- Only "hot" user input -- i.e, freshly typed password starting
from an empty string, with keyboard focus still in the edit
box -- can be revealed.
In particular, prefilled passwod (from cached value) cannot be
revealed.
- Once keyboard focus moves out of the password edit box, the inpit has
to be deleted for the reveal feature to get re-enabled.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- COM interfaces for ICredentialProvider and
IConnectableCredentialProviderCredential combined
with a trimmed down user-interface implemented as
libopenvpn_plap.dll
- Connections autostarted by OpenVPNService are enumerated
as possible PLAP connections. The user is expected to leave
these in management hold so that "connect" will popup any
required user dialogs.
To use:
- Register the dll as a PLAP provider (see included .reg files)
- The enumerated connections will show up as tiles in the PLAP
screen of the login desktop (secure desktop).
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- This will be used for reading the management i/f
parameters for externally started (persistent) openpvn.exe
TODO: replace the parsing of config file in passphrase.c
using this.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Add support for selecting pkcs11-id from the GUI.
Requires --management-pkcs11-id in the config file.
This option is not added by the GUI.
A list of all available pkcs11 certificates are presented to the
user with buttons OK, Cancel, Retry. OK submits the selected
entry, Cancel closes the connection, Retry reconstructs the
list of certificates by querying the daemon again. The latter
can be used to retry after inserting a token.
If no certificates are found, a message suggesting to insert
a token and press 'Retry' is displayed.
The list shows the "Issued-to", "Issued-by" names
(usually the subject & issuer common names) and valid-until
date in current locale for each certificate.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
This adds optional support for using OpenVPN3 client
as an alternative to openvpn2.
Just replacing one client with another will not work:
- OpenVPN3 doesn't use interactive service, it uses
"agent" service with completely different protocol. OpenVPN GUI
needs to talk to agent using HTTP and JSON.
- OpenVPN3 management interface realtime notifications must be
explicitly turned on in order for GUI to work.
To enable using openvpn3:
- use any of *-ovpn3 presets (cmake build system)
- ./configure --enable-ovpn3 (mingw)
To switch betweet openvpn2 and openvpn3, see "OpenVPN Engine"
radiobutton group in Settings -> Advanced dialog.
OnReady() implementation was slighly changed - "log all on"
replaced with "log on all" - according to management interface
documentation this is the right way to do it, and also OpenVPN3
only supports "on all" order.
Management interface - enabled OpenVPN3 client (omiclient.exe) and
agent (ovpnagent.exe) are now part of openvpn3 repo.
Co-authored-by: Christopher Ng <facboy@gmail.com>
Signed-off-by: Christopher Ng <facboy@gmail.com>
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Use WinInet to download profile into memory buffer.
If there are certain certificate errors (invalid CN,
wrong date, unknown CA, revocation check failed),
ask if user wants to continue.
Extract profile name from content, sanitize name and
save profile in temp directory. Then import profile
using existing facilities.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Process four new echo commands to construct messages to be
displayed to the user:
echo msg message-text
echo msg-n message-text
echo msg-window message-title
echo msg-notify message-title
Note: All rules of push and echo processing apply and determine
what is received as echo commands by the GUI. In addition,
'url-encoded' characters (% followed by two hex digits) are
decoded and displayed.
The message is constructed in the GUI by concatenating the text
specified in one or more "echo msg text" or "echo msg-n text"
commands. In case of "echo msg text" text is appended with a new
line. An empty text in this case will
just add a new line.
The message ends and gets displayed when one of the following
are receieved:
echo msg-window title
echo msg-notify title
where "title" becomes the title of the message window. In case of
msg-window, a modeless window shows the message, in the latter case
a notification balloon is shown.
Example: when pushed from the server:
push "echo msg I say let the world go to hell%2C"
push "echo msg I must have my cup of tea."
push "echo msg-window Notes from the underground"
will display a modeless window with title
"Notes from the underground" and a two line body
--
I say let the world go to hell,
I must have my cup of tea.
--
Note that the message itself is not quoted in the above examples
and so it relies on the server's option-parser combining
individual words into a space separated string. Number of words
on a line is limited by the maximum number of parameters allowed
in openvpn commands (16). This limitation may be avoided by quoting
the text that follows so that the option parser sees it as one
parameter.
The comma character is not allowed in pushed strings, so
it has to be sent encoded as %2C as shown above.
Such encoding of arbitrary bytes is suppored. For example,
newlines may be embedded as %0A, though discouraged. Instead
use multiple "echo msg" commands to separate lines by new line.
An example with embedded spaces and multiple lines concatenated
without a new line in between (note use of single quotes):
push "echo msg-n I swear to you gentlemen%2C that to be"
push "echo msg-n ' overly conscious is a sickness%2C ' "
push "echo msg-n a real%2C thorough sickness."
push "echo msg-notify Quote of the Day"
will show up as a notification that displays for an
OS-dependent interval as:
--
Quote of the Day
I swear to you gentlemen, that to be overly conscious
is a sickness, a real, thorough sickness.
