Commit Graph

83 Commits (9e1b57404eaf1f3f3c03b733302001aebb7146ad)

Author SHA1 Message Date
Selva Nair 9186648285 Implement Password Reveal Feature
- Only "hot" user input -- i.e, freshly typed password starting
  from an empty string, with keyboard focus still in the edit
  box -- can be revealed.
  In particular, prefilled password (from cached value) cannot be
  revealed.
- Once keyboard focus moves out of the password edit box, the input has
  to be deleted for the reveal feature to get re-enabled.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2023-04-26 11:08:15 +03:00
Selva Nair 28a568201c Handle CONNECTED,ROUTE_ERROR state message
When connected, the daemon now reports the state as
CONNECTED,ROUTE_ERROR on routing errors that would have been
reported as CONNECTED,SUCCESS in the past.

To not overly disrupt the current behaviour we treat CONNECTED,ROUTE_ERROR
almost the same way as CONNECTED,SUCCESS except that an error is logged and
the status window is popped up if not already open for all cases other
than CONNECTED,SUCCESS.

Further, the icons on the status window are left at yellow
and the status text is set to "Connected with routing errors"
in case of ROUTE_ERROR.

Tray and menu icons will change to green. Leaving them yellow is not
persistent as we do not yet have a state variable in the GUI that distinguishes
between "successfully connected" and "connected with route errors".

TODO: re-work this CONNECTED state handling based on how critical
ROUTE_ERROR is in real use.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2023-01-12 10:09:09 +01:00
Selva Nair 061e653a19 Add an option to toggle auto-restart feature
The option is enabled by default.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-12-20 08:46:50 -08:00
Selva Nair fa0f55e5a3 Localization of strings in PLAP dialog
Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-12-08 18:17:19 -08:00
Selva Nair 3427aeb88f Enable localization of openvpn daemon state names
These strings are displayed in the PLAP progress window.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-12-08 18:17:19 -08:00
Selva Nair 41a92199e4 Update copyright year in About tab
Also remove related variables from configure.ac
as those are unused since we updated resources to be
MSVC compliant.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-11-05 18:17:11 -04:00
Selva Nair 7d078dd151 PLAP: Add an option to register the COM dll
- ShellExecute with runas is used to elevate
- This Option is hidden if PLAP dll is not found in the
  install_path bin folder
- Depends on the presence of openvpn-plap-install.reg
  and openvpn-plap-uninstall.reg in the install-path bin
  folder.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-10-19 09:49:15 -04:00
Selva Nair d6775b9b71 Persistent connections: show an error msg when connect fails
If '--management' option cannot be parsed in the config file of a
persistent profile (due to missing option, unreadable password etc.),
connecting it from the GUI menu fails.
In such cases show an error message instead of silently failing.
The message is shown only during manual connect attempts,
not during auto-connect or resume.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-10-19 09:49:15 -04:00
Selva Nair 7f794eec3d Add a button for detaching from the management interface
Useful for releasing the management interface if the user wants to
connect to it by other means.

Detached connections are set to state = detached (not disconnected)
and auto_connect disabled, so that they could be handled properly
during a re-attach.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-08-08 10:11:25 -04:00
Selva Nair 0e76e4b544 Option to disable attaching to persistent connections
Three options are provided to control scanning of persistent
(pre-started) connections in config-auto folder, and how they
are attached to.

Auto: Scan and list persistent connections and attach to their
      management i/f automatically at startup, and periodically
      retry on failure to attach.
Manual: Scan and list as above, but do not attach automatically.
      User can attach to such connections by manually clicking
      connect.
Never: Do not scan config-auto folder.

Default is "Auto"

Change of this setting in the settings menu will take full effect
only if none of the connections are in connecting/connected/detached
state so that the connection list can be updated. Otherwise
restart the GUI.

TODO: Copying the settings dialog changes to all languages

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-08-08 10:11:25 -04:00
Selva Nair 8f0dbbc8a3 Always check status of automatic service
- Remove service-only mode (start/stop service) which has not been in
  use since we moved to running the GUI as limited user.
  Also it's not very useful as it does not allow any control of
  service-started daemons

- Keep CheckServiceStatus and always check the status of
automatic service.

