many thanks to Jonathan Phillibert from Amazon Web Services
for investigating and reporting that responding to such packets
might lead to traffic amplification
When memory is released and reallocated, a random security value called a canary is written to the before/after area of memory, and if the value has been modified, the process is terminated (restarted) for safety, assuming it is a buffer overflow of the memory area. This feature may effectively prevent confidentiality or integrity violations in the event that some heap area overflow vulnerability is discovered in this system in the future.
Interface grouping is available on FreeBSD and OpenBSD. This will allow
you to enumerate only SoftEther virtual interfaces or exclude SoftEther
virtual interfaces, and be helpful when making custom scripts to start
DHCP client when virtual interface become up (=VPN connection
established) for example.
Usage examples as follows.
List all interfaces' names available on the system:
```
$ ifconfig -l
vtnet0 lo0 vpn_client0 vpn_client1 vpn_client2
```
Display a list of SoftEther virtual interfaces:
```
$ ifconfig -g softether
vpn_client0
vpn_client1
vpn_client2
```
Display details about SoftEther virtual interfaces that are up:
```
$ ifconfig -a -u -g softether
vpn_client0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: SoftEther Virtual Network Adapter
options=80000<LINKSTATE>
ether 5e:71:fa:f8:91:4a
hwaddr 58:9c:fc:10:34:2a
groups: tap softether
media: Ethernet autoselect
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
Opened by PID 1445
```
Display details about interfaces except for SoftEther virtual interfaces:
```
$ ifconfig -a -G softether
vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80028<VLAN_MTU,JUMBO_MTU,LINKSTATE>
ether 58:9c:fc:00:f0:23
inet6 fe80::5a9c:fcff:fe00:f023%vtnet0 prefixlen 64 scopeid 0x1
inet 192.168.96.7 netmask 0xffffff00 broadcast 192.168.96.255
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
```
In contrast to Linux, FreeBSD's tap devices are still plumbed after fd
closed. The tap device must be destroyed in addition to closing fd
to delete virtual network interfaces used for VPN connection.
NicDelete command now works properly and virtual network interfaces used
by vpnclient are cleaned up when shutting down vpnclient.
found by coverity
CID 343528 (#1 of 1): Dereference before null check (REVERSE_INULL)
check_after_deref: Null-checking name suggests that it may be null,
but it has already been dereferenced on all paths leading to the
check.
438 if (name == NULL || k == NULL || k->private_key == false)
439 {
440 sec->Error = SEC_ERROR_BAD_PARAMETER;
441 return false;
442 }
found by coverity
CID 343537 (#1 of 1): Dereference before null check (REVERSE_INULL)
check_after_deref: Null-checking name suggests that it may be null
but it has already been dereferenced on all paths leading to the
check.
664 if (name == NULL)
665 {
666 sec->Error = SEC_ERROR_BAD_PARAMETER;
667 return false;
668 }
found by coverity
CID 343536 (#1 of 1): Dereference before null check (REVERSE_INULL)
check_after_deref: Null-checking name suggests that it may be null, but
it has already been dereferenced on all paths leading to the check.
1339 if (name == NULL || data == NULL || size == 0)
1340 {
1341 sec->Error = SEC_ERROR_BAD_PARAMETER;
1342 return false;
1343 }
=================================================================
==1505093==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000366b88 at pc 0x7f72afadc34a bp 0x7f72990fa390 sp 0x7f72990fa388
READ of size 4 at 0x607000366b88 thread T22
#0 0x7f72afadc349 in GetCaps /home/ilia/SoftEtherVPN/src/Cedar/Server.c:1861
#1 0x7f72afadc382 in GetCapsInt /home/ilia/SoftEtherVPN/src/Cedar/Server.c:1802
#2 0x7f72afaf72a5 in GetServerCapsInt /home/ilia/SoftEtherVPN/src/Cedar/Server.c:1098
#3 0x7f72afaf7318 in GetServerCapsBool /home/ilia/SoftEtherVPN/src/Cedar/Server.c:1104
#4 0x7f72afaf771e in SiWriteHubCfg /home/ilia/SoftEtherVPN/src/Cedar/Server.c:4887
#5 0x7f72afaf771e in SiWriteHubCfg /home/ilia/SoftEtherVPN/src/Cedar/Server.c:4824
#6 0x7f72afaf7c0b in SiWriteHubs /home/ilia/SoftEtherVPN/src/Cedar/Server.c:5548
#7 0x7f72afaf7c0b in SiWriteHubs /home/ilia/SoftEtherVPN/src/Cedar/Server.c:5515
#8 0x7f72afaf81d6 in SiWriteConfigurationToCfg /home/ilia/SoftEtherVPN/src/Cedar/Server.c:3166
#9 0x7f72afaf86bc in SiWriteConfigurationFile /home/ilia/SoftEtherVPN/src/Cedar/Server.c:6593
#10 0x7f72afaf86bc in SiWriteConfigurationFile /home/ilia/SoftEtherVPN/src/Cedar/Server.c:6569
#11 0x7f72afaf8914 in SiSaverThread /home/ilia/SoftEtherVPN/src/Cedar/Server.c:6561
#12 0x7f72afaf8914 in SiSaverThread /home/ilia/SoftEtherVPN/src/Cedar/Server.c:6547
#13 0x7f72af6e0cfa in ThreadPoolProc /home/ilia/SoftEtherVPN/src/Mayaqua/Kernel.c:872
#14 0x7f72af6e0cfa in ThreadPoolProc /home/ilia/SoftEtherVPN/src/Mayaqua/Kernel.c:827
#15 0x7f72af76eeb4 in UnixDefaultThreadProc /home/ilia/SoftEtherVPN/src/Mayaqua/Unix.c:1604
#16 0x7f72af4ffc56 in start_thread (/lib64/libc.so.6+0x8cc56) (BuildId: 6107835fa7d4725691b2b7f6aaee7abe09f493b2)
#17 0x7f72af585a6f in __clone3 (/lib64/libc.so.6+0x112a6f) (BuildId: 6107835fa7d4725691b2b7f6aaee7abe09f493b2)
0x607000366b88 is located 24 bytes inside of 72-byte region [0x607000366b70,0x607000366bb8)
freed by thread T0 here:
#0 0x7f72afed7fc8 in __interceptor_free.part.0 (/lib64/libasan.so.8+0xd7fc8) (BuildId: 9501248886f79bf1482f3e153f794be742818172)
#1 0x7f72af76ed6f in UnixMemoryFree /home/ilia/SoftEtherVPN/src/Mayaqua/Unix.c:2072
previously allocated by thread T22 here:
#0 0x7f72afed92ff in malloc (/lib64/libasan.so.8+0xd92ff) (BuildId: 9501248886f79bf1482f3e153f794be742818172)
#1 0x7f72af76f35d in UnixMemoryAlloc /home/ilia/SoftEtherVPN/src/Mayaqua/Unix.c:2053
Thread T22 created by T0 here:
#0 0x7f72afe48966 in pthread_create (/lib64/libasan.so.8+0x48966) (BuildId: 9501248886f79bf1482f3e153f794be742818172)
#1 0x7f72af76f713 in UnixInitThread /home/ilia/SoftEtherVPN/src/Mayaqua/Unix.c:1683
SUMMARY: AddressSanitizer: heap-use-after-free /home/ilia/SoftEtherVPN/src/Cedar/Server.c:1861 in GetCaps
Shadow bytes around the buggy address:
0x607000366900: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
0x607000366980: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
0x607000366a00: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa
0x607000366a80: fa fa 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
0x607000366b00: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fd fd
=>0x607000366b80: fd[fd]fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x607000366c00: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
0x607000366c80: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
0x607000366d00: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x607000366d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x607000366e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
TALOS-2023-1741
CVE-2023-23581
SoftEther VPN vpnserver EnSafeHttpHeaderValueStr denial of service
vulnerability
A denial of service vulnerability exists in the vpnserver
EnSafeHttpHeaderValueStr functionality of SoftEther VPN 5.01.9674 and
5.02. A specially-crafted network packet can lead to denial of service.
specially crafted network packet lead to buffer overrun and process
crash. working exploit was provided by Cisco Talos team.
