32#ifdef HAVE_CONFIG_VERSION_H
33#include "config-version.h"
71#ifdef CONFIGURE_GIT_REVISION
72 " [git:" CONFIGURE_GIT_REVISION CONFIGURE_GIT_FLAGS
"]"
75#if defined(ENABLE_CRYPTO_MBEDTLS)
77#elif defined(ENABLE_CRYPTO_OPENSSL)
89#ifdef ENABLE_COMP_STUB
96#ifdef PRODUCT_TAP_DEBUG
103#if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST)
105#elif defined(IP_RECVDSTADDR)
113#ifdef CONFIGURE_GIT_REVISION
114 " built on " __DATE__
124 "--config file : Read configuration options from file.\n"
125 "--help : Show options.\n"
126 "--version : Show copyright and version information.\n"
129 "--local host|* [port]: Local host name or IP address and port for bind.\n"
130 " If specified, OpenVPN will bindto this address. If unspecified,\n"
131 " OpenVPN will bind to all interfaces. '*' can be used as hostname\n"
132 " and means 'any host' (OpenVPN will listen on what is returned by the OS).\n"
133 " On a client, or in point-to-point mode, this can only be specified once (1 socket).\n"
134 " On an OpenVPN setup running as ``--server``, this can be specified multiple times\n"
135 " to open multiple listening sockets on different addresses and/or different ports.\n"
136 " In order to specify multiple listen ports without specifying an address, use '*'\n"
137 " to signal 'use what the operating system gives you as default', for\n"
138 " 'all IPv4 addresses' use '0.0.0.0', for 'all IPv6 addresses' use '::'.\n"
139 " ``--local`` implies ``--bind``.\n"
140 "--remote host [port] : Remote host name or ip address.\n"
141 "--remote-random : If multiple --remote options specified, choose one randomly.\n"
142 "--remote-random-hostname : Add a random string to remote DNS name.\n"
143 "--mode m : Major mode, m = 'p2p' (default, point-to-point) or 'server'.\n"
144 "--proto p : Use protocol p for communicating with peer.\n"
145 " p = udp (default), tcp-server, tcp-client\n"
146 " udp4, tcp4-server, tcp4-client\n"
147 " udp6, tcp6-server, tcp6-client\n"
148 "--proto-force p : only consider protocol p in list of connection profiles.\n"
150 "--connect-retry n [m] : For client, number of seconds to wait between\n"
151 " connection retries (default=%d). On repeated retries\n"
152 " the wait time is exponentially increased to a maximum of m\n"
154 "--connect-retry-max n : Maximum connection attempt retries, default infinite.\n"
155 "--http-proxy s p [up] [auth] : Connect to remote host\n"
156 " through an HTTP proxy at address s and port p.\n"
157 " If proxy authentication is required,\n"
158 " up is a file containing username/password on 2 lines, or\n"
159 " 'stdin' to prompt from console. Add auth='ntlm2' if\n"
160 " the proxy requires NTLM authentication.\n"
161 "--http-proxy s p 'auto[-nct]' : Like the above directive, but automatically\n"
162 " determine auth method and query for username/password\n"
163 " if needed. auto-nct disables weak proxy auth methods.\n"
164 "--http-proxy-option type [parm] : Set extended HTTP proxy options.\n"
165 " Repeat to set multiple options.\n"
166 " VERSION version (default=1.0)\n"
167 " AGENT user-agent\n"
168 "--socks-proxy s [p] [up] : Connect to remote host through a Socks5 proxy at\n"
169 " address s and port p (default port = 1080).\n"
170 " If proxy authentication is required,\n"
171 " up is a file containing username/password on 2 lines, or\n"
172 " 'stdin' to prompt for console.\n"
173 "--socks-proxy-retry : Retry indefinitely on Socks proxy errors.\n"
174 "--resolv-retry n: If hostname resolve fails for --remote, retry\n"
175 " resolve for n seconds before failing (disabled by default).\n"
176 " Set n=\"infinite\" to retry indefinitely.\n"
177 "--float : Allow remote to change its IP address/port, such as through\n"
178 " DHCP (this is the default if --remote is not used).\n"
179 "--ipchange cmd : Run command cmd on remote ip address initial\n"
180 " setting or change -- execute as: cmd ip-address port#\n"
181 "--port port : TCP/UDP port # for both local and remote.\n"
182 "--lport port : TCP/UDP port # for local (default=%s). Implies --bind.\n"
183 "--rport port : TCP/UDP port # for remote (default=%s).\n"
184 "--bind : Bind to local address and port. (This is the default unless\n"
185 " --proto tcp-client"
189 "--nobind : Do not bind to local address and port.\n"
190 "--dev tunX|tapX : tun/tap device (X can be omitted for dynamic device.\n"
191 "--dev-type dt : Which device type are we using? (dt = tun or tap) Use\n"
192 " this option only if the tun/tap device used with --dev\n"
193 " does not begin with \"tun\" or \"tap\".\n"
194 "--dev-node node : Explicitly set the device node rather than using\n"
195 " /dev/net/tun, /dev/tun, /dev/tap, etc.\n"
196#if defined(ENABLE_DCO)
197 "--disable-dco : Do not attempt using Data Channel Offload.\n"
199 "--lladdr hw : Set the link layer address of the tap device.\n"
200 "--topology t : Set --dev tun topology: 'net30', 'p2p', or 'subnet'.\n"
202 "--iproute cmd : Use this command instead of default " IPROUTE_PATH
".\n"
204 "--ifconfig l rn : TUN: configure device to use IP address l as a local\n"
205 " endpoint and rn as a remote endpoint. l & rn should be\n"
206 " swapped on the other peer. l & rn must be private\n"
207 " addresses outside of the subnets used by either peer.\n"
208 " TAP: configure device to use IP address l as a local\n"
209 " endpoint and rn as a subnet mask.\n"
210 "--ifconfig-ipv6 l r : configure device to use IPv6 address l as local\n"
211 " endpoint (as a /64) and r as remote endpoint\n"
212 "--ifconfig-noexec : Don't actually execute ifconfig/netsh command, instead\n"
213 " pass --ifconfig parms by environment to scripts.\n"
214 "--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of the\n"
215 " connection doesn't match the remote side.\n"
217 "--route-table table_id : Specify a custom routing table for use with --route(-ipv6).\n"
218 " If not specified, the id of the default routing table will be used.\n"
220 "--route network [netmask] [gateway] [metric] :\n"
221 " Add route to routing table after connection\n"
222 " is established. Multiple routes can be specified.\n"
223 " netmask default: 255.255.255.255\n"
224 " gateway default: taken from --route-gateway or --ifconfig\n"
225 " Specify default by leaving blank or setting to \"default\".\n"
226 "--route-ipv6 network/bits [gateway] [metric] :\n"
227 " Add IPv6 route to routing table after connection\n"
228 " is established. Multiple routes can be specified.\n"
229 " gateway default: taken from --route-ipv6-gateway or 'remote'\n"
230 " in --ifconfig-ipv6\n"
231 "--route-gateway gw|'dhcp' : Specify a default gateway for use with --route.\n"
232 "--route-ipv6-gateway gw : Specify a default gateway for use with --route-ipv6.\n"
233 "--route-metric m : Specify a default metric for use with --route.\n"
234 "--route-delay n [w] : Delay n seconds after connection initiation before\n"
235 " adding routes (may be 0). If not specified, routes will\n"
236 " be added immediately after tun/tap open. On Windows, wait\n"
237 " up to w seconds for TUN/TAP adapter to come up.\n"
238 "--route-up cmd : Run command cmd after routes are added.\n"
239 "--route-pre-down cmd : Run command cmd before routes are removed.\n"
240 "--route-noexec : Don't add routes automatically. Instead pass routes to\n"
241 " --route-up script using environmental variables.\n"
242 "--route-nopull : When used with --client or --pull, accept options pushed\n"
243 " by server EXCEPT for routes, dns, and dhcp options.\n"
244 "--allow-pull-fqdn : Allow client to pull DNS names from server for\n"
245 " --ifconfig, --route, and --route-gateway.\n"
246 "--redirect-gateway [flags]: Automatically execute routing\n"
247 " commands to redirect all outgoing IP traffic through the\n"
248 " VPN. Add 'local' flag if both " PACKAGE_NAME
" servers are directly\n"
249 " connected via a common subnet, such as with WiFi.\n"
250 " Add 'def1' flag to set default route using using 0.0.0.0/1\n"
251 " and 128.0.0.0/1 rather than 0.0.0.0/0. Add 'bypass-dhcp'\n"
252 " flag to add a direct route to DHCP server, bypassing tunnel.\n"
253 " Add 'bypass-dns' flag to similarly bypass tunnel for DNS.\n"
254 "--redirect-private [flags]: Like --redirect-gateway, but omit actually changing\n"
255 " the default gateway. Useful when pushing private subnets.\n"
256 "--block-ipv6 : (Client) Instead sending IPv6 to the server generate\n"
257 " ICMPv6 host unreachable messages on the client.\n"
258 " (Server) Instead of forwarding IPv6 packets send\n"
259 " ICMPv6 host unreachable packets to the client.\n"
260 "--client-nat snat|dnat network netmask alias : on client add 1-to-1 NAT rule.\n"
261 "--push-peer-info : (client only) push client info to server.\n"
262 "--setenv name value : Set a custom environmental variable to pass to script.\n"
263 "--setenv FORWARD_COMPATIBLE 1 : Relax config file syntax checking to allow\n"
264 " directives for future OpenVPN versions to be ignored.\n"
265 "--ignore-unknown-option opt1 opt2 ...: Relax config file syntax. Allow\n"
266 " these options to be ignored when unknown\n"
267 "--script-security level: Where level can be:\n"
268 " 0 -- strictly no calling of external programs\n"
269 " 1 -- (default) only call built-ins such as ifconfig\n"
270 " 2 -- allow calling of built-ins and scripts\n"
271 " 3 -- allow password to be passed to scripts via env\n"
272 "--shaper n : Restrict output to peer to n bytes per second.\n"
273 "--keepalive n m : Helper option for setting timeouts in server mode. Send\n"
274 " ping once every n seconds, restart if ping not received\n"
276 "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n"
277 " produces a combined in/out byte count < bytes.\n"
278 "--session-timeout n: Limit connection time to n seconds.\n"
279 "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n"
280 "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n"
281 "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n"
283 "--ping n : Ping remote once every n seconds over TCP/UDP port.\n"
285 "--multihome : Configure a multi-homed UDP server.\n"
287 "--fast-io : Optimize TUN/TAP/UDP writes.\n"
288 "--remap-usr1 s : On SIGUSR1 signals, remap signal (s='SIGHUP' or 'SIGTERM').\n"
289 "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n"
290 "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n"
291 "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n"
292#if PASSTOS_CAPABILITY
293 "--passtos : TOS passthrough (applies to IPv4 only).\n"
295 "--tun-mtu n : Take the tun/tap device MTU to be n and derive the\n"
296 " TCP/UDP MTU from it (default=%d).\n"
297 "--tun-mtu-extra n : Assume that tun/tap device might return as many\n"
298 " as n bytes more than the tun-mtu size on read\n"
299 " (default TUN=0 TAP=%d).\n"
300 "--tun-mtu-max n : Maximum pushable MTU (default and minimum=%d).\n"
301 "--link-mtu n : Take the TCP/UDP device MTU to be n and derive the tun MTU\n"
303 "--mtu-disc type : Should we do Path MTU discovery on TCP/UDP channel?\n"
304 " 'no' -- Never send DF (Don't Fragment) frames\n"
305 " 'maybe' -- Use per-route hints\n"
306 " 'yes' -- Always DF (Don't Fragment)\n"
307 "--mtu-test : Empirically measure and report MTU.\n"
308#ifdef ENABLE_FRAGMENT
309 "--fragment max : Enable internal datagram fragmentation so that no UDP\n"
310 " datagrams are sent which are larger than max bytes.\n"
311 " Adds 4 bytes of overhead per datagram.\n"
313 "--mssfix [n] : Set upper bound on TCP MSS, default = tun-mtu size\n"
314 " or --fragment max value, whichever is lower.\n"
315 "--sndbuf size : Set the TCP/UDP send buffer size.\n"
316 "--rcvbuf size : Set the TCP/UDP receive buffer size.\n"
317#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
318 "--mark value : Mark encrypted packets being sent with value. The mark value\n"
319 " can be matched in policy routing and packetfilter rules.\n"
320 "--bind-dev dev : Bind to the given device when making connection to a peer or\n"
321 " listening for connections. This allows sending encrypted packets\n"
322 " via a VRF present on the system.\n"
324 "--txqueuelen n : Set the tun/tap TX queue length to n (Linux only).\n"
325#ifdef ENABLE_MEMSTATS
326 "--memstats file : Write live usage stats to memory mapped binary file.\n"
328 "--mlock : Disable Paging -- ensures key material and tunnel\n"
329 " data will never be written to disk.\n"
330 "--up cmd : Run command cmd after successful tun device open.\n"
331 " Execute as: cmd tun/tap-dev tun-mtu link-mtu \\\n"
332 " ifconfig-local-ip ifconfig-remote-ip\n"
333 " (pre --user or --group UID/GID change)\n"
334 "--up-delay : Delay tun/tap open and possible --up script execution\n"
335 " until after TCP/UDP connection establishment with peer.\n"
336 "--down cmd : Run command cmd after tun device close.\n"
337 " (post --user/--group UID/GID change and/or --chroot)\n"
338 " (command parameters are same as --up option)\n"
339 "--down-pre : Run --down command before TUN/TAP close.\n"
340 "--up-restart : Run up/down commands for all restarts including those\n"
341 " caused by --ping-restart or SIGUSR1\n"
342 "--user user : Set UID to user after initialization.\n"
343 "--group group : Set GID to group after initialization.\n"
344 "--chroot dir : Chroot to this directory after initialization.\n"
346 "--setcon context: Apply this SELinux context after initialization.\n"
348 "--cd dir : Change to this directory before initialization.\n"
349 "--daemon [name] : Become a daemon after initialization.\n"
350 " The optional 'name' parameter will be passed\n"
351 " as the program name to the system logger.\n"
352 "--syslog [name] : Output to syslog, but do not become a daemon.\n"
353 " See --daemon above for a description of the 'name' parm.\n"
354 "--log file : Output log to file which is created/truncated on open.\n"
355 "--log-append file : Append log to file, or create file if nonexistent.\n"
356 "--suppress-timestamps : Don't log timestamps to stdout/stderr.\n"
357 "--machine-readable-output : Always log timestamp, message flags to stdout/stderr.\n"
358 "--writepid file : Write main process ID to file.\n"
359 "--nice n : Change process priority (>0 = lower, <0 = higher).\n"
360 "--echo [parms ...] : Echo parameters to log output.\n"
361 "--verb n : Set output verbosity to n (default=%d):\n"
362 " (Level 3 is recommended if you want a good summary\n"
363 " of what's happening without being swamped by output).\n"
364 " : 0 -- no output except fatal errors\n"
365 " : 1 -- startup info + connection initiated messages +\n"
366 " non-fatal encryption & net errors\n"
367 " : 2,3 -- show TLS negotiations & route info\n"
368 " : 4 -- show parameters\n"
369 " : 5 -- show 'RrWw' chars on console for each packet sent\n"
370 " and received from TCP/UDP (caps) or tun/tap (lc)\n"
371 " : 6 to 11 -- debug messages of increasing verbosity\n"
372 "--mute n : Log at most n consecutive messages in the same category.\n"
373 "--status file [n] : Write operational status to file every n seconds.\n"
374 "--status-version [n] : Choose the status file format version number.\n"
375 " Currently, n can be 1, 2, or 3 (default=1).\n"
376 "--disable-occ : (DEPRECATED) Disable options consistency check between peers.\n"
378 "--gremlin mask : Special stress testing mode (for debugging only).\n"
381 "--compress alg : Use compression algorithm alg\n"
382 "--allow-compression: Specify whether compression should be allowed\n"
383#if defined(ENABLE_LZO)
384 "--comp-lzo : Use LZO compression -- may add up to 1 byte per\n"
385 " packet for incompressible data.\n"
386 "--comp-noadapt : Don't use adaptive compression when --comp-lzo\n"
390#ifdef ENABLE_MANAGEMENT
391 "--management ip port [pass] : Enable a TCP server on ip:port to handle\n"
392 " management functions. pass is a password file\n"
393 " or 'stdin' to prompt from console.\n"
395 " To listen on a unix domain socket, specific the pathname\n"
396 " in place of ip and use 'unix' as the port number.\n"
398 "--management-client : Management interface will connect as a TCP client to\n"
399 " ip/port rather than listen as a TCP server.\n"
400 "--management-query-passwords : Query management channel for private key\n"
401 " and auth-user-pass passwords.\n"
402 "--management-query-proxy : Query management channel for proxy information.\n"
403 "--management-query-remote : Query management channel for --remote directive.\n"
404 "--management-hold : Start " PACKAGE_NAME
" in a hibernating state, until a client\n"
405 " of the management interface explicitly starts it.\n"
406 "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
407 "--management-forget-disconnect : Forget passwords when management disconnect\n"
409 "--management-up-down : Report tunnel up/down events to management interface.\n"
410 "--management-log-cache n : Cache n lines of log file history for usage\n"
411 " by the management channel.\n"
413 "--management-client-user u : When management interface is a unix socket, only\n"
414 " allow connections from user u.\n"
415 "--management-client-group g : When management interface is a unix socket, only\n"
416 " allow connections from group g.\n"
418 "--management-client-auth : gives management interface client the responsibility\n"
419 " to authenticate clients after their client certificate\n"
420 " has been verified.\n"
423 "--plugin m [str]: Load plug-in module m passing str as an argument\n"
424 " to its initialization function.\n"
426 "--vlan-tagging : Enable 802.1Q-based VLAN tagging.\n"
427 "--vlan-accept tagged|untagged|all : Set VLAN tagging mode. Default is 'all'.\n"
428 "--vlan-pvid v : Sets the Port VLAN Identifier. Defaults to 1.\n"
430 "Multi-Client Server options (when --mode server is used):\n"
431 "--server network netmask : Helper option to easily configure server mode.\n"
432 "--server-ipv6 network/bits : Configure IPv6 server mode.\n"
433 "--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to\n"
434 " easily configure ethernet bridging server mode.\n"
435 "--push \"option\" : Push a config file option back to the peer for remote\n"
436 " execution. Peer must specify --pull in its config file.\n"
437 "--push-reset : Don't inherit global push list for specific\n"
438 " client instance.\n"
439 "--push-remove opt : Remove options matching 'opt' from the push list for\n"
440 " a specific client instance.\n"
441 "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
442 " to be dynamically allocated to connecting clients.\n"
443 "--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool\n"
444 " data to file, at seconds intervals (default=600).\n"
445 " If seconds=0, file will be treated as read-only.\n"
446 "--ifconfig-ipv6-pool base-IP/bits : set aside an IPv6 network block\n"
447 " to be dynamically allocated to connecting clients.\n"
448 "--ifconfig-push local remote-netmask : Push an ifconfig option to remote,\n"
449 " overrides --ifconfig-pool dynamic allocation.\n"
450 " Only valid in a client-specific config file.\n"
451 "--ifconfig-ipv6-push local/bits remote : Push an ifconfig-ipv6 option to\n"
452 " remote, overrides --ifconfig-ipv6-pool allocation.\n"
453 " Only valid in a client-specific config file.\n"