The status of the service will be used to toggle supporting
control of persistent connections started by the service.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-08-08 10:11:25 -04:00
Selva Nair 428ee29246 Add support for marking connections as persistent
Persistent connections have openvpn.exe daemon started
external to the GUI (e.g., by the automatic service).
This patch adds support for attaching to the management
i/f of such daemons from the GUI and control the connection.

The GUI never stops or starts the openvpn.exe process in this
case. Instead, connect and disconnect buttons signal the
management interface of a running openvpn.exe process to start
the tunnel by attaching to mgmt i/f and sending hold-release if
needed or stop it and wait in management-hold state
(see DisconnectDaemon()).

When the GUI process exits, persistent connections are left in their
current state using DetachOpenVPN().

No connections are marked as persistent as yet. That is done
in a following commit.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-08-08 10:11:25 -04:00
Selva Nair 84be448777 Handle pkcs11-id query from daemon
Add support for selecting pkcs11-id from the GUI.
Requires --management-pkcs11-id in the config file.
This option is not added by the GUI.

A list of all available pkcs11 certificates is presented to the
user with buttons OK, Cancel, Retry. OK submits the selected
entry, Cancel closes the connection, Retry reconstructs the
list of certificates by querying the daemon again. The latter
can be used to retry after inserting a token.

If no certificates are found, a message suggesting to insert
a token and press 'Retry' is displayed.

The list shows the "Issued-to", "Issued-by" names
(usually the subject & issuer common names) and valid-until
date in current locale for each certificate.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-07-19 12:08:02 +02:00
Selva Nair 3e37291e5d Set WS_EX_TOPMOST style on dialogs
This extended style makes the window topmost in z-order.
We currently set this for the user-auth and private-key
passphrase dialogs, but useful for any dialog that may popup
without user interaction.
(Eg., challenge response during a server-initiated restart
or reneg).

Trac: #1465

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2022-06-20 09:08:54 -04:00
Lev Stipakov d60325acde Support for OpenVPN 3
This adds optional support for using OpenVPN3 client
as an alternative to openvpn2.

Just replacing one client with another will not work:

 - OpenVPN3 doesn't use interactive service, it uses
"agent" service with completely different protocol. OpenVPN GUI
needs to talk to agent using HTTP and JSON.

 - OpenVPN3 management interface realtime notifications must be
explicitly turned on in order for GUI to work.

To enable using openvpn3:

 - use any of *-ovpn3 presets (cmake build system)

 - ./configure --enable-ovpn3 (mingw)

To switch between openvpn2 and openvpn3, see "OpenVPN Engine"
radiobutton group in Settings -> Advanced dialog.

OnReady() implementation was slightly changed - "log all on"
replaced with "log on all" - according to management interface
documentation this is the right way to do it, and also OpenVPN3
only supports "on all" order.

Management interface - enabled OpenVPN3 client (omiclient.exe) and
agent (ovpnagent.exe) are now part of openvpn3 repo.

Co-authored-by: Christopher Ng <facboy@gmail.com>
Signed-off-by: Christopher Ng <facboy@gmail.com>
Signed-off-by: Lev Stipakov <lev@openvpn.net>
2022-06-15 10:32:36 -04:00
Selva Nair bb6b6e29fb
Provide more space for challenge dialog text (#469)
* Provide more space for challenge dialog text

We do use a re-sizeable dialog box for dynamic challenge-response
to cater for potentially long lines of challenge text. But the
space specified for the widget is enough for only a single short line
(~60 characters) of text.

Increase the horizontal and vertical space to allow for up to
two lines of ~120 characters per line.

The default size of the Window is not changed. But it is
automatically resized if the space required for the text
is longer than the window width minus some margin. The max
horizontal size of the window is capped at 640 nominal pixels
as longer text will be wrapped in to two lines.

Github issue #468

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-11-29 11:44:13 -05:00
Selva Nair 9c82e666d8 Show a prompt during profile import using --import
The user is prompted with a message showing the config
name that will be imported. The user can accept or cancel
the operation.

If the user was already prompted for over-write permission
because a config with the same name exists, no further dialog
is shown.

Import using the menu (Import File...) is not affected.

Rationale:
We want to set "Import" as the default verb for the context
menu of .ovpn files. This will allow import of configs by
double-click. Also when .ovpn file is downloaded using a browser,
setting the default browser action to "open" will result in an import.
In such cases a silent import action could be surprising, and a
prompt showing what is being imported could provide a better UX.

