1
0
mirror of https://github.com/SoftEtherVPN/SoftEtherVPN.git synced 2024-11-25 10:59:53 +03:00
Commit Graph

58 Commits

Author SHA1 Message Date
Evengard
edcdc923ad Reworked EAP-TLS 1.3 to account for RFC9190, implemented searching by certificate instead of certificate CN 2023-01-31 20:33:18 +03:00
Evengard
26403c70e3 Reworking the EAP CN matching option from admin options to extended options 2023-01-24 12:18:20 +03:00
Evengard
0a60cdf141 Hiding the EAP-TLS match user by certificate behind an admin option, disabled by default 2023-01-24 11:48:49 +03:00
Yihong Wu
4a3b4589c6 Show connection names in icon tips 2022-05-15 15:22:46 +08:00
Yihong Wu
ca996ed89a
Merge pull request #1522 from domosekai/tls
Implement complete server certificate verification
2022-05-12 23:38:38 +08:00
Yihong Wu
992a998a34 Add missing translation for protocol details 2022-04-01 22:18:54 +08:00
Yihong Wu
0a4455ac40 Add more TLS negotiation info in logging and UI 2021-12-29 17:41:29 +08:00
Yihong Wu
f94ac6351e Implement complete server certificate verification 2021-12-29 17:41:29 +08:00
Yihong Wu
9c2a573cf2 Display key algorithm and parameters in cert dialog 2021-09-24 17:12:51 +08:00
Koichiro IWAO
fce3592917
hamcore(ja,tw,cn): translate "Authentication"
appeared in "OpenSSL Engine Authorization"
2021-07-13 18:44:42 +09:00
Koichiro IWAO
410b7a959d
Fix case of OpenSSL 2021-07-13 18:41:41 +09:00
Davide Beatrici
c310163244 Cedar/Command: Add GenX25519 and GetPublicX25519 commands
GenX25519 command - Create new X25519 keypair
Help for command "GenX25519"

Purpose:
  Create new X25519 keypair

Description:
  Use this to create a new X25519 keypair, which can be used for WireGuard.
  Both the private and public key will be shown.
  The public key can be shared and is used to identify a peer.
  Also, it can always be retrieved from the private key using the GetPublicX25519 command.
  The private key should be kept in a secure place and never be shared.
  It cannot be recovered once lost.

Usage:
  GenX25519

==========================================================================================

GetPublicX25519 command - Retrieve public X25519 key from a private one
Help for command "GetPublicX25519"

Purpose:
  Retrieve public X25519 key from a private one

Description:
  Use this if you have a private X25519 key and want to get its corresponding public key.

Usage:
  GetPublicX25519 [private]

Parameters:
  private - The private X25519 key you want to get the corresponding public key of.
2021-07-07 08:43:41 +02:00
Davide Beatrici
46ca5f7b98 Use "%S" instead of "%s" for LA_SET_PORTS_UDP and LA_SET_PROTO_OPTIONS
Turns out %S refers to ANSI/UTF-8 and %s to UTF-16.

This commit fixes a buffer overflow reported by AddressSanitizer and removes an unnecessary conversion to UTF-16.
2021-06-27 21:08:26 +02:00
Davide Beatrici
4221579e95 Remove obsolete hardcoded build number checks
The open-source project began with version 1.00, build 9022.

With the exception of an informative message fallback for builds older than 9428 (2014), all checks were for closed-source builds.
2021-06-27 07:21:06 +02:00
Davide Beatrici
2aaf9012a0 Cedar/Proto_OpenVPN: Make timeout and ping transmission interval configurable
Also, the default timeout value is set to 30000 (milliseconds) instead of 10000.

The change is made because it was reported that some routers failed to connect in time.
2021-04-21 08:29:30 +02:00
Davide Beatrici
a8580458c4 Cedar/Command: Add WgkAdd, WgkDelete and WgkEnum commands
WgkAdd command - Add a WireGuard key
Help for command "WgkAdd"

Purpose:
  Add a WireGuard key

Description:
  This command can be used to add a WireGuard key to the allowed key list.
  To execute this command, you must have VPN Server administrator privileges.

Usage:
  WgkAdd [key] [/HUB:hub] [/USER:user]

Parameters:
  key   - WireGuard key. Make sure it is the public one!
  /HUB  - Hub the key will be associated to.
  /USER - User the key will be associated to, in the specified hub.

================================================================================

WgkDelete command - Delete a WireGuard key
Help for command "WgkDelete"

Purpose:
  Delete a WireGuard key

Description:
  This command can be used to delete a WireGuard key from the allowed key list.
  To execute this command, you must have VPN Server administrator privileges.