An integer underflow vulnerability exists in the vpnserver
OvsProcessData functionality of SoftEther VPN 5.01.9674 and 5.02. A
specially-crafted network packet can lead to denial of service. An
attacker can send a malicious packet to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by
Talos or confirmed to be vulnerable by the vendor.
SoftEther VPN 5.01.9674
SoftEther VPN 5.02
While 5.01.9674 is a development version, it is distributed at the time
of writing by Ubuntu and other Debian-based distributions.
Before change, contiguous whitespaces appeared in version string.
This room is for beta string (such as Alpha, Beta) and beta number but
it looks a bit odd if the build is not alpha/beta/RC.
> Version 5.02 Build 5180 Alpha 3 (Japanese)
> Version 5.02 Build 5180 Beta 3 (Japanese)
> Version 5.02 Build 5180 Release Candidate 3 (Japanese)
> Version 5.02 Build 5180 (Japanese)
> ^^^
Now version string looks neat like this:
> Version 5.02 Build 5180 (Japanese)
> Version 5.02 Build 5180 Release Candidate 3 (Japanese)
This is just a cosmetic problem in the result of "Caps" command which
gets the list of server functions/capability. There's no behavioural
change in SoftEtherVPN whether running on VM so far.
On Ubuntu Server 22.04 LTS (and newer?), the ./configure command fails because the 'pkgconf' package is not installed by default. Suggest that the 'pkgconf' package be installed in this command line.
1875 if (mutex == NULL)
1876 {
CID 367204 (#1 of 1): Resource leak (RESOURCE_LEAK)4. leaked_storage: Variable lock going out of scope leaks the storage it points to.
1877 return NULL;
1878 }
On FreeBSD the stock code will attempt to expand the interface MTU any time a packet is to be sent that exceeds the current MTU. This results in a down/up on the interface that is wildly disruptive to existing services on that adapter and, eventually, is likely to run into MTU limits and start logging failures, even with jumbo-frame capable adapters. Thus if compiling on a FreeBSD machine disable this capability. Tested against 12.3-STABLE and 13.1-STABLE on v4.38-9760 from the FreeBSD ports tree but likely applies here as well; see bug report https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267178
OpenVPN always allowed 8 ACKs in P_ACK_V1 packets but only used
up to 4 in other control packets. Since Softether drops all packets with
more than 4 ACKs it also drops legimate P_ACK_V1.
See also this issue: https://github.com/schwabe/ics-openvpn/issues/1486
On big endian system, while store 32 bits and 16bits number in memory of UINT64 variable "tmp", first 4 bytes of it always be zero makes "cookie" and "size" always be zero, lead to udpaccel unusable.
This would be a very useful link/info to include I think, or is there some reason not to?
Also a small update to clarify what can be found at softether-download.com
We need the function since 9dbbfcd388, but unfortunately it's not provided by LibreSSL.
By introducing a build time check we inform the user about the issue explicitly instead of just letting compilation fail.
GenX25519 command - Create new X25519 keypair
Help for command "GenX25519"
Purpose:
Create new X25519 keypair
Description:
Use this to create a new X25519 keypair, which can be used for WireGuard.
Both the private and public key will be shown.
The public key can be shared and is used to identify a peer.
Also, it can always be retrieved from the private key using the GetPublicX25519 command.
The private key should be kept in a secure place and never be shared.
It cannot be recovered once lost.
Usage:
GenX25519
==========================================================================================
GetPublicX25519 command - Retrieve public X25519 key from a private one
Help for command "GetPublicX25519"
Purpose:
Retrieve public X25519 key from a private one
Description:
Use this if you have a private X25519 key and want to get its corresponding public key.
Usage:
GetPublicX25519 [private]
Parameters:
private - The private X25519 key you want to get the corresponding public key of.
The files are created in a new folder to keep the source tree tidier.
Please note that only X25519/X448 keys are supported due to an OpenSSL limitation:
https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_new.html
We have functions that handle AES keys in Encrypt.c/.h.
Ideally we should move them into the new files.
Our own implementation works fine, however we should use OpenSSL's one since we already link to the library.
Base64Decode() and Base64Encode() return the required buffer size when "dst" is NULL.
This allows to efficiently allocate a buffer, without wasting memory or risking an overflow.
Base64FromBin() and Base64ToBin() perform all steps, returning a heap-allocated buffer with the data in it.
* change `ReadOnlyDirectories` -> `ReadOnlyPaths` and `ReadWriteDirectories` -> `ReadWritePaths`
* add `ReadWritePaths` for other necessary directories (this should address #1111)
* add "common" package provides for `libcedar.so()(64bit)` to allow `softether-vpnserver` package to install properly
* exclude `/lib/systemd/system` paths from RPM package file listing to prevent file conflicts when installing RPM (these paths already are "owned" by the systemd RPM)
Turns out %S refers to ANSI/UTF-8 and %s to UTF-16.
This commit fixes a buffer overflow reported by AddressSanitizer and removes an unnecessary conversion to UTF-16.
The open-source project began with version 1.00, build 9022.
With the exception of an informative message fallback for builds older than 9428 (2014), all checks were for closed-source builds.
- <pthread.h> included for the "pthread_t" type definition.
- <net/ethernet.h> include removed as the header doesn't exist.
- AI_ALL and AI_V4MAPPED defined to 0 as the options don't exist.
52 bytes in 2 blocks are definitely lost in loss record 5 of 13
at 0x483877F: malloc (vg_replace_malloc.c:307)
by 0x4ABB1BB: UnixMemoryAlloc (Unix.c:2033)
by 0x4A7FABF: InternalMalloc (Memory.c:3819)
by 0x4A7B769: MallocEx (Memory.c:3650)
by 0x4A7B769: Malloc (Memory.c:3641)
by 0x4AA71A9: CopyStr (Str.c:1884)
by 0x4A61A9C: DnsCacheReverseUpdate (DNS.c:257)
by 0x4A62123: DnsResolveReverse (DNS.c:506)
by 0x4A93EB3: GetHostName (Network.c:15023)
by 0x4A93EB3: AcceptInitEx (Network.c:12589)
by 0x4934659: TCPAcceptedThread (Listener.c:172)
by 0x4A76469: ThreadPoolProc (Kernel.c:872)
by 0x4ABD159: UnixDefaultThreadProc (Unix.c:1589)
by 0x51C2EA6: start_thread (pthread_create.c:477)
2,280 (684 direct, 1,596 indirect) bytes in 9 blocks are definitely lost in loss record 11 of 13
at 0x483877F: malloc (vg_replace_malloc.c:307)
by 0x4C65AC5: gaih_inet.constprop.0 (getaddrinfo.c:1058)
by 0x4C67224: getaddrinfo (getaddrinfo.c:2256)
by 0x4A61E06: DnsResolver (DNS.c:404)
by 0x4A76469: ThreadPoolProc (Kernel.c:872)
by 0x4ABD159: UnixDefaultThreadProc (Unix.c:1589)
by 0x51C2EA6: start_thread (pthread_create.c:477)
by 0x4C7CDEE: clone (clone.S:95)
Also, the default timeout value is set to 30000 (milliseconds) instead of 10000.
The change is made because it was reported that some routers failed to connect in time.
This commit also fixes a bug which caused the server to initialize all boolean options to false.
It was caused by SiLoadProtoCfg() not checking whether the item exists in the configuration file.
CfgGetBool() always returns false if the item doesn't exist.
it turned out to be almost impossible to install libsodium on
OpenSUSE (for example Factory repo url is broken).
Let us drop OpenSUSE builds for a while. Maybe we'll get them back later.
From a functional point of view, the main improvement is that GetIP() now always prioritizes IPv6 over IPv4.
The previous implementation always returned an IPv4 address, unless not available: in such case it failed.
This means that now connections to hostnames should be established via IPv6 if available.
From a programmer point of view, getting rid of the insane wrappers is enough to justify a complete rewrite.
As an extra, several unrelated unused global variables are removed.
Before this commit, the IP address reported by the NAT-T server was immediately discarded.
That's because the peer should be accessible via the IP address used to establish the TCP connection.
User "domosekai" (https://www.domosekai.com) pointed out that the NAT-T IP address should be taken into account.
In his case it's required due to his broadband carrier's NAT causing TCP and UDP to have different external IPs.