On the flip-side, the prompt/dialog will also be shown when import
is done from the context menu of .ovpn by "right click and
choose import" or when "openvpn-gui.exe --import foo"
or "openvpn-gui.exe --command import foo" is executed. As import
is an action that does not result in an immediately visible result
(unlike, say, edit or print), a prompt requiring user action is of
some value even in these cases. At worst it's a minor annoyance.

See also: https://github.com/OpenVPN/openvpn-build/pull/227
and discussions there-in

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-11-18 14:33:09 -05:00
Selva Nair 56ee704501 Use C standard compliant printf specifications
%S --> %hs in wide format strings, %ls otherwise
%s --> %ls in wide format strings, unchanged otherwise
%c --> %lc in wide format strings

Resource files together have about 970 lines affected and
were edited by looping through all with
sed -i 's/%S/%hs/g' $file
sed -i 's/%s/%ls/g' $file
All other files were manually changed (about 85 lines).

Recent versions of mingw-w64 implicitly turn on __USE_MINGW_ANSI_STDIO
if _GNU_SOURCE, _XOPEN_SOURCE etc are defined (which we do use).

This breaks non-standard spec such as %S. Anyway, we have been
gradually getting rid of those.

MSVC builds should not be affected.

v2: multiple occurrences in same line was missed in v1 (/g missing in
sed expression). Fixed.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-11-03 16:20:17 -04:00
Selva Nair e80a39c825 Implement importing profile from a generic URL
ParseUrl extended to parse generic URLs and parse
the path. DownloadProfile() function re-factored
for reuse with generic URL.

Also:
- INTERNET_FLAG_RELOAD added to the request
  call to force reloading the data from server instead
  of using possibly cached data.
- Input box for URL extended in length to about
   50 characters wide.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-08-31 21:55:59 -04:00
Selva Nair 8e4183f9a9 Add '--command import' command line option
Import a config file from command line as

`openvpn-gui.exe --command import <file-path>`

The command is sent to a running instance if any.
Otherwise the GUI executable is started and
the import processed.

`openvpn-gui --import <file-path>`

is interpreted as the same command.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-08-31 14:48:20 -04:00
Lev Stipakov c7beb04ff5 URL profile import: download and import profile
Use WinInet to download profile into memory buffer.
If there are certain certificate errors (invalid CN,
wrong date, unknown CA, revocation check failed),
ask if user wants to continue.

Extract profile name from content, sanitize name and
save profile in temp directory. Then import profile
using existing facilities.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-08-23 12:07:18 -04:00
Lev Stipakov 9ded7996ab URL profile import: add profile import dialog
This is the first patch from series which implements
importing profile from URL, currently implemented
by OpenVPN Access Server.

Move "Import from file" menu item under new "Import"
item. Add "Import from AS..." item under "Import", which
opens new profile import dialog.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2021-08-23 12:07:18 -04:00
Selva Nair 7faa16846d Option to disable echo messages from settings menu
- Also add an edit box for setting the mute interval for
  repeated echo messages. To be specified in hours
  >=0. A zero value disables muting.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-06-25 20:48:02 -04:00
Selva Nair 1c0c159d21 Have unique and non-zero IDs for all controls
Should fix duplicate control id warnings from resource
compiler.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-05-24 07:52:29 -04:00
Selva Nair 56efcc6515 Make all resource files MSVC compliant
- Remove intermediate quotes in continued lines
- Remove macro substitutions in strings
- Split two long LTEXT (>256 characters) into two

All changes autogenerated using a sed script here
https://gist.github.com/selvanair/ae78c29869d7c1d15abcb909f04676c6

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-05-19 20:58:06 -04:00
Selva Nair c47c3bf81a Remove MAX_CONFIGS limit using WM_MENUCOMMAND for menu messages
We currently use WM_COMMAND message which is delivered with the
ID of the menu item requiring a unique ID for every command
(connect, disconnect etc..) for each connection profile. Instead,
use WM_MENUCOMMAND so that the message delivers a handle to the
menu and the position index of the menu item.

Connection menu array is now dynamically allocated. Yet, there
is still a limitation on the number of configs as the config
index + mgmt_port_offset must be < 65536 to be usable as a port
number. The error message shown for "too many configs" is reworded.
(English language file only).