454 "--iroute network [netmask] : Route subnet to client.\n"
455 "--iroute-ipv6 network/bits : Route IPv6 subnet to client.\n"
456 " Sets up internal routes only.\n"
457 " Only valid in a client-specific config file.\n"
458 "--disable : Client is disabled.\n"
459 " Only valid in a client-specific config file.\n"
460 "--override-username: Overrides the client-specific username to be used.\n"
461 " Only valid in a client-specific config file.\n"
462 "--verify-client-cert [none|optional|require] : perform no, optional or\n"
463 " mandatory client certificate verification.\n"
464 " Default is to require the client to supply a certificate.\n"
465 "--username-as-common-name : For auth-user-pass authentication, use\n"
466 " the authenticated username as the common name,\n"
467 " rather than the common name from the client cert.\n"
468 "--auth-user-pass-verify cmd method: Query client for username/password and\n"
469 " run command cmd to verify. If method='via-env', pass\n"
470 " user/pass via environment, if method='via-file', pass\n"
471 " user/pass via temporary file.\n"
472 "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"
473 " to each client, replacing the password. Useful when\n"
474 " OTP based two-factor auth mechanisms are in use and\n"
475 " --reneg-* options are enabled. Optionally a lifetime in seconds\n"
476 " for generated tokens can be set.\n"
477 "--opt-verify : (DEPRECATED) Clients that connect with options that are incompatible\n"
478 " with those of the server will be disconnected.\n"
479 "--auth-user-pass-optional : Allow connections by clients that don't\n"
480 " specify a username/password.\n"
481 "--no-name-remapping : (DEPRECATED) Allow Common Name and X509 Subject to include\n"
482 " any printable character.\n"
483 "--client-to-client : Internally route client-to-client traffic.\n"
484 "--duplicate-cn : Allow multiple clients with the same common name to\n"
485 " concurrently connect.\n"
486 "--client-connect cmd : Run command cmd on client connection.\n"
487 "--client-disconnect cmd : Run command cmd on client disconnection.\n"
488 "--client-config-dir dir : Directory for custom client config files.\n"
489 "--ccd-exclusive : Refuse connection unless custom client config is found.\n"
490 "--tmp-dir dir : Temporary directory, used for --client-connect return file and plugin communication.\n"
491 "--hash-size r v : Set the size of the real address hash table to r and the\n"
492 " virtual address table to v.\n"
493 "--bcast-buffers n : Allocate n broadcast buffers.\n"
494 "--tcp-queue-limit n : Maximum number of queued TCP output packets.\n"
495 "--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server\n"
496 " as well as pushes it to connecting clients.\n"
497 "--learn-address cmd : Run command cmd to validate client virtual addresses.\n"
498 "--connect-freq n s : Allow a maximum of n new connections per s seconds.\n"
499 "--connect-freq-initial n s : Allow a maximum of n replies for initial connections attempts per s seconds.\n"
500 "--max-clients n : Allow a maximum of n simultaneously connected clients.\n"
501 "--max-routes-per-client n : Allow a maximum of n internal routes per client.\n"
502 "--stale-routes-check n [t] : Remove routes with a last activity timestamp\n"
503 " older than n seconds. Run this check every t\n"
504 " seconds (defaults to n).\n"
505 "--explicit-exit-notify [n] : In UDP server mode send [RESTART] command on exit/restart to connected\n"
506 " clients. n = 1 - reconnect to same server,\n"
507 " 2 - advance to next server, default=1.\n"
509 "--port-share host port [dir] : When run in TCP mode, proxy incoming HTTPS\n"
510 " sessions to a web server at host:port. dir specifies an\n"
511 " optional directory to write origin IP:port data.\n"
514 "Client options (when connecting to a multi-client server):\n"
515 "--client : Helper option to easily configure client mode.\n"
516 "--auth-user-pass [up] : Authenticate with server using username/password.\n"
517 " up is a file containing the username on the first line,\n"
518 " and a password on the second. If either the password or both\n"
519 " the username and the password are omitted OpenVPN will prompt\n"
520 " for them from console.\n"
521 "--pull : Accept certain config file options from the peer as if they\n"
522 " were part of the local config file. Must be specified\n"
523 " when connecting to a '--mode server' remote host.\n"
524 "--pull-filter accept|ignore|reject t : Filter each option received from the\n"
525 " server if it starts with the text t. The action flag accept,\n"
526 " ignore or reject causes the option to be allowed, removed or\n"
527 " rejected with error. May be specified multiple times, and\n"
528 " each filter is applied in the order of appearance.\n"
529 "--dns server <n> <option> <value> [value ...] : Configure option for DNS server #n\n"
530 " Valid options are :\n"
531 " address <addr[:port]> [addr[:port] ...] : server addresses 4/6\n"
532 " resolve-domains <domain> [domain ...] : split domains\n"
533 " dnssec <yes|no|optional> : option to use DNSSEC\n"
534 " transport <DoH|DoT> : query server over HTTPS / TLS\n"
535 " sni <domain> : DNS server name indication\n"
536 "--dns search-domains <domain> [domain ...]:\n"
537 " Add domains to DNS domain search list\n"
538 "--dns-updown cmd|force|disable : Run cmd as user defined dns config command,\n"
539 " force running the default script or disable running it.\n"
540 "--auth-retry t : How to handle auth failures. Set t to\n"
541 " none (default), interact, or nointeract.\n"
542 "--static-challenge t e [<scrv1|concat>]: Enable static challenge/response protocol using\n"
543 " challenge text t, with e indicating echo flag (0|1)\n"
544 " and optional argument scrv1 or concat to use SCRV1 protocol or"
545 " concatenate response with password. Default is scrv1.\n"
546 "--connect-timeout n : when polling possible remote servers to connect to\n"
547 " in a round-robin fashion, spend no more than n seconds\n"
548 " waiting for a response before trying the next server.\n"
549 "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
550 " incoming tun packets with same destination as host.\n"
551 "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
552 " server/remote. n = # of retries, default=1.\n"
554 "Data Channel Encryption Options (must be compatible between peers):\n"
555 "(These options are meaningful for both Static Key & TLS-mode)\n"
556 "--auth alg : Authenticate packets with HMAC using message\n"
557 " digest algorithm alg (default=%s).\n"
558 " (usually adds 16 or 20 bytes per packet)\n"
559 " Set alg=none to disable authentication.\n"
560 "--cipher alg : Encrypt packets with cipher algorithm alg.\n"
561 " You should usually use --data-ciphers instead.\n"
562 " Set alg=none to disable encryption.\n"
563 "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
564#ifndef ENABLE_CRYPTO_MBEDTLS
565 "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n"
567 "--mute-replay-warnings : Silence the output of replay warnings to log file.\n"
568 "--replay-window n [t] : Use a replay protection sliding window of size n\n"
569 " and a time window of t seconds.\n"
570 " Default n=%d t=%d\n"
571 "--replay-persist file : Persist replay-protection state across sessions\n"
573 "--test-crypto : Run a self-test of crypto features enabled.\n"
574 " For debugging only.\n"
575#ifdef ENABLE_PREDICTION_RESISTANCE
576 "--use-prediction-resistance: Enable prediction resistance on the random\n"
577 " number generator.\n"
580 "TLS Key Negotiation Options:\n"
581 "(These options are meaningful only for TLS-mode)\n"
582 "--tls-server : Enable TLS and assume server role during TLS handshake.\n"
583 "--tls-client : Enable TLS and assume client role during TLS handshake.\n"
584 "--ca file : Certificate authority file in .pem format containing\n"
585 " root certificate.\n"
586#ifndef ENABLE_CRYPTO_MBEDTLS
587 "--capath dir : A directory of trusted certificates (CAs"
590 "--dh file : File containing Diffie Hellman parameters\n"
591 " in .pem format (for --tls-server only).\n"
592 " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
593 "--cert file : Local certificate in .pem format or a URI -- must be signed\n"
594 " by a Certificate Authority in --ca file used by the peer.\n"
595 "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
596 "--key file : Local private key in .pem format or a URI.\n"
597 "--tls-version-min <version> ['or-highest'] : sets the minimum TLS version we\n"
598 " will accept from the peer. If version is unrecognized and 'or-highest'\n"
599 " is specified, require max TLS version supported by SSL implementation.\n"
600 "--tls-version-max <version> : sets the maximum TLS version we will use.\n"
601#ifndef ENABLE_CRYPTO_MBEDTLS
602 "--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
603 " and optionally the root CA certificate.\n"
605#ifdef ENABLE_X509ALTUSERNAME
606 "--x509-username-field : Field in x509 certificate containing the username.\n"
607 " Default is CN in the Subject field.\n"
609 "--verify-hash hash [algo] : Specify fingerprint for level-1 certificate.\n"
610 " Valid algo flags are SHA1 and SHA256. \n"
612 "--cryptoapicert select-string : Load the certificate and private key from the\n"
613 " Windows Certificate System Store.\n"
615 "--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).\n"
616 "--tls-ciphersuites l: A list of allowed TLS 1.3 cipher suites separated by : (optional)\n"
617 " : Use --show-tls to see a list of supported TLS ciphers (suites).\n"
618 "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n"
619 " (default=legacy).\n"
620 "--providers l : A list l of OpenSSL providers to load.\n"
621 "--tls-timeout n : Packet retransmit timeout on TLS control channel\n"
622 " if no ACK from remote within n seconds (default=%d).\n"
623 "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n"
624 "--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.\n"
625 "--reneg-sec max [min] : Renegotiate data chan. key after at most max (default=%d)\n"
626 " and at least min (defaults to 90%% of max on servers and equal\n"
627 " to max on clients).\n"
628 "--hand-window n : Data channel key exchange must finalize within n seconds\n"
629 " of handshake initiation by any peer (default=%d).\n"
630 "--tran-window n : Transition window -- old key can live this many seconds\n"
631 " after new key renegotiation begins (default=%d).\n"
632 "--single-session: Allow only one session (reset state on restart).\n"
633 "--tls-exit : Exit on TLS negotiation failure.\n"
634 "--tls-auth f [d]: Add an additional layer of authentication on top of the TLS\n"
635 " control channel to protect against attacks on the TLS stack\n"
636 " and DoS attacks.\n"
637 " f (required) is a shared-secret key file.\n"
638 " The optional d parameter controls key directionality.\n"
639 "--tls-crypt key : Add an additional layer of authenticated encryption on top\n"
640 " of the TLS control channel to hide the TLS certificate,\n"
641 " provide basic post-quantum security and protect against\n"
642 " attacks on the TLS stack and DoS attacks.\n"
643 " key (required) provides the pre-shared key file.\n"
644 "--tls-crypt-v2 key : For clients: use key as a client-specific tls-crypt key.\n"
645 " For servers: use key to decrypt client-specific keys. For\n"
646 " key generation (--genkey tls-crypt-v2-client): use key to\n"
647 " encrypt generated client-specific key. (See --tls-crypt.)\n"
648 "--genkey tls-crypt-v2-client [keyfile] [base64 metadata]: Generate a\n"
649 " fresh tls-crypt-v2 client key, and store to\n"
650 " keyfile. If supplied, include metadata in wrapped key.\n"
651 "--genkey tls-crypt-v2-server [keyfile] [base64 metadata]: Generate a\n"
652 " fresh tls-crypt-v2 server key, and store to keyfile\n"
653 "--tls-crypt-v2-verify cmd : Run command cmd to verify the metadata of the\n"
654 " client-supplied tls-crypt-v2 client key\n"
655 "--askpass [file]: Get PEM password from controlling tty before we daemonize.\n"
656 "--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.\n"
657 "--crl-verify crl ['dir']: Check peer certificate against a CRL.\n"
658 "--tls-verify cmd: Run command cmd to verify the X509 name of a\n"
659 " pending TLS connection that has otherwise passed all other\n"
660 " tests of certification. cmd should return 0 to allow\n"
661 " TLS handshake to proceed, or 1 to fail. (cmd is\n"
662 " executed as 'cmd certificate_depth subject')\n"
663 "--verify-x509-name name: Accept connections only from a host with X509 subject\n"
664 " DN name. The remote host must also pass all other tests\n"
665 " of verification.\n"
666#ifndef ENABLE_CRYPTO_MBEDTLS
667 "--ns-cert-type t: (DEPRECATED) Require that peer certificate was signed with \n"
668 " an explicit nsCertType designation t = 'client' | 'server'.\n"
670 "--x509-track x : Save peer X509 attribute x in environment for use by\n"
671 " plugins and management interface.\n"
672 "--keying-material-exporter label len : Save Exported Keying Material (RFC5705)\n"
673 " of len bytes (min. 16 bytes) using label in environment for use by plugins.\n"
674 "--remote-cert-ku v ... : Require that the peer certificate was signed with\n"
675 " explicit key usage, you can specify more than one value.\n"
676 " value should be given in hex format.\n"
677 "--remote-cert-eku oid : Require that the peer certificate was signed with\n"
678 " explicit extended key usage. Extended key usage can be encoded\n"
679 " as an object identifier or OpenSSL string representation.\n"
680 "--remote-cert-tls t: Require that peer certificate was signed with explicit\n"
681 " key usage and extended key usage based on RFC3280 TLS rules.\n"
682 " t = 'client' | 'server'.\n"
686 "--pkcs11-providers provider ... : PKCS#11 provider to load.\n"
687 "--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication\n"
688 " path. Set for each provider.\n"
689 "--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.\n"
690 " 0 : Try to determine automatically (default).\n"
692 " 2 : Use SignRecover.\n"
693 " 4 : Use Decrypt.\n"
695 "--pkcs11-cert-private [0|1] ... : Set if login should be performed before\n"
696 " certificate can be accessed. Set for each provider.\n"
697 "--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1\n"
698 " cache until token is removed.\n"
699 "--pkcs11-id-management : Acquire identity from management interface.\n"
700 "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids\n"
703 "SSL Library information:\n"
704 "--show-ciphers : Show cipher algorithms to use with --cipher option.\n"
705 "--show-digests : Show message digest algorithms to use with --auth option.\n"
706 "--show-engines : Show hardware crypto accelerator engines (if available).\n"
707 "--show-tls : Show all TLS ciphers (TLS used only as a control channel).\n"
710 "Windows Specific:\n"
711 "--win-sys path : Pathname of Windows system directory. Default is the pathname\n"
712 " from SystemRoot environment variable.\n"
713 "--ip-win32 method : When using --ifconfig on Windows, set TAP-Windows adapter\n"
714 " IP address using method = manual, netsh, ipapi,\n"
715 " dynamic, or adaptive (default = adaptive).\n"
716 " Dynamic method allows two optional parameters:\n"
717 " offset: DHCP server address offset (> -256 and < 256).\n"
718 " If 0, use network address, if >0, take nth\n"
719 " address forward from network address, if <0,\n"
720 " take nth address backward from broadcast\n"
723 " lease-time: Lease time in seconds.\n"
724 " Default is one year.\n"
725 "--route-method : Which method to use for adding routes on Windows?\n"
726 " adaptive (default) -- Try ipapi then fall back to exe.\n"
727 " ipapi -- Use IP helper API.\n"
728 " exe -- Call the route.exe shell command.\n"
729 "--dhcp-option type [parm] : Set extended TAP-Windows properties, must\n"
730 " be used with --ip-win32 dynamic. For options\n"
731 " which allow multiple addresses,\n"
732 " --dhcp-option must be repeated.\n"
733 " DOMAIN name : Set DNS suffix\n"
734 " DOMAIN-SEARCH entry : Add entry to DNS domain search list\n"
735 " DNS addr : Set domain name server address(es) (IPv4 and IPv6)\n"
736 " NTP : Set NTP server address(es)\n"
737 " NBDD : Set NBDD server address(es)\n"
738 " WINS addr : Set WINS server address(es)\n"
739 " NBT type : Set NetBIOS over TCP/IP Node type\n"
740 " 1: B, 2: P, 4: M, 8: H\n"
741 " NBS id : Set NetBIOS scope ID\n"
742 " DISABLE-NBT : Disable Netbios-over-TCP/IP.\n"
743 "--dhcp-renew : Ask Windows to renew the TAP adapter lease on startup.\n"
744 "--dhcp-pre-release : Ask Windows to release the previous TAP adapter lease on\n"
746 "--register-dns : Run ipconfig /flushdns and ipconfig /registerdns\n"
747 " on connection initiation.\n"
748 "--tap-sleep n : Sleep for n seconds after TAP adapter open before\n"
749 " attempting to set adapter properties.\n"
750 "--pause-exit : When run from a console window, pause before exiting.\n"
751 "--service ex [0|1] : For use when " PACKAGE_NAME
" is being instantiated by a\n"
752 " service, and should not be used directly by end-users.\n"
753 " ex is the name of an event object which, when\n"
754 " signaled, will cause " PACKAGE_NAME
" to exit. A second\n"
755 " optional parameter controls the initial state of ex.\n"
756 "--show-net-up : Show " PACKAGE_NAME
"'s view of routing table and net adapter list\n"
757 " after TAP adapter is up and routes have been added.\n"
758 "--block-outside-dns : Block DNS on other network adapters to prevent DNS leaks\n"
759 "Windows Standalone Options:\n"
761 "--show-adapters : Show all TAP-Windows adapters.\n"
762 "--show-net : Show " PACKAGE_NAME
"'s view of routing table and net adapter list.\n"
763 "--show-valid-subnets : Show valid subnets for --dev tun emulation.\n"
764 "--allow-nonadmin [TAP-adapter] : Allow " PACKAGE_NAME
" running without admin privileges\n"
765 " to access TAP adapter.\n"
768 "Generate a new key :\n"
769 "--genkey tls-auth file : Generate a new random key of type and write to file\n"
770 " (for use with --tls-auth or --tls-crypt)."
771#ifdef ENABLE_FEATURE_TUN_PERSIST
773 "Tun/tap config mode (available with linux 2.4+):\n"
774 "--mktun : Create a persistent tunnel.\n"
775 "--rmtun : Remove a persistent tunnel.\n"
776 "--dev tunX|tapX : tun/tap device\n"
777 "--dev-type dt : Device type. See tunnel options above for details.\n"
778 "--user user : User to set privilege to.\n"
779 "--group group : Group to set privilege to.\n"
783 "PKCS#11 standalone options:\n"
784#ifdef DEFAULT_PKCS11_MODULE
785 "--show-pkcs11-ids [provider] [cert_private] : Show PKCS#11 available ids.\n"
787 "--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.\n"
789 " --verb option can be added *BEFORE* this.\n"
792 "General Standalone Options:\n"
794 "--show-gateway [address]: Show info about gateway [to v4/v6 address].\n"
818 o->
ce.
af = AF_UNSPEC;
843#ifdef ENABLE_MANAGEMENT
848#ifdef ENABLE_FEATURE_TUN_PERSIST
881#ifdef ENABLE_PREDICTION_RESISTANCE
882 o->use_prediction_resistance =
false;
892#ifdef ENABLE_X509ALTUSERNAME
896 o->pkcs11_pin_cache_period = -1;
911 msg(
M_USAGE,
"Could not find a suitable temporary directory."
