Add a checkbox to the general settings menu
to always prompt for OTP when prompting for password
even if no static-challenge request is received from
the management interface.
The response is appeneded to the password using the
concatenation format and submitted to the management interface.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- The policy setting is checked when GUI is started. Any change
in policy will be effective only after restarting the GUI.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Currently we use an array of connection pointers which needs
to be reallocated when space runs out. But, that happens from
the main thread while the status thread may be referring to those
pointers. Its very hard to fence against possible invalid memory
access. Instead, use a list so that connection pointer never
changes once created.
The connection list is no longer recreated from scratch even when
no connections are active. This means configs added while GUI is
running will always appear at the bottom of the root group listing
until the GUI is restarted.
TODO: This behaviour could be improved by scanning through the groups to
graft new configs at the right branch in the config-group tree.
v2: removed unused references to SetMenuStatusById()
Signed-off-by: Selva Nair <selva.nair@gmail.com>
As we now allow users to set a management password (for persistent
connections), the max size of password should match what openvpn.exe
can handle (128 or 4096 bytes depending on build options).
Increase the buffer size to 4096 though such large passwords
may not work in practice. 127 bytes + NUL, may be a safe upper limit.
For the random password used for connections spawned by the GUI,
the current size of 15 bytes + NUL is retained.
Fixes: #567
Signed-off-by: Selva Nair <selva.nair@gmail.com>
New feature: any connection that is not disconnected on exit
will auto-connect when the GUi is started the next time.
There is no option to toggle auto-connect of any profile. Instead,
just connect normally and leave the connection open while closing the
GUI directly or indirectly (on logout, for example). Such a connection
will auto-connect when the GUI is started the next time.
If auto-connect is not desired for a particular connection, stop it
before exit. Or, the whole feature may be disabled in the setings menu
(implemented in next commit).
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Since version 11.30, we scan config-auto folder and show them
in the menu of available connection profiles. To reduce user-confusion,
always group these configs under a submenu ("Persistent Connections")
even when nested config menu view is not in use.
ActivateConfigGroups() is now always called as Persistent and
System profile groups can now go from empty to non-empty
on rescan.
When nested config menu view is enabled, "persistent", "system"
and "user" configs are always shown in separate groups.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
This allows a new user to attach to the mgmt i/f of
persistent connections which would be otherwise blocked
by the previously logged in user.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Useful for releasing the management interface if the user wants to
connect to it by other means.
Detached connections are set to state = detached (no disconnected)
and auto_connect disabled, so that they could be handled properly
during a re-attach.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Three options are provided to control scanning of persistent
(pre-satrted) connections in config-auto folder, and how they
are attached to.
Auto: Scan and list persistent connections and attach to their
management i/f automatically at startup, and periodically
retry on failure to attach.
Manual: Scan and list as above, but do not attach automatically.
User can attach to such connections by manually clicking
connect.
Never: Do not scan config-auto folder.
Default is "Auto"
Change of this setting in the settings menu will take full effect
only if none of the connections are in connecting/connected/detached
state so that the connection list can be updated. Otherwise
restart the GUI.
TODO: Copying the settings dialog changes to all languages
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Distinguish between management socket connected and
ready for interaction with the server. The former can
happen even if the server is connected to another client
and thus non-responsive.
Use manage.connected = 1 in place of true when connected
and = 2 when handshake with server completed and ready for
input.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Parse the config-auto folder used by automatic service
and mark these profiles as persistent.
- These connections are marked as auto_connect to try
attaching to them at start up with periodic retry in
case the daemon or service are restarted.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Remove service-only mode (start/stop service) which has not been in
use since we moved to running the GUI as limited user.
Also its not very useful as it does not allow any control of
service-started daemons
- Keep CheckServiceStatus and always check the status of
automatic service.
The status of the service will be used to toggle supporting
control of persistent connections started by the service.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Persistent connections have openvpn.exe daemon started
external to the GUI (e.g., by the automatic service).
This patch adds support for attaching to the management
i/f of such daemons from the GUI and control the connection.
The GUI never stops or starts the openvpn.exe process in this
case. Instead, connect and disconnect buttons signal the
management interface of a running openvpn.exe process to start
the tunnel by attaching to mgmt i/f and sending hold-release if
needed or stop it and wait in management-hold state
(see DisconnectDaemon()).