Co-authored-by: domosekai <54519668+domosekai@users.noreply.github.com>
This greatly improves performance and reduces the binary's size (~0.2 MB vs ~5 MB).
All recent Windows versions are supported, starting with Vista.
No dialogs are created, aside from error/warning ones in case of failure.
The only dependency (aside from Windows libraries) is libhamcore.
The bug caused ProtoOptionsGet and ProtoOptionsSet not to work anymore after c90617e0e86dedf78e0e3c8a71263a80eec29caa.
The functions were introduced in aa65327e73, but the issue went unnoticed because bool was the same as UINT.
BOOL was just an alias for bool, this commit replaces all instances of it for consistency.
For some reason bool was defined as a 4-byte integer instead of a 1-byte one, presumably to match WinAPI's definition: https://docs.microsoft.com/en-us/windows/win32/winprog/windows-data-types
Nothing should break now that bool is 1-byte, as no protocol code appears to be relying on the size of the data type.
PACK, for example, explicitly stores boolean values as 4-byte integers.
This commit can be seen as a follow-up to 61ccaed4f6.
This commit:
- Switches from Ubuntu 16.04 to 18.04 for all builds, mainly in order to use a more recent version of libsodium.
- Installs libsodium, used by the WireGuard implementation.
WgkAdd command - Add a WireGuard key
Help for command "WgkAdd"
Purpose:
Add a WireGuard key
Description:
This command can be used to add a WireGuard key to the allowed key list.
To execute this command, you must have VPN Server administrator privileges.
Usage:
WgkAdd [key] [/HUB:hub] [/USER:user]
Parameters:
key - WireGuard key. Make sure it is the public one!
/HUB - Hub the key will be associated to.
/USER - User the key will be associated to, in the specified hub.
================================================================================
WgkDelete command - Delete a WireGuard key
Help for command "WgkDelete"
Purpose:
Delete a WireGuard key
Description:
This command can be used to delete a WireGuard key from the allowed key list.
To execute this command, you must have VPN Server administrator privileges.
Usage:
WgkDelete [key]
Parameters:
key - WireGuard key.
================================================================================
WgkEnum command - List the WireGuard keys
Help for command "WgkEnum"
Purpose:
List the WireGuard keys
Description:
This command retrieves the WireGuard keys that are allowed to connect to the server, along with the associated Virtual Hub and user.
You can add a key with the WgkAdd command.
You can delete a key with the WgkDelete command.
To execute this command, you must have VPN Server administrator privileges.
Usage:
WgkEnum
Please note that the implementation is not 100% conformant to the protocol whitepaper (https://www.wireguard.com/papers/wireguard.pdf).
More specifically: all peers are expected to send a handshake initiation once the current keypair is about to expire or is expired.
I decided not to do that because our implementation is meant to act as a server only. A true WireGuard peer acts, instead, as both a client and a server.
Once the keypair is expired, we immediately delete the session.
The cookie mechanism can be implemented in future.
As for authentication: unfortunately using the already existing methods is not possible due to the protocol not providing a way to send strings to a peer.
That's because WireGuard doesn't have a concept of "users": it identifies a peer through the public key, which is determined using the source address.
As a solution, this commit adds a special authentication method: once we receive the handshake initiation message and decrypt the peer's public key, we check whether it's in the allowed key list.
If it is, we retrieve the associated Virtual Hub and user; if the hub exists and the user is in it, the authentication is successful.
The allowed key list is stored in the configuration file like this:
declare WireGuardKeyList
{
declare 96oA7iMvjn7oXiG3ghBDPaSUytT75uXceLV+Fx3XMlM=
{
string Hub DEFAULT
string User user
}
}
WireGuard does not provide any configuration messages, meaning that we cannot push the IP address we receive from the DHCP server to the client.
In order to overcome the limitation we don't perform any DHCP operations and instead just extract the source IP address from the first IPv4 packet we receive in the tunnel.
The gateway address and the subnet mask can be set using the new "SetStaticNetwork" command. The values can be retrieved using "OptionsGet".
In future we will add a "allowed source IP addresses" function, similar to what the original WireGuard implementation provides.
================================================================================
SetStaticNetwork command - Set Virtual Hub static IPv4 network parameters
Help for command "SetStaticNetwork"
Purpose:
Set Virtual Hub static IPv4 network parameters
Description:
Set the static IPv4 network parameters for the Virtual Hub. They are used when DHCP is not available (e.g. WireGuard sessions).
You can get the current settings by using the OptionsGet command.
Usage:
SetStaticNetwork [/GATEWAY:gateway] [/SUBNET:subnet]
Parameters:
/GATEWAY - Specify the IP address of the gateway that will be used for internet communication.
/SUBNET - Specify the subnet mask, required to determine the size of the local VPN network.
The WireGuard implementation will have two options that should not have a fixed default value, because they represent two keys (one is preshared, the other is private).
Instead of handling these two options differently in ProtoNewContainer(), this commit adds a new function to PROTO_IMPL: ProtoOptionString().
ProtoOptionString() takes the option's name as argument and returns a heap-allocated string that will be used as value. The function returns NULL when the option doesn't need a randomized value.
This new implementation can be easily compiled and executed without the need for other components to be present.
It relies on standard C functions, aside from stat() which is part of POSIX but available on Windows as well.
There's only one third-party dependency, which is tinydir: a single-file header-only library for traversing directories.
2575 // Address
at_least: At condition size < 1U, the value of size must be at least 1.
cannot_single: At condition size < 1U, the value of size cannot be equal to 0.
dead_error_condition: The condition size < 1U cannot be true.
2576 if (size < 1)
2577 {
CID 287533 (#1 of 1): Logically dead code (DEADCODE)dead_error_line: Execution cannot reach this statement: goto LABEL_ERROR;.
2578 goto LABEL_ERROR;
2579 }
CID 355460 (#1 of 1): Dereference before null check (REVERSE_INULL)check_after_deref: Null-checking p suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
737 if (p == NULL)
738 {
739 return false;
740 }
CID 287561 (#1 of 1): Array compared against 0 (NO_EFFECT)array_null: Comparing an array to null is not useful: src == NULL, since the test will always evaluate as true.
Was src formerly declared as a pointer?