Note: The current way of selecting the management port based on the
index of the config file increases chances of port conflicts
when the number of configs is large. It could be useful to change
this logic but that is beyond the scope of this PR.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-03-05 22:16:08 -05:00
Selva Nair 6b1372d886 Update help message
Describe recently added command line options:
 - iservice_admin
 - disable_popup_messages
 - popup_mute_interval
 - management_port_offset
Added the default English text to all language files.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-03-05 09:48:10 -05:00
Selva Nair f098f2fee4 Make 'management port offset' and 'menu view' user-configurable
- Add an option in the advanced settings menu for
the management port offset. Allows any value in the
range 1 to 61000 which with up to ~4000 added as connection
id keeps it in range.

Default is the currently hard coded value of 25340.

As Windows has no concept of privileged ports and the ephemeral
range used varies from version to version, no attempt is made to
avoid conflicts with ports in use.

- Add an option to choose the config menu view from the
advanced settings with three options:

Auto:   Automatically switch to the nested view when
        number of configs exceeds a limit (currently 25)
Flat:   Force the flat view irrespective of the number of
        configs
Nested: Force the nested view irrespective of the number
        of configs

Issues: 370 and 387

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-02-24 09:26:05 +02:00
Selva Nair 3f896b002b Implement display of echo message window
- Add a message box that supports appending messages with
  a title formatted at a larger font and a text
  displayed in the default font.
- A global instance of the message box is used to
  display messages from all profiles.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2021-01-07 23:29:02 -05:00
Lev Stipakov 1715746477 Introduce "Always use interactive service" option
We didn't use interactive service when gui was running
under admin because of some privilege escalation vulnerability in Vista.

Apparently this issue doesn't exist on Win7 and newer versions so
it is safe to use iservice on those systems.

Introduce "Always use interactive service" option,
which is "on" by default. This should enable users,
who by various reasons run gui as admin, use Wintun.

When gui is running as admin and interactive service
cannot be started or not installed, warn that wintun will not work.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
2020-09-18 00:03:03 -04:00
Selva Nair af440ad2d2 Change the startup option text to "Launch on User Logon"
Signed-off-by: Selva Nair <selva.nair@gmail.com>
2020-08-23 14:50:15 +02:00
chaosflaws ede10529ea
Update English and German language files (#285)
* Update English and German language files
2020-05-22 08:29:14 -04:00
Selva Nair b696a7c16d Optionally allow overwrite when importing a config
- Prompt the user for permission if import may overwrite
  an existing config.

- Also raise an error if the import file source matches the
  global or local config directory. Reimporting a config on to
  itself is not supported. This also avoids ERROR_SHARING_VIOLATION
  in CopyFile() when source and destination are the same.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2020-02-27 12:36:17 -05:00
Selva Nair 89509747f1 Remove service-only checkbox from settings menu
- This checkbox is inactive and does nothing.

  The service-only usage can be still activated using the command
  line option --service_only  or by editing the registry, but it's
  not a recommended use case for GUI version 11.0 and above.

See also issue: #264

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2018-06-16 16:32:27 -04:00
Andres Ofner 30097d43cb Add shortcuts (mnemonics) to GUI elements 2018-05-02 02:06:39 -04:00
Selva Nair 14615356e5 Do not clear saved passwords on verification failure
After a failure the auth-pass dialog is shown with the password
field prefilled but highlighted. This allows the user to easily
overwrite the password or resubmit the old password if the
failure was temporary.

After a private key passphrase failure, the dialog is not
prefilled with saved password as this failure happens locally
and in such cases the password is very likely wrong.

If the user aborts the dialog by pressing cancel, the saved
password will get used during the next connection attempt.

Wrong username or password warning text is changed to: "Wrong
credentials".

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2018-04-23 15:41:03 +03:00
Ilya Shipitsin 4a4a6ab52f remove unused resource
after https://github.com/OpenVPN/openvpn-gui/pull/188 that string
is not used anymore
2018-04-23 15:39:47 +03:00
Selva Nair b23c4c2736 Update year in the "About" tab
Signed-off-by: Selva Nair <selva.nair@gmail.com>
2018-04-02 20:59:25 -04:00
Ilya Shipitsin 1c020eee60 add EXSTYLE WS_EX_TOPMOST to login/auth window
(same way it is already done for key password dialog)
2018-03-10 11:00:02 -05:00
Ilya Shipitsin e7fd11812f simplify caption on user/password auth window
also add openvpn ico to auth window
2018-01-30 10:29:00 +02:00
Selva Nair ecb8e50c0f Display assigned IPs and connection stats on status window
- Show the assigned IP numbers, traffic stats (bytes in/out), and
  the GUI and OpenVPN core versions on the status window.