When the GUI process exits, persistent connections are left in their
current state using DetachOpenVPN().
No connections are marked as persistent as yet. That is done
in a following commit.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Add support for selecting pkcs11-id from the GUI.
Requires --management-pkcs11-id in the config file.
This option is not added by the GUI.
A list of all available pkcs11 certificates are presented to the
user with buttons OK, Cancel, Retry. OK submits the selected
entry, Cancel closes the connection, Retry reconstructs the
list of certificates by querying the daemon again. The latter
can be used to retry after inserting a token.
If no certificates are found, a message suggesting to insert
a token and press 'Retry' is displayed.
The list shows the "Issued-to", "Issued-by" names
(usually the subject & issuer common names) and valid-until
date in current locale for each certificate.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
In some cases the service may take a while to startup openvpn.exe,
causing connection to the management interface to timeout. This could
leave behind the OpenVPN process if/when it eventually starts up.
(Trac 905, 1050).
As errors in starting up the OpenVPN daemon are independently
handled, its better to keep retrying the management interface connection
until aborted due to errors or by the user.
- On timeout, log a message on the status window and retry the
management interface connection
- Eliminate the timed-out state that is no longer used
- Call StopOpenVPN() before abort so that OpenVPN daemon
is not left running in case it starts up later.
- In the unlikely event that OpenManagement() fails, show an error
- User can abort by pressing disconnect
A "retrying.." message is logged on to the status window every
15 seconds.
See Trac: #905, #1050
Signed-off-by: Selva Nair <selva.nair@gmail.com>
This adds optional support for using OpenVPN3 client
as an alternative to openvpn2.
Just replacing one client with another will not work:
- OpenVPN3 doesn't use interactive service, it uses
"agent" service with completely different protocol. OpenVPN GUI
needs to talk to agent using HTTP and JSON.
- OpenVPN3 management interface realtime notifications must be
explicitly turned on in order for GUI to work.
To enable using openvpn3:
- use any of *-ovpn3 presets (cmake build system)
- ./configure --enable-ovpn3 (mingw)
To switch betweet openvpn2 and openvpn3, see "OpenVPN Engine"
radiobutton group in Settings -> Advanced dialog.
OnReady() implementation was slighly changed - "log all on"
replaced with "log on all" - according to management interface
documentation this is the right way to do it, and also OpenVPN3
only supports "on all" order.
Management interface - enabled OpenVPN3 client (omiclient.exe) and
agent (ovpnagent.exe) are now part of openvpn3 repo.
Co-authored-by: Christopher Ng <facboy@gmail.com>
Signed-off-by: Christopher Ng <facboy@gmail.com>
Signed-off-by: Lev Stipakov <lev@openvpn.net>
- Set env variables such as OPENSSL_CONF and OPENSSL_MODULES
- Replace deprecated initialization (since OpenSSL 1.1.0)
by OpenSSL_init_crypto()
Signed-off-by: Selva Nair <selva.nair@gmail.com>
We currently use WM_COMMAND message which is delivered with the
ID of the menu item requiring a unique ID for every command
(connect, disconnect etc..) for each connection profile. Instead,
use WM_MENUCOMMAND so that the message delivers a handle to the
menu and the position index of the menu item.
Connection menu array is now dynamically allocated. Yet, there
is still a limitation on the number of configs as the config
index + mgmt_port_offset must be < 65536 to be usable as a port
number. The error message shown for "too many configs" is reworded.
(English language file only).
Note: The current way of selecting the management port based on the
index of the config file increases chances of port conflicts
when the number of configs is large. It could be useful to change
this logic but that is beyond the cope of this PR.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Add an option in the advanced settings menu for
the management port offset. Allows any value in the
range 1 to 61000 which with upto ~4000 added as connection
id keeps it in range.
Default is the currently hard coded value of 25340.
As Windows has no concept of privileged ports and the ephemeral
range used varies from version to version, no attempt is made to
avoid conflicts with ports in use.
- Add an option to choose the config menu view from the
advanced settings with three options:
Auto: Automatically switch to the nested view when
number of configs exceed a limit (currently 25)
Flat: Force the flat view irrespective of the number of
configs
Nested: Force the nested view irrespective of the number
of configs
Issues: 370 and 387
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Suppress messages with exactly same content as previously
displayed within popup_mute_interval (24h by default). This parameter
may be set on command line as "--popup_mute_interval n" where n is
in hours.