3748 if (cedar == NULL || src == NULL || dst == NULL)
3749 {
3750 return false;
3751 }
(gdb) bt
0 0x00007f43857a5e14 in __GI___pthread_mutex_init (mutex=0x0, mutexattr=0x0) at pthread_mutex_init.c:89
1 0x00007f4385eaaf1b in UnixNewLock () at SoftEtherVPN/src/Mayaqua/Unix.c:1845
2 0x00007f4385e92331 in NewLockMain () at SoftEtherVPN/src/Mayaqua/Object.c:89
3 0x00007f4385e92359 in NewLock () at SoftEtherVPN/src/Mayaqua/Object.c:101
4 0x00007f4385e92765 in NewCounter () at SoftEtherVPN/src/Mayaqua/Object.c:171
5 0x00007f4385e92e76 in NewRef () at SoftEtherVPN/src/Mayaqua/Object.c:339
6 0x00007f4385e76939 in NewSkEx (no_compact=0) at SoftEtherVPN/src/Mayaqua/Memory.c:863
7 0x00007f4385e68c95 in NormalizePathW (
dst=0x7ffe65932940 L"\xd6ff2ffb\xfbf14ce5\xad8669ca\x41998a9c\x5107d62d\x8d2ab3f2\x37ceaad2\xffc947ec\xad8ed8d8\x33e9f2f7\xc05723a9\x843263e3\x5516beb3\x12571e2a\xd81405f3\xf92194fe\xd807aa98\x12835b01\x243185be\x550c7dc3\xfd74170d\x12835b01\x553185be\x550c7dc3\x72be5d74\x80deb1fe\x9bdc06a7\xc19bf1f4\x72be5d74\x80deb1fe\x9bdc06a7\xc19bf174\x894d4018\xc54302b8\x145dc92\x143b3917\x62aa4fb8\x915764b1\xd5e11bef\x9d5fbc5\xb956c25b\x59f111f1\x923f82a4\xab1c5ed5\x3956c25b\x59f111f1\x923f82a4\xab1c5ed5\xbaeb40", size=2048, src=<optimized out>)
at SoftEtherVPN/src/Mayaqua/FileIO.c:1960
8 0x00007f4385e69188 in ConbinePathW (
dst=0x7ffe65932940 L"\xd6ff2ffb\xfbf14ce5\xad8669ca\x41998a9c\x5107d62d\x8d2ab3f2\x37ceaad2\xffc947ec\xad8ed8d8\x33e9f2f7\xc05723a9\x843263e3\x5516beb3\x12571e2a\xd81405f3\xf92194fe\xd807aa98\x12835b01\x243185be\x550c7dc3\xfd74170d\x12835b01\x553185be\x550c7dc3\x72be5d74\x80deb1fe\x9bdc06a7\xc19bf1f4\x72be5d74\x80deb1fe\x9bdc06a7\xc19bf174\x894d4018\xc54302b8\x145dc92\x143b3917\x62aa4fb8\x915764b1\xd5e11bef\x9d5fbc5\xb956c25b\x59f111f1\x923f82a4\xab1c5ed5\x3956c25b\x59f111f1\x923f82a4\xab1c5ed5\xbaeb40", size=2048,
dirname=0xbace10 L"/root/.local/bin", filename=0x7ffe65932100 L"SoftEtherVPN/build/vpntest") at SoftEtherVPN/src/Mayaqua/FileIO.c:1686
9 0x00007f4385e6af48 in UnixGetExeNameW (name=0x7f4385ede820 <exe_file_name_w> L"/tmp/a.out", size=2048, arg=0xbb5050 L"./vpntest") at SoftEtherVPN/src/Mayaqua/FileIO.c:1401
10 0x00007f4385e6b04b in InitGetExeName (arg=<optimized out>) at SoftEtherVPN/src/Mayaqua/FileIO.c:1367
11 0x00007f4385e7470a in InitMayaqua (memcheck=memcheck@entry=0, debug=debug@entry=1, argc=argc@entry=3, argv=argv@entry=0x7ffe659340e8)
at SoftEtherVPN/src/Mayaqua/Mayaqua.c:456
12 0x0000000000401282 in main (argc=3, argv=0x7ffe659340e8) at SoftEtherVPN/src/vpntest/vpntest.c:259
"2050 LA_DEL_CRL" - this entry appear in logfile when you delete cert from Certificate Revocation List. Thats why need to change it.
"2051 LA_SET_CRL" - this entry must appear in logfile when you edit cert in Certificate Revocation List, but it doesn't happen (perhaps it's a bug)
The script on our server bumps the build number for every new version + commit combination.
Each combination is associated to a unique build number and vice versa.
There's a separate counter for each version.
The reason why we cannot just use "git describe --tags --dirty" is because it relies on the last tag's name and generates a string like "5.01.9674-212-g54280853".
What we want, instead, is the last part of the version to be increased for every build.
Then, once we consider the branch stable enough, we create a tag like "5.01" and bump the version immediately after the new release.
Please note that for pull requests the build number will always be 0, because the secret token is only available in the Nightly pipeline.
The BUILD_NUMBER option controls the last part of the version, allowing us to increase it for each build.
This commit also adds version.py, which simply prints the version (e.g. "5.01") specified in CMakeLists.txt.
The script will be used to determine the build number.
Since 35200a29ea we build complete installers using CMake, meaning that there's no need for BuildUtil anymore.
MSBuild projects that are not migrated to CMake yet are kept for reference.
This commit also updates BUILD_WINDOWS.md so that it mentions Visual Studio 2019 instead of 2017.
To solve the problem that the escape condition of the loop that tries name resolution in UDP mode was reversed in the keep-alive function of the Internet connection, so the name resolution retry is set to 250 msec interval instead of the normal 60 second interval.
This works for all VPN protocols.
In SessionMain(): for DHCPDISCOVER and DHCPREQUEST frames, write the static IP address (which is retrieved from the user notes) in the SIADDR field of DHCPHEADER.
In VirtualDhcpServer(): for DHCPDISCOVER and DHCPREQUEST frames, read the static IP address from the SIADDR field of DHCPHEADER and assign it to the client.
- When building on Windows XP using Visual Studio 2008, I encountered the following issue.
- I did a fresh install of Windows XP SP3 32-bit, then applied updates including .NET 3.5. Next I installed MS Visual Studio 2008, then updated with sp1. All of this according to the documentation in your readme for building on Windows.
- In file src/BuildUtils/VpnBuilder.cs, there are two "if" statements testing the same thing, which is to determine if it is a 32-bit or 64-bit machine/compiler. But the then and else clauses are reversed, so clearly, one of them is wrong. The result I saw is that the SDK path being used to run RC.exe is left as the NULL string and so it fails to run the RC.exe program.
- This happens early in the build process, building the build utils. The two "if" statements are used to set paths for the Visual Studio VC and SDK directories. Depending on the integer pointer size, it uses different paths in the registry.
- When I looked in the registry on my Windows XP machine, there is no key HKLM\SOFTWARE\Wow6432Node, I have only seen that on 64-bit machines.
- For the fix, I consolidated the two "if" statements into one, the existing statement on line 380 would only set a value for Paths.VisualStudioVCDir (which got set correctly). Now I moved the code for also setting Paths.MicrosoftSDKDir, while reversing the values from the incorrectly coded "if" statement.
- I can understand that under certain circumstances, this issue would not be encountered, but should be easily reproducible when installing a clean system.
error: cannot initialize a variable of type 'wchar_t *' with an lvalue of type 'const wchar_t [4]'
wchar_t *protocol_str = (udp ? L"UDP" : L"TCP");
^ ~~~~~~~~~~~~~~~~~~~~~~~
The "session created" and "session deleted" messages were useful when a single OPENVPN_SERVER object handled multiple UDP sessions.
Now that each session has its own OPENVPN_SERVER object and session creations/deletions are logged by PROTO, the messages are redundant.
In future we will change the OpenVPN implementation so that the multi-session handling code is deleted.
The messages were like this:
OpenVPN Module: The OpenVPN Server Module is starting.
OpenVPN Session 1 (192.168.122.211:47390 -> 0.0.0.0:1194): A new session is created. Protocol: UDP
OpenVPN Session 1 (192.168.122.211:47390 -> 0.0.0.0:1194): Deleting the session.
OpenVPN Module: The OpenVPN Server Module is stopped.
ProtoHandleDatagrams() takes care of deleting a session if marked as halted.
However, the check is performed when a packet for that session is received; that never happens if the remote host doesn't send at least a packet.
This commit fixes the issue by moving the check into the loop that iterates through all sessions.
ProtoOptionsGet command - Lists the options for the specified protocol
Help for command "ProtoOptionsGet"
Purpose:
Lists the options for the specified protocol
Description:
This command can be used to retrieve the options for a specific protocol.
Detailed info (e.g. value type) will be shown.
You can change an option's value with the ProtoOptionsSet command.
Usage:
ProtoOptionsGet [protocol]
Parameters:
protocol - Protocol name.
ProtoOptionsSet command - Sets an option's value for the specified protocol
Help for command "ProtoOptionsSet"
Purpose:
Sets an option's value for the specified protocol
Description:
This command can be used to change an option's value for a specific protocol.
You can retrieve the options using the ProtoOptionsGet command.
To execute this command, you must have VPN Server administrator privileges.
Usage:
ProtoOptionsSet [protocol] [/NAME:option_name] [/VALUE:string/true/false]
Parameters:
protocol - Protocol name.
/NAME - Option name.
/VALUE - Option value. Make sure to write a value that is accepted by the specified protocol!
PROTO_OPTION is a structure that describes an option (who would've guessed?).
It's designed in a way that allows it to occupy as low memory as possible, while providing great flexibility.
The idea is similar to the one implemented in LIST for trivial types, with the difference that PROTO_OPTION doesn't require casting due to the use of union.
AppVeyor provides vcpkg and a great guide explaining how to use it and cache the installed packages: https://www.appveyor.com/docs/lang/cpp/#vc-packaging-tool
However, we're currently relying on Azure Pipelines for the Windows builds and keeping one on AppVeyor would be a waste of CI resources.
This commit also changes the x86 build so that it uses the "amd64_x86" toolchain, for potentially better build performance.
The architecture is now appended to the installers.
The purpose of the configuration was to build installers and continually verify that MSVC 2008 could still build the project.
MSVC 2008 was a requirement because we wanted to maintain support for very old versions of Windows (9x).