--
where the location of the line break is automatically determined
by the notification API and is OS version-dependent.
Commands like "echo msg ..." in the config file are also
processed the same way. It gets displayed when the GUI connects
to the management interface and receives all pending echo.
Pushed message(s) get displayed when the client daemon
processes push-reply and passes on echo directives to the
GUI.
TODO: The actual window that displays the messages is
implemented in the next commit.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Implement connection specific env variables. These are merged
with the process environment strings and passed to scripts.
- To set an env variable, use 'echo setenv name value' in the config
or push from the server. This will set "OPENVPN_name=value" in
the connections's env set. Note that "name" is mangled as
"OPENVPN_name" to avoid servers overwriting sensitive variables
such as PATH. Names are set in the order received and same name
overwrites any previously set value.
- Environment variable names are allowed to contain only alpha numeric
characters and underscore as in openvpn.exe. But, unlike openvpn.exe,
invalid names are ignored, not sanitized.
v2 changes (Dec 16, 2017):
- If value is missing, the directive is interpreted as a delete command
and the env var with matching name in the connection's env set is removed.
- Windows needs env block to be ordered:
While merging connection specific env vars with process env block, order
the entries 'alphabetically' (locale independent, case insensitive
unicode ordinal order). In case of duplicates, the value in connection
env set replaces the one in process env.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
The openvpn-gui-res-cs.rc file was not included in release tarballs, which made
tarball-based builds fail.
URL: https://github.com/OpenVPN/openvpn-gui/issues/131
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Option ediitng dialogs are in two tabs: General and Advanced.
Proxy related options are left in the proxy tab. Options
config_dir, config_ext, log_dir, script timeouts and
service-only flag are in the Advanced tab. All other more commonly
used flags and options are in the General tab.
- As options are editable, save values in registry only when they differ
from the default values. This leaves the registry clean and makes changing
options and their defaults during updates easier.
- Entries for config_dir and log_dir must be absolute paths.
Environemental variables such as %PROFILEDIR% may be used
to construct these.
- Empty config_dir, config_ext and log_dir entries are silently
ignored (i.e., the current values are left unchanged).
- Store all numeric and boolean parameters in registry as DWORD instead of
strings.
- On startup, the default parameters are loaded, then the registry is read
and finally command-line parameters parsedi.
- Out of range script timeout values in registry truncated with a
warning instead of fatal error. This allows the user to access the
settings dialog and make corrections.
- Save proxy and language settings under the same
HKCU\Software\OpenVPN-GUI key as other options instead of under Nilings.
- Save the current version of the GUI in regsitry so that updates
can be detected and any needed registry cleanup done.
- If no version info is present in the registry any values in OpenVPN-GUI
key in HKCU are deleted for a clean start as this is the first version
to save registry values in HKCU. Language and proxy data if present
under Nilings is migrated.
Note: new controls in the General tab and newly added Advanced tab dialog
are copied to all language files from the English version. These need to
be translated.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Use ShellExecute to open config and log files so that
file associations can be used. If that fails fall-back to
the default editor (notepad.exe).
- Remove the keys editor and log_viewer from registry.
The user can change the editor/viewer through fie association.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Username and, optionally, password as well as the private
key passphrase are saved in config-specific registry keys
- All saved data are kept encrypted using DPAPI
- The passphrase dialog is skipped if a valid saved private
key password is available. However, the user-auth dialog
is always presented, prefilled with the saved username
and password.
Note: A text string "Save password" is added to three dialogs
in all language resource files. Additional text with ids
IDS_MENU_CLEARPASS and IDS_NFO_DELETE_PASS are added to the
STRINGTABLE only in the English language resource file.
All these need translations.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
When a connection is attempted using a config in a location
that would fail, offer an option to add the user to the "OpenVPN
Administrators" group. This is done using shell-execute which will
show a UAC prompt for elevation. If it fails (due to user chooses
NO or the UAC dialog fails) the connection is not started.
v2 Changes
- Rebase to master
- Automaticlaly add the admin group if it doesn't exist
- Allow unicode strings in debug output
- Use domain\username to identify user
- Fix the PrintDebug macro
Minor changes based on user feedback
- Bring the window back to foreground after UAC prompt completion
- Show a message if another connection is tried during authorization
- Do not add user to ovpn_admin_group if it is same as the built-in admin group
Signed-off-by: Selva Nair <selva.nair@gmail.com>
'make installer' will now spit out an openvpn-gui-installer.exe. The
location of the required makensis tool can be specified by appending
MAKENSIS=/path/to/makensis to the configure command line. Otherwise
it's searched for in your $PATH. The installer target is only available
when makensis is available.
Proxy settings are fetched from the users Internet Options
for the active connection. If WPAD or a PAC script is configured
they are preferred and used for automatic proxy detection.
Proxy bypass configuration is completely ignored.
Selva Nair