- Command line option '--disable_popup_messages' disables all echo
message popups (window and notification).
This patch only handles suppression of repeated messages during
reconnections.
TODO: Persist message history in the registry and use it to mute
repeated messages after disconnects and across restarts of the GUI.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Process four new echo commands to construct messages to be
displayed to the user:
echo msg message-text
echo msg-n message-text
echo msg-window message-title
echo msg-notify message-title
Note: All rules of push and echo processing apply and determine
what is received as echo commands by the GUI. In addition,
'url-encoded' characters (% followed by two hex digits) are
decoded and displayed.
The message is constructed in the GUI by concatenating the text
specified in one or more "echo msg text" or "echo msg-n text"
commands. In case of "echo msg text" text is appended with a new
line. An empty text in this case will
just add a new line.
The message ends and gets displayed when one of the following
are receieved:
echo msg-window title
echo msg-notify title
where "title" becomes the title of the message window. In case of
msg-window, a modeless window shows the message, in the latter case
a notification balloon is shown.
Example: when pushed from the server:
push "echo msg I say let the world go to hell%2C"
push "echo msg I must have my cup of tea."
push "echo msg-window Notes from the underground"
will display a modeless window with title
"Notes from the underground" and a two line body
--
I say let the world go to hell,
I must have my cup of tea.
--
Note that the message itself is not quoted in the above examples
and so it relies on the server's option-parser combining
individual words into a space separated string. Number of words
on a line is limited by the maximum number of parameters allowed
in openvpn commands (16). This limitation may be avoided by quoting
the text that follows so that the option parser sees it as one
parameter.
The comma character is not allowed in pushed strings, so
it has to be sent encoded as %2C as shown above.
Such encoding of arbitrary bytes is suppored. For example,
newlines may be embedded as %0A, though discouraged. Instead
use multiple "echo msg" commands to separate lines by new line.
An example with embedded spaces and multiple lines concatenated
without a new line in between (note use of single quotes):
push "echo msg-n I swear to you gentlemen%2C that to be"
push "echo msg-n ' overly conscious is a sickness%2C ' "
push "echo msg-n a real%2C thorough sickness."
push "echo msg-notify Quote of the Day"
will show up as a notification that displays for an
OS-dependent interval as:
--
Quote of the Day
I swear to you gentlemen, that to be overly conscious
is a sickness, a real, thorough sickness.
--
where the location of the line break is automatically determined
by the notification API and is OS version-dependent.
Commands like "echo msg ..." in the config file are also
processed the same way. It gets displayed when the GUI connects
to the management interface and receives all pending echo.
Pushed message(s) get displayed when the client daemon
processes push-reply and passes on echo directives to the
GUI.
TODO: The actual window that displays the messages is
implemented in the next commit.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
We didn't use interactive service when gui was running
under admin because of some privilege escalation vulnerability in Vista.
Apparently this issue doesn't exist on Win7 and newer versions so
it is safe to use iservice on those systems.
Introduce "Always use interactive service" option,
which is "on" by default. This should enable users,
who by various reasons run gui as admin, use Wintun.
When gui is running as admin and interactive service
cannot be started or not installed, warn that wintun will not work.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
As config group is reallocated when full, do not store the pointer to the
parent group. Instead use the id of the group which is invariant across
reallocs. Similarly in connection array store the id of the group
instead of a pointer.
Also
- Do not call ActivateConfigGroups() -- when connections are active:
in this case we want preserve config data structures during rescan.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
fixup
The number of configs is now unlimited. But there is a limit
of 2^16 menu items which permits only about 2^12 configs to be
displayed in the menu. A warning is shown if the number of
configs exceeds this value.
For a responsive menu keep the number of configs under ~1000.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Group all configs in a subdirectory with directory name
as the label.
- If any connection is active, newly found configs are
added to the root group to keep the logic simple.
- Directory hierarchy is scanned up to a depth of 4: i.e.,
config_dir and global_config_dir and its subdirectories
up to 3 levels down.
Only support for scanning configs and attaching group labels
is added here. Rendering the nested menu is the subject of
a later commit.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
When openvpn is run with --help option it pops up a help
message and exits when that window is closed. Such instances
cannot accept any commands and should not be treated as a
running instance.