During the past few years we encountered many annoying limitations due to that requirement, such as the lack of support for designated initializers.
We ended up deciding to only keep support for operating systems older than 7 in the stable repository.
As for the installers, we now build them on Azure Pipelines (currently with MSVC 2019).
The reason why we don't build these two targets is that they're not used.
More specifically: they require proper configuration to work correctly, which is currently missing.
While vpninstall may be worth salvaging, vpnweb is definitely a relict of the past because it relies on ActiveX.
vpndrvinst is the name of the target and thus the default output name, let's use it.
`vpndrvinst.exe" also sounds less fishy than "driver_installer.exe"...
BuildUtil compiles the project as 32 bit and 64 bit, before building the installer package.
64 bit binaries have the "_x64" suffix and are added to the package alongside the 32 bit ones (that have no suffix).
The CMake project compiles the binaries for a single architecture and they have no suffix.
We decided that providing two separate installers is the best solution.
As for the binaries with the "_ia64" suffix: they never existed during the this repository's lifespan.
The MSBuild project built the binary into "src/bin/hamcore", causing it to be added to "hamcore.se2".
As hinted by the name of the file ("vpnsetup_nosign.exe"), it is not signed by BuildUtil, possibly to save time (the setup package is signed).
The CMake project builds the binary in the same directory as the other ones, allowing the setup to install them without the need to build a package.
Previously, the file needed to be present in order for the setup to work.
This commit removes the requirement so that the setup can be ran from the build directory without the need to copy the file (which is now removed from the repository).
The inclusion of the headers is probably a very old leftover, from when OpenSSL was not encapsulated into Mayaqua yet.
In fact, there was a "HAM_C" (defined in vpndrvinst.c) definition check in Mayaqua/Encrypt.h preventing the redefinition of OpenSSL types.
When "VPN_EXE" is defined, Mayaqua.h defines WinMain(), which handles arguments in a special way.
This commit passes "WIN32" to add_executable(), so that WinMain() is used as entry point instead of main().
The use of main() instead of WinMain() was causing service mode not to work due to the "/service" argument being discarded.
Our CMake project used to forcefully create and use two different build directories: "build" and "tmp".
This commit changes the behavior so that only the build directory CMake is ran in is used.
The "configure" script now runs CMake in "build" by default, instead of "tmp".
strtok() and wcstok() are considered unsafe functions.
A segmentation fault caused by the use of strtok() was recently reported.
Co-authored-by: Takuho NAKANO <takotakot@users.noreply.github.com>
The SSTP implementation doesn't provide packet identification, because it's not required: the protocol is identified by the HTTP header it sends to the server.
"ClientOption", as the name implies, is only used in a client context.
The issue was introduced in 235bd07e67. Before that, an unrelated check prevented UnixVLanSetState() from being called in a server context.
SoftEther VPN originally created the NIC in the UP state and never changed it, even when the the client was not connected.
The behavior was changed in 59e1483dbf, which also added the NicDownOnDisconnect option
The option was disabled by default for backwards compatibility with scripts that don't check whether the NIC is down, but it's not ideal.
This commit forces the correct behavior and removes the commands "TUNDownOnDisconnectEnable", "TUNDownOnDisconnectDisable" and "TUNDownOnDisconnectGet".
PortsUDPSet: This command can be used to specify a single or multiple UDP ports the server should listen on. "0" can be specified to disable the UDP listener.
Administrator privileges are required to execute the command.
PortsUDPGet: This command can be used to retrieve the UDP ports the server is listening on.
The two commands replace the functionality that was previously provided by OpenVpnEnable and OpenVpnGet, respectively.
Originally, StrToPortList() returned NULL when it encountered a number equal to 0 or higher than 65535.
This commit adds a new parameter to the function called "limit_range":
- When its value is true, the function retains the original behavior.
- When its value is false, the function doesn't check whether the number is in the network port number range (1-65535).
The change is required because the command to set the UDP ports will allow to remove all ports by specifying "0" as the port number.
Now that Proto supports UDP, the server can handle multiple protocols on each UDP port.
The UDP ports are specified by the "OpenVPN_UdpPortList" configuration setting, because:
- OpenVPN is currently the only UDP protocol supported by SoftEther VPN to allow a custom port number.
- Before Proto was introduced, a unified interface for the protocols didn't exist; each protocol implementation had to create its own listener.
In preparation for the upcoming WireGuard implementation, this commit renames "OpenVPN_UdpPortList" to "PortsUDP", which should clarify that the setting is global.
The change is reflected in the code. Also, the ports are now stored in a LIST rather than a string. The conversion between string and LIST only happens when loading/saving the configuration.
The default UDP ports are now the same as the TCP ones (443, 992, 1194, 5555).
*** CID 358434: Null pointer dereferences (REVERSE_INULL)
/src/Cedar/Proto.c: 451 in ProtoHandleDatagrams()
445 void ProtoHandleDatagrams(UDPLISTENER *listener, LIST *datagrams)
446 {
447 UINT i;
448 HASH_LIST *sessions;
449 PROTO *proto = listener->Param;
450
>>> CID 358434: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "listener" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
451 if (proto == NULL || listener == NULL || datagrams == NULL)
452 {
453 return;
454 }
455
456 sessions = proto->Sessions;
As a side effect, the DH parameter is now applied to the TCP server as well.
Previously, the default value was always used, ignoring the one from the configuration.
When a datagram is received, the matching session is looked up in a hash list; if it's not found, a new session is created.
This method allows to use a single UDP port for multiple protocols, as we do with TCP.
Also, each session has its own dedicated thread, used to process the received datagrams and generate the ones that are then sent through the UDP listener.
In addition to guaranteeing constant performance, separate threads also prevent a single one from blocking all sessions.
This allows to stop a UDP listener without deleting it.
It's especially useful when no datagrams should be received anymore, but there are other threads accessing the listener.
- An additional parameter is added to IsPacketForMe(), used to specify the protocol type (currently either TCP or UDP).
- SupportedModes() is dropped because it's now redundant.
- IsOk() and EstablishedSessions() are dropped because error checking should be handled by the implementation.
- ProtoImplDetect() now takes a buffer and its size rather than a SOCK, so that it can be used to detect UDP protocols.
- The OpenVPN toggle check is moved to ProtoImplDetect(), so that we don't have to duplicate it once UDP support is implemented.
The PROTO structure is now used to identify the system as a whole, rather than a single protocol. It's stored and initialized in Server.
ProtoCompare(), ProtoAdd() and ProtoDetected() are renamed to make the difference between PROTO and PROTO_IMPL more clear.
ProtoGet() and ProtoNum() are removed because the related list can now be accessed directly by Server.
2020-05-01 07:14:38 +02:00
554 changed files with 40887 additions and 100269 deletions
- 7z a "%APPVEYOR_BUILD_FOLDER%\%APPVEYOR_PROJECT_NAME%_%APPVEYOR_BUILD_VERSION%_Windows_x86_%CONFIGURATION%_PDBs-vs2015.zip" "%APPVEYOR_BUILD_FOLDER%\src\DebugFiles\pdb\Win32_Release\*.pdb"
- 7z a "%APPVEYOR_BUILD_FOLDER%\%APPVEYOR_PROJECT_NAME%_%APPVEYOR_BUILD_VERSION%_Windows_x64_%CONFIGURATION%_PDBs-vs2015.zip" "%APPVEYOR_BUILD_FOLDER%\src\DebugFiles\pdb\x64_Release\*.pdb"
- 7z a "%APPVEYOR_BUILD_FOLDER%\%APPVEYOR_PROJECT_NAME%_%APPVEYOR_BUILD_VERSION%_Windows_x64_%CONFIGURATION%-vs2017.zip" "%APPVEYOR_BUILD_FOLDER%\build\*.exe"
- 7z a "%APPVEYOR_BUILD_FOLDER%\%APPVEYOR_PROJECT_NAME%_%APPVEYOR_BUILD_VERSION%_Windows_x64_%CONFIGURATION%-vs2017.zip" "%APPVEYOR_BUILD_FOLDER%\build\hamcore.se2"
- 7z a "%APPVEYOR_BUILD_FOLDER%\%APPVEYOR_PROJECT_NAME%_%APPVEYOR_BUILD_VERSION%_Windows_x64_%CONFIGURATION%_PDBs-vs2017.zip" "%APPVEYOR_BUILD_FOLDER%\build\*.pdb"
about:This repository is for SoftEther VPN 5.x Developer Edition, developed independently from SoftEther VPN 4.x. Visit vpnusers.com if you would like to report issues or ask questions about version 4.x!