912 " (GetTempPath() failed). Consider using --tmp-dir");
928#ifdef ENABLE_DNS_UPDOWN_BY_DEFAULT
974#define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
975#define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
976#define SHOW_STR_INLINE(var) \
977 SHOW_PARM(var, o->var##_inline ? "[INLINE]" : (o->var ? o->var : "[UNDEF]"), "'%s'")
978#define SHOW_INT(var) SHOW_PARM(var, o->var, "%d")
979#define SHOW_UINT(var) SHOW_PARM(var, o->var, "%u")
980#define SHOW_INT64(var) SHOW_PARM(var, o->var, "%" PRIi64)
981#define SHOW_UNSIGNED(var) SHOW_PARM(var, o->var, "0x%08x")
982#define SHOW_BOOL(var) SHOW_PARM(var, (o->var ? "ENABLED" : "DISABLED"), "%s");
1046setenv_foreign_option(
struct options *o,
const char *option,
const char *value,
struct env_set *
es)
1065 ++
o->foreign_option_index;
1069 msg(
M_WARN,
"foreign_option: name/value overflow");
1081 for (current = *list, prev = NULL; current != NULL; current = current->
next)
1083 char *tmp_value = NULL;
1084 if (!strncmp(current->
string,
"foreign_option_",
sizeof(
"foreign_option_") - 1))
1086 tmp_value = strchr(current->
string,
'=');
1087 if (tmp_value && ++tmp_value)
1089 if (!strncmp(tmp_value,
"dhcp-option ",
sizeof(
"dhcp-option ") - 1))
1097 *list = current->
next;
1113 bool succeeded =
false;
1121 ret =
getaddr(flags, ip_string, 0, &succeeded, NULL);
1122 if (!succeeded && error)
1137 const char *end = strchr(addr,
'/');
1145 size_t len = end - addr;
1147 memcpy(ret, addr, len);
1155 struct in6_addr t_addr;
1156 unsigned int t_bits;
1164 char *ret = (
char *)
gc_malloc(strlen(src) + 1,
true,
gc);
1193 const char *cp = str;
1201 while (*cp &&
i < nbytes)
1204 if (!isxdigit(cp[0]) || !isxdigit(cp[1]) || (cp[2] !=
':' && cp[2] !=
'\0')
1205 || sscanf(cp,
"%x", &
byte) != 1)
1207 msg(msglevel,
"format error in hash fingerprint: %s", str);
1211 ret->
hash[
i++] = (uint8_t)
byte;
1222 msg(msglevel,
"hash fingerprint is wrong length - expected %d bytes, got %d: %s", nbytes,
i,
1225 else if (term !=
'\0')
1227 msg(msglevel,
"hash fingerprint too long - expected only %d bytes: %s", nbytes, str);
1251 while ((line =
strsep(&lines,
"\n")))
1254 while (isspace(*line))
1259 if (strlen(line) == 0 || *line ==
'#' || *line ==
';')
1287 for (
i = 0;
i < len; ++
i)
1298 for (
i = 0;
i < len; ++
i)
1334 struct in6_addr addr;
1337 msg(msglevel,
"--dhcp-option DNS: maximum of %d IPv6 dns servers can be specified",
1342 dns6_list[(*len)++] = addr;
1351 msg(msglevel,
"--dhcp-option %s: maximum of %d %s servers can be specified", name,
1359 const in_addr_t addr =
get_ip_addr(parm, msglevel, &error);
1362 array[(*len)++] = addr;
1367 msg(msglevel,
"dhcp-option parameter %s '%s' must be an IP address", name, parm);
1424 SHOW_STR(ifconfig_pool_persist_filename);
1425 SHOW_INT(ifconfig_pool_persist_refresh_freq);
1429 SHOW_INT(ifconfig_ipv6_pool_netbits);
1436 SHOW_STR(client_disconnect_script);
1437 SHOW_STR(client_crresponse_script);
1459 SHOW_STR(auth_user_pass_verify_script);
1460 SHOW_BOOL(auth_user_pass_verify_script_via_file);
1498 msg(msglevel,
"in --iroute %s %s : Bad network/subnet specification", network_str,
1517 msg(msglevel,
"in --iroute-ipv6 %s: Bad IPv6 prefix specification", prefix_str);
1634#ifdef ENABLE_FRAGMENT
1641 SHOW_INT(explicit_exit_notification);
1657 for (
i = 0;
i <
l->len; ++
i)
1699#ifdef ENABLE_FEATURE_TUN_PERSIST
1721#if defined(ENABLE_DCO)
1753#if PASSTOS_CAPABILITY
1764#ifdef ENABLE_SELINUX
1790#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
1825#ifdef ENABLE_MANAGEMENT
1829 SHOW_INT(management_log_history_cache);
1830 SHOW_INT(management_echo_buffer_size);
1847#ifndef ENABLE_CRYPTO_MBEDTLS
1855#ifdef ENABLE_PREDICTION_RESISTANCE
1866 SHOW_PARM(
"cert_file",
"EXTERNAL_CERT",
"%s");
1876 SHOW_PARM(
"priv_key_file",
"EXTERNAL_PRIVATE_KEY",
"%s");
1882#ifndef ENABLE_CRYPTO_MBEDTLS
1885#ifdef ENABLE_CRYPTOAPI
1892 SHOW_STR(tls_export_peer_cert_dir);
1941 for (
i = 0;
i <
MAX_PARMS && o->pkcs11_providers[
i] != NULL;
i++)
1943 SHOW_PARM(pkcs11_providers, o->pkcs11_providers[
i],
"%s");
1950 SHOW_PARM(pkcs11_protected_authentication,
1951 o->pkcs11_protected_authentication[
i] ?
"ENABLED" :
"DISABLED",
"%s");
1958 SHOW_PARM(pkcs11_private_mode, o->pkcs11_private_mode[
i],
"%08x");
1965 SHOW_PARM(pkcs11_cert_private, o->pkcs11_cert_private[
i] ?
"ENABLED" :
"DISABLED",
1990#ifdef ENABLE_MANAGEMENT
2002 if (flags && !strcmp(flags,
"nct"))
2026 for (
i = 0;
i <
l->len; ++
i)
2037 for (
i = 0;
i < l->
len; ++
i)
2049 "Note: option http-proxy-override ignored because no TCP-based connection profiles are defined");
2073 const int new_cap = l->
capacity + 1;
2074 const size_t elem_size =
sizeof(*l->
array);
2080 "Unable to process more local options: out of memory. Number of entries = %d",
2085 l->
array = new_array;
2120 "Unable to process more connection options: out of memory. Number of entries = %d",
2156 "Unable to process more remote options: out of memory. Number of entries = %d",
2223 if (key_file && *key_file && !(*key_inline))
2239#ifdef ENABLE_CRYPTO_MBEDTLS
2242 msg(
M_USAGE,
"Parameter --capath cannot be used with the mbed TLS version of OpenVPN.");
2255 const char *
const str =
"You must define CA file (--ca)"
2256#ifndef ENABLE_CRYPTO_MBEDTLS
2257 " or CA path (--capath)"
2259 " and/or peer fingerprint verification (--peer-fingerprint)";
2263#define MUST_BE_UNDEF(parm, parm_name) \
2264 if (options->parm != defaults.parm) \
2266 msg(M_USAGE, use_err, parm_name); \
2268#define MUST_BE_FALSE(condition, parm_name) \
2271 msg(M_USAGE, use_err, parm_name); \
2303 msg(
M_USAGE,
"--proto tcp is ambiguous in this context. Please specify "
2304 "--proto tcp-server or --proto tcp-client");
2313 msg(
M_USAGE,
"multiple --local statements only allowed in --server mode");
2318 msg(
M_USAGE,
"--lladdr can only be used in --dev tap mode");
2326 msg(
M_USAGE,
"only one of --tun-mtu or --link-mtu may be defined");
2331 msg(
M_USAGE,
"--mtu-test only makes sense with --proto udp");
2344 msg(
M_USAGE,
"--local and --remote addresses must be distinct from --ifconfig "
2350 msg(
M_USAGE,
"local and remote/netmask --ifconfig addresses must be different");
2355 msg(
M_USAGE,
"--bind and --nobind can't be used together");
2360 msg(
M_USAGE,
"--lport and --nobind don't make sense when used together");
2365 msg(
M_USAGE,
"--nobind doesn't make sense unless used with --remote");
2375 msg(
M_USAGE,
"--remote and one of the --local addresses are the same");
2381 msg(
M_USAGE,
"--local addresses must be distinct from --ifconfig addresses");
2386 msg(
M_USAGE,
"--local and --nobind don't make sense when used together");
2393#ifdef ENABLE_MANAGEMENT
2399 "--management is not specified, however one or more options which modify the behavior of --management were specified");
2405 msg(
M_USAGE,
"--management-client-(user|group) can only be used on unix domain sockets");
2411 msg(
M_WARN,
"WARNING: Using --management on a TCP port WITHOUT "
2412 "passwords is STRONGLY discouraged and considered insecure");
2417#if !defined(HAVE_XKEY_PROVIDER)
2421 msg(
M_FATAL,
"management-external-key with TLS 1.3 or later requires "
2422 "nopadding argument/support");
2433 msg(
M_USAGE,
"On Windows, --ifconfig is required when --dev tun is used");
2439 msg(
M_USAGE,
"On Windows, --ip-win32 doesn't make sense unless --ifconfig is also used");
2444 const char *prefix =
"Some --dhcp-option or --dns options require DHCP server";
2447 msg(
M_USAGE,
"%s, which is not supported by the selected %s driver", prefix,
2453 msg(
M_USAGE,
"%s, which requires --ip-win32 dynamic or adaptive", prefix);
2462#ifdef ENABLE_FRAGMENT
2465 msg(
M_USAGE,
"--fragment can only be used with --proto udp");
2471 msg(
M_USAGE,
"--remote MUST be used in TCP Client mode");
2476 msg(
M_USAGE,
"--http-proxy MUST be used in TCP Client mode (i.e. --proto "
2482 msg(
M_USAGE,
"--http-proxy not specified but other http proxy options present");
2487 msg(
M_USAGE,
"--http-proxy can not be used together with --socks-proxy");
2492 msg(
M_USAGE,
"--socks-proxy can not be used in TCP Server mode");
2497 msg(
M_USAGE,
"TCP server mode allows at most one --remote address");
2505 const char use_err[] =
"--%s cannot be used with --mode server.";
2507#define USAGE_VALID_SERVER_PROTOS \
2508 "--mode server currently only supports " \
2509 "--proto values of udp, tcp-server, tcp4-server, or tcp6-server"
2510#ifdef TARGET_ANDROID
2511 msg(
M_FATAL,
"--mode server not supported on Android");
2515 msg(
M_USAGE,
"--mode server only works with --dev tun or --dev tap");
2520 msg(
M_WARN,
"--pull-filter ignored for --mode server");
2530 msg(
M_USAGE,
"--port-share only works in TCP server mode "
2531 "(--proto values of tcp-server, tcp4-server, or tcp6-server)");
2536 msg(
M_USAGE,
"--mode server requires --tls-server");
2547 msg(
M_USAGE,
"<connection> cannot be used with --mode server");
2553 msg(
M_USAGE,
"--ipchange cannot be used with --mode server (use "
2554 "--client-connect instead)");
2563 "--connect-freq only works with --mode server --proto udp. Try --max-clients instead.");
2569 "The third parameter to --ifconfig-pool (netmask) is only valid in --dev tap mode");
2574 "--redirect-gateway cannot be used with --mode server (however --push \"redirect-gateway\" is fine)");
2582 "--ifconfig-pool-persist must be used with --ifconfig-pool or --ifconfig-ipv6-pool");
2586 msg(
M_USAGE,
"--ifconfig-ipv6-pool needs --ifconfig-ipv6");
2588 MUST_BE_UNDEF(allow_recursive_routing,
"allow-recursive-routing");
2592 "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
2596 msg(
M_USAGE,
"--ccd-exclusive must be used with --client-config-dir");
2600 msg(
M_USAGE,
"--auth-gen-token needs a non-infinite "
2601 "--renegotiate_seconds setting");
2607 "--auth-gen-token renewal time needs to be at least "
2608 " two times --hand-window (%d).",
2614 const char *use_err =
2615 "--%s must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
2619 "verify-client-cert none|optional");
2621 "username-as-common-name");
2623 "auth-user-pass-optional");
2628 msg(
M_USAGE,
"--vlan-tagging must be used with --dev tap");
2632 const char use_err[] =
"--%s requires --vlan-tagging";
2639 const char use_err[] =
"--%s requires --mode server";
2645 MUST_BE_UNDEF(ifconfig_pool_persist_filename,
"ifconfig-pool-persist");
2646 MUST_BE_UNDEF(ifconfig_ipv6_pool_defined,
"ifconfig-ipv6-pool");
2651 MUST_BE_UNDEF(client_crresponse_script,
"client-crresponse");
2652 MUST_BE_UNDEF(client_disconnect_script,
"client-disconnect");
2661 "verify-client-cert");
2667 msg(
M_WARN,
"WARNING: setting tcp-nodelay on the client side will not "
2668 "affect the server. To have TCP_NODELAY in both direction use "
2669 "tcp-nodelay in the server configuration instead.");
2671 MUST_BE_UNDEF(auth_user_pass_verify_script,
"auth-user-pass-verify");
2677 "--port-share requires TCP server mode (--mode server --proto tcp-server)");
2680 MUST_BE_UNDEF(stale_routes_check_interval,
"stale-routes-check");
2684 MUST_BE_UNDEF(force_key_material_export,
"force-key-material-export");
2692 msg(
M_USAGE,
"specify only one of --tls-server, --tls-client, or --secret");
2703 msg(msglevel,
"DEPRECATION: No tls-client or tls-server option in "
2704 "configuration detected. OpenVPN 2.8 will remove the "
2705 "functionality to run a VPN without TLS. "
2706 "See the examples section in the manual page for "
2707 "examples of a similar quick setup with peer-fingerprint. "
2708 "OpenVPN 2.7 allows using this configuration when using "
2709 "--allow-deprecated-insecure-static-crypto but you should move "
2710 "to a proper configuration using TLS as soon as possible.");
2715 msg(
M_WARN,
"WARNING: POTENTIALLY DANGEROUS OPTION "
2716 "--verify-client-cert none|optional "
2717 "may accept clients which do not present a certificate");
2722 const int tls_version_min =
2727 msg(
M_USAGE,
"--tls-version-min bigger than --tls-version-max");
2736 msg(
M_WARN,
"Option pkcs11-id is ignored as no pkcs11-providers are specified");
2738 else if (!
options->pkcs11_providers[0] &&
options->pkcs11_id_management)
2741 "Option pkcs11-id-management is ignored as no pkcs11-providers are specified");
2744 if (
options->pkcs11_providers[0])
2749 "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified.");
2751 if (!
options->pkcs11_id_management &&
options->pkcs11_id == NULL)
2754 "Parameter --pkcs11-id or --pkcs11-id-management should be specified.");
2756 const char use_err[] =
2757 "Parameter --%s cannot be used when --pkcs11-provider is also specified.";
2763#ifdef ENABLE_CRYPTOAPI
2769#ifdef ENABLE_CRYPTOAPI
2772 const char use_err[] =
2773 "Parameter --%s cannot be used when --cryptoapicert is also specified.";
2784#ifdef ENABLE_CRYPTO_MBEDTLS
2785 msg(
M_USAGE,
"Parameter --pkcs12 cannot be used with the mbed TLS version of OpenVPN.");
2787 const char use_err[] =
"Parameter --%s cannot be used when --pkcs12 is also specified.";
2799 msg(
M_USAGE,
"--key and --management-external-key are mutually exclusive");
2805 msg(
M_USAGE,
"--cert and --management-external-cert are mutually exclusive");
2810 "--management-external-cert must be used with --management-external-key");
2824 msg(
M_USAGE,
"No client-side authentication method is "
2825 "specified. You must use either "
2826 "--cert/--key, --pkcs12, or "
2827 "--auth-user-pass");
2832 msg(
M_USAGE,
"If you use one of --cert or --key, you must use them both");
2840 "certificate file (--cert) or PKCS#12 file (--pkcs12)");
2845 "private key file (--key) or PKCS#12 file (--pkcs12)");
2851 msg(
M_USAGE,
"--tls-auth and --tls-crypt are mutually exclusive");
2857 "--tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode");
2867 const char use_err[] =
"Parameter %s can only be specified in TLS-mode, "
2868 "i.e. where --tls-server or --tls-client is also specified.";
2875#ifndef ENABLE_CRYPTO_MBEDTLS
2902 MUST_BE_UNDEF(pkcs11_private_mode[0],
"pkcs11-private-mode");
2914 msg(
M_USAGE,
"--auth-user-pass requires --pull");
2983 if (ce->
af == AF_INET6)
2985 msg(
M_INFO,
"WARNING: '--proto udp6' is not compatible with "
2986 "'--socks-proxy' today. Forcing IPv4 mode.");
2990 msg(
M_INFO,
"NOTICE: dual-stack mode for '--proto udp' does not "
2991 "work correctly with '--socks-proxy' today. Forcing IPv4.");
3018#ifdef ENABLE_FRAGMENT
3075 msg(
M_WARN,
"NOTICE: --explicit-exit-notify ignored for --proto tcp");
3104 msg(
M_INFO,
"Flag 'def1' added to --redirect-gateway (iservice is in use)");
3277#ifdef DEFAULT_PKCS11_MODULE
3283 options->pkcs11_providers[0] = DEFAULT_PKCS11_MODULE;
3308 msg(
M_WARN,
"Note: --client-to-client has no effect when using data "
3309 "channel offload: packets are always sent to the VPN "
3310 "interface and then routed based on the system routing table");
3341 "Note: --cipher is not set. OpenVPN versions before 2.5 "
3342 "defaulted to BF-CBC as fallback when cipher negotiation "
3343 "failed in this case. If you need this fallback please add "
3344 "'--data-ciphers-fallback BF-CBC' to your configuration "
3345 "and/or add BF-CBC to --data-ciphers. E.g. "
3346 "--data-ciphers %s:BF-CBC",
3352 "DEPRECATED OPTION: --cipher set to '%s' but missing in "
3353 "--data-ciphers (%s). OpenVPN ignores --cipher for cipher "
3389 if (tls_ver_min == 0)
3397 else if (tls_ver_max == 0 || tls_ver_max >=
TLS_VER_1_2)
3458 "supported by the TLS library. Your system does not support this "
3459 "calculation anymore or your security policy (e.g. FIPS 140-2) "
3460 "forbids it. Connections will only work with peers running "
3461 "OpenVPN 2.6.0 or higher)");
3464 msg(
M_WARN,
"Automatically enabling option "
3465 "--force-tls-key-material-export");
3471#if defined(_WIN32) || defined(TARGET_ANDROID)
3531 msg(
M_WARN,
"WARNING: couldn't copy all --dns search-domains to TUN/TAP");
3540 bool non_standard_server_port =
false;
3545 non_standard_server_port =
true;
3557 bool overflow =
false;
3575 msg(
M_WARN,
"WARNING: couldn't copy all --dns server addresses to TUN/TAP");
3614 const int fo_count =
o->foreign_option_index;
3615 o->foreign_option_index = 0;
3639 buf_printf(&name,
"foreign_option_%d", ++
o->foreign_option_index);
3650 if (
dhcp->dns_len ||
dhcp->dns6_len)
3658 for (
size_t i = 0;
i <
dhcp->domain_search_list_len; ++
i)
3662 new->
name =
dhcp->domain_search_list[
i];
3667 const size_t max_addrs =
SIZE(server->
addr);
3688 setenv_foreign_option(o,
"DOMAIN", d->
name,
es);
3695 bool non_standard_server_port =
false;
3700 non_standard_server_port =
true;
3726 setenv_foreign_option(o, option, value,
es);
3759 msg(
M_USAGE,
"--data-ciphers list contains unsupported ciphers or is too long.");
3768 for (
i = 0;
i <
rl->len; ++
i)
3840 msg(
M_WARN,
"WARNING: Ignoring option 'dh' in tls-client mode, please only "
3841 "include this in your server configuration");
3844#if ENABLE_MANAGEMENT
3852 msg(
M_INFO,
"Using certificate fingerprint to verify peer (no CA "
3859 msg(
M_USAGE,
"Options 'config stdin' and 'remap-usr1 SIGHUP' are "
3860 "incompatible with each other.");
3885 "Option --windows-driver ovpn-dco is ignored because Data Channel Offload is disabled");
3896 msg(
M_WARN,
"Note: ignoring --dev-node as it has no effect when using "
3897 "data channel offload");
3918#if defined(_WIN32) || defined(TARGET_ANDROID)
3921 dhcp_options_postprocess_dns(o,
es);
3938#define CHKACC_FILE (1 << 0)
3939#define CHKACC_DIRPATH (1 << 1)
3940#define CHKACC_FILEXSTWR (1 << 2)
3941#define CHKACC_ACPTSTDIN (1 << 3)
3942#define CHKACC_PRIVATE (1 << 4)
3943#define CHKACC_ACCEPT_URI (1 << 5)
3969 if (!strncmp(file,
"file:", 5))
3973 else if (!strchr(file,
'/') || strchr(file,
'/') > strchr(file,
':'))
3984 char *dirpath =
dirname(fullpath);
4019 if (st.st_mode & (S_IRWXG | S_IRWXO))
4021 msg(
M_WARN,
"WARNING: file '%s' is group or others accessible", file);
4034 return (errcode != 0 ?