Fix by
(i) When run with --help, promptly release the semaphore used
to restrict to a single running instance.
(ii) Wait for a short interval (200 msec) before timing out of
locking the semaphore. This helps avoid race conditions.
While at it also make sure the semaphore is released and closed
on exit.
Fixes issue: #237
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Implement connection specific env variables. These are merged
with the process environment strings and passed to scripts.
- To set an env variable, use 'echo setenv name value' in the config
or push from the server. This will set "OPENVPN_name=value" in
the connections's env set. Note that "name" is mangled as
"OPENVPN_name" to avoid servers overwriting sensitive variables
such as PATH. Names are set in the order received and same name
overwrites any previously set value.
- Environment variable names are allowed to contain only alpha numeric
characters and underscore as in openvpn.exe. But, unlike openvpn.exe,
invalid names are ignored, not sanitized.
v2 changes (Dec 16, 2017):
- If value is missing, the directive is interpreted as a delete command
and the env var with matching name in the connection's env set is removed.
- Windows needs env block to be ordered:
While merging connection specific env vars with process env block, order
the entries 'alphabetically' (locale independent, case insensitive
unicode ordinal order). In case of duplicates, the value in connection
env set replaces the one in process env.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- New option --command <action> <params> to send commands to
a running instance of openvpn-gui.exe
Supported actions are
connect, disconnect, reconnect
each of which takes the name of the config (with or without the
extension .ovpn) as a parameter;
disconnect_all, exit
which take no parameter and
silent_connection
which takes an optional parameter = 0 or 1 (1 is the default)
Examples: with the gui running, start a new instance as
openvpn-gui.exe --command disconnect myvpn : ask running instance
to disconnect myvpn if connected
openvpn-gui.exe --command status myvpn : ask running instance
to show the status window for myvpn if available
openvpn-gui.exe --command disconnect_all : ask running instance
to disconnect all active connections
- The second instance exits after issuing a SendMessage to the
already running instance. If no action is specified, the running
instance is notified to show a balloon to alert the user
- These messages may also be sent from scripts as COPYDATA messages
with the wData element specifying the action to execute and lpData
a pointer to the parameter. The dwData param must be one of
WM_OVPN_xxx with xxx = START, STOP, RESTART, STOPALL, EXIT or
SILENT. See main.h for their values.
v2: Bug fixes based on test reports from larson0815
here: https://github.com/selvanair/openvpn-gui/issues/5
and cron410 here: https://github.com/OpenVPN/openvpn-gui/issues/104
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- "Wrong username or password" message shown in the auth userpass dialog after
an auth failure
- "Wrong password" message shown in the private key password dialog after a
password failure.
These message texts are colored red by default (TODO: make the color customizable)
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- A new registry HKLM\Software\OpenVPN\disable_save_passwords
(32 bit DWORD value) may be set to a non-zero value to
disable password saving by users. Applies to both auth and
private key passwords. Usernames are always saved.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Set dpi-awareness to true in the manifest (i.e., "system-dpi aware")
- Check system dpi and scale and/or position widgets and windows
that depend on the system dpi (only components within the status
window are affected).
Note: Declaring dpi awareness eliminates automatic rescaling of
windows that causes blurred text on high dpi monitors.
Windows 8.1 and later allow per monitor dpi setting which is
not handled here.
Note: IDS_NFO_TOKEN_PASSWORD_CAPTION and IDS_NFO_TOKEN_PASSWORD_REQUEST
strings need translation.
TODO: support for selecting pkcs11-id from the GUI
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Add a base64 decode function using Windows CyptoAPI
- Move multibyte to widechar conversions to a function
- Add config name to caption of password dialogs to help user
identify the request
- Add new dialog template for generic password/PIN requests
and use it to handle dynamic challenge
Note 1: if dynamic challenge response verification fails, an auth-failed
message is returned by the server causing the GUI to clear any saved
password even if the user-auth dialog itself succeeeded.
Note 2: Dialog template ID_DLG_CHALLENGE_RESPONSE added to language
files may require translation.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Option ediitng dialogs are in two tabs: General and Advanced.
Proxy related options are left in the proxy tab. Options
config_dir, config_ext, log_dir, script timeouts and
service-only flag are in the Advanced tab. All other more commonly
used flags and options are in the General tab.
- As options are editable, save values in registry only when they differ
from the default values. This leaves the registry clean and makes changing
options and their defaults during updates easier.