|GitLab CI|[](https://gitlab.com/SoftEther/SoftEtherVPN/pipelines)|
|Cirrus CI|[](https://cirrus-ci.com/github/SoftEtherVPN/SoftEtherVPN)|
- [SoftEther VPN](#softether-vpn)
- [BOARD MEMBERS OF THIS REPOSITORY](#board-members-of-this-repository)
* [Build from Source code](#build-from-source-code)
- [About HTML5-based Modern Admin Console and JSON-RPC API Suite](#about-html5-based-modern-admin-console-and-json-rpc-api-suite)
* [Built-in SoftEther VPN Server HTML5 Ajax-based Web Administration Console](#built-in-softether-vpn-server-html5-ajax-based-web-administration-console)
| Certificate Authentication | ⚠️ | ✅ | SE supports the feature in SSL-VPN only. |
| IPv6-capable VPN Tunnel | ⚠️ | ✅ | SE supports IPv6 in L2 VPN tunnels only. |
| IPv4 Route Management | ✅ | ✅ | Windows clients only |
| IPv6 Route Management | ❌ | ✅ | Windows clients only |
| TLS Server Verification | ⚠️ | ✅ | In SE you need to specify the exact certificate or CA to verify. DE can perform standard TLS verification and use the system CA store. |
| Dual-stack Name Resolution | ⚠️ | ✅ | SE attempts in IPv6 only after IPv4 has failed. |
| ECDSA Certificates Import | ❌ | ✅ | |
| Runs on Windows XP and Earlier | ✅ | ❌ | |
| Compatible with SoftEther VPN 1.0 | ✅ | ❌ | |
| AES-NI Hardware Acceleration | ⚠️ | ✅ | SE requires [intel_aes_lib](https://software.intel.com/sites/default/files/article/181731/intel-aesni-sample-library-v1.2.zip) to enable AES-NI, so x86 only. In DE, enabled by default as long as processor supports it (at least x86 and ARM). |
# Installation
## For Ubuntu
Launchpad PPA maintained by [Dmitry Verkhoturov](https://github.com/paskal):
[Daily builds](https://code.launchpad.net/~paskal-07/+archive/ubuntu/softethervpn) (latest released tag)
@ -14508,15 +14508,15 @@ All APIs are based on the <a href="https://www.jsonrpc.org/specification">JSON-R
</tbody>
</table>
<hr/>
<p><aid="getddnsinternetsettng"></a></p>
<h2id="getddnsinternetsettng-rpc-api-get-the-proxy-settings-for-connecting-to-the-ddns-server">"GetDDnsInternetSettng" RPC API - Get the Proxy Settings for Connecting to the DDNS server</h2>
<p><aid="getddnsinternetsetting"></a></p>
<h2id="getddnsinternetsetting-rpc-api-get-the-proxy-settings-for-connecting-to-the-ddns-server">"GetDDnsInternetSetting" RPC API - Get the Proxy Settings for Connecting to the DDNS server</h2>
<h3id="description-131">Description</h3>
<p>Get the Proxy Settings for Connecting to the DDNS server.</p>
@ -14571,15 +14571,15 @@ All APIs are based on the <a href="https://www.jsonrpc.org/specification">JSON-R
</tbody>
</table>
<hr/>
<p><aid="setddnsinternetsettng"></a></p>
<h2id="setddnsinternetsettng-rpc-api-set-the-proxy-settings-for-connecting-to-the-ddns-server">"SetDDnsInternetSettng" RPC API - Set the Proxy Settings for Connecting to the DDNS server</h2>
<p><aid="setddnsinternetsetting"></a></p>
<h2id="setddnsinternetsetting-rpc-api-set-the-proxy-settings-for-connecting-to-the-ddns-server">"SetDDnsInternetSetting" RPC API - Set the Proxy Settings for Connecting to the DDNS server</h2>
<h3id="description-132">Description</h3>
<p>Set the Proxy Settings for Connecting to the DDNS server.</p>
`HashedPassword_bin` | `string` (Base64 binary) | SHA-0 Hashed password. Valid only if ClientAuth_AuthType_u32 == SHA0_Hashed_Password (1). The SHA-0 hashed password must be caluclated by the SHA0(UpperCase(username_ascii_string) + password_ascii_string).
`HashedPassword_bin` | `string` (Base64 binary) | SHA-0 Hashed password. Valid only if ClientAuth_AuthType_u32 == SHA0_Hashed_Password (1). The SHA-0 hashed password must be caluclated by the SHA0(password_ascii_string + UpperCase(username_ascii_string)).
`PlainPassword_str` | `string` (ASCII) | Plaintext Password. Valid only if ClientAuth_AuthType_u32 == PlainPassword (2).
`ClientX_bin` | `string` (Base64 binary) | Client certificate. Valid only if ClientAuth_AuthType_u32 == Cert (3).
`ClientK_bin` | `string` (Base64 binary) | Client private key of the certificate. Valid only if ClientAuth_AuthType_u32 == Cert (3).
@ -2600,7 +2600,7 @@ Get List of Cascade Connections. Use this to get a list of Cascade Connections t
"Online_bool": false,
"Connected_bool": false,
"LastError_u32": 0,
"ConnectedTime_dt": "2020-08-01T12:24:36.123",
"ConnectedTime_dt": "2024-08-01T12:24:36.123",
"Hostname_str": "hostname",
"TargetHubName_str": "targethubname"
},
@ -2609,7 +2609,7 @@ Get List of Cascade Connections. Use this to get a list of Cascade Connections t
"Online_bool": false,
"Connected_bool": false,
"LastError_u32": 0,
"ConnectedTime_dt": "2020-08-01T12:24:36.123",
"ConnectedTime_dt": "2024-08-01T12:24:36.123",
"Hostname_str": "hostname",
"TargetHubName_str": "targethubname"
},
@ -2618,7 +2618,7 @@ Get List of Cascade Connections. Use this to get a list of Cascade Connections t
"Online_bool": false,
"Connected_bool": false,
"LastError_u32": 0,
"ConnectedTime_dt": "2020-08-01T12:24:36.123",
"ConnectedTime_dt": "2024-08-01T12:24:36.123",
"Hostname_str": "hostname",
"TargetHubName_str": "targethubname"
}
@ -2834,9 +2834,9 @@ Get Current Cascade Connection Status. When a Cascade Connection registered on t
`UsePolicy_bool` | `boolean` | The flag whether to use security policy
`policy:Access_bool` | `boolean` | Security policy: Allow Access. The users, which this policy value is true, have permission to make VPN connection to VPN Server.
`policy:DHCPFilter_bool` | `boolean` | Security policy: Filter DHCP Packets (IPv4). All IPv4 DHCP packets in sessions defined this policy will be filtered.
@ -3779,7 +3779,7 @@ Change User Settings. Use this to change user settings that is registered on the
"GroupName_str": "groupname",
"Realname_utf": "realname",
"Note_utf": "note",
"ExpireTime_dt": "2020-08-01T12:24:36.123",
"ExpireTime_dt": "2024-08-01T12:24:36.123",
"AuthType_u32": 0,
"Auth_Password_str": "auth_password",
"UserX_bin": "SGVsbG8gV29ybGQ=",
@ -3842,9 +3842,9 @@ Change User Settings. Use this to change user settings that is registered on the
"GroupName_str": "groupname",
"Realname_utf": "realname",
"Note_utf": "note",
"CreatedTime_dt": "2020-08-01T12:24:36.123",
"UpdatedTime_dt": "2020-08-01T12:24:36.123",
"ExpireTime_dt": "2020-08-01T12:24:36.123",
"CreatedTime_dt": "2024-08-01T12:24:36.123",
"UpdatedTime_dt": "2024-08-01T12:24:36.123",
"ExpireTime_dt": "2024-08-01T12:24:36.123",
"AuthType_u32": 0,
"Auth_Password_str": "auth_password",
"UserX_bin": "SGVsbG8gV29ybGQ=",
@ -3925,14 +3925,14 @@ Name | Type | Description
`RadiusUsername_utf` | `string` (UTF8) | Username in RADIUS server, optional, valid only if AuthType_u32 == Radius(4).