true :
false);
4077 const char *file,
const int mode,
const char *opt)
4196 R_OK | X_OK,
"--crl-verify directory");
4230 R_OK | W_OK,
"--replay-persist");
4235#ifdef ENABLE_MANAGEMENT
4254 R_OK | X_OK,
"--client-config-dir");
4256 R_OK | W_OK | X_OK,
"Temporary directory (--tmp-dir)");
4260 msg(
M_USAGE,
"Please correct these errors.");
4291#if defined(_WIN32) || defined(TARGET_ANDROID)
4294 dhcp_options_postprocess_dns(o,
es);
4361 if (
o->ce.occ_mtu != 0)
4387 tt =
init_tun(
o->dev,
o->dev_type,
o->topology,
o->ifconfig_local,
4388 o->ifconfig_remote_netmask,
o->ifconfig_ipv6_local,
o->ifconfig_ipv6_netbits,
4418#ifdef ENABLE_FRAGMENT
4425#define TLS_CLIENT (o->tls_client)
4426#define TLS_SERVER (o->tls_server)
4480#ifdef ENABLE_PREDICTION_RESISTANCE
4481 if (o->use_prediction_resistance)
4483 buf_printf(&out,
",use-prediction-resistance");
4604 msg(msglevel,
"WARNING: '%s' is used inconsistently, %s='%s', %s='%s'",
4613 msg(msglevel,
"WARNING: '%s' is present in %s config but missing in %s config, %s='%s'",
4669 actual[actual_n - 1] = 0;
4670 if (strncmp(actual, expected, 2))
4672 msg(
D_SHOW_OCC,
"NOTE: Options consistency check may be skewed by version differences");
4677 ret = !strcmp(actual, expected);
4712 const char *end =
strchr(
p,
',');
4748 msg(msglevel,
"--topology must be net30, p2p, or subnet");
4790 if (
streq(option,
"interact"))
4794 else if (
streq(option,
"nointeract"))
4798 else if (
streq(option,
"none"))
4804 msg(msglevel,
"--auth-retry method must be 'interact', 'nointeract', or 'none'");
4819 return "nointeract";
4839 fprintf(fp,
"Usage message not available\n");
4889#define LZO_LIB_VER_STR ", LZO ", lzo_version_string()
4891#define LZO_LIB_VER_STR "", ""
4896#undef LZO_LIB_VER_STR
4911#ifdef CONFIGURE_DEFINES
4914#ifdef CONFIGURE_SPECIAL_BUILD
4926 msg(
M_USAGE,
"You must define %s", description);
4935 return !strcmp(s1, s2);
4945ping_rec_err(
int msglevel)
4947 msg(msglevel,
"only one of --ping-exit or --ping-restart options may be specified");
4955 unsigned int val = 0;
4956 sscanf(str,
"%u", &val);
4964 return c ==
'\0' || isspace(c);
4968parse_line(
const char *line,
char *p[],
const int n,
const char *file,
const int line_num,
4971 const int STATE_INITIAL = 0;
4972 const int STATE_READING_QUOTED_PARM = 1;
4973 const int STATE_READING_UNQUOTED_PARM = 2;
4974 const int STATE_DONE = 3;
4975 const int STATE_READING_SQUOTED_PARM = 4;
4977 const char *error_prefix =
"";
4980 const char *c = line;
4981 int state = STATE_INITIAL;
4982 bool backslash =
false;
4986 unsigned int parm_len = 0;
4988 msglevel &= ~M_OPTERR;
4992 error_prefix =
"ERROR: ";
5000 if (!backslash && in ==
'\\' && state != STATE_READING_SQUOTED_PARM)
5006 if (state == STATE_INITIAL)
5010 if (in ==
';' || in ==
'#')
5014 if (!backslash && in ==
'\"')
5016 state = STATE_READING_QUOTED_PARM;
5018 else if (!backslash && in ==
'\'')
5020 state = STATE_READING_SQUOTED_PARM;
5025 state = STATE_READING_UNQUOTED_PARM;
5029 else if (state == STATE_READING_UNQUOTED_PARM)
5031 if (!backslash &&
space(in))
5040 else if (state == STATE_READING_QUOTED_PARM)
5042 if (!backslash && in ==
'\"')
5051 else if (state == STATE_READING_SQUOTED_PARM)
5062 if (state == STATE_DONE)
5066 memcpy(p[ret], parm, parm_len);
5067 p[ret][parm_len] =
'\0';
5068 state = STATE_INITIAL;
5073 if (backslash && out)
5075 if (!(out ==
'\\' || out ==
'\"' ||
space(out)))
5078 msg(msglevel,
"%sOptions warning: Bad backslash ('\\') usage in %s:%d",
5079 error_prefix, file, line_num);
5082 "%sOptions warning: Bad backslash ('\\') usage in %s:%d: remember that backslashes are treated as shell-escapes and if you need to pass backslash characters as part of a Windows filename, you should use double backslashes such as \"c:\\\\" PACKAGE
5084 error_prefix, file, line_num);
5095 if (parm_len >=
SIZE(parm))
5097 parm[
SIZE(parm) - 1] = 0;
5098 msg(msglevel,
"%sOptions error: Parameter at %s:%d is too long (%d chars max): %s",
5099 error_prefix, file, line_num, (
int)
SIZE(parm), parm);
5102 parm[parm_len++] = out;
5111 }
while (*c++ !=
'\0');
5113 if (state == STATE_READING_QUOTED_PARM)
5115 msg(msglevel,
"%sOptions error: No closing quotation (\") in %s:%d", error_prefix, file,
5119 if (state == STATE_READING_SQUOTED_PARM)
5121 msg(msglevel,
"%sOptions error: No closing single quotation (\') in %s:%d", error_prefix,
5125 if (state != STATE_INITIAL)
5127 msg(msglevel,
"%sOptions error: Residual parse state (%d) in %s:%d", error_prefix, state,
5134 for (
i = 0;
i < ret; ++
i)
5146 if (strlen(*p) >= 3 && !strncmp(*p,
"--", 2))
5155#define IS_TYPE_BUF 2
5239 if (arg[0] ==
'<' && arg[
strlen(arg) - 1] ==
'>')
5243 arg[
strlen(arg) - 1] =
'\0';
5274 int line,
const int level,
const int msglevel,
5275 const unsigned int permission_mask,
unsigned int *option_types_found,
5279 const char *file,
int line,
const int msglevel,
5280 const unsigned int permission_mask,
unsigned int *option_types_found,
5284 const char *file,
int line,
const int level,
const int msglevel,
5285 const unsigned int permission_mask,
unsigned int *option_types_found,
5286 struct env_set *
es,
unsigned int *update_options_found);
5290 const int top_line,
const int msglevel,
const unsigned int permission_mask,
5291 unsigned int *option_types_found,
struct env_set *
es)
5293 const int max_recursive_levels = 10;
5300 if (level <= max_recursive_levels)
5302 if (
streq(file,
"stdin"))
5313 while (fgets(line,
sizeof(line),
fp))
5321 "In %s:%d: Maximum option line length (%d) exceeded, line starts with %s",
5326 if (line_num == 1 && strncmp(line,
"\xEF\xBB\xBF", 3) == 0)
5330 if (
parse_line(line + offset, p,
SIZE(p) - 1, file, line_num, msglevel,
5336 permission_mask, option_types_found,
es);
5337 line_num += lines_inline;
5347 msg(msglevel,
"In %s:%d: Error opening configuration file: %s", top_file, top_line,
5354 "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.",
5355 top_file, top_line, file);
5363 const int msglevel,
const unsigned int permission_mask,
5364 unsigned int *option_types_found,
struct env_set *
es)
5382 option_types_found,
es);
5413 for (
int i = 1;
i < argc; ++
i)
5421 "I'm trying to parse \"%s\" as an --option parameter but I don't see a leading '--'",
5459 const char *file =
"[PUSH-OPTIONS]";
5499 option_types_found,
es);
5504 option_types_found,
es);
5521 msg(
D_PUSH,
"OPTIONS IMPORT: reading client specific options from: %s", filename);
5532 option_types_found,
es);
5535#define VERIFY_PERMISSION(mask) \
5537 if (!verify_permission(p[0], file, line, (mask), permission_mask, option_types_found, \
5538 msglevel, options, is_inline)) \
5546 const unsigned int allowed,
unsigned int *
found,
const int msglevel,
5551 msg(msglevel,
"option '%s' cannot be used in this context (%s)", name, file);
5557 msg(msglevel,
"option '%s' is not expected to be inline (%s:%d)", name, file,
line);
5578 msg(
M_WARN,
"Option '%s' in %s:%d is ignored by previous <connection> blocks ", name,
5583 msg(
M_WARN,
"Option '%s' is ignored by previous <connection> blocks", name);
5595#define NM_QUOTE_HINT (1 << 0)
5609 msg(msglevel,
"the --%s directive should have at most %d parameter%s.%s",
p[0], max - 1,
5610 max >= 3 ?
"s" :
"",
5612 ?
" To pass a list of arguments as one of the parameters, try enclosing them in double quotes (\"\")."
5628#define RESET_OPTION_ROUTES(option_ptr, field) \
5631 option_ptr->field = NULL; \
5632 option_ptr->flags = 0; \
5658 unsigned int *option_types_found,
struct env_set *
es)
5662 if (
streq(
p[0],
"ifconfig") && !
p[1])
5668 else if (
streq(
p[0],
"ifconfig-ipv6") && !
p[1])
5675 else if (
streq(
p[0],
"route") && !
p[1])
5678 if (
c->c1.route_list)
5685 else if (
streq(
p[0],
"route-ipv6") && !
p[1])
5688 if (
c->c1.route_ipv6_list)
5695 else if (
streq(
p[0],
"route-gateway") && !
p[1])
5701 else if (
streq(
p[0],
"route-metric") && !
p[1])
5706 else if (
streq(
p[0],
"push-continuation") && !
p[1])
5711 else if ((
streq(
p[0],
"redirect-gateway") ||
streq(
p[0],
"redirect-private")) && !
p[1])
5725 else if (
streq(
p[0],
"dns") && !
p[1])
5731 else if (
streq(
p[0],
"topology") && !
p[1])
5737 else if (
streq(
p[0],
"tun-mtu") && !
p[1])
5744 else if (
streq(
p[0],
"block-ipv6") && !
p[1])
5749#if defined(_WIN32) || defined(TARGET_ANDROID)
5750 else if (
streq(
p[0],
"dhcp-option") && !
p[1])
5759 memset(o->
dns6, 0,
sizeof(o->
dns6));
5761 memset(o->
dns, 0,
sizeof(o->
dns));
5763 memset(o->
wins, 0,
sizeof(o->
wins));
5765 memset(o->
ntp, 0,
sizeof(o->
ntp));
5767 memset(o->
nbdd, 0,
sizeof(o->
nbdd));
5774#if defined(TARGET_ANDROID)
5775 o->http_proxy_port = 0;
5776 o->http_proxy = NULL;
5781 else if (
streq(p[0],
"block-outside-dns") && !p[1])
5787 else if (
streq(p[0],
"dhcp-option") && !p[1])
5796 int msglevel_unknown = msglevel_fc;
5803 msglevel_unknown =
M_WARN;
5807 msg(msglevel_unknown,
5808 "Unrecognized option or missing or extra parameter(s) in %s:%d: -%s (%s)", file, line,
5809 p[0], PACKAGE_VERSION);
5813 msg(msglevel,
"Error occurred trying to remove %s option", p[0]);
5826 msg(msglevel,
"route parameter network/IP '%s' must be a valid address", p[1]);
5831 msg(msglevel,
"route parameter netmask '%s' must be an IP address", p[2]);
5837 msg(msglevel,
"route parameter gateway '%s' must be a valid address", p[3]);
5853 msg(msglevel,
"route-ipv6 parameter network/IP '%s' must be a valid address", p[1]);
5858 msg(msglevel,
"route-ipv6 parameter gateway '%s' must be a valid address", p[2]);
5869 if (
streq(p[1],
"search-domains") && p[2])
5874 else if (
streq(p[1],
"server") && p[2] && p[3] && p[4])
5879 msg(msglevel,
"--dns server: invalid priority value '%s'", p[2]);
5886 if (
streq(p[3],
"address") && p[4])
5888 for (
int i = 4; p[
i]; ++
i)
5892 msg(msglevel,
"--dns server %ld: malformed address or maximum exceeded '%s'",
5898 else if (
streq(p[3],
"resolve-domains"))
5902 else if (
streq(p[3],
"dnssec") && !p[5])
5904 if (
streq(p[4],
"yes"))
5908 else if (
streq(p[4],
"no"))
5912 else if (
streq(p[4],
"optional"))
5918 msg(msglevel,
"--dns server %ld: malformed dnssec value '%s'",
priority, p[4]);
5922 else if (
streq(p[3],
"transport") && !p[5])
5924 if (
streq(p[4],
"plain"))
5928 else if (
streq(p[4],
"DoH"))
5932 else if (
streq(p[4],
"DoT"))
5938 msg(msglevel,
"--dns server %ld: malformed transport value '%s'",
priority, p[4]);
5942 else if (
streq(p[3],
"sni") && !p[5])
5949 "--dns server %ld: unknown option type '%s' or missing or unknown parameter",
5956 msg(msglevel,
"--dns: unknown option type '%s' or missing or unknown parameter", p[1]);
5987 const char *file,
int line,
const int level,
const int msglevel,
5988 const unsigned int permission_mask,
unsigned int *option_types_found,
5989 struct env_set *
es,
unsigned int *update_options_found)
5994 if (
streq(p[0],
"route") && p[1] && !p[5])
6012 else if (
streq(p[0],
"route-ipv6") && p[1] && !p[4])
6030 else if (
streq(p[0],
"redirect-gateway") ||
streq(p[0],
"redirect-private"))
6048 else if (
streq(p[0],
"dns") && p[1])
6062#if defined(_WIN32) || defined(TARGET_ANDROID)
6063 else if (
streq(p[0],
"dhcp-option") && p[1] && !p[3])
6091#if defined(TARGET_ANDROID)
6092 o->http_proxy_port = 0;
6093 o->http_proxy = NULL;
6099 else if (
streq(p[0],
"dhcp-option") && p[1] && !p[3])
6110 option_types_found,
es);
6113 msg(msglevel,
"Error occurred trying to update %s option", p[0]);
6118 const char *type,
bool in_chroot)
6123 "Multiple --%s scripts defined. "
6124 "The previously configured script is overridden.",
6127 *script = new_script;
6132 char script_name[100];
6133 snprintf(script_name,
sizeof(script_name),
"--%s script", type);
6148 msg(
M_WARN,
"WARNING: Compression for receiving enabled. "
6149 "Compression has been used in the past to break encryption. "
6150 "Compression support is deprecated and we recommend to disable "
6161 ret = ret || (
options->pkcs11_providers[0] != NULL);
6163#ifdef ENABLE_CRYPTOAPI
6172 const int level,
const int msglevel,
const unsigned int permission_mask,
6173 unsigned int *option_types_found,
struct env_set *
es)
6189 p[2] =
"setenv opt";
6197 file =
"[CMD-LINE]";
6200 if (
streq(p[0],
"help"))
6206 msg(msglevel,
"--help does not accept any parameters");
6210 if (
streq(p[0],
"version") && !p[1])
6215 else if (
streq(p[0],
"config") && p[1] && !p[2])
6226 option_types_found,
es);
6228#if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
6229 else if (
streq(p[0],
"show-gateway") && !p[2])
6233 in_addr_t remote_ipv4 = 0;
6234 struct in6_addr remote_ipv6 = IN6ADDR_ANY_INIT;
6253 else if (
streq(p[0],
"echo") ||
streq(p[0],
"parameter"))
6277 if (
p[1] &&
strncmp(
p[1],
"msg", 3) == 0)
6281#ifdef ENABLE_MANAGEMENT
6290 msg(
M_WARN,
"echo/parameter option overflow");
6293#ifdef ENABLE_MANAGEMENT
6294 else if (
streq(
p[0],
"management") &&
p[1] &&
p[2] && !
p[4])
6299#if UNIX_SOCK_SUPPORT
6302 msg(msglevel,
"MANAGEMENT: this platform does not support unix domain sockets");
6314 else if (
streq(
p[0],
"management-client-user") &&
p[1] && !
p[2])
6319 else if (
streq(
p[0],
"management-client-group") &&
p[1] && !
p[2])
6324 else if (
streq(
p[0],
"management-query-passwords") && !
p[1])
6329 else if (
streq(
p[0],
"management-query-remote") && !
p[1])
6334 else if (
streq(
p[0],
"management-query-proxy") && !
p[1])
6339 else if (
streq(
p[0],
"management-hold") && !
p[1])
6344 else if (
streq(
p[0],
"management-signal") && !
p[1])
6349 else if (
streq(
p[0],
"management-forget-disconnect") && !
p[1])
6354 else if (
streq(
p[0],
"management-up-down") && !
p[1])
6359 else if (
streq(
p[0],
"management-client") && !
p[1])
6364 else if (
streq(
p[0],
"management-external-key"))
6373 else if (
streq(
p[
j],
"pkcs1"))
6381 else if (
streq(
p[
j],
"digest"))
6387 msg(msglevel,
"Unknown management-external-key flag: %s",
p[
j]);
6400 else if (
streq(
p[0],
"management-external-cert") &&
p[1] && !
p[2])
6406 else if (
streq(
p[0],
"management-client-auth") && !
p[1])
6411 else if (
streq(
p[0],
"management-log-cache") &&
p[1] && !
p[2])
6422 else if (
streq(
p[0],
"plugin") &&
p[1])
6431 msg(msglevel,
"plugin add failed: %s",
p[1]);
6436 else if (
streq(
p[0],
"mode") &&
p[1] && !
p[2])
6443 else if (
streq(
p[1],
"server"))
6449 msg(msglevel,
"Bad --mode parameter: %s",
p[1]);
6453 else if (
streq(
p[0],
"dev") &&
p[1] && !
p[2])
6458 else if (
streq(
p[0],
"dev-type") &&
p[1] && !
p[2])
6464 else if (
streq(
p[0],
"windows-driver") &&
p[1] && !
p[2])
6468 "DEPRECATED OPTION: windows-driver: In OpenVPN 2.7, the default Windows driver is ovpn-dco. "
6469 "If incompatible options are used, OpenVPN will fall back to tap-windows6. Wintun support has been removed.");
6472 else if (
streq(
p[0],
"disable-dco"))
6476 else if (
streq(
p[0],
"dev-node") &&
p[1] && !
p[2])
6481 else if (
streq(
p[0],
"lladdr") &&
p[1] && !
p[2])
6490 msg(msglevel,
"lladdr parm '%s' must be a MAC address",
p[1]);
6494 else if (
streq(
p[0],
"topology") &&
p[1] && !
p[2])
6499 else if (
streq(
p[0],
"tun-ipv6") && !
p[1])
6504 "Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.");
6507#ifdef ENABLE_IPROUTE
6508 else if (
streq(
p[0],
"iproute") &&
p[1] && !
p[2])
6514 else if (
streq(
p[0],
"ifconfig") &&
p[1] &&
p[2] && !
p[3])
6525 msg(msglevel,
"ifconfig parms '%s' and '%s' must be valid addresses",
p[1],
p[2]);
6529 else if (
streq(
p[0],
"ifconfig-ipv6") &&
p[1] &&
p[2] && !
p[3])
6531 unsigned int netbits;
6538 msg(msglevel,
"ifconfig-ipv6: /netbits must be between 64 and 124, not '/%d'",
6549 msg(msglevel,
"ifconfig-ipv6 parms '%s' and '%s' must be valid addresses",
p[1],
p[2]);
6553 else if (
streq(
p[0],
"ifconfig-noexec") && !
p[1])
6558 else if (
streq(
p[0],
"ifconfig-nowarn") && !
p[1])
6563 else if (
streq(
p[0],
"local") &&
p[1] && !
