OpenVPN 3 Linux v10 (beta)
The highlights of this release are:
* Feature: systemd-resolved integration
By default, OpenVPN 3 Linux will modify the /etc/resolv.conf file
with DNS configurations pushed by the VPN server. This release
adds systemd-resolved as an alternative to this approach, where
the systemd-resolved service will be in charge of querying the
proper DNS resolvers and there will no longer be any fight over
configuration files such as /etc/resolv.conf.
In this release, pushed DNS configurations are handled much the same
way DNS queries were handled before. The DNS servers pushed by the VPN
server will typically take precedence, but systemd-resolved may also
query other servers on other interfaces. That said, if the VPN server
pushes "dhcp-option DOMAIN ....", hosts under that domain will only be
queried via the VPN tunnel. You may call this a partial DNS split.
In coming releases, we will evaluate further possibilities to configure
how DNS requests would be handled by systemd-resolved. This could
include modes such as full split (only query for pushed DOMAIN via the
DNS server provided by the VPN) or exclusive VPN (DNS queries should
only go via the VPN tunnel).
This systemd-resolved integration requires at least CentOS 8,
Fedora 31, 32 or Rawhide, Red Hat Enterprise Linux 8 or Ubuntu 20.04.
Other distributions may work as long as they use systemd v243 or newer.
To enable this backend, first ensure that systemd-resolved is
properly configured and activated on your system. Currently only
Ubuntu 20.04 does that somewhat out-of-the-box (some additional
changes to nsswitch.conf might be required for optimal results).
Please read the systemd-resolved documentation available for your
Linux distribution.
Once systemd-resolved is enabled and activated, run this command
as root before starting any VPN tunnels:
# openvpn3-admin netcfg-service --config-set systemd-resolved 1
and wait until openvpn3-service-netcfg has restarted. With the
log-level set to 5 or higher in netcfg-service, the log will include
this line:
Network Configuration VERB2: systemd-resolved DNS configuration backend
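As an added example, not part of openvpn3-linux or this announcement, the following POSIX shell script wraps the pre-flight checks implied by the steps above: a systemd of v243 or newer, an active systemd-resolved service, an nsswitch.conf hosts line that sends lookups through the resolve module ahead of dns, and a netcfg log that confirms the backend switch. The check functions take their input as a string argument so they can be exercised on constructed samples; the function, variable and message names are my own. The "resolve before dns" requirement for nsswitch.conf is the usual nss-resolve guidance and is an assumption, not something the notes state.

```shell
#!/bin/sh
# Added example, not part of openvpn3-linux: pre-flight checks for enabling the
# systemd-resolved DNS backend in openvpn3-service-netcfg.
# The *_ok/_active functions take their input as a string argument so they can
# be tested on constructed samples; run_live_checks feeds them real host data.

# systemd_version_ok "<first line of 'systemctl --version'>"
# The release notes require systemd v243 or newer.
systemd_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^systemd \([0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] && [ "$ver" -ge 243 ]
}

# nsswitch_hosts_ok "<the hosts: line of /etc/nsswitch.conf>"
# Assumption (standard nss-resolve guidance, not from the notes): glibc lookups
# only reach systemd-resolved when the 'resolve' module is listed and comes
# before 'dns'. Action tokens such as [NOTFOUND=return] are stripped first so
# the unquoted word split below cannot trigger pathname expansion.
nsswitch_hosts_ok() {
    case "$1" in
        hosts:*) ;;
        *) return 1 ;;
    esac
    mods=$(printf '%s\n' "${1#hosts:}" | sed 's/\[[^]]*\]//g')
    pos=0 resolve_pos=0 dns_pos=0
    for mod in $mods; do
        pos=$((pos + 1))
        case "$mod" in
            resolve) resolve_pos=$pos ;;
            dns)     dns_pos=$pos ;;
        esac
    done
    [ "$resolve_pos" -gt 0 ] && { [ "$dns_pos" -eq 0 ] || [ "$resolve_pos" -lt "$dns_pos" ]; }
}

# netcfg_backend_active "<netcfg log text>"
# With netcfg-service log-level 5 or higher, this line confirms the backend.
netcfg_backend_active() {
    printf '%s\n' "$1" | grep -q 'systemd-resolved DNS configuration backend'
}

# Run the checks against the live host and switch the backend. Needs root.
run_live_checks() {
    systemd_version_ok "$(systemctl --version | head -n 1)" \
        || { echo "systemd is older than v243; backend unsupported" >&2; return 1; }
    systemctl is-active --quiet systemd-resolved \
        || { echo "systemd-resolved is not active; enable it first" >&2; return 1; }
    nsswitch_hosts_ok "$(grep '^hosts:' /etc/nsswitch.conf)" \
        || echo "warning: 'resolve' is not ahead of 'dns' in the nsswitch.conf hosts line" >&2
    openvpn3-admin netcfg-service --config-set systemd-resolved 1 || return 1
    echo "Backend set. Once openvpn3-service-netcfg has restarted, pass its log text" >&2
    echo "to netcfg_backend_active to confirm the backend line is present." >&2
}

# Only touch the host when explicitly asked; otherwise the file just defines functions.
if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

Run it as root with `--live` to check the host and set the option; without arguments it only defines the functions, so it can be sourced. Where the netcfg log ends up depends on how openvpn3-service-netcfg logging is set up on the host, so the script asks you to hand the log text to netcfg_backend_active rather than guessing a location.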
* Feature: openvpn3 log with --config will now wait for a not-started session
When starting the end-user session logging, prior versions required the
VPN session to already be running before a log client could be attached.
With this release, if the session has not been started yet, the
openvpn3 log command will wait until it sees the appropriate VPN session
start and will attach to it immediately. This makes it possible to
capture the first log lines of a starting VPN session for an end-user
who has no other way of accessing the OpenVPN logs.
* Improvement: openvpn3 log sanitizes new line characters better
The log output of openvpn3 log could contain a lot of additional blank
lines. These have been removed, and indentation has been added for
multi-line log events to make the log output more readable.
* Improvement: openvpn3-as indicates tls-crypt-v2 support to AS
When downloading a VPN configuration profile from an OpenVPN Access
Server, the openvpn3-as script will now signal to the server it is
capable of handling configurations with --tls-crypt-v2.
* Bugfix: Improper session clean-up on server triggered disconnect
If the VPN server forcefully disconnected an already established
session, the Session Manager would not properly track this, which led
to missing session details in openvpn3 sessions-list.
This has now been resolved by properly catching a server-triggered
disconnect and shutting down the openvpn3-service-client process
responsible for the session, which in turn updates the session manager
about the disconnected session.
* Bugfix: AWS integration failed to propagate routes in some AWS regions
The openvpn3-service-aws process could in some AWS regions fail to push
routes to the AWS VPC, leading to a process crash. The crash has been
fixed, and the AWS service has been extended with more regional CA
certificates used when validating the AWS requests. In addition, it
will now look in more of the system CA certificate file locations than
before.
* Bugfix: openvpn3 command could throw unfriendly error messages
If a user was not granted access to a running VPN session, attempting
to access that session via openvpn3 session-manage would result in a
raw DBusProxyAccessDeniedException error being shown.
This has been improved; the user is now shown "Access Denied" in a
more user-friendly way.
* Bugfix: openvpn3-service-netcfg would crash without --resolv-conf
If openvpn3-service-netcfg was started without the --resolv-conf
option, it would crash if the VPN server pushed a DNS configuration.
This has been resolved, and it is now possible to run the service
completely without any DNS configuration support.
* Bugfix: openvpn3-service-client crash on some hosts with log redirection
If openvpn3-service-backendstart was given '--client-log-file stdout:',
this would tell it to start the openvpn3-service-client process with
'--log-file stdout:'. On some hosts this would cause a program crash
instead. This has been resolved.
* Bugfix: openvpn3-service-sessionmgr would crash on illegal log-levels
If a user attempted to change the log-level of a D-Bus session object
they are granted access to using an invalid value, it would lead to a
crash of the openvpn3-service-sessionmgr process. This made it
impossible to further manage already running VPN sessions without root
privileges.
This has been resolved by properly rejecting invalid values as an error
returned to the calling user instead of treating them as a fatal failure.
The complete overview of all changes:
Arne Schwabe (5):
Announce tls-crypt-v2 support on AS configuration import
Compile fix for ILP32 platforms like Raspberry Pi
contrib/cmake: Remove extra ${OPENVPN3_LINUX_ROOT} from source files
contrib/cmake: Make CMakeLists.txt work with config.h from configure
contrib: Improve Jenkinsfile with stage and archiving test-suite.log
David Sommerseth (81):
vendor: Update ASIO to 1.16.0
core: Update to latest core git master
cli/session: Fix incorrect command reference in throws
sessionmgr/proxy: Add TunInterfaceException
cli/session: Properly catch DBusException
log: Remove trailing newlines in LogEvents
ovpn3cli/log: Indent multiline log lines
ovpn3cli/log: Add --interface option
sessionmgr: Fix crash with incorrect log level
sessionmgr: Add SessionManager::Event class
sessionmgr: Implement sending SessionManagerEvent signals
ovpn3cli/log: Improve the complete session log setup logic
client: Fix failing --log-file feature
docs: Add missing dependency in Debian/Ubuntu instructions
netcfg: Avoid segfault when configured without --resolv-conf
client: New debug option in openvpn3-service-backendstart
common/build: Rework version information handling
build: Clean up after version metadata rework
build: Fix 'make install'
dbus: Clarify a few StatusMinor states in the comment
client: Process CLIENT_HALT event
build: Fix 'make uninstall' for the SELinux policy
client: Fix incorrect environment array handling
netcfg: Fix a typo in the AddNameServers exceptions
netcfgmgr/dns: Add indication when to apply DNS settings
netcfgmgr/dns: Extend ResolverSettings object store tun device name
netcfgmgr/dns: Apply resolver settings according to the backend
dbus/glib: Extend checkParams() to optionally ignore children count
dbus/proxy: Migrate to better value extraction in GetProperty() and CheckServiceAvail()
policy: Added polkit policy for systemd-resolved interaction
netcfg: Add proxy code for systemd-resolved
netcfg: Add ResolverBackendInterface implementation for systemd-resolved
netcfg: Complete the systemd-resolved support
netcfg: systemd-resolved - Make all global queries also go via VPN
policy: Add support for legacy polkit PKLA files
man: Minor cleanups and improvements
common/cmdargparser: Refactor ParsedArgs passing to be a smart pointer
common/ParsedArgs: New methods to retrieve the last set option values
common: Extend ParsedArgs with CheckExclusiveOptions() method
common: Extend command parser with ParsedArgsConfig class
man: Make template out of a few of the man pages
netcfg: Extend service with --state-dir
common: Extend ParsedArgs::Present() with a std::vector variant
common: Move command line parsing related exception
common: Implement a simple and generic JSON config parser
common: Extend ParsedArgs with a simpler config file parser approach
netcfg: Implement the new config file parser
common: Remove the no longer used ParsedArgsConfig implementation
netcfg: Extend manager object with a config_file property
cli/netcfg-service: Extend with --config-show, --config-set and --config-unset
netcfg: Fix incorrect default log-level
cli/netcfg: Add --config-file-override to netcfg-service
cli/netcfg: Make netcfg-service command more robust
common: Extend Configuration::File parser with option groups
cli/netcfg: Extend netcfg-service with CheckExclusiveOptions() check
common: Extend Configuration::File with GetRelatedExclusiveOptions()
common: Extend ParsedArgs::ImportConfigFile() with exclusive check
netcfg: Allow configuration file to override command line arguments
python: Add support for --tls-cipher
cli/log: Extend shell auto-completion with --config
cli/log: Fix typ0 in AttachByConfig() method name
deps: Update ASIO to 1.17.0
deps: Update OpenVPN 3 Core library to latest git master
Update .gitignore - it was missing openvpn3.pp.bz2
dbus: Add a couple of missing header files
cli: Handle DBusProxyAccessDeniedException events better
netcfg/resolved: Better exception handling when communicating with systemd-resolved
python/shell: Add bash-completion for openvpn2
build: Enable installing bash-completion scripts
docs: Update README.md with missing googletest mention
common: Fix Configuration::File::Save() not writing empty files
build/aws: Simplify the autotools setup for addons/aws
build: Fix missing uninstall of bash-completion scripts
build/aws: Fix failing out-of-tree builds
build/aws: Fix incorrect distribution of D-Bus policy and systemd unit files
contrib/CI: Enable the AWS addon in Jenkins builds
common: Configuration::File::Load() should accept empty files
netcfg/resolved: Revert tun interface DNS settings on removal
core: Update to latest OpenVPN 3 Core library
cli/admin: netcfg-service could exit with an empty error
docs: Update README.md
Lev Stipakov (5):
client: properly handle client termination
contrib: Add missing files in CMakelists.txt
addons/aws: Improve error handling
addons/aws: AWS certificates to verify instance identity
addons/aws: provide AWS certs directory to core library