`NtUsername_utf` | `string` (UTF8) | Username in NT Domain server, optional, valid only if AuthType_u32 == NT(5).
`NumLogin_u32` | `number` (uint32) | Number of total logins of the user
`Recv.BroadcastBytes_u64` | `number` (uint64) | Number of broadcast packets (Recv)
`UsePolicy_bool` | `boolean` | The flag whether to use security policy
`policy:Access_bool` | `boolean` | Security policy: Allow Access. The users, which this policy value is true, have permission to make VPN connection to VPN Server.
`policy:DHCPFilter_bool` | `boolean` | Security policy: Filter DHCP Packets (IPv4). All IPv4 DHCP packets in sessions defined this policy will be filtered.
@ -4004,9 +4004,9 @@ Get User Settings. Use this to get user settings information that is registered
"GroupName_str": "groupname",
"Realname_utf": "realname",
"Note_utf": "note",
"CreatedTime_dt": "2020-08-01T12:24:36.123",
"UpdatedTime_dt": "2020-08-01T12:24:36.123",
"ExpireTime_dt": "2020-08-01T12:24:36.123",
"CreatedTime_dt": "2024-08-01T12:24:36.123",
"UpdatedTime_dt": "2024-08-01T12:24:36.123",
"ExpireTime_dt": "2024-08-01T12:24:36.123",
"AuthType_u32": 0,
"Auth_Password_str": "auth_password",
"UserX_bin": "SGVsbG8gV29ybGQ=",
@ -4087,14 +4087,14 @@ Name | Type | Description
`RadiusUsername_utf` | `string` (UTF8) | Username in RADIUS server, optional, valid only if AuthType_u32 == Radius(4).
`NtUsername_utf` | `string` (UTF8) | Username in NT Domain server, optional, valid only if AuthType_u32 == NT(5).
`NumLogin_u32` | `number` (uint32) | Number of total logins of the user
`Recv.BroadcastBytes_u64` | `number` (uint64) | Number of broadcast packets (Recv)
`UsePolicy_bool` | `boolean` | The flag whether to use security policy
`policy:Access_bool` | `boolean` | Security policy: Allow Access. The users, which this policy value is true, have permission to make VPN connection to VPN Server.
`policy:DHCPFilter_bool` | `boolean` | Security policy: Filter DHCP Packets (IPv4). All IPv4 DHCP packets in sessions defined this policy will be filtered.
@ -4207,11 +4207,11 @@ Get List of Users. Use this to get a list of users that are registered on the se
"Note_utf": "note",
"AuthType_u32": 0,
"NumLogin_u32": 0,
"LastLoginTime_dt": "2020-08-01T12:24:36.123",
"LastLoginTime_dt": "2024-08-01T12:24:36.123",
"DenyAccess_bool": false,
"IsTrafficFilled_bool": false,
"IsExpiresFilled_bool": false,
"Expires_dt": "2020-08-01T12:24:36.123",
"Expires_dt": "2024-08-01T12:24:36.123",
"Ex.Recv.BroadcastBytes_u64": 0,
"Ex.Recv.BroadcastCount_u64": 0,
"Ex.Recv.UnicastBytes_u64": 0,
@ -4228,11 +4228,11 @@ Get List of Users. Use this to get a list of users that are registered on the se
"Note_utf": "note",
"AuthType_u32": 0,
"NumLogin_u32": 0,
"LastLoginTime_dt": "2020-08-01T12:24:36.123",
"LastLoginTime_dt": "2024-08-01T12:24:36.123",
"DenyAccess_bool": false,
"IsTrafficFilled_bool": false,
"IsExpiresFilled_bool": false,
"Expires_dt": "2020-08-01T12:24:36.123",
"Expires_dt": "2024-08-01T12:24:36.123",
"Ex.Recv.BroadcastBytes_u64": 0,
"Ex.Recv.BroadcastCount_u64": 0,
"Ex.Recv.UnicastBytes_u64": 0,
@ -4249,11 +4249,11 @@ Get List of Users. Use this to get a list of users that are registered on the se
"Note_utf": "note",
"AuthType_u32": 0,
"NumLogin_u32": 0,
"LastLoginTime_dt": "2020-08-01T12:24:36.123",
"LastLoginTime_dt": "2024-08-01T12:24:36.123",
"DenyAccess_bool": false,
"IsTrafficFilled_bool": false,
"IsExpiresFilled_bool": false,
"Expires_dt": "2020-08-01T12:24:36.123",
"Expires_dt": "2024-08-01T12:24:36.123",
"Ex.Recv.BroadcastBytes_u64": 0,
"Ex.Recv.BroadcastCount_u64": 0,
"Ex.Recv.UnicastBytes_u64": 0,
@ -4425,14 +4425,14 @@ Name | Type | Description
`Name_str` | `string` (ASCII) | The group name
`Realname_utf` | `string` (UTF8) | Optional real name (full name) of the group, allow using any Unicode characters
`Note_utf` | `string` (UTF8) | Optional, specify a description of the group
`Recv.BroadcastBytes_u64` | `number` (uint64) | Number of broadcast packets (Recv)
`UsePolicy_bool` | `boolean` | The flag whether to use security policy
`policy:Access_bool` | `boolean` | Security policy: Allow Access. The users, which this policy value is true, have permission to make VPN connection to VPN Server.
`policy:DHCPFilter_bool` | `boolean` | Security policy: Filter DHCP Packets (IPv4). All IPv4 DHCP packets in sessions defined this policy will be filtered.
@ -4743,14 +4743,14 @@ Name | Type | Description
`Name_str` | `string` (ASCII) | The group name
`Realname_utf` | `string` (UTF8) | Optional real name (full name) of the group, allow using any Unicode characters
`Note_utf` | `string` (UTF8) | Optional, specify a description of the group
`Recv.BroadcastBytes_u64` | `number` (uint64) | Number of broadcast packets (Recv)
`UsePolicy_bool` | `boolean` | The flag whether to use security policy
`policy:Access_bool` | `boolean` | Security policy: Allow Access. The users, which this policy value is true, have permission to make VPN connection to VPN Server.
`policy:DHCPFilter_bool` | `boolean` | Security policy: Filter DHCP Packets (IPv4). All IPv4 DHCP packets in sessions defined this policy will be filtered.
@ -4939,8 +4939,8 @@ Get List of Connected VPN Sessions. Use this to get a list of the sessions conne
"Client_MonitorMode_bool": false,
"VLanId_u32": 0,
"UniqueId_bin": "SGVsbG8gV29ybGQ=",
"CreatedTime_dt": "2020-08-01T12:24:36.123",
"LastCommTime_dt": "2020-08-01T12:24:36.123"
"CreatedTime_dt": "2024-08-01T12:24:36.123",
"LastCommTime_dt": "2024-08-01T12:24:36.123"
},
{
"Name_str": "name",
@ -4961,8 +4961,8 @@ Get List of Connected VPN Sessions. Use this to get a list of the sessions conne
"Client_MonitorMode_bool": false,
"VLanId_u32": 0,
"UniqueId_bin": "SGVsbG8gV29ybGQ=",
"CreatedTime_dt": "2020-08-01T12:24:36.123",
"LastCommTime_dt": "2020-08-01T12:24:36.123"
"CreatedTime_dt": "2024-08-01T12:24:36.123",
"LastCommTime_dt": "2024-08-01T12:24:36.123"
},
{
"Name_str": "name",
@ -4983,8 +4983,8 @@ Get List of Connected VPN Sessions. Use this to get a list of the sessions conne
"Client_MonitorMode_bool": false,
"VLanId_u32": 0,
"UniqueId_bin": "SGVsbG8gV29ybGQ=",
"CreatedTime_dt": "2020-08-01T12:24:36.123",
"LastCommTime_dt": "2020-08-01T12:24:36.123"
"CreatedTime_dt": "2024-08-01T12:24:36.123",
"LastCommTime_dt": "2024-08-01T12:24:36.123"
}
]
}
@ -5059,9 +5059,9 @@ Get Session Status. Use this to specify a session currently connected to the cur
@ -278,9 +278,9 @@ export declare class VpnServerRpc {
/** Enable / Disable VPN Azure Function. Enable or disable the VPN Azure function. VPN Azure makes it easier to establish a VPN Session from your home PC to your office PC. While a VPN connection is established, you can access to any other servers on the private network of your company. You don't need a global IP address on the office PC (VPN Server). It can work behind firewalls or NATs. No network administrator's configuration required. You can use the built-in SSTP-VPN Client of Windows in your home PC. VPN Azure is a cloud VPN service operated by SoftEther Corporation. VPN Azure is free of charge and available to anyone. Visit http://www.vpnazure.net/ to see details and how-to-use instructions. The VPN Azure hostname is same to the hostname of the Dynamic DNS setting, but altering the domain suffix to "vpnazure.net". To change the hostname use the ChangeDDnsClientHostname API. To call this API, you must have VPN Server administrator privileges. This API cannot be invoked on VPN Bridge. You cannot execute this API for Virtual Hubs of VPN Servers operating as a cluster. */
Building without USE_MUSL environment variable set compiles, but produced executables exhibit bad run-time behaviour.