p[4])
6575 if (strcmp(p[1],
"*") != 0)
6590 else if (
streq(p[0],
"remote-random") && !p[1])
6595 else if (
streq(p[0],
"connection") && p[1] && !p[3])
6606 option_types_found,
es);
6610 "Each 'connection' block must contain exactly one 'remote' directive");
6626 else if (
streq(p[0],
"ignore-unknown-option") && p[1])
6631 const char **ignore;
6635 for (
i = 1; p[
i];
i++)
6655 for (j = 1; p[j]; j++)
6658 if (p[j][0] ==
'-' && p[j][1] ==
'-')
6671#if ENABLE_MANAGEMENT
6672 else if (
streq(p[0],
"http-proxy-override") && p[1] && p[2] && !p[4])
6682 else if (
streq(p[0],
"remote") && p[1] && !p[4])
6700 msg(msglevel,
"remote: bad protocol associated with host %s: '%s'", p[1], p[3]);
6721 else if (
streq(p[0],
"resolv-retry") && p[1] && !p[2])
6724 if (
streq(p[1],
"infinite"))
6733 else if ((
streq(p[0],
"preresolve") ||
streq(p[0],
"ip-remote-hint")) && !p[2])
6744 else if (
streq(p[0],
"connect-retry") && p[1] && !p[3])
6755 msg(
M_WARN,
"connect retry wait interval truncated to %d",
6765 else if ((
streq(p[0],
"connect-timeout") ||
streq(p[0],
"server-poll-timeout")) && p[1]
6771 else if (
streq(p[0],
"connect-retry-max") && p[1] && !p[2])
6776 else if (
streq(p[0],
"ipchange") && p[1])
6786 else if (
streq(p[0],
"float") && !p[1])
6792 else if (
streq(p[0],
"gremlin") && p[1] && !p[2])
6798 else if (
streq(p[0],
"chroot") && p[1] && !p[2])
6803 else if (
streq(p[0],
"cd") && p[1] && !p[2])
6808 msg(
M_ERR,
"cd to '%s' failed", p[1]);
6813#ifdef ENABLE_SELINUX
6814 else if (
streq(p[0],
"setcon") && p[1] && !p[2])
6817 options->selinux_context = p[1];
6820 else if (
streq(p[0],
"writepid") && p[1] && !p[2])
6825 else if (
streq(p[0],
"up") && p[1])
6834 else if (
streq(p[0],
"down") && p[1])
6843 else if (
streq(p[0],
"down-pre") && !p[1])
6848 else if (
streq(p[0],
"up-delay") && !p[1])
6853 else if (
streq(p[0],
"up-restart") && !p[1])
6858 else if (
streq(p[0],
"syslog") && !p[2])
6863 else if (
streq(p[0],
"daemon") && !p[2])
6877 "WARNING: Multiple --daemon directives specified, ignoring --daemon %s. (Note that initscripts sometimes add their own --daemon directive.)",
6883 else if (
streq(p[0],
"log") && p[1] && !p[2])
6889 else if (
streq(p[0],
"suppress-timestamps") && !p[1])
6895 else if (
streq(p[0],
"machine-readable-output") && !p[1])
6901 else if (
streq(p[0],
"log-append") && p[1] && !p[2])
6907#ifdef ENABLE_MEMSTATS
6908 else if (
streq(p[0],
"memstats") && p[1] && !p[2])
6914 else if (
streq(p[0],
"mlock") && !p[1])
6919#if ENABLE_IP_PKTINFO
6920 else if (
streq(p[0],
"multihome") && !p[1])
6926 else if (
streq(p[0],
"verb") && p[1] && !p[2])
6936#if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
6941 "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
6946 else if (
streq(p[0],
"mute") && p[1] && !p[2])
6951 else if (
streq(p[0],
"errors-to-stderr") && !p[1])
6956 else if (
streq(p[0],
"status") && p[1] && !p[3])
6965 else if (
streq(p[0],
"status-version") && p[1] && !p[2])
6973 else if (
streq(p[0],
"remap-usr1") && p[1] && !p[2])
6976 if (
streq(p[1],
"SIGHUP"))
6980 else if (
streq(p[1],
"SIGTERM"))
6986 msg(msglevel,
"--remap-usr1 parm must be 'SIGHUP' or 'SIGTERM'");
6990 else if ((
streq(p[0],
"link-mtu") ||
streq(p[0],
"udp-mtu")) && p[1] && !p[2])
6996 else if (
streq(p[0],
"tun-mtu") && p[1] && !p[3])
7010 else if (
streq(p[0],
"tun-mtu-max") && p[1] && !p[2])
7014 if (max_mtu < 68 || max_mtu > 65536)
7016 msg(msglevel,
"--tun-mtu-max value '%s' is invalid", p[1]);
7023 else if (
streq(p[0],
"tun-mtu-extra") && p[1] && !p[2])
7029 else if (
streq(p[0],
"max-packet-size") && p[1] && !p[2])
7038 "Note: max-packet-size value outside of allowed "
7039 "control channel packet size (%d to %d), will use %d "
7049#ifdef ENABLE_FRAGMENT
7050 else if (
streq(p[0],
"mtu-dynamic"))
7053 msg(msglevel,
"--mtu-dynamic has been replaced by --fragment");
7056 else if (
streq(p[0],
"fragment") && p[1] && !p[3])
7063 msg(msglevel,
"--fragment needs to be at least 68");
7067 if (p[2] &&
streq(p[2],
"mtu"))
7073 msg(msglevel,
"Unknown parameter to --fragment: %s", p[2]);
7077 else if (
streq(p[0],
"mtu-disc") && p[1] && !p[2])
7082 else if (
streq(p[0],
"mtu-test") && !p[1])
7087 else if (
streq(p[0],
"nice") && p[1] && !p[2])
7092 else if (
streq(p[0],
"rcvbuf") && p[1] && !p[2])
7097 else if (
streq(p[0],
"sndbuf") && p[1] && !p[2])
7102 else if (
streq(p[0],
"mark") && p[1] && !p[2])
7104#if defined(TARGET_LINUX) && HAVE_DECL_SO_MARK
7109 else if (
streq(p[0],
"socket-flags"))
7115 if (
streq(p[j],
"TCP_NODELAY"))
7121 msg(msglevel,
"unknown socket flag: %s", p[j]);
7126 else if (
streq(p[0],
"bind-dev") && p[1])
7132 else if (
streq(p[0],
"txqueuelen") && p[1] && !p[2])
7138 msg(msglevel,
"--txqueuelen not supported on this OS");
7142 else if (
streq(p[0],
"shaper") && p[1] && !p[2])
7150 else if (
streq(p[0],
"port") && p[1] && !p[2])
7155 else if (
streq(p[0],
"lport") && p[1] && !p[2])
7160 if (!
streq(p[1],
"0"))
7166 else if (
streq(p[0],
"rport") && p[1] && !p[2])
7171 else if (
streq(p[0],
"bind") && !p[2])
7175 if (p[1] &&
streq(p[1],
"ipv6only"))
7180 else if (
streq(p[0],
"nobind") && !p[1])
7185 else if (
streq(p[0],
"fast-io") && !p[1])
7190 else if (
streq(p[0],
"inactive") && p[1] && !p[3])
7196 int64_t val = atoll(p[2]);
7201 "WARNING: '--inactive' with a 'bytes' value"
7202 " >2 Gbyte was silently ignored in older versions. If "
7203 " your VPN exits unexpectedly with 'Inactivity timeout'"
7204 " in %d seconds, revisit this value.",
7209 else if (
streq(p[0],
"session-timeout") && p[1] && !p[2])
7214 else if (
streq(p[0],
"proto") && p[1] && !p[2])
7223 msg(msglevel,
"Bad protocol: '%s'. Allowed protocols with --proto option: %s", p[1],
7230 else if (
streq(p[0],
"proto-force") && p[1] && !p[2])
7235 if (proto_force < 0)
7237 msg(msglevel,
"Bad --proto-force protocol: '%s'", p[1]);
7242 else if (
streq(p[0],
"http-proxy") && p[1] && !p[5])
7251 msg(msglevel,
"http-proxy port number not defined");
7265 if (
streq(p[3],
"auto"))
7269 else if (
streq(p[3],
"auto-nct"))
7289 else if (
streq(p[0],
"http-proxy-user-pass") && p[1])
7297 else if (
streq(p[0],
"http-proxy-retry") ||
streq(p[0],
"socks-proxy-retry"))
7300 msg(
M_WARN,
"DEPRECATED OPTION: http-proxy-retry and socks-proxy-retry: "
7301 "In OpenVPN 2.4 proxy connection retries are handled like regular connections. "
7302 "Use connect-retry-max 1 to get a similar behavior as before.");
7304 else if (
streq(p[0],
"http-proxy-timeout") && p[1] && !p[2])
7308 "DEPRECATED OPTION: http-proxy-timeout: In OpenVPN 2.4 the timeout until a connection to a "
7309 "server is established is managed with a single timeout set by connect-timeout");
7311 else if (
streq(p[0],
"http-proxy-option") && p[1] && !p[4])
7318 if (
streq(p[1],
"VERSION") && p[2] && !p[3])
7322 else if (
streq(p[1],
"AGENT") && p[2] && !p[3])
7326 else if ((
streq(p[1],
"EXT1") ||
streq(p[1],
"EXT2") ||
streq(p[1],
"CUSTOM-HEADER"))
7345 msg(msglevel,
"Cannot use more than %d http-proxy-option CUSTOM-HEADER : '%s'",
7352 custom_header->
name = p[2];
7353 custom_header->
content = p[3];
7358 msg(msglevel,
"Bad http-proxy-option or missing or extra parameter: '%s'", p[1]);
7361 else if (
streq(p[0],
"socks-proxy") && p[1] && !p[4])
7376 else if (
streq(p[0],
"keepalive") && p[1] && p[2] && !p[3])
7382 else if (
streq(p[0],
"ping") && p[1] && !p[2])
7387 else if (
streq(p[0],
"ping-exit") && p[1] && !p[2])
7393 else if (
streq(p[0],
"ping-restart") && p[1] && !p[2])
7399 else if (
streq(p[0],
"ping-timer-rem") && !p[1])
7404 else if (
streq(p[0],
"explicit-exit-notify") && !p[2])
7416 else if (
streq(p[0],
"persist-tun") && !p[1])
7421 else if (
streq(p[0],
"persist-key") && !p[1])
7424 msg(
M_WARN,
"DEPRECATED: --persist-key option ignored. "
7425 "Keys are now always persisted across restarts. ");
7427 else if (
streq(p[0],
"persist-local-ip") && !p[1])
7432 else if (
streq(p[0],
"persist-remote-ip") && !p[1])
7437 else if (
streq(p[0],
"client-nat") && p[1] && p[2] && p[3] && p[4] && !p[5])
7443 else if (
streq(p[0],
"route-table") && p[1] && !p[2])
7446 msg(
M_WARN,
"NOTE: --route-table is supported only on Linux when SITNL is built-in");
7451 else if (
streq(p[0],
"route") && p[1] && !p[5])
7461 else if (
streq(p[0],
"route-ipv6") && p[1] && !p[4])
7471 else if (
streq(p[0],
"max-routes") && !p[2])
7473 msg(
M_WARN,
"DEPRECATED OPTION: --max-routes option ignored. "
7474 "The number of routes is unlimited as of OpenVPN 2.4. "
7475 "This option will be removed in a future version, "
7476 "please remove it from your configuration.");
7478 else if (
streq(p[0],
"route-gateway") && p[1] && !p[2])
7481 if (
streq(p[1],
"dhcp"))
7494 msg(msglevel,
"route-gateway parm '%s' must be a valid address", p[1]);
7499 else if (
streq(p[0],
"route-ipv6-gateway") && p[1] && !p[2])
7507 msg(msglevel,
"route-ipv6-gateway parm '%s' must be a valid address", p[1]);
7511 else if (
streq(p[0],
"route-metric") && p[1] && !p[2])
7516 else if (
streq(p[0],
"route-delay") && !p[3])
7533 else if (
streq(p[0],
"route-up") && p[1])
7542 else if (
streq(p[0],
"route-pre-down") && p[1])
7551 else if (
streq(p[0],
"route-noexec") && !p[1])
7556 else if (
streq(p[0],
"route-nopull") && !p[1])
7561 else if (
streq(p[0],
"pull-filter") && p[1] && p[2] && !p[3])
7567 if (strcmp(
"accept", p[1]) == 0)
7571 else if (strcmp(
"ignore", p[1]) == 0)
7575 else if (strcmp(
"reject", p[1]) == 0)
7581 msg(msglevel,
"Unknown --pull-filter type: %s", p[1]);
7585 f->
size = strlen(p[2]);
7587 else if (
streq(p[0],
"allow-pull-fqdn") && !p[1])
7592 else if (
streq(p[0],
"redirect-gateway") ||
streq(p[0],
"redirect-private"))
7600 msg(
M_WARN,
"WARNING: You have specified redirect-gateway and "
7601 "redirect-private at the same time (or the same option "
7602 "multiple times). This is not well supported and may lead to "
7603 "unexpected results");
7608 if (
streq(p[0],
"redirect-gateway"))
7612 for (j = 1; j <
MAX_PARMS && p[j] != NULL; ++j)
7614 if (
streq(p[j],
"local"))
7618 else if (
streq(p[j],
"autolocal"))
7622 else if (
streq(p[j],
"def1"))
7626 else if (
streq(p[j],
"bypass-dhcp"))
7630 else if (
streq(p[j],
"bypass-dns"))
7634 else if (
streq(p[j],
"block-local"))
7638 else if (
streq(p[j],
"ipv6"))
7643 else if (
streq(p[j],
"!ipv4"))
7649 msg(msglevel,
"unknown --%s flag: %s", p[0], p[j]);
7668 else if (
streq(p[0],
"block-ipv6") && !p[1])
7673 else if (
streq(p[0],
"remote-random-hostname") && !p[1])
7678 else if (
streq(p[0],
"setenv") && p[1] && !p[3])
7681 if (
streq(p[1],
"REMOTE_RANDOM_HOSTNAME") && !p[2])
7685 else if (
streq(p[1],
"GENERIC_CONFIG"))
7687 msg(msglevel,
"this is a generic configuration and cannot directly be used");
7690 else if (
streq(p[1],
"PUSH_PEER_INFO") && !p[2])
7694 else if (
streq(p[1],
"SERVER_POLL_TIMEOUT") && p[2])
7700 if (
streq(p[1],
"FORWARD_COMPATIBLE") && p[2] &&
streq(p[2],
"1"))
7708 else if (
streq(p[0],
"compat-mode") && p[1] && !p[3])
7710 unsigned int major, minor, patch;
7711 if (!(sscanf(p[1],
"%u.%u.%u", &major, &minor, &patch) == 3))
7713 msg(msglevel,
"cannot parse version number for --compat-mode: %s", p[1]);
7719 else if (
streq(p[0],
"setenv-safe") && p[1] && !p[3])
7724 else if (
streq(p[0],
"script-security") && p[1] && !p[2])
7733 else if (
streq(p[0],
"mssfix") && !p[3])
7741 if (mssfix != 0 && (mssfix < TLS_CHANNEL_MTU_MIN || mssfix > UINT16_MAX))
7743 msg(msglevel,
"--mssfix value '%s' is invalid", p[1]);
7761 if (p[2] &&
streq(p[2],
"mtu"))
7765 else if (p[2] &&
streq(p[2],
"fixed"))
7771 msg(msglevel,
"Unknown parameter to --mssfix: %s", p[2]);
7774 else if (
streq(p[0],
"disable-occ") && !p[1])
7779 else if (
streq(p[0],
"server") && p[1] && p[2] && !p[4])
7783 in_addr_t network, netmask;
7788 if (error || !network || !netmask)
7790 msg(msglevel,
"error parsing --server parameters");
7799 if (
streq(p[3],
"nopool"))
7805 msg(msglevel,
"error parsing --server: %s is not a recognized flag", p[3]);
7810 else if (
streq(p[0],
"server-ipv6") && p[1] && !p[2])
7813 struct in6_addr network;
7814 unsigned int netbits = 0;
7819 msg(msglevel,
"error parsing --server-ipv6 parameter");
7822 if (netbits < 64 || netbits > 124)
7824 msg(msglevel,
"--server-ipv6 settings: network must be between /64 and /124 (not /%d)",
7833 else if (
streq(p[0],
"server-bridge") && p[1] && p[2] && p[3] && p[4] && !p[5])
7837 in_addr_t ip, netmask, pool_start, pool_end;
7844 if (error || !ip || !netmask || !pool_start || !pool_end)
7846 msg(msglevel,
"error parsing --server-bridge parameters");
7855 else if (
streq(p[0],
"server-bridge") && p[1] &&
streq(p[1],
"nogw") && !p[2])
7861 else if (
streq(p[0],
"server-bridge") && !p[1])
7866 else if (
streq(p[0],
"push") && p[1] && !p[2])
7871 else if (
streq(p[0],
"push-reset") && !p[1])
7876 else if (
streq(p[0],
"push-remove") && p[1] && !p[2])
7882 else if (
streq(p[0],
"ifconfig-pool") && p[1] && p[2] && !p[4])
7886 in_addr_t start, end, netmask = 0;
7897 msg(msglevel,
"error parsing --ifconfig-pool parameters");
7913 else if (
streq(p[0],
"ifconfig-pool-persist") && p[1] && !p[3])
7922 else if (
streq(p[0],
"ifconfig-ipv6-pool") && p[1] && !p[2])
7925 struct in6_addr network;
7926 unsigned int netbits = 0;
7931 msg(msglevel,
"error parsing --ifconfig-ipv6-pool parameters");
7934 if (netbits < 64 || netbits > 124)
7937 "--ifconfig-ipv6-pool settings: network must be between /64 and /124 (not /%d)",
7946 else if (
streq(p[0],
"hash-size") && p[1] && p[2] && !p[3])
7952 || !
atoi_constrained(p[2], &
virtual,
"hash-size virtual", 1, INT_MAX, msglevel))
7959 else if (
streq(p[0],
"connect-freq") && p[1] && p[2] && !p[3])
7964 if (!
atoi_constrained(p[1], &cf_max,
"connect-freq n", 1, INT_MAX, msglevel)
7965 || !
atoi_constrained(p[2], &cf_per,
"connect-freq seconds", 1, INT_MAX, msglevel))
7972 else if (
streq(p[0],
"connect-freq-initial") && p[1] && p[2] && !p[3])
7977 if (!
atoi_constrained(p[1], &cf_max,
"connect-freq-initial n", 1, INT_MAX, msglevel)
7978 || !
atoi_constrained(p[2], &cf_per,
"connect-freq-initial seconds", 1, INT_MAX, msglevel))
7985 else if (
streq(p[0],
"max-clients") && p[1] && !p[2])
7993 else if (
streq(p[0],
"max-routes-per-client") && p[1] && !p[2])
7998 else if (
streq(p[0],
"client-cert-not-required") && !p[1])
8002 "REMOVED OPTION: --client-cert-not-required, use '--verify-client-cert none' instead");
8004 else if (
streq(p[0],
"verify-client-cert") && !p[2])
8013 if (
streq(p[1],
"none"))
8017 else if (
streq(p[1],
"optional"))
8021 else if (!
streq(p[1],
"require"))
8024 "parameter to --verify-client-cert must be 'none', 'optional' or 'require'");
8029 else if (
streq(p[0],
"username-as-common-name") && !p[1])
8034 else if (
streq(p[0],
"auth-user-pass-optional") && !p[1])
8039 else if (
streq(p[0],
"opt-verify") && !p[1])
8042 msg(
M_INFO,
"DEPRECATION: opt-verify is deprecated and will be removed "
8046 else if (
streq(p[0],
"auth-user-pass-verify") && p[1])
8055 if (
streq(p[2],
"via-env"))
8059 else if (
streq(p[2],
"via-file"))
8066 "second parm to --auth-user-pass-verify must be 'via-env' or 'via-file'");
8073 "--auth-user-pass-verify requires a second parameter ('via-env' or 'via-file')");
8077 "auth-user-pass-verify",
true);
8079 else if (
streq(p[0],
"auth-gen-token"))
8092 else if (
streq(p[
i],
"external-auth"))
8098 msg(msglevel,
"Invalid argument to auth-gen-token: %s (%d)", p[
i],
i);
8102 else if (
streq(p[0],
"auth-gen-token-secret") && p[1] && !p[2])
8108 else if (
streq(p[0],
"client-connect") && p[1])
8117 else if (
streq(p[0],
"client-crresponse") && p[1])
8127 else if (
streq(p[0],
"client-disconnect") && p[1])
8137 else if (
streq(p[0],
"learn-address") && p[1])
8146 else if (
streq(p[0],
"tmp-dir") && p[1] && !p[2])
8151 else if (
streq(p[0],
"client-config-dir") && p[1] && !p[2])
8156 else if (
streq(p[0],
"ccd-exclusive") && !p[1])
8161 else if (
streq(p[0],
"bcast-buffers") && p[1] && !p[2])
8166 else if (
streq(p[0],
"tcp-queue-limit") && p[1] && !p[2])
8172 else if (
streq(p[0],
"port-share") && p[1] && p[2] && !p[4])
8175 options->port_share_host = p[1];
8176 options->port_share_port = p[2];
8177 options->port_share_journal_dir = p[3];
8180 else if (
streq(p[0],
"client-to-client") && !p[1])
8185 else if (
streq(p[0],
"duplicate-cn") && !p[1])
8190 else if (
streq(p[0],
"iroute") && p[1] && !p[3])
8195 else if (
streq(p[0],
"iroute-ipv6") && p[1] && !p[2])
8200 else if (
streq(p[0],
"ifconfig-push") && p[1] && p[2] && !p[4])
8202 in_addr_t local, remote_netmask;
8207 if (local && remote_netmask)
8220 msg(msglevel,
"cannot parse --ifconfig-push addresses");
8224 else if (
streq(p[0],
"ifconfig-push-constraint") && p[1] && p[2] && !p[3])
8226 in_addr_t network, netmask;
8231 if (network && netmask)
8239 msg(msglevel,
"cannot parse --ifconfig-push-constraint addresses");
8243 else if (
streq(p[0],
"ifconfig-ipv6-push") && p[1] && !p[3])
8245 struct in6_addr local, remote;
8246 unsigned int netbits;
8252 msg(msglevel,
"cannot parse --ifconfig-ipv6-push addresses");
8260 msg(msglevel,
"cannot parse --ifconfig-ipv6-push addresses");
8270 "second argument to --ifconfig-ipv6-push missing and no global --ifconfig-ipv6 address set");
8281 else if (
streq(p[0],
"disable") && !p[1])
8286 else if (
streq(p[0],
"override-username") && p[1] && !p[2])
8292 "override-username exceeds the maximum length of %d "
8305 else if (
streq(p[0],
"tcp-nodelay") && !p[1])
8310 else if (
streq(p[0],
"stale-routes-check") && p[1] && !p[3])
8312 int ageing_time, check_interval;
8315 if (!