Usage:
  WgkDelete [key]

Parameters:
  key - WireGuard key.

================================================================================

WgkEnum command - List the WireGuard keys
Help for command "WgkEnum"

Purpose:
  List the WireGuard keys

Description:
  This command retrieves the WireGuard keys that are allowed to connect to the server, along with the associated Virtual Hub and user.
  You can add a key with the WgkAdd command.
  You can delete a key with the WgkDelete command.
  To execute this command, you must have VPN Server administrator privileges.

Usage:
  WgkEnum
2021-03-01 02:49:59 +01:00
Davide Beatrici
6115f1c713 Cedar/Admin: Implement RPC methods to add/delete/list WireGuard keys 2021-03-01 02:49:59 +01:00
Davide Beatrici
dd1eebdbed Cedar: Implement support for WireGuard
Please note that the implementation is not 100% conformant to the protocol whitepaper (https://www.wireguard.com/papers/wireguard.pdf).
More specifically: all peers are expected to send a handshake initiation once the current keypair is about to expire or is expired.
I decided not to do that because our implementation is meant to act as a server only. A true WireGuard peer acts, instead, as both a client and a server.
Once the keypair is expired, we immediately delete the session.

The cookie mechanism can be implemented in future.

As for authentication: unfortunately using the already existing methods is not possible due to the protocol not providing a way to send strings to a peer.
That's because WireGuard doesn't have a concept of "users": it identifies a peer through the public key, which is determined using the source address.
As a solution, this commit adds a special authentication method: once we receive the handshake initiation message and decrypt the peer's public key, we check whether it's in the allowed key list.
If it is, we retrieve the associated Virtual Hub and user; if the hub exists and the user is in it, the authentication is successful.

The allowed key list is stored in the configuration file like this:

declare WireGuardKeyList
{
	declare 96oA7iMvjn7oXiG3ghBDPaSUytT75uXceLV+Fx3XMlM=
	{
		string Hub DEFAULT
		string User user
	}
}
2021-03-01 02:49:59 +01:00
Davide Beatrici
afe576dcdc Cedar: Add "DefaultGateway" and "DefaultSubnet" virtual hub options
WireGuard does not provide any configuration messages, meaning that we cannot push the IP address we receive from the DHCP server to the client.

In order to overcome the limitation we don't perform any DHCP operations and instead just extract the source IP address from the first IPv4 packet we receive in the tunnel.

The gateway address and the subnet mask can be set using the new "SetStaticNetwork" command. The values can be retrieved using "OptionsGet".

In future we will add a "allowed source IP addresses" function, similar to what the original WireGuard implementation provides.

================================================================================

SetStaticNetwork command - Set Virtual Hub static IPv4 network parameters
Help for command "SetStaticNetwork"

Purpose:
  Set Virtual Hub static IPv4 network parameters

Description:
  Set the static IPv4 network parameters for the Virtual Hub. They are used when DHCP is not available (e.g. WireGuard sessions).
  You can get the current settings by using the OptionsGet command.

Usage:
  SetStaticNetwork [/GATEWAY:gateway] [/SUBNET:subnet]

Parameters:
  /GATEWAY - Specify the IP address of the gateway that will be used for internet communication.
  /SUBNET  - Specify the subnet mask, required to determine the size of the local VPN network.
2021-03-01 02:49:59 +01:00
mcallist
f52ccc6493 Add translation for pw_type5 for the non-english languages 2020-10-09 11:03:55 +02:00
mcallist
2e0c24f6c8 Add english translation to each language for openssl engine auth 2020-10-09 10:22:23 +02:00
Koichiro IWAO
7b73e3c0c8
hamcore: correct mistake enable/disable in help meessages 2020-09-03 21:54:50 +09:00
Davide Beatrici
5d782a67b4 Cedar/Proto_OpenVPN.c: remove redundant log messages
The "session created" and "session deleted" messages were useful when a single OPENVPN_SERVER object handled multiple UDP sessions.

Now that each session has its own OPENVPN_SERVER object and session creations/deletions are logged by PROTO, the messages are redundant.

In future we will change the OpenVPN implementation so that the multi-session handling code is deleted.