- Entries for config_dir and log_dir must be absolute paths.
Environemental variables such as %PROFILEDIR% may be used
to construct these.
- Empty config_dir, config_ext and log_dir entries are silently
ignored (i.e., the current values are left unchanged).
- Store all numeric and boolean parameters in registry as DWORD instead of
strings.
- On startup, the default parameters are loaded, then the registry is read
and finally command-line parameters parsedi.
- Out of range script timeout values in registry truncated with a
warning instead of fatal error. This allows the user to access the
settings dialog and make corrections.
- Save proxy and language settings under the same
HKCU\Software\OpenVPN-GUI key as other options instead of under Nilings.
- Save the current version of the GUI in regsitry so that updates
can be detected and any needed registry cleanup done.
- If no version info is present in the registry any values in OpenVPN-GUI
key in HKCU are deleted for a clean start as this is the first version
to save registry values in HKCU. Language and proxy data if present
under Nilings is migrated.
Note: new controls in the General tab and newly added Advanced tab dialog
are copied to all language files from the English version. These need to
be translated.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Replace allow_password by a runtime check that enables password
change menu only when the user has write-access to the key file.
- Read exe_path and priority from HKLM and do not duplicate in HKCU.
- Always allow the user to view the config: edit will succeed if user
has write access.
- Always include the proxy settings tab which is the default.
- Remove the unused power event handling and disconnect_on_suspend key.
- Remove password_attempts -- user can stop the password dilaog
by clicking cancel.
- Remove allow_service: implicitly enabled if service_only is used.
- Deprecate removed options in cmd-line parser
- Update README.rst
- Close config file before exit in GetKeyFileName
- Close thread and dialog handles in passphrase.c
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Username and, optionally, password as well as the private
key passphrase are saved in config-specific registry keys
- All saved data are kept encrypted using DPAPI
- The passphrase dialog is skipped if a valid saved private
key password is available. However, the user-auth dialog
is always presented, prefilled with the saved username
and password.
Note: A text string "Save password" is added to three dialogs
in all language resource files. Additional text with ids
IDS_MENU_CLEARPASS and IDS_NFO_DELETE_PASS are added to the
STRINGTABLE only in the English language resource file.
All these need translations.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Asynchronously read Input on the service pipe which are mostly
errors reported by the service. Display the errors on the status log
window and to the log file if its not opened by openvpn.
If/when openvpn fails to start or exits with error, close
the connection without waiting for management socket timeout.
v2:
- rebase to master
- fix a bug in setting manage.connected state
- ensure management socket is closed and resources freed before thread exit
Signed-off-by: Selva Nair <selva.nair@gmail.com>
When a connection is attempted using a config in a location
that would fail, offer an option to add the user to the "OpenVPN
Administrators" group. This is done using shell-execute which will
show a UAC prompt for elevation. If it fails (due to user chooses
NO or the UAC dialog fails) the connection is not started.
v2 Changes
- Rebase to master
- Automaticlaly add the admin group if it doesn't exist
- Allow unicode strings in debug output
- Use domain\username to identify user
- Fix the PrintDebug macro
Minor changes based on user feedback
- Bring the window back to foreground after UAC prompt completion
- Show a message if another connection is tried during authorization
- Do not add user to ovpn_admin_group if it is same as the built-in admin group
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Set default config directory (config_dir) to %UserProfile%\OpenVPN\config
(saved and read back from HKCU\Software\OpenVPN-GUI\config_dir)
- Add a global_config_dir variable read from HKLM\Software\OpenVPN\config_dir
or set to OpenVPN-install-path\config
- Scan both directories and their sub directories for connection profiles.
In case of name conflicts config_dir gets priority over global_config_dir
- Eliminate multiple warnings of duplicate configs
Fixed on review (Thanks to leobasilio@gmail.com)
- Fix wrongly used o.config_dir in 2 locations
- Unrelated: Added missing CheckIServiceStatus to service.h
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- Handle early errors (openvpn exits before management connection is up)
with a helpful error message that points the user to view log.
- Include only readable config files in the connection list
- Warn if no connection profiles found
TODO: handle startup errors from interactive service
You can now define up to how many configuration files you want
to support by stating something like
./configure MAX_CONFIGS=150 ...
when invoking configure. Default value remains 50.
Selva Nair