atoi_constrained(p[1], &ageing_time,
"stale-routes-check age", 1, INT_MAX, msglevel))
8323 "stale-routes-check interval", 1, INT_MAX, msglevel))
8330 check_interval = ageing_time;
8337 else if (
streq(p[0],
"client") && !p[1])
8342 else if (
streq(p[0],
"pull") && !p[1])
8347 else if (
streq(p[0],
"push-continuation") && p[1] && !p[2])
8352 else if (
streq(p[0],
"auth-user-pass") && !p[2])
8365 else if (
streq(p[0],
"auth-retry") && p[1] && !p[2])
8370#ifdef ENABLE_MANAGEMENT
8371 else if (
streq(p[0],
"static-challenge") && p[1] && p[2] && !p[4])
8379 if (p[3] &&
streq(p[3],
"concat"))
8383 else if (p[3] && !
streq(p[3],
"scrv1"))
8385 msg(msglevel,
"--static-challenge: unknown format indicator '%s'", p[3]);
8390 else if (
streq(p[0],
"msg-channel") && p[1])
8394 HANDLE process = GetCurrentProcess();
8395 HANDLE handle = (HANDLE)((intptr_t)atoll(p[1]));
8397 DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
8399 msg(msglevel,
"could not duplicate service pipe handle");
8404 msg(msglevel,
"--msg-channel is only supported on Windows");
8409 else if (
streq(p[0],
"win-sys") && p[1] && !p[2])
8412 if (
streq(p[1],
"env"))
8414 msg(
M_INFO,
"NOTE: --win-sys env is default from OpenVPN 2.3. "
8415 "This entry will now be ignored. "
8416 "Please remove this entry from your configuration file.");
8423 else if (
streq(p[0],
"route-method") && p[1] && !p[2])
8426 if (
streq(p[1],
"adaptive"))
8430 else if (
streq(p[1],
"ipapi"))
8434 else if (
streq(p[1],
"exe"))
8440 msg(msglevel,
"--route method must be 'adaptive', 'ipapi', or 'exe'");
8444 else if (
streq(p[0],
"ip-win32") && p[1] && !p[4])
8453 msg(msglevel,
"Bad --ip-win32 method: '%s'. Allowed methods: %s", p[1],
8467 if (!
streq(p[2],
"default"))
8471 if (!
atoi_constrained(p[2], &offset,
"ip-win32 offset", -256, 256, msglevel))
8482 "ip-win32 lease time", 30, INT_MAX, msglevel))
8493 else if (
streq(p[0],
"dns-updown") && p[1])
8501 if (
streq(p[1],
"disable"))
8506 else if (
streq(p[1],
"force"))
8511 dns->
updown = DEFAULT_DNS_UPDOWN;
8526 else if (
streq(p[0],
"dns") && p[1])
8534 else if (
streq(p[0],
"dhcp-option") && p[1])
8537#if defined(_WIN32) || defined(TARGET_ANDROID)
8542 bool dhcp_optional =
false;
8544 if ((
streq(p[1],
"DOMAIN") ||
streq(p[1],
"ADAPTER_DOMAIN_SUFFIX")) && p[2] && !p[3])
8546 dhcp->domain = p[2];
8547 dhcp_optional =
true;
8549 else if (
streq(p[1],
"DOMAIN-SEARCH") && p[2] && !p[3])
8553 dhcp->domain_search_list[
dhcp->domain_search_list_len++] = p[2];
8557 msg(msglevel,
"--dhcp-option %s: maximum of %d search entries can be specified",
8560 dhcp_optional =
true;
8562 else if ((
streq(p[1],
"DNS") ||
streq(p[1],
"DNS6")) && p[2] && !p[3]
8565 if (strstr(p[2],
":"))
8572 dhcp_optional =
true;
8575#if defined(_WIN32) || defined(TARGET_ANDROID)
8576 else if (
streq(p[1],
"NBS") && p[2] && !p[3])
8581 else if (
streq(p[1],
"NBT") && p[2] && !p[3])
8584 if (!(t == 1 || t == 2 || t == 4 || t == 8))
8586 msg(msglevel,
"--dhcp-option NBT: parameter (%d) must be 1, 2, 4, or 8", t);
8592 else if (
streq(p[1],
"WINS") && p[2] && !p[3])
8597 else if (
streq(p[1],
"NTP") && p[2] && !p[3])
8602 else if (
streq(p[1],
"NBDD") && p[2] && !p[3])
8607 else if (
streq(p[1],
"DISABLE-NBT") && !p[2])
8612#if defined(TARGET_ANDROID)
8613 else if (
streq(p[1],
"PROXY_HTTP") && p[3] && !p[4])
8616 o->http_proxy = p[2];
8621 msg(msglevel,
"--dhcp-option: unknown option type '%s' or missing or unknown parameter",
8626 setenv_foreign_option(
options, p[1], p[2],
es);
8631#if defined(_WIN32) || defined(TARGET_ANDROID)
8637 else if (
streq(p[0],
"show-adapters") && !p[1])
8643 else if (
streq(p[0],
"show-net") && !p[1])
8650 else if (
streq(p[0],
"show-net-up") && !p[1])
8655 else if (
streq(p[0],
"tap-sleep") && p[1] && !p[2])
8663 else if (
streq(p[0],
"dhcp-renew") && !p[1])
8668 else if (
streq(p[0],
"dhcp-pre-release") && !p[1])
8674 else if (
streq(p[0],
"dhcp-release") && !p[1])
8676 msg(
M_WARN,
"Obsolete option --dhcp-release detected. This is now on by default");
8678 else if (
streq(p[0],
"dhcp-internal") && p[1] && !p[2])
8680 unsigned int adapter_index;
8683 adapter_index =
atou(p[1]);
8695 else if (
streq(p[0],
"register-dns") && !p[1])
8700 else if (
streq(p[0],
"block-outside-dns") && !p[1])
8705 else if (
streq(p[0],
"rdns-internal") && !p[1])
8721 else if (
streq(p[0],
"show-valid-subnets") && !p[1])
8727 else if (
streq(p[0],
"pause-exit") && !p[1])
8732 else if (
streq(p[0],
"service") && p[1] && !p[3])
8741 else if (
streq(p[0],
"allow-nonadmin") && !p[2])
8747 else if (
streq(p[0],
"user") && p[1] && !p[2])
8750 msg(
M_WARN,
"NOTE: --user option is not implemented on Windows");
8752 else if (
streq(p[0],
"group") && p[1] && !p[2])
8755 msg(
M_WARN,
"NOTE: --group option is not implemented on Windows");
8758 else if (
streq(p[0],
"user") && p[1] && !p[2])
8763 else if (
streq(p[0],
"group") && p[1] && !p[2])
8768 else if (
streq(p[0],
"dhcp-option") && p[1] && !p[3])
8771 setenv_foreign_option(
options, p[1], p[2],
es);
8773 else if (
streq(p[0],
"route-method") && p[1] && !p[2])
8779#if PASSTOS_CAPABILITY
8780 else if (
streq(p[0],
"passtos") && !p[1])
8786 else if (
streq(p[0],
"allow-compression") && p[1] && !p[2])
8790 if (
streq(p[1],
"no"))
8795 msg(msglevel,
"'--allow-compression no' conflicts with "
8796 " enabling compression");
8803 "Cannot set allow-compression to '%s' "
8804 "after set to 'no'",
8808 else if (
streq(p[1],
"asym"))
8812 else if (
streq(p[1],
"yes"))
8815 "DEPRECATED OPTION: \"--allow-compression yes\" has been removed. "
8816 "We will use \"asym\" mode instead. See the manual page for more information.");
8823 "bad allow-compression option: %s -- "
8824 "must be 'yes', 'no', or 'asym'",
8829 else if (
streq(p[0],
"comp-lzo") && !p[2])
8839 if (
streq(p[1],
"no"))
8847 else if (!(
streq(p[1],
"yes") ||
streq(p[1],
"adaptive")))
8849 msg(msglevel,
"bad comp-lzo option: %s -- must be 'yes', 'no', or 'adaptive'",
8856 else if (
streq(p[0],
"comp-noadapt") && !p[1])
8860 else if (
streq(p[0],
"compress") && !p[2])
8863 const char *alg =
"stub";
8869 if (
streq(alg,
"stub"))
8874 else if (
streq(alg,
"stub-v2"))
8879 else if (
streq(alg,
"migrate"))
8884 else if (
streq(alg,
"lzo"))
8889 else if (
streq(alg,
"lz4"))
8894 else if (
streq(alg,
"lz4-v2"))
8900 msg(msglevel,
"bad comp option: %s", alg);
8906 else if (
streq(p[0],
"show-ciphers") && !p[1])
8911 else if (
streq(p[0],
"show-digests") && !p[1])
8916 else if (
streq(p[0],
"show-engines") && !p[1])
8921 else if (
streq(p[0],
"key-direction") && p[1] && !p[2])
8928 if (key_direction >= 0)
8944 else if (
streq(p[0],
"secret") && p[1] && !p[3])
8946 msg(
M_WARN,
"DEPRECATED OPTION: The option --secret is deprecated.");
8950 if (!is_inline && p[2])
8955 if (key_direction >= 0)
8965 else if (
streq(p[0],
"allow-deprecated-insecure-static-crypto"))
8970 else if (
streq(p[0],
"genkey") && !p[4])
8980 if (
streq(p[1],
"secret") ||
streq(p[1],
"tls-auth") ||
streq(p[1],
"tls-crypt"))
8984 else if (
streq(p[1],
"tls-crypt-v2-server"))
8988 else if (
streq(p[1],
"tls-crypt-v2-client"))
8996 else if (
streq(p[1],
"auth-token"))
9002 msg(msglevel,
"unknown --genkey type: %s", p[1]);
9010 else if (
streq(p[0],
"auth") && p[1] && !p[2])
9015 else if (
streq(p[0],
"cipher") && p[1] && !p[2])
9020 else if (
streq(p[0],
"data-ciphers-fallback") && p[1] && !p[2])
9026 else if ((
streq(p[0],
"data-ciphers") ||
streq(p[0],
"ncp-ciphers")) && p[1] && !p[2])
9029 if (
streq(p[0],
"ncp-ciphers"))
9031 msg(
M_INFO,
"Note: Treating option '--ncp-ciphers' as "
9032 " '--data-ciphers' (renamed in OpenVPN 2.5).");
9036 else if (
streq(p[0],
"key-derivation") && p[1])
9041 if (
streq(p[1],
"tls-ekm"))
9047 msg(msglevel,
"Unknown key-derivation method %s", p[1]);
9050 else if (
streq(p[0],
"protocol-flags") && p[1])
9056 for (
size_t j = 1; j <
MAX_PARMS && p[j] != NULL; j++)
9058 if (
streq(p[j],
"cc-exit"))
9062 else if (
streq(p[j],
"tls-ekm"))
9066 else if (
streq(p[j],
"dyn-tls-crypt"))
9070 else if (
streq(p[j],
"aead-epoch"))
9076 msg(msglevel,
"Unknown protocol-flags flag: %s", p[j]);
9080 else if (
streq(p[0],
"force-tls-key-material-export"))
9085 else if (
streq(p[0],
"prng") && p[1] && !p[3])
9087 msg(
M_WARN,
"NOTICE: --prng option ignored (SSL library PRNG is used)");
9089 else if (
streq(p[0],
"no-replay") && !p[1])
9093 msg(
M_FATAL,
"--no-replay was removed in OpenVPN 2.7. "
9094 "Update your configuration.");
9096 else if (
streq(p[0],
"replay-window") && !p[3])
9118 msg(msglevel,
"replay-window option is missing window size parameter");
9122 else if (
streq(p[0],
"mute-replay-warnings") && !p[1])
9127 else if (
streq(p[0],
"replay-persist") && p[1] && !p[2])
9132 else if (
streq(p[0],
"test-crypto") && !p[1])
9137#ifndef ENABLE_CRYPTO_MBEDTLS
9138 else if (
streq(p[0],
"engine") && !p[2])
9151 else if (
streq(p[0],
"providers") && p[1])
9153 for (
size_t j = 1; j <
MAX_PARMS && p[j] != NULL; j++)
9158#ifdef ENABLE_PREDICTION_RESISTANCE
9159 else if (
streq(p[0],
"use-prediction-resistance") && !p[1])
9162 options->use_prediction_resistance =
true;
9165 else if (
streq(p[0],
"show-tls") && !p[1])
9170 else if ((
streq(p[0],
"show-curves") ||
streq(p[0],
"show-groups")) && !p[1])
9175 else if (
streq(p[0],
"ecdh-curve") && p[1] && !p[2])
9178 msg(
M_WARN,
"Consider setting groups/curves preference with "
9179 "tls-groups instead of forcing a specific curve with "
9183 else if (
streq(p[0],
"tls-server") && !p[1])
9188 else if (
streq(p[0],
"tls-client") && !p[1])
9193 else if (
streq(p[0],
"ca") && p[1] && !p[2])
9199#ifndef ENABLE_CRYPTO_MBEDTLS
9200 else if (
streq(p[0],
"capath") && p[1] && !p[2])
9206 else if (
streq(p[0],
"dh") && p[1] && !p[2])
9212 else if (
streq(p[0],
"cert") && p[1] && !p[2])
9218 else if (
streq(p[0],
"extra-certs") && p[1] && !p[2])
9224 else if ((
streq(p[0],
"verify-hash") && p[1] && !p[3])
9225 || (
streq(p[0],
"peer-fingerprint") && p[1] && !p[2]))
9229 int verify_hash_depth = 0;
9230 if (
streq(p[0],
"verify-hash"))
9232 msg(
M_WARN,
"DEPRECATED OPTION: The option --verify-hash is deprecated. "
9233 "You should switch to the either use the level 1 certificate as "
9234 "--ca option, use --tls-verify or use --peer-fingerprint");
9236 verify_hash_depth = 1;
9246 "ERROR: Setting %s not allowed. --verify-hash and"
9247 " --peer-fingerprint are mutually exclusive",
9252 if (
streq(p[0],
"verify-hash"))
9254 if ((!p[2] && !is_inline) || (p[2] &&
streq(p[2],
"SHA1")))
9259 else if (p[2] && !
