpn-dco kernel module is under heavy development. This
  means that the API used between the kernel space and OpenVPN user
  space processes may change. Therefore the kernel module version must
  be the same one which OpenVPN 3 Linux has been compiled against. Once
  the API has become stable, this restriction will no longer be needed.

* Bugfix: OpenVPN 3 Linux configuration manager could crash

  If an imported persistent configuration file contained syntax errors,
  the openvpn3-service-configmgr process could crash (SEGV). This has
  been improved and the configuration manager will now ignore incorrect
  or corrupted persistent configuration files.

* Bugfix: openvpn3 and openvpn3-admin could sometimes crash

  Occasionally on certain hosts, the 'openvpn3' and 'openvpn3-admin'
  tools could crash unexpectedly. This was an error related to the
  argument alias processing and has been fixed to avoid this issue.

* Enhancements: The openvpn2 bash-completion support is extended

  In prior versions, the openvpn2 command did not provide any shell
  completion help for the --config option. This has been resolved.

* OpenVPN Access Server configuration import improvements

  The 'openvpn3-as' utility now signals to the Access Server that the
  downloaded configuration profile is intended to be imported into a
  local storage.

Arne Schwabe (1):
      Indicate that the openvpn-as imports a config

David Sommerseth (13):
      configmgr: Better handling of incorrect configuration profiles
      docs: Fix incorrect attribute header - user-auth:password
      core: Update client and aws service to use new Core process init
      common/cmdargparser: Fix lacking alias initialization
      netcfg: Rename the tun device properly on non-DCO builds
      configmgr: Add DCO device naming hack
      Update to latest OpenVPN 3 Core library
      dco: Update ovpn-dco submodule to get the latest header files
      docs: Update README with related to the new DCO feature
      docs/man: Add missing options in openvpn3-config-manage man page
      build: Fix out-of-tree builds when --enable-bash-completion is enabled
      shell: Improve openvpn2 --config bash completion
      core/ovpn-dco: Sync up DCO API changes

Lev Stipakov (16):
      openvpn3-service-client: add debug option to specify client path
      build: Define OPENVPN_USE_SITNL in configure.ac
      core: Update to latest openvpn3 Core library
      common: adapt to Core library changes in core JSON extensions
      tests: add missing include in netcfg cli
      Add ovpn-dco submodule
      build: Add ovpn-dco build options
      configmgr: Add support for "dco" config property
      client/netcfg: Initial support for ovpn-dco
      netcfg: Implement crypto key passing for ovpn-dco
      netcfg: Implement ovpn-dco tun establish()
      client/netcfg: Handle ovpn-dco device creation error
      netcfg: Implement ovpn-dco crypto key swapping
      netcfg: Implement setting peer properties for ovpn-dco
      Jenkinsfile: add ovpn-dco support
      ovpn-dco: explicitly subscribe for genl packets
-
v10_beta (ff27a9f8)
OpenVPN Linux v10 (beta)

The highlights of this release are:

* Feature: systemd-resolved integration

  By default, OpenVPN 3 Linux will modify the /etc/resolv.conf file
  with DNS configurations pushed by the VPN server. This release adds
  systemd-resolved as an alternative to this approach, where the
  systemd-resolved service will be in charge of querying the proper
  DNS resolvers and there will no longer be any fight over
  configuration files such as /etc/resolv.conf.

  In this release, pushed DNS configurations will be handled quite
  similarly to how DNS queries have been handled before. The DNS
  settings pushed by the VPN server will typically take precedence,
  but systemd-resolved may query other servers on other interfaces as
  well. That said, if the VPN server pushes "dhcp-options DOMAIN ....",
  hosts under that domain will in this case only be queried via the
  VPN tunnel alone. You may call this a partial DNS-split.

  In coming releases, we will evaluate further possibilities to
  configure how DNS requests would be handled by systemd-resolved.
  This could include modes such as full split (only query for pushed
  DOMAIN via the DNS server provided by the VPN) or exclusive VPN (DNS
  queries should only go via the VPN tunnel).

  This systemd-resolved integration requires at least CentOS 8, Fedora
  31, 32 or Rawhide, Red Hat Enterprise Linux 8 or Ubuntu 20.04. Other
  distributions may work as long as they use systemd v243 or newer.

  To enable systemd-resolved, first ensure that systemd-resolved is
  properly configured and activated on your system. Currently only
  Ubuntu 20.04 does that somewhat out-of-the-box (some additional
  changes to nsswitch.conf might be required for optimal performance).
  Please read the available systemd-resolved documentation for your
  Linux distribution.

  Once systemd-resolved is enabled and activated, run this command as
  root before starting any VPN tunnels:

      # openvpn3-admin netcfg-service --config-set systemd-resolved 1

  and wait until the openvpn3-service-netcfg has restarted. With the
  log-level set to 5 or higher in netcfg-service, the log file will
  include this log line:

      Network Configuration VERB2: systemd-resolved DNS configuration backend

* Feature: openvpn3 log with --config will now wait for a not-started session

  When starting the end-user session logging, prior versions required
  the VPN session to already be running before a log client could be
  attached. With this release, if the session has not already been
  started, the openvpn3 log command will wait until it sees that the
  appropriate VPN session has started and will attach to it instantly.
  This allows grabbing the first log lines of a starting VPN session
  for an end-user without other ways of accessing OpenVPN logs.

* Improvement: openvpn3 log sanitizes new line characters better

  The log output of openvpn3 log could contain a lot of additional
  blank lines. These have been removed and indenting has been added
  for multi-line log events to make the log output more readable.

* Improvement: openvpn3-as indicates tls-crypt-v2 support to AS

  When downloading a VPN configuration profile from an OpenVPN Access
  Server, the openvpn3-as script will now signal to the server that it
  is capable of handling configurations with --tls-crypt-v2.

* Bugfix: Improper session clean-up on server triggered disconnect

  If the VPN server forcefully disconnected an already established
  session, the Session Manager would not properly track this, which
  led to missing session details in openvpn3 sessions-list. This has
  now been resolved by properly catching a server triggered disconnect
  and properly shutting down the openvpn3-service-client process
  responsible for the session, which will properly update the session
  manager about the disconnected session.

* Bugfix: AWS integration failed to propagate routes in some AWS regions

  The openvpn3-service-aws process could in some AWS regions fail to
  push routes to the AWS-VPC, leading to a process crash. The crash
  has been fixed and the AWS service has been extended with more
  region CA certificates used for the request validations. In addition
  it will now pick up more system CA certificate file locations than
  before.

* Bugfix: openvpn3 command could throw unfriendly error messages

  If a user was not granted access to a running VPN session,
  attempting to access this session via openvpn3 session-manage would
  lead to an openvpn:BusProxyAccessDeniedException exception error.
  This has been improved and will now instead show "Access Denied" in
  a more user-friendly way to the user.

* Bugfix: openvpn3-service-netcfg would crash without --resolv-conf

  If the openvpn3-service-netcfg was started without the --resolv-conf
  configuration, it would crash if the VPN server pushed a DNS
  configuration. This has been properly resolved and it is now
  possible to start the service completely without any DNS
  configuration support.

* Bugfix: openvpn3-service-client crash on some hosts with log redirection

  If the openvpn3-service-backendstart was given '--client-log-file
  stdout:', this would tell it to start the openvpn3-service-client
  process with '--log-file stdout:'. This would on some hosts cause a
  program crash instead. This has been resolved.

* Bugfix: openvpn3-service-sessionmgr would crash on illegal log-levels

  If a user attempted to change the log-level in the D-Bus session
  object the user is granted access to with an invalid value, it would
  lead to a crash of the openvpn3-service-sessionmgr process. This
  would make it impossible to further manage already running VPN
  sessions without root privileges. This has been resolved by properly
  rejecting invalid values as an error back to the calling user
  instead of treating it as a fatal failure.

The complete overview of all changes:

Arne Schwabe (5):
      Announce tls-crypt-v2 support on AS configuration import
      Compile fix for ILP32 platforms like Raspberry Pi
      contrib/cmake: Remove extra ${OPENVPN3_LINUX_ROOT} from source files
      contrib/cmake: Make CMakeLists.txt work with config.h from configure
      contrib: Improve Jenkinsfile with stage and archiving test-suite.log

David Sommerseth (81):
      vendor: Update ASIO to 1.16.0
      core: Update to latest core git master
      cli/session: Fix incorrect command reference in throws
      sessionmgr/proxy: Add TunInterfaceException
      cli/session: Properly catch DBusException
      log: Remove trailing newlines in LogEvents
      ovpn3cli/log: Indent multiline log lines
      ovpn3cli/log: Add --interface option
      sessionmgr: Fix crash with incorrect log level
      sessionmgr: Add SessionManager::Event class
      sessionmgr: Implement sending SessionManagerEvent signals
      ovpn3cli/log: Improve the complete session log setup logic
      client: Fix failing --log-file feature
      docs: Add missing dependency in Debian/Ubuntu instructions
      netcfg: Avoid segfault when configured without --resolv-conf
      client: New debug option in openvpn3-service-backendstart
      common/build: Rework version information handling
      build: Clean up after version metadata rework
      build: Fix 'make install'
      dbus: Clarify a few StatusMinor states in the comment
      client: Process CLIENT_HALT event
      build: Fix 'make uninstall' for the SELinux policy
      client: Fix incorrect environment array handling
      netcfg: Fix a typo in the AddNameServers exceptions
      netcfgmgr/dns: Add indication when to apply DNS settings
      netcfgmgr/dns: Extend ResolverSettings object store tun device name
      netcfgmgr/dns: Apply resolver settings according to the backend
      dbus/glib: Extend checkParams() to optionally ignore children count
      dbus/proxy: Migrate to better value extraction in GetProperty() and CheckServiceAvail()
      policy: Added polkit policy for systemd-resolved interaction
      netcfg: Add proxy code for systemd-resolved
      netcfg: Add ResolverBackendInterface implementation for systemd-resolved
      netcfg: Complete the systemd-resolved support
      netcfg: systemd-resolved - Make all global queries also go via VPN
      policy: Add support for legacy polkit PKLA files
      man: Minor cleanups and improvements
      common/cmdargparser: Refactor ParsedArgs passing to be a smart pointer
      common/ParsedArgs: New methods to retrieve the last set option values
      common: Extend ParsedArgs with CheckExclusiveOptions() method
      common: Extend command parser with ParsedArgsConfig class
      man: Make template out of a few of the man pages
      netcfg: Extend service with --state-dir
      common: Extend ParsedArgs::Present() with a std::vector variant
      common: Move command line parsing related exception
      common: Implement a simple and generic JSON config parser
      common: Extend ParsedArgs with a simpler config file parser approach
      netcfg: Implement the new config file parser
      common: Remove the no longer used ParsedArgsConfig implementation
      netcfg: Extend manager object with a config_file property
      cli/netcfg-service: Extend with --config-show, --config-set and --config-unset
      netcfg: Fix incorrect default log-level
      cli/netcfg: Add --config-file-override to netcfg-service
      cli/netcfg: Make netcfg-service command more robust
      common: Extend Configuration::File parser with option groups
      cli/netcfg: Extend netcfg-service with CheckExclusiveOptions() check
      common: Extend Configuration::File with GetRelatedExclusiveOptions()
      common: Extend ParsedArgs::ImportConfigFile() with exclusive check
      netcfg: Allow configuration file to override command line arguments
      python: Add support for --tls-cipher
      cli/log: Extend shell auto-completion with --config
      cli/log: Fix typ0 in AttachByConfig() method name
      deps: Update ASIO to 1.17.0
      deps: Update OpenVPN 3 Core library to latest git master
      Update .gitignore - it was missing openvpn3.pp.bz2
      dbus: Add a couple of missing header files
      cli: Handle DBusProxyAccessDeniedException events better
      netcfg/resolved: Better exception handling when communicating with systemd-resolved
      python/shell: Add bash-completion for openvpn2
      build: Enable installing bash-completion scripts
      docs: Update README.md with missing googletest mention
      common: Fix Configuration::File::Save() not writing empty files
      build/aws: Simplify the autotools setup for addons/aws
      build: Fix missing uninstall of bash-completion scripts
      build/aws: Fix failing out-of-tree builds
      build/aws: Fix incorrect distribution of D-Bus policy and systemd unit files
      contrib/CI: Enable the AWS addon in Jenkins builds
      common: Configuration::File::Load() should accept empty files
      netcfg/resolved: Revert tun interface DNS settings on removal
      core: Update to latest OpenVPN 3 Core library
      cli/admin: netcfg-service could exit with an empty error
      docs: Update README.md

Lev Stipakov (5):
      client: properly handle client termination
      contrib: Add missing files in CMakelists.txt
      addons/aws: Improve error handling
      addons/aws: AWS certificates to verify instance identity
      addons/aws: provide AWS certs directory to core library
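As an added model (not openvpn3-linux or systemd-resolved code) of the resolver-scope behaviour described in the v10 "partial DNS-split" note and the v14 "support for DNS zones" note, the Python below parses pushed dhcp-option lines into a link definition and decides which links' name servers a query reaches under a "global" versus a "tunnel" scope. Link names, addresses and the pushed options are constructed sample values, and the rule that a matching pushed domain is queried only via that link is a simplification of what the notes describe.

```python
"""Model of global vs tunnel DNS scope for a VPN link, as an illustration.

Rules taken from the release notes:
  - a link with "global" scope is asked for every query;
  - a link with "tunnel" scope is only asked for names under its pushed
    DOMAIN/DOMAIN-SEARCH domains (the "reverse filter");
  - names under a pushed domain go via that link alone (partial split).
"""
from dataclasses import dataclass, field


@dataclass
class Link:
    name: str
    servers: list[str]
    domains: list[str] = field(default_factory=list)
    scope: str = "global"  # "global" or "tunnel"


def parse_pushed_dns(options: list[str]) -> tuple[list[str], list[str]]:
    """Extract name servers and domains from pushed dhcp-option lines.

    Unknown keys and malformed lines are ignored; domains are lower-cased
    and a trailing dot is dropped so matching is consistent.
    """
    servers: list[str] = []
    domains: list[str] = []
    for line in options:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "dhcp-option":
            continue
        key, value = parts[1].upper(), parts[2]
        if key in ("DNS", "DNS6"):
            servers.append(value)
        elif key in ("DOMAIN", "DOMAIN-SEARCH"):
            domains.append(value.lower().rstrip("."))
    return servers, domains


def build_vpn_link(name: str, options: list[str], scope: str) -> Link:
    """Create the VPN link from what the server pushed."""
    servers, domains = parse_pushed_dns(options)
    return Link(name, servers, domains, scope)


def name_in_domain(name: str, domain: str) -> bool:
    """True when name equals domain or is below it at a label boundary.

    "notvpn.example" must not match "vpn.example", hence the "." prefix.
    """
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def links_for_query(name: str, links: list[Link]) -> list[str]:
    """Return the names of the links whose servers would be asked for name.

    A configured domain match wins and is used exclusively; otherwise every
    global-scope link is asked, and tunnel-scope links are left out.
    """
    matching = [
        link.name for link in links
        if any(name_in_domain(name, d) for d in link.domains)
    ]
    if matching:
        return matching
    return [link.name for link in links if link.scope == "global"]


# Constructed sample: a LAN link plus a VPN link built from pushed options.
PUSHED = [
    "dhcp-option DNS 198.51.100.53",
    "dhcp-option DOMAIN vpn.example",
    "dhcp-option DOMAIN-SEARCH lab.example.",
    "dhcp-option NBDD 198.51.100.1",  # not DNS related, ignored
]
LAN = Link("eth0", ["192.0.2.53"])

if __name__ == "__main__":
    for scope in ("tunnel", "global"):
        links = [LAN, build_vpn_link("tun0", PUSHED, scope)]
        for q in ("intranet.vpn.example", "www.example.org", "notvpn.example"):
            print(scope, q, "->", links_for_query(q, links))
```

With the VPN link in tunnel scope, only names under the pushed domains reach tun0; in global scope every other query also goes over the VPN, which is the leak-vs-reachability trade-off the notes discuss.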