The messages were like this:

OpenVPN Module: The OpenVPN Server Module is starting.
OpenVPN Session 1 (192.168.122.211:47390 -> 0.0.0.0:1194): A new session is created. Protocol: UDP

OpenVPN Session 1 (192.168.122.211:47390 -> 0.0.0.0:1194): Deleting the session.
OpenVPN Module: The OpenVPN Server Module is stopped.
2020-08-06 22:24:45 +02:00
Davide Beatrici
cda0062367 Cedar/Proto: add ProtoLog(), write message to log on session creation/deletion
Example:

[OpenVPN] 192.168.122.100:47390 -> 0.0.0.0:1194 (UDP): Session created.
[OpenVPN] 192.168.122.100:47390 -> 0.0.0.0:1194 (UDP): Session deleted.

[OpenVPN] 192.168.122.100:49866 -> 192.168.122.1:1194 (TCP): Session created.
[OpenVPN] 192.168.122.100:49866 -> 192.168.122.1:1194 (TCP): Session deleted.
2020-08-06 22:24:24 +02:00
Davide Beatrici
6b3ac84ba2 Cedar: remove old commands and unused variables 2020-07-28 00:57:37 +02:00
Davide Beatrici
5209b310e3 Cedar/Command: add ProtoOptionsGet and ProtoOptionsSet commands
ProtoOptionsGet command - Lists the options for the specified protocol
Help for command "ProtoOptionsGet"

Purpose:
  Lists the options for the specified protocol

Description:
  This command can be used to retrieve the options for a specific protocol.
  Detailed info (e.g. value type) will be shown.
  You can change an option's value with the ProtoOptionsSet command.

Usage:
  ProtoOptionsGet [protocol]

Parameters:
  protocol - Protocol name.

ProtoOptionsSet command - Sets an option's value for the specified protocol
Help for command "ProtoOptionsSet"

Purpose:
  Sets an option's value for the specified protocol

Description:
  This command can be used to change an option's value for a specific protocol.
  You can retrieve the options using the ProtoOptionsGet command.
  To execute this command, you must have VPN Server administrator privileges.

Usage:
  ProtoOptionsSet [protocol] [/NAME:option_name] [/VALUE:string/true/false]

Parameters:
  protocol - Protocol name.
  /NAME    - Option name.
  /VALUE   - Option value. Make sure to write a value that is accepted by the specified protocol!
2020-07-28 00:57:36 +02:00
Davide Beatrici
3a275d7257 Cedar/Admin: implement RPC methods to get/set Proto options 2020-07-28 00:57:36 +02:00
Davide Beatrici
cc61c90372 Cedar/SW.c: remove "install_src.dat" file check
Previously, the file needed to be present in order for the setup to work.

This commit removes the requirement so that the setup can be ran from the build directory without the need to copy the file (which is now removed from the repository).
2020-07-27 20:59:40 +02:00
Davide Beatrici
235bd07e67 Cedar: remove "NicDownOnDisconnect" option
SoftEther VPN originally created the NIC in the UP state and never changed it, even when the the client was not connected.

The behavior was changed in 59e1483dbf, which also added the NicDownOnDisconnect option

The option was disabled by default for backwards compatibility with scripts that don't check whether the NIC is down, but it's not ideal.

This commit forces the correct behavior and removes the commands "TUNDownOnDisconnectEnable", "TUNDownOnDisconnectDisable" and "TUNDownOnDisconnectGet".
2020-06-27 22:47:04 +02:00
Davide Beatrici
c4838006b1 Cedar/SM.c: move UDP ports setting outside of the OpenVPN/SSTP dialog
This commit moves the UDP ports setting right below the TCP listeners and uses the new RPC methods to get and set them.
2020-05-20 20:18:51 +02:00
Davide Beatrici
9e6476c7b2 Cedar/Command: Implement PortsUDPGet and PortsUDPSet commands
PortsUDPSet: This command can be used to specify a single or multiple UDP ports the server should listen on. "0" can be specified to disable the UDP listener.
Administrator privileges are required to execute the command.

PortsUDPGet: This command can be used to retrieve the UDP ports the server is listening on.

The two commands replace the functionality that was previously provided by OpenVpnEnable and OpenVpnGet, respectively.
2020-05-20 20:17:53 +02:00
Davide Beatrici
f1cb86d979 Cedar/Admin: implement new RPC methods to get/set the UDP ports 2020-05-20 20:17:34 +02:00
Davide Beatrici
c4ec63fe32 Rename "OpenVPN_UdpPortList" to "PortsUDP", store ports in a LIST
Now that Proto supports UDP, the server can handle multiple protocols on each UDP port.

The UDP ports are specified by the "OpenVPN_UdpPortList" configuration setting, because:

- OpenVPN is currently the only UDP protocol supported by SoftEther VPN to allow a custom port number.
- Before Proto was introduced, a unified interface for the protocols didn't exist; each protocol implementation had to create its own listener.