streq(p[2],
"SHA256"))
9262 "invalid or unsupported hashing algorithm: %s "
9263 "(only SHA1 and SHA256 are supported)",
9283 while (listend->
next)
9285 listend = listend->
next;
9287 listend->
next = newlist;
9290#if defined(ENABLE_CRYPTOAPI) && defined(HAVE_XKEY_PROVIDER)
9291 else if (
streq(p[0],
"cryptoapicert") && p[1] && !p[2])
9297 else if (
streq(p[0],
"key") && p[1] && !p[2])
9303 else if (
streq(p[0],
"tls-version-min") && p[1] && !p[3])
9310 msg(msglevel,
"unknown tls-version-min parameter: %s", p[1]);
9314#ifdef ENABLE_CRYPTO_MBEDTLS
9317 msg(
M_WARN,
"--tls-version-min %s is not supported by mbedtls, using 1.2", p[1]);
9325 else if (
streq(p[0],
"tls-version-max") && p[1] && !p[2])
9332 msg(msglevel,
"unknown tls-version-max parameter: %s", p[1]);
9338#ifndef ENABLE_CRYPTO_MBEDTLS
9339 else if (
streq(p[0],
"pkcs12") && p[1] && !p[2])
9346 else if (
streq(p[0],
"askpass") && !p[2])
9358 else if (
streq(p[0],
"auth-nocache") && !p[1])
9363 else if (
streq(p[0],
"auth-token") && p[1] && !p[2])
9367#ifdef ENABLE_MANAGEMENT
9374 else if (
streq(p[0],
"auth-token-user") && p[1] && !p[2])
9379 else if (
streq(p[0],
"single-session") && !p[1])
9384 else if (
streq(p[0],
"push-peer-info") && !p[1])
9389 else if (
streq(p[0],
"tls-exit") && !p[1])
9394 else if (
streq(p[0],
"tls-cipher") && p[1] && !p[2])
9399 else if (
streq(p[0],
"tls-cert-profile") && p[1] && !p[2])
9404 else if (
streq(p[0],
"tls-ciphersuites") && p[1] && !p[2])
9409 else if (
streq(p[0],
"tls-groups") && p[1] && !p[2])
9414 else if (
streq(p[0],
"crl-verify") && p[1] && ((p[2] &&
streq(p[2],
"dir")) || !p[2]))
9417 if (p[2] &&
streq(p[2],
"dir"))
9424 else if (
streq(p[0],
"tls-verify") && p[1])
9434 else if (
streq(p[0],
"tls-export-cert") && p[1] && !p[2])
9439 else if (
streq(p[0],
"compat-names"))
9442 msg(msglevel,
"--compat-names was removed in OpenVPN 2.5. "
9443 "Update your configuration.");
9446 else if (
streq(p[0],
"no-name-remapping") && !p[1])
9449 msg(msglevel,
"--no-name-remapping was removed in OpenVPN 2.5. "
9450 "Update your configuration.");
9453 else if (
streq(p[0],
"verify-x509-name") && p[1] && strlen(p[1]) && !p[3])
9459 if (
streq(p[2],
"subject"))
9463 else if (
streq(p[2],
"name"))
9467 else if (
streq(p[2],
"name-prefix"))
9473 msg(msglevel,
"unknown X.509 name type: %s", p[2]);
9480 else if (
streq(p[0],
"ns-cert-type") && p[1] && !p[2])
9482#ifdef ENABLE_CRYPTO_MBEDTLS
9483 msg(msglevel,
"--ns-cert-type is not available with mbedtls.");
9487 if (
streq(p[1],
"server"))
9491 else if (
streq(p[1],
"client"))
9497 msg(msglevel,
"--ns-cert-type must be 'client' or 'server'");
9502 else if (
streq(p[0],
"remote-cert-ku"))
9507 for (j = 1; j <
MAX_PARMS && p[j] != NULL; ++j)
9517 else if (
streq(p[0],
"remote-cert-eku") && p[1] && !p[2])
9522 else if (
streq(p[0],
"remote-cert-tls") && p[1] && !p[2])
9526 if (
streq(p[1],
"server"))
9531 else if (
streq(p[1],
"client"))
9538 msg(msglevel,
"--remote-cert-tls must be 'client' or 'server'");
9542 else if (
streq(p[0],
"tls-timeout") && p[1] && !p[2])
9547 else if (
streq(p[0],
"reneg-bytes") && p[1] && !p[2])
9551 long long reneg_bytes = strtoll(p[1], &end, 10);
9552 if (*end !=
'\0' || reneg_bytes < 0)
9554 msg(msglevel,
"--reneg-bytes parameter must be an integer and >= 0");
9559 else if (
streq(p[0],
"reneg-pkts") && p[1] && !p[2])
9563 long long pkt_max = strtoll(p[1], &end, 10);
9564 if (*end !=
'\0' || pkt_max < 0)
9566 msg(msglevel,
"--reneg-pkts parameter must be an integer and >= 0");
9571 else if (
streq(p[0],
"reneg-sec") && p[1] && !p[3])
9580 else if (
streq(p[0],
"hand-window") && p[1] && !p[2])
9585 else if (
streq(p[0],
"tran-window") && p[1] && !p[2])
9590 else if (
streq(p[0],
"tls-auth") && p[1] && !p[3])
9592 int key_direction = -1;
9601 if (!is_inline && p[2])
9604 if (key_direction < 0)
9617 if (!is_inline && p[2])
9620 if (key_direction < 0)
9628 else if (
streq(p[0],
"tls-crypt") && p[1] && !p[3])
9642 else if (
streq(p[0],
"tls-crypt-v2") && p[1] && !p[3])
9656 if (p[2] &&
streq(p[2],
"force-cookie"))
9660 else if (p[2] &&
streq(p[2],
"allow-noncookie"))
9666 msg(msglevel,
"Unsupported tls-crypt-v2 argument: %s", p[2]);
9669 else if (
streq(p[0],
"tls-crypt-v2-verify") && p[1] && !p[2])
9674 else if (
streq(p[0],
"x509-track") && p[1] && !p[2])
9679#ifdef ENABLE_X509ALTUSERNAME
9680 else if (
streq(p[0],
"x509-username-field") && p[1])
9683 for (
size_t j = 1; j <
MAX_PARMS && p[j] != NULL; ++j)
9687 if (strncmp(
"ext:", s, 4) == 0 && !x509_username_field_ext_supported(s + 4))
9689 msg(msglevel,
"Unsupported x509-username-field extension: %s", s);
9691 options->x509_username_field[j - 1] = p[j];
9696 else if (
streq(p[0],
"show-pkcs11-ids") && !p[3])
9698 char *provider = p[1];
9699 bool cert_private = (p[2] == NULL ? false : (
atoi_warn(p[2], msglevel) != 0));
9701#ifdef DEFAULT_PKCS11_MODULE
9704 provider = DEFAULT_PKCS11_MODULE;
9709 long i = strtol(provider, &endp, 10);
9715 provider = DEFAULT_PKCS11_MODULE;
9722 msg(msglevel,
"--show-pkcs11-ids requires a provider parameter");
9729 show_pkcs11_ids(provider, cert_private);
9732 else if (
streq(p[0],
"pkcs11-providers") && p[1])
9738 for (j = 1; j <
MAX_PARMS && p[j] != NULL; ++j)
9740 options->pkcs11_providers[j - 1] = p[j];
9743 else if (
streq(p[0],
"pkcs11-protected-authentication"))
9749 for (j = 1; j <
MAX_PARMS && p[j] != NULL; ++j)
9751 options->pkcs11_protected_authentication[j - 1] =
9755 else if (
streq(p[0],
"pkcs11-private-mode") && p[1])
9761 for (j = 1; j <
MAX_PARMS && p[j] != NULL; ++j)
9763 sscanf(p[j],
"%x", &(
options->pkcs11_private_mode[j - 1]));
9766 else if (
streq(p[0],
"pkcs11-cert-private"))
9772 for (j = 1; j <
MAX_PARMS && p[j] != NULL; ++j)
9777 else if (
streq(p[0],
"pkcs11-pin-cache") && p[1] && !p[2])
9782 else if (
streq(p[0],
"pkcs11-id") && p[1] && !p[2])
9787 else if (
streq(p[0],
"pkcs11-id-management") && !p[1])
9790 options->pkcs11_id_management =
true;
9793 else if (
streq(p[0],
"rmtun") && !p[1])
9799 else if (
streq(p[0],
"mktun") && !p[1])
9805 else if (
streq(p[0],
"peer-id") && p[1] && !p[2])
9811 else if (
streq(p[0],
"keying-material-exporter") && p[1] && p[2])
9817 if (strncmp(p[1],
"EXPORTER", 8))
9819 msg(msglevel,
"Keying material exporter label must begin with "
9828 if (ekm_length < 16 || ekm_length > 4095)
9830 msg(msglevel,
"Invalid keying material exporter length");
9837 else if (
streq(p[0],
"allow-recursive-routing") && !p[1])
9842 else if (
streq(p[0],
"vlan-tagging") && !p[1])
9847 else if (
streq(p[0],
"vlan-accept") && p[1] && !p[2])
9850 if (
streq(p[1],
"tagged"))
9854 else if (
streq(p[1],
"untagged"))
9858 else if (
streq(p[1],
"all"))
9864 msg(msglevel,
"--vlan-accept must be 'tagged', 'untagged' or 'all'");
9868 else if (
streq(p[0],
"vlan-pvid") && p[1] && !p[2])
9875 msg(msglevel,
"the parameter of --vlan-pvid parameters must be >= %u and <= %u",
9883 int msglevel_unknown = msglevel_fc;
9890 msglevel_unknown =
M_WARN;
9896 msg(msglevel_unknown,
9897 "Unrecognized option or missing or extra parameter(s) in %s:%d: %s (%s)", file,
9898 line, p[0], PACKAGE_VERSION);
9902 msg(msglevel_unknown,
"Unrecognized option or missing or extra parameter(s): --%s (%s)",
9903 p[0], PACKAGE_VERSION);
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
void free_buf(struct buffer *buf)
void buf_clear(struct buffer *buf)
bool buf_printf(struct buffer *buf, const char *format,...)
void gc_transfer(struct gc_arena *dest, struct gc_arena *src)
void * gc_realloc(void *ptr, size_t size, struct gc_arena *a)
allows to realloc a pointer previously allocated by gc_malloc or gc_realloc
char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
struct buffer alloc_buf(size_t size)
int string_array_len(const char **array)
struct buffer buffer_read_from_file(const char *filename, struct gc_arena *gc)
buffer_read_from_file - copy the content of a file into a buffer
bool buf_parse(struct buffer *buf, const int delim, char *line, const int size)
char * string_alloc(const char *str, struct gc_arena *gc)
struct buffer string_alloc_buf(const char *str, struct gc_arena *gc)
static void gc_detach(struct gc_arena *a)
static bool buf_copy(struct buffer *dest, const struct buffer *src)
#define ALLOC_ARRAY_GC(dptr, type, n, gc)
static bool buf_valid(const struct buffer *buf)
static void gc_init(struct gc_arena *a)
static bool buf_safe(const struct buffer *buf, size_t len)
static void buf_set_read(struct buffer *buf, const uint8_t *data, size_t size)
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
#define ALLOC_OBJ_GC(dptr, type, gc)
static void strncpynt(char *dest, const char *src, size_t maxlen)
static void gc_free(struct gc_arena *a)
static bool strprefix(const char *str, const char *prefix)
Return true iff str starts with prefix.
static struct gc_arena gc_new(void)
void print_client_nat_list(const struct client_nat_option_list *list, int msglevel)
void add_client_nat_to_option_list(struct client_nat_option_list *dest, const char *type, const char *network, const char *netmask, const char *foreign_network, int msglevel)
struct client_nat_option_list * new_client_nat_list(struct gc_arena *gc)
struct client_nat_option_list * clone_client_nat_option_list(const struct client_nat_option_list *src, struct gc_arena *gc)
void copy_client_nat_option_list(struct client_nat_option_list *dest, const struct client_nat_option_list *src)
#define TLS_CHANNEL_BUF_SIZE
#define TLS_CHANNEL_MTU_MIN
bool check_compression_settings_valid(struct compress_options *info, int msglevel)
Checks if the compression settings are valid.
#define COMP_F_ALLOW_STUB_ONLY
Only accept stub compression, even with COMP_F_ADVERTISE_STUBS_ONLY we still accept other compression...
#define COMP_F_SWAP
initial command byte is swapped with last byte in buffer to preserve payload alignment
#define COMP_ALG_LZ4
LZ4 algorithm.
#define COMP_F_ALLOW_NOCOMP_ONLY
Do not allow compression framing (breaks DCO)
#define COMP_F_ALLOW_ASYM
Compression was explicitly set to allow asymetric compression.
#define COMP_ALGV2_UNCOMPRESSED
#define COMP_ALG_STUB
support compression command byte and framing without actual compression
#define COMP_ALG_LZO
LZO algorithm.
#define COMP_F_ADVERTISE_STUBS_ONLY
tell server that we only support compression stubs
#define COMP_F_MIGRATE
push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ
static bool comp_non_stub_enabled(const struct compress_options *info)
int daemon(int nochdir, int noclose)
char * dirname(char *path)
char * strsep(char **stringp, const char *delim)
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
int ascii2keydirection(int msglevel, const char *str)
const char * keydirection2ascii(int kd, bool remote, bool humanreadable)
bool check_tls_prf_working(void)
Checks if the current TLS library supports the TLS 1.0 PRF with MD5+SHA1 that OpenVPN uses when TLS K...
void test_crypto(struct crypto_options *co, struct frame *frame)
Data Channel Cryptography Module.
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
#define KEY_DIRECTION_BIDIRECTIONAL
#define CO_USE_CC_EXIT_NOTIFY
Bit-flag indicating that explicit exit notifies should be sent via the control channel instead of usi...
static bool cipher_defined(const char *ciphername)
Checks if the cipher is defined and is not the null (none) cipher.
const char * md_kt_name(const char *mdname)
Retrieve a string describing the digest digest (e.g.
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
int cipher_kt_key_size(const char *ciphername)
Returns the size of keys used by the cipher, in bytes.
#define SHA_DIGEST_LENGTH
#define SHA256_DIGEST_LENGTH
static bool dco_check_startup_option(int msglevel, const struct options *o)
static bool dco_check_option(int msglevel, const struct options *o)
static const char * dco_version_string(struct gc_arena *gc)
bool dns_options_verify(int msglevel, const struct dns_options *o)
Checks validity of DNS options.
void dns_domain_list_append(struct dns_domain **entry, char **domains, struct gc_arena *gc)
Appends DNS domain parameters to a linked list.
void dns_options_postprocess_pull(struct dns_options *o)
Merges pulled DNS servers with static ones into an ordered list.
bool dns_server_addr_parse(struct dns_server *server, const char *addr)
Parses a string IPv4 or IPv6 address and optional colon separated port, into a in_addr or in6_addr re...
struct dns_server * dns_server_get(struct dns_server **entry, long priority, struct gc_arena *gc)
Find or create DNS server with priority in a linked list.
bool dns_server_priority_parse(long *priority, const char *str, bool pulled)
Parses a string DNS server priority and validates it.
struct dns_options clone_dns_options(const struct dns_options *o, struct gc_arena *gc)
Makes a deep copy of the passed DNS options.
void show_dns_options(const struct dns_options *o)
Prints configured DNS options.
void dns_options_preprocess_pull(struct dns_options *o)
Saves and resets the server options, so that pulled ones don't mix in.
static bool dns_updown_user_set(const struct dns_options *o)
Returns whether dns-updown is user defined.
static bool dns_updown_forced(const struct dns_options *o)
Returns whether dns-updown is forced to run.
void setenv_int(struct env_set *es, const char *name, int value)
void setenv_str_i(struct env_set *es, const char *name, const char *value, const int i)
void setenv_str(struct env_set *es, const char *name, const char *value)
const char * env_set_get(const struct env_set *es, const char *name)
void setenv_str_safe(struct env_set *es, const char *name, const char *value)
bool env_set_del(struct env_set *es, const char *str)
void setenv_long_long(struct env_set *es, const char *name, long long value)
Interface functions to the internal and external multiplexers.
void helper_setdefault_topology(struct options *o)
Set –topology default depending on –mode.
void helper_tcp_nodelay(struct options *o)
void helper_client_server(struct options *o)
void helper_keepalive(struct options *o)
static int max_int(int x, int y)
static int constrain_int(int x, int min, int max)
static SERVICE_STATUS status
static int tls_verify(struct openvpn_plugin_args_func_in const *args)
void management_auth_token(struct management *man, const char *token)
void management_echo(struct management *man, const char *string, const bool pull)
#define MF_FORGET_DISCONNECT
#define MF_EXTERNAL_KEY_PKCS1PAD
#define MF_EXTERNAL_KEY_PSSPAD
#define MF_EXTERNAL_KEY_NOPADDING
#define MF_QUERY_PASSWORDS
#define MF_EXTERNAL_KEY_DIGEST
#define MF_CONNECT_AS_CLIENT
struct buffer prepend_dir(const char *dir, const char *path, struct gc_arena *gc)
Prepend a directory to a path.
const char * safe_print(const char *str, struct gc_arena *gc)
int translate_mtu_discover_type_name(const char *name)
size_t calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
Calculate the link-mtu to advertise to our peer.
#define TAP_MTU_EXTRA_DEFAULT
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
static int net_ctx_init(struct context *c, openvpn_net_ctx_t *ctx)
void errors_to_stderr(void)
void open_syslog(const char *pgmname, bool stdio_to_null)
void redirect_stdout_stderr(const char *file, bool append)
FILE * msg_fp(const unsigned int flags)
void openvpn_exit(const int status)
static bool machine_readable_output
void set_suppress_timestamps(bool suppressed)
void set_machine_readable_output(bool parsable)
bool set_debug_level(const int level, const unsigned int flags)
static bool suppress_timestamps
#define OPENVPN_EXIT_STATUS_USAGE
#define OPENVPN_EXIT_STATUS_GOOD
bool options_cmp_equal(char *actual, const char *expected)
static void options_warning_safe_ml(const int msglevel, char *actual, const char *expected, size_t actual_n)
#define RESET_OPTION_ROUTES(option_ptr, field)
static void rol6_check_alloc(struct options *options)
#define CHKACC_PRIVATE
Warn if this (private) file is group/others accessible.
static bool check_file_access_chroot_inline(bool is_inline, const char *chroot, const int type, const char *file, const int mode, const char *opt)
A wrapper for check_file_access_chroot() that returns false immediately if the file is inline (and th...
static bool check_file_access_chroot(const char *chroot, const int type, const char *file, const int mode, const char *opt)
static void options_warning_safe_scan2(const int msglevel, const int delim, const bool report_inconsistent, const char *p1, const struct buffer *b2_src, const char *b1_name, const char *b2_name)
static void options_postprocess_verify_ce(const struct options *options, const struct connection_entry *ce)
static int msglevel_forward_compatible(struct options *options, const int msglevel)
static struct local_entry * alloc_local_entry(struct connection_entry *ce, const int msglevel, struct gc_arena *gc)
static void options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce)
static void update_option(struct context *c, struct options *options, char *p[], bool is_inline, const char *file, int line, const int level, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es, unsigned int *update_options_found)
Processes an option to update.
static void usage_version(void)
static bool check_route_option(struct options *options, char *p[], const int msglevel, bool pull_mode)
static bool in_src_get(const struct in_src *is, char *line, const int size)
static struct pull_filter * alloc_pull_filter(struct options *o)
void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
#define USAGE_VALID_SERVER_PROTOS
#define CHKACC_DIRPATH
Check for directory presence where a file should reside.
static void pre_connect_save(struct options *o)
#define CHKACC_ACPTSTDIN
If filename is stdin, it's allowed and "exists".
static void setenv_connection_entry(struct env_set *es, const struct connection_entry *e, const int i)
static int check_inline_file_via_buf(struct buffer *multiline, char *p[], struct gc_arena *gc)
static int global_auth_retry
bool options_postprocess_pull(struct options *o, struct env_set *es)
void uninit_options(struct options *o)
static void connection_entry_load_re(struct connection_entry *ce, const struct remote_entry *re)
static int check_inline_file(struct in_src *is, char *p[], struct gc_arena *gc)
static bool verify_permission(const char *name, const char *file, int line, const unsigned int type, const unsigned int allowed, unsigned int *found, const int msglevel, struct options *options, bool is_inline)
static void read_config_file(struct options *options, const char *file, int level, const char *top_file, const int top_line, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
void show_windows_version(const unsigned int flags)
#define VERIFY_PERMISSION(mask)
static const char * options_warning_extract_parm1(const char *option_string, struct gc_arena *gc_ret)
bool key_is_external(const struct options *options)
static bool no_more_than_n_args(const int msglevel, char *p[], const int max, const unsigned int flags)
static void check_ca_required(const struct options *options)
bool auth_retry_set(const int msglevel, const char *option)
static struct http_proxy_options * parse_http_proxy_override(const char *server, const char *port, const char *flags, struct gc_arena *gc)
static void read_config_string(const char *prefix, struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
static bool space(char c)
static void bypass_doubledash(char **p)
#define CHKACC_FILEXSTWR
If file exists, is it writable?
static bool check_dns_option(struct options *options, char *p[], const int msglevel, bool pull_mode)
static void tuntap_options_postprocess_dns(struct options *o)
Postprocess DNS related settings.
static char * get_ipv6_addr_no_netbits(const char *addr, struct gc_arena *gc)
Returns newly allocated string containing address part without "/nn".
void show_dco_version(const unsigned int flags)
void rol_check_alloc(struct options *options)
static struct local_list * alloc_local_list_if_undef(struct connection_entry *ce, struct gc_arena *gc)
#define SHOW_UNSIGNED(var)
void show_settings(const struct options *o)
static void set_user_script(struct options *options, const char **script, const char *new_script, const char *type, bool in_chroot)
static in_addr_t get_ip_addr(const char *ip_string, int msglevel, bool *error)
static void show_dhcp_option_list(const char *name, const char *const *array, int len)
static bool check_route6_option(struct options *options, char *p[], const int msglevel, bool pull_mode)
static void show_connection_entries(const struct options *o)
static void options_postprocess_mutate_le(struct connection_entry *ce, struct local_entry *le, int mode)
static void option_iroute_ipv6(struct options *o, const char *prefix_str, int msglevel)
bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
void parse_argv(struct options *options, const int argc, char *argv[], const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
bool string_defined_equal(const char *s1, const char *s2)
static bool check_file_access_inline(bool is_inline, const int type, const char *file, const int mode, const char *opt)
A wrapper for check_file_access() that returns false immediately if the file is inline (and therefore...
static void remove_option(struct context *c, struct options *options, char *p[], bool is_inline, const char *file, int line, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Resets options found in the PUSH_UPDATE message that are preceded by the - flag.
void options_postprocess(struct options *options, struct env_set *es)
int parse_topology(const char *str, const int msglevel)
static void show_dhcp_option_addrs(const char *name, const in_addr_t *array, int len)
const char * auth_retry_print(void)
static void show_http_proxy_options(const struct http_proxy_options *o)
static void options_postprocess_filechecks(struct options *options)
static void show_connection_entry(const struct connection_entry *o)
void options_warning_safe(char *actual, const char *expected, size_t actual_n)
void show_library_versions(const unsigned int flags)
void setenv_settings(struct env_set *es, const struct options *o)
#define CHKACC_ACCEPT_URI
Do not check URIs, unless they start with file:
static const char usage_message[]
static char * string_substitute(const char *src, int from, int to, struct gc_arena *gc)
static struct verify_hash_list * parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
Parses a hexstring and checks if the string has the correct length.
static struct connection_list * alloc_connection_list_if_undef(struct options *options)
static bool check_cmd_access(const char *command, const char *opt, const char *chroot)
static void options_warning_safe_scan1(const int msglevel, const int delim, const bool report_inconsistent, const struct buffer *b1_src, const struct buffer *b2_src, const char *b1_name, const char *b2_name)
static struct connection_entry * alloc_connection_entry(struct options *options, const int msglevel)
static void dhcp_option_dns6_parse(const char *parm, struct in6_addr *dns6_list, int *len, int msglevel)
bool apply_push_options(struct context *c, struct options *options, struct buffer *buf, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es, bool is_update)
static bool check_file_access(const int type, const char *file, const int mode, const char *opt)
static void show_p2mp_parms(const struct options *o)
static const char * pull_filter_type_name(int type)
static void cnol_check_alloc(struct options *options)
int parse_line(const char *line, char *p[], const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc)
static int check_inline_file_via_fp(FILE *fp, char *p[], struct gc_arena *gc)
static struct remote_entry * alloc_remote_entry(struct options *options, const int msglevel)
static void options_postprocess_mutate(struct options *o, struct env_set *es)
void options_detach(struct options *o)
static unsigned int atou(const char *str)
void pre_connect_restore(struct options *o, struct gc_arena *gc)
static void dhcp_option_address_parse(const char *name, const char *parm, in_addr_t *array, int *len, int msglevel)
static struct pull_filter_list * alloc_pull_filter_list(struct options *o)
const char * print_topology(const int topology)
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
char * options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
Given an OpenVPN options string, extract the value of an option.