Note: IDS_TXT_BYTECOUNT = "Bytes in: %s out %s" needs translation.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2018-01-30 10:20:58 +02:00
Selva Nair 874d0890dd Document sending commands to a running instance
Signed-off-by: Selva Nair <selva.nair@gmail.com>
2018-01-22 00:31:11 -05:00
Selva Nair 688f41878f More helpful message if already running
Why: The current message assumes the balloon to appear attached
to the icon which is not the case in Windows 10.

Based on feedback from larson0815 and Deantwo here:
https://github.com/selvanair/openvpn-gui/issues/5

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2018-01-20 11:43:02 -05:00
Selva Nair 0f21030774 Support sending commands to running instance
- New option --command <action> <params> to send commands to
  a running instance of openvpn-gui.exe
  Supported actions are
      connect, disconnect, reconnect
  each of which takes the name of the config (with or without the
  extension .ovpn) as a parameter;
      disconnect_all, exit
  which take no parameter and
      silent_connection
  which takes an optional parameter = 0 or 1 (1 is the default)

  Examples: with the gui running, start a new instance as

  openvpn-gui.exe --command disconnect myvpn : ask running instance
                        to disconnect myvpn if connected
  openvpn-gui.exe --command status myvpn     : ask running instance
                        to show the status window for myvpn if available
  openvpn-gui.exe --command disconnect_all   : ask running instance
                        to disconnect all active connections

- The second instance exits after issuing a SendMessage to the
  already running instance. If no action is specified, the running
  instance is notified to show a balloon to alert the user

- These messages may also be sent from scripts as COPYDATA messages
  with the wData element specifying the action to execute and lpData
  a pointer to the parameter. The dwData param must be one of
  WM_OVPN_xxx with xxx = START, STOP, RESTART, STOPALL, EXIT or
  SILENT. See main.h for their values.

v2: Bug fixes based on test reports from larson0815
here: https://github.com/selvanair/openvpn-gui/issues/5
and cron410 here: https://github.com/OpenVPN/openvpn-gui/issues/104

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2018-01-20 11:42:23 -05:00
Selva Nair 31896ce33b Add restart button to connection menus
- This works the same way as restart button in the status window
  but is more conveniently accessible from the tray menu.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2018-01-20 11:41:19 -05:00
Ilya Shipitsin 0642cb8fe5 better alignment of warning message 2018-01-06 21:14:11 +05:00
Selva Nair 5fb23f6ad9 Auto submit saved auth-user-pass credentials after a brief delay
- Effective only when username and password are saved.
- The user may interrupt auto submission and edit the username/password.
- If silent_connection is on the dialog is bypassed without any delay.

v2 changes:
- Display message in normal text color and show remaining time

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2017-12-26 13:41:55 -05:00
Selva Nair d98ad55467 Change OK button style to BS_DEFPUSHBUTTON in auth-user-pass dialog
- Make the OK button appear highlighted as the default action so that
  the user can press enter and submit the form. This also gives a clearer
  indication of the default action when automatic submission of saved
  username/password activates.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2017-12-26 13:41:55 -05:00
Selva Nair 301a5e5644 Check for invalid characters in user inputs
- Flag password and username input if these contain an invalid character
  (currently only embedded '\n' is disallowed). Shows a popup when OK
  is pressed so that the user can correct the input and resubmit.

- Add an error message to the log when the management i/f returns
  ERROR for incorrectly parsed commands. Otherwise such errors go
  unnoticed.

Note: IDS_ERR_INVALID_USERNAME/PASSWORD need translations.

Reported and tested by: Florian Beier (H4ndl3 on github)
Fixes Trac: #958

Signed-off-by: Selva Nair <selva.nair@gmail.com>
2017-11-20 09:53:31 -05:00
Selva Nair 29a8bba38c Resize private key password dialog to avoid clipped text
Signed-off-by: Selva Nair <selva.nair@gmail.com>
2017-06-27 16:05:07 -04:00