OpenVPN 3 Linux v14 (beta)
The highlights of this release include:
* Security: [CVE-2021-3547] --verify-x509-name overrides certificate checks
The OpenVPN 3 Core library gained support for --verify-x509-name in
commit 583986920236f7e (committed 2019-11-08). That implementation
reset the result of prior certificate checks: if an earlier certificate
check failed and the --verify-x509-name check passed, the connection
was accepted as valid. This has been fixed in the Core library as of
OpenVPN 3 Core library commit febf01ef68b84f.
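The following is an added illustration of the bug class described above, not code from OpenVPN 3 Core. It models certificate verification as a pipeline in which every stage receives the verdict of the stages before it (the way an OpenSSL verify callback receives preverify_ok). The Cert model, the stage names and the sample certificates are constructed for the example; the point is the difference between a stage that returns only its own result and one that combines it with the prior verdict.

```python
# Added example (not OpenVPN 3 Core code): the CVE-2021-3547 class of bug.
# A later check that returns only its own result discards earlier failures;
# the fixed form may only narrow the verdict.  Cert and the stage names are
# constructed for this illustration.
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a peer certificate (constructed, not real X.509)."""
    subject_cn: str
    chain_valid: bool          # outcome of the signature/chain/trust checks
    expired: bool = False


# A stage takes (prior_ok, cert) and returns the combined verdict so far.
Stage = Callable[[bool, Cert], bool]


def chain_stage(prior_ok: bool, cert: Cert) -> bool:
    return prior_ok and cert.chain_valid


def validity_stage(prior_ok: bool, cert: Cert) -> bool:
    return prior_ok and not cert.expired


def x509_name_stage_buggy(expected_cn: str) -> Stage:
    """Flawed pattern: ignore prior_ok and report only the name match, so a
    failed chain check followed by a matching name is accepted."""
    def stage(prior_ok: bool, cert: Cert) -> bool:
        return cert.subject_cn == expected_cn
    return stage


def x509_name_stage_fixed(expected_cn: str) -> Stage:
    """Correct pattern: a later stage can only turn an accept into a reject."""
    def stage(prior_ok: bool, cert: Cert) -> bool:
        return prior_ok and cert.subject_cn == expected_cn
    return stage


def verify(cert: Cert, stages: List[Stage]) -> bool:
    """Run the stages in order, threading the verdict through each of them."""
    ok = True
    for stage in stages:
        ok = stage(ok, cert)
    return ok


def run_pipeline(cert: Cert, expected_cn: str, fixed: bool) -> bool:
    """Chain check, validity check, then the --verify-x509-name style check."""
    name_stage = x509_name_stage_fixed if fixed else x509_name_stage_buggy
    return verify(cert, [chain_stage, validity_stage, name_stage(expected_cn)])


if __name__ == "__main__":
    # Constructed sample: the chain does not verify, but the name matches.
    untrusted = Cert("vpn.example.test", chain_valid=False)
    print("buggy accepts untrusted chain:",
          run_pipeline(untrusted, "vpn.example.test", fixed=False))
    print("fixed accepts untrusted chain:",
          run_pipeline(untrusted, "vpn.example.test", fixed=True))
```

The useful defensive check is the one in verify(): once any stage has rejected, no later stage is allowed to flip the verdict back, which is exactly what the buggy name stage violates.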
* systemd-resolved - support for DNS zones
This is the first step towards better split-DNS support. It
implements the configuration settings needed to properly set up the
global or tunnel DNS resolver scope in systemd-resolved. In the
resolv-conf based mode this setting is ignored (and logged as a
warning), as resolv-conf only supports a single DNS resolver.
Currently, the tunnel scope is very simplistic: it only results in
systemd-resolved not querying anything other than the pushed
DOMAIN/DOMAIN-SEARCH domains via the DNS servers for the VPN session.
It is more a reverse filter than an explicit filter. All other
"global" scopes will still be queried. Domains *not* matching the
DOMAIN/DOMAIN-SEARCH settings will not be queried via this VPN link.
This is closer to how systemd-resolved is designed, and the behaviour
will hopefully be improved further later on.
* Improved SELinux policies
OpenVPN 3 Linux can now run on CentOS, Fedora and Red Hat Enterprise
Linux with DCO enabled on VPN profiles and with SELinux policies
enforced. The openvpn3-service-netcfg and openvpn3-service-client
processes now run in their own confined environment with further
restricted access.
* The OpenVPN 3 client will report IV_HWADDR
When connecting, the client reports some peer information back to the
server. Until now, IV_HWADDR has not been provided. This value is
supposed to be fixed per connecting host. The reported value is a
SHA256 hash of /etc/machine-id together with some OpenVPN 3 Linux
specific values. If the machine-id file is not readable, the client
generates its own value and stores it under /var/lib/openvpn3 so that
it persists across sessions.
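The following is an added example, not OpenVPN 3 Linux code, of the two properties described above: a host identifier that is a SHA256 hash rather than the raw machine-id, and a persistent fallback when the machine-id is unreadable. The "OpenVPN 3 Linux specific values" mixed into the hash are not described in these notes, so APP_CONTEXT below is a constructed placeholder, and the machine-id and state-directory paths are parameters so the example runs without root instead of touching /etc/machine-id or /var/lib/openvpn3.

```python
# Added example (not OpenVPN 3 Linux code): a stable, non-reversible per-host
# identifier in the spirit of IV_HWADDR.  APP_CONTEXT is a placeholder for the
# project-specific values, which are not given in the release notes.
import hashlib
import os
import secrets
from pathlib import Path

APP_CONTEXT = b"example-app-context"  # placeholder, not the real project values


def derive_host_id(machine_id: bytes, context: bytes = APP_CONTEXT) -> str:
    """SHA256 over the machine-id plus a context string.  The context keeps
    the result distinct from other software hashing the same machine-id, and
    the hash avoids sending the machine-id itself to the server."""
    h = hashlib.sha256()
    h.update(machine_id.strip())
    h.update(b"\0")            # separator so id/context boundaries are fixed
    h.update(context)
    return h.hexdigest()


def _read_nonempty(path: Path):
    """Return the stripped file content, or None if unreadable or empty."""
    try:
        data = path.read_bytes().strip()
    except OSError:
        return None
    return data or None


def host_id(machine_id_path: Path, state_dir: Path) -> str:
    """Prefer the system machine-id; otherwise use (or create once) a random
    value persisted under state_dir so the identifier stays fixed across runs."""
    mid = _read_nonempty(machine_id_path)
    if mid is not None:
        return derive_host_id(mid)

    state_file = state_dir / "machine-id"
    stored = _read_nonempty(state_file)
    if stored is None:
        stored = secrets.token_hex(16).encode("ascii")
        state_dir.mkdir(parents=True, exist_ok=True)
        # Write atomically with owner-only permissions so a partial file is
        # never read back and other local users cannot learn the value.
        tmp = state_file.with_suffix(".tmp")
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(stored + b"\n")
        os.replace(tmp, state_file)
    return derive_host_id(stored)


if __name__ == "__main__":
    # Real-system paths would be /etc/machine-id and /var/lib/openvpn3;
    # writing the fallback there needs the service's own privileges.
    print(host_id(Path("/etc/machine-id"), Path("./example-state")))
```

Two details matter for a defender: the identifier changes if the context string changes, so it cannot be correlated with another product's hash of the same machine-id, and the fallback is generated once and reused, which is what makes it usable as a "fixed value per connecting host".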
* Support for querying the user for HTTP proxy credentials during
connection
* Support for inline --http-user-pass values in configuration files
* Support for inline --auth-user-pass values in configuration files
* DCO support can now be activated with openvpn3 session-start and
openvpn2 command line front-ends
* DCO device names will now carry the name of --dev in the configuration
In addition, this release contains several bug fixes and other improvements.
Antonio Quartulli (1):
ovpn-dco: adapt interfaces to new API format
Arne Schwabe (1):
Add Coverity to jenkins build
David Sommerseth (67):
build: Fix out-of-tree builds from git checkouts
dbus/signals: Kick out the poor char */std::string "converters"
netcfg: Fix incorrect return string in DNS::ResolverSettings::AddNameServers()
log: Fix incorrect unsigned int logic
log: Clean-up a switch statement
client: Add exception safe-guard in BackendClientDBus d'tor
netcfg: Fix incorrect IPv6 default gw setup
submodules: Update OpenVPN 3 Core and ovpn-dco
glib: Improve error message when GLibUtils::checkParams() fails
configmgr: Prepare for --dns-scope in configuration profiles
netcfg: Implement DNS resolver scope support
client: Propagate VPN profile dns-scope setting to netcfg
python: Add support for dns-scope setting via openvpn3-autoload
client: Delay the forced shutdown on LogFATAL()
client: Add ClientException to start improving client error handling
cli: Be more friendly with ERR_PROFILE_SERVER_LOCKED_UNSUPPORTED
tests/signal_listener: Add support for Log() with session tokens
client: Enable DCO configuration override via D-Bus property
sessionmgr: Provide access to the DCO flag in a VPN session
docs/sessions: Update net.openvpn.v3.sessions D-Bus documentation
docs/client: Update net.openvpn.v3.backends.be* D-Bus documentation
ovpn3cli: Add --dco support to session-start
python: Extend SessionManager.Session with DCO capabilities
python: Extend ConfigParser with DCO support
python/openvpn2: Add support for enabling/disabling DCO
python/openvpn2: Fix stray verb debug print()
ovpn3cli/session: Display an indicator on DCO enabled sessions
Revert "configmgr: Add DCO device naming hack"
ovpn3cli/session-start: Fix incorrect console input truncation
dco: Update to latest ovpn-dco
vendor: Update to ASIO 1.18.1
core-ext: Fix improper processing of potential inline options
selinux: Add policies for netcfg and client processes
selinux: Rework the policy build Makefile
build: Make netcfg DNS resolver configurable
build: Detect Linux distro to configure DNS resolver
build: Fix missing distribution of SELinux policy files
python: Fix incorrect JSON parsing error message (filename)
netcfg: Add method to extract only error message in NetCfgProxyException
netcfg/proxy: Try to ensure net.openvpn.v3.netcfg is available
cli: Properly catch if net.openvpn.v3.netcfg is unavailable
configfile: Add "true" as a valid "present" value
build: Save the OpenVPN 3 statedir into config.h
common: Implement MachineID for uniquely identifying a host
client: Implement passing IV_HWADDR
vendor: Update to ASIO 1.18.2
dco: Update to latest ovpn-dco
core: Update to latest OpenVPN 3 Core library
common: Add missing sstream include in machineid.cpp
common,core: Fix compat issues with older OpenSSL
common: Use proper OpenSSL EVP SHA256 APIs in MachineID related code
netcfg: Only LogCritical when DNS resolver changes failed
client: Properly handle device disabling exceptions
selinux: Add missing file context transition for resolv.conf
client: Improve error handling when interacting with the NetCfg service
netcfg: Disable DNS::ResolverSettings for failing resolved updates
netcfg/resolved: Catch more error situations
client/core: Fix incorrect bool logic for TUN_SETUP/TUN_IFACE events
client/core: Improve fatal exception handling in event()
netcfg: Use the proper capng_select_t when dropping capabilities
dbus: Extend DBusProxy with GetNameOwner() method
dbus: Extend DBusProxy with StartServiceByName() method
netcfg/resolved: Check if org.freedesktop.PolicyKit1 is available
docs: Update README with polkit/policykit dependency requirement
netcfg: Catch exceptions related to SystemdResolved init issues
netcfg: Catch more exceptions when establishing a virtual interface
selinux: Fix proper privileges for netcfg netlink_generic_socket
Heiko Hund (4):
update .gitignore
core-extension: Add support for inline auth-user-pass
core-extension: Add support for inline http-proxy-user-pass
client: Allow querying HTTP proxy credentials dynamically
Romain Loutrel (1):
python: Add --mute, --route-delay and --route-method to ignored options