#define SHOW_STR_INLINE(var)
static void options_postprocess_cipher(struct options *o)
static void options_set_backwards_compatible_options(struct options *o)
Changes default values so that OpenVPN can be compatible with the user specified version.
static void show_tuntap_options(const struct tuntap_options *o)
void init_options(struct options *o, const bool init_gc)
#define MUST_BE_FALSE(condition, parm_name)
#define MUST_BE_UNDEF(parm, parm_name)
static const char * print_vlan_accept(enum vlan_acceptable_frames mode)
#define SHOW_PARM(name, value, format)
static void options_postprocess_http_proxy_override(struct options *o)
void options_warning(char *actual, const char *expected)
static void show_pull_filter_list(const struct pull_filter_list *l)
#define CHKACC_FILE
Check for a file/directory presence.
const char * options_string_version(const char *s, struct gc_arena *gc)
static void options_postprocess_mutate_invariant(struct options *options)
static bool ipv6_addr_safe_hexplusbits(const char *ipv6_prefix_spec)
const char title_string[]
static void setenv_local_entry(struct env_set *es, const struct local_entry *e, const int i)
static void remap_redirect_gateway_flags(struct options *opt)
static void add_option(struct options *options, char *p[], bool is_inline, const char *file, int line, const int level, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
static struct verify_hash_list * parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
Parses a string consisting of multiple lines of hexstrings and checks if each string has the correct ...
static struct remote_list * alloc_remote_list_if_undef(struct options *options)
void notnull(const char *arg, const char *description)
static void show_compression_warning(struct compress_options *info)
static void options_process_mutate_prf(struct options *o)
bool has_udp_in_local_list(const struct options *options)
static void option_iroute(struct options *o, const char *network_str, const char *netmask_str, int msglevel)
char * options_string(const struct options *o, const struct frame *frame, struct tuntap *tt, openvpn_net_ctx_t *ctx, bool remote, struct gc_arena *gc)
static char * read_inline_file(struct in_src *is, const char *close_tag, int *num_lines, struct gc_arena *gc)
static void options_postprocess_verify(const struct options *o)
static void connection_entry_preload_key(const char **key_file, bool *key_inline, struct gc_arena *gc)
static bool need_compatibility_before(const struct options *o, unsigned int version)
The option –compat-mode is used to set up default settings to values used on the specified openvpn ve...
#define MODE_POINT_TO_POINT
#define PUF_TYPE_ACCEPT
filter type to accept a matching option
#define SF_TCP_NODELAY_HELPER
#define OPT_P_INSTANCE
allowed in ccd, client-connect etc
#define OPT_P_NCP
Negotiable crypto parameters.
#define OPT_P_ROUTE_TABLE
#define CONNECTION_LIST_SIZE
#define OPT_P_U_REDIR_GATEWAY
#define OPT_P_EXPLICIT_NOTIFY
#define PUF_TYPE_IGNORE
filter type to ignore a matching option
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
#define PUF_TYPE_REJECT
filter type to reject and trigger SIGUSR1
@ GENKEY_TLS_CRYPTV2_SERVER
@ GENKEY_TLS_CRYPTV2_CLIENT
#define SF_NO_PUSH_ROUTE_GATEWAY
#define PULL_DEFINED(opt)
#define PLUGIN_OPTION_LIST(opt)
#define ROUTE_OPTION_FLAGS(o)
#define OPT_P_ROUTE_EXTRAS
#define MAN_CLIENT_AUTH_ENABLED(opt)
@ VLAN_ONLY_UNTAGGED_OR_PRIORITY
bool check_push_update_option_flags(char *line, int *i, unsigned int *flags)
Checks the formatting and validity of options inside push-update messages.
bool atoi_constrained(const char *str, int *value, const char *name, int min, int max, int msglevel)
Converts a str to an integer if the string can be represented as an integer number and is between min...
int positive_atoi(const char *str, int msglevel)
Converts a str to a positive number if the string represents a postive integer number.
int atoi_warn(const char *str, int msglevel)
Converts a str to an integer if the string can be represented as an integer number.
bool apply_pull_filter(const struct options *o, char *line)
Filter an option line by all pull filters.
bool valid_integer(const char *str, bool positive)
Checks if the string is a valid integer by checking if it can be converted to an integer.
#define MAX_SEQ_BACKTRACK
#define MIN_SEQ_BACKTRACK
#define DEFAULT_SEQ_BACKTRACK
#define MAX_TIME_BACKTRACK
#define DEFAULT_TIME_BACKTRACK
#define MIN_TIME_BACKTRACK
struct plugin_option_list * plugin_option_list_new(struct gc_arena *gc)
bool plugin_option_list_add(struct plugin_option_list *list, char **p, struct gc_arena *gc)
void plugin_option_list_print(const struct plugin_option_list *list, int msglevel)
bool ifconfig_pool_verify_range(const int msglevel, const in_addr_t start, const in_addr_t end)
#define OPENVPN_8021Q_MIN_VID
#define OPENVPN_8021Q_MAX_VID
struct http_proxy_options * init_http_proxy_options_once(struct http_proxy_options **hpo, struct gc_arena *gc)
#define MAX_CUSTOM_HTTP_HEADER
void push_reset(struct options *o)
void clone_push_list(struct options *o)
void push_remove_option(struct options *o, const char *p)
void push_options(struct options *o, char **p, int msglevel, struct gc_arena *gc)
#define PUSH_OPT_TO_REMOVE
#define PUSH_OPT_OPTIONAL
bool is_special_addr(const char *addr_str)
struct route_option_list * clone_route_option_list(const struct route_option_list *src, struct gc_arena *a)
int netmask_to_netbits2(in_addr_t netmask)
struct route_ipv6_option_list * new_route_ipv6_option_list(struct gc_arena *a)
void delete_routes_v6(struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
void show_routes(int msglev)
void print_route_options(const struct route_option_list *rol, int level)
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric, int table_id)
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a)
void copy_route_ipv6_option_list(struct route_ipv6_option_list *dest, const struct route_ipv6_option_list *src, struct gc_arena *a)
void get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
Retrieves the best gateway for a given destination based on the routing table.
struct route_ipv6_option_list * clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a)
struct route_option_list * new_route_option_list(struct gc_arena *a)
void delete_routes_v4(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
void add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask, const char *gateway, const char *metric, int table_id)
#define ROUTE_METHOD_SERVICE
#define ROUTE_METHOD_IPAPI
#define ROUTE_METHOD_ADAPTIVE
void script_security_set(int level)
#define SSEC_PW_ENV
allow calling of built-in programs and user-defined scripts that may receive a password as an environ...
#define SSEC_NONE
strictly no calling of external programs
bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, int msglevel)
Translate an IPv6 addr or hostname from string form to in6_addr.
static void bind_local(struct link_socket *sock, const sa_family_t ai_family)
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
#define RESOLV_RETRY_INFINITE
#define SF_USE_IP_PKTINFO
#define SF_HOST_RANDOMIZE
const char * proto2ascii(int proto, sa_family_t af, bool display_form)
bool mac_addr_safe(const char *mac_addr)
const char * proto2ascii_all(struct gc_arena *gc)
sa_family_t ascii2af(const char *proto_name)
const char * proto_remote(int proto, bool remote)
bool ipv6_addr_safe(const char *ipv6_text_addr)
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
bool ip_or_dns_addr_safe(const char *addr, const bool allow_fqdn)
int ascii2proto(const char *proto_name)
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
bool ip_addr_dotted_quad_safe(const char *dotted_quad)
static bool proto_is_net(int proto)
static bool proto_is_udp(int proto)
Returns if the protocol being used is UDP.
#define GETADDR_HOST_ORDER
static bool proto_is_dgram(int proto)
Return if the protocol is datagram (UDP)
void ssl_set_auth_token_user(const char *username)
void ssl_set_auth_nocache(void)
int tls_version_parse(const char *vstr, const char *extra)
void ssl_set_auth_token(const char *token)
bool ssl_get_auth_nocache(void)
static bool push_peer_info(struct buffer *buf, struct tls_session *session)
Prepares the IV_ and UV_ variables that are part of the exchange to signal the peer's capabilities.
Control Channel SSL/Data channel negotiation module.
#define X509_USERNAME_FIELD_DEFAULT
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
#define TLS_VER_BAD
Parse a TLS version specifier.
#define EXPORT_KEY_DATA_LABEL
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation.
#define SSLF_TLS_VERSION_MAX_SHIFT
#define SSLF_CLIENT_CERT_OPTIONAL
#define SSLF_AUTH_USER_PASS_OPTIONAL
#define SSLF_CLIENT_CERT_NOT_REQUIRED
#define SSLF_CRL_VERIFY_DIR
#define SSLF_TLS_DEBUG_ENABLED
#define SSLF_TLS_VERSION_MAX_MASK
#define SSLF_TLS_VERSION_MIN_SHIFT
#define SSLF_TLS_VERSION_MIN_MASK
#define SSLF_USERNAME_AS_COMMON_NAME
void options_postprocess_setdefault_ncpciphers(struct options *o)
Checks for availibility of Chacha20-Poly1305 and sets the ncp_cipher to either AES-256-GCM:AES-128-GC...
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
void append_cipher_to_ncp_list(struct options *o, const char *ciphername)
Appends the cipher specified by the ciphernamer parameter to to the o->ncp_ciphers list.
char * mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
Check whether the ciphers in the supplied list are supported.
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
Control Channel Verification Module.
#define OPENVPN_KU_REQUIRED
Require keyUsage to be present in cert (0xFFFF is an invalid KU value)
#define VERIFY_X509_SUBJECT_DN
#define VERIFY_X509_SUBJECT_RDN
#define NS_CERT_CHECK_CLIENT
Do not perform Netscape certificate type verification.
#define VERIFY_X509_SUBJECT_RDN_PREFIX
#define NS_CERT_CHECK_SERVER
Do not perform Netscape certificate type verification.
void x509_track_add(const struct x509_track **ll_head, const char *name, int msglevel, struct gc_arena *gc)
Wrapper structure for dynamically allocated memory.
int capacity
Size in bytes of memory allocated by malloc().
uint8_t * data
Pointer to the allocated memory.
int len
Length in bytes of the actual content within the allocated memory.
struct local_list * local_list
int connect_retry_seconds
bool tls_crypt_v2_force_cookie
int connect_retry_seconds_max
const char * tls_crypt_file
const char * tls_crypt_v2_file
bool tun_mtu_extra_defined
const char * socks_proxy_port
struct http_proxy_options * http_proxy_options
bool tls_crypt_file_inline
bool tls_auth_file_inline
int explicit_exit_notification
const char * socks_proxy_authfile
const char * socks_proxy_server
const char * tls_auth_file
bool tls_crypt_v2_file_inline
struct connection_entry ** array
struct route_list * route_list
List of routing information.
struct route_ipv6_list * route_ipv6_list
struct tuntap * tuntap
Tun/tap virtual network interface.
Contains all state information for one tunnel.
openvpn_net_ctx_t net_ctx
Networking API opaque context.
struct options options
Options loaded from command line or configuration file.
struct context_1 c1
Level 1 context.
in_addr_t dns[N_DHCP_ADDR]
struct dns_server * servers
struct dhcp_options from_dhcp
enum dns_updown_flags updown_flags
struct dns_domain * search_domains
union dns_server_addr::@0 in
struct dns_server_addr addr[8]
struct dns_domain * domains
enum dns_server_transport transport
Structure for reassembling one incoming fragmented packet.
Packet geometry parameters.
int tun_mtu
the (user) configured tun-mtu.
Garbage collection arena used to keep track of dynamically allocated memory.
const char * http_version
const char * auth_method_string
struct http_custom_header custom_headers[MAX_CUSTOM_HTTP_HEADER]
const char * auth_file_up
struct buffer * multiline
struct iroute_ipv6 * next
const char * cipher
const name of the cipher
const char * digest
Message digest static parameters.
struct local_entry ** array
struct tuntap_options tuntap_options
int ping_rec_timeout_action
bool tuntap_options_defined
struct route_option_list * routes
struct compress_options comp
struct dns_options dns_options
const char * route_default_gateway
struct route_ipv6_option_list * routes_ipv6
struct client_nat_option_list * client_nat
const char * route_ipv6_default_gateway
int resolve_retry_seconds
const char * genkey_extra_data
struct compress_options comp
struct http_proxy_options * http_proxy_override
int push_ifconfig_ipv6_netbits
struct connection_list * connection_list
const char * management_port
bool tls_crypt_file_inline
const char * ifconfig_ipv6_remote
int max_routes_per_client
const char * ncp_ciphers_conf
The original ncp_ciphers specified by the user in the configuration.
enum vlan_acceptable_frames vlan_accept
in_addr_t push_ifconfig_constraint_network
struct options_pre_connect * pre_connect
int renegotiate_seconds_min
const char * auth_token_secret_file
unsigned int imported_protocol_flags
const char * tls_export_peer_cert_dir
const char * cryptoapi_cert
unsigned int backwards_compatible
What version we should try to be compatible with as major * 10000 + minor * 100 + patch,...
hash_algo_type verify_hash_algo
int scheduled_exit_interval
int stale_routes_ageing_time
unsigned int push_option_types_found
int management_state_buffer_size
const char * tls_auth_file
struct provider_list providers
struct in6_addr server_network_ipv6
int management_echo_buffer_size
unsigned remote_cert_ku[MAX_PARMS]
bool server_bridge_defined
const char * keying_material_exporter_label
const char * remote_cert_eku
in_addr_t ifconfig_pool_netmask
bool server_bridge_proxy_dhcp
bool allow_recursive_routing
const char * exit_event_name
const char * ifconfig_ipv6_local
bool auth_user_pass_verify_script_via_file
int ifconfig_pool_persist_refresh_freq
bool push_ifconfig_defined
bool ifconfig_pool_defined
const char * packet_id_file
const char * tls_crypt_v2_file
int management_log_history_cache
in_addr_t server_bridge_netmask
const char * ip_remote_hint
struct route_option_list * routes
in_addr_t ifconfig_pool_end
int64_t inactivity_minimum_bytes
bool ifconfig_ipv6_pool_defined
unsigned int server_flags
bool push_ifconfig_ipv6_blocked
const char * client_disconnect_script
struct remote_list * remote_list
const char * key_pass_file
bool mute_replay_warnings
const char * tls_crypt_file
const char * ifconfig_local
struct connection_entry ce
struct iroute_ipv6 * iroutes_ipv6
struct push_list push_list
struct tuntap_options tuntap_options
struct verify_hash_list * verify_hash
const char * tls_cert_profile
int64_t renegotiate_packets
unsigned int management_flags
const char * route_default_gateway
in_addr_t push_ifconfig_local_alias
struct dns_options dns_options
bool exit_event_initial_state
struct static_challenge_info sc_info
bool auth_token_call_auth
const char * learn_address_script
const char * auth_user_pass_file
int stale_routes_check_interval
struct plugin_option_list * plugin_list
const char * tls_crypt_v2_verify_script
const char * auth_user_pass_verify_script
const char * extra_certs_file
int ifconfig_ipv6_pool_netbits
in_addr_t push_ifconfig_constraint_netmask
const char * route_ipv6_default_gateway
bool priv_key_file_inline
int ping_rec_timeout_action
bool auth_user_pass_file_inline
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
const char * route_predown_script
in_addr_t push_ifconfig_local
const char ** ignore_unknown_option
int route_default_table_id
bool auth_token_secret_file_inline
bool extra_certs_file_inline
bool push_ifconfig_constraint_defined
int keying_material_exporter_length
bool force_key_material_export
const char * cipher_list_tls13
int status_file_update_freq
const char * management_client_user
bool allow_deprecated_insecure_static_crypto
struct pull_filter_list * pull_filter_list
const char * management_certificate
const char * genkey_filename
const struct x509_track * x509_track
bool shared_secret_file_inline
struct in6_addr push_ifconfig_ipv6_remote
const char * management_addr
const char * client_connect_script
const char * verify_x509_name
bool route_gateway_via_dhcp
bool push_ifconfig_ipv6_defined
const char * override_username
const char * client_crresponse_script
struct route_ipv6_option_list * routes_ipv6
bool machine_readable_output
const char * priv_key_file
bool tls_auth_file_inline
bool tls_crypt_v2_file_inline
in_addr_t server_bridge_pool_start
struct client_nat_option_list * client_nat
struct in6_addr push_ifconfig_ipv6_local
const char * ifconfig_remote_netmask
in_addr_t server_bridge_pool_end
enum tun_driver_type windows_driver
int64_t renegotiate_bytes
const char * route_script
in_addr_t ifconfig_pool_start
const char * management_user_pass
unsigned int server_netbits_ipv6
in_addr_t push_ifconfig_remote_netmask
in_addr_t server_bridge_ip
const char * shared_secret_file
const char * management_client_group
struct in6_addr ifconfig_ipv6_pool_base
const char * client_config_dir
enum genkey_type genkey_type
const char * ifconfig_pool_persist_filename
int ifconfig_ipv6_netbits
const char * names[MAX_PARMS]
struct pull_filter * tail
struct pull_filter * head
struct pull_filter * next
struct remote_entry ** array
const char * challenge_text
struct in6_addr dns6[N_DHCP_ADDR]
in_addr_t nbdd[N_DHCP_ADDR]
in_addr_t ntp[N_DHCP_ADDR]
in_addr_t wins[N_DHCP_ADDR]
in_addr_t dns[N_DHCP_ADDR]
const char * netbios_scope
bool dhcp_masq_custom_offset
int domain_search_list_len
const char * domain_search_list[N_SEARCH_LIST_LEN]
struct verify_hash_list * next
uint8_t hash[SHA256_DIGEST_LENGTH]
unsigned short sa_family_t
static bool pkcs11_id_management
void ipconfig_register_dns(const struct env_set *es)
int dev_type_enum(const char *dev, const char *dev_type)
bool dhcp_renew_by_adapter_index(const DWORD adapter_index)
int ascii2ipset(const char *name)
struct tuntap * init_tun(const char *dev, const char *dev_type, int topology, const char *ifconfig_local_parm, const char *ifconfig_remote_netmask_parm, const char *ifconfig_ipv6_local_parm, int ifconfig_ipv6_netbits_parm, const char *ifconfig_ipv6_remote_parm, struct addrinfo *local_public, struct addrinfo *remote_public, const bool strict_warn, struct env_set *es, openvpn_net_ctx_t *ctx, struct tuntap *tt)
void show_tap_win_adapters(int msglev, int warnlev)
void show_adapters(int msglev)
bool dhcp_release_by_adapter_index(const DWORD adapter_index)
const char * dev_type_string(const char *dev, const char *dev_type)
void tap_allow_nonadmin_access(const char *dev_node)
static bool dhcp_renew(const struct tuntap *tt)
const char * ifconfig_options_string(const struct tuntap *tt, bool remote, bool disable, struct gc_arena *gc)
const char * ipset2ascii_all(struct gc_arena *gc)
void show_valid_win32_tun_subnets(void)
const char * print_tun_backend_driver(enum tun_driver_type driver)
Return a string representation of the tun backed driver type.
#define IPW32_SET_ADAPTIVE
#define DHCP_OPTIONS_DHCP_REQUIRED
#define N_SEARCH_LIST_LEN
#define IPW32_SET_DHCP_MASQ
@ WINDOWS_DRIVER_UNSPECIFIED
@ WINDOWS_DRIVER_TAP_WINDOWS6
#define IPW32_SET_ADAPTIVE_DELAY_WINDOW
#define DHCP_OPTIONS_DHCP_OPTIONAL
static bool is_tun_afunix(const char *devnode)
Checks whether a –dev-node parameter specifies a AF_UNIX device.
const char * win_get_tempdir(void)
void set_win_sys_path(const char *newpath, struct env_set *es)
const char * win32_version_string(struct gc_arena *gc)
Get Windows version string with architecture info.
void set_pause_exit_win32(void)