In preparation for the upcoming WireGuard implementation, this commit renames "OpenVPN_UdpPortList" to "PortsUDP", which should clarify that the setting is global.

The change is reflected in the code. Also, the ports are now stored in a LIST rather than a string. The conversion between string and LIST only happens when loading/saving the configuration.

The default UDP ports are now the same as the TCP ones (443, 992, 1194, 5555).
2020-05-20 03:16:19 +02:00
Ben RUBSON
5e1c728f92
Update strtable_tw.stb 2020-05-12 22:08:59 +02:00
Paul Menzel
be3e45a4bf hamcore: Remove trailing spaces from comments 2020-03-25 12:23:55 +01:00
Daiyuu Nobori
9c227f3480 Add the warning message if KB3033929 is not installed in Windows 7 / Server 2008 R2. 2019-06-30 01:20:52 +09:00
Daiyuu Nobori
458906b151 Added JSON-RPC error message 2019-05-28 22:48:26 +09:00
Daiyuu Nobori
881f34ac56 Compacting headers, updating trivial texts to fit to the license change from GPLv2 to Apache License 2.0. 2019-01-14 12:25:53 +09:00
Daiyuu Nobori
16ed2f3e0c Documents: Switching license from GPLv2 to Apache License 2.0. 2018-12-02 09:37:24 +09:00
Davide Beatrici
aefbd2e903 Add custom HTTP header feature for HTTP proxy
A custom HTTP header can be used to bypass certain restrictions imposed on the network or to avoid speed limitations applied by the QoS.
2018-11-29 20:32:21 +01:00
Davide Beatrici
6a45921f41 OpenVPN: Add packet scrambling/obfuscation feature
This allows an OpenVPN client to bypass a firewall which is aware of the protocol and is able to block it.
The XOR mask set on the server has to be the same on the client, otherwise it will not be able to connect with certain obfuscation modes.
A special OpenVPN client built with the "XOR patch" is required in order to use this function, because it has never been merged in the official OpenVPN repository.

Two parameters are added to the server configuration: "OpenVPNObfuscationMethod" and "OpenVPNObfuscationMask".
Their value can be retrieved with "OpenVpnObfuscationGet" and set with "OpenVpnObfuscationEnable" in the VPN Command Line Management Utility.
2018-11-12 22:32:37 +01:00
Davide Beatrici
53e0a2e5e2 Add support for SOCKS5 proxy protocol 2018-10-30 15:11:16 +01:00
Davide Beatrici
e02237f397 Add string for "IF_TYPE_PROP_VIRTUAL" network interface type 2018-10-03 09:10:27 +02:00
Ilya Shipitsin
0f77b5e30e fix localization files, missing strings were taken from "en" 2018-09-23 22:24:21 +05:00
mogikanin
2ec48c765e Added string to other stb files 2018-09-19 12:10:23 +03:00
Davide Beatrici
02db806181 Remove SSLv3 support 2018-08-09 00:25:40 +02:00
MtCedarNet
dd24472089 Change 'Don't use TLS' to 'Use SSL 3.0' to clarify the danger.
Committer: MtCedarNet <mtcedar@hotmail.com>
2018-08-08 19:09:44 +09:00
Davide Beatrici
59000e04cc Merge PR #335: Retry connection on untrusted server certificate 2018-08-05 21:15:52 +02:00
Joshua Perry
28e8d4bcce Retry connection on untrusted server certificate
With server certificate validation enabled, vpnclient unconditionally
stopped connection on untrusted server certificate. Added account
configuration parameter to retry connection if server certivicate failed
validation.
2018-08-05 20:48:16 +02:00
Joshua Perry
59e1483dbf Put TUN down on client disconnect.
On startup client creates TUN interface in UP state and kept it UP even
if connection to the server was lost. Creating interface in DOWN state,
turning it UP on successful (re-)connection to server and DOWN on either
disconnect or connection loss would enable DHCP client (say dhclient5)
to detect necessity for lease renewal.

Added a client configuration parameter to create TUN interface in DOWN
state and commands to enable, disable, and query the configuration
parameter.
Enabling the parameter causes client to put all unused TUN interfaces
DOWN, create new TUN interfaces in DOWN state, and turn TUN interfaces
corresponding to active sessions DOWN on connection loss or
disconnecting from server.
Disabling the parameter forces client to turn all TUN interfaces UP and
create new TUN interfaces in UP state.
Default value is 'Disable'.
2018-08-05 17:36:05 +02:00