Connection profiles shown on the login screen using PLAP
requires automatic service that starts openvpn.exe
processes for these profiles.
This commit adds an attempt to start the service from
PLAP dll. The service is started only if any PLAP enabled
profiles are found.
As starting the service can spawn up OpenVPN.exe processes and
the GUI may attach to them, auto-connect in the GUI is
suspended during session lock to leave the connections free to
be controlled from PLAP screen.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- instantiate OpenVPN PLAP provider which will enumerate configs
in config-auto directory.
- Attempt to connect each config found one after the other
The test program is deliberately written in C++ as that's how most
Windows programs (and likely, LogonUI.exe) may use the COM object.
Note that duplicate configs are ignored, so ensure that config
files in config-auto are not "shadowed" by identical named one's
in user's profile or in global config folder.
Additional notes:
The test program is not linked to the plap dll.
Instead it finds the module using CoGetClassObject,
so the plap dll must be registered in the system.
It also tests dynamically loading the dll from
C:\Program Files\OpenVPN\bin\libopenvpn_plap.dll
which should succeed even if the registration is not
proper.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
- This will be used for reading the management i/f
parameters for externally started (persistent) openpvn.exe
TODO: replace the parsing of config file in passphrase.c
using this.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
enable hardware-enforced stack protection on
compatible hardware/software (/CETCOMPAT linker option)
enable QSpectre protection
enable Control Flow Guard
issues were found by Microsoft BinSkim
Add support for selecting pkcs11-id from the GUI.
Requires --management-pkcs11-id in the config file.
This option is not added by the GUI.
A list of all available pkcs11 certificates are presented to the
user with buttons OK, Cancel, Retry. OK submits the selected
entry, Cancel closes the connection, Retry reconstructs the
list of certificates by querying the daemon again. The latter
can be used to retry after inserting a token.
If no certificates are found, a message suggesting to insert
a token and press 'Retry' is displayed.
The list shows the "Issued-to", "Issued-by" names
(usually the subject & issuer common names) and valid-until
date in current locale for each certificate.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
This adds optional support for using OpenVPN3 client
as an alternative to openvpn2.
Just replacing one client with another will not work:
- OpenVPN3 doesn't use interactive service, it uses
"agent" service with completely different protocol. OpenVPN GUI
needs to talk to agent using HTTP and JSON.
- OpenVPN3 management interface realtime notifications must be
explicitly turned on in order for GUI to work.
To enable using openvpn3:
- use any of *-ovpn3 presets (cmake build system)
- ./configure --enable-ovpn3 (mingw)
To switch betweet openvpn2 and openvpn3, see "OpenVPN Engine"
radiobutton group in Settings -> Advanced dialog.
OnReady() implementation was slighly changed - "log all on"
replaced with "log on all" - according to management interface
documentation this is the right way to do it, and also OpenVPN3
only supports "on all" order.
Management interface - enabled OpenVPN3 client (omiclient.exe) and
agent (ovpnagent.exe) are now part of openvpn3 repo.
Co-authored-by: Christopher Ng <facboy@gmail.com>
Signed-off-by: Christopher Ng <facboy@gmail.com>
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Manifest is a convenient way to automatically
install dependencies. Since we have to support
both OpenSSL 1.1.1 (for OpenVPN 2.5) and OpenSSL 3
(for coming OpenVPN 2.6) and manifest file name
is hardcoded, we create two manifests and put them
into different directories.
To simplify build process, define configuration presets
for arch (x86/x64/arm64), debug/release and oss1.1.1/ossl3.
This way building is greatly simplified:
cmake -S . --preset x64-debug-ossl3
cmake --build --preset x64-debug-ossl3
Update GitHub Actions script accordingly.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
- remove vcpkg manifest and use whatever openssl
version is installed. To build with openssl3, one could
use openssl3 port from openvpn/contrib/vcpkg-ports.
- build with openssl1.1.1 and openssl3 in GitHub Actions
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Replace old wcstok signature with security-enhanced
version, which stores position information between calls in
"context" parameter instead of internal per-thread context.
This allows to get rid of _CRT_NON_CONFORMING_WCSTOK
define in CMakeLists.txt
Reported-by: Kai Schtrom
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Allow users to bypass HTTPS is not good, but may nevertheless be useful during development.
DEBUG macro is widely used in openvpn-gui code but was missing from CMakeLists.txt, so add it there.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Use WinInet to download profile into memory buffer.
If there are certain certificate errors (invalid CN,
wrong date, unknown CA, revocation check failed),
ask if user wants to continue.
Extract profile name from content, sanitize name and
save profile in temp directory. Then import profile
using existing facilities.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This is the first patch from series which implemets
importing profile from URL, currently implemented
by OpenVPN Access Server.
Move "Import from file" menu item under new "Import"
item. Add "Import from AS..." item under "Import", which
opens new profile import dialog.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Selva Nair