@ -228,7 +228,7 @@ You can write your own VPN Server management application in your favorite langua
You can use any SoftEtherVPN component (server, client, bridge) without installing it, if you wish so.
In this case please do not run the `make install` command after compiling the source code, and head directly to the **bin/** directory. There you will find the generated binaries for SoftEtherVPN and those could be used without installing SoftEtherVPN.
In this case please do not run the `make install` command after compiling the source code, and head directly to the **build/** directory. There you will find the generated binaries for SoftEtherVPN and those could be used without installing SoftEtherVPN.
If you are a programmer, you can open the SoftEther VPN solution file
with Visual Studio 2008 to customize. Open "src\SEVPN.sln" and enjoy it.
Visual Studio 2008 is required as to maintain compatibility with Windows 9x, due to Visual C++ 2008 being the last version compatibile with Windows 9x and Windows NT 4.x binary linking.
- Visual Studio 2008's installer ISO can be found on Microsoft's site here: https://download.microsoft.com/download/E/8/E/E8EEB394-7F42-4963-A2D8-29559B738298/VS2008ExpressWithSP1ENUX1504728.iso
- The Microsoft Windows Driver Kit 7.1.0 can be found here: https://download.microsoft.com/download/4/A/2/4A25C7D5-EFBE-4182-B6A9-AE6850409A78/GRMWDK_EN_7600_1.ISO
If using anything else other than Visual Studio 2008 for development, your code **MUST** support Microsoft Visual C++ 2008 due to aforementioned reasons.
It is OK to add newer Visual Studio (2015, 2017) solution files to the project, but there then must be dual solution files for both Visual C++ 2008 and the latest Visual Studio.
Build and Development Instructions with Visual Studio 2017 & CMake
An alternative method for development of the SoftEtherVPN project on Windows is through CMake.
There are several methods for using CMake but the easiest by far is through Visual Studio 2017 by importing the CMake project directly
There are several methods for using CMake but the easiest by far is through Visual Studio by importing the CMake project directly
into it. So that is what will be described below.
Requirements:
## Requirements
1. Download Visual Studio 2017 (Community Edition is fine).
2. During install, make sure to check "Desktop development with C++" under "Workloads".
3. Click on individual components and scroll until you see "Visual C++ tools for CMake" under the compilers section. Make sure this is checked.
4. Proceed with and finish Visual Studio 2017 install.
5. Install the needed submodules to build the project, avoiding CMake telling you to do so with: `git submodule update --init --recursive`
- Visual Studio 2019 or 2022 (Community Edition is fine)
Building:
https://visualstudio.microsoft.com/downloads
Once both installs have finished, launch Visual Studio. Once its started go to the File menu click `Open --> CMake`. Then navigate to where you
cloned the project and open the `CMakeLists.txt` file in the projects root directory.
- Git for Windows (or other git tool)
Visual Studio will proceed to start the CMake configuration process and once its finished, you can simply go to toolbar and click `CMake -> Build All`.
https://gitforwindows.org/
Once it has finished, hopefully with no errors, look in the newly created `/build` directory in the project's folder. Inside are the development versions
of all the SoftEtherVPN components.
- vcpkg
Congrats, you now have a complete CMake development environment for SoftEtherVPN on Windows, enjoy and happy contributing!
https://github.com/microsoft/vcpkg
Download Links:
- Visual Studio 2017 from Microsoft: https://visualstudio.microsoft.com/downloads
## Installation
************************************
Thank You Using SoftEther VPN !
By SoftEther VPN Open-Source Project
https://www.softether.org/
- Visual Studio
Download from the official site and run the installer.
Make sure to check **Desktop development with C++** under *Workloads* and **Clang C++ Tools for Windows** in *Optional* components.
- Git
Nothing special. Just follow the installer.
- vcpkg
Let's say you will install it to `C:\vcpkg`.
Open your preferred terminal and go to `C:\`. Then run these commands.
```
C:\> git clone https://github.com/microsoft/vcpkg
C:\> cd vcpkg
C:\vcpkg> bootstrap-vcpkg.bat
C:\vcpkg> vcpkg integrate install
```
## Update
- vcpkg
You are recommended to update vcpkg from time to time, so that the latest libraries are used in the build.
Go to the installation path, pull the latest repo and the binary:
```
C:\vcpkg> git pull
C:\vcpkg> bootstrap-vcpkg.bat
```
## Building
1. Launch Visual Studio
Choose either **Clone a repository** to clone from GitHub or **Open a local folder** if you already have a copy.
1. Open Terminal (*View -> Terminal*). Install the needed submodules to build the project, avoiding CMake telling you to do so with:
`git submodule update --init --recursive`
**Note**: This step is not necessary if you have chosen **Clone a repository** as Visual Studio automatically takes care of it.
1. Switch to folder view in the solution explorer
1. Select a configuration from the dropdown menu below the search box. The default configurations are:
- x64-native
Build x64 executables with 64-bit compiler (most common)
- x64-on-x86
Cross compile x64 executables with 32-bit compiler
- x86-native
Build x86 executables with 32-bit compiler
- x86-on-x64
Cross compile x86 executables with 64-bit compiler
On 64-bit Windows, all four configurations can be used. 32-bit platforms can only use 32-bit compiler.
1. Visual Studio will try generating CMake cache. If not, click **Project -> Configure Cache** or **Generate Cache**.
If CMake is busy, you will find **Generate Cache** greyed out. Wait until it finishes or click **Cancel CMake Cache Generation** to stop it.
The initial configuration will take a longer time since it needs to download and install dependencies.
1. When *CMake generation finished* is displayed, simply go to toolbar and click **Build -> Build All**.
1. Once building has finished, hopefully with no errors, look in the newly created `/build` directory in the project's folder.
Run `vpnsetup.exe` to install desired components.
1. Congrats, you now have a complete CMake development environment for SoftEtherVPN on Windows, enjoy and happy contributing!
## Notes
1. Build number
You can change the build number in `CMakeSettings.json`. Use any integer no less than 5180.
Delete and regenerate CMake cache after the change.
1. OpenSSL
The above instruction builds OpenSSL library statically in the SoftEther binaries,
so that when you distribute the installer to others they will not need to install OpenSSL separately.
However, the downside is that the OpenSSL library cannot be updated without a rebuild and reinstallation of SoftEther.
It's also possible to build OpenSSL library dynamically so that you can update OpenSSL without rebuilding SoftEther.
To achieve that, you need to remove `openssl` from `vcpkg.json` and install OpenSSL directly.
Installing from a package manager such as [Scoop](https://scoop.sh/) would make the subsequent updates easily.
However, you should avoid using [Winget](https://learn.microsoft.com/en-us/windows/package-manager/winget/)
for the time being because due to a bug it cannot detect the correct version of OpenSSL, causing endless updates.
If you install from Scoop, make sure to add the OpenSSL folder to the system's `PATH`.
As Scoop already adds it to the user's `PATH`, just copy the same location into the system environment variable(s).
SoftEther Client Service starts from the System account and will fail to start if OpenSSL is not in the global `PATH`.
Building should be straightforward. You can verify that the binaries are now linked against the locally installed OpenSSL
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
